Difference between pages "Package:Nftables" and "GNOME First Steps"

(Difference between pages)
(Created page with "{{Ebuild |Summary=Linux kernel (3.13+) firewall, NAT and packet mangling tools |CatPkg=net-firewall/nftables |Repository=Gentoo Portage Tree }} === What is nftables? === '''nf...")
 
(GNOME 3.14 from a clean install)
 
Line 1: Line 1:
{{Ebuild
+
=== What is GNOME? ===
|Summary=Linux kernel (3.13+) firewall, NAT and packet mangling tools
+
 
|CatPkg=net-firewall/nftables
+
"GNOME 3 is an easy and elegant way to use your computer. It is designed to put you in control and bring freedom to everybody. GNOME 3 is developed by the GNOME community, a diverse, international group of contributors that is supported by an independent, non-profit foundation." — [http://gnome.org GNOME]
|Repository=Gentoo Portage Tree
+
 
 +
=== Prerequisites ===
 +
 
 +
==== From a Clean Install ====
 +
 
 +
Ensure that the [[X Window System]] is installed.
 +
 
 +
=== Preparing to emerge ===
 +
 
 +
To get your system ready to emerge gnome, first set your system flavor to desktop, and enable the gnome profile mix-in. To accomplish this, do the following:
 +
{{console|recipe=setup,setup-light|desc=Set profile|body=
 +
# ##i##eselect profile set-flavor funtoo/1.0/linux-gnu/flavor/desktop
 +
# ##i##eselect profile add funtoo/1.0/linux-gnu/mix-ins/gnome
 
}}
 
}}
=== What is nftables? ===
 
'''nftables''' is the successor to [[iptables]]. It replaces the existing iptables, ip6tables, arptables and ebtables framework. It uses the Linux kernel and a new userspace utility called nft. nftables provides a compatibility layer for the ip(6)tables and framework.
 
  
==Introduction==
+
By enabling the gnome mix-in, various USE and other settings will be optimized to provide you with a pain-free GNOME installation experience.
As with the iptables framework, nftables is build upon rules which specify the actions. These rules are attached to chains. A chain can contain a collection of rules and is registered into the netfilter hooks. Chains are stored inside tables. A table is specific for one of the layer 3 protocols. One of the main differences with iptables is that there are no predefined tables and chains anymore.
+
  
===Tables===
+
=== Emerging ===
A table is nothing more than a container for your chains. With nftables there are no predefined tables (filter, raw, mangle...) anymore. You are free to recreate the iptables-like structure, but anything might do.
+
Currently there are 5 different families of tables:
+
* '''ip''': Used for IPv4 related chains;
+
* '''ip6''': Used for IPv6 related chains;
+
* '''arp''': Used for ARP related chains;
+
* '''bridge''': Used for bridging related chains;
+
* '''inet''': Mixed ipv4/ipv6 chains (kernel 3.14 and up).
+
  
It is not hard to recognize the old tables framework in these tables. The only new one is the inet table which is used for both IPv4 and IPv6 traffic. It should make firewalling for dual-stack hosts easier by combining the rules for IPv4 and IPv6.
+
You are provided with two packages that will pull in this desktop environment:
  
===Chains===
+
* ''gnome''
Chains are used to group together rules. As with the tables, nftables does not have any predefined chains. Chains are grouped in base and non-base types. Base chains are registered in one of the netfilter hooks. A base chain has a hook its registered with, a type and a priority.  Non-base chains are not attached to a hook and they don't see any traffic by default. They can be used to arrange a rule-set in a tree of chains.
+
There are currently three types of chains:
+
* '''filter''': for filtering packets
+
* '''route''': for rerouting packets
+
* '''nat''': for performing Network Address Translation. Only the first packet of a flow hits this chain, making it impossible to use it for filtering.
+
The hooks that can be used are:
+
* '''prerouting''': This is before the routing decision, all packets entering the machine hits this chain
+
* '''input''': All packets for the local system hits this hook
+
* '''forward''': Packets not for the local system, those that need to be forwarded hits this hook
+
* '''output''': Packets that originate from the local system pass this hook
+
* '''postrouting''': This hook is after the routing decision, all packets leaving the machine hits this chain
+
{{Note|The ARP address family only supports the input and output hook}}
+
{{Note|The bridge address family only seems to supports the input, forward and output hook}}
+
  
