diff --git a/nodepool/elements/infra-package-needs/install.d/10-pip-packages b/nodepool/elements/infra-package-needs/install.d/10-pip-packages
index ebcc3e3966..be9ced7ab5 100755
--- a/nodepool/elements/infra-package-needs/install.d/10-pip-packages
+++ b/nodepool/elements/infra-package-needs/install.d/10-pip-packages
@@ -22,6 +22,9 @@ set -e
 
 packages='tox'
 
-for package in $packages ; do
-    pip install $package
-done
+# non-system root installed packages can interfere with things
+if [ "${DISTRO_NAME}" != "gentoo" ]; then
+    for package in $packages ; do
+        pip install $package
+    done
+fi
diff --git a/nodepool/elements/infra-package-needs/package-installs.yaml b/nodepool/elements/infra-package-needs/package-installs.yaml
index 283a38d9b4..a87f5ec08b 100644
--- a/nodepool/elements/infra-package-needs/package-installs.yaml
+++ b/nodepool/elements/infra-package-needs/package-installs.yaml
@@ -32,3 +32,4 @@ centos-release-openstack-ocata:
 redhat-rpm-config:
 redhat-lsb-core:
 curl:
+tox:
diff --git a/nodepool/elements/infra-package-needs/pkg-map b/nodepool/elements/infra-package-needs/pkg-map
index 2c52939f21..aa193ce106 100644
--- a/nodepool/elements/infra-package-needs/pkg-map
+++ b/nodepool/elements/infra-package-needs/pkg-map
@@ -11,9 +11,15 @@
       "build-essential": "",
       "cron": "sys-process/cronie",
       "curl": "net-misc/curl",
+      "dnsutils": "net-dns/bind-tools",
+      "git": "dev-vcs/git",
+      "iptables": "net-firewall/iptables",
+      "iputils-ping": "net-misc/iputils",
       "ntp": "net-misc/ntp",
+      "ntpdate": "net-misc/ntp",
       "python-dev": "",
       "python3-dev": "",
+      "tox": "dev-python/tox",
       "traceroute": "net-analyzer/traceroute",
       "uuid-runtime": ""
     },
@@ -57,6 +63,7 @@
     "redhat-rpm-config": "",
     "redhat-lsb-core": "",
     "python-xml": "",
-    "python3": ""
+    "python3": "",
+    "tox": ""
   }
 }
diff --git a/nodepool/elements/infra-package-needs/post-install.d/80-enable-haveged b/nodepool/elements/infra-package-needs/post-install.d/80-enable-haveged
index 7b50e878b7..e7df41ce35 100755
--- a/nodepool/elements/infra-package-needs/post-install.d/80-enable-haveged
+++ b/nodepool/elements/infra-package-needs/post-install.d/80-enable-haveged
@@ -15,9 +15,7 @@ case "$DIB_INIT_SYSTEM" in
         systemctl enable haveged.service
         ;;
     openrc)
-        # TODO(pabelanger): Make sure we support gentoo if we bring images
-        # online for nodepool.o.o.
-        exit 0
+        rc-update add haveged default
         ;;
     sysv)
         exit 0
diff --git a/nodepool/elements/infra-package-needs/post-install.d/80-enable-infra-services b/nodepool/elements/infra-package-needs/post-install.d/80-enable-infra-services
index c6691faa12..eb44079f84 100755
--- a/nodepool/elements/infra-package-needs/post-install.d/80-enable-infra-services
+++ b/nodepool/elements/infra-package-needs/post-install.d/80-enable-infra-services
@@ -19,8 +19,8 @@ case "$DIB_INIT_SYSTEM" in
         fi
         ;;
     openrc)
-        # let dib-init-system's postinstall handle enabling init scripts
-        exit 0
+        rc-update add ntp-client default
+        rc-update add acpid default
         ;;
     sysv)
         # ntp is enabled by default, nothing to do
diff --git a/nodepool/elements/infra-package-needs/pre-install.d/00-gentoo-useflags b/nodepool/elements/infra-package-needs/pre-install.d/00-gentoo-useflags
new file mode 100755
index 0000000000..3094408f52
--- /dev/null
+++ b/nodepool/elements/infra-package-needs/pre-install.d/00-gentoo-useflags
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
+    set -x
+fi
+set -eu
+set -o pipefail
+
+# needed for unbound
+if [ "${DISTRO_NAME}" == "gentoo" ]; then
+    mkdir -p /etc/portage/package.use
+    echo "dev-libs/openssl static-libs -bindist" >> /etc/portage/package.use/openssl
+    echo "net-misc/openssh -bindist" >> /etc/portage/package.use/openssh
+    echo "sys-libs/zlib static-libs" >> /etc/portage/package.use/zlib
+fi
diff --git a/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave b/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave
index 955870fa1e..1c133750b1 100755
--- a/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave
+++ b/nodepool/elements/jenkins-slave/install.d/20-jenkins-slave
@@ -33,7 +33,7 @@ if [ ! -f $_pub_key ]; then
     die "Can not find Jenkins public key!"
 fi
 
