The Best OS: Install Gentoo Linux on an encrypted btrfs root with optional Sway WM.

May want to add a note now that Gentoo is switching to python 3.12 as default target starting 20240601!

Bro pin this comment

I didn't have the ability to pin comments previously, but looks like I do now! Cheers for the reminder. 😊

It's niche content, I wouldn't expect a million views, but very happy to hear you got value out of it! 🙂

Glad to hear it helped you! I like to hear about strong preferences-customizability is part of why we choose Gentoo, after all. 😉
I'll see if I can do anything about the links. YT gives me a warning when saving them in the description saying they won't be clickable until my channel is 'verified' either by showing ID (no thanks) or after some indeterminate time of being in good standing, but if they're truncated too I'll try to work around it. Thanks for the heads up!
Lmk if there's anything else you'd like to see covered. I've got a laundry list of topics I'm planning on going over, been focusing more on dev work the past month or so, but getting an itch to make some more videos.

@@libreisaac I'd love to see the video you hinted at being a possibility, a more in depth delve on manually building a kernel. For now I just consider myself to know just enough to be dangerous 😆, I'll be checking out all your future stuff regardless to sift more nuggets into my wetware! thanks again 🙇

Oh one other thing I happened to notice in the eselect news in case anyone from the future comes across this, but Gentoo is changing the default Python target from 3.11 to 3.12 on 2024-06-01.

Glad you got value out of it!
GCC is the better default, but you're very likely end up with both installed. You can use package.env + an env file with CC and CXX etc variables to change compiler on a per-package basis.

@@libreisaac thanks. I'm assuming that it's also possible to do the same thing with musl? (I'm talking about using glibc as the main system library, and using musl when desired.)

Maybe give it a shot again, try it out in a VM. Gentoo now has binaries available for some of the heavier loads.

I haven't tried a hybrid setup of this nature before, so I can't say for certain. What were your VIDEO_CARDS flags? You shouldn't have needed to install any drivers manually.
wiki.gentoo.org/wiki/AMDGPU#Identifying_which_graphics_card_is_in_use has troubleshooting steps, probably you would want `intel radeonsi`.

@@libreisaac Thanks! I thought I would need to write intel and radeon(legacy gpu card) because my Amd radeon r5 m330 release date was before june 2015 so it is not supported by amdgpu

semi-related, but emerging neovim requires i set LUA_SINGLE_TARGET to "lua5-1" -- as someone new to gentoo but familiar with linux, is there a way to override this so it uses a newer lua version? ty :)

On the grub menu, you can press a key to edit the boot script for the highlighted entry. I can't remember off the top of my head for certain what the key is-I think it's 'e', but the only laptop I have to hand is one I changed to use the EFI stub boot setup to help another person in the comments here. It should say under the box containing the Grub boot options.
If you open that, and look for the line containing your drive's UUID, what, exactly, does it say?
Also, in the recovery shell, if you try `cryptsetup luksOpen /dev/nvme0p1 root`, does it work, or does cryptsetup not exist?
The necessary modules should be automatically selected with the `--luks` argument passed to Genkernel; if the steps you changed were around the kernel compilation, it's possible it could be the kernel or initramfs which is the problem, but if cryptsetup is available in the initramfs, it's unlikely.
For Neovim, you can't tell it to use 5.4, unless there's an unstable version which uses that lua version. You can, however, add lua5_1 or luajit to LUA_TARGETS, then add the following flags to your package.use:
app-editors/neovim -lua_single_target_lua5-4 lua_single_target_luajit
dev-lua/luv -lua_single_target_lua5-4 lua_single_target_luajit
I also have 'python' on Neovim, and 'npm ssl' on net-libs/nodejs, I believe all three are optional, but required for many LSPs

@@libreisaac the grub editor shows all the proper partitions, and the rescue shell has cryptsetup enabled, but for some reason the part (nvme0n1p1) doesn't show up in /dev/. I'm reinstalling from scratch currently as i may have missed a step somewhere so i can follow up with a bit more info if it fails again
ty for the advice on nvim !

