From: Polytropon
To: John Almberg
Cc: freebsd-questions@freebsd.org
Date: Mon, 8 Sep 2008 00:22:46 +0200
Subject: Re: safest way to upgrade a production server

On Sun, 7 Sep 2008 18:08:55 -0400, John Almberg wrote:
> So, my first question is, do I really need to do this?

In short: Depends. For servers that are accessible to the
public (i.e. the Internet), security updates should be
installed (RELEASE-p). Furthermore, security updates for the
services you're running are always welcome (for example for
mail servers, for Apache, for SSH).

> If so, what is the minimum amount of upgrading I can do to be safe?
> And how?

I'd say it's freebsd-update.

	% man freebsd-update

This lets you follow the RELEASE branch, including security
patches.

For installed software, see

	% man portupgrade

which requires the port "portupgrade" to be installed, or the
"make update" / "portsnap" mechanism to upgrade the ports you've
installed and which then need to be re-compiled ("make install").
But I think that's stuff you're trying to avoid.

> I've studied the Upgrading chapter in Absolute FreeBSD, and think
> what I need to do is patch the systems to the proper errata branch.
>
> I also think I need to do this using freebsd-update to do a binary
> update, to upgrade on an errata branch.
>
> Am I on the right track, here?

Yes, you are. Although there's no problem updating the system's
source and recompile + reinstall, freebsd-upgrade saves you much
work.

> I've never done this, so will try upgrading a test system, first. If
> all goes well, I will give it a whirl on one of the production servers.

Good approach.

> Frankly, I find this idea terrifying, but I guess it needs to be done.

Hey, I've been running FreeBSD 5.4 until July 2008 and I'd still
be using it if my hard disk had not gone mad! :-)

> Here is what we are running...
>
> > uname -a
> FreeBSD ***servername*** 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1:
> Mon Dec 3 09:46:53 EST 2007 root@***servername***:/usr/obj/usr/
> src/sys/INET_ON amd64

When you're upgrading to the 7.x branch, it may (!) be necessary
to install a backwards compatibility (COMPAT) mechanism, or
certain ports need upgrade + reinstallation, but it heavily
depends on what services you're running.

-- 
Polytropon
From Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
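
Added example (not part of the original message): the freebsd-update(8) manual notes that binary updates are built only for release versions, so before planning a binary security update it helps to check what branch and patch level `uname -r` reports. The function names and the "release / not-release / unknown" labels are assumptions of this sketch; the sample line is the `uname -a` output quoted above with line wraps removed.

```shell
#!/bin/sh
# Added example: classify a FreeBSD release string to see whether the host
# tracks a RELEASE branch (and at which -pN patch level) or a development
# snapshot such as PRERELEASE/STABLE/CURRENT.

# Constructed from the uname output quoted in the message (wraps removed).
SAMPLE_UNAME='FreeBSD ***servername*** 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1: Mon Dec 3 09:46:53 EST 2007 root@***servername***:/usr/obj/usr/src/sys/INET_ON amd64'

# Print the release field (third word) of a `uname -a` line.
release_of() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Print "release <version> p<N>", "not-release <version> <branch>",
# or "unknown <input>" for anything this sketch does not recognise.
classify_release() {
    rel=$1
    version=${rel%%-*}      # e.g. "6.3"
    rest=${rel#*-}          # e.g. "RELEASE-p4" or "PRERELEASE"
    case $rest in
        RELEASE)
            echo "release $version p0" ;;
        RELEASE-p*)
            n=${rest#RELEASE-p}
            case $n in
                ''|*[!0-9]*) echo "unknown $rel" ;;   # patch level must be numeric
                *)           echo "release $version p$n" ;;
            esac ;;
        PRERELEASE|STABLE|CURRENT)
            echo "not-release $version $rest" ;;
        *)
            echo "unknown $rel" ;;
    esac
}

# Succeeds only when the string names a RELEASE (any patch level).
on_release_branch() {
    case $(classify_release "$1") in
        release\ *) return 0 ;;
        *)          return 1 ;;
    esac
}

# Stand-alone run: report on the sample host from the message.
rel=$(release_of "$SAMPLE_UNAME")
if on_release_branch "$rel"; then
    echo "$rel: on a RELEASE branch ($(classify_release "$rel"))"
else
    echo "$rel: not a RELEASE ($(classify_release "$rel")); check binary update support first"
fi
```

On a live host, pass "$(uname -r)" to classify_release instead of the sample string.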