“When it comes to hosting a company or a personal web site, there are more choices than ever. Not only is there a plethora of web hosting providers all lining up for our business, we also have a choice of many excellent operating systems, most of which are free – in both senses of the word”
says Ladislav Bodnar at lwn.net.
good article
I’ve used FreeBSD from 4.1 to 4.10 for website hosting but in the end I’m now running Debian on every server that I’m responsible for. Keeping a Debian system up to date is so much easier and more stable than on FreeBSD (disclaimer: you have to use the package manager on Debian!).
I don’t want my production server to sit around *compiling* its updates. I know it can be done differently (build binary packages elsewhere) but the default route is to use the ports collection on the machine itself which consumes major resources.
Then comes the big question: will my system function properly after I upgrade through ports? In my experience the ports process works flawlessly about 95% of the time. However that 5% error is unacceptable to me. Admittedly, most errors that fall into this 5% category can be avoided by carefully skimming through the config files of your updated package.
Apt-get hasn’t failed me a single time and it works just great. It allows for custom configurations, alerts me when things are not as it expects and well.. it just works.
The argument in the article about Debian’s slower boot times is kind of moot I think. You’re not going to reboot some hugely important website that can’t stand 2 minutes of downtime without having a proper failover in place, are you!?
I think the age of some of the Debian packages would probably be more of a factor than anything else.
Currently, the server I work on hasn’t had Linux reinstalled for ages (about 4 years from memory). Debian Stable is probably quite recent compared. However it’s underscored the problem of updates. Every update these days seems to break something else. Generally I now avoid making any updates unless it’s a critical security issue.
I’ve used freebsd as a desktop for several years. The problems I had were related to being constantly behind the upgrade curve and a few gaps in the ports collection. A server would probably be easier to maintain as the desktop packages took forever to recompile.
For the newer web server I’m going to give slackware a try. The downside so far is that I will be upgrading my own packages rather than relying on a distro maker to do it for me. I think I can live with that.
> I don’t want my production server to sit around
> *compiling* its updates.
Generally you can just install precompiled packages which have been built for you. Unless you’re using some exotic ports you may get away without compiling at all. True, not all ports are available as packages, though.
But you’re not installing/upgrading *anything* on your 24/7 production box anyway without checking on a mirror box first, right? If you just upgrade your ports/packages on the production server without testing then it’s not really that important a server anyway, is it?
We use FreeBSD here.
the current stable release – Debian Woody is now 31 months old. This means that those administrators and web developers who would like to make use of new features in any of the applications they deploy will probably be better off with FreeBSD
Rrright, since the 6-month release cycle gives a much more stable system? If not, then why doesn’t the guy refer to Sarge or Sid when comparing recent-ness? No need to answer, it’s called convenience.
other FreeBSD advantage worth mentioning – it boots much faster than Debian
Rrright, like anybody would care about that. On the other hand, you’re telling me that apache+postgres+everything gets faster on their feet? By how much, 2 seconds?
Yup, I care.
Disclaimer: I love Free&NetBSD. What I don’t like is the argumentation here guys.
Prepare the base of FreeBSD 4.11. Throw it in Jail. Mix in Apache13 with suExec + suPhp + p5-Apache-ASP, MySQL and add mods to taste. As a siding, add qmail with vpopmail. Perfect.
> Generally you can just install precompiled
> packages which have been built for you. Unless
> you’re using some exotic ports you may get away
> without compiling at all. True, not all ports are
> available as packages, though.
I think it is a bit more complicated. In fact, some binary ports do not work correctly (I am thinking about the “screen” program). Some others are incompatible with what has already been compiled: sometimes, if you want to update a port, you must compile a port which was first installed as a binary package. So usually I start with binary packages, but I eventually replace all these packages with source ports while I do upgrades.
I use FreeBSD and Debian, and I prefer to administrate FreeBSD instead of Debian, but I recognize that Debian works far better if someone wants to install binary packages or to update the whole system.
‘There is one interesting feature of FreeBSD that does not exist in Debian (at least not in its default configuration) – a set of reports entitled “Daily Run” and a “Security Run”’ sounds like a great idea!
Is it difficult to implement, or more importantly are there any sites available that explain how this can be set up in Debian?
Thanks
FreeBSD is more “unixy” in the packages dept, relying much more on source code… In the end it all depends on how much you like this particular approach. Hell, you can make a server on Windows where updates are distributed in neatly packaged exe files!
I love FreeBSD, it’s fresh and smells good.
I have to say I have no admin experience at all.
1)
I sincerely don’t understand Debian/Stable.
You cannot install Apache2!
I have to use Testing to use Apache2!
But let me see the change-log:
http://packages.debian.org/testing/web/apache2
http://packages.debian.org/changelogs/pool/main/a/apache2/apache2_2…
After 2.0.53
BTW those are the patches to the package:
Mon, 14 Feb 2005 01:45:08
Wed, 9 Feb 2005 11:30:21
Wed, 9 Feb 2005 04:20:07
Mon, 7 Feb 2005 07:54:12 (2.0.53 release)
Let me check php4:
http://packages.debian.org/changelogs/pool/main/p/php4/php4_4.3.10-…
Thu, 17 Feb 2005 00:06:36
Mon, 14 Feb 2005 16:04:28
Sun, 13 Feb 2005 19:09:39
Wed, 9 Feb 2005 11:52:10
Sun, 6 Feb 2005 05:32:11 (this is 4.10-patch 3…)
How often should I have to upgrade my packages?
Based on urgency=high ?
BTW the last 3 php4 patches are marked high…
IMHO, aren’t those too many patches within a month?
2)
php5, it doesn’t exist under sid at all
Sincerely I’m using Debian/sid as my desktop machine and I’m happy with it.
But I’d like to use a VirtualPrivateServer with Debian, one of those cheap plans at ~20 bucks a month, but I’m still confused on what to do to use an apache2 server.
Stable seems frozen and really old, testing/stable really too many updates!
PHP5: no official Debian way to use it!
Don’t want to go to 3rd party repos.
The FreeBSD side for Apache2 patches is this:
http://www.freshports.org/www/apache2/
and php4 here:
http://www.freshports.org/lang/php4/
About the article by Ladislav Bodnar: very interesting indeed.
Bas (IP: —.xs4all.nl) wrote:
Then comes the big question: will my system function properly after I upgrade through ports?
I really think no professional sysadmin should *ever* upgrade an application in a remotely relevant production environment without trying it first in a test environment.
And this is true even when using FreeBSD, notwithstanding the fact that FreeBSD ports have an *excellent* reputation for functionality – the very few ports that are broken are almost invariably marked as such.
over any Linux distribution. Hardware may be cheap but it ain’t free. In order to allow our hardware to go its furthest, we use FreeBSD’s slick jail capability. This allows me to expose my web server, for example, in a jail with a tightly controlled security configuration all the while running my database process on the same machine with its own independent security configuration.
Slick stuff. I’ve never seen any Linux distro ship with anything remotely like it (chroot does NOT compare, for those of you who are tempted to bring that up).
Jail on FreeBSD rocks…HARD! Beat that. No?
Didn’t the Debian project set out to create a debian(GNU) version of FreeBSD a few years ago? The debian people must have seen some merit in FreeBSD?
See below:
http://www.debian.org/ports/kfreebsd-gnu/
I’ve been in charge of quite a few systems, and no matter which operating system I use (usually debian), I typically end up pre-compiling the application running, especially if it’s a production server. If that application is apache with php, I download and compile it from source. This has saved me quite a few times from debian trying to upgrade apache or php and it failing to work (yes, sometimes apt-get fails….like .0001% of the time). I also don’t really like how apt-get downloads the packages, stops the service, then installs every single one of the new packages, then starts up the services again. If there is an error installing a package or the packages take forever to install, apt-get hangs and either doesn’t start up the services it stops or takes forever to finish installing. That means if you aren’t paying attention, your apt-get (apt-gotten?) apache will be stopped while scrollkeeper updates its database. That’s pretty unacceptable to me, so compiling from source and just not telling debian or any other operating system about the server software seems to work out a little better in the 99.999% application uptime world.
This method also makes it easier to go back and add or disable certain features of the codebase that’s not usually available in the package management solutions.
Why the heck do you have to update apache and scrollkeeper at the same time? Duh!
Hardware may be cheap but it ain’t free. In order to allow our hardware to go its furthest, we use FreeBSD’s slick jail capability.
Something isn’t quite right about the priorities of this author. Boot time for a hosting company isn’t even worth mentioning. However, jails are, for they are responsible for the popularity of FreeBSD among providers. It combines the best of both worlds of chroot and vmware. With jails, you can let your users have maximum flexibility – they can have a root account for the jail, and use whatever granularity they deem appropriate for user management. They can have whatever version of apache/php/mysql they want running isolated from both the stuff the host system (or main system rather?) or other jails are running. Even if the jail is broken into, the host system remains intact, and getting the jailed processes back online takes only a few minutes if you have proper backups.
Someone mentioned that a downside of FreeBSD is having to spend lots of CPU cycles compiling. Even if binary security updates were not available (they are, so you can opt out of compiling anything if you wish to)… have you actually measured how much time you spend compiling? Because I have mysql, apache, php, ssh, pure-ftpd, perl, python, ruby etc. installed (56 packages altogether) and if I average out the time I spend compiling _including_ a complete rebuild of the kernel and the world, it won’t be much more than 1 hour/week (of course, this is machine dependent; I have an Athlon XP 2800+, where apache takes some 15 minutes to compile, and world+kernel about 1h15min).
So the time you have to spend compiling is pretty much overestimated in some of the posts I see here. Besides, the entire process can be easily automated – hence the legendary maintainability of FreeBSD. Recently I’ve been scheduling weekly rebuilds of the kernel+world, and decide whether to install it or not based on my experience on my home machine (I’m tracking Stable: uname -v
FreeBSD 5.4-PRERELEASE #22: Sun Feb 27 21:15:27 CET 2005 )
Anyway, in my experience (and I came _from_ debian) FreeBSD combines the stability of Debian (stable branch) with up-to-date software. For instance, I’ve been already running PHP 5.3 hours before the news about this security update hit slashdot. As to kernel/world: if you read the security notifications regularly (the last one was from December), it is really rare that you have to rebuild the kernel or the entire world. For instance, take this one: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:17…
A quick glance at the fix suggests that you’ll need a kernel recompile. But take a careful look: procfs? Procfs is off by default in 5.x releases, so unless you need it for some reason or other, this security notification doesn’t concern you.
Debian rocks my socks!
I haven’t used Debian since 2002 or so. But I remember having the system go south, and apt managed to render the system unbootable. This has never happened to me on FreeBSD. If you want to use binary updates on FreeBSD you can use Colin Percival’s FreeBSD update ( http://www.daemonology.net/freebsd-update/ ). I personally build packages on one box and deploy them via nfs on the other servers after testing.
One of the comments in the LWN article mentions Debian GNU/kFreeBSD. According to the stats there’s only 1 user, the developer 🙂
I fail to see why anyone would prefer GNU userland on a FreeBSD system, but hey, to each his own.
There is something similar in Linux: User Mode Linux. Though, I believe UML requires more power (CPU, RAM) than a jail.
I use FreeBSD, but I use it in a really small environment so I’m not sure how Yahoo approaches updating FreeBSD. However, from reading stuff, my thoughts on it was that a web hosting company would generally have hundreds of servers with very similar configurations. They would generally download and compile the security fixes on a deployment type server, and after running tests on this server, and making sure everything is ok, they would then deploy these changes via binary updates to all the other thousands of servers. Anyways, I always thought that “time spent on compiling” was very small.
Exactly. And doing it is really a breeze. Although there is some truth in the claim that upgrading between major versions (4.x to 5.x) might be a hassle, if you can do it on one machine, much of the trouble can be alleviated. Same with security updates, even with complete rebuilds.
When you rebuild world + kernel the resulting binaries are self contained: they reside in /usr/obj. Export that via nfs, and you only have to do a make installkernel/world on the rest of the machines. The case is similar with 3rd party packages. Having portupgrade build binaries is as easy as passing -p to portinstall/upgrade. Binaries will reside in /usr/ports/packages. Share that via ftp, change the repo source variable on the rest of the servers to that one machine, and you are done. portupgrade -PP will install any updates available from your package server automatically.
We are talking about different things. With a good admin, tuning FreeBSD or Debian is the same. The most important thing is that he can use FreeBSD or Debian to do his work flawlessly.
I don’t want a compiler and development libraries on a production web server.
Byebye *BSD.
I don’t like BSD’s bootup either. But that’s just personal. For the rest, like the author mentions, it’s the applications and tools that matter. And those are the same for pretty much any linux, BSD, UNIX or even Windows platform.
Looks like $author did use debian for a while, but doesn’t really understand it.
I’m reading posts here that say FreeBSD is just as easy to keep up to date as Debian. When I used FreeBSD, portupgrade would regularly mess up my system.. So maybe I’m doing something wrong? My biggest problem with FreeBSD has always been the hassle I experienced when trying to upgrade packages (not the base system). Could someone please give me a quick pointer so I can find out how to _properly_ upgrade FreeBSD’s packages?
“I don’t want a compiler and development libraries on a production web server.”
You don’t need them on a production server. You need them on your development server.
If your production server is your development server, then you have more important issues to resolve than which OS to use.
“You don’t need them on a production server. You need them on your development server.
If your production server is your development server, then you have more important issues to resolve than which OS to use.”
So basically what you’re telling me is that I do updates on a “development” server using that ports thing. Then figure out what the changes are and then somehow get those changes applied to the production server? How, by building a binary package on the development server and then installing that (and all the crap it depends on) on the production server? Sorry, that stuff has already been invented and streamlined. It’s called “Advanced Package Tool”, and it comes for free with Debian…together with the largest, best mirrored and most rigorously QA’ed package repository there is.
It’s all preference of course and opinion, but Debian (all of it, not just the distribution) wins any comparison, hands down. IMO.
then maybe you should be reading /usr/ports/UPDATING.
Hardware may be cheap but it ain’t free. In order to allow our hardware to go its furthest, we use FreeBSD’s slick jail capability.
For virtualization Linux has virtual-servers, User Mode Linux, BSD Jails, and chroot.
Personally I run NetBSD on my web-server, only because my modern GNU/Linux distribution live-cds will not work; admittedly I did not try Debian on it. But if it boots and runs properly I will replace my NetBSD server with it.
I don’t want a compiler and development libraries on a production web server.
Byebye *BSD.
I don’t claim to be a FreeBSD expert, but wouldn’t “pkg_add” for installing binaries in FreeBSD be a viable alternative to “apt-get install” under Debian?
How, by building a binary package on the development server and then installing that (and all the crap it depends on) on the production server? Sorry, that stuff has already been invented and streamlined.
All the crap it depends on? I think you don’t really understand what “development server” is in this context. What does apt do? Installs packages and all their dependencies. That’s exactly what pkg_add -r pkg_name does – no more, no less. Perhaps you are not aware of the fact that there are build-time and runtime dependencies? You won’t get more packages installed by using pkg_add than you would with using apt-get install. In fact, you have the flexibility to install less, with almost zero effort. Your prebuilt .deb packages will have a set of dependencies, some of which you won’t need anyway, so if you really want to streamline the packages installed on your server, you have to use source debs to do that or compile manually… How does this work in freebsd?
On your “development server” you install every package you think you’ll need on your other puters, and have the portupgrade/install tool build packages for them as well. This is as easy as passing -p to portinstall apache2 (portinstall -p apache2). This will build apache and dependencies, and will put the binary packages in a directory. You share that directory through ftp, and that will be your pkg repo. Now what you do on each of the servers you maintain is: pkg_add -r apache2 – and this will install all the freshly built and i686 optimized (unless you have p1 or worse among your servers) packages that apache2 needs (without installing any “crap” as you put it). In fact, it may even install fewer packages than apt would for apache.deb, and you don’t need to dig around too much to achieve that:
mcsaba@mcsaba$ cd /usr/ports/multimedia/avidemux2/
mcsaba@mcsaba$ make config
===> Switching to root credentials to create /var/db/ports/avidemux2
Password:
This will result in the following screen: ftp://hatvani.unideb.hu/pub/personal/screenshots/avidemuxoption.pn…
Once you choose your options, they will be saved, and next time you upgrade, you don’t need to go through this again. Now think: how much effort and time did this take? Typing in make config and pressing space near a few checkboxes – 8-10 seconds, 15 if your typing is really slow. The resulting avidemux2 binary will only have the dependencies that you chose, above those that are absolutely required. Now what about avidemux2.deb? Will it install xvid (and have xvid support?) Will it install all of those options? None? Do you even know? And most importantly: does it even exist (version 2.0.38)? Once you go through that 10-second exercise, you can be sure that there won’t be more “crap” on your system than you would get with apt; in fact, it may very well be that you will have less.
You don’t even have to go through all the steps outlined above. If you simply type portinstall apache2, and if you’re doing it for the first time, that screen will be brought up automatically. make config is a good way to ensure that if you want to install multiple packages overnight or leave your puter building for the weekend, the build process won’t be stalled at an option screen. Once you have all the packages that you need installed, you won’t even have to “worry” about that.
As I mentioned earlier, the build time required for a FreeBSD server, or even a desktop, is largely overestimated. The good thing is that you can have FreeBSD up and running in 15 minutes, and yes, pkg_add -r is the exact equivalent of apt-get install: it installs precompiled binary packages with automatic dependency checking/resolution. What I described above is just an addition (even though it is a _very nice_ addition )) And then, when you just write an essay or read emails/surf the web, you can really spare some cpu cycles to rebuild xorg or kde or whatever in the background.
As to ports not working – well, you really should read /usr/ports/UPDATING. It only takes a few minutes, and you can see when you need to check it via freshports (which I consider part of the ports architecture which I didn’t even mention, although it adds even more spice to the joy of using ports: you can upload your package list and add it to your watch list – which will send out emails if there are updates available. You can maintain multiple watch-lists – for instance, one watchlist for important stuff installed on your server, another for your desktop, etc. You can get instant emails about security fixes to mysql/apache/whatever, as well as upgrades/updates of your favorite ports ))
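Both the one-line reply above ("then maybe you should be reading /usr/ports/UPDATING") and this comment make the same pre-upgrade recommendation. The script below is an added example, not code from the thread or from the FreeBSD project: it reads text in the layout of /usr/ports/UPDATING (an eight-digit date line followed by an indented AFFECTS: line) and reports the entries newer than a given date that name a port origin you actually have installed, so the check can be scripted on the build box before portupgrade runs. The UPDATING excerpt is constructed for the example; the real file is longer and its entries carry more fields.

```shell
#!/bin/sh
# Constructed excerpt in the layout of /usr/ports/UPDATING. Dates, authors and
# descriptions are made up for this example; only the structure mirrors the
# real file (date header, indented AFFECTS:/AUTHOR: lines, free-text body).
UPDATING_SAMPLE='20050220:
  AFFECTS: users of lang/php4
  AUTHOR: ports@example.org

  php4 now builds the CLI and the Apache module from separate ports.

20050210:
  AFFECTS: users of www/apache2
  AUTHOR: ports@example.org

  The default MPM has changed; review httpd.conf before restarting.

20050105:
  AFFECTS: users of databases/mysql41-server
  AUTHOR: ports@example.org

  Dump all databases before upgrading.
'

# updating_since SINCE ORIGIN...
# Reads UPDATING text on stdin and prints "DATE ORIGIN" for every entry dated
# after SINCE (YYYYMMDD) whose AFFECTS: line mentions one of the given port
# origins. Newest entries come first because that is the file order.
# Real-world use:  updating_since 20050201 www/apache2 lang/php4 < /usr/ports/UPDATING
updating_since() {
    since="$1"; shift
    awk -v since="$since" -v origins="$*" '
        BEGIN { n = split(origins, want, " ") }
        # An entry starts with an eight-digit date followed by a colon.
        /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ { date = substr($0, 1, 8); next }
        # Only the AFFECTS: line of an entry newer than SINCE is inspected.
        /^ *AFFECTS:/ && date + 0 > since + 0 {
            # Substring match is deliberately loose: an entry about www/apache22
            # would also surface for www/apache2, which is the safer failure mode.
            for (i = 1; i <= n; i++)
                if (index($0, want[i]) > 0) print date, want[i]
        }'
}

# Demo run against the constructed sample: installed origins are www/apache2
# and lang/php4, last reviewed on 2005-02-01, so the mysql entry is skipped
# (not installed) and the two February entries are reported.
printf '%s' "$UPDATING_SAMPLE" | updating_since 20050201 www/apache2 lang/php4
```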
A few ppl at the beginning mentioned that they don’t like the idea of compiling stuff on their server… well that is easy not to do and still get it all done… don’t do it on the server… do it somewhere else and use NFS
I think freebsd’s ports system is the best in the unix/linux industry. I also love debian’s package system. I like freebsd’s more though. It’s a hard pick.
In the end I will have to decide based on what will get the job done. The recentness is not really relevant. On a productive server you have to compile things anyway (like apache), so not wanting to compile stuff is really not a good argument.
First, about apt-get issues. You can try
# apt-get -s install package
which will test the install process for the package. If it goes well you can safely install/upgrade.
We use Debian at the company I work and it really rocks. Apache + PostgreSQL + Tomcat + Perl web apps + RRDtool + … Works flawlessly.
For those that are complaining that FreeBSD doesn’t easily do binary upgrades, I suggest that you read the portupgrade manpage a little closer. A “portupgrade -Pra” will upgrade a system completely using binary packages if they are available (And fall back to source, if they are not).
Some notes: similarly to -s in apt, we have -n (noinstall/deinstall) in freebsd, which shows what would happen if you installed a package. For instance, pkg_deinstall -rn php* would show that all packages beginning with php will be deinstalled, and it will also show every package that will be removed as a result of this. As I said, the pkg_* tools in FreeBSD are the equivalent of APT in Debian.
portupgrade -P will look for binary upgrades for a package, and if there is none available, it will install from source. portupgrade -PP would upgrade only those packages that have binary upgrades available. The package repository for FreeBSD is rebuilt quite regularly (from ports), so the lag compared to ports is ~1 month, but I haven’t verified that, just guessing, for I use ports exclusively – if you have anything above an AMD Duron 700 – my previous machine – building from ports isn’t that much of a hassle, for you can choose the time when you want to do upgrades (on a desktop puter): for instance, when you work on a longer piece of writing, just browse the net, or even if you just watch movies (but you need the ULE scheduler for seamless playback and desktop interactivity). portinstall globs by default; in other words, let’s say there are upgrades in ports for 50 packages. You can have a quick glance at that list, and then portupgrade lib* for instance, which will only upgrade packages whose name begins with lib along with their dependencies (so if you have kde there as well, it won’t be upgraded).
Old package versions are not the only problem with Debian Woody, it also lacks cryptographic verification for the origin of packages. The currently experimental APT version 0.6 would fix that and there’s been discussion on the mailing lists that APT 0.6 could make it to the upcoming stable Debian release, Sarge.
http://lists.debian.org/debian-devel/2005/02/msg00646.html
Here is the current status report for APT 0.6:
http://www.enyo.de/fw/software/apt-secure/
Sarge will also make available the apt-listbugs utility that searches the database of reported bugs and warns you before installing any packages with known problems, giving you the chance to cancel the planned installation.
Thanks for the precious info you posted!
I don’t want a compiler and development libraries on a production web server.
Byebye *BSD.
You don’t need to have compilers on the production web server. We currently have every service in a separate jail running on securelevel 3 and stripped of every unnecessary binary. We also have an extra jail (running on a private ip) with the ports tree, used to build packages to install/upgrade on the other jails. Also, the internal jail services (ldap, database, dns, etc) run with private ip’s on tapX (yes I know there are performance issues, but it works like a charm), so if someone gets root on your webserver, they can’t shut down the mysql server, for example.