User:Dimonade/Installations

Personal reminders about installation specifics that I might otherwise forget.

Introduction

Generally, this follows the Full Disk Encryption From Scratch Simplified, with a fallback to the standard installation guide and some spicing from Sakaki's installation guide. Some personal changes include a kernel that is more tailored to the specific hardware that I am installing Gentoo on. As I dig deeper into Gentoo, this guide will change. Finally, this is not the way, but a way, the target is to have a better understanding and have fun.

Some choices that I have made about the system:

• OpenRC
• Wayland
• Minimal profile (nomultilib)
• GPG Symmetrically encrypted key file with non standard algorithms
• No swap - the laptop does not hibernate and has enough RAM.

This guide is written with a Dell Latitude 7480 as reference hardware. Some specs:

• CPU: i7-7600U
• RAM: 16GB
• SSD: 256GB

TODO

1. Add dvorak layout to boot password.

2. Add kernel update section.

Preparation

Get a Gentoo Minimal Installation CD burned on a USB flash disk. Plug it in the target laptop and boot into it. I am accustomed to a Dvorak keyboard - in the current iteration of the CD it is number 14 in the selection menu. If you are a happy qwerty user, press Enter and move on.

Configuring the network

This chapter is the parallel of the Network page in the official Handbook or the similar page from Sakaki's guide.

Network is required for downloading the Stage 3 tarballs as well as syncing portage and more. If the laptop has an Ethernet jack, and there is a cable around, great - plug it and try pinging Gentoo:

If the ping is successful, you are in luck and can move to the next section.

If you are a lucky owner of a laptop without an Ethernet jack (I feel you...) or you do not have the cable around, then use wpa_supplicant to connect to the WiFi.

Figure out which one of the interfaces can connect to the WiFi (yours might have different names):

Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo                    ... further output suppressed ...
wlp2s0                ... further output suppressed ...
wwp0s20f0u2i12        ... further output suppressed ...

Create the configuration file for the network adapter:

Add the following:

ctrl_interface=/run/wpa_supplicant
update_config=1

To add the network details you will need the WiFi name and the password:

At this point the wpa_supplicant config file will have the following appended:

ctrl_interface=/run/wpa_supplicant
update_config=1
network={
	ssid="NETWORK_NAME"
        #psk="NETWORK_PASSWORD"
	psk=verylongstring
}

With that done, initialize the wpa_supplicant with the configuration file:

Successfully initialized wpa_supplicant

With that, test the network by pinging gentoo.org (or any other website of your choice):

PING gentoo.org (151.101.213.91) 56(84) bytes of data.
64 bytes from ... (151.101.213.91): icmp_seq=1 ttl=57 time=202 ms
... further output supressed ...

Disk partitioning

For proper full disk encryption, using a separate boot drive the following partition scheme will be used:

'"`UNIQ--pre-00000007-QINU`"'

In the case of this laptop, there is no NVME device.

Partitioning the main storage device

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier <identifier>.

Command (m for help): g
Created a new GPT disklabel (GUID: <some ID>).

With a partition table crated, a new partition spanning the drive can be created by using n and then accepting the defaults:

Partition number (1-128, default 1): 
First sector (2048-<size of media>, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-<size of media>, default <size of media>): 

Created a new partition 1 of type 'Linux filesystem' and of size <size of media> GiB.

Finally, the changes can be written with w:

The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Partitioning the boot USB stick

The boot disk can be setup using a similar process, the main difference is the boot flags will be set as a final step:

Welcome to fdisk (util-linux 2.38.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier <identifier>.

Command (m for help): g

Created a new GPT disklabel (GUID: <some id>).
|

With a fresh partition table, a 512mb partition can be created using:

Partition number (1-128, default 1): 
First sector (2048-<usb device size>, default 2048): 
Last sector, +/-sectors or +/-size{K,M,G,T,P} (2048-<usb device size>, default <usb device size>): +512M

Created a new partition 1 of type 'Linux filesystem' and of size 512 MiB.

