Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New 'etcupdate' sub command #660

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

Rodrigo-NH
Copy link

@Rodrigo-NH Rodrigo-NH commented Jan 6, 2024

Hi.
Started testing bastille recently and faced problems when upgrading 13.2-RELEASE 'test' jail to 14.0-RELEASE. The jail could start but wasn't able to 'bastille console' into the jail. This helped me solving this problem: https://forums.freebsd.org/threads/bastille-upgrading-jail-from-13-2-to-14-0-fails.91234/

I understand that this is not bastille fault, intrinsically. By the other hand it's concerning. It's non trivial having ./etc in sync considering different use cases, security changes, features or any other mix of situations like the issue I had.

The idea of 'etcupdate' command is to achieve a minimal level of sanity of ./etc folder, while being 'conservative' in regard to user modifications/additions made there. Includes a dry-run option and logs a semi-detailed log output. It's possible to see what it does checking the attached logfile produced by:

"bastille etcupdate -D testjail 13.2-RELEASE 14.0-RELEASE" from untouched 13.2-RELEASE jail upgraded to 14.0-RELEASE.
The options of what FreeBSD versions to compare are explicit. That's, script will compare actual jail's ./etc files against the two any reference versions, distributed along 8 conditions executed serially.

I don't know if this type of approach would be considered bastille scope by project owners. It's something I had to do anyway (do something about) because I'm worried about actual conditions of my prod jails (accumulating updates since... can't even remember). I tried to test it as thoroughly as I could ATM and it looks OK. Tested with bastille with ZFS and without with same results.

Thanks!
etcupdate.log

usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
Copy link

@scoobybejesus scoobybejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this change is somewhat opinionated, to be opinionated is necessary for this feature. Perhaps options could be added later for edge cases, but these choices seem sane and like they will cover the majority of use cases.

I made some small suggestions so the logs read properly, and changing a variable name to make it more clear/accurate.

Overall, this looks like a great and welcome contribution to me.

usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
usr/local/share/bastille/etcupdate.sh Outdated Show resolved Hide resolved
TARGET="${1}"
COMPAREVERSION="${2}"
UPGRADEVERSION="${3}"
bastille_jail_base="${bastille_jailsdir}/${TARGET}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest changing bastille_jail_base to something like bastille_thin_jail because the former makes it sound like a "base" jail, which is what the release jails are in this context. The thin jail is the jail to be operated on.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

error_exit "See 'bastille stop ${TARGET}'."
fi

if [ ! -d "${bastille_jail_base}" ]; then

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest changing bastille_jail_base to something like bastille_thin_jail because the former makes it sound like a "base" jail, which is what the release jails are in this context. The thin jail is the jail to be operated on.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

usr/local/share/bastille/etcupdate.sh Show resolved Hide resolved
for sourcefile in ${filelistrelease}
do
dirpathnf=$(echo "${sourcefile}" | awk -F '/etc' '{print $NF}')
jailfile="${bastille_jail_base}/root/etc${dirpathnf}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest changing bastille_jail_base to something like bastille_thin_jail because the former makes it sound like a "base" jail, which is what the release jails are in this context. The thin jail is the jail to be operated on.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Although I agree with you, I named this variable following the same convention found in the codebase, for consistency. Perhaps best left as is until it (if) is reviewed as a whole? I can see pros and cons of both approaches. So.. umm.. I'm not sure.

bastille_jail_base="${bastille_jailsdir}/${NAME}/root/.bastille" ## dir

bastille_jail_base="${bastille_jailsdir}/${TARGET}" ## dir

@Rodrigo-NH
Copy link
Author

While this change is somewhat opinionated, to be opinionated is necessary for this feature.

That's how I see it too. Can be useful in many cases and doesn't hurt edge cases if it's run anyway (but not entirely sure on this). A generic option.
I really appreciate suggestions in regard to English as it's not my native language. Thanks!

@stafwag
Copy link

stafwag commented Jun 8, 2024

This PR might be related to: #704

Any idea when this PR can be merged? It'd be nice to have this feature implemented/documented as it allows to upgrade thin jails without manual interventions.

executeconditional "$cmd"
# Copy keeping permissions
fi
else

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At this point, there have been changes to the jail's /etc files compared to the currentbasefile, so there will be a diff for C5 or C6. Rather than have a list of diffs to revisit later (the conservative approach is to leave them alone), it would be great to have the option enter an interactive mode to approve/modify the diff here.

@scoobybejesus
Copy link

Another issue came to mind while trying to test this. In short, this process would be better if it could detect the version of /etc that the jail has and account for it.

