https://wiki.archlinux.org/api.php?action=feedcontributions&user=Jasper1984&feedformat=atomArchWiki - User contributions [en]2024-03-29T08:47:28ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Talk:Port_knocking&diff=517901Talk:Port knocking2018-04-18T21:34:25Z<p>Jasper1984: ask about underscore being wrong.. maybe i should just edit.</p>
<hr />
<div>== Underscore in {{ic|host_timeout}} is wrong? ==<br />
<br />
Underscore in {{ic|--host_timeout}} should just be a {{ic|-}}, as far as I can see? Don't see how it could be different, but also, here it is..<br />
<br />
Mention {{ic|host}} and {{ic|port}} are parameters? Maybe that is just me being stupid.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 21:34, 18 April 2018 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:NTFS-3G&diff=508008Talk:NTFS-3G2018-01-20T14:46:37Z<p>Jasper1984: /* NTFS full(?) permissions */ new section</p>
<hr />
<div>== [[NTFS-3G#Allowing_user_to_mount]] ==<br />
I added instructions to add users to the {{ic|disk}} group when using {{AUR|ntfs-3g-fuse}}. This was necessary to get access to usb sticks, in general access to block devices {{ic|/dev/sd[a-z][1-9]}}, as those are in the disk groups. <br />
<br />
Is this good practice, or is there another way to achieve this? <br />
<br />
I ask, because [[Users and groups#Pre-systemd groups]] lists {{ic|disk}} as a group that usually doesn't require users to be added to manually because {{ic|systemd}} takes care of it.<br />
<br />
{{unsigned|08:53, 28 May 2017|David the goliath}}<br />
<br />
:No, it's not a good practice (and never has been) to add normal users to the {{ic|disk}} group. If you do this, they have full access to anything stored on any of your disks, including files normally accessible only by root. If you want normal users to be able to mount removable devices, use [[udisks]] or some [[Udisks#Mount_helpers|helper]] - these are safe tools that run with root privileges, either as daemons or with suid. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 12:12, 28 May 2017 (UTC)<br />
<br />
: [[User:Lahwaacz|Lahwaacz]]: Could you please provide some reliable source of information about what are the best practices to allow normal user to be able to mount removable devices? I'm really interested on this, but I'm unable to understand Polkit/Udisks stuff. Excuse me for my lack of intelligence and use Archlinux instead something like Linux Mint or Ubuntu (I don't like them, I'm a difficult person) :( [[User:Timofonic|Timofonic]] ([[User talk:Timofonic|talk]]) 14:51, 21 July 2017 (UTC)<br />
<br />
::Have you read the [[udisks]] article? [[udisks#Mount helpers]] looks like it will do what you want. What specific step is tripping you up? Try it out and post any issues you have on the forum, the wiki talk pages are mainly for discussing issues with wiki content. [[User:Silverhammermba|Silverhammermba]] ([[User talk:Silverhammermba|talk]]) 21:52, 21 July 2017 (UTC)<br />
<br />
== [[NTFS-3G#Resizing_NTFS_partition]] ==<br />
<br />
I had really bad experiences resizing partitions under gparted, it broke a Windows 10 system and had to reinstall it. I needed to resize partitions again and was finding desperately a trustworthy tool. <br />
<br />
After reading tons of reviews, I found Easeus Partition Master. Despite the process was quite slow, it got done perfectly. <br />
<br />
I did read about Paragon utilities, but I don't trust them because what happened with PTS-DOS (Paragon was founded in Germany by former developers of the PhysTechSoft Russian company, they copied the source code without permission and developed their own fork) plus other bad stuff people say about their products.<br />
<br />
Anyone had experienced with resizing partitions of Windows 10 or other versions can tell about the reliability of using GParted? I'm not sure, maybe parted/GParted got patched these days. [[User:Timofonic|Timofonic]] ([[User talk:Timofonic|talk]]) 14:51, 21 July 2017 (UTC)<br />
<br />
== NTFS full(?) permissions ==<br />
<br />
The [https://wiki.archlinux.org/index.php/NTFS-3G#Linux_compatible_permissions Linux compatible permissions] section doesn't mention that the permissions are static; {{ic|chmod}} does not actually work on it.<br />
<br />
According to [https://askubuntu.com/questions/11840/how-do-i-use-chmod-on-an-ntfs-or-fat32-partition#11843 JanC(/edited by pizzapants184) on askubuntu], the {{ic|permissions}} option can add more.. This might be needed to put (parts) of installations on the harddisk..(like [[systemd-nspawn]] stuff or are some of the directories in the linux tree data-heavy,access-infrequent?) That said "defaulty" any windows using that partition might be a security risk. (ugh my security sucks already, really) [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:46, 20 January 2018 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Firejail&diff=500297Talk:Firejail2017-12-02T01:11:24Z<p>Jasper1984: /* Some of these workarounds need to be in the sandbox' directories? */ new section</p>
<hr />
<div>==What does "depending on your setup" mean?==<br />
You are completely correct, I don't know what I was thinking of. I like to test everything, and, at the time of editing, I knew the example worked with '--profile=/etc/firejail/thunar.profile'. Yet, when I tried the example with '--profile=/etc/firejail/Thunar.profile', it failed. Hence the note. Now that you have brought it to my attention, I checked again, and both worked. Go figure! .... The basic example is sound though(?) [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 15:12, 22 October 2017 (UTC)<br />
<br />
: I've removed the note, should I remove the example? [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 16:35, 22 October 2017 (UTC)<br />
:: I have removed the Accurate flag. Which example? Could you be more specific? --[[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 23:31, 22 October 2017 (UTC)<br />
::: The example to launch 'Thunar Bulk Rename' inside a sandbox. [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 00:35, 23 October 2017 (UTC)<br />
:::: If you have time, I think the whole "Desktop files" section should be merged to Configuration. The example could be removed because it is already explained in Configuration. --[[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 05:29, 23 October 2017 (UTC)<br />
::::: I've removed the example. Are you sure that "Configuration" is the best place for the "Desktop files" section? While "Configuration" might benefit from a minor re-write to bring it more in line with the updated page, "Desktop files" seems a more natural fit inside "Using Firejail by default"? [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 14:13, 25 October 2017 (UTC)<br />
:::::: Sorry, it should be "Using Firejail by default". I wrongly thought this section belongs to Configuration. --[[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 02:54, 26 October 2017 (UTC)<br />
<br />
==Questionable statements, e.g. how does "updatedb"....==<br />
Again, I can only agree. The entry was there before I tried to update the Firejail page to cover recent developments and rationalize the page layout. When I was trying to figure out why 'Thunar' was not being sandboxed, suggestions like 'updatedb' just produced errors. On the other hand, the specific problem with 'Thunar' is fairly common. See https://github.com/netblue30/firejail/issues/1311 [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 15:15, 22 October 2017 (UTC)<br />
<br />
: I have tried to clean up the entry to make it more acceptable. Could you let me know if it's okay. [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 14:03, 25 October 2017 (UTC)<br />
<br />
::Thanks. I have a question about "Some applications, notably Thunar, run with only one instance. As a result, the profile will not be loaded until the next login". According to the linked report, a new symbolic link needs to be created from firejail to {{ic|/usr/local/bin/Thunar}}, and then a new login should occur. That seems something different to me or at least some part of the information is left out. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 15:19, 25 October 2017 (UTC)<br />
:: Since it was in the section about troubleshooting symlinks, I didn't think it needed to be explicitly stated. However I edited the entry to reflect your concerns. [[User:IrvineHimself|IrvineHimself]] ([[User talk:IrvineHimself|talk]]) 16:50, 25 October 2017 (UTC)<br />
<br />
== Some of these workarounds need to be in the sandbox' directories? ==<br />
<br />
If yes? Which? My edit of this being the case for the pulseaudio thing ''might'' be incorrect.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 01:11, 2 December 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Firejail&diff=500296Firejail2017-12-02T00:56:20Z<p>Jasper1984: Pretty sure my issues went away, and that this was my problem with the fix.</p>
<hr />
<div>[[Category:Security]]<br />
[[ja:Firejail]]<br />
{{Related articles start}}<br />
{{Related|Security}}<br />
{{Related articles end}}<br />
[https://firejail.wordpress.com/ Firejail] is an easy to use SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities.<br />
<br />
== Installation ==<br />
<br />
[[Install]] either {{Pkg|firejail}}, {{aur|firejail-git}} or the {{aur|firejail-apparmor}} package. A GUI application for use with Firejail is also available, {{aur|firetools}}.<br />
<br />
{{Note|The User-namespace ({{ic|1=CONFIG_USER_NS=Y}}) is not set in the [[kernel]] configuration. Impact on Firejail users is [https://github.com/netblue30/firejail/issues/1347 deemed negligible]. See {{Bug|36969}} for details why this namespace is disabled by default. User-namespaces are [[Security#Sandboxing_applications|enabled]] by default in {{pkg|linux-hardened}} package.}}<br />
{{Warning|While upstream is gradually adopting whitelists (cf. {{ic|/etc/firejail/firefox.profile}}), most of the supplied profiles still rely heavily on blacklists. This means that anything not explicitly forbidden by the profile will be accessible to the application. For example, if you have btrfs snapshots available in {{ic|/mnt/btrfs}}, a jailed program may be forbidden from accessing {{ic|$HOME/.ssh}}, but would still be able to access {{ic|/mnt/btrfs/@some-snapshot/$HOME/.ssh}}. Make sure to audit your profiles; see [[#Testing profiles]].}}<br />
<br />
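The gap described in the warning above can be checked mechanically before relying on a blacklist-style profile. The following Python script is an added example, not part of Firejail or of the original article: it reads {{ic|blacklist}} lines, mirrors each path under a list of alternative roots (snapshot or backup mount points) and reports the copies that exist but are not covered by any blacklist entry. The sample profile, the user {{ic|alice}}, the mount points and the function names are constructed assumptions, and entries are treated as literal paths (no globbing).

```python
import os
from pathlib import PurePosixPath

# Constructed sample profile (not a packaged Firejail profile).
SAMPLE_PROFILE = """\
# constructed blacklist-style profile
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg
blacklist /mnt/backup
noblacklist ${HOME}/.config/app
"""

# Constructed stand-in for the filesystem so the demo runs offline.
CONSTRUCTED_FS = {
    "/mnt/btrfs/@some-snapshot/home/alice/.ssh",
    "/mnt/backup/daily/home/alice/.ssh",
    "/mnt/backup/daily/home/alice/.gnupg",
}


def expand(target, home):
    """Expand the ${HOME} and ~ prefixes used in profile paths."""
    if target.startswith("${HOME}"):
        target = home + target[len("${HOME}"):]
    elif target == "~" or target.startswith("~/"):
        target = home + target[1:]
    return PurePosixPath(target)


def blacklisted_paths(profile_text, home):
    """Return the absolute paths named by 'blacklist' lines."""
    paths = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if line.startswith("blacklist "):
            path = expand(line[len("blacklist "):].strip(), home)
            if path.is_absolute():
                paths.append(path)
    return paths


def is_covered(path, blacklist):
    """True if path is a blacklist entry or lies below one."""
    return any(path == entry or entry in path.parents for entry in blacklist)


def uncovered_copies(profile_text, home, alt_roots, exists=os.path.lexists):
    """List existing mirrors of blacklisted paths that no entry covers."""
    blacklist = blacklisted_paths(profile_text, home)
    findings = []
    for root in alt_roots:
        for entry in blacklist:
            copy = PurePosixPath(root) / entry.relative_to("/")
            if exists(str(copy)) and not is_covered(copy, blacklist):
                findings.append(str(copy))
    return findings


def suggested_rules(findings):
    """Profile lines that would close each reported gap."""
    return [f"blacklist {path}" for path in findings]


def demo():
    roots = ["/mnt/btrfs/@some-snapshot", "/mnt/backup/daily"]
    return uncovered_copies(SAMPLE_PROFILE, "/home/alice", roots,
                            exists=CONSTRUCTED_FS.__contains__)


if __name__ == "__main__":
    for line in suggested_rules(demo()):
        print(line)
```

On a real system, call {{ic|uncovered_copies}} with the profile text, your home directory and your actual snapshot mount points, leaving {{ic|exists}} at its default.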
== Configuration ==<br />
<br />
Most users will not require any custom configuration and can proceed to [[#Usage]].<br />
<br />
Firejail uses profiles to set the security protections for each of the applications executed inside of it - you can find the default profiles in {{ic|/etc/firejail/''application''.profile}}. Should you require custom profiles for applications not included, or wish to modify the defaults, you may place new rules or copies of the defaults in the {{ic|~/.config/firejail/}} directory. You may have multiple custom profile files for a single application, and you may share the same profile file among several applications.<br />
<br />
If firejail does not have a profile for a particular application, it uses its restrictive system-wide default profile. As a result, the application may not function as desired until you create a custom, less restrictive profile.<br />
<br />
Refer to {{man|5|firejail-profile}}.<br />
<br />
== Usage ==<br />
<br />
To execute an application using firejail's default protections for that application (the default profile), execute the following:<br />
<br />
$ firejail <program name><br />
<br />
One-time additions to the default profile can be added as command line options (see the man page). For example, to execute ''okular'' with seccomp protection, execute the following:<br />
<br />
$ firejail --seccomp okular<br />
<br />
You may define multiple non-default profiles for a single program. Once you create your profile file, you can use it by executing:<br />
<br />
$ firejail --profile=/absolute/path/to/profile <program name><br />
<br />
=== Using Firejail by default ===<br />
<br />
To use Firejail by default for all applications for which it has profiles, run the ''firecfg'' tool as root.<br />
<br />
# firecfg<br />
<br />
This creates symbolic links in {{ic|/usr/local/bin}} pointing to {{ic|/usr/bin/firejail}}, for all programs for which firejail has default profiles. Once this is done, you only need to prefix a program with ''firejail'' if you want to run it with some custom security setting.<br />
<br />
You can manually do this for individual applications by executing:<br />
<br />
# ln -s /usr/bin/firejail /usr/local/bin/<program name><br />
<br />
{{Note|1=<nowiki></nowiki><br />
* For a daemon, you will need to overwrite the systemd unit file for that daemon to call firejail, see [[systemd#Editing provided units]].<br />
* {{ic|firecfg}} does not work with some CLI programs such as {{ic|tar}}, {{ic|curl}}, {{ic|wget}}, {{ic|git}} and {{ic|ssh}}, which need to be symlinked manually.<br />
* Symbolic links to {{ic|gzip}} and {{ic|xz}} interfere with {{ic|makepkg}}'s ability to preload {{ic|libfakeroot.so}}. See [https://bbs.archlinux.org/viewtopic.php?id=230913 BBS#230913].}}<br />
<br />
{{Warning|Upstream provides profiles for {{ic|gpg}} and {{ic|gpg-agent}}. If gpg is symlinked with the supplied profile, pacman will be unable to update {{pkg|archlinux-keyring}}.}}<br />
<br />
=== Verifying Firejail is being used ===<br />
<br />
$ firejail --list<br />
<br />
== Creating custom profiles ==<br />
<br />
=== Whitelists and Blacklists ===<br />
<br />
Blacklists are permissive:<br />
<br />
* Permit everything not explicitly forbidden: {{ic|blacklist <location/file>}}<br />
* Permit file or location in any later blacklist: {{ic|noblacklist <location/file>}} <br />
<br />
Whitelists are restrictive: <br />
<br />
* Forbid everything not explicitly permitted: {{ic|whitelist <location/file>}}<br />
* Forbid file or location in any later whitelist: {{ic|nowhitelist <location/file>}}<br />
<br />
=== Profile writing ===<br />
<br />
The basic process is:<br />
<br />
# Copy the default profile (which uses blacklists) to your work folder and give it a unique name.<br />
# Change the line {{ic|include /etc/firejail/default.local}} to {{ic|include /etc/firejail/ProfileName.local}}<br />
# Gradually comment/uncomment the various options while checking at each stage that the application runs inside the new sandbox<br />
# Desirable options not available in the copied default profile can be found by consulting the manual<br />
# [https://firejail.wordpress.com/documentation-2/building-whitelisted-profiles/ Build a whitelist] of permitted locations. For portability, it may be advisable to place at least some of this list in a {{ic|.local}} file<br />
# Test the profile for security holes, see [[#Testing profiles]]<br />
# Once satisfied, copy your new profile to either {{ic|/etc/firejail/}} or {{ic|~/.config/firejail/}}<br />
<br />
You may find the following to be useful:<br />
<br />
# {{ic|firejail --debug $OtherOptions $PathToProfile $Program > $PathToOutputFile}} Gives a detailed breakdown of the sandbox<br />
# {{ic|firejail --debug-caps}} gives a list of caps supported by the current Firejail software build. This is useful when building a [https://l3net.wordpress.com/2015/03/16/firejail-linux-capabilities-guide/ caps whitelist].<br />
# {{ic|firejail --help}} for a full list of {{ic|--debug}} options<br />
# {{ic|firemon PID}} monitors the running process. See {{ic|firemon --help}} for details<br />
# {{Pkg|checksec}} may also be useful in testing which standard security features are being used<br />
<br />
{{Note|<nowiki></nowiki><br />
* The idea is to be as restrictive as possible, while still maintaining usability. This may involve sacrificing potentially dangerous functionality and a change in cavalier work habits.<br />
* By default, seccomp filters work on a blacklist (which can be found in the manual). It is possible to use {{ic|seccomp.keep}} to build a custom whitelist of filters for an application. [https://firejail.wordpress.com/documentation-2/seccomp-guide/].<br />
* The list of possible options for a firejail profile is extensive, and users should consult the firejail-profile(5) man page.<br />
}}<br />
<br />
==== Persistent local customisation ====<br />
<br />
The standard profile layout now includes the capability to make persistent local customisations through the inclusion of {{ic|.local}} files. Basically, each officially supported profile contains the lines {{ic|include /etc/firejail/ProgramName.local}} and {{ic|include /etc/firejail/globals.local}}. Since the order of precedence is determined by which is read first, this makes for a very powerful way of making local customisations.<br />
For example, with reference to [https://github.com/netblue30/firejail/issues/1510#issuecomment-326443650 this firejail question], to globally enable Apparmor and disable Internet connectivity, one could simply create/edit {{ic|/etc/firejail/globals.local}} to include the lines<br />
<br />
# enable Apparmor and disable Internet globally<br />
net none<br />
apparmor<br />
<br />
Then, to allow, for example, "curl" to connect to the internet, yet still maintain its apparmor confinement, one would create/edit {{ic|/etc/firejail/curl.local}} to include the lines:<br />
<br />
# enable internet for curl<br />
ignore net<br />
<br />
Since {{ic|curl.local}} is read before {{ic|globals.local}}, {{ic|ignore net}} overrides {{ic|net none}}, and, as a bonus, the above changes would be persistent across future updates.<br />
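
The read-order behaviour described above can be traced with a small model. The following Python script is an added example, not Firejail's own code: it resolves {{ic|include}} and {{ic|ignore}} lines over constructed in-memory files and shows that {{ic|ignore net}} only takes effect when {{ic|curl.local}} is read before {{ic|globals.local}}. It assumes that directives apply in read order, that {{ic|ignore X}} suppresses later lines whose leading words are {{ic|X}}, and that a missing {{ic|.local}} file is skipped; the profile contents and function names are hypothetical.

```python
"""Simplified model of firejail profile resolution (include + ignore)."""

PROFILE_DIR = "/etc/firejail"

# Constructed sample files keyed by path; nothing is read from disk.
SAMPLE_FILES = {
    f"{PROFILE_DIR}/curl.profile": [
        "# constructed stand-in, not the packaged curl.profile",
        f"include {PROFILE_DIR}/curl.local",
        f"include {PROFILE_DIR}/globals.local",
        "caps.drop all",
        "seccomp",
    ],
    f"{PROFILE_DIR}/okular.profile": [
        f"include {PROFILE_DIR}/okular.local",  # absent: no local override
        f"include {PROFILE_DIR}/globals.local",
        "seccomp",
    ],
    f"{PROFILE_DIR}/curl.local": ["# enable internet for curl", "ignore net"],
    f"{PROFILE_DIR}/globals.local": [
        "# enable Apparmor and disable Internet globally",
        "net none",
        "apparmor",
    ],
}


def _matches(line, prefix):
    """Assumed rule: 'ignore X' hits lines whose leading words are X."""
    return line == prefix or line.startswith(prefix + " ")


def resolve(path, files, state=None):
    """Walk a profile in read order and record what survives."""
    if state is None:
        state = {"ignored": [], "effective": [], "suppressed": [], "stack": []}
    if path in state["stack"]:
        raise ValueError("include loop: " + " -> ".join(state["stack"] + [path]))
    lines = files.get(path)
    if lines is None:  # assumption: a missing include is skipped
        return state
    state["stack"].append(path)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(_matches(line, p) for p in state["ignored"]):
            state["suppressed"].append((line, path))
            continue
        keyword, _, arg = line.partition(" ")
        if keyword == "include":
            resolve(arg.strip(), files, state)
        elif keyword == "ignore":
            state["ignored"].append(arg.strip())
        else:
            state["effective"].append((line, path))
    state["stack"].pop()
    return state


def effective_directives(profile, files=SAMPLE_FILES):
    """Directives that remain active after includes and ignores."""
    return [line for line, _ in resolve(profile, files)["effective"]]


def swapped_include_order(files=SAMPLE_FILES):
    """Same files, but globals.local is read before curl.local."""
    changed = dict(files)
    key = f"{PROFILE_DIR}/curl.profile"
    changed[key] = [
        f"include {PROFILE_DIR}/globals.local",
        f"include {PROFILE_DIR}/curl.local",
        "caps.drop all",
        "seccomp",
    ]
    return effective_directives(key, changed)


if __name__ == "__main__":
    for name in ("curl", "okular"):
        print(name, effective_directives(f"{PROFILE_DIR}/{name}.profile"))
    print("curl, swapped order", swapped_include_order())
```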
<br />
=== Testing profiles ===<br />
<br />
Firejail's built-in audit feature allows the user to find gaps in a security profile by replacing the program to be sandboxed with a test program. By default, firejail uses the {{ic|faudit}} program distributed with Firejail. (Note: A custom test program supplied by the user can also be used.) <br />
Examples:<br />
<br />
# Run the default audit program: {{ic|$ firejail --audit transmission-gtk}}<br />
# Run a custom audit program: {{ic|1=$ firejail --audit=~/sandbox-test transmission-gtk}} <br />
<br />
In the examples above, the sandbox configures the transmission-gtk profile and starts the test program. The real program, transmission-gtk, will not be started.<br />
<br />
{{Note|The audit feature is not implemented for --x11 commands.}}<br />
<br />
== Firejail with Apparmor ==<br />
<br />
Since 0.942, {{aur|firejail-apparmor}} has supported more direct integration with Apparmor through a generic apparmor profile. During installation, the profile, {{ic|firejail-default}}, is placed in the {{ic|/etc/apparmor.d}} directory and needs to be loaded into the kernel by running the following command as root:<br />
<br />
# aa-enforce firejail-default<br />
<br />
To quote the manual: <br />
<br />
:''The installed profile tries to replicate some advanced security features inspired by kernel-based Grsecurity:''<br />
<br />
::''- Prevent information leakage in /proc and /sys directories. The resulting filesystem is barely enough for running commands such as "top" and "ps aux".''<br />
<br />
::''- Allow running programs only from well-known system paths, such as /bin, /sbin, /usr/bin etc. Running programs and scripts from user home or other directories writable by the user is not allowed.''<br />
<br />
::''- Disable D-Bus. D-Bus has long been a huge security hole, and most programs don't use it anyway. You should have no problems running Chromium or Firefox.''<br />
<br />
With the release of 0.9.50, local customisations of the apparmor profile are supported by editing the file {{ic|/etc/apparmor.d/local/firejail-local}}.<br />
<br />
=== Apparmor usage ===<br />
There are a number of ways to enable Apparmor confinement on top of a Firejail security profile:<br />
<br />
* Pass the {{ic|--apparmor}} flag to Firejail in the command line, eg {{ic|firejail --apparmor firefox}}<br />
* Use a custom profile.<br />
* Enable Apparmor globally in {{ic|/etc/firejail/globals.local}} and disable as needed through the use of {{ic|ignore apparmor}} in {{ic|/etc/firejail/<ProgramName>.local}}.<br />
<br />
== Troubleshooting ==<br />
<br />
Some applications do not work properly with Firejail, and others simply require special configuration. If a profile disallows or blacklists directories that an application needs, you may have to edit the profile further to allow access to those nonstandard directories. One example is wine; wine will not work with seccomp in most cases.<br />
<br />
Other configurations exist; it is suggested you check out the man page for firejail to see them all, as firejail is in rapid development.<br />
<br />
=== Desktop files ===<br />
<br />
Some GUI application launchers ({{ic|.desktop}} files) are coded using absolute paths to an executable, which circumvents firejail's symlink method of ensuring that it is being used. The ''firecfg'' tool includes an option to over-ride this on a per-user basis by copying the {{ic|.desktop}} files from {{ic|/usr/share/applications/*.desktop}} to {{ic|~/.local/share/applications/}} and replacing the absolute paths with simple file names.<br />
<br />
$ firecfg --fix<br />
<br />
There may be cases for which you need to manually modify the EXEC line of the {{ic|.desktop}} file in {{ic|~/.local/share/applications/}} to explicitly call Firejail. <br />
<br />
=== Symbolic links ===<br />
{{Accuracy|Questionable statements, e.g. how does "updatedb" which is only relevant to "locate" matter, otherwise vague or trivial}}<br />
# If used, any location database or hash table will need to be updated/reset.<br />
# Some applications, notably ''Thunar'', run with only one instance. As a result, after symlinking firejail to the application, the profile may not be loaded until the next login.[https://github.com/netblue30/firejail/issues/1311]<br />
<br />
=== PulseAudio ===<br />
<br />
If Firejail causes PulseAudio to misbehave, this is a [https://firejail.wordpress.com/support/known-problems/ known issue]. A temporary workaround (note: it appears this workaround should be applied to the relevant file ''in'' the sandbox if {{ic|--private}} is used):<br />
<br />
cp /etc/pulse/client.conf ~/.config/pulse/<br />
echo "enable-shm = no" >> ~/.config/pulse/client.conf<br />
<br />
=== Hidepid ===<br />
<br />
If you have hidepid installed, Firemon can only be run as root. This, among other things, will cause problems with the Firetools GUI incorrectly reporting "Capabilities", "Protocols" and the status of "Seccomp". See [https://github.com/netblue30/firejail/issues/1564]<br />
<br />
==Tips and tricks==<br />
<br />
=== Paths containing spaces ===<br />
<br />
If you need to reference, whitelist, or blacklist a directory within a custom profile, such as with {{aur|palemoon}}, you must do so using the absolute path, without encapsulation or escapes:<br />
/home/user/.moonchild productions<br />
<br />
===Private mode===<br />
<br />
Firejail also includes a one-time private mode, in which no mounts are made in the chroots to your home directory. In doing this, you can execute applications without performing any changes to disk. For example, to execute okular in private mode, do the following:<br />
<br />
$ firejail --seccomp --private okular<br />
<br />
==See also==<br />
* [https://github.com/netblue30/firejail Firejail GitHub project page]<br />
* [[bubblewrap]], a minimal alternative to Firejail</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Partitioning&diff=465339Talk:Partitioning2017-01-14T00:36:58Z<p>Jasper1984: for value of "it"...</p>
<hr />
<div>== Partition Alignment Verification ==<br />
<br />
''[moved from [[Talk:Solid State Drives#Partition Alignment Verification]] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:13, 10 July 2014 (UTC)]''<br />
<br />
On my system 'blockdev --getalignoff /dev/sda5' returns zero, even though the partition seems not to be aligned optimally:<br />
Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: dos<br />
Disk identifier: 0xd9a92553<br />
<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 * 2048 1026047 512000 7 HPFS/NTFS/exFAT<br />
/dev/sda2 1026048 479475711 239224832 7 HPFS/NTFS/exFAT<br />
/dev/sda3 946051072 976771071 15360000 7 HPFS/NTFS/exFAT<br />
/dev/sda4 479475712 946051071 233287680 5 Extended<br />
/dev/sda5 479475775 518545791 19535008+ 83 Linux<br />
/dev/sda6 518545855 541984626 11719386 83 Linux<br />
/dev/sda7 541984690 557615871 7815591 82 Linux swap / Solaris<br />
/dev/sda8 557615935 946051071 194217568+ 83 Linux<br />
<br />
The command 'parted /dev/sda align-check optimal' gives the right message in my opinion: 'not aligned'. Should we replace blockdev command?<br />
<br />
[[User:Plk|Plk]] ([[User talk:Plk|talk]]) 18:31, 31 May 2014 (UTC)<br />
<br />
:It seems you're right. After reading the warning about cfdisk alignment ("Warning: The first partition created by cfdisk starts at sector 63, instead of the usual 2048. This can lead to reduced performance on SSD and advanced format (4k sector) drives. It will cause problems with GRUB2, but GRUB legacy and Syslinux should work fine."), I created the first partition of the SSD I was working on with cfdisk - thus creating a bad alignment (I checked with ''fdisk -l /dev/sda'', the first partition effectively starts at sector 63 and not 2048).<br />
:The ''blockdev --getalignoff /dev/sda1'' command returned zero (it shouldn't have) while your command ''parted /dev/sda align-check optimal'' returned 'not aligned', as expected.<br />
:It seems to be a bug of blockdev in ArchLinux, as of util-linux v.2.24.<br />
:I upgraded to util-linux v.2.25-3, and the problem is still present in blockdev. However, cfdisk has been entirely rewritten for util-linux 2.25 as described in this [http://karelzak.blogspot.fr/2014/06/new-cfdisk-util-linux-v225.html blog post] and now correctly starts the first partition at sector 2048 when creating it.<br />
<br />
<br />
:So should we edit the wiki page for recommending upgrade to util-linux 2.25 in order to use cfdisk with correct partition alignment? As util-linux integrates multiple essential softwares, I don't know if upgrading it will or not break something with the other utilities it includes.<br />
:In any case, I think we should disrecommend using blockdev to check partition alignment, and recommend using parted instead for the time being. Can anyone else confirm this bug, especially on other distributions? We need to know if the problem is inherent to Arch's implementation of blockdev or to blockdev itself.<br />
<br />
:--[[User:Irrodeus|Irrodeus]] ([[User talk:Irrodeus|talk]]) 01:56, 6 September 2014 (UTC)<br />
<br />
== Restructuring ==<br />
<br />
=== Example tables ===<br />
<br />
[https://wiki.archlinux.org/index.php?title=Partitioning&diff=440209&oldid=438934] moved tables from the [[Beginners' guide]] to [[Partitioning#Partition_scheme]], however it didn't fit in too well so I've removed it for now.<br />
<br />
However, I think the basic idea is a sound one, but perhaps more expansive. We could include suggested [[File systems]], as well as more complex examples such as {{ic|/var}} and GRUB Boot partitions.<br />
<br />
See the updated tables from the BG below for reference. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 00:20, 10 July 2016 (UTC)<br />
<br />
=== Table draft ===<br />
<br />
{| class="wikitable"<br />
!colspan="5" | UEFI/GPT example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:GUID_Partition_Table#Partition_type_GUIDs|Partition type (GUID)]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| /boot<br />
| /dev/sd'''x'''1<br />
| [[EFI System Partition]]<br />
| Yes<br />
| 260–512 MiB<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''2<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''3<br />
| Linux<br />
| No<br />
| Remainder of the device<br />
|-<br />
!colspan="5" | MBR/BIOS example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:Partition type|Partition type]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''1<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''2<br />
| Linux<br />
| Yes<br />
| Remainder of the device<br />
|}<br />
<br />
:I added these tables to the page. I also added one using a separate {{ic|/home}} since I imagine that is the most common scenario. I think 3 examples could be enough, but I am open to more. -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 18:53, 11 October 2016 (UTC)<br />
<br />
::Nice work. One thing I was considering is to have multiple small tables under the various partition sections (like /home), instead of a single large one. Thoughts? -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:56, 13 October 2016 (UTC)<br />
::edit: I noticed you already split the tables; that leaves whether it makes sense to have them under sections like [[Partitioning#.2Fhome]] rather than [[Partitioning#Example layouts]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:01, 13 October 2016 (UTC)<br />
<br />
:::All examples include the {{ic|/}} partition and swap. Avoiding duplication and forward references is probably one of the reasons why people invented [[w:appendix|appendix]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:15, 13 October 2016 (UTC)<br />
<br />
== Alignment ==<br />
<br />
Regarding [https://wiki.archlinux.org/index.php?title=Partitioning&diff=next&oldid=453737], [https://wiki.archlinux.org/index.php?title=Fdisk&diff=next&oldid=453499] and [https://wiki.archlinux.org/index.php?title=GNU_Parted&diff=next&oldid=453736], I think it would be best to keep the info in one place, on this page. No idea what's wrong with the technical explanation - users should be able to understand the problem and verify that the result is OK. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:13, 13 October 2016 (UTC)<br />
<br />
:I'm fine with leaving the detailed explanation. It's just odd to me to introduce a problem to the reader and in the end say that its not really a problem since the tools handle it. Also, my idea was that fdisk and parted have different ways of verifying alignment (just like different ways of creating a table, partition, etc). So if you are creating partitions with fdisk going through the [[fdisk]] page, it would be good to have how to verify alignment on that page (although it looks like fdisk has no built in way to verify it, probably because fdisk aligns things on its own, so we might have to refer to parted in the end anyway). -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 15:32, 13 October 2016 (UTC)<br />
<br />
== mmcblk0p{1,2,3,4}, mmcblk0boot{0,1}, mmcblk0rpmb ==<br />
And my install usb showed up as sda instead.. Don't know how to best deal with that. "Boot" ones don't seem to provide disklabel type and identifier information, and are only 4MiB. My guess is to ignore them. /dev/mmcblk0p3 seems to be the one with windows on it.(ASUS Vivobook E200HA)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:58, 25 December 2016 (UTC)<br />
:Ended up just ignoring the {{ic|mmcblk0boot{0,1\}}} entries, treating {{ic|mmcblk0p1,2,3,4}} as if they were just sda, basically, it worked. (don't see the rpmb volumes now) More specifically, didn't reformat the first partition, instead just putting different files there. Tried the bind-mount approach in [[EFI System Partition]], but ended up with the more regular approach. (not sure why it didn't co-operate) Would suspect that {{ic|mmcblk0boot{0,1\}}} don't matter much, but would suggest just reusing the first partition nevertheless..(really, little reason to reformat that?)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:34, 14 January 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Partitioning&diff=465338Talk:Partitioning2017-01-14T00:35:14Z<p>Jasper1984: Those mmcblk0boot{0,1} things, install success</p>
<hr />
<div>== Partition Alignment Verification ==<br />
<br />
''[moved from [[Talk:Solid State Drives#Partition Alignment Verification]] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:13, 10 July 2014 (UTC)]''<br />
<br />
On my system 'blockdev --getalignoff /dev/sda5' returns zero, even though the partition seems not to be aligned optimally:<br />
Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: dos<br />
Disk identifier: 0xd9a92553<br />
<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 * 2048 1026047 512000 7 HPFS/NTFS/exFAT<br />
/dev/sda2 1026048 479475711 239224832 7 HPFS/NTFS/exFAT<br />
/dev/sda3 946051072 976771071 15360000 7 HPFS/NTFS/exFAT<br />
/dev/sda4 479475712 946051071 233287680 5 Extended<br />
/dev/sda5 479475775 518545791 19535008+ 83 Linux<br />
/dev/sda6 518545855 541984626 11719386 83 Linux<br />
/dev/sda7 541984690 557615871 7815591 82 Linux swap / Solaris<br />
/dev/sda8 557615935 946051071 194217568+ 83 Linux<br />
<br />
The command 'parted /dev/sda align-check optimal' gives the right message in my opinion: 'not aligned'. Should we replace blockdev command?<br />
<br />
[[User:Plk|Plk]] ([[User talk:Plk|talk]]) 18:31, 31 May 2014 (UTC)<br />
<br />
:It seems you're right. After reading the warning about cfdisk alignment ("Warning: The first partition created by cfdisk starts at sector 63, instead of the usual 2048. This can lead to reduced performance on SSD and advanced format (4k sector) drives. It will cause problems with GRUB2, but GRUB legacy and Syslinux should work fine."), I created the first partition of the SSD I was working on with cfdisk - thus creating a bad alignment (I checked with ''fdisk -l /dev/sda'', the first partition effectively starts at sector 63 and not 2048).<br />
:The ''blockdev --getalignoff /dev/sda1'' command returned zero (it shouldn't have) while your command ''parted /dev/sda align-check optimal'' returned 'not aligned', as expected.<br />
:It seems to be a bug of blockdev in ArchLinux, as of util-linux v.2.24.<br />
:I upgraded to util-linux v.2.25-3, and the problem is still present in blockdev. However, cfdisk has been entirely rewritten for util-linux 2.25 as described in this [http://karelzak.blogspot.fr/2014/06/new-cfdisk-util-linux-v225.html blog post] and now correctly starts the first partition at sector 2048 when creating it.<br />
<br />
<br />
:So should we edit the wiki page to recommend upgrading to util-linux 2.25 in order to use cfdisk with correct partition alignment? As util-linux integrates multiple essential programs, I don't know whether upgrading it will break something with the other utilities it includes.<br />
:In any case, I think we should advise against using blockdev to check partition alignment, and recommend using parted instead for the time being. Can anyone else confirm this bug, especially on other distributions? We need to know if the problem is inherent to Arch's implementation of blockdev or to blockdev itself.<br />
<br />
:--[[User:Irrodeus|Irrodeus]] ([[User talk:Irrodeus|talk]]) 01:56, 6 September 2014 (UTC)<br />
<br />
== Restructuring ==<br />
<br />
=== Example tables ===<br />
<br />
[https://wiki.archlinux.org/index.php?title=Partitioning&diff=440209&oldid=438934] moved tables from the [[Beginners' guide]] to [[Partitioning#Partition_scheme]], however it didn't fit in too well so I've removed it for now.<br />
<br />
However, I think the basic idea is a sound one, but perhaps more expansive. We could include suggested [[File systems]], as well as more complex examples such as {{ic|/var}} and GRUB Boot partitions.<br />
<br />
See the updated tables from the BG below for reference. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 00:20, 10 July 2016 (UTC)<br />
<br />
=== Table draft ===<br />
<br />
{| class="wikitable"<br />
!colspan="5" | UEFI/GPT example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:GUID_Partition_Table#Partition_type_GUIDs|Partition type (GUID)]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| /boot<br />
| /dev/sd'''x'''1<br />
| [[EFI System Partition]]<br />
| Yes<br />
| 260–512 MiB<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''2<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''3<br />
| Linux<br />
| No<br />
| Remainder of the device<br />
|-<br />
!colspan="5" | MBR/BIOS example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:Partition type|Partition type]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''1<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''2<br />
| Linux<br />
| Yes<br />
| Remainder of the device<br />
|}<br />
<br />
:I added these tables to the page. I also added one using a separate {{ic|/home}} since I imagine that is the most common scenario. I think 3 examples could be enough, but I am open to more. -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 18:53, 11 October 2016 (UTC)<br />
<br />
::Nice work. One thing I was considering is to have multiple small tables under the various partition sections (like /home), instead of a single large one. Thoughts? -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:56, 13 October 2016 (UTC)<br />
::edit: I noticed you already split the tables; that leaves whether it makes sense to have them under sections like [[Partitioning#.2Fhome]] rather than [[Partitioning#Example layouts]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:01, 13 October 2016 (UTC)<br />
<br />
:::All examples include the {{ic|/}} partition and swap. Avoiding duplication and forward references is probably one of the reasons why people invented [[w:appendix|appendix]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:15, 13 October 2016 (UTC)<br />
<br />
== Alignment ==<br />
<br />
Regarding [https://wiki.archlinux.org/index.php?title=Partitioning&diff=next&oldid=453737], [https://wiki.archlinux.org/index.php?title=Fdisk&diff=next&oldid=453499] and [https://wiki.archlinux.org/index.php?title=GNU_Parted&diff=next&oldid=453736], I think it would be best to keep the info in one place, on this page. No idea what's wrong with the technical explanation - users should be able to understand the problem and verify that the result is OK. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:13, 13 October 2016 (UTC)<br />
<br />
:I'm fine with leaving the detailed explanation. It's just odd to me to introduce a problem to the reader and in the end say that its not really a problem since the tools handle it. Also, my idea was that fdisk and parted have different ways of verifying alignment (just like different ways of creating a table, partition, etc). So if you are creating partitions with fdisk going through the [[fdisk]] page, it would be good to have how to verify alignment on that page (although it looks like fdisk has no built in way to verify it, probably because fdisk aligns things on its own, so we might have to refer to parted in the end anyway). -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 15:32, 13 October 2016 (UTC)<br />
<br />
== mmcblk0p{1,2,3,4}, mmcblk0boot{0,1}, mmcblk0rpmb ==<br />
And my install usb showed up as sda instead.. Don't know how to best deal with that. "Boot" ones don't seem to provide disklabel type and identifier information, and are only 4MiB. My guess is to ignore them. /dev/mmcblk0p3 seems to be the one with windows on it.(ASUS Vivobook E200HA)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:58, 25 December 2016 (UTC)<br />
:Ended up just ignoring the {{ic|mmcblk0boot{0,1\}}} entries, treating it as if it were just sda, basically, it worked. (don't see the rpmb volumes now) More specifically, didn't reformat the first partition, instead just putting different files there. Tried the bind-mount approach in [[EFI System Partition]], but ended up with the more regular approach. (not sure why it didn't co-operate) Would suspect that {{ic|mmcblk0boot{0,1\}}} don't matter much, but would suggest just reusing the first partition nevertheless..(really, little reason to reformat that?)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:34, 14 January 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Awesome&diff=465337Talk:Awesome2017-01-14T00:20:22Z<p>Jasper1984: /* Awesome wiki links broke? */ new section</p>
<hr />
<div>== Add a new solution in "Troubleshooting" (4.9) ==<br />
<br />
Grammar/spelling looks okay apart from the first sentence (Once installed...), but I'd leave it out anyway, as redundant.<br />
<br />
About the content, {{ic|/usr/share/X11/xkb/compat/basic}} is owned by extra/xkeyboard-config, and not in its backup array, so this will get undone on upgrades. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 12:44, 23 March 2016 (UTC)<br />
<br />
:Originally or after an upgrade, you are probably faced this problem. -- '''Like this? :-) first sentence.''' Thank you, Alad! -- [[User:Vladimir Shatalin|Vladimir Shatalin]] ([[User talk:Vladimir Shatalin|talk]]) 19:19, March 23, 2016<br />
<br />
=== Mouse does not work in non-Latin keyboard layout ===<br />
<br />
'''In English, please check (grammar and spelling):'''<br />
Once installed, the Awesome, or after an upgrade, you are probably faced this problem. The mouse does not work in non-Latin keyboard layout (for example, in Russian keyboard, mouse clicks are not processed by tags, and you can not call the Awesome menu). See [https://awesome.naquadah.org/bugs/index.php?do=details&task_id=982 this bug] for details.<br />
To resolve this problem, edit the file {{ic|/usr/share/X11/xkb/compat/basic}}, and comment out (using {{ic | //}}) in these lines there, as shown below:<br />
// Group 2 = AltGr;<br />
// Group 3 = AltGr;<br />
// Group 4 = AltGr;<br />
<br />
'''Russian:'''<br />
Right after installing Awesome, or after a system upgrade, you have probably run into this problem. The mouse does not work in a non-Latin keyboard layout (for example, with the Russian keyboard layout, mouse clicks on tags are not processed, and you also cannot open the Awesome menu). See the details of [https://awesome.naquadah.org/bugs/index.php?do=details&task_id=982 this bug].<br />
To solve this problem, edit the file {{ic|/usr/share/X11/xkb/compat/basic}} and comment out (using {{ic|//}}) these lines in it, as shown below:<br />
//group 2 = AltGr;<br />
//group 3 = AltGr;<br />
//group 4 = AltGr;<br />
<br />
-- [[User:Vladimir Shatalin|Vladimir Shatalin]] ([[User talk:Vladimir Shatalin|talk]]) 18:12, March 23, 2016<br />
<br />
== KDM is deprecated. ==<br />
<br />
It's best to replace it with instructions for SDDM.<br />
[[User:Dillebidum|Dillebidum]] ([[User talk:Dillebidum|talk]]) 10:16, 28 November 2016 (UTC)<br />
<br />
== Awesome wiki links broke? ==<br />
<br />
[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:20, 14 January 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:OpenSSH&diff=462217Talk:OpenSSH2017-01-10T14:44:52Z<p>Jasper1984: Yah, it gives root alright</p>
<hr />
<div>== X11 forwarding == <br />
Regarding X11 forwarding:<br />
I don't think it is necessary to enable X11Forwarding on the client on a global basis:<br />
"Enable the ForwardX11 option in ssh_config on the client."<br />
<br />
Simply specifying the -X option to ssh works for me. [The preceding unsigned comment was added 2010-01-11T15:41:54 by [[User:Uwinkelvos|Uwinkelvos]] ([[User_talk:Uwinkelvos|Talk]] | [[Special:Contributions/Uwinkelvos|contribs]]).]<br />
<br />
== SendEnv ==<br />
<br />
I think we should add something about accent/UTF-8/encoding.<br />
Setting SendEnv LANG LC_* in /etc/ssh/ssh_config (client side) would be very useful.<br />
{{unsigned|22 August 2010|LeCrayonVert}}<br />
<br />
== Automatically logout all SSH users when the sshd daemon is shutdown. ==<br />
<br />
edit /lib/systemd/system/systemd-user-sessions.service and append network.target to the after line.<br />
<br />
<br />
[Unit]<br />
Description = Permit User Sessions<br />
<br />
Documentation = man:systemd-user-sessions.service(8)<br />
<br />
After = network.target remote-fs.target<br />
<br />
<br />
then symlink /lib/systemd/system/systemd-user-sessions.service to /etc/systemd/system/<br />
<br />
<br />
[[User:Artomason|artomason]] ([[User talk:Artomason|talk]]) 20:32, 7 February 2013 (UTC)<br />
<br />
== systemd failed to start sshd ==<br />
<br />
It might be good to add, if {{ic|systemctl status sshd}} shows that sshd failed, try and run /usr/sbin/sshd. This way if there is a bad configuration option (ie typo in /etc/ssh/sshd_conf), it is listed with line number.<br />
<br />
[[User:Matyilona200|Matyilona200]] ([[User talk:Matyilona200|talk]]) 13:45, 16 May 2013 (UTC)<br />
<br />
<br />
== follow_symlinks == <br />
<br />
The option 'transform_symlinks' does not work anymore, 'follow_symlinks' is the new one.<br />
<br />
1. Should we correct that at the autossh section?<br />
<br />
2. Should we write that somewhere?<br />
<br />
--[[User:Greenway|Greenway]] ([[User talk:Greenway|talk]]) 17:14, 26 April 2014 (UTC)<br />
<br />
:Are you sure? I've just installed {{Pkg|sshfs}} and the man page still mentions both options as separate functions. If {{ic|transform_symlinks}} is really not working anymore, that's more likely a bug that must be reported upstream.<br />
:Anyway I'm just mentioning that also the [[sshfs]] article would be affected.<br />
:-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 03:12, 28 April 2014 (UTC)<br />
<br />
<br />
Sorry for this discussion and thank you for correcting me.<br />
I referred to this question: http://askubuntu.com/questions/75094/sshfs-transform-symlinks-is-broken<br />
Anyway I tested both parameters:<br />
<br />
<pre><br />
1) sshfs bar: foo<br />
<br />
-a --> /etc l<br />
-b --> c/c1 l<br />
-c d <br />
--c1 f<br />
<br />
2) sshfs -o follow_symlinks bar: foo<br />
<br />
-a d<br />
-b d<br />
-c d<br />
--c1 f<br />
<br />
(works as expected)<br />
<br />
3) sshfs -o transform_symlinks bar: foo<br />
<br />
(same as without the option.)<br />
</pre><br />
<br />
==== Here's the wiki explanation ====<br />
<br />
===== Following symlinks on the server side =====<br />
<br />
The -o follow_symlinks option will enable this.<br />
<br />
===== Making absolute symlinks work =====<br />
<br />
Use the -o transform_symlinks option, which will transform absolute symlinks (ones which point somewhere inside the mount) into relative ones. <br />
<br />
<br />
--[[User:Greenway|Greenway]] ([[User talk:Greenway|talk]]) 20:38, 28 April 2014 (UTC)<br />
<br />
== Regenerate host keys ==<br />
I am using a preloaded Arch Linux image on a Raspberry Pi, which had OpenSSH configured, so I want to regenerate new host keys, which could be achieved on Debian with<br />
<br />
rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server<br />
<br />
Do we have equivalent command on Arch? I can't find them on the wiki<br />
<br />
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key<br />
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key<br />
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key<br />
<br />
should be enough? Or more setting is required?<br />
<br />
Ref:<br />
* [http://answers.oreilly.com/topic/62-how-to-generate-new-host-keys/ How to generate new host keys]<br />
* [https://www.digitalocean.com/company/blog/avoid-duplicate-ssh-host-keys/ Avoid Duplicate SSH Host Keys]<br />
<br />
--[[User:Lefthaha|Lefthaha]] ([[User talk:Lefthaha|talk]]) 24 May 2014<br />
<br />
== AutoSSH as a Service ==<br />
<br />
AutoSSH doesn't like to run as a service without specifying a port. Using -M 0 and -f parameters in combination will result in the service not starting. Also, when starting as a service (-f option) SSH will not look in ~/.ssh for public keys. If you're using key authentication, the public key will need to be specified with the -i parameter. I assume this limitation would also apply when running as a systemd service.<br />
<br />
Running AutoSSH this way worked for me for a Socks 5 proxy:<br />
<br />
autossh -f -M 1111 -N -i /home/username/.ssh/id_rsa username@server -D 8080<br />
<br />
--[[User:Twofive0|Twofive0]] ([[User talk:Twofive0|talk]]) 18:24, 12 August 2014 (UTC)<br />
<br />
:Autossh as a service seems to be a little redundant, since autossh itself is basically just a service to restart ssh when it exits. I was about to write a .service file for autossh when I realized I could cut out the middleman entirely:<br />
:{{hc|~/.config/systemd/user/autossh.service|<nowiki><br />
[Unit]<br />
Description=SSH tunnel<br />
<br />
[Service]<br />
Type=simple<br />
Restart=always<br />
RestartSec=1min<br />
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N foo@bar<br />
<br />
[Install]<br />
WantedBy=default.target<br />
</nowiki>}}<br />
:This seems a little nicer to me, but I'm not sure how I would edit the article to include it.<br />
:[[User:Silverhammermba|Silverhammermba]] ([[User talk:Silverhammermba|talk]]) 00:32, 12 February 2015 (UTC)<br />
<br />
== Additional steps to setup Dropbear ==<br />
<br />
Noticed that you need to create some keys before Dropbear will run:<br />
<br />
<pre>dropbearkey -t dss -f /etc/dropbear/dropbear.dss<br />
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear.rsa</pre><br />
Maybe it's a good idea to chmod this to 600 or something?<br />
{{unsigned|5 December 2014|MindTooth}}<br />
<br />
:To note: Not relating to dropbear, but generally [[#Regenerate_host_keys]] above suggests the addition of a setup step for that as well. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 14:19, 5 December 2014 (UTC)<br />
<br />
== Allowing SSH Users to Shutdown, Mount, etc. Without Root authentication ==<br />
<br />
:Merged from [[Allow users to shutdown]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 20:48, 23 May 2015 (UTC)<br />
The following describes what I did to allow power [EDIT: and mounting] operations on my machine from a SSH login. I'd be very grateful if anyone could tell me if this was correct and if so, I'll add this section to the page and add a link on the polkit examples.<br />
<br />
I have a miniature server machine I use at home for automatic backups, and I used WOL to startup without user intervention, however I found out that issuing {{bc|systemctl poweroff}} and friends works from a tty but from a remote login I get a message starting: {{bc|<nowiki>==== AUTHENTICATING FOR org.freedesktop.login1.power-off ====</nowiki>}} and asking for a root password. After searching online it seemed that the right thing to do (but I'm not sure) was to write a polkit rule overriding the and place this before the defaults in /etc/polkit-1/rules.d/. Below is my rule:<br />
{{bc|<nowiki><br />
polkit.addRule(function(action, subject) {<br />
    // Power actions that members of the group may perform without root authentication<br />
    if ( action.id == "org.freedesktop.login1.power-off" ||<br />
         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.reboot" ||<br />
         action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.suspend" ||<br />
         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.hibernate" ||<br />
         action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ) {<br />
<br />
        if ( subject.isInGroup("mypowergroup") ) {<br />
            return polkit.Result.YES;<br />
        }<br />
    }<br />
}); </nowiki><br />
}}<br />
<br />
There might be a neater way to do this rather than enumerating all the actions but I don't speak JavaScript. EDIT: See below:<br />
<br />
https://gist.github.com/wooptoo/4013294/ccacedd69d54de7f2fd5881b546d5192d6a2bddb<br />
<br />
Someone somewhere seemed to mention that polkit rules weren't the right way to go and there was something wrong with integration with logind/systemd but I didn't understand what he really meant and it was in a different context.<br />
<br />
Thanks in advance for any advice<br />
--[[User:Stellarpower|Stellarpower]] ([[User talk:Stellarpower|talk]]) 12:24, 4 May 2015 (UTC)<br />
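<br />
A more compact form of the rule posted above, as an added example that is neither Stellarpower's code nor the linked gist: it matches the same eight action ids exactly instead of by prefix, so other login1 actions such as {{ic|org.freedesktop.login1.power-off-ignore-inhibit}} are not granted as a side effect. The {{ic|polkit}} stub, {{ic|registered}} and {{ic|evaluate}} are hypothetical helpers constructed so the rule can be run under Node; only the part between the two marker comments belongs in a rules file.<br />

```javascript
// Stub of the object polkitd provides to a rules file (constructed for this
// example so the rule can be exercised outside polkitd).
var registered = [];
var polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
  addRule: function (fn) { registered.push(fn); }
};

// ---- begin rule (the part that would go into /etc/polkit-1/rules.d/) ----
var PREFIX = "org.freedesktop.login1.";
var SUFFIX = "-multiple-sessions";
var POWER_ACTIONS = ["power-off", "reboot", "suspend", "hibernate"];
var POWER_GROUP = "mypowergroup"; // group name taken from the post above

// True only for the eight ids listed in the original rule: each power action
// with or without the "-multiple-sessions" suffix. Anything else is rejected.
function isPowerAction(id) {
  if (id.indexOf(PREFIX) !== 0) return false;
  var name = id.slice(PREFIX.length);
  var cut = name.length - SUFFIX.length;
  if (cut > 0 && name.indexOf(SUFFIX, cut) === cut) {
    name = name.slice(0, cut);
  }
  return POWER_ACTIONS.indexOf(name) !== -1;
}

function powerRule(action, subject) {
  if (isPowerAction(action.id) && subject.isInGroup(POWER_GROUP)) {
    return polkit.Result.YES;
  }
  // No return value: polkit goes on to later rules and the action's defaults,
  // so users outside the group are still asked to authenticate.
}

polkit.addRule(powerRule);
// ---- end rule ----

// Hypothetical harness: run the registered rules the way polkitd would,
// returning the first non-empty result or undefined if no rule decided.
function evaluate(actionId, groups) {
  var subject = {
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
  for (var i = 0; i < registered.length; i++) {
    var result = registered[i]({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return undefined;
}
```
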
<br />
== <s>Disabling root leaves `su`; suggested addition there:</s> ==<br />
<br />
However, this does not disable {{ic|su}}, to do that, add users to wheel, and then disable <br />
<br />
gpasswd -a $USER wheel<br />
<br />
And then uncomment the {{ic|auth required pam_wheel.so use_uid}} line in {{ic|/etc/pam.d/su}} [https://serverfault.com/questions/697607/ssh-su-root-or-sudo (src)][[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 18:22, 9 January 2017 (UTC)<br />
<br />
:This has nothing to do with SSH and is already mentioned on the [[su]] page. Closing. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 22:13, 9 January 2017 (UTC)<br />
<br />
:I agree, I think that most people aren't interested in disabling su in this context, not to mention it provides no real security benefit (being able to sudo is nearly the same as being able to su, the top answer of your link even explains this). -- [[User:Etskinner|Etskinner]] ([[User talk:Etskinner|talk]]) 02:07, 10 January 2017 (UTC)<br />
<br />
::The above gives {{ic|su}} to that user, you'd ssh into another user, which doesn't have wheel and isn't in sudoers. It closes those two avenues to get into root. {{ic|PermitRootLogin no}} is misleading, don't be detached from reality, it gives root login.<br />
<br />
::The attack vector here is a compromised machine on the ssh-ing end here. There is a chance the password is guessable, it makes sense to try to prevent that. Probably some other opening, sure, but then closing this hole is hardly much effort, at least if you're using a separate user already.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:44, 10 January 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:OpenSSH&diff=462105Talk:OpenSSH2017-01-09T18:22:02Z<p>Jasper1984: /* Disabling root leaves `su`; suggested addition there: */ new section</p>
<hr />
<div>== X11 forwarding == <br />
Regarding X11 forwarding:<br />
I don't think it is necessary to enable X11Forwarding on the client on a global basis:<br />
"Enable the ForwardX11 option in ssh_config on the client."<br />
<br />
Simply specifying the -X option to ssh works for me. [The preceding unsigned comment was added 2010-01-11T15:41:54 by [[User:Uwinkelvos|Uwinkelvos]] ([[User_talk:Uwinkelvos|Talk]] | [[Special:Contributions/Uwinkelvos|contribs]]).]<br />
<br />
== SendEnv ==<br />
<br />
I think we should add something about accent/UTF-8/encoding.<br />
Setting SendEnv LANG LC_* in /etc/ssh/ssh_config (client side) would be very useful.<br />
{{unsigned|22 August 2010|LeCrayonVert}}<br />
<br />
== Automatically logout all SSH users when the sshd daemon is shutdown. ==<br />
<br />
edit /lib/systemd/system/systemd-user-sessions.service and append network.target to the after line.<br />
<br />
<br />
[Unit]<br />
Description = Permit User Sessions<br />
<br />
Documentation = man:systemd-user-sessions.service(8)<br />
<br />
After = network.target remote-fs.target<br />
<br />
<br />
then symlink /lib/systemd/system/systemd-user-sessions.service to /etc/systemd/system/<br />
<br />
<br />
[[User:Artomason|artomason]] ([[User talk:Artomason|talk]]) 20:32, 7 February 2013 (UTC)<br />
<br />
== systemd failed to start sshd ==<br />
<br />
It might be good to add, if {{ic|systemctl status sshd}} shows that sshd failed, try and run /usr/sbin/sshd. This way if there is a bad configuration option (ie typo in /etc/ssh/sshd_conf), it is listed with line number.<br />
<br />
[[User:Matyilona200|Matyilona200]] ([[User talk:Matyilona200|talk]]) 13:45, 16 May 2013 (UTC)<br />
<br />
<br />
== follow_symlinks == <br />
<br />
The option 'transform_symlinks' does not work anymore, 'follow_symlinks' is the new one.<br />
<br />
1. Should we correct that at the autossh section?<br />
<br />
2. Should we write that somewhere?<br />
<br />
--[[User:Greenway|Greenway]] ([[User talk:Greenway|talk]]) 17:14, 26 April 2014 (UTC)<br />
<br />
:Are you sure? I've just installed {{Pkg|sshfs}} and the man page still mentions both options as separate functions. If {{ic|transform_symlinks}} is really not working anymore, that's more likely a bug that must be reported upstream.<br />
:Anyway I'm just mentioning that also the [[sshfs]] article would be affected.<br />
:-- [[User:Kynikos|Kynikos]] ([[User talk:Kynikos|talk]]) 03:12, 28 April 2014 (UTC)<br />
<br />
<br />
Sorry for this discussion and thank you for correcting me.<br />
I referred to this question: http://askubuntu.com/questions/75094/sshfs-transform-symlinks-is-broken<br />
Anyway I tested both parameters:<br />
<br />
<pre><br />
1) sshfs bar: foo<br />
<br />
-a --> /etc l<br />
-b --> c/c1 l<br />
-c d <br />
--c1 f<br />
<br />
2) sshfs -o follow_symlinks bar: foo<br />
<br />
-a d<br />
-b d<br />
-c d<br />
--c1 f<br />
<br />
(works as expected)<br />
<br />
3) sshfs -o transform_symlinks bar: foo<br />
<br />
(same as without the option.)<br />
</pre><br />
<br />
==== Here's the wiki explanation ====<br />
<br />
===== Following symlinks on the server side =====<br />
<br />
The -o follow_symlinks option will enable this.<br />
<br />
===== Making absolute symlinks work =====<br />
<br />
Use the -o transform_symlinks option, which will transform absolute symlinks (ones which point somewhere inside the mount) into relative ones. <br />
<br />
<br />
--[[User:Greenway|Greenway]] ([[User talk:Greenway|talk]]) 20:38, 28 April 2014 (UTC)<br />
<br />
== Regenerate host keys ==<br />
I am using a preloaded Arch Linux image on a Raspberry Pi, which had OpenSSH configured, so I want to regenerate new host keys, which could be achieved on Debian with<br />
<br />
rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server<br />
<br />
Do we have equivalent command on Arch? I can't find them on the wiki<br />
<br />
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key<br />
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key<br />
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key<br />
<br />
should be enough? Or more setting is required?<br />
<br />
Ref:<br />
* [http://answers.oreilly.com/topic/62-how-to-generate-new-host-keys/ How to generate new host keys]<br />
* [https://www.digitalocean.com/company/blog/avoid-duplicate-ssh-host-keys/ Avoid Duplicate SSH Host Keys]<br />
<br />
--[[User:Lefthaha|Lefthaha]] ([[User talk:Lefthaha|talk]]) 24 May 2014<br />
<br />
== AutoSSH as a Service ==<br />
<br />
AutoSSH doesn't like to run as a service without specifying a port. Using -M 0 and -f parameters in combination will result in the service not starting. Also, when starting as a service (-f option) SSH will not look in ~/.ssh for public keys. If you're using key authentication, the public key will need to be specified with the -i parameter. I assume this limitation would also apply when running as a systemd service.<br />
<br />
Running AutoSSH this way worked for me for a Socks 5 proxy:<br />
<br />
autossh -f -M 1111 -N -i /home/username/.ssh/id_rsa username@server -D 8080<br />
<br />
--[[User:Twofive0|Twofive0]] ([[User talk:Twofive0|talk]]) 18:24, 12 August 2014 (UTC)<br />
<br />
:Autossh as a service seems to be a little redundant, since autossh itself is basically just a service to restart ssh when it exits. I was about to write a .service file for autossh when I realized I could cut out the middleman entirely:<br />
:{{hc|~/.config/systemd/user/autossh.service|<nowiki><br />
[Unit]<br />
Description=SSH tunnel<br />
<br />
[Service]<br />
Type=simple<br />
Restart=always<br />
RestartSec=1min<br />
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N foo@bar<br />
<br />
[Install]<br />
WantedBy=default.target<br />
</nowiki>}}<br />
:This seems a little nicer to me, but I'm not sure how I would edit the article to include it.<br />
:[[User:Silverhammermba|Silverhammermba]] ([[User talk:Silverhammermba|talk]]) 00:32, 12 February 2015 (UTC)<br />
<br />
== Additional steps to setup Dropbear ==<br />
<br />
Noticed that you need to create some keys before Dropbear will run:<br />
<br />
<pre>dropbearkey -t dss -f /etc/dropbear/dropbear.dss<br />
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear.rsa</pre><br />
Maybe it's a good idea to chmod this to 600 or something?<br />
{{unsigned|5 December 2014|MindTooth}}<br />
<br />
:To note: Not relating to dropbear, but generally [[#Regenerate_host_keys]] above suggests the addition of a setup step for that as well. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 14:19, 5 December 2014 (UTC)<br />
<br />
== Allowing SSH Users to Shutdown, Mount, etc. Without Root authentication ==<br />
<br />
:Merged from [[Allow users to shutdown]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 20:48, 23 May 2015 (UTC)<br />
The following describes what I did to allow power [EDIT: and mounting] operations on my machine from a SSH login. I'd be very grateful if anyone could tell me if this was correct and if so, I'll add this section to the page and add a link on the polkit examples.<br />
<br />
I have a miniature server machine I use at home for automatic backups, and I used WOL to startup without user intervention, however I found out that issuing {{bc|systemctl poweroff}} and friends works from a tty but from a remote login I get a message starting: {{bc|<nowiki>==== AUTHENTICATING FOR org.freedesktop.login1.power-off ====</nowiki>}} and asking for a root password. After searching online it seemed that the right thing to do (but I'm not sure) was to write a polkit rule overriding the and place this before the defaults in /etc/polkit-1/rules.d/. Below is my rule:<br />
{{bc|<nowiki><br />
polkit.addRule(function(action, subject) {<br />
    // Power actions that members of the group may perform without root authentication<br />
    if ( action.id == "org.freedesktop.login1.power-off" ||<br />
         action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.reboot" ||<br />
         action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.suspend" ||<br />
         action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||<br />
<br />
         action.id == "org.freedesktop.login1.hibernate" ||<br />
         action.id == "org.freedesktop.login1.hibernate-multiple-sessions" ) {<br />
<br />
        if ( subject.isInGroup("mypowergroup") ) {<br />
            return polkit.Result.YES;<br />
        }<br />
    }<br />
}); </nowiki><br />
}}<br />
<br />
There might be a neater way to do this rather than enumerating all the actions but I don't speak JavaScript. EDIT: See below:<br />
<br />
https://gist.github.com/wooptoo/4013294/ccacedd69d54de7f2fd5881b546d5192d6a2bddb<br />
<br />
Someone somewhere seemed to mention that polkit rules weren't the right way to go and there was something wrong with integration with logind/systemd but I didn't understand what he really meant and it was in a different context.<br />
<br />
Thanks in advance for any advice<br />
--[[User:Stellarpower|Stellarpower]] ([[User talk:Stellarpower|talk]]) 12:24, 4 May 2015 (UTC)<br />
<br />
== Disabling root leaves `su`; suggested addition there: ==<br />
<br />
However, this does not disable {{ic|su}}, to do that, add users to wheel, and then disable <br />
<br />
gpasswd -a $USER wheel<br />
<br />
And then uncomment the {{ic|auth required pam_wheel.so use_uid}} line in {{ic|/etc/pam.d/su}} [https://serverfault.com/questions/697607/ssh-su-root-or-sudo (src)][[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 18:22, 9 January 2017 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Partitioning&diff=460020Talk:Partitioning2016-12-25T01:06:42Z<p>Jasper1984: Note: ASUS Vivobook E200HA</p>
<hr />
<div>== Partition Alignment Verification ==<br />
<br />
''[moved from [[Talk:Solid State Drives#Partition Alignment Verification]] -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:13, 10 July 2014 (UTC)]''<br />
<br />
On my system 'blockdev --getalignoff /dev/sda5' returns zero, even though the partition seems not to be aligned optimally:<br />
Disk /dev/sda: 465.8 GiB, 500107862016 bytes, 976773168 sectors<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: dos<br />
Disk identifier: 0xd9a92553<br />
<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 * 2048 1026047 512000 7 HPFS/NTFS/exFAT<br />
/dev/sda2 1026048 479475711 239224832 7 HPFS/NTFS/exFAT<br />
/dev/sda3 946051072 976771071 15360000 7 HPFS/NTFS/exFAT<br />
/dev/sda4 479475712 946051071 233287680 5 Extended<br />
/dev/sda5 479475775 518545791 19535008+ 83 Linux<br />
/dev/sda6 518545855 541984626 11719386 83 Linux<br />
/dev/sda7 541984690 557615871 7815591 82 Linux swap / Solaris<br />
/dev/sda8 557615935 946051071 194217568+ 83 Linux<br />
<br />
The command 'parted /dev/sda align-check optimal' gives the right message in my opinion: 'not aligned'. Should we replace blockdev command?<br />
<br />
[[User:Plk|Plk]] ([[User talk:Plk|talk]]) 18:31, 31 May 2014 (UTC)<br />
<br />
:It seems you're right. After reading the warning about cfdisk alignment ("Warning: The first partition created by cfdisk starts at sector 63, instead of the usual 2048. This can lead to reduced performance on SSD and advanced format (4k sector) drives. It will cause problems with GRUB2, but GRUB legacy and Syslinux should work fine."), I created the first partition of the SSD I was working on with cfdisk - thus creating a bad alignment (I checked with ''fdisk -l /dev/sda'', the first partition effectively starts at sector 63 and not 2048).<br />
:The ''blockdev --getalignoff /dev/sda1'' command returned zero (it shouldn't have) while your command ''parted /dev/sda align-check optimal'' returned 'not aligned', as expected.<br />
:It seems to be a bug of blockdev in ArchLinux, as of util-linux v.2.24.<br />
:I upgraded to util-linux v.2.25-3, and the problem is still present in blockdev. However, cfdisk has been entirely rewritten for util-linux 2.25 as described in this [http://karelzak.blogspot.fr/2014/06/new-cfdisk-util-linux-v225.html blog post] and now correctly starts the first partition at sector 2048 when creating it.<br />
<br />
<br />
:So should we edit the wiki page for recommending an upgrade to util-linux 2.25 in order to use cfdisk with correct partition alignment? As util-linux integrates multiple essential pieces of software, I don't know if upgrading it will or will not break something with the other utilities it includes.<br />
:In any case, I think we should recommend against using blockdev to check partition alignment, and recommend using parted instead for the time being. Can anyone else confirm this bug, especially on other distributions? We need to know if the problem is inherent to Arch's implementation of blockdev or to blockdev itself.<br />
<br />
:--[[User:Irrodeus|Irrodeus]] ([[User talk:Irrodeus|talk]]) 01:56, 6 September 2014 (UTC)<br />
<br />
== Restructuring ==<br />
<br />
=== Example tables ===<br />
<br />
[https://wiki.archlinux.org/index.php?title=Partitioning&diff=440209&oldid=438934] moved tables from the [[Beginners' guide]] to [[Partitioning#Partition_scheme]], however it didn't fit in too well so I've removed it for now.<br />
<br />
However, I think the basic idea is a sound one, but perhaps more expansive. We could include suggested [[File systems]], as well as more complex examples such as {{ic|/var}} and GRUB Boot partitions.<br />
<br />
See the updated tables from the BG below for reference. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 00:20, 10 July 2016 (UTC)<br />
<br />
=== Table draft ===<br />
<br />
{| class="wikitable"<br />
!colspan="5" | UEFI/GPT example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:GUID_Partition_Table#Partition_type_GUIDs|Partition type (GUID)]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| /boot<br />
| /dev/sd'''x'''1<br />
| [[EFI System Partition]]<br />
| Yes<br />
| 260–512 MiB<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''2<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''3<br />
| Linux<br />
| No<br />
| Remainder of the device<br />
|-<br />
!colspan="5" | MBR/BIOS example layout<br />
|-<br />
! Mount point<br />
! Partition<br />
! [[w:Partition type|Partition type]]<br />
! Bootable flag<br />
! Suggested size<br />
|-<br />
| [SWAP]<br />
| /dev/sd'''x'''1<br />
| Linux [[swap]]<br />
| No<br />
| More than 512 MiB<br />
|-<br />
| /<br />
| /dev/sd'''x'''2<br />
| Linux<br />
| Yes<br />
| Remainder of the device<br />
|}<br />
<br />
:I added these tables to the page. I also added one using a separate {{ic|/home}} since I imagine that is the most common scenario. I think 3 examples could be enough, but I am open to more. -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 18:53, 11 October 2016 (UTC)<br />
<br />
::Nice work. One thing I was considering is to have multiple small tables under the various partition sections (like /home), instead of a single large one. Thoughts? -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 18:56, 13 October 2016 (UTC)<br />
::edit: I noticed you already split the tables; that leaves whether it makes sense to have them under sections like [[Partitioning#.2Fhome]] rather than [[Partitioning#Example layouts]]. -- [[User:Alad|Alad]] ([[User talk:Alad|talk]]) 19:01, 13 October 2016 (UTC)<br />
<br />
:::All examples include the {{ic|/}} partition and swap. Avoiding duplication and forward references is probably one of the reasons why people invented [[w:appendix|appendix]]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:15, 13 October 2016 (UTC)<br />
<br />
== Alignment ==<br />
<br />
Regarding [https://wiki.archlinux.org/index.php?title=Partitioning&diff=next&oldid=453737], [https://wiki.archlinux.org/index.php?title=Fdisk&diff=next&oldid=453499] and [https://wiki.archlinux.org/index.php?title=GNU_Parted&diff=next&oldid=453736], I think it would be best to keep the info in one place, on this page. No idea what's wrong with the technical explanation - users should be able to understand the problem and verify that the result is OK. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 15:13, 13 October 2016 (UTC)<br />
<br />
:I'm fine with leaving the detailed explanation. It's just odd to me to introduce a problem to the reader and in the end say that it's not really a problem since the tools handle it. Also, my idea was that fdisk and parted have different ways of verifying alignment (just like different ways of creating a table, partition, etc). So if you are creating partitions with fdisk going through the [[fdisk]] page, it would be good to have how to verify alignment on that page (although it looks like fdisk has no built-in way to verify it, probably because fdisk aligns things on its own, so we might have to refer to parted in the end anyway). -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 15:32, 13 October 2016 (UTC)<br />
<br />
== mmcblk0p{1,2,3,4}, mmcblk0boot{0,1}, mmcblk0rpmb ==<br />
And my install usb showed up as sda instead.. Don't know how to best deal with that. "Boot" ones don't seem to provide disklabel type and identifier information, and are only 4MiB. My guess is to ignore them. /dev/mmcblk0p3 seems to be the one with windows on it.(ASUS Vivobook E200HA)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:58, 25 December 2016 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Partitioning&diff=460019Talk:Partitioning2016-12-25T00:59:12Z<p>Jasper1984: Fix title, should've used preview..</p>
<hr />
<div>
== mmcblk0p{1,2,3,4}, mmcblk0boot{0,1}, mmcblk0rpmb ==<br />
And my install usb showed up as sda instead.. Don't know how to best deal with that. "Boot" ones don't seem to provide disklabel type and identifier information, and are only 4MiB. My guess is to ignore them. /dev/mmcblk0p3 seems to be the one with windows on it.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:58, 25 December 2016 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Partitioning&diff=460018Talk:Partitioning2016-12-25T00:58:34Z<p>Jasper1984: non-sdX -named devices</p>
<hr />
<div>
== mmcblk0p{1,2,3,4}, mmcblk0boot{0,1}, mmcblk0rpmb<br />
And my install usb showed up as sda instead.. Don't know how to best deal with that. "Boot" ones don't seem to provide disklabel type and identifier information, and are only 4MiB. My guess is to ignore them. /dev/mmcblk0p3 seems to be the one with windows on it.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 00:58, 25 December 2016 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:OpenVPN&diff=459673Talk:OpenVPN2016-12-20T22:32:12Z<p>Jasper1984: Clarifying.. barely, i dont know how to...</p>
<hr />
<div>== Missing details ==<br />
<br />
There are some things that I think would have been extremely helpful to add in this article, primarily relating to iptables. For example, in Routing_the_LAN_of_a_client_to_the_server it might have been useful to say, "do something like iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.4.4.30" rather than "Use the iptables NAT feature to masquerade the IP packets."<br />
<br />
I think more handholding would help this article a lot--it certainly would have helped me figure this out much faster. If no one disagrees, I'd like to add several sections on appropriate iptables rules to add. [[User:Buhman|Buhman]] 17:11, 9 April 2012 (EDT)<br />
<br />
:No objections, all constructive contributions are welcome, just remember that an article shouldn't be just a list of instructions: "handholding" is fine as long as it also explains ''why'' something needs to be done, so in your example above the existent sentence should be kept and your iptables line should be presented just as an example. -- [[User:Kynikos|Kynikos]] 08:46, 10 April 2012 (EDT)<br />
<br />
:To be honest, I think this article, the way it is now, uses way too much handholding. (I liked it more the way it was [https://wiki.archlinux.org/index.php?title=OpenVPN&oldid=170796] ). It has things like: "Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank)", instead of just "Edit /root/easy-rsa/vars according to your preferences" <br />
:Maybe the solution could be the path [[Beginners' Guide]] and [[Installation Guide]] took; One, super handholding-type guide, and the other as a checklist-type guide... hmm, maybe I'll write such article [[User:Chrisl|Chrisl]] ([[User talk:Chrisl|talk]]) 18:48, 16 August 2012 (UTC)<br />
<br />
:I have some time to work on this again (vacation), hopefully I'll get at least some more stuff done. If someone wants to add iptables instructions please go ahead. There is some preliminary stuff that Kynikos uncovered :) Too much, too little handholding, it's hard to say, and it looks like opinions differ. Maybe let me be verbose and then try to tighten it up and remove unwanted verbosity? [[User:jhernberg|jhernberg]] 21:50, 16 August 2012 (UTC)<br />
<br />
In any case, the article still needs a lot more information about the various ways that openvpn can be configured, and any help would be very much appreciated...:) [[User:jhernberg|jhernberg]] 21:55, 16 August 2012 (UTC)<br />
<br />
:Well, I have created the checklist-type article, is here: [[OpenVPN Checklist Guide]] Right now, it has lots of things of the old openvpn article, but shorter. The idea is that it have links like "click here to see more details" pointing to the section of a full article explaining something, to avoid repetition. I must add that I think this way is more KISS. [[User:Chrisl|Chrisl]] ([[User talk:Chrisl|talk]]) 04:55, 17 August 2012 (UTC)<br />
<br />
Personally and at the moment I don't have much time nor interest in updating this article. But I also think it could really benefit from having sections written on IPv6, L2 bridging and possibly a related article describing how to use iptables and other firewall software with VPN. I really hope that someone can step up to the plate and write the missing sections and to correct whatever I got wrong! [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 14:33, 14 June 2014 (UTC)<br />
<br />
A piece of missing information that I consider particularly useful is the configuration of credentials for the user, so that he/she doesn't have to type them every time the VPN is started. I found out how to do that in [https://my.hostvpn.com/knowledgebase/22/Save-Password-in-OpenVPN-for-Automatic-Login.html an external site], but I'm wondering: is there a reason that information is not in the guide, or can I just happily add it? --[[User:Bruno.unna|Bruno.unna]] ([[User talk:Bruno.unna|talk]]) 10:53, 26 August 2016 (UTC)<br />
<br />
:Yes, there is a reason: it's an optional feature. The diy server config example in this article does not use --auth-user-pass-verify scripts, so the client must not provide user/pass. Vpn providers like yours use auth directives as a resource efficient method to permit/deny access to their service. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:02, 26 August 2016 (UTC)<br />
<br />
::Plus, having a username/password when using the ovpn profiles seems superfluous... after all, we are already using strong keys. I don't see what benefit the username/password provides for security. If anything, it complicates the entire setup. Just my 2 cents [[User:Graysky|Graysky]] ([[User talk:Graysky|talk]]) 18:25, 26 August 2016 (UTC)<br />
<br />
== Link to upstream document instead of duplicating ==<br />
This page is already a little long. OpenVPN has lots of good documentation [http://openvpn.net/index.php/open-source/documentation.html here]. It is better to give some entry point and link to the upstream documentation instead of duplicating info here. After all, it is the Arch Wiki, not the OpenVPN wiki. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:38, 17 August 2012 (UTC)<br />
<br />
==IPv6==<br />
If someone could add this section, it would be very much appreciated. [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 01:05, 28 June 2014 (UTC)<br />
<br />
== Connecting to vpn server from Android ==<br />
<br />
I recommend using OpenVPN for Android by Arne Schwabe, which gives a lot of detail that can help with troubleshooting.<br />
The ovpn file with embedded keys & certificates needs to be used; see a proper example in the link below.<br />
The reduced privileges won't work on Android and also "key-direction 1" should be added.<br />
Server side configs are the same as in the wiki.<br />
http://dl.dropbox.com/u/6902100/archlinux/openvpn/client-empty.ovpn --[[User:Dhead|Dhead]] ([[User talk:Dhead|talk]]) 22:51, 5 March 2013 (UTC)<br />
<br />
== IPv4 forwarding ==<br />
<br />
I'd like to suggest adding a section on IP packet forwarding info to this page. If you follow the instructions for setting up forwarding using iptables and ufw only, it still won't work without forwarding packets. <br />
<br />
Traditionally, this has been a simple process of:<br />
# sysctl net.ipv4.ip_forward=1<br />
<br />
(or editing {{ic|/etc/sysctl.d/30-ipforward.conf}} for a more permanent change) <br />
<br />
But there is a [https://bugs.freedesktop.org/show_bug.cgi?id&#61;89509 bug] right now where systemd-networkd overrides {{ic|net.ipv4.ip_forward}}. This might be good to point out for people trying to setup OpenVPN on Arch. <br />
<br />
As of now, someone setting up OpenVPN could only find this out from a small link to [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] and then catching the bug note on that page. Setting up OpenVPN was a frustrating experience since this was buried; I was stuck on this for several hours, and finally found the solution. <br />
<br />
Thought this might be helpful for others out there. Respectfully, [[User:Jr000|Jr000]] ([[User talk:Jr000|talk]]) 00:13, 29 May 2015 (UTC)<br />
<br />
:[[OpenVPN#Routing_all_client_traffic_through_the_server]] already says "Now you need to enable packet forwarding on the server.", with a link to [[Internet_sharing#Enable_packet_forwarding]] which contains the instructions and the note you mentioned. There is no point in duplicating the instructions, because sooner or later one version would inevitably become outdated/inaccurate. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:36, 29 May 2015 (UTC)<br />
<br />
== OpenVPN in a container ==<br />
<br />
This is a good solution instead of messing around with iptables: https://www.youtube.com/watch?v=7Obl8_dozh0&<br />
{{unsigned|03:39, 6 August 2015|Hendry}}<br />
<br />
== Nameserver Order ==<br />
In case VPN provided name servers are appended at the end of {{ic|/etc/resolv.conf}} while using {{pkg|networkmanager-openvpn}}, make sure you don't configure your primary network connection by {{pkg|systemd}} (using {{ic|dhcpcd.service}} for example). It is caused by {{pkg|openresolv}} configuration option {{ic|interface_order}} because one set of nameservers is provided by network interface (for example eth0) and second set of nameservers is provided by NetworkManager interface (yes, that is not a typo, all interfaces configured by NetworkManager are presented to openresolv as one "NetworkManager" interface). You can check which nameservers are provided to openresolv by running<br />
<br />
$ resolvconf -l<br />
<br />
To solve this issue, either disable systemd interface configuration ({{ic|systemctl disable dhcpcd}} for example) or change interface order in {{ic|/etc/resolvconf.conf}} ({{ic|1=interface_order="lo lo[0-9]* NetworkManager"}} for example). [[User:Kenny|Kenny]] ([[User talk:Kenny|talk]]) 15:06, 11 March 2016 (UTC)<br />
<br />
:Interesting point. Yet, it is always difficult to mix different network managers. For a mixed conf not to fail one should probably configure, eg NetworkManager and dhcpcd, to exclude the respective other interface first. Anyhow, as I understand your point, the same ordering issue could arise from any combination of network manager tools, and openvpn is just one application triggering openresolv where it may matter. What do you think about adding your input to [[Resolv.conf#Using_openresolv]] instead? It could then be crosslinked better (from [[OpenVPN#DNS]] and other articles where it may matter). --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 19:21, 11 March 2016 (UTC)<br />
<br />
::If OpenVPN needs some special ordering of the name servers, isn't the script ({{AUR|openvpn-update-resolv-conf}}) to blame here? If {{Pkg|openresolv}} does not support ordering, the script should not use it in the first place... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 19:45, 11 March 2016 (UTC)<br />
<br />
:::Well, {{Pkg|openresolv}} supports different types of ordering (resolvconf.conf(5)), which is another reason the issue applies more to [[resolv.conf#Using_openresolv]] (ordering for the links). The typical approach for openvpn usually is that the server should (not all do, that would be an openvpn troubleshooting matter) push DNS with a low metric. The metric alone is enough to ensure they are ordered first. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:17, 11 March 2016 (UTC)<br />
<br />
== Proposed restructuring ==<br />
<br />
Currently, the article on OpenVPN and those surrounding it are a mess at best. There's [[OpenVPN]] itself, of which the first line says "This article describes a basic installation and configuration of OpenVPN, suitable for private and small business use.", yet it lists none of the basic configuration, but only far more extended stuff. To get it running in its most basic state, you have to go to [[Easy-rsa]] and [[OpenVPN Checklist Guide]], and still haven't found anything useful in the main article. Besides that, there's [[OpenVPN in Linux containers]] and [[OpenVPN Bridge]].<br />
<br />
Thus I propose a rewrite of all of those: The OpenVPN article should contain the basic configuration to get a simple client-server-setup running, and an additional page called "OpenVPN/Tips and tricks", which contains the advanced configurations currently found in [[OpenVPN]], [[OpenVPN in Linux containers]] and [[OpenVPN Bridge]]. [[Easy-rsa]] and [[OpenVPN Checklist Guide]] could then be deleted, as they are merged into [[OpenVPN]].<br />
<br />
The version I propose to take the place of the current [[OpenVPN]] article is [[User:Dustball/OpenVPN]].<br />
<br />
[[User:Dustball|Dustball]] ([[User talk:Dustball|talk]]) 14:28, 16 October 2016 (UTC)<br />
<br />
: Gotta disagree with your assessment that the article is "a mass at best." It could be compartmentalized as you propose, but all key data are here and linked. As to your draft of a bare-bones article, I recommend simply linking the already streamlined [[easy-rsa]] article rather than duplicating any content. Have you drafted the other broken out pages you alluded to in your post as well? [[User:Graysky|Graysky]] ([[User talk:Graysky|talk]]) 14:52, 16 October 2016 (UTC)<br />
<br />
:: In an article stating it describes basic installation and configuration, those parts shouldn't be linked. The other part isn't written yet, I intend to do so tomorrow and link it here again. [[User:Dustball|Dustball]] ([[User talk:Dustball|talk]]) 14:54, 16 October 2016 (UTC)<br />
<br />
::: We need a primary article that links all sub-articles pertaining to this software if the compartmentalization is to be a success. Looking forward to seeing your proposed changes for the rest of them as well. [[User:Graysky|Graysky]] ([[User talk:Graysky|talk]]) 14:58, 16 October 2016 (UTC)<br />
<br />
== What is for running a server and what is for running clients? ==<br />
[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:52, 16 December 2016 (UTC)<br />
<br />
: Not sure what you're asking [[User:Graysky|Graysky]] ([[User talk:Graysky|talk]]) 00:24, 17 December 2016 (UTC)<br />
<br />
:: Very simple, I got confused between what is just for servers and just for clients.. Those are distinct ways of using it, aren't they? [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 22:32, 20 December 2016 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:OpenVPN&diff=459479Talk:OpenVPN2016-12-16T23:52:30Z<p>Jasper1984: What is for running a server and what is for running clients?</p>
<hr />
<div>== Missing details ==<br />
<br />
There are some things that I think would have been extremely helpful to add in this article, primarily relating to iptables. For example, in Routing_the_LAN_of_a_client_to_the_server it might have been useful to say, "do something like iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 10.4.4.30" rather than "Use the iptables NAT feature to masquerade the IP packets."<br />
<br />
I think more handholding would help this article a lot--it certainly would have helped me figure this out much faster. If no one disagrees, I'd like to add several sections on appropriate iptables rules to add. [[User:Buhman|Buhman]] 17:11, 9 April 2012 (EDT)<br />
<br />
:No objections, all constructive contributions are welcome, just remember that an article shouldn't be just a list of instructions: "handholding" is fine as long as it also explains ''why'' something needs to be done, so in your example above the existent sentence should be kept and your iptables line should be presented just as an example. -- [[User:Kynikos|Kynikos]] 08:46, 10 April 2012 (EDT)<br />
<br />
:To be honest, I think this article, the way it is now, uses way too much handholding. (I liked it more the way it was [https://wiki.archlinux.org/index.php?title=OpenVPN&oldid=170796] ). It has things like: "Edit /root/easy-rsa/vars and at a minimum set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters (do not leave any of these parameters blank)", instead of just "Edit /root/easy-rsa/vars according to your preferences" <br />
:Maybe the solution could be the path [[Beginners' Guide]] and [[Installation Guide]] took; One, super handholding-type guide, and the other as a checklist-type guide... hmm, maybe I'll write such article [[User:Chrisl|Chrisl]] ([[User talk:Chrisl|talk]]) 18:48, 16 August 2012 (UTC)<br />
<br />
:I have some time to work on this again (vacation), hopefully I'll get at least some more stuff done. If someone wants to add iptables instructions please go ahead. There is some preliminary stuff that Kynikos uncovered :) Too much, too little handholding, it's hard to say, and it looks like opinions differ. Maybe let me be verbose and then try to tighten it up and remove unwanted verbosity? [[User:jhernberg|jhernberg]] 21:50, 16 August 2012 (UTC)<br />
<br />
In any case, the article still needs a lot more information about the various ways that openvpn can be configured, and any help would be very much appreciated...:) [[User:jhernberg|jhernberg]] 21:55, 16 August 2012 (UTC)<br />
<br />
:Well, I have created the checklist-type article, it is here: [[OpenVPN Checklist Guide]] Right now, it has lots of things of the old openvpn article, but shorter. The idea is that it has links like "click here to see more details" pointing to the section of a full article explaining something, to avoid repetition. I must add that I think this way is more KISS. [[User:Chrisl|Chrisl]] ([[User talk:Chrisl|talk]]) 04:55, 17 August 2012 (UTC)<br />
<br />
Personally and at the moment I don't have much time nor interest in updating this article. But I also think it could really benefit from having sections written on IPv6, L2 bridging and possibly a related article describing how to use iptables and other firewall software with VPN. I really hope that someone can step up to the plate and write the missing sections and to correct whatever I got wrong! [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 14:33, 14 June 2014 (UTC)<br />
<br />
A piece of missing information that I consider particularly useful is the configuration of credentials for the user, so that he/she doesn't have to type them every time the VPN is started. I found out how to do that in [https://my.hostvpn.com/knowledgebase/22/Save-Password-in-OpenVPN-for-Automatic-Login.html an external site], but I'm wondering: is there a reason that information is not in the guide, or can I just happily add it? --[[User:Bruno.unna|Bruno.unna]] ([[User talk:Bruno.unna|talk]]) 10:53, 26 August 2016 (UTC)<br />
<br />
:Yes, there is a reason: it's an optional feature. The diy server config example in this article does not use --auth-user-pass-verify scripts, so the client must not provide user/pass. Vpn providers like yours use auth directives as a resource efficient method to permit/deny access to their service. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 18:02, 26 August 2016 (UTC)<br />
<br />
::Plus, having a username/password when using the ovpn profiles seems superfluous... after all, we are already using strong keys. I don't see what benefit the username/password provides for security. If anything, it complicates the entire setup. Just my 2 cents [[User:Graysky|Graysky]] ([[User talk:Graysky|talk]]) 18:25, 26 August 2016 (UTC)<br />
<br />
== Link to upstream document instead of duplicating ==<br />
This page is already a little long. OpenVPN has lots of good documentation [http://openvpn.net/index.php/open-source/documentation.html here]. It is better to give some entry points and link to the upstream documentation instead of duplicating info here. After all, it is Arch Wiki, not OpenVPN wiki. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:38, 17 August 2012 (UTC)<br />
<br />
==IPv6==<br />
If someone could add this section, it would be very much appreciated. [[User:Jhernberg|Jhernberg]] ([[User talk:Jhernberg|talk]]) 01:05, 28 June 2014 (UTC)<br />
<br />
== Connecting to vpn server from Android ==<br />
<br />
I recommend using OpenVPN for Android by Arne Schwabe, which gives a lot of detail that can help troubleshooting.<br />
The ovpn file with embedded keys & certificates needs to be used; see a proper example in the link below.<br />
The reduced privileges won't work on Android and also "key-direction 1" should be added.<br />
Server side configs are the same as in the wiki.<br />
http://dl.dropbox.com/u/6902100/archlinux/openvpn/client-empty.ovpn --[[User:Dhead|Dhead]] ([[User talk:Dhead|talk]]) 22:51, 5 March 2013 (UTC)<br />
<br />
== What is for running a server and what is for running clients? ==<br />
[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:52, 16 December 2016 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Squid&diff=411660Squid2015-12-11T16:11:08Z<p>Jasper1984: The domain changed ownership, using caches instead</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:Proxy servers]]<br />
[[ru:Squid]]<br />
[[zh-CN:Squid]]<br />
{{poor writing}}<br />
<br />
From the squid [http://www.squid-cache.org website]:<br />
<br />
:''Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on Unix and Windows and is licensed under the GNU GPL.''<br />
<br />
While Squid works wonderfully in large corporations and schools, it can also benefit the home user. However, if you are looking for a more lightweight single-user proxy, you should try [[Polipo]].<br />
<br />
== Installation ==<br />
<br />
[[pacman|Install]] {{Pkg|squid}} available in the [[Official repositories]].<br />
<br />
== Configuration ==<br />
<br />
By default, the cache directories will be created in {{ic|/var/cache/squid}}, and the appropriate permissions set up for those directories. However, for greater control, we need to delve into {{Ic|/etc/squid/squid.conf}}.<br />
<br />
Everything is well commented, but if you want to strip the comments out you should run:<br />
<br />
sed -i "/^#/d;/^ *$/d" /etc/squid/squid.conf<br />
<br />
The following options might be of some use to you. If you do not have the option present in your configuration file, add it!<br />
<br />
* {{Ic|http_port}} - Sets the port that Squid binds to on your local machine. You can have Squid bind to multiple ports by specifying multiple http_port lines. By default, Squid binds to port 3128.<br />
http_port 3128<br />
http_port 3129<br />
* {{Ic|http_access}} - This is an access control list for who is allowed to use the proxy. By default only localhost is allowed to access the proxy. For testing purposes, you may want to change the option {{Ic|http_access deny all}} to {{Ic|http_access allow all}}, which will allow anyone who can reach the port to use your proxy. To allow access only from your subnet, use:<br />
acl ip_acl src 192.168.1.0/24<br />
http_access allow ip_acl<br />
http_access deny all<br />
*{{Ic|cache_mgr}} - This is the email address of the cache manager.<br />
cache_mgr squid.admin@example.com<br />
*{{Ic|shutdown_lifetime}} - Specifies how long Squid should wait when its service is asked to stop. If you're running squid on your desktop PC, you may want to set this to something short.<br />
shutdown_lifetime 10 seconds<br />
*{{Ic|cache_mem}} - This is how much memory you want Squid to use to keep objects in memory rather than writing them to disk. Squid's total memory usage will exceed this! By default this is 8MB, so you might want to increase it if you have lots of RAM available.<br />
cache_mem 64 MB<br />
*{{Ic|visible_hostname}} - hostname that will be shown in status/error messages<br />
visible_hostname cerberus<br />
*{{Ic|cache_peer}} - If you want your Squid to go through another proxy server, rather than directly out to the Internet, you need to specify it here.<br />
*{{Ic|login}} - Use this option if the parent proxy requires authentication.<br />
*{{Ic|never_direct}} - Tells the cache to never go direct to the internet to retrieve a page. You will want this if you have set the option above.<br />
cache_peer 10.1.1.100 parent 8080 0 no-query default login=user:password<br />
never_direct allow all<br />
*{{Ic|maximum_object_size}} - The largest size of a cached object. By default this is 4 MB, so if you have a lot of disk space you will want to increase the size of it to something reasonable.<br />
maximum_object_size 10 MB<br />
{{Note|After defining a new {{ic|cache_dir}} it may be necessary to initialize the cache's directory structure with {{ic|squid -zN}}: {{ic|-z}} creates missing swap directories and {{ic|-N}} selects no-daemon mode.}}<br />
*{{Ic|cache_dir}} - This is your cache directory, where all the cached files are stored. There are many options here, but the format should generally go like:<br />
cache_dir <storage type> <directory> <size in MB> 16 256<br />
So, in the case of a school's internet proxy:<br />
cache_dir diskd /cache0 200000 16 256<br />
If you change the cache directory from the default, you must set the correct permissions on the new directory before starting Squid, otherwise it will not be able to create its cache directories and will fail to start.<br />
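<br />
Squid checks {{Ic|http_access}} lines from top to bottom, and the first line whose ACLs all match decides the request. The following Python sketch is an added example, not part of Squid or of the original article: it models only {{Ic|src}}, {{Ic|port}} and {{Ic|method}} ACLs and reports anything else as unknown, and the sample configurations and the outside address 203.0.113.7 are constructed for illustration.<br />

```python
import ipaddress

def parse_conf(text):
    """Collect acl definitions and http_access rules in file order."""
    acls = {"all": ("src", ["0.0.0.0/0", "::/0"])}  # "all" is predefined by Squid 3
    rules = []
    for raw in text.splitlines():
        fields = []
        for token in raw.split():
            if token.startswith("#"):          # rest of the line is a comment
                break
            fields.append(token)
        if len(fields) >= 4 and fields[0] == "acl":
            name, kind, values = fields[1], fields[2], fields[3:]
            if name in acls and acls[name][0] == kind:
                acls[name][1].extend(values)   # repeated acl lines add values
            else:
                acls[name] = (kind, list(values))
        elif len(fields) >= 3 and fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    """True or False when decidable, None when the ACL is not modelled here."""
    if name not in acls:
        return None
    kind, values = acls[name]
    if kind == "src":
        ip, undecided = ipaddress.ip_address(req["src"]), False
        for value in values:
            try:
                if ip in ipaddress.ip_network(value, strict=False):
                    return True
            except ValueError:                 # address range or hostname form
                undecided = True
        return None if undecided else False
    if kind == "port":
        for value in values:
            low, _, high = value.partition("-")
            if int(low) <= req["port"] <= int(high or low):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    return None                                # proxy_auth, dstdomain, ...

def decide(conf_text, src, port=80, method="GET"):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'unknown'."""
    acls, rules = parse_conf(conf_text)
    req = {"src": src, "port": port, "method": method}
    for action, names in rules:
        line = "http_access " + action + " " + " ".join(names)
        results = []
        for name in names:
            matched = acl_matches(acls, name.lstrip("!"), req)
            if matched is not None and name.startswith("!"):
                matched = not matched
            results.append(matched)
        if False in results:                   # ACLs on one line are ANDed
            continue
        if None in results:
            return "unknown", line
        return action, line                    # first matching line decides
    if not rules:
        return "deny", "no http_access lines"
    fallback = "deny" if rules[-1][0] == "allow" else "allow"
    return fallback, "no line matched: opposite of the last line"

def is_open_proxy(conf_text, outside_ip="203.0.113.7"):
    """True when a client outside every local network would be allowed."""
    return decide(conf_text, outside_ip)[0] == "allow"

# Constructed sample configurations built from the directives on this page.
SUBNET_ONLY = """
acl ip_acl src 192.168.1.0/24
http_access allow ip_acl
http_access deny all
"""
TESTING_LEFT_ON = SUBNET_ONLY.replace("deny all", "allow all")
DENY_FIRST = """
acl ip_acl src 192.168.1.0/24
http_access deny all
http_access allow ip_acl
"""
ONLY_A_DENY = """
acl blocked src 10.9.0.0/16
http_access deny blocked
"""

if __name__ == "__main__":
    for label in ("SUBNET_ONLY", "TESTING_LEFT_ON", "DENY_FIRST", "ONLY_A_DENY"):
        conf = globals()[label]
        print(label, "LAN:", decide(conf, "192.168.1.20")[0],
              "outside:", decide(conf, "203.0.113.7")[0])
```

The last sample shows the least obvious case: when no line matches, Squid applies the opposite of the final {{Ic|http_access}} line, so a list that ends in a {{Ic|deny}} for one network allows everyone else.<br />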
<br />
== Accessing services on local hostnames ==<br />
<br />
If you plan to access web servers on the LAN using hostnames that are not fully-defined (e.g. {{ic|http://mywebapp}}), you may need to enable the {{ic|dns_defnames}} option. Without this option, Squid will make a DNS request for the hostname verbatim ({{ic|mywebapp}}), which may fail, depending on your LAN's DNS setup. With the option enabled, Squid will append any domain configured in {{ic|/etc/resolv.conf}} when making the request (e.g. {{ic|mywebapp.company.local}}).<br />
<br />
{{bc|<br />
dns_defnames on<br />
}}<br />
<br />
== Starting ==<br />
<br />
Once you have finished your configuration, you should check that your configuration file is correct:<br />
# squid -k check<br />
Then create your cache directories:<br />
# squid -z<br />
Then you can start Squid!<br />
# systemctl start squid<br />
<br />
To start squid on boot use this command:<br />
# systemctl enable squid<br />
<br />
== Content Filtering ==<br />
<br />
If you're looking for a content filtering solution to work with Squid, you should check out the very powerful [[DansGuardian]].<br />
<br />
== Frontend ==<br />
<br />
If you'd like a web-based frontend for managing Squid, [[Webmin]] is your best bet.<br />
<br />
== Ad blocking with adzapper ==<br />
<br />
Adzapper is a plugin for Squid. It catches ads of all sorts (even Flash animations) and replaces them with an image of your choice, so the layout of the page isn't altered very much. <br />
<br />
=== Installation ===<br />
Adzapper is no longer in the community repository, but it can be found in the [[AUR]].<br />
<br />
=== Configuration ===<br />
echo "redirect_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf<br />
<br />
(squid 2.6.STABLE13-1)<br />
<br />
echo "url_rewrite_program /usr/bin/adzapper.wrapper" >> /etc/squid/squid.conf<br />
echo "url_rewrite_children 10" >> /etc/squid/squid.conf<br />
<br />
If you want, you can configure adzapper to your liking. The configuration out of the box works wonderfully well though.<br />
nano /etc/adzapper/adzapper.conf<br />
<br />
== Anti-virus layer ==<br />
<br />
Adding Anti-virus capabilities to Squid is done using the HAVP program to interface it with ClamAV.<br />
<br />
=== Installing dependencies ===<br />
<br />
Follow [[ClamAV]] to install ClamAV on your system. When it is installed, install {{AUR|havp}}{{Broken package link|{{aur-mirror|havp}}}} from [[AUR]].<br />
<br />
=== Configuration ===<br />
<br />
Once HAVP is installed, create a user for the HAVP instance:<br />
 useradd havp<br />
<br />
Change the owner of the antivirus log and temporary file-testing directories to havp:<br />
 chown -R havp:havp /var/run/havp<br />
 chown -R havp:havp /var/log/havp<br />
<br />
Add the mandatory lock option to your filesystem (needed by HAVP). In your {{ic|/etc/fstab}}, change:<br />
 [...] / ext3 defaults 1 1<br />
to:<br />
 [...] / ext3 defaults,mand 1 1<br />
<br />
Then remount the filesystem:<br />
 mount -o remount /<br />
<br />
Add the following to your {{ic|/etc/squid/squid.conf}}:<br />
cache_peer 127.0.0.1 parent 8080 0 no-query no-digest no-netdb-exchange default<br />
cache_peer_access 127.0.0.1 allow all<br />
<br />
Make sure your port in your /etc/havp/havp.config matches the cache_peer port in /etc/squid/squid.conf.<br />
<br />
=== Testing ===<br />
Restart Squid and start HAVP:<br />
 systemctl restart squid<br />
 systemctl start havp<br />
<br />
If you want Squid and HAVP to launch on boot, enable both services:<br />
 systemctl enable squid<br />
 systemctl enable havp<br />
<br />
You can try the antivirus capabilities with a test virus (not a real virus) available [http://www.eicar.org/anti_virus_test_file.htm here].<br />
<br />
== Transparent web proxy ==<br />
Transparency is achieved by redirecting all www requests that eth0 picks up to Squid. You need to tell Squid that it is running as a transparent web proxy by adding the {{Ic|intercept}} parameter (for squid 3.2) to the {{Ic|http_port}} option:<br />
http_port 3128 '''intercept'''<br />
<br />
=== iptables ===<br />
From a terminal with root privileges, run: <br />
# gid=`id -g proxy`<br />
# iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --gid-owner $gid -j ACCEPT<br />
# iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination SQUIDIP:3128<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
Then start Iptables:<br />
# systemctl start iptables.service<br />
<br />
Replace SQUIDIP with the public IP(s) which squid may use for its listening port and outbound connections.<br />
<br />
{{Note|If you are using a content filtering solution, you should put the port for it, not the Squid port, and you need to remove the {{Ic|intercept}} option in the http_port line.}}<br />
<br />
=== Shorewall ===<br />
Edit {{ic|/etc/shorewall/rules}} and add:<br />
 REDIRECT loc 3128 tcp www # redirect to Squid on port 3128<br />
 ACCEPT $FW net tcp www # allow Squid to fetch the www content<br />
<br />
Then restart Shorewall:<br />
 systemctl restart shorewall<br />
<br />
== HTTP Authentication ==<br />
<br />
Squid can be configured to require a user name and password in order to use it. We will use [[wikipedia:Digest_access_authentication|digest http auth]].<br />
<br />
First create a users file with {{Ic|htdigest -c /etc/squid/users MyRealm username}}. Enter a password when prompted.<br />
<br />
Then add these lines to your {{Ic|squid.conf}}:<br />
<br />
auth_param digest program /usr/lib/squid/digest_file_auth -c /etc/squid/users<br />
auth_param digest children 5<br />
auth_param digest realm MyRealm<br />
<br />
acl users proxy_auth REQUIRED<br />
http_access allow users<br />
<br />
And restart squid. Now you will be prompted to enter a username and password when accessing the proxy.<br />
<br />
You can add more users with {{Ic|htdigest /etc/squid/users MyRealm newuser}}. The {{Ic|htdigest}} tool is contained in the Apache package, so you will probably want to install it.<br />
<br />
{{Note|Be aware that {{Ic|http_access}} rules cascade, so you need to set them in the desired order.}}<br />
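<br />
The users file written by {{Ic|htdigest}} holds one {{Ic|user:realm:HA1}} entry per line, and the realm in each entry has to be the one set with {{Ic|auth_param digest realm}}. The following Python check is an added example, not part of Squid or of the original article; the sample entries, user names and passwords are constructed.<br />

```python
import hashlib
import hmac
import re

def ha1(user, realm, password):
    """HA1 = MD5(user:realm:password), the third field of an htdigest entry."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def audit_users_file(text, configured_realm):
    """Return (line_number, problem) pairs for entries that need attention."""
    problems, seen = [], set()
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3:
            problems.append((number, "not in user:realm:HA1 form"))
            continue
        user, realm, digest = parts
        if realm != configured_realm:
            problems.append((number, "realm does not match squid.conf"))
        if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
            problems.append((number, "third field is not an MD5 hex digest"))
        if (user, realm) in seen:
            problems.append((number, "duplicate user for this realm"))
        seen.add((user, realm))
    return problems

def password_matches(text, user, realm, password):
    """True when the file holds an entry for user and realm with this password."""
    expected = ha1(user, realm, password).encode("ascii")
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[:2] == [user, realm]:
            stored = parts[2].lower().encode("utf-8")
            if hmac.compare_digest(stored, expected):
                return True
    return False

# Constructed sample file: line 2 was created for another realm, line 3 is a
# plain user:password pair, line 4 repeats the user from line 1.
SAMPLE_USERS = "\n".join([
    "alice:MyRealm:" + ha1("alice", "MyRealm", "correct horse"),
    "bob:OtherRealm:" + ha1("bob", "OtherRealm", "battery"),
    "carol:staple",
    "alice:MyRealm:" + ha1("alice", "MyRealm", "changed"),
])

if __name__ == "__main__":
    for number, problem in audit_users_file(SAMPLE_USERS, "MyRealm"):
        print(f"line {number}: {problem}")
    print(password_matches(SAMPLE_USERS, "alice", "MyRealm", "correct horse"))
```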
<br />
=== NTLM ===<br />
<br />
{{Warning|NTLM is deprecated and has security problems.}}<br />
<br />
Set up [[samba]] and winbindd and test it with<br />
ntlm_auth --username=DOMAIN\\user<br />
<br />
Grant r-x access to /var/cache/samba/winbindd_privileged/ directory for squid user/group<br />
<br />
Then add something like this to squid.conf:<br />
<br />
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp<br />
auth_param ntlm children 5<br />
auth_param ntlm max_challenge_reuses 0<br />
auth_param ntlm max_challenge_lifetime 2 minutes<br />
auth_param ntlm keep_alive off<br />
<br />
acl ntlm_users proxy_auth REQUIRED<br />
http_access allow ntlm_users<br />
http_access deny all<br />
<br />
== Troubleshooting ==<br />
<br />
=== Squid needs to be restarted after boot ===<br />
<br />
If you are using both squid and NetworkManager, the following error means that squid is launched before the wifi connection is enabled by NetworkManager ({{ic|/etc/resolv.conf}} is empty).<br />
<br />
{{hc|/var/log/squid/cache.log|2=<br />
Warning: Could not find any nameservers. Trying to use localhost <br />
Please check your /etc/resolv.conf file<br />
or use the 'dns_nameservers' option in squid.conf.<br />
}}<br />
<br />
You can:<br />
* Enable [[NetworkManager#Enable NetworkManager Wait Online|NetworkManager-wait-online.service]]: {{ic|sudo systemctl enable NetworkManager-wait-online.service}}<br />
* Use [[NetworkManager#Network services with NetworkManager dispatcher|NetworkManager dispatcher]] instead of systemd to start squid:<br />
<br />
{{ic|sudo systemctl disable squid.service}}<br />
<br />
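{{hc|sudo nano /etc/NetworkManager/dispatcher.d/10_squid|2=<br />
#!/bin/sh<br />
# NetworkManager passes the interface name as $1 and the event as $2.<br />
if [ "$1" = 'wlp2s0' ]<br />
then<br />
    if [ "$2" = 'up' ]<br />
    then<br />
        # start squid only once the wireless interface is up<br />
        systemctl start squid<br />
    else<br />
        systemctl stop squid<br />
    fi<br />
fi<br />
}}<br />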
<br />
{{ic|sudo chmod u+x /etc/NetworkManager/dispatcher.d/10_squid}}<br />
<br />
== Additional Resources ==<br />
* [https://archive.is/oOdiT Elite Proxy Config Example(cached)] ([https://web.archive.org/web/20130425134032/http://gotux.net/arch-linux/squid-proxy-server/ cache-two])</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Privoxy&diff=380520Talk:Privoxy2015-06-30T14:31:41Z<p>Jasper1984: thanks, feel free to delete</p>
<hr />
<div>== <s>Usage questions</s> ==<br />
Assuming javascript off, can Privoxy be configured to behave similarly to i.e. the Tor browsing bundle? In any case, how identifiable is behavior, and how many people are you hiding amongst? Really wish the Tor browser bundle had a version that worked as a proxy. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:27, 26 June 2015 (UTC)<br />
<br />
Afaics it cannot handle https, and it seems like it might be a tad old, and under-active? Maybe i need to find something else.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:50, 26 June 2015 (UTC)<br />
<br />
:I've been using privoxy for 10+ years on one machine or another and think it is a super project. It works so well for multi-user that even routers like dd-wrt offer it in the default images. Regarding your https remark, have a read: http://www.privoxy.org/faq/misc.html#AEN909<br />
:Your questions are [[Help:Discussion#What_does_not_belong|not content related]] though. You better open a topic on the BBS. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 13:54, 26 June 2015 (UTC)<br />
<br />
:: Thanks, sorry for not using the forum.. Feel free to delete/relegate this to history.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:31, 30 June 2015 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Privoxy&diff=380131Talk:Privoxy2015-06-26T12:50:55Z<p>Jasper1984: no https</p>
<hr />
<div>Assuming JavaScript is off, can Privoxy be configured to behave similarly to i.e. the Tor browsing bundle? In any case, how identifiable is behavior, and how many people are you hiding amongst? Really wish the Tor browser bundle had a version that worked as a proxy. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:27, 26 June 2015 (UTC)<br />
<br />
Afaics it cannot handle https, and it seems like it might be a tad old, and under-active? Maybe I need to find something else. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:50, 26 June 2015 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Privoxy&diff=380130Talk:Privoxy2015-06-26T12:27:19Z<p>Jasper1984: Identifiability of privoxy behavior.</p>
<hr />
<div>Assuming JavaScript is off, can Privoxy be configured to behave similarly to i.e. the Tor browsing bundle? In any case, how identifiable is behavior, and how many people are you hiding amongst? Really wish the Tor browser bundle had a version that worked as a proxy. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:27, 26 June 2015 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:GNOME&diff=349130Talk:GNOME2014-12-08T15:31:17Z<p>Jasper1984: Annoying bug..</p>
<hr />
<div>== GNOME applications blocking window manager keyboard shortcuts? Drawing over everything? ==<br />
Seen on Fluxbox, using evince, totem, baobab (as of 3.14.1-2, 3.14.1-1, 3.14.1-1, well, earlier). Makes these programs near-useless. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 15:31, 8 December 2014 (UTC)<br />
<br />
== GNOME and fontconfig settings ==<br />
<br />
Since there isn't a section dedicated to fonts in GNOME 3 I was thinking about writing one, but I put it here first:<br />
<br />
GNOME doesn't use the dpi settings set by xorg server to scale fonts, instead it uses a fixed dpi of 96 that cannot be changed unlike previous versions:<br />
<br />
/* As we cannot rely on the X server giving us good DPI information, and<br />
* that we don't want multi-monitor screens to have different DPIs (thus<br />
* different text sizes), we'll hard-code the value of the DPI<br />
*<br />
* See also:<br />
* https://bugzilla.novell.com/show_bug.cgi?id=217790<br />
* https://bugzilla.gnome.org/show_bug.cgi?id=643704<br />
*/<br />
<br />
The gnome-settings-daemon plugin xsettings relies on this hardcoded value for some calculations and there is currently no way of changing it besides customizing the code in abs. The dimension of text can be tweaked by changing the text-scaling-factor (1.0 by default), using gnome-tweak-tool or editing the following key in dconf-editor:<br />
<br />
org.gnome.desktop.interface.text-scaling-factor<br />
<br />
The xsettings plugin will also merge some Xft values into the X resources db, overwriting values set in .Xresources or .Xdefaults files. The defaults are:<br />
<br />
Xft.antialias: 1<br />
Xft.dpi: 96<br />
Xft.hinting: 1<br />
Xft.hintstyle: hintmedium<br />
Xft.lcdfilter: lcddefault<br />
Xft.rgba: none<br />
<br />
Some of those values can be changed using dconf-editor (org.gnome.settings-daemon.plugins.xsettings) or gnome-tweak-tool. It is possible to change these values using xrdb -merge ~/.Xresources after gnome is started, but gnome will still use its values internally, so it is not a good idea.<br />
<br />
It is a good idea to configure your fonts.conf in a way consistent with the gnome settings; otherwise, at least on my laptop, fonts will look weird in some gnome apps. <br />
<br />
The dpi setting of the Xserver can be changed to 96 following [https://wiki.archlinux.org/index.php/Xorg#Display_Size_and_DPI this] guide, this way it will be the same for all applications, the drawback is that fonts might look too small or too big in other application if the real DPI of your monitor differs too much from 96.<br />
<br />
For an LCD monitor it is a good idea to activate the lcd filter by setting the following keys in dconf-editor:<br />
<br />
org.gnome.settings-daemon.plugins.xsettings.antialiasing rgba<br />
org.gnome.settings-daemon.plugins.xsettings.rgba-order rgb, bgr, vrgb or vbgr (as your monitor requires)<br />
<br />
Since the lcdfilter is not designed to work together with autohinting it is a good idea to disable it also in fonts.conf.<br />
It is also a good idea to use the same hinting value as in your fonts.conf; the default in gnome is medium:<br />
<br />
org.gnome.settings-daemon.plugins.xsettings.hinting medium<br />
<br />
These values in fonts.conf will match the gnome settings:<br />
<br />
<match target="font"><br />
<edit mode="assign" name="rgba"><const>rgb</const></edit><br />
<edit mode="assign" name="autohint"><bool>false</bool></edit><br />
<edit mode="assign" name="hinting"><bool>true</bool></edit><br />
<edit mode="assign" name="hintstyle"><const>hintmedium</const></edit><br />
<edit mode="assign" name="antialias"><bool>true</bool></edit><br />
<edit mode="assign" name="lcdfilter"><const>lcddefault</const></edit><br />
</match><br />
<br />
(to be finished, please comment or fix) {{Unsigned|23:58, 8 January 2012|Erm67}}<br />
<br />
:I think that info must be in [[Font configuration]], linked from there if needed -- [[User:Kycok|Kycok]] ([[User talk:Kycok|talk]]) 10:57, 3 June 2014 (UTC)<br />
<br />
::Well, it is very GNOME specific and complex at the same time. I would vote for putting it into [[GNOME tips]] and crosslink it from [[GNOME#Fonts]] as well as from [[Font configuration]]. But first: Above contribution of Erm67 is a couple of years back. Does someone know whether the instructions still work like that? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 09:04, 10 November 2014 (UTC)<br />
<br />
== ownCloud Integration ==<br />
I noticed missing [[ownCloud]] functionality in some GNOME applications (Nautilus & Documents) if gvfs-goa is not installed. I am not sure what else is affected or how exactly this works. I also didn't find any mention on the [[File manager functionality]] nor the [[GVFS]] pages. I was thinking of contributing to the Troubleshooting section but I do not know enough about the topic or wiki editing. [[User:Beanaroo|Beanaroo]] ([[User talk:Beanaroo|talk]]) 09:21, 3 June 2014 (UTC)<br />
: Candidate for [[GNOME#Online accounts]] perhaps? -- [[User:Chazza|Chazza]] ([[User talk:Chazza|talk]]) 14:54, 19 November 2014 (UTC)<br />
<br />
== <s>Replacing gsettings instructions which are offered by gnome-tweak-tools </s>==<br />
<br />
We could keep the whole article shorter, if we generally describe the usage and purpose of gsettings/dconf once.<br />
If no convenient option is available, we describe the actual setting with gsettings.<br />
If a convenient option is available through the gnome-tweak-tool, we should just refer to it.<br />
<br />
Examples: HIDPI, Background, Font-Settings, Application Startup...<br />
<br />
Good/bad?<br />
<br />
[[User:Hoschi|Hoschi]] ([[User talk:Hoschi|talk]]) 15:05, 21 November 2014 (UTC)<br />
<br />
: I don't like the idea for three reasons:<br />
:1) Tweak tool is a third party tool - it's not truly part of GNOME. We can't guarantee that every user will have installed it and we shouldn't be forcing users to install it if they don't particularly want it.<br />
: 2) It probably takes more words to tell users how to navigate a GUI tool than to give them a command.<br />
: 3) Users won't learn anything. If a user familiarises themself with dconf-editor or GSettings they will understand GNOME configuration better. If there's a setting that isn't exposed in Tweak Tool, a user who is familiar with dconf-editor/Gsettings will know roughly where to look and will be able to tweak that setting. In my mind, Tweak Tool is very convenient but we shouldn't be making users dependent upon it. <br />
: Just my opinion though. If others want to go down this route then I won't be disputing it. -- [[User:Chazza|Chazza]] ([[User talk:Chazza|talk]]) 20:05, 21 November 2014 (UTC)<br />
<br />
::I agree with Chazza. However, the gnome-tweak-tool is a very established tool and also very helpful to configure the shell according to your own needs, e.g. trial-error what you like best in its tabs is quick - you have to wade through a lot of settings to get to that. How about we make it more prominent to make readers not familiar with it aware of it (e.g. at the beginning of "Advanced settings")? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 21:36, 21 November 2014 (UTC)<br />
<br />
:::You're both right. We should explain gsettings/dconf thoroughly, so users can learn the internals of GNOME. And we should also present the tweak-tool as a quick solution for everyone who just wants to change a simple setting (it is semiofficial: hosted on gnome.org and even Allan Day contributed to the design, which is somewhat ironic but a good thing).<br />
<br />
:::[[User:Hoschi|Hoschi]] ([[User talk:Hoschi|talk]]) 10:05, 25 November 2014 (UTC)<br />
<br />
::::Ok then. I added another pkg link and sentence for it with [https://wiki.archlinux.org/index.php?title=GNOME&diff=346218&oldid=346152]. Feel free to add, if you like. Closing this. --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 12:17, 25 November 2014 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Mumble&diff=307788Mumble2014-03-31T13:07:45Z<p>Jasper1984: troubleshooting advice flakification</p>
<hr />
<div>[[Category:Sound]]<br />
From [[Wikipedia:Mumble (software)|Wikipedia, the free encyclopedia]]:<br />
<br />
:''Mumble is a voice over IP (VoIP) application primarily designed for use by gamers, similar to programs such as TeamSpeak and Ventrilo.''<br />
<br />
This page goes over installation and configuration of both the client portion of the software (Mumble) and the server portion (Murmur).<br />
<br />
== Client ==<br />
<br />
=== Installation ===<br />
[[pacman|Install]] {{pkg|mumble}} from the [[official repositories]].<br />
<br />
=== Configuration ===<br />
When you first launch the client, a configuration wizard will take you through the setup process.<br />
Settings can be changed later through the menu.<br />
<br />
For a discussion of advanced settings, see the<br />
[http://mumble.sourceforge.net/ official documentation].<br />
The<br />
[http://mumble.sourceforge.net/Mumbleguide Mumbleguide]<br />
is a good starting point.<br />
<br />
== Server ==<br />
The Mumble project maintains a good guide for setting up the server here:<br />
[http://mumble.sourceforge.net/Murmurguide Murmurguide].<br />
What follows is a quick-and-dirty, abridged version of that guide.<br />
<br />
=== Installation ===<br />
[[pacman|Install]] {{pkg|murmur}} from the [[official repositories]].<br />
<br />
The postinstall script will tell you to reload dbus and set the supervisor password.<br />
The default configuration doesn't use dbus, so you can ignore that if you want.<br />
Setting the supervisor password is recommended, however.<br />
<br />
=== Configuration ===<br />
<br />
==== Network ====<br />
If you use a [[firewall]], you will need to open TCP and UDP ports 64738.<br />
Depending on your network, you may also need to set a static IP, port forwarding, etc.<br />
<br />
==== Config File ====<br />
The default Murmur config file is at {{ic|/etc/murmur.ini}} and is heavily commented.<br />
Reading through all the comments is highly recommended.<br />
<br />
==== Startup ====<br />
Enable and then start Murmur with {{ic|systemctl enable murmur}} and {{ic|systemctl start murmur}}.<br />
If all went smoothly, you should have a functioning Murmur server.<br />
<br />
<!-- Not sure if this works when reverse lookups don't work properly and want to test before uncommenting<br />
==== Self-Signed Certificate ====<br />
By default, murmur will generate a default self-signed certificate.<br />
Clients connecting to the server will warn users about the host name not matching and the certificate being untrusted.<br />
If your server is in DNS, you can get rid of the hostname mismatch by creating your own self-signed certificate.<br />
<br />
Create a secure directory for the certificate and key to live in and switch to it.<br />
{{bc|<br />
mkdir /etc/murmur/ssl<br />
chmod 700 /etc/murmur/ssl<br />
chown murmur:murmur /etc/murmur/ssl<br />
cd /etc/murmur/ssl<br />
}}<br />
<br />
Generate a private key, create a certificate signing request from it, strip the password from your private key, and self-sign the certificate.<br />
{{bc|<br />
openssl genrsa -des3 -out voip.example.com.key 2048<br />
openssl req -new -key voip.example.com.key -out voip.example.com.csr<br />
cp voip.example.com.key{,.orig}<br />
openssl rsa -in voip.example.com.key.orig -out voip.example.com.key<br />
openssl x509 -req -days 365 -in voip.example.com.csr -signkey voip.example.com.key -out voip.example.com.crt<br />
}}<br />
<br />
Edit murmur.ini and tell it where your key and certificate are.<br />
{{hc|/etc/murmur.ini|2=<br />
sslKey=/etc/murmur/ssl/voip.example.com.key<br />
sslCert=/etc/murmur/ssl/voip.example.com.crt<br />
}}<br />
--><br />
<br />
== Troubleshooting ==<br />
<br />
=== Mpd sound stops entirely with mumble enabled ===<br />
In settings, turn on advanced mode, then in 'audio output' under 'attenuate applications by...' disable both checkboxes. (not perfect, because you lose that feature) Edit: 5 minutes later.. it stopped again >< maybe not so much of a solution.. Setting input to ALSA changed stuff too.</div>Jasper1984https://wiki.archlinux.org/index.php?title=Mumble&diff=307786Mumble2014-03-31T12:38:55Z<p>Jasper1984: mumble-mpd interaction</p>
<hr />
<div>[[Category:Sound]]<br />
From [[Wikipedia:Mumble (software)|Wikipedia, the free encyclopedia]]:<br />
<br />
:''Mumble is a voice over IP (VoIP) application primarily designed for use by gamers, similar to programs such as TeamSpeak and Ventrilo.''<br />
<br />
This page goes over installation and configuration of both the client portion of the software (Mumble) and the server portion (Murmur).<br />
<br />
== Client ==<br />
<br />
=== Installation ===<br />
[[pacman|Install]] {{pkg|mumble}} from the [[official repositories]].<br />
<br />
=== Configuration ===<br />
When you first launch the client, a configuration wizard will take you through the setup process.<br />
Settings can be changed later through the menu.<br />
<br />
For a discussion of advanced settings, see the<br />
[http://mumble.sourceforge.net/ official documentation].<br />
The<br />
[http://mumble.sourceforge.net/Mumbleguide Mumbleguide]<br />
is a good starting point.<br />
<br />
== Server ==<br />
The Mumble project maintains a good guide for setting up the server here:<br />
[http://mumble.sourceforge.net/Murmurguide Murmurguide].<br />
What follows is a quick-and-dirty, abridged version of that guide.<br />
<br />
=== Installation ===<br />
[[pacman|Install]] {{pkg|murmur}} from the [[official repositories]].<br />
<br />
The postinstall script will tell you to reload dbus and set the supervisor password.<br />
The default configuration doesn't use dbus, so you can ignore that if you want.<br />
Setting the supervisor password is recommended, however.<br />
<br />
=== Configuration ===<br />
<br />
==== Network ====<br />
If you use a [[firewall]], you will need to open TCP and UDP ports 64738.<br />
Depending on your network, you may also need to set a static IP, port forwarding, etc.<br />
<br />
==== Config File ====<br />
The default Murmur config file is at {{ic|/etc/murmur.ini}} and is heavily commented.<br />
Reading through all the comments is highly recommended.<br />
<br />
==== Startup ====<br />
Enable and then start Murmur with {{ic|systemctl enable murmur}} and {{ic|systemctl start murmur}}.<br />
If all went smoothly, you should have a functioning Murmur server.<br />
<br />
<!-- Not sure if this works when reverse lookups don't work properly and want to test before uncommenting<br />
==== Self-Signed Certificate ====<br />
By default, murmur will generate a default self-signed certificate.<br />
Clients connecting to the server will warn users about the host name not matching and the certificate being untrusted.<br />
If your server is in DNS, you can get rid of the hostname mismatch by creating your own self-signed certificate.<br />
<br />
Create a secure directory for the certificate and key to live in and switch to it.<br />
{{bc|<br />
mkdir /etc/murmur/ssl<br />
chmod 700 /etc/murmur/ssl<br />
chown murmur:murmur /etc/murmur/ssl<br />
cd /etc/murmur/ssl<br />
}}<br />
<br />
Generate a private key, create a certificate signing request from it, strip the password from your private key, and self-sign the certificate.<br />
{{bc|<br />
openssl genrsa -des3 -out voip.example.com.key 2048<br />
openssl req -new -key voip.example.com.key -out voip.example.com.csr<br />
cp voip.example.com.key{,.orig}<br />
openssl rsa -in voip.example.com.key.orig -out voip.example.com.key<br />
openssl x509 -req -days 365 -in voip.example.com.csr -signkey voip.example.com.key -out voip.example.com.crt<br />
}}<br />
<br />
Edit murmur.ini and tell it where your key and certificate are.<br />
{{hc|/etc/murmur.ini|2=<br />
sslKey=/etc/murmur/ssl/voip.example.com.key<br />
sslCert=/etc/murmur/ssl/voip.example.com.crt<br />
}}<br />
--><br />
<br />
== Troubleshooting ==<br />
<br />
=== Mpd sound stops entirely with mumble enabled ===<br />
In settings, turn on advanced mode, then in 'audio output' under 'attenuate applications by...' disable both checkboxes. (not perfect, because you lose that feature)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Mobile_phone&diff=307679Mobile phone2014-03-30T14:29:35Z<p>Jasper1984: </p>
<hr />
<div>[[Category:Mobile devices]]<br />
{{stub}}<br />
==iPhone==<br />
You will need {{AUR|libimobiledevice-git}} and {{AUR|libgpod-git}} compiled with afc support. You can use the {{AUR|ifuse-git}} to mount your [[iPod]] or if you use [[GNOME]] you can compile [[Gvfs]] with the option {{ic|--with-afc}} [https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gvfs].<br />
<br />
For more info see the [[iPod#iPhone/iPod_Touch|iPod]] page.<br />
<br />
==CDMA==<br />
[[Wikipedia:CDMA|CDMA]] includes phones on Samsung, LG, Sanyo, and more.<br />
<br />
Right now there is no easy way to use CDMA phones. The best option is Bitpim.<br />
<br />
You can use the latest version of {{AUR|bitpim-release}} for these phones. Make sure you run Bitpim as root and everything should work.<br />
<br />
==Installing archlinux onto phone==<br />
[http://rubiojr.rbel.co/hack/2013/01/10/installing-arch-linux-in-your-android-phone-chroot/ People have installed archlinux onto phones], however it is unclear to me how to get a nice GUI for mobile phones, and android applications going. Also, phones need to be secure.</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:TOMOYO_Linux&diff=304118Talk:TOMOYO Linux2014-03-12T10:34:52Z<p>Jasper1984: </p>
<hr />
<div>== Activation section ==<br />
I got a message that {{ic|/sbin/init}} doesn't exist, I think this advice doesn't go with systemd. After a quick search using editing inside grub, I manually changed that to effectively:<br />
<pre>GRUB_CMDLINE_LINUX_DEFAULT="init=/lib/systemd/systemd quiet security=tomoyo TOMOYO_trigger=/lib/systemd/systemd"</pre><br />
And {{ic|grub-mkconfig -o /boot/grub/grub.cfg}}-ed that. Actually haven't rebooted with that yet. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:03, 26 February 2014 (UTC)<br />
<br />
[https://bbs.archlinux.org/viewtopic.php?id=177718 The forum topic] [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 10:34, 12 March 2014 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:TOMOYO_Linux&diff=302204Talk:TOMOYO Linux2014-02-26T13:04:04Z<p>Jasper1984: Hit preview, you idiot</p>
<hr />
<div>== Activation section ==<br />
I got a message that {{ic|/sbin/init}} doesn't exist, I think this advice doesn't go with systemd. After a quick search using editing inside grub, I manually changed that to effectively:<br />
<pre>GRUB_CMDLINE_LINUX_DEFAULT="init=/lib/systemd/systemd quiet security=tomoyo TOMOYO_trigger=/lib/systemd/systemd"</pre><br />
And {{ic|grub-mkconfig -o /boot/grub/grub.cfg}}-ed that. Actually haven't rebooted with that yet. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:03, 26 February 2014 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:TOMOYO_Linux&diff=302203Talk:TOMOYO Linux2014-02-26T13:03:10Z<p>Jasper1984: Problem i encountered</p>
<hr />
<div>== Activation section ==<br />
I got a message that {{ic|/sbin/init}} doesn't exist, I think this advice doesn't go with systemd. After a quick search using editing inside grub, I manually changed that to effectively:<br />
<pre>GRUB_CMDLINE_LINUX_DEFAULT="init=/lib/systemd/systemd quiet security=tomoyo TOMOYO_trigger=/lib/systemd/systemd"</pre><br />
And {{ic|grub-mkconfig -o /boot/grub/grub.cfg}}-ed that. Actually haven't rebooted with that yet. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:03, 26 February 2014 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Archiso&diff=264819Talk:Archiso2013-07-01T13:46:53Z<p>Jasper1984: /* Estimating size? Starting over? */ new section</p>
<hr />
<div>==Archiso doesn't work on non stock kernel==<br />
<br />
I've been having on and off issues when building ISOs with archiso and the other day when I was working on one I did a pacman -Syu before working but didn't reboot. I was running on the stock kernel at that point because the linux-ck kernel had not updated yet. My ISO built fine. Later that day I rebooted and was now running on the updated linux-ck kernel and suddenly the build process would simply die without any errors, even with the -v option. Right after installing all the custom packages, a dd output appears and then a mkfs.vfat version message appears and that's where it dies. Rebooting back to the stock arch kernel fixed the issue. I'm guessing it has something to do with hardcoded names or something like that in the build scripts.<br />
<br />
Is this normal behaviour? I don't mind using the stock kernel on the ISOs I build but I figured I'd at least be able to build them on a different one.<br />
<br />
On that note, is it possible to use a kernel other than the stock one within the ISOs we build? <br />
[[User:Biltong|Biltong]] ([[User talk:Biltong|talk]]) Sun May 6 2012, 21:47 SAST<br />
<br />
== Installation ==<br />
<br />
If you wish to install the Archiso you created '''-as it is-''' on the machine where you booted it, there are several ways to do this, but either way we're following the [[Beginners' Guide]] mostly.<br />
<br />
'''1:''' To install it as if it were an ArchLinux release, simply follow the [[Beginners' Guide]]. Good luck.<br />
<br />
'''2:''' To install it without an internet connection or if you don't want to download every package you want again:<br />
<br />
First of all read the [[Beginners' Guide]], because we'll be skipping some parts.<br />
Remember to '''create the partitions''', '''format them''', '''manage labels''' and then '''mount them''' while you're booted into Archiso. <br />
{{Note|The following example assumes only one partition which will be used as /root (which includes /home).}}<br />
# mkdir /mnt<br />
# mount /dev/sdx /mnt<br />
{{Note|'''Don't''' mix up /dev/sdx (/dev/sda1 or /dev/sdb1) with other partitions.}}<br />
{{Note|You can create /mnt/home and mount that as well if you wish, so that fstab will detect it automatically.}}<br />
<br />
And now we'll be installing the [[Beginners' Guide#Install_the_base_system]], but instead of downloading it, we'll just copy everything over with rsync: [[Full System Backup with rsync]] to the hard drive:<br />
# rsync -aAXv /* /mnt --exclude={/dev/*,/proc/*,/sys/*,/tmp/*,/run/*,/mnt/*,/media/*,/lost+found,/home/*/.gvfs}<br />
{{Note|If you plan on backing up your system somewhere other than /mnt or /media, don't forget to add it to the list, to avoid an infinite loop.}}<br />
Afterwards simply follow the [[Beginners' Guide#Generate_an_fstab]] to finish the installation and customization.<br />
With an internet connection and with that guide you'll finish real quick.<br />
<br />
If you '''don't''' have an internet connection (like me), I had problems with the following:<br />
[[Beginners' Guide#Create_an_initial_ramdisk_environment]]<br />
This happened because as far as I know, this is a live environment, therefore the -linux- package is not located under /boot.<br />
I have bypassed this by simply downloading the -linux- package on another computer, and then installing it with pacman -U linux-0.0.0.0-xyxy.pkg.tar.xz . After this, the -'''mkinitcpio -p linux'''- works as it should. (or if you have an internet connection: -pacman -S linux- and then -mkinitcpio -p linux- just in case)<br />
<br />
Same thing with '''grub'''. {{Pkg|grub-bios}}. Get the package, install it, and then keep following the guide.<br />
<br />
== Sidenote: ==<br />
Re-initializing pacman can be important, though I'm not sure. [[Pacman-key#Initializing_the_keyring]]<br />
<br />
Consider trying out -Archboot- GUI for installation: [[FAQ#Q.29_Arch_needs_an_installer._Maybe_a_GUI_installer]]<br />
<br />
== Estimating size? Starting over? ==<br />
<br />
How do you best estimate the size?[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:46, 1 July 2013 (UTC)<br />
<br />
How do you start over? Suppose just take `etc/`, delete the `releng/` directory recopy, put stuff back.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:46, 1 July 2013 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Installation_Guide_Troubleshooting&diff=246723Installation Guide Troubleshooting2013-02-07T18:28:35Z<p>Jasper1984: This way of escaping '=' sucks(wikimedia.. a really good markdown wiki would be better)</p>
<hr />
<div>= Installing the base system =<br />
Errors when running {{ic|pacstrap}}<br />
<br />
=== (PGP)Key "..." could not be imported ===<br />
<br />
{{ic|error: linux-api-headers: key "F990EB20FAEsomhing" is unknown<br />
:: Import PGP key EAE999BD, "Allan McRae <me@allanmcrae.com>", created on 2011-06-03? [Y/n]<br />
error: key "Allan McRae <me@allanmcrae.com>" could not be imported}}<br />
<br />
This can be due to an incorrect system date. To fix it, set the time manually or use {{ic|ntpd -qg}} to set the time from the network ([https://bbs.archlinux.org/viewtopic.php?id=149759 a case]).<br />
<br />
=== Key import fails otherwise ===<br />
One solution is to change the core repo in {{ic|/etc/pacman.conf}} from {{ic|1=SigLevel = PackageRequired}} to {{ic|1=SigLevel = Optional TrustAll}}, but that would decrease security by a lot: unsigned packages would then be accepted, and a signature would only need to come from a key in the keyring, trusted or not.</div>Jasper1984https://wiki.archlinux.org/index.php?title=Installation_Guide_Troubleshooting&diff=246722Installation Guide Troubleshooting2013-02-07T18:25:49Z<p>Jasper1984: Had some issues, thought, why no troubleshooting page</p>
<hr />
<div>= Installing the base system =<br />
Errors when running {{ic|pacstrap}}<br />
<br />
=== (PGP)Key "..." could not be imported ===<br />
<br />
{{ic|error: linux-api-headers: key "F990EB20FAEsomhing" is unknown<br />
:: Import PGP key EAE999BD, "Allan McRae <me@allanmcrae.com>", created on 2011-06-03? [Y/n]<br />
error: key "Allan McRae <me@allanmcrae.com>" could not be imported}}<br />
<br />
This can be due to an incorrect system date. To fix it, set the time manually or use {{ic|ntpd -qg}} to set the time from the network ([https://bbs.archlinux.org/viewtopic.php?id=149759 a case]).<br />
<br />
=== Key import fails otherwise ===<br />
One solution is to change the core repo {{ic|1=SigLevel = PackageRequired}} to {{ic|Optional TrustAll}}, but that would decrease security by a lot.</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Raspberry_Pi&diff=233884Talk:Raspberry Pi2012-11-05T14:43:03Z<p>Jasper1984: </p>
<hr />
<div>19:39:03 +leming | yeah, i just saw that trash a few minutes ago<br />
<br />
19:39:13 +leming | feel free to use some superpowers and make that disappear<br />
<br />
19:40:24 +leming | not sure what logic was used in the decision to just duplicate random parts of our site<br />
<br />
19:42:58 +leming | it would be one thing if it was done extraordinarily well, it's another being done in the most fantastically awful way possible<br />
<br />
19:43:18 +leming | nevermind wholly off-topic for the arch (read: x86) wiki<br />
[[User:Danielwallace|gtmanfred]] ([[User talk:Danielwallace|talk]]) 23:44, 22 October 2012 (UTC)<br />
<br />
I am not for duplicating stuff at [http://archlinuxarm.org/ archlinuxarm.org] but it'd be silly not to put a little mention to there..[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:43, 5 November 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Security&diff=233877Talk:Security2012-11-05T13:01:36Z<p>Jasper1984: Other side of the coin of security?</p>
<hr />
<div>Just a thing to take into consideration - it's a great idea to have one central page for security, but we should try to add most of the information to the articles about the specific software and then link to there from here. An example would be putting the grub2 password protection stuff on the grub2 page, and linking to there. There are also already a lot of security-related articles, and we should link to them here too, along with some info/rationale. [[User:Thestinger|thestinger]] 23:07, 23 November 2010 (EST)<br />
<br />
==Todo==<br />
*descriptions/rationale for all the links to other articles (MAC)<br />
*base64 /dev/urandom | dd bs=1 count=10 2>/dev/null<br />
*[[SSH]]/[[fail2ban]]<br />
*use (enhanced?) ACL on partitions<br />
*[[Disk quota|quotas]]<br />
*limits/cgroups<br />
*TMOUT for root shell<br />
*sudo timeout<br />
*DNSSEC<br />
*[[Securely Wipe HDD]]<br />
*[[Using File Capabilities Instead Of Setuid]]<br />
*VNC, proxies, ssl, etc<br />
*rvim/rgvim<br />
*browser security (requestpolicy, noscript, sand-boxing browser)<br />
*PAX/grsecurity<br />
*merge [[Hardening Guides]] into this article<br />
*kernel options (which could be added as FRs on the bug tracker)<br />
*stack protector gcc flag<br />
<br />
== chmod user's home folder ==<br />
<br />
find ~ -type d -print0 | xargs -0 chmod 700<br />
find ~ -type f -print0 | xargs -0 chmod 600<br />
<br />
:Why? The top level directory (~) is already 700. Do you have an example of when this would add protection? [[User:Thestinger|thestinger]] 18:09, 11 January 2011 (EST)<br />
<br />
== The other side of the coin ==<br />
I am sure there ought to be a page, linked to from here, indicating how security of the contents of packages is maintained. Not only signing, but how well the sources of projects are checked, if you use the binaries as supplied, if it is checked if the binary corresponds to the source it allegedly is. If the compiler is checked. <br />
<br />
After all, if that side of things is insecure, any other security measures could unravel rather quickly.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:01, 5 November 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:SHA_hashes&diff=233876Talk:SHA hashes2012-11-05T12:55:18Z<p>Jasper1984: Slightly unclear</p>
<hr />
<div>Does not seem clear where {{ic|1=rounds=N}} is supposed to go, I suppose {{ic|1=/etc/pam.d/passwd}}?<br />
<br />
Looking at the {{ic|1=passwd}} man page, you can just set {{ic|1=ENCRYPT_METHOD}} in {{ic|1=/etc/login.defs}}, but it isn't in the file as an example. Or is that an inferior way of doing it? (I'd prefer if there were only one way of doing it.) [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 12:55, 5 November 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=TrueCrypt&diff=232998TrueCrypt2012-11-01T13:02:01Z<p>Jasper1984: Backdoors?</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:File systems]]<br />
{{Article summary start}}<br />
{{Article summary text|Setup and usage of TrueCrypt.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Disk Encryption}}<br />
{{Article summary end}}<br />
<br />
'''TrueCrypt''' is a free open source on-the-fly encryption (OTFE) program. Some of its features are:<br />
* Virtual encrypted disks within files that can be mounted as real disks.<br />
* Encryption of an entire hard disk partition or a storage device/medium.<br />
* All encryption algorithms use the LRW mode of operation, which is more secure than CBC mode with predictable initialization vectors for storage encryption.<br />
* "Hidden volumes" within a normal "outer" encrypted volume. A hidden volume can not be distinguished from random data without access to a passphrase and/or keyfile.<br />
<br />
For more details on how TrueCrypt compares to other disk encryption solutions, see [[Disk Encryption#Comparison table]].<br />
<br />
== Installation ==<br />
Type as root in a terminal:<br />
# pacman -S truecrypt<br />
If you use any kernel other than {{Pkg|linux}} install the corresponding kernel module.<br />
<br />
If you are using truecrypt to encrypt a virtual filesystem (e.g. a file), the module will be automatically loaded whenever you run the {{ic|truecrypt}} command. Add it to the MODULES array in /etc/rc.conf.<br />
<br />
If you are using truecrypt to encrypt a physical device (e.g. a hard disk or usb drive), you will likely want to load the module during the boot sequence:<br />
<br />
Add the module to /etc/modules-load.d/:<br />
# tee /etc/modules-load.d/truecrypt.conf <<< "truecrypt"<br />
<br />
{{Note | It does not appear that loading a module applies with TrueCrypt 7.0a, the current version in Arch as of 4/19/2011. The above advice may be outdated with respect to the module, however it is still important to enable {{ic|fuse}}, {{ic|loop}} and your encryption algorithm (e.g. {{ic|AES}}, {{ic|XTS}}, {{ic|SHA512}}) in custom kernels.}}<br />
<br />
== Encrypting a file as a virtual volume ==<br />
The following instructions will create a file that will act as a virtual filesystem, allowing you to mount it and store files within the encrypted file. This is a convenient way to store sensitive information, such as financial data or passwords, in a single file that can be accessed from Linux, Windows, or Macs.<br />
<br />
To create a new truecrypt file interactively, type the following in a terminal:<br />
$ truecrypt -c<br />
<br />
{{Box Note | This command will not work in newer versions of truecrypt. Type "truecrypt" instead and manage your encrypted volumes from the GUI, or specify the necessary options to work from the command line (see {{ic|truecrypt -h}}).}}<br />
<br />
Follow the instructions, choosing the default values unless you know what you are doing:<br />
<br />
Volume type:<br />
1) Normal<br />
2) Hidden<br />
Select [1]: 1<br />
<br />
Enter file or device path for new volume: /home/user/myEncryptedFile.tc<br />
<br />
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 32M<br />
<br />
Encryption algorithm:<br />
1) AES<br />
2) Blowfish<br />
3) CAST5<br />
4) Serpent<br />
5) Triple DES<br />
6) Twofish<br />
7) AES-Twofish<br />
8) AES-Twofish-Serpent<br />
9) Serpent-AES<br />
10) Serpent-Twofish-AES<br />
11) Twofish-Serpent<br />
Select [1]: 1<br />
<br />
Hash algorithm:<br />
1) RIPEMD-160<br />
2) SHA-1<br />
3) Whirlpool<br />
Select [1]: 1 <br />
<br />
Filesystem:<br />
1) FAT<br />
2) None<br />
Select [1]: 1<br />
<br />
Enter password for new volume '/home/user/myEncryptedFile.tc': *****************************<br />
Re-enter password: *****************************<br />
<br />
Enter keyfile path [none]: <br />
<br />
TrueCrypt will now collect random data.<br />
Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: <br />
Please move the mouse randomly until the required amount of data is captured...<br />
Mouse data captured: 100% <br />
<br />
Done: 32.00 MB Speed: 10.76 MB/s Left: 0:00:00 <br />
Volume created.<br />
<br />
[user@host:~] $<br />
<br />
You can now mount the new encrypted file to a previously-created directory:<br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
'''''Note:''' Truecrypt requires root privileges and as such, running the above command as a user will attempt to use {{Ic|sudo}} for authentication. To work with files as a regular user, please see the appropriate section below.''<br />
<br />
Once mounted, you can copy or create new files within the encrypted directory as if it were any normal directory. When you are ready to re-encrypt the contents and unmount the directory, run:<br />
$ truecrypt -d<br />
<br />
Again, this will require administrator privileges through the use of {{Ic|sudo}}. After running it, check that the files that are to be encrypted are indeed no longer in the directory (you might want to try this with unimportant data first). If they are still there, note that {{ic|rm}} does not make the data unrecoverable.<br />
<br />
For more information about truecrypt in general, run:<br />
 $ man truecrypt #Note: as of 1:7.1a-1 don't see a man or info page<br />
<br />
Several options can be passed at the command line, making automated access and creation a simple task. The man page is highly recommended reading.<br />
<br />
== Encrypting a physical volume ==<br />
If you want to use a keyfile, create one with this command:<br />
truecrypt --create-keyfile /etc/disk.key<br />
By default both passphrase and key will be needed to unlock the volume.<br />
<br />
Create a new volume in the device /dev/sda1:<br />
truecrypt --volume-type normal -c /dev/sda1<br />
<br />
Map the volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
If this command does not work for you, try this to map the volume:<br />
truecrypt --filesystem=none --slot=1 /dev/sda1<br />
<br />
If you want to use another file system than ext3 simply format the disk like you normally would, except use the path /dev/mapper/truecrypt1.<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
<br />
Mount the volume:<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount a volume:<br />
truecrypt /dev/sda1 /media/disk<br />
<br />
Unmount and unmap a volume:<br />
truecrypt -d /dev/sda1<br />
<br />
== Creating a hidden volume ==<br />
First, create a normal outer volume as described above.<br />
<br />
Map the outer volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
Create a hidden truecrypt volume in the free space of the outer volume:<br />
truecrypt --type hidden -c /dev/sda1<br />
You need to use another passphrase and/or keyfile here than the one you used for the outer volume.<br />
<br />
Unmap the outer truecrypt volume and map the hidden one:<br />
truecrypt -d /dev/sda1<br />
truecrypt -N 1 /dev/sda1<br />
Just use the passphrase you chose for the hidden volume and TrueCrypt will automatically choose it before the outer.<br />
<br />
Create a file system on it (if you have not already) and mount it:<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount the outer volume with the hidden write-protected:<br />
truecrypt -P /dev/sda1 /media/disk<br />
<br />
==Mount a special filesystem==<br />
{{Box Note | Current Versions of truecrypt seem to support ntfs write support by default so the {{ic|--filesystem}} flag no longer seems to be necessary.}}<br />
<br />
In my example I want to mount a ntfs-volume, but truecrypt does not use ntfs-3g by default (so there is no write access; checked in version 6.1).<br />
The following command works for me:<br />
truecrypt --filesystem=ntfs-3g --mount /file/you/want/to/mount<br />
You may also want to mount an NTFS volume without the execute flag on all files:<br />
truecrypt --filesystem=ntfs-3g --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002<br />
<br />
== Mount volumes via fstab ==<br />
First of all, we need to write a script which will handle the way mounting via fstab is done. Place the following in {{ic|/sbin/mount.truecrypt}}:<br />
<br />
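 #!/bin/bash<br />
 # mount(8) helper, called as: mount.truecrypt DEVICE MOUNTPOINT -o OPTIONS<br />
 # bash is required for the [[ ]] tests and the array used below.<br />
 DEV="$1"<br />
 MNTPT="$2"<br />
 OPTIONS=""<br />
 TCOPTIONS=()<br />
 shift 3<br />
 # Split the comma-separated fstab options without changing the global IFS,<br />
 # so the truecrypt options are still passed as separate arguments.<br />
 IFS=',' read -ra ARGS <<< "$*"<br />
 for arg in "${ARGS[@]}"; do<br />
 if [[ "${arg}" == "system" ]]; then<br />
 TCOPTIONS+=("-m=system")<br />
 elif [[ "${arg}" == fs=* ]]; then<br />
 FS=${arg#*=}<br />
 TCOPTIONS+=("--filesystem=${FS}")<br />
 else<br />
 OPTIONS="${OPTIONS}${arg},"<br />
 fi<br />
 done<br />
 truecrypt "${DEV}" "${MNTPT}" "${TCOPTIONS[@]}" --fs-options="${OPTIONS%,*}"<br />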
<br />
Also do not forget to make the file executable:<br />
<br />
chmod +x /sbin/mount.truecrypt<br />
<br />
Finally, add the device to fstab somewhat like this:<br />
<br />
/dev/sdb3 /mnt truecrypt fs=vfat,defaults 0 0<br />
<br />
==Mount volumes using a systemd service==<br />
To use Truecrypt with systemd, it is advised to use truecrypt as decryptor and mapper and fstab to do the mounting of encrypted volumes.<br />
<br />
First, create this service [[Systemd/Services#truecrypt_volume_setup]] in {{ic|/usr/lib/systemd/system}}. Enable it with (assuming your encrypted volume is {{ic|/dev/sda2}}):<br />
# systemctl enable truecrypt@dev-sda2.service<br />
<br />
Secondly, create a line similar to this one in your fstab (the {{ic|2}} means your file system will be checked with fsck regularly):<br />
{{hc|/etc/fstab|<nowiki><br />
/dev/mapper/truecrypt1 /home/ ext4 defaults 0 2</nowiki>}}<br />
<br />
And you should be set.<br />
<br />
==Mount volumes as a normal user==<br />
<br />
TrueCrypt needs root privileges to work: this procedure will allow normal users to use it, also giving writing permissions to mounted volumes.<br />
<br />
Both methods below require [[Sudo]]. Make sure it is configured before proceeding.<br />
<br />
===Method 1 (Add a truecrypt group)===<br />
<br />
Create a new group called truecrypt and give it the necessary permissions. Any user that belongs to that group will be able to use TrueCrypt.<br />
# groupadd truecrypt<br />
<br />
Edit the sudo configuration:<br />
# visudo<br />
<br />
Append the following lines at the bottom of the sudo configuration file:<br />
# Users in the truecrypt group are allowed to run TrueCrypt as root.<br />
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
You can now add your users to the truecrypt group:<br />
# gpasswd -a USER_1 truecrypt<br />
# gpasswd -a USER_2 truecrypt<br />
...<br />
<br />
'''''Note:''' In order to make these changes active, any user that has been added to the truecrypt group has to log out.''<br />
<br />
After that, you can mount your device by<br />
<br />
# truecrypt --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT<br />
<br />
Default mountpoint is ''/media/truecrypt1''. Normally, it is not necessary to explicitly specify the filesystem of your device using the ''--filesystem'' flag.<br />
<br />
It is definitely reasonable to give truecrypt some permission masks. Otherwise, every file on your mounted device will be executable. So instead of the above, you can use<br />
<br />
# truecrypt --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002 --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT<br />
<br />
and add this line to your bash configuration file, ''~/.bashrc'' as an alias:<br />
<br />
alias tc1='truecrypt --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002 --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT'<br />
<br />
To mount this specific device, use<br />
<br />
# tc1<br />
<br />
as a normal user.<br />
<br />
===Method 2 (sudo simplified)===<br />
Simply enable the desired user to run truecrypt without a password:<br />
# visudo<br />
<br />
Append the following:<br />
USERNAME ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
alternatively, if you make use of the wheel group:<br />
%wheel ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
If you have any difficulties with permissions as a normal user, just add the '-u' flag to the truecrypt mount command, for example:<br />
$ truecrypt -u /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
===Automatic mount on login===<br />
Simply add <br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder <<EOF<br />
password<br />
EOF<br />
to your startup procedure. Do not use the {{ic|-p}} switch; passing the password on standard input as shown is more secure. With {{ic|-p}}, every user on the system can read the password via [[ps]] and similar tools, because it is part of the process's command line. [http://thoughtyblog.wordpress.com/2009/07/05/truecrypt-linux-hide-password-from-ps/ source]<br />
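
The exposure described above can be audited for on a running system. The following function is an added example, not part of the original article: it lists the PIDs of truecrypt processes whose argument list carries a passphrase, without printing the passphrase itself. The function names, the optional proc-root parameter and the switch spellings it looks for ({{ic|-p VALUE}}, {{ic|1=-p=VALUE}}, {{ic|--password VALUE}}, {{ic|1=--password=VALUE}}) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for truecrypt processes that expose a passphrase in
# their argument list, i.e. what ps(1) shows to every local user.

# Reads one argument per line on stdin (argv[0] first). Succeeds only when
# argv[0] is "truecrypt" and a non-empty passphrase follows a password switch.
# The switch spellings checked here are an assumption of this example.
passphrase_in_argv() {
    awk '
        NR == 1 {
            n = split($0, parts, "/")
            if (parts[n] != "truecrypt") exit 1
            next
        }
        (prev == "-p" || prev == "--password") && length($0) > 0 { found = 1 }
        /^--password=./ || /^-p=./ { found = 1 }
        { prev = $0 }
        END { exit (found ? 0 : 1) }
    '
}

# Prints the PID of every process under PROC_ROOT (default: /proc) whose
# command line exposes a truecrypt passphrase. PROC_ROOT is a parameter of
# this example so the check can be run against a constructed directory tree.
find_exposed_truecrypt() {
    _proc_root="${1:-/proc}"
    for _dir in "$_proc_root"/[0-9]*; do
        [ -r "$_dir/cmdline" ] || continue
        # /proc/PID/cmdline separates arguments with NUL bytes; turn them
        # into lines. A process may exit between the glob and the read.
        if tr '\000' '\n' 2>/dev/null < "$_dir/cmdline" | passphrase_in_argv; then
            printf '%s\n' "${_dir##*/}"
        fi
    done
    return 0
}
```

Calling {{ic|find_exposed_truecrypt}} without an argument scans the live {{ic|/proc}}; a volume mounted with the password supplied on standard input, as recommended above, is not reported.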
<br />
==Safely unmount and unmap volumes (on shutdown)==<br />
You can unmount a specific device by<br />
<br />
# truecrypt -d /PATH/TO/MOUNTPOINT<br />
<br />
or omit the path to unmount all truecrypt volumes.<br />
<br />
If you want your truecrypt device to be unmounted automatically at shutdown, add the following to the file ''/etc/rc.local.shutdown'':<br />
<br />
if (/usr/bin/truecrypt --text --list)<br />
then {<br />
/usr/bin/truecrypt -d<br />
sleep 3<br />
}<br />
fi<br />
You can also omit the ''sleep'' command; it only gives the unmounting some time to complete before the actual shutdown.<br />
<br />
If you're using [[systemd]], there is a service trying to unmount truecrypt-encrypted filesystems at shutdown automatically on the [[Systemd/Services]] page.<br />
<br />
==Errors==<br />
===TrueCrypt is already running===<br />
If a messagebox ''TrueCrypt is already running'' appears when starting TrueCrypt, check for a hidden file in the home directory of the concerned user called ''.TrueCrypt-lock-username''. Substitute ''username'' with the individual username. Delete the file and start TrueCrypt again.<br />
<br />
===Deleted stale lockfile===<br />
If you always get a message "Delete stale lockfile [....]" after starting Truecrypt, the Truecrypt process with the lowest ID has to be killed during Gnome log out. A user in the Ubuntuforum provided the following solution: edit<br />
/etc/gdm/PostSession/Default <br />
and add the following line before exit 0:<br />
kill `ps -ef | grep truecrypt | tr -s ' ' | cut -d ' ' -f 2`<br />
<br />
===Issues with Unicode file / folder names ===<br />
====NTFS====<br />
If files or folders with Unicode characters in their names are displayed incorrectly or not at all on TrueCrypt NTFS volumes (while being handled correctly on, for example, non-encrypted NTFS partitions), first verify that you have the [[NTFS-3G]] driver installed and then create the following symlink as root:<br />
ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs<br />
That will cause TrueCrypt to automatically use this driver for NTFS volumes, having the same effect as the explicit use of<br />
truecrypt --filesystem=ntfs-3g /path/to/volume<br />
via the console.<br />
<br />
One may also consider setting e. g.<br />
rw,noatime<br />
amongst other options in the TrueCrypt GUI (Settings → Preferences → Mount Options).<br />
<br />
====FAT====<br />
Similarly, FAT32 volumes created using Windows may use Unicode rather than ISO 8859-1. In order to use UTF-8, set the mount option<br />
iocharset=utf8<br />
when mounting such volumes, or globally as described above.<br />
<br />
===Unmount error (device mapper)===<br />
If you always get a message "device-mapper: remove ioctl failed: Device or resource busy" when attempting to dismount your truecrypt volume, the solution is to go to Settings > Preferences > System Integration > Kernel Service and check the box<br />
Do not use kernel cryptographic services<br />
{{Note|I have only seen this with a truecrypt partition. Not with a truecrypt file.}}<br />
<br />
===Failed to set up a loop device===<br />
If you get a message "Failed to set up a loop device" when trying to create/mount a TrueCrypt volume, it may be because you updated your kernel recently without rebooting.<br />
Rebooting should fix this error.<br />
<br />
Otherwise, check if {{ic|loop}} has been loaded as kernel module:<br />
<br />
lsmod | grep loop<br />
<br />
If it is not listed, retry the TrueCrypt command after {{ic|modprobe loop}}. Should that work, consider loading {{ic|loop}} at boot through {{ic|/etc/modules-load.d}}:<br />
<br />
# tee /etc/modules-load.d/truecrypt.conf <<< "loop"<br />
<br />
{{Note|As of udev 181-5, the loop device module is no longer auto-loaded, and the procedure described here is necessary.}}<br />
<br />
==Related links==<br />
* [http://www.truecrypt.org/ TrueCrypt Homepage]<br />
* [http://en.gentoo-wiki.com/wiki/TrueCrypt HOWTO: Truecrypt Gentoo wiki]<br />
* [http://www.howtoforge.com/truecrypt_data_encryption Truecrypt Tutorial on HowToForge]<br />
* [http://www.privacylover.com/encryption/analysis-is-there-a-backdoor-in-truecrypt-is-truecrypt-a-cia-honeypot/ There is a good chance the CIA has a backdoor?] (via [https://secure.wikimedia.org/wikipedia/en/wiki/Truecrypt wp])</div>Jasper1984https://wiki.archlinux.org/index.php?title=TrueCrypt&diff=230459TrueCrypt2012-10-21T19:09:55Z<p>Jasper1984: After noticing the files *not* disappear i feel i must add this sentence, also noted the lack of man page</p>
<hr />
<div>[[Category:Security]]<br />
[[Category:File systems]]<br />
{{Article summary start}}<br />
{{Article summary text|Setup and usage of TrueCrypt.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Disk Encryption}}<br />
{{Article summary end}}<br />
<br />
'''TrueCrypt''' is a free open source on-the-fly encryption (OTFE) program. Some of its features are:<br />
* Virtual encrypted disks within files that can be mounted as real disks.<br />
* Encryption of an entire hard disk partition or a storage device/medium.<br />
* All encryption algorithms use the LRW mode of operation, which is more secure than CBC mode with predictable initialization vectors for storage encryption.<br />
* "Hidden volumes" within a normal "outer" encrypted volume. A hidden volume can not be distinguished from random data without access to a passphrase and/or keyfile.<br />
<br />
For more details on how TrueCrypt compares to other disk encryption solutions, see [[Disk Encryption#Comparison table]].<br />
<br />
== Installation ==<br />
Type as root in a terminal:<br />
# pacman -S truecrypt<br />
If you use any kernel other than {{Pkg|linux}} install the corresponding kernel module.<br />
<br />
If you are using truecrypt to encrypt a virtual filesystem (e.g. a file), the module will be automatically loaded whenever you run the {{ic|truecrypt}} command. Add it to the MODULES array in /etc/rc.conf.<br />
<br />
If you are using truecrypt to encrypt a physical device (e.g. a hard disk or usb drive), you will likely want to load the module during the boot sequence:<br />
<br />
Add the module to /etc/modules-load.d/:<br />
# tee /etc/modules-load.d/truecrypt.conf <<< "truecrypt"<br />
<br />
{{Note | It does not appear that loading a module applies with TrueCrypt 7.0a, the current version in Arch as of 4/19/2011. The above advice may be outdated with respect to the module, however it is still important to enable {{ic|fuse}}, {{ic|loop}} and your encryption algorithm (e.g. {{ic|AES}}, {{ic|XTS}}, {{ic|SHA512}}) in custom kernels.}}<br />
<br />
== Encrypting a file as a virtual volume ==<br />
The following instructions will create a file that will act as a virtual filesystem, allowing you to mount it and store files within the encrypted file. This is a convenient way to store sensitive information, such as financial data or passwords, in a single file that can be accessed from Linux, Windows, or Macs.<br />
<br />
To create a new truecrypt file interactively, type the following in a terminal:<br />
$ truecrypt -c<br />
<br />
{{Box Note | This command will not work in newer versions of truecrypt. Type "truecrypt" instead and manage your encrypted volumes from the GUI, or specify the necessary options to work from the command line (see {{ic|truecrypt -h}}).}}<br />
<br />
Follow the instructions, choosing the default values unless you know what you are doing:<br />
<br />
Volume type:<br />
1) Normal<br />
2) Hidden<br />
Select [1]: 1<br />
<br />
Enter file or device path for new volume: /home/user/myEncryptedFile.tc<br />
<br />
Enter volume size (bytes - size/sizeK/sizeM/sizeG): 32M<br />
<br />
Encryption algorithm:<br />
1) AES<br />
2) Blowfish<br />
3) CAST5<br />
4) Serpent<br />
5) Triple DES<br />
6) Twofish<br />
7) AES-Twofish<br />
8) AES-Twofish-Serpent<br />
9) Serpent-AES<br />
10) Serpent-Twofish-AES<br />
11) Twofish-Serpent<br />
Select [1]: 1<br />
<br />
Hash algorithm:<br />
1) RIPEMD-160<br />
2) SHA-1<br />
3) Whirlpool<br />
Select [1]: 1 <br />
<br />
Filesystem:<br />
1) FAT<br />
2) None<br />
Select [1]: 1<br />
<br />
Enter password for new volume '/home/user/myEncryptedFile.tc': *****************************<br />
Re-enter password: *****************************<br />
<br />
Enter keyfile path [none]: <br />
<br />
TrueCrypt will now collect random data.<br />
Is your mouse connected directly to computer where TrueCrypt is running? [Y/n]: <br />
Please move the mouse randomly until the required amount of data is captured...<br />
Mouse data captured: 100% <br />
<br />
Done: 32.00 MB Speed: 10.76 MB/s Left: 0:00:00 <br />
Volume created.<br />
<br />
[user@host:~] $<br />
<br />
You can now mount the new encrypted file to a previously-created directory:<br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
'''''Note:''' Truecrypt requires root privileges and as such, running the above command as a user will attempt to use {{Ic|sudo}} for authentication. To work with files as a regular user, please see the appropriate section below.''<br />
<br />
Once mounted, you can copy or create new files within the encrypted directory as if it were any normal directory. When you are ready to re-encrypt the contents and unmount the directory, run:<br />
$ truecrypt -d<br />
<br />
Again, this will require administrator privileges through the use of {{Ic|sudo}}. After running it, check that the files that are to be encrypted are indeed no longer in the directory (you might want to try this with unimportant data first). If they are still there, note that {{ic|rm}} does not make the data unrecoverable.<br />
<br />
For more information about truecrypt in general, run:<br />
 $ man truecrypt #Note: as of 1:7.1a-1 don't see a man or info page<br />
<br />
Several options can be passed at the command line, making automated access and creation a simple task. The man page is highly recommended reading.<br />
<br />
== Encrypting a physical volume ==<br />
If you want to use a keyfile, create one with this command:<br />
truecrypt --create-keyfile /etc/disk.key<br />
By default both passphrase and key will be needed to unlock the volume.<br />
<br />
Create a new volume in the device /dev/sda1:<br />
truecrypt --type normal -c /dev/sda1<br />
<br />
Map the volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
If this command does not work for you, try this to map the volume:<br />
truecrypt --filesystem=none --slot=1 /dev/sda1<br />
<br />
If you want to use another file system than ext3 simply format the disk like you normally would, except use the path /dev/mapper/truecrypt1.<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
<br />
Mount the volume:<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount a volume:<br />
truecrypt /dev/sda1 /media/disk<br />
<br />
Unmount and unmap a volume:<br />
truecrypt -d /dev/sda1<br />
<br />
== Creating a hidden volume ==<br />
First, create a normal outer volume as described above.<br />
<br />
Map the outer volume to /dev/mapper/truecrypt1:<br />
truecrypt -N 1 /dev/sda1<br />
<br />
Create a hidden truecrypt volume in the free space of the outer volume:<br />
truecrypt --type hidden -c /dev/sda1<br />
You need to use another passphrase and/or keyfile here than the one you used for the outer volume.<br />
<br />
Unmap the outer truecrypt volume and map the hidden one:<br />
truecrypt -d /dev/sda1<br />
truecrypt -N 1 /dev/sda1<br />
Just use the passphrase you chose for the hidden volume and TrueCrypt will automatically choose it before the outer.<br />
<br />
Create a file system on it (if you have not already) and mount it:<br />
mkfs.ext3 /dev/mapper/truecrypt1<br />
mount /dev/mapper/truecrypt1 /media/disk<br />
<br />
Map and mount the outer volume with the hidden write-protected:<br />
truecrypt -P /dev/sda1 /media/disk<br />
<br />
==Mount a special filesystem==<br />
{{Box Note | Current Versions of truecrypt seem to support ntfs write support by default so the {{ic|--filesystem}} flag no longer seems to be necessary.}}<br />
<br />
In my example I want to mount a ntfs-volume, but truecrypt does not use ntfs-3g by default (so there is no write access; checked in version 6.1).<br />
The following command works for me:<br />
truecrypt --filesystem=ntfs-3g --mount /file/you/want/to/mount<br />
You may also want to mount an NTFS volume without the execute flag on all files:<br />
truecrypt --filesystem=ntfs-3g --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002<br />
<br />
== Mount volumes via fstab ==<br />
First of all, we need to write a script which will handle the way mounting via fstab is done. Place the following in {{ic|/sbin/mount.truecrypt}}:<br />
<br />
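 #!/bin/bash<br />
 # mount(8) helper, called as: mount.truecrypt DEVICE MOUNTPOINT -o OPTIONS<br />
 # bash is required for the [[ ]] tests and the array used below.<br />
 DEV="$1"<br />
 MNTPT="$2"<br />
 OPTIONS=""<br />
 TCOPTIONS=()<br />
 shift 3<br />
 # Split the comma-separated fstab options without changing the global IFS,<br />
 # so the truecrypt options are still passed as separate arguments.<br />
 IFS=',' read -ra ARGS <<< "$*"<br />
 for arg in "${ARGS[@]}"; do<br />
 if [[ "${arg}" == "system" ]]; then<br />
 TCOPTIONS+=("-m=system")<br />
 elif [[ "${arg}" == fs=* ]]; then<br />
 FS=${arg#*=}<br />
 TCOPTIONS+=("--filesystem=${FS}")<br />
 else<br />
 OPTIONS="${OPTIONS}${arg},"<br />
 fi<br />
 done<br />
 truecrypt "${DEV}" "${MNTPT}" "${TCOPTIONS[@]}" --fs-options="${OPTIONS%,*}"<br />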
<br />
Also do not forget to make the file executable:<br />
<br />
chmod +x /sbin/mount.truecrypt<br />
<br />
Finally, add the device to fstab somewhat like this:<br />
<br />
/dev/sdb3 /mnt truecrypt fs=vfat,defaults 0 0<br />
<br />
==Mount volumes using a systemd service==<br />
To use Truecrypt with systemd, it is advised to use truecrypt as decryptor and mapper and fstab to do the mounting of encrypted volumes.<br />
<br />
First, create this service [[Systemd/Services#truecrypt_volume_setup]] in {{ic|/usr/lib/systemd/system}}. Enable it with (assuming your encrypted volume is {{ic|/dev/sda2}}):<br />
# systemctl enable truecrypt@dev-sda2.service<br />
<br />
Secondly, create a line similar to this one in your fstab (the {{ic|2}} means your file system will be checked with fsck regularly):<br />
{{hc|/etc/fstab|<nowiki><br />
/dev/mapper/truecrypt1 /home/ ext4 defaults 0 2</nowiki>}}<br />
<br />
And you should be set.<br />
<br />
==Mount volumes as a normal user==<br />
<br />
TrueCrypt needs root privileges to work: this procedure will allow normal users to use it, also giving writing permissions to mounted volumes.<br />
<br />
Both methods below require [[Sudo]]. Make sure it is configured before proceeding.<br />
<br />
===Method 1 (Add a truecrypt group)===<br />
<br />
Create a new group called truecrypt and give it the necessary permissions. Any user that belongs to that group will be able to use TrueCrypt.<br />
# groupadd truecrypt<br />
<br />
Edit the sudo configuration:<br />
# visudo<br />
<br />
Append the following lines at the bottom of the sudo configuration file:<br />
# Users in the truecrypt group are allowed to run TrueCrypt as root.<br />
%truecrypt ALL=(root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
You can now add your users to the truecrypt group:<br />
# gpasswd -a USER_1 truecrypt<br />
# gpasswd -a USER_2 truecrypt<br />
...<br />
<br />
'''''Note:''' In order to make these changes active, any user that has been added to the truecrypt group has to log out.''<br />
<br />
After that, you can mount your device by<br />
<br />
# truecrypt --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT<br />
<br />
Default mountpoint is ''/media/truecrypt1''. Normally, it is not necessary to explicitly specify the filesystem of your device using the ''--filesystem'' flag.<br />
<br />
It is definitely reasonable to give truecrypt some permission masks. Otherwise, every file on your mounted device will be executable. So instead of the above, you can use<br />
<br />
# truecrypt --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002 --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT<br />
<br />
and add this line to your bash configuration file, ''~/.bashrc'' as an alias:<br />
<br />
alias tc1='truecrypt --fs-options=users,uid=$(id -u),gid=$(id -g),fmask=0113,dmask=0002 --mount /PATH/TO/DEVICE /PATH/TO/MOUNTPOINT'<br />
<br />
To mount this specific device, use<br />
<br />
# tc1<br />
<br />
as a normal user.<br />
<br />
===Method 2 (sudo simplified)===<br />
Simply enable the desired user to run truecrypt without a password:<br />
# visudo<br />
<br />
Append the following:<br />
USERNAME ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
alternatively, if you make use of the wheel group:<br />
%wheel ALL = (root) NOPASSWD:/usr/bin/truecrypt<br />
<br />
If you have any difficulties with permissions as a normal user, just add the '-u' flag to the truecrypt mount command, for example:<br />
$ truecrypt -u /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder<br />
<br />
===Automatic mount on login===<br />
Simply add <br />
$ truecrypt /home/user/myEncryptedFile.tc /home/user/myEncryptedFileFolder <<EOF<br />
password<br />
EOF<br />
to your startup procedure. Do not use the {{ic|-p}} switch; passing the password on standard input as shown is more secure. With {{ic|-p}}, every user on the system can read the password via [[ps]] and similar tools, because it is part of the process's command line. [http://thoughtyblog.wordpress.com/2009/07/05/truecrypt-linux-hide-password-from-ps/ source]<br />
<br />
==Safely unmount and unmap volumes (on shutdown)==<br />
You can unmount a specific device by<br />
<br />
# truecrypt -d /PATH/TO/MOUNTPOINT<br />
<br />
or omit the path to unmount all truecrypt volumes.<br />
<br />
If you want your truecrypt device to be unmounted automatically at shutdown, add the following to the file ''/etc/rc.local.shutdown'':<br />
<br />
if (/usr/bin/truecrypt --text --list)<br />
then {<br />
/usr/bin/truecrypt -d<br />
sleep 3<br />
}<br />
fi<br />
You can also omit the ''sleep'' command; it only gives the unmounting some time to complete before the actual shutdown.<br />
<br />
If you're using [[systemd]], there is a service trying to unmount truecrypt-encrypted filesystems at shutdown automatically on the [[Systemd/Services]] page.<br />
<br />
==Errors==<br />
===TrueCrypt is already running===<br />
If a messagebox ''TrueCrypt is already running'' appears when starting TrueCrypt, check for a hidden file in the home directory of the concerned user called ''.TrueCrypt-lock-username''. Substitute ''username'' with the individual username. Delete the file and start TrueCrypt again.<br />
<br />
===Deleted stale lockfile===<br />
If you always get a message "Delete stale lockfile [....]" after starting Truecrypt, the Truecrypt process with the lowest ID has to be killed during Gnome log out. A user in the Ubuntuforum provided the following solution: edit<br />
/etc/gdm/PostSession/Default <br />
and add the following line before exit 0:<br />
kill `ps -ef | grep truecrypt | tr -s ' ' | cut -d ' ' -f 2`<br />
<br />
===Issues with Unicode file / folder names ===<br />
====NTFS====<br />
If files or folders with Unicode characters in their names are displayed incorrectly or not at all on TrueCrypt NTFS volumes (while being handled correctly on, e.g., non-encrypted NTFS partitions), first verify that you have the [[NTFS-3G]] driver installed and then create the following symlink as root:<br />
ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs<br />
That will cause TrueCrypt to automatically use this driver for NTFS volumes, having the same effect as the explicit use of<br />
truecrypt --filesystem=ntfs-3g /path/to/volume<br />
via the console.<br />
<br />
One may also consider setting e. g.<br />
rw,noatime<br />
amongst other options in the TrueCrypt GUI (Settings → Preferences → Mount Options).<br />
<br />
====FAT====<br />
Similarly, FAT32 volumes created using Windows may use Unicode rather than ISO 8859-1. In order to use UTF-8, set the mount option<br />
iocharset=utf8<br />
when mounting such volumes, or globally as described above.<br />
<br />
===Unmount error (device mapper)===<br />
If you always get a message "device-mapper: remove ioctl failed: Device or resource busy" when attempting to dismount your truecrypt volume, the solution is to go to Settings > Preferences > System Integration > Kernel Service and check the box<br />
Do not use kernel cryptographic services<br />
{{Note|I have only seen this with a truecrypt partition. Not with a truecrypt file.}}<br />
<br />
===Failed to set up a loop device===<br />
If you get a message "Failed to set up a loop device" when trying to create/mount a TrueCrypt volume, it may be because you updated your kernel recently without rebooting.<br />
Rebooting should fix this error.<br />
<br />
Otherwise, check if {{ic|loop}} has been loaded as kernel module:<br />
<br />
lsmod | grep loop<br />
<br />
If not listed, retry the TrueCrypt command after {{ic|modprobe loop}}. Should it work, consider adding {{ic|loop}} to the MODULES array in {{ic|/etc/modules-load.d}}:<br />
<br />
# tee /etc/modules-load.d/truecrypt.conf <<< "loop"<br />
<br />
{{Note|As of udev 181-5, the loop device module is no longer auto-loaded, and the procedure described here is necessary.}}<br />
<br />
==Related links==<br />
* [http://www.truecrypt.org/ TrueCrypt Homepage]<br />
* [http://en.gentoo-wiki.com/wiki/TrueCrypt HOWTO: Truecrypt Gentoo wiki]<br />
* [http://www.howtoforge.com/truecrypt_data_encryption Truecrypt Tutorial on HowToForge]</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:TrueCrypt&diff=230458Talk:TrueCrypt2012-10-21T19:05:43Z<p>Jasper1984: files were still there after truecrypt -d</p>
<hr />
<div>==Automatic mount home on login==<br />
You need to create an encrypted physical volume with the same password as your login. Then install pam_mount from AUR and change the following lines.<br />
/etc/security/pam_mount.conf.xml<br />
<cryptmount>bash -c "grep -q %(MNTPT) /etc/mtab || truecrypt --text --protect-hidden=no --keyfiles=&#39;&#39; %(VOLUME) %(MNTPT)"</cryptmount><br />
<cryptumount>truecrypt -d</cryptumount><br />
<volume fstype="crypt" path="/dev/sdXX" mountpoint="/home" /><br />
/etc/pam.d/{login,gdm,kdm,...}<br />
auth optional pam_mount.so<br />
session optional pam_mount.so<br />
<br />
'''Note:''' The volume label can be specified per home (~/.pam_mount.conf.xml)<br />
<br />
--[[User:Nak|Nak]] 09:03, 26 December 2010 (EST)<br />
<br />
==Outdated==<br />
Some of the information on this page is outdated since truecrypt 5.1, for example the steps to use ext3 as filesystem on the encrypted volume. I'd update it but am not sure if we should keep the present information as reference or replace it with the updated one. --[[User:Chimeric|chi]] 19:29, 2 May 2008 (EDT)<br />
<br />
==bashrc==<br />
Is there an error in ''Method 1 (Add a truecrypt group)''? It says that some lines should be added to ''/etc/bash/bashrc''. In my opinion it should say that these lines have to be added to each user's ''.bashrc''. --[[User:Sandstorm|Sandstorm]] 13:45, 1 June 2008 (EDT)<br />
: That file doesn't exist in my system, but I guess adding them to /etc/bash.bashrc should work, if people use bash. However, wouldn't it be most general if you put it in /etc/profile? --[[User:Unhammer|Unhammer]] 14:13, 12 March 2010 (EST)<br />
<br />
==GUI==<br />
What are the GUI options? (I found [http://www.kde-apps.org/content/show.php/TCmount?content=54314&PHPSESSID=e5af TCMount], but it's discontinued since it had security problems.)<br />
<br />
:: Why the fuck does it separate into a gui and a cli version like normal people, where did the man page go? You cant even do {{ic|truecrypt -l |grep someshit}} because it pops up a gui. Is this cruel and arbitrary and should it affect my trust in the software? It boggles the mind.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 18:55, 21 October 2012 (UTC)<br />
<br />
== tcplay ==<br />
<br />
Anyone else is trying it? Is that ok in this page?<br />
<br />
== Proper wipe? ==<br />
I created a truecrypted directory, then incrypted it with {{ic|truecrypt -d}}. I look at the files -'''still there?!''' Therefore i will add a comment telling people to check it. And that {{ic|rm}} doesn't make them unrecoverable.(after removing them remounting with truecrypt did return the files, so it does look like it worked) <br />
<br />
This will make the page ''look'' worse. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 19:05, 21 October 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:TrueCrypt&diff=230457Talk:TrueCrypt2012-10-21T18:55:29Z<p>Jasper1984: wtf gui</p>
<hr />
<div>==Automatic mount home on login==<br />
You need to create an encrypted physical volume with the same password as your login. Then install pam_mount from AUR and change the following lines.<br />
/etc/security/pam_mount.conf.xml<br />
<cryptmount>bash -c "grep -q %(MNTPT) /etc/mtab || truecrypt --text --protect-hidden=no --keyfiles=&#39;&#39; %(VOLUME) %(MNTPT)"</cryptmount><br />
<cryptumount>truecrypt -d</cryptumount><br />
<volume fstype="crypt" path="/dev/sdXX" mountpoint="/home" /><br />
/etc/pam.d/{login,gdm,kdm,...}<br />
auth optional pam_mount.so<br />
session optional pam_mount.so<br />
<br />
'''Note:''' The volume label can be specified per home (~/.pam_mount.conf.xml)<br />
<br />
--[[User:Nak|Nak]] 09:03, 26 December 2010 (EST)<br />
<br />
==Outdated==<br />
Some of the information on this page is outdated since truecrypt 5.1, for example the steps to use ext3 as filesystem on the encrypted volume. I'd update it but am not sure if we should keep the present information as reference or replace it with the updated one. --[[User:Chimeric|chi]] 19:29, 2 May 2008 (EDT)<br />
<br />
==bashrc==<br />
Is there an error in ''Method 1 (Add a truecrypt group)''? It says that some lines should be added to ''/etc/bash/bashrc''. In my opinion it should say that these lines have to be added to each user's ''.bashrc''. --[[User:Sandstorm|Sandstorm]] 13:45, 1 June 2008 (EDT)<br />
: That file doesn't exist in my system, but I guess adding them to /etc/bash.bashrc should work, if people use bash. However, wouldn't it be most general if you put it in /etc/profile? --[[User:Unhammer|Unhammer]] 14:13, 12 March 2010 (EST)<br />
<br />
==GUI==<br />
What are the GUI options? (I found [http://www.kde-apps.org/content/show.php/TCmount?content=54314&PHPSESSID=e5af TCMount], but it's discontinued since it had security problems.)<br />
<br />
:: Why the fuck does it separate into a gui and a cli version like normal people, where did the man page go? You cant even do {{ic|truecrypt -l |grep someshit}} because it pops up a gui. Is this cruel and arbitrary and should it affect my trust in the software? It boggles the mind.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 18:55, 21 October 2012 (UTC)<br />
<br />
== tcplay ==<br />
<br />
Anyone else is trying it? Is that ok in this page?</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=229963Talk:Bumblebee2012-10-20T11:55:42Z<p>Jasper1984: noted that issue is fixed</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee to work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because this operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher(+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Anyone is experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== <s> We are making some progress </s> ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
== <s> No devices detected, error encountered due to different cause </s> ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)<br />
<br />
== ... socket path /var/run/bumblebee.socket was incorrect. ==<br />
<br />
I get the following error:<br />
<br />
{{bc|[42641.769973] [ERROR]The Bumblebee daemon has not been started yet or the socket path /var/run/bumblebee.socket was incorrect.<br />
[42641.770121] [ERROR]Could not connect to bumblebee daemon - is it running?}}<br />
<br />
I am in the bumblebee group, {{ic|bumblebeed}} is running, i both {{ic|bumblebee-git 20120726-1}} and {{ic|bumblebee 3.0.1-2}} in the AUR show the same problem.(aside: {{ic|bumblebee}} initially had the '{{ic|Cannot access secondary GPU}}' issue above but updating linux, and maybe some other stuff fixed that) I current use the `extra/nvidia`<br />
package, but had same issue with `libgl`. Edit: fixed it, breaking xorg, fixed that, broke this again ><[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:11, 23 August 2012 (UTC)<br />
(continued)well using the systemd version instead didn't work.. Running {{ic|/usr/sbin/bumblebeed}} directly i get {{ic|[ 4917.535145] [ERROR]Module 'nvidia' is not found.}}, maybe it doesn't look in {{ic|/usr/lib/modules/extramodules-3.4-ARCH/nvidia.ko.gz}}?[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:03, 24 August 2012 (UTC)<br />
<br />
:::: [https://bbs.archlinux.org/viewtopic.php?pid=1178729#p1178729 It is fixed] i also added the troubleshooting item to the wiki.(this discussion section can be deleted)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 11:55, 20 October 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Bumblebee&diff=229961Bumblebee2012-10-20T11:53:18Z<p>Jasper1984: Added troubleshooting item.</p>
<hr />
<div>[[Category:Graphics]]<br />
[[Category:X Server]]<br />
[[es:Bumblebee]]<br />
[[fr:Bumblebee]]<br />
[[it:Bumblebee]]<br />
[[ru:Bumblebee]]<br />
[[tr:Bumblebee]]<br />
[[zh-CN:Bumblebee]]<br />
From Bumblebee's [https://github.com/Bumblebee-Project/Bumblebee/wiki/FAQ FAQ]:<br />
<br />
''Bumblebee is an effort to make NVIDIA Optimus enabled laptops work in GNU/Linux systems. Such feature involves two graphics cards with two different power consumption profiles plugged in a layered way sharing a single framebuffer.''<br />
<br />
== Bumblebee: Optimus for Linux ==<br />
<br />
[http://www.nvidia.com/object/optimus_technology.html Optimus Technology] is a ''[http://hybrid-graphics-linux.tuxfamily.org/index.php?title=Hybrid_graphics hybrid graphics]'' implementation without a hardware multiplexer. The integrated GPU manages the display while the dedicated GPU manages the most demanding rendering and ships the work to the integrated GPU to be displayed. When the laptop is running on battery supply, the dedicated GPU is turned off to save power and prolong the battery life.<br />
<br />
Bumblebee is a software implementation based on VirtualGL and a kernel driver to be able to use the dedicated GPU, which is not physically connected to the screen.<br />
<br />
Bumblebee tries to mimic the Optimus technology behavior: using the dedicated GPU for rendering when needed and powering it down when not in use. The present releases only support rendering on demand; power management is a work in progress.<br />
<br />
The NVIDIA dedicated card is managed as a separate X server connected to a "fake" screen (the screen is configured but not used). The second server is called using VirtualGL as if it were a remote server. That said, you will need a series of steps to set-up the kernel driver, the X server and a daemon.<br />
<br />
{{Warning|Bumblebee is still under heavy development! But your help is very welcome.}}<br />
<br />
==Installation==<br />
<br />
Before installing Bumblebee check your BIOS and activate Optimus (shareable graphics), if possible (BIOS doesn't have to provide this option), and install the [[Intel|intel driver]] for the secondary on board graphics card.<br />
<br />
{{Note|If you want to run a 32-bit application on a 64-bit system you must install {{AUR|lib32-virtualgl}} and proper lib32-* libraries.}}<br />
<br />
=== Installing Bumblebee with Intel / nvidia ===<br />
<br />
* Install {{AUR|bumblebee}} ( {{AUR|bumblebee-systemd}} if you are using {{Pkg|systemd}} ) from [[Arch User Repository|AUR]].<br />
<br />
* Install the special nvidia package {{aur|nvidia-utils-bumblebee}} for bumblebee. <br />
<br />
{{Note|If you want to run 32-bit applications (like games with wine) on a 64-bit system you need the {{AUR|lib32-nvidia-utils-bumblebee}} from AUR additionally.}}<br />
<br />
{{Warning|Don't install the original {{Pkg|nvidia-utils}} with Bumblebee - it will break your system !}}<br />
<br />
* Install the {{AUR|nvidia-bumblebee}} ( You can install {{AUR|dkms-nvidia}} instead if you need it) from the [[AUR]].<br />
<br />
{{Note|It makes it possible to avoid installing {{Pkg|nvidia-utils}} as a dependency when installing the nvidia driver.}}<br />
<br />
{{note|If you'd like bumblebee to turn off the NVIDIA card automatically after usage, use {{AUR|bbswitch}} from AUR. See [[#Power Management|below]].}}<br />
<br />
=== Installing Bumblebee with Intel / nouveau ===<br />
<br />
Install nouveau and required packages first:<br />
{{bc|# pacman -S xf86-video-nouveau nouveau-dri mesa}}<br />
<br />
* {{Pkg|xf86-video-nouveau}} experimental 3D acceleration driver<br />
* {{Pkg|nouveau-dri}} Mesa classic DRI + Gallium3D drivers<br />
* {{Pkg|mesa}} Mesa 3-D graphics libraries<br />
<br />
Now Install {{AUR|bumblebee}} or {{AUR|bumblebee-systemd}} from [[Arch User Repository|AUR]]:<br />
<br />
{{note|If you'd like bumblebee to turn off the NVIDIA card automatically after usage, use {{AUR|bbswitch}} from AUR. See [[#Power Management|below]].}}<br />
<br />
==Start Bumblebee==<br />
<br />
In order to use Bumblebee it is necessary to add yourself (and other users) to the bumblebee group:<br />
<br />
# usermod -a -G bumblebee $USER<br />
<br />
where {{ic|$USER}} is the login name of the user to be added. Then log off and on again to apply the group changes.<br />
<br />
To start bumblebee automatically at startup, enable {{ic|bumblebeed}} service:<br />
<br />
# systemctl enable bumblebeed.service<br />
<br />
Finished - reboot system and use the shell program {{ic|[[#Usage|optirun]]}} for Optimus NVIDIA rendering!<br />
<br />
== Usage ==<br />
<br />
The command line program {{ic|optirun}} shipped with bumblebee is your best friend for running applications on your Optimus NVIDIA card.<br />
<br />
Test Bumblebee if it works with your Optimus system:<br />
{{bc|$ optirun glxgears}}<br />
<br />
If it succeeds and the terminal you are running from mentions something about your NVIDIA - Optimus with Bumblebee is working!<br />
<br />
General Usage:<br />
<br />
{{bc|$ optirun [options] <application> [application-parameters]}}<br />
<br />
Some Examples:<br />
<br />
Start Firefox accelerated with Optimus:<br />
<br />
{{bc|$ optirun firefox}}<br />
<br />
Start Windows applications with Optimus:<br />
<br />
{{bc|$ optirun wine <windows application>.exe}}<br />
<br />
Use NVIDIA Settings with Optimus:<br />
<br />
{{bc|$ optirun nvidia-settings -c :8 }}<br />
<br />
For a list of options for {{ic|optirun}} run:<br />
{{bc|$ optirun --help}}<br />
<br />
== Configuration ==<br />
<br />
You can configure the behaviour of Bumblebee to fit your needs. Fine tuning like speed optimization, power management and other stuff can be configured in {{ic|/etc/bumblebee/bumblebee.conf}}<br />
<br />
=== Optimizing Speed ===<br />
<br />
Bumblebee renders frames for your Optimus NVIDIA card in an invisible X Server with VirtualGL and transports them back to your visible X Server.<br />
<br />
Frames will be compressed before they are transported - this saves bandwidth and can be used for speedup optimization of bumblebee:<br />
<br />
To use another compression method for a single application:<br />
<br />
$ optirun -c <compress-method> application<br />
<br />
The compression method affects CPU and GPU usage. Compressed methods (such as {{ic|jpeg}}) load the CPU the most but load the GPU the minimum necessary; uncompressed methods load the GPU the most and put the minimum possible load on the CPU.<br />
<br />
Compressed Methods are: {{ic|jpeg}}, {{ic|rgb}}, {{ic|yuv}}<br />
<br />
Uncompressed Methods are: {{ic|proxy}}, {{ic|xv}}<br />
<br />
To use a standard compression for all applications set the {{ic|VGLTransport}} to {{ic|<compress-method>}} in {{ic|/etc/bumblebee/bumblebee.conf}}<br />
<br />
{{hc|/etc/bumblebee/bumblebee.conf|<nowiki><br />
...<br />
[optirun]<br />
VGLTransport=proxy<br />
...<br />
</nowiki>}}<br />
<br />
You can also play with the way VirtualGL reads back the pixels from your graphic card. Setting {{ic|VGL_READBACK}} environment variable to {{ic|pbo}} should increase the performance. Compare these two:<br />
<br />
# PBO should be faster.<br />
VGL_READBACK=pbo optirun glxspheres<br />
# The default value is sync.<br />
VGL_READBACK=sync optirun glxspheres<br />
<br />
{{Note|CPU frequency scaling directly affects render performance}}<br />
<br />
=== Power Management ===<br />
<br />
The goal of the power management feature is to turn off the NVIDIA card when it is no longer used by bumblebee.<br />
<br />
To enable power management for bumblebee install {{AUR|bbswitch}} from AUR.<br />
<br />
{{Warning|Make sure the secondary Xorg server is stopped when not in use !}}<br />
<br />
Set the {{ic|PMMethod}} to {{ic|bbswitch}} in the driver section of {{ic|/etc/bumblebee/bumblebee.conf}}:<br />
<br />
{{hc|/etc/bumblebee/bumblebee.conf|<nowiki><br />
[bumblebeed]<br />
KeepUnusedXServer=false<br />
...<br />
[driver-nvidia]<br />
PMMethod=bbswitch<br />
...<br />
[driver-nouveau]<br />
PMMethod=bbswitch<br />
...<br />
</nowiki>}}<br />
<br />
==== Default power state of NVIDIA card ====<br />
<br />
Set {{ic|load_state}} and {{ic|unload_state}} module options according to your needs (see [https://github.com/Bumblebee-Project/bbswitch bbswitch documentation]).<br />
{{hc|/etc/modprobe.d/bbswitch.conf|<nowiki><br />
options bbswitch load_state=0 unload_state=0<br />
</nowiki>}}<br />
<br />
Just restart the bumblebee daemon to activate power management:<br />
{{bc|# systemctl restart bumblebeed.service}}<br />
<br />
==== Enable NVIDIA card during shutdown ====<br />
<br />
The NVIDIA card may not correctly initialize during boot if the card was powered off when the system was last shut down. One option is to set {{ic|TurnCardOffAtExit&#61;false}} in {{ic|/etc/bumblebee/bumblebee.conf}}; however, this will enable the card every time you stop the Bumblebee daemon, even if done manually. To ensure that the NVIDIA card is always powered on during shutdown, add the following [[Boot process#Custom_hooks|hook function]] (if using {{AUR|bbswitch}}):<br />
<br />
{{hc|/etc/rc.d/functions.d/nvidia-card-enable|<nowiki><br />
nvidia_card_enable() {<br />
BBSWITCH=/proc/acpi/bbswitch<br />
<br />
stat_busy "Enabling NVIDIA GPU"<br />
<br />
if [ -w ${BBSWITCH} ]; then<br />
echo ON > ${BBSWITCH}<br />
stat_done<br />
else<br />
stat_fail<br />
fi<br />
}<br />
<br />
add_hook shutdown_poweroff nvidia_card_enable<br />
</nowiki>}}<br />
<br />
=== Multiple monitors ===<br />
<br />
{{Note|This configuration is only valid for laptops where the extra output is hardwired to the Intel card. Unfortunately this is not the case for some (or most?) laptops, where, let's say, the HDMI output is hardwired to the NVIDIA card. In that case there is no solution as ideal as the one shown here, but you can make your extra output at least usable with the instructions on the bumblebee [https://github.com/Bumblebee-Project/Bumblebee/wiki/Multi-monitor-setup wiki page].}}<br />
<br />
You can set up multiple monitors with xorg.conf. Set them to use the Intel card, but Bumblebee can still use the NVIDIA card. One example configuration is below for two identical screens with 1080p resolution and using the HDMI out.<br />
<br />
{{hc|/etc/X11/xorg.conf|<nowiki><br />
Section "Screen"<br />
Identifier "Screen0"<br />
Device "intelgpu0"<br />
Monitor "Monitor0"<br />
DefaultDepth 24<br />
Option "TwinView" "0"<br />
SubSection "Display"<br />
Depth 24<br />
Modes "1920x1080_60.00"<br />
EndSubSection<br />
EndSection<br />
<br />
Section "Screen"<br />
Identifier "Screen1"<br />
Device "intelgpu1"<br />
Monitor "Monitor1"<br />
DefaultDepth 24<br />
Option "TwinView" "0"<br />
SubSection "Display"<br />
Depth 24<br />
Modes "1920x1080_60.00"<br />
EndSubSection<br />
EndSection<br />
<br />
Section "Monitor"<br />
Identifier "Monitor0"<br />
Option "Enable" "true"<br />
EndSection<br />
<br />
Section "Monitor"<br />
Identifier "Monitor1"<br />
Option "Enable" "true"<br />
EndSection<br />
<br />
Section "Device"<br />
Identifier "intelgpu0"<br />
Driver "intel"<br />
Option "XvMC" "true"<br />
Option "UseEvents" "true"<br />
Option "AccelMethod" "UXA"<br />
BusID "PCI:0:2:0"<br />
EndSection<br />
<br />
Section "Device"<br />
Identifier "intelgpu1"<br />
Driver "intel"<br />
Option "XvMC" "true"<br />
Option "UseEvents" "true"<br />
Option "AccelMethod" "UXA"<br />
BusID "PCI:0:2:0"<br />
EndSection<br />
</nowiki>}}<br />
<br />
You probably need to change the BusID:<br />
<br />
{{hc|<nowiki>$ lspci | grep VGA</nowiki>|<br />
00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)<br />
}}<br />
<br />
The BusID is 0:2:0<br />
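lspci prints bus, device and function in hexadecimal, while the BusID option in xorg.conf is read as decimal, so the two only look identical for small values such as the 00:02.0 above. The following added helper (not part of the original page) converts lspci lines into BusID values; the function names and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Added helper, not from the original page: turn lspci addresses
# ([domain:]bus:device.function, hexadecimal) into xorg.conf BusID
# values (PCI:bus:device:function, decimal).
H='[0-9a-fA-F]'

# First line is the lspci output quoted on the page; the others are constructed.
SAMPLE_LSPCI='00:02.0 VGA compatible controller: Intel Corporation 2nd Generation Core Processor Family Integrated Graphics Controller (rev 09)
00:1f.3 SMBus: constructed non-GPU entry
0a:00.0 3D controller: constructed second GPU entry'

# Convert one lspci line ($1) to a BusID; returns 1 if no valid address leads it.
lspci_to_busid() {
    addr=${1%% *}                     # first field of the line
    case $addr in
        *:*:*) addr=${addr#*:} ;;     # drop the optional PCI domain (0000:)
    esac
    case $addr in
        $H$H:$H$H.$H) ;;              # must look like bb:dd.f
        *) return 1 ;;
    esac
    bus=${addr%%:*}
    rest=${addr#*:}
    dev=${rest%%.*}
    func=${rest#*.}
    # Arithmetic expansion with a 0x prefix does the hex-to-decimal step.
    echo "PCI:$((0x$bus)):$((0x$dev)):$((0x$func))"
}

# Read lspci output on stdin and print one BusID per graphics device.
# Optimus NVIDIA cards are often listed as "3D controller" rather than VGA.
busids_from_lspci() {
    while IFS= read -r line; do
        case $line in
            *"VGA compatible controller"*|*"3D controller"*)
                lspci_to_busid "$line" || true ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LSPCI" | busids_from_lspci
```

On a real system, pipe the output of lspci into busids_from_lspci instead of the sample text.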
<br />
==CUDA Without Bumblebee==<br />
<br />
This is not well documented, but you do not need Bumblebee to use CUDA and it may work even on machines where optirun fails. For a guide on how to get it working with the Lenovo IdeaPad Y580 (which uses the GeForce 660M), see: https://wiki.archlinux.org/index.php/Lenovo_IdeaPad_Y580#NVIDIA_Card. Those instructions are very likely to work with other machines (except for the acpi-handle-hack part, which may not be necessary).<br />
<br />
==Troubleshooting==<br />
<br />
{{Note|Please report bugs at [https://github.com/Bumblebee-Project/Bumblebee Bumblebee-Project]'s GitHub tracker as described in its [https://github.com/Bumblebee-Project/Bumblebee/wiki/Reporting-Issues Wiki].}}<br />
<br />
=== [VGL] ERROR: Could not open display :8 ===<br />
<br />
There is a known problem with some wine applications that fork and kill the parent process without keeping track of it (for example the free to play online game "Runes of Magic")<br />
<br />
A workaround for this problem is:<br />
<br />
{{bc|<br />
$ optirun bash<br />
$ optirun wine <windows program>.exe<br />
}}<br />
<br />
If using NVIDIA drivers, a fix for this problem is to edit {{ic|/etc/bumblebee/xorg.conf.nvidia}} and change Option {{ic|ConnectedMonitor}} to {{ic|CRT-0}}.<br />
<br />
=== [ERROR]Cannot access secondary GPU ===<br />
<br />
==== No devices detected. ====<br />
<br />
In some instances, running optirun will return:<br />
<br />
{{bc|<br />
[ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
[ERROR]Aborting because fallback start is disabled.<br />
}}<br />
<br />
In this case, you will need to move the file {{ic|/etc/X11/xorg.conf.d/20-intel.conf}} to somewhere else. Restart the bumblebeed daemon, and it should work.<br />
<br />
It could be also necessary to comment the driver line in {{ic|/etc/X11/xorg.conf.d/10-monitor.conf}}.<br />
<br />
If you're using the nouveau driver you could try switching to the nVidia driver.<br />
<br />
==== NVIDIA(0): Failed to assign any connected display devices to X screen 0 ====<br />
<br />
If the console output is:<br />
<br />
{{bc|<br />
[ERROR]Cannot access secondary GPU - error: [XORG] (EE) NVIDIA(0): Failed to assign any connected display devices to X screen 0<br />
[ERROR]Aborting because fallback start is disabled.<br />
}}<br />
<br />
You can change this line in {{ic|/etc/bumblebee/xorg.conf.nvidia}}:<br />
{{bc|<br />
Option "ConnectedMonitor" "DFP"<br />
}}<br />
to<br />
{{bc|<br />
Option "ConnectedMonitor" "CRT"<br />
}}<br />
<br />
=== Fatal IO error 11 (Resource temporarily unavailable) on X server ===<br />
<br />
Change {{ic|KeepUnusedXServer}} in {{ic|/etc/bumblebee/bumblebee.conf}} from {{ic|false}} to {{ic|true}}. Your program forks into the background and bumblebee doesn't know anything about it.<br />
<br />
=== Video tearing ===<br />
<br />
Video tearing is a somewhat common problem on Bumblebee. To fix it, you need to enable vsync. It should be enabled by default on the Intel card, but verify that from Xorg logs. To check whether or not it is enabled for nvidia, run <br />
<br />
{{bc|$ optirun nvidia-settings -c :8 }}<br />
<br />
{{ic|1=X Server XVideo Settings -> Sync to VBlank}} and {{ic|1=OpenGL Settings -> Sync to VBlank}} should both be enabled. The Intel card has in general less tearing, so use it for video playback. Especially use VA-API for video decoding (e.g. {{ic|mplayer-vaapi}} and with {{ic|-vsync}} parameter).<br />
<br />
Refer to the [[Intel#Video_tearing|Intel]] article on how to fix tearing on the Intel card.<br />
<br />
If it is still not fixed, try to disable compositing from your desktop environment. Try also disabling triple buffering.<br />
<br />
=== It tells you you're not in the group, but you are ===<br />
First, check that you are actually in the group by running {{ic|groups}}. If you are not in the group, add yourself (as above), log out and log back in, then try again.<br />
<br />
Otherwise, removing {{ic|/var/run/bumblebeed.socket}} might help. [https://bbs.archlinux.org/viewtopic.php?pid=1178729#p1178729 (forum thread)]<br />
<br />
== Important Links ==<br />
* [http://www.bumblebee-project.org Bumblebee Project repository]<br />
* [http://wiki.bumblebee-project.org/ Bumblebee Project Wiki]<br />
* [https://github.com/Bumblebee-Project/bbswitch Bumblebee Project bbswitch repository]<br />
<br />
Join us at #bumblebee at freenode.net</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:CUPS&diff=227200Talk:CUPS2012-10-06T17:30:23Z<p>Jasper1984: /* How to get the damned IP. */ new section</p>
<hr />
<div>==Kernel modules==<br />
<br />
The whole Kernel modules section is confusing. Is it mandatory? What exactly should we do?<br />
<br />
== Print button greyed-out in GNOME print dialogs ==<br />
<br />
As suggested by the Arch wiki, I used the <br />
# HostNameLookups Double<br />
option. However, that resulted in following error message: <br />
IP lookup failed - connection from localhost closed!<br />
<br />
and I wasn't able to add printers via the CUPS web interface (internal server error)<br />
<br />
It seems there is an outstanding bug with respect to the HostNameLookups:<br />
http://www.cups.org/str.php?L4070+Qversion:%20-feature<br />
<br />
Removing the HostNameLookups double from the cups config file resolved my issue. Not sure why this used to solve instead of create problems.<br />
<br />
== Device node permissions ==<br />
<br />
I got a problem after an update of hplip / cups and foomatic. My printer is not working anymore.<br />
<br />
So I first checked possible problems and read the section Device node permissions. It's recommended to verify that permissions are 660. That was my case, so I looked for another solution.<br />
<br />
After a long time and much reading I came back to this section. I also read the section below, Device node permission troubleshooting. As my conf had the right permissions, I did not really read it all carefully. It was the 3rd/4th time before I saw the note about 666 permissions. I tried this and it solved my problem.<br />
<br />
So I think it would be great to also add a note about 666 to Device node permissions, because my conf looked all right according to the wiki, but in fact was not.<br />
<br />
== How to get the damned IP. ==<br />
<br />
"Then add your cups server IP or hostname into /etc/cups/client.conf." ... begs the question how you get the freaking IP or hostname.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 17:30, 6 October 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Webcam_setup&diff=223860Talk:Webcam setup2012-09-18T13:41:09Z<p>Jasper1984: /* Image preprocessing */ new section</p>
<hr />
<div>==v4l2==<br />
The VLC section recommends v4l:// to view and record from the webcam. This produces errors unless v4l2:// is used. http://en.wikipedia.org/wiki/Video4Linux says V4L1 support was dropped in kernel 2.6.38. Should this be changed or additional information included to the wiki? [[User:Corburn|Corburn]] 16:02, 5 March 2012 (EST)<br />
:Definitely, please just update the article, there's no need to keep outdated information. If you want you can also spend a few words about the deprecation of v4l in favour of v4l2. -- [[User:Kynikos|Kynikos]] 05:19, 6 March 2012 (EST)<br />
<br />
== Image preprocessing ==<br />
<br />
Any programs with configuration to make a dark image/detect broken pixels and set up preprocessing to help against it?(preferably in the configuration) I guess it is a bit of an 'advanced' feature.<br />
<br />
Note: xawtv still freezes the system for me even after adding /etc/modprobe.d/uvcvideo.conf (Other programs work)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:41, 18 September 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:GNOME/Keyring&diff=219687Talk:GNOME/Keyring2012-08-25T11:50:37Z<p>Jasper1984: </p>
<hr />
<div>== <s> Capital GNOME </s> ==<br />
Anybody there? Anyway, should this page be renamed to GNOME Keyring? Capital GNOME?<br />
: Already done. --[[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 08:16, 4 June 2012 (UTC)<br />
<br />
== How ==<br />
<br />
"and make them available to applications." ... how do you use it?(firefox?) What applications are supported? [https://live.gnome.org/GnomeKeyring the gnome page] unclear as usual...[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 11:39, 25 August 2012 (UTC) Edit: modification made to add it. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 11:50, 25 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=GNOME/Keyring&diff=219686GNOME/Keyring2012-08-25T11:49:51Z<p>Jasper1984: Added integration with firefox. Just a link to the firefox page.</p>
<hr />
<div>[[Category:Daemons and system services]]<br />
[[Category:Desktop environments]]<br />
From [https://live.gnome.org/GnomeKeyring/ GnomeKeyring]:<br />
:''GNOME Keyring is a collection of components in GNOME that store secrets, passwords, keys, certificates and make them available to applications.''<br />
<br />
== Manage using GUI ==<br />
pacman -S seahorse<br />
It is possible to change the GNOME keyring password or leave it blank. In seahorse, in the "View" dropdown, select "By Keyring". On the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."<br />
<br />
== Use Without GNOME ==<br />
It is possible to use GNOME Keyring without the rest of the GNOME desktop. To do this, add the following to your {{ic|~/.xinitrc}} file:<br />
# Start a D-Bus session<br />
source /etc/X11/xinit/xinitrc.d/30-dbus<br />
# Start GNOME Keyring<br />
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)<br />
# You probably need to do this too:<br />
export SSH_AUTH_SOCK<br />
export GPG_AGENT_INFO<br />
export GNOME_KEYRING_CONTROL<br />
export GNOME_KEYRING_PID<br />
See {{bug|13986}} for more info.<br />
<br />
On [[Xfce]] you may need to disable {{ic|gpg-agent}}, silently [http://docs.xfce.org/xfce/xfce4-session/advanced loaded at startup] by {{ic|xfce4-session}}, otherwise the above environment variables will be overwritten. Execute the following command, then log out and log in again:<br />
xfconf-query -c xfce4-session -p /startup/ssh-agent/enabled -n -t bool -s false<br />
<br />
== SSH Keys ==<br />
To add your SSH key:<br />
<br />
$ ssh-add ~/.ssh/id_dsa<br />
Enter passphrase for /home/mith/.ssh/id_dsa:<br />
<br />
To list automatically loaded keys:<br />
<br />
$ ssh-add -L<br />
<br />
To disable all keys:<br />
<br />
$ ssh-add -D<br />
<br />
Now when you connect to a server, the key will be found and a dialog will pop up asking you for the passphrase. It has an option to automatically unlock the key when you log in. If you check this, you will not need to enter your passphrase again!<br />
<br />
== Integration with applications ==<br />
<br />
* [[Firefox#GNOME_integration]]<br />
<br />
== The gnome-keyring dialog does not appear in some terminals when connecting with SSH ==<br />
Solution:<br />
<br />
Add the following lines to your {{ic|~/.bashrc}}:<br />
<br />
SSH_AUTH_SOCK=`netstat -xl | grep -o "$HOME"'/.cache/keyring-.*/ssh$'`<br />
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK<br />
<br />
Running the following in your terminal:<br />
<br />
echo $SSH_AUTH_SOCK<br />
<br />
will return something like:<br />
<br />
/home/USER/.cache/keyring-ABCDEF/ssh<br />
<br />
Now when you connect with ssh, the gnome-keyring dialog will prompt you for the passphrase.<br />
<br />
== Unlock at Startup ==<br />
GNOME's login manager ({{pkg|gdm}}) will automatically unlock the keyring once you log in; for others it is not so easy.<br />
<br />
For SLiM, see [[SLiM#SLiM_and_Gnome_Keyring]]. This method works for KDM as well, but you need to edit {{ic|/etc/pam.d/kde}} instead of {{ic|/etc/pam.d/slim}}.<br />
<br />
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. '''Note''': your passwords will be stored unencrypted if you do this.<br />
<br />
== Useful Tools ==<br />
=== gnome-keyring-query ===<br />
{{AUR|gnome-keyring-query}} from the AUR provides a simple command-line tool for querying passwords from the password store of the GNOME Keyring.</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:GNOME/Keyring&diff=219685Talk:GNOME/Keyring2012-08-25T11:39:10Z<p>Jasper1984: /* How */ new section</p>
<hr />
<div>== <s> Capital GNOME </s> ==<br />
Anybody there? Anyway, should this page be renamed to GNOME Keyring? Capital GNOME?<br />
: Already done. --[[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 08:16, 4 June 2012 (UTC)<br />
<br />
== How ==<br />
<br />
"and make them available to applications." ... how do you use it?(firefox?) What applications are supported? [https://live.gnome.org/GnomeKeyring the gnome page] unclear as usual...[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 11:39, 25 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=219569Talk:Bumblebee2012-08-24T14:03:56Z<p>Jasper1984: /* ... socket path /var/run/bumblebee.socket was incorrect. */</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee to work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because this operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher(+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Anyone is experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== We are making some progress ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
==<s>What about lib32-nvidia-utils-bumblebee</s>==<br />
Nowhere in the wiki article lib32-nvidia-utils-bumblebee is mentioned. But this is necessary if I would like to run 32bit wine games, right? --[[User:Onny|Onny]] 16:17, 29 January 2012 (EST)<br />
<br />
:I've added the lib32-nvidia-utils-bumblebee in the installation instructions --[[User:febLey|febLey]] 13:37, 13 July 2012 (GMT+1)<br />
<br />
== No devices detected, error encountered due to different cause ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)<br />
<br />
== ... socket path /var/run/bumblebee.socket was incorrect. ==<br />
<br />
I get the following error:<br />
<br />
{{bc|[42641.769973] [ERROR]The Bumblebee daemon has not been started yet or the socket path /var/run/bumblebee.socket was incorrect.<br />
[42641.770121] [ERROR]Could not connect to bumblebee daemon - is it running?}}<br />
<br />
I am in the bumblebee group, {{ic|bumblebeed}} is running, i both {{ic|bumblebee-git 20120726-1}} and {{ic|bumblebee 3.0.1-2}} in the AUR show the same problem. (aside: {{ic|bumblebee}} initially had the '{{ic|Cannot access secondary GPU}}' issue above but updating linux, and maybe some other stuff fixed that) I currently use the `extra/nvidia`<br />
package, but had same issue with `libgl`. Edit: fixed it, breaking xorg, fixed that, broke this again ><[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:11, 23 August 2012 (UTC)<br />
(continued)well using the systemd version instead didn't work.. Running {{ic|/usr/sbin/bumblebeed}} directly i get {{ic|[ 4917.535145] [ERROR]Module 'nvidia' is not found.}}, maybe it doesn't look in {{ic|/usr/lib/modules/extramodules-3.4-ARCH/nvidia.ko.gz}}?[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 14:03, 24 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=219476Talk:Bumblebee2012-08-24T00:23:01Z<p>Jasper1984: /* ... socket path /var/run/bumblebee.socket was incorrect. */</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee to work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because this operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher(+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Anyone is experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== We are making some progress ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
==<s>What about lib32-nvidia-utils-bumblebee</s>==<br />
Nowhere in the wiki article lib32-nvidia-utils-bumblebee is mentioned. But this is necessary if I would like to run 32bit wine games, right? --[[User:Onny|Onny]] 16:17, 29 January 2012 (EST)<br />
<br />
:I've added the lib32-nvidia-utils-bumblebee in the installation instructions --[[User:febLey|febLey]] 13:37, 13 July 2012 (GMT+1)<br />
<br />
== No devices detected, error encountered due to different cause ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)<br />
<br />
== ... socket path /var/run/bumblebee.socket was incorrect. ==<br />
<br />
I get the following error:<br />
<br />
{{bc|[42641.769973] [ERROR]The Bumblebee daemon has not been started yet or the socket path /var/run/bumblebee.socket was incorrect.<br />
[42641.770121] [ERROR]Could not connect to bumblebee daemon - is it running?}}<br />
<br />
I am in the bumblebee group, {{ic|bumblebeed}} is running, i both {{ic|bumblebee-git 20120726-1}} and {{ic|bumblebee 3.0.1-2}} in the AUR show the same problem. (aside: {{ic|bumblebee}} initially had the '{{ic|Cannot access secondary GPU}}' issue above but updating linux, and maybe some other stuff fixed that) I currently use the `extra/nvidia`<br />
package, but had same issue with `libgl`. Edit: fixed it, breaking xorg, fixed that, broke this again ><[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:11, 23 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=219467Talk:Bumblebee2012-08-23T23:11:03Z<p>Jasper1984: /* ... socket path /var/run/bumblebee.socket was incorrect. */</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee to work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because this operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher(+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Anyone is experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== We are making some progress ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
==<s>What about lib32-nvidia-utils-bumblebee</s>==<br />
Nowhere in the wiki article lib32-nvidia-utils-bumblebee is mentioned. But this is necessary if I would like to run 32bit wine games, right? --[[User:Onny|Onny]] 16:17, 29 January 2012 (EST)<br />
<br />
:I've added the lib32-nvidia-utils-bumblebee in the installation instructions --[[User:febLey|febLey]] 13:37, 13 July 2012 (GMT+1)<br />
<br />
== No devices detected, error encountered due to different cause ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)<br />
<br />
== ... socket path /var/run/bumblebee.socket was incorrect. ==<br />
<br />
I get the following error:<br />
<br />
{{bc|[42641.769973] [ERROR]The Bumblebee daemon has not been started yet or the socket path /var/run/bumblebee.socket was incorrect.<br />
[42641.770121] [ERROR]Could not connect to bumblebee daemon - is it running?}}<br />
<br />
I am in the bumblebee group, {{ic|bumblebeed}} is running, and both {{ic|bumblebee-git 20120726-1}} and {{ic|bumblebee 3.0.1-2}} in the AUR show the same problem. (Aside: {{ic|bumblebee}} initially had the '{{ic|Cannot access secondary GPU}}' issue above, but updating linux, and maybe some other stuff, fixed that.) I currently use the `extra/nvidia`
package, but had same issue with `libgl`.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:11, 23 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=219466Talk:Bumblebee2012-08-23T23:06:37Z<p>Jasper1984: /* ... socket path /var/run/bumblebee.socket was incorrect. */ new section</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because these operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher (+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Is anyone experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think it is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on the Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== We are making some progress ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
==<s>What about lib32-nvidia-utils-bumblebee</s>==<br />
Nowhere in the wiki article lib32-nvidia-utils-bumblebee is mentioned. But this is necessary if I would like to run 32bit wine games, right? --[[User:Onny|Onny]] 16:17, 29 January 2012 (EST)<br />
<br />
:I've added the lib32-nvidia-utils-bumblebee in the installation instructions --[[User:febLey|febLey]] 13:37, 13 July 2012 (GMT+1)<br />
<br />
== No devices detected, error encountered due to different cause ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)<br />
<br />
== ... socket path /var/run/bumblebee.socket was incorrect. ==<br />
<br />
I get the following error:<br />
<br />
{{bc|[42641.769973] [ERROR]The Bumblebee daemon has not been started yet or the socket path /var/run/bumblebee.socket was incorrect.<br />
[42641.770121] [ERROR]Could not connect to bumblebee daemon - is it running?}}<br />
<br />
I am in the bumblebee group, {{ic|bumblebeed}} is running, and both {{ic|bumblebee-git 20120726-1}} and {{ic|bumblebee 3.0.1-2}} in the AUR show the same problem. (Aside: {{ic|bumblebee}} initially had the '{{ic|Cannot access secondary GPU}}' issue above, but updating linux, and maybe some other stuff, fixed that.)[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 23:06, 23 August 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:GRUB&diff=213767Talk:GRUB2012-07-20T16:03:16Z<p>Jasper1984: /* Please make the different options for changing the MBR more clear */ new section</p>
<hr />
<div>== <s> Grub2 vs grub-gfx </s> ==<br />
'''Q:''' So what are the advantages of using grub2 instead of grub-gfx ? --[[User:Oliwer|Oliwer]] 23:44, 26 December 2008 (EDT)<br />
<br />
'''A''': Grub-gfx only adds the support for .xpm files, grub2 instead has builtin support for .tga, .jpeg/.jpg and .png formats. At some point the .tft files will also be supported (the ones that grub2-gxmenu supports) but I dunno when that's gonna happen. <br />
--[[User:Det|Det]] 10:22, 24 February 2010 (EST)<br />
<br />
== <s> System Recovery Section </s> ==<br />
<br />
I suggest we add something like this for people who do not back up their old grub installation and forgot to generate their cfg file.<br />
<br />
From an Arch Live Cd Do Prepare Hard Drives, Manually Configure Mount Points, Make Sure These Are the Same as your original Arch Installation<br />
<br />
Switch to Another Window and Chroot into Your Installed Arch<br />
<br />
mount -o bind /dev /mnt/dev<br />
<br />
mount -t proc /proc /mnt/proc/<br />
<br />
mount -t sysfs /sys /mnt/sys/<br />
<br />
chroot /mnt bash<br />
<br />
Then generate the config file.<br />
<br />
GRUB_PREFIX="/boot/grub" grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
== <s> Grub2 1.98 </s> ==<br />
<br />
The new stuff brought by 1.98 should probably be explained. --[[User:Det|Det]] 10:57, 16 March 2010 (EDT)<br />
<br />
'''E:''' I added a few "/etc/default/grub notes". The article only needs a bit expansion and the move from those notes I made to the actual instructions, anymore. --[[User:Det|Det]] 13:44, 28 March 2010 (EDT)<br />
<br />
'''E2:''' OK, done. I changed the notes to the actual instructions and removed the '''Expansion''' flag. If somebody feels that the other stuff too, such as what's in /etc/grub.d/* should be mentioned here, you are free to re-add the flag. I did some other stuff too, which you can check from the page history if you are interested. The only problem is that I'm still that stupid that I test the changes by updating the page itself, which makes the page history go nuts. Just give me some time to get used to the magic *Show preview* button :). --[[User:Det|Det]] 15:58, 8 April 2010 (EDT)<br />
<br />
== <s> Upgrading from grub 0.97 to grub2 - MBR </s> ==<br />
<br />
To fix the problem described on section [[GRUB2#Other]] you can remove grub 0.97 from MBR by following command:<br />
<pre>dd if=/dev/zero of=/dev/sdX bs=446 count=1</pre><br />
where /dev/sdX is hard disk with grub installed in MBR (I have no idea if that works when you have grub installed on partition instead of hd, like /dev/sda1).<br />
<br />
It is good idea to create backup of bootloader before that by executing:<br />
<pre>dd if=/dev/sdX of=your/backup.img bs=446 count=1</pre><br />
After that you can install grub2 on MBR, and it works (hopefully) without any dirty hacks.<br />
<br />
== <s> Make up your mind on when to modprobe dm-mod </s> ==<br />
@Skodabenz & NTia89<br />
:On Feb 17 NTia89 took the time to suggest the probing of dm-mod at the beginning of the Installation section, not deleting it from the section below but just inserting a note. On Mar 15 Skodabenz only removed the modprobe command inserted by NTia89, but not the related note, so this leaves the article inaccurate on stating when to load dm-mod. I think either the note should be removed (if Skodabenz is right), or the modprobe dm-mod command should be moved to the beginning of the Installation section (if NTia89 is right). I cannot test this at the moment. -- [[User:Kynikos|Kynikos]] 14:13, 15 March 2011 (EDT)<br />
<br />
@Kynikos: Whether grub2 install happens during Arch Linux installation or in a existing system, dm-mod (device-mapper module) needs to be loaded for the sake of grub-setup utility. Even during Arch Linux installation, the user has to anyway go to one of the bootloader installation section where dm-mod loading comes again. Therefore i do not think it is appropriate to move it to the beginning of the Installation section since it is not specific to Arch Linux installation. Also where is the 'related note' you are talking about? -- [[User:the.ridikulus.rat|Keshav P R]] 17:37, 16 March 2011 (EDT)<br />
<br />
:Perfectly explained, thanks. The "related note" is this one I've just removed ([https://wiki.archlinux.org/index.php?title=GRUB2&action=historysubmit&diff=133989&oldid=133721 see diff]); it was added by NTia89 when he edited the article. -- [[User:Kynikos|Kynikos]] 19:53, 16 March 2011 (EDT)<br />
<br />
== EFI ==<br />
<br />
Is there any reason why grub should be installed to /boot/efi/efi/grub and not to /boot/efi? UEFI wants to have the efi-image under <EFI SYSTEM PARTITION>/efi/name, so /boot/efi/grub should do the trick.<br />
Additionally, mounting (e.g.) /dev/sda1 to /boot/efi and just placing the grub there will possibly conflict with having a LVM+LUKS setup, where /boot will then be encrypted. At the moment I'm running a funtoo installation on a thinkpad x121e with /dev/sda1 (200MB, fat32, sectors 1 - 201) mounted to /boot and /dev/sda2 being a LUKS encrypted system. /boot contains the bzImage and /boot/efi/boot/bootx64.efi is the grub-image.<br />
<br />
Note: there should possibly be a section/table here containing information what firmware expects what name. having /boot/efi/grub/grub.efi didn't work for me, and as noted in the thinkwiki for an x220, /boot/efi/boot/bootx64.efi works fine. --[[User:Rochus|Rochus]] 13:59, 16 August 2011 (EDT)<br />
<br />
<br />
@Rochus: You have mounted your EFISYS partition at /boot or you are using same part as both EFISYS and /boot and it is FAT32 formatted. The actual path is <EFI_SYS_PART>/efi/grub/grub.efi wherein <EFI_SYS_PART> is usually /boot/efi or in your case /boot itself. <br />
<br />
But I do not understand your argument about mounting EFISYS at /boot/efi conflicting with LVM+LUKS. I don't have such a config in my system to understand what you are coming to say. <EFI_SYS_PART>/efi/boot/bootx64.efi is just a fallback path in case there's no boot entry in UEFI Boot Manager (see efibootmgr section). I already mentioned in the article that "If you have mounted EFISYS part at a different mountpoint, replace /boot/efi with that mountpoint in all the commands". I suppose that explains it. It is better to have /boot separate from EFISYS partition. I have /dev/sda1 as 200 MiB FAT32 EFISYS mounted at /boot/efi and /dev/sda3 as 400 MiB ext4 /boot part. For /boot/efi/grub/grub.efi to work you have to add a boot entry to grub.efi in the UEFI Boot Manager using efibootmgr utility. -- [[User:the.ridikulus.rat|Keshav P R]] 23:15, 28 August 2011 (IST)<br />
<br />
== <s> grub-mkconfig and UEFI </s> ==<br />
<br />
The grub-mkconfig script seems to be hardcoded to have /boot/grub as the grub install. Is the best answer for this to mount /efi/grub as /boot/grub or edit the script?<br />
<br />
http://comments.gmane.org/gmane.comp.boot-loaders.grub.devel/17950 -- [[User:The.ridikulus.rat|Keshav P R]] 09:57, 19 October 2011 (EDT)<br />
<br />
== <s> Confusing information on a running system; combining MBR and GPT information; an initial MBR portion that seems contradicted later </s> ==<br />
<br />
I started working through this; it looks like the installation is easy, at the top. Then there are more MBR instructions that require additional preparation, but it isn't clear if this is replacement information to the initial instructions, or more detailed information. If the top information is inadequate, it should be deleted and put into the MBR detailed instructions. If it is one way of doing it that does not require the more detailed instructions, that should be noted as well.<br />
<br />
Should be clear now -- [[User:The.ridikulus.rat|Keshav P R]] 14:53, 24 October 2011 (EDT)<br />
<br />
Ok, another one. I know I'm literal, and sometimes that's good, other times bad.<br />
<br />
The page talks about installing to the 440-byte area.<br />
Then later it talks about replacing legacy in that area.<br />
That doesn't make sense to me.<br />
<br />
What I'm really seeing, I think, is that there are so many ways of going about this that it might make sense to split this page into a couple; EFI - GPT - MBR. There may be some duplication in that, but trying to figure out what applies to what is difficult, at least for me. I think the overlapping technology changes make it seem more difficult than it is.<br />
<br />
I've been trying unsuccessfully to install this for a couple of days (gave up on a running system and just started from scratch; good backups are handy things); and while it may make more sense for me to do it in a different order, I don't understand it enough to feel comfortable contributing many changes to the article, as my interpretation may well be wrong. I'm no newbie, but neither am I a master.<br />
<br />
------<br />
<br />
There are many ways to install grub2 - UEFI is easy part, only one way (to the UEFI SYSTEM PARTITION). But in case of bios, you can install to the disk's MBR boot code region (in which case it becomes the primary or the only bootloader of the system), to a partition (in which case it need to be chainloaded from the primary bootloader) or generate the core.img (again needs to be chainloaded by another bootloader, difference being chainloading a file instead of partition boot sector). I created the sections in the article based on my understanding of the sectioning etc. I tried to avoid duplication mainly.<br />
<br />
About your problem, it's better to open a thread in the forum wherein we can discuss what exactly is preventing you from installing grub2. I have installed grub2-bios to MBR 440-byte area (GPT partitioning) and grub2-efi-x86_64 to UEFISYS partition (both in the same system and in the same disk).<br />
<br />
(also please sign your text - I don't know who is talking here) -- [[User:The.ridikulus.rat|Keshav P R]] 17:44, 27 October 2011 (EDT)<br />
<br />
------<br />
<br />
Ok, sorry about that. I'm a long time arch user but new to working in the wiki. -- [[User:Timm|Timm]] 11:24, 29 October 2011 (EDT)<br />
<br />
== <s> Moving the partitioning information to the preface </s> ==<br />
<br />
In the article, I think it would be a good idea to move the information on partitions to the preface section, as I think it is a preliminary consideration that people should see as they begin, rather than running across it in the text. I know people should read all of the instructions before beginning, but in real life that rarely happens. However, since that's a significant change in the page, I didn't want to do that when I wasn't involved in the original page creation; not sure of the etiquette on that. -- [[User:Timm|Timm]] 11:33, 29 October 2011 (EDT)<br />
<br />
I rearranged the text. Is it ok now? -- [[User:The.ridikulus.rat|Keshav P R]] 11:47, 29 October 2011 (EDT)<br />
<br />
I don't think so. If you are installing on a new install, the information about the partitions still isn't evident, as it is down in the sections about installing on a running system, or in the UEFI section. I'd suggest moving the information up to a new section either in the preface or right after it, called partitioning information or such. Either something like "Note: In a GPT system you will need a partition, etc. In a UEFI system you will need a partition, etc.", or just moving the existing text on the partition information, which seems to cover the information well. That way people get their system hardware set up before they begin the process of installing. No matter how much you simplify this, it is a complex process, and IMHO will be far less frustrating to people if they don't get halfway through the install and only then realize they don't have the necessary partitions. This is, I think, even more important to those of us who are used to being able to set up our partitions in the install, because at least as far as I understand it, you can't do some of this through the arch install process. -- [[User:Timm|Timm]] 13:00, 29 October 2011 (EDT)<br />
<br />
== GRUB_GFXMODE may not work with a depth parameter ==<br />
<br />
I'm installing on an i5 system with Intel graphics, and found that I could not get a background image if I used any depth parameter in GRUB_GFXMODE=; if I used the 0x value I got the same errors. I would get a black screen with a blue box, titled "Out of Range" and some H. Frequency and V. Frequency parameters. The boot continued in the background, and eventually I got the normal scroll of information during the boot. What I found was that if I just used a resolution, e.g., 800x600, with nothing more, it worked fine. Not sure if this is something for the wiki here or elsewhere, or something to post in the forums; but it should be somewhere to save the next person the hassle of figuring it out, I think. -- [[User:Timm|Timm]] 13:08, 29 October 2011 (EDT)<br />
<br />
== <s> grub-mkstandalone? </s> ==<br />
<br />
And where is that coming from? It's not part of grub2-common.<br />
<br />
Future update https://bugs.archlinux.org/task/23901 , but grub-mkstandalone is a very important tool -- [[User:The.ridikulus.rat|Keshav P R]] 15:13, 24 December 2011 (EST)<br />
<br />
== <s> Why did you remove double quotes in efibootmgr part </s> ==<br />
<br />
@Fallacy: Why did you do https://wiki.archlinux.org/index.php?title=GRUB2&diff=175798&oldid=174885 . You even removed the part that explained why this is being done. I am reverting it because that command simply will not work without double backward slashes.<br />
<br />
: You mean FelipeC? Notice that I changed from double quotes (") to single quotes ('), thus the backslash escaping is not needed. See:<br />
<br />
% echo -E "\\foo\\bar"<br />
\foo\bar<br />
% echo -E '\foo\bar'<br />
\foo\bar<br />
<br />
: The two strings are exactly identical. -- [[User:Felipec|FelipeC]] 16:03, 24 December 2011 (EST)<br />
<br />
== <s> Standalone UEFI </s> ==<br />
<br />
I went through the ordeal of trying to figure out how to make the section "Create GRUB2 Standalone UEFI Application" work, however, it's a complete mess.<br />
<br />
First of all, grub-mkstandalone does not exist. Secondly, grub_efi_x86_64-install already has an option to specify which modules you want to install in the image (maybe this should be added as a note on the section that explains grub_efi_x86_64-install). And thirdly, the script is doing a bunch of unnecessary steps, like saving and restoring $PWD, while it's always changing directory to $PWD, so doing nothing at all, and also unsetting the environment variables, which happens when the script finishes anyway.<br />
<br />
I rewrote the whole thing so it actually works, and it's actually simple. Too much stuff to write as the summary of the change. -- [[User:Felipec|FelipeC]] 16:32, 24 December 2011 (EST)<br />
<br />
grub-mkstandalone does exist (http://bzr.savannah.gnu.org/lh/grub/trunk/grub/annotate/head:/util/grub-mkstandalone.in). Like I mentioned it is coming in a update to grub2-common for which I have sent the updated PKGBUILD to Ronald Van Haren (pressh). Do you have any idea how grub2 actually works internally and how different tools are involved. The upstream does not recommend using --modules directly in grub-install or grub-mkimage for the sake of stability. Like I mentioned grub-mkstandalone embeds a memdisk inside the generated grub_standalone.efi file and the prefix is (memdisk)/boot/grub . For the record I wrote most of the UEFI related stuff in this page. Maybe unsetting the env variables were unnecessary (I rewrote another local script of mine which had export and unset commands) but the $PWD etc are required once you understand how grub-mkstandalone works. Go to https://bugs.archlinux.org/task/23901#comment84826 for the updated PKGBUILDs. With grub_standalone.efi, you don't need the modules to exist in the same directory since they are present in the file itself. It is not same as using grub-install with --modules. -- [[User:The.ridikulus.rat|Keshav P R]] 17:04, 24 December 2011 (EST)<br />
<br />
:The fact that you wrote a lot of stuff doesn't mean you are automatically right. I looked at the script, and it's '''clearly''' not intended for what you want to use it. It's intended to create a '''rescue''' image, and if you look at the code, at the end of the day it's using grub-mkimage, the same as grub*-install. The only difference is that, as you say, it creates a memdisk image, but it uses that image to put '''all''' modules inside. So really, there's no advantage to the normal GRUB 2 setup, except that you don't need a filesystem. But given that EFI already requires a filesystem anyway, there's no point in using a tool that is intended for rescue images.<br />
<br />
:And BTW, I tried grub*-install specifying all the modules that I use and the dependencies, and then I removed all the contents in /boot/efi/efi/grub (except grub.efi and grub.cfg), and guess what... It works perfectly fine. So that solution is already better.<br />
<br />
:-- [[User:Felipec|FelipeC]] 12:56, 10 January 2012 (EST)<br />
<br />
Specifying all the modules embeds all the modules in the grub.efi and thus all the modules are already loaded when grub.efi is launched, which can cause stability issues, as some modules conflict with another and stuff like that. The reason the script is named grub-mkstandalone is because it creates a standalone image which is portable, the difference being all the modules are part of memdisk, not directly part of the image. If you want to know the finer details as to why mkstandalone is recommended I suggest you talk to grub2 lead developer phcoder in #grub irc channel in freenode. <br />
<br />
The "script" you looked at puts all the modules in the memdisk image, but in that way the modules are not automatically loaded when grub.efi is launched, thus maintaining stability. THAT IS NOT THE CASE WITH grub*-install <all modules> or grub-mkimage <all modules>. -- [[User:The.ridikulus.rat|Keshav P R]] 11:14, 15 January 2012 (EST)<br />
<br />
@FelipeC: Read [[GRUB2#Create_GRUB2_Standalone_UEFI_Application]] now. That is basically what my script used to do. -- [[User:The.ridikulus.rat|Keshav P R]] 11:32, 15 January 2012 (EST)<br />
<br />
:Did I say specify "all the modules" in grub*-install? No. I said all the modules I '''use'''. The modules being used are going to be loaded regardless of which method you use.<br />
<br />
:Having all the modules in a memdisk, or having all the modules in a directory in the EFI system partition makes practically no difference. Having the modules you '''use''' directly into the image should make a performance difference, as the image loaded is smaller, and there's no overhead in loading modules.<br />
<br />
:-- [[User:Felipec|FelipeC]] 11:55, 18 January 2012 (EST)<br />
<br />
== Custom keyboard layout ==<br />
Hi. Could we add a section explaining how you can set your preferred keyboard layout within GRUB2? As i found [http://lists.gnu.org/archive/html/grub-devel/2011-06/msg00008.html here], we need the ckbcomp script, which can be obtained from Debian console-setup package.<br />
<br />
Here's how I made things work:<br />
<br />
ckbcomp it | grub-mklayout -o /boot/grub/it.gkb<br />
<br />
Then, I manually edited {{ic|/boot/grub/grub.cfg}}, adding the following lines:<br />
<br />
{{hc|/boot/grub/grub.cfg|<br />
<nowiki><br />
terminal_input at_keyboard<br />
keymap (hd0,2)/boot/grub/it.gkb<br />
</nowiki>}}<br />
<br />
This worked for me, but as of now, i think it's a very dirty method. Is there some support for keyboard layouts within {{ic|/etc/default/grub}}?<br />
<br />
Cheers. --[[User:Hilinus|Hilinus]] 12:50, 26 December 2011 (EST)<br />
<br />
<br />
<br />
I followed [http://lists.gnu.org/archive/html/grub-devel/2011-03/msg00051.html instructions] on the grub-devel mailing list. First you insert <br />
<br />
{{hc|/etc/default/grub|<br />
<nowiki><br />
GRUB_TERMINAL_INPUT=at_keyboard<br />
</nowiki>}}<br />
<br />
in {{ic|/etc/default/grub}}. Then you get ckbcomp Perl script from Ubuntu or Debian and execute (for Slovene layout)<br />
<br />
$ ckbcomp si | grub-mklayout -o si.gkb<br />
Unknown key KP_Comma<br />
Unknown key KP_Comma<br />
Unknown key KP_Comma<br />
Unknown key KP_Comma<br />
Unknown keycode 0x79<br />
$ sudo mv si.gkb /boot/grub/<br />
<br />
After that you add <br />
<br />
{{hc|/etc/grub.d/40_custom|<br />
<nowiki><br />
insmod keylayouts<br />
keymap /boot/grub/si.gkb<br />
</nowiki>}}<br />
<br />
to {{ic|/etc/grub.d/40_custom}} and finally generate new grub.cfg with<br />
<br />
$ sudo grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
Cheers. --[[User:drevo|drevo]] 17:47, 6 January 2012 (EST)<br />
<br />
== Please make the different options for changing the MBR more clear ==<br />
<br />
The three options [https://wiki.archlinux.org/index.php/GRUB2#Install_grub-bios_boot_files here] are only separated by a bit unclear titles, and if people follow the links, they might be confused.[[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 16:03, 20 July 2012 (UTC)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Bumblebee&diff=182474Talk:Bumblebee2012-02-06T21:05:45Z<p>Jasper1984: "No devices detected" due to other cause(s)</p>
<hr />
<div>== Wiki rewritten ==<br />
<br />
Hi, I followed this wiki two days ago and now Optimus technology works fine on my laptop, but I found this wiki a bit confusing. I decided to rewrite it. I'm not a linux-expert and i'm not English (I'm Italian), so feel free to correct what I wrote.<br />
<br />
:1) Setup X Server: I put this section as the first. New Bumblebee's versions create a xorg.conf.nvidia.pacnew file, so I added a cp command.<br />
:2) Load Kernel Module: I reordered this section with this logic in mind: first, get rid of nouveau at all; second, load nvidia module.<br />
:3) Start Bumblebee Daemon: I created a section for this. This way you don't need to reboot and it's more clear what you're doing.<br />
:4) Start VirtualGL Client: Well, I deleted this section because I think it's not needed to make bumblebee work. I never run that command to use optirun or optirun32.<br />
:5) Usage: I added optirun32. It seems to work fine with Unigine Tropics benchmark.<br />
:6) Autostart Bumblebee: I created a section for this because these operations were all around the wiki. This way it's more compact.<br />
:7) Nvidia ON/OFF... : Everything is fine here. I added the command to check battery rate only.<br />
:About last section: I got an ACER Aspire 5742g (Nvidia gt540M) and if I followed the steps to turn off my card: well, my power usage is higher(+400mA) with the card turned off and nvidia module unloaded! I know it's unbelievable, but it's true. Anyone is experiencing this? Bye<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
=== Samsagax Reply on thewall changes ===<br />
<br />
It's nice someone got interested!<br />
Now I'll argue some points for what takes precedence, what are bugs and what is planned to the future of Bumblebee in ArchLinux:<br />
:1) I would put the kernel module load first, before the configuration of the X server, I think is better logic. <br />
:2) The issue with the ".pacnew" file is a bug, should create it only if there is an "xorg.conf.nvidia" (on upgrade). I'm also planning to move this conf file to /etc/bumblebee directory. <br />
:3) Liked that (: <br />
:4) I really wouldn't delete that, don't know why, but some people need the vglclient running, should be an optional and explanatory section maybe. <br />
:5) As the new package of bumblebee I'm trying to split into smaller packages containing the libraries apart from the scripts and optirun32 didn't work fine for most people (specially under wine). <br />
:6) Liked that, is more clean this way <br />
:7) This is a dark spot. as long as acpi_call does not work reliably on most laptops there is no safe way to tell if it's working. For this reason I'm putting this as purely experimental state and not supporting it for now. Your issue was reported and is known on a variety of ASUS laptops. I'll recommend to read about acpi_call and their known-to-work laptops. <br />
BTW: Thanks!<br />
<br />
==== Reply to Samsagax ====<br />
<br />
:1) Ok.<br />
:2) I tried to clarify. Is that bug solved?<br />
:3) Great (:<br />
:4) I re-entered the VGL Client section with a note.<br />
:5) You really made a good job here (:<br />
:6) Ok.<br />
:7) Nothing to say.<br />
:Other) A user on the Italian Archlinux forum says that he must manually run the bumblebee daemon AFTER logging in with GNOME3. When he puts it in /etc/rc.conf he gets this: "[VGL] ERROR: Could not open display :1." It would be good to write that somewhere? Maybe a "troubleshooting" section?<br />
[[User:Thewall|Thewall]] 18:06, 1 July 2011 (EDT)<br />
<br />
<br />
==== Addition to 7) ====<br />
I think the higher Power consumption is caused by the X-Server that gets hung up (it hogs 100% of one CPU Core) when you switch off the Card via acpi_call. I've got the same issue here on a ASUS X53S, which also has a NVidia GT 540M.<br />
<br />
[[User:florianb|florianb]] 00:19, 1 August 2011 (CET)<br />
<br />
:Try disabling the X server first or you will have some issues. If there is still a problem try the vga-switcheroo option. <br />
:[[User:Samsagax|Samsagax]] 19:27, 31 July 2011 (EDT)<br />
<br />
::I tried to reproduce the errors successfully<br />
::1. If you switch off the NVIDIA Card before you stop the bumblebee daemon (which starts/stops the 2nd X-Server) you get into trouble, the X process hogs 100% CPU, gets unkillable and the overall power consumption (in my case) goes from about 1500mA to 2100mA<br />
::2. If you only stop the bumblebee daemon without switching off the NVIDIA Card, power consumption goes from about 1500mA to 1800-1900mA (maybe user "thewall" only stopped the daemon without switching off the NVIDIA Card?)<br />
::3. If you switch off the NVIDIA Card (which is a GT 540M in my case) via acpi_call, power consumption goes down to 1200mA, which is quite nice *BUT* the Fan goes 100% some seconds after you switch it off.. this seems to consume about 50mA more power.. blah blah and first of all is totally annoying<br />
::A guy in the ubuntu forum apparently already fixed 3) on similar hardware as i have, but i guess the differences are in detail, i'm trying to find it out.<br />
::[[User:florianb|florianb]] 08:07, 1 August 2011 (CET)<br />
<br />
:::I'll try to release today the new model for nvidia driver, similar to the one of nouveau. That way power switching is made automatically and by means of vga-switcheroo by default. I have to remind you that acpi_call method calls are guessed and (in your case) they may be incorrect. [[User:Samsagax|Samsagax]] 10:42, 1 August 2011 (EDT)<br />
<br />
::::Okay, sounds nice. I'd really like to contribute something to your work, if there's anything i could do, let me know.<br />
::::[[User:florianb|florianb]] 10:37, 2 August 2011 (CET)<br />
<br />
== We are making some progress ==<br />
<br />
Well, some developers (real ones) and me are getting somewhere on a stable Bumblebee due to this week. Will update the package as soon as we get it done. [[User:Samsagax|Samsagax]] 14:27, 11 August 2011 (EDT)<br />
<br />
== What about lib32-nvidia-utils-bumblebee ==<br />
Nowhere in the wiki article lib32-nvidia-utils-bumblebee is mentioned. But this is necessary if I would like to run 32bit wine games, right? --[[User:Onny|Onny]] 16:17, 29 January 2012 (EST)<br />
<br />
== No devices detected, error encountered due to different cause ==<br />
While i was trying to use bumblebee with nouveau, i encountered<br />
<br />
<code> [ERROR]Cannot access secondary GPU - error: [XORG] (EE) No devices detected.<br />
<br />
[ERROR]Aborting because fallback start is disabled. </code><br />
<br />
But apparently for a different reason, i haven't figured out what it was, changing to nvidia(extra/nvidia 290.10-2) fixed it. (I also had to update to core/linux 3.2.2-1 for it.)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Talk:Browser_plugins&diff=126369Talk:Browser plugins2010-12-30T13:29:49Z<p>Jasper1984: /* RDFM */</p>
<hr />
<div>==Relocating Firefox specific content==<br />
Should this be moved back into [[Firefox]]? [[User:Dres|Dres]] 15:40, 16 January 2010 (EST)<br />
<br />
:The only Firefox-specific content I see is [[Browser Plugins#Plugins cannot be downloaded]]; the other troubleshooting tips are valid for other browsers (which tend to use the <tt>$MOZ_PLUGIN_PATH</tt> as well). This could easily be moved back.<br />
:-- [[User:Pointone|pointone]] 13:04, 19 January 2010 (EST)<br />
<br />
::I can't personally gauge that, so I defer to what's been pointed out. [[User:Dres|Dres]] 03:25, 23 January 2010 (EST)<br />
<br />
==TODO: mozplugger==<br />
mozplugger certainly deserves mention here.<br />
<br />
-- [[User:Pointone|pointone]] 09:21, 20 January 2010 (EST)<br />
<br />
==RDFM==<br />
followed the guide and so it has erased my Tea-plugins;<br />
i hope to be in error, but i think this guide is out of date (firefox till now is 3.6 not 3.0)<br />
-- [[User:Ahel|ahel]] 2 December 2010<br />
<br />
:Can you be any more specific? What part of the guide? -- [[User:Pointone|pointone]] 19:48, 2 December 2010 (EST)<br />
<br />
::sorry man,-please- my f*cking fault.[[User:Ahel|Ahel]] 6 December 2010<br />
<br />
==Permissions of /usr/bin/mozilla/ going to 700==<br />
While for use they need 755, apparently. Should this be filed as a bug? [[User:Jasper1984|Jasper1984]] 08:29, 30 December 2010 (EST)</div>Jasper1984https://wiki.archlinux.org/index.php?title=Browser_plugins&diff=126368Browser plugins2010-12-30T13:28:09Z<p>Jasper1984: Added fix to problem i encountered (see also discussion)</p>
<hr />
<div>[[Category:Internet and Email (English)]]<br />
[[Category:HOWTOs (English)]]<br />
{{i18n|Browser Plugins}}<br />
<br />
These plugins work in [[Firefox]], [[Opera]] and WebKit derivatives. <!-- Chrome? --><br />
<br />
==Adobe Flash Player==<br />
<br />
===32-bit===<br />
Flash Player is in [extra]:<br />
<br />
# pacman -S flashplugin<br />
<br />
===64-bit===<br />
Adobe dropped x86_64 support for Flash for version 10.1. You can either install the new 64-bit {{package AUR|flashplugin-prerelease}} or get the stable 32-bit plugin (with nspluginwrapper) from the '''[multilib]''' repository ([[Install 32bit Flash on a 64bit System]]).<br />
<br />
===Misc===<br />
In addition, you may need to install {{package AUR|ttf-ms-fonts}} from the [[AUR]] in order to render text properly.<br />
<br />
If you are using a flashplugin from multilib and still having problems, e.g., fullscreen doesn't work, try to install lib32-'''your-driver'''-utils. Here's an example for nvidia card users:<br />
<br />
# pacman -S lib32-nvidia-utils<br />
<br />
This will replace your driver-utils with the lib32-driver-utils.<br />
<br />
===Configuration===<br />
<!-- Change this heading to Flash configuration once more than one plugin needs a similar section --><br />
To change general plug-in preferences (privacy settings, resource usage, etc.), right click on embedded Flash content and choose preferences from the menu, or go to the [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html Macromedia website]. There, a Flash animation will give access to local settings.<br />
<br />
==Adobe Reader==<br />
Due to licensing restrictions, Adobe Reader cannot be distributed from any of the official Arch repositories. There are versions available in the [[AUR]]. Please note that no matter how many votes it receives, this package will never be included in the [community] repository. See this [http://aur.archlinux.org/packages.php?ID=16980 comment] for an explanation.<br />
<br />
Also, there are [http://aur.archlinux.org/packages.php?O=0&K=acroread-&do_Search=Go localizations] available in many languages.<br />
<br />
===32-bit===<br />
32-bit AUR package: {{Package AUR|acroread}}<br />
<br />
It installs the Acrobat Reader application as well as the Firefox plugin. Note that hardware-assisted rendering is unavailable under Linux (at least using a Geforce 8600GTS with driver version 185.18.14).<br />
<br />
===64-bit===<br />
Adobe Reader is a closed-source application, meaning that users who want a 64-bit binary have no choice other than to wait for official support. Workarounds to consider:<br />
<br />
* Follow [[Install bundled 32-bit system in Arch64|this guide]] originally posted in the forums. It involves creating a chrooted environment that could be reused for other 32-bit only applications.<br />
<br />
* Or, simply get the 32-bit binary along with the 32-bit dependencies. Install {{Package AUR|bin32-acroread}}. Also, consider installing the extra font packages suggested by the package. Be advised that the Firefox plugin cannot be used ''directly'' with this binary -- it will not load in the 64-bit browser. {{Package AUR|nspluginwrapper-flash}} is required to load the plugin. Finally, be sure to run:<br />
$ nspluginwrapper -v -a -i<br />
as a '''normal user'''. This checks the plugin directory and links the plugins as needed. Everything should work as expected now.<br />
<br />
==Citrix==<br />
See: [[Citrix]]<br />
<br />
==Java==<br />
Either [[Java]] package contains the Java runtime as well as the fitting browser-plugin.<br />
# pacman -S openjdk6<br />
<br />
Or install the proprietary version of Java:<br />
# pacman -S jre<br />
<br />
Keep in mind that the open-source and closed-source versions cannot be installed in parallel. The open-source version is nearly perfect at the time of writing, and there is mostly no need anymore to install the proprietary version of Java. If you want to install it anyway: Firefox 3.6 does not seem to look in /usr/lib/mozilla/plugins, which is the default location where jre 1.6.0_22 places the Java plugin, so link the plugin into your per-user plugin directory instead:<br />
$ cd ~/.mozilla/plugins<br />
$ ln -s /opt/java/jre/lib/i386/libnpjp2.so<br />
After that it is safe to<br />
# rm -R /usr/lib/mozilla<br />
unless you use it for something else! Be careful here.<br />
<br />
==Video Plugins==<br />
<br />
===Gecko Media Player===<br />
A good replacement for the now obsolete mplayer-plugin is [http://code.google.com/p/gecko-mediaplayer/ Gecko Media Player]. It is more stable when combined with MPlayer 1.0RC2. (No more crashes with Apple Trailers.)<br />
# pacman -S gecko-mediaplayer<br />
<br />
===Totem Plugin===<br />
The {{package Official|totem-plugin}} might be the choice for those seeking a gstreamer-based plugin:<br />
# pacman -S totem-plugin<br />
<br />
==Troubleshooting==<br />
<br />
===Adobe Reader fails to run===<br />
{{note|This problem may not exist anymore.}}<br />
Due to a missing path one may have to run:<br />
# ln -s /usr/share/Adobe/Reader8/bin/acroread /usr/bin/<br />
<br />
===Flash blocks sound and/or delayed playback===<br />
If sound is delayed within flash video and/or if Flash stops sound from any other application, then:<br />
# vim /etc/rc.conf<br />
<br />
Locate the {{codeline|MODULES}} array and add {{codeline|snd-pcm-oss}} to banned modules, which should look like:<br />
MODULES=( !snd-pcm-oss )<br />
<br />
===No sound in Flash with OSSv4===<br />
If you use OSSv4 on '''x86_64''' with the '''multilib''' {{codeline|flashplugin}} you should install the {{codeline|lib32-libflashsupport}} library: <br />
# pacman -S lib32-libflashsupport<br />
<br />
===No sound in Flash with jack/x86_64/multilib===<br />
If you use jack-audio-connection-kit on '''x86_64''' with the '''multilib''' {{codeline|flashplugin}} you should install the {{codeline|lib32-libflashsupport-jack}} from AUR. To make this work you will also need lib32-alsa-plugins, which is not listed as a lib32-libflashsupport-jack dependency.<br />
# pacman -S lib32-alsa-plugins<br />
<br />
===Flash performance===<br />
Adobe's Flash plugin has some serious performance issues, especially when CPU frequency scaling is used. There seems to be a policy not to use the whole CPU workload, so the frequency scaling governor does not clock the CPU any higher. To work around this issue, see: [[cpufrequtils#Changing the ondemand governor's threshold]]<br />
<br />
===Plugins are installed but not working===<br />
A common problem is that the plugin path is unset. This typically occurs on a new install, when the user has not re-logged in before running Firefox after the installation. Test if the path is unset:<br />
echo $MOZ_PLUGIN_PATH<br />
If unset, then either re-login, or source {{Filename|/etc/profile.d/mozilla-common.sh}} and start Firefox from the same shell:<br />
. /etc/profile.d/mozilla-common.sh && firefox<br />
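The check above only covers an unset path. The following added example (not part of the wiki page or of any Arch package) goes further and also reports a plugin directory, or one of its parent directories, that other users cannot enter, such as a directory left at mode 700 where the package expects 755. The function names are hypothetical and GNU stat from coreutils is assumed.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes GNU stat (coreutils).

# other_bits PATH: print the "others" permission digit (0-7) of PATH.
other_bits() {
    mode=$(stat -c %a "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# find_blocker DIR [TOP]: DIR needs r+x for others (list and enter); every
# ancestor up to TOP (default /) needs x. Prints "missing:PATH" or
# "mode:PATH" for the first problem found walking upward and returns 1;
# prints nothing and returns 0 when a non-root browser can reach DIR.
find_blocker() {
    p=$1 top=${2:-/} need=5
    [ -d "$p" ] || { printf 'missing:%s\n' "$p"; return 1; }
    while :; do
        bits=$(other_bits "$p") || return 1
        if [ $((bits & need)) -ne "$need" ]; then
            printf 'mode:%s\n' "$p"
            return 1
        fi
        case $p in "$top"|/|.) return 0 ;; esac
        p=$(dirname "$p")
        need=1
    done
}

# audit_plugin_path VALUE [TOP]: check each colon-separated directory of a
# MOZ_PLUGIN_PATH-style VALUE. Prints one finding per line; the return
# status is the number of findings (0 = everything reachable).
audit_plugin_path() {
    [ -n "$1" ] || { echo 'unset'; return 1; }
    findings=0
    old_ifs=$IFS; IFS=:
    for d in $1; do
        IFS=$old_ifs
        [ -n "$d" ] || continue
        find_blocker "$d" "${2:-/}" || findings=$((findings + 1))
    done
    IFS=$old_ifs
    return "$findings"
}

# Typical use from the affected user's shell:
#   audit_plugin_path "$MOZ_PLUGIN_PATH"
```

A "mode:" finding names the directory whose permissions need correcting; widening it to 755 rather than anything looser keeps it writable by root only.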
<br />
===Gecko Media Player Won't Play Apple Trailers===<br />
<br />
If Apple Trailers appear to start to play and then fail, try setting the user agent for your browser to:<br />
QuickTime/7.6.2 (qtver=7.6.2;os=Windows NT 5.1Service Pack 3)<br />
<br />
=== Plugins don't show up at all ===<br />
<br />
If they don't show up at all in about:plugins, and pacman -S nspluginwrapper says:<br />
<br />
# warning: directory permissions differ on usr/lib/mozilla/<br />
# filesystem: 700 package: 755<br />
<br />
As superuser, run {{codeline|chmod 755 /usr/lib/mozilla/}} so that users can read and execute from it.</div>Jasper1984