From owner-freebsd-security Thu Apr 18 14:24:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from post2.inre.asu.edu (post2.inre.asu.edu [129.219.110.73]) by hub.freebsd.org (Postfix) with ESMTP id E6CC337B400 for ; Thu, 18 Apr 2002 14:24:04 -0700 (PDT)
Received: from conversion.post2.inre.asu.edu by asu.edu (PMDF V6.1 #40111) id <0GUS00F018RYJI@asu.edu> for security@freebsd.org; Thu, 18 Apr 2002 14:23:58 -0700 (MST)
Received: from smtp.asu.edu (smtp.asu.edu [129.219.110.107]) by asu.edu (PMDF V6.1 #40111) with ESMTP id <0GUS00DLE8RYBJ@asu.edu> for security@freebsd.org; Thu, 18 Apr 2002 14:23:58 -0700 (MST)
Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.120.183]) by smtp.asu.edu (8.11.0/8.11.0/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id g3ILNwB14969 for ; Thu, 18 Apr 2002 14:23:58 -0700 (MST)
Date: Thu, 18 Apr 2002 14:23:58 -0700 (MST)
From: David Bear
Subject: light from heat! yeah!! Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-reply-to: <87r8lcakpt.fsf@ralf.artlogix.com>
X-X-Sender:
To: security@freebsd.org
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 18 Apr 2002, Ken McGlothlen wrote:

> Brett Glass writes:
>
> | I realize that many people use FreeBSD on non-mission-critical systems, or to
> | tinker with, and can afford downtime. But we need to create and maintain
> | production machines.
>
> the thought of having to do a make buildworld on every machine. I can tell you
> how to avoid that.

THANK YOU. Here's a suggestion that helps. Seems like the topic for a new HOWTO -- keeping security updates across large numbers of production servers.

I'm very new to FreeBSD -- I chose FreeBSD because there was not a distro du jour like in the Linux world.
Keeping security patching tractable should be of great interest to the security group.

> > What I've done in the past is to use NFS to export /usr from my fastest
> > machine. Let's assume you want to keep a Class C network at 192.168.3.0
> > updated.
> >
> > /etc/exports:
> >
> > /usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0
> >
> > Then, on the machines you want to keep updated, you'd mount /usr/src and
> > /usr/obj from that build machine.
> >
> > Now, on the fast box, type
> >
> > # cd /usr/src
> > # make buildworld
> >
> > Churn, churn, churn. None of your production machines are impacted; only the
> > fast box handling the build.
> >
> > I should also note that you may want to move *all* your kernel configuration
> > files over to the fast box, into /sys/i386/conf (if you're running
> > x86/Pentium/AMD boxes).
> >
> > Once the build is done, pick a machine you want to update. Let's assume it's
> > called wibble, and its kernel configuration file is called WIBBLE.
> >
> > On the fast box, type
> >
> > # make buildkernel KERNCONF=WIBBLE
> >
> > Once that's done, go to wibble, shut down the services on it (what you want to
> > do is essentially bring it down to single-user mode, but still keep NFS
> > running), and type the following:
> >
> > # cd /usr/src
> > (Remember, that's the directory that actually resides on the
> > fast box)
> > # make installworld
> > (Which installs the new operating system.)
> > # make installkernel KERNCONF=WIBBLE
> > (Which installs the new kernel.)
> > # reboot
> >
> > You should be done at this point with wibble. Next machine, wobble. Go to the
> > fast box and type
> >
> > # make buildkernel KERNCONF=WOBBLE
> >
> > and when that's done, go to wobble and type
> >
> > # cd /usr/src
> > # make installworld
> > # make installkernel KERNCONF=WOBBLE
> > # reboot
> >
> > and so on.
> >
> > You'll find that's a LOT faster than rebuilding the entire OS from source on
> > each and every machine.
> --

David Bear
College of Public Programs/ASU 480-965-8257
...the way is like water, going where nobody wants it to go

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message