[gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/uclibc: index.xml lilblue.xml - gentoo-commits

From:	"Anthony G. Basile (blueness)" <blueness@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened/uclibc: index.xml lilblue.xml
Date:	Mon, 03 Jun 2013 01:43:30
Message-Id:	`20130603014327.5DB0D2171D@flycatcher.gentoo.org`

1

blueness    13/06/03 01:43:27

2

3

  Modified:             index.xml

4

  Added:                lilblue.xml

5

  Log:

6

  Add documentation about Lilblue

7

8

Revision  Changes    Path

9

1.9                  xml/htdocs/proj/en/hardened/uclibc/index.xml

10

11

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&view=markup

12

plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&content-type=text/plain

13

diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?r1=1.8&r2=1.9

14

15

Index: index.xml

16

===================================================================

17

RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml,v

18

retrieving revision 1.8

19

retrieving revision 1.9

20

diff -u -r1.8 -r1.9

21

--- index.xml	31 May 2013 16:15:02 -0000	1.8

22

+++ index.xml	3 Jun 2013 01:43:27 -0000	1.9

23

@@ -37,8 +37,9 @@

24

25

<p>

26

 Continued developments in uClibc have made it increasingly suitable for fully

27

-featured systems, even desktops.  The recent addition of the native POSIX thread

28

-library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)

29

+featured systems, like <uri link="lilblue.xml">Lilblue</uri>, our security-enhanced,

30

+fully featured XFCE4, amd64 desktop built on uClibc.  The recent addition of the native POSIX

31

+thread library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)

32

 meant that we could finally implement our complete complement of tool chain

33

 hardening from glibc:

34

 </p>

35

@@ -86,7 +87,7 @@

36

 	<ti>Generic</ti>

37

 	<ti>Yes</ti>

38

 	<ti>Yes</ti>

39

-	<ti>stage3 desktop</ti>

40

+	<ti>stage3 <uri link="lilblue.xml">desktop</uri></ti>

41

 	<ti>[mirror]/experimental/amd64/uclibc</ti>

42

 </tr>

43

 <tr>

1.1                  xml/htdocs/proj/en/hardened/uclibc/lilblue.xml

48

49

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&view=markup

50

plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&content-type=text/plain

51

52

Index: lilblue.xml

53

===================================================================

54

<?xml version="1.0" encoding="UTF-8"?>

55

<?xml-stylesheet href="/xsl/project.xsl" type="text/xsl"?>

56

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

57

<!DOCTYPE project SYSTEM "/dtd/project.dtd">

58

<project>

59

60

<name>Lilblue</name>

61

<longname>Lilblue: A security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,

62

built on uClibc</longname>

63

64

<description>

65

"Lilblue" is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,

66

built on uClibc.

67

</description>

68

69

<longdescription>

70

<p>

71

"Lilblue", named after the <uri link="https://en.wikipedia.org/wiki/Little_Penguin">Little Blue Penguin</uri>

72

of New Zealand, a smaller cousin of the <uri link="https://en.wikipedia.org/wiki/Gentoo_Penguin">Gentoo</uri>,

73

is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.

74

</p>

75

<p>

76

The "security-enhancement" comes from a toolchain which builds all of userland

77

</p>

78

<ul>

79

<li>with <uri link="http://en.wikipedia.org/wiki/Stack-smashing_protection"> stack smashing protection </uri>

80

and <uri link="http://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html">stack-check</uri>,</li>

81

<li>as <uri link="https://en.wikipedia.org/wiki/Position-independent_code">position independent executables</uri>

82

--- even executables are marked ET_DYN</li>

83

<li>with hardened linking --- relocation read only and no lazy binding

84

(<uri link="https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only">relro and bindnow</uri>),</li>

85

<li>with a non-executable stack, only RW permitted on a GNU_STACK phdr,</li>

86

</ul>

87

<p>

88

and a kernel which provides:

