二进制包指南

From Gentoo Wiki
Jump to:navigation Jump to:search
This page is a translated version of the page Binary package guide and the translation is 25% complete.
Outdated translations are marked like this.

除了支持常规的 ebuild 之外, Portage 还支持构建、安装二进制包。 本指南将解释如何创建、安装二进制包,以及如何配置一个二进制包服务器。

This guide will focus on binary package use, creation, distribution, and maintenance, and a few more advanced topics on dealing with binary packages will be covered near the end.

另请参阅
See the binary package quickstart article for information on using pre-built binary packages from the Gentoo binary package host.
附注
除非另行指出,本指南中使用的所有的工具都是 sys-apps/portage 的组成部分。

系统管理员喜欢在 Gentoo 中使用二进制软件包是有很多原因的。

  1. 它允许管理员 当保持相似的系统最新时能节省时间。从源代码编译所有东西是很耗费时间的。维护许多相似的系统,可能其中的一些硬件较老,如果一个系统将所有东西从源代码编译好,其他系统使用这些二进制包,工作就会变得轻松。
  2. 执行安全升级。对于关键任务系统来说,保持尽可能大的 可用性 是很重要的。这可以通过一台预备服务器来实现,它首先自己执行所有的更新。一旦预备服务器更新后状态良好,那么更新可以被应用到关键系统上。这种方法的一个变形是在同一个系统的一个 chroot 中执行更新,并且在真正的系统中使用所创建的二进制包。
  3. 作为一个备份。通常二进制包是恢复一个受损系统的唯一方法(例如编译器受损)。拥有一台二进制包服务器上的或者本地的预编译二进制包,对于工具链受损的情况有很大的帮助。
  4. 它也支持 更新非常旧的系统。更新非常旧的系统这项任务可以通过使用二进制包来大大减轻。通常在旧的系统上安装二进制包利大于弊,因为它们不需要安装/更新构建时依赖。因为二进制包是预编译的,这也避免了在构建过程中发生失败。

Binary package formats

Two binary package formats for use in Gentoo exist, XPAK and GPKG. Starting with v3.0.31, Portage supports the new binary package format GPKG. The GPKG format solves issues with the legacy XPAK format and offers the benefit of new features, however it is not backward compatible with the legacy XPAK format.

System administrators using older versions of Portage (<=v3.0.30) should continue to use the legacy XPAK format, which is Portage's default setting on those versions.

Motivation for the newer GPKG format design can be found in GLEP 78: Gentoo binary package container format. Bugs bug #672672 and bug #820578 also provide helpful details.

To instruct Portage to use the GPKG format, change the BINPKG_FORMAT value in /etc/portage/make.conf. Note that current versions of Portage use gpkg by default.

文件 /etc/portage/make.confSpecify GPKG binary package format
BINPKG_FORMAT="gpkg"

This guide mostly applies to both formats; where this is not the case it will be noted. See the Understanding the binary package format section for technical details on the binary package formats themselves.

使用二进制包

General prerequisites

要在其他系统使用二进制包,需要满足一些条件:

  • 客户机和服务器的架构以及CHOST关键字的设置必须是一致的。
  • 用来创建二进制包的CFLAGSCXXFLAGS两个参数的设置必须和所有的客户机兼容。
  • 针对处理器特定指令集的USE设置(如MMX,SSE等)要仔细选择,以保证所有的客户机都支持这些功能。
附注
Binary packages that are distributed as part of Gentoo's official Binhost project use a minimum instruction set and conservative compiler settings in order to be as widely usable as possible. By way of example, amd64 keyworded packages are built with -march=x86-64 -mtune=generic, which works for any machine which runs the x86-64 (amd64) instruction set.
重要
Portage不会验证是否满足上述条件,因为维护这些设置是系统管理员的职责。

Handling *FLAGS in detail

The app-misc/resolve-march-native utility can be used to find a subset of CFLAGS that is supported by both the server and client(s). For example, the host might return:

user $resolve-march-native
 -march=skylake -mabm -mrtm --param=l1-cache-line-size=64 --param=l1-cache-size=32 --param=l2-cache-size=12288 

While the client might return:

user $resolve-march-native
 -march=ivybridge -mno-rdrnd --param=l1-cache-line-size=64 --param=l1-cache-size=32 --param=l2-cache-size=3072 

In this example CFLAGS could be set to -march=ivybridge -mno-rdrnd since -march=ivybridge is a full subset of -march=skylake. -mabm and -mrtm are not included as these are not supported by the client. However, -mno-rdrnd is included as the client does not support -mrdrnd. To find which -march's are subsets of others, check the gcc manual, if there is no suitable subset set e.g. -march=x86-64.

