safest way to upgrade a production server

DA Forsyth iwrtech at
Mon Sep 8 09:15:48 UTC 2008

On 8 Sep 2008, freebsd-questions-request at entreated about
 "freebsd-questions Digest, Vol 232, Issue 1":

Hi John

> So, my first question is, do I really need to do this?


> If so, what is the minimum amount of upgrading I can do to be safe?   
> And how?

I track RELENG_7_0 in my source tree, but only build it when I see 
something important in UPDATING.  What is important?  Stuff like, I 
don't run bind, so can ignore any bind related issues, but I do run 
Samba and Apache, so if anything affects them, I get right on it.

If I need to build world (I have a custom kernel) I can do it 
anytime, then after it is built (and kernel) I come in on a Saturday 
and take the server to single user and install world and kernel etc 
etc, following all the relevant instructions.  The thing that can 
take most time is mergemaster, but so what?  On a Saturday that only 
affects web visitors for half an hour or so.

> I also think I need to do this using freebsd-update to do a binary  
> update, to upgrade on an errata branch.

If you are not running custom kernels then freebsd-update is 
fantastic.  I use it on my 2 print servers, which have almost 
identical 'minimal' setups and don't need a custom kernel.

> I've never done this, so will try upgrading a test system, first. If  
> all goes well, I will give it a whirl on one of the production servers.

I have installed all my software from ports, so I do this:

 - keep the ports tree updated.  I wrote a little script that gets 
called from cron on Monday morning early, that sends me an email 
telling me what ports have been updated in the last week.   
This morning's list is:
 1  2 ipmitool
 1  2 mailman
 1  4 rsync
 1  5 samba
 1  9 apcupsd
 2  1 lsof
 2 10 pear-XML_Parser
 4  4 libksba
 7  7 libxslt
 9 11 pear-Log
10 58 gtk
24  1 png
54  5 apache

The numbers are 'required by', and 'requires', giving me an idea of 
how many things are affected by this upgrade.

- following that list, I decide whether to upgrade now or leave it 
till next week.
- to upgrade, I run 'portupgrade -vrR portname' and just fill in the 
portname from my emailed list.  Sometimes I do several related ports 
at the same time, like all php* or lib*
- restart any services that were upgraded, in my case usually samba, 
but sometimes net-snmp and so on.

With some early experiences in having a portupgrade break things, I 
prefer not to do a 'portupgrade -a', instead doing them one by one 
and thus seeing all the messages and so on.

Note that I do this Monday or Tuesday morning, on a live server with 
~25 local users online, and external web service, and have never had 
a huge problem.  A few years ago the horde upgrade broke a lot of 
stuff, but I fixed it from the backups of the setup files I keep on 
another server.  I tar /etc /usr/local/etc 
/usr/local/www/horde/config and so on.  Haven't needed them in ages, 
but I do it anyway.

> Frankly, I find this idea terrifying, but I guess it needs to be done.

Yeah, me too, but it gets easier.  Keep records of what you have 
done, and what the results are.  It makes problem tracking easier.  I 
use a 'sort of a blog' so I can access the information remotely.  I 
used to have the blog on a machine in a different building but that 
has become impossible, so now it exists on 2 local machines.
If the main machine dies I can still see my blog entries for help in 
fixing it.
Info on how you set something up is just as important as backups of 
the machine itself.

>  > uname -a
> FreeBSD ***servername*** 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1:  
> Mon Dec  3 09:46:53 EST 2007     root@***servername***:/usr/obj/usr/ 
> src/sys/INET_ON  amd64

Oooh, that is a bit old I think.

DA Forsyth            Network Supervisor
Principal Technical Officer -- Institute for Water Research
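As an added example (not the script from the post above), here is one way the weekly "updated ports" mail could be produced: compare two snapshots of the ports INDEX file, list every port whose package name or version changed, and annotate each with 'required by' and 'requires' counts. Only run-time dependencies (INDEX field 9) are counted, and the sample INDEX lines are constructed for the demo.

```shell
#!/bin/sh
# INDEX lines are '|'-separated, 13 fields: 1 = pkgname (with version),
# 2 = port directory, 9 = run-depends (space-separated pkgnames).
# Constructed sample data: png, samba and apache got new versions, lsof did not.
write_sample_indexes() {   # $1 = old INDEX path, $2 = new INDEX path
    cat >"$1" <<'EOF'
png-1.2.29|/usr/ports/graphics/png|/usr/local|PNG lib|x|x|graphics|||http://x|||
samba-3.0.28|/usr/ports/net/samba3|/usr/local|SMB|x|x|net||png-1.2.29|http://x|||
apache-2.2.8|/usr/ports/www/apache22|/usr/local|httpd|x|x|www||png-1.2.29|http://x|||
lsof-4.80|/usr/ports/sysutils/lsof|/usr/local|lsof|x|x|sysutils|||http://x|||
EOF
    cat >"$2" <<'EOF'
png-1.2.31|/usr/ports/graphics/png|/usr/local|PNG lib|x|x|graphics|||http://x|||
samba-3.0.32|/usr/ports/net/samba3|/usr/local|SMB|x|x|net||png-1.2.31|http://x|||
apache-2.2.9|/usr/ports/www/apache22|/usr/local|httpd|x|x|www||png-1.2.31|http://x|||
lsof-4.80|/usr/ports/sysutils/lsof|/usr/local|lsof|x|x|sysutils|||http://x|||
EOF
}

# ports_report OLD_INDEX NEW_INDEX -> lines of "<required by> <requires> <port>",
# one per port whose pkgname changed between the snapshots, sorted like the mail.
ports_report() {
    awk -F'|' '
        NR == FNR { old[$2] = $1; next }        # first file: old pkgname per port dir
        {
            name = $1; sub(/-[^-]*$/, "", name) # strip version: samba-3.0.32 -> samba
            base[$1] = name
            n = split($9, dep, " ")             # run-time deps of this port
            requires[$1] = n
            for (i = 1; i <= n; i++) reqby[dep[i]]++
            if (old[$2] != $1) changed[$1] = 1  # new port, or version bumped
        }
        END {
            for (p in changed)
                printf "%2d %2d %s\n", reqby[p] + 0, requires[p] + 0, base[p]
        }' "$1" "$2" | sort -n -k1,1 -k2,2
}

# Run with --demo to see the report for the constructed snapshots.
if [ "${1-}" = "--demo" ]; then
    d=$(mktemp -d); write_sample_indexes "$d/INDEX.old" "$d/INDEX.new"
    ports_report "$d/INDEX.old" "$d/INDEX.new"; rm -rf "$d"
fi
```

In practice the two arguments would be last week's copy of /usr/ports/INDEX-7 and the freshly fetched one, with the output piped to mail.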
