Depenguinator "Upgrades" Linux to BSD

cperciva writes "Many systems around the world have been possessed by penguins and dead rats. It would be nice to exorcize these evil spirits, but this can be difficult without physical access to the machines in question. Thanks to a new depenguinator, it is now possible to upgrade Linux systems to run FreeBSD 5.x without requiring anything more than an SSH connection." Clever idea.

HOWTO - Install Debian Onto a Remote Linux System

[vinsci]

Personally, I find this howto more useful. ;-) HOWTO - Install Debian Onto a Remote Linux System [sourceforge.net]

Re:Similar tool for Debian

[CaptainBaz]

you need debootstrap. now is not the best time to be looking for the rpm, as people.debian.org is still down after the brk() attack, but the relevant section of the install docs is here [debian.org].

Re:Similar tool for Debian

[vadim_t]

Use debootstrap. It will create a minimal install in any folder. Then chroot, and there you go, a small Debian system. Using that, you can either install Debian on another partition while running another distribution, or I suppose you also could replace your current install with Debian by booting into single user mode, and replacing your old system with Debian.

While you should be able to simply chroot into your new system and start adding stuff, I'd be a very good idea to boot it first. Debian will need to run some scripts on boot to finish configuring itself.

I'd go with the first option. The second one is too easy to screw up if you don't know what you're doing.

Re:Similar tool for Debian

[Killeri]

I would guess the easiest way to do this is to get a Knoppix CD image, unpack it to disk and then boot from it, just like the source article describes.

Re:Similar tool for Debian

[Marsala]

Well, I don't know of a tool, but how about HOWTO [sourceforge.net]?

Have a good one. :)

Re:Not really an upgrade....

[cperciva]

So all this does is write to the boot partition and load a barebones copy of bsd on a ramdisk?

It also inserts a system configuration file into the filesystem image; and the filesystem in question -- UFS2 -- is one for which Linux support is rather lacking, so the filesystem image has to be built entirely within userland (thanks NetBSD!).

Re:Useful!

[cperciva]

This is PERFECT for one of those Dedicated Server hosting providers that don't let you touch your box at all.

That was the initial motivation; although it turns out that this is also very useful for installing FreeBSD on easily accessible servers, since loading the entire OS into a memory disk makes it possible to do things which sysinstall doesn't support -- for example, creating a vinum root system.

Re:does FreeBSD have something like apt-get or yum

[molnarcs]

"having to do a make world on 300 boxen"

Not any more, and 'make world' is being deprecated in favor of 'make buildworld'. The difference is, that 'make buildworld' is totally self contained. You do 'make buldworld' on one machine, export /usr/obj (and /usr/src as well?) as nfs, mount it on your 300 boxen, and you only need to install the shiny new bsd with 'make installworld'. That's it. So it is actually quite easy to deploy on a large server farm. You would go the same way with the ports btw: build on one machine and have it make pakcages, than install the packages with pkg_add -r whatever on the rest of the machines. Neat. :)

Re:Similar tool for Debian

[Alioth]

I use User-Mode-Linux for my web/email/DNS servers. The co-lo that rents servers only rents RedHat servers. The 'host' still runs RedHat, but really very little of it - I have my own custom kernel (with skas patch, very useful if you are running UML virtual machines) on the RedHat host, plus iptables to act as a firewall. The RedHat host conceptually just runs as a network router.

The real servers are all UML instances, all running Debian. The UML page on Sourceforge has a minimal Debian root disk image. I based my root images from these (created a new filesystem on the RedHat system of the appropriate size, mounted both, and cp -a from the minimal Debian install to the root filesystem file I was going to use, edited /mnt/etc/network/interface etc. to set the right IP addresses etc.) then booted. After that, it's just a case of using apt-get to get the packages you want to run.

The nice thing about separating all your services on different VMs within one host is you can apply decent firewall rules for each VM. If, say, your DNS UML got rooted because of an unpatched BIND (unlikely with Debian, since you can just apt-get update && apt-get upgrade to keep up to date) the skript kiddie - instead of having the run of your whole server and being able to deface your website (or worse) is locked into your DNS UML. Add proper egress firewall rules with iptables on the host, and you can prevent most skript kiddie attacks from being able to work.

Although I like the BSDs (I like all UNIX style OS, well, except a certain company whose name need not be mentioned), they can't yet (natively) do the equivalent of user mode Linux which is something I find incredibly useful. Hopefully they will in the future.

Re:does FreeBSD have something like apt-get or yum

[R.Caley]

[having to do a make world on 300 boxen is not my idea of time well spent.]

mount /usr/src
mount /usr/obj
cd /usr/src
make installkernel installworld
scp -r build:/etc/\* /etc

This is assuming all your machines are identical. If not you'd have to be more careful about the config stuff, and use mergemaster, but that would be the case for any OS.

Of course, NFS is not something you'd want to use to a remote machine, the idea of opening RPC ports in my firewall makes my skin crawl. But for upgrading multiple machines on your own network, the BSD system is really quick and clean.

