One of the solutions I have found to the version issue is to build my own package repo. I build the packages the way I want, and then upload them to my own package repo (which is just another jail running thttpd). I also keep a jail running with the ports tree frozen at the versions I am using for production.
Add the following to /usr/local/etc/pkg.conf repos_dir: [ "/usr/local/etc/pkg/repos", "/etc/pkg", ] The tells pkg to look in your private repo first Then, create /usr/local/etc/pkg/repos/private.conf private: { url: "pkg+http://pkg.ssimicro.com/${ABI}/latest", enabled: true, signature_type: "PUBKEY", PUBKEY: "/usr/local/etc/pkg/repos/ssi.pub", mirror_type: "srv" } Note: you also need to create a public/private key pair for this using openssl. I don't recall the specifics though, but it looks like a pretty standard self-signed key/cert pair. The private key is stored on the repo and used to sign the packages when you add initialize the repo: pkg repo /home/pkg/repo/freebsd:10:x86:64/latest /home/pkg/repo.key Best, -Markham On 2016-02-21 6:13 PM, Aristedes Maniatis wrote: > I've been using FreeBSD jails (with ezjail) for many years and they work very > well. However I'm now reaching a critical mass (30+ jails) where I want to be > able to manage them in bulk more easily. > > In this environment, each jail runs just a single application, installed from > a package built using poudriere from a custom port. That package depends on > Java, so lots of other packages also get pulled in. That application gets new > versions roughly once every 4 weeks. The problems I have right now are: > > * FreeBSD's packaging system doesn't understand the concept of installing a > particular package version, so all my scripts will by default upgrade the > application to the current version even if I don't want to. I can't easily > install a new jail at an old version. > > * It is hard to reproduce the environment exactly, matching the application > to the same version of Java that was available at the time of deployment. > Again I'm fighting against the pkg system which always wants the latest > version. > > * For failover I want each jail reproduced exactly on another host, or at > least a snapshot which could be sent to another host within a few seconds. > The jails are quite small (< 500Mb). Most of that is just the openjdk pkg. > > > As I understand, ezjail doesn't support multiple base jails. If it did, then > I could simply install the application (and packages) to the base jail and > have versions of the base. Then by shutting down a jail, switching the base > to the new version and starting up, everything would upgrade easily. Even > better would be some concept of hierarchy with customer_jail sitting on top > of base_version_1.0 which in turn sits on top of base_jail. > > Would I need to abandon ezjail and be able to build all the above myself with > a combination of nullfs (basejail) and unionfs (intermediate versioned jail)? > Does unionfs now work with ZFS? > > > Alternatively I could simply use zfs clones to deploy a new version of the > application by destroying the whole jail and replacing it with a new one. I'd > need to then script (I use saltstack) deploying the 2-3 config files which > are different in each jail. > > > > Thoughts? What seems like a more robust long term approach to jail management? > > > Thanks > Ari > > >
signature.asc
Description: OpenPGP digital signature