What happens in a jail when updating the main host system?

Hi,

despite reading and re-reading the manual, I have an extremely hard time understanding how to keep my FreeBSD host and my FreeBSD jails secure.

I am going to try to express my current understanding of FreeBSD as maybe the problem is that I don't understand it.

There seems to be on one side the kernel and base components, and on the other side the packages. I'm not going to include ports in the discussion for now, I hope it is not necessary to include them as long as I don't install anything from ports. I'm not going to include the packages in the discussion either because I think I'm going to write a second post for that. So, in this post, I'd like to focus exclusively on how to correctly update the kernel and base components, in the host, and in the jails.

To check for new security patches available for the kernel (and, I guess, for the other base components of FreeBSD which are not managed with pkg and are considered part of FreeBSD itself), I should do

# freebsd-update fetch

This will tell me what new security patches are available for the kernel and base components.

Then
# freebsd-update install

will install them. Correct me if I'm wrong.

I also have jails on this system.
Until now, I used to believe that all jails shared the kernel and base components of the host. So I thought that running freebsd-update install on the host would automatically update the kernels and base components of the jails.
However, it seems that I was wrong. Because just after running freebsd-update install on the host, if I enter a jail and type freebsd-update fetch, a lot of available security patches are displayed.

So what happened? Does each jail have a separate kernel and/or base components? What should I do?

In case it has any relevance to the discussion, I'm going to point out that I use ezjail to create my jails.

I hope you can help me.
 
So what happened? Does each jail have a separate kernel and/or base components?
Almost. Jails share the kernel with the host but their base components are separate.

What should I do?
Update your jails separately. How you do that depends on how the jails are set up. EZJail for example has a single "base" jail, update that and all your jails are updated.

Code:
     ezjail-admin update -b
             Build and install a world from source. The sources are taken from
             /usr/src (but see the -s flag). This can be used both for
             creating the initial base jail, and for updating it after the
             host has been upgraded.

     ezjail-admin update -u
             Update the base jail to the next release using freebsd-update(8)
             (i.e. using binary packages). This may be used only to update an
             existing installation.

Handbook: 14.5. Updating Multiple Jails
Handbook: 14.6. Managing Jails with ezjail
Handbook: 14.6.4. Updating Jails
 
Thanks for the reply. I had read this part of the manual, but I don't understand it, because I'm not sure what exactly is meant by "the world". Does it mean the kernel and base components?
 
Also assuming, the "world" is the base system as I guessed in my last post, why do I need to compile it from source before using jails? Doesn't my host already have a base system that could be used by the jails?
 
because I'm not sure what exactly is meant by "the world". Does it mean the kernel and base components?
"World" is the base utilities, libraries, etc. Basically everything except the kernel.

Also assuming, the "world" is the base system as I guessed in my last post, why do I need to compile it from source before using jails?
You don't need to, you can also do a binary update with freebsd-update(8) ( ezjail-admin update -u).

Doesn't my host already have a base system that could be used by the jails?
Yes, and no. Think of a jail as a completely separate system. Updating one system doesn't automatically update another.
 
Thanks, I think I understand better now.
However when I run

# ezjail-admin update -u

I get the following output:

/lot/of/paths/and/files/....
/usr/share/zoneinfo/Indian/Kerguelen
/usr/share/zoneinfo/Pacific/Easter
/usr/share/zoneinfo/Pacific/Tongatapu
/usr/share/zoneinfo/zone.tab
Installing updates... done.
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 11.0-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

The following files will be added as part of updating to 11.0-RELEASE-p8:
/usr/share/zoneinfo/Asia/Barnaul
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/Asia/Tomsk
/usr/share/zoneinfo/Asia/Yangon
/usr/share/zoneinfo/Europe/Astrakhan
/usr/share/zoneinfo/Europe/Kirov
/usr/share/zoneinfo/Europe/Ulyanovsk
Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
mtree: /usr/jails/newjail//boot/kernel: No such file or directory
mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
Could not create kernel backup directory

Is it normal? I would guess it comes from the fact that, as you said, jails share the kernel with the host, but then why this message from ezjail-admin? It should be aware of that and not display such messages.

Also, after running the

# freebsd-update install

and

# ezjail-admin update -u

commands from the host, if I then run

# freebsd-update fetch

in one of my jails, I still get a lot of lines of output displaying available patches (I don't have those anymore when running the same command from the host).
So it seems the update didn't occur, or I'm missing something again.
 
By reading your replies in other threads, I understood that the first issue is normal (the error messages come from the freebsd-update command that ezjail-admin runs under the hood).
Again, correct me if I'm wrong.

However, I'm still clueless about why running freebsd-update fetch from the jail still offers me a bunch of patches despite having done a ezjail-admin update -u the minute before on the host.
 
By reading your replies in other threads, I understood that the first issue is normal (the error messages come from the freebsd-update command that ezjail-admin runs under the hood).
Strictly speaking it's not normal but it won't cause any issues. It's just the sources that are being updated. And because the source is missing on your system you get these error messages.
 
Thanks.

Any idea why the freebsd-update fetch command inside the jail continues to display the same list of available updates before and after running ezjail-admin update -u on the host?
This seems to indicate that the jail wasn't updated, but the ezjail-admin update -u command did not exit with an error code. Did I miss a step?
 
For me it is also not clear.
I did a: freebsd-update fetch && freebsd-update install on the host. So the host is up to date.

When I run the command to update the basejail: ezjail-admin update -u
it looks like it only runs in the background: freebsd-update fetch

Because I can run this command (ezjail-admin update -u) over and over and the output is the same.

But how can you install the updates in the basejail (I know the kernel is shared between host and basejail, but some other files also need to be updated?)
Which command is executed after "ezjail-admin update -u"?
 
If you're using jails without iocage or ezjail you can just use
freebsd-update -j /your/jail
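Added example, not from this thread, ezjail or the FreeBSD handbook: a small sh script that does what the replies above recommend, namely treating each jail as its own system. It reads the userland patch level out of each root's /bin/freebsd-version (the kernel level is irrelevant inside a jail, since the jail runs the host kernel), flags roots that lag behind the host, and runs freebsd-update against those roots with its -b basedir option. Assumptions: /bin/freebsd-version in each root is the stock script containing a USERLAND_VERSION="..." line (true since FreeBSD 10), jail roots are passed explicitly (for ezjail, pass /usr/jails/basejail, because the jails' /bin, /lib and friends live there), and the function names are my own.

```shell
#!/bin/sh
# Added example: audit and update the userland of jail roots against the host.
# Assumes each root has the stock /bin/freebsd-version script (FreeBSD 10+),
# which carries a USERLAND_VERSION="..." line. Function names are hypothetical.

# Command used to apply updates; override to stub it out (the test below does).
: "${FREEBSD_UPDATE:=freebsd-update}"

# Print the userland version recorded in ROOT/bin/freebsd-version.
# Prints "unknown" and returns 1 if the root has no such script.
userland_version() {
    root=${1:-/}
    f="${root%/}/bin/freebsd-version"
    if [ ! -r "$f" ]; then
        echo unknown
        return 1
    fi
    sed -n 's/^USERLAND_VERSION="\([^"]*\)".*/\1/p' "$f" | head -n 1
}

# Print "ROOT VERSION ok|OUTDATED" for every jail root, comparing against the
# host root given first. Returns 1 if any jail lags behind the host.
# Usage: audit_jails HOSTROOT JAILROOT...
audit_jails() {
    hostver=$(userland_version "$1")
    shift
    rc=0
    for root in "$@"; do
        v=$(userland_version "$root")
        if [ "$v" = "$hostver" ]; then
            status=ok
        else
            status=OUTDATED
            rc=1
        fi
        printf '%s %s %s\n' "$root" "$v" "$status"
    done
    return $rc
}

# Bring every outdated root up to the host's level. The host itself must
# already be patched (freebsd-update fetch install) before this is run.
# Usage: update_outdated HOSTROOT JAILROOT...
update_outdated() {
    hostroot=$1
    shift
    audit_jails "$hostroot" "$@" | while read -r root v status; do
        [ "$status" = OUTDATED ] || continue
        # Same fetch+install the thread uses for the host, pointed at the jail
        # root via freebsd-update's -b (basedir) option.
        "$FREEBSD_UPDATE" -b "$root" fetch install
    done
}

# Stand-alone use: ./jailaudit.sh --run /usr/jails/basejail /usr/jails/other
if [ "${1:-}" = "--run" ]; then
    shift
    audit_jails / "$@"
fi
```

Running the audit after ezjail-admin update -u is the check this thread was missing: ezjail-admin exiting cleanly says nothing about whether the basejail actually moved to the new patch level, but the version string in its /bin/freebsd-version does. For a running jail, the -j jailname form from the reply above can replace -b; for a stopped jail or for the ezjail basejail, -b is the one that works. Expect the "Could not create kernel backup directory" lines shown earlier in the thread when a root has no /boot; as explained above, they are harmless.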
 