Hi Andy,

I too am working on migrating our Red Hat 7.3 servers to Gentoo. I will
outline what I have done to address some of the issues when running
production servers; you can probably get some ideas from this and I'd
certainly like to hear from anyone how it can be improved.

What I have done is created an internal rsync server which serves a
fixed copy of the Portage tree. This server also houses the distfiles
archive and a binary packages repository, both of which are mounted via
NFS. Almost all my servers are P3s, so I have the same make.conf
distributed between the servers (manually at build time, with cfengine
planned), so they all build with the same CFLAGS. I use "buildpkg" in
my FEATURES so all machines contribute any binary package they build.

When building a new server, I rsync with the fixed Portage tree then use
buildpkg to install from the packages repository; generally it takes
around 1-2 hours to build a server (including compiling the kernel). It
is probably easier than some distributions to install: do the regular
partitioning, copy the make.conf, emerge sync, mount the NFS exports,
emerge -u system, build the kernel, install the bootloader. We also run
a distributed mail system so we have quite a few servers which need an
identical setup; for these I just copy the world file and do "for
package in `cat world`; emerge ...".

Your question was mainly regarding updates, which is fairly easy. To
handle security updates, I sync the branch of the Portage tree which has
the update, e.g. sys-libs/glibc/; the rest of the tree stays in a good,
stable, known state. At the moment I am jumping on the servers manually
to do the updates (only the first server builds the binary package),
which isn't too bad for 7 servers, but you could add a cron job to sync
the tree every night and do an emerge -u; someone else posted a simple
command to do this. What I plan to do is implement cfengine to manage
all the hosts, so instead of rsyncing every night, send out a cfengine
job when an update to the tree is applied.

That's pretty much where I am at the moment, though I'm sure that more
things will come up in the future. I am very happy with Gentoo in a
production environment so far.

Jon
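As an added illustration (not Jon's own script and not a Gentoo tool), the following POSIX shell sketch shows the two mechanical pieces of the update procedure described above: syncing a single subtree such as sys-libs/glibc from a fixed internal mirror while leaving the rest of the tree untouched, and turning a copied world file into one emerge command per package. It assumes the mirror is a plain local directory (in the real setup it would be the internal rsync server and the copy an rsync call), uses constructed ebuild and package names, and only prints the emerge commands for review instead of running them.

```shell
#!/bin/sh
# Added example, not Jon's own script. MIRROR and LOCAL_TREE are plain
# directories here (assumption); in his setup the mirror is an rsync server.

# Copy one subtree (e.g. sys-libs/glibc) from the fixed mirror into the
# local tree, leaving every other package directory exactly as it was.
sync_subtree() {
    mirror=$1; dest=$2; subtree=$3
    if [ ! -d "$mirror/$subtree" ]; then
        echo "sync_subtree: $subtree not on mirror" >&2
        return 1
    fi
    rm -rf "$dest/$subtree"
    mkdir -p "$dest/$subtree"
    cp -R "$mirror/$subtree/." "$dest/$subtree/"
}

# Print the package atoms from a world file, dropping comments and blank
# lines (a bare `cat world` in a for loop would hand those to emerge too).
world_packages() {
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Build one emerge command per world package, preferring the binary
# packages the first server built (--usepkg). Printed for review, not run.
emerge_commands() {
    world_packages "$1" | while IFS= read -r atom; do
        printf 'emerge --usepkg --update %s\n' "$atom"
    done
}

# --- constructed fixture so the functions can be exercised offline ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MIRROR=$WORK/mirror
LOCAL_TREE=$WORK/tree
WORLD=$WORK/world

# Mirror carries a newer glibc ebuild; the local tree still has the old one.
# Names are constructed, not real Portage versions.
mkdir -p "$MIRROR/sys-libs/glibc" "$MIRROR/app-editors/vim"
mkdir -p "$LOCAL_TREE/sys-libs/glibc" "$LOCAL_TREE/app-editors/vim"
touch "$MIRROR/sys-libs/glibc/glibc-new.ebuild" \
      "$MIRROR/app-editors/vim/vim-mirror.ebuild"
touch "$LOCAL_TREE/sys-libs/glibc/glibc-old.ebuild" \
      "$LOCAL_TREE/app-editors/vim/vim-local.ebuild"

# Constructed world file with a comment and a blank line to be skipped.
cat > "$WORLD" <<'EOF'
# packages installed on the mail servers
net-mail/postfix
sys-libs/glibc

app-editors/vim   # trailing comment
EOF

# Pull only the glibc subtree, then list what the update run would do.
sync_subtree "$MIRROR" "$LOCAL_TREE" sys-libs/glibc
emerge_commands "$WORLD"
```

After the run, the local tree holds the mirror's glibc directory while app-editors/vim is untouched, which is the "rest of the tree stays in a known state" property; the printed command list is what a nightly cron job would execute once reviewed.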

Andy Mayer wrote:
> Hi there,
>
> I've been using Gentoo as my desktop platform for about 3 months now and
> I really like its power and flexibility. But I usually use Red Hat 7.3
> on our production servers as I really like the Red Hat Network up2date
> functionality which automatically applies security patches without
> needing human intervention.
>
> Basically, I am the sort of guy that wants to spend minimal time
> maintaining production servers that are not cutting edge so that I can
> concentrate my time on development work.
>
> But with Red Hat dropping Red Hat Network support for RH7.3, I am
> seriously considering changing our server platform over to Gentoo.
>
> Our server requirements are not cutting edge; we only need Apache, PHP,
> Perl and MySQL (and maybe later some mail services). My question is: if
> I move our server platform to Gentoo, is there an automated way of
> applying security patches to the currently installed software that I can
> "fire and forget" without fear of things breaking big time?
>
> I know this question is not very focused, but I wanted to start a
> discussion as to the best methods of automating security updates for
> non-cutting edge Apache/MySQL/PHP servers using Gentoo.
>
> Thanks for your help!
>
> Andy
>
> PS. Is there a web-archive of this list that I can search?
>