===Rules===
+
{{fancynote|This is the "whole shabang" - pulls in a range of applications made for the gnome desktop environment including a few games, an archive manager, a system monitor, a web browser, a terminal, etc.}}
Rules specify which action has to be taken for which packets. Rules are attached to chains. Each rule can has an expression to match packets with and one or multiple actions when matching. Main differences with iptables is that it is possible to specify multiple actions and that by default counters are off. It must be specified explicitly in rules if you want packet- and byte-counters for a rule.
+
Each rule has a unique handle number by which it can be distinguished.
+
The following matches are available:
+
* '''ip''': IP protocol
+
* '''ip6''': IPv6 protocol
+
* '''tcp''': TCP protocol
+
* '''udp''': UDP protocol
+
* '''udplite''': UDP-lite protocol
+
* '''sctp''': SCTP protocol
+
* '''dccp''': DCCP protocol
+
* '''ah''': Authentication headers
+
* '''esp''': Encrypted security payload headers
+
* '''ipcomp''': IPcomp headers
+
* '''icmp''': icmp protocol
+
* '''icmpv6''': icmpv6 protocol
+
* '''ct''': Connection tracking
+
* '''meta''': meta properties such as interfaces
+
  
====Matches====
+
* ''gnome-light''
{|class=wikitable
+
| Match
+
| Arguments
+
| Description/Example
+
|-
+
| rowspan="11" | '''ip'''
+
| version
+
| Ip Header version
+
|-
+
| hdrlength
+
| IP header length
+
|-
+
| tos
+
|Type of Service
+
|-
+
| length
+
| Total packet length
+
|-
+
| id
+
| IP ID
+
|-
+
| frag-off
+
| Fragmentation offset
+
|-
+
| ttl
+
| Time to live
+
|-
+
| protocol
+
| Upper layer protocol
+
|-
+
| checksum
+
| IP header checksum
+
|-
+
| saddr
+
| Source address
+
|-
+
| daddr
+
| Destination address
+
|-
+
| rowspan="8" | '''ip6'''
+
| version
+
| IP header version
+
|-
+
| priority
+
|
+
|-
+
| flowlabel
+
| Flow label
+
|-
+
| length
+
| Payload length
+
|-
+
| nexthdr
+
| Next header type (Upper layer protocol number)
+
|-
+
| hoplimit
+
| Hop limit
+
|-
+
|saddr
+
| Source Address
+
|-
+
|daddr
+
| Destination Address
+
|-
+
| rowspan="9" | '''tcp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| Destination port
+
|-
+
| sequence
+
| Sequence number
+
|-
+
| ackseq
+
| Acknowledgement number
+
|-
+
| doff
+
| Data offset
+
|-
+
| flags
+
| TCP flags
+
|-
+
| window
+
| Window
+
|-
+
| checksum
+
| Checksum
+
|-
+
| urgptr
+
| Urgent pointer
+
|-
+
| rowspan="4" | '''udp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| length
+
| Total packet length
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="4" | '''udplite'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| cscov
+
| Checksum coverage
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="4" |'''sctp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
|vtag
+
|Verification tag
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="2" |'''dccp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| rowspan="4" |'''ah'''
+
| nexthdr
+
| Next header protocol (Upper layer protocol)
+
|-
+
| hdrlength
+
| AH header length
+
|-
+
| spi
+
| Security Parameter Index
+
|-
+
| sequence
+
| Sequence Number
+
|-
+
| rowspan="2" | '''esp'''
+
| spi
+
| Security Parameter Index
+
|-
+
| sequence
+
| Sequence Number
+
|-
+
| rowspan="3" | '''ipcomp'''
+
| nexthdr
+
| Next header protocol (Upper layer protocol)
+
|-
+
| flags
+
| Flags
+
|-
+
| cfi
+
| Compression Parameter Index
+
|-
+
| '''icmp'''
+
| type
+
| icmp packet type
+
|-
+
| '''icmpv6'''
+
| type
+
| icmpv6 packet type
+
|-
+
|rowspan="12"|'''ct'''
+
|state
+
|State of the connection
+
|-
+
|direction
+
|Direction of the packet relative to the connection
+
|-
+
|status
+
|Status of the connection
+
|-
+
|mark
+
|Connection mark
+
|-
+
|expiration
+
|Connection expiration time
+
|-
+
|helper
+
|Helper associated with the connection
+
|-
+
|l3proto
+
|Layer 3 protocol of the connection
+
|-
+
|saddr
+
|Source address of the connection for the given direction
+
|-
+
|daddr
+
|Destination address of the connection for the given direction
+
|-
+
|protocol
+
|Layer 4 protocol of the connection for the given direction
+
|-
+
|proto-src
+
|Layer 4 protocol source for the given direction
+
|-
+
|proto-dst
+
|Layer 4 protocol destination for the given direction
+
|-
+
| rowspan="13" | '''meta'''
+
| length
+
| Length of the packet in bytes: ''meta length > 1000''
+
|-
+
| protocol
+
| ethertype protocol: ''meta protocol vlan''
+
|-
+
| priority
+
| TC packet priority
+
|-
+
| mark
+
| Packet mark
+
|-
+
| iif
+
| Input interface index
+
|-
+
| iifname
+
| Input interface name
+
|-
+
| iiftype
+
| Input interface type
+
|-
+
| oif
+
| Output interface index
+
|-
+
| oifname
+
| Output interface name
+
|-
+
| oiftype
+
| Output interface hardware type
+
|-
+
| skuid
+
| UID associated with originating socket
+
|-
+
| skgid
+
| GID associated with originating socket
+
|-
+
| rtclassid
+
| Routing realm
+
|-
+
|}
+
====Statements====
+
Statements represent the action to be performed when the rule matches. They exist in two kinds: Terminal statements, unconditionally terminate the evaluation of the current rules and non-terminal statements that either conditionally or never terminate the current rules. There can be an arbitrary amount of non-terminal statements, but there must be only a single terminal statement.
+
The terminal statements can be:
+
* '''accept''': Accept the packet and stop the ruleset evaluation.
+
* '''drop''': Drop the packet and stop the ruleset evaluation.
+
* '''reject''': Reject the packet with an icmp message
+
* '''queue''': Queue the packet to userspace and stop the ruleset evaluation.
+
* '''continue''':
+
* '''return''': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
+
* '''jump <chain>''': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
+
* '''goto <chain>''': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement
+
  
