Now is the time to actually install Gentoo.
First import the pool again:
# zpool import -N -R /mnt rpool
# zfs load-key -L file:///tmp/rpool.key rpool
Then mount the datasets and the ESP on /mnt:
# mount -t zfs rpool/root/gentoo /mnt
# mkdir /mnt/var
# mount -t zfs rpool/root/gentoo/var /mnt/var
# mkdir /mnt/efi
# mount -t vfat /dev/disk/by-label/esp /mnt/efi
Now we are going to fetch a stage3 tarball into the root of the new system. Replace <release_date> with the date of the latest tarball release.
# cd /mnt
# wget https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/stage3-amd64-musl-hardened-<release_date>.tar.xz
There are also other mirrors like
https://ftp.snt.utwente.nl/pub/os/linux/gentoo/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened/
which might provide a faster download depending on your location. Check out https://www.gentoo.org/downloads/mirrors/ for other mirrors.
It is also possible to use links instead of wget, which provides a small user interface for navigation:
# links https://distfiles.gentoo.org/releases/amd64/autobuilds/current-stage3-amd64-musl-hardened
Unpack it in the new root:
# tar xpvf stage3-*.tar.xz --numeric-owner
Then, before finally chrooting into the system, copy over resolv.conf so that there is an internet connection inside the chroot:
# cp /etc/resolv.conf /mnt/etc/.
# cp /tmp/rpool.key /mnt/tmp
# for i in dev proc sys run; do
mount --rbind --make-rslave /$i /mnt/$i
done
# chroot /mnt
Configuring the system
Portage
Before installing any software, first edit /etc/portage/make.conf, which acts as the main configuration file for Portage. A Gentoo installation is highly personal, so diverging from these settings is encouraged. Here's an example file:
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
COMMON_FLAGS="-march=native -O2 -pipe"
CFLAGS="${COMMON_FLAGS}"
CXXFLAGS="${COMMON_FLAGS}"
FCFLAGS="${COMMON_FLAGS}"
FFLAGS="${COMMON_FLAGS}"
RUSTFLAGS="${RUSTFLAGS} -C target-cpu=native"
# MakeOpts
MAKEOPTS="-j7 -l5"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult https://wiki.gentoo.org/wiki/Changing_the_CHOST_variable before changing.
CHOST="x86_64-pc-linux-musl"
# NOTE: This stage was built with the bindist USE flag enabled
# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.
LC_MESSAGES=C.utf8
# Logging
PORTAGE_ELOG_CLASSES="log warn error"
PORTAGE_LOGDIR="/var/log/portage"
PORTAGE_LOGDIR_CLEAN="find \"\${PORTAGE_LOGDIR}\" -type f ! -name \"summary.log*\" -mtime +7 -delete"
# Only accept free licenses
ACCEPT_LICENSE="-* @FREE"
# USE flags
USE="${USE} networkmanager wayland dbus elogind -systemd policykit pam man udev pipewire initramfs secureboot modules-sign dist-kernel -gtkdoc" # ....
# Emerge settings
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --with-bdeps y"
# For secureboot (will be necessary later)
SECUREBOOT_SIGN_KEY="/var/lib/sbctl/keys/db/db.key"
SECUREBOOT_SIGN_CERT="/var/lib/sbctl/keys/db/db.pem"
MODULES_SIGN_KEY="${SECUREBOOT_SIGN_KEY}"
MODULES_SIGN_CERT="${SECUREBOOT_SIGN_CERT}"
MODULES_SIGN_HASH="sha512"
Don't forget to change MAKEOPTS to match your CPU and also the USE flags to your liking.
Now finally sync the repositories and try installing a package like vim.
# emaint sync
# emerge --ask --verbose app-editors/vim
In theory it should work.
Fstab
Simply add these lines to the fstab:
rpool/root/gentoo / zfs rw,noatime,xattr,posixacl,casesensitive 0 1
rpool/root/gentoo/var /var zfs rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive 0 2
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
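The fstab above does most of its hardening through mount options (nodev, nosuid, noexec, hidepid=2, umask=0077), and a single missing option silently weakens it. The following check is an added example, not part of the original guide: it parses an fstab (or /proc/mounts) and reports every expected option that is absent. The table of expected options per mount point is an assumption derived from the lines above, and the two sample fstab files are constructed inline.

```sh
#!/bin/sh
# Added example, not from the original guide: verify that the hardening
# mount options the fstab above relies on are present for each mount point.
# Run it against /etc/fstab before rebooting, or /proc/mounts afterwards.

# has_opt OPTS OPT: true if the comma-separated list OPTS contains OPT exactly
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}
# required_opts MOUNTPOINT: options this guide's fstab expects (assumed table)
required_opts() {
    case "$1" in
        /efi)  echo "nodev nosuid noexec umask=0077" ;;
        /var)  echo "nodev nosuid" ;;
        /tmp)  echo "nodev nosuid noexec" ;;
        /proc) echo "nodev nosuid noexec hidepid=2" ;;
        *)     echo "" ;;
    esac
}
# check_fstab FILE: prints "<mountpoint> missing <opt>" per gap, returns 1 if any
check_fstab() {
    rc=0
    while read -r fs mnt _type opts _rest; do
        case "$fs" in ''|'#'*) continue ;; esac   # skip blanks and comments
        for want in $(required_opts "$mnt"); do
            has_opt "$opts" "$want" || { echo "$mnt missing $want"; rc=1; }
        done
    done < "$1"
    return $rc
}

# Constructed sample inputs: the guide's fstab, and a weakened copy of it
GOOD_FSTAB=$(mktemp); BAD_FSTAB=$(mktemp)
cat > "$GOOD_FSTAB" <<'EOF'
rpool/root/gentoo / zfs rw,noatime,xattr,posixacl,casesensitive 0 1
rpool/root/gentoo/var /var zfs rw,noatime,nosuid,nodev,xattr,posixacl,casesensitive 0 2
/dev/disk/by-label/efi /efi vfat defaults,nodev,nosuid,noexec,umask=0077 0 2
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
EOF
cat > "$BAD_FSTAB" <<'EOF'
tmpfs /tmp tmpfs rw,nodev,nosuid,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec 0 0
EOF
check_fstab "$GOOD_FSTAB" && echo "fstab ok"
check_fstab "$BAD_FSTAB" || echo "weak fstab rejected"
```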
Date and time
First install timezone-data:
# emerge -av sys-libs/timezone-data
Create /etc/env.d/00local with:
TZ="/usr/share/zoneinfo/<region>/<city>"
Update the environment:
# env-update && source /etc/profile
Configure hwclock in /etc/conf.d/hwclock:
clock="UTC"
clock_hctosys="NO"
clock_systohc="NO"
And set up an ntpd:
# emerge -av net-misc/openntpd
# rc-update add ntpd default
# rc-service ntpd start
Set up locales
Install the musl-locales package:
# emerge -av sys-apps/musl-locales
And in /etc/env.d/01musl_locales add:
MUSL_LOCPATH="/usr/share/i18n/locales/musl"
Then choose the desired locale, where <n> is the number of that locale in the list:
# eselect locale list
# eselect locale set <n>
# env-update && source /etc/profile
Setting the hostname
Simply run:
echo "<hostname>" > /etc/hostname
Internet
NetworkManager is an easy-to-use network manager. Before emerging it, consider adding some USE flags in /etc/portage/package.use/networkmanager:
net-misc/networkmanager dhcpcd -wext
Also make sure the networkmanager USE flag is enabled in your make.conf. Then emerge networkmanager:
# emerge -av net-misc/networkmanager
Then disable any other network services before enabling the service:
# rc-update add NetworkManager default
# rc-service NetworkManager start
Making the system boot
Sbctl
First off, install sbctl:
# emerge -av sbctl
Verify that Secure Boot is on and in setup mode with sbctl status.
Then create and enroll keys into the system.
# sbctl create-keys
# sbctl enroll-keys <--microsoft>
Use the --microsoft flag if the system is unable to use custom keys or when dual booting with Windows.
Adding GURU
GURU is an extra repository which contains packages not available in the main Gentoo repository. Although the packages it contains might not be as well tested as those in the main repository, they are still necessary for some setups. Add GURU with:
# emerge -av app-eselect/eselect-repository
# eselect repository enable guru
# emaint sync --repo guru
To allow unstable packages from GURU, add to /etc/portage/package.accept_keywords/guru:
*/*::guru ~amd64
Zlevis' auto decryption
zlevis is able to unlock an encrypted ZFS root pool with keys saved in a TPM. Currently it is only available in the portage-ample repository and also has some dependencies in the guru repository:
# eselect repository add portage-ample git https://git.bijl.us/lnorg/portage-ample
# emaint sync -r portage-ample
Then, before emerging, add the dracut USE flag in /etc/portage/package.use/zlevis:
app-crypt/zlevis dracut
Then simply install it:
# emerge -av app-crypt/zlevis
Now add zlevis to the pool with:
# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/rpool.key) rpool
UKIs
UKIs in conjunction with Secure Boot make for a pretty secure boot chain. We use dracut as the initramfs generator and ukify as the UKI generator.
First create /usr/lib/kernel/install.conf with:
layout=uki
initrd_generator=dracut
uki_generator=ukify
And in /etc/kernel/uki.conf:
[UKI]
SecureBootSigningTool=sbsign
Portage also has to be told to generate a UKI when installing a kernel. This can be done by creating /etc/portage/package.use/uki with:
sys-apps/systemd-utils kernel-install boot ukify
sys-kernel/installkernel dracut ukify uki
These USE flags also tell Portage to install systemd-boot, which can automatically detect UKIs, and because of the secureboot flag in /etc/portage/make.conf it will also automatically sign the bootloader.
Also allow linux-firmware's license in /etc/portage/package.license:
# Accepting the license for linux-firmware
sys-kernel/linux-firmware linux-fw-redistributable
# Accepting any license that permits redistribution
sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE
Enable the zlevis module in /etc/dracut.conf.d/zlevis.conf:
nofsck="yes"
add_dracutmodules+=" zlevis "
Before installing a kernel, define a minimal kernel command line in /etc/kernel/cmdline:
rw root=ZFS=rpool/root/gentoo quiet splash
Then finally install all the necessary packages:
# emerge -av sbsigntools systemd-utils linux-firmware gentoo-kernel-bin zfs-kmod
This should complete without throwing any errors.
Then, for a nice boot interface, install systemd-boot on the ESP:
# bootctl install
The last thing to do is to add a few ZFS services to the boot sequence:
# rc-update add zfs-import sysinit
# rc-update add zfs-mount sysinit
Now exit the chroot and unmount the filesystem with:
# umount -lf /mnt
The system should boot after reboot!