# What happens in a jail when updating the main host system?



## japoc (Mar 28, 2017)

Hi,

despite reading and re-reading the manual, I have an extremely hard time understanding how to keep my FreeBSD host and my FreeBSD jails secure.

I am going to try to express my current understanding of FreeBSD as maybe the problem is that I don't understand it.

There seems to be on one side the kernel and base components, and on the other side the packages. I'm not going to include ports in the discussion for now, I hope it is not necessary to include them as long as I don't install anything from ports. I'm not going to include the packages in the discussion either because I think I'm going to write a second post for that. So, in this post, I'd like to focus exclusively on how to correctly update the kernel and base components, in the host, and in the jails.

To check for new security patches available for the kernel (and, I guess, for the other base components of FreeBSD which are not managed with pkg and are considered part of FreeBSD itself), I should do

`# freebsd-update fetch`

This will tell me what new security patches are available for the kernel and base components.

Then
`# freebsd-update install`

will install them. Correct me if I'm wrong.

I also have jails on this system.
Until now, I used to believe that all jails shared the kernel and base components of the host. So I thought that running `freebsd-update install` on the host would automatically update the kernels and base components of the jails.
However, it seems that I was wrong. Because just after running `freebsd-update install` on the host, if I enter a jail and type `freebsd-update fetch`, a lot of available security patches are displayed.

So what happened? Does each jail have a separate kernel and/or base components? What should I do?

In case it has any relevance to the discussion, I'm going to point out that I use ezjail to create my jails.

I hope you can help me.


----------



## SirDice (Mar 28, 2017)

japoc said:


> So what happened? Does each jail have a separate kernel and/or base components?


Almost. Jails share the kernel with the host but their base components are separate.



> What should I do?


Update your jails separately. How you do that depends on how the jails are set up. EZJail for example has a single "base" jail, update that and all your jails are updated.


```
     ezjail-admin update -b
             Build and install a world from source. The sources are taken from
             /usr/src (but see the -s flag). This can be used both for creating
             the initial base jail, and for updating it after the host has
             been upgraded.

     ezjail-admin update -u
             Update the base jail to the next release using freebsd-update(8)
             (i.e. using binary packages). This may be used only to update an
             existing installation.
```

Handbook: 14.5. Updating Multiple Jails
Handbook: 14.6. Managing Jails with ezjail
Handbook: 14.6.4. Updating Jails


----------



## japoc (Mar 28, 2017)

Thanks for the reply. I had read this part of the manual, but I don't understand it, because I'm not sure what exactly is meant by "the world". Does it mean the kernel and base components?


----------



## japoc (Mar 28, 2017)

Also assuming, the "world" is the base system as I guessed in my last post, why do I need to compile it from source before using jails? Doesn't my host already have a base system that could be used by the jails?


----------



## SirDice (Mar 28, 2017)

japoc said:


> because I'm not sure what exactly is meant by "the world". Does it mean the kernel and base components?


"World" is the base utilities, libraries, etc. Basically everything except the kernel.



japoc said:


> Also assuming, the "world" is the base system as I guessed in my last post, why do I need to compile it from source before using jails?


You don't _need_ to, you can also do a binary update with freebsd-update(8) (`ezjail-admin update -u`).



> Doesn't my host already have a base system that could be used by the jails?


Yes, and no. Think of a jail as a completely separate system. Updating one system doesn't automatically update another.


----------



## japoc (Mar 28, 2017)

Thanks, I think I understand better now.
However when I run

`# ezjail-admin update -u`

I get the following output:


```
/lot/of/paths/and/files/....
/usr/share/zoneinfo/Indian/Kerguelen
/usr/share/zoneinfo/Pacific/Easter
/usr/share/zoneinfo/Pacific/Tongatapu
/usr/share/zoneinfo/zone.tab
Installing updates... done.
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 4 mirrors found.
Fetching metadata signature for 11.0-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

The following files will be added as part of updating to 11.0-RELEASE-p8:
/usr/share/zoneinfo/Asia/Barnaul
/usr/share/zoneinfo/Asia/Famagusta
/usr/share/zoneinfo/Asia/Tomsk
/usr/share/zoneinfo/Asia/Yangon
/usr/share/zoneinfo/Europe/Astrakhan
/usr/share/zoneinfo/Europe/Kirov
/usr/share/zoneinfo/Europe/Ulyanovsk
Installing updates...mkdir: /usr/jails/newjail//boot: No such file or directory
mtree: /usr/jails/newjail//boot/kernel: No such file or directory
mtree: /usr/jails/newjail//boot/kernel.old: No such file or directory
touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory
Could not create kernel backup directory
```

Is it normal? I would guess it comes from the fact that, as you said, jails share the kernel with the host, but then why this message from ezjail-admin? It should be aware of that and not display such messages.

Also, after running the
`# freebsd-update install`
and
`# ezjail-admin update -u`
commands from the host, if I then run
`# freebsd-update fetch` in one of my jails, I still get a lot of lines of output displaying available patches (I don't have those anymore when running the same command from the host).
So it seems the update didn't occur, or I'm missing something again.


----------



## japoc (Mar 28, 2017)

By reading your replies in other threads, I understood that the first issue is normal (the error messages come from the *freebsd-update* command that *ezjail-admin* runs under the hood).
Again, correct me if I'm wrong.

However, I'm still clueless about why running `freebsd-update fetch` from the jail still offers me a bunch of patches despite having done a `ezjail-admin update -u` the minute before on the host.


----------



## SirDice (Mar 28, 2017)

japoc said:


> By reading your replies in other threads, I understood that the first issue is normal (the error messages come from the *freebsd-update* command that *ezjail-admin* runs under the hood).


Strictly speaking it's not normal but it won't cause any issues. It's just the sources that are being updated. And because the source is missing on your system you get these error messages.


----------



## japoc (Mar 28, 2017)

Thanks.

Any idea why the `freebsd-update fetch` command inside the jail continues to display the same list of available updates before and after running `ezjail-admin update -u` on the host?
This seems to indicate that the jail wasn't updated, but the `ezjail-admin update -u` command did not exit with an error code. Did I miss a step?


----------



## bsd33 (Oct 12, 2022)

For me it is also not clear.
I did a `freebsd-update fetch && freebsd-update install` on the host. So the host is up to date.

When I run the command to update the basejail, `ezjail-admin update -u`,
it looks like it only runs `freebsd-update fetch` in the background.

Because I can run this command (`ezjail-admin update -u`) over and over and the output is the same.

But how can you install the updates in the basejail (I know the kernel is shared between host and basejail, but some other files also need to be updated?)
Which command is executed after `ezjail-admin update -u`?


----------



## Alain De Vos (Oct 12, 2022)

I never used ezjail but maybe,

ezjail-admin (www.freebsd.org)


----------



## W.hâ/t (Oct 12, 2022)

Alternatively you can run freebsd-update(8)

```
-b basedir     Operate on a system mounted at basedir.  (default: /, or
                    as given in the configuration file.)
```


----------



## SirDice (Oct 12, 2022)

bsd33 said:


> Which command is executed after "ezjail-admin update -u" ?


Nothing. Your base jail has been updated. Just log in on one of your jails and check with `freebsd-version -u`.


----------



## SKull (Oct 13, 2022)

japoc said:


> Hi,
> 
> despite reading and re-reading the manual, I have an extremely hard time understanding how to keep my FreeBSD host and my FreeBSD jails secure.
> 
> ...


If you're using jails without iocage or ezjail you can just use
`freebsd-update -j /your/jail`
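As an added example (not code from the thread, ezjail or FreeBSD), a small POSIX sh script that does the check SirDice recommends with `freebsd-version -u` across jail roots and applies `freebsd-update -b`, as W.hâ/t suggests, only where a jail's userland lags the host. It assumes the jail roots are passed as arguments (for ezjail, `/usr/jails/basejail`) on a FreeBSD host where `freebsd-version` and `freebsd-update` exist.

```shell
# Added example (not from the thread or ezjail): compare each jail's userland
# patch level with the host's and run the binary update only where it lags.
# Assumes jail roots are passed as arguments; for ezjail pass
# /usr/jails/basejail, since the other jails only symlink into it.

# patch_level 11.0-RELEASE-p8 -> 8 ; a release with no -pN suffix -> 0
patch_level() {
    case $1 in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# release_base 11.0-RELEASE-p8 -> 11.0-RELEASE
release_base() { echo "${1%-p[0-9]*}"; }

# jail_behind HOSTVER JAILVER: true (0) when the jail userland is older than
# the host's, or tracks a different release entirely.
jail_behind() {
    [ "$(release_base "$1")" != "$(release_base "$2")" ] && return 0
    [ "$(patch_level "$2")" -lt "$(patch_level "$1")" ]
}

# Same binary update freebsd-update(8) does for the host, aimed at the jail
# root with -b. The kernel is the host's, so the "/boot ... No such file or
# directory" messages seen in the thread are expected and harmless here.
update_jail_root() { freebsd-update -b "$1" fetch install; }

audit_jails() {
    host=$(freebsd-version -u)
    for root in "$@"; do
        # freebsd-version(1) is a script with the userland version baked in,
        # so running the jail's own copy reports the jail's userland, not
        # the host's, without needing the jail to be running.
        jail=$(sh "$root/bin/freebsd-version" -u) || { echo "$root: no userland found"; continue; }
        if jail_behind "$host" "$jail"; then
            echo "$root: userland $jail is behind host $host, updating"
            update_jail_root "$root"
        else
            echo "$root: userland $jail is current"
        fi
    done
}

# Only act when jail roots are given, e.g.: sh jailcheck.sh /usr/jails/basejail
if [ "$#" -gt 0 ]; then audit_jails "$@"; fi
```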


----------

