# appliance how to... ports, upgrades, updates, and custom jails?



## zader (Oct 3, 2021)

How does FreeBSD deal with custom code, major upgrades/updates, and maintaining custom code on an appliance?

i.e.:
It may not have internet access for months on end. How would one automate unattended major system, system ports, and code updates/upgrades for a fleet of, say, 1000 appliances?

What is a good strategy for maintaining custom code in a jail or bhyve VM?
I need to replicate the functionality of a balana device running Docker containers using jails/VMs and FreeBSD. There seems to be a lot of documentation on the individual components, but what is the recommended integration for a FreeBSD-based appliance?

Although overly complex, CI/CD seems fairly straightforward on, say, Ubuntu, but hazy on FreeBSD. Or there are just so many ways to accomplish the same task that it's hard to know what works well together.

Thanks


----------



## Phishfry (Oct 3, 2021)

zader said:


> How does FreeBSD deal with custom code, major upgrades/updates, and maintaining custom code on an appliance?
> 
> i.e.:
> It may not have internet access for months on end. How would one automate unattended major system, system ports, and code updates/upgrades for a fleet of, say, 1000 appliances?


If all 1000 devices are the same I would use NanoBSD and build a custom image for the appliance.
Included would be any ports needed for the device.

The frequency of your NanoBSD builds would depend on your security posture.
On NanoBSD you would exclude any unneeded drivers or applications. So that right there helps.
But for a device that does not need Internet access at all, I would build a new image every major release at minimum.
For a device that is internet-facing, I would build images by need and vulnerabilities.
Having a read only filesystem really helps.
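As an added example (not code from this thread or from the NanoBSD project), here is a NanoBSD configuration file along the lines Phishfry describes: a kernel with only the needed drivers, a trimmed userland, the required packages baked in, two root slices so an image shipped offline can be written to the inactive slice with the old one kept for rollback, and a read-only root. Variable and cust_* names are those defined in NanoBSD's defaults.sh; the kernel config path, package directory and overlay directory are assumed placeholders.

```shell
# bas-appliance.nano: passed to nanobsd.sh with -c (sh nanobsd.sh -c bas-appliance.nano).
# Variable and cust_* names come from tools/tools/nanobsd/defaults.sh; the kernel
# config path, package directory and overlay directory are placeholders.
NANO_NAME=bas-appliance
NANO_SRC=/usr/src
NANO_OBJ=/usr/obj/nanobsd.${NANO_NAME}
# A kernel config listing only the drivers the hardware needs (a value with a
# slash is read as a file path rather than a name under sys/<arch>/conf).
NANO_KERNEL=/usr/local/nanobsd/BAS_APPLIANCE
NANO_MODULES=""                 # no loadable modules shipped at all
# Trim the userland: no test suite, compat libs, debug symbols, mail or printing.
CONF_BUILD='
WITHOUT_TESTS=YES
WITHOUT_LIB32=YES
WITHOUT_DEBUG_FILES=YES
WITHOUT_PROFILE=YES
WITHOUT_SENDMAIL=YES
WITHOUT_LPR=YES
WITHOUT_KERBEROS=YES
'
# Build with a toolchain but leave the compilers out of the installed image.
CONF_INSTALL="${CONF_BUILD}WITHOUT_TOOLCHAIN=YES
"
# Media layout: two root slices, so a new image is written to the inactive one
# (the generated /root/updatep1 and /root/updatep2 do this) and the old one stays
# for rollback; / is mounted read-only, /etc and /var are RAM disks.
NANO_DRIVE=da0
NANO_MEDIASIZE=$((4 * 1024 * 1024 * 1024 / 512))   # 4 GB in 512-byte sectors
NANO_IMAGES=2
NANO_RAM_ETCSIZE=20480
NANO_RAM_TMPVARSIZE=40960
# Pre-built packages (e.g. from a local poudriere repo) installed into the
# image, so a device never needs network access to get or update them.
NANO_PACKAGE_DIR=/usr/local/nanobsd/pkgs
NANO_PACKAGE_LIST="*"
if ! command -v customize_cmd >/dev/null 2>&1; then
    # Only reached when sourced outside nanobsd.sh (e.g. for a syntax check).
    customize_cmd() { NANO_CUSTOMIZE="$NANO_CUSTOMIZE $*"; }
fi
cust_bas_appliance() (
    # Copy the appliance overlay (rc.conf, pf.conf, the application) in last.
    cd /usr/local/nanobsd/overlay && find . -print | cpio -Ldumpv "${NANO_WORLDDIR}"
)
customize_cmd cust_comconsole      # serial console for headless boxes
customize_cmd cust_pkgng           # install everything in NANO_PACKAGE_DIR
customize_cmd cust_bas_appliance
```

The resulting image is written to the device once; later releases are rebuilt the same way and applied with updatep1/updatep2 from removable media, so no device needs to reach the network.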


----------



## Beastie7 (Oct 3, 2021)

I think something like Ansible or Salt would help. Installadm is another tool, but that's Solaris stuff.


----------



## bakul (Oct 3, 2021)

zader said:


> What is a good strategy for maintaining custom code in a jail or bhyve VM?
> I need to replicate the functionality of a balana device running Docker containers using jails/VMs and FreeBSD. There seems to be a lot of documentation on the individual components, but what is the recommended integration for a FreeBSD-based appliance?


Do you mean _Balena_? One suggestion is to look at focker or cbsd.


----------



## zader (Oct 3, 2021)

> Do you mean _Balena_?


lol yes



> If all 1000 devices are the same I would use NanoBSD


They will be, yes. The biggest issue is the environment will not be consistent, nor will the device be guaranteed a spot on a TCP/IP network. The prototype does have several NICs on it, so I hope to be able to peel off at least one to allow updates.
Thanks, I'll look into Nano. Never worked with it, but it looks good. I was wondering about how to go about making a container read-only image.



> builds would depend on your security posture


The aim for the device is to secure the BAS; however, because all its traffic is UDP broadcast, a simple drop-all-TCP will get me most of the way there.



> One suggestion is to look at focker


Interesting, thanks!



> ansible


I can dig that too.

Thanks for all the ideas, some good stuff to research.


----------



## jbo (Oct 3, 2021)

Phishfry said:


> If all 1000 devices are the same I would use NanoBSD and build a custom image for the appliance.
> Included would be any ports needed for the device.


Given that this is dated 2006, I'm not sure how relevant and/or helpful it is: Poul-Henning Kamp's "Building a FreeBSD Appliance with NanoBSD", by the author of NanoBSD himself.
That being said, things tend to remain a lot more stable compared to the worlds of Linux, Windows and macOS. So I take it that most of the things in there still hold true today.


----------



## Phishfry (Oct 3, 2021)

This is probably a more recent article:

NanoBSD [BSD Router Project] (bsdrp.net)

And if your appliance needs UEFI images, you might want to investigate poudriere image:

Poudriere image [BSD Router Project] (bsdrp.net)


----------

