Gentoo Install notes
- Foreword
- Internet Connectivity
- Disk Partitioning
- Encrypting Root
- Applying Filesystems and Mounting
- Acquiring a stage-3 tarball
- The Chroot Environment
- First Emerge
- Standard Settings
- Configuring Portage
- Final Emerge
- Final Configuration
genkernelandefibootmgr- Further Reading
Foreword⌗
This guide is NOT meant to supplant the gentoo handbook, rather streamline it for my use case.
Commands in explanations will be highlighted in green
Files and directories will be highlighted in blue
Here is what the end state of this guide is:
- Bare Minimal amd64 Install
- We will be using the openrc-nomultilib profile and configuring it for desktop use
- LUKS Full Disk Encryption
- we will be utilizing
cryptsetupto set up strong full disk encryption.
- we will be utilizing
- efibootmgr + genkernel
- we will be using
genkernelto compile our kernel and deposit the vmlinuz and initramfs.img files in /boot, then usingefibootmgrto boot from those
- we will be using
- iwd
- we will be using
iwdas our wireless daemon.
- we will be using
- Note: For our installation media, we will be utilizing an archiso live USB, however, this may also be done from any GNU/Linux system so long as the target disk is not the one you’re currently using
Internet Connectivity⌗
Arch ships iwd out of the box, so we will simply utilize it to connect
$ iwctl
$ station
Disk Partitioning⌗
Here, we will partition and assign filesystems to the new partitions. We will not be creating a swap partition, as if you’re a desktop user with more than 8gb of RAM, it’s largely unneeded in my experience.
$ cgdisk /dev/nvme0n1
...
# 256mb EFI Filesystem / ef00 (for boot)
# 100% Linux Filesystem / 8300 (for LUKS)
...
Encrypting Root⌗
Now, we will encrypt our empty 2nd partition and unlock it
$ cryptsetup -c aes-xts-plain64 -y -s 512 luksFormat /dev/nvme0n1p2
$ cryptsetup luksOpen /dev/nvme0n1p2 cryptroot
Applying Filesystems and Mounting⌗
Before we can download and extract a stage 3 tarball,
$ mkfs.fat -F 32 /dev/nvme0n1p1
$ mkfs.ext4 /dev/mapper/cryptroot
$ mount /dev/mapper/cryptroot /mnt
$ mkdir /mnt/boot
$ mount /dev/nvme0n1p2 /mnt/boot
Now, we must mount directories such as /proc and /sys as slaves. This will allow the chroot environment to access more aspects of the host system, such as efivars and networking (which becomes important later)
$ mount --types proc /proc /mnt/gentoo/proc
$ mount --rbind /sys /mnt/gentoo/sys
$ mount --make-rslave /mnt/gentoo/sys
$ mount --rbind /dev /mnt/gentoo/dev
$ mount --make-rslave /mnt/gentoo/dev
$ mount --bind /run /mnt/gentoo/run
$ mount --make-slave /mnt/gentoo/run
Acquiring a stage-3 tarball⌗
Before we chroot, we have one last thing we must do! We must acquire a stage 3 tarball and extract it into the target device.
A stage-3 tarball is an archive containing a very minimal gentoo root filesystem which we will extract into the target device and chroot into
Ensure your pwd is /mnt
Download the stage 3 tarball with links/lynx
$ cd /mnt
$ lynx https://www.gentoo.org
...
