Keeping up to date with ports and putting ports/pobj on wxallowed filesystem


Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Jeff-3
Hello all,

Is this the sane/correct thing to do?  What is the impact?

Running: OpenBSD6.2-release

Goal: To run a secure and functional web server.
(the server is currently up and running and used by
the public at large)

Previously: Only installing needed packages as binaries via pkg_add.

Now: The thought is that the third-party packages being used
by the server should be kept up to date.

Ports tree via:
$ cvs -qd [hidden email]:/cvs\
  checkout -rOPENBSD_6_2 -P ports

Problem: Some out of date packages found via 'out-of-date' e.g.:
$ /usr/ports/infrastructure/bin/out-of-date
...
Outdated ports:

databases/mariadb,-main        # 10.0.32v1 -> 10.0.33v1
databases/mariadb,-server      # 10.0.32v1 -> 10.0.33v1
...

complain when running 'make update' (in this case mariadb). e.g.:
Fatal: /usr/ports/pobj must be on a wxallowed filesystem\
  (in lang/python/2.7)

To solve this issue, this is what I've done:

$ cat /etc/mk.conf
SUDO=/usr/bin/doas
WRKOBJDIR=/usr/local/ports/pobj <---

(since /usr/local is on a wxallowed filesystem)

Is this a rational solution to the problem? I'm somewhat regretting
going this route as, unlike with pkg_add, building some ports from the
tree pulls in more dependencies than via pkg_add (I am assuming that
these are build dependencies and not run-time dependencies; please
correct me if this is not so).

Is it not worth it to update ports in this way; meaning, is it better
to simply wait for OpenBSD6.3 and stick with binary packages only
(as recommended on the openbsd.org site)?

Also, is there an easy/sane way to remove packages that were only
required for building once the ports have been updated?

I'm loath to do something like build the packages on another system
and then install them as binary packages on the server; this seems like
a lot of effort and, at least for myself, might be prone
to introducing other issues.

Thank you in advance; advice is appreciated.

--
Jeff <[hidden email]>


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Scott Bennett
On 11/9/2017 2:04 PM, Jeff wrote:
> Hello all,
>
> [...]
>
> Also, is there an easy/sane way to remove packages that were only
> required for building once the ports have been updated?

You could use:
$ pkg_info -t

to show packages which are not required by any other packages
(man.openbsd.org/pkg_info#t). Obviously this will also show you
packages that you want to keep, such as mariadb, firefox, etc... But
this should help in determining some packages to remove.

Scott


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Jeff-3
In reply to this post by Jeff-3
On Thu, 9 Nov 2017 14:04:39 -0500
Jeff <[hidden email]> wrote:

> Is it not worth it to update ports in this way; meaning, is it better
> to simply wait for OpenBSD6.3 and stick with binary packages only
> (as recommended on the openbsd.org site)?

It has been pointed out to me that my meaning here is unclear.
I will attempt to clarify:

openbsd.org says:
        The ports tree is meant for advanced users.
        Everyone is encouraged to use the pre-compiled binary packages.

I do not imply that openbsd.org recommends waiting for the next release
and not patching software.

A better statement would possibly have been:

        Is it not worth it to update ports in this way; meaning,
        is it better to simply wait for OpenBSD6.3 and stick with
        binary packages?
       
        The openbsd.org site says:
                The ports tree is meant for advanced users.
                Everyone is encouraged to use the pre-compiled
                binary packages.

I'm looking for the advice of those more experienced than myself.

--
Jeff <[hidden email]>


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Daniel Boyd-2
On Thu, 2017-11-09 at 14:52 -0500, Jeff wrote:
> Is it not worth it to update ports in this way; meaning,

> is it better to simply wait for OpenBSD6.3 and stick with
> binary packages?
>
> The openbsd.org site says:
> The ports tree is meant for advanced users.
> Everyone is encouraged to use the pre-compiled
> binary packages.
>
> I'm looking for the advice of those more experienced than myself.
>

It just depends on your situation.  Most of the time, I'm happy just to
upgrade every 6 months when a new release comes out.  But I'm also not
running a public-facing, mission-critical server.  Regardless, I
usually have the ports tree untarred on my system in case there is some
patch that I feel like I should install.

