Summary

This text describes the installation and configuration of a heavy duty internet server running a gentoo linux distribution. The server will have to run 24/7 with minimum downtime for maintenance and is connected to a 100MBit Internet backbone. I choose gentoo as distribution because of the really fast availability of new versions and security patches for all installed packages. Everything will be compiled for the special needs of this maschine with various security enhancement features which ship with the available glibc/gcc versions (like stack smashing protections).

Changelog

Note

This howto is NOT suited for users who run their first linux (or gentoo) install. Previous linux knowledge is needed, not every detail will be explained here.

System descriptions

Hardware

The system is a dual Xeon 2.66 Ghz with 512KB cache size and enabled hyperthreading.

System storage will be 2 80 GB HDDs running in a raid 1 with network backup every night. The filesystem will be XFS on a software raid 1 (mirroring) system.

Memory: 1GB, build in network card, no sound used, onboard graphics.

The machine will have an UPS and external cooling and will be mounted in a 19" rack.

Software

The system will be a heavy duty webserver running at least the following services/daemons:

• Apache 2 as webserver (with many virtual hosts)
• openLDAP for authentication for smtp/imap/pop3 and other login services, but not for system login
• postfix with sasl2 support as MTA (Mail Transfer Agent)
• courier-imap for imap access
• courier-pop3
• mysql as database backend
• php (hardened) for various web frontends
• LeopardCMS (a highspeed content management system written in C) for websites
• ldapphpadmin for administrating the ldap server
• squirrelmail as webmail service
• awstats for website statistics

Installation

The basic installation is explained in the wonderful gentoo installation handbook.

I will only describe the modification on each step.

I will use a stage 1 installation with the minimal boot CD.

Installation in quick style (refer to the handbook if you don't know how to do the individual step(s))

Booting:

• Boot from the CD, load the right network drivers
• Change root password to something we know.
• Configure the network with the given ip address dns servers etc.
• Start sshd (optional)

Partitioning the hdd(s)

I'm using fdisk to partition the hdds, use whatever you like best.

Attention: To be able to use the raid 1, both hdds must be partitioned exactly identical, so write down the setting when partitioning.

My HDD layout :

/dev/hda1 boot partition 10 MB,  partition type: fd (Linux raid autodetect)
/dev/hda2 swap partition 250 MB, partition type: 82 (Linux swap)
/dev/hda3 root partition remaining space, partition type: fd (Linux raid autodetect)

Setting up the raid 1

edit/create the file /etc/raidtab and enter the following (adjust the devices if neccessary)

raiddev         /dev/md0
nr-raid-disks   2
persistent-superblock   1
device          /dev/hda1
raid-disk       0
device          /dev/hdc1
raid-disk       1

raiddev         /dev/md2
nr-raid-disks   2
persistent-superblock   1
device          /dev/hda3
raid-disk       0
device          /dev/hdc3
raid-disk       1

In case you want to mirror the swap:

raiddev         /dev/md1
nr-raid-disks   2
persistent-superblock   1
device          /dev/hda2
raid-disk       0
device          /dev/hdc2
raid-disk       1

Note: I do not use a raid for the swap, I will explain the swap setup a bit later.
Please also see the comment at the bottom of this page, why this may cause trouble on a harddisk failure.

start the raid by running

raidstart --all

You should see something like this:

Personalities : [raid1]
md0 : active raid1 hda1[1] hdc1[1]
      XXX blocks [2/2] [UU]
md2 : active raid1 hda3[1] hdc3[1]
      YYY blocks [2/2] [UU]

Now, after your raid is up and running, don't think about touching /dev/hda or /dev/hdc directly again. Only use /dev/md0 or /dev/md2.

Applying a Filesystem to a Partition

create your filesystems like it is described in the handbook, only use /dev/md0 and /dev/md2 for the target devices.

Activate the Swap Partitions

Because we are using 2 identical hdds, we have 2 swap partitions that we enable both.

Later in the /etc/fstab config we can tune a bit to make our swap faster.

Mounting

Now we follow the handbook a bit for mounting and downloading the needed stage 1 tarball. Remember, use /dev/mdX as partitions.

Configuring the Compile Options

I prefer to to use the full make.conf.default for configuration, so I copy it over before editing.

cp /mnt/gentoo/etc/make.conf.default /mnt/gentoo/etc/make.conf

nano -w /mnt/gentoo/etc/make.conf

CHOST is set to i686-pc-linux-gnu

I use the following CFLAGS:

CFLAGS="-march=pentium4 -O2 -pipe" be careful, if you enable the hardened toolchain, never use more than -O2 for compiling.

If you have an AMD cpu, or a pentium2/3 change the -march setting to your cpu.

I set the MAKEOPTS to -j5 (number of CPUs plus one) (2 x Xeon with HT enabled makes 4 virtual CPUs)

MAKEOPTS="-j5"

setting USE-Flags

I use the following line

USE="-X -gtk -gnome -alsa mysql apache2 ssl ssh openldap\
sasl2 pam pic pie hardened hardenedphp xml vhosts"

But I want mysql, apache, a.s.o.

The flags pic, pie and hardened are used with the hardened toolchain provided by gentoo.

These make the executables less vulnerable to buffer overflow and other programming mistakes. As of the writing of this howto, the flags "pic, pie and hardened" cause some problems with some packages. Manual patching and fiddling may be needed.

UPDATE: I installed another server lately (Nov. 2005), no patching was needed any more.

Follow the installation manual including the Stage1 to Stage2 section.

It is always useful to download the packages first and after that, start the real bootstrapping process. There is nothing better than having a bootstrap failing after 60+ mins on the last package because the file was damaged on the ftp mirror.

Proceed from stage2 to stage3 the documented way.

This will take a while, in my case 71 packages will be installed.

Just keep yourself occupied with something, like writing a howto or something ;)

Now its time to configure the kernel as described in the manual

• set the timezone
• install a kernel. I used a hardened-sources kernel (version 2.6.7-r7)
• check the symlink /usr/src/linnux
• configure the kernel with make menuconfig
• make sure to check SMP support in case of a multiple CPU machine.
• If you use XFS and like to not loose parts of your filesystem data, disable preemptible kernel.
• Think twice before enabling power management functions like software suspend.
  
• You really don't want that your server goes into suspend mode during the night.
  
• Warning: If you use MySQL, do not enable the PaX feature "Disallow ELF text relocations". Enabling this makes you unable to compile and run MySQL. *sniff*
  
• compile the kernel (remember to use the -j5 flag like in the MAKEOPTS line).
  
• install the kernel.

configuring /etc/fstab

enter the data as described in the manual, but use /dev/md0 and /dev/md2

for the swap line use the following 2 lines

/dev/hda2  none swap sw,pri=2 0 0
/dev/hdc2  none swap sw,pri=2 0 0

/dev/md2  none swap sw,pri=2 0 0

Enter the networking information as described in the handbook (ip, domainname, ...)

Continue with the installation manual until you got through the manual and

have the basic system running as you want.

While writing this howto, it was planned to have a part 2 to describe the installation of additional software like apache, postfix and others.

But since they are installed exactly as on a "normal" gentoo distribution, a part 2 is not really needed.

comments