a methodology to do a binary update on a jailed system

doug at safeport.com
Mon Aug 25 23:03:28 UTC 2014

This documents the method I used to use freebsd-update to update a jail host, 
and a guest jail. I then installed a second jail after the updates to test that 
the basejail was updated correctly. This method follows the methodology laid 
out by Kozlov Sergey on the ezjail mailing list. His outline works. I have 
included a bit more detail here.

The method I followed is basically doing the following steps:

    shutdown jail[s] and host system services
    freebsd-update [fetch|update]  -- host system
    freebsd-update install
    freebsd-update [fetch|update]  -- basejail
    freebsd-update install
    freebsd-update [fetch|update]  -- each jail
    freebsd-update install
    set rc.conf so jail[s] do not start
    freebsd-update install
    reboot [or not, as instructed; I usually reboot anyway]

In this test I started with a 9.1-RC3 system, upgraded it to 9.2, installed 
ezjail and some other stuff and added a jail. I then followed the above to 
update the systems to 9.3.

To do this two freebsd-update.conf files are needed:

     Components world/base world/lib32
     IgnorePaths /etc /root /var /usr/games /usr/home /usr/local /usr/obj
     StrictComponents yes
     ServerName  ---\___ copied from /etc/freebsd-update.conf
     KeyPrint    ---/

     IgnorePaths /bin /boot /home /lib /libexec /proc /rescue /sbin /sys /tmp \
       /usr/bin /usr/sbin /usr/include /usr/lib /usr/lib32 /usr/libdata \
       /usr/libexec /usr/share /usr/src
     ServerName ...
     KeyPrint ...

I found by trial and error that ServerName and KeyPrint are required, either on 
the command line or in the file (my choice). You must tailor the Components line 
in the base jail conf file. I did not have lib32 installed on the host system 
but left it in to see what would happen. Basejail and the jail I created were 
updated to include /usr/lib32 without (I assume) the supporting kernel stuff. 
That probably does not hurt but ...

The commands used are then:

base: freebsd-update -b /usr/jails/basejail -f freebsd-update-basejail.conf <cmd>
jail: freebsd-update -b /usr/jails/jail1 -f freebsd-update-jails.conf <cmd>

It would seem to me this method will work for any jail system where the jails 
share a base via symlinks. I have not tested going across a major version. That 
has the added complexity of updating the ports. I found that the ezjail source 
update worked as documented.

Douglas Denault
doug at safeport.com
Voice: 301-217-9220
   Fax: 301-217-9277
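
Added example, not part of the original post: a small sh script that writes the two conf files described above by copying ServerName and KeyPrint from the host configuration, and refuses to produce a file if either is missing. `conf_line` and `gen_conf` are hypothetical helper names, the sample host config is constructed, and the first conf file in the post is taken to be the basejail one because it carries the Components line.

```shell
#!/bin/sh
# Build the basejail and per-jail freebsd-update conf files from the post,
# carrying ServerName and KeyPrint over from the host's own configuration.

# Print the last active "<directive> <value>" line of a conf file.
# Commented-out lines ("# KeyPrint ...") are skipped because $1 is "#".
conf_line() {  # $1 = directive, $2 = source conf
    awk -v k="$1" '$1 == k && NF >= 2 { line = $0 }
        END { if (line == "") exit 1; print line }' "$2"
}

# Emit one conf file on stdout; nothing is printed unless both values exist.
gen_conf() {  # $1 = basejail|jail, $2 = source conf
    kind=$1 src=$2
    server=$(conf_line ServerName "$src") ||
        { echo "ServerName missing in $src" >&2; return 1; }
    key=$(conf_line KeyPrint "$src") ||
        { echo "KeyPrint missing in $src" >&2; return 1; }
    case $kind in
    basejail)
        # Tailor Components to what is installed (the post notes lib32).
        echo "Components world/base world/lib32"
        echo "IgnorePaths /etc /root /var /usr/games /usr/home /usr/local /usr/obj"
        echo "StrictComponents yes" ;;
    jail)
        echo "IgnorePaths /bin /boot /home /lib /libexec /proc /rescue /sbin /sys /tmp /usr/bin /usr/sbin /usr/include /usr/lib /usr/lib32 /usr/libdata /usr/libexec /usr/share /usr/src" ;;
    *)
        echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    echo "$server"
    echo "$key"
}

# Constructed stand-in for /etc/freebsd-update.conf (placeholder values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# KeyPrint 0000-commented-out-constructed
KeyPrint 1111constructedfingerprint1111
ServerName update.example.org
Components src world kernel
EOF

# On a real host: gen_conf basejail /etc/freebsd-update.conf > freebsd-update-basejail.conf
gen_conf basejail "$sample"
gen_conf jail "$sample"
rm -f "$sample"
```

Redirect each call's output to `freebsd-update-basejail.conf` and `freebsd-update-jails.conf` to match the `-f` arguments in the commands above.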