Help understanding basic FreeBSD concepts (ports, updates, jails)

Hello all,

I'm coming from Linux and I would appreciate it if I could get some
help understanding some basic FreeBSD concepts.
Here is the output of 'uname -r' is "7.2-RELEASE-p4".

My first concerned is how do I keep FreeBSD up to date.
According to the FreeBSD site, the lastest production release is 7.2.
Is this the version that is recommended to have in a production
server?
According to what I have read from the Handbook and searches in
google, the way to stay up to date
binary wise is to use "freebsd-update", is this correct?
I believe freebsd-update will update the base system but not the
ports. Please correct me if I'm wrong.

My second concerned is the ports. In the file "ports-supfile" there is
one option, "*default release=cvs tag=.".
I believe this specifies which cvs tag to use when pulling files from
the ports. At one point I had "*default release=cvs
tag=RELEASE_7_2_0".
When I pulled the ports using the "RELEASE_7_2_0" tag and tried to
build "portsupgrade" the installation failed because the ruby version
that was going to be installed I believe had a security problem. (I
love the fact that I was stopped from installing software that is
KNOWN to be vulnerable).
I figured that maybe I needed to get the latest version. So I went
ahead and changed the cvs tag to "." (which I believe means the head
version).
I updated the ports and then tried the installation again, this time
the installation went further but failed again due to the fact that
my libtool (I can't remember the exact name) was older than what the
installation required. So that threw me off.
I believe that libtool is part of the base system and not the ports, correct?
 So that made me think that maybe because of using the latest version
of the ports I can build certain ports if my base is not
concurrent (in terms of what the ports requires and what my system
offers) with the port system.
So my question is this, if my FreeBSD release is 7.2-RELEASE-p4 which
tag should I set for the ports system?
Should I put the tag "RELEASE_7_2_0" and then wait for a security fix
of the particular port (ruby) and then proceed to install?
What is the recommended approach if your aim is to have your system up
to date and stable?
Another question that I have about the port system is, if LibX has a
security update (or simply a bug fix) and programs from the ports
programA, programB and programC depend on that library what is the
recommended way to perform the upgrade that will also handle upgrading
those programs?

My third item is jails. I currently have only one external IP. I would
like to setup two jails, one for apache and the other for postfix.
Would that require more external IPs? If I wanted to have ssh access
to the host and the jails that would definitely will require 3
external IPs right?

Thank you very much for your time and patience,

-r
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

Roger wrote:
Yes.

> According to what I have read from the Handbook and searches in
> google, the way to stay up to date
> binary wise is to use "freebsd-update", is this correct?
>  

Yes, and...

> I believe freebsd-update will update the base system but not the
> ports. Please correct me if I'm wrong.
>
>  

you are right!

This is correct. For a ports supfile you would want to always get the
latest ports version, so tag=. will do it.
> I updated the ports and then tried the installation again, this time
> the installation went further but failed again due to the fact that
> my libtool (I can't remember the exact name) was older than what the
> installation required. So that threw me off.
>  

You have installed some ports from the DVD or compiled them using the
default (non-updated) ports tree. Your libtool (a port) is out of date
and you need to upgrade it. Use ports-mgmt/portupgrade to perform port
upgrades and read /usr/ports/UPDATING for special notes regarding
specific ports. You will find a note on libtool in there too.

> I believe that libtool is part of the base system and not the ports, correct?
>  

No, this is a port. If it were a base system component it would already
be up to date as you are running -p4

>  So that made me think that maybe because of using the latest version
> of the ports I can build certain ports if my base is not
> concurrent (in terms of what the ports requires and what my system
> offers) with the port system.
> So my question is this, if my FreeBSD release is 7.2-RELEASE-p4 which
> tag should I set for the ports system?
>  

Always use tag=. for the ports supfile. Your problem comes from the fact
you have already installed some older programs.

> Should I put the tag "RELEASE_7_2_0" and then wait for a security fix
> of the particular port (ruby) and then proceed to install?
> What is the recommended approach if your aim is to have your system up
> to date and stable?
>  

No. What I would recommend is to install a base system from CD, do not
install any packages from it (except maybe linux_base, the linux
emulation) and then after installation, proceed to update your ports
tree and install everything else from ports.
The packages in the official media get outdated very fast, and if you
are installing packages from a several months old release chances are
some of them will have to be upgraded before you can install other
packages from the updated ports tree. Spare yourself the time and
install everything from your updated ports tree.

> Another question that I have about the port system is, if LibX has a
> security update (or simply a bug fix) and programs from the ports
> programA, programB and programC depend on that library what is the
> recommended way to perform the upgrade that will also handle upgrading
> those programs?
>
>  
Yes, portupgrade (and other programs in the ports-mgmt/* category) can
handle this type of problem. Specific instructions for upgrading in this
case are listed in /usr/ports/UPDATING. These are usually something like
portupgrade -Rf pkg-x-y-z

> My third item is jails. I currently have only one external IP. I would
> like to setup two jails, one for apache and the other for postfix.
> Would that require more external IPs? If I wanted to have ssh access
> to the host and the jails that would definitely will require 3
> external IPs right?
>
>  
Not much experience with jails here, someone else will hopefully answer
this for you!


