From: Jase Thew
Date: Wed, 26 Aug 2009 13:02:03 +0100
To: freebsd-jail@freebsd.org
Subject: Re: Best practice to update jails
Message-ID: <4A95243B.4000100@beardz.net>

On 25/08/2009 19:36, Eirik Øverby wrote:
> On 20. aug. 2009, at 20.50, Jose Amengual wrote:
>
>> Hi guys.
>>
>> I have a dev server for our developers that holds around 40 jails,
>> each jail has php, mysql, python etc.
>>
>> The server is now 7.0 and was wondering what is the best practice to
>> maintain security patches and kernel updates and I came up with the
>> following idea:
>>
>> 1.- freebsd-update fetch install (host system)
>> 2.- rebuild kernel (I have a custom kernel)
>> 3.- ezjail-update -b (update basejail for all jails)
>> 4.- run in cron portaudit on the jails for third-party security updates
>> 5.- run portupgrade in case of a security update or for apps upgrade
>> on the jails.
>
> sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
> installworld etc. Newer versions (not yet in ports) support using
> 'template jails'. The latter is what we use.
>
> Basically the update procedure goes like this: freebsd-update the
> template jail, freebsd-update the host, reboot. I have found
> freebsd-update to be an incredible time-saver compared to
> buildworld/installworld, and the IDS function included - despite not
> being a really efficient IDS tripwire-style - is extremely useful for
> us in determining which of our multiple-dozen jails need updates of
> binaries or configuration.
>
> /Eirik

ezjail can also utilise a pre-built /usr/obj to upgrade the base jail
and already uses a templating system, fwiw.

Jase.
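
Added example (not part of the original message or of any tool named in it): a sketch of the triage Eirik describes, sorting `freebsd-update IDS` findings for a jail into changed binaries versus changed files under /etc. The sample lines are constructed, the exact wording of IDS output is an assumption, and the jail root paths passed to `audit_jails` are hypothetical.

```shell
#!/bin/sh
# Added example: classify `freebsd-update IDS` findings per jail.

# Constructed sample input. Assumption: IDS reports mismatches as
# "<path> has <attribute>, but should have <attribute>."
sample_ids_output() {
cat <<'EOF'
/bin/ls has SHA256 hash aaaa, but should have SHA256 hash bbbb.
/etc/ssh/sshd_config has SHA256 hash cccc, but should have SHA256 hash dddd.
/etc/passwd has SHA256 hash eeee, but should have SHA256 hash ffff.
/usr/sbin/sshd has 0755 permissions, but should have 0555 permissions.
EOF
}

# Read IDS output on stdin; count mismatches under /etc separately
# from everything else (base-system binaries, libraries, ...).
classify_ids() {
    awk '
        / but should / {
            if ($1 ~ /^\/etc\//) config++; else binaries++
        }
        END { printf "binaries=%d config=%d\n", binaries, config }
    '
}

# Turn the counts into the decision the thread cares about:
# does this jail need a binary update, a config review, or both?
jail_verdict() {
    summary=$(classify_ids)
    case "$summary" in
        "binaries=0 config=0") echo "clean" ;;
        "binaries=0 "*)        echo "config-only" ;;
        *" config=0")          echo "binaries-only" ;;
        *)                     echo "binaries+config" ;;
    esac
}

# Run IDS against each jail root given as an argument (FreeBSD, as root).
# -b makes freebsd-update operate on the tree at that base directory.
audit_jails() {
    for root in "$@"; do
        printf '%s: ' "$root"
        freebsd-update -b "$root" IDS 2>/dev/null | jail_verdict
    done
}

# Demo on the constructed sample so the script runs anywhere.
sample_ids_output | classify_ids
```

Files under /etc are routinely edited per jail, so a "config-only" verdict usually means review rather than compromise; unexpected "binaries" findings are the ones to investigate first.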