Funtoo
Funtoo is a Gentoo alternative. I'm now discovering it. See the homepage: https://www.funtoo.org/Welcome
One appealing feature is that Funtoo is supposed to be more "release"-like than purely "rolling" Gentoo. This should make it easier to manage. However, last time there was no upgrade path:
https://forums.funtoo.org/topic/5159-14-release-is-being-retired-in-2024/
We are officially retiring 1.4-release in 2024, which means that if you have not yet done so, now is the time to upgrade to next-release. The official way to do this is to do a REINSTALL of Funtoo. You may be able to in-place upgrade from 1.4-release to next-release but THIS IS NOT OFFICIALLY SUPPORTED so if you can't get it to work, you can ask on Discord for help unofficially but if you can't work through the various quirks you WILL need to reinstall.
Really, a reinstall should be done unless you have a very specific reason why you can't. ...
However, Funtoo is more opinionated than Gentoo. For example, if you disable font support in GRUB, ego boot update will simply crash with a Python stack trace.
What is different (more or less):
- Install CD: there is a helper command fchroot that does all the necessary steps to prepare and enter the chroot.
- Only OpenRC is supported (no S-word allowed :-)
- While Gentoo uses Profile + USE flags, Funtoo has more categories: arch, build, subarch, flavor and mix-ins. Please see https://www.funtoo.org/Install/Profiles for details.
- Funtoo uses a binary Debian kernel by default.
- emerge-webrsync is replaced with ego sync
- GRUB configuration is updated with ego boot update
WARNING! Funtoo is unable to boot from LVM (root filesystem on LVM) with the prepared Debian kernel and initramfs. You have to use genkernel etc.; some information is available at: https://www.funtoo.org/LVM_Install_Guide
If you insist on using LVM for the rootfs you also need to:
- build kernel modules without compression, because the script /usr/share/genkernel/gen_initramfs.sh expects modules to have the extension .ko (no compression suffix). Your .config has to contain the option CONFIG_MODULE_COMPRESS_NONE=y
- additionally ensure that Unix sockets are enabled (CONFIG_UNIX=y) - this default changed in the latest 6.8 kernels.
- pass an additional parameter when generating the initramfs:
genkernel --lvm --ramdisk-modules initramfs
- example entry in /etc/boot.conf:
"Funtoo Linux LVM" {
	kernel vmlinuz-6.8.7-vanilla-hpfun
	initrd initramfs-genkernel-x86_64-6.8.7-vanilla-hpfun
	params += dolvm doscsi noload=nfs doload=ahci real_root=auto rootfstype=ext4
}
- WARNING! The default initramfs does NOT boot properly if there is a recent lvm-thin volume on some drive (I have another HDD with Proxmox VE and lvm-thin, which is its default). I don't know the exact cause of that problem, but when I compare lvm version output, Proxmox has LVM from 2022 while Funtoo has one from 2017 - I guess that there is some incompatible change in the lvm-thin format(?). Because it is treated as an error, the necessary LVM commands (lvm vgchange -a y and lvm vgmknodes) are not executed. In such a case you can enter the emergency shell and type these commands manually. Then exit the shell and specify the proper root path (same as real_root in the generated /boot/grub/grub.cfg) to continue booting. As a workaround I listed the allowed volume groups (VG) in /etc/lvm/lvm.conf by adding the line volume_list = ["king500"] (the VG on the Kingston SSD where Funtoo is) in the section activation { ... }, and rebuilt the initramfs with genkernel --lvm --ramdisk-modules initramfs - this command will also copy the current /etc/lvm/lvm.conf into the initramfs, which is required for it to be applied on boot.
- WARNING! I have to blacklist nfs (with noload=nfs) - it was autoloaded on boot and hung the kernel...
- See my kernel config at: https://github.com/hpaluch/funtoo-files/blob/master/kernel/sys-kernel/vanilla-sources-6.8.7/arch/x86/configs/hpfun_defconfig
WARNING! When I use custom kernels they don't like set gfxpayload=keep, which ego boot update puts into each entry in /boot/grub/grub.cfg. I use this simple post-fix after every run of ego boot update:
sed -i.bak -e 's/^\( *set *gfxpayload=keep.*\)/#\1/' /boot/grub/grub.cfg
WARNING! The nouveau driver is missing in gnome-stage3-generic_64-next-2024-04-18.tar.xz (I can't use the proprietary nvidia driver because they dropped support for my GT218 card in version 340 - around 10 years ago...).
NOTE: The mix-in gfxcard-nvidia-legacy is too new for me; /var/git/meta-repo/kits/core-gl-kit/profiles/funtoo/mix-ins/gfxcard-nvidia-legacy/package.mask contains:
# Updated Sep 18 2019 -- use 390.129 or earlier.
>=x11-drivers/nvidia-kernel-modules-390.130
>=x11-drivers/nvidia-drivers-390.130
I need 340 or older...
To enable nouveau we may try:
sudo epro profile mix-in gfxcard-nouveau
sudo emerge -auDN @world
I always use a build server (Debian 12 host with Funtoo in a chroot) to avoid building the same binaries again and again...
On the Debian 12 host I install nginx and certbot and acquire a Let's Encrypt https certificate. I actually used sudo apt-get install python3-certbot-nginx and the command sudo certbot --nginx -d MY_SERVER_FQDN to get a free certificate for https.
NOTE: When using a long FQDN you have to add server_names_hash_bucket_size 256; to /etc/nginx/nginx.conf to avoid the fatal error:
[emerg] 2306#2306: could not build server_names_hash, \
you should increase server_names_hash_bucket_size: 64
Then I add to /etc/nginx/sites-available/default:
location /funtoo/portage {
	alias /srv/funtoo/AZ-SRV/var/cache/portage;
}
My Funtoo chroot is right under /srv/funtoo/AZ-SRV.
Note that this alias publishes the whole /var/cache/portage tree of the chroot (distfiles as well as packages) to anyone who can reach the server, so do not drop anything private in there.
WARNING! Within just 1 minute(!) there were attempts to attack my webserver from the public Internet:
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /.vscode/sftp.json HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /about HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /debug/default/view?panel=config HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /v2/_catalog HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server-status HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /login.action HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /_all_dbs HTTP/1.1" 404 125 "-" "Mozilla/5.0 (l9scan/2.0.631313e2834323e2438313e243; +https://leakix.net)"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.DS_Store HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.env HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.git/config HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /s/631313e2834323e2438313e243/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /config.json HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /telescope/requests HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 200 409 "-" "Go-http-client/1.1"
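The burst above is a typical mass-scanner run: one IP, a dozen requests within two seconds, and every path is a well-known location of leaked secrets (.env, .git/config, .vscode/sftp.json) or of an unauthenticated admin/debug endpoint. Only the last request got a 200, and that is because its path is just / with a query string, so the default site served its index page; it is a WordPress user-enumeration probe hitting a server that is not WordPress. Below is an added example (my code, not part of the original page and not Funtoo's or nginx's) that parses combined-format access log lines, tags the probe paths and reports, per client, how many probes were made and which were answered with something other than 404, since those are the ones worth a second look. The sample input is taken from the log excerpt above; the probe list is a hand-picked starting set, not a complete signature database.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that normal visitors never request; only scanners do.
PROBE_PATHS = {
    "/.env": "leaked environment file (credentials)",
    "/.git/config": "exposed git repository",
    "/.vscode/sftp.json": "leaked SFTP credentials",
    "/.DS_Store": "directory listing leak",
    "/config.json": "leaked application config",
    "/server-status": "Apache status page",
    "/_all_dbs": "CouchDB without auth",
    "/v2/_catalog": "Docker registry without auth",
    "/telescope/requests": "Laravel Telescope debug UI",
    "/debug/default/view": "Yii debug toolbar",
    "/login.action": "Confluence login (exploit check)",
}
PROBE_PREFIXES = {"/ecp/": "Exchange Control Panel",
                  "/s/": "Jira/Confluence path check"}
PROBE_QUERIES = {"rest_route=/wp/v2/users/": "WordPress user enumeration"}

# Sample input: lines taken from the access log excerpt above.
SAMPLE_LOG = """\
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /.vscode/sftp.json HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /about HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /v2/_catalog HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /server-status HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:34 +0000] "GET /_all_dbs HTTP/1.1" 404 125 "-" "Mozilla/5.0 (l9scan/2.0.631313e2834323e2438313e243; +https://leakix.net)"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.env HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /.git/config HTTP/1.1" 404 125 "-" "Go-http-client/1.1"
64.225.75.246 - - [11/May/2024:08:46:35 +0000] "GET /?rest_route=/wp/v2/users/ HTTP/1.1" 200 409 "-" "Go-http-client/1.1"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(target):
    """Map a request target to a probe description, or None if unremarkable."""
    path, _, query = target.partition("?")
    if path in PROBE_PATHS:
        return PROBE_PATHS[path]
    for prefix, desc in PROBE_PREFIXES.items():
        if path.startswith(prefix):
            return desc
    for needle, desc in PROBE_QUERIES.items():
        if needle in query:
            return desc
    return None


def triage(lines):
    """Per client IP: request count, probe count, probe kinds and 'hits'.

    A hit is a probe that was NOT answered with 404 (something was served),
    which is what deserves a closer look; plain 404s are just noise.
    """
    report = defaultdict(lambda: {"requests": 0, "probes": 0,
                                  "kinds": Counter(), "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip lines that are not in combined format
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        kind = classify(rec["target"])
        if kind:
            entry["probes"] += 1
            entry["kinds"][kind] += 1
            if rec["status"] != "404":
                entry["hits"].append((rec["target"], rec["status"]))
    return dict(report)


if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {e['requests']} requests, {e['probes']} probes, hits: {e['hits']}")
        for kind, n in e["kinds"].most_common():
            print(f"  {n}x {kind}")
```

Run against the real file with triage(open("/var/log/nginx/access.log")). Anything in "hits" is where a guessed path actually returned content; here the only one is the index page served for /, which is harmless, but a 200 on /.env or /.git/config would not be.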
There are official docs regarding building and consuming binary packages:
Differences from Gentoo:
- Funtoo uses /var/cache/portage/packages instead of /var/cache/binpkgs
Example (incomplete) build server setup (Debian 12):
# on Debian 12 host
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot
# I want to have manual control over system updates:
sudo systemctl mask apt-daily.timer dpkg-db-backup.timer apt-daily-upgrade.timer \
man-db.timer e2scrub_all.timer fstrim.timer
sudo systemctl stop unattended-upgrades
sudo apt-get purge unattended-upgrades
sudo visudo
# To stop DNS requests: Append: Defaults !fqdn
# few utilities:
sudo apt-get install curl mc tmux vim wget
# prepare filesystem
sudo mkdir -p /srv/funtoo/funtoo-uni-gnome
cd /srv/funtoo/funtoo-uni-gnome
sudo curl -fLO https://build.funtoo.org/next/x86-64bit/generic_64/2024-04-18/gnome-stage3-generic_64-next-2024-04-18.tar.xz
sudo tar --numeric-owner --xattrs --xattrs-include='*' -xpf gnome-stage3-generic_64-next-2024-04-18.tar.xz
Our host is Debian (not Funtoo), so we have no fchroot available.
Entering chroot - omitted...
In chroot:
# verify that you extracted tarball with extended attributes:
getcap /sbin/unix_chkpwd
# must output: /sbin/unix_chkpwd = cap_dac_override+ep
If the output of getcap /sbin/unix_chkpwd is empty, it means that your filesystem lost the extended attributes (the target filesystem must support security.* xattrs, and tar must be run with the --xattrs options shown above). This will cause various malfunctions (for example, the xfce4 screensaver will be unable to log the user back in!). In such a case you should format and extract the filesystem again with the proper tar options(!)
In chroot (continued):
# verify that DNS works:
nslookup www.google.com
# setting timezone
rm -f /etc/localtime
ln -sf /usr/share/zoneinfo/Europe/Prague /etc/localtime
date # verify that date shows correct timezone CE(S)T in my example
I'm currently testing this /etc/portage/make.conf:
MAKEOPTS="-j4"
USE="mmx sse sse2"
LINGUAS="en en_US"
# for Server:
FEATURES="buildpkg userfetch"
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --buildpkg-exclude 'acct-*/* virtual/* sys-kernel/*-sources'"
# for Client
#FEATURES="userfetch getbinpkg"
#EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg-exclude 'acct-*/* virtual/* sys-kernel/*-sources'"
#PORTAGE_BINHOST="https://FQDN_OF_BUILD_SERVER/funtoo/portage/packages"
Typical update & rebuild cycle (applies also to bootstrap):
ego sync
# log packages (-p = pretend) that will be updated:
emerge -p -uDN @world | tee ~/emerge-world-`date '+%y%m%d-%H%M'`.log
# again - with Ask this time:
emerge -auDN @world
# remove obsolete installed packages - DANGEROUS - double check output before saying yes!
# if you want to keep specific package use "emerge -n PACKAGE_NAME" to keep it.
emerge -ac
# clean obsolete binary packages (-d = destructive, -p = pretend; drop -p after reviewing the list):
eclean -dp packages
# clean obsolete sources in /var/cache/portage/distfiles (drop -p after reviewing the list):
eclean -dp distfiles
On system bootstrap we have also to:
# this is required to install GRUB modules into /boot/grub
grub-install /dev/sdX
# if you use real hardware you will likely need firmware:
emerge -an linux-firmware
# generate /boot/grub/grub.cfg
ego boot update
# enable DHCP client:
rc-update add dhcpcd default
# edit FQDN in /etc/conf.d/hostname
# I always use sudo - it will also install metalog logger:
emerge -an app-admin/sudo
rc-update add metalog default
Oops! On 2024-05-19 I hit this bug:
- https://bugs.funtoo.org/browse/FL-12359 (sys-libs/ncurses-6.5_p20240518::core-kit)
Oops! On 2024-04-23 I hit this bug:
- app-text/enchant-2.7.0
- https://bugs.funtoo.org/browse/FL-12292
- used the following hack:
cd /var/git/meta-repo/kits/text-kit
git diff
Applied diff:
diff --git a/app-text/enchant/enchant-2.7.0.ebuild b/app-text/enchant/enchant-2.7.0.ebuild
index a8f15bb..50934c1 100644
--- a/app-text/enchant/enchant-2.7.0.ebuild
+++ b/app-text/enchant/enchant-2.7.0.ebuild
@@ -31,8 +31,7 @@ BDEPEND="virtual/pkgconfig"
src_configure() {
local myconf=(
- --disable-static
- $(use_enable test relocatable)
+ --disable-static --enable-relocatable
$(use_with aspell)
$(use_with hunspell)
$(use_with nuspell)
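Review bot: replacing $(use_enable test relocatable) with a hard-coded --enable-relocatable in src_configure() changes the build for every user, not only for the configuration that failed, and nothing in the hunk records why relocatable is now forced. If the goal is only to unblock the FL-12292 build, keep the option tied to the USE flag or add a comment above local myconf=( explaining the upstream behaviour, so the next maintainer does not revert it.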
@@ -48,4 +47,4 @@ src_configure() {
src_install() {
default
find "${D}" -name '*.la' -delete || die
-}
\ No newline at end of file
+}
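Review bot: this hunk only adds the missing newline at end of file after the closing } of src_install(); it changes nothing functional. Whitespace-only fixes are fine, but mixing them into the same change as the src_configure() edit makes the functional diff harder to review; either split it out or mention it in the commit message.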
And then:
emerge -a app-text/enchant
emerge -auDN @world
emerge -an sys-kernel/debian-sources
# no-op in my case
emerge -anv linux-firmware
# no-op in my case
emerge -an net-firewall/nftables
2024-05-01: Oops! Hit by a bug building git: https://bugs.funtoo.org/browse/FL-12306 Commit: https://code.funtoo.org/bitbucket/projects/AUTO/repos/core-kit/commits/597b351d6a3ca803b6c8cce7fab7c9ccde22277f#dev-vcs/git/git-2.45.0.ebuild Posted workaround:
cd /var/git/meta-repo/kits/core-kit
- apply the patch below:
diff --git a/dev-vcs/git/git-2.45.0.ebuild b/dev-vcs/git/git-2.45.0.ebuild index e8cef15..db17d92 100644 --- a/dev-vcs/git/git-2.45.0.ebuild +++ b/dev-vcs/git/git-2.45.0.ebuild @@ -382,7 +382,6 @@ src_install() { local contrib_objects=( buildsystems fast-import - hg-to-git hooks remotes2config.sh rerere-train.sh
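Review bot: the only change is dropping hg-to-git from the contrib_objects array in src_install(), but the hunk does not say why. If it is removed because that contrib directory is no longer in the 2.45.0 tarball, state so next to the array or in the commit message, and check whether anything else in the ebuild exists only to support hg-to-git (for example a Python dependency), since that should go with it.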
- rerun: emerge -auDN @world
When I build ncdu (tested sys-fs/ncdu-2.3:0) on a host with a CPU that is incompatible with the client, I get:
$ ncdu
Illegal instruction
$ sudo dmesg
traps: ncdu[1995] trap invalid opcode ip:23bd81 sp:7fff83e84e70 error:0 in ncdu[220000+5b000]
It is because ncdu is written in the Zig language, which ignores CFLAGS et al. and by default optimizes code for the current (= build server's) CPU - which is a problem for me...
Try this workaround:
# run command below on build server:
ZIG_FLAGS="-Doptimize=ReleaseFast -Dcpu=x86_64" emerge -a ncdu
# after build run this command on client:
emerge -agk sys-fs/ncdu
# and run (-x does not enter volumes)
ncdu -x
# Wow! No longer "Illegal instruction"
Resources:
Metalog is the only official logger. By default it logs everything to /var/log/everything/current.
I want to log firewall messages (nftables - basically the same as in my Gentoo setup) to dedicated files, but nothing else.
Firewall messages have these characteristics:
- they come from the kernel
- they contain the literal string [NFT]
I added this to /etc/metalog.conf:
# My rule - must be first
Kernel firewall :
facility = "kern"
regex = "\[NFT\]"
logdir = "/var/log/firewall"
break = 1
# Original rules follow
Everything important :
...
I have the following 2nd disk layout using the MBR + BIOS scheme:
- /dev/sdb1 - NetBSD disklabel
- /dev/sdb2 - Funtoo Linux /boot
- /dev/sdb3 - Funtoo Linux swap
- /dev/sdb4 - Funtoo Linux /
GRUB is installed into the MBR of /dev/sdb (and it also occupies a few blocks before the start of /dev/sdb1).
To add NetBSD to the GRUB menu I appended to /etc/boot.conf:
"NetBSD" {
type win7
params root=/dev/sdb1
}
And ran ego boot update. Using type win7 under the hood uses "chainloader" (GRUB simply loads the specified sectors from /dev/sdb1 into RAM and jumps to them (chains) to continue booting the OS from /dev/sdb1). You can look into the generated config at the standard location /boot/grub/grub.cfg
What is weird is that although /usr/share/ego/python/funtoo/boot/extensions/grub.py contains:
		if mytype in ["win7", "win8"] or mytype == "win10" and self.uefiboot is False:
			boot_menu.lines.append(" chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
				" chainloader +4"
			)
		elif mytype in ["vista", "dos", "winxp", "haiku"]:
			boot_menu.lines.append(" chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
				" chainloader +1"
			)
		elif mytype in ["win10"]:
			boot_menu.lines.append(" chainloader " + mychainloader) if mychainloader else boot_menu.lines.append(
				" chainloader /EFI/Microsoft/Boot/bootmgfw.efi"
			)
it works (I should rather have chosen an OS type with chainloader +1 instead of +4) - it is a mystery that it works.
Here is my experiment: maintaining the "srv" (aka "core") edition of Funtoo Linux and seeing how many updates there are.
Doing:
ego sync
# on server:
emerge -auDN @world
# on client append -gk to use binaries
# carefully study output:
emerge -ac
# on server only (clean obsolete binaries):
eclean -dp packages
# review list and then run:
eclean -d packages
- 2024-02-03:
  - previous update (not tracked here)
- 2024-02-12:
  - 8 packages:
    [ebuild U ] sys-libs/ncurses-6.4_p20240210 [6.4_p20240127]
    [ebuild U ] app-misc/ca-certificates-20240203 [20230311]
    [ebuild U ] app-editors/vim-core-9.1.0076 [9.1.0059]
    [ebuild U ] dev-vcs/git-2.43.1 [2.43.0]
    [ebuild U ] dev-lang/rust-bin-1.76.0 [1.75.0]
    [ebuild U ] virtual/rust-1.76.0 [1.75.0]
    [ebuild U ] dev-db/postgresql-16.2 [16.1]
    [ebuild U ] app-editors/vim-9.1.0076 [9.1.0059]
  - please note that the Rust binary alone takes 481MB installed...
It is useful to at least sometimes look at what is listening on TCP or UDP ports, using any of:
ss -ltunp
netstat -tulnp
(-n shows numeric ports instead of service names; -p shows the owning process and needs root.)
You should pay special attention to processes that listen globally, which means:
a. 0.0.0.0:PORT for IPv4, for example 0.0.0.0:22 (SSH listening for TCP/IPv4 connections)
b. :::PORT for IPv6 (ss prints it as [::]:PORT or *:PORT), for example :::22 (SSH listening for TCP/IPv6 connections)
Found (in the gnome flavor) that vino-server is listening globally on port 5900 for VNC connections. It is installed as package net-misc/vino and started on GNOME login. To disable it, it should be enough to remove the link:
rm /etc/xdg/autostart/vino-server.desktop
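As an added example (my code, not from the original page), here is a small Python audit of the check described above: it parses ss -ltunp output, keeps only sockets bound to a wildcard address (0.0.0.0, ::, [::] or *), extracts the owning process, and filters out the ports you intentionally expose, so a vino-server on 0.0.0.0:5900 stands out. The ss output embedded in the block is constructed to model the finding above, not a real capture; the process names and PIDs in it are made up. Run it without arguments to audit the live system (needs root for the -p column).

```python
import re
import subprocess
import sys

# Wildcard local addresses as printed by ss/netstat: IPv4 any, IPv6 any
# (netstat prints ":::PORT", ss prints "[::]:PORT" or "*:PORT").
WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}

# Constructed sample of `ss -ltunp` output (not a real capture; the
# vino-server line models the finding described above).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*         users:(("dhcpcd",pid=801,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=950,fd=3))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=950,fd=4))
tcp   LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("vino-server",pid=2042,fd=9))
tcp   LISTEN 0      511    127.0.0.1:80        0.0.0.0:*         users:(("nginx",pid=1200,fd=6))
"""

# First process name inside ss's users:(("name",pid=N,fd=M)) column.
PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_addr_port(field):
    """Split an 'addr:port' field on the LAST colon, so IPv6 works:
    '[::]:22' -> ('[::]', '22'), ':::22' -> ('::', '22')."""
    addr, _, port = field.rpartition(":")
    return addr, port


def global_listeners(ss_output):
    """Return sockets bound to a wildcard address as (proto, addr, port, process)."""
    found = []
    for line in ss_output.splitlines()[1:]:      # skip the header line
        parts = line.split()
        if len(parts) < 6:                       # malformed / blank line
            continue
        proto, local = parts[0], parts[4]        # Netid, Local Address:Port
        addr, port = split_addr_port(local)
        if addr not in WILDCARDS:
            continue                             # loopback or specific address
        m = PROC_RE.search(line)
        proc = m.group(1) if m else "?"          # "?" without -p or without root
        found.append((proto, addr, port, proc))
    return found


def unexpected(listeners, allowed_ports):
    """Drop the ports you deliberately expose (e.g. {"22", "68"})."""
    return [l for l in listeners if l[2] not in allowed_ports]


if __name__ == "__main__":
    # Usage: python3 audit.py 22 68   (ports you expect to be global)
    out = subprocess.run(["ss", "-ltunp"], capture_output=True,
                         text=True, check=False).stdout
    for proto, addr, port, proc in unexpected(global_listeners(out), set(sys.argv[1:])):
        print(f"{proto} {addr}:{port} {proc}")
```

On the constructed sample, allowing 22 and 68 leaves exactly one line, tcp 0.0.0.0:5900 vino-server, which is the finding above. A global listener that you cannot explain is also a good reason to check what the nftables input chain does with it, since removing the autostart file only helps until something else starts the program.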
GeoClue is unbelievable spyware that will start on request of any whitelisted app and query location using Mozilla Location Services (location.services.mozilla.com). If you don't believe it, look at /etc/geoclue/geoclue.conf. You can try the command equery f app-misc/geoclue to list all files related to GeoClue.
Please note that geoclue can be started at any time - when some application requests it through dbus using the hook /usr/share/dbus-1/system-services/org.freedesktop.GeoClue2.service - another reason why dbus should be banned... If you have metalog running you can find in the logs:
grep GeoClue /var/log/everything/current
[dbus-daemon] [system] Activating service name='org.freedesktop.GeoClue2' requested by ':1.17' (uid=109 pid=11369 comm="/usr/bin/gnome-shell ") (using servicehelper)
So be aware that it means absolutely nothing that there is no startup script in /etc/init.d (but there is one for systemd...).
I also removed the agent for geoclue - it is a spy service that will contact Mozilla servers on each boot (or login) to determine your location. It will then happily provide your location to any dbus client...
rm /etc/xdg/autostart/geoclue-demo-agent.desktop
But that is not the whole story. There is also a service:
$ equery b /usr/share/applications/geoclue-where-am-i.desktop
app-misc/geoclue-2.4.13
WARNING! This spyware can't be removed - gnome-shell REQUIRES it to start at all!
Trying to at least silence it in /etc/geoclue/geoclue.conf
Install with:
emerge -an www-servers/nginx
WARNING! In the default configuration, NGINX listens just on localhost - so it is NOT reachable from outside. To allow a global http server on port 80 you can:
- use my example of /etc/nginx/sites-available/default
- remove the localhost link and create a new default link with (the links live in sites-enabled, not in sites-available):
cd /etc/nginx/sites-enabled
rm localhost
ln -s ../sites-available/default
Now verify that the configuration is valid with:
/etc/init.d/nginx configtest
Enable autostart in the default run-level:
rc-update add nginx
Start it manually (needed only before reboot):
/etc/init.d/nginx start
TODO: https support (certs or certbot)
There is trac package but it does not work:
emerge -av www-apps/trac
These are the packages that would be merged, in order:
Calculating dependencies... done!
emerge: there are no ebuilds to satisfy "dev-python/genshi[python_targets_python2_7(-)?,-python_single_target_python3_10(-),-python_single_target_pypy3(-),-python_single_target_python3_7(-),-python_single_target_python3_6(-),-python_single_target_python3_9(-),-python_single_target_python3_8(-)]".
(dependency required by "www-apps/trac-1.2.1::net-kit" [ebuild])
(dependency required by "www-apps/trac" [argument])
There is a python2 binary but it is just a wrapper:
$ equery b /usr/bin/python2
* Searching for /usr/bin/python2 ...
dev-lang/python-exec-2.4.6-r2 (/usr/bin/python-exec2c)
dev-lang/python-exec-2.4.6-r2 (/usr/bin/python2 -> python-exec2c)
Installing Python 2 alongside the existing Python 3 (note that Python 2.7 has been end-of-life since January 2020 and receives no security fixes, so keep it only for such legacy builds):
emerge -av '<dev-lang/python-3.0'
Verifying that both Python versions work:
$ python2 --version
Python 2.7.18
$ python3 --version
Python 3.9.19
Unable to emerge Ruby on Rails:
emerge -an dev-ruby/rails
emerge: there are no ebuilds to satisfy ">=dev-ruby/sprockets-3.0.0:*[ruby_targets_ruby31(-)]".
(dependency required by "dev-ruby/sprockets-rails-3.2.2::ruby-kit[-test,ruby_targets_ruby31]" [ebuild])
(dependency required by "dev-ruby/rails-6.1.4::ruby-kit[ruby_targets_ruby31]" [ebuild])
(dependency required by "dev-ruby/rails" [argument])
This already happened in the past (but with different versions):
I use the 1st HDD with Proxmox VE as the only boot GRUB loader. However, it has os-prober intentionally disabled because there is a risk that it will find a "phony" Linux installation on lvm-thin (or plain lvm) partitions. So I can't safely use os-prober to add Funtoo or other foreign Linux distributions to the Proxmox GRUB menu.
However, as long as my target Funtoo has generated a proper /boot/grub/grub.cfg on its partition (with ego boot update), one can use nested GRUB menu loading. Here is an excerpt from my /etc/grub.d/40_custom on the Proxmox host, to load the Funtoo GRUB menu from an MBR partition with an ext4 filesystem:
menuentry "Funtoo Srv - nested grub - SAMTB /dev/sdb10" {
insmod part_msdos
insmod ext2
search --no-floppy --fs-uuid --set=root 64021de2-1f63-4d4a-b3e6-38ba996b3c74
configfile /boot/grub/grub.cfg
}
This snippet, when selected, will magically load the menu from Funtoo's /boot/grub/grub.cfg, so it is always up-to-date :-)
Copyright © Henryk Paluch. All rights reserved.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License