. 
SummaryThis text describes the installation and configuration of a heavy duty internet server running a gentoo linux distribution. The server will have to run 24/7 with minimum downtime for maintenance and is connected to a 100MBit Internet backbone. I choose gentoo as distribution because of the really fast availability of new versions and security patches for all installed packages. Everything will be compiled for the special needs of this maschine with various security enhancement features which ship with the available glibc/gcc versions (like stack smashing protections). Changelog
Previous versions used to split the swap space across the raid harddiscs and not to mirror it. In case of a hard disc failure your system might(will) crash. This is not intended... (Thanks to Nick Rosier to point this out).NoteThis howto is NOT suited for users who run their first linux (or gentoo) install.
Previous linux knowledge is needed, not every detail will be explained here. System descriptionsHardwareThe system is a dual Xeon 2.66 Ghz with 512KB cache size and enabled hyperthreading. System storage will be 2 80 GB HDDs running in a raid 1 with network backup every night.
The filesystem will be XFS on a software raid 1 (mirroring) system. Memory: 1GB, build in network card, no sound used, onboard graphics. The machine will have an UPS and external cooling and will be mounted in a 19" rack. SoftwareThe system will be a heavy duty webserver running at least the following services/daemons:
- Apache 2 as webserver (with many virtual hosts)
- openLDAP for authentication for smtp/imap/pop3 and other login services, but not for system login
- postfix with sasl2 support as MTA (Mail Transfer Agent)
- courier-imap for imap access
- courier-pop3
- mysql as database backend
- php (hardened) for various web frontends
- LeopardCMS (a highspeed content management system written in C) for websites
- ldapphpadmin for administrating the ldap server
- squirrelmail as webmail service
- awstats for website statistics
InstallationThe basic installation is explained in the wonderful gentoo installation handbook. I will only describe the modification on each step. I will use a stage 1 installation with the minimal boot CD. Installation in quick style (refer to the handbook if you don't know how to do the individual step(s)) Booting:
- Boot from the CD, load the right network drivers
- Change root password to something we know.
- Configure the network with the given ip address dns servers etc.
- Start sshd (optional)
Partitioning the hdd(s)I'm using fdisk to partition the hdds, use whatever you like best. Attention: To be able to use the raid 1, both hdds must be partitioned exactly identical, so write down the setting when partitioning. My HDD layout : /dev/hda1 boot partition 10 MB, partition type: fd (Linux raid autodetect)
/dev/hda2 swap partition 250 MB, partition type: 82 (Linux swap)
/dev/hda3 root partition remaining space, partition type: fd (Linux raid autodetect)
The same applies to the 2nd HDD.Setting up the raid 1edit/create the file /etc/raidtab and enter the following (adjust the devices if neccessary) raiddev /dev/md0
nr-raid-disks 2
persistent-superblock 1
device /dev/hda1
raid-disk 0
device /dev/hdc1
raid-disk 1
raiddev /dev/md2
nr-raid-disks 2
persistent-superblock 1
device /dev/hda3
raid-disk 0
device /dev/hdc3
raid-disk 1 In case you want to mirror the swap: raiddev /dev/md1
nr-raid-disks 2
persistent-superblock 1
device /dev/hda2
raid-disk 0
device /dev/hdc2
raid-disk 1
Note: I do not use a raid for the swap, I will explain the swap setup a bit later.
Please also see the comment at the bottom of this page, why this may cause trouble on a harddisk failure. start the raid by running raidstart --all
enter "cat /proc/mdstat"
You should see something like this: Personalities : [raid1]
md0 : active raid1 hda1[1] hdc1[1]
XXX blocks [2/2] [UU]
md2 : active raid1 hda3[1] hdc3[1]
YYY blocks [2/2] [UU]Now, after your raid is up and running, don't think about touching /dev/hda or /dev/hdc directly again. Only use /dev/md0 or /dev/md2. Applying a Filesystem to a Partitioncreate your filesystems like it is described in the handbook, only use /dev/md0 and /dev/md2 for the target devices. Activate the Swap Partitions Because we are using 2 identical hdds, we have 2 swap partitions that we enable both. Later in the /etc/fstab config we can tune a bit to make our swap faster. Mounting Now we follow the handbook a bit for mounting and downloading the needed stage 1 tarball. Remember, use /dev/mdX as partitions. Configuring the Compile OptionsI prefer to to use the full make.conf.default for configuration, so I copy it over before editing. cp /mnt/gentoo/etc/make.conf.default /mnt/gentoo/etc/make.conf
now we edit the filenano -w /mnt/gentoo/etc/make.conf CHOST is set to i686-pc-linux-gnu
I use the following CFLAGS:
CFLAGS="-march=pentium4 -O2 -pipe"
be careful, if you enable the hardened toolchain, never use more than -O2 for compiling.
