https://wiki.archlinux.org/api.php?action=feedcontributions&user=GSF1200S&feedformat=atom
ArchWiki - User contributions [en]
2024-03-29T10:44:43Z
User contributions
MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=List_of_applications/Multimedia&diff=494742
List of applications/Multimedia
2017-11-02T06:07:39Z
<p>GSF1200S: /* Audio tag editors */ Added thunar-media-tags-plugin as thunar is a popular file manager and this is a simple/effective tag editor without need of an external application.</p>
<hr />
<div><noinclude><br />
[[Category:Applications]]<br />
[[Category:Multimedia]]<br />
[[es:List of applications/Multimedia]]<br />
[[it:List of applications/Multimedia]]<br />
[[ja:アプリケーション一覧/マルチメディア]]<br />
[[ru:List of applications/Multimedia]]<br />
[[uk:List of applications/Multimedia]]<br />
[[zh-hans:List of applications/Multimedia]]<br />
[[zh-hant:List of applications/Multimedia]]<br />
{{List of applications navigation}}<br />
</noinclude><br />
== Multimedia ==<br />
<br />
=== Codecs ===<br />
<br />
See the main article: [[Codecs]].<br />
<br />
=== Image ===<br />
<br />
==== Image viewers ====<br />
<br />
See also [[Wikipedia:Comparison of image viewers]].<br />
<br />
===== Console =====<br />
<br />
* {{App|fbi|Image viewer for the Linux framebuffer console.|https://www.kraxel.org/blog/linux/fbida/|{{Pkg|fbida}}}}<br />
* {{App|fbv|Very simple graphic file viewer for the framebuffer console.|http://s-tech.elsat.net.pl/fbv/|{{Pkg|fbv}}}}<br />
* {{App|fim|Highly customizable and scriptable framebuffer image viewer based on fbi.|http://www.nongnu.org/fbi-improved/|{{AUR|fim}}}}<br />
* {{App|jfbview|Framebuffer PDF and image viewer based on Imlib2. Features include Vim-like controls, rotation and zoom, zoom-to-fit, and fast multi-threaded rendering.|http://seasonofcode.com/pages/jfbview.html|{{AUR|jfbview}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|Deepin Image Viewer|Image viewer for the Deepin desktop environment.|https://github.com/linuxdeepin/deepin-image-viewer|{{Pkg|deepin-image-viewer}}}}<br />
* {{App|Ephoto|A light image viewer based on EFL.|https://www.enlightenment.org/about-ephoto|{{AUR|ephoto-git}}}}<br />
* {{App|[[Wikipedia:Eye_of_GNOME|Eye of GNOME]]|Image viewing and cataloging program, which is a part of the GNOME desktop environment.|https://wiki.gnome.org/Apps/EyeOfGnome|{{Pkg|eog}}}}<br />
* {{App|Eye of MATE|Simple graphics viewer for the MATE desktop.|https://github.com/mate-desktop/eom|{{Pkg|eom}}}}<br />
* {{App|EyeSight|Image viewer for the Hawaii desktop environment.|http://hawaiios.org/projects/eyesight/|{{AUR|eyesight}}}}<br />
* {{App|[[feh]]|Fast, lightweight image viewer that uses imlib2.|https://feh.finalrewind.org/|{{Pkg|feh}}}}<br />
* {{App|GalaPix|OpenGL-based image viewer for simultaneously viewing and zooming large collections of image files.|https://github.com/Galapix/galapix|{{AUR|galapix}}}}<br />
* {{App|[[Wikipedia:Geeqie|Geeqie]]|Image browser and viewer (fork of GQview) that adds additional functionality such as support for RAW files.|http://geeqie.org/|{{Pkg|geeqie}}}}<br />
* {{App|Gimmage|Gtkmm image viewer.|https://sourceforge.net/projects/gimmage.berlios/|{{Pkg|gimmage}}}}<br />
* {{App|GNOME Photos|Access, organize, and share your photos on GNOME.|https://wiki.gnome.org/Apps/Photos|{{Pkg|gnome-photos}}}}<br />
* {{App|GPicView|Simple and fast image viewer for X, which is part of the [[LXDE]] desktop.|http://lxde.sourceforge.net/gpicview/|GTK+ 2: {{Pkg|gpicview}}, GTK+ 3: {{Pkg|gpicview-gtk3}}}}<br />
* {{App|[[Wikipedia:GQview|GQview]]|Image browser that features single-click access to view images and move around the directory tree.|http://gqview.sourceforge.net/|{{AUR|gqview-devel}}}}<br />
* {{App|[[Wikipedia:GThumb|gThumb]]|Image viewer for the GNOME desktop.|https://wiki.gnome.org/Apps/gthumb|{{Pkg|gthumb}}}}<br />
* {{App|[[Wikipedia:Gwenview|Gwenview]]|Fast and easy to use image viewer for the KDE desktop.|http://gwenview.sourceforge.net/|{{Pkg|gwenview}}}}<br />
* {{App|imv|Lightweight image viewer with support for Wayland and animated GIFs which uses FreeImage.|https://www.github.com/eXeC64/imv/|{{Pkg|imv}}}}<br />
* {{App|LxImage-Qt|The LXQt image viewer.|https://github.com/lxde/lximage-qt|{{Pkg|lximage-qt}}}}<br />
* {{App|meh|Small, simple, super fast image viewer using raw Xlib.|http://www.johnhawthorn.com/meh/|{{AUR|meh-git}}}}<br />
* {{App|Mirage|PyGTK image viewer featuring support for crop and resize, custom actions and a thumbnail panel.|https://sourceforge.net/projects/mirageiv.berlios/|{{Pkg|mirage}}}}<br />
* {{App|nomacs|Free (GPLv3) Qt image viewer for many operating systems. It is feature-rich but starts fast and can be configured to show additional widgets or only the image.|http://www.nomacs.org/|{{Pkg|nomacs}}}}<br />
* {{App|Pantheon Photos|Image viewer for Pantheon.|https://launchpad.net/pantheon-photos|{{Pkg|pantheon-photos}}}}<br />
* {{App|Phototonic|Fast and functional image viewer and organizer (Qt).|http://oferkv.github.io/phototonic/|{{AUR|phototonic}}}}<br />
* {{App|PhotoQt|Fast and highly configurable image viewer with a simple and nice interface.|http://photoqt.org/|{{AUR|photoqt}}}}<br />
* {{App|Quick Image Viewer|Very small and fast image viewer based on GTK+ and imlib2.|http://spiegl.de/qiv/|{{Pkg|qiv}}}}<br />
* {{App|Ristretto|Fast and lightweight image viewer for the Xfce desktop environment.|http://docs.xfce.org/apps/ristretto/start|{{Pkg|ristretto}}}}<br />
* {{App|Shotwell|Digital photo organizer designed for the GNOME desktop environment.|https://wiki.gnome.org/Apps/Shotwell|{{Pkg|shotwell}}}}<br />
* {{App|shufti|Non-destructively saves and restores the zoom level, rotation, window size, desktop location and viewing area on a per-image/file location basis.|https://github.com/danboid/shufti|{{AUR|shufti}}}}<br />
* {{App|[[sxiv]]|Simple image viewer based on imlib2 that works well with tiling window managers.|https://github.com/muennich/sxiv|{{Pkg|sxiv}}}}<br />
* {{App|Viewnior|Minimalistic GTK+ image viewer featuring support for flipping, rotating, animations and configurable mouse actions.|http://siyanpanayotov.com/project/viewnior/|{{Pkg|viewnior}}}}<br />
* {{App|Vimiv|Image viewer with vim-like keybindings, written in Python 3 using the GTK+ 3 toolkit.|http://karlch.github.io/vimiv|{{Pkg|vimiv}}}}<br />
* {{App|Xloadimage|Classic X image viewer.|http://sioseis.ucsd.edu/xloadimage.html|{{Pkg|xloadimage}}}}<br />
* {{App|[[Wikipedia:XnView|XnView MP]]|Efficient proprietary image viewer, browser and converter.|http://www.xnview.com/en/xnviewmp/|{{AUR|xnviewmp}}}}<br />
* {{App|[[Wikipedia:Xv_(software)|xv]]|Shareware program written by John Bradley to display and modify digital images under the X Window System. Last released in 1994.|http://www.trilon.com/xv/|{{AUR|xv}}}}<br />
<br />
==== Graphics and image manipulation ====<br />
<br />
===== Raster editors =====<br />
<br />
See also [[Wikipedia:Comparison of raster graphics editors]].<br />
<br />
* {{App|AzPainter|Painting software.|http://azpainter.sourceforge.jp/|{{AUR|azpainter}}}}<br />
* {{App|[[Wikipedia:darktable|darktable]]|Photography workflow and RAW development application.|http://www.darktable.org/|{{Pkg|darktable}}}}<br />
* {{App|[[Wikipedia:RawTherapee|RawTherapee]]|A powerful cross-platform raw image processing program.|http://www.rawtherapee.com/|{{Pkg|rawtherapee}}}}<br />
* {{App|dcraw|Converts many camera RAW formats.|http://www.cybercom.net/~dcoffin/dcraw/|{{Pkg|dcraw}}}}<br />
* {{App|[[Wikipedia:digiKam|digiKam]]|KDE-based image organizer with built-in editing features via a plugin architecture. digiKam claims to be more fully featured than similar applications, with a larger set of image manipulation features including RAW image import and manipulation.|http://www.digikam.org/|{{Pkg|digikam}}}}<br />
* {{App|[[GIMP]]|Image editing suite in the vein of proprietary editors such as [[Wikipedia:Adobe Photoshop|Adobe Photoshop]]. GIMP ([[GNU]] Image Manipulation Program) was started in the mid-1990s and has acquired a large number of [[CMYK support in The GIMP|plugins]] and additional tools.|http://www.gimp.org/|{{Pkg|gimp}}}}<br />
* {{App|G'MIC|Full-featured open-source framework for image processing, providing several different user interfaces to convert/manipulate/filter/visualize generic image datasets, ranging from 1d scalar signals to 3d+t sequences of multi-spectral volumetric images, including 2d color images.|http://www.gmic.eu/|{{Pkg|gmic}}}}<br />
* {{App|[[Wikipedia:GNU Paint|Gpaint]]|[[Wikipedia:PC_Paintbrush|Paintbrush]] clone for GNOME.|https://www.gnu.org/software/gpaint/|{{AUR|gpaint}}}}<br />
* {{App|[[Wikipedia:GraphicsMagick|GraphicsMagick]]|Fork of ImageMagick designed to have API and command-line stability. It also supports multiple CPUs for enhanced performance and is therefore used by some large commercial sites (Flickr, Etsy).|http://www.graphicsmagick.org/|{{Pkg|graphicsmagick}}}}<br />
* {{App|[[Wikipedia:ImageMagick|ImageMagick]]|Command-line image manipulation program. It is known for its accurate format conversions with support for over 100 formats. Its API enables it to be scripted and it is usually used as a backend processor.|http://www.imagemagick.org/script/index.php|{{Pkg|imagemagick}}}}<br />
* {{App|[[Wikipedia:KolourPaint|KolourPaint]]|Free raster graphics editor for KDE, similar to Microsoft's Paint application before Windows 7, but with some additional features such as support for transparency. Part of {{Grp|kde-applications}} and {{Grp|kdegraphics}} groups.|http://kolourpaint.org|{{Pkg|kolourpaint}}}}<br />
* {{App|[[Wikipedia:Krita|Krita]]|Digital painting and illustration software based on the KDE platform.|http://krita.org/|{{Pkg|krita}}}}<br />
* {{App|Luminance HDR|Open source graphical user interface application that aims to provide a workflow for HDR imaging.|http://qtpfsgui.sourceforge.net/|{{Pkg|luminancehdr}}}}<br />
* {{App|mtPaint|Graphics editing program geared towards creating indexed palette images and pixel art.|http://mtpaint.sourceforge.net/|{{Pkg|mtpaint}}}}<br />
* {{App|[[Wikipedia:MyPaint|MyPaint]]|Free software graphics application for digital painters.|http://mypaint.org|{{Pkg|mypaint}}}}<br />
* {{App|[[Wikipedia:Pinta (software)|Pinta]]|Drawing and editing program modeled after [[Wikipedia:Paint.net|Paint.NET]]. Its goal is to provide a simplified alternative to GIMP for casual users.|http://pinta-project.com/|{{Pkg|pinta}}}}<br />
* {{App|[[Wikipedia:XPaint|XPaint]]|Color image editing tool which features most standard paint program options.|https://sourceforge.net/projects/sf-xpaint/|{{AUR|xpaint}}}}<br />
<br />
Some image viewers like Ephoto, GNOME Photos, [[Wikipedia:GThumb|gThumb]], nomacs, Pantheon Photos, Phototonic, [[Wikipedia:Shotwell_(software)|Shotwell]] and [[Wikipedia:XnView|XnView MP]] also provide some basic image manipulation functionality.<br />
<br />
===== Vector graphics - illustration =====<br />
<br />
See also [[Wikipedia:Comparison of vector graphics editors]].<br />
<br />
* {{App|[[Wikipedia:Asymptote_(vector_graphics_language)|Asymptote]]|A descriptive vector graphics language (like PGF/TikZ and Metapost) with a C-like syntax and LaTeX support.|http://asymptote.sourceforge.net|{{Pkg|asymptote}}}}<br />
* {{App|[[Wikipedia:Dia_(software)|Dia]]|GTK+-based diagram creation program.|https://wiki.gnome.org/Apps/Dia|{{Pkg|dia}}}}<br />
* {{App|[[Wikipedia:Graphviz|Graphviz]]|Set of tools for drawing graphs in the descriptive DOT language.|http://www.graphviz.org|{{Pkg|graphviz}}}}<br />
* {{App|Gravit|Vector graphics design tool for users of all skill levels and professions.|https://gravit.io/|{{AUR|gravit-git}}{{Broken package link|package not found}}}}<br />
* {{App|[[Wikipedia:Inkscape|Inkscape]]|Vector graphics editor, with capabilities similar to [[Wikipedia:Adobe Illustrator|Illustrator]], [[Wikipedia:CorelDRAW|CorelDraw]], or [[Wikipedia:Xara X|Xara X]], using the SVG (Scalable Vector Graphics) file format. Inkscape supports many advanced SVG features (markers, clones, alpha blending, etc.) and great care is taken in designing a streamlined interface. It is very easy to edit nodes, perform complex path operations, trace bitmaps and much more. Its developers also aim to maintain a thriving user and developer community by using open, community-oriented development.|http://inkscape.org/|{{Pkg|inkscape}}}}<br />
* {{App|Mockingbot|Prototyping and collaboration design tool.|http://mockingbot.com/|{{AUR|mockingbot}}}}<br />
* {{App|[[Wikipedia:Karbon (software)|Karbon]]|Vector graphics editor, part of the Calligra Suite.|http://www.calligra-suite.org/karbon/|{{Pkg|calligra}}}}<br />
* {{App|[[Wikipedia:Pencil2D|Pencil Project]]|An open-source GUI prototyping and mockup tool.|http://pencil.evolus.vn/|{{AUR|pencil}}}}<br />
* {{App|qasm2circ|Quantum circuit generator for LaTeX.|http://www.media.mit.edu/quanta/qasm2circ/|{{AUR|qasm2circ}}}}<br />
* {{App|[[Wikipedia:SK1_(program)|sK1]]|Replacement for Adobe Illustrator or CorelDraw, oriented for "prepress ready" PostScript & PDF output.|http://sk1project.net/|{{Pkg|sk1}}}}<br />
* {{App|[[Wikipedia:yEd|yEd]]|General-purpose diagramming program for flowcharts, network diagrams, UML diagrams, BPMN diagrams, mind maps, organization charts, and Entity Relationship diagrams.|http://www.yworks.com/en/products_yed_about.html|{{AUR|yed}}}}<br />
<br />
===== Vector graphics - CAD =====<br />
<br />
See also [[Wikipedia:List of computer-aided design editors]].<br />
<br />
* {{App|[[Wikipedia:BRL-CAD|BRL-CAD]]|Constructive solid geometry (CSG) solid modeling computer-aided design (CAD) system that includes an interactive geometry editor, ray tracing support for graphics rendering and geometric analysis, computer network distributed framebuffer support, scripting, image-processing and signal-processing tools.|http://brlcad.org/|{{AUR|brlcad}}}}<br />
* {{App|DraftSight|Dassault Systemes' freeware 2D CAD application. DraftSight allows users to access DWG/DXF files, regardless of which CAD software was originally used to create them.|http://www.3ds.com/products-services/draftsight/overview/|{{AUR|draftsight}}}}<br />
* {{App|[[Wikipedia:FreeCAD|FreeCAD]]|CAD/CAE program, based on OpenCascade, Qt and Python, with features such as macro recording, workbenches and the ability to run as a server.|https://github.com/FreeCAD/FreeCAD|{{Pkg|freecad}}}}<br />
* {{App|LeoCAD|CAD program for creating virtual LEGO models. It has an easy-to-use interface and currently includes over 6000 different pieces created by the LDraw community.|http://leocad.org|{{AUR|leocad}}}}<br />
* {{App|[[Wikipedia:LibreCAD|LibreCAD]]|Powerful 2D CAD application based on Qt. It has been forked from QCad Community Edition.|http://www.librecad.org/|{{Pkg|librecad}}}}<br />
* {{App|[[Wikipedia:OpenSCAD|OpenSCAD]]|Open source 2D/3D CAD that uses a programmer's approach.|http://www.openscad.org|{{Pkg|openscad}} {{AUR|openscad-git}}}}<br />
* {{App|[[Wikipedia:QCad|QCAD]]|Powerful 2D CAD application that began in 1999. QCAD uses the DXF standard file format and supports the HPGL format.|http://www.qcad.org/|{{Pkg|qcad}}}}<br />
<br />
===== 3D modeling/rendering =====<br />
<br />
See also [[Wikipedia:Comparison of 3D computer graphics software]].<br />
<br />
* {{App|[[Wikipedia:Art_of_Illusion|Art of Illusion]]|3D modeling and rendering studio written in Java.|http://www.artofillusion.org/|{{AUR|aoi}}}}<br />
* {{App|[[Wikipedia:Blender_(software)|Blender]]|Fully integrated 3D graphics creation suite capable of 3D modeling, texturing, and animation, among other things.|http://www.blender.org/|{{Pkg|blender}}}}<br />
* {{App|Goxel|Open Source 3D voxel editor.|https://guillaumechereau.github.io/goxel/|{{AUR|goxel}}}}<br />
* {{App|[[Wikipedia:MakeHuman|MakeHuman™]]|Parametrical modeling program for creating human bodies.|http://www.makehuman.org/|{{AUR|makehuman}}}}<br />
* {{App|[[Wikipedia:POV-Ray|POV-Ray]]|Script-based raytracer for creating 3D graphics.|http://www.povray.org/|{{Pkg|povray}}}}<br />
* {{App|VoxelShop|Extremely intuitive and powerful software to modify and create voxel objects.|https://blackflux.com/node/11|{{AUR|voxelshop}}}}<br />
* {{App|[[Wikipedia:Wings3d|Wings 3D]]|Advanced subdivision modeler that is both powerful and easy to use.|http://www.wings3d.com/|{{Pkg|wings3d}}}}<br />
<br />
==== Screen capture ====<br />
<br />
See also: [[Taking a screenshot]].<br />
<br />
=== Audio ===<br />
<br />
==== Audio systems ====<br />
<br />
See the main article: [[Sound system]].<br />
<br />
See also [[Wikipedia:Sound server]].<br />
<br />
* {{App|wineasio|Provides an ASIO to JACK driver for ''wine''. ASIO is the most common Windows low-latency driver, so it is commonly used in audio workstation programs.|https://sourceforge.net/projects/wineasio/|{{AUR|wineasio}}}}<br />
<br />
==== Audio players ====<br />
<br />
See also [[Wikipedia:Comparison of audio player software]].<br />
<br />
===== Music player daemons and clients =====<br />
<br />
See also [[Music_Player_Daemon#Clients|List of MPD clients]].<br />
<br />
* {{App|[[Music Player Daemon]]|Lightweight and scalable choice for music management.|http://www.musicpd.org/|{{Pkg|mpd}}}}<br />
* {{App|[[Wikipedia:XMMS2|XMMS2]]|Complete rewrite of the popular music player.|https://xmms2.org|{{Pkg|xmms2}}}}<br />
<br />
===== Command-line players =====<br />
<br />
* {{App|[[cmus]]|Very feature-rich ncurses-based music player.|https://cmus.github.io/|{{Pkg|cmus}}}}<br />
* {{App|Cplay|Curses front-end for various audio players (ogg123, mpg123, mpg321, splay, madplay, mikmod, xmp and sox).|https://directory.fsf.org/wiki/Cplay|{{AUR|cplay}}}}<br />
* {{App|Herrie|Minimalistic console-based music player with native AudioScrobbler support.|https://github.com/EdSchouten/herrie|{{AUR|herrie}}}}<br />
* {{App|[[Moc|MOC]]|Ncurses console audio player with support for the MP3, OGG, and WAV formats.|https://moc.daper.net/|{{Pkg|moc}}}}<br />
* {{App|MPFC|GStreamer-based audio player with curses interface.|https://code.google.com/archive/p/mpfc/|{{AUR|mpfc}}}}<br />
* {{App|[[Wikipedia:Mpg123|mpg123]]|Fast free MP3 console audio player for Linux, FreeBSD, Solaris, HP-UX and nearly all other UNIX systems (also decodes MP1 and MP2 files).|https://www.mpg123.org/|{{Pkg|mpg123}}}}<br />
* {{App|mps-youtube|Terminal based YouTube jukebox with playlist management. Plays audio/video through mplayer/mpv.|https://github.com/mps-youtube/mps-youtube|{{Pkg|mps-youtube}}}}<br />
* {{App|pancake|CLI Pandora client built with urwid.|https://github.com/osum4est/pancake/}}<br />
* {{App|[[pianobar]]|Console-based frontend for the online radio Pandora.|https://6xq.net/projects/pianobar/|{{Pkg|pianobar}}}}<br />
* {{App|[[Wikipedia:VLC_media_player|VLC]]|Highly portable multimedia player with ncurses interface module, and multimedia framework capable of reading most audio and video formats as well as DVDs, Audio CDs, VCDs, and various streaming protocols.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|whistle|Curses-based command-line audio player.|https://github.com/ap0calypse/whistle/|{{AUR|whistle-git}}}}<br />
<br />
===== GUI players =====<br />
<br />
* {{App|[[Amarok]]|Mature Qt-based player known for its plethora of features.|https://amarok.kde.org/|{{Pkg|amarok}}}}<br />
* {{App|[[Audacious]]|[[Wikipedia:Winamp|Winamp]] clone like Beep and old XMMS versions.|http://audacious-media-player.org/|{{Pkg|audacious}}}}<br />
* {{App|[[Wikipedia:Banshee (media player)|Banshee]]|[[Wikipedia:iTunes|iTunes]] clone, built with GTK+ and [[Mono]], feature-rich.|http://banshee.fm/|{{AUR|banshee}}}}<br />
* {{App|[[Wikipedia:Clementine_(software)|Clementine]]|Amarok 1.4 clone, ported to Qt 4.|https://www.clementine-player.org/|{{Pkg|clementine}}}}<br />
* {{App|Cuberok|Music player and collection manager with a lightweight interface.|https://code.google.com/archive/p/cuberok/|{{AUR|cuberok}}}}<br />
* {{App|DeaDBeeF|Light and fast music player with many features, no GNOME or KDE dependencies, supports console-only, as well as a GTK+ GUI, comes with many plugins, and has a metadata editor.|http://deadbeef.sourceforge.net/|{{Pkg|deadbeef}}}}<br />
* {{App|[[Exaile]]|GTK+ clone of Amarok.|http://www.exaile.org/|{{AUR|exaile}}}}<br />
* {{App|gmusicbrowser|Open-source jukebox for large collections of MP3/OGG/FLAC files.|https://gmusicbrowser.org/|{{AUR|gmusicbrowser}}}}<br />
* {{App|GNOME Music|The new GNOME music-playing application. It aims to combine an elegant and immersive browsing experience with simple and straightforward controls.|https://wiki.gnome.org/Apps/Music|{{Pkg|gnome-music}}}}<br />
* {{App|Goggles Music Manager|Music collection manager and player that automatically categorizes your music, supports gapless playback, features easy tag editing, and internet radio support. Uses the [[Wikipedia:Fox toolkit|Fox toolkit]].|https://gogglesmm.github.io/|{{Pkg|gogglesmm}}}}<br />
* {{App|Guayadeque|Full featured media player that can easily manage large collections and uses the GStreamer media framework.|http://guayadeque.org/|{{AUR|guayadeque}}}}<br />
* {{App|[[Wikipedia:JuK|JuK]]|Audio jukebox application, supporting collections of MP3, Ogg Vorbis, and FLAC audio files.|https://www.kde.org/applications/multimedia/juk/|{{Pkg|kdemultimedia-juk}}}}<br />
* {{App|Kaku|Highly integrated music player that supports different online platforms such as YouTube, SoundCloud, Vimeo and more.|https://github.com/EragonJ/Kaku|{{AUR|kaku-bin}}}}<br />
* {{App|Listen|Music player and manager for GNOME, written in Python.|https://launchpad.net/listen|{{AUR|listen}}}}<br />
* {{App|Lollypop|A GNOME music player.|https://gnumdk.github.io/lollypop-web/|{{Pkg|lollypop}}}}<br />
* {{App|LXMusic|A minimalist xmms2-based music player.|https://wiki.lxde.org/en/LXMusic|{{Pkg|lxmusic}}}}<br />
* {{App|Miam-player|Cross-platform open source music player.|https://miam-player.org/|{{AUR|miam-player}}}}<br />
* {{App|Muine|Music player written in C#.|https://muine.gooeylinux.org/|{{Pkg|muine}}}}<br />
* {{App|Musique|Just another music player, only better.|http://flavio.tordini.org/musique|{{AUR|musique}}}}<br />
* {{App|[[Wikipedia:Nightingale (software)|Nightingale]]|Open source iTunes clone based on [[Wikipedia:Songbird (software)|Songbird]], which uses Mozilla technologies and the GStreamer framework.|https://getnightingale.com/|{{AUR|nightingale-git}}}}<br />
* {{App|Noise|Simple, fast, and good-looking music player. The official elementary music player.|https://launchpad.net/noise|{{Pkg|noise-player}}{{Broken package link|replaced by {{Pkg|pantheon-music}}}}}}<br />
* {{App|Nuvola Player|Integrated Google Music, 8tracks and Hype Machine player.|https://tiliado.eu/nuvolaplayer/|{{AUR|nuvolaplayer}}{{Broken package link|package not found}}}}<br />
* {{App|pithos|Python/GTK Pandora Radio desktop client.|https://pithos.github.io/|{{AUR|pithos}}}}<br />
* {{App|Pragha|GTK+ music manager (fork of the Consonance Music Manager).|https://pragha-music-player.github.io/|{{Pkg|pragha}}}}<br />
* {{App|Qmmp|Qt-based multimedia player with a user interface that is similar to Winamp or XMMS.|http://qmmp.ylsoftware.com/|{{Pkg|qmmp}}}}<br />
* {{App|[[Wikipedia:Quod Libet (software)|Quod Libet]]|Audio player written with PyGTK and GStreamer with support for regular expressions in playlists.|https://github.com/quodlibet/quodlibet/|{{Pkg|quodlibet}}}}<br />
* {{App|[[Wikipedia:Rhythmbox|Rhythmbox]]|GTK+ clone of iTunes, used by default in GNOME.|https://wiki.gnome.org/Apps/Rhythmbox|{{Pkg|rhythmbox}}}}<br />
* {{App|Sayonara|Small, clear and fast audio player for Linux written in C++ with the Qt framework.|https://sayonara-player.com/|{{AUR|sayonara-player}}}}<br />
* {{App|[[Spotify]]|Proprietary music streaming service. It supports local playback and streaming from Spotify's vast library (requires a free account).|https://www.spotify.com/|{{AUR|spotify}}}}<br />
* {{App|[[SpotCommander]]|Remote control for Spotify, optimized for mobile devices. It works on any device with a modern browser, and it is free and open source.|https://olejon.github.io/spotcommander/|{{AUR|spotcommander}}}}<br />
* {{App|Tomahawk|Music player application written in C++/Qt. It decouples the name of the song from the source it was shared from, and fulfills the request using all of your available sources.|https://www.tomahawk-player.org/|{{AUR|tomahawk}}}}<br />
* {{App|[[Wikipedia:VLC_media_player|VLC]]|Highly portable multimedia player and multimedia framework capable of reading most audio and video formats as well as DVDs, Audio CDs, VCDs, and various streaming protocols.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|[[wikipedia:XMMS|XMMS]]|Skinnable GTK+ standalone media player similar to Winamp.|https://legacy.xmms2.org/|{{AUR|xmms}}}}<br />
<br />
==== Volume managers ====<br />
<br />
* {{App|GVolWheel|An audio mixer which lets you control the volume through a tray icon.|https://sourceforge.net/projects/gvolwheel/|{{AUR|gvolwheel}}}}<br />
* {{App|pa-applet|PulseAudio system tray applet with volume bar.|https://github.com/fernandotcl/pa-applet|{{AUR|pa-applet-git}}}}<br />
* {{App|PNMixer|A fork of Obmixer. It has many new features such as ALSA channel selection, connect/disconnect detection, shortcuts, etc.|https://github.com/nicklan/pnmixer/wiki|{{AUR|pnmixer}}}}<br />
* {{App|Volctl|Per-application volume control for GNU/Linux desktops.|https://buzz.github.io/volctl/|{{AUR|volctl}}}}<br />
* {{App|[[Volnoti]]|A lightweight volume notification daemon for GNU/Linux and other POSIX operating systems.|https://github.com/davidbrazdil/volnoti|{{AUR|volnoti}}}}<br />
* {{App|Volti|A GTK application for controlling audio volume from system tray with an internal mixer and support for multimedia keys that uses only ALSA.|https://github.com/gen2brain/volti|{{AUR|volti}}}}<br />
* {{App|VolumeIcon|Another volume control for your system tray with channel selection, themes and an external mixer.|http://softwarebakery.com/maato/volumeicon.html|{{Pkg|volumeicon}}}}<br />
* {{App|VolWheel|A little application which lets you control the sound volume easily through a tray icon you can scroll on.|http://oliwer.net/b/volwheel.html|{{Pkg|volwheel}}}}<br />
<br />
==== CD ripping ====<br />
<br />
See [[Optical disc drive#CD 2]].<br />
<br />
==== Visualization ====<br />
<br />
* {{App|[[Wikipedia:MilkDrop|ProjectM]]|Music visualizer which uses 3D accelerated iterative image-based rendering.|http://projectm.sourceforge.net/|{{Pkg|projectm}}}}<br />
* {{App|[[Wikipedia:VSXu|VSXu]]|Free to use program that lets you create and perform real-time audio visual presets.|http://www.vsxu.com/|{{AUR|vsxu}}}}<br />
* {{App|C.A.V.A.|Console-based audio visualizer for ALSA, MPD and PulseAudio.|https://karlstav.github.io/cava/|{{AUR|cava}}}}<br />
* {{App|cli-visualizer|A highly configurable CLI-based audio visualizer.|https://github.com/dpayne/cli-visualizer|{{AUR|cli-visualizer}}}}<br />
<br />
==== Audio tag editors ====<br />
<br />
* {{App|Audio Tag Tool|Tool to edit tags in MP3 and Ogg Vorbis files.|http://tagtool.sourceforge.net/|{{AUR|tagtool}}}}<br />
* {{App|[[Wikipedia:EasyTag|EasyTag]]|Utility for viewing, editing and writing ID3 tags of music files, supports many audio formats.|http://easytag.sourceforge.net/|{{Pkg|easytag}}}}<br />
* {{App|[[Wikipedia:Ex Falso (software)|Ex Falso]]|Cross-platform free and open source audio tag editor and library organizer.|https://github.com/quodlibet/quodlibet/|{{AUR|exfalso}}}}<br />
* {{App|ID3 Mass Tagger|Command-line utility to edit ID3 1.x and 2.x tags.|http://squell.github.io/id3/|{{Pkg|id3}}}}<br />
* {{App|Kid3|Tag editor for MP3, Ogg/Vorbis, FLAC, MPC, MP4/AAC, MP2, Speex, TrueAudio, WavPack, WMA, WAV and AIFF files.|http://kid3.sourceforge.net/|{{Pkg|kid3}}}}<br />
* {{App|MP3Info|MP3 technical info viewer and ID3 1.x tag editor.|http://ibiblio.org/mp3info/|{{Pkg|mp3info}}}}<br />
* {{App|[[Wikipedia:MusicBrainz Picard|MusicBrainz Picard]]|Cross-platform audio tag editor written in Python (the official MusicBrainz tagger).|http://musicbrainz.org/doc/MusicBrainz_Picard|{{Pkg|picard}}}}<br />
* {{App|[[Wikipedia:Puddletag|Puddletag]]|Replacement for the famous MP3tag for Windows.|http://puddletag.sourceforge.net/|{{Pkg|puddletag}}}}<br />
* {{App|taffy|Simple command-line tag editor for many audio formats.|https://github.com/jangler/taffy|{{AUR|taffy}}}}<br />
* {{App|Qoobar|Universal Qt-based audio tagger (specialized for classical music).|http://qoobar.sourceforge.net/en/index.htm|{{AUR|qoobar}}}}<br />
* {{App|Tag Editor|A tag editor with Qt 5 GUI and command-line interface supporting MP4/AAC (iTunes), ID3v1, ID3v2, Ogg/Vorbis and Matroska.|https://github.com/Martchus/tageditor|{{AUR|tageditor}}}}<br />
* {{App|Thunar Media Tags Plugin|Adds special features for media files to the Thunar File Manager, including the ability to edit tags.|http://goodies.xfce.org/projects/thunar-plugins/thunar-media-tags-plugin|{{Pkg|thunar-media-tags-plugin}}}}<br />
<br />
==== Sound editing ====<br />
<br />
* {{App|[[Wikipedia:Ardour (software)|Ardour]]|Multichannel hard disk recorder and digital audio workstation.|http://ardour.org/|{{Pkg|ardour}}}}<br />
* {{App|[[Wikipedia:Audacity (audio editor)|Audacity]]|Program that lets you manipulate digital audio waveforms.|http://audacity.sourceforge.net/|{{Pkg|audacity}}}}<br />
* {{App|Bitwig Studio|Proprietary professional digital audio workstation.|http://bitwig.com/|{{AUR|bitwig-studio}}}}<br />
* {{App|Gnac|Audio converter for GNOME.|http://gnac.sourceforge.net/|{{Pkg|gnac}}}}<br />
* {{App|GNOME Sound Recorder|Enables you to record and play .flac, .ogg (OGG audio, or .oga) and .wav sound files.|https://wiki.gnome.org/Design/Apps/SoundRecorder|{{Pkg|gnome-sound-recorder}}}}<br />
* {{App|[[Wikipedia:Jokosher|Jokosher]]|Non-linear multi-track digital audio editor that is being developed in Python, using the GTK+ interface and GStreamer as an audio back-end.|https://launchpad.net/jokosher/|{{AUR|jokosher}}}}<br />
* {{App|KWave|Sound editor for KDE.|http://kwave.sourceforge.net/|{{Pkg|kwave}}}}<br />
* {{App|[[LMMS]]|The Linux MultiMedia Studio. Free cross-platform software which allows you to produce music with your computer.|http://lmms.sourceforge.net/|{{Pkg|lmms}}}}<br />
* {{App|[[Wikipedia:Qtractor|Qtractor]]|Qt-based hard disk recorder and digital audio workstation application that aims to provide digital audio workstation software simple enough for the average home user, and yet powerful enough for the professional user.|http://qtractor.sourceforge.net/qtractor-index.html|{{Pkg|qtractor}}}}<br />
* {{App|[[Wikipedia:Rosegarden|Rosegarden]]|Digital audio workstation program developed with ALSA and Qt that acts as an audio and MIDI sequencer, scorewriter and musical composition and editing tool.|http://www.rosegardenmusic.com/|{{Pkg|rosegarden}}}}<br />
* {{App|XCFA|Tool to extract the contents of audio CDs and convert them to various formats.|http://www.xcfa.tuxfamily.org/|{{AUR|xcfa}}}}<br />
<br />
=== Video ===<br />
<br />
==== Video players ====<br />
<br />
See also [[Wikipedia:Comparison of video player software]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[FFmpeg|FFplay]]|Very simple and portable media player using the FFmpeg libraries and the SDL library.|http://ffmpeg.org/|{{Pkg|ffmpeg}}}}<br />
* {{App|[[GStreamer|gst-play-1.0]]|Simple command line playback testing tool for GStreamer.|https://gstreamer.freedesktop.org/|{{Pkg|gst-plugins-base-libs}}}}<br />
* {{App|[[MPlayer]]|Video player that supports a complete and versatile array of video and audio formats.|http://www.mplayerhq.hu/design7/news.html|{{Pkg|mplayer}}}}<br />
* {{App|[[mpv]]|Movie player based on MPlayer and mplayer2.|http://mpv.io|{{Pkg|mpv}}}}<br />
* {{App|[[Wikipedia:xine|xine-ui]]|Free multimedia player.|http://www.xine-project.org|{{Pkg|xine-ui}}}}<br />
* {{App|[[VLC media player|VLC media player (Ncurses interface)]]|Command-line version of the famous video player that can play smoothly high definition videos in the TTY. Can be launched with {{ic|vlc -I ncurses}}.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
<br />
===== Graphical =====<br />
<br />
See also: [[MPlayer#Frontends/GUIs]], [[mpv#Front ends]].<br />
<br />
* {{App|Deepin Movie|Movie player based on QtAV.|https://github.com/linuxdeepin/deepin-movie|{{Pkg|deepin-movie}}}}<br />
* {{App|[[Wikipedia:Kdemultimedia#Dragon Player|Dragon Player]]|Simple video player for KDE. Part of the {{Grp|kdemultimedia}} group.|https://www.kde.org/applications/multimedia/dragonplayer/|{{Pkg|dragon}}}}<br />
* {{App|[[Wikipedia:GNOME Videos|GNOME Videos]]|Media player (audio and video) for the GNOME desktop that uses GStreamer. Part of {{Grp|gnome}}|https://wiki.gnome.org/Apps/Videos|{{Pkg|totem}}}}<br />
* {{App|[[Wikipedia:Kaffeine|Kaffeine]]|Very versatile KDE media player that, by default, utilizes VLC as its backend and has excellent support of digital TV (DVB).|https://www.kde.org/applications/multimedia/kaffeine/|{{Pkg|kaffeine}}}}<br />
* {{App|Parole|Modern media player based on the GStreamer framework.|http://goodies.xfce.org/projects/applications/parole/|{{Pkg|parole}}}}<br />
* {{App|Rage|Video and audio player written with Enlightenment Foundation Libraries with some extra bells and whistles.|http://www.enlightenment.org/p.php?p&#61;about/rage|{{AUR|rage}}}}<br />
* {{App|Snappy|Powerful media player with a minimalistic interface that uses GStreamer.|https://wiki.gnome.org/Apps/Snappy|{{Pkg|snappy-player}}}}<br />
* {{App|QMLPlayer|Simple media player based on QtAV.|http://www.qtav.org/|{{Pkg|qtav}}}}<br />
* {{App|QMPlay2|Qt-based video player that can play and stream all formats supported by FFmpeg and libmodplug. It has an integrated module system, which includes a YouTube browser.|3=http://qt-apps.org/content/show.php/QMPlay2?content=153339|4={{AUR|qmplay2}}}}<br />
* {{App|[[VLC media player]]|Middleweight video player with support for a wide variety of audio and video formats.|https://www.videolan.org/vlc/|{{Pkg|vlc}}}}<br />
* {{App|Whaaw! Media Player|Lightweight GStreamer-based audio and video player that can serve as a good alternative to Totem for those who do not like all of those GNOME dependencies.|http://home.gna.org/whaawmp/|{{AUR|whaawmp}}}}<br />
* {{App|Xnoise|GTK+ and GStreamer-based media player for both audio and video with "a slick GUI, great speed and lots of features." (development ceased)|http://www.xnoise-media-player.com/|{{Pkg|xnoise}}}}<br />
<br />
==== Subtitles ====<br />
<br />
* {{App|[[Wikipedia:Aegisub|Aegisub]]|Subtitle editor.|https://github.com/Aegisub/Aegisub|{{Pkg|aegisub}}}}<br />
* {{App|Gaupol|Full-featured subtitle editor.|http://home.gna.org/gaupol|{{Pkg|gaupol}}}}<br />
* {{App|[[Wikipedia:Gnome Subtitles|Gnome Subtitles]]|Video subtitle editor for GNOME.|http://www.gnomesubtitles.org/|{{Pkg|gnome-subtitles}}}}<br />
* {{App|Jubler|Open-source multiplatform subtitle editor written in Java.|http://www.jubler.org|{{AUR|jubler}}}}<br />
* {{App|Penguin Subtitle Player|Open-source, cross-platform standalone subtitle player, an alternative to Greenfish Subtitle Player, SrtViewer (Mac), SRTPlayer, JustSubsPlayer and Free Subtitle Player.|https://github.com/carsonip/Penguin-Subtitle-Player|{{AUR|penguin-subtitle-player-git}}}}<br />
* {{App|subdl|Automatic subtitle downloader.|https://github.com/akexakex/subdl|{{Pkg|subdl}}}}<br />
* {{App|Subtitle Composer|Open-source subtitle editor with a Qt 5 based GUI that supports various formats, features different player backends and can display the audio waveform.|https://github.com/maxrd2/subtitlecomposer|{{AUR|subtitlecomposer}}}}<br />
* {{App|[[Wikipedia:Subtitle_Edit|Subtitle Edit]]|Subtitle editing program. Written in C# using mono.|https://github.com/SubtitleEdit/subtitleedit|{{AUR|subtitleedit}}}}<br />
* {{App|SubtitlesPrinter|Print subtitles above a X-screen, independently of the video player.|https://github.com/OlivierMarty/SubtitlesPrinter|{{AUR|subtitles-printer-git}}}}<br />
<br />
==== DVD ripping ====<br />
<br />
See [[Optical disc drive#DVD 2]].<br />
<br />
==== Video editors ====<br />
<br />
See also [[Wikipedia:Comparison of video editing software]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[Wikipedia:Avidemux|Avidemux]]|Free video editor designed for simple cutting, filtering and encoding tasks.|http://fixounet.free.fr/avidemux/|{{Pkg|avidemux-cli}}}}<br />
* {{App|[[FFmpeg]]|Complete, cross-platform solution to record, convert and stream audio and video.|http://ffmpeg.org/|{{Pkg|ffmpeg}}}}<br />
* {{App|HandBrake-CLI|Simple yet powerful video transcoder ideal for batch mkv/x264 ripping.|http://handbrake.fr/|{{Pkg|handbrake-cli}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Wikipedia:Avidemux|Avidemux]]|Free video editor designed for simple cutting, filtering and encoding tasks.|http://fixounet.free.fr/avidemux/|{{Pkg|avidemux-qt}}}}<br />
* {{App|[[Wikipedia:Cinelerra|Cinelerra (Community Version)]]|Professional video editing and compositing environment.|http://cinelerra-cv.org/|{{Pkg|cinelerra-cv}}}}<br />
* {{App|Flowblade|Multitrack non-linear video editor for Linux, designed to provide a fast, robust editing experience.|https://github.com/jliljebl/flowblade|{{AUR|flowblade}}}}<br />
* {{App|HandBrake|Simple yet powerful video transcoder ideal for batch mkv/x264 ripping. GTK+ version.|http://handbrake.fr/|{{Pkg|handbrake}}}}<br />
* {{App|[[Wikipedia:Kdenlive|Kdenlive]]|Non-linear video editor designed for basic to semi-professional work.|http://kdenlive.org/|{{Pkg|kdenlive}}}}<br />
* {{App|[[Wikipedia:Lightworks|Lightworks]]|A proprietary professional non-linear editing system for editing and mastering digital video in various formats.|http://www.lwks.com/|{{AUR|lwks}}}}<br />
* {{App|[[Wikipedia:LiVES|LiVES]]|Video editor and VJ (live performance) platform.|http://lives-video.com/|{{AUR|lives}}}}<br />
* {{App|[[Wikipedia:OpenShot_Video_Editor|Open Shot]]|Non-linear video editor based on MLT framework.|http://www.openshotvideo.com/|{{Pkg|openshot}}}}<br />
* {{App|[[Wikipedia:Pitivi|Pitivi]]|Video editor designed to be intuitive and integrate well in the GNOME desktop.|http://www.pitivi.org/|{{Pkg|pitivi}}}}<br />
* {{App|[[Wikipedia:Shotcut|Shotcut]]|Free, open source, cross-platform video editor.|http://www.shotcut.org/|{{AUR|shotcut-bin}}}}<br />
* {{App|Transmageddon|Simple Python application for transcoding video into formats supported by GStreamer.|http://www.linuxrising.org/|{{Pkg|transmageddon}}}}<br />
* {{App|[[Wikipedia:Blender_(software)#Video_editing|Blender]]|Fully integrated 3D graphics creation suite with a built-in non-linear video editor.|http://www.blender.org/|{{Pkg|blender}}}}<br />
<br />
==== Screencast ====<br />
<br />
See also [[Wikipedia:Comparison of screencasting software]].<br />
<br />
Screencast utilities allow you to create a video of your desktop or individual windows.<br />
<br />
* {{App|byzanz|Simple screencast tool that produces GIF animations.|http://blogs.gnome.org/otte/2009/08/30/byzanz-0-2-0/|{{Pkg|byzanz}}}}<br />
* {{App|Green Recorder|A simple yet functional desktop recorder for Linux systems.|https://github.com/green-project/green-recorder|{{AUR|green-recorder}}}}<br />
* {{App|Istanbul|Simple desktop session recorder that produces ogg videos.|https://wiki.gnome.org/Projects/Istanbul|{{AUR|istanbul}}}}<br />
* {{App|Kazam|Screencasting program with design in mind. Handles multiscreen setups.|https://launchpad.net/kazam|{{AUR|kazam}}}}<br />
* {{App|OBS|Free and open source software for video recording and live streaming.|https://obsproject.com/|{{Pkg|obs-studio}}}}<br />
* {{App|[[Wikipedia:RecordMyDesktop|RecordMyDesktop]]|(Inactive) Easy-to-use utility that records your desktop into the ogg format with a CLI, Qt or GTK+ interface.|http://recordmydesktop.sourceforge.net/|{{Pkg|recordmydesktop}} {{Pkg|gtk-recordmydesktop}} {{Pkg|qt-recordmydesktop}}}}<br />
* {{App|simplescreenrecorder|A feature-rich screen recorder written in C++/Qt4 that supports X11 and OpenGL.|http://www.maartenbaert.be/simplescreenrecorder/|{{Pkg|simplescreenrecorder}}}}<br />
* {{App|vokoscreen|Simple screencast tool, GUI ffmpeg.|http://www.kohaupt-online.de/hp|{{AUR|vokoscreen}}}}<br />
* {{App|[[Wikipedia:XVidCap|XVidCap]]|Application used for recording a screencast or digital recording of an X Window System screen output with an audio narration.|http://xvidcap.sourceforge.net/|{{AUR|xvidcap}}}}<br />
* {{App|FFcast|FFmpeg-based screencast tool written in Bash.|https://github.com/lolilolicon/FFcast|{{AUR|ffcast}}}}<br />
* {{App|peek|Simple screencast tool that produces GIF animations.|https://github.com/phw/peek|{{AUR|peek}}}}<br />
<br />
=== Mobile phone managers ===<br />
<br />
* {{App|[[Wikipedia:Gnokii|gnokii]]|Tools and user space driver for use with mobile phones.|http://www.gnokii.org/|{{Pkg|gnokii}}}}<br />
* {{App|GNOME Phone Manager|Control your mobile phone from your GNOME desktop.|https://wiki.gnome.org/PhoneManager|{{Pkg|gnome-phone-manager}}}}<br />
* {{App|KDE Connect|A project that aims to communicate all your devices.|https://community.kde.org/KDEConnect|{{Pkg|kdeconnect}}}}<br />
<br />
=== Digital camera managers ===<br />
<br />
See [[Digital Cameras#Other frontend applications for libgphoto2]].<br />
<br />
=== Optical media burning ===<br />
<br />
See [[Optical disc drive#Burning CD/DVD/BD with a GUI]].<br />
<br />
=== Podcasts ===<br />
<br />
See [[List of applications/Internet#Podcast_clients|Podcast clients]].<br />
<br />
=== Collection managers ===<br />
<br />
* {{App|[[Beets]]|Music library organizer, tagger and more.|http://beets.radbox.org/|{{Pkg|beets}}}}<br />
* {{App|Demlo|Batch music tagger, encoder, renamer and more.|http://ambrevar.bitbucket.org/demlo/|{{AUR|demlo}}}}<br />
* {{App|[[Wikipedia:GCstar|GCstar]]|GNOME application for organizing various collections (board games, comic books, movies, stamps, etc.).|http://www.gcstar.org/|{{Pkg|gcstar}}}}<br />
* {{App|[[Kodi]]|Application for organizing various collections and automatically retrieving info about them (video, music, photos).|https://kodi.tv/|{{Pkg|kodi}}}}<br />
* {{App|[[Wikipedia:Tellico|Tellico]]|KDE application for organizing various collections (books, video, music, coins, etc.).|http://tellico-project.org/|{{Pkg|tellico}}}}<br />
<br />
=== Lyrics fetchers ===<br />
<br />
* {{App|clyrics|An extensible lyrics fetcher, with daemon support for cmus and mocp.|https://github.com/trizen/clyrics|{{AUR|clyrics}}}}</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Pdnsd&diff=323923Pdnsd2014-07-07T15:49:23Z<p>GSF1200S: Made a small revision to my earlier explanation of how to get Network Manager working properly with pdnsd.</p>
<hr />
<div>[[Category:Domain Name System]]<br />
[[es:Pdnsd]]<br />
[[fr:pdnsd]]<br />
[http://members.home.nl/p.a.rombouts/pdnsd/index.html pdnsd] is a DNS server designed for local caching of DNS information. Correctly configured, it can significantly increase browsing speed on a broadband connection. Compared to [[bind]] or [[dnsmasq]] it can remember its cache after a reboot; "p" stands for persistent. <br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|pdnsd}} from the [[official repositories]].<br />
<br />
== Configuration==<br />
<br />
=== Initial preparation ===<br />
<br />
The sample configuration file that comes with pdnsd needs a few changes before the daemon can start.<br />
<br />
=== Format ===<br />
<br />
The {{ic|pdnsd.conf}} file uses a fairly simple format, but it has some differences from most other configuration files you have likely encountered. It has a collection of sections of various types. A section is started with the name of the type of section and an opening curly bracket ('''{''') and is ended by a closing curly bracket ('''}'''). Sections cannot be nested.<br />
<br />
Inside each block is a series of options of the following format:<br />
option_name=option_value;<br />
<br />
Notice the semicolon at the end; unlike some formats, it is not optional.<br />
<br />
Comments are started with either '''#''' or '''/*'''. The former goes to the end of the line, the latter continues until it reaches '''*/'''.<br />
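The following is an added example, not code from pdnsd or from the original page: a small Python parser for the pdnsd.conf grammar described in this section. It accepts flat, non-nested sections, one {{ic|1=option=value;}} per line and both comment styles, and reports a missing semicolon or a nested section with its line number, so a broken configuration is caught before the daemon is started. It assumes that a section header sits on its own line (as in the shipped pdnsd.conf) and uses a constructed sample configuration that also contains a {{ic|neg}} section of the kind described under name blocking below.<br />
<br />
```python
"""Parser for the pdnsd.conf format described in the Format section above.

Added example, not code from pdnsd: it accepts the documented grammar
(flat, non-nested sections, one ``option=value;`` per line, ``#`` and
``/* ... */`` comments) and reports a missing semicolon or a nested
section with its line number.  Section headers are assumed to sit on
their own line (``server {``), as in the shipped pdnsd.conf; the sample
configuration below is constructed for this example.
"""
import re

COMMENT_BLOCK = re.compile(r"/\*.*?\*/", re.DOTALL)
COMMENT_LINE = re.compile(r"#.*$", re.MULTILINE)
OPTION = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*;")


class PdnsdConfError(ValueError):
    """Raised for input that does not follow the pdnsd.conf grammar."""


def strip_comments(text):
    """Drop '#' and '/* ... */' comments, keeping line numbers intact."""
    text = COMMENT_BLOCK.sub(lambda m: "\n" * m.group(0).count("\n"), text)
    return COMMENT_LINE.sub("", text)


def parse_pdnsd_conf(text):
    """Return a list of (section_type, {option: value}) tuples in file order.

    A list is returned because a type such as 'server' or 'neg' may occur
    more than once.  Values are kept as strings, surrounding quotes removed.
    """
    sections = []
    current = None  # (type, options) of the section being filled
    for lineno, raw in enumerate(strip_comments(text).splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            if current is not None:
                raise PdnsdConfError(f"line {lineno}: sections cannot be nested")
            name = line[:-1].strip()
            if not re.fullmatch(r"[A-Za-z_]+", name):
                raise PdnsdConfError(f"line {lineno}: bad section name {name!r}")
            current = (name, {})
            continue
        if line == "}":
            if current is None:
                raise PdnsdConfError(f"line {lineno}: '}}' without an open section")
            sections.append(current)
            current = None
            continue
        if current is None:
            raise PdnsdConfError(f"line {lineno}: option outside of any section")
        m = OPTION.fullmatch(line)  # the trailing ';' is not optional
        if m is None:
            raise PdnsdConfError(f"line {lineno}: expected 'option=value;' but got {line!r}")
        current[1][m.group(1)] = m.group(2).strip('"')
    if current is not None:
        raise PdnsdConfError(f"unterminated section {current[0]!r}")
    return sections


def sections_of_type(sections, section_type):
    """Return the option dicts of every section of the given type."""
    return [opts for kind, opts in sections if kind == section_type]


def conf_error(text):
    """Return the parse error message for text, or None when it parses."""
    try:
        parse_pdnsd_conf(text)
    except PdnsdConfError as exc:
        return str(exc)
    return None


# Constructed sample in the shape of the shipped pdnsd.conf: a global
# section, one upstream server and a neg section that blocks a domain.
SAMPLE_CONF = """\
global {
    perm_cache=2048;            /* cache size in kB */
    cache_dir="/var/cache/pdnsd";
    server_ip = 127.0.0.1;      # listen on loopback only
    min_ttl=15m;
    neg_ttl=5m;
    timeout=10;
}

server {
    label = "isp";
    ip = 192.168.1.1, 192.168.1.2;
    proxy_only=on;
    timeout=4;
}

neg {
    name=doubleclick.net;
    types=domain;
}
"""

if __name__ == "__main__":
    for kind, opts in parse_pdnsd_conf(SAMPLE_CONF):
        print(kind, opts)
```
<br />
Run it against your own file with {{ic|parse_pdnsd_conf(open("/etc/pdnsd.conf").read())}}; the error message names the offending line, which is more than the daemon's own start-up failure tells you.<br />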
<br />
=== DNS servers ===<br />
<br />
pdnsd needs to know the address of at least one DNS server to collect DNS information from. This part of the setup differs depending on whether you have a broadband connection or dial-up. Broadband users should use the first server section as a starting point, dial-up users the second, leaving the other server sections commented out.<br />
; label : The {{ic|label}} option is used to uniquely identify a server section. It is completely arbitrary, but one good choice is the name of your ISP.<br />
; ip : This option, used in the default broadband configuration, tells pdnsd the addresses of DNS servers to use. Multiple addresses should be separated by a single comma, with optional whitespace before or after the comma. You can just copy the addresses from {{ic|/etc/resolv.conf}}.<br />
; file : The {{ic|file}} option can be used instead of {{ic|ip}} to specify a set of DNS server IPs. Its value is the path to a file with servers listed in {{ic|resolv.conf}} format. The default dial-up configuration uses it because the PPP client writes {{ic|/etc/ppp/resolv.conf}} with the addresses it gets from the PPP server. You should not need to change it unless you want to use a different DNS server than your ISP gives you by default.<br />
<br />
The rest of the server section will work without any more changes. For details on all the available options, see the [http://www.phys.uu.nl/~rombouts/pdnsd/doc.html pdnsd manual].<br />
<br />
==== DNS servers with DHCP connections ====<br />
<br />
When [[netctl]] is installed, pdnsd can be notified of the IP addresses of the name servers by resolvconf (see the resolvconf(8) man page), and the notifications become dynamic when you use [[netctl#Automatic switching of profiles|Automatic switching of profiles]].<br />
<br />
To configure this feature, remove the broadband server section and update the dial-up server section with the following changes:<br />
label = resolvconf;<br />
file = /etc/pdnsd-resolv.conf;<br />
Edit {{ic|/etc/resolvconf.conf}} to configure resolvconf with pdnsd as one of its subscribers:<br />
name_servers=127.0.0.1<br />
pdnsd_resolv=/etc/pdnsd-resolv.conf<br />
Then run {{ic|resolvconf -u}} to update {{ic|/etc/pdnsd-resolv.conf}} with the addresses of the name servers (ignore the error message saying that the pdnsd socket cannot be accessed). This update is only needed once, before pdnsd is started manually.<br />
<br />
=== OpenDNS ===<br />
<br />
The {{ic|pdnsd.conf}} file comes with OpenDNS settings built in; you can simply remove (or comment out) the dialup and broadband sections above it (being careful not to remove the necessary global setup at the very top of the file), and then uncomment it to use OpenDNS resolution.<br />
<br />
However, OpenDNS redirects queries for Google through its own proxy hosts. If you want to avoid this behaviour (for many people it increases the time for Google requests from, say, 15 ms to 75 ms or more), you need to make pdnsd reject answers from OpenDNS that point at one of these proxy machines. The exact IPs change, but you can run {{ic|drill www.google.com @208.67.222.222}} ({{ic|drill}} is provided by {{Pkg|ldns}}) to find the current ones. You will know that the query is being proxied if the name resolves to something like {{ic|google.navigation.opendns.com}}. For me, these addresses were {{ic|208.67.216.230}} and {{ic|208.67.216.231}}.<br />
<br />
Once you know the IPs, replace the already existing rejected IPs inside the OpenDNS {{ic|1=server { … }}} declaration in {{ic|pdnsd.conf}} with them. Make sure you retain the prefixes.<br />
<br />
[http://wiki.opennicproject.org/Tier2 OpenNIC] is a reliable alternative to OpenDNS.<br />
<br />
=== Testing ===<br />
<br />
You should now have a working {{ic|pdnsd}} daemon. Start {{ic|pdnsd.service}}.<br />
<br />
You can test it with the {{ic|drill}} utility (from the {{Pkg|ldns}} package):<br />
<br />
$ drill www.google.com @127.0.0.1<br />
If everything works, you should see a list of IP addresses associated with Google.<br />
<br />
The second time you look up the same address, the query time should be under 1 ms, because the answer now comes from the cache.<br />
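An added example, not part of pdnsd, ldns or the original page, that turns the two manual checks above (the OpenDNS proxy test and the cached-lookup timing) into Python you can run over saved {{ic|drill}} output. It parses the answer section, reports whether the answer is a CNAME into OpenDNS's proxy hosts (returning the IPs you would reject) and extracts the {{ic|;; Query time:}} value. The two drill outputs embedded below are constructed for the example; the address {{ic|198.51.100.10}} is a documentation address, not a real Google record.<br />
<br />
```python
"""Inspect drill(1) output for the two checks described above.

Added example, not part of pdnsd or ldns.  `proxied_google_answer`
reports whether an OpenDNS answer for www.google.com is a CNAME to one
of OpenDNS's own proxy hosts and returns the proxy IPs you would list
as rejected; `query_time_ms` extracts the ';; Query time:' value so a
cache hit (well under 1 ms on the second lookup) can be checked from a
script.  Both drill outputs below are constructed for the example.
"""
import re

PROXIED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4321
;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.\tIN\tA

;; ANSWER SECTION:
www.google.com.\t30\tIN\tCNAME\tgoogle.navigation.opendns.com.
google.navigation.opendns.com.\t30\tIN\tA\t208.67.216.230
google.navigation.opendns.com.\t30\tIN\tA\t208.67.216.231

;; Query time: 74 msec
;; SERVER: 208.67.222.222
"""

CACHED_OUTPUT = """\
;; ANSWER SECTION:
www.google.com.\t300\tIN\tA\t198.51.100.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1
"""

# owner  ttl  IN  type  rdata  (drill separates the fields with tabs)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def answer_records(output):
    """Return (owner, type, rdata) tuples from the ANSWER SECTION only."""
    records = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";;"):
            in_answer = False  # a blank line or the next ';;' header ends the section
        elif in_answer:
            m = RR_LINE.match(line)
            if m:
                records.append((m.group(1), m.group(3), m.group(4)))
    return records


def proxied_google_answer(output, proxy_suffix=".opendns.com."):
    """Return the proxy IPs if the answer is a CNAME into OpenDNS, else []."""
    records = answer_records(output)
    proxies = {rdata for _, rtype, rdata in records
               if rtype == "CNAME" and rdata.endswith(proxy_suffix)}
    return [rdata for owner, rtype, rdata in records
            if rtype == "A" and owner in proxies]


def query_time_ms(output):
    """Return the ';; Query time:' value in milliseconds, or None if absent."""
    m = re.search(r"^;; Query time: (\d+) msec", output, re.MULTILINE)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    print("reject:", proxied_google_answer(PROXIED_OUTPUT))
    print("cached lookup took", query_time_ms(CACHED_OUTPUT), "ms")
```
<br />
To use it on a live system, pipe {{ic|drill www.google.com @208.67.222.222}} into a file and pass its contents to {{ic|proxied_google_answer}}; a non-empty result is the list of addresses to reject.<br />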
<br />
=== System setup ===<br />
<br />
Now it is time to point your system toward your brand-new DNS server.<br />
<br />
If you use DHCP to configure your network settings and you use the old netcfg instead of [[netctl]], edit {{ic|/etc/resolv.conf.head}} or {{ic|/etc/resolv.conf}} and add pdnsd before all other nameservers:<br />
# pdnsd cache @ localhost<br />
nameserver 127.0.0.1<br />
<br />
If you are using [[NetworkManager]], {{ic|/etc/resolv.conf}} is overwritten automatically, which prevents the local nameserver ({{ic|127.0.0.1}}) from being used. To fix this, open ''Edit Connections...'', select the connection, click ''Edit...'', go to the ''IPv4 Settings'' tab, change ''Automatic (DHCP)'' to ''Automatic (DHCP) addresses only'' and add {{ic|127.0.0.1}} to the DNS servers line. See also [[resolv.conf#Preserve DNS settings]]. Note that only using chattr or setting NetworkManager via Edit Connections worked for the person writing this.<br />
<br />
Make sure to enable {{ic|pdnsd}} service.<br />
<br />
pdnsd should start after the network is up, as it depends on the network to run, and some services that use the network rely on working DNS.<br />
<br />
Restart {{ic|network.target}} ({{ic|pdnsd}} should already be running):<br />
<br />
Retest the DNS query time, but this time use the system default DNS server:<br />
$ drill google.com | grep "Query time"<br />
<br />
=== Performance settings for home broadband users ===<br />
<br />
Many users have broadband connections where the DNS server is slow or unreliable, and would like to use {{ic|pdnsd}} as a caching server to minimize the number of DNS queries that need to be made. After doing the setup detailed above, the following settings in {{ic|/etc/pdnsd.conf}} help improve performance in this role:<br />
<br />
Under global settings:<br />
neg_rrs_pol=on;<br />
par_queries=1;<br />
<br />
Under server settings:<br />
proxy_only=on;<br />
purge_cache=off;<br />
<br />
The {{ic|1=neg_rrs_pol=on;}} policy means that when a negative response comes back for a query, pdnsd caches the result even if the response is not authoritative. This matters because watching DNS traffic reveals many requests for AAAA records (IPv6 addresses) that never return results, since many domains do not use IPv6, and for MX records, since not every domain has one. Without negative caching these requests are sent upstream again even after the domain's address has been cached, which is exactly the extra traffic you want to avoid in this role. Use this option together with {{ic|1=proxy_only=on;}} to minimize the number of queries leaving the system.<br />
<br />
The {{ic|1=par_queries=1;}} option matters if you specify more than one DNS server in the "server" section below. It sets how many servers are queried in parallel. For example, if four DNS servers are listed and {{ic|1=par_queries=2;}} (the default), the first two servers are queried simultaneously, and only if both fail does {{ic|pdnsd}} move on to the next two. The setting above queries one server at a time, so you can list two or more DNS servers and the second is only asked if the first fails. This minimizes traffic, but if the first server fails you have to wait through its timeout before the second is queried. Tweak this setting to your own preferences; if you only list one server you do not need to worry about it.<br />
<br />
The {{ic|1=proxy_only=on;}} setting is mentioned below in the FAQ and is important for home broadband users, who generally use only one or two DNS servers rather than performing the full hierarchical name resolution a complete DNS server would do. It prevents {{ic|pdnsd}} from resolving all the way back to the authoritative name server and makes it accept the answers of the servers listed in the "server" section instead. Again, this reduces the number of DNS queries you need to make, improving performance.<br />
<br />
The {{ic|1=purge_cache=off;}} setting tells {{ic|pdnsd}} not to remove cache entries even if they have outlived the DNS record's time-to-live metric. This can be very useful when your ISP's DNS server goes down and you want to be able to access name lookups for domains you frequently use despite the outage. Records will still be bumped out of the cache based on age once the cache becomes full (see {{ic|man pdnsd.conf}} on how to set the size of the cache).<br />
<br />
=== Additional performance settings ===<br />
<br />
==== TTLs (Time-To-Live) ====<br />
<br />
Each DNS resource record returned from a server includes a maximum time-to-live, or TTL. This tells the recipient how long to store the record and when to do a new lookup on it. Many DNS records have relatively short TTLs, such as 3600 (one hour). This means that after one hour, pdnsd will attempt a new lookup on this entry, regardless of whether it has a cached record for it available. It will improve performance to override this default TTL by setting a global minimum TTL, causing fewer lookups to be performed. The disadvantage to using a minimum TTL that is too long is that a cached record may be out of date (the IP address of the host may be changed, but your client will not know this because it will receive the cached address). However, most IP addresses do not change hourly or even daily.<br />
<br />
Times are specified in seconds by default, or you may append an "m", "h", "d", or "w" to the time to specify minutes, hours, days, or weeks.<br />
<br />
{{ic|1=min_ttl}} in the global settings sets a minimum TTL for cached records, causing pdnsd to ignore a shorter TTL in the record received from the server. On a slow connection or with a slow DNS server, you may want to set this to several hours to reduce the number of lookups (e.g. {{ic|1=min_ttl=6h;}}).<br />
<br />
{{ic|1=neg_ttl}} in the global settings sets a minimum TTL for non-existent domains. If a server tells pdnsd that a domain does not exist, it will not try to look up that domain again until this amount of time has elapsed.<br />
<br />
==== Timeouts ====<br />
<br />
Setting shorter timeouts means that pdnsd will give up on an entire query or a given server query more quickly, resulting in faster performance. The disadvantage to setting timeouts too short is that pdnsd might return an error on a lookup simply because the server was not given enough time to respond.<br />
<br />
{{ic|timeout}} in the global settings determines when pdnsd gives up on an entire query and returns an error to your browser or other client. Setting the global timeout makes it possible to specify quite short timeouts in the server sections (see below): pdnsd then starts querying additional servers fairly quickly if the first ones are slow to respond, while still listening for their replies. If you use {{ic|1=query_method=tcp_udp}}, make the global timeout at least twice as large as the largest server timeout, otherwise pdnsd may not have time to try a UDP query after a TCP connection times out.<br />
<br />
{{ic|1=tcp_qtimeout}} in the global settings determines how long a TCP query connection may be left open.<br />
<br />
{{ic|1=timeout}} in the server settings determines how long pdnsd will wait for a response from each server. Setting this to a shorter time means that pdnsd will give up on a non-responsive server more quickly and will move on to the next available server, sometimes resulting in a faster overall response time. On a fast connection, setting this to 4 or 5 seconds is not unreasonable.<br />
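The TTL and timeout sections above describe a value syntax and one concrete rule. The following is an added example, not pdnsd code: {{ic|parse_time}} converts pdnsd time values (plain seconds or a number with an m, h, d or w suffix) to seconds, and {{ic|check_timeouts}} applies the rule that with {{ic|1=query_method=tcp_udp}} the global timeout must be at least twice the largest server timeout. The option dictionaries it takes are assumed inputs holding the raw string values from the configuration file, for instance as produced by a config parser.<br />
<br />
```python
"""Checks for the TTL and timeout values discussed in the two sections above.

Added example, not pdnsd code.  `parse_time` handles the value syntax of
pdnsd.conf (plain seconds, or a number followed by m, h, d or w), and
`check_timeouts` applies the rule from the manual: when
query_method=tcp_udp, the global timeout should be at least twice the
largest server timeout so that a UDP retry still fits after a TCP
connection has timed out.  The option dicts are assumed inputs holding
the raw string values from the configuration file.
"""
import re

_UNIT_SECONDS = {"": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_time(value):
    """Convert '30', '15m', '6h', '2d' or '1w' to a number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([mhdw]?)\s*", str(value))
    if m is None:
        raise ValueError(f"not a pdnsd time value: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def effective_ttls(global_opts):
    """Return the min_ttl/neg_ttl floors set in the global section, in seconds."""
    return {key: parse_time(global_opts[key])
            for key in ("min_ttl", "neg_ttl") if key in global_opts}


def check_timeouts(global_opts, server_sections):
    """Return a list of warning strings; an empty list means nothing was found.

    global_opts: option dict of the global section
    server_sections: option dicts of every server section
    """
    warnings = []
    server_timeouts = [(opts.get("label", "?"), parse_time(opts["timeout"]))
                       for opts in server_sections if "timeout" in opts]
    if "timeout" not in global_opts:
        warnings.append("global timeout is not set explicitly; set it so that "
                        "short per-server timeouts can be used (see above)")
        return warnings
    global_timeout = parse_time(global_opts["timeout"])
    # Rule from the manual: tcp_udp needs time for a TCP attempt and a UDP retry.
    if global_opts.get("query_method") == "tcp_udp" and server_timeouts:
        label, largest = max(server_timeouts, key=lambda item: item[1])
        if global_timeout < 2 * largest:
            warnings.append(
                f"query_method=tcp_udp: global timeout {global_timeout}s should be at "
                f"least twice the largest server timeout ({largest}s, server {label!r})")
    # A server timeout longer than the global one is cut short by the global one.
    for label, t in server_timeouts:
        if t > global_timeout:
            warnings.append(f"server {label!r} timeout {t}s exceeds the global "
                            f"timeout {global_timeout}s, which gives up first")
    return warnings


if __name__ == "__main__":
    # Constructed values for a quick run of the checks.
    glob = {"timeout": "10", "query_method": "tcp_udp", "min_ttl": "6h", "neg_ttl": "5m"}
    servers = [{"label": "isp", "timeout": "4"}, {"label": "backup", "timeout": "6"}]
    print(effective_ttls(glob))
    for warning in check_timeouts(glob, servers):
        print("warning:", warning)
```
<br />
With the constructed values in the {{ic|__main__}} block the second server's 6 s timeout trips the rule (10 s is less than 12 s); raising the global timeout to 12 or lowering the server timeout to 5 clears it.<br />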
<br />
==== Debugging ====<br />
<br />
To see what servers pdnsd is using for a particular lookup, how timeouts are working, and what default TTLs are being used by domains, turn debug on in the global settings:<br />
debug=on;<br />
Restart pdnsd and monitor the pdnsd.service for changes with the systemd journal:<br />
journalctl _SYSTEMD_UNIT=pdnsd.service<br />
<br />
Be sure to turn debug off for general use as leaving it on may degrade performance.<br />
<br />
==== Cache size ====<br />
<br />
By default, pdnsd will automatically create authoritative records for all entries in {{ic|/etc/hosts}}. If you have a lot of entries, for example if you are using it for ad blocking, the default maximum cache size provided by {{ic|/etc/pdnsd.conf}} may not be large enough, resulting in DNS requests not being cached for their expected amount of time. <br />
<br />
To increase the cache size, edit the {{ic|1=perm_cache}} line in the 'global settings' section of configuration file (size in kB).<br />
<br />
Alternatively, you can prevent pdnsd from preemptively sourcing your hosts file by adding the option {{ic|1=authrec=off}} to the 'source' section. If, for whatever reason, setting authrec to off does not work, an easy workaround is to create a separate hosts file (e.g. {{ic|/etc/hosts-pdnsd}}) with only your system information and point your 'source' section to that instead, while leaving your original hosts file intact. This way, pdnsd will reference {{ic|/etc/hosts}} only when performing lookups. For example:<br />
{{hc|/etc/hosts-pdnsd|2=#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain my_hostname<br />
::1 localhost.localdomain localhost<br />
}}<br />
<br />
== Extras ==<br />
<br />
=== Shared server for your LAN ===<br />
<br />
If you have several computers on your network, you may want to make pdnsd the DNS server for them all, so that the entire network shares a single DNS cache and repeated lookups are much faster. To allow this, simply set {{ic|server_ip}} in the {{ic|global}} section to the name of your network interface (usually {{ic|eth0}}). If you have set up a firewall, allow connections to port 53 (UDP and TCP) only from addresses on your own network: a caching resolver that answers queries from the Internet is an open resolver and can be abused for DNS amplification attacks.<br />
<br />
Now you can configure the other computers on your network to use the computer running pdnsd as their primary DNS server.<br />
<br />
=== Name blocking ===<br />
<br />
pdnsd allows you to specify hosts or domains that it should never return results for. This allows you to use it as a primitive ad or content blocker, among other things. Create a new {{ic|neg}} section in {{ic|pdnsd.conf}}. {{ic|neg}} sections have two main options. {{ic|name}} is the name of the host or domain you want to block. {{ic|types}} can be set to {{ic|domain}} to block all hosts in the given domain. The default {{ic|pdnsd.conf}} gives an example that blocks all ads from doubleclick.net.<br />
<br />
=== pdnsd-ctl ===<br />
<br />
From the pdnsd-ctl(8) manpage:<br />
<br />
:'''''pdnsd-ctl''' controls '''pdnsd''', a proxy dns server with permanent caching. Note that the status control socket must be enabled (by specifying an option on the pdnsd command line or in the configuration file) before you can use '''pdnsd-ctl'''.''<br />
<br />
A couple of useful commands to get you started...<br />
<br />
View cache:<br />
# pdnsd-ctl dump<br />
<br />
Flush cache:<br />
# pdnsd-ctl empty-cache<br />
<br />
== Troubleshooting ==<br />
<br />
If you get the error {{ic|result of uptest for 192.168.1.1: failed}} in the output of {{ic|journalctl -f _SYSTEMD_UNIT=pdnsd.service}} while you can successfully ping your ISP's DNS server, check the interface name in the global section of {{ic|/etc/pdnsd.conf}}:<br />
interface = any;<br />
or in the server section:<br />
interface=enp2s0;<br />
Alternatively, list the interfaces currently up on your system with {{ic|ip link}} (or {{ic|ifconfig}}), identify the one that connects you to the Internet, and supply its name to one of the above fields in {{ic|/etc/pdnsd.conf}}.<br />
<br />
== FAQs ==<br />
<br />
; Q) It does not seem much faster to me. Why? : '''A)''' The extra speed gained from running a local DNS cache is all in how long it takes to connect to a server. Throughput, what people normally think of as speed, will not be affected. The difference is most noticeable when browsing the web, as that typically involves small downloads from several servers. With slower connections, especially dial-up, throughput is the primary bottleneck, so there will not be as large a difference percentage-wise.<br />
; Q) Why is it so much slower now than before? : '''A)''' You almost certainly have the {{ic|proxy_only}} option turned off in one of the server sections of {{ic|pdnsd.conf}}. By default, pdnsd frequently asks several DNS servers about a domain to get the most accurate response possible. The {{ic|proxy_only}} option disables this feature. It should be turned on if you use the DNS server provided by your ISP.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Grsecurity&diff=318475Grsecurity2014-06-07T23:36:59Z<p>GSF1200S: </p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Security]]<br />
From [https://grsecurity.net/ Grsecurity homepage]:<br />
<br />
:''Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments.''<br />
<br />
The grsecurity project provides patches to the Linux kernel which enhance security. It hardens the kernel against common attack vectors, preventing a steady stream of vulnerabilities allowing the kernel itself to be compromised. It includes a powerful Mandatory Access Control system with an effortless automatic learning mode. The [[PaX]] patches are also included, for hardening userspace applications against exploits via stronger memory protections and [[Wikipedia:ASLR|ASLR]].<br />
<br />
== Installation ==<br />
<br />
{{Note|An incompatibility between {{pkg|linux-grsec}} and another package should not be reported as a bug in that package. It should be filed against the {{pkg|linux-grsec}} package and will either be fixed or documented as a compatibility issue here.}}<br />
<br />
The {{pkg|linux-grsec}} package in the official repositories provides the grsecurity hardened kernel. In most cases, it is a drop-in replacement for the vanilla kernel and will not cause any issues. By default, most user-facing features are disabled, but there is significant hardening of the kernel itself against exploitation.<br />
<br />
Installing the optional {{pkg|paxd}} package causes the PaX exploit mitigations to be enabled, protecting userspace processes. It ships a daemon setting the necessary exceptions for packages in the repositories and some common third party software as specified in the {{ic|/etc/paxd.conf}} configuration file. These exceptions are re-applied after Pacman transactions or configuration changes. It will be automatically started after a reboot (and can be masked to disable it).<br />
<br />
Also included are {{pkg|checksec}}, {{pkg|pax-utils}} and {{pkg|paxtest}} packages providing useful tooling for working with PaX and verifying that the exploit mitigation techniques are active.<br />
<br />
The optional {{pkg|gradm}} package provides the userspace tooling for managing RBAC policies. RBAC is disabled by default, and the sample policy is not usable without significant configuration (likely via heavy use of the learning mode).<br />
<br />
=== Custom kernel ===<br />
<br />
Compiling a custom kernel based on the official package with [[ABS]] is worth considering. There are several important compromises to make between performance and security, so while the official configuration is solid it is not perfect for every use case. The /proc and /sys restrictions are unacceptable for a general purpose package due to breaking too much software, but can be worth enabling to plug potential information leaks. For the rationale behind the chosen options, see [[DeveloperWiki:Security#grsecurity]].<br />
<br />
Some features like the RANDSTRUCT plugin and hiding symbol addresses are only truly useful with a custom kernel, since the pre-built kernel is available for analysis by any attacker. Other features are currently disabled due to incompatibility with CONFIG_XEN (UDEREF, KERNEXEC) or a high performance overhead (RANDSTRUCT without the performance option, UDEREF on x86_64, KERNEXEC on x86_64, MEMORY_SANITIZE).<br />
<br />
The /proc hardening based on user isolation is available through the hidepid mount option for /proc, so it's not a large loss. The [https://github.com/nning/linux-grsec original AUR version of {{ic|linux-grsec}}] did enable the strict {{ic|/proc}} restrictions with the alternative group-based whitelisting model. It is installable from the [http://arsch.orgizm.net/README.txt arsch repository] or [https://github.com/nning/linux-grsec manually].<br />
<br />
== PaX ==<br />
<br />
The [[Wikipedia:PaX]] project provides many of the exploit mitigations offered by grsecurity. See [[PaX|the documentation on PaX]] for more information.<br />
<br />
== RBAC ==<br />
<br />
RBAC stands for Role Based Access Control.<br />
<br />
There are two basic types of access control mechanisms used to prevent unauthorized access to files (or information in general): DAC (Discretionary Access Control) and MAC (Mandatory Access Control). By default, Linux uses a DAC mechanism: the creator of the file can define who has access to the file. A MAC system however forces everyone to follow rules set by the administrator.<br />
<br />
The MAC implementation grsecurity supports is called Role Based Access Control. RBAC associates roles with each user. Each role defines what operations can be performed on certain objects. Given a well-written collection of roles and operations, your users will be restricted to performing only those tasks that you tell them they can do. The default "deny-all" ensures that a user cannot perform an action you have not thought of.<br />
<br />
=== Working with gradm ===<br />
<br />
{{pkg|gradm}} is a tool which allows you to administer and maintain a policy for your system. With it, you can enable or disable the RBAC system, reload the RBAC roles, change your role, set a password for admin mode, etc.<br />
<br />
When you install gradm a default policy will be installed in /etc/grsec/policy.<br />
<br />
By default, the RBAC policies are not activated. It is the sysadmin's job to determine when the system should have an RBAC policy enforced. Before activating the RBAC system you should set an admin password.<br />
<br />
# gradm -P admin<br />
Setting up grsecurity RBAC password<br />
Password: (Enter a well-chosen password)<br />
Re-enter Password: (Enter the same password for confirmation)<br />
Password written in /etc/grsec/pw<br />
# gradm -E<br />
<br />
To disable the RBAC system, run gradm -D. If you are not allowed to, you first need to switch to the admin role:<br />
<br />
# gradm -a admin<br />
Password: (Enter your admin role password)<br />
# gradm -D<br />
<br />
If you want to leave the admin role, run gradm -u admin:<br />
<br />
# gradm -u admin<br />
<br />
=== Generating a policy ===<br />
<br />
The RBAC system comes with a great feature called "learning mode". The learning mode can generate an anticipatory least privilege policy for your system. This allows for time and money savings by being able to rapidly deploy multiple secure servers.<br />
<br />
To use the learning mode, activate it using gradm:<br />
<br />
# gradm -F -L /etc/grsec/learning.log<br />
<br />
Now use your system and do the things you would normally do. Try to avoid rsyncing, running locate or any other heavy file I/O operation, as this can really slow down the processing time.<br />
<br />
When you believe you have used your system sufficiently to obtain a good policy, let gradm process the learning log and propose roles under {{ic|/etc/grsec/learning.roles}}:<br />
<br />
# gradm -D<br />
# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles<br />
<br />
Audit the {{ic|/etc/grsec/learning.roles}} and save it as {{ic|/etc/grsec/policy}} (mode {{ic|0600}}) when you are finished.<br />
<br />
# mv /etc/grsec/learning.roles /etc/grsec/policy<br />
# chmod 0600 /etc/grsec/policy<br />
<br />
You will now be able to enable the RBAC system with your new learned policy.<br />
<br />
# gradm -E<br />
<br />
=== Tweaking your policy ===<br />
<br />
An interesting feature of grsecurity 2.x is Set Operation Support for the configuration file. Currently it supports unions, intersections and differences of sets (of objects in this case).<br />
<br />
define objset1 {<br />
/root/blah rw<br />
/root/blah2 r<br />
/root/blah3 x<br />
}<br />
<br />
define somename2 {<br />
/root/test1 rw<br />
/root/blah2 rw<br />
/root/test3 h<br />
}<br />
<br />
Here is an example of its use, and the resulting objects that will be added to your subject:<br />
<br />
subject /somebinary o<br />
$objset1 & $somename2<br />
<br />
The above would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah2 r<br />
<br />
This is the result of the & operator, which takes both sets and returns only the files that exist in both; for each such file the mode keeps only the flags present in both sets (here /root/blah2 has r in objset1 and rw in somename2, leaving r).<br />
<br />
subject /somebinary o<br />
$objset1 | $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 rw<br />
/root/blah3 x<br />
/root/test1 rw<br />
/root/test3 h<br />
<br />
This is the result of the | operator which takes both sets and returns the files that exist in either set. If a file exists in both sets, it is returned as well and the mode contains the flags that exist in either set.<br />
<br />
subject /somebinary o<br />
$objset1 - $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 h<br />
/root/blah3 x<br />
<br />
This is the result of the - operator, which takes both sets and returns every file in the left set. If a match for that file is found in the right set (either the same filename, or a parent directory listed in the right set), the flags of the right-hand entry are removed from the file's mode before it is returned; when no flags remain, the file is returned as hidden (h), as /root/blah2 is above.<br />
<br />
In some obscure pseudo-language you could see this as:<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained /tmp/blah r) )<br />
then<br />
$objset1 - $objset2 would contain /tmp/blah w<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained / rwx) )<br />
then <br />
$objset1 - $objset2 would contain /tmp/blah h<br />
<br />
As for order of precedence (from highest to lowest): "-", "&", "|".<br />
<br />
If you do not want to bother remembering precedence, parenthesis support is also included, so you can do things like:<br />
<br />
(($set1 - $set2) | $set3) & $set4<br />
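As an added example (not gradm's own code, and not from the original page), the following Python evaluator implements the set operations and the precedence rules described above on the two object sets from this section, so that a policy author can check what an expression will expand to before enabling the policy. Two details are assumptions of the example rather than statements from this page: when the right-hand side of - lists both a file and one of its parent directories, the most specific entry is used, and an intersection that leaves no flags is written as h (the page only shows this for -).<br />

```python
"""Evaluator for the gradm object-set expressions described in the text:
union (|), intersection (&) and difference (-), precedence - > & > |, and
parentheses.  Added example, not gradm's own code; the sets are the page's."""
import re
from typing import Dict, List

ObjSet = Dict[str, str]  # path -> mode flags, e.g. {"/root/blah": "rw"}

# Object sets as defined in the text.
SETS: Dict[str, ObjSet] = {
    "objset1": {"/root/blah": "rw", "/root/blah2": "r", "/root/blah3": "x"},
    "somename2": {"/root/test1": "rw", "/root/blah2": "rw", "/root/test3": "h"},
}


def _matches(entry: str, path: str) -> bool:
    """True if `entry` is `path` itself or a parent directory of it."""
    return entry == path or path.startswith(entry.rstrip("/") + "/")


def intersect(left: ObjSet, right: ObjSet) -> ObjSet:
    """&: paths in both sets, keeping only flags both modes contain.
    An emptied mode becomes h (assumption: the text does not say)."""
    return {p: "".join(f for f in m if f in right[p]) or "h"
            for p, m in left.items() if p in right}


def union(left: ObjSet, right: ObjSet) -> ObjSet:
    """|: paths in either set; for paths in both, the flags are merged."""
    result = dict(left)
    for p, m in right.items():
        have = result.get(p, "")
        result[p] = have + "".join(f for f in m if f not in have)
    return result


def difference(left: ObjSet, right: ObjSet) -> ObjSet:
    """-: every left path is kept; if the right set lists the same path or a
    parent directory (most specific match wins: assumption), that entry's
    flags are removed.  No flags left means hidden (h), as in the text."""
    result: ObjSet = {}
    for p, m in left.items():
        hits = [r for r in right if _matches(r, p)]
        if hits:
            m = "".join(f for f in m if f not in right[max(hits, key=len)]) or "h"
        result[p] = m
    return result


_TOKEN = re.compile(r"\s*(\$\w+|[&|()\-])")


def _tokenize(expr: str) -> List[str]:
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:]!r}")
        toks.append(m.group(1))
        pos = m.end()
    return toks


def evaluate(expr: str, sets: Dict[str, ObjSet] = SETS) -> ObjSet:
    """Evaluate e.g. '(($set1 - $set2) | $set3) & $set4' by recursive descent:
    '|' binds loosest, then '&', then '-' (tightest)."""
    toks, pos = _tokenize(expr), 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of expression")
        pos += 1
        return toks[pos - 1]

    def primary() -> ObjSet:
        tok = take()
        if tok == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return node
        if tok.startswith("$"):
            return dict(sets[tok[1:]])
        raise ValueError(f"unexpected token {tok!r}")

    def sub_expr() -> ObjSet:  # '-' level
        node = primary()
        while peek() == "-":
            take()
            node = difference(node, primary())
        return node

    def and_expr() -> ObjSet:  # '&' level
        node = sub_expr()
        while peek() == "&":
            take()
            node = intersect(node, sub_expr())
        return node

    def or_expr() -> ObjSet:  # '|' level
        node = and_expr()
        while peek() == "|":
            take()
            node = union(node, and_expr())
        return node

    result = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing token {peek()!r}")
    return result
```

Calling evaluate("$objset1 & $somename2") returns {"/root/blah2": "r"}, matching the expansion shown above, and evaluate("$objset1 | $somename2 - $objset1") applies the - before the | exactly as the precedence list says. An expression with a trailing operator or an unbalanced parenthesis raises ValueError instead of silently producing a partial object list.<br />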
<br />
=== Tweaking /etc/grsec/policy directly ===<br />
Sometimes, full learning mode doesn't work for a particular program and direct revisions to the policy file need to be made. One might also simply want to tweak the policy file to add or remove access to directories without re-initiating learning mode or recreating the policy file. The file itself is composed of Roles and Subjects. A Role determines which user the ruleset applies to, while a Subject can be seen as the process/program the ruleset applies to.<br />
<br />
Consider a situation where the role is "username", while the subject is /usr/lib/firefox/firefox. Within the curly braces of this role/subject rule, directories will be listed, along with flags that dictate what capacities (read, write, execute, etc.) you wish to give that subject (firefox, for example) under that role (username, when firefox is run as the user "username", for example). Here is a list of flags and what they do:<br />
<br />
a This object can be opened for appending.<br />
c Allow creation of the file/directory.<br />
d Allow deletion of the file/directory.<br />
f Needed to mark the pipe used for communication with init to transfer the privilege of the persistent role; only valid within a persistent role. Transfer only occurs when the file is opened for writing.<br />
h This object is hidden.<br />
i This mode only applies to binaries. When the object is executed, it inherits the ACL of the subject in which it was contained.<br />
l Lowercase L. Allow a hardlink at this path. Hardlinking requires a minimum of c and l modes, and the target link cannot have any greater permission than the source file.<br />
m Allow creation of setuid/setgid files/directories and modification of files/directories to be setuid/setgid.<br />
p Reject all ptraces to this object.<br />
r This object can be opened for reading.<br />
t This object can be ptraced, but cannot modify the running task. This is referred to as a 'read-only ptrace'.<br />
w This object can be opened for writing or appending.<br />
x This object can be executed (or mmap'd with PROT_EXEC into a task).<br />
<br />
So for example, if you want firefox to have read access to the home folder of the user username, be able to do everything (read, write, create and destroy files, execute) in /home/username/Downloads, but not be able to see /home/username/secretstuff or anything in /, your ruleset might look like this:<br />
# Role: username<br />
subject /usr/lib/firefox/firefox o {<br />
/ h<br />
/home/username r<br />
/home/username/Downloads rwxcd<br />
/home/username/secretstuff h<br />
}<br />
Of course, a Firefox ruleset will need more than just the above (such as access to the directories under /usr it needs in order to run); compare the above with what is generated by full learning mode and you will quickly see the pattern. The idea is to limit each process as much as possible, so as to limit the changes it can make to the filesystem in the event it is compromised. Much more information is available on the [http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System grsecurity RBAC wiki page].<br />
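As an added example (not part of the page or of gradm), this Python snippet parses the firefox ruleset above and resolves which object mode applies to a given path, using the rule that ruleset relies on: the most specific (longest) matching object entry wins, so "/ h" hides everything except what the more specific entries open up. A path covered by no entry is treated as hidden, reflecting the default deny-all; the parser handles only a single subject block of the form shown here, and treats lines starting with "#" as comments.<br />

```python
"""Resolve the effective object mode a gradm subject gets for a path.
Added example, not gradm's own code; FIREFOX_RULESET is a copy of the
ruleset shown in the text."""
from typing import Dict, Tuple

FIREFOX_RULESET = """\
# Role: username
subject /usr/lib/firefox/firefox o {
/ h
/home/username r
/home/username/Downloads rwxcd
/home/username/secretstuff h
}
"""


def parse_subject(text: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse one 'subject <path> <mode> { ... }' block into
    (subject path, subject mode, {object path: object mode})."""
    subject_path = subject_mode = None
    objects: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        if line.startswith("subject "):
            parts = line.split()
            subject_path, subject_mode = parts[1], parts[2]
            in_block = line.endswith("{")
            continue
        if line == "}":
            in_block = False
            continue
        if in_block:
            path, mode = line.split()          # "<object path> <flags>"
            objects[path] = mode
    if subject_path is None:
        raise ValueError("no subject line found")
    return subject_path, subject_mode, objects


def _covers(entry: str, path: str) -> bool:
    """True if the object entry applies to `path` (itself or anything below it)."""
    return path == entry or path.startswith(entry.rstrip("/") + "/")


def effective_mode(objects: Dict[str, str], path: str) -> str:
    """Mode of the most specific (longest) object entry covering `path`.
    Nothing matching means hidden: RBAC's default is deny-all."""
    hits = [p for p in objects if _covers(p, path)]
    return objects[max(hits, key=len)] if hits else "h"


def is_allowed(objects: Dict[str, str], path: str, needed: str) -> bool:
    """Whether every flag in `needed` is granted for `path`; a hidden
    object grants nothing."""
    mode = effective_mode(objects, path)
    return "h" not in mode and all(flag in mode for flag in needed)


def firefox_objects() -> Dict[str, str]:
    """The object list of the firefox subject from the text."""
    return parse_subject(FIREFOX_RULESET)[2]


if __name__ == "__main__":
    objs = firefox_objects()
    for p, need in [("/home/username/Downloads/a.iso", "w"),
                    ("/home/username/.bashrc", "w"),
                    ("/home/username/secretstuff/keys", "r"),
                    ("/etc/passwd", "r")]:
        print(p, need, "allowed" if is_allowed(objs, p, need) else "denied")
```

With the ruleset from the text, a write to /home/username/Downloads/a.iso is allowed, a write to /home/username/.bashrc is denied (only r is granted under /home/username), and both /home/username/secretstuff and /etc/passwd resolve to h. Checking a policy this way before running gradm -E is a cheap way to catch an entry that is broader or narrower than intended.<br />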
<br />
=== Using Wine; Changes needed to /etc/grsec/policy ===<br />
In the event that you use wine, your executables for wine apps are on an NTFS partition, and you want them to work while RBAC is enabled, you will need to append "O" to the Subject mode of /usr/bin/wine-preloader for the Role (user) using this subject. I am unsure if this applies to executables in .wine as I do not have the free space to test it. I put my system into full learning mode and ran wine, and after generating a /etc/grsec/policy from this session RBAC still prevented my wine program from running with:<br />
grsec: (username:U:/usr/bin/wine-preloader) denied load of writable library /mnt/winblows/Program Files (x86)/Diablo II/Game.exe by /usr/bin/wine-preloader[Game.exe:7518] uid...<br />
<br />
Appending "O" to the end of the Subject mode will fix this problem. An example of a working ruleset (notice the capital O after subject /usr/bin/wine-preloader):<br />
# Role: username<br />
subject /usr/bin/wine-preloader O {<br />
/ r<br />
<other listed files generated by full-learning mode> rwcdx<br />
}<br />
<br />
"O" is one of a number of flags you might append to the Subject mode. Others include:<br />
A Protect the shared memory of this subject. No other processes but processes contained within this subject may access the shared memory of this subject.<br />
C Auto-kill all processes belonging to the attacker's IP address upon violation of security policy.<br />
K When processes belonging to this subject generate an alert, kill the process.<br />
O Allow loading of writable libraries.<br />
T Deny execution of binaries or scripts that are writable by any other subject in the policy. This flag is evaluated at policy enable time. All binaries with execute permission that are writable by another subject (ignoring special roles) will be reported and the RBAC system will not allow itself to be enabled until the changes are made.<br />
<br />
See [http://en.wikibooks.org/wiki/Grsecurity/Appendix/Subject_Modes the full list of subject modes].<br />
<br />
== Other features ==<br />
<br />
{{poor writing|reason=This is in serious need of a rewrite along with being extended quite a bit.}}<br />
<br />
=== Filesystem protection ===<br />
<br />
==== Fighting chroot and filesystem abuse ====<br />
<br />
Grsecurity includes many patches that prevent users from gaining unnecessary knowledge about the system. These include restrictions on the use of the {{ic|ptrace}} system call and stronger isolation of chroots.<br />
<br />
===== Triggering the Security Mechanism =====<br />
<br />
The {{ic|/etc/sysctl.d/05-grsecurity.conf}} configuration file can be used to enable and disable the various security features at boot. For more information, see [[sysctl]].<br />
<br />
=== Kernel auditing ===<br />
<br />
==== Extend your system's logging facilities ====<br />
<br />
grsecurity adds extra logging functionality to the kernel. With grsecurity's kernel auditing, the kernel informs you when applications are started, devices are (un)mounted, etc.<br />
<br />
=== Process restrictions ===<br />
<br />
{{Note|The {{pkg|linux-grsec}} package does not enable the strict {{ic|/proc}} restrictions by default. Instead, the {{ic|1=hidepid=2}} mount option can be set on {{ic|/proc}} to hide processes of other users. This will cause breakage in {{pkg|systemd}} due to temporary hacks used to work around the limitations of the [[cgroup]] filesystem.}}<br />
<br />
==== Executable protection ====<br />
<br />
With grsecurity you can restrict executables. Since most exploits work through one or more running processes, this protection limits the damage a compromised process can do to your system.<br />
<br />
==== Network protection ====<br />
<br />
Linux's TCP/IP stack is vulnerable to prediction-based attacks. grsecurity includes randomization patches to counter these attacks. Apart from these, you can also enable socket restrictions, disallowing certain groups network access altogether.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Grsecurity&diff=318473Grsecurity2014-06-07T23:30:12Z<p>GSF1200S: Added information on the use of Wine programs with RBAC</p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Security]]<br />
From [https://grsecurity.net/ Grsecurity homepage]:<br />
<br />
:''Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments.''<br />
<br />
The grsecurity project provides patches to the Linux kernel which enhance security. It hardens the kernel against common attack vectors, preventing a steady stream of vulnerabilities allowing the kernel itself to be compromised. It includes a powerful Mandatory Access Control system with an effortless automatic learning mode. The [[PaX]] patches are also included, for hardening userspace applications against exploits via stronger memory protections and [[Wikipedia:ASLR|ASLR]].<br />
<br />
== Installation ==<br />
<br />
{{Note|An incompatibility between {{pkg|linux-grsec}} and another package should not be reported as a bug in that package. It should be filed against the {{pkg|linux-grsec}} package and will either be fixed or documented as a compatibility issue here.}}<br />
<br />
The {{pkg|linux-grsec}} package in the official repositories provides the grsecurity hardened kernel. In most cases, it is a drop-in replacement for the vanilla kernel and will not cause any issues. By default, most user-facing features are disabled, but there is significant hardening of the kernel itself against exploitation.<br />
<br />
Installing the optional {{pkg|paxd}} package causes the PaX exploit mitigations to be enabled, protecting userspace processes. It ships a daemon setting the necessary exceptions for packages in the repositories and some common third party software as specified in the {{ic|/etc/paxd.conf}} configuration file. These exceptions are re-applied after Pacman transactions or configuration changes. It will be automatically started after a reboot (and can be masked to disable it).<br />
<br />
Also included are {{pkg|checksec}}, {{pkg|pax-utils}} and {{pkg|paxtest}} packages providing useful tooling for working with PaX and verifying that the exploit mitigation techniques are active.<br />
<br />
The optional {{pkg|gradm}} package provides the userspace tooling for managing RBAC policies. RBAC is disabled by default, and the sample policy is not usable without significant configuration (likely via heavy use of the learning mode).<br />
<br />
=== Custom kernel ===<br />
<br />
Compiling a custom kernel based on the official package with [[ABS]] is worth considering. There are several important compromises to make between performance and security, so while the official configuration is solid it is not perfect for every use case. The /proc and /sys restrictions are unacceptable for a general purpose package due to breaking too much software, but can be worth enabling to plug potential information leaks. For the rationale behind the chosen options, see [[DeveloperWiki:Security#grsecurity]].<br />
<br />
Some features like the RANDSTRUCT plugin and hiding symbol addresses are only truly useful with a custom kernel, since the pre-built kernel is available for analysis by any attacker. Other features are currently disabled on due to incompatibility with CONFIG_XEN (UDEREF, KERNEXEC) or a high performance overhead (RANDSTRUCT without the performance option, UDEREF on x86_64, KERNEXEC on x86_64, MEMORY_SANITIZE).<br />
<br />
The /proc hardening based on user isolation is available through the hidepid mount option for /proc, so it's not a large loss. The [https://github.com/nning/linux-grsec original AUR version of {{ic|linux-grsec}}] did enable the strict {{ic|/proc}} restrictions with the alternative group-based whitelisting model. It is installable from the [http://arsch.orgizm.net/README.txt arsch repository] or [https://github.com/nning/linux-grsec manually].<br />
<br />
== PaX ==<br />
<br />
The [[Wikipedia:PaX]] project provides many of the exploit mitigations offered by grsecurity. See [[PaX|the documentation on PaX]] for more information.<br />
<br />
== RBAC ==<br />
<br />
Role Based Access Control<br />
<br />
There are two basic types of access control mechanisms used to prevent unauthorized access to files (or information in general): DAC (Discretionary Access Control) and MAC (Mandatory Access Control). By default, Linux uses a DAC mechanism: the creator of the file can define who has access to the file. A MAC system however forces everyone to follow rules set by the administrator.<br />
<br />
The MAC implementation grsecurity supports is called Role Based Access Control. RBAC associates roles with each user. Each role defines what operations can be performed on certain objects. Given a well-written collection of roles and operations your users will be restricted to perform only those tasks that you tell them they can do. The default "deny-all" ensures you that a user cannot perform an action you have not thought of.<br />
<br />
=== Working with gradm ===<br />
<br />
{{pkg|gradm}} is a tool which allows you to administer and maintain a policy for your system. With it, you can enable or disable the RBAC system, reload the RBAC roles, change your role, set a password for admin mode, etc.<br />
<br />
When you install gradm a default policy will be installed in /etc/grsec/policy.<br />
<br />
By default, the RBAC policies are not activated. It is the sysadmin's job to determine when the system should have an RBAC policy enforced. Before activating the RBAC system you should set an admin password.<br />
<br />
# gradm -P admin<br />
Setting up grsecurity RBAC password<br />
Password: (Enter a well-chosen password)<br />
Re-enter Password: (Enter the same password for confirmation)<br />
Password written in /etc/grsec/pw<br />
# gradm -E<br />
<br />
To disable the RBAC system, run gradm -D. If you are not allowed to, you first need to switch to the admin role:<br />
<br />
# gradm -a admin<br />
Password: (Enter your admin role password)<br />
# gradm -D<br />
<br />
If you want to leave the admin role, run gradm -u admin:<br />
<br />
# gradm -u admin<br />
<br />
=== Generating a policy ===<br />
<br />
The RBAC system comes with a great feature called "learning mode". The learning mode can generate an anticipatory least privilege policy for your system. This allows for time and money savings by being able to rapidly deploy multiple secure servers.<br />
<br />
To use the learning mode, activate it using gradm:<br />
<br />
# gradm -F -L /etc/grsec/learning.log<br />
<br />
Now use your system, do the things you would normally do. Try to avoid rsyncing, running locate or any other heavy file i/o operation as this can really slow down the processing time.<br />
<br />
When you believe you have used your system sufficiently to obtain a good policy, let gradm process them and propose roles under {{ic|/etc/grsec/learning.roles}}:<br />
<br />
# gradm -D<br />
# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles<br />
<br />
Audit the {{ic|/etc/grsec/learning.roles}} and save it as {{ic|/etc/grsec/policy}} (mode {{ic|0600}}) when you are finished.<br />
<br />
# mv /etc/grsec/learning.roles /etc/grsec/policy<br />
# chmod 0600 /etc/grsec/policy<br />
<br />
You will now be able to enable the RBAC system with your new learned policy.<br />
<br />
# gradm -E<br />
<br />
=== Tweaking your policy ===<br />
<br />
An interesting feature of grsecurity 2.x is Set Operation Support for the configuration file. Currently it supports unions, intersections and differences of sets (of objects in this case).<br />
<br />
define objset1 {<br />
/root/blah rw<br />
/root/blah2 r<br />
/root/blah3 x<br />
}<br />
<br />
define somename2 {<br />
/root/test1 rw<br />
/root/blah2 rw<br />
/root/test3 h<br />
}<br />
<br />
Here is an example of its use, and the resulting objects that will be added to your subject:<br />
<br />
subject /somebinary o<br />
$objset1 & $somename2<br />
<br />
The above would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah2 r<br />
<br />
This is the result of the & operator which takes both sets and returns the files that exist in both sets and the permission for those files that exist in both sets.<br />
<br />
subject /somebinary o<br />
$objset1 | $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 rw<br />
/root/blah3 x<br />
/root/test1 rw<br />
/root/test3 h<br />
<br />
This is the result of the | operator which takes both sets and returns the files that exist in either set. If a file exists in both sets, it is returned as well and the mode contains the flags that exist in either set.<br />
<br />
subject /somebinary o<br />
$objset1 - $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 h<br />
/root/blah3 x<br />
<br />
This is the result of the - operator which takes both sets and returns the files that exist in the set on the left but not in the match of the file in set on the right. If a file exists on the left and a match is found on the right (either the filenames are the same, or a parent directory exists in the right set), the file is returned and the mode of the second set is removed from the first set, and that file is returned.<br />
<br />
In some obscure pseudo-language you could see this as:<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained /tmp/blah r) )<br />
then<br />
$objset1 - $objset2 would contain /tmp/blah w<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained / rwx) )<br />
then <br />
$objset1 - $objset2 would contain /tmp/blah h<br />
<br />
As for order of precedence (from highest to lowest): "-, & |".<br />
<br />
If you do not want to bother remembering precedence, parenthesis support is also included, so you can do things like:<br />
<br />
(($set1 - $set2) | $set3) & $set4<br />
<br />
=== Tweaking /etc/grsec/policy directly ===<br />
Sometimes, full learning mode doesnt work for a particular program and direct revisions to the policy file will need to be made. One might simply want to tweak the policy file to add or remove access to directories without requiring one to reinitiate learning mode or recreating a policy file. The file itself is composed of Roles and Subjects. A Role determines what user the ruleset applies to, while the Subject could be seen as what process/program the ruleset applies to. <br />
<br />
Consider a situation where the role is "username", while the subject is /usr/lib/firefox/firefox. Within the curly braces of this role/subject rule, directories will be listed, along with flags that dictate what capacities (read, write, execute, etc) you wish to give that subject (firefox for example) under that role (username, when firefox is ran under the user "username" for example). Here is a list of flags and what they do:<br />
<br />
a This object can be opened for appending.<br />
c Allow creation of the file/directory.<br />
d Allow deletion of the file/directory.<br />
f Needed to mark the pipe used for communication with init to transfer the privilege of the persistent role; only valid within a persistent role. Transfer only occurs when the file is opened for writing.<br />
h This object is hidden.<br />
i This mode only applies to binaries. When the object is executed, it inherits the ACL of the subject in which it was contained.<br />
l Lowercase L. Allow a hardlink at this path. Hardlinking requires a minimum of c and l modes, and the target link cannot have any greater permission than the source file.<br />
m Allow creation of setuid/setgid files/directories and modification of files/directories to be setuid/setgid.<br />
p Reject all ptraces to this object.<br />
r This object can be opened for reading.<br />
t This object can be ptraced, but cannot modify the running task. This is referred to as a 'read-only ptrace'.<br />
w This object can be opened for writing or appending.<br />
x This object can be executed (or mmap'd with PROT_EXEC into a task).<br />
<br />
So for example, if you want firefox to have read access to the home folder of the user username, be able to do everything (read, write, create and destroy files, execute) in /home/username/Downloads, but not be able to see /home/username/secretstuff or anything in /, your ruleset might look like this:<br />
# Role: username<br />
subject /usr/lib/firefox/firefox o {<br />
/ h<br />
/home/username r<br />
/home/username/Downloads rwxcd<br />
/home/username/secretstuff h<br />
}<br />
Of course, a Firefox ruleset will need more than just the above (like access to directories it needs to run in /usr for example); compare the above with what is generated by full-learning-mode and you quickly see the pattern. The idea is that you want to limit each process as much as possible to limit the changes it can make to the filesystem in the event it is compromised. Much more info is available on the [http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System GRsecurity RBAC wiki page.]<br />
<br />
=== Using Wine; Changes needed to /etc/grsec/policy ===<br />
In the event you use wine, your executables for wine apps are on an NTFS partition, and you want it to work while RBAC is enabled, you will need to append "O" to the Subject mode of /usr/bin/wine-preloader for the Role (user) using this subject. I am unsure if this applies to executables in .wine as I do not have the free space to test it. I put my system into full-learning mode and ran wine, and after generating a /etc/grsec/policy from this session RBAC still prevented my wine program from running with:<br />
grsec: (username:U:/usr/bin/wine-preloader) denied load of writable library /mnt/winblows/Program Files (x86)/Diablo II/Game.exe by /usr/bin/wine-preloader[Game.exe:7518] uid...<br />
<br />
An example of a working ruleset (notice the capital O after subject /usr/bin/wine-preloader):<br />
# Role: username<br />
subject /usr/bin/wine-preloader O {<br />
/ r<br />
<other listed files generated by full-learning mode> rwcdx<br />
}<br />
<br />
"O" is one of a number of flags you might append to the Subject mode. Others include:<br />
A Protect the shared memory of this subject. No other processes but processes contained within this subject may access the shared memory of this subject.<br />
C Auto-kill all processes belonging to the attacker's IP address upon violation of security policy.<br />
K When processes belonging to this subject generate an alert, kill the process.<br />
O Allow loading of writable libraries.<br />
T Deny execution of binaries or scripts that are writable by any other subject in the policy. This flag is evaluated at policy enable time. All binaries with execute permission that are writable by another subject (ignoring special roles) will be reported and the RBAC system will not allow itself to be enabled until the changes are made.<br />
<br />
See [http://en.wikibooks.org/wiki/Grsecurity/Appendix/Subject_Modes this link.]<br />
== Other features ==<br />
<br />
{{poor writing|reason=This is in serious need of a rewrite along with being extended quite a bit.}}<br />
<br />
=== Filesystem protection ===<br />
<br />
==== Fighting chroot and filesystem abuse ====<br />
<br />
Grsecurity includes many patches that prohibits users from gaining unnecessary knowledge about the system. This includes restrictions on using the {{ic|ptrace}} system call and isolation chroots.<br />
<br />
===== Triggering the Security Mechanism =====<br />
<br />
The {{ic|/etc/sysctl.d/05-grsecurity.conf}} configuration file can be used to enable and disable the various security features at boot. For more information, see [[sysctl]].<br />
<br />
=== Kernel auditing ===<br />
<br />
==== Extend your system's logging facilities ====<br />
<br />
grsecurity adds extra functionality to the kernel pertaining the logging. With grsecurity's Kernel Auditing the kernel informs you when applications are started, devices (un)mounted, etc.<br />
<br />
=== Process restrictions ===<br />
<br />
{{Note|The {{pkg|linux-grsec}} package does not enable the strict {{ic|/proc}} restrictions by default. Instead, the {{ic|1=hidepid=2}} mount option can be set on {{ic|/proc}} to hide processes of other users. This will cause breakage in {{pkg|systemd}} due to temporary hacks used to work around the limitations of the [[cgroup]] filesystem.}}<br />
<br />
==== Executable protection ====<br />
<br />
With grsecurity you can restrict executables. Since most exploits work through one or more running processes this protection can save your system's health.<br />
<br />
==== Network protection ====<br />
<br />
The Linux TCP/IP stack is vulnerable to prediction-based attacks. grsecurity includes randomization patches to counter these attacks. Apart from these, you can also enable socket restrictions, disallowing certain groups network access altogether.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=PaX&diff=318385PaX2014-06-07T09:05:02Z<p>GSF1200S: Added a little snippet on getfattr just to round out the already existing setfattr example.</p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Security]]<br />
<br />
[[Wikipedia:PaX|PaX]] is included in the [[grsecurity]] kernel package in the official repositories. This page also applies to the standalone {{aur|linux-pax}} package in the [[AUR]].<br />
<br />
== PaX exceptions ==<br />
<br />
Some of the PaX exploit mitigations prevent certain applications from running and require the executables to be marked with exceptions. Extended attributes can be used to exclude executables from one or more of the features. For example, to disable the MPROTECT and RANDMMAP features:<br />
<br />
$ setfattr -n user.pax.flags -v "mr" /usr/bin/problematic_binary<br />
<br />
{{Note|The {{pkg|linux-grsec}} package ''only'' supports the extended attributes, and does not include support for the ELF exception markers. The extended attributes do not require special tooling and leave the binaries unaltered, making them a far better option.}}<br />
<br />
The MPROTECT feature is by far the most common source of issues, and {{pkg|linux-grsec}} defaults to logging messages to the kernel log when this results in a process being killed.<br />
<br />
The {{pkg|pax-utils}} package includes some useful tools. For example, the {{ic|pspax}} utility can display PaX permissions from the kernel's perspective along with capabilities. The {{ic|scanelf}} tool can be used to query attributes of binaries.<br />
<br />
You can also use {{ic|getfattr}} to retrieve the extended attributes set above (or set by paxd, described below) if you prefer not to use pax-utils or want to check the attributes of a binary that is not running:<br />
<br />
$ getfattr -n user.pax.flags /usr/bin/problematic_binary<br />
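<br />
The marker string is the whole story for a binary: each lowercase letter switches one PaX feature off for it. The following Python script is an added example (not code from this page, pax-utils or paxd) that parses such marker strings and inventories which executables below a directory carry exceptions, since each exception removes a protection from that binary. The feature letters (p, e, m, r, s for PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC) are PaX's; the function names are mine.<br />
<br />
```python
"""Audit PaX exception markers stored in the user.pax.flags xattr.
Flag letters follow PaX's convention: lowercase disables a feature for
that binary, uppercase forces it on, so "mr" disables MPROTECT and RANDMMAP.
Added example; not code from pax-utils, paxd or the wiki page."""
import errno
import os
import sys
from typing import Dict, Iterator, List, Optional, Tuple

PAX_XATTR = "user.pax.flags"
FEATURES = {"p": "PAGEEXEC", "e": "EMUTRAMP", "m": "MPROTECT",
            "r": "RANDMMAP", "s": "SEGMEXEC"}


def parse_pax_flags(flags: str) -> Dict[str, bool]:
    """Map a marker string to {feature: enabled}; rejects contradictory
    markers such as "mM" and letters PaX does not define."""
    state: Dict[str, bool] = {}
    for ch in flags.strip():
        name = FEATURES.get(ch.lower())
        if name is None:
            raise ValueError(f"unknown PaX flag {ch!r}")
        enabled = ch.isupper()
        if state.get(name, enabled) != enabled:
            raise ValueError(f"{name} both enabled and disabled in {flags!r}")
        state[name] = enabled
    return state


def disabled_features(flags: str) -> List[str]:
    """Features the marker switches off, i.e. the protection the binary lost."""
    return sorted(name for name, on in parse_pax_flags(flags).items() if not on)


def read_pax_flags(path: str) -> Optional[str]:
    """Raw marker string, or None when the file carries no exception
    (ENODATA) or its filesystem has no user xattr support (ENOTSUP)."""
    try:
        return os.getxattr(path, PAX_XATTR).decode()
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def audit_tree(root: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (path, disabled features) for each marked executable below root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.access(path, os.X_OK):
                continue
            flags = read_pax_flags(path)
            if flags:
                yield path, disabled_features(flags)


if __name__ == "__main__":
    for path, off in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(f"{path}: {', '.join(off) or 'no feature'} disabled")
```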
<br />
=== Using the paxd package ===<br />
<br />
The {{pkg|paxd}} package provided in the official repositories uses a daemon to automatically apply PaX exceptions from {{ic|/etc/paxd.conf}} whenever a Pacman transaction occurs or the configuration file is modified. This is the officially supported way of applying these exceptions for binaries provided by packages. When Pacman gains support for hooks, the daemon can be dropped in favour of a post-install/upgrade hook.<br />
<br />
The alternative method below is still useful for unpackaged binaries at common paths in a user's home directory, such as Steam games.<br />
<br />
=== Using linux-pax-flags AUR package ===<br />
<br />
{{note|{{aur|linux-pax-flags}} defaults to using ELF markers rather than extended attributes, so it will not work with {{pkg|linux-grsec}} by default.}}<br />
<br />
The linux-pax-flags program takes care of marking exceptions on executables in user home directories in addition to global ones, which {{pkg|paxd}} does not cover. When you run this program it sets the PaX flags for most problematic programs for you. When you find out which PaX flags a program needs, post a comment on the linux-pax-flags AUR package so it can be added.<br />
<br />
More extensive documentation of the linux-pax-flags utility can be found in its man page.<br />
<br />
=== Soft mode ===<br />
<br />
Setting {{ic|1=kernel.pax.softmode=1}} with [[sysctl]] makes the mitigations opt-in rather than opt-out. This could be used to apply the mitigations only to certain high-risk binaries, such as web services on a server, without causing any issues elsewhere. However, the default opt-out model results in a significantly more secure system, and {{pkg|paxd}} takes care of nearly all the work automatically.<br />
<br />
== Verifying the PaX settings ==<br />
<br />
Peter Busser has written a regression test suite called paxtest. This tool will check various cases of possible attack vectors and inform you of the result. When you run it, it will leave a logfile called paxtest.log in the current working directory.<br />
<br />
{{hc|PaX disabled|Executable anonymous mapping : Killed<br />
Executable bss : Killed<br />
Executable data : Killed<br />
Executable heap : Killed<br />
Executable stack : Killed<br />
Executable shared library bss : Killed<br />
Executable shared library data : Killed<br />
Executable anonymous mapping (mprotect) : Vulnerable<br />
Executable bss (mprotect) : Vulnerable<br />
Executable data (mprotect) : Vulnerable<br />
Executable heap (mprotect) : Vulnerable<br />
Executable stack (mprotect) : Vulnerable<br />
Executable shared library bss (mprotect) : Vulnerable<br />
Executable shared library data (mprotect): Vulnerable<br />
Writable text segments : Vulnerable<br />
Anonymous mapping randomisation test : 28 bits (guessed)<br />
Heap randomisation test (ET_EXEC) : No randomisation<br />
Heap randomisation test (PIE) : 28 bits (guessed)<br />
Main executable randomisation (ET_EXEC) : 28 bits (guessed)<br />
Main executable randomisation (PIE) : 28 bits (guessed)<br />
Shared library randomisation test : 28 bits (guessed)<br />
Stack randomisation test (SEGMEXEC) : 28 bits (guessed)<br />
Stack randomisation test (PAGEEXEC) : 28 bits (guessed)<br />
Arg/env randomisation test (SEGMEXEC) : 32 bits (guessed)<br />
Arg/env randomisation test (PAGEEXEC) : 32 bits (guessed)<br />
Randomization under memory exhaustion @~0: 28 bits (guessed)<br />
Randomization under memory exhaustion @0 : 28 bits (guessed)<br />
Return to function (strcpy) : paxtest: return address contains a NULL byte.<br />
Return to function (memcpy) : Killed<br />
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.<br />
Return to function (memcpy, PIE) : Killed}}<br />
<br />
{{hc|PaX enabled|Executable anonymous mapping : Killed<br />
Executable bss : Killed<br />
Executable data : Killed<br />
Executable heap : Killed<br />
Executable stack : Killed<br />
Executable shared library bss : Killed<br />
Executable shared library data : Killed<br />
Executable anonymous mapping (mprotect) : Killed<br />
Executable bss (mprotect) : Killed<br />
Executable data (mprotect) : Killed<br />
Executable heap (mprotect) : Killed<br />
Executable stack (mprotect) : Killed<br />
Executable shared library bss (mprotect) : Killed<br />
Executable shared library data (mprotect): Killed<br />
Writable text segments : Killed<br />
Anonymous mapping randomisation test : 33 bits (guessed)<br />
Heap randomisation test (ET_EXEC) : 22 bits (guessed)<br />
Heap randomisation test (PIE) : 40 bits (guessed)<br />
Main executable randomisation (ET_EXEC) : 33 bits (guessed)<br />
Main executable randomisation (PIE) : 33 bits (guessed)<br />
Shared library randomisation test : 33 bits (guessed)<br />
Stack randomisation test (SEGMEXEC) : 40 bits (guessed)<br />
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)<br />
Arg/env randomisation test (SEGMEXEC) : 44 bits (guessed)<br />
Arg/env randomisation test (PAGEEXEC) : 44 bits (guessed)<br />
Randomization under memory exhaustion @~0: 33 bits (guessed)<br />
Randomization under memory exhaustion @0 : 33 bits (guessed)<br />
Return to function (strcpy) : paxtest: return address contains a NULL byte.<br />
Return to function (memcpy) : Killed<br />
Return to function (strcpy, PIE) : paxtest: return address contains a NULL byte.<br />
Return to function (memcpy, PIE) : Killed}}<br />
<br />
== Fighting the exploitation of software bugs ==<br />
<br />
PaX introduces a couple of security mechanisms that make it harder for attackers to exploit software bugs that involve memory corruption (so do not treat PaX as if it protects against all possible software bugs). The PaX introduction document talks about three possible exploit techniques:<br />
<br />
# introduce/execute arbitrary code<br />
# execute existing code out of original program order<br />
# execute existing code in original program order with arbitrary data<br />
<br />
One prevention method disallows executable code in writable memory. A process uses five memory regions:<br />
<br />
# a data section which contains the statically allocated and global data<br />
# a BSS region (Block Started by Symbol) which holds the zero-initialized data of the process<br />
# a code region, also called the text segment, which contains the executable instructions<br />
# a heap which contains the dynamically allocated memory<br />
# a stack which contains the local variables<br />
<br />
The first PaX prevention method, called NOEXEC, is meant to give control over the runtime code generation. It marks memory pages that do not contain executable code as non-executable. This means that the heap and the stack, which only contain variable data and should not contain executable code, are marked as non-executable. Exploits that place code in these areas with the intention of running it will fail.<br />
<br />
NOEXEC does more than this; interested readers should consult the [https://pax.grsecurity.net/docs/noexec.txt PaX NOEXEC documentation].<br />
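<br />
Whether the running kernel actually refuses writable-and-executable memory can be checked from userspace the same way paxtest's "(mprotect)" cases do. The following Python script is an added example (not PaX or paxtest code): it requests a writable+executable anonymous mapping, then tries to turn a plain writable page executable, and reads back from {{ic|/proc/self/maps}} what the kernel really granted rather than trusting the return values; nothing is ever executed from those pages. Function names are mine.<br />
<br />
```python
"""Probe whether the kernel enforces a NOEXEC/MPROTECT policy on this
process, in the spirit of paxtest's "(mprotect)" cases.  Added example,
not PaX or paxtest code.  It only requests mappings and reads back the
permissions the kernel actually granted; nothing is ever executed."""
import ctypes
import mmap

WX_MAP = 1       # a fresh writable+executable anonymous mapping was granted
WX_MPROTECT = 2  # writable pages could afterwards be turned executable

_libc = ctypes.CDLL(None, use_errno=True)
_libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]
_libc.mprotect.restype = ctypes.c_int


def mapping_perms(addr: int) -> str:
    """Permission field ("rwxp", "r-xp", ...) of the VMA containing addr,
    taken from /proc/self/maps; empty string if no mapping covers addr."""
    with open("/proc/self/maps") as maps:
        for line in maps:
            rng, perms = line.split()[:2]
            start, end = (int(x, 16) for x in rng.split("-"))
            if start <= addr < end:
                return perms
    return ""


def _anon_map(prot: int):
    """Anonymous private one-page mapping, or None if the kernel refused."""
    try:
        return mmap.mmap(-1, mmap.PAGESIZE,
                         flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS, prot=prot)
    except OSError:
        return None


def _address(m: mmap.mmap) -> int:
    view = ctypes.c_char.from_buffer(m)   # temporary ctypes view of the page
    addr = ctypes.addressof(view)
    del view                               # release the buffer export before close()
    return addr


def probe_wx() -> int:
    """Bitmask of WX_* for what the kernel permitted; -1 if the probe itself
    could not run.  0 means W^X is enforced the way PaX MPROTECT does it."""
    result = 0
    m = _anon_map(mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    if m is not None:
        perms = mapping_perms(_address(m))
        if "w" in perms and "x" in perms:
            result |= WX_MAP
        m.close()
    m = _anon_map(mmap.PROT_READ | mmap.PROT_WRITE)
    if m is None:
        return -1
    addr = _address(m)
    if (_libc.mprotect(addr, mmap.PAGESIZE, mmap.PROT_READ | mmap.PROT_EXEC) == 0
            and "x" in mapping_perms(addr)):
        result |= WX_MPROTECT
    m.close()
    return result


def describe_wx(result: int) -> str:
    return {
        0: "W^X enforced: writable memory can never become executable",
        WX_MAP: "W+X mappings granted, but RW->RX transitions refused",
        WX_MPROTECT: "W+X mappings refused, but RW pages can be flipped to RX",
        WX_MAP | WX_MPROTECT: "no W^X enforcement: both W+X mappings and RW->RX allowed",
    }.get(result, "probe failed")


if __name__ == "__main__":
    r = probe_wx()
    print(f"probe_wx() = {r}: {describe_wx(r)}")
```

On a stock kernel the probe reports 3; under PaX MPROTECT the expected result is 0, and a binary marked with {{ic|m}} in its {{ic|user.pax.flags}} would report 3 again.<br />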
<br />
The second PaX prevention method, called ASLR (Address Space Layout Randomization), randomizes the addresses handed out for memory requests. Where previously memory was assigned contiguously (which means an exploit knows where a task's memory regions are situated), ASLR randomizes this allocation, rendering techniques that rely on this information useless.<br />
<br />
More information about ASLR can be found [https://pax.grsecurity.net/docs/aslr.txt online].</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Grsecurity&diff=318380Grsecurity2014-06-07T08:50:28Z<p>GSF1200S: Added more explanation about RBAC's policy file, as well as added details on flag/variable options used by the policy file. I spent a lot of time scratching my head on something easy to understand but poorly documented, so figured id contribute...</p>
<hr />
<div>[[Category:Kernel]]<br />
[[Category:Security]]<br />
From [https://grsecurity.net/ Grsecurity homepage]:<br />
<br />
:''Unlike other expensive security "solutions" that pretend to achieve security through known-vulnerability patching, signature-based detection, or other reactive methods, grsecurity provides real proactive security. The only solution that hardens both your applications and operating system, grsecurity is essential for public-facing servers and shared-hosting environments.''<br />
<br />
The grsecurity project provides patches to the Linux kernel which enhance security. It hardens the kernel against common attack vectors, preventing a steady stream of vulnerabilities from allowing the kernel itself to be compromised. It includes a powerful Mandatory Access Control system with an effortless automatic learning mode. The [[PaX]] patches are also included, hardening userspace applications against exploits through stronger memory protections and [[Wikipedia:ASLR|ASLR]].<br />
<br />
== Installation ==<br />
<br />
The {{pkg|linux-grsec}} package in the official repositories provides the grsecurity hardened kernel. In most cases, it is a drop-in replacement for the vanilla kernel and will not cause any issues. By default, most user-facing features are disabled, but there is significant hardening of the kernel itself against exploitation.<br />
<br />
Installing the optional {{pkg|paxd}} package enables the PaX exploit mitigations, protecting userspace processes. It ships a daemon that sets the necessary exceptions for packages in the repositories and some common third-party software, as specified in the {{ic|/etc/paxd.conf}} configuration file. These exceptions are re-applied after Pacman transactions or configuration changes. The daemon is started automatically after a reboot (and can be masked to disable it).<br />
<br />
Also included are {{pkg|checksec}}, {{pkg|pax-utils}} and {{pkg|paxtest}} packages providing useful tooling for working with PaX and verifying that the exploit mitigation techniques are active.<br />
<br />
The optional {{pkg|gradm}} package provides the userspace tooling for managing RBAC policies. RBAC is disabled by default, and the sample policy is not usable without significant configuration (likely via heavy use of the learning mode).<br />
<br />
=== Custom kernel ===<br />
<br />
Compiling a custom kernel based on the official package with [[ABS]] is worth considering. There are several important compromises to make between performance and security, so while the official configuration is solid it is not perfect for every use case. The /proc and /sys restrictions are unacceptable for a general purpose package due to breaking too much software, but can be worth enabling to plug potential information leaks. For the rationale behind the chosen options, see [[DeveloperWiki:Security#grsecurity]].<br />
<br />
Some features like the RANDSTRUCT plugin and hiding symbol addresses are only truly useful with a custom kernel, since the pre-built kernel is available for analysis by any attacker. Other features are currently disabled due to incompatibility with CONFIG_XEN (UDEREF, KERNEXEC) or a high performance overhead (RANDSTRUCT without the performance option, UDEREF on x86_64, KERNEXEC on x86_64, MEMORY_SANITIZE).<br />
<br />
The /proc hardening based on user isolation is available through the hidepid mount option for /proc, so it's not a large loss. The [https://github.com/nning/linux-grsec original AUR version of {{ic|linux-grsec}}] did enable the strict {{ic|/proc}} restrictions with the alternative group-based whitelisting model. It is installable from the [http://arsch.orgizm.net/README.txt arsch repository] or [https://github.com/nning/linux-grsec manually].<br />
<br />
== PaX ==<br />
<br />
The [[Wikipedia:PaX]] project provides many of the exploit mitigations offered by grsecurity. See [[PaX|the documentation on PaX]] for more information.<br />
<br />
== RBAC ==<br />
<br />
Role Based Access Control<br />
<br />
There are two basic types of access control mechanisms used to prevent unauthorized access to files (or information in general): DAC (Discretionary Access Control) and MAC (Mandatory Access Control). By default, Linux uses a DAC mechanism: the creator of the file can define who has access to the file. A MAC system however forces everyone to follow rules set by the administrator.<br />
<br />
The MAC implementation grsecurity supports is called Role Based Access Control. RBAC associates roles with each user. Each role defines what operations can be performed on certain objects. Given a well-written collection of roles and operations, your users will be restricted to performing only those tasks that you tell them they can do. The default "deny-all" policy ensures that a user cannot perform an action you have not thought of.<br />
<br />
=== Working with gradm ===<br />
<br />
{{pkg|gradm}} is a tool which allows you to administer and maintain a policy for your system. With it, you can enable or disable the RBAC system, reload the RBAC roles, change your role, set a password for admin mode, etc.<br />
<br />
When you install gradm, a default policy is installed in {{ic|/etc/grsec/policy}}.<br />
<br />
By default, the RBAC policies are not activated. It is the sysadmin's job to determine when the system should have an RBAC policy enforced. Before activating the RBAC system you should set an admin password.<br />
<br />
# gradm -P admin<br />
Setting up grsecurity RBAC password<br />
Password: (Enter a well-chosen password)<br />
Re-enter Password: (Enter the same password for confirmation)<br />
Password written in /etc/grsec/pw<br />
# gradm -E<br />
<br />
To disable the RBAC system, run gradm -D. If you are not allowed to, you first need to switch to the admin role:<br />
<br />
# gradm -a admin<br />
Password: (Enter your admin role password)<br />
# gradm -D<br />
<br />
If you want to leave the admin role, run gradm -u admin:<br />
<br />
# gradm -u admin<br />
<br />
=== Generating a policy ===<br />
<br />
The RBAC system comes with a great feature called "learning mode". The learning mode can generate an anticipatory least privilege policy for your system. This saves time and money, since multiple secure servers can be deployed rapidly.<br />
<br />
To use the learning mode, activate it using gradm:<br />
<br />
# gradm -F -L /etc/grsec/learning.log<br />
<br />
Now use your system and do the things you would normally do. Try to avoid rsyncing, running locate or any other heavy file I/O operation, as this can really slow down the processing time.<br />
<br />
When you believe you have used your system sufficiently to obtain a good policy, let gradm process the log and propose roles under {{ic|/etc/grsec/learning.roles}}:<br />
<br />
# gradm -D<br />
# gradm -F -L /etc/grsec/learning.log -O /etc/grsec/learning.roles<br />
<br />
Audit the {{ic|/etc/grsec/learning.roles}} and save it as {{ic|/etc/grsec/policy}} (mode {{ic|0600}}) when you are finished.<br />
<br />
# mv /etc/grsec/learning.roles /etc/grsec/policy<br />
# chmod 0600 /etc/grsec/policy<br />
<br />
You will now be able to enable the RBAC system with your new learned policy.<br />
<br />
# gradm -E<br />
<br />
=== Tweaking your policy ===<br />
<br />
An interesting feature of grsecurity 2.x is Set Operation Support for the configuration file. Currently it supports unions, intersections and differences of sets (of objects in this case).<br />
<br />
define objset1 {<br />
/root/blah rw<br />
/root/blah2 r<br />
/root/blah3 x<br />
}<br />
<br />
define somename2 {<br />
/root/test1 rw<br />
/root/blah2 rw<br />
/root/test3 h<br />
}<br />
<br />
Here is an example of its use, and the resulting objects that will be added to your subject:<br />
<br />
subject /somebinary o<br />
$objset1 & $somename2<br />
<br />
The above would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah2 r<br />
<br />
This is the result of the & operator, which takes both sets and returns the files that exist in both, with only the permission flags that exist in both sets.<br />
<br />
subject /somebinary o<br />
$objset1 | $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 rw<br />
/root/blah3 x<br />
/root/test1 rw<br />
/root/test3 h<br />
<br />
This is the result of the | operator which takes both sets and returns the files that exist in either set. If a file exists in both sets, it is returned as well and the mode contains the flags that exist in either set.<br />
<br />
subject /somebinary o<br />
$objset1 - $somename2<br />
<br />
This example would expand to:<br />
<br />
subject /somebinary o<br />
/root/blah rw<br />
/root/blah2 h<br />
/root/blah3 x<br />
<br />
This is the result of the - operator, which returns the files that exist in the set on the left. If a file on the left has a match on the right (either the same filename, or a parent directory that exists in the right set), the mode of the matching entry in the right set is removed from the file's mode, and the file is returned with whatever flags remain (as the example shows, {{ic|h}} when nothing remains).<br />
<br />
In some obscure pseudo-language you could see this as:<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained /tmp/blah r) )<br />
then<br />
$objset1 - $objset2 would contain /tmp/blah w<br />
<br />
if ( ($objset1 contained /tmp/blah rw) and<br />
($objset2 contained / rwx) )<br />
then <br />
$objset1 - $objset2 would contain /tmp/blah h<br />
<br />
The order of precedence (from highest to lowest) is: "-", "&", "|".<br />
<br />
If you do not want to bother remembering precedence, parentheses are also supported, so you can do things like:<br />
<br />
(($set1 - $set2) | $set3) & $set4<br />
<br />
=== Tweaking /etc/grsec/policy directly ===<br />
<br />
Sometimes full learning mode does not work for a particular program, and the policy file has to be revised directly. You might also simply want to add or remove access to directories without re-running learning mode or recreating the policy file. The file itself is composed of roles and subjects: a role determines which user the ruleset applies to, while a subject is the process/program the ruleset applies to.<br />
<br />
Consider a situation where the role is "username" and the subject is {{ic|/usr/lib/firefox/firefox}}. Within the curly braces of this role/subject rule, paths are listed along with mode flags that dictate which permissions (read, write, execute, etc.) that subject (Firefox) has under that role (that is, when Firefox is run by the user "username"). Here is a list of the flags and what they do:<br />
<br />
a This object can be opened for appending.<br />
c Allow creation of the file/directory.<br />
d Allow deletion of the file/directory.<br />
f Needed to mark the pipe used for communication with init to transfer the privilege of the persistent role; only valid within a persistent role. Transfer only occurs when the file is opened for writing.<br />
h This object is hidden.<br />
i This mode only applies to binaries. When the object is executed, it inherits the ACL of the subject in which it was contained.<br />
l Lowercase L. Allow a hardlink at this path. Hardlinking requires a minimum of c and l modes, and the target link cannot have any greater permission than the source file.<br />
m Allow creation of setuid/setgid files/directories and modification of files/directories to be setuid/setgid.<br />
p Reject all ptraces to this object.<br />
r This object can be opened for reading.<br />
t This object can be ptraced, but cannot modify the running task. This is referred to as a 'read-only ptrace'.<br />
w This object can be opened for writing or appending.<br />
x This object can be executed (or mmap'd with PROT_EXEC into a task).<br />
<br />
For example, if you want Firefox to have read access to the home directory of the user "username", to be able to do everything (read, write, create and delete files, execute) in {{ic|/home/username/Downloads}}, but not to see {{ic|/home/username/secretstuff}} or anything else under {{ic|/}}, your ruleset might look like this:<br />
# Role: username<br />
subject /usr/lib/firefox/firefox o {<br />
/ h<br />
/home/username r<br />
/home/username/Downloads rwxcd<br />
/home/username/secretstuff h<br />
}<br />
Of course, a Firefox ruleset needs more than just the above (such as access to the directories under {{ic|/usr}} it needs in order to run); compare the above with what full learning mode generates and you will quickly see the pattern. The idea is to limit each process as much as possible, so that the changes it can make to the filesystem are limited if it is compromised. Much more information is available on the [http://en.wikibooks.org/wiki/Grsecurity/The_RBAC_System grsecurity RBAC wiki page].<br />
<br />
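<br />
Both the set operators from the previous section and the Firefox ruleset above depend on how an object list is matched against a path: the most specific entry wins, which is why {{ic|/ h}} hides everything except the paths listed beneath it. The following Python model is an added example (not gradm's own code) of the {{ic|&}}, {{ic|<nowiki>|</nowiki>}} and {{ic|-}} operators with their precedence, and of that longest-match lookup; the parent-directory rule for {{ic|-}} and the {{ic|h}} result for an emptied mode follow the text above, while treating {{ic|&}} and {{ic|<nowiki>|</nowiki>}} as exact-path matches is my assumption.<br />
<br />
```python
"""Model of gradm's object-set operators (&, |, -) and of how a subject's
object list resolves a path.  Added example, not gradm's own code: the
parent-directory rule for '-' and the 'h' result for an emptied mode follow
the wiki text; exact-path matching for '&' and '|' is an assumption."""
import re

def parse_objset(text):
    """'path mode' lines -> {path: set(flags)}; define/subject/}/# lines skipped."""
    objs = {}
    for line in text.splitlines():
        words = line.split()
        if not words or words[0] in ("define", "subject", "}") or words[0][0] == "#":
            continue
        objs[words[0]] = set(words[1])
    return objs

def mode_str(flags):
    return "".join(sorted(flags)) or "h"   # no flags left: object becomes hidden

def matching_object(objs, path):
    """Most specific object that is path itself or one of its parent dirs."""
    hits = [p for p in objs
            if path == p or path.startswith(p if p.endswith("/") else p + "/")]
    return max(hits, key=len) if hits else None

def set_and(a, b):
    """Files in both sets, keeping only the flags both sets grant."""
    return {p: a[p] & b[p] for p in a if p in b}

def set_or(a, b):
    """Files in either set; flags are unioned where a file is in both."""
    out = {p: set(f) for p, f in a.items()}
    for p, f in b.items():
        out[p] = out.get(p, set()) | f
    return out

def set_diff(a, b):
    """Files of a; where b has the same path or a parent dir, its flags are removed."""
    out = {}
    for p, f in a.items():
        m = matching_object(b, p)
        out[p] = f - b[m] if m else set(f)
    return out

def effective_mode(objs, path):
    """Mode a subject gets on path: the most specific matching object wins."""
    m = matching_object(objs, path)
    return mode_str(objs[m]) if m else None

_TOKEN = re.compile(r"\$\w+|[&|()-]")
_OPS = {"|": (1, set_or), "&": (2, set_and), "-": (3, set_diff)}   # precedence low..high

def _parse(toks, sets, min_prec=1):
    """Precedence climbing over the token list; all operators are left-associative."""
    tok = toks.pop(0) if toks else None
    if tok == "(":
        left = _parse(toks, sets)
        if not toks or toks.pop(0) != ")":
            raise ValueError("missing ')'")
    elif tok and tok.startswith("$"):
        left = sets[tok[1:]]
    else:
        raise ValueError(f"unexpected token {tok!r}")
    while toks and toks[0] in _OPS and _OPS[toks[0]][0] >= min_prec:
        prec, fn = _OPS[toks.pop(0)]
        left = fn(left, _parse(toks, sets, prec + 1))
    return left

def expand(expr, sets):
    """Object lines a subject ends up with after evaluating expr."""
    toks = _TOKEN.findall(expr)
    objs = _parse(toks, sets)
    if toks:
        raise ValueError(f"trailing {toks[0]!r}")
    return [f"{p} {mode_str(f)}" for p, f in sorted(objs.items())]

# The two sets from the wiki text and the Firefox subject block above.
SETS = {
    "objset1": parse_objset("/root/blah rw\n/root/blah2 r\n/root/blah3 x"),
    "somename2": parse_objset("/root/test1 rw\n/root/blah2 rw\n/root/test3 h"),
}
FIREFOX = parse_objset("""subject /usr/lib/firefox/firefox o {
/ h
/home/username r
/home/username/Downloads rwxcd
/home/username/secretstuff h
}""")
```

{{ic|expand("$objset1 - $somename2", SETS)}} reproduces the three expansions shown above, and {{ic|effective_mode(FIREFOX, path)}} answers what the Firefox subject would be allowed on a given path.<br />
<br />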
== Other features ==<br />
<br />
{{poor writing|reason=This is in serious need of a rewrite along with being extended quite a bit.}}<br />
<br />
=== Filesystem protection ===<br />
<br />
==== Fighting chroot and filesystem abuse ====<br />
<br />
Grsecurity includes many patches that prevent users from gaining unnecessary knowledge about the system. These include restrictions on use of the {{ic|ptrace}} system call and the isolation of chroots.<br />
<br />
===== Triggering the Security Mechanism =====<br />
<br />
The {{ic|/etc/sysctl.d/05-grsecurity.conf}} configuration file can be used to enable and disable the various security features at boot. For more information, see [[sysctl]].<br />
<br />
=== Kernel auditing ===<br />
<br />
==== Extend your system's logging facilities ====<br />
<br />
grsecurity adds extra logging functionality to the kernel. With grsecurity's kernel auditing, the kernel informs you when applications are started, devices are (un)mounted, and so on.<br />
<br />
=== Process restrictions ===<br />
<br />
{{Note|The {{pkg|linux-grsec}} package does not enable the strict {{ic|/proc}} restrictions by default. Instead, the {{ic|1=hidepid=2}} mount option can be set on {{ic|/proc}} to hide processes of other users. This will cause breakage in {{pkg|systemd}} due to temporary hacks used to work around the limitations of the [[cgroup]] filesystem.}}<br />
<br />
==== Executable protection ====<br />
<br />
With grsecurity you can restrict executables. Since most exploits work through one or more running processes, this protection can prevent damage to your system.<br />
<br />
==== Network protection ====<br />
<br />
The Linux TCP/IP stack is vulnerable to prediction-based attacks. grsecurity includes randomization patches to counter these attacks. Apart from these, you can also enable socket restrictions, disallowing certain groups network access altogether.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Pdnsd&diff=317485Pdnsd2014-06-01T02:07:48Z<p>GSF1200S: Added a small section in system setup concerning Network Manager's overwriting of the resolv.conf and a link to a section of the resolv.conf ArchWiki that offers solutions.</p>
<hr />
<div>[[es:Pdnsd]]<br />
[[fr:pdnsd]]<br />
[[Category:Domain Name System]]<br />
'''[http://members.home.nl/p.a.rombouts/pdnsd/index.html pdnsd]''' is a DNS server designed for local caching of DNS information. Correctly configured, it can significantly increase browsing speed on a broadband connection. Compared to [[bind]] or [[dnsmasq]] it can remember its cache after a reboot; "p" stands for persistent. <br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|pdnsd}} from the [[official repositories]].<br />
<br />
== Configuration==<br />
<br />
=== Initial preparation ===<br />
<br />
The sample configuration file that comes with pdnsd needs a few changes before the daemon can start.<br />
<br />
=== Format ===<br />
<br />
The {{ic|pdnsd.conf}} file uses a fairly simple format, but it has some differences from most other configuration files you have likely encountered. It has a collection of sections of various types. A section is started with the name of the type of section and an opening curly bracket ('''{''') and is ended by a closing curly bracket ('''}'''). Sections cannot be nested.<br />
<br />
Inside each block is a series of options of the following format:<br />
option_name=option_value;<br />
<br />
Notice the semicolon at the end; unlike some formats, it is not optional.<br />
<br />
Comments are started with either '''#''' or '''/*'''. The former goes to the end of the line, the latter continues until it reaches '''*/'''.<br />
<br />
=== DNS servers ===<br />
<br />
pdnsd needs to know the address of at least one DNS server to collect DNS information from. This part of the setup differs depending on whether you have a broadband connection or dial-up. Broadband users should use the first server section as a starting point, dial-up users the second, leaving the other server sections commented out.<br />
; label : The {{ic|label}} option is used to uniquely identify a server section. It is completely arbitrary, but one good choice is the name of your ISP.<br />
; ip : This option, used in the default broadband configuration, tells pdnsd the addresses of DNS servers to use. Multiple addresses should be separated by a single comma, with optional whitespace before or after the comma. You can just copy the addresses from {{ic|/etc/resolv.conf}}.<br />
; file : The {{ic|file}} option can be used instead of {{ic|ip}} to specify a set of DNS server IPs. Its value is the path to a file with servers listed in {{ic|resolv.conf}} format. The default dial-up configuration uses it because the PPP client writes {{ic|/etc/ppp/resolv.conf}} with the addresses it gets from the PPP server. You should not need to change it unless you want to use a different DNS server than your ISP gives you by default.<br />
<br />
The rest of the server section will work without any more changes. For details on all the available options, see the [http://www.phys.uu.nl/~rombouts/pdnsd/doc.html pdnsd manual].<br />
<br />
==== DNS servers with DHCP connections ====<br />
<br />
When [[netctl]] is installed, pdnsd can be notified of the IP addresses of the name servers by resolvconf (see the resolvconf(8) man page), and the notifications become dynamic when you use [[netctl#Automatic switching of profiles|Automatic switching of profiles]].<br />
<br />
To configure this feature, remove the broadband server section and update the dial-up server section with the following changes:<br />
label = resolvconf;<br />
file = /etc/pdnsd-resolv.conf;<br />
Edit {{ic|/etc/resolvconf.conf}} to configure resolvconf with pdnsd as one of its subscribers:<br />
name_servers=127.0.0.1<br />
pdnsd_resolv=/etc/pdnsd-resolv.conf<br />
Then run {{ic|resolvconf -u}} to update {{ic|/etc/pdnsd-resolv.conf}} with the addresses of the name servers (ignore the error message saying that the pdnsd socket cannot be accessed). This update is only needed once, before starting pdnsd manually.<br />
<br />
=== OpenDNS ===<br />
<br />
The {{ic|pdnsd.conf}} file comes with OpenDNS settings built in; you can simply remove (or comment out) the dialup and broadband sections above it (being careful not to remove the necessary global setup at the very top of the file), and then uncomment it to use OpenDNS resolution.<br />
<br />
However, OpenDNS does some weird things to Google. You need to deny results from OpenDNS that return one of OpenDNS’s Google-proxy machines if you want to avoid this behaviour (for many people, it can increase Google request times from, say, 15ms to 75ms+). The exact servers’ IPs change, but you can run a {{ic|drill www.google.com @208.67.222.222}} query (provided by {{Pkg|dnsutils}}) to find the current IPs. You’ll know if the query is being proxied, because the server’s name will resolve to something like {{ic|google.navigation.opendns.com}}. For me, these addresses were {{ic|208.67.216.230}} and {{ic|208.67.216.231}}.<br />
<br />
Once you know the IPs, you can replace the existing {{ic|rejected}} IPs inside the OpenDNS {{ic|1=server { … }}} declaration in {{ic|pdnsd.conf}}. Make sure you retain the prefixes.<br />
<br />
[http://wiki.opennicproject.org/Tier2 OpenNIC] is a reliable alternative to OpenDNS.<br />
<br />
=== Testing ===<br />
<br />
You should now have a working {{ic|pdnsd}} daemon. Start it.<br />
<br />
You can test it with the {{ic|drill}} utility (from the {{Pkg|ldns}} package):<br />
<br />
$ drill www.google.com @127.0.0.1<br />
If everything works, you should see a list of IP addresses associated with Google.<br />
<br />
For the second time you look up the address, query time should be under 1 ms.<br />
<br />
=== System setup ===<br />
<br />
Now it is time to point your system toward your brand-new DNS server.<br />
<br />
If you use DHCP to configure your network settings and you use the old netcfg instead of [[netctl]], you need to edit {{ic|/etc/resolv.conf.head}} or {{ic|/etc/resolv.conf}} by adding pdnsd before all of the other nameservers:<br />
# pdnsd cache @ localhost<br />
nameserver 127.0.0.1<br />
<br />
If you are using NetworkManager, {{ic|/etc/resolv.conf}} will be overwritten automatically, which prevents the local nameserver (127.0.0.1) from being used. To solve this, see the [https://wiki.archlinux.org/index.php/resolv.conf#Preserve_DNS_settings Preserve DNS settings] section of the resolv.conf article.<br />
<br />
Make sure to enable {{ic|pdnsd}} service.<br />
<br />
pdnsd should start after network, as it depends on the network to run, and some services that use the network rely on working DNS.<br />
<br />
Restart {{ic|network.target}} ({{ic|pdnsd}} should already be running):<br />
<br />
Retest the DNS query time, but this time use the system default DNS server:<br />
$ drill google.com | grep "Query time"<br />
<br />
=== Performance settings for home broadband users ===<br />
<br />
Many users have broadband connections where the DNS server is slow or unreliable, and would like to use {{ic|pdnsd}} as a caching server to minimize the number of DNS queries that need to be made. After doing the setup detailed above, the following settings in the {{ic|/etc/pdnsd.conf}} will help improve the performance in this role:<br />
<br />
Under global settings:<br />
neg_rrs_pol=on;<br />
par_queries=1;<br />
<br />
Under server settings:<br />
proxy_only=on;<br />
purge_cache=off;<br />
<br />
The {{ic|1=neg_rrs_pol=on;}} policy means that when a negative response comes back for a query, pdnsd server will still cache the result even if the response is not "authoritative". This is important since watching DNS queries will reveal that there are many requests for AAAA records (DNS queries for IPv6) which will never return results since many domains are not using IPv6, as well as MX records since not every domain has an MX record. Without the negative caching, these requests will be sent even after a domain name has been cached, and in this role you do not want the extra DNS requests being made. It is important to use this option in conjunction with the {{ic|1=proxy_only=on;}} option to minimize the number of queries coming out of the system.<br />
<br />
The {{ic|1=par_queries=1;}} option is useful if you specify more than one DNS server in your "server" section below. It specifies an increment of how many parallel queries will be made at once. For example, if four DNS servers are listed in the "server" section, and {{ic|1=par_queries=2;}} (the default), then the first 2 servers will be queried simultaneously, and if both of the first two servers fail, {{ic|pdnsd}} will move on to the next two and query them simultaneously. The setting used above means that one DNS server at a time gets queried, so you can list two or more DNS servers in the "server" section, and the second one will only be queried if the first one fails. This helps minimize traffic, but if the first server fails you will have to wait through the timeout before the second server will be queried. Tweak this setting for your own preferences, and if you only specify one server in the "server" section then you do not need to worry about it.<br />
<br />
The {{ic|1=proxy_only=on;}} setting is mentioned below in the FAQ and is important for home broadband users since you generally are using only one or two DNS servers instead of trying to do the full-blown hierarchical name resolution that a full DNS server would do. This setting will prevent {{ic|pdnsd}} from resolving all the way back to the "authoritative" name server, and instead accept the results of the DNS servers that were already specified in the "server" section. Once again, this reduces the number of DNS queries you need to make, improving performance.<br />
<br />
The {{ic|1=purge_cache=off;}} setting tells {{ic|pdnsd}} not to remove cache entries even if they have outlived the DNS record's time-to-live metric. This can be very useful when your ISP's DNS server goes down and you want to be able to access name lookups for domains you frequently use despite the outage. Records will still be bumped out of the cache based on age once the cache becomes full (see {{ic|man pdnsd.conf}} on how to set the size of the cache).<br />
<br />
=== Additional performance settings ===<br />
<br />
==== TTLs (Time-To-Live) ====<br />
<br />
Each DNS resource record returned from a server includes a maximum time-to-live, or TTL. This tells the recipient how long to store the record and when to do a new lookup on it. Many DNS records have relatively short TTLs, such as 3600 (one hour). This means that after one hour, pdnsd will attempt a new lookup on this entry, regardless of whether it has a cached record for it available. It will improve performance to override this default TTL by setting a global minimum TTL, causing fewer lookups to be performed. The disadvantage to using a minimum TTL that is too long is that a cached record may be out of date (the IP address of the host may be changed, but your client will not know this because it will receive the cached address). However, most IP addresses do not change hourly or even daily.<br />
<br />
Times are specified in seconds by default, or you may append an "m", "h", "d", or "w" to the time to specify minutes, hours, days, or weeks.<br />
<br />
{{ic|1=min_ttl}} in the global settings sets a minimum TTL for cached records, causing pdnsd to ignore the default TTL in the record received from the server. On a slow connection or with a slow DNS server, you may want to set this to several hours to reduce the number of lookups (e.g. {{ic|1=min_ttl=6h;}}).<br />
<br />
{{ic|1=neg_ttl}} in the global settings sets a minimum TTL for non-existent domains. If a server tells pdnsd that a domain does not exist, it will not try to lookup that domain again until this amount of time has elapsed.<br />
<br />
==== Timeouts ====<br />
<br />
Setting shorter timeouts means that pdnsd will give up on an entire query or a given server query more quickly, resulting in faster performance. The disadvantage to setting timeouts too short is that pdnsd might return an error on a lookup simply because the server was not given enough time to respond.<br />
<br />
{{ic|timeout}} in the global settings determines when pdnsd gives up on an entire query and returns an error to your browser or other client. Setting the global timeout option makes it possible to specify quite short timeout intervals in the server sections (see below). This will have the effect that pdnsd will start querying additional servers fairly quickly if the first servers are slow to respond (but will still continue to listen for responses from the first ones). (If you use query_method=tcp_udp it is recommended that you make the global timeout at least twice as large as the largest server timeout, otherwise pdnsd may not have time to try a UDP query if a TCP connection times out.)<br />
<br />
{{ic|1=tcp_qtimeout}} in the global settings determines how long a TCP query connection may be left open.<br />
<br />
{{ic|1=timeout}} in the server settings determines how long pdnsd will wait for a response from each server. Setting this to a shorter time means that pdnsd will give up on a non-responsive server more quickly and will move on to the next available server, sometimes resulting in a faster overall response time. On a fast connection, setting this to 4 or 5 seconds is not unreasonable.<br />
<br />
==== Debugging ====<br />
<br />
To see what servers pdnsd is using for a particular lookup, how timeouts are working, and what default TTLs are being used by domains, turn debug on in the global settings:<br />
debug=on;<br />
Restart pdnsd and monitor the pdnsd.service for changes with the systemd journal:<br />
journalctl _SYSTEMD_UNIT=pdnsd.service<br />
<br />
Be sure to turn debug off for general use as leaving it on may degrade performance.<br />
<br />
==== Cache size ====<br />
<br />
By default, pdnsd will automatically create authoritative records for all entries in {{ic|/etc/hosts}}. If you have a lot of entries, for example if you are using it for ad blocking, the default maximum cache size provided by {{ic|/etc/pdnsd.conf}} may not be large enough, resulting in DNS requests not being cached for their expected amount of time. <br />
<br />
To increase the cache size, edit the {{ic|1=perm_cache}} line in the 'global settings' section of configuration file (size in kB).<br />
<br />
Alternatively, you can prevent pdnsd from preemptively sourcing your hosts file by adding the option {{ic|1=authrec=off}} to the 'source' section. If, for whatever reason, setting authrec to off does not work, an easy workaround is to create a separate hosts file (e.g. {{ic|/etc/hosts-pdnsd}}) with only your system information and point your 'source' section to that instead, while leaving your original hosts file intact. This way, pdnsd will reference {{ic|/etc/hosts}} only when performing lookups. So for example:<br />
{{hc|/etc/hosts-pdnsd|2=#<ip-address> <hostname.domain.org> <hostname><br />
127.0.0.1 localhost.localdomain my_hostname<br />
::1 localhost.localdomain localhost<br />
}}<br />
<br />
== Extras ==<br />
<br />
=== Shared server for your LAN ===<br />
<br />
If you have several computers on your network, you may want to make pdnsd the DNS server for them all. This allows your entire network to share a single DNS cache, making repeated lookups much faster. To allow this, simply set {{ic|server_ip}} in the {{ic|global}} section to the name of your network interface (usually {{ic|eth0}}). If you have set up a firewall, tell it to allow connections to port 53 from any address on your network.<br />
<br />
Now you can configure the other computers on your network to use the computer running pdnsd as their primary DNS server.<br />
<br />
=== Name blocking ===<br />
<br />
pdnsd allows you to specify hosts or domains that it should never return results for. This allows you to use it as a primitive ad or content blocker, among other things. Create a new {{ic|neg}} section in {{ic|pdnsd.conf}}. {{ic|neg}} sections have two main options. {{ic|name}} is the name of the host or domain you want to block. {{ic|types}} can be set to {{ic|domain}} to block all hosts in the given domain. The default {{ic|pdnsd.conf}} gives an example that blocks all ads from doubleclick.net.<br />
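The options discussed in the performance, TTL, timeout, cache-size, shared-LAN and name-blocking sections above all live in one file, so here they are together in valid {{ic|pdnsd.conf}} syntax. This is an added example, not the page's own or the configuration shipped with the {{Pkg|pdnsd}} package: the {{ic|ispdns}} label and the {{ic|192.0.2.1}} upstream address are placeholders to replace with your ISP's resolver, and the two OpenDNS reject addresses are the ones quoted earlier on this page, which change over time and must be re-checked with drill.<br />

```conf
# Added example: a complete /etc/pdnsd.conf tying together the options
# discussed on this page. Not the package's shipped file. Placeholders:
# the "ispdns" server and its 192.0.2.1 address.
global {
    perm_cache = 4096;          # cache size in kB; raise it if many hosts entries are sourced
    cache_dir = "/var/cache/pdnsd";
    run_as = "pdnsd";
    server_ip = 127.0.0.1;      # an interface name (e.g. eth0) here serves the whole LAN
    status_ctl = on;            # required for pdnsd-ctl dump / empty-cache
    paranoid = on;              # drop answers that do not match the question asked
    query_method = udp_tcp;
    min_ttl = 6h;               # override short upstream TTLs: fewer repeated lookups
    max_ttl = 1w;
    neg_ttl = 1h;               # remember "no such name" answers for an hour
    neg_rrs_pol = on;           # cache negative AAAA/MX answers even if not authoritative
    par_queries = 1;            # ask one upstream server at a time
    timeout = 10;               # overall per-query timeout seen by the client
    tcp_qtimeout = 30;
    debug = off;                # on only while watching journalctl _SYSTEMD_UNIT=pdnsd.service
}

# The ISP's resolver (placeholder address: replace it).
server {
    label = "ispdns";
    ip = 192.0.2.1;
    timeout = 4;                # per-server timeout; reasonable on a fast link
    uptest = ping;
    interval = 10m;
    ping_timeout = 100;
    proxy_only = on;            # accept the upstream's answer, do not resolve recursively
    purge_cache = off;          # keep expired entries usable during an upstream outage
    edns_query = yes;
}

# OpenDNS, with its Google proxy machines rejected (addresses from this page;
# re-check them with: drill www.google.com @208.67.222.222).
server {
    label = "opendns";
    ip = 208.67.222.222;
    reject = 208.67.216.230, 208.67.216.231;
    reject_policy = fail;       # a rejected answer counts as a server failure: try the next server
    timeout = 4;
    uptest = ping;
    interval = 10m;
    ping_timeout = 100;
    proxy_only = on;
    purge_cache = off;
}

# Pre-load only a small hosts file; /etc/hosts itself is still consulted by the resolver.
source {
    owner = localhost;
    file = "/etc/hosts-pdnsd";
    authrec = off;
}

rr {
    name = localhost;
    reverse = on;
    a = 127.0.0.1;
    owner = localhost;
    soa = localhost, root.localhost, 42, 86400, 900, 86400, 86400;
}

# Primitive ad blocking: never answer for doubleclick.net or any host beneath it.
neg {
    name = doubleclick.net;
    types = domain;
}
```

After editing, restart the {{ic|pdnsd}} service and repeat the drill test from the Testing section; with {{ic|1=status_ctl=on}} you can also inspect what was cached with {{ic|pdnsd-ctl dump}}.<br />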
<br />
=== pdnsd-ctl ===<br />
<br />
From the pdnsd-ctl(8) manpage:<br />
<br />
:'''''pdnsd-ctl''' controls '''pdnsd''', a proxy dns server with permanent caching. Note that the status control socket must be enabled (by specifying an option on the pdnsd command line or in the configuration file) before you can use '''pdnsd-ctl'''.''<br />
<br />
A couple of useful commands to get you started...<br />
<br />
View cache:<br />
# pdnsd-ctl dump<br />
<br />
Flush cache:<br />
# pdnsd-ctl empty-cache<br />
<br />
== Troubleshooting ==<br />
<br />
If you get the error '''result of uptest for 192.168.1.1: failed''' from '''journalctl -f _SYSTEMD_UNIT=pdnsd.service''' while you can still successfully ping your ISP's DNS server, check the interface name in the {{ic|/etc/pdnsd.conf}} global section:<br />
interface = any;<br />
or in the server section:<br />
interface=enp2s0;<br />
Alternatively, check the currently running interfaces on your system with ifconfig, identify which one connects you to the Internet, and supply its name to one of the above-mentioned fields in {{ic|/etc/pdnsd.conf}}.<br />
<br />
== FAQs ==<br />
<br />
; Q) It does not seem much faster to me. Why? : '''A)''' The extra speed gained from running a local DNS cache is all in how long it takes to connect to a server. Throughput, what people normally think of as speed, will not be affected. The difference is most noticeable when browsing the web, as that typically involves small downloads from several servers. With slower connections, especially dial-up, throughput is the primary bottleneck, so there will not be as large a difference percentage-wise.<br />
; Q) Why is it so much slower now than before? : '''A)''' You almost certainly have the {{ic|proxy_only}} option turned off in one of the server sections of {{ic|pdnsd.conf}}. By default, pdnsd frequently asks several DNS servers about a domain to get the most accurate response possible. The {{ic|proxy_only}} option disables this feature. It should be turned on if you use the DNS server provided by your ISP.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=HexChat&diff=311925HexChat2014-04-26T19:21:33Z<p>GSF1200S: /* Issues Joining Channels */</p>
<hr />
<div>{{Stub}}<br />
[[Category:Internet applications]]<br />
[[Category:Internet Relay Chat]]<br />
[http://xchat.org XChat] is a multi-platform IRC chat program.<br />
<br />
==Gnome 3==<br />
To use the new Notifications and messaging tray, activate the following options in Settings > Preferences > Chatting > Alerts:<br />
* Show tray balloons<br />
* Blink tray icon (optional)<br />
* Enable system tray icon: unchecked (the icon appears automatically if you have pending notifications)<br />
<br />
==Spell Check==<br />
You can enable spell check as-you-type in the preferences, but you might notice that the red squiggly lines never appear, no matter how hard you try to write badly. To enable it completely, you need to install not just the optional dependency {{Pkg|enchant}}, but also the correct dictionary. Find your correct dictionary by searching for {{Pkg|hunspell}}.<br />
<br />
$ pacman -Ss hunspell<br />
<br />
Pick out the correct one and install it, e.g. for English you will need {{Pkg|hunspell-en}}. You may need to restart XChat after this.<br />
<br />
==Issues Joining Channels==<br />
Many channels, including #archlinux (on freenode), require that you be identified before you can join the channel. Since it takes XChat a number of seconds to connect to a network, and then a number of seconds to identify, XChat will often try to join channels *before* you are identified, so channels requiring identification fail to load. Put another way, if you cannot figure out why some channels fail to load when you start XChat but load fine when you join them manually, try the following.<br />
<br />
Input the following into xchat (where you would normally type text):<br />
<br />
/set irc_join_delay 10<br />
<br />
where 10 represents seconds. You can change this to whatever you need, depending on the speed of the process for you.<br />
<br />
==Additional Resources==<br />
* [http://wiki.gotux.net/code/bash/txc Toxin XChat Theme Installer Script]</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=HexChat&diff=311924HexChat2014-04-26T19:18:23Z<p>GSF1200S: Added a note about "irc_join_delay"</p>
<hr />
<div>{{Stub}}<br />
[[Category:Internet applications]]<br />
[[Category:Internet Relay Chat]]<br />
[http://xchat.org XChat] is a multi-platform IRC chat program.<br />
<br />
==Gnome 3==<br />
To use the new Notifications and messaging tray, activate the following options in Settings > Preferences > Chatting > Alerts:<br />
* Show tray balloons<br />
* Blink tray icon (optional)<br />
* Enable system tray icon: unchecked (the icon appears automatically if you have pending notifications)<br />
<br />
==Spell Check==<br />
You can enable spell check as-you-type in the preferences, but you might notice that the red squiggly lines never appear, no matter how hard you try to write badly. To enable it completely, you need to install not just the optional dependency {{Pkg|enchant}}, but also the correct dictionary. Find your correct dictionary by searching for {{Pkg|hunspell}}.<br />
<br />
$ pacman -Ss hunspell<br />
<br />
Pick out the correct one and install it, e.g. for English you will need {{Pkg|hunspell-en}}. You may need to restart XChat after this.<br />
<br />
==Issues Joining Channels==<br />
Many channels, including #archlinux (on freenode), require that you be identified before you can join the channel. Since it takes XChat a number of seconds to connect to a network, and then a number of seconds to identify, XChat will often try to join channels *before* you are identified, so channels requiring identification fail to load. A solution is to input the following into XChat (where you would normally type text):<br />
<br />
/set irc_join_delay 10<br />
<br />
where 10 represents seconds. You can change this to whatever you need, depending on the speed of the process for you. <br />
<br />
==Additional Resources==<br />
* [http://wiki.gotux.net/code/bash/txc Toxin XChat Theme Installer Script]</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Install_Arch_Linux_from_existing_Linux&diff=311435Install Arch Linux from existing Linux2014-04-22T02:50:52Z<p>GSF1200S: Added a note to help prevent issues with mounting from within chroot and issues with pacstrap</p>
<hr />
<div>[[Category:Getting and installing Arch]]<br />
[[es:Install from Existing Linux]]<br />
[[fr:Install chroot]]<br />
[[it:Install from Existing Linux]]<br />
[[ja:Install from Existing Linux]]<br />
[[pt:Install from Existing Linux]]<br />
[[ru:Install from Existing Linux]]<br />
[[uk:Install from Existing Linux]]<br />
[[zh-CN:Install from Existing Linux]]<br />
[[zh-TW:Install from Existing Linux]]<br />
This document describes the bootstrapping process required to install Arch Linux from a running Linux host system.<br />
After bootstrapping, the installation proceeds as described in the [[Installation guide]].<br />
<br />
Installing Arch Linux from a running Linux is useful for:<br />
* remotely installing Arch Linux, e.g. a (virtual) root server<br />
* replacing an existing Linux without a LiveCD (see [[#Replacing the Existing System without a LiveCD]])<br />
* creating a new Linux distribution or LiveCD based on Arch Linux<br />
* creating an Arch Linux chroot environment, e.g. for a Docker base container<br />
* [[Diskless_network_boot_NFS_root|rootfs-over-NFS for diskless machines]]<br />
<br />
The goal of the bootstrapping procedure is to set up an environment from which {{Pkg|arch-install-scripts}} (such as {{ic|pacstrap}} and {{ic|arch-chroot}}) run.<br />
This goal is achieved by installing {{Pkg|arch-install-scripts}} natively on the host system, or setting up an Arch Linux-based chroot.<br />
<br />
If the host system runs Arch Linux, installing {{Pkg|arch-install-scripts}} is straightforward.<br />
<br />
{{Note|This guide requires that the existing host system be able to execute the new target Arch Linux architecture programs. In the case of an x86_64 host, it is possible to use i686-pacman to build a 32-bit chroot environment. See [[Arch64 Install bundled 32bit system]]. However it is not so easy to build a 64-bit environment when the host only supports running 32-bit programs.}}<br />
<br />
==Arch Linux-based chroot==<br />
The idea is to run an Arch system inside the host system.<br />
The actual installation is then executed from this Arch system.<br />
This nested system is contained inside a chroot.<br />
Three methods to set up and enter this chroot are presented below, from the easiest to the most complicated.<br />
<br />
{{Note|Your host system must run Linux 2.6.32 or later.}}<br />
{{Note|Select only one of the following three methods and then read the rest of the article to complete the install.}}<br />
===Method 1: Using the Bootstrap Image===<br />
<br />
Download the bootstrap image from a [https://www.archlinux.org/download mirror]:<br />
$ curl -O http://mirrors.kernel.org/archlinux/iso/2014.03.01/archlinux-bootstrap-2014.03.01-x86_64.tar.gz<br />
{{Note|For this next step, it is a good idea to run the tar command as root. If you do not, you will have issues with mounting filesystems or using pacstrap. Otherwise, change to appropriate permissions after extraction.}}<br />
Extract the tarball:<br />
# cd /tmp<br />
# tar xzf <path-to-bootstrap-image>/archlinux-bootstrap-2014.03.01-x86_64.tar.gz<br />
Select a repository server:<br />
# nano /tmp/root.x86_64/etc/pacman.d/mirrorlist<br />
<br />
{{Note|If you are bootstrapping an i686 image from an x86_64 host system, you must also edit {{Ic|/tmp/root.i686/etc/pacman.conf}} and explicitly define {{Ic|1=Architecture = i686}} in order for pacman to pull the proper i686 packages.}}<br />
<br />
Enter the chroot<br />
* If you have bash 4 or later installed:<br />
# /tmp/root.x86_64/bin/arch-chroot /tmp/root.x86_64/<br />
* Else run the following commands:<br />
# cp /etc/resolv.conf /tmp/root.x86_64/etc<br />
# mount --rbind /proc /tmp/root.x86_64/proc<br />
# mount --rbind /sys /tmp/root.x86_64/sys<br />
# mount --rbind /dev /tmp/root.x86_64/dev<br />
# mount --rbind /run /tmp/root.x86_64/run<br />
(assuming /run exists on your system)<br />
# chroot /tmp/root.x86_64/<br />
<br />
===Method 2: Using the LiveCD Image===<br />
<br />
It is possible to mount the root image of the latest Arch Linux installation media and then chroot into it. This method has the advantage of providing you with a working Arch Linux installation right within your host system without the need to prepare it by installing specific packages.<br />
<br />
{{Note|Before proceeding, make sure the latest version of [http://squashfs.sourceforge.net/ squashfs] is installed on the host system. Otherwise you will get errors like: {{ic|FATAL ERROR aborting: uncompress_inode_table: failed to read block}}.}}<br />
<br />
* The root image can be found on one of the [https://www.archlinux.org/download mirrors] under either arch/x86_64/ or arch/i686/ depending on the desired architecture. The squashfs format is not editable so we unsquash the root image and then mount it.<br />
<br />
*To unsquash the root image, run<br />
{{bc|# unsquashfs -d /squashfs-root root-image.fs.sfs}}<br />
<br />
* Now you can loop mount the root image<br />
{{bc|<br />
# mkdir /arch<br />
# mount -o loop /squashfs-root/root-image.fs /arch<br />
}}<br />
<br />
* Before [[Change Root|chrooting]] to it, we need to set up some mount points and copy the resolv.conf for networking.<br />
{{bc|<br />
# mount -t proc none /arch/proc<br />
# mount -t sysfs none /arch/sys<br />
# mount -o bind /dev /arch/dev<br />
# mount -o bind /dev/pts /arch/dev/pts # important for pacman (for signature check)<br />
# cp -L /etc/resolv.conf /arch/etc #this is needed to use networking within the chroot<br />
}}<br />
<br />
* Now everything is prepared to chroot into your newly installed Arch environment<br />
{{bc|# chroot /arch bash}}<br />
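Methods 1 and 2 above both bind the host's API filesystems into the chroot by hand and copy {{ic|resolv.conf}} in; the steps are easy to get half-done (a mount stacked twice, {{ic|/dev/pts}} forgotten, a stale mount left pinned after exiting). The following added shell example, which is not part of the original page and not the {{ic|arch-chroot}} script itself, does those steps in a checked, repeatable way. The function names and the {{ic|DRY_RUN}} variable are my own; with {{ic|1=DRY_RUN=1}} it only prints the commands, so the logic can be reviewed without root. It assumes the extracted bootstrap tree is passed as the first argument (e.g. {{ic|/tmp/root.x86_64}} or {{ic|/arch}}).<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: the API-filesystem mounts that
# Methods 1 and 2 perform by hand, done idempotently with checks.
# Assumptions: $1 is the extracted bootstrap tree; DRY_RUN=1 prints the
# commands instead of running them (no root needed for a dry run).

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# API filesystems to bind into the chroot. --rbind carries sub-mounts along
# (/dev/pts for pacman's signature checks, /dev/shm, and /run/shm on
# Debian-based hosts, which the pacstrap error further down the page is about).
CHROOT_API_FS="proc sys dev run"

# Succeed when $1 looks like an extracted bootstrap tree. Warn when it was not
# unpacked as root, since the page notes that breaks mounting and pacstrap.
check_chroot_tree() {
    root=$1
    [ -n "$root" ] && [ -d "$root" ] && [ -x "$root/bin/bash" ] || return 1
    [ "$(stat -c %u "$root")" = 0 ] || {
        echo "warning: $root is not owned by root; re-extract the tarball as root" >&2
    }
    return 0
}

prepare_chroot() {
    root=$1
    check_chroot_tree "$root" || { echo "not a usable chroot tree: $root" >&2; return 1; }
    for fs in $CHROOT_API_FS; do
        [ -d "/$fs" ] || continue                  # /run may be absent on old hosts
        if [ "${DRY_RUN:-0}" != 1 ] && mountpoint -q "$root/$fs"; then
            continue                               # already mounted: do not stack a second mount
        fi
        run mkdir -p "$root/$fs"
        run mount --rbind "/$fs" "$root/$fs"
        run mount --make-rslave "$root/$fs"        # mount events inside must not leak to the host
    done
    # -L copies the file behind a resolv.conf symlink, not the (dangling) link
    run cp -L /etc/resolv.conf "$root/etc/resolv.conf"
}

enter_chroot() {
    prepare_chroot "$1" && run chroot "$1" /bin/bash
}

# Unmount in reverse order, recursively, so nothing stays pinned under the tree.
teardown_chroot() {
    root=$1
    for fs in run dev sys proc; do
        [ "${DRY_RUN:-0}" = 1 ] || mountpoint -q "$root/$fs" || continue
        run umount -R "$root/$fs"
    done
}
```

Usage: {{ic|enter_chroot /tmp/root.x86_64}} as root, and {{ic|teardown_chroot /tmp/root.x86_64}} after leaving the chroot. Review the plan first with {{ic|1=DRY_RUN=1 prepare_chroot /tmp/root.x86_64}}.<br />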
<br />
===Method 3: Assembling the chroot Manually (with a script)===<br />
<br />
The script creates a directory called {{ic|archinstall-pkg}} and downloads the required packages in it. It then extracts them in the {{ic|archinstall-chroot}} directory. Finally, it prepares mount points, configures pacman and enters a chroot.<br />
<br />
{{hc|archinstall-bootstrap.sh|<nowiki><br />
#!/bin/bash<br />
# last edited 02. March 2014<br />
# This script is inspired on the archbootstrap script.<br />
<br />
FIRST_PACKAGE=(filesystem)<br />
BASH_PACKAGES=(glibc ncurses readline bash)<br />
PACMAN_PACKAGES=(acl archlinux-keyring attr bzip2 coreutils curl e2fsprogs expat gnupg gpgme keyutils krb5 libarchive libassuan libgpg-error libgcrypt libssh2 lzo2 openssl pacman xz zlib)<br />
# EXTRA_PACKAGES=(pacman-mirrorlist tar libcap arch-install-scripts util-linux systemd)<br />
PACKAGES=(${FIRST_PACKAGE[*]} ${BASH_PACKAGES[*]} ${PACMAN_PACKAGES[*]})<br />
<br />
# Change to the mirror which best fits for you<br />
# USA<br />
MIRROR='http://mirrors.kernel.org/archlinux' <br />
# Germany<br />
# MIRROR='http://archlinux.limun.org'<br />
<br />
# You can set the ARCH variable to i686 or x86_64<br />
ARCH=`uname -m`<br />
LIST=`mktemp`<br />
CHROOT_DIR=archinstall-chroot<br />
DIR=archinstall-pkg<br />
mkdir -p "$DIR"<br />
mkdir -p "$CHROOT_DIR"<br />
# Create a list of filenames for the arch packages<br />
wget -q -O- "$MIRROR/core/os/$ARCH/" | sed -n "s|.*href=\"\\([^\"]*xz\\)\".*|\\1|p" >> $LIST<br />
# Download and extract each package.<br />
for PACKAGE in ${PACKAGES[*]}; do<br />
FILE=`grep "$PACKAGE-[0-9]" $LIST|head -n1`<br />
wget "$MIRROR/core/os/$ARCH/$FILE" -c -O "$DIR/$FILE"<br />
xz -dc "$DIR/$FILE" | tar x -k -C "$CHROOT_DIR"<br />
rm -f "$CHROOT_DIR/.PKGINFO" "$CHROOT_DIR/.MTREE" "$CHROOT_DIR/.INSTALL"<br />
done<br />
# Create mount points<br />
mount -t proc proc "$CHROOT_DIR/proc/"<br />
mount -t sysfs sys "$CHROOT_DIR/sys/"<br />
mount -o bind /dev "$CHROOT_DIR/dev/"<br />
mkdir -p "$CHROOT_DIR/dev/pts"<br />
mount -t devpts pts "$CHROOT_DIR/dev/pts/"<br />
<br />
# Hash for empty password Created by doing: openssl passwd -1 -salt ihlrowCo and entering an empty password (just press enter)<br />
# echo 'root:$1$ihlrowCo$sF0HjA9E8up9DYs258uDQ0:10063:0:99999:7:::' > "$CHROOT_DIR/etc/shadow"<br />
# echo "myhost" > "$CHROOT_DIR/etc/hostname"<br />
[ -f "/etc/resolv.conf" ] && cp "/etc/resolv.conf" "$CHROOT_DIR/etc/"<br />
<br />
mkdir -p "$CHROOT_DIR/etc/pacman.d/"<br />
echo "Server = $MIRROR/\$repo/os/$ARCH" >> "$CHROOT_DIR/etc/pacman.d/mirrorlist"<br />
<br />
chroot $CHROOT_DIR pacman-key --init<br />
chroot $CHROOT_DIR pacman-key --populate archlinux<br />
chroot $CHROOT_DIR pacman -Syu pacman --force<br />
[ -f "/etc/resolv.conf" ] && cp "/etc/resolv.conf" "$CHROOT_DIR/etc/"<br />
echo "Server = $MIRROR/\$repo/os/$ARCH" >> "$CHROOT_DIR/etc/pacman.d/mirrorlist"<br />
chroot $CHROOT_DIR<br />
</nowiki>}}<br />
<br />
===Using the chroot Environment===<br />
<br />
====Initializing pacman keyring====<br />
Before starting the installation, the pacman keys need to be set up. Before running the following two commands, read [[pacman-key#Initializing the keyring]] to understand the entropy requirements:<br />
{{bc|<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
}}<br />
<br />
====Installation====<br />
Follow the [[Installation guide#Mount the partitions|Mount the partitions]] and [[Installation guide#Install the base system|Install the base system]] sections of the [[Installation guide]].<br />
<br />
=====Debian-based host=====<br />
On Debian-based host systems, {{ic|pacstrap}} produces the following error:<br />
# pacstrap /mnt base<br />
# ==> Creating install root at /mnt<br />
# mount: mount point /mnt/dev/shm is a symbolic link to nowhere<br />
# ==> ERROR: failed to setup API filesystems in new root<br />
<br />
In Debian, /dev/shm points to /run/shm. However, in the Arch-based chroot, /run/shm does not exist and the link is broken. To correct this error, create a directory /run/shm:<br />
# mkdir /run/shm<br />
<br />
====Configure the system====<br />
<br />
From that point, simply follow the [[Installation guide#Mount the partitions|Mount the partitions]] section of the [[Installation guide]] and following sections.<br />
<br />
==Replacing the Existing System without a LiveCD==<br />
Find ~500MB of free space somewhere on the disk, e.g. by partitioning a swap partition.<br />
Install the new Arch Linux system there, reboot into the newly created system, and [[Full system backup with rsync#With_a_single_command|rsync the entire system]] to the primary partition.<br />
Fix the bootloader configuration before rebooting.</div>GSF1200Shttps://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_T530&diff=300143Lenovo ThinkPad T5302014-02-23T11:15:34Z<p>GSF1200S: </p>
<hr />
<div>[[Category:Lenovo]]<br />
== Base System ==<br />
* You can follow the [[Beginners' guide]] for this<br />
** Basically everything that is there is what is needed, I will expand on the extra configs and weird tweaks that may be needed.<br />
** Go up to '''not through''' the GUI configurations, since we may be changing some things.<br />
<br />
== Sound ==<br />
{{Note|With {{pkg|linux}} 3.11.x, this seems not to be necessary any more.}}<br />
{{Note|As of {{pkg|linux}} 3.6.x, auto-mute may have to be disabled for working sound.}}<br />
<br />
'''Temporary Fix Options:'''<br />
# launch the Alsa Mixer CLI interface (in the terminal just type alsamixer) and then hit "F6". Select ''HDA Intel PCH'' and scroll over to "Auto-Mute" and hit the down arrow.<br />
# Just enter this in the terminal ''/usr/bin/amixer -c 0 sset "Auto-Mute Mode" Disabled''<br />
<br />
'''Permanent Fix Options:'''<br />
# Make the above command (''/usr/bin/amixer -c 0 sset "Auto-Mute Mode" Disabled'') launch at login.<br />
#* Gnome/Cinnamon: Alt+F2, gnome-session-properties, add the command and title/describe it as you wish)<br />
#* Mate: Follow "Gnome/Cinnamon" with "mate-session-properties" instead.<br />
#* Openbox: Add the command to the ~/.openbox/autorun file.<br />
<br />
<br />
Internal speakers and headphones (including optional auto-mute and DisplayPort audio) work out-of-the-box.<br />
<br />
<br />
To enable sound, you need to configure the kernel module:<br />
<br />
{{hc|/etc/modprobe.d/alsa-base.conf|2=options snd-hda-intel model=thinkpad}}<br />
<br />
(see [[Lenovo ThinkPad T400s]])<br />
<br />
== GUI (X) ==<br />
<br />
You should install the {{Pkg|xorg-server}} {{Pkg|xorg-xinit}} and {{Pkg|xorg-server-utils}} packages.<br />
<br />
Also, I am going to assume that you have the same set-up as me so you'll need to do the following items.<br />
<br />
I was in process of configuring [[Bumblebee]], but after trying it both ways on my T530 - I don't really see a huge gain for the pain. So I dropped it. In my specific case, if I really need the extension to the battery life, you can just turn off the Dedicated card in the BIOS.<br />
<br />
=== Intel HD 4000 ===<br />
<br />
You will need to install the {{Pkg|xf86-video-intel}} package.<br />
{{bc|<nowiki># pacman -S xf86-video-intel</nowiki>}}<br />
<br />
==== Backlight Control ====<br />
<br />
If backlight control does not work properly (e.g. in KDE), check {{ic|/sys/class/backlight}}:<br />
<br />
{{hc|# ls /sys/class/backlight/|<br />
acpi_video0 intel_backlight<br />
}}<br />
<br />
If the output looks similar to the above (i.e. more than one backlight device), your desktop environment might choose the wrong device for backlight control.<br />
<br />
You can try creating a configuration file for Xorg specifying the device to use. Create the file {{ic|/etc/X11/xorg.conf.d/20-intel.conf}} with the following contents:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device" <br />
Identifier "HD 4000" <br />
Driver "Intel" <br />
Option "Backlight" "intel_backlight" <br />
EndSection<br />
}}<br />
<br />
This tells Xorg to use {{ic|intel_backlight}} for controlling backlight. After a reboot, you should be able to control the backlight and get OSD notifications about it (KDE).<br />
<br />
=== NVIDIA NVS 5400M ===<br />
<br />
Now you have a few options as far as what driver to use.<br />
<br />
Arch recommends the {{Pkg|xf86-video-nouveau}} driver, which is Open Source. However, while it has fast 2D, it only has basic 3D support and does not fully support power saving at this point.<br />
<br />
{{bc|<nowiki># pacman -S xf86-video-nouveau</nowiki>}}<br />
<br />
The other option is the {{Pkg|nvidia}} package, which supports 3D and provides power saving. That being said, however, it will take some configuration to get it right. See the [[nvidia]] page for config.<br />
<br />
When in discrete graphics mode, the backlight does not work while in UEFI mode. This limitation does not exist in Legacy mode.<br />
<br />
'''Probably a waste, but I disabled this card in the BIOS for when I don't use it. Took battery from ~2hrs to ~4.5hrs'''<br />
<br />
== Input ==<br />
<br />
=== TrackPoint ===<br />
You need to add a new XORG Config file to handle the TrackPoint events (mostly the Middle Button handling horizontal and vertical scrolling, the MiddleClick works by default).<br />
<br />
Create {{ic|/etc/X11/xorg.conf.d/10-trackpoint.conf}} with these contents:<br />
<br />
# vim /etc/X11/xorg.conf.d/10-trackpoint.conf<br />
Section "InputClass"<br />
Identifier "Trackpoint Wheel Emulation"<br />
MatchProduct "TPPS/2 IBM TrackPoint|DualPoint Stick|Synaptics Inc. Composite TouchPad / TrackPoint|ThinkPad USB Keyboard with TrackPoint|USB Trackpoint pointing device"<br />
MatchDevicePath "/dev/input/event*"<br />
Option "EmulateWheel" "true"<br />
Option "EmulateWheelButton" "2"<br />
Option "Emulate3Buttons" "false"<br />
Option "XAxisMapping" "6 7"<br />
Option "YAxisMapping" "4 5"<br />
EndSection<br />
<br />
<br />
Once you reboot - you should be good-to-go with both vertical and horizontal scrolling while holding the middle TrackPoint button.<br />
<br />
=== Hotkeys (Media Keys) ===<br />
<br />
Media keys that work out of the box:<br />
* Wireless On/Off<br />
* Backlight Brightness (if you use the proprietary NVIDIA driver, extra configuration is needed; see [[NVIDIA]])<br />
* Thinklight / Keyboard Backlighting<br />
* Sleep<br />
<br />
Keys that do not work out of the box, depending on your DE (you can [[#keybinding|bind]] them):<br />
* Mute<br />
* Vol+/-<br />
* Prev/PlayPause/Next<br />
* Lock<br />
* Mic Mute (doesn't even register on my keymapper)<br />
* Fn+F7 - Display Toggle (Projector?)<br />
* Fn+F6 - WebCam Toggle<br />
* Launcher (right of the Mic Mute)<br />
<br />
'''<div id="keybinding">Keybindings</div>'''<br />
<br />
Install the {{pkg|xbindkeys}} package. When first run, xbindkeys expects a {{ic|~/.xbindkeysrc}} file and offers to create a default one. Personally, I think the default options are terrible for a US layout (example: rebinding Ctrl+F so it is no longer Find), so I just write my own to my liking.<br />
<br />
Here are the main ones; open your preferred editor and save the following as {{ic|~/.xbindkeysrc}}. Every command in this file is executed with your privileges whenever its key is pressed, so keep the file writable only by you:<br />
<br />
 # Volume Controls<br />
 "amixer set Master 5%+"<br />
     XF86AudioRaiseVolume<br />
 "amixer set Master 5%-"<br />
     XF86AudioLowerVolume<br />
 "amixer set Master toggle"<br />
     XF86AudioMute<br />
 # Lock (Fn+F3)<br />
 "gnome-screensaver-command -l"<br />
     XF86ScreenSaver<br />
 # I use banshee for my audio<br />
 "banshee --next"<br />
     XF86AudioNext<br />
 "banshee --restart-or-prev"<br />
     XF86AudioPrev<br />
 "banshee --toggle-playing"<br />
     XF86AudioPlay<br />
 # Launcher (right of the Mic Mute); replace "action" with the command this key should run<br />
 "action"<br />
     XF86Launch1<br />
<br />
Be sure to set {{pkg|xbindkeys}} to run at startup; any time you edit the file you need to restart the xbindkeys process for the changes to take effect. In GNOME/Cinnamon, press Alt+F2, type {{ic|gnome-session-properties}} and press Enter, click "Add" and enter {{ic|xbindkeys}} as the command; the name and description are up to you.<br />
<br />
If I get time, I plan to make a script that will change the program that PlayPause/Prev/Next control. This just does banshee in my example, but I would like to expand it to control VLC if it is open and banshee is not.<br />
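As an added example (not the author's script and not part of the original page), here is one way to do that dispatching: a small POSIX shell script that xbindkeys calls instead of banshee directly, and that routes the key to the first supported player it finds running, with an ordered preference list and a clean failure when no player is up. The banshee switches are the ones from the {{ic|~/.xbindkeysrc}} above; the script path {{ic|~/bin/media-key}}, the player order, and controlling VLC over its MPRIS2 D-Bus interface with {{ic|dbus-send}} are assumptions of this example.<br />
<br />
```shell
#!/bin/sh
# media-key: route the media keys to whichever supported player is running.
# Added example for this wiki page; not the author's script. The player list,
# the script path (~/bin/media-key) and VLC's MPRIS2 bus name are assumptions;
# the banshee switches are the ones used in ~/.xbindkeysrc above.
#
# Bind it in ~/.xbindkeysrc instead of calling banshee directly:
#   "~/bin/media-key play"
#       XF86AudioPlay
#   "~/bin/media-key next"
#       XF86AudioNext
#   "~/bin/media-key prev"
#       XF86AudioPrev

# Players in order of preference; the first one found running wins.
PLAYERS="banshee vlc"

# choose_player NAME...: given the names of running processes (normally the
# output of `ps -eo comm=`), print the preferred player that is running.
# Returns 1 when none of them is running.
choose_player() {
    for p in $PLAYERS; do
        for running in "$@"; do
            if [ "$running" = "$p" ]; then
                printf '%s\n' "$p"
                return 0
            fi
        done
    done
    return 1
}

# player_command PLAYER ACTION: print the command line that performs ACTION
# (play|next|prev) for PLAYER. Returns 1 for an unknown player or action.
player_command() {
    case "$1" in
        banshee)
            case "$2" in
                play) echo "banshee --toggle-playing" ;;
                next) echo "banshee --next" ;;
                prev) echo "banshee --restart-or-prev" ;;
                *)    return 1 ;;
            esac
            ;;
        vlc)
            # Assumption: VLC is driven over its MPRIS2 D-Bus interface.
            case "$2" in
                play) method=PlayPause ;;
                next) method=Next ;;
                prev) method=Previous ;;
                *)    return 1 ;;
            esac
            echo "dbus-send --type=method_call --dest=org.mpris.MediaPlayer2.vlc" \
                 "/org/mpris/MediaPlayer2 org.mpris.MediaPlayer2.Player.$method"
            ;;
        *)
            return 1
            ;;
    esac
}

# media_key ACTION: the entry point xbindkeys calls.
media_key() {
    # Word-splitting the process list is intended here.
    player=$(choose_player $(ps -eo comm=)) || {
        echo "media-key: no supported player running" >&2
        return 1
    }
    cmd=$(player_command "$player" "$1") || {
        echo "media-key: unknown action '$1'" >&2
        return 2
    }
    # $cmd comes from the fixed table above, never from untrusted input,
    # so handing it to the shell is safe.
    sh -c "$cmd"
}

# Only act when run as the script; do nothing when sourced (e.g. for tests).
case "$0" in
    *media-key) media_key "$1" ;;
esac
```
<br />
Save it as {{ic|~/bin/media-key}}, make it executable, point the three bindings in {{ic|~/.xbindkeysrc}} at it as shown in the header comment, and restart xbindkeys. Adding another player means one more name in {{ic|PLAYERS}} and one more branch in {{ic|player_command}}; the dispatch logic stays the same.<br />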
<br />
== Networking ==<br />
<br />
Both the Ethernet and wireless adapters are supported by Arch out of the box. All the available Intel wireless cards are very well supported, including good power saving. The Lenovo-branded (Realtek) card does not work as well and does not support power saving on Linux.<br />
<br />
== Thinkpad Specific Modules ==<br />
<br />
Most of the ThinkPad-specific hardware is picked up automatically, but you may want to make sure the {{ic|thinkpad_acpi}} kernel module is loaded at boot:<br />
<br />
 echo thinkpad_acpi | sudo tee /etc/modules-load.d/thinkpad.conf<br />
<br />
({{ic|sudo echo ... > file}} does not work here: the redirection is performed by your unprivileged shell, not by the command running under sudo, so the write to {{ic|/etc/modules-load.d}} is denied.) Once the module is loaded you can check the fan speed and other sensors under {{ic|/proc/acpi/ibm/}}, for example:<br />
<br />
 cat /proc/acpi/ibm/fan<br />
<br />
== Battery Usage for T530 ==<br />
<br />
As a barometer, my Arch system uses about 6.9 watts (as per powertop) at idle with minimum screen brightness and wifi connected. My Fedora install uses about 10 watts idle, and my Windows 7 install uses about 8 watts idle according to Lenovo Power Manager. Tips to extend battery life:<br />
<br />
* Install {{pkg|powertop}} and run it as root. Pay special attention to any applications (as opposed to system processes) which cause CPU wakeups. I have had a clipboard manager use 0.5 watts on its own, so look closely at any apps or services you use. Also pay attention to Bluetooth and network devices so you can disable the ones you are not using.<br />
<br />
* Use Integrated Graphics mode under Display in the BIOS setup. Even with NVIDIA Optimus selected, no applications launched with {{ic|optirun}}, and the card reported OFF by<br />
<br />
 cat /proc/acpi/bbswitch<br />
<br />
powertop still consistently reports 0.3 watts more idle usage than with Integrated Graphics mode set in the BIOS. If you run Optimus, use<br />
<br />
 cat /proc/acpi/bbswitch<br />
<br />
to check the power status of the NVIDIA card, and (as root) use<br />
<br />
 echo OFF > /proc/acpi/bbswitch<br />
<br />
to disable it. Power consumption is noticeably lower than with the discrete card enabled, but still higher than with the Intel card alone. Note: you may have to unload the nvidia module first, with {{ic|rmmod nvidia}} as root, before bbswitch will turn the card off.<br />
<br />
* [[Laptop Mode Tools]]: install and enable it as described on the wiki. Nearly all options work fine on the T530. For some reason, the Ethernet device ({{ic|enp0s25}}) uses upwards of a watt on my system. Laptop-mode-tools does not seem to disable it by default, even with {{ic|/etc/laptop-mode/conf.d/ethernet.conf}} properly labeled with my Ethernet device. If powertop reports such usage, edit {{ic|/etc/laptop-mode/conf.d/exec-commands.conf}} and change:<br />
<br />
 BATT_EXEC_COMMAND_0=""<br />
 LM_AC_EXEC_COMMAND_0=""<br />
 NOLM_AC_EXEC_COMMAND_0=""<br />
<br />
to<br />
<br />
 BATT_EXEC_COMMAND_0="ip link set enp0s25 down"<br />
 LM_AC_EXEC_COMMAND_0="ip link set enp0s25 up"<br />
 NOLM_AC_EXEC_COMMAND_0="ip link set enp0s25 up"<br />
<br />
replacing {{ic|enp0s25}} with your own interface name. These commands are executed as root by laptop-mode-tools on every power-state change, so keep the file owned by root and writable only by root.<br />
<br />
* profile-sync-daemon (available in the AUR). When using a web browser on battery, write operations for the cache and so on wake up the hard drive. profile-sync-daemon keeps the browser profile in RAM (tmpfs), so all writes go there, and syncs it back to disk every hour (configurable). This also reduces wear on the hard drive, makes the browser feel faster, and reduces write cycles for SSD users. The trade-off is that anything changed since the last sync (history, cookies, session state) is lost on a crash or power failure.<br />
<br />
* Use {{ic|noatime}} in {{ic|/etc/fstab}} if access times are not important to you. This is another way to reduce write cycles, and thereby disk wakeups (the kernel default, {{ic|relatime}}, already avoids most atime updates, so the gain is modest).<br />
<br />
* Do not use any compositing at all. I tried using compton for panel transparency and this consistently increased idle power consumption by 4-4.5 watts using just the Intel card. powertop will inform you of GPU operations as well.<br />
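As an added example (not the author's code and not part of bbswitch), the bbswitch steps from the Integrated Graphics item above collected into a POSIX shell script that does the checks those steps leave to the reader: it refuses to proceed if bbswitch is not loaded, unloads {{ic|nvidia}} only when the module is actually loaded, and verifies that the card reports OFF afterwards instead of assuming the write succeeded. It must run as root against the real {{ic|/proc}} files; the {{ic|BBSWITCH}} and {{ic|MODULES}} variables, which let it be pointed at test files, are an assumption of this example.<br />
<br />
```shell
#!/bin/sh
# nvidia-off: power down the discrete NVIDIA card through bbswitch, with the
# checks the manual steps leave to the reader. Added example for this wiki
# page, not the author's or bbswitch's own code. Run as root on a real system.
# BBSWITCH and MODULES default to the real /proc files; overriding them with
# test files is an assumption of this example, used to exercise it offline.
BBSWITCH="${BBSWITCH:-/proc/acpi/bbswitch}"
MODULES="${MODULES:-/proc/modules}"

# bbswitch_state: print ON or OFF, the last field of the bbswitch line
# (e.g. "0000:01:00.0 OFF"). Returns 1 if bbswitch is not loaded.
bbswitch_state() {
    if [ ! -r "$BBSWITCH" ]; then
        echo "nvidia-off: $BBSWITCH not found; is the bbswitch module loaded?" >&2
        return 1
    fi
    awk '{ print $NF }' "$BBSWITCH"
}

# nvidia_module_loaded: succeed if the proprietary nvidia module is loaded.
# /proc/modules lists one module per line, name first.
nvidia_module_loaded() {
    [ -r "$MODULES" ] && grep -q '^nvidia ' "$MODULES"
}

# nvidia_off: unload nvidia if needed, switch the card off, verify the result.
# Returns 0 only when the card reports OFF afterwards.
nvidia_off() {
    state=$(bbswitch_state) || return 1
    if [ "$state" = "OFF" ]; then
        echo "discrete card already OFF"
        return 0
    fi
    # bbswitch cannot power off a card whose driver is still bound to it.
    if nvidia_module_loaded; then
        if ! rmmod nvidia; then
            echo "nvidia-off: rmmod nvidia failed; is something (e.g. optirun) still using the card?" >&2
            return 1
        fi
    fi
    echo OFF > "$BBSWITCH" || return 1
    state=$(bbswitch_state) || return 1
    if [ "$state" != "OFF" ]; then
        echo "nvidia-off: card still $state after writing OFF" >&2
        return 1
    fi
    echo "discrete card OFF"
}

# Only act when run as the script; do nothing when sourced (e.g. for tests).
case "$0" in
    *nvidia-off) nvidia_off ;;
esac
```
<br />
Run it as root (for example {{ic|# ./nvidia-off}}) after leaving any {{ic|optirun}} session; a non-zero exit status means the card is still ON and the message on stderr says which step refused.<br />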
<br />
<br />
== See also ==<br />
<br />
* [https://www.lenovo.com/products/us/tech-specs/laptop/thinkpad/t-series/t530/ Technical specifications]</div>GSF1200S