Re: [gentoo-user] The Project Begins!

2016-03-28 Thread Michael Orlitzky
On 03/27/2016 01:10 AM, Hunter Jozwiak wrote:
> 
> Okay. Thanks for that information. Is there a more descriptive version of
> the twenty USE flags I should use for Apache, because the index is rather
> vague. I pulled up the wiki page, clicked on a link that was attached to one
> of the USE flags, which in turn opened up another three hundred plus USE
> opportunities.
> 
> 

The APACHE2_MODULES flags all correspond to a module on this list:

  https://httpd.apache.org/docs/2.4/mod/

The best way to figure out what each one does is to click the link and
see what directives it provides.




Re: [gentoo-user] The Project Begins!

2016-03-27 Thread Sam Jorna
On 27/03/16 16:10, Hunter Jozwiak wrote:
> Okay. Thanks for that information. Is there a more descriptive version of
> the twenty USE flags I should use for Apache, because the index is rather
> vague. I pulled up the wiki page, clicked on a link that was attached to one
> of the USE flags, which in turn opened up another three hundred plus USE
> opportunities.

Depends on what you mean by the index.

`equery uses www-servers/apache` (from app-portage/gentoolkit) provides
a brief description of each flag, but beyond that the wiki and Google
(and/or the forums and IRC) are your friends.

You can also check out the gentoo-server mailing list[0].

0: https://www.gentoo.org/get-involved/mailing-lists/all-lists.html

Cheers;
-- 
Sam Jorna (wraeth) 
GnuPG Key: D6180C26





RE: [gentoo-user] The Project Begins!

2016-03-26 Thread Hunter Jozwiak


-Original Message-
From: Sam Jorna [mailto:wra...@gentoo.org] 
Sent: Saturday, March 26, 2016 22:12
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] The Project Begins!

On 27/03/16 12:51, 80x24 wrote:
> Hunter Jozwiak wrote:
>> Hello,
>>
>> I am going to now host my web site on a Gentoo server. Firstly, is 
>> there a recommended profile for this, or will the default amd64 
>> profile

It depends on your use-case and preference, but hardened is often a good
choice for something that will offer external services (as in over the
Internet).

>> suffice? Or would it be better to use a hardened profile for this task?
>> Secondly, does Linode offer the requisite information for things you 
>> MUST have while building a kernel?

The Linode configurations, last time I checked, were significantly out of
date (including their Gentoo deployment image). Depending on your level of
paranoia, it may be reasonable for you to boot your Linode using their
rescue environment and perform a stage-3 install that way.
Otherwise, you can simply deploy their Gentoo image and update/harden as
necessary.

As for kernel configuration, I don't recall seeing anything specifically,
however they do include their default kernel configuration in either
/boot/config* or /proc/config.gz, so you can use that as a base.

>> And finally, I am going to have
>> multiple servers. Is there a package that I can use to distribute my 
>> built kernels?

There isn't a package, however depending on how you configure the kernel,
you can either just copy the .config from one host or another, or the kernel
make program has options to build archives of the built kernel - see
`make help` for details.

>> Thanks, you guys are awesome, and keep up the good work,
>>
>> Hunter
>>
> As far as you know how to harden the security of your servers, the normal 
> profile will be good (though I still recommend hardened if you're 
> familiar with GRsecurity and other ``hardened'' stuff).
>
> If you go with the hardened version, you will also need to build 
> custom kernel and set kernel to pygrub in Linode profile settings 
> (which selects proper generic kernel by default). And yes you will 
> need a bootloader.

Hardened is not one be-all solution - you can use some hardened features and
not others. For example, you can convert to the hardened profile and do not
necessarily need to use hardened-sources. Similarly, if you *do* use
hardened-sources, you do not need to enable an RBAC (such as GRSecurity or
SELinux).

If you do use PaX in the kernel, though, you will need to also be on a
hardened profile to have binaries marked appropriately.

Cheers;
--
Sam Jorna (wraeth) 
GnuPG Key: D6180C26

Okay. Thanks for that information. Is there a more descriptive version of
the twenty USE flags I should use for Apache, because the index is rather
vague. I pulled up the wiki page, clicked on a link that was attached to one
of the USE flags, which in turn opened up another three hundred plus USE
opportunities.




Re: [gentoo-user] The Project Begins!

2016-03-26 Thread Sam Jorna
On 27/03/16 12:51, 80x24 wrote:
> Hunter Jozwiak wrote:
>> Hello,
>>
>> I am going to now host my web site on a Gentoo server. Firstly, is there
>> a recommended profile for this, or will the default amd64 profile

It depends on your use-case and preference, but hardened is often a good
choice for something that will offer external services (as in over the
Internet).

>> suffice? Or would it be better to use a hardened profile for this task?
>> Secondly, does Linode offer the requisite information for things you
>> MUST have while building a kernel?

The Linode configurations, last time I checked, were significantly out
of date (including their Gentoo deployment image). Depending on your
level of paranoia, it may be reasonable for you to boot your Linode
using their rescue environment and perform a stage-3 install that way.
Otherwise, you can simply deploy their Gentoo image and update/harden as
necessary.

As for kernel configuration, I don't recall seeing anything
specifically, however they do include their default kernel configuration
in either /boot/config* or /proc/config.gz, so you can use that as a base.

>> And finally, I am going to have
>> multiple servers. Is there a package that I can use to distribute my
>> built kernels?

There isn't a package, however depending on how you configure the
kernel, you can either just copy the .config from one host or another,
or the kernel make program has options to build archives of the built
kernel - see `make help` for details.

>> Thanks, you guys are awesome, and keep up the good work,
>>
>> Hunter
>>
> As far as you know how to harden the security of your servers, the normal
> profile will be good (though I still recommend hardened if you're
> familiar with GRsecurity and other ``hardened'' stuff).
>
> If you go with the hardened version, you will also need to build custom
> kernel and set kernel to pygrub in Linode profile settings (which
> selects proper generic kernel by default). And yes you will need a
> bootloader.

Hardened is not one be-all solution - you can use some hardened features
and not others. For example, you can convert to the hardened profile and
do not necessarily need to use hardened-sources. Similarly, if you *do*
use hardened-sources, you do not need to enable an RBAC (such as
GRSecurity or SELinux).

If you do use PaX in the kernel, though, you will need to also be on a
hardened profile to have binaries marked appropriately.

Cheers;
-- 
Sam Jorna (wraeth) 
GnuPG Key: D6180C26
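
As an added example (not part of the thread or written by its participants), one way to script the approach described above: seed the kernel tree from the provider's config, build an archive with one of the packaging targets listed by `make help`, and record checksums so each receiving server can verify what it was sent before installing it. The function names, the `SHA256SUMS` file name and the choice of `tarxz-pkg` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread; function names are illustrative.

# seed_config SRC [PROC_CFG] [BOOT_DIR]
# Write SRC/.config from the running kernel's config if it is exposed,
# otherwise from the newest BOOT_DIR/config* file.
seed_config() {
    src=$1; proc_cfg=${2:-/proc/config.gz}; boot_dir=${3:-/boot}
    if [ -r "$proc_cfg" ]; then
        gzip -dc "$proc_cfg" > "$src/.config"
        return $?
    fi
    newest=$(ls -t "$boot_dir"/config* 2>/dev/null | head -n 1)
    [ -n "$newest" ] && cp "$newest" "$src/.config"
}

# build_archive SRC
# Fill in options missing from the seeded config with their defaults,
# then build a tar.xz of the kernel and modules ("make help" lists the
# other *-pkg targets).
build_archive() {
    ( cd "$1" && make olddefconfig && make tarxz-pkg )
}

# write_manifest FILE...
# Record SHA-256 sums beside the artifacts on the build host.
# All files are assumed to live in the same directory.
write_manifest() {
    dir=$(dirname "$1")
    ( cd "$dir" && for f in "$@"; do
          sha256sum "$(basename "$f")"
      done > SHA256SUMS )
}

# verify_manifest DIR
# Run on each receiving server before unpacking or installing;
# returns non-zero if any file is missing or does not match.
verify_manifest() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}
```

Copy `SHA256SUMS` to the other hosts over a channel you trust (or sign it), since a manifest that travels beside a tampered archive can be replaced along with it.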





Re: [gentoo-user] The Project Begins!

2016-03-26 Thread 80x24

Hunter Jozwiak wrote:
> Hello,
>
> I am going to now host my web site on a Gentoo server. Firstly, is there
> a recommended profile for this, or will the default amd64 profile
> suffice? Or would it be better to use a hardened profile for this task?
> Secondly, does Linode offer the requisite information for things you
> MUST have while building a kernel? And finally, I am going to have
> multiple servers. Is there a package that I can use to distribute my
> built kernels?
>
> Thanks, you guys are awesome, and keep up the good work,
>
> Hunter

As far as you know how to harden the security of your servers, the normal 
profile will be good (though I still recommend hardened if you're 
familiar with GRsecurity and other ``hardened'' stuff).


If you go with the hardened version, you will also need to build custom 
kernel and set kernel to pygrub in Linode profile settings (which 
selects proper generic kernel by default). And yes you will need a 
bootloader.


You can find the kernel config option requirements on the Linode website[1].

I don't know any method to build a binary kernel package. Maybe others 
can help. I use to distribute it just by copying vmlinuz and initramfs 
(I built them without any CPU-specific optimization or ``host-only'' mode).


[1]: https://www.linode.com/docs/tools-reference/custom-kernels-distros/run-a-custom-compiled-kernel-with-pvgrub





[gentoo-user] The Project Begins!

2016-03-26 Thread Hunter Jozwiak
Hello,

 

I am going to now host my web site on a Gentoo server. Firstly, is there a
recommended profile for this, or will the default amd64 profile suffice? Or
would it be better to use a hardened profile for this task? Secondly, does
Linode offer the requisite information for things you MUST have while
building a kernel? And finally, I am going to have multiple servers. Is
there a package that I can use to distribute my built kernels?

 

Thanks, you guys are awesome, and keep up the good work,

 

Hunter