Upgrading iocage jails

[mpfusion]

Hi,

a while ago there has been a thread in the same spirit as this one, but with no result.

With freenas moving from warden to iocage I'm wondering if that will bring any changes to the jail upgrade mechanism. In the past jails weren't that easy to upgrade so it was often suggested to scrap and redo them.

The goal is to run a some services (nginx, postgresql, etc.) and I need to decide between a VM (which is easy to upgrade) or a jail.

Jailer writes that jails can't receive major upgrades. However, Steve Dickinson mentions it's possible.

So again: Is there an easy (and supported) way to continuously keep a jail (iocage) upgraded? CLI or GUI counts as long as it's supported. If that's not the case I'll rather set up the services in a VM.

If it is possible to upgrade the jail, what's the recommended way?

 

[nojohnny101]

In the past jails weren't that easy to upgrade so it was often suggested to scrap and redo them.

Sorry I don't have anything to directly answer you question about best way to upgrade and maintain iocage jails.

Your statement about the difficulty of upgrading warden based jails is not entirely true. There are obvious different ways warden jails could be setup (plugins, pkg, etc) and each one of those ways comes with its own challenges. I have all my warden based jails built through manually installs using pkg and they are very easy to upgrade. In fact I have a script that was written by a member on here that is I believe less than 5 lines that runs as a cron job and keeps all of my jails up to date. It simply runs the commands you can do yourself manually, namely "pkg upgrade" and "service jailname restart".

I havne't made the plunge to iocage yet but I hope it is as easy as it currently is with my warden based jails.

 

[garm]

If you continue reading the thread you linked you find two posts down from Jailer

http://iocage.readthedocs.io/en/latest/advanced-use.html

 

[Jailer]

If it is possible to upgrade the jail, what's the recommended way?

There's been enough questions about this that I may spin up an 11.0 install in a VM, create a 11.0 jail, update FreeNAS and then try upgrading the jail.

If someone else has already tried this before I put the time and effort please chime in.

 

[mpfusion]

Your statement about the difficulty of upgrading warden based jails is not entirely true. There are obvious different ways warden jails could be setup (plugins, pkg, etc) and each one of those ways comes with its own challenges. I have all my warden based jails built through manually installs using pkg and they are very easy to upgrade. In fact I have a script that was written by a member on here that is I believe less than 5 lines that runs as a cron job and keeps all of my jails up to date. It simply runs the commands you can do yourself manually, namely "pkg upgrade" and "service jailname restart".

There are several sources that state that jails can't/shouldn't be upgraded but instead redone from scratch:

https://forums.freenas.org/index.php?threads/update-jail-base-system.26610/#post-169030
https://forums.freenas.org/index.php?threads/upgrading-jails.25351/#post-159943
https://forums.freenas.org/index.php?threads/freenas-11-1-jail-rebuild-required.59311/#post-419835
https://forums.freenas.org/index.ph...to-eol-jails-in-freenas-11.59574/#post-422262

Does you upgrade prodedure work for package upgrades only or also for freebsd release upgrades?

 

[mpfusion]

If you continue reading the thread you linked you find two posts down from Jailer

http://iocage.readthedocs.io/en/latest/advanced-use.html

Yes, I'm aware there are iocage commands to upgrade a jail. But I found contradicting information if they'll work. Some folks claim they do and it's easy to upgrade. Others claim you can't upgrade a jail. That's why I'm asking again to get a definite answer.

Are you saying that issues these both commands are sufficient to keep a jail permanently up-to-date?

iocage update [UUID]
iocage upgrade -r [RELEASE] [UUID]


 

[garm]

Well I guess I don’t know what you mean with “permanently upgraded”, I won’t run jails of a different kernel then its FreeNAS host (unless for extraordinary circumstances). And I assume a FreeNAS upgrade will pull the iocage jails with it. We are in a messy situation at the moment with the Warden iocage mix, but that is passing.

 

[adrianwi]

I don't think the issue is specifically about updating the pkg contents within the jail on a regular basis, but more about the underlying FreeBSD version.

With warden jails, once the jail had been created you were stuck with whatever version of FreeBSD the template was based on. This isn't a problem initially, but over time this version of FreeBSD will reach EOL and thats where the problems start.

In my experience, at this point the only option is to recreated the jails using a more up to date template and then wait and repeat. I'm sure there were some previous threads suggesting this wouldn't be necessary with iocage as the version of FreeBSD the jails were built on could/would upgrade with FreeNAS.

If that's not the case, what's the big benefit of iocage over warden?

 

[mpfusion]

Well I guess I don’t know what you mean with “permanently upgraded”

Upgrade the packages inside the jail as well as the jail itself across freenas releases (a release is only supported for so long).

I won’t run jails of a different kernel then its FreeNAS host (unless for extraordinary circumstances).

AFAIK it it not possible to run jails of a different kernel as the jails don't have a kernel, they utilize the host's kernel.

And I assume a FreeNAS upgrade will pull the iocage jails with it.

What does that mean? That the jails are automatically upgraded? Really? If that's the case can someone please confirm?

 

[garm]

To upgrade the applications in a iocage jail you can do iocage pkg jailname update iocage pkg jailname upgrade according to the man page.

If you read the iocage man page (as I assumed you did before asking the question) you’ll find that iocage can handle a release upgrade. this makes me assume that FreeNAS updates will also pull jails along with it. Even if it doesn’t it’s easy to implement a GUI for manual release updates of jails when iocage has the commands for it built in.

