In page 1 of the Gentoo Slice setup article we completed the ssh configuration along with a basic iptables install.
Now we’ll configure the gentoo ebuild system and get our Slice up to date.
Login as the admin user that you made in the previous article:
ssh -p 30000 email@example.com
30000 with the port you configured your ssh server with in the previous article, change
demo to the username
you created, and change
188.8.131.52 to the ip address of your slice.
USE flags define how ebuilds are built. They not only affect what libraries to compile against when building something, but also dependencies between ebuilds.
For example setting the
postgres USE flag would make the
php ebuild depend on the postgresql client libraries, and
also affect the parameters passed to the its build process. This gives us a great degree of control over how we install
We can change the use flags for all packages be editing
/etc/make.conf. This file contains the settings that the build system uses:
sudo nano /etc/make.conf
Now lets set our USE flags. There’s already a line there saying USE in /etc/make.conf, we can add our own preferences in there. Putting a ‘-’ (minus) in front of a flag declares that you explicitly don’t want it. There’s a reference to all the USE flags and their meanings here.
You don’t need to set too many, just have a browse through and if any jump out at you, add them to your file. As we look at installing things later we’ll be changing the USE flags some more.
Here’s an example of my preferences:
USE="bash-completion postgres mysql -alsa -cups -doc -gnome -gtk -gtk2 -ipv6 -java -kde -oss -qt -sdl -X"
In this example I’m using postgresql and mysql, perhaps you only want mysql, it’s all up to you. You should go through the reference page and choose flags that are appropriate to your setup. Notice I’ve turned off anything to do with a graphical server to keep the bloat down; some packages come with multiple UIs, I only want text based interfaces on my slice.
Once you are happy with your choice of USE flags, save the file and exit the editor. Again, don’t worry about spending too much time in here, we will be changing it later as we look at emerging new software.
Gentoo uses the ‘ebuild’ system to manage software installs, each new ‘package’ or software program available for install is called an ‘ebuild’. Lets update our list of available ebuilds from the Gentoo servers:
sudo emerge --sync
At the bottom it may say:
* An update to portage is available. It is _highly_ recommended * that you update portage now, before any other packages are updated. * To update portage, run 'emerge portage' now.
So lets do that now:
sudo emerge portage
Now that we have an up-to-date list of ebuilds available, we should start updating our system:
sudo emerge system --update -vp
pretend. It will now give some information explaining what would happen if you emerge
-vp. We can use this output to decide if you want to update our USE flags before continuing. My output
looked like this, (I’ve word wrapped it so it fits nicely on the page):
These are the packages that would be merged, in order: Calculating system dependencies... done! [ebuild U ] sys-apps/net-tools-1.60_p20071202044231-r1 [1.60-r13] USE="nls -static" 180 kB [ebuild U ] sys-apps/busybox-1.11.1 [1.8.2] USE="pam -debug -make-symlinks -savedconfig (-selinux) -static" 1,880 kB [ebuild U ] sys-apps/gawk-3.1.6 [3.1.5-r5] USE="nls" 1,818 kB [ebuild U ] app-arch/bzip2-1.0.5-r1 [1.0.5] USE="-static" 822 kB [ebuild U ] sys-apps/findutils-4.4.0 [4.3.13] USE="nls (-selinux) -static" 1,983 kB [ebuild U ] sys-apps/man-1.6f-r2 [1.6f-r1] USE="nls" 249 kB [ebuild U ] sys-devel/automake-1.10.1-r1 [1.10.1] 897 kB [ebuild U ] sys-apps/util-linux-2.14.1 [184.108.40.206] USE="crypt nls unicode -loop-aes -old-linux (-selinux) -slang (-uclibc)" 2,861 kB [ebuild U ] sys-fs/udev-124-r1  USE="(-selinux)" 204 kB [ebuild U ] net-misc/rsync-3.0.4 [3.0.2] USE="acl iconv ipv6 -static -xattr -xinetd" 755 kB [ebuild U ] net-misc/openssh-5.1_p1-r1 [4.7_p1-r6] USE="pam tcpd -X -X509 -hpn -kerberos -ldap -libedit (-selinux) -skey -smartcard -static (-chroot%)" 1,083 kB [ebuild U ] sys-apps/man-pages-3.14 [2.80] USE="nls" LINGUAS="-cs -da -de -es -fr -it -ja -nl -pl -ro -ru -zh_CN" 1,015 kB [ebuild N ] sys-apps/man-pages-posix-2003a 949 kB Total: 13 packages (12 upgrades, 1 new), Size of downloads: 14,692 kB
U means the software will be upgraded and the
N means its a new install. USE flags with a
% sign mean
the flag is being made available in the version we are about to upgrade to, or if the
% is accompanied by brackets
it’s becoming unavailable.
For example the
(-chroot%) in the
openssh line means that in our currently installed version of openssh the
USE flag has a meaning but in the version we are upgrading to it is no longer effective nor useful.
