Re: Automated Patch - Patch management -

The "gold server" approach works pretty well with OpenBSD.

Basically, you set up a system (the "gold server") for each OpenBSD release.

When a new patch is released, you apply the patch to the "gold server" and then rsync the /usr, /bin, /sbin directories and the kernel (/bsd) to all the servers. Creating a script to automate this is trivial. Remember to exclude /usr/local and /usr/src from the synchronization.

Eventually, you might have to run some commands on the remote machines manually (restart a daemon, reboot the machine or the like), but if you are handling a big number of machines you probably already have a mechanism in place to accomplish that.

For more flexible configuration control and management you can use cfengine (http://www.cfengine.org/) instead of rsync.

The result is that you end up applying the patches to only one machine and all the systems are kept in a coherent state. A nice side effect of this approach is that you don't need a compiler in your production machines.

By the way, this is not an OpenBSD-only approach. Many other OSs work well with it (specially those that keep additional software in a separate location: /usr/local, /opt, ...). There is an interesting reference that you can check in this direction: http://www.infrastructures.org/

Aaron
The New Yahoo! Search - Faster. Easier. Bingo http://search.yahoo.com Received on Wed Apr 23 17:18:08 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related openbsd.org Links advocacy announce bugs ipv6 misc ports ports-changes security-announce smp source-changes tech Request more information about Pantek