https://wiki.archlinux.org/api.php?action=feedcontributions&user=Beej&feedformat=atomArchWiki - User contributions [en]2024-03-28T16:58:15ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=PulseAudio/Troubleshooting&diff=569962PulseAudio/Troubleshooting2019-03-28T04:26:09Z<p>Beej: case where removing ignore_dB=1 fixes volume issues</p>
<hr />
<div>[[Category:Sound]]<br />
[[it:PulseAudio/Troubleshooting]]<br />
[[ja:PulseAudio/トラブルシューティング]]<br />
[[ru:PulseAudio/Troubleshooting]]<br />
See [[PulseAudio]] for the main article.<br />
<br />
== Volume ==<br />
<br />
Here you will find some hints on volume issues and why you may not hear anything.<br />
<br />
=== Auto-Mute Mode ===<br />
<br />
Auto-Mute Mode may be enabled. It can be disabled using {{ic|alsamixer}}.<br />
<br />
See http://superuser.com/questions/431079/how-to-disable-auto-mute-mode for more.<br />
<br />
To save your current settings as the default options, run {{ic|alsactl store}} as root.<br />
<br />
=== Muted audio device ===<br />
<br />
If one experiences no audio output via any means while using [[ALSA]], attempt to unmute the sound card. To do this, launch {{ic|alsamixer}} and make sure each column has a green {{ic|00}} under it (this can be toggled by pressing {{ic|m}}):<br />
<br />
$ alsamixer -c 0<br />
<br />
{{Note|alsamixer will not tell you which output device is set as the default. One possible cause of no sound after install is that PulseAudio detects the wrong output device as a default. Install {{Pkg|pavucontrol}} and check if there is any output on the pavucontrol panel when playing a ''.wav'' file.}}<br />
<br />
=== Output stuck muted while Master is toggled ===<br />
<br />
In setups with multiple outputs (e.g. 'Headphone' and 'Speaker') using plain amixer to toggle Master can trigger PulseAudio to mute the active output too, but it does not necessarily unmute it when Master is toggled back to be unmuted. [https://lists.freedesktop.org/archives/pulseaudio-discuss/2015-December/025062.html] To resolve this, amixer must have the device flag set to 'pulse':<br />
<br />
$ amixer -D pulse sset Master toggle<br />
<br />
This will cause amixer to ask PulseAudio to do the toggling rather than toggling it directly.<br />
Because of this, PulseAudio will correctly unmute Master as well as any applicable output.<br />
<br />
=== Muted application ===<br />
<br />
If a specific application is muted or low while all else seems to be in order, it may be due to individual {{ic|sink-input}} settings. With the offending application playing audio, run:<br />
<br />
$ pacmd list-sink-inputs<br />
<br />
Find and make note of the {{ic|index}} of the corresponding {{ic|sink input}}. The {{ic|properties:}} {{ic|application.name}} and {{ic|application.process.binary}}, among others, should help here. Ensure sane settings are present, specifically those of {{ic|muted}} and {{ic|volume}}.<br />
If the sink is muted, it can be unmuted by:<br />
<br />
$ pacmd set-sink-input-mute <index> false<br />
<br />
If the volume needs adjusting, it can be set to 100% by:<br />
<br />
$ pacmd set-sink-input-volume <index> 0x10000<br />
<br />
{{Note|If {{ic|pacmd}} reports {{ic|0 sink input(s)}}, double-check that the application is playing audio. If it is still absent, verify that other applications show up as sink inputs.}}<br />
<br />
=== Volume adjustment does not work properly ===<br />
<br />
Check {{ic|/usr/share/pulseaudio/alsa-mixer/paths/analog-output.conf.common}}.<br />
<br />
If the volume does not appear to increment/decrement properly using {{ic|alsamixer}} or {{ic|amixer}}, it may be due to PulseAudio having a larger number of increments (65537 to be exact). Try using larger values when changing volume (e.g. {{ic|amixer set Master 655+}}).<br />
<br />
=== Per-application volumes change when the Master volume is adjusted ===<br />
<br />
This is because PulseAudio uses flat volumes by default, instead of relative volumes, relative to an absolute master volume. If this is found to be inconvenient, asinine, or otherwise undesireable, relative volumes can be enabled by disabling flat volumes in the PulseAudio daemon's configuration file:<br />
<br />
{{hc|/etc/pulse/daemon.conf or ~/.config/pulse/daemon.conf|2=<br />
flat-volumes = no<br />
}}<br />
<br />
and then restarting PulseAudio by executing<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
=== Volume gets louder every time a new application is started ===<br />
<br />
Per default, it seems as if changing the volume in an application sets the global system volume to that level instead of only affecting the respective application. Applications setting their volume on startup will therefore cause the system volume to "jump".<br />
<br />
Fix this by disabling flat volumes, as demonstrated in the previous section. When Pulse comes back after a few seconds, applications will not alter the global system volume anymore but have their own volume level again.<br />
<br />
{{Note|A previously installed and removed pulseaudio-equalizer may leave behind remnants of the setup in {{ic|~/.config/pulse/default.pa}} or {{ic|~/.pulse/default.pa}} which can also cause maximized volume trouble. Comment that out as needed.}}<br />
<br />
=== Sound output is only mono on M-Audio Audiophile 2496 sound card ===<br />
<br />
Add the following:<br />
<br />
{{hc|/etc/pulseaudio/default.pa|2=<br />
load-module module-alsa-sink sink_name=delta_out device=hw:M2496 format=s24le channels=10 channel_map=left,right,aux0,aux1,aux2,aux3,aux4,aux5,aux6,aux7<br />
load-module module-alsa-source source_name=delta_in device=hw:M2496 format=s24le channels=12 channel_map=left,right,aux0,aux1,aux2,aux3,aux4,aux5,aux6,aux7,aux8,aux9<br />
set-default-sink delta_out<br />
set-default-source delta_in<br />
}}<br />
<br />
=== No sound below a volume cutoff ===<br />
<br />
Known issue (will not fix): https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/223133<br />
<br />
If sound does not play when PulseAudio's volume is set below a certain level, try setting {{ic|1=ignore_dB=1}} in {{ic|/etc/pulse/default.pa}}:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-udev-detect ignore_dB=1<br />
}}<br />
<br />
However, be aware that it may cause another bug preventing PulseAudio to unmute speakers when headphones or other audio devices are unplugged.<br />
<br />
=== Low volume for internal microphone ===<br />
<br />
If you experience low volume on internal notebook microphone, try setting:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
set-source-volume 1 300000<br />
}}<br />
<br />
=== Clients alter master output volume (a.k.a. volume jumps to 100% after running application) ===<br />
<br />
If changing the volume in specific applications or simply running an application changes the master output volume this is likely due to flat volumes mode of pulseaudio. Before disabling it, KDE users should try lowering their system notifications volume in ''System Settings -> Application and System Notifications -> Manage Notifications'' under the ''Player Settings'' tab to something reasonable. Changing the ''Event Sounds'' volume in KMix or another volume mixer application will not help here. This should make the flat-volumes mode work out as intended, if it does not work, some other application is likely requesting 100% volume when its playing something. If all else fails, you can try to disable flat-volumes:<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
flat-volumes = no<br />
}}<br />
<br />
Then restart PulseAudio daemon:<br />
<br />
# pulseaudio -k<br />
# pulseaudio --start<br />
<br />
=== No sound after resume from suspend ===<br />
<br />
If audio generally works, but stops after resume from suspend, try "reloading" PulseAudio by executing:<br />
<br />
$ /usr/bin/pasuspender /bin/true<br />
<br />
This is better than completely killing and restarting it ({{ic|pulseaudio -k}} followed by {{ic|pulseaudio --start}}), because it does not break already running applications.<br />
<br />
If the above fixes your problem, you may wish to automate it, by creating a systemd service file.<br />
<br />
1. Create the template service file in {{ic|/etc/systemd/system/resume-fix-pulseaudio@.service}}:<br />
<br />
[Unit]<br />
Description=Fix PulseAudio after resume from suspend<br />
After=suspend.target<br />
<br />
[Service]<br />
User=%I<br />
Type=oneshot<br />
Environment="XDG_RUNTIME_DIR=/run/user/%U"<br />
ExecStart=/usr/bin/pasuspender /bin/true<br />
<br />
[Install]<br />
WantedBy=suspend.target<br />
<br />
2. Enable it for your user account<br />
<br />
# systemctl enable resume-fix-pulseaudio@''YOUR_USERNAME_HERE''.service<br />
<br />
3. Reload systemd<br />
<br />
# systemctl --system daemon-reload<br />
<br />
=== ALSA channels mute when headphones are plugged/unplugged improperly ===<br />
<br />
If when you unplug your headphones or plug them in the audio remains muted in alsamixer on the wrong channel due to it being set to 0%, you may be able to fix it by opening {{ic|/etc/pulse/default.pa}} and commenting out the line:<br />
<br />
load-module module-switch-on-port-available<br />
<br />
=== Volume resets to 50% every few seconds ===<br />
<br />
Install {{Pkg|alsa-tools}} and use:<br />
<br />
$ hdajackretask<br />
<br />
Set "Not Connected" to everything but the ports you are using. It seems the other unused audio ports on the motherboard interfere with the used ones.<br />
Then if you want use the Boot Override to save this change between reboots. There is a possibility it is the Front Green Headphone that is causing the bug, if you need it override the Front Microphone to Headphone and the Front Green Headphone to "Not Connected" and use the Front Microphone port as your headphone port.<br />
<br />
More info about this problem: [https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1585084].<br />
<br />
=== Volume low/too quiet on analog headphones/speakers ===<br />
<br />
If you added the {{ic|1=ignore_dB=1}} option earlier to the {{ic|load-module module-udev-detect}} line in your {{ic|/etc/pulse/default.pa}}, try removing it.<br />
<br />
== Microphone ==<br />
<br />
=== Microphone not detected by PulseAudio ===<br />
<br />
Determine the card and device number of your mic:<br />
<br />
{{hc|$ arecord -l|<br />
**** List of CAPTURE Hardware Devices ****<br />
card 0: PCH [HDA Intel PCH], device 0: ALC269VC Analog [ALC269VC Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
}}<br />
<br />
In {{ic|hw:''CARD'',''DEVICE''}} notation, you would specify the above device as {{ic|hw:0,0}}.<br />
<br />
Then, edit {{ic|/etc/pulse/default.pa}} and insert a {{ic|load-module}} line specifying your device as follows:<br />
<br />
load-module module-alsa-source device=hw:0,0<br />
# the line above should be somewhere before the line below<br />
.ifexists module-udev-detect.so<br />
<br />
Finally, restart pulseaudio to apply the new settings:<br />
<br />
$ pulseaudio -k ; pulseaudio -D<br />
<br />
If everything worked correctly, you should now see your mic show up when running {{ic|pavucontrol}} (under the {{ic|Input Devices}} tab).<br />
<br />
=== PulseAudio uses wrong microphone ===<br />
<br />
If PulseAudio uses the wrong microphone, and changing the Input Device with Pavucontrol did not help, take a look at alsamixer. It seems that Pavucontrol does not always set the input source correctly.<br />
<br />
$ alsamixer<br />
<br />
Press {{ic|F6}} and choose your sound card, e.g. HDA Intel. Now press {{ic|F5}} to display all items. Try to find the item: {{ic|Input Source}}. With the up/down arrow keys you are able to change the input source.<br />
<br />
Now try if the correct microphone is used for recording.<br />
<br />
=== No microphone on ThinkPad T400/T500/T420 ===<br />
<br />
Run:<br />
<br />
$ alsamixer -c 0<br />
<br />
Unmute and maximize the volume of the "Internal Mic".<br />
<br />
Once you see the device with:<br />
<br />
$ arecord -l<br />
<br />
you might still need to adjust the settings. The microphone and the audio jack are duplexed. Set the configuration of the internal audio in pavucontrol to ''Analog Stereo Duplex''.<br />
<br />
=== No microphone input on Acer Aspire One ===<br />
<br />
Install pavucontrol, unlink the microphone channels and turn down the left one to 0.<br />
<br />
=== Static noise in microphone recording ===<br />
<br />
If we are getting static noise in Skype, gnome-sound-recorder, arecord, etc.'s recordings, then the sound card sample rate is incorrect. That is why there is static noise in Linux microphone recordings. To fix this, we need to set the sampling rate in {{ic|/etc/pulse/daemon.conf}} for the sound hardware.<br />
<br />
In addition to the guide below, since [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/11.0/ PulseAudio 11] it is possible to set {{ic|1=avoid-resampling = yes}} in [[PulseAudio#daemon.conf|daemon.conf]].<br />
<br />
==== Determine sound cards in the system (1/5) ====<br />
<br />
This requires {{Pkg|alsa-utils}} and related packages to be installed:<br />
<br />
{{hc|$ arecord --list-devices|<br />
**** List of CAPTURE Hardware Devices ****<br />
card 0: Intel [HDA Intel], device 0: ALC888 Analog [ALC888 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 2: ALC888 Analog [ALC888 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
}}<br />
<br />
The sound card is {{ic|hw:''x'',''y''}} where {{ic|''x''}} is the card number and {{ic|''y''}} is the device number. In the above example, it is {{ic|hw:0,0}}.<br />
<br />
==== Determine sampling rate of the sound card (2/5) ====<br />
<br />
We aim to find the highest sample rate supported by the {{ic|hw:0,0}} sound card using a ''trial-and-error'' procedure starting from a low value. When the top value is reached, we got a warning message:<br />
<br />
{{hc|1=arecord -f dat -r 60000 -D hw:0,0 -d 5 test.wav|2=<br />
"Recording WAVE 'test.wav' : Signed 16 bit Little Endian, Rate 60000 Hz, Stereo<br />
Warning: rate is not accurate (requested = 60000Hz, '''got = 44100Hz''')<br />
