Now we just create the config that the boot-loader uses into \/boot<\/tt>: grub2-mkconfig -o \/boot\/grub\/grub.cfg<\/tt><\/li>\n<\/ul>\nTime Zones<\/h3>\n
Set the time zone for our new machine\u2014I\u2019m in Cambridge, MA (USA), so I do:<\/p>\n
echo \"US\/Eastern\" > \/etc\/timezone\nemerge --config sys-libs\/timezone-data\n<\/pre>\nNetworking<\/h3>\n
To make sure we have networking support when we start the new OS, we will change \/etc\/conf.d\/net<\/tt>. First, provide all the silly names that the kernel has come up with over the years:<\/p>\ncd \/etc\/init.d\/\nln -s net.lo net.eth0\nln -s net.lo net.enp2s1\nln -s net.lo net.eno16777736\n<\/pre>\nThese symlinks are for init<\/tt>, which will use different configuration settings based on the name of the script that was invoked. Most recently, the ethernet interface has been \u201ceno16777736<\/tt>\u201d, so that\u2019s likely the only link we\u2019ll really need.<\/p>\n
Now edit \/etc\/conf.d\/net<\/tt> to set up a basic DHCP configuration (if you have information for a static network configuration, go ahead and do that instead of DHCP):<\/p>\n# Please review \/usr\/share\/doc\/netifrc-*\/net.example.bz2 for more configuration\n# options.\nmodules=\"dhcpcd\"\n\ndns_domain=\"yourdomain.foo\"\nnis_domain=\"yourdomain.foo\"\ndns_search=\"yourdomain.foo\"\n\nconfig_eno16777736=\"dhcp\"\ndhcpcd_eno16777736=\"-h\" # -4 to disable IPv6\n\nconfig_eth0=\"dhcp\"\ndhcpcd_eth0=\"-h\" # -4 to disable IPv6\n\nconfig_enp2s1=\"dhcp\"\ndhcpcd_enp2s1=\"-h\" # -4 to disable IPv6\n<\/pre>\nInstalling Useful Packages<\/h3>\n
Next, we will install some important (non-graphical) packages. These are basic things like sudo<\/tt> and VMware Tools, as well as things that Gentoo lets you choose, like a cron, syslog, and DHCP client implementation.<\/p>\nemerge --pretend --deep --with-bdeps=y app-admin\/logrotate app-admin\/pwgen app-admin\/sudo app-admin\/syslog-ng app-arch\/p7zip app-editors\/vim app-emulation\/open-vm-tools app-portage\/eix app-portage\/mirrorselect app-shells\/tcsh games-misc\/wtf net-dns\/bind-tools net-fs\/nfs-utils net-fs\/samba net-ftp\/proftpd net-misc\/dhcpcd net-misc\/iperf net-misc\/netkit-fingerd net-misc\/netkit-telnetd net-misc\/ntp sys-block\/parted sys-devel\/gdb sys-fs\/exfat-utils sys-fs\/lvm2 sys-fs\/quota sys-process\/lsof sys-process\/vixie-cron\n<\/pre>\nYou will probably need to stuff a few more files into \/etc\/portage\/package.use\/<\/tt> as a result of the \u201c--pretend<\/tt>\u201d dry-run. Once you are satisfied, go ahead and install these items.<\/p>\nSyslog<\/h3>\n
Setting up syslog-ng<\/tt> to do log rotation is pretty easy at this point, since we\u2019ve just installed the logrotate<\/tt> tool. All the work in cron<\/tt> has been taken care of for us, so we just edit \/etc\/logrotate.d\/syslog-ng<\/tt>, and change the section like so:<\/p>\n\/var\/log\/messages {\n monthly\n missingok\n sharedscripts\n rotate 24 # Keep two years, I guess...\n compress\n postrotate\n \/etc\/init.d\/syslog-ng reload > \/dev\/null 2>&1 || true\n endscript\n}\n<\/pre>\nConfiguring<\/h3>\n
We should configure the tools we\u2019ve installed so far by customizing what\u2019s located in \/etc\/conf.d\/<\/tt>. We will change the host name, domain, and so on. Make the following changes in the following files:<\/p>\n\n- .\/consolefont<\/tt>: consolefont = \"Lat2-Terminus16\"<\/tt> (this is a bit less chunky, but the same size as the kernel\u2019s font, so it will be nicer to look at on the plain console)<\/li>\n
