Re: Hardening production servers
On Wed, 9 Jul 2003, Gregory Bond wrote:

> Even easier might be to maintain a list of files you don't want on the
> client machines and then rm them after every installworld (you could
> automate this in the /usr/src/Makefile).

Great points, just wanted to add...

You could also use config mgmt tools like cfengine, PIKT, etc. (see ports) to remove (and make sure they stay removed) these files on all servers. You would then get all the other benefits (and headaches) typically associated with config mgmt. (Syncing config files from a central source, notification of changes, etc.)

We've had cfengine running for a while... A bit of a learning curve, but it has proven to be worthwhile.

-mrh

--
From: Spam Catcher [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Do NOT send email to the address listed above or you will be added to a blacklist!

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]
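The "list of files to rm after every installworld" idea quoted above, as an added example that is not from this thread or from cfengine/PIKT: a POSIX sh function that removes a listed set of files, rejects unsafe list entries, and a second function that counts how many are back so a periodic job can tell whether they stayed removed. The list file format and the optional ROOT prefix are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Removes files named in a list after
# installworld and reports the outcome so a later run (cron, cfengine hook)
# shows whether they stayed removed. Assumed list format: one absolute path
# per line, blank lines and '#' comments ignored. ROOT (optional) prefixes
# every path, for jails or for testing in a scratch directory.

# prune_unwanted LISTFILE [ROOT]
# Prints "removed", "absent" or "rejected" per entry; returns 1 if any
# entry was rejected, so a bad list is noticed rather than silently skipped.
prune_unwanted() {
    list=$1 root=${2:-} rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in ''|'#'*) continue ;; esac
        # Only absolute paths without a ".." component: a typo in the list
        # must not climb out of ROOT or remove a relative path by accident.
        case $path in
            /*) ;;
            *) printf 'rejected %s (not absolute)\n' "$path"; rc=1; continue ;;
        esac
        case "$path/" in
            */../*) printf 'rejected %s (contains ..)\n' "$path"; rc=1; continue ;;
        esac
        target=$root$path
        # Plain files and symlinks only; rm -f does not follow the link and
        # directories are left alone so the list cannot wipe a tree.
        if [ -f "$target" ] || [ -L "$target" ]; then
            rm -f -- "$target" && printf 'removed %s\n' "$path"
        else
            printf 'absent %s\n' "$path"
        fi
    done < "$list"
    return "$rc"
}

# count_present LISTFILE [ROOT]
# Number of listed entries that still exist; a periodic check can alert
# when this is not 0 (i.e. something reinstalled a pruned file).
count_present() {
    n=0
    while IFS= read -r path || [ -n "$path" ]; do
        case $path in ''|'#'*|[!/]*) continue ;; esac
        if [ -e "${2:-}$path" ] || [ -L "${2:-}$path" ]; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# Run as a script: prune_unwanted.sh LISTFILE [ROOT]
if [ "$#" -ge 1 ]; then prune_unwanted "$@"; fi
```

Run it as root right after installworld (or from the /usr/src/Makefile hook the thread mentions), and schedule count_present to flag entries that reappear after the next install.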
Re: Hardening production servers
Chuck Swiger [EMAIL PROTECTED] writes:

> Paul Smith wrote:
> [ ... ]
>> Is there a way to take advantage of the portupgrade suite when it comes
>> to building packages? I.e., is there a make package equivalent in
>> portupgrade? I would imagine portupgrade would make packages of any
>> dependencies as well, no?
>
> Exactly; use the -p option to portupgrade:
>
>      -p
>      --package
>            Build a package when each specified port is installed or
>            upgraded.  If a package is upgraded and its dependent
>            packages are given from the command line (including the
>            case where -r is specified), build packages for them as
>            well.

...and on the installing side, use -PP.

--
Dan Pelleg
Re: Hardening production servers
Gregory Bond [EMAIL PROTECTED] wrote on 08/Jul/03 at 6:35 PM:

> Here's what we do:
>
> For the system:
> - A separate build box, spec'd no higher than the lowest production machine
> - keep a CVS repository on the build box
> - buildbox /etc/make.conf has KERNCONF=SERVER CLIENT1 CLIENT2...
> - run make update / make buildworld / make buildkernel on the build box
> - Install kernel & world on the build box, run mergemaster, etc. as documented
> - run the build box for a couple of days (rebuilding ports etc.) to check it out
> - NFS mount /usr/src and /usr/obj readonly on each client
> - client /etc/make.conf has KERNCONF=CLIENTn
> - installkernel / installworld / mergemaster on the client in the normal way
> [ ... ]

Just a quick addendum for anyone who's stepping through this, as I've just done :)

- If you are going to 'make installworld' in single-user mode on the client, you need to '# sh /etc/netstart' after fsck, mount, swapon, etc. to be able to NFS mount the build server. May be obvious, but tripped me up a bit at first.

--
Paul Smith [EMAIL PROTECTED]
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA