From: Allan Jude
Date: Thu, 12 Jun 2014 13:48:56 -0400
To: freebsd-isp@freebsd.org
Subject: Re: "Online" Updating of OpenSSL
Message-ID: <5399E808.4000000@freebsd.org>

On 2014-06-12 13:38, khatfield@socllc.net wrote:
> There are a few ways to do it and I'm certain there is an easier method
> than what I'm recommending. However, you can use portmaster, for example.
> You could also use this wrapper script:
>
> http://www.charlieroot.de/bsd/pkg_depends.pl
>
> With no arguments you're going to pull everything. I would recommend
> looking at running services and using this script to view the
> dependencies per service package.
>
> Ensuring that (of course) restart all services with open ports after the
> upgrade. (Web/email/ssh/etc)
>
> Best of luck
>
>
>> On Jun 12, 2014, at 10:52 AM, "Florian Heigl" wrote:
>>
>> Hi,
>>
>> I suppose we pretty much all went through some updates since April.
>> So far, I have been rebooting the affected systems during the OpenSSL
>> updates to make sure the services are all properly restarted.
>>
>>
>> I’d like to switch to some kind of restarting only the affected
>> services, as that would minimize the downtimes from minutes to seconds.
>>
>> But how do you identify the affected applications and relate them to
>> scripts in /etc/rc.d /usr/local/etc/rc.d ?
>>
>> How are you guys handling it?
>>
>> - Identifying what’s really linked to openssl / gnutls / whatever
>> - Restarting gracefully at the right time
>>
>> Greetings,
>> Florian
>> _______________________________________________
>> freebsd-isp@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>

Some services, especially nginx, have an 'upgrade' command.

'service nginx upgrade' will start the newly installed nginx binaries
along side the old one, move the listening sockets over to the new
binary, and then shut the old binaries down once they finish processing
the pending requests.

This results in a 0 downtime upgrade.

'service apache22 graceful' should do the same.

-- 
Allan Jude
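For the "identifying what's really linked to openssl" part of the question, one approach is to list the running processes that have libssl or libcrypto mapped, so that only those get restarted. The script below is an added example, not part of the original messages: it assumes the column layout of FreeBSD's `procstat -v` (PID first, mapped file path last), and the function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: find processes with OpenSSL libraries mapped.
# Assumes `procstat -v` layout: PID in the first column, mapped file path in the last.

# ssl_users: procstat -v text on stdin -> one "PID LIBRARY" line per unique pair.
ssl_users() {
    awk '$1 ~ /^[0-9]+$/ && $NF ~ /\/lib(ssl|crypto)\.so/ {
        key = $1 " " $NF
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# name_pids TABLE: join "PID LIBRARY" lines on stdin with a "PID COMMAND" file.
name_pids() {
    awk 'NR == FNR { comm[$1] = $2; next }
         { name = ($1 in comm) ? comm[$1] : "?"; print name, $1, $2 }' "$1" -
}

# Constructed sample input (not captured from a real host).
sample_maps() {
    cat <<'EOF'
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
  612           0x400000           0x4b7000 r-x  158  163   2   1 CN--  vn /usr/sbin/sshd
  612        0x801a00000        0x801bd3000 r-x  301  320  14   7 CN--  vn /lib/libcrypto.so.7
  612        0x801dd3000        0x801df9000 rw-   38    0   1   0 C---  vn /lib/libcrypto.so.7
  612        0x802400000        0x802800000 rw-   12   12   1   0 ----  df
  845           0x400000           0x4c1000 r-x  170  180   3   1 CN--  vn /usr/local/sbin/nginx
  845        0x801200000        0x801268000 r-x   90   96   6   3 CN--  vn /usr/local/lib/libssl.so.8
  845        0x801500000        0x8016e0000 r-x  310  330   6   3 CN--  vn /usr/local/lib/libcrypto.so.8
  901           0x400000           0x40a000 r-x   10   10   1   0 CN--  vn /usr/sbin/cron
  901        0x800800000        0x8009a0000 r-x  250  260  40  20 CN--  vn /lib/libc.so.7
EOF
}
sample_ps() { printf '%s\n' 'PID COMMAND' '612 sshd' '845 nginx' '901 cron'; }

# Demo on the constructed data: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp); sample_ps > "$t"
    sample_maps | ssl_users | name_pids "$t"
    rm -f "$t"
fi
```

On a live host the inputs would be `procstat -a -v` piped into `ssl_users` and the output of `ps -axo pid,comm` saved as the table for `name_pids`. Statically linked binaries map no shared library and will not appear in the result.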