please, try the plug plugin<br />
}}<br />
<br />
observe, the {{ic|1=got = 44100Hz}}. This is the maximum sampling rate of our card.<br />
<br />
==== Setting the sound card's sampling rate into PulseAudio configuration (3/5) ====<br />
<br />
The default sampling rate in PulseAudio:<br />
<br />
{{hc|1=$ grep "default-sample-rate" /etc/pulse/daemon.conf|2=<br />
; default-sample-rate = 48000<br />
}}<br />
<br />
{{ic|48000}} is disabled and needs to be changed to {{ic|44100}}:<br />
<br />
# sed 's/; default-sample-rate = 48000/default-sample-rate = 44100/g' -i /etc/pulse/daemon.conf<br />
<br />
==== Restart PulseAudio to apply the new settings (4/5) ====<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
==== Finally check by recording and playing it back (5/5) ====<br />
<br />
Let us record some voice using a microphone for, say, 10 seconds. Make sure the microphone is not muted and all<br />
<br />
$ arecord -f cd -d 10 test-mic.wav<br />
<br />
After 10 seconds, let us play the recording...<br />
<br />
$ aplay test-mic.wav<br />
<br />
Now hopefully, there is no static noise in microphone recording anymore.<br />
<br />
==== Another Possible Cause ====<br />
<br />
Another possible cause is that your mic has two channels but only one channel can provide a valid sound signal. Some information can be found [https://github.com/MaartenBaert/ssr/issues/323#issuecomment-268230548 here]. The solution is to remap the stereo input to a mono input:<br />
<br />
1. Find your source name from the following command; mine is {{ic|alsa_input.pci-0000_00_1f.3.analog-stereo}}<br />
<br />
pacmd list-sources | grep 'name:.*input'<br />
<br />
2. Edit {{ic|/etc/pulse/default.pa}} and add the following lines, where INPUT_NAME is name of the input source from above step:<br />
<br />
load-module module-remap-source source_name=record_mono master=INPUT_NAME master_channel_map=front-left channel_map=mono<br />
set-default-source record_mono<br />
<br />
3. Restart PulseAudio:<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
Now {{ic|arecord}} hopefully works. You may still need to change the {{ic|RecordStream from}} setting to {{ic|Remapped Built-in Audio Analog Stereo}} of a specific application in the {{ic|Recording}} tab of {{ic|pavucontrol}}.<br />
<br />
==== If using a USB microphone ====<br />
<br />
Try plugging it into a different port (eg: ports at the back rather than front).<br />
<br />
=== No microphone on Steam or Skype with enable-remixing = no ===<br />
<br />
When you set {{ic|1=enable-remixing = no}} on {{ic|/etc/pulse/daemon.conf}} you may find that your microphone has stopped working on certain applications like Skype or Steam. This happens because these applications capture the microphone as mono only and because remixing is disabled, Pulseaudio will no longer remix your stereo microphone to mono.<br />
<br />
To fix this you need to tell Pulseaudio to do this for you:<br />
<br />
1. Find the name of the source <br />
<br />
# pacmd list-sources<br />
<br />
Example output edited for brevity, the name you need is in bold:<br />
<br />
index: 2<br />
name: <'''alsa_input.pci-0000_00_14.2.analog-stereo'''><br />
driver: <module-alsa-card.c><br />
flags: HARDWARE HW_MUTE_CTRL HW_VOLUME_CTRL DECIBEL_VOLUME LATENCY DYNAMIC_LATENCY<br />
<br />
2. Add a remap rule to {{ic|/etc/pulse/default.pa}}, use the name you found with the previous command, here we will use '''alsa_input.pci-0000_00_14.2.analog-stereo''' as an example:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
### Remap microphone to mono<br />
load-module module-remap-source master=alsa_input.pci-0000_00_14.2.analog-stereo master_channel_map=front-left,front-right channels=2 channel_map=mono,mono<br />
}}<br />
<br />
3. Restart Pulseaudio<br />
<br />
# pulseaudio -k<br />
<br />
{{Note|Pulseaudio may fail to start if you do not exit a program that was using the microphone (e.g. if you tested on Steam before modifying the file), in which case you should exit the application and manually start Pulseaudio}}<br />
<br />
# pulseaudio --start<br />
<br />
=== Microphone distorted due to automatic adjustment ===<br />
If your microphone volume creeps up automatically and causes the sound to be distorted, you can fix it by disabling mic boost:<br />
<br />
In {{ic|/usr/share/pulseaudio/alsa-mixer/paths/analog-input-internal-mic.conf}} and {{ic|/usr/share/pulseaudio/alsa-mixer/paths/analog-input-mic.conf}},<br />
<br />
* Under {{ic|[Element Internal Mic Boost]}} set {{ic|volume}} to {{ic|zero}}.<br />
* Under {{ic|[Element Int Mic Boost]}} set {{ic|volume}} to {{ic|zero}}.<br />
* Under {{ic|[Element Mic Boost]}} set {{ic|volume}} to {{ic|zero}}.<br />
<br />
Then restart PulseAudio:<br />
<br />
# pulseaudio -k<br />
<br />
=== Microphone crackling with Realtek ALC892 ===<br />
<br />
Sometimes ALC892 chips have crackling sound while recording using a microphone. Some Pulseaudio config changes may help:<br />
<br />
{{hc|/etc/pulse/daemon.conf|output=<br />
resample-method = src-sinc-best-quality<br />
default-sample-format = s16le<br />
default-sample-rate = 48000<br />
}}<br />
<br />
and add the {{ic|use_ucm}} option to<br />
<br />
{{hc|/etc/pulse/default.pa|output=<br />
load-module module-udev-detect use_ucm=0 tsched=0<br />
}}<br />
<br />
then restart pulseaudio.<br />
<br />
=== Microphone crackling with Azalia chipsets ===<br />
<br />
Some Azalia based chips have popping/crackling noise and distortion while recording using a microphone with PulseAudio. This can be fixed by loading the {{ic|snd-hda-intel}} module with {{ic|position_fix}} set to an appropriate value. This tells the module to use various DMA pointer fixes. Use trial and error to determine which value works for you. ([https://wiki.sabayon.org/index.php?title=HOWTO:_Resolve_Problems_with_HDA-Intel_Sound_Cards source])<br />
<br />
Create a new {{ic|modprobe.d}} config:<br />
<br />
{{hc|/etc/modprobe.d/azalia-microphone.conf|output=<br />
options snd-hda-intel position_fix=1<br />
}}<br />
<br />
Valid values for {{ic|position_fix}} are:<br />
* {{ic|0}} = Auto<br />
* {{ic|1}} = None<br />
* {{ic|2}} = POSBUF<br />
* {{ic|3}} = FIFO size<br />
<br />
then reload your modules.<br />
<br />
=== Echo test ===<br />
<br />
If you are unsure about your microphone setup, you can hear the input from the microphone in real-time by enabling the [https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/Modules/#index57h3 loopback module] ([https://answers.launchpad.net/ubuntu/+source/pulseaudio/+question/83742 source]):<br />
<br />
$ pactl load-module module-loopback<br />
<br />
The module will show up in the '''Recording''' tab of the {{Pkg|pavucontrol}} program, where the source and volume can be configured. While latency should be low, it should be sufficient to get a feeling of the sound quality as you will hear yourself speak in the microphone. To make the change permanent, add the following pulseaudio configuration:<br />
<br />
{{hc|/etc/pulse/default.pa|output=<br />
load-module module-loopback<br />
}}<br />
<br />
Watch out for feedback! Be ready to lower all volumes in case the microphone picks up the output from the loudspeakers. Naturally, it is better to run such a test with headphones.<br />
<br />
== Audio quality ==<br />
<br />
=== Enable Echo/Noise-Cancellation ===<br />
<br />
Arch does not load the Pulseaudio Echo-Cancellation module by default, therefore, we have to add it in {{ic|/etc/pulse/default.pa}}. First you can test if the module is present with {{ic|pacmd}} and entering {{ic|list-modules}}. If you cannot find a line showing {{ic|name: <module-echo-cancel>}} you have to add <br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
### Enable Echo/Noise-Cancellation<br />
load-module module-echo-cancel use_master_format=1 aec_method=webrtc aec_args="analog_gain_control=0 digital_gain_control=1" source_name=echoCancel_source sink_name=echoCancel_sink<br />
set-default-source echoCancel_source<br />
set-default-sink echoCancel_sink<br />
}}<br />
<br />
then restart Pulseaudio<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
and check if the module is activated by starting {{ic|pavucontrol}}. Under {{ic|Recording}} the input device should show {{ic|Echo-Cancel Source Stream from"}}.<br />
<br />
If you want existing streams to be automatically moved to the new sink and source, you have to load the [[#Automatically switch to Bluetooth or USB headset|module-switch-on-connect]] with {{ic|1=ignore_virtual=no}} before.<br />
<br />
{{Note|1=If you plug in a USB sound card or headset, or you have for example a 5.1 Speaker configuration and plug in a headset on your front audio connectors after you have loaded the {{ic|module-echo-cancel}}, you have to manually unload and load the {{ic|module-echo-cancel}} again, because unfortunately there is no way to tell the module that it should automatically switch to the new default 'source_master' and 'source_sink'. See [https://gitlab.freedesktop.org/pulseaudio/pulseaudio/issues/196].}}<br />
<br />
==== Possible 'aec_args' for 'aec_method=webrtc' ====<br />
<br />
Here is a list of possible 'aec_args' for 'aec_method=webrtc' with their default values [https://github.com/pulseaudio/pulseaudio/blob/master/src/modules/echo-cancel/webrtc.cc][https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/Modules/#index45h3]:<br />
<br />
* {{ic|1=analog_gain_control=1}} - Analog AGC - 'Automatic Gain Control' done over changing the volume directly - Will most likely lead to [[#Microphone distorted due to automatic adjustment|distortions]].<br />
* {{ic|1=digital_gain_control=0}} - Digital AGC - 'Automatic Gain Control' done in post processing (higher CPU load).<br />
* {{ic|1=experimental_agc=0}} - Allow enabling of the webrtc experimental AGC mechanism.<br />
* {{ic|1=agc_start_volume=85}} - Initial volume when using AGC - Possible values 0-255 - A too low initial volume may prevent the AGC algorithm from ever raising the volume high enough [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/9.0/].<br />
* {{ic|1=high_pass_filter=1}} - ?<br />
* {{ic|1=noise_suppression=1}} - Noise suppression.<br />
* {{ic|1=voice_detection=1}} - VAD - Voice activity detection.<br />
* {{ic|1=extended_filter=0}} - The extended filter is more complex and less sensitive to incorrect delay reporting from the hardware than the regular filter. The extended filter mode is disabled by default, because it seemed produce worse results during double-talk [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/9.0/].<br />
* {{ic|1=intelligibility_enhancer=0}} - Some bits for webrtc intelligibility enhancer.<br />
* {{ic|1=drift_compensation=0}} - Drift compensation to allow echo cancellation between different devices (such as speakers on your laptop and the microphone on your USB webcam). - only possible with "mobile=0".<br />
* {{ic|1=beamforming=0}} - See [https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/Modules/#index45h3][https://arunraghavan.net/2016/06/beamforming-in-pulseaudio/]<br />
** {{ic|1=mic_geometry=x1,y1,z1,x2,y2,z2}} - Only with "beamforming=1".<br />
** {{ic|1=target_direction=a,e,r}} - Only with "beamforming=1".<br />
* {{ic|1=mobile=0}} - ?<br />
** {{ic|1=routing_mode=speakerphone}} - Possible Values "quiet-earpiece-or-headset,earpiece,loud-earpiece,speakerphone,loud-speakerphone" - only valid with "mobile=1".<br />
** {{ic|1=comfort_noise=1}} - ? - only valid with "mobile=1".<br />
<br />
==== Disable audio post processing in certain applications ====<br />
<br />
If you are using the [[#Enable Echo/Noise-Cancellation|module-echo-cancel]], you probably do not want other applications to do additional audio post processing. Here is a list for disabling audio post processing in following applications:<br />
<br />
* Mumble:<br />
*# Configure -> Settings -> Check 'Advanced' check box -> Audio Input<br />
*# Echo: Select 'Disabled'<br />
*# Noise Suppression: Set slider to 'Off'<br />
*# Max. Aplification: Set slider to '1.0'<br />
* TeamSpeak:<br />
*# Tools -> Options -> Check 'Advanced Options' check box<br />
*# Uncheck: 'Echo reduction', 'Echo cancellation', 'Remove background noise' and 'Automatic voice gain control'<br />
* Firefox: see [[Firefox tweaks#Disable WebRTC audio post processing]]<br />
* Steam:<br />
*# In window "Friends List" -> Manage friends list settings (gear symbol) -> VOICE -> Show Advanced Settings<br />
*# Set the following sliders to "OFF": "Echo cancellation", "Noise cancellation", "Automatic volume/gain control"<br />
* Skype:<br />
*# Tools -> Settings... -> Audio & Video -> Microphone -> Automatically adjust microphone settings -> off<br />
<br />
==== Script for reloading module-echo-cancel ====<br />
<br />
Since the module-echo-cancel is not always needed, or must be reloaded if the source_master or sink_master has changed, it is nice to have a easy way to load or reload the module-echo-cancel.<br />
<br />
[[Create]] the following script and make it [[executable]]:<br />
<br />
{{hc|echoCancelEnable.sh|<nowiki><br />
#!/bin/bash<br />
aecArgs="$*"<br />
# If no "aec_args" are passed on to the script, use this "aec_args" as default:<br />
[ -z "$aecArgs" ] && aecArgs="analog_gain_control=0 digital_gain_control=1"<br />
newSourceName="echoCancelSource"<br />
newSinkName="echoCancelSink"<br />
<br />
# "module-switch-on-connect" with "ignore_virtual=no" (needs PulseAudio 12 or higher) is needed to automatically move existing streams to a new (virtual) default source and sink.<br />
if ! pactl list modules short | grep "module-switch-on-connect.*ignore_virtual=no" >/dev/null 2>&1; then<br />
echo Load module \"module-switch-on-connect\" with \"ignore_virtual=no\"<br />
pactl unload-module module-switch-on-connect 2>/dev/null<br />
pactl load-module module-switch-on-connect ignore_virtual=no<br />
fi<br />
<br />
# Reload "module-echo-cancel"<br />
echo Reload \"module-echo-cancel\" with \"aec_args=$aecArgs\"<br />
pactl unload-module module-echo-cancel 2>/dev/null<br />
