Update jail base system

Status
Not open for further replies.

makro

Cadet
Joined
Jan 11, 2015
Messages
2
Hi. I recently upgraded to FreeNAS 9.3, and it all went well.

I have been using FreeNAS for a few years, and have some fairly old jails (9.1-pluginjail template). They still work, and with cyberjock's guide I have all the packages up to date. However, the base system within the jails is as old as it has always been, and e.g. the OpenVPN package uses the old OpenSSL 0.9.8x, and sshd is at 5.8p2. The FreeBSD handbook suggests running freebsd-update from the host, with the -b option pointing to the jail, but freebsd-update is not available in the FreeNAS host environment.

Is there a reasonable way to update the base system of a jail in FreeNAS?
 
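An added example, not code from this thread or from FreeNAS: a small host-side audit that answers the question "how old is the base inside each jail?" by comparing the jail's base OpenSSL and OpenSSH banners with the host's, since `uname -r` inside a jail reports the host kernel and says nothing about the jail's userland. It uses the standard FreeBSD jls/jexec/sockstat tools; the banners in the comments are constructed samples, and the host is assumed to be the freshly upgraded reference.

```shell
#!/bin/sh
# Added example (not code from the thread): compare the base userland of each
# running jail against the FreeNAS host it runs on. A jail's "uname -r"
# reports the host kernel, so it says nothing about how old the jail's base
# is; the version banners of the base openssl and ssh binaries do. The host,
# freshly upgraded, is used as the reference. jls/jexec/sockstat are the
# standard FreeBSD tools; the sample banners mentioned below are constructed.

# Extract the bare version token from an "openssl version" banner,
# e.g. "OpenSSL 0.9.8x 10 May 2012" -> "0.9.8x".
openssl_token() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Extract the OpenSSH version from an "ssh -V" banner,
# e.g. "OpenSSH_5.8p2, OpenSSL 0.9.8x 10 May 2012" -> "5.8p2".
ssh_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# Compare one jail with the host and print a one-line verdict.
# Arguments: jail name, host openssl banner, jail openssl banner,
#            host ssh -V banner, jail ssh -V banner.
# Returns 0 when both components match the host, 1 when the jail lags.
report_jail() {
    name=$1
    h_ssl=$(openssl_token "$2"); j_ssl=$(openssl_token "$3")
    h_ssh=$(ssh_token "$4");     j_ssh=$(ssh_token "$5")
    status=OK
    [ "$h_ssl" = "$j_ssl" ] || status=STALE
    [ "$h_ssh" = "$j_ssh" ] || status=STALE
    printf '%s\t%s\topenssl=%s (host %s)\tssh=%s (host %s)\n' \
        "$status" "$name" "$j_ssl" "$h_ssl" "$j_ssh" "$h_ssh"
    [ "$status" = OK ]
}

# Walk every running jail on the host. Besides the version check, list the
# sockets each jail has listening: those are what an attacker probes, which
# is why the age of the base matters for a jail with a port forwarded to it.
audit_jails() {
    h_ssl=$(openssl version)
    h_ssh=$(ssh -V 2>&1)
    jls jid name | while read -r jid name; do
        j_ssl=$(jexec "$jid" openssl version 2>/dev/null)
        j_ssh=$(jexec "$jid" ssh -V 2>&1)
        report_jail "$name" "$h_ssl" "$j_ssl" "$h_ssh" "$j_ssh" || true
        # sockstat -j restricts the listing to one jail; columns 2 and 6 are
        # COMMAND and LOCAL ADDRESS.
        sockstat -4 -6 -l -j "$jid" | awk 'NR > 1 {print "    listening:", $2, $6}'
    done
}

# Only run the walk on a real FreeBSD/FreeNAS host (jls present); the helper
# functions above work anywhere.
if command -v jls >/dev/null 2>&1; then
    audit_jails
fi
```

Run it as root on the host after the 9.3 upgrade; any jail reported STALE is carrying a base older than the host's, whatever pkg says about its packages, and the "listening:" lines show which of that old base's services are actually reachable.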

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I was just talking to the CTO of iXsystems about this in IRC 5 hours ago.

The bottom line is that jails aren't designed to be update-able. There never has been and currently is no good mechanism to update the jails.

I've been toying with the same dilemma here at home. I'm about to upgrade from FreeNAS 9.2.1.9 to 9.3 and I wanted to update my jails (I have 10 or so). The only way to "update" the jails is to simply destroy the jail and recreate it from scratch with the new 9.3 template.

I don't like this answer, but after spending 4 frustrating hours last night trying to solve this question and then getting the answer that I did from the CTO, I'm pretty much sold that there really is no "upgrade" options for jails.

Jordan's answer was basically "once you get a jail running you shouldn't really mess with it unless you have a specific problem. If you develop a problem then you deal with that problem, but you don't update just to update." He basically told me I was a fool for trying to update when I couldn't give specific reasons for an update to be necessary. :P

For me, redoing all of my jails is something around 30-40 hours worth of work. Not something I'm too thrilled to think about, so I think I'm going to take his advice on this. :)
 

makro

Cadet
Joined
Jan 11, 2015
Messages
2
Thanks. Well that's boring, good thing I upgraded before I set up my newest jail at least. I only have two old jails, so I'll think about migrating them when I somehow have extremely little to do.

He basically told me I was a fool for trying to update when I couldn't give specific reasons for an update to be necessary. :P

So much care for version number syndrome. :P
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I know. I'll probably update my jails when I have downtime and am bored. It just bothers me that it wouldn't be kept up to date. :P
 

JW0914

Guest
> I was just talking to the CTO of iXsystems about this in IRC 5 hours ago.
>
> The bottom line is that jails aren't designed to be update-able. There never has been and currently is no good mechanism to update the jails.
>
> ...Jordan's answer was basically "once you get a jail running you shouldn't really mess with it unless you have a specific problem. If you develop a problem then you deal with that problem, but you don't update just to update." He basically told me I was a fool for trying to update when I couldn't give specific reasons for an update to be necessary.

I have only a minute amount of experience thus far with FreeNAS and using jails, and due to only recently delving into UNIX-based systems, I still look at some things from a Windows-like perspective... does it not pose a network security risk to have a FreeBSD jail and not be able to update the virtual FreeBSD system? My question comes from wanting to use one of the FreeBSD jails to run strongSwan to create a VPN between the FreeNAS server and two remote locations.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> I have only a minute amount of experience thus far with FreeNAS and using jails, and due to only recently delving into UNIX-based systems, I still look at some things from a Windows-like perspective... does it not pose a network security risk to have a FreeBSD jail and not be able to update the virtual FreeBSD system? My question comes from wanting to use one of the FreeBSD jails to run strongSwan to create a VPN between the FreeNAS server and two remote locations.

Yes, there is definitely the possibility that it will pose a security risk. That's where you, and your level of experience, determines what you should and shouldn't do.

As I've said quite a bit in the forum and IRC, if you couldn't have set up the system yourself with FreeBSD and the CLI, you probably don't have the skillset to manage jails securely yourself. On a home LAN where ports won't be forwarded your risk is relatively low. But for a jail that is going to have a port forwarded for something like a VPN, you'd be crazy to do it IMO.

It's totally on you to take responsibility for the security of your server, for better or worse. So do it like you want it. It's your data and your LAN that may be compromised. :)
 

JW0914

Guest
Wouldn't using encryption and ssl certificates lower the risk substantially?

For example, I have my certificates set up with AES256, and certificates and keys were generated at 2048. I also set up a tls-auth key, and the accompanying options in the server and client conf files. Doesn't this guarantee that without the proper certificates and keys someone can't access the VPN?

I'd also assume (and these assumptions could very well be wrong) that I could set up something similar to a MAC filter within FreeBSD to further secure the VPN? I assume since 2048 keys are uncrackable (and will remain so for at least the next century if Moore's law is applied) that would be enough regardless... or am I thinking about this the wrong way?
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
> I was just talking to the CTO of iXsystems about this in IRC 5 hours ago.
>
> The bottom line is that jails aren't designed to be update-able. There never has been and currently is no good mechanism to update the jails.
>
> I've been toying with the same dilemma here at home. I'm about to upgrade from FreeNAS 9.2.1.9 to 9.3 and I wanted to update my jails (I have 10 or so). The only way to "update" the jails is to simply destroy the jail and recreate it from scratch with the new 9.3 template.
>
> I don't like this answer, but after spending 4 frustrating hours last night trying to solve this question and then getting the answer that I did from the CTO, I'm pretty much sold that there really is no "upgrade" options for jails.
>
> Jordan's answer was basically "once you get a jail running you shouldn't really mess with it unless you have a specific problem. If you develop a problem then you deal with that problem, but you don't update just to update." He basically told me I was a fool for trying to update when I couldn't give specific reasons for an update to be necessary. :p
>
> For me, redoing all of my jails is something around 30-40 hours worth of work. Not something I'm too thrilled to think about, so I think I'm going to take his advice on this. :)

I definitely don't like this answer either. Reinstalling everything and configuring them the way you have them working is surely a royal pain.

I've been wanting to upgrade my jails because they were created under FreeNAS (9.1 I think). These jails have a bug where the 'netstat' command does not work inside the jail, which appears to have been fixed under 9.3 STABLE, but I'm not looking forward (don't think I ever will) to migrating all those config files.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
> I definitely don't like this answer either. Reinstalling everything and configuring them the way you have them working is surely a royal pain.
>
> I've been wanting to upgrade my jails because they were created under FreeNAS (9.1 I think). These jails have a bug where the 'netstat' command does not work inside the jail, which appears to have been fixed under 9.3 STABLE, but I'm not looking forward (don't think I ever will) to migrating all those config files.

What you mean to say is "I don't know how to handle updating the jails myself". That's the real problem.

In all fairness, I don't know how to handle updating them myself. If you aren't a coder and you are compiling and troubleshooting the code when things break on upgrades, well, it's gonna be basically impossible to do. Knowledge is power.

Some of us in the world can do jail upgrades. Some of us have to create a new jail if we want to upgrade. If you fall into the latter and don't like it, then become a FreeBSD developer so you can join that elite group that can do the former. If you don't want to spend the next few years of your life on that, well, "that sounds like a you problem". You can't have everything in this world. Not everything in this world can be bought or made. Some requires knowledge and experience.

Now if you'll excuse me I'm going to go make a new jail for Plex. ;)
 

jkh

Guest
[I've deleted the personal observations in this thread - they only add heat, and no light, to the conversation]

Let me be clear, since I've been quoted multiple times in this thread: There is no mechanism for updating Jails in FreeNAS. It's just a tarball that gets extracted when the jail type is first created, and then it's also used as a template for all additional jails of the same type. You should not expose your jails to the internet, to say nothing of the FreeNAS box itself, without additional firewall controls in place. SSL and Certificates won't save you from the types of attacks people mount against Unix systems of all types - they look for services listening on open ports and then try to compromise those services by fuzzing their inputs and otherwise causing them to behave in ways unintended by the designers and then exploit that unexpected behavior, if possible.

Why is there no mechanism for updating jails? Because Jails were designed in a very simplistic fashion and "lifecycle management" was never part of the original design. Jails are not comprised of packages, so garbage-collecting old things won't work and you're also not able to upgrade in a controlled fashion, which is very important. Just splatting a new tarball on top of the old one wouldn't work: It would cause things to just accumulate, possibly in highly unpredictable and security-compromising ways, since nothing could ever be deleted. No migration or upgrade scripts could be run, either, since extracting a tarball won't cause that to happen, so things could be broken as a consequence.

That is all part of Package Management, which is how jails should be created in the future (as a collection of packages, just as FreeNAS is). That's a lot of work and a complete redesign of the current system, however, so it's not going to happen for 9.3. It's one of the goals for FreeNAS 10, along with the ability to run full-fledged VMs (using bhyve) instead of jails. For now, the best thing you can do is leave your jails alone once created, since if you don't know what you're doing at the CLI, you're only likely to break them (just like doing surgery on a person without any actual surgical or medical training). If you *have* the equivalent of medical training, of course, then Go For It since you know how to update individual components selectively and to audit the process carefully.
 

JW0914

Guest
> [I've deleted the personal observations in this thread - they only add heat, and no light, to the conversation]
>
> Let me be clear, since I've been quoted multiple times in this thread: There is no mechanism for updating Jails in FreeNAS. It's just a tarball that gets extracted when the jail type is first created, and then it's also used as a template for all additional jails of the same type. You should not expose your jails to the internet, to say nothing of the FreeNAS box itself, without additional firewall controls in place. SSL and Certificates won't save you from the types of attacks people mount against Unix systems of all types - they look for services listening on open ports and then try to compromise those services by fuzzing their inputs and otherwise causing them to behave in ways unintended by the designers and then exploit that unexpected behavior, if possible.
>
> Why is there no mechanism for updating jails? Because Jails were designed in a very simplistic fashion and "lifecycle management" was never part of the original design. Jails are not comprised of packages, so garbage-collecting old things won't work and you're also not able to upgrade in a controlled fashion, which is very important. Just splatting a new tarball on top of the old one wouldn't work: It would cause things to just accumulate, possibly in highly unpredictable and security-compromising ways, since nothing could ever be deleted. No migration or upgrade scripts could be run, either, since extracting a tarball won't cause that to happen, so things could be broken as a consequence.
>
> That is all part of Package Management, which is how jails should be created in the future (as a collection of packages, just as FreeNAS is). That's a lot of work and a complete redesign of the current system, however, so it's not going to happen for 9.3. It's one of the goals for FreeNAS 10, along with the ability to run full-fledged VMs (using bhyve) instead of jails. For now, the best thing you can do is leave your jails alone once created, since if you don't know what you're doing at the CLI, you're only likely to break them (just like doing surgery on a person without any actual surgical or medical training). If you *have* the equivalent of medical training, of course, then Go For It since you know how to update individual components selectively and to audit the process carefully.

Do you have advice on where I can learn what firewall controls should be put in place if the NAS server is going to be exposed to internet?
 

jkh

Guest
> Do you have advice on where I can learn what firewall controls should be put in place if the NAS server is going to be exposed to internet?

That depends entirely on the firewall, of course, and there are dozens of options. The pfSense firewall is always a good (and free) option if you have a suitable PC to devote to the purpose, or you can buy a small firewall product from any number of vendors. Whichever firewall you pick, if you make sure it supports VPN (OpenVPN being one good choice) then you can completely hide your NAS and other internal equipment behind the firewall and simply VPN in from outside when you need to reach your NAS - this is the best choice, and a far easier one than trying to selectively ACL specific ports or incoming IP addresses and being forced to keep that up to date as your environment and needs change.
 
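An added example, not from this thread or from pfSense's own configuration: the default-deny ruleset jkh's advice amounts to, written as a raw pf.conf for anyone running pf directly (pfSense is built on pf and expresses the same thing through its GUI). Interface names, the LAN subnet and the OpenVPN port are assumptions to adapt; the point is that the only inbound hole on the WAN side is the VPN endpoint, and the NAS and its jails are reached only through the tunnel.

```pf
# Added example, not from the thread: minimal default-deny edge firewall that
# exposes only an OpenVPN endpoint. Interface names, LAN subnet and the VPN
# port below are assumptions.
ext_if  = "em0"             # WAN side
int_if  = "em1"             # LAN side, where the NAS lives
vpn_if  = "tun0"            # OpenVPN tunnel interface
lan_net = "192.168.1.0/24"
vpn_port = "1194"

set skip on lo0
scrub in all

# Default deny: nothing from the Internet reaches the NAS or its jails.
# Logging the blocks is what tells you later who was probing.
block in log all
pass out quick keep state

# The single inbound service: the VPN endpoint on the firewall itself.
pass in quick on $ext_if proto udp from any to ($ext_if) port $vpn_port keep state

# LAN hosts and authenticated VPN clients may reach the LAN (and so the NAS).
pass in quick on $int_if from $lan_net to any keep state
pass in quick on $vpn_if to $lan_net keep state
```

Note what is deliberately absent: there is no port forward to the NAS or to any jail, so the age of a jail's sshd or OpenSSL only matters to someone who has already authenticated to the VPN.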

KenNashua

Explorer
Joined
Feb 24, 2012
Messages
62
In a similar vein, is there a "safe" way to go about the delete/reinstall? Can I utilize a zfs snapshot, backup my jail databases (plex, sabnzbd, etc.), delete and recreate the jails and should the process get borked in some way, revert the zfs snapshot to restore the jails to their previous working condition?
 
Joined
Apr 9, 2015
Messages
1,258
> In a similar vein, is there a "safe" way to go about the delete/reinstall? Can I utilize a zfs snapshot, backup my jail databases (plex, sabnzbd, etc.), delete and recreate the jails and should the process get borked in some way, revert the zfs snapshot to restore the jails to their previous working condition?


The easiest way to do this is create a new dataset in the GUI and then change the jail's configuration so that the Jail Root is the new location. If something messes up you can then switch the config back and the old jails are still there.
 
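An added example, not code from this thread or from FreeNAS, for the snapshot variant KenNashua asked about: snapshot everything under the Jail Root before the rebuild, and roll all of it back if the rebuild goes wrong. The dataset name and snapshot label are assumptions. The caveat worth knowing is that `zfs snapshot -r` is recursive but `zfs rollback` is not, so each jail's child dataset has to be rolled back individually.

```shell
#!/bin/sh
# Added example (not code from the thread): snapshot the jail datasets before
# destroying and recreating jails, and roll all of them back if the rebuild
# goes wrong. JAIL_DS (the dataset under the FreeNAS Jail Root) and the
# snapshot label are assumptions; adjust them to your pool. Caveat: "zfs
# rollback" is not recursive even though "zfs snapshot -r" is, so every
# jail's child dataset has to be rolled back one by one.
JAIL_DS=${JAIL_DS:-tank/jails}

# Snapshot name from a label and a timestamp, e.g. pre-rebuild-20150111-1530.
snap_name() {
    printf '%s-%s\n' "$1" "$2"
}

# Filter "zfs list -t snapshot -o name" output down to the snapshots that
# carry exactly the wanted name, so that an unrelated snapshot whose name
# merely starts the same way is never rolled back. Fixed-string suffix match.
select_snapshots() {
    awk -v s="@$1" 'substr($0, length($0) - length(s) + 1) == s'
}

# Take one recursive snapshot of the Jail Root and print its name.
snapshot_jails() {
    snap=$(snap_name pre-rebuild "$(date +%Y%m%d-%H%M)")
    zfs snapshot -r "${JAIL_DS}@${snap}"
    printf '%s\n' "$snap"
}

# Roll every dataset under the Jail Root back to the named snapshot.
# Stop the jails in the FreeNAS GUI first; rolling back a dataset a jail is
# running from pulls its files out from under it. "zfs rollback -r" here
# means "discard snapshots newer than this one", not "recurse".
rollback_jails() {
    zfs list -H -r -t snapshot -o name "$JAIL_DS" \
        | select_snapshots "$1" \
        | while read -r s; do
              zfs rollback -r "$s"
          done
}
```

Usage: `snap=$(snapshot_jails)` before touching anything, then rebuild; if it goes sideways, stop the jails and run `rollback_jails "$snap"`. Either this or the new-dataset approach in the previous post leaves the old jails intact; the snapshot route keeps them on the same Jail Root, the new-dataset route keeps them on the old one.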