From: Eirik Øverby
Date: Tue, 25 Aug 2009 20:36:13 +0200
To: Jose Amengual, freebsd-jail@freebsd.org
Subject: Re: Best practice to update jails

On 20. aug. 2009, at 20.50, Jose Amengual wrote:

> Hi guys.
>
> I have a dev server for our developers that holds around 40 jails,
> each jail has php, mysql, python etc.
>
> The server is now 7.0 and was wondering what is the best practice to
> maintain security patches and kernel updates and I came out with the
> following idea :
>
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third-party security
> updates
> 5.- run portupgrade in case of a security update or for apps upgrade
> on the jails.

sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
installworld etc. Newer versions (not yet in ports) support using
'template jails'. The latter is what we use.

Basically the update procedure goes like this: freebsd-update the
template jail, freebsd-update the host, reboot.

I have found freebsd-update to be an incredible time-saver compared to
buildworld/installworld, and the IDS function included - despite not
being a really efficient IDS tripwire-style - is extremely useful for us
in determining which of our multiple-dozen jails need updates of
binaries or configuration.

/Eirik

> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third-party apps because
> freebsd-update could upgrade or remove some libraries linked to
> that programs, is this true ?, will be better to run a cvsup and
> instead ?
>
> That are some points of my idea but reading on internet I finished
> more confused about how will be the best way to do this.
>
> Any ideas will be much appreciated.
>
> Thanks.
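
The per-jail check described in the reply above (using the IDS function of freebsd-update to see which jails have drifted binaries or configuration) could be scripted along these lines. This is an added example, not part of the original thread: the function names, the one-directory-per-jail layout, the /usr/jails path and the assumption that every IDS finding line begins with the affected path are illustrative, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Names and layout are assumptions.

# Summarise `freebsd-update IDS` output read on stdin: count distinct paths
# with findings under /etc (configuration) versus elsewhere (base binaries).
# Assumption: every finding line begins with the absolute path it concerns.
classify_ids() {
    awk '
        $1 !~ /^\// { next }        # skip banner and fetch-progress lines
        seen[$1]++  { next }        # one path can have several findings
        $1 ~ /^\/etc\// { conf++; next }
        { bin++ }
        END { printf "config=%d binaries=%d\n", conf, bin }
    '
}

# Run the IDS comparison against each jail root under a parent directory
# and print one summary line per jail. -b selects the base directory.
scan_jails() {
    parent=$1
    for root in "$parent"/*/; do
        [ -d "$root" ] || continue
        printf '%s ' "${root%/}"
        freebsd-update -b "${root%/}" IDS 2>/dev/null | classify_ids
    done
}

# Constructed sample lines modelled on IDS findings; the hashes are fake.
sample_ids_output() {
    cat <<'EOF'
Looking up update.FreeBSD.org mirrors... done.
/bin/ls has SHA256 hash 1111aaaa, but should have SHA256 hash 2222bbbb.
/etc/ssh/sshd_config has SHA256 hash 3333cccc, but should have SHA256 hash 4444dddd.
/etc/ssh/sshd_config has 0600 permissions, but should have 0644 permissions.
/etc/hosts has SHA256 hash 5555eeee, but should have SHA256 hash 6666ffff.
EOF
}

# Usage on the host (hypothetical jail parent directory):
#   scan_jails /usr/jails
```

Files a jail owner changed on purpose (sshd_config, for instance) show up as findings too, so the config count is a prompt for review rather than proof of tampering.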