User:Egberts/Dell Optiplex 790

How to setup the Gentoo 2022 OS from scratch ... on a Dell Optiplex 790

Dell Optiplex 790 is a cheap low-power (<100W) PC that has a crappy UEFI Class 1 implementation, making UEFI unusable from a Linux point of view; this one remains firmly on a legacy master boot record (MBR) boot sequence.

The Optiplex 790 BIOS does not support ACPI 2.0 nor UEFI 2.3.1; save yourself further headache and use only the MBR approach.

This makes it extremely useful as a home gateway, a role that requires neither a MySQL database nor JavaScript-based web browsing, and that should not be easily hijacked through the `LD_PRELOAD` environment variable.

Hardware Gotcha
There are a couple of hardware gotchas that have made installing a Linux OS on the Dell Optiplex 790 a struggle:

1. The USB mouse gets randomly jumpy during BIOS setup; use a PS/2 mouse or try the USB mouse on each and every USB port until this stops. I used the upper right corner USB port on the front panel before the mouse got steady enough to be usable.

2. Any extra PCI-based video adapter will turn off the Intel HD VGA components on the motherboard. This may result in tiny (and hard-to-read) fonts during the bootup sequence.

3. UEFI is not supported by Linux here. The Dell 790 BIOS does not support UEFI 2.3.1 (it is stuck in UEFI Class 1 mode). Do not bother. Stick with the good old legacy master boot record (MBR) approach here.

4. Intel VT-d is NOT SUPPORTED on this 790 motherboard. While the Intel i7-2600 does support the VT-d option, it is the Intel Q65 PCI Express Chipset LPC Controller that is NOT ABLE to support VT-d, thereby rendering the entire motherboard non-VT-d capable. This is not too bad, as you can still host virtual machines; you just cannot pass motherboard/PCI adapter cards directly through to those VMs.

= Install on Optiplex 790 =

Download ISO
Visit Gentoo and click on "Get Gentoo" button at top-row navigation panel.

Under, , select the desired ISO image.

Of the several variants of Stage 3, I chose "OpenRC" because PID 1 has too much network access privilege, which IMHO is ripe for fileless backdoor malware. The OpenRC PID 1 has no such network privilege (same as the original AT&T SysV /), which sets my security mind at ease.

Identify the hard drive
Within the newly booted minimal Gentoo, identify the hard drive used to hold our filesystems.

Note: It should be (or, if in QEMU/virtual machine).

Drive Format
Optiplex 790 still mandates the use of legacy MBR. No need to touch UEFI here (not supported, despite BIOS settings).

The above partition scheme encompasses:

 * four(4) physical partitions
 * two(2) LVM volume groups (`vg_os` and `vg_log`)
 * seven(7) LVM volume partitions

Purging any physical partitions
Use `fdisk` and stay with the 'dos' (MS-DOS/MBR) disk label type.

Delete all partitions. Write and exit.

WARNING: If any error message appears saying that the OS is still using it, then reboot the machine and go back into the `fdisk` command again before continuing here.

Do not use GNU ; GPT is not supported by the 790 BIOS.

Create physical partitions

 * Partition 1 - 250MB - /boot (should be 1G if doing some heavy kernel tweaking)
 * Partition 2 - 2GB - swap (should be twice your total 'physical' memory)
 * Partition 3 - 50GB of hard media - ROOT label - / directory
 * Partition 4 - remainder of hard media - LVM partition (MBR type 0x8E)

Changing physical partition type
Change partitions to:

 * Partition 1 - Type 0x83 Linux
 * Partition 2 - Type 0x82 Linux swap
 * Partition 3 - Type 0x83 Linux
 * Partition 4 - Type 0x8E LVM partition

Write out the entire partition table and quit.

Make /boot bootable
Do not forget to toggle partition 1 as "bootable". In `fdisk`, enter the option and select partition 1.
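The purge/create/type/bootable steps above can be made repeatable as one `sfdisk` script. This is an added example, not part of the wiki page; it assumes a `dos` (MBR) label with the page's sizes (250M /boot, 2G swap, 50G root, remainder LVM type 8e) and only touches a disk when `OPTIPLEX_DISK` is set explicitly.

```shell
#!/bin/sh
# Added example (not from the wiki page): the four-partition MBR layout
# as an sfdisk script. "label: dos" keeps the legacy MBR scheme the
# Optiplex 790 BIOS requires; no GPT is involved.

# Emit the sfdisk script on stdout. A line without size= takes the rest
# of the disk; "bootable" sets the MBR active flag on the /boot partition.
mbr_layout() {
    cat <<'EOF'
label: dos
unit: sectors
size=250M, type=83, bootable
size=2G,   type=82
size=50G,  type=83
type=8e
EOF
}

# Number of partition entries in the script (lines carrying a type=).
partition_count() {
    mbr_layout | grep -c 'type='
}

# Apply the layout to a block device. --wipe always clears stale
# filesystem/LVM signatures; if the kernel still holds the old table
# ("OS is still using it"), reboot first as the page says.
apply_layout() {
    dev="$1"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    mbr_layout | sfdisk --wipe always "$dev"
}

# Destructive step is opt-in only, e.g. OPTIPLEX_DISK=/dev/sda sh layout.sh
if [ -n "${OPTIPLEX_DISK-}" ]; then
    apply_layout "$OPTIPLEX_DISK"
fi
```

Review the emitted script with `mbr_layout` before setting `OPTIPLEX_DISK`; the swap size is the page's 2GB and should be doubled for larger RAM.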

Creating LVM partitions
Create the logical partitions by doing, , and commands:

Format physical partitions
Format the physical partitions:

Now onward to set up the root filesystem to hold our initial Gentoo CD installation.

Create mountpoint directories then mountings
Create the parent root file path for our new Gentoo OS:

Rescue Reboot (Resumption Point)
NOTE: If your kernel boot up fails (after finishing all this page), this is your starting point to resume setup.

Partition mountings
I typically create a bash script, stored in , so that it cuts down on my typing time during my kernel config tweaking/reduction effort.

Store the following bash script as , and set its file permission to 0750.

Mount the root (/) partition
The above command is the only thing you need to memorize when coming back here after a failed kernel boot, assuming that you have made the scripts that recreate the following steps.

Mount /usr (and additional) partitions (optional)
I often break out into a separate partition, as I follow the recommended CISecurity partitioning scheme:

Creating
The goal is to have the following filesystem partitions:

Go mount them all using the above script, or use a snippet of the following:

Edit the  to contain:

Check the Date/Timestamp
To ensure accurate recording of the creation time of files being created, check the date:

Network connectivity
I use the Gentoo to get the Internet up and running ... fast.

Use the 'manual configuration' option in , if you have some esoteric or exotic network setup.

Selection of Gentoo Installers
Since we are booting within a QEMU environment, we only need the following installer features:

 * OpenRC (no systemd due to uncontrollable network access within PID 1)
 * libmusl (no glibc, no `LD_PRELOAD` support; comparison chart (external link))
 * no-multilib (x86-64 only, no x86-32 support)
 * no-desktop
 * hardened (oops, make that no-hardened; announcement, discontinued)

From the terminal prompt, enter in:

Go down to 'Downloads' link and hit enter.

Go down to 'Advance choices and other architectures' section (past the 'amd64 aka x86-64, x64, Intel 64' section).

Select `amd64` link.

Go slightly past just the 'Musl stage archives' section.

Select and download `Stage 3 musl | openrc 2022-XX-XX XXXMB`.

Make a note of the filename that you just saved. My resultant filename is.

A tiny bit further down the screen, just before the BIG 'amd64' section, move to the 'All stages' link and press enter.

Select the 20220720T2237212Z subdirectory.

Go down to that filename you just saved.

Go down two more lines to the file. Download and save that file.

Obtain PGP Keys of Gentoo Organization
If not done already, save the PGP keys of the entire Gentoo organization:

Validate Stage3 File
NOTE: The WARNING appears because I've opted to read a DIGEST file that has GnuPG headers and footers wrapped around the checksum values; we are only interested in the `OK` part of the `sha512sum` output.
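The two checks this section relies on, signature first and checksum second, as an added example that is not part of the wiki page. It assumes the Gentoo release key has already been imported (previous section), that the DIGESTS file is clearsigned text with `# SHA512 HASH` comment lines, and it feeds only the one matching digest line to `sha512sum`, which sidesteps the "improperly formatted lines" WARNING; the demo data is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a stage3 tarball against
# its .DIGESTS file. Trust order matters: the digest list is only worth
# reading after its PGP signature verifies against the imported Gentoo key.

# Step 1: signature on the clearsigned DIGESTS file (exit 0 = good).
verify_digest_signature() {
    gpg --verify "$1" >/dev/null 2>&1
}

# Step 2: pick the "<128 hex>  <filename>" line for exactly our tarball and
# hand only that line to sha512sum; 0 when OK, 1 on mismatch or no entry.
check_stage3_digest() {
    digests="$1"; tarball="$2"
    line=$(grep -E "^[0-9a-f]{128}  $(basename "$tarball")\$" "$digests" | head -n1)
    [ -n "$line" ] || { echo "no SHA512 entry for $tarball" >&2; return 1; }
    ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha512sum --check --status )
}

# Offline demo with a constructed tarball and a constructed DIGESTS file
# mimicking Gentoo's framing. Prints "0 1": intact passes, tampered fails.
demo() {
    dir=$(mktemp -d); f="stage3-amd64-musl-openrc-constructed.tar.xz"
    printf 'constructed stage3 payload\n' > "$dir/$f"
    hash=$(cd "$dir" && sha512sum "$f" | cut -d' ' -f1)
    cat > "$dir/stage3.DIGESTS" <<EOF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SHA512 HASH
$hash  $f
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
EOF
    if check_stage3_digest "$dir/stage3.DIGESTS" "$dir/$f"; then good=0; else good=1; fi
    printf 'tampered\n' >> "$dir/$f"   # simulate a corrupted/modified download
    if check_stage3_digest "$dir/stage3.DIGESTS" "$dir/$f"; then bad=0; else bad=1; fi
    rm -rf "$dir"
    echo "$good $bad"
}
```

For a real download, run `verify_digest_signature stage3-*.DIGESTS && check_stage3_digest stage3-*.DIGESTS stage3-*.tar.xz`; a failed signature means the digest list itself cannot be trusted.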

Content of root filesystem
Unpack the stage 3 tarball file that contains the initial root filesystem:

Clone network setup
Save the resolver into the future

Clone system filesystems
Create another script:

Build setup
If you know how many CPU processors you have, then you can have the make build tool use all of them by leveraging the `--jobs=` option of the make utility. For two CPUs, execute:

Required packages
Create a local repository for Gentoo portage packages:

Network Interfaces
Identify available network interface to use:

In our case, we have `enp1s0` for the name of our network interface.

Now we create a startup script for `enp1s0` called `net.enp1s0`:

Edit :

Choose The Right Profile
Get a list of System Models.

Choosing from a List of System Models
Those index numbers can change weekly, so check for the correct index number of the 'amd64 musl' profile, or whichever profile you desire.

Relocating Portage TMPDIR
Since cannot support execution of code, we must relocate the  for Portage:

We will make this permanent by updating in the next section using  envvar.

Configuring USE
Add the following to /etc/portage/make.conf

Updating Entire World
Within the given Gentoo stage 3 that we chose and installed, update the entire thing with the latest and greatest repositories:

Required packages for basic QEMU of Linux kernel, OpenRC, portage, modules

= Linux Kernel =

Installing Kernel Tools
This has to be done AFTER the kernel source has been selected with eselect.

SECURITY: I do not install SSH server. If this VM needs network access, the VM itself can do the SSH or RSYNC protocol as a client.

Defaulting Kernel Configuration
If no kernel configuration file (`.config`) exists, create one with all of its default settings:

Note: If `.config` exists, then any and all newer Kconfig settings are added at their default setting (using the `oldconfig` make option).

Note: If `.config` does not exist, then default settings are used.

If you are gung-ho about a minimalistic Linux kernel size, execute:

Of course, this would only bring you one step closer.

If you are hell-bent on a super-minimalistic sized Linux kernel, execute:

but then you would have to painstakingly enable all the things that you actually need. This would be the very last kernel "upgrade" step, after doing the above first.

Kconfig for Dell Optiplex 790
The following Linux kernel config settings for the Dell Optiplex 790 are:

To merge the above settings into the file, execute:

To ensure that we did not miss any new Kconfig settings for VirtIO (and other related kernel settings), bring the config up to date with the newest (but defaulted) settings:

The output of should be empty (no new config undefined).

CPU-specific
For my Intel Core i7-2600 CPU processor, the kernel config settings are also set:

There are kernel tools that allow for multiple (in the form of a  filename).

Configuring Kernel
Optionally, tweak the "boot cmdline" in . This becomes a required step if not using a UUID as the device identifier within GRUB2.

Note:  in  is mandatory if a graphics card has been inserted into the PCI slot, thus overriding the Intel HD graphics.

Note:  in  compensates for any tiny, flaky or mis-configured graphics hardware settings.

Details of above GRUB2 settings can be found in here (external link).

Firmware Required for Genkernel
We must accept a bit more latitude and flexibility in the firmware licenses used on the Linux OS. This is required for building with the `genkernel` tool.

Append the following text into `/etc/portage/package.license`:

Automated Kernel Build
Install the tool:

Ensure that is mounted for genkernel to fill in:

If resultant output is empty, go mount the :

Instruct the InitRamFS to mount multiple disk partitions/volumes at boot.

and put in something like what I use for the CISecurity partitioning:

Build kernel
Complete the kernel build, including all modules as denoted by , after your kernel customization.

Rebuild Modules & Libraries
If tweaking the kernel config on the second (or nth) pass, modules need to be rebuilt:

Password Quality
To bastardize the password quality down to 1980s style:

Edit the line to reflect in the file:

Now you can use any 8-char simple password or longer.

System Clock Timezone
Edit the timezone to your desired setting (I use ) in the file:

Syslog
Install the smallest syslog daemon possible, `sysklogd`, and activate it at bootup:

Remote Access (SSH)
Activate SSH server daemon (I don't do this here, but most people do):

Maybe allow root to log in (for the short term, during setup) by adding:

Serial Console
On OpenRC, ensure that the serial console entries are commented out (prepend with `#`) in the `/etc/inittab` file:

Time Synchronization
Install and activate it:

Filesystem Tools
Install filesystem tools:

DHCP Client
We are using ISC DHCP client on one side of the network, and our ISP DHCP server is on the other side; add some editor syntax coloring:

Selecting Bootloader Package
To select a Grub2 bootloader:

Rebooting
Exit and then reboot: