Gentoo Forums
Gentoo is not ready for servers - So let's fix it

thedistance
n00b

Joined: 02 Jan 2003
Posts: 7

Posted: Tue Aug 12, 2003 3:13 pm    Post subject: Gentoo is not ready for servers - So let's fix it

Ok... before you flame please read on. First of all I love Gentoo... I've been using it since 1.2 was first released. After running Gentoo on 30+ servers I have to say that I don't think it's ready for servers for three reasons.

1. Portage is too bleeding edge and breaks too often (once a year per server is too often).

2. In my experience most administrators are not knowledgeable enough to use an OS that is shrink wrapped and dummy proof.

3. Because of the compile everything nature of Gentoo it will never be certified for use with most commercial software like Oracle since there are no milestone releases that they can test. Yes I know 1.4 is a milestone, but one of the first things that gets done is portage gets synced which totally changes the packages that will be installed.

I suggest three things

1. A separate "Stable branch" be created for portage. This branch would have a portage snapshot for each major release and only get updates for packages that have vulnerabilities.

2. Standardized config files like Red Hat. Red Hat has prebuilt config files that give you basic functionality for your sendmail, apache, etc... server. Since Red Hat is the most widely distributed Linux server OS, creating an ebuild with similar config files would ease the transition for system administrators.

3. Build quickstart scripts for building servers. Basically a script for partitioning and installing the base packages for the type of server you are deploying. If you have 20 webservers to build doing them by hand would be a pain the Gentoo way.

Oh and for all of the "system administrators" that only administer their home machines and home servers please understand there is a different requirement in an enterprise environment.

---- Stability ---- Stability ---- Stability ----

Ok... flame on.

carbon
Guru

Joined: 27 Jun 2003
Posts: 455
Location: New York

Posted: Tue Aug 12, 2003 3:18 pm

did you actually run a gentoo server and experience problems?
coz i have mine running for a couple months, no problem has been found yet.
_________________
I do what I want, and that's what I do.
GNU World Domination

Carbon

thedistance
n00b

Joined: 02 Jan 2003
Posts: 7

Posted: Tue Aug 12, 2003 3:28 pm

For one instance if you don't update the actual portage package itself on a regular basis and try and update another package after a several month lag packages will sometimes break. So to get back in the clear you have to update the portage package, sync with the tree, and then try and update the original package you were trying to install/update. This scenario in an enterprise environment where most people are used to a tried and true stable release and minimal updates for key packages on that release can create a few problems. This is really true if you are trying to keep 100+ webservers identical to one another.

Moled
l33t

Joined: 09 Jul 2003
Posts: 635

Posted: Tue Aug 12, 2003 3:50 pm

well if you have 100 servers, they can all use the same portage dir, mounted via nfs, you cron an emerge sync, and emerge -u world every so often
you use distcc on all of them to build binaries on one of them (set portage to be nice so normal operations can continue), and these binaries can be copied automatically to all 100 easily


there is a stable branch, that is "x86" etc

the unstable one being "~x86"

I've never had any stability issues

thedistance
n00b

Joined: 02 Jan 2003
Posts: 7

Posted: Tue Aug 12, 2003 4:03 pm

While keeping your machine up to date with all of the latest packages using the good ole emerge -u world is fine for a small shop, I don't think that it is in an enterprise environment where the rule of thumb is don't fix it unless it's broke. Following this rule you don't change things unless there is a security vulnerability or there is a bug fix. The problem is that using emerge -u is similar to going from Redhat 8 to Redhat 9. That just isn't something that is done "every so often" in a large enterprise.

I understand that there is a "x86" and "~x86" branch, but really they could be called "cutting edge" and "bleeding edge", neither of which sit well in an enterprise.

stonent
Veteran

Joined: 07 Aug 2003
Posts: 1139
Location: Texas

Posted: Tue Aug 12, 2003 4:08 pm

I think you missed the point. He said he runs 30+ Gentoo servers.
Many companies lock things at certain release levels. The last place I worked, all of the Linux systems ran RH 6.2. Even though there was newer stuff, they had written their software and compiled it against a tested OS. We even ran into some problems where newer hardware wasn't yet supported so we had to make a few hardware changes. (Replacing Intel Pro/100M cards with 3Com 3c905C cards)

A lot of companies still use NT 4 because it works fine. You can run a pretty fast server off of a first generation Pentium II with NT4. So I agree that there should be "break points" every so many months with minor version number. Or perhaps by quarter. 1.4Q1, 1.4Q2, etc.

carbon wrote:
did you actually run a gentoo server and experience problems?
coz i have mine running for a couple months, no problem has been found yet.

nbensa
l33t

Joined: 10 Jul 2002
Posts: 799
Location: Buenos Aires, Argentina

Posted: Tue Aug 12, 2003 4:09 pm

thedistance wrote:
While keeping your machine up to date with all of the latest packages using the good ole emerge -u world is fine for a small shop, I don't think that it is in an enterprise environment where the rule of thumb is don't fix it unless it's broke.


I don't see Daniel pointing to you with a gun and saying "HEY!!!!! Run emerge -u world NOW!!"

carbon
Guru

Joined: 27 Jun 2003
Posts: 455
Location: New York

Posted: Tue Aug 12, 2003 4:42 pm

thedistance wrote:
For one instance if you don't update the actual portage package itself on a regular basis and try and update another package after a several month lag packages will sometimes break. So to get back in the clear you have to update the portage package, sync with the tree, and then try and update the original package you were trying to install/update. This scenario in an enterprise environment where most people are used to a tried and true stable release and minimal updates for key packages on that release can create a few problems. This is really true if you are trying to keep 100+ webservers identical to one another.


why do you have to do emerge -u world when you are happy with your current system? of coz you would wanna do an emerge -u certain package if a security hole is found on that one.
_________________
I do what I want, and that's what I do.
GNU World Domination

Carbon

Beekster
Apprentice

Joined: 26 Nov 2002
Posts: 268
Location: Sydney

Posted: Tue Aug 12, 2003 5:20 pm

Another perspective, with a 30+ server environment, you should have enough resources for a small test environment, (even using older decommissioned hardware) where any change can be tested prior to going live. Extra work, perhaps, but it covers YOUR ass if something in a live environment breaks when you can say I fully tested the change successfully.

It can involve taking snapshots of the portage tree (which I have seen mentioned in another thread here) which then become your own, private "release points".

Just my .02

sKewlBoy
Guru

Joined: 03 Nov 2002
Posts: 406
Location: Portugal

Posted: Tue Aug 12, 2003 6:06 pm

You don't need to update world. Just keep checking these forums' main page and at the top you get to know the packages with security holes. Then emerge sync and update that package.
Making a perl script (or even a shell script) to check those security news wouldn't be hard and you could then set it up in cron and set it to send a mail or SMS when a new item was added...
I'm willing to help you with that, if you need (which I doubt since you seem to know it better than me :oops: ), just don't say gentoo is not ready for servers. You're the one who isn't ready for running gentoo on your servers...

thedistance
n00b

Joined: 02 Jan 2003
Posts: 7

Posted: Tue Aug 12, 2003 7:04 pm

well just to clarify... I believe Gentoo is ready for servers... I just don't think most admins are ready for Gentoo...

I guess I should have said "Most linux admins aren't ready for Gentoo... what can we do to make Gentoo more lazy admin friendly"

From what I've seen not only at where I work, but at other places as well, a lot of the unix admins are old school big iron guys and are used to very few changes. This coupled with the fact that Oracle and other commercial software makers won't consider certifying Gentoo since there really isn't a snapshot release as there is in the binary distros really hampers getting Gentoo into the enterprises. I would really like to see Gentoo used more widely, but I think that these hurdles will keep it from becoming anything more than a desktop/hobbyist distro.

carbon
Guru

Joined: 27 Jun 2003
Posts: 455
Location: New York

Posted: Tue Aug 12, 2003 7:06 pm

the main thing that makes gentoo different from others is the portage tree that gentoo has.

emerge -u blah = install the latest rpm in redhat.

i can't see why it is so hard.
_________________
I do what I want, and that's what I do.
GNU World Domination

Carbon

mmealman
Guru

Joined: 02 Nov 2002
Posts: 348
Location: Florida

Posted: Tue Aug 12, 2003 7:47 pm

I think he's talking more about a rock solid base level that admins who want to keep their systems up to a reasonable date could use to keep their systems recent.

Sort of like a Debian stable, which x86 isn't.

If all your servers are running 1.2 and 1.4 gets released, you'll want to upgrade to 1.4. But an emerge -u world isn't just 1.4, it's actually more recent, current up to that day.

What might be interesting would be to have "certified" Gentoo release cycles. Admins could then run a certified Gentoo 1.4 that's not as recent as x86, but is well known to be stable, tested and safe to upgrade to from the previously certified version (maybe 1.2).

Security fixes could be thrown into mini updates so every now and then you'd see things like 1.4.1-cert, 1.4.2-cert, which would just be 1.4-cert with security fixes thrown into the loop.

I'm starting to use Gentoo on servers and don't really need the above, as I used Debian unstable/testing in production for 5 years with no issues, but I can understand how many admins would feel more comfortable with a more stable release cycle. And using the word certified would make the PHB's feel all warm and fuzzy.

thedistance
n00b

Joined: 02 Jan 2003
Posts: 7

Posted: Tue Aug 12, 2003 8:20 pm

mmealman --- exactly.

I believe this is exactly what RedHat is doing and it seems to be working for them. Even with the crappy RPM package management system.

If you look around you see IBM, Sun, HP, Novell, etc... all jumping on the linux bandwagon which will / is driving commercial software development companies to start to develop for the linux platform. The only problem is that if you want a commercial software company (i.e. Oracle) to certify their software for your distro it can't be a piecemeal of varying different versions of 100+ different applications. There has to be some "base-system" for them to certify.

sKewlBoy
Guru

Joined: 03 Nov 2002
Posts: 406
Location: Portugal

Posted: Tue Aug 12, 2003 8:25 pm

if you are running 1.2, an emerge sync && emerge -u world will get you to 1.4 ...

and I don't think Gentoo should be more admin-friendly, admins should be more gentoo-alike-distros-friendly.
Getting distros admin-friendly makes admins lazy, and lazy admins make a lot of faults. Just look at all the bunch of RedCrap servers around there. Of course there are admins that do secure quite well a RH box (I couldn't, I must say), but those are the admins that when they try Gentoo, won't be burning any other .iso , because those are the working admins.
Most of the security problems (I'd say 99,99999999%) are caused by sysadmins' faults and lack of staying up to date!

I guess I'm getting a bit offtopic, but you've touched THAT point... That's the thing I think we should fight *against*. Everyone has his job. The sysadmin's one is to keep a system stable and up to date about security flaws and updating the needed packages. No more. But no less.

This is just MHO, of course...


Last edited by sKewlBoy on Tue Aug 12, 2003 8:36 pm; edited 1 time in total

aethyr
Veteran

Joined: 06 Apr 2003
Posts: 1085
Location: NYC

Posted: Tue Aug 12, 2003 8:26 pm

I think it says something when Red Hat decides to stop backporting patches to their user-level product [1], and instead put it on a release cycle that's more in line with gentoo-stable.

Maybe they realized it's simply not profitable to provide their non-enterprise customers with that level of support.

It's a bit much to ask of the gentoo developers to spend hours and hours keeping a stable, up-to-date security-wise tree, just so you can feel comfortable running gentoo for free on 100 servers.

If you really need that level of support, buy Red Hat Enterprise, or try a different distribution.

Sorry, I just don't see the point in this never-ending desire for gentoo to be a one-size-fits-all distribution. Especially since in this case it would require more work to keep a totally "frozen", yet secure release, than to just move forward keep things flowing back and forth between gentoo and upstream developers (which is what Red Hat have switched over to doing).

[1] http://rhl.redhat.com/

chidrob
n00b

Joined: 07 Aug 2002
Posts: 17

Posted: Tue Aug 12, 2003 8:50 pm

I want to support the concerns expressed by thedistance.

It is very different to customize a machine for your own use (or your parents, friends, ...) or a server: the latter is making money, for your own, your clients, etc. Remember, every problem your machines have is money that you or your employer lose.

I am a happy Gentoo user, enjoying my two home/desktop PCs a lot. But professional services are "another thing".

As an example taken from where I work, every (and I'm saying ALL) changes are: first proposed, then approved, then prepared and finally tested.

After that, we go to a meeting where the proposed change is explained again. With a little luck, we have an estimated date to start to propagate the change. We propagate the change one by one, usually every week.

I understand it is an extreme situation, but a lot can be done to export the Gentoo and portage concepts to some new worlds.

It works for me, don't do an emerge -up world, enter a mask, look at the forums, are not valid answers in these contexts.

Of course you can put Gentoo on a server. The question is: can Gentoo be between the best tools to do it?

Excuse my poor English, I'm Spanish.

wmgoree
Apprentice

Joined: 08 Aug 2003
Posts: 246
Location: Alexandria, VA

Posted: Tue Aug 12, 2003 9:24 pm    Post subject: Re: Gentoo is not ready for servers - So let's fix it

thedistance wrote:
1. A separate "Stable branch" be created for portage. This branch would have a portage snapshot for each major release and only get updates for packages that have vulnerabilities.


Already exists. It's called Debian :wink:
_________________
vi? *snicker* it doesn't even include a mail reader...

stonent
Veteran

Joined: 07 Aug 2003
Posts: 1139
Location: Texas

Posted: Tue Aug 12, 2003 9:48 pm

Yeah, but it's not gentoo :)
_________________
Inspiron 4100 & Sun UltraAXe
Portage on Solaris|Dell Laptop Hacks
The way you feel about organized religion is the same way I feel about organized socialism.

mmealman
Guru

Joined: 02 Nov 2002
Posts: 348
Location: Florida

Posted: Tue Aug 12, 2003 10:37 pm

sKewlBoy wrote:

and I don't think Gentoo should be more admin-friendly, admins should be more gentoo-alike-distros-friendly.
Getting distros admin-friendly makes admins lazy, and lazy admins make a lot of faults.


Making a dist easy to admin doesn't make admins lazy or make the dist any less secure. Debian stable with apt pointed to security is the easiest thing on the planet to admin and I'd hardly call Debian admins lazy or say the distribution lacks security.

Thedistance's point about commercial product support is also valid. You'll never see Oracle, IBM, or anyone officially support any of their products on Gentoo without some sort of stable target to aim at. It would be impossible, because there would be no way for them to know what libs you're running or to test it out properly.

No one wants to see a forever-and-a-day Debian frozen process that takes 1,000 devs 80 man years to complete, but maybe some sort of forked branch or mirror that's basically a snapshot of a particular x86 cycle would do the trick.

Like say when 1.4 final came out they could snapshot it and create a 1.4-cert portage tree. RC it for a month, pop in minor fixes as people find compile bugs or conflicts, then finalize it. You leave it alone except for security updates.

Then when 1.6 hits the press you do the same for it.

The point is that admins and companies could point at the 1.4-cert and say "Hey, that's stable, a lot of people have been using that exact same version of Gentoo packages, apps, kernel, and so on without issues. We can run that without worrying about something weird breaking."

It'd give them peace of mind and I don't think it has to impact Gentoo's normal release cycle or take a lot of upkeep energy.

stonent
Veteran

Joined: 07 Aug 2003
Posts: 1139
Location: Texas

Posted: Tue Aug 12, 2003 11:06 pm

Redhat's subscription service, which is actually pretty cheap, lets you manage your packages from their website. You can choose packages to update based on e-mail updates, or choose to make it automatic. Their demo service is free but you have to verify your account every few months.

My server packages on my redhat system are all current with the latest bugfixes.
_________________
Inspiron 4100 & Sun UltraAXe
Portage on Solaris|Dell Laptop Hacks
The way you feel about organized religion is the same way I feel about organized socialism.

hughesjr
n00b

Joined: 10 Aug 2003
Posts: 51

Posted: Tue Aug 12, 2003 11:33 pm

sKewlBoy wrote:
if you are running 1.2, an emerge sync && emerge -u world will get you to 1.4 ...


What the distance is saying is ......

That is not 1.4 ... it is today's packages ... for today ...

If I upgraded a server with the same command tomorrow ... 6 packages could be a different version on server 2 ....

a day later I do a third server ... and it has 3 packages different from server 2 and the 6 are also different from server 1....

A stable branch, that only gets security updates ... and stays gcc / glib / etc compatible would be a good idea ... if you wanted to be in the server market....
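
The drift described in the post above (three servers upgraded on three different days ending up with different package versions), as an added example that is not part of the original thread: a Python script that compares per-host package lists against a pinned release point and against each other, letting only signed-off security updates deviate. The host names, versions and approved-update list are constructed sample data, and the input format (one category/name-version atom per line) is an assumption.

```python
import re
from collections import defaultdict

# category/name-version with optional -rN revision, e.g. net-www/apache-1.3.27-r3
ATOM = re.compile(r"^(?P<name>[\w+./-]+?)-(?P<ver>\d[\w.]*(?:-r\d+)?)$")

def parse_inventory(text):
    """Parse whitespace-separated package atoms into {category/name: version}."""
    pkgs = {}
    for atom in text.split():
        m = ATOM.match(atom)
        if not m:
            raise ValueError(f"unparseable package atom: {atom!r}")
        pkgs[m["name"]] = m["ver"]
    return pkgs

def drift_from_release_point(baseline, hosts, approved=None):
    """Per host, list (package, pinned, installed) for every deviation that is
    not an approved security update. Missing/extra packages appear as None."""
    approved = approved or {}
    report = {}
    for host, inv in sorted(hosts.items()):
        findings = []
        for name in sorted(set(baseline) | set(inv)):
            want, have = baseline.get(name), inv.get(name)
            if have == want:
                continue
            if have is not None and have in approved.get(name, ()):
                continue
            findings.append((name, want, have))
        report[host] = findings
    return report

def fleet_split(hosts):
    """Packages present in more than one version across the fleet,
    as {package: {version: [hosts]}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for host, inv in sorted(hosts.items()):
        for name, ver in inv.items():
            seen[name][ver].append(host)
    return {n: dict(v) for n, v in seen.items() if len(v) > 1}

# Constructed sample data: a pinned release point and three web servers
# upgraded on different days. Versions are illustrative only.
RELEASE_POINT = parse_inventory("""
    sys-libs/glibc-2.3.2-r1
    sys-devel/gcc-3.2.3-r1
    dev-libs/openssl-0.9.6j
    net-www/apache-1.3.27-r3
""")
HOSTS = {
    "web1": dict(RELEASE_POINT),
    "web2": {**RELEASE_POINT, "net-www/apache": "1.3.28"},
    "web3": {**RELEASE_POINT, "net-www/apache": "1.3.28",
             "dev-libs/openssl": "0.9.7b", "sys-libs/glibc": "2.3.2-r3"},
}
# Constructed: the only update signed off as a security fix.
APPROVED = {"net-www/apache": {"1.3.28"}}

if __name__ == "__main__":
    report = drift_from_release_point(RELEASE_POINT, HOSTS, APPROVED)
    for host, findings in report.items():
        print(host, findings or "matches release point")
    for name, versions in sorted(fleet_split(HOSTS).items()):
        print(name, versions)
```
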

PowerFactor
Veteran

Joined: 30 Jan 2003
Posts: 1692
Location: out of it

Posted: Wed Aug 13, 2003 12:14 am

Do we really need yet another gentoo server thread?

http://forums.gentoo.org/viewtopic.php?t=56321

Search and you can find several more.

ebrostig
Bodhisattva

Joined: 20 Jul 2002
Posts: 3152
Location: Orlando, Fl

Posted: Wed Aug 13, 2003 1:04 am

Indeed, let's try to keep related topics into one single thread as it is easier to find the info you are looking for.

Moving this thread to Duplicates from Installing Gentoo (which was an incorrect forum anyway :) )

Erik
_________________
'Yes, Firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'

All times are GMT