I've been doing a lot of thinking lately on what distro to use in the server
room. Shortly after RedHat dropped support for its free distro, we moved to
Debian. Debian is nice because things tend to work, and upgrading is
minimal.
It has its issues though. Sure, packages are old, but that isn't my big
beef with Debian. How many features from new software does one normally run on
their server? I know for me it's very little. But there are other issues
that have arisen from my usage of Debian. Or perhaps better said, I recognized
issues in Debian and other distros through my usage of Gentoo. Here is an
email I recently put together explaining my thoughts on the matter:
Now -- all that being said -- and with everything I had mentioned about
servers a few years back when RedHat dropped its free products, we're
considering switching the distro on our internal servers.
Believe it or not, we're actually seriously considering Gentoo.
Gentoo has some really interesting features that make it really nice to work
with.
It has absolutely nothing to do with speed. This article here gets into some
of the positive aspects of Gentoo:
"Gentoo for all the Unusual Reasons"
http://www.linuxjournal.com/article/7438
The two biggest downsides someone would see to Gentoo on the server are:
* Newer (possibly less tested) packages
* Required to compile any package you want to install
Of course, both of those are issues. It was enough for me to write off
Gentoo as a server platform before having actually used it.
Now that I have it -- nearly every issue I run into with another distro, I
think "Wow, this would be easily solved in Gentoo". I actually feel that
there are fewer issues to be run into with the above two "downsides" in Gentoo,
as compared to the issues run into with other distros.
Before I get too much further -- I will state that this isn't necessarily
true for everyone, or always the best option. I have simply discovered that
it seems to work well for me :-)
I plan on getting around those two issues with Gentoo using a dedicated build
box. The build box would handle compiling all the packages that the other
servers might want. It'll store them as binaries (GRP packages). The other
servers would then install the binaries, not compile the source.
Further, to help the dedicated build box, some of the servers would probably
get distcc (a distributed compiler) put on them to help out with the building
process. Building packages would only occur at night, so running distcc on
things like our nameservers wouldn't be a problem, and would really speed
things up.
I also would not just install these new packages onto the servers without
first testing the packages on the dedicated box. The dedicated box would
need to have all the software installed on it that the servers have.
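The build box / binary client setup described above, as an added example that is not from the original post: Portage configuration fragments for the build box and for a server, the emerge command each side runs, and the check the setup depends on, that every package in a server's world file is also installed (and so built and tested) on the build box. Host names, paths, MAKEOPTS and the package lists are placeholders or constructed sample data. PORTAGE_BINHOST is the classic variable for pointing a client at a binary package host; newer Portage configures the same thing in /etc/portage/binrepos.conf.

```shell
#!/bin/sh
# Added example, not from the original post: the "dedicated build box" layout.
# The build box compiles every package once and keeps a binary package of it
# (Portage FEATURES=buildpkg); the servers only ever install those binaries
# (emerge --usepkgonly). Host names, paths and package lists are placeholders.
set -eu

# Portage configuration for the build box: compile with distcc help and keep
# a binary package of everything it builds. $1 is the directory to write into.
write_buildhost_conf() {
    dir=$1
    cat >"$dir/make.conf" <<'EOF'
# Keep a binary package of every package compiled here, and farm compile
# jobs out to the distcc volunteers listed in /etc/distcc/hosts
FEATURES="buildpkg distcc"
# Total parallelism across the build box and its distcc helpers (placeholder)
MAKEOPTS="-j8"
# Where the binary packages land; this directory is exported over HTTP
PKGDIR="/var/cache/binpkgs"
EOF
    # distcc volunteers (the nameservers etc.), only used in the night window;
    # "/2" limits how many jobs each one accepts. Placeholder host names.
    printf 'localhost/4 ns1.example.internal/2 ns2.example.internal/2\n' \
        >"$dir/distcc-hosts"
}

# Portage configuration for a production server: never compile locally.
write_server_conf() {
    dir=$1
    cat >"$dir/make.conf" <<'EOF'
# Fetch binary packages from the build box instead of compiling
FEATURES="getbinpkg"
PORTAGE_BINHOST="http://buildbox.example.internal/binpkgs"
EOF
}

# What cron runs on the build box at night: rebuild everything it has
# installed, which must be a superset of what the servers have installed.
nightly_build_cmd() {
    printf '%s\n' 'emerge --update --deep --newuse --buildpkg @world'
}

# What a server runs after the nightly build has been tested on the build
# box: --usepkgonly (-K) refuses to fall back to compiling from source.
server_update_cmd() {
    printf '%s\n' 'emerge --update --deep --newuse --getbinpkg --usepkgonly @world'
}

# Every package in a server's world file must also be in the build box's
# world file. $1: server's /var/lib/portage/world, $2: build box's world file.
# Prints the atoms missing on the build box and returns 1 if any are missing.
missing_on_buildhost() {
    missing=$(grep -vxFf "$2" "$1" || true)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample data so the script runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/buildhost" "$tmp/server"
    write_buildhost_conf "$tmp/buildhost"
    write_server_conf "$tmp/server"
    printf 'net-dns/bind\nnet-misc/openssh\napp-admin/syslog-ng\n' >"$tmp/buildhost/world"
    printf 'net-dns/bind\nnet-misc/openssh\nmail-mta/postfix\n' >"$tmp/server/world"
    echo "build box runs nightly:    $(nightly_build_cmd)"
    echo "servers run after testing: $(server_update_cmd)"
    echo "not on the build box yet (add there before the server can update):"
    missing_on_buildhost "$tmp/server/world" "$tmp/buildhost/world" || true
    rm -rf "$tmp"
}

demo
```

The coverage check is the piece worth keeping around: run it against each server's world file before the servers pull the night's packages, and a server can never be handed a binary the build box itself has not been running.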
A setup like this would also allow us to make use of Hardened Gentoo.
Hardened Gentoo has a lot of security tools available to it, including memory
and buffer overrun protections, as well as things like SELinux. SELinux
isn't for everyone. Even without that, the protections provided by the other
tools are excellent. A good many of the remote vulnerabilities we're seeing
fall under the categories of being a buffer overflow, or being a poorly coded
web app. Hardened Gentoo, even without SELinux, can largely take care of the
buffer overflows. Just take care as to what web apps you're running, and
what they have rights to. Or run SELinux, and protect everything :-) But
there's administrative overhead that comes with SELinux deployments. If
you're willing to learn it, and you have the time, it's a useful tool.
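Whether the hardened toolchain actually protected a given binary is something you can check on the server itself. The script below is an added example, not from the original post: it reads the ELF headers with readelf (binutils) and reports the four build-time protections that matter for the buffer-overflow class mentioned above, PIE, a non-executable stack, RELRO and the stack-protector canary hook. Gentoo's own tool for this is scanelf from app-misc/pax-utils; readelf is used here because it is on every Linux box. It assumes a GNU/Linux ELF target and, run without an argument, inspects the system's sh.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a binary carries the
# protections a hardened toolchain is supposed to add. Uses readelf from
# binutils; assumes a GNU/Linux ELF target.
set -eu

# Print pie=, nx=, relro=, canary= for the ELF file in $1.
# Returns 1 if the file cannot be read as ELF.
elf_hardening() {
    f=$1
    hdr=$(readelf -hW "$f" 2>/dev/null) || return 1
    phdr=$(readelf -lW "$f" 2>/dev/null) || return 1
    dyn=$(readelf -dW "$f" 2>/dev/null) || return 1
    syms=$(readelf -sW "$f" 2>/dev/null) || return 1

    # PIE: file type DYN (ET_DYN) instead of EXEC, so ASLR can randomise the
    # load address. A shared library is DYN too, so run this on executables.
    case $hdr in
        *"Type:"*DYN*) pie=yes ;;
        *)             pie=no ;;
    esac

    # NX stack: a PT_GNU_STACK header without the E flag. No PT_GNU_STACK at
    # all means the kernel falls back to an executable stack.
    stack=$(printf '%s\n' "$phdr" | grep GNU_STACK || true)
    case $stack in
        "")    nx=no ;;
        *RWE*) nx=no ;;
        *)     nx=yes ;;
    esac

    # RELRO: PT_GNU_RELRO makes the relocated GOT read-only. With BIND_NOW
    # every symbol is resolved at startup, so the whole GOT is protected.
    relro=no
    if printf '%s\n' "$phdr" | grep -q GNU_RELRO; then
        relro=partial
        if printf '%s\n' "$dyn" | grep -Eq 'BIND_NOW|FLAGS_1.* NOW'; then
            relro=full
        fi
    fi

    # Stack canary: the stack-protector runtime hook is referenced. A program
    # with no frames the compiler chose to protect shows none even when built
    # with -fstack-protector, so "no" on a tiny binary is not proof of a
    # missing flag.
    if printf '%s\n' "$syms" | grep -q __stack_chk_fail; then
        canary=yes
    else
        canary=no
    fi

    printf 'pie=%s\nnx=%s\nrelro=%s\ncanary=%s\n' "$pie" "$nx" "$relro" "$canary"
}

# Stand-alone use: inspect the file named on the command line, default sh.
command -v readelf >/dev/null 2>&1 && elf_hardening "${1:-$(command -v sh)}"
```

Looping this over /usr/bin and /usr/sbin after the servers pull a night's packages is a cheap way to notice a package whose build system quietly dropped the hardened CFLAGS.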
Two things are coming up -- Debian will have a new release out, and we'll
need to upgrade our hardware. As opposed to installing the new Debian on this
hardware, it might work out to begin a migration to what I feel is a more
flexible Gentoo.