Finally, the ESP properties can be set using t:

Selected partition 1
Partition type or alias (type L to list all): 1
Changed type of partition 'Linux filesystem' to 'EFI System'.

Changes can be written with w:

The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create the GPG key for the LUKS encrypted partition

Enter passphrase
Passphrase <your new passphrase>
Please re-enter this passhprase
Passphrase <your new passphrase again>
... further output suppressed ...

Format the LUKS encrypted partition with the GPG key

Open the LUKS volume

Before you can work with the encrypted volume, it must be unlocked:

This maps the encrypted drive to /dev/mapper/crypt.

Backup the header file

Configure LVM inside of the LUKS volume

To create the LVM structure used in this example, with logical volumes for (/root, /var, and /home):

The physical volume can be created on the opened LUKS volume with:

The volume group vg0 can be created wtih:

The logical volumes for /root, /var, and /home can be created with:

Format the Filesystems

Create a filesystem for /dev/sdc1 (the USB boot stick), the boot partition which will contain GRUB and kernel files. This partition is read by UEFI. Most motherboards can read only a FAT32 filesystem:

If LVM is being used, to format each logical volume with the btrfs filesystem:

Mount the freshly formatted USB stick

At this point, the USB stick can be mounted to save the GPG key and the LUKS header file from the next session.

Find which device is the USB stick:

<TODO>

Create the mounting point:

Mount it:

Finally, copy the GPG key and the header file over to the USB boot stick's new partition:

Mounting the partitions

Mounting the root partition

At this point the device mapping should look like something along the lines of:

NAME                                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
loop0                                           7:0    0 427,8M  0 loop  /mnt/livecd
sda                                             8:0    0 238,5G  0 disk
└─sda1                                          8:1    0 238,5G  0 part
  └─crypt                                     253:0    0 238,5G  0 crypt
    └─vg0-root                                253:1    0    64G  0 lvm
    └─vg0-var                                 253:2    0    64G  0 lvm
    └─vg0-home                                253:3    0 110,5G  0 lvm
sdb
... Gentoo Live CD ...
sdc                                             8:32   0  57,3G  0 disk
└─sdc1                                          8:33   0   512M  0 part  /mnt/stick

Create the mounting point for the root partition:

Mount the root partition:

Mount home and var partitions

Similarly, mount the home and var partitions:

You device tree will look like: TODO: Insert filesystem mounting point scheme.

Installing a stage3 tarball

This chapter is the parallel of the Stage page in the official Handbook or the similar page from Sakaki's guide.

Setting correct date and time

Ensure that the target machine has the correct time and date, as without it, you will have random weird issues and errors that are hard to debug:

If necessary, set the date and time, in MMDDhhmmYYYY format (Month, Day, hour, minute, year):

Getting the Stage 3 tarballs

As mentioned before, here I will choose the OpenRC, no multilib (no desktop profile) tarball. With vg0-root mounted to /mnt/gentoo, switch to the latter directory:

Download the tarball from the Gentoo Downloads page:

Unpacking the Stage 3 tarballs

Unpack the tarballs into the /mnt/gentoo directory:

After it is done unpacking, you should see a familiar file structure. The stage3 tarball is no longer necessary, and you may wish to remove it now or at a later stage.

Configuring compile options

Information about compile options are described in great detail in the Handbook and in Sakaki's guide. Be sure to read it.

For this laptop I will use the following /etc/portage/make.conf file:

# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
MAKEOPTS="-j4 -l4"
EMERGE_DEFAULT_OPTS="-j4 -l3.6"
ACCEPT_KEYWORDS="~amd64"
VIDEO_CARDS="intel"
USE="elogind wayland sway swaybg swayidle swaylock swaymsg swaynag wallpapers \
    alsa flac sound-server vulkan \
    networkmanager -ppp -wext \
    -doc -npm -systemd -gnome -kde -handbook -neon -gtk -gtk-doc -plasma -X
    -pulseaudio -coreaudio \
    -bluetooth -aac -aptx -geolocation -geoip -dvd -ipv6 \
    -smartcard -quicktime -3df -3dfx -cups \
    -nvidia -ibm -ios -ipod"