Interesting. Was it just that partition, or nvme in general? When configuring the kernel, check the modules listed in wiki.gentoo.org/wiki/Nvme
Just in case you're not aware, you can luksOpen and chroot off the installation media to enter your env to make changes without needing to reinstall everything again, but doing a reinstall can't hurt. You may want to skip the full recompile step and do it later on when you've got the system booting. You could also skip manually installing Rust, which will result in the binary version being pulled in with Tuigreet, saving additional time, again you can clean up once you're booted successfully.

@@libreisaac i'll check the nvme section - ty ! :)
same error again, the grub editor shows the following:
linux /vmlinuz-(kernel-version-architecture) root=UUID=(unencrypted root uuid) ro rootflags=subvol=activeroot crypt_root=(/dev/nvme uuid) quiet
so i think it may be an nvme-support issue. i'll give configuring the kernel some more a shot and if its successful i'll post the changes here on the offchance someone else winds up needing to do something similar

When booting, Linux mounts your FS as readonly, and at a later step remouts as writable when it's deemed safe to do so. Something is wrong with your boot config.
What does the booted system look like? Do you get Tuigreet, or just a terminal? If Tuigreet, can you log in?
Assuming you can access a terminal:
1. Lsblk to see what's mounted. If any of the mount points described by the guide (/, /home, /boot or /efi) don't exist, that's the first place to look in your fstab.
2. Check your /etc/fstab and UUIDs against blkid, and the options against those in the video. Make sure you're using UUID and not PARTUUID.
3. Check the /etc/inittab again
4. Check /boot/grub/grub.cfg (might be slightly different path, going off the top of my head as I'm on my phone). There should be lines with root=UUID=X and crypt_root=UUID=X. Root may be PARTUUID. The crypt_root UUID should match the UUID from blkid /dev/sda2, and root UUID/PARTUUID should match the corresponding value for the decrypted partition, which should iirc be mounted to /dev/mapper/root.
If you can rc-status boot, both fsck and root should be running.
If you notice an error in a config file, you can reboot with the installation media, cryptsetup luksOpen, mount up and edit with Nano. If you can't actually run commands in your booted env, most stuff can be done in this env too.

​@@libreisaac​ thanks for your answer! My system boots into tuigreet like any normal install would. I can run commands just fine with the exception of anything that needs to write to disk. I did notice an error in my fstab where my boot partition wasn't being mounted correctly due to a typo so i went and fixed that, however all the other uuids seem to match and everything seems to be running fine in rc-status other than systemd-tmpfiles-setup and NetworkManager. Do you have any other idea on what might be wrong?

Can you give some examples of packages where these settings cause issues which are anything worse than a compilation failure?
In the case of compilation failure, it's merely a case of applying a different env-a time sink for large packages like Firefox, but hardly suicidal.
Runtime failures used to be relatively common, but this is a serious software bug-relying on undefined behaviour usually has much worse implications than 'it doesn't support some compiler optimizations'. If you know of packages which have such failures, I'd be happy to go bug the maintainers.
There is a legitimate tradeoff in compilation time, but my personal opinion is that compilation time is seriously overstated as a problem for users-it only blocks a user on first install of a given piece of software. For development, longer compilation can be a massive pain, but nobody should be using Portage to handle iterative development builds.

@@libreisaac i don't have any specific package in mind i was just saying this as general advice, a compile time error can already be a big headache for a beginner, it will only cause frustration especially if we are talking about packages that take forever to compile..
it might not be obvious to the user why the compilation failed, and at the end that's just hours of compilation time down the drain for something that could have been avoided in the first place..
from my knowledge gcc -03 is barely tested, it's very cool some users are willing to do it but personally i would not trust my entire system to be build on it, even with all the sanitizers and safeguards, code will be buggy and unsafe, especially c code, so unless i have full trust on what was written or the performance gain is substantial i will pass.
to people who know what they are doing all kudos to you, i heard lto has come a long way in gentoo (otherwise the lto flag would not exist) but i just don't think the risk/reward is worth it for first timers.