Optionally, it is also possible to set -mtune=some-arch or -mtune=native to tell gcc to tune code to a specific arch. In contrast to -march, the -mtune argument does not prevent code from being executed on other processors. For example, to compile code which is compatible with ivybridge and up but is tuned to run best on skylake set CFLAGS to -march=ivybridge -mtune=skylake. When -mtune is not set it defaults to whatever -march is set to.

When changing -march to a lower subset for using binary packages on a client, a full recompilation is required to make sure that all binaries are compatible with the client's processor, to save time packages that are not compiled with e.g. gcc/clang can be excluded:

user $emerge -e @world --exclude="acct-group/* acct-user/* virtual/* app-eselect/* sys-kernel/* sys-firmware/* dev-python/* dev-java/* dev-ruby/* dev-perl/* dev-lua/* dev-php/* dev-tex/* dev-texlive/* x11-themes/* */*-bin"

Similarly, app-portage/cpuid2cpuflags can be used to find a suitable subset of processor specific instruction set USE flags. For example, the host might return:

user $cpuid2cpuflags
 CPU_FLAGS_X86: aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3 

While the client might return:

user $cpuid2cpuflags
 CPU_FLAGS_X86: avx f16c mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3 

In this example CPU_FLAGS_X86 can be set to avx f16c mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3 in /etc/portage/make.conf because these flags are supported by both the client and the host

除了这些,Portage将检查创建二进制包时是否用和客户机一样的USE设置。如果二进制包是用不同的USE设置来创建的,Portage将忽略这个二进制包(改为使用基于源代码的方式进行安装)或者提示安装失败,取决于运行emerge命令时所带的选项(参看安装二进制包)。

为了使用二进制包,在客户机上有几个配置需要更改。

安装二进制包

在运行 emerge 命令时有几个选项可以用于告诉 Portage 使用二进制包:

选项 描述
---usepkg (-k) 尝试使用位于本地可用packages目录的二进制包。适用于用NFS或者SSHFS方式来挂载二进制包主机的场景。如果找不到相应的二进制包,就使用常规的方式(基于源代码)进行安装。
--usepkgonly (-K) --usepkg (-k)类似,但当找不到二进制包的时候提示失败。这个选项适用于只使用“预创建”二进制包的场景。
--getbinpkg (-g) 从远程二进制包主机下载二进制包。如果找不到相应的二进制包,就使用常规的方式(基于源代码)进行安装。
--getbinpkgonly (-G) --getbinpkg (-g)类似,但在下载不到二进制包的时候提示失败。这个选项适用于只使用“预创建”二进制包的场景。

| --usepkg (-k) || Tries to use the binary package(s) in the locally available packages directory. Useful when using NFS or SSHFS mounted binary package hosts. If the binary packages are not found, a regular (source-based) installation will be performed. |-

| --usepkgonly (-K) || Similar to --usepkg (-k) but fail if the binary package cannot be found. This option is useful if only pre-built binary packages are to be used. |-

| --getbinpkg (-g) || Download the binary package(s) from a remote binary package host. If the binary packages are not found, a regular (source-based) installation will be performed. |-

| --getbinpkgonly (-G) || Similar to --getbinpkg (-g) but will fail if the binary package(s) cannot be downloaded. This option is useful if only pre-built binary packages are to be used. |-

|}

为了自动使用二进制包进行安装,可以在EMERGE_DEFAULT_OPTS变量增加适当的选项:

文件 /etc/portage/make.conf自动下载二进制包,二进制包不存在的时候提示失败
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --getbinpkgonly"

有一个Portage功能特性可以自动实现和--getbinpkg (-g)一样的作用,而不用通过--getbinpkg的值来更改EMERGE_DEFAULT_OPTS变量。

文件 /etc/portage/make.confFEATURES变量中打开getbinpkg功能特性
FEATURES="getbinpkg"

Verify binary package OpenPGP signatures

重要
OpenPGP signing and verification is only available for the GPKG binpkg format.

