Message-ID: <20110415192032.GA84@drozd.smutek.pl>
Date: Fri, 15 Apr 2011 21:20:33 +0200
From: Piotr Meyer <aniou@...tek.pl>
To: owl-dev@...ts.openwall.com
Subject: Re: usage of BSD ports for Owl

On Fri, Apr 15, 2011 at 10:17:04PM +0400, (GalaxyMaster) wrote:
> My concern is how pkgsrc would handle bulk installation on a bunch of
> servers? updates? I never worked with ports before, so my questions
> may be dumb, but with binary packages it's quite trivial to support a
> park of servers and do updates/modification of a set of package across
> these servers. Recently, I needed to install 30+ systems in a day. If
> we had ports, would I need to build packages on each of these 30+ boxes?

Fortunately, updating or bulk installing pkgsrc may be very easy. The whole
installation resides in the /usr/pkg directory (typically) and can be tarred,
rsynced and moved without problems - especially when the pkgsrc metadata is
also located in /usr/pkg (it's configurable but not the default).

In my case: I have a separate build environment (in some cases it's
simply a chroot). After building a new version I upgrade packages in a test
environment. If all things are OK I use a simple script that does an rsync
from the 'template' to the rest of the servers. I never build packages on
a 'production' server, even if this is a standalone install - it's unreliable,
pkgsrc can automagically (re|un)install upgraded packages, it's a Bad Idea for
a running service ;)

When I plan Really Big Changes I can always preserve the old root by
mv /usr/pkg /usr/pkg.[date] and install a totally new version in /usr/pkg.

The biggest pkgsrc advantages for me are:

- OS-agnostic nature of pkgsrc. It's not a FreeBSD project, it's not
  a gentoo-specific project: pkgsrc is usable in various linux distros
  (I work mostly with Debian/RHEL-based), Haiku, DragonFly and even
  Minix.

- automatic builds: You can set every option in the global config file
  (mk.conf) and then build an 'empty' package that depends on all needed
  applications. In most cases everything finishes without user interaction.
  For example I have my own makefiles that simply build complete
  mail (postfix, dovecot, amavisd, clamav) or www servers (php and all
  typically requested modules) after one 'make package'.

- pkgsrc is easily configurable:
  Packages are defined by makefiles[1] (the global config is a makefile too).
  Typical options for individual packages look like the following ('-' means
  'without'):

    PKG_OPTIONS.nginx= ssl pcre
    PKG_OPTIONS.php= suhosin
    PKG_OPTIONS.screen= ncurses
    PKG_OPTIONS.mysql5= -embedded-server -ndb-cluster

  pkgsrc is highly configurable, many daemons allow precise settings,
  for example:

    # uids and gids
    PKG_UID.nginx= 788
    PKG_GID.nginx= 788

  Sets the preferred uid and gid for the user/group nginx (used by - surprise
  - the nginx daemon ;)

- pkgsrc has a 'vulnerabilities' file, maintained by the security team, and
  tools for reporting (also during builds) vulnerable packages.
  IMVHO it's the biggest advantage.

  Typical audit session (usually run from cron):

    $ audit-package
    Package rsync-3.0.4nb1 has a denial-of-service vulnerability,
     see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097

  Sample build (in linux environment 'bmake package'):

    # make package
    => Bootstrap dependency digest>=20010302: found digest-20080510
    WARNING: Deprecated variable _ACCEPTABLE found, use SKIP_LICENSE_CHECK=yes
    ===> Checking for vulnerabilities in rsync-3.0.7
    Package rsync-3.0.7 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
    ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
    *** Error code 1

    Stop.
    make: stopped in /usr/pkgsrc/net/rsync

1 - http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/meta-pkgs/gnome/Makefile

PS. Yes, I declared a simple howto for Owl, but I was very busy in the last
days...

PS2. Web frontend for pkgsrc: http://pkgsrc.se/
     Cvsweb: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/
     Mailing lists archives: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc
     pkgsrc-work-in-progress project: http://pkgsrc-wip.sourceforge.net/

--
Piotr 'aniou' Meyer
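
Added example, not part of the original message and not pkgsrc code: a small Python filter for the cron audit described above, turning the finding lines into records grouped by advisory and noting whether a build was stopped. The line shape is taken only from the two outputs quoted in the message; the function names and the name/version split at the last hyphen are assumptions.

```python
import re
import sys
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "package name version kind url")

# Finding line as it appears in the outputs quoted in the message. Using \s+
# between tokens lets a finding wrapped across two lines still match.
FINDING_RE = re.compile(
    r"Package\s+(\S+)\s+has\s+an?\s+(\S+)\s+vulnerability,\s+see\s+(\S+)")
# Assumption: the version is everything after the last hyphen.
PKG_RE = re.compile(r"^(.+)-([^-]+)$")
# The stopped build names this override in its ERROR line.
BLOCKED_RE = re.compile(r"^ERROR:.*ALLOW_VULNERABLE_PACKAGES", re.M)

def parse_findings(text):
    """Return de-duplicated findings in order of first appearance."""
    seen, out = set(), []
    for pkg, kind, url in FINDING_RE.findall(text):
        if (pkg, kind, url) in seen:
            continue
        seen.add((pkg, kind, url))
        m = PKG_RE.match(pkg)
        name, version = m.groups() if m else (pkg, "")
        out.append(Finding(pkg, name, version, kind, url))
    return out

def by_advisory(findings):
    """Group affected package versions under each advisory URL."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f.url].append(f.package)
    return dict(grouped)

def build_blocked(text):
    """True when the log shows a build refused because of a finding."""
    return bool(BLOCKED_RE.search(text))

# Sample input: audit and build lines copied from the message above.
SAMPLE = """\
Package rsync-3.0.4nb1 has a denial-of-service vulnerability,
 see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
===> Checking for vulnerabilities in rsync-3.0.7
Package rsync-3.0.7 has a denial-of-service vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1097
ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for url, pkgs in by_advisory(parse_findings(text)).items():
        print(url, ", ".join(pkgs))
    sys.exit(1 if parse_findings(text) else 0)  # non-zero makes cron mail it
```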