89

</p>

90

<ul>

91

<li>various memory protection features for processes

92

	(<uri link="http://pax.grsecurity.net/docs/pageexec.txt">PAGEEXEC</uri>, 

93

	<uri link="http://pax.grsecurity.net/docs/mprotect.txt">MPROTECT</uri>,

94

	<uri link="http://pax.grsecurity.net/docs/randmmap.txt">RANDMMAP</uri>,

95

	<uri link="http://pax.grsecurity.net/docs/emutramp.txt">EMUTRAMP</uri>),</li>

96

<li>an <uri link="http://pax.grsecurity.net/docs/aslr.txt">enhanced address space layout

97

randomization </uri> in conjunction with PIE above,</li>

98

<li>numerous internal and kernel-userland surface hardening features,</li>

99

</ul>

100

<p>

101

See <uri link="http://pax.grsecurity.net/docs">PaX</uri> and

102

<uri link="https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">grsecurity</uri>

103

for more information on the various hardening features in the kernel.  If you want

104

a <uri link="https://wiki.ubuntu.com/Security/Features">laundry list of security

105

features</uri>, you might consider what Ubuntu does.  Most of these features, or

106

some variation of them, are in Lilblue.  However, Lilblue goes further with

107

grsecurity/PaX which is a major boost to hardening.  There's a nice little utility

108

by Tobias Klein, <uri link="http://www.trapkit.de/tools/checksec.html">checksec.sh</uri>.

109

Run it against the latest Ubuntu and Lilblue for a comparison.

110

</p>

111

<p>

112

The "fully featured desktop" comes the fact that the system comes with over 800

113

packages covering most desktop needs.  XFCE4 was chosen because of its slim and

114

flexible nature.  These include:

115

</p>

116

<ul>

117

<li>ephiphany, claws, hexchat for browsing, email and IRC</li>

118

<li>abiword, evince, gcalctool, gtext for generic office software</li>

119

<li>gqview, smplayer for multimedia with many open codecs</li>

120

<li>transmission for bittorrent</li>

121

<li>and no! busybox does not provide most of the core utilities</li>

122

</ul>

123

<p>

124

Lilblue should not be thought of as an "embedded" system.  The major difference

125

between it and a stock Gentoo system built with the same package set is that uClibc

126

replaces glibc.  Work is on the way to make about 7000 packages available via binpkg

127

hosting.

128

</p>

129

<p>

130

Finally, why uClibc and why only amd64?  Let me address the latter first: almost

131

all desktop systems today support X86_64 architecture.  Factored in with time

132

constraints, mostly revolving around the difficulties maintaining hardening on

133

X86, this made the choice to only support amd64 seem reasonable.  The uClibc is

134

harder to justify, so may or may not accept the following reasons:

135

</p>

136

<ul>

137

<li>uClibc is a configurable standard C library aimed at embedded systems, and

138

it should remain so, but it is not just for embedded systems anymore!</li>

139

<li>uClibc is fast! Lilblue boots in 14 seconds off a SSD</li>

140

<li>uClibc is small ~400 KB for uClibc vs 1.7 MB</li>

141

<li>uClibc's "link surface" is half that of glibc: 1327 (or less) symbols for

142

uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)</li>

143

<li>It is not the mainstream and forces the developer to confront design principles

144

when building a "Standard C Library" and executables that link against it</li>

145

<li>I like working with the people who work on Gentoo and uClibc.  Its not a

146

reason to use Lilblue, but it was a motivation for me to do this</li>

147

</ul>

148

</longdescription>

149

150

<extrachapter position="top">

151

<title>Installation</title>

152

<section>

153

<body>

154

<p>

155

Okay, so you're curious.  Maybe not enough to install it on a real box, but

156

you'll give it a spin as a virtual machine.  Good!  Installation is manual, but

157

much easier than the full Gentoo installation described in the

158

<uri link="http://www.gentoo.org/doc/en/handbook/index.xml">Handbook</uri>.  Of

159

course, there are less choices to be made.  What we give below will most likely

160

"just work", but feel free to deviate from it if you want to try something different.

161

For instance, the kernel is compiled with lots of support.  Do you want to try

162

BTRFS instead of EXT4?