Portage will try to verify the binary package's signature whenever possible, but users must first set up trusted local keys. app-portage/getuto can be used to set up a local trust anchor and update the keys in /etc/portage/gnupg. Portage calls getuto automatically with --getbinpkg or --getbinpkgonly.

This configures portage such that it trusts the Gentoo Release Engineering keys as also contained in the package sec-keys/openpgp-keys-gentoo-release for binary installation purposes.

Changes to the configuration can be done as root using gpg with the parameter --homedir=/etc/portage/gnupg. This way allows importing additional signing keys (e.g. for non-standard installation sources) and declare them as trusted.

To add a custom signing key:

  1. Generate (or use an existing) key with signing abilities, and export the public key to a file.
  2. Run getuto if it has never run:
    root #getuto
  3. Use gpg --homedir=/etc/portage/gnupg --import public.key to import the public key in portage's keyring.
  4. Trust and sign this key using the key created by getuto. In order to do this, first get the password to unlock the key at /etc/portage/gnupg/pass, then use:
    root #gpg --homedir=/etc/portage/gnupg --edit-key YOURKEYID
    Type sign, yes, paste (or type) the password. The key is now signed. To trust it, type trust, then 4 to trust it fully. Finally, type save.
  5. Update the trustdb so that GPG considers the key valid:
    root #gpg --homedir=/etc/portage/gnupg --check-trustdb

If you hit any issues, check if a pre-existing /etc/portage/gnupg existed. If it did, move it away and then repeat the above steps.

Congratulations, Portage now has a working keyring!

重要
Trusting the key marginally or less will not work

By default, Portage will only verify GPG signatures when a signature file is found in a package, which allows the user to mix signed and unsigned GPKG binary packages from different sources, and allows to use old XPAK format binary packages.

If the user wishes to force signature verification, the binpkg-request-signature feature needs to be enabled. This feature assumes that all packages should be signed and rejects any unsigned package. Note that this feature does not support per-binhost configuration.

文件 /etc/portage/make.confEnabling Portage's binpkg-request-signature feature
# Require that all binpkgs be signed and reject them if they are not (or have an invalid sig)
FEATURES="binpkg-request-signature"

从二进制包主机下载包

当使用二进制包主机时,客户机需要配置PORTAGE_BINHOST变量。不然,客户机不知道二进制包的存放位置将导致Portage无法获取二进制包。

When using a binary package host, clients need to have the PORTAGE_BINHOST variable set in /etc/portage/make.conf or the sync-uri variable in /etc/portage/binrepos.conf. Without this configuration, the client will not know where the binary packages are stored which results in Portage being unable to retrieve them.

文件 /etc/portage/binrepos.confSetting binhost sync-uri
[binhost]
sync-uri = https://example.com/binhost
priority = 10

PORTAGE_BINHOST变量使用一个用空格进行分割的URI列表。这可以让管理员可以同时使用不同的二进制包主机。URI地址应该总是指向Packages文件所在的目录。

Many Gentoo stages already come with a preinstalled /etc/portage/binrepos.conf file, which points to the corresponding binary packages generated during the stage builds.

