Gentoo - hpaluch/hpaluch.github.io GitHub Wiki

Gentoo notes

Gentoo is the legendary Linux distribution where it is possible to easily build (and rebuild) the complete system from sources with fine tuning.

Example scenarios:

  • real freedom: you may use OpenRC instead of SystemD
  • build binaries without X and/or without IPv6 (or any other significant options)
  • good playground for emerging technologies (Wayland)

Installation guide is on:

Problems - there are sometimes various disputes and disagreements in Gentoo development:

WARNING! Before any profile change (including upgrade to higher profile version) you should consult in detail this page:

Emerge basics

Emerge is the central tool (using "Portage" virtual packages) to build and manage packages.

Typical workflow:

  • search for a package:
    emerge -s ncdu
  • pretend install (dry run):
    emerge -p sys-fs/ncdu
  • now really build, with ask (-a) and without rebuilding (-n) an already installed package:
    # must be run as root
    emerge -an sys-fs/ncdu

It is recommended to install gentoolkit, which contains many advanced commands:

# run as root
emerge -an app-portage/gentoolkit

Now there are several useful commands:

# find which package a file belongs to:
equery -b /usr/bin/ncdu
# list installed packages matching ncdu
equery l ncdu
# list all files belonging to package sys-fs/ncdu
equery f sys-fs/ncdu

# find the meaning of the USE flag cdda
euse -i cdda

Listing all installed packages:

# just names
qlist -I
# with version numbers
qlist -Iv

Installation notes

Although there is no PDF version of the installation manual, there is a "single HTML page" version at:

How to make Gentoo manageable

There are two important ways to speed up builds or to create reusable binary packages (!)

  1. To just speed up builds you can use distcc, see

  2. To build a time-consuming package (for example gcc) only once, you may use binary packages. For details please see:

Please note that there are significant constraints when combining distcc and/or binary packages from different hosts; they are described in the guides above.

Note: I'm working on setup guide in dedicated wiki page: Gentoo setup.

Intersecting architectures

I want to make a build compatible with these 2 distinct processors from the same (AMD) vendor:

  1. AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ (my old bare-metal machine)
  2. AMD EPYC 7763 64-Core Processor (VM in Azure, "Size": Standard E4as v5 (4 vcpus, 32 GiB memory), or "CLI" size: Standard_E4as_v5). If I understand it properly, the series with the letter a use AMD CPUs, so E4as uses AMD EPYC; see https://azure.microsoft.com/en-us/pricing/details/virtual-machines/series/

It may sound easy (saying that K8 is simply a subset of EPYC), but there is a catch:

  • AMD EPYC dropped 3DNow support (!)

How to get the CPU capabilities:

  • right after chroot (before the REBUILD!) install these 2 packages:
    emerge -a app-portage/cpuid2cpuflags app-misc/resolve-march-native
  • and then run these 2 commands on each machine:
    1. resolve-march-native
      • X2: -march=k8-sse3 -mtune=k8 -mcx16 -mno-tune=k8-sse3 -msahf --param=l1-cache-line-size=64 --param=l1-cache-size=64 --param=l2-cache-size=512
      • EPYC: -march=znver3 -mno-mwaitx -mno-pku -mno-wbnoinvd -mshstk --param=l1-cache-line-size=64 --param=l1-cache-size=32 --param=l2-cache-size=512
    2. cpuid2cpuflags
      • X2: CPU_FLAGS_X86: 3dnow 3dnowext mmx mmxext sse sse2 sse3
      • EPYC: CPU_FLAGS_X86: aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3

NOTE1: On AMD K8, sse3 is listed as pni in /proc/cpuinfo (which resolves the surprise that there is no sse3 there).

NOTE2: There is no -mno-3dnowext, so I did not use it...
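
The intersection of the two cpuid2cpuflags outputs can be computed instead of done by hand. This is an added example, not part of the original notes: a POSIX shell script that takes the two CPU_FLAGS_X86 lines quoted above (embedded here as sample data) and prints the common flags, the flags only the old machine has (the 3DNow catch), and the resulting make.conf line.

```shell
#!/bin/sh
# Added example (not from the original notes): intersect the CPU_FLAGS_X86
# reported by cpuid2cpuflags on two machines, so the merged make.conf only
# enables instruction sets that both CPUs really have.

# Sample inputs: the cpuid2cpuflags lines quoted above for the Athlon 64 X2
# and the EPYC 7763 (copied from the notes, not re-measured here).
X2_FLAGS='CPU_FLAGS_X86: 3dnow 3dnowext mmx mmxext sse sse2 sse3'
EPYC_FLAGS='CPU_FLAGS_X86: aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sha sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3'

# intersect_flags FLAGS_A FLAGS_B
# Prints, on one line, the flags present in both lists, keeping the order of
# FLAGS_A. A leading "CPU_FLAGS_X86:" prefix is stripped from either argument.
intersect_flags() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { sub(/^CPU_FLAGS_X86: */, "") }
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) pos[$i] = i; next }
        NR == 2 { for (i = 1; i <= NF; i++) if ($i in pos) common[pos[$i]] = $i }
        END {
            sep = ""
            for (i = 1; i <= n; i++) if (i in common) { printf "%s%s", sep, common[i]; sep = " " }
            printf "\n"
        }'
}

# only_in_first FLAGS_A FLAGS_B
# Prints the flags of FLAGS_A that FLAGS_B lacks: a binary built with these
# enabled on machine A would hit illegal instructions on machine B.
only_in_first() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { sub(/^CPU_FLAGS_X86: */, "") }
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) order[i] = $i; next }
        NR == 2 { for (i = 1; i <= NF; i++) have[$i] = 1 }
        END {
            sep = ""
            for (i = 1; i <= n; i++) if (!(order[i] in have)) { printf "%s%s", sep, order[i]; sep = " " }
            printf "\n"
        }'
}

# make_conf_line FLAGS_A FLAGS_B
# Emits the CPU_FLAGS_X86 assignment for /etc/portage/make.conf.
make_conf_line() {
    printf 'CPU_FLAGS_X86="%s"\n' "$(intersect_flags "$1" "$2")"
}

echo "common to both:        $(intersect_flags "$X2_FLAGS" "$EPYC_FLAGS")"
echo "only on the Athlon X2: $(only_in_first "$X2_FLAGS" "$EPYC_FLAGS")"
echo "only on the EPYC:      $(only_in_first "$EPYC_FLAGS" "$X2_FLAGS")"
make_conf_line "$X2_FLAGS" "$EPYC_FLAGS"
```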

Here are my merged flags in /etc/portage/make.conf:

# COMMON_FLAGS: we intersect K8 and EPYC
COMMON_FLAGS="-O2 -pipe -fno-strict-aliasing -march=k8-sse3 -mtune=k8-sse3 -mno-3dnow"

# CPU_FLAGS_X86: we intersect K8 and EPYC - EPYC dropped the 3DNow(!) sets...
CPU_FLAGS_X86="mmx mmxext sse sse2 sse3"

# Here are my other options:
MAKEOPTS="-j5"
USE="vaapi vdpau brotli webp -kde -accessibility -openmp -fortran -qmanifest -imap -pop3 -qtegrity -tftp -multilib compress-zstd zstd logrotate wayland kms gles2 vim-syntax lvm lm-sensors contrib layers tray wallpapers -bluetooth -joystick"
VIDEO_CARDS="nouveau intel qxl"
GENTOO_MIRRORS="http://ftp.fi.muni.cz/pub/linux/gentoo/"
ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE"
FEATURES="buildpkg"
# Server: which binary packages to NOT build:
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --buildpkg-exclude 'acct-*/* sys-kernel/*-sources virtual/*'"

Now you can happily rebuild the world with:

emerge --ask --verbose --update --deep --newuse @world

Important resources:

Favorite packages

Here are my favorite packages:

  • app-editors/vim - best editor ever
  • app-misc/mc - mature Norton Commander clone
  • app-admin/sudo - I got used to it (Debian in the past pushed everyone to use it and then suddenly removed it from the default install...)
  • app-misc/tmux - virtual consoles (similar to the older screen)
  • sys-fs/ncdu - full-screen disk-usage application with easy navigation and deletion. NOTE: use the -x option to NOT descend into other filesystems (/proc, etc...)
  • app-admin/sysstat - provides the important tools iostat and pidstat
  • sys-apps/smartmontools (on bare metal, to quickly check SSD wear...)
  • sys-process/lsof - list files opened by process(es)
  • app-portage/gentoolkit - a lot of useful repository query commands
  • net-firewall/nftables - latest kernel firewall (but needs config)

Installing Git

  • First I enable highlight globally using:
    euse -E highlight
  • Optional: enable generated documentation (Docbook) for git:
    echo 'dev-vcs/git doc' >> /etc/portage/package.use/custom
  • Then I install git as a dependency of git-lfs (Large File Storage plugin) using:
    emerge -an dev-vcs/git-lfs

NVidia support

I have the following NVidia card:

lspci | fgrep VGA

06:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 210] (rev a2)

According to this table https://nouveau.freedesktop.org/CodeNames.html I need firmware: NVA8 (GT218)

In my case I plan to use the nouveau (open-source) driver for NVidia.

  • following https://wiki.gentoo.org/wiki/Nouveau
  • setup proper variables in /etc/portage/make.conf:
    VIDEO_CARDS="nouveau"
    ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE"
  • you may need to rebuild the world to build Mesa and other base libraries:
    emerge --ask --changed-use --deep @world
  • install firmware:
    # CHANGED! Guide incorrectly uses sys-firmware/nvidia-firmware which is MASKED!
    emerge --ask sys-kernel/linux-firmware

WARNING! To properly initialize the console with DRM, note this:

  • These options must be DISABLED:
    • CONFIG_DRM_SIMPLEDRM
    • CONFIG_SYSFB_SIMPLEFB
  • These options must be ENABLED:
    • CONFIG_FB
    • CONFIG_FB_MODE_HELPERS
    • CONFIG_FB_SIMPLE

Otherwise the text console will just freeze without any progress... (I built the kernel more than 3 times to find the right combination of the above switches.)

Binary packages

Described here:

To build a binary package from an already installed package use quickpkg, for example:

quickpkg --include-config y app-misc/mc
ls -l /var/cache/binpkgs/app-misc/mc

WARNING! quickpkg creates packages with wrong permissions. After running it, relax the permissions using:

chmod a+rX -R /var/cache/binpkgs

To build a binary package on every new source build, simply add this to /etc/portage/make.conf:

# Server: enable building Binary packages in /var/cache/binpkgs
FEATURES="buildpkg"
# Server: which Binary packages to NOT build:
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --buildpkg-exclude  'acct-*/* sys-kernel/*-sources virtual/*'"

NOTE: Packages are already compressed with zstd by default, so there is no real need to use the BINPKG_COMPRESS variable.

Built packages are stored in /var/cache/binpkgs/

To make them available to clients we can again follow the guide and:

  • install web server:
    emerge -an www-servers/lighttpd
  • append to /etc/lighttpd/lighttpd.conf
    # listen to IPv4
    server.bind = "0.0.0.0"
    server.port = "80"
    # enable listing for binary packages...
    server.dir-listing = "enable"
    server.modules += ( "mod_alias" )
    alias.url = ( "/packages" => "/var/cache/binpkgs/" )
    
  • and start it manually or add it to the default runlevel...
  • if you are using Gentoo in a chroot the init script will not work, but you can start it manually just by using:
    /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf

We have to replace sync-uri in binrepos.conf instead of using make.conf, otherwise emerge will sometimes attempt to fetch binaries from the official Gentoo server, which WILL clash (because they expect systemd).

So in this case edit /etc/portage/binrepos.conf/gentoobinhost.conf this way:

[gentoobinhost]
priority = 1
#sync-uri = https://gentoo.osuosl.org/releases/amd64/binpackages/17.1/x86-64
sync-uri = http://YOUR_BINHOST_SERVER/packages

Finally we should make an exclude list for the CLIENT; add this line to your /etc/portage/make.conf:

# Client: do not fetch specified binary packages (use always source)
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg-exclude  'sys-kernel/gentoo-sources virtual/*'"

Notice that this time we used --usepkg-exclude instead of --buildpkg-exclude.

To download and install binary packages only, use the switches -GK (they will fail if a binary package is not available), or -gk, which will just build from source if a binary package is not available...

Example client command:

sudo emerge -anGK gui-wm/sway

You should see magenta [binary N] flags before you proceed...

WARNING! Always install the same set of packages (with the same settings in /etc/portage/*) on both the binary server and the client! I accidentally installed media-sound/apulse on the client, which created an unresolvable conflict with pulseaudio from the binary server. I had to uninstall it on the client using:

emerge -Ca media-sound/apulse

Working ALSA audio

Follow the guide from: https://wiki.gentoo.org/wiki/ALSA. For the impatient:

euse -E alsa
emerge --ask --changed-use --deep @world
emerge -an media-sound/alsa-utils
# this will unmute mixer in future (see below)
rc-update add alsasound boot
# CLI mp3 player to test sound
emerge -an media-sound/mpg123

WARNING! Currently these additions to /etc/portage/package.use/custom are needed:

media-plugins/mpg123-output-plugins -haptic -sdl
media-sound/mpg123 -haptic -sdl

Remember to add yourself to the audio group:

sudo usermod -G audio -a USERNAME

To verify that your card was found, try this command:

alsactl info

#
# Sound card
#
- card: 0
  id: NVidia
  name: HDA NVidia
  longname: HDA NVidia at 0xfccf0000 irq 21
  driver_name: HDA-Intel
  mixer_name: Realtek ALC883
  components: HDA:10ec0883,14627250,00100002
  controls_count: 47
  pcm:
...

Now there is a last trick: ALSA by default MUTES the audio output.

First use the full-screen app to unmute the Master PCM output:

alsamixer -c 0
  • warning! without -c 0 it can connect to the PulseAudio daemon (which often runs in the background when using Wayland or X)
  • ensure that the proper card name is shown, in my case HDA NVidia
  • select the Master knob using the Left/Right arrows
  • press M to unmute the output (MM should change to OO)
  • increase the volume
  • in another console start mpg123 or another audio program

Now save the mixer settings:

sudo /etc/init.d/alsasound save

This should also be enough for Firefox to play sound.

Wayland

Gentoo is ideal for experiments, including Wayland. The official guide is at: https://wiki.gentoo.org/wiki/Wayland. You should have working DRM (see the section above).

However, it is a good idea to keep both X and Wayland support in applications, because many things in Wayland do not work properly yet (for example some bookmark menus in Firefox...)

Here is an interesting list of Wayland applications:

NOTE: This is work in progress. Not sure whether I should use EGL (supported by NVidia):

First I have to add these per-package options to /etc/portage/package.use/custom:

>=gui-apps/swaybg-1.2.0 gdk-pixbuf
# required for Wayland
sys-auth/seatd server

Here is what I did:

# Sway is compositor ("X-Server" replacement)
emerge -an gui-wm/sway sys-auth/seatd
# this terminal is directly mentioned in /etc/sway/config
emerge -an gui-apps/foot
# this menu generator is used by Sway
emerge -an x11-misc/dmenu
# nice SysTray (found on Fedora)
emerge -an gui-apps/waybar

NOTE: For Waybar there are many feature-related flags; I use these in /etc/portage/package.use/custom:

gui-apps/waybar pulseaudio network evdev experimental

NOTE: waybar 0.9.22 requires this in /etc/portage/package.use/custom:

# required by waybar
>=dev-libs/libdbusmenu-16.04.0-r2 gtk3

Optional: Terminus monospace font:

emerge -an media-fonts/terminus-font

After emerge I recommend enabling waybar: edit the bar section in /etc/sway/config this way:

# from Fedora /usr/share/sway/config.d/90-bar.conf
# Requires: waybar
bar {
    position top
    swaybar_command waybar
}

But before running it you need the "seat management library" (in the case of OpenRC instead of systemd). Following: https://wiki.gentoo.org/wiki/Seatd

Enable and start the service:

rc-update add seatd default
rc-service seatd start

Finally you have to add yourself to these groups:

usermod -G video,seat -a YOUR_USERNAME

Additionally create the XDG_RUNTIME_DIR variable; append this to your ~/.bashrc:

# required by Sway/Wayland
# modified version from: https://github.com/swaywm/sway/issues/7202
export XDG_RUNTIME_DIR="$HOME/.runtime-$USER"

[ -d "$XDG_RUNTIME_DIR" ] || {
        mkdir -p "$XDG_RUNTIME_DIR"
        chmod 0700 "$XDG_RUNTIME_DIR"
}

Congratulations! Now log in again and run sway; you should see a plain screen with a simple bar...

Basic commands:

  • most commands start with the "Left Windows Key", also called the "Logo" key (Mod4)
  • press Logo+ENTER to open a new foot terminal
  • press Logo+d to show a menu with all commands from /usr/bin/ (the menu is at the top right)
    • use the Left and Right arrows to scroll through all commands
    • use ENTER to run the selected command
    • use ESC to leave the menu
  • if you run more than one application they will tile (no overlap), like the original Xerox windowing system.
  • you can use Logo+(h,j,k,l) to switch focus (like Vim keys)
  • you can use Logo+NUMBER to switch workspaces; the number is in the top-left corner...
  • finally use Logo+SHIFT+e to exit Sway (you will be prompted on the status bar for confirmation)

Or another workflow:

  • change the window layout:
    • Logo+S (stacking): there is a vertical list (stack) of windows at the top; you can select another window using Logo+Up or Logo+Down according to that vertical list
    • Logo+W (tabbed): there is a horizontal list (tabs) of windows at the top; you can select another window using Logo+Left or Logo+Right according to that horizontal list
    • Logo+E ("toggle split"): you will see all windows tiled; press Logo+E again to toggle between horizontal and vertical tiling
  • Resize mode:
    • useful only in tiled mode (Logo+E)
    • press Logo+R to enter resize mode (the "Resize" keyword is shown at the top left)
    • now you can resize the active window with the arrow keys

To change the font in the Foot terminal to Terminus (if you installed it), uncomment or add this line in /etc/xdg/foot/foot.ini:

font=Terminus:size=12
  • just exiting and opening the terminal again (with Logo+ENTER) should be enough to apply the new setting.

To study:

Wayland taking screenshot

You need up to 2 tools, as described at:

emerge -an gui-apps/slurp gui-apps/grim

While Sway is running you can just try:

mkdir -p ~/Pictures
cd ~/Pictures
grim -c

It will create a timestamped image ending with .png in the current directory...

Firefox for Wayland

Firefox:

  • NOTE: It is possible to use the binary package firefox-bin to avoid the time-consuming compile
  • but we will build it from sources for fun...
  • official guide: https://wiki.gentoo.org/wiki/Firefox

Here are my USE flags in /etc/portage/make.conf:

USE="-openmp -fortran -qmanifest -imap -pop3 -qtegrity -tftp -multilib compress-zstd zstd logrotate wayland kms gles2 vim-syntax lvm lm-sensors contrib layers tray wallpapers -bluetooth -joystick"

Append per-package flags to /etc/portage/package.use/custom:

# Custom USE flags per app
app-text/ghostscript-gpl -dbus
app-arch/cpio  -nls
app-editors/vim -X -acl -crypt -sound
>=gui-apps/swaybg-1.2.0 gdk-pixbuf
# required for Wayland
sys-auth/seatd server

Build time (4 cores):

qlop -tH firefox
2023-12-24T16:09:00 >>> www-client/firefox: 1 hour, 22 minutes, 13 seconds

Adding shortcut to Firefox:

  • first create the directory: mkdir -p /etc/sway/config.d
  • now create file /etc/sway/config.d/firefox with contents:
    bindsym Ctrl+F12 exec /usr/bin/firefox
    
  • and run sway...

Building Chromium

I need Chromium (or any Chromium-based browser) for web apps that simply don't work under Firefox:

  • MS Skype (web version)
  • MS Teams (web version)
  • e-shop https://www.tme.eu/ - it appears to work, but never shows alerts (for example for an invalid login name) under Firefox...
  • and possibly others...

Surprisingly there is only a source package called www-client/chromium, but no binary one. The binary was masked and scheduled for removal around May 2023:

There are several USE flags that need to be set:

  • for: www-client/chromium-120.0.6099.129
  • append to /etc/portage/package.use/custom:
    # CHROMIUM
    # 2 lines below were produced with: emerge -an www-client/chromium
    >=sys-libs/zlib-1.3-r2 minizip
    >=net-libs/nodejs-20.6.1 inspector
    # enabled pulseaudio; widevine is the DRM codec required for Spotify, etc...
    www-client/chromium pulseaudio widevine

  • Additionally I added custom localizations to /etc/portage/make.conf:
    L10N="cs en en-US en-GB"
  • and finally run:
    emerge -an www-client/chromium
  • you need around 30GB to build and install Chromium (14GB build, and more space for the install, etc...)
  • you should have a properly configured and built kernel under /usr/src/linux, otherwise there will be several warnings:
    Determining the location of the kernel source code
    Unable to find kernel sources at /usr/src/linux
    Please make sure that /usr/src/linux points at your running kernel,
    (or the kernel you wish to build against).
    Alternatively, set the KERNEL_DIR environment variable to the kernel sources location
    Unable to calculate Linux Kernel version for build, attempting to use running version
    Unable to check for the following kernel config options due
    to absence of any configured kernel sources or compiled
    config:
      PID_NS - PID_NS is required for sandbox to work
      NET_NS - NET_NS is required for sandbox to work
      SECCOMP_FILTER - SECCOMP_FILTER is required for sandbox to work
      USER_NS - USER_NS is required for sandbox to work
      ADVISE_SYSCALLS - CONFIG_ADVISE_SYSCALLS is required for the renderer (bug #552576)
      COMPAT_VDSO - CONFIG_COMPAT_VDSO causes segfaults (bug #556286)
      GRKERNSEC - CONFIG_GRKERNSEC breaks sandbox (bug #613668)
    You're on your own to make sure they are set if needed.

The above build will take a lot of time:

  • times on Azure VM Standard E4as v5 (4 vcpus, 32 GiB memory) with AMD EPYC 7763
  • nodejs (uses the V8 JavaScript engine from Google) builds 1695 files with C++ and took 56 minutes (so nearly 1 hour):
    qlop -tH net-libs/nodejs
    2023-12-24T14:50:38 >>> net-libs/nodejs: 59 minutes, 50 seconds
    # line below is rebuild for Chromium
    2023-12-28T07:15:57 >>> net-libs/nodejs: 56 minutes
  • chromium build itself: ...
  • watching chromium build progress:
    egrep '^\[' /var/tmp/portage/www-client/chromium-120.0.6099.129/temp/build.log | tail -1 | sed 's/ .*//'

    [44040/58074]

How to resume interrupted build:

My favorite GUI packages

Here is my list:

  • app-text/evince - PDF viewer (but has some Gnome dependencies)
  • www-client/firefox - Firefox built from source
  • media-video/vlc - multimedia player; be careful, it may pin ffmpeg to an old version with some configuration parameters
  • media-gfx/gthumb - image viewer (depends on Gnome libraries)
  • media-gfx/imagemagick - image converter
  • x11-misc/vdpauinfo - info on hardware video acceleration
  • xfce4 plugins:
    emerge -an xfce-extra/xfce4-cpugraph-plugin xfce-extra/xfce4-diskperf-plugin \
      xfce-extra/xfce4-netload-plugin xfce-extra/xfce4-pulseaudio-plugin
  • media-sound/audacious - GUI audio player
  • dev-util/geany - lightweight IDE (I use it as simple editor with syntax highlight)

NOTE: For gthumb, to avoid building a lot of unneeded deps:

  • add to /etc/portage/package.use/custom:
    # cdr has lots of dependencies - disabled
    media-gfx/gthumb -cdr
  • and build with: emerge -an gthumb

NOTE: For ImageMagick: to use Microsoft fonts you have to:

  • add license MSttfEULA to /etc/portage/make.conf:
    ACCEPT_LICENSE="@FREE @BINARY-REDISTRIBUTABLE MSttfEULA"
  • and I appended these flags to USE in /etc/portage/make.conf:
    USE="... fontconfig corefonts tahoma"
  • and finally install using:
    emerge -an media-gfx/imagemagick

VLC warning:

  • found an issue: conflicts on the ffmpeg version
  • because in /var/db/repos/gentoo/media-video/vlc/vlc-3.0.18-r3.ebuild there is:
    # <ffmpeg-5 dep for USE="ffmpeg vaapi" for bug #864721
    RDEPEND="
      ffmpeg? ( >=media-video/ffmpeg-3.1.3:=[postproc,vaapi?,vdpau?] )
      vaapi? (
             <media-video/ffmpeg-5
             media-libs/libva:=[drm(+),wayland?,X?]
      )
      "
    
  • while the up-to-date ffmpeg is 6 (try equery m media-video/ffmpeg)

KeePass problem (my favorite password manager, written in .NET):

  • There is a circular dependency reported on:
    emerge -an app-admin/keepass
  • there is a hint to temporarily use USE='minimal' for dev-lang/mono:
    echo 'dev-lang/mono minimal' >> /etc/portage/package.use/custom
  • And run emerge again... no more circular dependency error...

LibreOffice

Homepage here:

There are again both source and binary packages. I will use the source to learn how long it takes to build...

emerge -an app-office/libreoffice

FYI: on an Azure VM Standard E4as v5 (4 vcpus, 32 GiB memory) with an AMD EPYC 7763 64-Core Processor the build took around 170 minutes (a little under 3 hours). Dependencies build fast; most of the time was spent in the libreoffice build itself.

Copying kernel configuration

To avoid invoking make menuconfig and setting all options again and again, you can use a so-called "defconfig".

To save your kernel configuration do this:

  1. Save your configuration (only non-default options) using:
    make savedefconfig
  2. Back up the generated config to a safe place and ensure that its name ends with _defconfig:
    cp defconfig /root/hpgentoo_defconfig

To restore your configuration:

  1. This will reset the kernel tree back to clean sources (all configuration is lost!)

    make mrproper
  2. Copy your configuration to kernel tree:

    cp /root/hpgentoo_defconfig arch/x86/configs/
  3. Apply your configuration, specifying the configuration name:

    make hpgentoo_defconfig

Now continue as usual:

# optional:
make menuconfig
# build and install kernel and modules:
make && make modules_install && make install

In my case I need to add lvm zstd compress-zstd to USE=... in /etc/portage/make.conf.

Usually you need dracut for the initrd; install it with:

emerge -an sys-kernel/dracut
emerge -an sys-fs/e2fsprogs
# WARNING! btrfs needs sphinx to generate manual pages
emerge -an sys-fs/btrfs-progs
emerge -an sys-fs/lvm2

If you use dracut you need to create the initrd using:

dracut --kver=MY_KERNEL_VER

Keeping Gentoo up-to-date

To keep Gentoo up-to-date we have to do this regularly:

  • refresh the portage database:
    emerge-webrsync
  • update the "world" (the term comes from FreeBSD (Gentoo portage is inspired by its "ports" build system), where the core system build is called "world" and the make targets are "buildworld" and "installworld"):
    emerge --ask --verbose --update-if-installed --deep --newuse @world
  • now list and read the news:
    eselect news list | less
  • now merge the config files in /etc/ using (see https://wiki.gentoo.org/wiki/Handbook:X86/Portage/Tools):
    dispatch-conf
  • finally remove obsolete packages:
    emerge -a --depclean
    • often you will want to keep some of the listed packages; run emerge -n PKG_NAME, for example I used:
      emerge -an media-fonts/dejavu
      # confirm yes if it just tells you to add the package(s) to favorites
    • and then run emerge -a --depclean again

Optional: or use cfg-update to merge files in /etc/

  • I decided to disable X support (I use Wayland and cfg-update depends on xauth, etc...)
  • add to your /etc/portage/package.use/custom:
    # disable X (we use wayland where xauth for root will not work)
    app-portage/cfg-update -X
    
  • and then install with:
    emerge -an app-portage/cfg-update

Tips

Getting a human-readable build time from /var/log/emerge.log:

  • from https://forums.gentoo.org/viewtopic-p-8772373.html?sid=0765dc9998761ae6840c9f11aa806dfc
  • example:
    # Must have read access to /var/log/emerge.log (portage group or root)
    
    $ qlop -tH firefox
    
    2023-12-24T16:09:00 >>> www-client/firefox: 1 hour, 22 minutes, 13 seconds
  • seeing the builds from the last emerge:
    qlop -l
    2023-12-28T07:13:37 >>> sys-libs/zlib: 36s
    2023-12-28T07:14:13 >>> dev-util/gn: 1′44″
    2023-12-28T07:15:57 >>> net-libs/nodejs: 56′00″
  • seeing the build in progress (for a 1st build there is no ETA, as there is no reference in the log...):
    qlop -r
    2023-12-28T08:11:57 >>> www-client/chromium... (4 of 4) ETA: unknown
  • see all of today's builds: qlop -d today

Manual way to get all initiated emerges (will not properly handle special cases, for example @world...):

fgrep '*** emerge ' /var/log/emerge.log | awk '{print $NF}' | sort -
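
A small version of what qlop does, as an added example that is not part of the original notes: a POSIX shell function that reads /var/log/emerge.log (or stdin), pairs each ">>> emerge" start line with its "::: completed emerge" line, prints the build time, and lists builds that never completed (interrupted, or still running). The sample log lines are constructed for this example from the firefox (1h 22m 13s) and zlib (36s) times quoted on this page; the package versions in them are made up.

```shell
#!/bin/sh
# Added example (not from the original notes): a minimal qlop-like reader
# for /var/log/emerge.log. Portage writes lines of the form
#   EPOCH:  >>> emerge (N of M) category/pkg-version to /
#   EPOCH:  ::: completed emerge (N of M) category/pkg-version to /
# so the build time of a package is the difference of the two timestamps.

# emerge_build_times [FILE...]
# Reads emerge.log lines from FILE (or stdin) and prints one line per package:
#   category/pkg-version: Hh MMm SSs (TOTAL s)
# Packages that were started but never completed (interrupted builds, or the
# one still running) are listed at the end with their start timestamp.
emerge_build_times() {
    awk '
        $2 == ">>>" && $3 == "emerge" {
            ts = $1; sub(/:$/, "", ts)        # "1703432945:" -> "1703432945"
            start[$7] = ts
            next
        }
        $2 == ":::" && $3 == "completed" && $4 == "emerge" {
            ts = $1; sub(/:$/, "", ts)
            pkg = $8
            if (pkg in start) {
                d = ts - start[pkg]
                printf "%s: %dh %02dm %02ds (%d s)\n", pkg, d / 3600, (d % 3600) / 60, d % 60, d
                delete start[pkg]
            }
        }
        END {
            for (pkg in start)
                printf "%s: not completed (started at %s)\n", pkg, start[pkg]
        }' "$@"
}

# Constructed sample log: the firefox and zlib durations quoted in these notes
# (1h 22m 13s and 36s) plus a chromium build that was interrupted.
SAMPLE_EMERGE_LOG='1703432940:  *** emerge --ask --verbose www-client/firefox
1703432945:  >>> emerge (1 of 1) www-client/firefox-120.0.1 to /
1703432945:  === (1 of 1) Compiling/Merging (www-client/firefox-120.0.1::/var/db/repos/gentoo/www-client/firefox/firefox-120.0.1.ebuild)
1703437878:  ::: completed emerge (1 of 1) www-client/firefox-120.0.1 to /
1703437878:  *** exiting successfully.
1703437878:  *** terminating.
1703750000:  *** emerge -an www-client/chromium
1703750017:  >>> emerge (1 of 4) sys-libs/zlib-1.3-r2 to /
1703750053:  ::: completed emerge (1 of 4) sys-libs/zlib-1.3-r2 to /
1703750060:  >>> emerge (4 of 4) www-client/chromium-120.0.6099.129 to /'

# sample_build_times: run the parser over the constructed log above
sample_build_times() {
    printf '%s\n' "$SAMPLE_EMERGE_LOG" | emerge_build_times
}

sample_build_times
# On a real system (read access to the log needs the portage group or root):
#   emerge_build_times /var/log/emerge.log
```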

Also see man q, which references many other tools starting with q:

  • for example see how much space the package firefox takes:
    qsize firefox
    www-client/firefox: 51 files, 42 non-files, 212.8M

Bugs: python target changes

Here is the error I got after the gentoolkit world upgrade (2024-05-02):

$ eclean -dp distfiles

 * Building file list for distfiles cleaning...
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.11/eclean", line 41, in <module>
    main()
  File "/usr/lib/python3.11/site-packages/gentoolkit/eclean/cli.py", line 737, in main
    doAction(action, options, exclude=exclude, output=output)
  File "/usr/lib/python3.11/site-packages/gentoolkit/eclean/cli.py", line 582, in doAction
    clean_me, saved, deprecated, vcs = engine.findDistfiles(
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ValueError: not enough values to unpack (expected 4, got 3)

The eclean tool is included in the app-portage/gentoolkit package.

Someone already reported it here:

Another bug: xfce4-screensaver is unable to log in the user (there is an error in auth.log: unknown user). Possible fix here:

Upgrading GCC

TODO: see text below...

Found this interesting page: https://wiki.gentoo.org/wiki/Upgrading_GCC. To see if a new GCC is available I use:

emerge -a1v sys-devel/gcc

If you see R (rebuild) there is no new GCC. Only if you see U (update) do you have to proceed.

Now listing the available versions:

$ date --utc

Sun May 12 07:59:55 UTC 2024

$ gcc-config --list-profiles

 [1] x86_64-pc-linux-gnu-13 *

So we have to wait - till new GCC version is available and then follow

Importance of ACL

Due to my mistake I did not transfer the ACLs from the chroot build system to the target. One manifestation is that xfce4-screensaver is unable to log in the user, see https://forums.gentoo.org/viewtopic-t-1136310-start-0.html. There is just the following message in /var/log/auth.log (if you use rsyslog):

unix_chkpwd[12584]: check pass; user unknown
unix_chkpwd[12584]: password check failed for user (user)
xfce4-screensaver-dialog: pam_unix(xfce4-screensaver:auth): authentication failure; \
  logname=user uid=1000 euid=1000 tty=:0.0 ruser= rhost=  user=user

I have found that Gentoo does not follow the traditional policy of using the shadow group for /etc/shadow or setting setuid to group shadow on /usr/bin/unix_chkpwd; it rather uses capabilities(7).

Finally I started to understand the ACL issue when I looked into:

less $(equery w sys-libs/pam)

pkg_postinst() {
# ...
        # The pam_unix module needs to check the password of the user which requires
        # read access to /etc/shadow only.
        fcaps cap_dac_override sbin/unix_chkpwd
}

The fcaps eclass (actually a bash function) can be found in /var/db/repos/gentoo/eclass/fcaps.eclass. There is also an official guide at https://devmanual.gentoo.org/eclass-reference/fcaps.eclass/index.html

Suddenly I started to sense what was wrong; compare these outputs:

# source system - chroot on build server:

$ getcap /usr/bin/unix_chkpwd

/usr/bin/unix_chkpwd cap_dac_override=ep

# target system where unix_chkpwd does not work:
$ getcap /usr/bin/unix_chkpwd
(no output)

Now there is an obvious difference! Trying to fix it with:

setcap cap_dac_override=ep /usr/bin/unix_chkpwd

By combining two manual pages, cap_to_text(3) and capabilities(7), you can find that it means:

  • CAP_DAC_OVERRIDE means: Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)
  • = means the flags are set exactly to the listed action
  • ep is Effective and Permitted

Fortunately I found just a few programs using it:

$ find /usr/bin -type f -exec getcap {} \;

/usr/bin/unix_chkpwd cap_dac_override=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/arping cap_net_raw=ep
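
The getcap comparison above can be scripted so that a copied system is checked against the chroot it was built in before anything silently breaks. This is an added example, not from the original notes: POSIX shell functions that diff two getcap listings and print, for every file, the setcap command that would restore the baseline or a warning for capabilities the baseline never had. The sample listings are constructed from the three files shown above; /usr/bin/example-tool is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the original notes): compare the file capabilities
# of a freshly built chroot (the baseline) with those of the target system
# it was copied to, and print what differs. This is the check that would have
# caught the missing cap_dac_override on unix_chkpwd described above.

# collect_caps DIR
# Records "path capabilities" for every file under DIR that has any set
# (same command as used above; needs getcap from sys-libs/libcap).
collect_caps() {
    find "$1" -type f -exec getcap {} \; 2>/dev/null
}

# caps_diff BASELINE CURRENT
# Both arguments are getcap outputs (one "path caps" line per file). Prints:
#   setcap CAPS PATH   # missing      - file lost its capabilities entirely
#   setcap CAPS PATH   # was OLDCAPS  - capabilities changed
#   UNEXPECTED PATH CAPS               - file has capabilities not in the baseline
# Accepts both modern "path cap_x=ep" and older "path = cap_x+ep" getcap output.
caps_diff() {
    {
        printf '%s\n' "$1" | sed 's/^/A /'
        printf '%s\n' "$2" | sed 's/^/B /'
    } | awk '
        NF < 3 { next }                      # skip blank lines
        {
            src = $1; path = $2; cap = $3
            if (cap == "=") { cap = $4; sub(/\+/, "=", cap) }   # old libcap format
        }
        src == "A" { want[path] = cap; order[++n] = path; next }
        src == "B" { have[path] = cap }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in have))
                    printf "setcap %s %s   # missing\n", want[p], p
                else if (have[p] != want[p])
                    printf "setcap %s %s   # was %s\n", want[p], p, have[p]
            }
            for (p in have)
                if (!(p in want)) printf "UNEXPECTED %s %s\n", p, have[p]
        }'
}

# Constructed sample: the three files listed above on the build chroot, and a
# target where unix_chkpwd lost its capability, arping is reported in the old
# getcap syntax, and a hypothetical /usr/bin/example-tool gained one.
BASELINE_CAPS='/usr/bin/unix_chkpwd cap_dac_override=ep
/usr/bin/ping cap_net_raw=ep
/usr/bin/arping cap_net_raw=ep'
TARGET_CAPS='/usr/bin/ping cap_net_raw=ep
/usr/bin/arping = cap_net_raw+ep
/usr/bin/example-tool cap_sys_admin=ep'

caps_diff "$BASELINE_CAPS" "$TARGET_CAPS"
# On real systems: collect_caps /usr/bin > chroot-caps.txt on the build host,
# then caps_diff "$(cat chroot-caps.txt)" "$(collect_caps /usr/bin)" on the target.
```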

Trac wiki removal

Gentoo removed the old trac wiki because of its Python2 dependency, here:

Debian has an interesting history:

  • Trac was included up to Debian 10 (depends on Python2)
  • Trac was silently (!) removed from Debian 11, because some Debian rule banned nearly all Python2 packages
  • Trac 1.6.2 (compatible with Python 3) was backported to Debian 12 - available on: https://packages.debian.org/bookworm-backports/trac

So theoretically it could be re-added to Gentoo, but it needs a volunteer...

Profile version upgrade

In Gentoo you have not just a profile name but also a version; sometimes you need to upgrade the profile version, which is tricky.

Example (using `:

To perform the upgrade we have to find it in the news (using eselect news list and eselect news read X).

I strongly recommend saving the content to a text file:

eselect news read 23 > /root/upgrade-to-profile-23.txt

Also note the upgrade notes on the web as a backup. In my case:

WARNING! I do the upgrade on a copy of the chroot, where there is nothing to lose...

Gentoo authors strongly recommend making a backup before changing the profile!

So now I have to do:

$ sudo emerge --info | fgrep CHOST

CHOST="x86_64-pc-linux-gnu"

$ eselect profile list | fgrep -w '*'

[13]  default/linux/amd64/17.1/no-multilib/hardened (stable) *

$ eselect profile list | fgrep -w 'default/linux/amd64/23.0/split-usr/no-multilib/hardened '

[51]  default/linux/amd64/23.0/split-usr/no-multilib/hardened (stable)

$ eselect profile set 51

$ eselect profile list | fgrep -w '*'

  [51]  default/linux/amd64/23.0/split-usr/no-multilib/hardened (stable) *

$ rm -r /var/cache/binpkgs/*

$ emerge -a1 sys-devel/binutils

[ebuild   R    ] sys-devel/binutils-2.42-r1  USE="zstd*"

$ . /etc/profile

$ binutils-config -l

[1] x86_64-pc-linux-gnu-2.42 *

 (OK nothing to switch)

$ emerge -a1 sys-devel/gcc

[ebuild   R    ] sys-devel/gcc-13.2.1_p20240210  USE="zstd*"

  (ensure that 'glibc' is NOT in rebuild list)
  (build took around 45 minutes on 4 cores)

$ emerge -a1 sys-libs/glibc

[ebuild   R    ] sys-libs/glibc-2.38-r13
(took 5 minutes on 4 cores)

$ emerge --info | fgrep CHOST
CHOST="x86_64-pc-linux-gnu"

$ binutils-config -l

 [1] x86_64-pc-linux-gnu-2.42 *
$ gcc-config -l

 [1] x86_64-pc-linux-gnu-13 *

$ env-update && source /etc/profile

# NOTE: libtool must be always emerged after gcc update(!)

$ emerge -a1 libtool

[ebuild   R    ] dev-build/libtool-2.4.7-r4

# It is unclear what CHOST should be now, but it looks OK:

$ ls -l /usr/bin/x86_64-pc-linux-gnu-gcc

lrwxrwxrwx 1 root root 59 May 16 17:01  \
  /usr/bin/x86_64-pc-linux-gnu-gcc -> /usr/x86_64-pc-linux-gnu/gcc-bin/13/x86_64-pc-linux-gnu-gcc

$ rm -r /var/cache/binpkgs/*

# TODO: This will rebuild everything; not sure if this command can be resumed after an interrupt?

$ emerge -ae @world

When I compare emerge --info from the hardened 17.1 profile and the 23 profile I see these changes:

  • LDFLAGS appended -Wl,-z,pack-relative-relocs
  • USE removed cli dri fortran

Resources

Quite an interesting conversation:

Subject: Re: [gentoo-dev] Update on the 23.0 profiles
From: Michael Orlitzky Sat, 06 Apr 2024 19:03:17 -0700
On Sat, 2024-04-06 at 17:06 +0200, Andreas K. Huettel wrote:

Hi all,

so here's a small update on the state of the 23.0 profiles:

Why was this silently added to make.defaults for all 23.0 profiles?

This just makes sense nowadays, if only for distfiles...

USE="lzma zstd"

It doesn't help with distfiles in any way, wasn't discussed here, doesn't belong there, and creates a mess on systems where they should be disabled. Use per-package defaults if they're important for certain packages.
