Wednesday, May 31, 2006

Server Upgraded to OpenBSD 3.9

I just completed the upgrade to OpenBSD 3.9 for my web and mail server. Besides the obvious OpenBSD 3.9 upgrade goodness, many of the applications and servers that I run were upgraded with it.

It's amazing how much easier it gets with each upgrade/re-install I do. But I still run into problems along the way.

I've been waiting to upgrade my server until packaging of PHP 5.1.4 was integrated into the tree. Unfortunately it was integrated into the -current ports tree (which is kind of "beta code"). Fortunately, not much has changed in the ports tree from 3.9 to -current. So, just downloading the php-5.1.4 CVS code into the 3.9 ports tree worked and the packages built without any issues. Along with this version of PHP, a hardened flavor has been introduced [hardened-php].

Prior to installing, I wrote a script to automatically install the packages I wanted to install to work out dependency issues (like a few X libs for GD). Once I had my "port_install" script ready, it was go-time.

My installation process involved running mergemaster on copies of my etc and var directories beforehand (to minimize downtime). Then, I did a clean install, blowing away /, /tmp, /var and /usr while preserving /home (many of the traditional /var directories like mysql, named and some spool directories live on /home and are symlinked to /var). I copied my upgraded etc and pieces of var in place. Then I made the symlinks in /var to their respective directories in /home. After that, pretty much everything came up on its own.

EXCEPT: I forgot a few files for spamd (OpenBSD's, not SpamAssassin) in /var/db. D'oh! During the first boot, pf failed because it couldn't find some files to load some tables. But, I had backed /var up, so I just copied those files over.
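A pre-flight check for the failure described above, as an added example that is not part of the original post: it reads the `file` clauses from the `table` lines of a staged pf.conf and reports any file missing from the staged tree, before the first boot. The function names, the sample ruleset, and the table and file names are constructed for illustration, and the staged tree is assumed to mirror the final filesystem layout.

```shell
#!/bin/sh
# Print every path named by a `file` clause on a pf.conf table line.
# Limits: no backslash line continuations, no paths containing spaces.
pf_table_files() {
    awk '
        { sub(/#.*/, "") }                  # drop comments, whole-line or trailing
        $1 == "table" {
            for (i = 2; i < NF; i++)
                if ($i == "file") {
                    p = $(i + 1)
                    gsub(/"/, "", p)        # quotes around the path are optional
                    print p
                }
        }
    ' "$1"
}

# Print the table files from pf.conf $1 that do not exist under staging root $2.
missing_table_files() {
    pf_table_files "$1" | while read -r path; do
        [ -e "$2$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: a staged tree where one table file was left behind.
demo() {
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/etc" "$stage/var/db"
    cat > "$stage/etc/pf.conf" <<'EOF'
# constructed sample, not the author's ruleset
table <spamd> persist
table <whitelist> persist file "/var/db/whitelist.txt"
table <blocked> persist file /var/db/blocked.txt  # file list kept by hand
pass in proto tcp to any port smtp
EOF
    : > "$stage/var/db/whitelist.txt"      # only this one was copied over
    missing_table_files "$stage/etc/pf.conf" "$stage"
    rm -rf "$stage"
}

# With arguments: check a real staged tree. Without: run the constructed demo.
if [ $# -ge 1 ]; then missing_table_files "$1" "${2:-}"; else demo; fi
```

Run it as `sh check.sh /stage/etc/pf.conf /stage` (the script name and paths are placeholders); any output means pf will fail to load that table at boot.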

The only other hiccup I had was with the new MySQL (5.0.21). I had to upgrade some tables before my old data would work with the new server. I kind of anticipated that, but forgot in the moment, so I was caught a little off guard.

But, now my server is up and running:

  • Stock Apache, chrooted, with PHP-5.1.4 (hardened)

  • Stock Sendmail with SASL

  • Courier IMAP with POP3

  • ClamAV for anti-virus

  • OpenBSD's spamd tarpit with greylisting

  • SpamAssassin

  • Hypermail for ssh-l archives

  • mlmmj for ssh-l mailing list