Solved PKG on Jails: Different Repositories Than Host?

[jasonvp]

Hey folks -

I'm having a stupid moment here and it's likely due to something I did. I have a 11.2R4 server running with a few jails on it. I'm using the LetsEncrypt certbot pkg on the host and a couple of the jails. They've made some changes and are now requiring certbot v 0.28 or higher be installed. As per this doc:

How to stop using TLS-SNI-01 with Certbot

Let's Encrypt is removing support for domain validation with TLS-SNI-01. If you're using Certbot and received an email titled "Action required: Let’s Encrypt certificate renewals" or are getting the error message: Client with the currently selected authenticator does not support any...

community.letsencrypt.org

The challenge: On the host OS, I was able to pkg update ; pkg upgrade py27-certbot and that did the right thing. Certbot was updated.

joker# certbot --version certbot 0.29.1

However, the jails each apparently still think the version of certbot they're running is the most recent. And it appears to be a repository thing, or something like that? I'm not 100% sure. But, here's an example. From the host:

joker# pkg search py27-certbot | grep client py27-certbot-0.29.1_2,1 Let's Encrypt client

But from one of the jails:

catwoman# pkg search py27-certbot | grep client py27-certbot-0.27.1,1 Let's Encrypt client

I've tried all sorts of pkg updates, pkg updates with the -f flag, etc. No luck.

Any ideas? And no, please don't suggest "just installing the port". I'd rather manage using pkg... Thanks.

 

[Datapanic]

Check the /usr/local/etc/pkg/repos/* files to see where the servers are getting their packages from.

Also, latest version of py-certbot is 0.31.0,1.

 

[jasonvp]

Check the /usr/local/etc/pkg/repos/* files to see where the servers are getting their packages from.

No such directory on the host nor the jails.

 

[SirDice]

Your locally cached database might be out of sync, try forcing a refresh with pkg update -f.

 

[jasonvp]

Your locally cached database might be out of sync, try forcing a refresh with pkg update -f.

I had already done that and it didn't seem to matter.

I'm starting to think this is a host/jail upgrade problem, but I'm not certain. I don't get this warning on the host, just the jails:

catwoman# pkg update -f
Updating FreeBSD repository catalogue...
[catwoman.lateapex.net] Fetching meta.txz: 100%    944 B   0.9kB/s    00:01    
[catwoman.lateapex.net] Fetching packagesite.txz: 100%    6 MiB   3.4MB/s    00:02    
Processing entries:   0%
Newer FreeBSD version for package p5-Email-Date-Format:
To ignore this error set IGNORE_OSVERSION=yes
- package: 1004000
- running kernel: 1002000
Allow missmatch now?[Y/n]:

 

[SirDice]

You probably get them on the host too, but if you accept the missmatch you're not going to see it again.

You need to update your host, you're one or more patches behind.

 

[jasonvp]

You probably get them on the host too, but if you accept the missmatch you're not going to see it again.

I honestly don't remember if I had. If I accept in a jail and try again, I still see the mismatch.

You need to update your host, you're one or more patches behind.

joker# freebsd-version
11.2-RELEASE-p4

What's the latest?

 

[SirDice]

Use freebsd-version -uk and uname -a. It's possible you updated but haven't rebooted yet (so the 'old' kernel is still active).

 

[jasonvp]

Use freebsd-version -uk and uname -a. It's possible you updated but haven't rebooted yet (so the 'old' kernel is still active).

joker# freebsd-version -uk
11.2-RELEASE-p4
11.2-RELEASE-p4
joker# uname -a
FreeBSD joker.lateapex.net 11.2-RELEASE-p4 FreeBSD 11.2-RELEASE-p4 #0: Thu Sep 27 08:16:24 UTC 2018     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

 

[SirDice]

Last patch version should be 11.2-RELEASE-p9. At least that explains the 'missmatch' messages.

https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc

There's a newer security advisory (SA-19:02) but that one only applies to 12.0.

 

[jasonvp]

Last patch version should be 11.2-RELEASE-p9. At least that explains the 'missmatch' messages.

The issue appears to be: "Jason is an idiot and didn't properly update his jails." The base wasn't done properly, and I'm now going through and re-doing them all. One of them is done, and it updated pkg properly, and then upgraded certbot as expected. So I'll be back in business shortly.

Thanks.

 

[Ole]

To ignore this error set IGNORE_OSVERSION=yes
- package: 1004000
- running kernel: 1002000
Allow missmatch now?[Y/n]:

Check out

grep -A28 ^20140930: /usr/ports/CHANGES

notes if you do not want to meet this in the future. This will allow pkg in jail to work only with the version of the kernel corresponding to the version of jail and not depend on the version of the base or hoster’s kernel.