Best practice Gentoo on Soekris

[102039]

Dear all,

I am trying to get a very small Gentoo on a Soekris net4801 box (compact flash card), but asking myself what could be the best way to do it.

What I basically want:

- Small Gentoo with an editor, iptables and SSH/SFPT/SCP capitability on board.
- Read-only mounted root dir (preferably completly loaded from an image in the RAM) and a second partition to get the iptables rules from (for example /etc mounted on a writable partition)
- Very small memory usage, because this box only has 256MB RAM

The box will be an router between two local networks. I want upload new firewall rules by using SSH/SFTP (maybe SCP) on this second partition, therefore also OpenSSH or Dropbear has to be running.

You may asking yourself now...why the hell is this guy asking instead of searching? I found several guides for running Gentoo on embedded hardware. But all of them had some problems which took me long to check on without finding a solution (I am not a novice, but also not a guru). In the meantime I was asking myself if there wasn't someone who already tried that. I have seen some guides about Soekris and Gentoo, but one of them was using a full blown system with and also left everything read/write on this flash card, which is unsuitable for a router which is supposed to run for at least 2-3 years.

So maybe one of you has done something like this in the past and give me a hint what could be the best strategy here. I already tried those guides:

1) https://forums.gentoo.org/viewtopic-t-327295-highlight-busybox.html - All the scripts for cleaning and packaging the system at the end didn't work right for me.
2) http://www.gentoo-wiki.info/TinyGentoo - System was already booting, using the initramfs image, but I had problems with the init script then and our own (kernel panics, ..)

Maybe I could combine the following one with the former approaches to build a really small Gentoo packaged in a memory resident image: https://forums.gentoo.org/viewtopic-t-705771-highlight-busybox.html

Moved by NedySeagoon

[pvos]

[Dammital]

Not what you asked for, but you might consider OpenBSD on that box. It dropped in nicely in my 5501, and does the things you say you want Gentoo for - routing and stateful packet filter in a handy appliance.

[102039]

Hi,

thanks for your answers. I gave up on the busybox setup, because after hours of checking and reading guides I just felt like maybe it is the best idea to have a rather normal, but very small Gentoo system on it, maybe like the ideas I posted above. Regarding OpenBSD...I have not enough experience in working with it. Since the box will connect two company networks I need to have enough experience to deal with problems. I already tried m0n0wall, but the webinterface is not comfortable enough for changing that much firewall rules like we have at the moment. So loading our existing iptables script from the current hardware is much easier and flexible.

[22bsti]

Not sure if you still care, but I would look at Openwrt or one of the BSD's. Pfsense/monowall perhaps.

[pa4wdh]

Hi,

Sorry for my somewhat late response, hope you're still interested.

I have a net5501 running here, and it runs gentoo. This is my setup (hardware wise):
- net5501
- 2GB CF card (could be smaller, but is cheap these days )
- USB harddrive

Software setup:
- CF card is mounted as /boot and contains kernels, ramdisk images and is the device it boots from (grub in bootsector)
- USB Harddrive is used for a regular Gentoo installation (hardened server profile)
- Script copies everything i need to a ramdisk image

In a normal situation (like now for example ) it's running from ramdisk all the time. Changes (and updates) are done on the harddrive and after that i just create a new image.
Images are 16 MB in size and contain (among a basic system): bind, dhcpd, pptp, vsftpd, thttpd (with rrdtool images), ssh, scp, wget

Biggest problem was to find a way to boot it the first time I ended up using PXE and a ramdisk image containing chroot, fdisk, mkfs, etc.

Of course the net4801 is different (hardware wise) but i think the method can still be applied.

Best regards,
pa4wdh
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com

[102039]

Hi,

this is what I did know:

- Used normal stage3/hardened/x86 image
- Optimized everything for i586 in /etc/make.conf and compiled everything in chroot
- Created two partitions on the cf card, one for /boot, one for /
- Using tmpfs for /var/log and /tmp
- After compiling the system on a host system, I copied the whole system to a secondary dir and first removed every unneeded package with ROOT="/copy_of_the_compiled_system" emerge --unmerge <packages> and after that cleaned out the rest manually

Since I don't use a cron daemon, the CF card should be pretty safe right now. Additionally I had to perform "set BootPartition=1" in Combios to make it boot without issueing "boot=80" and "reboot" eveyrtime the system lost power.

Unfortunatly I can't use BSD, because we already have a large set of iptables firewall rules.