Merge pull request #20 from cedwards/master

0.3.20181124 patch

.gitignore

@@ -0,0 +1 @@
+docs/_build

README.md

@@ -4,9 +4,39 @@ Bastille is a jail automation framework that allows you to quickly and
 easily create and manage FreeBSD jail.
 
 
+Installation
+------------
+Bastille is not (yet) in the official ports tree, but I have built and verified
+binary packages.
+
+To install using one of the BETA binary packages, copy the URL for the latest
+release here (TXZ file): https://github.com/bastillebsd/bastille/releases
+
+Then, install via `pkg`. 
+Example:
+
+```shell
+pkg add https://github.com/BastilleBSD/bastille/releases/download/0.3.20181120/bastille-0.3.20181120.txz
+```
+
+BETA binary packages are signed. These can be verified with this pubkey:
+
+```
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq28OLDhJ12JmsKKcJpnn
+pCW3fFYBNI1BtdvTvFx57ZXvQ2qecBvnR9+XWi83hKS9ALTKZI6CLC2uTv1fIsZl
+u6rDRRNZwZFfITACSfwI+7UObMXz3oBZjk94J3rIegk49EyjDswKdVWv5k1EiVXF
+SAwXSl2kA2hGfQJkj5NS4nrfoRBc0z6fm+BGdNuHKSTmeZh1dbLEHt9EArD20DJ7
+HIr8vUSPLwONeqJCBFA/MeDO+GpwtwA/ldc2ZZy1RCPctdC2NeiGW7oy1yVDu6wp
+mHCq8qDfmCx5Aex84rWUf9iH8TM92AWmegTaz2p+BgESctpjNRCUuSEwOCBIO6g5
+3wIDAQAB
+-----END PUBLIC KEY-----
+```
+
+
 Basic Usage
 -----------
-```
+```shell
 ishmael ~ # bastille -h
 Usage:
   bastille command [ALL|glob] [args]
@@ -26,6 +56,7 @@ Available Commands:
   start       Start a stopped jail.
   stop        Stop a running jail.
   sysrc       Safely edit rc files within targeted jail(s).
+  template    Apply Bastille template to running jail(s).
   top         Display and update information about the top(1) cpu processes.
   update      Update jail base -pX release.
   upgrade     Upgrade jail release to X.Y-RELEASE.
@@ -51,7 +82,7 @@ the firewall, permitting and denying traffic as needed.
 First, create the loopback interface:
 
 ```shell
-ishmael ~ # sysrc cloned_interfaces="lo1"
+ishmael ~ # sysrc cloned_interfaces+=lo1
 ishmael ~ # service netif cloneup
 ```
 
@@ -130,7 +161,7 @@ release version as the argument.
 
 ```shell
 ishmael ~ # bastille bootstrap 11.2-RELEASE
-ishmael ~ # bastille bootstrap 10.4-RELEASE
+ishmael ~ # bastille bootstrap 12.0-RELEASE
 ```
 
 This command will ensure the required directory structures are in place and
@@ -440,6 +471,88 @@ Note: jail console logs not destroyed.
 
 ```
 
+bastille template
+-----------------
+Bastille supports a templating system allowing you to apply files, pkgs and
+execute commands inside the jail automatically.
+
+Currently supported template hooks are: `PRE`, `CONFIG`, `PKG`, `SYSRC`, `CMD`.
+Planned template hooks include: `FSTAB`, `PF`
+
+Templates are created in `${bastille_prefix}/templates` and can leverage any of
+the template hooks. Simply create a new directory named after the template. eg;
+
+```shell
+mkdir -p /usr/local/bastille/templates/base
+```
+
+To leverage a template hook, create an UPPERCASE file in the root of the
+template directory named after the hook you want to execute. eg;
+
+```shell
+echo "zsh vim-console git-lite htop" > /usr/local/bastille/templates/base/PKG
+echo "/usr/bin/chsh -s /usr/local/bin/zsh" > /usr/local/bastille/templates/base/CMD
+echo "etc root usr" > /usr/local/bastille/templates/base/CONFIG
+```
+
+Template hooks are executed in specific order and require specific syntax to
+work as expected. This table outlines those requirements:
+
+| HOOK    | format           | example                              |
+|---------|------------------|--------------------------------------|
+| PRE/CMD | /bin/sh command  | /usr/bin/chsh -s /usr/local/bin/zsh  |
+| CONFIG  | path             | etc root usr                         |
+| PKG     | port/pkg name(s) | vim-console zsh git-lite tree htop   |
+| SYSRC   | sysrc command(s) | nginx_enable=YES                     |
+
+Note: SYSRC requires NO quotes or that quotes (`"`) be escaped. ie; `\"`)
+
+In addition to supporting template hooks, Bastille supports overlaying files
+into the jail. This is done by placing the files in their full path, using the
+template directory as "/".
+
+An example here may help. Think of `/usr/local/bastille/templates/base`, our
+example template, as the root of our filesystem overlay. If you create an
+`etc/hosts` or `etc/resolv.conf` *inside* the base template directory, these
+can be overlayed into your jail.
+
+Note: due to the way FreeBSD segregates user-space, the majority of your
+overlayed template files will be in `usr/local`. The few general
+exceptions are the `etc/hosts`, `etc/resolv.conf`, and `etc/rc.conf.local`.
+
+After populating `usr/local/` with custom config files that your jail will
+use, be sure to include `usr` in the template CONFIG definition. eg;
+
+```shell
+echo "etc usr" > /usr/local/bastille/templates/base/CONFIG
+```
+
+The above example "etc usr" will include anything under "etc" and "usr" inside
+the template. You do not need to list individual files. Just include the
+top-level directory name.
+
+Applying Templates
+------------------
+
+Jails must be running to apply templates.
+
+Bastille includes a `template` sub-command. This sub-command requires a target
+and a template name. As covered in the previous section, template names
+correspond to directory names in the `bastille/templates` directory.
+
+```shell
+ishmael ~ # bastille template folsom base
+[folsom]:
+Copying files...
+Copy complete.
+Installing packages.
+...[snip]...
+Executing final command(s).
+chsh: user information updated
+Template Complete.
+
+```
+
 
 bastille top
 ------------
@@ -757,8 +870,25 @@ rdr pass inet proto tcp from any to any port 8081 -> 10.7.6.5 port 8080
 rdr pass inet proto tcp from any to any port 8181 -> 10.7.6.5 port 443
 ```
 