if pactl load-module module-echo-cancel use_master_format=1 aec_method=webrtc aec_args=\"$aecArgs\" source_name=$newSourceName sink_name=$newSinkName; then<br />
# Set a new default source and sink, if module-echo-cancel has loaded successfully.<br />
pacmd set-default-source $newSourceName<br />
pacmd set-default-sink $newSinkName<br />
fi<br />
</nowiki>}}<br />
<br />
To run the script easily from the graphical environment, you can create a [[desktop launcher]] for it.<br />
<br />
=== Glitches, skips or crackling ===<br />
<br />
The newer implementation of the PulseAudio sound server uses timer-based audio scheduling instead of the traditional, interrupt-driven approach. <br />
<br />
Timer-based scheduling may expose issues in some ALSA drivers. On the other hand, other drivers might be glitchy without it on, so check to see what works on your system. <br />
<br />
To turn timer-based scheduling off add {{ic|1=tsched=0}} in {{ic|/etc/pulse/default.pa}}:<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-udev-detect tsched=0<br />
}}<br />
<br />
Then restart the PulseAudio server:<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
Do the reverse to enable timer-based scheduling, if not already enabled by default.<br />
<br />
If you are using Intel's [[Wikipedia:IOMMU|IOMMU]] and experience glitches and/or skips, add {{ic|1=intel_iommu=igfx_off}} to your kernel command line.<br />
<br />
Some Intel audio cards using the {{ic|snd-hda-intel}} module need the otions {{ic|1=vid=8086 pid=8ca0 snoop=0}}. In order to set them permanently, create/modify the following file including the line below.<br />
<br />
{{hc|/etc/modprobe.d/sound.conf|2=<br />
options snd-hda-intel vid=8086 pid=8ca0 snoop=0<br />
}}<br />
<br />
Please report any such cards to [http://www.freedesktop.org/wiki/Software/PulseAudio/Backends/ALSA/BrokenDrivers/ PulseAudio Broken Sound Driver page]<br />
<br />
=== Static noise when using headphones ===<br />
<br />
If you are encountering static in your headphone jack, one possible culprit may be ALSA's loopback mixing. In addition to setting tsched=0 as documented above, it may be helpful to disable loopback mixing. This can be accomplished trivially with alsamixer, part of {{Pkg|alsa-utils}}. This should not impact audio playback or microphone recording negatively, unless you require loopback mixing.<br />
<br />
=== Setting the default fragment number and buffer size in PulseAudio ===<br />
<br />
{{Style|Copied from Linux mint topic with few additions}}<br />
<br />
==== Disabling timer-based scheduling (0/4) ====<br />
<br />
By default, PulseAudio uses timer-based scheduling. In this mode, fragments are not used at all, and so the default-fragments and default-fragment-size-msec parameters are ignored.<br />
To turn timer-based scheduling off add {{ic|1=tsched=0}} in {{ic|/etc/pulse/default.pa}}:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-udev-detect tsched=0<br />
}}<br />
<br />
==== Finding out your audio device parameters (1/4) ====<br />
<br />
To find out what your sound card buffering settings are, use the following command and scroll through the output until you find the correct sink entry.<br />
<br />
{{hc|$ pactl list sinks|2=<br />
Sink #1<br />
State: RUNNING<br />
Name: alsa_output.pci-0000_00_1b.0.analog-stereo<br />
Description: Built-in Audio Analog Stereo<br />
Driver: module-alsa-card.c<br />
Sample Specification: s16le 2ch 44100Hz<br />
Channel Map: front-left,front-right<br />
Owner Module: 7<br />
Mute: no<br />
Volume: front-left: 42600 / 65% / -11.22 dB, front-right: 42600 / 65% / -11.22 dB<br />
balance 0.00<br />
Base Volume: 65536 / 100% / 0.00 dB<br />
Monitor Source: alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
Latency: 70662 usec, configured 85000 usec<br />
Flags: HARDWARE HW_MUTE_CTRL HW_VOLUME_CTRL DECIBEL_VOLUME LATENCY <br />
Properties:<br />
alsa.resolution_bits = "16"<br />
device.api = "alsa"<br />
device.class = "sound"<br />
alsa.class = "generic"<br />
alsa.subclass = "generic-mix"<br />
alsa.name = "ALC283 Analog"<br />
alsa.id = "ALC283 Analog"<br />
alsa.subdevice = "0"<br />
alsa.subdevice_name = "subdevice #0"<br />
alsa.device = "0"<br />
alsa.card = "1"<br />
alsa.card_name = "HDA Intel PCH"<br />
alsa.long_card_name = "HDA Intel PCH at 0xe111c000 irq 43"<br />
alsa.driver_name = "snd_hda_intel"<br />
device.bus_path = "pci-0000:00:1b.0"<br />
sysfs.path = "/devices/pci0000:00/0000:00:1b.0/sound/card1"<br />
device.bus = "pci"<br />
device.vendor.id = "8086"<br />
device.vendor.name = "Intel Corporation"<br />
device.product.id = "9ca0"<br />
device.product.name = "Wildcat Point-LP High Definition Audio Controller"<br />
device.form_factor = "internal"<br />
device.string = "front:1"<br />
device.buffering.buffer_size = "352800"<br />
device.buffering.fragment_size = "176400"<br />
device.access_mode = "mmap+timer"<br />
device.profile.name = "analog-stereo"<br />
device.profile.description = "Analog Stereo"<br />
device.description = "Built-in Audio Analog Stereo"<br />
alsa.mixer_name = "Realtek ALC283"<br />
alsa.components = "HDA:10ec0283,10ec0283,00100003"<br />
module-udev-detect.discovered = "1"<br />
device.icon_name = "audio-card-pci"<br />
Ports:<br />
analog-output-speaker: Speakers (priority: 10000, not available)<br />
analog-output-headphones: Headphones (priority: 9000, available)<br />
Active Port: analog-output-headphones<br />
Formats:<br />
pcm<br />
...<br />
}}<br />
<br />
Take note the {{ic|buffer_size}} and {{ic|fragment_size}} values for the relevant sound card.<br />
<br />
==== Calculate your fragment size in msecs and number of fragments (2/4) ====<br />
<br />
PulseAudio's default sampling rate and bit depth are set to {{ic|44100Hz}} @ {{ic|16 bits}}.<br />
<br />
With this configuration, the bit rate we need is {{ic|44100}}*{{ic|16}} = {{ic|705600}} bits per second. That is {{ic|1411200 bps}} for stereo.<br />
<br />
Let us take a look at the parameters we have found in the previous step:<br />
<br />
device.buffering.buffer_size = "352800" => 352800/1411200 = 0.25 s = 250 ms<br />
device.buffering.fragment_size = "176400" => 176400/1411200 = 0.125 s = 125 ms<br />
<br />
==== Modify PulseAudio's configuration file (3/4) ====<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
; default-fragments = X<br />
; default-fragment-size-msec = Y<br />
}}<br />
<br />
In the previous step, we calculated the fragment size parameter.<br />
The number of fragments is simply buffer_size/fragment_size, which in this case ({{ic|250/125}}) is {{ic|2}}:<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
; default-fragments = '''2'''<br />
; default-fragment-size-msec = '''125'''<br />
}}<br />
<br />
==== Restart the PulseAudio daemon (4/4) ====<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
For more information, see: [http://forums.linuxmint.com/viewtopic.php?f=42&t=44862 Linux Mint topic]<br />
<br />
=== Choppy sound with analog surround sound setup ===<br />
<br />
The low-frequency effects (LFE) or Subwoofer channel is not remixed per default. To enable it the following needs to be set in {{ic|/etc/pulse/daemon.conf}} :<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
enable-lfe-remixing = yes<br />
}}<br />
<br />
You should also consider to set a proper crossover frequency for the LFE- channel.<br />
The crossover frequency is the frequency up to which the audio signal is rerouted to the LFE sink.<br />
The optimal crossover frequency in Hz depends on the size of all your speakers.<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
lfe-crossover-freq = <40-200><br />
}}<br />
<br />
=== Laggy sound ===<br />
<br />
This issue is due to incorrect buffer sizes. First verify that the variables {{ic|default-fragments}} and {{ic|default-fragment-size-msec}} are not being set to non default values in the file {{ic|/etc/pulse/daemon.conf}}. If the issue is still present, try setting them to the following values:<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
default-fragments = 5<br />
default-fragment-size-msec = 2<br />
}}<br />
<br />
=== Choppy/distorted sound ===<br />
<br />
This can result from an incorrectly set sample rate. Try the following setting:<br />
<br />
{{hc|/etc/pulse/daemon.conf|2=<br />
avoid-resampling = yes #(Needs [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/11.0/ PA11] or higher)<br />
default-sample-rate = 48000<br />
}}<br />
<br />
and restart the PulseAudio server.<br />
<br />
If one experiences choppy sound in applications using [[Wikipedia:OpenAL|OpenAL]], change the sample rate in {{ic|/etc/openal/alsoft.conf}}:<br />
<br />
{{hc|/etc/openal/alsoft.conf|2=<br />
frequency = 48000<br />
}}<br />
<br />
Setting the PCM volume above 0 dB can cause [[Wikipedia:Clipping_(audio)|clipping]]. Running {{ic|alsamixer}} will allow you to see if this is the problem and if so fix it. Note that ALSA may not [https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/PulseAudioStoleMyVolumes/ correctly export] the dB information to PulseAudio. Try the following:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-udev-detect ignore_dB=1<br />
}}<br />
<br />
and restart the PulseAudio server. See also [[#No sound below a volume cutoff]].<br />
<br />
=== Sound stuttering when streaming over network ===<br />
<br />
When streaming over Wi-Fi using module-native-protocol-tcp you can experience periodic sound stuttering with buffer underruns. As a workaround you can try to use rtp protocol. On sender side create rtp sink:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-null-sink sink_name=rtp<br />
load-module module-rtp-send source=rtp.monitor<br />
}}<br />
<br />
and switch to it:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
set-default-sink rtp<br />
}}<br />
<br />
On receiver side load rtp module:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-rtp-recv<br />
}}<br />
<br />
=== Pops when starting and stopping playback ===<br />
<br />
PulseAudio can suspend sinks after a period of inactivity. This can make an audible noise (like a crack/pop/scratch). Sometimes even when move the slider volume, or open and close windows (KDE4). This behavior is enabled in default configuration files:<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-suspend-on-idle<br />
}}<br />
<br />
{{hc|/etc/pulse/system.pa|2=<br />
load-module module-suspend-on-idle<br />
}}<br />
<br />
Commenting that line in relevant file fixes that issue. A better solution is to add the following file:<br />
<br />
{{hc|~/.config/pulse/default.pa|2=<br />
.include /etc/pulse/default.pa<br />
unload-module module-suspend-on-idle<br />
}}<br />
<br />
== Hardware and Cards ==<br />
<br />
=== No HDMI sound output after some time with the monitor turned off ===<br />
<br />
The monitor is connected via HDMI/DisplayPort, and the audio jack is plugged in the headphone jack of the monitor, but PulseAudio insists that it is unplugged:<br />
<br />
{{hc|pactl list sinks|<br />
...<br />
hdmi-output-0: HDMI / DisplayPort (priority: 5900, not available)<br />
...<br />
}}<br />
<br />
This leads to no sound coming from HDMI output. A workaround for this is to switch to another VT and back again. If that does not work, try: turn off your monitor, switch to another VT, turn on your monitor, and switch back. This problem has been reported by ATI/Nvidia/Intel users.<br />
<br />
Another workaround could be to disable the switch-on-port-available module by commenting it in /etc/pulse/default.pa [https://bugs.freedesktop.org/show_bug.cgi?id=93946#c36]:<br />
<br />
{{hc|/etc/pulse/default.pa|<br />
...<br />
### Should be after module-*-restore but before module-*-detect<br />
#load-module module-switch-on-port-available<br />
...<br />
}}<br />
<br />
=== No HDMI sound using a headless server ===<br />
<br />
You might want to use HDMI audio with your a/v receiver but no display. HDMI requires a video signal, which we have from the virtual terminal. <br />
<br />
By default, this signal is turned off after 600 seconds, thus the audio sink gets lost as well.<br />
<br />
To prevent screen blanking, add {{ic|consoleblank&#61;0}} to the kernel command line.<br />
<br />
=== No cards ===<br />
<br />
If PulseAudio starts, run {{ic|pacmd list}}. If no cards are reported, make sure that the ALSA devices are not in use:<br />
<br />
$ fuser -v /dev/snd/*<br />
$ fuser -v /dev/dsp<br />
<br />
Make sure any applications using the pcm or dsp files are shut down before restarting PulseAudio.<br />
<br />
=== Starting an application interrupts other app's sound ===<br />
<br />
If you have trouble with some applications (such as TeamSpeak or Mumble) interrupting sound output of already running applications (such as Deadbeaf), you can solve this by commenting out the line {{ic|load-module module-role-cork}} in {{ic|/etc/pulse/default.pa}} like shown below:<br />
<br />
{{hc|/etc/pulse/default.pa|<br />
### Cork music/video streams when a phone stream is active<br />
# load-module module-role-cork<br />
}}<br />
<br />
Then restart pulseaudo by using your normal user account with<br />
<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
=== The only device shown is "dummy output" or newly connected cards are not detected ===<br />
<br />
If the only playback device is the Dummy Output, PulseAudio cannot access your sound devices. It is possible there is an issue with logind giving permissions, see [[General troubleshooting#Session permissions]] for more information.<br />
<br />
An application might also not have been configured to work with PulseAudio. This happens with [[FluidSynth#Conflicting_with_PulseAudio|FluidSynth]] for example. To see which application is responsible for a direct access to the sound card via alsa, run the following command:<br />
<br />
# fuser -v /dev/snd/*<br />
<br />
Try to close these applications. pulseaudio, if running, should take again precedence over these applications and all the applications relying on pulseaudio should work again like expected.<br />
<br />
=== No HDMI 5/7.1 Selection for Device ===<br />