LINGUAS="en_US"
ACCEPT_LICENSE="-* @FREE"
INPUT_DEVICES="libinput"

COMMON_FLAGS="-march=skylake -O2 -pipe"
ABI_X86="64"
LLVM_TARGETS="ARM RISCV"

CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"

# NOTE: This stage was built with the bindist Use flag enabled
PORTDIR="/var/db/repos/gentoo"
DISTDIR="/var/cache/distfiles"
PKGDIR="/var/cache/binpkgs"

# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.
LC_MESSAGES=C

CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3"

GENTOO_MIRRORS="https://ftp.belnet.be/pub/rsync.gentoo.org/gentoo/ \
    http://ftp.belnet.be/pub/rsync.gentoo.org/gentoo/ \
    rsync://ftp.belnet.be/gentoo/gentoo/ \
    http://ftp.fi.muni.cz/pub/linux/gentoo/ \
    ... additional output suppressed ...
    https://ftp.uni-hannover.de/gentoo/ \
    https://mirror.isoc.org.il/pub/gentoo/"

Some notes:

• MAKEOPTS="-j4 -l4" and EMERGE_DEFAULT_OPTS="-j4 -l3.6" are due to the laptop having 4 cores.
• COMMON_FLAGS="-march=skylake -O2 -pipe" is due to the CPU architecture.
• LLVM_TARGETS="ARM RISCV" is for Rust on embedded.
• The list of GENTOO_MIRRORS can be obtained by mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf

Later on more configuration files will be downloaded from the configs repository, which may not fit exactly, but with a minor variation of parameters should be OK. More configurations of Portage will be described in the relevant section.

Gentoo ebuild repository

You can get it from the configs repository or from what comes in default. So, either:

or:

Copy DNS information

Copy wpa_supplicant information

If installing via WiFi, copy the /etc/wpa_supplicant/wpa_supplicant-wlp2s0.conf:

Chrooting

Get the hardware information

It is useful to know ahead of time what hardware the system is running on, as well as which drivers are being used. This will help a lot with the kernel configuration.

To do so:

Mounting the necessary filesystems

Entering the new environment

Go to the mounting point:

Chroot in:

Source the profile:

Mounting the /boot partition from the USB stick

It is necessary to mount the /boot partition while in /chroot so that when compiling the kernel and installing the bootloader, they will be saved there.

then:

Configuring Portage

Installing an up-to-date Portage tree

Check that you still have a network connection while in chroot:

With that, to have a baseline snapshot of Portage we will sync it twice - once to get the baseline with the webrsync protocol, and once more with the more effective rsync protocol (note that there is no vi/vim/nvim in chroot, only nano:

And choose the webrsync protocol:

sync-type = webrsync
# sync-type = rsync

And sync Portage:

>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ...                                    [ ok ]
Fetching most recent snapshot ...
... further output suppressed ...

Now, edit the gentoo.conf file again to use the more efficient rsync protocol:

And choose the webrsync protocol:

# sync-type = webrsync
sync-type = rsync

Issue (again):

Setting the Profile

To see which profiles are available:

  [1]   default/linux/amd64/17.1 (stable)
  [2]   default/linux/amd64/17.1/selinux (stable)
... additional output suppressed ...
  [15]  default/linux/amd64/17.1/no-multilib (stable) *
  [16]  default/linux/amd64/17.1 (stable)
... additional output suppressed ...
  [21]  default/linux/amd64/17.1/desktop/gnome (stable)
  [22]  default/linux/amd64/17.1/desktop/gnome/systemd (stable)
... furnther output suppressed ...

Note that the asterisk (*) denotes the selected profile. Note that the no-multilib profile is already selected. Do note, that changing profiles after the fact is a very tedious and complex task, so it is better to choose the correct version and stick with it.

