How do you patch programs running in a jail?

I'm planning on installing Apache, in a jail, from a port because I want more granular control as to what options and modules get installed from scratch. If I understand it correctly, I can run make rmconfig to remove the default options and then make config to select the options I want.

Correct so far?

My other question is: how do you patch Apache, in the jail, as security vulnerability patches are released from time to time? I've subscribed to the Apache security notification list, but I'm just not clear on how you apply the patch(es) as they're released. Or, is it just like I install it - i.e., just apply the patch (as if it wasn't running in a jail), and then re-run make install clean?

Thank you,
Ed
 
A jail is treated like just another FreeBSD system. If you installed from a port or package, update the port or package to get the latest patches.
 
Something like this:

# ezjail-admin update -P

Log in on the jail console
# ezjail-admin list
# ezjail-admin console <hostname>

List outdated ports
# pkg_version -vIL=

Read about ports you want to upgrade
# less /usr/ports/UPDATING

Now use portmaster(8) to upgrade outdated ports
# portmaster -db <port>

and then re-run make install clean for Apache?

Is this correct?

Ed
 
You don't want to recompile ports inside the jails. Use prebuilt packages either from the official repository or from your own repository. The updating procedure if you have your own repository would be:

  • Update the ports tree on the system that builds your packages.
  • Build updated packages, this could be done with ports-mgmt/poudriere or by other means.
  • Run pkg upgrade in all of your jails to update the installed packages.
  • Restart updated services in the jails.
 
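The four-step procedure in the answer above (and the ezjail/portmaster sequence earlier in the thread) written out as one script. This is an added example, not code from the thread or from poudriere's own documentation. The poudriere jail name, ports tree name and package-list path are assumptions, overridable through the environment; the script also assumes pkg(8) is installed in each jail and that the jails' pkg repository configuration already points at the repository poudriere produces.

```shell
#!/bin/sh
# Added example: build packages once with poudriere, then upgrade every running
# jail with pkg and restart only the services whose packages actually changed.
set -eu

BUILD_JAIL=${BUILD_JAIL:-11amd64}                         # assumption: poudriere build jail name
PORTS_TREE=${PORTS_TREE:-default}                         # assumption: poudriere ports tree name
PKG_LIST=${PKG_LIST:-/usr/local/etc/poudriere.d/pkglist}  # assumption: one origin per line, e.g. www/apache24

# Print the names of packages whose version differs between two `pkg info -q`
# listings (file arguments): upgraded, downgraded or newly installed packages.
changed_packages() {
    before=$1; after=$2
    awk '
        { name = $0; sub(/-[^-]*$/, "", name) }          # strip trailing -version
        NR == FNR { old[name] = $0; next }                # first file: remember versions
        !(name in old) || old[name] != $0 { print name }  # second file: report differences
    ' "$before" "$after"
}

# From a `pkg info -l <pkg>` file listing on stdin, print the rc.d service names
# the package ships (basename of /usr/local/etc/rc.d/*).
rc_services() {
    sed -n 's!^[[:space:]]*/usr/local/etc/rc\.d/\([^/]*\)$!\1!p'
}

# Step 3 and 4 for one jail: pkg upgrade, then restart affected running services.
upgrade_jail() {
    jail=$1
    before=$(mktemp); after=$(mktemp)
    pkg -j "$jail" info -q > "$before"
    pkg -j "$jail" upgrade -y
    pkg -j "$jail" info -q > "$after"
    for p in $(changed_packages "$before" "$after"); do
        for svc in $(pkg -j "$jail" info -l "$p" | rc_services); do
            # `service status` succeeds only for an enabled, running service
            jexec "$jail" service "$svc" status >/dev/null 2>&1 \
                && jexec "$jail" service "$svc" restart
        done
    done
    rm -f "$before" "$after"
}

build_and_upgrade() {
    poudriere ports -u -p "$PORTS_TREE"                              # 1. update the ports tree
    poudriere bulk -j "$BUILD_JAIL" -p "$PORTS_TREE" -f "$PKG_LIST"  # 2. build packages with your options
    for j in $(jls name); do                                         # 3./4. every running jail
        upgrade_jail "$j"
    done
}

case "${1:-}" in
    run) build_and_upgrade ;;
esac
```

Run it as `sh update-jails.sh run` on the build host. The options Ed wants to control are set once, before the first build, with `poudriere options -p default www/apache24`, which opens the same dialog as `make config` in the port directory; every package built afterwards carries those options into every jail.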
You don't want to recompile ports inside the jails...

I'm probably confused about how to install Apache from source into the jail, so maybe someone can clarify this for me? Typically the jail either has its own ports tree or it's linked to the host's ports tree, correct? Like I said, I'd much prefer to install Apache from the port, so I can better control how Apache is initially configured.

Having said that, if I install Apache from a port within the jail, what's wrong with doing it the second time, i.e., after the ports have been updated (i.e., patched)?

Ed
 
You're wasting time by compiling updated ports multiple times. If you build your own binary packages you can build once, install many times with very little effort.

If it's not obvious yet, binary packages are just pre-built ports. After installation they are indistinguishable from ports that are installed by building them directly.
 
Since my primary goal is to have Apache installed with only the options *I* want (as opposed to the way Apache is built using the default package), is poudriere my best method to achieve that goal?

If so, I just need to learn more about poudriere and how to build my own packages?

I'm guessing that by building my own package I can customize the install options?

Ed
 
Cool...thank you. I'll check them out.

I'm *really* just looking for the easiest way to install Apache in a jail on a server that I'm creating and then manage to keep it patched as quickly and efficiently as security patches are released.

:)

Ed
 