https://wiki.archlinux.org/api.php?action=feedcontributions&user=Smasher816&feedformat=atomArchWiki - User contributions [en]2024-03-28T17:36:57ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Firefox&diff=693407Firefox2021-08-29T17:44:59Z<p>Smasher816: Add note about UI translations in nightly</p>
<hr />
<div>[[Category:Web browser]]<br />
[[Category:Mozilla]]<br />
[[ar:Firefox]]<br />
[[de:Firefox]]<br />
[[es:Firefox]]<br />
[[fr:Firefox]]<br />
[[ja:Firefox]]<br />
[[ko:Firefox]]<br />
[[ru:Firefox]]<br />
[[zh-hans:Firefox]]<br />
[[zh-hant:Firefox]]<br />
{{Related articles start}}<br />
{{Related|Firefox/Tweaks}}<br />
{{Related|Firefox/Profile on RAM}}<br />
{{Related|Firefox/Privacy}}<br />
{{Related|Browser extensions}}<br />
{{Related|Chromium}}<br />
{{Related|Opera}}<br />
{{Related articles end}}<br />
[https://www.mozilla.org/firefox Firefox] is a popular open source graphical web browser from [https://www.mozilla.org Mozilla].<br />
<br />
== Installing ==<br />
<br />
Firefox can be [[install]]ed with the {{Pkg|firefox}} package.<br />
<br />
Other alternatives include:<br />
<br />
* {{App|Firefox Developer Edition|for developers|https://www.mozilla.org/firefox/developer/|{{Pkg|firefox-developer-edition}}}}<br />
* {{App|Firefox Extended Support Release|long-term supported version|https://www.mozilla.org/firefox/organizations/|{{AUR|firefox-esr}} or {{AUR|firefox-esr-bin}}}}<br />
* {{App|Firefox Beta|cutting-edge version|https://www.mozilla.org/firefox/channel/desktop/#beta|{{AUR|firefox-beta}} or {{AUR|firefox-beta-bin}}}}<br />
* {{App|Firefox Nightly|nightly builds for testing ([https://developer.mozilla.org/Firefox/Experimental_features experimental features])|https://www.mozilla.org/firefox/channel/desktop/#nightly|{{AUR|firefox-nightly}}}} <br />
* {{App|Firefox KDE|Version of Firefox that incorporates an OpenSUSE patch for better [[#KDE integration|KDE integration]] than is possible through simple Firefox plugins.|https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox|{{AUR|firefox-kde-opensuse}}}}<br />
* On top of the different Mozilla build channels, a number of forks exist with more or less special features; see [[List of applications#Gecko-based]].<br />
<br />
A number of language packs are available for Firefox, other than the standard English. Language packs are usually named as {{ic|firefox-i18n-''languagecode''}} (where {{ic|''languagecode''}} can be any language code, such as '''de''', '''ja''', '''fr''', etc.). For a list of available language packs see [https://archlinux.org/packages/extra/any/firefox-i18n/ firefox-i18n] for {{Pkg|firefox}},[https://archlinux.org/packages/community/any/firefox-developer-edition-i18n/ firefox-developer-edition-i18n] for {{Pkg|firefox-developer-edition}} and [https://aur.archlinux.org/packages/?K=firefox-nightly- firefox-nightly-] for {{AUR|firefox-nightly}}.<br />
<br />
{{Note|1=<nowiki/>language packs are disabled on nightly and developer-edition due to frequent string changes that may cause crashes. To force a change to the UI language, you may set intl.locale.requested in about:config [https://www.reddit.com/r/firefox/comments/lx3dp9/how_to_change_interface_language/gpovlsp/?context=8&depth=9].}}<br />
<br />
== Add-ons ==<br />
<br />
Firefox is well known for its large library of add-ons which can be used to add new features or modify the behavior of existing features. Firefox's "Add-ons Manager" is used to manage installed add-ons or find new ones. <br />
<br />
For instructions on how to install add-ons and a list of add-ons, see [[Browser extensions]].<br />
<br />
=== Adding search engines ===<br />
<br />
Search engines may be added to Firefox by creating bookmarks with the {{ic|Location}} field using search URLs completed with %s in place of the query and the {{ic|Keyword}} field completed with user-defined characters:<br />
<br />
Location:<br />
https://duckduckgo.com/html/?q=%s<br />
Keyword:<br />
d<br />
<br />
Searches are performed by pre-pending the search term with the keyword of the specified search engine: {{ic|d archwiki}} will query DuckDuckGo using the search term {{ic|archwiki}}<br />
<br />
Search engines may also be added to Firefox through add-on extensions, see [https://addons.mozilla.org/firefox/search-tools/ this page] for a list of available search tools and engines.<br />
<br />
A very extensive list of search engines can be found at the [https://mycroftproject.com/ Mycroft Project].<br />
<br />
Also, you can use the [https://firefox.maltekraus.de/extensions/add-to-search-bar add-to-searchbar] extension to add a search to your search bar from any web site, by simply right clicking on the site's search field and selecting ''Add to Search Bar...''<br />
<br />
==== firefox-extension-arch-search ====<br />
<br />
[[Install]] the {{AUR|firefox-extension-arch-search}} package to add Arch-specific searches (AUR, wiki, forum, packages, etc) to the Firefox search toolbar.<br />
<br />
== Plugins ==<br />
<br />
Support for all plugins, including Flash Player, was removed in Firefox 85.[https://support.mozilla.org/kb/npapi-plugins][https://support.mozilla.org/kb/end-support-adobe-flash]<br />
<br />
== Configuration ==<br />
<br />
Firefox exposes a number of configuration options. To examine them, enter in the Firefox address bar:<br />
<br />
about:config<br />
<br />
Once set, these affect the user's current profile, and may be synchronized across all devices via [https://www.mozilla.org/firefox/sync/ Firefox Sync]. Please note that only a subset of the {{ic|about:config}} entries are synchronized by this method, and the exact subset may be found by searching for {{ic|services.sync.prefs}} in {{ic|about:config}}. Additional preferences and third party preferences may be synchronized by creating new boolean entries prepending the config value with [https://support.mozilla.org/en-US/kb/sync-custom-preferences services.sync.prefs.sync]. To synchronize the whitelist for the extension [https://addons.mozilla.org/firefox/addon/noscript/ NoScript]:<br />
<br />
services.sync.prefs.sync.capability.policy.maonoscript.sites<br />
<br />
The boolean {{ic|noscript.sync.enabled}} must be set to {{ic|true}} to synchronize the remainder of NoScript's preferences via Firefox Sync.<br />
<br />
=== Settings storage ===<br />
<br />
Firefox stores the configuration for a profile via a {{ic|prefs.js}} in the profile folder, usually {{ic|~/.mozilla/firefox/xxxxxxxx.default/}}. <br />
<br />
Firefox also allows configuration for a profile via a {{ic|user.js}} file: [http://kb.mozillazine.org/User.js_file user.js] kept also in the profile folder. A {{ic|user.js}} configuration supersedes a {{ic|prefs.js}}. For a useful starting point, see e.g [https://github.com/pyllyukko/user.js custom user.js] which is targeted at privacy/security conscious users.<br />
<br />
One drawback of the above approach is that it is not applied system-wide. Furthermore, this is not useful as a "pre-configuration", since the profile directory is created after first launch of the browser. You can, however, let ''firefox'' create a new profile and, after closing it again, [https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles#w_restoring-a-profile-backup copy the contents] of an already created profile folder into it. <br />
<br />
Sometimes it may be desired to lock certain settings, a feature useful in widespread deployments of customized Firefox. In order to create a system-wide configuration, follow the steps outlined in [http://kb.mozillazine.org/Locking_preferences Locking preferences]:<br />
<br />
1. Create {{ic|/usr/lib/firefox/defaults/pref/local-settings.js}}:<br />
<br />
pref("general.config.obscure_value", 0);<br />
pref("general.config.filename", "mozilla.cfg");<br />
<br />
2. Create {{ic|/usr/lib/firefox/mozilla.cfg}} (this stores the actual configuration):<br />
<br />
//<br />
//...your settings...<br />
// e.g to disable Pocket, uncomment the following lines<br />
// lockPref("extensions.pocket.enabled", false);<br />
// lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);<br />
<br />
Please note that the first line must contain exactly {{ic|//}}. The syntax of the file is similar to that of {{ic|user.js}}.<br />
<br />
=== Multimedia playback ===<br />
<br />
Firefox uses [[FFmpeg]] for playing multimedia inside HTML5 {{ic|<audio>}} and {{ic|<video>}} elements. Go to [http://demo.nimius.net/video_test/ video-test page] or [https://hpr.dogphilosophy.net/test/ audio-test page] to check which formats are actually supported.<br />
<br />
Firefox uses [[PulseAudio]] for audio playback and capture. If PulseAudio is not installed, Firefox uses [[alsa]] instead.<br />
<br />
==== HTML5 DRM/Widevine ====<br />
<br />
Widevine is a digital rights management tool that Netflix, Amazon Prime Video, and others use to protect their video content. It can be enabled in ''Preferences > General > Digital Rights Management (DRM) Content''. If you visit a Widevine-enabled page when this setting is disabled, Firefox will display a prompt below the address bar asking for permission to install DRM. Approve this and then wait for the "Downloading" bar to disappear, you are now able to watch videos from Widevine protected sites. <br />
<br />
Firefox can only play 720p video (or lower) with Widevine, due to not using [https://bugzilla.mozilla.org/show_bug.cgi?id=1700815 hardware DRM playback]. It is also required that the private mode browsing is disabled, for the window and in the preferences.<br />
<br />
==== Open With extension ====<br />
<br />
# Install [https://addons.mozilla.org/firefox/addon/open-with/ Open With] add-on.<br />
# Go to ''Add-ons > Open With > Preferences''.<br />
# Proceed with instructions to install a file in your system and test the installation. <br />
# Click ''Add browser''.<br />
# In the dialog write a name for this menu entry and command to start a video streaming capable player (e.g. [[mpv|/usr/bin/mpv]]).<br />
# (Optional step) Add needed arguments to the player (e.g. you may want {{ic|--force-window --ytdl}} for ''mpv'')<br />
# Right click on links or visit pages containing videos. Select newly created entry from Open With's menu and if the site is supported, the player will open as expected.<br />
<br />
The same procedure can be used to associate video downloaders such as ''youtube-dl''.<br />
<br />
==== Hardware video acceleration ====<br />
<br />
[[Hardware video acceleration]] via VA-API is available under [[Wayland]] [https://mastransky.wordpress.com/2020/06/03/firefox-on-fedora-finally-gets-va-api-on-wayland/] and X.org [https://bugzilla.mozilla.org/show_bug.cgi?id=1619523] [https://www.phoronix.com/scan.php?page=news_item&px=Firefox-80-VA-API-X11].<br />
<br />
To enable VA-API in Firefox:<br />
<br />
# Ensure that your video card is correctly configured for VA-API:<br />
#* See [[Hardware video acceleration]] for steps to verify and install VA-API drivers if required.<br />
# Use a compositor that supports hardware acceleration, either:<br />
#* WebRender from the new Servo browser engine, which can be enabled as explained in [[/Tweaks#Enable WebRender compositor]]. It is enabled by default in GNOME and other desktop environments [https://mastransky.wordpress.com/2021/01/10/firefox-were-finally-getting-hw-acceleration-on-linux/]. Ensure you are not running Software WebRender as that won't work as of August 2021 [https://bugzilla.mozilla.org/show_bug.cgi?id=1723540#c1].<br />
#* Gecko's legacy OpenGL back-end, which can be enabled as explained in [[/Tweaks#Enable Legacy OpenGL compositor]].<br />
# Set the following flags in {{ic|about:config}}:<br />
#* {{ic|media.ffmpeg.vaapi.enabled}} to {{ic|true}} in order to enable the use of VA-API with FFmpeg.<br />
#* {{ic|media.ffvpx.enabled}} to {{ic|false}} to disable the internal decoders for VP8/VP9. This is necessary despite [https://bugzilla.mozilla.org/show_bug.cgi?id=1660336 this bug] being fixed [https://bugzilla.mozilla.org/show_bug.cgi?id=1720363#c6][https://bugzilla.mozilla.org/show_bug.cgi?id=1683808].<br />
#* {{ic|media.rdd-vpx.enabled}} to {{ic|false}} to disable the remote data decoder process for VP8/VP9. As of Firefox 85 its sandbox blocks VA-API access [https://bugzilla.mozilla.org/show_bug.cgi?id=1673184].<br />
#* {{ic|media.navigator.mediadatadecoder_vpx_enabled}} to {{ic|true}} to enable hardware VA-API decoding for WebRTC [https://bugzilla.mozilla.org/show_bug.cgi?id=1709009].<br />
#* If you experience page crashes, try setting {{ic|security.sandbox.content.level}} to {{ic|0}} when {{ic|media.rdd-vpx.enabled}} is set to {{ic|false}} [https://bugzilla.mozilla.org/show_bug.cgi?id=1720363#c9].<br />
# Run Firefox with the following [[environment variable]] enabled:<br />
#* {{ic|1=MOZ_DISABLE_RDD_SANDBOX=1}} to disable RDD sandbox, see [https://mastransky.wordpress.com/2020/03/16/wayland-x11-how-to-run-firefox-in-mixed-environment/].<br />
#* In Wayland, with {{ic|1=MOZ_ENABLE_WAYLAND=1}}, see [[#Wayland]].<br />
#* In X.org, with {{ic|1=MOZ_X11_EGL=1}} or set {{ic|gfx.x11-egl.force-enabled}} to {{ic|true}} and {{ic|gfx.x11-egl.force-disabled}} to {{ic|false}} in {{ic|about:config}}.<br />
<br />
{{Tip|<br />
* As well as following [[Hardware video acceleration#Verification]], one can confirm VA-API usage by checking Firefox VA-API logs. Run Firefox with the {{ic|1=MOZ_LOG="PlatformDecoderModule:5"}} environment variable and check in the log output that VA-API is enabled and used (search for the "VA-API" string) when playing a video for example. Pay attention to these logs as they might indicate that only one of the two possible compositors described before (WebRender or OpenGL) works with VA-API on your particular setup.<br />
* To allow hardware decoding in YouTube, the video codec used must be supported by the hardware. The profiles supported by your GPU can be checked with [[Hardware video acceleration#Verifying VA-API]] and the YouTube codecs used can ''sometimes'' (if offered by YouTube!) be controlled with the [https://addons.mozilla.org/firefox/addon/h264ify/ h264ify] or [https://addons.mozilla.org/firefox/addon/enhanced-h264ify/ enhanced-h264ify] extensions. Alternatively, you can install {{AUR|firefox-h264ify}}.<br />
}}<br />
<br />
{{Note|1=<nowiki/><br />
* NVIDIA's proprietary driver potentially has support for DMA-BUF in the 470 drivers [https://bugs.kde.org/show_bug.cgi?id=428089#c2][https://www.phoronix.com/scan.php?page=news_item&px=NVIDIA-DMA-BUF-Wayland-KDE]. DMA-BUF is necessary for hardware video acceleration in Firefox [https://bugzilla.mozilla.org/show_bug.cgi?id=1669189#c4]. If DMA-BUF support is present {{Pkg|libva-vdpau-driver}} will be necessary as Firefox does not natively support [[VDPAU]].<br />
* Currently Firefox's VA-API implemention can decode H.264/AVC, VP8 & VP9 encoded video. AV1 support may be added in the future [https://bugzilla.mozilla.org/show_bug.cgi?id=1652958].<br />
* Multi-GPU systems should automatically choose a suitable GPU for VA-API according to this [https://bugzilla.mozilla.org/show_bug.cgi?id=1588904#c36 solved issue].<br />
* Some videos (e.g. YouTube VR) may show a black image after setting {{ic|media.ffvpx.enabled}} to {{ic|false}} [https://bugzilla.mozilla.org/show_bug.cgi?id=1667537].<br />
* There are some lingering sandboxing issues which prevent this feature being enabled by default.<br />
** Older Firefox versions sometimes needed setting the {{ic|security.sandbox.content.level}} flag to {{ic|0}} (disabling sandbox protection), to use VA-API with the intel iHD driver {{Pkg|intel-media-driver}} due to [https://bugzilla.mozilla.org/show_bug.cgi?id=1619585]. Fortunately, this specific issue does not seem to exist now [https://bugzilla.mozilla.org/show_bug.cgi?id=1619585#c42].<br />
*** As of Firefox 88 both the Intel iHD {{Pkg|intel-media-driver}} and the i965 {{Pkg|libva-intel-driver}} drivers both work well with VA-API in Firefox, meaning one does not need to pick the correct driver anymore.<br />
** However, there are still RDD sandboxing bugs. Specifically, VP8/VP9 decoding is affected by this Intel and AMD [https://bugzilla.mozilla.org/show_bug.cgi?id=1683808 sandboxing bug]. As mentioned in the above instructions, setting {{ic|media.rdd-vpx.enabled}} to {{ic|false}} bypasses the sandboxed RDD process, solving the issue.<br />
** In the future VA-API should be properly sandboxed, since disabling sandboxes is generally not ideal, and this feature will not be shipped by default without sandboxing [https://bugzilla.mozilla.org/show_bug.cgi?id=1619585#c23].<br />
* [[AMDGPU]] users under {{Pkg|linux-hardened}} may need to rebuild ''linux-hardened'' with {{ic|1=CONFIG_CHECKPOINT_RESTORE=y}} due to {{Pkg|mesa}} [https://gitweb.gentoo.org/repo/gentoo.git/tree/media-libs/mesa/mesa-9999.ebuild requiring the kcmp syscall]. This may no longer be necessary due to this [https://bugzilla.mozilla.org/show_bug.cgi?id=1624743 bug being solved].<br />
}}<br />
<br />
=== Spell checking ===<br />
<br />
Firefox can use system-wide installed [[Hunspell]] dictionaries as well as dictionaries installed through its own extension system.<br />
<br />
To enable spell checking for a specific language right click on any text field and check the ''Check Spelling'' box. To select a language for spell checking to you have right click again and select your language from the ''Languages'' sub-menu.<br />
<br />
When your default language choice does not stick, see [[#Firefox does not remember default spell check language]].<br />
<br />
==== System-wide Hunspell dictionaries ====<br />
<br />
Install [[Hunspell]] and its dictionaries for the languages you require.<br />
<br />
==== Dictionaries as extensions ====<br />
<br />
To get more languages right click on any text field and just click ''Add Dictionaries...'' and select the dictionary you want to install from the [https://addons.mozilla.org/firefox/language-tools/ Dictionaries and Language Packs list].<br />
<br />
{{Tip|For Russian, the extension is packaged as {{Pkg|firefox-spell-ru}}.}}<br />
<br />
=== KDE integration ===<br />
<br />
* To bring the [[KDE]] look to GTK apps (including Firefox), install {{Pkg|breeze-gtk}} and {{Pkg|kde-gtk-config}}. Afterwards, go to System Settings and in ''Appearance > Application Style > Configure GNOME/GTK Application Style…'' choose 'Breeze'.<br />
* To use the KDE file selection and print dialogs in Firefox 64 or newer, install {{Pkg|xdg-desktop-portal}} and {{Pkg|xdg-desktop-portal-kde}}, then do one of the following:<br />
** Set {{ic|widget.use-xdg-desktop-portal}} to {{ic|true}} in {{ic|about:config}}.<br />
** Launch firefox with {{ic|1=GTK_USE_PORTAL=1}} [[environment variable]].<br />
* For integration with [[KDE]] MIME type system, proxy and file dialog, one can use {{AUR|firefox-kde-opensuse}} variant from AUR with OpenSUSE’s patches applied. Alternatively, integration with MIME types can be achieved by creating a symbolic link to the MIME database {{ic|~/.config/mimeapps.list}} from the deprecated {{ic|~/.local/share/applications/mimeapps.list}} that is used by Firefox. See [[XDG MIME Applications#mimeapps.list]].<br />
* Extensions/add-ons may provide additional integration, such as:<br />
** Browser integration in [[Plasma]]: requires {{Pkg|plasma-browser-integration}} and the [https://addons.mozilla.org/firefox/addon/plasma-integration/ Plasma Integration add-on].<br />
<br />
== Tips and tricks ==<br />
<br />
For general enhancements see [[Firefox/Tweaks]], for privacy related enhancements see [[Firefox/Privacy]].<br />
<br />
=== Dark themes ===<br />
<br />
If a dark [[GTK]] theme is in use (e.g. Arc Dark), it is recommended to start Firefox with a brighter one (e.g. Adwaita). See [[GTK#Themes]] and [[Firefox/Tweaks#Unreadable input fields with dark GTK themes]] for more information.<br />
<br />
Alternatively, starting with Firefox 68 you can make all the Firefox interfaces and even other websites respect dark themes, irrespective of the system GTK theme and Firefox theme. To do this, set {{ic|browser.in-content.dark-mode}} to {{ic|true}} and {{ic|ui.systemUsesDarkTheme}} to {{ic|1}} in {{ic|about:config}} [https://bugzilla.mozilla.org/show_bug.cgi?id=1488384#c23].<br />
<br />
=== Frame rate ===<br />
<br />
If Firefox is unable to automatically detect the right value, it will default to 60 fps. To manually correct this, set {{ic|layout.frame_rate}} to the refresh rate of your monitor (e.g. 144 for 144 Hz).<br />
<br />
=== Memory limit ===<br />
<br />
To prevent pages from abusing memory (and possible [[Wikipedia:Out_of_memory|OOM]]), we can use [[Firejail]] with the {{ic|rlimit-as}} option.<br />
<br />
=== New tabs position ===<br />
<br />
To control where new tabs appears (relative or absolute), use {{ic|browser.tabs.insertAfterCurrent}} and {{ic|browser.tabs.insertRelatedAfterCurrent}}. See [https://support.mozilla.org/en/questions/1229062] for more information.<br />
<br />
=== Screenshot of webpage ===<br />
<br />
You can ''Take a Screenshot'' by either clicking the ''Page actions'' button (the three horizontal dots) in the address bar or by right-clicking on the webpage. See [https://support.mozilla.org/en-US/kb/firefox-screenshots] for more information.<br />
<br />
As an alternative you can use the screenshot button in the [https://developer.mozilla.org/en-US/docs/Tools/Taking_screenshots Developer Tools].<br />
<br />
=== Wayland ===<br />
<br />
More recent versions of Firefox support opting into [[Wayland]] mode via an environment variable.<br />
<br />
$ MOZ_ENABLE_WAYLAND=1 firefox<br />
<br />
To make this permanent, see [[Environment variables#Graphical environment]] and start Firefox via the desktop launcher like you normally would. To verify it worked check the ''Window Protocol'' again.<br />
<br />
You may enter {{ic|about:support}} in the URL bar to check the ''Window Protocol''. It should say ''wayland'' instead of ''x11'' or ''xwayland''.<br />
<br />
On native Wayland Firefox rendering performance can be significantly improved by setting {{ic|gfx.webrender.compositor.force-enabled}} to true in {{ic|about:config}}. As of Firefox 89, this feature is experimental and Firefox Nightly is recommended for testing.<br />
<br />
All rendering is allowed to occur in native compositor surfaces, resulting in more efficient rendering, improving performance and battery life [https://bugzilla.mozilla.org/show_bug.cgi?id=1617498]. Ensure [[/Tweaks#Enable WebRender compositor]] is also enabled and working. GNOME 40.1/3.38.5 or KDE 5.22 or later are considered testable compositors [https://bugzilla.mozilla.org/show_bug.cgi?id=1617498#c13].<br />
<br />
=== Window manager rules ===<br />
<br />
To apply different configurations to Firefox windows, change the WM_CLASS string by using Firefox's {{ic|--class}} option, to a custom one.<br />
<br />
==== Profiles ====<br />
<br />
To start new Firefox instances, multiple profiles are required. To create a new profile:<br />
<br />
$ firefox [--new-instance] -P<br />
<br />
Class can be specified when launching Firefox with a not-in-use profile:<br />
<br />
$ firefox [--new-instance] -P ''profile_name'' --class=''class_name''<br />
<br />
=== Touchscreen gestures and pixel-perfect trackpad scrolling ===<br />
<br />
{{Merge|Firefox/Tweaks#Enable touchscreen gestures|Same solution.}}<br />
<br />
To enable touch gestures (like scrolling and pinch-to-zoom) and one-to-one trackpad scrolling (as can be witnessed with GTK3 applications like Nautilus), set the {{ic|1=MOZ_USE_XINPUT2=1}} [[environment variable]] before starting Firefox.<br />
<br />
=== Multiple home pages ===<br />
<br />
To have multiple tabs opened when starting Firefox open a new window and then open the sites you want to have as "home tabs".<br />
<br />
Now go to ''Preferences > Home'' and under ''Homepage and new windows'' click the ''Use Current Pages'' button.<br />
<br />
Alternatively go directly to ''Preferences > Home'' and now under ''Homepage and new windows'' set the first field to ''Custom URLs..'' and enter the pages you want as new home pages in the following format:<br />
<br />
<nowiki>https://url1.com|https://url2.com|https://url3.com</nowiki><br />
<br />
== Troubleshooting ==<br />
<br />
=== Safe Mode ===<br />
<br />
The command line switch {{ic|--safe-mode}} starts Firefox in [http://kb.mozillazine.org/Safe_Mode Safe Mode], which disables extensions, themes and some other features for this session.<br />
<br />
=== Disable hardware video acceleration ===<br />
<br />
To force disable hardware video acceleration in Firefox, e.g. in case of freezes, start Firefox in [[#Safe Mode|Safe Mode]] or set {{ic|layers.acceleration.disabled}} to {{ic|true}} in {{ic|about:config}}.<br />
<br />
=== Extension X does not work on some Mozilla owned domains ===<br />
<br />
By default extensions will not affect pages designated by {{ic|extensions.webextensions.restrictedDomains}}. If this is not desired, this field can be cleared (special pages such as {{ic|about:*}} will not be affected).<br />
<br />
=== Firefox startup takes very long ===<br />
<br />
If Firefox takes much longer to start up than other browsers, it may be due to lacking configuration of the localhost in {{ic|/etc/hosts}}. See [[Network configuration#Local network hostname resolution]] on how to set it up.<br />
<br />
=== Font troubleshooting ===<br />
<br />
See [[Font configuration]].<br />
<br />
Firefox has a setting which determines how many replacements it will allow from fontconfig. To allow it to use all your replacement-rules, change {{ic|gfx.font_rendering.fontconfig.max_generic_substitutions}} to {{ic|127}} (the highest possible value).<br />
<br />
Firefox ships with ''Twemoji Mozilla'' font. To use system emoji font set {{ic|font.name-list.emoji}} to {{ic|emoji}} in {{ic|about:config}}.<br />
<br />
Firefox has problems with [[Emoji]] presentation [https://bugzilla.mozilla.org/show_bug.cgi?id=1509988]. Set {{ic|gfx.font_rendering.fontconfig.max_generic_substitutions}} to {{ic|0}} as workaround.<br />
<br />
=== Setting an email client ===<br />
<br />
Inside the browser, {{ic|mailto}} links by default are opened by a web application such as Gmail or Yahoo Mail. To set an external email program, go to ''Preferences > Applications'' and modify the ''action'' corresponding to the {{ic|mailto}} content type; the file path will need to be designated (e.g. {{ic|/usr/bin/kmail}} for Kmail).<br />
<br />
Outside the browser, {{ic|mailto}} links are handled by the {{ic|x-scheme-handler/mailto}} mime type, which can be easily configured with [[xdg-mime]]. See [[Default applications]] for details and alternatives.<br />
<br />
=== File association ===<br />
<br />
See [[Default applications]].<br />
<br />
=== Firefox keeps creating ~/Desktop even when this is not desired ===<br />
<br />
Firefox uses {{ic|~/Desktop}} as the default place for download and upload files. To change it to another folder, set the {{ic|XDG_DESKTOP_DIR}} option as explained in [[XDG user directories]].<br />
<br />
=== Make plugins respect blocked pop-ups ===<br />
<br />
Some plugins can misbehave and bypass the default settings, such as the Flash plugin. You can prevent this by doing the following:<br />
<br />
# Type {{ic|about:config}} into the address bar.<br />
# Right-click on the page and select ''New > Integer''.<br />
# Name it {{ic|privacy.popups.disable_from_plugins}}.<br />
# Set the value to {{ic|2}}.<br />
<br />
The possible values are:<br />
<br />
* {{ic|'''0'''}}: Allow all popups from plugins.<br />
* {{ic|'''1'''}}: Allow popups, but limit them to {{ic|dom.popup_maximum}}.<br />
* {{ic|'''2'''}}: Block popups from plugins.<br />
* {{ic|'''3'''}}: Block popups from plugins, even on whitelisted sites.<br />
<br />
=== Changes to userChrome.css and userContent.css are ignored ===<br />
<br />
Set {{ic|toolkit.legacyUserProfileCustomizations.stylesheets}} to {{ic|true}} in {{ic|about:config}}<br />
<br />
=== Middle-click behavior ===<br />
<br />
To use the middle mouse button to paste whatever text has been highlighted/added to the clipboard, as is common in UNIX-like operating systems, set either {{ic|middlemouse.contentLoadURL}} or {{ic|middlemouse.paste}} to {{ic|true}} in {{ic|about:config}}. Having {{ic|middlemouse.contentLoadURL}} enabled was the default behaviour prior to Firefox 57.<br />
<br />
To scroll on middle-click (default for Windows browsers) set {{ic|general.autoScroll}} to {{ic|true}}.<br />
<br />
=== Backspace does not work as the 'Back' button ===<br />
<br />
According to [http://kb.mozillazine.org/Browser.backspace_action MozillaZine], the {{ic|Backspace}} key was mapped based on which platform the browser was running on. As a compromise, this preference was created to allow the {{ic|Backspace}} key to either go back/forward, scroll up/down a page, or do nothing.<br />
<br />
To make {{ic|Backspace}} go back one page in the tab's history and {{ic|Shift+Backspace}} go forward, set {{ic|browser.backspace_action}} to {{ic|0}} in {{ic|about:config}}.<br />
<br />
To have the {{ic|Backspace}} key scroll up one page and {{ic|Shift+Backspace}} scroll down one page, set {{ic|browser.backspace_action}} to {{ic|1}}. Setting this property to any other value will leave the key unmapped (Arch Linux defaults to {{ic|2}}, in other words, it is unmapped by default).<br />
<br />
=== Firefox does not remember login information ===<br />
<br />
It may be due to a corrupted {{ic|cookies.sqlite}} file in [https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data Firefox's profile] folder. In order to fix this, just rename or remove {{ic|cookie.sqlite}} while Firefox is not running.<br />
<br />
Open a terminal of choice and type the following:<br />
<br />
$ rm -f ~/.mozilla/firefox/<profile id>.default/cookies.sqlite<br />
<br />
The profile id is a random 8 character string.<br />
<br />
Restart Firefox and see if it solved the problem.<br />
<br />
If it did not work, check if there exists a {{ic|cookies.sqlite.bak}} file that you could use to manually restore the cookies.<br />
<br />
=== Cannot enter/leave fullscreen ===<br />
<br />
If Firefox detects an [https://specifications.freedesktop.org/wm-spec/wm-spec-latest.html EWMH/ICCCM] compliant window manager, it will try to send a WM_STATE message to the root window to request Firefox be made to enter (or leave) full-screen mode (as defined by the window manager). Window managers are allowed to ignore it, but if they do, Firefox will assume the request got denied and propagate it to the end user which results in nothing happening. This may result in not being able to full screen a video. A general workaround is to set the {{ic|full-screen-api.ignore-widgets}} to {{ic|true}} in {{ic|about:config}}. <br />
<br />
Related bug reports: [https://bugzilla.mozilla.org/show_bug.cgi?id=1189622 Bugzilla 1189622].<br />
<br />
=== Firefox detects the wrong version of my plugin ===<br />
<br />
When you close Firefox, the latter saves the current timestamp and version of your plugins inside {{ic|pluginreg.dat}} located in your profile folder, typically in {{ic|~/.mozilla/firefox/''xxxxxxxx''.default/}}.<br />
<br />
If you upgraded your plugin when Firefox was still running, you will thus have the wrong information inside that file. The next time you will restart Firefox you will get that message {{ic|Firefox has prevented the outdated plugin "XXXX" from running on ...}} when you will be trying to open content dedicated to that plugin on the web. This problem often appears with the official [[Browser plugins#Adobe Flash Player|Adobe Flash Player plugin]] which has been upgraded while Firefox was still running.<br />
<br />
The solution is to remove the file {{ic|pluginreg.dat}} from your profile and that is it. Firefox will not complain about the missing file as it will be recreated the next time Firefox will be closed. [https://bugzilla.mozilla.org/show_bug.cgi?id=1109795#c16]<br />
<br />
=== JavaScript context menu does not appear on some sites ===<br />
<br />
You can try setting {{ic|dom.w3c_touch_events.enabled}} to {{ic|0}} in {{ic|about:config}}.<br />
<br />
=== Firefox does not remember default spell check language ===<br />
<br />
The default spell checking language can be set as follows:<br />
<br />
# Type {{ic|about:config}} in the address bar.<br />
# Set {{ic|spellchecker.dictionary}} to your language of choice, for instance {{ic|en_GB}}.<br />
# Notice that the for dictionaries installed as a Firefox plugin the notation is {{ic|en-GB}}, and for {{Pkg|hunspell}} dictionaries the notation is {{ic|en_GB}}.<br />
<br />
When you only have system wide dictionaries installed with {{Pkg|hunspell}}, Firefox might not remember your default dictionary language settings. This can be fixed by having at least one [https://addons.mozilla.org/firefox/language-tools/ dictionary] installed as a Firefox plugin. Notice that now you will also have a tab ''Dictionaries'' in ''Add-ons''. You may have to change the order of ''preferred language for displaying pages'' in {{ic|about:preferences#general}} to make the spell check default to the language of the addon dictionary.<br />
<br />
Related questions on the '''StackExchange''' platform: [https://stackoverflow.com/questions/26936792/change-firefox-spell-check-default-language/29446115], [https://stackoverflow.com/questions/21542515/change-default-language-on-firefox/29446353], [https://askubuntu.com/questions/184300/how-can-i-change-firefoxs-default-dictionary/576877]<br />
<br />
Related bug reports: [https://bugzilla.mozilla.org/show_bug.cgi?id=776028 Bugzilla 776028], [https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1026869 Ubuntu bug 1026869]<br />
<br />
=== Some MathML symbols are missing ===<br />
<br />
You need some Math fonts, namely Latin Modern Math and STIX (see this MDN page: [https://developer.mozilla.org/en-US/docs/Mozilla/MathML_Project/Fonts#Linux]), to display MathML correctly.<br />
<br />
In Arch Linux, these fonts are provided by {{Pkg|texlive-core}} '''and''' {{Pkg|texlive-fontsextra}}, but they are not available to fontconfig by default. See [[TeX Live#Making fonts available to Fontconfig]] for details. You can also try other [[Fonts#Math|Math fonts]]. In case you encounter this bug [https://bugzilla.mozilla.org/show_bug.cgi?id=1208776] installing {{Pkg|otf-latinmodern-math}} can help.<br />
<br />
=== Tearing video in fullscreen mode ===<br />
<br />
If you are using the Xorg Intel or Nouveau drivers and experience tearing video in fullscreen mode, try [[Firefox/Tweaks#Enable Legacy OpenGL compositor]].<br />
<br />
=== Tearing when scrolling ===<br />
<br />
Try disabling smooth scrolling in ''Preferences > Browsing''.<br />
<br />
=== Firefox WebRTC module cannot detect a microphone ===<br />
<br />
WebRTC applications for instance [https://mozilla.github.io/webrtc-landing/gum_test.html Firefox WebRTC getUserMedia test page] say that microphone cannot be found. Issue is reproducible for both ALSA or PulseAudio setup. Firefox debug logs show the following error:<br />
<br />
{{hc|1=$ NSPR_LOG_MODULES=MediaManager:5,GetUserMedia:5 firefox|2=<br />
...<br />
[Unnamed thread 0x7fd7c0654340]: D/GetUserMedia VoEHardware:GetRecordingDeviceName: Failed 1<br />
}}<br />
<br />
You can try setting {{ic|media.navigator.audio.full_duplex}} property to {{ic|false}} at {{ic|about:config}} Firefox page and restart Firefox.<br />
<br />
This can also help if you are using the PulseAudio [[PulseAudio#Microphone echo/noise cancellation|module-echo-cancel]] and Firefox does not recognise the virtual echo canceling source.<br />
<br />
=== Cannot login with my Chinese account ===<br />
<br />
Firefox provides a local service for Chinese users, with a local account totally different from the international one. Firefox installed with the {{Pkg|firefox}} package uses the international account system by default, to change into the Chinese local service, you should install the add-on manager on [http://mozilla.com.cn/thread-343905-1-1.html this page], then you can login with your Chinese account now.<br />
<br />
=== No audio on certain videos when using JACK and PulseAudio ===<br />
<br />
If you are using JACK in combination with PulseAudio and cannot hear any sound on some videos it could be because those videos have mono audio. This happens if your JACK setup uses more than just stereo, but you use normal headphones. To fix this you simply have to connect the {{ic|front-center}} port from the PulseAudio JACK Sink to both {{ic|playback_1}} and {{ic|playback_2}} ports of the system output.<br />
<br />
You can also do this automatically using a script:<br />
<br />
{{hc|jack-mono.sh<br />
|2=#!/bin/sh<br />
jack_connect "PulseAudio JACK Sink:front-center" "system:playback_1"<br />
jack_connect "PulseAudio JACK Sink:front-center" "system:playback_2"<br />
}}<br />
<br />
Keep in mind that the names for the sink and the ports might be different for you. You can check what your JACK setup looks like with a Patchbay like Catia from {{Pkg|cadence}}.<br />
<br />
=== Geolocation does not work ===<br />
<br />
Recently, Google limited the use of its location service with Arch Linux, which causes the following error when geolocation is enabled on a website: {{ic|Geolocation error: Unknown error acquiring position}}. Region-locked services such as [https://www.hulu.com/ Hulu] may display a similar error indicating that your location could not be determined even though you have allowed location services for the site.<br />
<br />
To avoid these problems, you can switch to use the [https://location.services.mozilla.com/ Mozilla Location Service]. In {{ic|about:config}} change the {{ic|geo.provider.network.url}} setting to:<br />
<br />
<nowiki>https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%</nowiki><br />
<br />
See {{Bug|65241}} for more details.<br />
<br />
=== Right mouse button instantly clicks the first option in window managers ===<br />
<br />
This problem has been observed in [[i3]], [[bspwm]] and [[xmonad]].<br />
<br />
To fix it, navigate to {{ic|about:config}} and change {{ic|ui.context_menus.after_mouseup}} to {{ic|true}}.<br />
<br />
See [https://www.reddit.com/r/i3wm/comments/88k0yt/right_mouse_btn_instantly_clicks_first_option_in/]<br />
<br />
=== Applications on Wayland can not launch Firefox ===<br />
<br />
Some applications running in XWayland mode try to launch the X11 edition of Firefox. If the browser already runs in Wayland native mode, the user will receive the error {{ic|Firefox is already running, but is not responding. To use Firefox, you must first close the existing Firefox process, restart your device, or use a different profile.}} while Firefox itself is fully operational. <br />
<br />
This can be worked around by setting the [[environment variable]] {{ic|1=MOZ_DBUS_REMOTE=1}}.<br />
<br />
{{Note|1=It is not sufficient to only set this variable in the ''.desktop'' file for Firefox, as it must be set for either the whole session or all XWayland applications. Consider additionally setting [[#Wayland]] globally. [https://bugzilla.mozilla.org/show_bug.cgi?id=1508803]}}<br />
<br />
=== Firefox window does not repaint after disabling or enabling compositing ===<br />
<br />
Unset the environment variable {{ic|MOZ_X11_EGL}}.<br />
<br />
Related bug report: [https://bugzilla.mozilla.org/show_bug.cgi?id=1711039 Bugzilla 1711039].<br />
<br />
=== Firefox continuously asks to be set as default browser upon launch ===<br />
<br />
There are a couple things you can try: if you are using a [[desktop environment]], check if Firefox is set as the default browser in your system settings. If it is not, then set it, otherwise you can run the following {{man|1|xdg-settings}} command, provided by the [[xdg-utils]] package, to query which browser is set as default on your system:<br />
<br />
$ xdg-settings get default-web-browser<br />
<br />
If no value is returned or it is not Firefox, then run this command to set it:<br />
<br />
$ xdg-settings set default-web-browser firefox.desktop<br />
<br />
If Firefox still asks to be set as the default browser, then it may be quieted if it is set to handle ''http'' and ''https'' URL schemes. To do so, run these {{man|1|xdg-mime}} commands: <br />
<br />
$ xdg-mime default firefox.desktop x-scheme-handler/http<br />
$ xdg-mime default firefox.desktop x-scheme-handler/https<br />
<br />
If those do not work either, check if you have set the environment variable {{ic|GTK_USE_PORTAL}} (all values trigger the bug), in which case, unset it. Related bug report: [https://bugzilla.mozilla.org/show_bug.cgi?id=1516290 Bugzilla 1516290]. If that does not work or you did not set it, navigate Firefox to {{ic|about:config}}, check if the variable {{ic|widget.use-xdg-desktop-portal}} is set to {{ic|true}} and, if so, set it to {{ic|false}}.<br />
<br />
=== Video stuttering ===<br />
<br />
If you experience video stuttering and you notice that Firefox is only hitting one core at 100% when watching videos (especially higher resolution videos), this might help you.<br />
<br />
Go into {{ic|about:config}} and search for {{ic|dom.ipc.processCount}} and change {{ic|dom.ipc.processCount.file}} from 1 to a higher number. An ad hoc method to find a good number is to increase it one at a time until you get good results, but 4 seems to be a good value.<br />
<br />
== See also ==<br />
<br />
* [https://www.mozilla.org/firefox/ Official website]<br />
* [https://www.mozilla.org/ Mozilla Foundation]<br />
* [[MozillaWiki:Firefox]]<br />
* [[Wikipedia:Mozilla Firefox]]<br />
* [https://addons.mozilla.org/ Firefox Add-ons]<br />
* [https://addons.mozilla.org/firefox/themes/ Firefox themes]<br />
* [https://ftp.mozilla.org/pub/firefox/releases/ Mozilla's FTP]<br />
* [http://forums.mozillazine.org/ mozillaZine] unofficial forums</div>Smasher816https://wiki.archlinux.org/index.php?title=PCI_passthrough_via_OVMF&diff=524971PCI passthrough via OVMF2018-06-06T18:30:42Z<p>Smasher816: /* Add note about automatically passing through usb devices without needing to pass a whole pci controller */</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[ja:OVMF による PCI パススルー]]<br />
The Open Virtual Machine Firmware ([https://github.com/tianocore/tianocore.github.io/wiki/OVMF OVMF]) is a project to enable UEFI support for virtual machines. Starting with Linux 3.9 and recent versions of [[QEMU]], it is now possible to passthrough a graphics card, offering the VM native graphics performance which is useful for graphic-intensive tasks.<br />
<br />
Provided you have a desktop computer with a spare GPU you can dedicate to the host (be it an integrated GPU or an old OEM card, the brands do not even need to match) and that your hardware supports it (see [[#Prerequisites]]), it is possible to have a VM of any OS with its own dedicated GPU and near-native performance. For more information on techniques see the background [https://www.linux-kvm.org/images/b/b3/01x09b-VFIOandYou-small.pdf presentation (pdf)]. <br />
<br />
== Prerequisites ==<br />
<br />
A VGA Passthrough relies on a number of technologies that are not ubiquitous as of today and might not be available on your hardware. You will not be able to do this on your machine unless the following requirements are met :<br />
<br />
* Your CPU must support hardware virtualization (for kvm) and IOMMU (for the passthrough itself)<br />
** [https://ark.intel.com/Search/FeatureFilter?productType=processors&VTD=true List of compatible Intel CPUs (Intel VT-x and Intel VT-d)]<br />
** All AMD CPUs from the Bulldozer generation and up (including Zen) should be compatible.<br />
*** CPUs from the K10 generation (2007) do not have an IOMMU, so you '''need''' to have a motherboard with a [https://support.amd.com/TechDocs/43403.pdf#page=18 890FX] or [https://support.amd.com/TechDocs/48691.pdf#page=21 990FX] chipset to make it work, as those have their own IOMMU.<br />
* Your motherboard must also support IOMMU<br />
** Both the chipset and the BIOS must support it. It is not always easy to tell at a glance whether or not this is the case, but there is a fairly comprehensive list on the matter on the [https://wiki.xen.org/wiki/VTd_HowTo Xen wiki] as well as [[Wikipedia:List of IOMMU-supporting hardware]].<br />
* Your guest GPU ROM must support UEFI.<br />
** If you can find [https://www.techpowerup.com/vgabios/ any ROM in this list] that applies to your specific GPU and is said to support UEFI, you are generally in the clear. All GPUs from 2012 and later should support this, as Microsoft made UEFI a requirement for devices to be marketed as compatible with Windows 8.<br />
<br />
You will probably want to have a spare monitor or one with multiple input ports connected to different GPUs (the passthrough GPU will not display anything if there is no screen plugged in and using a VNC or Spice connection will not help your performance), as well as a mouse and a keyboard you can pass to your VM. If anything goes wrong, you will at least have a way to control your host machine this way.<br />
<br />
== Setting up IOMMU ==<br />
<br />
{{Note|<br />
* IOMMU is a generic name for Intel VT-d and AMD-Vi.<br />
* VT-d stands for ''Intel Virtualization Technology for Directed I/O'' and should not be confused with VT-x ''Intel Virtualization Technology''. VT-x allows one hardware platform to function as multiple “virtual” platforms while VT-d improves security and reliability of the systems and also improves performance of I/O devices in virtualized environments.}}<br />
<br />
Using IOMMU opens to features like PCI passthrough and memory protection from faulty or malicious devices, see [[wikipedia:Input-output memory management unit#Advantages]] and [https://www.quora.com/Memory-Management-computer-programming/Could-you-explain-IOMMU-in-plain-English Memory Management (computer programming): Could you explain IOMMU in plain English?].<br />
<br />
=== Enabling IOMMU ===<br />
<br />
Ensure that AMD-Vi/Intel VT-d is supported by the CPU and enabled in the BIOS settings. Both normally show up alongside other CPU features (meaning they could be in an overclocking-related menu) either with their actual names ("VT-d" or "AMD-Vi") or in more ambiguous terms such as "Virtualization technology", which may or may not be explained in the manual.<br />
<br />
Enable IOMMU support by setting the correct [[kernel parameter]] depending on the type of CPU in use:<br />
* For Intel CPUs (VT-d) set {{ic|1=intel_iommu=on}} <br />
* For AMD CPUs (AMD-Vi) set {{ic|1=amd_iommu=on}}<br />
<br />
You should also append the {{ic|1=iommu=pt}} parameter. This will prevent Linux from touching devices which cannot be passed through.<br />
<br />
After rebooting, check dmesg to confirm that IOMMU has been correctly enabled:<br />
<br />
{{hc|dmesg {{!}} grep -e DMAR -e IOMMU|<br />
[ 0.000000] ACPI: DMAR 0x00000000BDCB1CB0 0000B8 (v01 INTEL BDW 00000001 INTL 00000001)<br />
[ 0.000000] Intel-IOMMU: enabled<br />
[ 0.028879] dmar: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c0000020660462 ecap f0101a<br />
[ 0.028883] dmar: IOMMU 1: reg_base_addr fed91000 ver 1:0 cap d2008c20660462 ecap f010da<br />
[ 0.028950] IOAPIC id 8 under DRHD base 0xfed91000 IOMMU 1<br />
[ 0.536212] DMAR: No ATSR found<br />
[ 0.536229] IOMMU 0 0xfed90000: using Queued invalidation<br />
[ 0.536230] IOMMU 1 0xfed91000: using Queued invalidation<br />
[ 0.536231] IOMMU: Setting RMRR:<br />
[ 0.536241] IOMMU: Setting identity map for device 0000:00:02.0 [0xbf000000 - 0xcf1fffff]<br />
[ 0.537490] IOMMU: Setting identity map for device 0000:00:14.0 [0xbdea8000 - 0xbdeb6fff]<br />
[ 0.537512] IOMMU: Setting identity map for device 0000:00:1a.0 [0xbdea8000 - 0xbdeb6fff]<br />
[ 0.537530] IOMMU: Setting identity map for device 0000:00:1d.0 [0xbdea8000 - 0xbdeb6fff]<br />
[ 0.537543] IOMMU: Prepare 0-16MiB unity mapping for LPC<br />
[ 0.537549] IOMMU: Setting identity map for device 0000:00:1f.0 [0x0 - 0xffffff]<br />
[ 2.182790] [drm] DMAR active, disabling use of stolen memory<br />
}}<br />
<br />
=== Ensuring that the groups are valid ===<br />
<br />
The following script should allow you to see how your various PCI devices are mapped to IOMMU groups. If it does not return anything, you either have not enabled IOMMU support properly or your hardware does not support it.<br />
<br />
#!/bin/bash<br />
shopt -s nullglob<br />
for d in /sys/kernel/iommu_groups/*/devices/*; do <br />
n=${d#*/iommu_groups/*}; n=${n%%/*}<br />
printf 'IOMMU Group %s ' "$n"<br />
lspci -nns "${d##*/}"<br />
done;<br />
<br />
Example output:<br />
<br />
IOMMU Group 0 00:00.0 Host bridge [0600]: Intel Corporation 2nd Generation Core Processor Family DRAM Controller [8086:0104] (rev 09)<br />
IOMMU Group 1 00:16.0 Communication controller [0780]: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 [8086:1c3a] (rev 04)<br />
IOMMU Group 2 00:19.0 Ethernet controller [0200]: Intel Corporation 82579LM Gigabit Network Connection [8086:1502] (rev 04)<br />
IOMMU Group 3 00:1a.0 USB controller [0c03]: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 [8086:1c2d] (rev <br />
...<br />
<br />
An IOMMU group is the smallest set of physical devices that can be passed to a virtual machine. For instance, in the example above, both the GPU in 06:00.0 and its audio controller in 6:00.1 belong to IOMMU group 13 and can only be passed together. The frontal USB controller, however, has its own group (group 2) which is separate from both the USB expansion controller (group 10) and the rear USB controller (group 4), meaning that [[#USB controller|any of them could be passed to a VM without affecting the others]].<br />
