Best practice to update jails

Simon L. Nielsen simon at FreeBSD.org
Tue Aug 25 18:26:59 UTC 2009


[Don't cc virtualization - no reason for cross post]

On 2009.08.20 22:10:36 +0200, Redd Vinylene wrote:
> On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual <jose.amengual at gmail.com> wrote:
> 
> > I have a dev server for our developers that holds around 40 jails, each
> > jail has php, mysql, python etc.
> >
> > The server is now 7.0 and was wondering what is the best practice to
> > maintain security patches and kernel updates and I came out with the
> > following idea :
> >
> > 1.- freebsd-update fetch install ( host system)
> > 2.- rebuild kernel ( I have a custom kernel )
> > 3.- ezjail-update -b ( update basejail for all jails )
> > 4.- run in cron portaudit on the jails for third-party security updates
> > 5.- run portupgrade in case of a security update or for apps upgrade on the
> > jails.
> >
> > I read in some forums that if you run freebsd-update you will need to do a
> > portupgrade -fa to reinstall all the third-party apps because freebsd-update
> > could upgrade or remove some libraries linked to those programs. Is this
> > true? Would it be better to run cvsup instead?

There is no difference wrt. ports on freebsd-update and make world.
For major versions you need to recompile all ports, for minor versions
you don't.

Personally I use ezjail to manage a similar development setup, and I
recently upgraded 7.1 -> 7.2 using 'ezjail-admin install' (or
something like that).  I quite often upgrade the host system and wait
with the jails so you don't have to do it all in one go (though it
might be simpler in).

Other people mention that "most people" use source-based solutions - I'm
far from sure about that; at least unless you are running a modified
FreeBSD or not -RELEASE, there is generally not any reason to compile
it all yourself.

> here's how I do it, hope it helps: http://pastie.org/590295

This does make installworld into the jail from the host - it should be
mentioned that you should never do this if you use the jails for
security isolation, as the jail root would likely be able to perform a
symlink attack.  I haven't ever actually looked at how it could be
done, but installworld isn't made to be "secure" against such things.

-- 
Simon L. Nielsen
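Given the installworld warning above, the following is a host-side pre-flight check added here as an example; it is not part of the thread or of ezjail or any FreeBSD tool. The JAIL_TARGETS list and the reliance on readlink -f are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a host-side pre-flight check for the
# "installworld into the jail from the host" case warned about above.  It
# refuses when a directory installworld writes into (or a parent of it) is a
# symlink, since the jail's root user controls where such a link points, and
# when any symlink in the tree resolves to a path outside the jail root.
# JAIL_TARGETS is an assumed list of the usual installworld destinations.
JAIL_TARGETS="bin sbin lib libexec etc boot usr/bin usr/sbin usr/lib usr/libexec usr/share"

# check_jail_tree JAILROOT -> returns 0 if nothing suspicious was found, else 1
check_jail_tree() {
    root=$(cd -- "$1" 2>/dev/null && pwd -P) || { echo "no such dir: $1" >&2; return 1; }
    rc=0
    # 1. walk each destination component by component, refusing on any symlink
    for t in $JAIL_TARGETS; do
        d=$root
        for comp in $(printf '%s' "$t" | tr '/' ' '); do
            d="$d/$comp"
            if [ -L "$d" ]; then
                echo "REFUSE: $d is a symlink -> $(readlink -- "$d")" >&2
                rc=1
                break
            fi
        done
    done
    # 2. every symlink under the jail must resolve inside the jail root
    #    (links readlink -f cannot resolve are skipped: a known limitation)
    escapes=$(find "$root" -type l -exec sh -c '
        root=$1; shift
        for l; do
            t=$(readlink -f -- "$l" 2>/dev/null) || continue
            case "$t" in "$root"|"$root"/*) ;; *) printf "ESCAPE: %s -> %s\n" "$l" "$t" ;; esac
        done' sh "$root" {} +)
    [ -z "$escapes" ] || { printf '%s\n' "$escapes" >&2; rc=1; }
    return $rc
}

# usage: sh checkjail.sh /usr/jails/dev01 && make installworld DESTDIR=/usr/jails/dev01
if [ $# -eq 1 ]; then
    check_jail_tree "$1"
fi
```

The check only covers the window between running it and installworld finishing, so it lowers the risk for a stopped jail rather than making installworld into a running jail safe.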

