Keeping FreeBSD up-to-date

by Dru Lavigne

Those of you who have a copy of BSD Hacks will find a copy of my old up-to-date script on page 343. You can just skim over the bits of this blog that you're already familiar with. And for those who haven't tried scripting (or even using) "cvsup", I've included step-by-step directions for the pieces you need and how to put them all together.

There are quite a few applications available to assist you in keeping your system up-to-date. My script uses several third-party components. Here, I'll quickly add the necessary packages; you can "grep" through "pkg_info" to see if any of these are already installed on your system:

# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup
# pkg_add -r portupgrade
# pkg_add -r freebsd-update
# pkg_add -r docproj-nojadetex

To use "cvsup", you'll need a cvsup file (a "supfile"). Mine keeps src, ports, and docs up-to-date on a FreeBSD 5.3 system:

# more /root/cvs-supfile
*default host=cvsup.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.

If this is your first "cvsup", don't forget to make a directory for it to use:

# mkdir /usr/local/etc/cvsup

While these configurations can keep src, ports, and docs up-to-date, I also wanted to script a daily check for operating system security patches using "freebsd-update", as mentioned in Richard Bejtlich's November 25th blog.

"freebsd-update" won't run until you rename its sample configuration file:

# mv /usr/local/etc/freebsd-update.conf.sample \
/usr/local/etc/freebsd-update.conf

Hack #89 in BSD Hacks explains that the cvsup'd doc changes are in SGML and shows how to use "docproj-nojadetex" to convert them to HTML. Note that if you use a "refuse" file with "cvsup" to skip some languages, the doc build ("make install" in /usr/doc) will abort with an error once it encounters the missing doc files for the languages you don't "cvsup".

You can edit "/usr/doc/Makefile" to remove the languages you don't "cvsup". For example, mine now looks like this:

# $FreeBSD: doc/Makefile,v 1.34 2004/09/27 00:26:48 josef Exp $
#
# The user can override the default list of languages to build and install
# with the DOC_LANG variable.
#
.if defined(DOC_LANG) && !empty(DOC_LANG)
SUBDIR = ${DOC_LANG}
.else
SUBDIR = en_US.ISO8859-1
.endif

Unfortunately, "cvsup" will overwrite your changes to this file. One work-around is to save a copy of your edited Makefile before you run cvsup, and have your script copy it back afterwards:

# cp /usr/doc/Makefile /usr/doc/Makefile.orig

The other work-around is to not use a "refuse" file at all.

Finally, make a script to tie everything together:

# more /root/cvsup
#!/bin/sh

# Use fastest_cvsup to find the fastest geographically close mirror;
# I'll check Canada and the US.  Only run cvsup if a server was found.
if SERVER=`fastest_cvsup -q -c ca,us`
then
    echo "Running cvsup"
    cvsup -L2 -h "$SERVER" /root/cvs-supfile
else
    echo "There's a problem finding a cvsup server" 1>&2
    exit 1
fi

# -U (which takes a long time to execute) isn't needed
# with the fetchindex command.
echo "Updating ports index"
cd /usr/ports || exit 1
make fetchindex
portsdb -u

# Put back the trimmed Makefile saved before cvsup, then build the docs,
# sending the copious output to the bit bucket.
echo "Updating docs"
cd /usr/doc || exit 1
cp Makefile.orig Makefile
make install > /dev/null

echo "Looking for security patches"
freebsd-update fetch

echo "The following ports need upgrading"
portversion -l "<"

echo "Finished at `/bin/date`."
exit 0

Make your script executable and give it a go, watching for any error messages.

I like to run this script manually (while drinking my morning coffee) so I can watch its output. This gives me an idea of which src, ports, and docs have changed. If there's new source, there's probably a new security vulnerability. And I certainly want to know if there are any new docs so I can check them out.

I also want to look at the output of freebsd-update; if there's a security vulnerability in the operating system, I want to know about it.

This script will NOT upgrade your ports; instead, it will tell you which ports need upgrading. I like to manually run "portupgrade -arR", once I've determined that I do indeed want to upgrade all of my ports.

I also considered including "/usr/ports/security/portaudit" in the script, but decided it added too much additional output. Instead, I enabled it as a periodic script so the results are emailed to root. Once the package is installed, see "man portaudit" for details.

3 Comments

cperciva
2004-12-08 16:45:22
Cron jobs
Just a note to anyone who might be tempted to run the above script from a cron job: "freebsd-update fetch" doesn't like being run from cron(8). This is deliberate -- after experiencing a few accidental distributed denial of service attacks from ntp-synchronized systems (e.g., 50 systems all fetching updates at exactly 3:00:00 AM), I added code to make sure this wouldn't happen again.


If you want to use a cron job, run "freebsd-update cron" instead (the manual page gives more details).
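As an added example (not Dru's script and not part of freebsd-update itself), here is a cron-safe variant of the update script from the post that applies cperciva's note: it runs "freebsd-update cron" when no terminal is attached and "freebsd-update fetch" when run by hand, checks each step's exit status instead of carrying on after a failed cvsup or a failed cd, and only restores /usr/doc/Makefile when the saved copy exists. The paths, mirror countries and commands are the post's own; the log file location and the "no terminal on stdin means unattended" heuristic are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cron-safe update driver.
# Usage by hand:  sh cvsup-daily run        (output to the terminal)
# Usage from cron: sh cvsup-daily run       (output appended to $LOG)

SUPFILE=/root/cvs-supfile
DOCDIR=/usr/doc
PORTSDIR=/usr/ports
LOG=/var/log/cvsup-daily.log   # assumed location for unattended runs

# update_mode -> "fetch" when stdin is a terminal (interactive run),
# "cron" otherwise, so unattended runs use freebsd-update's own
# randomized delay instead of all fetching at the same second.
update_mode() {
    if [ -t 0 ]; then echo fetch; else echo cron; fi
}

# run_step LABEL COMMAND... -> runs COMMAND, reports a failure on stderr,
# and returns the command's exit status so the caller can decide to stop.
run_step() {
    label=$1; shift
    echo "==> $label"
    "$@"
    status=$?
    [ $status -eq 0 ] || echo "!!! $label failed (exit $status)" 1>&2
    return $status
}

# restore_doc_makefile DIR -> copies DIR/Makefile.orig (the trimmed
# language list saved before cvsup) over DIR/Makefile; returns 1 when the
# saved copy is missing so the caller can skip the doc build.
restore_doc_makefile() {
    dir=$1
    if [ -f "$dir/Makefile.orig" ]; then
        cp "$dir/Makefile.orig" "$dir/Makefile"
    else
        echo "!!! $dir/Makefile.orig missing; skipping doc build" 1>&2
        return 1
    fi
}

# main -> the same sequence as the post's script, with error checks.
main() {
    SERVER=`fastest_cvsup -q -c ca,us` || { echo "no cvsup server found" 1>&2; exit 1; }
    # Don't rebuild indexes or docs on top of a half-fetched tree.
    run_step "cvsup from $SERVER" cvsup -L2 -h "$SERVER" "$SUPFILE" || exit 1

    cd "$PORTSDIR" || exit 1
    run_step "fetch ports index" make fetchindex
    run_step "rebuild ports db" portsdb -u

    cd "$DOCDIR" || exit 1
    if restore_doc_makefile "$DOCDIR"; then
        # make's copious output goes to the bit bucket; run_step's report does not
        run_step "build docs" sh -c 'make install > /dev/null'
    fi

    run_step "freebsd-update $(update_mode)" freebsd-update "$(update_mode)"

    echo "The following ports need upgrading"
    portversion -l "<"
    echo "Finished at `/bin/date`."
}

# Only start the update when invoked with "run"; loading the file for its
# functions (as a test harness does) runs nothing.
case "${1:-}" in
    run) if [ -t 0 ]; then main; else main >> "$LOG" 2>&1; fi ;;
esac
```

Because every step goes through run_step, a failure is visible in the log (or in the morning-coffee terminal) rather than buried in the output that follows it, and the cvsup failure stops the run before the ports index and docs are rebuilt from an inconsistent tree.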

Thomas80
2004-12-09 06:45:27
portmanager
I like to use portmanager instead of portupgrade. It's very easy to use:

portupgrade -s to show whether there are out-of-date ports
portupgrade -u to upgrade ports

/usr/ports/sysutils/portmanager
http://portmanager.sourceforge.net/

swygue
2004-12-09 16:01:46
Tip for Newbie

If you are new to FreeBSD as I am, please make sure that your cvs-supfile is correct. Mine looked like this:

*default host=cvsup2.FreeBSD.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3_0
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.

I had too many spaces and that caused CVSup to delete my /usr/src directory every time I tried to CVSup. You may also try to do make buildworld and get this output:

"make don't know how to make buildworld. Stop"

Make sure that your CVSup looks like Dru's.
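The supfile is the one input to this whole procedure that, as swygue's comment shows, can quietly do damage when it is malformed, and Dru's "don't forget to make a directory" step is another easy thing to miss. As an added example (not part of the post, the comments, or cvsup itself), here is a small structural check to run over a supfile before handing it to cvsup. It reports lines with leading whitespace, tokens that are neither key=value with a key seen on this page nor one of the flag words the page's supfiles use, and a "*default base" directory that does not exist yet. The keyword and flag lists are limited to what appears on the page and are an assumption, not cvsup's complete grammar; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: structural supfile check.
# Keywords and flags below are those used on the page (an assumption).
SUPFILE_KEYS="host base prefix tag release"
SUPFILE_FLAGS="delete use-rel-suffix compress"

# check_token TOKEN -> 0 if TOKEN is key=value with a known key and a
# non-empty value, or a known flag word; 1 otherwise.
check_token() {
    tok=$1
    case "$tok" in
        *=*)
            key=${tok%%=*}
            val=${tok#*=}
            [ -n "$val" ] || return 1
            for k in $SUPFILE_KEYS; do [ "$key" = "$k" ] && return 0; done
            return 1 ;;
        *)
            for f in $SUPFILE_FLAGS; do [ "$tok" = "$f" ] && return 0; done
            return 1 ;;
    esac
}

# check_supfile FILE -> prints one line per problem and returns the number
# of problems (0 means the file has the shape of the page's examples).
check_supfile() {
    file=$1
    problems=0
    lineno=0
    tab=$(printf '\t')
    set -f    # no pathname expansion while splitting "*default ..." lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '' | '#'*) continue ;;
            ' '* | "$tab"*)
                echo "$file:$lineno: leading whitespace: '$line'"
                problems=$((problems + 1))
                continue ;;
        esac
        set -- $line
        first=$1; shift
        case "$first" in
            '*default') ;;
            *[!A-Za-z0-9_-]*)
                echo "$file:$lineno: bad collection name '$first'"
                problems=$((problems + 1))
                continue ;;
        esac
        for tok in "$@"; do
            check_token "$tok" || {
                echo "$file:$lineno: unrecognised token '$tok'"
                problems=$((problems + 1))
            }
        done
    done < "$file"
    set +f
    return $problems
}

# supfile_base FILE -> prints the directory named by "*default base=".
supfile_base() {
    awk '$1 == "*default" { for (i = 2; i <= NF; i++)
            if ($i ~ /^base=/) { sub(/^base=/, "", $i); print $i } }' "$1"
}

# check_base_dir FILE -> 0 if the base directory exists, 1 with a hint if not
# (the "mkdir /usr/local/etc/cvsup" step from the post).
check_base_dir() {
    base=$(supfile_base "$1")
    [ -n "$base" ] && [ -d "$base" ] && return 0
    echo "base directory '$base' missing; run: mkdir -p $base" 1>&2
    return 1
}

# Constructed samples: Dru's supfile from the post, and one containing the
# two kinds of mistake the checker catches (stray indentation, a typo).
SAMPLE_DIR=$(mktemp -d)
GOOD_SUPFILE=$SAMPLE_DIR/cvs-supfile
BAD_SUPFILE=$SAMPLE_DIR/cvs-supfile.bad
cat > "$GOOD_SUPFILE" <<'EOF'
*default host=cvsup.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.
EOF
cat > "$BAD_SUPFILE" <<'EOF'
*default host=cvsup2.FreeBSD.org
  *default tag=RELENG_5_3_0
*default release=cvs delte compress
src-all
EOF

# Usage: sh supfile-check.sh /root/cvs-supfile
if [ $# -gt 0 ]; then
    check_supfile "$1" && check_base_dir "$1" && echo "$1 looks sane"
fi
```

Running it over the constructed bad file reports the indented "*default tag" line and the misspelled "delte" flag and exits with status 2; the copy of Dru's supfile passes with status 0. Putting such a check at the top of the update script means a bad edit is caught before cvsup ever starts deleting files.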