This text describes the installation and configuration of a heavy duty internet server running a gentoo linux distribution. The server will have to run 24/7 with minimum downtime for maintenance and is connected to a 100 MBit Internet backbone. I chose gentoo as distribution because of the really fast availability of new versions and security patches for all installed packages. Everything will be compiled for the special needs of this machine with the various security enhancement features that ship with the available glibc/gcc versions (like stack smashing protection).
This howto is NOT suited for users doing their first linux (or gentoo) install. Previous linux knowledge is needed; not every detail will be explained here.
The system is a dual Xeon 2.66 GHz with 512 KB cache size and hyperthreading enabled.
System storage will be two 80 GB HDDs running in a raid 1 with a network backup every night. The filesystem will be XFS on a software raid 1 (mirroring) system.
Memory: 1 GB, built-in network card, no sound used, onboard graphics.
The machine will have a UPS and external cooling and will be mounted in a 19" rack.
The system will be a heavy duty webserver running at least the following services/daemons:
The basic installation is explained in the wonderful gentoo installation handbook.
I will only describe the modification on each step.
I will use a stage 1 installation with the minimal boot CD.
Installation in quick style (refer to the handbook if you don't know how to do the individual step(s))
Booting:
I'm using fdisk to partition the hdds, use whatever you like best.
Attention: to be able to use the raid 1, both hdds must be partitioned exactly identically, so write down the settings when partitioning.
My HDD layout:
/dev/hda1  boot partition, 10 MB, partition type: fd (Linux raid autodetect)
/dev/hda2  swap partition, 250 MB, partition type: 82 (Linux swap)
/dev/hda3  root partition, remaining space, partition type: fd (Linux raid autodetect)
The same applies to the 2nd HDD.
Edit/create the file /etc/raidtab and enter the following (adjust the devices if necessary; raid-level is a mandatory entry in raidtab):
raiddev /dev/md0
    raid-level            1
    nr-raid-disks         2
    persistent-superblock 1
    device                /dev/hda1
    raid-disk             0
    device                /dev/hdc1
    raid-disk             1

raiddev /dev/md2
    raid-level            1
    nr-raid-disks         2
    persistent-superblock 1
    device                /dev/hda3
    raid-disk             0
    device                /dev/hdc3
    raid-disk             1
In case you want to mirror the swap:
raiddev /dev/md1
    raid-level            1
    nr-raid-disks         2
    persistent-superblock 1
    device                /dev/hda2
    raid-disk             0
    device                /dev/hdc2
    raid-disk             1
Note: I do not use a raid for the swap, I will explain the swap setup a bit later.
Please also see the comment at the bottom of this page on why this may cause trouble on a harddisk failure.
Start the raid by running
raidstart --all
then check the result with
cat /proc/mdstat
You should see something like this:
Personalities : [raid1]
md0 : active raid1 hda1[1] hdc1[1]
      XXX blocks [2/2] [UU]
md2 : active raid1 hda3[1] hdc3[1]
      YYY blocks [2/2] [UU]
Now, after your raid is up and running, don't think about touching /dev/hda or /dev/hdc directly again. Only use /dev/md0 or /dev/md2.
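Two checks for the layout described above, added here as an example and not part of the original howto: one verifies that both disks carry identical partition tables (the requirement stated before the raidtab), the other reads /proc/mdstat text and reports any mirror that has lost a member, which is what a 24/7 box should be watching for. The sfdisk -d dumps and the mdstat text are constructed samples; only a POSIX sh with sed and awk is assumed.

```shell
#!/bin/sh
# Added example, not from the original howto. Both inputs below are
# constructed samples; on the real box they would come from
#   sfdisk -d /dev/hda    sfdisk -d /dev/hdc    cat /proc/mdstat

HDA_DUMP='/dev/hda1 : start=       63, size=    20412, Id=fd, bootable
/dev/hda2 : start=    20475, size=   512001, Id=82
/dev/hda3 : start=   532476, size=155660000, Id=fd'

HDC_DUMP='/dev/hdc1 : start=       63, size=    20412, Id=fd, bootable
/dev/hdc2 : start=    20475, size=   512001, Id=82
/dev/hdc3 : start=   532476, size=155660000, Id=fd'

# Constructed mdstat: md0 is a healthy mirror, md2 has lost hdc3.
MDSTAT='Personalities : [raid1]
md0 : active raid1 hda1[0] hdc1[1]
      10176 blocks [2/2] [UU]
md2 : active raid1 hda3[0]
      77829952 blocks [2/1] [U_]
unused devices: <none>'

# same_layout DUMP_A DUMP_B
# Strips the device name from every partition line and compares the rest
# (start, size, type, flags). Returns 0 when both disks match.
same_layout() {
    a=$(printf '%s\n' "$1" | sed 's#^/dev/[a-z]*[0-9]* *: *##')
    b=$(printf '%s\n' "$2" | sed 's#^/dev/[a-z]*[0-9]* *: *##')
    [ "$a" = "$b" ]
}

# degraded_arrays MDSTAT_TEXT
# Prints the name of every md device whose member field ([UU], [U_], ...)
# contains "_", i.e. a missing disk. Returns 1 if any array is degraded.
degraded_arrays() {
    printf '%s\n' "$1" | awk '
        /^md[0-9]+ :/          { name = $1 }
        /blocks/ && $NF ~ /_/  { print name; found = 1 }
        END                    { exit (found ? 1 : 0) }'
}

if same_layout "$HDA_DUMP" "$HDC_DUMP"; then
    echo "partition layouts match"
else
    echo "WARNING: partition layouts differ" >&2
fi
degraded_arrays "$MDSTAT" | sed 's/^/WARNING: degraded array: /'
```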
Create your filesystems as described in the handbook, only use /dev/md0 and /dev/md2 as the target devices.
Activate the Swap Partitions
Because we are using two identical hdds, we have two swap partitions, and we enable both.
Later in the /etc/fstab config we can tune a bit to make our swap faster.
Mounting
Now we follow the handbook a bit for mounting and downloading the needed stage 1 tarball. Remember, use /dev/mdX as partitions.
I prefer to use the full make.conf.default for configuration, so I copy it over before editing.
cp /mnt/gentoo/etc/make.conf.default /mnt/gentoo/etc/make.conf
Now we edit the file
nano -w /mnt/gentoo/etc/make.conf
CHOST is set to i686-pc-linux-gnu
I use the following CFLAGS:
CFLAGS="-march=pentium4 -O2 -pipe"
Be careful: if you enable the hardened toolchain, never use more than -O2 for compiling.
If you have an AMD cpu, or a pentium2/3 change the -march setting to your cpu.
I set MAKEOPTS to -j5 (number of CPUs plus one; 2 x Xeon with HT enabled makes 4 virtual CPUs)
MAKEOPTS="-j5"
I use the following line
USE="-X -gtk -gnome -alsa mysql apache2 ssl ssh openldap \
     sasl2 pam pic pie hardened hardenedphp xml vhosts"
I don't want X, gtk, gnome or alsa (this is a server),
but I want mysql, apache and so on.
The flags pic, pie and hardened are used with the hardened toolchain provided by gentoo.
These make the executables less vulnerable to buffer overflows and other programming mistakes. At the time of writing this howto, the flags "pic, pie and hardened" caused problems with some packages. Manual patching and fiddling may be needed.
UPDATE: I installed another server lately (Nov. 2005), no patching was needed any more.
Follow the installation manual including the Stage1 to Stage2 section.
It is always useful to download the packages first and after that, start the real bootstrapping process. There is nothing better than having a bootstrap failing after 60+ mins on the last package because the file was damaged on the ftp mirror.
Proceed from stage2 to stage3 the documented way.
This will take a while, in my case 71 packages will be installed.
Just keep yourself occupied with something, like writing a howto or something ;)
Now it's time to configure the kernel as described in the manual.
Enter the data as described in the manual, but use /dev/md0 and /dev/md2.
For the swap line use the following 2 lines:
/dev/hda2   none   swap   sw,pri=2   0 0
/dev/hdc2   none   swap   sw,pri=2   0 0
This way the kernel uses both hdds for swap with the same priority: some pages are swapped to one hdd, some to the other, and both can be read/written at the same time. This gives a speed boost when you need swap (which should never happen under normal conditions...).
In case of a mirrored swap partition (the /dev/md1 device from the raidtab above) use instead:
/dev/md1    none   swap   sw,pri=2   0 0
Enter the networking information as described in the handbook (ip, domainname, ...)
Continue with the installation manual until you have gone through it and have the basic system running as you want.
While writing this howto, it was planned to have a part 2 to describe the installation of additional software like apache, postfix and others.
But since they are installed exactly as on a "normal" gentoo distribution, a part 2 is not really needed.