163

</p>

164

<p>

165

Here are the steps:

166

</p>

167

<p>

168

<b>1.</b> First let's prepare a boot device and boot into it.  Download the install ISO

169

image using

170

</p>

171

<pre caption=""><i>wget http://[mirror]/pub/linux/gentoo/releases/amd64/current-iso/install-amd64-minimal-[date].iso</i></pre>

172

<p>

173

Here [mirror] is any <uri link="http://www.gentoo.org/main/en/mirrors2.xml">Gentoo

174

mirror</uri> and [date] is whatever the date is of the latest release.  This is

175

just Gentoo's generic amd64 minimal install image.  Its glibcbased, but that's

176

okay, it won't prevent chrooting into the uClibc desktop which you have to do

177

later on.  If you are putting this on a physical box, then burn the ISO image to

178

a CD or DVD.  For a virtual machine, just aim its virtual CD/DVD device to the

179

ISO file.  Alternatively, you may want to boot from a pen drive.  Gentoo's install

180

ISO is not the best for this.  You may want to try

181

<uri link="http://www.sysresccd.org/SystemRescueCd_Homepage">SystemRescueCD</uri>,

182

a Gentoo-derived distro with lots of uses.  Or, if you already have a working

183

Linux system and you want to install Lilblue to another drive, just boot off

184

your current system and partition the other drive.  Whatever your choice, boot

185

off that device now.

186

</p>

187

<p>

188

<b>2.</b> Prepare root/boot/swap partitions, format and mount them.  Using

189

<uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?chap=4&amp;part=1#doc_chap3">

190

fdisk</uri>, prepare at least three partitions.  boot only has to hold a kernel

191

or two, so you can get away with less, but the others are reasonable minima:

192

</p>

193

<table>

194

	<tr><th>Partition</th><th>Mount Point</th><th>Size</th></tr>

195

	<tr><ti>/dev/sda1</ti><ti>/boot</ti><ti>128 MB</ti></tr>

196

	<tr><ti>/dev/sda2</ti><ti>swap</ti><ti>&gt;1 GB</ti></tr>

197

	<tr><ti>/dev/sda3</ti><ti> / </ti><ti>&gt;4 GB</ti></tr>

198

</table>

199

<p>

200

<b>3.</b> Format the partitions and mount them:

201

</p>

202

<pre caption="">

203

<i># mke2fs /dev/sda1</i>

204

<i># mkswap /dev/sda2</i>

205

<i># mkfs.ext4 /dev/sda3</i>

206

207

<i># mkdir -p /mnt/gentoo</i>

208

<i># mount /dev/sda3 /mnt/gentoo</i>

209

210

<i># mkdir -p /mnt/gentoo/boot</i>

211

<i># mount /dev/sda1 /mnt/gentoo/boot</i></pre>

212

<p>

213

<b>4.</b> Download and unpack the tarball image:

214

</p>

215

<pre caption="">

216

<i># cd /mnt/gentoo</i>

217

<i># wget http://[mirror]/pub/linux/gentoo/experimental/amd64/uclibc/desktop-amd64-uclibc-hardened-[date].tar.bz2</i>

218

<i># tar xf desktop-amd64-uclibc-hardened-[date].tar.bz2</i></pre>

219

<p>

220

<b>5.</b> Prepare the chroot and chroot into it.  Assuming you're still in the same directory as in the previous step, do

221

</p>

222

<pre caption="">

223

<i># mount --bind /dev dev/</i>

224

<i># mount --bind /dev/pts dev/pts</i>

225

<i># mount --bind /proc proc/</i>

226

<i># mount --bind /sys sys/</i>

227

<i># chroot . /bin/bash -l</i>

228

<i># source /etc/profile</i>

229

<i># env-update</i>

230

>>> Regenerating /etc/ld.so.cache...

231

/sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'

232

/sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'

233

/sbin/ldconfig: skipping /usr/games/lib: No such file or directory</pre>

234

<p>

235

Don't worry about the warning messages generated by <c>ldconfig</c>, they are harmless issues.

236

</p>

237

<p>

238

If you changed any of the above values for /dev/sda*, or you're not installing

239

onto sda, then edit /etc/lilo.conf and /etc/fstab.  Change the values to what

240

you picked.  Finally, install lilo to your boot drive, exit the chroot and reboot:

241

</p>

242

<pre caption="">

243

<i># lilo</i>

244

Added Gentoo  +  *

245

<i># exit</i>

246

<i># reboot</i></pre>

247

<p>

248

<b>6. </b>Log in and enjoy!  You have one user account and root.  You can only log into the desktop

249

as user <b>gentoo</b>, but can <c>sudo</c> or <c>su</c> root.  

