On 25/08/2009 19:36, Eirik Øverby wrote:
On 20. aug. 2009, at 20.50, Jose Amengual wrote:
Hi guys.
I have a dev server for our developers that holds around 40 jails,
each jail has php, mysql, python etc.
The server is now 7.0 and was wondering what is the best practice to
maintain security patches and kernel updates and I came out with the
following idea :
1.- freebsd-update fetch install ( host system)
2.- rebuild kernel ( I have a custom kernel )
3.- ezjail-update -b ( update basejail for all jails )
4.- run in cron portaudit on the jails for thirty party security updates
5.- run portupgrade in case of a security update or for apps upgrade
on the jails.
sysutils/jailctl uses a pre-built /usr/obj to upgrade jails using
installworld etc. Newer versions (not yet in ports) support using
'template jails'. The latter is what we use.
Basically the update procedure goes like this: freebsd-update the
template jail, freebsd-update the host, reboot. I have found
freebsd-update to be an incredibly time-saver compared to
buildworld/installworld, and the IDS function included - despite not
being a really efficient IDS tripwire-style - is extremely useful for
us in determining which of our multiple-dozen jails need updates of
binaries or configuration.
/Eirik
ezjail can also utilise a pre-built /usr/obj to upgrade the base jail
and already uses a templating system, fwiw.
Jase.
_______________________________________________
freebsd-jail@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
