Hardening production servers

Paul Smith paul at cnt.org
Wed Jul 9 11:50:57 PDT 2003


Gregory Bond <gnb at itga.com.au> wrote on 08/Jul/03 at  6:35 PM:
> Here's what we do:
> 
> For the system:
> 
>  - A separate build box, spec'd no higher than the lowest production machine
>  - keep a CVS repository on the build box
>  - buildbox /etc/make.conf has KERNCONF="SERVER CLIENT1 CLIENT2..."
>  - run make update / make buildworld / make buildkernel on the build box
>  - Install kernel & world on the build box, run mergemaster, etc as documented
>  - run the build box for a couple of days (rebuilding ports etc) to check it 
>    out
>  - NFS mount /usr/src and /usr/obj readonly on each client
>  - client /etc/make.conf has KERNCONF=CLIENTn
>  - installkernel / installworld / mergemaster on the client in the normal way
>
>  [ ... ]

Just a quick addendum for anyone who's stepping through this, as I've just
done :)

- If you are going to 'make installworld' in single-user mode on the client,
  you need to '# sh /etc/netstart' after fsck, mount, swapon, etc. to be able
  to NFS mount the build server. May be obvious, but tripped me up a bit at
  first.

-- 
Paul Smith <paul at cnt.org>
Webmaster/Systems Administrator
Center for Neighborhood Technology
Chicago, Illinois USA
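As an added example (not code from the thread), here is the client-side half of the procedure quoted above as a POSIX sh script, with the /etc/netstart step from the reply in its place. The names are assumptions: the build box is called buildbox, it exports /usr/src and /usr/obj under the same paths, and this client's kernel config is CLIENT1. Without --run it only prints the plan; with --run it executes each step in order and, just before entering /usr/src for installkernel, checks via mount(8) that both trees really are the build box's exports mounted read-only over NFS, so installworld never runs against a stale local /usr/obj or a writable mount.

```shell
#!/bin/sh
# Client-side upgrade steps for the build-box / NFS-client workflow quoted
# above, with the single-user-mode network step from the reply folded in.
# Added example, not code from the original thread. Assumed names: the
# build box is "buildbox" and this client's kernel config is "CLIENT1".
#
#   sh upgrade-client.sh          # print the plan (dry run; safe anywhere)
#   sh upgrade-client.sh --run    # execute it: FreeBSD, single-user, as root

BUILDHOST="${BUILDHOST:-buildbox}"   # assumption: NFS server exporting /usr/src, /usr/obj
KERNCONF="${KERNCONF:-CLIENT1}"      # assumption: this client's kernel config name

# The ordered command list, kept as data so it can be reviewed before it is
# run on a production machine. Single-user mode does not bring the network
# up for you, and the NFS mounts need it: hence sh /etc/netstart right after
# the local filesystems and swap, and before anything touches the build box.
client_upgrade_plan() {
    cat <<EOF
fsck -p
mount -u /
mount -a -t ufs
swapon -a
sh /etc/netstart
mount -t nfs -o ro $1:/usr/src /usr/src
mount -t nfs -o ro $1:/usr/obj /usr/obj
cd /usr/src
make KERNCONF=$2 installkernel
make installworld
mergemaster
EOF
}

# Sanity check on a plan: the network-start line must precede the first NFS
# mount. Returns 0 if so, 1 otherwise.
netstart_before_nfs() {
    printf '%s\n' "$1" | awk '
        /^sh \/etc\/netstart/ { seen_net = NR }
        /^mount -t nfs/ && !seen_net { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Given one line of mount(8) output in FreeBSD format
# ("host:/export on /mountpoint (nfs, read-only)"), answer whether it is the
# expected export from the build box, over NFS, mounted read-only.
#   $1 = mount line, $2 = expected "host:/export", $3 = mountpoint
is_ro_nfs_from() {
    case "$1" in
        "$2 on $3 ("*"nfs"*"read-only"*")") return 0 ;;
        *) return 1 ;;
    esac
}

# Live preflight (FreeBSD only): both trees must be the build box's read-only
# NFS exports, not a stale local directory or a writable mount.
preflight_mounts() {
    host="$1"
    for dir in /usr/src /usr/obj; do
        line=$(mount | grep " on $dir (" | head -n 1) || true
        if ! is_ro_nfs_from "$line" "$host:$dir" "$dir"; then
            echo "preflight: $dir is not a read-only NFS mount from $host" >&2
            echo "  got: ${line:-<not mounted>}" >&2
            return 1
        fi
    done
    return 0
}

plan=$(client_upgrade_plan "$BUILDHOST" "$KERNCONF")

if [ "${1:-}" = "--run" ]; then
    set -e
    # Execute the steps in plan order; verify the mounts right before the
    # install steps start (the "cd /usr/src" line), aborting on any failure.
    while IFS= read -r cmd; do
        case "$cmd" in
            "cd /usr/src") preflight_mounts "$BUILDHOST" ;;
        esac
        echo "+ $cmd"
        eval "$cmd"
    done <<EOF
$plan
EOF
else
    echo "# dry run; plan for $KERNCONF from $BUILDHOST:"
    printf '%s\n' "$plan"
fi
```

The plan is generated as text rather than typed in so it can be diffed against the build box's /etc/make.conf KERNCONF list before the reboot; the preflight is what catches the case the reply describes, a forgotten /etc/netstart, since then the NFS mounts fail and without the check installworld would proceed against whatever is left in the local /usr/src and /usr/obj.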


More information about the freebsd-stable mailing list