<br />
If you are unable to select 5/7.1 channel output for a working HDMI device, then turning off "stream device reading" in {{ic|/etc/pulse/default.pa}} might help. <br />
<br />
See [[#Fallback device is not respected]].<br />
<br />
=== Failed to create sink input: sink is suspended ===<br />
<br />
If you do not have any output sound and receive dozens of errors related to a suspended sink in your {{ic|journalctl -b}} log, then backup first and then delete your user-specific pulse folders:<br />
<br />
$ rm -r ~/.pulse ~/.pulse-cookie ~/.config/pulse<br />
<br />
=== Simultaneous output to multiple sound cards / devices ===<br />
<br />
Simultaneous output to two different devices can be very useful. For example, being able to send audio to your A/V receiver via your graphics card's HDMI output, while also sending the same audio through the analogue output of your motherboard's built-in audio. This is much less hassle than it used to be (in this example, we are using GNOME desktop).<br />
<br />
Using {{Pkg|paprefs}}, simply select "Add virtual output device for simultaneous output on all local sound cards" from under the "Simultaneous Output" tab. Then, under GNOME's "sound settings", select the simultaneous output you have just created.<br />
<br />
If this does not work, try adding the following to {{ic|~/.asoundrc}}:<br />
<br />
pcm.dsp {<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
<br />
{{Tip|Simultaneous output can also be achieved manually using alsamixer. Disable "auto mute" item, then unmute other output sources you want to hear and increase their volume.}}<br />
<br />
=== Simultaneous output to multiple sinks on the same sound card not working ===<br />
<br />
This can be useful for users who have multiple sound sources and want to play them on different sinks/outputs. <br />
An example use-case for this would be if you play music and also voice chat and want to output music to speakers (in this case Digital S/PDIF) and voice to headphones. (Analog)<br />
<br />
This is sometimes auto detected by PulseAudio but not always. If you know that your sound card can output to both Analog and S/PDIF at the same time and PulseAudio does not have this option in its profiles in pavucontrol, or veromix then you probably need to create a configuration file for your sound card.<br />
<br />
More in detail you need to create a profile-set for your specific sound card.<br />
This is done in two steps mostly.<br />
<br />
* Create udev rule to make PulseAudio choose your PulseAudio configuration file specific to the sound card.<br />
* Create the actual configuration.<br />
<br />
Create a pulseadio udev rule.<br />
<br />
{{Note|This is only an example for Asus Xonar Essence STX.<br />
Read [[udev]] to find out the correct values.}}<br />
<br />
{{Note|Your configuration file should have lower number than the original PulseAudio rule to take effect.}}<br />
<br />
{{hc|/usr/lib/udev/rules.d/90-pulseaudio-Xonar-STX.rules|<br />
ACTION&#61;&#61;"change", SUBSYSTEM&#61;&#61;"sound", KERNEL&#61;&#61;"card*", \<br />
ATTRS&#123;subsystem_vendor&#125;&#61;&#61;"0x1043", ATTRS&#123;subsystem_device&#125;&#61;&#61;"0x835c", ENV&#123;PULSE_PROFILE_SET&#125;&#61;"asus-xonar-essence-stx.conf" <br />
}}<br />
<br />
Now, create a configuration file. If you bother, you can start from scratch and make it saucy. However you can also use the default configuration file, rename it, and then add your profile there that you know works. Less pretty but also faster.<br />
<br />
To enable multiple sinks for Asus Xonar Essence STX you need only to add this in.<br />
<br />
{{Note|{{ic|asus-xonar-essence-stx.conf}} also includes all code/mappings from {{ic|default.conf}}.}}<br />
<br />
{{hc|/usr/share/pulseaudio/alsa-mixer/profile-sets/asus-xonar-essence-stx.conf|<br />
[Profile analog-stereo+iec958-stereo]<br />
description &#61; Analog Stereo Duplex + Digital Stereo Output<br />
input-mappings &#61; analog-stereo<br />
output-mappings &#61; analog-stereo iec958-stereo<br />
skip-probe &#61; yes<br />
}}<br />
<br />
This will auto-profile your Asus Xonar Essence STX with default profiles and add your own profile so you can have multiple sinks.<br />
<br />
You need to create another profile in the configuration file if you want to have the same functionality with AC3 Digital 5.1 output.<br />
<br />
[http://www.freedesktop.org/wiki/Software/PulseAudio/Backends/ALSA/Profiles/ See PulseAudio article about profiles]<br />
<br />
=== Some profiles like SPDIF are not enabled by default on the card ===<br />
<br />
Some profiles like IEC-958 (i.e. S/PDIF) may not be enabled by default on the selected sink. Each time the system starts up, the card profile is disabled and the pulseaudio daemon cannot select it.<br />
You have to add the profile selection to you default.pa file. <br />
Verify the card and profile name with :<br />
<br />
$ pacmd list-cards<br />
<br />
Then edit the config to add the profile<br />
<br />
{{hc|~/.config/pulse/default.pa|<br />
## Replace with your card name and the profile you want to activate<br />
set-card-profile alsa_card.pci-0000_00_1b.0 output:iec958-stereo+input:analog-stereo<br />
}}<br />
<br />
Pulse audio will add this profile the pool of available profiles<br />
<br />
=== Only S/PDIF output available ===<br />
<br />
This might happen if PulseAudio use the wrong output device. Firstly, set up proper card profile:<br />
<br />
$ pacmd set-card-profile alsa_card.pci-0000_00_1f.3 output:analog-stereo<br />
<br />
or<br />
<br />
$ pacmd set-card-profile alsa_card.pci-0000_00_1f.3 output:analog-stereo+input:analog-stereo<br />
<br />
Replace {{ic|alsa_card.pci-0000_00_1f.3}} with your card, and {{ic|output:analog-stereo}} or {{ic|output:analog-stereo+input:analog-stereo}} with your profile, remember to choose the profile with analog. Using shell auto completion could help you a lot. One could also use check available cards and profiles with:<br />
<br />
$ pacmd list-cards<br />
<br />
One might also need to set sink port by:<br />
<br />
$ pacmd set-sink-port alsa_output.pci-0000_00_1f.3.analog-stereo analog-output-headphones<br />
<br />
Check available sink ports with:<br />
<br />
$ pacmd list-sinks<br />
<br />
To keep these setting, add them to PulseAudio's configuration file {{ic|default.pa}}.<br />
<br />
{{hc|~/.config/pulse/default.pa|<br />
.include /etc/pulse/default.pa<br />
<br />
set-card-profile alsa_card.pci-0000_00_1f.3 output:analog-stereo+input:analog-stereo<br />
set-sink-port alsa_output.pci-0000_00_1f.3.analog-stereo analog-output-headphones<br />
}}<br />
<br />
== Bluetooth ==<br />
<br />
=== Disable Bluetooth support ===<br />
<br />
If you do not use Bluetooth, you may experience the following error in your journal:<br />
<br />
bluez5-util.c: GetManagedObjects() failed: org.freedesktop.DBus.Error.ServiceUnknown: The name org.bluez was not provided by any .service files<br />
<br />
To disable Bluetooth support in PulseAudio, make sure that the following lines are commented out in the configuration file in use ({{ic|~/.config/pulse/default.pa}} or {{ic|/etc/pulse/default.pa}}):<br />
<br />
{{hc|~/.config/pulse/default.pa|<br />
### Automatically load driver modules for Bluetooth hardware<br />
#.ifexists module-bluetooth-policy.so<br />
#load-module module-bluetooth-policy<br />
#.endif<br />
<br />
#.ifexists module-bluetooth-discover.so<br />
#load-module module-bluetooth-discover<br />
#.endif<br />
}}<br />
<br />
=== Bluetooth headset replay problems ===<br />
<br />
Some user [https://bbs.archlinux.org/viewtopic.php?id=117420 reports] huge delays or even no sound when the Bluetooth connection does not send any data. This is due to the {{ic|module-suspend-on-idle}} module, which automatically suspends sinks/sources on idle. As this can cause problems with headset, the responsible module can be deactivated.<br />
<br />
To disable loading of the {{ic|module-suspend-on-idle}} module, comment out the following line in the configuration file in use ({{ic|~/.config/pulse/default.pa}} or {{ic|/etc/pulse/default.pa}}):<br />
<br />
{{hc|~/.config/pulse/default.pa|<br />
### Automatically suspend sinks/sources that become idle for too long<br />
#load-module module-suspend-on-idle<br />
}}<br />
<br />
Finally restart PulseAudio to apply the changes.<br />
<br />
=== Automatically switch to Bluetooth or USB headset ===<br />
<br />
Add the following:<br />
{{hc|/etc/pulse/default.pa|output=<br />
# automatically switch to newly-connected devices<br />
load-module module-switch-on-connect<br />
# or switch also to newly-connected virtual devices<br />
load-module module-switch-on-connect ignore_virtual=no<br />
}}<br />
<br />
Since [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/11.0/ PulseAudio 11] USB and bluetooth devices are preferred over internal sound cards by default, but as in the above link described, you still need module-switch-on-connect to also moves existing streams to the new sink.<br />
<br />
Since [https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/12.0/ PulseAudio 12] virtual devices are ignored by default.<br />
If you do not want this behavior because you want to move existing streams to freshly loaded [[#Enable Echo/Noise-Cancellation|module-echo-cancel]] for example, you have to add {{ic|1=ignore_virtual=no}}.<br />
<br />
=== My Bluetooth device is paired but does not play any sound ===<br />
<br />
[[Bluetooth headset#A2DP_not_working_with_PulseAudio|See the article in Bluetooth headset section]]<br />
<br />
Starting from PulseAudio 2.99 and bluez 4.101 you should '''avoid''' using Socket interface. Do NOT use:<br />
<br />
{{hc|/etc/bluetooth/audio.conf|2=<br />
[General]<br />
Enable=Socket<br />
}}<br />
<br />
If you face problems with A2DP and PA 2.99 make sure you have {{Pkg|sbc}} library.<br />
<br />
== Applications ==<br />
<br />
=== Flash content ===<br />
<br />
Since Adobe Flash does not directly support PulseAudio, the recommended way is to [[PulseAudio#ALSA|configure ALSA to use the virtual PulseAudio sound card]].<br />
<br />
If Flash audio is lagging, you may try to have Flash access ALSA directly. See [[PulseAudio#ALSA/dmix without grabbing hardware device]] for details.<br />
<br />
=== Permission errors bug ===<br />
<br />
{{hc|pulseaudio --start|<br />
E: [autospawn] core-util.c: Failed to create secure directory (/run/user/1000/pulse): Operation not permitted<br />
W: [autospawn] lock-autospawn.c: Cannot access autospawn lock.<br />
E: [pulseaudio] main.c: Failed to acquire autospawn lock<br />
}}<br />
<br />
Known programs that changes permissions for {{ic|/run/user/''user id''/pulse}} when using [[Polkit]] for root elevation:<br />
<br />
* {{AUR|sakis3g}} <br />
<br />
As a workaround, include {{Pkg|kdesu}} in a [[desktop entry]], or add {{ic|1=''username'' ALL=NOPASSWD: /usr/bin/''program_name''}} to [[sudoers]] to run it with {{Pkg|sudo}} without a password.<br />
<br />
The other workaround is to uncomment and set {{ic|1=daemonize = yes}} in the {{ic|/etc/pulse/daemon.conf}}.<br />
<br />
See also [https://bbs.archlinux.org/viewtopic.php?id=135955].<br />
<br />
=== Audacity ===<br />
<br />
To work with PulseAudio, Audacity requires the {{Pkg|pulseaudio-alsa}} is installed. This provides the {{ic|1=pulse:...}} playback and recording devices.<br />
<br />
When starting Audacity you may find that your headphones no longer work. This can be because Audacity is trying to use them as a recording device. To fix this, open Audacity, then set its recording device to {{ic|1=pulse:Internal Mic:0}}.<br />
<br />
Under some circumstances, playback may be distorted, very fast, or freeze, as discussed in the [http://wiki.audacityteam.org/wiki/Linux_Issues#ALSA_and_other_sound_systems Audacity Wiki's Linux Issues page].<br />
<br />
The solution proposed in this page may work: start Audacity with:<br />
<br />
$ env PULSE_LATENCY_MSEC=30 audacity<br />
<br />
If the solution above does not fix this issue, one may wish to temporarily disable pulseaudio while running Audacity by using the {{ic|pasuspender}} command:<br />
<br />
$ pasuspender -- audacity<br />
<br />
Then, be sure to select the appropriate ALSA input and output devices in Audacity.<br />
<br />
See also [[#Setting the default fragment number and buffer size in PulseAudio]].<br />
<br />
== Other Issues ==<br />
<br />
=== Bad configuration files ===<br />
<br />
After starting PulseAudio, if the system outputs no sound, it may be necessary to delete the contents of {{ic|~/.config/pulse}} and/or {{ic|~/.pulse}}. PulseAudio will automatically create new configuration files on its next start.<br />
<br />
=== Cannot update configuration of sound device in pavucontrol ===<br />
<br />
{{Pkg|pavucontrol}} is a handy GUI utility for configuring PulseAudio. Under its 'Configuration' tab, you can select different profiles for each of your sound devices e.g. analogue stereo, digital output (IEC958), HDMI 5.1 Surround etc.<br />
<br />
However, you may run into an instance where selecting a different profile for a card results in the pulse daemon crashing and auto restarting without the new selection "sticking". If this occurs, use the other useful GUI tool, {{Pkg|paprefs}}, to check under the "Simultaneous Output" tab for a virtual simultaneous device. If this setting is active (checked), it will prevent you changing any card's profile in pavucontrol. Uncheck this setting, then adjust your profile in pavucontrol prior to re-enabling simultaneous output in paprefs.<br />
<br />
=== Failed to create sink input: sink is suspended ===<br />
<br />
If you do not have any output sound and receive dozens of errors related to a suspended sink in your {{ic|journalctl -b}} log, then backup first and then delete your user-specific pulse folders:<br />
<br />
$ rm -r ~/.pulse ~/.pulse-cookie ~/.config/pulse<br />
<br />
=== Pulse overwrites ALSA settings ===<br />
<br />
