Re: [gentoo-dev] Maintaining production systems - and losing ebuilds - gentoo-dev

From:	Ron OHara <rono@×××××××××××.au>
To:	Sami K M Naatanen <sami.naatanen@×××××××××××.fi>
Cc:	gentoo-dev@g.o
Subject:	Re: [gentoo-dev] Maintaining production systems - and losing ebuilds
Date:	Tue, 11 Nov 2003 21:20:00
Message-Id:	`3FB15269.7040000@sentuny.com.au`

1

In this case I dont want to make revdep-renuild ignore the version - I 

2

just need it to recompile the version of everything that has been 

3

installed.   In a production environment, I cant just 'upgrade' many 

4

versions of  software without regression testing of the applications in 

5

that environment.

6

I need to be able to apply security fixes (like the openssl library) and 

7

still have the installed set of software work.  One change at a time is 

8

crucial for production systems stability.

9

10

Ron

11

12

Sami K M Naatanen wrote:

13

14

>On Monday 10 November 2003 05:00, Ron OHara wrote:

15

>

16

>revdep-rebuild --help and you will see that you can set the revdep-rebuild to

17

>ignore the version. You might have problems getting the files, because wget

18

>depends from openssl (if you have ssl in your USE). But do emerge -fp wget

19

>and you get a bunch of URI's download every file and dump them in the

20

>/PORTDIR/distfiles/ emerge wget.

21

>

22

>revdep-rebuild with the version ignoring option. or you can

23

>first add -- -p to see what emerge would rebuild.

24

>

25

>If your portage version is too old (ie your version of revdep-rebuild doesn't

26

>support options) then do emerge -fp portage and download all of those files.

27

>

28

>You also could try to add link 0.9.6 to the 0.9.7 version of the ssl lib. This

29

>should work. Based on the fact, that it seems that the new openssl ebuild

30

>misses the link creation according to some people.

31

>

32

>

33

>

34

>>Hi,

35

>>

36

>>I want to raise an issue resulting from my experience so far in using

37

>>Gentoo as the basis of production systems. Some may ask why? - but

38

>>basically 'portage' seems to offer the very best framework for ongoing

39

>>maintenance/admin of systems, though it's not perfect in that role.

40

>>

41

>>In essence, the continuous, easy upgrade capability of portage is great

42

>>for a development system and should be an excellent mechanism for

43

>>critical security (and other) upgrades in a production environment (and

44

>>it is).

45

>>The problems arise because of the continuous easy upgrades!! - the main

46

>>benefit is also the main problem.

47

>>

48

>>I have just hit a real life hassle with a security upgrade. The history

49

>>of it goes like this:

50

>>

51

>>[background]

52

>>The example system in trouble is an old P233, and used to be on the end

53

>>of a dialup link (it's now ADSL).

54

>>Gentoo has been installed for about 10 months and the last time it was

55

>>brought completely up to date was about 6 months ago (emerge rsync &&

56

>>emerge -u world)

57

>>[/background]

58

>>

59

>>

60

>>[creating a problem]

61

>>

62

>>As you have guessed, I've just had some system problems - partly of my

63

>>own creation, but partly because of how Gentoo operates.

64

>>

65

>>My real problem came from doing 'emerge rsync', and then just

66

>>(selectively) doing 'emerge -u openssl'

67

>>

68

>>This installed 'openssl-0.9.7' and removed 'openssl-0.9.6' -

69

>>unfortunately lots of stuff on the system was compiled and linked

70

>>against 'openssl-0.9.6' and they promptly broke. IE. Serious outage on a

71

>>production system.