For example, I created a jail with 13.0-RELEASE. It currently runs on 13.2-RELEASE, but I haven't done any etcupdate procedures; I've only changed the fstab to point to the new 13.2-RELEASE base jail. When I first ran this etcupdate command on it, I told it to go from 13.2-RELEASE to 14.1-RELEASE, but I should really be telling it to go from 13.0-RELEASE to 14.1-RELEASE.

But that's actually not the major issue I'm finding. Looking at the diff's comparing 13.0 to the files it said are different in my jail, I didn't change most of the files. Unfortunately, this method of performing an etcupdate is a bit too crude to pick up on patch changes.

For example, I didn't make changes to $JAIL/root/etc/rc.d/gssd or $JAIL/root/etc/devd/iwmbtfw.conf or the enormous /root/etc/ssh/moduli files, but this diff shows that my jail has different files than 13.0 or 13.2, so it's leaving these changes undone. This is the case for many files.

If this etcupdate could detect that these files are from a jail created with, for example 13.0-RELEASEp0, then there would be no diff for $jail vs currentbasefile, and it would cleanly be able to copy the new file. Instead, I have a diff in C5 of 45 files that is over 2,000 lines long (mostly due to the moduli file).

It would be a hassle to interactively approve patch after patch 45 times, but I'm inclined to say interactively approving patches would be preferable to the current state where it simply skips all these files because it thinks I have modified them.

@Rodrigo-NH
Copy link
Author

Yeah I agree that having to indicate the from version can be problematic. I was trying to think some approach to this fact by the time I wrote script. My conclusion was I'm not able to determine version automatically and reliably.

/etc/os-release is obsolete ( https://forums.freebsd.org/threads/determining-the-version-of-freebsd.31324/ )
/etc/motd is out of question for obvious reasons
Other reference I can't remember right now, but also unreliable accross historical versions
I thought about creating/mantaining a table referencing first line of /etc/ssh/moduli to correlate moduli versions/dates to specific freebsd versions but I'm not sure that would be reliable as well.

Or (rethoric question): If you inspect C4 condition, if most files are listed there this would be a good measure that you're comparing the right version? How reliable/unreliable is this manual comparison against trying to detect it automatically?

Ideas?

As for the interactive approach for me it sounds like a nice idea if added as user option (e.g. can opt for just doing it without asking)

@yaazkal yaazkal added the enhancement New feature or request label Jul 8, 2024
@jimbobmcgee
Copy link

Are you sure /etc/os-release is obsolete? I understood that the port sysutils/etc_os-release was obsoleted as of v13, but only because the /etc/os-release file is now included and updated in FreeBSD as standard.

(Registering interest, as I think this solves my old issue, #438, which was closed but had no real resolution...)

if [ ! -f "${newbasefile}" ]; then
C3=$((C3+1))
C3ct="$C3ct${jailfile}\n"
cmd="rm -rf ${jailfile}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Recommend -- between switches and file list; if someone happens to place a file called -x into /etc, rm would see this as an argument, not a file. e.g. rm -f -- ${jailfile}

If $jailfile is always a file (constrained by find -type f in L56), does it need to be recursive -r?

Possible issue with whitespace in filename, if filename is folded into eval'd command string? Since you are using eval "$@" in executeconditional, couldn't this simply be executeconditional rm -f -- "${jailfile}"

else
C4=$((C4+1))
C4ct="$C4ct${jailfile}\n"
cmd="cp -p ${newbasefile} ${jailfile}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As with above, could this be executeconditional cp -p -- "${newbasefile}" "${jailfile}"


C1_C6_conditions() {
filelistjail=$(find "${jail_etc}" -mindepth 1 -type f)
for jailfile in ${filelistjail}
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pattern of for X in $(find...) is risky if filenames contain whitespace or control chars, but the "usual" mechanisms to sanely deal with arbitrary filenames are typically bash-specific (e.g. find ... -print0 | while IFS= read -r -d''; do ... done).

Generally, in POSIX shells, the only supported way (I know of) is to find -exec sh -c '...' + or find -print0 | xargs -0 sh -c '...', which would introduce a subshell and affect availability/scope of your variables.

Perhaps, this may be better written as...

search_jail_etc_dir () {
  [ -n "$1" ] || return 1
  [ -d "$1" ] || return 1

  for jailfile in "${1}"/*; do
    if [ -d "${jailfile}" ]; then
      search_jail_etc_dir "${jailfile}"
    else
      process_jail_etc_file "${jailfile}"
    fi
  done
}

process_jail_etc_file () {
  ...
}

search_jail_etc_dir "${jail_etc}"

This should ensure that filenames are properly quoted, so even if they contain garbage, they will still be handled correctly.

txtvar=""
txtname=""
for x in 1 2 3 4 5 6 7 8; do
eval txtvar="\$"C$x
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you are trying to loop over the passed function arguments here, i.e. $1, $2, etc...