== Installing nftables ==
+
{{fancynote|As the name implies, this pulls in the base minimal you need to get a functioning GNOME Desktop Environment.}}
=== Kernel ===
+
These kernel options must be set:
+
  
[*] Networking support  --->
+
==== GNOME 3.14 from a clean install ====
    Networking options  --->
+
        [*] Network packet filtering framework (Netfilter)  --->
+
            Core Netfilter Configuration  --->
+
                <M> Netfilter nf_tables support
+
                <M>  Netfilter nf_tables IPv6 exthdr module
+
                <M>  Netfilter nf_tables meta module
+
                <M>  Netfilter nf_tables conntrack module
+
                <M>  Netfilter nf_tables rbtree set module
+
                <M>  Netfilter nf_tables hash set module
+
                <M>  Netfilter nf_tables counter module
+
                <M>  Netfilter nf_tables log module
+
                <M>  Netfilter nf_tables limit module
+
                <M>  Netfilter nf_tables nat module
+
                <M>  Netfilter x_tables over nf_tables module
+
            IP: Netfilter Configuration  --->
+
                <M> IPv4 nf_tables support
+
                <M>  nf_tables IPv4 reject support
+
                <M>  IPv4 nf_tables route chain support
+
                <M>  IPv4 nf_tables nat chain support
+
            IPv6: Netfilter Configuration  --->
+
                <M> IPv6 nf_tables support
+
                <M>  IPv6 nf_tables route chain support
+
                <M>  IPv6 nf_tables nat chain support
+
            <M>  Ethernet Bridge nf_tables support
+
  
=== Emerging ===
+
===== gnome =====
To install nftables, run the following command:
+
<console>
+
###i## emerge net-firewall/nftables
+
</console>
+
  
