Gentoo Forums
Gentoo Forums Forum Index -> Networking & Security
Gentoo on a production box?
idoru
Posted: Wed Feb 19, 2003 10:17 pm    Post subject: Gentoo on a production box?

Hello,
I'd like to ask if it is a good idea to put Gentoo on a production server.
I'm using Slackware (over a year on a server) and Gentoo (6 months on my workstation) - now I'm building a new box to replace my old one and I'm wondering what distro to install...
Is anybody here using Gentoo on a heavily loaded web/database server? Is it stable/secure enough? (By "secure" I mean things in portage - of course, I'll make my own fw/grsec+tweaked kernel/chroot/etc setup.)

The main disadvantages I see are:
slackware: new release = old release is discontinued - can be dangerous to install new packages
gentoo: any bug in portage can destroy the installation - it already happened on my workstation
Forse
Posted: Wed Feb 19, 2003 10:32 pm    Post subject: Dunno

Well I dunno... I am running Gentoo on my server (Apache2/MySQL/ProFTPD/IRCd) and I have no problems. I guess it all depends on how secure you need your server to be 8) With a heavily loaded server, compiling might be a problem. If you compile something like MySQL it might slow down your system a LOT (I can tell from my own experience :cry: )

Give it a try...(In your place I would consider sticking with slackware)
Hellfire
Posted: Wed Feb 19, 2003 10:48 pm

I use gentoo in about 6 "production" servers from mySQL to BIND, I'm absolutely confident in them. Although the first 2 (BIND) are going to get rebuilt shortly with the 1.4_rc2 iso, I don't fancy the gcc conversion on a live box.

On a production server you would never just merge/update files without explicitly knowing what they're going to do, so the recent Portage problem would be irrelevant. Compile time will cut into a server's capability, but if it hurts performance *that* much you probably need a slightly bigger box.

In general I don't favor binary packages for any production server; it's just too hard to know beyond a shadow of a doubt how it is being built/installed. Whereas a quick check of the .ebuild or even your own homegrown overlay gives you precise control over what you get.

Go with your gut, but for my .02 you can't go wrong with Gentoo.

-h


Last edited by Hellfire on Wed Feb 19, 2003 10:51 pm; edited 1 time in total
pjp (Administrator)
Posted: Wed Feb 19, 2003 10:48 pm

The power of Gentoo also allows you to hang yourself. You should emerge nothing on a critical system without testing it first.
kashani
Posted: Wed Feb 19, 2003 10:59 pm    Post subject: Re: Gentoo on a production box?

idoru wrote:

The main disadvantages I see are:
slackware: new release = old release is discontinued - can be dangerous to install new packages
gentoo: any bug in portage can destroy the installation - it already happened on my workstation


Gentoo gives you the power to change more often, so people do. Often there are stiff lessons to learn when you've gotten used to running Gentoo as a workstation. It all comes down to test environment... with any distro. Make sure your stuff works and then never touch it unless it's a bug fix, and then only after you've done the same on your test environment. I've got a small shop setup on four v1.2 boxes and other than a few packages I don't really mess with it.

kashani
keifir
Posted: Thu Feb 20, 2003 12:13 am

r u guys actually putting the gcc on your production boxen?

that's kinda risky from the security point of view in itself; if broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server meself :oops:).

I just thought I'd mention this, and I'm actually curious what u think of it.

keifir
Forse
Posted: Thu Feb 20, 2003 1:14 am

keifir wrote:
r u guys actually putting the gcc on your production boxen?

that's kinda risky from the security point of view in itself; if broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server meself :oops:).

I just thought I'd mention this, and I'm actually curious what u think of it.

keifir


Well if you don't put gcc on the box, users could still upload their own compiled programs or install gcc in their home dir. If gcc is needed on the server box I would set permissions so that only root can access gcc. Having gcc on the box isn't a real problem. :twisted:
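One way to apply the suggestion above (keep the compiler usable only by root, or root plus one group) and to check that it stayed that way, as an added example that is not code from the thread or from Gentoo: the function names `audit_toolchain` and `restrict_toolchain`, the `TOOLS` list, the group name `compilers` and the constructed temporary directory of fake compilers are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): restrict compiler binaries so that only
# root (and optionally one group) can execute them, then audit the result.
# Assumed names: TOOLS, audit_toolchain, restrict_toolchain, group "compilers".
set -u

TOOLS="gcc cc g++ c++ cpp as ld"

# audit_toolchain DIR: return 0 if no compiler in DIR is executable by "others",
# 1 otherwise, printing each offender.
audit_toolchain() {
    dir=$1; bad=0
    for t in $TOOLS; do
        f="$dir/$t"
        [ -f "$f" ] || continue
        # -perm -001: the "execute by others" bit is set
        if find "$f" -perm -001 | grep -q .; then
            printf 'world-executable: %s\n' "$f"
            bad=1
        fi
    done
    return $bad
}

# restrict_toolchain DIR [GROUP]: strip all "other" permissions (mode 0750).
# If GROUP is given and we run as root, hand the binaries to root:GROUP so
# that members of GROUP keep access. Safe to run repeatedly.
restrict_toolchain() {
    dir=$1; grp=${2:-}
    for t in $TOOLS; do
        f="$dir/$t"
        [ -f "$f" ] || continue
        if [ -n "$grp" ] && [ "$(id -u)" -eq 0 ]; then
            chown "root:$grp" "$f"    # chown needs root; group name is assumed
        fi
        chmod u=rwx,g=rx,o= "$f"
    done
}

# Constructed demo: fake compilers in a temporary directory, not the real /usr/bin.
demo_dir=$(mktemp -d)
for t in gcc cc as; do
    printf '#!/bin/sh\necho fake %s\n' "$t" > "$demo_dir/$t"
    chmod 755 "$demo_dir/$t"
done
audit_toolchain "$demo_dir" || restrict_toolchain "$demo_dir" compilers
audit_toolchain "$demo_dir" && echo "toolchain in $demo_dir is now root/group-only"
```

On a real box you would point both functions at the directory holding the toolchain and run the audit from cron, since a package update can silently restore mode 0755.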
idoru
Posted: Thu Feb 20, 2003 6:47 am    Post subject: details

ad hardware:

it's
P4 1.8GHz
Asus P4T533-C
4x512MB ECC RDRAM PC800-40
1x Seagate Cheetah 18.4GB / 15K RPM
2x Seagate Barracuda 9GB / 7.2K RPM

and it's replacing some old PII 450 / 512MB RAM...so, for some time, compilations won't be a problem

ad security / gcc etc.
I'm using trusted path execution from grsecurity, so nobody can run their compiled/uploaded binaries.

I'm kinda scared of Gentoo's rc-scripts... I'm used to slackware's (imho the best rc-scripts I have ever seen)... but I'll probably give it a try... yet, I'd have to learn a LOT of new things :)

To replicate my setup on a different distro... ehm... that will be quite fun... 2 apaches (one as a proxy, one as an application server - both chrooted (each in its own dir)), chrooted mysql+innodb with raw data partition, complete ACL via grsecurity... and with WOLK as a kernel... yeah... I will try to call it "fun" :)
Forse
Posted: Thu Feb 20, 2003 9:41 am    Post subject: Secure server

Well your hardware setup sounds ok... By the way, if you like your daemons chrooted to their own dir then give SoL (Server Optimized Linux) a try. It has
Code:
/server

the directory where all the daemons are; for example apache is in dir
Code:
/server/apache

and all the daemons are chrooted to their dir.

SoL's newest release is in beta stage; as a member of the beta team I can say that it looks *VERY* promising. Ok, my idea wasn't to advertise, but give it a try. I recommend waiting for the beta to go stable.


Homepage: www.sol-linux.com
bagu
Posted: Fri Feb 21, 2003 8:59 am    Post subject: GCC on a server.

There is nothing security-wise to object to in having a compiler on your system. Removing everything remotely risky from a server will render it unusable.

Solaris for example does not have a compiler installed by default, but as already pointed out, this offers no added security since attackers upload binaries instead.

Also, my experience is that many attacks can be exploited via shell scripts. Still other security issues appear because of bad configuration and unwise permissions (for example world-writable config files).

Security is a lot like alchemy: you will probably never get it exactly right, but the right ingredients and procedures can get you pretty close.

Hmm.. I'm getting Confucius-like on your ass.. I guess my age is finally showing =)

Regards,
bagu
Dalrain
Posted: Fri Feb 21, 2003 12:45 pm

We've been using Gentoo on one of our production servers at work without problems so far, though the point brought up earlier by kanuslupus about testing is very, very, very true. I'll even take it a step further and say if you need perfect uptime on everything, you might do better with another distro. I love Gentoo and its setup, but it is -far- too easy to break things across upgrades, IMHO. (Though a really experienced admin shouldn't get too tripped up by these; it's your funeral :wink: )

Also, if you're really using it for some power stuff, version incompatibilities might arise with homegrown tools you're working with, making a patched instead of upgraded system more desirable.
Sven Vermeulen (Retired Dev)
Posted: Fri Feb 21, 2003 2:28 pm

We're not using Gentoo on production systems. There are several reasons for that.

One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.

Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).

Third is that Gentoo can't assure secure updating (there have been numerous threads on this subject, so I know this is gonna change :) ) yet.
Sasun
Posted: Sat Feb 22, 2003 10:53 pm

Sven Vermeulen wrote:
We're not using Gentoo on production systems. There are several reasons for that.

One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.

Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).

Third is that Gentoo can't assure secure updating (there have been numerous threads on this subject, so I know this is gonna change :) ) yet.


You are right.

I am using gentoo on a production server, and it is working fine.
But I should have chosen debian.
It takes too much time to maintain and update gentoo.
upnix
Posted: Sun Feb 23, 2003 12:08 am

A problem I have with Gentoo on servers is how security updates are dealt with.

Whenever something has a vulnerability, the solution is to upgrade to the newest version of the said software. For me, this doesn't cut it. Because the software I'm upgrading to will likely come with new functionality, introduce new bugs, and generally not behave in a similar fashion to the old one.

(coming from BSD land) If there's a vulnerability in some software, say OpenSSL, a -patch- should be released fixing the bug in your current version of software. This ensures that all the functionality and behaviour of OpenSSL remains the same so that my once stable box can remain that way.

If I wanted to stir things up even more, I'd mention how I think the reason this isn't done is because the Gentoo "developers" only seem to make ebuilds, and the occasional Python program.