From owner-freebsd-stable@FreeBSD.ORG Tue Jul 8 13:33:58 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7064237B401; Tue, 8 Jul 2003 13:33:58 -0700 (PDT)
Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8A3BB43FBD; Tue, 8 Jul 2003 13:33:57 -0700 (PDT) (envelope-from cswiger@mac.com)
Received: from mac.com ([141.149.47.46]) by out003.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030708203356.WQEJ4805.out003.verizon.net@mac.com>; Tue, 8 Jul 2003 15:33:56 -0500
Message-ID: <3F0B2AAE.5080708@mac.com>
Date: Tue, 08 Jul 2003 16:33:50 -0400
From: Chuck Swiger
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Paul Smith
References: <20030708200104.GA66624@cnt.org>
In-Reply-To: <20030708200104.GA66624@cnt.org>
X-Enigmail-Version: 0.76.1.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from [141.149.47.46] at Tue, 8 Jul 2003 15:33:53 -0500
cc: freebsd-stable@freebsd.org
Subject: Re: Hardening production servers
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 08 Jul 2003 20:33:58 -0000

Paul Smith wrote:
> Apologies if this is not the appropriate list, but my questions are about
> best practices in maintaining production servers (so I believe I can justify
> a post in -stable, short of a -release list :)

You ask good questions, regardless of where they were directed.
[ -questions or maybe -isp might have been a better choice. ]

> I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to
> RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports
> as necessary. In an attempt to mature and harden this installation, I'm
> wondering what is the best approach for keeping production servers patched
> and with the latest ports. I know that compiling everything on each box is
> poor security practice and an unnecessary drain on resources. But I'm confused
> as to how to go about compiling world and the ports on a separate machine and
> how to then distribute to the production servers. Should I compile ports as
> packages? Which directories are appropriate for NFS export? Each machine is
> i386, so there shouldn't be any architecture issues, but each has its own
> hardware configuration, so how would building a custom kernel work?

If you do a "make package" for each port that you install, you can copy it or
use network file sharing (NFS, Samba, etc.) to distribute the
/usr/ports/packages directory. Create that directory if it doesn't exist, and
"make package" will save the .tgz there rather than under each individual port
directory.

Beyond that, you should consider sharing /usr/src and /usr/obj from your build
server onto the other machines for performing upgrades. You can copy all of
your kernel config files to the build server, and do:

  make buildkernel KERNCONF=machine1
  make buildkernel KERNCONF=machine2

...etc, for each distinct kernel config file you have. You then "make
installkernel" with the right KERNCONF as appropriate for the machine you're
upgrading. While you're there, you can compare and possibly merge several
individual config files into one that is appropriate for most or all of your
hardware.

-- 
-Chuck
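The workflow in Chuck's reply (one "make buildkernel" per distinct KERNCONF on the build server, "make installkernel" per host over the shared /usr/src and /usr/obj, and a shared /usr/ports/packages directory), written out as an added shell example. This is not code from the thread or from FreeBSD; it assumes a hypothetical host map file of "hostname KERNCONF" lines, an overridable MAKE_CMD so the kernel steps can be dry-run, and a PKGDIR defaulting to /usr/ports/packages. It also adds one check the thread does not mention: a digest manifest written on the build server and verified on each production host before any pkg_add, so a package altered on the export or in transit is caught. sha256sum or sha256(1) is used where present; the md5(1) fallback (all a 4.x-era host has) catches corruption but is not a defence against a deliberate substitution.

```shell
#!/bin/sh
# Added example (not from the thread): build-server helpers for the workflow in
# Chuck's reply. Assumed layout, all hypothetical:
#   HOSTMAP  - text file of "hostname KERNCONF" lines, one per production host
#   PKGDIR   - where "make package" drops the package files
#   MAKE_CMD - overridable so the kernel steps can be dry-run (MAKE_CMD=echo)
PKGDIR="${PKGDIR:-/usr/ports/packages}"
SRCDIR="${SRCDIR:-/usr/src}"
MAKE_CMD="${MAKE_CMD:-make}"

# Distinct KERNCONF names in a host map, one per line; '#' lines are ignored.
kernconfs_in() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $2 }' "$1" | sort -u
}

# KERNCONF for one host; exit status 1 if the host is not listed.
kernconf_for() {
    awk -v h="$2" '$1 == h { print $2; found = 1 } END { exit !found }' "$1"
}

# Build server: one "make buildkernel" per distinct config, not per host.
build_all_kernels() {
    for k in $(kernconfs_in "$1"); do
        ( cd "$SRCDIR" && $MAKE_CMD buildkernel KERNCONF="$k" ) || return 1
    done
}

# Production host (with /usr/src and /usr/obj mounted from the build server):
# install the kernel built for this host's KERNCONF.
install_my_kernel() {
    host=${2:-$(hostname)}
    k=$(kernconf_for "$1" "$host") || { echo "no KERNCONF for $host" >&2; return 1; }
    ( cd "$SRCDIR" && $MAKE_CMD installkernel KERNCONF="$k" )
}

# Digest of one file: sha256sum (GNU) or sha256(1) (newer BSD) if present.
# md5(1) as a last resort catches corruption but is no defence against a
# deliberately substituted package.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else md5 -q "$1"
    fi
}

# Build server: record "digest  name" for every package in $1 into $1/MANIFEST
# (.tgz on 4.x, .tbz on later releases).
write_manifest() {
    ( cd "$1" && for f in *.tgz *.tbz; do
          [ -f "$f" ] || continue
          printf '%s  %s\n' "$(digest "$f")" "$f"
      done ) > "$1/MANIFEST"
}

# Production host: verify every entry before any pkg_add. Returns 1 and names
# each missing or altered file. Fetch the manifest by a path independent of the
# package share (e.g. scp from the build server); otherwise a tampered export
# could simply carry a matching manifest.
verify_manifest() {
    dir=$1; manifest=${2:-$1/MANIFEST}; rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name" >&2; rc=1
        elif [ "$(digest "$dir/$name")" != "$sum" ]; then
            echo "ALTERED $name" >&2; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Command-line entry points; with no arguments the file only defines functions.
case "${1:-}" in
    build-kernels)  build_all_kernels "${2:?hostmap}" ;;
    install-kernel) install_my_kernel "${2:?hostmap}" ;;
    manifest)       write_manifest "$PKGDIR" ;;
    verify)         verify_manifest "$PKGDIR" ;;
    "") ;;
    *) echo "usage: $0 {build-kernels|install-kernel} HOSTMAP | manifest | verify" >&2
       exit 2 ;;
esac
```

On the build server, run "sh hardening.sh build-kernels hosts" after buildworld and "sh hardening.sh manifest" after the last "make package"; on each production host run "sh hardening.sh verify" before pkg_add and "sh hardening.sh install-kernel hosts" before installworld. MAKE_CMD=echo prints the make invocations without building, which is a cheap way to confirm the host map before touching a production box.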