* [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Franklin Wang @ 2014-02-19 23:40 UTC
To: gentoo-user

and what about slackware for server?

-------- Original Message --------
Subject: How about the gentoo server or cluster in production environment?
Date: Fri, 29 Nov 2013 09:41:28 +0800
From: Franklin Wang <touch21st@gmail.com>
To: gentoo-server@lists.gentoo.org, gentoo-cluster@lists.gentoo.org

Hi all,

I'm not familiar with gentoo server and cluster. So could you tell me
the experience about them? Thanks.

Franklin Wang

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Nilesh Govindrajan @ 2014-02-20 0:14 UTC
To: Gentoo User Mailing List

On 20 Feb 2014 05:12, "Franklin Wang" <touch21st@gmail.com> wrote:
>
> and what about slackware for server?
>
> -------- Original Message --------
> Subject: How about the gentoo server or cluster in production environment?
> Date: Fri, 29 Nov 2013 09:41:28 +0800
> From: Franklin Wang <touch21st@gmail.com>
> To: gentoo-server@lists.gentoo.org, gentoo-cluster@lists.gentoo.org
>
> Hi all,
>
> I'm not familiar with gentoo server and cluster. So could you tell me
> the experience about them? Thanks.
>
> Franklin Wang

Gentoo makes the best server os because it's a custom built os where the
admin knows each and every aspect of the os. Security wise, there are no
unwanted or unused stuff, so lesser bugs to deal with.

Clustering, well, you can do that using glusterfs

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Franklin Wang @ 2014-02-20 0:36 UTC
To: gentoo-user

Maybe it's interesting, although I prefer to use red hat, suse or ubuntu
in datacenter as Google. Slackware servers're not very popular here

On 2014-02-20 08:14, Nilesh Govindrajan wrote:
> Gentoo makes the best server os because it's a custom built os where
> the admin knows each and every aspect of the os. Security wise, there
> are no unwanted or unused stuff, so lesser bugs to deal with.
>
> Clustering, well, you can do that using glusterfs

--
skype:touch21st, Gtalk:touch21st, Yahoo/MSN:franklinwang36@yahoo.com,
Xing/Linkedin:Franklin Wang

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Facundo Curti @ 2014-02-20 0:53 UTC
To: gentoo-user

I think a "more stable" distro is better for production. My choice is
debian. I think you can't find anything more stable than debian...

>Gentoo makes the best server os because it's a custom built os where the
>admin knows each and every aspect of the os.

This is true, but gentoo is a little unstable to use on production. The
system must be on 365 days/year. ¿and when you need to update the system?
This will use all the processor and the system will be overloaded. This
means users can't use the system when this is updating...

I think the best for a server is debian. I didn't try red hat but I see
this like a commercial distro :/ Any way, red hat is very used as server.
And if you choose to pay, you will have official support (Otherwise, you
are alone :/)

P.D: I'm sorry if my english is not perfect, i speak spanish

2014-02-19 21:36 GMT-03:00 Franklin Wang <touch21st@gmail.com>:
> Maybe it's interesting, although I prefer to use red hat, suse or ubuntu
> in datacenter as Google. Slackware servers're not very popular here

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Nilesh Govindrajan @ 2014-02-20 1:06 UTC
To: Gentoo User Mailing List

On 20 Feb 2014 06:23, "Facundo Curti" <facu.curti@gmail.com> wrote:
>
> I think a "more stable" distro is better for production. My choice is
> debian. I think you can't find anything more stable than debian...
>
> >Gentoo makes the best server os because it's a custom built os where
> >the admin knows each and every aspect of the os.
>
> This is true, but gentoo is a little unstable to use on production. The
> system must be on 365 days/year. ¿and when you need to update the
> system? This will use all the processor and the system will be
> overloaded. This means users can't use the system when this is
> updating...
>
> I think the best for a server is debian. I didn't try red hat but I see
> this like a commercial distro :/ Any way, red hat is very used as
> server. And if you choose to pay, you will have official support
> (Otherwise, you are alone :/)
>
> P.D: I'm sorry if my english is not perfect, i speak spanish

Um, binhost?

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Franklin Wang @ 2014-02-20 1:17 UTC
To: gentoo-user

Debian's powerful and stable, and I like apt very much. Gentoo and arch
can be used for soho. Google uses red hat in datacenter with a customized
kernel, and facebook started the project of open compute. are several
RISC processors going to die?

On 2014-02-20 08:53, Facundo Curti wrote:
> I think a "more stable" distro is better for production. My choice is
> debian. I think you can't find anything more stable than debian...
>
> >Gentoo makes the best server os because it's a custom built os where
> >the admin knows each and every aspect of the os.
>
> This is true, but gentoo is a little unstable to use on production.
> The system must be on 365 days/year. ¿and when you need to update the
> system? This will use all the processor and the system will be
> overloaded. This means users can't use the system when this is
> updating...
>
> I think the best for a server is debian. I didn't try red hat but I
> see this like a commercial distro :/ Any way, red hat is very used as
> server. And if you choose to pay, you will have official support
> (Otherwise, you are alone :/)
>
> P.D: I'm sorry if my english is not perfect, i speak spanish

--
skype:touch21st, Gtalk:touch21st, Yahoo/MSN:franklinwang36@yahoo.com,
Xing/Linkedin:Franklin Wang

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: thegeezer @ 2014-02-20 9:28 UTC
To: gentoo-user

On 02/20/2014 12:53 AM, Facundo Curti wrote:
> I think a "more stable" distro is better for production. My choice is
> debian. I think you can't find anything more stable than debian...
>
> >Gentoo makes the best server os because it's a custom built os where
> >the admin knows each and every aspect of the os.
>
> This is true, but gentoo is a little unstable to use on production.
> The system must be on 365 days/year. ¿and when you need to update the
> system? This will use all the processor and the system will be
> overloaded. This means users can't use the system when this is
> updating...
>

the advantage of clustering servers though is you can take one out and
update it. if you use a distributed compilation [1] and tell portage to
keep the binaries [2] you can take a few out and do them together, then
the remainder do not require compilation as the compile has been done.

> I think the best for a server is debian. I didn't try red hat but I
> see this like a commercial distro :/ Any way, red hat is very used as
> server. And if you choose to pay, you will have official support
> (Otherwise, you are alone :/)
>

many of the cluster tools and services are actually written by redhat so
there is no surprise that there is much better integration. however i
would much rather put gentoo in a public facing domain where you need the
latest security patches always.

getting clustering to work with gentoo can be a bit of a pain if you are
just feeling your way

the big question really is what is the purpose of your cluster ?
shared database load?
load balanced web servers?
distributed file system?
distributed multi system multi cpu calculations?
distributed fast memory cache ?
each thing has a different set of tools and management thereof.

> P.D: I'm sorry if my english is not perfect, i speak spanish

[1] https://wiki.gentoo.org/wiki/Distcc
[2] http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=3#doc_chap4

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Tanstaafl @ 2014-02-20 12:04 UTC
To: gentoo-user

On 2014-02-19 7:53 PM, Facundo Curti <facu.curti@gmail.com> wrote:
> This is true, but gentoo is a little unstable to use on production. The
> system must be on 365 days/year. ¿and when you need to update the
> system? This will use all the processor and the system will be
> overloaded. This means users can't use the system when this is updating...

That is such total FUD I just can't even say anything else about it
without using some unsavory words.

I had an old underpowered server (only 2GB of RAM) that supported about
100 users using IMAP to access their huge maildir mailstores (some users
have 20+GB of mail).

I kept the thing updated on a regular basis, and the only time it ever
went down was to reboot after a kernel upgrade.

Updates to all of the other software - postfix and courier-imap (now
dovecot) were always done on the live system, and interruption in service
was only momentary when I restarted the services after the updates.

So please... there may be some legitimate philosophical or other reasons
(PHB?) not to use gentoo, but what you said ain't one of them.

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Tanstaafl @ 2014-02-20 12:24 UTC
To: gentoo-user

On 2014-02-20 7:04 AM, Tanstaafl <tanstaafl@libertytrek.org> wrote:
> On 2014-02-19 7:53 PM, Facundo Curti <facu.curti@gmail.com> wrote:
>> This is true, but gentoo is a little unstable to use on production. The
>> system must be on 365 days/year. ¿and when you need to update the
>> system? This will use all the processor and the system will be
>> overloaded. This means users can't use the system when this is
>> updating...
>
> That is such total FUD I just can't even say anything else about it
> without using some unsavory words.
>
> I had an old underpowered server (only 2GB of RAM) that supported about
> 100 users using IMAP to access their huge maildir mailstores (some users
> have 20+GB of mail).
>
> I kept the thing updated on a regular basis, and the only time it ever
> went down was to reboot after a kernel upgrade.

And I neglected a main factor - this server was running and serving this
many users and being updated simultaneously like this for about 9 YEARS.

I only just recently (in the last couple of months) replaced it with a
shiny new gentoo VM running on my shiny new vmWare host, and I only did
that because I wanted to enable dovecot's on disk indexes but couldn't do
that without adding more RAM and more disk space to the old box, and
since I had a shiny new vmWare host, it only made sense to ditch the old
box.

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Facundo Curti @ 2014-02-21 1:03 UTC
To: gentoo-user

> the advantage of clustering servers though is you can take one out and
> update it. if you use a distributed compilation [1] and tell portage to
> keep the binaries [2] you can take a few out and do them together, then
> the remainder do not require compilation as the compile has been

It is true. I didn't think of that. :)

>That is such total FUD I just can't even say anything else about it
>without using some unsavory words.

You don't need to be disrespectful... It just was my opinion, and
everybody is here to learn...

Everybody says good points. I think it is just a matter of taste.
I hope to get the chance to try gentoo as server someday. For now, I just
stay in debian. (And my lovely gentoo as desktop, of course).

Bye! ;)

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Nilesh Govindrajan @ 2014-02-21 1:39 UTC
To: Gentoo User Mailing List

On 21 Feb 2014 06:33, "Facundo Curti" <facu.curti@gmail.com> wrote:
>
> > the advantage of clustering servers though is you can take one out
> > and update it. if you use a distributed compilation [1] and tell
> > portage to keep the binaries [2] you can take a few out and do them
> > together, then the remainder do not require compilation as the
> > compile has been
>
> It is true. I didn't think of that. :)
>
> >That is such total FUD I just can't even say anything else about it
> >without using some unsavory words.
>
> You don't need to be disrespectful... It just was my opinion, and
> everybody is here to learn...
>
> Everybody says good points. I think it is just a matter of taste.
> I hope to get the chance to try gentoo as server someday. For now, I
> just stay in debian. (And my lovely gentoo as desktop, of course).
>
> Bye! ;)

Just my two cents - I've been using gentoo on my servers as well as on
client servers for about 2.5+ years and never had any issues.

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Tanstaafl @ 2014-02-21 13:49 UTC
To: gentoo-user

On 2014-02-20 8:03 PM, Facundo Curti <facu.curti@gmail.com> wrote:
> Facundo impolitely omitted attribution, so I have to add it back...
> I said:
>> That is such total FUD I just can't even say anything else about it
>> without using some unsavory words.

> You don't need to be disrespectful...

How was my comment disrespectful?

> It just was my opinion, and everybody is here to learn...

But no one is going to learn (anything worthwhile) by spreading FUD. If
you are going to voice a strong opinion, be prepared to have it
challenged, especially when it is so clearly and obviously wrong.

> Everybody says good points. I think it is just a matter of taste.

Lol! Wrong. Making a claim that gentoo cannot be updated while
maintaining its server operations is just so wrong it is ridiculous, and
has nothing to do with 'taste'.

If you don't want people to say that some claim you make is ridiculously
false, stop making ridiculously false claims. Simple.

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Nick Cameo @ 2014-02-27 13:09 UTC
To: gentoo-user

Just because google does it, does not mean it's right. If you are going
to make a suggestion, please make it an educated one. For example:

"I prefer RHEL because of its mature GFS, and CMAN support which is Red
Hat's implementation of global file system and cluster computing."

Or you could even sound funny saying it but add valuable input
nevertheless. Something like:

"I think SLES is the shizaooo for clustering because of its continued
support of Pacemaker Cluster, DRBD, GFS, OCFS2 etc...."

Just saying I like something because google does, is not valuable input.
To be honest, it's just as a waste of time to read as it is to write.

Debian, and Ubuntu are desktop platforms. Yes they are widely used in
production server environments (the slow ones that is) however, our last
experience with Debian squeeze as a whole (ie, source tree, reliability,
performance), was inhospitable. Dare I say, it was making as nauseated as
we would be behind a Windows machine...

That being said, the OP did not specify the type of cluster. Is he
referring to HPLC (Oscar, Rocks, MPI) or Failover cluster for certain
services such as HTTP, SSH etc.. as is provided by CMAN, Pacemaker.

What has worked really solid for us due to many factors, and the idea of
being able to build everything from the ground up is Gentoo, with
Pacemaker, GFS, and DRBD. This is for our failover system.

Kind Regards,

Nick from Toronto.

On Wed, Feb 19, 2014 at 7:36 PM, Franklin Wang <touch21st@gmail.com> wrote:
> Maybe it's interesting, although I prefer to use red hat, suse or ubuntu
> in datacenter as Google. Slackware servers're not very popular here

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Facundo Curti @ 2014-02-27 17:53 UTC
To: gentoo-user

> Debian, and Ubuntu are desktop platforms. Yes they are widely used in
> production server environments (the slow ones that is) however, our
> last experience with Debian squeeze as a whole (ie, source tree,
> reliability, performance), was inhospitable. Dare I say, it was making
> as nauseated as we would be behind a Windows machine...

Really? Debian is a desktop distro? Gentoo it is also, as ALMOST every
distro...

Debian uses old software, because all packages are very tested, and have
bug fixes, before launch as stable... Debian is a REALLY stable distro,
is for that why is very used as server.

And ubuntu? Yes, it is shit
I think ubuntu is used as server, just because "is easy"

Any way... I think every stable distro, could be used as server. Who is
better? Well, this depends on every one. Try to pick the best music group
and you will have a same large discussion.

Sorry if my english is not perfect. Bye! ;)

* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Tom Wijsman @ 2014-03-21 13:37 UTC
To: facu.curti; +Cc: gentoo-user

On Thu, 27 Feb 2014 14:53:22 -0300
Facundo Curti <facu.curti@gmail.com> wrote:

> > Debian, and Ubuntu are desktop platforms. Yes they are widely used
> > in production server environments (the slow
> > ones that is) however, our last experience with Debian squeeze as a
> > whole (ie, source tree, reliability, performance),
> > was inhospitable. Dare I say, it was making as nauseated as we
> > would be behind a Windows machine...
>
> Really? Debian is a desktop distro? Gentoo it is also, as ALMOST every
> distro...

Gentoo is a meta distro; because of that, you can make it whatever you
want to be nearly unlimited (other than by available manpower). :)

--
With kind regards,

Tom Wijsman (TomWij)
Gentoo Developer

E-mail address  : TomWij@gentoo.org
GPG Public Key  : 6D34E57D
GPG Fingerprint : C165 AF18 AB4C 400B C3D2 ABF0 95B2 1FCD 6D34 E57D

* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment?
From: Nicolas Sebrecht @ 2014-02-20 10:29 UTC
To: gentoo-user; +Cc: Nicolas Sebrecht

The 20/02/14, Nilesh Govindrajan wrote:

> Gentoo makes the best server os because it's a custom built os where the
> admin knows each and every aspect of the os. Security wise, there are no
> unwanted or unused stuff, so lesser bugs to deal with.

While I agree with the "less code is less bug" argument, I disagree with
your point.

Tuning softwares mean that the binaries compiled on a machine are less
used in the wild (other Gentoo systems have other hardware, enabled use
flags, etc). Hence, the binaries executed on your local server are likely
much less tested by others.

So, we can't say what is the true impact of use flags on security or
stability compared to any widely-used pre-compiled distribution.

--
Nicolas Sebrecht

* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment?
From: Andrew Savchenko @ 2014-02-20 16:52 UTC
To: gentoo-user; +Cc: Nicolas Sebrecht

On Thu, 20 Feb 2014 11:29:52 +0100 Nicolas Sebrecht wrote:
> The 20/02/14, Nilesh Govindrajan wrote:
>
> > Gentoo makes the best server os because it's a custom built os where the
> > admin knows each and every aspect of the os. Security wise, there are no
> > unwanted or unused stuff, so lesser bugs to deal with.
>
> While I agree with the "less code is less bug" argument, I disagree with
> your point.
>
> Tuning softwares mean that the binaries compiled on a machine are less
> used in the wild (other Gentoo systems have other hardware, enabled use
> flags, etc). Hence, the binaries executed on your local server are likely
> much less tested by others.

And this point is one of the highest security benefits in real world:
one have non-standard binaries, not available in the wild. Most
exploits will fail on such binaries even if vulnerability is still
there. This will cut off most of automatic botnet attacks even without
additional security measures like hardened setup, PaX or GRSecurity
(yeah, I never trusted SELinux because of its main author: sane agency
will never release a security tool which can be a hinder to this
agency).

Of course, if system is specifically targeted by qualified
professionals, this will only hinder their approach, but binary based
distributions will not provide any advantage here either.

Best regards,
Andrew Savchenko

* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-20 16:52 ` Andrew Savchenko @ 2014-02-20 20:41 ` Nicolas Sebrecht 2014-02-20 20:59 ` Alan McKinnon 2014-02-21 11:16 ` Andrew Savchenko 0 siblings, 2 replies; 35+ messages in thread From: Nicolas Sebrecht @ 2014-02-20 20:41 UTC (permalink / raw To: gentoo-user; +Cc: Nicolas Sebrecht, Nicolas Sebrecht On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: > And this point is one of the highest security benefits in real world: > one have non-standard binaries, not available in the wild. Most > exploits will fail on such binaries even if vulnerability is still > there. While excluding few security issues by compiling less code is possible, believing that "non-standard binaries" (in the sense of "compiled for with local compilation flags") gives more security is a dangerous dream. -- Nicolas Sebrecht ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-20 20:41 ` Nicolas Sebrecht @ 2014-02-20 20:59 ` Alan McKinnon 2014-02-21 12:39 ` Andrew Savchenko 2014-02-21 14:15 ` hasufell 2014-02-21 11:16 ` Andrew Savchenko 1 sibling, 2 replies; 35+ messages in thread From: Alan McKinnon @ 2014-02-20 20:59 UTC (permalink / raw To: gentoo-user On 20/02/2014 22:41, Nicolas Sebrecht wrote: > On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: > >> And this point is one of the highest security benefits in real world: >> one has non-standard binaries, not available in the wild. Most >> exploits will fail on such binaries even if vulnerability is still >> there. > > While excluding few security issues by compiling less code is possible, > believing that "non-standard binaries" (in the sense of "compiled for > with local compilation flags") gives more security is a dangerous dream. > +1 "non-standard binaries" is really just a special form of security by obscurity. Or alternatively a special form of "no-one will eva figure out my l33t skillz! Mwahahaha!" Which is a very poor stance to take. The total amount of code not compiled by setting some USE flags off is on the whole not likely to be very much, and hoping with fingers crossed that the next weakness in a package will just happen to fall within a code path that got left out by USE flags is a fool's dream. I'm glad you mentioned this Andrew, because the internets are full of stupid advice like this "non-standard binary" nonsense. Yes, the arguments at face value are difficult to refute with hard facts, but those that do not know it is stupid are easily led into a sense of false security, doesn't matter how many disclaimers are tagged on the end. I reckon it's the duty of all knowledgeable sysadmins to stamp out this crap HARD every time it raises its head. 
To the user who brought it up - this might seem overly harsh but I've yet to find a better method that actually works and gets through to people. -- Alan McKinnon alan.mckinnon@gmail.com ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-20 20:59 ` Alan McKinnon @ 2014-02-21 12:39 ` Andrew Savchenko 2014-02-26 11:44 ` Nicolas Sebrecht 2014-02-21 14:15 ` hasufell 1 sibling, 1 reply; 35+ messages in thread From: Andrew Savchenko @ 2014-02-21 12:39 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 5243 bytes --] On Thu, 20 Feb 2014 22:59:59 +0200 Alan McKinnon wrote: > On 20/02/2014 22:41, Nicolas Sebrecht wrote: > > On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: > > > >> And this point is one of the highest security benefits in real world: > >> one has non-standard binaries, not available in the wild. Most > >> exploits will fail on such binaries even if vulnerability is still > >> there. > > > > While excluding few security issues by compiling less code is possible, > > believing that "non-standard binaries" (in the sense of "compiled for > > with local compilation flags") gives more security is a dangerous dream. > > > > > +1 > > "non-standard binaries" is really just a special form of security by > obscurity. Or alternatively a special form of "no-one will eva figure > out my l33t skillz! Mwahahaha!" Exactly. This is security through obscurity. I never claimed this is an ultimate or a sufficient way to protect a system. But this is just one of many layers which can be used to provide acceptable security level. > Which is a very poor stance to take. > > The total amount of code not compiled by setting some USE flags off is > on the whole not likely to be very much, and hoping with fingers crossed > that the next weakness in a package will just happen to fall within a > code path that got left out by USE flags is a fool's dream. You may compare binary sizes for e.g. openldap (and all its libraries) with minimal and full (USE="-minimal *") setup. Quite impressive, not to count all external so libraries involved. 
> I'm glad you mentioned this Andrew, because the internets are full of > stupid advice like this "non-standard binary" nonsense. Are you considering Bruce Schneier's advice as a stupid nonsense? In his "Applied cryptography" he recommended one of the ways to straighten a system: to use not so frequently used algorithms instead of selected standards because less frequently used algorithms have no better math but are less targeted, have less specialized hardware built to crack them and so on. > Yes, the > arguments at face value are difficult to refute with hard facts, but > those that do not know it is stupid are easily led into a sense of > false security, doesn't matter how many disclaimers are tagged on the end. > > I reckon it's the duty of all knowledgeable sysadmins to stamp out this > crap HARD every time it raises its head. To the user who brought it up > - this might seem overly harsh but I've yet to find a better method that > actually works and gets through to people. I never talked about a sense of security just because system has non-standard binaries. I talked about high variance which brings a _bit_ more security. And I'm talking not from some theorizing, but from practical experience on both ends (data protection and legitimate system forensics). Have you ever considered how systems became broken in the wild? The most common way (in numbers of hosts, not significance) are automated robots and botnets. They just scan the net, try to bruteforce any login service they found and try to apply any exploit appropriate from their database. If one has a widely used and improperly configured (or not timely updated) setup, it will be hacked this way. The key point of any attack is *cost*, is *money* one needs to spend for an attack. Automated attacks are cheap and such _simple and cheap_ measures as obscured binaries and non-standard (e.g. ssh) ports will stop most of these attacks. 
This way it will cost _more_ for the attacker to break into protected system and with raise of an attack cost system protection level also rises. Of course, obfuscation is _not_ sufficient for system protection. This is just one small step forward. I don't want to discuss full scope of server protection issues, because this is far out of the topic of this discussion and because measures needed are task-dependent. However I want to notice one critical security issue quite common for production servers: an old software. It doesn't matter how many protection layers system have, how skilled person configured it was. When software is old it is quite trivial to look up for CVEs and break the system. Quite practical encounter from my own experience: I was asked to legitimately obtain root on the box (admin forgot password, reboot (with init=/bin/bash) was not an option and root access was needed for reconfiguration); a box was a year old RHEL with SELinux enforced. Third kernel exploit worked perfectly (I just found them on the net, not bothered to code myself). Such trivia with Gentoo and its custom binaries is not possible. And Gentoo is quite good with recent software updates (RH sometimes is too slow with critical kernel/libc issues). Old software is evil. It doesn't matter how good and tested it _was_. Variety and diversity are quite important for real world systems protection. Of course, it is possible to break _any_ box on the Earth, the only question is how high the cost will be. My point is that Gentoo provides native techniques to raise the attack cost. That's all. Best regards, Andrew Savchenko [-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --] ^ permalink raw reply [flat|nested] 35+ messages in thread
* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-21 12:39 ` Andrew Savchenko @ 2014-02-26 11:44 ` Nicolas Sebrecht 0 siblings, 0 replies; 35+ messages in thread From: Nicolas Sebrecht @ 2014-02-26 11:44 UTC (permalink / raw To: gentoo-user; +Cc: Nicolas Sebrecht The 21/02/14, Andrew Savchenko wrote: > Are you considering Bruce Schneier's advice as a stupid nonsense? In > his "Applied cryptography" he recommended one of the ways to > straighten a system: to use not so frequently used algorithms instead > of selected standards because less frequently used algorithms has no > better math but are less targeted, have less specialized hardware > built to crack them and so on. First, it is worth recalling he talks about algorithms used in cryptography especially considering the context of the supposed power of the NSA. Second, he never talks about compilation USE FLAGS. His point is about algorithms. Only that. Gentoo does not change algorithms in the (widely spread) softwares supported by the distribution. And I'm not going to talk about specialized hardware for cryptography that almost nobody here will ever use. > I never talked about a sense of security just because system has > non-standard binaries. I talked about high variance which brings a > _bit_ more security. High variance applied to Gentoo or Debian IS non-sense. You won't get high variance in any of the supported softwares they provide. > Have you ever considered how systems became broken in the wild? The > most common way (in numbers of hosts, not significance) are automated > robots and botnets. They just scan the net, try to bruteforce any > login service they found and try to apply any exploit appropriate > from their database. If one have a widely used and improperly > configured (or not timely updated) setup, it will be hacked this way. <...> > However I want to notice one critical security issue quite common for > production servers: an old software. 
It doesn't matter how many > protection layers system have, how skilled person configured it was. > When software is old it is quite trivial to look up for CVEs and > break the system. Quite practical encounter from my own experience: I > was asked to legitimately obtain root on the box (admin forgot > password, reboot (with init=/bin/bash) was not an option and root > access was needed for reconfiguration); a box was a year old RHEL > with SELinux enforced. Third kernel exploit worked perfectly (I just > found them on the net, not bothered to code myself). Agreed. That's why the efforts from distribution maintainers focus on taking care to _not_ provide such softwares enabled this way by default. A large security effort relies on the admins, first. Upstream have few responsibility in security non-sense coming from the users. > . Such trivia with > Gentoo and its custom binaries is not possible. And Gentoo is quite > good with recent software updates (RH sometimes is too slow with > critical kernel/libc issues). Such security issue is not avoidable whatever it is Gentoo or not. Then, the best point is to have a wide community to ensure better support and surveillance on security issues in order to expect better support by the community to offer _updates_. > My point is that Gentoo > provides native techniques to raise the attack cost. That's all. And I'm afraid. -- Nicolas Sebrecht ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-20 20:59 ` Alan McKinnon 2014-02-21 12:39 ` Andrew Savchenko @ 2014-02-21 14:15 ` hasufell 2014-02-22 8:28 ` Alan McKinnon 2014-02-26 10:55 ` Nicolas Sebrecht 1 sibling, 2 replies; 35+ messages in thread From: hasufell @ 2014-02-21 14:15 UTC (permalink / raw To: gentoo-user -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Alan McKinnon: > On 20/02/2014 22:41, Nicolas Sebrecht wrote: >> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko >> wrote: >> >>> And this point is one of the highest security benefits in real >>> world: one have non-standard binaries, not available in the >>> wild. Most exploits will fail on such binaries even if >>> vulnerability is still there. >> >> While excluding few security issues by compiling less code is >> possible, believing that "non-standard binaries" (in the sense of >> "compiled for with local compilation flags") gives more security >> is a dangerous dream. >> > > > +1 > > "non-standard binaries" is really just a special form of security > by obscurity. So you are saying compiling a minimal kernel to minimize exposure to subsystem bugs is only obscurity? (I really wonder what Greg would say to this) The argument that this particular setup may be less tested is a valid one. But less tested also means less commonly known exploits and testing these setups is a win-win for users and upstream. Whether you like it or not... whenever you install software on a server, you become a tester at the same point. 
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-21 14:15 ` hasufell @ 2014-02-22 8:28 ` Alan McKinnon 2014-02-26 15:02 ` hasufell 2014-02-26 10:55 ` Nicolas Sebrecht 1 sibling, 1 reply; 35+ messages in thread From: Alan McKinnon @ 2014-02-22 8:28 UTC (permalink / raw To: gentoo-user On 21/02/2014 16:15, hasufell wrote: > Alan McKinnon: >> On 20/02/2014 22:41, Nicolas Sebrecht wrote: >>> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko >>> wrote: >>> >>>> And this point is one of the highest security benefits in real >>>> world: one have non-standard binaries, not available in the >>>> wild. Most exploits will fail on such binaries even if >>>> vulnerability is still there. >>> >>> While excluding few security issues by compiling less code is >>> possible, believing that "non-standard binaries" (in the sense of >>> "compiled for with local compilation flags") gives more security >>> is a dangerous dream. >>> > > >> +1 > >> "non-standard binaries" is really just a special form of security >> by obscurity. > > So you are saying compiling a minimal kernel to minimize exposure to > subsystem bugs is only obscurity? (I really wonder what Greg would say > to this) No, I'm saying that I pay RedHat large sums of money to look after this on my behalf and that money is wasted if I build a custom kernel on that machine. RedHat has a vested interest in doing this right (it's the product they sell) and they have more engineering resources to apply to the problem than I can ever raise. The odds favour RedHat often getting this right and me often getting it wrong, simply because I don't have the unit testing facilities required and my employer doesn't employ OS builders. I won't permit Gentoo to be used in production here for precisely that reason - I can't provide the test guarantees the business and shareholders demand. > The argument that this particular setup may be less tested is a valid > one. 
But less tested also means less commonly known exploits and > testing these setups is a win-win for users and upstream. > > Whether you like it or not... whenever you install software on a > server, you become a tester at the same point. Proper testing carries an onerous burden. I've yet to find an enterprise anywhere in the world that does it right outside of their core business. Instead, they pay someone else to do it. -- Alan McKinnon alan.mckinnon@gmail.com ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-22 8:28 ` Alan McKinnon @ 2014-02-26 15:02 ` hasufell 0 siblings, 0 replies; 35+ messages in thread From: hasufell @ 2014-02-26 15:02 UTC (permalink / raw To: gentoo-user -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Alan McKinnon: > On 21/02/2014 16:15, hasufell wrote: >> Alan McKinnon: >>> On 20/02/2014 22:41, Nicolas Sebrecht wrote: >>>> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko >>>> wrote: >>>> >>>>> And this point is one of the highest security benefits in >>>>> real world: one have non-standard binaries, not available >>>>> in the wild. Most exploits will fail on such binaries even >>>>> if vulnerability is still there. >>>> >>>> While excluding few security issues by compiling less code >>>> is possible, believing that "non-standard binaries" (in the >>>> sense of "compiled for with local compilation flags") gives >>>> more security is a dangerous dream. >>>> >> >> >>> +1 >> >>> "non-standard binaries" is really just a special form of >>> security by obscurity. >> >> So you are saying compiling a minimal kernel to minimize exposure >> to subsystem bugs is only obscurity? (I really wonder what Greg >> would say to this) > > No, I'm saying that I pay RedHat large sums of money to look after > this on my behalf and that money is wasted if I build a custom > kernel on that machine. > > RedHat has a vested interest in doing this right (it's the product > they sell) and they have more engineering resources to apply to the > problem than I can ever raise. The odds favour RedHat often getting > this right and me often getting it wrong, simply because I don't > have the unit testing facilities required and my employer doesn't > employ OS builders. > > I won't permit Gentoo to be used in production here for precisely > that reason - I can't provide the test guarantees the business and > shareholders demand. 
> > Yes, I agree that RedHat might be a better choice, if you can afford it (although there are some counter-arguments since they practically maintain kernel-forks because of heavy backporting, but I am unable to make a definite opinion on this). But that was not the point of my claims, so I don't see an argument. >> The argument that this particular setup may be less tested is a >> valid one. But less tested also means less commonly known >> exploits and testing these setups is a win-win for users and >> upstream. >> >> Whether you like it or not... whenever you install software on a >> server, you become a tester at the same point. > > Proper testing carries a onerous burden. I've yet to find a > enterprise anywhere in the world that does it right outside of > their core business. Instead, they pay someone else to do it. > Yeah, the kernel has _zero_ "proper" testing in the sense of software engineering. RedHat does not really improve that (e.g. unit tests and whatnot). Greg said why that's almost impossible, especially because the internal API changes way too frequently. Still unable to find a real counter-argument. This was about disabling codepaths/subsystems, not about RedHat vs Gentoo which is quite an uneven fight. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-21 14:15 ` hasufell 2014-02-22 8:28 ` Alan McKinnon @ 2014-02-26 10:55 ` Nicolas Sebrecht 2014-02-26 14:05 ` Poison BL. 2014-02-26 15:03 ` hasufell 1 sibling, 2 replies; 35+ messages in thread From: Nicolas Sebrecht @ 2014-02-26 10:55 UTC (permalink / raw To: gentoo-user; +Cc: Nicolas Sebrecht The 21/02/14, hasufell wrote: > So you are saying compiling a minimal kernel to minimize exposure to > subsystem bugs is only obscurity? (I really wonder what Greg would say > to this) Developers made the kernel to rely on modules. Distributions rely on them. Since they are almost always loaded on demand, Gentoo does not make things better in this area, either. -- Nicolas Sebrecht ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-26 10:55 ` Nicolas Sebrecht @ 2014-02-26 14:05 ` Poison BL. 2014-02-26 15:03 ` hasufell 1 sibling, 0 replies; 35+ messages in thread From: Poison BL. @ 2014-02-26 14:05 UTC (permalink / raw To: gentoo-user On Wed, Feb 26, 2014 at 5:55 AM, Nicolas Sebrecht <nsebrecht@piing.fr> wrote: > The 21/02/14, hasufell wrote: > >> So you are saying compiling a minimal kernel to minimize exposure to >> subsystem bugs is only obscurity? (I really wonder what Greg would say >> to this) > > Developers made the kernel to rely on modules. Distributions relies on > them. Since they are almost always loaded on demand, Gentoo does not > make things better in this area, either. > > -- > Nicolas Sebrecht > Actually, they're loaded on demand when they: a) Are enabled (the kernel doesn't rely on modules, it offers them for versatility, though some user space code does rely on them, i.e. virtualbox, a few drivers for X, etc) b) Are built for that particular kernel c) That kernel has all the dependencies in place to support them d) The tools to load them exist in user space e) They're not specifically blacklisted in user space (assuming a loading mechanism that honors that) Unless it's changed when I wasn't looking, it's entirely possible to build a kernel with module loading disabled entirely and restrict the set of code to be run in kernel space to an explicitly defined series of kernel options. I say "when I wasn't looking" because I use modules to trim down how much of iptables is constantly loaded on my router for rules there I don't use and the only other places I have Gentoo are my multitude of laptops, where the versatility of building and loading a module to test out yet another toy someone has on hand around me, without a reboot in many cases, is incredibly handy. -- Poison [BLX] Joshua M. Murphy ^ permalink raw reply [flat|nested] 35+ messages in thread
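Added example, not part of any message in this thread: a small audit of the module-loading conditions listed in the message above (loader compiled in, module blocked in user space), run against constructed sample files. The `modules_disabled` sysctl value and the `CONFIG_MODULE_SIG_FORCE` check go beyond what the message names; the function names, file names and sample contents are assumptions made for the example.

```shell
#!/bin/sh
# Classify how much kernel-module loading a host permits.
# Sample kernel configs and modprobe.d content below are constructed.

# Print y, m or n for a symbol in a kernel .config file.
# $1 = path to .config, $2 = symbol name without the CONFIG_ prefix
config_value() {
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    # "# CONFIG_FOO is not set" and absent symbols both mean "n"
    printf '%s\n' "${val:-n}"
}

# Print the module-loading posture of a kernel.
# $1 = .config path
# $2 = content of /proc/sys/kernel/modules_disabled (0 or 1)
module_posture() {
    if [ "$(config_value "$1" MODULES)" = n ]; then
        echo "static"        # no module loader compiled in at all
    elif [ "$2" = 1 ]; then
        echo "locked"        # loader present, switched off until reboot
    elif [ "$(config_value "$1" MODULE_SIG_FORCE)" = y ]; then
        echo "signed-only"   # only validly signed modules are accepted
    else
        echo "open"          # any module built for this kernel can load
    fi
}

# Succeed if modprobe.d-style configuration blocks a module.
# "blacklist" only stops alias-based autoloading; an "install" line
# pointing at /bin/false or /bin/true also stops explicit modprobe.
# $1 = directory holding *.conf files, $2 = module name
is_blocked() {
    cat "$1"/*.conf 2>/dev/null |
        sed 's/#.*//' |
        awk -v m="$2" '
            BEGIN { gsub(/-/, "_", m) }   # modprobe treats - and _ alike
            { name = $2; gsub(/-/, "_", name) }
            $1 == "blacklist" && name == m { found = 1 }
            $1 == "install" && name == m && $3 ~ /^\/bin\/(false|true)$/ { found = 1 }
            END { exit !found }'
}

# --- constructed sample input ---------------------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir "$SAMPLE/modprobe.d"

cat > "$SAMPLE/router.config" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_NETFILTER_XTABLES=m
EOF

cat > "$SAMPLE/server.config" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NETFILTER_XTABLES=y
EOF

cat > "$SAMPLE/modprobe.d/local.conf" <<'EOF'
blacklist dccp            # not autoloaded through aliases
install sctp /bin/false   # explicit modprobe fails as well
# blacklist usb-storage
EOF

# --- report ----------------------------------------------------------
for host in router server; do
    printf '%s kernel: %s\n' "$host" \
        "$(module_posture "$SAMPLE/$host.config" 0)"
done
for mod in dccp sctp usb-storage; do
    if is_blocked "$SAMPLE/modprobe.d" "$mod"; then
        printf '%s: blocked in user space\n' "$mod"
    else
        printf '%s: loadable\n' "$mod"
    fi
done
```

On a live host, pass the running kernel's config file and the content of `/proc/sys/kernel/modules_disabled`; that sysctl file does not exist on a kernel built without `CONFIG_MODULES`.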
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-26 10:55 ` Nicolas Sebrecht 2014-02-26 14:05 ` Poison BL. @ 2014-02-26 15:03 ` hasufell 2014-02-26 15:26 ` Nicolas Sebrecht 1 sibling, 1 reply; 35+ messages in thread From: hasufell @ 2014-02-26 15:03 UTC (permalink / raw To: gentoo-user Nicolas Sebrecht: > The 21/02/14, hasufell wrote: > >> So you are saying compiling a minimal kernel to minimize exposure >> to subsystem bugs is only obscurity? (I really wonder what Greg >> would say to this) > > Developers made the kernel to rely on modules. Distributions relies > on them. Since they are almost always loaded on demand, Gentoo does > not make things better in this area, either. > I wasn't only talking about modules and yes... loading them on demand actually proves my point. ^ permalink raw reply [flat|nested] 35+ messages in thread
* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-26 15:03 ` hasufell @ 2014-02-26 15:26 ` Nicolas Sebrecht 2014-02-27 1:05 ` hasufell 0 siblings, 1 reply; 35+ messages in thread From: Nicolas Sebrecht @ 2014-02-26 15:26 UTC (permalink / raw To: gentoo-user; +Cc: Nicolas Sebrecht The 26/02/14, hasufell wrote: > I wasn't only talking about modules and yes... loading them on demand > actually proves my point. No. We are talking about servers. -- Nicolas Sebrecht ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-26 15:26 ` Nicolas Sebrecht @ 2014-02-27 1:05 ` hasufell 0 siblings, 0 replies; 35+ messages in thread From: hasufell @ 2014-02-27 1:05 UTC (permalink / raw To: gentoo-user Nicolas Sebrecht: > The 26/02/14, hasufell wrote: > >> I wasn't only talking about modules and yes... loading them on >> demand actually proves my point. > > No. We are talking about servers. > I am aware of that. Please read the whole discussion. ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-20 20:41 ` Nicolas Sebrecht 2014-02-20 20:59 ` Alan McKinnon @ 2014-02-21 11:16 ` Andrew Savchenko 2014-02-26 10:51 ` Nicolas Sebrecht 1 sibling, 1 reply; 35+ messages in thread From: Andrew Savchenko @ 2014-02-21 11:16 UTC (permalink / raw To: gentoo-user; +Cc: Nicolas Sebrecht, Nicolas Sebrecht [-- Attachment #1: Type: text/plain, Size: 937 bytes --] On Thu, 20 Feb 2014 21:41:03 +0100 Nicolas Sebrecht wrote: > On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: > > > And this point is one of the highest security benefits in real world: > > one have non-standard binaries, not available in the wild. Most > > exploits will fail on such binaries even if vulnerability is still > > there. > > While excluding few security issues by compiling less code is possible, > believing that "non-standard binaries" (in the sense of "compiled for > with local compilation flags") gives more security is a dangerous dream. Any decent security setup contains multiple layers of protection. Use of non-standard binaries, algorithms or implementations is just one of them and it is the simplest math to prove that security is _improved_ this way. Nobody says that system became _acceptably_ secure _only_ by using this techniques. Best regards, Andrew Savchenko [-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --] ^ permalink raw reply [flat|nested] 35+ messages in thread
* [gentoo-user] Re: Fwd:How about the gentoo server or cluster in production environment? 2014-02-21 11:16 ` Andrew Savchenko @ 2014-02-26 10:51 ` Nicolas Sebrecht 0 siblings, 0 replies; 35+ messages in thread From: Nicolas Sebrecht @ 2014-02-26 10:51 UTC (permalink / raw To: Andrew Savchenko; +Cc: gentoo-user, Nicolas Sebrecht, Nicolas Sebrecht The 21/02/14, Andrew Savchenko wrote: > Any decent security setup contains multiple layers of protection. > Use of non-standard binaries, algorithms or implementations is just > one of them and it is the simplest math to prove that security is > _improved_ this way. The algorithms and implementations do not change with configuration options while they are almost always the cause of security issues of a software. Of course, building the same software on different architectures or with custom configuration options will change the assembler code and the binary fingerprint might be totally different. But considering this a layer of protection remains non-sense and is a dangerous approach. The nature of Gentoo does not help in this area compared to other binary distributions. I don't pretend that non-standard binaries NEVER protect against some kind of issues. I pretend they are ridiculously insignificant in the wild. -- Nicolas Sebrecht ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment? 2014-02-19 23:40 ` [gentoo-user] Fwd: How about the gentoo server or cluster in production environment? Franklin Wang 2014-02-20 0:14 ` Nilesh Govindrajan @ 2014-02-20 14:35 ` Andrew Savchenko 2014-02-21 7:35 ` Franklin Wang 2014-02-20 18:41 ` Andreas K. Huettel 2 siblings, 1 reply; 35+ messages in thread From: Andrew Savchenko @ 2014-02-20 14:35 UTC (permalink / raw To: gentoo-user; +Cc: Franklin Wang [-- Attachment #1: Type: text/plain, Size: 973 bytes --] Hi, On Thu, 20 Feb 2014 07:40:59 +0800 Franklin Wang wrote: > I'm not familiar with gentoo server and cluster. So could you tell me > the experience about them? Thanks. We have successful experience with Gentoo on both production servers (someone call this area "enterprise", though I dislike such name) and HPC setups. In short, Pros: - fine-tuned setups; - really large choice of components; - high-performance setups (especially rocks for HPC); - reduced attack surface; - nontrivial attack surface; - large system updates easy (compared to e.g. RHEL4 -> RHEL5 migration); - easier to add and maintain out-of-tree software. Cons: - much longer time for initial setup; - harder to apply routine updates; - poorly suitable for tasks like: "create me this new service ASAP (for which you don't have prepared images), preferably yesterday". Other notes: - requires more qualified personnel to maintain. Best regards, Andrew Savchenko [-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --] ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment? 2014-02-20 14:35 ` [gentoo-user] Fwd: How " Andrew Savchenko @ 2014-02-21 7:35 ` Franklin Wang 0 siblings, 0 replies; 35+ messages in thread From: Franklin Wang @ 2014-02-21 7:35 UTC (permalink / raw To: Andrew Savchenko; +Cc: gentoo-user Thanks for your help. The choice for HPC can be more free. I prepare to try it in datacenter, for FTP first, and then web server, mail server and so forth. Of course, I still think it's better to use rhel or suse for database, CRM and others. On 2014-02-20 22:35, Andrew Savchenko wrote: > Hi, > > On Thu, 20 Feb 2014 07:40:59 +0800 Franklin Wang wrote: >> I'm not familiar with gentoo server and cluster. So could you tell me >> the experience about them? Thanks. > We have successful experience with Gentoo on both production servers > (someone call this area "enterprise", though I dislike such name) and > HPC setups. > > In short, > Pros: > - fine-tuned setups; > - really large choice of components; > - high-performance setups (especially rocks for HPC); > - reduced attack surface; > - nontrivial attack surface; > - large system updates easy (compared to e.g. RHEL4 -> RHEL5 > migration); > - easier to add and maintain out-of-tree software. > Cons: > - much longer time for initial setup; > - harder to apply routine updates; > - poorly suitable for tasks like: "create me this new service ASAP > (for which you don't have prepared images), preferably yesterday". > Other notes: > - requires more qualified personnel to maintain. > > Best regards, > Andrew Savchenko -- skype:touch21st, Gtalk:touch21st, Yahoo/MSN:franklinwang36@yahoo.com, Xing/Linkedin:Franklin Wang ^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Andreas K. Huettel @ 2014-02-20 18:41 UTC
To: gentoo-user

> -------- Original Message --------
> Subject: How about the gentoo server or cluster in production environment?
> Date: Fri, 29 Nov 2013 09:41:28 +0800
> From: Franklin Wang <touch21st@gmail.com>
> To: gentoo-server@lists.gentoo.org, gentoo-cluster@lists.gentoo.org
>
> Hi all,
>
> I'm not familiar with gentoo server and cluster. So could you tell me
> the experience about them? Thanks.

There are some quite decent clusters running Gentoo. See the homepage of the
cluster team,

https://www.gentoo.org/proj/en/cluster/

and also the link there "Clusters running Gentoo".

--
Andreas K. Huettel
Gentoo Linux developer
kde, council
* Re: [gentoo-user] Fwd: How about the gentoo server or cluster in production environment?
From: Franklin Wang @ 2014-02-21 7:40 UTC
To: gentoo-user

Thanks a lot.

On 2014-02-21 02:41, Andreas K. Huettel wrote:
>> -------- Original Message --------
>> Subject: How about the gentoo server or cluster in production environment?
>> Date: Fri, 29 Nov 2013 09:41:28 +0800
>> From: Franklin Wang <touch21st@gmail.com>
>> To: gentoo-server@lists.gentoo.org, gentoo-cluster@lists.gentoo.org
>>
>> Hi all,
>>
>> I'm not familiar with gentoo server and cluster. So could you tell me
>> the experience about them? Thanks.
>
> There are some quite decent clusters running Gentoo. See the homepage of the
> cluster team,
>
> https://www.gentoo.org/proj/en/cluster/
>
> and also the link there "Clusters running Gentoo".
>
>

--
skype:touch21st, Gtalk:touch21st, Yahoo/MSN:franklinwang36@yahoo.com, Xing/Linkedin:Franklin Wang