Date: Tue, 08 Jul 2003 16:33:50 -0400
From: Chuck Swiger <cswiger@mac.com>
To: Paul Smith <paul@cnt.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: Hardening production servers
Message-ID: <3F0B2AAE.5080708@mac.com>
In-Reply-To: <20030708200104.GA66624@cnt.org>
References: <20030708200104.GA66624@cnt.org>
Paul Smith wrote:

> Apologies if this is not the appropriate list, but my questions are about
> best practices in maintaining production servers (so I believe I can justify
> a post in -stable, short of a -release list :)

You ask good questions, regardless of where they were directed to. [ -questions or maybe -isp might have been a better choice. ]

> I maintain a modest installation of 6 FreeBSD servers. They're CVSUP'd to
> RELENG_4_8 (I make buildworld on each individually) and I portupgrade ports
> as necessary. In an attempt to mature and harden this installation, I'm
> wondering what is the best approach for keeping production servers patched
> and with the latest ports. I know that compiling everything on each box is
> poor security practice and an unnecessary drain on resources. But I'm confused
> as to how to go about compiling world and the ports on a separate machine and
> how to then distribute to the production servers. Should I compile ports as
> packages? Which directories are appropriate for NFS export? Each machine is
> i386, so there shouldn't be any architecture issues, but each has its own
> hardware configuration, so how would building a custom kernel work?

If you do a "make package" for each port that you install, you can copy it using network filesharing (NFS, Samba, etc.) to distribute the /usr/ports/packages directory. Create that directory if it doesn't exist, and "make package" will save the .tgz there rather than under each individual port directory.

Beyond that, you should consider sharing /usr/src and /usr/obj from your build server onto the other machines for performing upgrades. You can copy all of your kernel config files to the build server, and do:

  make buildkernel KERNCONF=machine1
  make buildkernel KERNCONF=machine2

...etc., for each distinct kernel config file you have. You then "make installkernel" with the right KERNCONF as appropriate for the machine you're upgrading.

While you're there, you can compare and possibly merge several individual config files into one that is appropriate for most or all of your hardware.

-- 
-Chuck
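A build-server helper for the workflow Chuck sketches above, as an added example that is not from the thread or from FreeBSD itself. It assumes the per-host kernel config files have been copied into one directory (named after the host they belong to), that packages sit under /usr/ports/packages/All, and it adds a SHA-256 manifest so each production host can check that what it pulls off the NFS share is what the build server produced; MAKE=echo gives a dry run.

```shell
#!/bin/sh
# Added example, not Chuck's or FreeBSD's own code. Assumes one kernel config
# file per host in a single directory, named after that host, and packages in
# <pkgdir>/All. Set MAKE=echo to print the make commands without building.
SRCDIR=${SRCDIR:-/usr/src}
MAKE=${MAKE:-make}

sha256_of() {
    # FreeBSD ships sha256(1); most other systems have sha256sum(1)
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else sha256sum "$1" | cut -d' ' -f1; fi
}

# Build one kernel per config file in $1. Each KERNCONF gets its own
# /usr/obj/.../sys/<KERNCONF> tree, so the builds do not clobber each other.
build_all_kernels() {
    status=0
    for cfg in "$1"/*; do
        [ -f "$cfg" ] || continue
        (cd "$SRCDIR" && $MAKE buildkernel KERNCONF="$(basename "$cfg")") || status=1
    done
    return $status
}

# On a production host (with /usr/src and /usr/obj mounted from the build
# server): install the kernel whose config is named after this host.
install_own_kernel() {
    (cd "$SRCDIR" && $MAKE installkernel KERNCONF="${1:-$(hostname -s)}")
}

# Write "<sha256> <package>" for every package produced by "make package".
write_package_manifest() {
    : > "$2"
    for pkg in "$1"/All/*.tgz; do
        [ -f "$pkg" ] || continue
        printf '%s %s\n' "$(sha256_of "$pkg")" "$(basename "$pkg")" >> "$2"
    done
}

# Recompute every digest listed in the manifest before installing from the
# share; a missing file or a digest mismatch makes the check fail.
verify_package_manifest() {
    rc=0
    while read -r sum name; do
        [ -f "$1/All/$name" ] && [ "$(sha256_of "$1/All/$name")" = "$sum" ] \
            || { echo "MISMATCH: $name" >&2; rc=1; }
    done < "$2"
    return $rc
}
```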