Difference between revisions of "CloverOS GNU/Linux"

From /tech/ Wiki
(Firefox configuration hardening)
Line 613: Line 613:
===I want to donate/host a mirror===
===I want to donate/host a mirror===
Run <pre>rsync -av --delete rsync://nl.cloveros.ga/cloveros /your/webserver/location/</pre> and link me the https://
Run <pre>rsync -av --delete rsync://nl.cloveros.ga/cloveros /your/webserver/location/</pre> and link me the https://
===Disabling Intel mitigations for performance===
sudo GRUB_CMDLINE_LINUX_DEFAULT="kpti=0 l1tf=off pti=off spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off ssbd=force-off" grub-mkconfig -o /boot/grub/grub.cfg
Make sure the computer you run this on has nothing important on it. (Dedicated gaming machines, etc.)
===Recompiling all packages/kernel with -march=native for performance===
===Recompiling all packages/kernel with -march=native for performance===
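Review bot: the new "Disabling Intel mitigations for performance" section sets GRUB_CMDLINE_LINUX_DEFAULT only as a one-off environment variable on the grub-mkconfig call, so the parameters live only in the generated grub.cfg, are overridden if /etc/default/grub already assigns that variable, and disappear the next time grub-mkconfig is run without it. The section should say that, and its warning line should name what is being switched off (page table isolation, L1TF, Spectre v2 and speculative store bypass mitigations) and how to undo it, because "nothing important on it" gives the reader no way to judge the exposure.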
Line 630: Line 636:
sudo binutils-config --linker ld.bfd
sudo binutils-config --linker ld.bfd
sudo genkernel --kernel-config=config-arch-64 all
sudo genkernel --kernel-config=config-arch-64 all
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo emerge -b @module-rebuild
sudo emerge -b @module-rebuild
sudo binutils-config --linker ld.gold
sudo binutils-config --linker ld.gold
sudo GRUB_CMDLINE_LINUX_DEFAULT="kpti=0 l1tf=off pti=off spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off ssbd=force-off" grub-mkconfig -o /boot/grub/grub.cfg
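Review bot: the GRUB_CMDLINE_LINUX_DEFAULT invocation that used to close this block is replaced by a plain "sudo grub-mkconfig -o /boot/grub/grub.cfg" after genkernel, but the sentence that follows the block on the page ("Remove the above GRUB_CMDLINE_LINUX_DEFAULT="" var if security is important.") is left in place and now refers to nothing above it. Delete that sentence or point it at the new mitigations section, and note there that running this block regenerates grub.cfg without the mitigation parameters.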

Revision as of 20:27, 17 May 2019

CloverOS GNU/Linux desktop


CloverOS GNU/Linux is a minimal (middleware-free) and default out-of-the-box Gentoo image (stage4), a performance-optimized packages repo (Binhost) and the scripts that create them.

Objectives: Lowest RAM usage desktop, no changes to Gentoo and kept as default as possible, easily install any package in its ideal form with emerge, easy out-of-the-box desktop, best CFLAGS


System Requirements

x86_64 CPU that supports SSSE3 (Core 2 Duo, AMD FX and higher), 5GB of disk space, 64-128MB RAM depending on video driver

Cheat sheet

Installing program

sudo emerge filezilla

Upgrading system

sudo emerge --sync
sudo emerge -uavD @world
sudo emerge --depclean

Updating config files after upgrading system (Optional)

sudo dispatch-conf

After you run it, it will show you the changes to config files it's going to make:

q To quit without making changes

u To update and make the changes

z To zap and disregard the changes

Hit z if you're not sure or wish to keep your configuration files the same.

Controlling fvwm

Open Applications menu: right click on desktop

Move windows: alt + left click

Resize Windows: alt + right click

Open Applications menu anywhere: alt + middle click

Switch windows: alt + tab and shift + alt + tab

Switch desktops: ctrl + shift + up/down/left/right (desktops are in a 3x3 grid)

Take screenshot: Print Screen

Lock: super + L

Brightness controls: Laptop (software) Brightness up/down keys

Volume control: Laptop (software) Volume up/down keys

fvwm's settings are in


Setting default sound device


./cloveros_settings.sh 3




and hit F6 to see your audio devices. To make 1 the default device, edit


and add this:

defaults.pcm.card 1
defaults.ctl.card 1

Included software

Window manager - fvwm

Terminal - urxvt

File manager - spacefm

Wifi configuration - wpa_gui

Browser - firefox

Text editor - emacs

Graphic editor - gimp

Video player - smplayer / mpv

Image Viewer - nomacs

Archiver - xarchiver

FTP client - sshfs / curlftpfs

Torrent client - rtorrent

IRC client - weechat

Listing available packages





Web interface: https://packages.gentoo.org

List of binaries (no dependencies): https://gitgud.io/cloveros/cloveros/blob/master/binhost_settings/var/lib/portage/world

List of all binaries: https://cloveros.ga/s/packages.html

Package isn't available

Make an issue so I can add the package to binhost. In the meantime, install from source using

~/cloveros_settings.sh 5 ; sudo emerge [package] ; ~/cloveros_settings.sh 5

Switching to source

Switch to source by running

./cloveros_settings.sh 5




and edit the following lines:

EMERGE_DEFAULT_OPTS="--keep-going=y --autounmask-write=y --jobs=4 -G"


#EMERGE_DEFAULT_OPTS="--keep-going=y --autounmask-write=y --jobs=4 -G"

This disables the binhost and uses Portage's ebuilds for packages. Now you can emerge from source.


What is CloverOS?

It's a default Gentoo install with a binary packages repo. I made it to make my life easier.

How do I install systemd/avahi/pulseaudio?

Switch to source and then emerge

It hangs on boot in VirtualBox

In VirtualBox 6.x, change Graphics Controller to VBoxSVGA. This fixes the "Setting system clock using the hardware clock [UTC] ..." hang.

VirtualBox graphics adapters

Nvidia card crashes on boot with a green screen


blacklist vga16fb
blacklist nouveau
blacklist rivafb
blacklist nvidiafb
blacklist rivatv


linux   /boot/kernel-genkernel-x86_64-[ver]-gentoo root=UUID=[id] ro nomodeset nouveau.modeset=0

Using old Radeon card with new video drivers

sudo rmmod -f radeon && sudo modprobe amdgpu si_support=1

Installing proprietary Nvidia drivers

kernelversion=$(cut -d" " -f3 /proc/version | sed "s/-.*//")
kernelminorversion=$(sed "s/\.[^.]*$//" <<<$kernelversion)
sudo EMERGE_DEFAULT_OPTS="" emerge \=gentoo-sources-$kernelversion
sudo eselect kernel set linux-$kernelversion-gentoo
sudo wget https://raw.githubusercontent.com/damentz/liquorix-package/$kernelminorversion/linux-liquorix/debian/config/kernelarch-x86/config-arch-64 -O /usr/src/linux/.config
sudo emerge nvidia-drivers
sudo depmod
sudo eselect opengl set nvidia
sudo eselect opencl set nvidia
sudo sh -c 'echo -e "blacklist nouveau\nblacklist vga16fb\nblacklist rivafb\nblacklist nvidiafb\nblacklist rivatv" >> /etc/modprobe.d/blacklist.conf'



Kill X,

sudo rmmod -f nouveau vga16fb rivafb nvidiafb rivatv && sudo modprobe nvidia

and restart X

Installing bumblebee for laptops

This is for laptops that have both Intel GPU and Nvidia GPU with Optimus

sudo emerge bumblebee
sudo depmod
sudo sed -i 's/^Driver=$/Driver=nvidia/; s/^Bridge=auto$/Bridge=primus/; s/^VGLTransport=proxy$/VGLTransport=rgb/; s/^KernelDriver=$/KernelDriver=nvidia/; s/^PMMethod=auto$/PMMethod=bbswitch/; s@^LibraryPath=$@LibraryPath=/usr/lib64/opengl/nvidia/lib:/usr/lib/opengl/nvidia/lib@; s@^XorgModulePath=$@XorgModulePath=/usr/lib64/opengl/nvidia/lib,/usr/lib64/opengl/nvidia/extensions,/usr/lib64/xorg/modules/drivers,/usr/lib64/xorg/modules@' /etc/bumblebee/bumblebee.conf

Installing VirtualBox

sudo emerge virtualbox
sudo depmod
./cloveros_settings.sh 4
sudo gpasswd -a $USER vboxusers
sudo modprobe -a vboxdrv vboxnetadp vboxnetflt

Reboot if your kernel isn't up to date.

Steam stops working

Start steam with

rm -R ~/.steam/ && steam &

What are USE flags?


generally determines what your Gentoo install will look like. The first thing new Gentoo users should do is read the USE flags for their packages.


There are two types of USE flags, and they are treated equally: global and local.

Global USE flags are the ones that appear in many packages; they generally do the same thing no matter which package uses them.

Local USE flags are the ones that appear in only a few packages, so you need to check https://packages.gentoo.org to see what they do. You can also read the .ebuild to get an even better idea of what a flag does.

USE flags are basically ./configure parameters made easy.

Examples here:



What are keywording and unmasking?


See the green and the yellow? Green means you can just

emerge gimp

and get that version. But what if you want 2.9? It's keyworded, which means it isn't stable.

Gentoo Stable is using packages that aren't keyworded, as in they're tested and guaranteed to work.

Just add media-gfx/gimp to /etc/portage/package.keywords and you'll get the latest keyworded (Yellow) version.

Masked (Red) is one step beyond keywording, and the file is at /etc/portage/package.unmask

You can unmask or unkeyword a specific version by doing =media-gfx/gimp-2.9.6

Emerge error relating to openssl, fix OpenGL 3/4 not working

Add this to



dev-libs/openssl -bindist
net-misc/openssh -bindist
media-libs/mesa -bindist

GPU passthrough example

# fallocate -l 32GB drive && lspci

sudo sh -c '
devices=(01:00.0 01:00.1 00:12.0 00:12.2)

# Hand each device over to the vfio-pci driver
for devid in ${devices[@]}; do devid=0000:$devid
	echo $(</sys/bus/pci/devices/$devid/vendor) $(</sys/bus/pci/devices/$devid/device) > /sys/bus/pci/drivers/vfio-pci/new_id
	echo $devid > /sys/bus/pci/devices/$devid/driver/unbind
	echo $devid > /sys/bus/pci/drivers/vfio-pci/bind
	echo $(</sys/bus/pci/devices/$devid/vendor) $(</sys/bus/pci/devices/$devid/device) > /sys/bus/pci/drivers/vfio-pci/remove_id
done

qemu-system-x86_64 -enable-kvm -m 4G -cpu host -smp cores=8,threads=1 -vga none -display none -cdrom windows.iso -drive if=pflash,format=raw,readonly,file=/usr/share/edk2-ovmf/OVMF_CODE.fd -drive if=pflash,format=raw,file=/usr/share/edk2-ovmf/OVMF_VARS.fd -drive file=drive,format=raw $(sed "s/ / -device vfio-pci,host=/g" <<< \ ${devices[@]})

# After the VM exits, remove the devices and rescan the bus so the host sees them again
for devid in ${devices[@]}; do devid=0000:$devid
	echo 1 > /sys/bus/pci/devices/$devid/remove
	echo 1 > /sys/bus/pci/rescan
done
'

Change FVWM titlebar color

color=69aEb6; sed -i "s/\(Style \* BackColor \).*/\1#$color/; s/\(Style \* HilightBack \).*/\1#$color/; s/\(Colorset 1 bg #\)......\(.*\)/\1$color\2/" ~/.fvwm2rc && killall fvwm && fvwm &

Alternatively, replace every instance of #056839 (green) manually.

KDE theme in qt5 programs without KDE

sudo emerge qt5ct breeze
QT_QPA_PLATFORMTHEME="qt5ct" your_program

Open qt5ct and switch the style and the icon theme to Breeze.

Breeze theme

Firefox and Pulseaudio

Firefox 57+ still works with ALSA. If this changes, it will be built with apulse.

Vertical tabs in Firefox 57+


mkdir ~/.mozilla/firefox/*.default/chrome/
nano ~/.mozilla/firefox/*.default/chrome/userChrome.css
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"); /* set default namespace to XUL */
/* Hide Horizontal TAB Bar */
#TabsToolbar {
 visibility: collapse !important;
}
/* Hide White Header Tab Tree */
#sidebar-header {
 display: none;
}
Firefox vertical tabs

To have built-in tab list button available at all times:

#alltabs-button {
    visibility: visible !important;
}

Firefox configuration hardening

wget https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js -P ~/.mozilla/firefox/*.default/
sed -i "s@\(.*\"browser.pr.*\)@//\1@; s@\(.*\"privacy.sanitize.s.*\)@//\1@; s@\(.*\"privacy.clearOnShutdown.s.*\)@//\1@; s@\(.*\"signon.r.*\)@//\1@; s@\(.*\"cl.*\)@//\1@; s@\(.*\"browser.disp.*\)@//\1@" ~/.mozilla/firefox/*.default/user.js # if you require password manager/session manager/clipboard/fonts to work

More information here: https://github.com/pyllyukko/user.js/
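The sed command above comments out every line that matches one of six unanchored prefixes, so it can switch off more hardening than the four features named in its comment. The following dry run is an added example, not part of the wiki or of pyllyukko/user.js: it lists the active prefs each prefix would disable, and the function names and the sample user.js are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run audit of the page's sed command against a user.js.

# The six match prefixes from the page's sed expression, one per line.
# As in the original, "." is a regex wildcard and the match is unanchored.
PAGE_PATTERNS='"browser.pr
"privacy.sanitize.s
"privacy.clearOnShutdown.s
"signon.r
"cl
"browser.disp'

# Print "prefix<TAB>pref name" for every active (uncommented) user_pref
# line that the sed command would comment out.
relaxed_prefs() {
    printf '%s\n' "$PAGE_PATTERNS" | while IFS= read -r pat; do
        grep -e "$pat" "$1" | grep -v '^[[:space:]]*//' |
            sed -n 's/.*user_pref("\([^"]*\)".*/\1/p' |
            while IFS= read -r pref; do printf '%s\t%s\n' "$pat" "$pref"; done
    done
}

# Write the result of the page's sed expressions to stdout instead of
# editing the file in place, so it can be diffed against the original.
apply_page_sed() {
    sed 's@\(.*"browser.pr.*\)@//\1@; s@\(.*"privacy.sanitize.s.*\)@//\1@; s@\(.*"privacy.clearOnShutdown.s.*\)@//\1@; s@\(.*"signon.r.*\)@//\1@; s@\(.*"cl.*\)@//\1@; s@\(.*"browser.disp.*\)@//\1@' "$1"
}

# Constructed sample in the style of a hardened user.js (not the real file).
make_sample_userjs() {
    cat > "$1" <<'EOF'
// constructed sample for the audit example
user_pref("browser.privatebrowsing.autostart", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);
user_pref("signon.rememberSignons", false);
user_pref("clipboard.autocopy", false);
user_pref("browser.display.use_document_fonts", 0);
user_pref("network.cookie.cookieBehavior", 1);
//user_pref("signon.rememberSignons", true);
EOF
}

# Demo on the constructed sample; pass a real user.js to relaxed_prefs instead.
demo_dir=$(mktemp -d)
make_sample_userjs "$demo_dir/user.js"
echo "Prefs the sed command would disable:"
relaxed_prefs "$demo_dir/user.js"
rm -rf "$demo_dir"
```

On the sample, the "privacy.clearOnShutdown.s prefix disables both the sessions and the siteSettings pref, which is the kind of side effect worth reviewing before running the sed with -i.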

Firefox hardened user.js

Enable tap to click on touchpads

xinput set-prop "SynPS/2 Synaptics TouchPad" "libinput Tapping Enabled" 1

Disable mouse acceleration

xinput list --id-only | xargs -I{} xinput set-prop {} "libinput Accel Profile Enabled" 0 1 &>/dev/null

Suspend when laptop lid is closed

First run

emerge acpid && /etc/init.d/acpid start




#!/bin/sh
# /etc/acpi/default.sh
# Default acpi script that takes an entry for all actions

set $*

# Split the event (e.g. "button/lid LID close") into its fields
group=${1%%/*}
action=${1#*/}
device=$2
id=$3
value=$4

log_unhandled() {
	logger "ACPI event unhandled: $*"
}

case "$group" in
	button)
		case "$action" in
			lid)
				case "$id" in
					# suspend to RAM when the lid is closed
					close) echo -n mem > /sys/power/state;;
				esac
				;;

			# if your laptop doesnt turn on/off the display via hardware
			# switch and instead just generates an acpi event, you can force
			# X to turn off the display via dpms.  note you will have to run
			# 'xhost +local:0' so root can access the X DISPLAY.
			#	xset dpms force off
			#	;;

			*)	log_unhandled $* ;;
		esac
		;;

	ac_adapter)
		case "$value" in
			# Add code here to handle when the system is unplugged
			# (maybe change cpu scaling to powersave mode).  For
			# multicore systems, make sure you set powersave mode
			# for each core!
			#	cpufreq-set -g powersave
			#	;;

			# Add code here to handle when the system is plugged in
			# (maybe change cpu scaling to performance mode).  For
			# multicore systems, make sure you set performance mode
			# for each core!
			#	cpufreq-set -g performance
			#	;;

			*)	log_unhandled $* ;;
		esac
		;;

	*)	log_unhandled $* ;;
esac

Dnscrypt-proxy howto

sudo emerge dnscrypt-proxy
sudo /etc/init.d/dnscrypt-proxy start
sudo rc-config add dnscrypt-proxy
sudo sh -c 'echo "static domain_name_servers=" >> /etc/dhcpcd.conf'
sudo /etc/init.d/dhcpcd restart

Clean outdated kernels

sudo find /boot/ /lib/modules/ -mindepth 1 -maxdepth 1 -name \*gentoo\* ! -name \*$(uname -r) -exec rm -R {} \;

Sound in OBS / Open Broadcaster Software using ALSA


sudo modprobe snd_aloop

and edit the following file, replacing

device 0



with your sound device:

    pcm.!default {
      type asym
      playback.pcm "LoopAndReal"
      capture.pcm "looprec"
    }

    pcm.looprec {
        type hw
        card "Loopback"
        device 0
        subdevice 0
    }

    pcm.LoopAndReal {
      type plug
      slave.pcm mdev
      route_policy "duplicate"
    }

    pcm.mdev {
      type multi
      slaves.a.pcm pcm.MixReale
      slaves.a.channels 2
      slaves.b.pcm pcm.MixLoopback
      slaves.b.channels 2
      bindings.0.slave a
      bindings.0.channel 0
      bindings.1.slave a
      bindings.1.channel 1
      bindings.2.slave b
      bindings.2.channel 0
      bindings.3.slave b
      bindings.3.channel 1
    }

    pcm.MixReale {
      type dmix
      ipc_key 1024
      slave {
        pcm "hw:0,0"
        rate 48000
        periods 128
        period_time 0
        period_size 1024
        buffer_size 8192
      }
    }

    pcm.MixLoopback {
      type dmix
      ipc_key 1025
      slave {
        pcm "hw:Loopback,0,0"
        rate 48000
        periods 128
        period_time 0
        period_size 1024
        buffer_size 8192
      }
    }

Start playing something, then run


, then add Audio Capture Device (ALSA) to your Sources.


Bluetooth audio using ALSA

sudo emerge bluez-alsa
/etc/init.d/bluealsa start
blueman-manager &


pcm.!default {
        type bluealsa
        device "RE:PL:AC:E:TH:IS"
        profile "a2dp"
}

Install Quake 3

sudo emerge quake3
sudo wget https://github.com/nrempel/q3-server/raw/master/baseq3/pak{0..8}.pk3 -P /usr/share/games/quake3/baseq3/

What is Gentoo?

Gentoo is a meta-distro. You can make any distro you want out of it. You can have a package.use/package.keywords that makes a binary-compatible Debian or Fedora or Arch or whatever. If there's something you don't like about Gentoo, you can just edit /etc/portage/package.use. Using Gentoo is like distro-hopping around the same distro. Also, by building everything yourself, that's one less botnet. If you have a problem with a package or the package doesn't exist, just add an overlay or write an ebuild and put it in your local portage directory and emerge.

Is this an overlay?

No, this uses regular Gentoo Portage only. Same versions and USE flag options.

Benefits of Gentoo/CloverOS over other distros

No systemd, maximized CFLAGS, lower RAM usage, it's Gentoo, package versions are stable, it's as default as possible while still being easy, has Infinality, UTF-8 and user groups configured, installs in 2 minutes, saves time by doing all the little things you would've done anyway.

What is CloverOS Libre?

CloverOS Libre doesn't have the



The kernel is the same gentoo-sources with Liquorix config but with https://linux-libre.fsfla.org/pub/linux-libre/releases/5.0.8-gnu/deblob-5.0 run on it.

Turning CloverOS into CloverOS Libre

emerge -C linux-firmware

l) Update libre kernel

Reboot; Advanced options, select -gnu kernel

Turning CloverOS Libre into CloverOS

emerge linux-firmware

4) Update kernel

Reboot; Advanced options, select -gentoo kernel

Starting X automatically after login



Comment out

read -erp "Start X? [y/n] " -n 1 choice

And add in


I want to bypass the mixer to play >48KHz audio / DSD

Edit ~/.asoundrc:

pcm.!default {
  type hw
  card 0
}

Replace card 0 with your device number

Wayland howto

emerge weston
groupadd weston-launch
gpasswd -a youruser weston-launch
echo '[core]
modules=xwayland.so' >> ~/.config/weston.ini
XDG_RUNTIME_DIR=. weston-launch

Things preventing CloverOS Libre from being 100% free software:

- LiveCD kernel is taken from Gentoo, it needs to be made from scratch

- /usr/portage/ needs to be filtered to not include the .ebuilds of proprietary software, also requiring a separate Portage mirror

- It needs a cloveros.ga mirror that doesn't host the non-free software packages

Does CloverOS have binaries?

Yes. It's a pre-setup Gentoo image with

PORTAGE_BINHOST="https://cloveros.ga" emerge -G package

preset in /etc/portage/make.conf. It uses Gentoo for everything (versions, ebuilds, etc.) and gets packages from cloveros.ga instead of building them.

How often is this updated?

It's stable rolling release (Gentoo Stable). The binaries reflect current Portage (amd64) about once a week: http://twitter.com/cloveros_ga

Does everything build with those CFLAGS?

These are all the packages that don't build with the full CFLAGS: https://gitgud.io/cloveros/cloveros/blob/master/binhost_settings/etc/portage/package.env

The default shell is bash but fvwm launches urxvt -e zsh?

This is done to keep it as default as possible.

Which DE does this come with?

None, it comes with fvwm and a


that can select/install a DE for you:


Installing a DE

First, connect to wifi using wpa_gui ('wifi' in fvwm)

Kill X and re-login. After you log in and the "Start X?" dialog pops up, instead of y/n, type one of the WM options and hit y when it asks to install.

I want to donate/host a mirror


rsync -av --delete rsync://nl.cloveros.ga/cloveros /your/webserver/location/

and link me the https://

Disabling Intel mitigations for performance

sudo GRUB_CMDLINE_LINUX_DEFAULT="kpti=0 l1tf=off pti=off spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off ssbd=force-off" grub-mkconfig -o /boot/grub/grub.cfg

Make sure the computer you run this on has nothing important on it. (Dedicated gaming machines, etc.)
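The parameters above turn off the kernel's page table isolation (Meltdown), L1TF, Spectre v2 and speculative store bypass mitigations. The script below is an added example, not part of CloverOS or its scripts, that reports which of those parameters a machine was booted with and which issues the kernel itself lists as vulnerable; the function names and the sample data are constructed, and the sysfs status strings in the sample are illustrative.

```shell
#!/bin/sh
# Added example: audit CPU mitigation state from /proc/cmdline and sysfs.

# The parameters the page passes in GRUB_CMDLINE_LINUX_DEFAULT.
OFF_PARAMS="kpti=0 l1tf=off pti=off spectre_v2=off spectre_v2_user=off spec_store_bypass_disable=off ssbd=force-off"

# List which of those parameters appear in a kernel command line file.
cmdline_disables() {
    file=${1:-/proc/cmdline}
    [ -r "$file" ] || return 0
    tr -s ' \t' '\n\n' < "$file" | while IFS= read -r have; do
        for want in $OFF_PARAMS; do
            if [ "$have" = "$want" ]; then echo "$want"; fi
        done
    done
}

# List "name: status" for each sysfs entry the kernel reports as vulnerable,
# fully ("Vulnerable") or in part ("...; VMX: vulnerable").
vulnerable_entries() {
    for f in "${1:-/sys/devices/system/cpu/vulnerabilities}"/*; do
        if [ -f "$f" ]; then
            status=$(cat "$f")
            case "$status" in
                *[Vv]ulnerable*) echo "$(basename "$f"): $status" ;;
            esac
        fi
    done
}

# Print both findings; return 0 only when nothing is disabled or vulnerable.
audit() {
    disabled=$(cmdline_disables "$1")
    exposed=$(vulnerable_entries "$2")
    if [ -n "$disabled" ]; then printf 'Disabled on the command line:\n%s\n' "$disabled"; fi
    if [ -n "$exposed" ]; then printf 'Reported vulnerable by the kernel:\n%s\n' "$exposed"; fi
    [ -z "$disabled$exposed" ]
}

# Constructed sample: a machine booted with the page's parameters.
make_sample() {
    mkdir -p "$1/vulnerabilities"
    echo "root=UUID=[id] ro $OFF_PARAMS" > "$1/cmdline"
    echo "Vulnerable" > "$1/vulnerabilities/meltdown"
    echo "Vulnerable" > "$1/vulnerabilities/spectre_v2"
    echo "Vulnerable" > "$1/vulnerabilities/spec_store_bypass"
    echo "Mitigation: PTE Inversion; VMX: vulnerable" > "$1/vulnerabilities/l1tf"
    echo "Mitigation: __user pointer sanitization" > "$1/vulnerabilities/spectre_v1"
}

# Demo on the constructed sample; call "audit" with no arguments on a live system.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit "$demo_dir/cmdline" "$demo_dir/vulnerabilities" || echo "=> mitigations are reduced on this sample"
rm -rf "$demo_dir"
```

Running the audit after a kernel or GRUB update shows whether the machine is still booting with the mitigations off.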

Recompiling all packages/kernel with -march=native for performance

./cloveros_settings.sh 5
./cloveros_settings.sh c
sudo emerge -eDv --jobs=4 --keep-going=y --exclude=nodejs --exclude=qtnetwork @world

sudo emerge gentoo-sources genkernel lz4
sudo eselect kernel set 1
wget https://raw.githubusercontent.com/damentz/liquorix-package/5.0/linux-liquorix/debian/config/kernelarch-x86/config-arch-64 -O config-arch-64
wget https://raw.githubusercontent.com/graysky2/kernel_gcc_patch/master/enable_additional_cpu_optimizations_for_gcc_v8.1%2B_kernel_v4.13%2B.patch
sudo sh -c "patch -d /usr/src/linux/ -p1 < enable_additional_cpu_optimizations_for_gcc_v8.1+_kernel_v4.13+.patch" 
sed -i "s/CONFIG_GENERIC_CPU=y/CONFIG_MNATIVE=y/;" config-arch-64
sudo binutils-config --linker ld.bfd
sudo genkernel --kernel-config=config-arch-64 all
sudo grub-mkconfig -o /boot/grub/grub.cfg
sudo emerge -b @module-rebuild
sudo binutils-config --linker ld.gold

Remove the above GRUB_CMDLINE_LINUX_DEFAULT="" var if security is important.

To update the system using source:

./cloveros_settings.sh c && sudo emerge --sync && sudo emerge -uavDN world

To remove dbus:

sudo USE="-dbus" emerge -1 glib qtgui && sudo emerge --depclean

Certain packages may be from an overlay. To install, add overlays:

sudo emerge eselect-repository
sudo mkdir /etc/portage/repos.conf
sudo eselect repository enable $(grep -Po "(?<=\*/\*::).*" /etc/portage/package.mask | tr "\n" " ")
sudo emerge --sync

What if CloverOS dies? Will my install become useless?

No. Switch to source by running

./cloveros_settings.sh 5




and edit the following line:

EMERGE_DEFAULT_OPTS="--keep-going=y --autounmask-write=y --jobs=4 -G"


EMERGE_DEFAULT_OPTS="--keep-going=y --autounmask-write=y --jobs=4"

and comment out the following lines, eg:




Your system is now Gentoo Linux.

After emerge determines what it needs to install and checks dependencies, the -G switch tells emerge to check the binhost before it starts building source. Removing -G reverts to regular emerge operation. It's exactly the same as running

PORTAGE_BINHOST="https://cloveros.ga" emerge -G package

on any Gentoo install. Because it still uses Gentoo repo (versions, ebuilds), and only uses CloverOS as a binhost, you still need to run

emerge --sync

. CloverOS is a default Gentoo install with programs and with the above defaulted in


. There are also some configuration files and scripts in the user's home directory for making things easier. With those files removed, CloverOS becomes a default Gentoo install.

You can see exactly what's done here: https://gitgud.io/cloveros/cloveros/blob/master/livecd_build.sh