Consider refactoring into a while [ -n "$1" ]; do ... shift; done -- then you can always use $1 and have no limitation on the number of arguments passed:

format_output_summary () {
  printf 'SUMMARY:\n'
  while [ -n "$1" ]; do
    printf '%s = %s\n' "$1" "$2"
    shift; shift
  done
}

format_output_details () { : ... ; } #...todo

format_output () {
  format_output_summary "$C1txt" "$C1" "$C2txt" "$C2" "$C3txt" "$C3" "$C4txt" "$C4" #...etc
  format_output_details "$C1ct" "$C1txt" "$C2ct" "$C2txt" "$C3ct" "$C3txt" "$C4ct" "$C4txt" #...etc
}

jailpath="${bastille_jail_base}/root/etc${dirpathnf}"
if [ ! -d "${jailpath}" ]; then
C7=$((C7+1))
cmd="mkdir ${jailpath}"
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As with above, could this be executeconditional mkdir -p -- "${jailpath}"
(the -p would make any missing intermediate parent dirs; omit it if you don't want this)

cmd="mkdir ${jailpath}"
executeconditional "$cmd"
dirperm=$(stat -f "%Mp%Lp" "${dirpath}")
cmd="chmod ${dirperm} ${jailpath}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As with above, could this be executeconditional chmod "${dirperm}" -- "${jailpath}"

jailfile="${bastille_jail_base}/root/etc${dirpathnf}"
if [ ! -f "${jailfile}" ]; then
C8=$((C8+1))
cmd="cp -p ${sourcefile} ${jailfile}"

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As with above, could this be executeconditional cp -p -- "${sourcefile}" "${jailfile}"

fi
}

C1_C6_conditions() {
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, the C1-C8 naming convention makes it difficult to read what is going on, which might make for maintenance difficulty. Perhaps prefer functions and variables that actually describe the operation, rather than the opaque, e.g. user_added (I think that's C1), upgrade_added (C2?), for readability.

if [ ! -f "${currentbasefile}" ]; then
if [ ! -f "${newbasefile}" ]; then
C1=$((C1+1))
C1ct="$C1ct${jailfile}\n"
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even considering the readability of C1 (as above), the suffix ct does not make sense. I believe this is a file list, built up for display purposes, but ct could easily be taken to mean count.

Perhaps $user_added_list and $user_added_count would make it more explicit?

fi

if [ -f "${currentbasefile}" ]; then
diffr=$(diff -u "${jailfile}" "${currentbasefile}")
Copy link

@jimbobmcgee jimbobmcgee Jul 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the output of diff -u is important, consider using temp files to capture it rather than variables. Variables can have whitespace folding and length issues, which might lead to unexpected corruption.

Also, if diff3 is available (i.e. if command -v diff3 >/dev/null 1>&2; then ... fi), perhaps use a threeway diff to generate auto-updated files, e.g. diff3 -A "${newbasefile}" "${currentbasefile}" "${jailfile}" (I think that's the right way around for those file args; it may also/alternatively need -m). This should be able to better differentiate between changes that were made by the end-user and changes that were introduced by the update. I think this is what freebsd-update does for the "normal" install/upgrade procedure, and it might be good to do something similar here.

Perhaps use diffdir="$(mktemp -d -t "${TMPDIR:-/tmp}/etcupdate.XXXXXX")" to make a temporary directory, then write your diffs into the temp dir. Let the end-user decide whether to use your version or the existing version, then move the desired version out of the directory into the correct place. Use trap "[ -d '${diffdir}' ] && rm -rf -- '${diffdir}'" EXIT INT TERM to clean up all unused temp files at the end of the run.

Also, perhaps allow end-user to invoke vi (or "${VISUAL:-${EDITOR:-vi}}" for style points) on the updated file, so they can make manual edits to each file prior to acceptance. Especially, if doing in-place diffs with diff3, you can use the exit code to determine if a diff conflict has happened ([ "$?" -eq 1 ]), and prompt them to manually resolve.

@tschettervictor
Copy link
Contributor

Wondering if one could simply replace those files with the files from the upgraded release...?

@jimbobmcgee
Copy link

Wondering if one could simply replace those files with the files from the upgraded release...?

You can if you haven't made any changes to them between the two releases, but configuration/personalisation of a system usually requires that you edit these a lot.

The point of an ideal etcupdate process is to identify the differences that you have made to those files and fold in the changes that have been introduced as part of the upgrade, while keeping as much of your customization as possible.

