FreeBSD for webserver?

Ted Mittelstaedt tedm at toybox.placo.com
Wed Jul 23 06:46:11 UTC 2008



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Paul Schmehl
> Sent: Tuesday, July 22, 2008 2:22 PM
> To: VeeJay; FreeBSD-Questions
> Subject: Re: FreeBSD for webserver?
>
>
> --On Tuesday, July 22, 2008 22:05:26 +0200 VeeJay
> <maanjee at gmail.com> wrote:
>
> > Hi there
> >
> > I am going to make 2 Webserver at my work going to handle 50 mil hits per
> > month... They are using Linux already. But being a FreeBSD fan, I have
> > proposed FreeBSD to my Boss convincing him that FreeBSD is more Fast and
> > Secure solution for his needs... And now I want to show the results...
> > *Hardware:*
> > Dell PowerEdge 2950 III having 2 x CPU 3,0 GHz Intel Xeon L5450 Quad-Core
> > 2x6MB cache WITH 16 GB RAM.
> >
> > *Tools:*
> > 1. FreeBSD 7 Production Release
> > 2. Apache 2.2.9
> > 3. MySQL 5.1.26
> > 4. PHP 5.2.6
> >
> > My question is, "*To get the speed, performance and security*":
> >
> > Should I use Ports or Packages to install all these tools One by One?
> >
> > *OR*
> > Should I use TAR files and compile them manually. For example giving command
> > line arguments and commands like
> >
>
> This seems to be a common misperception about ports.  Ports aren't something
> magical.  They do exactly what you would do from the commandline (i.e.
> ./configure, make, make install), except they come with several bonuses.
>
> 1) The port maintainer has already worked out all the quirks to make it compile
> and install properly on FreeBSD.  2) The port maintainer has already supplied
> patches that allow the software to build correctly on FreeBSD.  3) All the
> dependencies are already taken care of.  4) Upgrading is quite simple and
> straightforward.  5) The software is now architecture-independent (in most
> cases), meaning you can move from Intel to AMD (for example) without having to
> worry that the software will no longer build and you'll have to start from
> scratch again.
>
> For example, I decided today that I wanted to try out some software named
> "arguseye".  So I downloaded and untarred the program.  I looked at the
> dependencies.  It requires a number of perl modules, some of which are not in
> ports.  So, I just created three new perl ports to satisfy those dependencies
> and submitted them this afternoon.
>
> Once those are accepted into the tree, I'll create the arguseye port and submit
> it as well.  Then, when someone else wants to install arguseye, all they will
> have to do is type "make install clean" in the port directory and everything
> that they need will be installed for them.
>
> Unless you're a glutton for punishment, why would you do all that yourself?

Because maybe you don't care for the porter's choice of defaults.

Many programs come with hard-coded defaults that are modified
in a config file.  For example cistron-radius.  Another example
is the dspam port.  The porter for that insisted on using a
default of apache vhost.  However the default apache port does
not activate this.  I don't give a rat's ass that vhost is
supposedly more secure.  Another one that always pisses me off
is the porter's choice in building uw-imap to turn off plaintext
passwords.  And the default for pine is also to turn off
plaintext support.

Another problem is that not all porters are good about maintaining
their ports.  For example icradius.  Someone spent a lot of time
creating the port for that.  Then just let it die.  Another is
the open source ingres database.  Julian ported that one then
lost interest, it died sometime around FBSD 4.X.

Another problem with ports is that all of them like pulling the
original source from the author's site.  I've had a few where the
author released the code under GPL then a few years later lost
interest, stopped paying whatever ISP he had the main site for
the program at, and the porter also lost interest in the project
and never bothered obtaining the last available tarfile from
the author's site and uploading it to freebsd, then both disappeared.
Another one I can recall is the gated code, similar issue.

The fundamental Achilles heel of the ports system is it makes
the assumption that every package in the ports system is popular
and will be supported for the indefinite future by the original
package developer.  The ports system counts on this insofar that
it assumes that if the original porter loses interest and stops
tracking the master site, that someone else will step in and
assume responsibility for maintaining the port.

The reality is that in every release of FreeBSD, some ports go
wanting for sponsors, and nobody steps forward and so when the
port stops building, the FreeBSD maintainers simply cut it out
of the ports tree, plus anything dependent on it.

This assumption is fine for people running vanilla apache or
whatever systems, which is most people.  But, if you're doing
anything that isn't plain-jane middle of the road, you better
assume that if you're using a series of ports, to make detailed
notes, and save the ports, and save the patches, and save
the distfiles.  You may need to see how they did it in an
older FreeBSD system when a new version of FreeBSD comes out
that is missing one or more of the ports you depend on.

Ultimately, ports isn't any different than most other things.
When it's properly executed it's great.  But proper execution
of the entire thing depends on every porter who has an active
port in the system doing the right thing, and there's so many of
them that statistically, some of them are going to be flakes.

Ultimately, if you're going to be a server admin, you need to
know how to build your applications without ports.

It's no different than, for example, I know how to pour and
form concrete, I know how to plumb pipes.  But if I needed
concrete poured, or pipes plumbed, I would call a contractor
and a plumber, and because I know how to do these things I
would be able to keep an eye on what the people I hired
were doing and know if they were doing what they were supposed
to be doing, or if they were incompetents.

The folks that depend utterly on ports and have no notion of
how to build it manually, are like the people who don't know
how to pour concrete or plumb pipes, and who hire a mason and
a plumber anyway.  They think they are having their concrete
and pipes done, but in reality they have no clue if the
work is really being done properly or not.  And, years later
that concrete may be cracked and the pipes leaking, and
they have no clue if it was due to crap work or something else.

Ted
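
Added example, not part of the original message or of the FreeBSD ports tools: one way to act on the advice above to save the port, its patches and its distfiles, with each distfile checked against the digest recorded in the port's distinfo before it is archived. It assumes the standard port layout and distinfo lines of the form `SHA256 (file) = digest`; the function names and the output layout are hypothetical.

```shell
#!/bin/sh
# Snapshot one port (skeleton, patches, distfiles) so it can be rebuilt later.
# Assumption: distinfo carries lines like  SHA256 (name-1.0.tar.gz) = <hex>

# Portable SHA-256: FreeBSD ships sha256(1), most Linux systems sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# snapshot_port PORTDIR DISTDIR OUTDIR
# Copies the port directory and every distfile named in distinfo into OUTDIR.
# Fails (non-zero) if a distfile is missing or does not match its digest.
snapshot_port() {
    portdir=$1 distdir=$2 outdir=$3
    [ -f "$portdir/distinfo" ] || { echo "no distinfo in $portdir" >&2; return 2; }
    mkdir -p "$outdir/port" "$outdir/distfiles" || return 2
    cp -R "$portdir/." "$outdir/port/" || return 2
    : > "$outdir/distfiles/SHA256SUMS"

    # Turn each SHA256 line into "<digest> <file>" and process it.
    sed -n 's/^SHA256 (\(.*\)) = \([0-9a-f]*\)$/\2 \1/p' "$portdir/distinfo" |
    while read -r want file; do
        src="$distdir/$file"
        [ -f "$src" ] || { echo "missing distfile: $file" >&2; exit 1; }
        got=$(sha256_of "$src")
        [ "$got" = "$want" ] || { echo "digest mismatch: $file" >&2; exit 1; }
        # DIST_SUBDIR ports name files as subdir/file, so create the parent.
        mkdir -p "$outdir/distfiles/$(dirname "$file")"
        cp "$src" "$outdir/distfiles/$file"
        # Manifest line in the "digest  file" layout used by sha256sum -c.
        echo "$want  $file" >> "$outdir/distfiles/SHA256SUMS"
    done
}

# Run directly as: snapshot.sh PORTDIR DISTDIR OUTDIR
if [ "$#" -eq 3 ]; then
    snapshot_port "$@"
fi
```

A non-zero return means the snapshot is incomplete; an old distinfo that carries only MD5 lines yields an empty manifest, so check that SHA256SUMS is not empty.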


