safest way to upgrade a production server
DA Forsyth
iwrtech at iwr.ru.ac.za
Mon Sep 8 09:15:48 UTC 2008
On 8 Sep 2008, freebsd-questions-request at freebsd.org entreated about
"freebsd-questions Digest, Vol 232, Issue 1":
Hi John
> So, my first question is, do I really need to do this?
yes
> If so, what is the minimum amount of upgrading I can do to be safe?
> And how?
I track RELENG_7_0 in my source tree, but only build it when I see
something important in UPDATING. what is important? stuff like, I
don't run bind, so can ignore any bind related issues, but I do run
Samba and Apache, so if anything affects them, I get right on it.
If I need to build world (I have a custom kernel) I can do it
anytime, then after it is built (and kernel) I come in on a Saturday
and take the server to single user and install world and kernel etc
etc, following all the relevant instructions. The thing that can
take most time is mergemaster, but so what? on a Saturday that only
affects web visitors for half an hour or so.
> I also think I need to do this using freebsd-update to do a binary
> update, to upgrade on an errata branch.
if you are not running custom kernels then freebsd-update is
fantastic. I use it on my 2 print servers, which have almost
identical 'minimal' setups and don't need a custom kernel.
> I've never done this, so will try upgrading a test system, first. If
> all goes well, I will give it a whirl on one of the production servers.
I have installed all my software from ports, so I do this:
- keep the ports tree updated. I wrote a little script that gets
called from cron on Monday morning early, that sends me an email
telling me what ports have been updated in the last week.
this morning's list is
1 2 ipmitool
1 2 mailman
1 4 rsync
1 5 samba
1 9 apcupsd
2 1 lsof
2 10 pear-XML_Parser
4 4 libksba
7 7 libxslt
9 11 pear-Log
10 58 gtk
24 1 png
54 5 apache
The numbers are 'required by', and 'requires', giving me an idea of
how many things are affected by this upgrade.
- following that list, I decide whether to upgrade now or leave it
till next week.
- to upgrade, I run 'portupgrade -vrR portname' and just fill in the
portname from my emailed list. sometimes I do several related ports
at the same time, like all php* or lib*
- restart any services that were upgraded, in my case usually samba,
but sometimes net-snmp and so on.
- TEST
with some early experiences in having a portupgrade break things, I
prefer not to do a 'portupgrade -a', instead doing them one by one
and thus seeing all the messages and so on.
Note that I do this Monday or Tuesday morning, on a live server with
~25 local users online, and external web service, and have never had
a huge problem. A few years ago the horde upgrade broke a lot of
stuff, but I fixed it from the backups of the setup files I keep on
another server. I tar /etc /usr/local/etc
/usr/local/www/horde/config and so on. haven't needed them in ages,
but I do it anyway.
> Frankly, I find this idea terrifying, but I guess it needs to be done.
yeah, me too, but it gets easier. keep records of what you have
done, and what the results are. makes problem tracking easier. I
use a 'sort of a blog' so I can access the information remotely. I
used to have the blog on a machine in a different building but that
has become impossible, so now it exists on 2 local machines.
if the main machine dies I can still see my blog entries for help in
fixing it.
info on how you set something up is just as important as backups of
the machine itself.
> > uname -a
> FreeBSD ***servername*** 6.3-PRERELEASE FreeBSD 6.3-PRERELEASE #1:
> Mon Dec 3 09:46:53 EST 2007 root@***servername***:/usr/obj/usr/
> src/sys/INET_ON amd64
oooh, that is a bit old I think.
--
DA Forsyth Network Supervisor
Principal Technical Officer -- Institute for Water Research
http://www.ru.ac.za/institutes/iwr/
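
The config backup habit described in the message above (a tar of /etc, /usr/local/etc and similar before upgrading ports), as an added example that is not part of the original post: it snapshots the directories before an upgrade and afterwards lists which files the upgrade changed. The function names `snapshot_configs` and `changed_since` are hypothetical, and the script assumes a `tar` with gzip support, `mktemp -d` and a `diff` that accepts `-rq` (both GNU and BSD versions do).

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# snapshot_configs ARCHIVE DIR...
# Archive the given config directories before an upgrade.
snapshot_configs() {
    archive=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        d=$1; shift; n=$((n - 1))
        [ -d "$d" ] || { echo "skipping missing directory: $d" >&2; continue; }
        set -- "$@" "${d#/}"        # store paths relative to /
    done
    [ "$#" -gt 0 ] || { echo "nothing to archive" >&2; return 1; }
    # /etc holds password hashes and keys: keep the archive owner-only.
    ( umask 077; tar -czf "$archive" -C / "$@" ) || return 1
    # A backup that cannot be read back is not a backup.
    tar -tzf "$archive" >/dev/null
}

# changed_since ARCHIVE DIR...
# After the upgrade, report files that differ from the snapshot.
# Returns 0 if nothing changed, 1 if something did, 2 on error.
changed_since() {
    archive=$1; shift
    tmp=$(mktemp -d) || return 2
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 2; }
    rc=0
    for d in "$@"; do
        diff -rq "$tmp/${d#/}" "$d" || rc=1
    done
    rm -rf "$tmp"
    return "$rc"
}

# Typical use around a port upgrade (paths are the ones named in the post):
#   snapshot_configs /root/pre-upgrade.tgz /etc /usr/local/etc
#   ... upgrade and restart the service ...
#   changed_since /root/pre-upgrade.tgz /etc /usr/local/etc
```

Copying the archive to another machine, as the post does, keeps it usable when the upgraded server itself is the thing that broke.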