@tschettervictor
Copy link
Contributor

Good point.

But isn't it best practice to stay out of there? And make any customizations inside /usr/local/etc instead?

@jimbobmcgee
Copy link

jimbobmcgee commented Dec 16, 2024

Good point.

But isn't it best practice to stay out of there? And make any customizations inside /usr/local/etc instead?

In a perfect world, yes. In practice, you are probably getting hung up on /etc (the location) vs the principal of merging your changes with upstream changes.

Or... resolv.conf cares not for your /usr/local/etc.

@tschettervictor
Copy link
Contributor

And how is this PR working for you so far? Is it functional?

@jimbobmcgee
Copy link

And how is this PR working for you so far? Is it functional?

Can't honestly say at this point. Lack of support for etcupdate (i.e. the FreeBSD function) was a blocker for me implementing Bastille, back in 2021. I remain interested, but am not in a position to test.

Gut feel when I offered up my review comments was that the PR itself might not be ready for prime time, yet.

@scoobybejesus
Copy link

I don't know if this PR has risen to the level of something that should be added. Perhaps with some polish, it would. But I like it a lot, in certain circumstances. Consider this workflow:

  1. FreeBSD 14.1-RELEASE (p0) is released
  2. I run bastille bootstrap 14.1-RELEASE
  3. I run bastille create my_jail 14.1-RELEASE 10.0.10.10
  4. FreeBSD 14.1-RELEASE{p1,p2,etc} are released, and I do not run bastille upgrade 14.1-RELEASE
  5. FreeBSD 14.2-RELEASE (p0) is released
  6. I run bastille bootstrap 14.2-RELEASE
  7. I bastille stop my_jail, edit my_jail/fstab to point to 14.2-RELEASE
  8. I run bastille etcupdate -D my_jail
  9. Finally, I run bastille etcupdate my_jail
  10. After bastille start my_jail, it's running 14.2-RELEASE with an updated /etc

In Step 8, it identifies (in what is called C5) several files I have previously updated that it will not touch. Perhaps I'd like the option to do a three-way merge on those items. Otherwise, etcupdate seems to do exactly what I want it to, and now my_jail is fully up to date.

Note: this was a smooth, ideal process because I did not upgrade the point releases. I knew that my_jail was created with p0, and etcupdate had a p0 release to reference when doing its diff'ing.

For now, I'm content to not have point release upgrades for my thin jails, because in exchange I am able to completely* upgrade when a new release is available.

* Well, everything will be done automatically except the items in C5.

I'll continue to manually patch in this script. Hopefully someone comes up with an elegant way to handle point releases (or comes up with a way to upgrade from any given stale /etc).

@tschettervictor
Copy link
Contributor

tschettervictor commented Dec 17, 2024

Are you aware that there is a command in freebsd called etcupdate?
https://github.com/DtxdF/AppJail/blob/3af9acb8652b108eb33018e11b575d252192b714/share/appjail/cmd/etcupdate#L209

This is how Appjail does it.

https://github.com/DtxdF/AppJail/blob/3af9acb8652b108eb33018e11b575d252192b714/share/appjail/cmd/etcupdate#L209

root@webmin:~ # etcupdate help
usage: etcupdate [-npBFN] [-d workdir] [-r | -s source | -t tarball]
                 [-A patterns] [-D destdir] [-I patterns] [-L logfile]
                 [-M options] [-m make]
       etcupdate build [-BN] [-d workdir] [-s source] [-L logfile] [-M options]
                 [-m make] <tarball>
       etcupdate diff [-d workdir] [-D destdir] [-I patterns] [-L logfile]
       etcupdate extract [-BN] [-d workdir] [-s source | -t tarball]
                 [-D destdir] [-L logfile] [-M options] [-m make]
       etcupdate resolve [-p] [-d workdir] [-D destdir] [-L logfile]
       etcupdate revert [-d workdir] [-D destdir] [-L logfile] file ...
       etcupdate status [-d workdir] [-D destdir]

We could simply integrate this into a bastille command as Appjail does.

@tschettervictor
Copy link
Contributor

Would it not be better to have the etcupdate command simply use the etcupdate that is built in.
I just followed these four steps outlined #631 (comment) and it seemed to work fine.

A better structure IMO would be to allow the etcupdate command to bootstrap a RELEASE, which would clone the RELEASE source and build an etcupdate tarball.
Then one could run etcupdate jailname 14.0-RELEASE which will use the created tarball to compare the jails /etc with.

@tschettervictor
Copy link
Contributor

tschettervictor commented Dec 17, 2024

Consider this script i just spun up. It has no error checking currently, so be careful.
I did a dry run, output is below.

