System preparation

Qemu

Emerge qemu with static-user USE enabled and your wanted architectures.

1
2
3
4
5
6
7
8

app-emulation/qemu      QEMU_SOFTMMU_TARGETS: aarch64 arm x86_64
app-emulation/qemu      QEMU_USER_TARGETS: aarch64 arm x86_64

app-emulation/qemu      static-user
dev-libs/glib           static-libs
sys-apps/attr           static-libs
sys-libs/zlib           static-libs
dev-libs/libpcre2       static-libs

OpenRC

Enable qemu-binfmt:

1

rc-update add qemu-binfmt default

Start qemu-binfmt:

1

rc-service qemu-binfmt start

Chrooting

• select chroot location (eg /chroots/gentoo-arm64-musl-stable)
• unpack the desired rootfs
• create needed directories
  • mkdir -p /chroots/gentoo-arm64-musl-stable/var/cache/distfiles
• execute bwrap
  • with last ro-bind mount the qemu emulator binary (eg qemu-aarch64)
  • execute the mounted emulator binary giving it a shell program (eg bash)

Chroot with bwrap:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

bwrap                                                       \
    --bind /chroots/gentoo-arm64-musl-stable /              \
    --dev /dev                                              \
    --proc /proc                                            \
    --perms 1777 --tmpfs /dev/shm                           \
    --tmpfs /run                                            \
    --ro-bind /etc/resolv.conf /etc/resolv.conf             \
    --bind /var/cache/distfiles /var/cache/distfiles        \
    --ro-bind /usr/bin/qemu-aarch64 /usr/bin/qemu-aarch64   \
    /usr/bin/qemu-aarch64 /bin/bash -l

User-mode

By default you would probably have something like this, the user-mode network:

1
2
3
4
5

<interface type="user">
  <mac address="00:00:00:00:00:00"/>
  <model type="virtio"/>
  <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
</interface>

Bridge

Bridges can be easily created using the NetworkManager’s TUI tool called nmtui.

Bridge XML configuration for Libvirt

1
2
3
4
5
6
7
8

<interface type="bridge">
  <mac address="00:00:00:00:00:00"/>
  <source bridge="br1"/>
  <target dev="vnet2"/>
  <model type="virtio"/>
  <alias name="net0"/>
  <address type="pci" domain="0x0000" bus="0x06" slot="0x00" function="0x0"/>
</interface>

Sysctl options

Be sure the following options are enabled (1):

• net.ipv4.ip_forward
• net.ipv4.conf.all.send_redirects

and the following options are disabled (0):

• net.bridge.bridge-nf-call-iptables

Binpkgs generated by user

The binary packages generated by user can have architecture-specific optimizations because they are generated after they were compiled by the host Portage installation.

In addition binpkgs are generated from ebuilds so if there is a USE flag incompatibility on the consumer system then the binpkg will not be installed on the host and Portage will fall back to from-source compilation.

Those binary packages can use two formats: XPAK and GPKG.

XPAK had many issues and is getting superseded by the GPKG format. Beware of upcoming GPKG transition and if you must use XPAKs then you should explicitly enable it in your system’s Portage configuration.

To host a binary package distribution server see the Binary package guide on the Gentoo wiki.

Bin packages in a repository

Binary packages in ::gentoo (the official Gentoo repository) have the -bin suffix.

Those packages might have USE flags but generally they are very limited in case of customizations or code optimizations because they were compiled either by a Gentoo developer or by a given package upstream maintainer (or their CI/CD system).

Those packages land in ::gentoo mostly because it is too hard (or even impossible) to compile them natively by Portage. Most of the time those packages use very complicated build systems or do not play nice with network sandbox like (e.g. Scala-based projects) or use very large frameworks/libraries like (e.g. Electron).

They can also be added to the repository because they are very desirable either by normal users (e.g. www-client/firefox-bin) or for (from-source) package bootstrapping purposes (e.g. dev-java/openjdk-bin). Such packages are sometimes generated from the regular source packages inside ::gentoo and later repackaged.

Template

File: /etc/systemd/system/APP.service

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

[Unit]
Description=Run APP application

[Service]
Type=simple
ExecStart=/usr/bin/LANG APP_DIR/APP APP_ARGS
Restart=on-failure
User=root
WorkingDirectory=APP_DIR

[Install]
WantedBy=multi-user.target

Also, the application might need to reference a PID file, let systemD know abut it via PIDFile.

1

PIDFile=/tmp/APP.pid

Example

File: /etc/systemd/system/julia_dash_app.service

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

[Unit]
Description=Run Julia Dash application

[Service]
Type=simple
ExecStart=/usr/bin/julia /root/julia_dash_app/main.jl
Restart=on-failure
User=root
WorkingDirectory=/root/julia_dash_app

[Install]
WantedBy=multi-user.target

Intro

Backing up using this method takes a lot less space - ~60MB (without distfiles) and can be restored on almost any system (running portage) and tweaked afterwards for, say, CPU architecture. I've created a a short script with similar method in here.

