
Mailing List Archive: Gentoo: Hardened

Tips for upgrading to the current stable gentoo hardened?

 

 



karlis.repsons at gmail

Jun 15, 2011, 3:55 AM

Post #1 of 12 (721 views)
Permalink
Tips for upgrading to the current stable gentoo hardened?

Hi all,

I've got a machine, which hasn't been upgraded for some 2 years or less. It
has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
I'm here to ask for the right sequence of upgrades and other actions before
it's too late...

These actions done already:
1. updated binutils,
2. updated glibc,
3. unmerged and re-emerged libtool (had a blocker),
4. tried with the new GCC, but failed with some unclear problems,
5. switched to vanilla GCC and now compile glibc...

So have I done something bad or what should I do to be sure that the upgrade
goes as smooth as possible? Thanks...
Attachments: signature.asc (0.19 KB)


b4b1 at free

Jun 15, 2011, 4:35 AM

Post #2 of 12 (695 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

Hi !

Another "hardcore" solution could be to create a fresh chroot
installation into which you import your system's preferences:

- Create directory
- Untar last hardened stage 3
- Copy your /etc in the chroot
- Copy your world file in the chroot
- Copy any kind of data or local application to your chroot
- chroot and update your system
- when things are done, test it
- wipe your old gentoo and move your chrooted one on /


That's "hardcore", but it has permitted me several times to resuscitate an old gentoo
system.

IF you can't do it, the normal way is:

- Recompile your toolchain by compiling these ports twice:
virtual/portage virtual/os-headers sys-libs/glibc sys-devel/binutils-config sys-devel/binutils sys-devel/gcc-config
(don't forget to switch your gcc on the way and to clean your ccache if you use it)
- Recompile your system (emerge -Davut system)
- Finally recompile your world.


TIPS: use of revdep-rebuild and lafilefixer could help on the way...


Hoping that could help you to update your old gentoo.





On Wed, 2011-06-15 at 10:55 +0000, Kārlis Repsons wrote:
> Hi all,
>
> I've got a machine, which hasn't been upgraded for some 2 years or less. It
> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
> I'm here to ask for the right sequence of upgrades and other actions before
> it's too late...
>
> These actions done already:
> 1. updated binutils,
> 2. updated glibc,
> 3. unmerged and re-emerged libtool (had a blocker),
> 4. tried with the new GCC, but failed with some unclear problems,
> 5. switched to vanilla GCC and now compile glibc...
>
> So have I done something bad or what should I do to be sure that the upgrade
> goes as smooth as possible? Thanks...

--
--------------------------------------------------------------------------------------
Jean-François Maeyhieux
--------------------------------------------------------------------------------------
PGP Public Key - Key ID = 63DB4770 Tuttle (JFM) <b4b1 [at] free>
http://pgpkeys.mit.edu:11371/pks/lookup?op=get&search=0x63DB4770
--------------------------------------------------------------------------------------
Attachments: signature.asc (0.19 KB)


lists at wildgooses

Jun 20, 2011, 7:20 AM

Post #3 of 12 (692 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 15/06/2011 11:55, Kārlis Repsons wrote:
> Hi all,
>
> I've got a machine, which hasn't been upgraded for some 2 years or less. It
> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
> I'm here to ask for the right sequence of upgrades and other actions before
> it's too late...
>
> These actions done already:
> 1. updated binutils,
> 2. updated glibc,
> 3. unmerged and re-emerged libtool (had a blocker),
> 4. tried with the new GCC, but failed with some unclear problems,
> 5. switched to vanilla GCC and now compile glibc...
>
> So have I done something bad or what should I do to be sure that the upgrade
> goes as smooth as possible? Thanks...

You didn't give any info on the problems you had using gcc 4.5 so very
hard to comment. However, roughly the upgrade of any gcc is as per the
docs (upgrade, switch to it, upgrade libtool, emerge -ev system)

Likely problems you had were dependencies upgrading from a very old
system? Remember there is no harm in masking your gcc, upgrading, then
upgrading gcc if this solves some dependency? (Slower)

Remember to backup the machine...

Ed W


7v5w7go9ub0o at gmail

Jun 28, 2011, 2:42 PM

Post #4 of 12 (661 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/15/11 07:35, Jean-François Maeyhieux wrote:
> Hi !
>
> Another "hardcore" solution could be to create a fresh chroot
> installation into which you import your system's preferences:
>
> - Create directory
> - Untar last hardened stage 3
> - Copy your /etc in the chroot
> - Copy your world file in the chroot
> - Copy any kind of data or local application to your chroot
> - chroot and update your system
> - when things are done, test it
> - wipe your old gentoo and move your chrooted one on /
>
>
> That's "hardcore", but it has permitted me several times to resuscitate an old
> gentoo system.
>
> IF you can't do it, the normal way is:
>
> - Recompile your toolchain by compiling these ports twice:
> virtual/portage virtual/os-headers sys-libs/glibc
> sys-devel/binutils-config sys-devel/binutils sys-devel/gcc-config
> (don't forget to switch your gcc on the way and to clean your ccache
> if you use it)
> - Recompile your system (emerge -Davut system)
> - Finally recompile your world.
>


Somewhere you need to fool with profiles and make.conf. I *think* the
profiles will add, e.g., "hardened" to your gcc flag

There used to be a wiki somewhere that described the building of
hardened-gentoo step by step after branching off from the gentoo
handbook - to upgrade a standard box. It may have been called
gentooexperimental, but appears now dead.

IF anyone can point me to current documentation about building a
hardened box (which should include the make.conf and other hardened
settings), please post it here.

TIA


7v5w7go9ub0o at gmail

Jun 28, 2011, 3:20 PM

Post #5 of 12 (663 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/28/11 17:42, 7v5w7go9ub0o wrote:

>
> IF anyone can point me to current documentation about building a
> hardened box (which should include the make.conf and other hardened
> settings), please post it here.

I just dropped by #gentoo-hardened on irc.freenode.net and asked about
instructions for building, and for migration (upgrading).

FWICT the instructions for building a hardened box are not quite yet
incorporated into the Gentoo handbook. However, thanks to Klondike, I
was quickly directed to:

<http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile>

which pretty-well describes the migration process.

(Note the "eselect profile list" step, which switches to the hardened
profile - necessary before recompiling stuff.)


karlis.repsons at gmail

Jun 29, 2011, 1:39 AM

Post #6 of 12 (655 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 20 June 2011 14:20, Ed W <lists [at] wildgooses> wrote:
> On 15/06/2011 11:55, Kārlis Repsons wrote:
>> Hi all,
>>
>> I've got a machine, which hasn't been upgraded for some 2 years or less. It
>> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
>> I'm here to ask for the right sequence of upgrades and other actions before
>> it's too late...
>>
>> These actions done already:
>> 1. updated binutils,
>> 2. updated glibc,
>> 3. unmerged and re-emerged libtool (had a blocker),
>> 4. tried with the new GCC, but failed with some unclear problems,
>> 5. switched to vanilla GCC and now compile glibc...
>>
>> So have I done something bad or what should I do to be sure that the upgrade
>> goes as smooth as possible? Thanks...
>
> You didn't give any info on the problems you had using gcc 4.5 so very
> hard to comment.  However, roughly the upgrade of any gcc is as per the
> docs (upgrade, switch to it, upgrade libtool, emerge -ev system)
>
> Likely problems you had were dependencies upgrading from a very old
> system?  Remember there is no harm in masking your gcc, upgrading, then
> upgrading gcc if this solves some dependency? (Slower)
>
> Remember to backup the machine...

Thanks, the problem was rather silly: I ran out of RAM in a diskless machine...

By the way, if I wish to update and totally rebuild my system, what
steps do I have to take? I've seen many guides telling about the
toolchain and emerge -e system, then world, but I lack consistency and
understanding about how exactly and why. Anyone to suggest me some
valuable link about that?


karlis.repsons at gmail

Jun 29, 2011, 1:45 AM

Post #7 of 12 (654 views)
Permalink
Re: Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 28 June 2011 22:20, 7v5w7go9ub0o <7v5w7go9ub0o [at] gmail> wrote:
> <http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedprofile>
Does it say when glibc and libtool, perhaps some other
toolchain-related components need to be rebuilt? Didn't find anything
really...
(perhaps rebuilding virtual/libc leads to glibc rebuild?)


blueness at gentoo

Jun 29, 2011, 4:19 AM

Post #8 of 12 (654 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/29/2011 04:39 AM, Kārlis Repsons wrote:
> On 20 June 2011 14:20, Ed W <lists [at] wildgooses> wrote:
>> On 15/06/2011 11:55, Kārlis Repsons wrote:
>>> Hi all,
>>>
>>> I've got a machine, which hasn't been upgraded for some 2 years or less. It
>>> has GCC-4.3.4 and now I tried to upgrade to 4.5.2, but something failed. So
>>> I'm here to ask for the right sequence of upgrades and other actions before
>>> it's too late...
>>>
>>> These actions done already:
>>> 1. updated binutils,
>>> 2. updated glibc,
>>> 3. unmerged and re-emerged libtool (had a blocker),
>>> 4. tried with the new GCC, but failed with some unclear problems,
>>> 5. switched to vanilla GCC and now compile glibc...
>>>
>>> So have I done something bad or what should I do to be sure that the upgrade
>>> goes as smooth as possible? Thanks...
>>
>> You didn't give any info on the problems you had using gcc 4.5 so very
>> hard to comment. However, roughly the upgrade of any gcc is as per the
>> docs (upgrade, switch to it, upgrade libtool, emerge -ev system)
>>
>> Likely problems you had were dependencies upgrading from a very old
>> system? Remember there is no harm in masking your gcc, upgrading, then
>> upgrading gcc if this solves some dependency? (Slower)
>>
>> Remember to backup the machine...
>
> Thanks, the problem was rather silly: I ran out of RAM in a diskless machine...
>
> By the way, if I wish to update and totally rebuild my system, what
> steps do I have to take? I've seen many guides telling about the
> toolchain and emerge -e system, then world, but I lack consistency and
> understanding about how exactly and why. Anyone to suggest me some
> valuable link about that?

The safest approach in either switching or recompiling everything is:

1. Make sure the profile is set: "eselect profile list" and pick your hardened
box. Careful on amd64 about changing multilib/nomultilib. Stick with
your multilib-edness (if such a word exists :)

2. Rebuild the tool chain: emerge binutils glibc gcc

3. Rebuild system: emerge --keep-going -eq system
(note anything that fails you might want to file a bug)

4. Rebuild world: emerge --keep-going -eq world
(again note any failures, shouldn't happen else we're not doing our job)

system vs world = system is just the bare minimum packages that any box
running that profile needs. world = system + what you've added. You
can skip step 3, but there might be a chance of mixing
unhardened/hardened stuff if you do, but I'm not 100% sure.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535


7v5w7go9ub0o at gmail

Jun 29, 2011, 7:47 AM

Post #9 of 12 (644 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/29/11 07:19, Anthony G. Basile wrote:

[snip]

>
> The safest approach in either switching or recompiling everything
> is:
>
> 1. Make sure the profile is set: "eselect profile list" and pick your
> hardened box. Careful on amd64 about changing multilib/nomultilib.
> Stick with your multilib-edness (if such a word exists :)
>
> 2. Rebuild the tool chain: emerge binutils glibc gcc
>
> 3. Rebuild system: emerge --keep-going -eq system (note anything
> that fails you might want to file a bug)
>
> 4. Rebuild world: emerge --keep-going -eq world (again note any
> failures, shouldn't happen else we're not doing our job)
>
> system vs world = system is just the bare minimum packages that any
> box running that profile needs. world = system + what you've added.
> You can skip step 3, but there might be a chance of mixing
> unhardened/hardened stuff if you do, but I'm not 100% sure.
>

Thank You!

1. Is there some way this clear, succinct list could get into the
hardened documentation?

2. At this point, the 'clearest' way to build a hardened box from scratch
seems to go a few steps into the Gentoo handbook, then migrate using the
steps above. Not ideal, but until the documentation can be refined, how
about either putting these steps into the handbook, or alternatively a
reference *in the handbook* to wherever you find a home for these steps
(e.g. QandA).

IIRC, there is nowhere a reference to "hardened" in the Gentoo Handbook.


tom at whyscream

Jun 29, 2011, 2:39 PM

Post #10 of 12 (639 views)
Permalink
Re: Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 29/06/11 16:47, 7v5w7go9ub0o wrote:
> On 06/29/11 07:19, Anthony G. Basile wrote:
>
> [snip]
>
>>
>> The safest approach in either switching or recompiling everything
>> is:
>>
>> 1. Make sure the profile is set: "eselect profile list" and pick your
>> hardened box. Careful on amd64 about changing multilib/nomultilib.
>> Stick with your multilib-edness (if such a word exists :)
>>
>> 2. Rebuild the tool chain: emerge binutils glibc gcc
>>
>> 3. Rebuild system: emerge --keep-going -eq system (note anything
>> that fails you might want to file a bug)
>>
>> 4. Rebuild world: emerge --keep-going -eq world (again note any
>> failures, shouldn't happen else we're not doing our job)
>>
>> system vs world = system is just the bare minimum packages that any
>> box running that profile needs. world = system + what you've added.
>> You can skip step 3, but there might be a chance of mixing
>> unhardened/hardened stuff if you do, but I'm not 100% sure.
>>
>
> Thank You!
>
> 1. Is there some way this clear, succinct list could get into the
> hardened documentation?
>
> 2. At this point, the 'clearest' way to build a hardened box from scratch
> seems to go a few steps into the Gentoo handbook, then migrate using the
> steps above. Not ideal, but until the documentation can be refined, how
> about either putting these steps into the handbook, or alternatively a
> reference *in the handbook* to wherever you find a home for these steps
> (e.g. QandA).

I built a hardened box last week by grabbing a hardened autobuild, then
following the regular handbook for my arch. Above steps are only needed
when you start from a regular stage, or when you are converting a
regular install.

Usage of autobuilds is missing in the handbook now, but iirc there are
some open bugs on getting this changed.

--
Regards,
Tom


7v5w7go9ub0o at gmail

Jun 29, 2011, 4:44 PM

Post #11 of 12 (641 views)
Permalink
Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/29/11 17:39, Tom Hendrikx wrote:
> On 29/06/11 16:47, 7v5w7go9ub0o wrote:

>>
>> 2. At this point, the 'clearest' way to build a hardened box from
>> scratch seems to go a few steps into the Gentoo handbook, then
>> migrate using the steps above. Not ideal, but until the
>> documentation can be refined, how about either putting these steps
>> into the handbook, or alternatively a reference *in the handbook*
>> to wherever you find a home for these steps (e.g. QandA).
>
> I built a hardened box last week by grabbing a hardened autobuild,
> then following the regular handbook for my arch. Above steps are only
> needed when you start from a regular stage, or when you are
> converting a regular install.
>
> Usage of autobuilds is missing in the handbook now, but iirc there
> are some open bugs on getting this changed.
>
> -- Regards, Tom
>
>

Geeze... I've built a couple of hardened boxes from scratch; most
recently two or three years ago; never *heard* of autobuild. Maybe my
experience precedes it (I was using experimental.org).

Perhaps the perfect (as in the traditionally excellent Gentoo
documentation) has become the enemy of the good (the documentation of the
autobuild is good, but not perfect enough to be entered into official docs.)

If "Q and A" is now the official hardened documentation, then 'twould be
nice if someone put a couple of imperfect sentences in there about
autobuild.

Good to know; so autobuilds are probably the clearest way to build a
hardened box. Thanks for posting.

(p.s. I think of ALL of the work that Zorry, Blueness, and a myriad of
other folks put into bringing Hardened Gentoo up to date - truly
*heroic* contributions - and I now fear that a lack of documentation will
result in a loss of the benefit of all of that work)

killall rant


blueness at gentoo

Jun 29, 2011, 6:21 PM

Post #12 of 12 (638 views)
Permalink
Re: Re: Tips for upgrading to the current stable gentoo hardened? [In reply to]

On 06/29/2011 05:39 PM, Tom Hendrikx wrote:
> On 29/06/11 16:47, 7v5w7go9ub0o wrote:
>> On 06/29/11 07:19, Anthony G. Basile wrote:
>>
>> [snip]
>>
>>>
>>> The safest approach in either switching or recompiling everything
>>> is:
>>>
>>> 1. Make sure the profile is set: "eselect profile list" and pick your
>>> hardened box. Careful on amd64 about changing multilib/nomultilib.
>>> Stick with your multilib-edness (if such a word exists :)
>>>
>>> 2. Rebuild the tool chain: emerge binutils glibc gcc
>>>
>>> 3. Rebuild system: emerge --keep-going -eq system (note anything
>>> that fails you might want to file a bug)
>>>
>>> 4. Rebuild world: emerge --keep-going -eq world (again note any
>>> failures, shouldn't happen else we're not doing our job)
>>>
>>> system vs world = system is just the bare minimum packages that any
>>> box running that profile needs. world = system + what you've added.
>>> You can skip step 3, but there might be a chance of mixing
>>> unhardened/hardened stuff if you do, but I'm not 100% sure.
>>>
>>
>> Thank You!
>>
>> 1. Is there some way this clear, succinct list could get into the
>> hardened documentation?
>>
>> 2. At this point, the 'clearest' way to build a hardened box from scratch
>> seems to go a few steps into the Gentoo handbook, then migrate using the
>> steps above. Not ideal, but until the documentation can be refined, how
>> about either putting these steps into the handbook, or alternatively a
>> reference *in the handbook* to wherever you find a home for these steps
>> (e.g. QandA).
>
> I built a hardened box last week by grabbing a hardened autobuild, then
> following the regular handbook for my arch. Above steps are only needed
> when you start from a regular stage, or when you are converting a
> regular install.
>
> Usage of autobuilds is missing in the handbook now, but iirc there are
> some open bugs on getting this changed.
>
> --
> Regards,
> Tom

That's correct, these are instructions for switching from vanilla or if
you want to *very* safely recompile everything making sure you get
hardened. It is the most conservative path but also very time consuming.

If you're starting from scratch, just grab the latest stage3 *hardened*
tarball, start building your system from there and save yourself the
time. You will gain nothing by recompiling the tool chain and
system/world.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness [at] gentoo
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
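
The thread's concern about ending up with a mix of unhardened and hardened binaries after the rebuild (steps 2 to 4 above) can be checked mechanically. The script below is an added example, not part of any post in this thread: it assumes the hardened toolchain emits ET_DYN (PIE) objects with full RELRO, and the function names, the script name and the two readelf excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ELF files that do not look like hardened-toolchain output.
# Assumption: hardened builds are ET_DYN (PIE/shared) with GNU_RELRO + BIND_NOW.
# Usage (hypothetical script name): sh audit-hardened.sh /bin/* /usr/bin/*

# Classify one file from `readelf -W -h -l -d` text read on stdin.
classify_readelf() {
    awk '
        $1 == "Type:"              { type = $2 }  # ELF header: EXEC, DYN, REL
        $1 == "GNU_RELRO"          { relro = 1 }  # RELRO program header
        /\(BIND_NOW\)/             { now = 1 }    # DT_BIND_NOW tag
        /\(FLAGS\)/ && /BIND_NOW/  { now = 1 }    # DT_FLAGS
        /\(FLAGS_1\)/ && / NOW/    { now = 1 }    # DT_FLAGS_1
        END {
            if (type == "") { print "not-elf"; exit }
            r = relro ? (now ? "full" : "partial") : "none"
            v = (type == "DYN" && r == "full") ? "ok" : "review"
            printf "type=%s relro=%s verdict=%s\n", type, r, v
        }'
}

# Run readelf over each path and print only the files that need a look.
audit_paths() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        out=$(readelf -W -h -l -d "$f" 2>/dev/null) || continue  # skip non-ELF
        res=$(printf '%s\n' "$out" | classify_readelf)
        case $res in *verdict=review) printf '%s: %s\n' "$f" "$res" ;; esac
    done
}

# Constructed readelf excerpts (not captured from a real system).
SAMPLE_HARDENED='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
Dynamic section at offset 0x2da0 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_VANILLA='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1
Dynamic section at offset 0xe28 contains 24 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Only audit when paths are given on the command line.
if [ "$#" -gt 0 ]; then audit_paths "$@"; fi
```

Files reported with `verdict=review` are candidates for re-emerging the owning package; static binaries and relocatable objects also land there and need a manual decision.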
