ArchWiki - User contributions [en] | https://wiki.archlinux.org/api.php?action=feedcontributions&user=Jjacky&feedformat=atom | 2024-03-29T11:34:41Z | MediaWiki 1.41.0
AUR helpers/Graphical | https://wiki.archlinux.org/index.php?title=AUR_helpers/Graphical&diff=249835 | 2013-03-07T20:11:16Z
<p>Jjacky: /* System Tray Notifiers */</p>
<hr />
<div>[[Category:Arch User Repository]]<br />
[[Category:Package management]]<br />
[[cs:Pacman GUI Frontends]]<br />
[[it:Pacman GUI Frontends]]<br />
[[ru:Pacman GUI Frontends]]<br />
[[tr:Pacman_Önyüzleri]]<br />
[[zh-CN:Pacman GUI Frontends]]<br />
This is a list of frontends for the [[pacman]] CLI tool. The list includes full featured GUI frontends, informational tools, and a variety of system tray notifiers. The list also includes categories for Gtk2 based and Qt based software.<br />
<br />
{{Warning|None of these tools are officially supported by Arch Linux/Pacman developers.}}<br />
<br />
== Pacman Frontends ==<br />
=== X11 ===<br />
* {{App|1=PacmanXG4|2=GUI front-end for pacman. Depends on neither GTK nor Qt, just X11. This graphical tool allows you to do the following:<br />
:* Install/remove/upgrade packages<br />
:* Search packages / filter packages<br />
:* Retrieve package info, including screenshots<br />
:* Downgrade packages (needs the downgrade utility from AUR)<br />
:* Refresh package database, synchronize mirrors.<br />
:* Update system in one click<br />
:* Find out which package a specific file belongs to (include file with pkgfile utility)<br />
:* YAOURT support<br />
:'''Screenshots''' http://almin-soft.fsay.net/index.php?pacmanxg/4x-hide/pacmanxg-4x-screenshots <br><br />
:'''Direct link to binary:''' http://almin-soft.fsay.net/data/files/pacmanxg/download.php?get=pacmanXG4.tar.bz2 <br />
|3='''Web page:''' http://translate.google.com.hk/translate?act=url&hl=en&ie=UTF8&prev=_t&sl=auto&tl=en&u=http://almin-soft.fsay.net/index.php?pacmanxg/4x-series (en)<br />
|4='''AUR : ''' {{AUR|pacmanxg4-bin}} }}<br />
<br />
* {{App|1=PacmanExpress |2=GUI front-end for pacman. Depends on neither GTK nor Qt, just X11. This graphical tool is a lightweight version of PacmanXG<br />
:* Interface "all in one box"<br />
:* No query. Install/remove packages takes place immediately.<br />
:* Ability to run multiple operations / Remove packages (be careful!)<br />
:* YAOURT support<br />
<br />
:'''Direct link to binary:''' http://almin-soft.fsay.net/data/files/pacmanxg/download.php?get=pacmanexpress.tar.bz2<br />
|3='''Web page:''' http://translate.google.com.hk/translate?act=url&hl=en&ie=UTF8&prev=_t&sl=auto&tl=en&u=http://almin-soft.fsay.net/index.php?pacmanxg/pacman-express(en) <br />
|4='''AUR : ''' {{AUR|pacmanexpress}} }}<br />
<br />
=== GNOME/GTK+ ===<br />
* {{App|Wakka|gtk based package manager for Arch Linux, derived from the work done on GtkPacman. The goal is to clean up the code and rework the program to be stable and extensible.<br />
:'''Screenshots:''' http://mibloglinux.wordpress.com/2011/05/23/wakka-interfaz-grafica-para-pacman/<br />
|https://code.google.com/p/wakka-package-manager/|{{AUR|wakka}}}}<br />
:{{Warning|Wakka is currently incompatible with Pacman 4.}}<br />
<br />
* {{App|GNOME PackageKit|distribution-agnostic collection of utilities for managing packages. Using the alpm backend, it supports the following features:<br />
:* Install and remove packages from the repos.<br />
:* Periodically refresh package databases and prompt for updates.<br />
:* Install packages from tarballs.<br />
:* Search for packages by name, description, category or file.<br />
:* Show package dependencies, files and reverse dependencies.<br />
:* Ignore IgnorePkgs and hold HoldPkgs.<br />
:* Report optional dependencies, .pacnew files, etc.<br />
:You can change the remove operation from -Rc to -Rsc by setting the DConf key org.gnome.packagekit.enable-autoremove.<br />
:{{Tip|If you do not wish to install PulseAudio, you can install {{AUR|gnome-settings-daemon-nopulse}} from the AUR.}}<br />
|http://packagekit.org/|{{Pkg|gnome-packagekit}}}}<br />
<br />
=== KDE/Qt ===<br />
* {{App|1=KPackageKit/Apper|2=GUI front-end for [http://www.packagekit.org/ PackageKit]. Pacman integration is accomplished via {{Pkg|packagekit}}, which gained upstream support for pacman. This graphical tool allows you to do the following from KDE's systemsettings:<br />
:* Install/remove/upgrade packages<br />
:* Search packages / filter packages<br />
:* Retrieve package info<br />
:* Refresh package database<br />
:* Choose which repositories will be updated<br />
:* Automatically refresh database (Hourly, daily etc.)<br />
:* Automatically update packages<br />
:While pacman support in PackageKit is relatively new, it works with no major problems, providing ease of use, simplicity, and good integration with KDE (and PolicyKit).<br />
:'''Screenshots:''' http://kde-apps.org/content/show.php/Apper?content=84745<br />
|3=http://kde-apps.org/content/show.php/Apper?content=84745|4={{Pkg|apper}}}}<br />
<br />
* {{App|1=AppSet|2=advanced and feature rich GUI front-end for Package Managers. AppSet has the following features:<br />
:* Software sections (games, office, multimedia, internet etc.)<br />
:* Shows homepages for selected packages in an embedded web browser<br />
:* Shows distributions news with an embedded feed reader<br />
:* Upgrades, installs and removes packages<br />
:* Shows available upgrades with a Tray Icon<br />
:* Updates database periodically<br />
:* Informs about dependencies (for example when trying to remove a package needed by others)<br />
:* Cache clean command (to free disk space)<br />
:* Intelligent launcher that uses what is already installed to get administrative privileges (by searching for kdesu, gksu or at last for an xterm where it starts with a sudo command)<br />
:* Now with AUR support with Packer as backend<br />
:AppSet needs only the Qt libraries as a dependency for installation. It can be used in any desktop environment. Currently it only works for Arch Linux using pacman.<br />
:'''Screenshots''' http://sourceforge.net/project/screenshots.php?group_id=376825<br />
|3=http://appset.sourceforge.net/|4={{AUR|appset-qt}}}}<br />
<br />
=== JAVA ===<br />
* {{App|1=karun|2=JAVA GUI front-end for pacman.<br />
<br />
:* Search packages / filter packages<br />
<br />
It seems to be in development.<br />
<br />
|3=https://github.com/bahmanm/Karun|4={{AUR|karun-git}}}}<br />
<br />
=== NCurses ===<br />
* {{App|1=pcurses|2=package management in a curses frontend, including:<br />
:* regexp filtering and searching any package property<br />
:* customizable colorcoding<br />
:* customizable sorting<br />
:* external command execution with package list string replacements<br />
:* user defined macros and hotkeys<br />
:'''Screenshots''' https://bbs.archlinux.org/viewtopic.php?id=122749<br />
|3=https://github.com/schuay/pcurses|4={{AUR|pcurses}}}}<br />
<br />
* {{App|1=yaourt-gui|2=Yaourt-GUI is designed for new users who want to start using Arch Linux. Written in bash, it offers a terminal GUI for the common tasks of yaourt and pacman<br />
:'''Screenshots''' http://sourceforge.net/projects/yaourt-gui/ <br><br />
:'''Direct link to source:''' http://sourceforge.net/projects/yaourt-gui/files/yaourt-gui-0.9.tar.gz <br />
|3='''Web page:'''http://dark-linux.net/yaourt-gui-a-bash-gui-per-yaourt-3/<br />
|4='''AUR : ''' {{AUR|yaourt-gui}} }}<br />
<br />
== Pacman / AUR Package Browser ==<br />
* {{App|1=PkgBrowser|2=application for searching and browsing Arch packages, showing details on selected packages.<br />
:* Search and browse Arch packages including the AUR<br />
:* Purely an informational application that cannot be used to install, remove or update packages <br />
:* By design, is an accessory to CLI package management via pacman<br />
:* Further details on use via manual accessed from help menu<br />
:'''Forum page:''' https://bbs.archlinux.org/viewtopic.php?id=117297 <br><br />
|3=https://code.google.com/p/pkgbrowser/|4={{AUR|pkgbrowser}}}}<br />
<br />
* {{App|Pacinfo|application to browse the installed packages and show information like screenshot, installed files, installation date and others. Written in Mono/GTK#<br />
|https://code.google.com/p/pacinfo/|{{AUR|pacinfo}}}}<br />
<br />
== System Tray Notifiers ==<br />
* {{App|1=Aarchup|2=fork of archup. Has the same options as archup plus a few other features. For differences between both please check [https://bbs.archlinux.org/viewtopic.php?id=119129 changelog].<br />
:'''Screenshots''': http://i.imgur.com/yTNvg.png<br />
|3=https://github.com/aericson/aarchup/|4={{AUR|aarchup}}}}<br />
<br />
* {{App|pacman-notifier|Written in Ruby, uses Gtk. Shows an icon in the system tray and popup notifications (using libnotify) for new packages.<br />
:'''Screenshots''': https://github.com/v01d/pacman-notifier/wiki<br />
|https://github.com/v01d/pacman-notifier/wiki|{{AUR|pacman-notifier}}}}<br />
<br />
* {{App|Pacupdate|small application that notifies the user about new updates for Arch Linux. If Pacupdate finds out that an update is available, it will display a notification in the system tray|https://code.google.com/p/pacupdate/|{{AUR|pacupdate-svn}}}}<br />
<br />
* {{App|1=Yapan (Yet Another Package mAnager Notifier)|2=written in C++ and Qt. It shows an icon in the system tray and popup notifications for new packages and supports AUR helpers.<br />
:'''Forum page''': https://bbs.archlinux.org/viewtopic.php?id=113078<br />
|3=http://code.google.com/p/arch-yapan/|4={{AUR|yapan}}}}<br />
<br />
* {{App|1=ZenMan|2=PacMan frontend (tray update notifier) for GTK/GNOME/zenity/libnotify.<br />
:'''Screenshots''': http://show.harvie.cz/screenshots/zenman-screenshot-2.png<br />
|3=https://aur.archlinux.org/packages.php?ID=25948|4={{AUR|zenman}}}}<br />
<br />
* {{App|1=pkgnotify.sh|2=simple 14 line shell script that displays the number of available updates in the dzen2 title window and a list of these updates in the slave window. Depends on dzen2, inotify-tools, package-query and optionally an AUR helper (yaourt by default).<br />
:'''Screenshots''': http://andreasbwagner.tumblr.com/post/853471635/arch-linux-update-notifier-for-dzen2<br />
|3=http://pointfree.net/repo/?r=dzen2_scripts;a=headblob;f=/src/pkgnotify/pkgnotify.sh|4={{AUR?|pkgnotify}}}}<br />
<br />
* {{App|1=kalu|2=Small C application that adds an icon in the systray and can show notifications for Arch Linux News, Upgrades, AUR upgrades, and watched (AUR) upgrades (upgrades for packages not installed). Also includes a GUI system upgrader.<br />
:'''Screenshots''': http://jjacky.com/kalu<br />
:'''Forum''': https://bbs.archlinux.org/viewtopic.php?id=135773<br />
|3=https://github.com/jjk-jacky/kalu|4=<span style="font-family: monospace">[https://aur.archlinux.org/packages.php?ID=56673 kalu]</span>}}<br />
<br />
== Inactive Software Packages ==<br />
*[https://aur.archlinux.org/packages.php?ID=52039/ pacmanXG 2x series], Pacman and ''yaourt'' GUI without GTK or QT dependencies<br />
*[http://gtkpacman.berlios.de/ GtkPacman], GTK frontend<br />
*[http://guzuta.berlios.de/ Guzuta], GTK frontend<br />
*[http://chakra-linux.org/wiki/index.php/Shaman Shaman], GUI using Pacman’s ''libalpm'' library<br />
*[http://code.google.com/p/pacmon/ pacmon], notification GUI<br />
*[https://gna.org/projects/paku/ Paku], GUI alternative to Pacman<br />
*[http://www.kde-apps.org/content/show.php/YAPG+-+Yet+Another+Pacman+Gui+?content=60052 YAPG]<br />
*[http://sourceforge.net/projects/zenitypacgui/ zenity_pacgui], Zenity GUI for Pacman</div>
Systemd | https://wiki.archlinux.org/index.php?title=Systemd&diff=217993 | Jjacky | 2012-08-15T15:27:07Z
<p>Jjacky: /* Dynamic (DHCP) */</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Daemons and system services]]<br />
[[Category:Boot process]]<br />
[[fr:Systemd]]<br />
[[it:Systemd]]<br />
[[ru:Systemd]]<br />
[[zh-CN:Systemd]]<br />
{{Article summary start}}<br />
{{Article summary text|'''systemd''' is a system and service manager for Linux, compatible with SysV and LSB init scripts. systemd provides aggressive parallelization capabilities, uses socket and [[D-Bus]] activation for starting services, offers on-demand starting of daemons, keeps track of processes using Linux [[cgroups]], supports snapshotting and restoring of the system state, maintains mount and automount points and implements an elaborate transactional dependency-based service control logic. It can work as a drop-in replacement for sysvinit.}}<br />
<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Systemd/Services}}<br />
{{Article summary end}}<br />
<br />
See [http://0pointer.de/blog/projects/systemd.html Lennart's blog story] for a longer introduction, the three [http://0pointer.de/blog/projects/systemd-update.html status] [http://0pointer.de/blog/projects/systemd-update-2.html updates] [http://0pointer.de/blog/projects/systemd-update-3.html since] then, and the [http://0pointer.de/blog/projects/why.html most recent summary]. Also see the [http://en.wikipedia.org/wiki/Systemd Wikipedia article] and the [http://freedesktop.org/wiki/Software/systemd project web page].<br />
<br />
== Installation ==<br />
Systemd can be installed side-by-side with the regular Arch Linux initscripts, and they can be toggled by adding/removing the {{Ic|1=init=/bin/systemd}} kernel parameter. To try out systemd on Arch you need to:<br />
<br />
=== A pure systemd installation ===<br />
<br />
# Install {{Pkg|systemd}} from [core].<br />
# The {{Pkg|systemd-arch-units}} package has some extra systemd unit files (services) which you may find useful.<br />
# Add {{ic|1=init=/bin/systemd}} to the [[Kernel parameters|kernel parameters]] in your bootloader, or install {{Pkg|systemd-sysvcompat}} to have it symlinked.<br />
# Create [[#Native systemd configuration files|systemd configuration files]].<br />
# [[#Using_Units|Enable services]] with {{ic|systemctl enable ...}}. Services replace the daemons from rc.conf.<br />
<br />
=== A mixed systemd installation ===<br />
<br />
# Install {{Pkg|systemd}} from [core].<br />
# Add {{ic|1=init=/bin/systemd}} to the [[Kernel parameters|kernel parameters]] in your bootloader.<br />
# We recommend that you use [[#Native systemd configuration files|native systemd configuration files]] instead of Arch's classic configuration files. You can still use {{ic|/etc/rc.conf}} to configure a few variables if the native configuration files do not exist, but support will be dropped in the future.<br />
# The {{Pkg|systemd-arch-units}} package has some extra systemd unit files (services) which you may find useful, notably for network configuration.<br />
<br />
=== After booting with systemd ===<br />
# (Optional) If you want a pure systemd setup you can now remove {{Pkg|initscripts}} and {{Pkg|sysvinit}}, and use [[#Power_Management|systemd commands]] such as {{ic|systemctl poweroff}} in place of the usual commands. The reason to wait until after a reboot before doing this step is that a system booted with {{Pkg|initscripts}} still needs {{ic|/etc/inittab}} to shut down properly.<br />
# (Optional) If you want symlinks for {{ic|init}}, {{ic|reboot}} etc, install {{Pkg|systemd-sysvcompat}}. You can then remove the {{ic|1=init=}} parameter on your kernel cmdline.<br />
<br />
=== Supplementary information ===<br />
{{Tip|If you have {{ic|quiet}} in your kernel parameters, you should remove it for your first couple of systemd boots, to assist with identifying any issues during boot.}}<br />
{{Warning|{{ic|/usr}} must be mounted and available at bootup (this is not particular to systemd). If your {{ic|/usr}} is on a separate partition, you will need to make accommodations to mount it from the initramfs and unmount it from a pivoted root on shutdown. See [[Mkinitcpio#/usr_as_a_separate_partition|the mkinitcpio wiki page]] and [http://www.freedesktop.org/wiki/Software/systemd/separate-usr-is-broken freedesktop.org#separate-usr-is-broken]}}<br />
<br />
== Native systemd configuration files ==<br />
{{Moveto|System configuration|Move configuration supported by both initscript and rc.conf into a new file.|Talk:Systemd#Move system configuration into a new file}}<br />
{{Pkg|systemd}} will use {{ic|/etc/rc.conf}} if these files are absent (Note this is temporary and not a long-term solution. It is strongly advised to use the systemd configuration files on any system, since initscripts can use them).<br />
{{Note|You may need to create these files.}}<br />
=== Hostname ===<br />
{{hc|/etc/hostname|myhostname}}<br />
<br />
=== Console and keymap ===<br />
The {{ic|/etc/vconsole.conf}} file configures the virtual console, i.e. keyboard mapping and console font.<br />
{{hc|/etc/vconsole.conf|<nowiki><br />
KEYMAP=us<br />
FONT=lat9w-16<br />
FONT_MAP=8859-1_to_uni</nowiki>}}<br />
<br />
For more info see: [[Fonts#Console_fonts|Console fonts]]<br />
<br />
=== Locale ===<br />
Read {{ic|man locale.conf}} for more options <br />
{{hc|/etc/locale.conf|<nowiki><br />
LANG=en_US.UTF-8<br />
LC_COLLATE=C</nowiki>}}<br />
{{Note| {{Ic|1=/etc/profile.d/locale.sh}} from {{Pkg|systemd-sysvcompat}} or {{Pkg|initscripts}} is necessary to be able to set users' locale correctly}}<br />
<br />
=== Timezone ===<br />
Read {{ic|man 5 timezone}} for more options <br />
{{hc|/etc/timezone|Europe/Minsk}}<br />
{{Note|This file does not obviate the need for {{ic|/etc/localtime}}.}}<br />
<br />
=== Hardware clock time ===<br />
Systemd will use UTC for the hardware clock by default and this is recommended. Dealing with daylight saving time is messy. If the DST changes when your computer is off, your clock will be wrong on next boot ([http://www.cl.cam.ac.uk/~mgk25/mswish/ut-rtc.html there is a lot more to it]). Recent kernels set the system time from the RTC directly on boot without using {{ic|hwclock}}, and the kernel will always assume that the RTC is in UTC. This means that if the RTC is in local time, the system time will first be set up wrongly and then corrected shortly afterwards on every boot. This is possibly the reason for certain weird bugs (time going backwards is rarely a good thing).<br />
<br />
The reason for allowing the RTC to be in local time is to allow dual boot with Windows ([http://blogs.msdn.com/b/oldnewthing/archive/2004/09/02/224672.aspx who uses localtime]). Windows is able to deal with the RTC being in UTC by setting the following DWORD registry key to {{ic|1}}:<br />
{{bc|HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\RealTimeIsUniversal}}<br />
<br />
{{Warning|On recent systems (Windows 7, Vista SP2) this setting prevents Windows from being able to update the system clock at all, and earlier versions do not work correctly when [http://social.msdn.microsoft.com/forums/en-US/tabletandtouch/thread/0b872d8a-69e9-40a6-a71f-45de90c6e243/ resuming from suspend or hibernate]. In addition, recent systems [http://support.microsoft.com/kb/2687252 may become unresponsive during Daylight Saving Time (DST) changeover] if RealTimeIsUniversal is set.}}<br />
<br />
If you run into issues on dual boot with Windows, you can set the hardware clock to local time. Contrary to popular belief, systemd supports this:<br />
{{hc|/etc/adjtime|<nowiki> <br />
0.0 0.0 0.0<br />
0<br />
LOCAL</nowiki>}}<br />
{{Note|The other parameters are still needed but are ignored by systemd.}}<br />
{{Note|It is generally advised to have a [[NTP|Network Time Protocol daemon]] running to keep the hardware clock synchronized with the system time.}}<br />
<br />
=== Kernel modules loaded during boot ===<br />
systemd uses {{ic|/etc/modules-load.d/}} to configure kernel modules to load during boot in a static list. Each configuration file is named in the style of {{ic|/etc/modules-load.d/<program>.conf}}. The configuration files should simply contain a list of kernel module names to load, separated by newlines. Empty lines and lines whose first non-whitespace character is {{ic|#}} or {{ic|;}} are ignored. Example:<br />
{{hc|/etc/modules-load.d/virtio-net.conf|<nowiki><br />
# Load virtio-net.ko at boot<br />
virtio-net</nowiki>}}<br />
See also [[Modprobe#Options]]<br />
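
An added example (not part of the wiki page or of systemd) that applies the parsing rules above to audit which modules a {{ic|modules-load.d}} directory asks for at boot. The function names and the allowlist file (one permitted module name per line) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not systemd's own code: audit a modules-load.d directory.

# Print "file<TAB>module" for every module named in DIR/*.conf.
# Parsing follows the rules in the text: one module name per line; empty
# lines and lines whose first non-whitespace character is '#' or ';' are
# ignored. Stripping trailing whitespace is an assumption of this sketch.
list_boot_modules() {
    dir=${1:-/etc/modules-load.d}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue   # unmatched glob or not a regular file
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' -e '/^[#;]/d' "$conf" |
        while IFS= read -r module; do
            printf '%s\t%s\n' "${conf##*/}" "$module"
        done
    done
}

# Print every configured module that is missing from ALLOWLIST (hypothetical
# file, one module name per line). Returns 1 if any such module exists.
unexpected_boot_modules() {
    dir=$1
    allowlist=$2
    tab=$(printf '\t')
    found=$(list_boot_modules "$dir" |
        while IFS=$tab read -r file module; do
            # -x: whole-line match, -F: literal string, not a regex
            grep -qxF -- "$module" "$allowlist" ||
                printf '%s\t%s\n' "$file" "$module"
        done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}
```

Calling {{ic|unexpected_boot_modules /etc/modules-load.d /path/to/allowlist}} prints the file and name of each module that was not expected, which makes a stray configuration file easy to spot.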
<br />
=== Kernel modules blacklist ===<br />
Module blacklisting works the same way as with {{Pkg|initscripts}} since it is actually handled by {{Pkg|kmod}}, see [[Kernel_modules#Blacklisting|Module Blacklisting]] for details.<br />
<br />
=== Temporary files ===<br />
Systemd-tmpfiles uses the configuration files in {{ic|/usr/lib/tmpfiles.d/}} and {{ic|/etc/tmpfiles.d/}} to describe the creation, cleaning and removal of volatile and temporary files and directories which usually reside in directories such as {{ic|/run}} or {{ic|/tmp}}. Each configuration file is named in the style of {{ic|/etc/tmpfiles.d/<program>.conf}}. This will also override any files in {{ic|/usr/lib/tmpfiles.d/}} with the same name.<br />
<br />
tmpfiles are usually provided together with service files to create directories which are expected to exist by certain daemons. For example the [[Samba]] daemon expects the directory {{ic|/var/run/samba}} to exist and to have the correct permissions. The corresponding tmpfile looks like this:<br />
{{hc|/usr/lib/tmpfiles.d/samba.conf|<br />
D /var/run/samba 0755 root root<br />
}}<br />
<br />
However, tmpfiles may also be used to write values into certain files on boot. For example, if you use {{ic|/etc/rc.local}} to disable wakeup from USB devices with {{ic|echo USBE > /proc/acpi/wakeup}}, you may use the following tmpfile instead:<br />
{{hc|/etc/tmpfiles.d/disable-usb-wake.conf|<br />
w /proc/acpi/wakeup - - - - USBE<br />
}}<br />
The tmpfiles method is recommended in this case since systemd doesn't actually support {{ic|/etc/rc.local}}.<br />
<br />
See {{ic|man tmpfiles.d}} for details.<br />
<br />
=== Remote filesystem mounts ===<br />
systemd automatically makes sure that remote filesystem mounts like [[NFS]] or [[Samba]] are only started after the network has been set up. Therefore remote filesystem mounts specified in {{ic|/etc/fstab}} should work out of the box.<br />
<br />
You may however want to use [[#Automount|Automount]] for remote filesystem mounts to mount them only when they are being accessed. Furthermore you can use the {{ic|1=x-systemd.device-timeout=#}} option in {{ic|/etc/fstab}} to specify a timeout in case the network resource is not available.<br />
<br />
See {{ic|man systemd.mount}} for details.<br />
<br />
=== Replacing acpid with systemd ===<br />
Systemd can handle some power-related ACPI events. This is configured via the following options in {{ic|/etc/systemd/logind.conf}}:<br />
* {{ic|HandlePowerKey}} : Power off the system when the power button is pressed<br />
* {{ic|HandleSleepKey}} : Suspend the system when the sleep key is pressed<br />
* {{ic|HandleLidSwitch}} : Suspend the system when the laptop lid is closed<br />
Depending on the value of these options, these events may for example only be triggered when no user is logged in ({{ic|no-session}}) or when only a single user session is active ({{ic|any-session}}). See {{ic|man logind.conf}} for details.<br />
<br />
These options should not be used on desktop environments like [[Gnome]] and [[XFCE]] since these handle ACPI events by themselves. However, on systems which run no graphical setup or only a simple window manager like [[i3]] or [[awesome]], this may replace the [[acpid]] daemon which is usually used to react to these ACPI events.<br />
<br />
=== Sleep hooks ===<br />
Systemd does not use [[pm-utils]] to put the machine to sleep when using {{ic|systemctl suspend}} or {{ic|systemctl hibernate}}. Therefore all [[pm-utils]] hooks including any [[Pm-utils#Creating_your_own_hooks|custom hooks]] you may have created will not be run. However, systemd provides a similar mechanism to run custom scripts on these events. Systemd will run all executables in {{ic|/usr/lib/systemd/system-sleep/}} and pass two arguments to each of them:<br />
* argument 1: either {{ic|pre}} or {{ic|post}}, depending on whether the machine is going to sleep or waking up<br />
* argument 2: either {{ic|suspend}} or {{ic|hibernate}}, depending on what has been invoked<br />
<br />
In contrast to [[pm-utils]], systemd will run these scripts in parallel and not one after another.<br />
<br />
The output of your script will be logged by {{ic|systemd-suspend.service}} or {{ic|systemd-hibernate.service}} so you can see its output in the [[Systemd#Systemd Journal|journal]].<br />
<br />
Note that you can also use {{ic|sleep.target}}, {{ic|suspend.target}} or {{ic|hibernate.target}} to hook units into the sleep state logic instead of using scripts.<br />
<br />
See {{ic|man systemd.special}} and {{ic|man systemd-sleep}} for more information.<br />
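
An added example (not part of the wiki page or of systemd) of a hook for {{ic|/usr/lib/systemd/system-sleep/}} that uses both arguments described above to report how long the machine slept. The state file path {{ic|/run/sleep-hook.stamp}}, the {{ic|SLEEP_STATE_FILE}} override and the function name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not systemd's own code: a system-sleep hook.
# systemd calls it as:  <script> pre|post suspend|hibernate
# Hooks run in parallel, so this one keeps its own state file and does not
# rely on any other hook having run first.

sleep_hook() {
    phase=$1
    kind=$2
    # Hypothetical state file; SLEEP_STATE_FILE is an override for testing.
    state=${SLEEP_STATE_FILE:-/run/sleep-hook.stamp}

    case $kind in
        suspend|hibernate) ;;
        *) echo "sleep-hook: unknown sleep type '$kind'" >&2; return 64 ;;
    esac

    case $phase in
        pre)
            # Going to sleep: record the time, readable by the owner only.
            (umask 077; date +%s > "$state")
            echo "sleep-hook: entering $kind"
            ;;
        post)
            started=
            if [ -r "$state" ]; then
                read -r started < "$state" || true
                rm -f "$state"
            fi
            # Accept only plain digits before using the value in arithmetic.
            case $started in
                ''|*[!0-9]*)
                    echo "sleep-hook: resumed from $kind (no usable pre-sleep record)"
                    ;;
                *)
                    echo "sleep-hook: resumed from $kind after $(( $(date +%s) - $started ))s"
                    ;;
            esac
            ;;
        *) echo "sleep-hook: unknown phase '$phase'" >&2; return 64 ;;
    esac
}

# Run only when arguments are passed, as systemd does.
if [ "$#" -gt 0 ]; then
    sleep_hook "$@"
fi
```

Everything the hook prints ends up in the journal, as described above.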
<br />
=== Unit ===<br />
A unit configuration file encodes information about a service, a socket, a device, a mount point, an automount point, a swap file or partition, a start-up target, a file system path or a timer controlled and supervised by systemd. The syntax is inspired by XDG Desktop Entry Specification .desktop files, which are in turn inspired by Microsoft Windows .ini files. See {{ic|man systemd.unit}} for more info.<br />
<br />
== Systemd commands ==<br />
<br />
*{{ic|systemctl}}: used to introspect and control the state of the systemd system and service manager.<br />
*{{ic|systemd-cgls}}: recursively shows the contents of the selected Linux control group hierarchy in a tree<br />
*{{ic|systemadm}}: a graphical frontend for the systemd system and service manager that allows introspection and control of systemd (available via the {{AUR|systemd-ui-git}} package from the [[AUR]]).<br />
<br />
View the man pages for more details. <br />
<br />
{{Tip|You can use all of the following {{ic|systemctl}} commands with the {{ic|-H <user>@<host>}} switch to control a systemd instance on a remote machine. This will use [[SSH]] to connect to the remote systemd instance.}}<br />
<br />
=== Analyzing the system state ===<br />
<br />
List running units:<br />
<br />
{{bc|$ systemctl}}<br />
<br />
or:<br />
<br />
{{bc|$ systemctl list-units}}<br />
<br />
List failed units:<br />
<br />
{{bc|$ systemctl --failed}}<br />
<br />
The available unit files can be seen in {{ic|/usr/lib/systemd/system/}} and {{ic|/etc/systemd/system/}} (the latter takes precedence).<br />
<br />
=== Using Units ===<br />
<br />
Units can be, for example, services ({{ic|.service}}), mount points ({{ic|.mount}}), devices ({{ic|.device}}) or sockets ({{ic|.socket}}).<br />
When using {{ic|systemctl}}, you generally have to specify the complete name of the unit file, including its suffix, for example {{ic|sshd.socket}}. There are however a few shortforms when specifying the unit in the following {{ic|systemctl}} commands:<br />
* If you don't specify the suffix, systemctl will assume {{ic|.service}}. For example, {{ic|netcfg}} and {{ic|netcfg.service}} are treated as equivalent.<br />
* Mount points will automatically be translated into the appropriate {{ic|.mount}} unit. For example, specifying {{ic|/home}} is equivalent to {{ic|home.mount}}.<br />
* Similar to mount points, devices are automatically translated into the appropriate {{ic|.device}} unit, therefore specifying {{ic|/dev/sda2}} is equivalent to {{ic|dev-sda2.device}}.<br />
<br />
See {{ic|man systemd.unit}} for details.<br />
<br />
Activate a unit immediately:<br />
<br />
{{bc|# systemctl start <unit>}}<br />
<br />
Deactivate a unit immediately:<br />
<br />
{{bc|# systemctl stop <unit>}}<br />
<br />
Restart a unit:<br />
<br />
{{bc|# systemctl restart <unit>}}<br />
<br />
Ask a unit to reload its configuration:<br />
<br />
{{bc|# systemctl reload <unit>}}<br />
<br />
Show the status of a unit, including whether it is running or not:<br />
<br />
{{bc|$ systemctl status <unit>}}<br />
<br />
Check whether a unit is already enabled or not:<br />
<br />
{{bc|$ systemctl is-enabled <unit>}}<br />
<br />
Enable a unit to be started on bootup:<br />
<br />
{{bc|# systemctl enable <unit>}}<br />
<br />
{{Note| If services do not have an Install section, it usually means they are called automatically by other services. But if you need to install them manually, use the following command, replacing "foo" with the name of the service.<br />
<br />
{{bc|# ln -s /usr/lib/systemd/system/foo.service /etc/systemd/system/graphical.target.wants/}}<br />
<br />
}}<br />
<br />
Disable a unit to not start during bootup:<br />
<br />
{{bc|# systemctl disable <unit>}}<br />
<br />
Show the manual page associated with a unit (this has to be supported by the unit file):<br />
<br />
{{bc|$ systemctl help <unit>}}<br />
<br />
=== Power Management ===<br />
<br />
If you are in a local ConsoleKit user session and no other session is active, the following commands will work without root privileges. If not (for example, because another user is logged into a tty), systemd will automatically ask you for the root password.<br />
<br />
Shut down and reboot the system:<br />
<br />
{{bc|$ systemctl reboot}}<br />
<br />
Shut down and power-off the system:<br />
<br />
{{bc|$ systemctl poweroff}}<br />
<br />
Shut down and halt the system:<br />
<br />
{{bc|$ systemctl halt}}<br />
<br />
Suspend the system:<br />
<br />
{{bc|$ systemctl suspend}}<br />
<br />
Hibernate the system:<br />
<br />
{{bc|$ systemctl hibernate}}<br />
<br />
== Runlevels/targets ==<br />
Runlevels are a legacy concept in systemd. Systemd uses ''targets'', which serve a similar purpose to runlevels but act a little differently. Each ''target'' is named instead of numbered and is intended to serve a specific purpose with the possibility of having multiple ones active at the same time. Some ''targets'' are implemented by inheriting all of the services of another ''target'' and adding additional services to it. There are systemd ''target''s that mimic the common SystemVinit runlevels so you can still switch ''target''s using the familiar {{ic|telinit RUNLEVEL}} command. <br />
<br />
=== Get current runlevel/targets ===<br />
The following should be used under systemd instead of {{ic|runlevel}}:<br />
{{bc|1=# systemctl list-units --type=target}}<br />
<br />
=== Create custom target ===<br />
The runlevels that are assigned a specific purpose on vanilla Fedora installs (0, 1, 3, 5, and 6) have a 1:1 mapping with a specific systemd ''target''. Unfortunately, there is no good way to do the same for the user-defined runlevels like 2 and 4. If you make use of those it is suggested that you make a new named systemd ''target'' as {{ic|/etc/systemd/system/<your target>}} that takes one of the existing runlevels as a base (you can look at {{ic|/usr/lib/systemd/system/graphical.target}} as an example), make a directory {{ic|/etc/systemd/system/<your target>.wants}}, and then symlink the additional services from {{ic|/usr/lib/systemd/system/}} that you wish to enable.<br />
<br />
=== Targets table ===<br />
{| border="1"<br />
!SysV Runlevel!!Systemd Target!!Notes<br />
|-<br />
| 0 || runlevel0.target, poweroff.target || Halt the system.<br />
|-<br />
| 1, s, single || runlevel1.target, rescue.target || Single user mode.<br />
|-<br />
| 2, 4 || runlevel2.target, runlevel4.target, multi-user.target || User-defined/Site-specific runlevels. By default, identical to 3.<br />
|-<br />
| 3 || runlevel3.target, multi-user.target || Multi-user, non-graphical. Users can usually login via multiple consoles or via the network.<br />
|-<br />
| 5 || runlevel5.target, graphical.target || Multi-user, graphical. Usually has all the services of runlevel 3 plus a graphical login.<br />
|-<br />
| 6 || runlevel6.target, reboot.target || Reboot<br />
|-<br />
| emergency || emergency.target || Emergency shell<br />
|-<br />
|}<br />
<br />
=== Change current runlevels ===<br />
In systemd runlevels are exposed via "target units". You can change them like this:<br />
{{bc|# systemctl isolate graphical.target}}<br />
This will only change the current runlevel, and has no effect on the next boot. This is equivalent to commands such as {{ic|telinit 3}} or {{ic|telinit 5}} in Sysvinit.<br />
<br />
=== Change default runlevel/target to boot into ===<br />
The standard target is {{ic|default.target}}, which is aliased by default to {{ic|graphical.target}} (which roughly corresponds to the old runlevel 5). To change the default target at boot-time, append one of the following kernel parameters to your bootloader:<br />
* {{ic|1=systemd.unit=multi-user.target}} (which roughly corresponds to the old runlevel 3),<br />
* {{ic|1=systemd.unit=rescue.target}} (which roughly corresponds to the old runlevel 1).<br />
<br />
Alternatively, you may leave the bootloader alone and change {{ic|default.target}}. This can be done using {{ic|systemctl}}:<br />
{{bc|# systemctl enable multi-user.target}}<br />
<br />
The effect of this command is printed by {{ic|systemctl}}; a symlink to the new default target is made at {{ic|/etc/systemd/system/default.target}}. This works if, and only if:<br />
{{bc|<nowiki><br />
[Install]<br />
Alias=default.target</nowiki>}}<br />
is in the target's configuration file. Currently, {{ic|multi-user.target}} and {{ic|graphical.target}} both have it.<br />
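The custom-target procedure and the {{ic|Alias&#61;default.target}} condition described above, as an added example that is not part of the original page. It stages everything under a temporary root; the target name {{ic|site}}, the service names and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a site-specific target in a staging root and check
# which targets "systemctl enable" could turn into default.target.
# "site", the unit names and the staging tree are constructed.

# make_custom_target ROOT NAME BASE [UNIT...]
# Writes ROOT/etc/systemd/system/NAME.target on top of BASE.target and links
# each packaged UNIT into NAME.target.wants.
make_custom_target() {
    root=$1 name=$2 base=$3
    shift 3
    etc="$root/etc/systemd/system"
    lib="$root/usr/lib/systemd/system"

    # Requires= can only be satisfied if the base target is really shipped.
    [ -f "$lib/$base.target" ] || { echo "no such base: $base.target" >&2; return 1; }

    mkdir -p "$etc/$name.target.wants" || return 1
    cat > "$etc/$name.target" <<EOF
[Unit]
Description=Site-specific target on top of $base.target
Requires=$base.target
After=$base.target
AllowIsolate=yes
EOF

    for unit in "$@"; do
        # Link only units that exist; a dangling symlink enables nothing.
        if [ -f "$lib/$unit" ]; then
            ln -sf "/usr/lib/systemd/system/$unit" "$etc/$name.target.wants/$unit"
        else
            echo "skipping $unit: not shipped in /usr/lib/systemd/system" >&2
        fi
    done
    return 0
}

# has_default_alias UNIT_FILE
# Succeeds when the [Install] section contains Alias=default.target.
has_default_alias() {
    awk '
        /^\[/ { in_install = ($0 == "[Install]"); next }
        in_install && /^Alias=/ {
            n = split(substr($0, 7), names, " ")
            for (i = 1; i <= n; i++) if (names[i] == "default.target") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

demo() {
    stage=$(mktemp -d) || return 1
    mkdir -p "$stage/usr/lib/systemd/system"
    # Constructed stand-ins for the packaged units.
    printf '[Unit]\nDescription=Multi-User\nAllowIsolate=yes\n\n[Install]\nAlias=default.target\n' \
        > "$stage/usr/lib/systemd/system/multi-user.target"
    : > "$stage/usr/lib/systemd/system/sshd.service"
    : > "$stage/usr/lib/systemd/system/cronie.service"

    make_custom_target "$stage" site multi-user sshd.service cronie.service
    ls -l "$stage/etc/systemd/system/site.target.wants"

    for t in "$stage/usr/lib/systemd/system/multi-user.target" \
             "$stage/etc/systemd/system/site.target"; do
        if has_default_alias "$t"; then
            echo "${t##*/}: systemctl enable can make this the default"
        else
            echo "${t##*/}: no Alias=default.target, enable will not change the default"
        fi
    done
    rm -rf "$stage"
}
demo
```

The generated {{ic|site.target}} has no {{ic|[Install]}} section, so it can be reached with {{ic|systemctl isolate}} but not made the boot default through {{ic|systemctl enable}} until the alias is added.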
<br />
== Running DEs under systemd ==<br />
<br />
=== Using display manager ===<br />
To enable graphical login, run your preferred [[Display Manager]] daemon (e.g. [[KDM]]). At the moment, service files exist for [[GDM]], [[KDM]], [[SLiM]], [[XDM]] and [[LXDM]].<br />
<br />
{{bc|# systemctl enable kdm.service}}<br />
<br />
This should work out of the box. If not, you might have a {{ic|default.target}} set manually or from an older install:<br />
<br />
{{hc|# ls -l /etc/systemd/system/default.target|/etc/systemd/system/default.target -> /usr/lib/systemd/system/graphical.target}}<br />
<br />
Simply delete the symlink and systemd will use its stock {{ic|default.target}} (i.e. {{ic|graphical.target}}).<br />
<br />
{{bc|# rm /etc/systemd/system/default.target}}<br />
<br />
If {{ic|/etc/locale.conf}} is used for setting the locale, add an entry to {{ic|/etc/environment}}:<br />
{{hc|/etc/environment|<nowiki><br />
LANG=en_US.utf8</nowiki>}}<br />
<br />
=== Using service file ===<br />
{{Note|Using this method there will be no PAM session created for your user. Therefore ConsoleKit (which gives you access to shutdown/reboot, audio devices etc.) will not work properly. For the recommended way, see: [[Automatic_login_to_virtual_console#With_systemd]].}}<br />
If you are only looking for a simple way to start X directly without a display manager, you can create a service file similar to this:<br />
<br />
{{hc|/etc/systemd/system/graphical.target.wants/xinit.service|<nowiki><br />
[Unit]<br />
Description=Direct login to X<br />
After=systemd-user-sessions.service<br />
<br />
[Service]<br />
ExecStart=/bin/su <username> -l -c "/bin/bash --login -c xinit"<br />
<br />
[Install]<br />
WantedBy=graphical.target<br />
</nowiki>}}<br />
<br />
== Systemd Journal ==<br />
Since version 38, systemd has its own logging system, the journal.<br />
<br />
By default, running a syslog daemon is no longer required. To read the log, use:<br />
{{bc|# journalctl}}<br />
The journal writes to {{ic|/run/systemd/journal}}, meaning logs will be lost on reboot. For non-volatile logs, create {{ic|/var/log/journal/}}:<br />
{{bc|# mkdir /var/log/journal/}}<br />
<br />
=== Filtering output ===<br />
<br />
{{ic|journalctl}} allows you to filter the output by specific fields.<br />
<br />
Examples:<br />
<br />
Show all messages by a specific executable:<br />
{{bc|# journalctl /usr/lib/systemd/systemd}}<br />
<br />
Show all messages by a specific process:<br />
{{bc|1=# journalctl _PID=1}}<br />
<br />
Show all messages by a specific unit:<br />
{{bc|1=# journalctl _SYSTEMD_UNIT=netcfg.service}}<br />
<br />
See {{ic|man journalctl}} and {{ic|systemd.journal-fields}} for details.<br />
<br />
=== Journal size limit ===<br />
<br />
If the journal is made non-volatile, its size limit is set to a default value of 10% of the size of the respective file system. E.g. with {{ic|/var/log/journal}} located on a 50GiB root partition this would lead to 5GiB of journal data. The maximum size of the persistent journal can be controlled by {{ic|SystemMaxUse}} in {{ic|/etc/systemd/journald.conf}}, so to limit it for example to 50MiB uncomment and edit the corresponding line to:<br />
{{bc|1=SystemMaxUse=50M}}<br />
Look at {{ic|man journald.conf}} for more info.<br />
<br />
===Journald in conjunction with a classic syslog daemon===<br />
Compatibility with classic syslog implementations is provided via a<br />
socket {{ic|/run/systemd/journal/syslog}}, to which all messages are forwarded.<br />
To make the syslog daemon work with the journal, it has to bind to this socket instead of {{ic|/dev/log}} ([http://lwn.net/Articles/474968/ official announcement]). For syslog-ng change {{ic|/etc/syslog-ng/syslog-ng.conf}} source section to:<br />
{{bc|<nowiki><br />
source src {<br />
unix-dgram("/run/systemd/journal/syslog");<br />
internal();<br />
file("/proc/kmsg");<br />
};</nowiki>}}<br />
<br />
and enable (or reenable) syslog-ng:<br />
{{bc|# systemctl enable syslog-ng.service}}<br />
<br />
By default, journald is configured to read from {{ic|/proc/kmsg}}, but this will collide with a syslog implementation doing the same ([http://lists.freedesktop.org/archives/systemd-devel/2012-January/004310.html systemd-devel post]). Disable reading {{ic|/proc/kmsg}} by {{ic|systemd-journald}} in {{ic|/etc/systemd/journald.conf}}:<br />
{{bc|1=ImportKernel=no}}<br />
<br />
== Network ==<br />
=== Dynamic (DHCP) ===<br />
If you simply want to use DHCP for your ethernet connection, you can use {{ic|dhcpcd@.service}} (provided by the {{Pkg|dhcpcd}} package).<br />
To enable DHCP for {{ic|eth0}}, simply use:<br />
{{bc|# systemctl start dhcpcd@eth0.service}}<br />
<br />
You can enable the service to automatically start at boot with:<br />
{{bc|# systemctl enable dhcpcd@.service}}<br />
Note that this will enable the service for {{ic|eth0}} by default. If you want to use another interface, you have to create the symlink manually, e.g.:<br />
{{bc|# ln -s '/usr/lib/systemd/system/dhcpcd@.service' '/etc/systemd/system/multi-user.target.wants/dhcpcd@eth1.service'}}<br />
<br />
=== Other configurations ===<br />
For static, wireless or advanced network configuration like bridging you can use [[netcfg]] or [[NetworkManager]] which both provide systemd service files.<br />
<br />
If you need a static ethernet configuration, but don't want to use [[netcfg]], there is a custom service file available on the [[Systemd/Services#Network|Systemd/Services page]].<br />
<br />
{{Note|If using [[NetworkManager]] enable {{ic|NetworkManager-wait-online.service}} to force units dependent on {{ic|network.target}} to wait for a network connection to be completed before starting.}}<br />
<br />
== Arch integration ==<br />
=== Initscripts emulation ===<br />
Integration with Arch's classic configuration is provided by the {{Pkg|initscripts}} package. This is simply meant as a transitional measure to ease users' move to systemd.<br />
<br />
{{ic|/etc/inittab}} is not used at all.<br />
<br />
==== rc.conf ====<br />
Some variables in {{ic|/etc/rc.conf}} are respected by this glue work. For a pure systemd setup it is recommended to use the [[Systemd#Native_systemd_configuration_files|native systemd configuration files]] which will take precedence over {{ic|/etc/rc.conf}}.<br />
<br />
Supported variables:<br />
* LOCALE<br />
* KEYMAP<br />
* CONSOLEFONT<br />
* CONSOLEMAP<br />
* HOSTNAME<br />
<br />
Not supported variables and systemd configuration:<br />
* TIMEZONE: Please symlink {{Ic|/etc/localtime}} to your zoneinfo file manually.<br />
* HARDWARECLOCK: See [[Systemd#Hardware clock time|Hardware clock time]].<br />
* USELVM: use {{ic|lvm.service}} provided by {{Pkg|systemd-arch-units}} instead.<br />
* USECOLOR<br />
* MODULES<br />
* DAEMONS<br />
<br />
=== Total conversion to native systemd ===<br />
{{Note|This is the preferred method, where the system does not rely on {{ic|rc.conf}} centralised configuration anymore, but uses native systemd configuration files.}}<br />
<br />
Follow system configuration as explained in [[#Native_systemd_configuration_files]]. Each file replaces one section of {{ic|/etc/rc.conf}} as shown in that table:<br />
{| class="wikitable"<br />
|-<br />
! scope="col"| Configuration<br />
! scope="col"| Configuration file(s)<br />
! scope="col"| Legacy {{ic|/etc/rc.conf}} section<br />
|-<br />
| align="center"|Hostname<br />
| align="left"|{{ic|/etc/hostname}}<br />
{{ic|/etc/hosts}}<br />
| align="center"|{{ic|NETWORKING}}<br />
|-<br />
| align="center"|Console fonts and Keymap<br />
| align="left"|{{ic|/etc/vconsole.conf}}<br />
| align="center"|{{ic|LOCALIZATION}}<br />
|-<br />
| align="center"|Locale<br />
| align="left"|{{ic|/etc/locale.conf}}<br />
{{ic|/etc/locale.gen}}<br />
| align="center"|{{ic|LOCALIZATION}}<br />
|-<br />
| align="center"|Timezone<br />
| align="left"|{{ic|/etc/timezone}}<br />
{{ic|/etc/localtime}}<br />
| align="center"|{{ic|LOCALIZATION}}<br />
|-<br />
| align="center"|Hardware clock<br />
| align="left"|{{ic|/etc/adjtime}}<br />
| align="center"|{{ic|LOCALIZATION}}<br />
|-<br />
| align="center"|Kernel modules<br />
| align="left"|{{ic|/etc/modules-load.d/}}<br />
| align="center"|{{ic|HARDWARE}}<br />
|}<br />
<br />
For legacy purposes, the '''DAEMONS''' section in {{ic|/etc/rc.conf}} is still compatible with systemd and can be used to start services at boot, even with a "pure" systemd service management. Alternatively, you may remove the {{ic|/etc/rc.conf}} file entirely and enable services in systemd. For each {{ic|<service_name>}} in the '''DAEMONS''' array in {{ic|/etc/rc.conf}}, type:<br />
{{bc|# systemctl enable <service_name>.service}}<br />
{{Tip|For a list of commonly used daemons with their initscripts and systemd equivalents, see [[Daemon#List_of_Daemons|this table]].}}<br />
<br />
If {{ic|<service_name>.service}} does not exist:<br />
* the service file may not be available for systemd. In that case, you'll need to keep {{ic|rc.conf}} to start the service during boot up.<br />
* systemd may name services differently, e.g. {{ic|cronie.service}} replaces {{ic|crond}} init daemon; {{ic|alsa-store.service}} and {{ic|alsa-restore.service}} replace the {{ic|alsa}} init daemon. Another important instance is the {{ic|network}} daemon, which is replaced with another set of service files (see [[#Network]] for more details.)<br />
{{Tip|you may look inside a package that contains daemon start scripts for service names. For instance:<br />
# pacman -Ql cronie<br />
[...]<br />
cronie /etc/rc.d/crond #<-- daemon initscript listed in the DAEMONS array (unused in a "pure" systemd configuration)<br />
[...]<br />
cronie /usr/lib/systemd/system/cronie.service #<-- corresponding systemd daemon service<br />
[...]<br />
}}<br />
* systemd will automatically handle the start order of these daemons.<br />
* some services do not need to be explicitly enabled by the user. For instance, {{ic|dbus.service}} will automatically be enabled when {{ic|dbus-core}} is installed. Check the list of available services and their state using the {{ic|systemctl}} command.<br />
<br />
== FAQ ==<br />
For an up-to-date list of known issues, look at the upstream [http://cgit.freedesktop.org/systemd/systemd/tree/TODO TODO].<br />
<br />
{{FAQ<br />
|question=Why are my console fonts ugly?<br />
|answer=If no font is set in {{ic|/etc/vconsole.conf}} (or alternatively {{ic|/etc/rc.conf}}), then a standard font will be used. The standard font is chosen due to it supporting a wide range of character sets. Set your preferred font to fix the issue.}}<br />
<br />
{{FAQ<br />
|question=Why do I get log messages on my console?<br />
|answer=You must set the kernel loglevel yourself. Historically, {{ic|/etc/rc.sysinit}} did this for us and set dmesg loglevel to {{ic|3}}, which was a reasonably quiet loglevel. Either add {{ic|1=loglevel=3}} or {{ic|quiet}} to your kernel cmdline.}}<br />
<br />
{{FAQ<br />
|question=How do I make a custom unit file?<br />
|answer=The unit files in {{ic|/etc/systemd/system/}} take precedence over the ones in {{ic|/usr/lib/systemd/system/}}. To make your own version of a unit (which will not be destroyed by an upgrade), copy the old unit file from {{ic|/usr/lib/}} to {{ic|/etc/}} and make your changes there. Alternatively you can use {{ic|.include}} to parse an existing service file and then add new options. For example, if you simply want to add an additional dependency to a service file, you may use:<br />
{{hc|/etc/systemd/system/<service-name>.service|<br />
<nowiki><br />
.include /usr/lib/systemd/system/<service-name>.service<br />
<br />
[Unit]<br />
Requires=<new dependency><br />
After=<new dependency><br />
</nowiki>}}<br />
}}<br />
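Because a unit in {{ic|/etc/systemd/system/}} silently wins over the packaged one, it is worth reviewing which units are overridden locally and how. The following is an added example, not part of the original page: the function names and the constructed sample tree are assumptions, and it reads a staging root rather than the live system.

```shell
#!/bin/sh
# Added example: list units in ROOT/etc/systemd/system that take precedence
# over a packaged unit of the same name in ROOT/usr/lib/systemd/system.

# list_overrides ROOT
# Output, one line per overriding unit:
#   <unit> symlink <target>   alias such as default.target
#   <unit> include <path>     local file extends another unit via .include
#   <unit> full identical     plain copy, no local change yet
#   <unit> full modified      local file replaces the packaged unit
list_overrides() {
    etc="$1/etc/systemd/system"
    lib="$1/usr/lib/systemd/system"
    for f in "$etc"/*; do
        unit=${f##*/}
        # *.wants directories hold enablement symlinks, not overrides.
        if [ -d "$f" ] && [ ! -L "$f" ]; then continue; fi
        # Only names that also exist as packaged units are overrides.
        if [ ! -e "$lib/$unit" ] && [ ! -L "$lib/$unit" ]; then continue; fi

        if [ -L "$f" ]; then
            echo "$unit symlink $(readlink "$f")"
        else
            inc=$(sed -n 's/^\.include[[:space:]][[:space:]]*//p' "$f" | head -n 1)
            if [ -n "$inc" ]; then
                echo "$unit include $inc"
            elif cmp -s "$f" "$lib/$unit"; then
                echo "$unit full identical"
            else
                echo "$unit full modified"
            fi
        fi
    done
    return 0
}

# build_sample ROOT: constructed tree with one unit of each kind.
build_sample() {
    lib="$1/usr/lib/systemd/system"
    etc="$1/etc/systemd/system"
    mkdir -p "$lib" "$etc/multi-user.target.wants"
    printf '[Service]\nExecStart=/usr/bin/sshd -D\n' > "$lib/sshd.service"
    printf '[Service]\nExecStart=/usr/bin/cupsd -f\n' > "$lib/cups.service"
    printf '[Service]\nExecStart=/usr/bin/crond -n\n' > "$lib/cronie.service"
    : > "$lib/multi-user.target"
    ln -s graphical.target "$lib/default.target"

    # Local files: a changed copy, an .include wrapper, an untouched copy,
    # a default.target alias and a purely local unit with no packaged twin.
    printf '[Service]\nExecStart=/usr/bin/sshd -D -p 2222\n' > "$etc/sshd.service"
    printf '.include /usr/lib/systemd/system/cups.service\n\n[Unit]\nRequires=network.target\nAfter=network.target\n' \
        > "$etc/cups.service"
    cp "$lib/cronie.service" "$etc/cronie.service"
    ln -s /usr/lib/systemd/system/multi-user.target "$etc/default.target"
    printf '[Service]\nExecStart=/usr/local/bin/backup\n' > "$etc/backup.service"
}

demo() {
    stage=$(mktemp -d) || return 1
    build_sample "$stage"
    list_overrides "$stage"
    rm -rf "$stage"
}
demo
```

A {{ic|full modified}} entry is the case to look at after upgrades, since changes the package makes to its own unit file no longer reach the running configuration.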
{{FAQ<br />
|question=How do I change the number of gettys running by default?<br />
|answer=To add another getty:<br />
<br />
Simply place another symlink for instantiating another getty in the {{ic|/etc/systemd/system/getty.target.wants/}} directory:<br />
<br />
{{bc|<nowiki># ln -sf /usr/lib/systemd/system/getty@.service /etc/systemd/system/getty.target.wants/getty@tty9.service<br />
# systemctl daemon-reload<br />
# systemctl start getty@tty9.service</nowiki>}}<br />
<br />
To remove a getty:<br />
<br />
Simply remove the getty symlinks you want to get rid of in the {{ic|/etc/systemd/system/getty.target.wants/}} directory:<br />
<br />
{{bc|<nowiki># rm /etc/systemd/system/getty.target.wants/getty@tty5.service /etc/systemd/system/getty.target.wants/getty@tty6.service<br />
# systemctl daemon-reload<br />
# systemctl stop getty@tty5.service getty@tty6.service</nowiki>}}<br />
<br />
systemd does not use the {{ic|/etc/inittab}} file.<br />
<br />
{{Note|As of systemd 30, only 1 getty will be launched by default. If you switch to another tty, a getty will be launched there (socket-activation style). You can still force additional agetty processes to start using the above methods.}}}}<br />
<br />
{{FAQ<br />
|question=How do I get more verbose output during boot?<br />
|answer=If you see no output at all in console after the initram message, this means you have the {{ic|quiet}} parameter in your kernel line. It's best to remove it, at least the first time you boot with systemd, to see if everything is OK. You will then see a list of [ OK ] in green or [ FAILED ] in red.<br />
<br />
Any messages are logged to the system log and if you want to find out about the status of your system run {{ic|$ systemctl}} or look at the boot/system log with {{ic|journalctl}}.<br />
}}<br />
<br />
{{FAQ<br />
|question=How do I avoid clearing the console after boot?<br />
|answer=Create a custom getty@tty1.service file<br />
<br />
Copy /usr/lib/systemd/system/getty@.service to /etc/systemd/system/getty.target.wants/getty@tty1.service, and then edit the file:<br />
* add --noclear to the ExecStart line after agetty<br />
* switch TTYVTDisallocate to no<br />
}}<br />
<br />
{{FAQ<br />
|question=What kernel options do I need to enable in my kernel in case I do not use the official Arch kernel?<br />
|answer=Kernels prior to 2.6.39 are unsupported.<br />
<br />
This is a partial list of required/recommended options, there might be more:<br />
<br />
{{bc|<nowiki><br />
CONFIG_AUDIT=y (recommended)<br />
CONFIG_AUDIT_LOGINUID_IMMUTABLE=y (not required, may break sysvinit compat)<br />
CONFIG_CGROUPS=y<br />
CONFIG_IPV6=[y|m] (highly recommended)<br />
CONFIG_UEVENT_HELPER_PATH="" (if you don't use an initramfs)<br />
CONFIG_DEVTMPFS=y<br />
CONFIG_DEVTMPFS_MOUNT=y (recommended, if you don't use an initramfs)<br />
CONFIG_RTC_DRV_CMOS=y (highly recommended)<br />
CONFIG_FANOTIFY=y (required for readahead)<br />
CONFIG_AUTOFS4_FS=[y|m]<br />
CONFIG_TMPFS_POSIX_ACL=y (recommended, if you want to use pam_systemd.so)<br />
</nowiki>}}}}<br />
<br />
{{FAQ<br />
|question=What other units does a unit depend on?<br />
|answer=For example, if you want to figure out which services a target like {{ic|multi-user.target}} pulls in, use something like this: <br />
{{hc|$ systemctl show -p "Wants" multi-user.target|2=Wants=rc-local.service avahi-daemon.service rpcbind.service NetworkManager.service acpid.service dbus.service atd.service crond.service auditd.service ntpd.service udisks.service bluetooth.service cups.service wpa_supplicant.service getty.target modem-manager.service portreserve.service abrtd.service yum-updatesd.service upowerd.service test-first.service pcscd.service rsyslog.service haldaemon.service remote-fs.target plymouth-quit.service systemd-update-utmp-runlevel.service sendmail.service lvm2-monitor.service cpuspeed.service udev-post.service mdmonitor.service iscsid.service livesys.service livesys-late.service irqbalance.service iscsi.service}}<br />
<br />
Instead of {{ic|Wants}} you might also try {{ic|WantedBy}}, {{ic|Requires}}, {{ic|RequiredBy}}, {{ic|Conflicts}}, {{ic|ConflictedBy}}, {{ic|Before}}, {{ic|After}} for the respective types of dependencies and their inverse.}}<br />
<br />
{{FAQ<br />
|question=My computer shuts down, but the power stays on.<br />
|answer=Use {{ic|systemctl poweroff}} instead of {{ic|systemctl halt}}.}}<br />
<br />
== Optimization ==<br />
=== systemd-analyze ===<br />
Systemd provides a tool called {{ic|systemd-analyze}} that allows you to analyze your boot process so you can see which unit files are causing your boot process to slow down. You can then optimize your system accordingly. You have to install {{Pkg|python2-dbus}} and {{Pkg|python2-cairo}} to use it.<br />
<br />
To see how much time was spent in kernel-/userspace on boot, simply use:<br />
{{bc|$ systemd-analyze}}<br />
{{Tip|If you add the {{ic|timestamp}} hook to your {{ic|HOOKS}} array in {{ic|/etc/mkinitcpio.conf}} and rebuild your initramfs, {{ic|systemd-analyze}} will also be able to show you how much time was spent in the initramfs.}}<br />
<br />
To list the started unit files, sorted by the time each of them took to start up:<br />
{{bc|$ systemd-analyze blame}}<br />
<br />
You can also create an SVG file which describes your boot process graphically, similar to [[Bootchart]]:<br />
{{bc|$ systemd-analyze plot > plot.svg}}<br />
<br />
====Enabling bootchart in conjunction with systemd====<br />
You can use a version of bootchart to visualize the boot sequence.<br />
Since you are not able to put a second init into the kernel cmdline you won't be able to use any of the standard bootchart setups. However the {{AUR|bootchart2}} package from [[AUR]] comes with an undocumented systemd service. After you've installed bootchart2 do:<br />
{{bc|# systemctl enable bootchart.service}}<br />
Read the [https://github.com/mmeeks/bootchart bootchart documentation] for further details on using this version of bootchart.<br />
<br />
=== Shell Shortcuts ===<br />
Systemd daemon management requires a bit more text entry to accomplish tasks such as starting, stopping, enabling and checking the status of services. The following functions can be added to one's {{ic|~/.bashrc}} to help streamline interactions with systemd and to improve the overall experience.<br />
<br />
<pre>if ! systemd-notify --booted; then # not using systemd<br />
  start() {<br />
    sudo rc.d start "$1"<br />
  }<br />
<br />
  restart() {<br />
    sudo rc.d restart "$1"<br />
  }<br />
<br />
  stop() {<br />
    sudo rc.d stop "$1"<br />
  }<br />
else # systemd is running, map the same names to systemctl<br />
  start() {<br />
    sudo systemctl start "$1"<br />
  }<br />
<br />
  restart() {<br />
    sudo systemctl restart "$1"<br />
  }<br />
<br />
  stop() {<br />
    sudo systemctl stop "$1"<br />
  }<br />
<br />
  enable() {<br />
    sudo systemctl enable "$1"<br />
  }<br />
<br />
  status() {<br />
    sudo systemctl status "$1"<br />
  }<br />
<br />
  disable() {<br />
    sudo systemctl disable "$1"<br />
  }<br />
fi<br />
</pre><br />
<br />
=== Less output ===<br />
Change {{ic|verbose}} to {{ic|quiet}} on the kernel line in GRUB. For some systems, particularly those with an SSD, the slow performance of the TTY is actually a bottleneck, and so less output means faster booting.<br />
<br />
=== Early start ===<br />
One central feature of systemd is dbus and socket activation; this causes services to be started when they are first accessed, and is generally a good thing. However, if you know that a service (like console-kit) will always be started during boot, then the overall boot time might be reduced by starting it as early as possible. This can be achieved (if the service file is set up for it, which in most cases it is) by issuing:<br />
<br />
{{bc|# systemctl enable console-kit-daemon.service}}<br />
<br />
This will cause systemd to start console-kit as soon as possible, without causing races with the socket or dbus activation.<br />
<br />
=== Automount ===<br />
The default setup will fsck and mount all filesystems before starting most daemons and services. If you have a large {{ic|/home}} partition, it might be better to allow services that do not depend on {{ic|/home}} to start while {{ic|/home}} is being fsck'ed. This can be achieved by adding the following options to the fstab entry of your {{ic|/home}} partition:<br />
<br />
noauto,x-systemd.automount<br />
<br />
This will fsck and mount {{ic|/home}} when it is first accessed, and the kernel will buffer all file access to {{ic|/home}} until it is ready.<br />
<br />
If you have encrypted filesystems with keyfiles, you can also add the {{ic|noauto}} parameter to the corresponding entries in {{ic|/etc/crypttab}}. systemd will then not open the encrypted device on boot, but instead wait until it is actually accessed and then automatically open it with the specified keyfile before mounting it. This might save a few seconds on boot if you are using an encrypted RAID device for example, because systemd doesn't have to wait for the device to become available. For example:<br />
{{hc|/etc/crypttab|data /dev/md0 /root/key noauto}}<br />
<br />
=== Readahead ===<br />
systemd comes with its own readahead implementation, which should in principle improve boot time. However, depending on your kernel version and the type of your hard drive, your mileage may vary (i.e. it might be slower). To enable, do:<br />
<br />
{{bc|<nowiki># systemctl enable systemd-readahead-collect.service systemd-readahead-replay.service</nowiki>}}<br />
<br />
Remember that in order for the readahead to work its magic, you should reboot a couple of times.<br />
<br />
=== User sessions ===<br />
systemd can divide user sessions into cgroups. Add {{ic|session optional pam_systemd.so}} to your relevant {{ic|/etc/pam.d/}} files (e.g., {{ic|login}} for tty logins, {{ic|sshd}} for remote access, {{ic|kde}} for password kdm logins, {{ic|kde-np}} for automatic kdm logins).<br />
<br />
Before:<br />
{{hc|$ systemd-cgls systemd:/system/getty@.service|<br />
systemd:/system/getty@.service:<br />
├ tty5<br />
│ └ 904 /sbin/agetty tty5 38400<br />
├ tty2<br />
│ ├ 13312 /bin/login --<br />
│ └ 15765 -zsh<br />
[…]}}<br />
After:<br />
{{hc|$ systemd-cgls systemd:/user/example/|<br />
systemd:/user/example/:<br />
├ 4<br />
│ ├ 902 /bin/login --<br />
│ └ 16016 -zsh<br />
[…]}}<br />
<br />
Further, you can replace [[ConsoleKit]]'s functionality with systemd. To do this, {{Pkg|polkit}} needs to be rebuilt from [[ABS]] with systemd enabled ({{ic|--enable-systemd}}), and stuff like USB automounting will work without consolekit. DBus supports systemd since version 1.6.0, so there is no longer any need to build it from Git.<br />
<br />
== Troubleshooting ==<br />
=== Shutdown/Reboot takes terribly long ===<br />
If the shutdown process takes a very long time (or seems to freeze) most likely a service not exiting is to blame. systemd waits some time for each service to exit before trying to kill it.<br />
To find out if you are affected see [http://freedesktop.org/wiki/Software/systemd/Debugging#Shutdown_Completes_Eventually this article].<br />
==== SLiM and xfce-session ====<br />
One setup that can produce a shutdown freeze is Xfce in conjunction with SLiM: Shutting down/rebooting using xfce-session will cause slim.service to hang for half a minute until systemd kills it the hard way.<br />
One workaround is to create a modified slim.service:<br />
{{hc|/etc/systemd/system/slim.service|<nowiki><br />
[Unit]<br />
Description=SLiM Simple Login Manager<br />
After=systemd-user-sessions.service<br />
<br />
[Service]<br />
Type=forking<br />
PIDFile=/var/lock/slim.lock<br />
ExecStart=/usr/bin/slim -d<br />
ExecStop=/bin/kill -9 $MAINPID<br />
ExecStopPost=/bin/rm /var/lock/slim.lock<br />
<br />
[Install]<br />
WantedBy=graphical.target</nowiki>}}<br />
This causes SLiM to be terminated using SIGKILL. Since the lock file is also removed this does not cause a problem.<br />
<br />
=== If the CUPS service isn't starting on demand ===<br />
I found on my machine, even after running "systemctl enable cups.service", cups would never work until I manually issued "systemctl start cups.service". To remedy this you can manually symlink the cups service so it's automatically started at boot: {{bc|<nowiki># sudo ln -s '/usr/lib/systemd/system/cups.service' '/etc/systemd/system/multi-user.target.wants/cups.service'</nowiki>}}<br />
<br />
== See also==<br />
*[http://www.freedesktop.org/wiki/Software/systemd Official Web Site]<br />
*[http://0pointer.de/public/systemd-man/ Manual Pages]<br />
*[http://freedesktop.org/wiki/Software/systemd/Optimizations systemd Optimizations]<br />
*[http://www.freedesktop.org/wiki/Software/systemd/FrequentlyAskedQuestions FAQ]<br />
*[http://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks Tips And Tricks]<br />
*[http://0pointer.de/public/systemd-ebook-psankar.pdf systemd for Administrators (PDF)]<br />
*[http://en.gentoo-wiki.com/wiki/Systemd About systemd in Gentoo Wiki]<br />
*[http://fedoraproject.org/wiki/Systemd About systemd on Fedora Project]<br />
*[http://fedoraproject.org/wiki/How_to_debug_Systemd_problems How to debug Systemd problems]<br />
*[https://docs.google.com/document/pub?id=1IC9yOXj7j6cdLLxWEBAGRL6wl97tFxgjLUEHIX3MSTs Background information about systemd journal]<br />
*[http://www.h-online.com/open/features/Booting-up-Tools-and-tips-for-systemd-1570630.html Booting up: Tools and tips for systemd, a Linux init tool. In The H]</div>Jjackyhttps://wiki.archlinux.org/index.php?title=AUR_helpers/Graphical&diff=189596AUR helpers/Graphical2012-03-15T18:23:19Z<p>Jjacky: /* System Tray Notifiers */ added kalu</p>
<hr />
<div>[[Category:Arch User Repository (English)]]<br />
[[Category:Package management (English)]]<br />
{{i18n|Pacman GUI Frontends}}<br />
<br />
This is a list of frontends for the [[pacman]] CLI tool. The list includes full featured GUI frontends, informational tools, and a variety of system tray notifiers. The list also includes categories for Gtk2 based and Qt based software.<br />
<br />
{{Warning|None of these tools are officially supported by Arch Linux/Pacman developers.}}<br />
<br />
== Pacman Frontends ==<br />
=== X11 ===<br />
* {{App|1=PacmanXG|2=GUI front-end for pacman. It does not depend on either GTK or Qt, just X. This graphical tool allows you to do the following:<br />
:* Install/remove/upgrade packages<br />
:* Search packages / filter packages<br />
:* Retrieve package info including screenshots<br />
:* Downgrade packages (need downgrade utility from AUR)<br />
:* Refresh package database, synchronize mirrors.<br />
:* Update system in one click<br />
:* YAOURT support (in testing)<br />
:'''Screenshots''' http://almin-soft.nx0.ru/photo-cat-photo-cat-pacmanxg.html <br><br />
:'''Direct link to binary:''' http://almin-soft.nx0.ru/media/files/binaries/download.php?get=pacmanXG.tar.bz2<br />
|3=http://almin-soft.nx0.ru/openiandifree/pacmanxg.html|4={{AUR|pacmanxg-bin}}}}<br />
<br />
=== GNOME/GTK+ ===<br />
* {{App|Wakka|gtk based package manager for Arch Linux, derived from the work done on GtkPacman. The goal is to clean up the code and rework the program to be stable and extensible.<br />
:'''Screenshots:''' http://mibloglinux.wordpress.com/2011/05/23/wakka-interfaz-grafica-para-pacman/<br />
|https://code.google.com/p/wakka-package-manager/|{{AUR|wakka}}}}<br />
<br />
* {{App|GNOME PackageKit|distribution-agnostic collection of utilities for managing packages. Using the alpm backend, it supports the following features:<br />
:* Install and remove packages from the repos.<br />
:* Periodically refresh package databases and prompt for updates.<br />
:* Install packages from tarballs.<br />
:* Search for packages by name, description, category or file.<br />
:* Show package dependencies, files and reverse dependencies.<br />
:* Ignore IgnorePkgs and hold HoldPkgs.<br />
:* Report optional dependencies, .pacnew files, etc.<br />
:You can change the remove operation from -Rc to -Rsc by setting the DConf key org.gnome.packagekit.enable-autoremove.<br />
:{{Tip|If you do not wish to install PulseAudio, you can install {{AUR|gnome-settings-daemon-nopulse}} from the AUR.}}<br />
|http://packagekit.org/|{{Pkg|gnome-packagekit}}}}<br />
<br />
=== KDE/Qt ===<br />
* {{App|1=KPackageKit/Apper|2=GUI front-end for [http://www.packagekit.org/ PackageKit]. Pacman integration is accomplished via the {{Pkg|packagekit}}, which gained upstream support for pacman. This graphical tool allows you to do the following from KDE's systemsettings:<br />
:* Install/remove/upgrade packages<br />
:* Search packages / filter packages<br />
:* Retrieve package info<br />
:* Refresh package database<br />
:* Choose which repositories will be updated<br />
:* Automatically refresh database (Hourly, daily etc.)<br />
:* Automatically update packages<br />
:While pacman support in PackageKit is relatively new, it works with no major problems, providing ease of use, simplicity, and good integration with KDE (and PolicyKit).<br />
:'''Screenshots:''' http://kde-apps.org/content/show.php/Apper?content=84745<br />
|3=http://kde-apps.org/content/show.php/Apper?content=84745|4={{AUR|apper}}}}<br />
<br />
* {{App|1=AppSet|2=advanced and feature rich GUI front-end for Package Managers. AppSet has the following features:<br />
:* Software sections (games, office, multimedia, internet etc.)<br />
:* Shows homepages for selected packages in an embedded web browser<br />
:* Shows distributions news with an embedded feed reader<br />
:* Upgrades, installs and removes packages<br />
:* Shows available upgrades with a Tray Icon<br />
:* Updates database periodically<br />
:* Informs about dependencies (for example when trying to remove a package needed by others)<br />
:* Cache clean command (to free disk space)<br />
:* Intelligent launcher that uses what is already installed to get administrative privileges (by searching for kdesu, gksu or at last for an xterm where it starts with a sudo command)<br />
:* Now with AUR support with Packer as backend<br />
:AppSet needs only the Qt libraries as a dependency for installation. It can be used in any desktop environment. It currently works only on Arch Linux using pacman.<br />
:'''Screenshots''' http://sourceforge.net/project/screenshots.php?group_id=376825<br />
|3=http://appset.sourceforge.net/|4={{AUR|appset-qt}}}}<br />
<br />
=== NCurses ===<br />
* {{App|1=pcurses|2=package management in a curses frontend, including:<br />
:* regexp filtering and searching any package property<br />
:* customizable colorcoding<br />
:* customizable sorting<br />
:* external command execution with package list string replacements<br />
:* user defined macros and hotkeys<br />
:'''Screenshots''' https://bbs.archlinux.org/viewtopic.php?id=122749<br />
|3=https://github.com/schuay/pcurses|4={{AUR|pcurses}}}}<br />
<br />
== Pacman / AUR Package Browser ==<br />
* {{App|1=PkgBrowser|2=application for searching and browsing Arch packages, showing details on selected packages.<br />
:* Search and browse Arch packages including the AUR<br />
:* Purely an informational application that cannot be used to install, remove or update packages <br />
:* By design, is an accessory to CLI package management via pacman<br />
:* Further details on use via manual accessed from help menu<br />
:'''Forum page:''' https://bbs.archlinux.org/viewtopic.php?id=117297 <br><br />
|3=https://code.google.com/p/pkgbrowser/|4={{AUR|pkgbrowser}}}}<br />
<br />
* {{App|Pacinfo|application to browse the installed packages and show information like screenshot, installed files, installation date and others. Written in Mono/GTK#<br />
|https://code.google.com/p/pacinfo/|{{AUR|pacinfo}}}}<br />
<br />
== System Tray Notifiers ==<br />
* {{App|1=Aarchup|2=fork of archup. Has the same options as archup plus a few other features. For differences between both please check [https://bbs.archlinux.org/viewtopic.php?id=119129 changelog].<br />
:'''Screenshots''': http://i.imgur.com/yTNvg.png<br />
|3=https://github.com/aericson/aarchup/|4={{AUR|aarchup}}}}<br />
<br />
* {{App|pacman-notifier|Written in Ruby, uses Gtk. Shows an icon in the system tray and popup notifications (using libnotify) for new packages.<br />
:'''Screenshots''': https://github.com/v01d/pacman-notifier/wiki<br />
|https://github.com/v01d/pacman-notifier/wiki|{{AUR|pacman-notifier}}}}<br />
<br />
* {{App|Pacupdate|small application that notifies the user about new updates for Arch Linux. If Pacupdate finds out that an update is available, it will display a notification in the system tray|https://code.google.com/p/pacupdate/|{{AUR|pacupdate-svn}}}}<br />
<br />
* {{App|1=Yapan (Yet Another Package mAnager Notifier)|2=written in C++ and Qt. It shows an icon in the system tray and popup notifications for new packages and supports other package managers like clyde or yaourt.<br />
:'''Screenshots''': https://bitbucket.org/otsug/yapan/wiki/Home<br />
:'''Forum page''': https://bbs.archlinux.org/viewtopic.php?id=113078<br />
|3=https://bitbucket.org/otsug/yapan/wiki/Home|4={{AUR|yapan}}}}<br />
<br />
* {{App|1=ZenMan|2=PacMan frontend (tray update notifier) for GTK/GNOME/zenity/libnotify.<br />
:'''Screenshots''': http://show.harvie.cz/screenshots/zenman-screenshot-2.png<br />
|3=https://aur.archlinux.org/packages.php?ID=25948|4={{AUR|zenman}}}}<br />
<br />
* {{App|1=pkgnotify.sh|2=simple 14 line shell script that displays the number of available updates in the dzen2 title window and a list of these updates in the slave window. Depends on dzen2, inotify-tools, package-query and optionally an AUR helper (yaourt by default).<br />
:'''Screenshots''': http://andreasbwagner.tumblr.com/post/853471635/arch-linux-update-notifier-for-dzen2<br />
|3=http://pointfree.net/repo/?r=dzen2_scripts;a=headblob;f=/src/pkgnotify/pkgnotify.sh|4={{AUR?|pkgnotify}}}}<br />
<br />
* {{App|1=kalu|2=Small C application that adds an icon in the systray and can show notifications for Arch Linux News, Upgrades, AUR upgrades, and watched (AUR) upgrades (upgrades for packages not installed). Also includes a GUI system upgrader.<br />
:'''Screenshots''': http://mywaytoarch.tumblr.com/post/19350380240/keep-arch-linux-up-to-date-with-kalu<br />
:'''Forum''': https://bbs.archlinux.org/viewtopic.php?id=135773<br />
|3=https://bitbucket.org/jjacky/kalu|4=<span style="font-family: monospace">[https://aur.archlinux.org/packages.php?ID=56673 kalu]</span>}}<br />
<br />
== Inactive Software Packages ==<br />
*[http://gtkpacman.berlios.de/ GtkPacman]<br />
*[http://guzuta.berlios.de/ Guzuta]<br />
*[http://chakra-project.org/wiki/index.php/Shaman Shaman]<br />
*[http://code.google.com/p/pacmon/ pacmon]<br />
*[https://gna.org/projects/paku/ Paku]<br />
*[http://www.kde-apps.org/content/show.php/YAPG+-+Yet+Another+Pacman+Gui+?content=60052 YAPG]<br />
*[http://sourceforge.net/projects/zenitypacgui/ zenity_pacgui]</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Syslinux&diff=181995Syslinux2012-02-04T12:02:34Z<p>Jjacky: /* Manual Install - syslinux */</p>
<hr />
<div>[[Category:Boot loaders (English)]]<br />
{{i18n|Syslinux}}<br />
<br />
{{Article summary start}}<br />
{{Article summary text|Describes installing and configuring Syslinux, a collection of bootloaders.}}<br />
{{Article summary heading|Overview}}<br />
{{Article summary text|{{Boot process overview}}}}<br />
{{Article summary end}}<br />
<br />
Syslinux is a collection of boot loaders capable of booting from hard drives, CDs and over the network via PXE. It supports the fat, ext2, ext3, ext4 and btrfs file systems.<br />
<br />
{{Note|Since Syslinux 4, Extlinux and Syslinux are the same thing.}} <br />
<br />
== Syslinux Boot Process ==<br />
At boot, the computer loads the [[MBR]] ({{Filename|/usr/lib/syslinux/mbr.bin}}). The MBR then looks for the partition that is marked as active (boot flag). Once found, the volume boot record (VBR) of that partition is executed. In the case of ext2/3/4 and fat12/16/32, the starting sector of {{Filename|ldlinux.sys}} is hard-coded into the VBR, and the VBR executes {{Filename|ldlinux.sys}}. Therefore, if the location of {{Filename|ldlinux.sys}} changes, Syslinux will no longer boot. In the case of btrfs, this method does not work, since files move around and the sector location of {{Filename|ldlinux.sys}} would change. Therefore, the entire Syslinux code needs to be stored outside the file system: it is stored in the sectors following the VBR. Once Syslinux is fully loaded, it looks for a configuration file, either {{Filename|extlinux.conf}} or {{Filename|syslinux.cfg}}. If one is found, it is loaded. If no configuration file is found, you are given a Syslinux prompt.<br />
<br />
==Installation==<br />
===Automatic Install - syslinux===<br />
The syslinux-install_update script will install Syslinux, copy COM32 modules to {{Filename|/boot/syslinux}}, set the boot flag and install the MBR. It can handle MBR and GPT disks along with softraid.<br />
<br />
1. Install Syslinux<br />
pacman -S syslinux<br />
2. Make sure {{Filename|/boot}} is mounted<br/><br />
3. Run the syslinux-install_update script with -i (install), -a (set boot flag) and -m (install MBR)<br />
/usr/sbin/syslinux-install_update -iam<br />
4. Edit {{Filename|/boot/syslinux/syslinux.cfg}}<br />
<br />
===Manual Install - syslinux===<br />
{{Note| If you are unsure of which partition table you are using (MBR or GPT), you are likely using the MBR partition table. Most of the time, GPT will create a special MBR-style partition (type 0xEE) using the whole disk which will be displayed with the following command:<br />
# fdisk -l /dev/sda<br />
or alternatively<br />
# sgdisk -l /dev/sda<br />
will show " GPT: not present" if it is not a GPT disk.<br />
}}<br />
<br />
{{Note| If you are trying to rescue an installed system with a live CD, be sure to [[Change_Root|chroot]] into it before executing these commands. If you do not chroot first, you must prepend all file paths (not /dev/ paths) with the mount point.}}<br />
<br />
Make sure you have the ''syslinux'' package installed. Then install Syslinux onto your boot partition, which must contain a fat, ext2, ext3, ext4, or btrfs file system.<br />
Install it into a mounted directory, not onto a /dev/sdXY device. It does not have to go in the root directory of the file system: for example, with /dev/sda1 mounted on /boot you can install Syslinux into a folder named syslinux:<br />
# mkdir /boot/syslinux<br />
# extlinux --install /boot/syslinux <br />
<br />
====MBR Partition Table====<br />
Next, you need to mark your boot partition active in your partition table. Applications capable of doing this include fdisk, cfdisk, sfdisk and (g)parted. It should look like this:<br />
# fdisk -l /dev/sda<br />
[...]<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 * 2048 104447 51200 83 Linux<br />
/dev/sda2 104448 625142447 312519000 83 Linux<br />
<br />
Install the master boot record:<br />
# dd bs=440 conv=notrunc count=1 if=/usr/lib/syslinux/mbr.bin of=/dev/sda<br />
<!-- conv=notrunc helps if /dev/sda is actually a file not a block device --><br />
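The two steps above (boot flag, then boot code) can be checked afterwards. The following is an added example, not part of the original article or of Syslinux: it compares the boot code area with the file that was written, checks the 55 aa boot signature and lists the partitions flagged active. The function names are hypothetical, and the script runs against a constructed 512-byte image with a stand-in for mbr.bin.

```shell
#!/bin/sh
# Added example: verify the result of the MBR steps on an image or device.

# Hex string of COUNT bytes at byte OFFSET of FILE: bytes_at FILE OFFSET COUNT
bytes_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Write the bytes given as a printf escape string at OFFSET: poke FILE OFFSET BYTES
poke() {
    printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# True if the start of IMAGE is byte-identical to the boot code file MBRBIN
# (at most 440 bytes, the size of the area written by the dd command above).
mbr_bootcode_matches() {
    image=$1; mbrbin=$2
    n=$(( $(wc -c < "$mbrbin") ))
    [ "$n" -gt 0 ] && [ "$n" -le 440 ] || return 2
    dd if="$image" bs=1 count="$n" 2>/dev/null | cmp -s - "$mbrbin"
}

# Prints the numbers (1-4) of the primary partitions whose boot flag is 0x80.
active_partitions() {
    act=
    num=1
    for off in 446 462 478 494; do      # four 16-byte entries start at 446
        if [ "$(bytes_at "$1" "$off" 1)" = 80 ]; then
            act="$act${act:+ }$num"
        fi
        num=$((num + 1))
    done
    printf '%s\n' "$act"
}

# True if the sector ends with the 55 aa boot signature.
has_boot_signature() {
    [ "$(bytes_at "$1" 510 2)" = 55aa ]
}

# Full check: check_mbr IMAGE MBRBIN
check_mbr() {
    img=$1; code=$2
    mbr_bootcode_matches "$img" "$code" || { echo "boot code differs from $code"; return 1; }
    has_boot_signature "$img" || { echo "boot signature 55aa missing"; return 1; }
    flagged=$(active_partitions "$img")
    case $flagged in
        "")    echo "no partition has the boot flag"; return 1 ;;
        *" "*) echo "more than one active partition: $flagged"; return 1 ;;
    esac
    echo "ok: boot code matches, partition $flagged is active"
}

# Constructed sample: a one-sector "disk" and a 440-byte stand-in for mbr.bin.
make_sample_disk() {
    dir=$1
    dd if=/dev/zero bs=440 count=1 2>/dev/null | LC_ALL=C tr '\000' '\220' > "$dir/mbr.bin"
    dd if=/dev/zero of="$dir/disk.img" bs=512 count=1 2>/dev/null
    # Same dd invocation as above, aimed at the image instead of /dev/sda.
    dd bs=440 conv=notrunc count=1 if="$dir/mbr.bin" of="$dir/disk.img" 2>/dev/null
    poke "$dir/disk.img" 446 '\200'      # boot flag on partition 1
    poke "$dir/disk.img" 510 '\125\252'  # 55 aa signature
}

demo=$(mktemp -d)
make_sample_disk "$demo"
if check_mbr "$demo/disk.img" "$demo/mbr.bin"; then :; fi
rm -rf "$demo"
```

Against a real disk, run check_mbr as root with /dev/sda and /usr/lib/syslinux/mbr.bin as arguments. On a GPT disk only the boot code comparison (against gptmbr.bin) applies, because the boot flag is replaced by the partition attribute described in the next section.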
<br />
====GUID Partition Table aka GPT====<br />
Main article [[GUID Partition Table]].<br />
<br />
Bit 2 of the attributes for the {{Filename|/boot}} partition needs to be set.<br />
<br />
# sgdisk /dev/sda --attributes=1:set:2<br />
<br />
This sets the ''legacy BIOS bootable'' attribute on partition 1.<br />
<br />
Verify:<br />
# sgdisk /dev/sda --attributes=1:show<br />
1:2:1 (legacy BIOS bootable)<br />
<br />
Install the master boot record:<br />
# dd bs=440 conv=notrunc count=1 if=/usr/lib/syslinux/gptmbr.bin of=/dev/sda<br />
<br />
====Rebooting====<br />
When you reboot your system now, you will have a syslinux prompt. To automatically boot your system or get a boot menu, you still need to create a configuration file.<br />
<br />
== Configuring syslinux ==<br />
The syslinux configuration file, {{Filename|syslinux.cfg}}, should be created in the directory where you installed syslinux, in our case {{Filename|/boot/syslinux/}}.<br />
<br />
The bootloader will look for either {{Filename|syslinux.cfg}} (preferred) or {{Filename| extlinux.conf}}<br />
<br />
'''Tips''':<br />
*Instead of LINUX, the keyword KERNEL can also be used. KERNEL tries to detect the type of the file, while LINUX always expects a Linux kernel.<br />
*TIMEOUT value is in units of 1/10 of a second.<br />
<br />
=== Examples ===<br />
==== Basic Syslinux Config ====<br />
This is a simple configuration file that will show a boot: prompt and automatically boot after 5 seconds.<br />
<br />
Config:<br />
PROMPT 1<br />
TIMEOUT 50<br />
DEFAULT arch<br />
<br />
LABEL arch<br />
LINUX ../vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux.img<br />
<br />
LABEL archfallback<br />
LINUX ../vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-fallback.img<br />
<br />
If you want to boot directly without seeing a prompt, set PROMPT to 0.<br />
<br />
If you want to use [[UUID]] for persistent device naming instead of device names, change:<br />
APPEND root=/dev/sda2 ro<br />
<br />
to:<br />
APPEND root=UUID=<uuid here> ro<br />
<br />
==== Text Boot menu ====<br />
Syslinux also allows you to use a boot menu. To use it, copy the menu COM32 module to your syslinux folder:<br />
# cp /usr/lib/syslinux/menu.c32 /boot/syslinux/<br />
If /boot is in the same partition as /usr, a symlink will also work:<br />
# ln -s /usr/lib/syslinux/menu.c32 /boot/syslinux/<br />
<br />
Config:<br />
UI menu.c32<br />
PROMPT 0<br />
<br />
MENU TITLE Boot Menu<br />
TIMEOUT 50<br />
DEFAULT arch<br />
<br />
LABEL arch<br />
MENU LABEL Arch Linux<br />
LINUX ../vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux.img<br />
<br />
LABEL archfallback<br />
MENU LABEL Arch Linux Fallback<br />
LINUX /vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD /initramfs-linux-fallback.img<br />
<br />
For more details about the menu system, see http://git.kernel.org/?p=boot/syslinux/syslinux.git;a=blob;f=doc/menu.txt.<br />
<br />
==== Graphical Boot menu ====<br />
Syslinux also allows you to use a graphical boot menu. To use it, copy the vesamenu COM32 module to your syslinux folder:<br />
# cp /usr/lib/syslinux/vesamenu.c32 /boot/syslinux/<br />
If {{Filename|/boot}} is the same partition as {{Filename|/}}, a symlink will also work:<br />
# ln -s /usr/lib/syslinux/vesamenu.c32 /boot/syslinux/<br />
<br />
[http://projects.archlinux.org/archiso.git/tree/configs/releng/syslinux This config] uses the same menu design as the Arch Install CD. The background file can be found there too.<br />
<br />
Config:<br />
UI vesamenu.c32<br />
DEFAULT arch<br />
PROMPT 0<br />
MENU TITLE Boot Menu<br />
MENU BACKGROUND splash.png<br />
TIMEOUT 50<br />
<br />
MENU WIDTH 78<br />
MENU MARGIN 4<br />
MENU ROWS 5<br />
MENU VSHIFT 10<br />
MENU TIMEOUTROW 13<br />
MENU TABMSGROW 11<br />
MENU CMDLINEROW 11<br />
MENU HELPMSGROW 16<br />
MENU HELPMSGENDROW 29<br />
<br />
# Refer to http://syslinux.zytor.com/wiki/index.php/Doc/menu<br />
<br />
MENU COLOR border 30;44 #40ffffff #a0000000 std<br />
MENU COLOR title 1;36;44 #9033ccff #a0000000 std<br />
MENU COLOR sel 7;37;40 #e0ffffff #20ffffff all<br />
MENU COLOR unsel 37;44 #50ffffff #a0000000 std<br />
MENU COLOR help 37;40 #c0ffffff #a0000000 std<br />
MENU COLOR timeout_msg 37;40 #80ffffff #00000000 std<br />
MENU COLOR timeout 1;37;40 #c0ffffff #00000000 std<br />
MENU COLOR msg07 37;40 #90ffffff #a0000000 std<br />
MENU COLOR tabmsg 31;40 #30ffffff #00000000 std<br />
<br />
<br />
LABEL arch<br />
MENU LABEL Arch Linux<br />
LINUX ../vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux.img<br />
<br />
<br />
LABEL archfallback<br />
MENU LABEL Arch Linux Fallback<br />
LINUX ../vmlinuz-linux<br />
APPEND root=/dev/sda2 ro<br />
INITRD ../initramfs-linux-fallback.img<br />
<br />
<br />
Since Syslinux 3.84 vesamenu.c32 supports the "MENU RESOLUTION $WIDTH $HEIGHT" directive.<br />
To use it, insert "MENU RESOLUTION 1440 900" into your config for a 1440x900 resolution.<br />
However, the background picture has to have exactly that resolution, as Syslinux will otherwise refuse to load the menu.<br />
<br />
=== Chainloading ===<br />
If you want to chainload other operating systems (such as Windows) or boot loaders, copy (or symlink) the ''chain.c32'' module to the syslinux folder (for details, see the instructions in the previous section). Then, create a section in the configuration file:<br />
<br />
LABEL windows<br />
MENU LABEL Windows<br />
COM32 chain.c32<br />
APPEND hd0 3<br />
<br />
''hd0 3'' is the third partition on the first BIOS drive - drives are counted from zero, but partitions are counted from one. For more details about chainloading, see [http://syslinux.zytor.com/wiki/index.php/Comboot/chain.c32].<br />
<br />
If you have [[grub2]] installed in your boot partition, you can chainload it by using: <br />
<br />
LABEL grub2<br />
MENU LABEL Grub2<br />
COM32 chain.c32<br />
append file=../grub/boot.img<br />
<br />
This may be required for booting from ISO images.<br />
<br />
=== Using memtest ===<br />
Use this LABEL section to launch memtest (install the ''memtest86+'' package):<br />
<br />
LABEL memtest<br />
MENU LABEL Memtest86+<br />
LINUX ../memtest86+/memtest.bin<br />
<br />
=== HDT ===<br />
HDT (Hardware Detection Tool) displays hardware information. As before, the .c32 file has to be copied or symlinked into /boot/syslinux/.<br />
For pci info either copy or symlink {{Filename|/usr/share/hwdata/pci.ids}} to {{Filename|/boot/syslinux/pci.ids}}<br />
<br />
LABEL hdt<br />
MENU LABEL Hardware Info<br />
COM32 hdt.c32<br />
<br />
=== Reboot and power off ===<br />
Use the following sections to reboot or power off your machine.<br />
<br />
LABEL reboot<br />
MENU LABEL Reboot<br />
COM32 reboot.c32<br />
<br />
LABEL poweroff<br />
MENU LABEL Power Off<br />
COMBOOT poweroff.com<br />
=== Clear Menu ===<br />
To clear the screen when exiting the menu, add the following line.<br />
MENU CLEAR<br />
<br />
==Troubleshooting==<br />
===I have a Syslinux Prompt - Yikes!===<br />
You can type in the LABEL name of the entry that you want to boot (as per your syslinux.cfg). If you used the example configs just type<br />
boot: arch<br />
<br />
If you get an error that the config file could not be loaded you can pass your needed boot parameters, e.g.:<br />
boot: ../vmlinuz-linux root=/dev/sda2 ro initrd=../initramfs-linux.img<br />
<br />
If you do not have access to 'boot:' in ramfs, and are therefore temporarily unable to boot the kernel again:<br />
<br />
1) create temp directory, in order to mount your root partition (if it does not exist already)<br />
<br />
mkdir -p /new_root<br />
<br />
2) mount / under /new_root (in case /boot/ is on the same partition, otherwise you will need to mount them both) '''Note: if /boot is on its own ext2 partition then busybox cannot mount it.'''<br />
<br />
mount /dev/sd[a-z][1-9] /new_root<br />
<br />
3) use 'vi' and edit syslinux.cfg again to suit your needs and save file;<br />
<br />
4) reboot<br />
<br />
===No Default or UI found on some computers===<br />
Certain motherboard manufacturers have less compatibility for booting from USB devices than others. While an ext4-formatted USB drive may boot on a more recent computer, some computers may hang if the boot partition containing the kernel and initrd is not a fat16 partition. To prevent an older machine from loading ldlinux and failing to read syslinux.cfg, use cfdisk to create a fat16 partition (<=2GB) and format it with <br />
# pacman -S dosfstools<br />
# mkfs.msdos -F 16 /dev/sda1<br />
then install and configure syslinux.<br />
<br />
===Windows boots up! No Syslinux!===<br />
'''Solution:''' Make sure the partition that contains /boot has the boot flag enabled. Also, make sure the boot flag is not enabled on the Windows partition. See the installation section above.<br />
<br />
The MBR that comes with Syslinux looks for the first active partition, that is, the first one with the boot flag set. The Windows partition was likely found first and had the boot flag set. If you want, you can use the MBR that Windows or MS-DOS fdisk provides instead.<br />
<br />
===Menu Entries do nothing===<br />
You select a menu entry and it does nothing except "refresh" the menu.<br/><br />
This usually means that you have an error in your configuration. Hit {{Keypress| TAB }} to edit your boot parameters. Alternatively, press {{Keypress| ESC}} and type in the LABEL of your boot entry (Example: arch)<br />
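A configuration error of this kind can be caught before rebooting. The following is an added example, not part of the original article or of Syslinux: a small static check that reports a DEFAULT pointing at a non-existent LABEL and any UI, LINUX, KERNEL, COM32 or INITRD file that is missing. The function names are hypothetical. Paths beginning with / are resolved against the root of the file system Syslinux is installed on, which is assumed to be the parent of the configuration directory unless given as second argument. The sample tree is constructed.

```shell
#!/bin/sh
# Added example: static check of a syslinux.cfg before rebooting.

# lint_syslinux_cfg CFG [FSROOT]
#   FSROOT is an assumption: root of the file system Syslinux is installed on,
#   by default the parent of the directory holding CFG (/boot for
#   /boot/syslinux/syslinux.cfg when /boot is a separate partition).
# Prints one line per problem and returns 1 if any were found.
lint_syslinux_cfg() {
    cfg=$1
    cfgdir=$(dirname "$cfg")
    fsroot=${2:-$cfgdir/..}
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    problems=$(
        awk '
            /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
            {
                kw = toupper($1)             # keywords are case-insensitive
                owner = (cur == "" ? "(global)" : cur)
                if (kw == "DEFAULT")    def = $2
                else if (kw == "UI")    { ui = 1; print "file", "UI", $2 }
                else if (kw == "LABEL") { cur = $2; labels[cur] = 1 }
                else if (kw == "LINUX" || kw == "KERNEL" || kw == "COM32")
                    print "file", owner, $2
                else if (kw == "INITRD") {
                    n = split($2, f, ",")    # INITRD may list several files
                    for (i = 1; i <= n; i++) print "file", owner, f[i]
                }
            }
            END {
                if (def == "" && !ui) print "nodefault"
                else if (def != "" && !(def in labels)) print "badlabel", def
            }
        ' "$cfg" | while read -r kind owner path; do
            case $kind in
                (nodefault) echo "no DEFAULT or UI directive" ;;
                (badlabel)  echo "DEFAULT $owner: no such LABEL" ;;
                (file)
                    case $path in
                        (/*) file=$fsroot$path ;;
                        (*)  file=$cfgdir/$path ;;
                    esac
                    [ -e "$file" ] || echo "$owner: $path not found" ;;
            esac
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample tree (not a real /boot): a text-menu configuration with
# DEFAULT mistyped, menu.c32 never copied and the fallback initramfs missing.
make_sample_boot() {
    root=$1
    mkdir -p "$root/syslinux"
    : > "$root/vmlinuz-linux"
    : > "$root/initramfs-linux.img"
    cat > "$root/syslinux/syslinux.cfg" <<'EOF'
UI menu.c32
PROMPT 0
TIMEOUT 50
DEFAULT archlinux

LABEL arch
    MENU LABEL Arch Linux
    LINUX ../vmlinuz-linux
    APPEND root=/dev/sda2 ro
    INITRD ../initramfs-linux.img

LABEL archfallback
    MENU LABEL Arch Linux Fallback
    LINUX /vmlinuz-linux
    APPEND root=/dev/sda2 ro
    INITRD /initramfs-linux-fallback.img
EOF
}

demo=$(mktemp -d)
make_sample_boot "$demo"
lint_syslinux_cfg "$demo/syslinux/syslinux.cfg" || true
rm -rf "$demo"
```

If /boot is a directory on the root file system rather than a separate partition, pass / as the second argument so that absolute paths such as /vmlinuz-linux are resolved the way Syslinux would resolve them.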
<br />
===Cannot remove ldlinux.sys===<br />
ldlinux.sys has the immutable attribute set which prevents the file from being deleted or overwritten. This is because the sector location of the file must not change or else syslinux has to be reinstalled.<br />
To remove: <br />
chattr -i /boot/syslinux/ldlinux.sys<br />
rm /boot/syslinux/ldlinux.sys<br />
<br />
===A white block on the upper left corner appears when a kernel is loaded with modesetting on in early stage and when using vesamenu===<br />
'''Brain0''' said: ''As of linux-3.0, the modesetting driver tries to keep the current contents of the screen after changing the resolution (at least it does so with my intel, when having syslinux in text mode). It seems that this goes wrong when combined with the vesamenu module in syslinux (the white block is actually an attempt to keep the syslinux menu, but the driver fails to capture the picture from vesa graphics mode).''<br />
<br />
If you have a custom resolution and a vesamenu, with early modesetting try to append the following in the '''kernel line''' in syslinux.cfg to remove the white block and continue in graphics mode:<br />
<br />
APPEND root=/dev/sda6 ro 5 radeon.modeset=1 '''vga=current''' logo.nologo quiet splash<br />
<br />
== External link ==<br />
* [http://syslinux.zytor.com/ The Syslinux Project]'s website.</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Browser_plugins&diff=171466Browser plugins2011-11-28T20:02:33Z<p>Jjacky: /* Black bars in fullscreen video playback on multiheaded desktops */</p>
<hr />
<div>{{i18n|Browser Plugins}}<br />
[[Category:Web Browser (English)]]<br />
<br />
[[fr:Plugins navigateur]]<br />
These plugins work in [[Firefox]], [[Opera]] and WebKit derivatives. <!-- Chrome? --><br />
<br />
==Flash Player==<br />
<br />
===Adobe Flash Player===<br />
<br />
Flash Player is in the [[Official Repositories|official repositories]] for both i686 and x86_64 architectures: {{Pkg|flashplugin}}<br />
<br />
====Epiphany====<br />
Note that for {{Pkg|Epiphany}}, you have to wrap Adobe Flash Player in the same fashion as described for x86_64. See [[Epiphany#Flash]] for more details.<br />
<br />
====Misc====<br />
In addition, it may be necessary to install {{AUR|ttf-ms-fonts}} from the [[AUR]] in order to properly render text.<br />
<br />
====Configuration====<br />
<!-- Change this heading to Flash configuration once more than one plugin needs a similar section --><br />
To change general plug-in preferences (privacy settings, resource usage, etc.), right click on embedded Flash content and choose preferences from the menu, or go to the [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html Macromedia website]. There, a Flash animation will give access to local settings.<br />
<br />
You can create your own settings file for Flash at {{ic|/etc/adobe/mms.cfg}}. Example configuration:<br />
# Adobe player settings<br />
AVHardwareDisable = 0<br />
FullScreenDisable = 0<br />
LocalFileReadDisable = 1<br />
FileDownloadDisable = 1<br />
FileUploadDisable = 1<br />
LocalStorageLimit = 1<br />
ThirdPartyStorage = 1<br />
AssetCacheSize = 10<br />
AutoUpdateDisable = 1<br />
LegacyDomainMatching = 0<br />
LocalFileLegacyAction = 0<br />
AllowUserLocalTrust = 0<br />
# DisableSockets = 1 <br />
OverrideGPUValidation = 1<br />
<br />
You can also refer to the [http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-plugins/adobe-flash/files/mms.cfg mms.cfg from Gentoo], which is extensively commented.<br />
<br />
====Flash leaks on other pages with a Nvidia card====<br />
<br />
If Flash animations "leak" on other webpages with {{Pkg|chromium}} or {{Pkg|firefox}}, you can try to turn off hardware acceleration in the {{ic|/etc/adobe/mms.cfg}} file and/or in the Flash parameters dialogue. See [https://bugs.archlinux.org/task/22878 https://bugs.archlinux.org/task/22878].<br />
<br />
==PDF viewer==<br />
<br />
===Evince===<br />
If you want to view PDF files in [[Firefox]] without opening a new window, follow this guide: https://wiki.archlinux.org/index.php/Firefox_Tips_and_Tweaks#Viewing_PDF.2FPS_inside_Firefox<br />
<br />
===Adobe Reader===<br />
Due to licensing restrictions, Adobe Reader cannot be distributed from any of the official Arch Linux repositories. There are versions available in the [[AUR]]. Please note that no matter how many votes it receives, Adobe Reader will never be included in the [[Official Repositories|official repositories]]. See this [http://aur.archlinux.org/packages.php?ID=16980 comment] for an explanation.<br />
<br />
Also, there are [http://aur.archlinux.org/packages.php?O=0&K=acroread-&do_Search=Go localizations] available in many languages.<br />
<br />
====32-bit====<br />
32-bit AUR package: {{AUR|acroread}}<br />
<br />
It installs the Acrobat Reader application as well as the Firefox plugin. Note that hardware-assisted rendering is unavailable under Linux (at least using a Geforce 8600GTS with driver version 185.18.14).<br />
<br />
It can also be installed from a repository. Edit {{ic|/etc/pacman.conf}} and add these lines:<br />
[archlinuxfr]<br />
Server = http://repo.archlinux.fr/i686<br />
<br />
This repository also provides playonlinux and other applications; browse it to see them. After that, run:<br />
# pacman -S acroread<br />
<br />
====64-bit====<br />
Adobe Reader is a closed-source application, meaning that users desiring a 64-bit binary have no choice other than to wait for official support. Workarounds to be considered:<br />
<br />
* Follow [[Install bundled 32-bit system in Arch64|this guide]] originally posted in the forums. It involves creating a chrooted environment that could be reused for other 32-bit only applications.<br />
<br />
* Or, simply get the 32-bit binary along with the 32-bit dependencies. Install {{AUR|bin32-acroread}}. Also, consider installing the extra font packages suggested by the package. Be advised that the [[Firefox]] plugin cannot be used ''directly'' with this binary -- it will not load in the 64-bit browser. {{AUR|nspluginwrapper-flash}} is required to load the plugin. Finally, be sure to run:<br />
$ nspluginwrapper -v -a -i<br />
as a '''normal user'''. This checks the plugin directory and links the plugins as needed. Everything should work as expected now.<br />
<br />
{{Note|There seems to also be a {{Pkg|nspluginwrapper}} in the [[Official Repositories|official repositories]] which may be the new way to go.}}<br />
<br />
==Citrix==<br />
See: [[Citrix]]<br />
<br />
== Java ==<br />
<br />
=== IcedTea ===<br />
<br />
Provided by {{Pkg|openjdk6}} and {{Pkg|icedtea-web}} from the [[Official Repositories|official repositories]].<br />
<br />
=== Weird symlink ===<br />
Either [[Java]] package contains the Java run-time environment as well as the fitting browser-plugin.<br />
The recommended Java package is {{Pkg|openjdk6}}, or you could install Oracle's proprietary version of Java -- {{AUR|jre}} -- from the [[AUR]].<br />
<br />
Keep in mind that the open-source and closed-source versions cannot be installed simultaneously. The open-source version is nearly perfect at the time of writing, and there is mostly no need anymore to install Oracle's proprietary version of Java.<br />
<br />
{{Note|The section below is likely outdated.}}<br />
<br />
But if you want to, since {{Pkg|firefox}} v3.6 does not seem to look in {{ic|/usr/lib/mozilla/plugins}}, which is the default location where {{AUR|jre}} v1.6.0_22 places the Java plugin, just<br />
# ln -s /opt/java/jre/lib/i386/libnpjp2.so ~/mozilla/plugins/libnpjp2.so<br />
and it is safe to<br />
# rm -R /usr/lib/mozilla<br />
unless you use it for something else! Be careful here.<br />
<br />
==Video Plugins==<br />
<br />
===Gecko Media Player===<br />
A good replacement for the now obsolete mplayer-plugin is [http://code.google.com/p/gecko-mediaplayer/ Gecko Media Player], packaged as {{Pkg|gecko-mediaplayer}}. It is more stable when combined with MPlayer 1.0RC2 (no more crashes with Apple Trailers).<br />
<br />
===Totem Plugin===<br />
The {{Pkg|totem-plugin}} might be the right choice for those seeking a [[GStreamer]]-based plugin.<br />
<br />
==Other==<br />
<br />
===Mozplugger===<br />
{{Stub}}<br />
Install {{AUR|mozplugger}} through the [[AUR]].<br />
<br />
==Troubleshooting==<br />
===Flash blocks sound and/or delayed playback===<br />
If sound is delayed within flash video and/or if Flash stops sound from any other application, then make sure you do not have {{ic|snd_pcm_oss}} module loaded:<br />
$ lsmod | grep snd_pcm_oss<br />
You can unload it<br />
# rmmod snd_pcm_oss<br />
and restart the browser to see if it helps.<br />
<br />
===No sound in Flash===<br />
Flash Player outputs its sound only through the default ALSA device, which is number 0. If you have multiple sound devices (a very common example is having a sound card and HDMI output in video card), then your preferred device may have a different number.<br />
For example:<br />
$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Generic [HD-Audio Generic], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 0: Multichannel [Multichannel]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 1: Digital [Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
In this case, HDMI output is "card 0" and sound card is "card 1". To make it default for ALSA, create a file named {{ic|~/.asoundrc}} with the following content:<br />
pcm.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
ctl.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
===Flash performance===<br />
Adobe's Flash plugin has some serious performance issues, especially when CPU frequency scaling is used. There seems to be a policy not to use the whole CPU workload, so the frequency scaling governor does not clock the CPU any higher. To work around this issue, see: [[cpufrequtils#Changing the ondemand governor's threshold]]<br />
<br />
===Plugins are installed but not working===<br />
A common problem is that the plugin path is unset. This typically occurs on a new install, when the user has not re-logged in before running Firefox after the installation. Test if the path is unset:<br />
echo $MOZ_PLUGIN_PATH<br />
If unset, then either re-login, or source {{ic|/etc/profile.d/mozilla-common.sh}} and start Firefox from the same shell:<br />
. /etc/profile.d/mozilla-common.sh && firefox<br />
<br />
===Gecko Media Player will not play Apple trailers===<br />
If Apple Trailers appear to start to play and then fail, try setting the user agent for your browser to:<br />
QuickTime/7.6.2 (qtver=7.6.2;os=Windows NT 5.1Service Pack 3)<br />
<br />
===Low webcam resolution in Flash===<br />
If your webcam has low resolution in Flash (the image looks very pixelated) you can try starting your browser with this:<br />
LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so chromium<br />
<br />
===Black bars in fullscreen video playback on multiheaded desktops===<br />
<br />
The Flash plugin has a known bug where full screen mode does not work properly on a multi-monitor setup. Apparently it incorrectly determines the fullscreen resolution, so the video fills the correct monitor but gets scaled as if the monitor had the resolution of the total display area.<br />
<br />
To fix this, you can use the "hack" described [http://al.robotfuzz.com/content/workaround-fullscreen-flash-linux-multiheaded-desktops here]. Simply download the file linked and follow instructions from the README.<br />
<br />
Note that while the author mentions using nvidia twinview, this actually applies regardless.</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Browser_plugins&diff=171465Browser plugins2011-11-28T20:01:48Z<p>Jjacky: Undo revision 171464 by Jjacky (talk)</p>
<hr />
<div>{{i18n|Browser Plugins}}<br />
[[Category:Web Browser (English)]]<br />
<br />
[[fr:Plugins navigateur]]<br />
These plugins work in [[Firefox]], [[Opera]] and WebKit derivatives. <!-- Chrome? --><br />
<br />
==Flash Player==<br />
<br />
===Adobe Flash Player===<br />
<br />
Flash Player is in the [[Official Repositories|official repositories]] for both i686 and x86_64 architectures: {{Pkg|flashplugin}}<br />
<br />
====Epiphany====<br />
Note that for {{Pkg|Epiphany}}, you have to wrap Adobe Flash Player in the same fashion as described for x86_64. See [[Epiphany#Flash]] for more details.<br />
<br />
====Misc====<br />
In addition, it may be necessary to install {{AUR|ttf-ms-fonts}} from the [[AUR]] in order to properly render text.<br />
<br />
====Configuration====<br />
<!-- Change this heading to Flash configuration once more than one plugin needs a similar section --><br />
To change general plug-in preferences (privacy settings, resource usage, etc.), right click on embedded Flash content and choose preferences from the menu, or go to the [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html Macromedia website]. There, a Flash animation will give access to local settings.<br />
<br />
You can create your own settings file for Flash at {{ic|/etc/adobe/mms.cfg}}. Example configuration:<br />
# Adobe player settings<br />
AVHardwareDisable = 0<br />
FullScreenDisable = 0<br />
LocalFileReadDisable = 1<br />
FileDownloadDisable = 1<br />
FileUploadDisable = 1<br />
LocalStorageLimit = 1<br />
ThirdPartyStorage = 1<br />
AssetCacheSize = 10<br />
AutoUpdateDisable = 1<br />
LegacyDomainMatching = 0<br />
LocalFileLegacyAction = 0<br />
AllowUserLocalTrust = 0<br />
# DisableSockets = 1 <br />
OverrideGPUValidation = 1<br />
<br />
You can also refer to the [http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-plugins/adobe-flash/files/mms.cfg mms.cfg from Gentoo], which is extensively commented.<br />
<br />
====Flash leaks on other pages with a Nvidia card====<br />
<br />
If Flash animations "leak" on other webpages with {{Pkg|chromium}} or {{Pkg|firefox}}, you can try to turn off hardware acceleration in the {{ic|/etc/adobe/mms.cfg}} file and/or in the Flash parameters dialogue. See [https://bugs.archlinux.org/task/22878 https://bugs.archlinux.org/task/22878].<br />
<br />
==PDF viewer==<br />
<br />
===Evince===<br />
If you want to view PDF files in [[Firefox]] without opening a new window, follow this guide: https://wiki.archlinux.org/index.php/Firefox_Tips_and_Tweaks#Viewing_PDF.2FPS_inside_Firefox<br />
<br />
===Adobe Reader===<br />
Due to licensing restrictions, Adobe Reader cannot be distributed from any of the official Arch Linux repositories. There are versions available in the [[AUR]]. Please note that no matter how many votes it receives, Adobe Reader will never be included in the [[Official Repositories|official repositories]]. See this [http://aur.archlinux.org/packages.php?ID=16980 comment] for an explanation.<br />
<br />
Also, there are [http://aur.archlinux.org/packages.php?O=0&K=acroread-&do_Search=Go localizations] available in many languages.<br />
<br />
====32-bit====<br />
32-bit AUR package: {{AUR|acroread}}<br />
<br />
It installs the Acrobat Reader application as well as the Firefox plugin. Note that hardware-assisted rendering is unavailable under Linux (at least using a Geforce 8600GTS with driver version 185.18.14).<br />
<br />
It can also be installed from a repository: edit {{ic|/etc/pacman.conf}} and add these lines:<br />
[archlinuxfr]<br />
Server = http://repo.archlinux.fr/i686<br />
<br />
This repository also provides playonlinux and other applications. After that, run:<br />
# pacman -S acroread<br />
<br />
====64-bit====<br />
Adobe Reader is a closed-source application, meaning that users who want a 64-bit binary have no choice but to wait for official support. Workarounds to be considered:<br />
<br />
* Follow [[Install bundled 32-bit system in Arch64|this guide]] originally posted in the forums. It involves creating a chrooted environment that could be reused for other 32-bit only applications.<br />
<br />
* Or, simply get the 32-bit binary along with the 32-bit dependencies. Install {{AUR|bin32-acroread}}. Also, consider installing the extra font packages suggested by the package. Be advised that the [[Firefox]] plugin cannot be used ''directly'' with this binary -- it will not load in the 64-bit browser. {{AUR|nspluginwrapper-flash}} is required to load the plugin. Finally, be sure to run:<br />
$ nspluginwrapper -v -a -i<br />
as a '''normal user'''. This checks the plugin directory and links the plugins as needed. Everything should work as expected now.<br />
<br />
{{Note|There seems to also be a {{Pkg|nspluginwrapper}} in the [[Official Repositories|official repositories]] which may be the new way to go.}}<br />
<br />
==Citrix==<br />
See: [[Citrix]]<br />
<br />
== Java ==<br />
<br />
=== IcedTea ===<br />
<br />
Provided by {{Pkg|openjdk6}} and {{Pkg|icedtea-web}} from the [[Official Repositories|official repositories]].<br />
<br />
=== Weird symlink ===<br />
Either [[Java]] package contains the Java run-time environment as well as the fitting browser-plugin.<br />
The recommended Java package is {{Pkg|openjdk6}}, or you could install Oracle's proprietary version of Java -- {{AUR|jre}} -- from the [[AUR]].<br />
<br />
Keep in mind that the open-source and closed-source versions cannot be installed simultaneously. The open-source version is nearly perfect at the time of writing, and there is mostly no need anymore to install Oracle's proprietary version of Java.<br />
<br />
{{Note|The section below is likely outdated.}}<br />
<br />
But if you want to, since {{Pkg|firefox}} v3.6 does not seem to look in {{ic|/usr/lib/mozilla/plugins}}, which is the default location where {{AUR|jre}} v1.6.0_22 places the Java plugin, just<br />
$ ln -s /opt/java/jre/lib/i386/libnpjp2.so ~/.mozilla/plugins/libnpjp2.so<br />
and it is safe to<br />
# rm -R /usr/lib/mozilla<br />
unless you use it for something else! Be careful here.<br />
<br />
==Video Plugins==<br />
<br />
===Gecko Media Player===<br />
A good replacement for the now-obsolete mplayer-plugin is [http://code.google.com/p/gecko-mediaplayer/ Gecko Media Player], packaged as {{Pkg|gecko-mediaplayer}}. It is more stable when combined with MPlayer 1.0RC2 (no more crashes with Apple Trailers).<br />
<br />
===Totem Plugin===<br />
The {{Pkg|totem-plugin}} might be the right choice for those seeking a [[GStreamer]]-based plugin.<br />
<br />
==Other==<br />
<br />
===Mozplugger===<br />
{{Stub}}<br />
Install {{AUR|mozplugger}} through the [[AUR]].<br />
<br />
==Troubleshooting==<br />
===Flash blocks sound and/or delayed playback===<br />
If sound is delayed within Flash video and/or if Flash stops sound from any other application, make sure you do not have the {{ic|snd_pcm_oss}} module loaded:<br />
$ lsmod | grep snd_pcm_oss<br />
If it is loaded, you can unload it with<br />
# rmmod snd_pcm_oss<br />
and restart the browser to see if it helps.<br />
<br />
===No sound in Flash===<br />
Flash Player outputs its sound only through the default ALSA device, which is number 0. If you have multiple sound devices (a very common example is having a sound card and an HDMI output on the video card), then your preferred device may have a different number.<br />
For example:<br />
$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Generic [HD-Audio Generic], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 0: Multichannel [Multichannel]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 1: Digital [Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
In this case, the HDMI output is "card 0" and the sound card is "card 1". To make the sound card the default for ALSA, create a file named {{ic|~/.asoundrc}} with the following content:<br />
pcm.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
ctl.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
===Flash performance===<br />
Adobe's Flash plugin has some serious performance issues, especially when CPU frequency scaling is used. There seems to be a policy not to use the whole CPU workload, so the frequency scaling governor does not clock the CPU any higher. To work around this issue, see: [[cpufrequtils#Changing the ondemand governor's threshold]]<br />
<br />
===Plugins are installed but not working===<br />
A common problem is that the plugin path is unset. This typically occurs on a new install, when the user has not re-logged in before running Firefox after the installation. Test if the path is unset:<br />
echo $MOZ_PLUGIN_PATH<br />
If unset, then either re-login, or source {{ic|/etc/profile.d/mozilla-common.sh}} and start Firefox from the same shell:<br />
. /etc/profile.d/mozilla-common.sh && firefox<br />
<br />
===Gecko Media Player will not play Apple trailers===<br />
If Apple Trailers appear to start to play and then fail, try setting the user agent for your browser to:<br />
QuickTime/7.6.2 (qtver=7.6.2;os=Windows NT 5.1Service Pack 3)<br />
<br />
===Low webcam resolution in Flash===<br />
If your webcam has low resolution in Flash (the image looks very pixelated) you can try starting your browser with this:<br />
LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so chromium<br />
<br />
===Black bars in fullscreen video playback on multiheaded desktops===<br />
Follow the instructions on this page: [http://al.robotfuzz.com/content/workaround-fullscreen-flash-linux-multiheaded-desktops link]</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Browser_plugins&diff=171464Browser plugins2011-11-28T20:00:06Z<p>Jjacky: /* Flash Player */</p>
<hr />
<div>{{i18n|Browser Plugins}}<br />
[[Category:Web Browser (English)]]<br />
<br />
[[fr:Plugins navigateur]]<br />
These plugins work in [[Firefox]], [[Opera]] and WebKit derivatives. <!-- Chrome? --><br />
<br />
==Flash Player==<br />
<br />
===Adobe Flash Player===<br />
<br />
Flash Player is in the [[Official Repositories|official repositories]] for both i686 and x86_64 architectures: {{Pkg|flashplugin}}<br />
<br />
====Epiphany====<br />
Note that for {{Pkg|Epiphany}}, you have to wrap Adobe Flash Player in the same fashion as described for x86_64. See [[Epiphany#Flash]] for more details.<br />
<br />
====Misc====<br />
In addition, you may need to install {{AUR|ttf-ms-fonts}} from the [[AUR]] in order to render text properly.<br />
<br />
====Configuration====<br />
<!-- Change this heading to Flash configuration once more than one plugin needs a similar section --><br />
To change general plug-in preferences (privacy settings, resource usage, etc.), right click on embedded Flash content and choose preferences from the menu, or go to the [http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html Macromedia website]. There, a Flash animation will give access to local settings.<br />
<br />
You can create your own Flash settings file at {{ic|/etc/adobe/mms.cfg}}. Example configuration:<br />
# Adobe player settings<br />
AVHardwareDisable = 0<br />
FullScreenDisable = 0<br />
LocalFileReadDisable = 1<br />
FileDownloadDisable = 1<br />
FileUploadDisable = 1<br />
LocalStorageLimit = 1<br />
ThirdPartyStorage = 1<br />
AssetCacheSize = 10<br />
AutoUpdateDisable = 1<br />
LegacyDomainMatching = 0<br />
LocalFileLegacyAction = 0<br />
AllowUserLocalTrust = 0<br />
# DisableSockets = 1 <br />
OverrideGPUValidation = 1<br />
<br />
You can also refer to the [http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-plugins/adobe-flash/files/mms.cfg mms.cfg from Gentoo], which is extensively commented.<br />
<br />
====Flash leaks on other pages with a Nvidia card====<br />
<br />
If Flash animations "leak" on other webpages with {{Pkg|chromium}} or {{Pkg|firefox}}, you can try to turn off hardware acceleration in the {{ic|/etc/adobe/mms.cfg}} file and/or in the Flash parameters dialogue. See [https://bugs.archlinux.org/task/22878 https://bugs.archlinux.org/task/22878].<br />
<br />
====Black Bars while watching full screen flash videos (multihead)====<br />
<br />
The Flash plugin has a known bug where full screen mode does not work properly on a multi-monitor setup. Apparently it incorrectly determines the fullscreen resolution, so the video fills the correct monitor but gets scaled as if the monitor had the resolution of the total display area.<br />
<br />
To fix this, you can use the "hack" described [http://al.robotfuzz.com/content/workaround-fullscreen-flash-linux-multiheaded-desktops here]. Simply download the file linked and follow instructions from the README.<br />
<br />
Note that while the author mentions using nvidia twinview, this actually applies regardless.<br />
<br />
==PDF viewer==<br />
<br />
===Evince===<br />
If you want to view PDF files in [[Firefox]] without opening a new window, follow this guide: https://wiki.archlinux.org/index.php/Firefox_Tips_and_Tweaks#Viewing_PDF.2FPS_inside_Firefox<br />
<br />
===Adobe Reader===<br />
Due to licensing restrictions, Adobe Reader cannot be distributed from any of the official Arch Linux repositories. There are versions available in the [[AUR]]. Please note that no matter how many votes it receives, Adobe Reader will never be included in the [[Official Repositories|official repositories]]. See this [http://aur.archlinux.org/packages.php?ID=16980 comment] for an explanation.<br />
<br />
Also, there are [http://aur.archlinux.org/packages.php?O=0&K=acroread-&do_Search=Go localizations] available in many languages.<br />
<br />
====32-bit====<br />
32-bit AUR package: {{AUR|acroread}}<br />
<br />
It installs the Acrobat Reader application as well as the Firefox plugin. Note that hardware-assisted rendering is unavailable under Linux (at least using a Geforce 8600GTS with driver version 185.18.14).<br />
<br />
It can also be installed from a repository: edit {{ic|/etc/pacman.conf}} and add these lines:<br />
[archlinuxfr]<br />
Server = http://repo.archlinux.fr/i686<br />
<br />
This repository also provides playonlinux and other applications. After that, run:<br />
# pacman -S acroread<br />
<br />
====64-bit====<br />
Adobe Reader is a closed-source application, meaning that users who want a 64-bit binary have no choice but to wait for official support. Workarounds to be considered:<br />
<br />
* Follow [[Install bundled 32-bit system in Arch64|this guide]] originally posted in the forums. It involves creating a chrooted environment that could be reused for other 32-bit only applications.<br />
<br />
* Or, simply get the 32-bit binary along with the 32-bit dependencies. Install {{AUR|bin32-acroread}}. Also, consider installing the extra font packages suggested by the package. Be advised that the [[Firefox]] plugin cannot be used ''directly'' with this binary -- it will not load in the 64-bit browser. {{AUR|nspluginwrapper-flash}} is required to load the plugin. Finally, be sure to run:<br />
$ nspluginwrapper -v -a -i<br />
as a '''normal user'''. This checks the plugin directory and links the plugins as needed. Everything should work as expected now.<br />
<br />
{{Note|There seems to also be a {{Pkg|nspluginwrapper}} in the [[Official Repositories|official repositories]] which may be the new way to go.}}<br />
<br />
==Citrix==<br />
See: [[Citrix]]<br />
<br />
== Java ==<br />
<br />
=== IcedTea ===<br />
<br />
Provided by {{Pkg|openjdk6}} and {{Pkg|icedtea-web}} from the [[Official Repositories|official repositories]].<br />
<br />
=== Weird symlink ===<br />
Either [[Java]] package contains the Java run-time environment as well as the fitting browser-plugin.<br />
The recommended Java package is {{Pkg|openjdk6}}, or you could install Oracle's proprietary version of Java -- {{AUR|jre}} -- from the [[AUR]].<br />
<br />
Keep in mind that the open-source and closed-source versions cannot be installed simultaneously. The open-source version is nearly perfect at the time of writing, and there is mostly no need anymore to install Oracle's proprietary version of Java.<br />
<br />
{{Note|The section below is likely outdated.}}<br />
<br />
But if you want to, since {{Pkg|firefox}} v3.6 does not seem to look in {{ic|/usr/lib/mozilla/plugins}}, which is the default location where {{AUR|jre}} v1.6.0_22 places the Java plugin, just<br />
$ ln -s /opt/java/jre/lib/i386/libnpjp2.so ~/.mozilla/plugins/libnpjp2.so<br />
and it is safe to<br />
# rm -R /usr/lib/mozilla<br />
unless you use it for something else! Be careful here.<br />
<br />
==Video Plugins==<br />
<br />
===Gecko Media Player===<br />
A good replacement for the now-obsolete mplayer-plugin is [http://code.google.com/p/gecko-mediaplayer/ Gecko Media Player], packaged as {{Pkg|gecko-mediaplayer}}. It is more stable when combined with MPlayer 1.0RC2 (no more crashes with Apple Trailers).<br />
<br />
===Totem Plugin===<br />
The {{Pkg|totem-plugin}} might be the right choice for those seeking a [[GStreamer]]-based plugin.<br />
<br />
==Other==<br />
<br />
===Mozplugger===<br />
{{Stub}}<br />
Install {{AUR|mozplugger}} through the [[AUR]].<br />
<br />
==Troubleshooting==<br />
===Flash blocks sound and/or delayed playback===<br />
If sound is delayed within Flash video and/or if Flash stops sound from any other application, make sure you do not have the {{ic|snd_pcm_oss}} module loaded:<br />
$ lsmod | grep snd_pcm_oss<br />
If it is loaded, you can unload it with<br />
# rmmod snd_pcm_oss<br />
and restart the browser to see if it helps.<br />
<br />
===No sound in Flash===<br />
Flash Player outputs its sound only through the default ALSA device, which is number 0. If you have multiple sound devices (a very common example is having a sound card and an HDMI output on the video card), then your preferred device may have a different number.<br />
For example:<br />
$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Generic [HD-Audio Generic], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 0: Multichannel [Multichannel]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: DX [Xonar DX], device 1: Digital [Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
In this case, the HDMI output is "card 0" and the sound card is "card 1". To make the sound card the default for ALSA, create a file named {{ic|~/.asoundrc}} with the following content:<br />
pcm.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
ctl.!default {<br />
type hw<br />
card 1<br />
}<br />
<br />
===Flash performance===<br />
Adobe's Flash plugin has some serious performance issues, especially when CPU frequency scaling is used. There seems to be a policy not to use the whole CPU workload, so the frequency scaling governor does not clock the CPU any higher. To work around this issue, see: [[cpufrequtils#Changing the ondemand governor's threshold]]<br />
<br />
===Plugins are installed but not working===<br />
A common problem is that the plugin path is unset. This typically occurs on a new install, when the user has not re-logged in before running Firefox after the installation. Test if the path is unset:<br />
echo $MOZ_PLUGIN_PATH<br />
If unset, then either re-login, or source {{ic|/etc/profile.d/mozilla-common.sh}} and start Firefox from the same shell:<br />
. /etc/profile.d/mozilla-common.sh && firefox<br />
<br />
===Gecko Media Player will not play Apple trailers===<br />
If Apple Trailers appear to start to play and then fail, try setting the user agent for your browser to:<br />
QuickTime/7.6.2 (qtver=7.6.2;os=Windows NT 5.1Service Pack 3)<br />
<br />
===Low webcam resolution in Flash===<br />
If your webcam has low resolution in Flash (the image looks very pixelated) you can try starting your browser with this:<br />
LD_PRELOAD=/usr/lib/libv4l/v4l1compat.so chromium<br />
<br />
===Black bars in fullscreen video playback on multiheaded desktops===<br />
Follow the instructions on this page: [http://al.robotfuzz.com/content/workaround-fullscreen-flash-linux-multiheaded-desktops link]</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Dm-crypt&diff=169346Dm-crypt2011-11-09T18:21:45Z<p>Jjacky: /* Backup the cryptheader */</p>
<hr />
<div>[[Category:Security (English)]]<br />
[[Category:File systems (English)]]<br />
{{i18n|System Encryption with LUKS for dm-crypt}}<br />
{{Article summary start}}<br />
{{Article summary text|This tutorial will show you how to set up system encryption with LUKS for dm-crypt.}}<br />
{{Article summary end}}<br />
<br />
== Introduction ==<br />
=== Why Use Encryption? ===<br />
<br />
In the simplest terms, encryption is a method for establishing privacy.<br />
<br />
There are presently two approaches to partition-level encryption: '''data encryption''' and '''system encryption'''.<br />
<br />
'''Data encryption''', defined as encrypting a user's data, provides many benefits, including:<br />
<br />
::*Preventing unauthorized physical access to private data.<br />
::*Some confidence in data disposal when discarding obsolete systems.<br />
<br />
However, data encryption alone has some significant drawbacks. In modern computing systems, there are many background processes that may store information about encrypted data, or parts of the encrypted data itself, in non-encrypted areas of the hard drive, thus reducing the effectiveness of any data encryption system in place.<br />
<br />
'''System encryption''', defined as the encryption of the operating system and user data, helps to address some of the inadequacies of data encryption. The benefits of system encryption over data encryption alone include:<br />
<br />
::*Preventing unauthorized physical access to operating system files<br />
::*Preventing unauthorized physical access to private data that may be cached by the system.<br />
<br />
In the context of overall system security, system encryption should be viewed as an adjunct to the existing security mechanisms of the operating system, one that focuses on physical attempts to breach system security, which include:<br />
<br />
::*Attempts to bypass the operating system by inserting a boot CD/USB<br />
::*Copying, modifying, or removing the hard disk drives when the computer is off<br />
<br />
Despite the use of system encryption, there are still points of physical insecurity. These issues revolve around the {{ic|/boot}} partition which must remain unencrypted in order for the machine to properly boot. However, system encryption is presently the best way to minimize the loss of data privacy by physical attempts at invasion.<br />
<br />
{{Warning|Any encryption method employed is only as good as its associated key management. Partition level encryption does not protect you from all forms of security compromise. There are ways to break into computers while they are powered on that are unaffected by disk level encryption. Read the [[System Encryption with LUKS for dm-crypt#Caveats | caveats]] section below!}}<br />
<br />
=== What Methods are Available for System Encryption? ===<br />
<br />
There are multiple current methods that can be employed for system encryption, including:<br />
<br />
;loop-AES ([http://loop-aes.sourceforge.net/ loop-AES]):loop-AES is a descendant of cryptoloop and is a secure and fast solution to system encryption.<br />
:However loop-AES is considered less user-friendly than other options as it requires non-standard kernel support.<br />
<br />
;standard device-mapper encryption ([http://www.saout.de/misc/dm-crypt/ dm-crypt]):This is the standard device mapper, which can be used by those who like to have control over all aspects of partition management.<br />
<br />
;LUKS for dm-crypt ([http://code.google.com/p/cryptsetup/ LUKS]):LUKS stores all of the needed setup information for dm-crypt on the disk itself and abstracts partition and key management in an attempt to improve ease of use.<br />
<br />
:Briefly, some key features that LUKS provides include:<br />
<br />
::*Support for either passphrase or keyfiles as encryption keys<br />
::*Per partition key creation and revocation<br />
::*Multiple passphrases or keyfiles for a particular partition<br />
<br />
=== Caveats ===<br />
<br />
For any type of encryption the security of your privacy is dependent on two things:<br />
<br />
::*The complexity/availability of your key (see [[Wikipedia:Kerckhoffs's principle]])<br />
::*The usage of a proven encryption algorithm<br />
<br />
====Key Complexity and Availability====<br />
<br />
The user-provided key used for encryption, whether a passphrase or a keyfile, must be complex enough that it is not easy to guess. Having a strong encryption algorithm does nothing to provide privacy if the key used for encryption is too simple. The tenets of strong keys are based on length and randomness. There are many sources available with instructions on how to create strong encryption keys.<br />
<br />
Part of key complexity is key availability. For example, a complex key written on a sticky note pasted to the computer's keyboard would not provide much in the way of privacy. Therefore, in addition to creating a strong key, maintaining it in a secure location is necessary as well.<br />
<br />
====Encryption Algorithm====<br />
<br />
There are many peer-reviewed encryption algorithms in existence. The encryption algorithms and block ciphers used in any of the mentioned methods for applying encryption in this wiki page are considered strong algorithms that have been subjected to cryptographic review by the cryptography community.<br />
<br />
====discard/TRIM support for solid state disks====<br />
<br />
Solid state disk users should be aware that by default, Linux's full-disk encryption mechanisms will ''not'' forward TRIM commands from the filesystem to the underlying disk. The device-mapper maintainers have made it clear that TRIM support will never be enabled by default on dm-crypt devices because of the potential security implications; if TRIM support were enabled, an attacker may be able to tell which blocks have been used, how many blocks have been used, and other information that is exposed directly to the device when a TRIM is issued.<br />
<br />
It may be possible to determine the filesystem utilized by your encrypted device through the data that is leaked by TRIM. Furthermore, any information that may be derived by a profile of block usage may be exposed by enabling TRIM support on an encrypted device.<br />
<br />
As of kernel 3.1, support for dm-crypt TRIM pass-through can be toggled upon device creation or mount with dmsetup. Support for this option also exists in cryptsetup version 1.4.0 and up. This configuration has not been thoroughly tested. It is strongly advised that users who are not willing to lose data in this process wait until official userspace support is realized. A testing package of cryptsetup already supports this. You need to install {{Pkg|cryptsetup}} from [testing] (at least cryptsetup-1.4.0-1) and append "{{ic|:allow-discards}}" to the cryptdevice option. The option should then look like this:<br />
cryptdevice=/dev/mapper/root:root:allow-discards<br />
<br />
For more information, including specific commands and details on dm-crypt TRIM pass-through, see these mailing list threads:<br />
* http://article.gmane.org/gmane.linux.kernel.device-mapper.devel/14134<br />
* http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/5166<br />
<br />
==== System Encryption ====<br />
<br />
System encryption provides security against unauthorized physical access to a machine that is powered off. It does not provide any security advantage for a system that is powered on with its partitions mounted in an unencrypted state. For a powered-on, user-accessible system, the normal precautions to prevent viruses, trojans, worms, or other attempts to access private data should be exercised. Furthermore, system encryption has been shown to be penetrable in cases where a system has recently been shut down. This is because cessation of power does not immediately degrade data that was stored in RAM prior to shutdown. Therefore someone with physical access to your computer within a few moments of shutdown could cool the RAM modules and use them to extract your encryption key, thus obtaining access to your data.<br />
<br />
{{Note|System encryption assumes encryption of all mounted partitions except for {{ic|/boot}}, meaning that the root file system, swap partition, and all other partitions must be encrypted. If the swap, {{ic|/tmp}}, or root filesystems are unencrypted, only a data-encryption level of security has been accomplished.}}<br />
<br />
==== Data Encryption ====<br />
<br />
There are two common forms of data encryption:<br />
<br />
::*Encryption of data partitions on the same physical disk as the system.<br />
::*Encryption of data partitions on separate physical disks from the system.<br />
<br />
=====Encryption of data partitions on the same physical disk as the system=====<br />
<br />
The most common form of data encryption is encrypting the {{ic|/home}} partition.<br />
<br />
In cases where the encrypted data are located on the same physical disk as the system accessing the drive, the privacy of data has already been decreased by orders of magnitude when compared to system encryption. The reason for this is that the host operating systems employ background methods to assist the user in the access and management of their data. The problem lies in where these processes store this data, which is most commonly in the unencrypted system partition.<br />
<br />
For example, {{Pkg|mlocate}} will scan all currently mounted file systems regularly and write the list of filenames to {{ic|/var/lib/mlocate/mlocate.db}}, which is located in the non-encrypted root or {{ic|/var}} partition. Thus an attacker will have a list of all filenames for that computer, even the ones on the encrypted {{ic|/home}} partition, readily available to assist them in accessing the encrypted data present on the disk.<br />
<br />
Some have compared this to reducing the level of security from partition-based encryption to filesystem level encryption like [[System_Encryption_with_eCryptfs|System Encryption with eCryptfs]].<br />
<br />
=====Encryption of data partitions on separate physical disks from the system=====<br />
<br />
Popular forms of data encryption on physically separate partitions include the encryption of removable media such as:<br />
<br />
::*USB Flash Drives<br />
::*External Hard Disk Drives or Separate Internal Hard Disk Drives<br />
::*CD/DVD/Blu-Ray Optical Media<br />
::*Magnetic Storage Media<br />
<br />
The most important part of this form of data encryption is to remember that the encryption protects the privacy of the data that is located within the encrypted media only when it is not mounted. Data encryption does not protect the privacy of data once it is made accessible to a system. For example, attaching an encrypted USB flash drive, and subsequently decrypting a file for use temporarily on a non-secured system could result in remnants of that file existing on the host system in an unencrypted form.<br />
<br />
== Initial Setup ==<br />
=== Overview and Preparation ===<br />
<br />
The Arch installer comes with all the tools required for system encryption. Setup of encrypted partitions can be accomplished either manually prior to executing the Arch installer or using the menu interface from the Arch installer itself. The installation of an encrypted system is largely the same as installing an unencrypted system, so you can follow the [[Official Arch Linux Install Guide]] or the [[Beginners' Guide]] after the encrypted partitions are set up.<br />
<br />
Routine creation of an encrypted system follows these general steps:<br />
<br />
::* Secure erasure of the hard disk drive(s)<br />
::* Partitioning and setup of encryption ([[LVM]] optional)<br />
::* Routine package selection and installation<br />
::* System Configuration<br />
<br />
{{Warning | Encrypting a partition will erase everything currently on that partition. Please make appropriate data backups prior to starting.}}<br />
<br />
=== Secure Erasure of the Hard Disk Drive ===<br />
<br />
Secure erasure of the hard disk drive involves overwriting the entire drive with random data.<br />
<br />
{{Note|Overwriting a hard disk drive ''multiple'' times with random data serves no purpose. Data existing prior to overwriting cannot be recovered after it has been overwritten. [http://www.springerlink.com/content/408263ql11460147/ Overwriting Hard Drive Data: The Great Wiping Controversy]}}<br />
<br />
====Why perform secure erasure of a drive?====<br />
<br />
There are two types of hard disk drives, new and used; both kinds should be securely overwritten. The reasoning is slightly different for each, but the goal is to help ensure the privacy of data located within the encrypted partitions.<br />
<br />
::'''New Hard Disk Drives'''<br />
<br />
::In hard drives that have been directly purchased from a manufacturer there is no preexisting private data to protect. The problem is that there is no consistency in what is presently on the drive. Ideally the drive should be completely filled with random bits. However some drives have been overwritten completely with zeros. Therefore once the drive is used to write encrypted data, it is relatively simple to identify where the encrypted data ends and the zeroed data begins compared to a drive that was written with random data before usage as an encrypted drive. Since an encrypted partition is supposed to be indistinguishable from random data, the lack of random data on a zeroed drive makes an encrypted drive an easier target for cryptanalysis.<br />
<br />
::'''Used Hard Disk Drives'''<br />
<br />
::Repartitioning or reformatting a used hard drive removes the file system structure for identifying where the original data was located while leaving the actual data intact on the drive itself. It is relatively straightforward to access the remnant data using tools like [http://foremost.sourceforge.net/ Foremost]. Therefore hard drives should be securely overwritten with random data prior to encryption to prevent unintentional data recovery.<br />
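The argument above about zero-filled new drives, as an added example (not part of the original wiki page): a block-entropy scan over two constructed in-memory disk images, in which the written regions stand out on a zeroed disk and disappear on one pre-filled with random data. {{ic|os.urandom}} stands in for dm-crypt ciphertext, and the block size, threshold and usage pattern are assumptions chosen for the demo.

```python
"""Why a zero-filled disk reveals where the encrypted data lives.

Constructed demo: os.urandom() stands in for dm-crypt ciphertext, and the
"disks" are small in-memory images, not real block devices.
"""
import math
import os

BLOCK_SIZE = 4096          # bytes per analysed block (assumed for the demo)
DISK_BLOCKS = 64           # size of the constructed "disk", in blocks
ENTROPY_THRESHOLD = 7.0    # bits/byte; a random 4 KiB block measures ~7.95

# Constructed usage pattern: blocks the encrypted volume has written to.
WRITTEN = list(range(0, 10)) + list(range(40, 45))


def shannon_entropy(block):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    counts = [0] * 256
    for byte in block:
        counts[byte] += 1
    total = len(block)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def high_entropy_blocks(image):
    """Indexes of blocks that look like ciphertext or random fill."""
    found = []
    for index in range(len(image) // BLOCK_SIZE):
        block = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
        if shannon_entropy(block) >= ENTROPY_THRESHOLD:
            found.append(index)
    return found


def to_extents(blocks):
    """Collapse sorted block numbers into inclusive (first, last) runs."""
    extents = []
    for number in blocks:
        if extents and number == extents[-1][1] + 1:
            extents[-1] = (extents[-1][0], number)
        else:
            extents.append((number, number))
    return extents


def build_disk(prefill_random, written):
    """Return a disk image: zeroed or random-filled, then 'encrypted' writes."""
    size = DISK_BLOCKS * BLOCK_SIZE
    disk = bytearray(os.urandom(size)) if prefill_random else bytearray(size)
    for index in written:
        start = index * BLOCK_SIZE
        disk[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
    return bytes(disk)


def demo():
    """Extents an observer of the raw device can pick out on each disk."""
    zeroed = build_disk(prefill_random=False, written=WRITTEN)
    wiped = build_disk(prefill_random=True, written=WRITTEN)
    return (to_extents(high_entropy_blocks(zeroed)),
            to_extents(high_entropy_blocks(wiped)))


if __name__ == "__main__":
    on_zeroed, on_wiped = demo()
    print("zero-filled disk, visible data extents:", on_zeroed)
    print("random-filled disk, visible data extents:", on_wiped)
```

On the zero-filled image the scan recovers exactly the written extents; on the random-filled image every block looks the same, so the scan returns one extent covering the whole disk.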
<br />
====Overwriting a hard disk drive with random data====<br />
<br />
There are two sources of random data commonly used for securely overwriting hard disk partitions.<br />
<br />
::*{{ic|/dev/urandom}}<br />
::*badblocks<br />
<br />
=====Using urandom=====<br />
<br />
#dd if=/dev/urandom of=/dev/<drive> bs=1M<br />
<br />
Where {{ic|/dev/<drive>}} is the drive to be encrypted.<br />
<br />
{{Note| Using {{ic|/dev/urandom}} will take a long time to completely overwrite a drive with "random" data. In the strictest sense, {{ic|/dev/urandom}} is less random than {{ic|/dev/random}}; however, {{ic|/dev/random}} uses the kernel entropy pool and, once this pool has been exhausted, will halt overwriting until more input entropy is available. This makes the use of {{ic|/dev/random}} for overwriting hard disks impractical.}}<br />
<br />
{{Note| Users may also find that {{ic|/dev/urandom}} takes an excessively long time on large drives of several hundred gigabytes or more (more than twenty-four hours). [[Frandom]] offers a faster alternative.}}<br />
<br />
=====Using badblocks=====<br />
<br />
#badblocks -c 10240 -wsvt random /dev/<drive><br />
<br />
Where {{ic|/dev/<drive>}} is the drive to be encrypted.<br />
<br />
{{Note|The {{ic|badblocks}} command overwrites the drive at a much faster rate by generating data that is not truly random.}}<br />
<br />
{{Tip|In deciding which method to use for secure erasure of a hard disk drive, remember that this will not need to be performed more than once for as long as the drive is used as an encrypted drive.}}<br />
<br />
=== Partitioning ===<br />
<br />
After the drive has been securely overwritten, it is time to create partitions and begin setting up an encrypted system.<br />
<br />
There are multiple ways to create disk partitions:<br />
<br />
::*Standard partitions<br />
::*[[LVM]]<br />
::*[[RAID]]<br />
<br />
LUKS is compatible with systems that require LVM and/or RAID as well as with standard primary, extended, and logical partitions.<br />
<br />
====Standard Partitions====<br />
<br />
These are the partitions that most people are familiar with. They come in 3 flavors: primary partitions, extended partitions, and logical partitions.<br />
<br />
;Primary Partitions: These are the normal partitions recognized by the system BIOS. There can be up to 4 of these stored in the MBR.<br />
<br />
;Extended Partitions: These are primary partitions that also define another partition within themselves. Extended partitions were created to work around the original 4 partition limit of primary partitions.<br />
<br />
;Logical Partitions: These are the partitions that are defined within extended partitions.<br />
<br />
====LVM: Logical Volume Manager====<br />
<br />
The LVM allows for creation of volume groups for systems that require complex combinations of multiple hard disk drives and partitions that are not possible with standard partitions. LVM is covered in detail in the [[LVM|Arch Linux LVM Wiki Article]] which is recommended reading prior to continuing with the instructions on setting up LUKS with LVM located below.<br />
<br />
====How does LVM fit into the overall system?====<br />
<br />
There is a growing preference towards logical volume management of LUKS encrypted physical media (LVM on LUKS). It is possible there may exist usage scenarios where encrypting logical volumes rather than physical disks is required (LUKS on LVM). However, the deployment of LVM on LUKS is considered much more generalizable. One reason for this is that using LUKS as the lowest level of infrastructure most closely approximates the deployment of physical disks with built-in hardware encryption. In which case, logical volume management would be layered on top of the hardware encryption -- usage of LUKS would be superfluous.<br />
<br />
==== Creating Disk Partitions ====<br />
<br />
Disk partitions are created using:<br />
<br />
# cfdisk<br />
<br />
This will display a graphical interface for creating disk partitions.<br />
<br />
There are 2 required partitions for any encrypted system:<br />
<br />
::A root file system<br />
<br />
:::*{{ic|'''/'''}}<br />
:::*Will be encrypted and store all system and user files ({{ic|/usr}}, {{ic|/bin}}, {{ic|/var}}, {{ic|/home}}, etc.)<br />
<br />
::An initial boot partition<br />
<br />
:::*{{ic|'''/boot'''}}<br />
:::*Will ''not'' be encrypted; the bootloader needs to access the {{ic|/boot}} directory where it will load the initramfs/encryption modules needed to load the rest of the system which ''is'' encrypted (see [[Mkinitcpio]] for details). For this reason, {{ic|/boot}} needs to reside on its own, unencrypted partition.<br />
<br />
{{Note| A swap partition is optional; it can be encrypted with dm-crypt/LUKS. See [[#Encrypting_the_Swap_partition|Encrypting the Swap Partition]] for details.}}<br />
<br />
=====Single Disk Systems=====<br />
<br />
Depending on the system demands, there may be additional partitions desired. These partitions can be individually created at this level by defining separate primary or extended/logical partitions. However, if LVM is to be used, the space unoccupied by {{ic|/boot}} and swap should be defined as single large partition which will be divided up later at the LVM level.<br />
<br />
=====Multiple Disk Systems=====<br />
<br />
In systems that will have multiple hard disk drives, the same options exist as for a single disk system. After the creation of the {{ic|/boot}} and swap partitions, the remaining free space on the physical disks can be divided up into their respective partitions at this level, or large partitions can define all free space per physical disk with the intent to partition them within the LVM.<br />
<br />
== Configuring LUKS ==<br />
<br />
Creating LUKS partitions with a passphrase is supported by the {{ic|/arch/setup}} program. <br />
<br />
This section of the Wiki will cover how to manually utilize LUKS from the command line to encrypt a system. <br />
<br />
The steps for accomplishing this through the graphical installer are very similar and can be located in the dialogue for manual configuration of the hard drive.<br />
<br />
=== Mapping Physical Partitions to LUKS ===<br />
<br />
Once the desired partitions are created it is time to format them as LUKS partitions and then mount them through the device mapper.<br />
<br />
When creating LUKS partitions they must be associated with a key. <br />
<br />
A key is either a: <br />
<br />
::*Passphrase<br />
::*Keyfile <br />
<br />
It is possible to define up to 8 different keys per LUKS partition.<br />
<br />
==== Using LUKS to Format Partitions with a Passphrase ====<br />
<br />
Cryptsetup is used to interface with LUKS for formatting, mounting and unmounting encrypted partitions.<br />
<br />
A full list of options {{ic|cryptsetup}} accepts can be found in the [http://www.linuxcommand.org/man_pages/cryptsetup8.html Cryptsetup Manpage].<br />
<br />
The options used here are:<br />
<br />
::*{{ic|-c}} defines the cipher type<br />
::*{{ic|-y}} prompts for password confirmation on password creation<br />
::*{{ic|-s}} defines the key size<br />
<br />
::luksFormat addresses the LUKS extensions built into cryptsetup.<br />
<br />
In the following examples for creating LUKS partitions, we will use the AES cipher in XTS mode; at present this is the most generally used and preferred cipher.<br />
Other ciphers can be used with cryptsetup, and details about them can be found here: [[Wikipedia:Block_cipher]]<br />
<br />
'''Formatting LUKS Partitions'''<br />
<br />
First of all make sure the device mapper kernel module is loaded by executing the following: {{ic|# modprobe dm_mod}}<br />
<br />
In order to format a desired partition as an encrypted LUKS partition execute:<br />
{{hc|# cryptsetup -c <cipher> -y -s <key size> luksFormat /dev/<partition name>|<br />
Enter passphrase: <password><br />
Verify passphrase: <password>}}<br />
<br />
This should be repeated for all partitions except for {{ic|/boot}} and possibly swap.<br />
<br />
The example below will create an encrypted root partition using the AES cipher in XTS mode (generally referred to as ''XTS-AES'').<br />
{{bc|cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda2}}<br />
<br />
{{Note|If hibernation usage is planned, swap must be encrypted in this fashion; otherwise, if hibernation is not a planned feature for the system, encrypting the swap file will be performed in an alternative manner.}}<br />
<br />
{{Warning|Irrespective of the chosen partitioning method, the {{ic|/boot}} partition must remain separate and unencrypted in order to load the kernel and boot the system.}}<br />
<br />
'''Unlocking/Mapping LUKS Partitions with the Device Mapper'''<br />
<br />
Once the LUKS partitions have been created it is time to unlock them.<br />
<br />
The unlocking process will map the partitions to a new device name using the device mapper. This alerts the kernel that {{ic|/dev/<partition name>}} is actually an encrypted device and should be addressed through LUKS using the {{ic|/dev/mapper/<name>}} so as not to overwrite the encrypted data. <br />
<br />
In order to open an encrypted LUKS partition execute:<br />
{{hc|# cryptsetup luksOpen /dev/<partition name> <device-mapper name>|<br />
Enter any LUKS passphrase: <password><br />
key slot 0 unlocked.<br />
Command successful.}}<br />
<br />
Usually the device mapped name is descriptive of the function of the partition that is mapped, for example:<br />
<br />
::*cryptsetup luksOpen /dev/sda2 '''swap'''<br />
::::Once opened, the swap partition device address would be '''{{ic|/dev/mapper/swap}}''' instead of {{ic|/dev/sda2}}.<br />
<br />
::*cryptsetup luksOpen /dev/sda3 '''root'''<br />
::::Once opened, the root partition device address would be '''{{ic|/dev/mapper/root}}''' instead of {{ic|/dev/sda3}}.<br />
<br />
{{Note|Since {{ic|/boot}} is not encrypted, it does not need a device mapped name and will be addressed as {{ic|/dev/sda1}}.}}<br />
<br />
{{Warning|In order to write encrypted data into the partition it must be accessed through the device mapped name.}}<br />
<br />
==== Using LUKS to Format Partitions with a Keyfile ====<br />
<br />
'''What is a Keyfile?'''<br />
<br />
A keyfile is any file whose contents are used as the passphrase to unlock an encrypted volume.<br />
Therefore if these files are lost or changed, decrypting the volume will no longer be possible.<br />
<br />
{{Tip|Define a passphrase in addition to the keyfile for backup access to encrypted volumes in the event the defined keyfile is lost or changed.}}<br />
<br />
'''Why use a Keyfile?'''<br />
<br />
There are many kinds of keyfiles. Each type of keyfile has benefits and disadvantages, summarized below:<br />
<br />
:'''keyfile.passphrase:'''<br />
::this is my passphrase I would have typed during boot but I have placed it in a file instead<br />
<br />
This is a keyfile containing a simple passphrase. The benefit of this type of keyfile is that if the file is lost the data it contained is known and hopefully easily remembered by the owner of the encrypted volume. However the disadvantage is that this does not add any security over entering a passphrase during the initial system start.<br />
<br />
:'''keyfile.randomtext:'''<br />
::fjqweifj830149-57 819y4my1- 38t1934yt8-91m 34co3;t8y;9p3y-<br />
<br />
This is a keyfile containing a block of random characters. The benefit of this type of keyfile is that it is much more resistant to dictionary attacks than a simple passphrase. An additional strength of keyfiles can be utilized in this situation which is the length of data used. Since this is not a string meant to be memorized by a person for entry, it is trivial to create files containing thousands of random characters as the key. The disadvantage is that if this file is lost or changed, it will most likely not be possible to access the encrypted volume without a backup passphrase.<br />
<br />
:'''keyfile.binary:'''<br />
::where any binary file, images, text, video could be chosen as the keyfile<br />
<br />
This is a binary file that has been defined as a keyfile. When identifying files as candidates for a keyfile, it is recommended to choose files that are relatively static such as photos, music, video clips. The benefit of these files is that they serve a dual function which can make them harder to identify as keyfiles. Instead of having a text file with a large amount of random text, the keyfile would look like a regular image file or music clip to the casual observer. The disadvantage is that if this file is lost or changed, it will most likely not be possible to access the encrypted volume without a backup passphrase. Additionally, there is a theoretical loss of randomness when compared to a randomly generated text file. This is due to the fact that images, videos, music have some intrinsic relationship between neighboring bits of data that does not exist for a randomly generated text file. However this is controversial and has never been exploited publicly.<br />
<br />
'''Creating a Keyfile with Random Characters'''<br />
<br />
Here {{ic|dd}} is used to generate a keyfile of 2048 bits of random characters.<br />
<br />
# dd if=/dev/urandom of=mykeyfile bs=512 count=4<br />
<br />
The usage of {{ic|dd}} is similar to initially wiping the volume with random data prior to encryption. While badblocks may also be used, most key files are on the order of a few kilobytes and there is no noticeable speed difference between dd and badblocks.<br />
<br />
'''Creating a new LUKS encrypted partition with a Keyfile'''<br />
<br />
When creating a new LUKS encrypted partition, a keyfile may be associated with the partition on its creation using:<br />
<br />
# cryptsetup -c <desired cipher> -s <key size> -v luksFormat /dev/<volume to encrypt> '''/path/to/mykeyfile'''<br />
<br />
This is accomplished by appending the bold area to the standard cryptsetup command which defines where the keyfile is located.<br />
<br />
==== Adding Additional Passphrases or Keyfiles to a LUKS Encrypted Partition ====<br />
<br />
LUKS supports the association of up to 8 keys with any single encrypted volume.<br />
Keys can be either keyfiles or passphrases.<br />
<br />
Once an encrypted partition has been created, the initial key is associated at slot 0.<br />
Additional keys will occupy slots 1 - 7.<br />
<br />
The addition of new keys to an encrypted partition is accomplished using cryptsetup with the {{ic|luksAddKey}} extension.<br />
<br />
# cryptsetup luksAddKey /dev/<encrypted volume> '''/path/to/mykeyfile'''<br />
<br />
Where {{ic|/dev/<encrypted volume>}} is the volume that is to have the new key associated with it.<br />
<br />
If the bolded area is present, cryptsetup will look for the keyfile defined at that location to associate with the encrypted volume specified.<br />
<br />
=== Storing the Key File ===<br />
<br />
==== External Storage on a USB Drive ====<br />
<br />
===== Preparation for permanent device names =====<br />
For reading the file from a USB stick it is important to access it through a permanent device name.<br />
The numbering of the normal device names e.g. {{ic|/dev/sdb1}} is somewhat arbitrary and depends on how many storage devices are attached and in what order, etc.<br />
So in order to assure that the {{ic|encrypt}} HOOK in the initcpio finds your keyfile, you must use a permanent device name. <br />
<br />
===== Quick method =====<br />
A quick method (as opposed to setting up a [[udev]] rule) for doing so involves referencing your removable device by its label (or UUID). To find your label or UUID, plug in your USB drive and run the following:<br />
<br />
{{hc|# ls -l /dev/disk/by-label/|<br />
lrwxrwxrwx 1 root root 10 12. Feb 10:11 Keys -> ../../sdb1}}<br />
<br />
or<br />
<br />
{{hc|# ls -l /dev/disk/by-uuid/|<br />
lrwxrwxrwx 1 root root 10 12. Feb 10:11 4803-8A7B -> ../../sdb1}}<br />
<br />
In this case, I labeled the vfat partition on my USB drive as "Keys" so my device is always symlinked in {{ic|/dev/disk/by-label/Keys}}, or if I had wanted to use the UUID I would find {{ic|/dev/disk/by-uuid/4803-8A7B}}. This allows me to have a consistent naming of my USB devices regardless of the order they are plugged into the system. These device names can be used in the "cryptkey" kernel option or anywhere else. Filesystem UUIDs are stored in the filesystem itself, meaning that the UUID will be the same if you plug it into any other computer, and that a dd backup of it will always have the same UUID since dd does a bitwise copy.<br />
<br />
{{Note|If you plan to store the keyfile between [[#Storing_the_key_between_MBR_and_1st_partition|MBR and the 1st partition]] you '''cannot use this method''', since it only allows access to the partitions ({{ic|sdb1}}, {{ic|sdb2}}, ...) but not to the USB device ({{ic|sdb}}) itself.<br />
Create a udev rule instead as described in the following section.}}<br />
<br />
==== Using udev ====<br />
Optionally you may choose to set up your flash drive with a [[udev]] rule. There is some documentation in the Arch wiki about that already; if you want more in-depth, structural info, read [http://reactivated.net/writing_udev_rules.html this guide]. In brief, the procedure is as follows.<br />
<br />
Get the serial number from your USB flash drive:<br />
lsusb -v | grep -A 5 Vendor<br />
<br />
Create a udev rule for it by adding the following to a file in {{ic|/etc/udev/rules.d/}}, such as {{ic|8-usbstick.rules}}:<br />
KERNEL=="sd*", ATTRS{serial}=="$SERIAL", SYMLINK+="$SYMLINK%n"<br />
<br />
Replace {{ic|$SYMLINK}} and {{ic|$SERIAL}} with their respective values. {{ic|%n}} will expand to the partition (just like sda is subdivided into sda1, sda2, ...). You do not need to go with the 'serial' attribute. If you have a custom rule of your own, you can put it in as well (e.g. using the vendor name).<br />
<br />
Rescan your sysfs:<br />
udevadm trigger<br />
Now check the contents of {{ic|/dev}}:<br />
ls /dev<br />
It should show your device with your desired name.<br />
<br />
==== Generating the keyfile ====<br />
Optionally you can mount a tmpfs for storing the temporary keyfile.<br />
# mkdir ./mytmpfs<br />
# mount tmpfs ./mytmpfs -t tmpfs -o size=32m<br />
# cd ./mytmpfs<br />
The advantage is that it resides in RAM and not on a physical disk, so after unmounting your keyfile is securely gone.<br />
So copy your keyfile to some place you consider secure before unmounting.<br />
If you are planning to store the keyfile as a plain file on your USB device, you can also simply execute the following command in the corresponding directory, e.g. {{ic|/media/sdb1}}<br />
<br />
The keyfile can be of arbitrary content and size. We will generate a random temporary keyfile of 2048 bytes:<br />
# dd if=/dev/urandom of=secretkey bs=512 count=4<br />
<br />
If you stored your temporary keyfile on a physical storage, remember to not just (re)move the keyfile later on, but use something like<br />
cp secretkey /destination/path<br />
shred --remove --zero secretkey<br />
to securely overwrite it. (However due to journaling filesystems this is also not 100% secure.)<br />
<br />
Add the temporary keyfile with cryptsetup:<br />
# cryptsetup luksAddKey /dev/sda2 secretkey<br />
Enter any LUKS passphrase:<br />
key slot 0 unlocked.<br />
Command successful.<br />
<br />
==== Storing the keyfile ====<br />
To store the key file, you have two options. The first is less risky than the second, but the second is perhaps a bit more secure (if you consider security by obscurity as more secure).<br />
In any case you have to do some further configuration, if not already done above.<br />
<br />
==== Configuration of initcpio ====<br />
You have to add two extra modules in your {{ic|/etc/mkinitcpio.conf}}, one for the drive's file system and one for the codepage. Further if you created a udev rule, you should tell {{ic|mkinitcpio}} about it:<br />
MODULES="ata_generic ata_piix nls_cp437 vfat"<br />
FILES="/etc/udev/rules.d/8-usbstick.rules"<br />
In this example it is assumed that you use a FAT formatted USB drive. Replace those module names if you use another file system on your USB stick (e.g. ext2) or another codepage. Users running the stock Arch kernel should stick to the codepage mentioned here.<br />
<br />
Additionally, insert the {{ic|usb}} hook somewhere before the {{ic|encrypt}} hook.<br />
HOOKS="... '''usb''' encrypt ... filesystems ..."<br />
<br />
Generate a new image (maybe you should take a copy of your old kernel26.img before):<br />
mkinitcpio -g /boot/kernel26.img<br />
<br />
==== Storing the key as plain (visible) file ====<br />
Be sure to choose a plain name for your key - a bit of 'security through obscurity' is always nice ;-). Avoid using dots (hidden files) and similar characters - the {{ic|encrypt}} hook will fail to find the keyfile during the boot process.<br />
<br />
You have to add a kernel parameter in your {{ic|/boot/grub/menu.lst}} ([[GRUB]]), it should look something like this:<br />
kernel /vmlinuz26 root=/dev/hda3 ro vga=791 cryptkey=/dev/usbstick:vfat:/secretkey<br />
This assumes {{ic|/dev/usbstick}} is the FAT partition of your choice. Replace it with {{ic|/dev/disk/by-...}} or whatever your device is.<br />
<br />
That is all, reboot and have fun!<br />
<br />
==== Storing the key between MBR and 1st partition ====<br />
We will write the key directly between the Master Boot Record (MBR) and the first partition.<br />
<br />
{{Warning|You should only follow this step if you know what you are doing -- '''it can cause data loss and damage your partitions or MBR on the stick!'''}}<br />
<br />
If you have a bootloader installed on your drive you have to adjust the values. E.g. [[GRUB]] needs the first 16 sectors (actually, it depends on the type of the file system, so do not rely on this too much), you would have to replace {{ic|seek<nowiki>=</nowiki>4}} with {{ic|seek<nowiki>=</nowiki>16}}; otherwise you would overwrite parts of your GRUB installation. When in doubt, take a look at the first 64 sectors of your drive and decide on your own where to place your key. <br />
<br />
''Optional''<br />
If you do not know if you have enough free space before the first partition, you can do<br />
dd if=/dev/usbstick of=64sectors bs=512 count=64 # gives you copy of your first 64 sectors<br />
hexcurse 64sectors # determine free space<br />
xxd 64sectors | less # alternative hex viewer<br />
<br />
Write your key to the disk:<br />
dd if=secretkey of=/dev/usbstick bs=512 seek=4<br />
<br />
If everything went fine you can now overwrite and delete your temporary secretkey as noted above.<br />
You should not simply use {{ic|rm}} as the keyfile would only be unlinked from your filesystem and be left physically intact.<br />
<br />
Now you have to add a kernel parameter in your {{ic|/boot/grub/menu.lst}} file (GRUB); it should look something like this:<br />
kernel /vmlinuz26 root=/dev/hda3 ro vga=791 cryptkey=/dev/usbstick:2048:2048<br />
Format for the {{ic|cryptkey}} option:<br />
cryptkey=BLOCKDEVICE:OFFSET:SIZE<br />
{{ic|OFFSET}} and {{ic|SIZE}} match in this example, but this is just coincidence - they can differ (and often will). Another possible example could be<br />
kernel /vmlinuz26 root=/dev/hda3 ro vga=791 cryptkey=/dev/usbstick:8192:2048<br />
That is all, reboot and have fun! And look if your partitions still work after that ;-).<br />
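
The relationship between the {{ic|dd}} arguments and the {{ic|cryptkey}} values can be checked on a scratch image before touching the real stick. The following is an added example, not part of the original article: it writes a key at {{ic|seek*bs}}, reads it back by byte offset and size the way a {{ic|BLOCKDEVICE:OFFSET:SIZE}} reference addresses it, and checks that the key region ends before the first partition. The helper names, the image file and the partition start at sector 63 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: all work happens on a scratch image file, never on a device.
# The helper names and the image/partition values are constructed.
set -eu

# Byte OFFSET for cryptkey=, from the dd block size and seek count.
cryptkey_offset() {            # $1 = bs, $2 = seek
    echo $(( $1 * $2 ))
}

# True only if the key region [OFFSET, OFFSET+SIZE) ends at or before the
# first byte of the first partition.
key_fits_before_partition() {  # $1 = offset, $2 = size, $3 = start sector, $4 = sector size
    [ $(( $1 + $2 )) -le $(( $3 * $4 )) ]
}

# Write the key at seek*bs without truncating the target, then read SIZE
# bytes back from byte OFFSET and compare them with the keyfile.
write_and_verify_key() {       # $1 = image, $2 = keyfile, $3 = bs, $4 = seek
    local size offset
    size=$(( $(wc -c < "$2") ))
    offset=$(cryptkey_offset "$3" "$4")
    dd if="$2" of="$1" bs="$3" seek="$4" conv=notrunc 2>/dev/null
    dd if="$1" bs=1 skip="$offset" count="$size" 2>/dev/null | cmp -s - "$2"
}

# Kernel parameter in the BLOCKDEVICE:OFFSET:SIZE form.
cryptkey_param() {             # $1 = device, $2 = bs, $3 = seek, $4 = keyfile
    echo "cryptkey=$1:$(cryptkey_offset "$2" "$3"):$(( $(wc -c < "$4") ))"
}

demo() {
    local dir
    dir=$(mktemp -d)
    # Constructed stand-in for the first 64 sectors of the stick.
    dd if=/dev/zero of="$dir/stick.img" bs=512 count=64 2>/dev/null
    dd if=/dev/urandom of="$dir/secretkey" bs=512 count=4 2>/dev/null
    # Assumed layout: the first partition starts at sector 63.
    key_fits_before_partition "$(cryptkey_offset 512 4)" 2048 63 512
    write_and_verify_key "$dir/stick.img" "$dir/secretkey" 512 4
    cryptkey_param /dev/usbstick 512 4 "$dir/secretkey"
    rm -rf "$dir"
}

demo
```

With {{ic|seek<nowiki>=</nowiki>16}} the same arithmetic gives the offset 8192 used in the second kernel line above.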
<br />
=== Encrypting the Swap partition ===<br />
<br />
==== Encrypting Swap without Suspend Support ====<br />
<br />
In systems where suspend to disk is not a desired feature, it is possible to create a swap file that will have a random passphrase with each boot.<br />
<br />
This is accomplished by using dm-crypt directly without LUKS extensions.<br />
<br />
Execute the following command to setup a randomly encrypted swap partition:<br />
<br />
# echo <device-mapper name> <swap physical partition> SWAP "-c aes-xts-plain -h whirlpool -s 512" >> /mnt/etc/crypttab<br />
<br />
This command adds the following swap partition details to {{ic|/mnt/etc/crypttab}}:<br />
<br />
::*'echo' and '>> /mnt/etc/crypttab' adds the command to the file {{ic|/mnt/etc/crypttab}} directly<br />
::*SWAP identifies the partition as a swap partition<br />
::*{{ic|-c}} defines a cipher<br />
::*{{ic|-h}} defines a hash algorithm<br />
::*{{ic|-s}} defines the key size<br />
<br />
Example ({{ic|/dev/sda2}} is the physical swap partition and {{ic|/dev/mapper/swapmapper}} is the device-mapper):<br />
<br />
::*echo swapmapper /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> /mnt/etc/crypttab<br />
:::Maps {{ic|/dev/sda2}} to {{ic|/dev/mapper/swapmapper}} as a swap partition which is encrypted by AES with Whirlpool as the hash algorithm.<br />
<br />
There are many hash algorithms that can be employed. For further details, read [[Wikipedia:Cryptographic_hash_function]]. <br />
<br />
{{Tip|Many people prefer Whirlpool as it is patent free. On modern hardware there is minimal performance difference between algorithms.}}<br />
<br />
If the partition chosen for swap was previously a LUKS partition, crypttab will not overwrite the partition to create a swap partition. This is a safety measure to prevent data loss from accidental misidentification of the swap partition in crypttab. In order to use such a partition the LUKS header must be removed. This can be accomplished by<br />
<br />
# dd if=/dev/zero of=/dev/sdaX # where X is your swap partition number<br />
<br />
==== Using UUIDs with encrypted swap partitions ====<br />
If there are multiple hard drives installed in the system, their naming order (sda, sdb,...) can occasionally be scrambled upon boot. When {{ic|/etc/rc.sysinit}} parses the {{ic|/etc/crypttab}} file and sees the SWAP line, it will create a new dm-crypt mapping backed by that device partition and initialize encrypted swap space on top of it. This operation destroys all data on the partition, which can be catastrophic if the disk names have been switched upon reboot. To prevent such mistakes on multi-drive systems, always reference disk partitions using UUIDs rather than device names. {{ic|/etc/rc.sysinit}} will refuse to overwrite any known file system, partition table, RAID/LVM volume or valid LUKS partition.<br />
<br />
Create a regular swap partition with a new UUID:<br />
# mkswap /dev/sdaX # where X is your swap partition number <br />
Note the new random UUID and edit {{ic|/etc/crypttab}}<br />
swap /dev/disk/by-uuid/<your UUID> SWAP --offset 8 -c aes-xts-plain -h whirlpool -s 512<br />
The {{ic|--offset}} parameter will prevent the UUID (stored within the first eight 512 byte blocks) from being overwritten by cryptsetup each time new encrypted swap space is initialized. <br />
<br />
Edit your {{ic|/etc/rc.sysinit}}, find the following lines<br />
{{bc|<nowiki><br />
/sbin/blkid -p "$2" &>/dev/null<br />
if [[ $? -eq 2 ]]; then<br />
    _overwriteokay=1<br />
fi<br />
</nowiki>}}<br />
and replace it with<br />
{{bc|<nowiki><br />
/sbin/blkid -p "$2" &>/dev/null<br />
if [[ $? -eq 2 ]]; then<br />
    _overwriteokay=1<br />
else<br />
    if /sbin/blkid -p -s TYPE "$2"|/bin/grep -q "swap" ; then<br />
        _overwriteokay=1<br />
    fi<br />
fi<br />
</nowiki>}}<br />
<br />
You can now use {{ic|/dev/mapper/swap}} as swap device in {{ic|/etc/fstab}}.<br />
<br />
An additional advantage of this method is that the swap partition can be shared among several operating systems, in encrypted and unencrypted forms.<br />
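
The two failure modes described in this section (a SWAP entry that names a kernel device, and a by-uuid entry without {{ic|--offset}}) can be detected before reboot. The following is an added example, not part of the original article; the function name and the sample crypttab entries, including the placeholder UUID, are constructed.

```shell
#!/usr/bin/env bash
# Added example: audits SWAP entries in crypttab text read from stdin.
# The function name and the sample entries are constructed.
set -eu

audit_crypttab_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $3 == "SWAP" {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i
            if (index($2, "/dev/disk/by-uuid/") != 1) {
                # sdX names can be reordered between boots, and the SWAP
                # setup overwrites whatever partition the name points at.
                printf "%s: %s is not referenced by UUID\n", $1, $2
                bad = 1
            } else if (opts !~ /--offset[ =]+[0-9]+/) {
                # Without an offset the UUID stored at the start of the
                # partition is overwritten when swap is initialized.
                printf "%s: by-uuid device without --offset\n", $1
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of /etc/crypttab; the UUID is a placeholder.
sample_crypttab() {
    cat <<'EOF'
# <name>      <device>                         <password> <options>
swapmapper    /dev/sda2                        SWAP "-c aes-xts-plain -h whirlpool -s 512"
swap          /dev/disk/by-uuid/0000-EXAMPLE   SWAP --offset 8 -c aes-xts-plain -h whirlpool -s 512
swapnooffset  /dev/disk/by-uuid/0000-EXAMPLE   SWAP -c aes-xts-plain -h whirlpool -s 512
home          /dev/sda4                        /etc/keys/home.key
EOF
}

# Prints one finding per risky entry; exit status 1 means findings exist.
sample_crypttab | audit_crypttab_swap || true
```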
<br />
==== Encrypted swap with suspend-to-disk support ====<br />
{{Warning|Do not use this setup with a key file, please read about the issue reported [[Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure|here]]}}<br />
<br />
To be able to resume after suspending the computer to disk (hibernate), it is required to keep the swap filesystem intact. Therefore, it is required to have a persistent LUKS swap partition, which can be stored on the disk or input manually at startup. Because the resume takes place before {{ic|/etc/crypttab}} can be used, it is required to create a hook in {{ic|/etc/mkinitcpio.conf}} to open the swap LUKS device before resuming. The following setup has the disadvantage of having to insert a key manually for the swap partition.<br />
<br />
If you want to use a partition which is currently used by the system, you have to disable it, first:<br />
# swapoff /dev/<device><br />
To create the swap partition, follow steps similar to those described in [[#Mapping_partitions | mapping partitions]] above.<br><br />
* Format the partition you want to use as swap with the {{ic|cryptsetup}} command. For performance reasons, you might want to use different ciphers with different key sizes. A benchmark can be found [http://www.saout.de/tikiwiki/tiki-index.php?page=UserPageChonhulio here]{{Linkrot|2011|09|05}}.<br />
<br />
# cryptsetup -c aes-xts-plain -s 512 -h sha512 -v luksFormat /dev/<device><br />
<br />
Check result with:<br />
<br />
# cryptsetup luksDump /dev/<device><br />
<br />
* Open the partition in {{ic|/dev/mapper}}:<br />
<br />
# cryptsetup luksOpen /dev/<device> swapDevice<br />
<br />
* Create a swap filesystem inside the mapped partition:<br />
<br />
# mkswap /dev/mapper/swapDevice<br />
<br />
Now you should have a LUKS swap partition which asks for the passphrase before mounting. Make sure you remove any line in {{ic|/etc/crypttab}} which uses this device. Now you have to create a hook to open the swap at boot time.<br />
<br />
* Create a hook file containing the open command:<br />
<br />
{{hc|/lib/initcpio/hooks/openswap|<nowiki><br />
# vim: set ft=sh:<br />
run_hook ()<br />
{<br />
    cryptsetup luksOpen /dev/<device> swapDevice<br />
}<br />
</nowiki>}}<br />
<br />
* Then create and edit the hook setup file:<br />
{{hc|/lib/initcpio/install/openswap|<nowiki><br />
# vim: set ft=sh:<br />
build ()<br />
{<br />
    MODULES=""<br />
    BINARIES=""<br />
    FILES=""<br />
    SCRIPT="openswap"<br />
}<br />
help ()<br />
{<br />
cat<<HELPEOF<br />
  This opens the swap encrypted partition /dev/<device> in /dev/mapper/swapDevice<br />
HELPEOF<br />
}<br />
</nowiki>}}<br />
<br />
* Add the hook {{ic|openswap}} in the {{ic|HOOKS}} array in {{ic|/etc/mkinitcpio.conf}}, before {{ic|filesystems}}, but '''after''' {{ic|encrypt}} which is mandatory as well. Do not forget to add the {{ic|resume}} hook between {{ic|openswap}} and {{ic|filesystems}} as well.<br />
<br />
* Regenerate the boot image:<br />
<br />
# mkinitcpio -p linux<br />
<br />
* Add the mapped partition to {{ic|/etc/fstab}} by adding the following line:<br />
/dev/mapper/swapDevice swap swap defaults 0 0<br />
<br />
* Set up your system to resume from {{ic|/dev/mapper/swapDevice}}. For example, if you use [[GRUB]] with kernel hibernation support, add {{ic|resume<nowiki>=</nowiki>/dev/mapper/swapDevice}} to the kernel line in {{ic|/boot/grub/menu.lst}}. A line with encrypted root and swap partitions can look like this:<br />
<br />
kernel /vmlinuz26 cryptdevice=/dev/sda2:rootDevice root=/dev/mapper/rootDevice resume=/dev/mapper/swapDevice ro<br />
<br />
At boot time, the {{ic|openswap}} hook will open the swap partition so the kernel resume may use it. If you use special hooks for resuming from hibernation, make sure they are placed '''after''' {{ic|openswap}} in the {{ic|HOOKS}} array. Please note that because of initrd opening swap, there is no entry for swapDevice in {{ic|/etc/crypttab}} needed in this case.<br />
<br />
== Installing the system ==<br />
Now that {{ic|/dev/mapper/root}} and {{ic|/dev/mapper/home}} are in place, we can enter the regular Arch setup script to install the system into the encrypted volumes.<br />
# /arch/setup<br />
{{Note | Most of the installation can be carried out normally. However, there are a few areas where it is important to make certain selections; these are marked below.}}<br />
<br />
==== Prepare hard drive ====<br />
Skip the Partitioning and Auto-Prepare business and go straight to manual configuration.<br />
Instead of choosing the hardware devices ({{ic|/dev/sdaX}}) directly, you have to select the mapper devices created above:<br />
Choose {{ic|/dev/mapper/root}} for your root and {{ic|/dev/mapper/home}} as {{ic|/home}} partition respectively and format them with any filesystem you like.<br />
The same is valid for a swap partition which is set up like the {{ic|/home}} partition. Make sure you mount {{ic|/dev/sda1}} as the {{ic|/boot}} partition or else the installer will not properly set up the bootloader.<br />
<br />
=== Select and Install packages ===<br />
Select and install the packages as usual, the base package contains all required programs.<br />
<br />
=== Configure System ===<br />
{{Note|The {{ic|encrypt}} hook is only needed if your root partition is a ''LUKS'' partition (or for a LUKS partition that needs to be mounted ''before'' root). The {{ic|encrypt}} hook is not needed in case any other partition (swap, for example) is encrypted. System initialization scripts ({{ic|/etc/rc.sysinit}} and {{ic|/etc/crypttab}} among others) take care of those.}}<br />
<br />
Afterwards you can check the files presented to you by the installer, the most important one being {{ic|/etc/mkinitcpio.conf}}. For detailed info on mkinitcpio (and its configuration) refer to [[Mkinitcpio]]. You have to make sure that your {{ic|HOOKS}} array in {{ic|/etc/mkinitcpio.conf}} looks something like this:<br />
HOOKS="... encrypt ... filesystems ..."<br />
It is important that the {{ic|encrypt}} hook comes ''before'' the {{ic|filesystems}} one. If you store your key on an external USB device (e.g. a USB stick), you need to add the USB hook too:<br />
HOOKS="... usb encrypt ... filesystems ..."<br />
For safety, add in {{ic|usb}} before {{ic|encrypt}} because the hooks are run in the order they appear.<br />
If you need support for foreign keymaps for your encryption password, you have to specify the hook {{ic|keymap}} as well. I suggest putting this in {{ic|/etc/mkinitcpio.conf}} right before {{ic|encrypt}}.<br />
<br />
If you have a USB keyboard, you need the {{ic|usbinput}} hook in {{ic|/etc/mkinitcpio.conf}}. Without it, no USB keyboard will work in early userspace.<br />
<br />
If your root partition is a ''LUKS'' partition, add the used filesystem to the {{ic|MODULES}} section.<br />
MODULES="... ext3 ext4 xfs ..."<br />
<br />
=== Install Bootloader ===<br />
'''[[GRUB]]:''' You have to make some small changes to the entries generated by the installer by replacing {{ic|/dev/mapper/root}} with {{ic|/dev/sda3}}. The corrected config looks like this:<br />
# (0) Arch Linux<br />
title Arch Linux<br />
root (hd0,0)<br />
kernel /vmlinuz26 root=/dev/sda3 ro<br />
initrd /kernel26.img<br />
<br />
For kernel >= 2.6.30:<br />
# (0) Arch Linux<br />
title Arch Linux<br />
root (hd0,0)<br />
kernel /vmlinuz26 cryptdevice=/dev/sda3:root root=/dev/mapper/root ro<br />
initrd /kernel26.img<br />
<br />
'''LILO:''' On LILO, edit the Arch Linux section in {{ic|/etc/lilo.conf}} and include a line for the {{ic|append}} option, over the initrd, with the {{ic|root<nowiki>=</nowiki>/dev/sda3}} parameter. The {{ic|append}} section makes the same kernel line as on GRUB. Also, you can omit the {{ic|root}} option, over the {{ic|image}} option. The section looks like this:<br />
# Arch Linux lilo section<br />
image = /vmlinuz26<br />
# root = /dev/sda3<br />
label = Arch<br />
initrd = /kernel26.img<br />
append = "root=/dev/sda3"<br />
read-only<br />
<br />
{{Note|If you want to use a USB flash drive with a keyfile, you have to append the {{ic|cryptkey}} option. See the corresponding section below.}}<br />
<br />
=== Exit Install ===<br />
Now that the install is finished the only thing left to do is add entries to the {{ic|/etc/crypttab}} file so you do not have to enter the passphrase for all encrypted partitions. This works only for non-root partitions e.g. /home, swap, etc.<br />
# vi /etc/crypttab<br />
Add the following line for the {{ic|/home}} partition<br />
home /dev/sda5 "myotherpassword"<br />
<br />
You can also use a keyfile instead of a passphrase. If not already done, create a keyfile and add the key to the corresponding LUKS partition as described [[#Keyfile|above]].<br />
Then add the following information to the {{ic|/etc/crypttab}} file for automounting:<br />
home /dev/sda5 /path/of/your/keyfile<br />
<br />
After rebooting you should now be presented with the text<br />
A password is required to access the root filesystem:<br />
followed by a prompt for any LUKS password. Type it in and everything should boot.<br />
Once you've logged in, have a look at your mounted partitions by typing {{ic|mount}}. You should have {{ic|/dev/mapper/root}} mounted at {{ic|/}} and, if you set up a separate encrypted home partition, {{ic|/dev/mapper/home}} mounted at {{ic|/home}}. If you set up encrypted swap, {{ic|swapon -s}} should have {{ic|/dev/mapper/swap}} listed as your swap partition.<br />
<br />
{{Note | The text prompting for the password may get mixed up with other boot messages, so the boot process may seem frozen at first glance. It is not; simply enter your password and press return.}}<br />
<br />
== Remote unlocking of the root (or other) partition ==<br />
If you want to be able to reboot a fully LUKS encrypted system remotely or start it with a Wake-on-LAN service, you will need a way to enter a passphrase for the root partition/volume at startup. This can be achieved by running the {{ic|net}} hook along with an [[SSH]] server in initrd. Install the {{AUR|dropbear_initrd_encrypt}} package from the [[Arch User Repository|AUR]] and follow the post-installation instructions. Replace the {{ic|encrypt}} hook with {{ic|encryptssh}} in {{ic|/etc/mkinitcpio.conf}}. Put the {{ic|net}} hook early in the HOOKS array if your DHCP server takes a long time to lease IP addresses.<br />
<br />
If you simply would like a nice solution to mount other encrypted partitions (like {{ic|/home}}) remotely, you may want to look at [https://bbs.archlinux.org/viewtopic.php?pid=880484 this forum thread].<br />
<br />
== Backup the cryptheader ==<br />
If the header of your crypted partition gets destroyed, you will not be able to decrypt your data. Therefore, having a backup of the headers and storing them on another disk might be a good idea.<br />
<br />
'''Attention:''' Many people recommend NOT to back up the cryptheader, even though it is a single point of failure!<br />
In short, the problem is that LUKS is not aware of the duplicated cryptheader, which contains the master key used to encrypt all files on your partition. Of course this master key is encrypted with your passphrases or keyfiles.<br />
But if one of those gets compromised and you want to revoke it, you have to do this on all copies of the cryptheader!<br />
I.e. if someone has got your cryptheader and one of your keys, he can decrypt the master key and access all your data.<br />
Of course the same is true for all backups you create of your partitions.<br />
So you decide if you are one of those paranoids brave enough to go without a backup for the sake of security or not.<br />
See also [http://www.saout.de/tikiwiki/tiki-slideshow.php?page=LUKSFaq&slide=1 LUKSFaq]{{Linkrot|2011|09|05}} for further details on this.<br />
<br />
'''Note:''' you can also backup the header into a tmpfs/ramfs and encrypt it with gpg or whatever before writing it to a physical disk. Of course you can wrap your encrypted backup into another encryption layer and so on until you feel safe enough :-)<br />
<br />
=== Backup ===<br />
==== Manually ====<br />
First you have to find out the payload offset of the crypted partition (replace sdaX with the corresponding partition)<br />
cryptsetup luksDump /dev/sdaX | grep "Payload offset"<br />
Payload offset: 4040<br />
Now that you know the value, you can backup the header with a simple dd command<br />
dd if=/dev/sdaX of=./backup.img bs=512 count=4040<br />
<br />
==== Using cryptsetup ====<br />
You can also use the luksHeaderBackup command instead:<br />
cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file ./backup.img<br />
<br />
=== Restore ===<br />
Be careful before restoring: make sure that you choose the right partition (again replace sdaX with the corresponding partition).<br />
Restoring the wrong header or restoring to an unencrypted partition will cause data loss.<br />
==== Manually ====<br />
Again, you will need the same values as when backing up:<br />
 dd if=./backup.img of=/dev/sdaX bs=512 count=4040<br />
==== Using cryptsetup ====<br />
Or you can use the luksHeaderRestore command:<br />
cryptsetup luksHeaderRestore /dev/sdaX --header-backup-file ./backup.img<br />
<br />
'''Note:''' All the keyslot areas are overwritten, only active keyslots from backup file are available after issuing this command.<br />
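<br />
Because restoring the wrong header causes data loss, a manual {{ic|dd}} backup can be checked before it is written back. The following script is an added example, not part of the original article or of cryptsetup; it applies only to backups taken with the manual {{ic|dd}} method above, and its function names and sample data are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check a manual dd header
# backup against saved `cryptsetup luksDump` output before restoring it.

# payload_offset DUMP: sector count from the "Payload offset:" line.
payload_offset() {
    sed -n 's/^Payload offset:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# has_luks_magic IMG: succeeds if IMG starts with "LUKS" 0xBA 0xBE.
has_luks_magic() {
    [ "$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# check_dd_backup DUMP IMG: status 0 only if IMG carries the LUKS magic and
# is exactly <payload offset> * 512 bytes long, i.e. what
# dd bs=512 count=<payload offset> produces.
check_dd_backup() (
    off=$(payload_offset "$1")
    [ -n "$off" ] || { echo "no payload offset found in $1"; exit 2; }
    want=$((off * 512))
    have=$(wc -c < "$2" | tr -d ' ')
    rc=0
    has_luks_magic "$2" || { echo "$2: LUKS magic missing"; rc=1; }
    [ "$have" -eq "$want" ] || { echo "$2: $have bytes, expected $want"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "ok: count=$off sectors ($want bytes)"; fi
    exit "$rc"
)

# make_sample DIR SECTORS: write constructed sample data (a fake luksDump
# excerpt and a zero-filled image with only the magic bytes set).
make_sample() {
    printf 'LUKS header information for /dev/sdaX\n\nPayload offset:\t%s\n' "$2" > "$1/dump.txt"
    dd if=/dev/zero of="$1/backup.img" bs=512 count="$2" 2>/dev/null
    printf 'LUKS\272\276' | dd of="$1/backup.img" conv=notrunc 2>/dev/null
}

# Demo on constructed data; on a real system, save the luksDump output at
# backup time and pass it together with ./backup.img.
tmp=$(mktemp -d)
make_sample "$tmp" 4040
check_dd_backup "$tmp/dump.txt" "$tmp/backup.img"
rm -rf "$tmp"
```

A truncated or foreign image makes {{ic|check_dd_backup}} return a non-zero status, so it can gate the {{ic|dd}} restore command in a script.<br />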
<br />
== Encrypting a loopback filesystem ==<br />
''[This paragraph has been merged from another page; its consistency with the other paragraphs should be improved]''<br />
<br />
=== Preparation and mapping ===<br />
First, start by creating an encrypted container!<br />
<br />
dd if=/dev/urandom of=/bigsecret bs=1M count=10<br />
<br />
This will create the file {{ic|bigsecret}} with a size of 10 megabytes.<br />
<br />
losetup /dev/loop0 /bigsecret<br />
<br />
This will create the device node {{ic|/dev/loop0}}, so that we can mount/use our container.<br />
<br />
{{Note|If it gives you the error {{ic|/dev/loop0: No such file or directory}}, you need to first load the kernel module with {{ic|modprobe loop}}.}}<br />
<br />
cryptsetup luksFormat /dev/loop0<br />
<br />
This will ask you for a password for your new container file.<br />
<br />
{{Note|If you get an error like {{ic|Command failed: Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 133 sectors|}}, then run {{ic|modprobe dm-mod}}.}}<br />
<br />
cryptsetup luksOpen /dev/loop0 secret<br />
<br />
The encrypted container is now available through the device file {{ic|/dev/mapper/secret}}.<br />
Now we are able to create a filesystem in the container:<br />
<br />
mkfs.ext2 /dev/mapper/secret<br />
<br />
and mount it...<br />
<br />
mkdir /mnt/secret<br />
mount -t ext2 /dev/mapper/secret /mnt/secret<br />
<br />
We can now use the container as if it was a normal partition!<br />
To unmount the container:<br />
<br />
umount /mnt/secret<br />
cryptsetup luksClose secret<br />
losetup -d /dev/loop0 # free the loopdevice.<br />
<br />
So, if you want to mount the container again, you just apply the following commands:<br />
<br />
losetup /dev/loop0 /bigsecret<br />
cryptsetup luksOpen /dev/loop0 secret<br />
mount -t ext2 /dev/mapper/secret /mnt/secret<br />
<br />
=== Encrypt using a key-file ===<br />
Let us first generate a 2048 byte random keyfile:<br />
<br />
dd if=/dev/urandom of=keyfile bs=1k count=2<br />
<br />
We can now format our container using this key:<br />
<br />
 cryptsetup luksFormat /dev/loop0 keyfile<br />
<br />
or our partition:<br />
<br />
cryptsetup luksFormat /dev/hda2 keyfile<br />
<br />
Once formatted, we can now open the LUKS device using the key:<br />
<br />
cryptsetup -d keyfile luksOpen /dev/loop0 container<br />
<br />
As before, you can now format the device {{ic|/dev/mapper/container}} with your favorite filesystem and then mount it just as easily.<br />
<br />
The keyfile is now the only key to your file. I personally advise encrypting your keyfile using your private GPG key and storing a secured copy of the file off-site.<br />
<br />
=== Resizing the loopback filesystem ===<br />
First we should unmount the encrypted container:<br />
umount /mnt/secret<br />
cryptsetup luksClose secret<br />
losetup -d /dev/loop0 # free the loopdevice.<br />
<br />
After this we need to create a second file with the size of the data we want to add:<br />
dd if=/dev/urandom of=zeros bs=1M count=1024<br />
<br />
You could use {{ic|/dev/zero}} instead of {{ic|/dev/urandom}} to significantly speed up the process, but with {{ic|/dev/zero}} your encrypted filesystem will ''not be as secure''.<br />
<br />
Next we need to add the created file to our container. Be careful to really use TWO {{ic|>}}, or you will overwrite your current container!<br />
cat zeros >> /bigsecret<br />
Now we have to map the container to the loopdevice:<br />
losetup /dev/loop0 /bigsecret<br />
cryptsetup luksOpen /dev/loop0 secret<br />
After this we will resize the encrypted part of the container to the maximum size of the container file:<br />
cryptsetup resize secret<br />
Finally, we can resize the filesystem. Here is an example for ext2/3/4:<br />
e2fsck -f /dev/mapper/secret # Just doing a filesystem check, because it's a bad idea to resize a broken fs<br />
resize2fs /dev/mapper/secret<br />
You can now mount your container again:<br />
mount /dev/mapper/secret /mnt/secret<br />
<br />
== Encrypting a LVM setup ==<br />
It's really easy to use encryption with [[LVM]]. If you do not know how to set up LVM, then read [[Installing_with_Software_RAID_or_LVM]].<br />
<br />
The easiest and best method is to set up LVM on top of the encrypted partition instead of the other way around. This link here is easy to follow and explains everything: [http://www.pindarsign.de/webblog/?p=767 Arch Linux: LVM on top of an encrypted partition]<br />
<br />
The most important thing in setting LVM on '''top''' of encryption is that you need to have the {{ic|encrypt}} hook '''before''' the {{ic|lvm2}} hook (and those two before the {{ic|filesystems}} hook, but that's repeating) ''because they are processed in order''.<br />
<br />
To use encryption on top of LVM, you have to first set up your LVM volumes and then use them as the base for the encrypted partitions. That means in short that you have to set up LVM first. Then follow this guide, but replace all occurrences of {{ic|/dev/sdXy}} in the guide with its LVM counterpart. (eg: {{ic|/dev/sda5}} -> {{ic|/dev/<volume group name>/home}}).<br />
<br />
Do not forget to add the {{ic|encrypt}} hook in {{ic|/etc/mkinitcpio.conf}} '''before''' the {{ic|lvm2}} hook, if you chose to set up encrypted partitions on '''top''' of LVM. Also remember to change {{ic|USELVM}} in {{ic|/etc/rc.conf}} to {{ic|"yes"}}.<br />
<br />
=== LVM with Arch Linux Installer (>2009.08) ===<br />
<br />
Since Arch Linux images 2009.08, LVM and dm_crypt are supported by the installer out of the box.<br />
This makes it very easy to configure your system for [[LVM]] on dm-crypt or vice versa.<br />
Actually the configuration is done exactly as without LVM, see the [[#Arch Linux Installer (>2009.08)|corresponding]] section above. It differs only in two aspects.<br />
<br />
==== The partition and filesystem choice ====<br />
Create a small, unencrypted boot partition and use the remaining space for a single partition which can later be split up into multiple logical volumes by [[LVM]].<br />
<br />
For a LVM-on-dm-crypt system set up the filesystems and mounting points for example like this:<br />
/dev/sda1 raw->ext2;yes;/boot;no_opts;no_label;no_params<br />
/dev/sda2 raw->dm_crypt;yes;no_mountpoint;no_opts;sda2crypt;-c_aes-xts-plain_-y_-s_512<br />
/dev/mapper/sda2crypt dm_crypt->lvm-vg;yes;no_mountpoint;no_opts;no_label;no_params<br />
/dev/mapper/sda2crypt+ lvm-pv->lvm-vg;yes;no_mountpoint;no_opts;cryptpool;no_params<br />
/dev/mapper/cryptpool lvm-vg(cryptpool)->lvm-lv;yes;no_mountpoint;no_opts;cryptroot;10000M|lvm-lv;yes;no_mountpoint;no_opts;crypthome;20000M<br />
/dev/mapper/cryptpool-cryptroot lvm-lv(cryptroot)->ext3;yes;/;no_opts;cryptroot;no_params<br />
/dev/mapper/cryptpool-crypthome lvm-lv(crypthome)->ext3;yes;/home;no_opts;cryptroot;no_params<br />
<br />
==== The configuration stage ====<br />
<br />
* In {{ic|/etc/rc.conf}} set {{ic|USELVM}} to {{ic|"yes"}}<br />
* In {{ic|/etc/mkinitcpio.conf}} add the {{ic|encrypt}} hook '''before''' the {{ic|lvm2}} hook in the {{ic|HOOKS}} array, if you set up LVM on top of the encrypted partition.<br />
<br />
That is it for the LVM & dm_crypt specific part. The rest is done as usual.<br />
<br />
=== Applying this to a non-root partition ===<br />
You might get tempted to apply all this fancy stuff to a non-root partition. Arch does not support this out of the box, however, you can easily change the cryptdev and cryptname values in {{ic|/lib/initcpio/hooks/encrypt}} (the first one to your {{ic|/dev/sd*}} partition, the second to the name you want to attribute). That should be enough.<br />
<br />
The big advantage is you can have everything automated, while setting up {{ic|/etc/crypttab}} with an external key file (i.e. the keyfile is not on any internal hard drive partition) can be a pain - you need to make sure the USB/FireWire/... device gets mounted before the encrypted partition, which means you have to change the order of {{ic|/etc/fstab}} (at least).<br />
<br />
Of course, if the {{Pkg|cryptsetup}} package gets upgraded, you will have to change this script again. However, this solution is to be preferred over hacking {{ic|/etc/rc.sysinit}} or similar files. Unlike {{ic|/etc/crypttab}}, only one partition is supported, but with some further hacking one should be able to have multiple partitions unlocked.<br />
<br />
If you want to do this on a software RAID partition, there is one more thing you need to do. Just setting the {{ic|/dev/mdX}} device in {{ic|/lib/initcpio/hooks/encrypt}} is not enough; the {{ic|encrypt}} hook will fail to find the key for some reason, and not prompt for a passphrase either. It looks like the RAID devices are not brought up until after the {{ic|encrypt}} hook is run. You can solve this by putting the RAID array in {{ic|/boot/grub/menu.lst}}, like <br />
kernel /boot/vmlinuz26 md=1,/dev/hda5,/dev/hdb5<br />
<br />
If you set up your root partition as a RAID array, you will notice the similarities with that setup ;-). [[GRUB]] can handle multiple array definitions just fine:<br />
kernel /boot/vmlinuz26 root=/dev/md0 ro md=0,/dev/sda1,/dev/sdb1 md=1,/dev/sda5,/dev/sdb5,/dev/sdc5<br />
<br />
=== LVM and dm-crypt manually (short version) ===<br />
<br />
==== Notes ====<br />
If you are smart enough for this, you will be smart enough to ignore/replace LVM-specific things, if you do not want to use LVM.<br />
<br />
{{Note|This brief uses reiserfs for some of the partitions, so change this accordingly if you want to use a more "normal" file system, like ext4.}}<br />
<br />
==== Partitioning scheme ====<br />
{{ic|/dev/sda1}} -> {{ic|/boot}}<br />
{{ic|/dev/sda2}} -> LVM<br />
<br />
==== The commands ====<br />
cryptsetup -d /dev/random -c aes-xts-plain -s 512 create lvm /dev/sda2<br />
dd if=/dev/urandom of=/dev/mapper/lvm<br />
cryptsetup remove lvm<br />
lvm pvcreate /dev/sda2<br />
lvm vgcreate lvm /dev/sda2<br />
lvm lvcreate -L 10G -n root lvm<br />
lvm lvcreate -L 500M -n swap lvm<br />
lvm lvcreate -L 500M -n tmp lvm<br />
lvm lvcreate -l 100%FREE -n home lvm<br />
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/root<br />
cryptsetup luksOpen /dev/lvm/root root<br />
mkreiserfs /dev/mapper/root<br />
mount /dev/mapper/root /mnt<br />
dd if=/dev/zero of=/dev/sda1 bs=1M<br />
mkreiserfs /dev/sda1<br />
mkdir /mnt/boot<br />
mount /dev/sda1 /mnt/boot<br />
mkdir -p -m 700 /mnt/etc/luks-keys<br />
dd if=/dev/random of=/mnt/etc/luks-keys/home bs=1 count=256<br />
<br />
==== Install Arch Linux ====<br />
Run {{ic|/arch/setup}}<br />
<br />
==== Configuration ====<br />
<br />
===== /etc/rc.conf =====<br />
Change {{ic|USELVM<nowiki>=</nowiki>"no"}} to {{ic|USELVM<nowiki>=</nowiki>"yes"}}.<br />
<br />
===== /etc/mkinitcpio.conf =====<br />
Put {{ic|lvm2}} and {{ic|encrypt}} (in that order) before {{ic|filesystems}} in the {{ic|HOOKS}} array. Again, note that you are setting encryption on '''top''' of LVM.<br />
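<br />
The hook ordering rules given here, in the introduction to this LVM section, and in the ''Configure System'' and encrypted swap sections above can be checked mechanically. The following script is an added example, not part of the original article or of mkinitcpio; the layout names {{ic|plain}}, {{ic|lvm-on-luks}} and {{ic|luks-on-lvm}}, the function names and the sample configuration are made up for this example.<br />

```shell
#!/bin/sh
# Added example, not part of the wiki page: check the HOOKS order in
# mkinitcpio.conf against the ordering rules given in this article.

# extract_hooks FILE: hook list of the last uncommented HOOKS= line,
# accepting both HOOKS="..." and HOOKS=(...).
extract_hooks() {
    sed -n 's/^[[:space:]]*HOOKS=["(]\(.*\)[")][[:space:]]*$/\1/p' "$1" | tail -n 1
}

# hook_pos HOOKS NAME: 1-based position of NAME in the list, 0 if absent.
hook_pos() (
    i=0
    for h in $1; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; exit 0; fi
    done
    echo 0
)

# check_hooks HOOKS [LAYOUT]: print one line per violated rule and return
# non-zero if any rule is violated. LAYOUT is plain (default),
# lvm-on-luks (LVM on top of encryption) or luks-on-lvm (encryption on LVM).
check_hooks() (
    hooks=$1; layout=${2:-plain}; bad=0
    before() {   # before A B: if both are present, A must precede B
        a=$(hook_pos "$hooks" "$1"); b=$(hook_pos "$hooks" "$2")
        if [ "$a" -gt 0 ] && [ "$b" -gt 0 ] && [ "$a" -gt "$b" ]; then
            echo "order: $1 must come before $2"; bad=$((bad + 1))
        fi
    }
    present() {  # present A: A must be in the list
        if [ "$(hook_pos "$hooks" "$1")" -eq 0 ]; then
            echo "missing: $1"; bad=$((bad + 1))
        fi
    }
    present filesystems
    before encrypt filesystems   # encrypt comes before filesystems
    before usb encrypt           # key on a USB device
    before keymap encrypt        # foreign keymap for the passphrase
    before encrypt openswap      # encrypted swap used for resume
    before openswap resume
    before resume filesystems
    case $layout in
        plain) ;;
        lvm-on-luks) present encrypt; present lvm2
                     before encrypt lvm2; before lvm2 filesystems ;;
        luks-on-lvm) present encrypt; present lvm2
                     before lvm2 encrypt; before lvm2 filesystems ;;
        *) echo "unknown layout: $layout"; bad=$((bad + 1)) ;;
    esac
    [ "$bad" -eq 0 ]
)

# Demo on a constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# HOOKS="base udev filesystems"
HOOKS="base udev autodetect pata scsi sata usb keymap encrypt lvm2 filesystems"
EOF
check_hooks "$(extract_hooks "$sample")" lvm-on-luks && echo "HOOKS order OK"
rm -f "$sample"
```

On an installed system the call would be {{ic|check_hooks "$(extract_hooks /etc/mkinitcpio.conf)" luks-on-lvm}} for the setup described in this section, run before regenerating the boot image.<br />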
<br />
===== /boot/grub/menu.lst =====<br />
Change {{ic|root<nowiki>=</nowiki>/dev/hda3}} to {{ic|root<nowiki>=</nowiki>/dev/lvm/root}}.<br />
<br />
For kernel >= 2.6.30, you should change {{ic|root<nowiki>=</nowiki>/dev/hda3}} to the following:<br />
cryptdevice=/dev/lvm/root:root root=/dev/mapper/root<br />
<br />
===== /etc/fstab =====<br />
/dev/mapper/root / reiserfs defaults 0 1<br />
/dev/sda1 /boot reiserfs defaults 0 2<br />
/dev/mapper/tmp /tmp tmpfs defaults 0 0<br />
/dev/mapper/swap none swap sw 0 0<br />
<br />
===== /etc/crypttab =====<br />
swap /dev/lvm/swap SWAP -c aes-xts-plain -h whirlpool -s 512<br />
tmp /dev/lvm/tmp /dev/urandom -c aes-xts-plain -s 512<br />
<br />
==== After rebooting ====<br />
<br />
===== The commands =====<br />
cryptsetup luksFormat -c aes-xts-plain -s 512 /dev/lvm/home /etc/luks-keys/home<br />
cryptsetup luksOpen -d /etc/luks-keys/home /dev/lvm/home home<br />
mkreiserfs /dev/mapper/home<br />
mount /dev/mapper/home /home<br />
<br />
===== /etc/crypttab =====<br />
home /dev/lvm/home /etc/luks-keys/home<br />
<br />
===== /etc/fstab =====<br />
/dev/mapper/home /home reiserfs defaults 0 0<br />
<br />
=== / on LVM on LUKS ===<br />
Make sure your kernel command line looks like this:<br />
root=/dev/mapper/<volume-group>-<logical-volume> cryptdevice=/dev/<luks-part>:<volume-group><br />
For example:<br />
root=/dev/mapper/vg-arch cryptdevice=/dev/sda4:vg<br />
<br />
Or like this:<br />
cryptdevice=/dev/<volume-group>/<logical-volume>:root root=/dev/mapper/root<br />
<br />
== Resources ==<br />
* [http://yannickloth.be/blog/2010/08/01/installing-archlinux-with-software-raid1-encrypted-filesystem-and-lvm2/ Setup Archlinux on top of raid, LVM2 and encrypted partitions]<br />
* [http://www.freeotfe.org/ FreeOTFE] - Supports unlocking LUKS encrypted volumes in Microsoft Windows.</div>Jjackyhttps://wiki.archlinux.org/index.php?title=Netbeans&diff=169344Netbeans2011-11-09T17:59:21Z<p>Jjacky: /* Netbeans doesn't start after its first start */</p>
<hr />
<div>[[Category:Development (English)]]<br />
Netbeans IDE is an integrated development environment (IDE) for developing with Java, JavaScript, PHP, Python, Ruby, Groovy, C, C++, Scala, Clojure, and other languages.<br />
<br />
The NetBeans IDE is written in Java and runs everywhere where a JVM is installed, including Windows, Mac OS, Linux, and Solaris. A JDK is required for Java development functionality, but is not required for development in other programming languages.<br />
<br />
(based on wikipedia)<br />
<br />
== Font antialiasing in Netbeans ==<br />
<br />
Based on: http://ibnaziz.wordpress.com/2009/06/10/netbeans-anti-aliasing/<br />
<br />
Problem :<br />
<br />
For some time now, newer versions of Netbeans no longer display the “Advanced Options” that allow for anti-aliased fonts. And frankly speaking, the fonts look terrible.<br />
<br />
Solution :<br />
<br />
Edit the file ''/usr/share/netbeans/etc/netbeans.conf'' and add the switches ‘-J-Dswing.aatext=true -J-Dawt.useSystemAAFontSettings=on’ to ‘netbeans_default_options’.<br />
<br />
== GTK look and feel ==<br />
<br />
To change the Netbeans look and feel to GTK, edit the file ''/usr/share/netbeans/etc/netbeans.conf'' and add the switches ‘--laf com.sun.java.swing.plaf.gtk.GTKLookAndFeel’ to ‘netbeans_default_options’.<br />
<br />
== Troubleshooting ==<br />
<br />
=== OpenJDK vs Sun's JDK ===<br />
Netbeans 7.0-1 will not ALWAYS work with OpenJDK. Some reported issues are:<br />
* Starting - In some cases, netbeans will not start.<br />
* Installation - The .sh script provided by netbeans will not launch wizard.<br />
<br />
=== Glassfish server - Can't download Glassfish server I/O Exception ===<br />
If you try to add a new Glassfish server, the download of the server fails. Netbeans returns<br />
I/O Exception: http://java.net/download/glassgish/3.0.1/release/glassfish-3.0.1-ml.zip<br />
<br />
The solution is:<br />
* Download GlassFish Server Open Source Edition manually from the official site; the current link is http://download.java.net/glassfish/3.0.1/release/glassfish-3.0.1-ml.zip<br />
* Extract the zip to any location<br />
<br />
=== Netbeans doesn't start after its first start ===<br />
<br />
If you receive a message like this when executing from terminal:<br />
<pre style='overflow:auto'><br />
# netbeans -h<br />
Exception in thread "main" java.lang.UnsatisfiedLinkError: /usr/lib/jvm/java-6-openjdk/jre/lib/i386/libsplashscreen.so: libgif.so.4: cannot open shared object file: No such file or directory</pre><br />
<br />
You have two options:<br />
* You can start Netbeans using the --nosplash option:<br />
# netbeans --nosplash<br />
* Or, install the missing library (then starting Netbeans as usual will work) :<br />
# sudo pacman -S libungif<br />
<br />
[https://bbs.archlinux.org/viewtopic.php?id=118930 Arch forum thread]</div>Jjacky