They say it's for advanced users, but really it's not difficult if
you're reasonably comfortable running unix-like OS commands.  Read the
FAQ: https://www.openbsd.org/faq/ports/ports.html


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Allan Streib-2
In reply to this post by Jeff-3
Jeff <[hidden email]> writes:

> I do not imply that openbsd.org recommends waiting for the next release
> and not patching software.

I personally use openup from m:tier; they provide updated packages as
errata are released.

https://www.mtier.org/solutions/apps/openup/

Allan


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Christoph R. Murauer
In reply to this post by Jeff-3
If I understood your question correctly ...

> Running: OpenBSD6.2-release
>
> Goal: To run a secure and functional web server.
> (the server is currently up and running and used by
> the public at large)

If you apply the patches from the errata page using syspatch(8) (if
you are on i386 / amd64), then you have an up-to-date and secure -stable
installation.

> Previously: Only installing needed packages as binaries via pkg_add.
>
> Now: The thought is that the third-party packages being used
> by the server should be kept up to date.

If there are security-related patches, or things that need to be fixed
so that the package works as it should, you can simply run pkg_add -iu

> databases/mariadb,-main        # 10.0.32v1 -> 10.0.33v1
> databases/mariadb,-server      # 10.0.32v1 -> 10.0.33v1
> ...

The question is, do you need the things which are provided by these
new versions? For security, see above.

> complain when running 'make update' (in this case mariadb). e.g.:
> Fatal: /usr/ports/pobj must be on a wxallowed filesystem\
>   (in lang/python/2.7)

You can add wxallowed to an already-mounted filesystem using mount(8).

> Is it not worth it to update ports in this way; meaning, is it better
> to simply wait for OpenBSD6.3 and stick with binary packages only
> (as recommended on the openbsd.org site)?

That depends on your requirements. See above.

> Also, is there an easy/sane way to remove packages that were only
> required for building once the ports have been updated?

A port is a package. See make clean and so on for built ports and
pkg_delete -a for packages. IMHO, who says that something unneeded is
installed? It also has no effect on the system if build deps. are
kept in the ports tree.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Jeff-3
On Thu, 9 Nov 2017 22:06:43 +0100
"Christoph R. Murauer" <[hidden email]> wrote:

> If I understood your question correctly ...
>
> > Running: OpenBSD6.2-release
> >
> > Goal: To run a secure and functional web server.
> > (the server is currently up and running and used by
> > the public at large)
>
> If there are security-related patches, or things that need to be fixed
> so that the package works as it should, you can simply run pkg_add -iu

Thanks for your reply, Christoph.

Please correct me if I'm wrong, but as I understand things, this only
works if one is following OpenBSD-current.  I am running -release.
This is an in-use production server; I don't feel wise running -current.

> You can add wxallowed to an already-mounted filesystem using mount(8).

In theory, I don't like this; I would rather keep preventing everything
not mapped from /usr/local from being able to have both writable and
executable pages, even if it's only temporary.

> > Is it not worth it to update ports in this way; meaning, is it better
> > to simply wait for OpenBSD6.3 and stick with binary packages only
> > (as recommended on the openbsd.org site)?
>
> That depends on your requirements. See above.

My answer also depends.  Ideally, I'd want to jump on any update for
any software for which a security advisory has been issued.  Also,
I do wish to track other non-critical updates to keep the server's
software relatively up-to-date so as not to fall behind; picking up
performance and related enhancements is a bonus.  In practice,
at least for myself and my available time, this isn't always feasible
(e.g. the ports tree doesn't have the latest software available as a port,
and it would also be a significant time commitment to build and install
the software from the original source and successfully integrate it into
OpenBSD.)

