From: Matthew Seaman
To: "Voracity.net Administrator"
Cc: freebsd-questions@freebsd.org
Date: Thu, 18 Sep 2003 13:42:35 +0100
Subject: Re: remote administration of upgrades
Message-ID: <20030918124235.GE59821@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20030918083013.77982.qmail@web10004.mail.yahoo.com>

On Thu, Sep 18, 2003 at 01:30:13AM -0700, Voracity.net Administrator wrote:

> Anyway, I used cvsup to grab the RELENG_4_8 sources with the fixes. I'm
> now faced with the choice of doing "make world" (which I have never
> done) or just recompiling ssh and sendmail and installing them only.

Unless you have remote console access to your machine, you would be
well advised to just reinstall those parts of the system as detailed
in the security advisories.

If you need remote console access, the cheapest way to do it is via a
null-modem serial cable link from a neighbouring machine at your
hosting center. See

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/serialconsole-setup.html

and

    http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install-advanced.html

> - All of the instructions for "make world" that I've read involve
> shutting down into single-user mode, am I correct that this is not
> possible over ssh? Is there a way to accomplish the install step
> remotely? I have already recompiled and successfully installed a
> customized kernel remotely, and that was gut-wrenching enough waiting
> the minute or so while it rebooted with fingers crossed. :-)

It depends how risk averse you are. Shutting down all of the servers
(except sshd, of course) and kicking off any other users is *almost*
as good as taking the system down to single user mode, and 99 times
out of 100 you can successfully run 'make installworld' from that
state, and then do all of the other stuff required to update the
system before rebooting.

However, avoiding program crashes and so forth is not actually the
principal problem that rebooting to single user mode helps you avoid.
Rebooting into single user mode lets you test that your newly compiled
kernel actually works before you go ahead and install the matching
world. Should your kernel not boot up, it is possible to back out to
the previous kernel from the boot loader screen. Backing out an
installworld like that is basically impossible.

> - Assuming that is not possible, I will just recompile the individual
> parts, following the instructions in the bulletin. However, I still
> don't want to fubar sshd and then not be able to connect to fix it.
> When I run "kill `cat /var/run/sshd.pid`" will that kill only the
> listening daemon (leaving any already-established sessions open) or will
> it kill all connections and everything related to sshd? I was hoping
> that I could kill just the listening sshd, restart the new one, and test
> it by connecting, all without severing the old known working
> connections... at least I'd have an out if something went wrong. And
> likewise, if I wanted to restart sshd (for example, after changing the
> config file) can I safely kill the sshd.pid process without killing the
> current sessions, just in case restarting sshd doesn't work?

Yes, absolutely. A 'kill -HUP `cat /var/run/sshd.pid`' will restart
the main instance of sshd(8), whilst leaving any sshd's forked to
manage login sessions alone. You should test that you can login
remotely to the updated sshd from a second window before you log out
of the first session.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
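
The restart-and-verify step from the reply above, as an added shell example that is not part of the original message: it checks the configuration with `sshd -t` before sending the HUP, then confirms that a master process is still running. The function name, its return codes, and the default paths for the binary and config file are assumptions; the pidfile path is the one used in the thread.

```shell
#!/bin/sh
# Added example, not from the original message.
# Usage: safe_sshd_reload [pidfile] [sshd_binary] [config_file]
# Default binary and config paths are assumptions for a stock install.
safe_sshd_reload() {
    pidfile=${1:-/var/run/sshd.pid}
    sshd_bin=${2:-/usr/sbin/sshd}
    config=${3:-/etc/ssh/sshd_config}

    # 1. Refuse to signal anything if the installed binary rejects the
    #    config. "sshd -t" only parses the config and checks host keys.
    if ! "$sshd_bin" -t -f "$config"; then
        echo "config test failed; running sshd left untouched" >&2
        return 1
    fi

    # 2. The pidfile must name a live process (the listening master).
    [ -r "$pidfile" ] || { echo "no pidfile at $pidfile" >&2; return 2; }
    pid=$(cat "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "bad pid in $pidfile" >&2; return 2 ;;
    esac
    kill -0 "$pid" 2>/dev/null || { echo "pid $pid not running" >&2; return 2; }

    # 3. Signal only the master; the per-session sshd processes have
    #    their own pids and are not touched.
    kill -HUP "$pid" || return 3

    # 4. On HUP the master re-executes itself and may write a new pid,
    #    so re-read the pidfile rather than reusing $pid.
    sleep 1
    newpid=$(cat "$pidfile" 2>/dev/null)
    if [ -n "$newpid" ] && kill -0 "$newpid" 2>/dev/null; then
        echo "sshd master running as pid $newpid; test a login from a second window"
        return 0
    fi
    echo "no sshd master after HUP; keep this session open and start sshd by hand" >&2
    return 4
}
```

A zero return only shows that a master process exists; the second-window login is still the real test that the new sshd accepts connections.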