On Sat, 2005-09-10 at 14:29 -0500, John Jolet wrote:
> We're in the process of transitioning from 32-bit Redhat (7 I think) web/app
> servers to 64-bit gentoo web/app servers. One concern I've got is from a
> security standpoint, normally you don't deploy webservers with development
> tools on them. How do you guys handle this question with internet-facing
> production servers?
>
> One thought I had was to set up a build server, build the binaries on this
> server, and do an emerge of the binaries FROM this server to the production
> servers, with gcc and such removed from them. Will this work?
Yes.

From emerge(1):

    --buildpkg (-b)
        Tells emerge to build binary packages for all ebuilds processed
        in addition to actually merging the packages. Useful for
        maintainers or if you administrate multiple Gentoo Linux systems
        (build once, emerge tbz2s everywhere). The package will be
        created in the ${PKGDIR}/All directory. An alternative for
        already-merged packages is to use quickpkg which creates a tbz2
        from the live filesystem.

I would recommend building packages on a build server with --buildpkg,
installing them on a testing server, and once tested re-packaging them
with quickpkg on the testing server to install on the production
servers. (The advantage of quickpkg is it picks up changes to
configuration files.) Of course, you could combine the build and testing
servers onto one machine.
HTH.
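
An added example, not part of the original message or of Portage: a hash manifest written on the testing server after quickpkg and checked on the compiler-less production server before `emerge --usepkgonly`, so only the tested tbz2 files get installed. The function names and the `SHA256SUMS` file name are hypothetical, and it assumes the manifest reaches production over a channel you trust (or is signed separately).

```shell
#!/bin/sh
# Added example: integrity manifest for binary packages moved between hosts.
# MANIFEST and the function names are hypothetical, not part of Portage.
MANIFEST=SHA256SUMS

# Testing server, after `quickpkg <atom>`: hash every tbz2 under PKGDIR.
make_manifest() {
    pkgdir=$1
    ( cd "$pkgdir" || exit 1
      find . -type f -name '*.tbz2' -exec sha256sum {} + | sort -k2 > "$MANIFEST" )
}

# Production server: fail on a changed, missing or unlisted package.
verify_manifest() {
    pkgdir=$1
    ( cd "$pkgdir" || exit 1
      [ -s "$MANIFEST" ] || { echo "no manifest in $pkgdir" >&2; exit 1; }
      # Changed or missing files make sha256sum -c return non-zero.
      sha256sum -c "$MANIFEST" >/dev/null || exit 1
      # A tbz2 that is not listed did not come from the testing server.
      find . -type f -name '*.tbz2' | while read -r f; do
          grep -qF "  $f" "$MANIFEST" || { echo "unlisted: $f" >&2; exit 1; }
      done )
}

# Production server: install from binary packages only, and only after
# the manifest check passes. --usepkgonly never falls back to compiling.
install_verified() {
    pkgdir=$1; shift
    verify_manifest "$pkgdir" && PKGDIR="$pkgdir" emerge --usepkgonly "$@"
}
```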