I'm trying to set up the portage directory to be hosted over nfs.
Everything is working great but I would like to increase the security a
little. I was wondering if there's an easy way to restrict 'emerge
--sync' to only work on the server, while still letting all the nfs
client machines download sources and emerge packages.
I was thinking of doing an 'all_squash' on the server, then changing the
/distfiles directory to give group write to the anongid account.
I've tried this with no luck. I keep getting an error trying to fetch
the package. I'm assuming it has something to do with the lock files
that emerge uses to prevent multiple downloads of the same package source.
I've tried to google to find a working configuration like this, but so
far I've come up empty. Does anyone else have some ideas on how I can
get this to work?
Thanks,
Chris Frederick
--
gentoo-user@lists.gentoo.org mailing list
04-28-2008, 05:09 PM
Albert Hopkins
portage nfs permissions
On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> Hi all,
>
> I'm trying to set up the portage directory to be hosted over nfs.
> Everything is working great but I would like to increase the security
> a
> little. I was wondering if there's an easy way to restrict 'emerge
> --sync' to only work on the server, while still letting all the nfs
> client machines download sources and emerge packages.
Have clients only mount portage read-only and put distfiles in another
fs and make it read-write.
Also you should disable locking on distfiles if you use it over NFS:
FEATURES=-distlocks.
-a
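Albert's layout above, written out as an added client-side check (not code from the thread or from portage): it reads a /proc/mounts-style table and make.conf text and fails unless the portage tree is mounted read-only, DISTDIR is a separate read-write mount, and distlocks is disabled. The paths /usr/portage and /var/distfiles, the exports lines, the client subnet and the sample mount table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a client-side sanity check for the
# layout Albert suggests. Assumed server-side /etc/exports, with a
# placeholder client subnet:
#   /usr/portage    192.0.2.0/24(ro,root_squash,sync)
#   /var/distfiles  192.0.2.0/24(rw,root_squash,sync)
# and on the client, /etc/make.conf:
#   DISTDIR="/var/distfiles"
#   FEATURES="-distlocks"

# mount_opts <mountpoint> <mounts-text>: print the option field (as in
# /proc/mounts: device mountpoint fstype options dump pass) for mountpoint
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4 }'
}

# has_opt <opts> <opt>: succeed if the comma-separated list contains opt
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_layout <mounts-text> <make.conf-text>: succeed only when the tree
# is mounted read-only, DISTDIR is mounted read-write and distlocks is off
check_layout() {
    tree_opts=$(mount_opts /usr/portage "$1")
    dist_opts=$(mount_opts /var/distfiles "$1")
    [ -n "$tree_opts" ] && has_opt "$tree_opts" ro || return 1
    [ -n "$dist_opts" ] && has_opt "$dist_opts" rw || return 1
    printf '%s\n' "$2" | grep -q '^DISTDIR="/var/distfiles"' || return 1
    printf '%s\n' "$2" | grep -q '^FEATURES=.*-distlocks' || return 1
}

# Constructed sample inputs standing in for /proc/mounts and make.conf.
GOOD_MOUNTS='nfs-server:/usr/portage /usr/portage nfs ro,nosuid,vers=3,addr=192.0.2.1 0 0
nfs-server:/var/distfiles /var/distfiles nfs rw,nosuid,vers=3,addr=192.0.2.1 0 0'
# Weak layout: the whole tree, distfiles included, mounted read-write.
BAD_MOUNTS='nfs-server:/usr/portage /usr/portage nfs rw,nosuid,vers=3,addr=192.0.2.1 0 0'
GOOD_CONF='DISTDIR="/var/distfiles"
FEATURES="-distlocks"'

if check_layout "$GOOD_MOUNTS" "$GOOD_CONF"; then echo "layout ok"; fi
check_layout "$BAD_MOUNTS" "$GOOD_CONF" || echo "tree is not read-only"
```

On a real client, pass `"$(cat /proc/mounts)"` and `"$(cat /etc/make.conf)"`; note the grep only sees make.conf, so `emerge --info` remains the authoritative view of the effective FEATURES.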
04-28-2008, 07:11 PM
Uwe Thiem
portage nfs permissions
On Monday 28 April 2008, Albert Hopkins wrote:
> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > Hi all,
> >
> > I'm trying to set up the portage directory to be hosted over nfs.
> > Everything is working great but I would like to increase the
> > security a
> > little. I was wondering if there's an easy way to restrict
> > 'emerge --sync' to only work on the server, while still letting
> > all the nfs client machines download sources and emerge packages.
>
> Have clients only mount portage read-only and put distfiles in
> another fs and make it read-write.
Yes, this should work. I have got just one question: How does
disabling "emerge --sync" from NFS clients improve security?
Uwe
--
Informal Linux Group Namibia:
http://www.linux.org.na/
SysEx (Pty) Ltd.:
http://www.SysEx.com.na/
04-28-2008, 08:01 PM
Chris Frederick
portage nfs permissions
Uwe Thiem wrote:
> On Monday 28 April 2008, Albert Hopkins wrote:
> > On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > > Hi all,
> > >
> > > I'm trying to set up the portage directory to be hosted over nfs.
> > > Everything is working great but I would like to increase the
> > > security a
> > > little. I was wondering if there's an easy way to restrict
> > > 'emerge --sync' to only work on the server, while still letting
> > > all the nfs client machines download sources and emerge packages.
> >
> > Have clients only mount portage read-only and put distfiles in
> > another fs and make it read-write.
>
> Yes, this should work. I have got just one question: How does
> disabling "emerge --sync" from NFS clients improve security?
>
> Uwe
I have a number of overlay ebuilds that I need in place that override
specific versions of packages, and I don't want various users to 'emerge
--sync' too often and break things by installing a non-patched package
that has an old overlay. This way I can also keep all the clients at
the same revs of everything and avoid various bugs with things like
pam/vmware/kernels/graphics drivers/etc... Plus there's the whole
bandwidth saving issue.
The biggest reason is so someone doesn't get a newer pam_usb or pam_ldap
than the overlay versions and then can't login anymore.
Chris Frederick
04-28-2008, 08:03 PM
Chris Frederick
portage nfs permissions
Albert Hopkins wrote:
> On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
> > Hi all,
> >
> > I'm trying to set up the portage directory to be hosted over nfs.
> > Everything is working great but I would like to increase the security
> > a
> > little. I was wondering if there's an easy way to restrict 'emerge
> > --sync' to only work on the server, while still letting all the nfs
> > client machines download sources and emerge packages.
>
> Have clients only mount portage read-only and put distfiles in another
> fs and make it read-write.
>
> Also you should disable locking on distfiles if you use it over NFS:
> FEATURES=-distlocks.
>
> -a
Why would I need to disable locking? Wouldn't that stop multiple users
from downloading the same package at the same time and bring up
potential race conditions that can break the emerge?
Chris Frederick
04-28-2008, 08:17 PM
Albert Hopkins
portage nfs permissions
On Mon, 2008-04-28 at 15:03 -0500, Chris Frederick wrote:
> Albert Hopkins wrote:
> > On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote:
[..]
> > Also you should disable locking on distfiles if you use it over NFS:
> > FEATURES=-distlocks.
> >
> >
> > -a
> >
>
> Why would I need to disable locking? Wouldn't that stop multiple users
> from downloading the same package at the same time and bring up
> potential race conditions that can break the emerge?
In my experience at least this causes emerge to hang on NFS clients for
lockfiles that don't even exist on the server. Also see the man page
for make.conf.
Actually I don't think there will be any race conditions. IIRC portage
will check to see if the file already exists in distfiles, if it does it
will compare checksums, if it fails then the emerge fails. So worst
case scenario is that one or more simultaneous emerges will fail.
For my usage, the former is much more likely to happen than the latter
(which has yet to happen to me).