Funtoo - hpaluch/hpaluch.github.io GitHub Wiki

Funtoo

Funtoo is a Gentoo alternative that I am currently exploring. See the homepage: https://www.funtoo.org/Welcome

One appealing feature is that Funtoo is supposed to be more "release"-like than the purely "rolling" Gentoo, which should make it easier to manage. However, the last time a release was retired there was no supported upgrade path:

https://forums.funtoo.org/topic/5159-14-release-is-being-retired-in-2024/

We are officially retiring 1.4-release in 2024, which means that if you have not yet done so, now is the time to upgrade to next-release. The official way to do this is to do a REINSTALL of Funtoo. You may be able to in-place upgrade from 1.4-release to next-release but THIS IS NOT OFFICIALLY SUPPORTED so if you can't get it to work, you can ask on Discord for help unofficially but if you can't work through the various quirks you WILL need to reinstall.

Really, a reinstall should be done unless you have a very specific reason why you can't. ...

However, Funtoo is more opinionated than Gentoo. For example, if you disable font support in GRUB, ego boot update will simply crash with a Python stack trace.

Following more or less:

What is different:

  • Install CD - there is a helper command fchroot that does all the necessary steps to prepare and enter the chroot.
  • only OpenRC is supported (no S-word allowed :-)
  • Where Gentoo uses a profile plus USE flags, Funtoo has more categories: arch, build, subarch, flavor and mix-ins. Please see https://www.funtoo.org/Install/Profiles for details.
  • Funtoo uses a binary Debian kernel by default
  • emerge-webrsync is replaced with ego sync
  • the GRUB configuration is updated with ego boot update

WARNING! Funtoo is unable to boot from LVM (root filesystem on LVM) with the prepared Debian kernel and initramfs. You have to use genkernel etc.; some information is available on: https://www.funtoo.org/LVM_Install_Guide

If you insist on using LVM for the rootfs you also need to:

  • build kernel modules without compression, because the script /usr/share/genkernel/gen_initramfs.sh expects modules to have the extension .ko (no compression suffix). Your .config has to contain the option CONFIG_MODULE_COMPRESS_NONE=y
  • additionally ensure that Unix sockets are enabled (CONFIG_UNIX=y) - this default changed on the latest 6.8 kernels.
  • pass additional parameters to generate the initramfs: genkernel --lvm --ramdisk-modules initramfs
  • example entry in /etc/boot.conf
    "Funtoo Linux LVM" {
          kernel vmlinuz-6.8.7-vanilla-hpfun
          initrd initramfs-genkernel-x86_64-6.8.7-vanilla-hpfun
          params += dolvm doscsi noload=nfs doload=ahci real_root=auto rootfstype=ext4
    }
    
  • WARNING! The default initramfs does NOT boot properly if there is a recent lvm-thin volume on some drive (I have another HDD with Proxmox VE, where lvm-thin is the default). I don't know the exact cause of that problem, but when I compare the lvm version output, Proxmox has LVM from 2022 while Funtoo has LVM from 2017, so I guess there is some incompatible change in the lvm-thin format(?). Because it is treated as an error, the necessary LVM commands (lvm vgchange -a y and lvm vgmknodes) are not executed. In such a case you can enter the emergency shell and type these commands manually, then exit the shell and specify the proper root path (the same as real_root in the generated /boot/grub/grub.cfg) to continue booting. As a workaround I listed the allowed volume groups (VG) in /etc/lvm/lvm.conf by adding the line volume_list = ["king500"] (the VG on the Kingston SSD where Funtoo lives) in the section activation { ... }, and rebuilt the initramfs with genkernel --lvm --ramdisk-modules initramfs - this command also copies the current /etc/lvm/lvm.conf into the initramfs, which is required for it to be applied on boot.
  • WARNING! I have to blacklist nfs (with noload=nfs) - it was autoloaded on boot and hung the kernel...
  • See my kernel config on: https://github.com/hpaluch/funtoo-files/blob/master/kernel/sys-kernel/vanilla-sources-6.8.7/arch/x86/configs/hpfun_defconfig

WARNING! When I use custom kernels they don't like the set gfxpayload=keep that ego boot update puts into each entry in /boot/grub/grub.cfg. I use this simple post-fix after every run of ego boot update:

sed -i.bak -e  's/^\( *set *gfxpayload=keep.*\)/#\1/' /boot/grub/grub.cfg

WARNING! The nouveau driver is missing in gnome-stage3-generic_64-next-2024-04-18.tar.xz (I can't use the proprietary nvidia driver because they dropped support for my GT218 card in version 340 - around 10 years ago...). To enable nouveau one has to:

NOTE: The mix-in gfxcard-nvidia-legacy is too new for me:

/var/git/meta-repo/kits/core-gl-kit/profiles/funtoo/mix-ins/gfxcard-nvidia-legacy/package.mask
# Updated Sep 18 2019 -- use 390.129 or earlier.
>=x11-drivers/nvidia-kernel-modules-390.130
>=x11-drivers/nvidia-drivers-390.130

I need 340 or older...

To enable nouveau we may try:

sudo epro profile mix-in gfxcard-nouveau
sudo emerge -auDN @world

Build server

I always use a build server (Debian 12 host with Funtoo in a chroot) to avoid building the same binaries again and again...

NOTE: When using a long FQDN you have to add server_names_hash_bucket_size 256; to /etc/nginx/nginx.conf to avoid this fatal error:

[emerg] 2306#2306: could not build server_names_hash, \
 you should increase server_names_hash_bucket_size: 64

I actually used sudo apt-get install python3-certbot-nginx and the command sudo certbot --nginx -d MY_SERVER_FQDN to get a free certificate for https.

On the Debian 12 host I install nginx and certbot and acquire a Let's Encrypt https certificate. Then I add to /etc/nginx/sites-available/default:

       location /funtoo/portage {
                alias /srv/funtoo/AZ-SRV/var/cache/portage;
        }

My Funtoo chroot is right under /srv/funtoo/AZ-SRV.

WARNING! Within just 1 minute(!) there were attempts to attack my webserver from the public Internet:

64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /.vscode/sftp.json HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /about HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /v2/_catalog HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server-status HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /login.action HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /_all_dbs HTTP/1.1" 404 125 "-" "Mozilla/5.0 (l9scan/2.0.631313e2834323e2438313e243; +https://leakix.net)"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.DS_Store HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.env HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.git/config HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /s/631313e2834323e2438313e243/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /config.json HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /telescope/requests HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 200 409 "-" "Go-http-client/1.1"
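A defender-side check for exactly this pattern, added here as an example and not code from the original page: it parses nginx combined-log lines, groups them per client IP and flags a burst of requests inside a short window, or any request for a path a binpkg mirror never serves. The log lines, the IP addresses and the sensitive-path list are constructed for the example (the probed paths are the ones from the excerpt above).

```python
import re
from collections import defaultdict
from datetime import datetime

# Parser for nginx's default (combined) access-log format, the layout of the
# excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths a binpkg mirror never serves on purpose; any request for them is a
# reconnaissance probe (assumed list, taken from the excerpt above).
SENSITIVE_PATHS = {"/.env", "/.git/config", "/.DS_Store", "/config.json", "/server-status"}


def parse_line(line):
    """Return one access-log record as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window_seconds=60, min_requests=10):
    """Flag client IPs that issue at least min_requests requests inside any
    window_seconds span (a burst), or that touch a sensitive path at all.
    Returns {ip: {"requests", "not_found", "sensitive", "burst"}}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: is any run of min_requests consecutive requests
        # packed into window_seconds or less?
        burst = any(
            (recs[i + min_requests - 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds
            for i in range(len(recs) - min_requests + 1)
        )
        sensitive = sorted({r["path"] for r in recs if r["path"].split("?")[0] in SENSITIVE_PATHS})
        if burst or sensitive:
            report[ip] = {
                "requests": len(recs),
                "not_found": sum(1 for r in recs if r["status"] == 404),
                "sensitive": sensitive,
                "burst": burst,
            }
    return report


def _line(ip, ts, path, status, size, ua="Go-http-client/1.1"):
    """Build one constructed access-log line in the same format."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size} "-" "{ua}"'


SCAN_PATHS = ["/server", "/.vscode/sftp.json", "/about", "/debug/default/view?panel=config",
              "/v2/_catalog", "/server-status", "/login.action", "/_all_dbs", "/.DS_Store",
              "/.env", "/.git/config", "/config.json", "/telescope/requests"]

# Constructed sample log: one legitimate binpkg client (two fetches, minutes
# apart) followed by a 13-request scanner burst spanning two seconds. The IPs
# are documentation addresses, not the one from the real excerpt.
SAMPLE_LOG = [
    _line("198.51.100.7", "11/May/2024:08:40:01 +0000",
          "/funtoo/portage/packages/Packages", 200, 118234, "Wget/1.21"),
    _line("198.51.100.7", "11/May/2024:08:44:30 +0000",
          "/funtoo/portage/packages/sys-apps/file-5.45.xpak", 200, 920340, "Wget/1.21"),
] + [
    _line("203.0.113.9", f"11/May/2024:08:46:3{4 + i // 8} +0000", path, 404, 125)
    for i, path in enumerate(SCAN_PATHS)
]

if __name__ == "__main__":
    for ip, info in find_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against the real log with find_scanners(open('/var/log/nginx/access.log')): the flagged addresses are candidates for an nftables drop rule, and the not_found count next to the request count tells you the scanner found nothing on the mirror.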

There are official docs regarding building and consuming binary packages:

Differences from Gentoo:

  • Funtoo uses /var/cache/portage/packages instead of /var/cache/binpkgs

Example (incomplete) build server setup (Debian 12):

# on Debian 12 host
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
# I want to have manual control on system updates:
sudo systemctl mask apt-daily.timer dpkg-db-backup.timer apt-daily-upgrade.timer \
     man-db.timer e2scrub_all.timer fstrim.timer
sudo systemctl stop unattended-upgrades
sudo apt-get purge unattended-upgrades
sudo visudo
# To stop DNS requests: Append: Defaults !fqdn
# few utilities:
sudo apt-get install curl mc tmux vim wget
# prepare filesystem
sudo mkdir -p /srv/funtoo/funtoo-uni-gnome
cd /srv/funtoo/funtoo-uni-gnome
sudo curl -fLO https://build.funtoo.org/next/x86-64bit/generic_64/2024-04-18/gnome-stage3-generic_64-next-2024-04-18.tar.xz
sudo tar --numeric-owner --xattrs --xattrs-include='*' -xpf gnome-stage3-generic_64-next-2024-04-18.tar.xz

Our host is Debian (not Funtoo), so we have no fchroot available.

Entering chroot - omitted...

In chroot:

# verify that you extracted tarball with extended attributes:
getcap /sbin/unix_chkpwd
# must output: /sbin/unix_chkpwd = cap_dac_override+ep

If the output of getcap /sbin/unix_chkpwd is empty, it means that your filesystem lost the extended attributes - this will cause various malfunctions (for example the xfce4 screensaver will be unable to log the user back in!). In such a case you should format and extract the filesystem again with the proper tar options(!)

In chroot (continued):

# verify that DNS works:
nslookup www.google.com
# setting timezone
rm -f /etc/localtime
ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
date # verify that date shows correct timezone CE(S)T in my example

I'm currently testing this /etc/portage/make.conf:

MAKEOPTS="-j4"
USE="mmx sse sse2"
LINGUAS="en en_US"
# for Server:
FEATURES="buildpkg userfetch"
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --buildpkg-exclude 'acct-*/* virtual/* sys-kernel/*-sources'"
# for Client
#FEATURES="userfetch getbinpkg"
#EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg-exclude 'acct-*/* virtual/* sys-kernel/*-sources'"
#PORTAGE_BINHOST="https://FQDN_OF_BUILD_SERVER/funtoo/portage/packages"

Typical update & rebuild cycle (applies also to bootstrap):

ego sync
# log packages (-p = pretend) that will be updated:
emerge -p -uDN @world | tee ~/emerge-world-`date '+%y%m%d-%H%M'`.log
# again - with Ask this time:
emerge -auDN @world
# remove obsolete installed packages - DANGEROUS - double check output before saying yes!
# if you want to keep specific package use "emerge -n PACKAGE_NAME" to keep it.
emerge -ac
# clean obsolete binary packages (remove -p - pretend after review):
eclean -dp packages
# clean obsolete sources in /var/cache/portage/distfiles (remove -p - pretend after review):
eclean -dp distfiles

On system bootstrap we have also to:

# this is required to install GRUB modules into /boot/grub
grub-install /dev/sdX
# if you use real hardware you will likely need firmware:
emerge -an linux-firmware
# generate /boot/grub/grub.cfg
ego boot update
# enable DHCP client:
rc-update add dhcpcd default
# edit FQDN in /etc/conf.d/hostname
# I always use sudo - it will also install metalog logger:
emerge -an app-admin/sudo
rc-update add metalog default

Oops! On 2024-05-19 I hit this bug:

Oops! On 2024-04-23 I hit this bug:

cd /var/git/meta-repo/kits/text-kit
git diff

Applied diff:

diff --git a/app-text/enchant/enchant-2.7.0.ebuild b/app-text/enchant/enchant-2.7.0.ebuild
index a8f15bb..50934c1 100644
--- a/app-text/enchant/enchant-2.7.0.ebuild
+++ b/app-text/enchant/enchant-2.7.0.ebuild
@@ -31,8 +31,7 @@ BDEPEND="virtual/pkgconfig"
 
 src_configure() {
        local myconf=(
-               --disable-static
-               $(use_enable test relocatable)
+               --disable-static --enable-relocatable
                $(use_with aspell)
                $(use_with hunspell)
                $(use_with nuspell)
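Review bot: the replacement line drops `$(use_enable test relocatable)` and hard-codes `--enable-relocatable`, so the relocatable build is no longer tied to the test USE flag for anyone using this ebuild; if the intent is only to work around a build failure, add a one-line comment above `local myconf=(` saying so, otherwise the next ebuild bump will silently reintroduce the old line. Putting both options into one array element works because the element is unquoted and word-splits, but one option per line keeps the diff readable.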
@@ -48,4 +47,4 @@ src_configure() {
 src_install() {
        default
        find "${D}" -name '*.la' -delete || die
-}
\ No newline at end of file
+}
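Review bot: this hunk only adds the trailing newline after the closing `}` of src_install(); it clears the `\ No newline at end of file` warning but is unrelated to the configure change and would be cleaner as its own commit, or at least mentioned in the commit message.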

And then:

emerge -a app-text/enchant
emerge -auDN @world
emerge -an sys-kernel/debian-sources
# No Op in my case
emerge -anv linux-firmware
# No Op in my case
emerge -an net-firewall/nftables

2024-5-01: Oops! Hit by a bug building git: https://bugs.funtoo.org/browse/FL-12306 Commit: https://code.funtoo.org/bitbucket/projects/AUTO/repos/core-kit/commits/597b351d6a3ca803b6c8cce7fab7c9ccde22277f#dev-vcs/git/git-2.45.0.ebuild Posted workaround:

  1. cd /var/git/meta-repo/kits/core-kit
  2. apply patch below:
    diff --git a/dev-vcs/git/git-2.45.0.ebuild b/dev-vcs/git/git-2.45.0.ebuild
    index e8cef15..db17d92 100644
    --- a/dev-vcs/git/git-2.45.0.ebuild
    +++ b/dev-vcs/git/git-2.45.0.ebuild
    @@ -382,7 +382,6 @@ src_install() {
     	local contrib_objects=(
     		buildsystems
     		fast-import
    -		hg-to-git
     		hooks
     		remotes2config.sh
     		rerere-train.sh
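Review bot: removing `hg-to-git` from contrib_objects changes what src_install() ships, not just whether the build succeeds, so the installed package silently loses that contrib script; reference FL-12306 in a comment next to the array so the omission is understood, and confirm that the entry is really absent from the 2.45.0 sources rather than just mis-named, so the list stays in sync with upstream contrib/.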
    
  3. rerun emerge -auDN @world

Fixing ncdu: Illegal instruction

When I build ncdu (tested with sys-fs/ncdu-2.3:0) on a host whose CPU is incompatible with the client, I get:

$ ncdu

Illegal instruction

$ sudo dmesg

traps: ncdu[1995] trap invalid opcode ip:23bd81 sp:7fff83e84e70 error:0 in ncdu[220000+5b000]

This is because ncdu is written in the Zig language, which ignores CFLAGS et al. and by default optimizes code for the current (= build server's) CPU - which is a problem for me...

Try this workaround:

# run command below on build server:
ZIG_FLAGS="-Doptimize=ReleaseFast -Dcpu=x86_64" emerge -a ncdu
# after build run this command on client:
emerge -agk sys-fs/ncdu
# and run (-x does not enter volumes)
ncdu -x
# Wow! No longer "Illegal instruction"

Resources:

Metalog - dedicated firewall log

Metalog is the only official logger. By default it logs everything to /var/log/everything/current. I want to log firewall messages (nftables - basically the same as in my Gentoo setup) to dedicated files and nowhere else.

Firewall messages have these characteristics:

  • they come from the kernel
  • they contain the literal string [NFT]

I added this to /etc/metalog.conf:

# My rule - must be first
Kernel firewall :

    facility = "kern"
    regex    = "\[NFT\]"
    logdir   = "/var/log/firewall"
    break    = 1

# Original rules follow
Everything important :
...
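To see what the rule order and break = 1 buy you, here is an added example (not part of the original page) that replays metalog's ordered matching over constructed sample messages. The rule table is a simplified stand-in for the config above; the catch-all section is assumed to have no filter of its own, and the sample lines are made up.

```python
import re

# Constructed rule table mirroring the /etc/metalog.conf excerpt above: an
# ordered list of sections, each with optional facility and regex filters,
# a logdir, and a break flag that stops further matching.
RULES = [
    {"name": "Kernel firewall", "facility": "kern", "regex": r"\[NFT\]",
     "logdir": "/var/log/firewall", "break": True},
    # Stand-in for the stock "Everything important" section: no filter of its
    # own here (assumed simplification) and break = 0, so it catches the rest.
    {"name": "Everything important", "facility": None, "regex": None,
     "logdir": "/var/log/everything", "break": False},
]


def route(facility, message, rules=RULES):
    """Return the logdirs a (facility, message) pair is written to, walking the
    rules in order and stopping at the first matching rule that sets break."""
    targets = []
    for rule in rules:
        if rule["facility"] is not None and rule["facility"] != facility:
            continue
        if rule["regex"] is not None and not re.search(rule["regex"], message):
            continue
        targets.append(rule["logdir"])
        if rule["break"]:
            break
    return targets


# Constructed sample messages: an nftables drop logged by the kernel, an
# ordinary kernel line, and a daemon line that merely mentions [NFT].
SAMPLES = [
    ("kern", "[NFT] INPUT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5900"),
    ("kern", "usb 1-1: new high-speed USB device number 2 using xhci_hcd"),
    ("daemon", "dbus-daemon: Activating service name='org.freedesktop.GeoClue2' [NFT]"),
]


def route_samples(rules=RULES):
    """Route every sample message; pass rules=RULES[::-1] to see what happens
    when the firewall section is not first."""
    return [route(facility, message, rules) for facility, message in SAMPLES]


if __name__ == "__main__":
    print(route_samples())             # firewall line goes only to /var/log/firewall
    print(route_samples(RULES[::-1]))  # order reversed: it lands in both dirs
```

With the firewall section first and break = 1, the nftables line reaches only /var/log/firewall; with the catch-all first it is written to both directories, which is why the comment in the config says the rule must come first. The daemon line shows that the facility filter, not just the regex, decides what counts as a firewall message.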

Dual-boot with NetBSD

I have the following 2nd-disk layout using the MBR + BIOS scheme:

  • /dev/sdb1 - NetBSD disklabel
  • /dev/sdb2 - Funtoo Linux /boot
  • /dev/sdb3 - Funtoo Linux swap
  • /dev/sdb4 - Funtoo Linux /

GRUB is installed into the MBR of /dev/sdb (and it also occupies a few blocks before the start of /dev/sdb1).

To add NetBSD to GRUB menu I appended to /etc/boot.conf:

"NetBSD" {
	type win7
	params  root=/dev/sdb1
}

And ran ego boot update. Under the hood, type win7 uses "chainloader" (grub simply loads the specified sector from /dev/sdb1 into RAM and jumps to it (chains) to continue booting the OS from /dev/sdb1).

You can look into the generated config at the standard location /boot/grub/grub.cfg.

What is weird is that although /usr/share/ego/python/funtoo/boot/extensions/grub.py contains:

if mytype in ["win7", "win8"] or mytype == "win10" and self.uefiboot is False:
        boot_menu.lines.append("  chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
                "  chainloader +4"
        )
elif mytype in ["vista", "dos", "winxp", "haiku"]:
        boot_menu.lines.append("  chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
                "  chainloader +1"
        )
elif mytype in ["win10"]:
        boot_menu.lines.append("  chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
                "  chainloader /EFI/Microsoft/Boot/bootmgfw.efi"
        )

It works (I should rather have chosen an OS type that uses chainloader +1 instead of +4) - it is a mystery that it works.

Example of changes

Here is my experiment - maintaining the "srv" (aka "core") edition of Funtoo Linux and seeing how many updates there are.

Doing:

ego sync
# on server:
emerge -auDN @world
# on client append -gk to use binaries

# carefully study output:
emerge -ac
# on server only: (clean obsolete binaries):
eclean -dp packages
# review list and then run:
eclean -d packages

  • 2024-02-03:
    • previous update (not tracked here)
  • 2024-02-12:
    • 8 packages:
      [ebuild     U  ] sys-libs/ncurses-6.4_p20240210 [6.4_p20240127]
      [ebuild     U  ] app-misc/ca-certificates-20240203 [20230311]
      [ebuild     U  ] app-editors/vim-core-9.1.0076 [9.1.0059]
      [ebuild     U  ] dev-vcs/git-2.43.1 [2.43.0]
      [ebuild     U  ] dev-lang/rust-bin-1.76.0 [1.75.0]
      [ebuild     U  ] virtual/rust-1.76.0 [1.75.0]
      [ebuild     U  ] dev-db/postgresql-16.2 [16.1]
      [ebuild     U  ] app-editors/vim-9.1.0076 [9.1.0059]
      
    • please note that the Rust binary alone takes 481MB installed...

Security

It is useful to at least sometimes look at what is listening on TCP or UDP ports, using any of:

ss -ltu
netstat -tulnp

You should pay special attention to processes that listen globally, which means:

  • 0.0.0.0:PORT for IPv4, for example 0.0.0.0:22 (SSH listening for TCP/IPv4 connections)
  • :::PORT for IPv6, for example :::22 (SSH listening for TCP/IPv6 connections)

I found (in the gnome flavor) that vino-server is listening globally on port 5900 for VNC connections. It is installed as the package net-misc/vino and started on GNOME login. To disable it, it should be enough to remove the link:

rm /etc/xdg/autostart/vino-server.desktop
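As an added example (not from the original page), a small parser for ss -ltun output that lists only the wildcard-bound sockets and then diffs them against an allow list of ports you expect to be open. The sample output and the allow list are constructed; the 5900 entry mirrors the vino-server finding above.

```python
# Constructed sample of `ss -ltun` output (the -n keeps ports numeric); the
# layout follows iproute2's ss, but this is not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:5900      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      511            [::1]:80          [::]:*
"""

# Addresses that mean "every interface": 0.0.0.0 and [::] as ss prints them,
# :: as netstat prints it (:::22), and the bare * some ss versions use.
WILDCARDS = {"0.0.0.0", "[::]", "::", "*"}


def parse_ss(text):
    """Turn ss -ltun output into (proto, local_address, port) tuples,
    skipping the header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, local = cols[0], cols[4]
        addr, port = local.rsplit(":", 1)
        sockets.append((proto, addr, int(port)))
    return sockets


def global_listeners(text):
    """Sockets bound to a wildcard address, i.e. reachable from any network,
    sorted by port."""
    return sorted((s for s in parse_ss(text) if s[1] in WILDCARDS),
                  key=lambda s: (s[2], s[0], s[1]))


def unexpected_listeners(text, allowed_ports):
    """Global listeners whose port is not on the allow list; on the sample
    this singles out 5900, the vino-server VNC port found above."""
    return [s for s in global_listeners(text) if s[2] not in allowed_ports]


if __name__ == "__main__":
    # Assumed allow list for this host: SSH and the DHCP client port.
    for proto, addr, port in unexpected_listeners(SAMPLE_SS, {22, 68}):
        print(f"unexpected global listener: {proto} {addr}:{port}")
```

On a real host feed it the output of subprocess.run(["ss", "-ltun"], capture_output=True, text=True).stdout instead of SAMPLE_SS; loopback-only services such as the 127.0.0.1:5432 postgres socket in the sample are deliberately left out of the report, since they are the ones you want.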

Security: GEO clue

GeoClue is unbelievable spyware that will start on request of any whitelisted app and query your location using Mozilla Location Services (location.services.mozilla.com). If you don't believe it, look at /etc/geoclue/geoclue.conf. You can use the command equery f app-misc/geoclue to list all files related to GeoClue.

Please note that geoclue can be started at any time - whenever some application requests it through dbus using the hook /usr/share/dbus-1/system-services/org.freedesktop.GeoClue2.service - another reason why dbus should be banned... If you have metalog running you can find it in the logs:

grep GeoClue /var/log/everything/current

[dbus-daemon] [system] Activating service name='org.freedesktop.GeoClue2' requested by ':1.17' (uid=109 pid=11369 comm="/usr/bin/gnome-shell ") (using servicehelper)

So be aware that it means absolutely nothing that there is no startup script in /etc/init.d (but there is one for systemd...).

I also removed the agent for geoclue - it is a spy service that will contact Mozilla servers on each boot (or login) to determine your location. It will then happily provide your location to any dbus client...

rm /etc/xdg/autostart/geoclue-demo-agent.desktop

But that is not the whole story. There is also this service:

$ equery b /usr/share/applications/geoclue-where-am-i.desktop

app-misc/geoclue-2.4.13

WARNING! This spyware can't be removed - gnome-shell REQUIRES it to start at all! I am trying to at least silence it in /etc/geoclue/geoclue.conf.

Nginx notes

Install with:

emerge -an www-servers/nginx

WARNING! In the default configuration, NGINX listens only on localhost, so it is NOT reachable from outside. To allow a global http server on port 80 you can:

  • use my example of /etc/nginx/sites-available/default
  • remove the localhost link and create a new default link with:
    # the links live in sites-enabled; the config files themselves stay in sites-available
    cd /etc/nginx/sites-enabled
    rm localhost
    ln -s ../sites-available/default

Now verify that configuration is valid with:

/etc/init.d/nginx configtest

Enable autostart in the default run-level:

rc-update add nginx

Start it manually (only needed now, before the first reboot):

/etc/init.d/nginx start

TODO: https support (certs or certbot)

Trac

There is a trac package but it does not work:

emerge -av www-apps/trac

These are the packages that would be merged, in order:

Calculating dependencies... done!

emerge: there are no ebuilds to satisfy "dev-python/genshi[python_targets_python2_7(-)?,-python_single_target_python3_10(-),-python_single_target_pypy3(-),-python_single_target_python3_7(-),-python_single_target_python3_6(-),-python_single_target_python3_9(-),-python_single_target_python3_8(-)]".
(dependency required by "www-apps/trac-1.2.1::net-kit" [ebuild])
(dependency required by "www-apps/trac" [argument])

There is a python2 binary but it is just a wrapper:

$ equery b /usr/bin/python2

 * Searching for /usr/bin/python2 ... 
dev-lang/python-exec-2.4.6-r2 (/usr/bin/python-exec2c)
dev-lang/python-exec-2.4.6-r2 (/usr/bin/python2 -> python-exec2c)

Installing python 2 alongside the existing python 3:

emerge -av '<dev-lang/python-3.0'

Verifying that both python versions work:

$ python2 --version

Python 2.7.18

$ python3 --version

Python 3.9.19

Bugs

Unable to emerge Ruby on Rails

emerge -an dev-ruby/rails

emerge: there are no ebuilds to satisfy ">=dev-ruby/sprockets-3.0.0:*[ruby_targets_ruby31(-)]".
(dependency required by "dev-ruby/sprockets-rails-3.2.2::ruby-kit[-test,ruby_targets_ruby31]" [ebuild])
(dependency required by "dev-ruby/rails-6.1.4::ruby-kit[ruby_targets_ruby31]" [ebuild])
(dependency required by "dev-ruby/rails" [argument])

This already happened in the past (with different versions):

Nested Grub menu

I use the 1st HDD with Proxmox VE as the only boot GRUB loader. However it has os-prober intentionally disabled, because there is a risk that it will find "phony" Linux installations on lvm-thin (or plain lvm) partitions. So I can't safely use os-prober to add Funtoo or other foreign Linux distributions to the Proxmox GRUB menu.

However, as long as my target Funtoo has generated a proper /boot/grub/grub.cfg on its partition (with ego boot update), one can use nested GRUB menu loading. Here is an excerpt from my /etc/grub.d/40_custom on the Proxmox host, which loads the Funtoo grub menu from an MBR partition with an ext4 filesystem:

menuentry "Funtoo Srv - nested grub - SAMTB /dev/sdb10" {
        insmod part_msdos
        insmod ext2
        search --no-floppy --fs-uuid --set=root 64021de2-1f63-4d4a-b3e6-38ba996b3c74
        configfile /boot/grub/grub.cfg
}

This snippet, when selected, will magically load the menu from Funtoo's /boot/grub/grub.cfg, so it is always up-to-date :-)