This will simply bootstrap and tar whichever RELEASE specified. This tarball can then be used with a simple etcupdate command to compare and merge any jail to.

Use -d for a dry run.

#!/bin/sh
#
# Copyright (c) 2018-2024, Christer Edwards <[email protected]>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
# * Neither the name of the copyright holder nor the names of its
#   contributors may be used to endorse or promote products derived from
#   this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

. /usr/local/share/bastille/common.sh
. /usr/local/etc/bastille/bastille.conf

usage() {
    error_exit "Usage: bastille etcupdate TARGET RELEASE"
}

# Handle special-case commands first.
case "$1" in
    help|-h|--help)
        usage
        ;;
    esac

bastille_root_check

bootstrap_etc_release() {
    local _rel="${1}"
    git clone --branch releng/"${_rel}" --depth 1 https://git.FreeBSD.org/src.git /usr/local/bastille/source/"${_rel}"
    etcupdate build -d /tmp/etcupdate -s /usr/local/bastille/source/"${_rel}" "${_rel}".tbz2
}

update_jail_etc() {
    local _jail="${1}"
    local _rel="${2}"
    if [ "${DRY_RUN}" -eq 1 ]; then
        etcupdate -n -D "${bastille_jailsdir}"/"${_jail}"/root -t /usr/local/bastille/source/"${_rel}".tbz2
    else
        etcupdate -D "${bastille_jailsdir}"/"${_jail}"/root -t /usr/local/bastille/source/"${_rel}".tbz2
    fi
}

while [ $# -gt 0 ]; do
    case "${1}" in
        -d|--dry-run|-D)
            DRY_RUN=1
            shift 1
            ;;
        bootstrap)
            bootstrap_etc_release "${2}"
            shift $#
            ;;
        update)
            update_jail_etc "${2}" "${3}"
            shift $#
            ;;
        *)
            usage
            ;;
    esac
done

