Debian version
ratha
2004-09-02, 22:28 PM
Hi,
I wanted to ask about others' experiences running Debian on a server. I love Debian on my desktop, but for a server there seems to be an issue with the fact that Woody (stable) is pretty out of date, Sid (unstable) is not a good platform for a production environment, and Sarge (testing) is not covered by security patches. Both stable and unstable seem to get security patches pretty quickly, but testing doesn't get software from unstable until it's been bug-free for 10 days (I believe it is).
I have used Debian on several servers to date, generally opting for the testing distribution. I watch the security lists, and there has never yet been a threatening security problem, but I always feel a bit on edge should something come up. The latest server I set up I decided to keep in stable, since it only required a baseline php install, and that was very reassuring to be able to do.
My question is whether other Debian sysadmins use testing (I have spoken to a few people who have said that they do) and if so, whether you have a plan for how to patch the system proactively. Perhaps pin the affected application to unstable to get the patched version and keep it there long enough for the patched version to come into testing? Or do you just keep your fingers crossed?
My other question about running testing on a production server is whether you do apt-get upgrade regularly. Sometimes it seems like a *lot* of packages turn over, and I am torn between keeping the software current and not rocking the boat on a working production server.
Thanks for your thoughts.
bow-wow
2004-09-03, 15:01 PM
I keep my production server at stable. I tried upgrading a few packages to testing and it got to be a mess, and like you said there was a constant flow of new versions and I got worried about breaking something. I'm relatively new to Debian and after reading this: "Please note that security updates for "testing" distribution are not managed by the security team. Hence, "testing" does not get security updates in a timely manner." at http://www.debian.org/releases/sarge/, I decided against moving to testing. Instead I use backports.org to get some more recent versions of some important packages. That keeps me current on the apps I need to be current and the rest of the system stays nice and stable and secure. It seems to be the best of both worlds for me.
fcgreg
2004-09-03, 16:07 PM
I have to say I'm pretty disappointed in Debian stable. I hadn't used it until I moved here to ServerBeach. I needed Linux and Debian was the only distro offered at the time. After giving it close to a year now, I have decided to migrate away from Debian as a server.
I had heard stories about the "old age" of package versions in Debian stable, but I was shocked to see just how old some of those things are. Things like version 1.x of the Postfix mail server (with no decent TLS/SSL support), massive functionality missing from SASL libraries (at best), etc., are missing or at some level of non-functionality in Debian stable. I'm sorry, but in these days not having the ability to add proper encryption support to your mail server is not acceptable to me. Neither is it acceptable to have to "mix and match" package maintenance schemes because the stable release doesn't contain what you need, and APT CANNOT play nice with mixing and matching (as was noted previously).
I will say this -- Debian has been stable and relatively easy to maintain... AS LONG AS YOU TAKE WHAT COMES STANDARD in the stable release. But, if you need any relatively current packages of anything, be prepared for the following kinds of workarounds:
- Wait for the next stable release of Debian
- Be prepared to build packages by hand
- Be prepared to search out and test privately created Deb packages
IMHO, I would use something else.
markm
2004-09-03, 19:18 PM
In general, this is less a problem on servers than on desktops. On a server, the admin should keep up to date whatever software is core to the server's function. If it is a mail and web server, then the admin should maintain his own web and mail software outside of the os package system.
The fact that big upgrades only happen every couple of years is a good thing. We can put one OS on a box and know that we will get security updates for a long time and we avoid the pain of a useless upgrade cycle.
BlackNet
2004-09-03, 22:49 PM
Hello,
Well, in defence of the stable branch, let's define the word "STABLE", shall we?
From Webster's Revised Unabridged Dictionary (1913) :
Stable \Sta"ble\, a. [OE. estable, F. stable, fr. L. stabilis,
fr. stare to stand. See Stand, v. i. and cf. Establish.]
1. Firmly established; not easily moved, shaken, or
overthrown; fixed; as, a stable government.
