Best practice to update jails

Alexander Leidinger Alexander at Leidinger.net
Sat Aug 22 16:40:13 UTC 2009


On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual
<jose.amengual at gmail.com> wrote:

> The server is now 7.0 and was wondering what is the best practice to
> maintain security patches and kernel updates and I came up with the
> following idea:
> 
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third party security
> updates
> 5.- run portupgrade in case of a security update or for apps
> upgrade on the jails.
> 
> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third party apps because
> freebsd-update could upgrade or remove some libraries linked to
> those programs, is this true?, will be better to run a cvsup and
> instead ?

Not if you stay with the same major version of FreeBSD. If you update
from 7 to 8, this may be possible (I don't know, I don't use
freebsd-update, as I either run patched systems, or at least compile
my own kernels), but if you update from 7.x to 7.y, then this would be
an ABI change, which is very very very very much a no no in a
stable-branch (only an important security fix would be allowed to do
something like this, and only if nobody finds another way to do such
a fix without changing the ABI).

So if you stay on the same major version you can use your procedure,
but read the release notes beforehand; such a big-impact change is
announced on a stable branch. It may be the case that we had something
like this once, but I do not remember which major version was affected.

Bye,
Alexander.
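
The rule from the reply above (7.x to 7.y keeps the ABI, a 7 to 8 jump may not) can be checked before running the update. This is an added shell example, not part of the original message; the function names and the sample release strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a planned FreeBSD update by release branch.
# Inputs are release strings in `uname -r` style, e.g. "7.2-RELEASE-p4".

# Print the major version of a release string; return 1 if it is not N.N...
release_major() {
    case "$1" in
        [0-9]*.[0-9]*) major=${1%%.*} ;;
        *) return 1 ;;
    esac
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # reject "7abc.1" and similar
    esac
    printf '%s\n' "$major"
}

# Print same-major, cross-major, downgrade or invalid for FROM -> TO.
update_kind() {
    from=$(release_major "$1") || { echo invalid; return 0; }
    to=$(release_major "$2") || { echo invalid; return 0; }
    if [ "$from" -eq "$to" ]; then
        echo same-major
    elif [ "$from" -lt "$to" ]; then
        echo cross-major
    else
        echo downgrade
    fi
}

# Turn the classification into the advice given in the thread.
ports_advice() {
    case "$(update_kind "$1" "$2")" in
        same-major)  echo "ABI stays stable: keep ports, read the release notes first" ;;
        cross-major) echo "ABI may change: ports may need reinstalling (portupgrade -fa)" ;;
        downgrade)   echo "target is older than the running system: stop and review" ;;
        *)           echo "cannot parse release strings: stop and review" ;;
    esac
}

# Constructed sample pairs (running release, target release).
for pair in "7.0-RELEASE 7.2-RELEASE-p4" "7.2-RELEASE 8.0-RELEASE"; do
    set -- $pair
    printf '%s -> %s: %s\n' "$1" "$2" "$(ports_advice "$1" "$2")"
done
```

On a live host the first argument would come from `uname -r`; the second is the release you intend to move to.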



