Is anybody using Gentoo on a co-located / production server?

[duh]

Hi,

We are thinking of doing both an hardware as well as an OS upgrade for our co-located servers (it's about time;). Since we mostly use Debian Linux it seems a logical choice for server OS. It's stable, it's reliable and quite secure. However, I have been running Gentoo Linux for quite some time at home and I really enjoy it; it's so much up-to-date compared to Debian and the dependencies are managed very well. However, this can also oppose a problem security wise. Debian's old packages are thoroughly put to the security test and you can almost certainly be sure that there are no huge exploits, and if there are, they will quickly be fixed.

Therefore I wanted to see if any people on this forum are running Gentoo for OS on their large, co-located, public/production servers, and what their view and experiences are on reliablity, security and maintainability.

Any thoughts are welcome!

Jeroen

[Oopsz]

I'm running gentoo on my production server, venus.tripadelic.com.

The initial install was easy, as my host had a prepared gentoo image for my server configuration. I can't imagine doing a remote gentoo install (weeelll.. I guess it could be done, have them boot it off knoppix and run sshd, but I wouldn't want to do it.) I changed my cflags and arch (Nothing major, -Os -mmmx -msse + i686) and rebuilt the system using emerge -evD world. I don't use ~x86, and I've masked >=apache-2.0. It's stable, sturdy, and very easy to maintain. I'm happy with it. Though i'm not running any iptables filtering at the moment, and I think that might be a good idea.. maybe I'll set that up this weekend... I also want to try locking down my system with propolice and hardened gcc, but I want to make sure those patches are stable before doing another emerge -evD... I'd also like to set up prelude/piwi, but piwi is still masked in the portage tree, and for the moment I value stability over security (That sounds bad but I mean, I prefer stability to added protection against attack)
_________________
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide

[cschwede]

We're running Gentoo also on our production servers. This includes Apache, MySql, Samba, Postfix, Cyrus Imap, Openldap, ....
I started one year ago with the first server, now all 4 main servers run on gentoo.
I'm really happay with it because administration is really nice (in my eyes).
And security: Some people say that there shouldn't be a compiler on a production server especially when it's connected to inet. From my point of view, when a compiler is a security flaw you have much more problems than the compiler itself
ONe of the biggest advances is that you decide what to run and what not - you also know what you've installed.
I'm happy with my servers because I can sleep better than with redhat and suse.
For upgrading see the scripts at https://forums.gentoo.org/viewtopic.php?t=36086&highlight=[url][/url]

[symbiat]

[cschwede]

[symbiat]

[cschwede]

[symbiat]

[EvilTwinSkippy]

I've been running a cluster of production machines off of Gentoo for almost a year.

My first tip is have an identical box to the production one to test all upgrades on. Before I put a server in the field I make a tarball of the file system. This way I can clone the box and test out everything before I discover halfway through a kernel upgrade that baselayout prevents the machine from booting. (Ugly, and it's happened.) If you are really clever, you build binaries from your clone and save your production machine the bother of compiling the code itself.

My second tip is never rely on being able to run "emerge sync" from the gentoo network. I have my own server running a mirror of the portage tree. In this way I'm a) being a good citizen to the network and b) ensuring that all of my servers are working from the same portage tree. This enables me to build binaries that are compadible across my entire network. c) If for some reason the internet isn't available...

It may sound paranoid, but there is nothing more annoying than starting a datacenter upgrade on Monday only to discover that something has changed by Friday. (Throws dart at picture of maintainer of baselayout package. )

There are also a few chicken and egg problems that rolling binaries solve. One that comes to mind is that to run LDAP and SASL you somehow need to compile both at the same time. (LDAP: I need SASL. SASL: I need LDAP.) My answer it so yank the use flags for both LDAP and SASL, build the two seperately, and then re-add the SASL and LDAP use flags and rebuild both packages. If you save the resulting binary, your slave nodes are blissfully unaware of the chicken-n-egg dependency.

Binaries also allow you to re-build a server in a hurry. You take your last backup snapshot of the machine, and emerge -uK world.

On one or 2 machines it's overkill. But when you get up to 10 it's essential.
_________________
I've found that people will take what you say more seriously if you tell them Ben Franklin said it first.

[EvilTwinSkippy]

Someone was mentioning locking down matters with IPTABLES. Here is a script I use: