From owner-freebsd-stable Wed Aug 7 17:14:33 2002
Message-ID: <3D51B2F7.CE6F51D7@pantherdragon.org>
Date: Wed, 07 Aug 2002 16:53:27 -0700
From: Darren Pilgrim
To: FreeBSD-Stable
Subject: Safest way to do a remote installworld?
References: <20020807214726.89A505D04@ptavv.es.net>

I've been trying to come up with the safest way possible to do a remote installworld without doing it from the console in single-user mode. Here's what I've come up with so far, please tell me if there's something else I can do to make it safer:

- Do normal pre-buildworld stuff and buildworld.
- Backup /, /boot, /bin, /etc, /modules, and /sbin to /userdata/rootdir_backup.tar.
- INSTKERNNAME="kernel.GENERIC" make -e kernel -DNO_MODULES
- make kernel KERNCONF=CUSTOM
- install -o root -g wheel -m 555 -f schg /usr/obj/usr/src/sys/CUSTOM/kernel.debug /kernel.debug
- Backup /usr/X11R6, /usr/bin, /usr/compat, /usr/include, /usr/lib, /usr/libdata, /usr/libexec, /usr/sbin, and /usr/share to /userdata/usr_backup.tar.
- Backup /usr/local to /userdata/usr.local_backup.tar.
- Roll-over all logs under syslog's control.
- Backup /var to /userdata/var_backup.tar.
- Backup /root to /userdata/roothome_backup.tar.
- Backup /home and any other user-data filesystems that are on any disks touched by installworld.
- Backup the disklabels.
- Take a snapshot of /dev using this pair of commands:
    ls -alR | egrep ^c | awk '{print $1 " " $3 " " $4 " " $5 " " $6 " " $10}' >/userdata/devlist_pre-iw
    ls -alR | egrep -v ^c | awk '{print $1 " " $3 " " $4 " " $5 " " $9 " " $10 " " $11}' >>/userdata/devlist_pre-iw
- Set the machine to do nothing more than bring up the normal network configuration, an open firewall, and run what's required for a functioning system and sshd.
- Run a script to disable logins on all accounts except for root and the non-root admin account.
- Verify and apply this patch:

--- /usr/src/etc/rc Thu May 9 10:39:01 2002 +++ /etc/rc Wed Aug 7 03:36:41 2002 @@ -227,6 +227,14 @@ adjkerntz -i +if [ -e /usr/obj/installworld_on_reboot ]; then + mount -uat ufs -o exec + rm /usr/obj/installworld_on_reboot + # /empty_fs is a synchronous filesystem by itself on a disk + cd /usr/src && script /empty_fs/m-iw.out make installworld + mount -uat ufs +fi + purgedir() { local dir file

- Reboot the machine with the new kernels and old world.
- Log in and look at dmesg output and the log files for anything non-kosher.
- If everything looks ok, touch /usr/obj/installworld_on_reboot and reboot again.
- Machine runs installworld, then finishes booting back to the stripped-down multi-user state.
- Log back in and examine the installworld output for problems.
- Mergemaster
- Run /root/devupdate, which installs /usr/src/etc/MAKEDEV* to /usr/obj/tempdev, makes the full set of devices, takes a snapshot, then diffs that snapshot with devlist_pre-iw.
- Make any needed updates to /dev.
- cd /usr/src/release/sysinstall && make all install
- Rebuild and reinstall anything that may have gotten clobbered by installworld (like postfix).
- Swap the special config files with the normal versions, reenable the user accounts and reboot again. The system should now come back up to a full running state.
- Pull down doc-all
- Test all the installed ports, rebuild and reinstall as desired.
- Pull down a new ports tree and portupgrade as desired.

What do you think?
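
Review bot: The added block never checks whether installworld succeeded: after the `cd /usr/src && script /empty_fs/m-iw.out make installworld` line it runs `mount -uat ufs` and falls through to the rest of /etc/rc either way, so a partial install boots on as if nothing happened and the only evidence is the transcript. Consider having that command record its exit status in a file beside m-iw.out on /empty_fs and testing it before continuing, so a failure is visible without reading the whole transcript. The trigger is also only `[ -e /usr/obj/installworld_on_reboot ]`; if /usr/obj is writable by a non-root build account, that account can schedule a root installworld for the next boot, so keeping the flag in a root-only directory or checking its owner before acting on it would be safer.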