Re: When is BuildWorld necessary?
--On September 17, 2006 1:37:27 PM +0200 [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>> No one has mentioned the security/freebsd-update port. With that you can
>> apply updates to the kernel and world without having to build them *if*
>> (and only if!) you are running a GENERIC kernel. For remote
>> administration, this may be a good option for some.
>
> I read that this can be used _only_ if nothing has been re-compiled
> locally, or have I missed something? We have a custom kernel due to
> database-needed optimizations.

That's correct. If you have a custom kernel, you cannot use freebsd-update.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: When is BuildWorld necessary?
[EMAIL PROTECTED] wrote:
> No one has mentioned the security/freebsd-update port. With that you can
> apply updates to the kernel and world without having to build them *if*
> (and only if!) you are running a GENERIC kernel. For remote
> administration, this may be a good option for some.

I read that this can be used _only_ if nothing has been re-compiled locally, or have I missed something? We have a custom kernel due to database-needed optimizations.

Iv.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: When is BuildWorld necessary?
--On September 17, 2006 6:18:24 AM +0200 [EMAIL PROTECTED] wrote:

> Bob wrote:
>> On Saturday 16 September 2006 15:52, [EMAIL PROTECTED] wrote:
>>> But I have one question - do you rebuild the world on a remote machine
>>
>> Sorry; I am a newbie at FreeBSD, and have never done a buildworld :-( I
>> have spent lots of time on Linux, Solaris, and SCO, but this is my first
>> cut at BSD. Just from past NIX experience though, I would never rebuild
>> an entire OS remotely without having someone onsite to push the On/Off
>> switch when the inevitable happens :-(
>
> We have someone to push the switch. I just thought if it is possible to
> be done without engaging the support.

No one has mentioned the security/freebsd-update port. With that you can apply updates to the kernel and world without having to build them *if* (and only if!) you are running a GENERIC kernel. For remote administration, this may be a good option for some.

I've done a number of build world and kernel routines without a problem.

make buildworld
make buildkernel
make installkernel
reboot
mergemaster -p
make installworld
mergemaster
reboot

This has worked for me on three different systems, all of which are easily accessible if something goes wrong. I have one server that's about 20 miles away and much more critical than the others (in terms of uptime and accessibility) *and* I don't have remote access to the server through a KVM or similar. For that one I use freebsd-update, because I don't want to have to suddenly jump in the car and drive 30 minutes (while the server is down) to fix a problem.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Re: When is BuildWorld necessary?
Laurence Sanford wrote:
> [EMAIL PROTECTED] wrote:
>> But I have one question - do you rebuild the world on a remote machine
>> (without physical access) and if yes - how do you restart in single user
>> mode. This is what I can't understand so far.
>>
>> Thanks,
>> Iv
>
> In 6 years, I've never dropped any machine to single user to do any part
> of a buildworld upgrade. I've stopped many running services, but never
> gone to single user. The only time I had any problems with this approach
> was when I blindly flubbed versions in my supfile and cvsup'd a 6 system
> with 4 source. That wasn't pretty. But it would have been not pretty in
> single user mode as well.

I heard this from another place as well. It just sounds too scary for me at the moment... But maybe when I feel more comfortable with things and/or there is no other way. Thanks anyway for pointing that out!

Iv.
Re: When is BuildWorld necessary?
Bob wrote:
> On Saturday 16 September 2006 15:52, [EMAIL PROTECTED] wrote:
>> But I have one question - do you rebuild the world on a remote machine
>
> Sorry; I am a newbie at FreeBSD, and have never done a buildworld :-( I
> have spent lots of time on Linux, Solaris, and SCO, but this is my first
> cut at BSD. Just from past NIX experience though, I would never rebuild
> an entire OS remotely without having someone onsite to push the On/Off
> switch when the inevitable happens :-(

We have someone to push the switch. I just thought if it is possible to be done without engaging the support.

Iv.
Re: When is BuildWorld necessary?
[EMAIL PROTECTED] wrote:
> But I have one question - do you rebuild the world on a remote machine
> (without physical access) and if yes - how do you restart in single user
> mode. This is what I can't understand so far.
>
> Thanks,
> Iv

In 6 years, I've never dropped any machine to single user to do any part of a buildworld upgrade. I've stopped many running services, but never gone to single user. The only time I had any problems with this approach was when I blindly flubbed versions in my supfile and cvsup'd a 6 system with 4 source. That wasn't pretty. But it would have been not pretty in single user mode as well.
Re: When is BuildWorld necessary?
On Saturday 16 September 2006 21:34, Bob wrote:
> On Saturday 16 September 2006 16:13, RW wrote:
>> Not all of the point releases are for the kernel, for example
>> 6.1-RELEASE-p2 was a sendmail fix.
>
> Ok I see; just because my kernel is at p6, doesn't mean the base system is.
>
> I wasn't on FreeBSD when p2 was released. Would that p2 have triggered a
> portaudit warning? Assuming of course that p2 was a security related
> sendmail patch.
>
> What I am getting at is if my sendmail were acting up, I would look for an
> update, and patch sendmail only. If the patch were security related I would
> patch it anyway, but I can't see why I would want to rebuild the entire
> system for a sendmail upgrade, or a kernel stability patch, when the
> individual broken/insecure pieces can be fixed with much less hassle, time,
> and risk.

In FreeBSD the most conservative approach is to rebuild both world and kernel; they are more of a "matched pair" than in Linux. Since I don't bother to drop into single-user mode, or do the extra reboot for point releases, I just run a single script that does the whole thing (including cvsup), then reboot at my convenience.

Having said that, I know some people that run STABLE will just rebuild individual parts of world. IMHO this is a lot more hassle than typing the name of a script, and letting the hardware take the strain.
Re: When is BuildWorld necessary?
Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue; I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel; which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I have
> yet to do. My thought is to do a buildworld only when the OS version is
> updated to the next number above 6.1. I understand this happens at about 4
> month intervals.
>
> My question is, is there a good reason to buildworld before a version change?
> I hate "fixing" something which is working perfectly, and this system has
> been stellar!

You can't assume that any patch release on a security branch is solely going to be to fix things in the kernel. More often than not, the upgrade is to fix things in the userland. That means you have to recompile and re-install the affected software. Generally security advisories will tell you how to patch and update the specifically affected stuff.

On the whole though, it always works to apply a full buildworld cycle as described in /usr/ports/UPDATING, and for certain security problems it's the only way to be sure the base system is rendered invulnerable[*]. Also it means the system version number gets bumped, making it easy to identify what machines have been patched weeks or months down the line.

If you haven't been rebuilding and re-installing world along with kernel as part of the update cycle, then there is a distinct possibility that you are still exposed, eg. to the sendmail vulnerabilities from SA-06:17 or the ypserv problems from SA-06:15 or to various others.

You will find that running the full buildworld procedure is a pretty smooth operation, and if applied with due care and attention it is not at all difficult to get the system successfully updated, nor is it hard to avoid foot-shooting while doing so.
Cheers,

Matthew

[*] Where there is significant change of a vulnerability from the base system affecting 3rd party software from the ports or wherever, that should be discussed in the security advisories that come out, as well as what measures are necessary to provide a fix.

--
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
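The following is an added example (not code from any poster in this thread) tying together two points made above: freebsd-update is only an option on a GENERIC kernel, and a kernel patch level alone says nothing about whether world was rebuilt along with it. It assumes FreeBSD's /usr/src/sys/conf/newvers.sh sets REVISION= and BRANCH=, that `uname -i` prints the kernel ident, and version strings of the form "6.1-RELEASE-p6"; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before choosing
# between freebsd-update and a source buildworld/buildkernel cycle.
# Assumptions: version strings like "6.1-RELEASE-p6"; newvers.sh sets
# REVISION="..." and BRANCH="..."; `uname -i` prints the kernel ident.

# Patch level N from a "-pN" suffix; 0 when the string carries none.
patchlevel() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Base revision, e.g. "6.1" from "6.1-RELEASE-p6".
revision() {
    echo "${1%%-*}"
}

# Version the checked-out source tree would build, read from newvers.sh.
source_version() {
    f="${1:-/usr/src/sys/conf/newvers.sh}"
    rev=$(sed -n 's/^REVISION="\(.*\)"/\1/p' "$f")
    br=$(sed -n 's/^BRANCH="\(.*\)"/\1/p' "$f")
    echo "${rev}-${br}"
}

# Compare the running kernel ($1, from uname -r) against the source tree ($2).
# Prints in-sync, kernel-behind, source-behind or revision-mismatch.
# Even "in-sync" only covers the kernel: a userland-only advisory (the
# sendmail p2 case above) still needs the installworld half of the cycle.
check_sync() {
    if [ "$(revision "$1")" != "$(revision "$2")" ]; then
        echo revision-mismatch; return 1
    fi
    rp=$(patchlevel "$1"); sp=$(patchlevel "$2")
    if [ "$rp" -lt "$sp" ]; then echo kernel-behind; return 1; fi
    if [ "$rp" -gt "$sp" ]; then echo source-behind; return 1; fi
    echo in-sync
}

# freebsd-update only applies to a GENERIC kernel ($1 from uname -i).
can_use_freebsd_update() {
    [ "$1" = "GENERIC" ]
}

# On a FreeBSD host:
#   check_sync "$(uname -r)" "$(source_version)"
#   can_use_freebsd_update "$(uname -i)" && echo "freebsd-update is an option"
```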
Re: When is BuildWorld necessary?
On Saturday 16 September 2006 15:52, [EMAIL PROTECTED] wrote:
> But I have one question - do you rebuild the world on a remote machine
> (without physical access) and if yes - how do you restart in single user
> mode. This is what I can't understand so far.

I remembered something right after I sent the last post. I have done this before, years ago. Not with bsd, but with Linux. I was working on a small server farm, and cross-connected serial ports from one server to another. Made the serial port the console, and then I could telnet to the adjacent server, tip to the other one, and have the system console. From there you could pretty safely do whatever you wanted to do; if the kernel were to fail to boot, you would be left at the loader prompt, where you could boot the box into a known good kernel.

I can't see why you couldn't do something like that with FreeBSD. All you need is a serial port you can control remotely, like an adjacent server, or a router. Set it all up beforehand, and you should be good to go.

Bob
Re: When is BuildWorld necessary?
On Saturday 16 September 2006 15:52, [EMAIL PROTECTED] wrote:
> But I have one question - do you rebuild the world on a remote machine

Sorry; I am a newbie at FreeBSD, and have never done a buildworld :-( I have spent lots of time on Linux, Solaris, and SCO, but this is my first cut at BSD. Just from past NIX experience though, I would never rebuild an entire OS remotely without having someone onsite to push the On/Off switch when the inevitable happens :-(

Bob
Re: When is BuildWorld necessary?
On Saturday 16 September 2006 16:13, RW wrote:
> Not all of the point releases are for the kernel, for example
> 6.1-RELEASE-p2 was a sendmail fix.

Ok I see; just because my kernel is at p6, doesn't mean the base system is.

I wasn't on FreeBSD when p2 was released. Would that p2 have triggered a portaudit warning? Assuming of course that p2 was a security related sendmail patch.

What I am getting at is if my sendmail were acting up, I would look for an update, and patch sendmail only. If the patch were security related I would patch it anyway, but I can't see why I would want to rebuild the entire system for a sendmail upgrade, or a kernel stability patch, when the individual broken/insecure pieces can be fixed with much less hassle, time, and risk.

Is my logic flawed?

Bob
Re: When is BuildWorld necessary?
On Saturday 16 September 2006 20:41, Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue; I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel; which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I
> have yet to do. My thought is to do a buildworld only when the OS version
> is updated to the next number above 6.1. I understand this happens at
> about 4 month intervals.
>
> My question is, is there a good reason to buildworld before a version
> change? I hate "fixing" something which is working perfectly, and this
> system has been stellar!

Not all of the point releases are for the kernel, for example 6.1-RELEASE-p2 was a sendmail fix.
Re: When is BuildWorld necessary?
Bob wrote:
> Hi:
>
> I recently installed FreeBSD 6.1 over the net from sources. I am keeping
> things up-to-date using CVSup.
>
> When portaudit tells me I have a security issue; I update/re-install the
> affected port. When a kernel patch comes in, I re-compile the kernel; which
> now stands at FreeBSD 6.1-RELEASE-p6 #3.
>
> From what I can tell, buildworld re-builds the base system, something I
> have yet to do. My thought is to do a buildworld only when the OS version
> is updated to the next number above 6.1. I understand this happens at
> about 4 month intervals.
>
> My question is, is there a good reason to buildworld before a version
> change? I hate "fixing" something which is working perfectly, and this
> system has been stellar!
>
> Bob

Hi Bob,

I believe it is basically good to get the 'p' patches as they contain security fixes. My thinking is that if a 'p' patch comes out - your system is, in some sense, not perfect anymore :)

But I have one question - do you rebuild the world on a remote machine (without physical access) and if yes - how do you restart in single user mode. This is what I can't understand so far.

Thanks,
Iv