Date: 18 Apr 2002 12:08:14 -0700
From: Ken McGlothlen <mcglk@artlogix.com>
To: Brett Glass <brett@lariat.org>
Cc: Christopher Schulte <schulte+freebsd@nospam.schulte.org>, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <87r8lcakpt.fsf@ralf.artlogix.com>
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>

Brett Glass <brett@lariat.org> writes:

| Alas, this is not an acceptable solution.
|
| I realize that many people use FreeBSD on non-mission-critical systems, or to
| tinker with, and can afford downtime. But we need to create and maintain
| production machines.
|
| I hope that you can understand that doing a CVSup and then rebuilding the
| world every night (slowing the system to a crawl in the process and creating
| a system which might or might not be 100% stable) is not an acceptable
| solution.

Actually, it's not as bad as it might seem. I suspect what's got you upset is
the thought of having to do a make buildworld on every machine. I can tell you
how to avoid that.

What I've done in the past is to use NFS to export /usr from my fastest
machine. Let's assume you want to keep a Class C network at 192.168.3.0
updated.

/etc/exports:

        /usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0

Then, on the machines you want to keep updated, you'd mount /usr/src and
/usr/obj from that build machine.

Now, on the fast box, type

        # cd /usr/src
        # make buildworld

Churn, churn, churn. None of your production machines are impacted; only the
fast box handling the build.

I should also note that you may want to move *all* your kernel configuration
files over to the fast box, into /sys/i386/conf (if you're running
x86/Pentium/AMD boxes).

Once the build is done, pick a machine you want to update. Let's assume it's
called wibble, and its kernel configuration file is called WIBBLE. On the fast
box, type

        # make buildkernel KERNCONF=WIBBLE

Once that's done, go to Wibble, shut down the services on it (what you want to
do is essentially bring it down to single-user mode, but still keep NFS
running), and type the following:

        # cd /usr/src
                (Remember, that's the directory that actually resides on the
                fast box)
        # make installworld
                (Which installs the new operating system.)
        # make installkernel KERNCONF=WIBBLE
                (Which installs the new kernel.)
        # reboot

You should be done at this point with wibble. Next machine, wobble. Go to the
fastbox and type

        # make buildkernel KERNCONF=WOBBLE

and when that's done, go to wobble and type

        # cd /usr/src
        # make installworld
        # make installkernel KERNCONF=WOBBLE
        # reboot

and so on. You'll find that's a LOT faster than rebuilding the entire OS from
source on each and every machine.

Hope that helps. If you have any questions . . . well, you know where to
write. :)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message