72

>>

73

>>There is a script designed to fix this called 'revdep-rebuild' which

74

>>scans all the installed binaries for broken dependencies and then

75

>>recompiles them which should make them link against the nice new

76

>>'openssl-0.9.7'

77

>>

78

>>except!!! - revdep-rebuild carefully tries to recompile the exact

79

>>versions of software you have installed (good idea) - but the Gentoo

80

>>central repository has since deleted some of the build scripts for these

81

>>older versions and when I did the 'emerge rsync', the scripts were also

82

>>removed from my system. So I ended up where I am now - I have to go

83

>>through and do 'emerge -u world' and then 'revdep-rebuild' to get it all

84

>>working... not nice when there are nearly 200 packages to

85

>>download/recompile on an old P233

86

>>

87

>>[/creating a problem]

88

>>

89

>>

90

>>

91

>>

92

>>As you can see, I was intending to leave the installed set of packages

93

>>(and versions) alone. For this machine (and any production system), I

94

>>dont want to install each and every little patch as it comes along. The

95

>>machine is 'stable' - so I only want to apply upgrades on a very

96

>>selective, controlled, manual basis - but still use portage for the

97

>>package management.

98

>>This is a very common tactic for 'production' machines, where you want

99

>>the minimum number of changes to reduce your risks of outage.

100

>>

101

>>The trap is that 'emerge rsync' removes old .ebuilds that your installed

102

>>machine may need if revdep-rebuild is to be able to recovery things

103

>>after a critical library is rebuilt.

104

>>In the way portage works, the only time it is safe for 'emerge rsync' to

105

>>delete ebuilds, is immediately after successfully doing 'emerge -u world'.

106

>>

107

>>

108

>>Is there a way to suppress the 'delete' part of  rsync? Maybe a setting

109

>>in /etc/make.conf ?

110

>>

111

>>That way, even though Gentoo may have removed the relevant (old) ebuild

112

>>I want, the target machine would have it's local portage version for

113

>>future recompiles.... I can afford the disk space!!!

114

>>

115

>>

116

>>

117

>>

118

>>Regards

119

>>Ron OHara

120

>>PS: This is not a 'casual' problem for me - I've convinced a client to

121

>>use Gentoo for the basis of their deployments and the plan is supposed

122

>>to be for around 900 sites!! - catering for production software support

123

>>for the next decade is very relevant to things in this scenario.

