Hi,

I just installed FreeBSD 4.10 (my first one) and I fail to see the "big picture" about keeping my system up-to-date with security fixes. I read some relevant sections in the handbook, mailing list entries etc., and here's what I understand:

1. I need to follow the security advisories to see if there are vulnerabilities in the base system (I didn't find any regarding 4.10, am I right?)
2. I installed portaudit to tell me if there are vulnerabilities in the ports.
3. There are some tools (don't remember their names) that automatically download and install upgrades.

These are all bits and pieces I got here and there, but I'm looking for a document that describes all the aspects of keeping my system up-to-date with security. Here are some of the things I don't fully understand:

How do I update my ports without breaking anything and without downtime for important services (apache, mysql, etc.)? The one port I installed from a pre-compiled binary (screen) took 99% CPU, and I had to compile it so it'll work OK. So how do I upgrade any of the above daemons without having to uninstall -> compile -> reinstall (which takes a long time)?

Also, if the PNG library has vulnerabilities (as it does now on my system) and I update the ports and compile it, do I have to update all the ports or only this one (will php break if I don't upgrade it)?

Basically I'm looking for some kind of mechanism that acts more or less like my debian system (please don't start a flame war here, it's just the system I'm using now...) and that includes notifications of security updates, very minimal downtime (a second or two) and, most important, I'm always sure that my configurations are valid (in debian it's achieved by never upgrading the version of the package, only patching for security fixes).

I'll appreciate any input on this, because I have to set up the system as a production server in 2 days...

thanx
-- 
Haim
Haim Ashkenazi wrote:
> 1. I need to follow the security advisories to see if there are
> vulnerabilities in the base system (I didn't find any regarding 4.10, am I
> right?)

It's certainly a good idea, yes. There's a list just for security announcements, although anyone who follows CERT or bugtraq or other security lists is likely to see issues appear from various places. Decide whether to follow RELENG_4 or RELENG_4_10.

> 2. I installed portaudit to tell me if there are vulnerabilities in the
> ports.

portaudit is still work-in-progress, but this is also a good idea.

> 3. there are some tools (don't remember their names) that automatically
> downloads and installs upgrades.

portupgrade.

[ ... ]

> how do I update my ports without breaking anything and without downtime
> for important services (apache, mysql, etc...)? the one port I installed
> from pre-compiled binary (screen) took 99% cpu, and I had to compile it
> so it'll work ok. so how do I upgrade any of the above daemons without
> having to uninstall -> compile -> reinstall (which takes a long time).

portupgrade does "compile -> uninstall -> reinstall", which interrupts the affected software only for a few seconds. Note that it might still be a good idea to shut down and restart the service yourself directly.

> also, if the PNG library having vulnerabilities (as it is now on my
> system) and I update the ports and compile it, do I have to update all the
> ports or only this one (will php break if I won't upgrade it)?

That depends on whether the newer version of PNG retains shlib backwards-compatibility with the older version. Good software tends to be fine; other software, where the authors are less concerned about retaining compatibility with previous versions, may require one to recompile dependent ports as well.

-- 
-Chuck
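As an added example (not from the thread), here is one way to check the shlib point above before deciding whether dependent ports need rebuilding: a shell function that reads `ldd` output and reports which binaries are still linked against a libpng major version other than the one just installed. The ldd sample below is constructed; on a real system the input would come from running `ldd` over the files that `pkg_info -L` lists for each port.

```shell
#!/bin/sh
# Added example, not from the thread. Given ldd-style output (a "binary:"
# header line followed by one "libfoo.so.N => /path (addr)" line per
# dependency), list the binaries linked against a libpng major version
# other than the one passed as NEW_MAJOR. On a real FreeBSD 4.x box the
# input would be produced with something like:
#   for f in $(pkg_info -L php4 | grep /bin/); do ldd "$f"; done

# Constructed sample in the layout ldd prints on FreeBSD 4.x:
SAMPLE='/usr/local/bin/php:
        libpng.so.5 => /usr/local/lib/libpng.so.5 (0x2812a000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28150000)
/usr/local/bin/convert:
        libpng.so.6 => /usr/local/lib/libpng.so.6 (0x2812a000)
/usr/local/bin/gimp:
        libpng.so.5 => /usr/local/lib/libpng.so.5 (0x2812a000)'

# stale_libpng_users NEW_MAJOR
# Reads ldd output on stdin; prints each binary (once) whose libpng
# dependency carries a major version different from NEW_MAJOR.
stale_libpng_users() {
    awk -v want="$1" '
        /^\//          { bin = $1; sub(/:$/, "", bin) }   # header: remember binary
        /libpng\.so\./ {                                  # dependency on libpng
            split($1, parts, ".")                         # libpng . so . MAJOR
            major = parts[3]
            if (major != want && !(bin in seen)) { seen[bin] = 1; print bin }
        }'
}

# Stand-alone run: which binaries still load something other than libpng.so.6?
printf '%s\n' "$SAMPLE" | stale_libpng_users 6
```

Anything the function lists is still loading the old library and its port needs rebuilding; portupgrade's -r flag rebuilds the ports that depend on a given one.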
On Sat, 2004-06-12 at 15:55, David Wolfskill wrote:
> First, there will be *some* downtime. However, it should be a matter of
> seconds, not minutes (or more), as it is quite possible to compile a new
> port before uninstalling the old one.
>
> Indeed, "portupgrade" (in the ports) does just that.
>
> Another way you can help yourself is have another system for doing builds,
> one that does not provide "externally visible" services. You could then
> build packages on that system, for installation on your "production"
> systems.
>
> That said, if you really want *no* downtime, you will need to investigate
> HA ("high availability") system design, and have multiple (at least 2)
> machines providing any given service, with a mechanism for failover.

Well, I guess I can live with a few seconds of downtime.

thanx
-- 
Haim
thanx everyone, you've been very helpful. I just finished upgrading and I now hopefully have a more or less secure system (at least until tomorrow... :).

A few thoughts though (in the eyes of a FreeBSD newbie, I'm sure some of these have elegant solutions): the upgrading process was a lot of trouble (even after I knew what to do). Although portupgrade didn't break anything or cause a long downtime, there were (and actually are) some errors:

1. php4 didn't upgrade because it depends on apache 1.3.29_3 and I just upgraded apache to 1.3.31... This isn't a major problem except for the fact that I'm not sure if it'll work OK...

2. apache+mod-ssl changed the starting procedure from '/usr/local/etc/rc.d' to rc.conf (as it said in the UPGRADE file). It didn't say anywhere during the installation that it's restarting apache, so I had to do it myself. This was not a problem because I knew it was going to be updated, but what if it was upgraded as a dependency? I would have to run portupgrade interactively, which takes a long time when you have more than one computer. btw, how do you stop/start a daemon that is run from rc.conf (except by killing it and searching for the arguments in rc.conf, or sending it SIGHUP)?

3. The most annoying thing is that after all the upgrades (apache, mc, and mysql) I get an error every time I boot (or run rc.firewall manually):

-----------------------------------
Starting standard daemons: inetd cron sshdnt: not found sendmail-submit sendmail-clientmqueue.
Initial rc.i386 initialization:.
Configuring syscons: blanktime.
Additional ABI support:.
Local package initialization:nt: not found
Starting apache.
-------------------------------------

I'm talking about the "nt: not found" error in the first and next-to-last lines. I still have to trace where it comes from... (there is the option that it was there before and I didn't notice it).

The thing that is most difficult for me to get used to is the idea that no one tested these packages before. I can upgrade a port only to find out it's very buggy (and I find out by getting angry calls from my clients...). Anyway, I think I'll buy a newer book and hope it'll clear some issues for me.

I would like to get some input though from the experience of those of you who maintain a few different servers (each performing a different task), all of which serve the general public (so I can't just "do it at night"). Is it safe? How often did something actually break? etc...

Again, thanx a lot for your help.
-- 
Haim
On Mon, 2004-06-14 at 01:05, Adrian Urquhart wrote:
> On Mon, 14 Jun 2004, Haim Ashkenazi wrote:
>
> [snip]
>
> Hi
>
> Just to add my own general comment to all the fun you've been having.
> I've been using FreeBSD since 3.2 and I gave up using the ports to keep
> stuff up to date - it just never worked right for me, plus, many of the
> ports install things in "non-standard" places - in fact, if I remember,
> the Apache port was one of them.
>
> Instead, I'll install everything from source. I feel it works better and
> gives me more control over things, along with a better chance of fixing
> stuff if it goes wrong. For example, with Apache, installing it from
> source puts everything into /usr/local/apache (of course, you can change
> this) by default.
>
> Maybe I've been using the port management tools incorrectly, but I just
> don't have confidence in them. And of course, installing from source
> means your system is always up to date as you don't need to wait for
> ports to catch up with a new release of something.
>
> Like everyone else I use CVS to keep the main source tree up to date and
> so far that has worked really well. The machines I admin are 500 miles
> away so usually I'll CVSup to a single machine, build world and kernels
> on it, install its world and kernel, then reboot it to make sure it
> comes up Ok. Then, SSH into the build machine and from there SSH in to
> the others via their private interfaces. This lets me close the external
> interfaces while I install their worlds and kernels over NFS (at LAN
> speeds, this doesn't take long) then reboot and off we go. Hopefully. I
> always have someone standing by just in case a machine doesn't come
> back, and the only time he was needed was when I'd screwed something up.
>
> The system I admin has machines running Apache, BIND, pure-ftpd,
> PostgreSQL, heavily modified qmail system, and a lot of code written by
> me (C/C++) (it's a small ISP with several thousand cable users).
>
> Anyway, best of luck in your ventures - FreeBSD is an excellent server
> platform, and I use it as a desktop machine for software development.
> Just keep up to date with the advisories and you'll be Ok. Just out of
> interest, my choice of Linux would be Gentoo (I'm writing this on a
> SPARC64 running Gentoo).

Personally I've used debian for the last 3 years. I've been using linux for about 7 years as my only desktop, and I've used LinuxPPC (for macs), RedHat, Suse, Mandrake and finally I started using debian and I'm using it until now. I'm using 'stable' for servers and 'unstable' for my desktop. I didn't try gentoo yet...

What you're saying is very disturbing... I only moved to FreeBSD because debian stable releases a new version once in a long time (more than two years now) and my web clients are annoyed with having an "old" php (4.1.2), and since I want security and stability with minimum hassle for my servers I thought FreeBSD would be a good solution. If I need to download and compile applications from source (and then have to audit many resources to find out about security vulnerabilities and bugs), well, I can do that on debian. No need to spend time learning how to secure and maintain a new operating system...

Anyway, thanx for your input...
-- 
Haim