How to better update a jail host system

Andrew Hotlab andrew.hotlab at hotmail.com
Thu Dec 20 05:34:53 PST 2007


> -----Original Message-----
> From: Alexander Leidinger [mailto:Alexander at Leidinger.net]
> Sent: Thursday, December 20, 2007 8:35 AM
> To: Andrew Hotlab
> Cc: FreeBSD-Jail
> Subject: Re: How to better update a jail host system
> 
> > To track the security branch both on the host and the jails I'm
> > using the "update from source" method: I synchronize the source tree
> > with csup(1), build and install the kernel, build and install the
> > userland for the host first and then for the jails (using the
> > ezjail-admin(1) "update -i" switch).
> 
> You should maybe use "make delete-old DESTDIR=/path/to/basejail" (and
> delete-old-libs after making sure all ports which depend upon the old
> files (check-old-files lists the old files) are rebuilt with the new
> ones) in the src directory. On a -stable branch there should be not
> much removed, but if you keep the system over several releases, it's
> handy.

That's a good point: I was missing it... I thought that all that would be done by "ezjail-admin upgrade" :)


> > All that is working fine now, but I wonder if I could speed up the
> > whole process, by switching to the binary update method. By using
> > the freebsd-update(8) utility on the host I think to maintain the
> > system cleaner (this utility only updates the installed
> > distributions) and to reduce the administrative effort (no
> > mergemaster(8) required, am I right?).
> 
> I don't know how freebsd-update handles the changes in /etc, but it
> can not do magic (for the update you have to update the basejail, and
> as such freebsd-update doesn't know about the etc directory of each
> jail), so something like mergemaster has to be done. I also don't know
> how it handles old (removed) files, maybe it doesn't touch them, to be
> on the safe side.

That's another aspect I wasn't thinking of. How important might it be to update files in the /etc directory in the jails, when tracking the security branch?


> Regarding the distributions which you haven't installed: you can
> exclude parts from building/installation. If you have a 7.x system,
> you can do "man src.conf" for all the options
> (http://www.freebsd.org/cgi/man.cgi?query=src.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html).
> 6.x has similar options, but
> IIRC you have to specify them in
> make.conf.

I definitely think I'll do that from now on, and I'll likely continue upgrading the host by building it from sources: I'll have to maintain the sources anyway, because of the ezjail update procedure, and there will be some kernel modifications that I'll need in the future to improve performance on the host system (for example, do you think it would be a nice idea to build nullfs support into the kernel?).

Thanks for your suggestions.


Andrew



