Re: [squid-users] compiling squid on dev machine, then moving to production machine

From: Mike Cudmore <Mike.Cudmore@dont-contact.us>
Date: Thu, 09 Jan 2003 15:10:33 +0000

many thanks,

that's what I was trying to find out about

Mike

Regards
Mike Cudmore
GSI & Intranet Connectivity Team

>>> Henrik Nordstrom <hno@marasystems.com> 01/09/03 02:24pm >>>
I would recommend using a packaging system of some kind to keep control
of which software versions you have installed.

Note: For easier packaging Squid-2.5 supports the DESTDIR variable when
running install.

make DESTDIR=/packages/squid-2.5.STABLE1 install

will install Squid-2.5 using "/packages/squid-2.5.STABLE1" as "root"
path, giving you a tree with only Squid files at their correct
locations.

Regards
Henrik

Thu 2003-01-09 at 13.37, Mike Cudmore wrote:
> Hi,
>
> as a 1 off on the production system ( which is the same build/OS/arch
> as the dev machine just less features/packages installed)
> I have
>
> Installed squid start up scripts
>
> Raised the file descriptors in the start up scripts using ulimit
> command, to match the build environment.
>
> On the build system/dev create a tar of
>
> /usr/sbin/squid
> /usr/lib/squid/*
> /usr/share/errors/*
> /usr/share/icons/*
> /etc/squid/squid.conf
>
> and ship it to the destination.
>
> stop squid if running
> unpack tar
> run squid -z if needed to create directories
> squid
>
> anything else springs to mind?
>
>
>
> Regards
> Mike Cudmore
> GSI & Intranet Connectivity Team
>
> >>> Henrik Nordstrom <hno@marasystems.com> 01/08/03 04:37pm >>>
> Wed 2003-01-08 at 14.36, Mike Cudmore wrote:
>
> > I understand the need for same OSes and accept that this is necessary
> > for the binary that is moved to work properly.
> >
> > The OSes, architecture are and will be the same.
> >
> > I also intend to build multiple squids. I don't want to build multiple
> > dev boxes then harden them prior to going into production.
> >
> > Anyone else done this ?
>
> All the time. Our production boxes have a tiny read-only root/system
> filesystem (ca 8MB including kernel). No way a compiling environment
> fits in there..
>
> It is not at all difficult as long as you ensure that the needed shared
> libraries are compatible.
>
> If you need to support multiple different OS revisions then virtual
> minimal OS installations can be used via chroot or similar measures.
> Most package managers allow for manual installation into a virtual root
> directory.
>
> But I see no real security issue why not to have compilers on production
> boxes.. If you are worried about security (I am) then mostly other
> measures are needed. The only major reason why not to have compilers on
> production boxes is to stop your sysadmin friend from trying to compile
> stuff on production boxes which does not belong there, only because it is
> easier to try it out on the production system instead of the development
> system.. The other major reason (which is my case) is if you have a need
> to keep the root/system filesystem small.
>
> If you run on any common platform then hackers (including most
> script-kiddies) won't care much if there is a compiler or not once they
> hack the box as they most likely already have the needed binaries
> compiled for their needs..
>
> If you run an odd platform or variant where "normal" binaries won't run
> then not having compilers available may be a reasonable security measure
> if hackers are what you worry about.
>
> Regards
> Henrik
>
>
> PLEASE NOTE: THE ABOVE MESSAGE WAS RECEIVED FROM THE INTERNET.
>
> On entering the GSI, this email was scanned for viruses by the
> Government Secure Intranet (GSI) virus scanning service supplied
> exclusively by Cable & Wireless in partnership with MessageLabs.
>
> GSI users see http://www.gsi.gov.uk/main/new2002notices.htm for further
> details. In case of problems, please call your organisational IT
> helpdesk.
>
>
>
*********************************************************************
> This E-mail and any files transmitted with it are private and
> intended solely for the use of the individual or entity to whom
> they are addressed. If you are not the intended recipient,
> the E-mail and any files have been transmitted to you in error
> and any copying, distribution or other use of the information
> contained in them is strictly prohibited.
>
> Nothing in this E-mail message amounts to a contractual
> or other legal commitment on the part of the Government
> unless confirmed by a communication signed on behalf of
> the Secretary of State.
>
> The Department's computer systems may be monitored
> and communications carried on them recorded, to secure
> the effective operation of the system and for other lawful
> purposes.
>
*********************************************************************

Received on Thu Jan 09 2003 - 08:10:57 MST
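
The DESTDIR staging tree recommended in this thread can be turned into a shippable package with a record of exactly what it contains. The following is an added example, not part of the original messages or of Squid itself; the function names pack_stage and verify_and_unpack are hypothetical, and the manifest is kept as a separate file so it can reach the production machine by a different route than the tarball.

```shell
#!/bin/sh
# Added example. STAGE is the directory given as DESTDIR to "make install",
# e.g. /packages/squid-2.5.STABLE1 from the message above.

# pack_stage STAGE TARBALL MANIFEST
# Hash every staged file into MANIFEST (kept outside the tree), then tar STAGE.
pack_stage() {
    stage=$1; tarball=$2; manifest=$3
    ( cd "$stage" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$manifest" || return 1
    tar -C "$stage" -cf "$tarball" .
}

# verify_and_unpack TARBALL MANIFEST ROOT
# Unpack into a scratch directory, require every regular file to match
# MANIFEST and no unlisted regular file to be present, and only then copy
# the tree into ROOT. Nothing is written to ROOT if verification fails.
verify_and_unpack() {
    tarball=$1; manifest=$2; root=$3
    # Make the manifest path absolute because the check runs after a cd.
    manifest=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
    tmp=$(mktemp -d) || return 1
    rc=1
    if tar -C "$tmp" -xf "$tarball" &&
       ( cd "$tmp" && sha256sum -c "$manifest" >/dev/null 2>&1 ) &&
       [ "$(find "$tmp" -type f | wc -l)" -eq "$(wc -l < "$manifest")" ] &&
       mkdir -p "$root" && cp -a "$tmp/." "$root/"
    then
        rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

On the build machine, run pack_stage after `make DESTDIR=... install`; on the production machine, stop squid, run verify_and_unpack with `/` (or a test root) as ROOT, then start squid again.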

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:36 MST