Patching 3.0 with minimal code


Post by Steven Cardina » Thu, 14 Mar 2002 01:46:16



I will be deploying a number of OpenBSD firewall/VPN boxes to remote sites.
Because of their nature, they will not be running nfs, smb, etc, nor will
they have source or compilers installed on the system.  I'm trying to
determine how to keep these systems patched.

I figured I would keep a system in my lab with all the source and compilers,
apply the patches there, performing all 'make' steps up to 'make install'.
After that, I'd tar the directory (tar zcvf ssh.tgz /usr/src/usr.bin/ssh/
for instance), copy that to my firewall over sftp and run 'make install'
over there.
Unfortunately, I get errors related to bsd.man.mk among others - files
which aren't in the src branch, but exist on both machines.

Does anyone have a better way of applying patches?  I like OBSD for its
attention to security, but attention to making it manageable in a production
environment has been pretty poor (lack of automated install process, ala
KickStart, is another pet peeve).

The last time I asked this question, the responses included using rsync or
nfs - neither of which would I ever put on a firewall box.  Hopefully I will
get more realistic answers this time.

Oh, I do like that I can patch the kernel and just copy the new bsd file to
my other systems.

Thanks
Steve

 
 
 


Post by William Aher » Thu, 14 Mar 2002 04:17:24


<snip>
> The last time I asked this question, the responses included using rsync or
> nfs - neither of which would I ever put on a firewall box.  Hopefully I will
> get more realistic answers this time

> Oh, I do like that I can patch the kernel and just copy the new bsd file to
> my other systems.

<snip>

so, why not just copy over the application binaries, as well?

you could throw together a commandline using find(1), tar(1) and xargs(1)
that would search out executables written after some timestamp and include
them in a tarball.

am i missing something? the shell kicks butt. i wrote a 20 line script to
put together a "backup utility" that rivals anything i could find elsewhere,
and tailored to exactly what i need.

maybe something like:

cd /
find . -type f -cmin -5 | xargs tar -czf latest.tgz

iow, find files updated within the last 5 minutes. xargs takes the newline
delimited list from find, and appends it as a space delimited list to the tar
command.

or, that's how i think it should work. play w/ it, a bit. you could do a
cron job, and use scp. create the tarball, scp it over to a location on the
remote machine. have a cron job running that checks some directory for the
update tarball. if it's new, untar it. voilà! make sure to restart your
services, when something is updated. maybe grep through ps or /var/run and
issue sig HUP to the right daemons.

 
 
 


Post by Ted » Thu, 14 Mar 2002 04:33:55



> Does anyone have a better way of applying patches?  I like OBSD for its
> attention to security, but attention to making it manageable in a production
> environment has been pretty poor (lack of automated install process, ala
> KickStart, is another pet peeve)

scp for simple things.  Or see man release.

--
Ted, toll collector of the information superhighway

 
 
 


Post by Steven Cardina » Thu, 14 Mar 2002 22:09:06


I'll look into that - I was thinking I needed something to figure out what
'make install' was actually doing, so as to figure out what needed to be
copied where - some perl script that could parse a Makefile. I suppose if I
wait long enough between all the 'make'ing and then perform a make install,
I could see what changed.

Not at my BSD boxes right now - any idea if the -n flag with make install
would be a suitable alternative, so as to build an install script?  I was
reading more through the make man page yesterday and noticed the -n will
show what make would do, but not actually do it.

Thanks for the input - I figured using scp or sftp would be fine to move the
files over - that is what I use now - I was more looking for input as to
figuring out what minimal pieces of code needed to be moved - I'll try -n
and if that doesn't work, search via timestamp.

Cheers
Steve



> <snip>
> > The last time I asked this question, the responses included using rsync or
> > nfs - neither of which would I ever put on a firewall box.  Hopefully I will
> > get more realistic answers this time

> > Oh, I do like that I can patch the kernel and just copy the new bsd file to
> > my other systems.
> <snip>

> so, why not just copy over the application binaries, as well?

> you could throw together a commandline using find(1), tar(1) and xargs(1)
> that would search out executables written after some timestamp and include
> them in a tarball.

> am i missing something? the shell kicks butt. i wrote a 20 line script to
> put together a "backup utility" that rivals anything i could find elsewhere,
> and tailored to exactly what i need.

> maybe something like:

> cd /
> find . -type f -cmin -5 | xargs tar -czf latest.tgz

> iow, find files updated within the last 5 minutes. xargs takes the newline
> delimited list from find, and appends it as a space delimited list to the tar
> command.

> or, that's how i think it should work. play w/ it, a bit. you could do a
> cron job, and use scp. create the tarball, scp it over to a location on the
> remote machine. have a cron job running that checks some directory for the
> update tarball. if it's new, untar it. voilà! make sure to restart your
> services, when something is updated. maybe grep through ps or /var/run and
> issue sig HUP to the right daemons.
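
An added example, not code from any poster in this thread: one way to turn the `make -n install` output discussed above into an explicit list of installed files and pack exactly those, rather than sweeping by timestamp. It assumes BSD install(1) syntax with one command per line; the dry-run sample is constructed, and the function names and /usr/local/example are hypothetical.

```shell
#!/bin/sh
# Added example: derive the list of installed files from `make -n install`
# output instead of sweeping the filesystem by timestamp.

# CONSTRUCTED sample of dry-run output (BSD install(1) style); real output
# depends on the Makefile. /usr/local/example is a made-up path.
sample_dry_run() {
cat <<'EOF'
install -c -s -o root -g bin -m 555 ssh /usr/bin/ssh
install -c -o root -g bin -m 444 ssh.cat1 /usr/share/man/cat1/ssh.0
install -d -o root -g wheel -m 755 /usr/local/example
install -c -o root -g wheel -m 644 a.conf sub/b.conf /usr/local/example/
EOF
}

# Read dry-run output on stdin, print one installed path per line.
# Assumes one install command per line and that -o/-g/-m/-f/-B are the only
# options taking an argument. A directory target is recognised by a trailing
# slash or by having several source files; `install -d` lines are skipped.
install_targets() {
    awk '
    $1 == "install" || $1 ~ /\/install$/ {
        n = 0; mkdirs = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-[ogmfB]$/) { i++; continue }  # skip option + its value
            if ($i ~ /^-/) { if ($i == "-d") mkdirs = 1; continue }
            op[++n] = $i                               # operand (source or target)
        }
        if (mkdirs || n < 2) next
        dest = op[n]
        if (n > 2 || dest ~ /\/$/) {                   # target is a directory
            sub(/\/$/, "", dest)
            for (j = 1; j < n; j++) {
                base = op[j]; sub(/.*\//, "", base)
                print dest "/" base
            }
        } else print dest
    }' | LC_ALL=C sort -u
}

# Pack the listed files, as relative paths, from a root directory.
# usage: pack_targets ROOT LIST OUT   (LIST and OUT must be absolute paths)
pack_targets() {
    ( cd "$1" && sed 's|^/||' "$2" | xargs tar -czf "$3" )
}

sample_dry_run | install_targets
```

Because the archive holds relative paths, it can be unpacked on the target with tar's -C / option; tar exits non-zero if a listed file is missing, so an incomplete build is caught on the lab machine.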

 
 
 
