Hardening production servers
Kevin Oberman
oberman at es.net
Tue Jul 8 14:43:47 PDT 2003
> From: Farid Hajji <me at farid-hajji.de>
> Date: Tue, 8 Jul 2003 22:50:03 +0200
> Sender: owner-freebsd-stable at freebsd.org
>
> > If you do a "make package" for each port that you install, you can copy of
> > using network filesharing (NFS, Samba, etc) to distribute the
> > /usr/ports/packages directory. Create that directory if it doesn't exist,
> > and "make package" will save the .tgz there rather than under each
> > individual port directory.
>
> Beware of ports that try to detect the CPU while compiling.
> mplayer (IIRC) or some CPU intensive ports _may_ detect
> a P4 on the compiling machine and use it, so the binary
> may not work on vanilla i586s. /etc/make.conf is your friend.
If the port is done correctly (and it likely is for the package
builder to work correctly), it will turn off such features.
The mplayer port does exactly this. You need to build with
"WITHOUT_RUNTIME_CPUDETECTION" for it to test your CPU type and build
for it. By default, the port built will be CPU independent. Of course,
this does impact performance a bit, so you might want to build
packages for each type of CPU you use. :-(
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net Phone: +1 510 486-8634