Date: Sun, 13 May 2001 19:58:35 +0200
From: Erik Trulsson
To: freebsd-stable@FreeBSD.ORG
Subject: Re: Running Stable on remote production server
Message-ID: <20010513195835.A20679@student.uu.se>
References: <20010513181834.A19888@student.uu.se>

On Sun, May 13, 2001 at 12:15:03PM -0500, Stephen Hilton wrote:
> Regarding a "quiet" system, would ipfilter, ipnat, ipmon, snort,
> named, qualify as O.K. processes to be running while the installworld
> is taking place via SSH in multi-user mode.

They are probably O.K. Personally I would probably kill named anyway
just in case (and it shouldn't be needed during the installworld.)
The others I have no experience with so I don't know.

Most of the time you could probably get away with doing an installworld
without preventing any logins or killing any processes.
Note: *Most* of the time, not all the time. Better safe than sorry.
>
> > Otherwise you will have to disable further logins (see shutdown(8) or
> > nologin(5) for info on how to do this) and then manually kill most
> > processes. (Just be careful not to kill your own shell or sshd :-) )

One problem I just noticed here. It appears as if sshd will allow logins
even when one of the files /etc/nologin or /var/run/nologin exists which
is contrary to the manpage for sshd(8). This is probably a bug somewhere.
A workaround is to kill the parent sshd process. This will prevent any
further logins via sshd. (in the listing below that would be pid 191)

>
> I have already modified the source tree so ipfilter 3.4.17 is the
> installed version, not 3.14.16 which comes as default. And the named
> version would remain the same.
>
> > and then manually kill most processes.
>
> What are some guidelines for which processes to kill
> example ps -wwaux output follows:

Primarily processes which might start other processes on their own.
So inetd and cron should definitely be killed.
Starting a new process when you are installing the executable for that
program or installing shared libraries which it needs is probably not a
good idea.

Any programs which might read/write to files that are updated by
mergemaster is also probably a good idea to kill. Most programs read
from /etc only when they are started and few write there so this is
probably not a big problem.

>
> USER    PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
> root      1  0.0  0.0   532    0  ??  ILs  Sat10AM   0:00.09 /sbin/init --
> root      2  0.0  0.0     0    0  ??  DL   Sat10AM   0:00.76 (pagedaemon)
> root      3  0.0  0.0     0    0  ??  DL   Sat10AM   0:00.00 (vmdaemon)
> root      4  0.0  0.0     0    0  ??  DL   Sat10AM   0:00.30 (bufdaemon)
> root      5  0.0  0.0     0    0  ??  DL   Sat10AM   0:01.73 (syncer)
> root     30  0.0  0.0   208    0  ??  Is   Sat10AM   0:00.00 adjkerntz -i
> root    163  0.0  0.2   936  204  ??  Ss    3:36PM   0:00.25 syslogd -s -s
> bind    167  0.0  0.3  2404  416  ??  Is    3:36PM   0:00.30 /usr/sbin/named -u bind -g bind
> root    186  0.0  0.0  1028    0  ??  Is    3:36PM   0:00.00 inetd -wW
> root    188  0.0  0.1   980  172  ??  Ss    3:36PM   0:00.26 /usr/sbin/cron
> root    191  0.0  0.0  2176   12  ??  Is    3:36PM   0:00.87 /usr/sbin/sshd
> root    218  0.0  0.0   900    0  ??  Is    3:36PM   0:00.00 moused -p /dev/psm0 -t auto
> root    246  0.0  0.1   912   68  ??  Ss    3:36PM   0:01.29 /sbin/ipmon
> root    262  0.0  0.0   944    0  v2  Is+   3:36PM   0:00.00 /usr/libexec/getty Pc ttyv2
> root    262  0.0  0.0   944    0  v2  Is+   3:36PM   0:00.00 /usr/libexec/getty Pc ttyv2
> root    263  0.0  0.0   944    0  v3  Is+   3:36PM   0:00.02 /usr/libexec/getty Pc ttyv3
> root    264  0.0  0.0   944    0  v4  Is+   3:36PM   0:00.01 /usr/libexec/getty Pc ttyv4
> root    265  0.0  0.0   944    0  v5  Is+   3:36PM   0:00.01 /usr/libexec/getty Pc ttyv5
> root    266  0.0  0.0   944    0  v6  Is+   3:36PM   0:00.00 /usr/libexec/getty Pc ttyv6
> root    267  0.0  0.0   944    0  v7  Is+   3:36PM   0:00.00 /usr/libexec/getty Pc ttyv7
> root    363  0.0  0.0   944    0  v1  Is+   3:59PM   0:00.01 /usr/libexec/getty Pc ttyv1
> root    364  0.0  0.0   636   24  v0  Is+   3:59PM   0:00.03 -sh (sh)
> root  35092  0.0  0.2  2260  224  ??  S    11:32AM   0:00.22 sshd: root@ttyp2 (sshd)
> root  35093  0.0  0.2   636  280  p2  Ss   11:33AM   0:00.05 -sh (sh)
> root  53642  0.0  1.7 13616 2136  ??  Ss   11:52AM   0:01.42 /usr/local/bin/snort
> root      0  0.0  0.0     0    0  ??  DLs  Sat10AM   0:00.02 (swapper)
>
>
> > Single-user mode is not really necessary to do an installworld/mergemaster.
> > What is required is that the machine is "quiet", meaning no other users are
> > logged in and no programs that might interfere with the installation should
> > be running.
> > For a machine to which one has access to the console the easiest way of
> > accomplishing this is going to single-user mode.
>
> > Otherwise you will have to disable further logins (see shutdown(8) or
> > nologin(5) for info on how to do this) and then manually kill most
> > processes. (Just be careful not to kill your own shell or sshd :-) )
>
> > Then you should be able to do an installworld/mergemaster.
>
> Stephen Hilton
>

--
Erik Trulsson
ertr1013@student.uu.se
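
The selection rule discussed in this message (stop inetd, cron and the listening sshd, but never your own shell or its sshd session) can be checked before anything is killed. The script below is an added example, not part of the original message: `quiesce_plan` and `SAMPLE_PS` are hypothetical names, the input is assumed to come from `ps -axo pid,ppid,command`, and the sample PPID values are constructed.

```sh
#!/bin/sh
# Added example: list the daemons to stop before a remote installworld.
# Input format "PID PPID COMMAND", as printed by `ps -axo pid,ppid,command`.

# Constructed sample modelled on the ps listing in the message; the PPID
# values are assumptions, since `ps -wwaux` does not show them.
SAMPLE_PS='1 0 /sbin/init --
163 1 syslogd -s -s
167 1 /usr/sbin/named -u bind -g bind
186 1 inetd -wW
188 1 /usr/sbin/cron
191 1 /usr/sbin/sshd
246 1 /sbin/ipmon
35092 191 sshd: root@ttyp2 (sshd)
35093 35092 -sh (sh)
53642 1 /usr/local/bin/snort'

# quiesce_plan MYPID [NAMES]: read ps lines on stdin and print "PID NAME" for
# each process to stop: the daemons in NAMES plus the listening sshd.
# Our own shell and its ancestors are never listed.
quiesce_plan() {
    awk -v me="$1" -v stop="${2:-inetd cron}" '
    {
        ppid[$1] = $2
        n = split($3, parts, "/")
        name[$1] = parts[n]
        # The listener runs as ".../sshd"; a session child is titled "sshd:".
        listener[$1] = (name[$1] == "sshd")
        order[NR] = $1
    }
    END {
        # Protect the chain from our shell upwards, stopping below the sshd
        # listener: killing it leaves established sessions running.
        for (p = me; (p in ppid) && !listener[p] && !(p in keep); p = ppid[p])
            keep[p] = 1
        cnt = split(stop, s, " ")
        for (i = 1; i <= cnt; i++) want[s[i]] = 1
        for (i = 1; i <= NR; i++) {
            p = order[i]
            if (!(p in keep) && ((name[p] in want) || listener[p]))
                print p, name[p]
        }
    }'
}

# Plan for the session whose shell is pid 35093 in the sample.
printf '%s\n' "$SAMPLE_PS" | quiesce_plan 35093
```

On a live system the function would be fed real `ps` output with `$$` as the first argument; a second argument such as `"inetd cron named"` extends the list of daemons to stop.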