[clug] Distro advice for server

Daniel Black daniel.subs at internode.on.net
Wed Jun 7 11:20:00 GMT 2006 

On Wednesday 07 June 2006 20:49, jan wrote:
> Chris Smart wrote:
> >How do you maintain your Gentoo servers? I have a few scripts I use, like
> >one that emails me security vulnerabilities and then I go and fix them
> >manually.
> >
> >I guess I'm not totally confident that if I update a package under Gentoo
> >that it's not going to break something due to lack of testing. Mind you I
> >haven't had this happen that I can think of, but on a server that I have
> > to rely on it's niggling at the back of my mind.

>
> There are 2 proposals to fix these issues:
>
> 1.
> http://www.gentoo.org/proj/en/glep/glep-0014.html
> also see
> http://www.gentoo.org/proj/en/portage/glsa-integration.xml

glsa-check is still part of gentoolkit. I there are any still a few 
outstanding bugs on it so it cannot be incorporated into the mainstream yet. 
It is more likely to move forward that glep19 though.

> and
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=14
>
> 2.
> http://www.gentoo.org/proj/en/glep/glep-0019.html

Hmm this glep hasn't moved for ages. It has a spout of interest in Jan 2006. 
It tends to lack the numbers in the package maintainer community to support a 
stable version branch though. Redhat and to some extent Debian (correct me if 
I'm wrong) put a lot of effort into backporting fixes. Gentoo people (I 
include myself here) are just too lazy and say 'if the next version fixes it 
then that can be the new stable version'.

My thoughts were:

I'd suggest having a uml test overlay on your server. Have the main filesystem 
overlayed with unionfs/cow drivers so that the main system is protected from 
changes. Configure services to look at the real server for database and 
webpages and the like. Do your upgrade on the uml and test there. Before 
upgrading to the main server do a quickpkg to get a binary tarball of the 
previous version of a particular upgrade so it can be revered easily.

probably should write a doco on it.


-- 

Daniel Black
--
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x9E0C7E3B
GPG Signature 15AB 91B4 9896 A81A 4976 8C51 6E0A 9607 9E0C 7E3B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.samba.org/archive/linux/attachments/20060607/fa238e7f/attachment.bin

More information about the linux mailing list