From owner-freebsd-virtualization@FreeBSD.ORG Tue Aug 18 22:24:04 2009
From: "Peter Cornelius"
To: freebsd-virtualization@freebsd.org
Date: Tue, 18 Aug 2009 23:57:21 +0200
Message-ID: <20090818215721.23230@gmx.net>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."
Subject: Vimage vs. jails

Hi there,

I just see the vimage changes going into RELENG_8 and I now am
getting my hands dirty, finally. So thanks to all involved.

Just to get my head around this the right way, I understand that
there is no plan to merge vimage and jail into a single jail
utility, right?

I may want a large number of vimages "w/o" jails, or at least a
number of jails "inside" a couple of vimages (reason being the
default route issue raised a while ago).

Thanks again, and

All the best,

Peter.

---

PS. I see a couple of lock order reversals on RELENG_8 which I
would like to report if the build currently running did not address
them -- do we prefer them to a mailing list or to gnats?

From owner-freebsd-virtualization@FreeBSD.ORG Tue Aug 18 22:53:10 2009
From: Julian Elischer
To: Peter Cornelius
Cc: freebsd-virtualization@freebsd.org
Date: Tue, 18 Aug 2009 15:53:09 -0700
Subject: Re: Vimage vs. jails

it's not Vimage vs Jails
but
Vimage as part of Jails.


Peter Cornelius wrote:
> Hi there,
>
> I just see the vimage changes going into RELENG_8 and I now am
> getting my hands dirty, finally. So thanks to all involved.
>
> Just to get my head around this the right way, I understand that
> there is no plan to merge vimage and jail into a single jail
> utility, right?

Actually it IS now all one utility...
Add the 'vnet' option to jail to get it to create a new vnet with the
jail, otherwise it acts as before.

>
> I may want a large number of vimages "w/o" jails, or at least a
> number of jails "inside" a couple of vimages (reason being the
> default route issue raised a while ago).

can you expand on that?

example command lines include:
jail -c host.hostname=test path=/ vnet command=/bin/tcsh
(make a jail with the same root as normal but with a separate
network stack.)


jail -c host.hostname=test path=/ vnet children.max=4 \
     command=/bin/tcsh
(same as above, except the jail made is in turn able to make
up to 4 child jails)

>
> Thanks again, and
>
> All the best,
>
> Peter.
>
> ---
>
> PS. I see a couple of lock order reversals on RELENG_8 which I
> would like to report if the build currently running did not address
> them -- do we prefer them to a mailing list or to gnats?

From owner-freebsd-virtualization@FreeBSD.ORG Tue Aug 18 23:09:11 2009
From: Pierre Guinoiseau
To: Julian Elischer
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Wed, 19 Aug 2009 01:09:09 +0200
Subject: Re: Vimage vs. jails

Hi,

Julian Elischer wrote:
> it's not Vimage vs Jails
> but
> Vimage as part of Jails.
>
>
> Peter Cornelius wrote:
>> Hi there,
>>
>> I just see the vimage changes going into RELENG_8 and I now am
>> getting my hands dirty, finally. So thanks to all involved.
>>
>> Just to get my head around this the right way, I understand that
>> there is no plan to merge vimage and jail into a single jail
>> utility, right?
>
> Actually it IS now all one utility...
> Add the 'vnet' option to jail to get it to create a new vnet with the
> jail, otherwise it acts as before.
>
>>
>> I may want a large number of vimages "w/o" jails, or at least a
>> number of jails "inside" a couple of vimages (reason being the
>> default route issue raised a while ago).
>
> can you expand on that?
>
> example command lines include:
> jail -c host.hostname=test path=/ vnet command=/bin/tcsh
> (make a jail with the same root as normal but with a separate
> network stack.)
>
>
> jail -c host.hostname=test path=/ vnet children.max=4 \
>      command=/bin/tcsh
> (same as above, except the jail made is in turn able to make
> up to 4 child jails)
>

BTW, when will we be able to set those new parameters in rc.conf? The
current jails rc script still uses the old way for setting up (or maybe
did I miss something?), so it doesn't allow adding those new
parameters. :( It may be a desirable feature for 8.0-RELEASE I think.

>
>>
>> Thanks again, and
>>
>> All the best,
>>
>> Peter.
>>
>> ---
>>
>> PS. I see a couple of lock order reversals on RELENG_8 which I
>> would like to report if the build currently running did not address
>> them -- do we prefer them to a mailing list or to gnats?
>

From owner-freebsd-virtualization@FreeBSD.ORG Tue Aug 18 23:28:47 2009
From: Julian Elischer
To: Pierre Guinoiseau
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Tue, 18 Aug 2009 16:28:45 -0700
Subject: Re: Vimage vs. jails

Pierre Guinoiseau wrote:
> Hi,
>
> Julian Elischer wrote:
>> it's not Vimage vs Jails
>> but
>> Vimage as part of Jails.
>>
>>
>> Peter Cornelius wrote:
>>> Hi there,
>>>
>>> I just see the vimage changes going into RELENG_8 and I now am
>>> getting my hands dirty, finally. So thanks to all involved.
>>>
>>> Just to get my head around this the right way, I understand that
>>> there is no plan to merge vimage and jail into a single jail
>>> utility, right?
>> Actually it IS now all one utility...
>> Add the 'vnet' option to jail to get it to create a new vnet with the
>> jail, otherwise it acts as before.
>>
>>> I may want a large number of vimages "w/o" jails, or at least a
>>> number of jails "inside" a couple of vimages (reason being the
>>> default route issue raised a while ago).
>> can you expand on that?
>>
>> example command lines include:
>> jail -c host.hostname=test path=/ vnet command=/bin/tcsh
>> (make a jail with the same root as normal but with a separate
>> network stack.)
>>
>>
>> jail -c host.hostname=test path=/ vnet children.max=4 \
>>      command=/bin/tcsh
>> (same as above, except the jail made is in turn able to make
>> up to 4 child jails)
>>
>
> BTW, when will we be able to set those new parameters in rc.conf? The
> current jails rc script still uses the old way for setting up (or maybe
> did I miss something?), so it doesn't allow adding those new
> parameters. :( It may be a desirable feature for 8.0-RELEASE I think.


The 8.0 vimage/vnet feature is a "feature test" facility.
It allows you to test it out but no-one in their right mind
would tell you to use it in production.

It's been some time since I used the rc.conf method of starting jails
so I can't speak to how much change would be required.
Possibly just the addition of "jail_xxx_extra_params".

I forgot to mention the ifconfig vnet additions too, to allow an
interface to be assigned to a particular jail.

>
>>> Thanks again, and
>>>
>>> All the best,
>>>
>>> Peter.
>>>
>>> ---
>>>
>>> PS. I see a couple of lock order reversals on RELENG_8 which I
>>> would like to report if the build currently running did not address
>>> them -- do we prefer them to a mailing list or to gnats?
>
>

From owner-freebsd-virtualization@FreeBSD.ORG Thu Aug 20 12:13:13 2009
From: "Peter Cornelius"
To: Julian Elischer, geekounet@poildetroll.net
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Thu, 20 Aug 2009 14:13:09 +0200
Subject: Re: Vimage vs. jails

Hi guys,

Thanks for the response, so it wasn't such a bad question after all :)

I "have" to pay toll to wifey & kids for a couple of days and will go on
after that (hoping that the kernels I then build actually run ;-)).

Regards,

Peter.

From owner-freebsd-virtualization@FreeBSD.ORG Thu Aug 20 19:22:51 2009
From: Jose Amengual
To: freebsd-jail@freebsd.org
Cc: freebsd-virtualization@freebsd.org
Date: Thu, 20 Aug 2009 11:50:49 -0700
Subject: Best practice to update jails

Hi guys.

I have a dev server for our developers that holds around 40 jails; each
jail has php, mysql, python etc.

The server is now 7.0 and I was wondering what is the best practice to
maintain security patches and kernel updates, and I came up with the
following idea:

1.- freebsd-update fetch install (host system)
2.- rebuild kernel (I have a custom kernel)
3.- ezjail-update -b (update basejail for all jails)
4.- run portaudit in cron on the jails for third-party security updates
5.- run portupgrade in case of a security update or for apps upgrade on
    the jails.

I read in some forums that if you run freebsd-update you will need to do
a portupgrade -fa to reinstall all the third-party apps because
freebsd-update could upgrade or remove some libraries linked to those
programs. Is this true? Would it be better to run a cvsup instead?

Those are some points of my idea, but reading on the internet I ended up
more confused about what the best way to do this would be.

Any ideas will be much appreciated.

Thanks.

From owner-freebsd-virtualization@FreeBSD.ORG Thu Aug 20 20:34:25 2009
From: Redd Vinylene
To: Jose Amengual
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Thu, 20 Aug 2009 22:10:36 +0200
Subject: Re: Best practice to update jails

On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual wrote:

> Hi guys.
>
> I have a dev server for our developers that holds around 40 jails; each
> jail has php, mysql, python etc.
>
> The server is now 7.0 and I was wondering what is the best practice to
> maintain security patches and kernel updates, and I came up with the
> following idea:
>
> 1.- freebsd-update fetch install (host system)
> 2.- rebuild kernel (I have a custom kernel)
> 3.- ezjail-update -b (update basejail for all jails)
> 4.- run portaudit in cron on the jails for third-party security updates
> 5.- run portupgrade in case of a security update or for apps upgrade on
>     the jails.
>
> I read in some forums that if you run freebsd-update you will need to do
> a portupgrade -fa to reinstall all the third-party apps because
> freebsd-update could upgrade or remove some libraries linked to those
> programs. Is this true? Would it be better to run a cvsup instead?
>
> Those are some points of my idea, but reading on the internet I ended up
> more confused about what the best way to do this would be.
>
> Any ideas will be much appreciated.
>
> Thanks.
>

Hi, here's how I do it, hope it helps:

http://pastie.org/590295

Redd Vinylene

--
http://www.home.no/reddvinylene

From owner-freebsd-virtualization@FreeBSD.ORG Thu Aug 20 21:28:43 2009
From: Redd Vinylene
To: jose.amengual@gmail.com, freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Thu, 20 Aug 2009 23:28:39 +0200
Subject: Re: Best practice to update jails

On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:

> any reason of why you do not use freebsd-update ?
>
> Thanks.

I think most people prefer to build from source. I do, at least.

--
http://www.home.no/reddvinylene

From owner-freebsd-virtualization@FreeBSD.ORG Fri Aug 21 17:59:11 2009
From: Andrew Hotlab
Date: Fri, 21 Aug 2009 17:47:10 +0000
Subject: RE: Best practice to update jails

> Date: Thu, 20 Aug 2009 23:28:39 +0200
> From: reddvinylene@gmail.com
> To: jose.amengual@gmail.com; freebsd-jail@freebsd.org; freebsd-virtualization@freebsd.org
> CC:
> Subject: Re: Best practice to update jails
>
> On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:
>
>> any reason of why you do not use freebsd-update ?
>>
>> Thanks.
>
>
> I think most people prefer to build from source. I do, at least.
>

We manage some jail host systems both for production and development
(since 6.2-RELEASE), and we found the best support in the
"build-from-source" upgrade method.

Here are the main steps we follow for a release-step upgrade (since we
have a few hosts to manage, we are using a dedicated build server, but
the first three steps might be executed on the host machine itself):

 1. sync sources from a local cvsup-mirror to the build host;
 2. make binaries on the build host (once per architecture we are
    supporting);
 3. mount /usr/src and /usr/obj via NFS on all systems to be upgraded;
 4. run mergemaster in pre-buildworld mode (once for the host and once
    for each jail with the -D flag);
 5. install the new kernel on the host we are upgrading;
 6. reboot the host with the new kernel in single user mode;
 7. install the new userland for the host and for the basejail (we are
    using the ezjail framework);
 8. run mergemaster on the host to align its configuration files to the
    new release;
 9. boot into multi user mode;
10. run mergemaster with the -D flag to update each jail's configuration
    files;
11. run "make delete-old" and "make delete-old-libs" on both host and
    jail systems (using the DESTDIR variable).

In our environment, this type of upgrade process has proved to be the
most effective and reliable, both for tracking the errata branch and for
upgrading between minor and major releases. Obviously it needs you to be
quite knowledgeable about the build(7) process, but IMO time spent
studying is always time spent well! :)

Andrew

From owner-freebsd-virtualization@FreeBSD.ORG Sat Aug 22 16:57:52 2009
From: Alexander Leidinger
To: Jose Amengual
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Sat, 22 Aug 2009 18:40:01 +0200
Subject: Re: Best practice to update jails

On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual wrote:

> The server is now 7.0 and I was wondering what is the best practice to
> maintain security patches and kernel updates, and I came up with the
> following idea:
>
> 1.- freebsd-update fetch install (host system)
> 2.- rebuild kernel (I have a custom kernel)
> 3.- ezjail-update -b (update basejail for all jails)
> 4.- run portaudit in cron on the jails for third-party security updates
> 5.- run portupgrade in case of a security update or for apps upgrade on
>     the jails.
>
> I read in some forums that if you run freebsd-update you will need to do
> a portupgrade -fa to reinstall all the third-party apps because
> freebsd-update could upgrade or remove some libraries linked to those
> programs. Is this true? Would it be better to run a cvsup instead?

Not if you stay with the same major version of FreeBSD. If you update
from 7 to 8, this may be possible (I don't know, I don't use
freebsd-update, as I either run patched systems, or at least compile my
own kernels), but if you update from 7.x to 7.y, then this would be an
ABI change, which is very very very very much a no no in a stable-branch
(only an important security fix would be allowed to do something like
this, and only if nobody finds another way to do such a fix without
changing the ABI).

So if you stay on the same major version you can use your procedure, but
read the release notes before, such a big impact change is announced on
a stable branch. It may be the case that we had something like this
once, but I do not remember which major version was affected.

Bye,
Alexander.
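
The source-based upgrade order from Andrew Hotlab's 11-step list (steps 4 to 11), written out as commands. This is an added example, not code posted by anyone in the thread. Assumed values: an ezjail layout under /usr/jails with the shared userland in /usr/jails/basejail, the GENERIC kernel config, a make that accepts -C, and the jail names passed as arguments; steps 1 to 3 (sync, build, NFS mount) and the two reboots happen outside the script.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the upgrade commands (APPLY=0,
# the default) or also runs them (APPLY=1) in the order of the 11-step list.
# Assumed values: SRC, JAILDIR, BASEJAIL, KERNCONF and the jail names.
# Use: source this file, then call one phase at a time between the reboots,
# e.g.  APPLY=1; phase_prepare web1 db1

SRC=${SRC:-/usr/src}
JAILDIR=${JAILDIR:-/usr/jails}            # assumed ezjail root
BASEJAIL=${BASEJAIL:-$JAILDIR/basejail}   # assumed shared userland
KERNCONF=${KERNCONF:-GENERIC}
APPLY=${APPLY:-0}

# step: print one command; execute it as well only when APPLY=1.
step() {
    printf '%s\n' "$*"
    if [ "$APPLY" = "1" ]; then
        "$@" || { echo "FAILED: $*" >&2; return 1; }
    fi
}

# Steps 4-5: on the running host, before the reboot.
# mergemaster -p checks only the files installworld depends on.
phase_prepare() {
    step mergemaster -p || return 1
    for j in "$@"; do
        step mergemaster -p -D "$JAILDIR/$j" || return 1
    done
    step make -C "$SRC" installkernel KERNCONF="$KERNCONF"
}

# Steps 7-8: after booting the new kernel into single-user mode (step 6).
# The userland is installed once for the host and once for the basejail.
phase_single_user() {
    step make -C "$SRC" installworld || return 1
    step make -C "$SRC" installworld DESTDIR="$BASEJAIL" || return 1
    step mergemaster
}

# Steps 10-11: once the host is back in multi-user mode (step 9).
# Each jail has its own /etc, so mergemaster runs per jail; stale files
# are removed from the host and from the basejail.
phase_finish() {
    for j in "$@"; do
        step mergemaster -D "$JAILDIR/$j" || return 1
    done
    for target in delete-old delete-old-libs; do
        step make -C "$SRC" "$target" || return 1
        step make -C "$SRC" "$target" DESTDIR="$BASEJAIL" || return 1
    done
}

# plan: always a dry run; prints the whole sequence with the manual
# reboot points marked. Runs in a subshell so APPLY is not changed.
plan() (
    APPLY=0
    phase_prepare "$@" || exit 1
    echo "# reboot: new kernel, single-user mode"
    phase_single_user || exit 1
    echo "# exit to multi-user mode"
    phase_finish "$@"
)

# Running the file with jail names as arguments prints the plan.
if [ "$#" -gt 0 ]; then
    plan "$@"
fi
```

Reviewing the printed plan before setting APPLY=1 shows exactly which jail directories each mergemaster run will touch.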