<br />
=== Gotchas ===<br />
<br />
==== Plugging your guest GPU in an unisolated CPU-based PCIe slot ====<br />
<br />
Not all PCI-E slots are the same. Most motherboards have PCIe slots provided by both the CPU and the PCH. Depending on your CPU, it is possible that your processor-based PCIe slot does not support isolation properly, in which case the PCI slot itself will be appear to be grouped with the device that is connected to it.<br />
<br />
IOMMU Group 1 00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor PCI Express Root Port (rev 09)<br />
IOMMU Group 1 01:00.0 VGA compatible controller: NVIDIA Corporation GM107 [GeForce GTX 750] (rev a2)<br />
IOMMU Group 1 01:00.1 Audio device: NVIDIA Corporation Device 0fbc (rev a1)<br />
<br />
This is fine so long as only your guest GPU is included in here, such as above. Depending on what is plugged in your other PCIe slots and whether they are allocated to your CPU or your PCH, you may find yourself with additional devices within the same group, which would force you to pass those as well. If you are ok with passing everything that is in there to your VM, you are free to continue. Otherwise, you will either need to try and plug your GPU in your other PCIe slots (if you have any) and see if those provide isolation from the rest or to install the ACS override patch, which comes with its own drawbacks. See [[#Bypassing the IOMMU groups (ACS override patch)]] for more information.<br />
<br />
{{Note|If they are grouped with other devices in this manner, pci root ports and bridges should neither be bound to vfio at boot, nor be added to the VM.}}<br />
<br />
== Isolating the GPU ==<br />
<br />
In order to assign a device to a virtual machine, this device and all those sharing the same IOMMU group must have their driver replaced by a stub driver or a VFIO driver in order to prevent the host machine from interacting with them. In the case of most devices, this can be done on the fly right before the VM starts.<br />
<br />
However, due to their size and complexity, GPU drivers do not tend to support dynamic rebinding very well, so you cannot just have some GPU you use on the host be transparently passed to a VM without having both drivers conflict with each other. Because of this, it is generally advised to bind those placeholder drivers manually before starting the VM, in order to stop other drivers from attempting to claim it.<br />
<br />
The following section details how to configure a GPU so those placeholder drivers are bound early during the boot process, which makes said device inactive until a VM claims it or the driver is switched back. This is the preferred method, considering it has less caveats than switching drivers once the system is fully online.<br />
<br />
{{warning|Once you reboot after this procedure, whatever GPU you have configured will no longer be usable on the host until you reverse the manipulation. Make sure the GPU you intend to use on the host is properly configured before doing this - your motherboard should be set to display using the host GPU.}}<br />
<br />
=== Using vfio-pci ===<br />
<br />
Starting with Linux 4.1, the kernel includes vfio-pci. This is a VFIO driver, meaning it fulfills the same role as pci-stub, but it can also control devices to an extent, such as by switching them into their D3 state when they are not in use. If your system supports it, which you can try by running the following command, you should use it. If it returns an error, use pci-stub instead.<br />
<br />
{{hc|$ modinfo vfio-pci|<br />
filename: /lib/modules/4.4.5-1-ARCH/kernel/drivers/vfio/pci/vfio-pci.ko.gz<br />
description: VFIO PCI - User Level meta-driver<br />
author: Alex Williamson <alex.williamson@redhat.com><br />
...<br />
}}<br />
<br />
Vfio-pci normally targets PCI devices by ID, meaning you only need to specify the IDs of the devices you intend to passthrough. For the following IOMMU group, you would want to bind vfio-pci with {{ic|10de:13c2}} and {{ic|10de:0fbb}}, which will be used as example values for the rest of this section.<br />
<br />
IOMMU Group 13 06:00.0 VGA compatible controller: NVIDIA Corporation GM204 [GeForce GTX 970] [10de:13c2] (rev a1)<br />
IOMMU Group 13 06:00.1 Audio device: NVIDIA Corporation GM204 High Definition Audio Controller [10de:0fbb] (rev a1)}}<br />
<br />
{{Note|You cannot specify which device to isolate using vendor-device ID pairs if the host GPU and the guest GPU share the same pair (i.e : if both are the same model). If this is your case, read [[#Using identical guest and host GPUs]] instead.}}<br />
<br />
You can then add those vendor-device ID pairs to the default parameters passed to vfio-pci whenever it is inserted into the kernel.<br />
<br />
{{hc|/etc/modprobe.d/vfio.conf|2=<br />
options vfio-pci ids=10de:13c2,10de:0fbb<br />
}}<br />
<br />
{{Note|If, as noted in [[#Plugging your guest GPU in an unisolated CPU-based PCIe slot]], your pci root port is part of your IOMMU group, you '''must not''' pass its ID to {{ic|vfio-pci}}, as it needs to remain attached to the host to function properly. Any other device within that group, however, should be left for {{ic|vfio-pci}} to bind with.}}<br />
<br />
This, however, does not guarantee that vfio-pci will be loaded before other graphics drivers. To ensure that, we need to statically bind it in the kernel image alongside with its dependencies. That means adding, in this order, {{ic|vfio_pci}}, {{ic|vfio}}, {{ic|vfio_iommu_type1}}, and {{ic|vfio_virqfd}} to [[mkinitcpio]]:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
MODULES=(... vfio_pci vfio vfio_iommu_type1 vfio_virqfd ...)<br />
}}<br />
<br />
{{Note|If you also have another driver loaded this way for [[Kernel mode setting#Early KMS start|early modesetting]] (such as {{ic|nouveau}}, {{ic|radeon}}, {{ic|amdgpu}}, {{ic|i915}}, etc.), all of the aforementioned VFIO modules must precede it.}}<br />
<br />
Also, ensure that the modconf hook is included in the HOOKS list of {{ic|mkinitcpio.conf}}:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
HOOKS=(... modconf ...)<br />
}}<br />
<br />
Since new modules have been added to the initramfs configuration, you must [[regenerate the initramfs]]. Should you change the IDs of the devices in {{ic|/etc/modprobe.d/vfio.conf}}, you will also have to regenerate it, as those parameters must be specified in the initramfs to be known during the early boot stages.<br />
<br />
Reboot and verify that vfio-pci has loaded properly and that it is now bound to the right devices.<br />
<br />
{{hc|$ dmesg {{!}} grep -i vfio|<br />
[ 0.329224] VFIO - User Level meta-driver version: 0.3<br />
[ 0.341372] vfio_pci: add [10de:13c2[ffff:ffff]] class 0x000000/00000000<br />
[ 0.354704] vfio_pci: add [10de:0fbb[ffff:ffff]] class 0x000000/00000000<br />
[ 2.061326] vfio-pci 0000:06:00.0: enabling device (0100 -> 0103)<br />
}}<br />
<br />
It is not necessary for all devices (or even expected device) from {{ic|vfio.conf}} to be in dmesg output. Sometimes a device does not appear in output at boot but actually is able to be visible and operatable in guest VM.<br />
<br />
{{hc|$ lspci -nnk -d 10de:13c2|<br />
06:00.0 VGA compatible controller: NVIDIA Corporation GM204 [GeForce GTX 970] [10de:13c2] (rev a1)<br />
Kernel driver in use: vfio-pci<br />
Kernel modules: nouveau nvidia<br />
}}<br />
<br />
{{hc|$ lspci -nnk -d 10de:0fbb|<br />
06:00.1 Audio device: NVIDIA Corporation GM204 High Definition Audio Controller [10de:0fbb] (rev a1)<br />
Kernel driver in use: vfio-pci<br />
Kernel modules: snd_hda_intel<br />
}}<br />
<br />
=== Using pci-stub (legacy method, pre-4.1 kernels) ===<br />
{{remove|Linux 4.1 is three years old.}}<br />
<br />
If your kernel does not support vfio-pci, you can use the pci-stub module instead, which is a dummy driver used to claim a device and prevent other drivers from using it.<br />
<br />
Pci-stub normally targets PCI devices by ID, meaning you only need to specify the IDs of the devices you intend to passthrough. For the following IOMMU group, you would want to bind vfio-pci with {{ic|10de:13c2}} and {{ic|10de:0fbb}}, which will be used as example values for the rest of this section.<br />
<br />
IOMMU group 13 06:00.0 VGA compatible controller: NVIDIA Corporation GM204 [GeForce GTX 970] [10de:13c2] (rev a1)<br />
IOMMU group 13 06:00.1 Audio device: NVIDIA Corporation GM204 High Definition Audio Controller [10de:0fbb] (rev a1)}}<br />
<br />
{{Note|You cannot specify which device to isolate using vendor-device ID pairs if the host GPU and the guest GPU share the same pair (i.e : if both are the same model). If this is your case, read [[#Using identical guest and host GPUs]] instead.}}<br />
<br />
{{Pkg|linux}} and {{Pkg|linux-lts}} have pci-stub built as a module. You will need to add it to MODULES array in {{ic|mkinitpcio.conf}}:<br />
<br />
{{hc|/etc/mkinitcpio.conf|2=<br />
MODULES=(... pci-stub ...)<br />
}}<br />
<br />
If you did need to add this module to your kernel image configuration manually, you must also [[regenerate the initramfs]].<br />
<br />
Add the relevant PCI device IDs to the {{ic|pci-stubs.ids}} [[kernel parameter]], e.g. {{ic|1=pci-stub.ids=10de:13c2,10de:0fbb}}.<br />
<br />
{{Note|If, as noted in [[#Plugging your guest GPU in an unisolated CPU-based PCIe slot]], your pci root port is part of your IOMMU group, you '''must not''' pass its ID to {{ic|pci-stub}}, as it needs to remain attached to the host to function properly. Any other device within that group, however, should be left for {{ic|pci-stub}} to bind with.}}<br />
<br />
Check dmesg output for successful assignment of the device to pci-stub:<br />
<br />
{{hc|dmesg {{!}} grep pci-stub|<br />
[ 2.390128] pci-stub: add 10DE:13C2 sub<nowiki>=</nowiki>FFFFFFFF:FFFFFFFF cls<nowiki>=</nowiki>00000000/00000000<br />
[ 2.390143] pci-stub 0000:06:00.0: claimed by stub<br />
[ 2.390150] pci-stub: add 10DE:0FBB sub<nowiki>=</nowiki>FFFFFFFF:FFFFFFFF cls<nowiki>=</nowiki>00000000/00000000<br />
[ 2.390159] pci-stub 0000:06:00.1: claimed by stub<br />
}}<br />
<br />
== Setting up an OVMF-based guest VM ==<br />
<br />
OVMF is an open-source UEFI firmware for QEMU virtual machines. While it's possible to use SeaBIOS to get similar results to an actual PCI passthough, the setup process is different and it is generally preferable to use the EFI method if your hardware supports it.<br />
<br />
=== Configuring libvirt ===<br />
<br />
[[Libvirt]] is a wrapper for a number of virtualization utilities that greatly simplifies the configuration and deployment process of virtual machines. In the case of KVM and QEMU, the frontend it provides allows us to avoid dealing with the permissions for QEMU and make it easier to add and remove various devices on a live VM. Its status as a wrapper, however, means that it might not always support all of the latest qemu features, which could end up requiring the use of a wrapper script to provide some extra arguments to QEMU.<br />
<br />
After installing {{Pkg|qemu}}, {{Pkg|libvirt}}, {{Pkg|ovmf}}, and {{Pkg|virt-manager}}, add the path to your OVMF firmware image and runtime variables template to your libvirt config so {{ic|virt-install}} or {{ic|virt-manager}} can find those later on.<br />
<br />
{{hc|/etc/libvirt/qemu.conf|2=<br />
nvram = [<br />
"/usr/share/ovmf/x64/OVMF_CODE.fd:/usr/share/ovmf/x64/OVMF_VARS.fd"<br />
]<br />
}}<br />
<br />
You can now [[enable]] and [[start]] {{ic|libvirtd.service}} and its logging component {{ic|virtlogd.socket}}.<br />
<br />
=== Setting up the guest OS ===<br />
<br />
The process of setting up a VM using {{ic|virt-manager}} is mostly self-explanatory, as most of the process comes with fairly comprehensive on-screen instructions.<br />
<br />
If using {{ic|virt-manager}}, you have to add your user to the libvirt [[group]] to ensure authentication.<br />
<br />
However, you should pay special attention to the following steps :<br />
<br />
* When the VM creation wizard asks you to name your VM (final step before clicking "Finish"), check the "Customize before install" checkbox.<br />
* In the "Overview" section, [https://i.imgur.com/73r2ctM.png set your firmware to "UEFI"]. If the option is grayed out, make sure that you have correctly specified the location of your firmware in {{ic|/etc/libvirt/qemu.conf}} and restart {{ic|libvirtd.service}}.<br />
* In the "CPUs" section, change your CPU model to "host-passthrough". If it is not in the list, you will have to type it by hand. This will ensure that your CPU is detected properly, since it causes libvirt to expose your CPU capabilities exactly as they are instead of only those it recognizes (which is the preferred default behavior to make CPU behavior easier to reproduce). Without it, some applications may complain about your CPU being of an unknown model.<br />
* If you want to minimize IO overhead, go into "Add Hardware" and add a Controller for SCSI drives of the "VirtIO SCSI" model. You can then change the default IDE disk for a SCSI disk, which will bind to said controller.<br />
** Windows VMs will not recognize those drives by default, so you need to download the ISO containing the drivers from [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/ here] and add an IDE (or SATA for Windows 8.1 and newer) CD-ROM storage device linking to said ISO, otherwise you will not be able to get Windows to recognize it during the installation process. When prompted to select a disk to install windows on, load the drivers contained on the CD-ROM under ''vioscsi''.<br />
<br />
The rest of the installation process will take place as normal using a standard QXL video adapter running in a window. At this point, there is no need to install additional drivers for the rest of the virtual devices, since most of them will be removed later on. Once the guest OS is done installing, simply turn off the virtual machine.<br />
<br />
=== Attaching the PCI devices ===<br />
<br />
With the installation done, it's now possible to edit the hardware details in libvirt and remove virtual integration devices, such as the spice channel and virtual display, the QXL video adapter, the emulated mouse and keyboard and the USB tablet device. Since that leaves you with no input devices, you may want to bind a few USB host devices to your VM as well, but remember to '''leave at least one mouse and/or keyboard assigned to your host''' in case something goes wrong with the guest. At this point, it also becomes possible to attach the PCI device that was isolated earlier; simply click on "Add Hardware" and select the PCI Host Devices you want to passthrough. If everything went well, the screen plugged into your GPU should show the OVMF splash screen and your VM should start up normally. From there, you can setup the drivers for the rest of your VM.<br />
<br />
=== Gotchas ===<br />
<br />
==== Using a non-EFI image on an OVMF-based VM ====<br />
<br />
The OVMF firmware does not support booting off non-EFI mediums. If the installation process drops you in a UEFI shell right after booting, you may have an invalid EFI boot media. Try using an alternate linux/windows image to determine if you have an invalid media.<br />
<br />
== Performance tuning ==<br />
<br />
Most use cases for PCI passthroughs relate to performance-intensive domains such as video games and GPU-accelerated tasks. While a PCI passthrough on its own is a step towards reaching native performance, there are still a few ajustments on the host and guest to get the most out of your VM.<br />
<br />
=== CPU pinning ===<br />
<br />
The default behavior for KVM guests is to run operations coming from the guest as a number of threads representing virtual processors. Those threads are managed by the Linux scheduler like any other thread and are dispatched to any available CPU cores based on niceness and priority queues. Since switching between threads adds a bit of overhead (because context switching forces the core to change its cache between operations), this can noticeably harm performance on the guest. CPU pinning aims to resolve this as it overrides process scheduling and ensures that the VM threads will always run and only run on those specific cores. Here, for instance, the guest cores 0, 1, 2 and 3 are mapped to the host cores 4, 5, 6 and 7 respectively.<br />
<br />
{{Note|For certain users enabling CPU pinning may introduce stuttering and short hangs, especially with the MuQSS scheduler (present in linux-ck and linux-zen kernels). You might want to try disabling pinning first if you experience similar issues, which effectively trades maximum performance for responsiveness at all times.}}<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<vcpu placement='static'>4</vcpu><br />
<cputune><br />
<vcpupin vcpu='0' cpuset='4'/><br />
<vcpupin vcpu='1' cpuset='5'/><br />
<vcpupin vcpu='2' cpuset='6'/><br />
<vcpupin vcpu='3' cpuset='7'/><br />
</cputune><br />
...<br />
</nowiki>}}<br />
<br />
==== The case of Hyper-threading ====<br />
<br />
If your CPU supports hardware multitasking, also known as Hyper-threading on Intel chips, there are two ways you can go with your CPU pinning. That is, Hyper-threading is simply a very efficient way of running two threads on one CPU at any given time, so while it may give you 8 logical cores on what would otherwise be a quad-core CPU, if the physical core is overloaded, the logical core will not be of any use. One could pin their VM threads on 2 physical cores and their 2 respective threads, but any task overloading those two cores will not be helped by the extra two logical cores, since in the end you are only passing through two cores out of four, not four out of eight. What you should do knowing this depends on what you intend to do with your host while your VM is running.<br />
<br />
This is the abridged content of {{ic|/proc/cpuinfo}} on a quad-core machine with hyper-threading.<br />
<br />
{{hc|$ grep -e "processor" -e "core id" -e "^$" /proc/cpuinfo|<br />
processor : 0<br />
core id : 0<br />
<br />
processor : 1<br />
core id : 1<br />
<br />
processor : 2<br />
core id : 2<br />
<br />
processor : 3<br />
core id : 3<br />
<br />
processor : 4<br />
core id : 0<br />
<br />
processor : 5<br />
core id : 1<br />
<br />
processor : 6<br />
core id : 2<br />
<br />
processor : 7<br />
core id : 3<br />
}}<br />
<br />
If you do not intend to be doing any computation-heavy work on the host (or even anything at all) at the same time as you would on the VM, it would probably be better to pin your VM threads across all of your logical cores, so that the VM can fully take advantage of the spare CPU time on all your cores.<br />
<br />
On the quad-core machine mentioned above, it would look like this :<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<vcpu placement='static'>4</vcpu><br />
<cputune><br />
<vcpupin vcpu='0' cpuset='4'/><br />
<vcpupin vcpu='1' cpuset='5'/><br />
<vcpupin vcpu='2' cpuset='6'/><br />
<vcpupin vcpu='3' cpuset='7'/><br />
</cputune><br />
...<br />
<cpu mode='custom' match='exact'><br />
...<br />
<topology sockets='1' cores='4' threads='1'/><br />
...<br />
</cpu><br />
...<br />
</nowiki>}}<br />
<br />
If you would instead prefer to have the host and guest running intensive tasks at the same time, it would then be preferable to pin a limited amount of physical cores and their respective threads on the guest and leave the rest to the host to avoid the two competing for CPU time.<br />
<br />
On the quad-core machine mentioned above, it would look like this :<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<vcpu placement='static'>4</vcpu><br />
<cputune><br />
<vcpupin vcpu='0' cpuset='2'/><br />
<vcpupin vcpu='1' cpuset='6'/><br />
<vcpupin vcpu='2' cpuset='3'/><br />
<vcpupin vcpu='3' cpuset='7'/><br />
</cputune><br />
...<br />
<cpu mode='custom' match='exact'><br />
...<br />
<topology sockets='1' cores='2' threads='2'/><br />
...<br />
</cpu><br />
...<br />
</nowiki>}}<br />
<br />
=== Static huge pages ===<br />
<br />
When dealing with applications that require large amounts of memory, memory latency can become a problem since the more memory pages are being used, the more likely it is that this application will attempt to access information across multiple memory "pages", which is the base unit for memory allocation. Resolving the actual address of the memory page takes multiple steps, and so CPUs normally cache information on recently used memory pages to make subsequent uses on the same pages faster. Applications using large amounts of memory run into a problem where, for instance, a virtual machine uses 4GB of memory divided into 4kB pages (which is the default size for normal pages), meaning that such cache misses can become extremely frequent and greatly increase memory latency. Huge pages exist to mitigate this issue by giving larger individual pages to those applications, increasing the odds that multiple operations will target the same page in succession. This is normally handeled with transparent huge pages, which dynamically manages hugepages to keep up with the demand.<br />
<br />
On a VM with a PCI passthrough, however, it is '''not possible''' to benefit from transparent huge pages, as IOMMU requires that the guest's memory be allocated and pinned as soon as the VM starts. It is therefore required to allocate huge pages statically in order to benefit from them. <br />
<br />
{{Warning|Static huge pages lock down the allocated amount of memory, making it unavailable for applications that are not configured to use them. Allocating 4GBs worth of huge pages on a machine with 8GBs of memory will only leave you with 4GBs of available memory on the host '''even when the VM is not running'''.}}<br />
<br />
To allocate huge pages at boot, one must simply specify the desired amount on their kernel command line with {{ic|1=hugepages=''x''}}. For instance, reserving 1024 pages with {{ic|1=hugepages=1024}} and the default size of 2048kB per huge page creates 2GBs worth of memory for the virtual machine to use.<br />
<br />
If supported by CPU page size could be set manually. 1 GB huge page support could be verified by {{ic|<nowiki>grep pdpe1gb /proc/cpuinfo</nowiki>}}. Setting 1 GB huge page size via kernel parameters : {{ic|1=default_hugepagesz=1G hugepagesz=1G hugepages=X transparent_hugepage=never}}.<br />
<br />
Also, since static huge pages can only be used by applications that specifically request it, you must add this section in your libvirt domain configuration to allow kvm to benefit from them :<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<memoryBacking><br />
<hugepages/><br />
</memoryBacking><br />
...<br />
</nowiki>}}<br />
<br />
=== CPU frequency governor ===<br />
<br />
Depending on the way your [[CPU frequency scaling|CPU governor]] is configured, the VM threads may not hit the CPU load thresholds for the frequency to ramp up. Indeed, KVM cannot actually change the CPU frequency on its own, which can be a problem if it does not scale up with vCPU usage as it would result in underwhelming performance. An easy way to see if it behaves correctly is to check if the frequency reported by {{ic|watch lscpu}} goes up when running a CPU-intensive task on the guest. If you are indeed experiencing stutter and the frequency does not go up to reach its reported maximum, it may be due to [https://lime-technology.com/forum/index.php?topic=46664.msg447678#msg447678 cpu scaling being controlled by the host OS]. In this case, try setting all cores to maximum frequency to see if this improves performance. Note that if you are using a modern intel chip with the default pstate driver, cpupower commands will be [[CPU frequency scaling#CPU frequency driver|ineffective]], so monitor {{ic|/proc/cpuinfo}} to make sure your cpu is actually at max frequency.<br />
<br />
=== High DPC Latency ===<br />
<br />
{{Accuracy|As far as I can tell all virtio modules listed here are for virtual devices used when Linux runs as a guest. Loading them on the host serves no purpose.}}<br />
<br />
If you are experiencing high DPC and/or interrupt latency in your Guest VM, ensure you have [[Kernel modules#Manual module handling|loaded the needed virtio kernel modules]] on the host kernel. Loadable virtio kernel modules include: {{ic|virtio-pci}}, {{ic|virtio-net}}, {{ic|virtio-blk}}, {{ic|virtio-balloon}}, {{ic|virtio-ring}} and {{ic|virtio}}. <br />
<br />
After loading one or more of these modules, {{ic|lsmod {{!}} grep virtio}} executed on the host should not return empty.<br />
<br />
==== CPU pinning with isolcpus ====<br />
<br />
Alternatively, make sure that you have isolated CPUs properly. In this example, let us assume you are using CPUs 4-7.<br />
Use the kernel parameters {{ic|isolcpus nohz_full rcu_nocbs}} to completely isolate the CPUs from the kernel. <br />
<br />
{{hc|sudo vim /etc/defaults/grub|<nowiki><br />
...<br />
GRUB_CMDLINE_LINUX="..your other params.. isolcpus=4-7 nohz_full=4-7 rcu_nocbs=4-7"<br />
...<br />
</nowiki>}}<br />
<br />
Then, run {{ic|qemu-system-x86_64}} with taskset and chrt:<br />
<br />
# chrt -r 1 taskset -c 4-7 qemu-system-x86_64 ...<br />
<br />
The {{ic|chrt}} command will ensure that the task scheduler will round-robin distribute work (otherwise it will all stay on the first cpu). For {{ic|taskset}}, the CPU numbers can be comma- and/or dash-separated, like "0,1,2,3" or "0-4" or "1,7-8,10" etc.<br />
<br />
See [https://www.reddit.com/r/VFIO/comments/6vgtpx/high_dpc_latency_and_audio_stuttering_on_windows/dm0sfto/ this reddit comment] for more info.<br />
<br />
=== Improving performance on AMD CPUs ===<br />
<br />
Previously, Nested Page Tables (NPT) had to be disabled on AMD systems running KVM to improve GPU performance because of a [https://sourceforge.net/p/kvm/bugs/230/ very old bug], but the trade off was decreased CPU performance, including stuttering.<br />
<br />
There is a [https://patchwork.kernel.org/patch/10027525/ kernel patch] that resolves this issue, which was accepted into kernel 4.14-stable and 4.9-stable. If you are running the official {{Pkg|linux}} or {{Pkg|linux-lts}} kernel the patch has already been applied (make sure you are on the latest). If you are running another kernel you might need to manually patch yourself.<br />
<br />
{{Note|Several Ryzen users (see [https://www.reddit.com/r/VFIO/comments/78i3jx/possible_fix_for_the_npt_issue_discussed_on_iommu/ this Reddit thread]) have tested the patch, and can confirm that it works, bringing GPU passthrough performance up to near native quality.}}<br />
<br />
=== Further Tuning ===<br />
<br />
More specialized VM tuning tips are available at [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Virtualization_Tuning_and_Optimization_Guide/index.html Red Hat's Virtualization Tuning and Optimization Guide]. This guide may be especially helpful if you are experiencing:<br />
<br />
* Moderate CPU load on the host during downloads/uploads from within the guest: See ''Bridge Zero Copy Transmit'' for a potential fix.<br />
* Guests capping out at certain network speeds during downloads/uploads despite virtio-net being used: See ''Multi-queue virtio-net'' for a potential fix.<br />
* Guests "stuttering" under high I/O, despite the same workload not affecting hosts to the same degree: See ''Multi-queue virtio-scsi'' for a potential fix.<br />
<br />
== Special procedures ==<br />
<br />
Certain setups require specific configuration tweaks in order to work properly. If you are having problems getting your host or your VM to work properly, see if your system matches one of the cases below and try adjusting your configuration accordingly.<br />
<br />
=== Using identical guest and host GPUs ===<br />
<br />
{{Expansion|A number of users have been having issues with this, it should probably be adressed by the article.|Talk:PCI passthrough via OVMF#Additionnal sections}}<br />
<br />
Due to how both pci-stub and vfio-pci use your vendor and device id pair to identify which device they need to bind to at boot, if you have two GPUs sharing such an ID pair you will not be able to get your passthough driver to bind with just one of them. This sort of setup makes it necessary to use a script, so that whichever driver you are using is instead assigned by pci bus address using the {{ic|driver_override}} mechanism.<br />
<br />
==== Script variants ====<br />
<br />
===== Passthrough all GPUs but the boot GPU =====<br />
<br />
Here, we will make a script to bind vfio-pci to all GPUs but the boot gpu. Create the script {{ic|/usr/bin/vfio-pci-override.sh}}:<br />
<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
<br />
for i in /sys/devices/pci*/*/boot_vga; do<br />
if [ $(cat "$i") -eq 0 ]; then<br />
GPU="${i%/boot_vga}"<br />
AUDIO="$(echo "$GPU" | sed -e "s/0$/1/")"<br />
echo "vfio-pci" > "$GPU/driver_override"<br />
if [ -d "$AUDIO" ]; then<br />
echo "vfio-pci" > "$AUDIO/driver_override"<br />
fi<br />
fi<br />
done<br />
<br />
modprobe -i vfio-pci<br />
</nowiki>}}<br />
<br />
===== Passthrough selected GPU =====<br />
<br />
In this case we manually specify the GPU to bind.<br />
<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
<br />
GROUP="0000:00:03.0"<br />
DEVS="0000:03:00.0 0000:03:00.1 ."<br />
<br />
if [ ! -z "$(ls -A /sys/class/iommu)" ]; then<br />
for DEV in $DEVS; do<br />
echo "vfio-pci" > /sys/bus/pci/devices/$GROUP/$DEV/driver_override<br />
done<br />
fi<br />
<br />
modprobe -i vfio-pci<br />
</nowiki>}}<br />
<br />
==== Script installation ====<br />
<br />
Create {{ic|/etc/modprobe.d/vfio.conf}} with the following:<br />
<br />
install vfio-pci /usr/bin/vfio-pci-override.sh<br />
<br />
Edit {{ic|/etc/mkinitcpio.conf}}<br />
<br />
Remove any video drivers from MODULES, and add {{ic|vfio-pci}}, and {{ic|vfio_iommu_type1}}<br />
<br />
MODULES=(ext4 vfat vfio-pci vfio_iommu_type1)<br />
<br />
Add {{ic|/etc/modprobe.d/vfio.conf}} and {{ic|/usr/bin/vfio-pci-override.sh}} to FILES:<br />
<br />
FILES=(/etc/modprobe.d/vfio.conf /usr/bin/vfio-pci-override.sh)<br />
<br />
[[Regenerate the initramfs]] and reboot:<br />
<br />
=== Passing the boot GPU to the guest ===<br />
<br />
{{Expansion|Not possible at the time as far as I'm aware, but a common issue on various forums.|Talk:PCI passthrough via OVMF#Additionnal sections}}<br />
<br />
The GPU marked as {{ic|boot_vga}} is a special case when it comes to doing PCI passthroughs, since the BIOS needs to use it in order to display things like boot messages or the BIOS configuration menu. To do that, it makes [https://www.redhat.com/archives/vfio-users/2016-May/msg00224.html a copy of the VGA boot ROM which can then be freely modified]. This modified copy is the version the system gets to see, which the passthrough driver may reject as invalid. As such, it is generally recommended to change the boot GPU in the BIOS configuration so the host GPU is used instead or, if that's not possible, to swap the host and guest cards in the machine itself.<br />
<br />
=== Using Looking Glass to stream guest screen to the host ===<br />
<br />
It is possible to make VM share the monitor, and optionally a keyboard and a mouse with a help of [https://looking-glass.hostfission.com/ Looking Glass].<br />
<br />
==== Adding IVSHMEM Device to VM ====<br />
<br />
Looking glass works by creating a shared memory buffer between a host and a guest. This is a lot faster than streaming frames via localhost, but requires additional setup. <br />
<br />
With your VM turned off open the machine configuration<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<devices><br />
...<br />
<shmem name='looking-glass'><br />
<model type='ivshmem-plain'/><br />
<size unit='M'>32</size><br />
</shmem><br />
</devices><br />
...<br />
</nowiki>}}<br />
<br />
You should replace 32 with your own calculated value based on what resolution you are going to pass through. It can be calculated like this:<br />
<br />
width x height x 4 x 2 = total bytes<br />
total bytes / 1024 / 1024 = total megabytes + 2<br />
<br />
For example, in case of 1920x1080<br />
<br />
1920 x 1080 x 4 x 2 = 16,588,800 bytes<br />
16,588,800 / 1024 / 1024 = 15.82 MB + 2 = 17.82<br />
<br />
The result must be '''rounded up''' to the nearest power of two, and since 17.82 is bigger than 16 we should choose 32.<br />
<br />
Next create a script to create a shared memory file.<br />
<br />
{{hc|/usr/local/bin/looking-glass-init.sh|2=<br />
#!/bin/sh<br />
<br />
touch /dev/shm/looking-glass<br />
chown '''user''':kvm /dev/shm/looking-glass<br />
chmod 660 /dev/shm/looking-glass<br />
}}<br />
<br />
Replace user with your username.<br />
<br />
Remember to make the script [[executable]].<br />
<br />
Create a [[systemd]] unit to execute this script during boot<br />
<br />
{{hc|/etc/systemd/system/looking-glass-init.service|2=<br />
[Unit]<br />
Description=Create shared memory for looking glass<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/local/bin/looking-glass-init.sh<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
[[Start]] and [[enable]] {{ic|looking-glass-init.service}}<br />
<br />
==== Installing the IVSHMEM Host to Windows guest ====<br />
<br />
Currently Windows would not notify users about a new IVSHMEM device, it would silently install a dummy driver. To actually enable the device you have to go into device manager and update the driver for the device under the "System Devices" node for '''"PCI standard RAM Controller"'''. Download a signed driver [https://github.com/virtio-win/kvm-guest-drivers-windows/issues/217 from issue 217], as it is not yet available elsewhere.<br />
<br />
Once the driver is installed you must download the latest [https://looking-glass.hostfission.com/downloads looking-glass-host] from the looking glass website and start it on your guest. In order to run it you would also need to install Microsoft Visual C++ Redistributable from [https://www.visualstudio.com/downloads/ Microsoft]<br />
It is also possible to make it start automatically on VM boot by editing the {{ic|HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run}} registry and adding a path to the downloaded executable.<br />
<br />
==== Getting a client ====<br />
<br />
Looking glass client can be installed from AUR using {{AUR|looking-glass}} or {{AUR|looking-glass-git}} packages.<br />
You can start it once the VM is set up and running<br />
<br />
$ looking-glass-client<br />
<br />
If you do not want to use Spice to control the guest mouse and keyboard you can disable the Spice server<br />
<br />
$ looking-glass-client -s<br />
<br />
Refer to <br />
<br />
$ looking-glass-client --help<br />
<br />
for more info<br />
<br />
=== Bypassing the IOMMU groups (ACS override patch) ===<br />
<br />
If you find your PCI devices grouped among others that you do not wish to pass through, you may be able to seperate them using Alex Williamson's ACS override patch. Make sure you understand [https://vfio.blogspot.com/2014/08/iommu-groups-inside-and-out.html the potential risk] of doing so. <br />
<br />
You will need a kernel with the patch applied. The easiest method to acquiring this is through the {{AUR|linux-vfio}} package. <br />
<br />
In addition, the ACS override patch needs to be enabled with kernel command line options. The patch file adds the following documentation:<br />
<br />
pcie_acs_override =<br />
[PCIE] Override missing PCIe ACS support for:<br />
downstream<br />
All downstream ports - full ACS capabilties<br />
multifunction<br />
All multifunction devices - multifunction ACS subset<br />
id:nnnn:nnnn<br />
Specfic device - full ACS capabilities<br />
Specified as vid:did (vendor/device ID) in hex<br />
<br />
The option {{ic|1=pcie_acs_override=downstream}} is typically sufficient.<br />
<br />
After installation and configuration, reconfigure your [[Kernel parameters|bootloader kernel parameters]] to load the new kernel with the {{ic|1=pcie_acs_override=}} option enabled.<br />
<br />
== Plain QEMU without libvirt ==<br />
<br />
Instead of setting up a virtual machine with the help of libvirt, plain QEMU commands with custom parameters can be used for running the VM intended to be used with PCI passthrough. This is desirable for some use cases like scripted setups, where the flexibility for usage with other scripts is needed.<br />
<br />
To achieve this after [[#Setting up IOMMU]] and [[#Isolating the GPU]], follow the [[QEMU]] article to setup the virtualized environment, [[QEMU#Enabling KVM|enable KVM]] on it and use the flag {{ic|1=-device vfio-pci,host=07:00.0}} replacing the identifier (07:00.0) with your actual device's ID that you used for the GPU isolation earlier.<br />
<br />
For utilizing the OVMF firmware, make sure the {{Pkg|ovmf}} package is installed, copy the UEFI variables from {{ic|/usr/share/ovmf/x64/OVMF_VARS.fd}} to temporary location like {{ic|/tmp/MY_VARS.fd}} and finally specify the OVMF paths by appending the following parameters to the QEMU command (order matters):<br />
<br />
* {{ic|1=-drive if=pflash,format=raw,readonly,file=/usr/share/ovmf/x64/OVMF_CODE.fd}} for the actual OVMF firmware binary, note the readonly option<br />
* {{ic|1=-drive if=pflash,format=raw,file=/tmp/MY_VARS.fd}} for the variables<br />
<br />
{{Note|QEMU's default SeaBIOS can be used instead of OVMF, but it's not recommended as it can cause issues with passthrough setups.}}<br />
<br />
It's recommended to study the QEMU article for ways to enhance the performance by using the [[QEMU#Installing virtio drivers|virtio drivers]] and other further configurations for the setup.<br />
<br />
You also might have to use the {{ic|1=-cpu host,kvm=off}} parameter to forward the host's CPU model info to the VM and fool the virtualization detection used by Nvidia's and possibly other manufacturers' device drivers trying to block the full hardware usage inside a virtualized system.<br />
<br />
== Passing though other devices ==<br />
<br />
=== USB controller ===<br />
<br />
If your motherboard has multiple USB controllers mapped to multiple groups, it is possible to pass those instead of USB devices. Passing an actual controller over an individual USB device provides the following advantages : <br />
<br />
* If a device disconnects or changes ID over the course of an given operation (such as a phone undergoing an update), the VM will not suddenly stop seeing it.<br />
* Any USB port managed by this controller is directly handled by the VM and can have its devices unplugged, replugged and changed without having to notify the hypervisor.<br />
* Libvirt will not complain if one of the USB devices you usually pass to the guest is missing when starting the VM.<br />
<br />
Unlike with GPUs, drivers for most USB controllers do not require any specific configuration to work on a VM and control can normally be passed back and forth between the host and guest systems with no side effects.<br />
<br />
{{Warning|Make sure your USB controller supports resetting :[[#Passing through a device that does not support resetting]]}}<br />
<br />
You can find out which PCI devices correspond to which controller and how various ports and devices are assigned to each one of them using this command :<br />
<br />
{{hc|$ <nowiki>for usb_ctrl in $(find /sys/bus/usb/devices/usb* -maxdepth 0 -type l); do pci_path="$(dirname "$(realpath "${usb_ctrl}")")"; echo "Bus $(cat "${usb_ctrl}/busnum") --> $(basename $pci_path) (IOMMU group $(basename $(realpath $pci_path/iommu_group)))"; lsusb -s "$(cat "${usb_ctrl}/busnum"):"; echo; done</nowiki>|<br />
Bus 1 --> 0000:00:1a.0 (IOMMU group 4)<br />
Bus 001 Device 004: ID 04f2:b217 Chicony Electronics Co., Ltd Lenovo Integrated Camera (0.3MP)<br />
Bus 001 Device 007: ID 0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]<br />
Bus 001 Device 008: ID 0781:5530 SanDisk Corp. Cruzer<br />
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub<br />
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub<br />
<br />
Bus 2 --> 0000:00:1d.0 (IOMMU group 9)<br />
Bus 002 Device 006: ID 0451:e012 Texas Instruments, Inc. TI-Nspire Calculator<br />
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub<br />
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub<br />
}}<br />
<br />
This laptop has 3 USB ports managed by 2 USB controllers, each with their own IOMMU group. In this example, Bus 001 manages a single USB port (with a SanDisk USB pendrive plugged into it so it appears on the list), but also a number of internal devices, such as the internal webcam and the bluetooth card. Bus 002, on the other hand, does not apprear to manage anything except for the calculator that is plugged into it. The third port is empty, which is why it does not show up on the list, but is actually managed by Bus 002.<br />
<br />
Once you have identified which controller manages which ports by plugging various devices into them and decided which one you want to passthrough, simply add it to the list of PCI host devices controlled by the VM in your guest configuration. No other configuration should be needed.<br />
<br />
{{Note|If your usb controller does not support resetting, is not in an isolated group, or is otherwise unable to be passed through then it may still be possible to accomplish similar results through udev rules. See https://github.com/olavmrk/usb-libvirt-hotplug which allows any device connected to specified usb ports to be automatically attached to a vm]]}}<br />
<br />
=== Passing VM audio to host via PulseAudio ===<br />
<br />
It is possible to route the virtual machine's audio to the host as an application using libvirt. This has the advantage of multiple audio streams being routable to one host output, and working with audio output devices that do not support passthrough. [[PulseAudio]] is required for this to work.<br />
<br />
First, remove the comment from the {{ic|1=#user = ""}} line. Then add your username in the quotations. This tells QEMU which user's pulseaudio stream to route through.<br />
<br />
{{hc|/etc/libvirt/qemu.conf|2=<br />
user = "example"<br />
}}<br />
<br />
Next, modify the libvirt configuration<br />
<br />
{{hc|$ virsh edit [vmname]|<br />
<domain type<nowiki>=</nowiki>'kvm'><br />
}}<br />
<br />
to<br />
<br />
{{hc|$ virsh edit [vmname]|<br />
<domain type<nowiki>=</nowiki>'kvm' xmlns:qemu<nowiki>='http://libvirt.org/schemas/domain/qemu/1.0'</nowiki>><br />
}}<br />
<br />
Then set the QEMU PulseAudio environment variables at the bottom of the libvirt xml file<br />
<br />
{{hc|$ virsh edit [vmname]|<br />
</devices><br />
</domain><br />
}}<br />
<br />
to<br />
<br />
{{hc|$ virsh edit [vmname]|<br />
</devices><br />
<qemu:commandline><br />
<qemu:env name<nowiki>=</nowiki>'QEMU_AUDIO_DRV' value<nowiki>=</nowiki>'pa'/><br />
<qemu:env name<nowiki>=</nowiki>'QEMU_PA_SERVER' value<nowiki>=</nowiki>'/run/user/1000/pulse/native'/><br />
</qemu:commandline><br />
</domain><br />
}}<br />
<br />
Change 1000 under the user directory to your user uid (which can be found by running the {{ic|id}} command. Remember to save the file and exit it without ending the process before continuing, otherwise the changes will not register. If you get the message {{ic|<nowiki>Domain [vmname] XML configuration edited.</nowiki>}} after exiting, it means that your changes have been applied.<br />
<br />
[[Restart]] {{ic|libvirtd.service}} and [[systemd/User|user service]] {{ic|pulseaudio.service}}.<br />
<br />
Virtual Machine audio will now be routed through the host as an application. The application {{Pkg|pavucontrol}} can be used to control the output device. Be aware that on Windows guests, this can cause audio crackling without [[#Slowed down audio pumped through HDMI on the video card|using Message-Signaled Interrupts.]]<br />
<br />
=== Physical Disk/Partition ===<br />
<br />
A whole disk or a partition may be used as a whole for improved I/O performance by adding an entry to XML<br />
<br />
{{hc|$ virsh edit [vmname]| <nowiki><br />
<devices><br />
...<br />
<disk type='block' device='disk'><br />
<driver name='qemu' type='raw' cache='none' io='native'/><br />
<source dev='/dev/sdXX'/><br />
<target dev='vda' bus='virtio'/><br />
<address type='pci' domain='0x0000' bus='0x02' slot='0x0a' function='0x0'/><br />
</disk><br />
...<br />
</devices><br />
</nowiki><br />
}}<br />
<br />
This would require a driver on Windows guests, refer to [[#Setting up the guest OS]].<br />
<br />
=== Gotchas ===<br />
<br />
==== Passing through a device that does not support resetting ====<br />
<br />
When the VM shuts down, all devices used by the guest are deinitialized by its OS in preparation for shutdown. In this state, those devices are no longer functionnal and must then be power-cycled before they can resume normal operation. Linux can handle this power-cycling on its own, but when a device has no known reset methods, it remains in this disabled state and becomes unavailable. Since Libvirt and Qemu both expect all host PCI devices to be ready to reattach to the host before completely stopping the VM, when encountering a device that will not reset, they will hang in a "Shutting down" state where they will not be able to be restarted until the host system has been rebooted. It is therefore reccomanded to only pass through PCI devices which the kernel is able to reset, as evidenced by the presence of a {{ic|reset}} file in the PCI device sysfs node, such as {{ic|/sys/bus/pci/devices/0000:00:1a.0/reset}}.<br />
<br />
The following bash command shows which devices can and cannot be reset.<br />
<br />
{{hc|<nowiki>for iommu_group in $(find /sys/kernel/iommu_groups/ -maxdepth 1 -mindepth 1 -type d);do echo "IOMMU group $(basename "$iommu_group")"; for device in $(\ls -1 "$iommu_group"/devices/); do if [[ -e "$iommu_group"/devices/"$device"/reset ]]; then echo -n "[RESET]"; fi; echo -n $'\t';lspci -nns "$device"; done; done</nowiki>|<br />
IOMMU group 0<br />
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v2/Ivy Bridge DRAM Controller [8086:0158] (rev 09)<br />
IOMMU group 1<br />
00:01.0 PCI bridge [0604]: Intel Corporation Xeon E3-1200 v2/3rd Gen Core processor PCI Express Root Port [8086:0151] (rev 09)<br />
01:00.0 VGA compatible controller [0300]: NVIDIA Corporation GK208 [GeForce GT 720] [10de:1288] (rev a1)<br />
01:00.1 Audio device [0403]: NVIDIA Corporation GK208 HDMI/DP Audio Controller [10de:0e0f] (rev a1)<br />
IOMMU group 2<br />
00:14.0 USB controller [0c03]: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller [8086:1e31] (rev 04)<br />
IOMMU group 4<br />
[RESET] 00:1a.0 USB controller [0c03]: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #2 [8086:1e2d] (rev 04)<br />
IOMMU group 5<br />
[RESET] 00:1b.0 Audio device [0403]: Intel Corporation 7 Series/C210 Series Chipset Family High Definition Audio Controller [8086:1e20] (rev 04)<br />
IOMMU group 10<br />
[RESET] 00:1d.0 USB controller [0c03]: Intel Corporation 7 Series/C210 Series Chipset Family USB Enhanced Host Controller #1 [8086:1e26] (rev 04)<br />
IOMMU group 13<br />
06:00.0 VGA compatible controller [0300]: NVIDIA Corporation GM204 [GeForce GTX 970] [10de:13c2] (rev a1)<br />
06:00.1 Audio device [0403]: NVIDIA Corporation GM204 High Definition Audio Controller [10de:0fbb] (rev a1)<br />
}}<br />
<br />
This signals that the xHCI USB controller in 00:14.0 cannot be reset and will therefore stop the VM from shutting down properly, while the integrated sound card in 00:1b.0 and the other two controllers in 00:1a.0 and 00:1d.0 do not share this problem and can be passed without issue.<br />
<br />
== Complete setups and examples ==<br />
<br />
If you have trouble configuring a certain mechanism in your setup, you might want to look up [[PCI_passthrough_via_OVMF/Examples|complete passthrough setup examples]]. A few users have described their setups and you might want to look up certain tricks from their configuration files.<br />
<br />
== Troubleshooting ==<br />
<br />
If your issue is not mentioned below, you may want to browse [[QEMU#Troubleshooting]].<br />
<br />
=== "Error 43: Driver failed to load" on Nvidia GPUs passed to Windows VMs ===<br />
<br />
{{Note|<br />
* This may also fix SYSTEM_THREAD_EXCEPTION_NOT_HANDLED boot crashes related to Nvidia drivers.<br />
* This may also fix problems under linux guests.<br />
}}<br />
<br />
Since version 337.88, Nvidia drivers on Windows check if an hypervisor is running and fail if it detects one, which results in an Error 43 in the Windows device manager. Starting with QEMU 2.5.0 and libvirt 1.3.3, the vendor_id for the hypervisor can be spoofed, which is enough to fool the Nvidia drivers into loading anyway. All one must do is add {{ic|<nowiki>hv_vendor_id=whatever</nowiki>}} to the cpu parameters in their QEMU command line, or by adding the following line to their libvirt domain configuration. It may help for the ID to be set to a 12-character alphanumeric (e.g. '1234567890ab') as opposed to longer or shorter strings.<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<features><br />
<hyperv><br />
...<br />
<vendor_id state='on' value='whatever'/><br />
...<br />
</hyperv><br />
...<br />
<kvm><br />
<hidden state='on'/><br />
</kvm><br />
</features><br />
...<br />
