I'm looking for comments on the care and feeding of OpenBSD servers.
Essentially a "best practices" document for maintaining OpenBSD
production servers.  Yes, "best" is a stupid way to describe anything,
but I'm hoping that there is some consensus in the community.

1. Change Management:  Many changes are logged by the daily insecurity
report, but not all.  Perhaps altroot can help with backing out changes.
Does anyone have experience with cfengine on OpenBSD?

2. Disaster Recovery:  Dump and Restore, or make a tar file for use as
an install set?

3. Tracking Stable:  I'm assuming that production servers should follow
the stable patch branch.  Perhaps use a make file to automate these steps?
Check out src, XF4, ports.  What if XF4 was not chosen at install and
not needed?  How do we know if we need to rebuild the kernel and reboot or
not?  Reboots should be minimized.  Upgrading packages is now easier with
new pkg options, but how do you know when packages are updated?

4. Version Upgrades: This will usually happen once a year given the life
cycle of OpenBSD.  As far as I can tell, the best practice is to read
the upgrade FAQ that comes out with each release, and in general fresh
install with hand merging of old config files is preferred.

--
Will Backman - Network Administrator
Coastal Enterprises, Inc.
http://www.ceimaine.org