Any disk partitioning utility will do, I'm just fond of parted myself.

TLDR; -O3 can be slower and buggier, you shouldnt use it systemwide, only use it for programs you know which work better with -O3

In GCC and LLVM, O3 is faster. Particularly when comparing march=native on O2 and O3. Clang, at least in the benchmarks I've seen, can be more spotty, but still O3 is generally faster.
In very old hardware, or cache constrained systems, O2 may be faster, but Os is likely to be even faster than O2, and these are niche, not a good general rule. O3 doesn't enable funroll-loops, and hasn't for a very long time. It does loop transformations, but more selective, well thought out transformations than were enabled by the optimization level in the past.
Two decades ago it was true that O3 was generally slower, and quite buggy (the optimization level was not what was buggy, however-the software being compiled was buggy, relying on undefined behaviour, and those bugs were revealed by O3). A decade ago, O3 was often faster, and in most, but not all software, the bugs it revealed were patched. Nowadays, if O3 breaks a piece of software, you probably shouldn't be using that software. I personally haven't encountered anything which needs a lower optimization level-I suspect realistically, only long abandoned drivers for ancient hardware are causes for concern for the average user. On the vast majority of modern systems, it will be faster than O2. Rust uses O3 for this reason.
The differences are not huge, and the compilation times *are* non-trivially longer, but personally, I think people make far more of a big deal about compilation times than they warrant. Still, some people really do care, and those people would probably be better served with O2 because the gains O3 yields are not generally large. LTO is even worse for compilation times, though in some cases it can yield quite significant performance improvements, so it's a trickier tradeoff for those people.
Agree that people should read the wiki, and I'll outright say people *should* RTFM.

Likely graphics driver/config related. What's your GPU, and the value of /etc/portage/make.conf VIDEO_CARDS? And how many cardX values do you see when running ls /dev/dri (you can hit F2 in greetd to change the sway script to /bin/bash to login to a terminal).

@@libreisaac 1060ti, nouveau and when i run ls /dev/dri i see "by-path", "card0" and "renderD128"

@@libreisaac nvidia 1060ti, nouveau and when i run "ls /dev/dri/" it shows "by-path", "card0" and "renderD128".

If you modify the sway script to have --unsupported-gpu does it work?
Or if you hit e on the grub menu, and add 'nvidia-drm.modeset=1' to the kernel params after crypt_root? (If this fixes it, you'll need to edit /etc/default/grub, remove grub from /boot and regenerate).
Does your CPU have integrated graphics?

In gentoo, it's crypt_root. It can be different in other distros though.

@@libreisaac OK :) I ask because earlier you use /dev/mapper/cryptroot path (not /dev/mapper/crypt_root) but if I understand well, it is irrelevant... right?

Yep, that's just the name used during installation, and it could really be anything you liked. Doesn't have an impact on the installed system.

What output do you get running 'alsamixer' in a terminal?
Can you launch Firefox from a terminal with 'Firefox -safe-mode'? If so, does it work launching without safemode after disabling hardware acceleration?

@@libreisaac alsa-mixer and alsamixer display the same thing: bash command not found
Safe mode for Firefox works fine, in the settings after unchecking use hardware accel when available for Firefox and reopening it still doesn't work and if I edit the about:config to change webgl.disabled to true it doesn't change (I briefly looked up to try and change it but I might be mistaken)
Also I greatly appreciate you helping me out for all of these

Wait my bad, I think I understand go into package.use and -hwaccel then update it, doin it now

You may have already said, but what exactly is your GPU setup and videocards flags? Including integrated graphics which aren't in use.
If you run 'emerge --info alsa-utils', what use flags are applied? Just to be doubly sure it's not some weird path issue, '/bin/alsamixer' definitely doesn't exist? Even in a root terminal ('doas -u root /bin/bash' then 'ls /bin/alsa*')

