Gentoo On Server Considered Harmful
Siker writes in to point out his blog post — Why Gentoo Shouldn't Be On Your Server — which seems to have stirred up a lot of discussion, including a thread on the Gentoo forums. From the post: "I firmly believe in updating server software only when you need to. If you don't need new features, and things are working, why change anything? If you update anything you will undoubtedly need to update configuration files. You will need to fix things that break in the upgrade process... This is hard with Gentoo. Gentoo wants you to change a lot of stuff. It wants to be bleeding edge."
At the same time, the "your system is always approaching the bleeding edge" way of doing things solves one problem that I've always been bothered by with running user servers for suso.org. Eventually, the OS on the server reaches the age where it is no longer supported and updates are no longer coming out for it. This isn't always X years where X is the number of years that a distribution claims to provide package updates for. It's usually X-1. This is because you'd be foolish to use the very latest hasn't-been-available-for-more-than-a-day version of Linux. Usually you wait for 6-12 months for it to be mature and have special packages of whatever available for it. Then you spend another month or two setting up the machine and getting it ready for production. By that time, you've already burned over a year of support time. Then you get users onto it and now you only have X-1.5 years of support. On Fedora, this means practically no time is left. Upgrading such a system to the latest version of whatever distro means taking the server down for several hours to upgrade, hoping to hell that the special packages you've built and configurations aren't broken, and in nightmare situations, rolling back because something is broken and can't be fixed.
The promise of Gentoo for me is being able to continually upgrade and never get outside of that window of support.
I actually have a new shared user system that is running Gentoo that is kinda in beta right now. This article was very useful for me because it brings up those points about stability that concern me. It's kinda an experiment.
I think I may try Debian next.
Someone tag this article flamebait because hoo-boy are the trolls going to be coming out of the woodwork for this. My prediction, around 200 comments along the lines of "You don't have to update constantly and still get the 2% performance increase from those 72 hours of compiling!!!1!!one"
This is hard with Gentoo. Gentoo wants you to change a lot of stuff. It wants to be bleeding edge.
Hey now, anything endorsed by Larry the Cow can't be bad. Larry the Cow and Poochie the dog are similar, in a lot of ways.
Gentoo allows you to be on the cutting edge, just like all the other distributions. The primary difference is it makes it very easy for those who don't know what they are doing to be there. Most folks running SuSE, RH, or one of the other 'package' based distributions won't build their own RPM, etc. There is nothing stopping one of the 'normal' distributions from upgrading the kernel with each release. I certainly don't update everything on my Gentoo box because it is there, on my server.
I run Gentoo on a server. The server is stripped down beyond what a typical 'router' distro looks like - one of the reasons I went with Gentoo is I could really trim the system down for the job at hand. My server only gets updates for security, and once in a while a bug fix that impacts the applications running on the server. Not often. When I need to compile something big, the last place I'd do it on is the server itself - it has another task. I take one of my workstations with far more GCC horsepower and let distccd do the work for the poor little pizza box. Beyond the initial build, I doubt those boxes have ever compiled anything.
Since it is a source-based distro, I also am not trapped by RPMs or other packages no longer getting provided for my system. One of the applications I had was using RH9 (with paid support) only to have them drop maintenance on it and have the vendor drag their feet moving to another platform (clue stick: they had issues with the 2.6 kernel, so would not 'support' any platform but RH 8 and later 9). The enterprise editions? Forget about it... You want to live in the suck, you try keeping one of those boxes alive and secure years after its EOL.
This whole article is a blatant troll. Gentoo's usability on a production server depends entirely on how you use it. It is up to the admin to manage updating software without breaking anything.
That said, what really ticks me off about Gentoo is when they make big, sweeping changes that aren't backwards compatible. For example: modular X. I know there was plenty of warning, but when modular X went stable all of a sudden *all* packages that needed X now depended on the modular X libs. If you had monolithic X installed, anything that requires X now generates many blockers. That's just *awesome*... you are forced into installing something you shouldn't have to install. The best solution to that problem was really to put all the modular X libs in /etc/portage/profile/package.provided, but that's an ugly hack.
But if you have a good schedule for when you want to update your system, it's as good as any other linux distro out there. What this guy wanted was probably something like Redhat, or Debian (don't nitpick). I don't run enterprise servers, I run basic gaming/radio/website setups, the website server is updated once every 4 days, but I don't get a lot of traffic, and I can afford to have my system come down for a few hours while I figure out what is going wrong.
My gaming server is my testbed, since I update that once a day, if something goes wrong I don't mind digging into it to figure out what went wrong, this usually helps me keep the other sites from screwing up when they update, and I can troubleshoot problems on them before they happen.
Regardless of what you run, there is going to be downtime associated with your distro, and Gentoo is no exception. If the guy who wrote this article had any experience with Gentoo, he'd know the hardships that come with it. I'd never recommend someone use Gentoo as their server operating system if they've never used it, even if they've had a few months using it, but that doesn't mean it's a bad choice for a server operating system.
- Aetheral Research -
"I firmly believe in updating server software only when you need to. If you don't need new features, and things are working, why change anything?"
I agree... so why does this preclude using Gentoo?
Just because you _can_ update all the time doesn't mean you should. I've used gentoo for various purposes (server, desktop, laptop). What I usually do is get it setup and install all the packages I need and then leave it for a _long_ time... only upgrading packages that I either need the new capability of or for security purposes.
Look... I personally don't think Gentoo is the best server OS out there... but I also don't think that just because the package system makes it really easy to tinker with the system that Gentoo is inherently unstable...
Friedmud
"There is no 'stable' version of Gentoo. Gentoo is rather a moving target where emerge will forever cause your system to approach the cutting edge."
Yeah. Not quite. This is what the "ACCEPT_KEYWORDS=" setting in make.conf is for. If you don't have it set, you get "stable" packages. If you do have it set, you get the unstable stuff.
Further, with the use of the files in /etc/portage, you can have a stable system, but have one or more packages be unstable without having it a system-wide setting.
Haven't read the rest yet, but wanted to point that out.
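To make the stable/unstable keyword mechanism described in this comment concrete, here is an added example (not Portage's own code) that models how an ebuild's KEYWORDS are matched against ACCEPT_KEYWORDS from make.conf plus per-package entries from /etc/portage/package.keywords. The package tree, version strings and the vim/mysql entries are constructed for the example, and atom matching is simplified to plain "cat/pkg" and exact "=cat/pkg-ver" forms.

```python
"""Portage-style KEYWORDS visibility check (added example, not Portage code).

Rules mirrored from Portage: an ebuild is visible if any of its KEYWORDS is
in the accepted set; the accepted set is ACCEPT_KEYWORDS from make.conf
(empty means "stable for this arch") plus whatever package.keywords adds for
that one atom; accepting "~arch" implies accepting "arch"; a leading "-" in
the ebuild's KEYWORDS ("-sparc", "-*") simply never matches. The wildcard
keywords "*", "~*" and "**" are not modelled here.
"""
import re
from dataclasses import dataclass

ARCH = "x86"  # the arch of the machine under discussion in the thread

# "cat/pkg-1.2.3-r4" -> cp "cat/pkg", ver "1.2.3-r4"; handles "xorg-x11-7.1"
_CPV_RE = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")


@dataclass(frozen=True)
class Ebuild:
    cpv: str       # e.g. "app-editors/vim-7.0"
    keywords: str  # the ebuild's KEYWORDS= value, e.g. "x86 ~amd64 -sparc"


def split_cpv(cpv):
    """'dev-db/mysql-5.0.26-r1' -> ('dev-db/mysql', '5.0.26-r1')."""
    m = _CPV_RE.match(cpv)
    if not m:
        raise ValueError(f"not a versioned atom: {cpv}")
    return m.group("cp"), m.group("ver")


def version_key(ver):
    """Sort key for dotted numeric versions with an optional -rN revision."""
    base, _, rev = ver.partition("-r")
    parts = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    return parts, int(rev or 0)


def accepted_keywords(system_accept, package_keywords, cpv):
    """Keywords accepted for this cpv: make.conf default + package.keywords."""
    acc = set(system_accept.split()) or {ARCH}
    cp, _ = split_cpv(cpv)
    for atom, extra in package_keywords.items():
        if atom == cp or atom == "=" + cpv:
            acc |= set(extra.split())
    # accepting "~x86" also accepts the stable "x86" ebuilds
    acc |= {k[1:] for k in acc if k.startswith("~")}
    return acc


def is_visible(ebuild, system_accept, package_keywords):
    """True if emerge would consider this ebuild at all."""
    kws = set(ebuild.keywords.split())
    return bool(kws & accepted_keywords(system_accept, package_keywords, ebuild.cpv))


def best_visible(ebuilds, cp, system_accept="", package_keywords=None):
    """The cpv emerge would pick for cp: highest visible version, or None."""
    package_keywords = package_keywords or {}
    candidates = [e for e in ebuilds
                  if split_cpv(e.cpv)[0] == cp
                  and is_visible(e, system_accept, package_keywords)]
    if not candidates:
        return None
    return max(candidates, key=lambda e: version_key(split_cpv(e.cpv)[1])).cpv


# Constructed tree: one stable and one testing ebuild for two packages
TREE = [
    Ebuild("app-editors/vim-6.4", "x86 amd64 ppc"),
    Ebuild("app-editors/vim-7.0", "~x86 ~amd64"),
    Ebuild("dev-db/mysql-4.1.21", "x86 amd64"),
    Ebuild("dev-db/mysql-5.0.26", "~x86 ~amd64 -sparc"),
]

if __name__ == "__main__":
    # stable system: testing ebuilds stay invisible
    print(best_visible(TREE, "dev-db/mysql", "x86"))          # dev-db/mysql-4.1.21
    # the comment's setup: stable system, one package pulled from testing
    pk = {"app-editors/vim": "~x86"}
    print(best_visible(TREE, "app-editors/vim", "x86", pk))   # app-editors/vim-7.0
    print(best_visible(TREE, "dev-db/mysql", "x86", pk))      # dev-db/mysql-4.1.21
    # system-wide ~x86: everything moves to the testing branch
    print(best_visible(TREE, "dev-db/mysql", "~x86"))         # dev-db/mysql-5.0.26
```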
If nobody had "bleeding edge" software running, how would anyone know when it was ready to use ?
This person is obviously no pioneer, & exhibits the same attitude described in the "Stale Tech" article on Slashdot awhile ago.
I certainly wouldn't want a Gentoo on my servers. Sure, it wouldn't weigh much, but think of the poop you'd have to clean up!
* MySQL DATADIR is /var/lib/mysql
* Previous datadir found, it's YOUR job to change
* ownership and have care of it
* Sorry, plain up/downgrade between different version of MySQL is (still)
* un-supported.
I vowed never to use Gentoo again, and promptly moved that machine to Debian. I used to run Gentoo on all my desktop machines in the pre-Ubuntu days, because it had the most bleeding edge desktop packages and optimizations. After Ubuntu came on the scene, Gentoo had no advantage for me. It's still a great learning tool though. I highly recommend it for aspiring Linux geeks.
I have been a server admin for web/database for about 3 years now. I agree that bleeding edge is *not* where server admins want to be. There's a reason that Debian is widely considered the best server OS despite being rather far behind the bleeding edge. Tried and tested is better than the latest and greatest when you rely on the machine being up. It's also worth noting that the military doesn't use any COTS technology within 5 years of it being released.
Gentoo is only good for ricers, Gentoo is bleeding edge and unstable, Gentoo is only good for X deployment
The truth about Gentoo is that it is not really a distribution. Gentoo Linux does not make "releases" and it does not aim to cover one area of the market alone.
In Gentoo's packaging system, called portage, the aim is not only to provide up-to-the-minute packages (which it does) but also to provide a wide variety of both tested and verified "stable" packages as well as more bleeding-edge, testing packages.
This, along with a properly configured make.conf and /etc/portage file system, allows you to pull down the packages you want that have been verified as stable (and are also under watch by the Gentoo security project) and keep track of their libraries with revdep-rebuild.
Stop branding Gentoo with stereotypes that label it as X distribution, the project even calls itself a "metadistribution" capable of dropping into multiple roles.
Don't fix it if it ain't broke: up 292 days, 22:26. The reason for the short uptime is PSU upgrades...
First of all, I find it interesting that FreeBSD never seems to get these complaints and hate about having to recompile packages with portupgrade all the time, and being able to tweak the flags, etc. In this respect, it's just like gentoo!!! Except without a lot of the fancy features like etc-update and slots and masking and multiple supported versions. Yes, the "base system" is more stable on FreeBSD (which is both a blessing and curse), but what is it about Gentoo that attracts so many haters/inexperienced admins, hmm??
Anyway, I run Gentoo on servers. (Also FreeBSD). I think it's great. I can't stand stuff like Red Hat, which makes it difficult to customize anything, so I'd always resort to installing stuff "by hand", which was a huge pain. Or creating a custom RPM, which was an even bigger pain (RPM is basically a huge clusterfuck in general).
Being able to set up ebuild "overlays" is great. Being able to set up custom profiles that contain all the software needed for a particular app is great. Writing ebuilds is a piece of cake. Turning on/off various features system-wide is very helpful. The mechanism for merging configs (etc-update or dispatch-conf) is nice. Being able to pin down specific versions with masking is good. Etc. For the record, I've never tweaked the CFLAGS in my life.. that's just not why I use Gentoo.
The author writes this:
I have no idea what happened to him. Updating your profile is basically moving a symlink, which changes some lists of base packages and other high-level build configuration. It doesn't "touch" anything in your system. Sure, you have to do some upgrades afterwards, but you have to do that regularly anyway on Gentoo. Compare it to upgrading FreeBSD from 5.x to 6.x, which is much more involved.
I've been using glsa-check for a while now, it works great. It tells me what's got known holes and I just update those packages, and their dependencies. What problem did he have with it, besides the "experimental" status? Yeah it can "do stuff", but I don't use those options, I just use it to get a list of packages with known holes. Heck I could probably write a script to do the very same thing.
Suppose you need to patch one of your installed packages by the way.. it's very easy to create custom ebuilds on Gentoo. Sometimes I plug security holes that I've found on my own for instance.
I have a simple strategy with Gentoo servers: keep an identical test/staging server nearby and do your updates on that machine first. Run your application tests and then upgrade the production machine. If you want, build binary packages on the staging machine. I would do this even with Red Hat, Debian, etc.
Another point: I've NEVER run "emerge -u world". I always do the packages in small groups or chunks and then updated configs, restarted daemons, and run tests after each one. This seems like a much better strategy than what some people do.
Also, I gotta say, it's probably not a good idea to run Gentoo on a production server unless you've got at least 5 years of Linux admin under your belt. You also need to FOLLOW the Gentoo newsletter, AT LEAST, so you can get a heads-up when config files change or files are moved around. It happens from time to time.
Really, the only valid point he makes that generalizes to servers other than his own is the following: Gentoo takes more time to keep running. But you have to weigh that against the flexibility you get, just like any "build vs. buy" decision.
The article makes it sound as if gentoo installs the ~unstable profile by default. The stable one's no more bleeding-edge than Ubuntu.
Gee!!! I thought that moving from Windows to any Linux-based anything would solve all the worlds's problems that Microsoft has caused!!!
Where, oh where, is the standard Slashdot drivel from you sanctimonious Slashdot twits?
There is NOTHING forcing you to "emerge world", "emerge system", and "emerge --sync" every single time Gentoo updates portage... Emerge flags include "--pretend", "--ask" and "--fetchonly" among several others; learn to use them.
...gentoo is *the* bleeding edge distro and is proud of that. Almost every CS major at the University of Chicago has it on their Thinkpad or Powerbook.
As for being unstable in regards to updating, I can only guess the submitter didn't configure his system correctly and allowed clearly labeled beta builds of server components into the automated upgrade queue. That's an irresponsible mistake only a newbie would make, and has nothing to do with the distro itself (or any distro for that matter).
I didn't read TF blog post, but since I saw a radical view and the word "server" in the same summary, I'll add my 2 yen here. Since we see the word "server", we assume we're talking competent system administrators here. A competent system administrator usually reads and understands the documentation of a software package before making a decision. Having read the documentation of Gentoo, I can suggest at least the following ways to ensure a stable distribution:
- one can create a copy of the source files repository
- one can create a repository for self-compiled binary packages and install from there
- one can use the global repositories, and still get a stable version by restricting available packages by version
- finally, as others say, one can use the stable version.
Since the blogger seems to have missed these obvious ways, he hasn't read the documentation, and hence is not a competent administrator, hence his opinion is not very valuable.
...I wonder where the debate stems from. Gentoo is a nice OS and all that, but it's not one that includes the features most server admins want: stability, non-intrusive security upgrades, support for commercial software, minimum hassle, minimum maintenance, and minimum surprises!
Of course, if you absolutely want to, Gentoo is perfectly capable of running on a server. It's just not something I would use myself, or recommend to any others. People who do so, do it because they are already Gentoo fans, not because it's the system that's arguably best for their purpose.
(I posted this on the gentoo forums)
If someone is running a server room with many live production systems where downtime must be in seconds per year, they should ALWAYS have a test environment and a production environment. Gentoo makes it extremely easy to produce this setup. Imagine if you will, this setup:
1) Master rsync system (contains the portage sync used by all the systems)
2) Test boxes for each role needed (perhaps you have 3 different kinds of servers, WWW, Mail, DB)
3) Many production boxes
What you would end up doing is creating a fairly generic Gentoo install (by generic, I mean hardware independent - like i686 or whatever you feel comfortable will be supported for the lifecycle of the servers). All production servers are identical to the test boxes at the beginning of this example and have a simple backup of the whole test environment (perhaps a large tarball saved on a separate drive). A new update is necessary for Apache, so you do an emerge --sync on the master rsync system. Then you rsync all the test boxes so they have the same portage tree. You then run the necessary installs on the test systems to make sure that it works; if it doesn't, then you research why and figure out if it's easier to fix after the update, or if the update needs to be done differently. If you need to, you can restore the test system from the backup and start over. After you have all the test boxes running well, you can then rsync the production boxes and reproduce the steps necessary to get them updated.
Once all this is said and done, the production boxes will all be updated successfully (and the updates were tested on the test boxes) and the test boxes will at this point have the same configuration as the production boxes. You would make a new backup of the test boxes and wait for the next time you have to do this cycle. As long as the boxes really are identical, you could even run konsole (or another xterm that allows you to send your input to multiple console windows) and perform the identical steps on all the same type of boxes (sending your update commands to 20 or even 50 servers at once).
I'm sorry, but in any real production environment, I see NO issues with this setup. It may be a bit time consuming if you have a lot of etc-updates to do, but still, the basic update should be painless to that point.
-Jason Pf.
For a true production server where downtime costs thousands or millions of dollars a minute, you need the insurance of having people to escalate to if you have a problem. If for no other reason than to CYA in a liability / management-political situation. That's the real reason not to run your production on Gentoo (though the technical problem mentioned is probably what's kept anyone serious from selling a support contract for it).
I'm a Linux newbie. I've run it for about 1.5 years and in that time, I've installed and used Fedora Core, Ubuntu, Gentoo, and now Arch.
I might have just been unlucky, but I ran the so-called "stable" branch of Gentoo and on more than one occasion, ebuilds had syntax errors, program sources had undeclared variables, and gaim (which I consider to be an important desktop application) segfaulted where the unstable release did not. The advice I was getting was to emerge the unstable version. Why was the unstable branch fixing known bugs in the stable branch? Am I missing something?
In any case, I've moved to Arch linux and I've been running it for about a week. So far, I've been extremely impressed.
To be fair, I ran Gentoo for 2 weeks only and I've never had experience with a server, so my opinion is likely insignificant.
You say Gentoo wants to change a lot of stuff?
Any binary distribution has two modes of updates. One is an updated package within the same release; the other is a mass-update from one release to another. Gentoo combines the two, since the distinction is artificial. What you call "changing a lot of stuff" is merely keeping packages reasonably current so that you never have to do a mass-update or complete reinstall.
Anyone who considers the Gentoo update process too difficult either hasn't used Gentoo (upgrades are easy, and there aren't that many of them if you stick to stable x86) or has never dealt with package conflicts in binary distributions. That is the real horror I want to avoid, and I avoid it nicely by running Gentoo.
Gentoo gives you 100% control over your system and how things are built.
It does NOT force you to do anything.
"You will need to fix things that break in the upgrade process..." Like what?
This past year there have been some major changes in the Linux world like:
glibc, gcc, xorg, apache(Gentoo went to the standard) and mysql are some the things I can think off of the top of my head.
Because of how Gentoo updates, big updates like these might break things if you're not watching what you're doing.
And if you're blindly updating your system and overwriting configs when you do etc-update, it's your own damn fault.
There comes a point where a package is marked 'stable' for some distros, but if you look on the project site, it's old and outdated.
I have tried them all and the only one you can trust is Debian stable.
Keeping it up to date is a no risk operation.
Services are stopped and started and any config changes are explained and documented.
Everything else is junk compared to Debian stable.
It even still has SysV init which is a dying "Legacy UNIX" thing... so the OSX, Ubuntu, Slowlaris etc. crowds say..
Debian GNU/Linux (stable), OpenBSD.
"Something Considered Harmful" is one of the more cliche ways to title an essay like this. Can't we come up with *slightly* better titles? Like, say, the one the blog post used?
Anyway, it's been said far better than I could manage already, so I won't keep ranting here.
I RTFA but I do not fully agree with both the article and its information. The author seems to have fallen in love with the word "time" or the phrase "time consuming"; so much that he's willing to use it in every other sentence and/or list it as different criticisms.
Now on to the contained information and my personal opinion:
1.) "Gentoo is time consuming" - that it is, measuring between a few hours and three days (if you set up your system completely from scratch by pulling every source file like I did). But you can leave the system unattended most of that time. Also this is done once et voilà.
2.) "Gentoo's Stability/Security Strategy: Update Everything" - wrong. That's pretty much a choice left to the end user. You don't have to run "emerge --sync && emerge --update --deep world" each and every day. Hell, I haven't synced my file server since I set it up half a year ago and it works fine. If I ever find a reason to update a specific application, more often than not updating it won't require updating anything else on that system.
2b.) "With Gentoo, this isn't really feasible because there is no 'stable' Gentoo release." - That's not correct. There are hardened sources intended to be.. well.. hard, as in "stable". Also all packages should be pretty much stable unless you specify the "~x86" (or whatever system you are running) keyword which will take the most bleeding edge stuff into account.
Either the author misunderstood something or I'm completely a gentoo fanboy.
In a production environment you don't have time for little things like that. RTFM on every little upgrade doesn't really matter when the mysql server suddenly goes down for no reason and thousands of users get pissed off. I recommend Fedora for beginners and Slackware for seasoned veterans and people wanting to know what a true Linux experience is (no flames please :).. They are very solid for production environments. Like previous posts have said, Gentoo is a good distro, but not suitable for production. Development boxes, sure.
...is currently uptime 242 days. Updating daily.
So, now that the server issue has been explained exhaustively, we can talk about my Gentoo programmer's desktop, Gentoo electronics lab and drill machinery controller, Gentoo ADSL/wifi router and Gentoo TV/multimedia nano-ITX box.
From my point of view, Siker is just a moron and I mean it seriously.
If you have more than one server, the best way to manage updates is to have one server (preferably non-production) on which you build and install binary package updates.
These binary updates can be pushed out to other machines and installed once any config file issues have been ironed out on your package-build machine. For extra kudos, all machines can be used as distcc-servers so that package compilation can be accelerated.
Finally, to reduce load on gentoo's servers and to help keep the machines in sync, the machine on which the packages are built should be the only machine that syncs to Gentoo's servers. All other machines should be configured to get their portage updates from your local build machine.
It's been said before by many. I cannot say I disagree with the article. With more traditional distributions of Linux, you always have standardized packages with some amount of quality control. Bugs and security holes slip through to the end users all the time. Often your end users report these bugs to the upstream maintainer. Occasionally, the end user even submits fixes upstream.
Gentoo is so system dependent compared to other distros. The end result: instead of having 1 package for some function, you have 1^n packages for that same function, given 'n' users with differing hardware and compile time arguments. The Quality Assurance ends at the user, always. You ultimately have a quality control department that consists of one, the user.
Any system upgrade or maintenance procedures in production environments are usually limited to a few hours at most. It does not make sense to spend six hours compiling what could have been installed, configured, and tested in 6 minutes with a pre-compiled package. In the event of a hardware failure, I find it reassuring when a Linux distro can be loaded onto a spare box in 15 minutes. Then spend a few more minutes restoring configurations from a good backup.
But that's just my opinion. To each his own. If it works for you, then go with it. Otherwise, I'd say it is a fairly level-headed review.
As I was reading this article, it occurred to me that more and more Linux has become a hot rodders' playground. It's all about the fun had with tinkering. It's true for many distros and true for the kernel itself.
Not bad as an end in itself, it's just unfortunate when people don't understand this is the case and work to build products off it.
Like the perlmudgeon Christiansen used to say (para.), "the game isn't on the computer, it *is* the computer."
I haven't RTFA, but, yeah, compiling all of your software from scratch in a production environment every time you want to upgrade? That's ok. I'll pass.
My webserver runs Gentoo and it has been rock solid for two years now. If you know what you are doing, it doesn't break.
I run an "emerge --sync" every night; this updates my portage cache.
I run the following by hand weekly:
emerge -uDav world
emerge -pv --depclean
emerge -v --depclean
revdep-rebuild -pv
revdep-rebuild -v
dispatch-conf
This does a DEEP update of my system, checks all dependencies are OK, then rebuilds conf files with a bit of help from me.
Every hour I run a:
glsa-check -f all
which checks and installs the latest security patches.
I've been using a Hardened Server profile, using only packages marked stable.
I have been doing this over the last 2 years and the system has only broken once -- due to mysql. Which caused me a 60min downtime.
Don't believe everything you read.
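The dispatch-conf step in the routine above is where an admin who "blindly overwrites configs" gets hurt. As an added example (not etc-update's or dispatch-conf's own code), this script finds the ._cfg0000_<name> files Portage leaves beside protected configs, shows the diff, and sorts each into a safe bin or a needs-review bin; the sample /etc tree, including the my.cnf change, is constructed in a temporary directory and is not taken from any real ebuild.

```python
"""Triage pending Portage config updates (added example, not etc-update code).

When a package installs a file under CONFIG_PROTECT (e.g. /etc), Portage does
not overwrite it; it drops the new version beside it as ._cfg0000_<name>
(0001, 0002 ... if several pile up) for etc-update / dispatch-conf to merge
later. Here each pending file is classified as 'identical' (drop it),
'cosmetic' (only comments/whitespace changed: safe to take), 'new' (no live
file yet) or 'review' (a setting changed: a human decides). The comment
stripping is naive: a '#' inside a quoted value is treated as a comment.
"""
import difflib
import os
import re
import tempfile
from pathlib import Path

CFG_RE = re.compile(r"^\._cfg(\d{4})_(.+)$")


def find_pending(root):
    """Return (live_file, pending_file) pairs under root, oldest update first."""
    pending = []
    for dirpath, _, files in os.walk(os.fspath(root)):
        for name in files:
            m = CFG_RE.match(name)
            if m:
                live = str(Path(dirpath) / m.group(2))
                pending.append((int(m.group(1)), live, Path(dirpath) / name))
    pending.sort(key=lambda t: (t[0], t[1]))
    return [(Path(live), new) for _, live, new in pending]


def _significant(lines):
    """Drop comments and blank lines, normalise whitespace."""
    out = []
    for ln in lines:
        ln = ln.split("#", 1)[0].strip()
        if ln:
            out.append(" ".join(ln.split()))
    return out


def classify(live, new):
    """'identical' | 'cosmetic' | 'review' | 'new'."""
    if not live.exists():
        return "new"
    a = live.read_text().splitlines()
    b = new.read_text().splitlines()
    if a == b:
        return "identical"
    if _significant(a) == _significant(b):
        return "cosmetic"
    return "review"


def unified_diff(live, new):
    a = live.read_text().splitlines() if live.exists() else []
    b = new.read_text().splitlines()
    return "\n".join(difflib.unified_diff(a, b, str(live), str(new), lineterm=""))


def triage(root, apply_safe=False):
    """Map pending path -> verdict; optionally dispose of the two safe bins."""
    result = {}
    for live, new in find_pending(root):
        verdict = classify(live, new)
        result[str(new)] = verdict
        if apply_safe and verdict == "identical":
            new.unlink()        # nothing to merge, drop the duplicate
        elif apply_safe and verdict == "cosmetic":
            new.replace(live)   # take the new comments; settings are unchanged
    return result


def build_demo(root):
    """Constructed sample /etc: three protected files with pending updates."""
    etc = Path(root) / "etc"
    (etc / "conf.d").mkdir(parents=True)
    # 1) identical: the package shipped the very same file again
    (etc / "hosts").write_text("127.0.0.1 localhost\n")
    (etc / "._cfg0000_hosts").write_text("127.0.0.1 localhost\n")
    # 2) cosmetic: only a comment was reworded
    (etc / "conf.d" / "sshd").write_text('# ssh daemon\nSSHD_OPTS=""\n')
    (etc / "conf.d" / "._cfg0000_sshd").write_text('# OpenSSH daemon options\nSSHD_OPTS=""\n')
    # 3) review: the new default drops bind-address, which would expose the listener
    (etc / "my.cnf").write_text("[mysqld]\ndatadir=/var/lib/mysql\nbind-address=127.0.0.1\n")
    (etc / "._cfg0000_my.cnf").write_text("[mysqld]\ndatadir=/var/lib/mysql\n")
    return etc


def run_demo(apply_safe=False):
    """Build the sample tree, triage it, and report what is still pending."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = build_demo(tmp)
        verdicts = {os.path.relpath(p, etc): v for p, v in triage(etc, apply_safe).items()}
        left = sorted(os.path.relpath(new, etc) for _, new in find_pending(etc))
        return verdicts, left


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        etc = build_demo(tmp)
        for live, new in find_pending(etc):
            verdict = classify(live, new)
            print(f"{verdict:9} {new.relative_to(etc)}")
            if verdict == "review":
                print(unified_diff(live, new))
```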
Gentoo on a server? No longer.
I used Gentoo for several years. I learned an awful lot about Linux from it. And I appreciate the work that goes into it. But my servers run Debian now, for one reason - quick, reliable updates. I support several small businesses; I don't have the resources to maintain test environments to check the impact of upgrades. And not having multiple powerful systems at many sites means distcc is not an option. And the recompiles occasionally necessary for apache or samba or postfix or mysql put an unreasonable strain on servers that are typically not high powered and are supporting multiple users. So for quick, reliable system updating apt-get beats emerge every time.
I'm not knocking gentoo. It's a great system for testing stuff, and evaluating software. But in the 3 minutes it took me to type this post, I could update 5 servers that hadn't been updated in a week.
At risk of exposing my ignorance here (I'm a Debian person; the last time I did anything RedHat-based was before automatic package management), what is CentOS's automatic-update feature like? Does it have one?
I assume it uses yum, or something like it, being RedHat, but does it pull from RedHat's servers directly, or are there separate CentOS repositories? I assume it's the latter. In that case, how closely do the CentOS repos track the 'official' RHEL ones, in terms of patches and bugfixes? Not that you'd probably want to do it on a true 'production' system, but can you do the CentOS equivalent of 'apt-get upgrade' and be reasonably assured of not breaking things?
I've always been intrigued with CentOS, and it does seem to have a good reputation as far as stability is concerned, but after growing up with apt-get (and before that, nightmarish experiences with dependency hell on some very early RedHat systems), I've developed a certain perhaps-unwarranted negative bias of everything else.
I think you need some Quality Assurance
Is that it assumes that you know how to use it.
The article is really about the disadvantages of running Gentoo on any box that needs to be stable. Some workstations are like that, and some servers aren't.
So using the same logic as the article uses: I don't think buying a car, short of building one yourself, is a good thing. Why? Because most brands come out with new cars every year. And the article thinks that if there is something new, then it must be acquired.
Not at all. Don't want to emerge --sync && emerge -uD world? Then don't. I really don't understand where this article gets any credit for being anything other than flamebait.
Hello? Security anyone? Or maybe someone remembers kernel 2.4.11? Don't wanna update that one either, should you happen to have it installed back when it was considered stable?
I do agree that there are certain things you needn't update. A local server without a connection to any user you do not trust your data with (i.e. nobody but you, if you're smart) running on rock stable software that gets feature adds rather than bugfixes in new versions is a candidate for this. And for this server (singular, probably worldwide), the setup is ok.
Not updating a server connected to the internet is an invitation for hackers. No matter how "stable" or "solid" or "secure" a system is deemed to be at the moment of its compilation. Time and again there are bugs found in software that has been considered stable and safe for years. OpenSSH is hardly the most insecure application out there, and I would NOT want to see what happens to a server that does not update it.
And, last but not least, when you don't want to update Gentoo, you don't have to. It's fine and satisfied if you don't do an update sync. Actually, you reduce the workload of the servers if you don't.
So what the hell is this fuss about?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Gentoo in the server room?
I think Gentoo CAN work in the server room. glsa and other tools make it a better candidate than it was a few years ago.
Some of the other popular distros capable of running X-less (e.g. Debian) and the *BSDs have been and are in wider production deployment. Of course, if one is tied to a storage, database, or backup vendor, one may be tied to Red Hat or SUSE.
I'm currently doing a work study at my university helping them administrate their Gentoo machines. They too have given up on Gentoo and are planning a switch to Ubuntu. The problem with Gentoo is that you really need it to be someone's job to maintain it. The problem my university had was that everyone there had many responsibilities and did not want to waste time making sure that everything was going smoothly on Gentoo. This led them to just ignore it and never update. It worked fine until users asked for new or updated software to be installed, then portage wanted to update many things. Since I have gotten there, and my job is maintaining Gentoo, things have gotten a lot smoother. Compiling takes forever even on a dual dual core machine and if one package fails I have to figure out how to fix it until I can continue compiling. If you have things set up correctly only one machine will need to compile and make a package while the rest will just download from that one server and install. The other problem we're having is that even though we run stable many packages fail to compile or have problems which take weeks to fix. It takes many packages a very long time to get marked stable even if they are, such as KDE 3.5.6 or the NVIDIA 9-series drivers. As for having to reinstall every time a new profile comes out, he just had no idea what he was doing. I've run my desktop and laptop for over five years going through hardware upgrades and many profile updates and never had to reinstall. All you have to do after you update your profile is emerge -uD world --newuse; revdep-rebuild
I have been using Gentoo on my personal server for quite some time. I update about once a week and whilst I have to upgrade the configuration files, as long as I do it regularly, I tend to have no problems. My server has been up and running for over three months now and everything works dandy. I personally like the bleeding edge on my machines. If it were a true production server, however, I wouldn't update unless I absolutely needed a feature.
Got a problem? Call a monkey!
Call me a jerk, but I found a lot of what was said to be totally accurate. I tried to love Gentoo, off and on, for three years. While it's true that you can start on a fairly complete base system, and while it's true that there are tools available such as glsa-check now and revdep-rebuild (to say nothing of the joys of being able to unmask only what you want to have as totally bleeding-edge), it's true that it's a major time sink.
;-)
I'll be more than happy to let the folks at Canonical, Red Hat, Novell, or wherever be the ones to put in several hours of work; I simply can't, at home, put in the hours required to maintain a "stable" system. When I quit using Gentoo a couple of years ago, it was to the point where I'd search the forums before I'd ever install a piece of software. And you know what? That gets old. Real old. Especially if you're sitting in front of what should be a desktop machine and you're waiting for revdep-rebuild to rebuild a couple dozen packages because libpng applied a non-backwards-compatible patch that fixed a major security flaw.
Sorry, kids, but although I can deal with running a Gentoo system, I choose to run Kubuntu 6.10. Not because I'm too much of a wuss to run Gentoo, or because I'm too stupid to run anything other than Ubuntu, but because I'd rather spend the hour or so of computer time I have at home some days getting pix and video of my adorable girl (now at toddler age) ready for the grandparents. Not glamorous, and doesn't help push the state of the art, but it's much more gratifying than, say (I'm making this one up), trying to chase down the ruby package maintainer to get him to apply a patch so that you can use Getopt::Long without having to edit files by hand.
Stating on Slashdot that I like cheese since 1997.
Serious. Gentoo has worked GREAT on my servers giving me the ability to configure and update my systems with simplicity. One copy of portage mirrors gentoo dev, one is a production milestone build. When I freeze a copy of gentoo dev, build and test against it, and if all is good move that over to the production milestone build. That's it, then use the binary packages to upgrade everything else.
/. Aren't the editors knowledgeable enough about the subject to see the glaring problems? Didn't start with stage3 (and doesn't seem to understand why you'd want to), doesn't seem to understand the version dependency system, misrepresents the security model, and proves his own lack of skill by having a machine hosted remotely without proper access to the console.
I keep great uptime:
someone@someserver ~ $ uptime
21:55:29 up 1103 days, 13:08, 4 users, load average: 0.08, 0.03, 0.01
And never hacked once running gentoo.
Also, gentoo's advantage is not now and never will be to compile everything. This guy is a terrible system administrator, who cannot recognize the advantage in gentoo's flexibility. For some people and institutions, it may not be an advantage but for highly customized environments it's great.
He clearly does not know what he's talking about. Additionally, those of us who work with big iron always have a proper LOM solution, because we know a sun cluster patch (which really is equivalent to a gentoo profile change) can screw things up just as badly. We either have a serial terminal for console, or a remote console management system.
I'm sorry some dork with a single machine hosted in some remote data center had problems with his gentoo install, and has even more problems with his lack of administration skills, but this type of crap should never make
This guy might as well be running win2k3 server.
So how many of the bleeding edge proponents have to support more than 50 systems?
Package management, rpm, dpkg, all came out in response to the shortcomings of compile-yourself approach we can dearly remember from the days Slackware was about the only Linux distro.
I was there. I was the young sysadmin who had to support 2 Linux servers and who was excited by the performance gain I was supposed to get from compiling stuff yourself. In truth, I never noticed it - and I bet 90% of others don't notice it either and 9% see the gain there because they believe in it.
That was around 11 years ago. By the time Gentoo came out I was dealing with RPMs and blessing them.
Nowadays package management software on SuSE, Ubuntu or others even lets you upgrade running system to next release while running.
Do I want to spend hours of my time tweaking compile parameters and wondering why some of them don't work? Do I need "bleeding edge" or stability? For production systems my answer is clear. Yes, there will be cases when you want to squeeze the top speed out of the system, so it is good that something like Gentoo is there, too. But I am fairly certain those cases are rare, and in the majority of them an upgraded piece of hardware is usually required in the end.
Does this make all criticisms against gentoo fair? No.
But the fact that more have used FreeBSD on servers for longer also means it has had useful tools. portaudit predates glsa-check & has better coverage in many ways, for example. Can you please tell me why I'd want slotted packages on a server, particularly if glsa-check doesn't yet work well with slots?
2.6.8-1.521smp #1 SMP Mon Aug 16 09:25:06 EDT 2004 i686 i686 i386 GNU/Linux
01:24:48 up 466 days, 16:08, 42 users, load average: 0.56, 0.58, 0.49
would be much longer but the tech at the ISP occasionally confuses it with another machine and mashes the reset button.
Do not look into LASER with remaining eye!
Whoooooooosh!
Where I come from, deployments to production are first validated in a QA environment. OS stuff, application updates belong there too.
What happened to backups anyway?
http://stephan.sugarmotor.org
No offense to Daniel Robbins or any of the other Gentoo people, but to me personally, downstream water doesn't taste so good. ;-)
Daniel's original premise seems to have been (which I agree with) that there are some elements of FreeBSD which are highly desirable, which at the time, Linux didn't have. Ports, portaudit, portupgrade...they're all good things. Ubuntu has an equivalent of portaudit and portupgrade combined, and of course the Red Hat autoupdate was probably the first on Linux, but the difference between those and the two commands I mentioned is that the Ubuntu and Red Hat services both focus on binaries...portupgrade anywayz focuses on source, which is something that at least some of us want.
I don't advocate using source compilation all the time, or if I do, at least not during the day or when you're active...set something up to do it while you're asleep or while the system isn't being used...that way it won't bother you. To be honest also, the main reason why I advocate compiling from source is simply for the reason that if you stop doing a certain thing for long enough, the ability to do said thing when you *do* want to has a tendency to disappear. If you maintain the attitude of compiling from source when it doesn't matter, there'll still be enough people doing it that the option to do so will still be there when it *does*.
There are a lot of people out there who don't want to do anything that even vaguely resembles self-responsibility or proactivity, at least where using a computer is concerned. That's fine, but said people need to realise that the fascist nature of such things as Vista is merely the ultimate logical extension of them wanting multinational corporations to act as their wetnurse. It's been an eternal truth in politics and other areas as well as IT that freedom and proactivity genuinely go hand in hand...If you don't want one, you're not going to get the other.
is LFS. I tried installing that thing and gave up after two months. I don't think that it would be good in the server room either /joke
To summarize:
Quote: "If you don't need new features, and things are working, why change anything?"
Translation: "Never change a working system."
Quote: "...I ran the dreaded but most needed "emerge world"..."
Translation: "My system worked but I updated everything"
Quote: "I had nearly no idea of what I was updating..."
Translation: "I didn't bother to check what was going to change"
Quote: "I tried to read the enormous emerge log file..."
Translation: "I didn't bother to read the log file about what had changed"
Quote: "...the machine had to be resuscitated..."
Translation: "I changed it, it doesn't work anymore and I can't be bothered to read the documentation"
Basically, he made a bad choice for his environment. Horses for courses.
Most enterprises have security policies that don't allow compilers on production servers. This immediately makes Gentoo a lot more effort to use on production servers than distros that require binary packages to work (where binary packages on Gentoo are an after-thought, and using only binary packages loses all the advantages of the distro).
We run minimal installs (you're lucky if you get vim instead of vi) of RPM-based distributions, and have a build host which supports all the releases we run in production, with internal repos. And we know that all our production servers are using the same packages, and that we can rebuild any server in under 20 minutes.
I have several gentoo coloboxes in production, the oldest of them is 2.5 years old. Switched profiles 2 times, upgraded gcc from 3.3 to 3.4, kernel from 2.4 to 2.6. I had to visit the colocation building two times: to install the box and to add an HDD to it. Yet the system is up-to-date and reasonably patched against the recent vulnerabilities. I don't have to deal with all that "end-of-support for release XX.YY" crap. I almost never have to resort to building my own packages manually these days, because I can just tweak USE flags (which also means I don't have to maintain my own apache build or my own perl build or whatever else I need). When some new security vulnerability is disclosed and I have to check my systems for it, I usually find them patched against it during the last emerge -u.
Good luck getting any of the above with a binary distro.
I have no idea how the author of TFA managed to ruin his system multiple times during one year. Looks like someone is seriously out of clue.
his argument that if you don't ever update your server's software, when you finally DO have to update you might have compatibility problems is true for ANY software. i'm not a gentoo fan but to point the finger at gentoo for this is plain stupid. this is a problem with individual software which, if they change their config layout, then wtf is gentoo supposed to do about it? the bottom line is that the admin has to weigh up the pros and cons of doing an update - that is after all the kind of thing you're being paid to do as a sysadmin.
If you mod me down, I will become more powerful than you can imagine....
I've been using Gentoo on our database / web / email / many-other-goodies server since August 2003 ( I keep emerge --sync logs ). I'm running the stable branch on our server, and the unstable ( ~x86 ) branch on desktops. I certainly agree that updates on the unstable branch have to be done thoughtfully, but building binary packages when emerging helps a great deal with disaster recovery. It's nothing that can't be fixed with a little searching.
But on the stable branch, I've actually been very surprised with how ... stable ... it is ( coming from the ~x86 branch ). I keep a separate binary packages repository for the server ... just in case ... but haven't actually had to back-track to anything yet. I do updates outside of work hours, and revdep-rebuild when upgrading major parts. I haven't had any catastrophes yet. Actually I haven't even had any mishaps yet. What can I say? If you are confident enough to run Linux on a server, I say you can handle the stable branch of Gentoo.
As for the points the author raised against Gentoo:
1) Too long to do initial install.
This one gives it away from the start. You only install once. But this is at the top of the list. I can't remember how long it took me to install Gentoo on this server, but it was probably 2 days or something. Who cares? That's what time I take installing *any* server. You don't just whack it together and put it into production. You install, you read, you test, you frig around some more. What's wrong with that? The author is no server administrator.
2) Same as point one, just repeated
WTF? Seriously, this author has his head up his arse. On the one hand, he later says that you shouldn't update willy-nilly on servers, and yet then says that it takes ages to update everything. So what, exactly, is he trying to achieve? It takes me about 10 - 15 minutes to update MySQL, which is the most common package I update. What's wrong with that? I back things up, shut down MySQL, emerge the new MySQL package, test, and import from backups if required. No problem? Where is this guy's problem, seriously?
3) Don't like updates, even if they are to more stable packages
Nothing forces you to update packages. Also, no-one claims that packages updates *won't* break things ( though my experience is that in the stable branch, updates *don't* break things ). But if you don't want to update, don't. No problem. If you do want to update, the tools are there to update easily. Sure you should pay attention to what you're doing. It goes without saying.
4) Same as point 3, but with the update impetus being security instead of stability
Doesn't deserve a response really.
I challenge this author to prove that he's actually used Gentoo Linux for more than 7 days without running crying back to Linspire.
Gentoo is great. Was it intended to be an enterprise ready OS? C'mon, this whole debate is kind of ridiculous. Red Hat/Suse/et al are great, they cost $$$ but the updates are Q/A'd, they work closely with major vendors and they *know* they'll lose market if they don't do their jobs well.
I'm sure it's possible to run a farm of Gentoo servers in production without problem. But that's not the point really. Time is money and as you scale up, reliability and complexity work against you.
I'm sure there are some amusing stories about systems admins running Gentoo farms, good and bad. But there's a reason you only commonly hear a few players mentioned in this particular market.
FWIW I started out using Debian, but on my personal projects (I test a lot of stuff out on my own production because it's much smaller and I'm much more forgiving). One day a simple update broke my PHP configuration. I never looked back.
On the server glamor is out and as close to bullet-proof as you can get is king. Period.
It's my job.
Quack, quack.
That would have had around 900 days uptime if my reboot-happy Windows-only-admin coworkers wouldn't have reset it in a panic on multiple occasions to "troubleshoot" (no it was never a problem with my OpenBSD box) mail problems.
I don't know what the hell it is with Windows-only admins and rebooting. The kind of instability that required reboots all the time was reduced drastically with Win2k and win2k3, yet that insatiable urge to reboot first and ask questions later still plagues my Windows-only counterparts.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
No one's saying that you can't use Gentoo on a server in production. Sure you can. You can even use LFS. The point is that there are many better alternatives for that sort of thing. Yes, you can manually mask packages you don't want to be updated etc... or you can just go Debian (for example) and save your time.
This author definitely sounds like he does not use Gentoo, nor is he a Unix Engineer. His only valid point: initial deployment does take longer than most other distributions. If you are in a data center/server farm where you are spitting out new deploys by the hour.... then gentoo probably isn't your best bet. However, if that's not the case then there is no excuse for initial setup time. A good admin should prefer the power, flexibility, ease of customization, and total control over a source based distro like Gentoo to a "fast deployment". A fast install should not even be on the list of things to consider when picking an OS to run your server. As far as "constantly upgrading and on the bleeding edge"...... In what class of Unix administration did you learn that you're supposed to update your server daily? Just because gentoo, the project itself, is constantly being upgraded (and there is a stable and unstable branch btw) does NOT mean that you need to upgrade your server every day with it. A server upgrade should be scheduled. I like to do mine once a month or 2 months. The only exception is if a security hole was found and a fix was released. In which case this would affect ALL distros and the same upgrades would be performed. With package masking you are in total control and you can specify what version of what application, package you need absolutely. Gentoo is a GREAT Linux server. Gentoo is a blank canvas, it only does and grows as you command. Very few distributions aside from Gentoo, Slackware, and Arch fit this description. Snoogins
I use Gentoo on a 20 CPU cluster with 12 nodes ( 181 days uptime now ). The slave nodes are running on a liveCD built on the Gentoo sources. I use Gentoo as network shaper, LTSP server, Mail and Web server. After trying different linux distributions, Gentoo seems to be the most flexible Linux distribution. About the stability? Gentoo forces you to get to know every part of your system. This knowledge is what helps you to solve the problems in critical situations. The control is in your hand.
Exactly that is what the T2 System Development Environment is for: While building from source it allows you to define exactly the subset of features you need and then create ISO, netinstall, flash, Virtual Machine images from the result and then do controlled update builds.
Additionally you can then install your exact image on multiple machines with all of them in the same, known-good state as you would do with commercial, pre-built Linux distributions.
Gentoo is great.
Gentoo is wonderful.
*IF* you're only administrating a small handful of servers.
When you have to look out for a few HUNDRED machines at a time, you **reaaaally** start to appreciate things like calendar based release cycles, binary packages, uniformity, hardware compatibility lists, repository mirroring, etc.
Gentoo is far too schizophrenic to be a reliable environment for n servers, especially in a "real" scenario.
Academically, Gentoo is a wonderful system.... but it's one of those things that works "great on paper" but sucks a lot of ass in Real Life. Trust me, you have better things to do than worry about whether or not upgrading one package for a minor security fix will drag along your system libs and userland utils with it. If this is the sort of thing you concern yourself with on a day to day basis, you're doing something WRONG.
Large environment management is a constant battle with entropy.
Hard drives die, switches fail, nics go bad, boards burn out, storage space fills up, and all this has to be dealt with. Using predictable, understandable, documented, tested and supported systems creates One Less Thing to worry about.
An entire IT staff should not have to be briefed on a daily basis about what the Gentoo Administrator decided to include in his(her?) build flags.
-s
While compiling from source will certainly give you optimisation for your given architecture, I often wonder at the situations where this should be imposed on you. I've seen people spend hours setting up gentoo users' desktops and have to ask about the necessity for this. On a production environment expecting high load levels, 'yes, build from source,' however on a user desktop, I think it's a waste of an organisation's time and money.
Gentoo's portage system gives one the illusion of hackerish control, but having been one with hackerish control, I look at emerge and am not so satisfied. I was recently trying to build perl and wanted to fire off configure options, so I fired up emerge -vp (which shows you valid USE flags). It seems that in many places it completely curtails what you can do, depending on what the port maintainer has decided to expose in the ebuild - so I couldn't fire off half the configure options I wanted to. In my personal opinion, this leaves me wondering why I'd even want to use emerge package. Further, i was also unable to direct the build to another PREFIX directory, which is generally handy when you want to have multiple versions of components. Obviously this breaks the packaging system's world of dependencies.
Portage might be more attractive to me if packages came in both binary and source flavours and if there was more control over your interaction with the build process. I don't like the fact that updating one emerge package seems to break your whole system and end up costing time. If I'm maintaining a desktop, I don't need this kind of hassle. I don't like emerging cpan modules, which are not consistently named. I don't need to see a large GUI application building for several hours.
SO, I ask myself, which is the best packaging system I've used? Strangely, I'm surprised when I arrive at RPM. I've used RPM on production systems and have been surprisingly happy with it. ebuilds are no harder than rpm specs, however the real beauty is something which I think is essential for modern enterprise systems: transactionality. RPM v4+ allows you to treat package updates as atomic transactions and in turn one can roll back from these to the previous iteration of touched files, without having to manually manage these. SO, what happens if you break the build? You roll back.
I have a lot of friends who have used gentoo and loved it for a couple of months. I don't know anyone who hasn't shagged up his/her system and further I know a lot of these people have tired of it and gone back to some other distro. And we're not talking about people who didn't know their way around a linux distro - it's typically frustration with portage. Anyway, I'm still going to give it a run for its money and see if I end up with a different attitude.
The article makes a few good points to which there is no doubt many valid counter arguments.
However there is one reason I definitely wouldn't use it on a production box: because gentoo _encourages_ compilation rather than packaging binaries you can't download a known good set of fingerprints/hashes/checksums (md5/sha1/whatever) to compare the system against...so from an _auditing_ point of view gentoo is a definite no no.
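The auditing objection above, and the build-once-then-replicate setup that other posters in this thread describe (one box compiles, the rest install its binaries), both come down to having a baseline to compare a host against. What follows is an added example, not code from this thread, from the blog post, or from Gentoo itself: a POSIX sh script that records a SHA-256 manifest of every file under a tree on a known-good build host and later checks a replica against that manifest, reporting modified, missing and unexpected files. It assumes GNU coreutils (sha256sum, comm, cut, mktemp); every path and file content in the demonstration is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a baseline manifest of SHA-256
# hashes taken on a known-good build host, and a check that a replicated
# host still matches it. Assumes POSIX sh plus GNU coreutils (sha256sum,
# comm, cut, mktemp). Paths and file contents in demo() are constructed.

# make_manifest ROOT OUT: write "<sha256>  ./relative/path" for every
# regular file under ROOT, sorted by path so two manifests can be diffed.
# (Paths are newline-delimited, so file names containing a newline are
# not supported.)
make_manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print | LC_ALL=C sort | \
      while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# verify_manifest ROOT MANIFEST: report every file that is modified,
# missing, or not in the baseline at all. Returns 0 only when ROOT
# matches the baseline exactly.
verify_manifest() {
    root=$1; manifest=$2; rc=0
    # the cd below would break a relative manifest path, so make it absolute
    case $manifest in /*) ;; *) manifest=$PWD/$manifest ;; esac

    # modified and missing files: sha256sum -c prints FAILED for both
    ( cd "$root" && sha256sum --quiet -c "$manifest" ) || rc=1

    # files present now but absent from the baseline: sha256sum -c only
    # looks at listed files, so compare the path sets separately
    base=$(mktemp); now=$(mktemp)
    cut -c67- "$manifest" | LC_ALL=C sort > "$base"   # 64 hex chars + 2 spaces
    make_manifest "$root" "$now.m"
    cut -c67- "$now.m" | LC_ALL=C sort > "$now"
    added=$(comm -13 "$base" "$now")
    if [ -n "$added" ]; then
        printf '%s: NOT IN BASELINE\n' $added
        rc=1
    fi
    rm -f "$base" "$now" "$now.m"
    return $rc
}

# Demonstration on a constructed tree: a known-good copy, a faithful
# replica, then the same replica after one file changes and one appears.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/good/usr/bin"
    printf 'binary one\n' > "$work/good/usr/bin/one"
    printf 'binary two\n' > "$work/good/usr/bin/two"
    make_manifest "$work/good" "$work/baseline.sha256"

    cp -R "$work/good" "$work/replica"
    verify_manifest "$work/replica" "$work/baseline.sha256" \
        && echo "replica matches baseline"

    printf 'something else\n' > "$work/replica/usr/bin/two"   # drifted file
    printf 'unexpected\n' > "$work/replica/usr/bin/three"      # extra file
    verify_manifest "$work/replica" "$work/baseline.sha256" \
        || echo "replica has drifted from baseline"
    rm -rf "$work"
}

demo
```

In practice the manifest is taken on the build host right after the build has been tested, stored somewhere the production hosts cannot write to, and run against each replica from that trusted copy; a manifest kept on the host it describes is only as trustworthy as that host. This is a point-in-time check in the spirit of `rpm -V`, not a substitute for a signed package database, and it says nothing about files a process holds only in memory.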
I have tried it only once, but it was recommended to me as "server distro".
The guy who introduced me to Gentoo used it in his company on several servers. He had two configurations (think two types of servers) and software was compiled correspondingly on two of the servers and then replicated to other servers. Strictly speaking, he had Gentoo only on two servers, while other servers used some kind of compiled/bundled internal versions produced by the two Gentoos. He didn't seem to experience any kind of problems.
P.S. The same guy actually also recommended a more accessible option for servers to me: OpenPKG. Gentoo is Linux, but if you need stable services running on a variety of Unices, OpenPKG is strongly advised. I believe he had used some parts of OpenPKG along with Gentoo.
All hope abandon ye who enter here.
guys, this has highlighted how many incompetent or just plain lazy system administrators there really are out there.. I've run many Linux OSes on many servers for many years from Deb to RedHat and even Gentoo.. portage on Gentoo is like any utility: useful but not the only way to update or keep stabilized. On Gentoo you can disable just about anything and yes you can build packages from source not just from the gentoo downloads but from anywhere you can download source code... come on, wind your necks in, it's a utility, it's not what you do as a sys admin, it's what you use and when you use it.
I run Gentoo on 2 x86 desktops and an amd64 laptop; I'd never run it on a production server. For servers I use Slackware or FreeBSD as a base and compile software from source on a staging system. There's no advantage to running Gentoo on a server; by the time you've futzed around with ever changing USE flags, you may as well have recompiled the software for those few public facing services from a source tarball.
The truth is that Gentoo changes too often, it moves key configuration files without adequate warning and finally, using portage overlays is more complex and time consuming than compiling manually. Even on a desktop machine, I often end up installing software outside of portage and running custom patched kernels. Great desktop distro, I have no idea why anybody would want to run it on a server.
Don't forget gentoo's habit of requiring library Y to upgrade package X, only for library Y not to build...
It has been my experience that upgrading anything "big" (i.e. firefox) almost never works without hitting a broken build for something in the dependency chain.
Perhaps; accidents happen in all systems, whether Windows or Linux Distros; sometimes a library is missed or some combination of apps causes a problem even in "release"-level updates.
This is hard with Gentoo.
No it's not. Once you know what went wrong, mask the package that caused the problem, then re-emerge.
Gentoo wants you to change a lot of stuff.
No it doesn't, at least not on a server. Desktop Gentoo machines offer to update something most days but servers go weeks between updates. And, frankly, I want security updates to my servers ASAP.
It wants to be bleeding edge.
No it doesn't. There is a toggle - both global and per-package - for "bleeding edge" and it defaults to "off". You will get very little sympathy from me for running with that set on your server.
So, to recap: The poster is a moronic little self-publicising blogger who doesn't understand what he's talking about and is incapable of using even the basic Gentoo sys-admin tools (like the -p flag to emerge, for example) and decided to whine about it to /. in order to get his hit count through the roof and then strut about it to his loser blog-friends. Magic.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
If you have a server farm with 100+ servers on it, which is easier to upgrade in a production environment: Gentoo with possible manual intervention, or Redhat using custom RPMs and Kickstart?
You may think me a tired, old, cynic. I'd have to disagree about the tired bit.
I run a site with 10 Gentoo Hardened servers. No big deal... never had a prob with them.
They're easy to maintain. Gentoo has lots of tools that help with the admin tasks, like glsa-update, catalyst, etc-update and portage itself. Most software installations and upgrades are smooth. Gentoo Hardened provides me with stable release cycles and many security features that give you headaches to implement on other distros. In fact, most tasks that I would spend ~20 minutes on with other distros I spend ~10 minutes on with Gentoo. Go on and try to install djbdns on Debian and then do the same with Gentoo.
I don't use portage directly. A script updates portage tree, sends me a mail with the glsa advisories and I run glsa-update, build the binaries and install them on the servers.
I even have more trouble with a Mandriva 2005 (!) server that I'm forced to maintain because of a stupid old ERP system. This ERP was crashing under Gentoo and the developer claimed that his system only runs perfectly on Mandriva or Conectiva. I installed Mandriva and the software kept crashing. After so much work learning how his own software works, he discovered that the problem was with the database... some underground software named Advantage Database System or so on. Well... the Mandriva server was running fine and I chose to keep it, because the developer would blame Gentoo for every problem with his crappy software.
TFA is about bullshit... posted by people who don't really understand how GNU/Linux works and people who flame things without really knowing the subject. Gentoo is such a great project... such as Debian and many others alike.
Sorry for the poor English. I had to express myself and talk about my experiences with Gentoo.
Nice flamewar. His basic complaint is that Gentoo is biased to using the latest versions of packages, and he wanted a system where the base libraries don't change so often. (The installers and binary packages already address all his other points.)
Whilst I accept that once you have fallen in love with Gentoo on the desktop it is easy to want to use it everywhere, you still have to have the right tool for the right job.
I run a public web server with a database server, and a workgroup file server. These need good reliability but more important very low maintenance; hence I have chosen not to use Gentoo.
I also run a public email gateway, where knowing that I am getting the best from the old hardware and ensuring that the whole system is security patched and running cutting edge spam filters makes Gentoo a valuable choice.
I also run some application servers that run custom code on top of fast developing OSS projects, these are running unstable profiles, with packages pulled from overlays. Here Gentoo is a godsend.
The whole argument of "Gentoo 'wants' you to update a lot of things" is trivially debunked. Gentoo isn't a distro per se, it is a meta-distribution. I have worked in environments where Gentoo was used on servers, desktops, and what have you. The "solution" to Gentoo's frequent changes is simple: maintain your own portage tree mirror, which you keep frozen until you are good and ready to roll out the next major update (which of course you only do after extensive testing, like any Suse, Red Hat, or debian update). You define your own in-house releases, not Gentoo (and you graft security updates to your own tree as they come out--this isn't difficult, as each security update is announced by package).
This is trivial to do, and leads me to suspect the person putting forward the argument against using Gentoo (or any other well-engineered distribution) on servers either has an agenda, hasn't taken much time to ponder the issue, or doesn't understand the technology.
Seriously, the "if it ain't broke, don't fix it" mentality is what pays my bills.
There are two kinds of "broke": there are gaps in functionality, e.g. migrating from Apache 1.x to 2.x... and then there are bugs that haven't affected you yet but are still in the code base. Just because you haven't experienced any problems yet does not mean there aren't any underlying problems in the packages you're using.
Case in point. The company I work for is in a mad dash to upgrade for the DST time change. And for those of you thinking "duh, you just upgrade your timezone files"... no, it's not that easy. Some Sun systems require firmware upgrades, almost all of the systems prior to 2005 require binary updates because they can't handle a timezone that has two rulesets (e.g. they would apply the new 2007 rules to timestamps from 2005), most JVMs have to be patched or upgraded, and some applications inexplicably do their own calculations and have to be updated as well.
The majority of the company has the "if it ain't broke" mentality and was running everything from NT 4.0 on DEC Alphas and Sun 2.4 to Windows 2003 64-bit and Solaris 10. Upgrading the older machines is an absolute nightmare because the vendor patches are built on one, two, even three years' worth of patches that we haven't applied. What should be a relatively simple upgrade task has broken applications all over the place and has our QA and Engineering staff bleary-eyed and ready for it all to just end.
The answer is controlled refresh. Twice a year you sync up your servers with a certain patchset. You don't go crazy... you just get vendor-required patches and include them in your dev and QA cycles. And you DO NOT USE EOL OSes in an enterprise environment. Ever. This includes commercial and FOSS packages.
Full Disclosure : I run two gentoo boxes at my house my workstation and my mythtv box. I patch them about once a week because I like to tinker. My web/file/mysql server is running on a stripped down Debian system that only gets patched every few months or if there is an advisory that comes out.
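As an added illustration of the "two rulesets" point in the post above (example code written for this page, not anything the poster ran or any vendor's patch): a system whose DST logic knows only the 2007 US rules will stamp part of 2005 with the wrong UTC offset, because it cannot also apply the pre-2007 rules to old timestamps. The Eastern-time offsets are real; the day-granularity model (ignoring the 02:00 transition) is a simplification.

```python
import datetime as dt

# US daylight-saving rules at day granularity (the 02:00 transition time is
# ignored). Pre-2007: first Sunday of April to last Sunday of October.
# From 2007 onward: second Sunday of March to first Sunday of November.

def nth_sunday(year, month, n):
    first = dt.date(year, month, 1)
    first += dt.timedelta(days=(6 - first.weekday()) % 7)   # weekday(): Monday=0
    return first + dt.timedelta(weeks=n - 1)

def last_sunday(year, month):
    next_month = dt.date(year, month + 1, 1) if month < 12 else dt.date(year + 1, 1, 1)
    last = next_month - dt.timedelta(days=1)
    return last - dt.timedelta(days=(last.weekday() + 1) % 7)

def dst_window(year, ruleset):
    """[start, end) of DST for `year` under a named ruleset."""
    if ruleset == "2007":
        return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)
    if ruleset == "pre2007":
        return nth_sunday(year, 4, 1), last_sunday(year, 10)
    raise ValueError(f"unknown ruleset: {ruleset}")

def in_dst(day, ruleset):
    start, end = dst_window(day.year, ruleset)
    return start <= day < end

def historically_correct_ruleset(year):
    # A system that carries both rulesets picks by year; a patched-once
    # system that only knows the 2007 rules cannot do this.
    return "2007" if year >= 2007 else "pre2007"

def eastern_offset_hours(day, ruleset):
    return -4 if in_dst(day, ruleset) else -5

def misapplied_days(year, single_ruleset="2007"):
    """Days of `year` on which a system that knows only `single_ruleset`
    reports a different UTC offset than a two-ruleset system would."""
    correct = historically_correct_ruleset(year)
    day, out = dt.date(year, 1, 1), []
    while day.year == year:
        if in_dst(day, single_ruleset) != in_dst(day, correct):
            out.append(day)
        day += dt.timedelta(days=1)
    return out

if __name__ == "__main__":
    bad = misapplied_days(2005)
    print(len(bad), "days of 2005 get the wrong offset on a 2007-only system,",
          "from", bad[0], "to", bad[-1])
```

For 2005 the two systems disagree for 28 days (13 March to 2 April and 30 October to 5 November), which is exactly the window in which old log timestamps, scheduled jobs and signed tokens come out an hour off; for 2007 and later they agree, which is why a naive "it works now" check after the patch proves nothing about historical data.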
If you're running Debian stable, almost all of your software will be quite out of date. Not just a little bit, but a lot.
And this shouldn't be considered offensive by Gentoo proponents. The fact is, on production servers, you need to run distributions that have legacy baked into their methodology and that do not have a conflict of interest or obvious impediment to such an effort.
Gentoo's aim *clearly* is to keep up to date with upstream constantly, plus add some patches for pending bugs, and the end user is smart enough and willing to put up with the inevitable pains in the ass that result from such an effort to always be cutting/bleeding edge (yes, Gentoo occasionally lags on a package depending on maintainer/build difficulties, but the goal is clear). The only periodic release you could remotely keep pace by is LiveCD releases, but the reality is that any given day may be significantly different in functionality/ABI compatibility than the previous and/or next. That is a fine segment of the population to target who will not be satisfied by anything that would be 'production appropriate', and Gentoo can't cater to both those and long-term production environments. I've been saying the same thing about Fedora Core (to a somewhat lesser, but still important extent), and the whole breakdown over 'Legacy' really proves that trying to maintain a cutting-edge distribution that releases frequently makes it nearly impossible to satisfy the needs of those not on the cutting edge. Add to that that Fedora Core has a fair amount of RH directing the path of FC and you have a conflict of interest. OpenSuSE I can't directly speak to, but with it being driven by the same company as SLES, I suspect OpenSuSE's situation is in line with FC.
As far as free 'production' appropriate distributions, so far the only "proven" ones are RHEL repackagings (CentOS high on the list, they deviate the least, others based on RHEL deviate more to differentiate themselves, and depending on that deviation things could get troublesome) and Debian. Now Ubuntu with Dapper has a stated goal of maintaining a release for years, so the stated goal aligns with this need. Add to this that ultimately Canonical is a commercial entity with a vested interest in Ubuntu LTS being embraced by their customers, and it seems likely Dapper will belong on this list. However, not enough time has passed to know yet.
I've known this for a long time. I like Gentoo, I just don't like the overhead that comes with it (compile time). In my current position, all the Linux servers were Gentoo. I'm slowly replacing them with Red Hat Fedora or RHEL depending on the job they perform. One of the Gentoo boxes was being attacked, so I off-lined it, imaged it onto identical hardware to run an update on it (it wouldn't update until I put the new profile on it, 2006.0?) and see how it went. Everything stopped functioning as it had. Needless to say, it now runs Fedora and I update what needs to be updated and that's it.
I like Gentoo, but in a production environment its way of doing things becomes a real issue.
Please tell me you didn't need an article to know that you shouldn't put something like that on a server. And I mean a server, not your home-built garbage.
You put supported operating systems on servers, period. That doesn't mean you need a support contract. That means it's in the vendor's list of supported operating systems for your hardware.
And if you can't afford the real thing, get a respin.
End of story, or it's gonna be the end of your job.
Gentoo..please...save it for your uber box at home..
And I don't need to read the article...
A little harsh but this is real life, don't put your company at risk, this isn't school...no one should have to teach you this or hold your hand..
They'll take an old (stable, well tested) build, and backport any critical features/security fixes. This is a non-trivial task.
Debian, in my experience, just leaves the old build in place, leaving you stranded if you need a new feature. If it's only one or two things, sure, Debian would be fine. Usually it's much more than that, which throws Debian out of consideration.
Although very few use Stable. Most are using testing.
Siker writes in to point out his blog post... This is just silly, /. editors.
I can't help but think, is it really Gentoo's fault? The majority of bugs I see on my server are related to the packages themselves, not Gentoo in any fashion. If the gnu-tar group releases a 'stable' release (1.16.1 has a serious bug with gnu incremental backups), how much testing should the 'tar' group put into their software vs. how much testing should go into every distro?
If you want to be super anal about things, then you would run your own barrage of tests before updating your 'live' servers.
You get what you pay for....
From TFA:
(Emphasis mine)
This kind of thinking made sense in 1995, when your servers were only hooked up to the office LAN. But now it's 2007 and they are hooked into a global network, on which millions of nefarious people are working hard every day to find new ways to crack systems.
This makes the "if it works, don't update it" line of thinking not just misguided but actively dangerous, because it means that you're not keeping up with security fixes that are issued to close avenues of attack that were never envisioned when the product first shipped. (Unless those fixes are included in the author's definition of "new features", that is. But I kind of doubt that.)
In short: "get it stable and leave it alone" is 20th century thinking. It's out of date for any system that touches the public Internet.
(Note that this is not an endorsement of the "update everything" philosophy as described in TFA. You should still know what you're updating, why you're updating it, and how things will change after the update. But "no updates" is just as silly as "update everything", IMHO.)
On a server that needs to be stable, in a production environment, you want to minimise the possible variables to deal with, minimise your exposure time to known threats and minimise the possibilities for making mistakes.
By compiling your own binaries, sure - if you're really anal you can examine the source to each and every program to make sure it's not trojan-ed. Sure, you can tweak use flags and optimisation flags as much as you like. However, if you do that you're running binaries that are probably quite different to the majority of the rest of the gentoo population.
If something goes pear-shaped, whose problem is it? Is it an issue with your compiler? The hardware you used to compile with? Your use flags? Your optimisation flags? Some obscure library out of date? Who knows? And when it's broken and down for a few hours, your boss's opinion is likely to be "who cares? just fix it".
If you're running a "known good" binary that has been compiled with "known good" flags, you minimise all that.
Sure, it won't be optimised, but 99% of the time with today's hardware it doesn't matter a shit. And *if* it does, locate the bottleneck/hotspot and optimise *that* package only, so you can keep the rest of your system as close to "standard" as possible, and you'll reduce your exposure to "weird" problems that most other people don't encounter.
I don't have any issues with Gentoo as a distribution, but seriously, horses for courses... I wouldn't personally choose to run OpenBSD as a multimedia desktop. By the same token, I wouldn't suggest running bleeding edge roll-your-own gentoo (roll-your-own-compile-flags FreeBSD for that matter) on a server, either.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Every backported fix I have ever seen either doesn't need to change hardly at all or changes in very well-thought-out ways to be applicable to the old version. I've even seen fixes that take the 2.4 <-> 2.6 (yes, it flows both ways) path. They are radically different in some ways, but not so different as to make code completely irrelevant.
I've run many distributions and supported them in large deployments, and did similar for Gentoo in small deployments (workstations and a rare server). Gentoo's approach by *far* leads to the most babysitting of updates and the most downtime (and most of it unanticipated) post-upgrade. revdep-rebuild was created to deal with the obvious linking implications of ABI-breaking library upgrades, but you have to examine and contemplate a pending update list to predict how things are likely to break, and then deal with the breakage. If you aren't careful, you suddenly end up with a new major version of your DB server and have to deal with that, or an Apache update that requires you to rebuild your plugins. Though more often by design than by accident, nearly blindly following upstream causes more headaches than not.
What you get out of Gentoo is that 99% of the time, you have the latest features package X has to offer. For production environments, this is almost never important across the board, and rarely is it important even for a particular package. This has its place, but not on production servers. On production servers, you shouldn't need to devote a large time to updates *and* suffer such downtime as a consequence, and you should *always* know without much of a thought if you are about to do a major upgrade with implications or a minor update that is not likely to cause major issues.
...I don't know what the hell it is with Windows-only admins and rebooting. The kind of instability that required reboots all the time was reduced drastically with Win2k and Win2k3, yet that insatiable urge to reboot first and ask questions later still plagues my Windows-only counterparts. It's still a good test when interviewing prospective Exchange/MS SQL/Windows admins. Ask them how to troubleshoot a fairly common scenario and if they mention the word reboot they go into the 'do not hire' pile.
I was a Gentoo user for many years, now mostly an Ubuntu user. I still have one server I need to migrate. Let me tell you. I set it up with Gentoo a few years ago and never updated it. Now, it is impossible to update it. Absolutely impossible. If I simply try to emerge sync, the whole thing will probably die right there and then. Gentoo has its place and use. It's a great desktop OS if you can spend a week or so configuring it to perfection. It's a wonderful developer's OS. Probably still the best. It's a great OS for a development server. A production server it is not, nor ever will it be.
Wtf did that guy think, putting a completely ignorant statement into a headline? He obviously has NO experience whatsoever with Gentoo.
Yes, it takes time to install, yes it occasionally breaks on updates, yes you should be updating very often to maintain the system (as ebuilds are gone very fast when new versions come out).
But harmful? Are you serious? Did you ever try to install subversion on a 3 year old redhat/debian/suse/... box? It's simply not possible, because you do not have the libs needed.
Have you ever managed multiple servers over a long period of time? You'll see: every distribution except Gentoo has to be completely reinstalled from scratch every 2-3 years.
Once you've reinstalled some 10 servers or so, you'll gladly thank Gentoo for its very existence.
I manage about 20 boxes, all with gentoo. I update a dev machine, sort out the problems of the upgrade (if there are any) and then transport this to all the other servers in no time. Mostly using binary packages.
I haven't reinstalled a single box since using gentoo, and that is certainly not considered harmful
I thought a lot of people were like me. For servers (especially facing Internet) I want nothing but a stable minimal base o/s from a distribution.
Then I build from source all and any services that I need such as web server, mail server, database server, etc.
That way I know that I have the latest available, with exactly the options that I need and exactly the dependencies that I know about.
Nobody fucking cares about those kinds of things except the people you listed that are "stereotypical" Gentoo users. So, get over the fact that Gentoo is specialized for only certain types of people who want to put up with it. I use it, but you're not going to see me putting it on my servers.
...post from a user pretending to be a sysadmin.
This is the reason I dropped Gentoo for FreeBSD on my server back in 2002. I had used Gentoo for a bit then, as it was very new, and loved it on the desktop so I put it on the server, but as described I was constantly fixing things due to updates. Enter FreeBSD and its ports system; I'm in heaven. For me it's *the* server platform if you don't need Solaris, and unless you need to run Oracle I can't see a reason why anyone would really *need* Solaris, unless they just like paying too much for hardware!
Here's the uptime for a Gentoo desktop machine.
Gentoo has long been considered a hobbyist's flavor of Linux, and as much as I enjoy Gentoo as a hobbyist, I've come to learn that a slim hardened version of Gentoo will have almost no trouble at all. A slim server that requires a minimal number of packages requires a minimal number of updates, and runs extremely well.
I also love that Gentoo has THEE quickest reaction time to security updates, leaving your competition vulnerable and you safe. I've got multiple computers running Gentoo. One is my home desktop that I didn't use for probably 2 months. In that period of time there were 800 packages that had to be updated; I'm now down to about 200 that I still have to finish, and that is exactly what this article talks about. However, a server won't have that many packages to begin with because it won't have GNOME, KDE, Beryl, nvidia, DVD support, MythTV and other optional programs, and games! However, while my Gentoo server, left alone for 2-3 years, probably would require everything to be updated, it would flow much more smoothly than a desktop update.
Gentoo is great on servers as long as you don't have everything installed. Gentoo is great on desktops as long as you keep upgrading. Gentoo rox.
If you want a server, don't use a bleeding-edge distro. Use a stable one like Debian, RHEL/CentOS, etc. If you want something up to date, then use something like Gentoo or Ubuntu or Fedora.
Is it just me, or is this an obvious conclusion?
"I firmly believe in updating server software only when you need to. If you don't need new features, and things are working, why change anything?"
I agree... so why does this preclude using Gentoo?
Because sometimes you *have* to update, to fix security problems. Ideally, you want those updates to change as little as possible, other than to patch the hole. This is why e.g. Debian stable releases are an *advantage*: if you're using stable, the versions of the software you have will never need to be updated - security fixes are *backported* into the versions tested and blessed for that stable release.
If your idea of fixing security problems is to update to the latest upstream version, you will eventually get bitten by this: either you'll end up updating dependencies to match upstream's expectations, or you won't and you'll end up with incompatibilities on your system.
The Koan of Proximity of Genius Effect
The Master walked into the room and watched a student power-cycle a machine several times in hope of getting it working.
The Master approached the student, hit him upside the head and declared: "Idiot! You cannot simply power-cycle a machine and expect it to work without having any idea what is wrong!"
Then the Master turned the machine off and back on. And it worked. The student was enlightened.
C'mon, now, you should recognize religious war baiting on Slashdot by now. This is where a quarter of the readership spends hours yelling at each other about how their one-size-fits-all solution is superior in all situations, generating ad impressions, and nobody recommends a requirements analysis.
Things subscribers can now see in the queue: vi Considered Harmful, MySQL Considered Harmful, and bash Considered harmful.
At work here, I have to do a lot with DOS. Knowing this tendency to reboot things, I've added several fixes for common problems to their autoexec.bat files, so that the machine automatically fixes lots of random things if they're broken every time they reboot it.
:)
Sometimes, when possible, it's just easier to work with their natural tendency than against it
Hmm, that's funny, I update/upgrade my Debian 'stable' server periodically, and have never needed to edit a config file.
I update/upgrade my Debian 'unstable' workstation all the time, and only occasionally have to double-check its update of my config files.
It basically just works....
Whoever wrote this has obviously never set up automated updates for any number of computers. One basic option of almost all update programs is to not upgrade where the configuration file has been updated. And not updating just because everything appears to be running fine is a security nightmare, as most updates, especially for server-side programs, are exploit/security updates, not "new features". Besides all that, it's not too hard to do a diff between your .conf backup and the new .conf. (If you aren't backing this stuff up, and you're complaining about updates, not only should you quit your job, you should never boot to anything but Windows.)
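To make the "diff your backup against the new .conf" advice above concrete, here is an added example (written for this page, not the poster's script and not etc-update or dispatch-conf) that compares the running config with the freshly shipped default and reports which directives the package added, dropped or changed. The sshd_config-style input is constructed; the point is that blindly accepting the shipped file would silently re-enable root login and password authentication, which is exactly the kind of change you want surfaced before you say yes to a merge.

```python
import difflib
import re

# Constructed sample input in an OpenSSH-style "Directive value" layout.
RUNNING = """# running config on the server (constructed)
Port 2222
PermitRootLogin no
PasswordAuthentication no
Protocol 2
"""
SHIPPED = """# new default shipped by the package (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
"""

# Accepts "Key value" and "Key = value" lines; a bare "Key" with no value is skipped.
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_][\w.-]*)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_directives(text):
    """Map directive -> value, ignoring blank lines and '#' comments.
    Simplifications: '#' inside a value is treated as a comment, and a
    repeated directive is last-wins (many flat configs are first-wins)."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def config_delta(running, shipped):
    """Directives the new default adds, drops, or sets differently from the
    value you are actually running. 'changed' entries are (key, running, shipped)."""
    old, new = parse_directives(running), parse_directives(shipped)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old.keys() & new.keys()
                          if old[k] != new[k]),
    }

def unified(running, shipped, name="sshd_config"):
    """Plain line diff, the same view 'diff -u backup new' gives you."""
    return "".join(difflib.unified_diff(
        running.splitlines(True), shipped.splitlines(True),
        f"{name}.running", f"{name}.new"))

if __name__ == "__main__":
    delta = config_delta(RUNNING, SHIPPED)
    for key in delta["added"]:
        print(f"new directive in shipped default: {key}")
    for key in delta["removed"]:
        print(f"directive you set is gone from shipped default: {key}")
    for key, was, now in delta["changed"]:
        print(f"{key}: running={was!r} shipped={now!r}")
    print(unified(RUNNING, SHIPPED))
```

Run it against the real files (the running copy and the package's `._cfg0000_` candidate) before merging; the "changed" list is the one to read line by line, since every entry is a setting you deliberately chose that the vendor default would overwrite.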
Because of its near-unlimited adaptability, we call Gentoo a metadistribution.
;)
Sorry, we screwed the pooch on that one.
In looking over the list of complaints this article has, he makes some good points. I think that his complaint is not about Gentoo so much as about specific tools he would like to see:
1-2 Gentoo is too time consuming to install.
Basically he is complaining about the lack of a Red Hat-like or Debian-like graphical installer. While such a thing does exist for Gentoo, it is in the early stages. Moreover, for anyone seeking to exploit the power of the system, you will have to take time. One of the primary time-sinks in the install process is the setting up of use flags, which the author lauds just a few paragraphs earlier.
From past experience with both Red Hat and Debian, they were easier to install but lacked the fine-point control that came with things like the use flags.
3-4 Update Everything
Again, this is more of a complaint about specific tools and not quite true in my opinion. Firstly, Gentoo does not require that you update everything, either for security or simple maintenance. The profile system does not "force" a change every day or even every year. Profiles have a long-term use and a support cycle much like a Debian release. After a specified period (most recently 4 years) I was informed that I should upgrade my profile or lose some support. That is no different than the messages that I received from Red Hat back when I used them.
Similarly, emerge allows you to specify packages on a finer level than "world". This means that you do not have to upgrade everything or nothing in a single go. Yes, some packages (e.g. MySQL and Xorg) carry a heavy burden of dependencies with them and will cause a large number of dependencies to come with them, but it is up to the sysadmin to update them if they so wish.
Gentoo has existing features (consistent with its package system) to enable a sysadmin to freeze some or all of the packages. These include package.unmask, package.mask, package.use, and portage overlays, which allow you to freeze the individual packages at a set version and prevent them from being upgraded automatically.
With the specific security updates, I will grant you that gentoo does not, yet, have a single tool for simply "executing security updates at the commandline". There is ongoing work on integrating the GLSA tools with emerge. It would be nice to have them.
While I do think that this guy tested Gentoo before using it I think that he missed a few details in his study.
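The post above lists package.mask as the way to freeze versions and notes the lack of a single "apply security updates" tool, an earlier poster scripts the same thing (sync, mail the GLSAs, build), and a later reply objects that pinning just defers the update until you are stuck. As an added example written for this page (not the poster's script, not glsa-check from gentoolkit, and not Portage's own version code), here is a small audit that reads an advisory in the GLSA XML layout, decides whether the installed version is vulnerable, and then checks whether every version the advisory calls unaffected is blocked by a package.mask atom, which is precisely the conflict the pinning objection describes. The advisory, package name (app-misc/exampled), versions and mask file are all constructed; the version comparison is a simplified version of Gentoo's rules and is labelled as such in the code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed advisory in the GLSA XML layout (affected/package with
# <unaffected>/<vulnerable> version ranges). Id, package and versions are
# made up for this example and describe no real advisory.
SAMPLE_GLSA = """<?xml version="1.0"?>
<glsa id="200001-01">
  <title>exampled: constructed example advisory</title>
  <affected>
    <package name="app-misc/exampled" auto="yes" arch="*">
      <unaffected range="ge">1.2.3-r1</unaffected>
      <vulnerable range="lt">1.2.3-r1</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Constructed /etc/portage/package.mask from an admin who froze exampled on
# the 1.1 series to postpone the 1.2 configuration changes.
SAMPLE_MASK = """# keep exampled on 1.1.x until the next maintenance window
>=app-misc/exampled-1.2
"""

# Simplified Gentoo version ordering: dotted numbers, optional letter,
# _alpha/_beta/_pre/_rc/_p suffixes, -rN revision. Leading-zero components
# and "*" globs are not handled.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$")

def version_key(version):
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    suffixes = tuple((_SUFFIX_RANK[s], int(n or 0)) for s, n in
                     re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m["suffixes"]))
    return (nums, m["letter"], suffixes or ((_SUFFIX_RANK[""], 0),), int(m["rev"] or 0))

def version_cmp(a, b):
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)

# GLSA range attributes and package.mask operators, as tests on cmp(candidate, bound).
_RANGE_OK = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
             "ge": lambda c: c >= 0, "gt": lambda c: c > 0}
_OP_OK = {"<": _RANGE_OK["lt"], "<=": _RANGE_OK["le"], "=": _RANGE_OK["eq"],
          ">=": _RANGE_OK["ge"], ">": _RANGE_OK["gt"]}
_ATOM_RE = re.compile(r"^(?P<op>[<>]=?|=|~)?(?P<cat>[\w+.-]+)/(?P<pn>[\w+-]+?)"
                      r"(?:-(?P<ver>\d[\w.]*(?:-r\d+)?))?$")

def parse_glsa(xml_text):
    root = ET.fromstring(xml_text)
    pkgs = []
    for pkg in root.find("affected").findall("package"):
        pkgs.append({
            "name": pkg.get("name"),
            "unaffected": [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")],
            "vulnerable": [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")],
        })
    return {"id": root.get("id"), "title": root.findtext("title"), "packages": pkgs}

def atom_masks(atom, package, version):
    """True if a package.mask atom covers `version` of `package`."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom}")
    if f"{m['cat']}/{m['pn']}" != package:
        return False
    if m["ver"] is None:
        return True                      # bare atom masks every version
    if m["op"] == "~":                   # same version, any revision
        return version_key(version)[:3] == version_key(m["ver"])[:3]
    return _OP_OK[m["op"] or "="](version_cmp(version, m["ver"]))

def audit(glsa_xml, installed, mask_text):
    """installed: {package: version}. Returns [(package, version, status)],
    status being 'ok', 'vulnerable', or 'vulnerable-fix-masked' when every
    version the advisory lists as unaffected is blocked by package.mask."""
    atoms = [a for a in (l.split("#", 1)[0].strip() for l in mask_text.splitlines()) if a]
    findings = []
    for pkg in parse_glsa(glsa_xml)["packages"]:
        name = pkg["name"]
        if name not in installed:
            continue
        ver = installed[name]
        safe = any(_RANGE_OK[r](version_cmp(ver, b)) for r, b in pkg["unaffected"])
        hit = any(_RANGE_OK[r](version_cmp(ver, b)) for r, b in pkg["vulnerable"])
        if safe or not hit:
            findings.append((name, ver, "ok"))
            continue
        fixes = [b for r, b in pkg["unaffected"] if r in ("ge", "eq")]
        blocked = bool(fixes) and all(any(atom_masks(a, name, f) for a in atoms) for f in fixes)
        findings.append((name, ver, "vulnerable-fix-masked" if blocked else "vulnerable"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GLSA, {"app-misc/exampled": "1.1.9"}, SAMPLE_MASK):
        print(*finding)
```

With the constructed inputs the result is "vulnerable-fix-masked": the box is on 1.1.9, the advisory wants 1.2.3-r1 or newer, and the admin's own mask line forbids exactly that. A cron job that runs this over the synced GLSA directory and the output of `equery list` (or a parse of /var/db/pkg) and mails only the non-"ok" lines is the "frozen tree plus grafted security updates" workflow from earlier in the thread, and it makes the cost of each pin visible the day an advisory lands rather than months later.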
I have five Gentoo boxes and while they can be a pain in the ass to update (especially given the hell that was portage in 2006), I find that only my server upgrade is problem free. Servers shouldn't be running much software in the first place, as long as you keep X off, you shouldn't have many problems with it cause you aren't updating that much.
I have considered switching my workstations over to Gentoo, but my server will always be Gentoo. It's the only computer exposed to the outside world so I want to be sure it has the latest updates. It also seems like with any other distro, you have to reinstall everything every few years or so and I don't want to deal with that downtime.
On frequency of updates, if you plan to ever go more than a month without updating, then you shouldn't be using Gentoo at all. And whereas once a month used to be good, I'd say 2 to 4 times a month is in order now. You may not need any of the updates, but the longer you wait, the less likely you'll be able to update at all.
My feelings? Do Gentoo if you want to; but do it sensibly.
Myself, I run Gentoo in a very small environment. However, I do it in a way that makes things stable, effective and reliable. Simply, my customer has a couple of big meaty servers that run VMware ESX. These provide the stable base. Then the actual work servers are each virtual machines in fault-tolerant instances. Each virtual server has only a small amount of RAM, disk space and resources, and each runs a particular service or collection of related services (depending on SLA). Each work server is a Gentoo box.
In this way, if you need to do an upgrade on your email router (a hypothetical box that merely routes mail, not stores it) then you can do your "Gentoo magic" and upgrade it without affecting other services (such as HTTP, or file storage, or... you get the picture). As a bonus, before you start you can snapshot the server so that in the event of a borked upgrade you can roll back immediately and your customer's downtime is kept to an absolute minimum.
It seems to me this is a great way to do things. At the moment, said customer's ESX servers are around 380 days of uptime (last downtime was due to environmental issues, not server problems), and each of the virtual instances vary between the max 380 days of uptime and only a couple of weeks. At least one of them has had a rollback (the file server), but the files the customer used were actually on a SAN volume so they weren't part of the snapshot. Said rollback was because of a borked Samba installation, and time from identification of the problem to resolution was in the minutes. As soon as I realized it was going to take some work to fix, I pulled the trigger on the rollback and tried again during the next maintenance window (which succeeded by the way).
So long as you manage it correctly, why not use Gentoo? It's certainly the most likely to be secure since it can be as fat or slim as you like, and has all the latest security patches almost by default.
I can see where the author is coming from. I replaced my Red Hat 6.2 colo server with Gentoo 2003.0 4 years ago and have not looked back. This server has a couple hundred thousand uniques visiting various hosted domains every month. It isn't mission critical, but it is important enough that if it goes down I get calls nearly right away from people wondering what happened to their stuff. (I've been very unlucky with my choice of hard drives.)
I had two big problems with using RedHat.
One, it was amazingly incredibly out of date after a year. When too many newer packages wouldn't install on the system, I'd update to a newer redhat, but then I'd have to take huge amounts of time reapplying and checking all the various customizations I had made to the previous install. I hated doing that.
Two, RedHat did not provide RPMS for what seemed like most applications that I wanted on the server. This invariably meant that I was compiling what I wanted from sources, and so I had to deal with library hell anyway. There are other repositories for packages now like via Yum... but the last time I checked (and this has been a while ago) most of the obscure packages I like to install were not in the repository, but they are in portage.
Anyway, in those 4 years of running Gentoo on the server, I have had a couple of traumatic experiences.
One of my profiles was deprecated and I had to switch to a new updated one, and there was a good deal of configuration breakage.
Some time ago, the Gentoo folks decided to change the way Apache behaved, and since I wasn't diligently keeping up with new changes, my Apache server was down for a while while I figured out what happened. There was good documentation, I just didn't pay attention.
The gentoo folks switched from using Xfree86 to Xorg at some point, and I spent quite a long bit of time recompiling everything X and getting that sorted out.
I also got bitten by mysql upgrade issues when going from 4 to 5 that brought down my service for a while.
One annoying thing that happens fairly often is a lot of peoples websites break when I upgrade php. But I at least have it down pat enough to force upgrade several users photo galleries when I upgrade.
Besides for hardware issues, those have been my biggest issues while running gentoo on a server these past 4 years.
The benefits I get are of course being able to easily install pretty much any open source application I want which is just killer. Because I have a multiuser server, I also originally set up gentoo to be hardened. I had enough issues with lame users trying to get root with their shell account that I truly appreciate the benefits of a hardened install.
I do know that it is one thing to use gentoo on one server you pay a lot of attention to rather than deploying it on a lot of other servers that you probably don't want to pay so much attention to. There are tools and procedures in place to make multiple gentoo deployments reasonable. Building binary packages on a development system and deploying them to the production systems would be a must. I do that a lot on my home systems and it works well.
Oh yeah, I've been running on unstable this entire time. When I first set up the system I didn't realize you could run stable and then grab a few unstable packages. Oops.
You have to a) realize what packages must be pinned and b) forgo any potentially badly needed updates for that package until you are thoroughly fucked and you realize you have a problem. The good thing about having a trusted update source that won't pull in upstream blindly is that you *don't* have to worry and you *don't* end up on forums looking for the reason why X went south and what release Y ends up addressing your problem, at which point you *then* have to do the update you were fearing in the beginning.
Pinning versions is *not* a solution. Just accept that Gentoo is *not* appropriate for the discussed environment because it caters to a different group than that. It does what it aims to do well and shoehorning it everywhere because you like it on your personal systems is simply not good.