Distributions [LWN.net]

News and Editorials

Debian vs. FreeBSD as a Web Serving Platform, Part 1

February 23, 2005

This article was contributed by Ladislav Bodnar

When it comes to hosting a company or a personal web site, there are more choices than ever. Not only is there a plethora of web hosting providers all lining up for our business, we also have a choice of many excellent operating systems, most of which are free - in both senses of the word. In fact, after having spent some time investigating the possibilities, this author concluded that the majority of hosting companies in operation today seem to have standardized on offering Fedora Core, Debian GNU/Linux and FreeBSD as their preferred operating systems. This is hardly surprising; all three of them are not only free of cost, but also well-established and trusted as web serving platforms. For the purpose of this two-part article we will look and compare the features and security aspects of Debian GNU/Linux with those of FreeBSD, both of which the author had the pleasure to use and administer in recent years.

Despite some crucial differences with respect to their kernels and base system, the two operating systems, as considered from the point of view of included applications, are rather similar. Both Debian and FreeBSD provide the Apache web server, several scripting languages (PHP, Perl, Python, Ruby or any other tool one might employ for the purpose of developing interactive web pages), integration with MySQL and PostgreSQL databases, SSL features and anything else that we've come to expect from a system designed for web serving. All commonly used UNIX tools, such as man pages and shells, are also provided.

But under the surface, there are more profound differences, especially in the design and philosophy of the two operating systems. FreeBSD has a much faster release cycle - production-ready releases are made roughly every 6 months, whereas the Debian developers only make a new stable release "when ready", which can take years. In fact, the current stable release - Debian Woody is now 31 months old. This means that those administrators and web developers who would like to make use of new features in any of the applications they deploy will probably be better off with FreeBSD. As an example, during the time when this author administered a Debian server he found himself in need of upgrading PHP to take advantage of some newly introduced functions, as well as Postfix and SpamAssassin, the new versions of which offered much improved spam-fighting techniques. But with Debian's slow release cycle, the only way to upgrade the above mentioned packages (other than compiling them from source) was to get them from Backports.org. Although very good and highly up-to-date, Backports.org is a third-party repository, not officially sanctioned by the Debian Project and not supported by the Debian Security Team.

This is in sharp contrast with FreeBSD where only the base system, often referred to as kernel and userland, is kept in a constant state (with the only exception being security updates), while the included applications, or ports in FreeBSD's language, are continuously updated. This being so, a system administrator can choose to keep upgrading all important ports to their current stable versions and take advantage of any new features in them. This is a very pleasant aspect of FreeBSD - instead of an endless wait one might endure before a new stable Debian release, the administrator running FreeBSD can upgrade all installed ports to their latest versions at any time, independently on the base system.

While most system administrators would deploy Debian as a binary distribution, i.e. they would install and use its pre-compiled binary packages, FreeBSD's ports are mostly meant to be compiled directly from source on the user's system. As always, the proponents of each approach could engage in endless debates about their respective merits; here we'll just say that both ways of doing things have their advantages and disadvantages. As an example, compiling Apache with a worker.c module (for a busy web server) under FreeBSD is as simple as modifying a parameter in a Makefile, then running "make install". On a Debian system, achieving the same would entail downloading the source code, looking through the source files to find the relevant place, modifying it, then creating a new Debian package with "apt-build" - not a particularly tedious task, but not as elegant as on FreeBSD. On the other hand, compiling ports directly from source code always brings in a risk of a port failing to compile, which can be frustrating.

The ability to upgrade the operating system painlessly to a newer version is one area where Debian enjoys a considerable advantage. Since its early days, Debian has always provided a simple and elegant upgrade path between two stable releases, which is probably a feature that has attracted Debian many supporters. Unfortunately, FreeBSD does not have the same policy. While upgrading FreeBSD to a new minor version (e.g. from 4.10 to 4.11) is relatively easy and mostly trouble-free, the same cannot be said of upgrading between major versions (e.g from 4.10 to 5.3). In fact, the FreeBSD project does not recommend upgrading from 4.x to 5.x at all; not only is this path untested, it would also mean loss of functionality due to incompatible file systems in the two major FreeBSD versions. This could be an important consideration for those users who do not have physical access to the server - while upgrading Debian to a newer version is as simple as executing a couple of commands, with FreeBSD, one would need direct assistance of somebody at the web hosting company.

There is one interesting feature of FreeBSD that does not exist in Debian (at least not in its default configuration) - a set of reports entitled "Daily Run" and a "Security Run", which are emailed to the system administrator on a daily basis. They represent a collection of routine tasks as performed by several cron jobs. The "Daily Run" output provides information about the state of the system, uptime, mail in the mail queue, state of the disk partitions and network interfaces. It also backs up and outputs changes (if any) in the /etc/passwd and /etc/group files. The "Security Run" is even more useful, with information about setuid files and devices, passwordless user accounts, SSH login failures, and refused connections. It even informs the administrator about current vulnerabilities in any of the installed ports (provided that a certain port is installed on the system, but we'll get to that in the second part of this article).

There is perhaps one other FreeBSD advantage worth mentioning - it boots much faster than Debian. True, this is not a terribly exciting characteristic of an operating system that is meant to be running 24 hours a day, but it is still good to know that if the system needs to be rebooted (perhaps after a security-related kernel upgrade), it won't be down for more than a minute on any reasonably recent hardware. Booting Debian takes at least twice as long.

In part 2 of the article, coming up next week, we will compare the ways security updates are handled by the two operating systems, and briefly consider some migration issues.

Comments (21 posted)

Distribution News

Turbolinux releases preview of 64-bit OS

Turbolinux, Inc. has announced the availability of a technical preview version of "Turbolinux 10 for AMD64/EM64T".