@@libreisaac I have an intel integrated video card, and I looked up the type and it shouldn't be the old one, it's compatible with virtual acceleration according to their websites, the flag is "Intel" I already tried the other Intel type thing and had the same issue from what I remember
EDIT: Intel(R) HD Graphics 4000
Running the info emerge: nls -bat -doc -ieee1394 -libsamplerate -ncurses (-selinux) ABI_X86=(64)
Doing ls: I got also info, alsactl, alsatplg and alsaucm, I remember it's meant to be here but for whatever reason it's not

What do you mean by profile? The env profile? Make sure the structure is:
/etc/portage/
package.env -- Contains www-client/firefox no-lto
env/no-lto -- Contains the environment variable overlays
For the WiFi, you may need to try enabling binary redistributables for the Linux firmware package, reemerging it (on Ethernet or in the live env CD) and rebooting.

​@@libreisaac I'll try the Wi-Fi solution you have real quick and I think it's the software profile with like specific settings or Your Firefox profile cannot be loaded. It may be missing or inaccessible
I have the env and no lto correct and safe mode works with Firefox for whatever reason

​@@libreisaacthank you for some reason I thought I reemerged the firmware after uncommenting but I guess I hadn't it's popping up with ifconfig now

​@@libreisaacWiFi works! Thank you

​@@libreisaacerror for Firefox: JavaScript error: resource://gre/modules/XULstore.sys.mjs line 60 error can't find profile directory

What's the error you're getting?
Should be able to log in as root and modify the /etc/doas.conf file to fix whatever you did wrong.
On the login screen, hit F2, change the command to just `/bin/bash` to login to a terminal, log in as root, with whatever you set the password to on the first passed command, and open the config file in nano.
If the config file has the correct content ('permit :wheel'), then check the permissions are correct as in the doas config chapter (timestamps in the description), and make sure your user account is in the wheel group (usermod USERBAME - aG wheel).
When you run doas, you should be entering your user account password, not the root password.

If you can't even log in as root, you can always boot into the installation media again, and run the following:
cryptsetup luksOpen /dev/yourrootpartition cryptroot
mount /dev/mapper/cryptroot /mnt/gentoo -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=activeroot
Then run the same set of chroot commands as previously (see timestamps in description) and you then should be able to run passwd to change the root password and passwd USERNAME to change your user account's password.

It's entirely my bad I misunderstood something fundamentally, nothing went wrong

Thank you for the very quick reply

What's in 'nano ~/.config/sway/config'? You can hit F2 in Tuigreet to change the login command from the Sway script to '/bin/bash' to easily access a terminal. Iirc by default foot is on Win+Enter or Alt+Enter with a broken sway config, which is another option.
If that config file doesn't exist, you either missed the sway config step, or copied to the wrong location, and it's using the fallback. The description has timestamps, you can go through the sway config steps again (no need to re-emerge anything, just the Github and unpacking steps), or if you just put the sway config in the wrong place, you can move it to that directory.
If the file exists, you'll just need to find the offending line and comment it out/remove it/change it, or source the default Sway background image and place it in the location it's trying to read it from.

@@libreisaac the file ~/.config/sway/config exists

im going to try and manually add a default background

@@libreisaac manually putting a background did get it to boot with the background and curser but nothing else appears

Do you have a line near the top whose content is '# Programs'?

What GPU do you have, and what is the value of your VIDEO_CARDS variable in /env/portage/make.conf?

@@libreisaac I'm using a Fujitsu Life book t902 so the graphics are intel HD Graphics 4000 with 3rd generation Core i processors

@@libreisaac I think I might need to change over to Intel i965 for the video card in portage make conf

I haven't tried this, so word of warning: might be completely wrong. Basing loosely off wiki.gentoo.org/wiki/EFI_stub
I'll give it a try at some point and report back w/ findings, but feel free to try and lmk if you run into issues in the meantime.
1. Swap out the `grub` use flag on `installkernel` in `package.use` with `efistub`. _May_ require additional use flag changes, which Portage should report.
2. When configuring the kernel, open `Processor types and features`, go to the bottom, where you should see a deselected option for `Built-in kernel command line`; enable it w/ space.
3. Enter on the new `Built-in kernel command string` option directly below.
4. Set to `cryptdevice=UUID=[UUID for encrypted root partition] root=PARTUUID=[PARTUUID for decrypted device (/dev/mapper/cryptroot)] rw quiet`.
5. When configuring services run `rc-update add kernel-bootcfg-boot-successful default` to add a boot entry to the EFI menu when boot succeeds.
And of course, skip all the grub-related steps in the video, don't install grub, etc.