-mkdir /home/jenkins/.ssh
+mkdir -p /home/jenkins/.ssh
 chmod 700 /home/jenkins/.ssh
 
 cp $_pub_key /home/jenkins/.ssh/authorized_keys
diff --git a/nodepool/elements/nodepool-base/finalise.d/89-unbound b/nodepool/elements/nodepool-base/finalise.d/89-unbound
index c22c3c6ec0..730f75cf51 100755
--- a/nodepool/elements/nodepool-base/finalise.d/89-unbound
+++ b/nodepool/elements/nodepool-base/finalise.d/89-unbound
@@ -53,6 +53,10 @@ echo "$UNBOUND_LOGGING_CONF" > /tmp/unbound-logging.conf
 
 if [[ "$DISTRO_NAME" =~ (centos|fedora|opensuse) ]] ; then
     UNBOUND_CONFD=/etc/unbound/conf.d
+elif [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
+    UNBOUND_CONFD=/etc/unbound/conf.d
+    mkdir -p $UNBOUND_CONFD
+    echo "include: \"$UNBOUND_CONFD\"" >> /etc/unbound/unbound.conf
 else
     UNBOUND_CONFD=/etc/unbound/unbound.conf.d
 fi
@@ -67,6 +71,8 @@ chmod 0644 /var/log/unbound.log
 