For example, moving to php v7.1.11 or 7.2 falls into this category
(see: http://www.securityfocus.com/bid/101745).
Looking at what the ports system has to do to make the php 7.0.23
package, I'd be spending my life getting 7.2 to build and work properly
and I feel this is better left to those with more OpenBSD porting
experience.

Some software builds and integrates from original sources more easily;
that is, the usual:
./configure {reasonable options} -> make -> make install
procedure goes off without a hitch, or at least without too many edits.

> > Also, is there an easy/sane way to remove packages that were only
> > required for building once the ports have been updated?
>
> A port is a package. See make clean and so on for built ports and
> pkg_delete -a for packages. IMHO, who says that something unneeded is
> installed? It also has no effect on the system if build deps. are
> kept in the ports tree.

I understand that the ports system first builds and packages a port,
and then installs it.

I could be doing something wrong, but it seems that some ports install
dependencies to the system (pkg_add-style) that are required to *build*
the package from source, but that aren't required to *run* the package
(e.g. cmake).

So, I definitely don't mind leaving the built packages in the ports
tree, but I *do* mind leaving them installed on the system.

--
Jeff <[hidden email]>


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

trondd-2
On Thu, November 9, 2017 4:54 pm, Jeff wrote:

> On Thu, 9 Nov 2017 22:06:43 +0100
> "Christoph R. Murauer" <[hidden email]> wrote:
>
>> If I understood your question correctly ...
>>
>> > Running: OpenBSD6.2-release
>> >
>> > Goal: To run a secure and functional web server.
>> > (the server is currently up and running and used by
>> > the public at large)
>>
>> If there are security-related patches, or things that need to be fixed
>> so that the package works as it should, you can simply run pkg_add -iu
>
> Thanks for your reply, Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running -current.
>
>> You can add wxallowed to an already-mounted filesystem using mount(8).
>
> In theory, I don't like this; I would rather keep preventing everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.
>
>> > Is it not worth it to update ports in this way; meaning, is it better
>> > to simply wait for OpenBSD6.3 and stick with binary packages only
>> > (as recommended on the openbsd.org site)?
>>
>> That depends on your requirements. See above.
>
> My answer also depends.  Ideally, I'd want to jump on any update for
> any software for which a security advisory has been issued.  Also,
> I do wish to track other non-critical updates to keep the server's
> software relatively up-to-date so as not to fall behind; picking up
> performance and related enhancements is a bonus.  In practice,
> at least for myself and my available time, this isn't always feasible
> (e.g. the ports tree doesn't have the latest software available as a port,
> and it would also be a significant time commitment to build and install
> the software from the original source and successfully integrate it into
> OpenBSD.)
>
> For example, moving to php v7.1.11 or 7.2 falls into this category
> (see: http://www.securityfocus.com/bid/101745).
> Looking at what the ports system has to do to make the php 7.0.23
> package, I'd be spending my life getting 7.2 to build and work properly
> and I feel this is better left to those with more OpenBSD porting
> experience.
>
> Some software builds and integrates from original sources more easily;
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many edits.
>
>> > Also, is there an easy/sane way to remove packages that were only
>> > required for building once the ports have been updated?
>>
>> A port is a package. See make clean and so on for built ports and
>> pkg_delete -a for packages. IMHO, who says that something unneeded is
>> installed? It also has no effect on the system if build deps. are
>> kept in the ports tree.
>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

Use proot(1).  It's amazing.  You need space, though.  I am using 2.5G to
build my personal use ports.  So, nothing huge.

With dpb(1) it's a pretty automatic process to rebuild stuff.

