Date:      Thu, 20 Dec 2007 14:34:35 +0100
From:      "Andrew Hotlab" <andrew.hotlab@hotmail.com>
To:        "freebsd-jail" <freebsd-jail@freebsd.org>
Subject:   RE: How to better update a jail host system
Message-ID:  <BAY138-DS1F782EFBC33924A07CFB6F65D0@phx.gbl>
In-Reply-To: <20071220083441.uo6hmypq84ssoowc@webmail.leidinger.net>
References:  <BAY102-W41E0DDC536BD8491761400F65C0@phx.gbl> <20071220083441.uo6hmypq84ssoowc@webmail.leidinger.net>

> -----Original Message-----
> From: Alexander Leidinger [mailto:Alexander@Leidinger.net]
> Sent: Thursday, December 20, 2007 8:35 AM
> To: Andrew Hotlab
> Cc: FreeBSD-Jail
> Subject: Re: How to better update a jail host system
>
> > To track the security branch both on the host and the jails I'm
> > using the "update from source" method: I synchronize the source tree
> >  with csup(1), build and install the kernel, build and install the
> > userland for the host first and then for the jails (using the
> > ezjail-admin(1) "update -i" switch).
>
> You should maybe use "make delete-old DESTDIR=/path/to/basejail" (and
> delete-old-libs after making sure all ports which depend upon the old
> files (check-old-files lists the old files) are rebuilt with the new
> ones) in the src directory. On a -stable branch there should be not
> much removed, but if you keep the system over several releases, it's
> handy.

That's a good point: I was missing it... I thought that all that would be done by "ezjail-admin upgrade" :)


> > All that is working fine now, but I wonder if I could speed up the
> > whole process, by switching to the binary update method. By using
> > the freebsd-update(8) utility on the host I think to maintain the
> > system cleaner (this utility only updates the installed
> > distributions) and to reduce the administrative effort (no
> > mergemaster(8) required, I'm right?).
>
> I don't know how freebsd-update handles the changes in /etc, but it
> can not do magic (for the update you have to update the basejail, and
> as such freebsd-update doesn't know about the etc directory of each
> jail), so something like mergemaster has to be done. I also don't know
> how it handles old (removed) files, maybe it doesn't touch them, to be
> on the safe side.

That's another aspect I wasn't thinking of. How important might it be to update files in the /etc directory in the jails, when tracking the security branch?


> Regarding the distributions which you haven't installed: you can
> exclude parts from building/installation. If you have a 7.x system,
> you can do "man src.conf" for all the options
> (http://www.freebsd.org/cgi/man.cgi?query=src.conf&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html).
> 6.x has similar options, but IIRC you have to specify them in
> make.conf.

I definitely think I'll do that from now on, and I'll likely continue upgrading the host by building it from sources: I'll have to maintain the sources anyway, because of the ezjail update procedure, and there will be some kernel modifications that I'll need in the future to improve performance on the host system (for example, do you think it would be a nice idea to build nullfs support into the kernel?).

Thanks for your suggestions.


Andrew