If the no-multilib profile is not selected, choose the no-multilib profile:

Where n is the number of the profile.

Set up the correct timezone

Generating the correct locale

en_US.UTF-8 UTF-8

Next, we must run locale-gen to create the locales, based on the information in the /etc/locale.gen file:

Assuming that completes successfully, you then must then specify the default locale to use. Find the system list with:

  [1]   C
  [2]   C.utf8
  [3]   POSIX
  [4]   en_US.utf8
  [5]   C.UTF8 *
  [ ]   (free form)

Issue:

Where n is the index of en_US.utf8.

Now, reload your environment:

Setting up the Post-boot keymap (optional)

This applies only if you want to have a different keymap (Dvorak) in my case for use post-boot, so that you will be able to type commands correctly when typing directly at your machine's keyboard.

and edit the keymap=... line, to cite the string you just found. For example, in my case:

keymap="dvorak"

Informing Portage of Processor-Specific features (optional)

If your processor differs from the one that I use through this tutorial, you might want to edit the CPU_FLAGS_X86 in /etc/portage/make.conf.

If you do want to set CPU_FLAGS_X86, first emerge the /proc/cpuinfo query tool (we'll use --oneshot here, to avoid adding it to your @world set):

Now, run the tool and note its output (yours may well differ from the below, which is taken from the Panasonic CF-AX3):

CPU_FLAGS_X86: aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3

Issue:

Then copy the flags output by cpuid2cpuflags-x86 into the existing CPU_FLAGS_X86="mmx mmxext sse sse2" definition (replacing mmx mmxext sse sse2); for our example:

CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3"

(Your values will most likely differ) Leave the rest of the file as-is. Save and exit nano.

Updating the @world set

More information about the @world set.

At this point, it is wise to update the system's @world set so that a base can be established.

This following step is necessary so the system can apply any updates or USE flag changes which have appeared since the stage3 was built and from any profile selection:

This long command can be shortened to (and with the t switch:

If there are no issues, apply the suggested update with y.

Install vi/vim/nvim/helix

Installing:

Update configurations with dispatch-conf

Whether or not emerge warns you that you have configuration files that need updating as a result of the above update, it is good hygiene to run:

If the keymap was set to Dvorak, dispatch conf will try to revert it to "us". Don't accept this change by pressing z for zap-new.

Kernel configuration and compilation

This chapter is the analogue of the Handbook's "Configuring the Linux kernel" page and Sakaki's "Configuring and Building the Kernel" page. Go read them for a good understanding of what is up.

Allow necessary licenses for linux-firmware

Emerge tools hardware discovery and kernel configuration

Here we will emerge a number of packages which will help us to compile the kernel: linux-firmware, gentoo-sources, pciutils and usbutils.

eselecting the kernel

To see if the kernel from the previous section was installed run

Available kernel symlink targets:
  [1]   linux-6.3.5-gentoo

Select it:

Available kernel symlink targets:
  [1]   linux-6.3.5-gentoo *

Check that the symlink is correct:

linux-6.3.5-gentoo

Configuring the kernel

Configuring the kernel depends very much on the hardware, therefore take a look at the auxilliary files that were created before. Therefore, read them, and take note of the relevant drivers.

In the case of this laptop, some of the drivers of interest are:

TODO: Add these ones (and additional hardware) to the chart as well.

• rtsx_pci
• i2c_i801 (i801_smbus)
• snd_hda_intel
• pcieport
• ahci
• intel_lpss_pci (intel_lpss)
• xhci_pci
• kvm_intel
• hwmon

Some of these are hardware specific to this laptop, some are generic.

The kernel's configuration file is located in /usr/src/linux, so make sure you are in the correct repository:

Grab the latest available .config_<kernel_version> that is in the configs repository:

And use the menuconfig utility to breath life into the kernel configuration file:

This should load all the settings from the kernel configuration file into neatly packed, sorted menus and entries. To make sure that the necessary drivers are included in the kernel, not in order, and may be doubles, follow the following pages:

• dm-crypt
• btrfs

Misc. stuff:

• As it is a no-multilib setup:

Binary Emulations --->
  [ ] IA32 Emulation

Make sure to include the ciphers into the kernel compilation. In this case Serpent. Also you need to enable `CONFIG_CRYPTO_USER_API_SKCIPHER`.

