Talk:HOWTO Distcc over SSH with Portage

From Gentoo Linux Wiki


If you are just trying to use distcc from a laptop at home to compile on your server at work, you don't need all of this. The distcc daemon runs as user distcc, but distcc compiles run as root. Make sure you can ssh from root@localhost to root@compile.server without a password. Add "Host compile.server" followed by "Compression yes" and "ControlMaster yes" to root's .ssh/config file. Now put "root@compile.server/8" (or similar) in /etc/distcc/hosts. This works perfectly for me.

Oh, I forgot. Turn off the distcc daemon on "compile.server" (/etc/init.d/distcc stop).

Where should the environment variables go?

  • Where should the environment variables go? /etc/make.conf works, but is ugly.
    • Environment variables should be put in /etc/env.d
      • But then all users would get the same distcc settings, which is bad - they'd probably want to use their own accounts when logging in on compilation nodes.

distcc over an ssh tunnel initiated from the compiler machine?

Is it possible to initiate the connection that the distcc data will be sent over from the compiler machine? The machine that I'd like to run compiles on (running distccd) is behind a NAT router, so the machine that is doing the emerge (using distcc) cannot connect into it. The machine running distccd can, however, connect via ssh to the distcc machine...

One method: distcc over an ssh tunnel initiated from the compiler machine?

One method might be to use reverse port forwarding from the build host. I've not tried it yet, however.

Note that this is another option to using ssh the other way. You could set up port forwards from localhost to the build machine. And yes, you can do localhost to localhost forwarding. The advantage to this is that it doesn't require global configs. Users could set up their (user) ssh config file for specific tunnels and call it good. It would also allow per-user ssh to answer the other question above.

ssh and daemon security

You can set your ssh-key to only allow specific commands to be run. This helps trim down what could happen via daemon log in.
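One way to do this is a forced command in authorized_keys. This is an added example, not part of the original discussion or the HOWTO; the script path /usr/local/bin/distcc-gate, the label names and the two accepted command strings are assumptions, so log SSH_ORIGINAL_COMMAND first to see what your distcc client actually requests.

```shell
#!/bin/sh
# Added example: forced-command gate for the key used by distcc over SSH.
# Install as /usr/local/bin/distcc-gate (hypothetical path) and reference it
# from the distcc user's authorized_keys (key material is a placeholder):
#
#   command="/usr/local/bin/distcc-gate",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-dss AAAA...PLACEHOLDER root@frontend
#
# sshd then runs this script for every login with that key and puts whatever
# the client asked for in SSH_ORIGINAL_COMMAND.

# distcc_gate_decide CMD -> prints a decision label for the requested command.
# Assumption: the distcc client requests exactly one of the two strings below.
distcc_gate_decide() {
    case "$1" in
        '')                                      echo deny-interactive ;;
        'distccd --inetd')                       echo run-plain ;;
        'distccd --inetd --enable-tcp-insecure') echo run-tcp-flag ;;
        *)                                       echo deny-other ;;
    esac
}

# Act only when installed under the gate's name, so the functions above can
# be sourced or tested without side effects.
if [ "${0##*/}" = "distcc-gate" ]; then
    decision=$(distcc_gate_decide "${SSH_ORIGINAL_COMMAND:-}")
    case "$decision" in
        # Fixed argument lists: the client's string is compared, never executed.
        run-plain)    exec distccd --inetd ;;
        run-tcp-flag) exec distccd --inetd --enable-tcp-insecure ;;
    esac
    logger -t distcc-gate -p auth.warning \
        "$decision from ${SSH_CONNECTION:-unknown}"
    exit 1
fi
```

With this in place the key can start a compile session and nothing else: no shell, no port forwards, no agent or X11 forwarding.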

About the variables...

In my opinion, if you want to have each account with a specific environment variable, just set it into ~/.bashrc or ~/.bash_profile (you could set it into /etc/skel/.bashrc or /etc/skel/bash_profile too so new users would already have this when the account is created). That's the standard Linux way to do it, so I would say stick to it :)

Another way of doing this would be to create a wrapper for the compiler. Create a script which asks for the variables if they don't exist, or just shows the user which variables are already set and gives him 10 seconds (for example) to check if they are correct. If the user is satisfied with the variables, then the script would call distcc and start compiling. Or if the user is not happy with the variables the script could ask him which values he wants and set them before calling distcc. It could also have a feature so the user could tell the script that he wants those new variables to be the default ones.

conventions over configuration

Thanks to this wiki article, I got DistCC over SSH working on my systems.

However, I didn't follow the exact steps in the article. I took some liberty. My main reasons are:

  • I'm lazy
  • I don't like the wrapper for DISTCC_SSH
  • Convention over configuration
    • $HOME should be under /home
      • prefer /home/distcc to /etc/distcc
    • use SSH defaults
      • ssh-keygen saves generated key to /root/.ssh/id_dsa{.pub}
      • ssh finds key at /root/.ssh/id_dsa{.pub}

Results:

  • no modifying permissions for SSH keys (id_dsa and id_dsa.pub)
  • no writing a wrapper script
  • no setting DISTCC_SSH
  • less typing
  • works with genkernel
# genkernel --kernel-cc=distcc --utils-cc=distcc --makeopts='-j5' all

I'm not a security expert, and therefore I don't know if I COMPROMISE THE SECURITY of my systems by doing stuff I will outline below. You have been warned! Of course, suggestions are welcome.

I emerge packages as root, so I just use root's key.

Here's a log of what I did:

Setting up distcc

All nodes:

# mkdir -p /home/distcc/.ssh
# usermod -d /home/distcc distcc

Compilation nodes:

# usermod -s /bin/bash distcc

Front end nodes:

// if your root user doesn't have an SSH key, then:
# ssh-keygen -t dsa
# scp /root/.ssh/id_dsa.pub <compilation-node>:/home/distcc/.ssh/authorized_keys

Compilation nodes:

# chown -R distcc:daemon /home/distcc
# chmod 644 /home/distcc/.ssh/authorized_keys

Test this on front end nodes:

# ssh distcc@<compilation-node>

Setting up Portage

Front end nodes:

# distcc-config --set-hosts "localhost distcc@<compilation-node>"

Thoughts:

  • I skipped known_hosts. Will this cause problems?
  • How secure is this?

I needed to do chmod g-w /etc/distcc to get ssh access without a password prompt. I'm not an expert, an error in the howto perhaps. pjv 23:48, 1 August 2007 (UTC)
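sshd's StrictModes setting (on by default) refuses public-key login when the account's home directory, its .ssh directory or authorized_keys is writable by group or others, or is owned by someone other than the user or root, which matches the chmod g-w fix reported above. The check below is an added example, not part of the original discussion or the HOWTO; the function names are made up for illustration and it assumes the default authorized_keys location.

```shell
#!/bin/sh
# Added example: list the paths that would make sshd (StrictModes yes) ignore
# a user's authorized_keys and fall back to a password prompt.

# writable_by_others PATH -> status 0 if group or others have write permission.
writable_by_others() {
    mode=$(ls -ld -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    g=$(printf %s "$mode" | cut -c6)   # group write bit
    o=$(printf %s "$mode" | cut -c9)   # others write bit
    [ "$g" = "w" ] || [ "$o" = "w" ]
}

# owner_uid PATH -> prints the numeric owner of PATH.
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# strictmodes_report HOME UID -> prints one line per problem, nothing if clean.
# HOME is the account's home directory, UID its numeric user id.
strictmodes_report() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            continue
        fi
        if writable_by_others "$p"; then
            echo "writable: $p"
        fi
        uid=$(owner_uid "$p")
        if [ "$uid" != "$2" ] && [ "$uid" != "0" ]; then
            echo "owner: $p"
        fi
    done
}

# Example call for the layouts discussed on this page (run on a compile node):
#   strictmodes_report /etc/distcc    "$(id -u distcc)"
#   strictmodes_report /home/distcc   "$(id -u distcc)"
```

Any output line names a path to fix with chmod g-w,o-w or chown before key-based login will work.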
