idoru (n00b)
Joined: 29 Oct 2002 Posts: 16
Posted: Wed Feb 19, 2003 10:17 pm Post subject: Gentoo on a production box?

Hello,
I'd like to ask if it is a good idea to put Gentoo on a production server.
I'm using Slackware (over a year on a server) and Gentoo (6 months on my workstation) - now I'm building a new box to replace my old one and I'm wondering what distro to install...
Is anybody here using gentoo on a heavily loaded web/database server? Is it stable/secure enough? (by "secure" I mean things in portage - of course, I'll make my own fw/grsec+tweaked kernel/chroot/etc setup)
The main disadvantages I see are:
slackware: new release = old release is discontinued - can be dangerous to install new packages
gentoo: any bug in portage can destroy the installation - it already happened on my workstation

Forse (Apprentice)
Joined: 26 Dec 2002 Posts: 260 Location: /dev/random
Posted: Wed Feb 19, 2003 10:32 pm Post subject: Dunno

Well I dunno...I am running Gentoo on my server (Apache2/MySQL/ProFTPD/IRCd) and I have no problems. I guess it all depends on how secure you need your server to be. With a heavily loaded server, compiling might be a problem. If you compile something like MySQL it might slow down your system a LOT (I can tell from my own experience).
Give it a try...(In your place I would consider sticking with slackware)
_________________
[ My sites ]: UnixTutorials : AniFIND : AnimeYume

Hellfire (n00b)
Joined: 09 May 2002 Posts: 54 Location: Madison, WI
Posted: Wed Feb 19, 2003 10:48 pm

I use gentoo on about 6 "production" servers, from mySQL to BIND, and I'm absolutely confident in them. Although the first 2 (BIND) are going to get rebuilt shortly with the 1.4_rc2 iso, I don't fancy the gcc conversion on a live box.
On a production server you would never just merge/update files without explicitly knowing what they're going to do, so the recent Portage problem would be irrelevant. Compile time will cut into a server's capability, but if it hurts performance *that* much you probably need a little bigger box.
In general I don't favor binary packages for any production server; it's just too hard to know beyond a shadow of a doubt how it is being built/installed. Whereas a quick check of the .ebuild, or even your own homegrown overlay, gives you precise control over what you get.
Go with your gut, but for my .02 you can't go wrong with Gentoo.
-h
Last edited by Hellfire on Wed Feb 19, 2003 10:51 pm; edited 1 time in total

pjp (Administrator)
Joined: 16 Apr 2002 Posts: 20067
Posted: Wed Feb 19, 2003 10:48 pm

The power of Gentoo also allows you to hang yourself. You should emerge nothing on a critical system without testing it first.
_________________
Quis separabit? Quo animo?
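Hellfire's rule that you never merge on a production box without knowing exactly what the merge will do, and pjp's rule that nothing gets emerged on a critical system untested, can be turned into a gate in a deploy script. The following shell script is an added example and is not code from the thread or from Gentoo's Portage: it parses the `[ebuild <flags> ] category/name-version [old-version]` lines that `emerge --pretend --verbose` prints and refuses the plan unless every package whose version would change is on a list of packages already exercised on a staging box. The plan text inside the script is constructed sample output, and the tested-package list is a hypothetical allowlist.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): gate an emerge on a
# production box on a review of its --pretend plan. SAMPLE_PLAN is CONSTRUCTED
# text in the "[ebuild <flags> ] category/name-version [old]" layout that
# `emerge -pv <atoms>` prints; on a live box substitute the real output.

SAMPLE_PLAN='These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.44  +ssl -ldap 0 kB
[ebuild     U ] dev-db/mysql-4.0.12 [4.0.10] +berkdb +innodb 0 kB
[ebuild  N    ] dev-libs/libxml2-2.5.4  -ipv6 0 kB
[ebuild     UD] net-misc/openssh-3.5_p1 [3.6_p1] +pam 0 kB
[ebuild     U ] sys-devel/gcc-3.2.2 [2.95.3] +nls 0 kB

Total size of downloads: 0 kB'

# Hypothetical allowlist: category/name atoms whose new version was already
# exercised on the staging box.
TESTED_ON_STAGING="dev-db/mysql dev-libs/libxml2"

# Turn a plan into one line per package: ACTION category/name-version [old-version].
# ACTION is NEW, REINSTALL, UPGRADE or DOWNGRADE, taken from the flag column
# (N, R, U, D) of each "[ebuild ...]" line; all other lines are ignored.
classify_plan() {
    printf '%s\n' "$1" | awk '
        /^\[ebuild/ {
            i = index($0, "]")
            flags = substr($0, 8, i - 8)          # text between "[ebuild" and "]"
            atom = substr($0, i + 1); sub(/^ +/, "", atom)
            old = ""
            j = index(atom, " [")                 # " [old-version]" follows the atom
            if (j > 0) { k = index(atom, "]"); old = substr(atom, j + 2, k - j - 2) }
            sub(/ .*/, "", atom)                  # keep only category/name-version
            if (flags ~ /D/)      act = "DOWNGRADE"
            else if (flags ~ /U/) act = "UPGRADE"
            else if (flags ~ /N/) act = "NEW"
            else                  act = "REINSTALL"
            if (old != "") print act, atom, old; else print act, atom
        }'
}

# Accept the plan only if every NEW or UPGRADE entry names a package on the
# allowlist ($2, space separated). Downgrades are always refused on a
# production box: they mean the tree moved under you. Prints the offending
# entries and returns 1 on refusal, 0 when the plan may be applied.
review_plan() {
    bad=$(classify_plan "$1" | awk -v allow=" $2 " '
        $1 == "REINSTALL" { next }
        $1 == "DOWNGRADE" { print; next }
        {
            pkg = $2
            sub("-[0-9][^/]*$", "", pkg)          # strip -version => category/name
            if (index(allow, " " pkg " ") == 0) print
        }')
    if [ -n "$bad" ]; then
        printf 'REFUSED, untested changes in plan:\n%s\n' "$bad"
        return 1
    fi
    printf 'OK: every version change is on the tested list\n'
    return 0
}

# Demo on the constructed plan: gcc is not on the list and openssh would be
# downgraded, so the gate refuses and the real emerge would not run.
classify_plan "$SAMPLE_PLAN"
review_plan "$SAMPLE_PLAN" "$TESTED_ON_STAGING" || printf 'emerge not run\n'
```

In a deploy script the real call would be `review_plan "$(emerge -pv "$@")" "$TESTED_ON_STAGING" && emerge "$@"`, so the merge only happens when the reviewed plan matches what was tested; a reinstall of the same version is let through because it changes no code, while a downgrade is refused outright.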

kashani (Advocate)
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Wed Feb 19, 2003 10:59 pm Post subject: Re: Gentoo on a production box?

idoru wrote:
> The main disadvantages I see are:
> slackware: new release = old release is discontinued - can be dangerous to install new packages
> gentoo: any bug in portage can destroy the installation - it already happened on my workstation

Gentoo gives you the power to change more often, so people do. Often there are stiff lessons to learn when you've gotten used to running Gentoo as a workstation. It all comes down to test environment... with any distro. Make sure your stuff works and then never touch it unless it's a bug fix, and then only after you've done the same on your test environment. I've got a small shop setup on four v1.2 boxes and other than a few packages I don't really mess with it.
kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.

keifir (Tux's lil' helper)
Joined: 10 Jun 2002 Posts: 119 Location: Canada
Posted: Thu Feb 20, 2003 12:13 am

Are you guys actually putting gcc on your production boxen?
That's kinda risky from the security point of view in itself; if broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server meself).
I just thought I'd mention this, and I'm actually curious what you think of it.
keifir

Forse (Apprentice)
Joined: 26 Dec 2002 Posts: 260 Location: /dev/random
Posted: Thu Feb 20, 2003 1:14 am

keifir wrote:
> Are you guys actually putting gcc on your production boxen?
> That's kinda risky from the security point of view in itself; if broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server meself).
> I just thought I'd mention this, and I'm actually curious what you think of it.
> keifir

Well, if you don't put gcc on the box, users could still upload their own compiled programs or install gcc in their home dir. If gcc is needed on the server box I would set permissions so that only root can access gcc. Having gcc on the box isn't a real problem.
_________________
[ My sites ]: UnixTutorials : AniFIND : AnimeYume

idoru (n00b)
Joined: 29 Oct 2002 Posts: 16
Posted: Thu Feb 20, 2003 6:47 am Post subject: details

ad hardware:
it's
P4 1.8GHz
Asus P4T533-C
4x512MB ECC RDRAM PC800-40
1x Seagate Cheetah 18.4GB / 15K RPM
2x Seagate Barracuda 9GB / 7.2K RPM
and it's replacing some old PII 450 / 512MB RAM...so, for some time, compilations won't be a problem
ad security / gcc etc.
I'm using trusted path execution from grsecurity, so nobody can run their compiled/uploaded binaries
.............
I'm kinda scared of Gentoo's rc-scripts...I'm used to slackware's (imho the best rc-scripts I have ever seen)...but I'll probably give it a try...yet, I'd have to learn a LOT of new things :)
To replicate my setup on a different distro...ehm...that will be quite fun...2 apaches (one as a proxy, one as an application server - both chrooted (each in its own dir)), chrooted mysql+innodb with raw data partition, complete ACL via grsecurity...and with WOLK as a kernel...yeah...I will try to call it "fun" :)

Forse (Apprentice)
Joined: 26 Dec 2002 Posts: 260 Location: /dev/random
Posted: Thu Feb 20, 2003 9:41 am Post subject: Secure server

Well, your hardware setup sounds ok...By the way, if you like your daemons chrooted to their own dir then give SoL (Server Optimized Linux) a try. It has
a directory where all the daemons are, like apache is in dir
and all the daemons are chrooted to their dir.
SoL's newest release is in beta stage; as a member of the beta team I can say that it looks *VERY* promising. Ok, my idea wasn't to advertise, but give it a try. I recommend waiting for the beta to go stable.
Homepage: www.sol-linux.com
_________________
[ My sites ]: UnixTutorials : AniFIND : AnimeYume

bagu (n00b)
Joined: 25 Jun 2002 Posts: 24
Posted: Fri Feb 21, 2003 8:59 am Post subject: GCC on a server.

There is nothing, security-wise, to object to in having a compiler on your system. Removing everything remotely risky from a server will render it unusable.
Solaris, for example, does not have a compiler installed by default, but as already pointed out, this offers no added security since attackers upload binaries instead.
Also, my experience is that many attacks can be exploited via shell scripts. Still other security issues appear because of bad configuration and unwise permissions (for example world-writable config files).
Security is a lot like alchemy: you will probably never get it exactly right, but the right ingredients and procedures can get you pretty close..
Hmm.. I'm getting Kunfucius-like on your ass.. I guess my age is finally showing =)
Regards,
bagu
_________________
"That's right," he said. "We're philosophers. We think, therefore we am."
-- (Terry Pratchett, Small Gods)
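Forse's suggestion earlier in the thread (set permissions so that only root can run gcc) and bagu's remark about world-writable config files both come down to a permission audit that can be run before a box goes live. The following shell script is an added example, not code from the thread or from any of the distributions it mentions: it builds a constructed scratch tree under `mktemp -d` so that it runs anywhere, then uses `find -perm` to list world-writable files and to flag compiler front ends that anyone on the box may execute. The file names and modes in the scratch tree are sample data; the hypothetical target policy is mode 0750 owned by root and an admin group.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two permission problems the
# thread names, a compiler anyone can run and world-writable config files.
# build_sample_tree creates a CONSTRUCTED scratch tree; on a live box call
# find_world_writable / and check_compiler_perms /usr instead.

# Create the sample tree and print its path. Modes are deliberately mixed.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc"
    : > "$root/bin/gcc";        chmod 0755 "$root/bin/gcc"        # loose: anyone may run it
    : > "$root/bin/cc";         chmod 0750 "$root/bin/cc"         # restricted to owner/group
    : > "$root/etc/httpd.conf"; chmod 0666 "$root/etc/httpd.conf" # world-writable: bad
    : > "$root/etc/my.cnf";     chmod 0644 "$root/etc/my.cnf"     # readable, not writable
    printf '%s\n' "$root"
}

# List regular files under $1 whose "other" write bit is set, one per line.
# -perm -0002 matches when that single bit is set regardless of the rest.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Report compiler front ends under $1/bin that "other" can read, write or
# execute. Returns 1 if any were found, 0 if all are 0750 or stricter.
check_compiler_perms() {
    rc=0
    for f in "$1"/bin/gcc "$1"/bin/cc "$1"/bin/g++; do
        [ -e "$f" ] || continue
        loose=$(find "$f" \( -perm -0001 -o -perm -0002 -o -perm -0004 \) -print)
        if [ -n "$loose" ]; then
            printf 'LOOSE %s (world-accessible; expected 0750 root:<admin group> or stricter)\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed tree.
demo_root=$(build_sample_tree)
printf 'world-writable files:\n%s\n' "$(find_world_writable "$demo_root")"
check_compiler_perms "$demo_root" || printf 'compiler permissions need tightening\n'
rm -rf "$demo_root"
```

Restricting gcc this way only limits who can invoke the system compiler; as Forse and bagu note, it does nothing against a binary uploaded from elsewhere, so it belongs alongside the trusted-path-execution or mount-option controls discussed above rather than in place of them.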

Dalrain (Tux's lil' helper)
Joined: 02 Jul 2002 Posts: 136 Location: Wooster, OH USA
Posted: Fri Feb 21, 2003 12:45 pm

We've been using Gentoo on one of our production servers at work without problems so far, though the point brought up earlier by kanuslupus about testing is very, very, very true. I'll even take it a step further and say that if you need perfect uptime on everything, you might do better with another distro. I love Gentoo and its setup, but it is -far- too easy to break things across upgrades, IMHO. (Though a really experienced admin shouldn't get too tripped up by these; it's your funeral)
Also, if you're really using it for some power stuff, version incompatibilities might arise with homegrown tools you're working with, making a patched instead of upgraded system more desirable.

Sven Vermeulen (Retired Dev)
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
Posted: Fri Feb 21, 2003 2:28 pm

We're not using Gentoo on production systems. There are several reasons for that.
One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.
Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).
Third is that Gentoo can't assure secure updating (there have been numerous threads on this subject, so I know this is gonna change yet).

Sasun (n00b)
Joined: 07 May 2002 Posts: 15
Posted: Sat Feb 22, 2003 10:53 pm

Sven Vermeulen wrote:
> We're not using Gentoo on production systems. There are several reasons for that.
> One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.
> Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).
> Third is that Gentoo can't assure secure updating (there have been numerous threads on this subject, so I know this is gonna change yet).

You are right.
I am using gentoo on a production server, and it is working fine.
But I should have chosen debian.
It takes too much time to maintain and update gentoo.

upnix (n00b)
Joined: 02 Jan 2003 Posts: 63 Location: Canada
Posted: Sun Feb 23, 2003 12:08 am

A problem I have with Gentoo on servers is how security updates are dealt with.
Whenever something has a vulnerability, the solution is to upgrade to the newest version of the said software. For me, this doesn't cut it, because the software I'm upgrading to will likely come with new functionality, introduce new bugs, and generally not behave in a similar fashion to the old one.
(Coming from BSD land.) If there's a vulnerability in some software, say OpenSSL, a -patch- should be released fixing the bug in your current version of the software. This ensures that all the functionality and behaviour of OpenSSL remain the same, so that my once-stable box can remain that way.
If I wanted to stir things up even more, I'd mention how I think the reason this isn't done is because the Gentoo "developers" only seem to make ebuilds, and the occasional Python program.