FreeBSD in business world: some questions

Hello,

I'm a network and system admin and am managing Linux virtual machines (>15), among other OSes. Thanks for this great forum; it's nice to have an official board and not just mailing lists :)

My first love was OpenBSD, which I tried years ago to use at my work, but the lack of update automation back then meant that manually patching everything took too much time. Currently I am using only Ubuntu server (LTS version) VMs, with a huge time-saving service to manage the updates: Landscape (a centralised online web page to manage updates).

However, I'm slowly thinking again about a BSD OS flavor, and FreeBSD sounds like a great option :)

Some drawbacks I encounter with Linux generally, and Landscape in business:
  • updates may break something (I always do a VMware snapshot before)
  • Linux distros I tried are not consistent over time (sometimes the filesystem directory and configuration files change dramatically from one major version to the other)
  • Landscape is not cheap.
  • I personally do not like iptables; although I know it pretty well, it is just a matter of personal preference. I like pf much more ;)
To sum it up, I need an easy security patch management, an OS as stable as possible and as consistent as possible, which does not break because of an update.

Does FreeBSD fit the bill? I know FreeBSD is provided as a whole OS and as such is supposed to be more stable update-wise; however, can an external package (e.g. the Postfix MTA) not break anyway after an update?

Also, and that could be a blocking point, how do you do distributed security patch management on many FreeBSD VMs? With Landscape, I'm warned when servers have security updates available, I can do a snapshot on my side, and then I push only security updates to the servers I want from a web page. I would love to have a solution to that point, because I could manage 15-20 FreeBSD VMs, but it could be 200+ at another business.

Thanks in advance for sharing your experience :)

Regards,
gkbsd.
 
gkbsd said:
updates may break something (I always do a VMware snapshot before)
This can happen to any OS, including our favourite. That's why you always test them before putting them out on production.

Linux distros I tried are not consistent over time (sometimes the filesystem directory and configuration files change dramatically from one major version to the other)
FreeBSD is a lot more stable in this respect. Files are, for the most part, still in the same place they were 10-15 years ago. See hier(7) for the directory layout.

Landscape is not cheap.
Not sure what you mean by this.

To sum it up, I need an easy security patch management, an OS as stable as possible and as consistent as possible, which does not break because of an update.
You came to the right place :e

Does FreeBSD fit the bill? I know FreeBSD is provided as a whole OS and as such is supposed to be more stable update-wise, however can an external package (e.g Postfix MTA) not break anyway after an update?
Sure, that's always a possibility. It doesn't happen very often though.

Also, and that could be a blocking point, how do you do a distributed security patch management on many FreeBSD VMs?
I'd suggest tracking a -RELEASE. That only gets security updates (there were 8 in 2012). Set up a small caching proxy server and feed freebsd-update(8) through that. That should allow the first server to fetch the updates from the internet and the rest of the servers from the cache. For ports/packages I suggest setting up your own repository using ports-mgmt/poudriere for example. ports-mgmt/portaudit can be used to keep track of security issues with ports.
 
In order to ensure you don't break things, always be sure to read /usr/ports/UPDATING every time you update ports.
 
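Reading /usr/ports/UPDATING before every ports update, as the reply above advises, is easier to keep up across 15-20 hosts if you only look at the entries that are newer than your last update and whose AFFECTS line names a port origin actually installed on the host. The script below is an added example, not code posted in this thread; the UPDATING text in it is a constructed sample (the mail addresses and entries are made up), not the real file, and the origin list is hard-coded where a real run would take it from the package tools.

```shell
#!/bin/sh
# Added example (not from the thread): extract the /usr/ports/UPDATING entries that
# matter for one host, i.e. dated on or after the last update and affecting an
# installed port origin. The sample below is constructed, not the real UPDATING file.

SAMPLE_UPDATING=$(cat <<'EOF'
This file documents some of the problems you may encounter when upgrading
your ports.  We try our best to minimize these disruptions, but sometimes
they are unavoidable.

20130105:
  AFFECTS: users of mail/postfix
  AUTHOR: hypothetical@example.org

  The main.cf defaults changed; review /usr/local/etc/postfix/main.cf
  before restarting the MTA.

20121220:
  AFFECTS: users of security/openssl
  AUTHOR: hypothetical@example.org

  Rebuild all ports that depend on OpenSSL.

20121101:
  AFFECTS: users of www/apache22
  AUTHOR: hypothetical@example.org

  Module layout changed.
EOF
)

# updating_for_origins SINCE ORIGINS < UPDATING
#   SINCE:   YYYYMMDD; entries dated on or after it are considered
#   ORIGINS: whitespace-separated port origins installed on the host
# Prints every entry that is both recent enough and names an installed origin.
updating_for_origins() {
    awk -v since="$1" -v origins="$2" '
        function flush() { if (fresh && hit) print entry }
        BEGIN {
            n = split(origins, o, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (o[i] != "") inst[o[i]] = 1
        }
        # an entry starts with a line of exactly eight digits and a colon
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:$/ {
            flush()
            date = substr($0, 1, 8); entry = $0
            fresh = (date >= since); hit = 0     # fixed-width dates compare as strings
            next
        }
        date != "" {
            entry = entry "\n" $0
            # relevant when the AFFECTS line mentions an installed origin
            # (substring match: mail/postfix also matches mail/postfix-current)
            if ($0 ~ /^  AFFECTS:/) for (k in inst) if (index($0, k) > 0) hit = 1
        }
        END { flush() }
    '
}

# Number of entry headers in whatever is piped in.
count_entries() {
    awk '/^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:$/ { c++ } END { print c + 0 }'
}

# relevant_count SINCE ORIGINS UPDATING_TEXT -> number of matching entries
relevant_count() {
    printf '%s\n' "$3" | updating_for_origins "$1" "$2" | count_entries
}

# Demo on the constructed sample: only the postfix entry is new since 2012-12-01
# and for an installed origin. On a real host take ORIGINS from `pkg query '%o'`
# (pkg(8)) or `pkg_info -qoa` (old package tools) and SINCE from your last run.
printf '%s\n' "$SAMPLE_UPDATING" | updating_for_origins 20121201 "mail/postfix www/apache22"
```

On hosts already converted to pkg(8), `pkg updating -d YYYYMMDD` does the same filtering against the installed packages; the awk version above works with the old package tools too and shows what that filter is actually doing.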
gkbsd said:
  • updates may break something (I always do a VMware snapshot before)
Just use ZFS with beadm (boot environments); it's better than VMware snapshots:
http://forums.freebsd.org/showthread.php?t=31662

gkbsd said:
  • Linux distros I tried are not consistent over time (sometimes the filesystem directory and configuration files change dramatically from one major version to the other)
FreeBSD is consistent in that matter, base system configuration files are in /etc and all third-party packages configuration files are in /usr/local/etc. Generally anything related to the base system is in / (/usr /etc ...) and third-party packages go into /usr/local (/usr/local/etc /usr/local/bin ...).

  • Landscape is not cheap.
Landscape?

  • I personally do not like iptables; although I know it pretty well, it is just a matter of personal preference. I like pf much more ;)
On FreeBSD you may use IPFW, PF or even IPF, but I suggest trying PF and falling back to IPFW if it does not suit your needs.

To sum it up, I need an easy security patch management, an OS as stable as possible and as consistent as possible, which does not break because of an update.
Check freebsd-update.
 
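The advice in the replies above (track -RELEASE, feed freebsd-update(8) through a caching proxy, snapshot with a ZFS boot environment first, audit ports separately with portaudit) fits in one script that fans out over a host list. This is an added example, not code posted in this thread. It assumes root ssh access to every VM, sysutils/beadm installed on each, a caching HTTP proxy at the made-up URL in PROXY, a host list at the made-up path in HOSTS_FILE, and that each host has either pkg(8) or portaudit; freebsd-update downloads with fetch(1), which honours HTTP_PROXY, so the first host fills the cache and the others hit it. The freebsd-update output embedded at the bottom is a constructed sample used only to show the classifier.

```shell
#!/bin/sh
# Added example (not from the thread): push base-system security updates to a list
# of FreeBSD VMs over ssh, snapshotting each as a ZFS boot environment first and
# re-activating that environment for the next boot if the install fails.
# Assumptions: root ssh to every host, sysutils/beadm on every host, a caching
# proxy at PROXY and a host list at HOSTS_FILE (both names are made up here).

PROXY="${PROXY:-http://updatecache.example.internal:3128}"
HOSTS_FILE="${HOSTS_FILE:-/usr/local/etc/patch-hosts}"   # one hostname per line

# Classify what `freebsd-update fetch` printed: none / pending / unknown.
fetch_status() {
    awk '
        /^No updates needed to update system to/               { s = "none" }
        /^The following files will be (added|updated|removed)/  { s = "pending" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# Command run on each host. freebsd-update fetches with fetch(1), which honours
# HTTP_PROXY; PAGER=cat stops it waiting on a pager when it lists the files.
remote_fetch_cmd() {
    printf 'env PAGER=cat HTTP_PROXY=%s freebsd-update fetch' "$1"
}

patch_host() {
    host=$1
    be="pre-patch-$(date +%Y%m%d-%H%M)"
    # 1. Snapshot the running system as a boot environment we can boot again later.
    ssh "root@$host" "beadm create $be" || { echo "$host: beadm create failed, skipping"; return 1; }
    # 2. Fetch through the cache and look at what is pending before touching anything.
    out=$(ssh "root@$host" "$(remote_fetch_cmd "$PROXY")") || { echo "$host: fetch failed"; return 1; }
    case $(printf '%s\n' "$out" | fetch_status) in
        none)    echo "$host: already up to date"; ssh "root@$host" "beadm destroy -F $be"; return 0 ;;
        unknown) echo "$host: unexpected freebsd-update output, not installing"; return 1 ;;
    esac
    # 3. Install. On failure make the pre-patch environment the default for the next
    #    boot (freebsd-update rollback is the lighter alternative for base files only).
    if ssh "root@$host" "env PAGER=cat freebsd-update install"; then
        echo "$host: installed (reboot if a kernel update was included)"
    else
        echo "$host: install failed, activating $be for next boot"
        ssh "root@$host" "beadm activate $be"
        return 1
    fi
    # 4. Third-party packages are outside freebsd-update: audit them against VuXML.
    #    Both tools exit non-zero when vulnerable packages are installed, so the
    #    host shows up as "needs attention" below.
    ssh "root@$host" 'if command -v pkg >/dev/null 2>&1; then pkg audit -F; else portaudit -Fa; fi'
}

# Constructed sample of fetch output (not captured from a real host) for the classifier.
SAMPLE_FETCH_OUTPUT='Looking up update.FreeBSD.org mirrors... 3 mirrors found.
The following files will be updated as part of updating to 9.1-RELEASE-p3:
/boot/kernel/kernel'
echo "sample output classified as: $(printf '%s\n' "$SAMPLE_FETCH_OUTPUT" | fetch_status)"

# Fan out over the host list; without a host file nothing is contacted.
if [ -r "$HOSTS_FILE" ]; then
    while read -r h; do
        [ -n "$h" ] && { patch_host "$h" || echo "$h: needs attention" >&2; }
    done < "$HOSTS_FILE"
fi
```

Run it from a management host after taking whatever VMware snapshot you want in addition; the boot environment is what you re-activate if a patched VM misbehaves after the reboot, since freebsd-update rollback only undoes the last freebsd-update run. The "unknown" branch is deliberate: an ssh error or a changed freebsd-update message should stop the run on that host rather than let it install blindly.
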
Thank you very much for all of your answers :)

I was a bit astonished to read that in 2012 the RELEASE branch had only 8 vulnerabilities. I did a quick comparison between Ubuntu 10.04 LTS and FreeBSD 9.x in 2012 on the Secunia website. The difference is rather eye-opening for me:

Also, by reading the documentation I found that the update command freebsd-update rollback allows a quick rollback if the update did not go well, which is really helpful. The last thing required to get my boss's acknowledgement is support, a service to buy so we can open support tickets. As the FreeBSD website provides helpful information about support companies, I have some leads to follow and some people to contact :)

We are quite overwhelmed right now, so a test period will not be easy, and migrating every Linux box is not for tomorrow, but at least I have everything I need to try a BSD OS at work again. Thank you again for your answers; I know very well that time is precious and that we never have enough of it.

Regards,
gkbsd.
 
Don't read too much into those two numbers. Consider that the eight FreeBSD vulnerabilities are the base OS only. Ports vulnerabilities are not part of that. With Ubuntu you are getting the OS and packages from Canonical so that big number probably counts vulnerabilities in the software they package up for you.
 
junovitch said:
Don't read too much into those two numbers. Consider that the eight FreeBSD vulnerabilities are the base OS only. Ports vulnerabilities are not part of that. With Ubuntu you are getting the OS and packages from Canonical so that big number probably counts vulnerabilities in the software they package up for you.

Well, given that the two machines I have in my DMZ run pretty much ONLY base (my name-server) and base plus a couple of spam-filter related utilities (my MX), this is pretty neat ammo to back up the choice I've made to use BSD instead of Linux.

:)
 
junovitch said:
Don't read too much into those two numbers. Consider that the eight FreeBSD vulnerabilities are the base OS only. Ports vulnerabilities are not part of that. With Ubuntu you are getting the OS and packages from Canonical so that big number probably counts vulnerabilities in the software they package up for you.

If I only check the Linux Kernel 2.6.x vulnerabilities, the one included in Ubuntu 10.04, there are still 643 vulnerabilities, which is significant to my eyes to say the least :)

Regards,
gkbsd.
 
gkbsd said:
Thank you very much for all of your answers :)

I was a bit astonished to read that in 2012 the RELEASE branch had only 8 vulnerabilities. I did a quick comparison between the Linux Ubuntu 10.04 LTS and FreeBSD 9.x in 2012, on the website Secunia. The difference is rather eye-opening for me:

This figure does not tell the full story. The FreeBSD vulnerability count does not include any third-party applications. You need to check them in the FreeBSD VuXML.
 
Yes, that is true, but the responsibilities for fixing the problems are very different. Ubuntu is committed to providing security fixes for all included software because there's no distinction between OS and applications (contrib repositories excluded, I believe). That's one implication of what a "distro" means. In FreeBSD only the base system falls to the security team itself, and any problems with third-party applications are handled by an entirely different set of people, mainly port maintainers.
 
zeissoctopus said:
This figure does not tell the full story. The FreeBSD vulnerability count does not include any third-party applications. You need to check them in the FreeBSD VuXML.

Thanks for the link. I checked, and I count 252 entries for 2012, which is still well below the 643 vulnerabilities for the Linux 2.6 kernel only (no ports) for the same period, or the 2587 for Ubuntu 10.04 including packages. It depends on the server, but for instance for a network gateway with just FreeBSD and pf, I prefer 8 vulnerabilities to more than 600 in a year.

Nevertheless, I understand the point to not rely only on vulnerabilities numbers :)

Regards,
gkbsd.
 
@gkbsd,

Back to your point on Landscape: that is Ubuntu specific, but your options on this side would be sysutils/puppet, sysutils/cfengine or sysutils/rubygem-chef-server to do something similar. It probably wouldn't be as polished as Landscape, but since those tools support more than just one OS, there are bound to be rough edges. Personally, my home backup server runs FreeBSD, and my Ubuntu desktops and laptops check into the Puppetmaster running on my FreeBSD server. It's a really nifty tool and a timesaver for me with the couple of computers I have, let alone running it with hundreds in a business.
 
Just to chip in on administration panels: sysutils/webmin is what my company uses and although its main usage is for website administration it also provides cluster functionality which I personally consider to be quite impressive.

Although not as extensive as on Linux, some of its functions can be very useful, like the option to copy files onto a whole cluster, synchronize user and group accounts, or even run a specific shell command on the whole cluster.

Though I have to add that it doesn't provide "out of box" support to push updates and packages onto a cluster, as such its usefulness to you could be limited.
 
The other nice thing about BSD in general (FreeBSD included) is that many of the parameters and output of commands are identical or compatible with other commercial UNIX variants such as Solaris or OS X, which means your scripts work across platforms. Conversely, when migrating from Linux this is something to look out for.

Many of the GNU tools in Linux format output differently or have different command line switches for no good reason, other than GNU or "not invented here".

E.g. http://forums.freebsd.org/showthread.php?p=206856
 
gkbsd said:
Thanks for the link. I checked, and I count 252 entries for 2012, which is still well below the 643 vulnerabilities for the Linux 2.6 kernel only (no ports) for the same period, or the 2587 for Ubuntu 10.04 including packages. It depends on the server, but for instance for a network gateway with just FreeBSD and pf, I prefer 8 vulnerabilities to more than 600 in a year.

Nevertheless, I understand the point to not rely only on vulnerabilities numbers :)

Regards,
gkbsd.

It might sound pissy, but Linux kernel developers are pretty much constantly accused of passing off security vulnerabilities as simple bugs. It would not be unfair to say there is a very lax attitude to publishing security advisories.
 