Marc's Linux-Wiki (Gentoo, Debian) linux:gentoo-spezifisch

linux:gentoo-spezifisch:encrypted_home_partition_using_luks_pam_mount_and_lvm

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:21 +0000

@@ -1 +1,73 @@
+ ====== Encrypted /home partition using LUKS, pam_mount and LVM ======
  
+ In preparation for yet another cross continent travel plan I finally decided to encrypt my home partition on myX61s laptop. I had to mess a bit with the pam_mount configuration file to make it work so I thought I would share my notes. In the following I will briefly describe how I'm going to use a password protected key stored on an external media to encrypt my home partition. I'll use the same password used for Xorg login to protect the key. So when you get asked to type in a password in the following examples use your normal user password and we'll use pam_mount to pass the password to LUKS once you log in.
+ 
+ First start out by preparing a key:
+ 
+ KEY=`tr -cd [:graph:] < /dev/urandom | head -c 79`
+ echo $KEY | openssl aes-256-ecb > verysekrit.key
+ 
+ Then create an LVM volume for the home directory and subsitute home with what you like to name the logical volume:
+ 
+ lvcreate -L30G -nhome vg
+ 
+ Then we initialize the volume with our secret key and LUKS:
+ 
+ openssl aes-256-ecb -d -in verysekrit.key | cryptsetup -v --cipher aes-cbc-plain --key-size 256 luksFormat /dev/vg/home
+ 
+ Now lets test that we can open the encrypted volume and format it:
+ 
+ openssl aes-256-ecb -d -in verysekrit.key | cryptsetup luksOpen /dev/vg/home myh_crypt
+ mkfs.ext3 /dev/mapper/myh_crypt
+ 
+ You can not mount it and sync over your old home like this:
+ 
+ mount /dev/mapper/myh_crypt /mnt/gentoo
+ rsync -va /home/username/* /mnt/gentoo/
+ 
+ Once everything is synced over we'll close the LUKS volume again:
+ 
+ cryptsetup luksClose myh_crypt
+ 
+ Now unmask and emerge pam_mount:
+ 
+ echo "sys-auth/pam_mount" >> /etc/portage/package.keywords
+ emerge -v pam_mount
+ 
+ Now configure pam_mount to first mount the SD card (/dev/mmcblo0p1) and then use the key to unlock the home partition by editing /etc/security/pam_mount.conf.xml. Note that if you store your secret key somewhere else the first volume statement may be omitted.
+ 
+ <volume user="username"
+ path="/dev/mmcblk0p1"
+ mountpoint="/mnt/mmc"
+ fstype="auto" />
+ 
+ <volume user="username"
+ path="/dev/mapper/vg-username"
+ mountpoint="/home/username"
+ fstype="crypt"
+ options="data=journal,commit=15"
+ cipher="aes-cbc-plain"
+ fskeypath="/mnt/mmc/verysekrit.key"
+ fskeycipher="aes-256-ecb"
+ fskeyhash="md5" />
+ 
+ Then configure PAM to use pam_mount by editing /etc/pam.d/system-auth. Add pam_mount to the auth section like this:
+ 
+ auth required pam_env.so
+ auth optional pam_mount.so
+ auth required pam_unix.so try_first_pass likeauth nullok
+ 
+ And to the sessions section like this:
+ 
+ session required pam_limits.so
+ session required pam_env.so
+ session required pam_unix.so
+ session optional pam_permit.so
+ session optional pam_mount.so
+ 
+ References:
+ 
+ http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick
+ http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
+ http://en.gentoo-wiki.com/wiki/Root_on_LVM_or_EVMS_over_dm-crypt/LUKS
+ http://blog.infion.de/archives/2007/05/15/Full-disk-encryption-with-LUKS-on-new-notebook/

linux:gentoo-spezifisch:gcc

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:21 +0000

@@ -96,37 +96,5 @@
    LDFLAGS="-Wl,-flto"
  
  ===== 4. Aktuelles =====
  
- ====  4.1 GCC 4.6====
- 
- === 4.1.1 Allgemeines ===
- 
-   * graphite ist insofern "buggy", als dass sich bei eingeschalteter graphite-Unterstützung des toolchains keine (oder kaum) Pakte mehr mit der alten Version 4.5 kompilieren lassen. Solange diese als "Backup-Lösung" genutzt werden soll, dürfen //während// ihrer Nutzung die entsprechenden CFLAGS nicht aktiviert sein.
- 
- === 4.1.2 Spezielle Pakete ===
- 
- Auf meinem ~amd64-System (Portagetree vom 29.06.2011, overlays: toolchain, gcc-porting, x11, gnome, keruspe)...
- 
- ... **nicht kompilierbare** Pakete:
- 
-   * verifiziert
-     * <del>app-office/libreoffice-3.3.2</del>
-       * Patch aus Bugzilla
-     * <del>net-libs/xulrunner</del>
-       * gcc-porting-overlay hat Patches!
-     * <net-analyzer/wireshark-1.6.0_rc1
-       * unmask 1.6.0_rc1
- 
- 
- \\
- ... **fehlerhaft kompilierte** Pakete:
- 
-   * verifiziert
-     * <del>app-portage/eix-0.22.8:</del>
-       * <del>Speicherzugriffsfehler</del>
-       * Workaround: USE="-strong-optimization"
-     * 
- 
-   * unverifiziert
-     *

