Re: Best practice to update jails

Tue, 25 Aug 2009 11:52:48 -0700 

On 20. aug. 2009, at 20.50, Jose Amengual wrote:


Hi guys.
I have a dev server for our developers that holds around 40 jails, each jail has php, mysql, python etc.
The server is now 7.0 and was wondering what is the best practice to maintain security patches and kernel updates and I came out with the following idea : 

1.- freebsd-update fetch install ( host system)
2.- rebuild kernel ( I have a custom kernel )
3.- ezjail-update -b ( update basejail for all jails )
4.- run in cron portaudit on the jails for thirty party security updates 5.- run portupgrade in case of a security update or for apps upgrade on the jails.
sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using installworld etc. Newer versions (not yet in ports) support using 'template jails'. The latter is what we use.
Basically the update procedure goes like this: freebsd-update the template jail, freebsd-update the host, reboot. I have found freebsd- update to be an incredibly time-saver compared to buildworld/ installworld, and the IDS function included - despite not being a really efficient IDS tripwire-style - is extremely useful for us in determining which of our multiple-dozen jails need updates of binaries or configuration. 

/Eirik
I red in some forums that if you run freebsd-update you will need to do a portuprade -fa to reinstall all the thirty party apps because freebsd-update could upgrade or remove some libraries linked to that programs, is this true ?, will be better to run a cvsup and instead ?
That are some points of my idea but reading on internet I finished more confuse about how will be the best way to do this. 

any ideas will more appreciate.

Thanks.
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail- unsubscr...@freebsd.org" 



_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"

Reply via email to