Hi,

I want to raise an issue resulting from my experience so far in using
Gentoo as the basis of production systems. Some may ask why? - but
basically 'portage' seems to offer the very best framework for ongoing
maintenance/admin of systems, though it's not perfect in that role.

In essence, the continuous, easy upgrade capability of portage is great
for a development system and should be an excellent mechanism for
critical security (and other) upgrades in a production environment (and
it is).
The problems arise because of the continuous easy upgrades!! - the main
benefit is also the main problem.

I have just hit a real life hassle with a security upgrade. The history
of it goes like this:

[background]
The example system in trouble is an old P233, and used to be on the end
of a dialup link (it's now ADSL).
Gentoo has been installed for about 10 months and the last time it was
brought completely up to date was about 6 months ago (emerge rsync &&
emerge -u world)
[/background]


[creating a problem]

As you have guessed, I've just had some system problems - partly of my
own creation, but partly because of how Gentoo operates.

My real problem came from doing 'emerge rsync', and then just
(selectively) doing 'emerge -u openssl'

This installed 'openssl-0.9.7' and removed 'openssl-0.9.6' -
unfortunately lots of stuff on the system was compiled and linked
against 'openssl-0.9.6' and they promptly broke. I.e. a serious outage on a
production system.

There is a script designed to fix this called 'revdep-rebuild' which
scans all the installed binaries for broken dependencies and then
recompiles them, which should make them link against the nice new
'openssl-0.9.7'

except!!! - revdep-rebuild carefully tries to recompile the exact
versions of software you have installed (good idea) - but the Gentoo
central repository has since deleted some of the build scripts for these
older versions and when I did the 'emerge rsync', the scripts were also
removed from my system. So I ended up where I am now - I have to go
through and do 'emerge -u world' and then 'revdep-rebuild' to get it all
working... not nice when there are nearly 200 packages to
download/recompile on an old P233

[/creating a problem]


As you can see, I was intending to leave the installed set of packages
(and versions) alone. For this machine (and any production system), I
don't want to install each and every little patch as it comes along. The
machine is 'stable' - so I only want to apply upgrades on a very
selective, controlled, manual basis - but still use portage for the
package management.
This is a very common tactic for 'production' machines, where you want
the minimum number of changes to reduce your risks of outage.

The trap is that 'emerge rsync' removes old .ebuilds that your installed
machine may need if revdep-rebuild is to be able to recover things
after a critical library is rebuilt.
In the way portage works, the only time it is safe for 'emerge rsync' to
delete ebuilds is immediately after successfully doing 'emerge -u world'.


Is there a way to suppress the 'delete' part of rsync? Maybe a setting
in /etc/make.conf ?

That way, even though Gentoo may have removed the relevant (old) ebuild
I want, the target machine would have its local portage version for
future recompiles.... I can afford the disk space!!!


Regards
Ron OHara
PS: This is not a 'casual' problem for me - I've convinced a client to
use Gentoo for the basis of their deployments and the plan is supposed
to be for around 900 sites!! - catering for production software support
for the next decade is very relevant to things in this scenario.


--
gentoo-dev@g.o mailing list
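The trap described in the post above (installed versions whose exact ebuild is gone from the tree after 'emerge rsync', so revdep-rebuild has nothing to re-emerge) and the local copy the post asks for can both be scripted. What follows is an added example, not code from the original post, from portage, or from revdep-rebuild. It assumes the classic portage layouts: the installed-package database (normally /var/db/pkg) holds one directory per installed version as <cat>/<pkg>-<ver>/, and a tree (PORTDIR, or an overlay listed in PORTDIR_OVERLAY) holds <cat>/<pkg>/<pkg>-<ver>.ebuild with helper files under <cat>/<pkg>/files/. The fixture it runs against is constructed sample data, not a real system, and the function names (pkg_name, find_missing_ebuilds, preserve_ebuilds) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post or from portage itself.
# Assumed layouts (classic portage): $VDB/<cat>/<pkg>-<ver>/ per installed
# version; a tree holds <cat>/<pkg>/<pkg>-<ver>.ebuild plus <cat>/<pkg>/files/.

# Package name from "pkg-ver": the version starts at the first '-' that is
# followed by a digit (openssl-0.9.6 -> openssl, foo-bar-1.0-r1 -> foo-bar).
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[0-9].*$//'
}

# Print "cat/pkg-ver" for every installed version whose exact ebuild is in
# none of the trees given as $2... . revdep-rebuild cannot re-emerge these:
# this is the post-sync state the post describes.
find_missing_ebuilds() {
    vdb=$1; shift
    for dir in "$vdb"/*/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        pv=${dir##*/}                          # e.g. openssl-0.9.6
        category=${dir%/*}; category=${category##*/}   # e.g. dev-libs
        pn=$(pkg_name "$pv")
        found=no
        for tree in "$@"; do
            if [ -f "$tree/$category/$pn/$pv.ebuild" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s/%s\n' "$category" "$pv"
    done
    return 0
}

# Copy the ebuild (and files/, which carries the digest) of every installed
# version from the main tree $2 into the overlay $3. Run this BEFORE
# 'emerge rsync'; the main tree may then drop the ebuild, but portage still
# finds the local copy through PORTDIR_OVERLAY.
preserve_ebuilds() {
    vdb=$1; portdir=$2; overlay=$3
    for dir in "$vdb"/*/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        pv=${dir##*/}
        category=${dir%/*}; category=${category##*/}
        pn=$(pkg_name "$pv")
        src="$portdir/$category/$pn"
        [ -f "$src/$pv.ebuild" ] || continue   # already gone: nothing to save
        mkdir -p "$overlay/$category/$pn"
        cp "$src/$pv.ebuild" "$overlay/$category/$pn/"
        if [ -d "$src/files" ]; then
            mkdir -p "$overlay/$category/$pn/files"
            cp -R "$src/files/." "$overlay/$category/$pn/files/"
        fi
    done
    return 0
}

# Constructed fixture (sample data, not a real system): openssl-0.9.6 and
# gcc-3.2.3 installed, tree still carrying both ebuilds, i.e. pre-sync.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/vdb/dev-libs/openssl-0.9.6" "$root/vdb/sys-devel/gcc-3.2.3"
    mkdir -p "$root/portage/dev-libs/openssl/files" "$root/portage/sys-devel/gcc"
    : > "$root/portage/dev-libs/openssl/openssl-0.9.6.ebuild"
    : > "$root/portage/dev-libs/openssl/files/digest-openssl-0.9.6"
    : > "$root/portage/sys-devel/gcc/gcc-3.2.3.ebuild"
    printf '%s\n' "$root"
}

# Simulate the 'emerge rsync' that dropped openssl-0.9.6 and added 0.9.7.
simulate_sync() {
    rm -f "$1/portage/dev-libs/openssl/openssl-0.9.6.ebuild" \
          "$1/portage/dev-libs/openssl/files/digest-openssl-0.9.6"
    : > "$1/portage/dev-libs/openssl/openssl-0.9.7.ebuild"
}

# Walk the scenario: preserve, sync, then check with and without the overlay.
demo() {
    root=$(make_fixture)
    preserve_ebuilds "$root/vdb" "$root/portage" "$root/overlay"
    simulate_sync "$root"
    echo "missing in main tree:"
    find_missing_ebuilds "$root/vdb" "$root/portage"
    echo "missing with overlay:"
    find_missing_ebuilds "$root/vdb" "$root/portage" "$root/overlay"
    rm -rf "$root"
}

demo
```

On a real box the calls would be `preserve_ebuilds /var/db/pkg /usr/portage /usr/local/portage` before each `emerge rsync`, with `PORTDIR_OVERLAY="/usr/local/portage"` in /etc/make.conf so portage searches the copies, and `find_missing_ebuilds /var/db/pkg /usr/portage /usr/local/portage` after the sync as a pre-flight check before touching a library such as openssl. One caveat worth keeping in mind: an ebuild usually disappears from the tree because that version is obsolete or has a known problem, so a preserved copy only buys time to schedule the rebuild on your own terms; it is not a reason to stay on the old version indefinitely.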