Gentoo setup - Page 2

In page 1 of the Gentoo Slice setup article we completed the ssh configuration along with a basic iptables install.

Now we’ll configure the gentoo ebuild system and get our Slice up to date.

Login as the admin user that you made in the previous article:

ssh -p 30000 demo@

Replace 30000 with the port you configured your ssh server with in the previous article, change demo to the username you created, and change to the ip address of your slice.

USE Flags

USE flags define how ebuilds are built. They not only affect what libraries to compile against when building something, but also dependencies between ebuilds.

For example setting the postgres USE flag would make the php ebuild depend on the postgresql client libraries, and also affect the parameters passed to the its build process. This gives us a great degree of control over how we install software.

We can change the use flags for all packages be editing /etc/make.conf. This file contains the settings that the build system uses:

sudo nano /etc/make.conf

Now lets set our USE flags. There’s already a line there saying USE in /etc/make.conf, we can add our own preferences in there. Putting a ‘-’ (minus) in front of a flag declares that you explicitly don’t want it. There’s a reference to all the USE flags and their meanings here.

You don’t need to set too many, just have a browse through and if any jump out at you, add them to your file. As we look at installing things later we’ll be changing the USE flags some more.

Here’s an example of my preferences:

USE="bash-completion postgres mysql
     -alsa -cups -doc -gnome -gtk -gtk2 -ipv6 -java -kde -oss -qt -sdl -X"

In this example I’m using postgresql and mysql, perhaps you only want mysql, it’s all up to you. You should go through the reference page and choose flags that are appropriate to your setup. Notice I’ve turned off anything to do with a graphical server to keep the bloat down; some packages come with multiple UIs, I only want text based interfaces on my slice.

Once you are happy with your choice of USE flags, save the file and exit the editor. Again, don’t worry about spending too much time in here, we will be changing it later as we look at emerging new software.

System Update

Gentoo uses the ‘ebuild’ system to manage software installs, each new ‘package’ or software program available for install is called an ‘ebuild’. Lets update our list of available ebuilds from the Gentoo servers:

sudo emerge --sync

At the bottom it may say:

* An update to portage is available. It is _highly_ recommended
 * that you update portage now, before any other packages are updated.

 * To update portage, run 'emerge portage' now.

So lets do that now:

sudo emerge portage

Now that we have an up-to-date list of ebuilds available, we should start updating our system:

sudo emerge system --update -vp

The -vp means verbose and pretend. It will now give some information explaining what would happen if you emerge without the -vp. We can use this output to decide if you want to update our USE flags before continuing. My output looked like this, (I’ve word wrapped it so it fits nicely on the page):

These are the packages that would be merged, in order:

Calculating system dependencies... done!
[ebuild     U ] sys-apps/net-tools-1.60_p20071202044231-r1 [1.60-r13] USE="nls -static" 180 kB
[ebuild     U ] sys-apps/busybox-1.11.1 [1.8.2] USE="pam -debug -make-symlinks -savedconfig
                (-selinux) -static" 1,880 kB
[ebuild     U ] sys-apps/gawk-3.1.6 [3.1.5-r5] USE="nls" 1,818 kB
[ebuild     U ] app-arch/bzip2-1.0.5-r1 [1.0.5] USE="-static" 822 kB
[ebuild     U ] sys-apps/findutils-4.4.0 [4.3.13] USE="nls (-selinux) -static" 1,983 kB
[ebuild     U ] sys-apps/man-1.6f-r2 [1.6f-r1] USE="nls" 249 kB
[ebuild     U ] sys-devel/automake-1.10.1-r1 [1.10.1] 897 kB
[ebuild     U ] sys-apps/util-linux-2.14.1 [] USE="crypt nls unicode -loop-aes -old-linux
                (-selinux) -slang (-uclibc)" 2,861 kB
[ebuild     U ] sys-fs/udev-124-r1 [119] USE="(-selinux)" 204 kB
[ebuild     U ] net-misc/rsync-3.0.4 [3.0.2] USE="acl iconv ipv6 -static -xattr -xinetd" 755 kB
[ebuild     U ] net-misc/openssh-5.1_p1-r1 [4.7_p1-r6] USE="pam tcpd -X -X509 -hpn -kerberos -ldap
                -libedit (-selinux) -skey -smartcard -static (-chroot%)" 1,083 kB
[ebuild     U ] sys-apps/man-pages-3.14 [2.80] USE="nls" LINGUAS="-cs -da -de -es -fr -it -ja -nl
                -pl -ro -ru -zh_CN" 1,015 kB
[ebuild  N    ] sys-apps/man-pages-posix-2003a  949 kB

Total: 13 packages (12 upgrades, 1 new), Size of downloads: 14,692 kB

Here the U means the software will be upgraded and the N means its a new install. USE flags with a % sign mean the flag is being made available in the version we are about to upgrade to, or if the % is accompanied by brackets it’s becoming unavailable.

