# How do you patch programs running with a jail?



## Ed_Flecko (Jul 29, 2015)

I'm planning on installing Apache, in a jail, from a port because I want more granular control as to what options and modules get installed from scratch. If I understand it correctly, I can run `make rmconfig` to remove the default options and then `make config` to select the options I want.

Correct so far?

My other question is: how do you patch Apache, in the jail, as security vulnerability patches are released from time to time? I've subscribed to the Apache security notification list, but I'm just not clear on how you apply the patch(es) as they're released. Or, is it just like I install it - i.e., just apply the patch (as if it wasn't running in a jail), and then re-run `make install clean`?

Thank you,
Ed


----------



## wblock@ (Jul 29, 2015)

A jail is treated like just another FreeBSD system.  If you installed from a port or package, update the port or package to get the latest patches.


----------



## Ed_Flecko (Jul 29, 2015)

Something like this:

`# ezjail-admin update -P`

Login on the jail console
`# ezjail-admin list`
`# ezjail-admin console <hostname>`

List outdated ports
`# pkg_version -vIL=`

Read about ports you want to upgrade
`# less /usr/ports/UPDATING`

Now use portmaster(8) to upgrade outdated ports
`# portmaster -db <port>`

and then re-run `make install clean` for Apache?

Is this correct?

Ed


----------



## tobik@ (Jul 29, 2015)

Updating ports is outlined in the handbook: https://www.freebsd.org/doc/handbook/ports-using.html#ports-upgrading


----------



## Ed_Flecko (Jul 29, 2015)

Thank you!

Ed


----------



## wblock@ (Jul 29, 2015)

Ed_Flecko said:


> Something like this:



Not quite.  Always, yes _always_ read /usr/ports/UPDATING after updating the ports tree and before adding or updating applications.  See Upgrading FreeBSD Ports.


----------



## kpa (Jul 29, 2015)

You don't want to recompile ports inside the jails. Use prebuilt packages either from the official repository or from your own repository. The updating procedure if you have your own repository would be:


1. Update the ports tree on the system that builds your packages.
2. Build updated packages; this could be done with ports-mgmt/poudriere or by other means.
3. Run `pkg upgrade` in all of your jails to update the installed package.
4. Restart updated services in the jails.
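
The four steps above as one host-side script; this is an added example, not code posted in the thread. The build jail name `builder`, ports tree `default`, port origin `www/apache24` and service name `apache24` are assumptions, and the script only prints its commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: poudriere build jail
# "builder", ports tree "default", origin www/apache24, rc service "apache24".
BUILD_JAIL="${BUILD_JAIL:-builder}"
PORTS_TREE="${PORTS_TREE:-default}"
ORIGIN="${ORIGIN:-www/apache24}"
SERVICE="${SERVICE:-apache24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Steps 1 and 2: update the ports tree on the build host, rebuild the package.
# Port options are chosen once beforehand with `poudriere options`.
build_packages() {
    run poudriere ports -u -p "$PORTS_TREE" &&
    run poudriere bulk -j "$BUILD_JAIL" -p "$PORTS_TREE" "$ORIGIN"
}

# Steps 3 and 4 for each named jail: upgrade, restart the service, then ask
# pkg audit whether any installed package still has a known vulnerability.
# A jail whose upgrade fails is reported and its service is left alone.
upgrade_jails() {
    failed=0
    for j in "$@"; do
        if run pkg -j "$j" upgrade -y; then
            run jexec "$j" service "$SERVICE" restart
            run pkg -j "$j" audit -F || failed=1
        else
            echo "upgrade failed in jail $j" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: DRY_RUN=0 sh patch-jails.sh www1 www2   (jail names as shown by jls)
if [ "$#" -gt 0 ]; then
    build_packages && upgrade_jails "$@"
fi
```

Each jail's pkg configuration has to point at the repository the build host publishes, otherwise `pkg upgrade` pulls the default-options package instead of the custom build.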


----------



## Ed_Flecko (Jul 29, 2015)

kpa said:


> You don't want to recompile ports inside the jails...



I'm probably confused about how to install Apache from source into the jail, so maybe someone can clarify this for me? Typically the jail either has its own ports tree or it's linked to the host's ports tree, correct? Like I said, I'd much prefer to install Apache from the port, so I can better control how Apache is initially configured.

Having said that, if I install Apache from a port within the jail, what's wrong with doing it the second time, i.e., after the ports have been updated (i.e., patched)?

Ed


----------



## kpa (Jul 29, 2015)

You're wasting time by compiling updated ports multiple times. If you build your own binary packages you can build once, install many times with very little effort.

If it's not obvious yet, binary packages are just pre-built ports. After installation they are indistinguishable from ports that are installed by building them directly.


----------



## Ed_Flecko (Jul 29, 2015)

Since my primary goal is to have Apache installed with only the options *I* want (as opposed to the way Apache is built using the default package), is poudriere my best method to achieve that goal? 

If so, I just need to learn more about poudriere and how to build my own packages? 

I'm guessing that by building my own package I can customize the install options?

Ed


----------



## kpa (Jul 29, 2015)

Yes, you have very good control over the options with Poudriere. Start by reading these:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-poudriere.html

https://forums.freebsd.org/threads/...g-ports-mgmt-poudriere-no-zfs-required.38859/


----------



## Ed_Flecko (Jul 29, 2015)

Cool...thank you. I'll check them out.

I'm *really* just looking for the easiest way to install Apache in a jail on a server that I'm creating and then manage to keep it patched as quickly and efficiently as security patches are released.



Ed


----------

