Jul 092021

This post was originally a few tweets. It’s not really about upgrading vulnerabilities in poudriere jails either. Read this as if each paragraph was a tweet.

When a FreeBSD security alert comes out, or a package is marked as vulnerable, I try to get that fixed as soon as I can. Even if not using the feature. Sometimes a vuln can be leverages against something you are using. Patch it.

When it comes to my poudriere jails, I don’t.

I forget about them. Yesterday I remembered. I updated them and you can see the timestamps in this screen shot.

poudriere jail -l

poudriere jail -l

When a poudriere bulk is run, if the jail has been updated since the last run, all packages get rebuilt. This is by design. I don’t know if you can bypass that.

This is what my build server looks like now:

ps auwwx | grep poudriere

ps auwwx | grep poudriere

That’s 82 jails running in this jail (known as pkg01). On the host itself, there are 6 other jails running on this Dell R720 (hardware details here).

The cronjob

The build is started from a cron job which starts at 0408 UTC:

[dan@pkg01:~] $ sudo crontab -l -u root
# use /bin/sh to run commands, overriding the default set by cron
# mail any output to `dan', no matter whose crontab this is

18  4 * * * /usr/bin/lockf -t 0 /tmp/.poudriere.build /root/bin/poudriere-builds.sh
[dan@pkg01:~] $ 


You might ask, why lockf?

What’s lockf you might ask?

Any time you have a script which should never run concurrently with itself, lockf can help. See also cron is running all jobs twice – solved.

The script

What’s that job do?


[dan@pkg01:~] $ cat /root/bin/poudriere-builds.sh

/root/bin/poudriere-refresh-trees           2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-refresh-trees.log
#/root/bin/poudriere-builds-121-amd64.sh    2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-121-amd64.log
#/root/bin/poudriere-builds-121-i386.sh     2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-121-i386.log
/root/bin/poudriere-builds-122-amd64.sh     2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-122-amd64.log
/root/bin/poudriere-builds-122-i386.sh      2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-122-i386.log
/root/bin/poudriere-builds-13-amd64.sh      2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-13-amd64.log
/root/bin/poudriere-builds-13-i386.sh       2>&1 >> /usr/local/poudriere/data/cronjob-logs/poudriere-builds-13-i386.log
[dan@pkg01:~] $ 

First, it refreshes the ports tree, all of them:

[dan@pkg01:~] $ cat /root/bin/poudriere-refresh-trees

. /root/bin/config.sh

# updates the ports trees
for tree in ${TREES}
  ${POUDRIERE} ports -u -p ${tree}
[dan@pkg01:~] $ 


What’s this config.sh eh?

[dan@pkg01:~] $ cat /root/bin/config.sh


TREES="default testing"


NEW_SIMPLE_SETS="master-list mysql57 mysql80 pg96 pg10 pg11 pg12 pg13 unifi"
[dan@pkg01:~] $ 

We’ll come back to those sets later

The ports trees

I don’t use the testing ports tree for building, but it is nice to get it updated from time to time.

These are the ports trees I have:

[dan@pkg01:~] $ poudriere ports -l
default   git       2021-07-09 04:18:05 /usr/local/poudriere/ports/default
dvl       null      2021-01-01 15:02:13 /usr/home/dan/ports/head
dvl-git   null      2021-04-07 15:15:02 /usr/home/dan/ports/ports
testing   git+https 2021-07-09 04:18:08 /usr/local/poudriere/ports/testing
[dan@pkg01:~] $ 

A build script

Let’s look at one of the build scripts:

[dan@pkg01:~] $ cat /root/bin/poudriere-builds-122-amd64.sh

. /root/bin/config.sh

for set in ${NEW_SIMPLE_SETS}
  ${POUDRIERE} bulk -j 122amd64 -p default -z ${set} -f /usr/local/etc/poudriere.d/buildlists/${set}
[dan@pkg01:~] $ 

This builds several sets of ports. The main list, used for general consumption is master-list. See NEW_SIMPLE_SETS in config.sh above.

The mysql57 mysql80 pg96 pg10 pg11 pg12 pg13 sets all correspond to various Bacula regression tests that run daily. Those sets ensure that each of the 7 jails (each of the same name as their corresponding poudriere set) get what they need and that the packages are built against the corresponding version of the database.

The unifi set is for the Unifi Controller which I run in a jail. The theory was: don’t build all that stuff with all the other stuff I use, since it’s Java etc. This might not be much of a time/space saver I thought it might be.

These builds have been running for 17 hours as I type this. That’s a lot of building. 7 sets, on four different architectures, that’s 28 builds. Each with between 150 and 980 packages. It can take a while.

This is what top looked like earlier:

top: 37 load avg, 46G free

top: 37 load avg, 46G free


This is the CPU usage. It tops out that 100% from time to time, but not all the time.

CPU usage

CPU usage

Power consumption

This graph covers the last 24 hours. The build is still going and it’s on its last set now.

The power consumption varies considerable and is directly related to CPU usage as shown above.

The idle PSU spinning up matching CPU

The idle PSU spinning up matching CPU

I have the server configured to let one power supply idle when not required.

The other CPU is pretty standard:

PSU which does not vary as much

PSU which does not vary as much

Disk I/O

The disk I/O is for the same period as above. Disk IO is not that high compared to non-build times.

disk I/O

disk I/O

EDIT: The next day – 2021.07.10

In comparison, the next days builds were completed by 04:51. Given they start at 04:18, that’s 33 minutes of building for 28 poudriere sets.

[dan@pkg01:/usr/local/poudriere/data/cronjob-logs] $ ls -l *.log
-rw-r--r--  1 root  wheel  28975 Jul 10 04:34 poudriere-builds-122-amd64.log
-rw-r--r--  1 root  wheel   2487 Jul 10 04:34 poudriere-builds-122-i386.log
-rw-r--r--  1 root  wheel  28708 Jul 10 04:51 poudriere-builds-13-amd64.log
-rw-r--r--  1 root  wheel   2420 Jul 10 04:51 poudriere-builds-13-i386.log
-rw-r--r--  1 root  wheel    120 Jul 10 04:18 poudriere-refresh-trees.log
[dan@pkg01:/usr/local/poudriere/data/cronjob-logs] $ 


This all came from me discovering that my builds were still running. Hope that helps.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive