Updating Bastille jails is pleasingly simple, especially if so-called ‘thin jails’ are used. Thin jails do not contain any data from the base system; instead, the base is mounted into each jail read-only. This means that 100 jails can share a single base installation. If this base is updated, all 100 jails are updated at the same time.
Always check beforehand whether there have been any changes to the configuration template:
diff -u /usr/local/etc/bastille/bastille.conf /usr/local/etc/bastille/bastille.conf.sample
The rest is done quickly.
These are normal updates within a release; they have a direct effect on all jails.
bastille update XX.Y-RELEASE # Use current release
bastille cmd ALL certctl rehash # Read in new certificates
bastille restart ALL # Restart all jails
Old jails run on newer systems, but not necessarily the other way round.
The situation is different for release upgrades, e.g. from 14.1-RELEASE to 14.2-RELEASE. As the base is integrated via nullfs, the fstab of the respective jail must be adapted. Otherwise, an update is again very simple:
bastille stop ALL # Stop all jails
bastille bootstrap XX.Z-RELEASE update # Download the new release
bastille list -a # Displays all stopped jails
bastille edit JAILNAME fstab # Store reference to the new release
- /usr/local/bastille/releases/XX.Y-RELEASE /usr/local/bastille/jails/JAILNAME/root/.bastille nullfs ro 0 0
+ /usr/local/bastille/releases/XX.Z-RELEASE /usr/local/bastille/jails/JAILNAME/root/.bastille nullfs ro 0 0
bastille start ALL
bastille list release # List Releases
bastille destroy XX.Y-RELEASE # OPTIONAL: Remove old unused release
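
The fstab edit from the release upgrade above, scripted for one jail, as an added example that is not part of the original page or of Bastille itself. The function name update_fstab, its exit codes and the demo paths are this example's own; it rewrites only the nullfs line for .bastille, refuses a release that has not been bootstrapped, and refuses a base mount that is not read-only.

```shell
#!/bin/sh
# Added example, not part of Bastille: repoint one thin jail's base mount.
# update_fstab FSTAB OLD_RELEASE NEW_RELEASE [RELEASES_DIR]
# Exit status: 0 rewritten, 2 no fstab, 3 new release not bootstrapped,
#              4 no matching base mount, 5 base mount is not read-only.
update_fstab() {
    fstab=$1; old=$2; new=$3; rel=${4:-/usr/local/bastille/releases}
    [ -f "$fstab" ] || { echo "no such fstab: $fstab" >&2; return 2; }
    [ -d "$rel/$new" ] || { echo "release missing: $rel/$new" >&2; return 3; }
    tmp=$(mktemp "$fstab.XXXXXX") || return 1
    # Touch only the nullfs line that mounts the old release on .../.bastille;
    # other mounts of the jail pass through unchanged.
    awk -v o="$rel/$old" -v n="$rel/$new" '
        $1 == o && $3 == "nullfs" && $2 ~ /\/\.bastille$/ {
            if (("," $4 ",") !~ /,ro,/) bad = 1   # shared base must stay ro
            $1 = n; hit = 1
        }
        { print }
        END { exit bad ? 5 : (hit ? 0 : 4) }
    ' "$fstab" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$fstab" "$fstab.bak" && cat "$tmp" > "$fstab" && rm -f "$tmp"
}

# Constructed demo: a throwaway tree standing in for /usr/local/bastille.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/releases/14.1-RELEASE" "$d/releases/14.2-RELEASE"
    printf '%s\n' \
        "$d/releases/14.1-RELEASE $d/jails/web/root/.bastille nullfs ro 0 0" \
        "/srv/data $d/jails/web/root/data nullfs rw 0 0" > "$d/fstab"
    update_fstab "$d/fstab" 14.1-RELEASE 14.2-RELEASE "$d/releases" &&
        cat "$d/fstab"
    rm -rf "$d"
}
demo
```

Run it once per jail while the jails are stopped; the previous fstab is kept beside it as fstab.bak.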
"Thick Jails" sind komplette Systeme, die wie normale FreeBSD-Installationen aktualisiert werden.
After an update, it is advisable to update the packages. This can also be done for all jails at the same time.
Find out BEFOREhand whether there are any important changes to your installed services and whether adjustments need to be made. If in doubt, it is better to carry out a manual update within the jail. If a bastille restart ALL is too far-reaching for you, you can of course restart the services within the jails manually; e.g. bastille cmd JAILNAME service nginx restart restarts the nginx service in the jail JAILNAME.
bastille cmd ALL pkg upgrade -y # Upgrade all packages in all jails
bastille cmd ALL pkg autoremove -y # Remove old packages that are no longer needed
bastille cmd ALL pkg clean -y -a # Remove old downloads
bastille restart ALL # Restart all jails
Voilà