- .\/hostname<\/tt>: hostname = \"my_host01\"<\/tt><\/li>\n
- .\/ntp-client<\/tt>: NTPCLIENT_OPTS=\"-s -b -u ntp_server1 ntp_server2\"<\/tt><\/li>\n<\/ul>\n
Change \/etc\/issue<\/tt> and \/etc\/issue.logo<\/tt> from \u201c\\O<\/tt>\u201d to \u201c\\o<\/tt>\u201d, since the original command rarely contains reasonable output. This is the file the system uses to display a nice welcome message when someone gets a console.<\/p>\n
<\/p>\n
Configuring SMB is slightly more complicated, but not too bad. Some things to note\u2014for my network, I get users and groups from LDAP, so SAMBA should know how to acquire this information as well. If your domain is \u201cmydomain.foo<\/tt>\u201d, your LDAP suffix will be \u201cdc=mydomain,dc=foo<\/tt>\u201d. Replace \u201cldap-server1.mydomain.foo<\/tt>\u201d with a proper LDAP FQDN.<\/p>\n\n- First, create a basic configuration: cp \/etc\/samba\/smb.conf.example \/etc\/samba\/smb.conf<\/tt><\/li>\n
- Now, edit \/etc\/samba\/smb.conf<\/tt>, add or change the following settings:\n
workgroup = CORPDOMAIN\n server string = Matt Bisson's (Gentoo Linux) workstation\n\n passdb backend = ldapsam:ldaps:\/\/ldap-server1.mydomain.foo:636\n ldap ssl = start tls\n ldap suffix = dc=mydomain,dc=foo\n ldap user suffix = ou=people\n ldap group suffix = ou=group\n<\/pre>\n<\/li>\n<\/ul>\nAdd this to the end of the file to share your development area.<\/p>\n
# Share the development storage area\n[stgdev]\n comment = Storage for development sandboxes\n path = \/stgdev\n browseable = no\n guest ok = no\n writable = yes\n<\/pre>\nIf you are OK with the root account logging into the machine with SSH, you can edit \/etc\/ssh\/sshd_config<\/tt> to set \u201cPermitRootLogin yes<\/tt>\u201d. Most likely, you will log in with a normal user account that can escalate its privileges, so you won\u2019t need to do this.<\/p>\n
Customize the \u201ceselect<\/tt>\u201d items. The eselect<\/tt> tool alters system-wide settings on Gentoo for any packages that register with the tool. We will want to check back with this subsystem at various points, so familiarize yourself with it if you have not used it. Most eselect<\/tt> modules support basic list\/set\/show functionality. Run through the items now (there are only a few) and customize what you like. This is highly dependent upon what\u2019s on your system, so I won\u2019t bother writing down exact command invocations.<\/p>\nCreating a Local User<\/h3>\n
Create local user so you can still get into the system if LDAP fails you for some reason. Root access is not always available for various window managers or services.<\/p>\n
useradd -c 'Matt Bisson (Local)' -d \/home\/mbisson.local -m -s \/bin\/tcsh -g 100 mbisson.local\npasswd mbisson.local\n<\/pre>\nAdd this user to the wheel<\/tt> group so it can become super-user when needed. Add it to some privileged groups as well, like: floppy<\/tt>, audio<\/tt>, cdrom<\/tt>, tape<\/tt>, video<\/tt>, cdrw<\/tt>, usb<\/tt>, users<\/tt>, and portage<\/tt>. In fact, you probably want to think about adding any user that you wish to be \u201cadministrators\u201d to these groups.<\/p>\nStart Services<\/h3>\n
Now, let\u2019s add important services to the appropriate run-level so the start after boot-up:<\/p>\n