# Use the / [forward slash] character to search for terms on the page
# look up "downloads", this word will be selected
# hit [enter]/[return] to navigate into the highlighted link
# search [/] for "amd64" within downloads and select it, bringing you here
Advanced choices and other architectures
*amd64
# Utilizing arrow keys, navigate to this block
Stage archives
Stage 3 openrc 2023-07-23 237 MiB Stage 3 desktop profile | openrc
2023-07-23 619 MiB Stage 3 systemd 2023-07-23 259 MiB Stage 3 systemd |
merged usr 2023-07-23 261 MiB Stage 3 desktop profile | systemd
2023-07-23 626 MiB Stage 3 no multilib | openrc 2023-07-23 228 MiB Stage
3 no multilib | systemd 2023-07-23 251 MiB Stage 3 no multilib | systemd
merged usr 2023-07-23 252 MiB Stage 3 x32 | openrc 2023-07-23 255 MiB
Stage 3 x32 | systemd 2023-07-23 281 MiB Stage 3 x32 | systemd | merged
usr 2023-07-23 282 MiB
# Utilizing arrow keys, navigate downward to the following link from the block above
Stage 3 no multilib | openrc 2023-07-23 228 MiB
# Highlight it and press [enter]/[return]
# When prompted in the statusbar below, hit press D to download
# Let it download, when it's complete, ensure you select the following option!
Standard download options:
Save to disk
# Hit enter, it will save to disk.
# Exit lynx using Q
Note: As an optional step, you may verify the authenticity of the downloaded tarball. This is particularly encouraged if you have any reason to believe your network may be compromised.
The Chroot Environment⌗
Now we may extract the stage-3 and begin working within it.
Extracting the stage-3⌗
$ tar xpvf stage3-*.tar.xz --xattrs-include='*.*' --numeric-owner
$ cp --dereference /etc/resolv.conf /mnt/etc/
Optional: genfstab⌗
Before we enter, if you do not feel confident writing your own fstab file, we can utilize archiso’s genfstab utility to make one for us which we will clean up later
$ genfstab -pU /mnt | tee -a /mnt/etc/fstab
Entering the Chroot⌗
To enter the chroot, issue the following command
$ chroot /mnt /bin/bash
$ source /etc/profile
First Emerge⌗
Emerge is Gentoo’s package manager. It is extremely robust in it’s capabilities. Here, we will parse news from it’s internal news feed and issue our first update. Other than emerge and settings we will cover later on regarding /etc/portage, setting up a gentoo system is almost identical to any other GNU/Linux system
# First, we will update emerge's package list.
# This is similar to a "Sync" or "Update" in other distros
$ emerge-webrsync
$ emerge --sync
# Now, we will utilize eselect to check and set our profile
# Our profile should be [15], the asterisk [*] indicates it's selected
$ eselect profile list
...
[14] default/linux/amd64/17.1/developer (exp)
[15] default/linux/amd64/17.1/no-multilib (stable) *
[16] default/linux/amd64/17.1/no-multilib/hardened (stable)
...
# To issue our first update, run the following command
# We will install git and gentoolkit first, as it will help configuring the system later
$ emerge --ask gentoolkit dev-vcs/git
$ emerge --ask --update --quiet --quiet-build --newuse --deep @world
Background Work⌗
The above command may take time, we will let it do it’s thing with it’s default settings and address some alterations we can make later on. For now, let it run in the background.
We will continue bootstrapping our system in another TTY.
Hold down [CTRL] + [ALT], now utilize one of the function keys i.e [F2] to switch to the second TTY.
To switch between TTY’s, you may use the above key combo OR you may hold [ALT] and hit the [LEFT]/[RIGHT] arrow keys to scroll between them.
Note: Check back to the TTY running emerge periodically while working below, as we will emerge some important packages after it’s initial update. In the meantime, continue working below!
Standard Settings⌗
While emerging packages, in another TTY, we may begin configuring the standard options on our system as we would any other GNU/Linux distro.
Timezone and Locale⌗
First, let’s set the timezone
$ ln -s /usr/share/zoneinfo/America/Chicago /etc/localtime
# OR instead, you may do this
$ echo "America/Chicago" > /etc/timezone
$ emerge --config sys-libs/timezone
Now, let’s set the correct locale
$ nano /etc/locale.gen
# uncomment your locale, in my case, en_US UTF-8
$ locale-gen
Users and Hostname⌗
Now, we may add our user and set a hostname.
$ useradd -mG wheel MyUsername
$ passwd MyUsername
# set a root password as well!
$ passwd root
Set the system hostname
$ echo "hostname" > /etc/hostname
fstab cleanup⌗
Whether or not you opted to use arch’s genfstab utility, manual alterations to the fstab entry are likely needed, as genfstab would have likely output USB devices and such into the fstab
First, let’s orient ourselves to the current system in order to get correct UUID’s
$ lsblk -f
....
nvme0n1
├─nvme0n1p1 vfat FAT32 5573-83D6 69.5M 45% /boot
└─nvme0n1p2 crypto_LUKS 2 28f09284-f2b9-475e-b355-efc3c352026e
└─root ext4 1.0 47a9f9b8-98a1-4bc6-b12a-5318a9d25133 196.5G 11% /
There are 3 important entries we must include in our fstab file.
