Can I have two different profiles on my machine?[SOLVED]
Message
Can I have two different profiles on my machine?[SOLVED]
I am currently using gentoo-sources for my kernel but am interested in trying the hardened sources. Is it possible to have multiple profiles/kernels? For example when grub boots up choose to boot into my regular kernel or a hardened kernel. I looked at the eselect stuff but it looks like yo can only choose one profile.
Last edited by Budoka on Sat Jun 21, 2014 11:59 am, edited 3 times in total.
Hi. If by "profile" you mean "a different kernel source tree", then yes, you can have multiple kernel source trees. It's by definition what happens when you upgrade a kernel source tree: portage always downloads and installs kernel sources side-by-side, it never updates an already installed source tree. You will have to add the new kernel to the boot loader configuration (Grub might come with scripts to do that).
If you have out-of-tree kernel modules (e.g. nvidia drivers) be sure to re-emerge those packages as well after you compiled the new kernel. By the way eselect kernel allows you to select one kernel among those you installed and compiled. I guess from your post you currently have only one kernel installed, right?
If you have out-of-tree kernel modules (e.g. nvidia drivers) be sure to re-emerge those packages as well after you compiled the new kernel. By the way eselect kernel allows you to select one kernel among those you installed and compiled. I guess from your post you currently have only one kernel installed, right?
That is exactly what I was asking. Thanks for the clarification. I was able to emerge the hardened kernel sources in addition to the gentoo-sources and they both come up in my eselect kernel list.VinzC wrote:Hi. If by "profile" you mean "a different kernel source tree", then yes, you can have multiple kernel source trees. It's by definition what happens when you upgrade a kernel source tree: portage always downloads and installs kernel sources side-by-side, it never updates an already installed source tree. You will have to add the new kernel to the boot loader configuration (Grub might come with scripts to do that).
If you have out-of-tree kernel modules (e.g. nvidia drivers) be sure to re-emerge those packages as well after you compiled the new kernel. By the way eselect kernel allows you to select one kernel among those you installed and compiled. I guess from your post you currently have only one kernel installed, right?
So now just to deal with modules and compiling issues. Grub2 has a script that will add the new kernel to my bootloader for me.
Thanks again.
.So I have run into a snag.
I was able to successfully emerge a different kernel source tree, eselect it, compile, add it to my grub menu and boot into it.
However when I eselect the new profile, in this case hardened, and do a world update it bombs out on a bunch of conflicts. Something like 167 of them. Is this normal and I just have to solve each one individually? If I revert back to the "desktop" profile world update works as normal.
I can give a pastebin of the errors if you would like but it is long.
Thanks.
I was able to successfully emerge a different kernel source tree, eselect it, compile, add it to my grub menu and boot into it.
However when I eselect the new profile, in this case hardened, and do a world update it bombs out on a bunch of conflicts. Something like 167 of them. Is this normal and I just have to solve each one individually? If I revert back to the "desktop" profile world update works as normal.
I can give a pastebin of the errors if you would like but it is long.
Thanks.
- NeddySeagoon
- Administrator
- Posts: 56094
- Joined: Sat Jul 05, 2003 9:37 am
- Location: 56N 3W
Budoka,
When you install a hardened system, you are supposed to start with the hardened stage3.
I've never tried an update to hardened.
If you want a hardened install and a normal install side by side, they will meed their own root filesystems.
When you install a hardened system, you are supposed to start with the hardened stage3.
I've never tried an update to hardened.
If you want a hardened install and a normal install side by side, they will meed their own root filesystems.
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
There's one BIG misunderstanding here that needs clearing.
You can install as many kernel as you wish, that's no problem.
But a hardened profile in Gentoo is much more than just a kernel. A lot of packages will need to be recompiled, a lot of extra dependencies will need to be pulled, lots of others won't be able to be installed any longer, at least not easily, since they will be masked (and for good reason) in the hardened profile. You might need to downgrade a good bunch of them as well.
The kernel alone won't provide you with a hardened system.
On the other side, a regular kernel which is not hardened-capable won't even be able to work properly on a userland that's been prepared for hardened.
Your best bet is truly to make two separate installs.
As for migrating from regular to hardened, yes, it can be done (or it used to be possible, it's been long...). I've done it once merely for my own enjoyment, but don't expect it to be an easy trip.
You can install as many kernel as you wish, that's no problem.
But a hardened profile in Gentoo is much more than just a kernel. A lot of packages will need to be recompiled, a lot of extra dependencies will need to be pulled, lots of others won't be able to be installed any longer, at least not easily, since they will be masked (and for good reason) in the hardened profile. You might need to downgrade a good bunch of them as well.
The kernel alone won't provide you with a hardened system.
On the other side, a regular kernel which is not hardened-capable won't even be able to work properly on a userland that's been prepared for hardened.
Your best bet is truly to make two separate installs.
As for migrating from regular to hardened, yes, it can be done (or it used to be possible, it's been long...). I've done it once merely for my own enjoyment, but don't expect it to be an easy trip.
Thank you very much. That cleared things up for me. I was confused in terms of the symlink for the kernel and the profile select for the system. That plus Neddy's explanation about starting with a hardened stage3 for the hardened kernel helped. For the moment I will just leave it alone.i92guboj wrote:There's one BIG misunderstanding here that needs clearing.
You can install as many kernel as you wish, that's no problem.
But a hardened profile in Gentoo is much more than just a kernel. A lot of packages will need to be recompiled, a lot of extra dependencies will need to be pulled, lots of others won't be able to be installed any longer, at least not easily, since they will be masked (and for good reason) in the hardened profile. You might need to downgrade a good bunch of them as well.
The kernel alone won't provide you with a hardened system.
On the other side, a regular kernel which is not hardened-capable won't even be able to work properly on a userland that's been prepared for hardened.
