Gentoo Forums
Smallest rational Gentoo image?
Gentoo Forums Forum Index » Installing Gentoo
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2549

Posted: Thu Dec 26, 2013 2:42 am    Post subject: Smallest rational Gentoo image?

Hi,

My normal system tends to be a desktop or a server with I don't care how many extra tools.

I'm contemplating a few minimal systems, and I'm curious as to how minimal it can get with a rational Gentoo system. The systems are for:

  1. KVM/Qemu host with RAID, LVM2.
  2. Internal router/switch with packet filtering. Internal means not exposed to the Internet directly. It will have physical and virtual NICs.
  3. Firewall (yes, separate from the router: A full blown external firewall with VPN endpoints)
So here are the main questions that come to mind:

  1. It seems to me that for these systems I don't need much more than a kernel, a logger, cron, bash and the software implicit in the task at hand. And maybe intrusion detection and such.
  2. For a router or firewall, I can see where it would be advantageous to NOT have a compiler. How hard is it to set up and then export a build without source and build tools for Gentoo?
  3. Would I be better off using a firewall/router distro in order to keep build tools off the security-oriented images?

1clue
Advocate
Joined: 05 Feb 2006
Posts: 2549

Posted: Thu Dec 26, 2013 3:13 am

Actually what comes to mind for these non-source images would be something like this:

The router and firewall are intended to be VMs.

Either have a "compiler" VM or have the KVM host compile, then mount the firewall's filesystems and install to it, across VMs so to speak.

As far as that goes, I thought to have the firewall and router VMs run in read-only mode for everything except logging anyway. Maybe a shared root?

666threesixes666
Veteran
Joined: 31 May 2011
Posts: 1248
Location: 42.68n 85.41w

Posted: Thu Dec 26, 2013 3:31 am

Easy: stage3, kernel compiled & installed, lilo/grub/syslinux... Use a full-on distro to manage it via sftp. I don't know about cutting out gcc; I'd say cutting gcc out is a bad idea, but your situation's a strange one with VMs and having a compile elsewhere very local to the machine.

1clue
Advocate
Joined: 05 Feb 2006
Posts: 2549

Posted: Thu Dec 26, 2013 4:23 am

I'm only considering cutting out build tools on the firewall and router. The premise is that you really don't want these devices to have a way to attack the internal network, should the router or firewall be cracked.

I'm pondering an LFS install. I've never attempted it before, and I'm trying to decide if it's overkill.

Maybe I should just get a firewall distro.

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2576

Posted: Thu Dec 26, 2013 5:25 am

You could always set up a special directory (/firewall or something) and use prefix to emerge everything you want there. Then you just have to tar it up into a stage 4 and install it wherever you want it. As long as you use a binhost, there is no reason why you couldn't cut out gcc and still use portage to update. You would just have to make sure the installs can download your packages.

If you don't want to include portage, the binary packages can be installed by untarring them to root, but then you don't get the emerge messages and run the risk of excessive human error bringing down your minimal system.
Signature: First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

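The workflow The Doctor sketches (emerge into a separate ROOT on a compile host, tar it as a stage 4, point the target at a binhost so portage keeps working without gcc), combined with 1clue's earlier idea of running the router and firewall VMs with a read-only root and a writable log partition, as an added example script. This is not code from the thread or from the Gentoo project. The ROOT path /firewall, the package list, the toolchain exclude list, the binhost URL and the /dev/vda* device names are all assumptions to adjust for your own profile and VM layout.

```shell
#!/bin/sh
# Added example (not from the thread): build a gcc-free Gentoo ROOT such as
# /firewall on a compile host from binary packages, pack it as a stage 4, and
# leave the target configured so portage still updates from the build host's
# binhost. ROOT path, package list, binhost URL and device names are assumed.
set -e

BINHOST_URL=${BINHOST_URL:-http://buildhost.lan/binpkgs}   # assumed; serve the host's PKGDIR here

# Assumed extras on top of @system: a logger, cron and the packet filter.
EXTRA_PKGS="app-admin/syslog-ng sys-process/cronie net-firewall/iptables"

# @system pulls in the toolchain; keep it off the target. Check this list
# against the profile you actually use (assumed to fit a plain amd64 profile).
TOOLCHAIN_EXCLUDES="sys-devel/gcc sys-devel/binutils sys-devel/make sys-devel/autoconf sys-devel/automake sys-devel/libtool sys-devel/m4 sys-devel/bison sys-devel/flex sys-devel/patch"

build_root() {   # $1 = ROOT; run as root on the compile host
    mkdir -p "$1"
    # --buildpkg keeps a binpkg of everything built, --usepkg reuses existing ones.
    # With ROOT != / portage installs only runtime deps into ROOT and satisfies
    # build-time deps on the host, so the compiler never lands in $1.
    emerge --root="$1" --buildpkg --usepkg --exclude="$TOOLCHAIN_EXCLUDES" \
        @system $EXTRA_PKGS
}

write_target_conf() {   # $1 = ROOT; the make.conf the target boots with
    mkdir -p "$1/etc/portage"
    cat > "$1/etc/portage/make.conf" <<EOF
# No compiler on this box: every emerge must come from the binhost, never from source.
PORTAGE_BINHOST="$BINHOST_URL"
FEATURES="getbinpkg"
EMERGE_DEFAULT_OPTS="--usepkgonly"
PKGDIR="/var/cache/binpkgs"
EOF
}

write_readonly_fstab() {   # $1 = ROOT; root read-only, only /var/log writable
    mkdir -p "$1/etc"
    cat > "$1/etc/fstab" <<EOF
# Assumed device names for a VM. Remount / rw only while applying an update.
/dev/vda1  /         ext4   ro,noatime                          0 1
/dev/vda2  /var/log  ext4   rw,noatime,nosuid,nodev,noexec      0 2
tmpfs      /tmp      tmpfs  rw,nosuid,nodev,noexec,size=64m     0 0
EOF
}

verify_no_toolchain() {   # $1 = ROOT; fails if a compiler/linker/make binary survived
    found=0
    for tool in gcc cc g++ c++ cpp ld as make; do
        for dir in bin usr/bin usr/local/bin; do
            if [ -e "$1/$dir/$tool" ]; then
                echo "toolchain binary present: $1/$dir/$tool" >&2
                found=1
            fi
        done
    done
    return $found
}

pack_stage4() {   # $1 = ROOT, $2 = output tarball
    tar --numeric-owner -cpJf "$2" -C "$1" .
}

case "${1:-}" in
    build)
        root=${2:-/firewall}
        build_root "$root"
        write_target_conf "$root"
        write_readonly_fstab "$root"
        verify_no_toolchain "$root"   # set -e aborts the packing step if anything slipped through
        pack_stage4 "$root" "${3:-/tmp/firewall-stage4.tar.xz}"
        ;;
esac
```

Run it as root on the compile host as `sh build-firewall.sh build /firewall /srv/stage4/firewall.tar.xz`, then serve the host's PKGDIR over HTTP at the assumed BINHOST_URL. On the target, `emerge -uDN @world` will then only ever fetch and unpack binpkgs; if a package is missing from the binhost, emerge refuses rather than falling back to compiling, which is the behaviour you want on a box with no compiler. The check in verify_no_toolchain is deliberately blunt (it looks for binaries, not package records), so it also catches anything a runtime dependency dragged in despite the exclude list.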
1clue
Advocate
Joined: 05 Feb 2006
Posts: 2549

Posted: Thu Dec 26, 2013 3:07 pm

Good ideas regarding directories, and good point about portage. Human error always gets you at some point.

I might just need to shoot the engineer and start building something.

Or maybe pfSense for the firewall/router images. They certainly know more about it than I do.

Thanks.

jamapii
Guru
Joined: 16 Sep 2004
Posts: 559

Posted: Thu Feb 06, 2014 11:28 am

I think removing build tools from gentoo is too much effort for too little gain.

I prefer a distribution with tools that actually manage packages, i.e. unlike LFS. A security-minded distro should probably have a reasonable way to install/update something even if there is no official update yet, and keep the package database updated.

All times are GMT