root@webmin:/usr/src # bastille etcupdate bootstrap 14.0-RELEASE
Cloning into '/usr/local/bastille/source/14.0-RELEASE'...
remote: Enumerating objects: 100031, done.
remote: Counting objects: 100% (100031/100031), done.
remote: Compressing objects: 100% (85844/85844), done.
remote: Total 100031 (delta 21289), reused 38744 (delta 10438), pack-reused 0
Receiving objects: 100% (100031/100031), 316.86 MiB | 3.31 MiB/s, done.
Resolving deltas: 100% (21289/21289), done.
Updating files: 100% (96500/96500), done.
root@webmin:~ # bastille etcupdate -d update jail9 14.0-RELEASE
  D /etc/opieaccess
  D /etc/pam.d/telnetd
  D /etc/periodic/daily/330.news
  D /etc/portsnap.conf
  D /etc/rc.d/addswap
  D /etc/rc.d/archdep
  D /etc/rc.d/othermta
  D /etc/rc.d/sppp
  D /etc/rc.sendmail
  U /.cshrc
  U /.profile
  U /COPYRIGHT
  U /etc/auto_master
  U /etc/autofs/include_ldap
  U /etc/autofs/include_nis
  U /etc/autofs/include_nis_nullfs
  U /etc/autofs/special_hosts
  U /etc/autofs/special_media
  U /etc/autofs/special_noauto
  U /etc/autofs/special_null
  U /etc/blacklistd.conf
  U /etc/bluetooth/hcsecd.conf
  U /etc/bluetooth/hosts
  U /etc/bluetooth/protocols
  U /etc/cron.d/at
  M /etc/crontab
  U /etc/csh.cshrc
  U /etc/csh.login
  U /etc/csh.logout
  U /etc/ddb.conf
  U /etc/defaults/bluetooth.device.conf
  U /etc/defaults/devfs.rules
  U /etc/defaults/periodic.conf
  U /etc/defaults/rc.conf
  U /etc/devd.conf
  U /etc/devd/asus.conf
  U /etc/devd/devmatch.conf
  U /etc/devd/hyperv.conf
  U /etc/devd/iwmbtfw.conf
  U /etc/devd/uath.conf
  U /etc/devd/ulpt.conf
  U /etc/devd/zfs.conf
  U /etc/devfs.conf
  U /etc/dhclient.conf
  U /etc/disktab
  U /etc/dma/dma.conf
  U /etc/fbtab
  U /etc/freebsd-update.conf
  U /etc/ftpusers
  U /etc/gettytab
  U /etc/group
  U /etc/gss/mech
  U /etc/gss/qop
  U /etc/hosts
  U /etc/hosts.allow
  U /etc/hosts.equiv
  U /etc/hosts.lpd
  U /etc/inetd.conf
  U /etc/kyua/kyua.conf
  U /etc/libalias.conf
  U /etc/libmap.conf
  U /etc/locate.rc
  U /etc/login.access
  U /etc/login.conf
  U /etc/mac.conf
  U /etc/mail/Makefile
  U /etc/mail/README
  U /etc/mail/access.sample
  U /etc/mail/aliases
  U /etc/mail/freebsd.cf
  U /etc/mail/freebsd.mc
  U /etc/mail/freebsd.submit.cf
  U /etc/mail/freebsd.submit.mc
  U /etc/mail/helpfile
  U /etc/mail/mailer.conf
  U /etc/mail/mailertable.sample
  U /etc/mail/sendmail.cf
  U /etc/mail/submit.cf
  U /etc/mail/virtusertable.sample
  U /etc/master.passwd
  U /etc/motd.template
  U /etc/mtree/BSD.debug.dist
  U /etc/mtree/BSD.include.dist
  U /etc/mtree/BSD.lib32.dist
  U /etc/mtree/BSD.root.dist
  U /etc/mtree/BSD.sendmail.dist
  U /etc/mtree/BSD.tests.dist
  U /etc/mtree/BSD.usr.dist
  U /etc/mtree/BSD.var.dist
  U /etc/netconfig
  U /etc/netstart
  U /etc/network.subr
  U /etc/networks
  U /etc/newsyslog.conf
  U /etc/newsyslog.conf.d/ftp.conf
  U /etc/newsyslog.conf.d/lpr.conf
  U /etc/newsyslog.conf.d/opensm.conf
  U /etc/newsyslog.conf.d/pf.conf
  U /etc/newsyslog.conf.d/ppp.conf
  U /etc/newsyslog.conf.d/sendmail.conf
  U /etc/nscd.conf
  U /etc/nsmb.conf
  U /etc/nsswitch.conf
  U /etc/ntp.conf
  U /etc/pam.d/README
  U /etc/pam.d/atrun
  U /etc/pam.d/cron
  U /etc/pam.d/ftp
  U /etc/pam.d/ftpd
  U /etc/pam.d/imap
  U /etc/pam.d/login
  U /etc/pam.d/other
  U /etc/pam.d/passwd
  U /etc/pam.d/pop3
  U /etc/pam.d/sshd
  U /etc/pam.d/su
  U /etc/pam.d/system
  U /etc/pam.d/xdm
  U /etc/pccard_ether
  U /etc/periodic/daily/100.clean-disks
  U /etc/periodic/daily/110.clean-tmps
  U /etc/periodic/daily/120.clean-preserve