250

</p>

251

<table>

252

<tr><th>Username</th><th>Password</th></tr>

253

<tr><ti>gentoo</ti><ti>gentoo</ti></tr>

254

<tr><ti>root</ti><ti>root</ti></tr>

255

</table>

256

</body>

257

</section>

258

</extrachapter>

259

260

<extrachapter position="top">

261

<title>Working with Lilblue</title>

262

<section>

263

<body>

264

<p>

265

Lilblue <b>is</b> Gentoo, not a separate distro.  Gentoo covers many possibilities

266

and building all userland against uClibc is just one choice.  You can learn how to

267

work with a Gentoo system by reading the <uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml">Handbook</uri>.

268

Skip the section on "Installing Gentoo" since we've already done that; but take a

269

look at "Working with Gentoo", "Working with Portage" and "Gentoo Network Configuration".

270

</p>

271

</body>

272

</section>

273

</extrachapter>

274

275

276

<extrachapter position="top">

277

<title>Reporting Bugs and Feature Requests</title>

278

<section>

279

<body>

280

<ul>

281

<li>Submit bugs to: <uri link="http://bugs.gentoo.org">Gentoo's Bugzilla</uri></li>

282

<li>Assign to: blueness@g.o</li>

283

<li>CC: hardened@g.o</li>

284

</ul>

285

</body>

286

</section>

287

</extrachapter>

288

289

<dev role="lead">blueness</dev>

290

291

<extrachapter position="bottom">

292

<title>I Want to Participate</title>

293

<section>

294

<body>

295

<p>

296

To participate in the Hardened uClibc project join the mailing list at

297

<c>gentoo-hardened@g.o</c> and visit our online IRC channel at

298

<c>#gentoo-hardened</c> on <c>irc.freenode.net</c>.