附注
对于多个二进制包服务器的支持还不是很完整。如果几个服务器提供同一个版本的二进制包,那么只会使用第一个。当这些二进制包的USE变量配置不一样,而且后面的二进制包的USE变量配置是适合当前系统配置的情况下会产生问题。

重安装修改过的二进制包

传递 --rebuilt-binaries 选项给 emerge 将重新安装所有重建过的二进制包。这常用于二进制包服务器运行过像 revdep-rebuild 这种重建工具的场景。

一个相关的选项是--rebuilt-binaries-timestamp。它将使emerge不会重新安装那些在给定的时间标签之前已经建立的二进制包。如果二进制包服务器不得不从头开始重建而又要使用--rebuilt-binaries选项,这对于避免重新安装所有的包来说是很有用。

额外的客户端设置

跟着 getbinpkg 功能特性,Portage还接受 binpkg-logs 这个功能特性。这个特性控制是否保留二进制包成功安装记录的日志文件。它只有在设置了PORT_LOGDIR变量的情况下才会生效,默认为启用。

和从特定的包集合或分类中排除一些二进制包类似,客户机可以配置为从特定的包集合或分类中排除一些二进制包的安装。

--usepkg-exclude选项来实现这一功能:

root #emerge -uDNg @world --usepkg-exclude "sys-kernel/gentoo-sources virtual/*"

要为每个emerge命令启用此类附加设置,请将选项添加到 make.conf 文件中的 EMERGE_DEFAULT_OPTS 变量:

文件 /etc/portage/make.conf在每次调用时启用emerge设置
EMERGE_DEFAULT_OPTS="${EMERGE_DEFAULT_OPTS} --usepkg-exclude 'sys-kernel/gentoo-sources virtual/*'"

Updating packages on the binary package host

重要
Do not use --changed-use(-U) when updating packages on the binary package host, doing so will cause packages with added or removed USE flags to be skipped, which will cause their installation from binary package on the client to fail due to non-matching USE between the source ebuild and binary package (if the client's --binpkg-respect-use=y, the default). Use --newuse(-N), which will always rebuild packages even for added or removed USE flags, ensuring the binary package stays in sync with the source ebuild.

创建二进制包

创建二进制包有三种主要的方法:

  1. 在一次常规安装后,使用quickpkg程序;
  2. emerge 操作中显式使用 --buildpkg (-b) 选项;
  3. 通过使用 Portage 的 FEATURES 变量buildpkg 自动完成。

所有这三种方法都将在 PKGDIR 变量指向的目录创建二进制包(默认为 /var/cache/binpkgs)。

使用 quickpkg

quickpkg 程序接收一个或多个依赖 atoms (或者包集合)并对所有与那个 atom 匹配的 已安装 包创建二进制包。

这种方法有一点要注意:它依赖已安装的文件,会在配置文件上发生问题。管理员经常在安装完软件后改变配置文件。因为这可能向包中泄露重要(甚至可能是机密)数据, quickpkg 默认通过 CONFIG_PROTECT 方法保护配置文件被包含在内。要强制包含配置文件,使用 --include-config--include-unmodified-config 选项。

例如,要对所有已安装 GCC 版本创建二进制包:

root #quickpkg sys-devel/gcc

To create binary packages for the system set:

root #quickpkg @system

要对系统中所有已安装包创建二进制包,使用 * 通配符:

root #quickpkg "*/*"

使用 --buildpkg 作为 emerge 选项

当使用 emerge 安装软件时, Portage 可以通过 --buildpkg (-b) 选项被要求创建二进制包:

root #emerge --ask --buildpkg sys-devel/gcc

还可以要求 Portage 创建二进制包却 在活动系统上安装软件。 这种情况下,使用 --buildpkgonly (-B) 选项:

root #emerge --ask --buildpkgonly sys-devel/gcc

后一种方法还是需要构建时的依赖事先已安装。

作为 Portage 特性实现 buildpkg

最常用的自动创建二进制包的方式是每当使用 Portage 安装一个包就自动创建二进制包,通过使用 buildpkg 特性来实现,可以在 /etc/portage/make.conf 中进行设置,例如:

文件 /etc/portage/make.conf打开Portage的二进制包创建功能
FEATURES="buildpkg"

开启这项特性后,每次 Portage 安装软件,它将也创建一个二进制包。

排除一些包的创建

告诉 Portage 不要对一些指定的包或分类创建二进制包也是可以的。 这个可以通过向 emerge 传递 --buildpkg-exclude 选项:

root #emerge -uDN @world --buildpkg --buildpkg-exclude "virtual/* sys-kernel/*-sources"

这可以对那些不值得创建二进制包的包使用。例如 Linux 内核代码包或上游二进制包(那些以 -bin 结尾如 www-client/firefox-bin)。

Binary package compression formats

It is possible to use a specific compression type on binary packages. Currently, the following formats are supported: bzip2, gzip, lz4, lzip, lzop, xz, and zstd. Defaults to zstd. Review man make.conf and search for BINPKG_COMPRESS for the most up-to-date information.

