Tom's Basement

Random Geekery

  • A pre-compiled Gentoo virtual image. Wait… what !?

Gentoo is about starting from scratch and learning. The pre-compiled virtual image you can download from this post then seems to defeat the whole purpose, and in a way I would agree. After all, you would miss all the fun.

But let’s say you have the following use case: you have already followed the Gentoo handbook so many times that you don’t see the point anymore. You want to test something and would like a working Linux desktop, but you don’t want to go through hours of compile time just to get a basic desktop. Or you’re a complete beginner, intimidated by the whole install process, who would benefit from playing with an already working environment.

If you think about it, Gentoo is not really “starting from scratch” anyway. The handbook is based on stage3 nowadays, but a stage3 is nothing else than a pre-compiled core of stuff you need all the time. Experienced Gentoo users even avoid starting from stage3 for each new install; they start from a so-called stage4 or stage5, which is their own backup of a fully working environment. What you have here for download is a kind of minimal KDE Plasma stage5 for VMware Workstation/Player version 12.5 or later.

But then you’ll say, “wait a sec, I still don’t get it, if I wanted to download a working KDE desktop, I would download Kubuntu or any other trusted distribution, why would I download your stuff ?”. Very valid point. As long as you want the Ubuntu environment, or you don’t care, then there is not a single good reason to get my virtual image. But if you specifically want Gentoo, and kind-of see the point, then keep reading.

  • Ok, what do I download exactly ?

-Updated on 4 feb 2017. I’ll try to refresh this post from time to time.

-Built with generic amd64 compiler flags, so it should run with close to native speed on pretty much any host hardware. If you have enough RAM to start this virtual machine you probably have a 64 bit CPU 🙂

-Gentoo sources version 4.9.8, with the “.config” file in /usr/src/linux as usual. The kernel config is based on a stripped down Arch Linux kernel, with some minor tweaks to run as a guest. If you need any specific kernel feature, chances are that the option is not activated.

-KDE plasma version 5.8, using the “kde-plasma/plasma-desktop” ebuild. A few other packages are included, see below in the world file

-The latest official vmware-tools already pre-installed. You get the accelerated vmwgfx video driver, shared folders (mounted in /mnt/hgfs when activated), drag and drop between host and VM as the main benefits

-Freetype is built with the “infinality” USE flag. I’m not sure of the settings in “eselect fontconfig” that should really be activated as there is some level of confusion around this, but the fonts look okay. Well, not worse than in your Windows or Ubuntu desktop, and having nice looking fonts used to be a pain in Gentoo or Arch; it still is to some extent. The future of the infinality patch is highly uncertain though, so a future version of freetype may not support infinality anymore, as happened recently in Arch.

  • Give it to me, where do I download it ?

Download from Google Drive

  • Install notes

-The file to download is ~760MB in size. Unzip it to your virtual machines folder. Expect a virtual image close to 6GB after decompression, so don’t unzip it on FAT32…

-Open the .vmx file using VMware Workstation/Player 12.5 or later, tweak the vCPU count and vRAM according to what your hardware allows. The image comes with 2GB vRAM and 2vCPUs configured by default. Hit “play”, then answer “I copied it” to the question asked.

-Change the account passwords right away, before the VM gets any network access beyond your host. Every copy of this image ships with the same credentials, user / user and root / root (and “user” is in wheel), so treat them as public knowledge.

-With the modules activated in the kernel config supplied, vmware-tools should compile and install with any kernel version upgrade. The shared folders “vmhgfs” module used to be a pain in the @ss and broke with each major kernel version update, but here we are using fuse: when “sys-fs/fuse” is installed, vmware-tools uses it instead of building the kernel module from source. It’s uglier and slower, but it always works. Choose your lesser evil.

-Once you’re on the desktop, you’ll notice on the bottom right that the input locale is set to “fr”. Left-click on it to change it to “us”, or go to the system settings and remove the fr layout completely. (Despite the us layout being the default one and set to higher priority, my fr layout seems to come up first, looks like a bug). Why is it here in the first place? Well I grew up with the fr layout and I’m too old to change my habits 😉

-Usual disclaimer: this image is provided as is, and you are the only one responsible for what you do with it. Treat it as unsupported software: don’t open Gentoo bugs against this image; if you suspect a problem, reproduce it first on a Gentoo-supported configuration.

  • So what’s the diff ?

Or, to put it differently, what has been changed from the default settings? Knowing this, you can very easily override my settings to your taste.

Partition layout:
gentoo ~ # fdisk -l

(...)
Device     Boot    Start       End   Sectors Size Id Type
/dev/sda1  *        2048   2099199   2097152   1G 83 Linux
/dev/sda2        2099200  10487807   8388608   4G 82 Linux swap / Solaris
/dev/sda3       10487808 134217727 123729920  59G 83 Linux

note: the root partition is ~59GB of which ~51GB are free, which should be ok as a playground to begin with.

/etc/conf.d/hostname:
gentoo ~ # more /etc/conf.d/hostname

(...)
hostname="gentoo"

/etc/hosts:
gentoo ~ # more /etc/hosts

(...)
127.0.0.1       localhost gentoo
::1             localhost gentoo
(...)

/etc/locale.gen:
gentoo ~ # more /etc/locale.gen

(...)
en_US.UTF-8 UTF-8
(...)

/etc/conf.d/hwclock:
gentoo ~ # more /etc/conf.d/hwclock

(...)
clock="local"
(...)

note: time sync with the host is activated in the VM settings. The best I could find to have the same clock between host and guest is just to set “local” wherever I can. Or use NTP.

/etc/timezone:
gentoo ~ # more /etc/timezone

localtime

/etc/conf.d/net:
gentoo ~ # more /etc/conf.d/net

config_eth0="dhcp"

/etc/rc.conf:
gentoo ~ # more /etc/rc.conf

(...)
rc_logger="YES"
(...)
rc_sys=""

note: openrc logging can be useful to troubleshoot the services started at boot. Sooner or later you need this…

/etc/fstab:
gentoo ~ # more /etc/fstab

(...)
#<fs>                                           <mountpoint>            <type>          <opts>          <dump/pass>
UUID=fc83f3f2-6c7d-45c9-9749-b242ea186040       /boot                   ext2            auto,noatime            1 2
UUID=7d92c42c-f919-4562-be7b-02a9ea431571       /                       ext4            noatime                 0 1
UUID=4ca8640a-fe56-4adc-a6cb-cb53e8e83b48       none                    swap            sw                      0 0
#tmpfs                                          /var/tmp/portage        tmpfs           auto,nr_inodes=1M       0 0

note: the last line commented out can be activated if you have enough RAM (>8GB) and large packages to compile, like gcc. It can save quite some time (and the life of your SSD if your .vmdk file sits on an SSD…).

/etc/portage/repos.conf/gentoo.conf:
gentoo ~ # more /etc/portage/repos.conf/gentoo.conf

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync2.fr.gentoo.org/gentoo-portage
auto-sync = yes

note: I live in France so I use a french rsync server. Change it for a mirror closer to you.

/etc/portage/make.conf:
gentoo ~ # more /etc/portage/make.conf

CFLAGS="-O2 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
USE="bindist python unicode xa libkms cleartype"
CPU_FLAGS_X86="mmx mmxext sse sse2"
#EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=4.0 --keep-going --with-bdeps y --complete-graph"
MAKEOPTS="-j2"
GENTOO_MIRRORS="http://gentoo.mirrors.ovh.net/gentoo-distfiles/"
L10N="en"
INPUT_DEVICES="evdev vmmouse"
VIDEO_CARDS="vmware"
SEARCH_DIRS_MASK="/usr/lib/vmware-tools /usr/lib64/vmware-tools /usr/lib64/vmware-caf"
PORTDIR="/usr/portage"
DISTDIR="${PORTDIR}/distfiles"
PKGDIR="${PORTDIR}/packages"
PORTAGE_NICENESS=20

note: the commented out EMERGE_DEFAULT_OPTS can enable parallel building if activated. This also usually saves time if there are a lot of packages to build (but it disables gcc’s output, and then you can’t sit and contemplate ascii scrolling down your terminal anymore, which was probably the only reason you are using Gentoo 🙂 )
note2: I still live in France (yea, whatever), so set the mirror to one closer to you, and adjust MAKEOPTS to your vCPU setting.
note3: the SEARCH_DIRS_MASK prevents revdep-rebuild from looking into the vmware-tools directories when it runs, where it usually generates complaints. We don’t care about broken vmware-tools dependencies.
note4: Notice the “bindist” USE flag. You’re downloading a precompiled image, and some software licensing prevents me from distributing precompiled binaries. So, once you have downloaded this image, remove this “bindist” USE flag, and recompile some packages that may depend on it using emerge -uDN @world to avoid some possible blocks.

/etc/portage/package.keywords:
gentoo ~ # more /etc/portage/package.keywords

sys-kernel/gentoo-sources
sys-kernel/linux-headers

note: I consider stable what Linus considers stable, so I always build the latest stable kernel. But this (and everything else actually) is up to you.

/etc/portage/package.use/freetype:
gentoo ~ # more /etc/portage/package.use/freetype

media-libs/freetype infinality -bindist

/etc/conf.d/xdm:
gentoo ~ # more /etc/conf.d/xdm

(...)
DISPLAYMANAGER="sddm"

note: install sddm as the handbook says.

/etc/sddm.conf:
gentoo ~ # more /etc/sddm.conf

(...)
[Theme]
Current=breeze
(...)

/var/lib/portage/world:
gentoo ~ # more /var/lib/portage/world

app-admin/syslog-ng
app-portage/eix
app-portage/gentoolkit
kde-apps/kmix
kde-apps/konsole
kde-plasma/plasma-desktop
kde-plasma/systemsettings
media-sound/alsa-utils
sys-boot/grub
sys-fs/fuse
sys-kernel/gentoo-sources
x11-base/xorg-server
x11-misc/sddm

note: that’s all that has been manually installed. Konsole because you want a terminal, don’t you? Kmix because you want to be able to change the sound volume easily. Fuse is here for the vmware-tools shared folders feature. The rest is pretty much minimal, and you would likely end up with it following the handbook, or pretty soon when working a little bit with portage.

profile:
gentoo ~ # eselect profile list

(...)
  [8]   default/linux/amd64/13.0/desktop/plasma *
(...)

infinality:
gentoo ~ # eselect infinality list

(...)
  [2]   infinality *
(...)

note: as per the infinality wiki.

lcdfilter:
gentoo ~ # eselect lcdfilter list

(...)
  [7]   infinality-sharpened *
(...)

note: as per the infinality wiki.

fontconfig (showing only the enabled settings):
gentoo ~ # eselect fontconfig list

Available fontconfig .conf files (* is enabled):
(...)
  [5]   10-sub-pixel-rgb.conf *
(...)
  [9]   11-lcdfilter-default.conf *
(...)
  [24]  52-infinality.conf *
  [25]  57-dejavu-sans.conf *
  [26]  57-dejavu-sans-mono.conf *
  [27]  57-dejavu-serif.conf *
  [28]  60-latin.conf *
  [29]  62-croscore-arimo.conf *
  [30]  62-croscore-cousine.conf *
  [31]  62-croscore-symbolneu.conf *
  [32]  62-croscore-tinos.conf *
  [33]  65-fonts-persian.conf *
  [34]  65-khmer.conf *
  [35]  65-nonlatin.conf *
  [36]  69-unifont.conf *
  [37]  70-no-bitmaps.conf *
  [38]  70-yes-bitmaps.conf
  [39]  80-delicious.conf *
  [40]  90-synthetic.conf *
  [41]  99pdftoopvp.conf *

note: your mileage may vary, the infinality wiki is confusing about this. if you know a better way, drop me a comment.

/etc/default/grub:
gentoo ~ # more /etc/default/grub

(...)
GRUB_TIMEOUT=2
(...)
GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4 net.ifnames=0"
(...)

note: I hate the unpredictable predictable network interface names, but again this is your call.

services starting during boot that I added manually:
gentoo ~ # rc-update

(...)
            alsasound | boot
                 dbus |      default
             net.eth0 |      default
            syslog-ng |      default
               vmware |      default
                  xdm |      default
(...)

note: dbus was needed, else I would not get the notification for a USB key mount, for example. If you install the more complete “*-meta” KDE ebuilds, dbus gets started automatically as a dependency, but as this installation is quite basic I had to add it explicitly.

Groups to which the user “user” has been added:
gentoo ~ # grep "user$" /etc/group

wheel:x:10:root,user
audio:x:18:user
cdrom:x:19:user
video:x:27:root,user
cdrw:x:80:user
usb:x:85:user
users:x:100:user
plugdev:x:103:user

The rest is specific to making vmware-tools work.
You need to create the following file and, as root, make it executable:

/etc/init.d/vmware:
gentoo ~ # more /etc/init.d/vmware

#!/sbin/openrc-run

depend() {
    need net
}

start() {
    ebegin "Starting VMware tools"
    /etc/init.d/vmware-tools start
    rc=$?   # keep the real exit status: the echo below would reset $? to 0
    echo
    eend $rc
}

stop() {
    ebegin "Stopping VMware tools"
    /etc/init.d/vmware-tools stop
    rc=$?
    echo
    eend $rc
}

The following was needed before running the vmware-tools install script for the first time:
mkdir /etc/rc{0..6}.d

The following created two scripts which are needed if the graceful shutdown, suspend or reset actions are used in the Workstation menu. Note the single quotes: with double quotes your interactive shell expands $1 to nothing before the file is written, and you end up with an ifconfig call that has no interface name in it:
printf '#!/bin/sh\nexec /sbin/ifconfig "$1" up\n' > /sbin/ifup
chmod 744 /sbin/ifup
printf '#!/bin/sh\nexec /sbin/ifconfig "$1" down\n' > /sbin/ifdown
chmod 744 /sbin/ifdown

To install the official vmware-tools, mount the vmware-tools CD through the workstation VM settings menu, you should see a notification, click to mount the CD in KDE, then run the following as root in your home directory (/root):
rm -rf vmware-tools-distrib
tar xpf /run/media/user/VMware\ Tools/VMwareTools-*.tar.gz
cd vmware-tools-distrib
./vmware-install.pl -d

Then log out from the desktop, and log back in.

April 14th, 2016

Posted In: gentoo



Note: this post was originally written at the end of 2015, but I updated it on 4 Feb 2017 as some steps were no longer consistent.

  • Assumptions

 

This tutorial tries to stick to a step-by-step approach, but you are much more likely to reach the end with a working system if you already have experience installing Gentoo. If not, I would recommend getting some by following the Gentoo Handbook on a virtual system like VMware Workstation/Player. Once you are comfortable following the handbook and installing a simple system, you’ll be able to move on to the slightly more complex setup described here.

The main differences between the Gentoo Handbook and this tutorial are the emphasis on RAID and the use of Gentoo Hardened. I’ve actually put this tutorial together to remember how to install the OS on the rented server this blog is running on, or if I have to do it again to install a new server. Once you get a working system under VMware Workstation/Player, it should be rather straightforward to adapt this tutorial to any virtual or physical hardware.

For this tutorial I assume a RAID1 setup on two physical (or virtual) 16GB+ hard drives. When using VMware Workstation/Player, create your two virtual hard drives on different physical hard drives if possible, to make it easier on the drive mechanics. If you have SSDs then it doesn’t really matter.

The kernel config linked in this tutorial should work as-is if you use VMware Workstation/Player, but it doesn’t have many features activated. You should customize it further according to your system and/or the features you need. Network setup is assumed to be based on DHCP, localization is minimal.

Note about RAID: RAID won’t protect you from silent data corruption. It is really a basic tool to recover from the failure of a drive, assuming that the data on the other drive(s) is reliable. Newer filesystems such as ZFS or Btrfs, which checksum data and can repair a bad copy from the mirror, should be preferred over software or hardware RAID when possible. At some point I should edit this post to describe a ZFS based install… oh well, if I have the time.

Let’s start. Boot on your minimal install .iso, or system rescue. Note: I’ve linked some info about OVH/SoYouStart servers, but before you try this on one of their offers, or similar, be sure you understand how to configure your firewall so that your hosting company won’t dispatch maintenance because they are not able to monitor your server.

 

  • Prepare the drives

 

Wipe out disk A
gdisk /dev/sda

Type x (for expert), then z (for zap), answer Y (wipe out GPT) and again Y (blank out MBR)

Then do the same for disk B
gdisk /dev/sdb

Repeat same steps (as for disk A): type x (for expert), then z (for zap), answer Y (wipe out GPT) and again Y (blank out MBR)

Partition disk A
gdisk /dev/sda

Type o (create a new empty GUID partition table), answer Y (proceed)

Type n, type enter to select the default partition number (partition 1), type enter to select the default first sector value 2048, type +2M for last sector to create a 2M BIOS partition, type ef02 for hex code to set a BIOS partition type

Type n, type enter to select the default partition number at this stage (partition 2), type enter to select the default first sector value, type +128M for last sector to create a 128M boot partition, type fd00 for hex code to set a software raid partition type

Type n, type enter to select the default partition number at this stage (partition 3), type enter to select the default first sector value, type +2G for last sector to create a 2GB swap partition, type fd00 for hex code to set a software raid partition type

Type n, type enter to select the default partition number at this stage (partition 4), type enter to select the default first sector value, type enter for last sector to create a root partition using the remaining space, type fd00 for hex code to set a software raid partition type

Type w to write your changes to disk a, answer Y (proceed)

Now clone the partition layout of disk A to disk B
sgdisk -R=/dev/sdb /dev/sda

And create a new GUID for disk B
sgdisk -G /dev/sdb
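The same layout as a script, so both disks are partitioned identically and the procedure is repeatable. This is an added example, not from the original post: it turns the interactive gdisk steps above into sgdisk invocations (sgdisk is part of the same gptfdisk package as gdisk, which the install medium already provides). plan_layout only prints what would be run; apply_layout executes it, and refuses to touch a disk that is mounted or already in an md array.

```shell
#!/bin/sh
# Added example: the interactive gdisk walkthrough above, expressed as
# sgdisk commands. Same layout: 2M BIOS boot (ef02), 128M /boot (fd00),
# 2G swap (fd00), the rest as root (fd00). plan_layout only prints the
# commands; nothing touches a disk until apply_layout is called.

# plan_layout DISK -> one sgdisk command per line for DISK
plan_layout() {
    disk="$1"
    # --zap-all is the x / z / Y / Y sequence from the gdisk steps above
    printf 'sgdisk --zap-all %s\n' "$disk"
    # -n num:start:end (0 = next free / last sector), -t num:type, -c num:name
    printf 'sgdisk -n 1:0:+2M -t 1:ef02 -c 1:bios %s\n' "$disk"
    printf 'sgdisk -n 2:0:+128M -t 2:fd00 -c 2:boot %s\n' "$disk"
    printf 'sgdisk -n 3:0:+2G -t 3:fd00 -c 3:swap %s\n' "$disk"
    printf 'sgdisk -n 4:0:0 -t 4:fd00 -c 4:root %s\n' "$disk"
}

# mirror_plan SRC DST -> clone SRC's table onto DST, then give DST new GUIDs
# (same argument order as the sgdisk -R / -G steps above)
mirror_plan() {
    printf 'sgdisk -R %s %s\n' "$2" "$1"
    printf 'sgdisk -G %s\n' "$2"
}

# in_use DISK -> 0 if DISK has a mounted partition or is part of an md array
in_use() {
    grep -qs "^$1" /proc/mounts && return 0
    grep -qs "$(basename "$1")" /proc/mdstat && return 0
    return 1
}

# apply_layout DISK_A DISK_B -> run the plan for real, refusing busy disks
apply_layout() {
    for d in "$1" "$2"; do
        if in_use "$d"; then
            echo "refusing to repartition $d: mounted or in an md array" >&2
            return 1
        fi
    done
    { plan_layout "$1"; mirror_plan "$1" "$2"; } | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        sh -c "$cmd" || return 1   # stop on the first sgdisk failure
    done
}
```

Review the output of `plan_layout /dev/sda; mirror_plan /dev/sda /dev/sdb` before calling `apply_layout /dev/sda /dev/sdb`: on a rented server the disk names are the one thing you cannot afford to get wrong, and the in_use guard only catches disks that are already mounted or assembled, not a disk you simply meant to keep.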

 

  • Activate your software raid partitions

 

Activate a software RAID1 to create the boot partition (where the “/boot” directory will be located)
mdadm --create --name=server:boot --verbose /dev/md/boot --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
answer y

Note: we are not using /dev/sda1 and /dev/sdb1 for the RAID1 boot partition because those are the BIOS boot partitions (type ef02) where GRUB stores its core image; /boot itself lives on the md array.

Activate a software RAID1 to create the swap partition
mdadm --create --name=server:swap --verbose /dev/md/swap --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3
answer y

Activate a software RAID1 to create the root partition (where the “/” directory will be located)
mdadm --create --name=server:root --verbose /dev/md/root --level=1 --raid-devices=2 /dev/sda4 /dev/sdb4
answer y

Note: if you want RAID5 mode instead of RAID1, replace --level=1 --raid-devices=2 by --level=5 --raid-devices=<n> with n being at least 3, and the right partition names. You’ll also need RAID5 activated in the kernel.

The rest of this howto is now very similar to the standard Gentoo handbook, except that instead of {/dev/sda2, /dev/sda3, /dev/sda4} found in the handbook, our boot, swap, root partitions are respectively {/dev/md/boot, /dev/md/swap, /dev/md/root}

 

  • Install Gentoo “almost” as usual

 

Create an ext2 filesystem on the boot partition
mkfs.ext2 /dev/md/boot

Create a swap on the swap partition
mkswap /dev/md/swap

Activate the swap
swapon /dev/md/swap

Create an ext4 filesystem on the root partition
mkfs.ext4 /dev/md/root

Get the latest portage tree snapshot (use your preferred mirror that you can select from the gentoo mirrors)
wget http://gentoo.mirrors.ovh.net/gentoo-distfiles/snapshots/portage-latest.tar.xz

Get the latest hardened stage3, for example at the time of writing (you need to dig in the autobuilds directory to get the latest, DO NOT pick the “nomultilib” version unless you know what you are doing)
wget http://gentoo.mirrors.ovh.net/gentoo-distfiles/releases/amd64/autobuilds/current-stage3-amd64-hardened/stage3-amd64-hardened-20170202.tar.bz2
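Both wget lines above fetch over plain http, so here is an added check, not part of the original post, that the stage3 you unpack is the one Gentoo published. It assumes you also downloaded the .DIGESTS.asc file that sits next to each stage3 in the autobuilds directory, and that the release signing key is already in your keyring (the handbook covers importing it). The file names in the test are constructed samples.

```shell
#!/bin/sh
# Added example: verify a downloaded stage3 against the .DIGESTS.asc that
# Gentoo publishes next to it. Two steps: the GPG signature proves the
# digest list is Gentoo's, the SHA512 proves the tarball is the one listed.

# sha512_of FILE -> hex digest, using whichever tool the medium has
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# expected_sha512 DIGESTS NAME -> the SHA512 listed for NAME. The file is a
# "# SHA512 HASH" header followed by "<hex>  <name>" lines, then the same
# for WHIRLPOOL; only the SHA512 section is read.
expected_sha512() {
    awk -v name="$2" '
        /^# .* HASH/ { section = $2; next }
        section == "SHA512" && $2 == name { print $1; exit }
    ' "$1"
}

# verify_stage3 TARBALL DIGESTS -> 0 when the digest matches, 1 otherwise
verify_stage3() {
    tarball="$1"; digests="$2"
    want=$(expected_sha512 "$digests" "$(basename "$tarball")")
    if [ -z "$want" ]; then
        echo "no SHA512 entry for $(basename "$tarball") in $digests" >&2
        return 1
    fi
    have=$(sha512_of "$tarball")
    if [ "$have" != "$want" ]; then
        echo "SHA512 mismatch for $tarball (tampered or truncated download)" >&2
        return 1
    fi
    echo "ok: $tarball matches $digests"
}

# verify_signature DIGESTS_ASC -> checks the clearsign with the keys you
# have imported; without this step a matching SHA512 only proves the
# download was not corrupted, not that the list came from Gentoo.
verify_signature() {
    gpg --verify "$1"
}
```

Run `verify_signature stage3-*.DIGESTS.asc` first, then `verify_stage3 stage3-*.tar.bz2 stage3-*.DIGESTS.asc`; only unpack the tarball if both succeed.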

Create the gentoo directory in /mnt if it’s not already there
mkdir -p /mnt/gentoo

Mount the root partition in the directory you’ve just created
mount /dev/md/root /mnt/gentoo/

Create the boot directory
mkdir /mnt/gentoo/boot

Mount the boot partition in the directory you’ve just created
mount /dev/md/boot /mnt/gentoo/boot

Extract the stage3 to the root of the target filesystem. Note: if you get an error message from the tar utility complaining about missing extended attributes support, it’s not a show stopper to install a hardened system, but you will need to re-emerge your full system after completing the install guide to get the correct extended attributes on your files. More on this later.
tar xpf stage3* --xattrs -C /mnt/gentoo/

Extract the portage tree snapshot to /usr in the target filesystem
tar xf portage* -C /mnt/gentoo/usr/

Link your /etc/resolv.conf file to the target root filesystem
cp -L /etc/resolv.conf /mnt/gentoo/etc/

Mount /proc in the target root filesystem
mount -t proc none /mnt/gentoo/proc

Bind /sys in the target root filesystem
mount --rbind /sys /mnt/gentoo/sys

Bind /dev in the target root filesystem
mount --rbind /dev /mnt/gentoo/dev

Now chroot yourself in the filesystem you just prepared
chroot /mnt/gentoo /bin/bash

Update your environment variables in the chroot
source /etc/profile

Change the prompt to remind us that we are in chroot
export PS1="(chroot) $PS1"

Optional: if you have enough RAM (≥8GB) you can save compile time (and the life of your SSDs if you use them as disk A and disk B) by mounting /var/tmp/portage in RAM
mkdir /var/tmp/portage
mount -t tmpfs tmpfs -o nr_inodes=1M /var/tmp/portage

Set your timezone. My timezone here is “Europe/Berlin” but if yours is different pick one from /usr/share/zoneinfo/
echo "Europe/Berlin" > /etc/timezone

Reconfigure the sys-libs/timezone-data package
emerge --config sys-libs/timezone-data

Select the locale, uncomment the entry en_US.UTF-8 UTF-8 in /etc/locale.gen
nano /etc/locale.gen

#en_US ISO-8859-1
en_US.UTF-8 UTF-8
#ja_JP.EUC-JP EUC-JP
#ja_JP.UTF-8 UTF-8
#ja_JP EUC-JP
#en_HK ISO-8859-1
#en_PH ISO-8859-1
#de_DE ISO-8859-1
#de_DE@euro ISO-8859-15
#es_MX ISO-8859-1
#fa_IR UTF-8
#fr_FR ISO-8859-1
#fr_FR@euro ISO-8859-15
#it_IT ISO-8859-1

Generate the locale
locale-gen

Activate the locale, first look for the entry related to en_US.utf8
eselect locale list

Available targets for the LANG variable:
  [1]   C
  [2]   POSIX
  [3]   en_US.utf8
  [ ]   (free form)

Select the entry related to en_US.utf8, for me it’s the third but yours could be different
eselect locale set 3

reload your environment
env-update && source /etc/profile && export PS1="(chroot) $PS1"

Now we need to edit /etc/fstab. The md device numbers (md0, md125, …) are assigned when the arrays are assembled and can change from one boot to the next, so mount by UUID instead of by device name. To find the UUIDs, issue
lsblk -f

And look for the UUID’s of the /dev/mdXXX devices. You’ll need them for the /etc/fstab file.

Edit your fstab
nano /etc/fstab

Here is my /etc/fstab file, but you need to adjust yours according to the values of your UUID’s. Pay attention to the mount points to put the right UUIDs. Again, you can uncomment the last line if you have lots of RAM

#<fs>                                           <mountpoint>            <type>          <opts>          <dump/pass>
UUID=9ba69117-4896-41d4-bbac-c7ccb3fa0ced       /boot                   ext2            auto,noatime            1 2
UUID=45c9cc7e-3967-4692-a523-6fe4112bb827       /                       ext4            noatime                 0 1
UUID=377610a3-b921-4b4a-afa3-54b4f8cfb1bf       none                    swap            sw                      0 0
#tmpfs                                          /var/tmp/portage        tmpfs           auto,nr_inodes=1M       0 0

(optional) set your hostname, for the example we use “gentoo” here
nano /etc/conf.d/hostname

hostname="gentoo"

Configure your network with DHCP
nano /etc/conf.d/net

config_eth0="dhcp"

Alternatively, if you’re not on DHCP, set your IPv4 (and optionally IPv6) address and the respective default gateways. In my example I have only IPv4; replace the x’s by your actual values.
nano /etc/conf.d/net

config_eth0="x.x.x.x/x"
routes_eth0="default via x.x.x.x"

Also, if you’re not on DHCP, set your DNS server(s), replace the x’s by the IP of your DNS server(s)
nano /etc/resolv.conf

nameserver x.x.x.x
nameserver x.x.x.x

If you’re not on DHCP and you have changed your hostname, update your hosts file with your IP address(es). Replace the x’s by the IP address set above, and add your IPv6 address if you have one. If your host name has a FQDN, you should put it in.
nano /etc/hosts

x.x.x.x gentoo

If you’re on DHCP and you have changed your hostname, to gentoo for example, add your hostname to the localhost IPv4 and IPv6 aliases to avoid headaches with software that binds to the hostname.
nano /etc/hosts

# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost gentoo
::1             localhost gentoo

Now in any case (DHCP or static) set eth0 to be a standard service during startup
cd /etc/init.d/
ln -s net.lo net.eth0
cd
rc-update add net.eth0 default

Allow the test version of the gradm package
nano /etc/portage/package.keywords

sys-apps/gradm

Adjust your make.conf file according to your hardware and location. Your CPU_FLAGS_X86 value can be found by emerging app-portage/cpuid2cpuflags and running cpuid2cpuflags. Keep in mind that -march=native and these flags bind every binary you build to the CPU the machine (or VM) currently sees; if you later move the disks to a host with a different CPU, binaries may use instructions it lacks. Below is my file.
nano /etc/portage/make.conf

CFLAGS="-O2 -pipe -march=native"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
USE="unicode python lzma xattr"
CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=4.0 --keep-going --with-bdeps y --complete-graph"
MAKEOPTS="-j4"
GENTOO_MIRRORS="http://gentoo.mirrors.ovh.net/gentoo-distfiles/"
PORTDIR="/usr/portage"
DISTDIR="${PORTDIR}/distfiles"
PKGDIR="${PORTDIR}/packages"
PORTAGE_NICENESS=10
GRUB_PLATFORMS="pc"
KERNEL="linux"
PAX_MARKINGS="XT"

Create the repos.conf directory that is needed for syncing the portage tree
mkdir /etc/portage/repos.conf

Create the gentoo.conf file
nano /etc/portage/repos.conf/gentoo.conf

Mine looks like this

[DEFAULT]
main-repo = gentoo

[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync2.fr.gentoo.org/gentoo-portage/
auto-sync = yes

Sync the portage tree
emerge --sync

Read the news. You’ll need to do this several times during this tutorial.
eselect news read | more

Install and update eix, it will be useful later. Remember here that this is Gentoo, everything is compiled from source, so installing packages takes time 🙂
emerge eix
eix-update

Install the kernel source and a few needed utils
emerge hardened-sources && emerge gradm mdadm genkernel

If you read the news again here, you’ll see that unfortunately grsecurity only makes the test versions of their kernel patch available to the public. That’s unfortunate for us small end users, but still better than nothing.

Create the MDADM config file
mdadm -Es >> /etc/mdadm.conf

And start the MDADM service at boot
rc-update add mdadm boot

Edit some needed genkernel config tweaks, make sure the following options are uncommented / adjusted as follows. Note, in the genkernel config file I suggest to disable the CLEAN option because if you need to adjust your kernel config file and compile it again, you’ll save a lot of time.
nano /etc/genkernel.conf

CLEAN="no"
MRPROPER="no"
MDADM="yes"
MDADM_CONFIG="/etc/mdadm.conf"
COMPRESS_INITRD_TYPE="xz"

Edit your kernel config, or grab my config which should work on VMWare Workstation/Player (as long as you stay in the 4.8.x release, but you can always start from it with a “make oldconfig” on 4.9+). Note: the config file will also work on the rented server I run this blog on.
wget https://spacetux.org/tommie/.config -O /usr/src/linux/.config

Now compile and install your kernel. Go take a coffee, it usually takes a few minutes.
genkernel all

Install the bootloader
emerge grub

Edit a few grub tweaks
nano /etc/default/grub

Uncomment and change the following line

GRUB_CMDLINE_LINUX_DEFAULT="domdadm rootfstype=ext4 net.ifnames=0"

Deactivate a few unneeded grub boot options, create a grub config file, and install the bootloader on /dev/sda and /dev/sdb
cd /etc/grub.d/
chmod -x 20_linux_xen 30_os-prober 40_custom 41_custom
mkdir /boot/grub
cd
grub-mkconfig -o /boot/grub/grub.cfg
grub-install /dev/sda
grub-install /dev/sdb

Install the system logger
emerge syslog-ng

Start the system logger automatically
rc-update add syslog-ng default

(optional) start the ssh daemon at boot. This is obviously mandatory if you’re following the guide to install a remote server, but then you should also harden your sshd config a lot more (key-only logins, no direct root login, and a restriction on who may log in) before the machine is reachable from the internet. It’s not covered here.
rc-update add sshd default
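The post leaves the sshd hardening out, so here is an added check for it (not part of the original post): audit_sshd_config reads an sshd_config and reports the settings a remote server should not go online with, and hardened_sshd_fragment prints the corrected lines. It assumes the keyword-space-value form of sshd_config (sshd honours the first occurrence of a keyword) and OpenSSH’s defaults of PermitRootLogin prohibit-password and PasswordAuthentication yes when a keyword is absent. The configs in the test are constructed samples.

```shell
#!/bin/sh
# Added example: check the sshd settings the post says to tighten.
# Assumptions: "Keyword value" lines, first occurrence wins (as sshd does),
# and OpenSSH defaults when a keyword is missing.

# sshd_setting FILE KEY DEFAULT -> effective value of KEY in FILE
sshd_setting() {
    v=$(awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd_config FILE -> one finding per line; returns 1 if anything is weak
audit_sshd_config() {
    f="$1"; bad=0
    if [ "$(sshd_setting "$f" PermitRootLogin prohibit-password)" != no ]; then
        echo "PermitRootLogin should be no (log in as the wheel user, then su)"
        bad=1
    fi
    if [ "$(sshd_setting "$f" PasswordAuthentication yes)" != no ]; then
        echo "PasswordAuthentication should be no once your key is in ~/.ssh/authorized_keys"
        bad=1
    fi
    if [ -z "$(sshd_setting "$f" AllowUsers '')" ] && [ -z "$(sshd_setting "$f" AllowGroups '')" ]; then
        echo "no AllowUsers/AllowGroups: every local account is an ssh login target"
        bad=1
    fi
    return $bad
}

# hardened_sshd_fragment -> the lines that make audit_sshd_config pass
hardened_sshd_fragment() {
    cat <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
EOF
}
```

Put your public key in ~user/.ssh/authorized_keys and test a key login from a second session before you apply the fragment to /etc/ssh/sshd_config and restart sshd; with PasswordAuthentication off, a typo there locks you out of a rented server.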

Add a user (change the user’s name if you don’t like “user”)
useradd -m -G wheel -s /bin/bash user

Change the root password
passwd

Change the user’s password
passwd user

Uncomment a few openrc settings
nano /etc/rc.conf

rc_logger="YES"
rc_sys=""

Remove the files portage left in its tmp directory
rm -rf /var/tmp/portage/*

Quit the chroot
exit

Unmount all our stuff
umount -R /mnt/gentoo

And…phew. We’re (almost) done, reboot !
shutdown -r now

If all went well the system should boot fine.
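Before relying on the mirror, confirm that every array came up complete: a RAID1 that is still resyncing, or that assembled with one member missing, boots just fine and gives you no warning. This is an added example, not from the original post. It parses /proc/mdstat in the form the kernel prints it; the sample in the test is constructed to match the three arrays created above, and the same [n/m] bookkeeping applies to the RAID5 variant mentioned earlier.

```shell
#!/bin/sh
# Added example: report the state of every md array from /proc/mdstat.

# md_array_status [FILE] -> one line per array: "<name> <level> <ok>/<total> <flags>"
md_array_status() {
    awk '
        /^md[0-9]+ :/ {
            name = $1
            level = "?"
            for (i = 3; i <= NF; i++)
                if ($i ~ /^(raid[0-9]+|linear|multipath)$/) { level = $i; break }
            next
        }
        name != "" && /blocks/ {
            # e.g. "130880 blocks super 1.2 [2/2] [UU]"; "[2/1] [U_]" is one disk short
            count = ""; flags = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) { count = $i; flags = $(i + 1) }
            gsub(/\[|\]/, "", count)
            print name, level, count, flags
            name = ""
        }
    ' "${1:-/proc/mdstat}"
}

# raid_degraded [FILE] -> 0 when every array is complete, otherwise prints
# the incomplete ones and returns 1 (suitable for a cron job or a login check)
raid_degraded() {
    md_array_status "${1:-/proc/mdstat}" | awk '
        BEGIN { bad = 0 }
        {
            split($3, n, "/")
            if (n[1] != n[2] || $4 ~ /_/) { print "DEGRADED:", $0; bad = 1 }
        }
        END { exit bad }
    '
}
```

Run `raid_degraded` after the first boot and again after every drive swap; `mdadm --detail /dev/md/root` gives the per-array view with member devices and event counters if something shows up as degraded.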

 

  • Post install

 

At the time of writing, init complains that udev doesn’t use the proper init script format, so let’s fix this
perl -i -pe 's/runscript/openrc-run/g' /etc/init.d/udev

(optional) create a trusted users group
groupadd -g 101 trusted

(optional) and add your user to it. With grsecurity’s Trusted Path Execution enabled in the kernel, users outside the trusted group may only execute binaries that live in root-owned, non-world-writable directories, so executable scripts created under this user in its home directory would be refused.
gpasswd -a user trusted

(optional) if the tar utility you used to extract the stage3 tarball doesn’t support extended attributes, it’s safer to recompile your whole system. This will take anywhere between half an hour and several hours depending on your hardware. At the time of writing, the tar version on the minimal Gentoo install .iso supports xattr, so this is not needed
emerge -e @world

(optional) if you recompiled your system in the step above, you can safely ignore all /etc updates (choose the -7 option when running the etc-update utility), and then clean your /usr/portage/distfiles directory as there will be a lot of source code there
rm /usr/portage/distfiles/*

(optional) when you’re done installing and happy with your kernel config, then clean the kernel source directory from all the pre-compiled objects
cd /usr/src/linux
make clean

December 13th, 2015

Posted In: gentoo