The unencrypted root of the filesystem as is shown at the bottom with the name root,
the vfat boot partition second from the top mounted at /boot
and finally a tmpfs partition which we will write ourselves in the fstab file, but is not in the output of lsblk
Now we will put the appropriate UUID’s from above in fstab and line them up to be in the correct spots
# Keep in mind the first 4 digits of the UUID for the boot and root
# This command will search for the uuid containing 47a9, which
# in this example is the unencrypted root. It will then
# normalize the spaces with xargs and select the correct field
# and append it to the bottom of /etc/fstab
$ lsblk -f | grep 47a9 | xargs | cut -d ' ' -f 4 >> /etc/fstab
$ lsblk -f | grep 5573 | xargs | cut -d ' ' -f 4 >> /etc/fstab
# Now that the correct UUID's are in our fstab, let's put them where they need to go
Now, let’s go into the fstab and make alterations
$ nano /etc/fstab
# In here, we can use [CTRL]+[K] to cut and [CTRL]+[U] to paste the
# UUID's where they need to go.
...
# /dev/mapper/cryptroot ROOT partition
UUID=47a9f9b8-98a1-4bc6-b12a-5318a9d25133 / ext4 rw,noatime,nodiratime 0 1
# /dev/nvme0n1p1, BOOT partition
UUID=5573-83D6 /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
tmpfs /tmp tmpfs rw,nosuid,defaults 0 0
Note:
Genfstab will put some arguments for iocharset as seen above. It’s safe to keep much of this. The important part is putting the correct UUID’s in the UUID blocks as shown above, as well as writing out the tmpfs entry as shown on the bottom line. Whatever else genfstab put in this file is generally safe to delete so long as root, boot, and tmpfs are present
Configuring Portage⌗
Now that we’ve done some system configuration and/or the first emerge is done, we may emerge some important packages and set some important use flags.
Before we get started, let’s speak in a little more depth about how emerge works. The real meat of emerge sits in /etc/portage. We will now do some important (albeit opinionated) tweaks to this directory, including setting some important use flags
We will be setting use flags for, and installing the following packages
| Package | Description | Use |
|---|---|---|
| iwd | network stack | -ofono -systemd -crda standalone client moitor wired |
| doas | minimal sudo alternative | persist |
| seatd | used in lieu of elogind |
builtin server |
| linux-firmware | linux firmware | initramfs |
| vim | text editor | vim-pager |
| git | can be used to sync emerge | -perl -gnome-keyring |
| openrc | installed by default, only changing flags | -netifrc |
Note:
The use flags we’ll set for iwd, doas, and seatd are more or less essential for proper desktop function. The ones for vim, git and openrc are optional
portage/
├── env
│ └── small.conf
├── make.conf
├── make.profile -> ../../var/db/repos/gentoo/profiles/default/linux/amd64/17.1/no-multilib
├── package.accept_keywords
├── package.env
├── package.mask
│ └── rust
├── package.use
│ ├── cryptsetup
│ ├── doas
│ ├── git
│ ├── global
│ ├── imv
│ ├── iwd
│ ├── linux-firmware
│ ├── mpv
│ ├── openrc
│ ├── seatd
│ ├── vim
│ └── zlib
├── profile
│ └── package.use.force
├── repos.conf
│ ├── gentoo.conf
│ ├── guru.conf
│ ├── haarp.conf
│ └── homemade.conf
└── savedconfig
└── sys-kernel
├── linux-firmware-20230625_p20230707
└── linux-firmware-20230625_p20230724
Here’s truncated output of mine. Some important changes I’ve made include turning the package.use file into a directory, in which i can make granular tweaks to individual packages as opposed to having all use flags in a single file.
Turning package.use into a directory⌗
Let’s do that by deleting the default and turning it into a directory
$ rm -rf /etc/portage/package.use
$ mkdir /etc/portage/package/use
Now, in my example output, I have files for important utilities such as iwd, doas and cryptsetup. These are simple plain text files containing one-liners for use flags.
