Those of you who have a copy of BSD Hacks will find a copy of my old up-to-date script on page 343. You can just skim over the bits of this blog that you’re already familiar with. And for those who haven’t tried scripting (or even using) “cvsup”, I’ve included step by step directions of the pieces you need and how to put them all together.
There are quite a few applications available to assist you in keeping your system up-to-date. My script uses several third-party components. Here, I’ll quickly add the necessary packages; you can “grep” through “pkg_info” to see if any of these are already installed on your system:
# pkg_add -r cvsup-without-gui
# pkg_add -r fastest_cvsup
# pkg_add -r portupgrade
# pkg_add -r freebsd-update
# pkg_add -r docproj-nojadetex
To use “cvsup”, you’ll need a cvsup file. Mine will keep src, ports, and docs up-to-date as a FreeBSD 5.3 system:
# more /root/cvs-supfile
*default host=cvsup.freebsd.org
*default base=/usr/local/etc/cvsup
*default prefix=/usr
*default tag=RELENG_5_3
*default release=cvs delete use-rel-suffix compress
src-all
ports-all tag=.
doc-all tag=.
If this is your first “cvsup”, don’t forget to make a directory for it to use:
# mkdir /usr/local/etc/cvsup
While these configurations can keep things up-to-date, I also wanted to script a daily check for operating system security patches using “freebsd-update” as mentioned in Richard Bejtlich’s November 25th blog.
“freebsd-update” won’t work until you rename its sample configuration file:
# mv /usr/local/etc/freebsd-update.conf.sample \
/usr/local/etc/freebsd-update.conf
Hack #89 in BSD Hacks explains that the cvsup’d doc changes are in SGML and how to use “docproj-nojadetex” to convert them to HTML. Now, if you decide to use a “refuse” file with “cvsup”, the doc build will abort with an error once it reaches the missing doc files for the languages you don’t “cvsup”.
You can edit “/usr/doc/Makefile” to remove the languages you don’t “cvsup”. For example, mine now looks like this:
# $FreeBSD: doc/Makefile,v 1.34 2004/09/27 00:26:48 josef Exp $
#
# The user can override the default list of languages to build and install
# with the DOC_LANG variable.
#
.if defined(DOC_LANG) && !empty(DOC_LANG)
SUBDIR = ${DOC_LANG}
.else
SUBDIR = en_US.ISO8859-1
.endif
Unfortunately, "cvsup" will overwrite your changes to this file. One work-around is to remember to do this before you run cvsup:
# cp /usr/doc/Makefile /usr/doc/Makefile.orig
The other work-around is to not use a "refuse" file at all.
Finally, make a script to tie everything together:
# more /root/cvsup
#!/bin/sh
#use fastest_cvsup to find fastest geographically
#close mirror; I'll check Canada and the US
if SERVER=`fastest_cvsup -q -c ca,us`
then
echo "Running cvsup"
cvsup -L2 -h $SERVER /root/cvs-supfile
else
echo "There's a problem" 1>&2
exit 1
fi
#-U (which takes a long time to execute) isn't needed
#with the fetchindex command
echo "Updating ports index"
cd /usr/ports
make fetchindex
portsdb -u
#restore the edited Makefile that cvsup overwrote, then
#send copious output to the bit bucket
echo "Updating docs"
cd /usr/doc
cp Makefile.orig Makefile
make install > /dev/null
echo "Looking for security patches"
freebsd-update fetch
echo "The following ports need upgrading"
portversion -l "<"
echo "Finished at `/bin/date`."
exit
Make your script executable and give it a go, watching for any error messages.
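The script above stops only when fastest_cvsup fails; a failing cd, cp or make scrolls past and the run continues. As an added example (not the author's script), here are the same steps wrapped in a small run_step helper that timestamps each step's status into a log and counts failures, so an unattended run can be checked afterwards; the log path and the RUN_UPDATES switch are assumptions, not from the page.

```sh
#!/bin/sh
# Added example, not the page's /root/cvsup: same steps, but each one is
# run through run_step so a failing step is recorded instead of ignored.
# Assumed (not from the page): LOG path and the RUN_UPDATES switch.
LOG=${LOG:-/var/log/daily-update.log}
FAILED=0

# run_step NAME COMMAND...: run COMMAND, log START/OK/FAIL with a
# timestamp, bump FAILED on error, and return the command's exit status.
# Command output still goes to the terminal so you can watch it.
run_step() {
    name=$1; shift
    printf '%s START %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$name" >> "$LOG"
    if "$@"; then
        printf '%s OK    %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$name" >> "$LOG"
        return 0
    else
        rc=$?
        printf '%s FAIL  %s (exit %d)\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$name" "$rc" >> "$LOG"
        FAILED=$((FAILED + 1))
        echo "$name failed (exit $rc), see $LOG" 1>&2
        return "$rc"
    fi
}

# The page's steps in order; a failed cvsup aborts the run, the rest are
# logged and the run continues so freebsd-update still gets checked.
update_all() {
    run_step "cvsup" sh -c \
        'SERVER=$(fastest_cvsup -q -c ca,us) && cvsup -L2 -h "$SERVER" /root/cvs-supfile' || return 1
    run_step "ports index" sh -c 'cd /usr/ports && make fetchindex && portsdb -u'
    run_step "docs" sh -c 'cd /usr/doc && cp Makefile.orig Makefile && make install > /dev/null'
    run_step "freebsd-update" freebsd-update fetch
    run_step "outdated ports" portversion -l "<"
    echo "Finished at $(date); $FAILED step(s) failed, details in $LOG."
    [ "$FAILED" -eq 0 ]
}

# Only run the real update when asked, so the file can also be sourced.
if [ -n "${RUN_UPDATES:-}" ]; then
    update_all
fi
```

Run it as `RUN_UPDATES=1 sh /root/cvsup` and check the log for FAIL lines the next morning.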
I like to run this script manually (while drinking my morning coffee) so I can watch its output. This gives me an idea of which src, ports, and docs have changed. If there’s new source, there’s probably a new security vulnerability. And I certainly want to know if there are any new docs so I can check them out.
I also want to look at the output of freebsd-update; if there’s a security vulnerability in the operating system, I want to know about it.
This script will NOT upgrade your ports; instead, it will tell you which ports need upgrading. I like to manually run “portupgrade -arR” once I’ve determined that I do indeed want to upgrade all of my ports.
I also considered including “/usr/ports/security/portaudit” in the script, but decided it added too much additional output. Instead, I enabled it as a periodic script so the results are emailed to root. Once the package is installed, see “man portaudit” for details.
portmanager
I like to use portmanager instead of portupgrade. It's very easy to use:
portupgrade -s to show whether there are out-of-date ports
portupgrade -u to upgrade ports
/usr/ports/sysutils/portmanager
http://portmanager.sourceforge.net/