-Tip: Initially I spent time worrying about what IP addresses to assign. In the
+Tip #3:
+-------
+Don't worry too much about IP assignments.
+Initially I spent time worrying about what IP addresses to assign. In the
 end I've come to the conclusion that it _really_ doesn't matter. Pick *any*
 private address and be done with it. These are all isolated networks. In the
 end, what matters is you can map host:port to jail:port reliably, and we
 can.
+
+
+Community Support
+=================
+We would love to hear your feedback on Bastille! Please join us on the
+[BastilleBSD Chat Server](https://chat.bastillebsd.org) and let us know what
+you think. Registration is currently open pending email verification. 
+
+Be mindful of the [Bastille Code of
+Conduct](https://github.com/BastilleBSD/bastille/blob/master/CODE-OF-CONDUCT.md)
+when participating in the chat rooms.
+
+If you've found a bug in Bastille, please submit it to the [Bastille Issue
+Tracker](https://github.com/bastillebsd/bastille/issues/new).

ROADMAP.md

@@ -0,0 +1,45 @@
+Bastille Roadmap
+================
+This is the general roadmap for the next nine months. I would like the
+near-term done by the end of 2018. The mid-term should be done by March 2019.
+The long-term by summer 2019.
+
+At that point, if the templating is mature, and the top 50 is complete, the
+platform is ready for general purpose use. 
+
+
+near-term
+---------
+1. zfs support (configurable)
+2. bastille-dev template (see below):
+```shell
+## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
+## ip4.addr=10.20.12.68 persist
+## jexec foo /bin/csh
+## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
+## ip4.addr=10.20.12.68 persist
+## foo# jexec bar /bin/csh
+## bar# ping gritton.org
+```
+3. branding
+
+
+mid-term
+--------
+1. templating
+2. ssh-to-jail demo (ie; ldap + .authorized_keys + command)
+```shell
+## TODO: .ssh/authorized_keys auto-launch into user jail
+## jail_create_login_hook() {
+##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
+##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
+## }
+```
+3. additional modules: ps, sockstat, pf, fstab.
+
+
+long-term
+---------
+1. top 50
+2. monitoring
+3. rctl

TODO

@@ -1,29 +0,0 @@
-# TODO
-
-##This is just a place to throw down the ideas of things I need to fix and or
-##improve. In no particular order.
-##
-##+ ZFS or UFS support
-##+ Support for multi-jail templating (create, snapshot, deploy)
-##+ jail.conf validation support in `create`
-##+ Dynamic config support for templating
-##+ 
-
-##Bastille in Bastille
-##--------------------
-## found on mailing list archive. need to research
-
-## jail -c name=foo host.hostname=foo allow.raw_sockets children.max=99 
-## ip4.addr=10.20.12.68 persist
-## jexec foo /bin/csh
-## foo# jail -c name=bar host.hostname=bar allow.raw_sockets 
-## ip4.addr=10.20.12.68 persist
-## foo# jexec bar /bin/csh
-## bar# ping gritton.org
-
-## TODO: .ssh/authorized_keys auto-launch into user jail
-## jail_create_login_hook() {
-##     echo "permit nopass ${user} cmd /usr/sbin/jexec args ${name} /usr/bin/login -f ${user}" >> /usr/local/etc/doas.conf
-##     echo "command='/usr/local/bin/doas /usr/sbin/jexec ${name} /usr/bin/login -f ${user}' ${pubkey}" >> $HOME/.ssh/authorized_keys
-## }
-

docs/Makefile

@@ -0,0 +1,19 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+SOURCEDIR     = .
+BUILDDIR      = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)

