Date:      Wed, 26 Aug 2009 13:02:03 +0100
From:      Jase Thew <bazerka@beardz.net>
To:        freebsd-jail@freebsd.org
Subject:   Re: Best practice to update jails
Message-ID:  <4A95243B.4000100@beardz.net>
In-Reply-To: <FA55CC11-FC57-4B03-B266-6075710E861B@anduin.net>
References:  <20090820121309.122740@gmx.net>	<9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> <FA55CC11-FC57-4B03-B266-6075710E861B@anduin.net>

On 25/08/2009 19:36, Eirik Øverby wrote:
> On 20. aug. 2009, at 20.50, Jose Amengual wrote:
>
>> Hi guys.
>>
>> I have a dev server for our developers that holds around 40 jails, 
>> each jail has php, mysql, python etc.
>>
>> The server is now 7.0 and was wondering what is the best practice to 
>> maintain security patches and kernel updates and I came out with the 
>> following idea :
>>
>> 1.- freebsd-update fetch install ( host system)
>> 2.- rebuild kernel ( I have a custom kernel )
>> 3.- ezjail-update -b ( update basejail for all jails )
>> 4.- run in cron portaudit on the jails for third party security updates
>> 5.- run portupgrade in case of a security update or for apps upgrade 
>> on the jails.
>
> sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using 
> installworld etc. Newer versions (not yet in ports) support using 
> 'template jails'. The latter is what we use.
>
> Basically the update procedure goes like this: freebsd-update the 
> template jail, freebsd-update the host, reboot. I have found 
> freebsd-update to be an incredible time-saver compared to 
> buildworld/installworld, and the IDS function included - despite not 
> being a really efficient IDS tripwire-style - is extremely useful for 
> us in determining which of our multiple-dozen jails need updates of 
> binaries or configuration.
>
> /Eirik

ezjail can also utilise a pre-built /usr/obj to upgrade the base jail 
and already uses a templating system, fwiw.

Jase.
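
Added example, not part of the original message and not code from ezjail or jailctl: one way to use `freebsd-update -b <jailroot> IDS`, as described in the quoted text, to list which jails have files that differ from the release. The `IDS_CMD` hook, the `sample_ids` stub, the jail paths, and the assumption that mismatch lines start with the file path are all assumptions made for this example.

```shell
#!/bin/sh
# Added example: list jails whose base files differ according to
# `freebsd-update IDS`. Jail roots and sample output are constructed.

# Run the IDS check for one jail root. IDS_CMD is a hypothetical hook that
# lets the logic run on a machine without freebsd-update.
ids_output() {
    if [ -n "${IDS_CMD:-}" ]; then
        "$IDS_CMD" "$1"
    else
        freebsd-update -b "$1" IDS 2>/dev/null
    fi
}

# Count mismatch lines for one jail. Assumption: every mismatch line begins
# with the absolute path of the affected file; progress messages do not.
count_mismatches() {
    ids_output "$1" | grep -c '^/' || true
}

# Print "<jailroot> <mismatch count>" for each jail that needs attention.
jails_needing_update() {
    for root in "$@"; do
        n=$(count_mismatches "$root")
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$root" "$n"
        fi
    done
}

# Constructed stand-in for the IDS output (approximate wording; only the
# leading path matters to the logic above).
sample_ids() {
    echo "Inspecting system... done."
    case "$1" in
        /jails/web1)
            echo "/bin/ls has SHA256 hash aaaa, but should have SHA256 hash bbbb."
            echo "/etc/ssh/sshd_config has SHA256 hash cccc, but should have SHA256 hash dddd."
            ;;
    esac
}

# Usage on a real host (jail paths are placeholders):
#   jails_needing_update /usr/jails/template /usr/jails/web1
```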