We had been getting a message every time we tried to update the Portage tree, so after some research we decided to implement a hardened version of Gentoo on our Linux production server. The research we did seemed to make out it was going to be fairly easy: simply point your make profile to a hardened profile, then run the emerge -e world command and you would end up with a working but hardened system. So much for the research. We did the upgrade and all seemed to go well; we ran the etc-update function, carefully checked that we upgraded the relevant config files, and started everything again.
Boot up went well with no issues and the initial checks like does the Apache server show the right pages etc. Then we found out that PHP was not compiled into the server! OK, so we updated the server to include apache, regenerated the modules etc., restarted Apache and sure enough phpinfo(); returned all the right information! Or so we thought!
Next we tried to start the SugarCRM application interface: just a blank page! We also looked at phpMyAdmin and had the same problems, no session support, so we went through the exercise of rebuilding PHP and restarted everything again. We could now see everything in SugarCRM, but what about other programs? To cut a long story short, we must have re-generated PHP 6 times to get everything that was working to work again. We had to add xml, session, pcre, sockets, posix and unicode into the USE variables just to get SugarCRM working again.
We then found out that the email functions had stopped working because the resolve conf file had been cleared. It wasn’t part of the etc-update file list, so we don’t know why it happened. So we rebuilt the file and we now have a working system! Would we suggest you migrate to a hardened version? No, not unless you are really sure you need to and understand all of the ramifications of doing so. We are not Linux experts, but we have been using Gentoo in test and development for about 5 years now and never had the problems we had for this upgrade. We did contemplate moving back to the un-hardened version, but we had so much time and effort invested in this we decided to keep plodding on!
The real reason for this is to say just how EASY the System i is to manage. All of you Linux, Unix guys out there have my respect. I think I am pretty savvy when it comes to systems and how to manage them, but System i is still the best I have come across. If it wasn’t for the very poor performance on the System i we have installed SugarCRM on (i520 low end model) I would never have moved to the Linux server! Not that the System i is a poor performer normally, just that trying to kludge PHP into the PASE environment has caused a lot of problems which, unless IBM does something about them, will stop anyone from taking the option seriously! I moved from V5R3 to V5R4 in less than a day; most of the time was taken up waiting for the CD to spin, with none of this reconfiguring everything every time you upgrade! I am sure the V6R1 move will be just as painless once the initial bugs have been ironed out.
The Linux Environment seems to be stable at the moment! The System i has been stable since we installed it!
Chris…
You should have done some test emerge commands and looked for green (use flags that are changing state). The reason you need to do this is each profile has a set of USE defaults. Switching to the hardened profile added a couple and removed a few in relation to your old non-hardened profile. So basically, do an emerge -ave world and look for green and * which signifies a change in the use flag since the last time you merged a package. Add or remove corresponding use flags to /etc/make.conf (or use app-portage/ufed as I do). Keep running the emerge -ave world and saying n until you are happy with the output and then hit y to actually start merging.
Also, if you just switched profiles and then emerge -e world, you probably wasted a lot of time. According to the hardened FAQ, you need to do the toolchain first (binutils, gcc, libc), switch to the new hardened gcc if it wasn’t done automatically, THEN emerge -e world. Otherwise you may have rebuilt the whole system using your existing non-hardened-spec-enabled gcc.
I actually followed the instructions in the documentation to the letter. I should have done more research first so I do share the blame, but what appeared to be a simple upgrade that would remove the annoying messages about my install not being hardened turned out to be a lot more. I now have it working fully and am very happy with the results; just knowing what I know now could have saved a lot of hair pulling and annoyance.
Chris…
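The USE-flag review suggested in the comment above can be scripted instead of scanning for green text by eye. The following is an added example, not code from the post or from the Gentoo project: it parses pretend-mode emerge output and lists the flags marked as changed. The sample lines, package versions and the file name use_diff.py are constructed for illustration.

```python
import re
import sys

# Constructed sample of `emerge -pve world` output; not taken from the original post.
SAMPLE = """\
[ebuild   R   ] dev-lang/php-5.2.5  USE="apache2 session* xml* -posix* pcre unicode%*" 0 kB
[ebuild   R   ] www-servers/apache-2.2.8  USE="ssl -debug" 0 kB
[ebuild   R   ] sys-devel/gcc-4.1.2  USE="hardened* nls -pie%" 0 kB
"""

PKG_RE = re.compile(r"^\[ebuild[^\]]*\]\s+(\S+)(.*)$")
USE_RE = re.compile(r'(?<![A-Z_])USE="([^"]*)"')


def changed_use_flags(emerge_output):
    """Map each package to the USE flags emerge marks as changed.

    A trailing '*' means the flag switched on or off since the last merge,
    a trailing '%' means the flag is new to (or gone from) the ebuild.
    """
    changes = {}
    for line in emerge_output.splitlines():
        pkg = PKG_RE.match(line.strip())
        if not pkg:
            continue
        use = USE_RE.search(pkg.group(2))
        if not use:
            continue
        flagged = []
        for token in use.group(1).split():
            bare = token.strip("(){}")  # forced/masked flags are wrapped in ()
            if bare.endswith(("*", "%")):
                name = bare.rstrip("*%")
                flagged.append(name if name.startswith("-") else "+" + name)
        if flagged:
            changes[pkg.group(1)] = flagged
    return changes


if __name__ == "__main__":
    # Pipe real output in, e.g. `emerge -pve world | python3 use_diff.py`;
    # with no pipe the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for package, flags in changed_use_flags(text).items():
        print(package, " ".join(flags))
```

A package that loses a flag it depended on, such as session or xml for PHP here, shows up in this list before anything is rebuilt.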