docs/README.md

@@ -0,0 +1 @@
+../README.md

docs/conf.py

@@ -0,0 +1,185 @@
+# -*- coding: utf-8 -*-
+#
+# Configuration file for the Sphinx documentation builder.
+#
+# This file does only contain a selection of the most common options. For a
+# full list see the documentation:
+# http://www.sphinx-doc.org/en/master/config
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+import os
+on_rtd = os.environ.get('READTHEDOCS') == 'True'
+if on_rtd:
+    html_theme = 'default'
+else:
+    html_theme = 'sphinx_rtd_theme'
+
+# -- Project information -----------------------------------------------------
+
+project = 'Bastille'
+copyright = '2018, Christer Edwards'
+author = 'Christer Edwards'
+
+# The short X.Y version
+version = '0.3'
+# The full version, including alpha/beta/rc tags
+release = 'beta'
+
+
+# -- General configuration ---------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#
+# needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix(es) of source filenames.
+# You can specify multiple suffix as a list of string:
+#
+# source_suffix = ['.rst', '.md']
+source_suffix = '.md'
+
+from recommonmark.parser import CommonMarkParser
+source_parsers = {
+    '.md': CommonMarkParser,
+}
+
+# The master toctree document.
+master_doc = 'README'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = None
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = None
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+#
+##html_theme = 'alabaster'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# Custom sidebar templates, must be a dictionary that maps document names
+# to template names.
+#
+# The default sidebars (for documents that don't match any pattern) are
+# defined by theme itself.  Builtin themes are using these templates by
+# default: ``['localtoc.html', 'relations.html', 'sourcelink.html',
+# 'searchbox.html']``.
+#
+# html_sidebars = {}
+
+
+# -- Options for HTMLHelp output ---------------------------------------------
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'Bastilledoc'
+
+
+# -- Options for LaTeX output ------------------------------------------------
+
+latex_elements = {
+    # The paper size ('letterpaper' or 'a4paper').
+    #
+    # 'papersize': 'letterpaper',
+
+    # The font size ('10pt', '11pt' or '12pt').
+    #
+    # 'pointsize': '10pt',
+
+    # Additional stuff for the LaTeX preamble.
+    #
+    # 'preamble': '',
+
+    # Latex figure (float) alignment
+    #
+    # 'figure_align': 'htbp',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+#  author, documentclass [howto, manual, or own class]).
+latex_documents = [
+    (master_doc, 'Bastille.tex', 'Bastille Documentation',
+     'Christer Edwards', 'manual'),
+]
+
+
+# -- Options for manual page output ------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    (master_doc, 'bastille', 'Bastille Documentation',
+     [author], 1)
+]
+
+
+# -- Options for Texinfo output ----------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+    (master_doc, 'Bastille', 'Bastille Documentation',
+     author, 'Bastille', 'One line description of project.',
+     'Miscellaneous'),
+]
+
+
+# -- Options for Epub output -------------------------------------------------
+
+# Bibliographic Dublin Core info.
+epub_title = project
+
+# The unique identifier of the text. This can be a ISBN number
+# or the project homepage.
+#
+# epub_identifier = ''
+
+# A unique identification for the text.
+#
+# epub_uid = ''
+
+# A list of files that should not be packed into the epub file.
+epub_exclude_files = ['search.html']
+

docs/index.rst.sample

@@ -0,0 +1,20 @@
+.. Bastille documentation master file, created by
+   sphinx-quickstart on Tue Nov 20 20:48:22 2018.
+   You can adapt this file completely to your liking, but it should at least
+   contain the root `toctree` directive.
+
+Welcome to Bastille's documentation!
+====================================
+
+.. toctree::
+   :maxdepth: 2
+   :caption: Contents:
+
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`

rc.d/bastille

@@ -1,65 +0,0 @@
-#!/bin/sh
-
-# $FreeBSD: $
-#
-# Bastille startup script
-#
-# PROVIDE: bastille
-# REQUIRE: LOGIN
-# KEYWORD: shutdown
-
-# Add the following to /etc/rc.conf[.local] to enable this service
-#
-# bastille_enable (bool):          Set to NO by default.
-#               Set it to YES to enable bastille.
-# bastille_list (string):        Set to "" by default.
-#               Space separated list of jails to start.
-#
-
-. /etc/rc.subr
-
-name=bastille
-rcvar=bastille_enable
-
-load_rc_config ${name}
-
-: ${bastille_enable:=NO}
-: ${bastille_list:=""}
-
-start_cmd=bastille_start
-stop_cmd=bastille_stop
-
-start_command="%%$PREFIX%%/bin/bastille start"
-stop_command="%%$PREFIX%%/bin/bastille stop"
-
-bastille_start()
-{
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
-        return 1
-    fi
-
-    local _jail
-
-    for _jail in ${bastille_list}; do
-        echo "Starting Bastille Jail: ${_jail}"
-        ${start_command} ${_jail}
-    done
-}
-
-bastille_stop()
-{
-    if [ ! -n "${bastille_list}" ]; then
-        echo "${bastille_list} is undefined"
-        return 1
-    fi
-
-    local _jail
-
-    for _jail in ${bastille_list}; do
-        echo "Stopping Bastille Jail: ${_jail}"
-        ${stop_command} ${_jail}
-    done
-}
-
-run_rc_command "$1"

usr/local/bin/bastille

@@ -32,8 +32,7 @@
 . /usr/local/etc/bastille/bastille.conf
 
 ## version
-BASTILLE_VERSION="0.3.20181107"
+BASTILLE_VERSION="0.3.20181124"
-
 
 usage() {
     cat << EOF
@@ -58,6 +57,7 @@ Available Commands:
   start       Start a stopped container.
   stop        Stop a running container.
   sysrc       Safely edit rc files within targeted container(s).
+  template    Apply file templates to targeted jail(s).
   top         Display and update information about the top(1) cpu processes.
   update      Update container base -pX release.
   upgrade     Upgrade container release to X.Y-RELEASE.
@@ -73,7 +73,6 @@ EOF
 
