From owner-freebsd-jail@FreeBSD.ORG Tue Aug 25 18:26:59 2009
Date: Tue, 25 Aug 2009 20:26:57 +0200
From: "Simon L. Nielsen"
To: Redd Vinylene
Cc: Jose Amengual, freebsd-jail@freebsd.org
Subject: Re: Best practice to update jails
Message-ID: <20090825182656.GA1446@arthur.nitro.dk>
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
User-Agent: Mutt/1.5.20 (2009-06-14)

[Don't cc virtualization - no reason for cross post]

On 2009.08.20 22:10:36 +0200, Redd Vinylene wrote:
> On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual wrote:
>
> > I have a dev server for our developers that holds around 40 jails, each
> > jail has php, mysql, python etc.
> >
> > The server is now 7.0 and was wondering what is the best practice to
> > maintain security patches and kernel updates and I came out with the
> > following idea:
> >
> > 1.- freebsd-update fetch install ( host system)
> > 2.- rebuild kernel ( I have a custom kernel )
> > 3.- ezjail-update -b ( update basejail for all jails )
> > 4.- run in cron portaudit on the jails for third party security updates
> > 5.- run portupgrade in case of a security update or for apps upgrade on the
> > jails.
> >
> > I read in some forums that if you run freebsd-update you will need to do a
> > portupgrade -fa to reinstall all the third party apps because freebsd-update
> > could upgrade or remove some libraries linked to those programs. Is this
> > true? Would it be better to run cvsup instead?

There is no difference wrt. ports on freebsd-update and make world. For
major versions you need to recompile all ports, for minor versions you
don't.

Personally I use ezjail to manage a similar development setup, and I
recently upgraded 7.1 -> 7.2 using 'ezjail-admin install' (or something
like that). I quite often upgrade the host system and wait with the
jails so you don't have to do it all in one go (though it might be
simpler in).

Other people mention that "most people" use source-based solutions - I'm
far from sure about that, at least unless you are running a modified
FreeBSD or not -RELEASE, there is generally not any reason to compile it
all yourself.

> here's how I do it, hope it helps: http://pastie.org/590295

This does make installworld into the jail from the host - it should be
mentioned that you should never do this if you use the jails for
security isolation as the jail root would likely be able to perform a
symlink attack. I haven't ever actually looked at how it could be done,
but installworld isn't made to be "secure" against such things.

-- 
Simon L. Nielsen
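The symlink hazard Simon raises has a simple pre-flight check a host admin can run before any `make installworld DESTDIR=<jailroot>` (or before letting ezjail copy into a jail tree): walk the jail's filesystem and list every symlink whose target, resolved from the host's point of view, lands outside the jail root. A link such as `/etc/rc.conf -> /etc/rc.conf.local` is harmless inside the jail but is followed by the host's install with host privileges, so any hit means the tree is not safe to write into from the host. The script below is an added example for this thread, not code from the thread, from ezjail or from the FreeBSD build system; it assumes only POSIX sh, `find`, `readlink -f` and `mktemp`, and the demo tree it builds is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for installworld into a
# jail tree from the host. Lists symlinks under JAILROOT that the HOST would
# resolve to a path outside JAILROOT. installworld follows such links with the
# host's privileges, so a jail-side root who planted one could redirect writes
# onto the host filesystem. An empty result is the only "safe to proceed" answer.

# escaping_symlinks JAILROOT
# Prints "link -> resolved_target" for every symlink under JAILROOT whose target
# resolves outside JAILROOT (links that cannot be resolved are reported too, as
# a conservative choice). Prints nothing when the tree is clean. Returns 2 if
# JAILROOT is not a directory.
escaping_symlinks() {
    root=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such dir: $1" >&2; return 2; }
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        # readlink -f canonicalises the whole chain from the host's point of
        # view, which is exactly how a host-side installworld would see it.
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$root"|"$root"/*) ;;                       # stays inside the jail
            *) printf '%s -> %s\n' "$link" "$target" ;; # escapes: report it
        esac
    done
}

# jail_tree_is_clean JAILROOT
# Exit 0 when no escaping symlinks exist, 1 when at least one does, 2 on error.
jail_tree_is_clean() {
    hits=$(escaping_symlinks "$1") || return 2
    [ -z "$hits" ]
}

# make_demo_tree
# Builds a constructed (not real) jail tree under a temp dir and prints its
# root. It contains one harmless relative link (usr/local_lib -> ../lib) and
# one absolute link (etc/host_rc_conf -> /etc/rc.conf) that is fine from
# inside the jail but resolves to the HOST's /etc when followed from outside.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/jail/usr/lib" "$d/jail/etc"
    ln -s ../lib "$d/jail/usr/local_lib"
    ln -s /etc/rc.conf "$d/jail/etc/host_rc_conf"
    printf '%s\n' "$d/jail"
}

# Usage: sh check_jail_symlinks.sh /usr/jails/dev01   (path is a placeholder)
if [ $# -gt 0 ]; then
    if jail_tree_is_clean "$1"; then
        echo "$1: no escaping symlinks, safe to install into from the host"
    else
        echo "$1: REFUSING - escaping symlinks found:" >&2
        escaping_symlinks "$1" >&2
        exit 1
    fi
fi
```

Run it against the jail's root directory right before the install step; a non-empty listing should stop the procedure. The check is deliberately conservative: it reports unresolvable links as well, and it resolves paths the way the host does (via `readlink -f`), because that is the view installworld actually has of the tree.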