rc-update add consolefont boot\nrc-update add ConsoleKit default\nrc-update add lvm boot\nrc-update add lvmetad boot\nrc-update add net.eno16777736 default\nrc-update add nfs default\nrc-update add nfsclient default\nrc-update add ntp-client default\nrc-update add numlock boot\nrc-update add sshd default\nrc-update add syslog-ng default\nrc-update add vixie-cron default\nrc-update add vmware-tools default\n<\/pre>\nSetting up LDAP<\/h3>\n
The development workstations at my place of business are a lot more usable when they are set up on LDAP. This way, we can use our account and credentials that are known across the corporate infrastructure, as well as have AutoFS access to network file-systems without hard-coding them in \/etc\/fstab<\/tt>. Let\u2019s do this before moving on to more complicated pieces of software (read: \u201cthe GUIs\u201d).<\/p>\n
Find out your local LDAP information. For me, I will be using TLS with certificate-based authentication of the LDAP server, and the following hosts server up LDAP(S) on port 636: ldap-server1.mydomain.foo<\/tt> and ldap-server2.mydomain.foo<\/tt>.<\/p>\n
Install the LDAP support for Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) as well as the AutoFS service. Note that AutoFS 5.0.7 does not build with GCC 5 apparently, so you may have to unmask a later version (also, only 5.5.1 worked for me, as 5.5.1-r2 actually crashed when attempting to mount a file-system)!<\/p>\n
emerge --deep --with-bdeps=y pam_ldap nss_ldap autofs\n\n# Installation warned me that these might be wrong, so it might be good to\n# check that this is as you want it:\nchown root:mail \/var\/spool\/mail\/\nchmod 03775 \/var\/spool\/mail\/\n<\/pre>\nNext, we have to grab the certificate to validate the LDAP servers.<\/p>\n
cd \/etc\/ssl\/cert\/\nwget http:\/\/intranet.mydomain.foo\/sipublic\/ldap\/ldap-cert-mydomain.pem\n<\/pre>\nEdit \/etc\/pam.d\/system-auth<\/tt> (order matters):<\/p>\nauth\t\trequired\tpam_env.so\nauth\t\tsufficient\tpam_ldap.so no_warn\nauth\t\trequired\tpam_unix.so try_first_pass likeauth nullok\nauth\t\toptional\tpam_permit.so\n\naccount\t\tsufficient\tpam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user\naccount\t\trequired\tpam_unix.so\naccount\t\toptional\tpam_permit.so\n\npassword\trequired\tpam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3\npassword\tsufficient\tpam_ldap.so use_authtok use_first_pass debug\npassword\trequired\tpam_unix.so try_first_pass use_authtok nullok sha512 shadow\npassword\toptional\tpam_permit.so\n\nsession\t\trequired\tpam_limits.so\nsession\t\trequired\tpam_env.so\nsession\t\toptional\tpam_ldap.so\nsession\t\trequired\tpam_unix.so\nsession\t\toptional\tpam_permit.so\n<\/pre>\nEdit \/etc\/ldap.conf<\/tt>, and remove all settings except for the following ones (use your own local LDAP server where applicable):<\/p>\nbase dc=mydomain,dc=foo\nuri ldaps:\/\/ldap-server1.mydomain.foo:636 ldaps:\/\/ldap-server2.mydomain.foo:636\nldap_version 3\nbind_policy soft\n\npam_filter objectClass=posixAccount\n\nnss_base_passwd\t\tou=people,dc=mydomain,dc=foo?one\nnss_base_shadow\t\tou=people,dc=mydomain,dc=foo?one\nnss_base_group\t\tou=group,dc=mydomain,dc=foo?sub\nnss_base_netgroup\tou=netgroup,dc=mydomain,dc=foo?one\n\nssl\t\toff\ntls_checkpeer\tyes\ntls_reqcert\tdemand\ntls_cacert\t\/etc\/ssl\/certs\/ldap-cert-mydomain.pem\ntls_cacertfile\t\/etc\/ssl\/certs\/ldap-cert-mydomain.pem\n\nnss_reconnect_tries 4 # number of times to double the