Searching use flags⌗
Now we can parse packages for use flags using equery, which is part of the gentoolkit suite we installed earlier. Gentoolkit contains many useful tools, further reading here
$ equery u iwd
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-wireless/iwd-2.4:
U I
+ + client : Enable iwctl client tool
- - crda : Use net-wireless/crda for regulatory domain loading instead of in-kernel (4.15+) support
+ + monitor : Enable iwmon monitor tool
- - ofono : Enable support for oFono SIM authentication
+ + standalone : Enable standalone mode with built-in DHCP client and DNS handling
- - systemd : Use systemd-resolve rather than resolvconf for DNS handling in standalone mode
+ + wired : Enable ethernet authentication daemon
Now that we’ve identified some important use flags for our package, we can set them in the /etc/portage/package.use/ directory as described above
Setting use flags⌗
Note Our working directory for this section will be /etc/portage/package.use
Based on the output above, we’ve identified some important use flags. We’ll want to enable client, monitor, standalone and optionally wired.
Additionally, we’ll want to disable crda and ofono. If you see two “- -” characters on yours, that means it’s already disabled and you won’t have to disable them.
Note There are many ways to accomplish this task, including tools which automate it. This is simply the way I prefer, as it’s the most straightforward in my opinion.
$ cd /etc/portage/package.use
$ echo "net-wireless/iwd -ofono -systemd -crda standalone client moitor wired" > iwd
While we’re here, let’s enable some use flags for and seatd
$ equery u seatd
...
+ + server : Enable standalone seatd server, replacement to (e)logind
+ + builtin : Enable embedded server in libseat
...
$ echo "sys-auth/seatd builtin server" > seatd
now for doas
$ equery u doas
...
+ + persist : Adds support for "persist" feature (experimental)
...
$ echo "app-admin/doas persist" > doas
now for linux-firmware
$ equery u linux-firmware
...
+ + initramfs : Create and install initramfs for early microcode loading in /boot (only AMD for now)
...
$ echo "sys-kernel/linux-firmware initramfs" > linux-firmware
Optional: Setting Global use flags⌗
We may additionally set use flags in this directory which will be respected by every single package. Here’s an example of what mine looks like.
The */* indicates that these flags will be applied to any package within any package group. this file may named anything you want within the package.use directory.
$ cat /etc/portage/package.use/global
*/* -elogind -logind X wayland dbus opengl vulkan udev pulseaudio -bluetooth cryptsetup -valgrind -perl
Optional: Making Portage use git for sync⌗
Portage, by default, will use rsync to sync your local package db located in /var/db/repos/gentoo/. This isn’t a bad thing necessarily, however, to distribute load away from the repo hosted by gentoo itself, we may opt to use git to sync the repo.
If you have installed git prior, it is safe to remove the repos.conf file and replace it with a directory if it’s not already a directory
$ rm -rf /etc/portage/repos.conf
Now, let’s navigate to the portage directory and make it a directory
$ cd /etc/portage
$ mkdir repos.conf
$ cd repos.conf
Within this directory, let’s produce a gentoo.conf repo file and configure it
$ touch gentoo.conf
$ nano gentoo.conf
...
[gentoo]
location = /var/db/repos/gentoo
sync-type = git
sync-uri = https://github.com/gentoo-mirror/gentoo.git
auto-sync = yes
sync-git-verify-commit-signature = true
Note The gentoo.conf file must look exactly like above, including the [gentoo] block
Now we may delete our old package database and sync, this time it will use git as a backend
$ rm -rf /var/db/repos/gentoo/
$ emerge --sync
...
>>> Syncing repository 'gentoo' into '/var/db/repos/gentoo'...
/usr/bin/git clone --depth 1 https://github.com/gentoo-mirror/gentoo.git .
Cloning into '.'...
remote: Enumerating objects: 135320, done.
remote: Counting objects: 100% (135320/135320), done.
remote: Compressing objects: 100% (113227/113227), done.
remote: Total 135320 (delta 31187), reused 69254 (delta 21088), pack-reused 0
Receiving objects: 100% (135320/135320), 65.56 MiB | 978.00 KiB/s, done.
Resolving deltas: 100% (31187/31187), done.
Updating files: 100% (117484/117484), done.
* Using keys from /usr/share/openpgp-keys/gentoo-release.asc
...
