Medium-scale Gentoo Implementation?

[nonhuman]

I'm an administrator for the CS department at my school. I'm responsible for right about 100 machines in labs, classrooms, and faculty offices (it's a small school). Currently they dual-boot Windows XP and RedHat AS. I really don't like RedHat at all for various reasons, not the least of which being the RPM system. My boss is pretty much in agreement with me on this, especially now that we've switched to AS (this switch was done at the behest of the school's IT department who bought a site license in response to the demise of 'regular' RedHat).

So the possibility of switching away from RedHat has come up. My boss has been thinking about SUSE, while I've been an advocate of Gentoo. I'm in the process of looking around for information to support my position, and was hoping some of you could help me out.

The most important issue that I need to be able to convince my boss on is security. Specifically, that security updates are available in portage with in a reasonable time of their release. My suspicion is that Gentoo is able to push those updates at least as fast, if not faster than RedHat, but I haven't been able to find anything to support that. Obviously this is going to vary on a case by case basis, but is there any documentation on this? The Security Document didn't seem to talk about it (for understandable reasons).

The next issue is how easy it would be for us to propagate updates throughout the computers. With a lab environment, we definitely don't want to be compiling everything we install on every system. The idea I came up with is to have our own server for all the machines to sync their portage trees from on which we would be able to put our own binary ebuilds of the things that we want to be on every system. That way we can still have every package custom-compiled but only have to compile it once or twice (all of our machines are one of two types and are identical within those types). How hard would it be to implement this? I know it's not supposed to be very hard to make an ebuild, but I've never actually done it. Would it be possible to automate the process? Basically, I'd want to be able to sync with the main portage tree, then run a script that makes a custom-compiled binary ebuild of whatever package for us to put on our server. How hard/impossible would this be for someone who has little to no experience with Gentoo (I'll be leaving at the end of the year, so I won't be in charge of this)?

I'm assuming that I'm not the only one who wants to implement Gentoo as more than just a personal distro, and probably people have already done things similar to what I want to do. So if anyone has any advice/warnings about this, I'd be very happy to hear it.[/url]

[Angrybob]

you could have /usr as an nfs mount so all the apps come from one server, but I guess you might need a lot of bandwidth for that.

As for binary ebuilds, you just need a normal ebuild then once you have compiled it on one system execute "quickpkg <packagename>" and it will zip it up into a tbz2 file. Then on the other machines you simply do "emerge -K <packagename>" and it just extracts it from the tbz2 file instead of compiling.

[nonhuman]

you could have /usr as an nfs mount so all the apps come from one server, but I guess you might need a lot of bandwidth for that.

I really should have thought of that... Currently we have /usr/local as an nfs mount, so it's really not much of a stretch. Bandwidth shouldn't really be an issue, we just upgraded to 100bT ethernet for our network.

As for binary ebuilds, you just need a normal ebuild then once you have compiled it on one system execute "quickpkg <packagename>" and it will zip it up into a tbz2 file. Then on the other machines you simply do "emerge -K <packagename>" and it just extracts it from the tbz2 file instead of compiling.

Thanks, that's pretty much exactly what I was looking for. I figured there was probably some easy way to do it. Will quickpkg deal with dependencies at all?

[guard0]

why does it need to?
before you do a new emerge (to upgrade or whatever), just do emerge -up > /path/to/file
then it will dump all that info to a file.. use that file to generate your list of packages to use quickpkg on..
i doubt qpkg has the ability to handle dependancies, but portage handles that for you

[Boris27]

you could have /usr as an nfs mount so all the apps come from one server, but I guess you might need a lot of bandwidth for that.

I really should have thought of that... Currently we have /usr/local as an nfs mount, so it's really not much of a stretch. Bandwidth shouldn't really be an issue, we just upgraded to 100bT ethernet for our network.

As for binary ebuilds, you just need a normal ebuild then once you have compiled it on one system execute "quickpkg <packagename>" and it will zip it up into a tbz2 file. Then on the other machines you simply do "emerge -K <packagename>" and it just extracts it from the tbz2 file instead of compiling.

Thanks, that's pretty much exactly what I was looking for. I figured there was probably some easy way to do it. Will quickpkg deal with dependencies at all?

"emerge --buildpkg" will let you create binaries even for other archs. Just set your stuff in /etc/make.conf and let it rip. This allows you to let a dual p4 do the compiling for a pentium2 or something.

[PowerFactor]

I think boris27 is on the right track there. Just emerge --buildpkg on the server and have all your clients mount the servers pakages directory via nfs. Then once you get everything built(and tested) on the server it's simply a matter of running emerge -K on the clients.

[deathbaz]

We've set up a binary based install for 150+ machines. Its been running for about 3 months now with no major hassles. Here's instructions and all the scripts we use for the install part of the process. These might be useful for you. Theres also a custom system for maintaining the machines that we've written but I haven't got to documenting it yet.

[nonhuman]

We've set up a binary based install for 150+ machines. Its been running for about 3 months now with no major hassles. Here's instructions and all the scripts we use for the install part of the process. These might be useful for you. Theres also a custom system for maintaining the machines that we've written but I haven't got to documenting it yet.

Oh wow, thanks. This aught to be very useful in helping to convince my boss and the IT department (who are a real pain in the ass to deal with).

[ewan.paton]

why not setup on machine as a portage/binhost mirror that all the other machines sync there portage tree against that way you control what apps can be installed centrally but decisions on required apps can be made locally. theres a guide in the tips & tricks forum and this effectivly gives you an stable branch you control and you dont need to have filesystems mounted

as to the progress of "emerge security", i cant remeber what the command was but it was still testing but worked ok when i last tryed it