Date:      Wed, 09 Jul 2003 09:35:15 +1000
From:      Gregory Bond <gnb@itga.com.au>
To:        Paul Smith <paul@cnt.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Hardening production servers 
Message-ID:  <200307082335.JAA29618@lightning.itga.com.au>
In-Reply-To: Your message of Tue, 08 Jul 2003 15:01:04 -0500.

Here's what we do:

For the system:

 - A separate build box, spec'd no higher than the lowest production machine
 - keep a CVS repository on the build box
 - buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
 - run make update / make buildworld / make buildkernel on the build box
 - Install kernel & world on the build box, run mergemaster, etc as documented
 - run the build box for a couple of days (rebuilding ports etc) to check it 
   out
 - NFS mount /usr/src and /usr/obj readonly on each client
 - client /etc/make.conf has KERNCONF=CLIENTn
 - installkernel / installworld / mergemaster on the client in the normal way

For the ports:

 - use portupgrade on build box and clients
 - build box has the union of all the client package sets installed on it
 - build box does "portupgrade -p" to build packages
 - client boxes NFS mount /usr/ports/ (including /usr/ports/packages)
     (can also do it with a local CVSup'd /usr/ports and using FTP to 
      the build box to get the packages, but that's harder to get right.)
 - clients run portupgrade -PP to use the packages only

This works well enough for us with a similar number of servers.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200307082335.JAA29618>
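The build-box / client procedure described in the message above, scripted as an added example; it is not part of the original mail and not FreeBSD's own tooling. The hostname `buildbox`, the `DRY_RUN` switch, the `is_readonly_mount` / `check_client_mounts` guard and the `-a` (all installed ports) flag on `portupgrade` are assumptions and additions of mine; the command order follows the mail and the standard FreeBSD upgrade sequence (installkernel, reboot, mergemaster -p, installworld, mergemaster). One caveat the mail leaves implicit: `ro` in a client's fstab only restricts that client's own mount, so the exports of /usr/src, /usr/obj and /usr/ports must also be marked read-only (`-ro`) in the build box's /etc/exports, otherwise a compromised client could still write into the tree that every other machine installs from.

```shell
#!/bin/sh
# Added example, not from the original mail: the build-box / client
# procedure from the message above as a POSIX shell wrapper.
# Assumptions (not in the original): the hostname "buildbox", the DRY_RUN
# switch and the read-only mount check are illustrative additions.
set -eu

BUILDBOX="${BUILDBOX:-buildbox}"   # assumed build-box hostname (NFS server)
SRC=/usr/src
DRY_RUN="${DRY_RUN:-1}"            # 1 = only print commands; 0 = execute them

# run: print a command, and execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then
        "$@"
    fi
}

# kernconf_line: the KERNCONF line for /etc/make.conf. The build box lists
# every kernel config so one buildkernel produces all of them; each client
# lists only its own, so installkernel picks the right one.
kernconf_line() {
    printf 'KERNCONF="%s"\n' "$*"
}

# fstab_line: a client's /etc/fstab entry for a path exported by the build
# box. "ro" keeps the client from writing into /usr/src or /usr/obj; the
# export must also be read-only in the build box's /etc/exports, because a
# client-side "ro" is not enforced by the server.
fstab_line() {
    printf '%s:%s\t%s\tnfs\tro\t0\t0\n' "$BUILDBOX" "$1" "$1"
}

# is_readonly_mount: true if one line of mount(8) output shows a read-only
# mount, e.g. "buildbox:/usr/src on /usr/src (nfs, read-only)".
is_readonly_mount() {
    case "$1" in
        *read-only*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_client_mounts: refuse to install on a client whose /usr/src or
# /usr/obj is not mounted read-only (or not mounted at all).
check_client_mounts() {
    for p in /usr/src /usr/obj; do
        line=$(mount | grep " on $p " || true)
        if ! is_readonly_mount "$line"; then
            echo "$p is not a read-only NFS mount; refusing to install" >&2
            return 1
        fi
    done
}

# Build box, step 1: update sources from the local CVS repository, build
# world and every kernel named in KERNCONF (taken from /etc/make.conf).
buildbox_build() {
    run make -C "$SRC" update
    run make -C "$SRC" buildworld
    run make -C "$SRC" buildkernel
}

# Any host, step 2: install the kernel, then reboot to single user before
# step 3. On a client, /usr/src and /usr/obj are the build box's exports.
install_kernel() {
    run make -C "$SRC" installkernel
    echo "next: reboot to single-user mode, then run: $0 world"
}

# Any host, step 3: mergemaster -p first (users/groups installworld needs),
# then installworld, then the full mergemaster.
install_world() {
    run mergemaster -p
    run make -C "$SRC" installworld
    run mergemaster
}

# Ports: the build box (carrying the union of all client package sets)
# rebuilds everything and writes packages (-p) under /usr/ports/packages;
# clients with /usr/ports NFS-mounted install from those packages only
# (-PP), so no production box ever compiles a port.
buildbox_packages() { run portupgrade -a -p; }
client_packages()   { run portupgrade -a -PP; }

case "${1:-}" in
    build)        buildbox_build ;;
    kernel)       install_kernel ;;
    world)        install_world ;;                         # on the build box
    client-world) check_client_mounts && install_world ;;  # on a client
    packages)     buildbox_packages ;;
    client-pkgs)  client_packages ;;
    *) echo "usage: $0 build|kernel|world|client-world|packages|client-pkgs" ;;
esac
```

Run it with `DRY_RUN=1` first to see the exact command sequence for a host, then `DRY_RUN=0 ./buildbox.sh build` on the build box and `DRY_RUN=0 ./buildbox.sh client-world` on each client after its reboot to single-user mode; `client-world` aborts before touching anything if /usr/src or /usr/obj is not a read-only mount.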