[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

newbie Q: ezjail and freebsd-update

Hello, I've got several severs running jails using ezjail. I love how
simple it is to setup, but I am a little confused how to keep it

For the host system I don't use CVS or other developer methods to
follow a source tree, instead I use the freebsd-update tool to keep
updated with security patches - for example, right now I am running
7.2-RELEASE-p4. It's forced me to use a GENERIC kernel to get
freebsd-update's binary updates, and I *think* freebsd-update updates
my source tree as well but I am not sure. The kernel showing in my
jails get updated automatically using freebsd-update since the jail
system uses the same kernel.

How do I keep my jail's userland updated in this scenario?

I noticed that when I create a jail using ezjail the first time it
fetches a new copy of the release I am running via ftp, so my
impression is that userland in the jail would be 7.2-RELEASE whereas
the host userland could be 7.2-RELEASE-p4. So there are likely
security vulnerabilities in the userland of my jails. Maybe the only
way to keep up-to-date is to build the host world from *source* and
update the jail using ezjail, and not use freebsd-update? I can do
that but it's just not as convenient as using freebsd-update.

BTW I keep my ports updated by mounting the ports tree from the host
into the jail, and then using regular tools like portaudit and
portmaster to manage and update installed ports when new security
vulnerabilities are found. I'm on top of any security issues that
might arise in the ports, and my kernel is alway updated. So the only
issue I have left is how to keep userland in the jail updated.