This is part Zero of an N-part series (I'm thinking 4 parts) discussing the investigation of radmin as a patch/deployment tool for FreeBSD. It will be filled in over the course of Q2/2009 as we test (and possibly deploy) radmin at Premier Heart. As many (if not all) of you know, I'm a BSD Bigot - I firmly believe that the BSD projects have a huge edge over Linux on servers in all the areas that matter to me most: Performance, Security & Stability. That being said, there's one area where they suck big floppy donkey dick: Patch Management. Over the years I've had several solutions:
- Ignore the Problem
Don't patch and hope you never get compromised. This has never been an acceptable solution to me.
- Patch Manually
Log in to every machine in your organization once a quarter, do a Make World / Portupgrade and deal with the fallout.
This is great if all you have are 1-2 machines, and it's how I patch bsd-box.net.
- Deploy a Build Server
A central machine builds the world and ports, then you log in to each machine to install them. It's manual patching, but you don't wait for Make World to run a bunch of times.
This is what most BSD admins do, but I'm lazier than the average admin.
- Deploy a Commercial Solution
This is OK as far as it goes, but using commercial solutions puts you on someone else's patch schedule.
Also, I'm not aware of any commercial solutions that Don't Suck™.
- Use freebsd-update
While I greatly admire what the FreeBSD Security Team has done with freebsd-update, it's just not for me -- Patching my custom software and ports with freebsd-update is a pain in the ass (I would have to essentially roll a custom release - More work than I want to do.) Also, freebsd-update is geared toward applying the security team's patches, not managing system deployments - that's only half of what I want.