
3. Disk Setup

3.1. Wiping Disks

expects the disks on which you want to install Gentoo Linux to be completely empty. If that's not the case, continue reading. Otherwise, continue with 3.2. Partitioning And Formatting.

If you use SSD(s), I recommend a Secure Erase. Alternatively, you can do a fast wipe the following way, provided that no LUKS, MDADM, SWAP etc. device is open on the disk (copy&paste one command after the other):

# Change disk name to the one you want to wipe
# (/dev/sdX is a placeholder)
disk="/dev/sdX"

for i in $(lsblk -npo kname "${disk}" | grep "^${disk}" | sort -r); do
    read -r -p "Do you want to wipe \"$i\"? Type uppercase \"yes\" to confirm. " wipe

    if [[ ${wipe} == YES ]]; then
        wipefs -a "$i"
    fi
done

If you have confidential data stored unencrypted on HDD(s) and don't want to risk the data falling into the wrong hands, I recommend the use of something like dd, e.g.!

3.2. Partitioning And Formatting


You may want to execute the following code block outside of screen and execute clear right afterwards so that confidential data doesn't show up when scrolling up.

Prepare the disks (copy&paste one command after the other):

# list devices
fdisk -l

# lookup all options
bash /tmp/ -h

# disable bash history
set +o history

# adjust to your liking
bash /tmp/ -f fallbackfallback -r rescuerescue -d "/dev/sda /dev/sdb etc." -s 12

# enable bash history
set -o history

Info: creates the user "meh", which will be used later on to act as non-root.

3.3. /mnt/gentoo Content

After executing "", the btrfs subvolume "@root" mounted by "" at "/mnt/gentoo/" should contain:

four disks content

three disks content

two disks content

single disk content

3.4. Tarball Extraction


A recent stage3-amd64-systemd-mergedusr-*.tar.xz file was downloaded and verified by which itself was called by If you work on another architecture, download and verify the correct stage3 tarball (recommended: stage3-<architecture>-systemd-mergedusr-<timestamp>.tar.xz and stage3-<architecture>-systemd-mergedusr-<timestamp>.tar.xz.asc) manually and adjust the commands below accordingly. Later on, an optional switch to one of the custom profiles hardened-systemd-merged-usr and hardened-systemd-merged-usr-selinux, both of which make use of merged-usr, will be done. These custom profiles require modification if you use a stage3 tarball other than the ones recommended above.
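
For the manual verification mentioned above, the following added example (not part of the original guide or its scripts) checks gpg's machine-readable status output and pins the primary key fingerprint, rather than relying on the exit code of gpg alone. The function names, the sample status lines and both fingerprints are constructed for illustration; it assumes the release key has already been imported into the keyring.

```sh
# Added example, not from the guide. All fingerprints below are constructed.

# check_gpg_status PINNED_PRIMARY_FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if exactly
# one good signature is reported and it belongs to the pinned primary key.
check_gpg_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    good=0
    valid=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] "*) line=${line#"[GNUPG:] "} ;;
            *) continue ;;
        esac
        case "${line%% *}" in
            GOODSIG) good=$((good + 1)) ;;
            # Bad, unverifiable, expired or revoked: fail closed.
            BADSIG | ERRSIG | EXPSIG | EXPKEYSIG | REVKEYSIG) return 1 ;;
            VALIDSIG)
                # The first field is the signing (sub)key; the last field is
                # the primary key fingerprint, which is the one being pinned.
                [ "${line##* }" = "$pinned" ] || return 1
                valid=$((valid + 1))
                ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$valid" -eq 1 ]
}

# verify_stage3 TARBALL PINNED_PRIMARY_FPR
# Assumes TARBALL.asc sits next to TARBALL and the key is in the keyring.
verify_stage3() {
    [ -f "$1" ] && [ -f "$1.asc" ] || return 1
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_gpg_status "$2"
}

# Constructed status stream: signature by subkey AAAA..., primary key BBBB...
SAMPLE_SUBKEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SAMPLE_PRIMARY=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.org>" \
        "[GNUPG:] VALIDSIG $SAMPLE_SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $SAMPLE_PRIMARY"
}

sample_status | check_gpg_status "$SAMPLE_PRIMARY" && echo "constructed sample accepted"
```

On the live system, verify_stage3 would be called with the path of the downloaded tarball and the release key fingerprint obtained from a trusted source, and extraction would only proceed if it returns 0.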

Extract the stage3 tarball and copy custom files:

tar -C /mnt/gentoo/ -xpvf /mnt/gentoo/stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner && \
rsync -a --numeric-ids --chown=0:0 --chmod=u=rwx,go=r /tmp/firewall.nft /mnt/gentoo/usr/local/sbin/ && \
rsync -a /tmp/portage_hook_kernel /mnt/gentoo/root/ && \
mkdir -p /mnt/gentoo/etc/gentoo-installation && \
echo -e "\e[1;32mSUCCESS\e[0m"

Extract the portage tarball (based on the archived old handbook):

mkdir /mnt/gentoo/var/db/repos/gentoo && \
touch /mnt/gentoo/var/db/repos/gentoo/.keep && \
mount -o noatime,subvol=@ebuilds /mnt/gentoo/mapperSystem /mnt/gentoo/var/db/repos/gentoo && \
tar --transform 's#^gentoo-[0-9]\{8\}#gentoo#' -C /mnt/gentoo/var/db/repos/ -xvpJf /mnt/gentoo/gentoo-latest.tar.xz && \
rsync -av --numeric-ids --chown=250:250 /tmp/overlay/duxsco /mnt/gentoo/var/db/repos/ && \
mkdir /mnt/gentoo/etc/portage/repos.conf && \
echo '[duxsco]
location = /var/db/repos/duxsco
auto-sync = false' > /mnt/gentoo/etc/portage/repos.conf/duxsco.conf && \
echo -e "\e[1;32mSUCCESS\e[0m"

3.5. Mounting

Mount filesystems for the later chroot to work:

mount -t tmpfs -o noatime,nodev,nosuid,mode=1777,uid=root,gid=root tmpfs /mnt/gentoo/tmp && \

mount --types proc /proc /mnt/gentoo/proc && \
mount --rbind /sys /mnt/gentoo/sys && \
mount --make-rslave /mnt/gentoo/sys && \
mount --rbind /dev /mnt/gentoo/dev && \
mount --make-rslave /mnt/gentoo/dev && \
mount --bind /run /mnt/gentoo/run && \
mount --make-slave /mnt/gentoo/run && \

# I put /home, /var/cache/binpkgs, /var/cache/distfiles and /var/tmp
# on separate btrfs subvolumes to keep backups separate.

mount -o noatime,subvol=@home /mnt/gentoo/mapperSystem /mnt/gentoo/home && \

touch /mnt/gentoo/var/cache/binpkgs/.keep && \
mount -o noatime,subvol=@binpkgs /mnt/gentoo/mapperSystem /mnt/gentoo/var/cache/binpkgs && \

touch /mnt/gentoo/var/cache/distfiles/.keep && \
mount -o noatime,subvol=@distfiles /mnt/gentoo/mapperSystem /mnt/gentoo/var/cache/distfiles && \

touch /mnt/gentoo/var/tmp/.keep && \
mount -o noatime,subvol=@var_tmp /mnt/gentoo/mapperSystem /mnt/gentoo/var/tmp && \
chmod 1777 /mnt/gentoo/var/tmp && \

echo -e "\e[1;32mSUCCESS\e[0m"