[gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[Jonathat Skanes]

Hi all,

My environment is mainly hardened.  However, I have a couple boxen that aren't 
such as my laptop.

Can I use this hardened environment for emerge using distcc from the non 
hardened machines?  If so, do i change the gcc profile on the hardened 
machines to vanilla before emerging?  What else do I have to be aware of?

Thanks,
Jon
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[Russ Gray]

As far as I'm aware, no, you can't use distcc with vanilla and
hardened versions interchangebly without producing broken code



On 5/19/06, Jonathat Skanes <jon@skanes.ca> wrote:
> Hi all,
>
> My environment is mainly hardened.  However, I have a couple boxen that aren't
> such as my laptop.
>
> Can I use this hardened environment for emerge using distcc from the non
> hardened machines?  If so, do i change the gcc profile on the hardened
> machines to vanilla before emerging?  What else do I have to be aware of?
>
> Thanks,
> Jon
> --
> gentoo-hardened@gentoo.org mailing list
>
>

-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[Kevin F. Quinn]

[-- Attachment #1: Type: text/plain, Size: 746 bytes --]

On Fri, 19 May 2006 13:20:46 -0230
Jonathat Skanes <jon@skanes.ca> wrote:

> My environment is mainly hardened.  However, I have a couple boxen
> that aren't such as my laptop.
>
> Can I use this hardened environment for emerge using distcc from the
> non hardened machines?

Not as it currently stands, no.  Well, it'll do something, but the
results will be unreliable, to put it mildly.

>  If so, do i change the gcc profile on the
> hardened machines to vanilla before emerging?

That's the only way that will work with distcc.  Another option would
have been to add '-specs=vanilla.specs' to CFLAGS, but distcc will
reject it (it's a bit tricky to support).

>  What else do I have to be aware of?

-- 
Kevin F. Quinn

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[Jonathan Skanes]

On May 22, 2006 16:31, Kevin F. Quinn wrote:

> >  If so, do i change the gcc profile on the
> > hardened machines to vanilla before emerging?
>
> That's the only way that will work with distcc.  Another option would
> have been to add '-specs=vanilla.specs' to CFLAGS, but distcc will
> reject it (it's a bit tricky to support).

OK, this being so, can I have the discc init.d script select a profile and 
update the environment before running distcc and have it retain the changes?  
If so, it should be possible to run a couple distcc invocations on different 
ports to support the different profiles.  This would be fabulous as then I 
can configure the distcc client to choose the right spec based on distcc port 
number.

Jon
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] distcc and mixed hardened/vanilla toolchains

[Kevin F. Quinn]

[-- Attachment #1: Type: text/plain, Size: 1324 bytes --]

On Sun, 28 May 2006 01:54:22 -0230
Jonathan Skanes <jon@skanes.ca> wrote:

> On May 22, 2006 16:31, Kevin F. Quinn wrote:
> 
> > >  If so, do i change the gcc profile on the
> > > hardened machines to vanilla before emerging?
> >
> > That's the only way that will work with distcc.  Another option
> > would have been to add '-specs=vanilla.specs' to CFLAGS, but distcc
> > will reject it (it's a bit tricky to support).
> 
> OK, this being so, can I have the discc init.d script select a
> profile and update the environment before running distcc and have it
> retain the changes? If so, it should be possible to run a couple
> distcc invocations on different ports to support the different
> profiles.  This would be fabulous as then I can configure the distcc
> client to choose the right spec based on distcc port number.

Should be simple enough.  The only environment thing that matters
however is the environment variable GCC_SPECS so you don't need to go
switching the system profile all the time.

I suggest copying the distccd init.d and conf.d scripts to (say)
distccdh.  Set the port number in conf.d/distccdh and set GCC_SPECS in
init.d/distccdh; probably best to add a line 'export
GCC_SPECS="hardened.specs"' before distccd is run. Then just start
distccdh.

-- 
Kevin F. Quinn

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-hardened] [solved] was: distcc and mixed hardened/vanilla toolchains

[Jonathan Skanes]

[-- Attachment #1: Type: text/plain, Size: 1861 bytes --]

Hi Everyone,

I've modified the stock distccd init.d and conf.d scripts to launch vanilla 
and hardened gcc profiles on different ports.  In my example, vanilla runs on 
the standard port and hardened runs on standard port +1.  The config script 
should be self explanatory.

On the hardened clients the distcc hosts file would look like this:

host1:3633 host2:3633 [...]

The gcc profile set with gcc-config, in the environment the distccd init 
script is started in, will be used.

Jon

On Sunday 28 May 2006 06:22, Kevin F. Quinn wrote:
> On Sun, 28 May 2006 01:54:22 -0230
>
> Jonathan Skanes <jon@skanes.ca> wrote:
> > On May 22, 2006 16:31, Kevin F. Quinn wrote:
> > > >  If so, do i change the gcc profile on the
> > > > hardened machines to vanilla before emerging?
> > >
> > > That's the only way that will work with distcc.  Another option
> > > would have been to add '-specs=vanilla.specs' to CFLAGS, but distcc
> > > will reject it (it's a bit tricky to support).
> >
> > OK, this being so, can I have the discc init.d script select a
> > profile and update the environment before running distcc and have it
> > retain the changes? If so, it should be possible to run a couple
> > distcc invocations on different ports to support the different
> > profiles.  This would be fabulous as then I can configure the distcc
> > client to choose the right spec based on distcc port number.
>
> Should be simple enough.  The only environment thing that matters
> however is the environment variable GCC_SPECS so you don't need to go
> switching the system profile all the time.
>
> I suggest copying the distccd init.d and conf.d scripts to (say)
> distccdh.  Set the port number in conf.d/distccdh and set GCC_SPECS in
> init.d/distccdh; probably best to add a line 'export
> GCC_SPECS="hardened.specs"' before distccd is run. Then just start
> distccdh.