</nowiki>}}<br />
<br />
Users with older versions of QEMU and/or libvirt will instead have to disable a few hypervisor extensions, which can degrade performance substantially. If this is what you want to do, do the following replacement in your libvirt domain config file.<br />
<br />
{{hc|$ virsh edit [vmname]|<nowiki><br />
...<br />
<features><br />
<hyperv><br />
<relaxed state='on'/><br />
<vapic state='on'/><br />
<spinlocks state='on' retries='8191'/><br />
</hyperv><br />
...<br />
</features><br />
...<br />
<clock offset='localtime'><br />
<timer name='hypervclock' present='yes'/><br />
</clock><br />
...<br />
</nowiki>}}<br />
<br />
{{bc|<nowiki><br />
...<br />
<clock offset='localtime'><br />
<timer name='hypervclock' present='no'/><br />
</clock><br />
...<br />
<features><br />
<kvm><br />
<hidden state='on'/><br />
</kvm><br />
...<br />
<hyperv><br />
<relaxed state='off'/><br />
<vapic state='off'/><br />
<spinlocks state='off'/><br />
</hyperv><br />
...<br />
</features><br />
...<br />
</nowiki>}}<br />
<br />
==== "BAR 3: cannot reserve [mem]" error in dmesg after starting VM ====<br />
<br />
With respect to [https://www.linuxquestions.org/questions/linux-kernel-70/kernel-fails-to-assign-memory-to-pcie-device-4175487043/ this article]:<br />
<br />
If you still have code 43 check dmesg for memory reservation errors after starting up VM, if you have similar it could be the case:<br />
<br />
vfio-pci 0000:09:00.0: BAR 3: cannot reserve [mem 0xf0000000-0xf1ffffff 64bit pref]<br />
<br />
Find out a PCI Bridge your graphic card is connected to. This will give actual hierarchy of devices:<br />
<br />
$ lspci -t<br />
<br />
Before starting VM run following lines replacing IDs with actual from previous output.<br />
<br />
# echo 1 > /sys/bus/pci/devices/0000\:00\:03.1/remove<br />
# echo 1 > /sys/bus/pci/rescan<br />
<br />
{{Note|Probably setting [[kernel parameter]] {{ic|1=video=efifb:off}} is required as well. [https://pve.proxmox.com/wiki/Pci_passthrough#BAR_3:_can.27t_reserve_.5Bmem.5D_error Source]}}<br />
<br />
=== UEFI (OVMF) Compatibility in VBIOS ===<br />
<br />
With respect to [https://pve.proxmox.com/wiki/Pci_passthrough#How_to_known_if_card_is_UEFI_.28ovmf.29_compatible this article]:<br />
<br />
Error 43 can be caused by the GPU's VBIOS without UEFI support. To check whenever your VBIOS supports it, you will have to use {{ic|rom-parser}}:<br />
<br />
$ git clone https://github.com/awilliam/rom-parser<br />
$ cd rom-parser && make<br />
<br />
Dump the GPU VBIOS:<br />
<br />
# echo 1 > /sys/bus/pci/devices/0000:01:00.0/rom<br />
# cat /sys/bus/pci/devices/0000:01:00.0/rom > /tmp/image.rom<br />
# echo 0 > /sys/bus/pci/devices/0000:01:00.0/rom<br />
<br />
And test it for compatibility:<br />
<br />
{{hc|$ ./rom-parser /tmp/image.rom|<br />
Valid ROM signature found @600h, PCIR offset 190h<br />
PCIR: type 0 (x86 PC-AT), vendor: 10de, device: 1184, class: 030000<br />
PCIR: revision 0, vendor revision: 1<br />
Valid ROM signature found @fa00h, PCIR offset 1ch<br />
PCIR: type 3 (EFI), vendor: 10de, device: 1184, class: 030000<br />
PCIR: revision 3, vendor revision: 0<br />
EFI: Signature Valid, Subsystem: Boot, Machine: X64<br />
Last image<br />
}}<br />
<br />
To be UEFI compatible, you need a "type 3 (EFI)" in the result. If it's not there, try updating your GPU VBIOS. GPU manufacturers often share VBIOS upgrades on their support pages. A large database of known compatible and working VBIOSes (along with their UEFI compatibility status!) is available on [https://www.techpowerup.com/vgabios/ TechPowerUp].<br />
<br />
Updated VBIOS can be used in the VM without flashing. To load it in QEMU:<br />
<br />
-device vfio-pci,host=07:00.0,......,romfile=/path/to/your/gpu/bios.bin \<br />
<br />
And in libvirt:<br />
<br />
{{bc|1=<br />
<hostdev><br />
...<br />
<rom file='/path/to/your/gpu/bios.bin'/><br />
...<br />
</hostdev><br />
}}<br />
<br />
One should compare VBIOS versions between host and guest systems using [https://www.techpowerup.com/download/nvidia-nvflash/ nvflash] (Linux versions under ''Show more versions'') or <br />
[https://www.techpowerup.com/download/techpowerup-gpu-z/ GPU-Z] (in Windows guest). To check the currently loaded VBIOS:<br />
<br />
{{hc|$ ./nvflash --version|<br />
...<br />
Version : 80.04.XX.00.97<br />
...<br />
UEFI Support : No<br />
UEFI Version : N/A<br />
UEFI Variant Id : N/A ( Unknown )<br />
UEFI Signer(s) : Unsigned<br />
...<br />
}}<br />
<br />
And to check a given VBIOS file:<br />
<br />
{{hc|$ ./nvflash --version NV299MH.rom|<br />
...<br />
Version : 80.04.XX.00.95<br />
...<br />
UEFI Support : Yes<br />
UEFI Version : 0x10022 (Jul 2 2013 @ 16377903 )<br />
UEFI Variant Id : 0x0000000000000004 ( GK1xx )<br />
UEFI Signer(s) : Microsoft Corporation UEFI CA 2011<br />
...<br />
}}<br />
<br />
If the external ROM did not work as it should in the guest, you will have to flash the newer VBIOS image to the GPU. In some cases it is possible to create your own VBIOS image with UEFI support using [https://www.win-raid.com/t892f16-AMD-and-Nvidia-GOP-update-No-requests-DIY.html GOPUpd] tool, however this is risky and may result in GPU brick.<br />
<br />
{{Warning|Failure during flashing may "brick" your GPU - recovery may be possible, but rarely easy and often requires additional hardware. '''DO NOT''' flash VBIOS images for other GPU models (different boards may use different VBIOSes, clocks, fan configuration). If it breaks, you get to keep all the pieces.}}<br />
<br />
In order to avoid the irreparable damage to your graphics adapter it is necessary to unload the NVIDIA kernel driver first:<br />
<br />
# modprobe -r nvidia_modeset nvidia <br />
<br />
Flashing the VBIOS can be done with:<br />
<br />
# ./nvflash romfile.bin<br />
<br />
{{Warning|'''DO NOT''' interrupt the flashing process, even if it looks like it's stuck. Flashing should take about a minute on most GPUs, but may take longer.}}<br />
<br />
=== Slowed down audio pumped through HDMI on the video card ===<br />
<br />
For some users VM's audio slows down/starts stuttering/becomes demonic after a while when it's pumped through HDMI on the video card. This usually also slows down graphics.<br />
A possible solution consists of enabling MSI (Message Signaled-Based Interrupts) instead of the default (Line-Based Interrupts).<br />
<br />
In order to check whether MSI is supported or enabled, run the following command as root:<br />
<br />
# lspci -vs $device | grep 'MSI:'<br />
<br />
where `$device` is the card's address (e.g. `01:00.0`).<br />
<br />
The output should be similar to:<br />
<br />
Capabilities: [60] MSI: Enable'''-''' Count=1/1 Maskable- 64bit+<br />
<br />
A {{ic|-}} after {{ic|Enable}} means MSI is supported, but not used by the VM, while a {{ic|+}} says that the VM is using it.<br />
<br />
The procedure to enable it is quite complex, instructions and an overview of the setting can be found [https://forums.guru3d.com/showthread.php?t=378044 here].<br />
<br />
Other hints can be found on the [https://lime-technology.com/wiki/index.php/UnRAID_6/VM_Guest_Support#Enable_MSI_for_Interrupts_to_Fix_HDMI_Audio_Support lime-technology's wiki], or on this article on [https://vfio.blogspot.it/2014/09/vfio-interrupts-and-how-to-coax-windows.html VFIO tips and tricks].<br />
<br />
Some tools named {{ic|MSI_util}} or similar are available on the Internet, but they do not work on Windows 10 64bit.<br />
<br />
In order to fix the issues enabling MSI on the 0 function of a nVidia card ({{ic|01:00.0 VGA compatible controller: NVIDIA Corporation GM206 [GeForce GTX 960] (rev a1) (prog-if 00 [VGA controller])}}) was not enough; it will also be required to enable it on the other function ({{ic|01:00.1 Audio device: NVIDIA Corporation Device 0fba (rev a1)}}) to fix the issue.<br />
<br />
=== No HDMI audio output on host when intel_iommu is enabled ===<br />
<br />
If after enabling {{ic|intel_iommu}} the HDMI output device of Intel GPU becomes unusable on the host then setting the option {{ic|igfx_off}} (i.e. {{ic|1=intel_iommu=on,igfx_off}}) might bring the audio back, please read {{ic|Graphics Problems?}} in [https://www.kernel.org/doc/Documentation/Intel-IOMMU.txt Intel-IOMMU.txt] for details about setting {{ic|igfx_off}}.<br />
<br />
=== X does not start after enabling vfio_pci ===<br />
<br />
This is related to the host GPU being detected as a secondary GPU, which causes X to fail/crash when it tries to load a driver for the guest GPU. To circumvent this, a Xorg configuration file specifying the BusID for the host GPU is required. The correct BusID can be acquired from lspci or the Xorg log. [https://www.redhat.com/archives/vfio-users/2016-August/msg00025.html Source →]<br />
<br />
{{hc|/etc/X11/xorg.conf.d/10-intel.conf|<nowiki><br />
Section "Device"<br />
Identifier "Intel GPU"<br />
Driver "modesetting"<br />
BusID "PCI:0:2:0"<br />
EndSection<br />
</nowiki>}}<br />
<br />
=== Chromium ignores integrated graphics for acceleration ===<br />
<br />
Chromium and friends will try to detect as many GPUs as they can in the system and pick which one is preferred (usually discrete NVIDIA/AMD graphics). It tries to pick a GPU by looking at PCI devices, not OpenGL renderers available in the system - the result is that Chromium may ignore the integrated GPU available for rendering and try to use the dedicated GPU bound to the {{ic|vfio-pci}} driver, and unusable on the host system, regardless of whenever a guest VM is running or not. This results in software rendering being used (leading to higher CPU load, which may also result in choppy video playback, scrolling and general un-smoothness).<br />
<br />
This can be fixed by [[Chromium/Tips and tricks#Forcing specific GPU|explicitly telling Chromium which GPU you want to use]].<br />
<br />
=== VM only uses one core ===<br />
<br />
For some users, even if IOMMU is enabled and the core count is set to more than 1, the VM still only uses one CPU core and thread. To solve this enable "Manually set CPU topology" in {{ic|virt-manager}} and set it to the desirable amount of CPU sockets, cores and threads. Keep in mind that "Threads" refers to the thread count per CPU, not the total count.<br />
<br />
=== Passthrough seems to work but no output is displayed ===<br />
<br />
Make sure if you are using virt-manager that UEFI firmware is selected for your virtual machine. Also, make sure you have passed the correct device to the VM.<br />
<br />
=== virt-manager has permission issues ===<br />
<br />
If you are getting a permission error with virt-manager add the following to your {{ic|/etc/libvirt/qemu.conf}}:<br />
<br />
group="kvm"<br />
user="''user''"<br />
<br />
If that does not work make sure your user account is added to the kvm and libvirt [[groups]].<br />
<br />
=== Host Lockup After VM Shutdown ===<br />
<br />
This issue seems to primarily affect users running a Windows 10 guest and usually after the VM has been run for a prolonged period of time: the host will experience multiple CPU core lockups (see [https://bbs.archlinux.org/viewtopic.php?id=206050&p=2]). To fix this try enabling Message Signal Interrupts on the GPU passed through to the guest. A good guide for how to do this can be found in [https://forums.guru3d.com/threads/windows-line-based-vs-message-signaled-based-interrupts.378044/].<br />
<br />
== See also ==<br />
<br />
* [https://bbs.archlinux.org/viewtopic.php?id=162768 Discussion on Arch Linux forums] | [https://archive.is/kZYMt Archived link]<br />
* [https://docs.google.com/spreadsheet/ccc?key=0Aryg5nO-kBebdFozaW9tUWdVd2VHM0lvck95TUlpMlE User contributed hardware compatibility list]<br />
* [https://pastebin.com/rcnUZCv7 Example script from https://www.youtube.com/watch?v=37D2bRsthfI]<br />
* [https://vfio.blogspot.com/ Complete tutorial for PCI passthrough]<br />
* [https://www.redhat.com/archives/vfio-users/ VFIO users mailing list]<br />
* [https://webchat.freenode.net/?channels=vfio-users #vfio-users on freenode]<br />
* [https://www.youtube.com/watch?v=aLeWg11ZBn0 YouTube: Level1Linux - GPU Passthrough for Virtualization with Ryzen]</div>Smasher816https://wiki.archlinux.org/index.php?title=Talk:WireGuard&diff=520022Talk:WireGuard2018-05-03T03:54:23Z<p>Smasher816: /* systemd-networkd-wait-online.service needed? */ new section</p>
<hr />
<div>== client/server ==<br />
<br />
I'm not sure that we should named both peers as "client" "server" as the documentation will mainly talk about "peer"<br />
<br />
[[User:Bobsaintcool|Bobsaintcool]] ([[User talk:Bobsaintcool|talk]]) 17:36, 29 December 2017 (UTC) bobsaintcool<br />
<br />
:That sounds sane. It was mostly what made sense to me when learning wireguard.<br />
:[[User:Foxboron|Foxboron]] ([[User talk:Foxboron|talk]]) 18:23, 29 December 2017 (UTC)<br />
<br />
::I've done some modication in that way<br />
::[[User:Bobsaintcool|Bobsaintcool]] ([[User talk:Bobsaintcool|talk]]) 19:34, 29 December 2017 (UTC)bobsaintcool<br />
<br />
== Suggest adding advice about IP forwarding ==<br />
<br />
When I set up wireguard it took me a little time to realize I had to enable IP forwarding in the kernel. Once I knew, all I had to do was:<br />
# sysctl net.ipv4.ip_forward=1<br />
So I think that would be good to add to the troubleshooting section or the tips and tricks section. The iptables forwarding rules suggested here won't work with that turned off.<br />
<br />
[[User:Buffalo|Buffalo]] ([[User talk:Buffalo|talk]]) 23:28, 3 February 2018 (UTC)<br />
<br />
:I do not have this parameter set and wireguard works without any issues on my setup [[User:Gregosky|Gregosky]] ([[User talk:Gregosky|talk]]) 10:14, 7 February 2018 (UTC)<br />
<br />
== Sounds Like an Ad ==<br />
<br />
Being a blurb from the project's authors is no excuse. The following, unsubstantiated claim sounds like an advertisement:<br />
<br />
:... it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.<br />
<br />
== systemd-networkd-wait-online.service needed? ==<br />
<br />
{{ic|wq-quick@.service}} already contains {{ic|1=After=network-online.target}}. Enabling the wait online service causes the whole boot process to pause while waiting for a network connection and can dramatically increase boot times.</div>Smasher816https://wiki.archlinux.org/index.php?title=Talk:Improving_performance&diff=492840Talk:Improving performance2017-10-10T00:08:27Z<p>Smasher816: /* ZRam */ new section</p>
<hr />
<div>== Watchdog section ==<br />
<br />
I've added a '''watchdogs''' section.<br />
Tell me what do you think about? --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 10:42, 29 December 2016 (UTC)<br />
:Is it really recommended to disable watchdog services? See [https://linux.die.net/man/8/watchdog watchdog(8)]. Even when running a 'simple' desktop, it needs to monitor a lot of things. Don't forget most MB use a watchdog service. How to know this is really safe? [[User:Francoism|Francoism]] ([[User talk:Francoism|talk]]) 10:52, 29 December 2016 (UTC)<br />
::1. I've never had a problem, see also: https://bbs.archlinux.org/viewtopic.php?id=163768 --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 11:01, 29 December 2016 (UTC)<br />
::2. Your watchdog is related to the specific program ''watchdog'' (https://www.archlinux.org/packages/extra/x86_64/watchdog/), a standalone program, not installed by default, not dependency of other packages. --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 11:05, 29 December 2016 (UTC)<br />
:::You are correct about the watchdog package, but it is just to give you an example of what a watchdog does. It also depends on the hardware and software that's in use. To give you an example, an USB device that causes issues, will be unable to recover if no watchdog is in use. It can also lead to unexpected reboots (a watchdog is able to perform recovery operations) and maybe even hardware damage (see temperature monitoring). The one in the kernel are linked with the CPU/MB it seems, think they are created for some reason. ;) [[User:Francoism|Francoism]] ([[User talk:Francoism|talk]]) 11:13, 29 December 2016 (UTC)<br />
::::No, I don't think so. Low-level hardware interrupt are handled by low-level software, the BIOS/EFI.<br />
::::For what watchdogs do, read the first and third link.<br />
::::I'm with you that "if it exists, there is a good reason, so...", but this doesn't mean everybody need it.<br />
::::PS: What I've written on the wiki is the sum/product of what I have understand/learn about kernel watchdog; an issue started time ago while for the first time I've read about "NMI_watchdog" in the dmesg; the links provided at the end of my edit are the sources from which I extrapolated those information; if you have other sources, share, I'm here to learn in primis. --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 14:54, 29 December 2016 (UTC)<br />
:::::[https://gist.github.com/lahwaacz/5bef7a353cd8cbe49164d2bf4efd47fa Here] is what I get from time to time after plugging someting into my only USB3 port. After that happens, I need to reboot to make it work again. It's definitely tied up to the hardware driver and I'm not really interested in finding out what might happen without the watchdog. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:42, 29 December 2016 (UTC)<br />
::::::Please, explain better your experience, because if you get an hardware problem that stuck your system, the '''watchdog''' should recognize this situation and it will '''automatically''' reboot the system. Without a watchdog the stuck system will continue to go (even if stuck) until you '''manually''' reboot your machine. This is the purpose of a watchdog. This is why it is not a mandatory piece of a laptop/desktop system where user can operate manually (while the user can do this in an embedded device...). --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 16:53, 29 December 2016 (UTC)<br />
::::::Unless you have set {{ic|RuntimeWatchdogSec}} in {{ic|/etc/systemd/system.conf}}, watchdog is not doing anything for you in this case. All watchdog does in an Arch install by default is check if a shutdown has proceeded properly after 10 minutes ({{ic|1=ShutdownWatchdogSec=10m}}). -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 21:06, 30 December 2016 (UTC)<br />
<br />
:Since you've put it on the [[Improving performance]] page, what is the performance improvement in practice? -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 11:30, 29 December 2016 (UTC)<br />
::I recorded a decrease in boot and shutdown time of about 0.1 sec over a 2.0 secs boot (systemd-analyze);<br />
::both hardware and software watchdogs are disabled; the later is 'software', so I believe it "consumes" CPU...I have no evidence about it. If you have it, share here<br />
::PS: What I've written on the wiki is the sum/product of what I have understand/learn about kernel watchdog; an issue started time ago while for the first time I've read about "NMI_watchdog" in the dmesg; the links provided at the end of my edit are the sources from which I extrapolated those information; if you have other sources, share, I'm here to learn in primis. --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 14:54, 29 December 2016 (UTC)<br />
:::And how does that difference compare to the [https://en.wikipedia.org/wiki/Standard_deviation standard deviation] of your measured data? -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 16:42, 29 December 2016 (UTC)<br />
::::These are already ''mean'' values and they are enough for me. If you have an easy way to compute a more detailed report, please tell me. Or better, try by yourself and share your results! --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 16:53, 29 December 2016 (UTC)<br />
:I like the section and think it should be added somewhere in the Wiki. I think for now this is a reasonable place since the focus is on disabling something that may be consuming resources unnecessarily. Additionally at least 1 user has reported that the {{ic|nowatchdog}} kernel parameter did not work for them [https://bbs.archlinux.org/viewtopic.php?id=221239] and that blacklisting the module was the only way to disable watchdog. -- [[User:Rdeckard|Rdeckard]] ([[User_talk:Rdeckard|talk]]) 14:18, 30 December 2016 (UTC)<br />
::Thank you, I will update the section accordingly --[[User:NTia89|nTia89]] ([[User talk:NTia89|talk]]) 14:24, 30 December 2016 (UTC)<br />
<br />
== Tuning IO schedulers ==<br />
Following the bug tracker and as follow https://bugs.archlinux.org/task/54964 in last page spacecase mention that aparently elevator look depreciated.<br />
checking zen kernel show only elevators for noop, deadline & cfq but not the famous bfq, whis until 4.11 was available on normal disk.<br />
Aparently when they merged bfq the kernel fsck it up so so much that only work on ssd?<br />
I think based on that evidence that the section "Tuning IO schedulers" is now poorly writter, not reflect "modern" usage not mention correctly what to do if one want bfq on a hdd neither mention why was bfq removed or if there a patch or something to reenable.<br />
It have place for improvenment like this, but at this point it look better to "split" it into rotating hdd io scheduling performance and improvements and ssd only with a brief explanation why is split and the concecuences of using ssd performances or scheduler on rotating and viseversa.<br />
<br />
{{unsigned|06:32, 17 August 2017|Jristz}}<br />
:Since 4.12, bfq is only available if blk-mq is enabled by adding {{ic|1=scsi_mod.use_blk_mq=y dm_mod.use_blk_mq=y}} to the kernel command line when booting. Even then, {{ic|1=elevator=bfq}} doesn't work, but it's possible to enable it with a udev rule. This change seems to be related to bfq being adopted in the standard kernel. [[User:Pdc|Pdc]] ([[User talk:Pdc|talk]]) 16:56, 17 August 2017 (UTC)<br />
::Update to my previous answer: From version 4.13, linux-zen includes a single queue version of the bfq scheduler, bfq-sq. That is the default scheduler when liunx-zen is booted without the {{ic|1=scsi_mod.use_blk_mq=y dm_mod.use_blk_mq=y}} options. The standard kernel still only has the multiqueue version of bfq.--[[User:Pdc|Pdc]] ([[User talk:Pdc|talk]]) 16:27, 29 September 2017 (UTC)<br />
<br />
== ZRam ==<br />
<br />
Is this section still accurate? <br />
<br />
"The package {{AUR|zramswap}} provides an automated script for setting up such swap devices with optimal settings for your system (such as RAM size and CPU core number). The script creates one zram device per CPU core with a total space equivalent to the RAM available, so you will have a compressed swap with higher priority than regular swap, which will utilize multiple CPU cores for compressing data."<br />
<br />
According to the Linux Kernel docs [https://www.kernel.org/doc/Documentation/blockdev/zram.txt] "ZRAM will always allocate multiple compression streams - one per online CPUs - thus allowing several concurrent compression operations". On the gentoo wiki making multiple devices to get scaling is mentioned as a workaround for pre 3.15 kernels. https://wiki.gentoo.org/wiki/Zram#Caveats.2FCons</div>Smasher816https://wiki.archlinux.org/index.php?title=Certbot&diff=483006Certbot2017-07-27T03:12:47Z<p>Smasher816: Disable authentication on well-known (ex: if root is password protected)</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Encryption]]<br />
[[ja:Let’s Encrypt]]<br />
[https://letsencrypt.org/ Let’s Encrypt] is a free, automated, and open certificate authority utilizing the [[Wikipedia:Automated Certificate Management Environment|ACME]] protocol.<br />
<br />
The official client is called '''Certbot''', which allows to request valid X.509 certificates straight from the command line.<br />
A minimal client with manual CSR creation is available at {{AUR|acme-tiny}}, clients suitable for scripts are {{AUR|simp_le-git}} and {{AUR|letsencrypt-cli}}.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|certbot}} package.<br />
<br />
Plugins are available for automated configuration and installation of the issued certificates in web servers:<br />
* The experimental plugin for [[Nginx]] is provided with the {{Pkg|certbot-nginx}} package.<br />
* Automated installation using the [[Apache HTTP Server]] is enabled via the {{Pkg|certbot-apache}} package.<br />
<br />
== Configuration ==<br />
<br />
Consult the [https://certbot.eff.org/docs/ Certbot documentation] for more information about creation and usage of certificates.<br />
<br />
=== Webroot ===<br />
{{Note|<br />
* The Webroot method requires '''HTTP on port 80''' for Certbot to validate.<br />
** For Certbot to validate using '''HTTPS on port 443''', the Nginx ('''--nginx''') or Apache ('''--apache''') plugin must be used instead of the Webroot ('''--webroot''') method.<br />
* The Server Name must match that of it's corresponding DNS.<br />
* Permissions may need to be altered on the host to allow read-access to {{ic|http://domain.tld/.well-known}}.<br />
<br />
}}<br />
<br />
When using the webroot method the Certbot client places a challenge response inside {{ic|/path/to/domain.tld/html/.well-known/acme-challenge/}} which is used for validation.<br />
<br />
The use of this method is recommend over a manual install; it offers automatically renewal and easier certificate management.<br />
<br />
{{Tip|1=The following initial [[Nginx#Server_blocks|nginx server]] configuration may be helpful to obtain a first-time certificate:<br />
{{hc|/etc/nginx/servers-available/domain.tld|<br />
<nowiki><br />
server {<br />
listen 80;<br />
listen [::]:80;<br />
server_name domain.tld;<br />
root /usr/share/nginx/html;<br />
location / {<br />
index index.htm index.html;<br />
}<br />
}<br />
<br />
# ACME challenge<br />
location ^~ /.well-known {<br />
allow all;<br />
auth_basic off;<br />
alias /var/lib/letsencrypt/.well-known/;<br />
default_type "text/plain";<br />
try_files $uri =404;<br />
}<br />
</nowiki><br />
}}<br />
}}<br />
<br />
==== Obtain certificate(s) ====<br />
Request a certificate for {{ic|domain.tld}} using {{ic|/var/lib/letsencrypt/}} as public accessible path:<br />
# certbot certonly --email '''email@example.com''' --webroot -w '''/var/lib/letsencrypt/''' -d '''domain.tld'''<br />
<br />
To add a (sub)domain, include all registered domains used on the current setup:<br />
# certbot certonly --email '''email@example.com''' --webroot -w '''/var/lib/letsencrypt/''' -d '''domain.tld,sub.domain.tld'''<br />
<br />
To renew (all) the current certificate(s):<br />
# certbot renew<br />
<br />
See [[#Automatic renewal]] as alternative approach.<br />
<br />
=== Manual ===<br />
<br />
{{Note|<br />
* The running webserver has to temporarily stopped.<br />
* Automatically renewal is not available when performing manual install, see [[#Webroot]] instead.<br />
}}<br />
<br />
If there is no plugin for your web server, use the following command:<br />
# certbot certonly --manual<br />
<br />
When preferring to use DNS challenge (TXT record) use:<br />
# certbot certonly --manual --preferred-challenges dns<br />
<br />
This will automatically verify your domain and create a private key and certificate pair. These are placed in {{ic|/etc/letsencrypt/live/''your.domain''/}}.<br />
<br />
You can then manually configure your web server to use the key and certificate in that directory.<br />
<br />
{{Note|Running this command multiple times will create multiple sets of files with a trailing number in {{ic|/etc/letsencrypt/live/''your.domain''/}} so take care to rename them in that directory or in the webserver config file.}}<br />
<br />
== Advanced Configuration ==<br />
<br />
=== Webserver Configuration ===<br />
Instead of using plugins for automatic configuration, it may be preferred to enable SSL for a server manually.<br />
<br />
{{Tip|<br />
* Mozilla has a useful [https://wiki.mozilla.org/Security/Server_Side_TLS SSL/TLS article] which includes an [https://mozilla.github.io/server-side-tls/ssl-config-generator/ automated tool] to help create a more secure configuration.<br />
* [https://cipherli.st Cipherli.st] provides strong SSL implementation examples and tutorial for most modern webservers.<br />
}}<br />
<br />
==== nginx ====<br />
An example of the server {{ic|domain.tld}} using the signed SSL-certificate of Let's Encrypt:<br />
{{hc|/etc/nginx/servers-available/domain.tld|<br />
<nowiki><br />
# redirect to https<br />
server {<br />
listen 80;<br />
listen [::]:80;<br />
server_name domain.tld;<br />
return 301 https://$host$request_uri;<br />
}<br />
<br />
server {<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;<br />
ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;<br />
ssl_session_timeout 1d;<br />
ssl_session_cache shared:SSL:50m;<br />
ssl_session_tickets off;<br />
ssl_prefer_server_ciphers on;<br />
add_header Strict-Transport-Security max-age=15768000;<br />
ssl_stapling on;<br />
ssl_stapling_verify on;<br />
server_name domain.tld;<br />
..<br />
}<br />
<br />
# A subdomain uses the same SSL-certifcate:<br />
server {<br />
listen 443 ssl http2;<br />
listen [::]:443 ssl http2;<br />
ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;<br />
ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;<br />
ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;<br />
..<br />
server_name sub.domain.tld;<br />
..<br />
}<br />
<br />
# ACME challenge<br />
location ^~ /.well-known {<br />
allow all;<br />
alias /var/lib/letsencrypt/.well-known/;<br />
default_type "text/plain";<br />
try_files $uri =404;<br />
}<br />
</nowiki><br />
}}<br />
<br />
=== Multiple domains ===<br />
Management of can be made easier by mapping all HTTP-requests for {{ic|/.well-known/acme-challenge/}} to a single folder, e.g. {{ic|/var/lib/letsencrypt}}.<br />
<br />
The path has then to be writable for the Let's Encrypt client and the web server (e.g. [[nginx]] or [[Apache]] running as user ''http''):<br />
# mkdir -p /var/lib/letsencrypt/.well-known<br />
# chgrp http /var/lib/letsencrypt<br />
# chmod g+s /var/lib/letsencrypt<br />
<br />
==== nginx ====<br />
<br />
Create a file containing the location block and include this inside a server block:<br />
{{hc|/etc/nginx/conf.d/letsencrypt.conf|<br />
<nowiki><br />
location ^~ /.well-known {<br />
allow all;<br />
alias /var/lib/letsencrypt/.well-known/;<br />
default_type "text/plain";<br />
try_files $uri =404;<br />
}<br />
</nowiki>}}<br />
<br />
Example of a server configuration:<br />
{{hc|/etc/nginx/servers-available/domain.conf|<nowiki><br />
server {<br />
server_name domain.tld<br />
..<br />
include conf.d/letsencrypt.conf;<br />
}<br />
</nowiki>}}<br />
<br />
==== Apache ====<br />
<br />
Create the file {{ic|/etc/httpd/conf/extra/httpd-acme.conf}}:<br />
{{hc|/etc/httpd/conf/extra/httpd-acme.conf|<nowiki><br />
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"<br />
<Directory "/var/lib/letsencrypt/"><br />
AllowOverride None<br />
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec<br />
Require method GET POST OPTIONS<br />
</Directory><br />
</nowiki>}}<br />
Including this in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
Include conf/extra/httpd-acme.conf<br />
</nowiki>}}<br />
<br />
=== Automatic renewal ===<br />
<br />
==== systemd ====<br />
Create a [[systemd]] {{ic|certbot.service}}:<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --quiet --agree-tos}}<br />
<br />
You'll probably want your web server to reload the certificates after each time they're renewed. You can realize that by adding one of these lines to the {{ic|certbot.service}} file:<br />
<br />
* Apache: {{ic|1=ExecStartPost=/bin/systemctl reload httpd.service}}<br />
* nginx: {{ic|1=ExecStartPost=/bin/systemctl reload nginx.service}}<br />
<br />
{{Note|Before adding a [[systemd/Timers|timer]], check that the service is working correctly and is not trying to prompt anything.}}<br />
<br />
Add a timer to check for certificate renewal twice a day and include a randomized delay so that everyone's requests for renewal will be evenly spread over the day to lighten the Let's Encrypt server load [https://certbot.eff.org/#arch-nginx]:<br />
<br />
{{hc|1=/etc/systemd/system/certbot.timer|<br />
2=[Unit]<br />
Description=Twice daily renewal of Let's Encrypt's certificates<br />
<br />
[Timer]<br />
OnCalendar=0/12:00:00<br />
RandomizedDelaySec=1h<br />
Persistent=true<br />
<br />
[Install]<br />
WantedBy=timers.target}}<br />
<br />
[[Enable]] and [[start]] {{ic|certbot.timer}}.<br />
<br />
===== Alternative services =====<br />
When using the standalone method you should stop your webserver before executing the renew request, and start your webserver when Certbot is finished. Certbot provides hooks to automatically stop and restart a web server.<br />
<br />
====== nginx ======<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --post-hook "/usr/bin/systemctl restart nginx.service" --agree-tos}}<br />
<br />
====== Apache ======<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --pre-hook "/usr/bin/systemctl stop httpd.service" --post-hook "/usr/bin/systemctl start httpd.service" --quiet --agree-tos}}<br />
<br />
== See also ==<br />
<br />
* [https://certbot.eff.org/ EFF's Certbot documentation]<br />
* [https://letsencrypt.org/docs/client-options/ List of ACME clients]</div>Smasher816https://wiki.archlinux.org/index.php?title=Android&diff=471543Android2017-03-21T23:15:31Z<p>Smasher816: Add android-file-transfer to alternative methods</p>
<hr />
<div>[[Category:Development]]<br />
[[Category:Mobile devices]]<br />
[[it:Android]]<br />
[[ja:Android]]<br />
[[ru:Android]]<br />
[[zh-hans:Android]]<br />
{{Related articles start}}<br />
{{Related|Android notifier}}<br />
{{Related|Android tethering}}<br />
{{Related articles end}}<br />
<br />
== Exploring Android device ==<br />
<br />
There are few methods of exploring your device:<br />
<br />
*[[MTP]] over USB for files transferring.<br />
*[[#Alternative connection methods|Alternative methods]] (such as FTP, SSH).<br />
<br />
For more advanced usage, development, flashing and restore:<br />
*[[#Android Debug Bridge (ADB)|ADB]] mostly for development purposes.<br />
*[[#Restoring Android|Restoring Android]] for flashing and restoring Android firmwares (includes fastboot).<br />
<br />
== Android development ==<br />
<br />
There are 3 steps that need to be performed before you can develop Android applications on your Arch Linux box:<br />
<br />
# Install the Android SDK core component,<br />
# Install one or several Android SDK Platform packages,<br />
# Install one of the IDEs compatible with the Android SDK.<br />
<br />
=== Android SDK core components ===<br />
<br />
{{Note|If you are running a 64-bit system, make sure the [[multilib]] repository is enabled to avoid "error: target not found: lib32-zlib" error messages.}}<br />
<br />
{{Note|If you plan to install [[#Android Studio]] and want the IDE to manage your SDK installation, you do not need to install these packages}}<br />
<br />
Before developing Android applications, you need to install the Android SDK, which is made of 4 distinct packages, all installable from [[AUR]]:<br />
<br />
# {{AUR|android-platform}}<br />
# {{AUR|android-sdk}}<br />
# {{AUR|android-sdk-platform-tools}}<br />
# {{AUR|android-sdk-build-tools}}<br />
<br />
If supporting older devices, or working with older code, {{AUR|android-support}} and {{AUR|android-support-repository}} might be required.<br />
<br />
Android-sdk will be installed on {{ic|/opt/android-sdk}}. This folder has root permissions, so keep in mind to run sdk manager as root, otherwise you will not be able to modify anything in this directory. If you intend to use it as a regular user, create the Android sdk users group:<br />
# groupadd sdkusers<br />
<br />
Add your user into this group:<br />
# gpasswd -a <user> sdkusers<br />
<br />
Change folder's group.<br />
# chown -R :sdkusers /opt/android-sdk/<br />
<br />
Change permissions of the folder so the user that was just added to the group will be able to write in it:<br />
# chmod -R g+w /opt/android-sdk/<br />
<br />
Re-login or as <user> log your terminal in to the newly created group:<br />
<br />
$ newgrp sdkusers<br />
<br />
{{Note|As an alternative to a global install with the [[AUR]] packages, the SDK can be installed to a user's home directory via [https://developer.android.com/sdk/index.html the upstream instructions]. You may also use the android-*-dummy packages in the [[AUR]] to handle the system dependencies.}}<br />
<br />
=== Android SDK platform API ===<br />
<br />
{{Note|If you plan to install [[#Android Studio]] and want the IDE to handle your SDK, you don't need to install these packages}}<br />
<br />
Install the desired Android SDK Platform package from the [[AUR]]:<br />
<br />
* {{aur|android-platform}} (latest)<br />
* {{aur|android-platform-24}}<br />
* {{aur|android-platform-23}}<br />
* {{aur|android-platform-22}}<br />
* {{aur|android-platform-21}}<br />
* {{aur|android-platform-20}}<br />
* {{aur|android-platform-19}}<br />
* {{aur|android-platform-18}}<br />
* {{aur|android-platform-17}}<br />
* {{aur|android-platform-16}}<br />
* {{aur|android-platform-15}}<br />
* {{aur|android-platform-14}}<br />
<br />
=== Android System Images ===<br />
<br />
Install the desired [https://aur.archlinux.org/packages/?O=0&K=android+system+image Android system image] package from the [[AUR]]. This step may not be necessary if installing Android Studio. The Images are needed for emulating a specific android device. They are not needed if you want to develop with an android phone.<br />
<br />
=== Development environment ===<br />
<br />
Android Studio is the new official Android development environment based on IntelliJ IDEA. Alternatively, you can use [[Netbeans]] with the NBAndroid plugin. All are described below.<br />
<br />
==== Android Studio ====<br />
<br />
[https://developer.android.com/sdk/index.html Android Studio] is the official Android development environment based on [https://www.jetbrains.com/idea/ IntelliJ Idea]. Android Studio replaces the older [https://developer.android.com/tools/help/adt.html Eclipse Android Developer Tools] and provides integrated Android developer tools for development and debugging.<br />
<br />
You can download and install it with the {{AUR|android-studio}} package from the [[AUR]]. If you get an error about a missing SDK, refer to the section Getting Android SDK platform API above.<br />
<br />
{{Note|1=If you are using a tiling window manager other than i3wm, you may need to apply one of the fixes mentioned in [https://code.google.com/p/android/issues/detail?id=57675 this] issue page.}}<br />
{{Note|1=Make sure you properly [[Java#Change_default_Java_environment|set the Java environment]] otherwise android-studio will not start.}}<br />
<br />
Normally, apps are built through the Android Studio GUI. To build apps from the commandline (using e.g. {{ic|./gradlew assembleDebug}}), add the following to your {{ic|~/.bashrc}}:<br />
<br />
export ANDROID_HOME=/opt/android-sdk<br />
<br />
==== Netbeans ====<br />
<br />
If you prefer using [[Netbeans]] as your IDE and want to develop Android applications, download the [http://www.nbandroid.org NBAndroid] by going to:<br />
<br />
Tools -> Plugins -> Settings<br />
<br />
Add the following URL: http://nbandroid.org/release81/updates/updates.xml<br />
<br />
Then go to '''Available Plugins''' and install the '''Android''' and '''JUnit''' plugins. Once you have installed go to:<br />
<br />
Tools -> Options -> Miscellaneous -> Android<br />
<br />
and select the path where the SDK is installed (/opt/android-sdk by default). That is it, now you can create a new Android project and start developing using Netbeans.<br />
<br />
==== Eclipse ====<br />
<br />
{{Note|The Eclipse ADT plugin is [http://android-developers.blogspot.nl/2016/11/support-ended-for-eclipse-android.html no longer supported]. Google recommends to use Android Studio instead.}}<br />
<br />
The official, but deprecated, [http://developer.android.com/sdk/eclipse-adt.html Eclipse ADT] plugin can be installed with the {{AUR|eclipse-android}} package.<br />
<br />
{{Note|<br />
* if you get a message about unresolvable dependencies, install [[Java]] manually and try again.<br />
* as an alternative, you can install the ADT via eclipse's built in "add new software" command (see instructions on ADT site).<br />
* if you are in real trouble, it is also possible to download Android SDK and use the bundled Eclipse. This usually works without problems.<br />
* if you need to install extra SDK plugins not found in the AUR, you must change the file ownership of /opt/android-sdk first. You can do this with {{ic|# chgrp -R users /opt/android-sdk ; chmod -R 0775 /opt/android-sdk}} (see [[File Permissions]] for more details).<br />
}}<br />
<br />
Enter the path to the Android SDK Location in<br />
<br />
Windows -> Preferences -> Android<br />
<br />
{{Note|<br />
If the plugins do not show up in Eclipse after the AUR package has been upgraded, then eclipse probably has out-of-date caches. Running {{ic|sudo eclipse -clean}} once should clear them. If the problem persists, uninstall eclipse and all the plugins, delete {{ic|/usr/share/eclipse}}, and reinstall everything.<br />
}}<br />
<br />
=== Android Debug Bridge (ADB) ===<br />
<br />
{{Tip|For some devices, you may have to enable MTP on the device, before ADB will work. Some other devices require enable PTP mode to work.}}<br />
{{Tip|Many devices' udev rules are included in {{Pkg|libmtp}}, so if you have this installed, the following steps may not be necessary.}}<br />
<br />
==== Connect device ====<br />
To connect to a real device or phone via ADB under Arch, you must:<br />
<br />
# Install {{Pkg|android-tools}}. In addition, you might want to install {{Pkg|android-udev}} if you wish to connect the device to the proper {{ic|/dev/}} entries.<br />
# plug in your android device via USB.<br />
# Enable USB Debugging on your phone or device:<br />
#* Jelly Bean (4.2) and newer: Go to {{ic|Settings --> About Phone}} tap “Build Number” 7 times until you get a popup that you have become a developer. Then go to {{ic|Settings --> Developer --> USB debugging}} and enable it. The device will ask to allow the computer with its fingerprint to connect. allowing it permanent will copy $HOME/.android/adbkey.pub onto the devices /data/misc/adb/adb_keys folder.<br />
#* Older versions: This is usually done from {{ic|Settings --> Applications --> Development --> USB debugging}}. Reboot the phone after checking this option to make sure USB debugging is enabled.<br />
# If {{Pkg|android-udev}} has been installed, add yourself to the ''adbusers'' group:<br />
# gpasswd -a ''username'' adbusers<br />
<br />
If [[#Detect the device|ADB recognizes your device]] ({{ic|adb devices}} shows it as "device" and not as "unauthorized", or it is visible and accessible in IDE), you are done. Otherwise see instructions below.<br />
<br />
==== Figure out device IDs ====<br />
<br />
<br />
<br />
Each Android device has a USB vendor/product ID. An example for HTC Evo is:<br />
<br />
vendor id: 0bb4<br />
product id: 0c8d<br />
<br />
Plug in your device and execute:<br />
<br />
$ lsusb<br />
<br />
It should come up something like this:<br />
<br />
Bus 002 Device 006: ID 0bb4:0c8d High Tech Computer Corp.<br />
<br />
==== Adding udev Rules ====<br />
<br />
Use the rules from {{Aur|android-udev-git}}, install them manually from [http://source.android.com/source/initializing.html#configuring-usb-access Android developer], or use the following template for your udev rules, just replace [VENDOR ID] and [PRODUCT ID] with yours. Copy these rules into {{ic|/etc/udev/rules.d/51-android.rules}}:<br />
<br />
{{hc|/etc/udev/rules.d/51-android.rules|2=<nowiki>SUBSYSTEM=="usb", ATTR{idVendor}=="[VENDOR ID]", MODE="0660", GROUP="adbusers"<br />
SUBSYSTEM=="usb",ATTR{idVendor}=="[VENDOR ID]",ATTR{idProduct}=="[PRODUCT ID]",SYMLINK+="android_adb"<br />
SUBSYSTEM=="usb",ATTR{idVendor}=="[VENDOR ID]",ATTR{idProduct}=="[PRODUCT ID]",SYMLINK+="android_fastboot"</nowiki>}}<br />
<br />
Then, to reload your new udev rules, execute:<br />
# udevadm control --reload-rules<br />
<br />
Make sure you are member of {{ic|adbusers}} [[group]] to access {{ic|adb}} devices.<br />
<br />
==== Configuring adb ====<br />
<br />
Instead of using udev rules, you may create/edit {{ic|~/.android/adb_usb.ini}} which contains a list of vendor IDs.<br />
<br />
$ cat ~/.android/adb_usb.ini <br />
0x27e8<br />
<br />
==== Detect the device ====<br />
<br />
After you have setup the udev rules, unplug your device and replug it.<br />
<br />
After running:<br />
<br />
$ adb devices<br />
<br />
you should see something like:<br />
<br />
List of devices attached <br />
HT07VHL00676 device<br />
<br />
==== General usage ====<br />
<br />
You can now use adb to transfer files between the device and your computer. To transfer files to the device, use<br />
$ adb push ''<what-to-copy>'' ''<where-to-place>''<br />
<br />
To transfer files from the device, use<br />
$ adb pull ''<what-to-pull>'' ''<where-to-place>''<br />
<br />
==== Notes & Troubleshooting ====<br />
<br />
* '''ADB''' can also be installed via [[#Android SDK platform API|platform tools]](usually available in {{Ic|/opt/android-sdk/platform-tools/}}), so it might not be necesarry to install {{Pkg|android-tools}} (available in {{Ic|/usr/bin/}}).<br />
<br />
* If you are getting an empty list (your device is not there), it may be because you have not enabled USB debugging on your device. You can do that by going to Settings => Applications => Development and enabling USB debugging. On Android 4.2 (Jelly Bean) the Development menu is hidden; to enable it go to Settings => About phone and tap Build number 7 times.<br />
<br />
* If there are still problems such as ''adb'' displaying {{ic|???????? no permissions}} under devices, try restarting the adb server as root.<br />
# adb kill-server<br />
# adb start-server<br />
<br />
* On moto e it could happen to have a different vendor/product id while you are on sideload or fastboot, verify again lsusb if you get no permission.<br />
<br />
=== NVIDIA Tegra platform ===<br />
<br />
If you target your application at NVIDIA Tegra platform, you might also want to install tools, samples and documentation provided by NVIDIA. In [http://developer.nvidia.com/category/zone/mobile-development NVIDIA Developer Zone for Mobile] there are two tools: <br />
<br />
# The [http://developer.nvidia.com/tegra-resources Tegra Android Development Pack] provides tools (NVIDIA Debug Manager) related to [http://developer.android.com/sdk/eclipse-adt.html Eclipse ADT] and their documentation. <br />
# The [http://developer.nvidia.com/tegra-resources Tegra Toolkit] provides tools (mostly CPU and GPU optimization related), samples and documentation. <br />
<br />
Both are currently not available in the [[AUR]] anymore, because NVIDIA requires a registration/login for the download.<br />
<br />
== Building Android ==<br />
<br />
Please note that these instructions are based on the [http://source.android.com/source/building.html official AOSP build instructions]. Other Android-derived systems such as LineageOS will often require extra steps.<br />
<br />
=== OS bitness ===<br />
<br />
Android 2.2.x (Froyo) and below are the only versions of Android that will build on a 32-bit system. For 2.3.x (Gingerbread) and above, you will need a 64-bit installation. <br />
<br />
=== Required packages ===<br />
<br />
To build any version of Android, you need to install these packages:<br />
<br />
* {{Pkg|gcc-multilib}} {{Pkg|git}} {{Pkg|gnupg}} {{Pkg|flex}} {{Pkg|bison}} {{Pkg|gperf}} {{Pkg|sdl}} {{Pkg|wxgtk}} {{Pkg|squashfs-tools}} {{Pkg|curl}} {{Pkg|ncurses}} {{Pkg|zlib}} {{Pkg|schedtool}} {{Pkg|perl-switch}} {{Pkg|zip}} {{Pkg|unzip}} {{Pkg|libxslt}} {{Pkg|python2-virtualenv}} {{Pkg|bc}} {{Pkg|rsync}} {{Aur|ncurses5-compat-libs}} {{Pkg|lib32-zlib}} {{Pkg|lib32-ncurses}} {{Pkg|lib32-readline}} {{Aur|lib32-ncurses5-compat-libs}}<br />
<br />
The {{Aur|aosp-devel}} metapackage provides them all for simple installation.<br />
<br />
{{Note|The PGP signatures for {{Aur|ncurses5-compat-libs}} and {{Aur|lib32-ncurses5-compat-libs}} may cause errors, that can be solved by manually importing the needed signature: <br />
$ gpg --recv-keys 702353E0F7E48EDB<br />
}}<br />
<br />
Additionally, LineageOS requires the following packages:<br />
<br />
*{{Pkg|xml2}} {{Pkg|lzop}} {{Pkg|pngcrush}} {{Pkg|imagemagick}}<br />
<br />
They can be installed with the {{Aur|lineageos-devel}} metapackage.<br />
<br />
{{Note|1=Installing both {{Pkg|maven}} and {{Pkg|gradle}} to build LineageOS may result in a build speed improvement as the build process will prefer the system's }}<br />
<br />
=== Java Development Kit ===<br />
<br />
*For Android 7 (Nougat), OpenJDK 8 is [https://source.android.com/source/requirements.html required], which is available with the {{Pkg|jdk8-openjdk}} package. <br />
*For Android 5 and 6 (Lollipop and Marshmallow), OpenJDK 7 is required, which is available with the {{Pkg|jdk7-openjdk}} package.<br />
<br />
Older versions [http://source.android.com/source/initializing.html require] a working '''Oracle JDK''' installed on your build system. It '''will not''' work with OpenJDK.<br />