Your best bet is truly to make two separate installs.
As for migrating from regular to hardened, yes, it can be done (or it used to be possible, it's been long...). I've done it once merely for my own enjoyment, but don't expect it to be an easy trip.
As a side not can anyone give advise as to which kernel sources are best for a laptop. To date I have been using Gentoo-sources.
You could install a hardened system with hardened stage3, but you could also "convert" your existing system.
I did this about 2 weeks ago.
I have "converted" my existing system from profile:
"default/linux/amd64/13.0/desktop/kde/systemd"
to "hardened/linux/amd64 *".
This was a lot easier then expected.
I changed profile via eselect, added all needed useflags from old profile.
Then "emerge -1 glibc gcc binutils" the rebuild the most important tools.
Then checked with "emerge -pv --update --deep --newuse world" which other changes needs to be done.
In ~4 or 5 cases i must adjust the package.use and/or package.accept_keywords files.
Also added "-tools" and "-X" to /etc/portage/profile/use.mask.
Also i disabled "pax_kernel" Useflag for Nvidia and Virtualbox Modul.
Then "emerge -e system --keep-going" && "emerge -e world --keep-going"
Only one(!) package failed with the new "hardened" gcc for me: app-emulation/virtualbox-4.3.12
But with "x86_64-pc-linux-gnu-4.7.3-vanilla" compile was Ok.
After reboot everything worked with the old gentoo-sources kernel and even with Nvidia driver.
Also Kernel Update with Gentoo Sources works with this combination. I still have no working hardened sources kernel installed.
So hardened userland and no-hardened Kernel works.
I am using this on my laptop on a daily basis.
emerge --info
Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.17, 3.14.8-gentoo x86_64)
=================================================================
System uname: Linux-3.14.8-gentoo-x86_64-Intel-R-_Core-TM-_i7-2630QM_CPU_@_2.00GHz-with-gentoo-2.2
hardening-check vlc
vlc:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
emerge -pv nvidia-drivers
[ebuild R ~] x11-drivers/nvidia-drivers-340.17 USE="X acpi multilib tools uvm -pax_kernel" 0 kB
I have about 1.500 packages installed,with KDE 4.13.2, systemd any many media apps, Steam from Overlay, etc..
If i have some more time i am switching then to hardened-sources.
The funny thing, some packages now needs less time to emerge... I do not know why...
The clean way is realy to start with a fresh stage3 install, but it just works also by "converting".
I did this about 2 weeks ago.
I have "converted" my existing system from profile:
"default/linux/amd64/13.0/desktop/kde/systemd"
to "hardened/linux/amd64 *".
This was a lot easier then expected.
I changed profile via eselect, added all needed useflags from old profile.
Then "emerge -1 glibc gcc binutils" the rebuild the most important tools.
Then checked with "emerge -pv --update --deep --newuse world" which other changes needs to be done.
In ~4 or 5 cases i must adjust the package.use and/or package.accept_keywords files.
Also added "-tools" and "-X" to /etc/portage/profile/use.mask.
Also i disabled "pax_kernel" Useflag for Nvidia and Virtualbox Modul.
Then "emerge -e system --keep-going" && "emerge -e world --keep-going"
Only one(!) package failed with the new "hardened" gcc for me: app-emulation/virtualbox-4.3.12
But with "x86_64-pc-linux-gnu-4.7.3-vanilla" compile was Ok.
After reboot everything worked with the old gentoo-sources kernel and even with Nvidia driver.
Also Kernel Update with Gentoo Sources works with this combination. I still have no working hardened sources kernel installed.
So hardened userland and no-hardened Kernel works.
I am using this on my laptop on a daily basis.
emerge --info
Portage 2.2.8-r1 (hardened/linux/amd64, gcc-4.7.3, glibc-2.17, 3.14.8-gentoo x86_64)
=================================================================
System uname: Linux-3.14.8-gentoo-x86_64-Intel-R-_Core-TM-_i7-2630QM_CPU_@_2.00GHz-with-gentoo-2.2
hardening-check vlc
vlc:
Position Independent Executable: yes
Stack protected: yes
Fortify Source functions: yes
Read-only relocations: yes
Immediate binding: yes
emerge -pv nvidia-drivers
[ebuild R ~] x11-drivers/nvidia-drivers-340.17 USE="X acpi multilib tools uvm -pax_kernel" 0 kB
I have about 1.500 packages installed,with KDE 4.13.2, systemd any many media apps, Steam from Overlay, etc..
If i have some more time i am switching then to hardened-sources.
The funny thing, some packages now needs less time to emerge... I do not know why...
The clean way is realy to start with a fresh stage3 install, but it just works also by "converting".
- nlsa8z6zoz7lyih3ap
- Guru
- Posts: 388
- Joined: Tue Sep 25, 2007 5:35 pm
- Location: Canada
I can confirm this as I did it a few days ago.but it just works also by "converting".
Steps:
(0) Back up your installation. (and undo prelink, if needed.)
(1) eselect appropriate hardened profile.
(2) emerge -uvDN @world --autounmask-write
(3) play around with use flags until step (2) succeeds. (Didn't take too much in my case, but someone else's experience might be much different.) Then emerge -vc .
(4) emerge -1v libtool; emerge -1v gcc
(5) use gcc-config to select the compiler you wish to use. (none of the vanilla, nopie etc choices)
(6) emerge -1v gcc;emerge -1v libtool
(7) emerge -ev @system;emerge -ev @world
(8) Configure and install a hardened kernel.
I know that this has already been covered, but I am posting just to show that someone else has done it too.
Added in edit:
Question: Does anyone know what security is gained, if any, if steps (1) through (7) are carried out. but one still uses a non-hardened kernel?