
Difference between revisions of "Gentoo Installation"

From NetSec
Line 11: Line 11:
 
= Virtual Machine Setup =
 
= Virtual Machine Setup =
  
If you want to set up Gentoo within a virtual machine you will need at least:
+
If you are not using VM software like VMWare or Virtualbox, you can safely ignore this. Otherwise, make sure your VM has:
 
+
* Around 512mb to a gig of RAM
*Around 512MB to 1GB of RAM
+
* At least 10GB HDD
*At least 10GB HDD
+
* Networking features enabled
*Networking features enabled
+
* Preferably multiple cores on an x86_64 processor
*Preferably multiple cores on an x86_64 processor
+
  
 
=Hard Drive Setup=
 
=Hard Drive Setup=
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 25: Line 23:
 
cfdisk /dev/sda
 
cfdisk /dev/sda
 
</syntaxhighlight>
 
</syntaxhighlight>
 
  
 
*cfdisk will then bring you into an ncurses gui.
 
*cfdisk will then bring you into an ncurses gui.
 
 
Use cfdisk to:
 
Use cfdisk to:
  
#Create 100MB Partition Bootable at the Beginning
+
* Create 100MB Partition Bootable at the Beginning
#Create 2048MB Partition at the beginning
+
* Create 2048MB Partition at the beginning
#Create remaining free space partition at the beginning
+
* Create remaining free space partition at the beginning
  
 
Choose to Write tables to disk, and then exit.
 
Choose to Write tables to disk, and then exit.
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 48: Line 43:
  
 
For the below line, you can simply press the TAB button after stage3 and it will automatically complete the command, just press enter to confirm it:
 
For the below line, you can simply press the TAB button after stage3 and it will automatically complete the command, just press enter to confirm it:
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
Line 55: Line 49:
 
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
 
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
 
</syntaxhighlight>
 
</syntaxhighlight>
 
  
 
Okay, now you've set up your hard drives, downloaded a copy of gentoo on your live environment, and copied resolv.conf over.
 
Okay, now you've set up your hard drives, downloaded a copy of gentoo on your live environment, and copied resolv.conf over.
Line 67: Line 60:
 
if it isn't working, try the following:
 
if it isn't working, try the following:
 
  {{info|you might need to do this each time you reboot}}
 
  {{info|you might need to do this each time you reboot}}
<pre>
+
<pre>  
 
+
ifconfig eth0 down && ifconfig eth0 up
    ifconfig eth0 down && ifconfig eth0 up
+
dhcpcd eth0
    dhcpcd eth0
+
 
</pre>
 
</pre>
 
 
----
 
  
 
=Base installation and Configuration=
 
=Base installation and Configuration=
  
 
+
   {{info| Remember the number in the output of this command, you will need it later.}}
   {{warning| Remember the number in the output of this command, you will need it later.}}
+
 
<pre>
 
<pre>
 
grep -ci "processor" /proc/cpuinfo
 
grep -ci "processor" /proc/cpuinfo
Line 85: Line 73:
  
 
Download & Extract portage to /mnt/gentoo/usr/
 
Download & Extract portage to /mnt/gentoo/usr/
    cd /mnt/gentoo/usr/
+
<pre>
    wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2
+
cd /mnt/gentoo/usr/
    tar xvjf portage-latest.tar.bz2
+
wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2
 +
tar xvjf portage-latest.tar.bz2
 +
</pre>
  
 
Open make.conf in nano.
 
Open make.conf in nano.
    cd /mnt/gentoo/etc/
+
<pre>
    nano make.conf
+
cd /mnt/gentoo/etc/
 
+
nano make.conf
 +
</pre>
  
 
Modify make.conf as follows:  
 
Modify make.conf as follows:  
Line 113: Line 104:
 
     PORTAGE_NICENESS="12"
 
     PORTAGE_NICENESS="12"
  
   
 
 
</pre>
 
</pre>
  
 
+
Now press ^x Y Enter to save and quit, this is {{Key|CTRL}}+{{Key|X}} -> {{Key|Y}} -> {{Key|ENTER}}
 
+
 
+
 
+
 
+
 
+
  
 
=CHROOT=
 
=CHROOT=
 
{{info| You will have to return to this part each time you reboot until the installation is finished.}}
 
{{info| You will have to return to this part each time you reboot until the installation is finished.}}
  
 
+
<syntaxhighlight lang="bash">
 
     mount /dev/sda3 /mnt/gentoo
 
     mount /dev/sda3 /mnt/gentoo
 
     swapon /dev/sda2
 
     swapon /dev/sda2
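Review bot: the portage snapshot (`wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2`) and the stage3 tarball fetched the same way earlier are pulled over plain HTTP from a third-party mirror and unpacked with `tar xvjf` with no integrity check, so a tampered mirror or an on-path attacker gets arbitrary code into the new system before grsecurity is even built. Suggest adding the verification step to this hunk: download the .DIGESTS / .DIGESTS.asc file Gentoo publishes beside each tarball, compare the SHA512 with the downloaded file, and verify the release signature with gpg before extracting.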
Line 133: Line 118:
 
     mount -t proc none /mnt/gentoo/proc
 
     mount -t proc none /mnt/gentoo/proc
 
     chroot /mnt/gentoo /bin/bash --login
 
     chroot /mnt/gentoo /bin/bash --login
 +
</syntaxhighlight>
  
 
You only need to run gcc-config the first time around.
 
You only need to run gcc-config the first time around.
    gcc-config 1  
+
<pre>
 
+
gcc-config 1  
    env-update
+
env-update
 +
</pre>
  
 
The following line helps remember where you are.
 
The following line helps remember where you are.
    export PS1="chroot) $PS1"
+
<pre>
 
+
export PS1="chroot) $PS1"
 +
</pre>
 
=Installing Software=
 
=Installing Software=
  
 
This requires a working internet connection, test your connection with ping:
 
This requires a working internet connection, test your connection with ping:
 
+
<pre>
  ping -c 2 google.com
+
ping -c2 google.com
 +
</pre>
  
 
If you cannot ping, try issuing the following:
 
If you cannot ping, try issuing the following:
  
echo nameserver 4.2.2.1 > /etc/resolv.conf
+
<pre>
echo nameserver 4.2.2.2 >> /etc/resolv.conf
+
echo nameserver 4.2.2.1 > /etc/resolv.conf
 +
echo nameserver 4.2.2.2 >> /etc/resolv.conf
 +
</pre>
  
 
Sync your repos:
 
Sync your repos:
  emerge -q --sync
+
<pre>
 +
emerge -q --sync
 +
</pre>
 +
 
 
if it tells you that an update to portage is availible then do the following
 
if it tells you that an update to portage is availible then do the following
 
   emerge -q portage
 
   emerge -q portage
  
 
otherwise, continue from here:
 
otherwise, continue from here:
 
+
<pre>
    emerge -q axel
+
emerge -q axel
 +
</pre>
  
 
Let's edit make.conf again:
 
Let's edit make.conf again:
 +
<pre>
 +
nano -w /etc/make.conf
 +
</pre>
 +
<pre>
 +
# put this at the bottom of make.conf
 +
FETCHCOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"
 +
RESUMECOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"
 +
</pre>
  
 
+
Press {{Key|CTRL}}+{{Key|X}} -> {{Key|Y}} -> {{Key|ENTER}} to quit
    nano -w /etc/make.conf
+
 
+
    # put this at the bottom of make.conf
+
    FETCHCOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"
+
    RESUMECOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"
+
    # ^x Y Enterto save and quit
+
 
+
  
 
Now that you're package manager is set up, execute the following command:
 
Now that you're package manager is set up, execute the following command:
 +
<pre>
 +
emerge -qN pciutils coreutils baselayout hardened-sources world
 +
</pre>
  
    emerge -qN pciutils coreutils baselayout hardened-sources world
 
  
 
=Encrypted Home Dir=
 
=Encrypted Home Dir=
 
create /crypt/ directory to store home.dm
 
create /crypt/ directory to store home.dm
    mkdir /crypt
+
<pre>
    touch /crypt/home.dm
+
mkdir /crypt
 +
touch /crypt/home.dm
 +
</pre>
  
 
Install cryptsetup
 
Install cryptsetup
    echo "sys-fs/cryptsetup static-libs" >> /etc/portage/package.use
+
<pre>
    emerge -q cryptsetup
+
echo "sys-fs/cryptsetup static-libs" >> /etc/portage/package.use
 
+
emerge -q cryptsetup
 +
</pre>
  
  
 
replace XXX in the command below with the size in GB (Gigabytes) you want your home to be.
 
replace XXX in the command below with the size in GB (Gigabytes) you want your home to be.
 
if you are not sure, run 'df -h' and use perhaps a quarter of the size of sda3
 
if you are not sure, run 'df -h' and use perhaps a quarter of the size of sda3
    dd if=/dev/zero of=/crypt/home.dm bs=1024 count=$(head -1 /etc/make.conf|awk '{print XXX * 1024^2}')
+
<pre> 
 
+
dd if=/dev/zero of=/crypt/home.dm bs=1024 count=$(head -1 /etc/make.conf|awk '{print XXX * 1024^2}')
 
+
</pre>
    losetup /dev/loop1 /crypt/home.dm
+
<pre>
 
+
losetup /dev/loop1 /crypt/home.dm
    cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1
+
cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1
 
+
cryptsetup luksOpen /dev/loop1 home
    cryptsetup luksOpen /dev/loop1 home
+
emerge -q reiserfsprogs
 
+
mkfs.reiserfs /dev/mapper/home
    emerge -q reiserfsprogs
+
mount -o loop /dev/mapper/home /home
 
+
</pre>
    mkfs.reiserfs /dev/mapper/home
+
 
+
    mount -o loop /dev/mapper/home /home
+
  
 
open /etc/init.d/home in nano:
 
open /etc/init.d/home in nano:
Line 211: Line 209:
 
make the file look like this:
 
make the file look like this:
  
 
+
<pre>
    #########
+
#########
    #!/sbin/runscript
+
#!/sbin/runscript
    # Copyright 1999-2011 Gentoo Foundation
+
# Copyright 1999-2011 Gentoo Foundation
    # Distributed under the terms of the GNU General Public License v2
+
# Distributed under the terms of the GNU General Public License v2
    # $Header: $
+
# $Header: $
    depend() {
+
depend() {
    true
+
true
    }
+
}
    start() {
+
start() {
    losetup /dev/loop1 /crypt/home.dm
+
losetup /dev/loop1 /crypt/home.dm
    cryptsetup luksOpen /dev/loop1 home
+
cryptsetup luksOpen /dev/loop1 home
    mount -o loop /dev/mapper/home /home
+
mount -o loop /dev/mapper/home /home
    }
+
}
    stop() {
+
stop() {
    umount /home
+
umount /home
    cryptsetup luksClose home
+
cryptsetup luksClose home
    losetup -d /dev/loop1
+
losetup -d /dev/loop1
    }
+
}
    restart() {
+
restart() {
    stop
+
stop
    start
+
start
    }
+
}
    ##########
+
##########
 
+
</pre>
  
  
 
Once you're done with that:
 
Once you're done with that:
 +
<pre>
 +
chmod +x /etc/init.d/home
 +
rc-update add home default
 +
</pre>
  
    chmod +x /etc/init.d/home
+
{{Info|If you have rebooted, do the following:}}
    rc-update add home default
+
<pre>
 +
mount /dev/sda3 /mnt/gentoo
 +
mount /dev/sda1 /mnt/gentoo/boot
 +
swapon /dev/sda2
 +
mount -t proc none /mnt/gentoo/proc
 +
mount -o bind /dev /mnt/gentoo/dev
 +
chroot /mnt/gentoo /bin/bash --login
 +
</pre>
  
 
=Kernel=
 
=Kernel=
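Review bot: `cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1` names a cipher with no mode or IV generator (cryptsetup 1.x then falls back to its cbc-plain default) and picks a 64-bit-block cipher for the user's long-lived home volume; blowfish's small block size and CBC are a weak choice for disk encryption. Suggest `cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha256 /dev/loop1` and adjusting the cryptographic API items in the kernel checklist later in the page to match, since dm-crypt needs that cipher built in. Two smaller points in the same region: `mount -o loop /dev/mapper/home /home` stacks a needless loop device on top of the dm-crypt mapping, plain `mount /dev/mapper/home /home` is what is wanted both on the shell line and in the init script; and the `dd` size expression `count=$(head -1 /etc/make.conf|awk '{print XXX * 1024^2}')` reads make.conf only to make awk run once, `count=$((XXX * 1024 * 1024))` says the same without that dependency.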
Line 248: Line 257:
 
     FOUND </nowiki>}}
 
     FOUND </nowiki>}}
 
{{info| If ls /mnt/gentoo returns something other than file not found, do the following}}
 
{{info| If ls /mnt/gentoo returns something other than file not found, do the following}}
 
+
<pre>
    mount /dev/sda3 /mnt/gentoo
+
mount /dev/sda3 /mnt/gentoo
 
+
mount /dev/sda1 /mnt/gentoo/boot
    mount /dev/sda1 /mnt/gentoo/boot
+
swapon /dev/sda2
 
+
mount -t proc none /mnt/gentoo/proc
    swapon /dev/sda2
+
mount -o bind /dev /mnt/gentoo/dev
 
+
chroot /mnt/gentoo /bin/bash --login
    mount -t proc none /mnt/gentoo/proc
+
</pre>
 
+
    mount -o bind /dev /mnt/gentoo/dev
+
 
+
    chroot /mnt/gentoo /bin/bash --login
+
  
 
Otherwise continue on here:
 
Otherwise continue on here:
  
 
+
<pre>
    cd /usr/src/linux
+
cd /usr/src/linux
 
+
groupadd audit  
    groupadd audit
+
grep audit /etc/group  
+
groupadd blackhole  
    grep audit /etc/group
+
grep blackhole /etc/group
+
</pre>
    groupadd blackhole
+
+
    grep blackhole /etc/group
+
 
+
  
 
{{warning | confirm you get stuff returned to you after each grep. these numbers you're seeing are GIDs for RBAC}}
 
{{warning | confirm you get stuff returned to you after each grep. these numbers you're seeing are GIDs for RBAC}}
 
    groupadd clients
 
 
    grep clients /etc/group
 
 
    groupadd services
 
 
    grep services /etc/group
 
 
  
{{warning| again, confirm you are getting information when you grep.  you probably want to write those id's down}}
+
<pre>
 +
groupadd clients
 +
grep clients /etc/group
 +
groupadd services
 +
grep services /etc/group
 +
</pre>
  
    wget http://paste.pocoo.org/raw/430946
+
{{warning| Again, confirm you are getting information when you grep. you probably want to write those id's down}}
  
    mv 430946 .config
+
<pre>
 +
wget http://paste.pocoo.org/raw/430946
 +
mv 430946 .config
 +
</pre>
 +
Now you can
 +
<pre>
 +
emerge -q wgetpaste
 +
lspci -n | wgetpaste
 +
</pre>
  
now you can
+
Open provided url in browser, paste into the following website or:
 +
<pre>
 +
passwd
 +
</pre>
  
    emerge -q wgetpaste
+
Now type in a password twice.
  
    lspci -n | wgetpaste
+
To start the SSHD run:
 
+
<pre>
open provided url in browser, paste into the following website or:
+
/etc/init.d/sshd start
    passwd
+
</pre>
 
+
type in a password twice
+
    /etc/init.d/sshd start
+
 
download PuTTy on your main/host pc and use it to connect to the ipaddress of the vm/box, you can find out the ip with
 
download PuTTy on your main/host pc and use it to connect to the ipaddress of the vm/box, you can find out the ip with
    ifconfig
+
<pre>
 +
ifconfig
 +
</pre>
 
you connect on port 22 (ssh)
 
you connect on port 22 (ssh)
    lspci -n
+
<pre>
 +
lspci -n
 +
</pre>
 
copy and paste this to the following website:  
 
copy and paste this to the following website:  
 
http://kmuto.jp/debian/hcl/
 
http://kmuto.jp/debian/hcl/
 
  
  
 
if you need to, take a note of each entry under 'drivers'
 
if you need to, take a note of each entry under 'drivers'
 
+
<pre>
 
+
make menuconfig
 
+
</pre>
 
+
 
+
    make menuconfig
+
 
+
 
search for 'dm_crypt' with the / key from the main menu - this should open a search box.
 
search for 'dm_crypt' with the / key from the main menu - this should open a search box.
 
you will see the location of dm_crypt in the menu, and whether it is [=y] (enabled) or [=n] (disabled)
 
you will see the location of dm_crypt in the menu, and whether it is [=y] (enabled) or [=n] (disabled)
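Review bot: `wget http://paste.pocoo.org/raw/430946` followed by `mv 430946 .config` builds the hardened kernel from an anonymous pastebin fetched over HTTP, so the security configuration the rest of this section relies on comes from a source that cannot be verified and can change or disappear at any time. Suggest shipping the .config with the article (or at least its checksum) and telling the reader to review it in `make menuconfig` against the checklist that follows rather than trusting the paste blindly. Also, the `passwd` / `/etc/init.d/sshd start` / PuTTY steps enable root password logins to the box from the host; that is tolerable on a host-only VM network but the text should say so, and point the reader at the normal user account created later under X Server for SSH instead of root.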
Line 328: Line 332:
 
replace every - in a driver name with a _
 
replace every - in a driver name with a _
  
also, verify that all the following settings are correct:
+
Also, verify that all the following settings are correct:
  
 
* Disable loadable module support
 
* Disable loadable module support
Line 360: Line 364:
 
* Put the gid to 'audit' in the proc gid as well as the kernel auditing pid
 
* Put the gid to 'audit' in the proc gid as well as the kernel auditing pid
  
exit, saving the config
+
now exit, saving the config
  
 
put the number of processors you have +1 instead of ?, for example -j5 if you have 4 cores
 
put the number of processors you have +1 instead of ?, for example -j5 if you have 4 cores
    make -j?
+
<pre>
 +
make -j?
 +
</pre>
  
 
make sure boot is mounted, this should NOT say file not found, exit from chroot and remount /mnt/gentoo/boot, then chroot in again if you get an error
 
make sure boot is mounted, this should NOT say file not found, exit from chroot and remount /mnt/gentoo/boot, then chroot in again if you get an error
    ls /boot
+
<pre>
 +
ls /boot
 +
</pre>
  
replace XXX below with your architecture (x86 for 32bit, x86_64 for 64bit)
+
Replace XXX below with your architecture (x86 for 32bit, x86_64 for 64bit)
    cp /usr/src/linux/arch/XXX/boot/bzImage /boot/bzImage
+
 
 +
<pre>
 +
cp /usr/src/linux/arch/XXX/boot/bzImage /boot/bzImage
 +
</pre>
 
if you ever need to repeat this, make clean before reconfiguring your kernel and adding/removing stuff
 
if you ever need to repeat this, make clean before reconfiguring your kernel and adding/removing stuff
you can read much more about kernel configuration at kernel-seeds.org, this website contains premade, stripped
+
You can read much more about kernel configuration at http://kernel-seeds.org, this website contains premade, stripped kernels and step-by-step guides on configuring your own kernel from scratch, with detailed notes on every option.
kernels and step-by-step guides on configuring your own kernel from scratch, with detailed notes on every option
+
It's great to check out if you are unsure about anything, and will really help the learning process.
it's great to check out if you are unsure about anything, and will really help the learning process :)
+
  
 
=Final Configurations=
 
=Final Configurations=
Line 459: Line 469:
  
  
=xserver=
+
=X Server=
 +
 
 +
{{Warning|Never run the X Server as root!}}
 +
{{Info|Make sure your home directory is encrypted before we begin}}
 +
 
 +
<pre>nano /etc/make.conf</pre>
 +
Add the following line with the correct driver for your card, ie. noveau for nvidia, radeon for radeon, vmware for vmware, virtualbox for virtualbox or intel for intel:
 +
 
 +
<pre>VIDEO_CARDS="driver"</pre>
 +
 
 +
Also add the following line if you are on a PC or VM:
 +
<pre>INPUT_DEVICES="evdev"</pre>
 +
Or this line if you are on a laptop:
 +
<pre>INPUT_DEVICES="evdev synaptics"</pre>
 +
 
 +
*Make sure that the correct driver for your graphics card is built into the kernel, return to the kernel section to do this if you have not already.
 +
*Make sure you have udev in your USE flag in /etc/make.conf
 +
 
 +
now to install the X server and window manager
 +
<pre>
 +
emerge -q xorg-drivers
 +
emerge -q xorg-server
 +
emerge -q fluxbox
 +
emerge -q aterm # transparent terminal!
 +
emerge -q conky # system monitoring tool
 +
emerge -q sudo
 +
</pre>
 +
 
 +
Now edit /etc/sudoers to your own preference, you only need to remove the comment before the %wheel sudo access with NOPASSWD, OR the one using password. make sure to add the user to the wheel group with
 +
<pre>gpasswd -a wheel username</pre>
 +
 
 +
Also add the following line:
 +
 
 +
*32 bit users:
 +
<pre>%wheel ALL = (firefox) NOPASSWD: /usr/lib64/firefox/firefox</pre>
 +
*64 bit users:
 +
<pre>%wheel ALL = (firefox) NOPASSWD: /usr/lib32/firefox/firefox</pre>
 +
 
 +
To make fluxbox start with the x server:
 +
<pre>
 +
mkdir -p /etc/X11/xinit
 +
echo "exec startfluxbox" > /etc/X11/xinit/xinitrc
 +
</pre>
 +
 
 +
For virtualbox, check out <a href="http://en.gentoo-wiki.com/wiki/Virtualbox_Guest">http://en.gentoo-wiki.com/wiki/Virtualbox_Guest</a> for a guide to enable copy-paste between host/vm etc.
 +
 
 +
<pre>
 +
/etc/init.d/udev start
 +
rc-update add udev sysinit
 +
</pre>
 +
 
 +
If you don't have a basic user account already, make one now.
 +
 
 +
now exit from root, login as a normal user and type:
 +
<pre>startx</pre>
 +
This will run the x server.
 +
 
 +
O a terminal by right clicking and choosing to open xterm
 +
<pre>sudo useradd -m -G clients -U firefox</pre>
 +
 
 +
{{Info|The following script is a little buggy and prevents firefox from launching if it takes more than 1 second for it to read the Xauthority file, so if that happens just bump up the sleep value.}}
 +
 
 +
You could also create sandfox in your ~/bin as described under the security section below, in that case just replace /usr/bin/sandfox with ~/bin/sandfox from now on.
 +
 
 +
<pre>sudo nano /usr/bin/sandfox</pre>
 +
Add the following:
 +
<pre>
 +
cp $HOME\/.Xauthority /tmp/$USER\.firefox.Xauthority
 +
chmod 777 /tmp/$USER\.firefox.Xauthority
 +
( ( env XAUTHORITY=/tmp/$USER\.firefox.Xauthority sudo -u firefox /usr/lib64/firefox/firefox $1 & ) & )
 +
sleep 1
 +
rm /tmp/$USER\.firefox.Xauthority
 +
</pre>
 +
 
 +
Now to make it executable
 +
<pre>sudo chmod +x /usr/bin/sandfox</pre>
 +
 
 +
{{Info|All history and profiles will be saved in firefox's home directory instead of yours, take note of this. you can pass paramaters such as -private by running, eg /usr/bin/sandfox -private}}
 +
 
 +
<pre>
 +
sudo mkdir -p /etc/portage
 +
sudo echo "www-browser/firefox hardened" >> /etc/portage/package.use
 +
</pre>
 +
<pre>sudo emerge -q tint2 tintwizard</pre>
 +
 
 +
<pre>nano ~/.fluxbox/init</pre>
 +
Change change session.screen0.toolbar.visible: to false
 +
 
 +
To enable dropshadows and fading:
 +
<pre>sudo emerge -q xcompmgr</pre>
 +
 
 +
<pre>~/.fluxbox/startup</pre>
 +
Add, at the end of Applications you want to start with Fluxbox:
 +
<pre>xcompmgr -c -r 6 -f -D 5 -t -9 -l -9 &
 +
tint2 &</pre>
 +
 
 +
Make sure the last line is exec fluxbox
 +
 
 +
<pre>nano ~/.fluxbox/menu</pre>
 +
 
 +
Change every occurance of xterm to 'aterm -tr -trsb -sh 40' without the '', if xterm is being used to execute something else, add -e so 'aterm -tr -trsb -sh 40 -e sudo -s' for an automatic root terminal.
 +
 
 +
Add sandfox, it should be pretty easy to figure out.
 +
 
 +
For fluxbox themes you can check out box-looks.org.
  
  

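Review bot: the sandfox script in this hunk copies the user's X cookie and runs `chmod 777 /tmp/$USER\.firefox.Xauthority`, making the MIT-MAGIC-COOKIE world-readable for the one-second window (longer whenever the sleep is bumped as the note above suggests); any local account, including a compromised sandbox user, can read it and attach to the display, which undoes the point of running Firefox as a separate user. Suggest handing the cookie only to the firefox user, for example `sudo chown firefox: /tmp/$USER.firefox.Xauthority` followed by `chmod 600`, or `xauth extract` / `xauth merge` into that user's own Xauthority, and giving the script a `#!/bin/sh` line. Three further defects in the same region: `gpasswd -a wheel username` has its arguments reversed (`gpasswd -a username wheel`); the two sudoers lines are labelled the wrong way round (32-bit users are given `/usr/lib64/firefox/firefox` and 64-bit users `/usr/lib32/firefox/firefox`); and `sudo echo "www-browser/firefox hardened" >> /etc/portage/package.use` performs the redirection in the unprivileged shell, so it fails with permission denied, use `echo "www-browser/firefox hardened" | sudo tee -a /etc/portage/package.use` instead.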
Revision as of 14:59, 10 May 2012

Warning: You are viewing an article in progress. This entry is unfinished.

Gentoo is a source-based Linux distribution: source-based means every application is compiled locally.

You can download a copy of Gentoo here

To install Gentoo, you will need to create a Bootable LiveCD or LiveUSB.

There are many ways one could create a LiveCD or LiveUSB, but that is outside the scope of this article.

Virtual Machine Setup

If you are not using VM software like VMWare or Virtualbox, you can safely ignore this. Otherwise, make sure your VM has:

  • Around 512MB to 1GB of RAM
  • At least 10GB HDD
  • Networking features enabled
  • Preferably multiple cores on an x86_64 processor

Hard Drive Setup

<syntaxhighlight lang="bash">
ls /dev | grep sd
cfdisk /dev/sda
</syntaxhighlight>

  • cfdisk will then bring you into an ncurses gui.

Use cfdisk to:

  • Create 100MB Partition Bootable at the Beginning
  • Create 2048MB Partition at the beginning
  • Create remaining free space partition at the beginning

Choose to Write tables to disk, and then exit.

<syntaxhighlight lang="bash">
mkfs.ext2 /dev/sda1
mkswap /dev/sda2
mkfs.reiserfs /dev/sda3
mount -t reiserfs /dev/sda3 /mnt/gentoo ; cd /mnt/gentoo
wget http://gentoo.arcticnetwork.ca/releases/x86/current-stage3/stage3-i686-20110614.tar.bz2
</syntaxhighlight>


For the first line below, you can simply press TAB after stage3 and the shell will complete the filename; press Enter to run it:

<syntaxhighlight lang="bash">
tar xvpjf stage3*
swapon /dev/sda2
cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
</syntaxhighlight>

Okay, now you've set up your hard drives, downloaded a copy of gentoo on your live environment, and copied resolv.conf over. Before continuing make sure you can access the internet.

You can test this by pinging Google:

ping -c 2 google.com

If it isn't working, try the following:

Info: you might need to do this each time you reboot

ifconfig eth0 down && ifconfig eth0 up
dhcpcd eth0

Base installation and Configuration

Info: Remember the number in the output of this command, you will need it later.

grep -ci "processor" /proc/cpuinfo

Download & Extract portage to /mnt/gentoo/usr/

cd /mnt/gentoo/usr/
wget http://gentoo.arcticnetwork.ca/releases/snapshots/current/portage-latest.tar.bz2
tar xvjf portage-latest.tar.bz2

Open make.conf in nano.

cd /mnt/gentoo/etc/
nano make.conf

Modify make.conf as follows:

Warning: Do not modify the CHOST, this will cause problems!

    CFLAGS="-fstack-protector-all -fforce-addr -Os -pipe -march=native"
    CXXFLAGS="${CFLAGS}"

    FEATURES="metadata-transfer sandbox candy parallel-fetch"

    USE="gtk truetype postgres freetype jpg jpeg png gif imap ttf winscp passwd scp X gnutls mysql v4l2 extras lisp threads ithreads acpi bash-completion bzip2 crypt cracklib css ctype apache2 curl curlwrappers dbus encode ftp gcj gd geoip udev ipv6 lua ncurses nsplugin python readline sockets socks5 sqlite sse sse2 ssl suid unicode vim-syntax xml php perlsuid"

    # Replace Y with the output of the grep command and X with the returned number +1. For one core, you'd have "--jobs=1" and "-j2".
    MAKEOPTS="-jX -s"
    # Only use the below line if you have a multicore CPU or multiple processors
    # EMERGE_DEFAULT_OPTS="--jobs=Y --load-average=1.5"
    PORTAGE_NICENESS="12"

Now press ^X Y Enter to save and quit, that is CTRL+X -> Y -> ENTER.

CHROOT

Info: You will have to return to this part each time you reboot until the installation is finished.

<syntaxhighlight lang="bash">
mount /dev/sda3 /mnt/gentoo
swapon /dev/sda2
mount /dev/sda1 /mnt/gentoo/boot
mount -o bind /dev /mnt/gentoo/dev
mount -t proc none /mnt/gentoo/proc
chroot /mnt/gentoo /bin/bash --login
</syntaxhighlight>

You only need to run gcc-config the first time around.

gcc-config 1 
env-update

The following line helps remember where you are.

export PS1="chroot) $PS1"

Installing Software

This requires a working internet connection, test your connection with ping:

 ping -c2 google.com

If you cannot ping, try issuing the following:

echo nameserver 4.2.2.1 > /etc/resolv.conf
echo nameserver 4.2.2.2 >> /etc/resolv.conf

Sync your repos:

 emerge -q --sync

If it tells you that an update to portage is available, then do the following:

 emerge -q portage

Otherwise, continue from here:

emerge -q axel

Let's edit make.conf again:

nano -w /etc/make.conf

Put this at the bottom of make.conf:

    FETCHCOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"
    RESUMECOMMAND="/usr/bin/axel -n 8 -o /\${DISTDIR}/\${FILE} -a \${URI}"

Press CTRL+X -> Y -> ENTER to save and quit.

Now that your package manager is set up, execute the following command:

emerge -qN pciutils coreutils baselayout hardened-sources world


Encrypted Home Dir

Create the /crypt/ directory to store home.dm:

mkdir /crypt
touch /crypt/home.dm

Install cryptsetup:

echo "sys-fs/cryptsetup static-libs" >> /etc/portage/package.use
emerge -q cryptsetup


Replace XXX in the command below with the size in GB (gigabytes) you want your home to be. If you are not sure, run 'df -h' and use perhaps a quarter of the size of sda3.

# XXX GB expressed in 1024-byte blocks
dd if=/dev/zero of=/crypt/home.dm bs=1024 count=$((XXX * 1024 * 1024))
losetup /dev/loop1 /crypt/home.dm
cryptsetup luksFormat -h whirlpool -c blowfish /dev/loop1
cryptsetup luksOpen /dev/loop1 home
emerge -q reiserfsprogs
mkfs.reiserfs /dev/mapper/home
mount -o loop /dev/mapper/home /home

Open /etc/init.d/home in nano:

nano /etc/init.d/home

Make the file look like this:

#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

depend() {
    true
}

start() {
    losetup /dev/loop1 /crypt/home.dm
    cryptsetup luksOpen /dev/loop1 home
    mount -o loop /dev/mapper/home /home
}

stop() {
    umount /home
    cryptsetup luksClose home
    losetup -d /dev/loop1
}

restart() {
    stop
    start
}


Once you're done with that:

chmod +x /etc/init.d/home
rc-update add home default

Info: If you have rebooted, do the following:

mount /dev/sda3 /mnt/gentoo
mount /dev/sda1 /mnt/gentoo/boot
swapon /dev/sda2
mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash --login

Kernel

Warning: DOUBLE CHECK THAT YOU ARE IN A CHROOT BEFORE DOING THIS! ls /mnt/gentoo should return FILE NOT FOUND

Info: If ls /mnt/gentoo returns something other than file not found, do the following:

mount /dev/sda3 /mnt/gentoo
mount /dev/sda1 /mnt/gentoo/boot
swapon /dev/sda2
mount -t proc none /mnt/gentoo/proc
mount -o bind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash --login

Otherwise continue on here:

cd /usr/src/linux
groupadd audit
grep audit /etc/group
groupadd blackhole
grep blackhole /etc/group

Warning: confirm you get output after each grep. The numbers you see are the GIDs you will enter in the RBAC kernel options.

groupadd clients
grep clients /etc/group
groupadd services
grep services /etc/group

Warning: Again, confirm you are getting output when you grep. You probably want to write those IDs down.

wget http://paste.pocoo.org/raw/430946
mv 430946 .config

Now you can upload the PCI device list with wgetpaste:

emerge -q wgetpaste
lspci -n | wgetpaste

Open the URL it prints in a browser on your host and paste the list into the website given below. Alternatively, set a root password so you can SSH in from the host and copy the output from there:

passwd

Now type in a password twice.

To start the SSHD run:

/etc/init.d/sshd start

Download PuTTY on your main/host PC and use it to connect to the IP address of the VM/box; you can find out the IP with:

ifconfig

You connect on port 22 (SSH). Then run:

lspci -n

Copy and paste the output into the following website: http://kmuto.jp/debian/hcl/


If you need to, take a note of each entry under 'drivers', then run:

make menuconfig

Search for 'dm_crypt' with the / key from the main menu; this should open a search box. You will see the location of dm_crypt in the menu, and whether it is [=y] (enabled) or [=n] (disabled). You want to find it and enable it. Do not set it as 'M': that would make it a module, and for security reasons you are not using loadable modules. Do this for each driver from the above website, and make sure that they are all enabled. Some, such as graphics, can be safely left out (use vesa instead). If you have any worries, ask in #questions on IRC. When searching, replace every - in a driver name with a _.

Also, verify that all the following settings are correct:

  • Disable loadable module support
  • Disable virtualization on the kernel
  • Under general options, change kernel compression mode to LZMA
  • Under processor type and features, either A. put the processor type, if it's in the list, or B. select generic if unsure
  • In filesystems, you only want reiserfs depending on how you set it up. You do not want ext2; if it is enabled (Second Extended FS Support), DISABLE THIS.
  • Under security options, enable grsecurity
  • Under address space protection, enable active kernel exploit response
  • Under RBAC, enable 'Hide Kernel Processes'
  • Under filesystem protections, restrict /proc to user only
  • Under kernel auditing, enable every option except 'ELF TEXT Relocation'
  • Put the gid of 'audit' in the auditing gid
  • Enable everything under network protections
  • Put the gid of 'services' in the 'deny client sockets for group' gid
  • Put the gid of 'clients' in the 'deny server sockets for group' gid
  • Put the gid of 'blackhole' in the 'deny all sockets to any group' gid
  • Under logging options, "Add source ip addresses to AVC SELinux messages"
  • Under PaX control, change 'MAC system integration' to hook
  • Under misc. hardening features, you'll want to enable everything
  • Under non-executable pages, make sure 'Enforce non-executable pages' is enabled
  • Back in the main security options window, enable 'Restrict unprivileged access to the kernel syslog'
  • Enable Integrity Measurement Architecture
  • Under cryptographic API, we want AES of all flavors, whirlpool, and blowfish
  • Uncheck the Hardware Crypto Devices support
  • Under device drivers -> multi device support, enable dm_crypt
  • Block devices -> loopback device support, enable cryptoloop support
  • Under kernel hacking, enable strict copy size checks and disable kernel debugging
  • Put the gid of 'audit' in the proc gid as well as the kernel auditing gid
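As an added check, not part of the original wiki page, the script below verifies a finished .config against the checklist above: every option the list wants is built in (=y, never =m), the ones it wants off are unset, and the four grsecurity gid options carry the numeric ids of the audit, blackhole, clients and services groups from /etc/group. The CONFIG_* symbol names are assumed to be those of the hardened-sources kernels of the page's era, and the group file and configs it writes for the demonstration are constructed samples.

```shell
#!/bin/bash
# Added example, not from the original wiki page: check a kernel .config
# against the hardened-sources checklist above before running make.
# Assumption: the CONFIG_* names are those of the grsecurity/PaX
# hardened-sources kernels of the page's era; adjust them for other trees.

# Options the checklist wants built in: =y, never =m (no loadable modules).
REQUIRED_Y="CONFIG_KERNEL_LZMA CONFIG_REISERFS_FS CONFIG_GRKERNSEC
  CONFIG_GRKERNSEC_KERN_LOCKOUT CONFIG_GRKERNSEC_ACL_HIDEKERN
  CONFIG_GRKERNSEC_AUDIT_GROUP CONFIG_GRKERNSEC_SOCKET_ALL
  CONFIG_GRKERNSEC_SOCKET_CLIENT CONFIG_GRKERNSEC_SOCKET_SERVER
  CONFIG_PAX_NOEXEC CONFIG_SECURITY_DMESG_RESTRICT CONFIG_IMA
  CONFIG_CRYPTO_AES CONFIG_CRYPTO_WP512 CONFIG_CRYPTO_BLOWFISH
  CONFIG_DM_CRYPT CONFIG_BLK_DEV_CRYPTOLOOP CONFIG_DEBUG_STRICT_USER_COPY_CHECKS"

# Options the checklist wants off ("# CONFIG_FOO is not set" or absent).
REQUIRED_OFF="CONFIG_MODULES CONFIG_VIRTUALIZATION CONFIG_EXT2_FS
  CONFIG_CRYPTO_HW CONFIG_DEBUG_KERNEL"

# GID options and the group whose numeric id each must hold, exactly as the
# checklist assigns them (client sockets -> services, server sockets -> clients).
GID_MAP="CONFIG_GRKERNSEC_AUDIT_GID:audit
CONFIG_GRKERNSEC_SOCKET_ALL_GID:blackhole
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID:services
CONFIG_GRKERNSEC_SOCKET_SERVER_GID:clients"

# config_value CONFIG_FILE SYMBOL: print the value (y, m, a number) or nothing.
config_value() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# group_gid GROUP_FILE NAME: print the numeric gid of NAME from a group(5) file.
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3; exit }' "$1"
}

# check_config CONFIG_FILE GROUP_FILE
# Prints one line per violation and returns the number of violations (0 = ok).
check_config() {
    local cfg=$1 grp=$2 sym pair want val gid fails=0
    for sym in $REQUIRED_Y; do
        val=$(config_value "$cfg" "$sym")
        if [ "$val" != "y" ]; then
            echo "FAIL: $sym must be =y (found '${val:-unset}')"
            fails=$((fails + 1))
        fi
    done
    for sym in $REQUIRED_OFF; do
        val=$(config_value "$cfg" "$sym")
        if [ -n "$val" ]; then
            echo "FAIL: $sym must be off (found '$val')"
            fails=$((fails + 1))
        fi
    done
    for pair in $GID_MAP; do
        sym=${pair%%:*}
        want=${pair##*:}
        gid=$(group_gid "$grp" "$want")
        val=$(config_value "$cfg" "$sym")
        if [ -z "$gid" ]; then
            echo "FAIL: group '$want' is missing from $grp (run groupadd first)"
            fails=$((fails + 1))
        elif [ "$val" != "$gid" ]; then
            echo "FAIL: $sym must be $gid (gid of '$want'), found '${val:-unset}'"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# write_samples DIR: constructed sample inputs, not real system files: a group
# file with the four RBAC groups, a .config that passes, and one with three
# common mistakes (dm_crypt as a module, modules on, wrong client-socket gid).
write_samples() {
    local dir=$1 sym
    printf 'root:x:0:\naudit:x:1001:\nblackhole:x:1002:\n' > "$dir/group"
    printf 'clients:x:1003:\nservices:x:1004:\n' >> "$dir/group"
    {
        for sym in $REQUIRED_Y; do echo "$sym=y"; done
        for sym in $REQUIRED_OFF; do echo "# $sym is not set"; done
        echo "CONFIG_GRKERNSEC_AUDIT_GID=1001"
        echo "CONFIG_GRKERNSEC_SOCKET_ALL_GID=1002"
        echo "CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=1004"
        echo "CONFIG_GRKERNSEC_SOCKET_SERVER_GID=1003"
    } > "$dir/good.config"
    sed -e 's/^CONFIG_DM_CRYPT=y/CONFIG_DM_CRYPT=m/' \
        -e 's/^# CONFIG_MODULES is not set/CONFIG_MODULES=y/' \
        -e 's/^\(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID\)=1004/\1=1003/' \
        "$dir/good.config" > "$dir/bad.config"
}

# Usage on a real box: ./check_kernel_config.sh /usr/src/linux/.config /etc/group
if [ $# -eq 2 ]; then
    check_config "$1" "$2" && echo "OK: .config matches the checklist"
fi
```

Run it from inside the chroot after saving menuconfig and before `make`; a nonzero exit lists exactly which checklist items still differ.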

Now exit, saving the config.

Put the number of processors you have +1 instead of ?, for example -j5 if you have 4 cores:

make -j?

Make sure /boot is mounted; this should NOT say file not found. If you get an error, exit from the chroot, remount /mnt/gentoo/boot, then chroot in again:

ls /boot

Replace XXX below with your architecture (x86 for 32bit, x86_64 for 64bit)

cp /usr/src/linux/arch/XXX/boot/bzImage /boot/bzImage

If you ever need to repeat this, run make clean before reconfiguring your kernel and adding/removing things.

You can read much more about kernel configuration at http://kernel-seeds.org; this website contains premade, stripped kernels and step-by-step guides on configuring your own kernel from scratch, with detailed notes on every option. It's great to check out if you are unsure about anything, and will really help the learning process.

Final Configurations

Install syslog-ng, vixie-cron, strace, gdb, ruby and nemesis by issuing:

 emerge -q syslog-ng vixie-cron strace gdb ruby nemesis

Once emerge finishes, fill in your mtab:

  grep -v rootfs /proc/mounts > /etc/mtab 



Replace "XXX" below with either "x86" or "x86_64" depending on your processor architecture (32bit and 64bit respectively).

  cp arch/XXX/boot/bzImage /boot
  nano /etc/fstab

Change the ROOT and SWAP lines to look like the following:

    /dev/sda3               /               reiserfs                noatime         0 1
    /dev/sda2               none            swap                    sw              0 0

Delete the /dev/BOOT line and CTRL+X -> Y to exit.

Bootloader

Install the GRUB bootloader:

   emerge -q grub

Install grub into the master boot record of /dev/sda:

   grub-install --no-floppy /dev/sda

Now it's time to edit our grub configuration:

   nano -w /boot/grub/grub.conf

Uncomment the splash image line and ensure the boot entry looks like the one below. The root line must come before the kernel line, since it selects the partition the kernel path is read from; (hd0,0) is /dev/sda1, the boot partition, and root=/dev/sda3 tells the kernel where the root filesystem is:

   title Gentoo
   root (hd0,0)
   kernel /boot/bzImage root=/dev/sda3

Exit by hitting CTRL+X, then Y.

Set your root password:

   passwd root

Install pump (a small DHCP client) and enable the services at boot:

   emerge -q pump
   rc-update add vixie-cron default
   rc-update add syslog-ng default
   rc-update add home default
   env-update
   source /etc/profile

Now exit from the chroot for the final step.

After exiting, ensure the new system has all the device nodes it needs:

   umount /mnt/gentoo/dev
Notice: make sure you do NOT accidentally umount /mnt/gentoo above, we just want to umount dev!
   cp -a /dev/* /mnt/gentoo/dev/

Once that is done, restart your system.

After restarting, we need to get networking up and running:

   ifconfig eth0 down && ifconfig eth0 up
   pump -i eth0

If name resolution does not work, overwrite resolv.conf as mentioned earlier:

   echo nameserver 4.2.2.1 > /etc/resolv.conf
   echo nameserver 4.2.2.2 >> /etc/resolv.conf

4.2.2.1 and 4.2.2.2 are public DNS servers; you could use Google's public DNS servers instead, which are 8.8.8.8 and 8.8.4.4.

Install an editor:

   # install vim
   emerge -q vim
   # or emacs
   emerge -q emacs
   # you'll have to look up a tutorial on these yourself or ask for help choosing in #questions :) try installing vim and typing vimtutor



X Server

Never run the X Server as root!
Make sure your home directory is encrypted before we begin.

nano /etc/make.conf

Add the following line with the correct driver for your card, e.g. nouveau for nvidia, radeon for radeon, vmware for vmware, virtualbox for virtualbox or intel for intel:

VIDEO_CARDS="driver"

Also add the following line if you are on a PC or VM:

INPUT_DEVICES="evdev"

Or this line if you are on a laptop:

INPUT_DEVICES="evdev synaptics"

  • Make sure that the correct driver for your graphics card is built into the kernel; return to the kernel section to do this if you have not already.
  • Make sure you have udev in your USE flags in /etc/make.conf.

Now to install the X server and window manager:

emerge -q xorg-drivers
emerge -q xorg-server
emerge -q fluxbox
emerge -q aterm # transparent terminal!
emerge -q conky # system monitoring tool
emerge -q sudo

Now edit /etc/sudoers to your own preference. Use visudo rather than a plain editor: it checks the syntax before saving, and a sudoers file with a syntax error locks everyone out of sudo. You only need to uncomment ONE of the two %wheel lines, either the one with NOPASSWD or the one that asks for a password. Then add your user to the wheel group (the user comes first, then the group):

gpasswd -a username wheel

Also add the following line. The path must be the one your Firefox build actually installs (check with ls -d /usr/lib*/firefox), because sudo matches it against the exact command being run:

  • 32 bit users (Firefox lives under /usr/lib on a 32-bit Gentoo system):
%wheel ALL = (firefox) NOPASSWD: /usr/lib/firefox/firefox
  • 64 bit users:
%wheel ALL = (firefox) NOPASSWD: /usr/lib64/firefox/firefox

To make fluxbox start with the X server:

mkdir -p /etc/X11/xinit
echo "exec startfluxbox" > /etc/X11/xinit/xinitrc

For virtualbox, see http://en.gentoo-wiki.com/wiki/Virtualbox_Guest for a guide to enabling copy-paste between host and VM, etc.

Start udev now and at boot:

/etc/init.d/udev start
rc-update add udev sysinit

If you don't have a basic user account already, make one now.

Now exit from root, log in as a normal user and type:

startx

This will run the X server.

Open a terminal by right clicking and choosing to open xterm.

Create the dedicated, unprivileged account that Firefox will run as (the clients group must already exist, and -U creates a matching firefox group):

sudo useradd -m -G clients -U firefox
The following script is a little buggy and prevents firefox from launching if it takes more than 1 second for it to read the Xauthority file, so if that happens just bump up the sleep value.

You could also create sandfox in your ~/bin as described under the security section below; in that case just replace /usr/bin/sandfox with ~/bin/sandfox from now on.

sudo nano /usr/bin/sandfox

Add the following. The temporary copy of the X cookie is created with mktemp and made read-only instead of world-writable: a predictable, 777 file in /tmp could be overwritten or read by any local user during the one-second window, and the firefox user only needs to read it. Adjust the firefox path on 32-bit systems:

#!/bin/sh
# Run Firefox as the unprivileged 'firefox' user, handing it a temporary copy of our X cookie.
COOKIE=$(mktemp "/tmp/$USER.firefox.Xauthority.XXXXXX")
cp "$HOME/.Xauthority" "$COOKIE"
# The firefox user only needs read access; the file is still readable by other local users until it is removed.
chmod 644 "$COOKIE"
( ( env XAUTHORITY="$COOKIE" sudo -u firefox /usr/lib64/firefox/firefox "$@" & ) & )
sleep 1
rm -f "$COOKIE"

Now make it executable:

sudo chmod +x /usr/bin/sandfox

All history and profiles will be saved in firefox's home directory instead of yours; take note of this. You can pass parameters such as -private by running, e.g., /usr/bin/sandfox -private
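A variant of the launcher that avoids copying the cookie at all, given here as an added example rather than the wiki's own sandfox. Instead of handing the firefox user a copy of ~/.Xauthority through /tmp, it asks the X server to accept connections from that one local UID with a server-interpreted "localuser" entry (xhost +si:localuser:firefox), and revokes the grant when the browser exits, so there is no file in /tmp, no sleep, and no window in which other local users can read the cookie. It assumes the firefox account and the sudoers rule created above; the user name and binary path are variables so the 32-bit path can be substituted. Note what this does and does not achieve: the browser still runs with a different UID, home directory and sudo-restricted command, but any client granted access to the display can see other X clients' input, so this separates the browser from your files, not from the X server.

```shell
#!/bin/sh
# Added example, not the wiki's own sandfox: launch Firefox as the unprivileged
# 'firefox' user without copying ~/.Xauthority anywhere. The X server is told to
# accept connections from that one local UID (a server-interpreted "localuser"
# entry), and the grant is revoked when the browser exits. Assumes the firefox
# account and the sudoers rule from above; user and binary path are overridable,
# e.g. FIREFOX_BIN=/usr/lib/firefox/firefox on a 32-bit system.
set -eu

SANDBOX_USER=${SANDBOX_USER:-firefox}
FIREFOX_BIN=${FIREFOX_BIN:-/usr/lib64/firefox/firefox}

# xhost access entry for a single local user. Unlike the host-based '+localhost'
# (or a copied cookie), it does not open the display to every local account.
xhost_entry() {
  printf 'si:localuser:%s\n' "$1"
}

grant_x_access()  { xhost "+$(xhost_entry "$1")" >/dev/null; }
revoke_x_access() { xhost "-$(xhost_entry "$1")" >/dev/null; }

run_sandboxed() {
  grant_x_access "$SANDBOX_USER"
  # Revoke on every exit path (normal exit, Ctrl-C, kill) so the grant does not
  # outlive the browser session. Revoking twice is harmless.
  trap 'revoke_x_access "$SANDBOX_USER"' EXIT INT TERM
  # sudoers only permits this exact binary for the firefox user; a different
  # path is refused even with NOPASSWD. sudo's default env_reset keeps DISPLAY.
  sudo -u "$SANDBOX_USER" "$FIREFOX_BIN" "$@"
}

# Only launch from inside an X session; without DISPLAY the functions are just
# defined, which is what a syntax check or a sourcing shell wants.
if [ -n "${DISPLAY:-}" ]; then
  run_sandboxed "$@"
fi
```

Install it as /usr/bin/sandfox in place of the script above (or alongside it under a different name) and call it exactly the same way, e.g. sandfox -private. You can confirm the grant is gone after the browser closes by running xhost with no arguments, which lists the current access entries.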
Enable the hardened USE flag for Firefox and install it together with a panel. Note that sudo echo "..." >> file does not work: the redirection is performed by your shell, as your user, before sudo runs, so the write to /etc/portage is denied. Pipe through sudo tee instead:

sudo mkdir -p /etc/portage
echo "www-browser/firefox hardened" | sudo tee -a /etc/portage/package.use
sudo emerge -q firefox tint2 tintwizard
nano ~/.fluxbox/init

Change session.screen0.toolbar.visible: to false.

To enable drop shadows and fading:

sudo emerge -q xcompmgr
nano ~/.fluxbox/startup

Add the following at the end of the applications you want to start with Fluxbox:

xcompmgr -c -r 6 -f -D 5 -t -9 -l -9 &
tint2 &

Make sure the last line is exec fluxbox.

nano ~/.fluxbox/menu

Change every occurrence of xterm to 'aterm -tr -trsb -sh 40' (without the quotes). If xterm is being used to execute something else, add -e, so 'aterm -tr -trsb -sh 40 -e sudo -s' gives an automatic root terminal.

Add a menu entry for sandfox; it should be pretty easy to figure out.

For fluxbox themes you can check out box-looks.org.




BASH

Screen

Services

Network Services

Debugging Services

Permissions and Security Basics

Getting Help

Troubleshooting