Note: this note has been originally written end of 2015, but I updated it on 4 feb 2017 as some steps were not consistent anymore.
\n <\/p>\n
<\/p>\n
This tutorial tries to stick to a step-by-step approach, but your chances to reach the end with a working system will be most likely higher if you already have previous experience installing Gentoo systems. If not, I would recommend getting some by following the Gentoo Handbook<\/a> on a virtual system like VMware Workstation\/Player. Once you get familiar following the handbook and installing a simple system, you’ll be able to move on to the slightly more complex setup described here.<\/p>\n The main differences between the Gentoo Handbook and this tutorial are the emphasis on RAID and the use of Gentoo Hardened. I’ve actually put this tutorial together to remember how to install the OS on the rented server<\/a> this blog is running on, or if I have to do it again to install a new server. Once you get a working system under VMware Workstation\/Player, it should be rather straightforward to adapt this tutorial to any virtual or physical hardware.<\/p>\n For this tutorial I assume a RAID1 setup on two physical (or virtual) 16GB+ hard drives. When using VMWare Workstation\/Player, create your two virtual hard drives on different physical hard drives if possible, to make it easier on your drives mechanics. If you have SSDs then it doesn’t really matter.<\/p>\n The kernel config linked in this tutorial should work as-is if you use VMware Workstation\/Player, but it doesn’t have many features activated. You should customize it further according to your system and\/or the features you need. Network setup is assumed to be based on DHCP, localization is minimal.<\/p>\n Note about RAID: RAID won’t protect you from silent data corruption, it’s really a basic tool to recover from the failure of a drive assuming that the data on the other drive(s) is reliable. Last generation filesystems such as ZFS or BTRFS should be preferred over software or hardware RAID when possible. At some point I should edit this post to describe a ZFS based install… oh well, if I have the time.<\/p>\n Let’s start. Boot on your minimal install .iso<\/a>, or system rescue<\/a>. Note: I’ve linked some info about OVH\/SoYouStart servers, but before you try this on one of their offers, or similar, be sure<\/strong> you understand how to configure your firewall<\/a> so that your hosting company won’t dispatch maintenance because they are not able to monitor your server.<\/p>\n <\/p>\n <\/p>\n Wipe out disk A Type Then do the same for disk B Repeat same steps (as for disk A): type Partition disk A Type Type Type Type Type Type Now clone the partition layout of disk A to disk B And create a new GUID for disk B <\/p>\n <\/p>\n Activate a software RAID1 to create the boot partition (where the “\/boot” directory will be located) Note: we are not using \/dev\/sda1 and \/dev\/sdb1 for the RAID1 boot partition because \/dev\/sda1 and \/dev\/sdb1 will be used by GRUB to host the bootloader<\/p>\n Activate a software RAID1 to create the swap partition Activate a software RAID1 to create the root partition (where the “\/” directory will be located) Note: if you want RAID5 mode instead of RAID1, replace The rest of this howto is now very similar to the standard Gentoo handbook, except that instead of {\/dev\/sda2, \/dev\/sda3, \/dev\/sda4} found in the handbook, our boot, swap, root partitions are respectively {\/dev\/md\/boot, \/dev\/md\/swap, \/dev\/md\/root}<\/p>\n <\/p>\n <\/p>\n Create an ext2 filesystem on the boot partition Create a swap on the swap partition Activate the swap Create an ext4 filesystem on the root partition Get the latest portage tree snapshot (use your preferred mirror that you can select from the gentoo mirrors<\/a>) Get the latest hardened stage3, for example at the time of writing (you need to dig in the autobuilds directory to get the latest, DO NOT pick the “nomultilib” version unless you know what you are doing) Create the gentoo directory in \/mnt if it’s not already there Mount the root partition in the directory you’ve just created Create the boot directory Mount the boot partition in the directory you’ve just created Extract the stage3 to the root of the target filesystem. Note: if you get an error message from the tar utility complaining about missing extended attributes support, it’s not a show stopper to install a hardened system, but you will need to re-emerge your full system after completing the install guide to get the correct extended attributes on your files. More on this later. Extract the portage tree snapshot to \/usr in the target filesystem Link your \/etc\/resolv.conf file to the target root filesystem Mount \/proc in the target root filesystem Bind \/sys in the target root filesystem Bind \/dev in the target root filesystem Now chroot yourself in the filesystem you just prepared Update your environment variables in the chroot Change