Avoiding source code on production servers

Angelo nglrossi at gmail.com
Thu May 28 10:31:54 UTC 2009


On Fri, May 22, 2009 at 11:06 AM, Tonix (Antonio Nati) <tonix at interazioni.it> wrote:

> I'm in the phase of planning my new generation of FreeBSD servers, and I
> would love to make them easier to upgrade.
> The main problem I currently have is that I do not want any source code on
> production servers, so freebsd-update is welcome, but... what about packages?
> I would use packages, but they are not easy to upgrade, while ports can be
> easy to upgrade, but need to have sources on servers.
>
> What do you suggest? What is currently done in other environments?
>
> Thanks,
>
> Tonino
>
> --
> ------------------------------------------------------------
>       Inter at zioni            Interazioni di Antonio Nati
> http://www.interazioni.it      tonix at interazioni.it
> ------------------------------------------------------------

Hi,

Some good solutions have been suggested. I personally like these two and find
them easy to maintain:

- having a build server where you compile the code, pkg_create and then
distribute the packages and pkg_add them (what I was doing at the last shop
where I was working on FreeBSD)
- when you need to install/upgrade software, you NFS-mount volumes from a
non-critical host that hosts the source code

All the installation/upgrades can be pushed with a tool like cfengine; this
way you can test the process on testing servers and then decide when and how
to push the changes on the other machines in the order you wish. With
cfengine you can perform whatever actions you want so you can actually
include pre and post installation scripts and checks.
This also makes it really easy to add new machines, install a fresh OS and
apply ALL the changes you applied to the other servers without forgetting a
single package or setting.

To keep things simple I try to have the base FreeBSD setup as clean as
possible on the server and install only the packages that are really needed
for infrastructural purposes: monitoring tools, cfengine and a host-based
firewall. Every non-infrastructural service goes on its own into a minimal
jail. This makes it trivial to migrate services from one server to another
and prevents package conflicts (ever tried to make different versions
of PHP or Perl coexist?) on the base system.

My 2 cents :)

Angelo
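
The build-server option from the message above, as an added example that is not part of the original post or of the FreeBSD package tools: the build host records a SHA-256 digest for each tarball, and a production server runs pkg_add only after every tarball it received matches. The function names, the manifest format and the INSTALLER variable are assumptions, and the manifest is assumed to reach the server over a channel separate from the tarballs (for instance the cfengine push).

```shell
#!/bin/sh
# Added example (not from the thread): digest-gated install of prebuilt packages.
# Function names, the manifest format and the INSTALLER variable are assumptions.

# SHA-256 of a file: FreeBSD has sha256(1), Linux has sha256sum(1).
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Build host: write "<digest>  <file name>" for every package tarball in $1
# (tarballs assumed to come from pkg_create) to the manifest path $2.
make_manifest() {
    : > "$2"
    for f in "$1"/*.tbz; do
        [ -f "$f" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "${f##*/}" >> "$2"
    done
}

# Production host: check every manifest entry against the files in repo $2.
# Returns non-zero on an empty manifest, odd file name, missing file or mismatch.
verify_repo() {
    [ -s "$1" ] || { echo "empty or missing manifest: $1" >&2; return 2; }
    while read -r digest name; do
        case $name in
            ''|*/*|-*) echo "rejected entry: $name" >&2; return 1 ;;
        esac
        [ -f "$2/$name" ] || { echo "missing: $name" >&2; return 1; }
        [ "$(hash_file "$2/$name")" = "$digest" ] ||
            { echo "digest mismatch: $name" >&2; return 1; }
    done < "$1"
}

# Install nothing unless the whole set verifies first.
install_verified() {
    verify_repo "$1" "$2" || return 1
    while read -r digest name; do
        ${INSTALLER:-pkg_add} "$2/$name" </dev/null || return 1
    done < "$1"
}
```

On the build host run `make_manifest <repo dir> <manifest>`; on each production server run `install_verified <manifest> <repo dir>`, which exits non-zero before installing anything if a tarball was altered or is missing.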

