Create and manage minimal custom repo / update management

[SurtursRevenge]

Hello together,

i have the following situation : i need to deploy a lot of boxes with freebsd. They will be based on an image. There will be a minimal freebad and some standard software like nginx etc and a custom package i created.
So for my own package i think i have to create my own repository.
I now want to have the updates centraly deployed. All updates should be tested before roleout.
I think of having two repositories. A staging repository and a release repository. On the staging repository we pull updates from the official repos and test it on a small amount of servers. If there is no problem we sync the staging repo with the release repo. All servers will install the updates via cron if new versions are released. We want to achive a central point for update deployment.

My question is how can i create a minimalistic repository with only the packages i need. It should be minimalistic because we want to review every changed update and package.

Or is there maybe another different option for central update management and testing.

 

[SirDice]

You should have a look at ports-mgmt/poudriere. There are a few howto's here for it too.

This is a good one to get you started: Pkg package repository using ports-mgmt/poudriere. With or without ZFS.
I recommend using it with ZFS, it's possible without it but that's comparatively slow and generates a lot of I/O when spawning the jails.

 

[kpa]

That doesn't include that base system and creating an image that could be used to install everything, my howto is just for building your own packages out of the 3rd-party ported software known as ports(7).

I think what you want instead is release(7).

 

[SirDice]

I would suggest simply sticking to an official release images. And update those with freebsd-update(8). I do recommend setting up a caching proxy server for it though. That will download the updates the first time an update is run and every other server will get its updates from the proxy's cache. I've set this up for a client and it has been working extremely well. Only the first server to update is comparatively slow (as it needs to download the updates from the internet) but consecutive servers update quite fast.

 

[SurtursRevenge]

I had a closer look at poudriere and it looks great. But as kpa already stated how would i build the base system ?

We want an checked update process, something like wsus for windows. So we want to check the updates on the base system first in a staging environment and then release it to all boxes. So if there is an problem with some of the base packages we want to be able to restrain this update and release it later when it fixed

 

[SirDice]

It's still being worked on but PkgBase might be what you're looking for: https://wiki.freebsd.org/PkgBase

But other than that, using freebsd-update(8) is actually quite easy. You test updates on a couple of servers then work your way through the rest. It should also be easy to automate using Ansible for example.

 

[SurtursRevenge]

I will check out pkgbase.

freebsd-update is not an option. I wont have access to all servers, so ansible is no possible option. I was thinking of running freebsd-update via cron so whenever i update the repo all server will pull the updates automaticaly.

 

[SirDice]

I was thinking of running freebsd-update via cron so whenever i update the repo all server will pull the updates automaticaly.

That's typically a bad idea. If something happens during the automated upgrade the system could end up broken and unavailable. You can run freebsd-update cron to only download the patches automatically but I wouldn't automate the actual installation.