[gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[Kārlis Repsons]

[-- Attachment #1: Type: Text/Plain, Size: 628 bytes --]

Hi all,

I've got a machine, which hasn't been upgraded for some 2 years or less. It 
has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So 
I'm here to ask for the right sequence of upgrades and other actions before 
it's too late...

These actions done already:
1. updated binutils,
2. updated glibc,
3. unmerged and re-emerged libtool (had a blocker),
4. tried with the new GCC, but failed with some unclear problems,
5. switched to vanilla GCC and now compile glibc...

So have I done something bad or what should I do to be sure that the upgrade 
goes as smooth as possible? Thanks...

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[Jean-François Maeyhieux]

[-- Attachment #1: Type: text/plain, Size: 2229 bytes --]

Hi !

   another "hardcore" solution could be to create a chroot fresh
installation whithin you import your system's preferences:

- Create directory
- Untar last hardened stage 3
- Copy your /etc in the chroot
- Copy your world file in the chroot
- Copy any kind of data or local aplication to your chroot
- chroot and update your system
- when things is done, test it
- wipe your old gentoo and move your chrooted one on /


	that's "hardcore" but permit me several times to ressucite a old gentoo
system.

IF you can't do it, the normal way is:

- Recompile your toolchain by compiling twice this ports:
	virtual/portage virtual/os-headers sys-libs/glibc sys-devel/binutils-config sys-devel/binutils sys-devel/gcc-config
  (don't forget to switch your gcc on the way and to clean your ccache if you use it)
- Recompile your system (emerge -Davut system)
- Finally recompile your world.


TIPS: use of revdep-rebuild and lafilefixer could help on the way...


	Hoping that could help you to update your old gentoo.


						


On Wed, 2011-06-15 at 10:55 +0000, Krlis Repsons wrote:
> Hi all,
> 
> I've got a machine, which hasn't been upgraded for some 2 years or less. It 
> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So 
> I'm here to ask for the right sequence of upgrades and other actions before 
> it's too late...
> 
> These actions done already:
> 1. updated binutils,
> 2. updated glibc,
> 3. unmerged and re-emerged libtool (had a blocker),
> 4. tried with the new GCC, but failed with some unclear problems,
> 5. switched to vanilla GCC and now compile glibc...
> 
> So have I done something bad or what should I do to be sure that the upgrade 
> goes as smooth as possible? Thanks...

-- 
--------------------------------------------------------------------------------------
                Jean-Franois Maeyhieux
--------------------------------------------------------------------------------------
PGP Public Key - Key ID = 63DB4770       Tuttle (JFM) <b4b1@free.fr>
 http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x63DB4770
--------------------------------------------------------------------------------------

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[7v5w7go9ub0o]

On 06/15/11 07:35, Jean-François Maeyhieux wrote:
> Hi !
>
> another "hardcore" solution could be to create a chroot fresh
> installation whithin you import your system's preferences:
>
> - Create directory - Untar last hardened stage 3 - Copy your /etc in
> the chroot - Copy your world file in the chroot - Copy any kind of
> data or local aplication to your chroot - chroot and update your
> system - when things is done, test it - wipe your old gentoo and
> move your chrooted one on /
>
>
> that's "hardcore" but permit me several times to ressucite a old
> gentoo system.
>
> IF you can't do it, the normal way is:
>
> - Recompile your toolchain by compiling twice this ports:
> virtual/portage virtual/os-headers sys-libs/glibc
> sys-devel/binutils-config sys-devel/binutils sys-devel/gcc-config
> (don't forget to switch your gcc on the way and to clean your ccache
> if you use it) - Recompile your system (emerge -Davut system) -
> Finally recompile your world.
>


Somewhere you need to fool with profiles and make.conf. I *think* the
profiles will add, e.g., "hardened" to your gcc flag

There used to be a wiki somewhere that described the building of
hardened-gentoo step by step after branching off from the gentoo
handbook - to upgrade a standard box. It may have been called
gentooexperimental, but appears now dead.

IF anyone can point me to current documentation about building a
hardened box (which should include the make.conf and other hardened
settings), please post it here.

TIA

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[7v5w7go9ub0o]

On 06/28/11 17:42, 7v5w7go9ub0o wrote:

>
> IF anyone can point me to current documentation about building a
> hardened box (which should include the make.conf and other hardened
> settings), please post it here.

I just dropped by #gentoo-hardened on irc.freenode.net and asked about
instructions for building, and for migration (upgrading).

