So I think many people have underestimated the required management of the jails. In the past we've recommended people use pkg-ng or ports and upgrade using those programs as appropriately. This guide covers pkg-ng and not ports.
But, things have gotten a little ugly. FreeBSD didn't have a repository of it's own until recently. If you use pkg-ng and your system uses an old template your jails won't be up to date anymore. Here's some info and how to fix this problem...
1. Validate you have a problem.
There's many ways to validate you have a problem. The easiest is to look at where the pkg-ng repo is coming from.
Here's an example of a jail that's correct:
# pkg –vv
….
Repositories:
FreeBSD: {
url : "pkg+http://pkg.FreeBSD.org/freebsd:9:x86:64/latest",
enabled : yes,
mirror_type : "SRV"
}
Notice the red text. That's the FreeBSD repository. This shows that all is well and everything is fine. Your jail may be 32 bit instead of 64 bit, but pkg.freebsd.org should be there.
Here's an old jail that is incorrect:
# pkg -vv
....
Repositories:
packagesite:
url: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
key:
enabled: yes
mirror_type: SRV
Notice the location is pcbsd.org, not to mention 9.1-RELEASE. Ideally, you want pkg.freebsd.org to be your repository. So here's how we do it!
2. Should I care?
Yes, and no. The easiest determining factor is to check for vulnerabilities. You can find out if you have an security vulnerabilities for your jail using pkg-ng.
# pkg audit
If there are any, you'll get a report of them. If so, you are on your own to decide to update your jail or not. If you don't want to figure out if the vulnerability is something you need to worry about, the conservative answer is to fix the problem.
3. How do I fix this?
First, you need to figure out where pkg-ng stores it's repo info. For my version(1.1.3) I know it gets its info from /usr/local/etc. If your version is too new you will have to find the pkg-ng documentation to figure out where the file is.So here's the steps I took:
# cd /usr/local/etc
# cat pkg.conf
PACKAGESITE: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
HTTP_MIRROR: http
PUBKEY: /usr/local/etc/pkg-pubkey.cert
PKG_CACHEDIR: /usr/local/tmp
So clearly pkg.conf is my source for the bad repo. So you can do the proper thing and edit the file with nano or equivalent, or you can be sloppy. I'll be sloppy.
# echo PACKAGESITE: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest > /usr/local/etc/pkg.conf
# pkg update
Updating repository catalogue
digests.txz 100% 1118KB 223.5KB/s 337.7KB/s 00:05
packagesite.txz 100% 5072KB 390.1KB/s 741.9KB/s 00:13
# pkg upgrade
Updating repository catalogue
New version of pkg detected; it needs to be installed first.
After this upgrade it is recommended that you do a full upgrade using: 'pkg upgrade'
Uprgades have been requested for the following 1 packages:
Upgrading pkg: 1.1.3_1 -> 1.2.7_1
The upgrade will require 1 MB more space
1 MB to be downloaded
Proceed with upgrading packages [y/N]:
--------
So there we go. All fixed up!
But, now there's a new problem...
# pkg update
pkg: PACKAGESITE in pkg.conf is deprecated. Please create a repository configuration file
Updating repository catalogue
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
digests.txz 100% 1118KB 1.1MB/s 827.7KB/s 00:01
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
packagesite.txz 100% 5072KB 298.3KB/s 141.9KB/s 00:17
Incremental update completed, 23376 packages processed:
0 packages updated, 0 removed and 23376 added.
So how do you deal with this? Easy..
First, remove the old file.
# rm /usr/local/etc/pkg.conf
Second: Add the proper new file. Some of these directories may exist, so if you get an error that they exist you can keep going.
# mkdir -p /usr/local/etc/pkg/repos
# nano /usr/local/etc/pkg/repos/FreeBSD.conf
Create or edit the file and make sure it contains the following:
NOTE: You can search around for a repository that's close to your location in the world and change the url appropriately.
4. So why is this happening?
So when you create a jail of a particular type(standard, portsjail, pluginsjail, etc) a template is downloaded by Warden. This template is never updated after it's downloaded. In my case, my template is quite old because it was from 9.1. As time goes on and the template is updated your template will be out of date. This may require action on your part to correct the problem. In this case, you have to deal with pointing pkg-ng to a proper repository so you can get proper updates.
Some problems, like this one, are fixed with Warden in 9.2.1+. But, if you are one of those suckers on the old version(I'm in that group) then you have to do some manual labor.