If we can’t remember what a certain USE flag does for an ebuild we can ask gentoo. For example to find out what the build flags for openssh mean we can type:
equery uses openssh
I particularly like the sound of the
hpn flag, ‘High performance ssh’, before enabling we’ll check with google if it’s
really what we want. I came up with this link.
Looks good to me.
Instead of enabling that flag for all packages (in
/etc/make.conf) we’ll just enable it for the openssh ebuild:
sudo nano /etc/portage/package.use
Add a line like this:
Once that file has been saved, we can see that the output of
sudo emerge system -vp is different now. Once you’re happy with what it is
planning to do, run it for real:
sudo emerge system --update
This will take some time, so please feel free to go make another coffee.
Updating the Configuration Files
Once it’s done you’ll see that now some of our configuration files need updating. What gentoo does is download the new version of each config file and ask you to merge the differences in. Lets run the command as suggested:
It will show you a bunch of configuration files from
/etc that need updating. As we’ve updated openssh, our
/etc/ssh/sshd_config needs updating. We don’t want to just overwrite it with the new one, but we may want some of the
options to be available in it.
In my output, that file is number
4 so I hit
enter; you should type whatever number it is listed under in
Now it shows the differences between both the files; lines to be added have a
+ in front, and
lines that are to be deleted. This listing of the changes is to give you a preview of what comes next.
You can get to the next page by hitting the
space bar, once you get down to the bottom
q to exit the difference listing.
Now you’ll be presented with a list of options. Choose
3) Interactively merge original with update (hit
enter). Now for each line that is different you’ll be asked to choose which line you want to keep, and also have the
oppurtunity to edit the line. Hit
enter to get further instructions on how to merge in the changes.
The first line is the banner, telling the version of the file. We want to keep the updated version of that so type
enter to keep the ‘right’ hand version.
The changes on the left side are the ones in your current config file, on the right side are the changes that gentoo
wants to make. Basically you want to keep anything that you’ve set, such as the
Port and the
AllowedUsers, and bring
in all the new lines.
If you make a mistake, you can hit
quit (from the merge program), then choose
3) Remerge original with update to start the merge process again for this file. If you totally panic, after quitting
the merge program you can hit
ctrl and hit
c); this will take you back to the linux prompt, and you
can start again with
Once you’ve been through the changes and you’re confident about your choices,
1) Replace /etc/ssh/sshd_config with merged file. You could also edit the config file to go through it one more
time if you would like. Follow the prompts to finish setting up the new /etc/ssh/sshd_config. You can type
enter for yes or
enter for no.
In this case we know we haven’t changed any of the other files, so just type
-5 and enter to auto update them all.
It wouldn’t hurt to do a reboot once all the config files are updated. We should at least get the new openssh server to running. Don’t worry it won’t log you out:
sudo /etc/init.d/sshd restart
Now that we’ve upgraded the system level apps, lets see what will happen when we upgrade the higher level apps:
sudo emerge world --update -vp
Adjust your USE flags as you deem appropriate again, then run it for real with out the
Once you’ve run it, you’ll need to go through the
etc-update process again. On my install I had to merge the
changes for the
/etc/sudoers file to keep that wheel group with sudoers access.
Finally we’ll want to check for any known security issues on our slice. Gentoo has a great service called the Gentoo Linux Security Advisory. When a known security problem becomes apparent in a gentoo package, it’s added to the glsa list.
We’ll use the
glsa-check tool to see if there are any known security updates with our current setup:
sudo glsa-check -tv all
In my case I have two security announcements that affect my slice. The output looks like this:
This system is affected by the following GLSAs: 200807-16 ( Python: Multiple vulnerabilities ) 200812-06 ( libxml2: Multiple vulnerabilities )
You can find out more about what is affecting your system by searching for the announcement number in the glsa listing page and clicking on it’s link.
You could follow the instructions in the page manually to fix the security problem, or we could get it all done automatically:
sudo glsa-check -fv affected
It will now proceed to fix all security vunerabilities mentioned in the glsa that affect your slice.
Finally I’d like to introduce a great Gentoo tool;
esearch tool lets you search for ebuilds to install using a cached indexing system that is much faster than a
emerge --search something.
sudo emerge esearch sudo eupdatedb
This will take quite some time; but will save us a lot of time in searching for ebuilds in the future.
From now on, we can update
esearch's indexes and update our list of available ebuilds with a single command:
This is the equivalent of:
sudo emerge --sync && sudo eupdatedb
Now to give you an example of how to use it, lets search for something. If you’re search for the name of a specific
package, you might want to leave the
-S flag off. The
-S flag makes it search through the package descriptions as well
as the names:
esearch apache esearch -S mail.*server
The search string is a regular expresssion.
mail.*server will match any ebuild description with the pattern
server, following the pattern
. means any charater and the
* means zero or more of the character before.
Well done, you now have an up to date and more secure Gentoo Slice ready to be loaded up with your server software.