[gentoo-user] portage nfs permissions
Hi all, I'm trying to set up the portage directory to be hosted over nfs. Everything is working great but I would like to increase the security a little. I was wondering if there's an easy way to restrict 'emerge --sync' to only work on the server, while still letting all the nfs client machines download sources and emerge packages. I was thinking of doing an 'all_squash' on the server, then changing the /distfiles directory to give group write to the anongid account. I've tried this with no luck. I keep getting an error trying to fetch the package. I'm assuming it has something to do with the lock files that emerge uses to prevent multiple downloads of the same package source. I've tried to google to find a working configuration like this, but so far I've come up empty. Does anyone else have some ideas on how I can get this to work? Thanks, Chris Frederick -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] portage nfs permissions
On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote: Hi all, I'm trying to set up the portage directory to be hosted over nfs. Everything is working great but I would like to increase the security a little. I was wondering if there's an easy way to restrict 'emerge --sync' to only work on the server, while still letting all the nfs client machines download sources and emerge packages. Have clients only mount portage read-only and put distfiles in another fs and make it read-write. Also you should disable locking on distfiles if you use it over NFS: FEATURES=-distlocks. -a -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] portage nfs permissions
On Monday 28 April 2008, Albert Hopkins wrote: On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote: Hi all, I'm trying to set up the portage directory to be hosted over nfs. Everything is working great but I would like to increase the security a little. I was wondering if there's an easy way to restrict 'emerge --sync' to only work on the server, while still letting all the nfs client machines download sources and emerge packages. Have clients only mount portage read-only and put distfiles in another fs and make it read-write. Yes, this should work. I have got just one question: How does disabling emerge --sync from NFS clients improve security? Uwe -- Informal Linux Group Namibia: http://www.linux.org.na/ SysEx (Pty) Ltd.: http://www.SysEx.com.na/ -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] portage nfs permissions
Uwe Thiem wrote: On Monday 28 April 2008, Albert Hopkins wrote: On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote: Hi all, I'm trying to set up the portage directory to be hosted over nfs. Everything is working great but I would like to increase the security a little. I was wondering if there's an easy way to restrict 'emerge --sync' to only work on the server, while still letting all the nfs client machines download sources and emerge packages. Have clients only mount portage read-only and put distfiles in another fs and make it read-write. Yes, this should work. I have got just one question: How does disabling emerge --sync from NFS clients improve security? Uwe I have a number of overlay ebuilds that I need in place that override specific versions of packages, and I don't want various users to 'emerge --sync' too often and break things by installing a non-patched package that has an old overlay. This way I can also keep all the clients at the same revs of everything and avoid various bugs with things like pam/vmware/kernels/graphics drivers/etc... Plus there's the whole bandwidth saving issue. The biggest reason is so someone doesn't get a newer pam_usb or pam_ldap than the overlay versions and then can't login anymore. Chris Frederick -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] portage nfs permissions
Albert Hopkins wrote: On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote: Hi all, I'm trying to set up the portage directory to be hosted over nfs. Everything is working great but I would like to increase the security a little. I was wondering if there's an easy way to restrict 'emerge --sync' to only work on the server, while still letting all the nfs client machines download sources and emerge packages. Have clients only mount portage read-only and put distfiles in another fs and make it read-write. Also you should disable locking on distfiles if you use it over NFS: FEATURES=-distlocks. -a Why would I need to disable locking? Wouldn't that stop multiple users from downloading the same package at the same time and bring up potential race conditions that can break the emerge? Chris Frederick -- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] portage nfs permissions
On Mon, 2008-04-28 at 15:03 -0500, Chris Frederick wrote: Albert Hopkins wrote: On Mon, 2008-04-28 at 12:03 -0500, Chris Frederick wrote: [..] Also you should disable locking on distfiles if you use it over NFS: FEATURES=-distlocks. -a Why would I need to disable locking? Wouldn't that stop multiple users from downloading the same package at the same time and bring up potential race conditions that can break the emerge? In my experience at least this causes emerge to hang on NFS clients for lockfiles that don't even exist on the server. Also see the man page for make.conf. Actually I don't think there will be any race conditions. IIRC portage will check to see if the file already exists in distfiles, if it does it will compare checksums, if it fails then the emerge fails. So worst case scenario is that one or more simultaneous emerges will fail. For my usage, the former is much more likely to happen than the latter (which has yet to happen to me). -- gentoo-user@lists.gentoo.org mailing list