D- System config
Network Configuration
In /etc/conf.d/net:

```
config_eth0=("null")
config_eth1=("null")
config_red=("192.168.0.3/24")
bridge_red=("eth0")
rc_need_red="net.eth0"
brctl_red=(
    "setfd 0"
    "stp off"
)
routes_red=("default via 192.168.0.2")
config_green=("192.168.2.3/24")
bridge_green=("eth1")
rc_need_green="net.eth1"
brctl_green=(
    "setfd 0"
    "stp off"
)
config_dmz=("null")
brctl_dmz=(
    "setfd 0"
    "stp off"
)
```

```
localhost ~ # cd /etc/init.d
localhost init.d # ln -s net.lo net.eth1
localhost init.d # ln -s net.lo net.red
localhost init.d # ln -s net.lo net.green
localhost init.d # ln -s net.lo net.dmz
localhost init.d # rc-update add net.eth0 default
localhost init.d # rc-update add net.eth1 default
localhost init.d # rc-update add net.red default
localhost init.d # rc-update add net.green default
localhost init.d # rc-update add net.dmz default
localhost init.d # /etc/init.d/net.eth0 start
localhost init.d # /etc/init.d/net.eth1 start
localhost init.d # /etc/init.d/net.red start
localhost init.d # /etc/init.d/net.green start
localhost init.d # /etc/init.d/net.dmz start
```
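Before restarting the net.* services it is worth checking that the bridge definitions are consistent with each other. The check below is an added example, not part of the original page: it reads a conf.d/net-style file and verifies that every NIC enslaved to a bridge has config_X=("null") and that rc_need_X names the port's net.X service; the config it runs on is a constructed sample with two deliberate mistakes.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check a baselayout-1 style
# /etc/conf.d/net before restarting the net.* services. For every
# bridge_X=("ports"), each enslaved port must be config_port=("null") (the
# address belongs on the bridge) and rc_need_X must list net.port so the
# port is brought up before the bridge.

# Constructed sample with two deliberate mistakes: eth1 keeps an address
# although it is enslaved to green, and rc_need_green is missing.
SAMPLE_NET='config_eth0=("null")
config_eth1=("192.168.2.3/24")
config_red=("192.168.0.3/24")
bridge_red=("eth0")
rc_need_red="net.eth0"
config_green=("192.168.2.3/24")
bridge_green=("eth1")
config_dmz=("null")'

# check_bridges <conf text>: prints one line per problem, returns their count.
check_bridges() {
    conf=$1
    bad=0
    for br in $(printf '%s\n' "$conf" | sed -n 's/^bridge_\([A-Za-z0-9]*\)=.*/\1/p'); do
        ports=$(printf '%s\n' "$conf" | sed -n "s/^bridge_$br=(\"\(.*\)\")/\1/p")
        need=$(printf '%s\n' "$conf" | sed -n "s/^rc_need_$br=\"\(.*\)\"/\1/p")
        for p in $ports; do
            if ! printf '%s\n' "$conf" | grep -q "^config_$p=(\"null\")"; then
                echo "$br: enslaved port $p must be config_$p=(\"null\")"
                bad=$((bad + 1))
            fi
            case " $need " in
                *" net.$p "*) ;;
                *) echo "$br: rc_need_$br must list net.$p"
                   bad=$((bad + 1)) ;;
            esac
        done
    done
    return $bad
}

check_bridges "$SAMPLE_NET"   # prints both problems; return status 2
```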
Now add the ssh daemon to the runlevels:

```
localhost ~ # rc-update add sshd default
 * sshd added to runlevel default
localhost ~ # /etc/init.d/sshd start
Generating public/private rsa1 key pair.
...
 * Starting sshd ...
localhost ~ #
```
Hostname configuration
In /etc/hosts:

```
...
127.0.0.1 srv-prs.home.loc srv-prs localhost
...
```

In /etc/conf.d/hostname:

```
HOSTNAME="srv-prs"
```

```
localhost ~ # hostname srv-prs
localhost ~ # hostname -f
srv-prs.home.loc
localhost ~ #
```
Timezone
```
localhost ~ # cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
```

```
...
TIMEZONE="Europe/Paris"
...
```

```
localhost ~ # emerge ntp
...
localhost ~ # rc-update add ntp-client default
localhost ~ # /etc/init.d/ntp-client start
```
Rebuild for optimisation
```
localhost ~ # time emerge -vae world
...
real 183m54.743s
user 155m45.326s
sys 86m24.708s
```
Installation of basic software

```
localhost ~ # emerge -a syslog-ng vixie-cron sendmail logrotate cryptsetup mdadm bridge-utils usermode-utilities htop pci-utils usbutils
...
localhost ~ # rc-update add syslog-ng default
 * syslog-ng added to runlevel default
localhost ~ # rc-update add vixie-cron default
 * vixie-cron added to runlevel default
localhost ~ # rc-update add sendmail default
 * sendmail added to runlevel default
```

- syslog-ng: log system
- vixie-cron: cron system
- sendmail: to send administration mails
- logrotate: rotates logs to prevent the hard drive from filling up
- cryptsetup: to manage encrypted drives
- mdadm: to manage RAID
- htop: a better top
- pci-utils: to provide lspci
- usbutils: to provide lsusb
- bridge-utils: to manage bridges if we have to do things by hand
- usermode-utilities: to manage tun (tunctl) if we have to do things by hand
Hdparm
To save power and extend hard drive life, you can configure the drive to spin down after a period without use:

```
localhost ~ # emerge -v hdparm
```

The time (in seconds) after which the drive spins down is the value you pass to -S multiplied by 5. From the manpage:
A value of zero means “timeouts are disabled”: the device will not automatically enter standby mode. Values from 1 to 240 specify multiples of 5 seconds, yielding timeouts from 5 seconds to 20 minutes. Values from 241 to 251 specify from 1 to 11 units of 30 minutes, yielding timeouts from 30 minutes to 5.5 hours. A value of 252 signifies a timeout of 21 minutes. A value of 253 sets a vendor-defined timeout period between 8 and 12 hours. A value of 255 is interpreted as 21 minutes plus 15 seconds. The value 254 is reserved. Note that some older drives may have very different interpretations of these values.
In /etc/conf.d/hdparm:

```
...
sda_args="-S241"
sdd_args="-S241"
...
```

```
localhost ~ # /etc/init.d/hdparm start
localhost ~ # rc-update add hdparm default
```
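The -S encoding is not linear, so the value written into conf.d/hdparm is easy to get wrong. The two functions below are an added example, not from the page or from hdparm: they decode a -S value into seconds and pick the -S value for a wanted timeout, following the manpage ranges quoted above (the page's -S241 decodes to 1800 seconds, i.e. 30 minutes).

```shell
#!/bin/sh
# Added example (not from the page or hdparm): translate between hdparm -S
# values and seconds, using the ranges quoted from the manpage above.

# hdparm_s_to_seconds <value>: prints the standby timeout in seconds
# (0 = timeouts disabled). Returns 1 for 253 (vendor-defined), 254
# (reserved) and anything that is not a value from 0 to 255.
hdparm_s_to_seconds() {
    v=$1
    case $v in
        ''|*[!0-9]*) return 1 ;;      # not a non-negative integer
    esac
    if [ "$v" -eq 0 ]; then
        echo 0                        # standby disabled
    elif [ "$v" -le 240 ]; then
        echo $((v * 5))               # 1..240: 5 s to 20 min
    elif [ "$v" -le 251 ]; then
        echo $(((v - 240) * 1800))    # 241..251: 30 min to 5.5 h
    elif [ "$v" -eq 252 ]; then
        echo 1260                     # 21 min
    elif [ "$v" -eq 255 ]; then
        echo 1275                     # 21 min 15 s
    else
        return 1                      # 253, 254 or out of range
    fi
}

# seconds_to_hdparm_s <seconds>: prints the -S value that encodes exactly
# that timeout, or returns 1 when no value does (e.g. 7 s or 45 min).
seconds_to_hdparm_s() {
    s=$1
    case $s in ''|*[!0-9]*) return 1 ;; esac
    if [ "$s" -eq 0 ]; then echo 0
    elif [ "$s" -le 1200 ] && [ $((s % 5)) -eq 0 ]; then echo $((s / 5))
    elif [ "$s" -eq 1260 ]; then echo 252
    elif [ "$s" -eq 1275 ]; then echo 255
    elif [ "$s" -le 19800 ] && [ $((s % 1800)) -eq 0 ]; then echo $((s / 1800 + 240))
    else return 1
    fi
}

# The page's sda_args="-S241" therefore means:
hdparm_s_to_seconds 241    # prints 1800 (30 minutes)
```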
Iptables
As you can see in the network configuration, the server has two legs in two networks: red and green.
The green one will be the default one, and the red one is an admin interface towards the world (next to the red network), where we are going to allow only ssh access:

```
# emerge -va iptables
```

/root/fw.sh:

```sh
#!/bin/bash -x
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --source-port 22 -j ACCEPT
iptables -A INPUT -i eth0 -j REJECT
iptables -A OUTPUT -o eth0 -j REJECT
# IPV6
ip6tables -F INPUT
ip6tables -F OUTPUT
ip6tables -F FORWARD
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP
echo "0" >/proc/sys/net/ipv6/conf/all/forwarding
```

```
# chmod +x /root/fw.sh
# rc-update add iptables default
# rc-update add ip6tables default
# /etc/init.d/iptables start
# /etc/init.d/ip6tables start
# /root/fw.sh
# /etc/init.d/iptables save
# /etc/init.d/ip6tables save
```
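One caveat for this script: the address lives on bridge red, so traffic that enters on eth0 and is delivered locally reaches the INPUT chain with in-interface red, and rules written with -i eth0 never match it. The audit below is an added example, not the page's script: it checks an iptables-save dump for the admin interface (bridge name, bridge port and allowed port are parameters) and runs on two constructed dumps, one modelled on /root/fw.sh and one corrected to match the bridge.

```shell
#!/bin/sh
# Added example (not the page's script): audit an iptables-save dump for the
# admin interface. The address sits on bridge red, so frames entering on eth0
# and delivered locally hit INPUT with in-interface red; "-i eth0" never matches.

# Constructed dump, modelled on what /root/fw.sh above would save:
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
# Constructed corrected dump: matches the bridge device, default-denies INPUT,
# keeps green open as the page intends and FORWARD open for the bridged guests.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i green -j ACCEPT
-A INPUT -i red -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i red -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# audit_admin_iface <dump> <bridge> <bridge port> <allowed tcp port>
# Prints one line per finding and returns the number of findings (0 = clean).
audit_admin_iface() {
    dump=$1; br=$2; port=$3; allowed=$4; findings=0
    n=$(printf '%s\n' "$dump" | grep -c -- "-A INPUT -i $port ") || true
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n INPUT rule(s) use -i $port; bridged traffic arrives as -i $br"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -q -- "-A INPUT -i $br .*--dport $allowed -j ACCEPT"; then
        echo "WARN: no INPUT ACCEPT for tcp/$allowed on $br"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$dump" | grep -Eq -- "-A INPUT -i $br -j (REJECT|DROP)" &&
       ! printf '%s\n' "$dump" | grep -q '^:INPUT DROP'; then
        echo "WARN: other traffic on $br is neither rejected by a rule nor dropped by policy"
        findings=$((findings + 1))
    fi
    return $findings
}

audit_admin_iface "$SAMPLE_RULES" red eth0 22   # 3 findings
audit_admin_iface "$FIXED_RULES" red eth0 22    # clean, returns 0
```

On the real host, feed `iptables-save` output to the function instead of the constructed dumps.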
KVM
Layers used to manage virtualisation:

| LAYERS | | |
|---|---|---|
| Hardware | | |
| KVM | | |
| qemu | | |
| libvirt | | |
| virsh | virt-manager | archipel? |
| cli | client | web? |

In /etc/portage/package.use:

```
app-emulation/libvirt qemu udev
x11-libs/cairo X
```

```
# emerge -va cairo dbus qemu-kvm libvirt virt-manager
# rc-update add libvirtd default
# rc-update add dbus default
# /etc/init.d/libvirtd start
# /etc/init.d/dbus start
```
Guest Kernel compilation
May not be needed…