sleep time\nnss_reconnect_sleeptime 1 # initial sleep value\nnss_reconnect_maxsleeptime 16 # max sleep value to cap at\nnss_reconnect_maxconntries 2 # how many tries before sleeping\n\nnss_initgroups_ignoreusers ldap,openldap,mysql,syslog,root,postgres\n<\/pre>\nEdit \/etc\/openldap\/ldap.conf<\/tt>\u2014this is basically the contents of the entire file (note that changing the password is not allowed on my set-up, so I give a helpful message):<\/p>\nBASE\t\tdc=mydomain,dc=foo\nURI\t\tldaps:\/\/ldap-server1.mydomain.foo:636 ldaps:\/\/ldap-server2.mydomain.foo:636\n\nldap_version\t3\n\nSSL\t\toff\nTLS\t\thard\nTLS_REQCERT\tdemand\nTLS_CACERT\t\/etc\/ssl\/certs\/ldap-cert-mydomain.pem\nBIND_POLICY\tsoft\n\npam_password_prohibit_message Please use https:\/\/password-change-o.mydomain.foo\/ to change your password.\n<\/pre>\nEdit \/etc\/nsswitch.conf<\/tt>, changing the following settings (ignore the others):<\/p>\npasswd:\t\tfiles ldap\nshadow:\t\tfiles ldap\ngroup:\t\tfiles ldap\n\nhosts:\t\tfiles dns # ldap -- This seems to hang??\n\nnetgroup:\tldap [NOTFOUND=return] files\nautomount:\tldap files\n<\/pre>\nEdit \/etc\/autofs\/autofs_ldap_auth.conf<\/tt> to enable TLS. The settings might already be this way:<\/p>\n<?xml version=\"1.0\" ?>\n<!--\nThis file contains a single entry with multiple attributes tied to it.\nSee autofs_ldap_auth.conf(5) for more information.\n-->\n \n<autofs_ldap_sasl_conf\n usetls=\"no\"\n tlsrequired=\"no\"\n authrequired=\"no\"\n\/>\n<\/pre>\nFinally, edit the AutoFS configuration (\/etc\/conf.d\/autofs<\/tt>). Some of the settings below are left as comments in the configuration because they match the defaults, but they\u2019re still important to know. Similar settings exist in \/etc\/autofs\/autofs.conf<\/tt>, if you prefer to make the changes there:<\/p>\n# MASTER_MAP_NAME - default map name for the master map.\n#MASTER_MAP_NAME=\"auto.master\"\n\n# NEGATIVE_TIMEOUT - set the default negative timeout for\n# failed mount attempts (default 60).\n#NEGATIVE_TIMEOUT=60\n\n# UMOUNT_WAIT - time to wait for a response from umount(8).\n#UMOUNT_WAIT=12\n\n# BROWSE_MODE - maps are browsable by default.\nBROWSE_MODE=\"yes\"\n\n# Define server URIs\n#\n# LDAP_URI - space seperated list of server uris of the form\n# <proto>:\/\/<server>[\/] where <proto> can be ldap\n# or ldaps. The option can be given multiple times.\n# Map entries that include a server name override\n# this option.\n#\n# This configuration option can also be used to\n# request autofs lookup SRV RRs for a domain of\n# the form <proto>:\/\/\/[<domain dn>]. Note that a\n# trailing \"\/\" is not allowed when using this form.\n# If the domain dn is not specified the dns domain\n# name (if any) is used to construct the domain dn\n# for the SRV RR lookup. The server list returned\n# from an SRV RR lookup is refreshed according to\n# the minimum ttl found in the SRV RR records or\n# after one hour, whichever is less.\nLDAP_URI=\"ldaps:\/\/ldap-server1.mydomain.foo:636 ldaps:\/\/ldap-server2.mydomain.foo:636\"\n\n# Define base dn for map dn lookup.\n#\n# SEARCH_BASE - base dn to use for searching for map search dn.\n# Multiple entries can be given and they are checked\n# in the order they occur here.\nSEARCH_BASE=\"ou=automount,dc=mydomain,dc=foo\"\n\n# Other common LDAP schema naming info\nMAP_OBJECT_CLASS=\"automountMap\"\nENTRY_OBJECT_CLASS=\"automount\"\nMAP_ATTRIBUTE=\"ou\"\nENTRY_ATTRIBUTE=\"cn\"\nVALUE_ATTRIBUTE=\"automountInformation\"\n\n# AUTH_CONF_FILE - set the default location for the SASL\n# authentication configuration file.\nAUTH_CONF_FILE=\"\/etc\/autofs\/autofs_ldap_auth.conf\"\n<\/pre>\nNow just enable AutoFS on boot, and test that you can talk to LDAP.<\/p>\n
