I really like Gentoo for their awesome package manager, Portage. Gentoo is a really flexible distribution that you can customize (and break) in many ways. It’s a good opportunity to learn a lot about linux. I documented the installation process. Given is an EX server from Hetzner, booted into the Debian rescue system.
As a first step, we setup the partitioning + mdadm Raid + LVM + filesystems:
parted /dev/nvme0n1 --script mklabel gpt
parted /dev/nvme1n1 --script mklabel gpt
parted /dev/nvme0n1 --script mkpart primary ext3 2048s 4095s
parted /dev/nvme1n1 --script mkpart primary ext3 2048s 4095s
parted /dev/nvme0n1 --script mkpart primary ext3 4096s 1953791s
parted /dev/nvme1n1 --script mkpart primary ext3 4096s 1953791s
parted /dev/nvme0n1 --script mkpart primary ext3 1953792s 100%
parted /dev/nvme1n1 --script mkpart primary ext3 1953792s 100%
parted /dev/nvme0n1 --script set 1 bios_grub on
parted /dev/nvme1n1 --script set 1 bios_grub on
mdadm --verbose --create /dev/md/0 --level=1 --raid-devices=2 --metadata=1.2 /dev/nvme0n1p2 /dev/nvme1n1p2
mdadm --verbose --create /dev/md/1 --level=1 --raid-devices=2 --metadata=1.2 /dev/nvme0n1p3 /dev/nvme1n1p3
echo 999999999 > /proc/sys/dev/raid/speed_limit_min
echo 999999999 > /proc/sys/dev/raid/speed_limit_max
until ! grep -q resync /proc/mdstat; do echo "sleeping for 2s"; sleep 2; done
mkfs.ext4 -v /dev/md/1
pvcreate --verbose /dev/md/2
vgcreate --verbose vg0 /dev/md/2
lvcreate --verbose --name root --size 50G vg0
mkfs.ext4 -v /dev/mapper/vg0-root
mount /dev/mapper/vg0-root /mnt/
Next, we download a stage 3 tarball (minimal precompiled Gentoo basically) and verify it:
url='https://mirror.netcologne.de/gentoo/releases/amd64/autobuilds/current-stage3-amd64-systemd'
latest='stage3-amd64-systemd-20220102T170545Z.tar.xz'
for file in '' {.CONTENTS.gz,.DIGESTS.asc}; do wget "${url}/${latest}${file}"; done
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 0xBB572E0E2D182910
gpg --verify "${latest}.DIGESTS.asc"
grep " ${latest}.CONTENTS.gz" *.DIGESTS.asc
openssl dgst -r -sha512 "${latest}.CONTENTS.gz"
This will verify the gpg signature in the .asc File. Afterwards we grep the SHA512 checksum for CONTENTS.gz from the .asc file. Then we run openssl to compute the SHA512 checksum on the actual stage 3. Compare the two SHA512 checksums, they have to be identical. If they are, continue with extracting the tarball:
mv stage3-amd64-hardened-selinux-*.tar.xz /mnt/
cd /mnt/
tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
mount /dev/md/1 /mnt/boot/
Now we can prepare the chroot:
cp --dereference /etc/resolv.conf /mnt/etc/
mount --types proc /proc /mnt/proc
mount --rbind /sys /mnt/sys
mount --make-rslave /mnt/sys
mount --rbind /dev /mnt/dev
mount --make-rslave /mnt/dev
mkdir /mnt/hostlvm
mount --bind /run/lvm /mnt/hostlvm
chroot /mnt/gentoo /bin/bash
ln -s /hostlvm /run/lvm
source /etc/profile
export PS1="(chroot) ${PS1}"
Now we can configure portage:
mkdir /etc/portage/repos.conf
cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
echo 'MAKEOPTS="-j6"' >> /etc/portage/make.conf
echo 'USE="systemd ipv6"' >> /etc/portage/make.conf
sed -i 's/^COMMON_FLAGS.*/COMMON_FLAGS="-march=native -O2 -pipe"/g' /etc/portage/make.conf
emerge --sync
emerge --ask --verbose --update --deep --newuse @world
emerge --depclean
echo '=sec-policy/selinux-base-policy-9999 **' >> /etc/portage/package.accept_keywords
# set profile to hardened..., see eselect profile list
emerge --ask --verbose --unmerge sysvinit eudev
echo 'sys-fs/mdadm static' >> /etc/portage/package.use/mdadm
echo 'sys-fs/lvm2 lvm2create_initr' >> /mnt/etc/portage/package.use/lvm2
echo 'app-admin/puppet augeas diff doc rrdtool' > /etc/portage/package.use/puppet
