FreeBSD 11.1 EOL: how do I keep my jails secure now?

Status
Not open for further replies.

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
For a couple of weeks now I have had an annoying problem: I run FreeNAS 11.1 with a jail for Plex and a jail for running cloud backups using rclone. I created both jails with iocage so that they are nice and future-proof. Or so I thought.

It turns out that FreeBSD 11.1 went EOL recently. Where I otherwise would diligently use portmaster to stay up-to-date and secure in my jails, I now can no longer do so. At the same time, FreeNAS 11.2 has not yet been officially released and on top of that, I read about someone with the same hardware and set-up as me (HP Microserver Gen10, SSD over SATA as boot device) who ran into issues installing an 11.2 RC where he could no longer boot from an SSD on the 5th SATA port. So ideally I would postpone this update until a later moment at which I can take my time so that I can calmly tackle any issues that might arise, but at the same time I feel like I cannot postpone this much longer because I can no longer patch my jails.

What would be the best way to go about this? Go with ALLOW_UNSUPPORTED_SYSTEM for the time being...?

On a related note: is there a way to do something equivalent to pkg audit when using ports? This command itself does not yield any results at the moment.
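The pkg audit question above is answerable in practice: packages built from ports are registered in the same pkg database as binary packages, so pkg audit checks them too, and "pkg audit -F" fetches the current VuXML vulnerability list first (an empty result often just means the list was never fetched inside the jail). The following script is an added example, not code from the thread or from FreeNAS; it assumes it runs as root on the FreeNAS host, that the jails are running with pkg installed, and that the host can reach vuxml.FreeBSD.org. The SAMPLE text is constructed pkg audit output with placeholder versions and CVE ids, only there so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit every running jail's installed
# packages against the FreeBSD VuXML database with pkg(8), and count hits.
# Ports-built packages live in the same pkg database, so "pkg audit" covers
# them; "-F" fetches a fresh vulnerability list before checking.
# Assumptions: run as root on the FreeNAS host, jails are running and have
# pkg installed, and vuxml.FreeBSD.org is reachable.

# Count "<pkg> is vulnerable:" lines in pkg audit output read from stdin.
count_vulnerable() {
    grep -c ' is vulnerable:$' || true
}

# List the vulnerable package names (one per line) from pkg audit output on stdin.
list_vulnerable() {
    sed -n 's/ is vulnerable:$//p'
}

# Audit each running jail. Prints "<jail> <count>" per jail and returns 1 if
# any jail has at least one vulnerable package (handy as a cron/periodic job).
audit_running_jails() {
    rc=0
    for j in $(jls name); do
        out=$(pkg -j "$j" audit -F 2>/dev/null || true)
        n=$(printf '%s\n' "$out" | count_vulnerable)
        printf '%s %s\n' "$j" "$n"
        [ "$n" -eq 0 ] || rc=1
    done
    return $rc
}

# Constructed sample of pkg audit output. Versions, advisories and CVE ids
# are placeholders, not real advisories; used only to exercise the parser.
SAMPLE='vulnxml file up-to-date
curl-0.0.1 is vulnerable:
curl -- placeholder advisory
CVE: CVE-0000-0000
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-1.html

libexample-1.2.3 is vulnerable:
libexample -- placeholder advisory
CVE: CVE-0000-0000
WWW: https://vuxml.FreeBSD.org/freebsd/PLACEHOLDER-2.html

2 problem(s) in the installed packages found.'

# Offline demo on the constructed sample; on a live host call audit_running_jails.
printf '%s\n' "$SAMPLE" | count_vulnerable
printf '%s\n' "$SAMPLE" | list_vulnerable
```

The non-zero return code from audit_running_jails is the part worth wiring into a scheduled job: it turns "my jail base is EOL and I cannot rebuild ports" into a concrete per-jail list of packages with known advisories, which is what decides whether waiting for 11.2 is acceptable.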
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Update to 11.2 as soon as it's released :/
That's the only real solution
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Stop using your NAS as a hosting platform and use it as a NAS. Also it sounds like you don't trust your own network at all. Where do you live? China? Russia?

You could always migrate your jails to a stand alone 11.2 FreeBSD server and back when FreeNAS 11.2 is released.
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
Stop using your NAS as a hosting platform and use it as a NAS. Also it sounds like you don't trust your own network at all. Where do you live? China? Russia?

You could always migrate your jails to a stand-alone 11.2 FreeBSD server and back when FreeNAS 11.2 is released.

I could go without Plex for a while, but I would say that automated cloud backups are pretty NASsy and calling this a "hosting platform" is uncalled for. It would be very unfortunate if a (now unpatchable) vulnerability turned up that could facilitate a MITM attack while my NAS connects to B2 for running backups.

In the meantime I stumbled upon this thread: https://forums.freenas.org/index.ph...ge-jails-are-now-useless-what-do-we-do.70461/

In my mind there should be a transition period of a couple of months in which I can migrate to the new version of FreeNAS at a moment that is convenient for me. Instead now my back is against the wall to update asap, while I have, you know, a job and life to worry about too.

I am a software developer myself and don't mind having to tinker a bit to get stuff working again (at a time of my own choosing!), but a three month gap in which jails cannot be patched is in my mind simply unacceptable. Seeing that I only have a simple setup with 2 mirrored disks I am now strongly considering taking my chances with a BTRFS-enabled Synology instead.

I sincerely hope that it won't come to this, but what I read about FreeBSD's aggressive release schedule makes it sound like unpatchable jails could become a yearly recurring event. Not so thrilled about that prospect...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
a jail for running cloud backups using rclone.
Since rclone is part of the base installation, this seems completely unnecessary.
In my mind there should be a transition period of a couple of months in which I can migrate to the new version of FreeNAS at a moment that is convenient for me.
I agree. IMO, the FreeBSD release cycle is far too aggressive in this regard. 90 days after 11.2 is released, 11.1 goes EOL.
Stop using your NAS as. Hosting platform and use it as a NAS.
Since iX are actively marketing FreeNAS as a hosting platform, this seems uncalled-for. Though the bhyve implementation seems, well, sub-optimal, jails have been solid for many years.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
jails have been solid for many years.
Except for networking breaking in new ways with every update. It seems they plan to have a proper "network manager" in 11.3. You know, after everyone needs it for all the VM and jail hosting. I seriously think FreeNAS needs to fork.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
There's already something FreeBSD based that exists for just jails and vm management called ClonOS.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Except for networking breaking in new ways with every update.
To be fair, networking worked well under warden. It's been iocage that's been a sh*tshow.
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
To the OP: I understand your frustration, but you really need to get out of the mindset that you have to update your system every time an update is made available. That is a Windows mentality. FreeBSD and Linux systems don't have the same problems that Windows users have.
 

Alex18

Dabbler
Joined
Feb 20, 2018
Messages
10
I fully support the need for an update. However, in addition to this process, there are important things: day work, family, study, rest. I can update the system every six months. But there are a lot of such systems (I’m not just talking about FreeNAS + tons of jails). The problem that is being discussed here is not the need for an update, but the short period. You may not be in time if you do not work in the IT industry every day (and night), and on FreeNAS in particular.

I understand that these are problems of the lack of people in the FreeBSD project. And I understand that this support is more of a marketing ploy. Nobody from the Core team can force developers to support something. This is a non-profit project and voluntary participation. I hope iX will sooner or later be able to hire a sufficient number of professional developers and provide support regardless of FreeBSD.
 

Dwarf Cavendish

Contributor
Joined
Dec 19, 2017
Messages
121
Do not worry. It seems the Core Team has heard you. And now the support period will be even less: https://lists.freebsd.org/pipermail/freebsd-announce/2018-November/001854.html ;-)
A changed security landscape, increased toolchain velocity, and shorter support windows for our upstream components necessitate this reevaluation.
So basically FreeBSD suffers from the same problem further upstream. Somehow this makes sense; a higher velocity and shorter support windows are something I also experience as an enterprise software developer. Although I am a bit surprised that an operating system depends on upstream components...?

To the OP: I understand your frustration, but you really need to get out of the mindset that you have to update your system every time an update is made available. That is a Windows mentality. FreeBSD and Linux systems don't have the same problems that Windows users have.
I'd at least want to be able to update any software on my box that accesses the Internet. Exploitable vulnerabilities can come up in any software, regardless of the operating system. If, for example, a vulnerability would make it possible to pass off fake certificates as real ones, it would make MITM attacks possible. If such an attack would take place at customers of Backblaze (i.e.: me), my data could be stolen when my box runs cloud backups. This is all theoretical of course, but thinking along those lines I might as well stop patching my web browser.

Ironically enough, installing software on Windows typically does not rely on ports/package managers that tell me that my operating system is EOL.

Lastly: I do appreciate the non-profit nature of FreeNAS and the effort that IX is putting into it. Despite its shortcomings I like FreeNAS and the benefits of ZFS that it brings me. I want this project to succeed so that it thrives and I can recommend my (less tech-inclined) friends to use it :) .
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
Then I would suggest that you take another look at FreeNAS 11.2. Check the changelog for RC2 and see whether or not they addressed the issues that caused problems on your system. I kept an eye on the changelogs for each release and waited until it looked like the problems I might encounter were addressed. My update from 11.1_U6 to 11.2_RC2 went OK.

Part of the problem, as has been pointed out in an earlier thread, was with iocage itself. In updates from 11.1-U2 through 11.1-U6, I had to fix network issues after each update. iocage itself has been updated along with FreeNAS.

You can always try a fresh install on a new boot device to see if the latest build will work for you. I would not bother with anything earlier than RC2. Or just wait a few more months. It's difficult for me to see how an attack on Plex could compromise anything on my system.
 