From LinodeWiki

[edit] How To Set Up Your Server On Gentoo

Any pointers, thoughts or ideas would be appreciated.

Notes:

• Security
• LSAT

[edit] Setup

1. Use the Distro Wizard tool to create the main profile and partition. Make sure to leave room for a swap partition and a home partition. If you have enough space, you might want to have a separate partition for var as well.
2. Use the Disk Images tool to create the swap and home partitions.
3. Use the Configuration tool to create two profiles: the one you normally boot up with, and the single user mode (these should be identical except for the single user flag).

NOTE: DEVFS has been removed from the 2.6 kernel. The setup at one point didn't handle this properly and this node has instructions on how to fix your setup if you still have problems in this regard.

I prefer to have my swap partition as the first partition. I don't remember why, but I've been doing it this way for the last 10 years. It just feels more comfortable this way. The setup doesn't handle this properly. Even though I have the correct partition selected in the drop down box in the profile, the fstab is incorrect:

 /dev/ubda               /               ext3            noatime         0 1
 /dev/ubdb               none            swap            sw              0 0

and the home partition isn't included either. So I need to take the following steps:

1. In the Configuration tool, enable the "init=/bin/bash" option in the "Run Level" section.
2. Use the Overview page to boot.
3. Connect with Lish, remount the root partition and edit the fstab file.
   • mount -n -o remount,rw /.
   • nano /etc/fstab
4. Change the lines mentioned above to the following, and add the line for the home partition.

 /dev/ubda               none            swap            sw              0 0
 /dev/ubdb               /               ext3            noatime         0 1
 /dev/ubdc               /home           ext3            noatime         0 0

 I also comment out the cdrom line, but it doesn't really make a difference.

1. Use the Overview page to shutdown.
2. Use the Configuration tool to change your "Run Level" section back to "Default Run Level"
3. Use the Overview page to boot.

[edit] Check LiSH

You will need to login via your LiSH account to check this. See this page under the Remote Console Access with Lish (Linode Shell) section for details on how to do this.

Check for 'respawning too fast' messages. If you're getting those then take the following steps (see this thread):

• Edit /etc/inittab so that c0 is pointing to vc/0
• Edit /etc/securetty to add and entry for vc/0
• Run 'telinit q' as root

If the above doesn't give you a login prompt, you might see something like this in /var/log/messages

Sep 11 15:57:23 mail agetty[4102]: /dev/vc/0: No such file or directory
Sep 11 15:57:33 mail agetty[4103]: /dev/vc/0: No such file or directory
Sep 11 15:57:43 mail init: Id "c0" respawning too fast: disabled for 5 minutes

You can also try pointing c0 to tty0 in /etc/inittab instead.

[edit] Add Your Main User

As things stand right now, root can log in via ssh because of the default settings. We need to fix that.

Add your user, adding yourself to whatever groups you want, and your password:

• useradd -G wheel,nobody,portage youruser
• passwd youruser

I prefer vim so we might as well emerge vim at the same time. To save time at this point we'll emerge with the bare bones and let the world rebuild we're going to do later fix things up. Might as well add screen to the mix since we'll be using it as well. conf-update and elogv al since we'll be wanting to administer correctly from the beginning.

• USE='-*' emerge vim sudo screen conf-update elogv

I used to allow users in the wheel group full sudo access, but I've come to realize that I'm better off just allowing myself access. If my server ever has need I can certainly change it. For now just add the following line to /etc/sudoers:

• youruser ALL=(ALL) ALL

And comment out the following line:

• Defaults env_reset

This will allow the environment variables to be passed on to the child process.

Now, to fix the problem of root being able to login via ssh. Edit the /etc/ssh/sshd_config file and add the fillowing line:

NOTE: You might want to log out and log back in as your user before making this change ... if you've messed something up you'll have to log in as root via LiSH to fix it.

• PermitRootLogin no
• /etc/init.d/sshd restart

Now you can log in as your regular user and do everything as your user (remember to start screen).

[edit] Save Space

hdparm in this context doesn't make a whole lot of sense, so let's get rid of it.

• mkdir -p /etc/portage/profile
• echo "-*sys-apps/hdparm" >> /etc/portage/profile/packages
• emerge -C hdparm

Generate only the locale information you need. See this tip.

• Edit /etc/locale.gen and make sure you have the languages you need listed.
• Run the locale-gen command if you made any changes to locale.gen:
  • locale-gen

Also, set the LINGUAS variable to your language.

• Edit /etc/make.conf
• LINGUAS="en"
  • space separated list of languages

Even with the locale settings above some packages still insist on installing locale files on your system that you don't want or need. This will help minimize your system size when run regularly.

