04-28-2008, 05:03 PM
Chris Frederick

portage nfs permissions

Hi all,

I'm trying to set up the portage directory to be hosted over nfs.
Everything is working great but I would like to increase the security a
little. I was wondering if there's an easy way to restrict 'emerge
--sync' to only work on the server, while still letting all the nfs
client machines download sources and emerge packages.


I was thinking of doing an 'all_squash' on the server, then changing the
/distfiles directory to give group write to the anongid account.


I've tried this with no luck. I keep getting an error trying to fetch
the package. I'm assuming it has something to do with the lock files
that emerge uses to prevent multiple downloads of the same package source.


I've tried to google to find a working configuration like this, but so
far I've come up empty. Does anyone else have some ideas on how I can
get this to work?


Thanks,

Chris Frederick
--
gentoo-user@lists.gentoo.org mailing list
 
04-28-2008, 05:09 PM
Albert Hopkins

portage nfs permissions

On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> Hi all,
>
> I'm trying to set up the portage directory to be hosted over nfs.
> Everything is working great but I would like to increase the security a
> little. I was wondering if there's an easy way to restrict 'emerge
> --sync' to only work on the server, while still letting all the nfs
> client machines download sources and emerge packages.

Have clients only mount portage read-only and put distfiles in another
fs and make it read-write.

Also you should disable locking on distfiles if you use it over NFS:
FEATURES=-distlocks.


-a

 
04-28-2008, 07:11 PM
Uwe Thiem

portage nfs permissions

On Monday 28 April 2008, Albert Hopkins wrote:
> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > Hi all,
> >
> > I'm trying to set up the portage directory to be hosted over nfs.
> > Everything is working great but I would like to increase the
> > security a little. I was wondering if there's an easy way to restrict
> > 'emerge --sync' to only work on the server, while still letting
> > all the nfs client machines download sources and emerge packages.
>
> Have clients only mount portage read-only and put distfiles in
> another fs and make it read-write.

Yes, this should work. I have got just one question: How does
disabling "emerge --sync" from NFS clients improve security?

Uwe

--
Informal Linux Group Namibia:
http://www.linux.org.na/
SysEx (Pty) Ltd.:
http://www.SysEx.com.na/
 
04-28-2008, 08:01 PM
Chris Frederick

portage nfs permissions

Uwe Thiem wrote:
> On Monday 28 April 2008, Albert Hopkins wrote:
> > On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > > Hi all,
> > >
> > > I'm trying to set up the portage directory to be hosted over nfs.
> > > Everything is working great but I would like to increase the
> > > security a little. I was wondering if there's an easy way to restrict
> > > 'emerge --sync' to only work on the server, while still letting
> > > all the nfs client machines download sources and emerge packages.
> >
> > Have clients only mount portage read-only and put distfiles in
> > another fs and make it read-write.
>
> Yes, this should work. I have got just one question: How does
> disabling "emerge --sync" from NFS clients improve security?
>
> Uwe

I have a number of overlay ebuilds that I need in place that override
specific versions of packages, and I don't want various users to 'emerge
--sync' too often and break things by installing a non-patched package
that has an old overlay. This way I can also keep all the clients at
the same revs of everything and avoid various bugs with things like
pam/vmware/kernels/graphics drivers/etc... Plus there's the whole
bandwidth saving issue.


The biggest reason is so someone doesn't get a newer pam_usb or pam_ldap
than the overlay versions and then can't login anymore.


Chris Frederick
 
04-28-2008, 08:03 PM
Chris Frederick

portage nfs permissions

Albert Hopkins wrote:
> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > Hi all,
> >
> > I'm trying to set up the portage directory to be hosted over nfs.
> > Everything is working great but I would like to increase the security a
> > little. I was wondering if there's an easy way to restrict 'emerge
> > --sync' to only work on the server, while still letting all the nfs
> > client machines download sources and emerge packages.
>
> Have clients only mount portage read-only and put distfiles in another
> fs and make it read-write.
>
> Also you should disable locking on distfiles if you use it over NFS:
> FEATURES=-distlocks.
>
> -a

Why would I need to disable locking? Wouldn't that stop multiple users
from downloading the same package at the same time and bring up
potential race conditions that can break the emerge?


Chris Frederick
 
04-28-2008, 08:17 PM
Albert Hopkins

portage nfs permissions

On Mon, 2008-04-28 at 15:03 -0500, Chris Frederick wrote:
> Albert Hopkins wrote:
> > On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
[..]
> > Also you should disable locking on distfiles if you use it over NFS:
> > FEATURES=-distlocks.
> >
> >
> > -a
> >
>
> Why would I need to disable locking? Wouldn't that stop multiple users
> from downloading the same package at the same time and bring up
> potential race conditions that can break the emerge?

In my experience at least this causes emerge to hang on NFS clients for
lockfiles that don't even exist on the server. Also see the man page
for make.conf.

Actually I don't think there will be any race conditions. IIRC portage
will check to see if the file already exists in distfiles, if it does it
will compare checksums, if it fails then the emerge fails. So worst
case scenario is that one or more simultaneous emerges will fail.

For my usage, the former is much more likely to happen than the latter
(which has yet to happen to me).


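The layout suggested in the thread (portage tree mounted read-only, distfiles on a separate read-write export, FEATURES=-distlocks) can be checked on each client. The script below is an added example, not code from any poster or from Portage; the mount points /usr/portage and /var/distfiles, the host name nfs1 and the 192.0.2.0/24 network are assumptions.

```shell
#!/bin/sh
# Added example: audit an NFS client against the layout suggested in the thread.
# Assumed, not from the thread: tree at /usr/portage, distfiles at /var/distfiles.
# Matching server /etc/exports (constructed):
#   /usr/portage 192.0.2.0/24(ro)    /var/distfiles 192.0.2.0/24(rw)

# opts_for MOUNTS MOUNTPOINT -> "fstype options" of the last matching mount
opts_for() { awk -v mp="$2" '$2 == mp { r = $3 " " $4 } END { print r }' "$1"; }

# has_opt OPTIONS OPT -> success if OPT is in the comma-separated list
has_opt() { case ",$1," in *",$2,"*) return 0 ;; esac; return 1; }

# audit_portage_nfs MOUNTS MAKE_CONF [TREE] [DISTDIR]
# MOUNTS uses /proc/mounts format. Prints one line per finding, returns 1 if any.
audit_portage_nfs() (
    mounts=$1 conf=$2 tree=${3:-/usr/portage} dist=${4:-/var/distfiles} bad=0
    fail() { echo "FAIL: $*"; bad=1; }

    set -- $(opts_for "$mounts" "$tree")      # $1 = fstype, $2 = options
    case "${1:-}" in
        nfs*) has_opt "${2:-}" ro || fail "$tree is writable: clients can change the shared tree" ;;
        *)    fail "$tree is not an NFS mount" ;;
    esac
    set -- $(opts_for "$mounts" "$dist")
    case "${1:-}" in
        nfs*) has_opt "${2:-}" rw || fail "$dist is read-only: fetches will fail" ;;
        *)    fail "$dist is not an NFS mount" ;;
    esac
    # make.conf is shell-like; this only handles simple one-line assignments.
    awk -F= -v d="$dist" '$1 ~ /^[ \t]*DISTDIR$/ { gsub(/[" \t]/, "", $2); v = $2 }
        END { exit (v != d) }' "$conf" || fail "DISTDIR does not point at $dist"
    grep -Eq '^[[:space:]]*FEATURES=.*-distlocks' "$conf" ||
        fail "FEATURES lacks -distlocks (suggested in the thread for distfiles on NFS)"
    exit "$bad"
)

# Constructed sample inputs: a client mount table and a make.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'nfs1:/usr/portage /usr/portage nfs ro,nosuid,vers=3 0 0' \
        'nfs1:/var/distfiles /var/distfiles nfs rw,nosuid,vers=3 0 0' > "$d/mounts"
    printf '%s\n' 'DISTDIR="/var/distfiles"' 'FEATURES="-distlocks"' > "$d/make.conf"
    audit_portage_nfs "$d/mounts" "$d/make.conf" && echo "OK: layout matches"
    rm -rf "$d"
}
demo
```

On a real client, pass /proc/mounts and /etc/make.conf as the first two arguments.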
 
