Gentoo Forums
Gentoo being used as production server

Messiah
Tux's lil' helper

Joined: 30 Apr 2002
Posts: 139

Posted: Thu Jul 04, 2002 11:37 am    Post subject: Gentoo being used as production server

Hi all,

I am working for an Internet Service Provider (http://www.qweb.nl) at the Netherlands, and have installed Gentoo on one of our servers that is being used as a production server. We are using the following services:
- apache + mod_ssl + mod_perl + mod_php
- ssh
- mysql
- qmail + courier-imap + vpopmail + qmailadmin + ezmlm-idx
- proftpd
- bind
- gShield as firewall
- awstats for website statistics
[edit]
- webmin
How can I forget that one?
[/edit]

This is almost everything I need at all times. I have set it up and running perfectly right now. Tomorrow I updated db, and MySQL stopped working. So I wanted to update MySQL too, and saw that it didn't compile complaining about the version of db (it said I don't recognise version 3.2.9, use 3.2.9a or 3.2.3h). So I had to downgrade to 3.2.3h, and of course, did let me start to think.

I haven't tested Gentoo with these services too well, my fault. First I need to test and then implement. But hey, nobody is perfect, and I like Gentoo really.

I saw a post of klieber saying he wouldn't use Gentoo in a production environment.

My questions:
- Is it really that a bad idea to install Gentoo on a production environment? Why?
- What are the things I should watch for. I mean, I do have some configurations and changes to ebuild files, and I am tracking them, and doing the same things when upgrading and so on. But what more?
- Why was MySQL broken by the update of db? I mean, the person who is responsible for the db ebuild files, didn't he check it? Wasn't he aware? Is it likely to happen often? Is it likely to happen on other packages also? Are these guys testing it or should I test it before? (I know the safest thing to do is to test first, but that is a lot of work man :( ).

Thanks in advance.


Last edited by Messiah on Thu Jul 04, 2002 10:06 pm; edited 1 time in total

Scandium
Retired Dev

Joined: 22 Apr 2002
Posts: 340
Location: Germany

Posted: Thu Jul 04, 2002 12:08 pm    Post subject: Re: Gentoo being used as production server

Quote:

My questions:
- Is it really that a bad idea to install Gentoo on a production environment? Why?


The problem is that there are no branches like stable/testing/unstable like in Debian, and furthermore "versions" don't really exist in Gentoo.
So, to be safe, you have to install your system and never update again because gentoo currently is bleeding edge all the time and has no stable branch (I hope that gentoo will be divided into stable/unstable some time, but stable as stable and not as old [like debian does]).
Every update could break your system - that's the problem (which can't happen with SuSE, RedHat, Mandrake... because they only have "big" versions and in the meantime they only supply security updates etc. (and not update every package constantly because it's not in the distribution's nature like in gentoo and debian))

Quote:
Thanks in advance.


Could only answer first question, but I hope it helps you

cyc
Tux's lil' helper

Joined: 28 Jun 2002
Posts: 89

Posted: Thu Jul 04, 2002 1:21 pm

You should just be conservative with updates. Don't do an emerge -u world every week. Do emerge -pu world, look at what you're in need of (because of security reasons or feature additions) and then choose your updates. Perhaps test them on a local machine.
_________________
http://www.gentoo-de.org
Gentoo userpage

Scandium
Retired Dev

Joined: 22 Apr 2002
Posts: 340
Location: Germany

Posted: Thu Jul 04, 2002 1:42 pm

on the other hand, if a security hole gets known do emerge --clean rsync and emerge the package (for example openssh *grin*) only.

The problem with this one is that you need to look for yourself what has security bugs etc. so this isn't a good idea if you don't have too much time :)


Last edited by Scandium on Thu Jul 04, 2002 9:55 pm; edited 1 time in total

Messiah
Tux's lil' helper

Joined: 30 Apr 2002
Posts: 139

Posted: Thu Jul 04, 2002 2:11 pm

I do know what packages have security issues (mostly) because I also administer 1 RedHat server and three Mandrake Linux servers, along with some Cobalt servers. I update them too, and get some posts from lists. So that is a good option.

But someone sometime stated that one needs to do emerge -u world often, otherwise things get broken. Now I don't know who said this and when (I think it was on this forum tho), but is this true? Is it more likely that things get broken when I do less emerge -u world?

Please, don't make me say that I did a wrong choice. I got plenty of time in it to run the way I want ;-)

(PS Of course, if I did make a mistake it's better to stop now than to stop later, because in a couple of weeks I need to install another server and I am considering installing Gentoo on that one too)

cyc
Tux's lil' helper

Joined: 28 Jun 2002
Posts: 89

Posted: Thu Jul 04, 2002 2:11 pm

yes perhaps we need some kinda importance-level for ports. or freshports service ;)
_________________
http://www.gentoo-de.org
Gentoo userpage

trapni
Retired Dev

Joined: 16 May 2002
Posts: 251
Location: Germany/Berlin

Posted: Thu Jul 04, 2002 2:15 pm

Messiah wrote:
- Is it really that a bad idea to install Gentoo on a production environment? Why?
No, not really, or let's say it's just been klieber's choice. Not mine :)

I'm using Gentoo in production in two places and it really works fine (except one or two things, not more ;) )

I was previously using SuSE Linux 7.2 on all servers (and clients) but I feel really more happy with Gentoo. So why not use it?

Messiah wrote:
But someone sometime stated that one needs to do emerge -u world often, otherwise things get broken. Now I don't know who said this and when (I think it was on this forum tho), but is this true? Is it more likely that things get broken when I do less emerge -u world?
Well I just think that this user wasn't just guru enough to set it up right ;) I really haven't had such problems until now :P

Regards,
Christian Parpart.


Last edited by trapni on Thu Jul 04, 2002 2:18 pm; edited 1 time in total

cyc
Tux's lil' helper

Joined: 28 Jun 2002
Posts: 89

Posted: Thu Jul 04, 2002 2:17 pm

exactly my background
_________________
http://www.gentoo-de.org
Gentoo userpage

Nitro
Bodhisattva

Joined: 08 Apr 2002
Posts: 661
Location: San Francisco

Posted: Thu Jul 04, 2002 3:42 pm    Post subject: Re: Gentoo being used as production server

Messiah wrote:
I saw a post of klieber saying he wouldn't use Gentoo in a production environment.

I think klieber might be leaning the other way now. What if I told you www.gentoo.org and forums.gentoo.org are running Gentoo?

Messiah wrote:
My questions:
- Is it really that a bad idea to install Gentoo on a production environment? Why?

The bottom line is: don't do an emerge -u world. Plain and simple. Every package that I update on the forums server I've messed with at home on my workstation for at least a few days. After you compile something, it isn't going to break magically (usually it doesn't...), only updating will hurt you.

Messiah wrote:
- What are the things I should watch for. I mean, I do have some configurations and changes to ebuild files, and I am tracking them, and doing the same things when upgrading and so on. But what more?

I put together a custom ebuild for apache and php (ie server/server-apache) on the forums server and my other servers. I created a new category called server, emerge rsync doesn't touch them, and I watch the revisions on the standard ebuilds for bugs and what not.

Just make sure you backup your customized ebuilds.

Messiah wrote:
- Why was MySQL broken by the update of db? I mean, the person who is responsible for the db ebuild files, didn't he check it? Wasn't he aware? Is it likely to happen often? Is it likely to happen on other packages also? Are these guys testing it or should I test it before? (I know the safest thing to do is to test first, but that is a lot of work man :( ).

The broken MySQL revision is an example of having different libs installed. Donny Davies (woodchip) maintains a few of the major networking/server ebuilds, MySQL being one. I assume that he had the old library installed and didn't notice the bug. It is really hard to avoid stuff like this in a "live" distro. The developers are focusing on QA (quality assurance) checks and tools that will be our first line of defense against bugs like these.

As mentioned above, I follow bugzilla reports ( bugs.gentoo.org ), the mailing lists, the forums, and general chat. My first test is always "does it work on my box?" My box that I use for everyday use is a P4 so it compiles fairly fast, I like to compile, eat {lunch,breakfast,snack}, check the new ebuild.

If you have more questions or requests, I would be more than glad to help you with them.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.

Messiah
Tux's lil' helper

Joined: 30 Apr 2002
Posts: 139

Posted: Thu Jul 04, 2002 9:40 pm

Well Nitro you da man.

Now I do know I did make the right choice. Partly because I like fiddling around with software, partly because I love Gentoo so much. Besides, I got so many times broken software on my Mandrake Linux servers after updates also (especially apache, php and mysql updates), so what the heck, I will be careful. I think I'm gonna install some test-server like thing, and first test things on that one before I do upgrade all other machines that will be running Gentoo Linux in the future.

metalhedd
l33t

Joined: 30 May 2002
Posts: 692
Location: Ontario Canada

Posted: Fri Jul 05, 2002 4:43 pm

I'd just like to strengthen the idea that there should be a stable branch of gentoo. the best way to implement it would probably be a separate rsync server, where the ebuilds are only updated when the newer software is proven stable and secure. that way it's still safe to do a world update without (too many) worries.

wouldn't be as Bleeding edge, but it'd be great for people who love gentoo and want to run it in a production environment.

trapni
Retired Dev

Joined: 16 May 2002
Posts: 251
Location: Germany/Berlin

Posted: Fri Jul 05, 2002 9:00 pm

that's why packages get masked.
And even if you'd prefer to divide here anyway, I'd prefer to add a special option to the /etc/make.conf like USE="beta-packages" or something like that ;)

ismark
n00b

Joined: 29 Jun 2002
Posts: 40

Posted: Sun Sep 15, 2002 7:14 am    Post subject: Re: Gentoo being used as production server

all your packages from "emerge"? and your qmail + vpopmail working fine?

I have emerge "qmail" and "vpopmail", when using "checkpassword" working fine, but when using "vchkpw" is fail...............:(

Messiah wrote:
Hi all,

I am working for an Internet Service Provider (http://www.qweb.nl) at the Netherlands, and have installed Gentoo on one of our servers that is being used as a production server. We are using the following services:
- apache + mod_ssl + mod_perl + mod_php
- ssh
- mysql
- qmail + courier-imap + vpopmail + qmailadmin + ezmlm-idx
- proftpd
- bind
- gShield as firewall
- awstats for website statistics
[edit]
- webmin
How can I forget that one?
[/edit]

This is almost everything I need at all times. I have set it up and running perfectly right now. Tomorrow I updated db, and MySQL stopped working. So I wanted to update MySQL too, and saw that it didn't compile complaining about the version of db (it said I don't recognise version 3.2.9, use 3.2.9a or 3.2.3h). So I had to downgrade to 3.2.3h, and of course, did let me start to think.

I haven't tested Gentoo with these services too well, my fault. First I need to test and then implement. But hey, nobody is perfect, and I like Gentoo really.

I saw a post of klieber saying he wouldn't use Gentoo in a production environment.

My questions:
- Is it really that a bad idea to install Gentoo on a production environment? Why?
- What are the things I should watch for. I mean, I do have some configurations and changes to ebuild files, and I am tracking them, and doing the same things when upgrading and so on. But what more?
- Why was MySQL broken by the update of db? I mean, the person who is responsible for the db ebuild files, didn't he check it? Wasn't he aware? Is it likely to happen often? Is it likely to happen on other packages also? Are these guys testing it or should I test it before? (I know the safest thing to do is to test first, but that is a lot of work man :( ).

Thanks in advance.

pilla
Bodhisattva

Joined: 07 Aug 2002
Posts: 7729
Location: Underworld

Posted: Sun Sep 15, 2002 2:51 pm

If you're careful about your updates, I think Gentoo is great also for production environments. You can have more than one version of the same package, therefore less chance of screwing everything up. IMHO it's more a question of knowing what you do and really knowing portage.

Of course, it would be easier if you have a stable/unstable branch, but I like the bleeding edge.... I hate waiting for packages that never come.

Hey, I consider my notebook a production environment (if it does not work, I'm in a really bad situation). :twisted:

ryker
Guru

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Fri Jul 30, 2004 1:41 am    Post subject: Re: Gentoo being used as production server

ismark wrote:
all your packages from "emerge"? and your qmail + vpopmail working fine?

I have emerge "qmail" and "vpopmail", when using "checkpassword" working fine, but when using "vchkpw" is fail...............:(


If you're having trouble with qmail and vpopmail try this thread.


As for the topic of this thread ....

I have a Gentoo production server set up and it works great.
_________________
Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
IntelCore2Duo 2.0Ghz MSI laptop,100G SATA hd, 2G RAM

splooge
l33t

Joined: 30 Aug 2002
Posts: 636

Posted: Fri Jul 30, 2004 4:26 am

I love Gentoo.

It's my personal preference of any Linux distribution. I run it at home. Bleeding edge rules.

That being said, would I want to install and maintain it across our 1800 servers? No freaking way. I have a hard enough time keeping my home system up to date, no way I'm gonna attempt this with 1800 servers :!:
_________________
http://get.a.clue.de

frilled
Retired Dev

Joined: 15 Mar 2004
Posts: 386
Location: Atlantis, inner city ring

Posted: Fri Jul 30, 2004 5:32 am

I'm using it in a time-critical production environment on four servers and a couple of workstations (of course :D ). We're quite close to bleeding edge (emerge sync is cron'ed to run before I come in so I can have a look what's new).

Once in a while even packages marked "stable" do break, that is why I test critical updates on my machine and a designated, non-productive test server first.

In my eyes, Gentoo is the best thing that ever happened to Linux. I was so sick of not being able to update SuSE the way I wanted to I almost lost all interest in Linux. But now my faith is restored ;-)

The only sorry thing is that sometimes you're standing at a closed(-source) door. Like I haven't gotten Compaq's (HP nowadays :evil: ) crappy Insight management agents to work on our ProLiants yet. It barfs horribly when I try and of course there is as little documentation as there is source code. But hey, you can't have it all!

tuxmin
l33t

Joined: 24 Apr 2004
Posts: 838
Location: Heidelberg

Posted: Fri Jul 30, 2004 6:55 am

Just my two cents...

Gentoo comes in handy when you have well defined specifications about your setup. These days I had to install a LAMP system (yes, for a production environment with an estimated traffic of 60GB per day and several 100 simultaneous online users). The setup involves 5 IBM x345, one acting as ReverseProxy, two backend webservers and two machines as DB servers running mySQL in master and slave mode.
The specifications demanded apache-1.3, mysql-3.23, php-4.3 and several other things like webalizer, ssh, rsync, imagemagick etc. all versions well defined!
So I started looking at Debian/woody which had apache and mysql in the right version, but php and imagemagick didn't fit :( so I tried Debian/testing: now mysql wouldn't fit :(, I checked RedHat -- the same problem... well, to put it short, no distro would fit these specs...
Compiling all this stuff by hand was no option. I had done this before and it's pain in the ass to resolve all these dependencies manually.
After having some good experience with Gentoo running on two of our firewalls, I remembered that slogan: Gentoo is everything about choice! And that's what it is. I defined all my specs in /etc/portage/package.mask and /etc/make.conf, did "emerge mod_php", came back two hours later and had exactly the system I needed! And now, 3 months later it has proven to run rock stable even under high load.

I use Gentoo on my desktop as well and yes, from time to time an ebuild fails, but I never had any serious system crash.

In my opinion you have to take it literally that Gentoo is everything about choice. But this well implies that within this freedom of choice you really need to know what you want! And you need experience to evaluate the risks of deciding to choose this or that version of a package.


Regards, Alex!!!
_________________
ALT-F4

Hazzl
n00b

Joined: 03 Dec 2003
Posts: 27
Location: Berlin, Germany

Posted: Fri Jul 30, 2004 10:47 am

I don't understand all this talk about Gentoo not having testing/stable branches. Isn't this what the ARCH/~ARCH keywords are for? As far as I see it, ~ARCH corresponds to Debian's testing-branch. Hard masked packages correspond to unstable and ARCH corresponds to stable.

Of course, us being Gentooists, we move all new packages into testing by default and only hard-mask ebuilds with known problems. Whereas Debian lets them start off in unstable. :wink:

If you only want to update security related packages, can't you just do a glsa-check every day (or hasn't this functionality been implemented yet?)

ryker
Guru

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Fri Jul 30, 2004 4:58 pm

I have glsa-check --fix all in a nightly cron and I haven't had any problems at all on my production server.
_________________
Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
IntelCore2Duo 2.0Ghz MSI laptop,100G SATA hd, 2G RAM

splooge
l33t

Joined: 30 Aug 2002
Posts: 636

Posted: Fri Jul 30, 2004 7:52 pm

Hazzl wrote:
I don't understand all this talk about Gentoo not having testing/stable branches. Isn't this what the ARCH/~ARCH keywords are for? As far as I see it, ~ARCH corresponds to Debian's testing-branch. Hard masked packages correspond to unstable and ARCH corresponds to stable.


Don't forget about the most important test of all: The test of time. Bleeding edge is a lot of fun, but the test of time is still an important factor.
_________________
http://get.a.clue.de

F.Ultra
Apprentice

Joined: 17 Mar 2004
Posts: 169
Location: Sweden

Posted: Fri Jul 30, 2004 8:37 pm

I think we Linux people should relax sometimes, hey look at those poor people that run Windows on production machines (heck I have to), that is like running everything on ~x86

kands
Tux's lil' helper

Joined: 01 Apr 2003
Posts: 138
Location: Vancouver Island, Canada

Posted: Fri Jul 30, 2004 8:57 pm

I manage the IT infrastructure for a medium sized software development / Internet company. We are moving away from Redhat to Gentoo for all of our production Linux servers. As mentioned previously you have to be careful of what updates go into the system and what files you change with etc-update.

I've used several distros and I find the ease of management and administration of Gentoo to outweigh the problems we faced with other distros. Every distro has pros and cons... Gentoo (for us) just has a better ratio between the two.

If in doubt of an update we test carefully (which one should always be doing prior to moving something into a production environment).
_________________
http://www.brokenspoke.ca
Have you broken your spoke today?

ryker
Guru

Joined: 28 May 2003
Posts: 412
Location: Portage, IN

Posted: Fri Jul 30, 2004 9:28 pm

kands wrote:
I manage the IT infrastructure for a medium sized software development / Internet company. We are moving away from Redhat to Gentoo for all of our production Linux servers. As mentioned previously you have to be careful of what updates go into the system and what files you change with etc-update.

I've used several distros and I find the ease of management and administration of Gentoo to outweigh the problems we faced with other distros. Every distro has pros and cons... Gentoo (for us) just has a better ratio between the two.

If in doubt of an update we test carefully (which one should always be doing prior to moving something into a production environment).

I think this quote says it all. I completely agree. You just have to be careful. I too, have been burned doing both an emerge -u world and etc-update, but only on my home computer. On my production server, I would never just blindly do an emerge -u world.
You should
Code:
emerge sync
glsa-check --fix all
emerge -upv world

   Test the packages that show up on another machine first.
   Check the forums and bugzilla for potential problems your testing might have missed.
   Cautiously update one at a time the packages you need.

etc-update (be very very careful)

I know people have claimed 'glsa-check --fix all' can bork your system, but I have used it nightly in a cron job for at least 6 months and haven't had a problem.
_________________
Athlon 64 3200+, 80G WD sata hd + 200G IDE, 1G Geil DDR400, MSI K8T Neo
IntelCore2Duo 2.0Ghz MSI laptop,100G SATA hd, 2G RAM
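
The routine in the post above (sync, preview with `emerge -upv world`, then merge only the packages you need, one at a time) can be scripted around a saved preview. The following is an added example, not part of the thread or of Portage: `classify_updates`, `security_atoms`, `write_sample`, the hand-maintained advisory list and all sample data are constructed for illustration, and the preview line shape is assumed to be the one shown in the first comment.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes pretend-output lines shaped like
#   [ebuild     U ] category/name-version [installed-version]
# and a hand-maintained advisory list with one category/name per line.

# classify_updates PRETEND_FILE ADVISORY_FILE
# Prints "SECURITY|DEFER category/name old -> new" for every pending merge.
classify_updates() {
    awk -v sec="$2" '
        FILENAME == sec {                  # advisory list: "#" starts a comment
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") security[$0] = 1
            next
        }
        /^\[ebuild/ {                      # skip banners and blank lines
            line = substr($0, index($0, "]") + 1)   # drop the status column
            n = split(line, f)             # f[1] = atom, f[2] = [old] if present
            atom = f[1]; old = "-"         # "-" marks a package not yet installed
            if (n >= 2 && f[2] ~ /^\[.*\]$/)
                old = substr(f[2], 2, length(f[2]) - 2)
            name = atom                    # strip "-version" and optional "-rN"
            sub(/-[0-9][^-]*(-r[0-9]+)?$/, "", name)
            new = substr(atom, length(name) + 2)
            tag = (name in security) ? "SECURITY" : "DEFER"
            printf "%s %s %s -> %s\n", tag, name, old, new
        }
    ' "$2" "$1"
}

# security_atoms PRETEND_FILE ADVISORY_FILE
# Prints one exact "=category/name-version" atom per security update, so the
# production box merges the same version that was exercised on the test box.
security_atoms() {
    classify_updates "$1" "$2" |
        awk '$1 == "SECURITY" { print "=" $2 "-" $5 }'
}

# write_sample DIR: constructed sample input (versions are illustrative only).
write_sample() {
    cat > "$1/pretend.txt" <<'EOF'
These are the packages that I would merge, in order:

Calculating world dependencies ...done!
[ebuild     U ] sys-libs/db-3.2.9 [3.2.3h]
[ebuild     U ] net-misc/openssh-3.4_p1 [3.1_p1-r1]
[ebuild     U ] dev-db/mysql-3.23.51-r1 [3.23.49]
[ebuild  N    ] net-www/awstats-4.1
EOF
    cat > "$1/advisories.txt" <<'EOF'
# packages with an open advisory (constructed list)
net-misc/openssh
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir"
classify_updates "$demo_dir/pretend.txt" "$demo_dir/advisories.txt"
security_atoms "$demo_dir/pretend.txt" "$demo_dir/advisories.txt"
rm -rf "$demo_dir"
```

Everything tagged DEFER, such as the db and mysql bumps in the sample, stays out of the production merge until it has been tried on the test machine.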

All times are GMT