 +
To emerge ''gnome'' run the following command
  
== OpenRC configuration ==
+
{{console|desc=Emerging GNOME|body=
Don't forget to add nftables service to startup:
+
# ##i## emerge gnome
<console>
+
}}
###i## rc-update add nftables default
+
</console>
+
  
You cannot use iptables and nft to perform NAT at the same time. So make sure that the iptable_nat module is unloaded. Remove iptables_nat module:
+
===== gnome-light =====
<console>
+
###i## rmmod iptable_nat
+
</console>
+
  
Start nftables:
+
To emerge ''gnome-light'' run the following command
<console>
+
###i## /etc/init.d/nftables start
+
</console>
+
  
 +
{{console|recipe=setup-light|desc=Emerging a minimal GNOME environment (alternative)|body=
 +
# ##i## emerge gnome-light
 +
}}
  
== Using nftables ==
+
==== Upgrading from GNOME 3.12 ====
All nftable commands are done with the nft ultility from {{Package|net-firewall/nftables}}.
+
===Tables===
+
====Creating tables====
+
The following command adds a table called filter for the ip(v4) layer
+
<console>
+
###i## nft add table ip filter
+
</console>
+
Likewise a table for arp can be created with
+
<console>
+
###i## nft add table arp filter
+
</console>
+
{{Note|The name "filter" used here is completly arbitrary. It could have any name}}
+
====Listing tables====
+
The following command lists all tables for the ip(v4) layer
+
<console>
+
###i## nft list tables ip
+
</console>
+
<pre>
+
table filter
+
</pre>
+
The contents of the table filter can be listed with:
+
<console>
+
###i## nft list table ip filter
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                ct state established,related accept
+
                iifname "lo" accept
+
                ip protocol icmp accept
+
                drop
+
        }
+
}
+
</pre>
+
using -a with the nft command, it shows the handle of each rule. Handles are used for various operations on specific rules:
+
<console>
+
###i## nft -a list table ip filter
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                ct state established,related accept # handle 2
+
                iifname "lo" accept # handle 3
+
                ip protocol icmp accept # handle 4
+
                drop # handle 5
+
        }
+
}
+
</pre>
+
  
====Deleting tables====
+
To update either ''gnome'' or ''gnome-light'' run the following command:
The following command deletes the table called filter for the ip(v4) layer:
+
<console>
+
###i## nft delete table ip filter
+
</console>
+
===chains===
+
====Adding chains====
+
The following command adds a chain called input to the ip filter table and registered to the input hook with priority 0. It is of the type filter.
+
<console>
+
###i## nft add chain ip filter input { type filter hook input priority 0 \; }
+
</console>
+
{{Note|If You're running this command from Bash you need to escape the semicolon}}
+
A non-base chain can be added by not specifying the chain configurations between the curly braces.
+
  
====Removing chains====
+
{{console|body=
The following command deletes the chain called input
+
# ##i## emerge -vauDN world
<console>
+
}}
###i## nft delete chain ip filter input
+
=== Subsystems ===
</console>
+
{{Note|Chains can only be deleted if there are no rules in them.}}
+
===rules===
+
====Adding rules====
+
The following command adds a rule to the chain called input, on the ip filter table, dropping all traffic to port 80:
+
<console>
+
###i## nft add rule ip filter input tcp dport 80 drop
+
</console>
+
====Deleting Rules====
+
To delete a rule, you first need to get the handle number of the rule. This can be done by using the -a flag on nft:
+
<console>
+
###i## nft  rule ip filter input tcp dport 80 drop
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                tcp dport http drop # handle 2
+
        }
+
}
+
</pre>
+
It is then possible to delete the rule with:
+
<console>
+
###i## nft delete rule ip filter input handle 2
+
</console>
+
== Management ==
+
=== Backup ===
+
You can also backup your rules:
+
<console>
+
###i## echo "nft flush ruleset" > backup.nft
+
</console>
+
  
<console>
+
==== Bluetooth ====
###i## nft list ruleset >> backup.nft
+
 
</console>
+
For bluetooth support, ensure that:
 +
 
 +
# Bluetooth support is enabled in your kernel (using modules is fine).
 +
# Your bluetooth hardware is turned on.
 +
# Add the <code>bluetooth</code> startup script to the default runlevel, and start it.
 +
 
 +
This can be done as follows:
  
=== Restoration ===
 
And load it atomically:
 
 
<console>
 
<console>
###i## nft -f backup.nft
+
# ##i##rc-update add bluetooth default
 +
# ##i##rc
 
</console>
 
</console>
  
== OpenRC configuration ==  
+
Once this is done, you should now be able to navigate to ''Settings'' -> ''Bluetooth'' and turn bluetooth on. The icon next to devices should now animate and you should be able to discover and add devices such as keyboards.
 +
 
 +
{{Note|1=
 +
Additional kernel drivers may need to be enabled for certain input devices. For example, for the bluetooth Apple Magic Trackpad, the following option must be enabled in your kernel:
 +
 
 +
{{kernelop|title=Device Drivers,HID support,HID bus support,Special HID drivers|desc=
 +
<M> Apple Magic Mouse/Trackpad multi-touch support
 +
}}}}
 +
 
 +
==== Printing ====
 +
 
 +
To enable printing support, add <code>cupsd</code> to the default runlevel:
  
Don't forget to add nftables service to startup:
 
 
<console>
 
<console>
###i## rc-update add nftables default
+
# ##i##rc-update add cupsd default
 +
# ##i##rc
 
</console>
 
</console>
== Init script - firewall nftables like a firewall iptables ==
 
<pre>
 
#!/sbin/runscript
 
#      Raphael Bastos aka coffnix        #
 
#      Init Script for Funtoo Linux      #
 
##########################################
 
  
depend() {
+
You should now be able to navigate to ''Settings'' -> ''Printers'' and add printers to your system, and print.
        need net
+
        need nftables
+
        }
+
  
start(){
+
==== Scanning ====
##################### PARTE 1 #####################
+
ebegin "Starting Firewall NFTables"
+
  
#######################################################################
+
To enable scanning support, add your user account to the <code>lp</code> group. This will allow your user to access the USB scanner.
### Incompatibilities ###
+
# You cannot use iptables and nft to perform NAT at the same time. So make sure that the iptable_nat module is unloaded
+
rmmod iptable_nat
+
  
#######################################################################
+
Then, <code>emerge xsane</code>, and run it. It should be able to access your scanner.
  
echo 1 > /proc/sys/net/ipv4/ip_forward
+
=== Finishing Touches ===
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
+
  
#######################################################################
+
==== X ====
  
iptables -t nat -F
+
===== Setting up xdm (GUI log-in) =====
  
#######################################################################
+
Typically, you will want to use <code>gdm</code>, the GNOME display manager, to log in to GNOME. This will allow you to log in graphically, rather than using the text console.
  
# ipv4
+
To enable gdm, edit <code>/etc/conf.d/xdm</code> and set <code>DISPLAYMANAGER</code> to <code>gdm</code> instead of <code>xdm</code>. Then, perform the following steps to add <code>xdm</code> to the default runlevel, and have it start automatically from now on when your system starts:
nft -f /etc/nftables/ipv4-filter
+
  
# ipv4 nat
+
{{Note|Funtoo's <code>/etc/init.d/xdm</code> initscript has been modified to start the requisite services <code>dbus</code>, <code>openrc-settingsd</code> and <code>consolekit</code> prior to starting <code>gdm</code>.}}
nft -f /etc/nftables/ipv4-nat
+
  
# ipv6
+
{{console|recipe=setup|desc=Enable the GNOME display manager|body=
nft -f /etc/nftables/ipv6-filter
+
# ##i## rc-update add xdm default
 +
}}
  
# Rules firewall NTFtables
+
Then, if you want to start it now do:
nft -f /etc/nftables/firewall.rules
+
  
#######################################################################
+
{{console|body=
 +
# ##i##rc
 +
}}
  
}
+
But you should reboot to avoid having an open login terminal.
  
stop(){
+
===== Setting up xinitrc (text log-in) =====
ebegin "Stoping Firewall NFTables"
+
  
#######################################################################
+
Adding the following to your <code>~/.xinitrc</code> file is sufficient:
  
