Installation of a Gentoo system
Tags: gentoo linux UpdateNeeded


When installing a Gentoo system for the first time, please refer to the wonderful Gentoo handbook. This page is just shorthand installation notes for when you know exactly what you are doing.

Installation media

You can get a bootable ISO or live USB image from https://www.gentoo.org/downloads/. I recommend the minimal one. To create a bootable USB drive, just use dd to copy the image onto it. Then boot from this brand new installation media.

Once you have booted the installation media, you can start sshd, set a temporary password and proceed with the installation more comfortably from another machine:

/etc/init.d/sshd start

Don’t forget to either run dhcpcd or manually set an IP address and gateway on the machine.


There are several options depending on whether you need software RAID, full disk encryption or a simple root device with no additional complications. It will also differ depending on whether you are using a virtual machine or a physical one.

blkdiscard /dev/nvme0n1
sgdisk -n1:0:+2M -t1:EF02 /dev/nvme0n1
sgdisk -n2:0:+512M -t2:EF00 /dev/nvme0n1
sgdisk -n3:0:0 -t3:8300 /dev/nvme0n1
mkfs.fat -F 32 -n efi-boot /dev/nvme0n1p2
mkfs.xfs /dev/nvme0n1p3
mount /dev/nvme0n1p3 /mnt/gentoo
cd /mnt/gentoo

Make sure you do not repeat the mistake I too often make by mounting something to /mnt while using the liveusb/livecd. You will lose your shell if you do this and will need to reboot!

Get the stage3 and chroot into it

Get the stage 3 installation file from https://www.gentoo.org/downloads/. I personally use the non-multilib one from the advanced choices, since I am no longer using any 32-bit software except Steam, and I use Steam from a multilib chroot.

Put the archive on the server in /mnt/gentoo (you can simply wget it from there), then extract it:

tar xpf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
mount /dev/nvme0n1p2 boot
mount -R /proc proc
mount -R /sys sys
mount -R /dev dev
chroot .
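
A check that belongs between the download and the tar step above, as an added example that is not part of the original notes: verify the tarball's OpenPGP signature and its SHA512 entry in the DIGESTS file before extracting. The function names are hypothetical, and it assumes the `.asc` and `.DIGESTS` files were downloaded next to the tarball, that the Gentoo release key is already imported, and that DIGESTS uses the `# SHA512 HASH` header layout shown in the comments.

```shell
#!/bin/sh
# Added example: authenticate a stage3 tarball before extracting it.
# Function names are hypothetical; the DIGESTS layout is an assumption:
#   # SHA512 HASH
#   <hex digest>  <file name>

# Print the SHA512 recorded in DIGESTS file $2 for file name $1.
expected_sha512() {
    awk -v f="$1" '
        /^# /           { want = ($2 == "SHA512"); next }  # section header
        want && $2 == f { print $1; exit }                 # digest line
    ' "$2"
}

# 0 = digest matches, 1 = mismatch, 2 = no SHA512 entry for this file.
check_digest() {
    tarball=$1 digests=$2
    want_sum=$(expected_sha512 "$(basename "$tarball")" "$digests")
    [ -n "$want_sum" ] || { echo "no SHA512 entry for $tarball" >&2; return 2; }
    have_sum=$(sha512sum "$tarball" | cut -d' ' -f1)
    [ "$want_sum" = "$have_sum" ] || { echo "SHA512 mismatch: $tarball" >&2; return 1; }
}

# Verify the detached signature <tarball>.asc. gpg accepts any key in the
# keyring, so the keyring should hold only the release key you trust.
check_signature() {
    gpg --verify "$1.asc" "$1"
}

# Run from /mnt/gentoo: extract only when both checks pass.
extract_verified() {
    check_signature "$1" && check_digest "$1" "$1.DIGESTS" &&
        tar xpf "$1" --xattrs-include='*.*' --numeric-owner
}
```

With the three files in /mnt/gentoo, `extract_verified stage3-*.tar.xz` replaces the bare tar call and refuses to unpack a tarball that fails either check.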

Initial configuration

We set the system locale:

echo 'LANG="en_US.utf8"' > /etc/env.d/02locale
echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
env-update && source /etc/profile
echo 'nameserver' > /etc/resolv.conf

We set up a loop device to hold the portage tree. It is formatted with options tuned for the many small files that compose it:

mkdir -p /srv/gentoo-distfiles
truncate -s 10G /portage.img
mke2fs  -b 1024 -i 2048 -m 0 -O "dir_index" -F /portage.img
tune2fs -c 0 -i 0 /portage.img
mkdir /usr/portage
mount -o loop,noatime,nodev /portage.img /usr/portage/

We set default compilation options and flags. If you are not me and cannot rsync this location, you can browse it from https://packages.adyxax.org/x86-64/etc/portage/:

rsync -a --delete packages.adyxax.org:/srv/gentoo-builder/x86-64/etc/portage/ /etc/portage/
sed -i /etc/portage/make.conf -e s/buildpkg/getbinpkg/
echo 'PORTAGE_BINHOST="https://packages.adyxax.org/x86-64/packages/"' >> /etc/portage/make.conf

We get the portage tree and sync the timezone

emerge --sync

Set hostname and timezone

sed -i /etc/conf.d/hostname -e "/hostname=/s/=.*/=\"${HOSTNAME}\"/"
echo "Europe/Paris" > /etc/timezone
emerge --config sys-libs/timezone-data

Check cpu flags and compatibility


emerge cpuid2cpuflags -1q
gcc -### -march=native /usr/include/stdlib.h

Rebuild the system

emerge --quiet -e @world
emerge --quiet dosfstools app-admin/logrotate app-admin/syslog-ng app-portage/gentoolkit \
       dev-vcs/git bird openvpn htop net-analyzer/tcpdump net-misc/bridge-utils \
       sys-apps/i2c-tools sys-apps/pciutils sys-apps/usbutils sys-boot/grub sys-fs/ncdu \
       sys-process/lsof net-vpn/wireguard-tools
emerge --unmerge nano -q

Grab a working kernel

Next we need to grab a working kernel from our build server along with its modules. If you don’t have one already, you have some work to do!

Check the necessary hardware support with:

i2cdetect -l
lspci -nnk

TODO specific page with details on how to build required modules like the nas for example.

emerge gentoo-sources genkernel -q

Final configuration steps


# /etc/fstab: static file system information.
#<fs>         <mountpoint>  <type>  <opts>              <dump/pass>
/dev/vda3     /             ext4    noatime,discard     0  1
/dev/vda2     /boot         vfat    noatime             1  2
/portage.img  /usr/portage  ext2    noatime,nodev,loop  0  0


echo 'hostname="phoenix"' > /etc/conf.d/hostname
echo 'dns_domain_lo="adyxax.org"
config_eth0=" netmask"
routes_eth0="default via"' > /etc/conf.d/net
cd /etc/init.d
ln -s net.lo net.eth0
rc-update add net.eth0 boot


TODO especially the conf in /etc/default/grub when using an encrypted /

In the case of UEFI, use something like:

grub-install --efi-directory=/boot/ /dev/nvme1n1
grub-mkconfig -o /boot/grub/grub.cfg


scp root@collab-jde.nexen.net:/etc/hosts /etc/

root account access

mkdir -p /root/.ssh
echo ' ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILOJV391WFRYgCVA2plFB8W8sF9LfbzXZOrxqaOrrwco  hurricane' > /root/.ssh/authorized_keys

Add necessary daemons on boot

rc-update add syslog-ng default
rc-update add cronie default
rc-update add sshd default


rc-update add shorewall default
sed '/PRODUCTS/s/=.*/="shorewall"/' -i /etc/conf.d/shorewall-init
rc-update add shorewall-init boot

echo '[sshd]
enabled  = true
filter = sshd
ignoreip =
bantime  = 3600
banaction = shorewall
logpath = /var/log/messages
maxretry = 3' > /etc/fail2ban/jail.d/sshd.conf
rc-update add fail2ban default

{ "iptables": false }
rc-update add docker default

rc-update add lxd default