best way to update ports
Hi, I need your advice on how to update security patches for ports on a dozen servers with minimal efforts. As I gathered, I should run portaudit in cron jobs and then manually update the ports with vulnerabilities after reading UPDATING. Is this the best way? Is this manual way feasible for managing a dozen servers?

I used to run portupgrade in cron jobs, but that created too much nightmare. For example, imap-uw broke for a few days recently.

Someone recommended http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/small-lan.html . It's great for maintaining machines with identical ports installed, but not good when ports are installed with different options on different servers.

Thanks,
Bill

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
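The audit-then-read-UPDATING routine described in the post above, as an added shell example that is not part of the original thread: it turns portaudit output into a per-host reading list by checking each vulnerable port against the AFFECTS: lines of UPDATING. The function names and all sample data are constructed for illustration; it only reports and never upgrades anything.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed. On a real
# host the inputs would be `portaudit -Fda` output and /usr/ports/UPDATING.

# Port names (version stripped) from portaudit output on stdin.
affected_ports() {
    sed -n 's/^Affected package: \(.*\)-[^-]*$/\1/p' | sort -u
}

# Dates of UPDATING entries whose AFFECTS line names category/<port>.
updating_notes() {   # $1 = port name, $2 = UPDATING file
    awk -v port="$1" '
        /^[0-9]+:$/ { date = substr($0, 1, length($0) - 1) }
        /^[ \t]*AFFECTS:/ {
            for (i = 2; i <= NF; i++) {
                f = $i; sub(/[,.;:]+$/, "", f)
                if (split(f, p, "/") == 2 && p[2] == port) { print date; break }
            }
        }' "$2"
}

# One line per vulnerable port: what to read before upgrading by hand.
audit_report() {   # $1 = portaudit output file, $2 = UPDATING file
    affected_ports < "$1" | while read -r port; do
        notes=$(updating_notes "$port" "$2" | paste -sd, -)
        echo "$port: UPDATING=${notes:-none}"
    done
}

# Constructed sample inputs (not real advisories or UPDATING entries).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/audit.txt" <<'EOF'
Affected package: postfix-0.0.1,1
Type of problem: postfix -- constructed sample entry.
Reference: <http://example.invalid/sample-1.html>

Affected package: imap-uw-0.0.2_1
Type of problem: imap-uw -- constructed sample entry.
Reference: <http://example.invalid/sample-2.html>
EOF
cat > "$SAMPLE_DIR/UPDATING" <<'EOF'
20070101:
  AFFECTS: users of mail/postfix

  Constructed note: the rc.d script was renamed.
EOF
audit_report "$SAMPLE_DIR/audit.txt" "$SAMPLE_DIR/UPDATING"
```

A port reported with `UPDATING=none` is the case the thread describes for imap-uw: a vulnerable port with no matching note, which is the one to try on a spare box first.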
Re: best way to update ports
On 10/11/07, Aryeh Friedman [EMAIL PROTECTED] wrote:

On 10/11/07, Bill Stwalley [EMAIL PROTECTED] wrote:

Hi, I need your advice on how to update security patches for ports on a dozen servers with minimal efforts.

If the servers are homogeneous why not have a single /usr/local and nfs mount it?

Yeah, in that situation nfs mount will be easy. My servers are in different cities, and the ports are installed with different options on different servers, for example, some postfix use unix login accounts, some postfix use courier authentication with mysql database. So unfortunately I can't share the same ports among them.
Re: too late to change to security branch?
On 9/30/07, Rakhesh Sasidharan [EMAIL PROTECTED] wrote:

Hi Bill!

I have servers running 6.1 and 6.2. I use freebsd-update in cron jobs to install binary security update to the base system, and use cvsup/portupgrade in cron jobs to install port updates. By default, cvsup uses CURRENT branch.

The ports system doesn't have any branches. The same tree is used between all the different FreeBSD branches so you can't just track security updates only. You track it using portupgrade/cvsup. The base system has many branches. In your case, you seem to be following the security branches for 6.1 and 6.2 using freebsd-update.

I am tired of some updates breaking something unnecessarily, and am thinking of changing to SECURITY branch in cvsup. Is that possible? Some of my ports are already locally compiled with customized options.

Maybe you can provide more info on what's breaking? I use FreeBSD for a couple of headless machines. No X and other stuff, but I haven't had any breakages so far. *touchwood* Do go through the UPDATING file to check out any gotchas before updating.

HTH,
- Rakhesh
http://rakhesh.net/

I'm grateful for all your clarifications, as I feel this operating system is really supported with care. Our uw-imap was broken recently for a few days as people could not login, so I had to switch to dovecot. Nothing was mentioned in the UPDATING file, although there was indeed a big update of uw-imap. I only got relieved after finding http://lists.freebsd.org/pipermail/freebsd-ports/2007-October/044051.html posted a couple days later. Things similar to this, although to less extent, did happen once a couple months, sometimes the postfix and other startup scripts in /usr/local/etc/rc.d/ will be renamed to postfix.sh or vice versa by port upgrade, that broke my other scripts.
As everyone appears to suggest against updating ports in cron job and suggest reading UPDATING instead and then updating by hand, I'm really curious: Is it practical to do that when you manage a dozen servers? I imagine doing that alone would be a substantial job. However crontab updated ports do take down services from time to time.

Best,
Bill
too late to change to security branch?
I have servers running 6.1 and 6.2. I use freebsd-update in cron jobs to install binary security update to the base system, and use cvsup/portupgrade in cron jobs to install port updates. By default, cvsup uses CURRENT branch.

I am tired of some updates breaking something unnecessarily, and am thinking of changing to SECURITY branch in cvsup. Is that possible? Some of my ports are already locally compiled with customized options.

If that's impossible, can I wait until the release of 6.3, upgrading to it, and then switch to SECURITY branch in cvsup?

If those are entirely impossible, can I switch to STABLE branch?

I'm confused by this system, please let me know if anything I do doesn't make sense.

Best,
Bill
Re: too late to change to security branch?
On 9/27/07, Beech Rintoul [EMAIL PROTECTED] wrote:

On Wednesday 26 September 2007, Bill Stwalley said:

I have servers running 6.1 and 6.2. I use freebsd-update in cron jobs to install binary security update to the base system, and use cvsup/portupgrade in cron jobs to install port updates. By default, cvsup uses CURRENT branch.

I am tired of some updates breaking something unnecessarily, and am thinking of changing to SECURITY branch in cvsup. Is that possible? Some of my ports are already locally compiled with customized options.

If that's impossible, can I wait until the release of 6.3, upgrading to it, and then switch to SECURITY branch in cvsup?

If those are entirely impossible, can I switch to STABLE branch?

I'm confused by this system, please let me know if anything I do doesn't make sense.

Best,
Bill

There are no other branches of ports except current. The release, security, stable and current branches only apply to the system itself. The exception being the ports that come with a release are just a snapshot of the ports tree at the time the release was rolled.

While we try our best to avoid breakage, it sometimes happens. My suggestion is that if you plan on upgrading something mission critical, you might want to try the upgrade on another similar box first and test.

As for compiling with options not already available in the port itself, you are basically on your own. If there is a particular option that comes with the sources, but is not a port option contact the maintainer of that port.

As for doing port updates with a cron script it's not recommended. You should always read UPDATING before installing anything. Believe me it will save you foot shooting.

Beech
--

I run freebsd-update and my cvsup configuration uses *default release=cvs tag=.. I am actually following security branch, since I do not recompile the kernel, right? This cvs tag only matters if I compile the kernel, right?
Thanks,
Bill