  U /etc/periodic/daily/130.clean-msgs
  U /etc/periodic/daily/140.clean-rwho
  U /etc/periodic/daily/150.clean-hoststat
  U /etc/periodic/daily/200.backup-passwd
  U /etc/periodic/daily/210.backup-aliases
  U /etc/periodic/daily/221.backup-gpart
  U /etc/periodic/daily/222.backup-gmirror
  U /etc/periodic/daily/223.backup-zfs
  U /etc/periodic/daily/300.calendar
  U /etc/periodic/daily/310.accounting
  U /etc/periodic/daily/400.status-disks
  U /etc/periodic/daily/401.status-graid
  U /etc/periodic/daily/404.status-zfs
  U /etc/periodic/daily/406.status-gmirror
  U /etc/periodic/daily/407.status-graid3
  U /etc/periodic/daily/408.status-gstripe
  U /etc/periodic/daily/409.status-gconcat
  U /etc/periodic/daily/410.status-mfi
  U /etc/periodic/daily/420.status-network
  U /etc/periodic/daily/430.status-uptime
  U /etc/periodic/daily/440.status-mailq
  U /etc/periodic/daily/450.status-security
  U /etc/periodic/daily/460.status-mail-rejects
  U /etc/periodic/daily/480.leapfile-ntpd
  U /etc/periodic/daily/480.status-ntpd
  U /etc/periodic/daily/500.queuerun
  U /etc/periodic/daily/510.status-world-kernel
  U /etc/periodic/daily/800.scrub-zfs
  U /etc/periodic/daily/999.local
  U /etc/periodic/monthly/200.accounting
  U /etc/periodic/monthly/450.status-security
  U /etc/periodic/monthly/999.local
  U /etc/periodic/security/100.chksetuid
  U /etc/periodic/security/110.neggrpperm
  U /etc/periodic/security/200.chkmounts
  U /etc/periodic/security/300.chkuid0
  U /etc/periodic/security/400.passwdless
  U /etc/periodic/security/410.logincheck
  U /etc/periodic/security/500.ipfwdenied
  U /etc/periodic/security/510.ipfdenied
  U /etc/periodic/security/520.pfdenied
  U /etc/periodic/security/550.ipfwlimit
  U /etc/periodic/security/610.ipf6denied
  U /etc/periodic/security/700.kernelmsg
  U /etc/periodic/security/800.loginfail
  U /etc/periodic/security/900.tcpwrap
  U /etc/periodic/security/security.functions
  U /etc/periodic/weekly/310.locate
  U /etc/periodic/weekly/320.whatis
  U /etc/periodic/weekly/340.noid
  U /etc/periodic/weekly/450.status-security
  U /etc/periodic/weekly/999.local
  U /etc/pf.os
  U /etc/phones
  U /etc/pkg/FreeBSD.conf
  U /etc/ppp/ppp.conf
  U /etc/printcap
  U /etc/profile
  U /etc/protocols
  U /etc/rc
  U /etc/rc.bsdextended
  U /etc/rc.d/DAEMON
  U /etc/rc.d/FILESYSTEMS
  U /etc/rc.d/LOGIN
  U /etc/rc.d/NETWORKING
  U /etc/rc.d/SERVERS
  U /etc/rc.d/accounting
  U /etc/rc.d/adjkerntz
  U /etc/rc.d/apm
  U /etc/rc.d/auditd
  U /etc/rc.d/auditdistd
  U /etc/rc.d/automount
  U /etc/rc.d/automountd
  U /etc/rc.d/autounmountd
  U /etc/rc.d/bgfsck
  U /etc/rc.d/blacklistd
  U /etc/rc.d/bluetooth
  U /etc/rc.d/bootparams
  U /etc/rc.d/bridge
  U /etc/rc.d/bsnmpd
  U /etc/rc.d/bthidd
  U /etc/rc.d/ccd
  U /etc/rc.d/cfumass
  U /etc/rc.d/cleanvar
  U /etc/rc.d/cleartmp
  U /etc/rc.d/cron
  U /etc/rc.d/ctld
  U /etc/rc.d/ddb
  U /etc/rc.d/defaultroute
  U /etc/rc.d/devd
  U /etc/rc.d/devfs
  U /etc/rc.d/devmatch
  U /etc/rc.d/dhclient
  U /etc/rc.d/dmesg
  U /etc/rc.d/dumpon
  U /etc/rc.d/fsck
  U /etc/rc.d/ftp-proxy
  U /etc/rc.d/ftpd
  U /etc/rc.d/gbde
  U /etc/rc.d/geli
  U /etc/rc.d/geli2
  U /etc/rc.d/gptboot
  U /etc/rc.d/growfs
  U /etc/rc.d/gssd
  U /etc/rc.d/hastd
  U /etc/rc.d/hcsecd
  U /etc/rc.d/hostapd
  U /etc/rc.d/hostid
  U /etc/rc.d/hostid_save
  U /etc/rc.d/hostname
  U /etc/rc.d/inetd
  U /etc/rc.d/iovctl
  U /etc/rc.d/ip6addrctl
  U /etc/rc.d/ipfilter
  U /etc/rc.d/ipfs
  U /etc/rc.d/ipfw
