From: Angelo
To: "Tonix (Antonio Nati)"
Cc: freebsd-isp@freebsd.org
Date: Thu, 28 May 2009 12:06:48 +0200
Subject: Re: Avoiding source code on production servers

On Fri, May 22, 2009 at 11:06 AM, Tonix (Antonio Nati) wrote:

> I'm in the phase of planning my new generation of FreeBSD servers, and I
> would love to make them more easy to upgrade.
> Main problem I have currently is I do not want any source code on
> production server, so freebsd-update is welcome, but... what about packages?
> I would use packages, but they are not easy to upgrade, while ports can be
> easy to upgrade, but need to have sources on servers.
>
> What do you suggest me? What is currently done on other environments?
>
> Thanks,
>
> Tonino
>
> --
> Inter@zioni Interazioni di Antonio Nati
> http://www.interazioni.it tonix@interazioni.it

Hi,

some good solutions have been suggested. I personally like and find easy to maintain these two:

- having a build server where to compile code, pkg_create and then distribute the packages and pkg_add them (what I was doing at the last shop where I was working on FreeBSD)
- when you need to install/upgrade software you nfsmount volumes from a non critical host that hosts the source code

All the installation/upgrades can be pushed with a tool like cfengine; this way you can test the process on testing servers and then decide when and how to push the changes on the other machines in the order you wish. With cfengine you can perform whatever actions you want so you can actually include pre and post installation scripts and checks.
This also makes it really easy to add new machines, install a fresh OS and apply ALL the changes you applied to the other server without forgetting a single package or setting.

To keep things simple I try to have the base FreeBSD setup as clean as possible on the server and install only the packages that are really needed for infrastructural purposes: monitoring tools, cfengine and a host-based firewall. Every non infrastructural service goes on its own into a minimal jail. This makes it trivial to migrate services from a server to another and prevents having package conflicts (never tried to make different versions of php or perl coexist?) on the base system.

My 2 cents :)

Angelo
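
A production-side check for the build-server workflow in the reply above, as an added example that is not part of the original message: verify every distributed package against a SHA-256 manifest before pkg_add runs. The `MANIFEST` file and its `<sha256>  <filename>` format, the `.tbz` extension and the function names are assumptions, and the manifest is assumed to reach the host over a channel you trust.

```shell
#!/bin/sh
# Added example, not from the original message. Assumptions: packages are
# *.tbz files in one directory, and MANIFEST has "<sha256>  <filename>" lines.

# Print the SHA-256 of a file with whichever tool this host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"          # FreeBSD base system
    fi
}

# verify_pkgs DIR MANIFEST
# Prints the path of every package whose hash matches. Returns non-zero if a
# listed package is missing or altered, or if DIR holds an unlisted package.
verify_pkgs() {
    dir=$1; manifest=$2; rc=0
    while read -r want name; do
        [ -n "$name" ] || continue
        case $name in
            */*) echo "path in manifest rejected: $name" >&2; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $name" >&2; rc=1
        elif [ "$(hash_file "$dir/$name")" = "$want" ]; then
            echo "$dir/$name"
        else
            echo "hash mismatch: $name" >&2; rc=1
        fi
    done < "$manifest"
    for f in "$dir"/*.tbz; do
        [ -e "$f" ] || continue
        awk -v n="${f##*/}" '$2 == n { ok = 1 } END { exit !ok }' "$manifest" ||
            { echo "not in manifest: ${f##*/}" >&2; rc=1; }
    done
    return "$rc"
}

# install_verified DIR MANIFEST
# All-or-nothing: pkg_add runs only if every package verified.
install_verified() {
    list=$(verify_pkgs "$1" "$2") || return 1
    for p in $list; do
        pkg_add "$p" || return 1
    done
}
```

A configuration tool such as cfengine can call `install_verified` as the install action, so a failed check stops the rollout on that host before anything is added.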