 CMD=$1
 shift
-CMD_ENV=
 
 # Handle special-case commands first.
 case "${CMD}" in
@@ -88,32 +87,13 @@ esac
 
 # Filter out all non-commands
 case "${CMD}" in
-cmd|console|cp|create|destroy|list|pkg|restart|start|stop|sysrc|verify)
+cmd|cp|create|destroy|list|pkg|restart|start|stop|sysrc|template|verify)
 	;;
 update|upgrade)
-	CMD_ENV="${CMD_ENV} PAGER=cat"
 	;;
 console|bootstrap|htop|top)
-	while read envvar envvalue; do
+    ;;
-		case "${envvar}" in
-			TERM)
-				CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}"
-				;;
-		esac
-	done <<-EOF
-	$(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,')
-	EOF
-	;;
 bootstrap|update|upgrade)
-	while read envvar envvalue; do
-		case "${envvar}" in
-			FETCH_BIND_ADDRESS|FTP_*|ftp_*|HTTP_*|http_*|SSL_|NO_PROXY|no_proxy|MAKEOBJDIRPREFIX)
-				CMD_ENV="${CMD_ENV} ${envvar}=${envvalue}"
-				;;
-		esac
-	done <<-EOF
-	$(env | sed -Ee 's,^([^=]*)=(.*),\1 \2,')
-	EOF
 	;;
 *)
 	usage
@@ -127,4 +107,4 @@ umask ${UMASK}
 
 : ${SH:=sh}
 
-exec env -i ${CMD_ENV} ${SH} "${SCRIPTPATH}" "$@"
+exec ${SH} "${SCRIPTPATH}" "$@"

usr/local/etc/bastille/bastille.conf

@@ -7,4 +7,5 @@ bastille_cachedir=${bastille_prefix}/cache
 bastille_jailsdir=${bastille_prefix}/jails
 bastille_logsdir=${bastille_prefix}/logs
 bastille_releasesdir=${bastille_prefix}/releases
+bastille_templatesdir=${bastille_prefix}/templates
 bastille_sharedir=/usr/local/share/bastille

usr/local/etc/rc.d/bastille

@@ -0,0 +1,45 @@
+#!/bin/sh
+
+# $FreeBSD: $
+#
+# PROVIDE: bastille
+# REQUIRE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following to /etc/rc.conf[.local] to enable this service
+#
+# bastille_enable (bool):          Set to NO by default.
+#               Set it to YES to enable bastille.
+# bastille_list (string):        Set to "" by default.
+#               Space separated list of jails to start.
+#
+
+. /etc/rc.subr
+
+name=bastille
+rcvar=${name}_enable
+
+command="/usr/local/bin/${name}"
+
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+
+: ${bastille_enable:=NO}
+: ${bastille_list:="ALL"}
+
+bastille_start()
+{
+    for _jail in ${bastille_list}; do
+        ${command} start ${_jail}
+    done
+}
+
+bastille_stop()
+{
+    for _jail in ${bastille_list}; do
+        ${command} stop ${_jail}
+    done
+}
+
+load_rc_config ${name}
+run_rc_command "$@"

usr/local/share/bastille/bootstrap.sh

@@ -46,36 +46,42 @@ esac
 RELEASE=$1
 
 bootstrap() {
-    ### create $bastille_base/release/$release directory
+    ## ensure required directories are in place
-    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
-    ### extract $release/base.txz to $bastille_base/release/$release
     if [ ! -d ${bastille_jailsdir} ]; then
         mkdir -p ${bastille_jailsdir}
     fi
     if [ ! -d ${bastille_logsdir} ]; then
         mkdir -p ${bastille_logsdir}
     fi
-    if [ ! -d ${bastille_cachedir}/${RELEASE} ]; then
+    if [ ! -d ${bastille_templatesdir} ]; then
-        mkdir -p ${bastille_cachedir}/${RELEASE}
+        mkdir -p ${bastille_templatesdir}
+    fi
+    if [ ! -d "${bastille_cachedir}/${RELEASE}" ]; then
+        mkdir -p "${bastille_cachedir}/${RELEASE}"
     fi
 
-    if [ ! -d ${bastille_releasesdir}/${RELEASE} ]; then
+    ### create $bastille_base/release/$release directory
-        mkdir -p ${bastille_releasesdir}/${RELEASE}
+    ### fetch $release/base.txz -o $bastille_base/cache/$release/base.txz
+    ### fetch $release/lib32.txz -o $bastille_base/cache/$release/lib32.txz
+    ### extract $release/base.txz to $bastille_base/release/$release
+    ### extract $release/lib32.txz to $bastille_base/release/$release
+    if [ ! -d "${bastille_releasesdir}/${RELEASE}" ]; then
+        mkdir -p "${bastille_releasesdir}/${RELEASE}"
         sh ${bastille_sharedir}/freebsd_dist_fetch.sh -r ${RELEASE} base lib32
 
         echo
         echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} base.txz.${COLOR_RESET}"
-        /usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/base.txz
+        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/base.txz"
 
         echo -e "${COLOR_GREEN}Extracting FreeBSD ${RELEASE} lib32.txz.${COLOR_RESET}"
-        /usr/bin/tar -C ${bastille_releasesdir}/${RELEASE} -xf ${bastille_cachedir}/${RELEASE}/lib32.txz
+        /usr/bin/tar -C "${bastille_releasesdir}/${RELEASE}" -xf "${bastille_cachedir}/${RELEASE}/lib32.txz"
 