*For Gingerbread through KitKat (2.3 - 4.4), Java 6 is required, which is available as {{AUR|jdk6}} from the AUR.<br />
*For Cupcake through Froyo (1.5 - 2.2), Java 5 is required, which is available as {{AUR|jdk5}} from the AUR.<br />
<br />
{{Note|1=<br />
Android expect java in /usr/lib/jvm/java-x-openjdk-amd64, where x is the java version.<br />
Set JAVA_HOME to avoid this requirement and match archlinux installation path.<br />
Example:<br />
$ export JAVA_HOME=/usr/lib/jvm/java-x-openjdk<br />
This change will be valid only for the current terminal session.<br />
}}<br />
<br />
=== Setting up the build environment ===<br />
<br />
[[Install]] the {{Pkg|repo}} package. <br />
<br />
Create a directory to build.<br />
<br />
$ mkdir ~/android<br />
$ cd ~/android<br />
<br />
The Android build process expects {{ic|python}} to be python2. Create a python2 virtual environment and activate it:<br />
<br />
$ virtualenv2 venv<br />
$ source venv/bin/activate<br />
<br />
{{Note|This activation is only active for the current terminal session. The virtual env will be kept in the {{ic|venv}} folder. <br />
}}<br />
<br />
{{Note|During build you may receive error pertaining to missing python modules. A quick and dirty fix is to symlink /usr/lib/python2.7/* to ~/android/venv/python2.7/ (Change ~/android to reflect your build directory if different than above).<br />
Example:<br />
$ ln -s /usr/lib/python2.7/* /Data/Android_Build/venv/lib/python2.7/<br />
}}<br />
<br />
=== Downloading the source code ===<br />
<br />
This will clone the repositories. You '''only''' need to do this the first time you build Android, or if you want to switch branches.<br />
<br />
* The {{ic|repo}} has a {{ic|-j}} switch that operates similarly to the one used with {{ic|make}}. Since it controls the number of simultaneous downloads, you should adjust the value depending on downstream network bandwidth.<br />
<br />
* You will need to specify a '''branch''' (release of Android) to check out with the {{ic|-b}} switch. If you leave the switch out, you will get the so-called '''master branch'''.<br />
<br />
$ repo init -u https://android.googlesource.com/platform/manifest -b master<br />
$ repo sync -j4<br />
<br />
{{Note|To further decrease sync times, you can utilize the -c switch with the repo command as such:<br />
$ repo sync -j8 -c<br />
The {{ic|-c}} switch will only sync the branch which is specified in the manifest, which in turn is determined by the branch specified with the {{ic|-b}} switch, or the default branch set by the repository maintainer.<br />
}}<br />
<br />
Wait a long time. Just the uncompiled source code, along with the {{ic|.repo}} and {{ic|.git}} directories that are used to keep track of it, are well over 10 GB. As of Android 6.0.1, the entire codebase totals 40 GB.<br />
<br />
{{Note|If you want to update your local copy of the Android source, at a later time, simply enter the build directory, load the Virtualenv, and re-sync:<br />
$ repo sync<br />
}}<br />
<br />
=== Building the code ===<br />
<br />
This should do what you need for AOSP:<br />
<br />
$ source build/envsetup.sh<br />
$ lunch full-eng<br />
$ make -j4<br />
<br />
If you run '''lunch''' without arguments, it will ask what build you want to create. Use -j with a number between one and two times number of cores/threads.<br />
<br />
The build takes a very long time.<br />
<br />
{{Note|Make sure you have enough RAM.<br />
Android will use the /tmp directory heavily. By default the size of the partition the /tmp folder is mounted on is half the size of your RAM. If it fills up, the build will fail. 4GB of RAM or more is recommended.<br />
* Alternatively, you can get rid of the tmpfs from [[fstab]] all together. <br />
}}<br />
<br />
{{Note|From the [https://source.android.com/source/building-running.html#build-the-code Android Building and Running guide]:<br />
<br />
"GNU make can handle parallel tasks with a -jN argument, and it's common to use a number of tasks N that's between 1 and 2 times the number of hardware threads on the computer being used for the build. E.g. on a dual-E5520 machine (2 CPUs, 4 cores per CPU, 2 threads per core), the fastest builds are made with commands between make -j16 and make -j32."<br />
<br />
}}<br />
=== Testing the build ===<br />
<br />
When finished, run/test the final image(s).<br />
<br />
$ emulator<br />
<br />
=== Creating a Flashable Image ===<br />
To create an image that can be flashed it is necessary to:<br />
<br />
make -j8 updatepackage<br />
<br />
This will create a zip image under '''out/target/product/hammerhead''' (hammerhead being the device name) that can be flashed.<br />
<br />
== Restoring Android ==<br />
<br />
{{Expansion}}<br />
<br />
In some cases, you want to return to the stock Android after flashing custom ROMs to your Android mobile device. For flashing instructions of your device, please use [http://forum.xda-developers.com/ XDA forums].<br />
<br />
=== Fastboot ===<br />
<br />
Fastboot (as well as [[#Android Debug Bridge (ADB)|ADB]]) comes together with a package {{Pkg|android-tools}} from the [[official repositories]].<br />
<br />
{{Note|Restoring firmwares using {{ic|fastboot}} can be quite tricky, but you might want to browse [http://www.xda-developers.com/ XDA developers forums] for a stock firmware, which is mostly a {{ic|*.zip}} file, but inside of it, comes with the firmware files and {{ic|flash-all.sh}} script. For example, [https://developers.google.com/android/nexus/images Google Nexus] firmwares include {{ic|flash-all.sh}} script or another example could be for OnePlus One - [http://forum.xda-developers.com/oneplus-one/general/guide-return-opo-to-100-stock-t2826541 XDA thread], where you can find firmwares with included {{ic|flash-all.sh}} script.}}<br />
<br />
=== Samsung devices ===<br />
<br />
Samsung devices can't be flashed using '''Fastboot''' tool. Alternatives are only '''Heimdall''' and '''Odin''' (by using Windows and VirtualBox).<br />
<br />
==== Heimdall ====<br />
<br />
[http://glassechidna.com.au/heimdall/ Heimdall] is a cross-platform open-source tool suite used to flash firmware (also known as ROMs) onto Samsung mobile devices and is also known as an alternative to [http://odindownload.com/ Odin]. It can be installed as {{Pkg|heimdall}} or {{AUR|heimdall-git}}.<br />
<br />
The flashing instructions can be found on Heimdall's [https://github.com/Benjamin-Dobell/Heimdall/tree/master/Linux GitHub page] or on [http://forum.xda-developers.com/showthread.php?t=1922461 XDA forums].<br />
<br />
==== Odin (Virtualbox) ====<br />
<br />
It is also possible to restore stock Android on the Samsung devices using [http://odindownload.com/ Odin], but inside the [[VirtualBox]]. For more information, see [http://forum.xda-developers.com/showthread.php?t=758634 XDA thread].<br />
<br />
Arch Linux related steps:<br />
# Install [[VirtualBox]] together with its [[VirtualBox#Extension_pack|extension pack]] and [[VirtualBox#Guest_additions_disc|guest additions]].<br />
# Install your preferred, but compatible with Odin, Windows operating system (with VirtualBox guest additions) into a virtual hard drive using VirtualBox<br />
# Open VirtualBox settings of your Windows operating system, navigate to '''USB''', then tick (or make sure it is ticked) '''Enable USB 2.0 (EHCI) Controller'''.<br />
# At VirtualBox running Windows operating system, click in the menu bar '''Devices''', then '''USB Devices''', then click on your Samsung mobile device connected to your computer via USB.<br />
<br />
Windows related links:<br />
* Samsung drivers can be downloaded from [http://androidxda.com/download-samsung-usb-drivers here].<br />
* Odin can be downloaded from [https://www.androidfilehost.com/?fid=23501681358557126 here].<br />
* Samsung Android firmware can be downloaded from [http://www.sammobile.com/firmwares/ here].<br />
<br />
If you want to make sure that everything is working and ready:<br />
# Turn your device into Download mode and connect to your Linux machine.<br />
# In virtual machine toolbar, select {{ic|devices}} --> {{ic|USB}} --> {{ic|...Samsung...}} device.<br />
# Open Odin. The white box (a big one at the bottom-left side) named '''Message''', should print a line similar to this:<br />
<ID:0/003> Added!!<br />
which means that your device is visible to Odin and is ready to be flashed.<br />
<br />
{{Note|There are no general instructions of restoring stock firmware on Samsung mobile devices. You have to use [https://www.google.com Google] and [http://www.xda-developers.com XDA developers forums] to find a flashing instructions for specific device. For example, this is how the [http://goo.gl/cZLyF8 thread] about the Samsung Galaxy S4 looks like}}<br />
<br />
== Alternative connection methods ==<br />
<br />
=== Android File Transfer ===<br />
<br />
{{Pkg|android-file-transfer}} — reliable MTP client with minimalistic UI similar to Android File Transfer for Mac. It just works™.<br />
<br />
=== adb-sync ===<br />
<br />
[https://github.com/google/adb-sync adb-sync] (available in {{AUR|adb-sync-git}}) is a tool to synchronize files between a PC and an Android device using the ADB protocol.<br />
<br />
=== AirDroid ===<br />
<br />
[http://goo.gl/EZQ9GQ AirDroid] is an Android app to access files from your web browser.<br />
<br />
=== AndroidScreencast ===<br />
<br />
[http://xsavikx.github.io/AndroidScreencast AndroidScreencast] was developed to view and control your android device from a PC (using ADB).<br />
<br />
=== FTP ===<br />
<br />
You run a FTP server on Arch and connect to it from your phone, or the other way around: run a FTP server on your phone and connect to it from Arch.<br />
<br />
See [[List of applications/Internet#FTP]]. There are a lot of FTP clients/servers available for Android.<br />
<br />
=== KDE Connect ===<br />
<br />
{{Pkg|kdeconnect}} integrates your android device with the KDE desktop. Its features include synced notifications, clipboard sync, multimedia control, and file/URL sharing.<br />
<br />
=== SSH Server ===<br />
<br />
There are many SSH servers available for Android, it allows you to transfer files using {{ic|scp}} command. See also [[SSH]].<br />
<br />
=== Samba ===<br />
<br />
See [[Samba]].<br />
<br />
== Tips & Tricks ==<br />
<br />
=== During Debugging "Source not found" ===<br />
<br />
Most probably the debugger wants to step into the Java code. As the source code of Android does not come with the Android SDK, this leads to an error. The best solution is to use step filters to not jump into the Java source code. Step filters are not activated by default. To activate them: <br />
Window -> Preferences -> Java -> Debug -> Step Filtering<br />
Consider to select them all. If appropriate you can add the android.* package. See the forum post for more information: http://www.eclipsezone.com/eclipse/forums/t83338.rhtml<br />
<br />
=== Linux distribution on the sdcard ===<br />
<br />
You can install Debian like in this [http://forum.xda-developers.com/showthread.php?t=631389 thread]. Excellent guide to installing Arch in chroot (in parallel with Android) can be found on [http://archlinuxarm.org/forum/viewtopic.php?f=27&t=1361&start=40 archlinuxarm.org forum].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Android Studio: Android Virtual Devices show 'failed to load'. ===<br />
Make sure you've exported the variable {{ic|ANDROID_HOME}} as explained in [[#Android Studio]].<br />
<br />
=== Android Studio: 'failed to create the SD card' ===<br />
If you try to run an AVD (Android Virtual Device) under x86_64 Arch and get the error above, install the {{Pkg|lib32-gcc-libs}} and {{Pkg|lib32-ncurses}} packages from the [[Multilib]] repository.<br />
<br />
=== aapt: No such file or directory ===<br />
<br />
The build tools include 32-bit binaries. For this reason they require 32-bit libraries. If you happened to install the SDK manually, you will additionally need to install<br />
'''multilib/lib32-libstdc++5''' and '''multilib/lib32-zlib'''.<br />
<br />
=== ValueError: unsupported pickle protocol ===<br />
<br />
One fix is to issue:<br />
<br />
rm ~/.repopickle_.gitconfig<br />
<br />
If that does not work, then try this:<br />
<br />
rm `find /path/to/android-root -name .repopickle_config`<br />
<br />
=== libGL error: failed to load driver: swrast===<br />
<br />
The AVD loads an incorrect version of libstdc++, you can remove the folder libstdc++ from <br />
~/Android/Sdk/emulator/lib64/ (for 64-bit) or<br />
~/Android/Sdk/emulator/lib/ (for 32-bit) , e.g.:<br />
<br />
rm -r ~/Android/Sdk/emulator/lib64/libstdc++<br />
<br />
=== sh: glxinfo: command not found===<br />
<br />
Here's the full error:<br />
<br />
Cannot launch AVD in emulator.<br />
Output:<br />
sh: glxinfo: command not found<br />
sh: glxinfo: command not found<br />
libGL error: unable to load driver: swrast_dri.so<br />
libGL error: failed to load driver: swrast<br />
X Error of failed request: BadValue (integer parameter out of range for operation)<br />
Major opcode of failed request: 154 (GLX)<br />
Minor opcode of failed request: 24 (X_GLXCreateNewContext)<br />
Value in failed request: 0x0<br />
Serial number of failed request: 32<br />
Current serial number in output stream: 33<br />
QObject::~QObject: Timers cannot be stopped from another thread<br />
<br />
You can try to install glxinfo (Its {{Pkg|mesa-demos}}) but if your computer has enough power you could simply use software to render graphics. To do so, go to Tools -> Android -> AVD Manager, edit the AVD (click the pencil icon), then select "Software - GLES 2.0" for "Emulated Performance -> Graphics".</div>Smasher816https://wiki.archlinux.org/index.php?title=OpenSSH&diff=452410OpenSSH2016-09-30T06:03:10Z<p>Smasher816: Add note that fonts should be installed on remote system for X11Forwarding</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[ar:Secure Shell]]<br />
[[de:SSH]]<br />
[[es:Secure Shell]]<br />
[[fr:ssh]]<br />
[[it:Secure Shell]]<br />
[[ja:Secure Shell]]<br />
[[ko:Secure Shell]]<br />
[[pl:Secure Shell]]<br />
[[pt:Secure Shell]]<br />
[[ru:Secure Shell]]<br />
[[sr:Secure Shell]]<br />
[[zh-cn:Secure Shell]]<br />
{{Related articles start}}<br />
{{Related|SSH keys}}<br />
{{Related|Pam abl}}<br />
{{Related|fail2ban}}<br />
{{Related|sshguard}}<br />
{{Related|Sshfs}}<br />
{{Related|Syslog-ng}}<br />
{{Related|SFTP chroot}}<br />
{{Related|SCP_and_SFTP}}<br />
{{Related articles end}}<br />
<br />
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
== OpenSSH ==<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams, the similar name is drawn only from similar goals.<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{Pkg|openssh}} package.<br />
<br />
=== Client usage ===<br />
<br />
To connect to a server, run:<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
<br />
If the server only allows public-key authentication, follow [[SSH keys]].<br />
<br />
==== Configuration ====<br />
<br />
The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:<br />
<br />
{{hc|~/.ssh/config|# global options<br />
User user<br />
<br />
# host-specific options<br />
Host ''myserver''<br />
HostName ''server-address''<br />
Port ''port''}}<br />
<br />
With such a configuration, the following commands are equivalent<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
$ ssh ''myserver''<br />
<br />
See {{man|5|ssh_config}} for more information.<br />
<br />
Some options do not have command line switch equivalents, but you can specify config options on the command line with {{ic|-o}}. For example {{ic|1=-oKexAlgorithms=+diffie-hellman-group1-sha1}}.<br />
<br />
=== Server usage ===<br />
<br />
==== Configuration ====<br />
<br />
The SSH daemon configuration file can be found and edited in {{ic|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers ''user1 user2''<br />
<br />
To allow access only for some groups:<br />
AllowGroups ''group1 group2''<br />
<br />
To disable root login over SSH, change the PermitRootLogin line into this:<br />
PermitRootLogin no<br />
<br />
{{Note|1={{ic|PermitRootLogin prohibit-password}} is the default since version 7.0p1. See {{man|5|sshd_config}}.}}<br />
<br />
To add a nice welcome message (e.g. from the {{ic|/etc/issue}} file), configure the {{ic|Banner}} option:<br />
Banner /etc/issue<br />
<br />
Host keys will be generated automatically by the ''sshd'' [[#Daemon_management|service files]]. If you want sshd to use a particular key which you have provided, you can configure it manually:<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
If the server is to be exposed to the WAN, it is recommended to change the default port from 22 to a random higher one like this:<br />
Port 39901<br />
<br />
To help select a port review the [[Wikipedia:List of TCP and UDP port numbers|list of TCP and UDP port numbers]]. You can also find port information locally in {{ic|/etc/services}}. Select an alternative port that is '''not''' already assigned to a common service to prevent conflicts. A port change from default port 22 is recommended, because it will reduce the ''number'' of log entries caused by automated authentication attempts - not eliminate them. See [[Port knocking]] for related information. <br />
<br />
{{Note|OpenSSH can also listen on multiple ports simply by having multiple '''Port x''' lines in the config file.}}<br />
<br />
It is also recommended to disable password logins entirely. This will greatly increase security, see [[#Force public key authentication]] for more information.<br />
<br />
==== Daemon management ====<br />
<br />
{{Pkg|openssh}} comes with two kinds of [[systemd]] service files:<br />
#{{ic|sshd.service}}, which will keep the SSH daemon permanently active and fork for each incoming connection.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh#n16] It is especially suitable for systems with a large amount of SSH traffic.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n15] <br />
#{{ic|sshd.socket}} + {{ic|sshd@.service}}, which spawn on-demand instances of the SSH daemon per connection. Using it implies that ''systemd'' listens on the SSH socket and will only start the daemon process for an incoming connection. It is the recommended way to run {{ic|sshd}} in almost all cases.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n18][http://lists.freedesktop.org/archives/systemd-devel/2011-January/001107.html][http://0pointer.de/blog/projects/inetd.html]<br />
<br />
You can [[start]] and [[enable]] either {{ic|sshd.service}} '''or''' {{ic|sshd.socket}} to begin using the daemon.<br />
<br />
If using the socket service, you will need to [[systemd#Editing provided units|edit]] the unit file if you want it to listen on a port other than the default 22:<br />
<br />
{{hc|# systemctl edit sshd.socket|<nowiki><br />
[Socket]<br />
ListenStream=<br />
ListenStream=12345<br />
</nowiki>}}<br />
<br />
{{Warning|Using {{ic|sshd.socket}} negates the {{ic|ListenAddress}} setting, so it will allow connections over any address. To achieve the effect of setting {{ic|ListenAddress}}, you must specify the port ''and'' IP for {{ic|ListenStream}} (e.g. {{ic|1=ListenStream=192.168.1.100:22}}). You must also add {{ic|1=FreeBind=true}} under {{ic|[Socket]}} or else setting the IP address will have the same drawback as setting {{ic|ListenAddress}}: the socket will fail to start if the network is not up in time.}}<br />
<br />
{{Tip|When using socket activation neither {{ic|sshd.socket}} nor the daemon's regular {{ic|sshd.service}} allow to monitor connection attempts in the log, but executing {{ic|# journalctl /usr/bin/sshd}} does.}}<br />
<br />
==== Protection ====<br />
<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties gaining access to your server.<br />
<br />
Several other good guides are available on the topic, for example:<br />
*[https://wiki.mozilla.org/Security/Guidelines/OpenSSH Article by Mozilla Infosec Team]<br />
*[https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure sshd]<br />
<br />
===== Force public key authentication =====<br />
<br />
If a client cannot authenticate through a public key, by default the SSH server falls back to password authentication, thus allowing a malicious user to attempt to gain access by [[#Protecting against brute force attacks|brute-forcing]] the password. One of the most effective ways to protect against this attack is to disable password logins entirely, and force the use of [[SSH keys]]. This can be accomplished by disabling the following options in {{ic|sshd_config}}:<br />
<br />
PasswordAuthentication no<br />
ChallengeResponseAuthentication no<br />
<br />
{{Warning|Before adding this to your configuration, make sure that all accounts which require SSH access have public-key authentication set up in the corresponding {{ic|authorized_keys}} files. See [[SSH keys#Copying the public key to the remote server]] for more information.}}<br />
<br />
===== Two-factor authentication and public keys =====<br />
<br />
Since OpenSSH 6.2, you can add your own chain to authenticate with using the {{ic|AuthenticationMethods}} option. This enables you to use public keys as well as a two-factor authorization.<br />
<br />
See [[Google Authenticator]] to set up Google Authenticator.<br />
<br />
To use [[PAM]] with OpenSSH, edit the following files:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey keyboard-interactive:pam<br />
}}<br />
<br />
Then you can log in with either a publickey '''or''' the user authentication as required by your PAM setup.<br />
<br />
If, on the other hand, you want to authenticate the user on both a publickey '''and''' the user authentication as required by your PAM setup, use a comma instead of a space to separate the AuthenticationMethods:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey,keyboard-interactive:pam<br />
}}<br />
<br />
With required pubkey '''and''' pam authentication you may wish to disable the password requirement:<br />
{{hc|/etc/pam.d/sshd|<br />
auth required pam_securetty.so #disable remote root<br />
#Require google authenticator<br />
auth required pam_google_authenticator.so<br />
#But not password<br />
#auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
===== Protecting against brute force attacks =====<br />
Brute forcing is a simple concept: One continuously tries to log in to a webpage or server log-in prompt like SSH with a high number of random username and password combinations.<br />
<br />
====== Using iptables ======<br />
<br />
{{Merge|Simple_stateful_firewall#Bruteforce_attacks|Out of scope, same technique as already described in the SSF.}}<br />
<br />
If you are already using iptables you can easily protect SSH against brute force attacks by using the following rules. <br />
<br />
{{note|In this example the SSH port was changed to port 42660 TCP.}}<br />
<br />
Before the following rules can be used we create a new rule chain to log and drop to many connection attempts:<br />
<br />
# iptables -N LOG_AND_DROP<br />
<br />
The first rule will be applied to packets that signal the start of new connections headed for TCP port 42660<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --set --name DEFAULT --rsource<br />
<br />
The next rule tells iptables to look for packets that match the previous rule's parameters, and which also come from hosts already added to the watch list.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name DEFAULT --rsource -j LOG_AND_DROP<br />
<br />
Now iptables decides what to do with TCP traffic to port 42660 which does not match the previous rule.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -j ACCEPT<br />
<br />
We are appending this rule to the LOG_AND_DROP table, and we use the -j (jump) operator to pass the packet's information to the logging facility<br />
<br />
# iptables -A LOG_AND_DROP -j LOG --log-prefix "iptables deny: " --log-level 7<br />
<br />
After they are logged by the first rule, all packets are then dropped<br />
<br />
# iptables -A LOG_AND_DROP -j DROP<br />
<br />
====== Anti-brute-force tools ======<br />
<br />
You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to automatically block IP addresses that fail password authentication too many times.<br />
* Use [https://github.com/jtniehof/pam_shield pam_shield] to block IP addresses that perform too many login attempts within a certain period of time. In contrast to [[fail2ban]] or [[sshguard]], this program does not take login success or failure into account.<br />
<br />
===== Limit root login =====<br />
It is generally considered bad practice to allow the root user to log in without restraint over SSH. There are two methods by which SSH root access can be restricted for increased security.<br />
<br />
====== Deny ======<br />
<br />
Sudo selectively provides root rights for actions requiring these without requiring authenticating against the root account. This allows locking the root account against access via SSH and potentially functions as a security measure against brute force attacks, since now an attacker must guess the account name in addition to the password.<br />
<br />
SSH can be configured to deny remote logins with the root user by editing the "Authentication" section in {{ic|/etc/ssh/sshd_config}}. Simply change {{ic|#PermitRootLogin prohibit-password}} to {{ic|no}} and uncomment the line:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
PermitRootLogin no<br />
...<br />
}}<br />
<br />
Next, [[restart]] the SSH daemon.<br />
<br />
You will now be unable to log in through SSH under root, but will still be able to log in with your normal user and use [[su]] or [[sudo]] to do system administration.<br />
<br />
====== Restrict ======<br />
<br />
Some automated tasks such as remote, full-system backup require full root access. To allow these in a secure way, instead of disabling root login via SSH, it is possible to only allow root logins for selected commands. This can be achieved by editing {{ic|~root/.ssh/authorized_keys}}, by prefixing the desired key, e.g. as follows:<br />
<br />
command="/usr/lib/rsync/rrsync -ro /" ssh-rsa …<br />
<br />
This will allow any login with this specific key only to execute the command specified between the quotes.<br />
<br />
The increased attack surface created by exposing the root user name at login can be compensated by adding the following to {{ic|sshd_config}}:<br />
<br />
PermitRootLogin forced-commands-only<br />
<br />
This setting will not only restrict the commands which root may execute via SSH, but it will also disable the use of passwords, forcing use of public key authentication for the root account.<br />
<br />
A slightly less restrictive alternative will allow any command for root, but makes brute force attacks infeasible by enforcing public key authentication. For this option, set:<br />
<br />
PermitRootLogin without-password<br />
<br />
===== Securing the authorized_keys file =====<br />
<br />
For additional protection, you can prevent users from adding new public keys and connecting from them.<br />
<br />
In the server, make the {{ic|authorized_keys}} file read-only for the user and deny all other permissions:<br />
$ chmod 400 ~/.ssh/authorized_keys<br />
<br />
To keep the user from simply changing the permissions back, [[File permissions and attributes#chattr and lsattr|set the immutable bit]] on the {{ic|authorized_keys}} file. After that the user could rename the {{ic|~/.ssh}} directory to something else and create a new {{ic|~/.ssh}} directory and {{ic|authorized_keys}} file. To prevent this, set the immutable bit on the {{ic|~/.ssh}} directory too.<br />
<br />
{{Note|If you find yourself needing to add a new key, you will first have to remove the immutable bit from {{ic|authorized_keys}} and make it writable. Follow the steps above to secure it again.}}<br />
<br />
== Other SSH clients and servers ==<br />
Apart from OpenSSH, there are many SSH [[Wikipedia:Comparison of SSH clients|clients]] and [[Wikipedia:Comparison of SSH servers|servers]] available.<br />
<br />
=== Dropbear ===<br />
[[Wikipedia:Dropbear (software)|Dropbear]] is a SSH-2 client and server. {{Pkg|dropbear}} is available in the [[official repositories]].<br />
<br />
The command-line ssh client is named dbclient.<br />
<br />
=== Mosh ===<br />
From the Mosh [http://mosh.mit.edu/ website]:<br />
<br />
:Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes. Mosh is a replacement for SSH. It is more robust and responsive, especially over slow connections such as Wi-Fi, cellular, and long-distance.<br />
<br />
[[Install]] the {{Pkg|mosh}} package, or {{AUR|mosh-git}} for the latest revision.<br />
<br />
Mosh has an undocumented command line option {{ic|1=--predict=experimental}} which produces more aggressive echoing of local keystrokes. Users interested in low-latency visual confirmation of keyboard input may prefer this prediction mode.<br />
<br />
{{Note|Mosh by design does not let you access session history, consider installing a terminal multiplexer such as [[tmux]] or [[screen]].}}<br />
<br />
== Tips and tricks ==<br />
<br />
{{Accuracy|According to the current layout, this section seems rather generic, but in fact most of the offered tips work only in ''openssh''. For example ''dropbear'' (listed in [[#Other SSH clients and servers]]) does not support SOCKS proxy.[https://en.wikipedia.org/wiki/Comparison_of_SSH_clients#Technical]}}<br />
<br />
=== Encrypted SOCKS tunnel ===<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you do not have to remember your IP-address.<br />
<br />
==== Step 1: start the connection ====<br />
<br />
You only have to execute this single command to start the connection:<br />
<br />
$ ssh -TND 4711 ''user''@''host''<br />
<br />
where {{Ic|''user''}} is your username at the SSH server running at the {{Ic|''host''}}. It will ask for your password, and then you are connected! The {{Ic|N}} flag disables the interactive prompt, and the {{Ic|D}} flag specifies the local port on which to listen on (you can choose any port number if you want). The {{Ic|T}} flag disables pseudo-tty allocation.<br />
<br />
It is nice to add the verbose ({{Ic|-v}}) flag, because then you can verify that it is actually connected from that output.<br />
<br />
==== Step 2: configure your browser (or other programs) ====<br />
<br />
The above step is completely useless if you do not configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit > Preferences > Advanced > Network > Connection > Setting'': <br> Check the ''Manual proxy configuration'' radio button, and enter {{ic|localhost}} in the ''SOCKS host'' text field, and then enter your port number in the next text field ({{ic|4711}} in the example above).<br />
<br />
Firefox does not automatically make DNS requests through the socks tunnel. This potential privacy concern can be mitigated by the following steps:<br />
<br />
# Type about:config into the Firefox location bar.<br />
# Search for network.proxy.socks_remote_dns<br />
# Set the value to true.<br />
# Restart the browser.<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. I recommend to add one of the following functions to your {{ic|.bashrc}}:<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
OR<br />
function secure_chromium {<br />
port=4711<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
=== X11 forwarding ===<br />
X11 forwarding is a mechanism that allows graphical interfaces of X11 programs running on a remote system to be displayed on a local client machine. For X11 forwarding the remote host does not need to have a full X11 system installed, however it needs at least to have ''xauth'' installed. ''xauth'' is a utility that maintains {{ic|Xauthority}} configurations used by server and client for authentication of X11 session ([http://xmodulo.com/2012/11/how-to-enable-x11-forwarding-using-ssh.html source]).<br />
<br />
{{Warning|X11 forwarding has important security implications which should be at least acknowledged by reading relevant sections of {{man|1|ssh}}, {{man|5|sshd_config}}, and {{man|5|ssh_config}} manual pages. See also [https://security.stackexchange.com/questions/14815/security-concerns-with-x11-forwarding a short writeup]}}<br />
<br />
{{Note|You may need to install fonts on the remote system or windows may appear with missing character boxes}}<br />
<br />
==== Setup ====<br />
<br />
On the remote system:<br />
<br />
*[[pacman#Installing specific packages|install]] {{Pkg|xorg-xauth}} and {{Pkg|xorg-xhost}} from the [[official repositories]]<br />
*in {{ic|/etc/ssh/ssh'''d'''_config}}:<br />
**verify that {{ic|AllowTcpForwarding}} and {{ic|X11UseLocalhost}} options are set to ''yes'', and that {{ic|X11DisplayOffset}} is set to ''10'' (those are the default values if nothing has been changed, see {{man|5|sshd_config}})<br />
**set {{ic|X11Forwarding}} to ''yes''<br />
* then [[restart]] the [[#Daemon management|''sshd'' daemon]]. <br />
<br />
On the client's side, enable the {{ic|ForwardX11}} option by either specifying the {{ic|-X}} switch on the command line for opportunistic connections, or by setting {{ic|ForwardX11}} to ''yes'' in the [[#Configuration|client's configuration]].<br />
<br />
{{Tip|You can enable the {{ic|ForwardX11Trusted}} option ({{ic|-Y}} switch on the command line) if GUI is drawing badly or you receive errors; this will prevent X11 forwardings from being subjected to the [http://www.x.org/wiki/Development/Documentation/Security/ X11 SECURITY extension] controls. Be sure you have read [[#X11 forwarding|the warning]] at the beginning of this section if you do so.}}<br />
<br />
==== Usage ====<br />
<br />
{{Accuracy|{{ic|xhost}} is [http://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-from-ubuntu-machine#comment-17148 generally not needed]}}<br />
<br />
Log on to the remote machine normally, specifying the {{ic|-X}} switch if ''ForwardX11'' was not enabled in the client's configuration file:<br />
$ ssh -X ''user@host''<br />
If you receive errors trying to run graphical applications, try ''ForwardX11Trusted'' instead:<br />
$ ssh -Y ''user@host''<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors try the following command as the non root user:<br />
$ xhost +<br />
<br />
The above command will allow anybody to forward X11 applications. To restrict forwarding to a particular host type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. See {{man|1|xhost|url=https://docs.oracle.com/cd/E36784_01/html/E36870/xhost-1.html}} for more details.<br />
<br />
Be careful with some applications as they check for a running instance on the local machine. [[Firefox]] is an example: either close the running Firefox instance or use the following start parameter to start a remote instance on the local machine:<br />
$ firefox --no-remote<br />
<br />
If you get "X11 forwarding request failed on channel 0" when you connect (and the server {{ic|/var/log/errors.log}} shows "Failed to allocate internet-domain X11 display socket"), make sure package {{Pkg|xorg-xauth}} is installed. If its installation is not working, try to either:<br />
<br />
* enable the {{ic|AddressFamily any}} option in {{ic|ssh'''d'''_config}} on the ''server'', or<br />
* set the {{ic|AddressFamily}} option in {{ic|ssh'''d'''_config}} on the ''server'' to inet.<br />
Setting it to inet may fix problems with Ubuntu clients on IPv4.<br />
<br />
For running X applications as other user on the SSH server you need to {{Ic|xauth add}} the authentication line taken from {{Ic|xauth list}} of the SSH logged in user.<br />
<br />
{{Tip|[http://unix.stackexchange.com/a/12772/29867 Here] are [http://unix.stackexchange.com/a/46748/29867 some] useful [http://superuser.com/a/805060/185665 links] for troubleshooting {{ic|X11 Forwarding}} issues.}}<br />
<br />
=== Forwarding other ports ===<br />
In addition to SSH's built-in support for X11, it can also be used to securely tunnel any TCP connection, by use of local forwarding or remote forwarding.<br />
<br />
Local forwarding opens a port on the local machine, connections to which will be forwarded to the remote host and from there on to a given destination. Very often, the forwarding destination will be the same as the remote host, thus providing a secure shell and, e.g. a secure VNC connection, to the same machine. Local forwarding is accomplished by means of the {{Ic|-L}} switch and it is accompanying forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -L 1000:mail.google.com:25 192.168.0.100<br />
<br />
will use SSH to login to and open a shell on 192.168.0.100, and will also create a tunnel from the local machine's TCP port 1000 to mail.google.com on port 25. Once established, connections to localhost:1000 will connect to the Gmail SMTP port. To Google, it will appear that any such connection (though not necessarily the data conveyed over the connection) originated from 192.168.0.100, and such data will be secure as between the local machine and 192.168.0.100, but not between 192.168.0.100, unless other measures are taken.<br />
<br />
Similarly:<br />
<br />
$ ssh -L 2000:192.168.0.100:6001 192.168.0.100<br />
<br />
will allow connections to localhost:2000 which will be transparently sent to the remote host on port 6001. The preceding example is useful for VNC connections using the vncserver utility--part of the tightvnc package--which, though very useful, is explicit about its lack of security.<br />
<br />
Remote forwarding allows the remote host to connect to an arbitrary host via the SSH tunnel and the local machine, providing a functional reversal of local forwarding, and is useful for situations where, e.g., the remote host has limited connectivity due to firewalling. It is enabled with the {{Ic|-R}} switch and a forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -R 3000:irc.freenode.net:6667 192.168.0.200<br />
<br />
will bring up a shell on 192.168.0.200, and connections from 192.168.0.200 to itself on port 3000 (remotely speaking, localhost:3000) will be sent over the tunnel to the local machine and then on to irc.freenode.net on port 6667, thus, in this example, allowing the use of IRC programs on the remote host to be used, even if port 6667 would normally be blocked to it.<br />
<br />
Both local and remote forwarding can be used to provide a secure "gateway," allowing other computers to take advantage of an SSH tunnel, without actually running SSH or the SSH daemon by providing a bind-address for the start of the tunnel as part of the forwarding specification, e.g. {{Ic|<tunnel address>:<tunnel port>:<destination address>:<destination port>}}. The {{Ic|<tunnel address>}} can be any address on the machine at the start of the tunnel, {{Ic|localhost}}, {{Ic|*}} (or blank), which, respectively, allow connections via the given address, via the loopback interface, or via any interface. By default, forwarding is limited to connections from the machine at the "beginning" of the tunnel, i.e. the {{Ic|<tunnel address>}} is set to {{Ic|localhost}}. Local forwarding requires no additional configuration, however remote forwarding is limited by the remote server's SSH daemon configuration. See the {{Ic|GatewayPorts}} option in {{Ic|sshd_config(5)}} for more information.<br />
<br />
=== Multiplexing ===<br />
<br />
The SSH daemon usually listens on port 22. However, it is common practice for many public internet hotspots to block all traffic that is not on the regular HTTP/S ports (80 and 443, respectively), thus effectively blocking SSH connections. The immediate solution for this is to have {{ic|sshd}} listen additionally on one of the whitelisted ports:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Port 22<br />
Port 443<br />
}}<br />
<br />
However, it is likely that port 443 is already in use by a web server serving HTTPS content, in which case it is possible to use a multiplexer, such as {{Pkg|sslh}}, which listens on the multiplexed port and can intelligently forward packets to many services.<br />
<br />
=== Speeding up SSH ===<br />
<br />
{{Tip|If you intend to use SSH for SFTP or SCP, installing {{AUR|openssh-hpn-git}} can significantly increase throughput.[https://www.psc.edu/index.php/hpn-ssh]}}<br />
<br />
There are several [[#Configuration|client configuration]] options which can speed up connections either globally or for specific hosts. See {{man|5|ssh_config}} for full descriptions of these options.<br />
<br />
You can make all sessions to the same host share a single connection using these options:<br />
ControlMaster auto<br />
ControlPersist yes<br />
ControlPath ~/.ssh/sockets/socket-%r@%h:%p<br />
<br />
where {{ic|~/.ssh/sockets}} can be any directory not writable by other users. <br />
<br />
Another option to improve speed is to enable compression with the {{ic|Compression yes}} option or the {{ic|-C}} flag.<br />
<br />
{{Warning|{{man|1|ssh}} states that "''Compression is desirable on modem lines and other slow connections, but will only slow down things on fast networks''". This tip might be counterproductive depending on your network configuration.}}<br />
<br />
Login time can be shortened by bypassing IPv6 lookup using the {{ic|AddressFamily inet}} option or {{ic|-4}} flag.<br />
<br />
=== Mounting a remote filesystem with SSHFS ===<br />
Please refer to the [[Sshfs]] article to use sshfs to mount a remote system - accessible via SSH - to a local folder, so you will be able to do any operation on the mounted files with any tool (copy, rename, edit with vim, etc.). Using sshfs instead of shfs is generally preferred as a new version of shfs has not been released since 2004.<br />
<br />
=== Keep alive ===<br />
Your ssh session will automatically log out if it is idle. To send a "keep alive" signal to the server every 120 seconds add the {{ic|ServerAliveInterval 120}} option to your [[#Configuration|client configuration]]. See also the {{ic|ServerAliveCountMax}} and {{ic|TCPKeepAlive}} options.<br />
<br />
Conversely, to keep incoming connections alive, set the {{ic|ClientAliveInterval}} option in your [[#Configuration_2|server configuration]].<br />
<br />
=== Automatically restart SSH tunnels with systemd ===<br />
<br />
[[systemd]] can automatically start SSH connections on boot/login ''and'' restart them when they fail. This makes it a useful tool for maintaining SSH tunnels.<br />
<br />
The following service can start an SSH tunnel on login using the connection settings in your [[#Saving connection data in ssh config|ssh config]]. If the connection closes for any reason, it waits 10 seconds before restarting it:<br />
<br />
{{hc|~/.config/systemd/user/tunnel.service|<nowiki><br />
[Unit]<br />
Description=SSH tunnel to myserver<br />
<br />
[Service]<br />
Type=simple<br />
Restart=always<br />
RestartSec=10<br />
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N myserver<br />
</nowiki>}}<br />
<br />
Then [[enable]] and [[start]] the user service. See [[#Keep alive]] for how to prevent the tunnel from timing out. If you wish to start the tunnel on boot, you will need to rewrite the unit as a system service.<br />
<br />
=== Autossh - automatically restarts SSH sessions and tunnels ===<br />
<br />
When a session or tunnel cannot be kept alive, for example due to bad network conditions causing client disconnections, you can use {{Pkg|autossh}} to automatically restart them.<br />
<br />
Usage examples:<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" username@example.com<br />
<br />
Combined with [[sshfs]]:<br />
$ sshfs -o reconnect,compression=yes,transform_symlinks,ServerAliveInterval=45,ServerAliveCountMax=2,ssh_command='autossh -M 0' username@example.com: /mnt/example <br />
<br />
Connecting through a SOCKS-proxy set by [[Proxy settings]]:<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" -NCD 8080 username@example.com <br />
<br />
With the {{ic|-f}} option autossh can be made to run as a background process. Running it this way however means the passphrase cannot be entered interactively.<br />
<br />
The session will end once you type {{ic|exit}} in the session, or the autossh process receives a SIGTERM, SIGINT of SIGKILL signal.<br />
<br />
==== Run autossh automatically at boot via systemd ====<br />
<br />
If you want to automatically start autossh, you can create a systemd unit file:<br />
<br />
{{hc|/etc/systemd/system/autossh.service|2=<br />
[Unit]<br />
Description=AutoSSH service for port 2222<br />
After=network.target<br />
<br />
[Service]<br />
Environment="AUTOSSH_GATETIME=0"<br />
ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
Here {{ic|1=AUTOSSH_GATETIME=0}} is an environment variable specifying how long ssh must be up before autossh considers it a successful connection, setting it to 0 autossh also ignores the first run failure of ssh. This may be useful when running autossh at boot. Other environment variables are available on the manpage. Of course, you can make this unit more complex if necessary (see the systemd documentation for details), and obviously you can use your own options for autossh, but note that the {{ic|-f}} implying {{ic|1=AUTOSSH_GATETIME=0}} does not work with systemd. <br />
<br />
Remember to [[start]] and/or [[enable]] the service afterwards.<br />
<br />
You may also need to disable ControlMaster e.g.<br />
<br />
$ ExecStart=/usr/bin/autossh -M 0 -o ControlMaster=no -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
{{Tip|It is also easy to maintain several autossh processes, to keep several tunnels alive. Just create multiple service files with different names.}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Checklist ===<br />
<br />
Check these simple issues before you look any further.<br />
<br />
# The config directory {{ic|~/.ssh}} and its contents should be accessible only by your user (check this on both the client and the server): {{bc|<nowiki><br />
$ chmod 700 ~/.ssh<br />
$ chmod 600 ~/.ssh/*<br />
$ chown -R $USER ~/.ssh<br />
</nowiki>}}<br />
# Check that the client's public key (e.g. {{ic|id_rsa.pub}}) is in {{ic|~/.ssh/authorized_keys}} on the server.<br />
# Check that you did not limit SSH access with {{ic|AllowUsers}} or {{ic|AllowGroups}} in the [[#Configuration_2|server config]].<br />
# Check if the user has set a password. Sometimes new users who have not yet logged in to the server do not have a password.<br />
# [[Restart]] {{ic|sshd}} and logout/login on both client and server.<br />
<br />
=== SSH connection hangs after poweroff/reboot ===<br />
<br />
SSH connections hang after poweroff or reboot if systemd stops the network before sshd. To fix this, change the {{ic|After}} statement for user sessions:<br />
{{hc|# systemctl edit systemd-user-sessions.service|2=<br />
[Unit]<br />
After=network.target}}<br />
<br />
=== Connection refused or timeout problem ===<br />
<br />
==== Port forwarding ====<br />
<br />
If you are behind a NAT mode/router (which is likely unless you are on a VPS or publicly addressed host), make sure that your router is forwarding incoming ssh connections to your machine. Find the server's internal IP address with {{ic|$ ip addr}} and set up your router to forward TCP on your SSH port to that IP. [http://portforward.com portforward.com] can help with that.<br />
<br />
==== Is SSH running and listening? ====<br />
$ ss -tnlp<br />
<br />
If the above command do not show SSH port is open, SSH is NOT running. Check {{ic|/var/log/messages}} for errors etc.<br />
<br />
==== Are there firewall rules blocking the connection? ====<br />
<br />
[[Iptables]] may be blocking connections on port {{ic|22}}. Check this with:<br />
{{bc|# iptables -nvL}}<br />
and look for rules that might be dropping packets on the {{ic|INPUT}} chain. Then, if necessary, unblock the port with a command like: <br />
{{bc|<br />
# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT<br />
}}<br />
For more help configuring firewalls, see [[firewalls]].<br />
<br />
==== Is the traffic even getting to your computer? ====<br />
Start a traffic dump on the computer you are having problems with:<br />
<br />
# tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should show some basic information, then wait for any matching traffic to happen before displaying it. Try your connection now. If you do not see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e. g., hardware firewall, NAT router etc.).<br />
<br />
==== Your ISP or a third party blocking default port? ====<br />
{{Note|Try this step if you '''know''' you are not running any firewalls and you know you have configured the router for DMZ or have forwarded the port to your computer and it still does not work. Here you will find diagnostic steps and a possible solution.}}<br />
<br />
In some cases, your ISP might block the default port (SSH port 22) so whatever you try (opening ports, hardening the stack, defending against flood attacks, et al) ends up useless. To confirm this, create a server on all interfaces (0.0.0.0) and connect remotely. <br />
<br />
If you get an error message comparable to this:<br />
ssh: connect to host www.inet.hr port 22: Connection refused<br />
<br />
That means the port is '''not''' being blocked by the ISP, but the server does not run SSH on that port (See [[wikipedia:Security_through_obscurity|security through obscurity]]).<br />
<br />
However, if you get an error message comparable to this:<br />
ssh: connect to host 111.222.333.444 port 22: Operation timed out <br />
<br />