The compression format can be specified via make.conf.

文件 /etc/portage/make.confSpecify binary package compression format
BINPKG_COMPRESS="lz4"

Note that the compression type used might require extra dependencies to be installed, for example, in this case app-arch/lz4.

Binary package OpenPGP signing

重要
OpenPGP signing and verification is only available for the GPKG binpkg format.

A PGP signature enables Portage to check the creator and integrity of a binary package, and to perform trust management based on PGP keys. The binary package signing feature is disabled by default. To use it, enable the binpkg-signing feature. Note that whether this feature is enabled does not affect the signature verification feature.

文件 /etc/portage/make.confEnabling Portage's binpkg-signing feature
FEATURES="binpkg-signing"

Users also need to set the BINPKG_GPG_SIGNING_GPG_HOME and BINPKG_GPG_SIGNING_KEY variables for Portage to find the signing key.

文件 /etc/portage/make.confConfiguring Portage's signing key
BINPKG_GPG_SIGNING_GPG_HOME="/root/.gnupg"
BINPKG_GPG_SIGNING_KEY="0x1234567890ABCDEF"

Portage will only try to unlock the PGP private key at the beginning. If the user's key will expire over time, then consider enabling gpg-keepalive to prevent signing failures.

文件 /etc/portage/make.confEnabling Portage's gpg-keepalive feature
FEATURES="gpg-keepalive"
提示
gpg-agent by default expires cache entries after 2 hours. This means that, by default, if an emerge session lasts longer than 2 hours, signing of binpkgs will eventually fail regardless of FEATURES="gpg-keepalive". To prevent this problem, set max-cache-ttl to some large value (e.g. 34560000) in $BINPKG_GPG_SIGNING_GPG_HOME/gpg-agent.conf.

配置二进制包主机

Portage 支持多种下载二进制包的协议:FTP、FTPS、HTTP、HTTPS和SSH/SFTP。这为多种可能的二进制包主机的实现提供了空间。

可是,Portage 并没有提供一个“现成”的方法来分发二进制包。根据需求还需要安装额外的软件。

基于 Web 的二进制包主机

一种常用的分发二进制包的方法是创建一个基于 web 的二进制包主机。

HTTPD

使用一个 web 服务器如 lighttpd (www-servers/lighttpd) 并且将其配置为提供对 /etc/portage/make.confPKGDIR 位置的读权限。

文件 /etc/lighttpd/lighttpd.conflighttpd 配置范例
# add this to the end of the standard configuration
server.modules += ( "mod_alias" )
alias.url = ( "/packages" => "/var/cache/binpkgs/" )

Caddy

To set up the Caddy HTTP server to provide a web-based binary package host, create a Caddyfile containing:

文件 Caddyfile
x.x.x.x:80 { # Replace x.x.x.x with your host's IPv4 address
    root * /path/to/binhost/var/cache/binpkgs
    file_server browse # Needed to server 
}

Once that is created, run Caddy with:

root #caddy run --config /path/to/Caddyfile

之后,在客户系统,对应地设置 PORTAGE_BINHOST 变量:

文件 /etc/portage/make.conf使用基于Web的二进制包主机
PORTAGE_BINHOST="http://binhost.example.com/packages"

SSH 二进制包主机

若要为二进制包提供更多身份验证的方法,可以考虑使用 SSH。

当使用 SSH ,可以使用 root Linux 用户的 SSH 密钥 (without passphrase as the installations need to happen in the background) 来连接到远程二进制包主机。