I have to ask, why do people expect bleeding edge crap on a stable distro?!
Fact #1 yes you can get ssl/tls/auth/etc.. working under 1.x of postfix on the stable branch. Oh and btw the new ssl/tls is broken in sid because the idiot designers (not debian's fault) decided again to change the layout so let's clear that fact up quickly.
Fact #2 is http://www.backports.org/ need I say more?
Fact #3, let's define the function of a server. A server is something that sits in the corner and works all the time doing various tasks. It's not meant to tinker with the latest craze rash of new stuff so bleeding edge it breaks everything and not field tested. A server is meant to serve data and that's it, no more no less. The only real reasons to upgrade/update a server are reasons like security patches, features you need to use and so forth. Don't let the version numbers on stable fool you, even though the package release is 1.1 if you look at the patches you'll find 1.8 security patches on there.
Guess that's it for my soap box, sorry for harping.
Ed
Brian Puccio
2004-09-05, 14:55 PM
Well, I run Debian stable, the only issue I have is DJB and qmail, due to the license, but that's not Debian's fault nor the stable branch's. I have a workstation at home that runs Debian Sid and while it doesn't break much (less than twice a year) I don't trust it to the server. If I needed the latest and greatest I could always build my own debs from source. I'll be picking up an iBook sometime this week and running Debian on that as well. Apt makes it a wonderful OS to maintain. If I felt like compiling stuff all the time, I'd run OpenBSD.
$0.02
(yes, there has been a Sarge RSN push due to Woody being dated, but I'm not a developer, just a user, so I can't complain too much)
fcgreg
2004-09-07, 04:55 AM
Boy, I just knew this would start something, and that wasn't my intention. I'm going to do my best to clarify my position at least one time -- after that I may give up.
Originally posted by BlackNet
... I have to ask, why do people expect bleeding edge crap on a stable distro?!
OK, hold the phone. Where in my post anywhere did I say (or demonstrate) that I wanted "bleeding edge" anything (crap or otherwise) on a server? The only products I mentioned by name were Postfix 2.x, which is NOT unstable by ANYONE'S standards, and SASL, about which I didn't even mention a particular distro or specific version.
Fact #1 yes you can get ssl/tls/auth/etc.. working under 1.x of postfix on the stable branch. ...
Well, I tried for hours and hours over several days to get mine working, and was unable to do so for the following reasons:
Insufficient documentation: Almost all the documentation I could find was related to Postfix 2.x and newer SASL libraries (for Authentication). TLS/SSL stuff was NOT much better, and had other problems (see next point). Even digging around in the various Debian mailing lists proved ultimately unfruitful for me, with some posts finally advocating just "building it from sources if you need 'newer' features".
Package directories/locations: Either because of how the Woody packages have been built for certain applications, or because of changes in the various products over the last few years, I had difficulty locating various config files, utility scripts, etc., and sometimes discovered that they didn't exist at all (either on the file system or in APT).
Fact #2 is http://www.backports.org/ need I say more?
Precisely my point. I don't want to have to "work around" my packaging framework to get updated versions of packages. I don't want to have to 'apt-cache search whatever' for certain packages and scan http://backports.org for others (if it can be avoided). And I certainly don't want to "roll my own" Deb packages simply because the "official" ones for various products are built strangely or are simply very old versions. I realize that there are probably many "tricks" that time-tested Debian folks could give me to easily work around these issues, but I couldn't find them quickly in my own searching.
Fact #3, let's define the function of a server. A server is something that sits in the corner and works all the time doing various tasks. It's not meant to tinker with the latest craze rash of new stuff so bleeding edge it breaks everything and not field tested. ...
Again, I have no desire to run some kind of "johnny-come-lately" server environment, and would NOT advocate doing so. However, just because a certain package is newer doesn't mean it is untested or less stable/secure. And, I might add, it would be nice if the administrator knew at least a modicum of information to figure that out for themselves.
