Debian/Ubuntu setup etckeeper

apt-get install git etckeeper
sed -i 's/#VCS="git"/VCS="git"/' /etc/etckeeper/etckeeper.conf
sed -i 's/VCS="bzr"/#VCS="bzr"/' /etc/etckeeper/etckeeper.conf
sed -i 's/PUSH_REMOTE=""/PUSH_REMOTE="origin"/' /etc/etckeeper/etckeeper.conf

cat <<EOF > /etc/etckeeper/post-install.d/99git-gc
#!/usr/bin/env sh
exec git gc
EOF

chmod +x /etc/etckeeper/post-install.d/99git-gc

cat <<EOF > ~/.ssh/config
Host etckeeper
IdentityFile /etc/ssl/private/etckeeper.key
EOF

cat <<EOF > /etc/ssl/private/etckeeper.key
*PRIVATE KEY CONTENTS*
EOF

chmod 600 /etc/ssl/private/etckeeper.key

cd /etc/
etckeeper init
git remote add origin git@etckeeper:*REPO/PATH*.git
etckeeper commit Initial
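
As an added check that is not part of the original notes: etckeeper stages everything under /etc that /etc/.gitignore does not exclude, and with PUSH_REMOTE="origin" every commit is pushed, so the key written to /etc/ssl/private/etckeeper.key would itself end up in the remote repository unless it is excluded first. The script below is my own code (the function names and the scratch directory it builds are mine); it verifies the key's mode and its .gitignore entry and is meant to run after etckeeper init and before the first etckeeper commit.

```shell
#!/bin/sh
# Added example, not from the original notes. The /etc directory is passed as
# an argument so the checks can be exercised against a scratch copy.

# key_is_private FILE: succeeds only when FILE is a regular file with mode 0600.
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# path_is_ignored ETCDIR RELPATH: succeeds when RELPATH is listed verbatim in
# ETCDIR/.gitignore (etckeeper init creates that file).
path_is_ignored() {
    grep -qxF "$2" "$1/.gitignore" 2>/dev/null
}

# ensure_ignored ETCDIR RELPATH: appends RELPATH to .gitignore if it is missing.
ensure_ignored() {
    path_is_ignored "$1" "$2" || printf '%s\n' "$2" >> "$1/.gitignore"
}

# precommit_check ETCDIR: runs both checks for the etckeeper key; status 1 on any failure.
precommit_check() {
    key="$1/ssl/private/etckeeper.key"
    rc=0
    if key_is_private "$key"; then
        echo "ok: $key is mode 0600"
    else
        echo "FAIL: $key must be a regular file with mode 0600"; rc=1
    fi
    if path_is_ignored "$1" "ssl/private/etckeeper.key"; then
        echo "ok: key is excluded from the repository"
    else
        echo "FAIL: key is not in $1/.gitignore and would be committed and pushed"; rc=1
    fi
    return $rc
}

# Demo on a constructed scratch tree; it never touches the real /etc.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/ssl/private"
    : > "$scratch/.gitignore"   # stands in for the file etckeeper init creates
    printf 'CONSTRUCTED PLACEHOLDER, NOT A KEY\n' > "$scratch/ssl/private/etckeeper.key"
    chmod 600 "$scratch/ssl/private/etckeeper.key"
    precommit_check "$scratch" || true     # reports the missing ignore rule
    ensure_ignored "$scratch" "ssl/private/etckeeper.key"
    precommit_check "$scratch"             # now passes
    rm -rf "$scratch"
}

demo
```

Call precommit_check /etc as root between etckeeper init and etckeeper commit Initial. The exclusion only keeps the key out of future commits; the repository still holds the rest of /etc (including /etc/shadow), so the remote it is pushed to needs the same protection as the host.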

Enable SNMP in vSphere ESX 6

First, make sure you have enabled SSH access to your ESXi node.
You can do that in Configuration > Security Profile > Services > SSH.

When SSH is enabled, log in to your server with ssh root@esxi-address and type the following commands to enable an SNMP community named myc0mmun1ty with your own location and contact.

esxcli system snmp set -r
esxcli system snmp set -c myc0mmun1ty
esxcli system snmp set -p 161
esxcli system snmp set -L "Stockholm, Sweden"
esxcli system snmp set -C "*CONTACT*"
esxcli system snmp set -e yes

All done! Now add your host to your favourite SNMP-powered monitoring tool (e.g. LibreNMS).

Installing Gentoo with GRUB2, GPT, LUKS and software raid (mdraid/mdadm)

So for various reasons I wanted to install Gentoo utilizing full disk encryption with LUKS (except for /boot, of course), mdraid, GPT and GRUB2.

I’m mostly writing this for myself as copy/paste kind of notes, but posting it in case anyone else is looking to do the same kind of installation too, and maybe this will save you some time.

These notes assume you’ve done your fair share of Gentoo installations, although as almost everything is copy/paste you could probably survive anyway.

Begin by downloading a Gentoo install cd (install-amd64-minimal-20130509.iso used at the time of writing) and boot it up.

Configure the network and power up ssh.

ifconfig enp1s0f0 netmask
route add default gw
echo "nameserver" >> /etc/resolv.conf
passwd root
/etc/init.d/sshd start

Prepare the partitions. I'm going to create a small 2MB partition at the beginning for GRUB2 to reside on, ~94MB for /boot, ~2GB swap, ~2GB /tmp and the rest for /.

parted -a opt /dev/sda
mklabel gpt
mkpart primary ext2 1 2mb
mkpart primary ext2 2mb 96mb
mkpart primary ext2 96mb 2144mb
mkpart primary ext2 2144mb 4192mb
mkpart primary ext2 4192mb -1s (just answer Y when prompted)
name 1 grub
name 2 boot
name 3 swap
name 4 tmp
name 5 root
set 1 bios_grub on
set 2 raid on
set 3 raid on
set 4 raid on
set 5 raid on

Make sure you create identical partitions on the second drive.
parted -a opt /dev/sdb

Now let's create the RAID arrays. Setting --name lets us skip the need for an mdadm.conf later on, which I find much smoother.
We can also use the 1.2 metadata version on all arrays (including root) without problems, as we're going to use GRUB2.

mdadm --create --name=server:boot --verbose /dev/md1 --level=1 --raid-devices=2 /dev/sda2 /dev/sdb2
mdadm --create --name=server:swap --verbose /dev/md2 --level=1 --raid-devices=2 /dev/sda3 /dev/sdb3
mdadm --create --name=server:tmp --verbose /dev/md3 --level=1 --raid-devices=2 /dev/sda4 /dev/sdb4
mdadm --create --name=server:root --verbose /dev/md4 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5

Encrypt and open root.

cryptsetup --verify-passphrase luksFormat -c aes-xts-plain64 /dev/md4
cryptsetup luksOpen /dev/md4 root

Mount swap, and format /boot and /. If you're concerned about an unencrypted swap during the installation, skip that part 🙂
mkswap /dev/md2 && swapon /dev/md2
mkfs.ext2 /dev/md1
mkfs.xfs /dev/mapper/root

Some of the usual Gentoo installation steps.
mount /dev/mapper/root /mnt/gentoo
cd /mnt/gentoo/
mkdir boot
mount /dev/md1 /mnt/gentoo/boot

Get desired stage3 from

tar xvjpf stage3-*.tar.bz2
rm -v stage3-*.tar.bz2

Initialize the portage tree.
tar xvjf /mnt/gentoo/portage-latest.tar.bz2 -C /mnt/gentoo/usr
rm -v portage-latest.tar.bz2

For GRUB2, add the following to make.conf, and also add some mirrors.

echo 'GRUB_PLATFORMS="pc"' >> /mnt/gentoo/etc/portage/make.conf
mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf

More of the usual Gentoo steps.
cp -L /etc/resolv.conf /mnt/gentoo/etc/
cd /
mount -t proc none /mnt/gentoo/proc && mount --rbind /sys /mnt/gentoo/sys && mount --rbind /dev /mnt/gentoo/dev
chroot /mnt/gentoo /bin/bash
env-update && source /etc/profile && export PS1="(chroot) $PS1"
emerge --sync
eselect profile list

Generate some locales and configure UTF-8.
nano -w /etc/locale.gen
en_US.UTF-8 UTF-8
en_US ISO-8859-1
sv_SE.UTF-8 UTF-8
sv_SE ISO-8859-1


nano -w /etc/env.d/02locale

Set your timezone.

cp /usr/share/zoneinfo/Etc/UTC /etc/localtime
echo "Etc/UTC" > /etc/timezone

Time for the kernel.

emerge hardened-sources
cd /usr/src/linux
make menuconfig

These are some essential options for our setup (enable AES-NI if your CPU supports it).

Device Drivers --->
    Generic Driver Options --->
        [*] Maintain a devtmpfs filesystem to mount at /dev
    [*] Multiple devices driver support (RAID and LVM) --->
        <*> RAID support
        [ ] Autodetect RAID arrays during kernel boot
        <*> RAID-1 (mirroring) mode
        <*> Device mapper support
        <*> Crypt target support

-*- Cryptographic API --->
    -*- XTS support
    <*> AES cipher algorithms (AES-NI)
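
An added check for the kernel step, not part of the original notes: a script that reads a .config and confirms the options above are built in. The Kconfig symbol names are my mapping of the menu entries (for instance "Crypt target support" is CONFIG_DM_CRYPT), and CONFIG_XFS_FS is my own addition because / is formatted as xfs. Everything has to be =y rather than =m, since the initramfs is built later with --no-ramdisk-modules and therefore carries no modules.

```shell
#!/bin/sh
# Added example, not from the original notes: verify a kernel .config against
# the options the menuconfig walk-through turns on. Symbol names are my mapping
# of the menu entries; CONFIG_XFS_FS is added on my own account (root is xfs).

REQUIRED_BUILTIN="
CONFIG_DEVTMPFS
CONFIG_MD
CONFIG_BLK_DEV_MD
CONFIG_MD_RAID1
CONFIG_BLK_DEV_DM
CONFIG_DM_CRYPT
CONFIG_CRYPTO_XTS
CONFIG_CRYPTO_AES_NI_INTEL
CONFIG_XFS_FS
"

# missing_kconfig FILE: prints one line per unsatisfied requirement; prints
# nothing when the config is acceptable.
missing_kconfig() {
    for sym in $REQUIRED_BUILTIN; do
        if grep -qxF "$sym=m" "$1"; then
            echo "$sym=m (module; will not be in the initramfs)"
        elif ! grep -qxF "$sym=y" "$1"; then
            echo "$sym unset"
        fi
    done
    # Autodetect only works with 0.90 metadata; the arrays use 1.2 and are
    # assembled by mdadm in the initramfs (domdadm), so it must stay off.
    if grep -qxF "CONFIG_MD_AUTODETECT=y" "$1"; then
        echo "CONFIG_MD_AUTODETECT=y (should be off)"
    fi
}

# check_kconfig FILE: status 0 when nothing is missing, 1 otherwise (report on stdout).
check_kconfig() {
    out=$(missing_kconfig "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on a constructed .config fragment: dm-crypt built as a module, XTS missing.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_DEVTMPFS=y
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
# CONFIG_MD_AUTODETECT is not set
CONFIG_MD_RAID1=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES_NI_INTEL=y
CONFIG_XFS_FS=y
EOF
    check_kconfig "$cfg" || echo "kernel config needs another round of menuconfig"
    rm -f "$cfg"
}

demo
```

Point it at /usr/src/linux/.config after make menuconfig; a non-empty report means another pass through menuconfig before make.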

make && make modules_install
cp arch/x86_64/boot/bzImage /boot/vmlinuz-3.8.6-hardened

Run blkid to get the UUID; we need the one for /boot, which should be /dev/md1.

nano -w /etc/fstab
UUID=xxxxxxxxxxxxxxxxx /boot ext2 noauto,noatime 1 2
/dev/mapper/root / xfs relatime 0 1
/dev/mapper/cryptswap none swap sw 0 0
/dev/mapper/crypttmp /tmp xfs relatime,nodev,nosuid,noexec 0 0

More usual Gentoo yaddayadda

nano -w /etc/conf.d/hostname

nano -w /etc/hosts server localhost
::1 server localhost

hostname server
hostname -f

Configure the network.
nano -w /etc/conf.d/net

routes_enp1s0f0="default via"

Set the new root password.
Change keymap if you need to.
nano -w /etc/conf.d/keymaps

We want quite a few packages built with static-libs for our initrd to work.
nano -w /etc/portage/package.use
dev-libs/libgcrypt static-libs
dev-libs/libgpg-error static-libs
dev-libs/popt static-libs
sys-apps/util-linux static-libs
sys-fs/cryptsetup static static-libs udev
sys-fs/lvm2 static-libs
sys-fs/mdadm static
sys-fs/udev static-libs
sys-kernel/genkernel cryptsetup
sys-libs/e2fsprogs-libs static-libs
virtual/udev static-libs

And we absolutely want to use the newest GRUB.
nano -w /etc/portage/package.keywords
sys-boot/grub ~amd64

Emerge some essential packages.

emerge xfsprogs postfix syslog-ng vixie-cron logrotate
emerge mdadm
emerge cryptsetup

emerge linux-firmware

Make sure things start at boot.
cd /etc/init.d/ && ln -s net.lo net.enp1s0f0
rc-update add net.enp1s0f0 default
rc-update add sshd default
rc-update add postfix default
rc-update add syslog-ng default
rc-update add vixie-cron default
rc-update add dmcrypt boot

Configure dmcrypt to encrypt swap and /tmp with one-time keys on each boot (pre_mount ref.
nano -w /etc/conf.d/dmcrypt
## swap
target=cryptswap
source='/dev/md/server:swap'
options='-c aes-xts-plain -h sha1 -d /dev/urandom'
pre_mount='mkswap -f ${dev}'

## /tmp
target=crypttmp
source='/dev/md/server:tmp'
options='-c aes-xts-plain -h sha1 -d /dev/urandom'
pre_mount='mkfs.xfs ${dev}'
post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'

Almost done: emerge genkernel and create our initrd.
emerge genkernel
genkernel --install --luks --mdadm --no-ramdisk-modules initramfs

Emerge and configure GRUB.
emerge grub
nano -w /etc/default/grub
GRUB_CMDLINE_LINUX="domdadm rootfstype=xfs crypt_root=/dev/md/server:root"

Install GRUB on all devices and generate the config.

grub2-install /dev/sda
grub2-install /dev/sdb
grub2-mkconfig -o /boot/grub2/grub.cfg

That’s it, all done!
umount -l /mnt/gentoo/dev{/shm,/pts,}
umount -l /mnt/gentoo{/boot,/proc,/sys,}