Build kernel and world from sources and jails

Hello,

I am looking for some feedback to improve my current setup/flow.

What I have:
* home server, with 12.1R with ZFS
* a few jails that I manage with iocage (have a template that I clone to create new)
* I build world and kernel from source now and then, following the handbook steps; however, I don't have a specific need to build it myself (at the moment I change just the IDENT). Basically I followed some instructions on how to enable VNET through a custom kernel, which I learned later is already enabled in 12.x
* `/etc/freebsd-update.conf` - `Components world`
* I don't mind waiting for build world, I use -j11 and it takes ~40min + ~10min for the kernel

What I want:
* use the same server as home ZFS storage/NAS and a development machine (multiple jails)
* by development I mean create new jails as independent as possible so that I can experiment (I use ansible to provision new jails) with dbs, servers, etc.
* ideally I could even configure firewall rules for each jail; my understanding is that VNET helps with this, but I have not tried it yet

The main question is related to maintaining the system (both host and jails) up to date. Once I update (from sources) the host, what's the best way to update jails?

My current flow is:
* update host
** `beadm create xyz`
** `svnlite update /usr/src`, build world and kernel, install, reboot, merge, etc.
* update jails
** `freebsd-update -b /z/iocage/jails/test/root fetch install`

But I am not sure if I am missing anything or whether I may get into problems in the future, e.g. the custom kernel may impact the jails somehow.

A few options I was thinking of:
* go back to binary updates only (both system and kernel) - if yes, I want to avoid reinstalling everything
* go back to binary update (keeping custom kernel)

Any input is welcome. Thank you in advance.
 
I would suggest sticking to a -RELEASE version and using freebsd-update(8) to do binary updates. There's really nothing to gain by building from source for your usage.
 
> I would suggest sticking to a -RELEASE version and using freebsd-update(8) to do binary updates. There's really nothing to gain by building from source for your usage.

Thank you. I think I will try binary updates for the installed software and keep the custom kernel for now, since it seems more complicated to go back to the GENERIC kernel.

So, all I have to do is to enable `world` components and run `freebsd-update fetch install`, right? The `freebsd-update IDS` shows too many changes for the host, which makes sense because everything was built from sources.
 
Ok, I think I switched back to binary updates after `freebsd-update fetch install`. For now only with `world` component.
 
> since it seems more complicated to go back to GENERIC kernel.
What's special about your custom kernel? I mean, what was missing from a stock GENERIC?

> I think I switched back to binary updates after `freebsd-update fetch install`. For now only with `world` component.

If you really want to, you can mix things up a bit. You could run 12-STABLE on the host (that definitely always requires building from source) and use a -RELEASE with binary updates for your jails. But it's up to you if it's really worth the trouble. Think about running updates: it's just a lot easier to update a lot of machines (virtual, jails or physical) using the binary updates than installing from source each time. It's fun to do the first couple of times, but it gets boring and tedious fairly quickly.
 
> What's special about your custom kernel? I mean, what was missing from a stock GENERIC?

Nothing anymore, but initially I had VNET, RACCT and RCTL, thinking I would need them in the future after following iocage's guide: https://iocage.readthedocs.io/en/latest/networking.html#vimage-vnet

> If you really want to, you can mix things up a bit. You could run 12-STABLE on the host (that definitely always requires building from source) and use a -RELEASE with binary updates for your jails. But it's up to you if it's really worth the trouble. Think about running updates, it's just a lot easier to update a lot of machines (virtual, jails or physical) using the binary updates than installing from source each time. It's fun to do the first couple of times but it gets boring and tedious fairly quick.

That is interesting indeed. I need to read more about the STABLE branch; it would for sure justify building everything from source :). Updating multiple jails (thick jails) or VMs I was hoping to do using Ansible.

Thanks.
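The flow the thread settles on (boot environment first, binary update of the host, then `freebsd-update -b` for every jail root), written up as an added sh script that is not the poster's own. It assumes the iocage layout `/z/iocage/jails/<name>/root` from the first post, that `beadm` is installed, and that `DRY_RUN=1` (the default) only prints the commands instead of running them. The patch-level check is there because jails run the host's kernel: the host update patches the kernel for every jail, but each jail's userland still has to be patched on its own.

```shell
#!/bin/sh
# Added example (not from the thread): update the host and its iocage jails
# with freebsd-update(8) after creating a boot environment to roll back to.
# Assumptions: jail roots live under $JAIL_ROOT/<name>/root (the OP's layout),
# beadm is installed, and DRY_RUN=1 (default) only prints each command.

JAIL_ROOT="/z/iocage/jails"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Command that patches one jail's userland; -b points freebsd-update at
# the jail root instead of /, and --not-running-from-cron lets it run
# without a terminal attached (useful from ansible or a cron job).
jail_update_cmd() {
    printf 'freebsd-update -b %s/%s/root --not-running-from-cron fetch install' \
        "$JAIL_ROOT" "$1"
}

# Return 0 when the running kernel's patch level is behind the userland's,
# i.e. a reboot or kernel update is still pending. Arguments are the strings
# printed by `freebsd-version -r` and `freebsd-version -u`, e.g. 12.1-RELEASE-p3.
kernel_lags_userland() {
    k="${1##*-p}"; u="${2##*-p}"
    [ "$k" = "$1" ] && k=0    # no -pN suffix means patch level 0
    [ "$u" = "$2" ] && u=0
    [ "$k" -lt "$u" ]
}

update_host() {
    # Snapshot the current root so `beadm activate` can undo a bad update.
    run beadm create "pre-update-$(date +%Y%m%d)"
    run freebsd-update fetch install
}

update_jails() {
    for j in "$@"; do
        # shellcheck disable=SC2046  (intentional word splitting of the command)
        run $(jail_update_cmd "$j")
    done
}

# Usage: DRY_RUN=0 sh update.sh test db web
if [ "$#" -gt 0 ]; then update_host; update_jails "$@"; fi
```

After a real run, `kernel_lags_userland "$(freebsd-version -r)" "$(freebsd-version -u)"` returning true means the host still needs a reboot before the jails are actually running on the patched kernel.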
 
```
$ uname -a
FreeBSD server.home 12.1-STABLE FreeBSD 12.1-STABLE r360493 GENERIC  amd64
```
So far so good. Thanks for the suggestion.
 