Date:      Tue, 25 Aug 2009 20:36:13 +0200
From:      Eirik Øverby <ltning@anduin.net>
To:        Jose Amengual <jose.amengual@gmail.com>, freebsd-jail@freebsd.org
Subject:   Re: Best practice to update jails
Message-ID:  <FA55CC11-FC57-4B03-B266-6075710E861B@anduin.net>
In-Reply-To: <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>
References:  <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com>

On 20. aug. 2009, at 20.50, Jose Amengual wrote:

> Hi guys.
>
> I have a dev server for our developers that holds around 40 jails,  
> each jail has php, mysql, python etc.
>
> The server is now 7.0 and was wondering what is the best practice to  
> maintain security patches and kernel updates and I came out with the  
> following idea :
>
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third-party security  
> updates
> 5.- run portupgrade in case of a security update or for apps upgrade  
> on the jails.

sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using  
installworld etc. Newer versions (not yet in ports) support using  
'template jails'. The latter is what we use.

Basically the update procedure goes like this: freebsd-update the  
template jail, freebsd-update the host, reboot. I have found  
freebsd-update to be an incredible time-saver compared to  
buildworld/installworld, and the IDS function included - despite not  
being a really efficient IDS tripwire-style - is extremely useful for  
us in determining which of our multiple-dozen jails need updates of  
binaries or configuration.

/Eirik


> I read in some forums that if you run freebsd-update you will need to  
> do a portupgrade -fa to reinstall all the third-party apps because  
> freebsd-update could upgrade or remove some libraries linked to  
> those programs, is this true ?, will be better to run a cvsup and  
> instead ?
>
> Those are some points of my idea but reading on internet I finished  
> more confused about how will be the best way to do this.
>
> Any ideas will be much appreciated.
>
> Thanks.
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to  
> "freebsd-jail-unsubscribe@freebsd.org"
>
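
Added example (not part of the original message and not code from freebsd-update): an sh script that applies the IDS check described in the reply to several jail roots and reports, per jail, how many configuration files under /etc and how many other base-system files differ. The function names, the IDS_FIXTURE_DIR offline hook and the sample output are constructed for this example; it assumes each finding line begins with a path relative to the jail root.

```shell
#!/bin/sh
# Added example: summarise "freebsd-update -b <jailroot> IDS" findings per jail.

# Run IDS for one jail root. IDS_FIXTURE_DIR is a hypothetical hook of this
# example: when set, captured output is read from <dir>/<jailname>.ids
# instead of running freebsd-update, so the parser can be exercised offline.
ids_run() {
    if [ -n "${IDS_FIXTURE_DIR:-}" ]; then
        cat "${IDS_FIXTURE_DIR}/$(basename "$1").ids"
    else
        freebsd-update -b "$1" IDS
    fi
}

# Print "<config-count> <other-count>" for one jail root.
# Finding lines start with "/"; progress lines do not. One file can produce
# several lines (owner, mode, hash), so each path is counted only once.
ids_summary() {
    ids_run "$1" | awk '
        /^\// && !seen[$1]++ { if ($1 ~ /^\/etc\//) cfg++; else bin++ }
        END { printf "%d %d\n", cfg, bin }'
}

# Print one line per jail root: "<root> config=<n> other=<n>".
ids_report() {
    for root in "$@"; do
        ids_summary "$root" |
            { read -r cfg bin; echo "$root config=$cfg other=$bin"; }
    done
}

# Constructed sample of IDS output for a jail named "web1" (hashes shortened).
ids_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/web1.ids" <<'EOF'
Inspecting system... done.
/bin/ls has SHA256 hash aaaa, but should have SHA256 hash bbbb.
/etc/ssh/sshd_config has SHA256 hash cccc, but should have SHA256 hash dddd.
/etc/master.passwd is owned by user id 1001, but should be owned by user id 0.
/etc/master.passwd has SHA256 hash eeee, but should have SHA256 hash ffff.
EOF
    ( IDS_FIXTURE_DIR=$d; ids_report /usr/jails/web1 )
    rm -rf "$d"
}
```

On a real host, call ids_report with the jail root directories as arguments; a jail reporting zero for both counts matches the release that freebsd-update knows about.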