That means that something is rejecting your TCP traffic on port 22. Basically that port is stealth, either by your firewall or 3rd party intervention (like an ISP blocking and/or rejecting incoming traffic on port 22). If you know you are not running any firewall on your computer, and you know that Gremlins are not growing in your routers and switches, then your ISP is blocking the traffic.<br />
<br />
To double check, you can run Wireshark on your server and listen to traffic on port 22. Since Wireshark is a Layer 2 Packet Sniffing utility, and TCP/UDP are Layer 3 and above (see [[wikipedia:Internet protocol suite|IP Network stack]]), if you do not receive anything while connecting remotely, a third party is most likely to be blocking the traffic on that port to your server.<br />
<br />
===== Diagnosis =====<br />
<br />
[[Install]] either {{Pkg|tcpdump}} or Wireshark with the {{Pkg|wireshark-cli}} package.<br />
<br />
For tcpdump:<br />
<br />
# tcpdump -ni ''interface'' "port 22"<br />
<br />
For Wireshark:<br />
<br />
$ tshark -f "tcp port 22" -i ''interface''<br />
<br />
where {{ic|''interface''}} is the network interface for a WAN connection (see {{ic|ip a}} to check). If you are not receiving any packets while trying to connect remotely, you can be very sure that your ISP is blocking the incoming traffic on port 22.<br />
<br />
===== Possible solution =====<br />
The solution is just to use some other port that the ISP is not blocking. Open the {{ic|/etc/ssh/sshd_config}} and configure the file to use different ports. For example, add:<br />
<br />
Port 22<br />
Port 1234<br />
<br />
Also make sure that other "Port" configuration lines in the file are commented out. Just commenting "Port 22" and putting "Port 1234" will not solve the issue because then sshd will only listen on port 1234. Use both lines to run the SSH server on both ports. <br />
<br />
[[Restart]] the server {{ic|sshd.service}} and you are almost done. You still have to configure your client(s) to use the other port instead of the default port. There are numerous solutions to that problem, but let us cover two of them here.<br />
<br />
==== Read from socket failed: connection reset by peer ====<br />
<br />
Recent versions of openssh sometimes fail with the above error message when connecting to older ssh servers. This can be worked around by setting various [[#Configuration|client options]] for that host. See {{man|5|ssh_config}} for more information about the following options.<br />
<br />
The problem could be the {{ic|ecdsa-sha2-nistp*-cert-v01@openssh}} elliptical host key algorithms. These can be disabled by setting {{ic|HostKeyAlgorithms}} to a list excluding those algorithms.<br />
<br />
If that does not work, it could be that the list of ciphers is too long. Set the {{ic|Ciphers}} option to a shorter list (fewer than 80 characters should be enough). Similarly, you can also try shortening the list of {{ic|MACs}}.<br />
<br />
See also the [http://www.gossamer-threads.com/lists/openssh/dev/51339 discussion] on the openssh bug forum.<br />
<br />
=== "[your shell]: No such file or directory" / ssh_exchange_identification problem ===<br />
One possible cause for this is the need of certain SSH clients to find an absolute path (one returned by {{Ic|whereis -b [your shell]}}, for instance) in {{Ic|$SHELL}}, even if the shell's binary is located in one of the {{Ic|$PATH}} entries.<br />
<br />
==="Terminal unknown" or "Error opening terminal" error message===<br />
If you receive the above errors upon logging in, this means the server does not recognize your terminal. Ncurses applications like nano may fail with the message "Error opening terminal".<br />
<br />
The correct solution is to install the client terminal's terminfo file on the server. This tells console programs on the server how to correctly interact with your terminal. You can get info about current terminfo using {{ic|$ infocmp}} and then find out [[Pacman#Querying_package_databases|which package owns it]].<br />
<br />
If you cannot [[install]] it normally, you can copy your terminfo to your home directory on the server:<br />
<br />
$ ssh myserver mkdir -p ~/.terminfo/${TERM:0:1}<br />
$ scp /usr/share/terminfo/${TERM:0:1}/$TERM myserver:~/.terminfo/${TERM:0:1}/<br />
<br />
After logging in and out from the server the problem should be fixed.<br />
<br />
==== TERM hack ====<br />
<br />
{{warning|This should only be used as a last resort.}}<br />
<br />
Alternatively, you can simply set {{ic|1=TERM=xterm}} in your environment on the server (e.g. in {{ic|.bash_profile}}). This will silence the error and allow ncurses applications to run again, but you may experience strange behavior and graphical glitches unless your terminal's control sequences exactly match xterm's.<br />
<br />
=== Connection closed by x.x.x.x [preauth] ===<br />
If you are seeing this error in your sshd logs, make sure you have set a valid HostKey<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
=== id_dsa refused by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated DSA public keys for security reasons. If you absolutely must enable them, set the [[#Configuration|config]] option {{ic|PubkeyAcceptedKeyTypes +ssh-dss}} (http://www.openssh.com/legacy.html does not mention this).<br />
<br />
=== No matching key exchange method found by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated the diffie-hellman-group1-sha1 key algorithm because it is weak and within theoretical range of the so-called Logjam attack (see http://www.openssh.com/legacy.html). If the key algorithm is needed for a particular host, ssh will produce an error message like this:<br />
<br />
Unable to negotiate with 127.0.0.1: no matching key exchange method found.<br />
Their offer: diffie-hellman-group1-sha1<br />
<br />
The best resolution for these failures is to upgrade/configure the server to not use deprecated algorithms. If that is not possible, you can force the client to reenable the algorithm with the [[#Configuration|client option]] {{ic|KexAlgorithms +diffie-hellman-group1-sha1}}.<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:Secure Shell]]<br />
* [http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]<br />
* [http://www.ibm.com/developerworks/library/l-keyc/index.html OpenSSH key management, Part 1] and [http://www.ibm.com/developerworks/library/l-keyc2 Part 2] on IBM developerWorks<br />
* [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell]</div>Smasher816https://wiki.archlinux.org/index.php?title=OpenVPN&diff=450220OpenVPN2016-09-11T02:44:39Z<p>Smasher816: Use a real example domain</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[de:OpenVPN]]<br />
[[ru:OpenVPN]]<br />
[[zh-CN:OpenVPN]]<br />
{{Related articles start}}<br />
{{Related|OpenVPN in Linux containers}}<br />
{{Related|Easy-rsa}}<br />
{{Related articles end}}<br />
<br />
This article describes a basic installation and configuration of [http://openvpn.net OpenVPN], suitable for private and small business use. For more detailed information, please see the [https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage OpenVPN 2.3 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation]. OpenVPN is a robust and highly flexible [[Wikipedia:VPN|VPN]] daemon. It supports [[Wikipedia:SSL/TLS|SSL/TLS]] security, [[Wikipedia:Bridging_(networking)|Ethernet bridging]], [[Wikipedia:Transmission_Control_Protocol|TCP]] or [[Wikipedia:User_Datagram_Protocol|UDP]] [[Wikipedia:Tunneling_protocol|tunnel transport]] through [[Wikipedia:Proxy_server|proxies]] or [[Wikipedia:Network address translation|NAT]]. Additionally it has support for dynamic IP addresses and [[Wikipedia:Dynamic_Host_Configuration_Protocol|DHCP]], scalability to hundreds or thousands of users, and portability to most major OS platforms.<br />
<br />
OpenVPN is tightly bound to the [http://www.openssl.org OpenSSL] library, and derives much of its crypto capabilities from it. It supports conventional encryption using a [[Wikipedia:Pre-shared_key|pre-shared secret key]] (Static Key mode) or [[Wikipedia:Public_key|public key security]] ([[Wikipedia:SSL/TLS|SSL/TLS]] mode) using client & server certificates. Additionally it supports unencrypted TCP/UDP tunnels.<br />
<br />
OpenVPN is designed to work with the [[Wikipedia:TUN/TAP|TUN/TAP]] virtual networking interface that exists on most platforms. Overall, it aims to offer many of the key features of [[Wikipedia:Ipsec|IPSec]] but with a relatively lightweight footprint. OpenVPN was written by James Yonan and is published under the [[Wikipedia:GNU General Public License|GNU General Public License (GPL)]].<br />
<br />
== Install OpenVPN ==<br />
<br />
[[Install]] the {{Pkg|openvpn}} package.<br />
<br />
{{Note|The software contained in this package supports both server and client mode, so install it on all machines that need to create VPN connections.}}<br />
<br />
== Kernel configuration ==<br />
{{Note|OpenVPN requires TUN/TAP support, which is already configured in the default kernel. Users of custom kernel should make sure to enable the {{ic|tun}} module as below.}}<br />
<br />
{{hc|Kernel config file|<br />
Device Drivers<br />
--> Network device support<br />
[M] Universal TUN/TAP device driver support}}<br />
<br />
Read [[Kernel modules]] for more information.<br />
<br />
== Connect to a VPN provided by a third party ==<br />
<br />
To connect to a VPN service provided by a third party, most of the following can most likely be ignored, especially regarding server setup. Begin with [[#The client config profile (OpenVPN)|#The client config profile]] and skip ahead to [[#Starting OpenVPN]] after that. One should use the provider certificates and instructions, for instance see: [[Airvpn]].<br />
<br />
{{Note|Most free VPN providers will (often only) offer [[PPTP server|PPTP]], which is drastically easier to setup and configure, but is [http://poptop.sourceforge.net/dox/protocol-security.phtml not secure].}}<br />
<br />
== Create a Public Key Infrastructure (PKI) from scratch ==<br />
<br />
When setting up an OpenVPN server, users need to create a [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] which is detailed in the [[easy-rsa]] article. Once the needed certificates, private keys, and associated files are created via following the steps in the separate article, one should have 4 files in {{ic|/etc/openvpn}} at this point:<br />
*{{ic|/etc/openvpn/ca.crt}}<br />
*{{ic|/etc/openvpn/dh.pem}}<br />
*{{ic|/etc/openvpn/servername.crt}}<br />
*{{ic|/etc/openvpn/ta.key}}<br />
<br />
The server private key can simply be symlinked:<br />
# ln -sf /etc/easy-rsa/pki/private/servername.key /etc/openvpn<br />
<br />
== A basic L3 IP routing configuration ==<br />
<br />
{{Note|Unless otherwise explicitly stated, the rest of this article assumes this basic configuration.}}<br />
<br />
OpenVPN is an extremely versatile piece of software and many configurations are possible, in fact machines can be both "servers" and "clients", blurring the distinction between server and client.<br />
<br />
What really distinguishes a server from a client (apart from the type of certificate used) is the configuration file itself. The OpenVPN daemon start-up script reads all the .conf configuration files it finds in {{ic|/etc/openvpn}} on start-up and acts accordingly. If it finds more than one configuration file, it will start one OpenVPN process per configuration file.<br />
<br />
This article explains how to set up a server named elmer and a client that connects to it named bugs. More servers and clients can easily be added by creating more key/certificate pairs and adding more server and client configuration files.<br />
<br />
The OpenVPN package comes with a collection of example configuration files for different purposes. The sample server and client configuration files make an ideal starting point for a basic OpenVPN setup with the following features:<br />
<br />
* Uses [[Wikipedia:Public key infrastructure|Public Key Infrastructure (PKI)]] for authentication.<br />
* Creates a VPN using a virtual TUN network interface (OSI L3 IP routing).<br />
* Listens for client connections on UDP port 1194 (OpenVPN's [[Wikipedia:Port_number|official IANA port number]]).<br />
* Distributes virtual addresses to connecting clients from the 10.8.0.0/24 subnet.<br />
<br />
For more advanced configurations, please see the official [http://openvpn.net/index.php/manuals/427-openvpn-22.html OpenVPN 2.2 man page] and the [http://openvpn.net/index.php/open-source/documentation OpenVPN documentation].<br />
<br />
=== The server configuration file ===<br />
{{Note|Note that if the server is behind a firewall or a NAT translating router, the OpenVPN port must be forward on to the server.}}<br />
<br />
Copy the example server configuration file to {{ic|/etc/openvpn/server.conf}}:<br />
<br />
# cp /usr/share/openvpn/examples/server.conf /etc/openvpn/server.conf<br />
<br />
Edit the file making a minimum of the following changes:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/server.crt<br />
key /etc/openvpn/server.key # This file should be kept secret<br />
dh /etc/openvpn/dh.pem<br />
.<br />
tls-auth /etc/openvpn/ta.key '''0'''<br />
.<br />
user nobody<br />
group nobody<br />
}}<br />
<br />
==== Hardening the server ====<br />
If security is a priority, additional configuration is recommended including: limiting the server to use a strong cipher/auth method and limiting the newer tls ciphers. Do so by adding the following to {{ic|/etc/openvpn/server.conf}}<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
.<br />
cipher AES-256-CBC<br />
auth SHA512<br />
tls-version-min 1.2<br />
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-2}56-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile MUST contain a matching cipher and auth line to work properly (at least with the iOS client)!}}<br />
<br />
==== Deviating from the standard port and/or protocol ====<br />
Some public/private network admins may not allow OpenVPN connections on its default port and/or protocol. One strategy to circumvent this is to mimic https/SSL traffic which is very likely unobstructed.<br />
<br />
To do so, configure {{ic|/etc/openvpn/server.conf}} as such:<br />
{{hc|/etc/openvpn/server.conf|<br />
.<br />
port 443<br />
proto tcp<br />
.<br />
}}<br />
<br />
{{Note|The .ovpn client profile MUST contain a matching port and proto line to work properly!}}<br />
<br />
===== TCP vs UDP =====<br />
There are subtle differences between TCP and UDP.<br />
<br />
TCP<br />
* So-called "stateful protocol."<br />
* High reliability due to error correction (i.e. waits for packet acknowledgment).<br />
* Potentially slower than UDP.<br />
<br />
UDP<br />
* So-called "stateless protocol."<br />
* Less reliable than TCP as no error correction is in use.<br />
* Potentially faster than TCP.<br />
<br />
=== The client config profile (OpenVPN) ===<br />
<br />
Copy the example client configuration file to {{ic|/etc/openvpn/client.conf}}:<br />
<br />
# cp /usr/share/openvpn/examples/client.conf /etc/openvpn/client.conf<br />
<br />
Edit the following:<br />
<br />
* The {{ic|remote}} directive to reflect either the server's [[Wikipedia:Fully qualified domain name|Fully Qualified Domain Name]], hostname (as known to the client), or its IP address.<br />
* Uncomment the {{ic|user}} and {{ic|group}} directives to drop privileges.<br />
* The {{ic|ca}}, {{ic|cert}}, and {{ic|key}} parameters to reflect the path and names of the keys and certificates.<br />
* Enable the SSL/TLS HMAC handshake protection. '''Note the use of the parameter 1 for a client'''.<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
.<br />
user nobody<br />
group nobody<br />
ca /etc/openvpn/ca.crt<br />
cert /etc/openvpn/client.crt<br />
key /etc/openvpn/client.key<br />
.<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
<br />
==== Drop root privileges after connecting ====<br />
<br />
Using the options {{ic|user nobody}} and {{ic|group nobody}} in the configuration file makes ''openvpn'' drop its privileges after establishing the connection. The downside is that upon VPN disconnect the daemon is unable to delete its set network routes again. If one wants to limit transmitting traffic without the VPN connection, this may be advantageous. However, it requires manual action to delete the routes and will, hence, often be undesired. Further, it can happen that the OpenVPN server pushes updates to routes at runtime of the tunnel. A client with dropped privileges will be unable to perform the update and exit with an error. <br />
<br />
Depending on setup, there are four ways to handle these situations: <br />
<br />
* For errors of the unit, a simple way is to [[edit]] it and add a {{ic|1=Restart=on-failure}} to the {{ic|[Service]}} section. Though, this alone will not delete any obsoleted routes, so it may happen that the restarted tunnel is not routed properly. <br />
* The package contains the {{ic|/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so}} (see README in its directory), which can be used to let ''openvpn'' fork a process with root privileges with the only task to execute a custom script when receiving a down signal from the main process, which is handling the tunnel with dropped privileges.[https://community.openvpn.net/openvpn/browser/plugin/down-root/README?rev=d02a86d37bed69ee3fb63d08913623a86c88da15] <br />
* The [https://openvpn.net/index.php/open-source/documentation/howto.html#security OpenVPN HowTo] explains another way how to create an unprivileged user mode and wrapper script to have the routes restored automatically. <br />
* Further, it is possible to let OpenVPN start as a non-privileged user in the first place, without ever running as root, see [https://community.openvpn.net/openvpn/wiki/UnprivilegedUser this OpenVPN wiki HowTo].<br />
<br />
{{Note|The OpenVPN HowTos linked above create a dedicated non-privileged user/group, instead of the already existing {{ic|nobody}}. The advantage is that this avoids potential risks when sharing a user among daemons.}}<br />
<br />
=== The client profile (generic for Linux, iOS, or Android) ===<br />
The {{AUR|ovpngen}} package provides a simple shell script that creates OpenVPN compatible tunnel profiles in the unified file format suitable for the iOS version of OpenVPN Connect as well as for the Android app.<br />
<br />
Simply invoke the script with 5 tokens:<br />
# Server Fully Qualified Domain Name of the OpenVPN server (or IP address).<br />
# Full path to the CA cert.<br />
# Full path to the client cert.<br />
# Full path to the client private key.<br />
# Full path to the server TLS shared secret key.<br />
# Optionally a port number.<br />
# Optionally a protocol (udp or tcp).<br />
<br />
Example:<br />
# ovpngen example.org /etc/openvpn/ca.crt /etc/easy-rsa/pki/signed/client1.crt /etc/easy-rsa/pki/private/client1.key /etc/openvpn/ta.key > iphone.ovpn<br />
<br />
The resulting {{ic|iphone.ovpn}} can be edited if desired as the script does insert some commented lines.<br />
<br />
{{Tip|If the server.conf contains a specified cipher and/or auth line, it is highly recommended that users manually edit the generated .ovpn file adding matching lines for cipher and auth. Failure to do so may results in connection errors!}}<br />
<br />
=== Converting certificates to encrypted .p12 format ===<br />
Some software will only read VPN certificates that are stored in a password-encrypted .p12 file. These can be generated with the following command:<br />
{{bc|# openssl pkcs12 -export -inkey keys/bugs.key -in keys/bugs.crt -certfile keys/ca.crt -out keys/bugs.p12}}<br />
<br />
=== Testing the OpenVPN configuration ===<br />
<br />
Run {{ic|# openvpn /etc/openvpn/server.conf}} on the server, and {{ic|# openvpn /etc/openvpn/client.conf}} on the client. Example output should be similar to the following:<br />
<br />
{{hc|# openvpn /etc/openvpn/server.conf|2=<br />
Wed Dec 28 14:41:26 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:26 2011 Diffie-Hellman initialized with 2048 bit key<br />
.<br />
.<br />
Wed Dec 28 14:41:54 2011 bugs/95.126.136.73:48904 MULTI: primary virtual IP for bugs/95.126.136.73:48904: 10.8.0.6<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 PUSH: Received control message: 'PUSH_REQUEST'<br />
Wed Dec 28 14:41:57 2011 bugs/95.126.136.73:48904 SENT CONTROL [bugs]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)<br />
}}<br />
<br />
{{hc|# openvpn /etc/openvpn/client.conf|2=<br />
Wed Dec 28 14:41:50 2011 OpenVPN 2.2.1 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011<br />
Wed Dec 28 14:41:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables<br />
Wed Dec 28 14:41:50 2011 LZO compression initialized<br />
.<br />
.<br />
Wed Dec 28 14:41:57 2011 GID set to nobody<br />
Wed Dec 28 14:41:57 2011 UID set to nobody<br />
Wed Dec 28 14:41:57 2011 Initialization Sequence Completed<br />
}}<br />
<br />
On the server, find the IP address assigned to the tunX device:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
40: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0<br />
}}<br />
<br />
Here we see that the server end of the tunnel has been given the IP address 10.8.0.1.<br />
<br />
Do the same on the client:<br />
<br />
{{hc|# ip addr show|2=<br />
.<br />
.<br />
37: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100<br />
link/none<br />
inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0<br />
}}<br />
<br />
And the client side has been given the IP address 10.8.0.6.<br />
<br />
Now try pinging the interfaces.<br />
<br />
On the server:<br />
<br />
{{hc|# ping -c3 10.8.0.6|2=<br />
PING 10.8.0.6 (10.8.0.6) 56(84) bytes of data.<br />
64 bytes from 10.8.0.6: icmp_req=1 ttl=64 time=238 ms<br />
64 bytes from 10.8.0.6: icmp_req=2 ttl=64 time=237 ms<br />
64 bytes from 10.8.0.6: icmp_req=3 ttl=64 time=205 ms<br />
<br />
--- 10.8.0.6 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2002ms<br />
rtt min/avg/max/mdev = 205.862/227.266/238.788/15.160 ms<br />
}}<br />
<br />
On the client:<br />
<br />
{{hc|# ping -c3 10.8.0.1|2=<br />
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.<br />
64 bytes from 10.8.0.1: icmp_req=1 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=2 ttl=64 time=158 ms<br />
64 bytes from 10.8.0.1: icmp_req=3 ttl=64 time=157 ms<br />
<br />
--- 10.8.0.1 ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2001ms<br />
rtt min/avg/max/mdev = 157.426/158.278/158.940/0.711 ms<br />
}}<br />
<br />
{{Note|If using a firewall, make sure that IP packets on the TUN device are not blocked.}}<br />
<br />
=== Configure the MTU with Fragment and MSS ===<br />
<br />
{{Note|If you do not configure MTU, then you will notice that small packets like ping and DNS will work, however web browsing will not work.}}<br />
<br />
Now it is time to configure the maximum segment size (MSS). In order to do this we need to discover what is the smallest MTU along the path between the client and server. In order to do this you can ping the server and disable fragmentation. Then specify the max packet size.<br />
<br />
{{Accuracy|Output is different - I do not see anything like {{ic|...Frag needed and DF set...}}}}<br />
<br />
{{hc|# ping -c5 -M do -s 1500 elmer.acmecorp.org|2=<br />
PING elmer.acmecorp.org (99.88.77.66) 1500(1528) bytes of data.<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
From 1.2.3.4 (99.88.77.66) icmp_seq=1 Frag needed and DF set (mtu = 576)<br />
<br />
--- core.myrelay.net ping statistics ---<br />
0 packets transmitted, 0 received, +5 errors<br />
}}<br />
<br />
We received an ICMP message telling us the MTU is 576 bytes. The means we need to fragment the UDP packets smaller then 576 bytes to allow for some UDP overhead.<br />
<br />
{{hc|# ping -c5 -M do -s 548 elmer.acmecorp.org|2=<br />
PING elmer.acmecorp.org (99.88.77.66) 548(576) bytes of data.<br />
556 bytes from 99.88.77.66: icmp_seq=1 ttl=48 time=206 ms<br />
556 bytes from 99.88.77.66: icmp_seq=2 ttl=48 time=224 ms<br />
556 bytes from 99.88.77.66: icmp_seq=3 ttl=48 time=206 ms<br />
556 bytes from 99.88.77.66: icmp_seq=4 ttl=48 time=207 ms<br />
556 bytes from 99.88.77.66: icmp_seq=5 ttl=48 time=208 ms<br />
<br />
--- myrelay.net ping statistics ---<br />
5 packets transmitted, 5 received, 0% packet loss, time 4001ms<br />
rtt min/avg/max/mdev = 206.027/210.603/224.158/6.832 ms<br />
}}<br />
<br />
After some trial and error..., we discover that we need to fragment packets on 548 bytes. In order to do this we specify this fragment size in the configuration and instruct OpenVPN to fix the Maximum Segment Size (MSS).<br />
<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
...<br />
fragment 548<br />
mssfix 548<br />
...}}<br />
<br />
We also need to tell the server about the fragmentation. Note that "mssfix" is NOT needed in the server configuration.<br />
<br />
{{Note|Clients that do not support the 'fragment' directive (e.g. OpenELEC, [https://forums.openvpn.net/topic13201.html#p31156 iOS app]) are not able to connect to a server that uses the 'fragment' directive. To support such clients, skip this section and configure the clients with the 'mtu-test' directive described below.}}<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
...<br />
fragment 548<br />
}}<br />
<br />
{{Note|The following will add about 3 minutes to OpenVPN start time. It is advisable to configure the fragment size unless your client is a laptop that will be connecting over many different networks and the bottle neck is on the client side.}}<br />
<br />
You can also allow OpenVPN to do this for you by having OpenVPN do the ping testing every time the client connects to the VPN. Be patient, since your client may not inform you about the test being run and the connection may appear as nonfunctional until finished.<br />
{{hc|/etc/openvpn/client.conf|<br />
remote elmer.acmecorp.org 1194<br />
...<br />
mtu-test<br />
...<br />
tls-auth /etc/openvpn/ta.key '''1'''<br />
}}<br />
<br />
=== IPv6 ===<br />
==== Connect to the server via IPv6 ====<br />
<br />
In order to enable Dual Stack for OpenVPN, you have to change {{ic|proto udp}} to {{ic|proto udp6}} in both server.conf and client.conf. Afterwards both IPv4 and IPv6 are enabled.<br />
<br />
==== Provide IPv6 inside the tunnel ====<br />
<br />
In order to provide IPv6 inside the tunnel, you need to have a IPv6 prefix routed to your OpenVPN server. Either set up a static route on your gateway (if you have a static block assigned), or use a DHCPv6 client to get a prefix with DHCPv6 Prefix delegation (see [[IPv6#Prefix delegation (DHCPv6-PD)|IPv6 Prefix delegation]] for details). You can also use a unique local address from the address block fc00::/7. Both methods have advantages and disadvantages:<br />
<br />
* Many ISPs only provide dynamically changing IPv6 prefixes. OpenVPN does not support prefix changes, so you need to change your server.conf every time the prefix is changed (Maybe can be automated with a script).<br />
* ULA addresses are not routed to the Internet, and setting up NAT is not as straightforward as with IPv4. So you cannot route the entire traffic over the tunnel. If you only want to connect two sites via IPv6, without the need to connect to the Internet over the tunnel, the ULA addresses may be easier to use.<br />
<br />
After you have received a prefix (a /64 is recommended), append the following to the server.conf:<br />
<br />
server-ipv6 2001:db8:0:123::/64<br />
<br />
This is the IPv6 equivalent to the default 10.8.0.0/24 network of OpenVPN and needs to be taken from the DHCPv6 client. Or use for example fd00:1234::/64.<br />
<br />
If you want to push a route to your home network (192.168.1.0/24 equivalent), also append:<br />
<br />
push "route-ipv6 2001:db8:0:abc::/64"<br />
<br />
OpenVPN does not yet include DHCPv6, so there is no method to e.g. push DNS server over IPv6. This needs to be done with IPv4. The [https://community.openvpn.net/openvpn/wiki/IPv6 OpenVPN Wiki] provides some other configuration options.<br />
<br />
== Starting OpenVPN ==<br />
<br />
=== Manual startup ===<br />
<br />
To troubleshoot a VPN connection, start the client's daemon manually with {{ic|openvpn /etc/openvpn/client.conf}} as root. The server can be started the same way using its own configuration file (e.g., {{ic|openvpn /etc/openvpn/server.conf}}).<br />
<br />
=== systemd service configuration ===<br />
<br />
To start OpenVPN automatically at system boot, either for a client or for a server, [[enable]] {{ic|openvpn@''<configuration>''.service}} on the applicable machine.<br />
<br />
For example, if the client configuration file is {{ic|/etc/openvpn/client.conf}}, the service name is {{ic|openvpn@client.service}}. Or, if the server configuration file is {{ic|/etc/openvpn/server.conf}}, the service name is {{ic|openvpn@server.service}}.<br />
<br />
=== Letting NetworkManager start a connection ===<br />
<br />
On a client you might not always need to run a VPN tunnel and/or only want to establish it for a specific NetworkManager connection. This can be done by adding a script to {{ic|/etc/NetworkManager/dispatcher.d/}}. In the following example "Provider" is the name of the NetworkManager connection:<br />
<br />
{{hc|/etc/NetworkManager/dispatcher.d/10-openvpn|2=<br />
#!/bin/bash<br />
<br />
case "$2" in<br />
up)<br />
if [ "$CONNECTION_ID" == "Provider" ]; then<br />
systemctl start openvpn@client<br />
fi<br />
;;<br />
down)<br />
systemctl stop openvpn@client<br />
;;<br />
esac}}<br />
<br />
See [[NetworkManager#Network services with NetworkManager dispatcher]] for more details.<br />
<br />
=== Gnome configuration ===<br />
<br />
If you would like to connect a client to an OpenVPN server through Gnome's built-in network configuration do the following. First, install {{ic|networkmanager-openvpn}}. Then go to the Settings menu and choose Network. Click the plus sign to add a new connection and choose VPN. From there you can choose OpenVPN and manually enter the settings. You can also choose to import [[#The client configuration file]], if you have already created one. Yet, be aware NetworkManager does not show error messages for options it does not import. To connect to the VPN simply turn the connection on and check the options are applied as you configured (e.g. via {{ic|journalctl -b -u NetworkManager}}).<br />
<br />
== Routing all client traffic through the server ==<br />
<br />
{{Note|There are potential pitfalls when routing all traffic through a VPN server. Refer to [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect the OpenVPN documentation on this topic] for more information.}}<br />
<br />
By default only traffic directly to and from an OpenVPN server passes through the VPN. To have all traffic, including web traffic, pass through the VPN do the following. First add the following to your server's configuration file (i.e., {{ic|/etc/openvpn/server.conf}}) [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect]:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
push "dhcp-option DNS 8.8.8.8"<br />
<br />
Change {{ic|8.8.8.8}} to your preferred DNS IP address if configured to run on the same box as the server or else leave it at 8.8.8.8 to use google's DNS.<br />
<br />
If you have problems with non responsive DNS after connecting to server, install [[BIND]] as simple DNS forwarder and push the IP address of the OpenVPN server as DNS to clients.<br />
<br />
After setting up the configuration file, one must [[Internet_sharing#Enable_packet_forwarding|enable packet forwarding]] on the server. Additionally, the server's firewall will need to be set up to allow VPN traffic through it, which is described below for both [[ufw]] and [[iptables]].<br />
<br />
To allow clients to be able to reach other (private) subnets behind the server, you may want to use the {{ic|push "route <address pool> <subnet>"}} option:<br />
<br />
push "route 172.10.142.0 255.255.255.0"<br />
push "route 172.20.142.0 255.255.255.0"<br />
<br />
=== Firewall configuration ===<br />
<br />
==== ufw ====<br />
<br />
In order to configure your ufw settings for VPN traffic first add the following to {{ic|/etc/default/ufw}}:<br />
<br />
{{hc|/etc/default/ufw|2=<br />
DEFAULT_FORWARD_POLICY="ACCEPT"<br />
}}<br />
<br />
Now change {{ic|/etc/ufw/before.rules}}, and add the following code after the header and before the "*filter" line. Do not forget to change the IP/subnet mask to match the one in {{ic|/etc/openvpn/server.conf}}. The adapter ID in the example is generically called {{ic|eth0}} so edit it for your system accordingly.<br />
<br />
{{hc|/etc/ufw/before.rules|2=<br />
# NAT (Network Address Translation) table rules<br />
*nat<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Allow traffic from clients to eth0<br />
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
# do not delete the "COMMIT" line or the NAT table rules above will not be processed<br />
COMMIT<br />
}}<br />
<br />
Open OpenVPN port 1194:<br />
<br />
# ufw allow 1194<br />
<br />
Lastly, reload UFW:<br />
<br />
# ufw reload<br />
<br />
==== iptables ====<br />
<br />
In order to allow VPN traffic through your iptables firewall of your server, first create an iptables rule for NAT forwarding [http://openvpn.net/index.php/open-source/documentation/howto.html#redirect] on the server, assuming the interface you want to forward to is named {{ic|eth0}}:<br />
<br />
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE<br />
<br />
If you have difficulty pinging the server through the VPN, you may need to add explicit rules to open up TUN/TAP interfaces to all traffic. If that is the case, do the following [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn]:<br />
<br />
{{Warning|There are security implications for the following rules if you do not trust all clients which connect to the server. Refer to the [https://community.openvpn.net/openvpn/wiki/255-qconnection-initiated-with-xxxxq-but-i-cannot-ping-the-server-through-the-vpn OpenVPN documentation on this topic] for more details.}}<br />
<br />
iptables -A INPUT -i tun+ -j ACCEPT<br />
iptables -A FORWARD -i tun+ -j ACCEPT<br />
iptables -A INPUT -i tap+ -j ACCEPT<br />
iptables -A FORWARD -i tap+ -j ACCEPT<br />
<br />
Additionally be sure to accept connections from the OpenVPN port (default 1194) and through the physical interface.<br />
<br />
When you are satisfied make the changes permanent as shown in [[iptables#Configuration and usage]].<br />
<br />
If you have multiple {{ic|tun}} or {{ic|tap}} interfaces, or more than one VPN configuration, you can "pin" the name of your interface by specifying it in the OpenVPN config file, e.g. {{ic|tun22}} instead of {{ic|tun}}. This is advantageous if you have different firewall rules for different interfaces or OpenVPN configurations.<br />
<br />
=== Prevent leaks if vpn goes down ===<br />
<br />
The idea is simple: prevent all traffic through our default interface (enp3s0 for example) and only allow tun0.<br />
If the openvpn connection drops, your computer will lose its internet access and therefore, avoid your programs to continue connecting through an insecure network adapter.<br />
<br />
Be sure to set up a script to restart openvpn if it goes down if you do not want to manually restart it.<br />
<br />
==== ufw ====<br />
<br />
# Default policies<br />
ufw default deny incoming<br />
ufw default deny outgoing<br />
<br />
# Openvpn interface (adjust interface accordingly to your configuration)<br />
ufw allow in on tun0<br />
ufw allow out on tun0<br />
<br />
# Local Network (adjust ip accordingly to your configuration)<br />
ufw allow in on enp3s0 from 192.168.1.0/24<br />
ufw allow out on enp3s0 to 192.168.1.0/24<br />
<br />
# Openvpn (adjust port accordingly to your configuration)<br />
ufw allow out on enp3s0 to any port 1194<br />
ufw allow in on enp3s0 from any port 1194<br />
<br />
{{Warning| DNS '''will not''' work '''unless''' you run your own dns server like [[BIND]]<br />
Otherwise, you will need to allow dns leak. '''Be sure to trust your dns server!'''<br />
# DNS<br />
ufw allow in from any to any port 53<br />
ufw allow out from any to any port 53<br />
}}<br />
<br />
== L3 IPv4 routing==<br />
<br />
This section describes how to connect client/server LANs to each other using L3 IPv4 routing.<br />
<br />
=== Prerequisites for routing a LAN ===<br />
<br />
For a host to be able to forward IPv4 packets between the LAN and VPN, it must be able to forward the packets between its NIC and its tun/tap device. See [[Internet sharing#Enable packet forwarding]] for configuration details.<br />
<br />
==== Routing tables ====<br />
<br />
{{Accuracy|Investigate if a routing protocol like RIP, QUAGGA, BIRD, etc can be used}}<br />
<br />
By default, all IP packets on a LAN addressed to a different subnet get sent to the default gateway. If the LAN/VPN gateway is also the default gateway, there is no problem and the packets get properly forwarded. If not, the gateway has no way of knowing where to send the packets. There are a couple of solutions to this problem.<br />
<br />
* Add a static route to the default gateway routing the VPN subnet to the LAN/VPN gateway's IP address.<br />
* Add a static route on each host on the LAN that needs to send IP packets back to the VPN.<br />
* Use [[iptables]]' NAT feature on the LAN/VPN gateway to masquerade the incoming VPN IP packets.<br />
<br />
=== Connect the server LAN to a client ===<br />
<br />
The server is on a LAN using the 10.66.0.0/24 subnet. To inform the client about the available subnet, add a push directive to the server configuration file:{{hc|/etc/openvpn/server.conf|push "route 10.66.0.0 255.255.255.0"}}<br />
<br />
{{Note|To route more LANs from the server to the client, add more push directives to the server configuration file, but keep in mind that the server side LANs will need to know how to route to the client.<br />
}}<br />
<br />
=== Connect the client LAN to a server ===<br />
<br />
Prerequisites:<br />
<br />
* Any subnets used on the client side, must be unique and not in use on the server or by any other client. In this example we will use 192.168.4.0/24 for the clients LAN.<br />
* Each client's certificate has a unique Common Name, in this case bugs.<br />
* The server may not use the duplicate-cn directive in its config file.<br />
<br />
Create a client configuration directory on the server. It will be searched for a file named the same as the client's common name, and the directives will be applied to the client when it connects.<br />
<br />
# mkdir -p /etc/openvpn/ccd<br />
<br />
Create a file in the client configuration directory called bugs, containing the {{ic|iroute 192.168.4.0 255.255.255.0}} directive. It tells the server what subnet should be routed to the client:<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
Add the client-config-dir and the {{ic|route 192.168.4.0 255.255.255.0}} directive to the server configuration file. It tells the server what subnet should be routed from the tun device to the server LAN:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{Note|To route more LANs from the client to the server, add more iroute and route directives to the appropriate configuration files, but keep in mind that the client side LANs will need to know how to route to the server.<br />
}}<br />
<br />
=== Connect both the client and server LANs ===<br />
<br />
Combine the two previous sections:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
push "route 10.66.0.0 255.255.255.0"<br />
.<br />
.<br />
client-config-dir ccd<br />
route 192.168.4.0 255.255.255.0<br />
}}<br />
<br />
{{hc|/etc/openvpn/ccd/bugs|iroute 192.168.4.0 255.255.255.0}}<br />
<br />
{{Note|Remember to make sure that all the LANs or the needed hosts can route to all the destinations.}}<br />
<br />
=== Connect clients and client LANs ===<br />
<br />
By default clients will not see each other. To allow IP packets to flow between clients and/or client LANs, add a client-to-client directive to the server configuration file: {{hc|/etc/openvpn/server.conf|client-to-client}}<br />
<br />
In order for another client or client LAN to see a specific client LAN, you will need to add a push directive for each client subnet to the server configuration file (this will make the server announce the available subnet(s) to other clients):<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
client-to-client<br />
push "route 192.168.4.0 255.255.255.0"<br />
push "route 192.168.5.0 255.255.255.0"<br />
.<br />
.<br />
}}<br />
<br />
{{Note|As always, make sure that the routing is properly configured.}}<br />
<br />
== DNS ==<br />
<br />
The DNS servers used by the system are defined in {{ic|/etc/resolv.conf}}. Traditionally, this file is the responsibility of whichever program deals with connecting the system to the network (e.g. Wicd, NetworkManager, etc.). However, OpenVPN will need to modify this file if you want to be able to resolve names on the remote side. To achieve this in a sensible way, install {{pkg|openresolv}}, which makes it possible for more than one program to modify {{ic|resolv.conf}} without stepping on each-other's toes.<br />
<br />
Before continuing, test openresolv by restarting your network connection and ensuring that {{ic|resolv.conf}} states that it was generated by ''resolvconf'', and that your DNS resolution still works as before. You should not need to configure openresolv; it should be automatically detected and used by your network system.<br />
<br />
For Linux, OpenVPN can send DNS host information, but expects an external process to act on it. This can be done with the {{ic|client.up}} and {{ic|client.down}} scripts packaged in {{ic|/usr/share/openvpn/contrib/pull-resolv-conf/}}. See their comments on how to install them to {{ic|/etc/openvpn}}. The following is an excerpt of a resulting client configuration using the scripts in conjunction with ''resolvconf'' and options to [[#Drop root privileges after connecting]]: <br />
{{hc|/etc/openvpn/clienttunnel.conf|<br />
user nobody<br />
group nobody<br />
# Optional, choose a suitable path to chroot into for your system<br />
chroot /srv<br />
script-security 2<br />
up /etc/openvpn/client.up <br />
plugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down tun0"}}<br />
<br />
=== Update resolv-conf script === <br />
<br />
The [https://github.com/masterkorp/openvpn-update-resolv-conf openvpn-update-resolv-conf] script is available as an alternative to packaged scripts. It needs to be saved for example at {{ic|/etc/openvpn/update-resolv-conf}} and made executable with [[chmod]]. There is also an AUR package: {{AUR|openvpn-update-resolv-conf}} which will take care of the script installation for you.<br />
<br />
Once the script is installed add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
up /etc/openvpn/update-resolv-conf<br />
down /etc/openvpn/update-resolv-conf<br />
<br />
Now, when your launch your OpenVPN connection, you should find that your resolv.conf file is updated accordingly, and also returns to normal when your close the connection.<br />
<br />
=== Update systemd-resolved script === <br />
<br />
Since systemd-229, [[systemd-networkd]]'s {{ic|systemd-resolved.service}} has exposed an API through DBus allowing management of DNS configuration on a per-link basis. Tools such as {{pkg|openresolv}} may not work reliably when {{ic|/etc/resolv.conf}} is managed by {{ic|systemd-resolved}}, and will not work at all if you are using {{ic|resolve}} instead of {{ic|dns}} in your {{ic|/etc/nsswitch.conf}} file. The [https://github.com/jonathanio/update-systemd-resolved update-systemd-resolved] script is another alternative and links OpenVPN with {{ic|systemd-resolved}} via DBus to update the DNS records.<br />
<br />
If you copy the script into {{ic|/etc/openvpn}} and mark as executable with [[chmod]], or install it via the AUR package ({{AUR|openvpn-update-systemd-resolved}}), you can add lines like the following into your OpenVPN client configuration file:<br />
<br />
script-security 2<br />
setenv PATH /usr/bin<br />
up /etc/openvpn/update-systemd-resolved<br />
down /etc/openvpn/update-systemd-resolved<br />
<br />
== L2 Ethernet bridging ==<br />
<br />
{{Expansion|Please add a well thought out section on L2 bridging.}}<br />
<br />
For now see: [[OpenVPN Bridge]]<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client daemon not restarting after suspend ===<br />
<br />
If you put your client system to sleep, and on resume openvpn does not restart, resulting in broken connectivity, create the following file:<br />
<br />
{{hc|/usr/lib/systemd/system-sleep/vpn.sh|2=<br />
#!/bin/sh<br />
if [ "$1" == "pre" ]<br />
then<br />
killall openvpn<br />
fi<br />
}}<br />
<br />
Make it executable {{ic|chmod a+x /usr/lib/systemd/system-sleep/vpn.sh}}<br />
<br />
{{hc|/etc/systemd/system/openvpn@.service.d/restart.conf|2=<br />
[Service]<br />
Restart=always<br />
}}<br />
<br />
=== Connection drops out after some time of inactivity ===<br />
<br />
If the VPN-Connection drops some seconds after it stopped transmitting data and, even though it states it is connected, no data can be transmitted through the tunnel, try adding a {{ic|keepalive}}directive to the server's configuration:<br />
<br />
{{hc|/etc/openvpn/server.conf|<br />
.<br />
.<br />
keepalive 10 120<br />
.<br />
.<br />
}}<br />
<br />
In this case the server will send ping-like messages to all of its clients every {{ic|10}} seconds, thus keeping the tunnel up.<br />
If the server does not receive a response within {{ic|120}} seconds from a specific client, it will assume this client is down.<br />
<br />
A small ping-interval can increase the stability of the tunnel, but will also cause slightly higher traffic. Depending on your connection, also try lower intervals than 10 seconds.<br />
<br />
== See Also ==<br />
* [https://openvpn.net/index.php/open-source.html OpenVPN Official Site]<br />
* [[Airvpn]]</div>Smasher816https://wiki.archlinux.org/index.php?title=RTorrent&diff=449702RTorrent2016-09-07T08:19:37Z<p>Smasher816: Note that rtorrent-ps requires a 256 color TERM by default</p>
<hr />
<div>{{DISPLAYTITLE:rTorrent}}<br />
[[Category:Internet applications]]<br />
[[es:RTorrent]]<br />
[[ja:RTorrent]]<br />
[[ru:RTorrent]]<br />
[[zh-CN:RTorrent]]<br />
[https://rakshasa.github.io/rtorrent/ rTorrent] is a quick and efficient BitTorrent client that uses, and is in development alongside, the libTorrent (not to be confused with {{Pkg|libtorrent-rasterbar}}) library. It is written in C++ and uses the [[Wikipedia:ncurses|ncurses]] programming library, which means it uses a text user interface. When combined with a terminal multiplexer (e.g. [[GNU Screen]] or [[Tmux]]) and [[Secure Shell]], it becomes a convenient remote [[Wikipedia:BitTorrent (protocol)#Operation|BitTorrent client]].<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|rtorrent}} package that is available in the [[official repositories]].<br />
<br />
Alternatively, install {{AUR|rtorrent-git}} or {{AUR|rtorrent-vi-color}} or {{AUR|rtorrent-extended}}{{Broken package link|{{aur-mirror|rtorrent-extended}}}} from the [[AUR]].<br />
<br />
== Configuration ==<br />
<br />
{{Note|See the rTorrent wiki article on this subject for more information: [http://web.archive.org/web/20140213003955/http://libtorrent.rakshasa.no/wiki/RTorrentCommonTasks Common Tasks in rTorrent for Dummies].}}<br />
<br />
Before running rTorrent, find the example configuration file {{ic|/usr/share/doc/rtorrent/rtorrent.rc}} and copy it to {{ic|~/.rtorrent.rc}}:<br />
<br />
$ cp /usr/share/doc/rtorrent/rtorrent.rc ~/.rtorrent.rc<br />
<br />
=== Performance ===<br />
<br />
{{Note|See the rTorrent wiki article on this subject for more information: [http://web.archive.org/web/20140213011439/http://libtorrent.rakshasa.no/wiki/RTorrentPerformanceTuning Performance Tuning]}}<br />
<br />
The values for the following options are dependent on the system's hardware and Internet connection speed. To find the optimal values read: [http://torrentfreak.com/optimize-your-BitTorrent-download-speed Optimize Your BitTorrent Download Speed]<br />
{{bc|<nowiki><br />
min_peers = 40<br />
max_peers = 52<br />
<br />
min_peers_seed = 10<br />
max_peers_seed = 52<br />
<br />
max_uploads = 8<br />
<br />
download_rate = 200<br />
upload_rate = 28<br />
</nowiki>}}<br />
<br />
The {{ic|check_hash}} option executes a hash check when a torrent download is complete or rTorrent is started. When starting, it checks for errors in your completed files. <br />
check_hash = yes<br />
<br />
=== Create and manage files ===<br />
<br />
The {{ic|directory}} option will determine where your torrent data will be saved (could be a relative path):<br />
directory = ~/downloaded<br />
<br />
The {{ic|session}} option allows rTorrent to save the progess of your torrents. It is recommended to create a directory in home directory (e.g. {{ic|mkdir ~/.rtorrent.session}}).<br />
session = ~/.rtorrent.session<br />
<br />
The {{ic|schedule}} option has rTorrent watch a particular directory for new torrent files. Saving a torrent file to this directory will automatically start the download. Remember to create the directory that will be watched (e.g. {{ic|mkdir ~/watch}}). Also, be careful when using this option as rTorrent will move the torrent file to your session folder and rename it to its hash value.<br />
