Gentoo Archives: gentoo-server

From: "Wilkins
To: gentoo-server@l.g.o
Subject: RE: [gentoo-server] Gentoo for server
Date: Tue, 07 Dec 2004 13:20:42
Message-Id: F62740B0EFCFC74AA6DCF52CD746242D0103370F@iu-mssg-mbx05.exchange.iu.edu
I would definitely NOT use the unstable tree for everything, by using ~x86 in package.keywords. There's really no justification for that, even on a bleeding edge server. I have found many packages in the unstable tree to be fine, even for server use, and sometimes I do need them right away for security fixes, but there are numerous packages in the unstable tree that cause problems.

Second, there are some special considerations for "production" servers, although they may not be big issues for home use. I would at the very least distribute compiling so that you are not tying up the CPU on your server. If you set up your config files correctly, using distcc you can put a very light load on the server during compiling. Even better is to compile on a separate machine. You can use emerge or quickpkg to build binary packages on another system and then distribute them to your server. You still get all the advantage of a customized binary, but don't place any compiling load on the server.

When supporting multiple servers, it is often advantageous to mount /usr/portage/distfiles from a remote share. You can then synch only one tree, which saves a good bit of time and processing on your other servers.

If you compile on your server, you probably want to have /var/, /var/tmp or /var/tmp/portage on a separate partition (preferably on a disk on a different controller).

Gentoo works well for me on servers because it is so cutting edge. If there's a security update, I don't want to wait any longer than necessary for a fix, and I find that Gentoo packages are often out before rpm packages. If necessary I'll just compile from source (downloaded from the application website), which is always easier on Gentoo and causes fewer problems than doing the same on an rpm-based distribution. If necessary you can always inject what you compiled into portage later. Additionally, the ease with which you can add or remove options from applications is a big boost to performance, security, and stability.

You mentioned security; again, I wouldn't use ~x86, the unstable tree, unless you need to for a very recent security fix or feature. Customize your logging properly, set up your partitions correctly (with the right options like noexec on data-only partitions), use tcp wrappers (very easy to configure on Gentoo), use a firewall, and configure your daemons correctly and you won't have any problems. If you are really paranoid, you can add intrusion detection, log monitors, hardened kernel sources, etc. Gentoo gives you a huge number of options to create a server as secure as you would like; you just have to learn a lot to be able to do it, which is no small task!

Finally, the ease with which other applications are installed or configured on Gentoo is unmatched, and this too is a big benefit. Easily being able to choose my logger, a firewall front-end, mail server, etc. makes it a lot easier to build and maintain a secure server.

I see a lot of discussion elsewhere about how Gentoo is not for servers. I've used probably over 20 distributions in enterprise environments over the last 10 years or more, and I honestly can't imagine ever using another distribution on a workstation or server.

Vern Wilkins
Senior Technology Specialist
Indiana University Libraries

-----Original Message-----
From: Simon Striker [mailto:simon@×××××××××.net]
Sent: Mon 12/6/2004 6:20 PM
To: gentoo-server@l.g.o
Cc:
Subject: [gentoo-server] Gentoo for server

Hi!

I have just installed Gentoo on my laptop and I am very satisfied with
it! I really like the portage feature and other Gentoo philosophy.

At home and at "week-end house" I have a Linux server with Slackware
distribution installed. Now I am thinking of reinstalling my servers and
installing the Gentoo Linux on them, but I am a bit worried
because all packages in Portage tree are NOT up-to-date.

I am using servers for: Mail-server, web-server, printer-share,
firewall, router, backup-server, webmail, mysql etc.

I would like to know, how do you maintain your servers? Is it safe to
have Gentoo as a server?

What do you think of putting all installed packages into
/etc/portage/packages.keywords (~x86) for server?

I would like to make my Linux server "insensitive" for hackers or
intruders. Is it possible with Gentoo?

I will be very grateful to hear some of your opinions or experiences.

Thanks in advance!

Best regards, Simon
-------------

Simon Striker
Rusjanov trg 2
1000 Ljubljana +38641473856
Europe (Slovenia)

E-mail: simon@×××××××××.net
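
Added example, not part of either message above: a small audit of fstab-style entries for the reply's advice on noexec for data-only partitions, combined with its advice on a separate /var/tmp/portage. The mount point list and the sample table are assumptions made for this example; it also flags noexec reaching the Portage build directory, because Portage runs build scripts from there.

```python
# Audit fstab-style lines for noexec/nosuid/nodev on data-only mounts.
# DATA_ONLY and the sample table are assumptions made for this example.
DATA_ONLY = ("/home", "/tmp", "/var/tmp", "/srv/data")
NEEDS_EXEC = ("/var/tmp/portage",)  # Portage executes build scripts here
WANTED = ("noexec", "nosuid", "nodev")

# Constructed sample, not taken from a real server.
SAMPLE_FSTAB = """\
# <fs>      <mountpoint>      <type> <opts>                      <dump> <pass>
/dev/sda3   /                 ext3   noatime                     0 1
/dev/sda5   /home             ext3   noatime,nodev,nosuid        0 2
/dev/sda6   /tmp              ext3   noatime,nodev,nosuid,noexec 0 2
/dev/sdb1   /var/tmp          ext3   noatime,nodev,nosuid,noexec 0 2
/dev/sdb2   /var/tmp/portage  ext3   noatime,nodev,nosuid,noexec 0 2
/dev/sdb3   /srv/data         ext3   defaults                    0 2
"""

def parse_fstab(text):
    """Return [(mountpoint, set_of_options)] for every non-comment entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            entries.append((fields[1].rstrip("/") or "/", set(fields[3].split(","))))
    return entries

def covering_mount(path, entries):
    """Return the longest mount point that contains path, or None."""
    hits = [(mp, opts) for mp, opts in entries
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=lambda e: len(e[0]), default=None)

def audit(text):
    """Return [(path, problem)] for weak data mounts and a noexec build dir."""
    entries = parse_fstab(text)
    findings = []
    for mp, opts in entries:
        missing = [o for o in WANTED if o not in opts]
        if mp in DATA_ONLY and missing:
            findings.append((mp, "missing " + ",".join(missing)))
    for path in NEEDS_EXEC:
        hit = covering_mount(path, entries)
        if hit and "noexec" in hit[1]:
            findings.append((path, "noexec (from %s) breaks Portage builds" % hit[0]))
    return findings

if __name__ == "__main__":
    for mountpoint, problem in audit(SAMPLE_FSTAB):
        print("%-18s %s" % (mountpoint, problem))
```

The same functions can be pointed at the contents of a real /etc/fstab or /proc/mounts, since both use the same first four fields.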