emerge --ask --autounmask-write --verbose sys-kernel/gentoo-sources sys-apps/systemd vim htop nload iftop iptraf-ng strace lsof gentoolkit intel-microcode pciutils genkernel dstat grub mdadm lvm2 smartmontools dropbear ccze fail2ban tcpdump dev-vcs/git puppet dfc gptfdisk ethtool net-misc/ipcalc ndisc6
echo 'LANG="en_US.utf8"' >> /etc/locale.conf
# setup /etc/systemd/network/50-dhcp.network
mdadm --detail --scan >> /etc/mdadm.conf
sed -i 's/.*LVM=.*/LVM="yes"/' /etc/genkernel.conf
sed -i 's/.*MICROCODE=.*/MICROCODE="yes"/' /etc/genkernel.conf
sed -i 's/.*SSH=.*/SSH="yes"/' /etc/genkernel.conf
sed -i 's/.*BUSYBOX=.*/BUSYBOX="yes"/' /etc/genkernel.conf
sed -i 's/.*MDADM=.*/MDADM="yes"/' /etc/genkernel.conf
sed -i 's/.*E2FSPROGS=.*/E2FSPROGS="yes"/' /etc/genkernel.conf
genkernel all
sed -i 's/.*GRUB_DISABLE_SUBMENU.*/GRUB_DISABLE_SUBMENU=y/g' /etc/default/grub
sed -i 's/.*GRUB_TIMEOUT=.*/GRUB_TIMEOUT=15/g' /etc/default/grub
sed -i 's|.*#GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd dolvm domdadm dossh rootfstype=ext4"|' /etc/default/grub
for dev in /dev/nvme?n1; do grub-install "${dev}"; done
grub-mkconfig -o /boot/grub/grub.cfg
# get UUID with `blkid /dev/mapper/vg0-root /dev/md1` and update /etc/fstab
passwd
mkdir ~/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKC4uaKuYzMGK4jlTvPlbnMP9n+gdac65480/eDTMWRw bastelfreak" > ~/.ssh/authorized_keys
sed -i 's/.*PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
systemctl enable systemd-networkd sshd
Setup language/locales
echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
# verify that our locale is present:
locale -a | grep en_US.utf8
eselect locale set en_US.utf8
echo 'dns_domain_lo="bastelfreak.org"' >> /etc/conf.d/net
echo 'hostname="hypervisor01"' >> /etc/conf.d/hostname
. /etc/profile
env-update && source /etc/profile
Setup timesyncd and DNS
sed -i 's/#NTP=/NTP=ntp1.hetzner.de ntp2.hetzner.com ntp3.hetzner.net/' /etc/systemd/timesyncd.conf
rm /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Berlin /etc//localtime
sed -i 's/#DNS=/DNS=2a01:4f8:0:1::add:1010 2a01:4f8:0:1::add:9999 2a01:4f8:0:1::add:9898/' /etc/systemd/resolved.conf
sed -i 's/#Domains=/Domains=bastelfreak.org/' /etc/systemd/resolved.conf
systemctl enable systemd-timesyncd systemd-resolved
Now we can reboot! I suggest to configure a password first and/or create a user. After the first boot we can continue with some fancy pancy stuff:
Setup LLDP:
echo 'net-misc/lldpd jansson' > /etc/portage/package.use/lldpd
emerge --ask lldpd
systemctl enable lldpd
systemctl start lldpd
Setup all the fancy dotfiles:
cd ~
git clone https://github.com/bastelfreak/scripts.git
ln -s ~/scripts/vimrc ~/.vimrc
ln -s ~/scripts/bashrc ~/.bashrc
ln -s ~/scripts/bash_profile ~/.bash_profile
mkdir -p ~/.vim/backupdir/
mkdir ~/.vim/ftplugin
echo "set colorcolumn=80" >> ~/.vim/ftplugin/tex.vim
git clone https://github.com/gmarik/Vundle.vim.git ~/.vim/bundle/Vundle.vim
vim +PluginInstall +qall
And last but not least, you might want to run some virtual machines, so install Qemu and Libvirt:
echo 'app-emulation/libvirt zeroconf virt-network pcap parted lvm' > /etc/portage/package.use/libvirt
echo 'app-emulation/qemu spice virtfs usb usbredir' > /etc/portage/package.use/qemu
emerge --ask qemu libvirt ebtables dmidecode openvswitch bridge-utils
dispatch-conf
emerge --ask qemu libvirt ebtables dmidecode openvswitch bridge-utils
systemctl enable ovsdb-server
systemctl start ovsdb-server
systemctl start ovs-vswitchd
systemctl enable ovs-vswitchd
ovs-vsctl add-br br0
You now have a proper Gentoo box. I suggest to configure at least backups and a firewall. Please keep in mind that Gentoo is a rolling release distribution, so some of the commands might be obsolete after some time or you need to configure something differently. Still, this walkthrough should give you a good first impression.