What we need

• ebuild repositories are installed with git
• distfiles (those might be gone when we want to replicate)

Backup

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# System info
emerge --info > info.txt

# Portage tree
cp -Lr /etc/portage .

# Portage layout
tree -a -L 2 /etc/portage > layout.txt

# Packages in @world
cp /var/lib/portage/world .

# Installed sets
cp /var/lib/portage/world_sets .

# Installed packages (with versions)
qlist --installed --nocolor --umap > qlist-use.txt
qlist --installed --nocolor --verbose > qlist-ver.txt

# Distfiles
cp -rv "$(portageq envvar DISTDIR)" distfiles

# Ebuild database
cp -r /var/db/pkg pkgdb

Restoration

To faithfully restore the system perform those actions as root

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

# Copy the portage tree to /etc
rm -dr /etc/portage
cp -r portage /etc/portage

# Checkout the gentoo repo to a commit specified in info.txt
cd "$(portageq get_repo_path / gentoo)"
git checkout # <commit ID>

# Copy distfiles
cp -r distfiles/* "$(portageq envvar DISTDIR)"/

# Fake-install @world and sets
cp world /var/lib/portage/world
cp world_sets /var/lib/portage/world_sets

# Emerge the exact packages from qlist-ver.txt
emerge --keep-going=y -1Oav $(sed 's/^/=/' qlist-ver.txt)

Init basic functions

Init should:

• be the first started process - PID 1
• continue running until the system is shut down

Why systemd is more than init

Full system management

systemd needs to run as PID 1 to parenthood other services and… other parts of itself (listed below).

sytemd absorbed

• cron -> timers
• seat tracker -> systemd-logind
• service manager -> systemd-systemctl
• udev -> systemd-udevd
• system logger -> systemd-journald
• network manager -> systemd-networkd
• bootloader -> systemd-boot
• hostname -> systemd-hostnamed
• chroot -> systemd-nspawn
• resolv.conf generator -> systemd-resolved

Additionally systemd is also

• QR code generator
• http server (cockpit)
• home manager -> systemd-homed
• tmp manager -> systemd-tmpfiles

Why it's bad

systemd growth to cover more and more of other services capabilities is dangerous. It can mean that if we find a exploit in one part of systemd it will be easy to compromise the whole system. Actually, there is a even bigger problem - most of the time a user would like to run a standalone service covering one of the uses already covered by systemd - like cronie or rsyslog.

But what about cgroups

Cgroups are nothing new, they are available in other service managers too. Check out cgroups in OpenRC.

Alternatives

OpenRC

Primarily used by Gentoo based systems. Was adopted to Devuan and Artix. Alpine Linux uses it probably because it started out as a Gentoo-based system. Is also available in Debian - though that will still use some systemd services, notably systemd-udevd.

Runit

Avalible in Void Linux - the recommended init for that system.

Pure System V init

Most popular use of this is found in old CentOS, Slackware, Antix and MX Linux.

S6

Check out Devuan if you want to dive into this topic.

systemd + Emacs

One could think that because systemd and Emacs cover a lot of things - systemd - system management and emacs - user utilities - a fusion of two would be very good and will lack so-called bloat. There is one "problem" however - Emacs can be used also as a init! And that doesn't necessarily mean a lot more code being added. So i guess Emacs + Linux (kernel) is the way to go ;P

Was systemd a inside job?

Probably not - Microsoft made their own init for Azure because… systemd was to big… systemd is a history of what happens when everybody wants to be like the rest - adoption of systemd.

Is systemd the new busybox?

This is an interesting concept. There is one bad thing however - you can compile bysybox with any of its utilities and it will work - you can't do that with systemd, you will have to modify and fork it - like eudev and elogind projects

OpenRC prejudice

Many people think of OpenRC as a old SysVinit. I encourage you to check it out and see that most stuff you probably do with systemd you can get from OpenRC (service manager) + cronie (cron/timers) + htop/pstree (full description of system as opposed to "systemctl status")

Basic OpenRC vs systemd commands

OpenRC systemd ————————— ————————— rc-status -a systemctl status rc-service SERVICE start systemctl start SERVICE rc-service SERVICE stop systemctl stop SERVICE rc-update add SERVICE systemctl enable SERVICE rc-update del SERVICE systemctl disable SERVICE

Sources

• Ewontfix
• Wikipedia
• SystemE - Emacs as init

Honorable Mentions

• https://forums.gentoo.org/viewtopic-t-1105854.html
• https://unixsheikh.com/articles/the-real-motivation-behind-systemd.html