FWICT the instructions for building a hardened box are not quite yet
incorporated into the Gentoo handbook. However, thanks to Klondike, I
was quickly directed to:

<http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile>

which pretty-well describes the migration process.

(Note the "eselect profile list" step, which switches to the hardened
profile - necessary before recompiling stuff.)

Re: [gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[Kārlis Repsons]

On 28 June 2011 22:20, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> <http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile>
Does it say when glibc and libtool, perhaps some other
toolchain-related components need to be rebuilt? Didn't find anything
really...
(perhaps rebuilding virtual/libc leads to glibc rebuild?)

Re: [gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[Ed W]

On 15/06/2011 11:55, Kārlis Repsons wrote:
> Hi all,
> 
> I've got a machine, which hasn't been upgraded for some 2 years or less. It 
> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So 
> I'm here to ask for the right sequence of upgrades and other actions before 
> it's too late...
> 
> These actions done already:
> 1. updated binutils,
> 2. updated glibc,
> 3. unmerged and re-emerged libtool (had a blocker),
> 4. tried with the new GCC, but failed with some unclear problems,
> 5. switched to vanilla GCC and now compile glibc...
> 
> So have I done something bad or what should I do to be sure that the upgrade 
> goes as smooth as possible? Thanks...

You didn't give any info on the problems you had using gcc 4.5 so very
hard to comment.  However, roughly the upgrade of any gcc is as per the
docs (upgrade, switch to it, upgrade libtool, emerge -ev system)

Likely problems you had were dependencies upgrading from a very old
system?  Remember there is no harm in masking your gcc, upgrading, then
upgrading gcc is this solves some dependency? (Slower)

Remember to backup the machine...

Ed W

Re: [gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[Kārlis Repsons]

On 20 June 2011 14:20, Ed W <lists@wildgooses.com> wrote:
> On 15/06/2011 11:55, Kārlis Repsons wrote:
>> Hi all,
>>
>> I've got a machine, which hasn't been upgraded for some 2 years or less. It
>> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
>> I'm here to ask for the right sequence of upgrades and other actions before
>> it's too late...
>>
>> These actions done already:
>> 1. updated binutils,
>> 2. updated glibc,
>> 3. unmerged and re-emerged libtool (had a blocker),
>> 4. tried with the new GCC, but failed with some unclear problems,
>> 5. switched to vanilla GCC and now compile glibc...
>>
>> So have I done something bad or what should I do to be sure that the upgrade
>> goes as smooth as possible? Thanks...
>
> You didn't give any info on the problems you had using gcc 4.5 so very
> hard to comment.  However, roughly the upgrade of any gcc is as per the
> docs (upgrade, switch to it, upgrade libtool, emerge -ev system)
>
> Likely problems you had were dependencies upgrading from a very old
> system?  Remember there is no harm in masking your gcc, upgrading, then
> upgrading gcc is this solves some dependency? (Slower)
>
> Remember to backup the machine...

Thanks, the problem was rather silly: I ran out of RAM in a diskless machine...

By the way, if I wish to update and totally rebuild my system, what
steps do I have to take? I've seen many guides telling about the
toolchain and emerge -e system, then world, but I lack consistency and
understanding about how exactly and why. Anyone to suggest me some
valuable link about that?

Re: [gentoo-hardened] Tips for upgrading to the current stable gentoo hardened?

[Anthony G. Basile]

On 06/29/2011 04:39 AM, Kārlis Repsons wrote:
> On 20 June 2011 14:20, Ed W <lists@wildgooses.com> wrote:
>> On 15/06/2011 11:55, Kārlis Repsons wrote:
>>> Hi all,
>>>
>>> I've got a machine, which hasn't been upgraded for some 2 years or less. It
>>> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
>>> I'm here to ask for the right sequence of upgrades and other actions before
>>> it's too late...
>>>
>>> These actions done already:
>>> 1. updated binutils,
>>> 2. updated glibc,
>>> 3. unmerged and re-emerged libtool (had a blocker),
>>> 4. tried with the new GCC, but failed with some unclear problems,
>>> 5. switched to vanilla GCC and now compile glibc...
>>>
>>> So have I done something bad or what should I do to be sure that the upgrade
>>> goes as smooth as possible? Thanks...
>>
>> You didn't give any info on the problems you had using gcc 4.5 so very
>> hard to comment.  However, roughly the upgrade of any gcc is as per the
>> docs (upgrade, switch to it, upgrade libtool, emerge -ev system)
>>
>> Likely problems you had were dependencies upgrading from a very old
>> system?  Remember there is no harm in masking your gcc, upgrading, then
>> upgrading gcc is this solves some dependency? (Slower)
>>
>> Remember to backup the machine...
> 
> Thanks, the problem was rather silly: I ran out of RAM in a diskless machine...
> 
> By the way, if I wish to update and totally rebuild my system, what
> steps do I have to take? I've seen many guides telling about the
> toolchain and emerge -e system, then world, but I lack consistency and
> understanding about how exactly and why. Anyone to suggest me some
> valuable link about that?