the prompt to remind us that we are in chroot Optional: if you have enough RAM (\u22658GB) you can save compile time (and the life or your SSDs if you use them as disk A and disk B) by mounting \/var\/tmp\/portage in RAM Set your timezone. My timezone here is “Europe\/Berlin” but if yours is different pick one from Reconfigure the sys-libs\/timezone-data package Select the locale, uncomment the entry Generate the locale Activate the locale, first look for the entry related to Select the entry related to reload your environment Now we need to edit \/etc\/fstab. Recent changes in udev require the use of UUID’s. To find them, issue And look for the UUID’s of the \/dev\/mdXXX devices. You’ll need them for the Edit your fstab Here is my (optional) set your hostname, for the example we use “gentoo” here Configure your network with DHCP Alternatively, if you’re not on DHCP, set your IPv4 (and optionnally IPv6) and respective default gateways. Here in my example I have only IPv4, replace the x’s by your actual values. Also, if you’re not on DHCP, set your DNS server(s), replace the x’s by the IP of your DNS server(s) If you’re not on DHCP and you have changed your hostname, update your hosts file with your IP addresse(s). Replace the x’s by your IP address set above, add your IPv6 address if you have one. If your host name has a FQDN, you should put it in. If you’re on DHCP and you have changed your hostname, for Now in any case (DHCP or static) set eth0 to be a standard service during startup Allow the test version of the gradm package Adjust your make.conf file according to your hardware and location. Your CPU_FLAGS_X86 variable can be found by emerging Create the repos.conf directory that is needed for syncing the portage tree Create the gentoo.conf file Mine looks like this<\/p>\n Sync the portage tree Read the news. You’ll need to do this several times during this tutorial. Install and update eix, it will be useful later. Remember here that this is Gentoo, everything is compiled from source, so installing packages takes time \ud83d\ude42 Install the kernel source and a few needed utils If you read the news again here, you’ll see that unfortunately grsecurity<\/a> only makes the test versions of their kernel patch available to the public. That’s infortunate for us small end users, but still better than nothing.<\/p>\n Create the MDADM config file And start the MDADM service at boot Edit some needed genkernel config tweaks, make sure the following options are uncommented \/ adjusted as follows. Note, in the genkernel config file I suggest to disable the CLEAN option because if you need to adjust your kernel config file and compile it again, you’ll save a lot of time. Edit your kernel config, or grab my config which should work on VMWare Workstation\/Player (as long as you stay in the 4.8.x release, but you can always start from it with a “make oldconfig” on 4.9+). Note: the config file will also work on\u00a0the rented server<\/a> I run this blog on.\n
\ngdisk \/dev\/sda<\/code><\/p>\nx<\/code> (for expert), then z<\/code> (for zap), answer Y<\/code> (wipe out GPT) and again Y<\/code> (blank out MBR)<\/p>\n
\ngdisk \/dev\/sdb<\/code><\/p>\nx<\/code> (for expert), then z<\/code> (for zap), answer Y<\/code> (wipe out GPT) and again Y<\/code> (blank out MBR)<\/p>\n
\ngdisk \/dev\/sda<\/code><\/p>\no<\/code> (create a new empty GUID partition table), answer Y<\/code> (proceed)<\/p>\nn<\/code>, type enter to select the default partition number (partition 1), type enter to select the default first sector value 2048, type +2M<\/code> for last sector to create a 2M BIOS partition, type ef02<\/code> for hex code to set a BIOS partition type<\/p>\nn<\/code>, type enter to select the default partition number at this stage (partition 2), type enter to select the default first sector value, type +128M<\/code> for last sector to create a 128M boot partition, type fd00<\/code> for hex code to set a software raid partition type<\/p>\nn<\/code>, type enter to select the default partition number at this stage (partition 3), type enter to select the default first sector value, type +2G<\/code> for last sector to create a 2GB swap partition, type fd00<\/code> for hex code to set a software raid partition type<\/p>\nn<\/code>, type enter to select the default partition number at this stage (partition 4), type enter to select the default first sector value, type enter for last sector to create a root partition using the remaining space, type fd00<\/code> for hex code to set a software raid partition type<\/p>\nw<\/code> to write your changes to disk a, answer Y<\/code> (proceed)<\/p>\n
\nsgdisk -R=\/dev\/sdb \/dev\/sda<\/code><\/p>\n
\nsgdisk -G \/dev\/sdb<\/code><\/p>\n\n
\nmdadm --create --name=server:boot --verbose \/dev\/md\/boot --level=1 --raid-devices=2 \/dev\/sda2 \/dev\/sdb2<\/code>
\nanswer y<\/code><\/p>\n
\nmdadm --create --name=server:swap --verbose \/dev\/md\/swap --level=1 --raid-devices=2 \/dev\/sda3 \/dev\/sdb3<\/code>