rc-update add autofs default\n\n# You should find mbisson's user information:\nldapsearch -H ldaps:\/\/ldap-server1.mydomain.foo -D \"uid=mbisson,ou=people,dc=mydomain,dc=foo\" uid=mbisson -x -W -LLL\n<\/pre>\nPower Off<\/h3>\n
Let\u2019s reboot and see if the system actually comes up before we take a snapshot. Reboot (even from your chroot environment is fine). If the system doesn\u2019t come up how you like, fix the errors and reboot until it does. After you\u2019ve done all that, it\u2019s smart to power off the VM and take a snapshot (or clone). This can be the base system for any future customizations, like using X, making a web server, etc.<\/p>\n
Making A Development Workstation<\/h1>\n
Let\u2019s make the bare-bones Linux installation a bit more useful. Up to this point, we could have gone in the direction of making a mail server, a Bugzilla site, or whatever. Now we\u2019re going to install a UI and make this more functional as a development workstation. All of this is optional, so feel free to skip any of the below.<\/p>\n
Installing X Windows<\/h2>\n
First, update your USE<\/tt> flags to enable some important settings. We\u2019re slowly adding these flags as we build up the system, so you might end up building packages more than just once throughout the course of installation. This is OK as far as I\u2019m concerned, because I\u2019d rather have a locally-consistent set of libraries and utilities the entire time, rather than save myself 30 minutes of compilation. It\u2019s all a choice, though\u2014if you\u2019re still with me, edit \/etc\/portage\/make.conf<\/tt> accordingly:<\/p>\nUSE=\"-systemd dbus dga fontconfig ldap nfs offensive opengl samba syslog X\"\n<\/pre>\nAdd some more per-package USE<\/tt> flags that facilitate installing the new packages given the new settings (again, preferably in their own file):<\/p>\nmedia-libs\/mesa xa\nx11-libs\/libdrm libkms\nmedia-libs\/imlib2 png\n<\/pre>\nNow install Xorg. The new USE<\/tt> flags will make sure everything gets included.<\/p>\nemerge --deep --with-bdeps=y --newuse app-misc\/oneko x11-apps\/mesa-progs x11-apps\/xdm x11-base\/xorg-x11 x11-misc\/xteddy x11-terms\/xterm x11-wm\/twm x11-apps\/xsm\n\n# X will want this, so add it to the init scripts\nrc-update add dbus default\n<\/pre>\nXorg should be able to automatically configure itself and run, but I prefer to explicitly specify devices, as well as a 1920\u00d71200 screen size to match my physical monitor. Drop this file into \/etc\/X11\/xorg.conf<\/tt> to achieve that. Since you\u2019re currently running in a virtualized Gentoo installation, the VMware graphics drivers provide tons of monitor options, meaning that skipping this step is totally reasonable.