Date:      Thu, 18 Apr 2002 14:23:58 -0700 (MST)
From:      David Bear <David.Bear@asu.edu>
To:        security@freebsd.org
Subject:   light from heat! yeah!! Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID:  <Pine.LNX.4.33.0204181417490.7826-100000@moroni.pp.asu.edu>
In-Reply-To: <87r8lcakpt.fsf@ralf.artlogix.com>

On Thu, 18 Apr 2002, Ken McGlothlen wrote:
> Brett Glass <brett@lariat.org> writes:
> | I realize that many people use FreeBSD on non-mission-critical systems, or to
> | tinker with, and can afford downtime. But we need to create and maintain
> | production machines.
> the thought of having to do a make buildworld on every machine.  I can tell you
> how to avoid that.

THANK YOU.  Here's a suggestion that helps.  Seems like the topic for a
new HOWTO -- Keeping security updates across large numbers of production
servers ---

I'm very new to FreeBSD -- I chose FreeBSD because there was not a distro
du jour like in the Linux world.  Keeping security patching tractable
should be of great interest to the security group.

>
> What I've done in the past is to use NFS to export /usr from my fastest
> machine.  Let's assume you want to keep a Class C network at 192.168.3.0
> updated.
>
>         /etc/exports:
>
>             /usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0
>
> Then, on the machines you want to keep updated, you'd mount /usr/src and
> /usr/obj from that build machine.
>
> Now, on the fast box, type
>
>         # cd /usr/src
>         # make buildworld
>
> Churn, churn, churn.  None of your production machines are impacted; only the
> fast box handling the build.
>
> I should also note that you may want to move *all* your kernel configuration
> files over to the fast box, into /sys/i386/conf (if you're running x86/Pentium/
> AMD boxes).
>
> Once the build is done, pick a machine you want to update.  Let's assume it's
> called wibble, and its kernel configuration file is called WIBBLE.
>
> On the fast box, type
>
>         # make buildkernel KERNCONF=WIBBLE
>
> Once that's done, go to Wibble, shut down the services on it (what you want to
> do is essentially bring it down to single-user mode, but still keep NFS
> running), and type the following:
>
>         # cd /usr/src
>                 (Remember, that's the directory that actually resides on the
>                  fast box)
>         # make installworld
>                 (Which installs the new operating system.)
>         # make installkernel KERNCONF=WIBBLE
>                 (Which installs the new kernel.)
>         # reboot
>
> You should be done at this point with wibble.  Next machine, wobble.  Go to the
> fastbox and type
>
>         # make buildkernel KERNCONF=WOBBLE
>
> and when that's done, go to wobble and type
>
>         # cd /usr/src
>         # make installworld
>         # make installkernel KERNCONF=WOBBLE
>         # reboot
>
> and so on.
>
> You'll find that's a LOT faster than rebuilding the entire OS from source on
> each and every machine.
>

-- 
David Bear
College of Public Programs/ASU
480-965-8257
...the way is like water, going where nobody wants it to go
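
Added example, not part of the original message or of FreeBSD itself: a small sh audit for exports(5) lines like the one quoted above, which is read-write, maps client root to uid 0 and covers the whole 192.168.3 network, so any root user in that range can alter the tree every other machine installs from. The function names, the finding labels and the host name buildclient1 are assumptions, and the sample lines other than the quoted one are constructed.

```shell
#!/bin/sh
# Added example: flag risky options in FreeBSD exports(5) lines.

# audit_export_line LINE -> prints "<path>: <findings>" or "<path>: ok".
# Runs in a subshell so that "set -f" does not leak into the caller.
audit_export_line() (
    set -f                       # no globbing while splitting into words
    set -- $1
    [ $# -gt 0 ] || return 0     # whitespace-only line: nothing to report
    path=$1; shift
    findings="" ro=no
    for word in "$@"; do
        case $word in
            -ro|-o) ro=yes ;;                          # -o is a synonym for -ro
            -maproot=0|-maproot=0:*|-maproot=root|-maproot=root:*)
                findings="$findings root-mapped" ;;    # client root stays root
            -alldirs)
                findings="$findings alldirs" ;;        # any subdirectory mountable
            -network|-network=*)
                findings="$findings whole-network" ;;  # a range, not named hosts
        esac
    done
    # exports(5) defaults to read-write when -ro is absent.
    if [ "$ro" = no ]; then findings="$findings read-write"; fi
    echo "$path:${findings:- ok}"
)

# audit_exports: read an exports file on stdin, skip comments and blank lines.
audit_exports() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        audit_export_line "$line"
    done
}

# Constructed sample: the first entry is the line quoted in the message,
# the other two are illustrative tighter variants.
audit_exports <<'EOF'
# /etc/exports on the build machine
/usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0
/usr/src -ro -network 192.168.3 -mask 255.255.255.0
/usr/obj -ro buildclient1
EOF
```

On a real build machine, run `audit_exports < /etc/exports` and review every line that is not reported as ok.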