299

</p>

300

</body>

301

</section>

302

</extrachapter>

303

304

305

</project>

1	blueness 13/06/03 01:43:27
2
3	Modified: index.xml
4	Added: lilblue.xml
5	Log:
6	Add documentation about Lilblue
7
8	Revision Changes Path
9	1.9 xml/htdocs/proj/en/hardened/uclibc/index.xml
10
11	file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&view=markup
12	plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?rev=1.9&content-type=text/plain
13	diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml?r1=1.8&r2=1.9
14
15	Index: index.xml
16	===================================================================
17	RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/uclibc/index.xml,v
18	retrieving revision 1.8
19	retrieving revision 1.9
20	diff -u -r1.8 -r1.9
21	--- index.xml 31 May 2013 16:15:02 -0000 1.8
22	+++ index.xml 3 Jun 2013 01:43:27 -0000 1.9
23	@@ -37,8 +37,9 @@
24
25	<p>
26	Continued developments in uClibc have made it increasingly suitable for fully
27	-featured systems, even desktops. The recent addition of the native POSIX thread
28	-library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)
29	+featured systems, like <uri link="lilblue.xml">Lilblue</uri>, our security-enhanced,
30	+fully featured XFCE4, amd64 desktop built on uClibc. The recent addition of the native POSIX
31	+thread library (see <uri link="http://en.wikipedia.org/wiki/Native_POSIX_Thread_Library">nptl</uri>)
32	meant that we could finally implement our complete complement of tool chain
33	hardening from glibc:
34	</p>
35	@@ -86,7 +87,7 @@
36	<ti>Generic</ti>
37	<ti>Yes</ti>
38	<ti>Yes</ti>
39	- <ti>stage3 desktop</ti>
40	+ <ti>stage3 <uri link="lilblue.xml">desktop</uri></ti>
41	<ti>[mirror]/experimental/amd64/uclibc</ti>
42	</tr>
43	<tr>
44
45
46
47	1.1 xml/htdocs/proj/en/hardened/uclibc/lilblue.xml
48
49	file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&view=markup
50	plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/uclibc/lilblue.xml?rev=1.1&content-type=text/plain
51
52	Index: lilblue.xml
53	===================================================================
54	<?xml version="1.0" encoding="UTF-8"?>
55	<?xml-stylesheet href="/xsl/project.xsl" type="text/xsl"?>
56	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
57	<!DOCTYPE project SYSTEM "/dtd/project.dtd">
58	<project>
59
60	<name>Lilblue</name>
61	<longname>Lilblue: A security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
62	built on uClibc</longname>
63
64	<description>
65	"Lilblue" is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop,
66	built on uClibc.
67	</description>
68
69	<longdescription>
70	<p>
71	"Lilblue", named after the <uri link="https://en.wikipedia.org/wiki/Little_Penguin">Little Blue Penguin</uri>
72	of New Zealand, a smaller cousin of the <uri link="https://en.wikipedia.org/wiki/Gentoo_Penguin">Gentoo</uri>,
73	is a security-enhanced, fully featured XFCE4, amd64 Gentoo desktop, built on uClibc.
74	</p>
75	<p>
76	The "security-enhancement" comes from a toolchain which builds all of userland
77	</p>
78	<ul>
79	<li>with <uri link="http://en.wikipedia.org/wiki/Stack-smashing_protection"> stack smashing protection </uri>
80	and <uri link="http://gcc.gnu.org/onlinedocs/gccint/Stack-Checking.html">stack-check</uri>,</li>
81	<li>as <uri link="https://en.wikipedia.org/wiki/Position-independent_code">position independent executables</uri>
82	--- even executables are marked ET_DYN</li>
83	<li>with hardened linking --- relocation read only and no lazy binding
84	(<uri link="https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only">relro and bindnow</uri>),</li>
85	<li>with a non-executable stack, only RW permitted on a GNU_STACK phdr,</li>
86	</ul>
87	<p>
88	and a kernel which provides:
89	</p>
90	<ul>
91	<li>various memory protection features for processes
92	(<uri link="http://pax.grsecurity.net/docs/pageexec.txt">PAGEEXEC</uri>,
93	<uri link="http://pax.grsecurity.net/docs/mprotect.txt">MPROTECT</uri>,
94	<uri link="http://pax.grsecurity.net/docs/randmmap.txt">RANDMMAP</uri>,
95	<uri link="http://pax.grsecurity.net/docs/emutramp.txt">EMUTRAMP</uri>),</li>
96	<li>an <uri link="http://pax.grsecurity.net/docs/aslr.txt">enhanced address space layout
97	randomization </uri> in conjunction with PIE above,</li>
98	<li>numerous internal and kernel-userland surface hardening features,</li>
99	</ul>
100	<p>
101	See <uri link="http://pax.grsecurity.net/docs">PaX</uri> and
102	<uri link="https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">grsecurity</uri>