 if [[ "$DISTRO_NAME" =~ (opensuse) ]] ; then
     rclocal=/etc/init.d/boot.local
+elif [[ "${DISTRO_NAME}" =~ "gentoo" ]]; then
+    rclocal=/etc/local.d/unbound.start
 else
     # You'd think rc.local would be simple ...
     #
@@ -147,7 +153,7 @@ fi
 dhcp_file=''
 if [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
     dhcp_file=/etc/dhcp/dhclient-eth0.conf
-elif [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
+elif [[ "$DISTRO_NAME" =~ (debian|ubuntu|gentoo) ]] ; then
     dhcp_file=/etc/dhcp/dhclient.conf
 fi
 if [ -n "$dhcp_file" ] ; then
@@ -170,7 +176,7 @@ case "$DIB_INIT_SYSTEM" in
         systemctl enable unbound.service
         ;;
     openrc)
-        # let dib-init-system's postinstall handle enabling init scripts
+        rc-update add unbound default
         ;;
     sysv)
         # nothing to do
diff --git a/nodepool/elements/nodepool-base/install.d/20-iptables b/nodepool/elements/nodepool-base/install.d/20-iptables
index 562bfea25f..8ff049a765 100755
--- a/nodepool/elements/nodepool-base/install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/install.d/20-iptables
@@ -32,6 +32,10 @@ elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
     rules_dir=/etc/sysconfig
     ipv4_rules=${rules_dir}/iptables
     ipv6_rules=${rules_dir}/ip6tables
+elif [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
+    rules_dir=/var/lib/iptables  # not needed, part of the package install
+    ipv4_rules=/var/lib/iptables/rules-save
+    ipv6_rules=/var/lib/ip6tables/rules-save
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1
@@ -96,5 +100,9 @@ fw_custom_after_finished() {
     /usr/sbin/ip6tables-restore $ipv6_rules
 }
 EOF
-
+fi
+
+if [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
+    /sbin/iptables-restore $ipv4_rules
+    /sbin/ip6tables-restore $ipv6_rules
 fi
diff --git a/nodepool/elements/nodepool-base/post-install.d/20-iptables b/nodepool/elements/nodepool-base/post-install.d/20-iptables
index 1b65e08a6d..db5cd4bccf 100755
--- a/nodepool/elements/nodepool-base/post-install.d/20-iptables
+++ b/nodepool/elements/nodepool-base/post-install.d/20-iptables
@@ -30,6 +30,10 @@ elif [[ "$DISTRO_NAME" =~ (centos|fedora) ]] ; then
     service_name=iptables
 elif [[ "$DISTRO_NAME" == 'opensuse' ]] ; then
     service_name=SuSEfirewall2
+elif [[ "$DISTRO_NAME" == 'gentoo' ]] ; then
+    service_name=iptables  # for systemd
+    service_name1=iptables  # for openrc
+    service_name2=ip6tables  # for openrc
 else
     echo "Unsupported operating system $DISTRO_NAME"
     exit 1
@@ -45,6 +49,10 @@ case "$DIB_INIT_SYSTEM" in
             systemctl enable ip6tables.service
         fi
         ;;
+    openrc)
+        rc-update add ${service_name1} default
+        rc-update add ${service_name2} default
+        ;;
     *)
         echo "Unsupported init system $DIB_INIT_SYSTEM"
         exit 1
diff --git a/nodepool/elements/zuul-worker/install.d/60-zuul-worker b/nodepool/elements/zuul-worker/install.d/60-zuul-worker
index a436c9da24..b6e5afbbe0 100755
--- a/nodepool/elements/zuul-worker/install.d/60-zuul-worker
+++ b/nodepool/elements/zuul-worker/install.d/60-zuul-worker
@@ -30,7 +30,7 @@ if [ ! -f $_pub_key ]; then
     die "Can not find Zuul public key!"
 fi
 
-mkdir /home/zuul/.ssh
+mkdir -p /home/zuul/.ssh
 chmod 700 /home/zuul/.ssh
 cp $_pub_key /home/zuul/.ssh/authorized_keys
 
diff --git a/nodepool/nl02.openstack.org.yaml b/nodepool/nl02.openstack.org.yaml
index bd99331e42..d774d41c8f 100644
--- a/nodepool/nl02.openstack.org.yaml
+++ b/nodepool/nl02.openstack.org.yaml
@@ -518,6 +518,26 @@ diskimages:
       DIB_IMAGE_CACHE: /opt/dib_cache
       QEMU_IMG_OPTIONS: compat=0.10
       DIB_GRUB_TIMEOUT: '0'
+  - name: gentoo
+    elements:
+      - gentoo
+      - vm
+      - simple-init
+      - openstack-repos
+      - nodepool-base
+      - growroot
+      - infra-package-needs
+    env-vars:
+      TMPDIR: /opt/dib_tmp
+      DIB_CHECKSUM: '1'
+      DIB_IMAGE_CACHE: /opt/dib_cache
+      QEMU_IMG_OPTIONS: compat=0.10
+      DIB_GRUB_TIMEOUT: '0'
+      GENTOO_PORTAGE_CLEANUP: 'True'
+      DIB_INSTALLTYPE_pip_and_virtualenv: 'package'
+      DIB_INSTALLTYPE_simple_init: 'repo'
+      GENTOO_PYTHON_TARGETS: 'python2_7 python3_5'
+      GENTOO_PYTHON_ACTIVE_VERSION: python3.5
   - name: opensuse-423
     elements:
       - opensuse-minimal