Compilation

Make sure that the booting USB stick is mounted at /boot, as this is where the kernel files will go. If not mounted, they will appear in the regular filesystem's /boot directory:

One last thing before compiling - to compress the image lz4 is required. It may or may not be present in the installed packages, therefore, to install it:

Then compile the kernel:

To copy the kernel image to /boot/ issue:

Make sure that the kernel files are present in /boot (only kernel relevant files are displayed):

drwxr-xr-x  2 root root 4.0K May 21 14:20 ./
drwxr-xr-x 22 root root 4.0K May 21 13:34 ../
-rw-r--r--  1 root root 123K May 21 14:20 config-6.3.5-gentoo
-rw-r--r--  1 root root 5.7M May 21 14:20 System.map-6.3.5-gentoo
-rw-r--r--  1 root root  14M May 21 14:20 vmlinuz-6.3.5-gentoo

Initramfs configuration

An initramfs must be used to decrypt and mount the root partition. This can be done in a number of ways, here dracut will be used.

Emerge dracut and its auxilliary packages.

Make sure that the booting USB stick is mounted at /boot, as this is where the initramfs will go. If not mounted, they will appear in the regular filesystem's /boot directory:

The following modules must be added to the add_dracutmodules directive in /etc/dracut.conf:

add_dracutmodules+=" crypt crypt-gpg dm rootfs-block "

Once Dracut is configured, a new initramfs can be generated by running:

If the initramfs is being generated for a kernel other than the currently active one, --kver must be used:

This can happen in a situation when the kernel version in the Gentoo Live CD differs from the emerged sys-kernel/gentoo-sources in the kernel compilation process.

Make sure that the relevant files appeared in /boot:

drwxr-xr-x  2 root root 4.0K May 21 14:20 ./
drwxr-xr-x 22 root root 4.0K May 21 13:34 ../
-rw-r--r--  1 root root  14M May 21 14:40 initramfs-6.3.5-gentoo

Configuring the system

This section is pararllel to the Configuring the system from the Gentoo Handbook and the following page from Sakaki's guide.

fstab configuration

For consistent volume mounting, labels and UUIDs must be used. Recall:

NAME           UUID
sda                     
└─sda1         <long_string_sda1>
  └─crypt      < ... additional output supressed ... >
    ├─vg0-root < ... additional output supressed ... >
    ├─vg0-var  < ... additional output supressed ... >
    └─vg0-home < ... additional output supressed ... >
sdc 
└─sdc1         <short_string_boot_usb>

From here only the UUID of sdc1 (bootable USB stick) is required, as the other filesystems use a label (which was defined earlier).

To avoid typing their UUIDs, append the lsblk -o name,uuid to /etc/fstab:

Edit the file accordingly:

'"`UNIQ--pre-0000002F-QINU`"'

GRUB configuration

Emerge grub with the device-mapper USE flag.

Edit the grub configuration file's line (no quotes needed on the UUIDs):

'"`UNIQ--pre-00000032-QINU`"'

With that done issue:

Networking information

Create the hostname:

Emerge wpa_supplicant:

Root password

Create a password for root:

User account

Create a new user, add it to groups and set its password:

Removing the stage3 tarball

Once the system boots and working, the stage3 tarball can be removed:

Rebooting

At this stage a working (and minimal) system that can work by itself is built. To test it out exit the chroot environment, reboot the machine, and unplug the Gentoo Live UBS stick.

Troubleshooting

If things go wrong - worry not. It is possible to continue from the middle and troubleshoot through the Gentoo Live CD - mount the USB boot stick (as it contains the crypt_key), unlock the encrypted device, mount the partitions, chroot into it, and continue from the problematic point.