
Re: [ezjail] freebsd-update in ezjail?



Graham Todd wrote:
> Alexandros Kosiaris wrote:
> ...
>> After toying around a bit I believe there is a simple way to use it to
>> update the basejail fast and securely.
>>
>> 1. Stop an existing jail, or create a new one (completely otherwise
>> that's ok)
>> 2. Mount by hand and read-write basejail dir in the usual place for this
>> jail
> 
> Why is it necessary to mount the basejail in place of the jail's normal
> mount point?  Could there be a dedicated freebsdjail-update jail?

You basically create a new jail (or stop an existing one) just to have a
directory hierarchy which can be updated.

What you need to have updated by freebsd-update is the base system,
which lives mostly (/etc + some other things being an exception) in the
/basejail directory in the case of ezjails.

I've come to the conclusion that, due to the /basejail hierarchy, it is
safer to run freebsd-update from inside a jail hierarchy; however, if
someone has a different solution, please share.

Now, starting a jail with ezjail results in a basejail directory mounted
read-only, which can't be updated since it is read-only.

And yes, there could be a dedicated freebsdjail-update jail, albeit a not
running one, for the reason I described above.

Actually, I think a good solution perhaps would be the creation of a
dedicated jail + a 5-liner script to do the mount, freebsd-update
running, umounting.

However, all this can be integrated into a single ezjail-admin command.

>> 3. chown into the jail and run freebsd-update fetch && freebsd-update
>> install.
> 
> or chroot  ;-) Did you have to do any tweaking as in other (non ezjail)
> approach to jails/freebsd-update? e.g.

Yep... chroot obviously. It took a long time for someone to notice, which
makes me wonder about the number of people who actually read this list.

No, I had to do no other tweaking. I haven't even ever had to do make
world on this system. Which is the point of binary updates anyway.

> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/questions/2007-10/msg00701.html

The guy in the link above ended up doing what ezjail is doing anyway.
And his conclusions are the reason freebsd-update works in ezjails.

> I assume you do this after you've done the same for the host system?
> freebsd-update is quite useful for binary updates (security releases
> etc) and it seems like it should be easy using freebsd-update.conf to
> get it to play nice with ezjail/basejail "out of the box", but your
> method or something like seems to be necessary. Perhaps I am continuing
> to miss something obvious about ezjail-admin?

Yeah, I've done the same on the host system; however, this is not a
prerequisite (I think).

As for the rest, I would love for someone to tell me how to use
freebsd-update and freebsd-update.conf (or perhaps the -b, -d flags to
freebsd-update) to get jails binary-updated and get rid of the process
above.
Unfortunately, I have failed to create a desirable result in my tests.

Regards,

-- 
Alexandros Kosiaris 	Network Management Center , NTUA
e-mail : alex AT noc.ntua DOT gr
Public Key Fingerprint :
D6B1 0634 BE65 719C 6C95  7492 8201 4B46 C478 F074
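
The procedure described in this message (mount the basejail read-write inside a stopped jail, chroot, run freebsd-update, unmount), written out as an added example that is not part of the original post and is not ezjail code. It assumes ezjail's default /usr/jails layout; `update_basejail`, `valid_jail_name`, `run`, `JAILDIR` and `DRY_RUN` are names made up here.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes ezjail defaults: jails live
# under /usr/jails and share /usr/jails/basejail, which ezjail null-mounts
# read-only on <jailroot>/basejail while the jail runs.
JAILDIR="${JAILDIR:-/usr/jails}"   # assumption: ezjail_jaildir default
DRY_RUN="${DRY_RUN:-0}"            # 1 = print each command, change nothing

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Accept only plain names so "$JAILDIR/$1" cannot leave JAILDIR.
valid_jail_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

update_basejail() {
    jail="$1"
    valid_jail_name "$jail" || { echo "bad jail name: $jail" >&2; return 2; }
    root="$JAILDIR/$jail"
    # Step 1: the jail must be stopped; a running one already has the
    # basejail mounted (read-only) on this path.
    if mount 2>/dev/null | grep -qF " on $root/basejail "; then
        echo "$jail: basejail already mounted, stop the jail first" >&2
        return 3
    fi
    # Step 2: mount the shared base read-write in its usual place.
    run mount_nullfs -o rw "$JAILDIR/basejail" "$root/basejail" || return 1
    # Step 3: update from inside the jail's hierarchy.
    rc=0
    run chroot "$root" /bin/sh -c \
        'freebsd-update fetch && freebsd-update install' || rc=$?
    # Always unmount, so a failed update never leaves a writable basejail
    # behind for the next jail start.
    run umount "$root/basejail" || return 1
    return "$rc"
}

# Stand-alone use: sh thisfile <jailname>   (DRY_RUN=1 to preview)
if [ "$#" -gt 0 ]; then update_basejail "$1"; fi
```

Because every ezjail jail shares the one basejail, a single run against any stopped jail updates the base for all of them; the per-jail parts such as /etc are only touched in the jail used for the chroot.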