\nanswer y<\/code><\/p>\n
\nmdadm --create --name=server:root --verbose \/dev\/md\/root --level=1 --raid-devices=2 \/dev\/sda4 \/dev\/sdb4<\/code>
\nanswer y<\/code><\/p>\n--level=1 --raid-devices=2<\/code> by --level=5 --raid-devices=<n><\/code> with n being at least 3, and the right partition names. You’ll also need RAID5 activated in the kernel.<\/p>\n\n
\nmkfs.ext2 \/dev\/md\/boot<\/code><\/p>\n
\nmkswap \/dev\/md\/swap<\/code><\/p>\n
\nswapon \/dev\/md\/swap<\/code><\/p>\n
\nmkfs.ext4 \/dev\/md\/root<\/code><\/p>\n
\nwget http:\/\/gentoo.mirrors.ovh.net\/gentoo-distfiles\/snapshots\/portage-latest.tar.xz<\/code><\/p>\n
\nwget http:\/\/gentoo.mirrors.ovh.net\/gentoo-distfiles\/releases\/amd64\/autobuilds\/current-stage3-amd64-hardened\/stage3-amd64-hardened-20170202.tar.bz2<\/code><\/p>\n
\nmkdir -p \/mnt\/gentoo<\/code><\/p>\n
\nmount \/dev\/md\/root \/mnt\/gentoo\/<\/code><\/p>\n
\nmkdir \/mnt\/gentoo\/boot<\/code><\/p>\n
\nmount \/dev\/md\/boot \/mnt\/gentoo\/boot<\/code><\/p>\n
\ntar xpf stage3* --xattrs -C \/mnt\/gentoo\/<\/code><\/p>\n
\ntar xf portage* -C \/mnt\/gentoo\/usr\/<\/code><\/p>\n
\ncp -L \/etc\/resolv.conf \/mnt\/gentoo\/etc\/<\/code><\/p>\n
\nmount -t proc none \/mnt\/gentoo\/proc<\/code><\/p>\n
\nmount --rbind \/sys \/mnt\/gentoo\/sys<\/code><\/p>\n
\nmount --rbind \/dev \/mnt\/gentoo\/dev<\/code><\/p>\n
\nchroot \/mnt\/gentoo \/bin\/bash<\/code><\/p>\n
\nsource \/etc\/profile<\/code><\/p>\n
\nexport PS1=\"(chroot) $PS1\"<\/code><\/p>\n
\nmkdir \/var\/tmp\/portage<\/code>
\nmount -t tmpfs tmpfs -o nr_inodes=1M \/var\/tmp\/portage<\/code><\/p>\n\/usr\/share\/zoneinfo\/<\/code>
\necho \"Europe\/Berlin\" > \/etc\/timezone<\/code><\/p>\n
\nemerge --config sys-libs\/timezone-data<\/code><\/p>\nen_US.UTF-8 UTF-8<\/code> in \/etc\/locale.gen<\/code>
\nnano \/etc\/locale.gen<\/code><\/p>\n#en_US ISO-8859-1<\/code>\r\nen_US.UTF-8 UTF-8<\/code>\r\n#ja_JP.EUC-JP EUC-JP<\/code>\r\n#ja_JP.UTF-8 UTF-8<\/code>\r\n#ja_JP EUC-JP<\/code>\r\n#en_HK ISO-8859-1<\/code>\r\n#en_PH ISO-8859-1<\/code>\r\n#de_DE ISO-8859-1<\/code>\r\n#de_DE@euro ISO-8859-15<\/code>\r\n#es_MX ISO-8859-1<\/code>\r\n#fa_IR UTF-8<\/code>\r\n#fr_FR ISO-8859-1<\/code>\r\n#fr_FR@euro ISO-8859-15<\/code>\r\n#it_IT ISO-8859-1<\/code>\r\n<\/pre>\n
\nlocale-gen<\/code><\/p>\nen_US.utf8<\/code>
\neselect locale list<\/code><\/p>\nAvailable targets for the LANG variable:\r\n\u00a0 [1]\u00a0\u00a0 C\r\n\u00a0 [2]\u00a0\u00a0 POSIX\r\n\u00a0 [3]\u00a0\u00a0 en_US.utf8\r\n\u00a0 [ ]\u00a0\u00a0 (free form)\r\n<\/pre>\n
en_US.utf8<\/code>, for me it’s the third but yours could be different
\neselect locale set 3<\/code><\/p>\n
\nenv-update && source \/etc\/profile && export PS1=\"(chroot) $PS1\"<\/code><\/p>\n
\nlsblk -f<\/code><\/p>\n\/etc\/fstab<\/code> file.<\/p>\n
\nnano \/etc\/fstab<\/code><\/p>\n\/etc\/fstab<\/code> file, but you need to adjust yours according to the values of your UUID’s. Pay attention to the mount points to put the right UUIDs. Again, you can uncomment the last line if you have lots of RAM<\/p>\n#<fs>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <mountpoint>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <type>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <opts>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <dump\/pass>\r\nUUID=9ba69117-4896-41d4-bbac-c7ccb3fa0ced\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/boot\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 auto,noatime\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1 2\r\nUUID=45c9cc7e-3967-4692-a523-6fe4112bb827\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ext4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 noatime\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 1\r\nUUID=377610a3-b921-4b4a-afa3-54b4f8cfb1bf\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 none\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 swap\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sw\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 0\r\n#tmpfs\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/tmp\/portage\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tmpfs\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 auto,nr_inodes=1M\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0 0\r\n<\/pre>\n
\nnano \/etc\/conf.d\/hostname<\/code><\/p>\nhostname=\"gentoo\"<\/code>\r\n<\/pre>\n
\nnano \/etc\/conf.d\/net<\/code><\/p>\nconfig_eth0=\"dhcp\"<\/code>\r\n<\/pre>\n
\nnano \/etc\/conf.d\/net<\/code><\/p>\nconfig_eth0=\"x.x.x.x\/x\"<\/code>\r\nroutes_eth0=\"default via x.x.x.x\"<\/code>\r\n<\/pre>\n
\nnano \/etc\/resolv.conf<\/code><\/p>\nnameserver x.x.x.x<\/code>\r\nnameserver x.x.x.x<\/code>\r\n<\/pre>\n
\nnano \/etc\/hosts<\/code><\/p>\nx.x.x.x gentoo<\/code>\r\n<\/pre>\ngentoo<\/code> for example, add your hostname to the localhost IPv4 and IPv6 aliases to avoid headaches with some software that bind to the hostname.
