
2. Live-CD Environment

In the following, I am using SystemRescue rather than the official Gentoo Linux installation media, in order to make use of its capability to create custom installation media and to set up the "rescue" partition with its chroot.sh script. Unless stated otherwise, commands are executed as "root" on the remote machine where Gentoo Linux is to be installed, initially via TTY and later over SSH. Most of the time you can copy&paste a whole code block, but understand the commands first and make adjustments (e.g. IP address, disk names) where required.

2.1. (Optional) Virtual (Testing) Environment

If you want to use a virtual machine for the upcoming setup, either to test things out or just to be a bit more secure, you have to take some preliminary measures. The easiest way to get started is Virtual Machine Manager (virt-manager) with QEMU:

Open the Virtual Machine Manager:

screenshot of "Virtual Machine Manager"

Create a new virtual machine:

screenshot of "Virtual Machine Manager"

Install from a local medium:

screenshot of "Virtual Machine Manager"

Select the SystemRescue ISO and OS variant "Gentoo Linux":

screenshot of "Virtual Machine Manager"

Select an appropriate number of CPU cores and amount of memory:

screenshot of "Virtual Machine Manager"

Enable storage and select a sufficiently sized disk:

screenshot of "Virtual Machine Manager"

Name your virtual machine, make sure to tick "Customize configuration before install" and set up your network device:

screenshot of "Virtual Machine Manager"

Select a UEFI x86_64 firmware with Secure Boot support and click on "Add Hardware" for the next step:

screenshot of "Virtual Machine Manager"

Select "TPM", configure as shown and click on "Finish":

screenshot of "Virtual Machine Manager"

A new "TPM v2.0" device should be listed. Click on "Begin Installation" for the next step:

screenshot of "Virtual Machine Manager"

Select an appropriate "Boot SystemRescue [...]" boot option and press Enter:

screenshot of "Virtual Machine Manager"

The virtual machine should have booted into SystemRescue:

screenshot of "Virtual Machine Manager"

2.2. Live-CD Setup

Boot into SystemRescue and set the correct keyboard layout (adjust the layout name to your keyboard):

loadkeys de-latin1-nodeadkeys

(Optional) Start Xfce (copy&paste one command after the other):

startx

# Open up a terminal in Xfce and set the keyboard layout:
setxkbmap de

Make sure you booted with UEFI:

[ -d /sys/firmware/efi ] && echo UEFI || echo BIOS

Disable the "magic SysRq" key combinations for security's sake, so that nobody with keyboard access to the machine can use them to reboot it or kill processes (the setting applies to the live system only and does not persist):

sysctl -w kernel.sysrq=0

Using screen

You can detach from the screen session with Ctrl+A then D and reattach with screen -d -r install. Scrolling works with Ctrl+A then Esc, followed by Up / Down / Page Up / Page Down. You can exit "scroll mode" with Esc.

Start a screen session to better cope with network disconnects. Alternatively, you can use tmux.

screen -S install

If the network has not been configured automatically via DHCP, use nmtui (recommended over nmcli). On Xfce, you can additionally use nm-applet.

nmtui

Insert an iptables rule at the correct position in the INPUT chain so that SystemRescue accepts new SSH connections. The rule is inserted at index 4 rather than appended, because a rule placed after the chain's catch-all rule is never reached:

iptables -I INPUT 4 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
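To make "the correct position" checkable, here is an added shell example (my addition for this edit, not part of the guide or of SystemRescue): it reads an INPUT chain in `iptables -S INPUT` format and verifies that an ACCEPT rule for tcp/22 is listed before the chain's catch-all REJECT/DROP rule (a rule with no match options). The two embedded rule listings are constructed for illustration and are not SystemRescue's actual ruleset; on the live system, pipe `iptables -S INPUT` into the function.

```shell
#!/bin/sh
# Added example, not from the guide: verify that the SSH ACCEPT rule sits
# before the INPUT chain's catch-all REJECT/DROP rule.
# Input format: one rule per line as printed by "iptables -S INPUT".

# check_ssh_rule_order < rules
# exit 0 if an "-j ACCEPT" rule for "--dport 22" appears before the first
# catch-all deny rule ("-A INPUT -j REJECT ..." or "-A INPUT -j DROP"),
# exit 1 otherwise; prints a one-line verdict either way.
check_ssh_rule_order() {
    awk '
        /^-A INPUT / {
            n++
            if (!accept && /--dport 22( |$)/ && /-j ACCEPT/)      accept = n
            if (!deny   && /^-A INPUT -j (REJECT|DROP)( |$)/)      deny   = n
        }
        END {
            if (!accept) { print "FAIL: no ACCEPT rule for tcp/22 in INPUT"; exit 1 }
            if (deny && deny < accept) {
                print "FAIL: catch-all deny is rule " deny ", SSH ACCEPT only rule " accept
                exit 1
            }
            msg = "OK: SSH ACCEPT is rule " accept
            if (deny) msg = msg ", catch-all deny is rule " deny
            print msg
        }'
}

# Constructed listings for illustration (not SystemRescue's real ruleset).
# After "iptables -I INPUT 4 ..." the SSH rule lands in front of the final REJECT:
SAMPLE_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# What "iptables -A INPUT ..." would have produced instead: the SSH rule is
# unreachable because the REJECT above it matches every remaining packet first.
SAMPLE_BAD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Usage on the live system:  iptables -S INPUT | check_ssh_rule_order
printf '%s\n' "$SAMPLE_OK"  | check_ssh_rule_order
printf '%s\n' "$SAMPLE_BAD" | check_ssh_rule_order || true   # expected to fail
```

The "INVALID -j DROP" rule in the samples is deliberately not treated as a catch-all: only a rule without any match options terminates the chain for every packet, so that is the rule the SSH ACCEPT has to precede.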

Set a root password:

passwd root

Print the SSH host key fingerprints so that you can compare them against the fingerprint your SSH client shows on the first connection to the SystemRescue system:

find /etc/ssh/ -type f -name "ssh_host*\.pub" -exec ssh-keygen -vlf {} \;

Execute the following "rsync" and "ssh" commands on your local machine from within the checked-out "gentoo-installation" repo (copy&paste one command after the other):

# Copy installation files to remote machine. Don't forget to set the correct IP.
rsync -e "ssh -o VisualHostKey=yes" -av --numeric-ids --chown=0:0 {bin/{portage_hook_kernel,disk.sh,fetch_files.sh,firewall.nft,firewall.sh},overlay} root@XXX:/tmp/

# From local machine, login into the remote machine
ssh root@...

Resume "screen":

screen -d -r install

(Optional) Lock the TTYs on the remote machine by typing the following on its keyboard (not over SSH) (copy&paste one command after the other). Lock a single TTY first and make sure you can unlock it before locking all of them, so that a mistyped root password cannot lock you out:

# Execute "vlock" without any flags first.
vlock

# Try to unlock with the root password.

# If unlocking doesn't work:
# 1. Switch TTY: <ctrl>+<alt>+<F2>
# 2. Set a correct password: passwd root
# 3. Switch to previous TTY: <ctrl>+<alt>+<F1>
# 4. Try to unlock again.

# If unlocking succeeds, execute vlock with flag "-a" to lock all TTYs.
vlock -a

Check whether the UEFI firmware is in Secure Boot setup mode, i.e. no Platform Key is enrolled, which the later enrollment of your own Secure Boot keys requires (copy&paste one command after the other):

pacman -Sy sbctl
sbctl status

Expected output ("Installed" refers to sbctl's own key set, not to the package):

Installed:      sbctl is not installed
Setup Mode:     Enabled <=============== This must state that it's enabled.
Secure Boot:    Disabled
Vendor Keys:    none
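The same information can be read without installing anything. The following shell example is added here (it is not from the guide and not sbctl's code) and reads the SetupMode and SecureBoot variables directly from efivarfs, which is what `sbctl status` reports: each efivarfs file starts with 4 bytes of attributes followed by the variable data, and both variables hold a single byte, 1 or 0. The GUID is the real EFI global variable GUID; `write_efivar` only builds a constructed fixture for the demo and tests and is not something you would run on a real efivarfs.

```shell
#!/bin/sh
# Added example, not from the guide: read the Secure Boot state that
# "sbctl status" reports directly from efivarfs.
# An efivarfs file is 4 bytes of attributes followed by the variable data;
# SetupMode and SecureBoot each hold one byte, 0 or 1.

EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# efivar_u8 DIR NAME -> prints the first data byte of DIR/NAME-<guid>,
# returns 1 (and prints "missing") if the variable is not there.
efivar_u8() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    if [ ! -r "$f" ]; then
        echo missing
        return 1
    fi
    od -An -tu1 -j 4 -N 1 "$f" | tr -d ' \n'
    echo
}

# sb_state [DIR] -> one word:
#   setup-mode              PK is cleared; sbctl can enroll its keys (what the guide needs)
#   user-mode-enforcing     Secure Boot is on with a PK; clear the PK in firmware setup first
#   user-mode-disabled      Secure Boot is off but a PK is still present; same remedy
#   no-secure-boot-support  variables absent (BIOS boot or firmware without Secure Boot)
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    setup=$(efivar_u8 "$dir" SetupMode)  || { echo no-secure-boot-support; return 2; }
    sb=$(efivar_u8 "$dir" SecureBoot)    || { echo no-secure-boot-support; return 2; }
    if   [ "$setup" = 1 ]; then echo setup-mode
    elif [ "$sb" = 1 ];    then echo user-mode-enforcing
    else                        echo user-mode-disabled
    fi
}

# write_efivar DIR NAME VALUE -> constructed fixture file in efivarfs layout
# (attributes 0x00000006 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS, then one byte).
# Test helper only; it is NOT a way to change the firmware's state.
write_efivar() {
    { printf '\006\000\000\000'; printf "\\$(printf '%03o' "$3")"; } > "$1/$2-$EFI_GLOBAL_GUID"
}

main() {
    d=$(mktemp -d)
    write_efivar "$d" SetupMode 1
    write_efivar "$d" SecureBoot 0
    echo "constructed fixture: $(sb_state "$d")"   # setup-mode
    rm -rf "$d"
    echo "this machine       : $(sb_state)"
}
main
```

On the live system, `sb_state` with no argument reads /sys/firmware/efi/efivars; "setup-mode" is the state the guide requires before continuing. If it reports one of the "user-mode" states, the Platform Key has to be cleared in the firmware setup (or, in the virtual machine, the Secure Boot variable store reset) before sbctl can enroll anything.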

On bare-metal, set the date and time if the current system time is not correct (the check for the "hypervisor" CPU flag skips this step inside a virtual machine, where the clock is provided by the host):

# replace "MMDDhhmmYYYY" with the current UTC time
! grep -q -w "hypervisor" <(grep "^flags[[:space:]]*:[[:space:]]*" /proc/cpuinfo) && \
date --utc MMDDhhmmYYYY

On bare-metal, write the system time to the hardware clock:

! grep -q -w "hypervisor" <(grep "^flags[[:space:]]*:[[:space:]]*" /proc/cpuinfo) && \
hwclock --systohc --utc