Hi,
despite reading and re-reading the manual, I have an extremely hard time understanding how to keep my FreeBSD host and my FreeBSD jails secure.
I am going to try to express my current understanding of FreeBSD as maybe the problem is that I don't understand it.
There seems to be on one side the kernel and base components, and on the other side the packages. I'm not going to include ports in the discussion for now, I hope it is not necessary to include them as long as I don't install anything from ports. I'm not going to include the packages in the discussion either because I think I'm going to write a second post for that. So, in this post, I'd like to focus exclusively on how to correctly update the kernel and base components, in the host, and in the jails.
To check for new security patches available for the kernel (and, I guess, for the other base components of FreeBSD which are not managed with pkg and are considered part of FreeBSD itself), I should do
# freebsd-update fetch
This will tell me what new security patches are available for the kernel and base components.
Then
# freebsd-update install
will install them. Correct me if I'm wrong.
I also have jails on this system.
Until now, I used to believe that all jails shared the kernel and base components of the host. So I thought that running freebsd-update install on the host would automatically update the kernels and base components of the jails.
However, it seems that I was wrong. Because just after running freebsd-update install on the host, if I enter a jail and type freebsd-update fetch, a lot of available security patches are displayed.
So what happened? Does each jail have a separate kernel and/or base components? What should I do?
In case it has any relevance to the discussion, I'm going to point out that I use ezjail to create my jails.
I hope you can help me.