Re: Best practice to update jails

2009-08-26 Thread Jase Thew

On 25/08/2009 19:36, Eirik Øverby wrote:
> On 20. aug. 2009, at 20.50, Jose Amengual wrote:
>> Hi guys.
>>
>> I have a dev server for our developers that holds around 40 jails,
>> each jail has php, mysql, python etc.
>>
>> The server is now 7.0 and was wondering what is the best practice to
>> maintain security patches and kernel updates and I came out with the
>> following idea :
>>
>> 1.- freebsd-update fetch install ( host system)
>> 2.- rebuild kernel ( I have a custom kernel )
>> 3.- ezjail-update -b ( update basejail for all jails )
>> 4.- run in cron portaudit on the jails for third party security updates
>> 5.- run portupgrade in case of a security update or for apps upgrade
>> on the jails.
>
> sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
> installworld etc. Newer versions (not yet in ports) support using
> 'template jails'. The latter is what we use.
>
> Basically the update procedure goes like this: freebsd-update the
> template jail, freebsd-update the host, reboot. I have found
> freebsd-update to be an incredible time-saver compared to
> buildworld/installworld, and the IDS function included - despite not
> being a really efficient IDS tripwire-style - is extremely useful for
> us in determining which of our multiple-dozen jails need updates of
> binaries or configuration.
>
> /Eirik

ezjail can also utilise a pre-built /usr/obj to upgrade the base jail
and already uses a templating system, fwiw.


Jase.
___
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to freebsd-jail-unsubscr...@freebsd.org


Re: crontab hanging won't die on SIGTERM in jail

2009-08-26 Thread Stef Walter

Stef Walter wrote:
> Michael Scheidell wrote:
>> anyone having problems during an in jail shutdown with crontab hanging?
>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>> I don't remember problems with 6.3
>
> I see this same problem in certain jails. A jail that has this problem
> does it consistently, jails without the problem (on the same machine,
> same FreeBSD userland/kernel) don't have the problem consistently.

Turns out (for me) the bug was in jailutils, and occurred when the jail
had been restarted from inside the jail using the jkill (or
appropriately configured reboot) command.

I've released a new version of jailutils (1.6) that fixes this problem.

Cheers,

Stef



Re: crontab hanging won't die on SIGTERM in jail

2009-08-26 Thread Michael Scheidell

you the jailutils guy?

thanks, good stuff.

(been meaning to ask why certain options that work outside of jail don't 
work inside also)


thanks for finding this.  really flustered.

(but sigkill works also!)



Stef Walter wrote:
> Stef Walter wrote:
>> Michael Scheidell wrote:
>>> anyone having problems during an in jail shutdown with crontab hanging?
>>> I have seen this in 6.4 and 7.1, on i386 and amd64.
>>> I don't remember problems with 6.3
>>
>> I see this same problem in certain jails. A jail that has this problem
>> does it consistently, jails without the problem (on the same machine,
>> same FreeBSD userland/kernel) don't have the problem consistently.
>
> Turns out (for me) the bug was in jailutils, and occurred when the jail
> had been restarted from inside the jail using the jkill (or
> appropriately configured reboot) command.
>
> I've released a new version of jailutils (1.6) that fixes this problem.
>
> Cheers,
>
> Stef

  


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

