
List:       gentoo-hardened
Subject:    Re: [gentoo-hardened] State of Hardened + AMD64?
From:       "Matthew Summers" <msummers42 () gmail ! com>
Date:       2008-02-21 16:04:57
Message-ID: c8b556060802210804j71ae5eafq15e6c13645f24a5a () mail ! gmail ! com

On Thu, Feb 21, 2008 at 8:21 AM, Kerin Millar <kerframil@gmail.com> wrote:

> On 21/02/2008, Calum <caluml@gmail.com> wrote:
>
> [snip]
>
> > Yes, that's what I did. There is a hardened/amd64/ and a
> >  hardened/amd64/multilib/ profile. Does that mean then, that if I use
> >  the multilib amd64 profile, I should have less problems?
>
> Yes.
>
> >  >  Regardless of whether that was the case or not, I wouldn't personally
> >  >  recommend migrating systems in this manner in-situ as it is a complex
> >  >  procedure at the best of times. I'd suggest to use a recent stage
> >  >  tarball (see the topic in the #gentoo-hardened channel), roll a new
> >  >  chroot and use that as a basis for preparing your new base system.
> >
> >
> > No, it's not something I'd normally want to do, given the choice. But
> >  life is never perfect, is it? :)
> >  It's a box that's up and running, and I wanted to migrate it with
> >  minimal downtime.
>
> Preparing a chroot need not entail any downtime. You could use the
> quickpkg tool to generate binary packages from within the chroot then
> consume those packages on your live system. There are still many
> factors to consider but it's a lot more reliable than a "direct"
> migration.
>
> >
> >  Other than that, though - is the AMD64 Hardened as well polished as
> >  the X86 variety?
>
> Yes.
>
> Regards,
>
> --Kerin
> --
> gentoo-hardened@lists.gentoo.org mailing list
>
>
I have been running hardened amd64 in production for some time now with
great results.  I did, however, start from a hardened stage3 on all the
machines. From what you have said, downtime is an issue, so I agree with
Kerin Millar above: build in a chroot, perhaps on another drive, then reboot
after everything (hardened kernel) is done.

Regards,
-- 
M. Summers

msummers42@gmail.com

"...there are no rules here -- we're trying to accomplish something."
- Thomas A. Edison
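The migration path Kerin and Matthew describe (roll a hardened stage3 chroot, rebuild there, quickpkg the result, install those binary packages on the live box with emerge -K, then reboot once into the hardened kernel), written out as an added runbook that is not part of the thread. The chroot location, the profile name, PORTDIR under /usr/portage, the in-chroot PKGDIR and the world-file copy are assumptions; DRY_RUN=1 (the default) prints the command plan so it can be reviewed before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added runbook, not code from the thread. Walks the path suggested above:
# hardened stage3 chroot -> rebuild world there -> quickpkg everything ->
# emerge -K those binpkgs on the live system -> hardened kernel -> one reboot.
# Assumptions: PORTDIR is /usr/portage, the chroot sits at $CHROOT, binpkgs go
# to $PKGDIR inside the chroot. With DRY_RUN=1 (default) commands are printed,
# not executed.
set -eu

DRY_RUN=${DRY_RUN:-1}
VDB=/var/db/pkg    # portage's record of installed packages

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# emerge inside the chroot needs /proc, /dev and /sys from the host.
mount_chroot() {
    root=$1
    run mount -t proc proc "$root/proc"
    run mount --rbind /dev "$root/dev"
    run mount --rbind /sys "$root/sys"
}

# Emit one =cat/pkg-version atom per package installed under $1, skipping the
# -MERGING-* directories portage leaves behind after an interrupted merge.
installed_atoms() {
    vdbroot=$1
    for d in "$vdbroot$VDB"/*/*; do
        [ -d "$d" ] || continue          # an unmatched glob stays literal
        pv=${d##*/}
        case $pv in -MERGING-*) continue ;; esac
        cat=${d%/*}; cat=${cat##*/}
        printf '=%s/%s\n' "$cat" "$pv"
    done
}

# In the chroot: hand it the live box's world file so it builds what the live
# system actually needs, select the hardened profile, build, then binpkg it all.
build_in_chroot() {
    root=$1; profile=$2; pkgdir=$3
    run cp /var/lib/portage/world "$root/var/lib/portage/world"
    run chroot "$root" ln -sfn "/usr/portage/profiles/$profile" /etc/make.profile
    run chroot "$root" env PKGDIR="$pkgdir" emerge --update --deep --newuse world
    run chroot "$root" env PKGDIR="$pkgdir" emerge --noreplace sys-kernel/hardened-sources
    # In dry-run mode this lists what the stage3 holds now, not the post-build set.
    for atom in $(installed_atoms "$root"); do
        run chroot "$root" env PKGDIR="$pkgdir" quickpkg "$atom"
    done
}

# On the live system: switch profile, then reinstall everything from binpkgs
# only (-K) so nothing gets compiled by the old toolchain. The kernel sources
# come along; configuring and booting them is the one step that needs downtime.
install_on_live() {
    root=$1; profile=$2; pkgdir=$3
    run ln -sfn "/usr/portage/profiles/$profile" /etc/make.profile
    run env PKGDIR="$root$pkgdir" emerge --usepkgonly --emptytree world
    run env PKGDIR="$root$pkgdir" emerge --usepkgonly --noreplace sys-kernel/hardened-sources
}

main() {
    root=${CHROOT:-/mnt/hardened}
    profile=${PROFILE:-hardened/amd64/multilib}   # the profile Calum asked about
    pkgdir=${PKGDIR:-/usr/portage/packages}
    mount_chroot "$root"
    build_in_chroot "$root" "$profile" "$pkgdir"
    install_on_live "$root" "$profile" "$pkgdir"
    echo "Next: configure and build the hardened kernel, then reboot once." >&2
}
main
```

Run it first with the defaults to read the plan, then with DRY_RUN=0 as root once the chroot is unpacked at $CHROOT. The world-file copy is what keeps emerge -K from stopping with "no binary package found": the chroot builds exactly the set the live system will ask for.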



-- 
gentoo-hardened@lists.gentoo.org mailing list

