From: "Andrew Hotlab"
To: "freebsd-jail"
Date: Thu, 20 Dec 2007 14:34:35 +0100
Subject: RE: How to better update a jail host system

> -----Original Message-----
> From: Alexander Leidinger [mailto:Alexander@Leidinger.net]
> Sent: Thursday, December 20, 2007 8:35 AM
> To: Andrew Hotlab
> Cc: FreeBSD-Jail
> Subject: Re: How to better update a jail host system
>
> > To track the security branch both on the host and the jails I'm
> > using the "update from source" method: I synchronize the source tree
> > with csup(1), build and install the kernel, build and install the
> > userland for the host first and then for the jails (using the
> > ezjail-admin(1) "update -i" switch).
>
> You should maybe use "make delete-old DESTDIR=/path/to/basejail" (and
> delete-old-libs after making sure all ports which depend upon the old
> files (check-old-files lists the old files) are rebuilt with the new
> ones) in the src directory. On a -stable branch there should be not
> much removed, but if you keep the system over several releases, it's
> handy.

That's a good point: I was missing it... I thought that all that would be done by "ezjail-admin upgrade" :)

> > All that is working fine now, but I wonder if I could speed up the
> > whole process, by switching to the binary update method. By using
> > the freebsd-update(8) utility on the host I think to maintain the
> > system cleaner (this utility only updates the installed
> > distributions) and to reduce the administrative effort (no
> > mergemaster(8) required, am I right?).
>
> I don't know how freebsd-update handles the changes in /etc, but it
> can not do magic (for the update you have to update the basejail, and
> as such freebsd-update doesn't know about the etc directory of each
> jail), so something like mergemaster has to be done. I also don't know
> how it handles old (removed) files, maybe it doesn't touch them, to be
> on the safe side.

That's another aspect I wasn't thinking of. How important might it be to update files in the /etc directory in the jails, when tracking the security branch?

> Regarding the distributions which you haven't installed: you can
> exclude parts from building/installation. If you have a 7.x system,
> you can do "man src.conf" for all the options
> (http://www.freebsd.org/cgi/man.cgi?query=src.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html).
> 6.x has similar options, but IIRC you have to specify them in
> make.conf.

I definitely think I'll do that from now on, and I'll likely continue upgrading the host by building it from sources: I'll have to maintain the sources anyway, because of the ezjail update procedure, and there will be some kernel modifications that I'll need in the future to improve performance on the host system (for example, do you think it would be a nice idea to build nullfs support into the kernel?).

Thanks for your suggestions.

Andrew
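
The basejail cleanup order suggested in the quoted reply, as an added example that is not part of the original thread: old files are listed and removed first, and delete-old-libs runs only once the dependent ports are confirmed rebuilt. The paths /usr/src and /usr/jails/basejail and the function names are assumptions; DRY_RUN defaults to 1, so the commands are only printed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths: /usr/src for the
# source tree, /usr/jails/basejail for the ezjail basejail.
# DRY_RUN defaults to 1: commands are printed, not executed.

src_make() {
    # Run "make <args>" inside the source directory, or just print it.
    dir=$1; shift
    echo "+ cd $dir && make $*"
    if [ "${DRY_RUN:-1}" != 1 ]; then
        (cd "$dir" && make "$@")
    fi
}

basejail_cleanup() {
    src=$1; basejail=$2; ports_rebuilt=${3:-no}
    case $basejail in
        /)  echo "refusing DESTDIR=/ (that is the host)" >&2; return 2 ;;
        /*) ;;
        *)  echo "basejail must be an absolute path" >&2; return 2 ;;
    esac
    # 1. List what the freshly installed world no longer ships.
    src_make "$src" check-old "DESTDIR=$basejail" || return 1
    # 2. Remove obsolete files from the basejail.
    src_make "$src" delete-old "DESTDIR=$basejail" || return 1
    # 3. Old shared libraries go last: jailed ports may still link
    #    against them until they have been rebuilt.
    if [ "$ports_rebuilt" = yes ]; then
        src_make "$src" delete-old-libs "DESTDIR=$basejail" || return 1
    else
        echo "skipped: old libraries kept (rebuild dependent ports first)"
    fi
}

# Constructed demo call: prints the plan for a basejail whose ports
# have not been rebuilt yet.
basejail_cleanup /usr/src /usr/jails/basejail no
```

Run with DRY_RUN=0 after the installworld step into the basejail to execute the commands instead of printing them.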