Keeping FreeBSD up-to-date

Dru Lavigne
Dec. 08, 2004 02:43 PM
There are quite a few applications available to assist you in keeping your system up-to-date. My script uses several third-party components. Here, I'll quickly add the necessary packages; you can "grep" through "pkg_info" to see if any of these are already installed on your system:
# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup
# pkg_add -r portupgrade
# pkg_add -r freebsd-update
# pkg_add -r docproj-nojadetex
To use "cvsup", you'll need a supfile. Mine keeps src, ports, and docs up-to-date for a FreeBSD 5.3 system: src follows the RELENG_5_3 security branch, while ports and docs follow HEAD (tag=.):
# more /root/cvs-supfile
*default host=cvsup.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.
If this is your first "cvsup", don't forget to make a directory for it to use:
# mkdir /usr/local/etc/cvsup
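A typo in the supfile is more dangerous than it looks: cvsup does not validate tag names, so a misspelled tag behaves like a valid tag that happens to match no files, and with "delete" in the release line cvsup then removes the existing tree under "prefix". The checker below is an added example written for this article; it is not part of the original post or of cvsup. It accepts a supfile like the one above and rejects malformed "*default" lines, whitespace around "=", missing host/prefix/release defaults, and tags outside the shapes it knows. That allow-list of tag shapes (".", RELENG_N, RELENG_N_M and RELENG_N_M_P_RELEASE) is an assumption for the example; extend it for the branches you actually track.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a cvsup supfile
# before running cvsup on it. cvsup treats a misspelled tag as a valid tag
# matching no files, and with "delete" set it then removes the existing
# tree. The tag shapes accepted by check_tag are an assumption for this
# example; extend them for the branches you track.

# check_tag TAG: 0 if TAG is "." (HEAD) or a RELENG_* branch/release tag.
check_tag() {
    case "$1" in
        .) return 0 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^RELENG_[0-9]+(_[0-9]+)?$|^RELENG_[0-9]+_[0-9]+_[0-9]+_RELEASE$'
}

# check_supfile FILE: 0 if FILE looks safe to feed to cvsup, 1 otherwise.
# Each problem is reported on stderr with its line number.
check_supfile() {
    supfile="$1"
    rc=0
    lineno=0
    have_host=0
    have_prefix=0
    have_release=0
    set -f                      # no pathname expansion while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            '*default '*) ;;                     # well-formed default line
            '*'*)                                # "* default", "*defualt", ...
                echo "$supfile:$lineno: malformed default line: $line" >&2
                rc=1
                continue ;;
        esac
        for word in $line; do
            case "$word" in
                '='*|*'=')                       # "host = foo" split by spaces
                    echo "$supfile:$lineno: whitespace around '=' in: $line" >&2
                    rc=1 ;;
                tag=*)
                    tag="${word#tag=}"
                    if ! check_tag "$tag"; then
                        echo "$supfile:$lineno: suspicious tag '$tag'" >&2
                        rc=1
                    fi ;;
                host=*)    have_host=1 ;;
                prefix=*)  have_prefix=1 ;;
                release=*) have_release=1 ;;
            esac
        done
    done < "$supfile"
    set +f
    if [ "$have_host$have_prefix$have_release" != 111 ]; then
        echo "$supfile: missing one of host=, prefix=, release= defaults" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh check_supfile.sh /root/cvs-supfile [more supfiles...]
for f in "$@"; do
    check_supfile "$f" || exit 1
done
```

Run it against the supfile before the first cvsup and after every edit; a non-zero exit means fix the reported line before letting cvsup loose with "delete" enabled. Shape checking cannot catch a branch that is spelled plausibly but does not exist, so still compare the tag against the release you are running.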
While these configurations can keep things up-to-date, I also wanted to script a daily check for operating system security patches using "freebsd-update" as mentioned in Richard Bejtlich's November 25th blog.
This program won't work until you rename this program's configuration file:
# mv /usr/local/etc/freebsd-update.conf.sample \
/usr/local/etc/freebsd-update.conf
Hack #89 in BSD Hacks explains that the cvsup'd doc changes are in SGML and how to use "docproj-nojadetex" to convert them to HTML. Be aware that if you use a "refuse" file with "cvsup" to skip the languages you don't want, the doc build ("make install" under /usr/doc) will abort with an error as soon as it reaches the directory of a language you refused.
You can edit "/usr/doc/Makefile" to remove the languages you don't "cvsup". For example, mine now looks like this:
# $FreeBSD: doc/Makefile,v 1.34 2004/09/27 00:26:48 josef Exp $
#
# The user can override the default list of languages to build and install
# with the DOC_LANG variable.
#
.if defined(DOC_LANG) && !empty(DOC_LANG)
SUBDIR = ${DOC_LANG}
.else
SUBDIR = en_US.ISO8859-1
.endif
Unfortunately, "cvsup" will overwrite your changes to this file on every run. One work-around is to save a copy of your edited Makefile once, and have your update script put it back after each cvsup:
# cp /usr/doc/Makefile /usr/doc/Makefile.orig
A cleaner alternative, which the Makefile's own comment points out, is to leave the file alone and set DOC_LANG instead, either in /etc/make.conf or on the make command line; then there is nothing for cvsup to clobber. The other work-around is to not use a "refuse" file at all.
Finally, make a script to tie everything together:
# more /root/cvsup
#!/bin/sh
# Use fastest_cvsup to find the fastest geographically
# close mirror; I'll check Canada and the US.
if SERVER=`fastest_cvsup -q -c ca,us` && [ -n "$SERVER" ]
then
    echo "Running cvsup"
    cvsup -L2 -h "$SERVER" /root/cvs-supfile || exit 1
else
    echo "There's a problem finding a cvsup mirror" 1>&2
    exit 1
fi

# -U (which takes a long time to execute) isn't needed
# with the fetchindex command.
echo "Updating ports index"
cd /usr/ports || exit 1
make fetchindex
portsdb -u

# Put back the edited Makefile that cvsup just overwrote,
# then send the copious build output to the bit bucket.
echo "Updating docs"
cd /usr/doc || exit 1
cp Makefile.orig Makefile
make install > /dev/null

echo "Looking for security patches"
freebsd-update fetch

echo "The following ports need upgrading"
portversion -l "<"
echo "Finished at `/bin/date`."
exit 0
Make your script executable and give it a go, watching for any error messages.
I like to run this script manually (while drinking my morning coffee) so I can watch its output. This gives me an idea of which src, ports, and docs have changed. Because RELENG_5_3 is a security branch, new source almost always means a security advisory or errata fix has just been committed. And I certainly want to know if there are any new docs so I can check them out.
I also want to look at the output of freebsd-update; if there's a security vulnerability in the operating system, I want to know about it.
This script will NOT upgrade your ports; instead, it will tell you which ports need upgrading. I like to manually run "portupgrade -arR", once I've determined that I do indeed want to upgrade all of my ports.
I also considered including "/usr/ports/security/portaudit" in the script, but decided it added too much additional output. Instead, I enabled it as a periodic script so the results are emailed to root. Once the package is installed, see "man portaudit" for details.
Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
portmanager
2004-12-09 06:45:27 Thomas80
I like to use portmanager instead of portupgrade. It's very easy to use:
portupgrade -s to show whether there are out-of-date ports
portupgrade -u to upgrade ports
/usr/ports/sysutils/portmanager
http://portmanager.sourceforge.net/
Cron jobs
2004-12-08 16:45:22 cperciva
Just a note to anyone who might be tempted to run the above script from a cron job: "freebsd-update fetch" doesn't like being run from cron(8). This is deliberate -- after experiencing a few accidental distributed denial of service attacks from ntp-synchronized systems (e.g., 50 systems all fetching updates at exactly 3:00:00 AM), I added code to make sure this wouldn't happen again.
If you want to use a cron job, run "freebsd-update cron" instead (the manual page gives more details).
This work is licensed under a Creative Commons License.



If you are new to FreeBSD as I am, please make sure that your cvs-supfile is correct; mine looked like this:
I had too many spaces and that caused CVSup to delete my /usr/src directory every time I tried to CVSup. You may also try to do make buildworld and get this output.
Make sure that your CVSup file looks like Dru's.