-	    echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}Bootstrap successful.${COLOR_RESET}"
-	    echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}See 'bastille --help' for available commands.${COLOR_RESET}"
-	    echo
+        echo
     else
         echo -e "${COLOR_RED}Bootstrap appears complete.${COLOR_RESET}"
-	exit 1
+        exit 1
     fi
 }
 
@@ -83,45 +89,63 @@ bootstrap() {
 case "${RELEASE}" in
 10.1-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 10.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.2-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 10.2-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.3-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 10.3-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 10.4-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 10.4-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.0-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 11.0-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.1-RELEASE)
     bootstrap
-    echo -e "${COLOR_RED}This release is End of Life. No security updates.${COLOR_RESET}"
+    echo -e "${COLOR_RED}WARNING: FreeBSD 11.1-RELEASE HAS PASSED ITS END-OF-LIFE DATE.${COLOR_RESET}"
 	;;
 11.2-RELEASE)
     bootstrap
 	;;
+12.0-RELEASE)
+    bootstrap
+	;;
 12.0-BETA1)
     bootstrap
-    echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
+    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
 	;;
 12.0-BETA2)
     bootstrap
-    echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
+    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
 	;;
 12.0-BETA3)
     bootstrap
-    echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
+    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+	;;
+12.0-BETA4)
+    bootstrap
+    echo -e "${COLOR_RED}BETA releases are completely untested.${COLOR_RESET}"
+	;;
+12.0-RC1)
+    bootstrap
+    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
+	;;
+12.0-RC2)
+    bootstrap
+    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
+	;;
+12.0-RC3)
+    bootstrap
+    echo -e "${COLOR_RED}RC releases are completely untested.${COLOR_RESET}"
 	;;
 *)
-    echo -e "${COLOR_RED}BETA releases are complete untested.${COLOR_RESET}"
     usage
     ;;
 esac

usr/local/share/bastille/cmd.sh

@@ -47,14 +47,14 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} $2
-    echo -e "${NC}"
+    echo
 done

usr/local/share/bastille/console.sh

@@ -42,19 +42,18 @@ help|-h|--help)
     ;;
 esac
 
-
 if [ $# -gt 1 ] || [ $# -lt 1 ]; then
     usage
 fi
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} /usr/bin/login -f root
-    echo -e "${NC}"
+    echo
 done

usr/local/share/bastille/cp.sh

@@ -47,16 +47,16 @@ if [ $# -gt 3 ] || [ $# -lt 3 ]; then
     usage
 fi
 
-if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
-fi
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
+fi
+if [ "$1" != 'ALL' ]; then
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
-    bastille_jail_path="${bastille_jailsdir}/${_jail}/root"
+    bastille_jail_path="$(jls -j "${_jail}" path)"
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     cp -a "$2" "${bastille_jail_path}/$3"
-    echo -e "${COLOR_RESET}"
+    echo
 done

usr/local/share/bastille/create.sh

@@ -37,7 +37,7 @@ usage() {
 }
 
 running_jail() {
-    jls -N name | grep ${NAME}
+    jls name | grep -E "(^|\b)${NAME}($|\b)"
 }
 
 validate_ip() {
@@ -70,8 +70,8 @@ create_jail() {
 
     if [ ! -d "${bastille_jail_base}" ]; then
         mkdir -p "${bastille_jail_base}"
-        mkdir -p "${bastille_jail_path}/usr"
         mkdir -p "${bastille_jail_path}/usr/home"
+        mkdir -p "${bastille_jail_path}/usr/local"
     fi
 
     if [ ! -d "${bastille_jail_template}" ]; then
@@ -94,12 +94,11 @@ create_jail() {
 
     ## using relative paths here
     ## MAKE SURE WE'RE IN THE RIGHT PLACE
-    ## ro
     cd "${bastille_jail_path}"
     echo
-    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
     echo -e "${COLOR_GREEN}NAME: ${NAME}.${COLOR_RESET}"
     echo -e "${COLOR_GREEN}IP: ${IP}.${COLOR_RESET}"
+    echo -e "${COLOR_GREEN}RELEASE: ${RELEASE}.${COLOR_RESET}"
     echo
 
     for _link in bin boot lib libexec rescue sbin usr/bin usr/include usr/lib usr/lib32 usr/libdata usr/libexec usr/sbin usr/share usr/src; do
@@ -107,7 +106,7 @@ create_jail() {
     done
 