linux:gentoo-spezifisch:gentoolkit

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:20 +0000

@@ -1 +1,15 @@
+ ====== Gentoolkit ======
+ 
+ Collection of administration scripts for Gentoo
+ 
+ 
+  * Löschen von nicht mehr benötigten Quellcodearchiven:
+ 
+   # eclean-dist -d
+ 
+  * Löschen von nicht mehr benötigten Binärpaketen:
+ 
+   # eclean-pkg -d
+ 
+

linux:gentoo-spezifisch:howto_fly

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:20 +0000

@@ -1 +1,29 @@
+ ====== Flying withGentoo ======
  
+ /etc/init.d/localmount 
+ 
+ change: Code:
+   mount -at nocoda,nonfs,noproc,noncpfs,nosmbfs,noshm >/dev/null
+ 
+ for: Code:
+   mount -aFt nocoda,nonfs,noproc,noncpfs,nosmbfs,noshm >/dev/null
+  
+ 
+ 
+ /etc/conf.d/rc 
+ 
+ change: Code:
+   RC_PARALLEL_STARTUP="no"
+ 
+ 
+ for: Code:
+   RC_PARALLEL_STARTUP="yes" 
+  
+ 
+ 
+ /etc/sysctl.conf Code:
+   vm.swappiness = 40
+ 
+ 
+ This value can be between 0 and 100. Close to 0 will mean that the kernel should empty some ram, and a higher value close to 100 will tell the kernel to use the swap memory more often. 
+ The default value is 60. I set this to 25 in my laptop, so that i can reduce the disk access. You can use ´free -m´ to see the stats of your memory useage.

linux:gentoo-spezifisch:krempel

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:21 +0000

@@ -1,10 +1,6 @@
  ====== Krempel / ToDo ======
  
- 
-   * Write-Cache ausschalten
- 
-   hdparm -W0 /dev/sda
  
    * Binärpakete des Systems erstellen
  
    equery -q list '*' |awk '{printf "="; print $0}'|xargs quickpkg --include-config=y

linux:gentoo-spezifisch:make.conf

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:33:20 +0000

@@ -59,16 +59,12 @@
  ###################################################################
  ## CFLAGS ########################################################
  ###################################################################
  # really safe:
- #CFLAGS="-O2 -march=native -pipe"
+ # CFLAGS="-O2 -march=native -pipe"
+ # -ftree-vectorize -ftree-loop-linear
  
- # AFAIK the short-and-sweet versions:
- #add to USE "graphite", add to CFLAGS "-floop-interchange -floop-strip-mine -floop-block"
- 
- CFLAGS="-O2 -march=native -pipe
- -floop-interchange -floop-strip-mine -floop-block
- -ftree-vectorize -ftree-loop-linear"
+ CFLAGS="-O2 -march=native -pipe -floop-interchange -floop-strip-mine -floop-block"
  
  CXXFLAGS="${CFLAGS}"
  
  ###################################################################
@@ -80,33 +76,35 @@
  
