Contributed by jj on from the can-I-upgrade-my-boss-with-this dept.
Binary patches with BinpatchNGFor many server administrators it may not be desirable to keep a full src tree around to update a system when an errata is published. While this may still be something that could work out just fine on large/fast servers, it's a dreadful task to do this on embedded systems or servers with little diskspace (like CF storage) or limited CPU power (Soekris, Alix, etc).
That's where binpatches (short for binary patches) come into play, they allow for patching a system by just installing the patch (and reboot if needed). The binpatches can be built on a fast machine and then deployed to a range of servers (running the same architecture).
This article will serve as a short introduction to binpatches, and m:tier's BinpatchNG in particular.
Introducing BinpatchNGThe original idea of implementing binary patches for OpenBSD was coded by Gerardo Santana, after which Felix Kronlage has added various new features such as the ability to sign packages as well as initial rollback support.
We at m:tier have been using Felix' version for several years for our customers. Gradually some extra features were implemented which we decided to release to the public last year. Among these new features were:
- Fine grained rollback support. Since rollback packages can take up a lot of space (which may cause issues on smaller CF cards for example), it may be preferable to completely disable rollback support, or to only have it enabled for kernels, or enable it for every component.
- A new naming scheme was adopted which allowed us to update and replace binpatches just like regular packages people install with pkg_add(1). Because binpatches are cumulative in nature, a new binpatch for a component, say the kernel, always includes all previous patches for this component. With this new scheme it's possible to just update the binpatch package to the latest available version; instead of having several binpatches "chained together" to finally result in the final desired state. This is acquired by adopting the usage of pkgpath's, just like packages built from ports.
- Improved display of what's going on while fetching the distfiles, patches
etc. This gives a better view of what's actually going on while bootstrapping
the build environment and while building the binpatches.
BasicsIn order to build a new binpatch, the build environment needs to be set up first, this is done with a simple
make extractThis will fetch the sources and base sets and extract them. Now the patch which is to be used in the binpatch needs to be added to the Makefile after which it's simply a matter of executing the following command to build and create the binpatch:
make packageWhat's great about binpatches as regular patches, is that you can query them like any other package:
$ pkg_info binpatch52-amd64-bgpd-1.0 Information for inst:binpatch52-amd64-bgpd-1.0 Comment: Binary Patch for 001_bgpd.patch Description: Patch(es) included in this package: 001_bgpd.patch Maintainer: m:tier <firstname.lastname@example.org>Now we can also have a look at the actual code of the patch that was installed:
$ cat /var/db/binpatch/5.2-001/patches/001_bgpd.patch
PuppetAnother advantage of using Binpatches becomes obvious when managing systems with Puppet. As now it's become just a matter of adding the new binpatch to the list of packages that need to be installed on a machine in order to deploy the binpatch. For example:
Integritym:tier has been publishing pre-built binpatches for OpenBSD/amd64 and OpenBSD/i386 since 5.2, this allows for a quick 'pkg_add' when an errata has been issued.
While we do our best to ensure transparency (the patches used to build a binpatch are installed into /var/db/binpatch/) it's understandable policies may forbid installing packages from third parties. That's why in addition to providing the pre-built patches, we published the framework which is used to build this patches on.
Late edit: All this was submitted and written by email@example.com, I just lost that info along the way while editing. Sorry for that
(Comments are closed)