Gist peteyoung/6b087af963fb16ab14e4, last active August 29, 2015 14:12
Initial Setup
===========================================================

Create drive for portage
-----------------------------------------------------------
Linode Manager -> Dashboard -> Disks -> Create new disk
Label: Gentoo Portage
Type: unformatted/raw
Size: 2048
# 2048 MB: at one inode per 1 KiB (mkfs.ext2 -i 1024 below) that is the
# 2097152 inodes later shown by df -i for /dev/xvdc
Save Changes
NOTE: May need to do this for /var/tmp/portage as well; builds there can
fill the 3 GB root disk (see "Portage disk space issue" under PREVIOUS ISSUES)

Deploy an Image
-----------------------------------------------------------
Linode Manager -> Dashboard -> Deploy an Image
Image: Gentoo 2013-11-26
Deployment Disk Size: 3072
Swap Disk: Use existing swap
Root Password: <REDACTED>
Click Deploy
Wait for "Disk Create From Distribution" to succeed
Click on "My Gentoo 2013-11-26 Profile"
Under "Block Device Assignment" select "Gentoo Portage" for /dev/xvdc
Save Changes
Boot "My Gentoo 2013-11-26 Profile"

Set up the portage partition
-----------------------------------------------------------
# ssh to the Linode and log in as root
# create an ext2 filesystem on the portage drive with a 1 KiB block size and
# one inode per 1 KiB: the portage tree is hundreds of thousands of tiny
# files, so the default inode ratio runs out of inodes long before it runs
# out of bytes (see "inodes issue" under PREVIOUS ISSUES)
mkfs.ext2 -b 1024 -i 1024 /dev/xvdc
# disk label
e2label /dev/xvdc portage
# -O dir_index  use hashed b-trees to speed up lookups in large directories
# -c10          number of mounts between forced fsck checks
# -i20          number of days between forced fsck checks (tune2fs -i is an
#               interval, unlike the mkfs.ext2 -i bytes-per-inode above)
tune2fs -O dir_index -c10 -i20 /dev/xvdc
# edit fstab to mount the new drive
vim /etc/fstab   # or: nano /etc/fstab
# add the following line to fstab
/dev/xvdc /usr/portage ext2 noatime,rw 0 2
# mount it and check the new mount
mount /usr/portage
df -h
---------------------------8<---------------------------
Filesystem      Size  Used Avail Use% Mounted on
rootfs          2.9G  743M  2.2G  26% /
/dev/root       2.9G  743M  2.2G  26% /
devtmpfs        996M     0  996M   0% /dev
tmpfs           200M  228K  200M   1% /run
shm             997M     0  997M   0% /dev/shm
cgroup_root      10M     0   10M   0% /sys/fs/cgroup
/dev/xvdc       1.5G  3.1M  1.4G   1% /usr/portage
--------------------------->8---------------------------
# restart the server
shutdown -r now
# ssh to the Linode and log in
# check that the mount came back from fstab
df -h
---------------------------8<---------------------------
Filesystem      Size  Used Avail Use% Mounted on
rootfs          2.9G  743M  2.2G  26% /
/dev/root       2.9G  743M  2.2G  26% /
devtmpfs        996M     0  996M   0% /dev
tmpfs           200M  228K  200M   1% /run
shm             997M     0  997M   0% /dev/shm
cgroup_root      10M     0   10M   0% /sys/fs/cgroup
/dev/xvdc       1.5G  3.1M  1.4G   1% /usr/portage
--------------------------->8---------------------------
# sync the portage tree
emerge --sync
---------------------------8<---------------------------
 * IMPORTANT: 3 config files in '/etc' need updating.
 * See the CONFIGURATION FILES section of the emerge
 * man page to learn how to update config files.
 * An update to portage is available. It is _highly_ recommended
 * that you update portage now, before any other packages are updated.
 * To update portage, run 'emerge --oneshot portage' now.
 * IMPORTANT: 4 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.
--------------------------->8---------------------------
# update emerge config files by hand (dispatch-conf, used later, does the
# same thing interactively)
find /etc -name '._cfg????_*'
---------------------------8<---------------------------
/etc/._cfg0000_rc.conf
/etc/conf.d/._cfg0000_hostname
/etc/ssh/._cfg0000_sshd_config
--------------------------->8---------------------------
diff /etc/rc.conf /etc/._cfg0000_rc.conf | view -
mv -f /etc/._cfg0000_rc.conf /etc/rc.conf
diff /etc/conf.d/hostname /etc/conf.d/._cfg0000_hostname | view -
mv -f /etc/conf.d/._cfg0000_hostname /etc/conf.d/hostname
diff /etc/ssh/sshd_config /etc/ssh/._cfg0000_sshd_config | view -
# DON'T move sshd_config yet: the new file sets PasswordAuthentication no,
# and password login is still needed until the keys are installed. The
# "Disable ssh root login and password auth" step below turns it off.
# get some disk usage stats: /usr/portage now holds ~181k inodes, which is
# what exhausted the 196608-inode root disk when the tree was synced there
# (see PREVIOUS ISSUES)
df -i
---------------------------8<---------------------------
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
rootfs          196608  48103  148505   25% /
/dev/root       196608  48103  148505   25% /
devtmpfs        254813   1363  253450    1% /dev
tmpfs           255108    808  254300    1% /run
shm             255108      1  255107    1% /dev/shm
cgroup_root     255108     12  255096    1% /sys/fs/cgroup
/dev/xvdc      2097152 180927 1916225    9% /usr/portage
--------------------------->8---------------------------
df -h
---------------------------8<---------------------------
Filesystem      Size  Used Avail Use% Mounted on
rootfs          2.9G  743M  2.2G  26% /
/dev/root       2.9G  743M  2.2G  26% /
devtmpfs        996M     0  996M   0% /dev
tmpfs           200M  228K  200M   1% /run
shm             997M     0  997M   0% /dev/shm
cgroup_root      10M     0   10M   0% /sys/fs/cgroup
/dev/xvdc       1.5G  427M 1007M  30% /usr/portage
--------------------------->8---------------------------

Update portage
===========================================================
emerge --oneshot portage

Detect IP address
===========================================================
# NOTE: this depends on the ifconfig output format. Newer net-tools print
# "inet 1.2.3.4" (field 2 is the address); older ones print
# "inet addr:1.2.3.4", which leaves "addr:" in IPADDR. Check the result.
IPADDR=$(/bin/ifconfig eth0 | awk '/inet / { print $2 }')
echo "$IPADDR"
# the same with iproute2, whose output format is stable:
# IPADDR=$(ip -4 -o addr show dev eth0 | awk '{ sub("/.*", "", $4); print $4; exit }')

Setup hosts and hostname
===========================================================
HOSTNAME=aybabtu
FQDN=aybabtu.yepitworks.com
# hosts
echo "$IPADDR $FQDN $HOSTNAME" >> /etc/hosts
echo "HOSTNAME=\"$HOSTNAME\"" > /etc/conf.d/hostname
/etc/init.d/hostname restart

Set timezone
===========================================================
echo "CST6CDT" > /etc/timezone
emerge --config sys-libs/timezone-data

Update all the things
===========================================================
# update world
emerge -uDNv world
# clean out the portage drive
rm /usr/portage/distfiles/*

Install some packages
===========================================================
# equery et al.
emerge gentoolkit
# see what's installed already
equery list "*" | less
# install curl
emerge net-misc/curl
# install vim
emerge vim
# install sudo
emerge app-admin/sudo

Set root's default editor to vim
===========================================================
echo "export EDITOR=$(which vim)" >> ~/.bashrc
. ~/.bashrc

Create normal user and add to sudoers
===========================================================
NEWUSER=peteyoung
useradd -m -G users,wheel $NEWUSER
# set the password interactively: putting it in a shell variable or an
# echo pipeline leaves it in the shell history and, briefly, in ps output
passwd $NEWUSER
# grant sudo, then make sure the file still parses: a syntax error in
# /etc/sudoers locks everyone out of sudo
echo "$NEWUSER ALL=(ALL:ALL) ALL" >> /etc/sudoers
visudo -c
echo "export EDITOR=$(which vim)" >> /home/$NEWUSER/.bashrc

curl ssh keys
===========================================================
# The private key travels over the network here, so the URLs must be https
# and should not be guessable. curl -f fails on an HTTP error instead of
# saving an error page where a key is expected, and umask 077 makes the
# files 0600 from the moment they are created rather than only after the
# chmod.
PRIVKEYURL=<REDACTED>
PUBKEYURL=<REDACTED>
AUTHKEYSURL=<REDACTED>
umask 077
mkdir ~/.ssh
curl -fL $PRIVKEYURL > ~/.ssh/ln_rsa
curl -fL $PUBKEYURL > ~/.ssh/ln_rsa.pub
chmod 700 ~/.ssh
chmod 600 ~/.ssh/ln_rsa
chmod 600 ~/.ssh/ln_rsa.pub
mkdir /home/$NEWUSER/.ssh
cp ~/.ssh/ln_rsa /home/$NEWUSER/.ssh
cp ~/.ssh/ln_rsa.pub /home/$NEWUSER/.ssh
curl -fL $AUTHKEYSURL > /home/$NEWUSER/.ssh/authorized_keys
chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh
chmod 700 /home/$NEWUSER/.ssh
chmod 600 /home/$NEWUSER/.ssh/ln_rsa
chmod 600 /home/$NEWUSER/.ssh/ln_rsa.pub
chmod 600 /home/$NEWUSER/.ssh/authorized_keys
umask 022
# confirm the downloads are keys and not error pages
head -1 ~/.ssh/ln_rsa
ssh-keygen -lf ~/.ssh/ln_rsa.pub
wc -l /home/$NEWUSER/.ssh/authorized_keys
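The key-installation steps above create each file first and fix its mode afterwards, and a curl without -f will happily save a 404 page as ln_rsa. The script below is an added example, not code from the gist, that does the same job with the ordering fixed: https only, fail on HTTP errors, files created 0600 inside a 0700 directory, and a sanity check that what landed on disk looks like a key. The function names (looks_like_key, fetch_key, install_key, key_perms_ok) are this example's own; the key contents in the usage are constructed, not real keys.

```shell
#!/bin/sh
# Added example (not from the gist): install SSH key material so that the
# files are never readable by other users, and refuse anything that does not
# look like a key.

# looks_like_key FILE: a private key starts with a "-----BEGIN ... KEY-----"
# header; a public key line starts with the key type. An HTML error page saved
# by a curl run without -f matches neither.
looks_like_key() {
    head -n 1 "$1" | grep -Eq '^-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----$|^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+'
}

# fetch_key URL DEST: https only, fail on HTTP errors (-f), follow redirects
# (-L), and create DEST under umask 077 so it is 0600 from the start.
fetch_key() {
    case $1 in
        https://*) ;;
        *) echo "refusing non-https key URL: $1" >&2; return 1 ;;
    esac
    ( umask 077 && curl -fsSL "$1" -o "$2" ) && looks_like_key "$2"
}

# install_key SRC DESTDIR [OWNER]: copy a key into DESTDIR (created 0700) as
# 0600, chown it to OWNER when one is given, and verify the result.
install_key() {
    src=$1 destdir=$2 owner=$3
    dest="$destdir/$(basename "$src")"
    looks_like_key "$src" || { echo "$src does not look like a key" >&2; return 1; }
    ( umask 077 && mkdir -p "$destdir" && cp "$src" "$dest" ) || return 1
    chmod 700 "$destdir" && chmod 600 "$dest" || return 1
    if [ -n "$owner" ]; then
        chown "$owner:$owner" "$destdir" "$dest" || return 1
    fi
    key_perms_ok "$dest"
}

# key_perms_ok FILE: FILE is 0600 and its directory is 0700. Checked with
# ls rather than stat -c so it works on both GNU and BSD userlands.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ] &&
    [ "$(ls -ld "$(dirname "$1")" | cut -c1-10)" = "drwx------" ]
}

# Usage on the host (URLs as in the gist, NEWUSER set beforehand):
#   fetch_key "$PRIVKEYURL" ~/.ssh/ln_rsa && fetch_key "$PUBKEYURL" ~/.ssh/ln_rsa.pub
#   install_key ~/.ssh/ln_rsa /home/$NEWUSER/.ssh $NEWUSER
#   install_key ~/.ssh/ln_rsa.pub /home/$NEWUSER/.ssh $NEWUSER
```

The looks_like_key check is deliberately shallow (header line only); the real test of a downloaded private key is still `ssh-keygen -lf` on it, which also confirms the fingerprint against the one recorded where the key was generated.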

Disable ssh root login and password auth
===========================================================
# Keep the current session open and test a key login from a second terminal
# before closing it. ChallengeResponseAuthentication also has to be off: with
# UsePAM yes, keyboard-interactive auth would still accept the password even
# when PasswordAuthentication is no.
sed -r -i.bak \
  -e 's/^#?PermitRootLogin .*$/PermitRootLogin no/g' \
  -e 's/^#?PasswordAuthentication .*$/PasswordAuthentication no/g' \
  -e 's/^#?PermitEmptyPasswords .*$/PermitEmptyPasswords no/g' \
  -e 's/^#?ChallengeResponseAuthentication .*$/ChallengeResponseAuthentication no/g' \
  /etc/ssh/sshd_config
# the sed only rewrites directives that are already in the file; check the
# resulting values and the config syntax before restarting
grep -E '^(PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords|ChallengeResponseAuthentication)' /etc/ssh/sshd_config
sshd -t && /etc/init.d/sshd restart
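The sed above silently does nothing for a directive that is absent from sshd_config, and it would also rewrite a directive inside a Match block, where it only applies conditionally. The script below is an added example, not code from the gist, that goes a little beyond the sed: it rewrites the first global occurrence (commented or not), inserts a missing directive before the first Match block, and then reads the effective values back the way sshd would resolve them. The function names (set_sshd_option, sshd_option_value, harden_sshd, verify_sshd_hardened) are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist): set sshd_config directives so they take
# effect whether the line is present, commented out, or missing, then verify
# the effective values before restarting sshd.

# set_sshd_option FILE KEY VALUE
# sshd uses the first occurrence of a directive, and everything after a Match
# line is conditional. So: rewrite the first global occurrence (commented or
# not), drop later global duplicates, and if there is none insert the
# directive before the first Match block (or at the end of the file).
set_sshd_option() {
    file=$1 tmp="$1.tmp.$$"
    awk -v key="$2" -v value="$3" '
        in_match { print; next }
        /^[[:space:]]*Match[[:space:]]/ {
            if (!seen) { print key " " value; seen = 1 }
            in_match = 1; print; next
        }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
            split(line, f, /[[:space:]]+/)
            if (f[1] == key) {
                if (!seen) { print key " " value; seen = 1 }
                next
            }
            print
        }
        END { if (!seen) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option_value FILE KEY: the value sshd will use globally (first
# uncommented occurrence before any Match block); empty when the directive is
# left at its built-in default
sshd_option_value() {
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }
        /^[[:space:]]*#/ { next }
        $1 == key { print $2; exit }
    ' "$1"
}

HARDEN_KEYS="PermitRootLogin PasswordAuthentication PermitEmptyPasswords ChallengeResponseAuthentication"

# harden_sshd FILE: no root login, no password or keyboard-interactive auth
harden_sshd() {
    for key in $HARDEN_KEYS; do
        set_sshd_option "$1" "$key" no || return 1
    done
}

# verify_sshd_hardened FILE: fail, naming the directive, unless every
# hardening directive resolves to "no"
verify_sshd_hardened() {
    for key in $HARDEN_KEYS; do
        if [ "$(sshd_option_value "$1" "$key")" != no ]; then
            echo "$1: $key is not set to no" >&2
            return 1
        fi
    done
}

# Usage on the host, from a session kept open until a fresh key login works:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd /etc/ssh/sshd_config && verify_sshd_hardened /etc/ssh/sshd_config \
#       && sshd -t && /etc/init.d/sshd restart
```

verify_sshd_hardened only reads the file; `sshd -T` (extended test mode) prints the daemon's own view of the effective configuration and is the final word once the file passes `sshd -t`.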

Install some more packages
===========================================================
sudo emerge dev-vcs/git
sudo emerge dev-vcs/mercurial
sudo emerge app-misc/tmux

Update the kernel
===========================================================
# http://wiki.gentoo.org/wiki/Kernel/Upgrade
# https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-custom-compiled-kernel-with-pvgrub
# install kernel source
# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sys-kernel/gentoo-sources/
sudo emerge sys-kernel/gentoo-sources
# NOTE: some kernels may require a keyword change in order to be emerged
sudo vim /etc/portage/package.accept_keywords
# add the following lines to package.accept_keywords
---------------------------8<---------------------------
# required by =sys-kernel/gentoo-sources-3.18.1 (argument)
=sys-kernel/gentoo-sources-3.18.1 ~amd64
--------------------------->8---------------------------
sudo emerge sys-kernel/gentoo-sources
# - or to force the version -
sudo emerge -1 =sys-kernel/gentoo-sources-3.18.1
# review and set link to current kernel sources
eselect kernel list
sudo eselect kernel set 1
# jump into src dir
cd /usr/src/linux
# make a copy of current linode gentoo kernel config in src dir
sudo sh -c 'zcat /proc/config.gz > .config'
# if you need to sanitize sources (distclean deletes .config, so stash it first)
sudo cp .config /usr/src/kernel_config_bk
sudo make distclean
sudo mv /usr/src/kernel_config_bk .config
# carry the Linode config forward to the new source tree, answering the
# questions for options that are new in this version
sudo make oldconfig
# oldconfig does not turn on nftables by itself. The ruleset under "Install
# nftables" needs at least CONFIG_NF_TABLES, CONFIG_NF_TABLES_INET,
# CONFIG_NFT_META (for the iif rule), CONFIG_NFT_CT, CONFIG_NFT_LIMIT and
# CONFIG_NFT_COUNTER (Networking support -> Networking options -> Network
# packet filtering framework -> Core Netfilter Configuration -> Netfilter
# nf_tables support) plus the conntrack support they depend on. Enable them
# here and verify afterwards:
sudo make menuconfig
grep -E '^CONFIG_(NF_TABLES|NF_TABLES_INET|NFT_META|NFT_CT|NFT_LIMIT|NFT_COUNTER)=' .config
# build modules and kernel
sudo make modules_prepare
sudo emerge --ask @module-rebuild
sudo make -j3
sudo make install
sudo make modules_install
# set up pv-grub with new kernel
sudo mkdir /boot/grub
sudo vim /boot/grub/menu.lst
# the kernel file name must match what `make install` wrote to /boot
# (ls /boot/vmlinuz-*); the version in this menu.lst is from the 3.17.7 upgrade
---------------------------8<---------------------------
timeout 3
title Custom Compile, vmlinuz-3.17.7-gentoo
root (hd0)
kernel /boot/vmlinuz-3.17.7-gentoo root=/dev/xvda ro quiet
--------------------------->8---------------------------

Set up the profile to boot the kernel with pv-grub
-----------------------------------------------------------
Dashboard -> My Gentoo 2014.12 Profile -> Kernel dropdown
Select pv-grub-x86_64
Save changes
# before the reboot (two upgrades were recorded: Linode's 3.16.7 kernel to
# 3.17.7, then 3.17.7 to 3.18.1)
uname -a
---------------------------8<---------------------------
Linux aybabtu 3.16.7-x86_64-linode49 #3 SMP Fri Nov 14 16:55:37 EST 2014 x86_64 Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz GenuineIntel GNU/Linux
Linux aybabtu 3.17.7-gentoo #1 SMP Wed Dec 31 01:54:08 CST 2014 x86_64 Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz GenuineIntel GNU/Linux
--------------------------->8---------------------------
Reboot the Linode
# after the reboot
uname -a
---------------------------8<---------------------------
Linux aybabtu 3.17.7-gentoo #1 SMP Wed Dec 31 01:54:08 CST 2014 x86_64 Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz GenuineIntel GNU/Linux
Linux aybabtu 3.18.1-gentoo #1 SMP Sun Jan 4 17:48:01 CST 2015 x86_64 Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz GenuineIntel GNU/Linux
--------------------------->8---------------------------

Scan open ports
===========================================================
# https://www.digitalocean.com/community/tutorials/how-to-use-nmap-to-scan-for-open-ports-on-your-vps
# run from the workstation, not the server; -Pn skips the ping check
sudo nmap -Pn 173.255.198.155
---------------------------8<---------------------------
Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-31 18:38 CST
Nmap scan report for yepitworks.com (173.255.198.155)
Host is up (0.036s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE
22/tcp  open     ssh
25/tcp  filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
--------------------------->8---------------------------
# "filtered" means something between the scanner and the host dropped the
# probe. The server has no firewall yet at this point, so 25/135/139/445 are
# most likely blocked by the scanning machine's ISP or the provider network
# rather than by the Linode; 22 is the only port actually listening.

Install nftables
===========================================================
# be sure kernel source is installed and you've recompiled the
# kernel with nftables options enabled (see "Update the kernel")
# create or edit package.accept_keywords
sudo vim /etc/portage/package.accept_keywords
# add the following lines to package.accept_keywords (copied from the
# "keyword changes are necessary" emerge output under PREVIOUS ISSUES)
---------------------------8<---------------------------
# required by net-firewall/nftables (argument)
=net-firewall/nftables-0.4 ~amd64
# required by net-firewall/nftables-0.4
# required by net-firewall/nftables (argument)
=net-libs/libnftnl-1.0.3 ~amd64
--------------------------->8---------------------------
# install nftables
sudo emerge net-firewall/nftables
# set up nftables tables, chains, and rules. Do this from an existing ssh
# session and test a new login before closing it. Rules are evaluated top
# to bottom, so loopback and IPv6 neighbour discovery are accepted before
# the ICMP rate limits: without "iif lo accept" new connections to localhost
# services are dropped, and if neighbour discovery falls under the ICMPv6
# rate limit the box can lose its IPv6 gateway.
cat > rules.nft
---------------------------8<---------------------------
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop
        ip6 nexthdr ipv6-icmp limit rate 10/second accept
        ip6 nexthdr ipv6-icmp drop
        tcp dport ssh accept
        counter drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
--------------------------->8---------------------------
ctrl-d
sudo nft -f rules.nft
sudo nft list ruleset
# the rules live only in the kernel: load them again at boot, e.g. from a
# script in /etc/local.d/ or via the nftables init script if the ebuild
# ships one

Install dotfiles from github
===========================================================
# emerge's reminder about running a full update before --depclean:
---------------------------8<---------------------------
 * Have you forgotten to do a complete update prior to depclean? The
 * most comprehensive command for this purpose is as follows:
 *
 *   emerge --update --newuse --deep --with-bdeps=y @world
--------------------------->8---------------------------
# list the fingerprint of every public key in ~/.ssh
for key in ~/.ssh/*.pub; do
    printf '%-20s ' "$(basename "$key"):"
    ssh-keygen -lf "$key"
done

PREVIOUS ISSUES
===========================================================
===========================================================

inodes issue when first synching emerge
===========================================================
# before the sync, with /usr/portage still on the 3 GB root disk
df -i
---------------------------8<---------------------------
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
rootfs          196608  48102  148506   25% /
/dev/root       196608  48102  148506   25% /
devtmpfs        254813   1358  253455    1% /dev
tmpfs           255108    802  254306    1% /run
shm             255108      1  255107    1% /dev/shm
cgroup_root     255108     12  255096    1% /sys/fs/cgroup
--------------------------->8---------------------------
emerge --sync
---------------------------8<---------------------------
receiving incremental file list
rsync: mkstemp "/var/tmp/.tmp48j99g.GMJD5b" failed: No space left on device (28)
--------------------------->8---------------------------
# "No space left on device" here is inodes, not bytes: the root disk is at
# 100% IUse with one inode to spare, while df -h would still show free space
df -i
---------------------------8<---------------------------
Filesystem      Inodes  IUsed   IFree IUse% Mounted on
rootfs          196608 196607       1  100% /
/dev/root       196608 196607       1  100% /
devtmpfs        254813   1358  253455    1% /dev
tmpfs           255108    802  254306    1% /run
shm             255108      1  255107    1% /dev/shm
cgroup_root     255108     12  255096    1% /sys/fs/cgroup
--------------------------->8---------------------------
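The inode exhaustion above and the portage-drive sizing under "Create drive for portage" are the same problem seen from both ends: the root disk has 148506 free inodes and a synced tree needs about 180927 (the IUsed figure for /dev/xvdc after the sync). The script below is an added example, not code from the gist, that checks a mount point's inode headroom from `df -iP` output before a sync is pointed at it, and shows what inode count `mkfs.ext2 -i` gives a disk of a given size. The df numbers embedded in it are the page's own, constructed into a sample so the functions run offline; the function names are this example's.

```shell
#!/bin/sh
# Added example (not from the gist): check a filesystem's inode headroom
# before pointing a portage sync at it. "df -iP" prints one filesystem per
# line in POSIX format.

# Inode count of a full portage tree, taken from the gist's df -i output
# after the first successful sync (180927 inodes used on /dev/xvdc).
PORTAGE_TREE_INODES=180927

# Constructed sample from the page's numbers: root disk before the sync,
# and the dedicated portage disk after it.
SAMPLE_DF='Filesystem      Inodes  IUsed   IFree IUse% Mounted on
/dev/root       196608  48102  148506   25% /
/dev/xvdc      2097152 180927 1916225    9% /usr/portage'

# df_field MOUNT COLUMN [DF_OUTPUT]: print one column of the df -iP line
# whose mount point is exactly MOUNT. Runs df itself when no output is given.
df_field() {
    mnt=$1 col=$2
    out=${3:-$(df -iP "$mnt")}
    printf '%s\n' "$out" | awk -v m="$mnt" -v c="$col" '$6 == m { print $c; exit }'
}

# inode_use_pct MOUNT [DF_OUTPUT]: percent of inodes in use, as an integer
inode_use_pct() {
    df_field "$1" 5 "$2" | tr -d %
}

# inodes_free MOUNT [DF_OUTPUT]: free inode count
inodes_free() {
    df_field "$1" 4 "$2"
}

# portage_fits MOUNT [DF_OUTPUT]: succeed only if MOUNT has more free inodes
# than a portage tree needs, with 10% headroom for temporary files
portage_fits() {
    free=$(inodes_free "$1" "$2")
    [ -n "$free" ] || { echo "no df entry for $1" >&2; return 2; }
    need=$((PORTAGE_TREE_INODES + PORTAGE_TREE_INODES / 10))
    if [ "$free" -ge "$need" ]; then
        echo "$1: $free inodes free, $need needed: ok"
    else
        echo "$1: $free inodes free, $need needed: rsync will fail with ENOSPC" >&2
        return 1
    fi
}

# mkfs_inodes SIZE_MB BYTES_PER_INODE: how many inodes mkfs.ext2 -i gives a
# disk of SIZE_MB megabytes; 2048 MB at -i 1024 is the 2097152 seen above
mkfs_inodes() {
    echo $(( $1 * 1024 * 1024 / $2 ))
}

# Usage on the host (no sample argument, so df runs for real):
#   portage_fits /usr/portage || exit 1
```

Run against the sample, `portage_fits /` fails exactly as the sync did, while `/usr/portage` passes with room to spare; the 10% headroom is a guess for rsync's temporary files, not a measured figure.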
# Research
https://nixos.org/wiki/Install_NixOS_on_Linode
https://forums.gentoo.org/viewtopic-t-422692-start-0.html
https://forum.linode.com/viewtopic.php?t=3423
http://forums.gentoo.org/viewtopic-p-7168622.html

Portage disk space issue
===========================================================
Argh! vim-core at 7.4.237, but vim at 7.3.567
----------------------------------------
emerge vim
# Blargh! drive full.
# `du -hd1` points at /var/tmp/portage.
# rm all the subfolders in /var/tmp/portage.
# rerun `emerge vim`
# (this is why the NOTE under "Create drive for portage" suggests a separate
# disk for /var/tmp/portage too: build trees land on the 3 GB root disk)

Update all the things
===========================================================
# https://forums.gentoo.org/viewtopic-t-763595-start-0.html
# update meta-data (eix-sync comes from app-portage/eix; no man page, see eix-sync -h)
eix-sync
# pretend, display what *would* be installed
emerge -puDNv world
# just fetch all the packages, don't build
emerge -fuDNv world
# actually update all the things now
emerge -uDNv world
# sane configuration file merging
dispatch-conf
# pretend to build reverse dependencies, display what *would* be installed
revdep-rebuild --pretend
# build reverse dependencies
#revdep-rebuild --ignore
# clean out the portage drive
rm /usr/portage/distfiles/*

# emerge output that produced the keyword lines used under "Install nftables"
sudo emerge net-firewall/nftables
---------------------------8<---------------------------
Password:
 * IMPORTANT: 8 news items need reading for repository 'gentoo'.
 * Use eselect news to read news items.
Calculating dependencies... done!
[ebuild  N     ] net-libs/libmnl-1.0.3-r1  USE="-examples -static-libs"
[ebuild  NS    ] app-text/docbook-xml-dtd-4.2-r2 [4.1.2-r6]
[ebuild  N     ] dev-perl/XML-NamespaceSupport-1.110.0-r1
[ebuild  N     ] dev-perl/XML-SAX-Base-1.80.0-r1
[ebuild  N     ] dev-perl/XML-SAX-0.990.0-r1
[ebuild  N     ] dev-perl/XML-LibXML-2.1.400-r1  USE="{-test}"
[ebuild  N     ] app-text/docbook2X-0.8.8-r4  USE="{-test}"
[ebuild  N    ~] net-libs/libnftnl-1.0.3  USE="-examples -json -static-libs {-test} -xml"
[ebuild  N    ~] net-firewall/nftables-0.4  USE="readline -debug"
The following keyword changes are necessary to proceed:
 (see "package.accept_keywords" in the portage(5) man page for more details)
# required by net-firewall/nftables (argument)
=net-firewall/nftables-0.4 ~amd64
# required by net-firewall/nftables-0.4
# required by net-firewall/nftables (argument)
=net-libs/libnftnl-1.0.3 ~amd64
Use --autounmask-write to write changes to config files (honoring
CONFIG_PROTECT). Carefully examine the list of proposed changes,
paying special attention to mask or keyword changes that may expose
experimental or unstable packages.
--------------------------->8---------------------------

# workstation side, before "Scan open ports":
# update and upgrade brew
# install nmap
# scan server's ports

# Gentoo news item read during the sync. It is about / and /usr being on
# separate filesystems; only /usr/portage is a separate disk in this setup,
# so no initramfs is needed for that.
2013-09-27-initramfs-required
Title     Separate /usr on Linux requires initramfs
Author    William Hubbs <williamh@gentoo.org>
Posted    2013-09-27
Revision  1

Linux systems which have / and /usr on separate file systems but do not
use an initramfs will not be supported starting on 01-Nov-2013.

If you have / and /usr on separate file systems and you are not
currently using an initramfs, you must set one up before this date.
Otherwise, at some point on or after this date, upgrading packages
will make your system unbootable.

For more information on setting up an initramfs, see this URL:
https://wiki.gentoo.org/wiki/Initramfs/HOWTO

Due to many upstream changes, properly supporting Linux systems that
have /usr missing at boot time has become increasingly difficult.
Despite all our efforts, it already breaks in some exotic
configurations, and this trend is likely to grow worse.

For more information on the upstream changes and why using an initramfs
is the cleanest route forward, see the following URLs:
http://freedesktop.org/wiki/Software/systemd/separate-usr-is-broken
https://blog.flameeyes.eu/2013/01/the-boot-process