5. So is there a way to force a new template when I want to make a new jail in the future?
Yes. Stay tuned... ;)
But, things have gotten a little ugly. FreeBSD didn't have a repository of it's own until recently. If you use pkg-ng and your system uses an old template your jails won't be up to date anymore. Here's some info and how to fix this problem...
1. Validate you have a problem.
There's many ways to validate you have a problem. The easiest is to look at where the pkg-ng repo is coming from.
Here's an example of a jail that's correct:
# pkg –vv
….
Repositories:
FreeBSD: {
url : "pkg+http://pkg.FreeBSD.org/freebsd:9:x86:64/latest",
enabled : yes,
mirror_type : "SRV"
}
Notice the red text. That's the FreeBSD repository. This shows that all is well and everything is fine. Your jail may be 32 bit instead of 64 bit, but pkg.freebsd.org should be there.
Here's an old jail that is incorrect:
# pkg -vv
....
Repositories:
packagesite:
url: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
key:
enabled: yes
mirror_type: SRV
Notice the location is pcbsd.org, not to mention 9.1-RELEASE. Ideally, you want pkg.freebsd.org to be your repository. So here's how we do it!
2. Should I care?
Yes, and no. The easiest determining factor is to check for vulnerabilities. You can find out if you have an security vulnerabilities for your jail using pkg-ng.
# pkg audit
If there are any, you'll get a report of them. If so, you are on your own to decide to update your jail or not. If you don't want to figure out if the vulnerability is something you need to worry about, the conservative answer is to fix the problem.
3. How do I fix this?
First, you need to figure out where pkg-ng stores it's repo info. For my version(1.1.3) I know it gets its info from /usr/local/etc. If your version is too new you will have to find the pkg-ng documentation to figure out where the file is.So here's the steps I took:
# cd /usr/local/etc
# cat pkg.conf
PACKAGESITE: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
HTTP_MIRROR: http
PUBKEY: /usr/local/etc/pkg-pubkey.cert
PKG_CACHEDIR: /usr/local/tmp
So clearly pkg.conf is my source for the bad repo. So you can do the proper thing and edit the file with nano or equivalent, or you can be sloppy. I'll be sloppy.
# echo PACKAGESITE: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest > /usr/local/etc/pkg.conf
# pkg update
Updating repository catalogue
digests.txz 100% 1118KB 223.5KB/s 337.7KB/s 00:05
packagesite.txz 100% 5072KB 390.1KB/s 741.9KB/s 00:13
# pkg upgrade
Updating repository catalogue
New version of pkg detected; it needs to be installed first.
After this upgrade it is recommended that you do a full upgrade using: 'pkg upgrade'
Uprgades have been requested for the following 1 packages:
Upgrading pkg: 1.1.3_1 -> 1.2.7_1
The upgrade will require 1 MB more space
1 MB to be downloaded
Proceed with upgrading packages [y/N]:
--------
So there we go. All fixed up!
But, now there's a new problem...
# pkg update
pkg: PACKAGESITE in pkg.conf is deprecated. Please create a repository configuration file
Updating repository catalogue
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
digests.txz 100% 1118KB 1.1MB/s 827.7KB/s 00:01
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
packagesite.txz 100% 5072KB 298.3KB/s 141.9KB/s 00:17
Incremental update completed, 23376 packages processed:
0 packages updated, 0 removed and 23376 added.
So how do you deal with this? Easy..
First, remove the old file.
# rm /usr/local/etc/pkg.conf
Second: Add the proper new file. Some of these directories may exist, so if you get an error that they exist you can keep going.
# mkdir -p /usr/local/etc/pkg/repos
# nano /usr/local/etc/pkg/repos/FreeBSD.conf
Create or edit the file and make sure it contains the following:
Code:
FreeBSD: { url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", mirror_type: "srv", enabled: yes }
NOTE: You can search around for a repository that's close to your location in the world and change the url appropriately.
4. So why is this happening?
So when you create a jail of a particular type(standard, portsjail, pluginsjail, etc) a template is downloaded by Warden. This template is never updated after it's downloaded. In my case, my template is quite old because it was from 9.1. As time goes on and the template is updated your template will be out of date. This may require action on your part to correct the problem. In this case, you have to deal with pointing pkg-ng to a proper repository so you can get proper updates.
Some problems, like this one, are fixed with Warden in 9.2.1+. But, if you are one of those suckers on the old version(I'm in that group) then you have to do some manual labor.
5. So is there a way to force a new template when I want to make a new jail in the future?
Yes. Stay tuned... ;)