\nnano \/etc\/hosts<\/code><\/p>\n# IPv4 and IPv6 localhost aliases<\/code>\r\n127.0.0.1 localhost gentoo<\/code>\r\n::1 localhost gentoo<\/code><\/pre>\n
\ncd \/etc\/init.d\/<\/code>
\nln -s net.lo net.eth0<\/code>
\ncd<\/code>
\nrc-update add net.eth0 default<\/code><\/p>\n
\nnano \/etc\/portage\/package.keywords<\/code><\/p>\nsys-apps\/gradm<\/code>\r\n<\/pre>\napp-portage\/cpuid2cpuflags<\/code> and running cpuinfo2cpuflags-x86<\/code>. Below is my file.
\nnano \/etc\/portage\/make.conf<\/code><\/p>\nCFLAGS=\"-O2 -pipe -march=native\"<\/code>\r\nCXXFLAGS=\"${CFLAGS}\"<\/code>\r\nCHOST=\"x86_64-pc-linux-gnu\"<\/code>\r\nUSE=\"unicode python lzma xattr\"<\/code>\r\nCPU_FLAGS_X86=\"aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3\"<\/code>\r\nEMERGE_DEFAULT_OPTS=\"--jobs=4 --load-average=4.0 --keep-going --with-bdeps y --complete-graph\"<\/code>\r\nMAKEOPTS=\"-j4\"<\/code>\r\nGENTOO_MIRRORS=\"http:\/\/gentoo.mirrors.ovh.net\/gentoo-distfiles\/\"<\/code>\r\nPORTDIR=\"\/usr\/portage\"<\/code>\r\nDISTDIR=\"${PORTDIR}\/distfiles\"<\/code>\r\nPKGDIR=\"${PORTDIR}\/packages\"<\/code>\r\nPORTAGE_NICENESS=10<\/code>\r\nGRUB_PLATFORMS=\"pc\"<\/code>\r\nKERNEL=\"linux\"<\/code>\r\nPAX_MARKINGS=\"XT\"<\/code>\r\n<\/pre>\n
\nmkdir \/etc\/portage\/repos.conf<\/code><\/p>\n
\nnano \/etc\/portage\/repos.conf\/gentoo.conf<\/code><\/p>\n[DEFAULT]<\/code>\r\nmain-repo = gentoo<\/code>\r\n\r\n[gentoo]<\/code>\r\nlocation = \/usr\/portage<\/code>\r\nsync-type = rsync<\/code>\r\nsync-uri = <\/code>rsync:\/\/rsync2.fr.gentoo.org\/gentoo-portage\/\r\nauto-sync = yes<\/code>\r\n<\/pre>\n
\nemerge --sync<\/code><\/p>\n
\neselect news read | more<\/code><\/p>\n
\nemerge eix<\/code>
\neix-update<\/code><\/p>\n
\nemerge hardened-sources && emerge gradm mdadm genkernel<\/code><\/p>\n
\nmdadm -Es >> \/etc\/mdadm.conf<\/code><\/p>\n
\nrc-update add mdadm boot<\/code><\/p>\n
\nnano \/etc\/genkernel.conf<\/code><\/p>\nCLEAN=\"no\"<\/code>\r\nMRPROPER=\"no\"<\/code>\r\nMDADM=\"yes\"<\/code>\r\nMDADM_CONFIG=\"\/etc\/mdadm.conf\"<\/code>\r\nCOMPRESS_INITRD_TYPE=\"xz\"<\/code>\r\n<\/pre>\n