# Gentoo on a production box?

## idoru

Hello,

I'd like to ask if it is a good idea to put Gentoo on a production server.

I'm using Slackware (over a year on a server) and Gentoo (6 months on my workstation) - now I'm building a new box to replace my old one and I'm wondering what distro to install...

Is anybody here using gentoo on heavily loaded web/database server? Is it stable/secure enough? (by "secure" I mean things in portage - of course, I'll make my own fw/grsec+tweaked kernel/chroot/etc setup)

The main disadvantages I see are:

slackware: new release = old release is discontinued - can be dangerous to install new packages

gentoo: any bug in portage can destroy the installation - it already happened on my workstation

----------

## Forse

Well I dunno... I am running Gentoo on my server (Apache2/MySQL/ProFTPD/IRCd) and I have no problems. I guess it all depends on how secure you need your server to be. With a heavily loaded server, compiling might be a problem. If you compile something like MySQL it might slow down your system a LOT (I can tell from my own experience).

Give it a try... (In your place I would consider sticking with Slackware.)

----------

## Hellfire

I use Gentoo on about 6 "production" servers, from MySQL to BIND, and I'm absolutely confident in them. Although the first 2 (BIND) are going to get rebuilt shortly with the 1.4_rc2 ISO; I don't fancy the gcc conversion on a live box.

On a production server you would never just merge/update files without explicitly knowing what they're going to do, so the recent Portage problem would be irrelevant. Compile time will cut into a server's capability, but if it hurts performance *that* much you probably need a slightly bigger box.

In general I don't favor binary packages for any production server; it's just too hard to know beyond a shadow of a doubt how they are being built/installed. Whereas a quick check of the .ebuild, or even your own homegrown overlay, gives you precise control over what you get.

Go with your gut, but for my .02 you can't go wrong with Gentoo.

-h

Last edited by Hellfire on Wed Feb 19, 2003 10:51 pm; edited 1 time in total

----------

## pjp

The power of Gentoo also allows you to hang yourself.  You should emerge nothing on a critical system without testing it first.
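Hellfire's rule above (never merge without knowing exactly what will change) and pjp's (emerge nothing on a critical box that has not been tested first) can be made mechanical. The following is an added example, not code from this thread or from Portage: it takes the output of `emerge --pretend`, extracts the package atoms that would be merged, and refuses to go ahead unless each one appears in a list of atoms already merged and tested on a staging box. The sample `emerge -p` lines and the `/root/tested-merges` path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Gate a production merge on what was
# tested elsewhere: feed `emerge --pretend ...` output through merge_list,
# then check_approved against a file of package atoms that were merged and
# tested on a staging box. The sample lines and /root/tested-merges are
# constructed for this example.

# Extract "category/pkg-version" from emerge --pretend lines such as
#   [ebuild     U ] net-www/apache-2.0.44 [2.0.40]
#   [ebuild  N    ] dev-libs/expat-1.95.5
# Lines that are not [ebuild ...] lines (headers, blockers) are dropped.
merge_list() {
    sed -n 's/^\[ebuild[^]]*] *\([^ ]*\).*/\1/p'
}

# Read package atoms on stdin and compare them with the approved list in $1
# (one atom per line, exact match). Prints every atom that was never tested
# and returns 1 if there was at least one, so it can gate the real merge.
check_approved() {
    approved="$1"
    rc=0
    while read -r pkg; do
        [ -n "$pkg" ] || continue
        if grep -qx "$pkg" "$approved"; then
            echo "tested:     $pkg"
        else
            echo "NOT TESTED: $pkg"
            rc=1
        fi
    done
    return $rc
}

# Typical use on the production box, run by hand rather than from cron:
#   emerge --pretend --update world | merge_list \
#       | check_approved /root/tested-merges && emerge --update world
```

The approved list is just the atoms you appended after each successful test merge; a version bump on the staging box therefore has to be repeated there before the same line will match on production, which is exactly the discipline kashani describes.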

----------

## kashani

*idoru wrote:*

> The main disadvantages I see are:
>
> slackware: new release = old release is discontinued - can be dangerous to install new packages
> ...

Gentoo gives you the power to change more often, so people do. Often there are stiff lessons to learn when you've gotten used to running Gentoo as a workstation. It all comes down to a test environment... with any distro. Make sure your stuff works and then never touch it unless it's a bug fix, and then only after you've done the same on your test environment. I've got a small shop set up on four v1.2 boxes and other than a few packages I don't really mess with it.

kashani

----------

## keifir

Are you guys actually putting gcc on your production boxen?

That's kinda risky from the security point of view in itself: if it's broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server myself).

I just thought I'd mention this, and I'm actually curious what you think of it.

keifir

----------

## Forse

*keifir wrote:*

> Are you guys actually putting gcc on your production boxen?
>
> That's kinda risky from the security point of view in itself: if it's broken into, anyone can compile their stuff on it. At least that's what I read on the net (no actual experience setting up a prod server myself).
>
> I just thought I'd mention this, and I'm actually curious what you think of it.
> ...

Well, if you don't put gcc on the box, users could still upload their own compiled programs or install gcc in their home dir. If gcc is needed on the server box I would set permissions so that only root can access gcc. Having gcc on the box isn't a real problem.
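Forse's suggestion of leaving the compiler installed but making it root-only is easy to check and easy to let slip after an `emerge` replaces the binaries. The script below is an added example, not code from this thread: it reports any compiler front-end in a directory that is executable by everyone, and locks the ones it finds down to mode 0700 owned by root. The list of binary names and the directory are assumptions; on Gentoo `/usr/bin/gcc` is a gcc-config symlink, and `chmod` follows it, so the real binary in the gcc-bin directory is what gets restricted.

```shell
#!/bin/sh
# Added example, not from the thread. Make Forse's "only root can access gcc"
# checkable: report compiler front-ends that anyone on the box can execute,
# and restrict them to root. COMPILERS and the directory are assumptions;
# cc1/as/ld matter as much as gcc itself, since an intruder can drive them
# directly. chmod follows symlinks, so on Gentoo the gcc-config target is
# what actually gets its mode changed.

COMPILERS="gcc cc c++ g++ cpp as ld"

# Print one line per compiler found in directory $1, flagged WORLD-EXEC when
# the 'other' execute bit is set on the (symlink-resolved) file.
# Returns 1 if at least one such file was found, 0 otherwise.
audit_compilers() {
    bindir="$1"
    rc=0
    for c in $COMPILERS; do
        p="$bindir/$c"
        [ -f "$p" ] || continue
        # -L resolves symlinks; -perm -001 matches if o+x is set
        if [ -n "$(find -L "$p" -perm -001 -print)" ]; then
            echo "WORLD-EXEC $p"
            rc=1
        else
            echo "ok         $p"
        fi
    done
    return $rc
}

# Restrict the same files to root only (0700). chown needs root; when the
# script is tried as a normal user it is skipped and only the mode changes.
lock_compilers() {
    bindir="$1"
    for c in $COMPILERS; do
        p="$bindir/$c"
        [ -f "$p" ] || continue
        chown root:root "$p" 2>/dev/null || true
        chmod 0700 "$p"
    done
}

# Typical use after every toolchain merge, since emerge re-creates the files:
#   audit_compilers /usr/bin || lock_compilers /usr/bin
```

If builds are done by a dedicated account rather than root, use a build group and 0750 instead of 0700; the audit only looks at the 'other' bits, so it still passes. As bagu notes further down, this stops a casual intruder from compiling on the box, not from uploading a binary, which is what idoru's trusted path execution is for.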

----------

## idoru

ad hardware:

it's

P4 1.8GHz

Asus P4T533-C

4x512MB ECC RDRAM PC800-40

1x Seagate Cheetah 18.4GB / 15K RPM

2x Seagate Barracuda 9GB / 7.2K RPM

and it's replacing some old PII 450 / 512MB RAM...so, for some time, compilations won't be a problem

ad security / gcc etc.

I'm using trusted path execution from grsecurity, so nobody can run their compiled/uploaded binaries.

.............

I'm kinda scared of Gentoo's rc-scripts... I'm used to Slackware's (imho the best rc-scripts I have ever seen)... but I'll probably give it a try... yet, I'd have to learn a LOT of new things :)

To replicate my setup on a different distro... ehm... that will be quite fun... 2 apaches (one as a proxy, one as an application server - both chrooted (each in its own dir)), chrooted mysql+innodb with a raw data partition, complete ACL via grsecurity... and with WOLK as a kernel... yeah... I will try to call it "fun" :)

----------

## Forse

Well, your hardware setup sounds ok... By the way, if you like your daemons chrooted to their own dirs, then give SoL (Server Optimized Linux) a try. It has

```
/server
```

a directory where all the daemons live; apache, for example, is in

```
/server/apache
```

and all the daemons are chrooted to their dirs.

SoL's newest release is in beta stage; as a member of the beta team I can say that it looks *VERY* promising. OK, my idea wasn't to advertise, but give it a try. I recommend waiting for the beta to go stable.

Homepage: www.sol-linux.com

----------

## bagu

There is nothing security-wise to object to in having a compiler on your system. Removing everything remotely risky from a server will render it unusable.

Solaris, for example, does not have a compiler installed by default, but as already pointed out, this offers no added security since attackers upload binaries instead.

Also, my experience is that many attacks can be exploited via shell scripts. Still other security issues appear because of bad configuration and unwise permissions (for example world-writable config files).

Security is a lot like alchemy: you will probably never get it exactly right, but the right ingredients and procedures can get you pretty close..

Hmm.. I'm getting Confucius-like on your ass.. I guess my age is finally showing =)

Regards,

bagu

----------

## Dalrain

We've been using Gentoo on one of our production servers at work without problems so far, though the point brought up earlier by kanuslupus about testing is very, very, very true. I'll even take it a step further and say if you need perfect uptime on everything, you might do better with another distro. I love Gentoo and its setup, but it is -far- too easy to break things across upgrades, IMHO. (Though a really experienced admin shouldn't get too tripped up by these; it's your funeral.)

Also, if you're really using it for some power stuff, version incompatibilities might arise with homegrown tools you're working with, making a patched rather than upgraded system more desirable.

----------

## Sven Vermeulen

We're not using Gentoo on production systems. There are several reasons for that.

One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.

Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).

Third is that Gentoo can't assure secure updating yet (there have been numerous threads on this subject, so I know this is gonna change).

----------

## Sasun

*Sven Vermeulen wrote:*

> We're not using Gentoo on production systems. There are several reasons for that.
>
> One of them is that Gentoo isn't proven enough on servers. It's a relatively new distribution, and normal servers are just coming up.
>
> Second is that even Gentoo stable still requires a reasonable amount of updates because it places several tools far too fast in stable (not that the tools aren't stable, but from a security POV I'd rather only have security updates, which I know is going to happen in the not-so-far future).
> ...

You are right.

I am using Gentoo on a production server, and it is working fine.

But I should have chosen debian. 

It takes too much time to maintain and update gentoo.

----------

## upnix

A problem I have with Gentoo on servers is how security updates are dealt with.

Whenever something has a vulnerability, the solution is to upgrade to the newest version of said software. For me, this doesn't cut it, because the software I'm upgrading to will likely come with new functionality, introduce new bugs, and generally not behave in a similar fashion to the old one.

(coming from BSD land) If there's a vulnerability in some software, say OpenSSL, a -patch- should be released fixing the bug in your current version of software. This ensures that all the functionality and behaviour of OpenSSL remains the same so that my once stable box can remain that way.

If I wanted to stir things up even more, I'd mention how I think the reason this isn't done is because the Gentoo "developers" only seem to make ebuilds, and the occasional Python program.

----------

