
Debian vs. FreeBSD as a Web Serving Platform, Part 1


February 23, 2005

This article was contributed by Ladislav Bodnar

When it comes to hosting a company or a personal web site, there are more choices than ever. Not only is there a plethora of web hosting providers all lining up for our business, we also have a choice of many excellent operating systems, most of which are free - in both senses of the word. In fact, after having spent some time investigating the possibilities, this author concluded that the majority of hosting companies in operation today seem to have standardized on offering Fedora Core, Debian GNU/Linux and FreeBSD as their preferred operating systems. This is hardly surprising; all three of them are not only free of cost, but also well-established and trusted as web serving platforms. For the purpose of this two-part article we will look at and compare the features and security aspects of Debian GNU/Linux with those of FreeBSD, both of which the author had the pleasure to use and administer in recent years.

Despite some crucial differences with respect to their kernels and base system, the two operating systems, as considered from the point of view of included applications, are rather similar. Both Debian and FreeBSD provide the Apache web server, several scripting languages (PHP, Perl, Python, Ruby or any other tool one might employ for the purpose of developing interactive web pages), integration with MySQL and PostgreSQL databases, SSL features and anything else that we've come to expect from a system designed for web serving. All commonly used UNIX tools, such as man pages and shells, are also provided.

But under the surface, there are more profound differences, especially in the design and philosophy of the two operating systems. FreeBSD has a much faster release cycle - production-ready releases are made roughly every 6 months, whereas the Debian developers only make a new stable release "when ready", which can take years. In fact, the current stable release, Debian Woody, is now 31 months old. This means that those administrators and web developers who would like to make use of new features in any of the applications they deploy will probably be better off with FreeBSD. As an example, during the time when this author administered a Debian server he found himself in need of upgrading PHP to take advantage of some newly introduced functions, as well as Postfix and SpamAssassin, the new versions of which offered much improved spam-fighting techniques. But with Debian's slow release cycle, the only way to upgrade the above mentioned packages (other than compiling them from source) was to get them from Backports.org. Although very good and highly up-to-date, Backports.org is a third-party repository, not officially sanctioned by the Debian Project and not supported by the Debian Security Team.

This is in sharp contrast with FreeBSD where only the base system, often referred to as kernel and userland, is kept in a constant state (with the only exception being security updates), while the included applications, or ports in FreeBSD's language, are continuously updated. This being so, a system administrator can choose to keep upgrading all important ports to their current stable versions and take advantage of any new features in them. This is a very pleasant aspect of FreeBSD - instead of an endless wait one might endure before a new stable Debian release, the administrator running FreeBSD can upgrade all installed ports to their latest versions at any time, independently of the base system.

While most system administrators would deploy Debian as a binary distribution, i.e. they would install and use its pre-compiled binary packages, FreeBSD's ports are mostly meant to be compiled directly from source on the user's system. As always, the proponents of each approach could engage in endless debates about their respective merits; here we'll just say that both ways of doing things have their advantages and disadvantages. As an example, compiling Apache with a worker.c module (for a busy web server) under FreeBSD is as simple as modifying a parameter in a Makefile, then running "make install". On a Debian system, achieving the same would entail downloading the source code, looking through the source files to find the relevant place, modifying it, then creating a new Debian package with "apt-build" - not a particularly tedious task, but not as elegant as on FreeBSD. On the other hand, compiling ports directly from source code always brings in a risk of a port failing to compile, which can be frustrating.

The ability to upgrade the operating system painlessly to a newer version is one area where Debian enjoys a considerable advantage. Since its early days, Debian has always provided a simple and elegant upgrade path between two stable releases, which is probably a feature that has attracted Debian many supporters. Unfortunately, FreeBSD does not have the same policy. While upgrading FreeBSD to a new minor version (e.g. from 4.10 to 4.11) is relatively easy and mostly trouble-free, the same cannot be said of upgrading between major versions (e.g. from 4.10 to 5.3). In fact, the FreeBSD project does not recommend upgrading from 4.x to 5.x at all; not only is this path untested, it would also mean loss of functionality due to incompatible file systems in the two major FreeBSD versions. This could be an important consideration for those users who do not have physical access to the server - while upgrading Debian to a newer version is as simple as executing a couple of commands, with FreeBSD, one would need direct assistance of somebody at the web hosting company.

There is one interesting feature of FreeBSD that does not exist in Debian (at least not in its default configuration) - a set of reports entitled "Daily Run" and a "Security Run", which are emailed to the system administrator on a daily basis. They represent a collection of routine tasks as performed by several cron jobs. The "Daily Run" output provides information about the state of the system, uptime, mail in the mail queue, state of the disk partitions and network interfaces. It also backs up and outputs changes (if any) in the /etc/passwd and /etc/group files. The "Security Run" is even more useful, with information about setuid files and devices, passwordless user accounts, SSH login failures, and refused connections. It even informs the administrator about current vulnerabilities in any of the installed ports (provided that a certain port is installed on the system, but we'll get to that in the second part of this article).
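
Three of the "Security Run" checks listed above (passwordless accounts, setuid files, SSH login failures) can be approximated on a Debian host with a short cron-driven script. The following is an added example, not code from this article or from FreeBSD's own scripts; the function names, the baseline path and the OpenSSH log-line format it matches are assumptions.

```sh
#!/bin/sh
# Added example: Debian-side approximations of three "Security Run" checks.
# All paths are arguments so the functions can be tried on copies of the files.

# Accounts whose password field (field 2) is empty in a shadow-format file.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Setuid/setgid regular files below a directory, in a stable sort order.
setuid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# Diff the current setuid list against a saved baseline ($2), printing
# "+ path" for new files and "- path" for vanished ones, then refresh the
# baseline. The first run only records the baseline and prints nothing.
setuid_changes() {
    cur=$(mktemp) || return 1
    setuid_files "$1" > "$cur"
    if [ -f "$2" ]; then
        LC_ALL=C comm -13 "$2" "$cur" | sed 's/^/+ /'
        LC_ALL=C comm -23 "$2" "$cur" | sed 's/^/- /'
    fi
    mv "$cur" "$2"
}

# Failed SSH password logins per source address, busiest first.
# Assumes OpenSSH's "Failed password for USER from ADDR port N" syslog line.
failed_ssh_logins() {
    sed -n 's/.*sshd\[[0-9]*\]: Failed password for .* from \([^ ]*\) port .*/\1/p' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Report mode for a daily cron job run as root: script --report [baseline]
if [ "${1:-}" = "--report" ]; then
    # Hypothetical baseline location; keep it in an existing root-owned
    # directory, not a world-writable one.
    baseline=${2:-/var/lib/security-run/setuid.baseline}
    echo "Passwordless accounts:"; passwordless_accounts /etc/shadow
    echo "Setuid/setgid changes:"; setuid_changes / "$baseline"
    echo "Failed SSH logins:";     failed_ssh_logins /var/log/auth.log
fi
```

Cron mails whatever a job prints to the job's owner, so running the script with `--report` from root's crontab yields a daily mail similar in spirit to the FreeBSD one.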

There is perhaps one other FreeBSD advantage worth mentioning - it boots much faster than Debian. True, this is not a terribly exciting characteristic of an operating system that is meant to be running 24 hours a day, but it is still good to know that if the system needs to be rebooted (perhaps after a security-related kernel upgrade), it won't be down for more than a minute on any reasonably recent hardware. Booting Debian takes at least twice as long.

In part 2 of the article, coming up next week, we will compare the ways security updates are handled by the two operating systems, and briefly consider some migration issues.




Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 8:54 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

If you mention a system that constantly updates, you should consider Debian's unstable as well, and not just stable.

As for daily checks: take a look at, e.g. logwatch, sxid.

Anyway, on Debian using apache with worker.c is as easy as:

apt-cache search apache| grep worker
apt-get install apache2-mpm-worker

Tested on Sarge.

And rebuilding from source is quite simple:

As root: apt-get build-dep apache2

As user:
apt-get source apache2
cd apache2-2.0.52
[patch whatever you want]
fakeroot dpkg-buildpackage

You get a nice deb to install on your system, along with its source so you'll be able to reproduce that build later.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 16:52 UTC (Thu) by vonbrand (guest, #4458) [Link]

Don't go around recommending unstable versions for 24x7 jobs (it is called unstable for some reason, isn't it?).

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 17:36 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

Again, in the context where it was written:

> This is in sharp contrast with FreeBSD where
> only the base system, often referred to as
> kernel and userland, is kept in a constant
> state (with the only exception being security
> updates), while the included applications,
> or ports in FreeBSD's language, are
> continuously updated. This being so, a system
> administrator can choose to keep upgrading all
> important ports to their current stable
> versions and take advantage of any new
> features in them. This is a very pleasant
> aspect of FreeBSD - instead of an endless
> wait one might endure before a new stable
> Debian release, the administrator running
> FreeBSD can upgrade all installed ports to
> their latest versions at any time, independently
> on the base system.

Basically either use Stable+backports or Unstable to get basically the same effect.

BTW: I'd like to see some comparison of the apache configuration in both distros. The Debian maintainers of the package bothered doing the extra work to automate as many tasks as possible. e.g.: almost all modules are disabled in the default apache config. There is an extra utility to "enable" modules (and virtual hosts, for apache2).

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Apr 14, 2005 10:14 UTC (Thu) by vinci (guest, #13772) [Link]

No, no, no. Only use "unstable" if you know what you are doing (being a developer or something). So generally NEVER use unstable. If you use it anyway, you will know why.

I had SO MUCH trouble because of people like you recommending unstable years ago, when I started using Debian.

Thilo

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Apr 8, 2009 0:15 UTC (Wed) by jel (guest, #38548) [Link]

Yes, yes, yes. I started using debian unstable many years ago, and like you, found it difficult. However, it was a lot tougher back then, and there are techniques you can learn to avoid problems, which is no different really from knowing how not to cause yourself problems with a release version. Most debian desktop users run unstable, and the tools and the distribution itself copes very well with making sure you don't burn yourself too badly. It's at least as safe as playing with ports, and probably a LOT more safe.

I also use it on servers, most of the time. The availability of debian unstable's modern, huge selection of managed, up-to-date packages, all downloadable at the stroke of a key, together with a little know-how, is much better than relying on something like a release from CDs.

Unstable stable and testing

Posted Mar 5, 2005 0:47 UTC (Sat) by cricketjeff (guest, #28244) [Link]

While I would never use unstable without a great deal of thought on a busy production server it isn't as drastic as the name implies, unstable doesn't mean the packages are flaky just that the versions and dependencies will change quite rapidly. Testing is a third set of archives and is the "new" stable version in waiting and is usually suitable for immediate use, indeed in my last job we served about 3 billion webpages a year from testing boxes. If you need to use the latest software for one or two packages but want stability for the rest Debian has that covered,
apt-get install -t unstable package-name
will pull the package you want from unstable the apt conf file allowing you to specify stable or testing to be your default distribution.
apt-get install -st unstable package-name
would pretend to do the same thing so you can see what extra packages will need to be pulled for unstable so you can decide whether or not to go ahead.

Unstable stable and testing

Posted Apr 14, 2005 10:24 UTC (Thu) by vinci (guest, #13772) [Link]

It does mean that a package is there today and gone tomorrow - and you get NO support. This can lead to high frustration. Yes, some packages are very well organized, but "unstable" is not named "testing" for good reasons.

The truth is, and I hate to say that, that Debian today is quite unusable for people who like to use modern software. The concept is outdated. 3 years for a new release is just too much (for me and many others).

I have been using Debian for 6 years now as a home server and webserver. I like it very much. But the update policy is a pain.

I don't know what comes into next 'stable' and when 'stable' comes. That means that I might have to switch to another distribution if I want PHP5, Horde3, Gnome 2.10 in the next 4-5 years. We just don't know so many things today about a future release. "It's ready when it's ready" - this is good for a product nobody is eagerly waiting for. I want to know when a next release comes out and what software it will have. It is ok, if that does not fit a 100%. But if you need a certain basis you can not use today's Debian.

But I am optimistic that Debian will make its reforms now and be attractive again, soon. But right now one should not recommend Debian.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted May 17, 2005 16:29 UTC (Tue) by yanzg (guest, #29995) [Link]

I use debian as my server and workstation. I think that stable is enough for a mini-server and Debian testing is really very stable compared with many other distributions including fedora core. So Debian testing can be used as server if needed, though I only use Debian testing as desktop. The unstable distribution of debian is not a bleeding edge, however, the unmatched packages may cause trouble if you rely on it.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 11:38 UTC (Thu) by climent (guest, #7232) [Link]

> ...the administrator running FreeBSD can upgrade all installed ports to their latest versions
> at any time, independently on the base system.

Not completely true. Some ports depend on the actual kernel version of the FreeBSD base.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 17:19 UTC (Thu) by ballombe (subscriber, #9523) [Link]

Rebuilding Debian package from source is not essentially different from using a port system and has the advantage that you don't need to compile on the target system and can keep around your packages easily.

Debian is much a source distribution: each package is compiled automatically 10 times on 10 different platforms before entering testing so this is a very well tested process. This is much more than 'it works for me'.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 24, 2005 18:11 UTC (Thu) by chloe_zen (subscriber, #8258) [Link]

If you're interested in the "daily run" sort of checkup, the Debian "logcheck" and "tiger" packages offer lots of info mailed to you on whatever schedule you prefer.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 25, 2005 1:17 UTC (Fri) by planet12 (guest, #4199) [Link]

> This is in sharp contrast with FreeBSD where only the base system, often referred to as kernel and userland, is kept in a constant state (with the only exception being security updates), while the included applications, or ports in FreeBSD's language, are continuously updated. This being so, a system administrator can choose to keep upgrading all important ports to their current stable versions and take advantage of any new features in them. This is a very pleasant aspect of FreeBSD - instead of an endless wait one might endure before a new stable Debian release, the administrator running FreeBSD can upgrade all installed ports to their latest versions at any time, independently on the base system.

This "pleasant" aspect of FreeBSD had a dark side, especially when it comes to security updates. There are no security branches for the ports tree, and I don't normally want a new version of insert-whatever-here, that may or may not break itself and other things upon installation. I just want a version without the vulnerability... and I'd rather spend three minutes with apt-get than two hours babysitting portupgrade.

The QA on many ports is, to be frank, utter crap. Having to restore your carefully crafted configuration file from a backup, because the port decided to delete or replace it, is not that uncommon. The FreeBSD ports system has given me more grief than Debian unstable ever has.

What I'd love to see: FreeBSD with much of Debian infrastructure, ie. dpkg, apt-get etc. Now that would be a butt-kicking combination.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 26, 2005 0:02 UTC (Sat) by ballombe (subscriber, #9523) [Link]

>What I'd love to see: FreeBSD with much of Debian infrastructure, ie. dpkg, apt-get etc. Now that would be a butt-kicking combination.

That exists, this is Debian GNU/kfreebsd http://www.debian.org/ports/kfreebsd-gnu/

and there is even at least one user according to http://popcon.debian.org

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Feb 25, 2005 4:24 UTC (Fri) by komarek (guest, #7295) [Link]

"Although very good and highly up-to-date, Backports.org is a third-party repository"

As I understand it, FreeBSD ports are also 3rd party, yes? And that is why they are in flux, relative to the base system? So the "sharp contrast" doesn't seem particularly sharp, or even in contrast. If you want recent stuff from either one, you leave the core system. Except that the core in Debian is enormous and old, and the core in FreeBSD is minuscule and as old as a Fedora release (with its large core) (not that I want to endorse Fedora here).

-Paul Komarek

kernel securelevels

Posted Feb 25, 2005 17:16 UTC (Fri) by ecashin (guest, #12040) [Link]

I've always considered the kernel securelevels
feature of FreeBSD to be the most significant
difference between, e.g., debian and FreeBSD
for a host like a web server.

By going into a higher securelevel, it's possible
to make files truly immutable. That is, no user,
not even root, can modify files that have the
immutable flag set. And the immutable flag can't
be unset. That means you can set up the server
such that trojaning its system programs (like login
and ls) becomes impossible.

Linux has some features aimed at providing this
level of security, but I've been waiting for
them to come together in a usable way for a while.

kernel securelevels

Posted Feb 25, 2005 22:43 UTC (Fri) by tzafrir (subscriber, #11501) [Link]

but every security update requires a reboot.

There are too many places you need to make immutable to prevent trojaning. Including a host of directories in which you can drop hook scripts for various packages. On the next reboot your system will be trojaned.

Just one more uninformed reviewer

Posted Mar 3, 2005 16:14 UTC (Thu) by leandro (guest, #1460) [Link]

Great concepts suffer from being out of line with what people have grown used to expect, and Debian is no exception.

First, if one wants to compare Debian to BSD on being up-to-date, the baseline should be not stable but testing.

Second, the article completely ignores the most beneficial aspect of Debian, its policies and their effect in systems administration, including reliability and security. Make that third too, it's really important.

Fourth, most obviously any such comparison should start not with packaging and policies but with the OS itself, that is, the kernel, C libraries and basic utilities. Pretty much everything else comes from the same sources, but there are important points to compare -- like Linux running on pretty much anything, having more flexible and functional utilities and experimenting more, while FreeBSD is leaner and arguably having some advantages for databases.

Just one more uninformed reviewer

Posted Apr 14, 2005 10:33 UTC (Thu) by vinci (guest, #13772) [Link]

> Second, the article completely ignores the most beneficial aspect of Debian,
> its policies and their effect in systems administration, including
> reliability and security. Make that third too, it's really important.

I don't think Debian is more secure than other Linuxes. The thing is, that old software tends to have more known security leaks. Often brand new, rewritten code changes some architectural weaknesses of a program.

Fedora at some point drops support for old releases (that are younger than the newest Debian release). The support is then made by the Fedora Legacy project. Debian also should concentrate on packaging new software and making a good distribution. You will always have bugs. Older distributions are not necessarily more secure. People think that and tend to leave their server alone. But that's not a good idea, either.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Mar 3, 2005 22:20 UTC (Thu) by penguinista (guest, #308) [Link]

I don't find these comparisons particularly useful. After having worked with solaris, then linux, then freebsd over the years it basically comes down to following some best practices for each platform. It really doesn't matter much to me what OS I work with, especially for web hosting. Interestingly enough, I am about to go full circle and look forward to hosting a dedicated box on solaris 10.

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Mar 4, 2005 13:10 UTC (Fri) by l2fl2f (guest, #28230) [Link]

Hello,

Good job, The linux guys are not happy, read the post :)). I switched from Linux to FreeBSD few months ago and I am happy with what I get: 30 minutes to compile a new kernel, 45 minutes installation process, binary packages or ports compilation (www.freshports.org), a (real) unix kernel, good memory usage and a rock solid OS. Anyway, I use FreeBSD because I love it and it did and do the job for me (be honest and try FreeBSD).

Debian vs. FreeBSD as a Web Serving Platform, Part 1

Posted Apr 21, 2005 11:29 UTC (Thu) by Seegras (guest, #20463) [Link]

I'm a Sysadmin for about 30 servers; all running Debian stable or testing (actually, we upgraded when it seemed that this testing would very soon get stable.. That was a few months ago). And I'm lazy. And there's nothing better for lazy sysadmins than Debian. What I miss most are the BSD Jails, but considering the accessory amount of work with *BSD, I happily run Debian.

But BSD is certainly worth some consideration if you're only running one or a few servers.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds