# pkgng and Multiple Repositories Priority or Default+Fallback



## adams (Mar 5, 2014)

Here is what I'm trying to do:

Maintain my own repository for our few hundred servers and VMs (and for our clients).  There are a number of ports which we need to set custom options for (e.g. enable LDAP support, set preferred DB back end, etc.).  There is also the issue of security updates for key pieces of software.  However we're looking at 35-40 ports/packages at the moment (plus dependencies of course), and don't have the time or resources to build the entire ports tree every day to keep things updated for security patches.

In pkg.conf I've got this (as the defaults as far as I can tell otherwise suit our purposes):

```
PKG_MULTIREPOS : YES
```

Then in /usr/local/etc/pkg/repos I have two files:

```
00-freebsd.conf
10-ateamrepo-9_1-amd64.conf
```

I found that (at least in my testing) the 'last' file would get priority and if a package wasn't found it would go backwards through the order (i.e. it would use our ateamrepo, then fall back to the FreeBSD one).

All of this was pure guess and test based on the documentation and man pages.  I have yet to find a conclusive howto for using multiple repositories (that isn't old and outdated), much less how to set the 'priority' like this (or if it's even possible).  Since we've deployed this on a wider scale I have found now in practice that unless I manually specify our own repository, sometimes (seemingly randomly -- though I'm sure it's not) it will fall back to the FreeBSD repository for packages which are in both repositories -- the worst part being it will use FreeBSD's repository even when our own repository has a later version.

In my initial research the only thing close to finding some answers I found was this, which has inaccurate/old information:  http://forums.freebsd.org/viewtopic.php ... es#p212575.

Has anyone got any tips or know of a place with clearer documentation on this specific objective (or even if it's doable the way I am describing)?


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> adams said:
> and don't have the time or resources to build the entire ports tree every day to keep things updated for security patches.


You don't have to do this _every_ day. Keep an eye on pkg-audit(8) and only rebuild when there are actually security issues. Not every bug fix or update is a security update. Just keep your ports tree as-is and only update when it's actually necessary. With a couple of dozen packages (including Apache and PHP) we only build maybe once a month, and only when there are security issues.

Constantly updating everything may even introduce issues (when default versions change for example), it's better to do this in a more controlled manner. So just stick to a snapshot of the ports tree. Keep that tree and only update it when you're having issues or when there's a security update.


----------



## adams (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

We maintain lots of public facing web servers; part of the service we offer is keeping them updated.  We have an automatic system which presents `pkg audit`/portaudit information to us centrally so I'm very aware how often this happens -- it is quite frequent that things need updating due to security issues (PHP _cough_).  Rebuilding the entire ports tree every time this happens (even if it's not every day) I don't think is practical (read as: I would love to avoid it at all cost).  Instead I'd like to just rebuild the affected packages.


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

How are you building your packages? ports-mgmt/poudriere only rebuilds things when needed. You can start fresh every time but unless there's an issue I wouldn't do it. Even a full rebuild only takes two hours on our systems.


----------



## adams (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

Yep, I've got Poudriere set up with jails/ZFS/etc. for 9.1 and 8.3 (don't ask) which works great so far.  And indeed over the last week I have noticed that it is quite smart about rebuilding as needed.  So what you're saying is after that first huge build the change rate is unlikely to be too bad/much?

Right now I've got it cron'd to just build out anything that's new/changed nightly.

This is likely cause for another post but as I recall there seemed to be no easy way to tell Poudriere to just "build everything" (just not X11 ), or did I miss something?  I was in the process of writing a script to generate the list based on the directories in /usr/ports when I decided to be much more focused on what got built.


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> adams said:
> I've got Poudriere set up with jails/ZFS/etc. for 9.1 and 8.3 (don't ask) which works great so far.


Nothing wrong with 8.3. It's still supported, although not long any more. We have a few 8.4 boxes as they seem to perform better at their task than their 9.1 or 9.2 counterparts.



> Yep, I've got Poudriere set up with jails/ZFS/etc. for 9.1 and 8.3 (don't ask) which works great so far. And indeed over the last week I have noticed that it is quite smart about rebuilding as needed. So what you're saying is after that first huge build the change rate is unlikely to be too bad/much?


Yes, it will try to only rebuild the ports that have changed, or have had their dependencies changed. It will only rebuild everything from scratch if you add the -c switch to the bulk command.



> This is likely cause for another post but as I recall there seemed to be no easy way to tell poudriere to just "build everything" (just not X11 ), or did I miss something?


No, you didn't miss anything. Poudriere was designed this way, it's actually a tool to test building a select number of ports. If you want to rebuild everything in the ports tree ports-mgmt/tinderbox may be a better solution. It's the same software that's used to build the official repositories. I don't know how "smart" it is with regards to rebuilding though, I've never really used it.


----------



## adams (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

Ahh yes.  And it does appear that Tinderbox does only rebuild what is needed, too.  What I think I might do is still stick with Poudriere as I do want to exclude a bunch of things still even if I greatly increase the scope of the builds (notably the foreign language, X, and audio ports for example).  So what I'll probably do is write a script that sniffs out all the ports and builds a portlist file based on that just before the poudriere bulk commands get run.

Overall this is probably a better route too as I did worry about encountering the eventual inconsistency between the FreeBSD repository and our own due to the FreeBSD one only being updated once a quarter.

I appreciate the help!


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> adams said:
> Overall this is probably a better route too as I did worry about encountering the eventual inconsistency between the FreeBSD repo and our own due to the FreeBSD one only being updated once a quarter.


To be honest I'm not sure how often the official repository is built. I thought it was once a week. I think that would be good enough too. If there's a serious security issue you could always start an extra build right away.

I'm of the "don't fix what isn't broken" camp. So I really only update when there's a reason to do so. I don't like to update just because there's an update. So "keeping up to date" for me only happens for security reasons. But different people may have different opinions on what "up to date" means.


----------



## kpa (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> SirDice said:
> > adams said:
> > ...



Once a week is not often enough IMO but I have gathered that the majority of the package building infrastructure is still in use for the old style packages. The old style packages will be deprecated sooner than expected *) so that should free up resources to build the new packages more often.

*) http://lists.freebsd.org/pipermail/freebsd-ports/2014-February/089547.html


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> kpa said:
> Once a week is not often enough imo but I have gathered that majority of the package building infrastructure is still in use for the old style packages. The old style packages will be deprecated sooner than expected *) so that should free up resources to build the new packages more often.


For the official repositories it may not be often enough, but for a company? What would be gained? From a stability point of view I don't think it'll be advantageous to update every day. New versions may fix some bugs but they can also introduce new ones. 

I'm a bit stumped by the fact they also stop building old style packages for 8 and 9 though. FreeBSD 8.4 is still supported until 2015 and there shouldn't be any new features added (I consider PKGNG a new feature). That was the whole point of sticking to a certain release version. I can understand though, besides the extra resource that would be required I think there's also some restructuring needed in the ports tree and the old style packages are preventing some of those changes from being implemented.


----------



## adams (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> SirDice said:
> To be honest I'm not sure how often the official repository is built. I thought it was once a week. I think that would be good enough too. If there's a serious security issue you could always start an extra build right away.



Good question, though for me I am pretty set on running my own repository so I'm too lazy to try to find out now because my original issue still stands -- I need custom options during build time, though weekly would be good enough if that wasn't the case.   I run Poudriere daily just to stay 'caught up' so that when we do get audit alerts it's all there ready and waiting basically (and it's doing a little bit of work every day vs. a lot every week or so).  And yeah I've had to add a few ports to our build list already because the official package hasn't been updated and there was a security issue with it (and I've only had this in mass deployment for a week).

GNUTLS just got nailed and along with it a ton of dependencies, for example.

> SirDice said:
> I'm of the "don't fix what isn't broken" camp. So I really only update when there's a reason to do so. I don't like to update just because there's an update. So "keeping up to date" for me only happens for security reasons. But different people may have different opinions on what "up to date" means.



I agree entirely with your first sentence.  Really we only update stuff when port/pkg audit flags it or there is a specific problem to be fixed.  Given our volume and the public facing nature of the servers we manage (and I think the types of packages too, stuff like PHP, TLS, etc.) it happens quite frequently (several times a month) that we deploy the same update on 100+ servers easily.   So there is plenty of work to be done without just "updating to update".


----------



## kpa (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> SirDice said:
> > kpa said:
> > ...



Yeah I was talking solely about the official repositories. There's already been a few times when the build has failed for parts of the repository and many important packages have been unavailable for days or at the worst case until the next time the packages are built which means a full week. 

I'm guessing that support for FreeBSD 8.4 will be on basis that everything else is supported as planned but binary packages are not updated after the date when the support for the old style packages is dropped. There's always ports and that's probably what users of 8.4 are using mostly.


----------



## SirDice (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

> kpa said:
> I'm guessing that support for FreeBSD 8.4 will be on basis that everything else is supported as planned but binary packages are not updated after the date when the support for the old style packages is dropped. There's always ports and that's probably what users of 8.4 are using mostly.


For me personally it doesn't matter. For the project I did I started with PKGNG because it's so much better than the old tools. Some of the older servers I simply migrated. Setting up a local repository and using PKGNG was the best decision I ever made.


----------



## adams (Mar 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

So. I've come full circle and have decided to just stick with my fixed, small list of packages via Poudriere and add any as needed. However I am back to my original question about priority/defaulting when using multiple repositories.  Is there a way to say "use this repository unless the package is missing, then use the next one"?


----------



## spork (Apr 5, 2014)

*Re: pkgng and Multiple Repositories Priority or Default+Fall*

Same here.  I just spent way too much time googling this only to find examples that predate the removal of 'packagesite'.

Can anyone speak with some authority on how one deals with multiple repositories?  With a local poudriere setup I've simply been setting the official FreeBSD repo to 'enabled: no' so that my local repository is used.  The pkg.conf manpage I believe is just wrong or outdated, as it's suggesting to use the "method above", which appears to mean using the deprecated 'packagesite' setting(s).


----------
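The load order adams describes in the opening post and spork's 'enabled: no' workaround, as an added Python model that is neither pkg's own code nor anything posted in the thread: it reads stand-ins for the two repo files named above, applies the rule adams observed (last file wins, earlier files are fallbacks) to constructed catalogs, and flags packages where the winning repo is behind another enabled one. The thread itself reports pkg not honouring that order reliably, which is why spork disables the official repo outright; the URLs and catalog contents are constructed placeholders.

```python
import re

# Constructed stand-ins for the two files in /usr/local/etc/pkg/repos named in
# the thread; URLs and versions are hypothetical placeholders.
REPO_FILES = {
    "00-freebsd.conf": 'FreeBSD: {\n  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",\n  enabled: yes\n}\n',
    "10-ateamrepo-9_1-amd64.conf": 'ateamrepo: {\n  url: "http://pkg.example.internal/9_1-amd64",\n  enabled: yes\n}\n',
}

# Constructed catalogs (package -> version) published by each repository.
CATALOGS = {
    "FreeBSD":   {"php5": "5.4.24", "gnutls": "3.1.20", "vim": "7.4.253", "curl": "7.35.0"},
    "ateamrepo": {"php5": "5.4.26", "gnutls": "3.1.22", "curl": "7.34.0"},
}

def parse_repo_file(text):
    """Pull the repo name and its enabled flag out of a minimal UCL repo definition."""
    name = re.search(r"^\s*([\w-]+)\s*:\s*\{", text, re.M).group(1)
    flag = re.search(r"enabled\s*:\s*(\w+)", text)
    enabled = flag is None or flag.group(1).lower() in ("yes", "true")
    return name, enabled

def load_order(files):
    """Enabled repos in filename order (00-... first), the order the thread says pkg reads them."""
    return [n for n, on in (parse_repo_file(files[f]) for f in sorted(files)) if on]

def resolve(pkg, files=REPO_FILES, catalogs=CATALOGS):
    """adams' observed rule: the last-loaded enabled repo wins, earlier ones are fallbacks."""
    for repo in reversed(load_order(files)):
        if pkg in catalogs.get(repo, {}):
            return repo, catalogs[repo][pkg]
    return None  # package is in no enabled repo

def disable_repo(files, repo_name):
    """spork's fix: 'enabled: no' removes a repo from the load order entirely."""
    return {f: (re.sub(r"enabled\s*:\s*\w+", "enabled: no", t)
                if parse_repo_file(t)[0] == repo_name else t) for f, t in files.items()}

def older_than_available(files=REPO_FILES, catalogs=CATALOGS):
    """Packages where the chosen repo would hand out an older version than another enabled
    repo carries. Simplified dotted-numeric comparison, not pkg's full version rules."""
    ver = lambda v: tuple(int(x) for x in v.split("."))
    stale = {}
    for repo in load_order(files):
        for pkg, v in catalogs[repo].items():
            chosen = resolve(pkg, files, catalogs)
            if chosen and ver(v) > ver(chosen[1]):
                stale[pkg] = (chosen, (repo, v))
    return stale
```

With both repos enabled the check reports `curl` as served from the local repo at an older version than the official one carries, the kind of gap adams says he had to close by adding ports to his build list.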