Action: sync for repo: gentoo, returned code = 0
Final Emerge⌗
Now, we may use emerge to install the base system, including the kernel and firmware.
Note We will be using gentoo-sources and genkernel to compile to aforementioned source.
emerge --ask iwd seatd cryptsetup efibootmgr genkernel gentoo-sources linux-firmware doas
Similar to earlier, this may take some time to download and compile. While that’s running, let’s move to Final Configuration and set up iwd, doas and genkernel for usage.
Final Configuration⌗
Strictly speaking, there’s no need to wait for these programs to be installed to configure them. For my use, I typically backup/deploy all of the appropriate config files and directories within. This guide follows roughly the flow of the handbook, and we’ve been configuring the system in parts as we install the system.
It is completely viable to configure every utility all in one go, before even a single thing has been emerged.
The working directory for this section will be /etc
iwd configuration⌗
iwd is configured via a plain text file, /etc/iwd/main.conf
below is an example of a bog standard one, using the standalone name resolver as set in the use flags earlier
# make the iwd directory if it's not already there
$ mkdir /etc/iwd
$ nano /etc/iwd/main.conf
...
[General]
EnableNetworkConfiguration=true
[Network]
NameResolvingService=resolvconf
doas configuration⌗
doas is a portable fork of OpenBSD doas, which in our use case will serve as a minimal replacement to sudo.
By default, doas does not support persistence, i.e entering your password to execute a command which requires root privilege and not having to enter it again for a few minutes after authentication
We rectified this earlier with the “persist” use flag
the doas config file exists as /etc/doas.conf, here’s an example of mine, including syntax to not prompt for password for a few utilities which I use often (brightnessctl and lsblk)
$ nano /etc/doas.conf
...
permit keepenv persist :wheel
permit keepenv nopass MyUsername cmd /bin/lsblk
permit keepenv nopass MyUsername cmd /usr/bin/lsblk
permit keepenv nopass MyUsername as root cmd lsblk
permit keepenv nopass MyUsername cmd /bin/brightnessctl
permit keepenv nopass MyUsername cmd /usr/bin/brightnessctl
permit keepenv nopass MyUsername as root cmd brightnessctl
...
genkernel configuration⌗
genkernel is a tool which we will use to compile gentoo-sources. The genkernel config file is located at /etc/genkernel.conf
We will be making a few changes to make it better suit our use case. For instance, by default it will generate a vmlinuz and initrd.img file with version numbers appended. We will be removing this similar to how Arch Linux handles this in order to remove the need to manually update our efibootmgr entry on kernel upgrade.
The genkernel config file is very large. Below are important components I have either uncommented or altered in some way. Check it out and tweak to your liking.
# Install to $BOOTDIR
INSTALL="yes"
# Run 'make nconfig' (ncurses 'menuconfig') before compiling this kernel
NCONFIG="yes"
# Mount BOOTDIR automatically if it isn't mounted
MOUNTBOOT="yes"
# Save the new configuration in /etc/kernels upon
# successful compilation
SAVE_CONFIG="no"
# Enable color output in genkernel
NOCOLOR="false"
# Add LUKS support
LUKS="yes"
# Add GnuPG support
GPG="no"
# Enables keymap selection support
KEYMAP="yes"
# Set kernel filename which will be used when kernel will be installed
# into BOOTDIR. See man page to learn more about available placeholders.
#KERNEL_FILENAME="vmlinuz-%%KV%%"
KERNEL_FILENAME="vmlinuz"
# Set initramfs filename which will be used when initramfs will be
# installed into BOOTDIR. See man page to learn more about available
# placeholders.
#INITRAMFS_FILENAME="initramfs-%%KV%%.img"
INITRAMFS_FILENAME="initramfs.img"
genkernel and efibootmgr⌗
Once what we installed under Final Emerge has completed, now we can compile our kernel and use efibootmgr to point to the vmlinuz and initramfs.img in /boot.
eselect the kernel⌗
we will use eselect to tell the system which kernel from gentoo-sources to use. by default, gentoo will never remove old kernel sources unless you select a new/different one and emerge --depclean --deep --ask after an update.
