Optimizing Gentoo CFLAGS (Part II)

 Linux Guides  Comments Off
Feb 202011
 

Introduction

As I mentioned last time, you want to be comfortable with the existing documentation on CFLAGS before going crazy trying to play with. It also helps to have a good understanding of what you’re doing to the code when you modify these “sacred” parameters.

Alright, now that the CYA is out of the way let’s take this one step further. Last time we talked about figuring out which instruction sets your processor understood and how to figure out what `-m` flags would get those instruction sets into the binaries on your system. This time we’ll be talking about making sure those same flags are in your use flags (just to be sure they’re picked up by the system).

Finding Flag Names

So how do we find the flags that do what we want? Well, as always BASH is our friend and can be used to find this answer in a mostly automated fashion:

. /etc/make.conf && gcc -Q -c -v ${CFLAGS} --help=target | grep enabled

This displays the currently enabled flags based on your CFLAGS parameter and allows us to find which flags have use flags with the following one liner:

gawk '/-m.*/ { print $1 }' | cut -d 'm' --complement -f 1 | xargs -I{} equery h "{}"

Conclusion

Using a little scripting we can extract the necessary information to quickly determine if there are any use flags we should be adding for particular compiler flags that our system might support.  With this last level of optimization beyond the previous time’s we should be ready to move on to -O3 (for the daring) and watch our machine’s nose bleed.

 Posted by Alex Brandt at 5:00 PM  Tagged with: , ,

Mailing Portage Output

 Linux Guides  Comments Off
Jan 182011
 

Introduction

Portage is an amazingly simple and complex piece of technology.  The simplicity in each piece’s ability to do a specific function comes together in a complex package management system that rivals all other forms of package management (at least in my opinion).  Automating updates is something that admins everywhere do out of necessity.  Heck, automating everything is an admin’s life.  Automating portage’s updates is a bit more harrowing than other package management systems but it isn’t impossible.

Problem

As admins we attempt to simplify the work we actually do by writing scripts and programs to do most of our job for us.  It’s often been said that systems admins are the only people whose job description is to remove their job responsibilities.

Portage doesn’t have any default automation for doing nightly or even weekly portage updates but that doesn’t stop the creative from coming up with their own solution.  A simple but elegant solution is to create a small cron script that runs every day.  The problem comes when you want to read the wonderful output of portage (sometimes these messages can guide you when problems are about to occur) to avert disasters.  If the updates are performed from cron, the output will be preserved in an e-mail to the appropriate user but then we have to sift through all of the output at once.  This also doesn’t solve the issue if the updates are performed by another utility such as puppet.  These annoying little changes to the problem require a slightly more elegant solution.

Solution

The solution is to take advantage of portage’s logging specifications.  From the make.conf man file:

  • PORTAGE_ELOG_CLASSES
  • PORTAGE_ELOG_SYSTEM
  • PORTAGE_ELOG_COMMAND
  • PORTAGE_ELOG_MAILURI
  • PORTAGE_ELOG_MAILFROM
  • PORTAGE_ELOG_MAILSUBJECT

Using a combination of these directives in the make.conf file allows us to log the reports from portage to a large number of locations.  If we wanted to simply add mailing output (not the full build output just the messages) we would add the following directives to make.conf:

PORTAGE_ELOG_SYSTEM="save mail"
PORTAGE_ELOG_MAILFROM="portage@alunduil.com"

This simply adds the mailing log utility to portage and specifies that the e-mails come from the address portage@alunduil.com.  Of course, much more complex configurations can be crafted to suit any admins’ needs.

Conclusion

Letting your servers notify you of possible actions is one way of automating maintenance tasks; making maintenance eventually disappear from your task list. By starting with the tasks that are repeated the most frequently, you can quickly free up time for higher level automation and organization which leads to a cleaner and sturdier infrastructure.

 Posted by Alex Brandt at 5:49 PM  Tagged with: , , , , , , , ,

Pclean, a new /etc/portage/package.* cleaner

 Linux Guides  Comments Off
Nov 072010
 

I’ve often gotten frustrated with my /etc/portage/package.* files when they become massive and full of crud that I don’t even have installed any longer. Because of this I have crafted a simple little utility to clean out packages that are no longer installed and use flags that are no longer valid from these files. This should help trim the cruft from the Gentoo configuration.

