[BUG] upgrade and update commands rely on broken semantics of freebsd-update which might lead to broken jails

[michael-o]

Describe the bug Both commands ugprade and update use freebsd-update(8) to update releases and thick jails. Unfortunately, they assume that freebsd-update will rebase all commands on top of the basedir passed, thus fully isolate all operations. It does not. The command is broken in this regard.

See:

• https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=276094
• https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253989
• https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235318

It pollutes the jailhost and uses potentially wrong config.

Sources:

• https://github.com/BastilleBSD/bastille/blob/master/usr/local/share/bastille/upgrade.sh
• https://github.com/BastilleBSD/bastille/blob/master/usr/local/share/bastille/update.sh

Bastille and FreeBSD version (paste bastille -v && freebsd-version -kru output) 0.10.20231013 13.2-STABLE 13.2-STABLE 13.2-STABLE

How did you install bastille? (port/pkg/git) port

Expected behavior For release updates/upgrades:

• pass -f from the release root
• pass -d outside of release root, but independent of the jailhost, e.g., /var/db/bastille/releases/{release}/freebsd-update/

For thick jail updates/upgrades:

• pass -j to reduce params
• pass -f from the jail root
• pass -d from the jail root (thus the update dir will remain completely inside the jail)

Additional context Gladly, I have tested the upgrade in a separate host where the jails were shredded. I will refrain from using bastille update/upgrade for now. If desired, I can provide a PR for this.

[michael-o]

These worked for me instead:

• Thick jail upgrade:

  freebsd-update -j deblndw013x4v1j -d $(jls -j deblndw013x4v1j -h path | tail -1)/var/db/freebsd-update -f $(jls -j deblndw013x4v1j -h path | tail -1)/etc/freebsd-update.conf -r 13.2-RELEASE upgrade
  freebsd-update -j deblndw013x4v1j -d $(jls -j deblndw013x4v1j -h path | tail -1)/var/db/freebsd-update -f $(jls -j deblndw013x4v1j -h path | tail -1)/etc/freebsd-update.conf install

• Release update:

  mkdir -p /var/db/bastille/releases/13.2-RELEASE/freebsd-update
  freebsd-update -d /var/db/bastille/releases/13.2-RELEASE/freebsd-update -f /usr/local/bastille/releases/13.2-RELEASE/etc/freebsd-update.conf -b /usr/local/bastille/releases/13.2-RELEASE --currently-running 13.2-RELEASE fetch install

• Thick jail update:

  freebsd-update -j deblndw013x1j -d $(jls -j deblndw013x1j -h path | tail -1)/var/db/freebsd-update -f $(jls -j deblndw013x1j -h path | tail -1)/etc/freebsd-update.conf fetch install

[michael-o]

FTR: Poudriere properly isolates jail updates: https://github.com/freebsd/poudriere/blob/f2d23984f54b56cb8377302e2deb6ee357d725a2/src/share/poudriere/jail.sh#L293-L303

[michael-o]

Improvement upstream: https://reviews.freebsd.org/D43700

[michael-o]

Improvement upstream: https://reviews.freebsd.org/D43700

This has been merged upstream.