Old 10-29-2010, 04:11 PM
Alec Warner
 
Changes in server profiles

On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoarang@gentoo.org> wrote:
> On Fri, Oct 29, 2010 at 12:02:20PM +0000, Jorge Manuel B. S. Vicetto wrote:
>>
>> Hi.
>>
>> On 29-10-2010 11:03, Markos Chandras wrote:
>> > Hi
>> >
>> > I don't know how many of you are using these profiles. I would like to
>> > propose a couple of changes
>> >
>> > 1) I want to drop the warning message located on profile.bashrc files
>> > e.g $PORTDIR/default/linux/amd64/10.0/server/profile.bashrc
>> > It is more than obvious what this profile is for so I don't think this
>> > message makes any sense.
>>
>> I've always taken the message about the server profiles not being
>> properly tested as a warning that anyone wanting to run a "secure"
>> server profile should use one of the hardened profiles.
> But isn't that obvious? How are server profiles related to hardened
> anyway? Anyway, this can stay. The rest about GCC and Glibc I think is
> useless

I think there are two nagging things that this thread raises.

Jorge's comment leads me to:

'Anyone wanting to run a secure server profile should use hardened'
tends to imply that the server profile is insecure which is probably
not what you intend to convey to users. Hardened is likely more
secure (which is all we can really say authoritatively...) I don't
think saying that *somewhere* is a bad idea. The profile.bashrc is
likely not the best place however.

>> If so, I'd leave that warning alone until we get enough people working
>> on the server profiles so we can make any promises about it.
> How many? Work on what actually? It is just a profile with minimal use
> flags. There is nothing to work on :-/ I don't understand that. Tell me
> which areas of server profile need more attention so I can understand
> what are you talking about

If it is a profile with minimal use flags why not call it minimal?

>>
>> > 2) Furthermore I would like to drop the following use flags from default
>> > IUSE
>> >
>> > -apache2
>> > -ldap
>> >
>> > A minimal server installation requires neither apache2 nor ldap
>>
>> Although one can install a server without apache or ldap, I'd say the
>> server profile seems the natural choice to have them enabled.
> So you assume that the most common server configuration is for active
> directory or web hosting

I think the values are there as a CYA thing to replace auto-use. I
think when someone installs LDAP they generally want the ldap use flag
(so optional LDAP support is compiled into apps). The same thing is
true of apache. Now sadly I removed support for auto-use around 2006
because it was a giant mess, so instead we have default profile use
flags.

>> If we had the statistics for it, we could check how many people have
>> apache installed with that profile vs not having it. As there's nothing
>> preventing one from having USE="-apache2 -ldap" when required and I
>> don't use the server profiles, I don't really have a strong opinion
>> about this.
> Same for USE="apache2 ldap" on make.conf. That is not a valid argument
>

1) I don't believe anyone has any clear data on what flags are enabled
or disabled by users.
2) Each of us uses the server profile differently.
3) Each of us has a different idea of what is involved with running a server.

It is difficult to take the argument in any strong direction due to
these types of problems (it is an obvious bikeshed..)

I will instead try a different tack. I think it is advantageous to
reduce the number of default flags. There is a question of what will
break though; so that is the question I pose to you.

Can I install a machine with the server profile and USE=-ldap, but
still get ldap + pam working?
Can I install a machine with the server profile and USE=-apache, but
still get apache + php working? apache + rails?
How many packages support each USE flag?
How many of those packages have IUSE defaults for +ldap or +apache already?

-A

>>
>> - --
>> Regards,
>>
>> Jorge Vicetto (jmbsvicetto) - jmbsvicetto at gentoo dot org
>> Gentoo- forums / Userrel / Devrel / KDE / Elections / RelEng
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.16 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>>
>
> --
> Markos Chandras (hwoarang)
> Gentoo Linux Developer
> Web: http://hwoarang.silverarrow.org
> Key ID: 441AC410
> Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
>
 
Old 10-29-2010, 04:29 PM
Markos Chandras
 
Changes in server profiles

On Fri, Oct 29, 2010 at 09:11:33AM -0700, Alec Warner wrote:
> 'Anyone wanting to run a secure server profile should use hardened'
> tends to imply that the server profile is insecure which is probably
> not what you intend to convey to users. Hardened is likely more
> secure (which is all we can really say authoritatively...) I don't
> think saying that *somewhere* is a bad idea. The profile.bashrc is
> likely not the best place however.
I understand your concern and why someone might get confused about the
server/hardened thingie, however I think that polluting this profile
in this way is not acceptable.
Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
At least this part has to be removed/changed
>
> >> If so, I'd leave that warning alone until we get enough people working
> >> on the server profiles so we can make any promises about it.
> > How many? Work on what actually? It is just a profile with minimal use
> > flags. There is nothing to work on :-/ I don't understand that. Tell me
> > which areas of server profile need more attention so I can understand
> > what are you talking about
>
> If it is a profile with minimal use flags why not call it minimal?
Cause 'server' is minimal by default.
>
> >>
> >> If we had the statistics for it, we could check how many people have
> >> apache installed with that profile vs not having it. As there's nothing
> >> preventing one from having USE="-apache2 -ldap" when required and I
> >> don't use the server profiles, I don't really have a strong opinion
> >> about this.
> > Same for USE="apache2 ldap" on make.conf. That is not a valid argument
> >
>
> 1) I don't believe anyone has any clear data on what flags are enabled
> or disabled by users.
> 2) Each of us uses the server profile differently.
> 3) Each of us has a different idea of what is involved with running a server.
>
> It is difficult to take the argument in any strong direction due to
> these types of problems (it is an obvious bikeshed..)
>
> I will instead try a different tack. I think it is advantageous to
> reduce the number of default flags. There is a question of what will
> break though; so that is the question I pose to you.
>
> Can I install a machine with the server profile and USE=-ldap, but
> still get ldap + pam working?
> Can I install a machine with the server profile and USE=-apache, but
> still get apache + php working? apache + rails?
> How many packages support each USE flag?
> How many of those packages have IUSE defaults for +ldap or +apache already?
First of all, relying on specific package use flag choices is wrong by
default. What if these packages change their default use flags some day?
Are you sure you want to engineer your profiles' behavior based on
specific packages?
Using these flags by default you imply that the server profile is
optimised for web hosting/active directory usage. So why don't you add
ipv6, snmp, vhosts by default too, to include all those firewall/router
hosts running Gentoo? The server profile *imho* should have
as few as possible USE flags. Users who use this profile should be well
educated on how to add more USE flags if needed.

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
 
Old 10-29-2010, 05:09 PM
"Paweł Hajdan, Jr."
 
Changes in server profiles

On 10/29/10 6:29 PM, Markos Chandras wrote:
> Furthermore the message about glibc-2.4 and gcc-4.1 looks rather obsolete.
> At least this part has to be removed/changed

Fine for me.
 
Old 10-30-2010, 01:37 AM
Donnie Berkholz
 
Changes in server profiles

On 15:46 Fri 29 Oct , Thomas Sachau wrote:
> Which raises the question, if those people, who want to install a
> minimal server will mostly use apache or something different. And
> especially for minimal setups, I don't think that apache will be the
> first choice, so I agree with the removal of those USE flags from
> default IUSE. The profile is intended to have a minimal set of flags,
> I would call apache an additional optional flag, not a default option
> for minimal server setups.

I'm not sure when this transition happened, as profile USE flags have
traditionally been a reasonable default set rather than a minimal set.
This gives people who don't have much experience with Gentoo a decent
chance at getting a working system on their first try. For people who
have more experience, it's not exactly difficult to change things.

--
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.wordpress.com
 
Old 10-30-2010, 06:05 AM
Peter Volkov
 
Changes in server profiles

On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
> On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoarang@gentoo.org> wrote:
> Can I install a machine with the server profile and USE=-ldap, but
> still get ldap + pam working?
> Can I install a machine with the server profile and USE=-apache, but
> still get apache + php working? apache + rails?
> How many packages support each USE flag?
> How many of those packages have IUSE defaults for +ldap or +apache already?

Having lxc/openvz/vserver technologies at hand it's not rare to split
LAMP server into a number of virtual servers (containers): mysql /
backend with php / frontend / smtp - everything sits in its own
container. And USE=apache will be used only in _one_ container. Also not
all servers are web servers. So IMO server profile should be just
minimal profile that hints users that this profile will stay minimal and
usable for all kinds of servers. That said I think server profile is
useless and for servers I maintain my own profiles.

--
Peter.
 
Old 10-30-2010, 09:09 AM
Markos Chandras
 
Changes in server profiles

On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
> On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
> > On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoarang@gentoo.org> wrote:
> > Can I install a machine with the server profile and USE=-ldap, but
> > still get ldap + pam working?
> > Can I install a machine with the server profile and USE=-apache, but
> > still get apache + php working? apache + rails?
> > How many packages support each USE flag?
> > How many of those packages have IUSE defaults for +ldap or +apache already?
>
> Having lxc/openvz/vserver technologies at hand it's not rare to split
> LAMP server into a number of virtual servers (containers): mysql /
> backend with php / frontend / smtp - everything sits in its own
> container. And USE=apache will be used only in _one_ container. Also not
> all servers are web servers. So IMO server profile should be just
> minimal profile that hints users that this profile will stay minimal and
> usable for all kinds of servers. That said I think server profile is
> useless and for servers I maintain my own profiles.
>
> --
> Peter.
>
>
Exactly! How about the warning message. Should the statement about
gcc+glibc be removed and keep the one about hardened but make it a bit
different? Like "This profile is making use of a minimal set of use flags.
You may find it useful in a server environment. However, if you are seeking
extra security, please check the Hardened project
(http://hardened.gentoo.org)."

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
 
Old 10-30-2010, 10:14 AM
Richard Freeman
 
Changes in server profiles

On 10/30/2010 05:09 AM, Markos Chandras wrote:
> On Sat, Oct 30, 2010 at 10:05:17AM +0400, Peter Volkov wrote:
>> On Fri, 29/10/2010 at 09:11 -0700, Alec Warner wrote:
>>> On Fri, Oct 29, 2010 at 5:21 AM, Markos Chandras <hwoarang@gentoo.org> wrote:
>>> Can I install a machine with the server profile and USE=-ldap, but
>>> still get ldap + pam working?
>>> Can I install a machine with the server profile and USE=-apache, but
>>> still get apache + php working? apache + rails?
>>> How many packages support each USE flag?
>>> How many of those packages have IUSE defaults for +ldap or +apache already?
>>
>> Having lxc/openvz/vserver technologies at hand it's not rare to split
>> LAMP server into a number of virtual servers (containers): mysql /
>> backend with php / frontend / smtp - everything sits in its own
>> container. And USE=apache will be used only in _one_ container. Also not
>> all servers are web servers. So IMO server profile should be just
>> minimal profile that hints users that this profile will stay minimal and
>> usable for all kinds of servers. That said I think server profile is
>> useless and for servers I maintain my own profiles.
>>
>> --
>> Peter.
>>
>>
> Exactly! How about the warning message. Should the statement about
> gcc+glibc be removed and keep the one about hardened but make it a bit
> different? Like "This profile is making use of a minimal set of use flags.
> You may find it useful in a server environment. However, if you are seeking
> extra security, please check the Hardened project
> (http://hardened.gentoo.org)."
>

What exactly is the intended use of the server flag?

When I want a minimal image, I usually just use the default profile.
That is pretty-much a bare-bones gentoo install. I can see the use of
desktop, and I can see the use of hardened. Right now server just looks
like default with random stuff for various kinds of servers added.

I could see if server had a different set of keywords and QA policy
(like debian stable), or if there were a set of use flags that would be
universally useful on a server and not on a desktop.

Right now it just seems like the server profile exists since lots of
other distros have server editions, so we should too. If that is the
case, why not just point users to the default profile, or hardened?

I'd be curious what the users of the server profile say. If anything
they are the ones we should be listening to since they've found a use
for it.

Rich
 
Old 10-30-2010, 12:10 PM
Thomas Sachau
 
Changes in server profiles

Am 30.10.2010 03:37, schrieb Donnie Berkholz:
> On 15:46 Fri 29 Oct , Thomas Sachau wrote:
>> Which raises the question, if those people, who want to install a
>> minimal server will mostly use apache or something different. And
>> especially for minimal setups, I don't think that apache will be the
>> first choice, so I agree with the removal of those USE flags from
>> default IUSE. The profile is intended to have a minimal set of flags,
>> I would call apache an additional optional flag, not a default option
>> for minimal server setups.
>
> I'm not sure when this transition happened, as profile USE flags have
> traditionally been a reasonable default set rather than a minimal set.
> This gives people who don't have much experience with Gentoo a decent
> chance at getting a working system on their first try. For people who
> have more experience, it's not exactly difficult to change things.
>

If I remember it right, the server profile was created for those people, who only want a minimum
amount of default profile enabled USE flags (so no desktop profile because of that), but on the
other side don't want to do the additional work/checks/reading for hardened profiles (which have much
less profile enabled USE flags, but also have the special gcc, glibc and Kernel), basically a profile,
which does the same as hardened profile without the specific hardened bits.


--
Thomas Sachau

Gentoo Linux Developer
 
Old 10-31-2010, 02:59 AM
Richard Freeman
 
Changes in server profiles

On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> If I remember it right, the server profile was created for those people, who only want a minimum
> amount of default profile enabled USE flags (so no desktop profile because of that), but on the
> other side don't want to do the additional work/checks/reading for hardened profiles (which have much
> less profile enabled USE flags, but also have the special gcc, glibc and Kernel), basically a profile,
> which does the same as hardened profile without the specific hardened bits.
>
>

Isn't this essentially what the default profile is? Basically server is
just default + USE="apache2 ldap mysql snmp truetype xml".

Hmm, which of those flags is not like the others? Maybe it is needed
for a use-dependency/etc.

It seems like a not-quite-minimal and definitely not all-in-one set of
features. I could see if this were some kind of run-your-whole-network
appliance that threw in everything from DNS to mail to asterisk, and
with a canned set of integrated configuration files for turnkey
operation. I could see if we just stuck with the minimal default
profile. I just don't get having a LAMP box without the P, but with
ldap and snmp - oh, and truetype...

Rich
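Alec's questions earlier in the thread (can a box on the server profile set USE=-ldap or USE=-apache2 in make.conf and still get what it needs, and how many ebuilds already carry +ldap or +apache2 in their own IUSE) and Rich's summary of server as "default + USE=apache2 ldap mysql snmp truetype xml" are both things that can be checked mechanically rather than argued. The following is an added example, not code from the thread and not Portage's own implementation: it re-implements Portage's incremental USE stacking over a profile's parent chain (each layer adds flags, -flag removes one, -* discards everything set so far, and make.conf is applied last), builds a constructed three-level profile tree that mirrors Rich's description, and counts IUSE defaults across constructed IUSE strings. The profile names, the base/default USE values and the sample IUSE lines are assumptions made for the demonstration; on a real Gentoo box the resolved set is what `emerge --info | grep ^USE=` (or `portageq envvar USE`) prints.

```python
import os
import tempfile
from collections import Counter

# Added example, not from the thread or from Portage. A minimal re-implementation
# of Portage's incremental USE stacking over a profile's parent chain, plus a
# counter for the IUSE-defaults question. The demo tree and IUSE strings below
# are constructed for illustration, not copied from the Gentoo tree.


def stack_use(layers):
    """Incremental USE semantics, least to most specific layer.
    'foo' enables, '-foo' disables, '-*' discards everything set so far."""
    enabled = set()
    for layer in layers:
        for tok in layer.split():
            if tok == "-*":
                enabled.clear()
            elif tok.startswith("-"):
                enabled.discard(tok[1:])
            else:
                enabled.add(tok)
    return enabled


def read_use(make_defaults):
    """USE= value from a make.defaults file (assumes a single-line USE="..." entry)."""
    use = ""
    if os.path.isfile(make_defaults):
        with open(make_defaults) as fh:
            for line in fh:
                line = line.strip()
                if line.startswith("USE="):
                    use = line[len("USE="):].strip().strip('"')
    return use


def profile_chain(profile):
    """Directories to stack, root-first: every entry in 'parent' is expanded
    depth-first before the profile itself, which is the order Portage uses."""
    chain = []
    parent_file = os.path.join(profile, "parent")
    if os.path.isfile(parent_file):
        with open(parent_file) as fh:
            for rel in fh:
                rel = rel.strip()
                if rel and not rel.startswith("#"):
                    chain.extend(profile_chain(os.path.normpath(os.path.join(profile, rel))))
    chain.append(profile)
    return chain


def effective_use(profile, make_conf_use=""):
    """USE a box ends up with: the profile chain, then the admin's make.conf last."""
    layers = [read_use(os.path.join(d, "make.defaults")) for d in profile_chain(profile)]
    layers.append(make_conf_use)
    return stack_use(layers)


def iuse_defaults(iuse_strings, flags):
    """Per flag: how many ebuilds list it in IUSE, and how many of those
    already default it on with a '+flag' IUSE entry."""
    out = {f: Counter() for f in flags}
    for iuse in iuse_strings:
        toks = set(iuse.split())
        for f in flags:
            if f in toks or "+" + f in toks:
                out[f]["supports"] += 1
            if "+" + f in toks:
                out[f]["defaults_on"] += 1
    return out


def build_demo_tree(root):
    """Constructed tree mirroring the thread: base -> default/linux ->
    default/linux/server, where server is default plus six extra flags."""
    tree = {
        "base": (None, 'USE="pam ssl"'),
        "default/linux": ("../../base", 'USE="acl"'),
        "default/linux/server": ("..", 'USE="apache2 ldap mysql snmp truetype xml"'),
    }
    for rel, (parent, use_line) in tree.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "make.defaults"), "w") as fh:
            fh.write(use_line + "\n")
        if parent:
            with open(os.path.join(d, "parent"), "w") as fh:
                fh.write(parent + "\n")
    return os.path.join(root, "default/linux/server")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        server = build_demo_tree(root)
        print("server profile:", sorted(effective_use(server)))
        print('server + make.conf USE="-apache2 -ldap":',
              sorted(effective_use(server, "-apache2 -ldap")))
        print("default profile:", sorted(effective_use(os.path.dirname(server))))
    # Constructed IUSE strings standing in for a tree scan (grep '^IUSE=' over ebuilds).
    sample = ["ldap pam", "+ldap ssl", "apache2 +ldap", "+apache2 php", "snmp"]
    print(iuse_defaults(sample, ["ldap", "apache2"]))
```

The point of making the stacking explicit is the one the thread circles around: a flag the profile enables by default (ldap, snmp) is linked into every package that honours it, whether or not the box runs a directory or an SNMP agent, and that is attack surface the admin did not choose. Because make.conf is the last layer, USE="-apache2 -ldap" there does strip the profile's defaults again, so both sides of the argument are correct that the override works in either direction; the difference is only which default a box gets when nobody looks.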
 
Old 10-31-2010, 10:50 AM
Markos Chandras
 
Changes in server profiles

On Sat, Oct 30, 2010 at 10:59:08PM -0400, Richard Freeman wrote:
> On 10/30/2010 08:10 AM, Thomas Sachau wrote:
> > If I remember it right, the server profile was created for those people, who only want a minimum
> > amount of default profile enabled USE flags (so no desktop profile because of that), but on the
> > other side don't want to do the additional work/checks/reading for hardened profiles (which have much
> > less profile enabled USE flags, but also have the special gcc, glibc and Kernel), basically a profile,
> > which does the same as hardened profile without the specific hardened bits.
> >
> >
>
> Isn't this essentially what the default profile is? Basically server is
> just default + USE="apache2 ldap mysql snmp truetype xml".
Well it shouldn't be like that. And if the default profile is pretty
much the same as the server one, then please consider removing the
server profile as it makes no sense then
>

--
Markos Chandras (hwoarang)
Gentoo Linux Developer
Web: http://hwoarang.silverarrow.org
Key ID: 441AC410
Key FP: AAD0 8591 E3CD 445D 6411 3477 F7F7 1E8E 441A C410
 