     ## link home properly
-    ln -sf usr/home home
+    ln -s usr/home home
 
     ## rw
     cp -a "${bastille_releasesdir}/${RELEASE}/.cshrc" "${bastille_jail_path}"
@@ -125,9 +124,14 @@ create_jail() {
     cp -a "${bastille_releasesdir}/${RELEASE}/usr/obj" "${bastille_jail_path}"
     if [ "${RELEASE}" == "11.2-RELEASE" ]; then cp -a "${bastille_releasesdir}/${RELEASE}/usr/tests" "${bastille_jail_path}"; fi
 
-    ## rc.conf.local & resolv.conf
+    ## rc.conf.local
+    ##  + syslogd_flags="-ss"
+    ##  + sendmail_none="NONE"
+    ##  + cron_flags="-J 60" ## cedwards 20181118
+    ## resolv.conf
     if [ ! -f "${bastille_jail_rc_conf}" ]; then
         echo -e "syslogd_flags=\"-ss\"\nsendmail_enable=\"NONE\"" > ${bastille_jail_rc_conf}
+	echo -e "cron_flags=\"-J 60\"" >> ${bastille_jail_rc_conf}
     fi
 
     if [ ! -f "${bastille_jail_resolv_conf}" ]; then
@@ -135,8 +139,7 @@ create_jail() {
     fi
 
     ## TZ: UTC
-    ln -s "/usr/share/zoneinfo/Etc/UTC ${bastille_jail_root}/etc/localtime"
+    ln -s /usr/share/zoneinfo/Etc/UTC etc/localtime
-    ln -s "/.template/usr/local ${bastille_jail_root}/usr/local"
 }
 
 # Handle special-case commands first.
@@ -156,12 +159,51 @@ IP="$3"
 
 ## verify release
 case "${RELEASE}" in
+10.1-RELEASE)
+    RELEASE="10.1-RELEASE"
+	;;
+10.2-RELEASE)
+    RELEASE="10.2-RELEASE"
+	;;
+10.3-RELEASE)
+    RELEASE="10.3-RELEASE"
+	;;
 10.4-RELEASE)
     RELEASE="10.4-RELEASE"
     ;;
+11.0-RELEASE)
+    RELEASE="11.0-RELEASE"
+    ;;
+11.1-RELEASE)
+    RELEASE="11.1-RELEASE"
+    ;;
 11.2-RELEASE)
     RELEASE="11.2-RELEASE"
     ;;
+12.0-RELEASE)
+    RELEASE="12.0-RELEASE"
+    ;;
+12.0-BETA1)
+    RELEASE="12.0-BETA1"
+    ;;
+12.0-BETA2)
+    RELEASE="12.0-BETA2"
+    ;;
+12.0-BETA3)
+    RELEASE="12.0-BETA3"
+    ;;
+12.0-BETA4)
+    RELEASE="12.0-BETA4"
+    ;;
+12.0-RC1)
+    RELEASE="12.0-RC1"
+    ;;
+12.0-RC2)
+    RELEASE="12.0-RC2"
+    ;;
+12.0-RC3)
+    RELEASE="12.0-RC3"
+    ;;
 *)
     echo -e "${COLOR_RED}Unknown Release.${COLOR_RESET}"
     usage
@@ -169,20 +211,15 @@ case "${RELEASE}" in
 esac
 
 ## check for name/root/.bastille
-if [ -d "/usr/local/bastille/jails/${NAME}/root/.bastille" ]; then
+if [ -d "${bastille_jailsdir}/${NAME}/root/.bastille" ]; then
     echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.bastille exists.${COLOR_RESET}"
     exit 1
 fi
 
-## check for name/root/.template
-if [ -d "/usr/local/bastille/jails/${NAME}/root/.template" ]; then
-    echo -e "${COLOR_RED}Jail: ${NAME} already created. ${NAME}/root/.template exists.${COLOR_RESET}"
-    exit 1
-fi
-
 ## check if a running jail matches name
 if running_jail ${NAME}; then
-    echo -e "${COLOR_RED}Running jail matches name.${COLOR_RESET}"
+    echo -e "${COLOR_RED}A running jail matches name.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Jails must be stopped before they are destroyed.${COLOR_RESET}"
     exit 1
 fi
 

usr/local/share/bastille/destroy.sh

@@ -37,10 +37,10 @@ usage() {
 }
 
 destroy_jail() {
-    bastille_jail_base="${bastille_jailsdir}/${NAME}"  ## dir
+    bastille_jail_base="${bastille_jailsdir}/${NAME}"            ## dir
     bastille_jail_log="${bastille_logsdir}/${NAME}_console.log"  ## file
 
-    if [ $(jls -N name | grep ${NAME}) ]; then
+    if [ $(jls name | grep ${NAME}) ]; then
         echo -e "${COLOR_RED}Jail running.${COLOR_RESET}"
         echo -e "${COLOR_RED}See 'bastille stop ${NAME}'.${COLOR_RESET}"
         exit 1

usr/local/share/bastille/freebsd_dist_fetch.sh

@@ -1,4 +1,7 @@
 #!/bin/sh
+# https://pastebin.com/T6eThbKu
+
+. /usr/local/etc/bastille/bastille.conf
 
