Recommended way of staying up to date?

What is the recommended way of keeping one's systems up to date? There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.

How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?
 
I don't want an actual solution, I'd rather discuss general experiences with all those (to me) new-fangled ways of managing ports, because I guess somebody here must be using one tool or the other and tell a bit about what's nice about them, gotchas and so on.

I've been using FreeBSD since 4.5 or so, but always updated my ports manually as necessary, and would like to hear about the advantages/disadvantages of the (to me) new tools.

But hey, if you need an actual scenario:

I have a handful of individual servers, some of which I don't touch unless necessary (such as the mail and DNS servers), and some of which are more or less generic web servers (Apache/PHP/MySQL, Apache/mod_perl and Ruby On Rails via mod_rails, respectively). It's not much of a pain to keep them updated, but I'd like to write some scripts and stuff them into my crontab to have something to show to the PHB. ;)
 
I don't think this is such a good idea, because when you update your ports via cron you may miss important hints in UPDATING. The worst case is you crash your system and then you have to fix it manually at the latest.
 
I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.

The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.
 
Geoff said:
I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.

The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.

If you have 30 or more fbsd servers, what can you do?
 
For updating the ports tree I use portsnap, which has not caused me any problems. :)

Vulnerability checking is done by portaudit.

For updating ports I prefer portmaster, which I find is easier than portupgrade since I don't have to maintain the index manually.

Portdowngrade is also a tool I use sometimes because a new version does not work as expected.

This is for my desktop at home and at work, I don't know if it is a good strategy if you run a lot of servers.
 
This is my solution:

1. For vulnerabilities:
portaudit -F; portaudit -a

2. To upgrade my source tree:
cd /usr/src; make update
I specify csup to update my system and ports tree in my /etc/make.conf file.

3. To upgrade my ports:
portupgrade -a
 
Csup to get the ports tree up2date. I use a jail to build all the packages I need from scratch. I've NFS exported /usr/ports read-only.
 
thortos said:
There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.

I'm using:
  • portaudit: runs automatically after installation via its 410.portaudit script.
  • csup: never got into portsnap...
  • portmaster: works well for almost all upgrades, and it has a light footprint.
    Code:
    > pkg_info -rR -x portmaster
    Information for portmaster-2.6:
    
    Depends on:

thortos said:
How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?

I don't auto-update anything. If I want to upgrade ports that end users rely on I set up a scheduled maintenance window. (Hopefully on a weekend.)
 
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)
 
steinex said:
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

Wow, I had no idea one could do that!
 
Nice hint!

steinex said:
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

This is a clever trick, it is helpful for me.

And I agree that sometimes packages are more useful than ports.
 
I mainly use portsnap in cron mode and then portmanager for keeping the ports software updated.

I'm fairly new to FreeBSD (like one year and still going), and started using portupgrade, but found it to be more of a hassle than I wanted. Now all I do is log in to a specific machine and run:

portsnap update
portmanager -u

What I like about portmanager is that it builds a temporary binary package of the software that is about to be updated, and before it replaces it, it creates a binary package "backup" of the currently installed ports. That procedure has saved my behind many times when I fracked up. This is all done on production servers (web, email etc), and I haven't tried it on a desktop yet.

The "bad" about portmanager is that although it has some very nice checks and balances while working, it takes quite some time to run. And maybe a secondary effect is that you need /var space for all the builds and backups.
 
steinex said:
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)

Nice, but new ports may have updated versions of what's in /usr/local/etc, so carefully merging your own changes to config files with new configuration using sdiff or similar is almost certainly required (this practice applies to upgrading ports in general, not only to the shortcut described above).
 
This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.
 
adstro said:
This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.

Have you tried freebsd-update?
Code:
freebsd-update fetch
freebsd-update install
The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system. Maybe the following will help (see binary update):
http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html
http://www.daemonology.net/freebsd-update/
 
steinex said:
On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local

Congrats! You just deleted:
- Your apache webroot
- Your squid config and its cache
- Your postgresql database
- etc.

In other words, in an ideal world anything locally customized lives in $LOCALBASE/etc, but that's not always the case.
I know for a desktop this mostly works, though. Just be careful with some ports.
 
vivek said:
Have you tried freebsd-update?
Code:
freebsd-update fetch
freebsd-update install
The freebsd-update tool is used to fetch, install, and rollback binary updates to the FreeBSD base system. Maybe the following will help (see binary update):
http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html
http://www.daemonology.net/freebsd-update/

I meant a port update tool in the base install. Not a tool to update the base system. Updating the base system is actually pretty trivial with FreeBSD and is one of the reasons I stick with FBSD for my servers. I still think FBSD lacks when it comes to updating ports, though.
 
Mel_Flynn said:
Congrats! You just deleted:
- Your apache webroot
- Your squid config and its cache
- Your postgresql database
- etc.

In other words, in an ideal world anything locally customized lives in $LOCALBASE/etc, but that's not always the case.
I know for a desktop this mostly works, though. Just be careful with some ports.

That's why I said I mostly do this on workstations. Of course this way of keeping up has some edges and you should be aware of issues like these you just mentioned.

I probably should have made others aware of these corner-cases in my original post, but I think people are clever enough to use their brains before copy & pasting commands. :)
 
steinex said:
I probably should have made others aware of these corner-cases in my original post, but I think people are clever enough to use their brains before copy & pasting commands. :)

Your optimism is heartwarming with the holiday season coming up ;)

Seriously though, the point is, that rm -rf /usr/local should not be necessary if you use pkg_delete -f.
If nothing was ever customized, you'd end up with an empty /usr/local and if you don't, you're left with the parts you want to back up.
Also, the better way to delete things is leaves-first traversal. ports-mgmt/pkg_cutleaves is ideal for this. Move the excludes file out of the way if you have one, then run the program and always choose "go on with next leaves", till there are no more.
Now /var/db/pkg should be empty. Anything left in /usr/local was put there not by the ports system or is configuration/data and so worth inspecting why it's kept and/or how it got there.
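
The inventory this post describes can be taken before anything is deleted. The following is an added example, not code from any poster in the thread: it lists what under a prefix is not owned by a package, using a constructed sample tree and assuming the `pkg_info` of the pkg_* tools discussed here.

```shell
#!/bin/sh
# Added example (not from the thread): inventory only, deletes nothing.

# unowned_files ROOT MANIFEST
# Print every file or symlink under ROOT that is not listed in MANIFEST
# (one package-owned absolute path per line). Paths containing newlines
# are not handled.
unowned_files() {
    root=$1 manifest=$2
    owned=$(mktemp) present=$(mktemp)
    LC_ALL=C sort -u "$manifest" > "$owned"
    find "$root" \( -type f -o -type l \) | LC_ALL=C sort -u > "$present"
    LC_ALL=C comm -23 "$present" "$owned"
    rm -f "$owned" "$present"
}

# Constructed sample: a fake prefix under $1/root and, in $1/manifest, the
# paths a package database would report for it.
make_sample() {
    mkdir -p "$1/root/bin" "$1/root/etc/apache22" "$1/root/www/apache22/data"
    : > "$1/root/bin/httpd"
    : > "$1/root/etc/apache22/httpd.conf-dist"
    : > "$1/root/etc/apache22/httpd.conf"          # copied and edited by the admin
    : > "$1/root/www/apache22/data/index.html"     # site content
    printf '%s\n' "$1/root/bin/httpd" \
        "$1/root/etc/apache22/httpd.conf-dist" > "$1/manifest"
}

# Real use, run as "<script> run" (assumes pkg_info from the pkg_* tools):
if [ "${1:-}" = run ]; then
    list=$(mktemp)
    pkg_info -qLa | grep '^/' > "$list"
    unowned_files /usr/local "$list"
    rm -f "$list"
fi
```

Everything it prints is configuration, data, or something installed by hand, which is the set worth backing up or explaining before a clean reinstall.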
 
I stay up to date as follows:

First I have a nightly run of csup to update my ports tree and a pkg_version -v run and emailed to root.

If necessary I'll run portupgrade -a and let it go (of course reading the UPDATING file).

Next just csup sources and go to /usr/src and make buildworld && make buildkernel && make installworld && make installkernel && mergemaster && reboot

Pretty simple... For what it's worth, lately I've been using the package manager from desktopbsd tools to check my outdated ports and have a nice lil GUI tool to update ports, and I just build my world/kernel in the CLI.
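
A nightly job can stay report-only and still surface the UPDATING hints that several posters worry an unattended upgrade would skip. The following is an added example, not code from any poster: the UPDATING sample is constructed, and the state file `/var/db/last-ports-upgrade` (date of the last manual upgrade, YYYYMMDD) is a hypothetical path.

```shell
#!/bin/sh
# Added example (not from the thread): report-only nightly job, upgrades nothing.
# updating_hits CUTOFF FILE ORIGIN...: print "YYYYMMDD AFFECTS: ..." for each
# UPDATING entry dated CUTOFF or later whose AFFECTS line names a given port
# origin. Substring match on the first AFFECTS line, so it may over-report.
updating_hits() {
    cutoff=$1 file=$2; shift 2
    awk -v cutoff="$cutoff" -v origins="$*" '
        BEGIN { n = split(origins, want, " ") }
        /^[0-9]+:[ \t]*$/ { d = substr($0, 1, 8); next }
        /^[ \t]*AFFECTS:/ && d + 0 >= cutoff + 0 {
            sub(/^[ \t]+/, "")
            for (i = 1; i <= n; i++)
                if (index($0, want[i])) { print d " " $0; break }
        }' "$file"
}

# Constructed sample in the layout of /usr/ports/UPDATING (not real entries).
sample_updating() {
    cat <<'EOF'
20081210:
  AFFECTS: users of www/apache22
  AUTHOR: someone@example.org

  Constructed text: a directive was renamed, edit httpd.conf before upgrading.

20081201:
  AFFECTS: users of databases/mysql50-server
  AUTHOR: someone@example.org

  Constructed text: dump all databases before upgrading.

20080915:
  AFFECTS: users of www/apache22
  AUTHOR: someone@example.org

  Constructed text: old entry, handled at the previous upgrade.
EOF
}

# Nightly wiring, run from cron as "<script> run"; the state file is hypothetical.
if [ "${1:-}" = run ]; then
    portsnap cron && portsnap update
    portaudit -Fa; pkg_version -v
    updating_hits "$(cat /var/db/last-ports-upgrade)" /usr/ports/UPDATING $(pkg_info -qoa)
fi
```

Cron mails the output to root, so the upgrade itself remains a manual step taken after reading the listed entries.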
 