# Gentoo being used as production server

## Messiah

Hi all,

I am working for an Internet Service Provider (http://www.qweb.nl) in the Netherlands, and have installed Gentoo on one of our servers that is being used as a production server. We are using the following services:

- apache + mod_ssl + mod_perl + mod_php

- ssh

- mysql

- qmail + courier-imap + vpopmail + qmailadmin + ezmlm-idx

- proftpd

- bind

- gShield as firewall

- awstats for website statistics

[edit]

- webmin

How can I forget that one?

[/edit]

This is almost everything I need at all times. I have set it up and it is running perfectly right now. Tomorrow I updated db, and MySQL stopped working. So I wanted to update MySQL too, and saw that it didn't compile, complaining about the version of db (it said I don't recognise version 3.2.9, use 3.2.9a or 3.2.3h). So I had to downgrade to 3.2.3h, and of course, that made me start to think.

I haven't tested Gentoo with these services too well, my fault. First I need to test and then implement. But hey, nobody is perfect, and I like Gentoo really.

I saw a post of klieber saying he wouldn't use Gentoo in a production environment.

My questions:

- Is it really that a bad idea to install Gentoo on a production environment? Why?

- What are the things I should watch for? I mean, I do have some configurations and changes to ebuild files, and I am tracking them, and doing the same things when upgrading and so on. But what more?

- Why was MySQL broken by the update of db? I mean, the person who is responsible for the db ebuild files, didn't he check it? Wasn't he aware? Is it likely to happen often? Is it likely to happen on other packages also? Are these guys testing it or should I test it before? (I know the safest thing to do is to test first, but that is a lot of work man  :Sad:  ).

Thanks in advance.

Last edited by Messiah on Thu Jul 04, 2002 10:06 pm; edited 1 time in total

----------

## Scandium

*Quote:*

> My questions:
> 
> - Is it really that a bad idea to install Gentoo on a production environment? Why?
> ...


The problem is that there are no branches like stable/testing/unstable like in Debian, and furthermore "versions" don't really exist in Gentoo.

So, to be safe, you have to install your system and never update again because gentoo currently is bleeding edge all the time and has no stable branch (I hope that gentoo will be divided into stable/unstable some time, but stable as stable and not as old [like debian does]).

Every update could break your system - that's the problem (which can't happen with SuSE, RedHat, Mandrake... because they only have "big" versions and in the meantime they only supply security updates etc., and don't update every package constantly because it's not in the distribution's nature like in Gentoo and Debian).

 *Quote:*   

> Thanks in advance.

 

I could only answer the first question, but I hope it helps you.

----------

## cyc

you should just be conservative with updates. don't do an emerge -u world every week. do emerge -pu world, look at what you're in need of (because of security reasons or feature additions) and then choose your updates. perhaps test them on a local machine

----------

## Scandium

on the other hand, if a security hole gets known do emerge --clean rsync and emerge the package (for example openssh *grin*) only.

The problem with this one is that you need to look for yourself what has security bugs etc., so this isn't a good idea if you don't have too much time  :Smile: 

Last edited by Scandium on Thu Jul 04, 2002 9:55 pm; edited 1 time in total

----------

## Messiah

I do know what packages have security issues (mostly) because I also administer 1 RedHat server and three Mandrake Linux servers, along with some Cobalt servers. I update them too, and get some posts from lists. So that is a good option.

But someone sometime stated that one needs to do emerge -u world often, otherwise things get broken. Now I don't know who said this and when (I think it was on this forum tho), but is this true? Is it more likely that things get broken when I do less emerge -u world?

Please, don't make me say that I made a wrong choice. I have put plenty of time into it to run the way I want  :Wink: 

(PS Of course, if I did make a mistake it's better to stop now than to stop later, because in a couple of weeks I need to install another server and I am considering installing Gentoo on that one too)

----------

## cyc

yes perhaps we need some kinda importance-level for ports. or freshports service   :Wink: 

----------

## trapni

 *Messiah wrote:*   

> - Is it really that a bad idea to install Gentoo on a production environment? Why?

No, not really, or let's say it's just been klieber's choice. Not mine  :Smile: 

I'm using Gentoo in production in two places and it really works fine (except one or two things, not more  :Wink:  )

I was previously using SuSE Linux 7.2 on all servers (and clients) but I feel really more happy with Gentoo. So why not use it?

 *Messiah wrote:*   

> But someone sometime stated that one needs to do emerge -u world often, otherwise things get broken. Now I don't know who said this and when (I think it was on this forum tho), but is this true? Is it more likely that things get broken when I do less emerge -u world?

Well, I just think that this user wasn't guru enough to set it up right  :Wink:  I really haven't had such problems until now  :Razz: 

Regards,

Christian Parpart.

Last edited by trapni on Thu Jul 04, 2002 2:18 pm; edited 1 time in total

----------

## cyc

exactly my background

----------

## Nitro

*Messiah wrote:*

> I saw a post of klieber saying he wouldn't use Gentoo in a production environment.


I think klieber might be leaning the other way now.  What if I told you www.gentoo.org and forums.gentoo.org are running Gentoo?

 *Messiah wrote:*   

> My questions:
> 
> - Is it really that a bad idea to install Gentoo on a production environment? Why?

 

The bottom line is: don't do an emerge -u world.  Plain and simple. Every package that I update on the forums server I've messed with at home on my workstation for at least a few days.  After you compile something, it isn't going to break magically (usually it doesn't...), only updating will hurt you.

*Messiah wrote:*

> - What are the things I should watch for? I mean, I do have some configurations and changes to ebuild files, and I am tracking them, and doing the same things when upgrading and so on. But what more?

I put together a custom ebuild for apache and php (ie server/server-apache) on the forums server and my other servers. I created a new category called server, emerge rsync doesn't touch them, and I watch the revisions on the standard ebuilds for bugs and what not.

Just make sure you back up your customized ebuilds.  

 *Messiah wrote:*   

> - Why was MySQL broken by the update of db? I mean, the person who is responsible for the db ebuild files, didn't he check it? Wasn't he aware? Is it likely to happen often? Is it likely to happen on other packages also? Are  these guys testing it or should I test it before? (I know the safest thing to do is to test first, but that is a lot of work man  ).

 

The broken MySQL revision is an example of having different libs installed. Donny Davies (woodchip) maintains a few of the major networking/server ebuilds, MySQL being one. I assume that he had the old library installed and didn't notice the bug. It is really hard to avoid stuff like this in a "live" distro. The developers are focusing on QA (quality assurance) checks and tools that will be our first line of defense against bugs like these.

As mentioned above, I follow bugzilla reports ( bugs.gentoo.org ), the mailing lists, the forums, and general chat. My first test is always "does it work on my box?" The box that I use for everyday use is a P4 so it compiles fairly fast; I like to compile, eat {lunch,breakfast,snack}, check the new ebuild.

If you have more questions or requests, I would be more than glad to help you with them.

----------

## Messiah

Well Nitro you da man.

Now I do know I made the right choice. Partly because I like fiddling around with software, partly because I love Gentoo so much. Besides, I got broken software so many times on my Mandrake Linux servers after updates too (especially apache, php and mysql updates), so what the heck, I will be careful. I think I'm gonna install some test-server like thing, and first test things on that one before I upgrade all other machines that will be running Gentoo Linux in the future.

----------

## metalhedd

I'd just like to strengthen the idea that there should be a stable branch of gentoo. the best way to implement it would probably be a separate rsync server, where the ebuilds are only updated when the newer software is proven stable and secure. that way it's still safe to do a world update without (too many) worries.

wouldn't be as bleeding edge, but it'd be great for people who love gentoo and want to run it in a production environment.

----------

## trapni

that's why packages get masked.

And even if you'd prefer to divide here anyway, I'd prefer to add a special option to the /etc/make.conf like USE="beta-packages" or something like that  :Wink: 

----------

## ismark

all your packages from "emerge"? and your qmail + vpopmail working fine?

I have emerged "qmail" and "vpopmail"; when using "checkpassword" it works fine, but when using "vchkpw" it fails...  :Sad: 

 *Messiah wrote:*   

> Hi all,
> 
> I am working for an Internet Service Provider (http://www.qweb.nl) at the Netherlands, and have installed Gentoo on one of our servers that is being used as a production server. We are using the following services:
> 
> - apache + mod_ssl + mod_perl + mod_php
> ...

 

----------

## pilla

If you're careful about your updates, I think Gentoo is great also for production environments. You can have more than one version of the same package, therefore less chance of screwing everything up. IMHO it's more a question of knowing what you do and really knowing portage. 

Of course, it would be easier if you have a stable/unstable branch, but I like the bleeding edge.... I hate waiting for packages that never come.

Hey, I consider my notebook a production environment (if it does not work, I'm  in a really bad situation).  :Twisted Evil: 

----------

## ryker

 *ismark wrote:*   

> all your packages from "emerge"? and your qmail + vpopmail working fine?
> 
> I have emerged "qmail" and "vpopmail"; when using "checkpassword" it works fine, but when using "vchkpw" it fails...

If you're having trouble with qmail and vpopmail try this thread.

As for the topic of this thread ....

I have a Gentoo production server set up and it works great.

----------

## splooge

I love Gentoo.

It's my personal preference of any Linux distribution.  I run it at home.  Bleeding edge rules.

That being said, would I want to install and maintain it across our 1800 servers?  No freaking way.  I have a hard enough time keeping my home system up to date, no way I'm gonna attempt this with 1800 servers  :Exclamation: 

----------

## frilled

I'm using it in a time-critical production environment on four servers and a couple of workstations (of course  :Very Happy:  ). We're quite close to bleeding edge (emerge sync is cron'ed to run before I come in so I can have a look what's new).

Once in a while even packages marked "stable" do break, that is why I test critical updates on my machine and a designated, non-productive test server first.

In my eyes, Gentoo is the best thing that ever happened to Linux. I was so sick of not being able to update SuSE the way I wanted to that I almost lost all interest in Linux. But now my faith is restored  :Wink: 

The only sorry thing is that sometimes you're standing at a closed(-source) door. Like I haven't gotten Compaq's (HP nowadays  :Evil or Very Mad:  ) crappy Insight management agents to work on our ProLiants yet. It barfs horribly when I try, and of course there is as little documentation as there is source code. But hey, you can't have it all!

----------

## tuxmin

Just my two cents...

Gentoo comes in handy when you have well defined specifications about your setup. These days I had to install a LAMP system (yes, for a production environment with an estimated traffic of 60GB per day and several hundred simultaneous online users). The setup involves 5 IBM x345, one acting as ReverseProxy, two backend webservers and two machines as DB servers running mySQL in master and slave mode.

The specifications demanded apache-1.3, mysql-3.23, php-4.3 and several other things like webalizer, ssh, rsync, imagemagick etc., all versions well defined!

So I started looking at Debian/woody which had apache and mysql in the right version, but php and imagemagick didn't fit  :Sad:  so I tried Debian/testing: now mysql wouldn't fit  :Sad: , I checked RedHat -- the same problem... well, to put it short, no distro would fit these specs...

Compiling all this stuff by hand was no option. I had done this before and it's a pain in the ass to resolve all these dependencies manually.

After having some good experience with Gentoo running on two of our firewalls, I remembered that slogan: Gentoo is everything about choice! And that's what it is. I defined all my specs in /etc/portage/package.mask and /etc/make.conf, did "emerge mod_php", came back two hours later and had exactly the system I needed! And now, 3 months later it has proven to run rock stable even under high load.

I use Gentoo on my desktop as well and yes, from time to time an ebuild fails, but I never had any serious system crash.

In my opinion you have to take it literally that Gentoo is everything about choice. But this also implies that within this freedom of choice you really need to know what you want! And you need experience to evaluate the risks of deciding to choose this or that version of a package.

Regards, Alex!!!

----------

## Hazzl

I don't understand all this talk about Gentoo not having testing/stable branches. Isn't this what the ARCH/~ARCH keywords are for? As far as I see it, ~ARCH corresponds to Debian's testing-branch. Hard masked packages correspond to unstable and ARCH corresponds to stable.

Of course, us being Gentooists, we move all new packages into testing by default and only hard-mask ebuilds with known problems, whereas Debian lets them start off in unstable.   :Wink: 

If you only want to update security related packages, can't you just do a glsa-check every day (or hasn't this functionality been implemented yet?)

----------

## ryker

I have glsa-check --fix all in a nightly cron and I haven't had any problems at all on my production server.

----------

## splooge

 *Hazzl wrote:*   

> I don't understand all this talk about Gentoo not having testing/stable branches. Isn't this what the ARCH/~ARCH keywords are for? As far as I see it, ~ARCH corresponds to Debian's testing-branch. Hard masked packages correspond to unstable and ARCH corresponds to stable.

 

Don't forget about the most important test of all:  The test of time.  Bleeding edge is a lot of fun, but the test of time is still an important factor.

----------

## F.Ultra

I think we Linux people should relax sometimes; hey, look at those poor people who run Windows on production machines (heck, I have to), that is like running everything on ~x86

----------

## kands

I manage the IT infrastructure for a medium sized software development / Internet company. We are moving away from Redhat to Gentoo for all of our production Linux servers. As mentioned previously, you have to be careful of what updates go into the system and what files you change with etc-update.  

I've used several distros and I find the ease of management and administration of Gentoo to outweigh the problems we faced with other distros. Every distro has pros and cons... Gentoo (for us) just has a better ratio between the two.  

If in doubt of an update we test carefully (which one should always do prior to moving something into a production environment).

----------

## ryker

 *kands wrote:*   

> I manage the IT infrastructure for a medium sized software development / Internet company. We are moving away from Redhat to Gentoo for all of our production Linux servers. As mentioned previously, you have to be careful of what updates go into the system and what files you change with etc-update.  
> 
> I've used several distros and I find the ease of management and administration of Gentoo to outweigh the problems we faced with other distros. Every distro has pros and cons... Gentoo (for us) just has a better ratio between the two.  
> 
> If in doubt of an update we test carefully (which one should always do prior to moving something into a production environment).

 

I think this quote says it all. I completely agree. You just have to be careful. I, too, have been burned doing both an emerge -u world and etc-update, but only on my home computer. On my production server, I would never just blindly do an emerge -u world.

You should:

```
emerge sync
glsa-check --fix all
emerge -upv world
#   Test the packages that show up on another machine first.
#   Check the forums and bugzilla for potential problems your testing might have missed.
#   Cautiously update one at a time the packages you need.
etc-update
#   (be very very careful)
```

I know people have claimed 'glsa-check --fix all' can bork your system, but I have used it nightly in a cron job for at least 6 months and haven't had a problem.
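As an added example (not code from ryker or anyone else in this thread), here is a small POSIX sh helper that turns the "emerge -upv world" step above into an explicit review list: it keeps only real version upgrades and flags the packages on an assumed site-specific critical list (db, MySQL, apache, after the db/MySQL breakage that started this thread) for the test server first. The emerge output inside it is constructed sample text in emerge's "[ebuild ...]" line format, not output from a real sync, and the package versions are illustrative.

```shell
#!/bin/sh
# Added example, not code from this thread: turn "emerge -upv world" output
# into a review list, so the "test on another machine first, then update
# one package at a time" routine starts from an explicit list rather than
# a blind "emerge -u world".
# PRETEND is CONSTRUCTED sample text in emerge's "[ebuild ...]" line format;
# the package names and versions are illustrative, not a real sync.
PRETEND='Calculating world dependencies ...done!
[ebuild     U ] sys-libs/db-3.2.9 [3.2.3h]
[ebuild     U ] dev-db/mysql-3.23.51 [3.23.49]
[ebuild   R   ] net-www/apache-1.3.26 +ssl +perl
[ebuild  N    ] app-admin/webmin-0.990
[ebuild     U ] net-ftp/proftpd-1.2.5 [1.2.4]'

# Packages this site treats as critical (an assumed list for the example;
# db and MySQL are the pair whose upgrade broke in the first post).
CRITICAL='sys-libs/db dev-db/mysql net-www/apache'

# pending_upgrades: read emerge -p output on stdin and print one line per
# version upgrade (status U) as "<category/pkg> <new-version> <old-version>".
# Rebuilds (R) and new packages (N) are deliberately left out.
pending_upgrades() {
    awk '$1 == "[ebuild" && $2 == "U" {
            atom = $4
            old = substr($5, 2, length($5) - 2)        # drop the [ ]
            match(atom, /-[0-9]/)                      # version starts at -<digit>
            print substr(atom, 1, RSTART - 1), substr(atom, RSTART + 1), old
        }'
}

# is_critical <category/pkg>: succeed when the package is on the critical list.
is_critical() {
    for c in $CRITICAL; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# review_plan: print the plan an admin would read before touching the box.
# Critical packages go to the test server first; the rest are staged one at
# a time. Nothing is executed here.
review_plan() {
    pending_upgrades | while read -r pkg new old; do
        if is_critical "$pkg"; then
            echo "TEST-FIRST $pkg $old -> $new  (emerge -pv =$pkg-$new on the test server)"
        else
            echo "STAGE      $pkg $old -> $new  (emerge =$pkg-$new, then check etc-update)"
        fi
    done
}

printf '%s\n' "$PRETEND" | review_plan
```

On a real box, replace the PRETEND text with the live output of "emerge -upv world" and extend CRITICAL with whatever your site cannot afford to have break.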

----------

