
1. short help

https://wiki.gentoo.org/wiki/Gentoo_Cheat_Sheet emerge:

  • eclean-dist - clean DISTDIR (/var/cache/distfiles, formerly /usr/portage/distfiles); DISTDIR and PKGDIR are set in /etc/portage/make.conf
  • eclean-pkg - clean PKGDIR (/var/cache/binpkgs, formerly /usr/portage/packages)
  • light (standard) update:
    emerge --ask --update --changed-use --deep @world
    • emerge -1vUD @world
  • hard update:
    emerge --ask --update --newuse --deep --with-bdeps=y --verbose-conflicts --tree @world
  • install package with --ask --tree --verbose
  • search any package in names
  • info for any package
  • search all packages in category
  • emerge --ask --oneshot sys-apps/portage
  • find out reverse dependencies
  • emerge older version
  • USE="qt4 -gtk" emerge -1v app-misc/autokey
  • installed packages
  • resume from the package that was finished (after Ctrl+C)
  • skip the first package that caused the failure; --keep-going - ignore fails
  • emerge @preserved-rebuild - emerge does not update the depending libraries, but puts them into a set instead
  • last installed packages

equery, for installed packages:

equery h flag1 flag2
packages with specific USE flags
equery list '*'
all installed packages - check if a package is installed
equery f package
files of a package
equery b 'ifstat'
belongs - list packages that own FILE
equery g iwd-1.24
dependency graph for iwd (the "-1.24" version part is required)
equery d iwd-1.24
packages that depend on iwd
equery m firefox
available versions

for all:

equery meta package
info
equery u package
package USE flags

which package provides a file:

REQUIRED_USE conditions:

foo? ( bar )                 if foo is set, bar must be set
foo? ( !bar )                if foo is set, bar must not be set
foo? ( || ( bar baz aha ) )  if foo is set, at least one of bar, baz, aha must be set
^^ ( foo bar aha )           exactly one must be set
?? ( foo bar aha )           no more than one may be set
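
Added example (written for these notes, not part of the original page or of Portage): a small sh evaluator for the REQUIRED_USE forms above, run against a USE string of the kind found in make.conf. The rule set in check_example_rules and the function names req_implies, req_any_of, req_exactly_one, req_at_most_one are constructed for this example; each check prints the violated rule and returns 1, so a misconfigured USE set reports which constraint it breaks.

```shell
#!/bin/sh
# Added example: evaluate REQUIRED_USE style constraints against $USE.
# USE is a space-separated list of enabled flags, e.g. USE="foo bar qt5".

# Is flag $1 enabled in $USE?
use_enabled() {
    case " $USE " in *" $1 "*) return 0 ;; esac
    return 1
}

# How many of the given flags are enabled in $USE?
count_enabled() {
    n=0
    for f in "$@"; do
        if use_enabled "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# foo? ( bar )  - if $1 is set, $2 must be set
req_implies() {
    if use_enabled "$1" && ! use_enabled "$2"; then
        echo "violated: $1? ( $2 )"; return 1
    fi
}

# foo? ( !bar ) - if $1 is set, $2 must not be set
req_implies_not() {
    if use_enabled "$1" && use_enabled "$2"; then
        echo "violated: $1? ( !$2 )"; return 1
    fi
}

# || ( a b c )  - at least one must be set
req_any_of() {
    if [ "$(count_enabled "$@")" -lt 1 ]; then
        echo "violated: || ( $* )"; return 1
    fi
}

# ^^ ( a b c )  - exactly one must be set
req_exactly_one() {
    if [ "$(count_enabled "$@")" -ne 1 ]; then
        echo "violated: ^^ ( $* )"; return 1
    fi
}

# ?? ( a b c )  - no more than one may be set
req_at_most_one() {
    if [ "$(count_enabled "$@")" -gt 1 ]; then
        echo "violated: ?? ( $* )"; return 1
    fi
}

# Constructed rule set (not from a real ebuild), equivalent to:
#   foo? ( bar )  foo? ( || ( baz aha ) )  ^^ ( qt5 gtk )  ?? ( ssl gnutls )
check_example_rules() {
    req_implies foo bar &&
    { ! use_enabled foo || req_any_of baz aha; } &&
    req_exactly_one qt5 gtk &&
    req_at_most_one ssl gnutls
}

# Usage: USE="foo bar baz qt5" check_example_rules && echo "USE set is valid"
```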

CFLAGS per package:

2. emerge

2.1. output language

man -P 'less -p ^OUTPUT' emerge

  • N new
  • NS new slot (side-by-side versions)
  • R re-emerge
  • U upgrade
  • UD downgrade
  • # package.mask
  • * missing keyword
  • ~ unstable keyword

2.2. stupid language

  • D - deep
  • u - update
  • q - quiet
  • N - newuse
  • v - verbose
  • a - ask
  • 1 - oneshot - do not add to world
  • p - pretend
  • e - emptytree - reinstall the atom and its dependencies as though no packages are currently installed
  • s - search

3. package manager - Portage

TODO: https://wiki.gentoo.org/wiki/Handbook:AMD64/Portage/CustomTree variables:

  • emerge --info
  • /usr/share/portage/config/make.globals
  • activated repositories/overlays:
    • q -o
    • eselect repository list -i

3.1. terms

  • Portage - package manager and distribution system (emerge command)
    • packages or atoms
  • ebuild repository, colloquially known as an overlay - metadata files (ebuilds) for packages
    • main Gentoo ebuild repository.
    • overlays - any repository other than the main Gentoo ebuild repository; the name comes from being overlaid on the main (ebuild) repository: a package with the same name and version in the overlay takes precedence over the one in the main ebuild repository when the user installs the package via emerge.
    • local ebuild repository
  • primary repository - Gentoo ebuild repository - Gentoo repo, ::gentoo, gentoo.git - the Portage tree, rsync tree, or sometimes just "the tree"
    • contains ebuilds
  • ebuild file - bash like
    • standardized through the Package Manager Specification
    • define Ebuild Phase Functions - how to install
      • src_unpack, src_prepare, src_configure, src_compile
    • SRC_URI - tells Portage the address to use for downloading the source tarball
    • BDEPEND, DEPEND, and RDEPEND - dependencies
  • live ebuilds - use 9999 as the version (or as the last version component)
  • Gentoo rsync mirrors - mirrors distribute the Gentoo ebuild repository
  • Gentoo source mirrors - distribute the source archives for the software, stages and tree snapshots for installation
  • eclass is a collection of code which can be used by more than one ebuild
  • CBUILD - The system on which the build is performed.
  • CHOST - The system on which the package is going to be executed.
  • BDEPEND - dependencies, programs that need to be executed during the build
  • RDEPEND - dependencies, on built (target) system

3.2. system directories and files

directories

  • /usr/tmp/portage or /var/tmp/portage - extracted source files (PORTAGE_TMPDIR)
  • /var/db/pkg - config of installed packages

make.conf:

  • PORTDIR="/var/db/repos/gentoo" - snapshot of the Gentoo ebuild repository
    • /var/db/repos/gentoo/profiles/use.desc - a full description of the available USE flags
    • /var/db/repos/gentoo/metadata/timestamp.chk - last updated (synced)
  • DISTDIR="/var/cache/distfiles" - the default directory Portage uses to store source code tarballs.
  • PKGDIR="/var/cache/binpkgs"

default config in /usr/share/portage/config

  • repos.conf - may be overridden in /etc/portage/repos.conf/gentoo.conf
  • make.globals - main config file defaults

https://wiki.gentoo.org/wiki/Gentoo_specific_directories

3.3. solving conflicts

types:

  • slot conflict
  • dependency conflict (warning)

search installed packages and output formatted:

  • equery l kde-frameworks/* -F '$category/$name'

3.4. add localrep and own modified package

  • emerge --ask app-eselect/eselect-repository
  • eselect repository create <repository_name> # creates /var/db/repos/localrepo and /etc/portage/repos.conf/eselect-repo.conf
  • emerge --ask git -iconv -pcre -perl -webdav
  • /var/db/repos/localrepo/metadata/layout.conf:
    • auto-sync = false
  • install git and init a repository in /var/db/repos/localrepo
  • mkdir /var/db/repos/localrepo/<package-group>
  • cp /var/db/repos/gentoo/<package-group>/<package> /var/db/repos/localrepo/<package-group>/<package>
  • cp <package-group>/<package> <package-group>/<package>-r222 # version must be higher

3.5. add remote repository

root # eselect repository add guru git git://github.com/gentoo-mirror/guru.git
root # emaint sync -r guru

Sometimes it is convenient to temporarily configure the overlay as a local repository for testing; this avoids frequently pushing temporary work to the remote git repository.

/etc/portage/repos.conf/my-overlay.conf

[localrepo]
location = /home/my-name/my-overlay
priority = 100

3.6. overlays

3.6.1. install from overlay

  • emerge --ask app-eselect/eselect-repository
  • eselect repository enable N
  • emerge --sync
  • emerge ??

3.6.2. add non-official overlay

3.6.3. list

3.7. socks proxy

  • net-proxy/sshuttle - to create VPN connection over ssh

for portage: https://forums.gentoo.org/viewtopic-t-52442-start-0.html

  • net-proxy/tsocks
  • in /etc/make.conf
  • in /etc/socks/tsocks.conf:

# We can access 192.168.0.* directly
local = 192.168.0.0/255.255.255.0
# Otherwise we use the server
path {
    reaches = 0.0.0.0/0
    server = 192.168.0.1
    server_type = 5
    default_user = test
    default_pass = test
}

3.8. issue solving

  • emerge --info
  • eselect profile show

3.9. ebuilds - name-version.ebuild

bash scripts that are executed within a special environment.

3.9.1. steps

  1. /usr/bin/emerge -> /usr/lib/python-exec/python-exec2 -> /usr/lib/python-exec/python3.11/emerge
  2. /usr/lib/python3.11/site-packages/_emerge/main.py
  3. see 3.9.2: /usr/lib/python-exec/python3.11/ebuild
  4. all files from SRC_URI are downloaded to /var/cache/distfiles (skipped if already present)
    • SRC_URI tells Portage the address to use for downloading the source tarball.

3.9.2. ebuild command

low level interface to the Portage system

  • /usr/lib/python-exec/python3.11/ebuild
  • portage.doebuild(ebuild_path, action) /usr/lib/python3.11/site-packages/portage/package/ebuild/doebuild.py
    • _spawn_phase -> _doebuild_spawn
  • /usr/lib/portage/python3.11/ebuild.sh
  • /usr/lib/portage/python3.11/phase-functions.sh: __ebuild_main

3.9.3. package in the tree(ebuild repository)

  • Manifest - hashes
  • 20200316.ebuild
  • 99999999.ebuild
  • metadata.xml - additional data about a package or category. use flags, maintainers

3.9.4. Ebuild Phase Functions

  • Package from source: pkg_pretend, pkg_setup, src_unpack, src_prepare, src_configure, src_compile, src_test (optional, FEATURES="test"), src_install, pkg_preinst, pkg_postinst
  • Package from binary: pkg_pretend, pkg_setup, pkg_preinst, pkg_postinst

pkg_prerm and pkg_postrm functions are called when uninstalling a package

Between the transition from pkg_preinst to pkg_postinst, files are copied over to the live filesystem from the sandboxed temporary installation location, and Portage records digests of the files installed.

There are default phase functions, which can be called as "default" from a redefined function (e.g. pkg_nofetch, src_unpack):

  • default_pkg_nofetch
  • default_src_unpack
  • default_src_prepare
  • default_src_configure
  • default_src_compile
  • default_src_test
  • default_src_install

https://devmanual.gentoo.org/ebuild-writing/functions/index.html

3.9.5. Predefined Read-Only Variables

internal

PORTAGE_TMPDIR
from emerge --info: PORTAGE_TMPDIR="/var/tmp"
PORTAGE_BUILDDIR
internal directory with the extracted tar.gz, e.g. /var/tmp/portage/dev-python/flask-2.3.2

accessible

P
Package name and version (excluding revision, if any), for example vim-6.3.
PN
Package name, for example vim.
CATEGORY
Package's category, for example app-editors.
ROOT
The absolute path to the root directory into which the package is to be merged. Only allowed in pkg_* phases
DISTDIR
Contains the path to the directory where all the files fetched for the package (.tar.gz) are stored. Set in make.conf, e.g. DISTDIR="/var/cache/distfiles"
A
All the source files for the package (excluding those which are not available because of USE flags).
WORKDIR
Path to the ebuild's root build directory. For example: "${PORTAGE_BUILDDIR}/work".
T
Path to a temporary directory which may be used by the ebuild. For example: "${PORTAGE_BUILDDIR}/temp".
D
Path to the temporary install directory. For example: "${PORTAGE_BUILDDIR}/image".
HOME
Path to a temporary directory for use by any programs invoked by an ebuild that may read or modify the home directory. For example: "${PORTAGE_BUILDDIR}/homedir".

https://devmanual.gentoo.org/ebuild-writing/variables/index.html#predefined-read-only-variables

  1. example
     PN=slack
     PV=4.36.138
     echo https://downloads.slack-edge.com/releases/linux/${PV}/prod/x64/${PN}-desktop-${PV}-amd64.deb

3.9.6. Ebuild-defined Variables

SRC_URI
A list of source URIs for the package. Can contain USE-conditional parts, see SRC_URI. Where to fetch the tar.gz from.
KEYWORDS
suitability and stability of both the package and the ebuild on each given arch. see 2.1, -* - worth trying to test on unlisted arches.
IUSE
A list of all USE flags (excluding arch flags, but including USE_EXPAND flags) used within the ebuild.
SLOT
"0" when slotting is not needed; slots are used when a package requires multiple versions of the same app or lib installed in parallel. see https://devmanual.gentoo.org/general-concepts/slotting/index.html
REQUIRED_USE
A list of assertions that must be met by the configuration of USE flags to be valid for this ebuild.
RESTRICT
Valid values are fetch, mirror, strip, test and userpriv. see: man 5 ebuild
BDEPEND
A list of the package's CBUILD build dependencies. where we build
RDEPEND
A list of the package's runtime dependencies. target platform
S
Path to the temporary build directory, used by src_compile and src_install. Default: "${WORKDIR}/${P}"

3.9.7. fetch

Downloading a package's source happens before any of the phases.

If the user tries to install a fetch-restricted package, the package manager will not try to download it, but simply check whether the corresponding archive is present in /usr/portage/distfiles

If not, it will execute the pkg_nofetch ebuild function which should print a message describing the steps needed to acquire the archive.

3.9.8. testing

It is possible to test fetching and unpacking the upstream sources by the new ebuild, using the ebuild command:

  • GENTOO_MIRRORS="" ebuild ./scrub-2.6.1.ebuild manifest clean unpack

creating a throwaway environment:

  • btrfs subvolume snapshot / /mnt/test

execute a single ebuild step, e.g. pkg_setup():

ebuild /var/db/repos/gentoo/app-containers/lxc/lxc-4.0.6.ebuild setup

3.10. eclass

3.10.1. theory

collection of code which can be used by more than one ebuild.

add <repo>/eclass/autotools.eclass in ebuild:

inherit autotools

for:

  • used by many ebuilds (for example, autotools, bash-completion-r1, flag-o-matic, toolchain-funcs)
  • provide a basic build system for many similar packages (for example, perl-module, vim-plugin)
  • handle one or a small number of packages with complex build systems (for example, kernel-2, toolchain)

consists of:

  • variables - affect the default behavior of the eclass.
  • functions
  • function variables
  • phase functions or export functions - default implementations for any of the ebuild phase functions; an ebuild can override the eclass-defined defaults
    • simple function definition (not multiple-eclass friendly)
    • EXPORT_FUNCTIONS - the implementations have their name prefixed ("namespaced") with ${ECLASS}_: 1) define ${ECLASS}_src_compile 2) EXPORT_FUNCTIONS src_compile
      • If multiple eclasses export the same function, the latest (inherited last) defined version wins.
  • inherit guard:
    if [[ -z ${_FOO_ECLASS} ]]; then _FOO_ECLASS=1 ... fi
  • handling incorrect usage of an eclass: case ${EAPI} in …
  • inherit other eclasses

The recommendation is now that eclasses should not inherit other eclasses after calling EXPORT_FUNCTIONS.
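
Added example (written for these notes; this is a model, not Gentoo's ebuild.sh, which implements the real mechanism): a plain sh illustration of the two eclass rules above, namespaced phase functions exported through EXPORT_FUNCTIONS with "last inherited wins", and an inherit guard that keeps an eclass body from running twice. The eclass names foo/bar and the functions inherit_foo, inherit_bar, which_src_compile_wins and foo_body_runs are constructed for the example; the guard uses [ ] instead of the page's [[ ]] so it runs under plain sh.

```shell
#!/bin/sh
# Added example: model of EXPORT_FUNCTIONS namespacing and inherit guards.
# Not Gentoo's ebuild.sh; only an illustration of the rules in the notes.

FOO_INHERIT_COUNT=0   # how often foo's eclass body actually ran

# Model of EXPORT_FUNCTIONS: for each phase name given, (re)define a wrapper
# named <phase> that calls ${ECLASS}_<phase>. A later call for the same phase
# replaces the wrapper, which is why the eclass inherited last wins.
EXPORT_FUNCTIONS() {
    for phase in "$@"; do
        eval "${phase}() { ${ECLASS}_${phase} \"\$@\"; }"
    done
}

# Eclass "foo": inherit guard, a namespaced phase function, and the export.
inherit_foo() {
    if [ -z "${_FOO_ECLASS}" ]; then
        _FOO_ECLASS=1
        FOO_INHERIT_COUNT=$((FOO_INHERIT_COUNT + 1))
        ECLASS=foo
        foo_src_compile() { echo "foo compiling"; }
        EXPORT_FUNCTIONS src_compile
    fi
}

# Eclass "bar" exports the same phase.
inherit_bar() {
    if [ -z "${_BAR_ECLASS}" ]; then
        _BAR_ECLASS=1
        ECLASS=bar
        bar_src_compile() { echo "bar compiling"; }
        EXPORT_FUNCTIONS src_compile
    fi
}

# An ebuild doing "inherit foo bar": prints which implementation the
# exported src_compile resolves to (the last inherited eclass).
which_src_compile_wins() {
    inherit_foo
    inherit_bar
    src_compile
}

# Inheriting foo three times: the guard makes the body run only once.
foo_body_runs() {
    inherit_foo
    inherit_foo
    inherit_foo
    echo "$FOO_INHERIT_COUNT"
}
```

Run `which_src_compile_wins` to see "bar compiling": the wrapper defined by bar's EXPORT_FUNCTIONS call replaced foo's, exactly the ordering problem the recommendation about not inheriting after EXPORT_FUNCTIONS is meant to avoid.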

3.10.2. python building

  1. eclasses

    pypi.eclass - A helper eclass to generate PyPI source URIs

    distutils-r1.eclass

    • redefine phases src_prepare src_configure src_compile src_test src_install
    • variables:
      • DISTUTILS_USE_PEP517 - in PEP 517 mode the complete build and install is done in python_compile(); python_install() just merges the temporary install tree into the real filesystem. May be: setuptools, hatchling, jupyter, poetry
    • inherit multibuild multilib multiprocessing ninja-utils toolchain-funcs
      • and python-r1 or python-single-r1

    multibuild.eclass - building multiple variants of packages (e.g. multilib, Python implementations).

    python-r1.eclass - A common, simple eclass for Python packages.

    • inherit multibuild python-utils-r1
    • variables:
      • PYTHON_COMPAT - list of Python implementations the package supports. ex: ( python2_7 python3_{3,4} )
      • BUILD_DIR - The current build directory. if unset, it defaults to ${S}. locally set to an implementation-specific build directory
  2. steps
    1. Compiling: gpep517 build-wheel --backend setuptools.build_meta --output-fd 3 --wheel-dir /var/tmp/portage/dev-python/flask-2.3.2/work/Flask-2.3.2-python3_11/wheel
    2. Installing to the temporary install directory: gpep517 install-wheel --destdir=/var/tmp/portage/dev-python/flask-2.3.2/work/Flask-2.3.2-python3_11/install --interpreter=/usr/bin/python3.11 --prefix=/usr --optimize=all /var/tmp/portage/dev-python/flask-2.3.2/work/Flask-2.3.2-python3_11/wheel/Flask-2.3.2-py3-none-any.whl
    3. the install directory has a venv structure
    4. installing - copying the temporary install directory to /
  3. links

3.11. disable unused ebuilds

/etc/portage/package.mask:

*/*::gentoo

/etc/portage/package.unmask

emerge -pve --color n world > /tmp/tmpe
cat /tmp/tmpe | sed 's/.* ] \([^ ]*\).*/\1/' | grep :: | grep -o '^\w*\-\?\w*/' | sort -u | sed 's#$#*::gentoo#' > /etc/portage/package.unmask
  • profiles, scripts, eclass

get repository name:

  • emerge --info

3.12. mirrors

3.13. update security critical packages

check if the system is up to date security-wise:

  • glsa-check --list
  • glsa-check -t all

packages that will be updated:

  • glsa-check -p $(glsa-check -t all)

update the required packages:

  • glsa-check -f $(glsa-check -t all)

3.14. (old) Portage security

4. install handbook

  • mkfs.ext4 -T small /dev/sda2
  • parted /dev/sda: set 1 bios_grub on # very important for GPT table
  • gpg --verify stage3-amd64-<release>-<init>.tar.?(bz2|xz){.DIGESTS.asc,}
  • tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
  • set time:
    • date +%Y%m%d -s "20220429"
    • date -s "19:35"
    • hwclock --systohc
  • mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf # requires correct date
  • chroot!
  • mkdir --parents /etc/portage/repos.conf
  • cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
  • nano /etc/resolv.conf: nameserver 8.8.8.8
  • for CPU_FLAGS_X86: emerge --ask app-portage/cpuid2cpuflags
    • variant: echo "*/* $(cpuid2cpuflags)" >> /etc/portage/package.use/00cpuflags
  • to replace -march=native: gcc -v -E -x c /dev/null -o /dev/null -march=native 2>&1 | grep /cc1 | grep mtune
  • /etc/portage/make.conf:
    • USE="caps X alsa ipv6 jpeg png ogg upower verify-sig -fonts -themes -nls -su -pam -qt5 -cups -fortran udev -elogind -udisks" # udev
    • CPU_FLAGS_X86="avx f16c mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"
    • COMMON_FLAGS="-march=native -O2 -pipe"
    • MAKEOPTS="-j2"
    • L10N="en"
  • emerge --sync --quiet
  • build and install gentoo ???????????
  • emerge --ask sys-boot/grub sys-kernel/gentoo-sources
  • install kernel and grub
  • install dhcp client (see 11)
  • Xorg/X11 configuration (see 5)
  • logging daemon
    • emerge --ask app-admin/sysklogd or app-admin/syslog-ng
    • rc-update add sysklogd default
    • chmod 700 /var/log
  • passwd larry
  • user autologin:
    • /etc/inittab: c2:2345:respawn:/sbin/agetty -a larry 38400 tty2 linux
  • timezone:
    • ls /usr/share/zoneinfo
    • echo "UTC" > /etc/timezone
  • locale
    • cat /usr/share/i18n/SUPPORTED
    • nano -w /etc/locale.gen
    • locale-gen
    • eselect locale list
  • emerge --ask app-portage/gentoolkit # equery

4.1. firmware

4.2. chroot

  • mount --types proc /proc /mnt/gentoo/proc
  • mount --rbind /sys /mnt/gentoo/sys
  • mount --make-rslave /mnt/gentoo/sys
  • mount --rbind /dev /mnt/gentoo/dev
  • mount --make-rslave /mnt/gentoo/dev
  • mount --bind /run /mnt/gentoo/run
  • mount --make-slave /mnt/gentoo/run
  • chroot /mnt/gentoo /bin/bash
  • source /etc/profile
  • export PS1="(chroot) ${PS1}"

5. install xfce4

  1. emerge --ask app-misc/tmux && tmux
  2. /etc/portage/make.conf:
    • INPUT_DEVICES="evdev synaptics"
    • VIDEO_CARDS="intel i915" or "amdgpu radeon"
    • USE="X jpeg png ogg upower -qt5 -pam -su -elogind"
      • -qt5 - because of app-text/poppler
  3. emerge --pretend --verbose x11-base/xorg-server
  4. USE=-server emerge --ask x11-base/xorgcp ????????
  5. env-update
  6. source /etc/profile
  7. echo "xfce-base/xfce4-panel -dbusmenu" >> /etc/portage/package.use/xfce4-panel
  8. emerge --ask --oneshot xfce-extra/xfce4-notifyd
  9. emerge --ask xfce-base/xfce4-meta
  10. emerge --ask xfce4-xkb-plugin # keyboard layouts
  11. cp -r /usr/share/X11/xorg.conf.d /etc/X11/xorg.conf.d # copy configuration files of xorg-drivers
  12. rc-service dbus start && rc-update add dbus default # required for battery power management
  13. useradd -m -G users,wheel,input,audio,video,cdrom,games,usb -s /bin/bash larry
  14. or: usermod -a -G input,video larry # user should be in the input and video groups
  15. $ startxfce4 -- vt1 # 1 - number of the current tty
  16. security:
    • $ startx -- -nolisten tcp
    • or:
      • /usr/bin/startx: defaultserverargs="-nolisten tcp"
      • /etc/portage/make.conf:
        • CONFIG_PROTECT="/usr/bin/startx" # protect startx so it does not get overwritten when emerging a new version of Xorg
  17. keyboard repeat delay: 200, speed: 35
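
Added check for item 16 (example written for these notes, not from the page): a sh function that scans `ss -ltn` output for an X server still accepting TCP connections, which is what -nolisten tcp is meant to prevent. X listens on port 6000 + display number, so any LISTEN socket in 6000-6063 is flagged. The SAMPLE_OPEN and SAMPLE_CLOSED ss outputs are constructed so the parser can be exercised offline; the function names x11_tcp_listeners and x11_tcp_is_closed are the example's own.

```shell
#!/bin/sh
# Added example: detect an X server listening on TCP from `ss -ltn` output.

# Print the local port of every LISTEN line on stdin (ss -ltn layout:
# State Recv-Q Send-Q Local:Port Peer:Port) whose port is in 6000-6063.
x11_tcp_listeners() {
    awk '
        $1 == "LISTEN" {
            # take whatever follows the last ":" of the local address, which
            # also handles IPv6 forms such as [::]:6000
            n = split($4, parts, ":")
            port = parts[n] + 0
            if (port >= 6000 && port <= 6063) print port
        }'
}

# Returns 0 when no X11 TCP listener is present in the input, 1 otherwise.
x11_tcp_is_closed() {
    [ -z "$(x11_tcp_listeners)" ]
}

# Constructed sample of `ss -ltn` output: X on display :0 reachable over TCP
# (the case -nolisten tcp removes), beside an unrelated sshd listener.
SAMPLE_OPEN='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:6000              *:*
LISTEN  0       128     [::]:6000           [::]:*'

# Constructed sample with X started via "startx -- -nolisten tcp".
SAMPLE_CLOSED='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*'

# Live usage: ss -ltn | x11_tcp_is_closed && echo "X is not reachable over TCP"
```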

Testing and troubleshooting

  • emerge --ask x11-wm/twm x11-terms/xterm
  • X -config /home/u/xorg.conf
  • $ X -configure # generate xorg.conf (for testing)
  • evtest # test evdev, app-misc/evtest
  • $ less .local/share/xorg/Xorg.0.log # holy grail of troubleshooting

6. Gentoo full install - disk encryption USB - Dracut

steps

  • we need an offset for the MBR with grub, and a boot partition. This partition will contain the GRUB files, the plain (unencrypted) kernel and the kernel initrd (dracut initramfs):
  • Partitioning GPT table (offset is a separate partition of size 1M):
    • parted /dev/sda
      • mkpart primary fat32 3 515
      • name 2 boot
      • set 2 BOOT on
      • mkpart primary 515 -1
      • name 3 lvm
      • set 3 lvm on
      • set 1 bios_grub on # offset for MBR in GPT table
  • Partitioning MSDOS table (offset is an empty space of size 1-10M):
    • fdisk /dev/sda
      • o
      • n, p, 1, 20488 (10M offset, not sure how much is required for grub), +300M, w - boot
      • n, p, 2, 20488, Enter, +10G, w - swap
      • n, p, 3, 20488, Enter, Enter - luks partition
  • Formatting:
    • mkfs.vfat -F32 /dev/sdX2
    • modprobe dm-crypt
    • gpg variant
      • export GPG_TTY=$(tty)
      • dd if=/dev/urandom bs=8388607 count=1 | gpg --symmetric --cipher-algo AES256 --output /mnt/key/rootkey.gpg
      • gpg --quiet --decrypt /mnt/key/rootkey.gpg | cryptsetup --type luks2 --batch-mode --key-file - luksFormat /dev/sdX3
      • gpg --quiet --decrypt /mnt/key/rootkey.gpg | cryptsetup --type luks2 --batch-mode --key-file - luksOpen /dev/sdX3 lvm
    • cryptsetup variant (not tested):
      • cryptsetup luksFormat /dev/sdZn
      • cryptsetup luksOpen /dev/sdZn lvm
    • cryptsetup luksDump /dev/sdX3 # check
  • Create LVM inside the encrypted block - for SSD TRIM special options are required
    • vgcreate vg0 /dev/mapper/lvm # Create volume group vg0
    • lvcreate -L 60G -n root vg0 # Create logical volume for the root filesystem
    • lvcreate -L 40G -n var vg0 # Create logical volume for the /var filesystem
    • lvcreate -L 7G -n swap vg0 # Create logical volume for swap
    • lvcreate -l 100%FREE -n home vg0 # Create logical volume for the /home filesystem
    • cryptsetup luksHeaderBackup /dev/sdXn --header-backup-file /tmp/efiboot/luks-header.img # backup
  • format
    • mkswap -L "swap" -n 32k /dev/mapper/vg0-swap
    • mkfs.btrfs -L "root" -n 32k /dev/mapper/vg0-root
    • mkfs.btrfs -L "var" -n 32k /dev/mapper/vg0-var
    • mkfs.btrfs -L "home" -n 32k /dev/mapper/vg0-home
  • mount
    • mount -o ssd,compress=lzo,discard=async /dev/vg0/root /mnt/gentoo
    • mkdir /mnt/gentoo/var
    • mount -o ssd,compress=lzo,discard=async /dev/vg0/var /mnt/gentoo/var
  • tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner # v - verbose
  • mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
  • mkdir --parents /mnt/gentoo/etc/portage/repos.conf
  • cp /mnt/gentoo/usr/share/portage/config/repos.conf /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
  • cp --dereference /etc/resolv.conf /mnt/gentoo/etc
  • nano -w /mnt/gentoo/etc/portage/make.conf
    • COMMON_FLAGS="-march=native -O2 -pipe"
    • MAKEOPTS="-j4"
  • chroot! (don't forget env-update && . /etc/profile)
  • emerge-webrsync
  • emerge --sync --quiet
  • gcc -v -E -x c /dev/null -o /dev/null -march=native 2>&1 | grep /cc1 | grep mtune
  • replace -march=native
  • emerge --ask app-portage/cpuid2cpuflags
  • $ cpuid2cpuflags >> /etc/portage/make.conf
  • emerge --ask emacs sys-kernel/dracut sys-kernel/gentoo-sources sys-boot/grub sys-fs/lvm2 sys-fs/cryptsetup app-crypt/gnupg sys-fs/btrfs-progs
  • USE="-gtk -pango -libkms" emerge --ask sys-boot/plymouth
  • rc-update add lvm boot
  • fstab
  • sfdisk -d /dev/sda > /mnt/img/sda.partition.table.txt # backup partition table
  • findmnt --verify --verbose # verify fstab
  • set time:
    • date +%Y%m%d -s "20220429"
    • date -s "19:35"
    • hwclock --systohc
  • configure and build the kernel
  • /etc/dracut.conf
    • # Equivalent to -a "module"
    • # located in /usr/lib/dracut/modules.d
    • add_dracutmodules+=" lvm btrfs crypt crypt-gpg dm "
    • filesystems+=" btrfs "
    • kernel_cmdline="rd.luks.key=/luks-key.gpg:UUID=xxxxxx-xxx-xx-xx rd.luks.uuid=luks-xxxxxx-xxx-xx-xx rd.luks rd.lvm rd.lvm.vg=vg0 rd.lvm.lv=vg0/root root=/dev/mapper/vg0-root rootfstype=btrfs rootflags=rw,noatime,nodiratime,compress=lzo,ssd,space_cache=v2,subvolid=5,subvol=/" # should work
    • full: kernel_cmdline="
    • early_microcode="no"
    • show_modules="yes"
    • rd.lvm.vg="vg0"
  • dracut --kver 6.1.57-gentoo --force --hostonly --fstab 2>drac_log.txt # generates /boot/initramfs-6.1.57-gentoo.img
  • grub-mkconfig -o /boot/grub/grub.cfg
  • grub-install
  • /etc/dracut.conf: kernel_cmdline should be copied to /etc/default/grub: GRUB_CMDLINE_LINUX
  • passwd # set root password
  • useradd -m -G users,wheel,audio,video,cdrom,games,usb -s /bin/bash larry
  • network configuration (see 11)
  • Xorg/X11 configuration (see 5)
  • logging daemon
    • emerge --ask app-admin/sysklogd
    • rc-update add sysklogd default
    • chmod 700 /var/log
  • passwd larry
  • user autologin:
    • /etc/inittab: c2:2345:respawn:/sbin/agetty -a larry 38400 tty2 linux
  • timezone:
    • ls /usr/share/zoneinfo
    • echo "UTC" > /etc/timezone
  • locale
    • cat /usr/share/i18n/SUPPORTED
    • nano -w /etc/locale.gen
    • locale-gen
    • eselect locale list

change password:

  • gpg -d /mnt/key/rootkey.gpg > /mnt/key/rootkey
  • cat /mnt/key/rootkey | gpg --cipher-algo aes256 --armor -c > /mnt/key/rootkey_sc.gpg

btrfs:

  • btrfs filesystem defragment -r -v -clzo / # force mounted to compress
  • mount -o compress=lzo,discard=async dev mnt

6.2. dracut.conf

udevdir=/lib/udev
ro_mnt=yes
omit_drivers+=" i2o_scsi "
omit_dracutmodules+=" systemd systemd-initrd dracut-systemd "

6.3. errors

crypt error allocating crypto tfm

  • device-mapper: table : crypt error allocating crypto tfm
  • device-mapper: ioctl: error adding target to table
  • device-mapper: reload ioctl on failed: no such file or directory
  • no cryptographic support in Cryptographic API —>

grub install: WARNING: Failed to connect to lvmetad. Falling back to device scanning. ; Cannot process volume group luks

  • in /etc/lvm/lvm.conf set: use_lvmetad = 0
  • USE=device-mapper emerge --ask grub

6.4. change password luks.gpg

  • export GPG_TTY=$(tty)
  • gpg --quiet --decrypt /mnt/key/rootkey.gpg > file
  • cat file | gpg --symmetric --cipher-algo AES256 --output /mnt/key/luks-key_new.gpg

6.5. description (translated from Russian)

If you are interested, this is how I take care of my own security. I understand that you work on more serious tasks.

  • I reflash the chip with the UEFI BIOS to "coreboot", which is reverse engineering done by volunteers.
  • I install Gentoo, where binary packages are used only at the first step; afterwards they are rebuilt from source code.
  • I compile the Linux kernel with modules disabled and with settings such as: buffer overflow protection, structure randomization, stack clearing, structure debugging. I selectively insert binary blobs into the kernel when there is no alternative.
  • Full disk encryption with the LUKS (Linux Unified Key Setup) partition structure, where an encryption key file of a few megabytes is taken, encrypted with symmetric encryption (AES256) under an ordinary password, and placed on a flash card. During boot, the initramfs asks for the password, the file is taken from the flash drive, decrypted with the password and used as the key for LUKS (aes-xts-plain64, 256 bits). The /boot partition lives on the flash drive without encryption.
  • /etc/fstab: proc /proc proc hidepid=2,nosuid,noexec,gid=wheel; /home on a separate partition with noexec,nosuid,nodev
  • A simple firewall with iptables or nftables. Logcheck as log analyzer. Backup with rsync.
  • I do not use SELinux, since I do not seem to run anything as root; instead I install the POSIX Capabilities library, which is supported by many packages.
  • I log in as root and as a user from different consoles; for each application I create a separate user, and I use sudo only to launch such applications.
  • I isolate applications with a carefully configured Firejail, to rule out collection of information about the system and keyloggers. Hardware virtualization is too complicated to configure; even paravirtualization demands too much.

7. create USB stick

  1. check gpg
  2. or check hash
  3. USB: dd if=/path/to/image.iso of=/dev/sdc bs=8192k
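
Added example (written for these notes, not from the page or the Gentoo handbook) covering the "check gpg / check hash" steps here and the gpg --verify line in section 4: the signature only proves the .DIGESTS file is authentic, so the tarball itself is trusted only once its SHA512 matches the listed entry. The script expects the Gentoo .DIGESTS layout ("# BLAKE2B HASH" / "# SHA512 HASH" headers, each followed by "<digest>  <file>"; a headerless sha512sum-style file also works) and assumes the Gentoo release key is already imported for verify_stage3. The function names expected_sha512, check_sha512 and verify_stage3 are the example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded stage3 tarball against its .DIGESTS file.

# Print the SHA512 listed for file name $2 in digests file $1. BLAKE2B and
# SHA512 digests are both 128 hex characters, so the "# ... HASH" headers
# decide which section an entry belongs to. Works on the clearsigned
# .DIGESTS.asc as well, since the entry lines are unchanged there.
expected_sha512() {
    awk -v f="$2" '
        BEGIN { insha = 1 }                          # headerless file: all SHA512
        /^# .* HASH/ { insha = ($0 ~ /SHA512/); next }
        insha && $2 == f && $1 ~ /^[0-9a-f]+$/ && length($1) == 128 { print $1; exit }
    ' "$1"
}

# Compare the real SHA512 of tarball $1 with the entry in digests file $2.
# Returns 0 on match, 1 on mismatch, 2 when the file is not listed at all
# (also a failure: an unlisted file has no verified hash).
check_sha512() {
    name=$(basename "$1")
    expected=$(expected_sha512 "$2" "$name")
    if [ -z "$expected" ]; then
        echo "no SHA512 entry for $name in $2" >&2
        return 2
    fi
    actual=$(sha512sum "$1" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "SHA512 MISMATCH for $name" >&2
        return 1
    fi
    echo "SHA512 OK: $name"
}

# Full check in the order the notes imply: OpenPGP signature over the digests
# file first (needs the Gentoo release key imported), then the hash.
verify_stage3() {
    gpg --verify "$2" || return 1
    check_sha512 "$1" "$2"
}

# Usage on a real download (placeholders, not a real release name):
#   verify_stage3 stage3-amd64-<release>.tar.xz stage3-amd64-<release>.tar.xz.DIGESTS.asc
```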

8. python

PYTHON_SINGLE_TARGET PYTHON_TARGETS

app-editors/vim PYTHON_TARGETS: -* python2_7 PYTHON_SINGLE_TARGET: -* python2_7

$profile-config list - current stable

9. no root Xorg

package.use/xorg: x11-base/xorg-server -suid

startx -- vt2

~/.xinitrc: exec startxfce4

10. add user

useradd -m -G video,audio,wheel -s /bin/bash larry
usermod -a -G video larry
gpasswd -d larry video

11. network configuration

netifrc is Gentoo's default framework for configuring and managing network interfaces

  1. emerge --ask net-misc/dhcpcd
  2. dhcpcd eth0
  3. echo 'config_eth0="dhcp"' > /etc/conf.d/net
  4. ln -s /etc/init.d/net.lo /etc/init.d/net.eth0
  5. rc-service net.eth0 start
  6. rc-update add dhcpcd default
  7. iptables or nftables

wifi:

  • emerge --ask net-wireless/iw net-wireless/wpa_supplicant

11.1. /etc/wpa_supplicant/wpa_supplicant.conf

#ctrl_interface=/var/run/wpa_supplicant
eapol_version=2
country=RU

# random
# auto_uuid=1
mac_addr=1
preassoc_mac_addr=1

bss_expiration_age=1980
bss_expiration_scan_count=5

passive_scan=1

network={
        ssid="TP-Link_ACC3"
        psk="60s%.!_Col"
}

11.2. router

  • emerge --ask net-dns/dnsmasq
  • /etc/sysctl.conf:
    • net.ipv4.ip_forward = 1
    • net.ipv4.conf.default.rp_filter = 1
  • sysctl -p /etc/sysctl.conf
  • /etc/dnsmasq.conf:
    • dhcp-range=eth0,192.168.0.100,192.168.0.250,72h
    • interface=eth0
  • in /etc/init.d: ln -s net.lo net.eth0
  • rc-service net.eth0 restart
  • client:
    • in /etc/init.d: ln -s net.lo net.eth0
    • /etc/conf.d/net:
      • config_eth0="192.168.0.2/24"
      • routes_eth0="default via 192.168.0.1" # or: ip route add default via 192.168.0.1 dev eth0
    • rc-service net.eth0 restart
    • /etc/resolv.conf: nameserver 192.168.0.1

12. audio

  • add user to the audio group!
  • euse -E alsa # add alsa to USE in /etc/portage/make.conf
  • emerge --ask --changed-use --deep @world
  • emerge --ask media-sound/alsa-utils
  • alsamixer # unmute Master
  • speaker-test -c2 -t wav
  • aplay -l # List all soundcards and digital audio devices
  • aplay -L # List all PCMs defined
  • arecord -L # List all PCMs defined
  • alsactl dump-cfg # show current full config

microphone

  • SND_USB_AUDIO - kernel
  • alsamixer => internal
  • arecord -l # list capture hardware
  • arecord -f S16_LE -d 3 -r 44100 --device="hw:0,0" -c 2 /tmp/test.wav
  • arecord -f S16_LE -d 3 -f dat -V stereo -r 44100 --device="hw:0,0" -c 2 /tmp/test.wav
  • aplay /tmp/test.wav

volume control:

  • amixer set Master 5%+
  • amixer set Master 5%-

12.1. alsa ~/.asoundrc

main config in /etc/asound.conf

12.2. simplest config output hw:0,0

12.3. hdmi output

# defaults.pcm.!card 0
# defaults.pcm.!device 3

# pcm.!spdif {
#          type hw
#          card 0
#          device 3
# }

# pcm.!default {
#            type plug
#            slave {
#                  pcm "spdif"
#            }
# }

12.4. troubleshooting

Automatic encoder selection failed for output stream #1:2. Default encoder for format xv (codec none) is probably disabled

13. fonts

eselect fontconfig list

System:

  • emerge --ask media-fonts/dejavu

Chinese:

  • emerge --ask media-fonts/font-isas-misc

14. linux firmware

  • package distributed alongside the Linux kernel
  • contains firmware binary blobs

.bin files should be placed in /lib/firmware

15. OpenRC

make two instances

  • ln -s sshd /etc/init.d/sshd.eth0
  • cp /etc/conf.d/sshd /etc/conf.d/sshd.eth0

16. udev brightness

/etc/udev/rules.d/91-backlight.rules:

  • ACTION=="add", SUBSYSTEM=="backlight", RUN+="/bin/sh -c 'echo 150 > /sys/class/backlight/radeon_bl0/brightness'"

17. device manager udev/eudev/hal

  • hal - old device manager
  • udev - systemd's device manager

18. parallel emerge

  • MAKEOPTS="-jN" - parallel makes
  • EMERGE_DEFAULT_OPTS="--jobs 3 --load-average 2.9" - parallel emerges
  • N*K = max cpu
  • MAKEOPTS="-j${core} +1" is NOT the best optimization

19. raspberry pi

  • arm64
  • Clear the root password: sed -i 's/^root:.*/root::::::::/' /mnt/gentoo/etc/shadow (this leaves root with an empty password field, i.e. a login that asks for no password; set one with passwd on the first boot, before the board is put on a network)
  • /etc/fstab
  • CPU flags: emerge --ask app-portage/cpuid2cpuflags, then run cpuid2cpuflags (prints CPU_FLAGS_ARM on arm64, CPU_FLAGS_X86 on x86)
  • to replace -march=native with explicit flags: gcc -v -E -x c /dev/null -o /dev/null -march=native 2>&1 | grep /cc1 | grep march
  • /etc/portage/make.conf
  • mkdir --parents /etc/portage/repos.conf
  • cp /usr/share/portage/config/repos.conf /etc/portage/repos.conf/gentoo.conf
  • date +%Y%m%d -s "20220429"
  • date -s "19:35"
  • rc-update add swclock # the Pi has no RTC; swclock restores the time saved at shutdown so the clock does not start at the epoch
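The safer counterpart to the "clear root password" step, as an added example that is not part of the original notes: audit the image's shadow file for accounts with an empty password field before first boot, and either install a hash or lock the account instead of leaving it open. The shadow lines and the $6$ hash below are constructed placeholders; generate a real hash with openssl passwd -6.

```sh
#!/bin/sh
# Added example: find and fix passwordless accounts in a shadow file.
# Works on a copy (e.g. /mnt/gentoo/etc/shadow) with plain awk, no chroot needed.

# empty_password_accounts FILE -> names of accounts whose password field is empty
# (an empty field means login without any password, which sshd refuses by
#  default via PermitEmptyPasswords no, but a serial console or getty does not)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# set_password_hash FILE USER HASH -> replace the password field of USER
set_password_hash() {
    awk -F: -v OFS=: -v u="$2" -v h="$3" '$1 == u { $2 = h } { print }' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# lock_account FILE USER -> "!" as the whole field: no password can ever match
lock_account() {
    set_password_hash "$1" "$2" '!'
}

# write_sample_shadow FILE -> constructed sample with two passwordless accounts
write_sample_shadow() {
    cat > "$1" <<'EOF'
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
user::19000:0:99999:7:::
EOF
}

# Typical use on the freshly written image (the hash is a placeholder here):
#   empty_password_accounts /mnt/gentoo/etc/shadow
#   set_password_hash /mnt/gentoo/etc/shadow root "$(openssl passwd -6)"
```

Run the audit again after fixing; an empty result is the state the image should be in before it boots with a network cable attached.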

19.1. kernel:

  • emerge --ask sys-devel/bc sys-devel/bison sys-devel/flex
  • Platform selection - Broadcom BCM2835 family
  • boot firmware: emerge --ask sys-boot/raspberrypi-firmware; kernel source: git clone --depth 1 https://github.com/raspberrypi/linux.git (use https rather than git://, which is unauthenticated and trivially tampered with in transit, and check out a tag or commit you have verified)
  • make bcmrpi3_defconfig # Pi 3
  • make bcm2711_defconfig # Pi 4
  • CPU Power Management -> CPU Frequency scaling -> Default CPUFreq governor = performance
  • make -j4 zImage modules dtbs # 32-bit build
  • make -j4 Image modules dtbs # arm64 build
  • sudo make modules_install
  • sudo cp arch/arm64/boot/dts/broadcom/*.dtb /boot
  • sudo cp arch/arm64/boot/dts/overlays/*.dtb* /boot/overlays
  • sudo cp arch/arm64/boot/dts/overlays/README /boot/overlays
  • sudo cp arch/arm64/boot/Image /boot/kernel8.img

Kernel options to enable:

  • Network support -> Networking options -> The IPv6 protocol
  • Network support -> RF switch subsystem support
  • Device drivers -> Network -> Broadcom FullMac WLAN driver

19.2. firmware

  • emerge sys-kernel/linux-firmware --autounmask=y

https://github.com/raspberrypi/firmware/tree/master/boot

20. soft

20.1. games

20.1.1. dri

  • emerge --ask x11-apps/mesa-progs
  • emerge --ask dev-util/strace
  • strace glxinfo # see which DRI driver and libraries glxinfo tries to open

20.1.2. openmw

  • emerge app-arch/innoextract

20.1.3. fps

games-fps/doomsday - modern engine for Doom, Heretic, and Hexen

20.1.4. mednafen

https://mednafen.github.io/documentation/ - no sound:

  • mednafen -sounddevice sexyal-literal-default

scaler

  • mednafen -md.special hq2x/nn2x/super2xsai/2xsai/nny2x

destination resolution

  • mednafen -md.stretch full/aspect

20.1.5. gemrb

Versions after 0.9.1 require Python 3.3 or newer.

  1. TODO ebuild
    # Copyright 1999-2024 Gentoo Authors
    # Distributed under the terms of the GNU General Public License v2
    
    EAPI=8
    
    PYTHON_COMPAT=( python3_{10..12} )
    
    inherit cmake python-single-r1 xdg
    
    DESCRIPTION="Reimplementation of the Infinity engine"
    HOMEPAGE="http://gemrb.sourceforge.net/"
    
    if [[ ${PV} == 9999* ]]; then
        EGIT_REPO_URI="https://github.com/gemrb/gemrb.git"
        inherit git-r3
    elif [[ ${PV} == 6666* ]]; then
        EGIT_REPO_URI="https://github.com/gemrb/gemrb.git"
        EGIT_BRANCH="subviews"
        inherit git-r3
    else
        SRC_URI="https://downloads.sourceforge.net/${PN}/${P}.tar.gz"
        # keywords only for release tarballs; live ebuilds must stay unkeyworded
        KEYWORDS="~amd64 ~x86"
    fi
    
    LICENSE="GPL-2"
    SLOT="0"
    # IUSE may not contain "-flag" entries (only "+flag" for default-on);
    # the old "-vlc -debug" was invalid, plain names are off by default anyway
    IUSE="debug mixer openal opengl png sdl sdl2 truetype vlc"
    
    # python-single-r1 needs its REQUIRED_USE so exactly one PYTHON_SINGLE_TARGET is chosen
    REQUIRED_USE="
        ${PYTHON_REQUIRED_USE}
        opengl? ( sdl2 )
        ^^ ( sdl sdl2 )
    "
    
    RDEPEND="
        ${PYTHON_DEPS}
        media-libs/libvorbis
        sys-libs/zlib
        mixer? (
            sdl? ( media-libs/sdl-mixer )
            sdl2? ( media-libs/sdl2-mixer )
        )
        openal? ( media-libs/openal )
        opengl? ( media-libs/glew:0 )
        png? ( media-libs/libpng:0 )
        sdl? ( >=media-libs/libsdl-1.2[video] )
        sdl2? ( media-libs/libsdl2[video] )
        truetype? ( media-libs/freetype )
        vlc? ( media-video/vlc )
    "
    DEPEND="${RDEPEND}"
    BDEPEND="virtual/pkgconfig"
    
    pkg_setup() {
        # sets ${EPYTHON}/${PYTHON}; without it python_fix_shebang below dies
        python-single-r1_pkg_setup
    }
    
    src_prepare() {
        cmake_src_prepare
        # do not install upstream's COPYING file, Portage tracks licenses itself
        sed -i -e '/COPYING/d' CMakeLists.txt || die
    }
    
    src_configure() {
        local libdir=$(get_libdir)
        local mycmakeargs=(
            -DLIBDIR_SUFFIX=${libdir#lib}
            -DDOC_DIR=share/doc/${PF}
            -DDISABLE_WERROR=ON
            -DSDL_BACKEND=$(usex sdl2 SDL2 SDL)
            -DOPENGL_BACKEND=$(usex opengl OpenGL None)
            -DUSE_SDLMIXER=$(usex mixer)
            -DUSE_OPENAL=$(usex openal)
            -DUSE_PNG=$(usex png)
            -DUSE_FREETYPE=$(usex truetype)
            -DUSE_LIBVLC=$(usex vlc)
        )
        # the cmake eclass reads CMAKE_BUILD_TYPE; "Gentoo" keeps the flags from make.conf
        local CMAKE_BUILD_TYPE=$(usex debug Debug Gentoo)
        cmake_src_configure
    }
    
    src_install() {
        cmake_src_install
        python_fix_shebang "${ED}"/usr/bin/extend2da.py
    }
    
    # icon cache handling in pkg_preinst/pkg_postinst/pkg_postrm comes from the xdg eclass
    
    
  2. links

20.2. media player

media-video/mpv

20.3. ntp set time

client:

  • emerge --ask net-misc/openntpd
  • /etc/ntpd.conf: servers 0.ru.pool.ntp.org
  • ntpd -ds # to sync time

21. hdmi mirroring

xrandr --output HDMI-0 --auto --same-as LVDS

22. opencl

  • virtual/opencl
  • emerge --ask =dev-util/rocminfo-5.0.2 --autounmask=y
  • dev-libs/rocm-opencl-runtime
  • HSA_USERPTR_FOR_PAGED_MEM=0 rocminfo
  • HSAKMT_DEBUG_LEVEL=7 rocminfo

Segmentation fault:

  • fix VIDEO_CARD or disable opencl flag from mesa

23. all modifications:

  • ~/.bashrc
  • ~/.bash_aliases
  • ~/nftables
  • ~/.ssh
  • /etc/udev/rules.d/91-backlight.rules
  • /etc/portage/make.conf
  • /etc/portage/package.use/*
  • /etc/sysctl.conf
  • ~/firef*
  • ~/hotkeys.sh
  • ~/.emacs
  • ~/x-set-keys.conf
  • create /mnt/share

24. lock screen & consoles

screen:

  • emerge --ask x11-misc/alock
  • alock -auth passwd

consoles:

  • emerge --ask app-misc/vlock
  • vlock -a

25. patching guide

It's usually better, if the patch is trivial, to open a bug and note that in the ChangeLog for the overlaid package just before adding the package to the overlay itself, unless the patches need to be tested for a while before submitting them to the ebuild maintainer.

As soon as a patch is merged in the main tree, the ebuilds in the overlay need to go, to avoid having unneeded ebuilds there.

26. USECASES

downgrade dracut from dracut-056-r1 to dracut-055-r4:

  • echo ">sys-kernel/dracut-055-r4" >> /etc/portage/package.mask/glibc # the file name under package.mask/ is arbitrary, every file in the directory is read

Use the greater-than operator (>) as the prefix when the wanted version is older than the latest stable (mask everything newer), or the less-than operator (<) when it is newer (mask everything older):

27. developers' githubs

28. gcc optimization

Some packages will fail to compile/run if the optimizations are too extreme.

Keep each flags variable declaration on a single line, with as little whitespace as possible, to avoid issues.

  • CFLAGS - C compiler
  • CXXFLAGS - is used to refer to the C++ compiler within many buildsystems.
  • FFLAGS - Fortran
  • FCFLAGS - any FORTRAN compiler in more modern build systems

28.1. options

-march
processor architecture (or arch): generate code for a certain kind of CPU. -march=native picks the build host's CPU, so binaries built with it may not run on another machine (keep that in mind for binary packages)
-mtune and -mcpu
tune instruction scheduling for a CPU without restricting the instruction set. These flags are normally only used when there is no available -march option.
-pipe
use pipes instead of temporary files between compilation stages. it makes the compilation process faster but needs more memory; on systems with low memory, GCC might get killed.
-O0, -O1, -O2, -O3, -Os, -Oz, -Og, and -Ofast
the optimization levels; -O2 is the safe default for a whole system, -O3 is larger code that is not always faster
-Ofast
-O3 plus -ffast-math, -fno-protect-parens, -fallow-store-data-races, -fstack-arrays and -fno-semantic-interposition. Not valid for all standards-compliant programs (it changes floating-point semantics), so never set it system-wide.
-ftree-vectorize
is an optimization option (default at -O3, -Ofast and, since GCC 12, at -O2 with -fvect-cost-model=very-cheap), attempts to vectorize loops using the selected ISA if possible. doesn't always improve code
-fvect-cost-model=very-cheap
only vectorizes a loop when the vector code can fully replace the scalar loop, i.e. no runtime alias/alignment checks and no scalar epilogue are needed (for example when the trip count is known to be a multiple of the vector width); the -O2 default since GCC 12
-fomit-frame-pointer
enabled by default at -O1 and higher on targets where the frame pointer is not needed for debugging (amd64 included). makes debugging and stack traces harder, since unwinding then depends on DWARF unwind tables.
-msse, -msse2, -msse3, -mmmx, -m3dnow
Streaming SIMD Extensions (SSE), SSE2, SSE3, MMX, and 3DNow! instruction sets for x86 and x86-64 architectures. Redundant when -march already implies them.
-funroll-loops and -funroll-all-loops
Loop unrolling. On modern processors, loop unrolling is often counterproductive, as the increased code size can cause more cache misses.
-finline-functions
Inline expansion (enabled at -O2 since GCC 10, and at -O3)
-funswitch-loops
Loop unswitching optimization (enabled at -O3)

Hardening optimizations (Gentoo's default toolchain already builds with PIE, SSP and FORTIFY_SOURCE; these are the flags behind that, and what you need on a toolchain that does not):

-fpie
position-independent executable (link with -pie), so ASLR randomizes the main binary and not only its libraries
-fpic -shared
position-independent shared library with no text relocations (text relocations need pages that are both writable and executable)
-D_FORTIFY_SOURCE=2
compile-time and run-time buffer overflow checks in the libc string and memory functions; only active when optimizing (-O1 or higher)
-D_GLIBCXX_ASSERTIONS
run-time bounds checking for C++ strings and containers in libstdc++
-fstack-protector-strong
stack smashing protector: a canary in front of the saved return address in every function with local arrays or address-taken locals
-fstack-clash-protection
probes every page of large stack allocations, so a jump over the guard page (stack clash) is caught instead of silently landing in another mapping
-fcf-protection
control flow integrity via Intel CET (ENDBR landing pads for indirect branches and a shadow stack for returns) on x86; enforced only on CET-capable hardware with kernel and libc support, otherwise the instructions are no-ops
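A small audit of a CFLAGS string against the hardening list above, as an added example that is not part of the original notes and not a Gentoo tool: it reports which hardening flags are absent and which of the flags from this section are unsafe to apply tree-wide. The flag lists are the ones from this section; on Gentoo the compiler defaults already cover PIE, SSP and FORTIFY, so this is for flags you set yourself in make.conf or package.env, and the definitive check is always the built binary, not the flag string.

```sh
#!/bin/sh
# Added example: audit a CFLAGS string for the hardening flags listed on this page
# and for flags that change program semantics system-wide.

# the hardening flags from this section (assumption: this list, nothing else)
HARDENING_FLAGS="-fstack-protector-strong -fstack-clash-protection -fcf-protection -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS"

# has_flag "FLAGS" FLAG -> 0 if FLAG is present as a whole word
has_flag() {
    for f in $1; do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# missing_hardening "FLAGS" -> space-separated hardening flags not present
missing_hardening() {
    out=""
    for h in $HARDENING_FLAGS; do
        has_flag "$1" "$h" || out="$out $h"
    done
    echo "${out# }"
}

# risky_flags "FLAGS" -> flags from this section that must not be set tree-wide:
# -Ofast/-ffast-math break IEEE semantics, -funroll-all-loops bloats code
risky_flags() {
    out=""
    for f in $1; do
        case $f in
            -Ofast|-ffast-math|-funroll-all-loops) out="$out $f" ;;
        esac
    done
    echo "${out# }"
}

# Typical use against the live config (make.conf is sourced by Portage as shell):
#   . /etc/portage/make.conf; missing_hardening "$CFLAGS"; risky_flags "$CFLAGS"
```

Anything reported by risky_flags belongs, if anywhere, in a per-package env file (section 28.2), never in the global CFLAGS.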

28.2. Per-package

  • /etc/portage/env directory
  • /etc/portage/package.env file.

ex:

/etc/portage/env/debug-cflags

CFLAGS="-O2 -ggdb -pipe"
FEATURES="${FEATURES} nostrip"

/etc/portage/package.env

media-video/mplayer debug-cflags

29. links

Created: 2024-03-03 Sun 09:57