#iptables -t nat -F
+
<pre>
NFT=nft
+
# Fix Missing Applications in Gnome
FAMILIES="ip ip6 arp bridge"
+
export XDG_MENU_PREFIX=gnome-
  
for FAMILY in $FAMILIES; do
+
# Properly Launch the Desired X Session
  TABLES=$($NFT list tables $FAMILY | grep "^table\s" | cut -d' ' -f2)
+
exec ck-launch-session gnome-session
 +
</pre>
  
  for TABLE in $TABLES; do
+
Additionaly, if you need support for different input sources, there is no longer a need to configure IBus or SCIM in your <code>.xinitrc</code> file as GNOME uses IBus natively. Simply configure it in the Control Center under Region & Language.
    CHAINS=$($NFT list table $FAMILY $TABLE | grep "^\schain\s" | cut -d' ' -f2)
+
  
    for CHAIN in $CHAINS; do
+
=== Automatically Starting Applications at Login ===
      echo "Flushing chain: $FAMILY->$TABLE->$CHAIN"
+
      $NFT flush chain $FAMILY $TABLE $CHAIN
+
      $NFT delete chain $FAMILY $TABLE $CHAIN
+
    done
+
  
    echo "Flushing table: $FAMILY->$TABLE"
+
When using an old-fashioned <code>.xinitrc</code>, starting up applications when X starts is relatively easy. When using GDM, this can still be accomplished, by using the <code>~/.xprofile</code> file. Here's my sample <code>.xprofile</code> to start <code>xflux</code> to dim the screen at night:
    $NFT flush table $FAMILY $TABLE
+
    $NFT delete table $FAMILY $TABLE
+
  done
+
done
+
}
+
  
status(){
+
<pre>
nft list ruleset
+
xflux -z 87107
}
+
 
+
# End
+
 
</pre>
 
</pre>
  
[[Category:System]]
+
{{Note|Remember to add a <code>&</code> at the end of any command that doesn't return to the shell prompt after running.}}
 +
 
 +
=== games ===
 +
Gnome has several games that can be added on to your install.  By default most games are not included in gnome's emerge.
 +
 
 +
Users wishing to play games need to be added to the games group:
 +
{{console|body=###i## gpasswd -a $USER games}}
 +
 
 +
game list:
 +
;gnome-sudoku
 +
;gnome-mastermind
 +
;gnome-nibbles
 +
;gnome-robots
 +
;gnome-chess
 +
;gnome-hearts
 +
;gnome-mahjongg
 +
;gnome-mines
 +
;gnome-klotski
 +
;gnome-tetravex
 +
 
 +
game system emulators:
 +
 
 +
;gnomeboyadvance
 +
;gnome-mud
 +
 
 +
=== Significant Known Issues (Workarounds Available) ===
 +
 
 +
[https://bugs.funtoo.org/browse/FL-1678 FL-1678]: Bluetooth interface gives wrong pairing key
 +
 
 +
[https://bugs.funtoo.org/browse/FL-1687 FL-1687]: Wallpaper corruption when resuming from suspend
 +
 
 +
[[Category:Desktop]]
 
[[Category:First Steps]]
 
[[Category:First Steps]]
{{EbuildFooter}}
+
[[Category:Official Documentation]]

Revision as of 17:45, February 22, 2015

What is GNOME?

"GNOME 3 is an easy and elegant way to use your computer. It is designed to put you in control and bring freedom to everybody. GNOME 3 is developed by the GNOME community, a diverse, international group of contributors that is supported by an independent, non-profit foundation." — GNOME

Prerequisites

From a Clean Install

Ensure that the X Window System is installed.

Preparing to emerge

To get your system ready to emerge gnome, first set your system flavor to desktop, and enable the gnome profile mix-in. To accomplish this, do the following:

# eselect profile set-flavor funtoo/1.0/linux-gnu/flavor/desktop
# eselect profile add funtoo/1.0/linux-gnu/mix-ins/gnome

Console: Set profile{{#subobject:|step=|stepCount=1|In recipe=setup,setup-light|+sep=,|action=runcmd|body=# ##i##eselect profile set-flavor funtoo/1.0/linux-gnu/flavor/desktop

  1. ##i##eselect profile add funtoo/1.0/linux-gnu/mix-ins/gnome}}

By enabling the gnome mix-in, various USE and other settings will be optimized to provide you with a pain-free GNOME installation experience.