PulseAudio usually overwrites the ALSA settings — for example set with alsamixer — at start-up, even when the ALSA daemon is loaded. Since there seems to be no other way to restrict this behaviour, a workaround is to restore the ALSA settings again after PulseAudio has started. Add the following command to {{ic|.xinitrc}} or {{ic|.bash_profile}} or any other [[autostart]] file:<br />
<br />
restore_alsa() {<br />
while [ -z "$(pidof pulseaudio)" ]; do<br />
sleep 0.5<br />
done<br />
alsactl -f /var/lib/alsa/asound.state restore <br />
}<br />
restore_alsa &<br />
<br />
=== Prevent Pulse from restarting after being killed ===<br />
<br />
{{Remove|Obsolete due to [[PulseAudio#Running]]. Controlling systemd units is explained in [[systemd#Using units]].}}<br />
<br />
Sometimes you may wish to temporarily disable Pulse. In order to do so you will have to prevent Pulse from restarting after being killed. To disable autospawning you can [https://bbs.archlinux.org/viewtopic.php?pid=1807567#p1807567 issue]:<br />
<br />
$ systemctl --user mask pulseaudio.socket<br />
$ systemctl --user stop pulseaudio<br />
<br />
To re-enable autospawning:<br />
<br />
$ systemctl --user unmask pulseaudio.socket<br />
<br />
On older systems you could set this option:<br />
<br />
{{hc|~/.config/pulse/client.conf|2=<br />
# Disable autospawning the PulseAudio daemon<br />
autospawn = no<br />
}}<br />
<br />
=== Daemon startup failed ===<br />
<br />
Try resetting PulseAudio:<br />
<br />
$ rm -rf /tmp/pulse* ~/.pulse* ~/.config/pulse<br />
$ pulseaudio -k<br />
$ pulseaudio --start<br />
<br />
* Check that options for sinks are set up correctly.<br />
* If you configured in default.pa to load and use the OSS modules then check with {{Pkg|lsof}} that {{ic|/dev/dsp}} device is not used by another application.<br />
* Set a preferred working resample method. Use {{ic|pulseaudio --dump-resample-methods}} to see a list with all available resample methods you can use.<br />
* To get details about currently appeared unfixed errors or just get status of daemon use commands like {{ic|pax11publish -d}} and {{ic|pulseaudio -v}} where {{ic|v}} option can be used multiple time to set verbosity of log output equal to the {{ic|1=--log-level[=LEVEL]}} option where LEVEL is from 0 to 4. See the [[#Outputs by PulseAudio error status check utilities]] section.<br />
<br />
See also man pages for {{man|1|pax11publish}} and {{man|1|pulseaudio}} for more details.<br />
<br />
==== Outputs by PulseAudio error status check utilities ====<br />
<br />
If the {{ic|pax11publish -d}} shows error like:<br />
<br />
N: [pulseaudio] main.c: User-configured server at "user", refusing to start/autospawn.<br />
<br />
then run {{ic|pax11publish -r}} command then could be also good to logout and login again.<br />
<br />
If the {{ic|pulseaudio -vvvv}} command shows error like:<br />
<br />
E: [pulseaudio] module-udev-detect.c: You apparently ran out of inotify watches, probably because Tracker/Beagle took them all away. I wished people would do their homework first and fix inotify before using it for watching whole directory trees which is something the current inotify is certainly not useful for. Please make sure to drop the Tracker/Beagle guys a line complaining about their broken use of inotify.<br />
<br />
This can be resolved temporary by:<br />
<br />
$ echo 100000 > /proc/sys/fs/inotify/max_user_watches<br />
<br />
For permanent use save settings in the ''99-sysctl.conf'' file:<br />
<br />
{{hc|/etc/sysctl.d/99-sysctl.conf|2=<br />
# Increase inotify max watchs per user<br />
fs.inotify.max_user_watches = 100000<br />
}}<br />
<br />
{{Warning|It may cause much bigger consumption of memory by kernel.}}<br />
<br />
'''See also''' <br />
<br />
* [http://www.linuxinsight.com/proc_sys_fs_inotify.html proc_sys_fs_inotify] and [http://lwn.net/Articles/604686/ dnotify, inotify]- more details about ''inotify/max_user_watches''<br />
* [http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux?answertab=votes#tab-top reasonable amount of inotify watches with Linux]<br />
* {{man|7|inotify}} - man page<br />
<br />
=== Daemon already running ===<br />
<br />
On some systems, PulseAudio may be started multiple times. journalctl will report:<br />
<br />
[pulseaudio] pid.c: Daemon already running.<br />
<br />
Make sure to use only one method of autostarting applications. {{Pkg|pulseaudio}} includes these files:<br />
<br />
* {{ic|/etc/X11/xinit/xinitrc.d/pulseaudio}}<br />
* {{ic|/etc/xdg/autostart/pulseaudio.desktop}}<br />
* {{ic|/etc/xdg/autostart/pulseaudio-kde.desktop}}<br />
<br />
Also check user autostart files and directories, such as [[xinitrc]], {{ic|~/.config/autostart/}} etc.<br />
<br />
=== Subwoofer stops working after end of every song ===<br />
<br />
Known issue: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/494099<br />
<br />
To fix this, {{ic|1=enable-lfe-remixing = yes}} must be set as described in [[#Choppy sound with analog surround sound setup]].<br />
<br />
=== Unable to select surround configuration other than "Surround 4.0" ===<br />
<br />
If you are unable to set 5.1 surround output in pavucontrol because it only shows "Analog Surround 4.0 Output", open the ALSA mixer and change the output configuration there to 6 channels. Then restart pulseaudio, and pavucontrol will list many more options.<br />
<br />
=== Realtime scheduling ===<br />
<br />
If rtkit does not work, you can manually set up your system to run PulseAudio with real-time scheduling, which can help performance. To do this, add the following lines to {{ic|/etc/security/limits.conf}}:<br />
<br />
@pulse-rt - rtprio 9<br />
@pulse-rt - nice -11<br />
<br />
Afterwards, you need to add your user to the {{ic|pulse-rt}} group:<br />
<br />
# gpasswd -a <user> pulse-rt<br />
<br />
=== pactl "invalid option" error with negative percentage arguments ===<br />
<br />
{{ic|pactl}} commands that take negative percentage arguments will fail with an 'invalid option' error. Use the standard shell '--' pseudo argument<br />
to disable argument parsing before the negative argument. ''e.g.'' {{ic|pactl set-sink-volume 1 -- -5%}}.<br />
<br />
=== Fallback device is not respected ===<br />
<br />
PulseAudio does not have a true default device. Instead it uses a [http://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/DefaultDevice/ "fallback"], which only applies to new sound streams. This means previously run applications are not affected by the newly set fallback device.<br />
<br />
{{Pkg|gnome-control-center}}, {{Pkg|mate-media}} and {{AUR|paswitch}} handle this gracefully. Alternatively: <br />
<br />
1. Move the old streams in {{Pkg|pavucontrol}} manually to the new sound card.<br />
<br />
2. Stop Pulse, erase the "stream-volumes" in {{ic|~/.config/pulse}} and/or {{ic|~/.pulse}} and restart Pulse. This also resets application volumes.<br />
<br />
3. Disable stream device reading. This may be not wanted when using different soundcards with different applications.<br />
<br />
{{hc|/etc/pulse/default.pa|2=<br />
load-module module-stream-restore restore_device=false<br />
}}<br />
<br />
=== RTP/UDP packet flood ===<br />
<br />
In some cases the default configuration might flood the network with UDP packets.[https://gitlab.freedesktop.org/pulseaudio/pulseaudio/issues/505] <br />
To fix this problem, launch {{ic|paprefs}} and disable "Multicast/RTP Sender".[https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/411688/comments/36]</div>Beejhttps://wiki.archlinux.org/index.php?title=Chromium&diff=514337Chromium2018-03-21T20:58:27Z<p>Beej: Add note about solving startup hangs in Chrome by specifying a password store</p>
<hr />
<div>[[Category:Web browser]]<br />
[[de:Chromium]]<br />
[[es:Chromium]]<br />
[[fr:chromium]]<br />
[[it:Chromium]]<br />
[[ja:Chromium]]<br />
[[ru:Chromium]]<br />
[[zh-hans:Chromium]]<br />
{{Related articles start}}<br />
{{Related|Chromium/Tips and tricks}}<br />
{{Related|Browser plugins}}<br />
{{Related|Firefox}}<br />
{{Related|Opera}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:Chromium (web browser)|Chromium]] is an open-source graphical web browser based on the [[Wikipedia:Blink (web engine)|Blink]] rendering engine. It is the basis for the proprietary Google Chrome browser.<br />
<br />
== Installation ==<br />
<br />
The open-source project, '''Chromium''', can be [[install]]ed with the {{Pkg|chromium}} package.<br />
<br />
Other alternatives include:<br />
<br />
* {{App|Chromium Beta Channel|the beta version|https://googlechromereleases.blogspot.com/|{{AUR|chromium-beta}}}}<br />
* {{App|Chromium Dev Channel|the development version|https://googlechromereleases.blogspot.com/|{{AUR|chromium-dev}}}}<br />
* {{App|Chromium snapshot builds|the untested nightly version|https://build.chromium.org/|{{AUR|chromium-snapshot-bin}}}}<br />
* {{App|Chromium with [[VA-API]] support|with a patch to enable VA-API|https://chromium-review.googlesource.com/c/chromium/src/+/532294|{{AUR|chromium-vaapi}}}}<br />
<br />
The derived browser, '''Google Chrome''', which automatically installs Flash Player and Widevine [[Wikipedia:Encrypted Media Extensions|EME]] (for e.g. Netflix), can be [[install]]ed with the {{AUR|google-chrome}} package.<br />
<br />
Other alternatives include:<br />
<br />
* {{App|Google Chrome Beta Channel|the beta version|https://www.google.com/chrome/browser/beta.html|{{AUR|google-chrome-beta}}}}<br />
* {{App|Google Chrome Dev Channel|the development version|https://www.google.com/chrome/browser/|{{AUR|google-chrome-dev}}}}<br />
<br />
{{Note|Support for native client (NaCl) has been dropped in {{pkg|chromium}} version 54, see {{Bug|51511}}. Opening NaCl applications will display this error message: "This plugin is not supported". The {{aur|google-chrome}} package supports NaCl.}}<br />
<br />
See these [https://chromium.googlesource.com/chromium/src/+/master/docs/chromium_browser_vs_google_chrome.md two] [https://www.howtogeek.com/202825/what%E2%80%99s-the-difference-between-chromium-and-chrome/ articles] for an explanation of the differences between Chromium and Chrome.<br />
<br />
On top of the different Chromium build channels, a number of forks exist with more or less special features; see [[List of applications#Blink-based]].<br />
<br />
== Configuration ==<br />
<br />
=== Default applications ===<br />
<br />
To set Chromium as the default browser and to change which applications Chromium launches when opening downloaded files, see [[default applications]].<br />
<br />
=== Flash Player plugin ===<br />
<br />
Flash Player is automatically installed when using Google Chrome.<br />
<br />
To install it for Chromium, [[install]] the {{Pkg|pepper-flash}} package.<br />
<br />
Make sure Flash is allowed to run in {{ic|chrome://settings/content/flash}}.<br />
<br />
=== Widevine Content Decryption Module plugin ===<br />
<br />
Widevine is Google's Encrypted Media Extensions (EME) Content Decryption Module (CDM). It is used to watch premium video content such as Netflix. It is automatically installed when using Google Chrome.<br />
<br />
To install it for Chromium, [[install]] the {{AUR|chromium-widevine}} package. Make sure ''Allow sites to play protected content'' is checked in {{ic|chrome://settings/content/protectedContent}}.<br />
<br />
=== PDF viewer plugin ===<br />
<br />
Chromium and Google Chrome are bundled with the ''Chromium PDF Viewer'' plugin. If you don't want to use this plugin, check ''Open PDFs using a different application'' in {{ic|chrome://settings/content/pdfDocuments}}.<br />
<br />
=== Certificates ===<br />
<br />
Chromium uses [[Network Security Services|NSS]] for certificate management. Certificates can be managed in {{ic|chrome://settings/certificates}}.<br />
<br />
== Tips and tricks ==<br />
<br />
See the main article: [[Chromium/Tips and tricks]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Fonts ===<br />
<br />
{{Note|Chromium does not fully integrate with fontconfig/GTK/Pango/X/etc. due to its sandbox. For more information, see the [https://dev.chromium.org/developers/linux-technical-faq Linux Technical FAQ].}}<br />
<br />
==== Font rendering issues in PDF plugin ====<br />
<br />
To fix the font rendering in some PDFs one has to install the {{Pkg|ttf-liberation}} package, otherwise the substituted font causes text to run into other text. This was [https://code.google.com/p/chromium/issues/detail?id=369991 reported on the chromium bug tracker] by an Arch user.<br />
<br />
=== Force 3D acceleration ===<br />
<br />
{{Warning|Disabling the rendering blacklist may cause unstable behaviour, including crashes of the host. See the bug reports in {{ic|chrome://gpu}}.}}<br />
<br />
First follow [[Hardware video acceleration]]. Then, to force 3D rendering, ''enable'' the flags: "Override software rendering list", "GPU rasterization", "Zero-copy rasterizer" in {{ic|chrome://flags}}. Check if it is working in {{ic|chrome://gpu}}. This may also alleviate tearing issues with the [[radeon]] driver.<br />
<br />
If "Native GpuMemoryBuffers" under {{ic|chrome://gpu}} mentions software rendering, you additionally need to pass the {{ic|--enable-native-gpu-memory-buffers}} flag, or some optimizations (like the zero-copy rasterizer) won't do anything. This flag isn't available under {{ic|chrome://flags}} - it must be passed in either the chromium-flags.conf file (as noted in [[Chromium/Tips and tricks#Making flags persistent]]) or directly on the command line.<br />
<br />
=== WebGL ===<br />
There is the possibility that your graphics card has been blacklisted by Chromium. See [[#Force 3D acceleration]].<br />
<br />
If you are using Chromium with [[Bumblebee]], WebGL might crash due to GPU sandboxing. In this case, you can disable GPU sandboxing with {{ic|optirun chromium --disable-gpu-sandbox}}.<br />
<br />
Visit {{ic|chrome://gpu/}} for debugging information about WebGL support.<br />
<br />