The safest approach in either switching or recompiling everything is:

1. Make the profile is set "eselect profile list" and pick your hardened
box.  Careful on amd64 about changing multilib/nomultilib.  Stick with
your mutilib-edness (if such a word exists :)

2. Rebuild the tool chain: emerge binutils glibc gcc

3. Rebuild system: emerge --keep-going -eq system
(note anything that fails you might want to file a bug)

4. Rebuild world: emerge --keep-going -eq world
(again not any failures, shouldn't happen else we're not doing our job)

system vs world = system is just the bare minimum packages that any box
running that profile needs.  world = system + what you've added.  You
can skip step 3, but there might be a chance of mixing
unhardened/hardened stuff if you do, but I'm not 100% sure.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[7v5w7go9ub0o]

On 06/29/11 07:19, Anthony G. Basile wrote:

[snip]

>
> The safest approach in either switching or recompiling everything
> is:
>
> 1. Make the profile is set "eselect profile list" and pick your
> hardened box.  Careful on amd64 about changing multilib/nomultilib.
> Stick with your mutilib-edness (if such a word exists :)
>
> 2. Rebuild the tool chain: emerge binutils glibc gcc
>
> 3. Rebuild system: emerge --keep-going -eq system (note anything
> that fails you might want to file a bug)
>
> 4. Rebuild world: emerge --keep-going -eq world (again not any
> failures, shouldn't happen else we're not doing our job)
>
> system vs world = system is just the bare minimum packages that any
> box running that profile needs.  world = system + what you've added.
> You can skip step 3, but there might be a chance of mixing
> unhardened/hardened stuff if you do, but I'm not 100% sure.
>

Thank You!

1. Is there some way this clear, succinct list could get into the
hardened documentation?

2. At this point, the 'clearest' way to build a hardened box from scratch
seems to go a few steps into the Gentoo handbook, then migrate using the
steps above. Not ideal, but until the documentation can be refined, how
about either putting these steps into the handbook, or alternatively a
reference *in the handbook* to wherever you find a home for these steps
(e.g. QandA).

IIRC, there is nowhere a reference to "hardened" in the Gentoo Handbook.

Re: [gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[Tom Hendrikx]

On 29/06/11 16:47, 7v5w7go9ub0o wrote:
> On 06/29/11 07:19, Anthony G. Basile wrote:
> 
> [snip]
> 
>>
>> The safest approach in either switching or recompiling everything
>> is:
>>
>> 1. Make the profile is set "eselect profile list" and pick your
>> hardened box.  Careful on amd64 about changing multilib/nomultilib.
>> Stick with your mutilib-edness (if such a word exists :)
>>
>> 2. Rebuild the tool chain: emerge binutils glibc gcc
>>
>> 3. Rebuild system: emerge --keep-going -eq system (note anything
>> that fails you might want to file a bug)
>>
>> 4. Rebuild world: emerge --keep-going -eq world (again not any
>> failures, shouldn't happen else we're not doing our job)
>>
>> system vs world = system is just the bare minimum packages that any
>> box running that profile needs.  world = system + what you've added.
>> You can skip step 3, but there might be a chance of mixing
>> unhardened/hardened stuff if you do, but I'm not 100% sure.
>>
> 
> Thank You!
> 
> 1. Is there some way this clear, succinct list could get into the
> hardened documentation?
> 
> 2. At this point, the 'clearest' way to build a hardened box from scratch
> seems to go a few steps into the Gentoo handbook, then migrate using the
> steps above. Not ideal, but until the documentation can be refined, how
> about either putting these steps into the handbook, or alternatively a
> reference *in the handbook* to wherever you find a home for these steps
> (e.g. QandA).

