Date: Wed, 7 Sep 2011 02:17:25 +0100
From: Frank Shute <frank@shute.org.uk>
To: Polytropon <freebsd@edvax.de>
Cc: Pierre-Luc Drouin <pldrouin@pldrouin.net>, freebsd-questions@freebsd.org
Subject: Re: Best Server OS for Someone That Does not Want to Touch a Shell on a Regular Basis?
Message-ID: <20110907011725.GA70734@orange.esperance-linux.co.uk>
In-Reply-To: <20110905163623.98ebca0a.freebsd@edvax.de>
References: <4E644637.1030500@pldrouin.net> <20110905143102.68a797fa.freebsd@edvax.de> <4E64CC1D.90001@pldrouin.net> <20110905154358.187c9fba.freebsd@edvax.de> <4E64DAA6.60006@pldrouin.net> <20110905163623.98ebca0a.freebsd@edvax.de>

On Mon, Sep 05, 2011 at 04:36:23PM +0200, Polytropon wrote:
> On Mon, 05 Sep 2011 10:20:22 -0400, Pierre-Luc Drouin wrote:
> > How well does it work to use binary packages only to maintain a FreeBSD
> > web server in general (I am thinking of package availability, but also
> > and in particular as a quasi-automated updating tool)?
>
> Quite well - as long as you're satisfied with the default
> building options. You know that a binary package is a port,
> compiled with the default set of options. This is okay in
> most cases, but there may be situations where you explicitly
> need to enable or disable a certain feature at compile time.
>
> You also may encounter a situation where _no_ package is
> available for a port (e. g. too many options, or licensing
> restrictions).
>
> This can be solved by portmaster which has an option to
> go through all interactive configuration screens _before_
> starting any action. Those settings can be saved for the
> next update run.
>
> The portmaster program itself can be instructed to _use_
> binary packages (just as pkg_add -r would do) with the -P
> and -PP options. In this case, binary packages will be
> used as long as possible, and only those ports that
> require building (as no package exists) will be compiled.
> See "man portmaster" for details.
>
> This is a good approach in combination with freebsd-update.
> I have used that concept on some servers myself (especially
> on smaller ones with low resources where compiling would
> be too problematic).
>
> > I noticed that in
> > the past few years, updating software through ports has been requiring
> > more user intervention, due to the way some dependencies are being
> > updated from one version to the next. Would using binary packages allow
> > to avoid more such user intervention?
>
> Yes. All dependencies would be incorporated automatically.
> Only ports without equivalent package that additionally have
> OPTIONS to set would invoke a configuration screen, and this
> screen would have to be dealt with only in the first run of
> the updating process.
>
> There are also options for portmaster that can be used to
> control program behaviour in case of problems (e. g. some
> package not found, conflicting ports, versioning problem,
> or port marked "broken").
>
> Those solutions can also easily be scripted, e. g. check
> once a week for possible updates and get the packages, but
> do not install them automatically (which can be a security
> requirement). If the list is approved, the updates will
> be installed during night, creating a "fallback copy" just
> in case something went wrong (e. g. malfunctioning new
> software). Reports can be generated automatically and mailed
> to the system administrator.
>
> I would also suggest to frequently check the mailing lists
> of the software in use for bugs and security updates that
> might be interesting in terms of system security. This should
> be done for any "major server software" (Apache, PHP, MySQL
> and the services utilizing those software, whatever you
> want to run on the server).
>

I'd recommend installing ports-mgmt/portaudit to keep an eye out on any
vulnerabilities that require an update of the ports/packages.

Personally, I'd go for ports rather than packages. As long as your
friend reads /usr/ports/UPDATING and he uses either portupgrade or
portmaster, he shouldn't go too far wrong.

Also couldn't your friend give you a key for his server so that you
can ssh into it and fix things if it goes wrong?

Regards,

--
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
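
The scripted workflow described in the quoted text (find updates weekly, install only what has been approved, mail a report) as an added example that is not part of the original message. The list file layout, the `INSTALL_CMD` hook and the sample package versions are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: approval gate between "updates found" and "updates installed".
# List file layout and the INSTALL_CMD hook are assumptions, not from the thread.

# Pending entries (name-version, one per line) that the admin has approved.
# Matching is literal and whole-line, so approving foo-1.2 does not authorize
# foo-1.3 if a newer version appears before the install run.
approved_updates() {                      # $1 = pending list, $2 = approved list
    [ -s "$2" ] || return 0               # missing/empty approval file: approve nothing
    grep -Fx -f "$2" "$1" || true
}

# Pending entries still waiting for approval.
held_updates() {
    [ -s "$2" ] || { cat "$1"; return 0; }
    grep -Fxv -f "$2" "$1" || true
}

# Run the install hook for approved entries only. INSTALL_CMD is a placeholder
# for the site's real package command; the default is a dry run.
install_approved() {
    approved_updates "$1" "$2" | while IFS= read -r pkg; do
        ${INSTALL_CMD:-echo would-install} "$pkg"
    done
}

# Report for the administrator (from cron, pipe this into mail(1)).
update_report() {
    echo "Approved for tonight's run:"; approved_updates "$1" "$2" | sed 's/^/  /'
    echo "Held, awaiting approval:";    held_updates "$1" "$2" | sed 's/^/  /'
}

# Constructed sample lists; the package versions are made up for the demo.
demo=$(mktemp -d)
printf '%s\n' apache-2.2.20 php5-5.3.8 mysql-server-5.5.15 > "$demo/pending"
printf '%s\n' apache-2.2.20 php5-5.3.6 > "$demo/approved"   # php approval is for an older version
update_report "$demo/pending" "$demo/approved"
```

Because the gate fails closed, a missing or empty approval file results in nothing being installed and every pending entry showing up as held in the report.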