For example the (-chroot%) in the openssh line means that in our currently installed version of openssh the chroot USE flag has a meaning but in the version we are upgrading to it is no longer effective nor useful.

If we can’t remember what a certain USE flag does for an ebuild we can ask gentoo. For example to find out what the build flags for openssh mean we can type:

equery uses openssh

I particularly like the sound of the hpn flag, ‘High performance ssh’, before enabling we’ll check with google if it’s really what we want. I came up with this link. Looks good to me.

Instead of enabling that flag for all packages (in /etc/make.conf) we’ll just enable it for the openssh ebuild:

sudo nano /etc/portage/package.use

Add a line like this:

net-misc/openssh hpn

Once that file has been saved, we can see that the output of sudo emerge system -vp is different now. Once you’re happy with what it is planning to do, run it for real:

sudo emerge system --update

This will take some time, so please feel free to go make another coffee.

Updating the Configuration Files

Once it’s done you’ll see that now some of our configuration files need updating. What gentoo does is download the new version of each config file and ask you to merge the differences in. Lets run the command as suggested:

sudo etc-update

It will show you a bunch of configuration files from /etc that need updating. As we’ve updated openssh, our /etc/ssh/sshd_config needs updating. We don’t want to just overwrite it with the new one, but we may want some of the options to be available in it.

In my output, that file is number 4 so I hit 4 and enter; you should type whatever number it is listed under in your output.

Now it shows the differences between both the files; lines to be added have a + in front, and - for lines that are to be deleted. This listing of the changes is to give you a preview of what comes next. You can get to the next page by hitting the space bar, once you get down to the bottom hit q to exit the difference listing.

Now you’ll be presented with a list of options. Choose 3) Interactively merge original with update (hit 3 and enter). Now for each line that is different you’ll be asked to choose which line you want to keep, and also have the oppurtunity to edit the line. Hit ? and enter to get further instructions on how to merge in the changes.

The first line is the banner, telling the version of the file. We want to keep the updated version of that so type r and enter to keep the ‘right’ hand version.

The changes on the left side are the ones in your current config file, on the right side are the changes that gentoo wants to make. Basically you want to keep anything that you’ve set, such as the Port and the AllowedUsers, and bring in all the new lines.

If you make a mistake, you can hit q for quit (from the merge program), then choose 3) Remerge original with update to start the merge process again for this file. If you totally panic, after quitting the merge program you can hit ctrl+c (Hold ctrl and hit c); this will take you back to the linux prompt, and you can start again with sudo etc-update.

Once you’ve been through the changes and you’re confident about your choices, choose 1) Replace /etc/ssh/sshd_config with merged file. You could also edit the config file to go through it one more time if you would like. Follow the prompts to finish setting up the new /etc/ssh/sshd_config. You can type y and enter for yes or n and enter for no.

In this case we know we haven’t changed any of the other files, so just type -5 and enter to auto update them all.

It wouldn’t hurt to do a reboot once all the config files are updated. We should at least get the new openssh server to running. Don’t worry it won’t log you out:

sudo /etc/init.d/sshd restart

Upgrade applications

Now that we’ve upgraded the system level apps, lets see what will happen when we upgrade the higher level apps:

sudo emerge world --update -vp

Adjust your USE flags as you deem appropriate again, then run it for real with out the -vp.

Once you’ve run it, you’ll need to go through the etc-update process again. On my install I had to merge the changes for the /etc/sudoers file to keep that wheel group with sudoers access.


Finally we’ll want to check for any known security issues on our slice. Gentoo has a great service called the Gentoo Linux Security Advisory. When a known security problem becomes apparent in a gentoo package, it’s added to the glsa list.

We’ll use the glsa-check tool to see if there are any known security updates with our current setup:

sudo glsa-check -tv all

In my case I have two security announcements that affect my slice. The output looks like this:

This system is affected by the following GLSAs:
200807-16 ( Python: Multiple vulnerabilities ) 
200812-06 ( libxml2: Multiple vulnerabilities )

You can find out more about what is affecting your system by searching for the announcement number in the glsa listing page and clicking on it’s link.

You could follow the instructions in the page manually to fix the security problem, or we could get it all done automatically:

sudo glsa-check -fv affected

It will now proceed to fix all security vunerabilities mentioned in the glsa that affect your slice.

Quick Searches

Finally I’d like to introduce a great Gentoo tool; esearch.

The esearch tool lets you search for ebuilds to install using a cached indexing system that is much faster than a standard emerge --search something.

Lets install esearch :

sudo emerge esearch
sudo eupdatedb

This will take quite some time; but will save us a lot of time in searching for ebuilds in the future.

