Date:      Mon, 8 Sep 2008 00:22:46 +0200
From:      Polytropon <freebsd@edvax.de>
To:        John Almberg <jalmberg@identry.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: safest way to upgrade a production server
Message-ID:  <20080908002246.6291ed28.freebsd@edvax.de>
In-Reply-To: <4066F926-4474-4B46-9030-0E2BD2AD1BA3@identry.com>
References:  <4066F926-4474-4B46-9030-0E2BD2AD1BA3@identry.com>

On Sun, 7 Sep 2008 18:08:55 -0400, John Almberg <jalmberg@identry.com> wrote:
> So, my first question is, do I really need to do this?

In short: Depends. For servers that are accessible to the
public (i.e. the Internet), security updates should be
installed (RELEASE-p). Furthermore, security updates for
the services you're running are always welcome (for example
for mail servers, for Apache, for SSH).



> If so, what is the minimum amount of upgrading I can do to be safe?   
> And how?

I'd say it's freebsd-update.

	% man freebsd-update

This lets you follow the RELEASE branch, including security
patches. For installed software, see

	% man portupgrade

which requires the port "portupgrade" to be installed, or the
"make update" / "portsnap" mechanism to upgrade the ports you've
installed and which then need to be re-compiled ("make install").
But I think that's stuff you're trying to avoid.



> I've studied the Upgrading chapter in Absolute FreeBSD, and think  
> what I need to do is patch the systems to the proper errata branch.
> 
> I also think I need to do this using freebsd-update to do a binary  
> update, to upgrade on an errata branch.
> 
> Am I on the right track, here?

Yes, you are. Although there's no problem updating the system's
source and recompile + reinstall, freebsd-upgrade saves you much
work.



> I've never done this, so will try upgrading a test system, first. If  
> all goes well, I will give it a whirl on one of the production servers.

Good approach.



> Frankly, I find this idea terrifying, but I guess it needs to be done.

Hey, I've been running FreeBSD 5.4 until July 2008 and I'd still be
using it if my hard disk had not gone mad! :-)



> Here is what we are running...
> 
>  > uname -a
> FreeBSD ***servername*** 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1:  
> Mon Dec  3 09:46:53 EST 2007     root@***servername***:/usr/obj/usr/ 
> src/sys/INET_ON  amd64

When you're upgrading to the 7.x branch, it may (!) be necessary
to install a backwards compatibility (COMPAT) mechanism, or certain
ports need upgrade + reinstallation, but it heavily depends on what
services you're running.


-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