<\/p>\nSection \"ServerLayout\"\n Identifier\t\"Custom X.org Configuration for 1920x1200\"\n Screen\t0 \"Screen0\" 0 0\n InputDevice\t\"Mouse0\" \"CorePointer\"\n InputDevice\t\"Keyboard0\" \"CoreKeyboard\"\nEndSection\n\nSection \"Files\"\n ModulePath\t\"\/usr\/lib64\/xorg\/modules\"\n FontPath\t\"\/usr\/share\/fonts\/misc\/\"\n FontPath\t\"\/usr\/share\/fonts\/TTF\/\"\n FontPath\t\"\/usr\/share\/fonts\/OTF\/\"\n FontPath\t\"\/usr\/share\/fonts\/Type1\/\"\n FontPath\t\"\/usr\/share\/fonts\/100dpi\/\"\n FontPath\t\"\/usr\/share\/fonts\/75dpi\/\"\nEndSection\n\nSection \"Module\"\n Load\t\"dri\"\n Load\t\"dbe\"\n Load\t\"record\"\n Load\t\"glx\"\n Load\t\"dri2\"\n Load\t\"extmod\"\nEndSection\n\nSection \"InputDevice\"\n Identifier\t\"Keyboard0\"\n Driver\t\"kbd\"\nEndSection\n\nSection \"InputDevice\"\n Identifier\t\"Mouse0\"\n Driver\t\"mouse\"\n Option\t\"Protocol\" \"auto\"\n Option\t\"Device\" \"\/dev\/input\/mice\"\n Option\t\"ZAxisMapping\" \"4 5 6 7\"\nEndSection\n\nSection \"Device\"\n Identifier\t\"Card0\"\n Driver\t\"vmware\"\n BusID\t\"PCI:0:15:0\"\nEndSection\n\nSection \"Monitor\"\n Identifier\t\"Monitor0\"\n VendorName\t\"VMware\"\n ModelName\t\"Virtual Monitor\"\nEndSection\n\nSection \"Screen\"\n Identifier\t\"Screen0\"\n Device\t\"Card0\"\n Monitor\t\"Monitor0\"\n SubSection\t\"Display\"\n Viewport\t0 0\n Depth\t\t24\n# Modes\t\t\"1600x1200\"\n Modes\t\t\"1920x1200\"\n EndSubSection\nEndSection\n<\/pre>\nInstall some more fonts\u2026 why not?<\/p>\n
emerge --pretend --deep --with-bdeps=y media-fonts\/aquafont media-fonts\/aquapfont media-fonts\/cheapskatefonts media-fonts\/corefonts media-fonts\/dejavu media-fonts\/freefont media-fonts\/freefonts media-fonts\/fs-fonts media-fonts\/inconsolata media-fonts\/ja-ipafonts media-fonts\/lfpfonts-fix media-fonts\/lfpfonts-var media-fonts\/terminus-font media-fonts\/ttf-bitstream-vera media-fonts\/ubuntu-font-family\n<\/pre>\nLooking at the 60-latin<\/tt> fontconfig file, we can see that the system prefers some fonts by default:<\/p>\n<alias>\n <family>serif<\/family>\n <prefer>\n <family>DejaVu Serif<\/family>\n <family>Bitstream Vera Serif<\/family>\n <family>Times New Roman<\/family>\n <family>Thorndale AMT<\/family>\n <family>Luxi Serif<\/family>\n <family>Nimbus Roman No9 L<\/family>\n <family>Times<\/family>\n <\/prefer>\n<\/alias>\n<alias>\n <family>sans-serif<\/family>\n <prefer>\n <family>DejaVu Sans<\/family>\n <family>Bitstream Vera Sans<\/family>\n <family>Luxi Sans<\/family>\n <family>Nimbus Sans L<\/family>\n <family>Arial<\/family>\n <family>Albany AMT<\/family>\n <family>Helvetica<\/family>\n <family>Verdana<\/family>\n <family>Lucida Sans Unicode<\/family>\n <family>BPG Glaho International<\/family> <!-- lat,cyr,arab,geor -->\n <family>Tahoma<\/family> <!-- lat,cyr,greek,heb,arab,thai -->\n <\/prefer>\n<\/alias>\n<alias>\n <family>monospace<\/family>\n <prefer>\n <family>DejaVu Sans Mono<\/family>\n <family>Bitstream Vera Sans Mono<\/family>\n <family>Inconsolata<\/family>\n <family>Luxi Mono<\/family>\n <family>Nimbus Mono L<\/family>\n <family>Andale Mono<\/family>\n <family>Courier New<\/family>\n <family>Cumberland AMT<\/family>\n <family>Courier<\/family>\n <\/prefer>\n<\/alias>\n<\/pre>\nMake sure to at least install media-fonts\/dejavu<\/tt> or media-fonts\/ttf-bitstream-vera<\/tt> (included in the command above), because Luxi Sans is a really ugly choice for a bold-face font (which KDE uses a bunch).<\/p>\n
You probably want to enable sub-pixel hinting for your fonts and the Liberation font package. Do this with \u201ceselect fontconfig<\/tt>\u201d. The options may be different, so I won\u2019t list them here, but I\u2019m selecting \u201c10-sub-pixel-rgb.conf<\/tt>\u201d for my sub-pixel setting. This same
![](\"\/editorial\/gentoo-3d-small.png\")
\n<\/div>\n