Re: Best practice to update jails

2009-08-22 Thread Alexander Leidinger
On Thu, 20 Aug 2009 11:50:49 -0700 Jose Amengual wrote:

> The server is now 7.0 and was wondering what is the best practice to
> maintain security patches and kernel updates and I came out with the
> following idea :
>
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third party security updates
> 5.- run portupgrade in case of a security update or for apps upgrade on the jails.
>
> I read in some forums that if you run freebsd-update you will need to
> do a portupgrade -fa to reinstall all the third party apps because
> freebsd-update could upgrade or remove some libraries linked to
> those programs, is this true ?, will be better to run a cvsup and
> instead ?

Not if you stay with the same major version of FreeBSD. If you update
from 7 to 8, this may be possible (I don't know, I don't use
freebsd-update, as I either run patched systems, or at least compile
my own kernels), but if you update from 7.x to 7.y, then this would be
an ABI change, which is very very very very much a no no in a
stable-branch (only an important security fix would be allowed to do
something like this, and only if nobody finds another way to do such
a fix without changing the ABI).

So if you stay on the same major version you can use your procedure,
but read the release notes beforehand; such a big-impact change is
announced on a stable branch. It may be the case that we had something
like this once, but I do not remember which major version was affected.

Bye,
Alexander.
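
The question above is whether a base-system update can leave port binaries linked against libraries that are no longer present. The following check is an added example, not part of the original thread: it parses `ldd` output and lists every binary with an unresolved dependency. The sample `ldd` output is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find port binaries whose shared libraries no longer resolve.
# Collect real input inside each jail so the jail's own libraries are used,
# for example:  jexec <jid> sh -c 'ldd /usr/local/bin/* 2>/dev/null'

# Read ldd output on stdin, print "binary<TAB>library" per unresolved library.
missing_libs() {
    awk '
        /:$/           { bin = $0; sub(/:$/, "", bin); next }  # "file:" header
        /=> not found/ { print bin "\t" $1 }                   # unresolved lib
    '
}

# Read ldd output on stdin, print each affected binary once.
affected_binaries() {
    missing_libs | cut -f1 | sort -u
}

# Constructed sample in the layout FreeBSD ldd prints (not captured output).
sample_ldd_output() {
    cat <<'EOF'
/usr/local/bin/php:
    libcrypt.so.4 => /lib/libcrypt.so.4 (0x2814e000)
    libz.so.3 => not found (0x0)
    libc.so.7 => /lib/libc.so.7 (0x28200000)
/usr/local/bin/python:
    libutil.so.7 => /lib/libutil.so.7 (0x280b0000)
    libc.so.7 => /lib/libc.so.7 (0x28200000)
/usr/local/libexec/mysqld:
    libstdc++.so.5 => not found (0x0)
    libm.so.4 => not found (0x0)
EOF
}

# Demo on the constructed sample.
sample_ldd_output | missing_libs
```

An empty result after an update means no scanned binary lost a library; any binary listed belongs to a port that needs rebuilding.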


___
freebsd-virtualization@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-virtualization
To unsubscribe, send any mail to 
"freebsd-virtualization-unsubscr...@freebsd.org"


RE: Best practice to update jails

2009-08-21 Thread Andrew Hotlab

> Date: Thu, 20 Aug 2009 23:28:39 +0200
> From: reddvinyl...@gmail.com
> To: jose.ameng...@gmail.com; freebsd-j...@freebsd.org; 
> freebsd-virtualization@freebsd.org
> CC:
> Subject: Re: Best practice to update jails
>
> On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:
>
>> any reason of why you do not use freebsd-update ?
>>
>> Thanks.
>
>
> I think most people prefer to build from source. I do, at least.
>

We manage some jail host systems both for production and development (since 
6.2-RELEASE), and we found the best support in the "build-from-source" upgrade 
method.

Here are the main steps we follow for a release-step upgrade (since we have a few 
hosts to manage, we are using a dedicated build server, but the first three 
steps might be executed on the host machine itself):

1.  sync sources from a local cvsup-mirror to the build host;
2.  make binaries on the build host (once per architecture we are supporting);
3.  mount /usr/src and /usr/obj via NFS on all systems to be upgraded;
4.  run mergemaster in pre-buildworld mode (once for the host and once for each 
jail with the -D flag);
5.  install the new kernel on the host we are upgrading;
6.  reboot the host with the new kernel in single user mode;
7.  install the new userland for the host and for the basejail (we are using 
the ezjail framework);
8.  run mergemaster on the host to align its configuration files to the new 
release;
9.  boot into multi user mode;
10. run mergemaster with the -D flag to update each jail’s configuration files;
11. run "make delete-old" and "make delete-old-libs" on both host and jail 
systems (using the DESTDIR variable).


In our environment, this type of upgrade process has proved to be the most 
effective and reliable, both for tracking the errata branch and for upgrading 
between minor and major releases. Obviously it requires you to be quite 
knowledgeable about the build(7) process, but IMO time spent studying is always 
time spent well! :)


Andrew
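
Steps 4 to 11 of the procedure above, written as a phased script. This is an added example, not part of the original post or the poster's own tooling. It assumes steps 1 to 3 are done (built tree available under /usr/src and /usr/obj), uses ezjail's default basejail path, and `MYKERNEL` is a placeholder kernel configuration name; it only prints commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: phased source upgrade of a jail host plus ezjail basejail.
# Assumptions: /usr/src and /usr/obj already hold the built tree (steps 1-3);
# BASEJAIL is ezjail's default location; KERNCONF is a placeholder name.
set -e                         # stop at the first failing step
SRC=${SRC:-/usr/src}
BASEJAIL=${BASEJAIL:-/usr/jails/basejail}
KERNCONF=${KERNCONF:-MYKERNEL}
DRY_RUN=${DRY_RUN:-1}          # 1 = only print the commands

run() {                        # run a command from the current directory
    echo "+ $*"
    [ "$DRY_RUN" = 1 ] || "$@"
}
srcmake() {                    # run a make target from the source tree
    echo "+ (cd $SRC && make $*)"
    [ "$DRY_RUN" = 1 ] || (cd "$SRC" && make "$@")
}

phase_pre() {                  # steps 4-5, multi-user; args: jail roots
    run mergemaster -p -m "$SRC"
    for j in "$@"; do run mergemaster -p -m "$SRC" -D "$j"; done
    srcmake installkernel KERNCONF="$KERNCONF"
    echo "# step 6: reboot to single-user mode, then run: $0 single"
}
phase_single() {               # steps 7-8, single-user mode
    srcmake installworld
    srcmake installworld DESTDIR="$BASEJAIL"
    run mergemaster -m "$SRC"
    echo "# step 9: exit to multi-user mode, then run: $0 post <jail roots>"
}
phase_post() {                 # steps 10-11, multi-user; args: jail roots
    for j in "$@"; do run mergemaster -m "$SRC" -D "$j"; done
    srcmake delete-old
    srcmake delete-old-libs
    srcmake delete-old DESTDIR="$BASEJAIL"
    srcmake delete-old-libs DESTDIR="$BASEJAIL"
}

case "${1:-}" in               # e.g. DRY_RUN=0 sh upgrade.sh post /usr/jails/web1
    pre|single|post) phase=$1; shift; "phase_$phase" "$@" ;;
esac
```

The split into three phases follows the reboot in step 6 and the return to multi-user mode in step 9; reviewing the dry-run output of each phase before setting `DRY_RUN=0` shows exactly which jail roots will be touched.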




Re: Best practice to update jails

2009-08-21 Thread Redd Vinylene
On Thu, Aug 20, 2009 at 10:57 PM, Jose Amengual wrote:

> any reason of why you do not use freebsd-update ?
>
> Thanks.


I think most people prefer to build from source. I do, at least.

-- 
http://www.home.no/reddvinylene


Re: Best practice to update jails

2009-08-21 Thread Redd Vinylene
On Thu, Aug 20, 2009 at 8:50 PM, Jose Amengual wrote:

> Hi guys.
>
> I have a dev server for our developers that holds around 40 jails, each
> jail has php, mysql, python etc.
>
> The server is now 7.0 and was wondering what is the best practice to
> maintain security patches and kernel updates and I came out with the
> following idea :
>
> 1.- freebsd-update fetch install ( host system)
> 2.- rebuild kernel ( I have a custom kernel )
> 3.- ezjail-update -b ( update basejail for all jails )
> 4.- run in cron portaudit on the jails for third party security updates
> 5.- run portupgrade in case of a security update or for apps upgrade on the
> jails.
>
> I read in some forums that if you run freebsd-update you will need to do a
> portupgrade -fa to reinstall all the third party apps because freebsd-update
> could upgrade or remove some libraries linked to those programs, is this
> true ?, will be better to run a cvsup and instead ?
>
> That are some points of my idea but reading on internet I finished more
> confused about how will be the best way to do this.
>
> any ideas will more appreciate.
>
> Thanks.

Hi,

here's how I do it, hope it helps: http://pastie.org/590295

Redd Vinylene

-- 
http://www.home.no/reddvinylene