Tim.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Marc Espie-2
In reply to this post by Jeff-3
On Thu, Nov 09, 2017 at 02:04:39PM -0500, Jeff wrote:
> Is this a rational solution to the problem? I'm somewhat regretting
> going this route as, unlike with pkg_add, building some ports from the
> tree pulls in more dependencies than via pkg_add (I am assuming that
> these are build dependencies and not run-time dependencies; please
> correct me if this is not so)

pkg_delete -a

will remove auto-added packages, which is what happens for strictly build-time
dependencies.


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Christoph R. Murauer
In reply to this post by Jeff-3
> Thanks for your reply, Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current.  I am running -release.
> This is an in-use production server; I don't feel wise running
> -current.

If you install, for example, OpenBSD 6.2, you have a -release version. On
the errata page https://www.openbsd.org/errata62.html you find the
available patches for the -release base system. If you apply these
patches with syspatch(8), you have a -stable system. -current (also
called snapshots) is something different.

>> You can add wxallowed to an already-mounted filesystem using
>> mount(8).
>
> In theory, I don't like this; I would rather keep preventing
> everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.

That was only meant as information. I have enough RAM and use it to
build things. There are many ways to do things.

> ...
> Some software builds and integrates from original sources more easily;
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many
> edits.

IMHO, sure, you can build everything you need manually. The point is
that ports (which is what you were talking about) have maintainers. If
you use a ./configure switch, that does not mean the maintainer will
also go that way for port updates, or provide a flavour of the port
using that switch. Security issues or breakage in a port should be
fixed upstream; if not, and if you would like to see updated ports,
work on it.

>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to
> *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

See my pkg_add -a mention and, the answer from espie@



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Christoph R. Murauer
In reply to this post by Jeff-3
Sorry, typo. Meant pkg_delete -a


Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Stuart Henderson
In reply to this post by Christoph R. Murauer
On 2017-11-09, Christoph R. Murauer <[hidden email]> wrote:

> If I understood your question correctly ...
>
>> Running: OpenBSD6.2-release
>>
>> Goal: To run a secure and functional web server.
>> (the server is currently up and running and used by
>> the public at large)
>
> If you apply the patches from the errata page using syspatch(8) (if
> you are on i386 / amd64), then you have an up-to-date and secure -stable
> installation.
>
>> Previously: Only installing needed packages as binaries via pkg_add.
>>
>> Now: The thought is that the third-party packages being used
>> by the server should be kept up to date.
>
> If there are security-related patches, or things that need to be fixed
> so that the package works as it should, you can simply run pkg_add -iu

You can do this *if* you have a source of updated packages, e.g. via
mtier's openup, or packages that you've built yourself.

>> databases/mariadb,-main        # 10.0.32v1 -> 10.0.33v1
>> databases/mariadb,-server      # 10.0.32v1 -> 10.0.33v1
>> ...
>
> The question is, do you need the things which are provided by these
> new versions? For security, see above.

Those are security updates. -stable doesn't get "normal" version updates.



Re: Keeping up to date with ports and putting ports/pobj on wxallowed filesystem

Christoph R. Murauer

>>
>> If there are security-related patches, or things that need to be fixed
>> so that the package works as it should, you can simply run pkg_add -iu
>
> You can do this *if* you have a source of updated packages, e.g. via
> mtier's openup, or packages that you've built yourself.

Thanks for the clarification, my fault. I thought I had read somewhere in
the past that there is also a new version of the related packages.

>
>>> databases/mariadb,-main        # 10.0.32v1 -> 10.0.33v1
>>> databases/mariadb,-server      # 10.0.32v1 -> 10.0.33v1
>>> ...
>>
>> The question is, do you need the things which are provided by these
>> new versions? For security, see above.
>
> Those are security updates. -stable doesn't get "normal" version
> updates.

In this case, yes. The OP wrote in the first post "Now: The thought is
that the third-party packages being used by the server should be kept
up to date.". I interpreted it as: if there is a new version, it is
not security relevant, and I don't need the functions provided in
this update, why update the package? Then the question should be
something like: latest stable packages, or latest experimental
packages of third-party software?