Date: Wed, 26 Aug 2009 13:02:03 +0100
From: Jase Thew <bazerka@beardz.net>
To: freebsd-jail@freebsd.org
Subject: Re: Best practice to update jails
Message-ID: <4A95243B.4000100@beardz.net>
In-Reply-To: <FA55CC11-FC57-4B03-B266-6075710E861B@anduin.net>
References: <20090820121309.122740@gmx.net> <9C042ACE-8677-4104-BBB5-5F80C7EAFD3C@gmail.com> <FA55CC11-FC57-4B03-B266-6075710E861B@anduin.net>

On 25/08/2009 19:36, Eirik Øverby wrote:
> On 20. aug. 2009, at 20.50, Jose Amengual wrote:
>
>> Hi guys.
>>
>> I have a dev server for our developers that holds around 40 jails,
>> each jail has php, mysql, python etc.
>>
>> The server is now 7.0 and was wondering what is the best practice to
>> maintain security patches and kernel updates and I came out with the
>> following idea :
>>
>> 1.- freebsd-update fetch install ( host system)
>> 2.- rebuild kernel ( I have a custom kernel )
>> 3.- ezjail-update -b ( update basejail for all jails )
>> 4.- run in cron portaudit on the jails for third party security updates
>> 5.- run portupgrade in case of a security update or for apps upgrade
>> on the jails.
>
> sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
> installworld etc. Newer versions (not yet in ports) support using
> 'template jails'. The latter is what we use.
>
> Basically the update procedure goes like this: freebsd-update the
> template jail, freebsd-update the host, reboot. I have found
> freebsd-update to be an incredible time-saver compared to
> buildworld/installworld, and the IDS function included - despite not
> being a really efficient IDS tripwire-style - is extremely useful for
> us in determining which of our multiple-dozen jails need updates of
> binaries or configuration.
>
> /Eirik

ezjail can also utilise a pre-built /usr/obj to upgrade the base jail and
already uses a templating system, fwiw.

Jase.
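
The IDS-based triage mentioned in the quoted message, as an added example that is not part of the original thread: it summarises `freebsd-update IDS` output per jail into drifted binaries versus drifted configuration. The function names, the jail base directory argument and the sample lines are assumptions made for illustration; the sample lines are constructed and modelled on the tool's "has SHA256 hash ..., but should have ..." report format.

```sh
#!/bin/sh
# Added example, not from the thread. All function names are hypothetical.

# Read `freebsd-update IDS` output on stdin and print one summary line.
# Hash mismatches under /etc/ count as config drift, other hash mismatches
# as binary drift; remaining findings (permissions, owner, type) as "other".
classify_ids() {
    awk '
        / has SHA256 hash / {
            if ($1 ~ /^\/etc\//) config++; else binaries++
            next
        }
        /^\// { other++ }   # skip progress lines that do not start with a path
        END { printf "binaries=%d config=%d other=%d\n", binaries, config, other }
    '
}

# Constructed sample of IDS output (hashes shortened to placeholders).
sample_ids_output() {
cat <<'EOF'
/bin/ls has SHA256 hash aaaa, but should have SHA256 hash bbbb.
/etc/ssh/sshd_config has SHA256 hash cccc, but should have SHA256 hash dddd.
/usr/sbin/sshd has SHA256 hash eeee, but should have SHA256 hash ffff.
/etc/motd has 0600 permissions, but should have 0644 permissions.
EOF
}

# Run IDS against every full jail root below the given directory, e.g.
#   triage_jails /usr/jails      (path is an assumption about the layout)
# Not called automatically: it needs a FreeBSD host with fetched updates.
triage_jails() {
    jailbase=$1
    for root in "$jailbase"/*/; do
        [ -d "${root}bin" ] || continue          # skip non-jail directories
        printf '%s: ' "${root%/}"
        freebsd-update -b "$root" IDS 2>/dev/null | classify_ids
    done
}

# Offline demonstration on the constructed sample.
sample_ids_output | classify_ids
```

A jail reporting a non-zero `binaries` count after the template or base jail has been updated is one that still runs unpatched files; a non-zero `config` count usually reflects local edits and needs a manual look rather than an automatic overwrite.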