Gentoo Linux installation on a Raspberry Pi

This guide describes how to install and set up Gentoo Linux on a Raspberry Pi 5 8GB, turning it into a self-hosted server.
Main steps
The Gentoo Wiki offers a comprehensive and user-friendly guide for installing Gentoo on any Raspberry Pi board. Follow the guide for the basic installation:
Gentoo Wiki: Raspberry Pi Install Guide
Hardware
Raspberry Pi 5 Cooling
For an overview of temperature limits and cooling approaches, see the post: Heating and cooling Raspberry Pi 5.
Running a Gentoo system on a Raspberry Pi 5, especially during initial setup or system rebuilds, requires additional cooling. Even with distributed compilation, the linking and build process management can lead to overheating and throttling.
The official active cooler [1] is highly effective and operates quietly. The Raspberry Pi 5's PWM fan control allows the fan to turn off or slow down during idle periods. This noise reduction is a significant advantage for a home self-hosted server.
To see the CPU temperature, use either the sensors tool or the following one-liner (the kernel reports millidegrees; the +500 rounds to the nearest degree):

```sh
echo "$(((`cat /sys/class/thermal/thermal_zone0/temp` + 500) / 1000)) C"
```
You can check the fan status using the sensors tool:

```
$ sensors
…
pwmfan-isa-000c
Adapter: ISA adapter
fan1:        2480 RPM
pwm1:         38%   MANUAL CONTROL
```
Choosing an SD card
A fully operational system occupies over 4GB:

```
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        50G  4.1G   44G   9% /
```
This includes multiple services and data. The breakdown of occupied space is as follows:

```
$ du -h --max-depth=0 /var/www/wiki /var/db/repos /var/lib/mysql /usr /opt
440M    /var/www/wiki
675M    /var/db/repos
263M    /var/lib/mysql
2.1G    /usr
479M    /opt
```
Additionally, allow space for the distfiles, which can consume several gigabytes during a system rebuild. Some packages, such as gcc and boost, cannot be built in RAM, so it is a good idea to reserve an extra 8GB of space for them. For workflows with high memory demands, a swap partition can be used, which requires additional SD card space.
Given this, a 16GB SD card is the minimum sufficient for server use. However, most guides recommend 32GB or more.
To reduce wear on the SD card, keep temporary files in RAM:

```
$ cat /etc/fstab
...
tmpfs  /tmp      tmpfs  size=256M,mode=0777  0 0
tmpfs  /var/tmp  tmpfs  size=2G,mode=0777    0 0
```

Note that mode=0777 omits the sticky bit; tmpfs defaults to mode 1777, which stops users from deleting each other's files in a shared temporary directory.
While 2GB is generally enough for the build process of most packages, it will not suffice for larger packages such as gcc, boost, or rust-bin.
Network configuration
dhcpcd
DHCP is a good choice for a home server. Most home routers allow a persistent (reserved) IP address to be assigned to a host, which is necessary for port forwarding.
The Gentoo base image includes the `dhcpcd` client, which is sufficient.
A hostname makes the server easier to reach by name. However, the default dhcpcd configuration does not announce the machine's hostname; instead it asks the DHCP server to provide one. Edit /etc/dhcpcd.conf:
- Remove the line `option host_name`
- Add the line `hostname`
Security
Blocklists
Once a TLS certificate is issued, bots begin scanning the domain for sensitive information or vulnerable software. The domain name is most likely obtained from the certificate transparency logs.
Within two weeks of issuing 3 certificates, the server was blocking over 1000 SYN packets per hour from known malicious hosts. Depending on the SYN retries setting, that is at least 160 blocked TCP connection attempts. Each such connection can generate tens of HTTPS requests in a row. One particular host made over 2600 requests (~50 requests per minute) before it was blocked.
The bot activity includes:
- Scanning for git repository files and files containing passwords;
- Checking for WordPress and other well-known installations on the host;
- Using api.php, a known MediaWiki script, to attempt to trigger access to a specific URL. These requests aim either to mount a DDoS attack or to generate traffic.
Such bot activity is not only a security threat but also adds load and heat to the RPi board. To mitigate it, publicly available blocklists can be used.
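As an added example (my own code, not part of the original guide), the bot patterns just described can be turned into a simple log check: the script reads Apache/nginx combined-format access log lines and reports hosts probing for git, password and WordPress paths, hosts hitting api.php, and hosts exceeding a per-minute request rate. The sample log lines and the RATE_LIMIT threshold are constructed assumptions; flagged addresses are candidates for review, not automatic blocking.

```shell
#!/bin/sh
# Added example, not part of the original guide: flag hosts in a web-server
# access log that show the bot behaviour described above. Assumes the
# Apache/nginx "combined" log format; RATE_LIMIT is an assumed threshold.
RATE_LIMIT="${RATE_LIMIT:-30}"   # requests per host per minute treated as abusive
# flag_hosts: reads combined-format log lines on stdin and prints one line
# per finding: "<ip> probe <n>"  - requests for git/password/WordPress paths
#              "<ip> apiphp <n>" - requests to MediaWiki's api.php
#              "<ip> rate"       - more than RATE_LIMIT requests in one minute
flag_hosts() {
    awk -v limit="$RATE_LIMIT" '
    {
        ip = $1
        # $4 is "[10/Oct/2024:13:55:36"; keep the minute part as the bucket key
        minute = substr($4, 2, 17)
        path = $7
        if (path ~ /\/\.git\/|\/\.env|\/\.htpasswd|\/wp-login\.php|\/wp-admin|\/xmlrpc\.php/)
            probe[ip]++
        if (path ~ /\/api\.php/)
            api[ip]++
        count[ip, minute]++
    }
    END {
        for (k in count) {
            split(k, parts, SUBSEP)
            if (count[k] > limit) rate[parts[1]] = 1
        }
        for (ip in probe) print ip, "probe", probe[ip]
        for (ip in api)   print ip, "apiphp", api[ip]
        for (ip in rate)  print ip, "rate"
    }' | sort
}
# sample_log: constructed log lines (documentation addresses) for a dry run.
sample_log() {
    echo '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"'
    echo '203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"'
    echo '192.0.2.5 - - [10/Oct/2024:13:56:01 +0000] "GET /index.php/Main_Page HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
    i=0
    while [ "$i" -lt 35 ]; do
        echo '198.51.100.9 - - [10/Oct/2024:13:57:02 +0000] "GET /api.php?action=query HTTP/1.1" 200 512 "-" "python-requests/2.31"'
        i=$((i + 1))
    done
}
if [ "${1:-}" = "--demo" ]; then
    sample_log | flag_hosts
fi
```

Run the file with `--demo` to see the constructed sample, or pipe a real access log into flag_hosts.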
Example of a script to create and update an ipset:
```sh
#!/bin/sh
# Build an ipset from public blocklists and atomically swap it into place.
DATA_DIR='/var/lib/ipset'
IPSET_NAME='blocklist'
IPSET_OPTS='hash:ip hashsize 131072 maxelem 262144'
IPSET_FILE="${DATA_DIR}/${IPSET_NAME}.txt"
IPSET_TMP="${IPSET_NAME}-tmp"
URLS='
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/blocklist_net_ua.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/blocklist_de.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/cleantalk_30d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/myip.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/socks_proxy_1d.ipset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/refs/heads/master/sslproxies_1d.ipset
'

# Download every list into one file; abort on the first download failure.
# (wget -N does nothing together with -O -, so it is not used here.)
: > "${IPSET_FILE}"
for url in $URLS; do
    [ -n "$url" ] || continue
    wget -qO - "$url" >> "${IPSET_FILE}" || exit
done

# Keep only lines that start with a digit (drops '#' comment lines) and strip
# anything after the dotted quad. This hash:ip set holds single addresses, so
# a CIDR entry contributes only its first address.
networks="$(grep -E '^[0-9]' "${IPSET_FILE}" | sed -rne 's/(^([0-9]{1,3}\.){3}[0-9]{1,3}).*$/\1/p' | sort -u)"

# Fill a temporary set, then swap it with the live one so the firewall rule
# never matches against an empty or half-filled set.
ipset destroy -quiet "${IPSET_TMP}"
ipset create "${IPSET_TMP}" ${IPSET_OPTS} || exit
for i in $networks; do
    ipset add "${IPSET_TMP}" "$i" || exit
done
ipset create -exist -quiet "${IPSET_NAME}" ${IPSET_OPTS}
ipset swap "${IPSET_TMP}" "${IPSET_NAME}"
ipset destroy "${IPSET_TMP}"

# Persist the set so the ipset init script can restore it at boot.
/etc/init.d/ipset save
```
The iptables rule to drop SYN packets from the blocked source IP addresses:

```sh
iptables -I INPUT -p tcp --syn -m set --match-set blocklist src -j DROP
```

Save the rule and restore both the set and the rule at startup:

```
$ /etc/init.d/iptables save
$ rc-update add ipset boot
$ rc-update add iptables boot
```
AmazonBot
AmazonBot can generate over 1.5GB of traffic within a day on a mostly empty wiki. At least some of the IP addresses belong to Amazon, so the bots may be genuine. In theory, the following robots.txt should stop them from crawling:

```
User-agent: Amazonbot
Disallow: /
```
Services
TBD
Distributed compilation
TBD
Performance
TBD