/etc/conf.d/net:

```
config_eth0=("null")
config_eth1=("null")
config_red=("192.168.0.3/24")
bridge_red=("eth0")
rc_need_red="net.eth0"
brctl_red=(
"setfd 0"
"stp off"
)
routes_red=("default via 192.168.0.2")
config_green=("192.168.2.3/24")
bridge_green=("eth1")
rc_need_green="net.eth1"
brctl_green=(
"setfd 0"
"stp off"
)
config_dmz=("null")
brctl_dmz=(
"setfd 0"
"stp off"
)
```

```
localhost ~ # cd /etc/init.d
localhost init.d # ln -s net.lo net.eth1
localhost init.d # ln -s net.lo net.red
localhost init.d # ln -s net.lo net.green
localhost init.d # ln -s net.lo net.dmz
localhost init.d # rc-update add net.eth0 default
localhost init.d # rc-update add net.eth1 default
localhost init.d # rc-update add net.red default
localhost init.d # rc-update add net.green default
localhost init.d # rc-update add net.dmz default
localhost init.d # /etc/init.d/net.eth0 start
localhost init.d # /etc/init.d/net.eth1 start
localhost init.d # /etc/init.d/net.red start
localhost init.d # /etc/init.d/net.green start
localhost init.d # /etc/init.d/net.dmz start
```
Now add the ssh daemon to the default runlevel and start it:

```
localhost ~ # rc-update add sshd default
 * sshd added to runlevel default
localhost ~ # /etc/init.d/sshd start
Generating public/private rsa1 key pair.
...
 * Starting sshd ...
localhost ~ #
```
/etc/hosts:

```
...
127.0.0.1 srv-prs.home.loc srv-prs localhost
...
```

/etc/conf.d/hostname:

```
HOSTNAME="srv-prs"
```

Check the result:

```
localhost ~ # hostname
srv-prs
localhost ~ # hostname -f
srv-prs.home.loc
localhost ~ #
```
```
localhost ~ # cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
```

/etc/conf.d/clock:

```
...
TIMEZONE="Europe/Paris"
...
```

```
localhost ~ # emerge ntp
...
localhost ~ # rc-update add ntp-client default
localhost ~ # /etc/init.d/ntp-client start
```
```
localhost ~ # time emerge -vae world
...
real 183m54.743s
user 155m45.326s
sys 86m24.708s
```

```
localhost ~ # emerge -a syslog-ng vixie-cron sendmail logrotate cryptsetup mdadm bridge-utils usermode-utilities htop pci-utils usbutils
...
localhost ~ # rc-update add syslog-ng default
 * syslog-ng added to runlevel default
localhost ~ # rc-update add vixie-cron default
 * vixie-cron added to runlevel default
localhost ~ # rc-update add sendmail default
 * sendmail added to runlevel default
```
To save power and extend hard drive life, you can configure the drives to spin down after a period without activity:

```
localhost ~ # emerge -v hdparm
```
The spin-down timeout is encoded in the -S value: for values from 1 to 240 the time in seconds is the value multiplied by 5, and higher values use the coarser steps described below (the -S241 used here means 30 minutes). From the manpage:
A value of zero means “timeouts are disabled”: the device will not automatically enter standby mode. Values from 1 to 240 specify multiples of 5 seconds, yielding timeouts from 5 seconds to 20 minutes. Values from 241 to 251 specify from 1 to 11 units of 30 minutes, yielding timeouts from 30 minutes to 5.5 hours. A value of 252 signifies a timeout of 21 minutes. A value of 253 sets a vendor-defined timeout period between 8 and 12 hours. A value of 255 is interpreted as 21 minutes plus 15 seconds. The value 254 is reserved. Note that some older drives may have very different interpretations of these values.
/etc/conf.d/hdparm:

```
...
sda_args="-S241"
sdd_args="-S241"
...
```

```
localhost ~ # /etc/init.d/hdparm start
localhost ~ # rc-update add hdparm default
```
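To make sure a value in /etc/conf.d/hdparm means what you think it does, here is an added helper (not part of the page or of hdparm itself) that decodes the -S encoding quoted from the manpage above. Function names and the sample config line are mine; the mapping is the manpage's.

```shell
#!/bin/sh
# Added example: decode an hdparm -S value into a standby timeout in seconds,
# following the encoding quoted from the hdparm manpage.

# hdparm_standby_seconds VALUE
#   prints the timeout in seconds, or "disabled" (0), "vendor" (253),
#   "reserved" (254); returns 1 for a non-numeric or out-of-range value.
hdparm_standby_seconds() {
    v="$1"
    case "$v" in
        ''|*[!0-9]*) return 1 ;;      # reject empty or non-numeric input
    esac
    if [ "$v" -eq 0 ]; then
        echo disabled
    elif [ "$v" -le 240 ]; then
        echo $((v * 5))               # 1..240: multiples of 5 seconds
    elif [ "$v" -le 251 ]; then
        echo $(((v - 240) * 1800))    # 241..251: 1..11 units of 30 minutes
    elif [ "$v" -eq 252 ]; then
        echo 1260                     # 21 minutes
    elif [ "$v" -eq 253 ]; then
        echo vendor                   # vendor-defined, 8 to 12 hours
    elif [ "$v" -eq 254 ]; then
        echo reserved
    elif [ "$v" -eq 255 ]; then
        echo 1275                     # 21 minutes plus 15 seconds
    else
        return 1
    fi
}

# standby_from_args 'sda_args="-S241"'
#   extracts the -S value from a conf.d/hdparm style line and decodes it;
#   returns 1 when the line carries no -S option.
standby_from_args() {
    val=$(printf '%s\n' "$1" | sed -n 's/.*-S\([0-9][0-9]*\).*/\1/p')
    [ -n "$val" ] || return 1
    hdparm_standby_seconds "$val"
}

# Stand-alone use: ./standby.sh 'sda_args="-S241"'  (constructed sample line)
if [ $# -gt 0 ]; then
    standby_from_args "$1"
fi
```

Running it on the line used above confirms that -S241 is 1800 seconds (30 minutes), not 241 multiplied by 5.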
As you can see in the network configuration, the server has two legs in two networks: red and green.
The green one will be the default one, and the red one is an admin interface towards the world (next to the red network), where we are going to allow only ssh access:
```
# emerge -va iptables
```

/root/fw.sh:

```
#!/bin/bash -x
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --source-port 22 -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT
iptables -A OUTPUT -o eth0 -j REJECT
# IPV6
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
echo "0" >/proc/sys/net/ipv6/conf/all/forwarding
```

```
# chmod +x /root/fw.sh
# rc-update add iptables default
# rc-update add ip6tables default
# /etc/init.d/iptables start
# /etc/init.d/ip6tables start
# /root/fw.sh
# /etc/init.d/iptables save
# /etc/init.d/ip6tables save
```
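One detail worth checking in a setup like this: the admin address is configured on the bridge red, and eth0 is only a port of that bridge. The INPUT and OUTPUT chains see locally delivered traffic with the bridge name, so rules written with `-i eth0` do not match it, and with an ACCEPT policy that leaves everything open. The following is an added example, not the page's fw.sh: it generates the same style of ruleset (ACCEPT policy closed by a trailing REJECT, IPv6 dropped) but matches on the bridge, adds a loopback rule and rate-limited logging of rejected packets, and refuses to apply a ruleset that still references the bridge port. The interface name red comes from the configuration above; the function names, log prefix and `fw_apply dry` convention are mine.

```shell
#!/bin/sh
# Added example: build the admin-interface ruleset as a reviewable list of
# commands, check it, then apply it. Assumes the admin IP sits on bridge "red".

ADMIN_IF="${ADMIN_IF:-red}"   # bridge carrying the admin address (not its port eth0)

# fw_rules: print one command per line; nothing is executed here.
fw_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $ADMIN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ADMIN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $ADMIN_IF -m limit --limit 5/min -j LOG --log-prefix "fw-$ADMIN_IF-reject: "
iptables -A INPUT -i $ADMIN_IF -j REJECT
iptables -A OUTPUT -o $ADMIN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $ADMIN_IF -j REJECT
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
echo 0 >/proc/sys/net/ipv6/conf/all/forwarding
EOF
}

# fw_check: sanity checks before anything is applied.
#   fails if a rule matches the bridge port eth0 (which INPUT/OUTPUT never
#   see for bridged traffic) or if the admin INPUT rules are not closed by REJECT.
fw_check() {
    rules=$(fw_rules)
    if printf '%s\n' "$rules" | grep -q -- '-[io] eth0 '; then
        echo "rule matches eth0 instead of bridge $ADMIN_IF" >&2
        return 1
    fi
    last=$(printf '%s\n' "$rules" | grep -- "^iptables -A INPUT -i $ADMIN_IF" | tail -n 1)
    case "$last" in
        *"-j REJECT") ;;
        *) echo "INPUT on $ADMIN_IF is not closed by REJECT" >&2; return 1 ;;
    esac
}

# fw_apply [dry]: "dry" only prints the commands; otherwise run them as root,
#   stopping at the first command that fails.
fw_apply() {
    if [ "${1:-}" = dry ]; then
        fw_rules
        return 0
    fi
    fw_check || return 1
    fw_rules | sh -e
}

# Stand-alone use: ./fw.sh dry   (review)    ./fw.sh apply   (as root)
case "${1:-}" in
    dry)   fw_apply dry ;;
    apply) fw_apply ;;
esac
```

After `fw_apply` succeeds, `/etc/init.d/iptables save` and `/etc/init.d/ip6tables save` persist the result exactly as in the page's sequence above. If you prefer to keep matching on the physical port, the physdev match (`-m physdev --physdev-in eth0`) is the iptables way to do it for bridged traffic.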
Layers used to manage virtualisation:

| LAYERS | | |
|---|---|---|
| Hardware | | |
| KVM | | |
| qemu | | |
| libvirt | | |
| virsh | virt-manager | archipel? |
| cli | client | web? |
/etc/portage/package.use:

```
app-emulation/libvirt qemu udev
x11-libs/cairo X
```

```
# emerge -va cairo dbus qemu-kvm libvirt virt-manager
# rc-update add libvirtd default
# rc-update add dbus default
# /etc/init.d/libvirtd start
# /etc/init.d/dbus start
```
May not be needed…
We are going to create two scripts that compile the dom0 (host) and domU (guest) kernels in separate output directories.

```
localhost ~ # cd /usr/src/linux/
localhost linux # echo "mkdir -p _dom0 && make O=_dom0 \$@" > make0.sh
localhost linux # echo "mkdir -p _domU && make O=_domU \$@" > makeU.sh
localhost linux # chmod +x make?.sh
localhost linux # ./make0.sh menuconfig
```

Just Exit and Save.

```
localhost linux # ./makeU.sh menuconfig
localhost linux # cp .config _dom0/
localhost linux # cp .config _domU/
localhost linux # make mrproper
```

Same thing, Exit and Save.

Select the following options in menuconfig, then you can compile:
```
Processor type and features  --->
    [*] Paravirtualized guest support  --->
        [ ]   Xen guest support
        [*]   KVM paravirtualized clock
        [*]   KVM Guest support
        -*-   Enable paravirtualization code
        [*]     Paravirtualization layer for spinlocks
    Processor family (Core 2/newer Xeon)  --->
[*] Networking support  --->
    Networking options  --->
        <*> 802.1d Ethernet Bridging
Device Drivers  --->
    [*] Network device support  --->
        <*>   Universal TUN/TAP device driver support
        <*>   Virtio network driver (EXPERIMENTAL)
    [*] Block devices  --->
        <*>   Loopback device support
        <*>   Virtio block driver (EXPERIMENTAL)
    Character devices  --->
        <*> Virtio console
        <*> VirtIO Random Number Generator support
    [*] Multiple devices driver support (RAID and LVM)  --->
        <*>   RAID support
        <*>     RAID-1 (mirroring) mode
        <*>     RAID-4/RAID-5/RAID-6 mode
        <*>   Device mapper support
        <*>     Crypt target support
File systems  --->
    <*> The Extended 4 (ext4) filesystem
    [*]   Ext4 extended attributes
    [*]     Ext4 POSIX Access Control Lists
    [*]     Ext4 Security Labels
    <*> FUSE (Filesystem in Userspace) support
-*- Cryptographic API  --->
    <*>   XTS support (EXPERIMENTAL)
    <*>   SHA224 and SHA256 digest algorithm
    <*>   SHA384 and SHA512 digest algorithms
    -*-   AES cipher algorithms (x86_64)
    <*>   AES cipher algorithms (AES-NI)
[*] Virtualization  --->
    --- Virtualization
    <*>   Kernel-based Virtual Machine (KVM) support
    <*>     KVM for Intel processors support
    < >     KVM for AMD processors support
    <*>   Host kernel accelerator for virtio net (EXPERIMENTAL)
    <*>   PCI driver for virtio devices (EXPERIMENTAL)
    <*>   Virtio balloon driver (EXPERIMENTAL)
```
Now compile:

```
localhost linux # ./makeU.sh -j3
...
localhost linux # cp _domU/arch/x86/boot/bzImage ../
```
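Because the menu tree above is long and a single missed entry (bridging, dm-crypt, the virtio drivers) only shows up at boot, it is worth checking the generated `.config` before spending the build time. The script below is an added example, not part of the page or of the kernel build system: it checks that the Kconfig symbols behind the entries above are enabled in a given `.config`. The symbol list, the function names and the constructed sample configs are mine; symbol names follow kernels of that era and may need adjusting for yours. It goes beyond the page by also allowing a built-in-only check (`=y`), which matters when the root filesystem lives on dm-crypt or RAID and no initramfs loads modules.

```shell
#!/bin/sh
# Added example: verify that a kernel .config enables the options selected
# in the menuconfig tree above. Symbol list is an assumption for this page.

REQUIRED="CONFIG_PARAVIRT CONFIG_KVM_GUEST \
CONFIG_BRIDGE CONFIG_TUN CONFIG_VIRTIO_NET CONFIG_VIRTIO_BLK CONFIG_BLK_DEV_LOOP \
CONFIG_VIRTIO_CONSOLE CONFIG_HW_RANDOM_VIRTIO \
CONFIG_MD_RAID1 CONFIG_MD_RAID456 CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT \
CONFIG_EXT4_FS CONFIG_FUSE_FS \
CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_SHA512 CONFIG_CRYPTO_AES CONFIG_CRYPTO_AES_NI_INTEL \
CONFIG_KVM CONFIG_KVM_INTEL CONFIG_VHOST_NET CONFIG_VIRTIO_PCI CONFIG_VIRTIO_BALLOON"

# check_kernel_config FILE [y]
#   prints "missing: SYMBOL" for each required symbol that is not =y or =m
#   (only =y when the second argument is "y"); returns 0 when all are present,
#   1 when something is missing, 2 when FILE is unreadable.
check_kernel_config() {
    cfg="$1"
    want="${2:-y|m}"
    missing=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    for sym in $REQUIRED; do
        if ! grep -Eq "^${sym}=(${want})\$" "$cfg"; then
            echo "missing: $sym"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# sample_config good|bad
#   writes a constructed .config fragment (not real build output) to a temp
#   file and prints its path; "bad" leaves bridging and dm-crypt out.
sample_config() {
    f=$(mktemp)
    for sym in $REQUIRED; do
        echo "${sym}=y"
    done > "$f"
    if [ "$1" = bad ]; then
        grep -v -e '^CONFIG_BRIDGE=' -e '^CONFIG_DM_CRYPT=' "$f" > "$f.bad"
        echo "# CONFIG_BRIDGE is not set" >> "$f.bad"
        mv "$f.bad" "$f"
    fi
    echo "$f"
}

# Stand-alone use: ./check-config.sh /usr/src/linux/_domU/.config [y]
if [ $# -gt 0 ]; then
    check_kernel_config "$@"
fi
```

Run it against `_dom0/.config` and `_domU/.config` after menuconfig; for the host kernel drop `CONFIG_KVM_GUEST`/`CONFIG_PARAVIRT` from the list if you do not want the guest-side options there, and pass `y` when the box boots without an initramfs.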