From: Alexander Leidinger
To: Jose Amengual
Cc: freebsd-jail@freebsd.org, freebsd-virtualization@freebsd.org
Date: Sat, 22 Aug 2009 18:40:01 +0200
Subject: Re: Best practice to update jails

On Thu, 20 Aug 2009 11:50:49 -0700
Jose Amengual wrote:

> The server is now 7.0 and was wondering what is the best practice to
> maintain security patches and kernel updates and I came out with the
> following idea :
>
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third party security
> updates
> 5.- run portupgrade in case of a security update or for apps
> upgrade on the jails.
>
> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third party apps because
> freebsd-update could upgrade or remove some libraries linked to
> that programs, is this true ?, will be better to run a cvsup and
> instead ?

Not if you stay with the same major version of FreeBSD. If you update
from 7 to 8, this may be possible (I don't know, I don't use
freebsd-update, as I either run patched systems, or at least compile my
own kernels), but if you update from 7.x to 7.y, then this would be an
ABI change, which is very very very very much a no no in a
stable-branch (only an important security fix would be allowed to do
something like this, and only if nobody finds another way to do such a
fix without changing the ABI).

So if you stay on the same major version you can use your procedure,
but read the release notes before; such a big impact change is
announced on a stable branch. It may be the case that we had something
like this once, but I do not remember which major version was affected.

Bye,
Alexander.
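
The rule of thumb in the reply above (same major version: ports can stay; major version change: check before trusting the installed ports), written as an added shell example that is not part of the original message. The function names, the action keywords and the sample release strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether installed ports need attention after a
# base system update. Input is a pair of "uname -r" style release strings.
# release_major/ports_action and the keywords are hypothetical names.

# Print the major version of a release string such as "7.2-RELEASE-p4".
# Fails (status 1) on anything that is not of the form <digits>.<rest>.
release_major() {
    major=${1%%.*}                      # text before the first dot
    case "$major" in
        ''|*[!0-9]*) return 1 ;;        # empty or not purely numeric
    esac
    [ "$major" != "$1" ] || return 1    # no dot at all, e.g. "7"
    printf '%s\n' "$major"
}

# Print the follow-up action for ports when moving from release $1 to $2.
#   keep-ports    same major version; a stable branch keeps the ABI
#   review-ports  major version changed; read the release notes and
#                 consider rebuilding ports (portupgrade -fa)
#   unknown       a release string could not be parsed (status 2)
ports_action() {
    old=$(release_major "$1") || { echo "unknown"; return 2; }
    new=$(release_major "$2") || { echo "unknown"; return 2; }
    if [ "$old" -eq "$new" ]; then
        echo "keep-ports"
    else
        echo "review-ports"
    fi
}

# Constructed sample transitions, not taken from the thread.
for pair in "7.0-RELEASE:7.0-RELEASE-p12" \
            "7.0-RELEASE:7.2-RELEASE" \
            "7.2-RELEASE:8.0-RELEASE"; do
    from=${pair%%:*}
    to=${pair##*:}
    printf '%s -> %s: %s\n' "$from" "$to" "$(ports_action "$from" "$to")"
done
```

Even for a keep-ports result the release notes should still be read, since the reply notes that an ABI-changing security fix on a stable branch would be announced there.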