| 1 |
Hi Andy, |
| 2 |
|
| 3 |
I too am working on migrating our Red Hat 7.3 servers to Gentoo. I will |
| 4 |
outline what i have done to address some of the issues when running |
| 5 |
production servers, you can probably get some ideas from this and i'd |
| 6 |
certainly like to hear from anyone how it can be improved. |
| 7 |
|
| 8 |
What i have done is created an internal rsync server which serves a |
| 9 |
fixed copy of the Portage tree. This server also houses the distfiles |
| 10 |
archive and a binary packages repository, both of which are mounted via |
| 11 |
NFS. Almost all my servers are p3's so i have the same make.conf |
| 12 |
distributed between the servers (manually at build time, with cfengine |
| 13 |
planned), so they all build with the same CFLAGS, i use "buildpkg" in |
| 14 |
my FEATURES so all machines contribute any binary package they build. |
| 15 |
|
| 16 |
When building a new server, i rsync with the fixed portage tree then use |
| 17 |
buildpkg to install from the packages repository, generally it takes |
| 18 |
around 1-2 hours to build a server (including compiling the kernel). It |
| 19 |
is probably easier than some distributions to install: Do the regular |
| 20 |
partitioning, copy the make.conf, emerge sync, mount the nfs exports, |
| 21 |
emerge -u system, build the kernel, install the bootloader. We also run |
| 22 |
a distributed mail system so we have quite a few servers which need an |
| 23 |
identical setup, for these i just copy the world file and do "for |
| 24 |
package in `cat world`; emerge ...". |
| 25 |
|
| 26 |
Your question was mainly regarding updates, which is fairly easy. To |
| 27 |
handle security updates, i sync the branch of the portage tree which has |
| 28 |
the update, eg sys-libs/glibc/, the rest of the tree stays in a good, |
| 29 |
stable, known state. At the moment i am jumping on the servers manually |
| 30 |
to do the updates (only the first server builds the binary package), |
| 31 |
which isn't too bad for 7 servers but you could add a cron job to sync |
| 32 |
the tree every night and do an emerge -u, someone else posted a simple |
| 33 |
command to do this. What i plan to do, is implement cfengine to manage |
| 34 |
all the hosts, so instead of rsyncing every night, send out a cfengine |
| 35 |
job when an update to the tree is applied. |
| 36 |
|
| 37 |
That's pretty much where i am at the moment, though i'm sure that more |
| 38 |
things will come up in the future. I am very happy with Gentoo in a |
| 39 |
production environment so far. |
| 40 |
|
| 41 |
Jon |
| 42 |
|
| 43 |
|
| 44 |
Andy Mayer wrote: |
| 45 |
> Hi there, |
| 46 |
> |
| 47 |
> I've been using Gentoo as my desktop platform for about 3 months now and |
| 48 |
> I really like it's power and flexibility. But I usually use Red Hat 7.3 |
| 49 |
> on our production servers as I really like the Red Hat Network up2date |
| 50 |
> functionality which automatically applies security patches without |
| 51 |
> needing human intervention. |
| 52 |
> |
| 53 |
> Basically, I am the sort of guy that wants to spend minimal time |
| 54 |
> maintaining production servers that are not cutting edge so that I can |
| 55 |
> concentrate my time on development work. |
| 56 |
> |
| 57 |
> But with Red Hat dropping Red Hat Network support for RH7.3, I am |
| 58 |
> seriously considering changing our server platform over to Gentoo. |
| 59 |
> |
| 60 |
> Our server requirements are not cutting edge; we only need Apache, PHP. |
| 61 |
> Perl and mySql (and maybe later some mail services). My question is: if |
| 62 |
> I move our server platform to Gentoo, is there an automated way of |
| 63 |
> applying security patches to the currently installed software that I can |
| 64 |
> "fire and forget" without fear of things breaking big time.? |
| 65 |
> |
| 66 |
> I know this question is not very focused, but I wanted to start a |
| 67 |
> discussion as to the best methods of automating security updates for |
| 68 |
> non-cutting edge Apache/MySQl/PHP servers using Gentoo. |
| 69 |
> |
| 70 |
> Thanks for your help! |
| 71 |
> |
| 72 |
> Andy |
| 73 |
> |
| 74 |
> PS. Is there a web-archive of this list that I can search? |
| 75 |
> |
Archives