Updating
Updating a service jail means provisioning a new one in its place. The procedures for doing so, per jail, follow.
After a FreeBSD security release, the base jail needs to be updated and a new snapshot with the patches applied created. After this step, all future provision operations are based on the newly updated base snapshot.
sudo sh
fetch https://raw.githubusercontent.com/msimerson/Mail-Toaster-6/master/mail-toaster.sh
. mail-toaster.sh
provision host
provision base
Then provision anew any jails affected by the security updates.
- provision host needs the jails to be stopped (service jail stop). It is often safe to skip provision host; see Changes. See also jailmanage.
- the reverse proxy (nginx or haproxy) no longer sends proxy_protocol
- remove instances of send-proxy-v2 from haproxy.conf and proxy_protocol from nginx/server.d/* files
- data: standardize dirs in /data file systems
- mt: stage_setup_tls populates /data/etc/tls
- dovecot: /data/etc/ssl -> /data/etc/tls
- haproxy: /data/ssl.d -> /data/etc/tls.d
- letsencrypt & webmail: acme document root /data -> /data/htdocs
- for details, see #595
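The two edits above (dropping send-proxy-v2 from haproxy server lines and proxy_protocol from the nginx server.d files) are easy to get half done, and a half-done edit leaves a web jail that times out. The script below is an added example, not part of the Mail-Toaster-6 scripts: it strips both settings in place with a .bak copy and then checks that no reference survives. The config lines in demo() are constructed for this example; the real files are /data/haproxy/etc/haproxy.conf and the nginx server.d/* files of each web jail. It assumes proxy_protocol only appears as a listen parameter or in a real_ip_header line, which is dropped because it is meaningless without the PROXY header.

```shell
#!/bin/sh
# Added example, not part of Mail-Toaster-6: strip the stale PROXY-protocol
# settings once the reverse proxy no longer sends them.
set -eu

# Drop the send-proxy-v2 option from haproxy "server" lines (in place, .bak kept).
strip_haproxy_proxy() {
    sed -i.bak -E \
        '/^[[:space:]]*server[[:space:]]/s/[[:space:]]+send-proxy-v2([[:space:]]|$)/\1/' "$1"
}

# Drop the proxy_protocol parameter from nginx "listen" directives and delete
# "real_ip_header proxy_protocol;" lines. Assumption: those are the only two
# places the provisioning scripts put it.
strip_nginx_proxy() {
    sed -i.bak -E \
        -e '/^[[:space:]]*real_ip_header[[:space:]]+proxy_protocol[[:space:]]*;/d' \
        -e '/^[[:space:]]*listen[[:space:]]/s/[[:space:]]+proxy_protocol([[:space:];]|$)/\1/' \
        "$1"
}

# Succeeds only when no PROXY-protocol reference remains in the given files.
proxy_refs_gone() {
    ! grep -E -q 'send-proxy-v2|proxy_protocol' "$@"
}

demo() {
    d=$(mktemp -d)
    # Constructed sample configs, shaped like the generated ones.
    cat > "$d/haproxy.conf" <<'EOF'
backend webmail
    server webmail 172.16.15.7:80 send-proxy-v2 check
    server roundcube 172.16.15.8:80 check send-proxy-v2
EOF
    cat > "$d/webmail.conf" <<'EOF'
server {
    listen 443 ssl proxy_protocol;
    real_ip_header proxy_protocol;
    set_real_ip_from 172.16.15.12;
}
EOF
    strip_haproxy_proxy "$d/haproxy.conf"
    strip_nginx_proxy "$d/webmail.conf"
    diff -u "$d/haproxy.conf.bak" "$d/haproxy.conf" || true
    diff -u "$d/webmail.conf.bak" "$d/webmail.conf" || true
    proxy_refs_gone "$d/haproxy.conf" "$d/webmail.conf" \
        && echo "clean: restart haproxy and the web jails"
    rm -rf "$d"
}

demo
```

Run the two strip functions against the real files, then restart haproxy and the affected web jails only after proxy_refs_gone succeeds; if it fails, grep for the leftover token, since a single remaining send-proxy-v2 against a backend that no longer expects it reproduces the timeout described further down this page.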
MySQL was optional prior to 2021. When a toaster was built without it, vpopmail used the CDB backend. Dovecot has since dropped support for vpopmail authentication; the workaround is Dovecot's SQL passdb driver, which requires vpopmail to be converted to the MySQL backend. Vpopmail includes the vconvert utility to do the migration. See #481 regarding domain aliases.
# zfs snapshot zroot/jails/mysql@`date '+%Y-%m-%d'`
# service jail stop mysql && zfs snapshot zroot/data/mysql@`date '+%Y-%m-%d'` && service jail start mysql
# jexec mysql
# mysql_upgrade
# mysqlcheck --all-databases --check-upgrade
# mysqldump --all-databases --triggers --routines --events > /root/all.sql
# service mysql-server stop
# pkg install -y mysql80-server mysql80-client
# service mysql-server start
If all has gone well, you'll have MySQL 8.0 running.
Prior to Oct 2023, the /data/mysql filesystem was the MySQL database directory itself, mounted within the mysql jail at /var/db/mysql. That left no room on the persistent data filesystem for other jail metadata, such as etc (config) files. To resolve this, the MySQL DB files need to be moved into a subdirectory. This must be done while MySQL is not running. The lightly tested process I've used looks like this:
# zfs snapshot zroot/data/mysql@`date '+%Y-%m-%d'`
# zfs snapshot zroot/jails/mysql@`date '+%Y-%m-%d'`
# jexec mysql mkdir /data
# service jail stop mysql
# cd /data/mysql
# mkdir db
# chown 88 db
# mv * db/
# vim /etc/jail.conf (see diff 👇)
# service jail start mysql
mysql {
ip4.addr = lo1|172.16.15.4;
ip6.addr = lo1|fd7a:e5cd:1fc1:afb5:dead:beef:cafe:0004;
- mount += "/data/mysql $path/var/db/mysql nullfs rw 0 0";
+ mount += "/data/mysql $path/data nullfs rw 0 0";
+ mount += "/data/mysql/db $path/var/db/mysql nullfs rw 0 0";
+ mount += "tmpfs $path/tmp tmpfs rw,mode=01777,noexec,nosuid 0 0";
}
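Review bot: the tmpfs line for $path/tmp is the one addition the datadir move does not explain, and the later sed that rewrites tmpdir to /tmp in extra.cnf depends on it; apply the two together, or leave tmpdir alone. The noexec,nosuid,mode=01777 flags are the right ones for a MySQL temp directory. Also note that the new $path/data mountpoint must exist inside the jail before it starts, which is what the jexec mysql mkdir /data step above is for.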
Test and confirm that the MySQL service is working correctly. Then update the config to access the db from the /data/db path.
jexec mysql
mkdir /data/etc && chown 88:88 /data/etc
cat /data/db/my.cnf | sed -e 's|/var/db/mysql|/data/db|' -e '/tmpdir/s|=.*|= /tmp|' > /data/etc/extra.cnf
sysrc mysql_dbdir="/data/db";
sysrc mysql_optfile="/data/etc/extra.cnf";
Make sure the file extra.cnf has the following three declarations in the [mysqld] section:
[mysqld]
datadir = /data/db
innodb_data_home_dir = /data/db
innodb_log_group_home_dir = /data/db
service jail restart mysql
After confirming again that MySQL is working, delete the two ZFS snapshots.
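The jail.conf and extra.cnf rewrites above are the two places where a typo leaves a jail that boots with an empty datadir. The script below is an added example, not part of Mail-Toaster-6: it applies the mount change from the diff, derives extra.cnf from the old my.cnf (the same two sed rules as above, plus adding the three declarations when the old file lacked them), and checks the result before the jail is started. The my.cnf and jail.conf in demo() are constructed; the real files are /etc/jail.conf on the host and /data/db/my.cnf inside the jail, and the host-side data directory is /data/mysql.

```shell
#!/bin/sh
# Added example, not part of Mail-Toaster-6: config rewrites and checks for
# moving the MySQL datadir from /data/mysql to /data/mysql/db.
set -eu

# Replace the single old nullfs mount with the three lines from the diff,
# keeping the original indentation. Running it twice makes no further change.
patch_jail_conf() {
    awk '
        index($0, "/data/mysql $path/var/db/mysql nullfs") {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
            print ind "mount += \"/data/mysql $path/data nullfs rw 0 0\";"
            print ind "mount += \"/data/mysql/db $path/var/db/mysql nullfs rw 0 0\";"
            print ind "mount += \"tmpfs $path/tmp tmpfs rw,mode=01777,noexec,nosuid 0 0\";"
            next
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Derive extra.cnf ($2) from the old my.cnf ($1): point every datadir path at
# /data/db, move tmpdir to the jail tmpfs, then add any of the three required
# declarations that the old file did not carry, under [mysqld].
make_extra_cnf() {
    sed -e 's|/var/db/mysql|/data/db|g' -e '/tmpdir/s|=.*|= /tmp|' "$1" > "$2"
    missing=""
    for key in datadir innodb_data_home_dir innodb_log_group_home_dir; do
        grep -qE "^[[:space:]]*$key[[:space:]]*=" "$2" || missing="$missing $key"
    done
    [ -n "$missing" ] || return 0
    awk -v keys="$missing" '
        BEGIN { n = split(keys, k, " ") }
        function emit(   i) { for (i = 1; i <= n; i++) print k[i] " = /data/db"; done = 1 }
        { print }
        /^\[mysqld\]/ { emit() }
        END { if (!done) { print "[mysqld]"; emit() } }' "$2" > "$2.new" && mv "$2.new" "$2"
}

# Checks to run before "service jail start mysql":
# $1 host-side data dir, $2 jail.conf, $3 extra.cnf.
check_layout() {
    [ -d "$1/db" ] || { echo "missing $1/db"; return 1; }
    grep -qF '/data/mysql/db $path/var/db/mysql' "$2" \
        || { echo "$2 lacks the db mount"; return 1; }
    for key in datadir innodb_data_home_dir innodb_log_group_home_dir; do
        grep -qE "^[[:space:]]*$key[[:space:]]*=[[:space:]]*/data/db[[:space:]]*$" "$3" \
            || { echo "$3: $key is not /data/db"; return 1; }
    done
}

demo() {
    d=$(mktemp -d)
    mkdir -p "$d/data/mysql/db"       # stands in for /data/mysql after the mv
    cat > "$d/jail.conf" <<'EOF'
mysql {
    ip4.addr = lo1|172.16.15.4;
    mount += "/data/mysql $path/var/db/mysql nullfs rw 0 0";
}
EOF
    cat > "$d/my.cnf" <<'EOF'
[mysqld]
datadir = /var/db/mysql
tmpdir = /var/db/mysql/tmp
EOF
    patch_jail_conf "$d/jail.conf"
    make_extra_cnf "$d/my.cnf" "$d/extra.cnf"
    cat "$d/jail.conf" "$d/extra.cnf"
    check_layout "$d/data/mysql" "$d/jail.conf" "$d/extra.cnf" && echo "layout OK"
    rm -rf "$d"
}

demo
```

On a real host, run patch_jail_conf against /etc/jail.conf after the mv step and before service jail start, and make_extra_cnf from inside the jail once the /data mount is up; check_layout is cheap enough to run again after the sysrc lines, right before the final restart, and before the two ZFS snapshots are deleted.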
- if 'dns' jail was provisioned before 11 Dec 2016, the data volume MUST be added to /etc/jail.conf.
- config directory moved from /usr/local/haraka to /data
- config directory moved to /data/dovecot/etc
- in 2021, vpopmail auth support was removed. This requires manually updating your dovecot config to switch to the SQL based authentication. Reference your locally installed files against the updated ones in the dovecot provisioning script. See also updating lastauth.
- older versions (pre 5.4.1 MT6 update) preserved clamav-unofficial-sigs.conf. That file no longer exists.
- newer versions instead have a user.conf file which is preserved now.
- so, manually copy local changes from clamav-unofficial-sigs.conf to user.conf
As of 2016-12-09, the webmail jail no longer has squirrelmail and roundcube installed within. Once webmail has been rebuilt, squirrelmail and roundcube will be broken until you build those new jails and rebuild the haproxy jail with the new config sections.
- haproxy rules need updating (rebuild haproxy)
- if squirrelmail had sqlite (default) storage, move data from webmail to squirrelmail data volume
mv /data/webmail/squirrelmail/* /data/squirrelmail/
- if roundcube had sqlite storage, move data from webmail to roundcube data volume
mv /data/webmail/roundcube/sqlite.db /data/roundcube/
- if roundcube or squirrelmail used mysql, their mysql perms need updating (see #221)
- the CLI commands are untested and approximations (based on memory) of what needs to be done.
When webmail jails with nginx are rebuilt, nginx is configured to expect PROXY protocol v2 requests. On older systems, proxy wasn't added in the haproxy config for those jails, so after those jails are re-provisioned the web service will time out. The solution is to edit /data/haproxy/etc/haproxy.conf and add send-proxy-v2 to the backend -> server line. This applies only to builds from before the change listed above that removed proxy_protocol from the reverse proxy (see #595); on current builds, send-proxy-v2 must instead be absent on both sides.
There is no courier-imap support in MT6. If you haven't yet converted to Dovecot, now is the time. Have a look at Migrating to Dovecot on the old wiki and issue #201