  U /etc/rc.d/ipfw_netflow
  U /etc/rc.d/ipmon
  U /etc/rc.d/ipnat
  U /etc/rc.d/ippool
  U /etc/rc.d/ipropd_master
  U /etc/rc.d/ipropd_slave
  U /etc/rc.d/ipsec
  U /etc/rc.d/iscsictl
  U /etc/rc.d/iscsid
  U /etc/rc.d/jail
  U /etc/rc.d/kadmind
  U /etc/rc.d/kdc
  U /etc/rc.d/keyserv
  U /etc/rc.d/kfd
  U /etc/rc.d/kld
  U /etc/rc.d/kldxref
  U /etc/rc.d/kpasswdd
  U /etc/rc.d/ldconfig
  U /etc/rc.d/linux
  U /etc/rc.d/local
  U /etc/rc.d/local_unbound
  U /etc/rc.d/localpkg
  U /etc/rc.d/lockd
  U /etc/rc.d/lpd
  U /etc/rc.d/mdconfig
  U /etc/rc.d/mdconfig2
  U /etc/rc.d/mixer
  U /etc/rc.d/motd
  U /etc/rc.d/mountcritlocal
  U /etc/rc.d/mountcritremote
  U /etc/rc.d/mountd
  U /etc/rc.d/mountlate
  U /etc/rc.d/moused
  U /etc/rc.d/msgs
  U /etc/rc.d/natd
  U /etc/rc.d/netif
  U /etc/rc.d/netoptions
  U /etc/rc.d/netwait
  U /etc/rc.d/newsyslog
  U /etc/rc.d/nfscbd
  U /etc/rc.d/nfsclient
  U /etc/rc.d/nfsd
  U /etc/rc.d/nfsuserd
  U /etc/rc.d/nisdomain
  U /etc/rc.d/nscd
  U /etc/rc.d/ntpd
  U /etc/rc.d/ntpdate
  U /etc/rc.d/opensm
  U /etc/rc.d/os-release
  U /etc/rc.d/pf
  U /etc/rc.d/pflog
  U /etc/rc.d/pfsync
  U /etc/rc.d/power_profile
  U /etc/rc.d/powerd
  U /etc/rc.d/ppp
  U /etc/rc.d/pppoed
  U /etc/rc.d/pwcheck
  U /etc/rc.d/quota
  U /etc/rc.d/random
  U /etc/rc.d/rarpd
  U /etc/rc.d/rctl
  U /etc/rc.d/resolv
  U /etc/rc.d/rfcomm_pppd_server
  U /etc/rc.d/root
  U /etc/rc.d/route6d
  U /etc/rc.d/routed
  U /etc/rc.d/routing
  U /etc/rc.d/rpcbind
  U /etc/rc.d/rtadvd
  U /etc/rc.d/rtsold
  U /etc/rc.d/rwho
  U /etc/rc.d/savecore
  U /etc/rc.d/sdpd
  U /etc/rc.d/securelevel
  U /etc/rc.d/sendmail
  U /etc/rc.d/serial
  U /etc/rc.d/sshd
  U /etc/rc.d/statd
  U /etc/rc.d/static_arp
  U /etc/rc.d/static_ndp
  U /etc/rc.d/stf
  U /etc/rc.d/swap
  U /etc/rc.d/swaplate
  U /etc/rc.d/syscons
  U /etc/rc.d/sysctl
  U /etc/rc.d/sysctl_lastload
  U /etc/rc.d/syslogd
  U /etc/rc.d/sysvipc
  U /etc/rc.d/tlsclntd
  U /etc/rc.d/tlsservd
  U /etc/rc.d/tmp
  U /etc/rc.d/ubthidhci
  U /etc/rc.d/ugidfw
  U /etc/rc.d/utx
  U /etc/rc.d/var
  U /etc/rc.d/virecover
  U /etc/rc.d/watchdogd
  U /etc/rc.d/wpa_supplicant
  U /etc/rc.d/ypbind
  U /etc/rc.d/ypldap
  U /etc/rc.d/yppasswdd
  U /etc/rc.d/ypserv
  U /etc/rc.d/ypset
  U /etc/rc.d/ypupdated
  U /etc/rc.d/ypxfrd
  U /etc/rc.d/zfs
  U /etc/rc.d/zfsbe
  U /etc/rc.d/zfsd
  U /etc/rc.d/zpool
  U /etc/rc.d/zvol
  U /etc/rc.firewall
  U /etc/rc.initdiskless
  U /etc/rc.resume
  U /etc/rc.shutdown
  U /etc/rc.subr
  U /etc/rc.suspend
  U /etc/regdomain.xml
  U /etc/remote
  U /etc/rpc
  U /etc/services
  U /etc/shells
  U /etc/snmpd.config
  U /etc/ssh/moduli
  U /etc/ssh/ssh_config
  U /etc/ssh/sshd_config
  U /etc/ssl/openssl.cnf
  U /etc/sysctl.conf
  U /etc/syslog.conf
  U /etc/syslog.d/ftp.conf
  U /etc/syslog.d/lpr.conf
  U /etc/syslog.d/ppp.conf
  U /etc/termcap.small
  U /etc/ttys
  U /root/.cshrc
  U /root/.k5login
  U /root/.login
  U /root/.profile
  U /root/.shrc
  A /etc/devd/bluetooth.conf
  A /etc/devd/dhclient.conf
  A /etc/devd/moused.conf
  A /etc/devd/power_profile.conf
  A /etc/devd/syscons.conf
  A /etc/rc.d/dnctl
  A /etc/rc.d/ggated
  A /etc/rc.d/growfs_fstab
  A /etc/rc.d/var_run
  A /etc/rc.d/zpoolreguid
  A /etc/rc.d/zpoolupgrade
Warnings:
  Removed file changed: /boot/device.hints
  Needs update: /etc/mail/aliases.db (requires manual update via newaliases(1))
  Needs update: /etc/localtime (required manual update via tzsetup(8))
root@webmin:~ #

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants