# Recommended way of staying up to date?



## thortos (Nov 17, 2008)

What is the recommended way of keeping one's systems up to date? There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.

How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?


----------



## kamikaze (Nov 17, 2008)

That entirely depends on the use cases, the number and the diversity of systems you administrate.


----------



## abarmot (Nov 17, 2008)

OK, how do people usually keep production web servers with Apache, PHP and MySQL up to date?


----------



## thortos (Nov 17, 2008)

I don't want an actual solution; I'd rather discuss general experiences with all those (to me) new-fangled ways of managing ports, because I guess somebody here must be using one tool or the other and can tell a bit about what's nice about them, gotchas and so on.

I've been using FreeBSD since 4.5 or so, but have always updated my ports manually as necessary, and would like to hear about the advantages/disadvantages of the (to me) new tools.

But hey, if you need an actual scenario:

I have a handful of individual servers, some of which I don't touch unless necessary (such as the mail and DNS servers), and some of which are more or less generic web servers (Apache/PHP/MySQL, Apache/mod_perl and Ruby On Rails via mod_rails, respectively). It's not much of a pain to keep them updated, but I'd like to write some scripts and stuff them into my crontab to have something to show to the PHB.


----------



## s-tlk (Nov 17, 2008)

I don't think this is such a good idea, because when you update your ports via cron you may miss important hints in UPDATING. In the worst case you crash your system and then, at the latest, you have to fix it manually.
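The UPDATING check being pointed at here can be made part of an automated run instead of being a reason to avoid one. The script below is an added example, not from this thread and not a FreeBSD tool: it prints the entries of /usr/ports/UPDATING dated after the last run and can narrow them to entries whose AFFECTS line mentions a given port or category. The UPDATING text it parses is a constructed sample in the layout of the real file (a `YYYYMMDD:` header line, an indented `AFFECTS:` line, free text until the next header).

```shell
#!/bin/sh
# Added example, not from the thread: report /usr/ports/UPDATING entries
# newer than the last run, optionally only those affecting a given port.
# Entry layout assumed: a "YYYYMMDD:" header line, an indented "AFFECTS:"
# line, then free text until the next header.

# Print every entry of $2 (an UPDATING-style file) whose header date is
# strictly later than $1 (YYYYMMDD, e.g. the date of the last run).
updating_since() {
    since="$1"; file="$2"
    awk -v since="$since" '
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
            keep = (substr($0, 1, 8) + 0 > since + 0)
        }
        keep { print }
    ' "$file"
}

# Read entries on stdin and keep only those whose AFFECTS line contains
# $1 (case-insensitive substring, e.g. "php" or "www/apache22").
updating_affects() {
    awk -v pat="$1" '
        function flush() {
            if (entry != "" && index(affects, tolower(pat)) > 0) printf "%s", entry
            entry = ""; affects = ""
        }
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ { flush() }
        /^[ \t]*AFFECTS:/ { affects = tolower($0) }
        { entry = entry $0 "\n" }
        END { flush() }
    '
}

# Count entries in a stream (one header line per entry); never fails,
# so it is safe under "set -e" when the count is zero.
count_entries() {
    grep -c '^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:' || true
}

# Constructed sample in the layout of the real file (not real entries).
sample_updating() {
cat <<'EOF'
20081115:
  AFFECTS: users of lang/php5 and php5-extensions
  AUTHOR: someone@example.org

  (constructed) Rebuild all PHP extensions after updating lang/php5.

20081101:
  AFFECTS: users of www/apache22
  AUTHOR: someone@example.org

  (constructed) The configuration layout changed; review
  /usr/local/etc/apache22 after the upgrade.

20081020:
  AFFECTS: users of databases/mysql51-server
  AUTHOR: someone@example.org

  (constructed) Run mysql_upgrade after updating.
EOF
}

# Stand-alone demo: everything since 2008-10-31 that mentions php.
tmp=$(mktemp) && sample_updating > "$tmp"
updating_since 20081031 "$tmp" | updating_affects php
rm -f "$tmp"
```

In a nightly job you would keep the date of the last run in a state file and pass it as the first argument, and loop over the origins of the installed ports (from `pkg_info -qoa`, if I have the flags right) calling `updating_affects` for each; a non-empty result is the cue to mail root and hold the upgrade rather than let cron run it blind.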


----------



## Geoff (Nov 17, 2008)

I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.

The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.


----------



## Snelius (Nov 17, 2008)

Geoff said:

> I use portsnap for updating the tree, portaudit to check for vulnerabilities in installed ports and portupgrade to update/install them.
> 
> The idea of crontab portupgrading scares me too, maybe something like capistrano would be better as you could script a reasonable portion of it but still keep the interactive component to it.



If you have 30 or more FreeBSD servers, what can you do?


----------



## sverreh (Nov 17, 2008)

For updating the ports tree I use portsnap, which has not caused me any problems. 

Vulnerability checking is done by portaudit.

For updating ports I prefer portmaster, which I find is easier than portupgrade since I don't have to maintain the index manually. 

Portdowngrade is also a tool I use sometimes because a new version does not work as expected.

This is for my desktop at home and at work, I don't know if it is a good strategy if you run a lot of servers.


----------



## fender0107401 (Nov 17, 2008)

This is my solution:

1. For vulnerabilities:

```
portaudit -F; portaudit -a
```

2. For upgrading my source tree:

```
cd /usr/src; make update
```

I specify csup to update my system and ports tree in my /etc/make.conf file.

3. For upgrading my ports:

```
portupgrade -a
```


----------



## SirDice (Nov 17, 2008)

Csup to get the ports tree up to date. I use a jail to build all the packages I need from scratch. I've NFS-exported /usr/ports read-only.


----------



## anomie (Nov 17, 2008)

thortos said:

> There are several tools such as portupgrade, portmanager, portaudit, portsnap etc and I'd like to hear what people are really using.



I'm using:

- portaudit: runs automatically after installation via its 410.portaudit script.
- csup: never got into portsnap...
- portmaster: works well for almost all upgrades, and it has a light footprint.

```
> pkg_info -rR -x portmaster
Information for portmaster-2.6:

Depends on:
```




			
thortos said:

> How do you have your machines auto-update vulnerable software? Do you employ different strategies regarding the ports vs. packages question?



I don't auto-update anything. If I want to upgrade ports that end users rely on I set up a scheduled maintenance window. (Hopefully on a weekend.)


----------



## dave (Nov 17, 2008)

Also, some useful info here:

http://forums.freebsd.org/showthread.php?t=193

I am testing out portmaster now instead of portupgrade.


----------



## steinex (Nov 18, 2008)

On workstations, I mostly run away from that 'upgrading ports'-struggle:

- Do a backup of /usr/local/etc
- pkg_delete '*'
- rm -rf /usr/local
- pkg_add <stuff> (or use ports - for myself, I mainly stick to packages when it's a workstation)
- restore /usr/local/etc

I just do this procedure when I feel I got too far behind and need something fresher with little pain. ;-)


----------



## dave (Nov 18, 2008)

steinex said:

> On workstations, I mostly run away from that 'upgrading ports'-struggle:
> 
> - Do a backup of /usr/local/etc
> - pkg_delete '*'
> ...



Wow, I had no idea one could do that!


----------



## fender0107401 (Nov 18, 2008)

*Nice hint!*



			
steinex said:

> On workstations, I mostly run away from that 'upgrading ports'-struggle:
> 
> - Do a backup of /usr/local/etc
> - pkg_delete '*'
> ...



This is a clever trick; it is helpful for me.

And I agree that sometimes packages are more useful than ports.


----------



## gilinko (Nov 18, 2008)

I mainly use portsnap in cron mode and then portmanager for keeping the ports software updated. 

I'm fairly new to FreeBSD (like one year and still going), and started using portupgrade, but found it to be more of a hassle than I wanted. Now all I do is log in to a specific machine and run:

```
portsnap update
portmanager -u
```

What I like about portmanager is that it builds a temporary binary package of the software that is about to be updated, and before it replaces it, it creates a binary package "backup" of the currently installed port. That procedure has saved my behind many times when I fracked up. This is all done on production servers (web, email etc.), and I haven't tried it on a desktop yet.

The "bad" about portmanager is that although it has some very nice checks and balances while working, it takes quite some time to run. And maybe a secondary effect is that you need /var space for all the builds and backups.


----------



## rihad (Nov 18, 2008)

steinex said:

> On workstations, I mostly run away from that 'upgrading ports'-struggle:
> 
> - Do a backup of /usr/local/etc
> - pkg_delete '*'
> ...



Nice, but new ports may have updated versions of what's in /usr/local/etc, so carefully merging your own changes to config files with new configuration using sdiff or similar is almost certainly required (this practice applies to upgrading ports in general, not only to the shortcut described above).


----------



## mck (Nov 18, 2008)

I've written a Nagios plugin, net-mgmt/nagios-check_ports, to check my installed ports via Nagios for updates (portupgrade) and security vulnerabilities (portaudit). Saves me a lot of time updating my FreeBSD servers.

Regards,
Matthias


----------



## adstro (Nov 19, 2008)

This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.


----------



## vivek (Nov 19, 2008)

adstro said:

> This is one area where I have always felt FBSD is lacking. I have used FBSD for a few years now and switched between portupgrade and portmanager. Both seem to have their benefits and faults. I wish the base system would include a utility for updating ports like most other OSes. There was a project to rewrite portupgrade in C but I don't know where that stands.



Have you tried freebsd-update?

```
freebsd-update fetch
freebsd-update install
```
The freebsd-update tool is used to fetch, install, and roll back binary updates to the FreeBSD base system. Maybe the following will help (see binary update):
http://www.cyberciti.biz/tips/howto-keep-freebsd-system-upto-date.html
http://www.daemonology.net/freebsd-update/


----------



## Mel_Flynn (Nov 19, 2008)

steinex said:

> On workstations, I mostly run away from that 'upgrading ports'-struggle:
> 
> - Do a backup of /usr/local/etc
> - pkg_delete '*'
> - rm -rf /usr/local



Congrats! You just deleted:
- Your apache webroot
- Your squid config and its cache
- Your postgresql database
- etc.

In other words, in an ideal world anything locally customized lives in $LOCALBASE/etc, but that's not always the case.
I know for a desktop this mostly works, though. Just be careful with some ports.


----------



## adstro (Nov 22, 2008)

vivek said:

> Have you tried freebsd-update?
> 
> ```
> freebsd-update fetch
> ...



I meant a port update tool in the base install, not a tool to update the base system. Updating the base system is actually pretty trivial with FreeBSD and is one of the reasons I stick with FBSD for my servers. I still think FBSD lacks when it comes to updating ports though.


----------



## steinex (Nov 22, 2008)

Mel_Flynn said:

> Congrats! You just deleted:
> - Your apache webroot
> - Your squid config and its cache
> - Your postgresql database
> ...



That's why I said I mostly do this on workstations. Of course this way of keeping up has some edges and you should be aware of issues like the ones you just mentioned.

I probably should have made others aware of these corner cases in my original post, but I think people are clever enough to use their brains before copying and pasting commands.


----------



## Mel_Flynn (Nov 22, 2008)

steinex said:

> I probably should have made others aware of these corner cases in my original post, but I think people are clever enough to use their brains before copying and pasting commands.



Your optimism is heartwarming with the holiday season coming up 

Seriously though, the point is that rm -rf /usr/local should *not* be necessary if you use pkg_delete -f.
If nothing was ever customized, you'd end up with an empty /usr/local, and if you don't, you're left with the parts you want to back up.
Also, the better way to delete things is leaves-first traversal. ports-mgmt/pkg_cutleaves is ideal for this. Move the excludes file out of the way if you have one, then run the program and always choose "go on with next leaves", till there are no more.
Now /var/db/pkg should be empty. Anything left in /usr/local was put there not by the ports system, or is configuration/data, and so is worth inspecting to see why it's kept and/or how it got there.
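Putting the two posts above together (steinex's wipe-and-reinstall shortcut and Mel_Flynn's warning about what else lives under /usr/local), the script below is an added example, not from this thread, of the preflight a practitioner would want before typing `rm -rf /usr/local`. It refuses to proceed when LOCALBASE holds live data rather than package files, and it verifies the /usr/local/etc backup before anything is deleted. The data paths it checks (/usr/local/www, /usr/local/squid/cache, /usr/local/pgsql/data) and the list of top-level directories the ports framework normally creates are assumptions for a default FreeBSD install of the time; the test tree it runs against is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: preflight for the
# "pkg_delete '*'; rm -rf /usr/local" shortcut. Exit status 0 means
# nothing but package files were found; 1 means stop and inspect.
# Paths and directory lists below are assumptions for a default install.

LOCALBASE="${LOCALBASE:-/usr/local}"

# Directories that hold live data; reinstalling packages does not bring
# these back (the ones Mel_Flynn listed, as assumed default paths).
DATA_DIRS="www squid/cache pgsql/data"

# Top-level directories the ports framework itself creates. Anything
# else at the top level deserves a look before rm -rf.
KNOWN_TOP="bin sbin lib libexec libdata include share man info etc"

# Print the data directories under $1 that exist and are not empty.
live_data_dirs() {
    base="$1"
    for d in $DATA_DIRS; do
        if [ -d "$base/$d" ] && [ -n "$(ls -A "$base/$d" 2>/dev/null)" ]; then
            echo "$base/$d"
        fi
    done
}

# Print top-level directories under $1 that are not in KNOWN_TOP.
unexpected_top_dirs() {
    base="$1"
    for p in "$base"/*/; do
        [ -d "$p" ] || continue
        name=$(basename "$p")
        case " $KNOWN_TOP " in
            *" $name "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Archive $1/etc to $2 and verify the archive lists every regular file.
# Returns 1 on mismatch so a caller never wipes on the strength of a
# bad backup.
backup_local_etc() {
    base="$1"; archive="$2"
    [ -d "$base/etc" ] || { echo "no $base/etc to back up" >&2; return 1; }
    tar -C "$base" -cf "$archive" etc || return 1
    want=$(find "$base/etc" -type f | wc -l | tr -d ' ')
    got=$(tar -tf "$archive" | grep -v '/$' | wc -l | tr -d ' ')
    [ "$want" -eq "$got" ]
}

# Overall verdict for $1: 0 = only package files, 1 = stop and inspect.
preflight() {
    base="$1"; rc=0
    for d in $(live_data_dirs "$base"); do echo "live data: $d"; rc=1; done
    for d in $(unexpected_top_dirs "$base"); do echo "not a ports dir: $d"; rc=1; done
    return $rc
}

# Stand-alone use: check the real LOCALBASE and back up its etc.
# preflight "$LOCALBASE" && backup_local_etc "$LOCALBASE" /root/local-etc.tar
```

Run `preflight` first and only then `backup_local_etc`; if either fails, the wipe is not safe as planned. Note that `live_data_dirs` only knows the paths in DATA_DIRS, so the `unexpected_top_dirs` pass is the catch-all for anything a port or an admin put under LOCALBASE that the list does not name.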


----------



## p3n1x (Nov 23, 2008)

I stay up to date as follows.

First, I have a nightly run of csup to update my ports tree and a pkg_version -v run, emailed to root.

If necessary I'll run portupgrade -a and let it go (of course reading the UPDATING file).

Next, just csup the sources, go to /usr/src and run:

```
make buildworld && make buildkernel && make installworld && make installkernel && mergemaster && reboot
```

Pretty simple. For what it's worth, lately I've been using the package manager from the DesktopBSD tools to check my outdated ports; it's a nice little GUI tool to update ports, and I just build my world/kernel on the CLI.
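The nightly "pkg_version -v emailed to root" step above is worth a little more than mailing raw output, since the same cron job can carry the portaudit result and a non-zero exit that a monitoring check can key on. The script below is an added example, not from this thread: it parses saved output of `pkg_version -v` and `portaudit -a` into a short report and exits 1 when there is something to act on. Both output formats are reproduced from memory of those tools (status column `<` for "needs updating (port has X)"; `Affected package:` and `Type of problem:` lines from portaudit), and the sample data is constructed, including the placeholder reference URL.

```shell
#!/bin/sh
# Added example, not from the thread: turn the nightly "pkg_version -v"
# and "portaudit -a" output into a report for root, exiting 1 when there
# is work to do. Tool output formats are as remembered; samples are
# constructed.

# From pkg_version -v output, keep only packages older than the port
# (status "<") and print "installed -> available".
outdated_ports() {
    awk '$2 == "<" {
        avail = $0
        sub(/.*\(port has /, "", avail)
        sub(/\).*/, "", avail)
        print $1 " -> " avail
    }'
}

# From portaudit -a output, print "package<TAB>problem" per finding.
vulnerable_ports() {
    awk '
        /^Affected package:/ { pkg = $3 }
        /^Type of problem:/  { sub(/^Type of problem: /, ""); print pkg "\t" $0 }
    '
}

# Build the report from saved tool output in $1 (pkg_version -v) and
# $2 (portaudit -a). Returns 1 if anything needs attention.
ports_report() {
    versions="$1"; audit="$2"; rc=0
    out=$(outdated_ports < "$versions")
    vul=$(vulnerable_ports < "$audit")
    if [ -n "$vul" ]; then
        echo "VULNERABLE (fix first; read /usr/ports/UPDATING):"
        echo "$vul"; rc=1
    fi
    if [ -n "$out" ]; then
        echo "OUT OF DATE:"
        echo "$out"; rc=1
    fi
    [ $rc -eq 0 ] && echo "nothing to do"
    return $rc
}

# Constructed sample of pkg_version -v output.
sample_pkg_version() {
cat <<'EOF'
apache-2.2.9_5                      <   needs updating (port has 2.2.10)
mysql-server-5.0.67                 =   up-to-date with port
php5-5.2.6_2                        <   needs updating (port has 5.2.6_3)
portmaster-2.6                      =   up-to-date with port
ruby-1.8.7.72,1                     >   succeeds port (port has 1.8.7.71,1)
EOF
}

# Constructed sample of portaudit -a output (placeholder reference URL).
sample_portaudit() {
cat <<'EOF'
Affected package: php5-5.2.6_2
Type of problem: php -- multiple vulnerabilities.
Reference: <http://www.FreeBSD.org/ports/portaudit/example.html>

1 problem(s) in your installed packages found.
EOF
}

# Nightly use (after csup/portsnap has refreshed the tree), e.g. from cron:
#   pkg_version -v > /var/db/ports-versions; portaudit -Fa > /var/db/ports-audit
#   ports_report /var/db/ports-versions /var/db/ports-audit | mail -s "ports: $(hostname)" root
```

Keeping the two tool outputs in files rather than piping them straight into mail means the report can be re-run, diffed against yesterday's, or picked up by a Nagios-style check, and the exit status lets the cron wrapper escalate a vulnerable package differently from a merely stale one.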


----------



## Deleted member 2077 (Nov 24, 2008)

dave said:

> Wow, I had no idea one could do that!



How safe is this?  What if you have 400+ ports?


----------



## marius (Nov 24, 2008)

I'm using portupgrade, portaudit and csup, although I've been considering both portsnap and portmanager since I'm not just happy with portupgrade. Portupgrade feels utterly slow, but I'm not sure if any of the alternatives are any faster or better.

Looking forward to the day FreeBSD comes with a nice application in the base for updating ports


----------



## Mel_Flynn (Nov 24, 2008)

marius said:

> Portupgrade feels utterly slow, but I'm not sure if any of the alternatives are any faster or better.



There's no real way to speed up the process. Some languages are faster than others, but the build process is the primary factor for slowdowns.
However, making things better than portupgrade is relatively easy, as the power features have a way of screwing things up beyond repair. Don't take my word for it, search the mailing list archives.


----------



## kamikaze (Nov 24, 2008)

Portupgrade uses LOTS of memory. Especially on machines with only 512MB RAM other tools like portmaster are faster, because of all the overhead portupgrade has.

I originally switched to portmaster, because portupgrade was unbearable on a machine with 256MB RAM. Portmaster was a real improvement there.


----------



## ArtemD (Nov 25, 2008)

I have this alias for updating my system in ~/.profile: 

```
alias sysupdate="portsnap fetch&&portsnap update&&cvsup /etc/cvsup.conf&&portupgrade -arn&&portsearch -vu"
```

So far I haven't come across anything easier.


----------



## rihad (Nov 25, 2008)

ArtemD said:

> I have this alias for updating my system in ~/.profile:
> 
> ```
> alias sysupdate="portsnap fetch&&portsnap update&&cvsup /etc/cvsup.conf&&portupgrade -arn&&portsearch -vu"
> ...



sysupdate isn't likely to be something you do a thousand times a day, so putting the same code in a shell script seems to be a more logical thing to do, as it wouldn't use your shell interpreter's precious bytes of memory waiting to be run like an alias would.


----------



## Mel_Flynn (Nov 25, 2008)

kamikaze said:

> Portupgrade uses LOTS of memory. Especially on machines with only 512MB RAM other tools like portmaster are faster, because of all the overhead portupgrade has.
> 
> I originally switched to portmaster, because portupgrade was unbearable on a machine with 256MB RAM. Portmaster was a real improvement there.



Machines with 256MB RAM were state of the art in the previous millennium. Machines with that little memory I wouldn't run a desktop on (or maybe donate them to my parents), and I'd do binary upgrades using the tools in the base system.
Still, 5 minutes' start-up time is only a perception of slowness on a 2-day build of OpenOffice, for which portupgrade, portmaster or whichever tool is asleep the entire time.
I do believe portmaster is faster, but the gains are minimal for large upgrades, plus it does better on the perception part: portupgrade does a lot of things during start-up in silence, which makes you think it's slow.
Also, any speed gains from portmaster are negated when a core library is upgraded (gettext, libxml, libiconv, take your pick), because portmaster will rebuild all dependents, where portupgrade will do the smart thing and change the +CONTENTS files in /var/db/pkg.
Of course, this smartness is the cause of many tears on various mailing lists.


----------



## ArtemD (Nov 25, 2008)

rihad said:

> sysupdate isn't likely to be something you do a thousand times a day, so putting the same code in a shell script seems to be a more logical thing to do, as it wouldn't use your shell interpreter's precious bytes of memory waiting to be run like an alias would.



Thanks for your suggestion. Your point is valid, but I have 4GB of RAM and I doubt it creates a lot of overhead.


----------