 DEVICE_SELF_SCAN_ALL=NO
 [ "$_SCRIPT_SUBR" ] || . /usr/share/bsdconfig/script.subr
@@ -17,7 +20,7 @@ mediaSetFTP
 mediaOpen
 set -e
 #debug=1
-REL_DIST=/usr/local/bastille/cache/$releaseName
+REL_DIST=${bastille_cachedir}/$releaseName
 download() # $src to $dest
 {
 	size=$( f_device_get device_media "$1" $PROBE_SIZE )

usr/local/share/bastille/htop.sh

@@ -48,17 +48,17 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
-    if [ ! -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then
+    bastille_jail_path=$(jls -j "${_jail}" path)
+    if [ ! -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
         echo -e "${COLOR_RED}htop not found on ${_jail}.${COLOR_RESET}"
-    fi
+    elif [ -x "${bastille_jail_path}/usr/local/bin/htop" ]; then
-    if [ -x "${bastille_jailsdir}/${_jail}/root/usr/local/bin/htop" ]; then
         echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
         jexec -l ${_jail} /usr/local/bin/htop
     fi

usr/local/share/bastille/list.sh

@@ -29,9 +29,10 @@
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 . /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
 
 usage() {
-    echo -e "${COLOR_RED}Usage: bastille list.${COLOR_RESET}"
+    echo -e "${COLOR_RED}Usage: bastille list [release|template|jail|log].${COLOR_RESET}"
     exit 1
 }
 
@@ -45,6 +46,18 @@ if [ $# -gt 0 ]; then
     help|-h|--help)
         usage
         ;;
+    release|releases)
+        ls "${bastille_releasesdir}" | sed "s/\n//g"
+        ;;
+    template|templates)
+	ls "${bastille_templatesdir}" | sed "s/\n//g"
+        ;;
+    jail|jails)
+	ls "${bastille_jailsdir}" | sed "s/\n//g"
+        ;;
+    log|logs)
+        ls "${bastille_logsdir}" | sed "s/\n//g"
+        ;;
     *)
         usage
         ;;

usr/local/share/bastille/pkg.sh

@@ -47,14 +47,14 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} /usr/sbin/pkg $2
-    echo -e "${COLOR_RESET}"
+    echo
 done

usr/local/share/bastille/service.sh

@@ -47,15 +47,15 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jexec -l ${_jail} /usr/sbin/service $2
-    echo -e "${COLOR_RESET}"
+    echo
 done

usr/local/share/bastille/start.sh

@@ -48,22 +48,19 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }')
+    JAILS=$(/usr/local/bin/bastille list jails)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(find ${bastille_jailsdir} -d 1 | awk -F / '{ print $6 }' | grep $1)
+    JAILS=$(/usr/local/bin/bastille list jails | grep "$1")
-fi
-
-if [ $(jls -N name | ${NAME}) ]; then
-    echo -e "${COLOR_RED}${NAME} already running.${COLOR_RESET}"
-    exit 1
 fi
 
 for _jail in ${JAILS}; do
-    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+    if [ $(jls name | grep ${_jail}) ]; then
-    jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
+        echo -e "${COLOR_RED}[${_jail}]: Already started.${COLOR_RESET}"
-    echo -e "${COLOR_RESET}"
+    elif [ ! $(jls name | grep ${_jail}) ]; then
+        echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+        jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -c ${_jail}
+        pfctl -f /etc/pf.conf
+    fi
+    echo
 done
-
-## HUP the firewall
-pfctl -f /etc/pf.conf

usr/local/share/bastille/stop.sh

@@ -48,17 +48,15 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do
     echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
     jail -f "${bastille_jailsdir}/${_jail}/jail.conf" -r ${_jail}
-    echo -e "${COLOR_RESET}"
+    pfctl -f /etc/pf.conf
+    echo
 done
-
-## HUP the firewall
-pfctl -f /etc/pf.conf

usr/local/share/bastille/sysrc.sh

@@ -47,11 +47,11 @@ if [ $# -gt 2 ] || [ $# -lt 2 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/template.sh