Chromium can save incorrect data about your GPU in your user profile (e.g. if you use switch between an Nvidia card using Optimus and Intel, it will show the Nvidia card in {{ic|chrome://gpu}} even when you're not using it or primusrun/optirun). Running using a different user directory, e.g, {{ic|1=chromium --user-data-dir=$(mktemp -d)}} may solve this issue. For a persistent solution you can reset the GPU information by deleting {{ic|~/.config/chromium/Local\ State}}.<br />
<br />
=== Zoomed-in GUI ===<br />
<br />
Chromium's graphical interface will automatically scale on high-DPI displays. To disable this, use {{ic|1=--force-device-scale-factor=1}}.<br />
<br />
=== Password prompt on every start with GNOME Keyring ===<br />
<br />
See [[GNOME/Keyring#Passwords are not remembered]].<br />
<br />
=== Chromecasts in the network are not discovered ===<br />
<br />
You will need to enable the Media Router Component Extension in {{ic|chrome://flags/#load-media-router-component-extension}}.<br />
<br />
=== Losing cookies and passwords when switching between desktop environments ===<br />
<br />
If you see the message {{ic|Failed to decrypt token for service AccountId-*}} in the terminal when you start Chromium, it might try to use the wrong password storage backend. This might happen when you switch between Desktop Environments.<br />
<br />
See [[Chromium/Tips and tricks#Force a password store]].<br />
<br />
=== Hang on startup when Google Sync enabled ===<br />
<br />
Try launching Chrome with {{ic|1=--password-store=basic}} or another appropriate password store.<br />
<br />
See [[Chromium/Tips and tricks#Force a password store]].<br />
<br />
== See also ==<br />
<br />
* [https://www.chromium.org/ Chromium homepage]<br />
* [https://googlechromereleases.blogspot.com Google Chrome release notes]<br />
* [https://chrome.google.com/webstore/category/home Chrome web store]<br />
* [[Wikipedia:Chromium (web browser)#Differences from Google Chrome|Differences between Chromium and Google Chrome]]<br />
* [http://peter.sh/experiments/chromium-command-line-switches/ List of Chromium command-line switches]</div>Beejhttps://wiki.archlinux.org/index.php?title=Nginx&diff=479655Nginx2017-06-12T02:09:53Z<p>Beej: Add section on per-user directories</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Web server]]<br />
[[de:Nginx]]<br />
[[ja:Nginx]]<br />
[[ru:Nginx]]<br />
[[zh-hans:Nginx]]<br />
<br />
[[Wikipedia:nginx|nginx]] (pronounced "engine X"), is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server, written by Igor Sysoev in 2005. According to Netcraft's [http://news.netcraft.com/archives/2015/04/20/april-2015-web-server-survey.html April 2015 Web Server Survey], nginx now hosts 14.48% of all domains worldwide, while [[Apache]] hosts about 38.39%. nginx is now well known for its stability, rich feature set, simple configuration, and low resource consumption.<br />
<br />
Nginx is often used together with a scripting language such as [[PHP]] and database such as [[MySQL]]. This combination is often referred to as a LEMP stack (Linux, EngineX, MySQL, PHP).<br />
<br />
== Installation ==<br />
<br />
[[Install]] the package {{Pkg|nginx-mainline}} (mainline branch : new features, updates, bugfixes) or {{Pkg|nginx}} (stable branch : major bufixes only).<br />
Using the mainline branch is recommended.<br />
<br />
The main reason to use the stable branch is that you are concerned about possible impacts of new features,<br />
such as incompatibility with third-party modules or the inadvertent introduction of bugs in new features[https://www.nginx.com/blog/nginx-1-6-1-7-released/].<br />
<br />
For a Ruby on Rails setup with nginx, see [[Ruby on Rails#The Perfect Rails Setup]].<br />
<br />
For a chroot-based installation for additional security, see [[#Installation in a chroot]].<br />
<br />
== Running ==<br />
<br />
[[Start/enable]] {{ic|nginx.service}}.<br />
<br />
The default served page at http://127.0.0.1 is {{ic|/usr/share/nginx/html/index.html}}.<br />
<br />
== Configuration ==<br />
<br />
First steps with nginx are described in the [http://nginx.org/en/docs/beginners_guide.html Beginner’s Guide]. You can modify the configuration by editing the files in {{ic|/etc/nginx/}} The main configuration file is located at {{ic|/etc/nginx/nginx.conf}}.<br />
<br />
More details and examples can be found in http://wiki.nginx.org/Configuration and the [http://nginx.org/en/docs/ official documentation].<br />
<br />
The examples below cover the most common use cases. It is assumed that you use the default location for documents ({{ic|/usr/share/nginx/html}}). If that is not the case, substitute your path instead.<br />
<br />
=== Configuration Example ===<br />
{{hc|/etc/nginx/nginx.conf|<nowiki><br />
user http;<br />
worker_processes auto;<br />
worker_cpu_affinity auto;<br />
pcre_jit on;<br />
<br />
events {<br />
worker_connections 2048;<br />
}<br />
<br />
<br />
http {<br />
include mime.types;<br />
default_type application/octet-stream;<br />
sendfile on;<br />
tcp_nopush on;<br />
aio threads;<br />
server_tokens off; # Security: Disables nginx version in error messages and in the “Server” response header field.<br />
charset utf-8; # Force usage of UTF-8<br />
index index.php index.html index.htm;<br />
# include sites-enabled/*; # See Server blocks<br />
}<br />
</nowiki>}}<br />
<br />
=== General configuration ===<br />
<br />
==== Processes and connections ====<br />
<br />
You should choose a fitting value for {{ic|worker_processes}}. This settings ultimately defines how many connection nginx will accept and how many processors it will be able to make use of. Generally, making it the number of hardware threads in your system is a good start. Alternatively, {{ic|worker_processes}} accepts the {{ic|auto}} value since versions 1.3.8 and 1.2.5, which will try to autodetect the optimal value ([http://nginx.org/en/docs/ngx_core_module.html#worker_processes source]).<br />
<br />
The maximum connections nginx will accept is given by {{ic|1=max_clients = worker_processes * worker_connections}}.<br />
<br />
==== Running under different user ====<br />
<br />
By default, {{Pkg|nginx}} runs the master process as {{ic|root}} and worker processes as user {{ic|http}}. To run worker processes as another user, change the {{ic|user}} directive in {{ic|nginx.conf}}:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
user ''user'' [''group''];<br />
}}<br />
<br />
If the group is omitted, a group whose name equals that of ''user'' is used.<br />
<br />
{{Tip|1=It is also possible to run nginx without anything running as {{ic|root}} using [[systemd]]. See [[#Running unprivileged using systemd]].}}<br />
<br />
==== Server blocks ====<br />
<br />
It is possible to serve multiple domains using {{ic|server}} blocks. It may be referred as "VirtualHosts", however this is an [[Apache]] term. The usage of {{ic|server}} blocks also differs from [http://wiki.nginx.org/ServerBlockExample Apache].<br />
<br />
In the example below the server listens for incoming connections for two domains: {{ic|domainname1.dom}} and {{ic|domainname2.dom}}:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<nowiki><br />
...<br />
server {<br />
listen 80;<br />
server_name domainname1.dom;<br />
root /usr/share/nginx/domainname1.dom/html;<br />
location / {<br />
index index.php index.html index.htm;<br />
}<br />
}<br />
<br />
server {<br />
listen 80;<br />
server_name domainname2.dom;<br />
root /usr/share/nginx/domainname2.dom/html;<br />
...<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
[[Restart]] the {{ic|nginx}} service to apply any changes.<br />
<br />
You should configure a DNS-server like [[BIND]] or [[dnsmasq]] so that these domain names could be resolved for connecting clients.<br />
<br />
For now you can just add them manually in {{ic|/etc/hosts}} replacing {{ic|192.168.0.101}} with the actual IP address of server:<br />
<br />
192.168.0.101 domainname1.dom<br />
192.168.0.101 domainname2.dom<br />
<br />
=====Managing server entries=====<br />
<br />
It may be easier to use an [[Apache]] like [[Apache#Managing_many_virtual_hosts|Virtual hosts]] system.<br />
<br />
Create the following directories:<br />
<br />
# mkdir /etc/nginx/sites-available<br />
# mkdir /etc/nginx/sites-enabled<br />
<br />
Create a file inside the {{ic|sites-available}} directory that contains one or more server blocks:<br />
<br />
{{hc|/etc/nginx/sites-available/example|<nowiki><br />
server {<br />
..<br />
}<br />
</nowiki>}}<br />
<br />
Append the following line at the end of the {{ic|http}} block in /etc/nginx/nginx.conf: <br />
<br />
include sites-enabled/*;<br />
<br />
To enable a {{ic|server}}, simple create a symlink:<br />
<br />
# ln -s /etc/nginx/sites-available/example /etc/nginx/sites-enabled/example<br />
<br />
To remove a {{ic|server}}, delete the symlink:<br />
<br />
# unlink /etc/nginx/sites-enabled/example<br />
<br />
Reload or restart {{ic|nginx}} service to enable the new configuration.<br />
<br />
==== TLS/SSL ====<br />
<br />
[[OpenSSL]] provides TLS/SSL support and is installed by default on Arch installations.<br />
<br />
{{Tip|<br />
* You may want to read the [http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate ngx_http_ssl_module] docs first before configuring SSL.<br />
* [[Let’s Encrypt]] is a free, automated, and open certificate authority. A plugin is available to request valid SSL certificates straight from the command line and automatic configuration.<br />
* Mozilla has a useful [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] which includes [https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx nginx specific] configuration guidelines as well as an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.<br />
* [https://cipherli.st Cipherli.st] provides strong SSL implementation examples and tutorial for most modern webservers.<br />
}}<br />
<br />
{{Warning|If you plan on implementing SSL/TLS, know that some variations and implementations are [https://weakdh.org/#affected still] [[wikipedia:Transport_Layer_Security#Attacks_against_TLS.2FSSL|vulnerable to attack]]. For details on these current vulnerabilities within SSL/TLS and how to apply appropriate changes to nginx, visit http://disablessl3.com/ and https://weakdh.org/sysadmin.html}}<br />
<br />
Create a private key and self-signed certificate. This is adequate for most installations that do not require a [[OpenSSL#Making_requests|CSR]]:<br />
<br />
# mkdir /etc/nginx/ssl<br />
# cd /etc/nginx/ssl<br />
# openssl req -new -x509 -nodes -newkey rsa:4096 -keyout server.key -out server.crt -days 1095<br />
# chmod 400 server.key<br />
# chmod 444 server.crt<br />
<br />
{{Note|The {{ic|-days}} switch is optional and RSA keysize can be as low as 2048 (default).}}<br />
<br />
If you need to create a CSR, follow these instructions instead of the above:<br />
<br />
# mkdir /etc/nginx/ssl<br />
# cd /etc/nginx/ssl<br />
# openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out server.key<br />
# chmod 400 server.key<br />
# openssl req -new -sha256 -key server.key -out server.csr<br />
# openssl x509 -req -days 1095 -in server.csr -signkey server.key -out server.crt<br />
<br />
{{Note|For more ''openssl'' options, read its [https://www.openssl.org/docs/apps/openssl.html man page] or peruse its [https://www.openssl.org/docs/ extensive documentation].}}<br />
<br />
Example of a {{ic|nginx.conf}} using SSL:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<nowiki><br />
http {<br />
...<br />
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";<br />
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;<br />
ssl_prefer_server_ciphers on;<br />
ssl_session_cache shared:SSL:10m;<br />
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";<br />
add_header X-Frame-Options DENY;<br />
add_header X-Content-Type-Options nosniff;<br />
ssl_session_tickets off;<br />
ssl_stapling on;<br />
ssl_stapling_verify on;<br />
resolver 8.8.8.8 8.8.4.4 valid=300s; # Google DNS Servers<br />
resolver_timeout 5s;<br />
<br />
# Redirect to HTTPS<br />
server {<br />
listen 80;<br />
server_name localhost;<br />
return 301 https://$server_name$request_uri;<br />
}<br />
<br />
server {<br />
#listen 80; # Uncomment to also listen for HTTP requests<br />
listen 443 ssl http2; # HTTP/2 is only possible when using SSL<br />
server_name localhost;<br />
<br />
ssl_certificate ssl/server.crt;<br />
ssl_certificate_key ssl/server.key;<br />
<br />
root /usr/share/nginx/html;<br />
location / {<br />
index index.html index.htm;<br />
}<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
[[Restart]] the {{ic|nginx}} service to apply any changes.<br />
<br />
==== Per-User Directories ====<br />
<br />
To replicate Apache-style {{ic|~user}} URLs to users' {{ic|~/public_html}} directories, try the following. (Note: if both rules are used, below, the more-specific PHP rule must come first.)<br />
<br />
{{hc|/etc/nginx/nginx.conf|<nowiki><br />
...<br />
server {<br />
...<br />
# PHP in user directories, e.g. http://example.com/~user/test.php<br />
location ~ ^/~(.+?)(/.+\.php)$ {<br />
alias /home/$1/public_html$2;<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
fastcgi_index index.php;<br />
include fastcgi.conf;<br />
}<br />
<br />
# User directories, e.g. http://example.com/~user/<br />
location ~ ^/~(.+?)(/.*)?$ {<br />
alias /home/$1/public_html$2;<br />
index index.html index.htm;<br />
autoindex on;<br />
}<br />
...<br />
}<br />
...<br />
</nowiki>}}<br />
<br />
See [[#PHP implementation]] for more information on PHP configuration with {{ic|nginx}}.<br />
<br />
Reload or restart {{ic|nginx}} service to enable the new configuration.<br />
<br />
=== FastCGI ===<br />
<br />
FastCGI, also FCGI, is a protocol for interfacing interactive programs with a web server. FastCGI is a variation on the earlier CGI (Common Gateway Interface); FastCGI's main aim is to reduce the overhead associated with interfacing the web server and CGI programs, allowing a server to handle more web page requests at once.<br />
<br />
FastCGI technology is introduced into nginx to work with many external tools, i.e.: Perl, [[PHP]] and [[Python]].<br />
