From owner-freebsd-stable@FreeBSD.ORG  Wed Jul  9 11:50:57 2003
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2424637B401
	for <freebsd-stable@freebsd.org>;
	Wed,  9 Jul 2003 11:50:57 -0700 (PDT)
Received: from loop.cnt.org (mailbox.cnt.org [68.20.235.7])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 649EA43FA3
	for <freebsd-stable@freebsd.org>;
	Wed,  9 Jul 2003 11:50:56 -0700 (PDT)
	(envelope-from paul@mailbox.cnt.org)
Received: from loop.cnt.org (localhost.cnt.org [127.0.0.1])
	by loop.cnt.org (8.12.3/8.12.3) with ESMTP id h69IotvC036928;
	Wed, 9 Jul 2003 13:50:55 -0500 (CDT)
	(envelope-from paul@mailbox.cnt.org)
X-Authentication-Warning: loop.cnt.org: Host localhost.cnt.org [127.0.0.1]
	claimed to be loop.cnt.org
Received: (from paul@localhost)
	by loop.cnt.org (8.12.3/8.12.3/Submit) id h69IotKK036927;
	Wed, 9 Jul 2003 13:50:55 -0500 (CDT)
	(envelope-from paul)
Date: Wed, 9 Jul 2003 13:50:55 -0500
From: Paul Smith <paul@cnt.org>
To: Gregory Bond <gnb@itga.com.au>
Message-ID: <20030709185054.GI32234@cnt.org>
References: <200307082335.JAA29618@lightning.itga.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200307082335.JAA29618@lightning.itga.com.au>
User-Agent: Mutt/1.4i
cc: freebsd-stable@freebsd.org
Subject: Re: Hardening production servers
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Production branch of FreeBSD source code
	<freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jul 2003 18:50:57 -0000

Gregory Bond <gnb@itga.com.au> wrote on 08/Jul/03 at  6:35 PM:
> Here's what we do:
> 
> For the system:
> 
>  - A separate build box, spec'd no higher than the lowest production machine
>  - keep a CVS repository on the build box
>  - buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
>  - run make update / make buildworld / make buildkernel on the build box
>  - Install kernel & world on the build box, run mergemaster, etc as documented
>  - run the build box for a couple of days (rebuilding ports etc) to check it 
>    out
>  - NFS mount /usr/src and /usr/obj readonly on each client
>  - client /etc/make.conf has KERNCONF=CLIENTn
>  - installkernel / installworld / mergemaster on the client in the normal way
>
>  [ ... ]

Just a quick addendum for anyone who's stepping through this, as I've just
done :)

- If you are going to 'make installworld' in single-user mode on the client,
  you need to '# sh /etc/netstart' after fsck, mount, swapon, etc. to be able
  to NFS mount the build server. May be obvious, but tripped me up a bit at
  first.

-- 
Paul Smith <paul@cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA