ArchWiki - User contributions [en] (https://wiki.archlinux.org/api.php?action=feedcontributions&user=Clearmartin&feedformat=atom), 2024-03-29T00:58:10Z, MediaWiki 1.41.0
Firefox (https://wiki.archlinux.org/index.php?title=Firefox&diff=466470), 2017-01-23T22:11:40Z
<p>Clearmartin: /* KDE/GNOME integration */ - added Unity LauncherAPI add-on link as an e10s+libunity-less alternative of "Unityfox" add-on</p>
<hr />
<div>[[Category:Web browser]]<br />
[[ar:Firefox]]<br />
[[cs:Firefox]]<br />
[[de:Firefox]]<br />
[[es:Firefox]]<br />
[[fr:Firefox]]<br />
[[it:Firefox]]<br />
[[ja:Firefox]]<br />
[[ko:Firefox]]<br />
[[ru:Firefox]]<br />
[[tr:Firefox]]<br />
[[zh-hans:Firefox]]<br />
{{Related articles start}}<br />
{{Related|Browser plugins}}<br />
{{Related|Firefox/Tweaks}}<br />
{{Related|Firefox/Privacy}}<br />
{{Related|Chromium}}<br />
{{Related|Opera}}<br />
{{Related articles end}}<br />
[https://www.mozilla.org/firefox Firefox] is a popular open-source graphical web browser from [https://www.mozilla.org Mozilla].<br />
<br />
== Installing ==<br />
<br />
Firefox can be [[installed]] with the {{Pkg|firefox}} package. For printing support, install {{Pkg|gtk3-print-backends}}, which is an optional dependency of {{Pkg|gtk3}}.<br />
<br />
Other alternatives include:<br />
<br />
* {{App|Firefox Extended Support Release|long-term supported version|https://www.mozilla.org/firefox/organizations/|{{AUR|firefox-esr}} or {{AUR|firefox-esr-bin}}}}<br />
* {{App|Firefox Beta|cutting-edge version|https://www.mozilla.org/firefox/channel/desktop/#beta|{{AUR|firefox-beta}} or {{AUR|firefox-beta-bin}}}}<br />
* {{App|Firefox Developer Edition/Aurora|for developers|https://www.mozilla.org/firefox/developer/|{{AUR|firefox-aurora}}}}<br />
* {{App|Firefox Nightly|nightly builds for testing ([https://developer.mozilla.org/Firefox/Experimental_features experimental features])|https://nightly.mozilla.org/|{{AUR|firefox-nightly}}}} <br />
* {{App|Firefox KDE|Version of Firefox that incorporates an OpenSUSE patch for better KDE integration than is possible through simple Firefox plugins.|https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox|{{AUR|firefox-kde-opensuse}}}}<br />
* On top of the different Mozilla build channels, a number of forks exist with more or less special features; see [[List of applications#Gecko-based]].<br />
<br />
Here you can find an overview of Mozilla's [https://wiki.mozilla.org/Releases releases].<br />
<br />
There are a number of language packs available for Firefox, other than the standard English. Language packs are usually named as {{ic|firefox-i18n-languagecode}} (where {{ic|languagecode}} can be any language code, such as '''de''', '''ja''', '''fr''', etc.). For a list of available language packs see [https://www.archlinux.org/packages/?sort=&q=firefox-i18n&maintainer=&last_update=&flagged=&limit=100 this].<br />
<br />
== Add-ons ==<br />
<br />
Firefox is well known for its large library of add-ons which can be used to add new features or modify the behavior of existing features of Firefox. You can find new add-ons or manage installed add-ons with Firefox's "Add-ons Manager."<br />
<br />
For a list of popular add-ons, see [https://addons.mozilla.org/firefox/extensions/?sort=popular Mozilla's add-on list sorted by popularity]. See also [[Wikipedia:List of Firefox extensions|List of Firefox extensions]] on Wikipedia.<br />
<br />
=== Adding search engines ===<br />
<br />
Search engines can be added to Firefox through normal add-ons; see [https://addons.mozilla.org/firefox/search-tools/ this page] for a list of available search engines.<br />
<br />
A very extensive list of search engines can be found [http://mycroft.mozdev.org/ here].<br />
<br />
Also, you can use the [https://firefox.maltekraus.de/extensions/add-to-search-bar add-to-searchbar] extension to add a search to your search bar from any web site, by simply right clicking on the site's search field and selecting ''Add to Search Bar...''<br />
<br />
==== arch-firefox-search ====<br />
<br />
Install the {{Pkg|arch-firefox-search}} package to add Arch-specific searches (AUR, wiki, forum, etc., as specified by user) to the Firefox search toolbar.<br />
<br />
== Configuration ==<br />
<br />
Firefox exposes a number of configuration options. To examine them, enter:<br />
about:config<br />
in the Firefox address bar.<br />
<br />
Once set, these affect the user's current profile, and may be synchronized across all devices via [https://www.mozilla.org/firefox/sync/ Firefox Sync]. Please note that only a subset of the {{ic|about:config}} entries are synchronized by this method, and the exact subset may be found by searching for {{ic|services.sync.prefs}} in {{ic|about:config}}. Additional preferences and 3rd party preferences may be synchronized by creating new boolean entries prepending the config value with {{ic|services.sync.prefs.sync}} ([https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Firefox_Sync/Syncing_custom_preferences documentation] is still applicable.) To synchronize the whitelist for the extension [https://addons.mozilla.org/firefox/addon/noscript/ NoScript]:<br />
services.sync.prefs.sync.capability.policy.maonoscript.sites<br />
The boolean {{ic|noscript.sync.enabled}} must be set to true to synchronize the remainder of NoScript's preferences via Firefox Sync.<br />
<br />
Firefox also allows configuration for a profile via a {{ic|user.js}} file: [http://kb.mozillazine.org/User.js_file user.js] kept in the profile folder, usually {{ic|~/.mozilla/firefox/''some name''.default/}}. For a useful starting point, see e.g. [https://github.com/pyllyukko/user.js custom user.js], which is targeted at privacy/security conscious users.<br />
<br />
One drawback of the above approach is that it is not applied system-wide. Furthermore, this is not useful as a "pre-configuration", since the profile directory is created after first launch of the browser. You can, however, let ''firefox'' create a new profile and, after closing it again, [https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles#w_restoring-a-profile-backup copy the contents] of an already created profile folder into it. <br />
<br />
Sometimes it may be desired to lock certain settings, a feature useful in widespread deployments of customized Firefox. In order to create a system-wide configuration, follow the steps outlined in [http://kb.mozillazine.org/Locking_preferences Locking preferences]:<br />
<br />
1. Create {{ic|/usr/lib/firefox/defaults/pref/local-settings.js}}:<br />
pref("general.config.obscure_value", 0);<br />
pref("general.config.filename", "mozilla.cfg");<br />
2. Create {{ic|/usr/lib/firefox/mozilla.cfg}} (this stores the actual configuration):<br />
//<br />
//...your settings...<br />
 // e.g. to disable Pocket, uncomment the following line<br />
// lockPref("browser.pocket.enabled", false);<br />
<br />
Please note that the first line must contain exactly {{ic|//}}. The syntax of the file is similar to that of {{ic|user.js}}.<br />
<br />
=== Multimedia playback ===<br />
<br />
Firefox will try to use [[FFmpeg]] for playing multimedia inside HTML5 {{ic|<audio>}} and {{ic|<video>}} elements. For this to work, the {{Pkg|ffmpeg}} package needs to be installed.<br />
<br />
Restart Firefox, and go to [https://www.youtube.com/html5 YouTube's HTML5 page], [http://www.quirksmode.org/html5/tests/video.html video-test page] or [http://hpr.dogphilosophy.net/test/ audio-test page] to check which formats are actually supported.<br />
<br />
Since Firefox 49, HTML5 DRM playback is supported through the Google Widevine CDM; however, it is not enabled by default. See ''Preferences > Content > DRM content'' if you want to learn more.<br />
<br />
See [[Firefox tweaks#Enable additional media codecs]] for advanced configuration and enabling support for Widevine (Netflix, Amazon Video, etc.).<br />
<br />
=== Dictionaries for spell checking ===<br />
<br />
To enable spell checking for a specific language, right click on any text field and check the ''Check Spelling'' box. To select a language for spell checking, right click again and select your language from the ''Languages'' sub-menu.<br />
<br />
To get more languages just click ''Add Dictionaries...'' and select the dictionary you want to install from the list.<br />
<br />
Alternatively, you can install the {{Pkg|hunspell}} package. You also need to install dictionaries for your language, such as {{Pkg|hunspell-fr}} (for the French language) or {{Pkg|hunspell-he}} (for Hebrew).<br />
<br />
By default, Firefox will try to symlink all your hunspell dictionaries in {{ic|/usr/lib/firefox/dictionaries}}. If you want to have fewer dictionaries offered to you in Firefox, you can remove some of those links. Be aware that this change may not survive an upgrade of Firefox.<br />
<br />
When your default language choice does not stick, see [[#Firefox does not remember default spell check language]].<br />
<br />
=== KDE/GNOME integration ===<br />
<br />
* To bring the [[KDE]] look to GTK apps (including Firefox), install {{Pkg|breeze-gtk}} and {{Pkg|kde-gtk-config}}. Afterwards, go to {{ic|System Settings}} -> {{ic|Application Style}} -> {{ic|GTK}}. Be sure to choose 'Breeze' in 'Select a GTK2/GTK3 Theme' and check 'Show icons in GTK buttons' and 'Show icons in GTK'.<br />
<br />
* For integration with KDE’s mime type system and file dialogs, one can use {{AUR|firefox-kde-opensuse}} variant from AUR with OpenSUSE’s patches applied.<br />
<br />
* Add-ons may provide some integration, such as [https://addons.mozilla.org/firefox/addon/kde5-wallet-password-integrati/ KWallet integration], [https://addons.mozilla.org/firefox/addon/gnotifier/ GNotifier], [https://addons.mozilla.org/firefox/addon/unityfox-revived/ Unityfox Revived] (or e10s compatible {{AUR|firefox-extension-unity-launcher-api-e10s}}), and [https://addons.mozilla.org/firefox/addon/plasmanotify/ Plasma notifications].<br />
<br />
* Install {{AUR|mozilla-extension-gnome-keyring-git}} (all-JavaScript implementation) to integrate Firefox with [[GNOME Keyring]]. To make firefox-gnome-keyring use your login keychain, set extensions.gnome-keyring.keyringName to "login" (without the double quotes) in about:config. Note the lowercase 'l' despite the keychain name having an uppercase 'L' in Seahorse.<br />
<br />
== Plugins ==<br />
<br />
{{Note|Firefox will remove support for plugins (except for Flash) in Firefox 52 (March 2017).[https://support.mozilla.org/en-US/kb/npapi-plugins] Firefox 52 ESR will still support plugins.}}<br />
<br />
See the main article: [[Browser plugins]]<br />
<br />
To find out what plugins are installed/enabled, enter:<br />
about:plugins<br />
in the Firefox address bar or go to the ''Add-ons'' entry in the Firefox Menu and select the ''Plugins'' tab.<br />
<br />
== Tips and tricks ==<br />
<br />
For general enhancements see [[Firefox/Tweaks]], for privacy related enhancements see [[Firefox/Privacy]].<br />
<br />
=== Screenshot of webpage ===<br />
<br />
To use Firefox to take a screenshot of a webpage open the developer console using {{ic|Shift+F2}}. Then type in:<br />
<br />
screenshot ''filename''<br />
<br />
where ''filename'' is optional.<br />
<br />
To take a screenshot of the entire page, not just the section displayed on the screen, use the {{ic|--fullpage}} option:<br />
<br />
screenshot --fullpage ''filename''<br />
<br />
== Troubleshooting ==<br />
<br />
=== Firefox startup takes very long ===<br />
<br />
If Firefox takes much longer to start up than other browsers, it may be due to lacking configuration of the localhost in {{ic|/etc/hosts}}. See [[Network configuration#Local network hostname resolution]] on how to set it up. <br />
<br />
=== Font troubleshooting ===<br />
<br />
See [[Font configuration]].<br />
<br />
Firefox has a setting which determines how many replacements it will allow from fontconfig. To allow it to use all your replacement-rules, change {{ic|gfx.font_rendering.fontconfig.max_generic_substitutions}} to {{ic|127}} (the highest possible value).<br />
<br />
=== Setting an email client ===<br />
<br />
Inside the browser, {{ic|mailto}} links by default are opened by a web application such as Gmail or Yahoo Mail. To set an external email program, go to ''Preferences > Applications'' and modify the ''action'' corresponding to the {{ic|mailto}} content type; the file path will need to be designated (e.g. {{ic|/usr/bin/kmail}} for Kmail).<br />
<br />
Outside the browser, {{ic|mailto}} links are handled by the {{ic|x-scheme-handler/mailto}} mime type, which can be easily configured with [[xdg-mime]]. See [[Default applications]] for details and alternatives.<br />
<br />
=== File association ===<br />
<br />
See [[Default applications]].<br />
<br />
=== Firefox keeps creating ~/Desktop even when this is not desired ===<br />
<br />
Firefox uses {{ic|~/Desktop}} as the default place for download and upload files. To change it to another folder, set the {{ic|XDG_DESKTOP_DIR}} option as explained in [[XDG user directories]].<br />
<br />
=== Make plugins respect blocked pop-ups ===<br />
<br />
Some plugins can misbehave and bypass the default settings, such as the Flash plugin. You can prevent this by doing the following:<br />
<br />
# Type {{ic|about:config}} into the address bar.<br />
# Right-click on the page and select {{ic|New}} and then {{ic|Integer}}.<br />
# Name it {{ic|privacy.popups.disable_from_plugins}}.<br />
# Set the value to 2.<br />
<br />
The possible values are:<br />
* '''0''': Allow all popups from plugins.<br />
* '''1''': Allow popups, but limit them to dom.popup_maximum.<br />
* '''2''': Block popups from plugins.<br />
* '''3''': Block popups from plugins, even on whitelisted sites.<br />
<br />
=== Middle-click errors ===<br />
<br />
A common error message you can get while using the middle mouse button in Firefox is:<br />
The URL is not valid and cannot be loaded.<br />
<br />
Another symptom is that middle-clicking results in unexpected behavior, like accessing a random web page.<br />
<br />
The reason stems from the use of the middle mouse buttons in UNIX-like operating systems. The middle mouse button is used to paste whatever text has been highlighted/added to the clipboard. Then there is the possibly conflicting feature in Firefox, which defaults to loading the URL of the corresponding text when the button is depressed. This can be easily disabled by going to {{ic|about:config}} and setting the {{ic|middlemouse.contentLoadURL}} option to '''false'''.<br />
<br />
Alternatively, having the traditional scroll cursor on middle-click (default behavior on Windows browsers) can be achieved by searching for {{ic|general.autoScroll}} and setting it to '''true'''.<br />
<br />
=== Backspace does not work as the 'Back' button ===<br />
<br />
As per [http://ubuntu.wordpress.com/2006/12/21/fix-firefox-backspace-to-take-you-to-the-previous-page/ this article], the feature has been removed in order to fix a bug. To re-introduce the original behavior go to {{ic|about:config}} and set the {{ic|browser.backspace_action}} option to '''0''' (zero).<br />
<br />
=== Firefox does not remember login information ===<br />
<br />
It may be due to a corrupted {{ic|cookies.sqlite}} file in [http://support.mozilla.com/en-US/kb/Profiles#How_to_find_your_profile Firefox's profile] folder. In order to fix this, just rename or remove {{ic|cookies.sqlite}} while Firefox is not running.<br />
<br />
Open a terminal of choice and type the following:<br />
$ cd ~/.mozilla/firefox/xxxxxxxx.default/<br />
$ rm -f cookies.sqlite<br />
{{Note|xxxxxxxx represents a random string of 8 characters.}}<br />
<br />
Restart Firefox and see if it solved the problem.<br />
<br />
=== Unreadable input fields with dark GTK+ themes ===<br />
<br />
{{Merge|Firefox tweaks#Appearance|Anything on that page might be in troubleshooting section as well, so let us keep the info in one place.}}<br />
<br />
When using a dark [[GTK+]] theme, one might encounter Internet pages with unreadable input and text fields (e.g. Amazon can have white text on white background). This can happen because the site only sets either background or text color, and Firefox takes the other one from the theme. The extension [https://addons.mozilla.org/firefox/addon/text-contrast-for-dark-themes/ Text Contrast for Dark Themes] sets the other color as needed to maintain contrast.<br />
<br />
Another workaround is to explicitly set standard colors for all web pages in {{ic|~/.mozilla/firefox/xxxxxxxx.default/chrome/userContent.css}} or to use the [https://addons.mozilla.org/firefox/addon/stylish/ stylish add-on].<br />
<br />
The following sets input fields to standard black text / white background; both can be overridden by the displayed site, so that colors are seen as intended:<br />
<br />
{{Note|If you want {{ic|urlbar}} and {{ic|searchbar}} to be {{ic|white}} remove the two first {{ic|:not}} css selectors.}}<br />
{{bc|<br />
1=input:not(.urlbar-input):not(.textbox-input):not(.form-control):not([type='checkbox']) {<br />
-moz-appearance: none !important;<br />
background-color: white;<br />
color: black;<br />
}<br />
<br />
#downloads-indicator-counter {<br />
color: white;<br />
}<br />
<br />
textarea {<br />
-moz-appearance: none !important;<br />
background-color: white;<br />
color: black;<br />
}<br />
<br />
select {<br />
-moz-appearance: none !important;<br />
background-color: white;<br />
color: black;<br />
}<br />
}}<br />
<br />
Alternatively, force Firefox to use a light theme (e.g. "Adwaita:light"):<br />
<br />
# Copy {{ic|/usr/share/applications/firefox.desktop}} to {{ic|~/.local/share/applications/firefox.desktop}} and replace all occurrences of {{ic|1=Exec=firefox}} with {{ic|1=Exec=env GTK_THEME=Adwaita:light firefox}}.<br />
# Close all running instances of Firefox and restart your window manager/desktop environment.<br />
<br />
=== "Do you want Firefox to save your tabs for the next time it starts?" dialog does not appear ===<br />
<br />
From the [http://support.mozilla.com/en-US/questions/767751 Mozilla support] site:<br />
<br />
# Type {{ic|about:config}} in the address bar.<br />
# Set {{ic|browser.warnOnQuit}} to '''true'''.<br />
# Set {{ic|browser.showQuitWarning}} to '''true'''.<br />
<br />
=== Silently fails when installing desktop apps from marketplace ===<br />
<br />
Installation of apps from Firefox OS Marketplace will silently fail if there is no {{ic|~/.local/share/applications}} folder.<br />
<br />
=== Firefox detects the wrong version of my plugin ===<br />
<br />
When you close Firefox, the latter saves the current timestamp and version of your plugins inside {{ic|pluginreg.dat}} located in your profile folder, typically in {{ic|~/.mozilla/firefox/''some name''.default/}}.<br />
<br />
If you upgraded your plugin while Firefox was still running, that file will contain the wrong information. The next time you restart Firefox, you will get the message {{ic|Firefox has prevented the outdated plugin "XXXX" from running on ...}} when you try to open content dedicated to that plugin on the web. This problem often appears with the official [[Browser plugins#Flash Player|Adobe Flash Player plugin]] when it has been upgraded while Firefox was still running.<br />
<br />
The solution is to remove the file {{ic|pluginreg.dat}} from your profile. Firefox will not complain about the missing file, as it will be recreated the next time Firefox is closed.<br />
[https://bugzilla.mozilla.org/show_bug.cgi?id=1109795#c16]<br />
<br />
=== Javascript context menu does not appear on some sites ===<br />
<br />
In {{ic|about:config}}, unset the {{ic|dom.w3c_touch_events.enabled}} setting.<br />
<br />
=== Firefox does not remember default spell check language ===<br />
<br />
The default spell checking language can be set as follows:<br />
<br />
# Type {{ic|about:config}} in the address bar.<br />
# Set {{ic|spellchecker.dictionary}} to your language of choice, for instance {{ic|en_GB}}.<br />
# Notice that for dictionaries installed as a Firefox plugin the notation is {{ic|en-GB}}, and for {{Pkg|hunspell}} dictionaries the notation is {{ic|en_GB}}.<br />
<br />
When you only have system wide dictionaries installed with {{Pkg|hunspell}}, Firefox might not remember your default dictionary language settings. This can be fixed by having at least one [https://addons.mozilla.org/firefox/language-tools/ dictionary] installed as a Firefox plugin. Notice that now you will also have a tab '''Dictionaries''' in '''add-ons'''.<br />
<br />
Related questions on the '''StackExchange''' platform: [http://stackoverflow.com/questions/26936792/change-firefox-spell-check-default-language/29446115], [http://stackoverflow.com/questions/21542515/change-default-language-on-firefox/29446353], [http://askubuntu.com/questions/184300/how-can-i-change-firefoxs-default-dictionary/576877]<br />
<br />
Related bug reports: [https://bugzilla.mozilla.org/show_bug.cgi?id=776028 Bugzilla 776028], [https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1026869 Ubuntu bug 1026869]<br />
<br />
=== Some MathML symbols are missing ===<br />
<br />
You need some Math fonts, namely Latin Modern Math and STIX (see this MDN page: [https://developer.mozilla.org/en-US/docs/Mozilla/MathML_Project/Fonts#Linux]), to display MathML correctly.<br />
<br />
In Arch Linux, these fonts are provided by {{Pkg|texlive-core}} '''and''' {{Pkg|texlive-fontsextra}}, but they are not available to fontconfig by default. See [[TeX Live#Fonts]] for details. You can also try other [[Fonts#Math|Math fonts]].<br />
<br />
=== Picture flickers while scrolling ===<br />
{{Accuracy|Most likely a driver issue, useless without reference}}<br />
{{Note|Problem available in some MATE desktops}}<br />
Uncheck the "smooth scrolling" settings:<br />
Edit > Settings > Advanced > General > Use smooth scrolling<br />
<br />
=== Tearing video in fullscreen mode ===<br />
<br />
If you are using the Xorg Intel or Nouveau drivers and experience tearing video in fullscreen mode, try [[Firefox tweaks#Enable OpenGL Off-Main-Thread Compositing (OMTC)]].<br />
<br />
=== Firefox looks bad with GTK+ >=3.20 ===<br />
<br />
Firefox (as of version 47) [https://bugzilla.mozilla.org/show_bug.cgi?id=1264079 does not support] GTK+ >=3.20 and may look unsightly as a result. A possible resolution is compiling Firefox against GTK2 instead, see {{AUR|firefox-gtk2}}. Alternatively, you may use [[Unofficial_user_repositories#markzz|markzz's repository]] or [[Unofficial_user_repositories#archlinuxcn|archlinuxcn's]] (x86_64 only) for pre-built GTK2 Firefox packages.<br />
<br />
=== Firefox WebRTC module cannot detect a microphone ===<br />
<br />
WebRTC applications, for instance the [https://mozilla.github.io/webrtc-landing/gum_test.html Firefox WebRTC getUserMedia test page], say that the microphone cannot be found. The issue is reproducible with both ALSA and PulseAudio setups. Firefox debug logs show the following error:<br />
<br />
{{hc|1=$ NSPR_LOG_MODULES=MediaManager:5,GetUserMedia:5 firefox|2=<br />
...<br />
[Unnamed thread 0x7fd7c0654340]: D/GetUserMedia VoEHardware:GetRecordingDeviceName: Failed 1<br />
}}<br />
<br />
You can try setting the {{ic|media.navigator.audio.full_duplex}} property to {{ic|false}} on the {{ic|about:config}} page and restarting Firefox.<br />
<br />
== See also ==<br />
<br />
* [http://www.mozilla.org/firefox/ Official website]<br />
* [http://www.mozilla.org/ Mozilla Foundation]<br />
* [https://wiki.mozilla.org/Firefox Firefox wiki]<br />
* [https://addons.mozilla.org/ Firefox Add-ons]<br />
* [https://addons.mozilla.org/firefox/themes/ Firefox themes]</div>
Clearmartin
Dm-crypt/Specialties (https://wiki.archlinux.org/index.php?title=Dm-crypt/Specialties&diff=381659), 2015-07-10T05:21:28Z
<p>Clearmartin: typo fixed</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Encryption]]<br />
[[Category:File systems]]<br />
[[ja:Dm-crypt/特記事項]]<br />
Back to [[Dm-crypt]].<br />
<br />
==Securing the unencrypted boot partition==<br />
The {{ic|/boot}} partition and the [[Master Boot Record]] are the two areas of the disk that are not encrypted, even in an [[Dm-crypt/Encrypting_an_entire_system|encrypted root]] configuration. They cannot usually be encrypted because the [[boot loader]] and BIOS (respectively) are unable to unlock a dm-crypt container in order to continue the boot process. An exception is [[GRUB]], which gained a feature to unlock a LUKS encrypted {{ic|/boot}} - see [[GRUB#Boot partition]]. <br />
<br />
This section describes steps that can be taken to make the boot process more secure. <br />
<br />
{{Warning|Note that securing the {{ic|/boot}} partition and MBR can mitigate numerous attacks that occur during the boot process, but systems configured this way may still be vulnerable to BIOS/UEFI/firmware tampering, hardware keyloggers, cold boot attacks, and many other threats that are beyond the scope of this article. For an overview of system-trust issues and how these relate to full-disk encryption, refer to [http://www.youtube.com/watch?v&#61;pKeiKYA03eE].}}<br />
<br />
===Booting from a removable device===<br />
<br />
Using a separate device to boot a system is a fairly straightforward procedure, and offers a significant security improvement against some kinds of attacks. Two vulnerable parts of a system employing an [[Dm-crypt/Encrypting_an_entire_system|encrypted root filesystem]] are<br />
* the [[Master Boot Record]], and<br />
* the {{ic|/boot}} partition.<br />
These must be stored unencrypted in order for the system to boot. In order to protect these from tampering, it is advisable to store them on a removable medium, such as a USB drive, and boot from that drive instead of the hard disk. As long as you keep the drive with you at all times, you can be certain that those components have not been tampered with, making authentication far more secure when unlocking your system.<br />
<br />
It is assumed that you already have your system configured with a dedicated partition mounted at {{ic|/boot}}. If you do not, please follow the steps in [[dm-crypt/System configuration#Boot loader]], substituting your hard disk for a removable drive.<br />
{{Note|You must make sure your system supports booting from the chosen medium, be it a USB drive, an external hard drive, an SD card, or anything else.}}<br />
Prepare the removable drive ({{ic|/dev/sdx}}).<br />
# gdisk /dev/sdx #format if necessary. Alternatively, cgdisk, fdisk, cfdisk, gparted...<br />
# mkfs.ext2 /dev/sdx1<br />
# mount /dev/sdx1 /mnt<br />
Copy your existing {{ic|/boot}} contents to the new one.<br />
# cp -R -i -d /boot/* /mnt<br />
Mount the new partition. Do not forget to update your [[fstab]] file accordingly.<br />
# umount /boot<br />
# umount /mnt<br />
# mount /dev/sdx1 /boot<br />
# genfstab -p -U / > /etc/fstab<br />
Update [[GRUB]]. {{ic|grub-mkconfig}} should detect the new partition UUID automatically, but custom menu entries may need to be updated manually.<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
# grub-install /dev/sdx #install to the removable device, not the hard disk.<br />
Reboot and test the new configuration. Remember to set your device boot order accordingly in your [[BIOS]] or [[UEFI]]. If the system fails to boot, you should still be able to boot from the hard drive in order to correct the problem.<br />
<br />
===chkboot===<br />
{{warning|chkboot makes a {{ic|/boot}} partition '''tamper-evident''', not '''tamper-proof'''. By the time the chkboot script is run, you have already typed your password into a potentially compromised boot loader, kernel, or initrd. If your system fails the chkboot integrity test, no assumptions can be made about the security of your data.}}<br />
Referring to an article from the ct-magazine (Issue 3/12, page 146, 01.16.2012, [http://www.heise.de/ct/inhalt/2012/03/6/]), the following script checks files under {{ic|/boot}} for changes of SHA-1 hash, inode, and occupied blocks on the hard drive. It also checks the [[Master Boot Record]]. The script cannot prevent certain types of attacks, but a lot of them are made harder. No configuration of the script itself is stored in the unencrypted {{ic|/boot}}. With a locked/powered-off encrypted system, this makes it harder for some attackers because it is not apparent that an automatic checksum comparison of the partition is done upon boot. However, an attacker who anticipates these precautions can manipulate the firmware to run his own code on top of your kernel and intercept file system access, e.g. to {{ic|boot}}, and present the untampered files. Generally, no security measures below the level of the firmware are able to guarantee trust and tamper evidence.<br />
<br />
The script with installation instructions is [ftp://ftp.heise.de/pub/ct/listings/1203-146.zip available] (Author: Juergen Schmidt, ju at heisec.de; License: GPLv2). There is also the {{AUR|chkboot}} package to [[install]].<br />
<br />
After installation add a service file (the package includes one based on the following) and [[enable]] it: <br />
[Unit]<br />
Description=Check that boot is what we want<br />
Requires=basic.target<br />
After=basic.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/local/bin/chkboot.sh<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
<br />
There is a small caveat for systemd: At the time of writing, the original {{ic|chkboot.sh}} script provided contains an empty space at the beginning of {{ic|<u> </u>#!/bin/bash}} which has to be removed for the service to start successfully.<br />
<br />
As {{ic|/usr/local/bin/chkboot_user.sh}} needs to be executed after login, add it to the autostart (e.g. under KDE -> ''System Settings -> Startup and Shutdown -> Autostart''; GNOME 3: ''gnome-session-properties''). <br />
<br />
With Arch Linux, changes to {{ic|/boot}} are pretty frequent, for example by new kernels rolling-in. Therefore it may be helpful to use the scripts with every full system update. One way to do so: <br />
<br />
#!/bin/bash<br />
#<br />
# Note: Insert your <user> and execute it with sudo for pacman & chkboot to work automagically<br />
#<br />
 echo "Pacman update [1] Quickcheck before updating"<br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> <br />
/usr/local/bin/chkboot.sh<br />
sync # sync disks with any results <br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user> <br />
echo "Pacman update [2] Syncing repos for pacman" <br />
pacman -Syu<br />
/usr/local/bin/chkboot.sh<br />
sync <br />
sudo -u <user> /usr/local/bin/chkboot_user.sh # insert your logged on <user><br />
echo "Pacman update [3] All done, let us roll on ..."<br />
<br />
=== mkinitcpio-chkcryptoboot === <br />
{{Warning|This hook does '''not''' encrypt [[GRUB]]'s core (MBR) code or EFI stub, nor does it protect against situations where an attacker is able to modify the behaviour of the bootloader to compromise the kernel and/or initramfs at run-time.}}<br />
{{aur|mkinitcpio-chkcryptoboot}} is a [[mkinitcpio]] hook that performs integrity checks during early-userspace and advises the user not to enter his root partition password if the system appears to have been compromised. Security is achieved through an [[Dm-crypt/Encrypting_an_entire_system#Encrypted_boot_partition_.28GRUB.29|encrypted boot partition]], which is unlocked using [[GRUB#Boot_partition|GRUB]]'s {{ic|cryptodisk.mod}} module, and a root filesystem partition, which is encrypted with a password different from the former. This way, the [[initramfs]] and [[kernel]] are secured against offline tampering, and the root partition can remain secure even if the {{ic|/boot}} partition password is entered on a compromised machine (provided that the chkcryptoboot hook detects the compromise, and is not itself compromised at run-time). <br />
<br />
This hook requires {{pkg|GRUB}} release >=2.00 to function, and a dedicated, LUKS encrypted {{ic|/boot}} partition with its own password in order to be secure.<br />
<br />
==== Installation ====<br />
[[Install]] {{aur|mkinitcpio-chkcryptoboot}} and edit {{ic|/etc/default/chkcryptoboot.conf}}. If you want the ability of detecting if your boot partition was bypassed, edit the {{ic|CMDLINE_NAME}} and {{ic|CMDLINE_VALUE}} variables, with values known only to you. You can follow the advice of using two hashes as is suggested right after the installation. Also, be sure to make the appropriate changes to the [[Kernel parameters|kernel command line]] in {{ic|/etc/default/grub}}. Edit the {{ic|1=HOOKS=}} line in {{ic|/etc/mkinitcpio.conf}}, and insert the {{ic|chkcryptoboot}} hook '''before''' {{ic|encrypt}}. When finished, [[Mkinitcpio#Image_creation_and_activation|rebuild]] the initramfs.<br />
<br />
==== Technical Overview ====<br />
{{aur|mkinitcpio-chkcryptoboot}} consists of an install hook and a run-time hook for mkinitcpio. The install hook runs every time the initramfs is rebuilt, and hashes the GRUB [[UEFI|EFI]] stub ({{ic|$esp/EFI/grub_uefi/grubx64.efi}}) (in the case of [[UEFI]] systems) or the first 446 bytes of the disk on which GRUB is installed (in the case of BIOS systems), and stores that hash inside the initramfs located inside the encrypted {{ic|/boot}} partition. When the system is booted, GRUB prompts for the {{ic|/boot}} password, then the run-time hook performs the same hashing operation and compares the resulting hashes before prompting for the root partition password. If they do not match, the hook will print an error like this:<br />
{{bc|CHKCRYPTOBOOT ALERT!<br />
CHANGES HAVE BEEN DETECTED IN YOUR BOOT LOADER EFISTUB!<br />
YOU ARE STRONGLY ADVISED NOT TO ENTER YOUR ROOT CONTAINER PASSWORD!<br />
Please type uppercase yes to continue:<br />
}}<br />
<br />
In addition to hashing the boot loader, the hook also checks the parameters of the running kernel against those configured in {{ic|/etc/default/chkcryptoboot.conf}}. This is checked both at run-time and after the boot process is done. The run-time check lets the hook detect whether GRUB's configuration was bypassed, and the later check lets it detect whether the entire {{ic|/boot}} partition was bypassed.<br />
<br />
For BIOS systems the hook creates a hash of GRUB's first stage bootloader (installed to the first 446 bytes of the bootdevice) to compare at the later boot processes. The main second-stage GRUB bootloader {{ic|core.img}} is not checked.<br />
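<br />
The record-then-compare step described above for BIOS systems, as an added sketch that is not the code shipped in {{aur|mkinitcpio-chkcryptoboot}}. The use of SHA-256, the function names and the reference-file location are assumptions, and the "disk" is a constructed image file.<br />

```shell
#!/bin/bash
# Added illustration; not the code shipped in mkinitcpio-chkcryptoboot.
# Assumed: SHA-256 as the hash, the function names, and the reference-file layout.

BOOT_CODE_LEN=446   # MBR boot code area; bytes 446-511 hold the partition table

# Print the SHA-256 of the first 446 bytes of a disk or image; fail on short reads.
hash_boot_code() {
    local dev=$1 len
    len=$(dd if="$dev" bs="$BOOT_CODE_LEN" count=1 2>/dev/null | wc -c)
    [ "$len" -eq "$BOOT_CODE_LEN" ] || return 1
    dd if="$dev" bs="$BOOT_CODE_LEN" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Install-time step: store the reference hash. On a real system the reference
# lives inside the initramfs on the encrypted /boot, so it cannot be edited offline.
record_reference() {
    local dev=$1 ref=$2 h
    h=$(hash_boot_code "$dev") || return 1
    printf '%s\n' "$h" > "$ref"
}

# Boot-time step. Returns 0 = unchanged, 1 = boot code differs, 2 = cannot check.
verify_boot_code() {
    local dev=$1 ref=$2 expected current
    [ -r "$ref" ] || return 2
    read -r expected < "$ref" || return 2
    current=$(hash_boot_code "$dev") || return 2
    [ "$current" = "$expected" ] && return 0
    return 1
}

# Gate to run before the passphrase prompt. It fails closed: a missing
# reference or an unreadable device blocks just like a mismatch does.
unlock_gate() {
    local rc=0
    verify_boot_code "$1" "$2" || rc=$?
    case $rc in
        0) echo "boot code unchanged" ;;
        1) echo "ALERT: boot code differs from reference" >&2 ;;
        *) echo "ALERT: boot code could not be verified" >&2 ;;
    esac
    return "$rc"
}

demo() {
    local dir img
    dir=$(mktemp -d) || return 1
    img=$dir/disk.img                       # constructed 512-byte "disk"
    dd if=/dev/zero of="$img" bs=512 count=1 2>/dev/null
    record_reference "$img" "$dir/mbr.sha256"
    unlock_gate "$img" "$dir/mbr.sha256"
    # A partition table edit (offset 446 and up) is outside the hashed range.
    printf '\200' | dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    unlock_gate "$img" "$dir/mbr.sha256"
    # One changed byte inside the boot code trips the check.
    printf '\353' | dd of="$img" bs=1 seek=0 conv=notrunc 2>/dev/null
    unlock_gate "$img" "$dir/mbr.sha256" || echo "gate blocked the prompt"
    rm -rf "$dir"
}
demo
```

As in the hook itself, only the first-stage boot code is covered here; {{ic|core.img}} is outside the hashed range.<br />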
<br />
===Other methods ===<br />
<br />
As an alternative to the above scripts, a hash check can be set up with [[AIDE]], which can be customized via a very flexible configuration file.<br />
<br />
While one of these methods should serve the purpose for most users, they do not address all security problems associated with the unencrypted {{ic|/boot}}. One approach which endeavours to provide a fully authenticated boot chain was published with POTTS as an academic thesis to implement the [http://www1.informatik.uni-erlangen.de/stark STARK] authentication framework. <br />
<br />
The POTTS proof-of-concept uses Arch Linux as a base distribution and implements a system boot chain with <br />
* POTTS - a boot menu for a one-time authentication message prompt <br />
* TrustedGrub - a [[GRUB Legacy]] implementation which authenticates the kernel and initramfs against TPM chip registers <br />
* TRESOR - a kernel patch which implements AES but keeps the master-key not in RAM but in CPU registers during runtime. <br />
As part of the thesis [http://13.tc/p/potts/manual.html installation] instructions based on Arch Linux (ISO as of 2013-01) have been published. If you want to try it, be aware these tools are not in standard repositories and the solution will be time consuming to maintain.<br />
<br />
==Using GPG or OpenSSL Encrypted Keyfiles==<br />
The following forum posts give instructions to use two factor authentication, gpg or openssl encrypted keyfiles, instead of a plaintext keyfile described earlier in this wiki article [https://bbs.archlinux.org/viewtopic.php?id=120243 System Encryption using LUKS with GPG encrypted keys]:<br />
* GnuPG: [https://bbs.archlinux.org/viewtopic.php?pid=943338#p943338 Post regarding GPG encrypted keys] This post has the generic instructions.<br />
* OpenSSL: [https://bbs.archlinux.org/viewtopic.php?pid=947805#p947805 Post regarding OpenSSL encrypted keys] This post only has the {{ic|ssldec}} hooks.<br />
* OpenSSL: [https://bbs.archlinux.org/viewtopic.php?id=155393 Post regarding OpenSSL salted bf-cbc encrypted keys] This post has the {{ic|bfkf}} initcpio hooks, install, and encrypted keyfile generator scripts.<br />
* LUKS: [https://bbs.archlinux.org/viewtopic.php?pid=1502651#p1502651 Post regarding LUKS encrypted keys] with a {{ic|lukskey}} initcpio hook.<br />
<br />
Note that:<br />
* You can follow the above instructions with only two primary partitions: one boot partition (required because of LVM), and one primary LVM partition. Within the LVM partition you can have as many partitions as you need, but most importantly it should contain at least root, swap, and home logical volume partitions. This has the added benefit of having only one keyfile for all your partitions, and having the ability to hibernate your computer (suspend to disk) where the swap partition is encrypted. If you decide to do so your hooks in {{ic|/etc/mkinitcpio.conf}} should look like {{ic|HOOKS&#61;" ... usb usbinput (etwo or ssldec) encrypt(if using openssl) lvm2 resume ... "}} and you should add {{ic|"resume&#61;/dev/mapper/<VolumeGroupName>-<LVNameOfSwap>"}} to your [[kernel parameters]].<br />
* If you need to temporarily store the unencrypted keyfile somewhere, do not store it on an unencrypted disk. Even better, make sure to store it in RAM, such as {{ic|/dev/shm}}.<br />
* If you want to use a GPG encrypted keyfile, you need to use a statically compiled GnuPG version 1.4 or you could edit the hooks and use this AUR package {{AUR|gnupg1}}.<br />
* It is possible that an update to OpenSSL could break the custom {{ic|ssldec}} mentioned in the second forum post.<br />
<br />
==Remote unlocking of the root (or other) partition==<br />
If you want to be able to reboot a fully LUKS-encrypted system remotely, or start it with a [[Wake-on-LAN]] service, you will need a way to enter a passphrase for the root partition/volume at startup. This can be achieved by running the [[mkinitcpio]] {{ic|net}} hook along with an [[SSH]] server in initrd. [[Install]] the {{AUR|dropbear_initrd_encrypt}} package and follow the post-installation instructions:<br />
<br />
# If you do not have an SSH key pair yet, [[SSH keys#Generating_an_SSH_key_pair|generate one]] on the client system (the one which will be used to unlock the remote machine).<br />
# Insert your SSH public key (i.e. the one you usually put onto hosts so that you can ssh in without a password, or the one you just created and which ends with ''.pub'') into the remote machine's {{ic|/etc/dropbear/root_key}} file using the method of your choice, e.g.:<br />
#*[[SSH keys#Copying_the_public_key_to_the_remote_server|copy the public key to the remote system]]<br />
#* then enter the following command (on the remote system): {{bc|# cat /home/<user>/.ssh/authorized_keys > /etc/dropbear/root_key}}{{Tip|This method can later be used to add other SSH public keys as needed; in that case verify the content of remote {{ic|~/.ssh/authorized_keys}} contains only keys you agree to be used to unlock the remote machine. When adding additional keys, also regenerate your initrd with mkinitcpio. See also [[SSH keys#Security]].}}<br />
# Add the {{ic|dropbear encryptssh}} [[Mkinitcpio#HOOKS|hooks]] before {{ic|filesystems}} within the "HOOKS" array in {{ic|/etc/mkinitcpio.conf}} (or replace {{ic|encrypt}} with them if it was present). Put the {{ic|net}} hook early in the HOOKS array if your DHCP server takes a long time to lease IP addresses, and in any case place it before the {{ic|dropbear encryptssh}} hooks (between {{ic|modconf}} and {{ic|block}} proves functional). Then [[Mkinitcpio#Image_creation_and_activation|rebuild the initramfs image]].<br />
# Configure the required {{ic|1=cryptdevice=}} [[Dm-crypt/System_configuration#Boot_loader|parameter]] and add the {{ic|1=ip=}} [[Kernel_parameters|kernel command parameter]] to your bootloader configuration with the appropriate arguments (see [[Mkinitcpio#Using_net]]). For example, if the DHCP server does not attribute a static IP to your remote system, making it difficult to access via SSH across reboots, you can explicitly state the IP you want to be used:{{bc|<nowiki>ip=192.168.1.1:::::eth0:none</nowiki>}}{{Note|Make sure to use kernel device names for the interface name (under the form ''eth#'') and not ''udev'' ones, as those will not work.}}Then update the configuration of your [[Boot_loaders|bootloader]], e.g. for [[GRUB#Generating_main_configuration_file|GRUB]]:{{bc|# grub-mkconfig -o /boot/grub/grub.cfg}}<br />
# Finally, restart the remote system and try to [[Secure_Shell#Connecting_to_the_server|ssh to it]], '''explicitly stating the "root" username''' (even if the root account is disabled on the machine, here it is a special "root" user set by ''dropbear'' for the purpose of unlocking the remote system). You may see a warning about host authenticity that you can safely ignore (type ''yes''), then you should be presented with a prompt asking you to enter the passphrase for unlocking the remote root:<br />
{{hc|$ ssh '''root'''@192.168.1.1|Enter passphrase for /dev/disk/by-id/wwn-...-part2: <br />
Connection to 192.168.1.1 closed.}}<br />
Afterwards, the system will complete its boot process and you can ssh to it [[Secure_Shell#Connecting_to_the_server|as you normally would]] (with the remote user of your choice).<br />
<br />
{{Tip|1=If you would simply like a nice solution to mount other encrypted partitions (such as {{ic|/home}}) remotely, you may want to look at [https://bbs.archlinux.org/viewtopic.php?pid=880484 this forum thread].}}<br />
<br />
=== Remote unlock via wifi ===<br />
The net hook is normally used with an ethernet connection. In case you want to setup a computer with wireless only, and unlock it via wifi, you can create a custom hook to connect to a wifi network before the net hook is run.<br />
<br />
The example below shows a setup using a USB wifi adapter, connecting to a wifi network protected with WPA2-PSK. If you use, for example, WEP or another boot loader, you might need to change some things.<br />
<br />
# Modify {{ic|/etc/mkinitcpio.conf}}:<br />
#* Add the needed kernel module for your specific wifi adapter.<br />
#* Include the {{ic|wpa_passphrase}} and {{ic|wpa_supplicant}} binaries.<br />
#* Add a hook {{ic|wifi}} (or a name of your choice, this is the custom hook that will be created) before the {{ic|net}} hook.{{bc|1=MODULES="''module''"<br>BINARIES="wpa_passphrase wpa_supplicant"<br>HOOKS="base udev autodetect ... '''wifi''' net ... dropbear encryptssh ..."}}<br />
# Create the {{ic|wifi}} hook in {{ic|/lib/initcpio/hooks/wifi}}:{{bc|run_hook ()<br>{<br>&#09;# sleep a couple of seconds so wlan0 is setup by kernel<br>&#09;sleep 5<br><br>&#09;# set wlan0 to up<br>&#09;ip link set wlan0 up<br><br>&#09;# associate with wifi network<br>&#09;# 1. save temp config file<br>&#09;wpa_passphrase "''network ESSID''" "''pass phrase''" > /tmp/wifi<br><br>&#09;# 2. associate<br>&#09;wpa_supplicant -B -D nl80211,wext -i wlan0 -c /tmp/wifi<br><br>&#09;# sleep a couple of seconds so that wpa_supplicant finishes connecting<br>&#09;sleep 5<br><br>&#09;# wlan0 should now be connected and ready to be assigned an ip by the net hook<br>}<br><br>run_cleanuphook ()<br>{<br>&#09;# kill wpa_supplicant running in the background<br>&#09;killall wpa_supplicant<br><br>&#09;# set wlan0 link down<br>&#09;ip link set wlan0 down<br><br>&#09;# wlan0 should now be fully disconnected from the wifi network<br>}|}}<br />
# Create the hook installation file in {{ic|/lib/initcpio/install/wifi}}:{{bc|build ()<br>{<br>&#09;add_runscript<br>}<br>help ()<br>{<br>cat<<HELPEOF<br>&#09;Enables wifi on boot, for dropbear ssh unlocking of disk.<br>HELPEOF<br>}|}}<br />
# Add {{ic|1=ip=:::::wlan0:dhcp}} to the [[kernel parameters]]. Remove {{ic|1=ip=:::::eth0:dhcp}} so it does not conflict.<br />
# Optionally create an additional boot entry with kernel parameter {{ic|1=ip=:::::eth0:dhcp}}.<br />
# [[Mkinitcpio#Image_creation_and_activation|Regenerate the initramfs image]].<br />
# Update the configuration of your [[boot loader]], e.g. for [[GRUB#Generating_main_configuration_file|GRUB]]:{{bc|# grub-mkconfig -o /boot/grub/grub.cfg}}<br />
Remember to setup [[Wireless_network_configuration|wifi]], so you are able to login once the system is fully booted. In case you are unable to connect to the wifi network, try increasing the sleep times a bit.<br />
<br />
==Discard/TRIM support for solid state drives (SSD)==<br />
Solid state drive users should be aware that by default, Linux's full-drive encryption mechanisms will ''not'' forward TRIM commands from the filesystem to the underlying drive. The device-mapper maintainers have made it clear that TRIM support will never be enabled by default on dm-crypt devices because of the potential security implications.[http://www.saout.de/pipermail/dm-crypt/2011-September/002019.html][http://www.saout.de/pipermail/dm-crypt/2012-April/002420.html]<br />
<br />
Most users will still want to use TRIM on their encrypted SSDs. Minimal data leakage in the form of freed block information, perhaps sufficient to determine the filesystem in use, may occur on devices with TRIM enabled. An illustration and discussion of the issues arising from activating TRIM is available in the [http://asalor.blogspot.de/2011/08/trim-dm-crypt-problems.html blog] of a {{ic|cryptsetup}} developer. As a result encryption schemes that rely on plausible deniability should never be used on a device that utilizes TRIM. <br />
<br />
In {{Pkg|linux}} 3.1 and up, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. Support for this option also exists in {{Pkg|cryptsetup}} version 1.4.0 and up. To add support during boot, you will need to add {{ic|:allow-discards}} to the {{ic|cryptdevice}} option. The TRIM option may look like this:<br />
cryptdevice=/dev/sdaX:root:allow-discards<br />
<br />
For the main {{ic|cryptdevice}} configuration options before the {{ic|:allow-discards}} see [[Dm-crypt/System configuration]].<br />
<br />
Besides the kernel option, it is also required to periodically run {{ic|fstrim}} or mount the filesystem (e.g. {{ic|/dev/mapper/root}} in this example) with the {{ic|discard}} option in {{ic|/etc/fstab}}. For details, please refer to the [[SSD#TRIM|SSD]] page. For LUKS devices unlocked manually on the console or via {{ic|/etc/crypttab}} either {{ic|discard}} or {{ic|allow-discards}} may be used.<br />
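<br />
To see which opened mappings actually pass discards through, for instance to confirm that a volume relying on deniability does not, the following added example (not part of the original article) parses {{ic|dmsetup table}} output. The function names and the sample table are constructed; it assumes the dm-crypt table layout ''name: start length crypt cipher key iv_offset device offset [count options...]''.<br />

```shell
#!/bin/bash
# Added illustration, not from the original article. Function names are
# hypothetical; SAMPLE_TABLE is constructed (keys appear zeroed, as
# `dmsetup table` prints them when --showkeys is not given).

SAMPLE_TABLE='root: 0 209711104 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:2 4096 1 allow_discards
hidden: 0 104857600 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 0
MyStorage-homevol: 0 41943040 linear 8:3 2048
scratch: 0 2097152 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:33 4096 2 same_cpu_crypt allow_discards'

# Read `dmsetup table` output on stdin and print "<name> discards-on" or
# "<name> discards-off" for every crypt target. Other targets are skipped.
crypt_discard_status() {
    awk '
        $4 == "crypt" {
            name = $1
            sub(/:$/, "", name)
            state = "discards-off"
            # Field 10 is the optional-parameter count, options follow it.
            for (i = 11; i <= NF; i++)
                if ($i == "allow_discards") state = "discards-on"
            print name, state
        }'
}

# Policy check for mappings that must never use TRIM.
# $1 = table text, remaining arguments = mapping names.
# Returns 0 if all are open crypt mappings without discards,
#         1 if any of them passes discards through,
#         2 if a name is not an open crypt mapping (and none returned 1).
require_no_discards() {
    local table=$1 status name rc=0
    shift
    status=$(printf '%s\n' "$table" | crypt_discard_status)
    for name in "$@"; do
        if printf '%s\n' "$status" | grep -Fxq -e "$name discards-on"; then
            echo "$name: TRIM pass-through is enabled" >&2
            rc=1
        elif ! printf '%s\n' "$status" | grep -Fxq -e "$name discards-off"; then
            echo "$name: not an open dm-crypt mapping" >&2
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    return "$rc"
}

# Demo on the constructed sample. On a live system, run as root:
#   require_no_discards "$(dmsetup table)" hidden
printf '%s\n' "$SAMPLE_TABLE" | crypt_discard_status
require_no_discards "$SAMPLE_TABLE" hidden && echo "hidden: no discards, as required"
```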
<br />
== The encrypt hook and multiple disks == <br />
<br />
The {{ic|encrypt}} hook only allows for a '''single''' {{ic|cryptdevice<nowiki>=</nowiki>}} entry. In system setups with multiple drives this may be limiting, because ''dm-crypt'' has no feature to exceed the physical device. For example, take "LVM on LUKS": The entire LVM exists inside a LUKS mapper. This is perfectly fine for a single-drive system, since there is only one device to decrypt. But what happens when you want to increase the size of the LVM? You cannot, at least not without modifying the {{ic|encrypt}} hook. <br />
<br />
The following sections briefly show alternatives to overcome the limitation. The first deals with how to expand a [[Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM|LUKS on LVM]] setup to a new disk. The second with modifying the {{ic|encrypt}} hook to unlock multiple disks in LUKS setups without LVM. The third section then again uses LVM, but modifies the {{ic|encrypt}} hook to unlock the encrypted LVM with a remote LUKS header. <br />
<br />
=== Expanding LVM on multiple disks ===<br />
The management of multiple disks is a basic [[LVM]] feature and a major reason for its partitioning flexibility. It can also be used with ''dm-crypt'', but only if LVM is employed as the first mapper. In such a [[Dm-crypt/Encrypting_an_entire_system#LUKS_on_LVM|LUKS on LVM]] setup the encrypted devices are created inside the logical volumes (with a separate passphrase/key per volume). The following covers the steps to expand that setup to another disk. <br />
<br />
{{Warning|Backup! While resizing filesystems may be standard, keep in mind that operations '''may''' go wrong and the following might not apply to a particular setup. Generally, extending a filesystem to free disk space is less problematic than shrinking one. This in particular applies when stacked mappers are used, as it is the case in the following example.}}<br />
<br />
==== Adding a new drive ====<br />
First, it may be desired to prepare a new disk according to [[Dm-crypt/Drive preparation]]. <br />
Second, it is partitioned as a LVM, e.g. all space is allocated to {{ic|/dev/sdY1}} with partition type "8E00" (Linux LVM). <br />
Third, the new disk/partition is attached to the existing LVM volume group, e.g.:<br />
# pvcreate /dev/sdY1<br />
# vgextend MyStorage /dev/sdY1<br />
<br />
==== Extending the logical volume ====<br />
<br />
For the next step, the final allocation of the new diskspace, the logical volume to be extended has to be unmounted. It can be performed for the {{ic|cryptdevice}} root partition, but in this case the procedure has to be performed from an Arch Install ISO. <br />
<br />
In this example, it is assumed that the logical volume for {{ic|/home}} (lv-name {{ic|homevol}}) is going to be expanded with the fresh disk space: <br />
# umount /home<br />
# fsck /dev/mapper/home<br />
# cryptsetup luksClose /dev/mapper/home<br />
# lvextend -l +100%FREE MyStorage/homevol<br />
<br />
Now the logical volume is extended and the LUKS container comes next: <br />
# cryptsetup open --type luks /dev/mapper/MyStorage-homevol home<br />
# umount /home # as a safety, in case it was automatically remounted<br />
# cryptsetup --verbose resize home<br />
<br />
Finally, the filesystem itself is resized: <br />
# e2fsck -f /dev/mapper/home<br />
# resize2fs /dev/mapper/home<br />
<br />
Done! If it went to plan, {{ic|/home}} can be remounted <br />
# mount /dev/mapper/home /home<br />
<br />
and now includes the span to the new disk. Note that the {{ic|cryptsetup resize}} action does not affect encryption keys, they have not changed.<br />
<br />
=== Modifying the encrypt hook for multiple partitions ===<br />
==== Multiple root partitions ====<br />
It is possible to modify the encrypt hook so that multiple hard drives are decrypted for root ({{ic|/}}) at boot. The {{AUR|cryptsetup-multi}} package may be used for it. An alternative way according to an Arch user (benke):<br />
<br />
# cp /usr/lib/initcpio/hooks/encrypt /usr/lib/initcpio/hooks/encrypt2<br />
# cp /usr/lib/initcpio/install/encrypt /usr/lib/initcpio/install/encrypt2<br />
# nano /usr/lib/initcpio/hooks/encrypt2<br />
<br />
Change {{ic|$cryptkey}} to {{ic|$cryptkey2}}, and {{ic|$cryptdevice}} to {{ic|$cryptdevice2}}.<br />
Add {{ic|1=cryptdevice2=}} (e.g. {{ic|1=cryptdevice2=/dev/sdb:hdd2}}) to your boot options (and {{ic|1=cryptkey2=}} if needed).<br />
<br />
Change the {{ic|/etc/fstab}} flag for root:<br />
<br />
/dev/sdb /mnt btrfs device=/dev/sda,device=/dev/sdb, ... 0 0<br />
<br />
==== Multiple non-root partitions ====<br />
Maybe you have a requirement for using the {{ic|encrypt}} hook on a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in {{ic|/lib/initcpio/hooks/encrypt}} (the first one to your {{ic|/dev/sd*}} partition, the second to the name you want to attribute). That should be enough.<br />
<br />
The big advantage is you can have everything automated, while setting up {{ic|/etc/crypttab}} with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).<br />
<br />
Of course, if the {{pkg|cryptsetup}} package gets upgraded, you will have to change this script again. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.<br />
<br />
{{accuracy|Why not use the supported Grub2 right away? See also [[Mkinitcpio#Using_RAID]]}} <br />
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough; the {{ic|encrypt}} hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the {{ic|encrypt}} hook is run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like <br />
kernel /boot/vmlinuz-linux md=1,/dev/hda5,/dev/hdb5<br />
<br />
If you set up your root partition as a RAID, you will notice the similarities with that setup ;-). [[GRUB]] can handle multiple array definitions just fine:<br />
kernel /boot/vmlinuz-linux root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5<br />
<br />
=== Encrypted system using a remote LUKS header ===<br />
This example follows the same setup as in [[Dm-crypt/Encrypting an entire system#Plain dm-crypt]], which should be read first before following this guide.<br />
<br />
By using a remote header the encrypted blockdevice itself only carries encrypted data, which gives [[Wikipedia:Deniable encryption|deniable encryption]] as long as the existence of a header is unknown to the attackers. It is similar to using [[Dm-crypt/Encrypting an entire system#Plain_dm-crypt|plain dm-crypt]], but with the LUKS advantages such as multiple passphrases for the masterkey and key derivation. Further, using a remote header offers a form of two factor authentication with an easier setup than [[Dm-crypt/Specialties#Using_GPG_or_OpenSSL_Encrypted_Keyfiles|using GPG or OpenSSL encrypted keyfiles]], while still having a built-in password prompt for multiple retries. See [[Disk encryption#Cryptographic metadata]] for more information.<br />
<br />
See [[Dm-crypt/Device encryption#Encryption options for LUKS mode]] for encryption options before performing the first step to setup the encrypted system partition and creating a header file to use with {{ic|cryptsetup}}:<br />
# truncate -s 2M header.img<br />
# cryptsetup luksFormat /dev/sdX --header header.img<br />
<br />
Open the container:<br />
# cryptsetup open --header header.img --type luks /dev/sdX enc<br />
<br />
Now follow the [[Dm-crypt/Encrypting_an_entire_system#Preparing_the_non-boot_partitions|LVM on LUKS setup]] to your requirements. The same applies for [[Dm-crypt/Encrypting an entire system#Preparing the boot partition 4|preparing the boot partition]] on the removable device (because if not, there is no point in having a separate header file for unlocking the encrypted disk).<br />
Next move the {{ic|header.img}} onto it:<br />
# mv header.img /mnt/boot<br />
<br />
Follow the installation procedure up to the mkinitcpio step (you should now be {{ic|arch-chroot}}ed inside the encrypted system). <br />
<br />
There are two options for initramfs to support a detached LUKS header.<br />
<br />
==== Using systemd hook ====<br />
<br />
{{Note|This method requires systemd '''219''' or later.}} <br />
<br />
First create {{ic|/etc/crypttab.initramfs}} and add the encrypted device to it. The syntax is defined in [http://www.freedesktop.org/software/systemd/man/crypttab.html crypttab(5)]<br />
{{hc|/etc/crypttab.initramfs|2=MyStorage PARTUUID=00000000-0000-0000-0000-000000000000 none header=/boot/header.img}}<br />
<br />
Modify {{ic|/etc/mkinitcpio.conf}} [[Mkinitcpio#Common_hooks|to use systemd]] and add the header to {{ic|FILES}}.<br />
<br />
{{hc|<br />
/etc/mkinitcpio.conf|2=FILES="'''/boot/header.img'''"<br />
<br />
HOOKS="... '''systemd''' ... block '''sd-encrypt''' sd-lvm2 filesystems ..."<br />
}}<br />
<br />
[[Mkinitcpio#Image_creation_and_activation|Recreate the initramfs]] and you are done.<br />
<br />
{{Note|<br />
* No cryptsetup parameters need to be passed to the kernel command line, since {{ic|/etc/crypttab.initramfs}} will be added as {{ic|/etc/crypttab}} in the initramfs. If you wish to specify them in the kernel command line see [http://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html systemd-cryptsetup-generator(8)] for the supported options. <br />
* Be aware the {{ic|systemd}} hook adds further files to the initramfs (e.g. {{ic|/etc/passwd}} and {{ic|/etc/group}}), in case you consider them sensitive.}}<br />
<br />
==== Modifying encrypt hook ====<br />
<br />
This method shows how to modify the {{ic|encrypt}} hook in order to use a remote LUKS header. <br />
Now the {{ic|encrypt}} hook has to be modified to let {{ic|cryptsetup}} use the separate header (base source and idea for these changes [https://bbs.archlinux.org/viewtopic.php?pid=1076346#p1076346 published on the BBS]). Make a copy so it is not overwritten on a [[mkinitcpio]] update:<br />
<br />
# cp /lib/initcpio/hooks/encrypt{,2}<br />
# cp /usr/lib/initcpio/install/encrypt{,2}<br />
<br />
{{hc|<br />
/lib/initcpio/hooks/encrypt2 (around line 52)|output=warn_deprecated() {<br />
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"<br />
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."<br />
}<br />
<br />
'''local headerFlag=false'''<br />
for cryptopt in ${cryptoptions//,/ }; do<br />
case ${cryptopt} in<br />
allow-discards)<br />
cryptargs="${cryptargs} --allow-discards"<br />
;; <br />
<b>header)<br />
cryptargs="${cryptargs} --header /boot/header.img"<br />
headerFlag=true<br />
;;</b><br />
*) <br />
echo "Encryption option '${cryptopt}' not known, ignoring." >&2 <br />
;; <br />
esac<br />
done<br />
<br />
if resolved=$(resolve_device "${cryptdev}" ${rootdelay}); then<br />
if '''$headerFlag &#124;&#124; '''cryptsetup isLuks ${resolved} >/dev/null 2>&1; then<br />
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated<br />
dopassphrase=1<br />
}}<br />
<br />
Now edit the [[mkinitcpio|mkinitcpio.conf]] to add the {{ic|encrypt2}} and {{ic|lvm2}} hooks, the {{ic|header.img}} to {{ic|FILES}} and the {{ic|loop}} to {{ic|MODULES}}, apart from other configuration the system requires:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=MODULES="'''loop'''"<br />
<br />
FILES="'''/boot/header.img'''"<br />
<br />
HOOKS="... '''encrypt2''' '''lvm2''' ... filesystems ..."}}<br />
<br />
This is required so the LUKS header is available on boot allowing the decryption of the system, exempting us from a more complicated setup to mount another separate USB device in order to access the header. After this set up [[Mkinitcpio#Image_creation_and_activation|the initramfs]] is created.<br />
<br />
Next the [[Dm-crypt/Encrypting an entire system#Configuring the boot loader 4|boot loader is configured]] to specify the {{ic|1=cryptdevice=}} also passing the new {{ic|header}} option for this setup: <br />
<br />
cryptdevice=/dev/sdX:enc:header<br />
<br />
To finish, following [[Dm-crypt/Encrypting an entire system#Post-installation]] is particularly useful with a {{ic|/boot}} partition on an USB storage medium.<br />
<br />
{{Tip|1=You will notice that since the system partition only has "random" data, it does not have a partition table and by that an {{ic|UUID}} or a {{ic|name}}. But you can still have a consistent mapping using the disk id under {{ic|/dev/disk/by-id/}}}}</div>Clearmartinhttps://wiki.archlinux.org/index.php?title=Hddtemp&diff=378489Hddtemp2015-06-14T13:22:12Z<p>Clearmartin: /* Solid State Drives */</p>
<hr />
<div>[[Category:Status monitoring and notification]]<br />
[[ja:Hddtemp]]<br />
[[ru:Hddtemp]]<br />
{{Related articles start}}<br />
{{Related|lm sensors}}<br />
{{Related articles end}}<br />
[https://savannah.nongnu.org/projects/hddtemp/ hddtemp] is a small utility (with daemon) that gives the hard-drive temperature via S.M.A.R.T. (for drives supporting this feature).<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|hddtemp}} from the [[official repositories]].<br />
<br />
== Usage ==<br />
<br />
Hddtemp requires root privileges. The command {{ic|hddtemp}} must be followed by at least one drive's location, with several drives separated by spaces:<br />
<br />
# hddtemp /dev/sd''X1'' /dev/sd''X2'' ... /dev/sd''Xn''<br />
<br />
== Daemon ==<br />
<br />
Running the daemon makes the temperature accessible via TCP/IP, for use in scripts, for example.<br />
<br />
The daemon is [[Systemd#Using_units|controlled]] by {{ic|hddtemp.service}}.<br />
<br />
{{Note|1=Arguments to {{ic|hddtemp}} are directly given in {{ic|/usr/lib/systemd/system/hddtemp.service}}. This is especially important with multiple disks, as the default configuration only monitors {{ic|/dev/sda}}. Change {{ic|ExecStart}} [[Systemd#Editing_provided_unit_files|to override]] {{ic|hddtemp.service}}:<br />
<br />
* Create a directory in {{ic|/etc/systemd/system}}:<br />
# mkdir /etc/systemd/system/hddtemp.service.d<br />
* Create {{ic|customexec.conf}} inside and add the drives you want to monitor, e.g.:<br />
{{hc|/etc/systemd/system/hddtemp.service.d/customexec.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/hddtemp -dF /dev/sda /dev/sdb /dev/sdc<br />
}}<br />
You can also use the [https://github.com/AndyCrowd/auto-generate-configuration-files/blob/master/gen-customexec.conf-hddtemp.sh auto-generate] script, which detects, with the help of {{Pkg|smartmontools}}, all hard drives supported by {{Pkg|hddtemp}} and writes a {{ic|customexec.conf}} pattern file to stdout.<br />
* Reload systemd's unit files:<br />
# systemctl --system daemon-reload<br />
* Restart the hddtemp service:<br />
{{bc|# systemctl restart hddtemp}}<br />
}}<br />
<br />
To get the temperature, connect to the daemon which listens on port 7634. With {{pkg|inetutils}}:<br />
<br />
$ telnet localhost 7634<br />
<br />
With {{pkg|gnu-netcat}}:<br />
<br />
$ nc localhost 7634<br />
<br />
Both outputs are similar to: <br />
<br />
|/dev/sda|ST3500413AS|32|C||/dev/sdb|ST2000DM001-1CH164|36|C|<br />
<br />
For a better looking statistic: <br />
<br />
{{hc|<nowiki>$ nc localhost 7634 |sed 's/|//m' | sed 's/||/ \n/g' | awk -F'|' '{print $1 " " $3 " " $4}'</nowiki>|/dev/sda 32 C <br />
/dev/sdb 36 C}}<br />
<br />
Refer to the manpage for more information:<br />
<br />
$ man hddtemp<br />
<br />
== Monitors ==<br />
<br />
Hddtemp can be integrated with [[List_of_applications#System_monitoring|system monitors]].<br />
<br />
== Solid State Drives ==<br />
<br />
Hddtemp usually reads field {{ic|194}} from the smart data of the drive. In SSDs temperature information is usually stored in field {{ic|190}}. To obtain this information, one can run:<br />
<br />
$ smartctl -a /dev/sdX<br />
or<br />
$ hddtemp --debug /dev/sdX<br />
<br />
where X is a character (e.g. a,b,c...) representing the drive. Use {{ic|lsblk}} to check this.<br />
<br />
Alternatively, add a new entry in {{ic|/usr/share/hddtemp/hddtemp.db}}. For example:<br />
<br />
 # echo '"Samsung SSD 840 EVO 250G B" 190 C "Samsung SSD 840 EVO 250GB"' >> /usr/share/hddtemp/hddtemp.db</div>Clearmartinhttps://wiki.archlinux.org/index.php?title=Fcitx&diff=373109Fcitx2015-05-09T18:02:26Z<p>Clearmartin: Qt5 applications compliance</p>
<hr />
<div>[[Category:Internationalization]]<br />
[[ja:Fcitx]]<br />
[[zh-CN:Fcitx]]<br />
{{Translateme|[[Fcitx (简体中文)]] has been rewritten, but its author's English is too poor for him to translate it here. So if you can read Chinese and you are good at English, please translate it here.}}<br />
<br />
{{Related articles start}}<br />
{{Related|IBus}}<br />
{{Related|SCIM}}<br />
{{Related|UIM}}<br />
{{Related articles end}}<br />
<br />
[http://code.google.com/p/fcitx/ FCITX] (Flexible Input Method Framework) is a [http://en.wikipedia.org/wiki/Input_method input method framework] aimed at providing environment independent language support for Linux. It supports a lot of different languages and also provides many useful non-CJK features.<br />
<br />
==Installation==<br />
[[Pacman|Install]] the {{Pkg|fcitx}} package from the [[official repositories]].<br />
<br />
Additionally, you might want to install [[Fcitx#Configuration|input method modules]] for GTK+ and Qt applications. <br />
<br />
=== Input method engines ===<br />
<br />
Fcitx provides built-in input methods for Chinese [http://en.wikipedia.org/wiki/Pinyin Pinyin] and table-based input (for example [http://en.wikipedia.org/wiki/Wubi Wubi]).<br />
<br />
Depending on the language you wish to type, other input method engines are available:<br />
<br />
====Chinese====<br />
<br />
* {{Pkg|fcitx-sunpinyin}}, based on {{Pkg|sunpinyin}}. It strikes a good balance between speed and accuracy.<br />
* {{Pkg|fcitx-libpinyin}}, based on {{Pkg|libpinyin}}. It has a better algorithm than {{Pkg|fcitx-sunpinyin}}, but still has bugs and lacks a good dictionary.<br />
* {{Pkg|fcitx-googlepinyin}}, based on {{Pkg|libgooglepinyin}}, the Google pinyin IME for Android.<br />
* {{Pkg|fcitx-cloudpinyin}} uses internet sources to provide input candidates.<br />
* {{Pkg|fcitx-chewing}} is a popular Zhuyin input engine for Traditional Chinese based on {{Pkg|libchewing}}.<br />
* {{Pkg|fcitx-table-extra}} adds [http://en.wikipedia.org/wiki/Cangjie_input_method Cangjie], [http://en.wikipedia.org/wiki/Zhengma_method Zhengma], [http://en.wikipedia.org/wiki/Boshiamy_method Boshiamy] support.<br />
* {{Pkg|fcitx-rime}}, based on schemas from the [[Rime IME]] project.<br />
<br />
==== Other languages ====<br />
<br />
* {{Pkg|fcitx-anthy}}, a popular Japanese input engine. However, it is not actively developed anymore.<br />
* {{Pkg|fcitx-mozc}}, based on [[Mozc]], the Open Source Edition of Google Japanese Input.<br />
* {{Pkg|fcitx-kkc}}, a new Japanese Kana Kanji input engine, based on {{Pkg|libkkc}}.<br />
* {{Pkg|fcitx-hangul}}, for typing Korean hangul, based on {{Pkg|libhangul}}.<br />
* {{Pkg|fcitx-unikey}}, for typing Vietnamese characters.<br />
* {{Pkg|fcitx-sayura}}, for typing Sinhalese.<br />
* {{Pkg|fcitx-m17n}}, for other languages provided by [http://www.nongnu.org/m17n/ M17n].<br />
<br />
==== Others ====<br />
<br />
* {{Pkg|fcitx-ui-light}}, light UI for fcitx.<br />
* {{Pkg|fcitx-fbterm}}, for Fbterm support.<br />
* {{Pkg|fcitx-table-extra}}, extra table.<br />
* {{Pkg|fcitx-table-other}}, tables for Latex, Emoji and others. <br />
<br />
Other packages (including git versions) are also available in the [[AUR]].<br />
After installing any fcitx component, fcitx must be restarted.<br />
<br />
==Configuration==<br />
<br />
{{Note|You need to have [[Fonts_FAQ#Chinese.2C_Japanese.2C_Korean.2C_Vietnamese|east Asian fonts]] installed if you want to enter Chinese, Japanese, Korean or Vietnamese characters.}}<br />
<br />
Fcitx provides GUI configuration tools. You can install either {{Pkg|kcm-fcitx}} (based on kcm) or {{Pkg|fcitx-configtool}} (based on gtk3), or {{AUR|fcitx-configtool-gtk2}} (based on gtk2, unsupported) from the [[Arch User Repository|AUR]].<br />
<br />
Note that Fcitx does not support manual configuration while its GUI is active.<br />
<br />
=== GTK+ and Qt modules ===<br />
To obtain a better experience in Gtk+ and Qt programs, install the {{Pkg|fcitx-gtk2}}, {{Pkg|fcitx-gtk3}}, {{Pkg|fcitx-qt4}} and {{Pkg|fcitx-qt5}} input method modules as needed, or the {{Grp|fcitx-im}} group to install all of them (with the exception of fcitx-qt5, which is currently not popular).<br />
<br />
Add the following lines to your desktop start up script files to register the input method modules and support xim programs.<br />
<br />
* Use {{ic|.xprofile}} if you are using KDM, GDM, LightDM or SDDM.<br />
* Use {{ic|.xinitrc}} if you are using startx or Slim. <br />
<br />
export GTK_IM_MODULE=fcitx<br />
export QT_IM_MODULE=fcitx<br />
export XMODIFIERS=@im=fcitx<br />
<br />
* Re-login to make these environment changes effective.<br />
<br />
{{Warning|Do NOT use {{ic|.bashrc}} to do this. It is used for initializing an interactive bash session. It is not designed for non-interactive shells, nor for X session initialization. Moreover, setting environment variables in it can confuse diagnostic tools, which are generally executed from the command line, so that these variables will appear to them as being set correctly even if they are not set for the X session.}}<br />
<br />
{{Note|If all Qt apps have problems with fcitx, run qtconfig (qtconfig-qt4), go to the third tab, and make sure fcitx is selected in the "Default Input Method" combo-box.}}<br />
<br />
{{Note|Qt5 applications currently appear to work with fcitx only if the variables exported above are also added to the {{ic|.bashrc}} file (at least for Plasma 5 started with startx).}}<br />
<br />
=== Xim ===<br />
<br />
Optionally, you can use xim in your GTK+ and/or Qt programs without installing the above modules, in which case you need to change the corresponding lines above as follows:<br />
<br />
export GTK_IM_MODULE=xim<br />
export QT_IM_MODULE=xim<br />
<br />
{{Warning| Using xim can sometimes cause problems, including not being able to input, the cursor not being followed, word selection window issues, and application freezes on input method restart. For these xim related problems, Fcitx cannot provide any fix or support. This is the same with any other input method framework, so please use the GTK+ and Qt input method modules instead of xim whenever possible.}}<br />
<br />
{{Note|Gtk2 uses {{ic|/usr/lib/gtk-2.0/2.10.0/immodules.cache}} as its immodule cache file since 2.24.20. If you have set the {{ic|GTK_IM_MODULE_FILE}} environment variable or do not use the install script of the official packages to update the cache, please change or clear the environment variable and use {{ic|/usr/bin/gtk-query-immodules-2.0 --update-cache}} to update the immodule cache.}}<br />
<br />
== Usage ==<br />
<br />
=== Desktop Environment ===<br />
If you are using any XDG compatible desktop environment such as [[KDE]], [[GNOME]], [[XFCE]] or [[LXDE]], the autostart should work out of the box after you log in again. If not, open your favorite terminal and type:<br />
<br />
$ fcitx<br />
<br />
To see if fcitx is working correctly, open an application such as leafpad and press CTRL+Space (the default shortcut for switching input method) to invoke FCITX and input some words.<br />
<br />
If Fcitx failed to start with your desktop automatically or if you want to change the parameters to start fcitx, please use tools provided by your desktop environment to configure xdg auto start or edit the {{ic|fcitx-autostart.desktop}} file in your {{ic|~/.config/autostart/}} directory (copy it from {{ic|/etc/xdg/autostart/}} if it doesn't exist yet).<br />
<br />
If your desktop environment does not support xdg auto start, please add the following command to your startup script (after the environment variables are set up properly).<br />
<br />
$ fcitx<br />
<br />
When other input methods with xim support are also running, Fcitx may fail to start due to an xim error. Please make sure no other input method is running before you start Fcitx.<br />
<br />
==Desktop Environment Integration==<br />
<br />
===Keyboard layout integration===<br />
fcitx-keyboard support is now built in. Open a configuration tool ({{Pkg|kcm-fcitx}} or {{Pkg|fcitx-configtool}}, mentioned above); you might want to uncheck "Show only current language" to find your keyboard layout.<br />
<br />
To enable spell checking, press ctrl + alt + h while fcitx is using an input method provided by fcitx-keyboard. You can then type a long word to see whether it works.<br />
<br />
===Gnome-Shell===<br />
<br />
You can install kimpanel from extensions.gnome.org or {{AUR|gnome-shell-extension-kimpanel-git}} package in [[Arch User Repository|AUR]], which provides a similar user experience as ibus-gjs.<br />
<br />
Since GNOME is trying its best to break every single input method, in order to use Fcitx, you will need to remove all input sources from gnome-control-center, clear all the hotkeys for input methods and issue the following command to disable iBus integration:<br />
$ gsettings set org.gnome.settings-daemon.plugins.keyboard active false<br />
<br />
===KDE===<br />
<br />
Install these packages:<br />
<br />
*{{Pkg|kcm-fcitx}} - a kcontrol module for fcitx.<br />
<br />
*{{Pkg|kdeplasma-addons-applets-kimpanel}} - a plasmoid providing a native feel under KDE. Simply add kimpanel to plasma and fcitx will automatically switch to it without extra configuration.<br />
<br />
==Clipboard Access==<br />
You can use fcitx to input text from your clipboard (as well as from a short clipboard history and the primary selection). The default trigger key is Control-;. You can change the trigger key as well as other options in the Clipboard addon configuration page.<br />
<br />
NOTE: This is NOT a clipboard manager. It does not hold the selection or change its content, as a clipboard manager is supposed to do. It can only be used to input from the clipboard.<br />
<br />
{{Warning| Some clients do not support multi-line input, so you may see multi-line clipboard content pasted as a single line when using fcitx-clipboard. That is either a bug or a feature of the program receiving the input, and it is not something fcitx is able to help with.}}<br />
<br />
==Troubleshooting==<br />
=== Diagnose the problem ===<br />
If you have problems using fcitx, e.g. Ctrl+Space fails to work in all applications, the first thing you should try is to diagnose the problem using {{ic|fcitx-diagnose}}.<br />
The output of {{ic|fcitx-diagnose}} should contain the clue to most common problems.<br />
Providing its output will also help when you consult other people (e.g. in IRC or forums).<br />
<br />
=== Emacs ===<br />
If your LC_CTYPE is English, you may not be able to use an input method in emacs due to an old emacs bug. You can set your LC_CTYPE to something else, such as "zh_CN.UTF-8", before emacs starts to get rid of this problem.<br />
<br />
The default fontset uses `-*-*-*-r-normal--14-*-*-*-*-*-*-*' as its base font (in src/xfns.c). If you do not have a matching font (such as terminus or the 75dpi fonts; check the output of `xlsfonts'), XIM cannot be activated.<br />
<br />
=== Input method module ===<br />
{{Warning| You may still be able to use input method in most programs without the input method module, however, you may have unsolvable weird problems if you do so.}}<br />
<br />
{{Warning| For Firefox above version 13, the popup menu may fail to work due to xim. Please make sure that fcitx-gtk2 and the latest version of fcitx are installed.}}<br />
<br />
=== Ctrl+Space fail to work in GTK programs ===<br />
<br />
This problem sometimes happens especially when locale is set as English. Please make sure your GTK_IM_MODULE is set correctly.<br />
<br />
See also [http://fcitx-im.org/wiki/FAQ#When_use_Ctrl_.2B_Space.2C_Fcitx_cannot_be_triggered_on FAQ]<br />
<br />
If you have set the *_IM_MODULE environment variables to fcitx but cannot activate fcitx, please check if you have installed the corresponding input method modules.<br />
<br />
Some programs can only use xim. If you are using these programs, please make sure your XMODIFIERS is set properly and be aware of the problems you may have. These programs include all programs that do not use gtk or qt (e.g. programs that use tk, motif, or xlib directly), emacs, opera, openoffice, libreoffice and skype.<br />
<br />
If you cannot enable fcitx in gnome-terminal under gnome and the above way doesn't work, try selecting Fcitx in the right click Input method menu.<br />
<br />
=== Buildin Chinese Pinyin Default NOT ACTIVE ===<br />
<br />
If your locale is {{ic|en_US.UTF-8}}, fcitx does NOT enable the built-in Chinese Pinyin input method by default; only the {{ic|fcitx-keyboard-us}} input method is enabled. The {{ic|fcitx-diagnose}} command reports this with a notice like the following:<br />
<br />
## Input Methods:<br />
1. Found 1 enabled input methods:<br />
fcitx-keyboard-us<br />
2. Default input methods:<br />
**You only have one input method enabled, please add a keyboard input method as the first one and your main input method as the second one.**<br />
<br />
Then you should add the {{ic|Pinyin}} or {{ic|Shuangpin}} input method to the active input methods using the GUI configuration tool.<br />
<br />
=== fcitx and KDE ===<br />
<br />
For some reasons, [[KDE]] doesn't handle keyboard layouts properly. For example, if you switch from US (English) to LT (Lithuanian), all numbers on the keyboard should produce Lithuanian letters, but they still produce numbers as the output. This can be fixed by these steps:<br />
<br />
# Install required packages mentioned [[Fcitx#KDE|here]].<br />
# Turn off {{ic|fcitx}} if it's running in the background.<br />
# Disable stuff related to KDE:<br />
## At ''System settings --> Input devices --> Layouts (tab)'' make sure that "Configure layouts" is unchecked.<br />
## At ''System settings --> Input devices --> Advanced (tab)'' make sure that "Configure keyboard options" is unchecked.<br />
# Open terminal and type {{ic|fcitx}} to start it. You can close terminal - {{ic|fcitx}} will still be running in the background.<br />
# Set up your needed layouts (Right click on the system tray icon, then "Configure").<br />
# Right click on the system tray icon, then "Exit"<br />
<br />
At this point you should have working layouts, native KDE layouts switch icon should appear and you can switch them by mouse scroll or click on it.<br />
<br />
==See also==<br />
*[https://github.com/fcitx/fcitx/ Fcitx GitHub]<br />
*[https://code.google.com/p/fcitx/ Fcitx Google Code]<br />
*[http://fcitx-im.org/ Fcitx Wiki]</div>Clearmartinhttps://wiki.archlinux.org/index.php?title=Archiso&diff=293270Archiso2014-01-16T21:03:24Z<p>Clearmartin: /* Adding files to image */</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[ar:Archiso]]<br />
[[el:Archiso]]<br />
[[es:Archiso]]<br />
[[fr:Archiso]]<br />
[[it:Archiso]]<br />
[[nl:Archiso]]<br />
[[ru:Archiso]]<br />
[[uk:Archiso]]<br />
'''Archiso''' is a small set of bash scripts capable of building fully functional Arch Linux based live CD and USB images. It is a very generic tool, so it could potentially be used to generate anything from rescue systems, install disks, to special interest live CD/DVD/USB systems, and who knows what else. Simply put, if it involves Arch on a shiny coaster, it can do it. The heart and soul of Archiso is mkarchiso. All of its options are documented in its usage output, so its direct usage won't be covered here. Instead, this wiki article will act as a guide for rolling your own live media in no time!<br />
<br />
== Setup ==<br />
{{Note|The script is to be used on an x86_64 machine.}}<br />
Before we begin, we need to [[pacman|install]] {{Pkg|archiso}} from the [[official repositories]]. Alternatively, {{AUR|archiso-git}} can be found in the [[AUR]].<br />
<br />
Create a directory to work within, this is where all the modifications to the live image will take place: {{ic|~/archlive}} should do fine.<br />
$ mkdir ~/archlive<br />
<br />
The archiso scripts that were installed to the host system earlier now need to be copied over into the newly created directory you will be working within.<br />
Archiso comes with two "profiles": ''releng'' and ''baseline''.<br />
If you wish to create a fully customised live version of Arch Linux, pre-installed with all your favourite programs and configurations, use ''releng''.<br />
If you just want to create the most basic live medium, with no pre-installed packages and a minimalistic configuration, use ''baseline''.<br />
<br />
So, depending on your needs, execute the following, replacing 'PROFILE' with either '''releng''' or '''baseline'''.<br />
# cp -r /usr/share/archiso/configs/'''PROFILE'''/ ~USER/archlive<br />
<br />
If you are using the ''releng'' profile to make a fully customised image, then you can proceed onto [[#Configure our live medium]].<br />
<br />
If you are using the ''baseline'' profile to create a bare image, then you won't be needing to do any customisations and can proceed onto [[#Build the ISO]].<br />
<br />
== Configure our live medium ==<br />
<br />
This section details configuring the image you will be creating, allowing you to define the packages and configurations you want your live image to contain.<br />
<br />
Change into the directory we created earlier (~/archlive/releng/ if you have been following this guide). You will see a number of files and directories; we are only concerned with a few of these, mainly:<br />
* packages.* - this is where you list, line by line, the packages you want to have installed, and<br />
* the root-image directory - this directory acts as an overlay and it is where you make all the customisations.<br />
<br />
=== Installing packages ===<br />
<br />
You will want to create a list of packages you want installed on your live CD system. A file full of package names, one-per-line, is the format for this. This is '''''great''''' for special interest live CDs, just specify packages you want in packages.both and bake the image.<br />
The packages.i686 and packages.x86_64 files allow you to install software on just 32bit or 64bit, respectively.<br />
<br />
{{Tip|You can also create a '''[[custom local repository]]''' for the purpose of preparing custom packages or packages from [[AUR]]/[[ABS]]. Just add your local repository at the first position (for top priority) of your build machine's '''pacman.conf''' and you are good to go!}}<br />
I recommend installing "rsync" if you wish to install the system later on with no internet connection, or to skip downloading everything all over again (see [[#Installation]]).<br />
<br />
=== Adding a user ===<br />
<br />
Copy your /etc/shadow, /etc/passwd, and /etc/group from your '''host''' system to the /etc/ directory '''of the new live system''' (which should be ~/archlive/releng/root-image/etc)<br />
e.g.<br />
# cp /etc/{shadow,passwd,group} ~/archlive/releng/root-image/etc/<br />
<br />
{{Warning|The shadow file will contain your hashed password. Before you copy the shadow file over, I recommend changing the password of your host user to the one you want your live user to have; then copy the shadow file over and change your password back.}}<br />
<br />
=== Adding files to image ===<br />
<br />
{{Note|You must be root to do this, do not change the ownership of any of the files you copy over, '''everything''' within the root-image directory must be root owned. Proper ownerships will be sorted out shortly.}}<br />
<br />
The root-image directory acts as an overlay, think of it as root directory '/' on your current system, so any files you place within this directory will be copied over on boot-up.<br />
<br />
So if you have a set of iptables scripts on your current system that you want to be used on your live image, copy them over as such:<br />
# cp -r /etc/iptables ~/archlive/releng/root-image/etc<br />
<br />
Placing files in the users home directory is a little different. Do not place them within root-image/home, but instead create a skel directory within root-image/ and place them there. We will then add the relevant commands to the customize_root_image.sh which we are going to use to copy them over on boot and sort out the permissions.<br />
<br />
First, create the skel directory; making sure you are within ~/archlive/releng/root-image/etc directory (if this is where you are working from):<br />
# cd ~/archlive/releng/root-image/etc && mkdir skel<br />
<br />
Now copy the 'home' files to the skel directory, again doing everything as root!<br />
e.g for .bashrc. <br />
# cp ~/.bashrc ~/archlive/releng/root-image/etc/skel/<br />
<br />
Now add all of the following to ~/archlive/releng/root-image/root/customize_root_image.sh, replacing 'youruser' with the user you specified earlier.<br />
 # Create the user directory for live session<br />
 if [ ! -d /home/'''youruser''' ]; then<br />
     mkdir /home/'''youruser''' && chown '''youruser''' /home/'''youruser'''<br />
 fi<br />
 # Copy files over to home ("/etc/skel/." also copies dotfiles such as .bashrc, which "/etc/skel/*" would skip)<br />
 su -c "cp -r /etc/skel/. /home/'''youruser'''/" '''youruser'''<br />
<br />
=== aitab ===<br />
<br />
The default file should work fine, so you should not need to touch it.<br />
<br />
The aitab file holds information about the filesystems images that must be created by mkarchiso and mounted at initramfs stage from the archiso hook.<br />
It consists of some fields which define the behaviour of images.<br />
<br />
# <img> <mnt> <arch> <sfs_comp> <fs_type> <fs_size><br />
<br />
; <img>: Image name without extension (.fs .fs.sfs .sfs).<br />
; <mnt>: Mount point.<br />
; <arch>: Architecture { i686 | x86_64 | any }.<br />
; <sfs_comp>: SquashFS compression type { gzip | lzo | xz }.<br />
; <fs_type>: Set the filesystem type of the image { ext4 | ext3 | ext2 | xfs }. A special value of "none" denotes no usage of a filesystem. In that case all files are pushed directly to SquashFS filesystem.<br />
; <fs_size>: An absolute value of file system image size in MiB (example: 100, 1000, 4096, etc) A relative value of file system free space [in percent] {1%..99%} (example 50%, 10%, 7%). This is an estimation, and calculated in a simple way. Space used + 10% (estimated for metadata overhead) + desired %<br />
<br />
{{Note|Some combinations are invalid, for example when both sfs_comp and fs_type are set to none.}}<br />
<br />
=== Boot Loader ===<br />
The default file should work fine, so you should not need to touch it.<br />
<br />
Due to the modular nature of isolinux, you are able to use lots of addons since all *.c32 files are copied and available to you. Take a look at the [http://syslinux.zytor.com/wiki/index.php/SYSLINUX official syslinux site] and the [https://projects.archlinux.org/archiso.git/tree/configs/syslinux-iso/boot-files archiso git repo]. Using said addons, it is possible to make visually attractive and complex menus. See [http://syslinux.zytor.com/wiki/index.php/Comboot/menu.c32 here].<br />
<br />
=== Login manager ===<br />
<br />
Starting X at boot time was done by modifying ''inittab'' on [[sysvinit]] systems. On a [[systemd]] based system, things are handled by enabling your login manager's service. If you know which .service file needs a softlink, great. If not, you can easily find out, provided you are using the same program on the system you build your iso on. Just use<br />
<br />
# systemctl disable '''nameofyourloginmanager'''<br />
<br />
to temporarily turn it off. Next, type the same command again, replacing "disable" with "enable", to activate it again. Systemctl prints information about the softlink it creates. Now change to ~/archlive/releng/root-image/etc/systemd/system and create the same softlink there.<br />
<br />
An example (make sure you are either in ~/archlive/releng/root-image/etc/systemd/system or add it to the command):<br />
<br />
# ln -s /usr/lib/systemd/system/lxdm.service display-manager.service<br />
<br />
This will enable LXDM at system start on your live system.<br />
<br />
== Build the ISO ==<br />
<br />
Now you are ready to turn your files into the .iso which you can then burn to CD or USB:<br />
Inside the directory you are working with, either ~/archlive/releng, or ~/archlive/baseline, execute:<br />
<br />
# ./build.sh -v<br />
<br />
The script will now download and install the packages you specified to work/*/root-image, create the kernel and init images, apply your customizations and finally build the iso into out/.<br />
<br />
== Using the ISO ==<br />
=== CD ===<br />
Just burn the iso to a cd. You can follow [[CD Burning]] as you wish.<br />
=== USB ===<br />
You can now write the iso file onto a USB device using dd, an example of which:<br />
 # dd if="$(echo ~/archlive/releng/out/*.iso)" of=/dev/sdx<br />
The glob is expanded through echo because the shell does not expand it inside the if= argument. You will have to adjust accordingly, and make sure you choose the right output file! A simple mistake here will destroy data on your harddisk.<br />
<br />
=== grub4dos ===<br />
Grub4dos is a utility that can be used to create multiboot usbs, able to boot multiple linux distros from the same usb stick.<br />
<br />
To boot the generated system on a usb with grub4dos already installed, loop mount the ISO and copy the entire {{ic|/arch}} directory to the '''root of the usb'''.<br />
Then edit the {{ic|menu.lst}} file from grub4dos (it must be on the usb root) and add these lines:<br />
{{bc|<nowiki><br />
title Archlinux x86_64<br />
kernel /arch/boot/x86_64/vmlinuz archisolabel=<your usb label><br />
initrd /arch/boot/x86_64/archiso.img<br />
</nowiki>}}<br />
Change the {{ic|x86_64}} part as necessary and put your '''real''' usb label there.<br />
<br />
=== Installation ===<br />
<br />
Boot the created CD/DVD/USB. If you wish to install the Archiso you created '''-as it is-''', there are several ways to do this, but either way we're following the [[Beginners' Guide]] mostly.<br />
<br />
If you don't have an internet connection on that PC, or if you don't want to download every package you want again, follow the guide, and when you get to [[Beginners' Guide#Install_the_base_system]], instead of downloading, use this: [[Full System Backup with rsync]]. (more info here: [[Talk:Archiso]])<br />
<br />
You can also try: [[Archboot]], GUI installer.<br />
<br />
== See also ==<br />
*[https://projects.archlinux.org/?p=archiso.git;a=summary Archiso project page]<br />
*[[Archiso_as_pxe_server|Archiso as pxe server]]<br />
*[https://kroweer.wordpress.com/2011/09/07/creating-a-custom-arch-linux-live-usb Step-by-step tutorial on using ArchISO]<br />
*[http://didjix.blogspot.com/ A live DJ distribution powered by ArchLinux and built with Archiso]</div>Clearmartinhttps://wiki.archlinux.org/index.php?title=NFS&diff=289808NFS2013-12-21T19:45:32Z<p>Clearmartin: /* Mounting from Linux */</p>
<hr />
<div>[[Category:File systems]]<br />
[[Category:Networking]]<br />
[[ar:NFS]]<br />
[[de:Network File System]]<br />
[[es:NFS]]<br />
[[fr:NFS]]<br />
[[it:NFSv4]]<br />
[[zh-CN:NFS]]<br />
{{Related articles start}}<br />
{{Related|NFS Troubleshooting}}<br />
{{Related articles end}}<br />
From [[Wikipedia: Network File System|Wikipedia]]: <br />
: ''Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.''<br />
<br />
== Installation ==<br />
<br />
Both client and server only require the [[pacman|installation]] of the {{Pkg|nfs-utils}} package.<br />
<br />
{{Note|It is HIGHLY recommended to use a time sync daemon on ALL nodes of your network to keep client/server clocks in sync. Without accurate clocks on all nodes, NFS can introduce unwanted delays! The [[NTP]] system is recommended to sync both the server and the clients to the highly accurate NTP servers available on the Internet.}}<br />
<br />
==Configuration==<br />
<br />
===Server===<br />
<br />
==== ID mapping ====<br />
<br />
Edit {{ic|/etc/idmapd.conf}} and set the {{ic|Domain}} field to your domain name.<br />
<br />
{{hc|/etc/idmapd.conf|<nowiki><br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
Domain = atomic<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
</nowiki>}}<br />
<br />
==== File system ====<br />
<br />
{{Note|For security reasons, it is recommended to use an NFS export root which will keep users limited to that mount point only. The following example illustrates this concept.}}<br />
<br />
Define any NFS shares in {{ic|/etc/exports}} which are relative to the NFS root. In this example, the NFS root will be {{ic|/srv/nfs4}} and we will be sharing {{ic|/mnt/music}}.<br />
<br />
# mkdir -p /srv/nfs4/music<br />
<br />
Read/Write permissions must be set on the music directory so clients may write to it. <br />
<br />
Now mount the actual target share, {{ic|/mnt/music}} to the NFS share via the mount command:<br />
<br />
# mount --bind /mnt/music /srv/nfs4/music<br />
<br />
To make it stick across server reboots, add the bind mount to {{ic|fstab}}:<br />
{{hc|/etc/fstab|<br />
/mnt/music /srv/nfs4/music none bind 0 0<br />
}}<br />
<br />
==== Exports ====<br />
<br />
Add the directories to be shared, together with the IP address or hostname(s) of the client machines that will be allowed to mount them, in {{ic|exports}}:<br />
{{hc|/etc/exports|<nowiki><br />
/srv/nfs4/ 192.168.0.1/24(rw,fsid=root,no_subtree_check)<br />
/srv/nfs4/music 192.168.0.1/24(rw,no_subtree_check,nohide) # note the nohide option which is applied to mounted directories on the file system.<br />
</nowiki>}}<br />
<br />
Users need not open the share to the entire subnet; one can specify a single IP address or hostname as well.<br />
<br />
For more information about all available options see {{ic|man 5 exports}}.<br />
<br />
If you modify {{ic|/etc/exports}} while the server is running, you must re-export them for changes to take effect:<br />
# exportfs -rav<br />
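
The advice above about not opening a share to a whole subnet can be checked mechanically before running {{ic|exportfs -rav}}. The following shell function is an added example, not part of the original article or of nfs-utils: it lints an exports(5) file for entries that admit more clients than intended. The name {{ic|audit_exports}}, the default /24 threshold and the sample entries are assumptions made for illustration, and paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint an exports(5) file for entries
# that let more clients mount a share than intended.
# Assumptions: export paths contain no spaces; the minimum prefix length
# (default 24) is an arbitrary local policy choice.

# audit_exports FILE [MIN_PREFIX]
# Prints one "path: finding" line per problem and nothing for a clean file.
audit_exports() {
    awk -v minp="${2:-24}" '
    {
        sub(/#.*/, "")                  # drop comments; awk re-splits the fields
        if (NF == 0) next
        path = $1
        if (NF == 1) {                  # a path followed by no client at all
            print path ": no client specified"
            next
        }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                # split "client(opt,opt)" into its parts
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            if (client == "")
                # "host (rw)" with a stray space: the options apply to every host
                print path ": options " $i " apply to any host"
            else if (client == "*")
                print path ": wildcard client, any host may mount"
            else if (client ~ /^[0-9.]+\/[0-9]+$/) {
                split(client, part, "/")
                if (part[2] + 0 < minp + 0)
                    print path ": network " client " is wider than /" minp
            }
            if (("," opts ",") ~ /,no_root_squash,/)
                print path ": no_root_squash for " (client == "" ? "any host" : client)
        }
    }' "$1"
}

# Constructed sample input: the two entries from this page plus three
# deliberately risky ones.
sample_exports() {
    cat <<'EOF'
/srv/nfs4/       192.168.0.1/24(rw,fsid=root,no_subtree_check)
/srv/nfs4/music  192.168.0.1/24(rw,no_subtree_check,nohide) # bind-mounted share
/srv/nfs4/pub    *(ro)
/srv/nfs4/wide   10.0.0.0/8(rw,no_root_squash)
/srv/nfs4/typo   192.168.0.7 (rw)
EOF
}

# Run the demonstration only when asked to: sh audit_exports.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_exports > "$tmp"
    audit_exports "$tmp"
    rm -f "$tmp"
fi
```

Run it against the live file with {{ic|audit_exports /etc/exports}}; the two entries shown on this page produce no findings at the default threshold.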
<br />
==== Starting the server ====<br />
<br />
Start {{ic|rpc-idmapd.service}} and {{ic|rpc-mountd.service}} [[systemd#Using units|using systemd]]. If you want them running at boot time, enable them. Note that these units require other services, which are launched automatically by [[systemd]].<br />
<br />
==== Firewall configuration ====<br />
<br />
To enable access through a firewall, tcp and udp ports 111, 2049, and 20048 need to be opened. To configure this for [[iptables]], edit {{ic|/etc/iptables/iptables.rules}} to include the following lines:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 111 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 20048 -j ACCEPT<br />
</nowiki>}}<br />
<br />
To apply changes, restart {{ic|iptables}} service.<br />
<br />
=== Client ===<br />
<br />
Clients need to start {{ic|rpc-gssd.service}} to avoid a delay of approximately 15 seconds, accompanied by an error in dmesg that reads "RPC: AUTH_GSS upcall timed out".<br />
<br />
{{Note|The server does not need to run this service.}}<br />
<br />
==== Mounting from Linux ====<br />
<br />
Show the server's exported filesystems:<br />
$ showmount -e servername<br />
<br />
Then mount omitting the server's NFS export root: <br />
# mount -t nfs4 servername:/music /mountpoint/on/client<br />
<br />
{{Note|Server name needs to be a valid hostname (not just IP address). Otherwise mounting of remote share will hang.}}<br />
<br />
===== using /etc/fstab =====<br />
<br />
Using [[fstab]] is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit {{ic|/etc/fstab}} file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.<br />
<br />
{{hc|/etc/fstab|<nowiki><br />
servername:/music /mountpoint/on/client nfs4 rsize=8192,wsize=8192,timeo=14,intr,_netdev 0 0<br />
</nowiki>}}<br />
<br />
{{Note|Consult the NFS and mount man pages for more mount options.}}<br />
<br />
Some additional mount options to consider include:<br />
<br />
; rsize and wsize: The {{ic|rsize}} value is the number of bytes used when reading from the server. The {{ic|wsize}} value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see [[#Performance tuning]].<br />
<br />
; timeo: The {{ic|timeo}} value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value. <br />
<br />
; intr: The {{ic|intr}} option allows signals to interrupt the file operation if a major timeout occurs for a hard-mounted share.<br />
<br />
; _netdev: The {{ic|_netdev}} option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but it is good practice to use it for all types of networked filesystems.<br />
<br />
===== Using autofs =====<br />
<br />
Using [[autofs]] is useful when multiple machines want to connect via NFS; they could both be clients as well as servers. The reason this method is preferable over the earlier one is that if the server is switched off, the client will not throw errors about being unable to find NFS shares. See [[autofs#NFS network mounts]] for details.<br />
<br />
==== Mounting from Windows ====<br />
<br />
{{Note|Only the Ultimate and Enterprise editions of Windows 7 and the Enterprise edition of Windows 8 include "Client for NFS".}}<br />
NFS shares can be mounted from Windows if the "Client for NFS" service is activated (which it is not by default).<br />
To install the service go to "Programs and features" in the Control Panel and click on "Turn Windows features on or off". Locate "Services for NFS" and activate it as well as both subservices ("Administrative tools" and "Client for NFS").<br />
<br />
Some global options can be set by opening the "Services for Network File System" (locate it with the search box) and right click on ''client > properties''.<br />
<br />
{{Warning|Serious performance issues may occur (it randomly takes 30-60 seconds to display a folder, 2 MB/s file copy speed on gigabit LAN, ...) to which Microsoft does not have a solution yet.[https://social.technet.microsoft.com/Forums/en-CA/w7itpronetworking/thread/40cc01e3-65e4-4bb6-855e-cef1364a60ac]}}<br />
<br />
To mount a share using Explorer:<br />
<br />
{{ic|Computer}} > {{ic|Map network drive}} > {{ic|servername:/srv/nfs4/music}}<br />
<br />
==== Mounting from OS X ====<br />
<br />
{{Note|OS X by default uses an insecure (>1024) port to mount a share.}}<br />
Either export the share with the {{ic|insecure}} flag, and mount using Finder:<br />
<br />
{{ic|Go}} > {{ic|Connect to Server}} > {{ic|nfs://servername/}}<br />
<br />
Or, mount the share using a secure port using the terminal:<br />
# mount -t nfs -o resvport servername:/srv/nfs4 /Volumes/servername<br />
<br />
== Tips and tricks ==<br />
<br />
=== Performance tuning ===<br />
<br />
In order to get the most out of NFS, it is necessary to tune the {{ic|rsize}} and {{ic|wsize}} mount options to meet the requirements of the network configuration.<br />
<br />
=== Automatic mount handling ===<br />
<br />
This trick is useful for laptops that require nfs shares from a local wireless network. If the nfs host becomes unreachable, the nfs share will be unmounted to hopefully prevent system hangs when using the hard mount option. See https://bbs.archlinux.org/viewtopic.php?pid=1260240#p1260240<br />
<br />
Make sure that the NFS mount points are correctly indicated in {{ic|/etc/fstab}}:<br />
<br />
{{hc|$ cat /etc/fstab|<nowiki><br />
lithium:/mnt/data /mnt/data nfs noauto,noatime,rsize=32768,wsize=32768,intr,hard 0 0<br />
lithium:/var/cache/pacman /var/cache/pacman nfs noauto,noatime,rsize=32768,wsize=32768,intr,hard 0 0</nowiki><br />
}}<br />
<br />
The {{ic|noauto}} mount option tells systemd not to automatically mount the shares at boot. systemd would otherwise attempt to mount the nfs shares that may or may not exist on the network causing the boot process to appear to stall on a blank screen.<br />
<br />
To allow a non-root user to mount an NFS share, the {{ic|user}} option may need to be added to the fstab entry. Also enable {{ic|rpc-statd.service}}.<br />
<br />
Create the {{ic|auto_share}} script that will be used by ''cron'' to check if the NFS host is reachable:<br />
<br />
{{hc|/root/bin/auto_share|<nowiki><br />
#!/bin/bash<br />
<br />
SERVER="YOUR_NFS_HOST"<br />
<br />
# Mount points (second fstab field) of all uncommented entries whose source contains a colon<br />
MOUNT_POINTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " " | cut -f2 -d" ")<br />
<br />
ping -c 1 "${SERVER}" &>/dev/null<br />
<br />
if [ $? -ne 0 ]; then<br />
    # The server could not be reached, unmount the shares<br />
    for umntpnt in ${MOUNT_POINTS}; do<br />
        umount -l -f "$umntpnt" &>/dev/null<br />
    done<br />
else<br />
    # The server is up, make sure the shares are mounted<br />
    for mntpnt in ${MOUNT_POINTS}; do<br />
        mountpoint -q "$mntpnt" || mount "$mntpnt"<br />
    done<br />
fi<br />
</nowiki>}}<br />
<br />
# chmod +x /root/bin/auto_share<br />
<br />
Create the root cron entry to run {{ic|auto_share}} every minute:<br />
<br />
{{hc|# crontab -e|<nowiki><br />
* * * * * /root/bin/auto_share<br />
</nowiki>}}<br />
<br />
A systemd unit file can also be used to mount the NFS shares at startup. The unit file is not necessary if NetworkManager is installed and configured on the client system. See [[#NetworkManager dispatcher]].<br />
<br />
{{hc|/etc/systemd/system/auto_share.service|<nowiki><br />
[Unit]<br />
Description=NFS automount<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/root/bin/auto_share<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
Now enable {{ic|auto_share}}.<br />
<br />
==== NetworkManager dispatcher ====<br />
<br />
In addition to the method described previously, NetworkManager can also be configured to run a script on network status change.<br />
<br />
Enable and start the {{ic|NetworkManager-dispatcher}} service.<br />
<br />
The easiest method to mount shares on network status change is to just symlink to the {{ic|auto_share}} script:<br />
<br />
# ln -s /root/bin/auto_share /etc/NetworkManager/dispatcher.d/30_nfs.sh<br />
<br />
Or use the following mounting script that checks for network availability:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/30_nfs.sh|<nowiki><br />
#!/bin/bash<br />
<br />
SSID="CHANGE_ME"<br />
<br />
# Mount points (second fstab field) of all uncommented entries whose source contains a colon<br />
MOUNT_POINTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " " | cut -f2 -d" ")<br />
<br />
# Field 10 of the nmcli line matching the SSID is expected to read "yes" when that network is up<br />
ISNETUP=$(nmcli dev wifi 2>/dev/null | \grep "$SSID" | tr -s ' ' | cut -f 10 -d ' ')<br />
<br />
# echo "$ISNETUP" >> /tmp/nm_dispatch_log<br />
<br />
if [[ "$ISNETUP" == "yes" ]]; then<br />
    # The network is up, make sure the shares are mounted<br />
    for mntpnt in ${MOUNT_POINTS}; do<br />
        mountpoint -q "$mntpnt" || mount "$mntpnt"<br />
    done<br />
else<br />
    # The network is down, unmount the shares<br />
    for srvexp in ${MOUNT_POINTS}; do<br />
        umount -l -f "$srvexp" &>/dev/null<br />
    done<br />
fi<br />
</nowiki>}}<br />
<br />
Now when the wireless SSID "CHANGE_ME" goes up or down, the {{ic|30_nfs.sh}} script will be called to mount or unmount the shares as soon as possible.<br />
<br />
=== Configure NFS fixed ports ===<br />
<br />
{{Out of date|This section originally referred to NFS version 3.}}<br />
If you have a port-based [[firewall]], you might want to set up fixed ports. For rpc.statd and rpc.mountd, set the following in {{ic|/etc/conf.d/nfs-common}} and {{ic|/etc/conf.d/nfs-server}} (the port numbers can be different):<br />
<br />
{{hc|/etc/conf.d/nfs-common|2=STATD_OPTS="-p 4000 -o 4003"}}<br />
{{hc|/etc/conf.d/nfs-server|2=MOUNTD_OPTS="--no-nfs-version 2 -p 4002"}}<br />
{{hc|/etc/modprobe.d/lockd.conf|2=# Static ports for NFS lockd<br />
options lockd nlm_udpport=4001 nlm_tcpport=4001}}<br />
<br />
After restarting the {{ic|nfs-common}} and {{ic|nfs-server}} daemons and reloading the {{ic|lockd}} module, you can check the ports in use with the following command:<br />
{{hc|$ rpcinfo -p|<br />
program vers proto port service<br />
100000 4 tcp 111 portmapper<br />
100000 3 tcp 111 portmapper<br />
100000 2 tcp 111 portmapper<br />
100000 4 udp 111 portmapper<br />
100000 3 udp 111 portmapper<br />
100000 2 udp 111 portmapper<br />
100024 1 udp 4000 status<br />
100024 1 tcp 4000 status<br />
100021 1 udp 4001 nlockmgr<br />
100021 3 udp 4001 nlockmgr<br />
100021 4 udp 4001 nlockmgr<br />
100021 1 tcp 4001 nlockmgr<br />
100021 3 tcp 4001 nlockmgr<br />
100021 4 tcp 4001 nlockmgr<br />
100003 2 tcp 2049 nfs<br />
100003 3 tcp 2049 nfs<br />
100003 4 tcp 2049 nfs<br />
100003 2 udp 2049 nfs<br />
100003 3 udp 2049 nfs<br />
100003 4 udp 2049 nfs<br />
100005 3 udp 4002 mountd<br />
100005 3 tcp 4002 mountd<br />
}}<br />
<br />
Then, you need to open ports 111, 2049, 4000, 4001, 4002 and 4003 for both TCP and UDP.<br />
<br />
== Troubleshooting ==<br />
<br />
There is a dedicated article [[NFS Troubleshooting]].<br />
<br />
== See also ==<br />
<br />
* See also [[Avahi]], a Zeroconf implementation which allows automatic discovery of NFS shares.<br />
* HOWTO: [[Diskless network boot NFS root]]<br />
* [http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.prftungd/doc/prftungd/nfs_perf.htm NFS Performance Management]<br />
* If you are setting up the Arch Linux NFS server for use by Windows clients through Microsoft's SFU, you will save a lot of time and hair-scratching by looking at [https://bbs.archlinux.org/viewtopic.php?pid=523934#p523934 this forum post] first!<br />
* [http://blogs.msdn.com/sfu/archive/2008/04/14/all-well-almost-about-client-for-nfs-configuration-and-performance.aspx Microsoft Services for Unix NFS Client info]<br />
* [http://blogs.msdn.com/sfu/archive/2007/05/01/unix-interoperability-and-windows-vista.aspx Unix interoperability and Windows Vista] Prerequisites to connect to NFS with Vista</div>Clearmartinhttps://wiki.archlinux.org/index.php?title=NFS&diff=289807NFS2013-12-21T19:44:20Z<p>Clearmartin: /* Mounting from Linux */</p>
<hr />
<div>[[Category:File systems]]<br />
[[Category:Networking]]<br />
[[ar:NFS]]<br />
[[de:Network File System]]<br />
[[es:NFS]]<br />
[[fr:NFS]]<br />
[[it:NFSv4]]<br />
[[zh-CN:NFS]]<br />
{{Related articles start}}<br />
{{Related|NFS Troubleshooting}}<br />
{{Related articles end}}<br />
From [[Wikipedia: Network File System|Wikipedia]]: <br />
: ''Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems in 1984, allowing a user on a client computer to access files over a network in a manner similar to how local storage is accessed.''<br />
<br />
== Installation ==<br />
<br />
Both client and server only require the [[pacman|installation]] of the {{Pkg|nfs-utils}} package.<br />
<br />
{{Note|It is HIGHLY recommended to use a time sync daemon on ALL nodes of your network to keep client/server clocks in sync. Without accurate clocks on all nodes, NFS can introduce unwanted delays! The [[NTP]] system is recommended to sync both the server and the clients to the highly accurate NTP servers available on the Internet.}}<br />
<br />
==Configuration==<br />
<br />
===Server===<br />
<br />
==== ID mapping ====<br />
<br />
Edit {{ic|/etc/idmapd.conf}} and set the {{ic|Domain}} field to your domain name.<br />
<br />
{{hc|/etc/idmapd.conf|<nowiki><br />
[General]<br />
<br />
Verbosity = 1<br />
Pipefs-Directory = /var/lib/nfs/rpc_pipefs<br />
Domain = atomic<br />
<br />
[Mapping]<br />
<br />
Nobody-User = nobody<br />
Nobody-Group = nobody<br />
</nowiki>}}<br />
<br />
==== File system ====<br />
<br />
{{Note|For security reasons, it is recommended to use an NFS export root which will keep users limited to that mount point only. The following example illustrates this concept.}}<br />
<br />
Define any NFS shares in {{ic|/etc/exports}} which are relative to the NFS root. In this example, the NFS root will be {{ic|/srv/nfs4}} and we will be sharing {{ic|/mnt/music}}.<br />
<br />
# mkdir -p /srv/nfs4/music<br />
<br />
Read/Write permissions must be set on the music directory so clients may write to it. <br />
<br />
Now mount the actual target share, {{ic|/mnt/music}} to the NFS share via the mount command:<br />
<br />
# mount --bind /mnt/music /srv/nfs4/music<br />
<br />
To make it stick across server reboots, add the bind mount to {{ic|fstab}}:<br />
{{hc|/etc/fstab|<br />
/mnt/music /srv/nfs4/music none bind 0 0<br />
}}<br />
<br />
==== Exports ====<br />
<br />
Add the directories to be shared, together with the IP address or hostname(s) of the client machines that will be allowed to mount them, in {{ic|exports}}:<br />
{{hc|/etc/exports|<nowiki><br />
/srv/nfs4/ 192.168.0.1/24(rw,fsid=root,no_subtree_check)<br />
/srv/nfs4/music 192.168.0.1/24(rw,no_subtree_check,nohide) # note the nohide option which is applied to mounted directories on the file system.<br />
</nowiki>}}<br />
<br />
Users need not open the share to the entire subnet; one can specify a single IP address or hostname as well.<br />
<br />
For more information about all available options see {{ic|man 5 exports}}.<br />
<br />
If you modify {{ic|/etc/exports}} while the server is running, you must re-export them for changes to take effect:<br />
# exportfs -rav<br />
<br />
==== Starting the server ====<br />
<br />
Start {{ic|rpc-idmapd.service}} and {{ic|rpc-mountd.service}} [[systemd#Using units|using systemd]]. If you want them running at boot time, enable them. Note that these units require other services, which are launched automatically by [[systemd]].<br />
<br />
==== Firewall configuration ====<br />
<br />
To enable access through a firewall, tcp and udp ports 111, 2049, and 20048 need to be opened. To configure this for [[iptables]], edit {{ic|/etc/iptables/iptables.rules}} to include the following lines:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<nowiki><br />
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 20048 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 111 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT<br />
-A INPUT -p udp -m udp --dport 20048 -j ACCEPT<br />
</nowiki>}}<br />
<br />
To apply changes, restart {{ic|iptables}} service.<br />
<br />
=== Client ===<br />
<br />
Clients need to start {{ic|rpc-gssd.service}} to avoid a delay of approximately 15 seconds, accompanied by an error in dmesg that reads "RPC: AUTH_GSS upcall timed out".<br />
<br />
{{Note|The server does not need to run this service.}}<br />
<br />
==== Mounting from Linux ====<br />
<br />
Show the server's exported filesystems:<br />
$ showmount -e servername<br />
<br />
Then mount omitting the server's NFS export root: <br />
# mount -t nfs4 servername:/music /mountpoint/on/client<br />
<br />
{{Note|Server name needs to be a valid hostname, not just IP address. Otherwise mounting of remote share will hang.}}<br />
<br />
===== using /etc/fstab =====<br />
<br />
Using [[fstab]] is useful for a server which is always on, and the NFS shares are available whenever the client boots up. Edit {{ic|/etc/fstab}} file, and add an appropriate line reflecting the setup. Again, the server's NFS export root is omitted.<br />
<br />
{{hc|/etc/fstab|<nowiki><br />
servername:/music /mountpoint/on/client nfs4 rsize=8192,wsize=8192,timeo=14,intr,_netdev 0 0<br />
</nowiki>}}<br />
<br />
{{Note|Consult the NFS and mount man pages for more mount options.}}<br />
<br />
Some additional mount options to consider include:<br />
<br />
; rsize and wsize: The {{ic|rsize}} value is the number of bytes used when reading from the server. The {{ic|wsize}} value is the number of bytes used when writing to the server. The default for both is 1024, but using higher values such as 8192 can improve throughput. This is not universal. It is recommended to test after making this change, see [[#Performance tuning]].<br />
<br />
; timeo: The {{ic|timeo}} value is the amount of time, in tenths of a second, to wait before resending a transmission after an RPC timeout. After the first timeout, the timeout value is doubled for each retry for a maximum of 60 seconds or until a major timeout occurs. If connecting to a slow server or over a busy network, better performance can be achieved by increasing this timeout value. <br />
<br />
; intr: The {{ic|intr}} option allows signals to interrupt the file operation if a major timeout occurs for a hard-mounted share.<br />
<br />
; _netdev: The {{ic|_netdev}} option tells the system to wait until the network is up before trying to mount the share. systemd assumes this for NFS, but it is good practice to use it for all types of networked filesystems.<br />
<br />
===== Using autofs =====<br />
<br />
Using [[autofs]] is useful when multiple machines want to connect via NFS; they could both be clients as well as servers. The reason this method is preferable over the earlier one is that if the server is switched off, the client will not throw errors about being unable to find NFS shares. See [[autofs#NFS network mounts]] for details.<br />
<br />
==== Mounting from Windows ====<br />
<br />
{{Note|Only the Ultimate and Enterprise editions of Windows 7 and the Enterprise edition of Windows 8 include "Client for NFS".}}<br />
NFS shares can be mounted from Windows if the "Client for NFS" service is activated (which it is not by default).<br />
To install the service go to "Programs and features" in the Control Panel and click on "Turn Windows features on or off". Locate "Services for NFS" and activate it as well as both subservices ("Administrative tools" and "Client for NFS").<br />
<br />
Some global options can be set by opening the "Services for Network File System" (locate it with the search box) and right click on ''client > properties''.<br />
<br />
{{Warning|Serious performance issues may occur (it randomly takes 30-60 seconds to display a folder, 2 MB/s file copy speed on gigabit LAN, ...) to which Microsoft does not have a solution yet.[https://social.technet.microsoft.com/Forums/en-CA/w7itpronetworking/thread/40cc01e3-65e4-4bb6-855e-cef1364a60ac]}}<br />
<br />
To mount a share using Explorer:<br />
<br />
{{ic|Computer}} > {{ic|Map network drive}} > {{ic|servername:/srv/nfs4/music}}<br />
<br />
==== Mounting from OS X ====<br />
<br />
{{Note|OS X by default uses an insecure (>1024) port to mount a share.}}<br />
Either export the share with the {{ic|insecure}} flag, and mount using Finder:<br />
<br />
{{ic|Go}} > {{ic|Connect to Server}} > {{ic|nfs://servername/}}<br />
<br />
Or, mount the share using a secure port using the terminal:<br />
# mount -t nfs -o resvport servername:/srv/nfs4 /Volumes/servername<br />
<br />
== Tips and tricks ==<br />
<br />
=== Performance tuning ===<br />
<br />
In order to get the most out of NFS, it is necessary to tune the {{ic|rsize}} and {{ic|wsize}} mount options to meet the requirements of the network configuration.<br />
<br />
=== Automatic mount handling ===<br />
<br />
This trick is useful for laptops that require nfs shares from a local wireless network. If the nfs host becomes unreachable, the nfs share will be unmounted to hopefully prevent system hangs when using the hard mount option. See https://bbs.archlinux.org/viewtopic.php?pid=1260240#p1260240<br />
<br />
Make sure that the NFS mount points are correctly indicated in {{ic|/etc/fstab}}:<br />
<br />
{{hc|$ cat /etc/fstab|<nowiki><br />
lithium:/mnt/data /mnt/data nfs noauto,noatime,rsize=32768,wsize=32768,intr,hard 0 0<br />
lithium:/var/cache/pacman /var/cache/pacman nfs noauto,noatime,rsize=32768,wsize=32768,intr,hard 0 0</nowiki><br />
}}<br />
<br />
The {{ic|noauto}} mount option tells systemd not to automatically mount the shares at boot. systemd would otherwise attempt to mount the nfs shares that may or may not exist on the network causing the boot process to appear to stall on a blank screen.<br />
<br />
To allow a non-root user to mount an NFS share, the {{ic|user}} option may need to be added to the fstab entry. Also enable {{ic|rpc-statd.service}}.<br />
<br />
Create the {{ic|auto_share}} script that will be used by ''cron'' to check if the NFS host is reachable:<br />
<br />
{{hc|/root/bin/auto_share|<nowiki><br />
#!/bin/bash<br />
<br />
SERVER="YOUR_NFS_HOST"<br />
<br />
# Mount points (second fstab field) of all uncommented entries whose source contains a colon<br />
MOUNT_POINTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " " | cut -f2 -d" ")<br />
<br />
ping -c 1 "${SERVER}" &>/dev/null<br />
<br />
if [ $? -ne 0 ]; then<br />
    # The server could not be reached, unmount the shares<br />
    for umntpnt in ${MOUNT_POINTS}; do<br />
        umount -l -f "$umntpnt" &>/dev/null<br />
    done<br />
else<br />
    # The server is up, make sure the shares are mounted<br />
    for mntpnt in ${MOUNT_POINTS}; do<br />
        mountpoint -q "$mntpnt" || mount "$mntpnt"<br />
    done<br />
fi<br />
</nowiki>}}<br />
<br />
# chmod +x /root/bin/auto_share<br />
<br />
Create the root cron entry to run {{ic|auto_share}} every minute:<br />
<br />
{{hc|# crontab -e|<nowiki><br />
* * * * * /root/bin/auto_share<br />
</nowiki>}}<br />
<br />
A systemd unit file can also be used to mount the NFS shares at startup. The unit file is not necessary if NetworkManager is installed and configured on the client system. See [[#NetworkManager dispatcher]].<br />
<br />
{{hc|/etc/systemd/system/auto_share.service|<nowiki><br />
[Unit]<br />
Description=NFS automount<br />
<br />
[Service]<br />
Type=oneshot<br />
RemainAfterExit=yes<br />
ExecStart=/root/bin/auto_share<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
Now enable {{ic|auto_share}}.<br />
<br />
==== NetworkManager dispatcher ====<br />
<br />
In addition to the method described previously, NetworkManager can also be configured to run a script on network status change.<br />
<br />
Enable and start the {{ic|NetworkManager-dispatcher}} service.<br />
<br />
The easiest method to mount shares on network status change is to just symlink to the {{ic|auto_share}} script:<br />
<br />
# ln -s /root/bin/auto_share /etc/NetworkManager/dispatcher.d/30_nfs.sh<br />
<br />
Or use the following mounting script that checks for network availability:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/30_nfs.sh|<nowiki><br />
#!/bin/bash<br />
<br />
SSID="CHANGE_ME"<br />
<br />
# Mount points (second fstab field) of all uncommented entries whose source contains a colon<br />
MOUNT_POINTS=$(sed -e '/^.*#/d' -e '/^.*:/!d' -e 's/\t/ /g' /etc/fstab | tr -s " " | cut -f2 -d" ")<br />
<br />
# Field 10 of the nmcli line matching the SSID is expected to read "yes" when that network is up<br />
ISNETUP=$(nmcli dev wifi 2>/dev/null | \grep "$SSID" | tr -s ' ' | cut -f 10 -d ' ')<br />
<br />
# echo "$ISNETUP" >> /tmp/nm_dispatch_log<br />
<br />
if [[ "$ISNETUP" == "yes" ]]; then<br />
    # The network is up, make sure the shares are mounted<br />
    for mntpnt in ${MOUNT_POINTS}; do<br />
        mountpoint -q "$mntpnt" || mount "$mntpnt"<br />
    done<br />
else<br />
    # The network is down, unmount the shares<br />
    for srvexp in ${MOUNT_POINTS}; do<br />
        umount -l -f "$srvexp" &>/dev/null<br />
    done<br />
fi<br />
</nowiki>}}<br />
<br />
Now when the wireless SSID "CHANGE_ME" goes up or down, the {{ic|30_nfs.sh}} script will be called to mount or unmount the shares as soon as possible.<br />
<br />
=== Configure NFS fixed ports ===<br />
<br />
{{Out of date|This section originally referred to NFS version 3.}}<br />
If you have a port-based [[firewall]], you might want to set up fixed ports. For rpc.statd and rpc.mountd, set the following in {{ic|/etc/conf.d/nfs-common}} and {{ic|/etc/conf.d/nfs-server}} (the port numbers can be different):<br />
<br />
{{hc|/etc/conf.d/nfs-common|2=STATD_OPTS="-p 4000 -o 4003"}}<br />
{{hc|/etc/conf.d/nfs-server|2=MOUNTD_OPTS="--no-nfs-version 2 -p 4002"}}<br />
{{hc|/etc/modprobe.d/lockd.conf|2=# Static ports for NFS lockd<br />
options lockd nlm_udpport=4001 nlm_tcpport=4001}}<br />
<br />
After restarting the {{ic|nfs-common}} and {{ic|nfs-server}} daemons and reloading the {{ic|lockd}} module, you can check the ports in use with the following command:<br />
{{hc|$ rpcinfo -p|<br />
program vers proto port service<br />
100000 4 tcp 111 portmapper<br />
100000 3 tcp 111 portmapper<br />
100000 2 tcp 111 portmapper<br />
100000 4 udp 111 portmapper<br />
100000 3 udp 111 portmapper<br />
100000 2 udp 111 portmapper<br />
100024 1 udp 4000 status<br />
100024 1 tcp 4000 status<br />
100021 1 udp 4001 nlockmgr<br />
100021 3 udp 4001 nlockmgr<br />
100021 4 udp 4001 nlockmgr<br />
100021 1 tcp 4001 nlockmgr<br />
100021 3 tcp 4001 nlockmgr<br />
100021 4 tcp 4001 nlockmgr<br />
100003 2 tcp 2049 nfs<br />
100003 3 tcp 2049 nfs<br />
100003 4 tcp 2049 nfs<br />
100003 2 udp 2049 nfs<br />
100003 3 udp 2049 nfs<br />
100003 4 udp 2049 nfs<br />
100005 3 udp 4002 mountd<br />
100005 3 tcp 4002 mountd<br />
}}<br />
<br />
Then, you need to open ports 111, 2049, 4000, 4001, 4002 and 4003 for both TCP and UDP.<br />
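<br />
As an added example (not part of the wiki page), the shell functions below audit {{ic|rpcinfo -p}} output against the fixed ports chosen in this section and report any service still registered on a dynamic port, which a port-based firewall would silently block. The function names are hypothetical and the sample listing is constructed.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# Service-to-port pins taken from the configuration in this section.
EXPECTED_PORTS='portmapper=111 nfs=2049 status=4000 nlockmgr=4001 mountd=4002'

# Constructed sample in `rpcinfo -p` format: nlockmgr is on dynamic ports,
# as it would be if the lockd module options had not been applied.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp   4000  status
    100024    1   tcp   4000  status
    100021    1   udp  38467  nlockmgr
    100021    3   udp  38467  nlockmgr
    100021    1   tcp  41235  nlockmgr
    100003    4   tcp   2049  nfs
    100005    3   udp   4002  mountd
    100005    3   tcp   4002  mountd'

# check_rpc_ports: read `rpcinfo -p` text on stdin and print one finding per
# service/protocol/port that does not match the pinned port:
#   DRIFT <service> <proto> <port> expected <pinned port>
#   UNKNOWN <service> <proto> <port>      (service with no pin defined)
check_rpc_ports() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        # Data rows start with a numeric program number; the header does not.
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            svc = $5; proto = $3; port = $4
            key = svc " " proto " " port
            # Each RPC version gets its own row; report a combination once.
            if (seen[key]++) next
            if (!(svc in want))
                print "UNKNOWN " svc " " proto " " port
            else if (port != want[svc])
                print "DRIFT " svc " " proto " " port " expected " want[svc]
        }
    '
}

# firewall_ports: read `rpcinfo -p` text on stdin and print the sorted,
# de-duplicated proto/port pairs that are actually registered.
firewall_ports() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { print $3 "/" $4 }' |
        sort -u -t/ -k1,1 -k2,2n
}

# Demo on the constructed sample; on a server run: rpcinfo -p | check_rpc_ports
printf '%s\n' "$SAMPLE_RPCINFO" | check_rpc_ports
```

An empty result from {{ic|check_rpc_ports}} means every registered service matches its pin; the outgoing statd port set with {{ic|-o}} is not registered with the portmapper and therefore does not appear in this output.<br />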
<br />
== Troubleshooting ==<br />
<br />
There is a dedicated article [[NFS Troubleshooting]].<br />
<br />
== See also ==<br />
<br />
* See also [[Avahi]], a Zeroconf implementation which allows automatic discovery of NFS shares.<br />
* HOWTO: [[Diskless network boot NFS root]]<br />
* [http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.prftungd/doc/prftungd/nfs_perf.htm NFS Performance Management]<br />
* If you are setting up the Arch Linux NFS server for use by Windows clients through Microsoft's SFU, you will save a lot of time and hair-scratching by looking at [https://bbs.archlinux.org/viewtopic.php?pid=523934#p523934 this forum post] first!<br />
* [http://blogs.msdn.com/sfu/archive/2008/04/14/all-well-almost-about-client-for-nfs-configuration-and-performance.aspx Microsoft Services for Unix NFS Client info]<br />
* [http://blogs.msdn.com/sfu/archive/2007/05/01/unix-interoperability-and-windows-vista.aspx Unix interoperability and Windows Vista] Prerequisites to connect to NFS with Vista</div>Clearmartin