<br />
==== PHP implementation ====<br />
<br />
[http://php-fpm.org/ PHP-FPM] is the recommended solution to run as FastCGI server for PHP.<br />
<br />
===== PHP configuration =====<br />
<br />
[[Install]] the {{Pkg|php}} and {{Pkg|php-fpm}} packages.<br />
<br />
Make sure [[PHP#Configuration|open_basedir]] allows the directories containing PHP files to be accessed (starting with PHP 7.0 it is [https://www.archlinux.org/news/php-70-packages-released/ unset by default], so no change is required).<br />
<br />
Next, configure modules you need. For example, if you want to use sqlite3, install {{Pkg|php-sqlite}} then enable it in {{ic|/etc/php/php.ini}} by uncommenting following line:<br />
<br />
extension=sqlite3.so<br />
<br />
The main configuration file of PHP-FPM is {{ic|/etc/php/php-fpm.conf}}. [[Enable]] and [[start]] the {{ic|php-fpm}} service.<br />
<br />
{{Note|If you run nginx in chrooted environment (chroot is {{ic|/srv/nginx-jail}}, web pages are served at {{ic|/srv/nginx-jail/www}}), you must modify the file {{ic|/etc/php/php-fpm.conf}} to include the {{ic|chroot /srv/nginx-jail}} and {{ic|1=listen = /srv/nginx-jail/run/php-fpm/php-fpm.sock}} directives within the pool section (a default one is {{ic|[www]}}). Create the directory for the socket file, if missing.}}<br />
<br />
====== MariaDB ======<br />
<br />
Configure MySQL/MariaDB as described in [[MariaDB]].<br />
<br />
Uncomment [http://www.php.net/manual/en/mysqlinfo.api.choosing.php at least one] of the following lines in {{ic|/etc/php/php.ini}}:<br />
<br />
extension=pdo_mysql.so<br />
extension=mysqli.so<br />
<br />
{{Warning|{{ic|mysql.so}} was [http://php.net/manual/en/migration70.removed-exts-sapis.php removed] in PHP 7.0.}}<br />
<br />
You can add minor privileged MySQL users for your web scripts. You might also want to edit {{ic|/etc/mysql/my.cnf}} and uncomment the {{ic|skip-networking}} line so the MySQL server is only accessible by the localhost. You have to restart MySQL for changes to take effect.<br />
<br />
{{Tip|You may want to install a tool like [[phpMyAdmin]], [[Adminer]] or {{Pkg|mysql-workbench}} to work with your databases.}}<br />
<br />
===== nginx configuration =====<br />
<br />
====== Adding to main configuration ======<br />
<br />
Inside each {{ic|server}} block serving a PHP web application should appear a {{ic|location}} block similar to:<br />
<br />
location ~ \.php$ {<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
root /usr/share/nginx/html;<br />
fastcgi_index index.php;<br />
include fastcgi.conf;<br />
}<br />
<br />
If it is needed to process other extensions with PHP (e.g. ''.html'' and ''.htm''):<br />
<br />
location ~ \.(php'''|html|htm''')$ {<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
root /usr/share/nginx/html;<br />
fastcgi_index index.php;<br />
include fastcgi.conf;<br />
}<br />
<br />
Non ''.php'' extension processing in php-fpm should be explicitly added in {{ic|/etc/php/php-fpm.d/www.conf}}:<br />
<br />
security.limit_extensions = .php .html .htm<br />
<br />
{{Note|Pay attention to the {{ic|fastcgi_pass}} argument, as it must be the TCP or Unix socket defined by the chosen FastCGI server in its config file. The '''default''' (Unix) socket for {{ic|php-fpm}} is:<br />
<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
<br />
You might use the common TCP socket, '''not default''',<br />
<br />
fastcgi_pass 127.0.0.1:9000;<br />
<br />
Unix domain sockets should however be faster.}}<br />
<br />
The example shown below is a copy of a working configuration. Notice that in this example the {{ic|root}} path is specified directly under {{ic|server}}, and not inside {{ic|location}} (as it is in the default config).<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
server {<br />
listen 80;<br />
server_name localhost;<br />
root /usr/share/nginx/html;<br />
location / {<br />
index index.html index.htm index.php;<br />
}<br />
<br />
location ~ \.php$ {<br />
#fastcgi_pass 127.0.0.1:9000; (depending on your php-fpm socket configuration)<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
root /usr/share/nginx/html;<br />
fastcgi_index index.php;<br />
include fastcgi.conf;<br />
}<br />
}<br />
}}<br />
<br />
======PHP configuration file======<br />
If using multiple {{ic|server}} blocks with enabled PHP support, it might be easier to create a PHP config file instead:<br />
{{hc|/etc/nginx/conf/php.conf|<nowiki><br />
location ~ \.php$ {<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
fastcgi_index index.php;<br />
include fastcgi.conf;<br />
}<br />
</nowiki>}}<br />
<br />
To enable PHP support for a particular server, simple include {{ic|php.conf}}:<br />
{{hc|/etc/nginx/nginx.conf|<nowiki><br />
server = {<br />
server_name example.com;<br />
...<br />
include php.conf;<br />
}<br />
</nowiki>}}<br />
<br />
===== Test configuration =====<br />
<br />
You need to [[restart]] the {{ic|php-fpm}} and {{ic|nginx}} daemons if the configuration has been changed in order to apply changes.<br />
<br />
To test the FastCGI implementation, create a new PHP file inside the {{ic|root}} folder containing:<br />
<br />
<?php<br />
phpinfo();<br />
?><br />
<br />
Navigate this file inside a browser and you will see the informational page with the current PHP configuration.<br />
<br />
See [[#Troubleshooting]] section if you are experiencing problems with your configuration.<br />
<br />
==== CGI implementation ====<br />
<br />
This implementation is needed for CGI applications.<br />
<br />
===== fcgiwrap =====<br />
<br />
[[Install]] the {{Pkg|fcgiwrap}}. The configuration file is {{ic|/usr/lib/systemd/system/fcgiwrap.socket}}. [[Enable]] and [[start]] the {{ic|fcgiwrap.socket}}.<br />
<br />
====== Multiple worker threads ======<br />
<br />
If you want to spawn multiple worker threads, it is recommended that you use {{AUR|multiwatch}}, which will take care of restarting crashed children. You will need to use {{ic|spawn-fcgi}} to create the unix socket, as multiwatch seems unable to handle the systemd-created socket, even though fcgiwrap itself does not have any trouble if invoked directly in the unit file.<br />
<br />
Copy the unit file from {{ic|/usr/lib/systemd/system/fcgiwrap.service}} to {{ic|/etc/systemd/system/fcgiwrap.service}} (and the {{ic|fcgiwrap.socket}} unit, if present), and modify the {{ic|ExecStart}} line to suit your needs. Here is a unit file that uses {{AUR|multiwatch}}. Make sure {{ic|fcgiwrap.socket}} is not started or enabled, because it will conflict with this unit:<br />
<br />
{{hc|/etc/systemd/system/fcgiwrap.service|2=<br />
[Unit]<br />
Description=Simple CGI Server<br />
After=nss-user-lookup.target<br />
<br />
[Service]<br />
ExecStartPre=/bin/rm -f /run/fcgiwrap.socket<br />
ExecStart=/usr/bin/spawn-fcgi -u http -g http -s /run/fcgiwrap.sock -n -- /usr/bin/multiwatch -f 10 -- /usr/sbin/fcgiwrap<br />
ExecStartPost=/usr/bin/chmod 660 /run/fcgiwrap.sock<br />
PrivateTmp=true<br />
Restart=on-failure<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
Tweak {{ic|-f 10}} to change the number of children that are spawned.<br />
<br />
{{Warning|The {{ic|ExecStartPost}} line is required because of strange behaviour I'm seeing when I use the {{ic|-M 660}} option for {{ic|spawn-fcgi}}. The wrong mode is set. This may be a bug?}}<br />
<br />
===== nginx configuration =====<br />
<br />
Inside each {{ic|server}} block serving a CGI web application should appear a {{ic|location}} block similar to:<br />
<br />
location ~ \.cgi$ {<br />
root /path/to/server/cgi-bin;<br />
fastcgi_pass unix:/run/fcgiwrap.sock;<br />
include fastcgi.conf;<br />
}<br />
<br />
The default socket file for {{ic|fcgiwrap}} is {{ic|/run/fcgiwrap.sock}}.<br />
<br />
If you keep getting a {{ic|502 - bad Gateway}} error, you should check if your CGI-application first announces the mime-type of the following content. For html this needs to be {{ic|Content-type: text/html}}.<br />
<br />
== Installation in a chroot ==<br />
<br />
Installing nginx in a [[chroot]] adds an additional layer of security. For maximum security the chroot should include only the files needed to run the nginx server and all files should have the most restrictive permissions possible, e.g., as much as possible should be owned by root, directories such as {{ic|/usr/bin}} should be unreadable and unwriteable, etc.<br />
<br />
Arch comes with an {{ic|http}} user and group by default which will run the server. The chroot will be in {{ic|/srv/http}}.<br />
<br />
A perl script to create this jail is available at [https://gist.github.com/4365696 jail.pl gist]. You can either use that or follow the instructions in this article. It expects to be run as root. You will need to uncomment a line before it makes any changes.<br />
<br />
=== Create necessary devices ===<br />
<br />
nginx needs {{ic|/dev/null}}, {{ic|/dev/random}}, and {{ic|/dev/urandom}}. To install these in the chroot create the {{ic|/dev/}} directory and add the devices with ''mknod''. Avoid mounting all of {{ic|/dev/}} to ensure that, even if the chroot is compromised, an attacker must break out of the chroot to access important devices like {{ic|/dev/sda1}}.<br />
<br />
{{Tip|Be sure that {{ic|/srv/http}} is mounted without no-dev option}}<br />
{{Tip|See {{ic|man mknod}} and {{ic|<nowiki>ls -l /dev/{null,random,urandom}</nowiki>}} to better understand the ''mknod'' options.}}<br />
<br />
# export JAIL=/srv/http<br />
# mkdir $JAIL/dev<br />
# mknod -m 0666 $JAIL/dev/null c 1 3<br />
# mknod -m 0666 $JAIL/dev/random c 1 8<br />
# mknod -m 0444 $JAIL/dev/urandom c 1 9<br />
<br />
=== Create necessary directories ===<br />
<br />
nginx requires a bunch of files to run properly. Before copying them over, create the folders to store them. This assumes your nginx document root will be {{ic|/srv/http/www}}.<br />
<br />
# mkdir -p $JAIL/etc/nginx/logs<br />
# mkdir -p $JAIL/usr/{lib,bin}<br />
# mkdir -p $JAIL/usr/share/nginx<br />
# mkdir -p $JAIL/var/{log,lib}/nginx<br />
# mkdir -p $JAIL/www/cgi-bin<br />
# mkdir -p $JAIL/{run,tmp}<br />
# cd $JAIL; ln -s usr/lib lib<br />
<br />
{{Note|If using a 64 bit kernel you will need to create symbolic links {{ic|lib64}} and {{ic|usr/lib64}} to {{ic|usr/lib}}: {{ic|cd $JAIL; ln -s usr/lib lib64}} and {{ic|cd $JAIL/usr; ln -s lib lib64}}.}}<br />
<br />
Then mount {{ic|$JAIL/tmp}} and {{ic|$JAIL/run}} as tmpfs's. The size should be limited to ensure an attacker cannot eat all the RAM.<br />
<br />
# mount -t tmpfs none $JAIL/run -o 'noexec,size=1M'<br />
# mount -t tmpfs none $JAIL/tmp -o 'noexec,size=100M'<br />
<br />
In order to preserve the mounts across reboots, the following entries should be added to {{ic|/etc/fstab}}:<br />
<br />
{{hc|/etc/fstab|<nowiki><br />
tmpfs /srv/http/run tmpfs rw,noexec,relatime,size=1024k 0 0<br />
tmpfs /srv/http/tmp tmpfs rw,noexec,relatime,size=102400k 0 0<br />
</nowiki>}}<br />
<br />
=== Populate the chroot ===<br />
<br />
First copy over the easy files.<br />
<br />
# cp -r /usr/share/nginx/* $JAIL/usr/share/nginx<br />
# cp -r /usr/share/nginx/html/* $JAIL/www<br />
# cp /usr/bin/nginx $JAIL/usr/bin/<br />
# cp -r /var/lib/nginx $JAIL/var/lib/nginx<br />
<br />
Now copy over required libraries. Use ''ldd'' to list them and then copy them all to the correct location. Copying is preferred over hardlinks to ensure that even if an attacker gains write access to the files they cannot destroy or alter the true system files.<br />
<br />
{{hc|$ ldd /usr/bin/nginx|<nowiki><br />
linux-vdso.so.1 (0x00007fffc41fe000)<br />
libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f57ec3e8000)<br />
libcrypt.so.1 => /usr/lib/libcrypt.so.1 (0x00007f57ec1b1000)<br />
libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x00007f57ebead000)<br />
libm.so.6 => /usr/lib/libm.so.6 (0x00007f57ebbaf000)<br />
libpcre.so.1 => /usr/lib/libpcre.so.1 (0x00007f57eb94c000)<br />
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f57eb6e0000)<br />
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f57eb2d6000)<br />
libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f57eb0d2000)<br />
libz.so.1 => /usr/lib/libz.so.1 (0x00007f57eaebc000)<br />
libGeoIP.so.1 => /usr/lib/libGeoIP.so.1 (0x00007f57eac8d000)<br />
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x00007f57eaa77000)<br />
libc.so.6 => /usr/lib/libc.so.6 (0x00007f57ea6ca000)<br />
/lib64/ld-linux-x86-64.so.2 (0x00007f57ec604000)</nowiki>}}<br />
<br />
# cp /lib64/ld-linux-x86-64.so.2 $JAIL/lib<br />
<br />
For files residing in {{ic|/usr/lib}} you may try the following one-liner:<br />
<br />
# cp $(ldd /usr/bin/nginx | grep /usr/lib | sed -sre 's/(.+)(\/usr\/lib\/\S+).+/\2/g') $JAIL/usr/lib<br />
<br />
{{Note|Do not try to copy {{ic|linux-vdso.so}}: it is not a real library and does not exist in {{ic|/usr/lib}}. Also {{ic|ld-linux-x86-64.so}} will likely be listed in {{ic|/lib64}} for a 64 bit system.}}<br />
<br />
Copy over some miscellaneous but necessary libraries and system files.<br />
<br />
# cp /usr/lib/libnss_* $JAIL/usr/lib<br />
# cp -rfvL /etc/{services,localtime,nsswitch.conf,nscd.conf,protocols,hosts,ld.so.cache,ld.so.conf,resolv.conf,host.conf,nginx} $JAIL/etc<br />
<br />
Create restricted user/group files for the chroot. This way only the users needed for the chroot to function exist as far as the chroot knows, and none of the system users/groups are leaked to attackers should they gain access to the chroot.<br />
<br />
{{hc|$JAIL/etc/group|<br />
http:x:33:<br />
nobody:x:99:<br />
}}<br />
<br />
{{hc|$JAIL/etc/passwd|<br />
http:x:33:33:http:/:/bin/false<br />
nobody:x:99:99:nobody:/:/bin/false<br />
}}<br />
<br />
{{hc|$JAIL/etc/shadow|<br />
http:x:14871::::::<br />
nobody:x:14871::::::<br />
}}<br />
<br />
{{hc|$JAIL/etc/gshadow|<br />
http:::<br />
nobody:::<br />
}}<br />
<br />
# touch $JAIL/etc/shells<br />
# touch $JAIL/run/nginx.pid<br />
<br />
Finally make set very restrictive permissions. As much as possible should be owned by root and set unwritable.<br />
<br />