要实现这个,确保 root 用户的 SSH 密钥被服务器所接受的。这需要每台通过 SSH 链接到二进制包主机的客户机的 SSH 密钥都是被服务器接受的。

root #cat root.id_rsa.pub >> /home/binpkguser/.ssh/authorized_keys

PORTAGE_BINHOST 看起来如下:

文件 /etc/portage/make.conf配置PORTAGE_BINHOST用于SSH访问
PORTAGE_BINHOST="ssh://binpkguser@binhostserver/var/cache/binpkgs"

If the SSH server is listening to a different port (e.g 25), then it must be specified after the address, like so:

文件 /etc/portage/make.confSetting PORTAGE_BINHOST for SSH access on port 25
PORTAGE_BINHOST="ssh://binpkguser@binhostserver:25/var/cache/binpkgs"
附注
不要使用 SSH 配置文件 ~/.ssh/config 中设置的端口号和用户名,因为当 Portage 在试图同步包的时候会忽略这些配置。正确的方式是在 PORTAGE_BINHOST 变量中设置。

NFS 导出

当在内网中使用二进制包,可以更简单地通过 NFS 导出包并在客户系统进行挂载。

/etc/exports 文件看起来如下:

文件 /etc/exports导出包目录
/var/cache/binpkgs
2001:db8:81:e2::/48(ro,no_subtree_check,root_squash) 192.168.100.1/24(ro,no_subtree_check,root_squash)

在客户系统,这个位置就可以被挂载。例如 /etc/fstab 看起来如下:

文件 /etc/fstab包目录的挂载点
binhost:/var/cache/binpkgs      /var/cache/binpkgs    nfs    defaults    0 0

The NFS share is mounted on the local filesystem, so there is no need to set PORTAGE_BINHOST or use the --getbinpkg option. Instead, follow the normal procedures for installing binary packages, remembering to point PKGDIR to the NFS share so that portage knows where to find the packages:

文件 /etc/portage/make.confSetting the package directory for portage
PKGDIR="/var/cache/binpkgs"
附注
If PKGDIR is network-mounted, it may be advantageous to enable FEATURES="pkgdir-index-trusted". This feature disables checking the entire PKGDIR for added or removed packages and instead trusts the contents of the Packages file to be accurate. This significantly improves performance on high-latency networks.

维护二进制包

如果二进制包列表不积极维护,导出和分发二进制包只会白白浪费存储空间。

删除过期的二进制包

app-portage/gentoolkit 包提供了一个叫 eclean 的应用。它可以用来维护Portage相关的一系列文件,如下载的源代码文件和二进制包。

以下命令将删除所有在已安装的ebuild仓库中没有对应ebuild文件的二进制包:

root #eclean packages

请阅读Eclean的相关文章以了解更多细节。

另外一个可用的工具是 app-portage/portage-utils 包所提供的 qpkg 工具。不过,这个工具的可配置性稍微差些。

清理“无用”的二进制包(应用于存放二进制包的服务器上):

root #qpkg -c

维护包文件

提示
As of portage-3.0.52, Portage defaults to FEATURES=pkgdir-index-trusted for performance, which requires an accurate Packages index. This can be disabled if it is an inconvenience to regularly fix up the index with emaint after manual changes.

在存放二进制包的目录里有一个叫 Packages清单文件存在,这个文件缓存了包目录里所有二进制包的元数据。每当 Portage 添加一个二进制包到目录里去的时候就会更新这个文件。类似的,当 eclean 删除二进制包的时候也会更新它。

当出于某些原因要简单地删除二进制包或将它们复制到包目录里去的时侯;或者 Packages 文件损坏或被删除了的时候,那么就必须重建这个文件。通过使用 emaint 命令来完成这个工作:

root #emaint binhost --fix

To clear the cache of all binary packages:

root #rm -r /var/cache/binpkgs/*

高级主题

Chrooting

If creating packages for a different Portage profile or system with different USE flags, a chroot can be created.

附注
This example uses /var/chroot/buildenv as the chroot path, but any path can be used.

