
Re: How efficient is mounting /usr ro?



On Fri, 10 Oct 2003 13:56, Mark Ferlatte wrote:
> Steve Wray said on Fri, Oct 10, 2003 at 01:22:48PM +1300:
> > The answer we came up with was to update boxes by rsync
> > with --delete
>
> You may want to look at systemimager; it already does this, and it already
> knows to exclude the stuff that you don't want to rsync.  I've been doing
> something like this for over a year now, and it works really well.

We had to put something together fairly rapidly and considering the
amount of rsync expertise we have in-house we decided that it
would be the best solution for us. Granted there are possibly better
tools out there!

[snip]
> > Also, the rsync process runs some scripts on the target machine,
> > so any binaries used by these scripts are compared with
> > a record of what they are supposed to be (these are held
> > on the server), using the uploaded statically linked md5sum binary.
>
> Hrm, I would use a static tripwire or equiv, but yeah, this is also a good
> idea.  Of course, if you trust your rsync, then you don't have to worry
> about the md5sums on the client.

Ahhh but we run scripts on the target before and after the rsync; to prep it
up and so forth, as well as patching some things in /etc 
(we use a diff 'n' sed|patch system for some things in etc)
Hence, the binaries on the target that these scripts run need to
be verified. But yes, tripwire is ultimately the right tool!
:)
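
The check discussed in this message, verifying the binaries that the pre- and post-rsync scripts call against a record held on the server, could look like the following. This is an added example, not code from the thread; the function name `verify_binaries`, the manifest format (plain `md5sum` output) and the `MISSING`/`MISMATCH` labels are assumptions.

```shell
#!/bin/sh
# Added example: verify the binaries that pre/post-rsync scripts depend on
# against a manifest fetched from the server, using a trusted hash tool.
# Manifest format (assumed): md5sum output, "<hex digest>  <absolute path>".

# verify_binaries MANIFEST [HASH_BIN]
# Prints one line per failure on stdout; returns 0 only if every entry matches,
# 1 if any entry is missing or differs, 2 if the manifest cannot be read.
verify_binaries() {
    manifest=$1
    hash_bin=${2:-md5sum}   # in the thread's setup: the uploaded static md5sum
    failures=0

    [ -r "$manifest" ] || { echo "MISSING-MANIFEST $manifest"; return 2; }

    # The "|| [ -n ... ]" clause keeps a final line that lacks a newline.
    while read -r expected path || [ -n "$expected" ]; do
        # Skip blank lines and comments.
        case $expected in ''|'#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            failures=$((failures + 1))
            continue
        fi
        # The hash tool prints "<digest>  <path>"; keep only the digest.
        # An empty result (tool failed) never equals the expected digest,
        # so the check fails closed.
        actual=$("$hash_bin" "$path" | { read -r digest rest; echo "$digest"; })
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path"
            failures=$((failures + 1))
        fi
    done < "$manifest"

    [ "$failures" -eq 0 ]
}
```

A wrapper would call this before running any prep or patch script and stop on a non-zero return, passing the path of the uploaded static binary as the second argument.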