I built a hardened box last week by grabbing a hardened autobuild, then
following the regular handbook for my arch. Above steps are only needed
when you start from a regular stage, or when you are converting a
regular install.

Usage of autobuilds is missing in the handbook now, but iirc there are
some open bugs on getting this changed.

--
Regards,
	Tom

[gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[7v5w7go9ub0o]

On 06/29/11 17:39, Tom Hendrikx wrote:
> On 29/06/11 16:47, 7v5w7go9ub0o wrote:

>>
>> 2. At this point, the 'clearest' way to build a hardened box from
>> scratch seems to go a few steps into the Gentoo handbook, then
>> migrate using the steps above. Not ideal, but until the
>> documentation can be refined, how about either putting these steps
>>  into the handbook, or alternatively a reference *in the handbook*
>>  to wherever you find a home for these steps (e.g. QandA).
>
> I built a hardened box last week by grabbing a hardened autobuild,
> then following the regular handbook for my arch. Above steps are only
> needed when you start from a regular stage, or when you are
> converting a regular install.
>
> Usage of autobuilds is missing in the handbook now, but iirc there
> are some open bugs on getting this changed.
>
> -- Regards, Tom
>
>

Geeze... I've built a couple of hardened boxes from scratch; most
recently two or three years ago; never *heard* of autobuild. Maybe my
experience precedes it (I was using experimental.org).

Perhaps the perfect (as in the traditionally excellent Gentoo
documentation) has become the enemy of the good (the documentation of the
autobuild is good, but not perfect enough to be entered into official docs.)

If "Q and A" is now the official hardened documentation, then 'twould be
nice if someone put a couple of imperfect sentences in there about
autobuild.

Good to know; so autobuilds are probably the clearest way to build a
hardened box. Thanks for posting.

(p.s. I think of ALL of the work that Zorry, Blueness, and a myriad of
other folks put into bringing Hardened Gentoo up to date - truly
*heroic* contributions - and I now fear that a lack of documentation will
result in a loss of the benefit of all of that work)

killall rant

Re: [gentoo-hardened] Re: Tips for upgrading to the current stable gentoo hardened?

[Anthony G. Basile]

On 06/29/2011 05:39 PM, Tom Hendrikx wrote:
> On 29/06/11 16:47, 7v5w7go9ub0o wrote:
>> On 06/29/11 07:19, Anthony G. Basile wrote:
>>
>> [snip]
>>
>>>
>>> The safest approach in either switching or recompiling everything
>>> is:
>>>
>>> 1. Make the profile is set "eselect profile list" and pick your
>>> hardened box.  Careful on amd64 about changing multilib/nomultilib.
>>> Stick with your mutilib-edness (if such a word exists :)
>>>
>>> 2. Rebuild the tool chain: emerge binutils glibc gcc
>>>
>>> 3. Rebuild system: emerge --keep-going -eq system (note anything
>>> that fails you might want to file a bug)
>>>
>>> 4. Rebuild world: emerge --keep-going -eq world (again not any
>>> failures, shouldn't happen else we're not doing our job)
>>>
>>> system vs world = system is just the bare minimum packages that any
>>> box running that profile needs.  world = system + what you've added.
>>> You can skip step 3, but there might be a chance of mixing
>>> unhardened/hardened stuff if you do, but I'm not 100% sure.
>>>
>>
>> Thank You!
>>
>> 1. Is there some way this clear, succinct list could get into the
>> hardened documentation?
>>
>> 2. At this point, the 'clearest' way to build a hardened box from scratch
>> seems to go a few steps into the Gentoo handbook, then migrate using the
>> steps above. Not ideal, but until the documentation can be refined, how
>> about either putting these steps into the handbook, or alternatively a
>> reference *in the handbook* to wherever you find a home for these steps
>> (e.g. QandA).
> 
> I built a hardened box last week by grabbing a hardened autobuild, then
> following the regular handbook for my arch. Above steps are only needed
> when you start from a regular stage, or when you are converting a
> regular install.
> 
> Usage of autobuilds is missing in the handbook now, but iirc there are
> some open bugs on getting this changed.
> 
> --
> Regards,
> 	Tom

That's correct, these are instructions for switching from vanilla or if
you want to *very* safely recompile everything making sure you get
hardened.  It is the most conservative path but also very time consuming.

If you're starting from scratch, just grab the latest stage3 *hardened*
tarball, start building your system from there and save yourself the
time.  You will gain nothing but recompiling the tool chain and
system/world.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535