All posts by cdstealer

DNS/DHCP server

Generating an RNDC key.

The rndc tool is used to manage the named daemon.
We need to generate a key file, /etc/bind/rndc.key, which is referenced by both /etc/bind/rndc.conf and /etc/bind/named.conf.

To do this we use the following command:

# rndc-confgen -a -c /etc/bind/rndc.key

BIND (NAMED) /etc/bind/named.conf

IP addresses and host names have obviously been changed.. I'm not *THAT* stupid ;)

The config file

Forwarder file: /etc/bind/pri/forwarddns

The config file

Reverse zone: /etc/bind/pri/reversedns

The config file

Troubleshooting Bind

Depending on your connection/setup you may see the following in your log.

09-Feb-2011 11:19:14.234 edns-disabled: info: success resolving 'markmail.org/AAAA' (in 'org'?) after disabling EDNS

or

09-Feb-2011 11:18:38.986 edns-disabled: info: success resolving 'lists.isc.org/A' (in 'isc.org'?) after reducing the advertised EDNS UDP packet size to 512 octets

These on their own are harmless enough.. they just flood your log :)  They can be turned off by adding the following to your named.conf:

logging {
        category lame-servers { null; };
        category edns-disabled { null; };
};

Another issue I came across at the same time as above was that 95% of all my DNS requests were timing out. This, coincidentally, was when I upgraded my internet connection to a 30Mbit VirginMedia with "super hub". I found this was caused by the "IP flood protection" in the router settings. Disabling this solved the timeout issue and also stopped any edns errors flooding the logs.


You may receive one or both of the following lines in the BIND log.

pri/example.com.signed:10: signature has expired

To remedy this, run the following command (manual signing only):

cd /etc/bind/pri
dnssec-signzone -A -3 $(head -c 10 /dev/random | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com

OR

/var/bind/named.cache:2: signature has expired

To remedy this, run the following command:

/usr/bin/wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/root.zone -O /var/bind/named.cache
/usr/sbin/rndc reload
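
As an added example (not from the original post), the script below scans a dnssec-signzone output file such as example.com.signed for RRSIG records that have already expired or are about to, so the re-signing above can be done before validating resolvers start failing. The zone excerpt and the fixed "now" inside it are constructed; the base64 signatures are placeholders.

```python
"""Flag RRSIGs in a dnssec-signzone output file before they expire."""
import sys
from datetime import datetime, timedelta, timezone

# RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
TS_FMT = "%Y%m%d%H%M%S"

# Constructed excerpt in dnssec-signzone output style; signatures are placeholders.
SAMPLE_SIGNED_ZONE = """\
$TTL 3600
example.com.        3600    IN SOA  ns1.example.com. hostmaster.example.com. (
                    2015111501 ; serial
                    7200 3600 1209600 3600 )
                    3600    RRSIG   SOA 8 2 3600 (
                    20151215172130 20151115172130 12951 example.com.
                    c29hIHNpZ25hdHVyZQ== )
                    3600    NS      ns1.example.com.
                    3600    RRSIG   NS 8 2 3600 (
                    20151120000000 20151021000000 12951 example.com.
                    bnMgc2lnbmF0dXJl )
www.example.com.    3600    IN A    192.0.2.10
                    3600    RRSIG   A 8 3 3600 (
                    20151101000000 20151002000000 12951 example.com.
                    YSBzaWduYXR1cmU= )
"""
# Constructed reference time for the demo run.
SAMPLE_NOW = datetime(2015, 11, 16, 12, 0, tzinfo=timezone.utc)


def _records(text):
    """Yield (owner_omitted, tokens) per record, joining ( ... ) continuation lines.

    ';' starts a comment. Base64 signature data never contains '(' ')' or ';',
    so stripping them is safe.
    """
    buf, depth, owner_omitted = [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if owner_omitted is None:
            owner_omitted = line[0] in " \t"   # blank owner = same as previous record
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield owner_omitted, " ".join(buf).split()
            buf, depth, owner_omitted = [], 0, None


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG record found in the zone text."""
    sigs, owner = [], None
    for owner_omitted, tok in _records(zone_text):
        if not tok or tok[0].startswith("$"):
            continue                        # $TTL / $INCLUDE / $ORIGIN directives
        if not owner_omitted:
            owner, tok = tok[0], tok[1:]
        while tok and (tok[0].isdigit() or tok[0].upper() in ("IN", "CH", "HS")):
            tok = tok[1:]                   # optional TTL and class
        if len(tok) < 10 or tok[0].upper() != "RRSIG":
            continue
        # RRSIG RDATA: type_covered alg labels orig_ttl expiration inception key_tag signer sig
        sigs.append({
            "owner": owner,
            "type_covered": tok[1],
            "algorithm": int(tok[2]),
            "expiration": datetime.strptime(tok[5], TS_FMT).replace(tzinfo=timezone.utc),
            "inception": datetime.strptime(tok[6], TS_FMT).replace(tzinfo=timezone.utc),
            "key_tag": int(tok[7]),
            "signer": tok[8],
        })
    return sigs


def check_signatures(zone_text, now=None, warn_within=timedelta(days=7)):
    """Classify each RRSIG as expired, expiring, not-yet-valid or ok.

    Returns [(owner, type_covered, status), ...] in zone order.
    """
    now = now or datetime.now(timezone.utc)
    report = []
    for sig in parse_rrsigs(zone_text):
        if sig["expiration"] <= now:
            status = "expired"
        elif sig["expiration"] - now <= warn_within:
            status = "expiring"
        elif sig["inception"] > now:
            status = "not-yet-valid"
        else:
            status = "ok"
        report.append((sig["owner"], sig["type_covered"], status))
    return report


def demo_report():
    """Run the check over the constructed sample at the fixed sample time."""
    return check_signatures(SAMPLE_SIGNED_ZONE, now=SAMPLE_NOW)


if __name__ == "__main__":
    # Usage: python rrsig_check.py /etc/bind/pri/example.com.signed
    use_file = len(sys.argv) > 1
    text = open(sys.argv[1]).read() if use_file else SAMPLE_SIGNED_ZONE
    rows = check_signatures(text, now=None if use_file else SAMPLE_NOW)
    for owner, rtype, status in rows:
        print(f"{status:14s} {owner} {rtype}")
    # Non-zero exit when anything is expired, so cron or monitoring can alert.
    sys.exit(2 if any(s == "expired" for _, _, s in rows) else 0)
```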

CHROOT

If you are security conscious, you can "jail" the named process in a chroot: anyone who breaks into named is confined to the chrooted named directories only, and as these files are replaced when BIND restarts, it doesn't matter if they are damaged or compromised.

To set up a chroot environment, do the following.

1) Set up named as above so that everything is working.
2) Uncomment 'CHROOT="/chroot/dns"' in /etc/conf.d/named.
3) Execute emerge --config net-dns/bind.
4) Restart named.

You should get the following:

* Starting chrooted named ...
* Mounting chroot dirs
* mounting /etc/bind to /chroot/dns/etc/bind
* mounting /var/bind to /chroot/dns/var/bind
* mounting /var/log/named to /chroot/dns/var/log/named [ ok ]

DNSSEC

Automagically

In the "options" block of named.conf, make sure the lines below are present.

dnssec-enable yes;
dnssec-validation yes;
key-directory "/var/bind/pri";
inline-signing yes;

Further down where your zones are defined, you should have something like this.

zone "example.com" IN {
        type master;
        file "pri/example.com";
        notify yes;
        allow-update { key "rndc-key"; };
        inline-signing yes;
        auto-dnssec maintain;
};

Restart named and you should see the following files for each zone with inline-signing enabled:

example.com
example.com.jbk
example.com.jnl
example.com.signed
example.com.signed.jnl

The auto-signing way seems to be more reliable: using the manual method, named would randomly fail to find the private keys several times per day.

Manually

In /etc/bind/named.conf, ensure the following are present in the options block:

dnssec-enable yes;
dnssec-validation yes;
key-directory "/var/bind/pri";

Next cd to either /var/bind/pri or /etc/bind/pri.

Now we'll create a Zone Signing Key (ZSK):

dnssec-keygen -a RSASHA256 -b 2048 -n ZONE example.com

Note: You need to generate entropy or this will take hours. Start a big emerge or fire up a VM.

Next we'll create a Key Signing Key (KSK):

dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE example.com

Note: As above, you need to generate entropy or this will take hours. Start a big emerge or fire up a VM.

You should now have one KSK and one ZSK, each as a .key/.private pair of files:

Kexample.com.+008+00712.key
Kexample.com.+008+00712.private
Kexample.com.+008+12951.key
Kexample.com.+008+12951.private

Now add the key files to the bottom of the zone file, e.g.:

$INCLUDE Kexample.com.+008+00712.key
$INCLUDE Kexample.com.+008+12951.key

Now we need to sign the zone file:

dnssec-signzone -A -3 $(head -c 10 /dev/random | sha256sum | cut -b 1-16) -N INCREMENT -o example.com -t example.com

This creates a new file named example.com.signed which contains RRSIG records for each DNS record. We have to tell BIND to load this "signed" zone.
Open the BIND config file /etc/bind/named.conf and add the signed file to the zone block, e.g.:

zone "example.com" IN {
        type master;
        file "pri/example.com.signed";
        notify yes;
        allow-update { key "rndc-key"; };
        inline-signing yes;
};

That's it. Reload/restart bind and you should be golden ;)

If you're using a third-party DNS provider, you will need to add the DS record and the DNSSEC public key there.

There should be a dsset-example.com file in /var/bind/pri; cat it and you will see:

example.com. IN DS 8449 10 2 817AC0B85419C947608AAF54ED52F137137DA157F3B86C1B08509495 5E917C14

You may have several .key files; if you need to add another DS record, run:

dnssec-dsfromkey <Kexample.com....key>

Add the output to the dsset-example.com file and also the external nameserver provider.

Note: Remove the space from the digest field; it is one continuous hex string.

We also need to add the corresponding DNSSEC public key. To get it, cat the key file:

# cat /var/bind/keys/Kexample.com.+010+08449.key
; This is a key-signing key, keyid 8449, for example.com.
; Created: 20151115172130 (Mon Nov 15 17:21:30 2015)
; Publish: 20151115172130 (Mon Nov 15 17:21:30 2015)
; Activate: 20151115172130 (Mon Nov 15 17:21:30 2015)
example.com. IN DNSKEY 257 3 10 AwEAAdi4syP6xRyXjjGngSvFn51GR85AvWSqUCyST9CM6tJWEiRwEpTJ ....

Unfortunately this was unavailable with the provider I was with.
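
As an added example (not from the original post), the code below reproduces what dnssec-dsfromkey does: it derives the DS record from a DNSKEY as specified in RFC 4034 (key tag per appendix B, digest over owner name plus DNSKEY RDATA), and normalises the two-token digest that BIND prints into the single hex string a registrar expects, rejecting truncated copies. The DNSKEY bytes are constructed placeholders, not a real RSA key; the DS line is the one quoted above.

```python
"""Compute and normalise DS records for a DNSKEY (RFC 4034 section 5, appendix B)."""
import base64
import hashlib

# DS digest type -> (hash, hex length): 1 = SHA-1, 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: (hashlib.sha1, 40), 2: (hashlib.sha256, 64), 4: (hashlib.sha384, 96)}

# The DS line quoted in the post, with the digest wrapped over two tokens as BIND prints it.
PAGE_DS_LINE = ("example.com. IN DS 8449 10 2 "
                "817AC0B85419C947608AAF54ED52F137137DA157F3B86C1B08509495 5E917C14")

# Constructed DNSKEY material for the demo: flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256).
# The 20 key bytes are a placeholder, not a real RSA public key.
SAMPLE_KEY = bytes.fromhex("03010001") + bytes(range(16))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY).decode()


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 appendix B key tag (the number in the K<zone>.+<alg>+<tag> file name)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, key)):
        ac += b if i & 1 else b << 8        # sum of big-endian 16-bit words
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Presentation-format DS RR; digest = H(owner_wire || DNSKEY RDATA)."""
    make_hash, _ = DIGEST_TYPES[digest_type]
    key = base64.b64decode(key_b64)
    digest = make_hash(owner_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, key))
    tag = key_tag(flags, protocol, algorithm, key)
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest.hexdigest().upper()}"


def normalise_ds_line(line):
    """Join a wrapped digest into one token and check it against the digest type.

    Raises ValueError when the digest is not the right length or not hex, which
    catches a truncated copy-paste before it reaches the registrar.
    """
    tok = line.split()
    i = tok.index("DS")                     # owner [ttl] [IN] DS tag alg dtype digest...
    owner, tag, alg, dtype = tok[0], int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    digest = "".join(tok[i + 4:]).upper()
    want = DIGEST_TYPES[dtype][1]
    if len(digest) != want or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError(f"digest type {dtype} needs {want} hex chars, got {len(digest)}")
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


def is_valid_ds_line(line):
    """True when the line parses and its digest has the length its type requires."""
    try:
        normalise_ds_line(line)
        return True
    except (ValueError, IndexError, KeyError):
        return False


if __name__ == "__main__":
    print(normalise_ds_line(PAGE_DS_LINE))
    print(ds_from_dnskey("example.com.", 257, 3, 8, SAMPLE_KEY_B64))
```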

Testing

To verify that DNSSEC is used by the third-party nameservers, you can use this tool: https://dnssec-analyzer.verisignlabs.com/

You can also test your internal DNS by executing:

named-checkzone -D -f raw -o - example.com example.com.signed

This dumps the zone, showing the RRSIG signature records for each entry in the zone file.

# named-checkzone -D -f raw -o - cdstealer.com cdstealer.com.signed
zone cdstealer.com/IN: loaded serial 201421440 (DNSSEC signed)...

How to set up a DHCP server that updates the DNS records in BIND.

 

DHCP /etc/dhcp/dhcp.conf

The config file

Then add the following to the top of /etc/conf.d/named:

OPTIONS="-4"
ENABLE_ZONE_WRITE=yes

Now restart named & dhcpd. If you get any errors, check /var/log/messages and double check your work.

 

Email Server

Emerge exim, dovecot, spamassassin, clamav and of course all dependencies.

Now to configure them to work together.  First we'll configure Exim4.

The config file.

I strongly suggest reading the provided example in /etc/exim as everything is well commented.

To generate the certificate for ssmtp/smtps, use these commands:

openssl genrsa -out email.key 1024
openssl req -new -key email.key -out email.csr
openssl x509 -req -days 3650 -in email.csr -signkey email.key -out email.crt
chown mail: email.key
chmod 600 email.key
chmod 644 email.crt

Ensure these go somewhere safe and accessible to the application(s).

To set up server-side filtering (rules), include the file below in the user's home directory.

The config file

Again, there is a well-commented example with the install. [net-mail/dovecot-1.2*]

The config file

Upgrading Dovecot v1.2 to v2.0

A lot of settings have changed. Dovecot v2.0 can still use most of the v1.x configuration files, but it logs a lot of warnings at startup. A quick and easy way to convert your old config file to v2.0 format is:

doveconf -n -c dovecot-1.conf > dovecot-2.conf

This command logs a warning about each obsolete setting it converts to the new format. You can either go through the warnings to figure out what changes exactly were done, or you can simply trust doveconf and replace your old config with the newly generated one.

Once running v2.0, it's safe to downgrade to v1.2.5 or newer. Older versions don't understand some of the changes to index files and will log errors.

Other important changes:

  • Dovecot uses two system users for internal purposes now by default: "dovenull" and "dovecot". You need to create the "dovenull" user or change the default_login_user setting. The "dovenull" user is used by completely untrustworthy processes, while the "dovecot" user is used for slightly more trusted processes.
    • If you want to be using something else than "dovecot" as the other user, you need to change default_internal_user setting.
    • Just like with "dovecot" user, "dovenull" doesn't need a password, home directory or anything else (but it's good to give it its own private "dovenull" group).
  • no more convert plugin, use dsync instead
  • no more expire-tool, use doveadm expunge instead. also expire configuration is different.
  • Post-login scripts are configured differently and need to be modified
  • Quota warnings are configured differently and the script may need to be modified (most environment settings like $USER are gone)
  • Global ACL filenames now require the namespace prefix (e.g. if you use the "INBOX." prefix, /etc/acls/foo needs to be renamed to /etc/acls/INBOX.foo).
  • Maildir: Permissions for newly created mail files are no longer copied from dovecot-shared file, but instead from the mail directory (e.g. for "foo" mailbox, they're taken from ~/Maildir/.foo directory)
  • dbox: v2.0 format is slightly different, but backwards compatible. The main problem is that v2.0 no longer supports maildir-dbox hybrid resulting from "fast Maildir migration". If you have any Maildir files in your dbox, you need to convert them somehow (some examples). You might also consider using dsync to get rid of the old unused metadata in your dbox files.
  • Pre-login and post-login CAPABILITY reply is now different. Dovecot expects clients to recognize new automatically sent capabilities. This should work with all commonly used clients, but some rarely used clients might have problems. Either get the client fixed, or set imap_capability manually.
  • ManageSieve protocol was assigned an official port by IANA: 4190. This is used by Pigeonhole by default now. If you want to listen also on the old 2000 port, see the Pigeonhole/ManageSieve/Configuration example.
  • dovecot --exec-mail imap has been replaced by simply running "imap" binary. You can also use "imap -u <username>" to access other users' mails more easily.

LDA

  • deliver binary was renamed to dovecot-lda (but a symlink still exists for now)
  • -n parameter was replaced by lda_mailbox_autocreate setting. The default also changed to "no".
  • -s parameter was replaced by lda_mailbox_autosubscribe setting. The default is "no", as before.

Configs:

Don't forget that ALL the configs have now changed.  No longer does everything reside in /etc/dovecot/dovecot.conf but in the following files:

# ls -1 /etc/dovecot/conf.d/
10-auth.conf
10-director.conf
10-logging.conf
10-mail.conf
10-master.conf
10-ssl.conf
15-lda.conf
20-imap.conf
20-lmtp.conf
20-pop3.conf
90-acl.conf
90-plugin.conf
90-quota.conf
auth-checkpassword.conf.ext
auth-deny.conf.ext
auth-ldap.conf.ext
auth-master.conf.ext
auth-passwdfile.conf.ext
auth-sql.conf.ext
auth-static.conf.ext
auth-system.conf.ext
auth-vpopmail.conf.ext

Hopefully the file names should indicate what does what.

/etc/dovecot/dovecot.conf:
protocols = imap [imaps is no longer valid]

Most of the settings from the v1.2 config can be transferred to the relevant configs above.

Global settings live in /etc/spamassassin/local.cf; per-user rules live in ~/.spamassassin/user_prefs. However, user_prefs is ignored when using spamd (the daemon), and it can also be insecure and increase server load.
I personally add my whitelist/blacklist addresses to the global file. Example below:

The config file

A comprehensive list of options can be found here.

I also added grey listing to my setup.

Instructions here.

JSymphonic (Sony Alternative)

A Linux alternative to Sony's SonicStage.

http://symphonic.sourceforge.net/

Installation:
Download and unpack the zip file (not the source), and create a launcher.
E.g. I unzipped mine to /usr/local/bin. The local user will need write permission in this directory, as an XML config file is created when you first run it. Then create a launcher in ~/.local/share/applications/:

$ cat .local/share/applications/SonicStage.desktop

[Desktop Entry]
Encoding=UTF-8
Type=Application
Terminal=false
Exec=/usr/bin/java -jar /usr/local/bin/JSymphonic_v0.3.0b.jar
Comment=SonicStage alternative
Name=SonicStage
Icon=/usr/share/pixmaps/sonicstage.png
Categories=AudioVideo;

MythTV Frontend Client

Ok.. so you have your backend all setup and recording TV :D
But what if I want Mythtv in another room?
No problem!

Hardware:
Acer Revo 230: (Aspire R3600)

Intel Atom 1.6 (Hyperthreading)
1GB RAM
160GB WD HDD
Nvidia HDMI

Setup:
Install Gentoo and MythTV as directed in the installation guide.  Then just point the front end to the back end.
On my setup I omitted MythArchive and MythWeb.

Todo:
Setup Storage Directory on backend for frontend to use.

MythTV Installation

I have created this guide based on my experience of installing and configuring MythTV. If you're looking for a PVR project, then MythTV is perfect.
This is for a dedicated box so no desktop environment will be installed.

I have compiled this on the assumption that you are competent in Linux so it won't be much use as a beginners guide, though I may turn it into one if I get time.
Obviously this guide is specific to my hardware so please make changes where needed for your setup.

The Hardware:
Samsung Dual Layer SATA DVD-RW
Western Digital 1TB HDD [System & Storage]
Asus P7H55M PRO Mainboard
4GB Corsair XMS3 1333MHz DDR3
Intel 3.2GHz i5 650 CPU
MCE Remote v2 (Philips)
Leadtek DTV1000 DVB-T PCI x2


Once you have your base Linux system up and running, it's time to start installing applications. The versions in use at the time of writing are:

media-tv/mythtv-0.22_p22860
media-plugins/mythgallery-0.22_p22763
media-plugins/mythgame-0.22_p22763
media-plugins/mythvideo-0.22_p22864-r1
media-plugins/mytharchive-0.22_p22763
x11-themes/mythtv-themes-0.22_p22869
media-plugins/mythmusic-0.22_p22763
x11-themes/mythtv-themes-extra-0.22_p22492
www-apps/mythweb-0.22_p22763-r1


So we now have a base Gentoo install and Mythtv.  If you have used the "autostart" flag then follow the steps below:

(You may need to use ALT+F1 to get a terminal.) Assuming you have installed MySQL and have not yet set up its root account, execute:

  • mysqladmin -uroot -p
  • Edit /etc/inittab and add c8:2345:respawn:/sbin/mingetty --autologin mythtv tty8 underneath the #TERMINALS section.
  • Edit /usr/share/mythtv/database/mc.sql and change the username and password entries.
  • Run mysql -uroot -p < /usr/share/mythtv/database/mc.sql to create the Mythtv database with the details used in previous step.
  • Log into mysql as root and run GRANT ALL PRIVILEGES ON `mythconverg`.* TO 'mythtv'@'localhost'; this just gives permissions to the mythtv user for the Mythtv database.
  • Run rc-update add mythbackend default to have MythTV's brains start up on reboot.
  • Edit /home/mythtv/.xinitrc

# .xinitrc
#[ -x /usr/bin/nvidia-settings ] && /usr/bin/nvidia-settings -l
/usr/bin/killall -9 mythfrontend evilwm
sleep 1
/usr/bin/xset s noblank
/usr/bin/xset s off
/usr/bin/xset -dpms
/usr/bin/xsetroot -cursor_name dot
/usr/bin/evilwm &
exec /usr/bin/mythfrontend -l /var/log/mythtv/mythfrontend.log -v important,general
#exec /usr/bin/mythtv-setup

*TIP* If you need to enter mythtv-setup for whatever reason, comment out exec /usr/bin/mythfrontend -l /var/log/mythtv/mythfrontend.log -v important,general and add exec /usr/bin/mythtv-setup to your .xinitrc. Then exit the frontend. Don't forget to change back when finished.

You can reboot now


If things are working as they should, you will now have a language selection screen.
Hit ALT+F1, log in as root and stop the mythbackend daemon: /etc/init.d/mythbackend stop
Switch to the mythtv user with su - mythtv, execute DISPLAY=":0.0" mythtv-setup and hit ALT+F7.

Now to tell MythTV where its brains are. Most of the screens can be left at the default settings.
If you only have one box, leave the IPs as 127.0.0.1; if you are planning remote frontends, change them to the IP of the backend (i.e. this box).

Change this screen to your TV settings.

Click Next

Click Next

Click Next

Click Next

Change the CPU to HIGH and uncheck Allow Advert Detection Jobs.

Click Next

Click Finish


Capture Cards

Highlight (new capture card) and hit enter.

Change the card type for your tuner.

Select Recording options.
If you only have one card, leave the max recordings as 1.
Tick Wait for SEQ start header
Tick Open DVB card on demand
Tick Use DVB card for active EIT scan


Video Sources

Highlight (new video source) and press enter

Enter a name in the Video source name box
Change the Listings Grabber to EIT


Input Connections

Here you should see the card(s) you have just setup in the previous step.
Select your card and press enter.

Change the Video Source (there should only be the one)
Use Quick Tuning should be fine as the default Live TV Only
Click Scan for Channels (you may need to change the country)

Change the Input group 1 to DVB0 if setting up the first card.


Channel Editor (optional)

Click Icon Download


Storage Directories

Highlight default and press enter
Highlight Add New Directory and press enter
Enter the full path to where you want TV streams to be saved.

Exit mythtv-setup by pressing ESC (you may see the language screen again; do not select anything!).
Hit ALT+F1 and reboot; you should now boot straight into MythTV.


Mythvideo

Highlight Setup and press enter.
Highlight Video Settings and press enter.
Highlight General Settings and press enter.
Enter the full path where you want MythTV to look for other videos etc. that MythTV did not record.
DVDs ripped by MythTV will be put here.

PLAYER SETTINGS:
The defaults should be ok.

FILE TYPES:
Here you can add file types of videos that are not enabled by default.

RIP SETTINGS:

MythGallery

MythGame

MythArchive

MythWeb

You need apache2 and php5 installed and set up for MythWeb to function. Apache instructions

cp /usr/share/webapps/mythweb/<version>/htdocs/mythweb.conf.apache /etc/apache2/modules.d/mythweb.conf

Edit /etc/apache2/modules.d/mythweb.conf and change the directory path, e.g. to /var/www/localhost/htdocs/mythweb.

Change the SetEnv entries to reflect the MythTV MySQL account. Then run:

htpasswd2 -c /path/to/your/.htpasswd <username>
This will prompt for a password.

The .htpasswd file should be outside the mythweb document root. The -c option creates a new file; if you are adding a second or further user, omit the -c to append to the file.

Restart Apache: /etc/init.d/apache2 restart

Advanced: Set up SSL. Add the following lines to .htaccess in the root of mythweb so that the login details are only sent over an encrypted connection.

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "<domain>"
ErrorDocument 403 https://domain/path/to/403.html
AuthType Basic
AuthUserFile /path/to/your/.htpasswd
AuthName "Please enter your username and password."
require valid-user

You will also need to create an SSL key and certificate and tell Apache about them. The command below forces you to provide a passphrase, which will stop Apache from starting when unattended:
openssl genrsa -des3 -out server.key 1024

To remove the password:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key

To create the certificate request:
openssl req -new -key server.key -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now change the perms so only root can read them.

chmod 400 server*

Copy the generated key and crt files to somewhere that Apache can read, e.g. /etc/apache2/ssl/. Enter the following into your vhosts:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Restart Apache.

Troubleshooting:
I've come across the occasional update where upon restarting mythbackend, the system load would max out for no reason. I found to resolve this I needed to run mythtv-setup and delete the dvb cards, readd them and rescan the channels. Upon restarting mythbackend, load would remain normal.

Gentoo Install

You can download a minimal install iso from here
It is assumed that you have some knowledge of Linux and how hardware is detected.

'#' = Direct command
Tip: Once booted into the CD, press CTRL+ALT+F2 and enter:

# lspci

This lists your hardware; you may need to refer to it later.

Research... Gentoo has a fantastic user community and documentation.  If you're using the USB install the root is auto mounted under /mnt/cdrom.

Hard drive setup:-
# fdisk /dev/sda

A typical filesystem layout I use on an 80GB drive is this.

Set partition 1 to +100M (boot)
Set partition 2 to +40G (root)
Set partition 3 to +30G (home)
Set partition 4 to the remainder (swap)

Press "t", select partition 4 then enter code 82.
Press "a", select partition 1 then "w" to write changes.

# mke2fs -L BOOTFS -t ext4 /dev/sda1
# mke2fs -L ROOTFS -t ext4 /dev/sda2
# mke2fs -L HOMEFS -t ext4 /dev/sda3
# mkswap -L SWAPFS /dev/sda4
# swapon /dev/sda4
# mount -t ext4 /dev/sda2 /mnt/gentoo
# mkdir /mnt/gentoo/boot
# mount /dev/sda1 /mnt/gentoo/boot
# cd /mnt/gentoo
Stage & Portage installation:-
# links http://www.gentoo.org/main/en/mirrors.xml
(move the highlight bar to the desired URL and hit enter.)
Move to releases and hit enter.
Select the correct arch (amd64.)
Select releases
Select your arch and hit enter. (amd64)
Select autobuilds hit enter
Select current-stage3-amd64-systemd
Select the stage file. (stage3-amd64-systemd-YYYYMMDD.tar.bz2)
select ok to save.
Go up 4 levels
Select snapshots
Select the most recent file. (portage-YYYYMMDD.tar.bz2)
# tar -xjpf stageXXX
# tar -xjf portage-XXX -C /mnt/gentoo/usr
# nano -w /mnt/gentoo/etc/portage/make.conf
press CTRL+X to exit, Y to accept changes and ENTER to save.
If you wish to define the CPU arch, please refer to this.
Also, please refer to the global useflags that may be required depending on your end game.
# mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
# mount -t proc none /mnt/gentoo/proc
# mount --types proc /proc /mnt/gentoo/proc
# mount --rbind /sys /mnt/gentoo/sys
# mount --make-rslave /mnt/gentoo/sys
# mount --rbind /dev /mnt/gentoo/dev
# mount --make-rslave /mnt/gentoo/dev
# cp -L /etc/resolv.conf /mnt/gentoo/etc/resolv.conf
!!!! NOTE: Do not be tempted to add customisation at this stage. It is better to get the base system built, bootable and stable.
Portage rsync configs are now located in /etc/portage/repos.conf/gentoo.conf

Create the directory:

# mkdir /etc/portage/repos.conf

Then create gentoo.conf with the content below.

[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
sync-type = rsync
sync-uri = rsync://rsync.europe.gentoo.org/gentoo-portage
Entering the Gentoo Environment:-
# chroot /mnt/gentoo /bin/bash
# env-update
# source /etc/profile
Install the Kernel:-
# emerge -av gentoo-sources
# cd /usr/src/linux

# make menuconfig
(configure the kernel for your system)

# make && make modules_install

# cp arch/x86_64/boot/bzImage /boot/kernel-?.?.?-gentoo-r?

# cp .config /boot/config-?.?.?-gentoo-r?

Note:  If unmasking a kernel, ensure you also unmask the linux-headers of the same version.
Setup root user password:-
# passwd
Setup Localtime:-
# ln -sf /usr/share/zoneinfo/Europe/London /etc/localtime
Setup FSTAB:-
# nano -w /etc/fstab

LABEL=BOOTFS    /boot   ext4    noauto,noatime    1 2
LABEL=SWAPFS    none    swap    sw                0 0
LABEL=ROOTFS    /       ext4    noatime           0 1
LABEL=HOMEFS    /home   ext4    noatime           0 1
Setup Grub (boot loader):-
# emerge grub
# grub-install /dev/sda
# grub-mkconfig -o /boot/grub/grub.cfg

!!! NOTE !!!
If grub fails to compile with the error "illegal instruction", there is a good chance that the stage3 tarball is at fault, as this is the first item you are compiling. Try using an older archive.

It's also worth noting that if you are using systemd instead of initrc you should amend the following line in /etc/default/grub to save any headaches when adding a different kernel. It appends parameters to the Linux kernel command line for non-recovery entries:

GRUB_CMDLINE_LINUX_DEFAULT="rootfstype=ext4 init=/usr/lib/systemd/systemd"
Install systemd & networkmanager:-

* you may need to unmerge udev & libudev

# cd
# umount /mnt/gentoo/boot /mnt/gentoo/proc /mnt/gentoo
# reboot
REBOOT!

Login and enable NetworkManager.

systemctl enable NetworkManager

Now that we have a bootable system, we can squeeze a little more speed from compiling.
Also, I highly recommend this if you're using an SSD.
Portage TMPFS

Setup hostname:-
# hostnamectl set-hostname <hostname>
Setup keyboard locale:-
# localectl set-keymap uk
Network Time:-
# systemctl enable systemd-timesyncd

Time servers are defined in /etc/systemd/timesyncd.conf.

Setup system log:-
# emerge syslog-ng logrotate
# systemctl enable syslog-ng@default
YOU NOW HAVE GENTOO INSTALLED BUT NO GUI OR APPZ...
Now REBOOT
Select system profile
Then execute:
# eselect profile list
Available profile symlink targets:
[1] default/linux/amd64/13.0
[2] default/linux/amd64/13.0/selinux
[3] default/linux/amd64/13.0/desktop
[4] default/linux/amd64/13.0/desktop/gnome
[5] default/linux/amd64/13.0/desktop/gnome/systemd
[6] default/linux/amd64/13.0/desktop/kde
[7] default/linux/amd64/13.0/desktop/kde/systemd
[8] default/linux/amd64/13.0/desktop/plasma
[9] default/linux/amd64/13.0/desktop/plasma/systemd
[10] default/linux/amd64/13.0/developer
[11] default/linux/amd64/13.0/no-multilib
[12] default/linux/amd64/13.0/systemd *
[13] default/linux/amd64/13.0/x32
[14] hardened/linux/amd64
[15] hardened/linux/amd64/selinux
[16] hardened/linux/amd64/no-multilib
[17] hardened/linux/amd64/no-multilib/selinux
[18] hardened/linux/amd64/x32
[19] hardened/linux/musl/amd64
[20] hardened/linux/musl/amd64/x32
[21] default/linux/uclibc/amd64
[22] hardened/linux/uclibc/amd64
Then execute:
# eselect profile set 11
Executing:
# emerge -uvnD world
will install/rebuild the required packages for that profile. This may take a few hours.
OK.  If everything went to plan you should now have a basic Gentoo installation.  Now for the hard bit :D

These are only my recommendations:-

create /etc/locale.gen and add "en_GB.UTF8 UTF-8"

# emerge ufed

Set any required global use flags via ufed.  Some useful ones are:

X bluetooth branding cacert cairo consolekit corefonts cups dbus egl evdev flac gd gif gles2 gnome gnome-keyring gnutls gpm gtk icu jpeg jpeg2k ibnotify mmx mp3 mpi nautilus networkmanager offensive office ogg opengl png policykit pulseaudio python qt4 smp sse sse2 sse4 sse4_1 ssse3 svg syslog systemd tiff truetype udev disks usb uxa vhosts vim-syntax vorbis xkb -bindist -ipv6 -widevine

If you don't want to set any global flags, you can opt to set these on a per package basis (recommended).

If you do define/remove any global flags, ensure you run an "emerge -puvND world" and rebuild any packages.

Example only:

/etc/portage/package.use/qtwebkit
dev-qt/qtwebkit printsupport

/etc/portage/package.use/iputils
net-misc/iputils -caps -filecaps

/etc/portage/package.use/libpng
media-libs/libpng apng

/etc/portage/package.use/python
dev-lang/python sqlite

/etc/portage/package.use/ffmpeg
media-video/ffmpeg opus vpx aac aacplus bluray cdio faac fdk x264 xvid
virtual/ffmpeg threads -vdpau x264

/etc/portage/package.use/libpcre
dev-libs/libpcre pcre16

/etc/portage/package.use/qtkeychain
dev-libs/qtkeychain qt5

/etc/portage/package.use/zlib
sys-libs/zlib minizip

/etc/portage/package.use/cogl
media-libs/cogl gles2

/etc/portage/package.use/mesa
media-libs/mesa gles2

# emerge -evD system (optional but recommended)
[this will rebuild the install for your architecture. It may take a while]

# emerge gentoolkit
[this will install some handy tools. One is below]

# revdep-rebuild
[this will reinstall any dependencies. Add a "-p" to see what will be done]

Now it's time to get a GUI installed.

Install GDM & Gnome
Install your Desktop Environment.

# emerge -av gdm gnome-light

Once complete enable gdm to autostart
# systemctl enable gdm

Caveats and Cleanups
Gnome-terminal may not start

# locale-gen

And then:

# localectl set-locale LANG="en_GB.UTF-8"

And reboot.

Gnome-shell screen cast may not work.

You may get the error:

gnome-session[736]: ** (gnome-shell:805): WARNING **: ShellRecorder: failed to parse pipeline: no element "vp9enc"
gnome-session[736]: ** (gnome-shell:805): CRITICAL **: shell_recorder_close: assertion 'recorder->state != RECORDER_STATE_CLOSED' failed

To fix this, ensure that gst-plugins-good, libvpx & ffmpeg are installed.

There you have it.  A full Gentoo Linux install with a Gnome3 desktop.

Time to spend a few more hours emerging your apps: ;)

A few useful apps are:

extundelete 
app-misc/screen 
libreoffice (takes >1 hour)
google-chrome
firefox
app-admin/keepassx 
eog 
gimp 
vim 
corefonts
linux-firmware
dosfstools
chrome-binary-plugins
gnome-tweak-tool

Gentoo Live USB

1. Introduction

The LiveUSB

This HOWTO explains how to create a Gentoo Linux LiveUSB or, in other words, how to emulate an x86 or AMD64 Gentoo Linux LiveCD using a USB flash drive. This is particularly useful for installing Gentoo Linux on a modern laptop with no CD-ROM drive.

Note: The sys-boot/unetbootin package provides a much easier alternative to create a bootable USB stick from any bootable CD image.

Although the instructions found in this document aim at emulating a Gentoo Linux LiveCD using a USB flash drive, they should work for any arbitrary block device as long as you adjust the device names accordingly.

Prerequisites

In order to use a Gentoo Linux LiveUSB you need the following:

  • Bootable USB flash drive with at least 1GB
  • i686 or x86_64 computer with support for booting from USB

You will also need access to the following for creating the LiveUSB:

  • A computer running Gentoo Linux (or alternatively another Linux distribution)
Note: If you want to use the minimal CD on a smaller key or boot a <i686 system, you need to follow the procedure described in this document with a 2006.0 minimal CD image because of a bug in more recent releases.

2. Preparing the USB flash drive

Partitioning the drive

Warning: These instructions will erase all data from the USB flash drive. Make sure to backup your data first.
Important: This HOWTO assumes that the /dev/sdc device node corresponds to your USB flash drive. If you have other SCSI-like devices make sure to use the correct device node.

Create a FAT16 partition on your USB flash drive and mark it bootable using fdisk. An example partitioning scheme can be seen below:

Note: If your key is 4GB or larger, use partition type b (W95 FAT32).

Code Listing 2.1: Example partitioning scheme
# fdisk -l /dev/sdc

Disk /dev/sdc: 2063 MB, 2063597056 bytes
255 heads, 63 sectors/track, 250 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1   *           1         250     2008124+   6  FAT16

Creating the filesystem

Create a FAT16 filesystem on the USB flash drive using mkdosfs:

Note: If your key is 4GB or larger, use -F 32 to create a FAT32 filesystem.

Code Listing 2.2: Running mkdosfs
(Make sure you have sys-fs/dosfstools installed)
# emerge -av sys-fs/dosfstools
# mkdosfs -F 16 /dev/sdc1
mkdosfs 2.11 (12 Mar 2005)

Installing a Master Boot Record

Install the precompiled Master Boot Record (MBR) from syslinux on the USB flash drive:

Code Listing 2.3: Installing a master boot record
(Make sure you have sys-boot/syslinux-3.00 or later installed)
# emerge -av '>sys-boot/syslinux-3'
# dd if=/usr/share/syslinux/mbr.bin of=/dev/sdc
0+1 records in
0+1 records out
304 bytes (304 B) copied, 0.0162317 s, 18.7 kB/s

3. Copying the files to your key

Mounting the Gentoo Linux Installation CD

Download either livecd-i686-installer-2007.0.iso or livecd-amd64-installer-2007.0.iso from your local Gentoo Linux mirror site and mount the ISO image on /mnt/cdrom as shown below:

Code Listing 3.1: Mounting the Gentoo Linux Installation CD ISO image
(Create the /mnt/cdrom mount point if needed)
# mkdir -p /mnt/cdrom
# mount -o loop,ro -t iso9660 livecd-i686-installer-2007.0.iso /mnt/cdrom
Note: If you receive a Could not find any loop device error message when mounting the iso, you need to enable the Loopback device support option in your kernel configuration.

Mounting the LiveUSB

Mount the newly formatted USB flash drive on /mnt/usb as shown below:

Code Listing 3.2: Mounting the USB flash drive
(Create the /mnt/usb mount point if needed)
# mkdir -p /mnt/usb
# mount -t vfat /dev/sdc1 /mnt/usb

Copying the files

Copy the files from the Gentoo Linux Installation CD to the LiveUSB. The files need to be rearranged slightly because we will be using the syslinux bootloader instead of isolinux:

Code Listing 3.3: Copying the files
# cp -r /mnt/cdrom/* /mnt/usb
# mv /mnt/usb/isolinux/* /mnt/usb
# mv /mnt/usb/isolinux.cfg /mnt/usb/syslinux.cfg
# rm -rf /mnt/usb/isolinux*

(The memtest86 kernel needs to be renamed for loading it via syslinux)
# mv /mnt/usb/memtest86 /mnt/usb/memtest

You can now unmount the ISO image:

Code Listing 3.4: Unmounting the ISO image
# umount /mnt/cdrom

Adjusting the bootloader configuration

Adjust the syslinux configuration file using sed as shown below. The slowusb parameter will introduce some extra delays before attempting to mount the filesystem. This is needed to allow the USB flash drive to settle upon detection.

Code Listing 3.5: Adjusting the boot parameters
# sed -i \
    -e "s:cdroot:cdroot slowusb:" \
    -e "s:kernel memtest86:kernel memtest:" \
    /mnt/usb/syslinux.cfg

4. Installing a bootloader

Unmounting the drive

Make sure you unmount the USB flash drive before installing the bootloader:

Code Listing 4.1: Unmounting the USB flash drive
# umount /mnt/usb

Installing syslinux

Finally install the syslinux bootloader on the USB flash drive:

Code Listing 4.2: Running syslinux
# syslinux /dev/sdc1

Important: You will need to rerun syslinux /dev/sdc1 each time you modify the syslinux.cfg file for the configuration changes to take effect.
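Sections 2 to 4 collected into one script, as an added example that is not part of the original HOWTO. It keeps the HOWTO's commands but adds two guards the text only gives in prose: it refuses to run on a disk the kernel does not flag as removable (so a wrong device node cannot wipe an internal disk), and it chooses FAT16 or FAT32 from the drive size. Partitioning is done with a scripted sfdisk rather than interactive fdisk; the device node, mount points and ISO filename are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): sections 2 to 4 of the
# procedure as one script. Guards added here: refuse a non-removable disk and
# pick FAT16/FAT32 by size. sfdisk replaces the interactive fdisk session.
# Device node, mount points and ISO path are assumptions; adjust them.
set -eu

# FAT variant by drive size in bytes: FAT32 (partition type b, mkdosfs -F 32)
# at 4GB or larger, FAT16 (type 6, -F 16) below. Prints "<type> <bits>".
fat_choice() {
    if [ "$1" -ge 4294967296 ]; then
        echo "b 32"
    else
        echo "6 16"
    fi
}

# Succeeds only when the sysfs "removable" flag (e.g. /sys/block/sdc/removable)
# reads 1, so a typo in the device name cannot hit an internal disk.
is_removable() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# The two edits from Code Listing 3.5, applied to the syslinux.cfg given as $1
# without relying on GNU sed's -i option.
adjust_syslinux_cfg() {
    sed -e "s:cdroot:cdroot slowusb:" \
        -e "s:kernel memtest86:kernel memtest:" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Whole procedure. $1 is the USB disk (e.g. /dev/sdc), $2 the LiveCD ISO.
make_liveusb() {
    dev=$1
    iso=$2
    part="${dev}1"
    name=$(basename "$dev")

    is_removable "/sys/block/$name/removable" || {
        echo "$dev is not a removable disk, refusing to continue" >&2
        return 1
    }

    size=$(blockdev --getsize64 "$dev")
    set -- $(fat_choice "$size")
    ptype=$1
    fbits=$2

    # Section 2: one bootable primary partition filling the drive, then the
    # filesystem and the precompiled syslinux MBR.
    printf ',,%s,*\n' "$ptype" | sfdisk "$dev"
    mkdosfs -F "$fbits" "$part"
    dd if=/usr/share/syslinux/mbr.bin of="$dev"

    # Section 3: copy the CD contents and rearrange them for syslinux.
    mkdir -p /mnt/cdrom /mnt/usb
    mount -o loop,ro -t iso9660 "$iso" /mnt/cdrom
    mount -t vfat "$part" /mnt/usb
    cp -r /mnt/cdrom/* /mnt/usb
    mv /mnt/usb/isolinux/* /mnt/usb
    mv /mnt/usb/isolinux.cfg /mnt/usb/syslinux.cfg
    rm -rf /mnt/usb/isolinux*
    mv /mnt/usb/memtest86 /mnt/usb/memtest
    umount /mnt/cdrom
    adjust_syslinux_cfg /mnt/usb/syslinux.cfg

    # Section 4: the drive must be unmounted before syslinux writes to it.
    umount /mnt/usb
    syslinux "$part"
}

# Run only when a device and an ISO are given on the command line, e.g.:
#   # sh make-liveusb.sh /dev/sdc livecd-i686-installer-2007.0.iso
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    make_liveusb "$1" "$2"
fi
```

The removable check reads the kernel's own flag for the disk, which is the cheapest way to catch the "wrong /dev/sdX" mistake the Important note above warns about; the helper functions are kept separate from the destructive part so they can be exercised on ordinary files first.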

5. Using the LiveUSB

Booting

Insert the USB flash drive and turn on the computer, making sure the BIOS is set to boot from USB. If all goes well you should be presented with a standard syslinux prompt.

You should be able to follow the generic installation instructions found in the Gentoo Handbook from here on.

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

Dropbox install

This is now moot.. Dropbox is now in portage!  I'll keep this here just for posterity :)

There is no ebuild in portage for Dropbox.  However, there is an ebuild out there.  Here's what to do:

Go here http://bugs.gentoo.org/237433 and download the latest ebuild.

The latest one today is nautilus-dropbox-0.6.1.ebuild created on 2009-05-11.

As root:
Copy the file to /usr/portage/gnome-base/nautilus-dropbox/. You will need to create the destination folder.
*NOTE* The destination folder has to be named after the ebuild (the package name, without the version).

Now run "ebuild /usr/portage/gnome-base/nautilus-dropbox/nautilus-dropbox-0.6.1.ebuild digest"
This should pull down the tarball of source code.

Chances are you will also need to add dropbox to your keywords file.
# echo "gnome-base/nautilus-dropbox" >> /etc/portage/package.keywords

Now just emerge the app as usual.
# emerge -av nautilus-dropbox