luckylinux n00b
Joined: 17 Mar 2012 Posts: 48
Posted: Sun Mar 25, 2018 9:21 am Post subject: How to manage multiple Gentoo installations
Hello,
Maybe the question is quite common (probably it is), but I wonder how "experienced" users manage multiple Gentoo installations?
I have about 15 Gentoo installations, which I group in "profiles" for which I build binary packages:
- Minimal: DNS server, distcc host, crossdev, ...
- Server: NAS, other kinds of servers requiring Apache/PHP/...
- Desktop
At the moment I'm using FEATURES="buildpkg distcc distcc-pump" whenever I run an update on a host. Therefore the next time other hosts having the same profile get updated, they can simply install the binary packages. USE flags are common amongst packages and CFLAGS/CXXFLAGS are set to the lowest common setting (currently Intel Sandy Bridge, but I set a generic x86-64 profile, CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe").
Packages are shared using NFS from the NAS and mounted on each client at /usr/portage/distfiles and /usr/portage/packages.
Next steps I plan on implementing:
- Implement "chattr +i" on /usr/portage/distfiles and /usr/portage/packages so that if NFS cannot be mounted I won't have each host compiling packages in its own corner without being able to tell. I should have done this already; so much time and disk space wasted.
- Use Salt/SaltStack to manage and distribute configuration files. Due to the common settings amongst the above-mentioned "profiles", all files in /etc/portage and other files such as /etc/genkernel.conf should be in sync. At the moment I'm doing this by hand.
- Distribute a binary kernel to each host. Again this makes sense since all hosts have basically the same configuration and no specific driver requirements. All Gentoo installations (except Desktop) currently reside on ESXi. I should probably just tar /boot/{linux,initrd,System.map} as well as /lib/modules/linux{version}, .config and /etc/genkernel.conf and append some requirements to the ebuild (such as gentoo-sources, linux-firmware, ...).
However, I wonder how you guys manage multiple Gentoo installations concerning the updates, mainly the security updates. I currently use Royal TS on Windows and after compiling on one machine, I just send the same command to all others automatically. Probably the same can be done from a Bash shell, I'm not sure. This works very well when things go OK. But when things go south, I quickly lose a few hours trying to debug which package is creating issues and why.
I read on the wiki that there are some scripts for "automatic" updates which are *highly discouraged*. If using these is highly discouraged, then what do you use and how do you implement it, at least for security updates?
- You run glsa-check and automatically install updates
- You subscribe to the gentoo-announce mailing list for security updates, then perform the updates automatically
Furthermore, can you keep the list of installed packages in sync between the different machines? I would like to have the machines installed with identical packages. This includes the troublesome emerge --depclean at the end of the update. How do you perform that? My idea was to create a custom ebuild like desktop-package-list where I add lots of DEPEND and RDEPEND items for each package I want installed. This way I could also "enforce" the removal of a package I don't want anymore. I just wanted to know if there was a more elegant way to do it.
I hope somebody can shed a bit more light on this.
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Mon Mar 26, 2018 10:16 pm Post subject:
Quote:
Furthermore, can you keep the list of installed packages in sync between the different machines?

luckylinux: If you want the same packages installed on your machines, turn your attention to the file '/var/lib/portage/world' and synchronize it between your machines.
If you have two machines with the same USE flags, the same profile, an identical file '/var/lib/portage/world' and similar emerge environments, they will probably have the same packages installed AFTER 'emerge --update --newuse --deep @world' and 'emerge --depclean'. If you want to add a package, add it to /var/lib/portage/world, and if you want to remove a package, remove it from that file. 'emerge --update --newuse --deep @world' and 'emerge --depclean' will take care of everything else.
So you could have a master file for /var/lib/portage/world, which you copy to your machines using a script whenever you modify the master file. During the copy operation, the script could automatically add or delete machine-specific packages.
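One way to do the master-file copy mike155 describes (and to answer the "how do you keep that file in sync" question raised later in the thread), as an added example that is not mike155's script: a POSIX sh helper that merges a master list with a host's add/remove lists, validates every entry, and replaces the live file atomically. The file paths and sample atoms are constructed; the emerge commands are the ones named in the post.

```shell
#!/bin/sh
# Added example, not mike155's script: build one host's world file from a
# shared master list plus per-host add/remove lists, validate every entry,
# show what would change, and only then replace /var/lib/portage/world.
set -eu
export LC_ALL=C   # stable sort/comm order regardless of the host's locale

# Drop comments, surrounding whitespace and blank lines: one atom per line.
clean_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Succeed only if every line is a "category/package" atom (optionally ":slot"),
# so a typo in the master file cannot be pushed out to every machine.
validate_world() {
    ! clean_list "$1" | grep -Ev '^[A-Za-z0-9_][A-Za-z0-9_.+-]*/[A-Za-z0-9_][A-Za-z0-9_.+-]*(:[^[:space:]]+)?$'
}

# master + host additions, minus host removals; sorted and de-duplicated.
merge_world() {
    del=$(mktemp)
    clean_list "$3" > "$del"
    { clean_list "$1"; clean_list "$2"; } | sort -u | grep -vxF -f "$del" || true
    rm -f "$del"
}

# Entries that would be added (+) to or dropped (-) from the current file.
world_diff() {
    cur=$(mktemp) new=$(mktemp)
    clean_list "$1" | sort -u > "$cur"
    clean_list "$2" | sort -u > "$new"
    comm -13 "$cur" "$new" | sed 's/^/+/'
    comm -23 "$cur" "$new" | sed 's/^/-/'
    rm -f "$cur" "$new"
}

# Validate, write next to the target and rename (never a half-written world
# file), then preview the effect; drop the -p flags yourself to apply it.
install_world() {
    target=${2:-/var/lib/portage/world}
    validate_world "$1"
    tmp=$(mktemp "$target.XXXXXX")
    cp "$1" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$target"
    emerge -p --update --newuse --deep @world
    emerge -p --depclean
}

# Constructed sample inputs for one "server" host; not real files or hosts.
demo=$(mktemp -d)
printf '%s\n' app-admin/sudo net-misc/openssh www-servers/apache > "$demo/master"
printf '%s\n' dev-lang/php:8.2 '# host-only extra' net-fs/nfs-utils > "$demo/add"
printf '%s\n' www-servers/apache > "$demo/del"
printf '%s\n' app-admin/sudo net-misc/openssh www-servers/apache sys-apps/mlocate > "$demo/world.current"
merge_world "$demo/master" "$demo/add" "$demo/del" > "$demo/world.new"
world_diff "$demo/world.current" "$demo/world.new"
```

On a real host, run `install_world "$demo/world.new"` as root once the diff looks right; the per-host add/del lists are what carry the "machine-specific packages" mike155 mentions.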
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Mon Mar 26, 2018 11:00 pm Post subject:
One note on modifying the world file: it is NOT designed for you to edit directly. You should use portage to add/remove packages to/from the world file.
3 main options to keep in mind: --oneshot installs a package but does NOT add it to the world file. Without that, it would add the package to the world file.
To remove a package entry from the world file, you can use --deselect, which removes that package from the world file (this simply removes the entry in the world file; it does not uninstall the package).
Lastly, you have --noreplace, which does the opposite of deselect: it adds a package to the world file (and does not recompile the already installed package).
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Tue Mar 27, 2018 12:18 am Post subject:
ct85711 wrote:
One note on modifying the world file, it is NOT designed for you to edit directly.

Well, I don't know. There's this strong warning.
On the other hand, there's this document from a (former?) Gentoo developer, who recommends editing the file (slide 9).
EDIT: In the meantime, I found a man page which states that it's perfectly fine to edit the world file. Please look at my next post below.
I apologize for the various changes in this post.
Last edited by mike155 on Tue Mar 27, 2018 2:11 am; edited 2 times in total
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Tue Mar 27, 2018 1:00 am Post subject:
portage doesn't have any real trouble handling world file trouble:
Code:
grep bug /var/lib/portage/world
bug/me
emerge -u --nodeps world -pv
...
!!! Problems have been detected with your world file
!!! Please run emaint --check world
!!! Ebuilds for the following packages are either all
!!! masked or don't exist:
bug/me
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Tue Mar 27, 2018 1:57 am Post subject:
I browsed through the man pages and I'm now convinced that it's safe to edit or copy '/var/lib/portage/world':
man emerge wrote:
/var/lib/portage/world
Contains a list of all user-specified packages. You can safely edit this file, adding packages that you want to be considered in world set updates and removing those that you do not want to be considered.

'man portage' specifies the format of the file:
man portage wrote:
Every time you emerge a package, the package that you requested is recorded here. Then when you run `emerge world -up`, the list of packages is read from this file. Note that this does not mean that the packages that were installed as dependencies are listed here. For example, if you run `emerge mod_wsgi` and you do not have apache already, then "www-apache/mod_wsgi" is recorded in the world file but "www-servers/apache" is not. For more information, review emerge(1).
Format:
- one DEPEND atom base per line
Example:
games-misc/fortune-mod-gentoo-dev
dev-libs/uclibc
app-cdr/cdemu
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Mar 27, 2018 2:32 am Post subject:
A few things I do:
- PORTDIR on a ro NFS mount
- DISTDIR on a rw NFS mount (DISTDIR should never be inside PORTDIR; the default is terrible)
- PORTAGE_RO_DISTDIRS="/mnt/nfs/http-replicator" (or whatever fetch proxy you're using) is a good idea too
- /etc/portage on one machine is a ro NFS mount that the others can symlink config files from
My hardware is too varied to try this, but mounting root via NFS and booting a kernel from PXE may also be options.
musv Advocate
Joined: 01 Dec 2002 Posts: 3366 Location: de
Posted: Tue Mar 27, 2018 7:06 am Post subject:
I'm using some kind of squash_portage, but I have written the scripts on my own, when I switched to systemd a few years ago.
I have a directory /var/portage, which is mounted rw via NFS. This directory includes a distfiles directory (DISTDIR) and a portage-current.sqfs file (a SquashFS image of the Portage tree). This image is mounted to /usr/portage (ro). Furthermore I use an OverlayFS on /usr/portage to be able to update and modify the portage tree. When I unmount /usr/portage, the changed portage tree will be written to my SquashFS image in the NFS folder.
Advantages
- The portage image has a size of 146 MB including several overlays.
- You don't need the portage tree physically stored on any machine (an unmounted /usr/portage is empty).
- It can be updated on a machine of your choice and is up to date on any other machine in the network (after remounting the image).
- Distfiles are downloaded only once.
Disadvantages
- Portage becomes incredibly slow. Getting a list of packages to be updated can take up to 10 minutes.
- If you update the portage tree, you have to restart/remount the portage tree on every machine to have the updated tree available.
- Doesn't work together with NetworkManager, which always stops NFS before unmounting the SquashFS image and NFS portage directory. Solved by throwing NetworkManager away.
luckylinux n00b
Joined: 17 Mar 2012 Posts: 48
Posted: Fri Mar 30, 2018 6:29 pm Post subject:
Wow, so many answers so quickly, I'm amazed.
So you basically all suggest doing this with integrated tools rather than relying on an external configuration system such as Puppet/CFEngine/SaltStack/...
@Ant P.: what exactly is the difference between DISTDIR and PORTAGE_RO_DISTDIRS? I'm a bit confused since both concern distfiles. Furthermore you say "DISTDIR should never be inside PORTDIR, the default is terrible". I would say that also applies to the packages in /usr/portage/packages. Why not put it a bit more structured, say /usr/portage/ports, /usr/portage/distfiles and /usr/portage/packages?
Furthermore, mounting root via NFS, although attractive (space savings, ...), may defy one purpose: availability. If for whatever reason the network goes down, I lose all access to all machines. Not a good solution. Would any of you recommend running an rsync (or say zfs send -R // replication, although at the moment I'm using ext4 but could move to ZoL I guess) to the "slave" machines? At least this could be done for the 6-7 distcc hosts I have in my lab.
@mike155: I'm not exactly a fan of editing the world file directly. However, even if I do, how can I enforce that the changes will be applied? emerge -auDn @world? Not sure if it's a good idea to let this run unattended (say via cron).
@All: nobody installs updates automatically?
musv Advocate
Joined: 01 Dec 2002 Posts: 3366 Location: de
Posted: Sat Mar 31, 2018 9:27 am Post subject:
luckylinux wrote:
So you basically all suggest doing this with integrated tools rather than relying on an external configuration system such as Puppet/CFEngine/SaltStack/...

That's not the point. Puppet & Co. describe the configuration of a system. For that reason those tools are great.
But on Gentoo you have the additional problem of compiling the packages before installing. I mean, it's probably not a good idea to compile chromium on a machine started by a puppet run. It could bring you directly to the Windows update mechanism, where the update process often starts in the worst situation for you.
If you want to distribute the packages with a configuration management tool, you should have a build machine, where you create the bin packages in case of a package update.
Nevertheless you need a method to distribute the portage tree and the bin package or distfiles directory to every machine. In a RHEL or SLES environment there's also a package manager installed on every machine.
Btw. at my work we are currently using Puppet. But it's an old version with a lot of modifications. I've got my eye on Ansible. Puppet has the disadvantage of the client-to-server direction (pull instead of push). So you have to open up the firewall from the outer shell to the internal server. Ansible distributes the configs via SSH and the push method, so you don't need any firewall modifications. And there's no open connection from the DMZ to the internal net. And personally I like Python much more than Ruby. Of Chef and Salt I haven't read anything.
luckylinux wrote:
Furthermore mounting root via NFS, although attractive (space savings, ...), may defy one purpose: availability. If for whatever reason the network goes down, I lose all access to all machines. Not a good solution.

Correct. I wouldn't use NFS. Compared with block-device-oriented solutions, NFS has quite a big overhead. A couple of years ago I read about a project to distribute the system via NBD. They distributed a read-only image to every machine. To be able to save any modifications, they put an OverlayFS on top of the read-only system to store changes via NFS. In that case you wouldn't even need a disk in your machines. You could boot the system via PXE from a central TFTP server. I'm using the combination of TFTP and NBD on my NAS to be able to boot SystemRescueCd in any case of emergency.
luckylinux wrote:
@mike155: I'm not exactly a fan of editing the world file directly. However, even if I do, how can I enforce that the changes will be applied? emerge -auDn @world? Not sure if it's a good idea to let this run unattended (say via cron).

It's the easiest way to manage the packages to be installed, if you have a lot of machines and don't need to care about the package configurations.
luckylinux wrote:
@All: nobody installs updates automatically?

I'm using Gentoo in a non-production environment with accept keywords "~". With that configuration my computers would be compiling around the clock.
luckylinux n00b
Joined: 17 Mar 2012 Posts: 48
Posted: Sat Mar 31, 2018 2:51 pm Post subject:
I'm wondering then what to do with /etc/portage. To me, the "/etc" folder has to be always available, even in the event of a network failure.
Furthermore, mounting /etc/portage using NFS presents an additional problem: NFS is prone to give "stale file handle" errors (I already had it happen on my media server).
I wonder therefore what the best approach would be:
- Using rsync?
- Using zfs send -R (assuming I would convert all Gentoo installations to ZFS)?
- Using SaltStack?
musv wrote:
And personally I like Python much more than Ruby. Of Chef and Salt I haven't read anything.

I'm a bit surprised you didn't know SaltStack. It's also based on Python. Although I talk about it, I just finished reading a book on it; I haven't implemented anything yet.
musv wrote:
It's the easiest way to manage the packages to be installed, if you have a lot of machines and don't need to care about the package configurations.

Yes, but how do you keep that file in sync on each machine? Rsync? NFS? Other?
So yes, the "problem" of keeping the world file synchronised is not so different from keeping the /etc/portage folder in sync. But what is the best solution to apply here ...
soparla n00b
Joined: 21 Aug 2018 Posts: 72 Location: Florida
Posted: Mon Nov 27, 2023 1:55 am Post subject: It's 2023, why mess around when you can save your time?
Why should we mess around with the portage setup etc.? Next to the usual support for source-based ebuilds, Portage also supports building and installing binary packages.
The guide below explains how to install them, create them, and how to set up a binary package (binhost) server:
https://wiki.gentoo.org/wiki/Binary_package_guide
To make emerge happy and sync repos between the nodes, simply host your own local rsync mirror on a single dedicated machine (perhaps the same binhost):
https://wiki.gentoo.org/wiki/Local_Mirror
You should also cache the distfiles (again, on the binhost):
https://wiki.gentoo.org/wiki/Local_distfiles_cache
Besides all of the above, my farm is also using distcc, so compilation is processed in the cluster but the binaries are stored on a single node (binary package server: binhost) and then distributed to the rest:
https://wiki.gentoo.org/wiki/Distcc
For me... the annoying part was setting up the SSH user config to work correctly. The trick is to have the user created on the server, generate its keys and export both private/public to all of the machines. Then you might find it easier to alias the binhost via the ~/.ssh/config on all the clients:
Code:
Host binhost
    HostName <your host or IP>
    User binpkguser
    IdentityFile ~/.ssh/binpkguser.key

Client machine example for make.conf:
Code:
# https://wiki.gentoo.org/wiki/Binary_package_guide
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --getbinpkg"
FEATURES="getbinpkg"
PORTAGE_BINHOST="ssh://binhost/var/cache/binpkgs"
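Added example, not part of soparla's post or the linked wiki pages: the post's client make.conf beside a hardened form in which emerge refuses any binary package that is not signed by a trusted key, so a compromised binhost, NFS export or shared SSH key cannot hand unsigned code to every node. The FEATURES and BINPKG_* names are the ones documented in make.conf(5) for the gpkg format; the signing key id is a placeholder.

```shell
# As in the post: whatever the binhost serves is installed as root, unverified.
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --getbinpkg"
FEATURES="getbinpkg"
PORTAGE_BINHOST="ssh://binhost/var/cache/binpkgs"

# Hardened client: same binhost, but every package must carry a signature
# from a key in Portage's verification keyring (BINPKG_GPG_VERIFY_GPG_HOME,
# default /etc/portage/gnupg; import and trust your binhost's public key there).
# Signatures exist only for the gpkg format, not for the older xpak tarballs.
BINPKG_FORMAT="gpkg"
FEATURES="getbinpkg binpkg-request-signature"
PORTAGE_BINHOST="ssh://binhost/var/cache/binpkgs"

# Matching binhost make.conf: sign each package as it is built. The key id is
# a placeholder; the private signing key stays on the binhost only, unlike the
# shared SSH key in the post, which then grants transport access and nothing more.
BINPKG_FORMAT="gpkg"
FEATURES="buildpkg binpkg-signing"
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
BINPKG_GPG_SIGNING_KEY="0xPLACEHOLDER_FINGERPRINT"
```

With binpkg-request-signature set, a client that is handed an unsigned or tampered package falls back to building from source or fails the merge rather than installing it.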