"Online" Updating of OpenSSL

Allan Jude allanjude at freebsd.org
Thu Jun 12 17:48:49 UTC 2014


On 2014-06-12 13:38, khatfield at socllc.net wrote:
> There are a few ways to do it and I'm certain there is an easier method than what I'm recommending. However, you can use portmaster, for example. You could also use this wrapper script:
> 
> http://www.charlieroot.de/bsd/pkg_depends.pl
> 
> With no arguments you're going to pull everything. I would recommend looking at running services and using this script to view the dependencies per service package.
> 
> Ensure (of course) that you restart all services with open ports after the upgrade (web/email/ssh/etc.).
> 
> Best of luck
> 
> 
>> On Jun 12, 2014, at 10:52 AM, "Florian Heigl" <florian.heigl at gmail.com> wrote:
>>
>> Hi,
>>
>> I suppose we pretty much all went through some updates since April.
>> So far, I have been rebooting the affected systems during the OpenSSL updates to make sure the services are all properly restarted.
>>
>>
>> I’d like to switch to some kind of restarting only the affected services, as that would minimize the downtimes from minutes to seconds.
>>
>> But how do you identify the affected applications and relate them to scripts in /etc/rc.d and /usr/local/etc/rc.d?
>>
>> How are you guys handling it?
>>
>> - Identifying what’s really linked to openssl / gnutls / whatever
>> - Restarting gracefully at the right time
>>
>> Greetings,
>> Florian
>> _______________________________________________
>> freebsd-isp at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
>> To unsubscribe, send any mail to "freebsd-isp-unsubscribe at freebsd.org"

Some services, especially nginx, have an 'upgrade' command. 'service
nginx upgrade' will start the newly installed nginx binaries alongside
the old one, move the listening sockets over to the new binary, and then
shut the old binaries down once they finish processing the pending requests.

This results in a 0 downtime upgrade.

'service apache22 graceful' should do the same.

-- 
Allan Jude
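
Added example, not part of the original thread: for the question raised above (identifying which running processes actually have OpenSSL loaded, so only those services are restarted), one approach is to filter the memory mappings reported by FreeBSD's `procstat -v`. The function name `ssl_mappers`, the sample lines and the assumed column layout (PID first, mapped path last) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists processes that have an SSL
# library mapped, i.e. the candidates for a restart after the update.
# Assumption: `procstat -v` prints the PID as the first field and the
# mapped file's path as the last field of each line.

# Constructed sample of `procstat -a -v` output (not captured from a host).
SAMPLE='  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH
  812           0x400000           0x4b1000 r-x  120  130   3   1 CN-- vn /usr/local/sbin/nginx
  812        0x801200000        0x80125f000 r-x   60   70  40   0 CN-- vn /usr/lib/libssl.so.7
  812        0x801600000        0x8017d0000 r-x  200  210  40   0 CN-- vn /lib/libcrypto.so.7
  812        0x8017d0000        0x8017e0000 rw-    9    0   1   0 C--- vn /lib/libcrypto.so.7
  977           0x400000           0x40c000 r-x   10   12   1   0 CN-- vn /usr/sbin/cron
  977        0x800800000        0x800950000 r-x  150  160  90   0 CN-- vn /lib/libc.so.7
 1044        0x801200000        0x80125f000 r-x   60   70  40   0 CN-- vn /usr/lib/libssl.so.7'

# Read procstat -v lines on stdin; print "PID PATH" once per process/library.
# $1 (optional): ERE alternation of library base names, e.g. "libgnutls".
ssl_mappers() {
    awk -v libs="${1:-libssl|libcrypto}" '
        # Match <dir>/<name>.so with any numeric version suffix (.7, .1.0.0).
        BEGIN { re = "/(" libs ")\\.so(\\.[0-9]+)*$" }
        # Skip the header (non-numeric PID) and repeated mappings of one file.
        $1 ~ /^[0-9]+$/ && $NF ~ re && !seen[$1 " " $NF]++ { print $1, $NF }
    '
}

if [ "$(uname -s)" = FreeBSD ]; then
    procstat -a -v 2>/dev/null | ssl_mappers   # live data; run as root to see all processes
else
    printf '%s\n' "$SAMPLE" | ssl_mappers      # offline demo on the constructed sample
fi | while read -r pid lib; do
    # Add the command name so the PID can be matched to an rc.d script.
    printf '%s\t%s\t%s\n' "$pid" "$(ps -o comm= -p "$pid" 2>/dev/null)" "$lib"
done
```

A process started before the update keeps the old library mapped until it is restarted, so each listed PID that predates the upgrade is a candidate for the restart or graceful reload discussed above.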
