Hardening production servers
Gregory Bond
gnb at itga.com.au
Tue Jul 8 16:35:27 PDT 2003
Here's what we do:
For the system:
- A separate build box, spec'd no higher than the lowest production machine
- keep a CVS repository on the build box
- buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
- run make update / make buildworld / make buildkernel on the build box
- Install kernel & world on the build box, run mergemaster, etc as documented
- run the build box for a couple of days (rebuilding ports etc) to check it out
- NFS mount /usr/src and /usr/obj read-only on each client
- client /etc/make.conf has KERNCONF=CLIENTn
- installkernel / installworld / mergemaster on the client in the normal way
For the ports:
- use portupgrade on build box and clients
- build box has the union of all the client package sets installed on it
- build box does "portupgrade -p" to build packages
- client boxes NFS mount /usr/ports/ (including /usr/ports/packages)
(can also do it with a local CVSup'd /usr/ports and using FTP to the build box to get the packages, but that's harder to get right.)
- clients run portupgrade -PP to use the packages only
This works well enough for us with a similar number of servers.
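As an added example (not from Gregory's post), a POSIX sh check an administrator could run on a client to confirm the layout described above: /usr/src and /usr/obj mounted read-only over NFS from the build box, and KERNCONF in /etc/make.conf naming exactly one kernel config rather than the build box's list. The build-box hostname "buildbox" and the mount(8) output format are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Verifies a client follows the
# build-box scheme: sources come read-only from the build box (so a client
# cannot alter what the other clients install) and KERNCONF is one name.
# Usage on a live host: mount > /tmp/mount.out; check_client /tmp/mount.out /etc/make.conf

BUILDBOX=buildbox   # assumed hostname of the build box

# mount_is_ro_nfs MOUNT_OUTPUT_FILE MOUNTPOINT
# 0 if MOUNTPOINT is an NFS mount from $BUILDBOX carrying the read-only flag.
# mount(8) lines look like:  buildbox:/usr/src on /usr/src (nfs, read-only)
mount_is_ro_nfs() {
    grep -E "^$BUILDBOX:[^ ]+ on $2 \(nfs(, [^)]*)?\)$" "$1" \
        | grep -q 'read-only'
}

# kernconf_is_single MAKECONF_FILE
# 0 if the last KERNCONF assignment holds exactly one config name
# (a client must not inherit the build box's KERNCONF="SERVER CLIENT1 ...").
kernconf_is_single() {
    n=$(sed -n 's/^KERNCONF *?*= *//p' "$1" | tail -n 1 | wc -w | tr -d ' ')
    [ "$n" -eq 1 ]
}

# check_client MOUNT_OUTPUT_FILE MAKECONF_FILE -> 0 when all three checks pass
check_client() {
    mount_is_ro_nfs "$1" /usr/src && mount_is_ro_nfs "$1" /usr/obj \
        && kernconf_is_single "$2"
}

# Constructed sample inputs so the checks can be exercised offline.
GOOD_MOUNT=$(mktemp); GOOD_CONF=$(mktemp); BAD_MOUNT=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_MOUNT" <<'EOF'
/dev/ad0s1a on / (ufs, local)
buildbox:/usr/src on /usr/src (nfs, read-only)
buildbox:/usr/obj on /usr/obj (nfs, read-only)
EOF
printf 'KERNCONF=CLIENT1\n' > "$GOOD_CONF"
cat > "$BAD_MOUNT" <<'EOF'
/dev/ad0s1a on / (ufs, local)
buildbox:/usr/src on /usr/src (nfs)
/dev/ad0s1f on /usr/obj (ufs, local)
EOF
printf 'KERNCONF="SERVER CLIENT1 CLIENT2"\n' > "$BAD_CONF"

if check_client "$GOOD_MOUNT" "$GOOD_CONF"; then echo "sample client: OK"; fi
if ! check_client "$BAD_MOUNT" "$BAD_CONF"; then echo "sample misconfigured client: FAIL"; fi
```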