On Tue, Jun 23, 2009 at 04:12:23PM +0200, Urban Hillebrand wrote:
> I am seeking advice on how to keep several almost identical OpenBSD
> installations up to date over several years / releases if possible.
> 
> I have 6-10 OpenBSD firewall/gateway/proxy hosts running, all with the
> following tasks:
> - pf
> - squid
> - postfix / amavisd / clamd
> - openvpn
> - ... and a few minor things.
> 
> All hosts are running on (different) i386 hardware, with a standard
> kernel. Almost everything is originally installed using packages/ports,
> with a few exceptions (postfix, where I always preferred to pick the
> version myself, or some perl modules for amavisd where I didn't find a
> port or package).
> 
> My goal is to keep those systems up to date. Until now, I only used
> releases, did source code patches when necessary, and from time to time
> manual updates to postfix + clamav (I compiled those from source -
> couldn't use updated ports, as I do not run current - or am I wrong with
> this assumption?)
> 
> 
> I really would like to make things easier
> - by using exactly the same version (which isn't the case right now
>   unfortunately)
> - by using exactly the same set of installed software (with some
>   components disabled if not needed)
> - by using one "build system" to test the updates, and rolling it out
>   from there to all other hosts
> - All updates should be done remotely (if something goes terribly wrong
>   I'd still have the option of driving there).
> 
> My questions are:
> (1) I should use release(8) for this, shouldn't I?
> (2) Would you recommend using the release versions + source code
> updates, or snapshots together with updated ports? (I am aware that many
> seem to prefer snapshots here; I was reluctant to use them till now as
> stability is really important here)
> (3) Will either of those 2 options make it possible to perform remote
> upgrades to new OpenBSD releases? (say from 4.5 to 4.6)
> (4) While the software selection is almost identical on those machines,
> configuration can be really different. I never tried release(8) - how to
> keep track of different versions of files in /etc?
> (5) Do you see a better alternative / what did I get wrong :) ?

If you want to go the whole hog, cfengine/puppet may be useful. But
you're likely content to just keep a single configuration up to date, in
which case simpler measures may suffice.

You can use release(8) to construct updated tarballs for the base
system. Create these on a secure system, sftp them to anywhere you need,
and unpack. Binary patches are possible, but probably more effort than
they're worth for a comparatively small setup like yours.

I'd be inclined to go with snapshots, but you'll need to follow the
process at least a little and test at least a little. On the other hand,
if you go with -stable, you should make sure your ports are kept up to
date, which isn't guaranteed.

Remote upgrades should be possible in either case.

You can use sysmerge to check for and resolve differences between the
installed files and the etcXY.tgz and xetcXY.tgz files. This is very
useful when upgrading systems.
As for keeping the configuration in sync, you may want to consider your
favourite version control system. You will, obviously, need some
per-host customizations: these may be best represented as branches. Or
not.

You should create ports from your personalized postfix and clamav
installations, which will make it a lot easier to install them and
ensure you can easily keep all your hosts on an updated version.

Otherwise, it seems pretty sensible. You might be better off if you
could convince those organizations to trust in a single mailhost run by
you, though.

                Joachim

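As an added example that is not part of Joachim's reply: a small POSIX sh script that performs the detection step sysmerge(8) handles, listing files under a root whose content differs from (or is missing relative to) the copies shipped in an etcXY.tgz. The tarball name etc46.tgz, the temporary directories and the sample files are constructed here for the demo; point it at a real set and at / to check a host before an upgrade.

```shell
#!/bin/sh
# Added example, not from the thread: find /etc files that drift from the
# etcXY.tgz copies (the detection half of what sysmerge(8) does).
set -eu

# etc_diff_list TARBALL ROOT
# Prints one line per file in TARBALL that is "modified" (content differs
# under ROOT) or "missing" (not present under ROOT), in sorted path order.
etc_diff_list() {
    tarball=$1; root=$2
    tmp=$(mktemp -d)
    tar -xzf "$tarball" -C "$tmp"
    (cd "$tmp" && find . -type f) | sed 's|^\./||' | sort |
    while IFS= read -r f; do
        if [ ! -e "$root/$f" ]; then
            printf 'missing %s\n' "$f"
        elif ! cmp -s "$tmp/$f" "$root/$f"; then
            printf 'modified %s\n' "$f"
        fi
    done
    rm -rf "$tmp"
}

# make_demo: build a constructed etc46.tgz and a constructed installed root,
# echoing the directory that holds both. Sample contents are invented.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/new/etc/mail" "$demo/root/etc/mail"
    printf 'pass in all\n' > "$demo/new/etc/pf.conf"
    printf 'block all\npass out\n' > "$demo/root/etc/pf.conf"    # locally customized
    printf 'keep\n' > "$demo/new/etc/mail/aliases"
    cp "$demo/new/etc/mail/aliases" "$demo/root/etc/mail/aliases" # unchanged
    printf 'new file\n' > "$demo/new/etc/sysmerge.new"             # only in the set
    (cd "$demo/new" && tar -czf "$demo/etc46.tgz" etc)
    printf '%s\n' "$demo"
}

demo_dir=$(make_demo)
etc_diff_list "$demo_dir/etc46.tgz" "$demo_dir/root"
rm -rf "$demo_dir"
```

The script only reports drift; merging the changes back into /etc is still sysmerge's job, or a manual one.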