Creating the directories

First, the directories for this chroot must be created:

root #mkdir --parents /var/chroot/buildenv

Deploying the build environment

Next, the appropriate stage 3 tarball must be downloaded and extracted, here the desktop profile | openrc tarball is being used:

This can be extracted with the following command:

/var/chroot/buildenv/ #tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner

Configuring the build environment

重要
{{{1}}}

The build environment should be configured to match that of the system it is building for. The simplest way to do this is to copy the /etc/portage and /var/lib/portage/world files. This can be done with rsync:

附注
This command should be executed on the build target machine, where the remote host has the chroot.
user $rsync --archive --whole-file --verbose /etc/portage/* larry@remote_host:/var/chroot/buildenv/etc/portage
user $rsync --archive --whole-file --verbose /var/db/repos/* larry@remote_host:/var/chroot/buildenv/var/db/repos
附注
{{{1}}}

This process should be repeated for the world file:

user $rsync --archive --whole-file --verbose /var/lib/portage/world larry@remote_host:/var/chroot/buildenv/var/lib/portage/world
附注
/var/lib/portage and /var/lib/portage/world should have the root:portage permissions.

Configuring the chroot

Once created, mounts must be bound for the chroot to work:

/var/chroot/buildenv #mount --types proc /proc proc
/var/chroot/buildenv #mount --rbind /dev dev
/var/chroot/buildenv #cp --dereference /etc/resolv.conf etc
附注
If a tmpfs is being used for portage's temp dir, ensure that is mounted.

Entering the chroot

To enter this chroot, the following command can be used:

/var/chroot/buildenv #chroot . /bin/bash

Optionally, the prompt can be set to reflect the fact that the chroot is active:

/ #export PS1="(chroot) $PS1"
Performing an initial build
附注
This step assumes this configuration has been completed: Setting portage to use buildpkg.

This step is optional, but rebuilds all packages in the new world:

(chroot) #emerge --emptytree @world

Building for other architectures

crossdev is a tool to easily build cross-compile toolchains. This is useful to create binary packages for installation on a system whose architecture differs from that of the system used to build the packages. A common example would be building binary packages for a device like an arm64 Raspberry Pi from a more powerful amd64 desktop PC.

An installation guide for sys-devel/crossdev can be found at the crossdev page.

Build a cross compiler

Using crossdev with the following command can build a toolchain for the desired system:

root #crossdev --stable -t <arch-vendor-os-libc>

For the rest of this section, the example target will be for a Raspberry Pi 4:

root #crossdev --stable -t aarch64-unknown-linux-gnu

After this has built, a toolchain will have been created in /usr/aarch64-unknown-linux-gnu, and will look like a bare-bones Gentoo install where it is possible to edit Portage settings as normal.

提示
Replacing aarch64-unknown-linux-gnu with aarch64-unknown-linux-musl would build a system with the Musl libc rather than Glibc.

Basic setup

Removing the -pam flag from the USE line in /usr/aarch64-unknown-linux-gnu/etc/portage/make.conf is generally recommended in a setup like this:

文件 /usr/aarch64-unknown-linux-gnu/etc/portage/make.confDisable the pam USE flag
CHOST=aarch64-unknown-linux-gnu
CBUILD=x86_64-pc-linux-gnu
 
ROOT=/usr/${CHOST}/
 
ACCEPT_KEYWORDS="${ARCH}"
 
USE="${ARCH}"
 
CFLAGS="-O2 -pipe -fomit-frame-pointer"
CXXFLAGS="${CFLAGS}"
 
FEATURES="-collision-protect sandbox buildpkg noman noinfo nodoc"
# Ensure pkgs from another repository are not overwritten
PKGDIR=${ROOT}var/cache/binpkgs/
 
#If you want to redefine PORTAGE_TMPDIR uncomment (and/or change the directory location) the following line
PORTAGE_TMPDIR=${ROOT}var/tmp/
 
PKG_CONFIG_PATH="${ROOT}usr/lib/pkgconfig/"
#PORTDIR_OVERLAY="/var/db/repos/local/"

Profiles

List available profiles for the device by running:

root #PORTAGE_CONFIGROOT=/usr/aarch64-unknown-linux-gnu eselect profile list

Next, select the profile that best suits:

root #PORTAGE_CONFIGROOT=/usr/aarch64-unknown-linux-gnu eselect profile set <profile number>

Build a single package

To build a single binary package for use on the device, use the following:

root #emerge-aarch64-unknown-linux-gnu --ask foo

Build world file

To build every package in the world file, then the following command is needed:

root #emerge-aarch64-unknown-linux-gnu --emptytree @world

Binary location

By default, all binary packages will be stored in /usr/aarch64-unknown-linux-gnu/var/cache/binpkgs, so this is the location needed to be selected when setting up a binary package host.