103	for more information on the various hardening features in the kernel. If you want
104	a <uri link="https://wiki.ubuntu.com/Security/Features">laundry list of security
105	features</uri>, you might consider what Ubuntu does. Most of these features, or
106	some variation of them, are in Lilblue. However, Lilblue goes further with
107	grsecurity/PaX which is a major boost to hardening. There's a nice little utility
108	by Tobias Klein, <uri link="http://www.trapkit.de/tools/checksec.html">checksec.sh</uri>.
109	Run it against the latest Ubuntu and Lilblue for a comparison.
110	</p>
111	<p>
112	The "fully featured desktop" comes the fact that the system comes with over 800
113	packages covering most desktop needs. XFCE4 was chosen because of its slim and
114	flexible nature. These include:
115	</p>
116	<ul>
117	<li>ephiphany, claws, hexchat for browsing, email and IRC</li>
118	<li>abiword, evince, gcalctool, gtext for generic office software</li>
119	<li>gqview, smplayer for multimedia with many open codecs</li>
120	<li>transmission for bittorrent</li>
121	<li>and no! busybox does not provide most of the core utilities</li>
122	</ul>
123	<p>
124	Lilblue should not be thought of as an "embedded" system. The major difference
125	between it and a stock Gentoo system built with the same package set is that uClibc
126	replaces glibc. Work is on the way to make about 7000 packages available via binpkg
127	hosting.
128	</p>
129	<p>
130	Finally, why uClibc and why only amd64? Let me address the latter first: almost
131	all desktop systems today support X86_64 architecture. Factored in with time
132	constraints, mostly revolving around the difficulties maintaining hardening on
133	X86, this made the choice to only support amd64 seem reasonable. The uClibc is
134	harder to justify, so may or may not accept the following reasons:
135	</p>
136	<ul>
137	<li>uClibc is a configurable standard C library aimed at embedded systems, and
138	it should remain so, but it is not just for embedded systems anymore!</li>
139	<li>uClibc is fast! Lilblue boots in 14 seconds off a SSD</li>
140	<li>uClibc is small ~400 KB for uClibc vs 1.7 MB</li>
141	<li>uClibc's "link surface" is half that of glibc: 1327 (or less) symbols for
142	uClibc vs 2188 for glibc (Gentoo users can compare the speed of revdep-rebuild)</li>
143	<li>It is not the mainstream and forces the developer to confront design principles
144	when building a "Standard C Library" and executables that link against it</li>
145	<li>I like working with the people who work on Gentoo and uClibc. Its not a
146	reason to use Lilblue, but it was a motivation for me to do this</li>
147	</ul>
148	</longdescription>
149
150	<extrachapter position="top">
151	<title>Installation</title>
152	<section>
153	<body>
154	<p>
155	Okay, so you're curious. Maybe not enough to install it on a real box, but
156	you'll give it a spin as a virtual machine. Good! Installation is manual, but
157	much easier than the full Gentoo installation described in the
158	<uri link="http://www.gentoo.org/doc/en/handbook/index.xml">Handbook</uri>. Of
159	course, there are less choices to be made. What we give below will most likely
160	"just work", but feel free to deviate from it if you want to try something different.
161	For instance, the kernel is compiled with lots of support. Do you want to try
162	BTRFS instead of EXT4?
163	</p>
164	<p>
165	Here are the steps:
166	</p>
167	<p>
168	<b>1.</b> First let's prepare a boot device and boot into it. Download the install ISO
169	image using
170	</p>
171	<pre caption=""><i>wget http://[mirror]/pub/linux/gentoo/releases/amd64/current-iso/install-amd64-minimal-[date].iso</i></pre>
172	<p>
173	Here [mirror] is any <uri link="http://www.gentoo.org/main/en/mirrors2.xml">Gentoo
174	mirror</uri> and [date] is whatever the date is of the latest release. This is
175	just Gentoo's generic amd64 minimal install image. Its glibcbased, but that's
176	okay, it won't prevent chrooting into the uClibc desktop which you have to do
177	later on. If you are putting this on a physical box, then burn the ISO image to
178	a CD or DVD. For a virtual machine, just aim its virtual CD/DVD device to the
179	ISO file. Alternatively, you may want to boot from a pen drive. Gentoo's install
180	ISO is not the best for this. You may want to try
181	<uri link="http://www.sysresccd.org/SystemRescueCd_Homepage">SystemRescueCD</uri>,
182	a Gentoo-derived distro with lots of uses. Or, if you already have a working