schedule = watch_directory,5,5,load_start=/home/''user''/watch/*.torrent<br />
schedule = untied_directory,5,5,stop_untied=<br />
schedule = tied_directory,5,5,start_tied=<br />
<br />
The following {{ic|schedule}} option is intended to stop rTorrent from downloading data when disk space is low.<br />
schedule = low_diskspace,5,60,close_low_diskspace=100M<br />
<br />
=== Port configuration ===<br />
<br />
The {{ic|port_range}} option sets which port(s) to use for listening. It is recommended to use a port that is higher than 49152 (see: [[Wikipedia:List of TCP and UDP port numbers|List of port numbers]]). Although, rTorrent allows a range of ports, a single port is recommended.<br />
port_range = 49164-49164<br />
<br />
Additionally, make sure port forwarding is enabled for the proper port(s) (see: [http://portforward.com/english/routers/port_forwarding/routerindex.htm Port Forward guides]).<br />
<br />
=== Additional settings ===<br />
<br />
The {{ic|encryption}} option enables or disables encryption. It is very important to enable this option, not only for yourself, but also for your peers in the torrent swarm. Some users need to obscure their bandwidth usage from their ISP. And it does not hurt to enable it even if you do not need the added security.<br />
encryption = allow_incoming,try_outgoing,enable_retry<br />
It is also possible to force all connections to use encryption. However, be aware that this stricter rule will reduce your client's availability:<br />
encryption = require,require_RC4,allow_incoming,try_outgoing<br />
<br />
See also [[Wikipedia:BitTorrent Protocol Encryption]].<br />
<br />
This final {{ic|dht}} option enables [[Wikipedia:Distributed hash table|DHT]] support. DHT is common among public trackers and will allow the client to acquire more peers.<br />
{{bc|<nowiki><br />
dht = auto<br />
dht_port = 6881<br />
peer_exchange = yes<br />
</nowiki>}}<br />
<br />
== Key bindings ==<br />
<br />
rTorrent relies exclusively on keyboard shortcuts for user input. A quick reference is available in the table below. A complete guide is available on the rTorrent wiki (see: [https://github.com/rakshasa/rtorrent/wiki/User-Guide rTorrent User Guide]).<br />
<br />
{{Note|Striking {{ic|Ctrl-q}} twice in quick succession will make rTorrent shutdown without waiting to send a stop announce to the connected trackers.}}<br />
<br />
{| class="wikitable"<br />
|-<br />
!width="75" |Cmd<br />
!Action<br />
|-<br />
|Ctrl-q<br />
|Quit application<br />
|-<br />
|Ctrl-s<br />
|Start download. Runs hash first unless already done.<br />
|-<br />
|Ctrl-d<br />
|Stop an active download or remove a stopped download<br />
|-<br />
|Ctrl-k<br />
|Stop and close the files of an active download.<br />
|-<br />
|Ctrl-r<br />
|Initiate hash check of torrent. Starts downloading if file is not available.<br />
|-<br />
|Ctrl-o<br />
|Specify the download directory for a added, but not started torrent.<br />
|-<br />
|Left<br />
|Returns to the previous screen<br />
|-<br />
|Right<br />
|Goes to the next screen<br />
|-<br />
|Backspace<br />
|Adds and starts the specified *.torrent<br />
|-<br />
|Return<br />
|Adds and doesn't start the specified *.torrent<br />
|-<br />
|<nowiki>a|s|d</nowiki><br />
|<nowiki>Increase global upload throttle about 1|5|50 KB/s</nowiki><br />
|-<br />
|<nowiki>A|S|D</nowiki><br />
|<nowiki>Increase global download throttle about 1|5|50 KB/s</nowiki><br />
|-<br />
|<nowiki>z|x|c</nowiki><br />
|<nowiki>Decrease global upload throttle about 1|5|50 KB/s</nowiki><br />
|-<br />
|<nowiki>Z|X|C</nowiki><br />
|<nowiki>Decrease global download throttle about 1|5|50 KB/s</nowiki><br />
|}<br />
<br />
=== Redundant mapping ===<br />
<br />
{{ic|Ctrl-s}} is often used for terminal control to stop screen output while {{ic|Ctrl-q}} is used to start it. These mappings may interfere with rTorrent. Check to see if these terminal options are bound to a mapping:<br />
{{hc|$ stty -a|<nowiki>...<br />
swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V;<br />
...<br />
</nowiki>}}<br />
<br />
To remove the mappings, change the terminal characteristics to undefine the aforementioned special characters (i.e. {{ic|stop}} and {{ic|start}}):<br />
# stty stop undef<br />
# stty start undef<br />
<br />
To remove these mappings automatically at startup you may add the two preceding commands to your {{ic|~/.bashrc}} file.<br />
<br />
== Additional tips ==<br />
<br />
=== systemd service file with tmux or screen ===<br />
<br />
*With tmux (Restart rtorrent if crashed)<br />
{{hc|/etc/systemd/user/rt.service|<nowiki><br />
[Unit]<br />
Description=rTorrent<br />
After=network.target<br />
<br />
[Service]<br />
Type=forking<br />
KillMode=none<br />
ExecStart=/usr/bin/tmux new-session -s rt -n rtorrent -d rtorrent<br />
ExecStop=/usr/bin/bash -c "/usr/bin/tmux send-keys -t rt:rtorrent.0 C-q && while pidof rtorrent > /dev/null; do sleep 0.5; echo rtorrent still running...; done"<br />
WorkingDirectory=%h<br />
Restart=on-failure<br />
<br />
[Install]<br />
WantedBy=default.target<br />
</nowiki>}}<br />
<br />
*With tmux running as user rtorrent (Restart rtorrent if crashed)<br />
{{hc|/etc/systemd/system/rtorrent.service|<nowiki><br />
[Unit]<br />
Description=rTorrent Daemon<br />
After=network.target<br />
<br />
[Service]<br />
Type=forking<br />
KillMode=none<br />
User=rtorrent<br />
ExecStart=/usr/bin/tmux new-session -c /mnt/storage/rtorrent -s rtorrent -n rtorrent -d rtorrent<br />
ExecStop=/usr/bin/bash -c "/usr/bin/tmux send-keys -t rtorrent C-q && while pidof rtorrent > /dev/null; do sleep 0.5; done"<br />
WorkingDirectory=/home/rtorrent/<br />
Restart=on-failure<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
*With screen<br />
<br />
{{hc|/etc/systemd/user/rt.service|<nowiki><br />
[Unit]<br />
Description=rTorrent<br />
After=network.target<br />
<br />
[Service]<br />
Type=forking<br />
KillMode=none<br />
ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent<br />
ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent<br />
WorkingDirectory=%h<br />
<br />
[Install]<br />
WantedBy=default.target<br />
</nowiki>}}<br />
<br />
Start at boot time:<br />
$ systemctl --user enable rt<br />
Start manually:<br />
$ systemctl --user start rt<br />
Stop:<br />
$ systemctl --user stop rt<br />
Attach to rtorrent's session:<br />
tmux attach -t rt<br />
Or if you use screen:<br />
screen -D -r rtorrent<br />
<br />
Detach:<br />
Ctrl-b d<br />
<br />
=== systemd service file with dtach ===<br />
<br />
{{Style|Creating multiple rtorrent sessions this way is far from perfect, why don't we just assume for simplicity that there is only one session? This is assumed in [[#systemd service file with tmux or screen]] anyway.}}<br />
<br />
When running dtach from systemd unit, the {{ic|TERM}} environment variable [[systemd/User#Environment_variables|has to be set explicitly]] for rtorrent to work.<br />
<br />
This service file has no restart because the author occasionally takes the drive in question offline, and rtorrent fails, shall we say, "suboptimally" when started in this scenario and loses many torrent specific settings such as the specific directories each torrent is stored in. In fact the symlinks that kick off rtorrent live on the relevant drive; if it is unmounted rtorrent cannot start. This use case of blocking rtorrent from starting is relevant to users who put the downloaded files on removable media such as NAS, USB or eSATA drives.<br />
<br />
{{hc|~/.config/systemd/user/rtorrent.service|<nowiki><br />
[Unit]<br />
Description=rTorrent<br />
#After=network.target<br />
<br />
[Service]<br />
# set TERM according to your terminal<br />
Environment="TERM=xterm"<br />
#Environment="TERM=linux" <br />
Type=forking<br />
KillMode=none<br />
ExecStart=-/usr/bin/dtach -n /home/sam/run/dtach_fifos/fifo -e "^T" /home/sam/bin/rtr_new -n -o import=/home/sam/.config/rtorrent/new_.rc <br />
# dtach -n <separate filename for each instance><br />
# <br />
# rtr_new -n to ignore the default .rtorrent.rc<br />
# rtr_new -o import to load the instance-specific rc<br />
ExecStop=-/usr/bin/killall -u sam -e -w -s INT /home/sam/bin/rtr_new<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
Note some other issues exposed in this service file other than just dtach:<br />
<br />
{{ic|/home/sam/bin/rtr_new}} is a symlink to {{ic|/usr/bin/rtorrent}}<br />
<br />
This lets us run several instances and kill each one independently with a different version of the ExecStop, to wit:<br />
<br />
{{bc|1=ExecStop=-/usr/bin/killall -u sam -e -w -s INT /home/sam/bin/rtr_new<br />
ExecStop=-/usr/bin/killall -u sam -e -w -s INT /home/sam/bin/rtr_academic<br />
ExecStop=-/usr/bin/killall -u sam -e -w -s INT /home/sam/bin/rtr_other_stuff}}<br />
<br />
These are each in a different service file, each of which controls one instance.<br />
<br />
Without this step, when running multiple instances a killall solution would kill all the running rtorrent instances. <br />
<br />
If multiple rtorrent instances are not needed and the rtorrent rc file is in the default location the above service file may be simplified. The entire file is included but only the ExecStart and <br />
ExecStop lines change. <br />
<br />
{{hc|~/.config/systemd/user/rtorrent.service|<nowiki><br />
[Unit]<br />
Description=rTorrent<br />
#After=network.target<br />
<br />
[Service]<br />
# set TERM according to your terminal<br />
Environment="TERM=xterm"<br />
#Environment="TERM=linux" <br />
Type=forking<br />
KillMode=none<br />
ExecStart=-/usr/bin/dtach -n /home/sam/run/dtach_fifos/fifo -e "^T" /usr/bin/rtorrent <br />
# dtach -n <user specified FIFO name> -e <user specified character> /usr/bin/rtorrent <br />
ExecStop=/usr/bin/killall -w -s INT /usr/bin/rtorrent<br />
# -e (exact match) and -u (user name) were added above to stop specific processes<br />
# and may be omitted here because only one rtorrent will be running<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
</nowiki>}}<br />
<br />
The service can be controlled with [[systemctl --user]]. When it is started, you can attach to the session:<br />
<br />
$ dtach -a /home/sam/run/dtach_fifos/fifo -e "^T"<br />
<br />
=== Pre-allocation ===<br />
<br />
The rTorrent package in the community repository lacks pre-allocation. Compiling rTorrent with pre-allocation allows files to be allocated before downloading the torrent. The major benefit is that it limits and avoids fragmentation of the filesystem. However, this introduces a delay during the pre-allocation if the filesystem does not support the fallocate syscall natively.<br />
<br />
Therefore this switch is recommended for xfs, ext4 and btrfs filesystems, which have native fallocate syscall support. They will see no delay during preallocation and no fragmented filesystem. Pre-allocation on others filesystems will cause a delay but will not fragment the files.<br />
<br />
To make pre-allocation available, recompile libTorrent from the [[ABS]] tree with the following new switch:<br />
$ ./configure --prefix=/usr --disable-debug --with-posix-fallocate<br />
<br />
To enable it, add the following to your {{ic|~/rtorrent.rc}}:<br />
{{hc|~/rtorrent.rc|<nowiki><br />
# Preallocate files; reduces defragmentation on filesystems.<br />
system.file_allocate.set = yes<br />
</nowiki>}}<br />
<br />
=== Manage completed files ===<br />
<br />
{{Note|<br />
*Currently, this part requires either the git version of rtorrent/libtorrent or having applied the patch to 0.8.6 that adds 'equal'.<br />
* If you are having trouble with this tip, it is probably easier to follow [http://web.archive.org/web/20140213003955/http://libtorrent.rakshasa.no/wiki/RTorrentCommonTasks#Movecompletedtorrentstodifferentdirectorydependingonwatchdirectory this].<br />
}}<br />
<br />
It is possible to have rtorrent sort completed torrent data to specific folders based on which 'watch' folder you drop the *.torrent into while continuing to seed. Many examples show how to do this with torrents downloaded by rtorrent. The problem is when you try to drop in 100% done torrent data and then have rtorrent check the data and resume, it will not be sorted.<br />
<br />
As a solution, use the following example in your {{ic|~/.rtorrent.rc}}.<br />
Make sure to change the paths.<br />
<br />
{{bc|1=<br />
# location where new torrent data is placed, and where you should place your<br />
# 'complete' data before you place your *.torrent file into the watch folder<br />
directory = /home/user/torrents/incomplete<br />
<br />
# schedule a timer event named 'watch_directory_1':<br />
# 1) triggers 10 seconds after rtorrent starts<br />
# 2) triggers at 10 second intervals thereafter<br />
# 3) Upon trigger, attempt to load (and start) new *.torrent files found in /home/user/torrents/watch/<br />
# 4) set a variable named 'custom1' with the value "/home/user/torrents/complete"<br />
# NOTE: if you do not want it to automatically start the torrent, change 'load_start' to 'load'<br />
schedule = watch_directory_1,10,10,"load_start=/home/user/torrents/watch/*.torrent,d.set_custom1=/home/user/torrents/complete"<br />
<br />
# insert a method with the alias 'checkdirs1'<br />
# 1) returns true if the current path of the torrent data is not equal to the value of custom1<br />
# 2) otherwise, returns false<br />
system.method.insert=checkdirs1,simple,"not=\"$equal={d.get_custom1=,d.get_base_path=}\""<br />
<br />
# insert a method with the alias 'movecheck1'<br />
# 1) returns true if all 3 commands return true ('result of checkdirs1' && 'torrent is 100% done', 'custom1 variable is set')<br />
# 2) otherwise, returns false<br />
system.method.insert=movecheck1,simple,"and={checkdirs1=,d.get_complete=,d.get_custom1=}"<br />
<br />
# insert a method with the alias 'movedir1'<br />
# (a series of commands, separated by ';') <br />
# 1) "set path of torrent to equal the value of custom1";<br />
# 2) "mv -u <current data path> <custom1 path>";<br />
# 3) "clear custom1", "stop the torrent","resume the torrent"<br />
# 4) stop the torrent<br />
# 5) start the torrent (to get the torrent to update the 'base path')<br />
system.method.insert=movedir1,simple,"d.set_directory=$d.get_custom1=;execute=mv,-u,$d.get_base_path=,$d.get_custom1=;d.set_custom1=;d.stop=;d.start="<br />
<br />
# set a key with the name 'move_hashed1' that is triggered by the hash_done event.<br />
# 1) When hashing of a torrent completes, this custom key will be triggered.<br />
# 2) when triggered, execute the 'movecheck1' method and check the return value.<br />
# 3) if the 'movecheck' method returns 'true', execute the 'movedir1' method we inserted above.<br />
# NOTE-0: *Only* data that has had their hash checked manually with ^R [^R = Control r].<br />
# Or on a rtorrent restart[which initiates a hash check]. Will the data move; ~/torrents/incomplete => ~/torrents/complete for example.<br />
# NOTE-1: 'branch' is an 'if' conditional statement: if(movecheck1){movedir1}<br />
system.method.set_key=event.download.hash_done,move_hashed1,"branch={$movecheck1=,movedir1=}"<br />
}}<br />
<br />
You can add additional watch folders and rules should you like to sort your torrents into special folders.<br />
<br />
For example, if you would like the torrents to download in:<br />
/home/user/torrents/incomplete<br />
and then sort the torrent data based on which folder you dropped the *.torrent into:<br />
/home/user/torrents/watch => /home/user/torrents/complete<br />
/home/user/torrents/watch/iso => /home/user/torrents/complete/iso<br />
/home/user/torrents/watch/music => /home/user/torrents/complete/music<br />
<br />
You can have the following in your .rtorrent.rc:<br />
{{bc|1=<br />
directory = /home/user/torrents/incomplete<br />
schedule = watch_directory_1,10,10,"load_start=/home/user/torrents/watch/*.torrent,d.set_custom1=/home/user/torrents/complete"<br />
<br />
schedule = watch_directory_2,10,10,"load_start=/home/user/torrents/watch/iso/*.torrent,d.set_custom1=/home/user/torrents/complete/iso"<br />
<br />
schedule = watch_directory_3,10,10,"load_start=/home/user/torrents/watch/music/*.torrent,d.set_custom1=/home/user/torrents/complete/music"<br />
<br />
system.method.insert=checkdirs1,simple,"not=\"$equal={d.get_custom1=,d.get_base_path=}\""<br />
system.method.insert=movecheck1,simple,"and={checkdirs1=,d.get_complete=,d.get_custom1=}"<br />
system.method.insert=movedir1,simple,"d.set_directory=$d.get_custom1=;execute=mv,-u,$d.get_base_path=,$d.get_custom1=;d.set_custom1=;d.stop=;d.start="<br />
system.method.set_key=event.download.hash_done,move_hashed1,"branch={$movecheck1=,movedir1=}"<br />
}}<br />
<br />
Also see [http://code.google.com/p/pyroscope/ pyroscope] especially the rtcontrol examples. There is an AUR package.<br />
<br />
==== Notification with Google Mail ====<br />
<br />
Cell phone providers allow you to "email" your phone:<br />
{{bc|<nowiki><br />
Verizon: 10digitphonenumber@vtext.com<br />
AT&T: 10digitphonenumber@txt.att.net<br />
Former AT&T customers: 10digitphonenumber@mmode.com<br />
Sprint: 10digitphonenumber@messaging.sprintpcs.com<br />
T-Mobile: 10digitphonenumber@tmomail.net<br />
Nextel: 10digitphonenumber@messaging.nextel.com<br />
Cingular: 10digitphonenumber@cingularme.com<br />
Virgin Mobile: 10digitphonenumber@vmobl.com<br />
Alltel: 10digitphonenumber@alltelmessage.com OR<br />
10digitphonenumber@message.alltel.com<br />
CellularOne: 10digitphonenumber@mobile.celloneusa.com<br />
Omnipoint: 10digitphonenumber@omnipointpcs.com<br />
Qwest: 10digitphonenumber@qwestmp.com<br />
Telus: 10digitphonenumber@msg.telus.com<br />
Rogers Wireless: 10digitphonenumber@pcs.rogers.com<br />
Fido: 10digitphonenumber@fido.ca<br />
Bell Mobility: 10digitphonenumber@txt.bell.ca<br />
Koodo Mobile: 10digitphonenumber@msg.koodomobile.com<br />
MTS: 10digitphonenumber@text.mtsmobility.com<br />
President's Choice: 10digitphonenumber@txt.bell.ca<br />
Sasktel: 10digitphonenumber@sms.sasktel.com<br />
Solo: 10digitphonenumber@txt.bell.ca<br />
</nowiki>}}<br />
<br />
*Install mailx which is provided by the {{Pkg|s-nail}} package that is found in the [[official repositories]].<br />
<br />
*Clear the {{ic|/etc/mail.rc}} file and enter:<br />
<br />
{{bc|<nowiki><br />
set sendmail="/usr/bin/mailx"<br />
set smtp=smtp.gmail.com:587<br />
set smtp-use-starttls<br />
set ssl-verify=ignore<br />
set ssl-auth=login<br />
set smtp-auth-user=USERNAME@gmail.com<br />
set smtp-auth-password=PASSWORD<br />
</nowiki>}}<br />
<br />
Now to send the text, we must pipe a message to the mailx program.<br />
*Make a Bash script:<br />
{{hc|/path/to/mail.sh|<nowiki><br />
echo "$@: Done" | mailx 5551234567@vtext.com<br />
</nowiki>}}<br />
Where the $@ is a variable holding all the arguments passed to our script.<br />
<br />
*And finally, add the important {{ic|~/.rtorrent.rc}} line:<br />
system.method.set_key = event.download.finished,notify_me,"execute=/path/to/mail.sh,$d.get_name="<br />
<br />
Breaking it down:<br />
<br />
{{ic|notify_me}} is the command id, which may be used by other commands, it can be just about anything you like, so long as it is unique.<br />
<br />
{{ic|1=execute=}} is the rtorrent command, in this case to execute a shell command.<br />
<br />
{{ic|/path/to/mail.sh}} is the name of our script (or whatever command you want to execute) followed by a comma separated list of all the switches/arguments to be passed.<br />
<br />
{{ic|1=$d.get_name=}} 'd' is an alias to whatever download triggered the command, get_name is a function which returns the name of our download, and the '$' tells rTorrent to replace the command with its output before it calls execute.<br />
<br />
The end result? When that torrent, 'All Live Nudibranches', that we started before leaving for work finishes, we will be texted:<br />
All Live Nudibranches: Done<br />
<br />
=== UI Tricks ===<br />
<br />
rTorrent does not list the active tab properly by default, add this line to your {{ic|.rtorrent.rc}} to show only active torrents<br />
schedule = filter_active,30,30,"view_filter = active,\"or={d.get_up_rate=,d.get_down_rate=}\""<br />
<br />
Then press {{ic|9}} in your rTorrent client to see the changes in action.<br />
<br />
To sort the seeding view by the upload rate and only show torrents with peers:<br />
<br />
# Sort the seeding view by the upload rate and only show torrents with peers<br />
view.sort_current = seeding,greater=d.get_up_rate=<br />
view.filter = seeding,"and=d.get_complete=,d.get_peers_connected="<br />
view.sort_new = seeding,less=d.get_up_rate=<br />
view.sort = seeding<br />
<br />
To sort the complete view by the upload rate:<br />
<br />
# Sort the complete view by the upload rate<br />
view.sort_current = complete,greater=d.get_up_rate=<br />
view.filter = seeding,"and=d.get_complete="<br />
view.sort_new = seeding,less=d.get_up_rate=<br />
view.sort = seeding<br />
<br />
=== Manually adding trackers to torrents ===<br />
<br />
# Select torrent to edit from rTorrent console view.<br />
# Hit {{ic|Ctrl+x}}.<br />
# If you had four trackers type following lines one at a time (always press {{ic|Ctrl+x}} first) to add four more for example:<br />
<br />
d.tracker.insert="5","udp://tracker.publicbt.com:80"<br />
d.tracker.insert="6","udp://tracker.openbittorrent.com:80"<br />
d.tracker.insert="7","udp://tracker.istole.it:80"<br />
d.tracker.insert="8","udp://tracker.ccc.de:80"<br />
<br />
== Troubleshooting ==<br />
<br />
=== CA certificates ===<br />
<br />
To use rTorrent with a tracker that uses HTTPS, do the following as root:<br />
<br />
{{bc|<br />
# cd /etc/ssl/certs<br />
<nowiki># wget --no-check-certificate https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.cer</nowiki><br />
# mv Equifax_Secure_Global_eBusiness_CA-1.cer Equifax_Secure_Global_eBusiness_CA-1.pem<br />
# c_rehash<br />
}}<br />
<br />
And from now on run rTorrent with:<br />
$ rtorrent -o http_capath=/etc/ssl/certs<br />
<br />
If you use GNU Screen, update the {{ic|.screenrc}} configuration file to reflect this change:<br />
$ screen -t rtorrent rtorrent -o http_capath=/etc/ssl/certs<br />
<br />
In rTorrent 0.8.9, set {{ic|<nowiki>network.http.ssl_verify_peer.set=0</nowiki>}} to [https://bbs.archlinux.org/viewtopic.php?pid=981832#p981832 fix the problem].<br />
<br />
For more information see: [https://bbs.archlinux.org/viewtopic.php?pid=331850 rTorrent Error & CA Certificate] and [https://bbs.archlinux.org/viewtopic.php?id=45800 rTorrent Certificates Problem]<br />
<br />
=== Locked directories ===<br />
<br />
rTorrent can sometimes lock up after a crash or incorrect shutdown, and will complain about a lock file.<br />
<br />
Per the error message, the file called "'''rtorrent.lock'''" can be found within the hidden folder {{ic|.rtorrentsession}} for your download directory and manually removed.<br />
<br />
=== Event failed: bad return code ===<br />
<br />
This is caused by there being spaces in your system.method.* lines. Remove the spaces and it will work.<br />
<br />
== Web interface ==<br />
<br />
There are numerous web interfaces and front ends for rTorrent including:<br />
* [[WTorrent]] is a web interface to rtorrent programmed in php using Smarty templates and XMLRPC for PHP library.<br />
* [http://code.google.com/p/ntorrent/ nTorrent] is a graphical user interface client to rtorrent written in Java.<br />
* [https://rtwi.jmk.hu/ rTWi] is a simple rTorrent web interface written in PHP.<br />
* [[Rtgui]] is a web based front end for rTorrent written in PHP and uses XML-RPC to communicate with the rTorrent client.<br />
* [https://github.com/Novik/ruTorrent rutorrent] and [http://forums.rutorrent.org/ Forum] - A web-based front-end with an interface very similar to uTorrent which supports many plugins and advanced features (see also: [[ruTorrent]] and [https://bbs.archlinux.org/viewtopic.php?pid=897577#p897577 Guide on forum]).<br />
<br />
{{Note|rTorrent is currently built using [http://xmlrpc-c.sourceforge.net/ XML-RPC for C/C++], which is required for some web interfaces (e.g. ruTorrent).}}<br />
<br />
=== XMLRPC interface ===<br />
<br />
If you want to use rtorrent with some web interfaces (e.g. rutorrent) you need to add the following line to the configuration file:<br />
scgi_port = localhost:5000<br />
<br />
For more information see: [https://github.com/rakshasa/rtorrent/wiki/RPC-Setup-XMLRPC Using XMLRPC with rtorrent]<br />
<br />
=== Saving magnet links as torrent files in watch folder ===<br />
<br />
{{Note| Rtorrent natively supports downloading torrents through magnet links. At the main view (reached by starting Rtorrent and pressing 1), press enter. At "load.normal>" paste the magnet link and press enter again. This will start the download.}}<br />
<br />
If you wish to have magnet links automatically added to your watch folder, here is a script that will do the trick:<br />
<br />
<nowiki><br />
#!/bin/bash<br />
watch_folder=~/.rtorrent/watch<br />
cd $watch_folder<br />
[[ "$1" =~ xt=urn:btih:([^&/]+) ]] || exit;<br />
echo "d10:magnet-uri${#1}:${1}e" > "meta-${BASH_REMATCH[1]}.torrent"</nowiki><br />
<br />
(adapted from http://blog.gonzih.org/blog/2012/02/17/how-to-use-magnet-links-with-rtorrent/).<br />
<br />
Save it, for instance as rtorrent-magnet, give it execution permission, and place it somewhere under your $PATH. Then in Firefox:<br />
# Type {{ic|about:config}} into the Location Bar (address bar) and press {{ic|Enter}}.<br />
# Right-click: ''New > Boolean > Name: '''network.protocol-handler.expose.magnet''' > Value > false''.<br />
# Next time you click a magnet link you will be asked which application to open it with. Select the script we just created and you will be done.<br />
<br />
If you want xdg-open to handle this, which you need if you are using chrome instead of firefox, (though gnome and other DE might have their own programs overriding xdg-open) you need to create the desktop entry for the rtorrent-magnet script in {{ic|~/.local/share/applications/rtorrent-magnet.desktop}} with the following content:<br />
<br />
<nowiki><br />
[Desktop Entry]<br />
Type=Application<br />
Name=rtorrent-magnet<br />
Exec=rtorrent-magnet %U<br />
MimeType=x-scheme-handler/magnet;<br />
NoDisplay=true</nowiki><br />
<br />
Then all you need to do is to register the mimetype using<br />
$ xdg-mime default rtorrent-magnet.desktop x-scheme-handler/magnet<br />
<br />
== Magnet to Torrent ==<br />
You could also use the {{AUR|magnet2torrent-git}} package which downloads the metadata and creates a torrent file.<br />
<br />
How to use:<br />
$ magnet2torrent <magnet link> [torrent file]<br />
<br />
==== In order to use this with an ARM device ====<br />
You should have package versions<br />
python-libtorrent-rasterbar 1.0.8-1<br />
libtorrent-rasterbar 1:1.0.9-1<br />
Then you can compile magnet2torrent-git package.<br />
<br />
== rtorrent-pyro ==<br />
<br />
{{AUR|rtorrent-pyro-git}} from the [[AUR]] comes with an extended rtorrent console interface. It does not contain the pyroscope tools yet though. If you also need the pyroscope tools see [[#PyroScope]] .<br />
<br />
Make sure you add following command to ~/.rtorrent.rc, which makes the asterisk key * to a shortcut for toggling between extended and collapsed view within rtorrent's interface:<br />
{{bc|<nowiki>schedule = bind_collapse,0,0,"ui.bind_key=download_list,*,view.collapsed.toggle="</nowiki>}}<br />
<br />
Also set "pyro.extended" to 1 to activate rTorrent-PS features.<br />
{{bc|<nowiki>system.method.insert = pyro.extended, value|const, 1</nowiki>}}<br />
<br />
{{Note|You may notice that some systemd service scripts for rtorrent do not work with rtorrent-ps installed. If you are using tmux or screen this may because it is exiting with the error, "your terminal only supports 8 colors". To fix this make sure your tmux/screen config sets the TERM variable to a 256 color variant, or change your rtorrent theme to an 8 color one such as https://github.com/pyroscope/rtorrent-ps/blob/master/docs/examples/color_scheme8.rc.}}<br />
<br />
=== PyroScope ===<br />
<br />
We create a directory for the installation of pyroscope, then download and update the source code from subversion:<br />
{{bc|<nowiki>mkdir -p ~/.lib<br />
git clone "https://github.com/pyroscope/pyrocore.git" ~/.lib/pyroscope<br />
~/.lib/pyroscope/update-to-head.sh</nowiki>}}<br />
Adding pyroscope bin's PATH to .bashrc:<br />
{{bc|<nowiki>export PATH=$PATH:path_to_the_bin # Example path for pyroscope bin's: /home/user/.lib/pyroscope/bin/</nowiki>}}<br />
Creating the ~/.pyroscope/config.ini:<br />
{{bc|<nowiki>pyroadmin --create-config</nowiki>}}<br />
<br />
Add this to your ~/.rtorrent.rc. Do not forget to add the path of your pyroscope bin's dir (see below).<br />
{{bc|<nowiki>system.method.insert = pyro.bin_dir, string|const, write_here_path_to_your_pyroscope_bin_dir # Example path: /home/user/.lib/pyroscope/bin/<br />
system.method.insert = pyro.rc_dialect, string|const|simple, "execute_capture=bash,-c,\"test $1 = 0.8.6 && echo -n 0.8.6 || echo -n 0.8.9\",dialect,$system.client_version="<br />
system.method.insert = pyro.rtorrent_rc, string|const|private, "$cat=~/.pyroscope/rtorrent-,\"$pyro.rc_dialect=\",.rc.default"<br />
import = $pyro.rtorrent_rc=</nowiki>}}<br />
<br />
Optionally: TORQUE: Daemon watchdog schedule. Must be activated by touching the "~/.pyroscope/run/pyrotorque" file!<br />
You can also just use rtorrent watch dir or give pyro_watchdog a try, which comes with 'treewatch' ability, meaning it also watches for torrents recursively within the given watch path. Further documentation for pyro_watchdog is here: <br />
[http://code.google.com/p/pyroscope/wiki/QueueManager] <br />
To enable pyro_watchdog, add this in ~/.rtorrent.rc and further configurations are in ~/.pyroscope/torque.ini. <br />
{{bc|<nowiki>schedule = pyro_watchdog,30,300,"pyro.watchdog=~/.pyroscope,-v"</nowiki>}}<br />
<br />
Following steps are important. Before using pyroscope tools you have to set the missing "loaded" times to that of the .torrent file. Run this in your terminal:<br />
{{bc|<nowiki>rtcontrol '!*"*' loaded=0 -q -sname -o 'echo "$(name)s"\ntest -f "$(metafile)s" && rtxmlrpc -q d.set_custom $(hash)s tm_loaded \$(\<br />
ls -l --time-style "+%%s" "$(metafile)s" \<br />
| cut -f6 -d" ")\nrtxmlrpc -q d.save_session $(hash)s' | bash</nowiki>}}<br />
<br />
And now set the missing "completed" times to that of the data file or directory:<br />
{{bc|<nowiki>rtcontrol '!*"*' completed=0 done=100 path=\! is_ghost=no -q -sname -o 'echo "$(name)s"\ntest -e "$(realpath)s" && rtxmlrpc -q d.set_custom $(hash)s tm_completed \$(\<br />
ls -ld --time-style "+%%s" "$(realpath)s" \<br />
| cut -f6 -d" ")\nrtxmlrpc -q d.save_session $(hash)s' | bash</nowiki>}}<br />
<br />
Example usage:<br />
Will print out all torrents older than 2 hours:<br />
{{bc|<nowiki>rtcontrol -V completed=+2h -scompleted -ocompleted</nowiki>}}<br />
Deletes all torrents older than 48 hours:<br />
{{bc|<nowiki>rtcontrol -V completed=+48h -scompleted -ocompleted --cull --yes</nowiki>}}<br />
<br />
== See also ==<br />
<br />
* [http://linux.die.net/man/1/rtorrent Manpage for rtorrent]<br />
* [[Screen Tips]]<br />
* [[Wikipedia:Comparison of BitTorrent clients|Comparison of BitTorrent clients]] on Wikipedia<br />
* [http://community.rutorrent.org/ rTorrent Community Wiki] - Public place for information on rTorrent and any project related to rTorrent, regarding setup, configuration, operations, and development.<br />
* [http://code.google.com/p/pyroscope/ PyroScope] - Collection of command line tools for rTorrent. It provides commands for creating and modifying torrent files, moving data on completion without having multiple watch folders, and mass-controlling download items via rTorrent's XML-RPC interface: searching, start/stop, deleting items with or without their data, etc. It also offers a documented [[Python]] API.<br />
* [[Rutorrent with lighttpd|ruTorrent with Lighttpd]]<br />
* [http://wiki.theaveragegeek.com/howto/installing_rtorrent_and_hellanzb_on_centos5_64-bit_vps How-to install rTorrent and Hellanzb on CentOS 5 64-bit VPS]<br />
* [http://code.google.com/p/pyroscope/wiki/DebianInstallFromSource Installation guide for rTorrent and Pyroscope on Debian] - Collection of tools for the BitTorrent protocol and especially the rTorrent client<br />
* [http://mktorrent.sourceforge.net/ mktorrent] - Command line application used to generate torrent files, which is available as {{Pkg|mktorrent}} in the [[official repositories]].<br />
* [https://github.com/kfei/docktorrent docktorrent] - Using Docker, rTorrent and ruTorrent to run a full-featured BitTorrent box.<br />
* [https://github.com/nelhage/reptyr reptyr] - another tool to take over a program's TTY (it is in the standard repos). The process may have started being attached to a terminal or to a socket in tmux, screen or dtach.<br />
* [http://caca.zoy.org/wiki/neercs neercs] - a more screen/tmux like tool than reptyr, but, like reptyr, neercs can also "steal" a process that may have started slaved to a terminal or to a socket in tmux, screen or dtach. {{AUR|neercs-git}}{{Broken package link|{{aur-mirror|neercs-git}}}}<br />
<br />
'''Forum threads'''<br />
* 2009-03-11 - Arch Linux - [https://bbs.archlinux.org/viewtopic.php?id=67304 HOWTO: rTorrent stats in Conky]</div>Smasher816https://wiki.archlinux.org/index.php?title=Certbot&diff=449277Certbot2016-09-04T00:03:03Z<p>Smasher816: Let's acme work even if dotfiles are denied. See https://github.com/letsencrypt/acme-spec/issues/221</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Encryption]]<br />
[[ja:Let’s Encrypt]]<br />
[https://letsencrypt.org/ Let’s Encrypt] is a free, automated, and open certificate authority utilizing the [[Wikipedia:Automated Certificate Management Environment|ACME]] protocol.<br />
<br />
The official client is called '''Certbot''', which allows to request valid X.509 certificates straight from the command line.<br />
A minimal client with manual CSR creation is available at {{AUR|acme-tiny}}. More integrated clients suitable for scripts are e.g. {{AUR|simp_le-git}} and {{AUR|letsencrypt-cli}}.<br />
<br />
{{Note|The official client, which was previously called ''the Let’s Encrypt client'', is now called ''Certbot''.}}<br />
<br />
== Certbot ==<br />
<br />
''Certbot'', previously called ''the Let’s Encrypt client'', is the official reference client. It is written in Python and provides a command-line tool to obtain certificates.<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{Pkg|certbot}} package.<br />
<br />
Plugins are available for automated configuration and installation of the issued certificates in web servers:<br />
* The experimental plugin for [[Nginx]] is provided with the {{Pkg|certbot-nginx}} package.<br />
* Although a package {{Pkg|certbot-apache}} exists, automated installation using the [[Apache HTTP Server]] is currently only supported on Debian and derivatives.<br />
<br />
=== Configuration ===<br />
<br />
Please consult the [https://certbot.eff.org/docs/ Certbot documentation] on how to create and install certificates.<br />
<br />
==== Manual ====<br />
<br />
{{Note|With this method, you must temporarily stop your web server. You can also run the verification through your already running web server with the [[#Webroot]] method.}}<br />
<br />
If there is no plugin for your web server, use the following command:<br />
# certbot certonly --manual<br />
<br />
This will automatically verify your domain and create a private key and certificate pair. These are placed in {{ic|/etc/letsencrypt/live/''your.domain''/}}.<br />
<br />
You can then manually configure your web server to use the key and certificate in that directory.<br />
<br />
==== Webroot ====<br />
<br />
The webroot method lets the client place a challenge response at {{ic|yourdomain.tld/.well-known/acme-challenge/}}.<br />
You can use it to get/renew certificates with a running webserver (e.g. Apache/nginx).<br />
# certbot certonly --email ''email@example.com'' --webroot -w ''/path/to/html/'' -d ''your.domain''<br />
<br />
Make sure the server configuration for the certificates points to {{ic|/etc/letsencrypt/live/''your.domain''/}}.<br />
<br />
===== Multiple domains =====<br />
<br />
If you use more than one domain or subdomains, the webroot has to be given for every domain. If no new webroot is given, the previous is taken.<br />
<br />
Management of this can be made much easier, if you map all http requests for {{ic|/.well-known/acme-challenge/}} to a single folder, e.g. {{ic|/var/lib/letsencrypt}}.<br />
For nginx you can achieve this by placing creating a file containing this location block then including it in server blocks of sites you want to request certificates for:<br />
{{hc|/etc/nginx/letsencrypt.conf|<nowiki><br />
location ^~ /.well-known/acme-challenge {<br />
alias /var/lib/letsencrypt;<br />
default_type "text/plain";<br />
try_files $uri =404;<br />
}<br />
</nowiki>}}<br />
<br />
Then within the server block:<br />
{{hc|/etc/nginx/servers/example.com|<nowiki><br />
server {<br />
...<br />
<br />
include letsencrypt.conf;<br />
}<br />
</nowiki>}}<br />
<br />
For Apache you can achieve this by creating the file {{ic|httpd-acme.conf}}:<br />
{{hc|/etc/httpd/conf/extra/httpd-acme.conf|<nowiki><br />
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"<br />
<Directory "/var/lib/letsencrypt/"><br />
AllowOverride None<br />
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec<br />
Require method GET POST OPTIONS<br />
</Directory><br />
</nowiki>}}<br />
and including it in {{ic|httpd.conf}}:<br />
{{hc|/etc/httpd/conf/httpd.conf|<nowiki><br />
Include conf/extra/httpd-acme.conf<br />
</nowiki>}}<br />
The chosen path has then to be writable for the chosen letsencrypt client. It also has to be readable by the web server; you can achieve this thereby : {{ic|chgrp http /var/lib/letsencrypt && chmod g+s /var/lib/letsencrypt}}.<br />
<br />
===== Automatic renewal =====<br />
When running {{ic|certbot certonly}}, Certbot stores the domains and webroot directories in {{ic|/etc/letsencrypt/renewal}}, so the certificates can be renewed later automatically by running {{ic|certbot renew}}.<br />
<br />
====== Service ======<br />
<br />
You can fully automate this by creating a systemd service<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --quiet --agree-tos}}<br />
<br />
====== Standonly service ======<br />
When using the standalone method you'll want to stop your webserver before executing the renew request and start your webserver when certbot is finished, luckily certbot provides some hooks that do just that.<br />
<br />
'''Nginx'''<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --pre-hook "/usr/bin/systemctl stop nginx.service" --post-hook "/usr/bin/systemctl start nginx.service" --quiet --agree-tos}}<br />
<br />
'''Apache'''<br />
{{hc|1=/etc/systemd/system/certbot.service|<br />
2=[Unit]<br />
Description=Let's Encrypt renewal<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/usr/bin/certbot renew --pre-hook "/usr/bin/systemctl stop httpd.service" --post-hook "/usr/bin/systemctl start httpd.service" --quiet --agree-tos}}<br />
<br />
====== Automatic renewal timer ======<br />
<br />
Before adding a [[systemd/Timers|timer]], check that the service is working correctly and is not trying to prompt anything.<br />
Then, you can add a timer to renew the certificates daily. Include a randomized delay so that everyone's requests for renewal will be evenly spread over the day to lighten the Let's Encrypt server load.<br />
<br />
{{hc|1=/etc/systemd/system/certbot.timer|<br />
2=[Unit]<br />
Description=Daily renewal of Let's Encrypt's certificates<br />
<br />
[Timer]<br />
OnCalendar=daily<br />
RandomizedDelaySec=1day<br />
Persistent=true<br />
<br />
[Install]<br />
WantedBy=timers.target}}<br />
<br />
[[Enable]] and [[start]] {{ic|certbot.timer}}.<br />
<br />
You'll probably want your web server to reload the certificates after each time they're renewed. You can realize that by adding one of these lines to the {{ic|certbot.service}} file:<br />
<br />
* Apache: {{ic|1=ExecStartPost=/bin/systemctl reload httpd.service}}<br />
* nginx: {{ic|1=ExecStartPost=/bin/systemctl reload nginx.service}}<br />
<br />
== See also ==<br />
<br />
* [https://letsencrypt.org/docs/client-options/ List of ACME clients]</div>Smasher816https://wiki.archlinux.org/index.php?title=RTorrent/RuTorrent&diff=443268RTorrent/RuTorrent2016-07-26T04:12:32Z<p>Smasher816: Make it easier to find the conf folder</p>
<hr />
<div>[[Category:Internet applications]]<br />
[[ja:RuTorrent]]<br />
[[ru:RuTorrent]]<br />
{{Merge|Rutorrent with lighttpd|Same topic.|Talk:Rutorrent with lighttpd#Merge}}<br />
<br />
'''[https://github.com/Novik/ruTorrent ruTorrent]''' is a web interface to [[rTorrent]] (a console based BitTorrent client). It uses rTorrent's built-in XML-RPC server to communicate with it.<br />
<br />
It is lightweight, highly extensible, and is designed to look similar to uTorrent.<br />
<br />
== Installation ==<br />
Install {{AUR|rutorrent}} from the AUR. If you want to use the development version install {{AUR|rutorrent-git}}.<br />
<br />
== Web Server Configuration ==<br />
<br />
=== Apache ===<br />
Install and configure Apache with PHP according to the [[LAMP]] page.<br />
<br />
* Edit the ''open_basedir'' value in /etc/php/php.ini to include:<br />
/etc/webapps/rutorrent/conf/:/usr/share/webapps/rutorrent/php/:/usr/share/webapps/rutorrent/<br />
<br />
Install {{AUR|mod_scgi}} from the AUR.<br />
<br />
* Load the SCGI module in {{ic|/etc/httpd/conf/httpd.conf}}:<br />
LoadModule scgi_module modules/mod_scgi.so<br />
<br />
* Enable the rTorrent XMLRPC interface: [[rTorrent#XMLRPC interface]]<br />
<br />
* Enable SCGI on the port you chose for rTorrent by adding this to {{ic|/etc/httpd/conf/httpd.conf}}:<br />
SCGIMount /RPC2 127.0.0.1:5000<br />
<br />
* Lastly, add the ruTorrent folder to {{ic|/etc/httpd/conf/httpd.conf}} with something similar to this anywhere after the inital ''</Directory>'':<br />
<IfModule alias_module><br />
Alias /rutorrent /usr/share/webapps/rutorrent<br />
<Directory "/usr/share/webapps/rutorrent"><br />
Order allow,deny<br />
Allow from all<br />
</Directory><br />
</IfModule><br />
<br />
For Apache 2.4 the access control would be:<br />
<IfModule alias_module><br />
Alias /rutorrent /usr/share/webapps/rutorrent<br />
<Directory "/usr/share/webapps/rutorrent"><br />
Require all granted<br />
</Directory><br />
</IfModule><br />
<br />
{{Note|You should enable authentication through Apache if your site is public.}}<br />
<br />
=== Nginx ===<br />
<br />
* Create a link from your web root to rutorrent<br />
ln -s /usr/share/webapps/rutorrent/ /usr/share/nginx/html/rutorrent<br />
<br />
* Edit the ''open_basedir'' value in /etc/php/php.ini to include:<br />
/etc/webapps/rutorrent/conf/:/usr/share/webapps/rutorrent/php/:/usr/share/webapps/rutorrent/<br />
<br />
* Enable the rTorrent XMLRPC interface: [[rTorrent#XMLRPC interface]]<br />
<br />
* Add following location to your nginx configuration:<br />
location /RPC2 {<br />
include scgi_params;<br />
scgi_pass localhost:5000;<br />
}<br />
<br />
* Restart nginx:<br />
# systemctl restart nginx<br />
<br />
* You can now access ruTorrent at http://127.0.0.1/rutorrent<br />
<br />
== ruTorrent Configuration ==<br />
See upstream wiki [https://github.com/Novik/ruTorrent/wiki/Config here]. By default the configuration files are symlinked to <code>/etc/webapps/rutorrent/conf</code>.<br />
<br />
== See Also ==<br />
* [[LAMP]]<br />
* [[RTorrent]]<br />
<br />
== External Links == <br />
* https://github.com/Novik/ruTorrent/wiki<br />
* http://httpd.apache.org/docs/2.2/configuring.html</div>Smasher816https://wiki.archlinux.org/index.php?title=Advanced_Linux_Sound_Architecture/Troubleshooting&diff=436917Advanced Linux Sound Architecture/Troubleshooting2016-06-02T11:04:24Z<p>Smasher816: The nrpacks option no longer exists for snd-usb-audio. See https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=976b6c0</p>
<hr />
<div>[[Category:Sound]]<br />
[[ja:Advanced Linux Sound Architecture/トラブルシューティング]]<br />
See [[Advanced Linux Sound Architecture]] for the main article.<br />
<br />
== Volume ==<br />
<br />
=== Output is muted after reboot ===<br />
<br />
Run the following command:<br />
<br />
# alsactl restore<br />
<br />
If the problem persists, verify that the {{ic|Auto-Mute}} option in ''alsamixer'' is set to {{ic|Disabled}}.<br />
<br />
=== Volume is too low ===<br />
<br />
Run ''alsamixer'' and try to increase the value of the sliders, unmuting channels if necessary. Note that if you have many sliders, you may have to scroll to the right to see any missing sliders.<br />
<br />
If all the sliders are maxed out, and the volume is still too low, you can try running the following [http://www.alsa-project.org/hda-analyzer.py script] to reset your codec settings:<br />
<br />
$ wget http://www.alsa-project.org/hda-analyzer.py<br />
$ su -c 'python2 hda-analyzer.py'<br />
<br />
The script assumes that {{ic|/usr/bin/python}} refers to Python 2, which is incorrect on Arch by default. To avoid this issue run the following command:<br />
<br />
$ sed -i 's/python %s/python2 %s/' hda-analyzer.py<br />
<br />
Close the analyzer, and when prompted as to whether you want to reset the codecs, say "yes".<br />
<br />
If the volume is *still* too low, run ''alsamixer'' again: resetting the codecs may have caused new sliders to become enabled and some of them may be set to a low value.<br />
<br />
=== Low Sound Volume ===<br />
<br />
If you are facing low sound even after maxing out your speakers/headphones, you can give the softvol plugin a try. Add the following to {{ic|/etc/asound.conf}}.<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
<br />
pcm.softvol {<br />
type softvol<br />
slave {<br />
pcm "dmix"<br />
}<br />
control {<br />
name "Pre-Amp"<br />
card 0<br />
}<br />
min_dB -5.0<br />
max_dB 20.0<br />
resolution 6<br />
}<br />
}}<br />
<br />
{{Note|You will probably have to restart the computer, as restarting the alsa daemon did not load the new configuration for me. Also, if the configuration does not work even after restarting, try changing {{ic|plug}} with {{ic|hw}} in the above configuration.}}<br />
<br />
After the changes are loaded successfully, you will see a {{ic|Pre-Amp}} section in alsamixer. You can adjust the levels there.<br />
{{Note|<br />
* Setting a high value for {{ic|Pre-Amp}} can cause sound distortion, so adjust it according to the level that suits you.<br />
* Some audio codecs may need to have settings adjusted in the HDA Analyzer (see [[#Volume is too low]]) in order to achieve proper volume without distortion. Checking the HP option under widget control in the Playback Switch (Node[0x14] PIN in the ALC892 codec, for instance) can sometimes improve audio quality and volume significantly.<br />
}}<br />
<br />
=== Random lack of sound on startup ===<br />
<br />
You can quickly test sound by running {{ic|speaker-test}}. If there is no sound, the error message might look something like<br />
<br />
ALSA lib pcm_dmix.c:1022:(snd_pcm_dmix_open) unable to open slave<br />
Playback open error: -16<br />
Device or resource busy<br />
<br />
If you have no sound on startup, this may be because your system has multiple sound cards, and their order may sometimes change on startup. If this is the case, try [[ALSA#Set the default sound card|setting the default sound card]].<br />
<br />
If you use mpd and the configuration tips above do not work for you, try [http://mpd.wikia.com/wiki/Configuration#ALSA_MPD_software_volume_control reading this] instead.<br />
<br />
== Microphone ==<br />
<br />
=== No microphone input ===<br />
<br />
In alsamixer, make sure that all the volume levels are up under recording, and that CAPTURE is toggled active on the microphone (e.g. Mic, Internal Mic) and/or on Capture (in alsamixer, select these items and press space). Try making positive Mic Boost and raising Capture and Digital levels higher; this make make static or distortion, but then you can adjust them back down once you are hearing ''something'' when you record<br />
<br />
As the pulseaudio wrapper is shown as "default" in alsamixer, you may have to press F6 to select your actual soundcard first. You may also need to enable and increase the volume of Line-in in the Playback section.<br />
<br />
To test the microphone, run these commands (see arecord's man page for further information):<br />
<br />
$ arecord -d 5 -f dat test-mic.wav<br />
$ aplay test-mic.wav<br />
<br />
Alternatively, you can run this command:<br />
<br />
$ arecord -vv -f dat /dev/null<br />
<br />
alongside alsamixer to easily identify channel which you should select and unmute.<br />
<br />
<br />
If all fails, you may want to eliminate hardware failure by testing the microphone with a different device.<br />
<br />
For at least some computers, muting a microphone (MM) simply means its input does not go immediately to the speakers. It still receives input.<br />
<br />
Many Dell laptops need "-dmic" to be appended to the model name in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-hda-intel model=dell-m6-dmic<br />
<br />