@@libreisaac Okay I'll get back to you when I've finished the system, thank you.

@@libreisaac It doesnt prompt me for a passowrd and sys it couldnt find the root device ?

Spinning up a VM now

Took longer than I would have liked. Wound up having to do it on bare metal; my VM's UEFI firmware is a little borked, and the documentation is pretty lacking IMO, but eventually got a successful boot.
1. Boot back into your installation media & select keyboard layout
2. `cryptsetup luksOpen /dev/sda2 cryptroot`
3. `mount -t btrfs -o defaults,noatime,compress=lzo,autodefrag,subvol=activeroot /dev/mapper/cryptroot /mnt/gentoo`
4. Same again for `subvol=home` to `/mnt/gentoo/home`
5. Run the chroot mounts and commands again; timestamp in the video description will take you to the relevant part of the video.
6. Add `sys-kernel/installkernel ~amd64` and `sys-boot/uefi-mkconfig ~amd64` to your `/etc/portage/package.accept_keywords` file; `efistub` is not on the stable release.
7. `emerge --ask installkernel` should show the `efistub` use flag now; confirm to update it.
8. You'll need your relevant microcode package. For example, with an Intel CPU, I had to: add `sys-firmware/intel-microcode intel-ucode` to `package.license`, `sys-firmware/intel-microcode initramfs` in `package.use`, run through the WiFi connection steps in the corrections comment on this video (for WiFi), switch to a non-chrooted terminal and run `cp /etc/resolv.conf /mnt/gentoo/etc/resolv.conf`, then back in a chroot terminal run `emerge --ask intel-microcode`.
9. `genkernel --luks --btrfs --keymap --no-splash --oldconfig --save-config --menuconfig --install all`
10. Disable `Processor type and features -> Built-in kernel command line`, make `File systems -> DOS/FAT/EXFAT/NT -> MSDOS` and `VFAT` built-in (`*`, not `M`), and clear all options in `Device Drivers -> Graphics Support -> Frame buffer devices -> Support for frame buffer device drivers`, except `EFI-based Framebuffer Support` and `Simple framebuffer support`, save, and exit to compile. Should be much faster than previous compilations.
11. `mkdir -p /efi/EFI/gentoo`
12. `mv /boot/initramfs... /efi/EFI/gentoo/initramfs.img`
13. `mv /boot/vmlinuz... /efi/EFI/gentoo/vmlinuz.efi`
14. `mv /boot/System.map... /efi/EFI/gentoo`
15. `emerge --ask efibootmgr`
16. `efibootmgr --create --disk /dev/sda --part 1 --label "Gentoo" --loader "\EFI\gentoo\vmlinuz.efi" -u "crypt_root=UUID=[uuid from blkid /dev/sda2] root=/dev/mapper/root ro initrd=\EFI\gentoo\initramfs.img rootfstype=btrfs rootflags=subvol=activeroot quiet"`
You may also want to run `rm /boot/*.old` to clean up.
In future, for kernel updates, you'll build as usual, then `mv` the files in `/boot` again.
You can list boot entries with just `efibootmgr`, each has a hex number identifier like `Boot0017` where 0017 is the ID. You can delete an entry with `efibootmgr -b 0017 -B`
As you're relying on your computer's firmware, and UEFI implementations are notoriously loose with their interpretations of the spec (I've encountered this myself doing UEFI dev 😩), it's *possible* this won't work for you. I've included some steps (eg some of the driver options in the kernel) which don't seem to be necessary for _everyone_ to try to foolproof it. Lmk if you have any more problems.