If something could be done to improve mergemaster, the ease of upgrading FBSD would be the killer argument for the death of the penguin. I've never seen a description of how to upgrade linux which didn't make me decide it would be easier just to do a clean install ofa new version. If there is such a description/method, please post and earn some well deserved karma.

Re:Let me get this straight...

[swb]

In the FreeBSD Ports collection, there are many Ports marked as broken, and many more unmaintained and suffering from bit-rot.

Name any five that depend on each other and are important for real-world use? Ports suffers from both the desire to be large and from the fact that they're generally supported by one person. I've been running FreeBSD now for nearly 5 years and have only run into a broken port once, snmpd, which broke after a significant change in system variables, which in turn broke snmpd. It was fixed quickly, and since then every time I've built a port it's built.

How exactly is FreeBSD 5 a "dramatic step-up from ANY Linux distro"? FreeBSD releases are only supported for 12 months. Then you have to upgrade. In comparison, Debian supports its releases for at least two years, and RHEL offers a whopping FIVE years. That's right, five. This matters in real-world use.

You don't understand FreeBSD releases. There are point releases (eg, 5.2), -STABLE branches and -CURRENT branches. Most people track a -STABLE branch. Tracking a stable branch provides you with bug fixes and occasionally some new features backported from -CURRENT. Tracking -STABLE requires you to periodically rebuild the system from source, but this is FreeBSD's *advantage* -- it's a single, coherent system that can be easily and totally recompiled from up-to-date source code.

I've been running 4-STABLE now for almost 4 years and its still a supported (ie, active development and maintenance) branch of FreeBSD. The 2.2 and 3 STABLE branches are still there and I think 3 was still supported until the 5-STABLE branch was created.

Maintaining FreeBSD is easy if you track -STABLE and supported for years, and its often possible (albeit not necessarily recommnede) to upgrade from one major release to another -- I did it from 3.x to 4.x. In this manner (and not just point RELEASEs), FreeBSD revisions are suppported for years -- far longer than even most sane people would run a given revision of software.

I never did more chasing than I did trying to keep Dead Rat systems updated; either I used RPMs and prayed that the package author didn't decide to switch a bunch of compilation options, or a built packages from source, which meant I had to do my own porting. And then there was libc upgrades and all other manner of horror of trying to maintain an OS that was a kernel with a bunch of other stuff glued on without any coherency.

I'll grant some Linux distros have better turnkey desktop setups, and certainly greater corporate involvement (although ask yourself when "greater corporate involvement" and "better software" were part of the same sentence), and higher visibility.

But longer suppport, easier maintenance and reliability over the long haul? No way.

Re:At least the server didn't go down...

[jrexilius]

it is a bit of a troll post as the item that would crash under a /. effect is Apache (assuming thats what you are running) not the OS. There is not enough of a performance difference in OS level operations between linux and bsd that would have an impact on your network and webserving daemon's ability to handle a /. Assuming apache 1.3.x, even recompiled to handle more than 256 children you are hard limited by memory and bandwidth. So when you get too many concurrent TCP connections, they just get dropped, regardless of OS.

Linux as a server

[shani]

Interestingly, the k root name server has been running Debian Linux for a year or two now and has not had any "creak". It gets about 1500 queries/second per machine (the root server is distributed geographically via anycasting, and at each site by load balancing), and receives all manner of ill-formed packets.

Other root servers seem to run Linux (use nmap if you're curious), but I don't know the people running them so I can't be sure.

Now admittedly this is a very specific type of service: it's a single application that all fits into memory.

We're going to be moving www.ripe.net and whois.ripe.net from Solaris to Linux in 2004. The WWW server gets about 20 hits/second as you can see here [ripe.net], and the whois server gets around 28 hits/second as you can see here [ripe.net]. These have more complex usage, with disk I/O, new process creation, and so on. I wouldn't let these services migrate if I thought they would be unstable.

Re:Thanks, thanks!

[cperciva]

I've put a static snapshot of mrtg.daemonology.net up here: http://www.daemonology.net/depenguinator/slashdott ing/ [daemonology.net]

I'll update it from time to time over the next day.

Re:Let me get this straight...

[Anonymous Coward]

It's somewhat amusing to see a Linux user talking about platform stability. Multiple incompatible package formats, constant libc and GCC ABI breakage, "stable" kernel releases that provide less hardware support because their kernel interfaces are constantly changing, major vendors shipping releases with broken compilers, and so on.

Then you get Linus telling people that binary kernel modules are supposed to be under the GPL. It's somewhat amazing and sad that Linux obtained so much publicity and commercial attention when it's such a bad platform in terms of stability, and its users are such rabid fanatics.

Re:You have been rooted, welcome to BSD

[Oopsz]

Tuxissa? [symantec.com]

rooting DNS will have consequences....

[jusdisgi]

While I certainly get your main point (rooting one box will leave the rest safe) I simply *must* take issue with your example.

You say if this guy roots your DNS VM, he won't be able to deface your website. I'll point out the obvious: he now has control over the web address, and can point your website at his own box, where the defaced site lies. Or he can point it at the DNS box itself, install apache, and deface it there.

Point is, if he roots your DNS server, you are all kinds of jacked.