_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

In response to Manolis Kiagias <sonicy@...>:

> Roger wrote:
>
> > My third item is jails. I currently have only one external IP. I would
> > like to setup two jails, one for apache and the other for postfix.
> > Would that require more external IPs? If I wanted to have ssh access
> > to the host and the jails that would definitely will require 3
> > external IPs right?

You can do some funky address aliasing with (for example) pf or ipfw, but
it gets rather complex.

So, the answer is, "No, you don't need multiple IPs, but the setup gets
rather complicated if you don't have multiple IPs.  As a result, most
people who do this will have multiple IPs."

--
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

Roger wrote:
> Hello all,
>
> I'm coming from Linux and I would appreciate it if I could get some
> help understanding some basic FreeBSD concepts.

Roger,

I had a hard time with ports and core apps.  Here is a summary of what I
learned (taken from a post I made months ago):

===

Applications on a FreeBSD machine are broken into two categories:
1. Applications installed under /bin, /usr/bin, etc
2. Applications installed under /usr/local


The first group is called "core OS applications". The second is called
"ports applications." FreeBSD developers think carefully before deciding
in which group to place a new application.

Update applications in the first group using freebsd-update but first
decide whether you want RELEASE, STABLE, or CURRENT. Update applications
in the second group using CVS on the ports tree.

Sometimes applications in the second group will require an update to the
first group with a message like "Does not compile on FreeBSD < 7.0"

Some applications are in both groups and can exist simultaneously, such
as GCC.

===

Chris
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

Bill Moran wrote: Oh, it's not so complex as all that[*].  You will need at least an IP
per jail *but* these don't have to be on the external, world visible
network interface.  You can create aliases on the loopback interface for
this purpose.  The downside is that you have to use pf to redirect traffic
into the jail from the outside interface based on some unique combination
of IP number and network port, which means that you can't have eg. sshd(8)
in the host system and in the jail both listening on the external port 22.
You either have to hop through the host system or you have to redirect
traffic to some other some other ports (eg 2201 for the first jail, 2202
for the second) into the jailed sshd's.

I sketched out how to do this sort of thing in a post a year or so back:

http://lists.freebsd.org/pipermail/freebsd-questions/2008-March/171748.html

it should be fairly easy to generalise that to multiple jails.  

        Cheers,

        Matthew

[*] Well, alright, yes, it is quite an advanced topic and probably not
something you should be trying before you've got a bit more FreeBSD
experience under your belt.

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW

Hello all,

I have another concept that I'm confused about, the source distribution.
Some ports, like "lsof" require the existence of /usr/src.
What I don't understand is which version to use to keep synchronized
with the production release.
When the installed was performed the release was 7.2 but after doing
"freebsd-update" the release is now
7.2-p4. According to the documentation, I can track CURRENT, STABLE plus other.
Which one is the recommended one for a production server. I have not
build that many
packages that need the sources present so now would be a good time to
find out which one
I should use.

Thank you for your time and patience,

-r
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Sat, Nov 7, 2009 at 10:39 AM, Roger <rnodal@...> wrote:
There are three basic branches, CURRENT STABLE RELEASE

You want release.  You shouldn't run anything else unless you're willing and
able to help with testing, debugging, and development.

--
Adam Vande More
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

Roger wrote:

> Hello all,
>
> I have another concept that I'm confused about, the source distribution.
> Some ports, like "lsof" require the existence of /usr/src.
> What I don't understand is which version to use to keep synchronized
> with the production release.
> When the installed was performed the release was 7.2 but after doing
> "freebsd-update" the release is now
> 7.2-p4.

A RELEASE such as 7.2 has a maintenance period during which the security
team will apply security patches to the OS. Only the patches are applied,
the rest of the bulk of /usr/src is untouched. This is what the -p4 means.
The security support period for different releases can be located on the web
site. Some releases are designated "extended support", while others have
shorter time frames.


> According to the documentation, I can track CURRENT, STABLE plus
> other. Which one is the recommended one for a production server. I have
> not build that many
> packages that need the sources present so now would be a good time to
> find out which one
> I should use.
>

I don't use the binary freebsd-update myself, but still use the old csup the
source in /usr/src and the make buildworld/buildkernel/install dance. So I
tend to think in terms of CVS tags. The tag RELENG_7_2_0_RELEASE would fetch
the original release bits that never change. The tag RELENG_7_2 would fetch
the /usr/src that has the security patches applied.

The -p4 you observed means that freebsd-update used binaries built with
security patches applied. If there exists any question as to whether your
/usr/src is in sync you can simply csup your source with the RELENG_7_2 tag
in the supfile.

There is also another way to patch, and that is to apply patches manually.
Let's say, for example, the built in bind had a file or two that got
patched. You could rebuild just this one thing and after installing the bits
simply restart the daemon. Sometimes this is preferred when one needs to
prevent a security hole but doesn't want to reboot a server. A downside is
when you do this it does not register the "-p4" like you noticed.

