Hi Swinog,
I wonder if someone has any experiences with Ubuntu as server distribution? Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Now I consider to change to Ubuntu with the 5 year LTS versions.
Cheers, Benjamin
Topquote alert...
I use LTS and found it of higher feature completeness and equal stability and security as compared to debian stable.
I no longer install debian, but I am also a relatively smalltime user.
Pim
On Jan 28, 2010 3:28 PM, "Schlageter Benjamin" B.Schlageter@ebm.ch wrote:
Hi Swinog,
I wonder if someone has any experiences with Ubuntu as server distribution? Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Now I consider to change to Ubuntu with the 5 year LTS versions.
Cheers, Benjamin
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
We have several servers running with Ubuntu 8.04 LTS here (every linux server which doesn't need Suse to run oracle or novell products in fact).
I'm really happy with them, very stable, and if you're not looking for the latest software version (like tomcat 6 etc.) the available packages work very well.
Schlageter Benjamin wrote:
Hi Swinog,
I wonder if someone has any experiences with Ubuntu as server distribution? Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Now I consider to change to Ubuntu with the 5 year LTS versions.
Cheers, Benjamin
--
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Thanks for the info.
Just running "normal" ISP services like dhcp, dns, webserver and so on. Main focus is the long support, maybe I'll wait for 10.04 LTS - so I got support to the year 2015 :)
On 28.01.10 16:23, "Olivier Beytrison" olivier@heliosnet.org wrote:
We have several servers running with Ubuntu 8.04 LTS here (every linux server which doesn't need Suse to run oracle or novell products in fact).
I'm really happy with them, very stable, and if you're not looking for the latest software version (like tomcat 6 etc.) the available packages work very well.
Schlageter Benjamin wrote:
Hi Swinog,
I wonder if someone has any experiences with Ubuntu as server distribution? Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Now I consider to change to Ubuntu with the 5 year LTS versions.
Cheers, Benjamin
Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mobile: +41 (0)78 619 73 53 Mail: olivier@heliosnet.org
Hi
Thanks for the info.
Just running "normal" ISP services like dhcp, dns, webserver and so on. Main focus is the long support, maybe I'll wait for 10.04 LTS - so I got support to the year 2015 :)
If you are going to pick Ubuntu because of the more predictable and long-term support[1], make sure the packages you need are in the repository 'main' and not in 'universe'. If you have to use packages from universe, I'd be careful. They do not have official security support for the same time but are 'supported by the community'. I've seen very sad states of packages in Ubuntu 'universe', there were even known broken kernels released in 'universe'. 'Main' is generally very nice, though.
On Debian all packages are officially supported equally good or bad by the security team, but generally for a shorter time.
Long story short:
If you can cover your needs with Ubuntu 'main', go for Ubuntu. If not, I'd rather use Debian.
You can check in what repository a given package is by searching for it on http://packages.ubuntu.com
Just my 5 cents
mauro
[1] Debian is trying to address its problems in that respect with a fixed release schedule, but it remains to be seen whether Debian pulls its act together without going under in flame wars on debian-devel :)
On 28.01.2010 at 17:08, Mauro Calderara wrote:
Hi
Thanks for the info.
Just running "normal" ISP services like dhcp, dns, webserver and so on. Main focus is the long support, maybe I'll wait for 10.04 LTS - so I got support to the year 2015 :)
If you are going to pick Ubuntu because of the more predictable and long-term support[1], make sure the packages you need are in the repository 'main' and not in 'universe'. If you have to use packages from universe, I'd be careful. They do not have official security support for the same time but are 'supported by the community'. I've seen very sad states of packages in Ubuntu 'universe', there were even known broken kernels released in 'universe'. 'Main' is generally very nice, though.
I think this is the most important thing to consider. I have an LTS Version of Ubuntu something or other running (How does one get the version out of this thing, certainly not with uname(1)), actually it is 6.06.1 LTS aka dapper.
Almost all of the things which I use on this box (Web, Mail, FTP Server) is not in main, but in universe, and might get updated and might not. Stuff like clamav, postfix, amavisd-new, pure-ftpd and loads of other goodies are in universe.
On Debian all packages are officially supported equally good or bad by the security team, but generally for a shorter time.
Long story short:
If you can cover your needs with Ubuntu 'main', go for Ubuntu. If not, I'd rather use Debian.
Definitively true, I ended up getting debian packages for clamav, patching them, and then compiling them, since there was no up-to-date clamav on Ubuntu.
You can check in what repository a given package is by searching for it on http://packages.ubuntu.com
Just my 5 cents
I think you are selling your experience short.
Cheers, -daniel (New year's resolution: update the ubuntu box and change its IP Addresses, if any spare time is to be found somewhere, update it to freebsd)
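Added example, not part of the original posts: the 'main' versus 'universe' check discussed above can be done on the machine itself instead of on packages.ubuntu.com by reading `apt-cache policy` output and reporting the archive component the installed version comes from. The function names, the sample package names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `apt-cache policy <pkg>...` output on stdin and prints
# "<package> <component>" for the installed version of each package.
component_report() {
    awk '
    function emit() {
        if (pkg == "") return
        if (state == "") state = (comp == "" ? "no-archive" : comp)
        print pkg, state
    }
    # "name:" on its own starts the stanza for the next package.
    NF == 1 && /:$/ {
        emit(); pkg = $1; sub(/:$/, "", pkg)
        comp = ""; state = ""; inst = 0; next
    }
    $1 == "Installed:" && $2 == "(none)" { state = "not-installed"; next }
    # "*** <version> <n>" marks the installed version; its sources follow.
    $1 == "***" { inst = 1; next }
    # Any other "<version> <n>" line starts a version that is not installed.
    NF == 2 && $1 !~ /:$/ && $2 ~ /^[0-9]+$/ { inst = 0; next }
    # Source line: "<prio> <url> <suite>/<component> ... Packages".
    inst && comp == "" && $2 ~ /^[a-z]+:\/\// && $3 ~ /\// {
        n = split($3, part, "/"); comp = part[n]
    }
    END { emit() }
    '
}

# Installed packages that do not come from main (the case the thread
# warns about); "no-archive" means only the local dpkg database has it.
not_in_main() {
    component_report | awk '$2 != "main" && $2 != "not-installed"'
}

# Constructed sample input (hypothetical package names and versions).
sample_policy() {
    cat <<'EOF'
webd-example:
  Installed: 1.0-1ubuntu1
  Candidate: 1.0-1ubuntu1.2
  Version table:
     1.0-1ubuntu1.2 0
        500 http://security.ubuntu.com dapper-security/main Packages
 *** 1.0-1ubuntu1 0
        500 http://archive.ubuntu.com dapper/main Packages
        100 /var/lib/dpkg/status
mailfilter-example:
  Installed: 2.3-4
  Candidate: 2.3-4
  Version table:
 *** 2.3-4 0
        500 http://archive.ubuntu.com dapper/universe Packages
        100 /var/lib/dpkg/status
selfbuilt-example:
  Installed: 0.9-0local1
  Candidate: 0.9-0local1
  Version table:
 *** 0.9-0local1 0
        100 /var/lib/dpkg/status
EOF
}

# Live use: sh component-check.sh pkg1 pkg2 ...
if [ "$#" -gt 0 ]; then
    apt-cache policy "$@" | not_in_main
fi
```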
Hi
On 1 Feb 2010, at 17:01, Daniel G. Kluge wrote:
I think this is the most important thing to consider. I have an LTS Version of Ubuntu something or other running (How does one get the version out of this thing, certainly not with uname(1)), actually it is 6.06.1 LTS aka dapper.
lsb_release -a
Cheers.
Mathias Seiler
MiroNet GmbH, Strassburgerallee 86, CH-4055 Basel T +41 61 201 30 90, F +41 61 201 30 99
mathias.seiler@mironet.ch www.mironet.ch
On 01.02.2010 at 17:19, Mathias Seiler wrote:
Hi
On 1 Feb 2010, at 17:01, Daniel G. Kluge wrote:
I think this is the most important thing to consider. I have an LTS Version of Ubuntu something or other running (How does one get the version out of this thing, certainly not with uname(1)), actually it is 6.06.1 LTS aka dapper.
lsb_release -a
Ah, there's a 244 line python script, that does what I do with 'cat /etc/lsb_release', cute.
Greets, -daniel
Hi Benjamin
On 1/28/10 4:51 PM, Benjamin Schlageter wrote:
Just running "normal" ISP services like dhcp, dns, webserver and so on. Main focus is the long support, maybe I'll wait for 10.04 LTS - so I got support to the year 2015:)
I run several Ubuntu Server boxes. For the services you mentioned, you can use Ubuntu without troubles. You even have more hardware support, which is essential if you use newer server hardware. However, dist-upgrading might be a PITA with Ubuntu, since they change concepts more frequently than Debian (f.e. upstart and udev).
Cheerz, - Dan
* on the Thu, Jan 28, 2010 at 03:18:19PM +0100, Schlageter Benjamin wrote:
I wonder if someone has any experiences with Ubuntu as server distribution?
Not much.
Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Yes, but that's absolutely painless.
sed -i s/etch/lenny/g /etc/apt/sources.list
apt-get update
apt-get dist-upgrade
Cheers Seegras
On Fri, Jan 29, 2010 at 11:22:04AM +0100, Peter Keel wrote:
Yes, but that's absolutely painless.
I also regret the times when Debian was only releasing every 3 years or so, however, the current release cycle is not that fast, you still have two years between upgrades, and obsolescence is usually announced one year ahead.
I still prefer Debian over Ubuntu, even installed minimally, because Debian has less "weight" (although it's increasing: I have for example seen with horror that I was touched by the python security bug, because Debian installed python for the ssh-blacklist package -- it's unfortunate those dependencies leak in ...).
Remember: the more packages you have installed, the more the administrative overhead will cost.
I suggest the following, after the upgrade:
sed -i s/etch/lenny/g /etc/apt/sources.list
apt-get update
apt-get dist-upgrade
- start aptitude, check if there are any Obsolete or locally installed packages, remove them, and possibly find new packages to replace them. If you don't do this, those packages might be a security hazard (or just an administrative cost).
- maybe use apt-get autoremove (but see below) to get rid of unnecessary installed packages (less packages == less work).
- maybe use deborphan to locate unused packages, and remove them.
It is always a good idea to read the release notes before upgrading (see http://www.debian.org/releases/stable/). There is a lot of advice there on what to do BEFORE, DURING, and AFTER the upgrade.
Other ideas:
- I use OpenVZ as a fast, efficient, simple: in a word UNIX-ish virtualization platform; keeping the host system as simple as possible, basically a hardware layer.
Thus non host updates can be tested first on a VZ copy; host updates can be attempted first on similar hardware, especially if you already have some sort of high availability in place.
- don't forget to check whether you have added any non standard sources.list entries, those packages are not supported by Debian on upgrades. Of course you haven't installed any package by hand with dpkg -i or converted with alien/rpm that you found on the Internet I hope :)
- if you use special administrative tricks (for example package diversions, package holds), be sure to check for them before and after upgrading.
- it is generally assumed that any local changes to the system will be done in /usr/local and never to installed packages themselves (diversions come in handy here!). Locally installed software (in /usr/local or /opt) is usually not touched by system upgrades, don't forget to update it as necessary yourself.
- if you use aptitude, beware of the autoremove features.
- use FAI for easy service / system installation (class-based, reproducible)
For those who don't know, diversions are a way to tell the packaging system that when it updates a file, it should update it elsewhere. This paves the way for seamless patching and wrapper scripts in-place.
Holds are ways to tell the system to never touch (upgrade) a package. There are unfortunately two incompatible holds in Debian: apt/dpkg and aptitude.
Recommended books: The Debian system : concepts and techniques, 1-59327-069-0; Cahiers de l'Admin: Debian GNU/Linux (http://www.ouaza.com/livre/admin-debian/extrait-apt.pdf)
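Added example, not part of the original message: the checks listed above for holds, diversions and non-standard sources.list entries, written as small parsers so that a snapshot taken before the upgrade can be compared with one taken afterwards. The function names and sample data are constructed, and treating every host under debian.org as an official source is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: parsers for the before/after-upgrade checks on holds,
# diversions and non-standard sources.list entries.
# Note: these are dpkg's holds; aptitude keeps its own hold flags.

# stdin: `dpkg --get-selections` output -> names of packages on hold
held_packages() { awk '$2 == "hold" { print $1 }' | sort; }

# stdin: `dpkg-divert --list` output -> paths diverted locally by the admin
local_diversions() {
    awk '$1 == "local" && $2 == "diversion" { print $4 }' | sort
}

# $1: a sources.list file -> "url suite" of entries not hosted under
# debian.org (assumption: official mirrors all live under that domain)
foreign_sources() {
    awk '$1 ~ /^deb(-src)?$/ {
        host = $2
        sub(/^[a-z+]+:\/\//, "", host)   # drop the scheme
        sub(/[\/:].*$/, "", host)        # drop port and path
        if (host !~ /(^|\.)debian\.org$/) print $2, $3
    }' "$1"
}

# $1, $2: sorted lists taken before and after -> entries that disappeared
dropped() { comm -23 "$1" "$2"; }

# Record the live system state into directory $1 (run before and after).
snapshot() {
    mkdir -p "$1" &&
    dpkg --get-selections | held_packages > "$1/holds" &&
    dpkg-divert --list | local_diversions > "$1/diversions" &&
    foreign_sources /etc/apt/sources.list > "$1/foreign-sources"
}

# Constructed sample data, used to show the formats being parsed.
sample_selections_before() {
    printf '%s\n' 'apache2 install' 'bind9 hold' 'clamav hold'
}
sample_selections_after() {
    printf '%s\n' 'apache2 install' 'bind9 hold' 'clamav install'
}
sample_diversions() {
    cat <<'EOF'
diversion of /bin/sh to /bin/sh.distrib by dash
local diversion of /usr/sbin/sendmail to /usr/sbin/sendmail.real
EOF
}
sample_sources() {
    cat <<'EOF'
deb http://ftp.ch.debian.org/debian lenny main
deb http://security.debian.org/ lenny/updates main
# deb http://old.example.org/debian etch main
deb http://repo.example.net/debian lenny contrib
EOF
}

if [ "${1:-}" = "snapshot" ] && [ -n "${2:-}" ]; then
    snapshot "$2"
fi
```

Run it with `snapshot before` and `snapshot after` around the dist-upgrade, then compare the two directories with `dropped before/holds after/holds`.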
hi Benjamin, long time no see :)
Ubuntu was the only OS distribution where all Torrus pre-requisites were available as packages:
everywhere else one needs to compile a few things from sources.
just my 2 cents :)
----- Original Message ----
From: Schlageter Benjamin B.Schlageter@ebm.ch To: swinog@lists.swinog.ch Sent: Thu, January 28, 2010 3:18:19 PM Subject: [swinog] Debian vs. Ubuntu
Hi Swinog,
I wonder if someone has any experiences with Ubuntu as server distribution? Till this day, we use only Debian - but to the end of Debian 4.0 we must upgrade every server to get still security patches.
Now I consider to change to Ubuntu with the 5 year LTS versions.
Stanislav Sinyagin wrote:
hi Benjamin, long time no see :)
Ubuntu was the only OS distribution where all Torrus pre-requisites were available as packages:
everywhere else one needs to compile a few things from sources.
AFAICT from that list, you'd be fine on openSUSE too. Still, nothing wrong with untar+config+make :-)
/Per
* on the Sat, Jan 30, 2010 at 01:36:52PM +0100, Per Jessen wrote:
AFAICT from that list, you'd be fine on openSUSE too. Still, nothing wrong with untar+config+make :-)
Yes, very wrong. Maintainability goes through the floor. Or are you sure not to miss a security-relevant update in an insignificant program like tar? Or any other program or library which might be a dependency of the software you're compiling?
And if you're compiling yourself, because the package in the distribution is too outdated, make packages, and name them after the same scheme as the distribution. That way your package might be upgraded automatically if the distribution ships a newer one.
Cheers Seegras
I would say CentOS... ;)
Stable, compatible and quick on patching critical stuff.. I have never trusted Ubuntu on my servers maybe it's because of the great with desktops etc..
Never been a fan of debian..
On Jan 30, 2010, at 15:45, "Peter Keel" seegras@discordia.ch wrote:
* on the Sat, Jan 30, 2010 at 01:36:52PM +0100, Per Jessen wrote:
AFAICT from that list, you'd be fine on openSUSE too. Still, nothing wrong with untar+config+make :-)
Yes, very wrong. Maintainability goes through the floor. Or are you sure not to miss a security-relevant update in an insignificant program like tar? Or any other program or library which might be a dependency of the software you're compiling?
And if you're compiling yourself, because the package in the distribution is too outdated, make packages, and name them after the same scheme as the distribution. That way your package might be upgraded automatically if the distribution ships a newer one.
Cheers Seegras -- "Those who give up essential liberties for temporary safety deserve neither liberty nor safety." -- Benjamin Franklin "It's also true that those who would give up privacy for security are likely to end up with neither." -- Bruce Schneier
I would say Solaris.
Stable, well designed, full featured Unix with a stable API.
Ihsan
On 30.01.10 21:51, Mehmet Akcin wrote:
I would say CentOS... ;)
Stable, compatible and quick on patching critical stuff.. I have never trusted Ubuntu on my servers maybe it's because of the great with desktops etc..
Never been a fan of debian..
Hey guys,
Thanks for all replies. As I see, every distribution has their own pros and cons. For me I'll stay atm on debian - maybe I'll do a mixture of debian and ubuntu - as stan said, in ubuntu are all pre-requisites done for torrus. :)
At the end, every sysadmin needs to know by himself, why he uses his "own" distri. ;)
/Benj
On 31.01.10 22:13, "Ihsan Dogan" ihsan@dogan.ch wrote:
I would say Solaris.
Stable, well designed, full featured Unix with a stable API.
Ihsan
* on the Sun, Jan 31, 2010 at 10:13:57PM +0100, Ihsan Dogan wrote:
I would say Solaris.
Stable, well designed, full featured Unix with a stable API.
And a miserable package-management. No. This won't do. If you don't need ZFS you're way better off with any Linux which has some kind of package-management.
With one or two machines you might use any UNIX-ish OS, *BSD, MacOSX, Solaris, Slackware Linux, whatever, it doesn't really matter. But as soon as you're running _lots_ of machines you're practically screwed without a decent package-management. And then you'll want dpkg, or at least rpm.
Cheers Seegras
Peter Keel wrote:
* on the Sat, Jan 30, 2010 at 01:36:52PM +0100, Per Jessen wrote:
AFAICT from that list, you'd be fine on openSUSE too. Still, nothing wrong with untar+config+make :-)
Yes, very wrong. Maintainability goes through the floor. Or are you sure not to miss a security-relevant update in an insignificant program like tar? Or any other program or library which might be a dependency of the software you're compiling?
When you know what you're doing, I don't see a problem.
/Per
imo it's a question of resources. in an ideal world I would argue you build and install manually, for everything...but only after you have reviewed every line of code to ensure there are no security issues. If there are then you fix. but i mean, who has the resources to do this? not many I bet. So, as normal it's a matter of compromise, you have to find the right balance. Ensure that your security policy is maintained within resource limits, due diligence et al. You have to do what works for you.
mike
btw, nice sig Peter.. here is one from me ... Athens (+15°C)
2010/1/31 Per Jessen per.jessen@enidan.ch:
Peter Keel wrote:
* on the Sat, Jan 30, 2010 at 01:36:52PM +0100, Per Jessen wrote:
AFAICT from that list, you'd be fine on openSUSE too. Still, nothing wrong with untar+config+make :-)
Yes, very wrong. Maintainability goes through the floor. Or are you sure not to miss a security-relevant update in an insignificant program like tar? Or any other program or library which might be a dependency of the software you're compiling?
When you know what you're doing, I don't see a problem.
/Per
-- Per Jessen, Zürich (-2.6°C)
Michael Dilworth wrote:
imo it's a question of resources. in an ideal world I would argue you build and install manually, for everything...but only after you have reviewed every line of code to ensure there are no security issues. If there are then you fix. but i mean, who has the resources to do this? not many I bet. So, as normal it's a matter of compromise, you have to find the right balance. Ensure that your security policy is maintained within resource limits, due diligence et al. You have to do what works for you.
Exactly my thoughts.
/Per