建立二进制包目录的快照

当需要分发二进制包给大量的客户机系统的时候,建立包目录的快照可能会比较划算。客户机系统就不是直接使用包目录,而是使用快照所提供的二进制包。

可以使用 /usr/lib64/portage/python2.7/binhost-snapshot 或者 /usr/lib64/portage/python3.3/binhost-snapshot 工具来创建快照。它需要四个参数:

  1. 一个源目录(包目录的路径)。
  2. 一个目标目录(目录必须不存在)。
  3. 一个URI地址。
  4. 一个二进制包服务器目录。

将包目录的文件复制到目标目录,然后在URI地址所指向的二进制包服务器的目录(第四个参数)里创建一个Packages文件。

客户系统需要使用一个指向二进制包服务器的 URI 地址。然后他们将会被重定向到被传递给 binhost-snapshot 的快照URI地址。这个快照 URI 地址必须指向目标目录。

理解二进制包的格式

XPAK format

Portage 所创建的二进制包的文件名以 tbz2 结尾,这种文件由两部分构成:

  1. 一个 .tar.bz2 的归档文件,包含了将会安装到系统中的文件;
  2. 一个 xpak 的归档文件包含了包的元数据,ebuild 和环境文件。

查看 man xpak 来了解格式描述。

app-portage/portage-utils 中有一些工具能分解或创建 tbz2xpak 文件。

下列命令可以将 tbz2 文件分解成一个 .tar.bz2 和一个 .xpak 文件:

user $qtbz2 -s <package>.tbz2

.xpak 文件可以用 qxpak 工具来检查。

列出其内容:

user $qxpak -l <package>.xpak

下一条命令将生成一个叫 USE 的文件,文件包含了这个包所使用的 USE 设置:

user $qxpak -x package-manager-0.xpak USE

GPKG format

GPKG format binary packages created by Portage have the file name ending with .gpkg.tar. These files consist of four parts at least:

  1. A gpkg-1 empty file that used to identify the format.
  2. A C/PV/metadata.tar{.compression} archive containing package metadata, the ebuild, and the environment file.
  3. A C/PV/image.tar{.compression} archive containing the files that will be installed on the system.
  4. A Manifest file containing checksums to protect against file corruption.
  5. Multiple optional .sig files containing OpenPGP signature are used for integrity checking and verification of trust.

The format can be extracted by tar without the need for additional tools.

PKGDIR的布局

目前使用的布局(版本2)如下:

代码 包目录布局 (版本2)
PKGDIR
`+- Packages
 +- app-accessibility/
 |  +- pkg1-version.tbz2
 |  `- pkgN-version.tbz2
 +- app-admin/
 |  `- ...
 `- ...

Packages 文件是在第一个二进制包目录布局(版本1)之上最主要的改进(同时也是让 Portage 知道二进制包目录使用版本2的触发器)。在版本1中,所有二进制包都被放在一个叫 All/ 的目录里,而分类目录只是指向 All/ 目录中二进制包的符号链接。

In portage-3.0.15 and later, FEATURES=binpkg-multi-instance is enabled by default:

代码 Packages directory layout (version 2 + FEATURES=binpkg-multi-instance)
PKGDIR
`+- Packages
 +- app-accessibility/
 |  +- pkg1/
 |    +- pkg1-version-build_id.xpak
 |    `- pkgN-version-build_id.xpak
 +- app-admin/
 |  `- ...
 `- ...

用 quickunpkg 来解包

Zoobab 编写了一个叫 quickunpkg 的简单脚本程序来快速解包 tbz2 文件。

See also

External resources

quickpkg man page.