Recommended way of staying up to date? [Archive] - The FreeBSD Forums



thortos
November 17th, 2008, 10:15
What is the recommended way of keeping one's systems up to date? There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.

How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?

kamikaze
November 17th, 2008, 10:19
That entirely depends on the use cases, the number and the diversity of systems you administrate.

abarmot
November 17th, 2008, 10:34
OK, how do people usually keep production web servers with Apache, PHP and MySQL up to date?

thortos
November 17th, 2008, 10:36
I don't want an actual solution, I'd rather discuss general experiences with all those (to me) new-fangled ways of managing ports, because I guess somebody here must be using one tool or the other and tell a bit about what's nice about them, gotchas and so on.

I've been using FreeBSD since 4.5 or so, but always updated my ports manually as necessary, and would like to hear about the advantages/disadvantages of the (to me) new tools.

But hey, if you need an actual scenario:

I have a handful of individual servers, some of which I don't touch unless necessary (such as the mail and DNS servers), and some of which are more or less generic web servers (Apache/PHP/MySQL, Apache/mod_perl and Ruby On Rails via mod_rails, respectively). It's not much of a pain to keep them updated, but I'd like to write some scripts and stuff them into my crontab to have something to show to the PHB. ;)

s-tlk
November 17th, 2008, 11:10
I don't think this is such a good idea, because when you update your ports via cron you may miss important hints in UPDATING. The worst case is you crash your system and then you have to fix it manually at the latest.

Geoff
November 17th, 2008, 11:31
I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.

The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.

Snelius
November 17th, 2008, 12:00
I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.

The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.

If you have 30 and more FreeBSD servers, what can you do?

sverreh
November 17th, 2008, 13:10
For updating the ports tree I use portsnap, which has not caused me any problems. :)

Vulnerability checking is done by portaudit.

For updating ports I prefer portmaster, which I find is easier than portupgrade since I don't have to maintain the index manually.

Portdowngrade is also a tool I use sometimes because a new version does not work as expected.

This is for my desktop at home and at work, I don't know if it is a good strategy if you run a lot of servers.

fender0107401
November 17th, 2008, 17:48
This is my solution:

1. For vulnerabilities:
portaudit -F; portaudit -a

2. For upgrading my source tree:
cd /usr/src; make update
I specify csup to update my system and ports tree, in my /etc/make.conf file.

3. For upgrading my ports:
portupgrade -a

SirDice
November 17th, 2008, 17:59
Csup to get the ports tree up2date. I use a jail to build all the packages I need from scratch. I've NFS exported /usr/ports read-only.

anomie
November 17th, 2008, 18:07
There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.

I'm using:

portaudit: runs automatically after installation via its 410.portaudit script.
csup: never got into portsnap... ;)
portmaster: works well for almost all upgrades, and it has a light footprint.
> pkg_info -rR -x portmaster
Information for portmaster-2.6:

Depends on:




How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?

I don't auto-update anything. If I want to upgrade ports that end users rely on I set up a scheduled maintenance window. (Hopefully on a weekend.)

dave
November 17th, 2008, 19:11
Also, some useful info here:

http://forums.freebsd.org/showthread.php?t=193

I am testing out portmaster now instead of portupgrade.

steinex
November 18th, 2008, 01:47
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

dave
November 18th, 2008, 02:01
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

Wow, I had no idea one could do that!

fender0107401
November 18th, 2008, 05:47
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

This is a clever trick, it is helpful for me.

And I agree that sometimes packages are more useful than ports.

gilinko
November 18th, 2008, 07:18
I mainly use portsnap in cron mode and then portmanager for keeping the ports software updated.

I'm fairly new to FreeBSD (like one year and still going), and started using portupgrade, but found it to be more of a hassle than I wanted. Now all I do is log in to a specific machine and run:

portsnap update
portmanager -u

What I like about portmanager is that it builds a temporary binary package of the software that is about to be updated, and before it replaces it, it creates a binary package "backup" of the currently installed ports. That procedure has saved my behind many times when I fracked up. This is all done on production servers (web, email etc), and I haven't tried it on a desktop yet.

The "bad" about portmanager is that although it has some very nice checks and balances while working, it takes quite some time to run. And maybe a secondary effect is that you need /var space for all the builds and backups.

rihad
November 18th, 2008, 08:39
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

Nice, but new ports may have updated versions of what's in /usr/local/etc, so carefully merging your own changes to config files with new configuration using sdiff or similar is almost certainly required (this practice applies to upgrading ports in general, not only to the shortcut described above).

mck
November 18th, 2008, 11:52
I've written a nagios script net-mgmt/nagios-check_ports (http://code.adminlife.net/check_ports/) to check my installed Ports via nagios for updates (portupgrade) and security vulnerabilities (portaudit). Saves me a lot of time updating my FreeBSD servers :)

Regards,
Matthias

adstro
November 19th, 2008, 13:35
This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.

vivek
November 19th, 2008, 14:48
This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.

Have you tried freebsd-update?
freebsd-update fetch
freebsd-update install

The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system. Maybe the following will help (see binary update):
http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html
http://www.daemonology.net/freebsd-update/

Mel_Flynn
November 19th, 2008, 19:29
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local


Congrats! You just deleted:
- Your apache webroot
- Your squid config and its cache
- Your postgresql database
- etc.

In other words, in an ideal world anything locally customized lives in $LOCALBASE/etc, but that's not always the case.
I know for a desktop this mostly works, though. Just be careful with some ports.

adstro
November 22nd, 2008, 04:28
Have you tried freebsd-update?
freebsd-update fetch
freebsd-update install

The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system. Maybe the following will help (see binary update):
http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html
http://www.daemonology.net/freebsd-update/

I meant a port update tool in the base install. Not a tool to update the base system. Updating the base system is actually pretty trivial with FreeBSD and is one of the reasons I stick with FBSD for my servers. I still think FBSD lacks when it comes to updating ports though.

steinex
November 22nd, 2008, 06:02
Congrats! You just deleted:
- Your apache webroot
- Your squid config and its cache
- Your postgresql database
- etc.

In other words, in an ideal world anything locally customized lives in $LOCALBASE/etc, but that's not always the case.
I know for a desktop this mostly works, though. Just be careful with some ports.

That's why I said I mostly do this on workstations. Of course this way of keeping up has some edges and you should be aware of issues like these you just mentioned.

I probably should have made others aware of these corner-cases in my original post, but I think people are clever enough to use their brains before copy & pasting commands. :-)

Mel_Flynn
November 22nd, 2008, 14:30
I probably should have made others aware of these corner-cases in my original post, but I think people are clever enough to use their brains before copy & pasting commands. :-)

Your optimism is heartwarming with the holiday season coming up ;)

Seriously though, the point is, that rm -rf /usr/local should not be necessary if you use pkg_delete -f.
If nothing was ever customized, you'd end up with an empty /usr/local and if you don't, you're left with the parts you want to back up.
Also, the better way to delete things is leaves first traversal. ports-mgmt/pkg_cutleaves is ideal for this. Move the excludes file out of the way if you have one, then run the program and always choose "go on with next leaves", till there are no more.
Now /var/db/pkg should be empty. Anything left in /usr/local was put there not by the ports system or is configuration/data and so worth inspecting why it's kept and/or how it got there.
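Added example, not part of the original thread: a sketch of the inventory Mel_Flynn describes, listing files under a prefix that no +CONTENTS file in the package database registers, so they can be inspected or backed up before anything is removed. The function names and the demo tree are constructed for illustration; on a system using the old pkg_* tools the call would be unowned_files /var/db/pkg /usr/local.

```shell
#!/bin/sh
# owned_files PKGDB: absolute paths registered in PKGDB/*/+CONTENTS.
# In +CONTENTS, "@cwd DIR" sets the install prefix, other "@" lines are
# directives, and every remaining line is a file relative to the prefix.
owned_files() {
    for c in "$1"/*/+CONTENTS; do
        [ -f "$c" ] || continue
        awk '$1 == "@cwd" || $1 == "@cd" { cwd = $2; next }
             /^@/ || NF == 0 { next }
             cwd != "" && cwd != "." { print cwd "/" $0 }' "$c"
    done | LC_ALL=C sort -u
}

# unowned_files PKGDB PREFIX: files under PREFIX that no package registered,
# i.e. what an rm -rf of PREFIX would destroy beyond a package reinstall.
unowned_files() {
    o=$(mktemp) && f=$(mktemp) || return 1
    owned_files "$1" > "$o"
    find "$2" \( -type f -o -type l \) | LC_ALL=C sort -u > "$f"
    LC_ALL=C comm -13 "$o" "$f"
    rm -f "$o" "$f"
}

# Constructed demo tree: one package (foo-1.0) plus local config and data.
make_demo() {
    mkdir -p "$1/db/foo-1.0" "$1/local/bin" "$1/local/etc" "$1/local/www/data"
    touch "$1/local/bin/foo" "$1/local/etc/foo.conf" "$1/local/www/data/index.html"
    cat > "$1/db/foo-1.0/+CONTENTS" <<EOF
@comment PKG_FORMAT_REVISION:1.1
@name foo-1.0
@cwd $1/local
bin/foo
@comment MD5:00000000000000000000000000000000
EOF
}

# Demo: lists etc/foo.conf and www/data/index.html, but not bin/foo.
d=$(mktemp -d) && make_demo "$d" && unowned_files "$d/db" "$d/local"
rm -rf "$d"
```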

p3n1x
November 23rd, 2008, 22:23
I stay up to date as follows.

First, I have a nightly run of csup to update my ports tree, and a pkg_version -v run that is emailed to root.

If necessary I'll run portupgrade -a and let it go (of course reading the UPDATING file).

Next, I just csup sources, go to /usr/src and run make buildworld && make buildkernel && make installworld && make installkernel && mergemaster && reboot

Pretty simple... For what it's worth, lately I've been using the package manager from the DesktopBSD tools to check my outdated ports and have a nice little GUI tool to update ports, and I just build my world/kernel in the CLI.
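Added example, not part of the original thread: a report-only helper for the kind of nightly job discussed above, which prints the UPDATING entries newer than a cutoff date that affect given ports, so they get read before any portupgrade run. The function name, the cutoff handling and the sample entries are constructed; it assumes the usual UPDATING layout of a YYYYMMDD: line followed by an AFFECTS: line.

```shell
#!/bin/sh
# updating_since CUTOFF FILE [ORIGIN...]
# Print entries of a ports UPDATING file dated on or after CUTOFF (YYYYMMDD).
# With ORIGINs (category/port), keep only entries whose AFFECTS line mentions
# one of them (substring match, so it errs on the side of showing too much).
updating_since() {
    cutoff=$1; file=$2; shift 2
    awk -v cutoff="$cutoff" -v origins="$*" '
        function flush() {
            if (in_entry && date + 0 >= cutoff + 0 && wanted) printf "%s", entry
            entry = ""
        }
        BEGIN { n = split(origins, want, " ") }
        # An entry starts with a line holding only "YYYYMMDD:".
        /^[0-9]+:[ \t]*$/ && length($1) == 9 {
            flush(); in_entry = 1; date = substr($1, 1, 8); wanted = (n == 0)
        }
        in_entry {
            entry = entry $0 "\n"
            if ($1 == "AFFECTS:")
                for (i = 1; i <= n; i++) if (index($0, want[i])) wanted = 1
        }
        END { flush() }
    ' "$file"
}

# Constructed sample in the UPDATING layout; not real entries.
sample_updating() {
    cat <<'EOF'
Preamble text before the first entry is skipped.

20081115:
  AFFECTS: users of lang/php5
  Constructed entry: rebuild PHP extensions after upgrading.

20081101:
  AFFECTS: users of databases/mysql50-server
  Constructed entry: run the upgrade script after updating.

20080901:
  AFFECTS: users of lang/php5
  Constructed entry: older than the cutoff.
EOF
}

# Report-only demo on the sample: prints the 20081115 entry, upgrades nothing.
tmp=$(mktemp) && sample_updating > "$tmp" && updating_since 20081110 "$tmp" lang/php5
rm -f "$tmp"
```

In a cron job the output would be mailed to root alongside the pkg_version -v report, with the cutoff set to the date of the last upgrade.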

feralape
November 24th, 2008, 02:07
Wow, I had no idea one could do that!

How safe is this? What if you have 400+ ports?

marius
November 24th, 2008, 18:09
I'm using portupgrade, portaudit and csup, although I've been considering both portsnap and portmanager since I'm not just happy with portupgrade. Portupgrade feels utterly slow, but I'm not sure if any of the alternatives are any faster or better.

Looking forward to the day FreeBSD comes with a nice application in the base for updating ports :)

Mel_Flynn
November 24th, 2008, 18:51
Portupgrade feels utterly slow, but I'm not sure if any of the alternatives are any faster or better.


There's no real way to speed up the process. Some languages are faster than others, but the build process is the primary factor for slowdowns.
However, making things better than portupgrade is relatively easy, as the power features have a way of screwing things up beyond repair. Don't take my word for it, search mailing list archives.

kamikaze
November 24th, 2008, 23:26
Portupgrade uses LOTS of memory. Especially on machines with only 512MB RAM other tools like portmaster are faster, because of all the overhead portupgrade has.

I originally switched to portmaster, because portupgrade was unbearable on a machine with 256MB RAM. Portmaster was a real improvement there.

ArtemD
November 25th, 2008, 09:40
I have this alias for updating my system in ~/.profile:
alias sysupdate="portsnap fetch&&portsnap update&&cvsup /etc/cvsup.conf&&portupgrade -arn&&portsearch -vu"

So far I haven't come across anything easier.

rihad
November 25th, 2008, 10:24
I have this alias for updating my system in ~/.profile:
alias sysupdate="portsnap fetch&&portsnap update&&cvsup /etc/cvsup.conf&&portupgrade -arn&&portsearch -vu"

So far I haven't come across anything easier.

sysupdate isn't likely to be something you do thousands of times a day, so putting the same code in a shell script seems to be a more logical thing to do, as it wouldn't use your shell interpreter's precious bytes of memory waiting to be run like an alias would.

Mel_Flynn
November 25th, 2008, 11:13
Portupgrade uses LOTS of memory. Especially on machines with only 512MB RAM other tools like portmaster are faster, because of all the overhead portupgrade has.

I originally switched to portmaster, because portupgrade was unbearable on a machine with 256MB RAM. Portmaster was a real improvement there.

Machines with 256MB RAM were state of the art in the previous millennium. Machines with that low memory, I wouldn't run a desktop on (or maybe donate it to my parents) and I'd do binary upgrades using the tools in the base system.
Still, 5 minutes start up time is only a perception of slowness on a 2 day build of open-office, for which portupgrade, portmaster or whichever tool is asleep the entire time.
I do believe portmaster is faster, but the gains are minimal for large upgrades, plus it does better on the perception part: portupgrade does a lot of things during start up in silence, which makes you think it's slow.
Also, any speed gains from portmaster are negated when a core library is upgraded (gettext, libxml, libiconv, take your pick), because portmaster will rebuild all dependents, where portupgrade will do the smart thing and change the +CONTENTS files in /var/db/pkg.
Of course, this smartness is the cause of many tears on various mailing lists.

ArtemD
November 25th, 2008, 11:30
sysupdate isn't likely to be something you do thousands of times a day, so putting the same code in a shell script seems to be a more logical thing to do, as it wouldn't use your shell interpreter's precious bytes of memory waiting to be run like an alias would.

Thanks for your suggestion. Your point is valid, but I have 4GB of RAM and I doubt it creates a lot of overhead.