Some programs use try to use OSS as the main input software. If you have enabled the {{ic|snd_pcm_oss}}, {{ic|snd_mixer_oss}} or {{ic|snd_seq_oss}} [[kernel modules]] previously (they are not loaded by default), try unloading them.<br />
<br />
See also:<br />
* http://www.alsa-project.org/main/index.php/SoundcardTesting<br />
* http://alsa.opensrc.org/Record_from_mic<br />
<br />
=== Setting the default microphone/capture device ===<br />
<br />
Some applications (Pidgin, Adobe Flash) do not provide an option to change the capture device. It becomes a problem if your microphone is on a separate device (e.g. USB webcam or microphone) than your internal sound card. To change only the default capture device, leaving the default playback device as is, you can modify your {{ic|~/.asoundrc}} file to include the following:<br />
<br />
{{bc|<br />
pcm.usb<br />
{<br />
type hw<br />
card U0x46d0x81d<br />
}<br />
<br />
pcm.!default<br />
{<br />
type asym<br />
playback.pcm<br />
{<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
capture.pcm<br />
{<br />
type plug<br />
slave.pcm "usb"<br />
}<br />
}<br />
}}<br />
<br />
Replace "U0x46d0x81d" with your capture device's card name in ALSA. You can use {{ic|arecord -L}} to list all the capture devices detected by ALSA.<br />
<br />
=== Internal microphone not working ===<br />
<br />
First make sure the volume is enabled under the {{ic|Capture}} view in ''alsamixer''. In some case, the "Internal Microphone" is not displayed in the capture list available when pressing F4. If so, specifying the card number given by {{ic|aplay -l}} to start ''alsamixer'' (for example {{ic|alsamixer -c 0}} ) can make it appears. <br />
<br />
<br />
Then add the following to {{ic|/etc/modprobe.d/snd-hda-intel.conf}}:<br />
<br />
options snd-hda-intel enable_msi=1<br />
<br />
Then reload the module:<br />
<br />
# rmmod snd-hda-intel && modprobe snd-hda-intel<br />
<br />
Now there should be an additional input under the previously mentioned {{ic|Capture}} view.<br />
<br />
=== Crackling microphone ===<br />
<br />
If you are getting a crackling or popping from your microphone that cannot be resolved with ALSA settings or cleaning your microphone jack, try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-hda-intel model=MODEL position_fix=3<br />
<br />
This option will fix crackling on pure ALSA, but will cause issues to pulseaudio. To let Pulse use these settings effectively, edit {{ic|/etc/pulse/default.pa}} and find this line:<br />
<br />
load-module module-udev-detect<br />
<br />
And change it to this:<br />
<br />
load-module module-udev-detect tsched=0<br />
<br />
See the DMA-Position Problem in the kernel docs.<br />
<br />
* [https://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio.txt HD-audio Kernel Docs]<br />
<br />
== Audio Quality ==<br />
<br />
=== Crackling sound through mini-jack (headphones connector) ===<br />
<br />
Whether you followed [[Advanced_Linux_Sound_Architecture#Simultaneous_output|simultaneous output tip]] or managed to get it done on your own, you might get crackling sound through headphones or external speakers. This can be fixed by muting '''or''' setting volume to 0% on item '''Mic'''. Use {{ic|alsamixer}} or {{ic|amixer}}:<br />
$ amixer sset "Mic" 0%<br />
$ amixer sset "Mic" mute<br />
<br />
=== Popping sound after resuming from suspension ===<br />
<br />
You might hear a popping sound after resuming the computer from suspension. This can be fixed by editing {{ic|/etc/pm/sleep.d/90alsa}} and removing the line that says {{ic|aplay -d 1 /dev/zero}}<br />
<br />
=== Sound skipping during playback ===<br />
<br />
Run ''alsamixer'', and if channels exist for nonexistent output devices then disable them (e.g. ''alsamixer'' showing a center speaker but you not having one).<br />
<br />
=== Poor sound quality or clipping ===<br />
<br />
If you experience poor sound quality, try setting the PCM volume (in alsamixer) to a level such that gain is 0.<br />
<br />
If snd-usb-audio driver has been loaded, you could try to enable {{ic|softvol}} in {{ic|/etc/asound.conf}} file. Example configuration for the first audio device:<br />
<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.dsnooper {<br />
type dsnoop<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
channels 2<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.softvol {<br />
type softvol<br />
slave { pcm "dmixer" }<br />
control {<br />
name "Master"<br />
card 0<br />
}<br />
}<br />
ctl.!default {<br />
type hw<br />
card 0<br />
}<br />
ctl.softvol {<br />
type hw<br />
card 0<br />
}<br />
ctl.dmixer {<br />
type hw<br />
card 0<br />
}<br />
}}<br />
<br />
=== Pops when starting and stopping playback ===<br />
<br />
Some modules (e.g. snd_ac97_codec and snd_hda_intel) can power off your sound card when not in use. This can make an audible noise (like a crack/pop/scratch) when turning on/off your sound card. Sometimes even when move the slider volume, or open and close windows (KDE4). If you find this annoying try {{ic|modinfo snd_MY_MODULE}}, and look for a module option that adjusts or disables this feature.<br />
<br />
''Example'': disable the power saving mode and solve cracking sound trough speakers problem, using snd_hda_intel add in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd_hda_intel power_save=0<br />
or:<br />
options snd_hda_intel power_save=0 power_save_controller=N<br />
<br />
You can also try it with {{ic|1=modprobe snd_hda_intel power_save=0}} before.<br />
<br />
You may also have to unmute the 'Line' ALSA channel for this to work. Any value will do (other than '0' or something too high).<br />
<br />
''Example:'' on an onboard VIA VT1708S (using the snd_hda_intel module) these cracks occured even though 'power_save' was set to 0. Unmuting the 'Line' channel and setting a value of '1' solved the problem.<br />
<br />
Source: https://www.kernel.org/doc/Documentation/sound/alsa/powersave.txt<br />
<br />
If you use a laptop, pm-utils will change {{ic|power_save}} back to 1 when you go onto battery power even if you disable power saving in {{ic|/etc/modprobe.d}}. Disable this for pm-utils by disabling the script that makes the change (see [[Pm-utils#Disabling_a_hook|Disabling a hook]] for more information):<br />
# touch /etc/pm/power.d/intel-audio-powersave<br />
<br />
=== Sound skipping while using dynamic CPU frequency scaling ===<br />
<br />
Some combinations of ALSA drivers and chipsets may cause audio from all sources to skip when used in combination with a dynamic frequency scaling governor such as {{ic|ondemand}} or {{ic|conservative}}. Currently, the solution is to switch back to the {{ic|performance}} governor.<br />
<br />
Refer to the [[CPU frequency scaling]] for more information.<br />
<br />
== Hardware and Cards ==<br />
<br />
=== Verifying output parameters ===<br />
<br />
Check the contents of {{ic|/proc/asound/cardX/pcmYp/subZ/hw_params}}, where {{ic|X}}, {{ic|Y}}, and {{ic|Z}} are system dependent.<br />
In order to find this file, execute the following command while outputting anything via ALSA:<br />
$ find /proc/asound/ -name hw_params | xargs -I FILE grep -v -l "closed" FILE | grep '/proc/asound/card./pcm.p/sub./hw_params'<br />
If nothing is playing there should be no results.<br />
<br />
Here is an example output for audio with a [[Wikipedia:Audio_bit_depth|bit depth]] of 24 bits and a [[Wikipedia:Sampling frequency|sampling frequency]] of 44.1 kilohertz:<br />
{{hc|cat /proc/asound/card1/pcm0p/sub0/hw_params|<br />
access: RW_INTERLEAVED<br />
format: S24_3LE<br />
subformat: STD<br />
channels: 2<br />
rate: 44100 (44100/1)<br />
period_size: 5513<br />
buffer_size: 22050<br />
}}<br />
<br />
More info is available in the [http://alsa.opensrc.org/Proc_asound_documentation ALSA documentation].<br />
<br />
=== Error 'Unknown hardware' appears after kernel update ===<br />
<br />
The following messages may be displayed during ALSA's initialization:<br />
Unknown hardware "foo" "bar" ...<br />
Hardware is initialized using a guess method<br />
/usr/bin/alsactl: set_control:nnnn:failed to obtain info for control #mm (No such file or directory)<br />
<br />
or:<br />
Found hardware: "HDA-Intel" "VIA VT1705" "HDA:11064397,18490397,00100000" "0x1849" "0x0397"<br />
Hardware is initialized using a generic method<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #1 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #2 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #25 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #26 (No such file or directory)<br />
<br />
Simply store ALSA mixer settings again:<br />
# alsactl -f /var/lib/alsa/asound.state store<br />
<br />
It may be necessary configure ALSA again with alsamixer<br />
<br />
=== Fix wrong audio pin mapping ===<br />
<br />
If the mappings to your audio pins(plugs) do not correspond but ALSA works fine, you could try HDA Analyzer -- a pyGTK2 GUI for HD-audio control can be found [http://www.alsa-project.org/main/index.php/HDA_Analyzer at the ALSA wiki].<br />
Try tweaking the Widget Control section of the PIN nodes, to make microphones IN and headphone jacks OUT. Referring to the Config Defaults heading is a good idea.<br />
<br />
{{Note|The script is incompatible with Python 3, which is the default Python implementation on Arch Linux. In order to use the script, replace all occurrences of {{ic|python}} in the {{ic|run.py}} file with {{ic|python2}} to point the script to the Python 2 version. Then make the script [[chmod|executable]] and run it.}}<br />
<br />
=== S/PDIF output does not work ===<br />
<br />
If the optical/coaxial digital output of your motherboard/sound card is not working or stopped working, and have already enabled and unmuted it in alsamixer, try running the following:<br />
$ iecset audio on<br />
<br />
You can also put this command in an enabled [[systemd]] service as it sometimes it may stop working after a reboot.<br />
<br />
=== Conflicting PC speaker ===<br />
<br />
If you are sure nothing is muted, that your drivers are installed correctly, and that your volume is right, but you still do not hear anything, then try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-NAME-OF-MODULE ac97_quirk=0<br />
<br />
The above fix has been observed to work with {{ic|via82xx}}<br />
options snd-NAME-OF-MODULE ac97_quirk=1<br />
The above fix has been reported to work with {{ic|snd-intel8x0}}<br />
<br />
{{Poor writing|Duplicated sections (e.g. for microphone) should be merged with eachother}}<br />
<br />
=== HP TX2500 ===<br />
<br />
Add these 2 lines into {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-cmipci mpu_port=0x330 fm_port=0x388<br />
options snd-hda-intel index=0 model=toshiba position_fix=1<br />
options snd-hda-intel model=hp (works for tx2000cto)<br />
<br />
=== No sound when S/PDIF video card is installed ===<br />
<br />
Discover available modules and their order:<br />
<br />
{{hc|$ cat /proc/asound/modules|<br />
0 snd_hda_intel<br />
1 snd_ca0106<br />
}}<br />
<br />
Disable the undesired video card audio codec in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|<br />
install snd_hda_intel /bin/false<br />
}}<br />
<br />
If both devices use the same module then we can use the {{ic|enable}} parameter from snd_hda_intel module; it is an array of booleans that can enable/disable the desired sound card.<br />
<br />
options snd_hda_intel enable=1,0<br />
<br />
=== Wrong sound card model type ===<br />
<br />
Although ALSA detects your soundcard through the BIOS, at times ALSA may not be able to recognize your [http://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio-Models.txt model type]. The soundcard chip can be found in {{ic|alsamixer}} (e.g. ALC662) and the model can be set in {{ic|/etc/modprobe.d/modprobe.conf}} or {{ic|/etc/modprobe.d/sound.conf}}. For example:<br />
options snd-hda-intel model=MODEL<br />
<br />
There are other model settings too. For most cases ALSA defaults will do. If you want to look at more specific settings for your soundcard take a look at the [http://bugtrack.alsa-project.org/main/index.php/Matrix:Main ALSA Soundcard List] find your model, then Details, then look at the "Setting up modprobe..." section. Enter these values in {{ic|/etc/modprobe.d/modprobe.conf}}. For example, for an Intel AC97 audio:<br />
<br />
{{bc|<br />
# ALSA portion<br />
alias char-major-116 snd<br />
alias snd-card-0 snd-intel8x0<br />
# module options should go here<br />
<br />
# OSS/Free portion<br />
alias char-major-14 soundcore<br />
alias sound-slot-0 snd-card-0<br />
<br />
# card #1<br />
alias sound-service-0-0 snd-mixer-oss<br />
alias sound-service-0-1 snd-seq-oss<br />
alias sound-service-0-3 snd-pcm-oss<br />
alias sound-service-0-8 snd-seq-oss<br />
alias sound-service-0-12 snd-pcm-oss<br />
}}<br />
<br />
=== Intel onboard sound ===<br />
<br />
==== No sound with onboard Intel sound card ====<br />
<br />
There may be a problem with two conflicting modules loaded, namely {{ic|snd-intel8x0}} and {{ic|snd-intel8x0m}}. In this case, blacklist {{ic|snd-intel8x0m}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|blacklist snd-intel8x0m}}<br />
<br />
''Muting'' the "External Amplifier" in {{ic|alsamixer}} or {{ic|amixer}} may also help. See [http://alsa.opensrc.org/Intel8x0#Dell_Inspiron_8600_.28and_probably_others.29 the ALSA wiki].<br />
<br />
Unmuting the "Mix" setting in the mixer might help, also.<br />
<br />
==== No headphone sound with onboard intel sound card ====<br />
<br />
With '''Intel Corporation 82801 I (ICH9 Family) HD Audio Controller''' on laptop, you may need to add this line to modprobe or sound.conf:<br />
<br />
options snd-hda-intel model=''model''<br />
<br />
Where ''model'' is any one of the following:<br />
<br />
* dell-m6<br />
* dell-vostro<br />
* generic<br />
* laptop<br />
* laptop-hpsense<br />
* olpc-xo-1_5<br />
<br />
{{Note|It may be necessary to put this "options" line below (after) any "alias" lines about your card.}}<br />
<br />
You can see all the available models in the kernel documentation. For example [http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/sound/alsa/HD-Audio-Models.txt here], but check that it is the correct version of that document for your kernel version.<br />
<br />
A list of available models is also available [http://www.mjmwired.net/kernel/Documentation/sound/alsa/HD-Audio-Models.txt here]. To know your chip name type the following command (with * being corrected to match your files). Note that some chips could have been renamed and do not directly match the available ones in the file.<br />
<br />
$ grep Codec /proc/asound/card*/codec*<br />
<br />
Note that there is a high chance none of the input devices (all internal and external mics) will work if you choose to do this, so it is either your headphones or your mic. Please report to ALSA if you are affected by this bug.<br />
<br />
And also, if you have problems getting beeps to work (pcspkr):<br />
<br />
options snd-hda-intel model=$model enable=1 index=0<br />
<br />
=== HDMI ===<br />
<br />
==== HDMI Output does not work ====<br />
<br />
The procedure described below can be used to test HDMI audio. Before proceeding, make sure you have enabled and unmuted the output with {{ic|alsamixer}}.<br />
<br />
{{Note|If you are using an AMD card a necessary kernel module is disabled by default. See [[ATI#HDMI audio]].}}<br />
<br />
Connect your PC to the Display via HDMI cable and enable the display with [[xrandr]].<br />
<br />
Use {{ic|aplay -l}} to get the discover the card and device number. For example:<br />
<br />
{{hc|$ aplay -l|2=<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: SB [HDA ATI SB], device 0: ALC892 Analog [ALC892 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: SB [HDA ATI SB], device 1: ALC892 Digital [ALC892 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
'''card 1''': Generic [HD-Audio Generic], '''device 3''': HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
}}<br />
<br />
Send sound to the device. Following the example in the previous step, you would send sound to {{ic|'''card 1'''}}, {{ic|'''device 3'''}}:<br />
<br />
$ aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Center.wav<br />
<br />
If aplay does not output any errors, but still no sound is heard, "reboot" the receiver, monitor or tv set. Since the HDMI interface executes a handshake on connection, it might have noticed before that there was no audio stream embedded, and disabled audio decoding. If you are using a standalone window manager, you may need to have sound playing while plugging in the HDMI cable.<br />
<br />
mplay and other application could be configured to use special HDMI device as audio output. But flashplugin could only use default device. The following method is used to override default device. But you need to change it back when your TV is disconnected from HDMI port.<br />
<br />
If the test is successful, create or edit your {{ic|~/.asoundrc}} file to set HDMI as the default audio device.<br />
<br />
{{hc|~/.asoundrc|<br />
pcm.!default {<br />
type hw<br />
card 1<br />
device 3<br />
}<br />
}}<br />
<br />
Or if the above configuration does not work try:<br />
<br />
{{hc|~/.asoundrc|<br />
defaults.pcm.card 1<br />
defaults.pcm.device 3<br />
defaults.ctl.card 1<br />
}}<br />
<br />
==== PCM through HDMI does not work (Intel Gfx) ====<br />
<br />
As of Linux 3.1 multi-channel PCM output through HDMI with a Intel card (Intel Eaglelake, IbexPeak/Ironlake,SandyBridge/CougarPoint and IvyBridge/PantherPoint) is not yet supported. Support for it has been recently added and expected to be available in Linux 3.2. To make it work in Linux 3.1 you need to apply the following patches:<br />
<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=76adaa34db407f174dd06370cb60f6029c33b465 drm: support routines for HDMI/DP ELD]<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=e0dac65ed45e72fe34cc7ccc76de0ba220bd38bb drm/i915: pass ELD to HDMI/DP audio driver]<br />
<br />
==== HDMI 5.1 sound goes to wrong speakers ====<br />
<br />
Sound can be redirected to the intended speakers using ALSA's {{ic|remap}} function. To do so, add the following to {{ic|/etc/asound.conf}}:<br />
<br />
{{bc|1=<br />
pcm.!hdmi-remap {<br />
type asym<br />
playback.pcm {<br />
type plug<br />
slave.pcm "remap-surround51"<br />
}<br />
}<br />
<br />
pcm.!remap-surround51 {<br />
type route<br />
slave.pcm "hw:0,3"<br />
ttable {<br />
0.0= 1<br />
1.1= 1<br />
2.4= 1<br />
3.5= 1<br />
4.2= 1<br />
5.3= 1<br />
}<br />
}<br />
}}<br />
<br />
== Applications ==<br />
<br />
=== SDL: No sound with SDL applications ===<br />
<br />
If you get no sound using SDL based applications, try setting the [[environment variable]] {{ic|SDL_AUDIODRIVER}} to {{ic|alsa}}.<br />
<br />
=== OpenAL: No sound in applications that use OpenAL ===<br />
<br />
Openal defaults to pulseaudio, to change the order, add the following configuration to {{ic|/etc/openal/alsoft.conf}}:<br />
<br />
{{bc|1=<br />
drivers=alsa,pulse<br />
}}<br />
<br />
=== VirtualBox: Virtual machine has no sound ===<br />
<br />
If you experience problems with VirtualBox, the following command might be helpful:<br />
<br />
{{hc|$ alsactl init|2=<br />
Found hardware: "ICH" "SigmaTel STAC9700,83,84" "AC97a:83847600" "0x8086" "0x0000"<br />
Hardware is initialized using a generic method<br />
}}<br />
<br />
You might need to activate the ALSA output in your audio software as well.<br />
<br />
=== Others: General application problems ===<br />
<br />
For other applications who insist on their own audio setup, e.g., XMMS or MPlayer, you would need to set their specific options.<br />
<br />
For [[MPlayer]] or [[mpv]], add the following line to the respective configuration file:<br />
ao=alsa<br />
<br />
Eg. for XMMS2, go into their options and make sure the sound driver is set to ALSA, not oss.<br />
<br />
To do this in XMMS:<br />
* Open XMMS<br />
** Options > Preferences.<br />
** Choose the ALSA output plugin.<br />
<br />
For applications which do not provide a ALSA output, you can use aoss from the alsa-oss package. To use aoss, when you run the program, prefix it with {{ic|aoss}}, e.g.:<br />
aoss realplay<br />
<br />
pcm.!default{ ... } doesnt work for me anymore. but this does:<br />
pcm.default pcm.dmixer<br />
<br />
== Other Issues ==<br />
<br />
=== Simultaneous playback problems ===<br />
<br />
If you are having problems with simultaneous playback, and if [[PulseAudio]] is installed, its default configuration is set to "hijack" the soundcard. Some users of ALSA may not want to use [[PulseAudio]] and are quite content with their current ALSA settings. One fix is to edit {{ic|/etc/asound.conf}} and comment out the following lines:<br />
{{bc|1=<br />
# Use PulseAudio by default<br />
pcm.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
hint {<br />
show on<br />
description "Default ALSA Output (currently PulseAudio Sound Server)"<br />
}<br />
}<br />
}}<br />
<br />
Commenting the following out also may help:<br />
{{bc|1=<br />
ctl.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
}<br />
}}<br />
<br />
This may be a much simpler solution than completely uninstalling [[PulseAudio]].<br />
<br />
Effectively, here is an example of a working {{ic|/etc/asound.conf}}:<br />
{{bc|1=<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0660<br />
}<br />
pcm.dsp {<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
}}<br />
<br />
{{Note|This {{ic|/etc/asound.conf}} file was intended for and used successfully with a global [[MPD]] configuration. See [[#Problems with availability to only one user at a time]].}}<br />
<br />
=== Removing old ALSA state file (asound.state) ===<br />
<br />
The {{Pkg|alsa-utils}} package provides {{ic|alsa-store.service}} which automatically stores the current ALSA state to {{ic|/var/lib/alsa/asound.state}} upon system shutdown. This can be problematic for users who are trying to reset their current ALSA state as the {{ic|asound.state}} file will be recreated with the current state upon every shutdown (e.g., attempting to remove user-defined channels from the mixer). The {{ic|alsa-store.service}} service may be temporarily disabled by creating the following empty file:<br />
<br />
# mkdir -p /etc/alsa<br />
# touch /etc/alsa/state-daemon.conf<br />
<br />
The presence of {{ic|state-daemon.conf}} prevents {{ic|alsa-store.service}} from saving {{ic|asound.state}} during shutdown. After disabling this service, the {{ic|asound.state}} file may be removed as such:<br />
<br />
# rm /var/lib/alsa/asound.state<br />
<br />
After rebooting, the previous ALSA state should be lost and the current state should be reset to defaults. Re-enable {{ic|alsa-store.service}} by deleting the condition file we created:<br />
<br />
# rm /etc/alsa/state-daemon.conf<br />
<br />
On the next shutdown, the {{ic|asound.state}} file should be recreated with ALSA defaults. The file may also be generated immediately using:<br />
<br />
# alsactl store<br />
<br />
=== Problems with availability to only one user at a time ===<br />
<br />
You might find that only one user can use the dmixer at a time. This is probably ok for most, but for those who run [[mpd]] as a separate user this poses a problem. When mpd is playing a normal user cannot play sounds though the dmixer. While it is quite possible to just run mpd under a user's login account, another solution has been found. Adding the line {{ic|ipc_key_add_uid 0}} to the {{ic|pcm.dmixer}} block disables this locking. The following is a snippet from {{ic|asound.conf}}, the rest is the same as above.<br />
<br />
{{bc|1=<br />
...<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0666<br />
slave {<br />
...<br />
}}</div>Smasher816https://wiki.archlinux.org/index.php?title=Advanced_Linux_Sound_Architecture/Troubleshooting&diff=436916Advanced Linux Sound Architecture/Troubleshooting2016-06-02T11:00:39Z<p>Smasher816: Use "dat" format for arecord. The default makes mics sound terrible and can easily make people think they need to fix it, when in reality nothing is wrong.</p>
<hr />
<div>[[Category:Sound]]<br />
[[ja:Advanced Linux Sound Architecture/トラブルシューティング]]<br />
See [[Advanced Linux Sound Architecture]] for the main article.<br />
<br />
== Volume ==<br />
<br />
=== Output is muted after reboot ===<br />
<br />
Run the following command:<br />
<br />
# alsactl restore<br />
<br />
If the problem persists, verify that the {{ic|Auto-Mute}} option in ''alsamixer'' is set to {{ic|Disabled}}.<br />
<br />
=== Volume is too low ===<br />
<br />
Run ''alsamixer'' and try to increase the value of the sliders, unmuting channels if necessary. Note that if you have many sliders, you may have to scroll to the right to see any missing sliders.<br />
<br />
If all the sliders are maxed out, and the volume is still too low, you can try running the following [http://www.alsa-project.org/hda-analyzer.py script] to reset your codec settings:<br />
<br />
$ wget http://www.alsa-project.org/hda-analyzer.py<br />
$ su -c 'python2 hda-analyzer.py'<br />
<br />
The script assumes that {{ic|/usr/bin/python}} refers to Python 2, which is incorrect on Arch by default. To avoid this issue run the following command:<br />
<br />
$ sed -i 's/python %s/python2 %s/' hda-analyzer.py<br />
<br />
Close the analyzer, and when prompted as to whether you want to reset the codecs, say "yes".<br />
<br />
If the volume is *still* too low, run ''alsamixer'' again: resetting the codecs may have caused new sliders to become enabled and some of them may be set to a low value.<br />
<br />
=== Low Sound Volume ===<br />
<br />
If you are facing low sound even after maxing out your speakers/headphones, you can give the softvol plugin a try. Add the following to {{ic|/etc/asound.conf}}.<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
<br />
pcm.softvol {<br />
type softvol<br />
slave {<br />
pcm "dmix"<br />
}<br />
control {<br />
name "Pre-Amp"<br />
card 0<br />
}<br />
min_dB -5.0<br />
max_dB 20.0<br />
resolution 6<br />
}<br />
}}<br />
<br />
{{Note|You will probably have to restart the computer, as restarting the alsa daemon did not load the new configuration for me. Also, if the configuration does not work even after restarting, try changing {{ic|plug}} with {{ic|hw}} in the above configuration.}}<br />
<br />
After the changes are loaded successfully, you will see a {{ic|Pre-Amp}} section in alsamixer. You can adjust the levels there.<br />
{{Note|<br />
* Setting a high value for {{ic|Pre-Amp}} can cause sound distortion, so adjust it according to the level that suits you.<br />
* Some audio codecs may need to have settings adjusted in the HDA Analyzer (see [[#Volume is too low]]) in order to achieve proper volume without distortion. Checking the HP option under widget control in the Playback Switch (Node[0x14] PIN in the ALC892 codec, for instance) can sometimes improve audio quality and volume significantly.<br />
}}<br />
<br />
=== Random lack of sound on startup ===<br />
<br />
You can quickly test sound by running {{ic|speaker-test}}. If there is no sound, the error message might look something like<br />
<br />
ALSA lib pcm_dmix.c:1022:(snd_pcm_dmix_open) unable to open slave<br />
Playback open error: -16<br />
Device or resource busy<br />
<br />
If you have no sound on startup, this may be because your system has multiple sound cards, and their order may sometimes change on startup. If this is the case, try [[ALSA#Set the default sound card|setting the default sound card]].<br />
<br />
If you use mpd and the configuration tips above do not work for you, try [http://mpd.wikia.com/wiki/Configuration#ALSA_MPD_software_volume_control reading this] instead.<br />
<br />
== Microphone ==<br />
<br />
=== No microphone input ===<br />
<br />
In alsamixer, make sure that all the volume levels are up under recording, and that CAPTURE is toggled active on the microphone (e.g. Mic, Internal Mic) and/or on Capture (in alsamixer, select these items and press space). Try making positive Mic Boost and raising Capture and Digital levels higher; this make make static or distortion, but then you can adjust them back down once you are hearing ''something'' when you record<br />
<br />
As the pulseaudio wrapper is shown as "default" in alsamixer, you may have to press F6 to select your actual soundcard first. You may also need to enable and increase the volume of Line-in in the Playback section.<br />
<br />
To test the microphone, run these commands (see arecord's man page for further information):<br />
<br />
$ arecord -d 5 -f dat test-mic.wav<br />
$ aplay test-mic.wav<br />
<br />
Alternatively, you can run this command:<br />
<br />
$ arecord -vv -f dat /dev/null<br />
<br />
alongside alsamixer to easily identify channel which you should select and unmute.<br />
<br />
<br />
If all fails, you may want to eliminate hardware failure by testing the microphone with a different device.<br />
<br />
For at least some computers, muting a microphone (MM) simply means its input does not go immediately to the speakers. It still receives input.<br />
<br />
Many Dell laptops need "-dmic" to be appended to the model name in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-hda-intel model=dell-m6-dmic<br />
<br />
Some programs use try to use OSS as the main input software. If you have enabled the {{ic|snd_pcm_oss}}, {{ic|snd_mixer_oss}} or {{ic|snd_seq_oss}} [[kernel modules]] previously (they are not loaded by default), try unloading them.<br />
<br />
See also:<br />
* http://www.alsa-project.org/main/index.php/SoundcardTesting<br />
* http://alsa.opensrc.org/Record_from_mic<br />
<br />
=== Setting the default microphone/capture device ===<br />
<br />
Some applications (Pidgin, Adobe Flash) do not provide an option to change the capture device. It becomes a problem if your microphone is on a separate device (e.g. USB webcam or microphone) than your internal sound card. To change only the default capture device, leaving the default playback device as is, you can modify your {{ic|~/.asoundrc}} file to include the following:<br />
<br />
{{bc|<br />
pcm.usb<br />
{<br />
type hw<br />
card U0x46d0x81d<br />
}<br />
<br />
pcm.!default<br />
{<br />
type asym<br />
playback.pcm<br />
{<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
capture.pcm<br />
{<br />
type plug<br />
slave.pcm "usb"<br />
}<br />
}<br />
}}<br />
<br />
Replace "U0x46d0x81d" with your capture device's card name in ALSA. You can use {{ic|arecord -L}} to list all the capture devices detected by ALSA.<br />
<br />
=== Internal microphone not working ===<br />
<br />
First make sure the volume is enabled under the {{ic|Capture}} view in ''alsamixer''. In some case, the "Internal Microphone" is not displayed in the capture list available when pressing F4. If so, specifying the card number given by {{ic|aplay -l}} to start ''alsamixer'' (for example {{ic|alsamixer -c 0}} ) can make it appears. <br />
<br />
<br />
Then add the following to {{ic|/etc/modprobe.d/snd-hda-intel.conf}}:<br />
<br />
options snd-hda-intel enable_msi=1<br />
<br />
Then reload the module:<br />
<br />
# rmmod snd-hda-intel && modprobe snd-hda-intel<br />
<br />
Now there should be an additional input under the previously mentioned {{ic|Capture}} view.<br />
<br />
=== Crackling microphone ===<br />
<br />
If you are getting a crackling or popping from your microphone that cannot be resolved with ALSA settings or cleaning your microphone jack, try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-hda-intel model=MODEL position_fix=3<br />
<br />
This option will fix crackling on pure ALSA, but will cause issues to pulseaudio. To let Pulse use these settings effectively, edit {{ic|/etc/pulse/default.pa}} and find this line:<br />
<br />
load-module module-udev-detect<br />
<br />
And change it to this:<br />
<br />
load-module module-udev-detect tsched=0<br />
<br />
See the DMA-Position Problem in the kernel docs.<br />
<br />
* [https://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio.txt HD-audio Kernel Docs]<br />
<br />
== Audio Quality ==<br />
<br />
=== Crackling sound through mini-jack (headphones connector) ===<br />
<br />
Whether you followed [[Advanced_Linux_Sound_Architecture#Simultaneous_output|simultaneous output tip]] or managed to get it done on your own, you might get crackling sound through headphones or external speakers. This can be fixed by muting '''or''' setting volume to 0% on item '''Mic'''. Use {{ic|alsamixer}} or {{ic|amixer}}:<br />
$ amixer sset "Mic" 0%<br />
$ amixer sset "Mic" mute<br />
<br />
=== Popping sound after resuming from suspension ===<br />
<br />
You might hear a popping sound after resuming the computer from suspension. This can be fixed by editing {{ic|/etc/pm/sleep.d/90alsa}} and removing the line that says {{ic|aplay -d 1 /dev/zero}}<br />
<br />
=== Sound skipping during playback ===<br />
<br />
Run ''alsamixer'', and if channels exist for nonexistent output devices then disable them (e.g. ''alsamixer'' showing a center speaker but you not having one).<br />
<br />
=== Crackling sound with USB sound devices ===<br />
<br />
Try modifying the parameters of the {{ic|snd-usb-audio}} [[kernel module]] for minimal latency via {{ic|modprobe.conf}}.<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|2=<br />
options snd-usb-audio nrpacks=1}}<br />
<br />
For more information, see the following: [http://alsa.opensrc.org/Usb-audio#Tuning_USB_devices_for_minimal_latencies Tuning USB devices for minimal latency]<br />
<br />
=== Poor sound quality or clipping ===<br />
<br />
If you experience poor sound quality, try setting the PCM volume (in alsamixer) to a level such that gain is 0.<br />
<br />
If snd-usb-audio driver has been loaded, you could try to enable {{ic|softvol}} in {{ic|/etc/asound.conf}} file. Example configuration for the first audio device:<br />
<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.dsnooper {<br />
type dsnoop<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
channels 2<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.softvol {<br />
type softvol<br />
slave { pcm "dmixer" }<br />
control {<br />
name "Master"<br />
card 0<br />
}<br />
}<br />
ctl.!default {<br />
type hw<br />
card 0<br />
}<br />
ctl.softvol {<br />
type hw<br />
card 0<br />
}<br />
ctl.dmixer {<br />
type hw<br />
card 0<br />
}<br />
}}<br />
<br />
=== Pops when starting and stopping playback ===<br />
<br />
Some modules (e.g. snd_ac97_codec and snd_hda_intel) can power off your sound card when not in use. This can make an audible noise (like a crack/pop/scratch) when turning on/off your sound card. Sometimes even when move the slider volume, or open and close windows (KDE4). If you find this annoying try {{ic|modinfo snd_MY_MODULE}}, and look for a module option that adjusts or disables this feature.<br />
<br />
''Example'': disable the power saving mode and solve cracking sound trough speakers problem, using snd_hda_intel add in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd_hda_intel power_save=0<br />
or:<br />
options snd_hda_intel power_save=0 power_save_controller=N<br />
<br />
You can also try it with {{ic|1=modprobe snd_hda_intel power_save=0}} before.<br />
<br />
You may also have to unmute the 'Line' ALSA channel for this to work. Any value will do (other than '0' or something too high).<br />
<br />
''Example:'' on an onboard VIA VT1708S (using the snd_hda_intel module) these cracks occured even though 'power_save' was set to 0. Unmuting the 'Line' channel and setting a value of '1' solved the problem.<br />
<br />
Source: https://www.kernel.org/doc/Documentation/sound/alsa/powersave.txt<br />
<br />
If you use a laptop, pm-utils will change {{ic|power_save}} back to 1 when you go onto battery power even if you disable power saving in {{ic|/etc/modprobe.d}}. Disable this for pm-utils by disabling the script that makes the change (see [[Pm-utils#Disabling_a_hook|Disabling a hook]] for more information):<br />
# touch /etc/pm/power.d/intel-audio-powersave<br />
<br />
=== Sound skipping while using dynamic CPU frequency scaling ===<br />
<br />
Some combinations of ALSA drivers and chipsets may cause audio from all sources to skip when used in combination with a dynamic frequency scaling governor such as {{ic|ondemand}} or {{ic|conservative}}. Currently, the solution is to switch back to the {{ic|performance}} governor.<br />
<br />
Refer to the [[CPU frequency scaling]] for more information.<br />
<br />
== Hardware and Cards ==<br />
<br />
=== Verifying output parameters ===<br />
<br />
Check the contents of {{ic|/proc/asound/cardX/pcmYp/subZ/hw_params}}, where {{ic|X}}, {{ic|Y}}, and {{ic|Z}} are system dependent.<br />
In order to find this file, execute the following command while outputting anything via ALSA:<br />
$ find /proc/asound/ -name hw_params | xargs -I FILE grep -v -l "closed" FILE | grep '/proc/asound/card./pcm.p/sub./hw_params'<br />
If nothing is playing there should be no results.<br />
<br />
Here is an example output for audio with a [[Wikipedia:Audio_bit_depth|bit depth]] of 24 bits and a [[Wikipedia:Sampling frequency|sampling frequency]] of 44.1 kilohertz:<br />
{{hc|cat /proc/asound/card1/pcm0p/sub0/hw_params|<br />
access: RW_INTERLEAVED<br />
format: S24_3LE<br />
subformat: STD<br />
channels: 2<br />
rate: 44100 (44100/1)<br />
period_size: 5513<br />
buffer_size: 22050<br />
}}<br />
<br />
More info is available in the [http://alsa.opensrc.org/Proc_asound_documentation ALSA documentation].<br />
<br />
=== Error 'Unknown hardware' appears after kernel update ===<br />
<br />
The following messages may be displayed during ALSA's initialization:<br />
Unknown hardware "foo" "bar" ...<br />
Hardware is initialized using a guess method<br />
/usr/bin/alsactl: set_control:nnnn:failed to obtain info for control #mm (No such file or directory)<br />
<br />
or:<br />
Found hardware: "HDA-Intel" "VIA VT1705" "HDA:11064397,18490397,00100000" "0x1849" "0x0397"<br />
Hardware is initialized using a generic method<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #1 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #2 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #25 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #26 (No such file or directory)<br />
<br />
Simply store ALSA mixer settings again:<br />
# alsactl -f /var/lib/alsa/asound.state store<br />
<br />
It may be necessary configure ALSA again with alsamixer<br />
<br />
=== Fix wrong audio pin mapping ===<br />
<br />
If the mappings to your audio pins(plugs) do not correspond but ALSA works fine, you could try HDA Analyzer -- a pyGTK2 GUI for HD-audio control can be found [http://www.alsa-project.org/main/index.php/HDA_Analyzer at the ALSA wiki].<br />
Try tweaking the Widget Control section of the PIN nodes, to make microphones IN and headphone jacks OUT. Referring to the Config Defaults heading is a good idea.<br />
<br />
{{Note|The script is incompatible with Python 3, which is the default Python implementation on Arch Linux. In order to use the script, replace all occurrences of {{ic|python}} in the {{ic|run.py}} file with {{ic|python2}} to point the script to the Python 2 version. Then make the script [[chmod|executable]] and run it.}}<br />
<br />
=== S/PDIF output does not work ===<br />
<br />
If the optical/coaxial digital output of your motherboard/sound card is not working or stopped working, and have already enabled and unmuted it in alsamixer, try running the following:<br />
$ iecset audio on<br />
<br />
You can also put this command in an enabled [[systemd]] service as it sometimes it may stop working after a reboot.<br />
<br />
=== Conflicting PC speaker ===<br />
<br />
If you are sure nothing is muted, that your drivers are installed correctly, and that your volume is right, but you still do not hear anything, then try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-NAME-OF-MODULE ac97_quirk=0<br />
<br />
The above fix has been observed to work with {{ic|via82xx}}<br />
options snd-NAME-OF-MODULE ac97_quirk=1<br />
The above fix has been reported to work with {{ic|snd-intel8x0}}<br />
<br />
{{Poor writing|Duplicated sections (e.g. for microphone) should be merged with eachother}}<br />
<br />
=== HP TX2500 ===<br />
<br />
Add these 2 lines into {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-cmipci mpu_port=0x330 fm_port=0x388<br />
options snd-hda-intel index=0 model=toshiba position_fix=1<br />
options snd-hda-intel model=hp (works for tx2000cto)<br />
<br />
=== No sound when S/PDIF video card is installed ===<br />
<br />
Discover available modules and their order:<br />
<br />
{{hc|$ cat /proc/asound/modules|<br />
0 snd_hda_intel<br />
1 snd_ca0106<br />
}}<br />
<br />
Disable the undesired video card audio codec in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|<br />
install snd_hda_intel /bin/false<br />
}}<br />
<br />
If both devices use the same module then we can use the {{ic|enable}} parameter from snd_hda_intel module; it is an array of booleans that can enable/disable the desired sound card.<br />
<br />
options snd_hda_intel enable=1,0<br />
<br />
=== Wrong sound card model type ===<br />
<br />
Although ALSA detects your soundcard through the BIOS, at times ALSA may not be able to recognize your [http://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio-Models.txt model type]. The soundcard chip can be found in {{ic|alsamixer}} (e.g. ALC662) and the model can be set in {{ic|/etc/modprobe.d/modprobe.conf}} or {{ic|/etc/modprobe.d/sound.conf}}. For example:<br />
options snd-hda-intel model=MODEL<br />
<br />
There are other model settings too. For most cases ALSA defaults will do. If you want to look at more specific settings for your soundcard take a look at the [http://bugtrack.alsa-project.org/main/index.php/Matrix:Main ALSA Soundcard List] find your model, then Details, then look at the "Setting up modprobe..." section. Enter these values in {{ic|/etc/modprobe.d/modprobe.conf}}. For example, for an Intel AC97 audio:<br />
<br />
{{bc|<br />
# ALSA portion<br />
alias char-major-116 snd<br />
alias snd-card-0 snd-intel8x0<br />
# module options should go here<br />
<br />
# OSS/Free portion<br />
alias char-major-14 soundcore<br />
alias sound-slot-0 snd-card-0<br />
<br />
# card #1<br />
alias sound-service-0-0 snd-mixer-oss<br />
alias sound-service-0-1 snd-seq-oss<br />
alias sound-service-0-3 snd-pcm-oss<br />
alias sound-service-0-8 snd-seq-oss<br />
alias sound-service-0-12 snd-pcm-oss<br />
}}<br />
<br />
=== Intel onboard sound ===<br />
<br />
==== No sound with onboard Intel sound card ====<br />
<br />
There may be a problem with two conflicting modules loaded, namely {{ic|snd-intel8x0}} and {{ic|snd-intel8x0m}}. In this case, blacklist {{ic|snd-intel8x0m}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|blacklist snd-intel8x0m}}<br />
<br />
''Muting'' the "External Amplifier" in {{ic|alsamixer}} or {{ic|amixer}} may also help. See [http://alsa.opensrc.org/Intel8x0#Dell_Inspiron_8600_.28and_probably_others.29 the ALSA wiki].<br />
<br />
Unmuting the "Mix" setting in the mixer might help, also.<br />
<br />
==== No headphone sound with onboard intel sound card ====<br />
<br />
With '''Intel Corporation 82801 I (ICH9 Family) HD Audio Controller''' on laptop, you may need to add this line to modprobe or sound.conf:<br />
<br />
options snd-hda-intel model=''model''<br />
<br />
Where ''model'' is any one of the following:<br />
<br />
* dell-m6<br />
* dell-vostro<br />
* generic<br />
* laptop<br />
* laptop-hpsense<br />
* olpc-xo-1_5<br />
<br />
{{Note|It may be necessary to put this "options" line below (after) any "alias" lines about your card.}}<br />
<br />
You can see all the available models in the kernel documentation. For example [http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/sound/alsa/HD-Audio-Models.txt here], but check that it is the correct version of that document for your kernel version.<br />
<br />
A list of available models is also available [http://www.mjmwired.net/kernel/Documentation/sound/alsa/HD-Audio-Models.txt here]. To know your chip name type the following command (with * being corrected to match your files). Note that some chips could have been renamed and do not directly match the available ones in the file.<br />
<br />
$ grep Codec /proc/asound/card*/codec*<br />
<br />
Note that there is a high chance none of the input devices (all internal and external mics) will work if you choose to do this, so it is either your headphones or your mic. Please report to ALSA if you are affected by this bug.<br />
<br />
And also, if you have problems getting beeps to work (pcspkr):<br />
<br />
options snd-hda-intel model=$model enable=1 index=0<br />
<br />
=== HDMI ===<br />
<br />
==== HDMI Output does not work ====<br />
<br />
The procedure described below can be used to test HDMI audio. Before proceeding, make sure you have enabled and unmuted the output with {{ic|alsamixer}}.<br />
<br />
{{Note|If you are using an AMD card a necessary kernel module is disabled by default. See [[ATI#HDMI audio]].}}<br />
<br />
Connect your PC to the Display via HDMI cable and enable the display with [[xrandr]].<br />
<br />
Use {{ic|aplay -l}} to get the discover the card and device number. For example:<br />
<br />
{{hc|$ aplay -l|2=<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: SB [HDA ATI SB], device 0: ALC892 Analog [ALC892 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: SB [HDA ATI SB], device 1: ALC892 Digital [ALC892 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
'''card 1''': Generic [HD-Audio Generic], '''device 3''': HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
}}<br />
<br />
Send sound to the device. Following the example in the previous step, you would send sound to {{ic|'''card 1'''}}, {{ic|'''device 3'''}}:<br />
<br />
$ aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Center.wav<br />
<br />
If aplay does not output any errors, but still no sound is heard, "reboot" the receiver, monitor or tv set. Since the HDMI interface executes a handshake on connection, it might have noticed before that there was no audio stream embedded, and disabled audio decoding. If you are using a standalone window manager, you may need to have sound playing while plugging in the HDMI cable.<br />
<br />
mplay and other application could be configured to use special HDMI device as audio output. But flashplugin could only use default device. The following method is used to override default device. But you need to change it back when your TV is disconnected from HDMI port.<br />
<br />
If the test is successful, create or edit your {{ic|~/.asoundrc}} file to set HDMI as the default audio device.<br />
<br />
{{hc|~/.asoundrc|<br />
pcm.!default {<br />
type hw<br />
card 1<br />
device 3<br />
}<br />
}}<br />
<br />
Or if the above configuration does not work try:<br />
<br />
{{hc|~/.asoundrc|<br />
defaults.pcm.card 1<br />
defaults.pcm.device 3<br />
defaults.ctl.card 1<br />
}}<br />
<br />
==== PCM through HDMI does not work (Intel Gfx) ====<br />
<br />
As of Linux 3.1 multi-channel PCM output through HDMI with a Intel card (Intel Eaglelake, IbexPeak/Ironlake,SandyBridge/CougarPoint and IvyBridge/PantherPoint) is not yet supported. Support for it has been recently added and expected to be available in Linux 3.2. To make it work in Linux 3.1 you need to apply the following patches:<br />
<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=76adaa34db407f174dd06370cb60f6029c33b465 drm: support routines for HDMI/DP ELD]<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=e0dac65ed45e72fe34cc7ccc76de0ba220bd38bb drm/i915: pass ELD to HDMI/DP audio driver]<br />
<br />
==== HDMI 5.1 sound goes to wrong speakers ====<br />
<br />
Sound can be redirected to the intended speakers using ALSA's {{ic|remap}} function. To do so, add the following to {{ic|/etc/asound.conf}}:<br />
<br />
{{bc|1=<br />
pcm.!hdmi-remap {<br />
type asym<br />
playback.pcm {<br />
type plug<br />
slave.pcm "remap-surround51"<br />
}<br />
}<br />
<br />
pcm.!remap-surround51 {<br />
type route<br />
slave.pcm "hw:0,3"<br />
ttable {<br />
0.0= 1<br />
1.1= 1<br />
2.4= 1<br />
3.5= 1<br />
4.2= 1<br />
5.3= 1<br />
}<br />
}<br />
}}<br />
<br />
== Applications ==<br />
<br />
=== SDL: No sound with SDL applications ===<br />
<br />
If you get no sound using SDL based applications, try setting the [[environment variable]] {{ic|SDL_AUDIODRIVER}} to {{ic|alsa}}.<br />
<br />
=== OpenAL: No sound in applications that use OpenAL ===<br />
<br />
Openal defaults to pulseaudio, to change the order, add the following configuration to {{ic|/etc/openal/alsoft.conf}}:<br />
<br />
{{bc|1=<br />
drivers=alsa,pulse<br />
}}<br />
<br />
=== VirtualBox: Virtual machine has no sound ===<br />
<br />
If you experience problems with VirtualBox, the following command might be helpful:<br />
<br />
{{hc|$ alsactl init|2=<br />
Found hardware: "ICH" "SigmaTel STAC9700,83,84" "AC97a:83847600" "0x8086" "0x0000"<br />
Hardware is initialized using a generic method<br />
}}<br />
<br />
You might need to activate the ALSA output in your audio software as well.<br />
<br />
=== Others: General application problems ===<br />
<br />
For other applications who insist on their own audio setup, e.g., XMMS or MPlayer, you would need to set their specific options.<br />