Jails can have older releases, but share kernel with the host. I have warden jails with FreeBSD 11.0 on my FreeNAS 11.1 (like most people) that messes up pkg installs. I also have FreeBSD 11.1 jails managed by warden.
This is not something I expect to have to maintain on my own. I expect FreeNAS to deal with updates to jails.

 

[Chris Moore]

There's been enough questions about this that I may spin up an 11.0 install in a VM, create a 11.0 jail, update FreeNAS and then try upgrading the jail.

If someone else has already tried this before I put the time and effort please chime in.

What version of FreeNAS are you running?

Sent from my SAMSUNG-SGH-I537 using Tapatalk

 

[Jailer]

What version of FreeNAS are you running?

9.10.2-U6

 

[Chris Moore]

9.10.2-U6

It might be good, if you had the time, but I would suggest 11.1-U4. It has been really problem free for me.

Sent from my SAMSUNG-SGH-I537 using Tapatalk

 

[Jailer]

It might be good, if you had the time, but I would suggest 11.1-U4

But that misses the point completely. The object here is to see if an Iocage jail can upgrade the FreeBSD version after creation. If you start with 11.1 the jail will be either on a mismatched Kernel if you start with an 11.0 jail or an 11.1 jail which would not be up gradable at that point. The point of the exercise to replicate an upgrade path a user that created a jail on 11.0 would have to take.

Start with FreeNAS 11.0, create 11.0 jail. Upgrade FreeNAS 11.0 to 11.1 then attempt to upgrade jail to 11.1.

Might have some time this Friday or Saturday to try it.

 

[adrianwi]

I'd love to know a definitive answer on this. Is there a FreeBSD version change between FreeNAS 11.0 and 11.1?

 

[danb35]

Is there a FreeBSD version change between FreeNAS 11.0 and 11.1?

Yes, from 11.0 to 11.1.

 

[adrianwi]

That must be the first time since 9.3 that they are aligned ;)

 

[Jailer]

Well this turned out rather interesting and rather frustrating and ultimately confusing. First the frustrating part.

I started this all with a fresh install of 11.0-U4 with a minimal configuration of a pool , network settings and SSH enabled for a remote console. I figured I'd start on the latest 11.0 branch and create my 11.0 jail and get everything working and then update from there.

Getting a jail created with iocage with functioning networking is a huge pain in the rear. Granted I'm working in Virtualbox on my desktop for testing but it's never been this difficult in the past. Also a note with Virtualbox; if you are going to test FreeNAS you need to enable promiscuous mode on the network adapter or you will never get a connection no matter what you try. It took me several HOURS to get it right but I finally got it working.

The name switch in iocage doesn't work for me. No matter what combination I tried using the name command found here on the forum -n or according to the iocage docs --name it returned an error and would not continue. Unfortunately in my frustration I didn't write down the error. Anyway once I omitted the name switch and several attempts later I finally got a jail up and running with a connection to the outside world.

I checked the base FreeNAS and the jail with uname -a and they both returned FreeBSD 11.0. Interestingly I also checked with uname -KU and got a different output from the jail than I did from the mail system

jail

Code:

1100512 1100122

system

Code:

1100512 1100512

Everything seemed to be working ok and I installed a package in the jail just to check things and it installed without issue. Since everything seemed to be working fine I updated FreeNAS to the latest stable release (11.1-U4) and rebooted. This is where it gets confusing.

The update went fine and everyting seemed to be working as expected. I checked uname -a on FreeNAS and the out put looked good.

Code:

FreeBSD freenastest.local 11.1-STABLE FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018	 root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

Iocage list showed my jail as up and running so i switched to the jail and ran uname -a and got the following output:

Code:

FreeBSD b43f1b38-0677-40f3-a16a-a7d27c481385 11.1-STABLE FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018	 root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

WTH? According to that output the jail was upgraded along with the base system? I thought this was odd so I created a new jail and specified 11.0 as the release. It was created and running so I checked the new jail and got the output below:

Code:

FreeBSD test2 11.1-STABLE FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018	 root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

I'm not exactly sure what to think about all this. I thought I would answer some questions by trying this test and all it did is create more questions. Now I'm even more uncertain what to do with my existing jails on my 9.10.2-U6 system. FreeBSD 10.3 reaches EOL soon and I'm debating moving all my jailed services over to a FreeBSD box and managing them separate from my FreeNAS. To say I'm disappointed in the results of this test is an understatement. I love FreeNAS but it looks like jails are still a mess and my trust in the iocage jails system just isn't there.

 

[Jailer]

And just to add a little more to the wierdness. I went and rolled back to the initial 11.0-U4 install and created a Warden based jail from the old UI and then checked it. uname -a confirmed it is a FreeBSD 11.0 jail. I deleted the 11.1-U4 boot environment and ran the system update again to 11.1-U4. Once it completed and rebooted I checked the warden based jail again and it now shows FreeBSD 11.1 along with the iocage jails.

Warden jail

Code:

root@jail1:/ # uname -a
FreeBSD jail1 11.1-STABLE FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018	 root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

Iocage jail

Code:

root@test:/ # uname -a
FreeBSD test 11.1-STABLE FreeBSD 11.1-STABLE #2 r321665+366f54a78b2(freenas/11.1-stable): Wed Mar 21 23:04:13 UTC 2018	 root@gauntlet:/freenas-11-releng/freenas/_BE/objs/freenas-11-releng/freenas/_BE/os/sys/FreeNAS.amd64  amd64

I'm totally confused now........

 

[Jurgen Segaert]

Jails don't have a kernel, and the uname command gets its information from the kernel, so you'll get the same result in the host and the jail.

Try using the command freebsd-version instead.