Updating the host without updating jail (security)

Hey, this is a general FreeBSD system architecture question, but I hope this is the correct subforum.

Let's assume there is a security bug in the kernel and a new release was published.
When I update my host with freebsd-update to a new p2 release, followed by a reboot, I don't touch the jails; they stay on p1.

My assumption is that if the bug is in the kernel, the jail is getting the fix automatically, because a jail is just a copy of the kernel of the host system?

I am not really sure if I am right, because I know I can update my host system to a new major version, let's say 14, and the jail can still run under 13; that does not fit well with my assumption above.

Which of my statements is wrong?

Thank you very much!
 
Jails don't have a copy of the host kernel, they use it, even if the RELEASE version of the jail is inferior to the one of the host. This is why you can't have a RELEASE version of a jail superior to the one of the host.

Jails don't have a kernel.
 
Smart people will answer that question better than I can, but here is what I know: a jail doesn't have a kernel. If you enter the command freebsd-version -k it will show nothing good ;)
If I am not wrong, a jail has its own userland and set of directories and processes that make it work independently of the host.
EDIT: oops too slow ...
 
In general, you can run older jails on newer hosts.
But in case of huge version differences some applications may not work.
Especially the applications that communicate with the kernel.
These are: top, ps, netstat and many others.

Based on my experience, you may have some runtime issues if the difference of major version numbers is 2 or more.
(i.e. host=14.x, jail=12.x)
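
An added example, not part of any post in this thread: a small /bin/sh check that classifies a jail's userland against the host it runs on, following the rules stated in the replies above. The function names (`ver_field`, `classify_jail`) and the result labels are hypothetical; the jail patch level is compared with the host userland because the kernel's own patch level only changes when an update touches the kernel.

```sh
#!/bin/sh
# Added example: compare a jail's userland with the host it runs on.
# Version strings look like "14.0-RELEASE-p2" (freebsd-version output).

# ver_field STRING FIELD -> prints major, minor or patch as an integer
ver_field() {
    _v=$1
    _rest=${_v#*.}
    case $2 in
        major) echo "${_v%%.*}" ;;
        minor) echo "${_rest%%-*}" ;;
        patch) case $_v in
                   *-p[0-9]*) echo "${_v##*-p}" ;;
                   *)         echo 0 ;;
               esac ;;
    esac
}

# classify_jail HOST_KERNEL HOST_USERLAND JAIL_USERLAND (labels are hypothetical)
classify_jail() {
    hk_maj=$(ver_field "$1" major); hk_min=$(ver_field "$1" minor)
    j_maj=$(ver_field "$3" major);  j_min=$(ver_field "$3" minor)
    hu_rel="$(ver_field "$2" major).$(ver_field "$2" minor)"

    # Jail userland newer than the kernel it runs on: not supported.
    if [ "$j_maj" -gt "$hk_maj" ] ||
       { [ "$j_maj" -eq "$hk_maj" ] && [ "$j_min" -gt "$hk_min" ]; }; then
        echo newer-than-host; return
    fi
    # Two or more major versions behind: runtime issues are likely (per the thread).
    if [ $((hk_maj - j_maj)) -ge 2 ]; then echo major-gap; return; fi
    # Older release branch: runs, but patch levels are not comparable across branches.
    if [ "$j_maj.$j_min" != "$hu_rel" ]; then echo older-release; return; fi
    # Same branch: kernel fixes already apply (shared kernel), userland may lag.
    if [ "$(ver_field "$3" patch)" -lt "$(ver_field "$2" patch)" ]; then
        echo userland-behind
    else
        echo in-sync
    fi
}

# On a FreeBSD host, pass a jail name or jid as $1 to check a running jail.
if [ -n "${1:-}" ] && command -v freebsd-version >/dev/null 2>&1; then
    classify_jail "$(freebsd-version -r)" "$(freebsd-version -u)" \
                  "$(jexec "$1" freebsd-version -u)"
fi
```

For the situation in the original question (host on p2, jail left on p1) the result is `userland-behind`: the jail already runs on the patched host kernel, but any userland fixes in the update are still missing inside the jail.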
 