User:Pietinger/temp/delete me

From Gentoo Wiki

For @4761, because you know my German guide and you may use it as a checklist ;-)


GENTOO Installation for Machine: sun
====================================


Equipment: 
----------
Intel i9-13900K (Raptor Lake-S/HX B0 - GT1 UHD Graphics 770)
Gigabyte Z790 Aorus Elite AX
64 GB G.Skill Trident Z5 RGB, DDR5-6000, CL30
1 TB Samsung 980 PRO Series NVMe SSD, PCIe 4.0 M.2 Typ 2280
4 TB Seagate BarraCuda SATA 6G
Fractal Design Define 7 XL Black Big-Tower
Arctic Liquid Freezer II 420 mm
Corsair RMX Series RM750x

- install additionally:
1 TB Seagate FireCuda 530 NVMe SSD, PCIe 4.0 M.2 Typ 2280 


History:
--------
2023-04-27 Initial Installation 1
2023-05-01 Initial Installation 2 (new kernel)
2023-05-03 Initial Installation 3 (more KDE apps)
2023-05-07 Initial Installation 4 (D. AppArmor)
2023-05-09 Initial Installation 5 (B.3)
2023-05-10 Initial Installation 6 (make harddisk)
2023-05-15 Initial Installation 7 (A.3.9 Luckybackup)


ToDo:
-----
- Hardening privoxy
- Configure Konqueror and Falkon
- Configure Xboard


Partitions:
-----------
- to fill - !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


KDE settings
------------

-> KDE System Settings ->
Appearance -> Breeze Dark
Workspace Behavior -> Screen Locking -> no automatic locking
Workspace Behavior -> Virtual Desktops -> add 5 more
Workspace Behavior -> Recent Files -> do not remember
Shortcuts -> Shortcuts -> KWin -> Ctrl-F5 and Ctrl-F6 for the last two virtual desktops
Startup and Shutdown -> Background Services -> remove Night Color, Touchpad, Free Space Notifier
Startup and Shutdown -> Desktop Session -> start with an empty session
Applications -> Default Applications -> Web browser: Konqueror
Applications -> Default Applications -> Map: Marble
Network Settings -> Proxy -> use the system proxy
Network Settings -> Cookies -> ask for confirmation
Display and Monitor -> Display Configuration -> scaling 125 %
Power Management -> Energy Saving -> Screen Energy Saving: switch off after 10 min.
-> Configure kmix: Settings -> Select Master Channel -> PCM
-> Configure falkon: Preferences -> Browsing -> Local Storage -> Cache path: /tmp/peter/...


2023-04-27 Initial Installation 1
---------------------------------

Chapters from: Installation Guide for Paranoid Dummies

A.1.2

On the old PC:
- download: install-amd64-minimal-20230423T164653Z.iso
# dd if=/home/peter/Downloads/install-amd64-minimal* of=/dev/sdc; sync
- download: stage3-amd64-nomultilib-openrc-20230423T164653Z.tar.xz

On the new PC:
- start BIOS with "Entf" (== Del) and set date and time to UTC
- check if UEFI boot is enabled: CSM must be disabled -> yes
- SecureBoot must be disabled -> was enabled -> now disabled
- change to: "Other OS"
- Intel's Volume Management Device was disabled. I don't need it -> ok (it would need the kernel module "vmd")
- insert USB-stick
- save and quit
- be fast with input "12" for the German keyboard

A.1.3

# clear
! Check if /sys/firmware/efi exists:
# ls /sys/firmware
-> yes -> ok, it really was a UEFI boot
# ifconfig -a
-> ok -> ip address via dhcp from router: 192.168.2.100
-> Notice name of ethernet interface for later: enp2s0
# ping -c 3 www.gentoo.org
-> ok
! Checks in advance:
# uname -a
-> actual stable 6.1.19
# date
-> ok (2 hours before local summer time)
# lscpu
-> family 6, model 183, stepping 1; 800-5800 MHz
# lsblk
-> hd has 2 partitions -> I will delete them later
# dmesg | grep "Intel(R)"
-> notice family, model and stepping: 06-b7-01
# dmesg | grep firmware
-> notice all firmware files (with directory)
# lsmod | more
-> notice all modules
# lspci -k
-> mark all modules from "Kernel driver in use: xxxx" in my list from lsmod with red text marker

A.1.4

# parted -a optimal /dev/nvme0n1
> p
! if any delete with "rm X"
! two partitions ?!
> rm 2
> rm 1
(yes, I know it is not really necessary because it will be erased by the next command)
> mklabel gpt
> unit mib
> mkpart primary 1 256
> name 1 Boot
> set 1 boot on
> mkpart primary 256 4096
> name 2 Swap
> mkpart primary 4096 -1
> name 3 Root
> q
# mkfs.fat -F 32 /dev/nvme0n1p1
# mkswap /dev/nvme0n1p2
# swapon /dev/nvme0n1p2
# mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/nvme0n1p3
! I have an NVMe, therefore -> (skip this on a hard disk)
# tune2fs -o discard /dev/nvme0n1p3
? Check with:
# tune2fs -l /dev/nvme0n1p3
# mount /dev/nvme0n1p3 /mnt/gentoo

A.1.5

# ntpd -q -g
# date
-> ok -> seconds correct; 2h before Berlin (with next step in next chapter it will be correct)
# cd /mnt/gentoo
# scp root@192.168.2.4:/home/peter/stage3* .
! I skipped verifying and validating
# tar xpvf stage3* --xattrs-include='*.*' --numeric-owner

A.1.6

# mkdir -p /mnt/gentoo/etc/portage/repos.conf
# cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
# cp -L /etc/resolv.conf /mnt/gentoo/etc/
# mount -t proc /proc /mnt/gentoo/proc
# mount --rbind /sys /mnt/gentoo/sys
# mount --rbind /dev /mnt/gentoo/dev
# mount --bind /run /mnt/gentoo/run
# chroot /mnt/gentoo /bin/bash
# . /etc/profile
# passwd
# mount /dev/nvme0n1p1 /boot
# emerge-webrsync
# eselect news list
# eselect news read all
# eselect news purge all
# eselect profile list
-> correct setting to 17.1/no-multilib (stable) -> ok
# emerge -1 cpuid2cpuflags
# cpuid2cpuflags
! copy output into make.conf and set some important vars
# nano -w /etc/portage/make.conf
=>
COMMON_FLAGS="-march=native -O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
LC_MESSAGES=C
CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 ssse3"
ACCEPT_LICENSE="* -@EULA"
MAKEOPTS="-j24"
GRUB_PLATFORMS="efi-64"
LINGUAS="de"
L10N="de"
VIDEO_CARDS="intel"
USE="-bluetooth -ipv6 -wifi -wireless alsa pie threads udev usb"
USE="$USE default-stack-clash-protection default-znow"
<=
? emerge --info
# echo "Europe/Berlin" > /etc/timezone
# emerge --config timezone-data
# date
-> ok - now correct
# nano -w /etc/locale.gen
! Add => de_DE.UTF-8 UTF-8
# locale-gen
# eselect locale list
# eselect locale set 7
# env-update
# . /etc/profile
# emerge --sync
- gather some data for later (optional)
# cd /root
# dmesg > dmesg.mininst
# lsmod > lsmod.mininst

A.2 Linux Kernel

! This time I don't install grub any more and choose a UEFI boot (because I already have a monolithic, hardened EFI-stub kernel configuration for an Intel machine)

# emerge -pv gentoo-sources intel-microcode linux-firmware efibootmgr
# cd /usr/src/linux-6.1.19-gentoo
# scp root@192.168.2.4:/usr/src/linux/.config .
# make oldconfig
# make menuconfig
-> Kernel changes:
- add NVMe modules static
- change Nr. CPUS=32
- change CMDLINE=
- change EXTRA_FIRMWARE=
- disable old ethernet module and enable r8169
- disable CDROM
- enable some Intel modules (with help from my "lsmod"-list)
# time make -j32
(31 seconds ... !!  :-)
# mkdir -p /boot/efi/secure
# cp arch/x86/boot/bzImage /boot/efi/secure/bzImage.efi
! I have no module support in my kernel, so I don't need "make modules_install"
# efibootmgr -c -d /dev/nvme0n1 -L "Secure" -l "\efi\secure\bzImage.efi"
(this is not the final kernel for /secure; C.IMA will install the final kernel here)
# mkdir -m 0700 /etc/MY
# cp .config /etc/MY/config-6.1.19-initial
# eselect kernel list
# eselect kernel set 1

A.3.1

! Check partlabels with:
# blkid
? or prettier:
# lsblk -o name,size,parttypename,fstype,partlabel,partuuid
# cd /etc
# scp root@192.168.2.4:/etc/fstab .
# nano -w fstab
=>
PARTLABEL=Boot  /boot                   vfat    noauto,noatime                          1 2
PARTLABEL=Root  /                       ext4    noatime,iversion                        0 1
PARTLABEL=Swap  none                    swap    sw                                      0 0
tmpfs           /tmp                    tmpfs   rw,noexec,nodev,nosuid,mode=1777        0 0
tmpfs           /var/tmp/portage        tmpfs   rw,nodev,nosuid,size=24G,uid=portage,gid=portage,mode=1775,noatime      0 0
/dev/sdb1       /mnt/stick              auto    noauto,user,noatime                     0 0
<=
# mkdir /mnt/stick
# nano -w hosts
=>
127.0.0.1 sun.home sun localhost
192.168.2.4 big.home big
<=
# nano -w rc.conf
! Change => rc_parallel="YES"
# cd conf.d
# nano -w hostname
=> hostname="sun"
# nano -w net
=>
config_enp2s0="192.168.2.9/24"
routes_enp2s0="default via 192.168.2.1"
<=
# nano -w keymaps
! Change => KEYMAP="de"
# cd /etc/init.d
# ln -s net.lo net.enp2s0
# rc-update add net.enp2s0 default
# rc-update del netmount default

A.3.2

# emerge -pv sysklogd
# rc-update add sysklogd default
# mv /etc/syslog.conf /etc/syslog.conf.orig
# nano -w /etc/syslog.conf
=>
*.*                             -/var/log/messages
*.emerg                         *
secure_mode 1
<=
! I will install Cronie later in A.3.5

A.3.3

! All done in A.2 for a UEFI boot !

! Because of a UEFI problem (in the first run) I installed grub nevertheless ... :-(
(Later I found the reason and I don't need grub; but it's ok ... I use it as a backup)
---
! CHECK AGAIN if GRUB_PLATFORMS="efi-64" is set in make.conf
# emerge -pv grub
# grub-install --target=x86_64-efi --efi-directory=/boot
# cd /usr/src/linux
# make install
# grub-mkconfig -o /boot/grub/grub.cfg
---
# nano -w /etc/bash/bashrc
! Add =>
alias df="df -h"
alias cd..="cd .."
alias su-="su -"
alias ll="ls -l"
alias lal="ls -al"
alias mylog="less /var/log/messages"
alias mylogt="tail -f /var/log/messages"
<=
# exit
# cd
# umount -l /mnt/gentoo/dev{/shm,/pts,}
# umount -R /mnt/gentoo
# reboot
---------------------------------------

A.3.4

! Instead of an "emerge -uNDv @world" I recompile everything, because I am using GCC with two new security USE flags:
# emerge -1 gcc
# emerge -1 glibc
-> Parallel in 2nd shell (A.3.8):
# useradd -m -g users -G wheel,audio,video,usb -s /bin/bash peter
# chmod 0700 /home/peter
# passwd peter
<-
# rm /stage3*
# reboot
---------------------------------------
! I want /etc/portage/package.use being a file (and not a directory)
# cd /etc/portage
# rmdir package.use
# nano -w package.use
=>
net-misc/netifrc -dhcp
<=
# emerge -evp -X gcc -X glibc -X gentoo-sources -X linux-firmware -X intel-microcode -X linux-headers -X baselayout @world
# etc-update
# reboot
---------------------------------------

A.3.5

# emerge -pv cronie
# rc-update add cronie default
# nano -w /etc/portage/package.use
! Add => net-misc/chrony -nettle -nts -sechash
# emerge -pv chrony
# rc-update add chronyd default
# nano -w /etc/chrony/chrony.conf
=>
server 192.53.103.104 iburst
server 192.53.103.108 iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
rtconutc
cmdport 0
<=
! Because I already have the correct settings in my kernel I can do this right now:
# rc-update del hwclock boot
# rc-update add osclock default
# emerge -pv alsa-utils
# rc-update add alsasound boot
! Unmute your channels with:
# alsamixer
! Be sure to unmute all (also SPDIF): It must be OO and not MM
! I tested ALSA with:
# speaker-test -t wav -c 2
-> Failed
# aplay -l
->
**** Liste der Hardware-Geräte (PLAYBACK) ****
Karte 0: PCH [HDA Intel PCH], Gerät 0: ALC897 Analog [ALC897 Analog]
  Sub-Geräte: 1/1
  Sub-Gerät #0: subdevice #0
Karte 0: PCH [HDA Intel PCH], Gerät 1: ALC897 Digital [ALC897 Digital]
  Sub-Geräte: 1/1
  Sub-Gerät #0: subdevice #0
Karte 0: PCH [HDA Intel PCH], Gerät 3: HDMI 0 [Acer ET430K]
  Sub-Geräte: 1/1
  Sub-Gerät #0: subdevice #0
Karte 0: PCH [HDA Intel PCH], Gerät 7: HDMI 1 [HDMI 1]
  Sub-Geräte: 1/1
[...]
<-
! Configure default device: my monitor (HDMI 0) ->
# nano -w /etc/asound.conf
=>
defaults.pcm.card 0
defaults.pcm.device 3
<=
# speaker-test -t wav -c 2
-> now ok
# emerge -pvD logrotate

A.3.6

# mkdir -p /var/db/repos/local/{metadata,profiles}
# chown -R portage:portage /var/db/repos/local
# echo "local" > /var/db/repos/local/profiles/repo_name
# echo -e "masters = gentoo\nprofile-formats = portage-2" > /var/db/repos/local/metadata/layout.conf
# echo -e "[local]\nlocation = /var/db/repos/local" > /etc/portage/repos.conf/local.conf
# mkdir -p /var/db/repos/local/profiles/no-multilib-plasma
# echo -e "gentoo:default/linux/amd64/17.1/desktop/plasma\ngentoo:arch/amd64/no-multilib" > /var/db/repos/local/profiles/no-multilib-plasma/parent
# echo "amd64 no-multilib-plasma dev" >> /var/db/repos/local/profiles/profiles.desc
# eselect profile list
-> and set to "local:no-multilib-plasma (dev)" (here it was: 36)
# eselect profile set 36
# nano -w /etc/portage/make.conf
=>
COMMON_FLAGS="-march=native -O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
LC_MESSAGES=C
CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 ssse3"
ACCEPT_LICENSE="* -@EULA"
MAKEOPTS="-j24"
LINGUAS="de"
L10N="de"
GRUB_PLATFORMS="efi-64"
VIDEO_CARDS="intel"
ALSA_CARDS="hda-intel"
INPUT_DEVICES="libinput"
USE="-bluetooth -gtk -gtk3 -ipv6 -lvm -modemmanager -networkmanager -phonon -ppp -pulseaudio -semantic-desktop -thin -thumbnail -wext -wifi -wireless "
USE="$USE jumbo-build lm-sensors matroska openexr opus theora threads vaapi vpx webp"
# gcc
USE="$USE default-stack-clash-protection default-znow"
<=
(In the first run I had no "-gtk"; this gave me "gnome-keyring", which I don't want and don't need. One day later I added it and did a new "emerge -uNDv @world" and then an "emerge -c")
! The following is NOT necessary any more with 64 GB
(# mkdir /etc/portage/env
(# mkdir -p /var/tmp/notmpfs
(# chown portage:portage /var/tmp/notmpfs
(# nano -w /etc/portage/env/notmpfs.conf
(=>
(PORTAGE_TMPDIR="/var/tmp/notmpfs"
(<=
(# nano -w /etc/portage/env/monster.conf
(=>
(MAKEOPTS="-j20"
(<=
(# nano -w /etc/portage/package.env
(=>
(dev-lang/rust monster.conf notmpfs.conf
(<=
(yes, I could use only one file, because at the moment it is only "rust"; but maybe I will need one of them for another package in the future)

# emerge -uNDvp @world
(rust needs 9:01 min. with -j24)
# reboot
---------------------------------------

A.3.7

# emerge -pv xorg-server
# cd /etc/X11
# mkdir xorg.conf.d
# cd xorg.conf.d
# cp /usr/share/X11/xorg.conf.d/40-libinput.conf .
# nano -w 40-libinput.conf
! Add to keyboard section => Option "xkb_layout" "de"
# nano -w /etc/portage/package.use
=>
kde-plasma/plasma-meta -crypt -crash-handler
<=
# emerge -pvD plasma-meta kdecore-meta
# nano -w /etc/conf.d/display-manager
! Change => DISPLAYMANAGER="sddm"
# rc-update add elogind boot
# rc-update add display-manager default
# emerge -pvD gentoolkit bind-tools cpuid cpupower dmidecode dosfstools eix efitools ethtool inxi
# emerge -pvD hdparm libva-utils lsof strace tcpdump traceroute unrar usbutils wgetpaste whois
# emerge -pvD sys-apps/keyutils
# nano -w /etc/portage/package.use
! Add => app-arch/p7zip -kde -wxwidgets
# emerge -pvD p7zip
! Setting from: [[wiki/SSD]] ->
# nano /etc/profile.d/xdg_cache_home.sh
=>
if [ ${LOGNAME} ]; then
  export XDG_CACHE_HOME="/tmp/${LOGNAME}/.cache"
fi
<=
# rm -rf /home/peter/.cache/*
? smartctl -a /dev/nvme0n1
? hdparm -tT /dev/nvme0n1
# reboot
---------------------------------------

B.1 Privoxy and Iptables

# emerge -pv privoxy
# rc-update add privoxy default
# nano -w /etc/privoxy/config
-> enable logging; I will do the hardening later
# nano -w /etc/env.d/99myproxy
=>
export http_proxy="http://127.0.0.1:8118"
export https_proxy="http://127.0.0.1:8118"
<=
# env-update
# less /etc/passwd
-> notice privoxy UID for later -> 392
# rc-update add iptables default
# cd /etc/MY
# scp root@big:/home/peter/sun/fwrules-sun.sh .
# nano -w fwrules-sun.sh
=> insert privoxy UID
# chmod 0700 fwrules-sun.sh
# ./fwrules-sun.sh
! check if there is an error; then check the new config with ->
# iptables -L -v -n
# /etc/init.d/iptables save

B.6 Unbound

# emerge -pv unbound
# rc-update add unbound default
# nano -w /etc/resolv.conf
=>
nameserver 127.0.0.1
options trust-ad
<=
# cd /etc/unbound
# mv unbound.conf unbound.conf-1.16.3.orig
# scp root@big:/etc/unbound/unbound.conf .
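Added example, not the author's fwrules-sun.sh (which B.1 copies from host big but does not show): a host firewall script in the spirit of B.1 and B.6. Instead of editing the privoxy UID into the rules by hand, it resolves the privoxy and unbound accounts from /etc/passwd at run time and uses the iptables owner match so that only privoxy may open outbound HTTP/HTTPS and only unbound may query upstream DNS. The concrete policy (deny by default, rsync for "emerge --sync" as root, NTP for chrony, SSH and ping only inside the 192.168.2.0/24 LAN), the account names and the IPT/PASSWD_FILE/LAN/FW_APPLY knobs are my assumptions.

```shell
#!/bin/sh
# Added example (not the author's fwrules-sun.sh): host firewall for a box that
# reaches the web only through privoxy (B.1) and resolves only through unbound (B.6).
# Assumptions: iptables with the owner/conntrack/multiport matches, service
# accounts named "privoxy" and "unbound", and the LAN used on this page.
IPT="${IPT:-iptables}"                  # IPT=echo gives a dry run that only prints the rules
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
LAN="${LAN:-192.168.2.0/24}"

# Look a service account's UID up at run time; the page notes privoxy's UID (392)
# by hand, but a lookup cannot go stale when the account is recreated.
lookup_uid() {
    awk -F: -v u="$1" '$1 == u { print $3; found = 1; exit } END { exit found ? 0 : 1 }' "$PASSWD_FILE"
}

apply_rules() {
    privoxy_uid=$(lookup_uid privoxy) || { echo "no privoxy account" >&2; return 1; }
    unbound_uid=$(lookup_uid unbound) || { echo "no unbound account" >&2; return 1; }

    # Clean slate and deny-by-default in every direction; OUTPUT is the interesting chain.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback: privoxy (8118) and unbound (53) listen here and nowhere else.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened; nothing else comes in unsolicited.
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the proxy account may open HTTP/HTTPS; every other process must go via 127.0.0.1:8118.
    $IPT -A OUTPUT -m owner --uid-owner "$privoxy_uid" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Only the resolver account may query upstream DNS (unbound.conf decides which servers).
    $IPT -A OUTPUT -m owner --uid-owner "$unbound_uid" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -m owner --uid-owner "$unbound_uid" -p tcp --dport 53 -j ACCEPT
    # root: rsync for "emerge --sync" (A.1.6), which cannot use the HTTP proxy.
    $IPT -A OUTPUT -m owner --uid-owner 0 -p tcp --dport 873 -j ACCEPT
    # NTP for chrony (A.3.5).
    $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT
    # SSH and ping inside the LAN only, for the scp steps between sun and big.
    $IPT -A OUTPUT -d "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A OUTPUT -d "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Rate-limited log of what the policy drops, so later tightening is evidence-based.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

# Only apply when asked for explicitly, so sourcing the file just defines the functions.
if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

Dry-run it first with "IPT=echo FW_APPLY=1 sh fwrules.sh" to read the rules it would load, then "FW_APPLY=1 sh fwrules.sh" followed by "iptables -L -v -n" and "/etc/init.d/iptables save" as in B.1. The "fw-out-drop:" lines in /var/log/messages then show which process tried to bypass the proxy or the resolver.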


2023-05-01 Initial Installation 2
---------------------------------

# emerge -pvD ksysguard
-> Configure it to watch CPU temperature and CPU frequency
# scp root@big:~/mysync.sh .
# ./mysync.sh
# emerge -uNDvp @world
# cd /etc/portage
# rmdir package.accept_keywords
# nano -w package.accept_keywords
=>
sys-firmware/intel-microcode ~amd64
sys-kernel/gentoo-sources ~amd64
sys-kernel/linux-headers ~amd64
<=
# rmdir package.mask
# nano -w package.mask
=>
>=sys-kernel/gentoo-sources-6.2.0
>=sys-kernel/linux-headers-6.2
<=
# emerge -1pvD gentoo-sources
-> install new kernel
# reboot (actually: shutdown)
---------------------------------------


2023-05-03 Initial Installation 3
---------------------------------

# nano -w /etc/sysctl.conf
-> Copy settings from KSPP homepage: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
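Added example, not from the page or from KSPP: after copying the sysctl settings and rebooting, it is worth checking that the running kernel actually exposes and holds them, because a key the kernel does not provide (for example kernel.yama.ptrace_scope without Yama built in) only produces an error at boot that is easy to miss. The key/value list is my recollection of a subset of the KSPP recommendations and is an assumption; take the authoritative list from the KSPP page linked above. SYSCTL_ROOT and KSPP_CHECK are hooks I added so the check can run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the page or from KSPP): check that the kernel actually
# exposes and holds the sysctl values that /etc/sysctl.conf is supposed to set.
# Assumption: the key/value list below is a subset of the KSPP recommended settings
# as I recall them; take the authoritative list from the KSPP page.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"     # hook for testing against a constructed tree

# Read one key ("kernel.kptr_restrict") from the procfs tree; fails if the kernel
# does not provide it (e.g. kernel.yama.ptrace_scope without CONFIG_SECURITY_YAMA).
read_sysctl() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && cat "$path"
}

# Compare every expected key; print OK / FAIL / MISSING per key and return
# non-zero if anything is off, so the check can run from cron and be noticed.
check_kspp() {
    fails=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if ! have=$(read_sysctl "$key"); then
            echo "MISSING $key (kernel does not expose it)"
            fails=$((fails + 1))
        elif [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "FAIL $key=$have (want $want)"
            fails=$((fails + 1))
        fi
    done <<'EOF'
kernel.kptr_restrict 1
kernel.dmesg_restrict 1
kernel.perf_event_paranoid 3
kernel.kexec_load_disabled 1
kernel.yama.ptrace_scope 1
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
dev.tty.ldisc_autoload 0
vm.unprivileged_userfaultfd 0
EOF
    [ "$fails" -eq 0 ]
}

# Only run when asked for explicitly, so sourcing the file just defines the functions.
if [ "${KSPP_CHECK:-0}" = 1 ]; then
    check_kspp
fi
```

Run "KSPP_CHECK=1 sh kspp-check.sh" after the reboot; a MISSING line points at a kernel option to enable (A.2 kernel changes), a FAIL line at a sysctl.conf entry that did not take effect.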
# emerge -pvD kdepim-meta
# emerge -pvD libva-intel-media-driver
# emerge -pvD ark gwenview kate kcalc kmix kompare konversation konqueror kwalletmanager marble okteta okular spectacle sweeper
# emerge -n falkon
-> Doing some KDE settings
# rm -rf /home/peter/.cache/*
# emerge -pvD igt-gpu-tools
# emerge -pvD spectre-meltdown-checker yt-dlp
(yt-dlp needs ffmpeg for encoding mp3)
# emerge -pvD kmahjongg kmines
# emerge -pvD libreoffice
# exit
$ mkdir info
$ cd info
$ scp -r peter@big:~/sun .
$ cd ~/.config
$ scp peter@big:~/.config/konversation* .
! Test IRC


2023-05-07 Initial Installation 4 - D. AppArmor
-----------------------------------------------

# emerge -pvD apparmor apparmor-utils
# rc-update add apparmor boot
# cd /etc/apparmor.d/
# rm *
# scp -r root@big:/etc/apparmor.d/* .
# nano -w usr.bin.wget
-> remove line for old setting
# nano -w usr.bin.vlc
-> remove USECD
# reboot
---------------------------------------
! Check with:
# ps auxZ
# dmesg