124

>>

125

>>

126

>

127

>

128

>

--

133

gentoo-dev@g.o mailing list

1	In this case I dont want to make revdep-renuild ignore the version - I
2	just need it to recompile the version of everything that has been
3	installed. In a production environment, I cant just 'upgrade' many
4	versions of software without regression testing of the applications in
5	that environment.
6	I need to be able to apply security fixes (like the openssl library) and
7	still have the installed set of software work. One change at a time is
8	crucial for production systems stability.
9
10	Ron
11
12	Sami K M Naatanen wrote:
13
14	>On Monday 10 November 2003 05:00, Ron OHara wrote:
15	>
16	>revdep-rebuild --help and you will see that you can set the revdep-rebuild to
17	>ignore the version. You might have problems getting the files, because wget
18	>depends from openssl (if you have ssl in your USE). But do emerge -fp wget
19	>and you get a bunch of URI's download every file and dump them in the
20	>/PORTDIR/distfiles/ emerge wget.
21	>
22	>revdep-rebuild with the version ignoring option. or you can
23	>first add -- -p to see what emerge would rebuild.
24	>
25	>If your portage version is too old (ie your version of revdep-rebuild doesn't
26	>support options) then do emerge -fp portage and download all of those files.
27	>
28	>You also could try to add link 0.9.6 to the 0.9.7 version of the ssl lib. This
29	>should work. Based on the fact, that it seems that the new openssl ebuild
30	>misses the link creation according to some people.
31	>
32	>
33	>
34	>>Hi,
35	>>
36	>>I want to raise an issue resulting from my experience so far in using
37	>>Gentoo as the basis of production systems. Some may ask why? - but
38	>>basically 'portage' seems to offer the very best framework for ongoing
39	>>maintenance/admin of systems, though it's not perfect in that role.
40	>>
41	>>In essence, the continuous, easy upgrade capability of portage is great
42	>>for a development system and should be an excellent mechanism for
43	>>critical security (and other) upgrades in a production environment (and
44	>>it is).
45	>>The problems arise because of the continuous easy upgrades!! - the main
46	>>benefit is also the main problem.
47	>>
48	>>I have just hit a real life hassle with a security upgrade. The history
49	>>of it goes like this:
50	>>
51	>>[background]
52	>>The example system in trouble is an old P233, and used to be on the end
53	>>of a dialup link (it's now ADSL).
54	>>Gentoo has been installed for about 10 months and the last time it was
55	>>brought completely up to date was about 6 months ago (emerge rsync &&
56	>>emerge -u world)
57	>>[/background]
58	>>
59	>>
60	>>[creating a problem]
61	>>
62	>>As you have guessed, I've just had some system problems - partly of my
63	>>own creation, but partly because of how Gentoo operates.
64	>>
65	>>My real problem came from doing 'emerge rsync', and then just
66	>>(selectively) doing 'emerge -u openssl'
67	>>
68	>>This installed 'openssl-0.9.7' and removed 'openssl-0.9.6' -
69	>>unfortunately lots of stuff on the system was compiled and linked
70	>>against 'openssl-0.9.6' and they promptly broke. IE. Serious outage on a
71	>>production system.
72	>>
73	>>There is a script designed to fix this called 'revdep-rebuild' which
74	>>scans all the installed binaries for broken dependencies and then
75	>>recompiles them which should make them link against the nice new
76	>>'openssl-0.9.7'
77	>>
78	>>except!!! - revdep-rebuild carefully tries to recompile the exact
79	>>versions of software you have installed (good idea) - but the Gentoo
80	>>central repository has since deleted some of the build scripts for these
81	>>older versions and when I did the 'emerge rsync', the scripts were also
82	>>removed from my system. So I ended up where I am now - I have to go
83	>>through and do 'emerge -u world' and then 'revdep-rebuild' to get it all
84	>>working... not nice when there are nearly 200 packages to
85	>>download/recompile on an old P233
86	>>
87	>>[/creating a problem]
88	>>
89	>>
90	>>
91	>>
92	>>As you can see, I was intending to leave the installed set of packages
93	>>(and versions) alone. For this machine (and any production system), I
94	>>dont want to install each and every little patch as it comes along. The
95	>>machine is 'stable' - so I only want to apply upgrades on a very
96	>>selective, controlled, manual basis - but still use portage for the
97	>>package management.
98	>>This is a very common tactic for 'production' machines, where you want
99	>>the minimum number of changes to reduce your risks of outage.
100	>>
101	>>The trap is that 'emerge rsync' removes old .ebuilds that your installed
102	>>machine may need if revdep-rebuild is to be able to recovery things
103	>>after a critical library is rebuilt.
104	>>In the way portage works, the only time it is safe for 'emerge rsync' to
105	>>delete ebuilds, is immediately after successfully doing 'emerge -u world'.
106	>>
107	>>
108	>>Is there a way to suppress the 'delete' part of rsync? Maybe a setting
109	>>in /etc/make.conf ?
110	>>
111	>>That way, even though Gentoo may have removed the relevant (old) ebuild
112	>>I want, the target machine would have it's local portage version for
113	>>future recompiles.... I can afford the disk space!!!
114	>>
115	>>
116	>>
117	>>
118	>>Regards
119	>>Ron OHara
120	>>PS: This is not a 'casual' problem for me - I've convinced a client to
121	>>use Gentoo for the basis of their deployments and the plan is supposed
122	>>to be for around 900 sites!! - catering for production software support
123	>>for the next decade is very relevant to things in this scenario.
124	>>
125	>>
126	>
127	>
128	>
129
130
131
132	--
133	gentoo-dev@g.o mailing list

Gentoo Archives: gentoo-dev