@@ -0,0 +1,135 @@
+#!/bin/sh
+# 
+# Copyright (c) 2018, Christer Edwards <christer.edwards@gmail.com>
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+# 
+# * Redistributions of source code must retain the above copyright notice, this
+#   list of conditions and the following disclaimer.
+# 
+# * Redistributions in binary form must reproduce the above copyright notice,
+#   this list of conditions and the following disclaimer in the documentation
+#   and/or other materials provided with the distribution.
+# 
+# * Neither the name of the copyright holder nor the names of its
+#   contributors may be used to endorse or promote products derived from
+#   this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+. /usr/local/share/bastille/colors.pre.sh
+. /usr/local/etc/bastille/bastille.conf
+
+usage() {
+    echo -e "${COLOR_RED}Usage: bastille template [ALL|glob] template.${COLOR_RESET}"
+    exit 1
+}
+
+# Handle special-case commands first.
+case "$1" in
+help|-h|--help)
+    usage
+    ;;
+esac
+
+if [ $# -gt 2 ] || [ $# -lt 2 ]; then
+    usage
+fi
+
+if [ "$1" = 'ALL' ]; then
+    JAILS=$(jls name)
+fi
+if [ "$1" != 'ALL' ]; then
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
+fi
+
+## global variables
+TEMPLATE=$2
+bastille_template=${bastille_templatesdir}/${TEMPLATE}
+bastille_template_INCLUDE=${bastille_template}/INCLUDE
+bastille_template_PRE=${bastille_template}/PRE
+bastille_template_CONFIG=${bastille_template}/CONFIG
+bastille_template_FSTAB=${bastille_template}/FSTAB
+bastille_template_PF=${bastille_template}/PF
+bastille_template_PKG=${bastille_template}/PKG
+bastille_template_SYSRC=${bastille_template}/SYSRC
+bastille_template_CMD=${bastille_template}/CMD
+
+for _jail in ${JAILS}; do
+    ## jail-specific variables. 
+    bastille_jail_path=$(jls -j "${_jail}" path)
+
+    echo -e "${COLOR_GREEN}[${_jail}]:${COLOR_RESET}"
+
+    ## INCLUDE
+    if [ -s "${bastille_template_INCLUDE}" ]; then
+        echo -e "${COLOR_GREEN}Detected INCLUDE.${COLOR_RESET}"
+        while read _include; do
+            echo -e "${COLOR_GREEN}${_include}${COLOR_RESET}"
+        done < "${bastille_template_INCLUDE}"
+    fi
+
+    ## pre
+    if [ -s "${bastille_template_PRE}" ]; then
+        echo -e "${COLOR_GREEN}Executing PRE-command(s).${COLOR_RESET}"
+        jexec -l ${_jail} /bin/sh < "${bastille_template_PRE}"
+    fi
+
+    ## config
+    if [ -s "${bastille_template_CONFIG}" ]; then
+        echo -e "${COLOR_GREEN}Copying files...${COLOR_RESET}"
+        while read _dir; do
+            cp -a "${bastille_template}/${_dir}" "${bastille_jail_path}"
+        done < ${bastille_template_CONFIG}
+        echo -e "${COLOR_GREEN}Copy complete.${COLOR_RESET}"
+    fi
+
+    ## fstab
+    if [ -s "${bastille_template_FSTAB}" ]; then
+        bastille_templatefstab=$(cat "${bastille_template_FSTAB}")
+        echo -e "${COLOR_GREEN}Updating fstab.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
+    fi
+
+    ## pf
+    if [ -s "${bastille_template_PF}" ]; then
+        bastille_templatepf=$(cat "${bastille_template_PF}")
+        echo -e "${COLOR_GREEN}Generating PF profile.${COLOR_RESET}"
+        echo -e "${COLOR_GREEN}NOT YET IMPLEMENTED.${COLOR_RESET}"
+    fi
+
+    ## pkg (bootstrap + pkg)
+    if [ -s "${bastille_template_PKG}" ]; then
+        echo -e "${COLOR_GREEN}Installing packages.${COLOR_RESET}"
+        jexec -l "${_jail}" env ASSUME_ALWAYS_YES=YES /usr/sbin/pkg bootstrap
+        jexec -l "${_jail}" /usr/sbin/pkg audit -F
+        jexec -l "${_jail}" /usr/sbin/pkg install $(cat ${bastille_template_PKG})
+    fi
+
+    ## sysrc
+    if [ -s "${bastille_template_SYSRC}" ]; then
+        echo -e "${COLOR_GREEN}Updating services.${COLOR_RESET}"
+        while read _sysrc; do
+            jexec -l ${_jail} /usr/sbin/sysrc "${_sysrc}"
+        done < "${bastille_template_SYSRC}"
+    fi
+
+    ## cmd
+    if [ -s "${bastille_template_CMD}" ]; then
+        echo -e "${COLOR_GREEN}Executing final command(s).${COLOR_RESET}"
+        jexec -l ${_jail} /bin/sh < "${bastille_template_CMD}"
+    fi
+    echo -e "${COLOR_GREEN}Template Complete.${COLOR_RESET}"
+    echo
+done

usr/local/share/bastille/top.sh

@@ -47,11 +47,11 @@ if [ $# -gt 1 ] || [ $# -lt 1 ]; then
 fi
 
 if [ "$1" = 'ALL' ]; then
-    JAILS=$(jls -N name)
+    JAILS=$(jls name)
 fi
 
 if [ "$1" != 'ALL' ]; then
-    JAILS=$(jls -N name | grep "$1")
+    JAILS=$(jls name | grep -E "(^|\b)${1}($|\b)")
 fi
 
 for _jail in ${JAILS}; do

usr/local/share/bastille/update.sh

@@ -49,9 +49,6 @@ fi
 
 RELEASE=$1
 
-echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
-echo -e "${RELEASE}"
-echo
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" fetch install --currently-running ${RELEASE}
 else

usr/local/share/bastille/upgrade.sh

@@ -50,9 +50,6 @@ fi
 RELEASE=$1
 NEWRELEASE=$2
 
-echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
-echo -e "${RELEASE} => ${NEWRELEASE}"
-echo
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" -r ${NEWRELEASE} upgrade
 else

usr/local/share/bastille/verify.sh

@@ -49,9 +49,6 @@ fi
 
 RELEASE=$1
 
-echo -e "${COLOR_RED}Targeting specified release.${COLOR_RESET}"
-echo -e "${RELEASE}"
-echo
 if [ -d "${bastille_releasesdir}/${RELEASE}" ]; then
     freebsd-update -b "${bastille_releasesdir}/${RELEASE}" IDS
 else