If you have an AMD cpu, or a pentium2/3 change the -march setting to your cpu.
I set the MAKEOPTS to -j5 (number of CPUs plus one) (2 x Xeon with HT enabled makes 4 virtual CPUs) MAKEOPTS="-j5" setting USE-FlagsI use the following line USE="-X -gtk -gnome -alsa mysql apache2 ssl ssh openldap\
sasl2 pam pic pie hardened hardenedphp xml vhosts"
I don't want X, gtk, gnome or alsa. (This is a server)
But I want mysql, apache, a.s.o.
The flags pic, pie and hardened are used with the hardened toolchain provided by gentoo. These make the executables less vulnerable to buffer overflow and other programming mistakes. As of the writing of this howto, the flags "pic, pie and hardened" cause some problems with some packages. Manual patching and fiddling may be needed.
UPDATE: I installed another server lately (Nov. 2005), no patching was needed any more. Follow the installation manual including the Stage1 to Stage2 section. It is always useful to download the packages first and after that, start the real bootstrapping process. There is nothing better than having a bootstrap failing after 60+ mins on the last package because the file was damaged on the ftp mirror. Proceed from stage2 to stage3 the documented way. This will take a while, in my case 71 packages will be installed. Just keep yourself occupied with something, like writing a howto or something ;) Now its time to configure the kernel as described in the manual
- set the timezone
- install a kernel. I used a hardened-sources kernel (version 2.6.7-r7)
- check the symlink /usr/src/linnux
- configure the kernel with make menuconfig
- make sure to check SMP support in case of a multiple CPU machine.
- If you use XFS and like to not loose parts of your filesystem data, disable preemptible kernel.
- Think twice before enabling power management functions like software suspend.
-
- You really don't want that your server goes into suspend mode during the night.
-
- Warning: If you use MySQL, do not enable the PaX feature "Disallow ELF text relocations". Enabling this makes you unable to compile and run MySQL. *sniff*
-
- compile the kernel (remember to use the -j5 flag like in the MAKEOPTS line).
-
- install the kernel.
configuring /etc/fstabenter the data as described in the manual, but use /dev/md0 and /dev/md2 for the swap line use the following 2 lines /dev/hda2 none swap sw,pri=2 0 0
/dev/hdc2 none swap sw,pri=2 0 0
This way the kernel uses both hdds for swap with the same priority, this means
some data will be swapped to one hdd, some to the other and both could be read/written at the same time. This gives a speed boost when you need swap (which should never happen on normal conditions...).
Or use/dev/md2 none swap sw,pri=2 0 0
in case of a mirrored swap partion.Enter the networking information as described in the handbook (ip, domainname, ...) Continue with the installation manual until you got through the manual and have the basic system running as you want. While writing this howto, it was planned to have a part 2 to describe the installation of additional software like apache, postfix and others. But since they are installed exactly as on a "normal" gentoo distribution, a part 2 is not really needed.
comments
Nick Rosier wrote in an email:
I just read this setup. IMHO there's a little flaw in the setup. Goal is
to have as little downtime as possible. To gain maybe a bit more
performance the author decided not to mirror swap. This is a bad idea. In
case of a hard-disk failure part of your swapspace will be
unavailable/corrupted meaning your system will possibly crash. I doubt
that is what one wants.
Nick has a valid point.
In this setup I use ide harddisks. (yes, I know, SCSI would be better...)
If one of the hdds dies, its very likely that the system crashes any way. This is my experience with ide hdds.
If you use SCSI or SATA-drives, the situation might change. On those drives it might be better to use raid on the swap, too.
rate this article:
current rating: average rating: 1.7 (18 votes) (1=very good 6=terrible)
Your rating:
back
| 
| 
| 
- Running on 
-
:
: 