Date: Mon, 30 Sep 2024 11:50:08 +0000
From: "Dave Cottlehuber"
To: Pat
Cc: freebsd-questions
Subject: Re: Updating disconnected systems

On Fri, 27 Sep 2024, at 19:18, Pat wrote:
> I figure I can use Poudriere for packages, but that doesn't work for the
> core system as far as I can tell?

Yes this is also possible. Klara Systems released a tool, sync-be, to use
zfs boot environments and poudriere-image which works very nicely in
airgapped systems. It is a lot less complicated to set up and use than it
appears to be, probably is exactly what you want.

- servers configured with zfs boot environments
- poudriere-image (builds freebsd from sources and then builds packages)
- the resulting output is a new zfs boot environment, as a single tarball
- use https://github.com/KlaraSystems/sync-be to fetch and deploy it
- insert airgaps at appropriate points in the process

So a high-level upgrade process looks like:

- [net] update src & ports, and ports distfile tarballs
- [air] move them to your build machine
- `poudriere image -t zfs+send+be -j builder ...`
- [air] move the image file to the airgapped system
- install `/usr/local/bin/sync-be 13.4-RELEASE /etc/syncbe.conf < be202409301146.be.zfs`
- `bectl activate -t ...` and reboot

The boot env allows a trivial rollback in case of issues to the prior
boot env.

The syncbe.conf file takes a little bit of work to prepare, it's the
server-specific files and directories that should be shifted from the
current BE (root / dataset) into the new one. /etc/sshd/, /etc/hostid,
password files etc are common examples, and any custom stuff in
/usr/local/etc/ or similar depending on your circumstances.

A+
Dave
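
An added example, not part of the message above and not sync-be's own code: a digest check for the image file after it crosses the air gap and before it is piped into sync-be. The manifest format and the function names `be_digest`, `be_manifest_line` and `be_verify` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: integrity gate for a boot-environment image crossing an air gap.
# Assumed manifest format (written on the build host): "<sha256-hex>  <file name>"
# Assumes image file names contain no whitespace.

# Print the SHA-256 of a file with whichever tool the host has
# (sha256 on FreeBSD, sha256sum on a Linux staging host).
be_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Build host: emit one manifest line for the image.
be_manifest_line() {
    digest=$(be_digest "$1") || return 2
    printf '%s  %s\n' "$digest" "$(basename "$1")"
}

# Airgapped host: return 0 only if the image matches its manifest entry.
be_verify() {
    image=$1 manifest=$2
    [ -r "$image" ] && [ -r "$manifest" ] || { echo "missing input" >&2; return 2; }
    name=$(basename "$image")
    # Exact string match on the name field, so dots in names stay literal.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    [ -n "$expected" ] || { echo "$name: not listed in manifest" >&2; return 3; }
    actual=$(be_digest "$image") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "$name: digest mismatch, refusing to deploy" >&2
        return 1
    fi
    echo "$name: OK"
}

# Usage on the airgapped host (the manifest file name is a placeholder):
#   be_verify be202409301146.be.zfs be202409301146.sha256 &&
#     /usr/local/bin/sync-be 13.4-RELEASE /etc/syncbe.conf < be202409301146.be.zfs
```

A bare digest only proves the file is the one the build host produced if the manifest reaches the airgapped side by a separate path from the image, or is itself signed.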