Gentoo Forums
Hardened+NoMultilib+SELinux Install?
The_Great_Sephiroth
Veteran
Joined: 03 Oct 2014
Posts: 1367
Location: Fayetteville, NC, USA
PostPosted: Sun Jul 10, 2016 2:50 pm    Post subject: Hardened+NoMultilib+SELinux Install?

I am setting up a web-server and using the hardened+nomultilib stage3 archive to install with. Once into my chroot I get to the point of selecting a profile. I want to change it from hardened+nomultilib to hardened+nomultilib+selinux, but when doing that I get errors about missing selinux.h from sed. How do I install this configuration? The system is an AMD Athlon 64x2, 4GiB RAM, and two 500GB SATA disks in RAID1 via BTRFS.

Things I tried last night were leaving the profile alone until I built the kernel with SELinux support THEN changing the profile, but that failed also. All this box will run (aside from the core things Linux needs) is MariaDB, Apache2, and an SSH server for updating, administration, etc. I will be running a strict iptables firewall with the geoip xtables support to only allow connections from my country (USA) as an added layer of protection, since this will only be needed in the USA. My company is not large enough to have foreign clients.

So, how can I get this done? I just repartitioned the disks, extracted the tarball, entered the chroot, and synced portage. I would like some guidance before I move forward. Also, my partitioning scheme is below.
Code:

1MiB-8MiB - GRUB
8MiB-1GiB - Boot, BTRFS, noauto,compress=no,autodefrag
1GiB-6GiB - Var, BTRFS, compress=no
6GiB-8GiB - Var/Log, BTRFS, compress=no
8GiB-16GiB - (root), BTRFS, compress=no
16GiB-18GiB - Tmp, BTRFS, compress=no
18GiB-20GiB - Portage, BTRFS, compress=zlib,autodefrag
20GiB-26GiB - Distfiles, BTRFS, compress=zlib,autodefrag
26GiB-30GiB - Usr/Src, BTRFS, compress=zlib
30GiB-32GiB - Swap
32GiB-288GiB - Database, BTRFS, compress=no
288GiB-352GiB - Sites, BTRFS, compress=no
352GiB-100% - Home, BTRFS, compress=zlib

All BTRFS partitions are RAID1 between sda and sdb.
_________________
Ever picture systemd as what runs "The Borg"?
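The firewall described in the post above (a strict iptables policy that admits new connections only from one country, using the geoip match from xtables-addons), written out as an added example; this is not the poster's ruleset. Assumptions: the allowed country is US, SSH listens on port 22, new SSH connections are limited to 4 per minute per source address, and the xt_geoip module plus its country database (built with xtables-addons' xt_geoip_build) are installed before the rules are loaded. The ordering is the point: the conntrack ESTABLISHED,RELATED rule sits above the country test, so replies to connections this host opens itself (portage mirrors, DNS, NTP, in whatever country they are) are unaffected, and the geoip decision is taken once, in a dedicated chain, for new inbound connections only.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny IPv4 ruleset for a host
# that exposes only SSH and HTTP/HTTPS and drops new connections from
# outside one country with the xtables-addons "geoip" match.
# COUNTRY, SSH_PORT and the rate limit are assumptions. Usage:
#   sh firewall.sh | iptables-restore --test   # parse and module check only
#   sh firewall.sh | iptables-restore          # apply (as root)
set -eu

COUNTRY=${COUNTRY:-US}
SSH_PORT=${SSH_PORT:-22}

# gen_rules prints the ruleset in iptables-restore format ("#" lines are
# ignored by iptables-restore, so the comments can stay in).
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INBOUND - [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (portage rsync/distfile mirrors,
# DNS, NTP) are accepted here, before the country test: the geoip match
# below only ever sees NEW inbound connections.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -j INBOUND
# One country gate for all services instead of "-m geoip" on every rule.
-A INBOUND -m geoip ! --src-cc $COUNTRY -j DROP
# Per-source SSH rate limit; brute force from inside the country is still
# possible, so this complements key-only authentication, it does not replace it.
-A INBOUND -p tcp --dport $SSH_PORT -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 4/min -j DROP
-A INBOUND -p tcp --dport $SSH_PORT -j ACCEPT
-A INBOUND -p tcp -m multiport --dports 80,443 -j ACCEPT
# MariaDB (3306) is deliberately absent: bind it to 127.0.0.1 and reach it
# over SSH when needed.
-A INBOUND -j DROP
COMMIT
EOF
}

gen_rules
```

Two caveats worth knowing before relying on this: iptables-restore rejects the whole ruleset if xt_geoip or its database is missing, and a failed load at boot leaves the kernel's default ACCEPT policy in place rather than DROP, so the service that loads the rules needs to treat that as a hard failure; and the gate is IPv4-only as written, so either disable IPv6 on the interface or write the equivalent ip6tables rules, otherwise the country filter is simply bypassed over v6.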
The_Great_Sephiroth
PostPosted: Mon Jul 11, 2016 2:32 am

I finally spliced the guides together in my head and got the install finished. However, while my root partition is found (sdb5), it will not mount. I get "Failed to mount /dev/sdb5 on /newroot: Invalid argument". I created the initramfs with "genkernel --btrfs --install initramfs". So what is going on here? GRUB2 claims to support BTRFS and I want it for RAID1 with checksums. I am not using subvolumes or compression on the root, boot, or anything critical.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5876
PostPosted: Mon Jul 11, 2016 8:46 pm

The_Great_Sephiroth wrote:
I am not using subvolumes

You've gone with an insane static partitioning scheme to avoid one of the main reasons to even have Btrfs in the first place? Why?
vaxbrat
l33t
Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs
PostPosted: Mon Jul 11, 2016 10:06 pm    Post subject: initramfs setup maybe

I think your problem may be that your initramfs script needs to scan for btrfs filesystems before it attempts to mount anything. Check the basic busybox script that scans and mounts the root in this link:

https://wiki.gentoo.org/wiki/Btrfs/Native_System_Root_Guide

If I remember right, grub2 was a bit stupid handling anything other than basic one disk setups. I also don't use genkernel and prefer to hand build my kernels making sure that the hardware and the filesystems I'm using are baked right into the kernel rather than loaded as modules. Also note that I've been on ssd system roots since doing that guide and thus don't bother doing system mirrors like that anymore.
The_Great_Sephiroth
PostPosted: Mon Jul 11, 2016 11:21 pm

I only use genkernel for the initramfs. I do my kernels by hand. My drivers and even iptables is baked into the kernel. I am like you, I want control over my kernel and what it can and cannot do.

As for the subvolumes question, I have several reasons. The biggest one is that I can't find anything that explains it well enough for me to understand. I am an advanced user, but I am not a kernel or FS dev and cannot wrap my head around it. I also do not see it as useful since if I have an issue down the road a snapshot may take me back too far to upgrade via portage. Oh, and my BIGGEST reason (almost the sole reason) I chose BTRFS was that I could have bit-rot protection without enough RAM to run the NASA supercomputer, unlike ZFS.

As for GRUB2 handling things, it will split things into two lines, but a quick fix is to add "head -n 1" to the two lines in the "grub2-mkconfig" script. Still no dice though. It literally SEES /dev/sdb5 as the root, but cannot mount it for whatever reason.

I read that the init script linked was for an older version of btrfs, so I did not try it. Are you saying we must still do this?
vaxbrat
PostPosted: Tue Jul 12, 2016 2:54 am    Post subject: btrfs scan may be necessary

There were two issues I ran into back when I was doing the system mirror like you. The first was that I had to make sure to do the "btrfs scan" in the initramfs init script before attempting to mount root. Then I noticed further problems with trying to have the system root on anything other than the default subvolume.

BTW you read that correctly. When you don't use subvolumes on the mount, there is actually a default subvolume.

I moved to grub2 at some point or other and ssd based systems as I mentioned. At some point, I think I had grub2 managing to find a non-default subvolume to mount for the system root. I haven't tried to do a two disk mirror since though.

Never did look to see what genkernel puts out there for an initramfs. I take it that it puts out some sort of stock init script based on what you give it for options?
vaxbrat
PostPosted: Tue Jul 12, 2016 3:28 am    Post subject: snapshots

Snapshots are a good backup strategy, especially if you have a filesystem that doesn't change a lot such as my friend's NAS that held a backup of their software tree.

They may not make as much sense for an entire system disk, but I could see the benefit of using them to snap /usr/portage for example. Just remember that when you take a snapshot, you are basically copying the map of extents for each file in a directory tree from one place to another. It's very quick because it's space efficient and not taking whole copies of extents. When you destroy a snapshot, it's likewise very quick.

Ceph uses them on btrfs for osd filesystems in order to implement a stack of save states or transactions.

Code:
2016-07-11 23:08:12.551322 mon.0 [INF] pgmap v18002744: 768 pgs: 1 active+clean+scrubbing, 767 active+clean; 7189 GB data, 16742 GB used, 4715 GB / 22356 GB avail
2016-07-11 23:08:17.548390 mon.0 [INF] pgmap v18002745: 768 pgs: 1 active+clean+scrubbing, 767 active+clean; 7189 GB data, 16742 GB used, 4715 GB / 22356 GB avail
2016-07-11 23:08:22.545351 mon.0 [INF] pgmap v18002746: 768 pgs: 1 active+clean+scrubbing, 767 active+clean; 7189 GB data, 16742 GB used, 4715 GB / 22356 GB avail


Notice how the pgmap rolls? Each one of those represents a btrfs snapshot when the filesystem underlying the osd is based on btrfs or zfs. The filestore code has to do things a bit differently when it is using xfs or ext4 instead. When a shard gets written out, one osd represents the "primary" osd and then one or more other osd's are considered secondaries. The I/O waits until the primary is done, but the secondaries may or may not have finished before the I/O is considered done.

Here's a dump of placement groups for a given pgmap with only one pg shown:

Code:
ceph pg dump | less
version 18002833
stamp 2016-07-11 23:17:17.599601
last_osdmap_epoch 26529
last_pg_scan 26529
full_ratio 0.95
nearfull_ratio 0.85
pg_stat objects mip     degr    misp    unf     bytes   log     disklog state   state_stamp     v       reported        up      up_primary      acting  acting_primary  last_scrub      scrub_stamp     last_deep_scrub deep_scrub_stamp
5.ff    0       0       0       0       0       0       300     300     active+clean    2016-07-11 18:38:47.703634      23375'300       26529:2974      [1,2,3] 1       [1,2,3] 1       23375'300       2016-07-11 18:38:47.703582      23375'300       2016-07-07 16:44:48.235221


For this pg known as 5.ff there are a primary and two replicas. osd.1 is the primary with 2 and 3 designated as secondaries. osd.1, 2 and 3 will be talking amongst themselves to make sure that things are eventually in sync, but stuff happens. The transactions provided by the snapshots are how things can be eventually brought back in sync if a drive starts acting up and makes its parent osd wait longer than necessary or requires it to re-issue the write.

As you might guess, ceph provides a pretty strenuous workout of btrfs snapshotting :D
The_Great_Sephiroth
PostPosted: Wed Jul 13, 2016 1:34 pm

It may just be me, but both the guide you linked and the early userspace mounting guide do not work. I do not have "/usr/src/initramfs" or "/usr/src/linux/initramfs". As such, I do not have the initramfs_list file. I do have busybox emerged. What do I do?
vaxbrat
PostPosted: Thu Jul 14, 2016 1:55 am    Post subject: Did you set?

In your kernel .config file do you have this pointing to something?

Code:
CONFIG_INITRAMFS_SOURCE:


You are going to be setting that tree up by hand by pulling in the binaries and .so files that will be needed to support the btrfs tools and mount. Then based on what you put in there, you are going to create your initramfs_list file that also goes in there. When you build the resulting kernel, it will run cpio and embed the resulting archive directly into the kernel image. My guide showed what I pulled in from /lib64 and /sbin to this directory and then my resulting initramfs_list file.

Since I never used genkernel, I didn't know whether it did anything for you about building this stuff. You could probably emerge and play with sys-kernel/dracut for an initramfs that will be a bit more automated.
The_Great_Sephiroth
PostPosted: Fri Jul 15, 2016 2:59 pm

I did not realize that I had to make that file by hand. I can handle that. I will attempt it now and report the results. Thanks!

*EDIT*

Question. Can I use UUIDs instead of /dev/sd<x> in the fstab that goes into the initramfs? I have an issue where these get shuffled when backup devices (USB or eSATA) are plugged into the system. If one is plugged in and we do a remote reboot, it may not come up if we rely on /dev/sd<x>.
vaxbrat
PostPosted: Fri Jul 15, 2016 5:45 pm    Post subject: uuids

Yeah you should be able to use uuids just fine. This fstab would be treated just like your normal one in /etc. It's here because you need all of the files dependent on btrfs operations to be in the archive and then unpacked by the kernel just after it boots. The whole idea is to get your root detected and mounted properly before you pivot from your memory based one into it.

Personally, I set and use LABELs instead because UUIDs need to be copy/pasted and take a lot more real estate in an editor like nano. Also at work I do a lot with reference vm's that I clone and then go elsewhere with or turn into physical installs. RedHat would probably have a hissy fit if they saw my methods of avoiding their infernal kickstart approach by grafting a new root on top of a minimal install while preserving grub and /boot. The uuid gets changed when I do stuff like this so I just use either physical names or LABELs.
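The procedure vaxbrat describes across the posts above (a hand-built initramfs tree embedded through CONFIG_INITRAMFS_SOURCE, a btrfs device scan before the root mount so both halves of the mirror are known to the kernel, and root named by LABEL or UUID instead of /dev/sdX), carried through as one complete worked example. This is an added example, not the thread's script and not the one in the linked wiki guide. Assumptions: a static sys-apps/busybox at /bin/busybox whose build includes the findfs and switch_root applets, btrfs-progs at /sbin/btrfs, the root filesystem labelled gentoo-root and passed on the kernel command line as root=LABEL=gentoo-root (root=UUID=... works the same way), OpenRC's /sbin/init on the real root, and an output directory given as the first argument (for example /usr/src/initramfs). Unlike the fstab-in-the-initramfs method described above, this /init takes root= and rootflags= from the kernel command line, so there is one place to change when a device is renamed. The rescue helper, file names and the LABEL are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): writes a minimal busybox /init for a
# two-disk btrfs RAID1 root and the initramfs_list that the kernel's
# CONFIG_INITRAMFS_SOURCE consumes. Paths, the LABEL and the "rescue"
# helper are assumptions. Usage:  sh build-initramfs.sh /usr/src/initramfs
set -eu

# write_init DIR: emit DIR/init. It runs as PID 1 from the embedded
# initramfs; the "btrfs device scan" before the mount is what registers the
# second member of the mirror, without it the mount of a multi-device
# filesystem fails with EINVAL ("Invalid argument") and the reason is only
# visible in dmesg.
write_init() {
    cat > "$1/init" <<'EOF'
#!/bin/busybox sh
# Drop to a shell on any failure instead of hanging silently.
rescue() { echo "initramfs: $1"; exec /bin/busybox sh; }

/bin/busybox --install -s /bin
mount -t proc  none /proc
mount -t sysfs none /sys
mount -t devtmpfs none /dev

# root= and rootflags= come from the kernel command line, e.g. from GRUB:
#   root=LABEL=gentoo-root rootflags=compress=no
root=""; rootflags="ro"
for arg in $(cat /proc/cmdline); do
    case "$arg" in
        root=*)      root="${arg#root=}" ;;
        rootflags=*) rootflags="ro,${arg#rootflags=}" ;;
    esac
done
[ -n "$root" ] || rescue "no root= on the kernel command line"

btrfs device scan || rescue "btrfs device scan failed"

# LABEL=/UUID= are resolved by the busybox findfs applet; /dev paths pass through.
case "$root" in
    LABEL=*|UUID=*) dev=$(findfs "$root") || rescue "cannot resolve $root" ;;
    *)              dev="$root" ;;
esac
mount -t btrfs -o "$rootflags" "$dev" /newroot || rescue "mount of $dev failed"
[ -x /newroot/sbin/init ] || rescue "/newroot has no /sbin/init"

umount /proc /sys /dev
exec switch_root /newroot /sbin/init
EOF
    chmod 755 "$1/init"
}

# shared_libs BIN: print the shared objects BIN needs, one per line, by
# parsing ldd output ("name => /path (addr)" and "/path (addr)" lines).
# Prints nothing for a static binary or when ldd is unavailable.
shared_libs() {
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }'
}

# parents PATH: emit a "dir" line for every ancestor directory of PATH.
# gen_init_cpio does not create missing parents, so each one must be listed.
parents() {
    p=${1%/*}
    while [ -n "$p" ]; do
        printf 'dir %s 755 0 0\n' "$p"
        p=${p%/*}
    done
}

# write_list DIR BIN...: emit DIR/initramfs_list in gen_init_cpio syntax
# (dir / nod / file lines). The C-locale sort puts every dir before the files
# inside it and parents before children, which is the order the kernel
# unpacker needs; sort -u removes duplicate dir lines.
write_list() {
    dir=$1; shift
    {
        printf 'dir /%s 755 0 0\n' bin sbin dev proc sys newroot
        printf 'nod /dev/console 600 0 0 c 5 1\nnod /dev/null 666 0 0 c 1 3\n'
        printf 'file /init %s/init 755 0 0\n' "$dir"
        for bin in "$@"; do
            for f in "$bin" $(shared_libs "$bin"); do
                parents "$f"
                printf 'file %s %s 755 0 0\n' "$f" "$f"
            done
        done
    } | LC_ALL=C sort -u > "$dir/initramfs_list"
}

if [ $# -gt 0 ]; then
    mkdir -p "$1"
    write_init "$1"
    write_list "$1" /bin/busybox /sbin/btrfs
    echo "wrote $1/init and $1/initramfs_list; set CONFIG_INITRAMFS_SOURCE=\"$1/initramfs_list\""
fi
```

Point CONFIG_INITRAMFS_SOURCE at the generated initramfs_list, rebuild and install the kernel, and boot with root=LABEL=gentoo-root on the GRUB command line. If btrfs-progs is not wanted inside the initramfs, the same multi-device registration can be done by the mount itself with rootflags=device=/dev/sda5,device=/dev/sdb5 (device= is a documented btrfs mount option), at the cost of going back to device names, which is exactly the reshuffling problem raised above.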
The_Great_Sephiroth
PostPosted: Mon Jul 18, 2016 12:50 am

I forgot to post back. I am good. I didn't need a lot of the info in your article. I am going to document my steps for future reference, but some of the stuff near the end, like copying files, is done if you do "make install". Makes it easier. Either way I am golden and our new server will be up soon.