Over the last year I have run a server using the Linux flavor Gentoo. While most of the servers I deal with these days run FreeBSD (WireLoad’s servers included), I was curious about what speed I could get out of old hardware with Gentoo. Gentoo is a system built to make it easy to compile every little piece of software in the system with the biggest and baddest gcc flags imaginable for your particular hardware. In theory this should lead to a faster system.
The experience has been a bit of a mixed bag. There are things I really like about Gentoo: the package management, USE flags and the sophisticated dependencies system. But unfortunately the drawbacks are severe for a server setting.
The system is better than most Linux systems I have seen when it comes to general package management and installation. The emerge command is excellent. It makes it easy to update and install software together with the necessary dependencies. A well thought out system called USE flags complement this system well. Rather than having to tinker around with every program you compile, you can set some global USE flags. Most packages will take note and your system will be made into one harmonious whole of software agreeing with each other about what should be used and what should not.
The easiest way to describe the benefits of this is by comparison to a normal FreeBSD server and the installation process. Assume that you don’t have X11 and that you don’t want it. Now, you are installing PHP and you want to have support for graphical operations (image conversion, CAPTCHA generation, etc). So you find the make flags to do this and you add them to your make.conf. You hit ‘make install’. During the build process the ports system goes out to build the dependencies of your graphics library. The graphics library requires fonts. The fonts want a font manager. The font manager is by default configured for X11. Wait, X11? Suddenly, X11 becomes a dependency and you find yourself hitting Ctrl-C rapidly!
In Gentoo on the other hand you would have -x11 in your USE flags and everything would be cool. It’s a slick system.
Gentoo also has an active community. As we have mentioned in this blog before, there is an excellent forum for Gentoo users. There are also little touches like how Gentoo uses colors by default, to improve clarity and to go easier on the eyes.
Disadvantages Expressed in Time
All of these things make it a pleasure to use Gentoo. I would love to use it for a desktop some day, should my Apple OS X machine fail me. But I really don’t see myself using Gentoo in a server setup again. Here’s why:
1. Gentoo is Time Consuming to Install
At least when I installed Gentoo there wasn’t really any installer. The documentation is excellent and describes exactly what you need to do, but it takes a while. In fact, it took me several hours to set up my first Gentoo system. And that was just the beginning.
2. Gentoo is Even More Time Consuming to Install
The strength of Gentoo is the compile everything mentality – at least that seems to be the main selling point. Unfortunately on my low-end test server it took about three days to compile even the base system with Apache, MySQL, Python and some other important software. My machine was working non stop compiling things during this time.
I understand that the latest recommendation is to not perform a so called ‘stage-1′ installation anymore. I would recommend following this suggestion. But then what happens to the compile everything advantage?
3. Gentoo’s Stability Strategy: Update Everything
Since it takes a long time to compile a program, you usually don’t want to have to do it too often. Unfortunately Gentoo encourages you to update software on a frequent basis, just for the sake of updating.
There is no ‘stable’ version of Gentoo. Gentoo is rather a moving target where emerge will forever cause your system to approach the cutting edge. From the Gentoo handbook:
From the beginning, Gentoo was designed around the concept of fast, incremental updates.
If all you’re concerned with is keeping your web server up, what you usually want to do is to set up a stable system and then forget about it. You install security updates as needed but that’s it. With Gentoo, this isn’t really feasible because there is no ‘stable’ Gentoo release.
What’s worse, there will on occasion be a sort of ‘system update’. This is called a new ‘profile’. The Gentoo documentation and the handbook will at this time encourage you to update to this new profile. A profile update will try to replace your basic system. If you are a system administrator, rather than a desktop user, this should be enough to scare the living daylights out of you!
A profile update will touch a very large number of configuration files, and it may even alter your startup process. Obviously this is not something you want to do to any server. It would be very difficult to verify that everything works as it used to afterwards, and you’d be fairly likely to end up with broken configuration files that may stop working the next time you reboot. This is in fact exactly what happened to me, despite a substantial time spent updating /etc files. The end result: the machine had to be resuscitated on-site with associated downtime.
For a more sensitive server than my test system, you’ll want to simply retire the system whenever a new profile comes out. Just start over fresh with a new Gentoo installation on an alternate machine and go through the setup process. This way you can be fairly sure it’ll work even after a reboot. Once you’ve verified that everything works, switch to the new system.
4. Gentoo’s Security Strategy: Update Everything
As you might be aware, FreeBSD has a nice little program called portaudit. This utility will alert you if you have any software installed with known security holes. Then you can go ahead and update that software with a simple ‘portupgrade‘ command. There’s rarely any problem with this process.
Now, Gentoo also has something like portupgrade. What it doesn’t have is portaudit.
In all fairness, Gentoo has an experimental command called ‘glsa-check’. This command automatically examines whether your system is affected by vulnerabilities described in Gentoo issued security advisories. It also knows what steps need to be taken to fix a given security issue. I really like this development, but I understand that this command is not considered production ready. The Gentoo manual page about it is filled with warnings that this is a tool under development.
In the meantime, Gentoo rather encourages you to update the whole system. And of course a system wide update tends to cause just the amount of havoc you would expect from it.
Gentoo too Time Consuming and too Risky for Servers
I firmly believe in updating server software only when you need to. If you don’t need new features, and things are working, why change anything? If you update anything you will doubtlessly need to update configuration files. You will need to fix things that break in the upgrade process. This is exactly what happened to me with Gentoo during its test year. I had nearly no idea of what I was updating as I ran the dreaded but most needed “emerge world” update. And once I was done I still no idea. I spent a long time working my way through updates in the /etc folder, using the built in ‘etc-update’ command. I tried to read the enormous emerge log file and take appropriate actions. And still things broke.
The best way to keep a system stable is to get it working and then not changing anything. This is hard with Gentoo. Gentoo wants you to change a lot of stuff. It wants to be bleeding edge.
And hence my conclusion. Gentoo is fun to play with, but oh is it time consuming. I guess that’s the cost of living with a hardcore compile everything attitude – you’ll be on the bleeding edge and you better make sure you can balance on such a thin edge. For a desktop system, Gentoo seems fabulous. Fun to work with, colorful, a beautiful ports like system for software. USE flags.
But for a server, especially a production server, Gentoo just isn’t time effective. It’s both the time it takes to put in security updates, and the time possible reinstalls will take. I believe there were three profile updates for Gentoo in 2006, and very little support for older profiles. If you’re like me you’d probably much rather not reinstall your servers three times a year!
In closing I want to quote something Gentoo told me recently:
* An update to portage is available. It is _highly_ recommended
* that you update portage now, before any other packages are updated.
* Please run ‘emerge portage’ and then update ALL of your
* configuration files.
Call me stressed out but I really can’t fit too many ‘update ALL of your configuration files’ into my schedule. :)Author: Alexander Ljungberg Tags: Linux, open source