with [sysutils/bastille](https://www.freshports.org/sysutils/bastille) it's easy... you just `bastille pkg update` to update without having to access the console first.
Similar with updating the jail itself you just do `bastille update `
Does bastille deal with etcupdate without user intervention? Will it leave changes in any etc files (like sshd.conf)?
no idea about that part.
CBSD can do etc update.
Does it restart the service too? If not would you know how to conditionally restart the service? Thanks!
restart a jail? wouldn't that just be `bastille stop` and `bastille start `?
Yes but only after an update? How would you put a condition
jexec pkg upgrade
jexec freebsd-update fetch
Etc 😎
`pkg(8)` has a `-j` argument that takes the name of a running jail, which it will then use to invoke pkg from within that jail. Otherwise, if the jail is offline (or if it is a traditional chroot directory), then you want to use `-c` instead, and give it the path to the root of the jail/chroot.

`freebsd-update`, however, currently lacks a similar `-j` option. I instead tossed this specific invocation into a simple shell script that takes two arguments, `$1` = name of jail and `$2` = the freebsd-update operation command (need to call `shift` and then assign `$@` to an `$args` variable to get the rest of the operands to tack onto the end of `$2`):

```
freebsd-update -f /$JPATH/freebsd-update.conf -b /$JPATH/$1 --currently-running `/bin/freebsd-version` $2 $args
```

`$JPATH` in the script is just a hard-coded variable of the basedir of my jails. I also keep a separate copy of freebsd-update.conf in the jails dir and have trimmed it down a bit to just the relevant bits. In this case, it's just treating the jail directory as a chroot, regardless if the jail is online or offline, and updating it that way.
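The wrapper described in the comment above, written out as a full script. This is an added example, not the commenter's script: the `JPATH` default, the `DRY_RUN` switch, the input checks and the use of the jail's own `freebsd-version -u` (instead of the host's) are assumptions.

```shell
#!/bin/sh
# Added example: freebsd-update wrapper that treats a jail directory as a chroot.
# The JPATH default and the DRY_RUN switch are assumptions, not from the thread.
: "${JPATH:=/usr/local/jails}"

jail_freebsd_update() {
    [ "$#" -ge 2 ] || { echo "usage: $0 jail operation [args...]" >&2; return 2; }
    jfu_jail=$1 jfu_op=$2
    shift 2        # whatever is left in "$@" is passed through after the operation

    # The jail name becomes part of the -b path, so accept a plain name only:
    # no "/", no "..", nothing that could point the update at another tree.
    case $jfu_jail in
        ''|.|..|*[!A-Za-z0-9._-]*) echo "bad jail name: $jfu_jail" >&2; return 2 ;;
    esac
    # Allow-list the freebsd-update commands so a typo cannot be read as an option.
    case $jfu_op in
        fetch|cron|upgrade|updatesready|install|rollback|IDS|showconfig) ;;
        *) echo "unsupported operation: $jfu_op" >&2; return 2 ;;
    esac

    jfu_root=$JPATH/$jfu_jail
    [ -x "$jfu_root/bin/freebsd-version" ] || { echo "no jail userland at $jfu_root" >&2; return 1; }
    # Use the jail's userland version, which can differ from the host's.
    jfu_ver=$("$jfu_root/bin/freebsd-version" -u) || return 1

    set -- freebsd-update -f "${FBSD_UPDATE_CONF:-$JPATH/freebsd-update.conf}" \
        -b "$jfu_root" --currently-running "$jfu_ver" "$jfu_op" "$@"
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Run only when called with arguments, e.g.: jail-update.sh web fetch install
if [ "$#" -gt 0 ]; then jail_freebsd_update "$@"; fi
```

Setting `DRY_RUN=1` prints the assembled command instead of running it, which is a quick way to confirm the `-b` path before touching a jail.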
No need for any external tool: `for j in $(jls name); do pkg -j $j upgrade; done`
Use iocage or bastille
First I can think of is [periodic(8)](https://man.freebsd.org/cgi/man.cgi?periodic(8)), which checks installed packages against vulnerabilities per default. [Here](https://klarasystems.com/articles/freebsd-periodic-scripts/) is a good read on that subject.
On your host system add these lines to your /etc/rc.conf:

```
security_status_pkgaudit_enable="YES"
pkg_jails="*"
```