* [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-08-31 13:07 UTC
To: gentoo-dev

Could one implement all package management emerge does through ssh (scp)?

I would like to be able to use this command:

emerge -u world server.mydomain.com

where world, make.conf and other settings would be read from the server; however, the portage tree would be local, so only one computer needs emerge sync, and packages would be cross-compiled for the server and then copied through ssh to the server.

"emerge -u sendmail *.mydomain.com" =)

This way I could spare my poor 486 from compiling duties.

-John

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Portage through SSH
From: Marius Mauch @ 2003-08-31 13:32 UTC
To: gentoo-dev

On Sun, 31 Aug 2003 15:07:38 +0200
John Nilsson <john@milsson.nu> wrote:

> Could one implement all package management emerge does through ssh
> (scp)?
>
> I would like to be able to use this command:
>
> emerge -u world server.mydomain.com
>
> where world, make.conf and other settings would be read from the
> server; however, the portage tree would be local, so only one computer
> needs emerge sync, and packages would be cross-compiled for the server
> and then copied through ssh to the server.
>
> "emerge -u sendmail *.mydomain.com" =)
>
> This way I could spare my poor 486 from compiling duties.

The cross-compilation is not possible now (maybe with some hackish scripts, but not "out of the box"); however, you can share the portage tree over NFS, so you only need one copy. And of course you can run emerge over ssh, so "ssh root@yourbox emerge -upv world" should work. And if you don't want to keep the ssh session open all the time, use "screen".

Marius
* Re: [gentoo-dev] Portage through SSH
From: Luke-Jr @ 2003-08-31 14:17 UTC
To: Marius Mauch, gentoo-dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Last I checked, it was fairly simple to cross compile for another x86 CPU as long as the one compiling was also x86... Just change the CFLAGS and such and emerge it locally (with buildpkg), copy the output package and use -K on the target system...

On Sunday 31 August 2003 01:32 pm, Marius Mauch wrote:
> The cross-compilation is not possible now (maybe with some hackish
> scripts, but not "out of the box")

- --
Luke-Jr
Developer, Gentoo Linux
http://www.gentoo.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/UgObZl/BHdU+lYMRAkMgAJwKPMfixHANLrfRvBAy3xUNarkn4wCeJ9KC
V0zLmUrfPV6pxnOInjfdi+8=
=mC7O
-----END PGP SIGNATURE-----
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-08-31 14:20 UTC
To: Marius Mauch; +Cc: gentoo-dev

No, you are missing the point. I want emerge to execute on one host and then do the file operations (install, delete and that) on a remote host.

- John

On Sunday 31 August 2003 at 15:32, Marius Mauch wrote:
> On Sun, 31 Aug 2003 15:07:38 +0200
> John Nilsson <john@milsson.nu> wrote:
>
>> Could one implement all package management emerge does through ssh
>> (scp)?
>>
>> I would like to be able to use this command:
>>
>> emerge -u world server.mydomain.com
>>
>> where world, make.conf and other settings would be read from the
>> server; however, the portage tree would be local, so only one computer
>> needs emerge sync, and packages would be cross-compiled for the server
>> and then copied through ssh to the server.
>>
>> "emerge -u sendmail *.mydomain.com" =)
>>
>> This way I could spare my poor 486 from compiling duties.
>
> The cross-compilation is not possible now (maybe with some hackish
> scripts, but not "out of the box"); however, you can share the portage
> tree over NFS, so you only need one copy. And of course you can run
> emerge over ssh, so "ssh root@yourbox emerge -upv world" should work.
> And if you don't want to keep the ssh session open all the time, use
> "screen".
>
> Marius
* Re: [gentoo-dev] Portage through SSH
From: Marc Giger @ 2003-08-31 14:35 UTC
To: gentoo-dev

On Sun, 31 Aug 2003 15:07:38 +0200
John Nilsson <john@milsson.nu> wrote:

> Could one implement all package management emerge does through ssh
> (scp)?
>
> I would like to be able to use this command:
>
> emerge -u world server.mydomain.com
>
> where world, make.conf and other settings would be read from the
> server; however, the portage tree would be local, so only one computer
> needs emerge sync, and packages would be cross-compiled for the server
> and then copied through ssh to the server.
>
> "emerge -u sendmail *.mydomain.com" =)
>
> This way I could spare my poor 486 from compiling duties.

What's with distcc?

DISTCC_HOSTS="compiling_hosts" emerge -u sendmail ??

Just leave localhost out of DISTCC_HOSTS. That way it will only do preprocessing and such things on your 486. The object generation will be done on the "compiler_host"...

greets

Marc
* Re: [gentoo-dev] Portage through SSH
From: Douglas Russell @ 2003-08-31 15:01 UTC
To: gentoo-dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sunday 31 August 2003 3:35 pm, Marc Giger wrote:
> On Sun, 31 Aug 2003 15:07:38 +0200
> John Nilsson <john@milsson.nu> wrote:
> > Could one implement all package management emerge does through ssh
> > (scp)?
> >
> > I would like to be able to use this command:
> >
> > emerge -u world server.mydomain.com
> >
> > where world, make.conf and other settings would be read from the
> > server; however, the portage tree would be local, so only one computer
> > needs emerge sync, and packages would be cross-compiled for the server
> > and then copied through ssh to the server.
> >
> > "emerge -u sendmail *.mydomain.com" =)
> >
> > This way I could spare my poor 486 from compiling duties.
>
> What's with distcc?
>
> DISTCC_HOSTS="compiling_hosts" emerge -u sendmail ??
>
> Just leave localhost out of DISTCC_HOSTS. That way it will only do
> preprocessing and such things on your 486. The object generation will
> be done on the "compiler_host"...
>
> greets
>
> Marc

distcc works well, but on my Cyrix 166 the linking takes absolutely ages. It is much faster to just cross-compile for it on such a slow machine with the -K method mentioned in another email.

Puggy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Ug3CXYnvgFdTojMRAjoqAJ42yIx8R2QxYW1OSVDmcr33aNjP+QCfcncq
kPL4ZUIkvmhjTsPs0SR1FfM=
=tHGt
-----END PGP SIGNATURE-----
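The buildpkg / -K workflow that Luke-Jr describes and Douglas recommends above, written out as a small shell script. This is an added example, not code from the thread, from Portage or from Gentoo: it builds a binary package on the fast host with the leaf's CFLAGS, copies the package tree over ssh, and installs it on the leaf from binaries only, so the leaf never runs a compiler. The host name leaf.example.net, the PKGDIR default, the DRY_RUN switch and the atom check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Portage): build on the fast host,
# push the binary package to a slow leaf over ssh, install there with -K.
# leaf.example.net, PKGDIR and DRY_RUN are assumptions for this example.
set -eu

PKGDIR="${PKGDIR:-/usr/portage/packages}"   # where FEATURES=buildpkg writes .tbz2 files
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands instead of running them

# Run a command, or print it when DRY_RUN=1 so the steps can be reviewed first.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a plain category/package atom; spaces, shell metacharacters or an
# empty string are rejected before the atom is ever placed on an ssh command line.
valid_atom() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.+-]*/[A-Za-z0-9_][A-Za-z0-9_.+-]*$'
}

# push_package TARGET ATOM TARGET_CFLAGS
#   1. build ATOM here for the leaf's CPU; -B (--buildpkgonly) packages without
#      installing locally, the same binary package FEATURES=buildpkg would produce
#   2. copy the binary package tree to the leaf over ssh
#   3. on the leaf, install from binaries only (-K = --usepkgonly), no compiling
push_package() {
    target="$1"; atom="$2"; target_cflags="$3"
    valid_atom "$atom" || { printf 'refusing malformed atom: %s\n' "$atom" >&2; return 2; }
    run_cmd env CFLAGS="$target_cflags" CXXFLAGS="$target_cflags" \
        emerge --buildpkgonly "$atom"
    run_cmd scp -r "$PKGDIR/." "root@$target:$PKGDIR/"
    run_cmd ssh "root@$target" "PKGDIR=$PKGDIR emerge --usepkgonly $atom"
}

# Dry-run demonstration for a 486 leaf (constructed values).
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    push_package leaf.example.net mail-mta/sendmail "-O2 -march=i486"
fi
```

Run it with --demo to see the three commands without executing anything; with DRY_RUN unset it runs them. The CFLAGS passed in must match the leaf's CPU, which is the whole point of Luke-Jr's note: the package is built on the fast box but for the slow one.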
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-08-31 15:15 UTC
To: Douglas Russell; +Cc: gentoo-dev

For me the problem is that the machines can't even run emerge sync, much less search for deps and that kind of calculations. I want EVERYTHING portage to be executed on one host (or with distcc a selected few) but still be able to manage the software on the other hosts. Best would be if I could uninstall portage from the other hosts completely.

-John

On Sunday 31 August 2003 at 17:01, Douglas Russell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sunday 31 August 2003 3:35 pm, Marc Giger wrote:
>> On Sun, 31 Aug 2003 15:07:38 +0200
>> John Nilsson <john@milsson.nu> wrote:
>>> Could one implement all package management emerge does through ssh
>>> (scp)?
>>>
>>> I would like to be able to use this command:
>>>
>>> emerge -u world server.mydomain.com
>>>
>>> where world, make.conf and other settings would be read from the
>>> server; however, the portage tree would be local, so only one computer
>>> needs emerge sync, and packages would be cross-compiled for the server
>>> and then copied through ssh to the server.
>>>
>>> "emerge -u sendmail *.mydomain.com" =)
>>>
>>> This way I could spare my poor 486 from compiling duties.
>>
>> What's with distcc?
>>
>> DISTCC_HOSTS="compiling_hosts" emerge -u sendmail ??
>>
>> Just leave localhost out of DISTCC_HOSTS. That way it will only do
>> preprocessing and such things on your 486. The object generation will
>> be done on the "compiler_host"...
>>
>> greets
>>
>> Marc
>
> distcc works well, but on my Cyrix 166 the linking takes absolutely
> ages. It is much faster to just cross-compile for it on such a slow
> machine with the -K method mentioned in another email.
>
> Puggy
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQE/Ug3CXYnvgFdTojMRAjoqAJ42yIx8R2QxYW1OSVDmcr33aNjP+QCfcncq
> kPL4ZUIkvmhjTsPs0SR1FfM=
> =tHGt
> -----END PGP SIGNATURE-----
* Re: [gentoo-dev] Portage through SSH
From: Georgi Georgiev @ 2003-08-31 16:52 UTC
To: gentoo-dev

On 31/08/2003 at 17:15:02(+0200), John Nilsson used 2.0K just to say:
> For me the problem is that the machines can't even run emerge sync, much
> less search for deps and that kind of calculations. I want EVERYTHING
> portage to be executed on one host (or with distcc a selected few) but
> still be able to manage the software on the other hosts. Best would be
> if I could uninstall portage from the other hosts completely.

You can mount the remote filesystems over nfs and then set ROOT=/mnt/remote to make the portage on the original system install stuff on the remote one. This method also has its problems of course. Last time I tried it, I had lots of trouble with, for example, mplayer autodetecting some libraries on the compiling computer that are not installed on the slow host that I was compiling for. Even emerge -p was failing because the version of glibc on the compiling system was older (only by a release) than the one on the remote system.
http://bugs.gentoo.org/show_bug.cgi?id=22722

Another thing I tried: mount the remote filesystems with full permissions, chroot over there and start compiling. You may want to "mount -o bind /var/tmp/portage /mnt/remote/var/tmp/portage" and also do the same with /usr/portage. I of course assume that programs compiled on the slow machine would run on the fast one as well (and this is usually the case).

--
Georgi Georgiev
chutz@gg3.net
+81(90)6266-1163
If you see an onion ring -- answer it!
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-08-31 18:14 UTC
To: Georgi Georgiev; +Cc: gentoo-dev

Some requirement thoughts:
A network of gentoo hosts should have only one portage processing server and any number of installation leafs.

First of all, portage needs to easily handle more than one installation.
Second, the "leaf-installations" should have very strict minimum requirements.
Third, redundancy is probably important. The information to restore a lost "leaf" should be available on both the portage host and on the leaf itself.

/John

Georgi Georgiev wrote:
> On 31/08/2003 at 17:15:02(+0200), John Nilsson used 2.0K just to say:
>
>> For me the problem is that the machines can't even run emerge sync, much
>> less search for deps and that kind of calculations. I want EVERYTHING
>> portage to be executed on one host (or with distcc a selected few) but
>> still be able to manage the software on the other hosts. Best would be
>> if I could uninstall portage from the other hosts completely.
>
> You can mount the remote filesystems over nfs and then set ROOT=/mnt/remote to
> make the portage on the original system install stuff on the remote one. This
> method also has its problems of course. Last time I tried it, I had lots of
> trouble with, for example, mplayer autodetecting some libraries on the compiling
> computer that are not installed on the slow host that I was compiling for. Even
> emerge -p was failing because the version of glibc on the compiling system was
> older (only by a release) than the one on the remote system.
> http://bugs.gentoo.org/show_bug.cgi?id=22722
>
> Another thing I tried: mount the remote filesystems with full permissions,
> chroot over there and start compiling. You may want to "mount -o bind
> /var/tmp/portage /mnt/remote/var/tmp/portage" and also do the same with
> /usr/portage. I of course assume that programs compiled on the slow machine
> would run on the fast one as well (and this is usually the case).
* Re: [gentoo-dev] Portage through SSH
From: Douglas Russell @ 2003-08-31 18:29 UTC
To: John Nilsson; +Cc: gentoo-dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think this kind of capability is what is being developed by the gentoo-server people...

Puggy

On Sunday 31 August 2003 7:14 pm, John Nilsson wrote:
> Some requirement thoughts:
> A network of gentoo hosts should have only one portage processing server
> and any number of installation leafs.
>
> First of all, portage needs to easily handle more than one installation.
> Second, the "leaf-installations" should have very strict minimum
> requirements.
> Third, redundancy is probably important. The information to restore a
> lost "leaf" should be available on both the portage host and on the
> leaf itself.
>
> /John
>
> Georgi Georgiev wrote:
> > On 31/08/2003 at 17:15:02(+0200), John Nilsson used 2.0K just to say:
> >> For me the problem is that the machines can't even run emerge sync, much
> >> less search for deps and that kind of calculations. I want EVERYTHING
> >> portage to be executed on one host (or with distcc a selected few) but
> >> still be able to manage the software on the other hosts. Best would be
> >> if I could uninstall portage from the other hosts completely.
> >
> > You can mount the remote filesystems over nfs and then set
> > ROOT=/mnt/remote to make the portage on the original system install stuff
> > on the remote one. This method also has its problems of course. Last time
> > I tried it, I had lots of trouble with, for example, mplayer
> > autodetecting some libraries on the compiling computer that are not
> > installed on the slow host that I was compiling for. Even emerge -p was
> > failing because the version of glibc on the compiling system was older
> > (only by a release) than the one on the remote system.
> > http://bugs.gentoo.org/show_bug.cgi?id=22722
> >
> > Another thing I tried: mount the remote filesystems with full
> > permissions, chroot over there and start compiling. You may want to
> > "mount -o bind /var/tmp/portage /mnt/remote/var/tmp/portage" and also do
> > the same with /usr/portage. I of course assume that programs compiled on
> > the slow machine would run on the fast one as well (and this is usually
> > the case).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/Uj6fXYnvgFdTojMRAsbGAKDgTFol2ogpWUCEYHRbB6nMJndh1wCcCTlz
y1EEnpYe3yB2WfzMNQNLptw=
=mHcD
-----END PGP SIGNATURE-----
* Re: [gentoo-dev] Portage through SSH
From: Steven Elling @ 2003-08-31 23:31 UTC
To: gentoo-dev

On Sunday 31 August 2003 13:14, John Nilsson wrote:
> Some requirement thoughts:
> A network of gentoo hosts should have only one portage processing server
> and any number of installation leafs.
>
> First of all, portage needs to easily handle more than one installation.
> Second, the "leaf-installations" should have very strict minimum
> requirements.
> Third, redundancy is probably important. The information to restore a
> lost "leaf" should be available on both the portage host and on the
> leaf itself.

I'm not familiar with cfengine, but can it be adapted to perform this or something similar?
* Re: [gentoo-dev] Portage through SSH
From: oom @ 2003-09-01 5:53 UTC
To: gentoo-dev

Pardon me if I'm missing the point, but would something like:

[1] dsh -a emerge -ku sendmail

be useful in this type of situation? Assuming of course you had a server with the binaries (i486 or whatever is most suitable) available by ftp or something.

You could prolly do this over ssh forwarding, or stunnel too, so all transactions were secure.

[1] dsh (1) - Distributed shell, or dancer's shell

On Mon, 2003-09-01 at 11:31, Steven Elling wrote:
> On Sunday 31 August 2003 13:14, John Nilsson wrote:
> > Some requirement thoughts:
> > A network of gentoo hosts should have only one portage processing server
> > and any number of installation leafs.
> >
> > First of all, portage needs to easily handle more than one installation.
> > Second, the "leaf-installations" should have very strict minimum
> > requirements.
> > Third, redundancy is probably important. The information to restore a
> > lost "leaf" should be available on both the portage host and on the
> > leaf itself.
>
> I'm not familiar with cfengine, but can it be adapted to perform this or
> something similar?
* Re: [gentoo-dev] Portage through SSH
From: Seemant Kulleen @ 2003-09-01 5:57 UTC
To: gentoo-dev

Just a thought, but what about shfs?

--
Seemant Kulleen
Developer and Project Co-ordinator, Gentoo Linux
http://dev.gentoo.org/~seemant

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3458780E
Key fingerprint = 23A9 7CB5 9BBB 4F8D 549B 6593 EDA2 65D8 3458 780E
* Re: [gentoo-dev] Portage through SSH
From: Stuart Herbert @ 2003-09-01 10:43 UTC
To: Seemant Kulleen, gentoo-dev

On Monday 01 September 2003 6:57 am, Seemant Kulleen wrote:
> Just a thought, but what about shfs?

SHFS is a lovely idea, but even with the cache disabled I've found it too buggy to rely on :(

Best regards,
Stu

--
Stuart Herbert                                              stuart@gentoo.org
Gentoo Developer                                        http://www.gentoo.org/
Beta packages for download              http://dev.gentoo.org/~stuart/packages/
Come and meet me in March 2004                      http://www.phparch.com/cruise/

GnuGP key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C
* Re: [gentoo-dev] Portage through SSH
From: Steven Elling @ 2003-09-01 7:04 UTC
To: gentoo-dev

On Sunday 31 August 2003 13:14, John Nilsson wrote:
> Some requirement thoughts:
> A network of gentoo hosts should have only one portage processing server
> and any number of installation leafs.
>
> First of all, portage needs to easily handle more than one installation.
> Second, the "leaf-installations" should have very strict minimum
> requirements.
> Third, redundancy is probably important. The information to restore a
> lost "leaf" should be available on both the portage host and on the
> leaf itself.

I think this is something sorely needed. I'm reading some books on securing Linux servers, and on a bastion host (or any host in a DMZ for that matter) there should not be a compiler or any include files. The reason is that if the system were compromised, it would limit the cracker from compiling and installing a root kit. As it stands right now, a Gentoo based system requires gcc, includes, and all their friends to operate and be manageable (Note: Gentoo alone does not have this problem. RedHat, Debian, and every kitchen sink distro does the same).

I like Gentoo, but it is not a viable option to the security conscious and enterprises because it does not support such a feature in addition to central package management. Gentoo is not alone however.

For reference, the book I am reading is "Building Secure Servers with Linux" (ISBN: 0-596-00217-3). The book is written by Michael D. Bauer and published by O'Reilly.
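A way to check the property Steven describes, namely that a bastion or leaf host carries no compiler, assembler, linker or C headers, as a shell function. This is an added example, not code from the thread, from the book it cites or from Gentoo; the list of tool names, the directories searched and the /usr/include test are this example's own assumptions. ROOT may be "/" for the running host or a mounted leaf root such as the /mnt/remote Georgi used earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or any project it mentions): audit a root
# filesystem for build tools and C headers that a bastion/DMZ host should lack.
# The tool list and directories are assumptions made for this example.
set -eu

# Programs whose presence indicates a build environment (assumed list).
BUILD_TOOLS="gcc cc g++ c++ cpp as ld make"
# Directories in which those programs are normally installed (assumed list).
BIN_DIRS="/usr/bin /bin /usr/local/bin"

# find_build_tools ROOT
# Prints one line per finding and returns 0 when the tree is clean,
# 1 when any compiler, toolchain binary or header file was found.
find_build_tools() {
    root="${1%/}"        # "/" becomes "", "/mnt/leaf/" becomes "/mnt/leaf"
    found=0
    for tool in $BUILD_TOOLS; do
        for dir in $BIN_DIRS; do
            path="$root$dir/$tool"
            if [ -f "$path" ] || [ -L "$path" ]; then
                printf 'build tool present: %s\n' "$path"
                found=1
            fi
        done
    done
    # Header files are the other half of what the thread says should be absent.
    if [ -d "$root/usr/include" ] && \
       [ -n "$(find "$root/usr/include" -name '*.h' 2>/dev/null | head -n 1)" ]; then
        printf 'C headers present under: %s\n' "$root/usr/include"
        found=1
    fi
    return "$found"
}

# Stand-alone use: ./audit.sh --check [ROOT]; exit status 1 means findings.
if [ "${1:-}" = "--check" ]; then
    find_build_tools "${2:-/}"
fi
```

The exit status makes the function usable from a periodic job or from a configuration-management run of the kind Steven asks about with cfengine: a non-zero result on a leaf means a toolchain has appeared where the profile says there should be none. Brian's objection later in the thread still applies: this is a hardening check, not a substitute for keeping the leaf from being compromised in the first place.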
* Re: [gentoo-dev] Portage through SSH
From: Brian Harring @ 2003-09-01 7:51 UTC
To: Steven Elling; +Cc: gentoo-dev

On Monday, September 1, 2003, at 02:04 AM, Steven Elling wrote:
> On Sunday 31 August 2003 13:14, John Nilsson wrote:
>> Some requirement thoughts:
>> A network of gentoo hosts should have only one portage processing
>> server and any number of installation leafs.
>>
>> First of all, portage needs to easily handle more than one
>> installation.
>> Second, the "leaf-installations" should have very strict minimum
>> requirements.
>> Third, redundancy is probably important. The information to restore a
>> lost "leaf" should be available on both the portage host and on the
>> leaf itself.
>
> I think this is something sorely needed. I'm reading some books on
> securing Linux servers, and on a bastion host (or any host in a DMZ for
> that matter) there should not be a compiler or any include files. The
> reason is that if the system were compromised, it would limit the
> cracker from compiling and installing a root kit.

It would limit them to having to install a root kit, or install a compiler (and needed headers). Kind of pointless though, since if they've managed to elevate their rights to the level of installing a root kit, lack of a compiler is merely an annoyance to them at that point.
Maybe I'm missing something, but this strikes me as nothing more than an annoyance to someone after they've *already* cracked the box. To me it's like littering tacks throughout your house, hoping to slow down the robber who has already broken into your house; yeah, it'll likely slow him down, but it also makes things a pain in the arse for the home owner...
Of course, as I said, perhaps I'm missing something...

> As it stands right now, a Gentoo based system requires gcc, includes,
> and all their friends to operate and be manageable (Note: Gentoo alone
> does not have this problem. RedHat, Debian, and every kitchen sink
> distro does the same).
>
> I like Gentoo, but it is not a viable option to the security conscious
> and enterprises because it does not support such a feature in addition
> to central package management.

I'd agree on the central package management aspect; the ability to control and push updates out (after securing the method/control channels in some manner) would be quite nice. Nonetheless, I'd tend to think (opinion of course) gentoo is quite fine from a security standpoint. Your reasons for it not being viable?

> Gentoo is not alone however.
>
> For reference, the book I am reading is "Building Secure Servers with
> Linux" (ISBN: 0-596-00217-3). The book is written by Michael D. Bauer
> and published by O'Reilly.

I'll probably end up taking a look at it (got to love safari); specific chapter that this is suggested in?
~bdh
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-09-01 16:51 UTC
To: Brian Harring; +Cc: Steven Elling, gentoo-dev

How about the ability to install a gentoo system on a 20MB partition? The ability to make a profile not containing gcc, glibc and portage would be nice.

-John

Brian Harring wrote:
> On Monday, September 1, 2003, at 02:04 AM, Steven Elling wrote:
>> On Sunday 31 August 2003 13:14, John Nilsson wrote:
>>> Some requirement thoughts:
>>> A network of gentoo hosts should have only one portage processing server
>>> and any number of installation leafs.
>>>
>>> First of all, portage needs to easily handle more than one installation.
>>> Second, the "leaf-installations" should have very strict minimum
>>> requirements.
>>> Third, redundancy is probably important. The information to restore a
>>> lost "leaf" should be available on both the portage host and on the
>>> leaf itself.
>>
>> I think this is something sorely needed. I'm reading some books on
>> securing Linux servers, and on a bastion host (or any host in a DMZ for
>> that matter) there should not be a compiler or any include files. The
>> reason is that if the system were compromised, it would limit the
>> cracker from compiling and installing a root kit.
>
> It would limit them to having to install a root kit, or install a
> compiler (and needed headers). Kind of pointless though, since if
> they've managed to elevate their rights to the level of installing a
> root kit, lack of a compiler is merely an annoyance to them at that point.
> Maybe I'm missing something, but this strikes me as nothing more than an
> annoyance to someone after they've *already* cracked the box. To me
> it's like littering tacks throughout your house, hoping to slow down the
> robber who has already broken into your house; yeah, it'll likely slow
> him down, but it also makes things a pain in the arse for the home
> owner...
> Of course, as I said, perhaps I'm missing something...
>
>> As it stands right now, a Gentoo based system requires gcc, includes,
>> and all their friends to operate and be manageable (Note: Gentoo alone
>> does not have this problem. RedHat, Debian, and every kitchen sink
>> distro does the same).
>>
>> I like Gentoo, but it is not a viable option to the security conscious
>> and enterprises because it does not support such a feature in addition
>> to central package management.
>
> I'd agree on the central package management aspect; the ability to
> control and push updates out (after securing the method/control channels
> in some manner) would be quite nice. Nonetheless, I'd tend to think
> (opinion of course) gentoo is quite fine from a security standpoint.
> Your reasons for it not being viable?
>
>> Gentoo is not alone however.
>>
>> For reference, the book I am reading is "Building Secure Servers with
>> Linux" (ISBN: 0-596-00217-3). The book is written by Michael D. Bauer
>> and published by O'Reilly.
>
> I'll probably end up taking a look at it (got to love safari); specific
> chapter that this is suggested in?
> ~bdh
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-09-01 16:55 UTC
To: John Nilsson; +Cc: Brian Harring, Steven Elling, gentoo-dev

Or rather use gentoo to manage a number of lfs-systems. =)

-John

John Nilsson wrote:
> How about the ability to install a gentoo system on a 20MB partition?
> The ability to make a profile not containing gcc, glibc and portage would
> be nice.
>
> -John
>
> Brian Harring wrote:
>> On Monday, September 1, 2003, at 02:04 AM, Steven Elling wrote:
>>> On Sunday 31 August 2003 13:14, John Nilsson wrote:
>>>> Some requirement thoughts:
>>>> A network of gentoo hosts should have only one portage processing
>>>> server and any number of installation leafs.
>>>>
>>>> First of all, portage needs to easily handle more than one installation.
>>>> Second, the "leaf-installations" should have very strict minimum
>>>> requirements.
>>>> Third, redundancy is probably important. The information to restore a
>>>> lost "leaf" should be available on both the portage host and on the
>>>> leaf itself.
>>>
>>> I think this is something sorely needed. I'm reading some books on
>>> securing Linux servers, and on a bastion host (or any host in a DMZ for
>>> that matter) there should not be a compiler or any include files. The
>>> reason is that if the system were compromised, it would limit the
>>> cracker from compiling and installing a root kit.
>>
>> It would limit them to having to install a root kit, or install a
>> compiler (and needed headers). Kind of pointless though, since if
>> they've managed to elevate their rights to the level of installing a
>> root kit, lack of a compiler is merely an annoyance to them at that
>> point.
>> Maybe I'm missing something, but this strikes me as nothing more than
>> an annoyance to someone after they've *already* cracked the box. To
>> me it's like littering tacks throughout your house, hoping to slow
>> down the robber who has already broken into your house; yeah, it'll
>> likely slow him down, but it also makes things a pain in the arse
>> for the home owner...
>> Of course, as I said, perhaps I'm missing something...
>>
>>> As it stands right now, a Gentoo based system requires gcc, includes,
>>> and all their friends to operate and be manageable (Note: Gentoo alone
>>> does not have this problem. RedHat, Debian, and every kitchen sink
>>> distro does the same).
>>>
>>> I like Gentoo, but it is not a viable option to the security conscious
>>> and enterprises because it does not support such a feature in addition
>>> to central package management.
>>
>> I'd agree on the central package management aspect; the ability to
>> control and push updates out (after securing the method/control
>> channels in some manner) would be quite nice. Nonetheless, I'd tend
>> to think (opinion of course) gentoo is quite fine from a security
>> standpoint. Your reasons for it not being viable?
>>
>>> Gentoo is not alone however.
>>>
>>> For reference, the book I am reading is "Building Secure Servers with
>>> Linux" (ISBN: 0-596-00217-3). The book is written by Michael D. Bauer
>>> and published by O'Reilly.
>>
>> I'll probably end up taking a look at it (got to love safari);
>> specific chapter that this is suggested in?
>> ~bdh
* Re: [gentoo-dev] Portage through SSH
From: Steven Elling @ 2003-09-01 17:34 UTC
To: gentoo-dev

On Sunday 31 August 2003 13:14, John Nilsson wrote:
> Some requirement thoughts:
> A network of gentoo hosts should have only one portage processing server
> and any number of installation leafs.
>
> First of all portage needs to easily handle more than one installation.
> Second the "leaf-installations" should have very strict minimum
> requirements.
> Third redundancy is probably important. The information to restore a
> lost "leaf" should be available on both the portage host and on the
> leaf itself.

Just in case no one has seen this, I just ran across "The Open Software
Description Format (OSD)" (http://www.w3.org/TR/NOTE-OSD) and think it can
be used to implement a central portage server with push/pull software
distribution.

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Portage through SSH
From: Luke-Jr @ 2003-09-01 19:34 UTC
To: Steven Elling, gentoo-dev

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just thought it might be worth noting that:
1. The document is not endorsed by w3c (as might be implied by the URI)
2. It was submitted by Marimba Incorporated and Microsoft Corporation.
3. No doubt as a result of item #2, the "OS value" for Linux is "Lunix" in
   the document.
4. This format uses the term "OS" to refer to the kernel only. There are not
   even provisions for different actual operating systems (eg Gentoo, RedHat,
   Windows 98, Windows XP, Mac OS X, etc).

Perhaps something based on this might be considered, but I don't think it
would be a good idea to use the exact format described when taking these
issues into consideration.

On Monday 01 September 2003 05:34 pm, Steven Elling wrote:
> On Sunday 31 August 2003 13:14, John Nilsson wrote:
> > Some requirement thoughts:
> > A network of gentoo hosts should have only one portage processing server
> > and any number of installation leafs.
> >
> > First of all portage needs to easily handle more than one installation.
> > Second the "leaf-installations" should have very strict minimum
> > requirements.
> > Third redundancy is probably important. The information to restore a
> > lost "leaf" should be available on both the portage host and on the
> > leaf itself.
>
> Just in case no one has seen this, I just ran across "The Open Software
> Description Format (OSD)" (http://www.w3.org/TR/NOTE-OSD) and think it can
> be used to implement a central portage server with push/pull software
> distribution.

- --
Luke-Jr
Developer, Gentoo Linux
http://www.gentoo.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/U59tZl/BHdU+lYMRAgKWAJwPXXNnPT66wkFLu6Uefm5qZOb3JgCdE316
1KSYHyX2cNy0amI4g5+Gvks=
=cn2S
-----END PGP SIGNATURE-----

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Portage through SSH
From: Terje Kvernes @ 2003-09-02 0:02 UTC
To: John Nilsson; +Cc: Georgi Georgiev, gentoo-dev

John Nilsson <john@milsson.nu> writes:

> Some requirement thoughts: A network of gentoo hosts should have
> only one portage processing server and any number of installation
> leafs.

this is what I'm doing today, so I'll agree. :-)

> First of all portage needs to easily handle more than one
> installation. Second the "leaf-installations" should have very
> strict minimum requirements. Third redundancy is probably
> important. The information to restore a lost "leaf" should be
> available on both the portage host and on the leaf itself.

this is easily doable with something like rdist. most things under
unix are files. keeping this in mind when working with unix is a
very good idea.

at work, me and one other guy maintain about 150-odd linux boxes
with rdist and a little bit extra. the idea is to rdist / with a
few appropriate exceptions. we also maintain a configuration
database (flat files under /etc/config) that gets rdisted as well.
this means that all configuration for all the machines is available
everywhere -- which is nice even though we have tape backups.

--
Terje

--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Portage through SSH
From: John Nilsson @ 2003-09-02 4:58 UTC
To: Terje Kvernes; +Cc: Georgi Georgiev, gentoo-dev

rdist is probably great if you would like to have identical hosts. But
if you are having different kinds of installations it could get messy.

I was thinking something along these lines.

%emerge sync && emerge world --target server1 --update

1. rsync to localhost

2. read localhost:/var/cache/edb/server1/world || \
   read server1:/var/cache/edb/localhost/world

3. calculate which packages have to be updated

4. read localhost:/var/cache/edb/server1/make.conf || \
   read server1:/etc/make.conf

5. download and compile locally

6. install to server1:/

7. modify server1:/var/cache/edb/localhost/world && \
   modify localhost:/var/cache/edb/server1/world

-John

Terje Kvernes wrote:
> John Nilsson <john@milsson.nu> writes:
>
>> Some requirement thoughts: A network of gentoo hosts should have
>> only one portage processing server and any number of installation
>> leafs.
>
> this is what I'm doing today, so I'll agree. :-)
>
>> First of all portage needs to easily handle more than one
>> installation. Second the "leaf-installations" should have very
>> strict minimum requirements. Third redundancy is probably
>> important. The information to restore a lost "leaf" should be
>> available on both the portage host and on the leaf itself.
>
> this is easily doable with something like rdist. most things under
> unix are files. keeping this in mind when working with unix is a
> very good idea.
>
> at work, me and one other guy maintain about 150-odd linux boxes
> with rdist and a little bit extra. the idea is to rdist / with a
> few appropriate exceptions. we also maintain a configuration
> database (flat files under /etc/config) that gets rdisted as well.
> this means that all configuration for all the machines is available
> everywhere -- which is nice even though we have tape backups.

--
gentoo-dev@gentoo.org mailing list
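The seven-step flow proposed in the message above, sketched as an added shell example; it is not code from the thread or from Portage. Everything about the layout is an assumption made for illustration: the build host caches each target's state under /var/cache/edb/<target>/, each target keeps a copy for the builder under /var/cache/edb/<builder>/, a world list is one category/pkg-version per line, and the local tree is summarised as "category/pkg best-version" lines. Step 5 (fetch and compile) is left to emerge; only the read-with-fallback, update calculation and two-sided bookkeeping are shown. The name/version split uses the usual first "-<digit>" rule rather than Portage's full version comparison. The transport is a function so that it is ssh in real use and a local stand-in in the offline demo; because it runs commands on the target as whatever user the key logs in as, the key used for this should be restricted to exactly these commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from Portage: a sketch of the
# proposed "emerge world --target server1 --update" flow in plain sh.
# Everything below is an assumption for illustration:
#   - the build host keeps a per-target cache under $CACHE/<target>/
#   - each target keeps a copy for this builder under $REMOTE_EDB/<builder>/
#   - a world list is one "category/pkg-version" per line
#   - the local tree is summarised as "category/pkg best-version" lines
# Step 5 (fetch and build) is left to Portage; only the bookkeeping is shown.

set -u

CACHE=${CACHE:-/var/cache/edb}
REMOTE_EDB=${REMOTE_EDB:-/var/cache/edb}
BUILDER=${BUILDER:-$(uname -n)}
REMOTE_SH=${REMOTE_SH:-remote_ssh}

# Transport used for real: run one command line on the target over ssh.
# It runs as whatever user the key logs in as, so restrict that key.
remote_ssh() { host=$1; shift; ssh -- "$host" "$*"; }

# Offline stand-in used by demo: run the same command line locally.
remote_local() { shift; sh -c "$*"; }

# Steps 2 and 4: prefer the local per-target copy, fall back to the copy
# the target keeps for this builder.  Fails if neither can be read.
read_target_file() {
  target=$1; name=$2
  if [ -r "$CACHE/$target/$name" ]; then
    cat "$CACHE/$target/$name"
  else
    $REMOTE_SH "$target" "cat $REMOTE_EDB/$BUILDER/$name"
  fi
}

# Step 3: print "category/pkg installed best" for every installed package
# whose version differs from the best version in the tree.  The name is
# cut before the first "-<digit>", which is how Gentoo atoms are split.
packages_to_update() {
  installed=$1; tree=$2
  awk '
    FILENAME == ARGV[1] { best[$1] = $2; next }
    /^[^#]/ {
      i = match($0, /-[0-9]/); if (i == 0) next
      name = substr($0, 1, i - 1); ver = substr($0, i + 1)
      if ((name in best) && best[name] != ver) print name, ver, best[name]
    }' "$tree" "$installed"
}

# Step 7: once the install succeeded, record the new list on both sides so
# either host can rebuild the other's view of the target.
record_state() {
  target=$1; newlist=$2
  mkdir -p "$CACHE/$target" && cp "$newlist" "$CACHE/$target/world"
  $REMOTE_SH "$target" "mkdir -p $REMOTE_EDB/$BUILDER && cat > $REMOTE_EDB/$BUILDER/world" < "$newlist"
}

# Offline demo on constructed data: server1 has no entry in the local
# cache yet, so its list comes from the "remote" copy; one of three
# packages is behind the tree.  Prints the update plan.
demo() {
  DEMO_DIR=$(mktemp -d)
  CACHE=$DEMO_DIR/builder-cache; REMOTE_EDB=$DEMO_DIR/server1/var/cache/edb
  BUILDER=buildhost; REMOTE_SH=remote_local
  mkdir -p "$REMOTE_EDB/$BUILDER"
  printf '%s\n' net-misc/openssh-3.6.1_p2 sys-apps/portage-2.0.49 \
    app-shells/bash-2.05b-r3 > "$REMOTE_EDB/$BUILDER/world"
  printf '%s\n' 'net-misc/openssh 3.7.1_p1' 'sys-apps/portage 2.0.49' \
    'app-shells/bash 2.05b-r3' > "$DEMO_DIR/tree"

  read_target_file server1 world > "$DEMO_DIR/installed"
  packages_to_update "$DEMO_DIR/installed" "$DEMO_DIR/tree" > "$DEMO_DIR/plan"
  # Pretend the plan was built and installed on server1, then record it.
  awk 'FILENAME == ARGV[1] { new[$1] = $3; next }
       { i = match($0, /-[0-9]/); n = substr($0, 1, i - 1)
         r = (n in new) ? n "-" new[n] : $0; print r }' \
    "$DEMO_DIR/plan" "$DEMO_DIR/installed" > "$DEMO_DIR/newworld"
  record_state server1 "$DEMO_DIR/newworld"
  cat "$DEMO_DIR/plan"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the plan for the constructed server1; after that run, both the builder cache and the simulated target hold the same updated world list, so a second run would read the local copy and find nothing to do.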
* Re: [gentoo-dev] Portage through SSH
From: Terje Kvernes @ 2003-09-02 9:30 UTC
To: John Nilsson; +Cc: Georgi Georgiev, gentoo-dev

(I generally don't reply to top-posted articles, but oh well)

John Nilsson <john@milsson.nu> writes:

> rdist is probably great if you would like to have identical hosts.

you don't need to have identical hosts with rdist.

> But if you are having different kinds of installations it could get
> messy.

hm, could you define "different kinds of installations"? :-)

> I was thinking something along these lines.
>
> %emerge sync && emerge world --target server1 --update
>
> 1. rsync to localhost
>
> 2. read localhost:/var/cache/edb/server1/world || \
>    read server1:/var/cache/edb/localhost/world
>
> 3. calculate which packages have to be updated
>
> 4. read localhost:/var/cache/edb/server1/make.conf || \
>    read server1:/etc/make.conf
>
> 5. download and compile locally
>
> 6. install to server1:/
>
> 7. modify server1:/var/cache/edb/localhost/world && \
>    modify localhost:/var/cache/edb/server1/world

honestly? no. there are a lot of other things that should be fixed in
Portage before this ever gets on a drawingboard, if it even should get
there.

if you want this functionality, my best advice would be to build a
buildroot on your build host using chroot, and remove stuff you don't
want when you rdist it to the client. otherwise you could use buildpkg
and just install packages on the client. even a stripped system should
have 'tar'. :-)

this would also leave the whole task transparent to Portage, which is
good[tm].

actually, this isn't too different from how I deal with my NAT-box.

--
Terje

--
gentoo-dev@gentoo.org mailing list
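The buildpkg-and-tar route suggested in the message above, as an added shell example that is not code from the thread or from Portage, with the check a leaf should make before unpacking anything: verify the package's digest, so a file altered or truncated in transit is refused before it touches the root filesystem, and the only tools the leaf needs for the install step are tar and sha256sum. It assumes a plain .tar.gz of the build host's image directory and a separate .sha256 file copied over the same ssh channel (Portage's own .tbz2 format, with its xpak metadata trailer, is not parsed here); the demo uses cp where scp would be used between real hosts.

```shell
#!/bin/sh
# Added example, not code from the thread or from Portage: the "build once,
# ship a binary package, unpack on a leaf that only has tar" route, with an
# integrity check on the leaf so a package altered or truncated in transit
# is refused before anything touches the root filesystem.  Assumptions for
# illustration: the package is a plain .tar.gz of the build host's image
# directory (Portage's real .tbz2 also carries an xpak metadata trailer,
# which is not handled here), its SHA-256 travels alongside as a .sha256
# file that came over the same trusted ssh/scp channel, and the demo uses
# cp where scp would be used between real hosts.

set -u

# Build host: turn the image directory into a package and record its digest.
make_package() {   # $1 image dir, $2 output path without suffix
  img=$1; out=$2
  mkdir -p "$(dirname "$out")"
  tar -C "$img" -czf "$out.tar.gz" .
  (cd "$(dirname "$out")" && sha256sum "$(basename "$out").tar.gz") > "$out.sha256"
}

# Leaf host: the whole tool set the install step depends on; no gcc, no
# headers, no Portage.
leaf_has_tools() {
  for t in tar sha256sum; do
    command -v "$t" >/dev/null 2>&1 || return 1
  done
  return 0
}

# Leaf host: refuse the package unless its digest matches, then unpack it
# into the target root.  Returns 1 and leaves the root untouched on failure.
install_package() {   # $1 package (.tar.gz), $2 target root
  pkg=$1; root=$2
  digest=${pkg%.tar.gz}.sha256
  [ -r "$digest" ] || return 1
  (cd "$(dirname "$pkg")" && sha256sum -c "$(basename "$digest")" >/dev/null 2>&1) || return 1
  mkdir -p "$root" && tar -C "$root" -xzf "$pkg"
}

# Offline demo on a constructed package: a one-script "program" and a
# config file, packed on the build side and installed on the leaf side.
demo() {
  DEMO_DIR=$(mktemp -d)
  mkdir -p "$DEMO_DIR/image/usr/bin" "$DEMO_DIR/image/etc"
  printf '#!/bin/sh\necho hello from a compiler-less leaf\n' > "$DEMO_DIR/image/usr/bin/hello"
  chmod 755 "$DEMO_DIR/image/usr/bin/hello"
  echo 'greeting=hello' > "$DEMO_DIR/image/etc/hello.conf"
  make_package "$DEMO_DIR/image" "$DEMO_DIR/out/hello-1.0"
  # Transfer to the leaf (scp between real hosts) and install there.
  mkdir -p "$DEMO_DIR/leaf/incoming"
  cp "$DEMO_DIR/out/hello-1.0.tar.gz" "$DEMO_DIR/out/hello-1.0.sha256" "$DEMO_DIR/leaf/incoming/"
  install_package "$DEMO_DIR/leaf/incoming/hello-1.0.tar.gz" "$DEMO_DIR/leaf/root"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh script.sh demo`; install_package exits non-zero and creates nothing under the target root if the package or its digest file does not match, which is the behaviour to keep when scripting the push over ssh.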
Thread overview: 23+ messages
2003-08-31 13:07 [gentoo-dev] Portage through SSH John Nilsson
2003-08-31 13:32 ` Marius Mauch
2003-08-31 14:17 ` Luke-Jr
2003-08-31 14:20 ` John Nilsson
2003-08-31 14:35 ` Marc Giger
2003-08-31 15:01 ` Douglas Russell
2003-08-31 15:15 ` John Nilsson
2003-08-31 16:52 ` Georgi Georgiev
2003-08-31 18:14 ` John Nilsson
2003-08-31 18:29 ` Douglas Russell
2003-08-31 23:31 ` Steven Elling
2003-09-01 5:53 ` oom
2003-09-01 5:57 ` Seemant Kulleen
2003-09-01 10:43 ` Stuart Herbert
2003-09-01 7:04 ` Steven Elling
2003-09-01 7:51 ` Brian Harring
2003-09-01 16:51 ` John Nilsson
2003-09-01 16:55 ` John Nilsson
2003-09-01 17:34 ` Steven Elling
2003-09-01 19:34 ` Luke-Jr
2003-09-02 0:02 ` Terje Kvernes
2003-09-02 4:58 ` John Nilsson
2003-09-02 9:30 ` Terje Kvernes