In summary, my intended, basic points were these:
The current Debian stable packages are in many cases quite old. This presents various problems or additional work for administrators depending on many factors.
If your needs are NOT met by the packages/versions included in the stable release, be prepared to do additional work to get around this issue. This may include using sites like "backports.org", or compiling packages from scratch, and/or building your own Deb packages.
APT is not designed to mix and match between the stable branch and the others (testing or unstable). I've seen some mailing list posts suggesting things like "just change your stable branch configuration in APT to 'testing'". This almost always results in system problems (I recommend against it). Of course, APT is not dpkg, and therefore you are NOT precluded from installing packages from other sources, as was duly noted.
Debian stable is just that, stable. I've had no problems there (but I usually don't on my systems).
I think Debian is a fine distro that serves the needs of many folks. I just think that my needs are better served with a different one.
Greg
Hero Zzyzzx
2004-09-12, 23:55 PM
Then use a different distro. There's no need to badmouth a distro that doesn't suit you. Just move on.
Differences != bad
The very thing you lament about Debian is PRECISELY why it's such a great development and hosting platform. I build mod_perl applications and Debian stable gives me an environment I can rely on now and for the long term, unlike the frequently end-of-lifed Redhat.
fcgreg
2004-09-13, 02:01 AM
Originally posted by Hero Zzyzzx
Then use a different distro. There's no need to badmouth a distro that doesn't suit you. Just move on.
Please go back and read the entire thread. It seems that you missed some of it.
I have already moved on. Please see my first post.
I am not using RedHat/Fedora and didn't ever say that I was.
MY INTENTION IS NOT TO BLAST DEBIAN AS A DISTRO. You must have been blinded by rage and missed this as well. Please see the end of my post directly above yours.
I am simply responding to a question from a potential Debian user soliciting opinions on using this distro as a server. I am giving a true, real-life experience of a current Debian-stable system being managed as a Web/mail server, and the obstacles that WILL NEED TO BE OVERCOME.
As I pointed out... for ME, this system is not adequate. My needs and desires create a situation where the additional work required to maintain a Debian-stable system is unnecessary and undesired.
If Debian works for you then use it and enjoy yourself. But please DO NOT take issue with me because you don't like the criticism.
Hero Zzyzzx
2004-09-13, 07:39 AM
I assumed Redhat because that's the only other Linux OS offered by ServerBeach. Otherwise, why are you here? Just to bash ServerBeach/Debian?
It looks like you're itching for a fight, given your incindiary (sp?) response to my post. . .
My post was about as anti-inflammatory (haw haw) as they get - read it again.
fcgreg
2004-09-14, 12:53 PM
Look, I don't have time to go over this again. Thankfully your revisionist-history doesn't work too well on a forum system where everything is available for all to read.
I'll let the thread speak for itself. Good day to you.
badsyntax
2004-10-12, 21:59 PM
Personally speaking, I've had Debian 'live' and in production as a WWW/DNS/mail/whatever server for 6 or 7 years now with various hosting firms.
In my day job we formalised on RH so I've a fair bit of exposure to their offerings too. About 18 months ago myself & the 'co-owner' of our current SB server were looking for a new provider. At that time I was moving from a colo server to a managed solution. We looked at SB then and kept an eye on developments.
I'm not going to name names but the company we chose then messed us around financially and more importantly to us, failed to deliver a continuity of service. So we ran through the list again. To our pleasant surprise, SB were now offering Debian as a distro.
We jumped ship and have been more than happy with the service since then.
Now as to releases, our server was obv. deployed with woody but we moved to sarge about 4 or 5 months ago. Reason being was that some software we needed (I forget exactly which app) wouldn't play nice without some of the versions available in sarge.
We skirted the issue and built local testing servers to ensure that nothing else was going to fall by the wayside as a result of the upgrade process. In the end it was scarily easy :)
Plain sailing all the way - yes, apart from a big sendmail version change last week which caused a bit of stress. Apart from that, not a single problem.
That's my bit.