Emerging

You are provided with two packages that will pull in this desktop environment:

  • gnome
Note

This is the "whole shabang" - pulls in a range of applications made for the gnome desktop environment including a few games, an archive manager, a system monitor, a web browser, a terminal, etc.

  • gnome-light
Note

As the name implies, this pulls in the base minimal you need to get a functioning GNOME Desktop Environment.

GNOME 3.14 from a clean install

gnome

To emerge gnome run the following command

#  emerge gnome

Console: Emerging GNOME

gnome-light

To emerge gnome-light run the following command

#  emerge gnome-light

Console: Emerging a minimal GNOME environment (alternative){{#subobject:|step=|stepCount=2|In recipe=setup-light|+sep=,|action=runcmd|body=# ##i## emerge gnome-light}}

Upgrading from GNOME 3.12

To update either gnome or gnome-light run the following command:

#  emerge -vauDN world

Subsystems

Bluetooth

For bluetooth support, ensure that:

  1. Bluetooth support is enabled in your kernel (using modules is fine).
  2. Your bluetooth hardware is turned on.
  3. Add the bluetooth startup script to the default runlevel, and start it.

This can be done as follows:

# rc-update add bluetooth default
# rc

Once this is done, you should now be able to navigate to Settings -> Bluetooth and turn bluetooth on. The icon next to devices should now animate and you should be able to discover and add devices such as keyboards.

Note

Additional kernel drivers may need to be enabled for certain input devices. For example, for the bluetooth Apple Magic Trackpad, the following option must be enabled in your kernel:

Under Device Drivers-->HID support-->HID bus support-->Special HID drivers:

<M> Apple Magic Mouse/Trackpad multi-touch support

Printing

To enable printing support, add cupsd to the default runlevel:

# rc-update add cupsd default
# rc

You should now be able to navigate to Settings -> Printers and add printers to your system, and print.

Scanning

To enable scanning support, add your user account to the lp group. This will allow your user to access the USB scanner.

Then, emerge xsane, and run it. It should be able to access your scanner.

Finishing Touches

X

Setting up xdm (GUI log-in)

Typically, you will want to use gdm, the GNOME display manager, to log in to GNOME. This will allow you to log in graphically, rather than using the text console.

To enable gdm, edit /etc/conf.d/xdm and set DISPLAYMANAGER to gdm instead of xdm. Then, perform the following steps to add xdm to the default runlevel, and have it start automatically from now on when your system starts:

Note

Funtoo's /etc/init.d/xdm initscript has been modified to start the requisite services dbus, openrc-settingsd and consolekit prior to starting gdm.

#  rc-update add xdm default

Console: Enable the GNOME display manager{{#subobject:|step=|stepCount=3|In recipe=setup|+sep=,|action=runcmd|body=# ##i## rc-update add xdm default}}

Then, if you want to start it now do:

# rc


But you should reboot to avoid having an open login terminal.

Setting up xinitrc (text log-in)

Adding the following to your ~/.xinitrc file is sufficient:

# Fix Missing Applications in Gnome
export XDG_MENU_PREFIX=gnome-

# Properly Launch the Desired X Session
exec ck-launch-session gnome-session

Additionaly, if you need support for different input sources, there is no longer a need to configure IBus or SCIM in your .xinitrc file as GNOME uses IBus natively. Simply configure it in the Control Center under Region & Language.

Automatically Starting Applications at Login

When using an old-fashioned .xinitrc, starting up applications when X starts is relatively easy. When using GDM, this can still be accomplished, by using the ~/.xprofile file. Here's my sample .xprofile to start xflux to dim the screen at night:

xflux -z 87107
Note

Remember to add a & at the end of any command that doesn't return to the shell prompt after running.

games

Gnome has several games that can be added on to your install. By default most games are not included in gnome's emerge.

Users wishing to play games need to be added to the games group:

# gpasswd -a $USER games


game list:

gnome-sudoku
gnome-mastermind
gnome-nibbles
gnome-robots
gnome-chess
gnome-hearts
gnome-mahjongg
gnome-mines
gnome-klotski
gnome-tetravex

game system emulators:

gnomeboyadvance
gnome-mud

Significant Known Issues (Workarounds Available)

FL-1678: Bluetooth interface gives wrong pairing key

FL-1687: Wallpaper corruption when resuming from suspend