183	Linux system and you want to install Lilblue to another drive, just boot off
184	your current system and partition the other drive. Whatever your choice, boot
185	off that device now.
186	</p>
187	<p>
188	<b>2.</b> Prepare root/boot/swap partitions, format and mount them. Using
189	<uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml?chap=4&part=1#doc_chap3">
190	fdisk</uri>, prepare at least three partitions. boot only has to hold a kernel
191	or two, so you can get away with less, but the others are reasonable minima:
192	</p>
193	<table>
194	<tr><th>Partition</th><th>Mount Point</th><th>Size</th></tr>
195	<tr><ti>/dev/sda1</ti><ti>/boot</ti><ti>128 MB</ti></tr>
196	<tr><ti>/dev/sda2</ti><ti>swap</ti><ti>>1 GB</ti></tr>
197	<tr><ti>/dev/sda3</ti><ti> / </ti><ti>>4 GB</ti></tr>
198	</table>
199	<p>
200	<b>3.</b> Format the partitions and mount them:
201	</p>
202	<pre caption="">
203	<i># mke2fs /dev/sda1</i>
204	<i># mkswap /dev/sda2</i>
205	<i># mkfs.ext4 /dev/sda3</i>
206
207	<i># mkdir -p /mnt/gentoo</i>
208	<i># mount /dev/sda3 /mnt/gentoo</i>
209
210	<i># mkdir -p /mnt/gentoo/boot</i>
211	<i># mount /dev/sda1 /mnt/gentoo/boot</i></pre>
212	<p>
213	<b>4.</b> Download and unpack the tarball image:
214	</p>
215	<pre caption="">
216	<i># cd /mnt/gentoo</i>
217	<i># wget http://[mirror]/pub/linux/gentoo/experimental/amd64/uclibc/desktop-amd64-uclibc-hardened-[date].tar.bz2</i>
218	<i># tar xf desktop-amd64-uclibc-hardened-[date].tar.bz2</i></pre>
219	<p>
220	<b>5.</b> Prepare the chroot and chroot into it. Assuming you're still in the same directory as in the previous step, do
221	</p>
222	<pre caption="">
223	<i># mount --bind /dev dev/</i>
224	<i># mount --bind /dev/pts dev/pts</i>
225	<i># mount --bind /proc proc/</i>
226	<i># mount --bind /sys sys/</i>
227	<i># chroot . /bin/bash -l</i>
228	<i># source /etc/profile</i>
229	<i># env-update</i>
230	>>> Regenerating /etc/ld.so.cache...
231	/sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'
232	/sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'
233	/sbin/ldconfig: skipping /usr/games/lib: No such file or directory</pre>
234	<p>
235	Don't worry about the warning messages generated by <c>ldconfig</c>, they are harmless issues.
236	</p>
237	<p>
238	If you changed any of the above values for /dev/sda*, or you're not installing
239	onto sda, then edit /etc/lilo.conf and /etc/fstab. Change the values to what
240	you picked. Finally, install lilo to your boot drive, exit the chroot and reboot:
241	</p>
242	<pre caption="">
243	<i># lilo</i>
244	Added Gentoo + *
245	<i># exit</i>
246	<i># reboot</i></pre>
247	<p>
248	<b>6. </b>Log in and enjoy! You have one user account and root. You can only log into the desktop
249	as user <b>gentoo</b>, but can <c>sudo</c> or <c>su</c> root.
250	</p>
251	<table>
252	<tr><th>Username</th><th>Password</th></tr>
253	<tr><ti>gentoo</ti><ti>gentoo</ti></tr>
254	<tr><ti>root</ti><ti>root</ti></tr>
255	</table>
256	</body>
257	</section>
258	</extrachapter>
259
260	<extrachapter position="top">
261	<title>Working with Lilblue</title>
262	<section>
263	<body>
264	<p>
265	Lilblue <b>is</b> Gentoo, not a separate distro. Gentoo covers many possibilities
266	and building all userland against uClibc is just one choice. You can learn how to
267	work with a Gentoo system by reading the <uri link="http://www.gentoo.org/doc/en/handbook/handbook-amd64.xml">Handbook</uri>.
268	Skip the section on "Installing Gentoo" since we've already done that; but take a
269	look at "Working with Gentoo", "Working with Portage" and "Gentoo Network Configuration".
270	</p>
271	</body>
272	</section>
273	</extrachapter>
274
275
276	<extrachapter position="top">
277	<title>Reporting Bugs and Feature Requests</title>
278	<section>
279	<body>
280	<ul>
281	<li>Submit bugs to: <uri link="http://bugs.gentoo.org">Gentoo's Bugzilla</uri></li>
282	<li>Assign to: blueness@g.o</li>
283	<li>CC: hardened@g.o</li>
284	</ul>
285	</body>
286	</section>
287	</extrachapter>
288
289	<dev role="lead">blueness</dev>
290
291	<extrachapter position="bottom">
292	<title>I Want to Participate</title>
293	<section>
294	<body>
295	<p>
296	To participate in the Hardened uClibc project join the mailing list at
297	<c>gentoo-hardened@g.o</c> and visit our online IRC channel at
298	<c>#gentoo-hardened</c> on <c>irc.freenode.net</c>.
299	</p>
300	</body>
301	</section>
302	</extrachapter>
303
304
305	</project>

Gentoo Archives: gentoo-commits