Date:      Tue, 25 Aug 2009 20:26:57 +0200
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        Redd Vinylene <reddvinylene@gmail.com>
Cc:        Jose Amengual <jose.amengual@gmail.com>, freebsd-jail@freebsd.org
Subject:   Re: Best practice to update jails
Message-ID:  <20090825182656.GA1446@arthur.nitro.dk>
In-Reply-To: <f1019d520908201310t6e117e25wf46c59fa4624fdb2@mail.gmail.com>
References:  <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> <f1019d520908201310t6e117e25wf46c59fa4624fdb2@mail.gmail.com>

[Don't cc virtualization - no reason for cross post]

On 2009.08.20 22:10:36 +0200, Redd Vinylene wrote:
> On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual <jose.amengual@gmail.com> wrote:
> 
> > I have a dev server for our developers that holds around 40 jails, each
> > jail has php, mysql, python etc.
> >
> > The server is now 7.0 and I was wondering what the best practice is to
> > maintain security patches and kernel updates, and I came up with the
> > following idea:
> >
> > 1.- freebsd-update fetch install ( host system)
> > 2.- rebuild kernel ( I have a custom kernel )
> > 3.- ezjail-update -b ( update basejail for all jails )
> > 4.- run in cron portaudit on the jails for third party security updates
> > 5.- run portupgrade in case of a security update or for apps upgrade on the
> > jails.
> >
> > I read in some forums that if you run freebsd-update you will need to do a
> > portupgrade -fa to reinstall all the third party apps because freebsd-update
> > could upgrade or remove some libraries linked to those programs, is this
> > true? Would it be better to run a cvsup instead?

There is no difference wrt. ports on freebsd-update and make world.
For major versions you need to recompile all ports, for minor versions
you don't.

Personally I use ezjail to manage a similar development setup, and I
recently upgraded 7.1 -> 7.2 using 'ezjail-admin install' (or
something like that).  I quite often upgrade the host system and wait
with the jails so you don't have to do it all in one go (though it
might be simpler in).

Other people mention that "most people" use use based solutions - I'm
far from sure about that, at least unless you are running a modified
FreeBSD or not -RELEASE, there is generally not any reason to compile
it all yourself.

> here's how I do it, hope it helps: http://pastie.org/590295

This does make installworld into the jail from the host - it should be
mentioned that you should never do this if you use the jails for
security isolation as the jail root would likely be able to perform a
symlink attack.  I haven't ever actually looked at how it could be
done, but installworld isn't made to be "secure" against such things.

-- 
Simon L. Nielsen
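
The warning above is about the host writing into a tree that the jail's root controls. As an added example (not from this thread or the linked script), the sh function below lists symlinks under a jail root that a host-side process would follow out of that tree; the function names and the sample tree are constructed for illustration, and the scan assumes the jail is stopped.

```shell
#!/bin/sh
# Added example, not from the thread. Lists symlinks under a jail root that a
# host-side process would follow to a location outside that root.
# Assumption: the jail is stopped, so no link can be swapped after the scan.

escaping_symlinks() {   # usage: escaping_symlinks JAILROOT
    CDPATH=
    root=$(cd -P -- "$1" && pwd -P) || return 2
    find "$root" -type l | LC_ALL=C sort | while IFS= read -r link; do
        target=$(readlink "$link")
        if [ -d "$link" ]; then
            # Points at a directory: resolve it the way the host kernel would.
            real=$(cd -P -- "$link" 2>/dev/null && pwd -P) || real=
        else
            # File or dangling link: resolve the directory a write would land in.
            case $target in
                */*) tdir=${target%/*}; [ -n "$tdir" ] || tdir=/ ;;
                *)   tdir=. ;;
            esac
            real=$(cd -P -- "${link%/*}" && cd -P -- "$tdir" 2>/dev/null &&
                   pwd -P) || real=
        fi
        case $real/ in
            "$root"/*) ;;   # stays inside the jail tree
            *) printf '%s -> %s\n' "${link#"$root"/}" "$target" ;;
        esac
    done
}

make_sample_jail() {    # constructed sample tree, not a real jail
    mkdir -p "$1/etc" "$1/usr/lib" "$1/var"
    : > "$1/usr/lib/libc.so.7"
    ln -s ../usr/lib/libc.so.7 "$1/etc/ok_relative"  # resolves inside
    ln -s /etc/master.passwd   "$1/etc/abs_file"     # host's own /etc
    ln -s ../..                "$1/var/climb"        # parent of the root
    ln -s ../..                "$1/usr/lib/s"        # the root itself: fine
    ln -s s/../x               "$1/usr/lib/hop"      # leaves the root via s
}

demo=$(mktemp -d) && make_sample_jail "$demo/jail" &&
    escaping_symlinks "$demo/jail"
rm -rf "$demo"
```

The output describes the tree at scan time only, which is why the jail has to be stopped for the result to mean anything.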