Let’s view what we can set it to, and set it appropriately
$ eselect kernel list
Available kernel symlink targets:
[1] linux-6.1.41-gentoo
$ eselect kernel set 1
$ eselect kernel list
Available kernel symlink targets:
[1] linux-6.1.41-gentoo *
genkernel the source⌗
Now that we’ve set the appropriate kernel, we can compile it using genkernel
This will take some time. The default kernel config is solid, and will not require any tweaks for a functional system. Let’s compile it with default settings.
$ genkernel all
This will bring up an ncurses config window. No alteration is needed here, yet! Later on, feel free to tweak and change components as is discussed elsewhere, but let’s stick with the defaults for now.
Press [F9] to exit the window and compile the kernel.
We’re in the home stretch! After this, we can set the efi entry and have a bootable system!
efibootmgr configuration⌗
Now that genkernel has finished, let’s verify the files made it successfully to /boot
Note Genkernel will automatically move the prior version to the same name appended with “.old” If you’ve followed along so far, your /boot will look like mine below, but not yet as you haven’t used this install long enough to have upgraded kernel version
$ ls /boot
-rwxr-xr-x 1 root 9.9M Jul 27 17:59 vmlinuz.old
-rwxr-xr-x 1 root 14M Jul 27 19:30 vmlinuz
-rwxr-xr-x 1 root 12M Jul 27 18:31 initramfs.img.old
-rwxr-xr-x 1 root 12M Jul 27 19:58 initramfs.img
-rwxr-xr-x 1 root 54K Jul 27 01:49 amd-uc.img
-rwxr-xr-x 1 root 4.0M Jul 27 17:59 System.map-6.1.41-gentoo-eternal.old
-rwxr-xr-x 1 root 5.0M Jul 27 19:30 System.map-6.1.41-gentoo-eternal
Now that we’ve verified that the vmlinuz and initramfs.img files are present, let’s do our boot entry and reboot!
Verifying target device⌗
Back to lsblk, let’s ensure we use the right UUID’s for our efiboot
$ lsblk -f
nvme0n1
├─nvme0n1p1 vfat FAT32 5573-83D6 69.5M 45% /boot
└─nvme0n1p2 crypto_LUKS 2 28f09284-f2b9-475e-b355-efc3c352026e
└─root ext4 1.0 47a9f9b8-98a1-4bc6-b12a-5318a9d25133 198.8G 10% /
Running efibootmgr⌗
We only ever need to run this command once, as future genkernel usage will simply overwrite the previous images present in this directory and move/appending the old one with “.old”
This time, the crypto_LUKS partition starting with 28f0 will be placed after “crypt_root=UUID=” in the syntax below. Likewise, the ext4 partition below it beginning in 47a9 will be placed after “root=UUID=”
$ echo "efibootmgr -d /dev/nvme0n1 -p 1 -c -L Gentoo -l /vmlinuz -u 'quiet loglevel=0 crypt_root=UUID= root=UUID= initrd=\initramfs.img initrd=\amd-uc.img'" > efishot
$ chmod +x efishot
$ lsblk -f | grep 28f0 | xargs | cut -d ' ' -f 4 >> efishot
$ lsblk -f | grep 47a9 | xargs | cut -d ' ' -f 4 >> efishot
Now, as we did with fstab, we must line up the correct UUID to where they need to go In my example, the command would look like this once I’ve moved the UUID to where they need to be
$ cat efishot
efibootmgr -d /dev/nvme0n1 -p 1 -c -L Gentoo -l /vmlinuz -u 'quiet loglevel=0 crypt_root=UUID=28f09284-f2b9-475e-b355-efc3c352026e root=UUID=47a9f9b8-98a1-4bc6-b12a-5318a9d25133 initrd=\initramfs.img initrd=\amd-uc.img'
After you’ve altered your one-liner, run it.
Verify it took by running efibootmgr with no arguments. Your new boot item should be present and in boot the boot order.
Note
On some firmware, new entries will NOT actually make it into the boot order. To rectify this, you must add the boot number to the boot order
If this is the case, identify the bootnumber of your entry by viewing the output of efibootmgr with no arguments, for instance my boot entry is Boot0000* Gentoo
To add it to the boot order, run
$ efibootmgr -o 0000
# You may add comma separted numbers after your number to add additional entries
You’ve done it! Now you may reboot and use your new system
Move on to further reading for recommended bits regarding gentoo, service management and installation of desktop utilities