Funtoo Resources on LAN

From Funtoo
Latest revision as of 04:11, 13 March 2014

Introduction

This page shows you how to set up Funtoo resources on your LAN, so that installing packages, updating your local trees and keeping everything in sync all happen over your local network instead of going out to the Internet from every machine.

One use case: you have more than one machine and want to keep them all up to date in such a way that every machine updates to the tree of one machine, and only that one primary machine pulls from the outside world (funtoo on github).

Example:

Machine A = primary server on the LAN. Pulls from github, holds the distfiles, and holds binary packages built with FEATURES="buildpkg".

Machine B = another machine on your LAN, for example a laptop. Pulls from Machine A, so any distfile that Machine A already has is fetched from the primary server instead of the Internet; this reduces network load and makes the primary server a fast cache for future Funtoo installs and upgrades. It also means you can compile packages on the primary server and just pull the binaries from Machine B. Because Machine B can only ever be as up to date as Machine A, it will never ask for a package version that has not been compiled on Machine A yet.

Setting up Machine A

Machine A is your primary server and is basically already complete. Make sure that SSH is enabled and started (it is by default on Funtoo) and that your distfiles and packages are served over http. In this setup root login over SSH is enabled, and root is the account used for syncing. You can change this to any other user if you prefer, but then you will need to adjust the settings below yourself.

Setting up the binary server

Follow the instructions in the "Setting up the host machine" section of the How to set up a binary package server page.

Some security tips for SSH

In your /etc/ssh/sshd_config you can add the following. sshd uses the first occurrence of a keyword it finds in the file, so check that an earlier line does not already set the same option.

Change SSH default port

Warning: fail2ban fails to match some IP addresses when paired with port information (https://github.com/fail2ban/fail2ban/issues/643).

You should definitely do this: if you leave port 22 open to the world, you will be attacked. I noticed that I was getting attacked multiple times every single day and the only way I was able to reduce it was to install fail2ban. However, changing the port to another port dropped the number of attacks from [Every Day * Multiple] to 0. Keep in mind that a non-standard port only hides sshd from scanners that probe port 22; a port scan of the host still finds it, so treat the change as noise reduction rather than as a security control, and combine it with the user and authentication restrictions below.

# Change Port 22 to some other port
Port 8902

Limit users

Attackers will try to brute-force user names. Setting AllowUsers restricts sshd to the listed accounts: a login attempt as any other user is rejected no matter which password or key is offered.

# Let's say that we only want root and roger to log in
AllowUsers root roger

# The sync in this guide logs in as root, so root login must be permitted.
# If the sync uses an SSH key, prefer 'without-password' here
# ('prohibit-password' on OpenSSH 7.0 and later, which still accepts the
# old spelling) so that root cannot be brute-forced with a password.
PermitRootLogin yes
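As an added example (not part of the original page), here is a small POSIX shell audit that reads an sshd_config and reports the settings the two subsections above care about, flagging the combinations that still let an attacker guess a password online. It resolves values the way sshd does (keywords are case-insensitive, the first occurrence wins, comments are ignored, Match blocks are not considered) and runs against two constructed configs: the one this page builds, and a hardened variant that keeps root login for the sync but only with a key. The file names, the hardened directives and the choice to treat an unset PermitRootLogin as "yes" (the default before OpenSSH 7.0) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings discussed above.
# Not part of the original page; file names and the hardened config are
# assumptions made here for illustration.

# Print the effective value of one sshd_config keyword. sshd keywords are
# case-insensitive and the first occurrence wins, so stop at the first hit.
# Lines after a "Match" block header are conditional and are not considered.
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# Report the relevant settings and return 1 if an online password guess is
# still possible. An unset PermitRootLogin is treated as "yes", the default
# for OpenSSH releases before 7.0 (7.0 changed it to prohibit-password).
audit_sshd_config() {
    conf=$1
    rc=0
    port=$(sshd_get "$conf" Port);                   port=${port:-22}
    root=$(sshd_get "$conf" PermitRootLogin);        root=${root:-yes}
    pass=$(sshd_get "$conf" PasswordAuthentication); pass=${pass:-yes}
    users=$(sshd_get "$conf" AllowUsers)
    echo "Port=$port PermitRootLogin=$root PasswordAuthentication=$pass AllowUsers=${users:-(any)}"
    if [ "$port" = 22 ]; then
        echo "note: port 22; moving it cuts scanner noise but is not a control"
    fi
    if [ -z "$users" ]; then
        echo "WEAK: AllowUsers unset, every local account is a brute-force target"
        rc=1
    fi
    if [ "$pass" != no ]; then
        echo "WEAK: password authentication enabled, online guessing is possible"
        rc=1
    fi
    if [ "$root" = yes ] && [ "$pass" != no ]; then
        echo "WEAK: root may log in with a password"
        rc=1
    fi
    return $rc
}

# Constructed configs. write_page_config reproduces what this page sets up;
# write_hardened_config keeps root login for the sync but requires a key.
write_page_config() {
    cat > "$1" <<'EOF'
Port 8902
AllowUsers root roger
PermitRootLogin yes
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
Port 8902
AllowUsers root roger
# root may log in, but only with a key (prohibit-password on OpenSSH 7.0
# and later, which still accepts this older spelling)
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
EOF
}

# Stand-alone run: audit both constructed configs and show the verdicts.
demo_dir=$(mktemp -d)
write_page_config "$demo_dir/page.conf"
write_hardened_config "$demo_dir/hardened.conf"
for f in page hardened; do
    echo "== $f.conf"
    if audit_sshd_config "$demo_dir/$f.conf"; then echo "verdict: ok"; else echo "verdict: weak"; fi
done
rm -rf "$demo_dir"
```

On a live host, point audit_sshd_config at /etc/ssh/sshd_config, or better at a file written from sshd -T, which prints the fully resolved configuration including defaults (in lowercase, which the parser accepts).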

Setting up secondary machine

This section shows how to pull the tree from a remote machine and set up your machine to use that machine's distfiles and packages (the remote tree can be on your local network).

We assume that you are pulling the tree from your local network and that you access it via ssh.

We assume that this is a fresh install with no previous portage tree or settings tweaks.

/etc/portage/make.conf

First we edit make.conf so that it pulls resources from the correct locations.

We assume that Machine A's IP is 192.168.1.100, that its SSH port is 8902, that we log in as the root user, and that the portage tree is in its default location of /usr/portage on that machine.

Open up the make.conf file for Machine B and add the following. The first sync connects to Machine A over ssh, so when you are asked to accept its host key, compare the fingerprint with the one shown on Machine A itself before answering yes:

# Where the tree is pulled from the first time it syncs; after that portage
# just uses whatever the git origin of the tree is set to.
SYNC="ssh://192.168.1.100:8902/usr/portage"

# Where source files (distfiles) are looked for: Machine A first, then
# distfiles.gentoo.org if Machine A does not have the file. Downloaded
# distfiles are checked against the digests in the tree's Manifest files,
# so a plain http mirror is fine here.
GENTOO_MIRRORS="http://192.168.1.100/funtoo http://distfiles.gentoo.org"

# Where binary packages are looked for. Plain http is convenient, but binary
# packages and the Packages index are not checked against anything from the
# trusted tree sync: whoever can tamper with traffic to 192.168.1.100 can
# substitute a package that is then installed as root. Use only on a trusted LAN.
PORTAGE_BINHOST="http://192.168.1.100/funtoo/packages"
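Because the binhost path carries no integrity check of its own, here is an added example (not the page's and not a Portage feature) of the out-of-band check a practitioner would add: Machine A writes a SHA-256 manifest of everything under its packages directory, and Machine B recomputes the digests of the packages it fetched and refuses to continue if any entry is missing or modified. The functions run against a constructed packages tree in a temporary directory, with a deliberate modification to show that it is caught. The manifest name MANIFEST.sha256, the directory layout, the stand-in package names and the availability of sha256sum (or shasum) are assumptions.

```shell
#!/bin/sh
# Added example: integrity manifest for a LAN binhost. Not Portage's own
# mechanism; the file names and layout below are assumptions.

# SHA-256 of one file, using GNU coreutils sha256sum or, failing that,
# Perl's shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Machine A: emit "<sha256>  <relative path>" for every file under the
# packages directory, sorted so that the manifest is reproducible. The
# manifest file itself is skipped so it can live inside the same tree.
binhost_manifest() {
    pkgdir=$1
    (cd "$pkgdir" && find . -type f ! -name MANIFEST.sha256 | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r rel; do
        printf '%s  %s\n' "$(sha256_of "$pkgdir/$rel")" "$rel"
    done
}

# Machine B: recompute every listed file and compare. Returns 0 only when
# every entry matches; a missing or modified file is reported and fails the
# check. Files present locally but absent from the manifest are not vouched for.
binhost_verify() {
    pkgdir=$1
    manifest=$2
    bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue
        if [ ! -f "$pkgdir/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(sha256_of "$pkgdir/$rel")" = "$want" ]; then
            echo "OK       $rel"
        else
            echo "MODIFIED $rel"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Build a constructed packages tree (the .tbz2 files are stand-ins, not real
# binary packages) and print its path.
make_demo_binhost() {
    d=$(mktemp -d)
    mkdir -p "$d/app-editors" "$d/sys-apps"
    printf 'stand-in for a vim binary package\n'     > "$d/app-editors/vim-7.4.tbz2"
    printf 'stand-in for a portage binary package\n' > "$d/sys-apps/portage-2.3.6.tbz2"
    echo "$d"
}

# Stand-alone run: publish, verify, tamper, verify again.
demo=$(make_demo_binhost)
binhost_manifest "$demo" > "$demo/MANIFEST.sha256"
echo "== manifest"; cat "$demo/MANIFEST.sha256"
echo "== before tampering"
binhost_verify "$demo" "$demo/MANIFEST.sha256" && echo "verdict: ok"
printf 'extra bytes\n' >> "$demo/sys-apps/portage-2.3.6.tbz2"
echo "== after tampering"
binhost_verify "$demo" "$demo/MANIFEST.sha256" || echo "verdict: rejected"
rm -rf "$demo"
```

The manifest only helps if it reaches Machine B over a channel the attacker cannot rewrite as well; fetched over the same plain http as the packages it would simply be replaced along with them. In this page's setup the natural channel is the root SSH account already used for the tree sync (copy it with scp, which takes the port as -P), or sign MANIFEST.sha256 on Machine A with gpg and verify the signature on Machine B before trusting the digests.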

If you already have a tree

If you already have a tree and want to delete it and start fresh, just delete the .git directory inside /usr/portage. The next time you run emerge --sync, portage will tell you that it isn't a git repository, wipe the contents and sync the new tree.

Conclusion

That is basically it.