Updating FreeBSD Servers

All four physical hosts run FreeBSD. Upgrade them in this order:

  1. mustafar
  2. hoth
  3. geonosis
  4. bane

This order matters: start with the least critical server so any issues are caught early.

OS Patches

SSH into the server and become root:

ssh mustafar
su -

Check for available updates:

freebsd-rustdate check-fetch

Fetch and install patches:

freebsd-rustdate fetch
freebsd-rustdate install

Packages

Review automatically installed packages – decide what to keep and what to remove:

pkg noauto

Then update and upgrade all packages:

pkg update
pkg upgrade

Before Rebooting

Before restarting, check who is currently connected:

root@mustafar:~ # sockstat -4
USER COMMAND      PID FD PROTO LOCAL ADDRESS         FOREIGN ADDRESS
root sshd-sessi 79454  7 tcp4  172.20.200.90:22      172.20.96.2:40808
root sshd-sessi 78971  7 tcp4  172.20.200.90:22      172.20.96.2:40808
root sshd       47125  7 tcp4  *:22                  *:*
root nfsd       34681  7 tcp4  *:2049                *:*
ntpd ntpd        3208 21 udp4  *:123                 *:*
ntpd ntpd        3208 22 udp4  172.20.200.90:123     *:*
ntpd ntpd        3208 25 udp4  127.0.0.1:123         *:*
??   ??            ?? ?? udp4  *:2049                *:*

If you need more detail on connections:

root@mustafar:~ # netstat -4
Active Internet connections
Proto     Recv-Q Send-Q Local Address          Foreign Address        (state)  
tcp4           0    108 mustafar.ssh           172.20.96.2.40808      ESTABLISHED
udp4           0      0 localhost.ntp          *.*
udp4           0      0 mustafar.ntp           *.*
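
The check above can be scripted. The following sh functions are an added example, not part of the original page: they read sockstat -4 output and report any remote peer that is not your own address. The function names and the NFS client 172.20.200.55 in the sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of the original page.
# Pre-reboot check: list remote peers from `sockstat -4` output that do not
# belong to the admin's own address, so a reboot does not cut off other users.

# Constructed sample input: rows from the sockstat output shown above, plus one
# made-up NFS client (172.20.200.55) to show a session that blocks the reboot.
sample_sockstat() {
    cat <<'EOF'
USER COMMAND      PID FD PROTO LOCAL ADDRESS         FOREIGN ADDRESS
root sshd-sessi 79454  7 tcp4  172.20.200.90:22      172.20.96.2:40808
root sshd-sessi 78971  7 tcp4  172.20.200.90:22      172.20.96.2:40808
root sshd       47125  7 tcp4  *:22                  *:*
root nfsd       34681  9 tcp4  172.20.200.90:2049    172.20.200.55:1001
root nfsd       34681  7 tcp4  *:2049                *:*
ntpd ntpd        3208 21 udp4  *:123                 *:*
??   ??            ?? ?? udp4  *:2049                *:*
EOF
}

# Read `sockstat -4` output on stdin and print "COMMAND LOCAL FOREIGN" once per
# socket that has a real remote peer. Listening sockets show "*:*" as the peer.
active_peers() {
    awk '$1 != "USER" && NF >= 7 && $7 != "*:*" { print $2, $6, $7 }' | sort -u
}

# Print peers whose address differs from the admin's own IP ($1).
# Exit status 0 if any such peer exists, 1 if only the admin is connected.
others_connected() {
    active_peers | awk -v own="$1" '
        { peer = $3; sub(/:[0-9]+$/, "", peer) }
        peer != own { print; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Demo on the sample. On a real host: sockstat -4 | others_connected <your-ip>
if sample_sockstat | others_connected 172.20.96.2; then
    echo "Other clients are connected; coordinate before rebooting."
else
    echo "Only your own session is connected."
fi
```

Pass your client address explicitly: after su - the SSH_CLIENT variable from the original login is no longer in the environment.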

When you've confirmed it's safe to reboot:

shutdown -r now

The -r flag tells the system to reboot.

Jails and VMs

Some servers have jails and VMs that need attention after reboot.

Jails (bane, geonosis)

Jails on bane and geonosis start automatically on boot.

VMs (bane)

VMs on bane need to be configured for auto-start. For example, to enable scontrol-01:

root@bane:~ # sysrc vm_list="scontrol-01"
root@bane:~ # cat /etc/rc.conf| grep vm_list
vm_list="scontrol-01" 

Confirm auto-start is enabled:

root@bane:~ # vm list
NAME          DATASTORE  LOADER  CPU  MEMORY  VNC  AUTO     STATE
mitte-dev-01  default    uefi    1    4G      -    No       Stopped
scontrol-01   default    uefi    2    4G      -    Yes [1]  Running (5469)

Updating Jails

In addition to the jails on bane and the other servers, we run a status page jail with UptimeKuma. This jail must outlive the others so that it can notify us when they become unstable. For that reason UptimeKuma runs on a remote FreeBSD server in Chicago called bespin (hosted on Vultr), in a jail called st-01.

What is specific about Bespin

Bespin is NOT pkg-base, meaning you cannot use pkg to update or upgrade the OS on the host itself.

By contrast, the jail st-01 (for status.abi.am) is pkg-base. The two are independent: a jail can be pkg-base even if its host is not, and vice versa.

pkg-base vs. NOT pkg-base

pkg-base means using pkg to update the base system. This is a relatively new practice in FreeBSD, available since 15.0. Before pkg-base, the OS was updated with freebsd-update (traditional) or freebsd-rustdate (newer alternative). See /etc/pkg/Base.conf for further information.

On bespin, /etc/pkg/FreeBSD.conf contains freebsd-base { …, enabled: no, … }, which means the host is not pkg-base.

Note, it is possible to migrate a non-pkg-base system to pkg-base. Look that up if needed.

Updating pkg-base Jails

Mount devfs inside the jail, then run pkg-static from the host against the jail's root:

mount -t devfs devfs </path/to/jail>/dev
pkg-static -c </path/to/jail> update && pkg-static -c </path/to/jail> upgrade

Updating NOT pkg-base Jails

You can use freebsd-update or freebsd-rustdate from the host, targeting the jail. Give freebsd-rustdate the path of the jail base with the -b flag and the path of the update tool's working directory with -w, then put the subcommand to execute at the end:

freebsd-rustdate -b /path/to/jail -w /path/to/jail/var/db/freebsd-update/ <subcommand>

More precisely, in our case we run:

freebsd-rustdate -b /usr/local/jails/<jailname> -w /usr/local/jails/<jailname>/var/db/freebsd-update/ check
freebsd-rustdate -b /usr/local/jails/<jailname> -w /usr/local/jails/<jailname>/var/db/freebsd-update/ fetch
freebsd-rustdate -b /usr/local/jails/<jailname> -w /usr/local/jails/<jailname>/var/db/freebsd-update/ install
