Gentoo Howto (2)
This howto is based on the following documentation:
- Handbook:AMD64 [EN] @ Gentoo Wiki
- Hardened Gentoo [EN] @ Gentoo Wiki
- LVM [EN] @ Gentoo Wiki
- SSD [EN] @ Gentoo Wiki
Key points
- Hardware
- Fanless & silent
- Power consumption: ca. 12.5W (idle mode) & ca. 17W (full load, without graphics)
- 24/7 nonstop operation
Hardware
Machine 1
Machine 2
- Slim PC: Shuttle DS57U7
- Hard disk: Samsung 850 Pro, 128 GB
- Memory: Memorysolution Shuttle DS57U, 2x 8 GB
ToDo
- Configure systemd
- systemd [EN] @ Gentoo Wiki
- Configure SELinux
- SELinux Installation [EN] @ Gentoo Wiki
- Replace iptables & ip6tables with nftables
Installation
Get SystemRescueCd
mirror='https://sourceforge.net/projects/systemrescuecd/files'
file='sysresccd-x86/4.9.0/systemrescuecd-x86-4.9.0.iso'
wget --continue "${mirror}/${file}"
# wget stores the ISO under its base name, so check that file, not the mirror path
sha1sum "${file##*/}"
Boot
.linux rescue64 nomodeset video=800x600 initrd=initram.igz
Change root password
passwd
Configure & test the network
ifconfig 'eth0'
Output:
eth0 Link encap:Ethernet HWaddr 80:ee:73:28:6c:00
inet addr:192.168.1.254 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::82ee:73ff:fe28:6c00/64 Scope:Link
...
ping 'www.gentoo.org'
Output:
PING www-bytemark-v4v6.gentoo.org (89.16.167.134) 56(84) bytes of data.
64 bytes from www.gentoo.org (89.16.167.134): icmp_req=1 ttl=53 time=35.6 ms
...
Get & set time
ntpdate '0.ch.pool.ntp.org'
hwclock --systohc
Make partitions
Partition | Size | Mount point | File system | Mount options |
---|---|---|---|---|
/dev/sda1 | 2 MB | - | bios_grub[1] | - |
/dev/sda2 | 256 MB | /boot | ext4 | relatime,noauto |
/dev/sda3 | 2 GB | - | swap | sw |
/dev/sda4 | Rest of the disk | - | LVM | - |
/dev/vg1/lv_base | 5 GB | / | ext4 | relatime |
/dev/vg1/lv_home | 10 GB | /home | ext4 | relatime,nodev,nosuid |
/dev/vg1/lv_usr | 10 GB | /usr | ext4 | relatime,nodev |
/dev/vg1/lv_var | 5 GB | /var | ext4 | relatime,nodev |
Memory | 2 GB | /tmp | tmpfs | noatime,nodiratime,nodev,nosuid,noexec,size=2G |
Memory | 4 GB | /var/tmp | tmpfs | noatime,nodiratime,nodev,nosuid,size=4G |
Memory | 2 GB | /dev/shm | tmpfs | noatime,nodiratime,nodev,nosuid,noexec,size=2G |
- | - | /proc | proc | defaults |
parted --align='optimal' '/dev/sda'
mklabel gpt
mkpart primary 1m 2m
mkpart primary 2m 258m
mkpart primary 258m 2306m
mkpart primary 2306m -1m
set 1 bios_grub on
quit
pvcreate '/dev/sda4'
vgcreate 'vg1' '/dev/sda4'
lvcreate --size '5G' --name 'base' 'vg1'
lvcreate --size '10G' --name 'home' 'vg1'
lvcreate --size '10G' --name 'usr' 'vg1'
lvcreate --size '5G' --name 'var' 'vg1'
mkfs.ext4 '/dev/sda2'
mkswap '/dev/sda3'
mkfs.ext4 '/dev/vg1/base'
mkfs.ext4 '/dev/vg1/home'
mkfs.ext4 '/dev/vg1/usr'
mkfs.ext4 '/dev/vg1/var'
mount '/dev/vg1/base' '/mnt/gentoo'
cd '/mnt/gentoo'
mkdir 'boot' 'home' 'usr' 'var'
mount '/dev/sda2' 'boot'
mount '/dev/vg1/home' 'home'
mount '/dev/vg1/usr' 'usr'
mount '/dev/vg1/var' 'var'
Install Stage 3
- Official Gentoo Mirrors [EN]
- Release Engineering [EN]
mirror='http://mirror.switch.ch/ftp/mirror/gentoo/releases/amd64/autobuilds'
version='current-stage3-amd64-hardened'
file='stage3-amd64-hardened-20170119.tar.bz2'
cd '/mnt/gentoo'
wget --continue "${mirror}/${version}/${file}"
tar --extract --bzip2 --verbose --preserve-permissions --xattrs \
--file="${file}"
rm "${file}"
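The ISO above gets a sha1sum, but the stage3 tarball is unpacked without any integrity check. The script below is an added example, not part of this howto or of Gentoo's tooling: it fetches the `.DIGESTS.asc` that release engineering publishes next to every stage3, checks its signature against an expected key fingerprint (the value below is a placeholder; take the real one from the Release Engineering page) and then compares the tarball against the SHA512 entry. The function names and the `--status-fd` parsing are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the howto or from Gentoo): verify the stage3 tarball
# against its clear-signed .DIGESTS.asc before unpacking it. Assumes the mirror
# publishes "${file}.DIGESTS.asc" beside the tarball and that the Gentoo
# release-engineering key is already in the local gpg keyring.
RELENG_KEY_FPR='0000000000000000000000000000000000000000'   # placeholder fingerprint

# digest_for NAME DIGESTS: print the "<sha512>  NAME" line from the SHA512
# section of DIGESTS. The file holds "# SHA512 HASH" / "# WHIRLPOOL HASH"
# headers, each followed by "<hash>  <file>" lines.
digest_for() {
    name=$1; digests=$2
    awk -v name="$name" '
        /^# SHA512 HASH/    { insha = 1; next }
        /^#/                { insha = 0 }
        insha && $2 == name { print; exit }
    ' "$digests"
}

# verify_stage3 NAME DIGESTS: return 0 when NAME (in the current directory)
# matches its SHA512 entry, 1 on mismatch, 2 when DIGESTS has no entry for it.
verify_stage3() {
    name=$1; digests=$2
    line=$(digest_for "$name" "$digests")
    [ -n "$line" ] || { echo "no SHA512 entry for ${name} in ${digests}" >&2; return 2; }
    printf '%s\n' "$line" | sha512sum --check --status -
}

# signed_by_releng DIGESTS: return 0 when DIGESTS carries a valid signature
# made with RELENG_KEY_FPR. gpg's VALIDSIG status line names the signing
# (sub)key first and the primary key last, so either fingerprint matches.
signed_by_releng() {
    gpg --status-fd 1 --verify "$1" | grep -q "VALIDSIG .*${RELENG_KEY_FPR}"
}

# fetch_and_verify MIRROR VERSION FILE: download the tarball and its digests
# into the current directory, then run both checks; stop at the first failure.
fetch_and_verify() {
    mirror=$1; version=$2; file=$3
    wget --continue "${mirror}/${version}/${file}" \
                    "${mirror}/${version}/${file}.DIGESTS.asc" || return 1
    signed_by_releng "${file}.DIGESTS.asc" \
        || { echo 'bad or unknown signature on DIGESTS' >&2; return 1; }
    verify_stage3 "$file" "${file}.DIGESTS.asc" \
        || { echo 'SHA512 mismatch, do not unpack' >&2; return 1; }
    echo "${file}: signature and SHA512 verified"
}

# Usage: sh verify-stage3.sh MIRROR VERSION FILE   (run from /mnt/gentoo)
if [ $# -eq 3 ]; then
    fetch_and_verify "$1" "$2" "$3"
fi
```

Run it with the `mirror`, `version` and `file` values from above before the `tar` step; only unpack when it reports both checks as verified.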
Get inventory
mkdir --parents '/mnt/gentoo/root/inv'
for bin in 'lshw' 'lsmod'; do
${bin} >"/mnt/gentoo/root/inv/${bin}-$(date '+%F')"
done
Chrooting
cp --dereference '/etc/resolv.conf' '/mnt/gentoo/etc/'
mount --types 'proc' 'proc' '/mnt/gentoo/proc'
for dir in 'dev' 'sys'; do
mount --rbind "/${dir}" "/mnt/gentoo/${dir}"
mount --make-rslave "/mnt/gentoo/${dir}"
done
chroot '/mnt/gentoo' '/bin/bash'
source '/etc/profile'
export PS1="(chroot) ${PS1}"
Configure Portage (Part 1)
Edit the file /etc/portage/make.conf (2) or /etc/portage/make.conf (3) and define the variables GENTOO_MIRRORS, PORTAGE_RSYNC_EXTRA_OPTS & USE. Furthermore, edit /etc/portage/package.use, /etc/portage/repos.conf/gentoo.conf & /etc/portage/rsync_excludes.
Update Portage
emaint --auto sync
Install some tools
emerge --update 'app-editors/vim' 'app-portage/cpuid2cpuflags' \
'app-portage/eix' 'app-portage/gentoolkit' 'app-vim/gentoo-syntax'
Configure Portage (Part 2)
Determine the CPU flags (CPU_FLAGS_X86).
cpuinfo2cpuflags-x86
Edit the file /etc/portage/make.conf (2) or /etc/portage/make.conf (3) and define the variables CHOST, CPU_FLAGS_X86, CFLAGS, CXXFLAGS and, if needed, MAKEOPTS.
eselect profile list
Output:
Available profile symlink targets:
[1] default/linux/amd64/13.0
[2] default/linux/amd64/13.0/selinux
[3] default/linux/amd64/13.0/desktop
[4] default/linux/amd64/13.0/desktop/gnome
[5] default/linux/amd64/13.0/desktop/gnome/systemd
[6] default/linux/amd64/13.0/desktop/kde
[7] default/linux/amd64/13.0/desktop/kde/systemd
[8] default/linux/amd64/13.0/desktop/plasma
[9] default/linux/amd64/13.0/desktop/plasma/systemd
[10] default/linux/amd64/13.0/developer
[11] default/linux/amd64/13.0/no-multilib
[12] default/linux/amd64/13.0/systemd
[13] default/linux/amd64/13.0/x32
[14] hardened/linux/amd64 *
[15] hardened/linux/amd64/selinux
[16] hardened/linux/amd64/no-multilib
[17] hardened/linux/amd64/no-multilib/selinux
[18] hardened/linux/amd64/x32
[19] hardened/linux/musl/amd64
[20] hardened/linux/musl/amd64/x32
[21] default/linux/uclibc/amd64
[22] hardened/linux/uclibc/amd64
eselect profile set 14
gcc-config -l
Output:
[1] x86_64-pc-linux-gnu-4.9.4 *
[2] x86_64-pc-linux-gnu-4.9.4-hardenednopie
[3] x86_64-pc-linux-gnu-4.9.4-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.9.4-hardenednossp
[5] x86_64-pc-linux-gnu-4.9.4-vanilla
gcc-config 1
source '/etc/profile'
Generate kernel
emerge --update 'sys-kernel/genkernel' 'sys-kernel/gentoo-sources' \
'sys-libs/ncurses'
ls -l '/usr/src/linux'
Output:
lrwxrwxrwx 1 root root 19 May 1 14:09 /usr/src/linux -> linux-VERSION-gentoo
Edit the files /etc/genkernel.conf & /etc/sysctl.conf.
mkdir --parents '/root/conf/kernel' '/var/cache/genkernel/src'
cd '/var/cache/genkernel/src'
source='http://mirror.switch.ch/ftp/mirror/gentoo/distfiles'
files=('busybox-1.20.2.tar.bz2' 'dmraid-1.0.0.rc16-3.tar.bz2'
'gnupg-1.4.11.tar.bz2' 'LVM2.2.02.88.tgz' 'open-iscsi-2.0-872.tar.gz')
for file in "${files[@]}"; do
wget --continue "${source}/${file}"
done
cd '/usr/src/linux'
genkernel 'all'
Configuration
Change root password
passwd
Configure file system
Edit the file /etc/fstab (See paragraph Make partitions).
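The nodev/nosuid/noexec columns of the partition table only protect anything if they actually take effect after the reboot. The script below is an added example and not part of this howto: its policy list is transcribed from the table, the /proc/mounts sample is constructed (with /var/tmp deliberately missing nodev), and the function names are this example's own. With `--check` it reads the real /proc/mounts and reports every table mount point that lacks one of its required options.

```shell
#!/bin/sh
# Added example (not part of the howto): verify that the mount points from the
# partition table carry their nodev/nosuid/noexec options on the running
# system. "--check" reads /proc/mounts, "--demo" runs the constructed sample.

# Mount point and the hardening options it must carry, taken from the table.
policy='
/home nodev,nosuid
/usr nodev
/var nodev
/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid
/dev/shm nodev,nosuid,noexec
'

# Constructed /proc/mounts sample; /var/tmp lacks nodev on purpose.
sample_mounts='/dev/mapper/vg1-base / ext4 rw,relatime 0 0
/dev/mapper/vg1-home /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,noatime,size=2097152k 0 0
tmpfs /var/tmp tmpfs rw,nosuid,noatime,size=4194304k 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,noatime,size=2097152k 0 0'

# mount_has_opts LINE OPTS: succeed when every option in the comma-separated
# OPTS appears in the option field (4th column) of the /proc/mounts LINE.
mount_has_opts() {
    have=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for opt in $(printf '%s\n' "$2" | tr ',' ' '); do
        case ",${have}," in
            *",${opt},"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check_mounts MOUNTS: print one line per policy violation and return the
# number of violations. Mount points that are not mounted are skipped.
check_mounts() {
    mounts=$1
    bad=0
    while read -r mp want; do
        [ -n "$mp" ] || continue
        line=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print; exit }')
        [ -n "$line" ] || continue
        if ! mount_has_opts "$line" "$want"; then
            echo "WARNING: ${mp} lacks one of ${want} (mounted with $(printf '%s\n' "$line" | awk '{ print $4 }'))"
            bad=$((bad + 1))
        fi
    done <<EOF
$policy
EOF
    return "$bad"
}

case "${1:-}" in
    --check) check_mounts "$(cat /proc/mounts)" ;;
    --demo)  check_mounts "$sample_mounts" ;;
esac
```

The exit status is the number of violations, so the script can sit in the fcrontab next to the smartctl and rkhunter jobs and mail its output only when something is mounted too permissively.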
Configure network
Edit the files /etc/hosts, /etc/conf.d/hostname & /etc/conf.d/net.
cd '/etc/init.d'
for iface in 'eno1' 'enp2s0'; do
ln --symbolic 'net.lo' "net.${iface}"
rc-update add "net.${iface}" 'default'
done
Configure time & language settings
echo 'Europe/Zurich' >'/etc/timezone'
emerge --config 'sys-libs/timezone-data'
Edit the file /etc/conf.d/hwclock.
Edit the files /etc/conf.d/keymaps, /etc/locale.gen & /etc/env.d/02locale.
locale-gen
env-update
source '/etc/profile'
Install & configure some system tools
emerge --update 'app-admin/logrotate' 'app-admin/syslog-ng' \
'app-forensics/rkhunter' 'net-misc/dhcp' 'sys-apps/haveged' \
'sys-apps/smartmontools' 'sys-fs/lvm2' 'sys-process/at' 'sys-process/fcron'
emerge --config 'sys-process/fcron'
rc-update add 'lvm' 'boot'
for daemon in 'atd' 'fcron' 'haveged' 'sshd' 'syslog-ng'; do
rc-update add "${daemon}" 'default'
done
fcrontab -e
Content:
0 3 1 * * /usr/sbin/smartctl --info --health --attributes '/dev/sda'
10 3 1 * * /usr/sbin/rkhunter --check --nocolors --propupd --skip-keypress
Install & configure boot manager
emerge --update 'sys-boot/grub'
Edit the file /etc/default/grub.
cd '/boot'
grub-install '/dev/sda'
grub-mkconfig --output='/boot/grub/grub.cfg'
Reboot
exit
cd '/'
umount --lazy /mnt/gentoo/dev{/shm,/pts,}
umount --lazy /mnt/gentoo{/boot,/home,/proc,/sys,/usr,/var,}
reboot
Related Howtos
- BIND Howto (3)
- iptables Howto (1)
- ISC DHCP Howto (1)
- ntp Howto (2)
- OpenSMTPD Howto (1)
- OpenSSH Howto (1)
- syslog-ng & logrotate Howto (1)
Work with Gentoo
Add a user
useradd --create-home --groups 'users,wheel,audio' --shell '/bin/bash' \
--comment 'Alex the Lion' 'alex'
passwd 'alex'
Compile a new kernel
Edit the file /etc/genkernel.conf if necessary.
mount '/boot'
cd !$
cp initramfs-genkernel-x86_64-VERSION-gentoo{,.old}
cp kernel-genkernel-x86_64-VERSION-gentoo{,.old}
cd '/usr/src'
rm 'linux'
ln --symbolic 'linux-VERSION-gentoo' 'linux'
cd '/usr/src/linux'
genkernel --oldconfig --kernel-config='/root/conf/kernel/latest' 'all'
cd '/boot'
grub-mkconfig --output='/boot/grub/grub.cfg'
reboot
Back up the kernel configuration in /usr/src/linux/.config (2) or /usr/src/linux/.config (3).
file="$(uname --kernel-release)-$(date +%F)"
cd '/root/conf/kernel'
cat 'header.txt' '/usr/src/linux/.config' >"${file}"
ln --symbolic --force "${file}" 'latest'
grep --invert-match 'is not set' "${file}" >"${file}.stripped"
ln --symbolic --force "${file}.stripped" 'latest.stripped'
emerge --prune 'sys-kernel/gentoo-sources'
cd '/usr/src'
rm --force --recursive 'linux-UNUSED_VERSION-gentoo' '...'
cd '/lib/modules'
rm --force --recursive 'UNUSED_VERSION-gentoo' '...'
Update the whole system
Set up crontab to keep the package databases up-to-date...
fcrontab -e
Insert:
0 1 * * 0 /usr/bin/eclean --quiet --deep 'distfiles'
10 1 * * * /usr/sbin/emaint --auto sync >'/dev/null'
20 1 * * * /usr/bin/eix-update --quiet
Edit the files /etc/portage/make.conf (2) or /etc/portage/make.conf (3) and /etc/portage/package.use if necessary.
Then run the following commands on a regular basis.
emerge --update --deep --newuse --with-bdeps='y' --pretend --verbose '@world'
eselect news read all
eselect news purge
emerge --update --deep --newuse --with-bdeps='y' '@world'
emerge @preserved-rebuild
emerge --depclean
revdep-rebuild --pretend --ignore
eclean --deep 'distfiles'
equery --quiet list '*' \
| grep --line-regexp \
--file=<(sed -e 's/^/^/' -e 's/\*/.*/' '/etc/portage/rsync_excludes')
equery list --duplicates '*'
glsa-check --test all
perl-cleaner --all
Portage Maintenance
Find USE flag definitions for packages which are not installed
grep --invert-match --regexp='^\(#\| *$\)' '/etc/portage/package.use' \
| awk '{ print $1 }' \
| grep --invert-match \
--file=<(equery --quiet list --format='$category/$name' '*')
Find installed packages which are excluded
equery --quiet list '*' \
| grep --line-regexp \
--file=<(sed -e 's/^/^/' -e 's/\*/.*/' '/etc/portage/rsync_excludes')
Remove definitions from packages which are excluded
cd '/usr/portage'
grep --invert-match --regexp='^\(#\| *$\)' '/etc/portage/rsync_excludes' \
| sed 's|/\*$||' \
| xargs rm --recursive --force --verbose
Fail over procedure
- Remove the failed machine from the network
- Change the hostname
/etc/conf.d/hostname
- Change the network configuration
/etc/conf.d/net
- Reboot
reboot
- Configure the firewall
/root/bin/mk-iptables-conf-fw.sh
/etc/init.d/iptables save
/etc/init.d/ip6tables save
- Generate and test the BIND & ISC DHCP configuration
/root/bin/mk-named-dhcpd-conf.py --overwrite '/root/conf/named-dhcpd/localhost.json'
/root/bin/mk-named-dhcpd-conf.py --append '/root/conf/named-dhcpd/raysoft.loc.json'
install --mode=0640 --owner='root' --group='named' --target-directory='/etc/bind' \
'named-zones.conf'
install --mode=0640 --owner='root' --group='named' --target-directory='/var/bind/pri' \
'raysoft.loc.zone' 'localhost.zone' '10.0.0.zone'
install --mode=0644 --owner='root' --group='root' --target-directory='/etc/dhcp' \
'dhcpd-hosts.conf'
named-checkconf -z '/etc/bind/named.conf'
dhcpd -t -cf '/etc/dhcp/dhcpd.conf'
- Attach the second network interface to the Internet
- Add the second network interface to the start procedure & start it
rc-update add 'net.enp2s0' 'default'
/etc/init.d/net.enp2s0 start
- Add the services to the start procedure & start them
for daemon in 'dhcpd' 'iptables' 'ip6tables' 'named' 'ntpd'; do
rc-update add "${daemon}" 'default'
/etc/init.d/${daemon} start
done
- Test the firewall & services
- DHCP
- Internal & external DNS
- Send mail