  # These are the USE flags that were used in addition to what is provided by the
  # profile used for building.
  USE="64bit X a52 ace acpi additions alsa bash-completion blksha1 cleartype \
-      clutter consolekit corefonts css dbus device-mapper drm dvd exif \
-      fastbuild fastcgi fat ffmpeg fuse gallium gd gdu gnome gphoto2 graphite \
-      gstreamer gtk gtk3 id3tag introspection jpeg jpeg2k lame laptop libffi \
-      libnotify lto matroska mdns-bundled mmx mp3 mpeg mpeg2 nautilus \
-      networkmanager nntp nsplugin ntfs opengl optimized-qmake pdf pidgin png \
-      policykit pulseaudio quicktime rar real scsi slideshow smp sse sse2 \
-      sse3 svg symlink system-cxx-headers system-sqlite theora threads \
-      truetype twolame type3 udev usb vcd video wicd wma wmf x264 xv xvid \
-      -3dnow -3dnowext -abiword -accessibility -aim -avahi -bluetooth -bonobo \
-      -debug -doc -eds -gecko-mediaplayer -gnome-keyring -guile -ieee1394 \
-      -ipod -ipv6 -joystick -kde -lcms -lirc -mercurial -msn -oss -pm-utils \
-      -qt-bundled -qt3support -qt4 -reiser4 -reiserfs -samba -tcl -totem -v4l \
-      -v4l2 -webdav -webdav-neon -webdav-serf -webkit -xfs -xinerama"
+      consolekit corefonts css dbus device-mapper drm dvd exif fastbuild \
+      fastcgi fat ffmpeg fuse gallium gd gdu gnome gphoto2 graphite gstreamer \
+      gtk gtk3 id3tag introspection jpeg jpeg2k lame laptop libnotify \
+      matroska mdns-bundled mmx mp3 mp4 mpeg mpeg2 nautilus networkmanager \
+      nntp nsplugin ntfs opengl optimization optimized-qmake pdf pidgin png \
+      policykit pulseaudio python3 quicktime rar real scsi slideshow smp sse \
+      sse2 sse3 strong-optimization svg symlink system-cxx-headers \
+      system-sqlite theora threads truetype twolame type3 udev usb v4l v4l2 \
+      vcd video vorbis wicd wma wmf x264 xv xvid -3dnow -3dnowext -abiword \
+      -accessibility -aim -avahi -bluetooth -bonobo -debug -doc -eds \
+      -gecko-mediaplayer -guile -ieee1394 -ipod -ipv6 -joystick -kde -lcms \
+      -lirc -mercurial -msn -oss -pm-utils -python2 -qt-bundled -qt3support \
+      -qt4 -reiser4 -reiserfs -samba -tcl -totem -webdav -webdav-neon \
+      -webdav-serf -webkit -xfs -xinerama -xscreensaver"
  
  ###################################################################
- MAKEOPTS="-j5"
- EMERGE_DEFAULT_OPTS="--keep-going --jobs=5"
+ #MAKEOPTS="-j1"
+ MAKEOPTS="-j3"
+ EMERGE_DEFAULT_OPTS="--keep-going --jobs=4"
  
  #GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo "
  GENTOO_MIRRORS="ftp://de-mirror.org/distro/gentoo "
  #GENTOO_MIRRORS="http://distfiles.gentoo.org "
  
  SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
  
- PORTAGE_NICENESS=15
+ PORTAGE_NICENESS=19
  
  #FEATURES="parallel-fetch fail-clean"
  FEATURES="sandbox parallel-fetch fail-clean buildpkg"
  DISTDIR="/Daten/.distfiles"
@@ -127,10 +125,10 @@
  LINGUAS="de"
  
  ACCEPT_KEYWORDS="~amd64"
  
- ACCEPT_LICENSE="PUEL dlj-1.1 googleearth AdobeFlash-10.1"
+ ACCEPT_LICENSE="PUEL dlj-1.1 googleearth AdobeFlash-10.1 google-talkplugin skype-eula"
  
  I_PROMISE_TO_SUPPLY_PATCHES_WITH_BUGS=1
  
  CLOCK="local"
  </file>

linux:gentoo-spezifisch:microcode

anonymous@undisclosed.example.com (Anonymous) — Thu, 05 May 2016 19:36:30 +0000

@@ -1,6 +1,13 @@
  ====== Microcode ======
  
  
  https://wiki.gentoo.org/wiki/Intel_microcode#Early_Microcode
+ 
+ 
+ Microcode generieren:
+ 
+   iucode_tool -S --write-earlyfw=/boot/early-ucode.cpio /lib/firmware/intel-ucode/*
+ 
+ Microcode zum initrd hinzufügen:
  
    cat ucode.cpio /boot/initrd-3.5.0.img > /boot/initrd-3.5.0.ucode.img

linux:gentoo-spezifisch:patch

anonymous@undisclosed.example.com (Anonymous) — Sat, 23 Nov 2019 16:32:28 +0000

@@ -1 +1,6 @@
+ ====== user-patches außerhalb portage-tree ======
  
+ Patches für Pakete können an folgenden Orten außerhalb des portage-trees abgelegt zur Anwendung gebracht werden (user-patches:
+ 
+   /etc/portage/patches/dev-qt/qtwayland/
+   /etc/portage/patches/dev-qt/qtwayland-5.13.2-r1/

linux:gentoo-spezifisch:tmpfs

anonymous@undisclosed.example.com (Anonymous) — Wed, 13 Nov 2019 18:37:29 +0000

@@ -18,9 +18,9 @@
  ==== tmpfs aktivieren ====
  
  <file - /etc/fstab>
  # portage:
- tmpfs /var/tmp/portage tmpfs rw,nosuid,noatime,nodev,size=4G,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 0 0
+ tmpfs		/var/tmp/portage		tmpfs	size=4G,uid=portage,gid=portage,mode=775,noatime	0 0
  </file>
  
  ==== per-package-handling ====