FreeBSD: Running 'make installworld' from CD
20 Aug 2003
Sorry, non-tech folks. This is a sysadmin voodoo post.
I maintain several FreeBSD machines. When a security alert is issued, the standard procedure is to update the source for your release with cvs or cvsup, then recompile and reinstall the system with 'make buildworld' and 'make installworld'. It's also fairly standard procedure to 'make buildworld' on one machine, then export /usr/src and /usr/obj read-only via NFS to do installworld on the target machine.
However, my FreeBSD machines are behind a firewall inside a DMZ. I can't mount NFS through the firewall, and I don't really want to be compiling systems on underpowered small-disk single-purpose machines in a DMZ. At first, I used installation CDs to update major versions. This is not very flexible and may not include the latest security patches. Lately I've been plugging the DMZ machines temporarily into the LAN to update over NFS. This is inelegant and may damage the cables and switches (not to mention my fingers) when unplugging.
However, through trial and error (I haven't seen this tip anywhere), I figured out that after running 'make buildworld' on the build machine, I can burn /usr/src and /usr/obj on CD, and then run 'make installworld' from it on the target machines. The trick is you can't just have symlinks from /usr/src and /usr/obj to the CD. You've got to have actual mounts. In this case, null mounts work wonders. (Ignore the bit about 'not fully supported' and 'this doesn't work'.) If the CD is mounted on /cdrom, then:
mount -t null /cdrom/src /usr/src
mount -t null /cdrom/obj /usr/obj
You can then cd /usr/src and do your make installs and mergemaster. If you're really brave, you can do this while your services are running (single-user mode is for wimps), and then your only downtime is the reboot.
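The target-side steps above as a script with pre-flight checks, including the symlink case that does not work. This is an added example, not part of the original post; the function names, the CD and FSTYPE variables and the --install switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): null-mount the CD's src and obj
# trees over /usr/src and /usr/obj, install, then unmount.
CD=${CD:-/cdrom}          # assumption: CD mount point, as in the post
FSTYPE=${FSTYPE:-null}    # as written in the post; newer FreeBSD releases call it nullfs

# preflight CD_DIR USR_DIR: return 0 only if the null mounts can be made.
preflight() {
    cd_dir=$1 usr_dir=$2
    for t in src obj; do
        if [ ! -d "$cd_dir/$t" ]; then
            echo "missing $cd_dir/$t (is the CD mounted?)" >&2; return 1
        fi
        # The post's point: a symlink to the CD is not enough.
        if [ -L "$usr_dir/$t" ]; then
            echo "$usr_dir/$t is a symlink; replace it with a real directory" >&2
            return 2
        fi
        if [ ! -d "$usr_dir/$t" ]; then
            echo "$usr_dir/$t is not a directory" >&2; return 3
        fi
    done
    if [ ! -f "$cd_dir/src/Makefile" ]; then
        echo "$cd_dir/src has no Makefile; not a source tree" >&2; return 4
    fi
    return 0
}

install_from_cd() {
    preflight "$CD" /usr || return $?
    mount -t "$FSTYPE" "$CD/src" /usr/src || return 5
    if ! mount -t "$FSTYPE" "$CD/obj" /usr/obj; then
        umount /usr/src; return 5
    fi
    (cd /usr/src && make installworld && mergemaster)
    rc=$?
    # Release the CD even when the install failed.
    umount /usr/obj
    umount /usr/src
    return $rc
}

# Only touch the system when asked to explicitly.
if [ "${1:-}" = "--install" ]; then
    install_from_cd
fi
```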