From now on, we can update esearch's indexes and update our list of available ebuilds with a single command:

sudo esync

This is the equivalent of:

sudo emerge --sync && sudo eupdatedb

Now to give you an example of how to use it, lets search for something. If you’re search for the name of a specific package, you might want to leave the -S flag off. The -S flag makes it search through the package descriptions as well as the names:

esearch apache
esearch -S mail.*server

The search string is a regular expresssion. So mail.*server will match any ebuild description with the pattern server, following the pattern mail, with anything in between. The . means any charater and the * means zero or more of the character before.

Well done, you now have an up to date and more secure Gentoo Slice ready to be loaded up with your server software.

Article Comments:

john commented Wed Jan 14 16:25:04 UTC 2009:

Thank you matiu for this two articles.. I've learned a lot of stuff (actually i didn't neither set up iptables...which I think it's quite bad for a server) I'd love to see more stuff about gentoo and better configurations for the slices :) (one nice would be to setup, configure and do some optimizations about apache and mysql... maybe having a look at the different mpms like prefork and worker). What do you think?

eregon commented Fri Jan 16 11:05:48 UTC 2009:

you wrote to set MAKEOPTS="-j4", wouldn't be better to set it as j5 ? as the gentoo handbook says it's safe to set (number of cpu) + 1

matiu commented Fri Jan 16 20:52:24 UTC 2009:

Yes, that's a good idea. It is really something that varies depending on your environment.

In the Gentoo handbook they recommend to set it at one more than the number of cpu cores you have.

Another source recommends to set it to 1.5 times the number of cores (6).

Of course it's not a magic number you can set to 1,000,000 and expect things to build instantly.

The more parallel tasks you run, the more memory you consume. This is especially noticeable when compiling larger programs.

Also we must remember that we're in a shared environment and although you can burst to use all the CPU you can get your hands on. The actual guaranteed amount of CPU is generally much lower.

In summary, try different settings, keep an eye on top, and use what's best for your situation.

Michael Søndergaard commented Sun Jan 18 14:00:41 UTC 2009:

In fact, setting MAKEOPTS="-j6" on a 256 slice will cause compilation of certain programs like mysql to choke on memory so much that the slice crumbles and you have to do a hard reboot...

matiu commented Sun Jan 18 23:42:51 UTC 2009:

Ouch! Thanks for the heads up on that one Michael.

I'd just like to mention that right now, the stable version of esearch is broken because it calls emerge with the wrong arguments.

As a work around, you can either unmask the testing version by adding the line:

=app-portage/esearch-0.7.1-r7 ~amd64

to /etc/portage/package.keyword.

Or by using eix instead.

Tony Plack commented Thu Feb 26 23:25:44 UTC 2009:

Actually, setting MAKEOPTS="-j4" on a 256 slice will cause problems for gcc-4.1.X and above when java has been enabled. If you plan to run an emerge --new_use world, make sure you turn it down or it will cause make to use all your memory.

Chris Beswick commented Wed Oct 14 10:04:11 UTC 2009:

You are suggesting that people just do:

emerge --sync

To get the inital portage tree, as the one in the provided image is blank. To reduce strain on the rsync servers, the gentoo handbook suggests something like:


tar xvjf portage-latest.tar.bz2 -C /usr

rm portage-latest.tar.bz2

Followed by the emerge --sync, which moves some of the "strain" onto the mirrors, and might even be faster.

Dustin commented Sun Aug 29 10:13:43 UTC 2010:

Great tutorial! Thanks for taking the time to write this. :-)

the pirate bay org thepiratebay commented Tue Mar 26 21:51:20 UTC 2013:

Samuels (Eminem) “Nothin’ On You” — Philip Lawrence, Ari Levine, Bruno Mars & Bobby Simmons Jr. Nash, who had received a gigantic claim in reward for his discovery, could possibly be seen just about any day busily at work. After debating the situation and being in the opinion that the Government had no capability to reimburse, they submitted the truth towards the Crown Law Office for his or her decision.

movies Online commented Sat May 04 08:20:24 UTC 2013:

You could take your possibilities with software just like Limewire or Kazaa to undoubtedly download viruses or spyware. Yes, I finally found a way to use my computer to get me a similar entertainment that I was getting form my TV provider without a monthly fee. Ettleman recognized it as number 10 inside "Time 25 Top Ten 2006" for Time Magazine.

movies Online commented Sat May 04 08:21:18 UTC 2013:

You could take your possibilities with software just like Limewire or Kazaa to undoubtedly download viruses or spyware. Yes, I finally found a way to use my computer to get me a similar entertainment that I was getting form my TV provider without a monthly fee. Ettleman recognized it as number 10 inside "Time 25 Top Ten 2006" for Time Magazine.

Want to comment?

(not made public)


(use plain text or Markdown syntax)