On Saturday 04 February 2006 08:09, you wrote: > if you have 10 web servers, then they all use the same 'build profile' or > whatever y ou called them, that's fantastic. However... what if on 2 of > them, we want apache 'threads' enabled, and on 4 of them we want hardened > PHP patches, but we don't want it on all of them due to some issue with > the patch (this is all hypotetical). Lets also pretend that these 2 > exceptions overlap, 1 threaded server, 1 threaded with hardened php, 3 > hardened php, and 5 'standard' web servers. > > This means there's now 4 profiles, and 4 lots of build profiles to > maintain, 99% of the packages in these build profiles will use identical > use flags, only apache and php will be different - your system doens't > allow for these exceptions very nearly, which is my biggest concern.
I do have a few of these situations, I just create a different build host for them. I developed this environment at home, where I have one really nice P4 3GHz with lots of memory (my myth box). I got sick of rebuilding by laptop and the wife's workstation over and over every time a toolchain or kde update happened. So now I do all of my builds on the fast machine. Each one has its own chroot and originally started at stage1. I have my laptop snapshot set to portage-latest, so I can update it daily if I desire.. With servers, the size of the build does not turn out to be too bad since all of the crap that is not needed for servers is not built in. I have a couple of situations like you describe, for example one set of web servers needs pam, the other does not, one set needs ssl, the other does not (behind a load balancer that offloads ssl). > I do entirly agree that standardisation is the way to go , but I want to > be able to neatly handle the exceptions - because unfortunatly, they will > happen. Actually, I went this way because it is more often that not quicker to completely rebuild from a stage1 and install from the resulting binary packages than to risk going through updates. Particularly if you don't update more often than once a week or so. By limiting what goes into the server builds (getting rid of the extranneous crap), the servers rarely need upgrading. Either way, I have to know a complete build (particular snapshot date) will work flawlessly _before_ I put it out on production servers. If you are interested, I will post my build scripts. They were not created for public consumption, so they are not perfect, but they do work... Any feedback/improvements would certainly be appreciated :)
pgpVVDu0Ssrsy.pgp
Description: PGP signature
