Date:      Tue, 8 Jul 2003 20:29:43 -0500
From:      Paul Smith <paul@cnt.org>
To:        Gregory Bond <gnb@itga.com.au>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Hardening production servers
Message-ID:  <20030709012942.GJ66624@cnt.org>
In-Reply-To: <200307082335.JAA29618@lightning.itga.com.au>
References:  <200307082335.JAA29618@lightning.itga.com.au>

Gregory Bond <gnb@itga.com.au> wrote on 08/Jul/03 at  6:35 PM:
> Here's what we do:
> 
> For the system:
> 
>  - A separate build box, spec'd no higher than the lowest production machine
>  - keep a CVS repository on the build box
>  - buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
>  - run make update / make buildworld / make buildkernel on the build box
>  - Install kernel & world on the build box, run mergemaster, etc as documented
>  - run the build box for a couple of days (rebuilding ports etc) to check it 
>    out
>  - NFS mount /usr/src and /usr/obj readonly on each client
>  - client /etc/make.conf has KERNCONF=CLIENTn
>  - installkernel / installworld / mergemaster on the client in the normal way
> 
> For the ports:
> 
>  - use portupgrade on build box and clients
>  - build box has the union of all the client package sets installed on it
>  - build box does "portupgrade -p" to build packages
>  - client boxes NFS mount /usr/ports/ (including /usr/ports/packages)
>      (can also do it with a local CVSup'd /usr/ports and using FTP to 
>       the build box to get the packages, but that's harder to get right.)
>  - clients run portupgrade -PP to use the packages only
> 
> This works well enough for us with a similar number of servers.

Say a system like this were put into place to support existing production
servers. What's the cleanest/most elegant/least destabilizing way to remove
the compiler tools on those machines?

-- 
Paul Smith <paul@cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA
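The quoted build-box/client layout as a small set of shell helpers. This is an added example, not code from the thread or from either poster: the hostname `buildbox`, the kernel config names, the exports file layout and the update order are assumptions, and the sample exports file is constructed here. The read-only check is the part a defender cares about: clients only need to read /usr/src and /usr/obj, and an export that is accidentally read-write would let one client alter what every other client installs.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: build box "buildbox",
# kernel configs SERVER/CLIENT1/CLIENT2, exports in /etc/exports format.

# Emit the KERNCONF line for /etc/make.conf. The build box lists every
# kernel config it must build; each client names only its own.
#   kernconf_line SERVER CLIENT1 CLIENT2  ->  KERNCONF="SERVER CLIENT1 CLIENT2"
kernconf_line() {
    printf 'KERNCONF="%s"\n' "$*"
}

# Check that an exports file shares each given path with -ro.
# Returns 0 only if every path has a matching line carrying -ro, else 1.
exports_readonly() {
    exports_file=$1
    shift
    for path in "$@"; do
        # The path must start the line as a whole word, and that line must
        # carry -ro as its own word (not, say, -root or a hostname).
        if ! grep -E "^${path}([[:space:]]|\$)" "$exports_file" \
             | grep -qE '(^|[[:space:]])-ro([[:space:]]|$)'; then
            return 1
        fi
    done
    return 0
}

# Print the client-side steps in order, in the form Gregory describes:
# read-only NFS mounts, then the normal installkernel / installworld /
# mergemaster sequence, then packages-only portupgrade. KERNCONF is taken
# from the client's own /etc/make.conf. The documented FreeBSD procedure
# reboots between installkernel and installworld; that step is left to the
# operator, which is why this function prints rather than executes.
client_update_steps() {
    cat <<'EOF'
mount -o ro buildbox:/usr/src /usr/src
mount -o ro buildbox:/usr/obj /usr/obj
mount -o ro buildbox:/usr/ports /usr/ports
make -C /usr/src installkernel
make -C /usr/src installworld
mergemaster
portupgrade -PP -a
EOF
}

# Demo on a constructed exports file: /usr/src and /usr/obj are -ro,
# /usr/ports is exported without -ro and should be flagged.
demo() {
    tmp=$(mktemp)
    printf '/usr/src -ro client1 client2\n/usr/obj -ro client1 client2\n/usr/ports client1 client2\n' > "$tmp"
    kernconf_line SERVER CLIENT1 CLIENT2
    if exports_readonly "$tmp" /usr/src /usr/obj /usr/ports; then
        echo "all exports read-only"
    else
        echo "WARNING: at least one export is not read-only"
    fi
    rm -f "$tmp"
}
```

Run `demo` to see the check fire on the constructed file; on a real build box point `exports_readonly /etc/exports /usr/src /usr/obj /usr/ports` at the live file. `client_update_steps` prints the sequence for review rather than running it, so nothing here touches a production machine on its own.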