# chown -R root:root $JAIL/<br />
<br />
# chown -R http:http $JAIL/www<br />
# chown -R http:http $JAIL/etc/nginx<br />
# chown -R http:http $JAIL/var/{log,lib}/nginx<br />
# chown http:http $JAIL/run/nginx.pid<br />
<br />
# find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod -rw<br />
# find $JAIL/ -gid 0 -uid 0 -type d -print | xargs chmod +x<br />
# find $JAIL/etc -gid 0 -uid 0 -type f -print | xargs chmod -x<br />
# find $JAIL/usr/bin -type f -print | xargs chmod ug+rx<br />
# find $JAIL/ -group http -user http -print | xargs chmod o-rwx<br />
# chmod +rw $JAIL/tmp<br />
# chmod +rw $JAIL/run<br />
<br />
If your server will bind port 80 (or any other port in range [1-1023]), give the chrooted executable permission to bind these ports without root.<br />
<br />
# setcap 'cap_net_bind_service=+ep' $JAIL/usr/bin/nginx<br />
<br />
=== Modify nginx.service to start chroot ===<br />
<br />
Before modifying the {{ic|nginx.service}} unit file, it may be a good idea to copy it to {{ic|/etc/systemd/system/}} since the unit files there take priority over those in {{ic|/usr/lib/systemd/system/}}. This means upgrading nginx would not modify your custom ''.service'' file.<br />
<br />
# cp /usr/lib/systemd/system/nginx.service /etc/systemd/system/nginx.service<br />
<br />
The systemd unit must be changed to start up nginx in the chroot, as the http user, and store the pid file in the chroot.<br />
<br />
{{Note|I'm not sure if the pid file needs to be stored in the chroot jail.}}<br />
<br />
{{hc|/etc/systemd/system/nginx.service|<nowiki><br />
[Unit]<br />
Description=A high performance web server and a reverse proxy server<br />
After=syslog.target network.target<br />
<br />
[Service]<br />
Type=forking<br />
PIDFile=/srv/http/run/nginx.pid<br />
ExecStartPre=/usr/bin/chroot --userspec=http:http /srv/http /usr/bin/nginx -t -q -g 'pid /run/nginx.pid; daemon on; master_process on;'<br />
ExecStart=/usr/bin/chroot --userspec=http:http /srv/http /usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;'<br />
ExecReload=/usr/bin/chroot --userspec=http:http /srv/http /usr/bin/nginx -g 'pid /run/nginx.pid; daemon on; master_process on;' -s reload<br />
ExecStop=/usr/bin/chroot --userspec=http:http /srv/http /usr/bin/nginx -g 'pid /run/nginx.pid;' -s quit<br />
<br />
[Install]<br />
WantedBy=multi-user.target</nowiki>}}<br />
<br />
{{Note|Upgrading nginx with pacman will not upgrade the chrooted nginx installation. You have to take care of the updates manually by repeating some of the steps above. Do not forget to also update the libraries it links against.}}<br />
<br />
You can now safely get rid of the non-chrooted nginx installation.<br />
<br />
# pacman -Rsc nginx<br />
<br />
If you do not remove the non-chrooted nginx installation, you may want to make sure that the running nginx process is in fact the chrooted one. You can do so by checking where {{ic|/proc/''PID''/root}} symmlinks to. If should link to {{ic|/srv/http}} instead of {{ic|/}}.<br />
<br />
# ps -C nginx | awk '{print $1}' | sed 1d | while read -r PID; do ls -l /proc/$PID/root; done<br />
<br />
== Tips and tricks ==<br />
<br />
<br />
==== Running unprivileged using [[systemd]] ====<br />
<br />
[[systemd#Editing_provided_units|Edit nginx.service]] and set the {{ic|User}} and optionally {{ic|Group}} options under {{ic|[Service]}}:<br />
{{hc|/etc/systemd/system/nginx.service.d/user.conf|2=<br />
[Service]<br />
User=''user''<br />
Group=''group''<br />
}}<br />
<br />
We can harden the service against ever elevating privileges:<br />
{{hc|/etc/systemd/system/nginx.service.d/user.conf|2=<br />
[Service]<br />
...<br />
NoNewPrivileges=yes<br />
}}<br />
<br />
{{Tip|1=See [http://www.freedesktop.org/software/systemd/man/systemd.exec.html#User= systemd.exec(5)] for more options of confinement.}}<br />
<br />
Then we need to ensure that {{ic|''user''}} has access to everything it needs:<br />
<br />
<dl><br />
<dt>Port</dt><br />
<dd><br />
Linux does not permit non-{{ic|root}} processes to bind to ports below 1024 by default. A port above 1024 can be used:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
server {<br />
listen 8080;<br />
}<br />
}}<br />
<br />
{{Tip|1=If you want nginx accessible on port 80 or 443, configure your [[firewall]] to redirect requests from 80 or 443 to the ports nginx listens to.}}<br />
</dd><br />
<dd><br />
Or you may grant the nginx process the CAP_NET_BIND_SERVICE capability which will allow it to bind to ports below 1024:<br />
<br />
{{hc|/etc/systemd/system/nginx.service.d/user.conf|2=<br />
[Service]<br />
...<br />
CapabilityBoundingSet=<br />
CapabilityBoundingSet=CAP_NET_BIND_SERVICE<br />
AmbientCapabilities=<br />
AmbientCapabilities=CAP_NET_BIND_SERVICE<br />
}}<br />
</dd><br />
<br />
<dt>PID file</dt><br />
<dd><br />
{{Pkg|nginx}} uses {{ic|/run/nginx.pid}} by default. We can create a directory that ''user'' has write access to and place our PID file in there. An example using [[systemd#Temporary_files|systemd-tmpfiles]]:<br />
<br />
{{hc|/etc/tmpfiles.d/nginx.conf|2=<br />
d /run/nginx 0775 root ''group'' - -<br />
}}<br />
<br />
Run the configuration:<br />
<br />
# systemd-tmpfiles --create<br />
<br />
[[systemd#Editing_provided_units|Edit nginx.service]]:<br />
<br />
{{hc|/etc/systemd/system/nginx.service.d/user.conf|2=<br />
[Service]<br />
...<br />
PIDFile=/run/nginx/nginx.pid<br />
ExecStart=<br />
ExecStart=/usr/bin/nginx -g 'pid /run/nginx/nginx.pid; error_log stderr;' # copied from nginx.service<br />
}}<br />
</dd><br />
<br />
<dt>{{ic|/var/lib/nginx/*}}</dt><br />
<dd><br />
Some directories under {{ic|/var/lib/nginx}} need to be bootstrapped by nginx running as {{ic|root}}. It is not necessary to start the whole server to do that, nginx will do it on a simple [[#Configuration_validation|configuration test]]. So just run one of those and you're good to go.<br />
</dd><br />
<br />
<dt>Remove logs</dt><br />
<dd><br />
The step of running a configuration test will create a dangling {{ic|root}}-owned log. Remove logs in {{ic|/var/log/nginx}} to start fresh.<br />
</dl><br />
<br />
Now we should be good to go. Go ahead and [[start]] nginx, and enjoy your completely rootless nginx.<br />
<br />
{{Tip|The same setup may be desirable for your [[#FastCGI|FastCGI server]] as well.}}<br />
<br />
==== Nginx Beautifier ====<br />
Nginx beautifier is a commandline tool used to beautify and format nginx configuration files, it is available on AUR {{AUR|nginxbeautifier}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Configuration validation ===<br />
<br />
# nginx -t<br />
<br />
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok<br />
nginx: configuration file /etc/nginx/nginx.conf test is successful<br />
<br />
=== Accessing local IP redirects to localhost ===<br />
<br />
Solution from the Arch Linux [https://bbs.archlinux.org/viewtopic.php?pid=780561#p780561 forum].<br />
<br />
In {{ic|/etc/nginx/nginx.conf}} locate the {{ic|server_name localhost}} line without a {{ic|#}} in front of it, and add below:<br />
<br />
server_name_in_redirect off;<br />
<br />
Default behavior is that nginx redirects any requests to the value given as {{ic|server_name}} in the config.<br />
<br />
=== Error: The page you are looking for is temporarily unavailable. Please try again later. (502 Bad Gateway) ===<br />
<br />
This is because the FastCGI server has not been started, or the socket used has wrong permissions.<br />
<br />
Try [https://stackoverflow.com/questions/4252368/nginx-502-bad-gateway/16497957#16497957 out this answer] to fix the 502 error.<br />
<br />
In Archlinux, the configure file mentioned in above link is {{ic|/etc/php/php-fpm.conf}}.<br />
<br />
On some condition, {{ic|fcgiwrap.socket}} may not start properly and create a useless unix domain socket {{ic|/run/fcgiwrap.sock}}.<br />
<br />
Try [[stop]] the {{ic|fcgiwrap.socket}} service, and remove the default unix domain socket file:<br />
{{ic|# rm /run/fcgiwrap.sock}}<br />
Then [[start]] {{ic|fcgiwrap.service}} instead.<br />
Check the status of {{ic|fcgiwrap.service}} and the new unix domain socket {{ic|/run/fcgiwrap.sock}}:<br />
{{bc|$ systemctl status fcgiwrap.service<br />
$ ls /run/fcgiwrap.sock}}<br />
If it work, [[disable]] {{ic|fcgiwrap.socket}} and [[enable]] {{ic|fcgiwrap.service}}.<br />
<br />
=== Error: No input file specified ===<br />
<br />
1. Verify that variable {{ic|open_basedir}} in {{ic|/etc/php/php.ini}} contains the correct path specified as {{ic|root}} argument in {{ic|nginx.conf}} (usually {{ic|/usr/share/nginx/}}). When using [http://php-fpm.org/ PHP-FPM] as FastCGI server for PHP, you may add {{ic|<nowiki>fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/"</nowiki>;}} in the {{ic|location}} block which aims for processing php file in {{ic|nginx.conf}}.<br />
<br />
2. Another occasion is that, wrong {{ic|root}} argument in the {{ic|location ~ \.php$}} section in {{ic|nginx.conf}}. Make sure the {{ic|root}} points to the same directory as it in {{ic|location /}} in the same server. Or you may just set root as global, do not define it in any location section.<br />
<br />
3. Check permissions: e.g. {{ic|http}} for user/group, {{ic|755}} for directories and {{ic|644}} for files. Remember the entire path to the {{ic|html}} directory should have the correct permissions. See [[File permissions and attributes#Bulk chmod]] to bulk modify a directory tree. <br />
<br />
4. You do not have the {{ic|SCRIPT_FILENAME}} containing the full path to your scripts. If the configuration of nginx ({{ic|fastcgi_param SCRIPT_FILENAME}}) is correct, this kind of error means php failed to load the requested script. Usually it is simply a permissions issue, you can just run php-cgi as root:<br />
<br />
# spawn-fcgi -a 127.0.0.1 -p 9000 -f /usr/bin/php-cgi<br />
<br />
or you should create a group and user to start the php-cgi:<br />
<br />
# groupadd www<br />
# useradd -g www www<br />
# chmod +w /srv/www/nginx/html<br />
# chown -R www:www /srv/www/nginx/html<br />
# spawn-fcgi -a 127.0.0.1 -p 9000 -u www -g www -f /usr/bin/php-cgi<br />
<br />
5. If you are running php-fpm with chrooted nginx ensure {{ic|chroot}} is set correctly within {{ic|/etc/php-fpm/php-fpm.d/www.conf}} (or {{ic|/etc/php-fpm/php-fpm.conf}} if working on older version)<br />
<br />
=== Error: "File not found" in browser or "Primary script unknown" in log file ===<br />
<br />
Ensure you have specified a {{ic|root}} and {{ic|index}} in your {{ic|server}} or {{ic|location}} directive:<br />
<br />
location ~ \.php$ {<br />
root /srv/http/root_dir;<br />
index index.php;<br />
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;<br />
include fastcgi.conf;<br />
}<br />
<br />
=== Error: chroot: '/usr/sbin/nginx' No such file or directory ===<br />
<br />
If you encounter this error when running the ''nginx'' daemon using chroot, this is likely due to missing 64 bit libraries in the jailed environment.<br />
<br />
If you are running chroot in {{ic|/srv/http}} you need to add the required 64-bit libraries.<br />
<br />
First, set up the directories:<br />
<br />
# mkdir /srv/http/usr/lib64<br />
# cd /srv/http; ln -s usr/lib64 lib64<br />
<br />
Then copy the required 64 bit libraries listed with {{ic|ldd /usr/sbin/nginx}} to {{ic|/srv/http/usr/lib64}}.<br />
<br />
If run as root, permissions for the libraries should be read and executable for all users, so no modification is required.<br />
<br />
=== Alternative script for systemd ===<br />
<br />
On pure systemd you can get advantages of chroot + systemd. [http://0pointer.de/blog/projects/changing-roots.html] Based on set [http://wiki.nginx.org/CoreModule#user user group] an pid on:<br />
<br />
{{hc|/etc/nginx/nginx.conf|2=<br />
user http;<br />
pid /run/nginx.pid;<br />
}}<br />
<br />
the absolute path of file is {{ic|/srv/http/etc/nginx/nginx.conf}}.<br />
<br />
{{hc|/etc/systemd/system/nginx.service|2=<br />
[Unit]<br />
Description=nginx (Chroot)<br />
After=syslog.target network.target<br />
<br />
[Service]<br />
Type=forking<br />
PIDFile=/srv/http/run/nginx.pid<br />
RootDirectory=/srv/http<br />
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf<br />
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf<br />
ExecReload=/usr/sbin/nginx -c /etc/nginx/nginx.conf -s reload<br />
ExecStop=/usr/sbin/nginx -c /etc/nginx/nginx.conf -s stop<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
It is not necesary to set the default location, nginx loads at default {{ic| -c /etc/nginx/nginx.conf}}, but it is a good idea though.<br />
<br />
Alternatively you can run '''only''' {{ic|ExecStart}} as chroot with parameter {{ic|RootDirectoryStartOnly}} set as {{ic|yes}} [http://www.freedesktop.org/software/systemd/man/systemd.service.html man systemd service] or start it before mount point as effective or a [http://www.freedesktop.org/software/systemd/man/systemd.path.html systemd path] is available.<br />
<br />
{{hc|/etc/systemd/system/nginx.path|2=<br />
[Unit]<br />
Description=nginx (Chroot) path<br />
[Path]<br />
PathExists=/srv/http/site/Public_html<br />
[Install]<br />
WantedBy=default.target<br />
}}<br />
<br />
[[Enable]] the created {{ic|nginx.path}} and change the {{ic|1=WantedBy=default.target}} to {{ic|1=WantedBy=nginx.path}} in {{ic|/etc/systemd/system/nginx.service}}.<br />
<br />
The {{ic|PIDFile}} in unit file allows systemd to monitor process (absolute path required). If it is undesired, you can change to default one-shoot type, and delete the reference from the unit file.<br />
<br />
== See also ==<br />
<br />
* [https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ nginix configuration pitfalls]<br />
* [https://calomel.org/nginx.html Very good in-depth 2014 look at nginx security and Reverse Proxying]<br />
* [http://www.tecmint.com/install-nginx-php-mysql-with-mariadb-engine-and-phpmyadmin-in-arch-linux/ Installing LEMP (nginx, PHP, MySQL with MariaDB engine and PhpMyAdmin) in Arch Linux]<br />
* [[Let’s Encrypt|Using SSL certificates generated with Let's Encrypt]]</div>Beej