<br />
For [[MPlayer]] or [[mpv]], add the following line to the respective configuration file:<br />
ao=alsa<br />
<br />
Eg. for XMMS2, go into their options and make sure the sound driver is set to ALSA, not oss.<br />
<br />
To do this in XMMS:<br />
* Open XMMS<br />
** Options > Preferences.<br />
** Choose the ALSA output plugin.<br />
<br />
For applications which do not provide a ALSA output, you can use aoss from the alsa-oss package. To use aoss, when you run the program, prefix it with {{ic|aoss}}, e.g.:<br />
aoss realplay<br />
<br />
pcm.!default{ ... } doesnt work for me anymore. but this does:<br />
pcm.default pcm.dmixer<br />
<br />
== Other Issues ==<br />
<br />
=== Simultaneous playback problems ===<br />
<br />
If you are having problems with simultaneous playback, and if [[PulseAudio]] is installed, its default configuration is set to "hijack" the soundcard. Some users of ALSA may not want to use [[PulseAudio]] and are quite content with their current ALSA settings. One fix is to edit {{ic|/etc/asound.conf}} and comment out the following lines:<br />
{{bc|1=<br />
# Use PulseAudio by default<br />
pcm.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
hint {<br />
show on<br />
description "Default ALSA Output (currently PulseAudio Sound Server)"<br />
}<br />
}<br />
}}<br />
<br />
Commenting the following out also may help:<br />
{{bc|1=<br />
ctl.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
}<br />
}}<br />
<br />
This may be a much simpler solution than completely uninstalling [[PulseAudio]].<br />
<br />
Effectively, here is an example of a working {{ic|/etc/asound.conf}}:<br />
{{bc|1=<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0660<br />
}<br />
pcm.dsp {<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
}}<br />
<br />
{{Note|This {{ic|/etc/asound.conf}} file was intended for and used successfully with a global [[MPD]] configuration. See [[#Problems with availability to only one user at a time]].}}<br />
<br />
=== Removing old ALSA state file (asound.state) ===<br />
<br />
The {{Pkg|alsa-utils}} package provides {{ic|alsa-store.service}} which automatically stores the current ALSA state to {{ic|/var/lib/alsa/asound.state}} upon system shutdown. This can be problematic for users who are trying to reset their current ALSA state as the {{ic|asound.state}} file will be recreated with the current state upon every shutdown (e.g., attempting to remove user-defined channels from the mixer). The {{ic|alsa-store.service}} service may be temporarily disabled by creating the following empty file:<br />
<br />
# mkdir -p /etc/alsa<br />
# touch /etc/alsa/state-daemon.conf<br />
<br />
The presence of {{ic|state-daemon.conf}} prevents {{ic|alsa-store.service}} from saving {{ic|asound.state}} during shutdown. After disabling this service, the {{ic|asound.state}} file may be removed as such:<br />
<br />
# rm /var/lib/alsa/asound.state<br />
<br />
After rebooting, the previous ALSA state should be lost and the current state should be reset to defaults. Re-enable {{ic|alsa-store.service}} by deleting the condition file we created:<br />
<br />
# rm /etc/alsa/state-daemon.conf<br />
<br />
On the next shutdown, the {{ic|asound.state}} file should be recreated with ALSA defaults. The file may also be generated immediately using:<br />
<br />
# alsactl store<br />
<br />
=== Problems with availability to only one user at a time ===<br />
<br />
You might find that only one user can use the dmixer at a time. This is probably ok for most, but for those who run [[mpd]] as a separate user this poses a problem. When mpd is playing a normal user cannot play sounds though the dmixer. While it is quite possible to just run mpd under a user's login account, another solution has been found. Adding the line {{ic|ipc_key_add_uid 0}} to the {{ic|pcm.dmixer}} block disables this locking. The following is a snippet from {{ic|asound.conf}}, the rest is the same as above.<br />
<br />
{{bc|1=<br />
...<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0666<br />
slave {<br />
...<br />
}}</div>Smasher816https://wiki.archlinux.org/index.php?title=Advanced_Linux_Sound_Architecture/Troubleshooting&diff=436914Advanced Linux Sound Architecture/Troubleshooting2016-06-02T10:58:10Z<p>Smasher816: Change ipc_perm to allow all users. mpd did not work with 0660 but does with 0666.</p>
<hr />
<div>[[Category:Sound]]<br />
[[ja:Advanced Linux Sound Architecture/トラブルシューティング]]<br />
See [[Advanced Linux Sound Architecture]] for the main article.<br />
<br />
== Volume ==<br />
<br />
=== Output is muted after reboot ===<br />
<br />
Run the following command:<br />
<br />
# alsactl restore<br />
<br />
If the problem persists, verify that the {{ic|Auto-Mute}} option in ''alsamixer'' is set to {{ic|Disabled}}.<br />
<br />
=== Volume is too low ===<br />
<br />
Run ''alsamixer'' and try to increase the value of the sliders, unmuting channels if necessary. Note that if you have many sliders, you may have to scroll to the right to see any missing sliders.<br />
<br />
If all the sliders are maxed out, and the volume is still too low, you can try running the following [http://www.alsa-project.org/hda-analyzer.py script] to reset your codec settings:<br />
<br />
$ wget http://www.alsa-project.org/hda-analyzer.py<br />
$ su -c 'python2 hda-analyzer.py'<br />
<br />
The script assumes that {{ic|/usr/bin/python}} refers to Python 2, which is incorrect on Arch by default. To avoid this issue run the following command:<br />
<br />
$ sed -i 's/python %s/python2 %s/' hda-analyzer.py<br />
<br />
Close the analyzer, and when prompted as to whether you want to reset the codecs, say "yes".<br />
<br />
If the volume is *still* too low, run ''alsamixer'' again: resetting the codecs may have caused new sliders to become enabled and some of them may be set to a low value.<br />
<br />
=== Low Sound Volume ===<br />
<br />
If you are facing low sound even after maxing out your speakers/headphones, you can give the softvol plugin a try. Add the following to {{ic|/etc/asound.conf}}.<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
<br />
pcm.softvol {<br />
type softvol<br />
slave {<br />
pcm "dmix"<br />
}<br />
control {<br />
name "Pre-Amp"<br />
card 0<br />
}<br />
min_dB -5.0<br />
max_dB 20.0<br />
resolution 6<br />
}<br />
}}<br />
<br />
{{Note|You will probably have to restart the computer, as restarting the alsa daemon did not load the new configuration for me. Also, if the configuration does not work even after restarting, try changing {{ic|plug}} with {{ic|hw}} in the above configuration.}}<br />
<br />
After the changes are loaded successfully, you will see a {{ic|Pre-Amp}} section in alsamixer. You can adjust the levels there.<br />
{{Note|<br />
* Setting a high value for {{ic|Pre-Amp}} can cause sound distortion, so adjust it according to the level that suits you.<br />
* Some audio codecs may need to have settings adjusted in the HDA Analyzer (see [[#Volume is too low]]) in order to achieve proper volume without distortion. Checking the HP option under widget control in the Playback Switch (Node[0x14] PIN in the ALC892 codec, for instance) can sometimes improve audio quality and volume significantly.<br />
}}<br />
<br />
=== Random lack of sound on startup ===<br />
<br />
You can quickly test sound by running {{ic|speaker-test}}. If there is no sound, the error message might look something like<br />
<br />
ALSA lib pcm_dmix.c:1022:(snd_pcm_dmix_open) unable to open slave<br />
Playback open error: -16<br />
Device or resource busy<br />
<br />
If you have no sound on startup, this may be because your system has multiple sound cards, and their order may sometimes change on startup. If this is the case, try [[ALSA#Set the default sound card|setting the default sound card]].<br />
<br />
If you use mpd and the configuration tips above do not work for you, try [http://mpd.wikia.com/wiki/Configuration#ALSA_MPD_software_volume_control reading this] instead.<br />
<br />
== Microphone ==<br />
<br />
=== No microphone input ===<br />
<br />
In alsamixer, make sure that all the volume levels are up under recording, and that CAPTURE is toggled active on the microphone (e.g. Mic, Internal Mic) and/or on Capture (in alsamixer, select these items and press space). Try making positive Mic Boost and raising Capture and Digital levels higher; this make make static or distortion, but then you can adjust them back down once you are hearing ''something'' when you record<br />
<br />
As the pulseaudio wrapper is shown as "default" in alsamixer, you may have to press F6 to select your actual soundcard first. You may also need to enable and increase the volume of Line-in in the Playback section.<br />
<br />
To test the microphone, run these commands (see arecord's man page for further information):<br />
<br />
$ arecord -d 5 test-mic.wav<br />
$ aplay test-mic.wav<br />
<br />
Alternatively, you can run this command:<br />
<br />
$ arecord -vv -f dat /dev/null<br />
<br />
alongside alsamixer to easily identify channel which you should select and unmute.<br />
<br />
<br />
If all fails, you may want to eliminate hardware failure by testing the microphone with a different device.<br />
<br />
For at least some computers, muting a microphone (MM) simply means its input does not go immediately to the speakers. It still receives input.<br />
<br />
Many Dell laptops need "-dmic" to be appended to the model name in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-hda-intel model=dell-m6-dmic<br />
<br />
Some programs use try to use OSS as the main input software. If you have enabled the {{ic|snd_pcm_oss}}, {{ic|snd_mixer_oss}} or {{ic|snd_seq_oss}} [[kernel modules]] previously (they are not loaded by default), try unloading them.<br />
<br />
See also:<br />
* http://www.alsa-project.org/main/index.php/SoundcardTesting<br />
* http://alsa.opensrc.org/Record_from_mic<br />
<br />
=== Setting the default microphone/capture device ===<br />
<br />
Some applications (Pidgin, Adobe Flash) do not provide an option to change the capture device. It becomes a problem if your microphone is on a separate device (e.g. USB webcam or microphone) than your internal sound card. To change only the default capture device, leaving the default playback device as is, you can modify your {{ic|~/.asoundrc}} file to include the following:<br />
<br />
{{bc|<br />
pcm.usb<br />
{<br />
type hw<br />
card U0x46d0x81d<br />
}<br />
<br />
pcm.!default<br />
{<br />
type asym<br />
playback.pcm<br />
{<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
capture.pcm<br />
{<br />
type plug<br />
slave.pcm "usb"<br />
}<br />
}<br />
}}<br />
<br />
Replace "U0x46d0x81d" with your capture device's card name in ALSA. You can use {{ic|arecord -L}} to list all the capture devices detected by ALSA.<br />
<br />
=== Internal microphone not working ===<br />
<br />
First make sure the volume is enabled under the {{ic|Capture}} view in ''alsamixer''. In some case, the "Internal Microphone" is not displayed in the capture list available when pressing F4. If so, specifying the card number given by {{ic|aplay -l}} to start ''alsamixer'' (for example {{ic|alsamixer -c 0}} ) can make it appears. <br />
<br />
<br />
Then add the following to {{ic|/etc/modprobe.d/snd-hda-intel.conf}}:<br />
<br />
options snd-hda-intel enable_msi=1<br />
<br />
Then reload the module:<br />
<br />
# rmmod snd-hda-intel && modprobe snd-hda-intel<br />
<br />
Now there should be an additional input under the previously mentioned {{ic|Capture}} view.<br />
<br />
=== Crackling microphone ===<br />
<br />
If you are getting a crackling or popping from your microphone that cannot be resolved with ALSA settings or cleaning your microphone jack, try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-hda-intel model=MODEL position_fix=3<br />
<br />
This option will fix crackling on pure ALSA, but will cause issues to pulseaudio. To let Pulse use these settings effectively, edit {{ic|/etc/pulse/default.pa}} and find this line:<br />
<br />
load-module module-udev-detect<br />
<br />
And change it to this:<br />
<br />
load-module module-udev-detect tsched=0<br />
<br />
See the DMA-Position Problem in the kernel docs.<br />
<br />
* [https://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio.txt HD-audio Kernel Docs]<br />
<br />
== Audio Quality ==<br />
<br />
=== Crackling sound through mini-jack (headphones connector) ===<br />
<br />
Whether you followed [[Advanced_Linux_Sound_Architecture#Simultaneous_output|simultaneous output tip]] or managed to get it done on your own, you might get crackling sound through headphones or external speakers. This can be fixed by muting '''or''' setting volume to 0% on item '''Mic'''. Use {{ic|alsamixer}} or {{ic|amixer}}:<br />
$ amixer sset "Mic" 0%<br />
$ amixer sset "Mic" mute<br />
<br />
=== Popping sound after resuming from suspension ===<br />
<br />
You might hear a popping sound after resuming the computer from suspension. This can be fixed by editing {{ic|/etc/pm/sleep.d/90alsa}} and removing the line that says {{ic|aplay -d 1 /dev/zero}}<br />
<br />
=== Sound skipping during playback ===<br />
<br />
Run ''alsamixer'', and if channels exist for nonexistent output devices then disable them (e.g. ''alsamixer'' showing a center speaker but you not having one).<br />
<br />
=== Crackling sound with USB sound devices ===<br />
<br />
Try modifying the parameters of the {{ic|snd-usb-audio}} [[kernel module]] for minimal latency via {{ic|modprobe.conf}}.<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|2=<br />
options snd-usb-audio nrpacks=1}}<br />
<br />
For more information, see the following: [http://alsa.opensrc.org/Usb-audio#Tuning_USB_devices_for_minimal_latencies Tuning USB devices for minimal latency]<br />
<br />
=== Poor sound quality or clipping ===<br />
<br />
If you experience poor sound quality, try setting the PCM volume (in alsamixer) to a level such that gain is 0.<br />
<br />
If snd-usb-audio driver has been loaded, you could try to enable {{ic|softvol}} in {{ic|/etc/asound.conf}} file. Example configuration for the first audio device:<br />
<br />
{{bc|1=<br />
pcm.!default {<br />
type plug<br />
slave.pcm "softvol"<br />
}<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.dsnooper {<br />
type dsnoop<br />
ipc_key 1024<br />
slave {<br />
pcm "hw:0"<br />
channels 2<br />
period_size 4096<br />
buffer_size 131072<br />
rate 50000<br />
}<br />
bindings {<br />
0 0<br />
1 1<br />
}<br />
}<br />
pcm.softvol {<br />
type softvol<br />
slave { pcm "dmixer" }<br />
control {<br />
name "Master"<br />
card 0<br />
}<br />
}<br />
ctl.!default {<br />
type hw<br />
card 0<br />
}<br />
ctl.softvol {<br />
type hw<br />
card 0<br />
}<br />
ctl.dmixer {<br />
type hw<br />
card 0<br />
}<br />
}}<br />
<br />
=== Pops when starting and stopping playback ===<br />
<br />
Some modules (e.g. snd_ac97_codec and snd_hda_intel) can power off your sound card when not in use. This can make an audible noise (like a crack/pop/scratch) when turning on/off your sound card. Sometimes even when move the slider volume, or open and close windows (KDE4). If you find this annoying try {{ic|modinfo snd_MY_MODULE}}, and look for a module option that adjusts or disables this feature.<br />
<br />
''Example'': disable the power saving mode and solve cracking sound trough speakers problem, using snd_hda_intel add in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd_hda_intel power_save=0<br />
or:<br />
options snd_hda_intel power_save=0 power_save_controller=N<br />
<br />
You can also try it with {{ic|1=modprobe snd_hda_intel power_save=0}} before.<br />
<br />
You may also have to unmute the 'Line' ALSA channel for this to work. Any value will do (other than '0' or something too high).<br />
<br />
''Example:'' on an onboard VIA VT1708S (using the snd_hda_intel module) these cracks occured even though 'power_save' was set to 0. Unmuting the 'Line' channel and setting a value of '1' solved the problem.<br />
<br />
Source: https://www.kernel.org/doc/Documentation/sound/alsa/powersave.txt<br />
<br />
If you use a laptop, pm-utils will change {{ic|power_save}} back to 1 when you go onto battery power even if you disable power saving in {{ic|/etc/modprobe.d}}. Disable this for pm-utils by disabling the script that makes the change (see [[Pm-utils#Disabling_a_hook|Disabling a hook]] for more information):<br />
# touch /etc/pm/power.d/intel-audio-powersave<br />
<br />
=== Sound skipping while using dynamic CPU frequency scaling ===<br />
<br />
Some combinations of ALSA drivers and chipsets may cause audio from all sources to skip when used in combination with a dynamic frequency scaling governor such as {{ic|ondemand}} or {{ic|conservative}}. Currently, the solution is to switch back to the {{ic|performance}} governor.<br />
<br />
Refer to the [[CPU frequency scaling]] for more information.<br />
<br />
== Hardware and Cards ==<br />
<br />
=== Verifying output parameters ===<br />
<br />
Check the contents of {{ic|/proc/asound/cardX/pcmYp/subZ/hw_params}}, where {{ic|X}}, {{ic|Y}}, and {{ic|Z}} are system dependent.<br />
In order to find this file, execute the following command while outputting anything via ALSA:<br />
$ find /proc/asound/ -name hw_params | xargs -I FILE grep -v -l "closed" FILE | grep '/proc/asound/card./pcm.p/sub./hw_params'<br />
If nothing is playing there should be no results.<br />
<br />
Here is an example output for audio with a [[Wikipedia:Audio_bit_depth|bit depth]] of 24 bits and a [[Wikipedia:Sampling frequency|sampling frequency]] of 44.1 kilohertz:<br />
{{hc|cat /proc/asound/card1/pcm0p/sub0/hw_params|<br />
access: RW_INTERLEAVED<br />
format: S24_3LE<br />
subformat: STD<br />
channels: 2<br />
rate: 44100 (44100/1)<br />
period_size: 5513<br />
buffer_size: 22050<br />
}}<br />
<br />
More info is available in the [http://alsa.opensrc.org/Proc_asound_documentation ALSA documentation].<br />
<br />
=== Error 'Unknown hardware' appears after kernel update ===<br />
<br />
The following messages may be displayed during ALSA's initialization:<br />
Unknown hardware "foo" "bar" ...<br />
Hardware is initialized using a guess method<br />
/usr/bin/alsactl: set_control:nnnn:failed to obtain info for control #mm (No such file or directory)<br />
<br />
or:<br />
Found hardware: "HDA-Intel" "VIA VT1705" "HDA:11064397,18490397,00100000" "0x1849" "0x0397"<br />
Hardware is initialized using a generic method<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #1 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #2 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #25 (No such file or directory)<br />
/usr/bin/alsactl: set_control:1328: failed to obtain info for control #26 (No such file or directory)<br />
<br />
Simply store ALSA mixer settings again:<br />
# alsactl -f /var/lib/alsa/asound.state store<br />
<br />
It may be necessary configure ALSA again with alsamixer<br />
<br />
=== Fix wrong audio pin mapping ===<br />
<br />
If the mappings to your audio pins(plugs) do not correspond but ALSA works fine, you could try HDA Analyzer -- a pyGTK2 GUI for HD-audio control can be found [http://www.alsa-project.org/main/index.php/HDA_Analyzer at the ALSA wiki].<br />
Try tweaking the Widget Control section of the PIN nodes, to make microphones IN and headphone jacks OUT. Referring to the Config Defaults heading is a good idea.<br />
<br />
{{Note|The script is incompatible with Python 3, which is the default Python implementation on Arch Linux. In order to use the script, replace all occurrences of {{ic|python}} in the {{ic|run.py}} file with {{ic|python2}} to point the script to the Python 2 version. Then make the script [[chmod|executable]] and run it.}}<br />
<br />
=== S/PDIF output does not work ===<br />
<br />
If the optical/coaxial digital output of your motherboard/sound card is not working or stopped working, and have already enabled and unmuted it in alsamixer, try running the following:<br />
$ iecset audio on<br />
<br />
You can also put this command in an enabled [[systemd]] service as it sometimes it may stop working after a reboot.<br />
<br />
=== Conflicting PC speaker ===<br />
<br />
If you are sure nothing is muted, that your drivers are installed correctly, and that your volume is right, but you still do not hear anything, then try adding the following line to {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
options snd-NAME-OF-MODULE ac97_quirk=0<br />
<br />
The above fix has been observed to work with {{ic|via82xx}}<br />
options snd-NAME-OF-MODULE ac97_quirk=1<br />
The above fix has been reported to work with {{ic|snd-intel8x0}}<br />
<br />
{{Poor writing|Duplicated sections (e.g. for microphone) should be merged with eachother}}<br />
<br />
=== HP TX2500 ===<br />
<br />
Add these 2 lines into {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
options snd-cmipci mpu_port=0x330 fm_port=0x388<br />
options snd-hda-intel index=0 model=toshiba position_fix=1<br />
options snd-hda-intel model=hp (works for tx2000cto)<br />
<br />
=== No sound when S/PDIF video card is installed ===<br />
<br />
Discover available modules and their order:<br />
<br />
{{hc|$ cat /proc/asound/modules|<br />
0 snd_hda_intel<br />
1 snd_ca0106<br />
}}<br />
<br />
Disable the undesired video card audio codec in {{ic|/etc/modprobe.d/modprobe.conf}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|<br />
install snd_hda_intel /bin/false<br />
}}<br />
<br />
If both devices use the same module then we can use the {{ic|enable}} parameter from snd_hda_intel module; it is an array of booleans that can enable/disable the desired sound card.<br />
<br />
options snd_hda_intel enable=1,0<br />
<br />
=== Wrong sound card model type ===<br />
<br />
Although ALSA detects your soundcard through the BIOS, at times ALSA may not be able to recognize your [http://www.kernel.org/doc/Documentation/sound/alsa/HD-Audio-Models.txt model type]. The soundcard chip can be found in {{ic|alsamixer}} (e.g. ALC662) and the model can be set in {{ic|/etc/modprobe.d/modprobe.conf}} or {{ic|/etc/modprobe.d/sound.conf}}. For example:<br />
options snd-hda-intel model=MODEL<br />
<br />
There are other model settings too. For most cases ALSA defaults will do. If you want to look at more specific settings for your soundcard take a look at the [http://bugtrack.alsa-project.org/main/index.php/Matrix:Main ALSA Soundcard List] find your model, then Details, then look at the "Setting up modprobe..." section. Enter these values in {{ic|/etc/modprobe.d/modprobe.conf}}. For example, for an Intel AC97 audio:<br />
<br />
{{bc|<br />
# ALSA portion<br />
alias char-major-116 snd<br />
alias snd-card-0 snd-intel8x0<br />
# module options should go here<br />
<br />
# OSS/Free portion<br />
alias char-major-14 soundcore<br />
alias sound-slot-0 snd-card-0<br />
<br />
# card #1<br />
alias sound-service-0-0 snd-mixer-oss<br />
alias sound-service-0-1 snd-seq-oss<br />
alias sound-service-0-3 snd-pcm-oss<br />
alias sound-service-0-8 snd-seq-oss<br />
alias sound-service-0-12 snd-pcm-oss<br />
}}<br />
<br />
=== Intel onboard sound ===<br />
<br />
==== No sound with onboard Intel sound card ====<br />
<br />
There may be a problem with two conflicting modules loaded, namely {{ic|snd-intel8x0}} and {{ic|snd-intel8x0m}}. In this case, blacklist {{ic|snd-intel8x0m}}:<br />
<br />
{{hc|/etc/modprobe.d/modprobe.conf|blacklist snd-intel8x0m}}<br />
<br />
''Muting'' the "External Amplifier" in {{ic|alsamixer}} or {{ic|amixer}} may also help. See [http://alsa.opensrc.org/Intel8x0#Dell_Inspiron_8600_.28and_probably_others.29 the ALSA wiki].<br />
<br />
Unmuting the "Mix" setting in the mixer might help, also.<br />
<br />
==== No headphone sound with onboard intel sound card ====<br />
<br />
With '''Intel Corporation 82801 I (ICH9 Family) HD Audio Controller''' on laptop, you may need to add this line to modprobe or sound.conf:<br />
<br />
options snd-hda-intel model=''model''<br />
<br />
Where ''model'' is any one of the following:<br />
<br />
* dell-m6<br />
* dell-vostro<br />
* generic<br />
* laptop<br />
* laptop-hpsense<br />
* olpc-xo-1_5<br />
<br />
{{Note|It may be necessary to put this "options" line below (after) any "alias" lines about your card.}}<br />
<br />
You can see all the available models in the kernel documentation. For example [http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/tree/Documentation/sound/alsa/HD-Audio-Models.txt here], but check that it is the correct version of that document for your kernel version.<br />
<br />
A list of available models is also available [http://www.mjmwired.net/kernel/Documentation/sound/alsa/HD-Audio-Models.txt here]. To know your chip name type the following command (with * being corrected to match your files). Note that some chips could have been renamed and do not directly match the available ones in the file.<br />
<br />
$ grep Codec /proc/asound/card*/codec*<br />
<br />
Note that there is a high chance none of the input devices (all internal and external mics) will work if you choose to do this, so it is either your headphones or your mic. Please report to ALSA if you are affected by this bug.<br />
<br />
And also, if you have problems getting beeps to work (pcspkr):<br />
<br />
options snd-hda-intel model=$model enable=1 index=0<br />
<br />
=== HDMI ===<br />
<br />
==== HDMI Output does not work ====<br />
<br />
The procedure described below can be used to test HDMI audio. Before proceeding, make sure you have enabled and unmuted the output with {{ic|alsamixer}}.<br />
<br />
{{Note|If you are using an AMD card a necessary kernel module is disabled by default. See [[ATI#HDMI audio]].}}<br />
<br />
Connect your PC to the Display via HDMI cable and enable the display with [[xrandr]].<br />
<br />
Use {{ic|aplay -l}} to get the discover the card and device number. For example:<br />
<br />
{{hc|$ aplay -l|2=<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: SB [HDA ATI SB], device 0: ALC892 Analog [ALC892 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: SB [HDA ATI SB], device 1: ALC892 Digital [ALC892 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
'''card 1''': Generic [HD-Audio Generic], '''device 3''': HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
}}<br />
<br />
Send sound to the device. Following the example in the previous step, you would send sound to {{ic|'''card 1'''}}, {{ic|'''device 3'''}}:<br />
<br />
$ aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Center.wav<br />
<br />
If aplay does not output any errors, but still no sound is heard, "reboot" the receiver, monitor or tv set. Since the HDMI interface executes a handshake on connection, it might have noticed before that there was no audio stream embedded, and disabled audio decoding. If you are using a standalone window manager, you may need to have sound playing while plugging in the HDMI cable.<br />
<br />
mplay and other application could be configured to use special HDMI device as audio output. But flashplugin could only use default device. The following method is used to override default device. But you need to change it back when your TV is disconnected from HDMI port.<br />
<br />
If the test is successful, create or edit your {{ic|~/.asoundrc}} file to set HDMI as the default audio device.<br />
<br />
{{hc|~/.asoundrc|<br />
pcm.!default {<br />
type hw<br />
card 1<br />
device 3<br />
}<br />
}}<br />
<br />
Or if the above configuration does not work try:<br />
<br />
{{hc|~/.asoundrc|<br />
defaults.pcm.card 1<br />
defaults.pcm.device 3<br />
defaults.ctl.card 1<br />
}}<br />
<br />
==== PCM through HDMI does not work (Intel Gfx) ====<br />
<br />
As of Linux 3.1 multi-channel PCM output through HDMI with a Intel card (Intel Eaglelake, IbexPeak/Ironlake,SandyBridge/CougarPoint and IvyBridge/PantherPoint) is not yet supported. Support for it has been recently added and expected to be available in Linux 3.2. To make it work in Linux 3.1 you need to apply the following patches:<br />
<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=76adaa34db407f174dd06370cb60f6029c33b465 drm: support routines for HDMI/DP ELD]<br />
* [http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=patch;h=e0dac65ed45e72fe34cc7ccc76de0ba220bd38bb drm/i915: pass ELD to HDMI/DP audio driver]<br />
<br />
==== HDMI 5.1 sound goes to wrong speakers ====<br />
<br />
Sound can be redirected to the intended speakers using ALSA's {{ic|remap}} function. To do so, add the following to {{ic|/etc/asound.conf}}:<br />
<br />
{{bc|1=<br />
pcm.!hdmi-remap {<br />
type asym<br />
playback.pcm {<br />
type plug<br />
slave.pcm "remap-surround51"<br />
}<br />
}<br />
<br />
pcm.!remap-surround51 {<br />
type route<br />
slave.pcm "hw:0,3"<br />
ttable {<br />
0.0= 1<br />
1.1= 1<br />
2.4= 1<br />
3.5= 1<br />
4.2= 1<br />
5.3= 1<br />
}<br />
}<br />
}}<br />
<br />
== Applications ==<br />
<br />
=== SDL: No sound with SDL applications ===<br />
<br />
If you get no sound using SDL based applications, try setting the [[environment variable]] {{ic|SDL_AUDIODRIVER}} to {{ic|alsa}}.<br />
<br />
=== OpenAL: No sound in applications that use OpenAL ===<br />
<br />
Openal defaults to pulseaudio, to change the order, add the following configuration to {{ic|/etc/openal/alsoft.conf}}:<br />
<br />
{{bc|1=<br />
drivers=alsa,pulse<br />
}}<br />
<br />
=== VirtualBox: Virtual machine has no sound ===<br />
<br />
If you experience problems with VirtualBox, the following command might be helpful:<br />
<br />
{{hc|$ alsactl init|2=<br />
Found hardware: "ICH" "SigmaTel STAC9700,83,84" "AC97a:83847600" "0x8086" "0x0000"<br />
Hardware is initialized using a generic method<br />
}}<br />
<br />
You might need to activate the ALSA output in your audio software as well.<br />
<br />
=== Others: General application problems ===<br />
<br />
For other applications who insist on their own audio setup, e.g., XMMS or MPlayer, you would need to set their specific options.<br />
<br />
For [[MPlayer]] or [[mpv]], add the following line to the respective configuration file:<br />
ao=alsa<br />
<br />
Eg. for XMMS2, go into their options and make sure the sound driver is set to ALSA, not oss.<br />
<br />
To do this in XMMS:<br />
* Open XMMS<br />
** Options > Preferences.<br />
** Choose the ALSA output plugin.<br />
<br />
For applications which do not provide a ALSA output, you can use aoss from the alsa-oss package. To use aoss, when you run the program, prefix it with {{ic|aoss}}, e.g.:<br />
aoss realplay<br />
<br />
pcm.!default{ ... } doesnt work for me anymore. but this does:<br />
pcm.default pcm.dmixer<br />
<br />
== Other Issues ==<br />
<br />
=== Simultaneous playback problems ===<br />
<br />
If you are having problems with simultaneous playback, and if [[PulseAudio]] is installed, its default configuration is set to "hijack" the soundcard. Some users of ALSA may not want to use [[PulseAudio]] and are quite content with their current ALSA settings. One fix is to edit {{ic|/etc/asound.conf}} and comment out the following lines:<br />
{{bc|1=<br />
# Use PulseAudio by default<br />
pcm.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
hint {<br />
show on<br />
description "Default ALSA Output (currently PulseAudio Sound Server)"<br />
}<br />
}<br />
}}<br />
<br />
Commenting the following out also may help:<br />
{{bc|1=<br />
ctl.!default {<br />
type pulse<br />
fallback "sysdefault"<br />
}<br />
}}<br />
<br />
This may be a much simpler solution than completely uninstalling [[PulseAudio]].<br />
<br />
Effectively, here is an example of a working {{ic|/etc/asound.conf}}:<br />
{{bc|1=<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0660<br />
}<br />
pcm.dsp {<br />
type plug<br />
slave.pcm "dmix"<br />
}<br />
}}<br />
<br />
{{Note|This {{ic|/etc/asound.conf}} file was intended for and used successfully with a global [[MPD]] configuration. See [[#Problems with availability to only one user at a time]].}}<br />
<br />
=== Removing old ALSA state file (asound.state) ===<br />
<br />
The {{Pkg|alsa-utils}} package provides {{ic|alsa-store.service}} which automatically stores the current ALSA state to {{ic|/var/lib/alsa/asound.state}} upon system shutdown. This can be problematic for users who are trying to reset their current ALSA state as the {{ic|asound.state}} file will be recreated with the current state upon every shutdown (e.g., attempting to remove user-defined channels from the mixer). The {{ic|alsa-store.service}} service may be temporarily disabled by creating the following empty file:<br />
<br />
# mkdir -p /etc/alsa<br />
# touch /etc/alsa/state-daemon.conf<br />
<br />
The presence of {{ic|state-daemon.conf}} prevents {{ic|alsa-store.service}} from saving {{ic|asound.state}} during shutdown. After disabling this service, the {{ic|asound.state}} file may be removed as such:<br />
<br />
# rm /var/lib/alsa/asound.state<br />
<br />
After rebooting, the previous ALSA state should be lost and the current state should be reset to defaults. Re-enable {{ic|alsa-store.service}} by deleting the condition file we created:<br />
<br />
# rm /etc/alsa/state-daemon.conf<br />
<br />
On the next shutdown, the {{ic|asound.state}} file should be recreated with ALSA defaults. The file may also be generated immediately using:<br />
<br />
# alsactl store<br />
<br />
=== Problems with availability to only one user at a time ===<br />
<br />
You might find that only one user can use the dmixer at a time. This is probably ok for most, but for those who run [[mpd]] as a separate user this poses a problem. When mpd is playing a normal user cannot play sounds though the dmixer. While it is quite possible to just run mpd under a user's login account, another solution has been found. Adding the line {{ic|ipc_key_add_uid 0}} to the {{ic|pcm.dmixer}} block disables this locking. The following is a snippet from {{ic|asound.conf}}, the rest is the same as above.<br />
<br />
{{bc|1=<br />
...<br />
pcm.dmixer {<br />
type dmix<br />
ipc_key 1024<br />
ipc_key_add_uid 0<br />
ipc_perm 0666<br />
slave {<br />
...<br />
}}</div>Smasher816https://wiki.archlinux.org/index.php?title=Talk:Rxvt-unicode&diff=353739Talk:Rxvt-unicode2014-12-28T08:28:10Z<p>Smasher816: /* Error in Colors Section? */ new section</p>
<hr />
<div>== "Improved Kuake-like behavior in Openbox" section should have its own page ==<br />
<br />
I was thinking of refactoring the urxvt page to have 'Tips and tricks' for non Perl extensions, and create a new section 'Perl extensions'. While I was thinking which should go first in the doc order I noticed that "Improved Kuake..." is like a page within a page. It adds a lot of content to what would be a compact 'Tips and tricks' section, once the Perl exts are moved out. I'm not bold enough to make this edit, what do others think? --[[User:StephenB|StephenB]] 16:37, 14 August 2010 (EDT)<br />
<br />
== "Using urxvt with Nautilus "Open in Terminal" ==<br />
<br />
I use Openbox but figured this information is most relevant to rxvt-unicode and so might like to be included on the wiki page. I found that the gnome-terminal package opens xterm by default. This [https://bbs.archlinux.org/viewtopic.php?id=108388 thread] in the forums provides a solution.<br />
<br />
Install gnome-vfs and gconf-editor and edit the config using gconf-editor<br />
<br />
pacman -S gnome-vfs gconf-editor<br />
<br />
As normal user run:<br />
<br />
gconf-editor<br />
<br />
Drill down to desktop/gnome/applications/terminal/ and alter the values to:<br />
<br />
{| border="1"<br />
|exec<br />
|urxvt<br />
|-<br />
|exec_arg<br />
| -e<br />
|}<br />
<br />
I removed gnome-vfs (as its deprecated) afterward without any issues as all I needed was the keys created in gconf-editor. I suppose you might be able to manually create the key as an alternative. --[[User:James_Robertson|James_Robertson]] 14:29, 27 February 2011 (AEDT)<br />
<br />
=== Sourcing Xresources ===<br />
<br />
Does anyone know how to source ~/.Xresources when opening urxvt -e from Nautilus?<br />
--[[User:Orschiro|Orschiro]] ([[User talk:Orschiro|talk]]) 19:46, 12 November 2014 (UTC)<br />
<br />
:See [[Rxvt-unicode#Creating_.7E.2F.Xresources]] and [[X resources]], you need to do {{ic|xrdb -merge ~/.Xresources}}. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:00, 12 November 2014 (UTC)<br />
<br />
== A better alternative to URxvt.colorUL ==<br />
<br />
URxvt.colorUL changes the appearance of ALL underlined text. A better solution would be to use something like this:<br />
<br />
<code>URxvt.matcher.rend.0: Uline Bold fg8</code><br />
<br />
<br />
''Source: http://nion.modprobe.de/blog/archives/653-URL-highlighting-in-rxvt-unicode.html''<br />
<br />
== Sample Xresources File ==<br />
<br />
I actually dug in to the publicly available rxvt source code to compile this list. [http://uploads.askapache.com/2013/07/Xresources.txt]<br />
<br />
-[[User:AskApache|AskApache]] ([[User talk:AskApache|talk]]) 00:22, 3 August 2013 (UTC)<br />
<br />
== Error in Colors Section? ==<br />
<br />
In the .Xresources file for the color section there are lines such as "URxvt*background = black" and "URxvt*foreground = white" which will produce errors with xrdb (at least for me). I have not tested the actual color codes yet but it would seem like this section could be looked at for correctness.</div>Smasher816https://wiki.archlinux.org/index.php?title=Irssi&diff=217723Irssi2012-08-14T00:21:58Z<p>Smasher816: '/save layouts' creates a file named 'layouts'. '/layout save' will save the current layout. More info @ http://irssi.org/beginner/#c4</p>
<hr />
<div>[[Category:Internet Relay Chat]]<br />
[[bg:Irssi]]<br />
[[es:Irssi]]<br />
[[fr:Irssi]]<br />
[[sv:Irssi]]<br />
[[tr:Irssi]]<br />
[[zh-CN:Irssi]]<br />
[[zh-TW:Irssi]]<br />
{{Article summary start}}<br />
{{Article summary text|This article covers irssi installation and configuration.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|IRC Channels}}<br />
{{Article summary wiki|IRC Channel}}<br />
{{Article summary end}}<br />
<br />
[http://www.irssi.org/ irssi] is a modular, ncurses based IRC (Internet Relay Chat) client for UNIX systems. It also supports SILC and ICB protocols via plugins.<br />
<br />
==Installation==<br />
[[pacman|Install]] {{Pkg|irssi}}, available in the [[Official Repositories]].<br />
<br />
==Configuration==<br />
Personal configuration file should be located at {{ic|~/.irssi/config}}. You can start irssi with an alternate config file using the {{ic|--config}} flag.<br />
<br />
* You can use {{ic|/save}} to save your current configuration to the config file.<br />
<br />
* You can save the location of your currently opened windows by entering {{ic|/layout save}}<br />
<br />
* It sometimes might happen that umlauts are not correctly displayed. To fix this problem you have to set the right encoding with the following commands directly in irssi.<br />
<br />
/set recode_autodetect_utf8 ON <br />
/set recode_fallback CP1252<br />
/save<br />
<br />
===Auto-connect to #archlinux on startup===<br />
Start irssi and then type the following in it:<br />
{{bc|/server add -auto -network fn irc.freenode.net}}<br />
{{ic|fn}} is a common abbreviation for the freenode network, but any preferred word can be substituted for it (e.g. {{ic|foo}}).<br />
<br />
Now to automatically identify your nick for a given password, type:<br />
/network add -nick user -autosendcmd "/^msg nickserv IDENTIFY *******" fn<br />
where {{ic|user}} is the nick with which you registered to nickserv and {{ic|*******}} is the password for that nick, replace {{ic|fn}} with the word that you used in the first command (e.g foo) if that is the case.<br />
{{Note|Password will be visible when you type it and also it can be seen in ~/.irssi/config, so you can omit this step if you want to.}}<br />
/channel add -auto #archlinux fn<br />
/channel add -auto #archlinux-offtopic fn<br />
/save<br />
/quit<br />
<br />
===Hide joins, parts, and quits===<br />
In order to ignore showing of joining,leaving,quiting of users for all channels type the following in irssi:<br />
/ignore * joins<br />
/ignore * parts<br />
/ignore * quits<br />
/save<br />
<br />
==Basic Usage==<br />
{{Note|This section assumes you already know the basics of [[Wikipedia:Internet Relay Chat|IRC]] and have used other clients in the past. For a more detailed introduction check the [http://irssi.org/documentation official documentation].}}<br />
<br />
To start irssi issue the following command in a terminal:<br />
{{bc|$ irssi}}<br />
<br />
Many people prefer to run irssi within a terminal multiplexer since some scripts like the [http://wouter.coekaerts.be/site/irssi/nicklist nicklist.pl] script are dependent on a secondary window. Additionally, it allows the user to easily disconnect and reconnect to a session. Therefore, it is recommended that you select a multiplexer (e.g. [[GNU Screen]] or [[tmux]]) and review how it functions.<br />
<br />
===Commands===<br />
{|<br />
|-<br />
!width= 100 |<br />
!width= 65 |<br />
!<br />
|-<br />
|colspan="3"|'''Connection'''<br />
|-<br />
| {{ic|/server}}<br />
| {{ic|/s}}<br />
| These change the server of the current network.<br />
|-<br />
| {{ic|/connect}}<br />
| {{ic|/c}}<br />
| These open a new connection to a server. This is what you want to use in order to connect to multiple servers simultaneously (Ctrl+X switches between multiple servers).<br />
|-<br />
| {{ic|/disconnect}}<br />
| {{ic|/dc}}<br />
| These close the current connection to a server.<br />
|-<br />
|colspan="3"|'''Movement'''<br />
|-<br />
| colspan="2" | {{ic|ALT+(1-0,q-p,etc)}}<br />
| Changes the currently active window. Or use Ctrl+n for the next window or Ctrl+p for the previous window. <br />
|-<br />
| {{ic|/window 1}}<br />
| {{ic|/w 1}}<br />
| Takes you to the first window. Windows go from are numbered across the top of your keyboard (1-0) and then start on the next row down (q-p).<br />
|-<br />
| {{ic|/window close}}<br />
| {{ic|/wc}}<br />
| These close the current window.<br />
|-<br />
| {{ic|/window move 1}}<br />
| {{ic|/w move 1}}<br />
| These move the current window to the first window position.<br />
|-<br />
| colspan="2" | {{ic|/layout save}}<br />
| This will save the current window positions for the next time you start irssi.<br />
|-<br />
|colspan="3"|'''Miscellaneous'''<br />
|-<br />
| colspan="2" | {{ic|/set}}<br />
| This shows a list of all your current settings.<br />
|-<br />
| colspan="2" | {{ic|/help}}<br />
| This provides a helpful description/explanation for whatever parameter provided.<br />
|-<br />
| colspan="2" | {{ic|/alias}}<br />
| Lets you create your own shortcuts.<br />
|}<br />
<br />
== Script installation ==<br />
As an example, this section will outline the installation of a spell checking script.<br />
<br />
Install {{Pkg|ispell}}, an interactive spell-checking program for Unix:<br />
# pacman -S ispell<br />
<br />
Create a directory to hold your irssi scripts and within that, a directory that contains scripts which will be automatically run when starting irssi:<br />
$ mkdir -p ~/.irssi/scripts/autorun<br />
<br />
Download the irssi spell-checking script, {{ic|spell.pl}} into the script directory:<br />
$ cd ~/.irssi/scripts<br />
$ wget http://scripts.irssi.org/scripts/spell.pl .<br />
<br />
As root run the following command:<br />
# perl -MCPAN -e 'install Lingua::Ispell'<br />
If you do not want to use CPAN review [http://search.cpan.org/~jdporter/Lingua-Ispell-0.07/lib/Lingua/Ispell.pm].<br />
<br />
Start irssi and load the spell-checking script:<br />
{{hc|/script load spell.pl|- - Irssi: Loaded script spell}}<br />
<br />
Bind {{Keypress|Alt + s}} to spell check your current line.<br />
/bind meta-s /_spellcheck<br />
<br />
If you want to autorun the script when you start irssi, just link the script into the autorun folder:<br />
$ cd ~/.irssi/scripts/autorun/<br />
$ ln -s ../spell.pl .<br />
<br />
==HTTP Proxy==<br />
<br />
To use ''irssi'' behind a HTTP proxy, the following commands are required:<br />
/SET use_proxy ON<br />
/SET proxy_address <Proxy host address><br />
/SET proxy_port <Proxy port><br />
/SET -clear proxy_string<br />
/SET proxy_string_after conn %s %d<br />
/EVAL SET proxy_string CONNECT %s:%d HTTP/1.0\n\n<br />
<br />
''irssi'' should then alter its config file correspondingly; if the proxy is not required, just set use_proxy to OFF.<br />
<br />
Should the proxy require a password, try:<br />
<br />
/SET proxy_password your_pass<br />
<br />
Otherwise:<br />
<br />
/SET -clear proxy_password<br />
<br />
{{Note|SSL behind a proxy will fail with these settings.}}<br />
<br />
==irssi with nicklist in tmux ==<br />
<br />
The ''irssi'' plugin '[http://scripts.irssi.org/scripts/nicklist.pl nicklist]' offers to add a pane listing the users on the channel currently viewed. It has two methods to do this:<br />
<br />
* '''screen''', which simply adds the list to the right of ''irssi'', but brings the disadvantage that the entire window gets redrawn every time ''irssi'' prints a line.<br />
<br />
* '''fifo''', which like the name suggests writes the list into a fifo that can then be continuously read with e. g. ''cat ~/.irssi/nicklistfifo''.<br />
<br />
nicklist will use the more efficient ''fifo'' with:<br />
<br />
/NICKLIST FIFO<br />
<br />
This fifo can be used in a [[tmux]] window split vertically with ''irssi'' in its left pane and the ''cat'' from above in a small one in its right. Since the pane is dependent on its creating tmux session's geometry, a subsequent session with a different one needs to recreate it (which also implies a switch in ''irssi'' windows to refill the fifo).<br />
<br />
E. g., the following script first checks for a running ''irssi'', presumed to have been run by a previous execution of itself. Unless found it creates a new tmux session, a window named after and running ''irssi'' and then the pane with ''cat''. If however ''irssi'' was found it merely attaches to the session and recreates the ''cat'' pane.<br />
<br />
#!/bin/bash<br />
<br />
T3=$(pidof irssi)<br />
<br />
irssi_nickpane() {<br />
tmux setw main-pane-width $(( $(tput cols) - 21));<br />
tmux splitw -v "cat ~/.irssi/nicklistfifo";<br />
tmux selectl main-vertical;<br />
tmux selectw -t irssi;<br />
tmux selectp -t 0;<br />
}<br />
<br />
irssi_repair() {<br />
tmux selectw -t irssi<br />
(( $(tmux lsp | wc -l) > 1 )) && tmux killp -a -t 0<br />
irssi_nickpane<br />
}<br />
<br />
if [ -z "$T3" ]; then<br />
tmux new-session -d -s main;<br />
tmux new-window -t main -n irssi irssi;<br />
irssi_nickpane ;<br />
fi<br />
tmux attach-session -d -t main;<br />
irssi_repair ;<br />
exit 0<br />
<br />
==Virtual hostname (vhost)==<br />
A vhost can be used to change your hostname when connected to an IRC-server, commonly viewed when joining/parting or doing a whois. This is most commonly done on a server which have a static IP address. Without a vhost it would commonly look like so when doing a 'whois':<br />
nick@123.456.78.90.isp.com<br />
The result of a successfull vhost could be like so if you have the domain example.com available:<br />
nick@example.com<br />
Keep in mind that not every IRC-server supports the use of vhost. This might be individually set between the servers and not the network, so if you're experiencing issues with one server try another on the same network.<br />
<br />
===Required preconfigurations===<br />
irssi supports using a vhost as long as the required configurations has been set. This includes especially that your host supports [https://en.wikipedia.org/wiki/Reverse_DNS_lookup Recursive DNS Lookup (rDNS)] using [https://en.wikipedia.org/wiki/List_of_DNS_record_types Pointer record (PTR)]. Additionally you should add an appropriate line to your /etc/hosts file. <br />
<br />
To see if this is working, test with the 'host' DNS lookup utility included in [https://www.archlinux.org/packages/?sort=&q=dnsutils&maintainer=&last_update=&flagged=&limit=50 dnsutils] like so (where <ip> is a normal IPv4 address):<br />
host <ip><br />
If this returns something in the lines of this then you know that your rDNS is working.<br />
<ip>.in-addr.arpa domain name pointer example.com<br />
<br />
===Enabling the vhost===<br />
There are a couple of ways to connect to a server with a given hostname. One is using the 'server' command with a -host argument like so:<br />
/server -host example.com irc.freenode.org<br />
Another way would be to set your hostname (vhost) with the 'set' command which will save your hostname to ~/.irssi/config:<br />
/set hostname example.com<br />
/save<br />
/server irc.freenode.org<br />
<br />
==See also==<br />
* [http://linuxtidbits.wordpress.com/2008/01/09/setting-up-irssi/ Setting Up Irssi] post on Helpful Linux Tidbits<br />
* [http://quadpoint.org/articles/irssi Guide to Efficiently Using Irssi & Screen] page by Matt Sparks<br />
* [http://scripts.irssi.org/ Official List of Irssi Scripts]<br />
* [http://jasonwryan.com/post/12460674834/inotify IRC notifications with dzen2] post by Jason Ryan<br />
* [http://pthree.org/2010/02/02/irssis-channel-network-server-and-connect-what-it-means/ Irssi’s /channel, /network, /server and /connect – What It Means] post by Aaron Toponce</div>Smasher816