from stable/9 to stable/10: some questions

Michael Grimm trashcan at odo.in-berlin.de
Mon Dec 16 17:52:19 UTC 2013


Hi --

I recently upgraded one of my servers from stable/9 to stable/10 which worked pretty well.

But, there are some questions left:

1) ezjail/jails
---------------
I am using ezjail to administrate my jails. During jail startup I will get warnings like:

| WARNING: Per-jail configuration via jail_* variables is obsolete.
| Please consider to migrate to /etc/jail.conf.

I did read the corresponding section in /usr/src/UPDATING, but I do have to admit that I do not understand clearly whether it is safe to wait for a modified ezjail port, or better get that fixed by myself. All jails are running as expected, though.

2) portaudit/jailaudit
----------------------
poudriere tells me that the portaudit port is obsolete now, and that I should use "pkg audit" instead. Well that's ok, but now the jailaudit port is skipped because it depends on portaudit.

Well, I did find /usr/local/etc/periodic/security/410.pkg-audit, but that lacks the functionality to check security vulnerabilities of my ports running in jails.

3) /usr/local/etc/periodic/daily/490.status-pkg-changes
-------------------------------------------------------
Again, this script lacks the functionality to monitor changes in installed packages in jails.



Regarding 2) and 3) I hacked two scripts to deal with jails. Actually, I "stole" code from the portaudit, jailaudit, and 490.status-pkg-changes. Both scripts are kept in /usr/local/etc/periodic/daily and /usr/local/etc/periodic/security respectively and are triggered by specific configuration variables in /etc/periodic.conf.

IMHO it would be better to deal with jails within 410.pkg-audit and 490.status-pkg-changes, preferably triggered by configuration variables on demand, only.

Doing that professionally for FreeBSD is far beyond my own scripting capabilities, sorry. But if someone is willing to add monitoring of vulnerabilities of ports installed in jails and monitoring changes in installed packages in jails, and if that person will be interested in getting my dirty hacked scripts, just let me know.

Regards and thanks to all persons involved in getting FBSD 10 done,
Michael