For a production server I feel it is best to use production release. IMHO
there is one possible cause to consider STABLE for a production server and
that is if there is new code "Merged From Current" that addresses and
corrects a very specific problem. Let's say you have a particular NIC in
your server that is exhibiting an exact same (and reproducible) condition as
described in a bug report. If code which fixes this exact problem becomes
available it will be written in CURRENT, and after some testing if deemed to
be of sufficient quality it will be merged back to STABLE. Upgrading to
STABLE will then pull in this fix. IMHO I wouldn't normally consider this
unless there is an exact match between problem and fix.

-Mike


_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Sat, Nov 07, 2009 at 11:39:41AM -0500, Roger wrote:
You mentioned lsof but there is a utility in base which you probably
don't know about called fstat(1), which does a lot of what lsof does.

IIRC, the sources for 7.2 should be on the CD (run sysinstall(8) after
sticking the CD in). That will save you from downloading all the
sources.

Then update the sources with csup(1) using the correct tag: RELENG_7_2

There's a supfile, /usr/share/examples/cvsup/standard-supfile, which
you can change the default host and cvs tag of and it should work.

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvsup.html

goes into the details.


Regards,

--

 Frank

 Contact info: http://www.shute.org.uk/misc/contact.html


_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Sat, Nov 7, 2009 at 3:20 PM, Frank Shute <frank@...> wrote:

> You mentioned lsof but there is a utility in base which you probably
> don't know about called fstat(1), which does a lot of what lsof does.
>

Thank you for the tip. I will definitely look into it.
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Fri, Nov 6, 2009 at 9:31 AM, Roger <rnodal@...> wrote:

Don't bother with any of that. Just use portsnap. It's also part of base,
and was written by the same person that wrote freebsd-update. It's lovely
and much faster, although some people may argue with me on that.


I updated the ports and then tried the installation again, this time

For your system, use freebsd-update. For your ports tree, use portsnap. For
installed ports, use portupgrade or portmanager. I'm more fond of
portmanager, but it seems portupgrade has many more users. Both portupgrade
and portmanager are available in the ports tree, not base.

-- randi
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Sat 2009-11-07 19:19:52 UTC-0800, Randi Harper (randi@...) wrote:

> Don't bother with any of that. Just use portsnap. It's also part of
> base, and was written by the same person that wrote freebsd-update.
> It's lovely and much faster, although some people may argue with me on
> that.

> For your system, use freebsd-update.

Seconded.  Portsnap and freebsd-update are a cinch to use.

> For your ports tree, use portsnap. For installed ports, use
> portupgrade or portmanager. I'm more fond of portmanager, but it seems
> portupgrade has many more users. Both portupgrade and portmanager are
> available in the ports tree, not base.

I use portmaster and find it easy to use.  Not familiar with portmanager.
/usr/ports/UPDATING will often provide portmaster commands where
necessary and these can useful for upgrading some ports.  Maybe it's
easy to translate those commands to their equivalent portmanager commands.

Regards
Andrew
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

andrew clarke writes:

>  > Don't bother with any of that. Just use portsnap. It's also part of
>  > base, and was written by the same person that wrote freebsd-update.
>  > It's lovely and much faster, although some people may argue with me on
>  > that.
>  
>  > For your system, use freebsd-update.
>  
>  Seconded.  Portsnap and freebsd-update are a cinch to use.

        As for freebsd-update:
        It has limitations; /inter alia/ see the DESCRIPTION section of
the man page.  If that's something one can live with, use it.
        If it's not, then the OP really needs to get familiar with the
update-from-source method as described in the Handbook.  It's scary
at first (actually, it's still a teeny bit scary after ten years).
but it helps one understand what goes into making a working system
... which is a really good thing if something does manage to go
Horribly Wrong(tm).


                                Robert Huff

_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."

On Sat, 7 Nov 2009 10:57:54 -0600, Adam Vande More <amvandemore@...> wrote:
> There are three basic branches, CURRENT STABLE RELEASE
>
> You want release.  You shouldn't run anything else unless you're willing and
> able to help with testing, debugging, and development.

That's a quite generic answer, but basically I agree.

On a production system, in most cases RELEASE is the branch
you want to follow, beginning from X.Y-RELEASE and then
tacking the security updates X.Y-RELEASE-pZ. The tool
freebsd-update is very good for this task, especially
when you're not running a custom kernel.

STABLE is a good solution when you want to use a stable
system, but are interested in additions between the releases.
Things that are tested and found working are present in
STABLE and will often appear in the upcoming RELEASE.

CURRENT is interesting for you - as Adam said - for
testing and development, and if you are intendedly
interested in "bleeding edge" software. Note that it
can happen that a CURRENT system of today won't build,
but will tomorrow. It's the development branch.

In any case: You should re-install or re-compile ALL of
your applications when you perform the step to a new
release (e. g. 7.2 -> 8.0). You can install the 7-compat
port to avoid this (downward compatibility libraries).




--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
_______________________________________________
freebsd-questions@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@..."