Keeping the jails up to date

Status
Not open for further replies.

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
So I think many people have underestimated the required management of the jails. In the past we've recommended people use pkg-ng or ports and upgrade using those programs as appropriate. This guide covers pkg-ng and not ports.

But, things have gotten a little ugly. FreeBSD didn't have a repository of its own until recently. If you use pkg-ng and your system uses an old template your jails won't be up to date anymore. Here's some info and how to fix this problem...

1. Validate you have a problem.

There are many ways to validate you have a problem. The easiest is to look at where the pkg-ng repo is coming from.

Here's an example of a jail that's correct:
# pkg -vv
....
Repositories:
FreeBSD: {
url : "pkg+http://pkg.FreeBSD.org/freebsd:9:x86:64/latest",
enabled : yes,
mirror_type : "SRV"
}

Notice the red text. That's the FreeBSD repository. This shows that all is well and everything is fine. Your jail may be 32 bit instead of 64 bit, but pkg.freebsd.org should be there.

Here's an old jail that is incorrect:

# pkg -vv
....

Repositories:
packagesite:
url: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
key:
enabled: yes
mirror_type: SRV

Notice the location is pcbsd.org, not to mention 9.1-RELEASE. Ideally, you want pkg.freebsd.org to be your repository. So here's how we do it!

2. Should I care?

Yes, and no. The easiest determining factor is to check for vulnerabilities. You can find out if you have any security vulnerabilities for your jail using pkg-ng.

# pkg audit

If there are any, you'll get a report of them. If so, you are on your own to decide to update your jail or not. If you don't want to figure out if the vulnerability is something you need to worry about, the conservative answer is to fix the problem.

3. How do I fix this?

First, you need to figure out where pkg-ng stores its repo info. For my version (1.1.3) I know it gets its info from /usr/local/etc. If your version is too new you will have to find the pkg-ng documentation to figure out where the file is. So here are the steps I took:

# cd /usr/local/etc
# cat pkg.conf
PACKAGESITE: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64
HTTP_MIRROR: http
PUBKEY: /usr/local/etc/pkg-pubkey.cert
PKG_CACHEDIR: /usr/local/tmp

So clearly pkg.conf is my source for the bad repo. So you can do the proper thing and edit the file with nano or equivalent, or you can be sloppy. I'll be sloppy.

# echo PACKAGESITE: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest > /usr/local/etc/pkg.conf
# pkg update
Updating repository catalogue
digests.txz 100% 1118KB 223.5KB/s 337.7KB/s 00:05
packagesite.txz 100% 5072KB 390.1KB/s 741.9KB/s 00:13
# pkg upgrade
Updating repository catalogue
New version of pkg detected; it needs to be installed first.
After this upgrade it is recommended that you do a full upgrade using: 'pkg upgrade'

Uprgades have been requested for the following 1 packages:

Upgrading pkg: 1.1.3_1 -> 1.2.7_1

The upgrade will require 1 MB more space

1 MB to be downloaded

Proceed with upgrading packages [y/N]:

--------

So there we go. All fixed up!

But, now there's a new problem...

# pkg update
pkg: PACKAGESITE in pkg.conf is deprecated. Please create a repository configuration file
Updating repository catalogue
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
digests.txz 100% 1118KB 1.1MB/s 827.7KB/s 00:01
pkg: Warning: use of http:// URL scheme with SRV records is deprecated: switch to pkg+http://
packagesite.txz 100% 5072KB 298.3KB/s 141.9KB/s 00:17
Incremental update completed, 23376 packages processed:
0 packages updated, 0 removed and 23376 added.

So how do you deal with this? Easy..

First, remove the old file.

# rm /usr/local/etc/pkg.conf

Second: Add the proper new file. Some of these directories may exist, so if you get an error that they exist you can keep going.

# mkdir -p /usr/local/etc/pkg/repos
# nano /usr/local/etc/pkg/repos/FreeBSD.conf

Create or edit the file and make sure it contains the following:

Code:
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  enabled: yes
}


NOTE: You can search around for a repository that's close to your location in the world and change the url appropriately.

4. So why is this happening?

So when you create a jail of a particular type (standard, portsjail, pluginsjail, etc.) a template is downloaded by Warden. This template is never updated after it's downloaded. In my case, my template is quite old because it was from 9.1. As time goes on and the template is updated your template will be out of date. This may require action on your part to correct the problem. In this case, you have to deal with pointing pkg-ng to a proper repository so you can get proper updates.

Some problems, like this one, are fixed with Warden in 9.2.1+. But, if you are one of those suckers on the old version (I'm in that group) then you have to do some manual labor.

5. So is there a way to force a new template when I want to make a new jail in the future?

Yes. Stay tuned... ;)
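
An added example, not part of the original post or of FreeNAS: a POSIX sh script for the check in step 1 and the fix in step 3 that reads the configuration files directly and keeps a copy of pkg.conf before removing it. The function names and the backup file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). The directory defaults to /usr/local/etc
# inside the jail; pass another directory to rehearse on a copy first.

# Print legacy | foreign | ok | none for the pkg repo configuration under $1.
classify_repo() {
    etc=${1:-/usr/local/etc}
    # Old-style PACKAGESITE line in pkg.conf, as in the 9.1 template.
    if grep -qi '^[[:space:]]*PACKAGESITE[[:space:]]*:' "$etc/pkg.conf" 2>/dev/null; then
        echo legacy; return 0
    fi
    urls=$(cat "$etc"/pkg/repos/*.conf 2>/dev/null | grep -i '^[[:space:]]*url[[:space:]]*:') || true
    if [ -z "$urls" ]; then echo none; return 0; fi
    # Any url line that does not point at pkg.FreeBSD.org counts as foreign.
    if echo "$urls" | grep -qiv '//pkg\.freebsd\.org/'; then echo foreign; else echo ok; fi
}

# Back up and remove pkg.conf, then write repos/FreeBSD.conf with the contents
# given in the post. Run it after pkg itself has been upgraded, as the post does.
migrate_repo() {
    etc=${1:-/usr/local/etc}
    new="$etc/pkg/repos/FreeBSD.conf"
    if [ -e "$new" ]; then echo "$new exists, leaving it alone" >&2; return 1; fi
    if [ -f "$etc/pkg.conf" ]; then
        cp -p "$etc/pkg.conf" "$etc/pkg.conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
        rm "$etc/pkg.conf" || return 1
    fi
    mkdir -p "$etc/pkg/repos" || return 1
    cat > "$new" <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  enabled: yes
}
EOF
}

# Rehearsal on a constructed pkg.conf in a temp directory (not a real jail).
demo() {
    d=$(mktemp -d) || return 1
    echo 'PACKAGESITE: http://pkg.cdn.pcbsd.org//freenas/9.1-RELEASE/amd64' > "$d/pkg.conf"
    before=$(classify_repo "$d")
    migrate_repo "$d" && echo "$before -> $(classify_repo "$d")"
    rm -rf "$d"
}
demo
```

Inside a jail, run `classify_repo` with no argument first; anything other than `ok` means the repository configuration needs a look before `pkg upgrade`.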
 

SmallGuy

Guru
Joined
Jun 7, 2013
Messages
560
Many thanks for that post.
I've met this behavior on a port jail and I think it's good to get this on the FreeNAS forum.
I also think it's a good idea to keep a jail up to date as a general rule, especially for sharing applications open on the Internet.
 

anika200

Contributor
Joined
Mar 18, 2013
Messages
113
Mistakes made by a noob, now I need some help fixing.

First I forgot to make a backup of /usr/local/etc/pkg.conf and then used the lazy method for moving to new pkg-ng and now I have an error message and a config file with only one line in it. :(
Here is the error:
Code:
root@subsonic:/usr/local/etc # echo PACKAGESITE: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest > /usr/local/etc/pkg.conf
root@subsonic:/usr/local/etc # pkg update
Updating repository catalogue
digests.txz                                                                                                                                100% 1094KB   1.1MB/s   1.1MB/s   00:01  
packagesite.txz                                                                                                                            100% 5066KB   2.5MB/s   4.3MB/s   00:02  
pkg: package audio/pacpl is built for freebsd:9:* arch, and local arch is freebsd:9:x86:64
Incremental update completed, 0 packages processed:
0 packages updated, 0 removed and 23409 added.
pkg: No digest falling back on legacy catalog format
pkg: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest/repo.txz: Not Found

What could be the problem?
Update:
I hate to thrash around on this thread so I will start a new one if I can not get it figured out. I think there may be some clues in this thread. http://forums.freebsd.org/viewtopic.php?f=5&t=44181&p=245847
 

DiWa

Cadet
Joined
Oct 28, 2013
Messages
9
Hi Anika200,

It's been a while since you posted your:

I faced it today too. Even though I didn't delete my pkg.conf, pkg (v1.1.3_1) was so old that nothing was working, even Cyberjock's:
echo PACKAGESITE: http://pkg.FreeBSD.org/freebsd:9:x86:64/latest > /usr/local/etc/pkg.conf

After struggling a lot to get pkg working, I found this solution:
https://forums.freebsd.org/viewtopic.php?f=4&t=45315#p253160

Manual install of a newer version of pkg

In all my steps back and forth to make this work I applied at some point Cyberjock's cleanup. Thanks for this!

Hope this will help others reading this thread and facing the same issue.

Enjoy
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yeah, pkg-ng has upped their needs for the pkg.conf file. Basically you need all the stuff that I mentioned above for a working jail.

No doubt pkg-ng will change even more as time goes on. It seems to be a pretty large moving target right now.
 

9C1 Newbee

Patron
Joined
Oct 9, 2012
Messages
485
For the uber n00bs who don't even know where to start to type in this "pkg -vv" nonsense:

1) Log into your GUI.

2) Right under the FreeNAS logo, you will see icons "System" "Network" etc. Click on the "Jails" Icon. ( If you don't see one that says "Jail", you must have a different version than (9.x.x.x) what I have. If so, this method probably won't work.)

3) In a second or so after the "Loading...", all your jails should pop up in a list, such as sabnzbd_1, firefly_1, etc. Select a jail by clicking on its respective line. This should highlight the selected jail.

4) Straight down to the bottom of the white section, you will see 5 icons. The icon on the farthest right with the "C:/>" is what will get you to the jail command line of the selected jail. Click it.

5) You should have a pop up window with a black background. You should also see something like "root@sabnzbd_1:/ # ". A generic example would be "root@WhateverJailYouAreIn:/ #" this is where you type in "pkg -vv" or whatever else.

6) Enjoy!

Probably a lot sexier way to do this, but this was my noob solution.
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Is there any way to upgrade a jail created using the Virtualbox template without breaking Virtualbox?
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Really no one has tried to update the packages in the VirtualBox template? Anytime I update the jail, I receive a blank page when accessing the Virtualbox web interface.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I've updated it with pkg-ng and had no problems...
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Not sure what is going on then. There are about 90 packages to update and one of them is causing the issue. I have been trying to update it for a while with no luck, hence why there are so many updates. Have there been any changes since 9.2.1.6 regarding the VirtualBox template? That was when I downloaded and created the jail. I am considering backing up my VMs, deleting the jail template and re-downloading.
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Update: So I completely removed the jail and deleted the template. I rebooted the FreeNAS server and then re-downloaded the Virtualbox 4.3.12 template and installed a new jail. I then stopped all Virtualbox and Apache services in the jail and installed all package updates using pkg-ng successfully. Apache would not update normally, so I had to uninstall apache22 and install apache24, which worked without an issue. After the updates finished I restarted the jail. I also went into the httpd.conf and edited the correct lines for apache24. But now I am still back to the same place I was where the web GUI is not accessible.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Hmm. I'll take a look at this later tonight if I get a chance. If you don't hear from me by Friday ping this thread so I can get a swift kick in the butt. ;)
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Okay, thanks for the help.
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Any updates on this problem?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
/me *gets poked in the booty*

No. Sorry. Not at home because of internet troubles. If I'm lucky I'll go home tonight or tomorrow. Maybe poke me Sunday if I don't respond by then.
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
Did you get a chance to look at this?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I'm trying it now... One of the problems I potentially see is that pkg-ng offers 4.3.16. That's newer than the kernel drivers that FreeNAS 9.2.1.8 comes with. So it is likely to not work. :(

Stay tuned...

Edit: So I didn't do the upgrades for Apache22 to Apache24 nor did I remove the mod_php5 dependency and everything still worked.

However, after doing the upgrade from Apache22 to Apache24 it's broken. I'm not an Apache wizard so I may or may not be able to fix it. My advice is:

1. Do the upgrades of everything and handle any problems that arise on your own (which could be a mess since 4.3.16 kernel drivers don't exist on FreeNAS).
2. Skip the upgrades of one or more packages. I'd skip upgrading Virtualbox and Apache if things get really ugly. Any security problems with Apache shouldn't be a major concern since your FreeNAS box (and therefore the jails) should be behind a firewall with no ports forwarded to Apache/Virtualbox.

My take is #2. Upgrade everything except Vbox and Apache and leave well enough alone until 9.3.

When virtualbox was released it was made very clear that upgrades may or may not work and should be kept in-line with the FreeNAS. Now you are left with having to accept that until 9.3 comes out. Sounds harsh, but it is and it's an unfortunate side-effect of making "all of this" work. It was a situation where we either live with these limitations or we never release it.

Oh, and I created a ticket so we can fix this... https://bugs.freenas.org/issues/6322
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
When I upgrade all packages except Apache and Virtualbox I still have an issue. When I go to the web GUI, I see what looks like the outline of the Virtualbox interface, but no text is showing up. So I suspect there is another package that is being updated, causing the issue. Not sure where to look though.

Also if I get past this problem, is it possible to upgrade Virtualbox to at least 4.3.15 before the kernel drivers were updated?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Virtualbox software and the kernel drivers should stay matched, period. Anything else is at your risk/reward and is unsupported.

If you want to upgrade the kernel drivers you'd need to download the FreeNAS code, update the build environment, then recompile FreeNAS. Generally the rule is "if you have to ask you don't know how to do it".

What is the reason for wanting 4.3.15 in particular?
 

raidflex

Guru
Joined
Mar 14, 2012
Messages
531
So basically no version above 4.3.12 will work then, without recompiling the Kernel drivers? I am still not sure why I cannot upgrade all packages except Virtualbox and Apache.

Edit: Never mind about the upgrades, the system was upgrading mod_php5 which was causing the issue. I locked that package, as well as apache and virtualbox.
 