The utility, pclean, does all of this and only has one major problem (so far) before I shall call it good enough for a 1.0 release. If you would like to try this little utility; it’s available in my overlay and if you notice any odd behavior please report it to my bugzilla.

 Posted by Alex Brandt at 9:53 AM  Tagged with: , , , , ,

Hamachi on Gentoo

 Linux Guides  Comments Off
Sep 272010
 

Introduction

Hamachi is a lightweight personal VPN connector that is a breeze to setup but there can be some pain if you don’t know what to expect. As always Gentoo provides us with an ebuild that simplifies the installation process but getting up and running is still a little confusing.

Installation and Setup

User Specific Configurations

The obvious first step is `emerge -av hamachi` (this only available to ~arch right now so add to `package.keywords` as necessary). The following are the typical instructions to install hamachi on Gentoo from portage:

  1. Add to `packages.keywords` if necessary
  2. `emerge -av hamachi`
  3. `rc-update add tuncfg default`

After these steps have been taken you can run hamachi as any user on the system for ad-hoc VPN creation.

Server Wide Configuration

If you prefer to do a system wide on boot VPN with hamachi this is also possible but requires a slightly different setup:

  1. Add to `packages.keywords` if necessary
  2. `emerge -av hamachi`
  3. rc-update add hamachi default

Now all configuration should be placed inside `/etc/hamachi` for this setup so the system will automatically start routing traffic correctly.

Kernel Configuration

For hamachi to work correctly you do need the tun parameter in your kernel or loaded as a module. This parameter is located in Device Drivers->Network device support->Universal TUN/TAP device driver support.

Using Hamachi

Now that hamachi is on the system we need to start using it. The server-wide installation doesn’t require this (but I’m sure you can use this method to create a configuration usable by the server-wide instance) but the user specific usage does.

Starting hamachi is as simple as the following:

  1. `hamachi-init`
  2. `hamachi start`
  3. `hamachi login`
  4. `hamachi create [ ]`
  5. `hamachi join [ ]`
  6. `hamachi go-online `

That’s it. You’re now connected to a private network named . You can view who else is connected to your network with `hamachi list` and `hamachi get-nicks`.

Conclusion

Setting up a VPN can be daunting (see the OpenVPN configuration documentation) or it can be a breeze with hamachi. Need a quick VPN for LAN gaming or a VPN for performing maintenance over the internet on a device behind a firewall? Hamachi may be the quick solution you’re looking for.

 Posted by Alex Brandt at 4:11 PM  Tagged with: , , ,

Gentoo Hardened [Mostly] Ready for Servers

 Linux Guides  Comments Off
Sep 192010
 

Introduction

I’ve been using the minimal “server” profile on my Gentoo servers for a few years now (Ever since I first found out that hardened didn’t support the glibc version that the stage tarballs used).  This profile has been excellent for the minimal needs of a headless server but it constantly reminded me that I should be using hardened; so, I finally decided to take the plunge and moved all my Gentoo servers to the hardened profile. The migration was mostly painless (with the errors being my own fault as usual).

Migration Process

The process for migrating to hardened is actually well documented and very simple (I’m simply summarizing the Official Documentation).

  1. Switch to a hardened profile
  2. Install `hardened-sources` following the directives for PAX in the Documentation
  3. Reboot the machine
  4. Rebuild tool chain (gcc, glibc, binutils)
  5. Rebuild world
  6. Reboot the machine

That’s all there is to it. Once the reboot finalizes all processes should be working without an issue. Although, because you have now increased security you can expect some more strange bugs to work their way into your software: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=2092.

Conclusion

Although strange things may be afoot I would still recommend making the plunge from a server profile to a true hardened profile. The stability far outweighs the issues that are to be encountered but be wary if something begins misbehaving in an unidentifiable manner.

 Posted by Alex Brandt at 3:38 PM  Tagged with: , , , ,
 Older Entries
© 2011 Alunduil's Hosting Suffusion theme by Sayontan Sinha