[-- Attachment #2: distccd --]
[-- Type: text/plain, Size: 2017 bytes --]

#!/sbin/runscript
# $Header: /var/cvsroot/gentoo-x86/sys-devel/distcc/files/2.18/init,v 1.1 2004/10/12 17:21:43 lisa Exp $
# Modified by Jon Skanes <jon@skanes.ca> for serving
# vanilla and hardened gcc profiles together.

depend() {
	need net
	use ypbind
}

start-vanilla() {
	[ -e "${DISTCCD_VANILLA_PIDFILE}" ] && rm -f ${DISTCCD_VANILLA_PIDFILE} &>/dev/null
	
	ebegin "Starting vanilla distccd"
	chown distcc `dirname ${DISTCCD_VANILLA_PIDFILE}` &>/dev/null
	TMPDIR="${TMPDIR}" \
	PATH="$(gcc-config --get-bin-path):${PATH}" \
	export GCC_SPECS="$(gcc-config --get-lib-path)/vanilla.specs"
	/sbin/start-stop-daemon --start --quiet --startas ${DISTCCD_EXEC} \
	--pidfile ${DISTCCD_VANILLA_PIDFILE} -- \
	--pid-file ${DISTCCD_VANILLA_PIDFILE} -N ${DISTCCD_VANILLA_NICE} --user distcc --port ${DISTCCD_VANILLA_PORT} \
	${DISTCCD_OPTS} ${DISTCCD_VANILLA_OPTS}

	eend $?
}

start-hardened() {
	[ -e "${DISTCCD_HARDENED_PIDFILE}" ] && rm -f ${DISTCCD_HARDENED_PIDFILE} &>/dev/null
	
	ebegin "Starting hardened distccd"
	chown distcc `dirname ${DISTCCD_HARDENED_PIDFILE}` &>/dev/null
	TMPDIR="${TMPDIR}" \
	PATH="$(gcc-config --get-bin-path):${PATH}" \
	export GCC_SPECS="$(gcc-config --get-lib-path)/hardened.specs"
	/sbin/start-stop-daemon --start --quiet --startas ${DISTCCD_EXEC} \
	--pidfile ${DISTCCD_HARDENED_PIDFILE} -- \
	--pid-file ${DISTCCD_HARDENED_PIDFILE} -N ${DISTCCD_HARDENED_NICE} --user distcc --port ${DISTCCD_HARDENED_PORT} \
	${DISTCCD_OPTS} ${DISTCCD_HARDENED_OPTS}

	eend $?
}

stop-vanilla() {
	ebegin "Stopping vanilla distccd"
	start-stop-daemon --stop --quiet --pidfile "${DISTCCD_VANILLA_PIDFILE}"
	rm -f "${DISTCCD_VANILLA_PIDFILE}"
	eend $?
}

stop-hardened() {
	ebegin "Stopping hardened distccd"
	start-stop-daemon --stop --quiet --pidfile "${DISTCCD_HARDENED_PIDFILE}"
	rm -f "${DISTCCD_HARDENED_PIDFILE}"
	eend $?
}

start() {
	ebegin "Starting distccd"
	start-vanilla
	start-hardened
	eend $?
}

stop() {
	ebegin "Stopping distccd"
	stop-vanilla
	stop-hardened
	eend $?
}

### END ###

[-- Attachment #3: distccd --]
[-- Type: text/plain, Size: 1622 bytes --]

# /etc/conf.d/distccd: config file for /etc/init.d/distccd
# Modified by Jon Skanes <jon@skanes.ca> for serving
# vanilla and hardened gcc profiles together.

# General options for all distccd processes.
DISTCCD_OPTS="--daemon"

# Individual options for vanilla/hardened
DISTCCD_VANILLA_OPTS=""
DISTCCD_HARDENED_OPTS=""

# this is the distccd executable 
DISTCCD_EXEC="/usr/bin/distccd"

# this is where distccd will store its pid files
DISTCCD_VANILLA_PIDFILE="/var/run/distccd/distccd-vanilla.pid"
DISTCCD_HARDENED_PIDFILE="/var/run/distccd/distccd-hardened.pid"

# Default start port is 3632.
# For most people the default is okay.
DISTCCD_VANILLA_PORT="3632"
DISTCCD_HARDENED_PORT="3633"

# Logging
# You can change some logging options here:
# --log-file FILE
# --log-level LEVEL  [critical,error,warning, notice, info, debug]
#
# Leaving --log-file blank will log to syslog
# example: --log-file /dev/null --log-level warning
# example: --log-level critical

DISTCCD_OPTS="${DISTCCD_OPTS} --log-level error"

# SECURITY NOTICE:
# It is HIGHLY recomended that you use the --listen option
# for increased security. You can specify an IP to permit connections 
# from or a CIDR mask
# --listen accepts only a single IP
# --allow is now mandatory as of distcc-2.18.
# example:  --allow 192.168.0.0/24
# example:  --allow 192.168.0.5 --allow 192.168.0.150
# example:  --listen 192.168.0.2
DISTCCD_OPTS="${DISTCCD_OPTS} --allow 192.168.0.0/24 --allow 127.0.0.1"
#DISTCCD_OPTS="${DISTCCD_OPTS} --listen 192.168.0.2"

# set this for niceness
# Default is 15
DISTCCD_VANILLA_NICE="15"
DISTCCD_HARDENED_NICE="15"

### END ###