• emerge localepurge
• Edit /etc/locale.nopurge and set things the way you like.

I don't know how much extra space this will save, but if you set these two variables portage is supposed to compress the documentation.

• PORTAGE_COMPRESS="bzip"
• PORTAGE_COMPRESS_FLAGS="-9"

You can use whatever compression program you want here. PORTAGE_COMPRESS is the name of the program and PORTAGE_COMPRESS_FLAGS are the command parameters.

??? What else can be done here?

• Hardware specific software that doesn't make sense in a UML environment?
• More CFLAG options?
• See this Tips & Tricks page for more ideas.

[edit] Make Portage Run A Little Faster

If you add the following line to your fstab portage will run in memory, speeding it up somewhat. I've seen dramatic increases in time myself, but I've read reports that it's been less successful for others.

• none /var/tmp/portage tmpfs size=1000M,nr_inodes=1M 0 0

[edit] Set The Timezone

rm /etc/localtime && ln -s /usr/share/zoneinfo/yourtimezone /etc/localtime

List the files in /usr/share/zoneinfo/ to find your timezone and use it in place of 'yourtimezone'.

Edit /etc/conf.d/clock and make sure the following lines are set:

• CLOCK="local"
• TIMEZONE="yourtimezone"

[edit] Check Your Profile

Make sure make.profile is pointing to the latest profile:

readlink /etc/make.profile && ls -1 $(dirname $(readlink /etc/make.profile))

If make.profile does not point to the latest profile then make it do so:

DIR=$(dirname $(readlink /etc/make.profile)) && rm /etc/make.profile && ln -s $DIR/2007.0 /etc/make.profile

As of this writing 2007.0 is the latest profile.

[edit] Update Portage

Then update your portage tree:

emerge --sync

If you get a message about an update available for portage, go ahead and update it.

emerge portage

[edit] Set USE Flags

WARNING!!! FOLLOW THESE STEPS AT YOUR OWN RISK!!! IF YOU DO THIS STEP YOU MUST PAY ATTENTION TO YOUR USE FLAGS FOR THE LIFE OF YOUR SERVER!!!

See this tip for details.

emerge --info | perl -ne 's/^(USE=")(.*?").*$/$1-* $2/ && print "\n$_\n"' >> /etc/make.conf

This finds the current profiles default USE flags, prepends -* to the list which turns off those same default USE flags (see this discussion on USE flags for more details), and appends it to the make.conf file.

Edit your make.conf file and delete the flags you don't want.

At this point my USE flags look like:

USE="-* berkdb cli cracklib crypt dri fortran gdbm gpm iconv libg++ ncurses nls nptl nptlonly pam pcre perl python readline session ssl tcpd unicode x86 zlib"

[edit] Emerge Basic Packages

I use these programs for system administration and the like. You, of course, may pick and choose and put your own desired packages in at this point.

Follow the links for discussion on the individual packages.

emerge autounmask ccache colordiff eix eselect euses gentoolkit grc herdstat layman localepurge mirrorselect perl-info portage-manpages subversion symlinks

[edit] Modify Configuration Files

While you're waiting for that stuff to compile, go over your configuration files and setup whatever needs to be done. See this list of configuration files for some guidelines. But, basically, everything in /etc.

[edit] Miscelaneous Stuff

• Put all your [core] in the same place.
• Make your [ssh] connections faster.
• [Limit ssh logins] using AllowGroups.
• [Customize] bash a little bit.

[edit] Unsupported Add-ons

Add unsupported add-on tools found at the following locations:

• An update script. See this thread for details.

cd /usr/local/sbin
wget http://www.mindlesstechie.net/gentoo/update-world/update-world-1.8 -O update-world
chmod 700 update-world

• My own update scripts (I put them in /usr/local/sbin:

• update-world-prepare

 #!/bin/bash
 emerge --metadata
 eix-sync -v
 herdstat --fetch
 rm ~/.update-world/emergelist
 update-world -p

• update-world-install

 #!/bin/bash
 update-world -i -r
 glsa-check -f new
 localepurge
 symlinks -cdrs /
 conf-update
 elogv

[edit] Update Your system

update-world-prepare

Check the emergelist for anything out of whack. Fix it if necessary.

update-world-install

Exit your screen session using <Ctrl-A><D> and come back in a day or so.

When the update is done, you'll probably be looking at conf-update waiting for you to tell it to merge changes or not. Go through and make changes or not at your pleasure.

[edit] Run rc-update

Make sure everything is started that needs to be started

[edit] Reboot

Just to make sure everything is ok up to this point