ArchWiki - User contributions [en] (https://wiki.archlinux.org/api.php?action=feedcontributions&user=Yuvadm&feedformat=atom), updated 2024-03-29T14:23:21Z, MediaWiki 1.41.0
Unofficial mirrors (https://wiki.archlinux.org/index.php?title=Unofficial_mirrors&diff=733652), 2022-06-23T07:40:26Z
<p>Yuvadm: Undo and clarify revision 733651 by Yuvadm (talk)</p>
<hr />
<div>[[Category:Package management]]<br />
[[Category:Lists]]<br />
[[es:Unofficial mirrors]]<br />
[[pt:Unofficial mirrors]]<br />
[[ru:Unofficial mirrors]]<br />
[[zh-hans:Unofficial mirrors]]<br />
These [[mirrors]] are ''not'' listed in {{ic|/etc/pacman.d/mirrorlist}}.<br />
<br />
== Worldwide ==<br />
<br />
* https://cloudflaremirrors.com/archlinux/ - ''CloudFlare runs a quasi-mirror service that fronts existing mirrors on their global CDN (might not work correctly with pacman, see {{Bug|67865}})''<br />
* https://sourceforge.net/projects/archlinux/files/ - ''ISO files only; Does not have any releases since 2006. Use it only for getting older ISOs.''<br />
<br />
== Australia ==<br />
<br />
* https://chestm007.ddns.net/archlinux/<br />
<br />
== Belgium ==<br />
<br />
* https://ftp.belnet.be/mirror/archlinux.org/ - ''Belnet''<br />
<br />
== Chile ==<br />
<br />
* http://ip62.inf.utfsm.cl/ ''UTFSM #62''<br />
<br />
== China ==<br />
<br />
'''CDN'''<br />
<br />
* https://mirrors.cloud.tencent.com/archlinux/ - ''Tencent Cloud''<br />
* https://repo.huaweicloud.com/archlinux/ - ''Huawei Cloud''<br />
<br />
'''Cernet'''<br />
<br />
* https://mirror.bit.edu.cn/archlinux/ - ''Beijing Institute of Technology''<br />
<br />
== Finland ==<br />
<br />
* http://95.217.224.159:26704/ArchMirror/$repo/os/$arch - ''IPv4, HTTP''<br />
* http://arch.kyberorg.fi/$repo/os/$arch - ''IPv4, HTTP, HTTPS''<br />
<br />
== France ==<br />
<br />
* https://archlinux.moulticast.net/<br />
* https://mirror.lesviallon.fr - ''https only, 1Gb/s, uptime can be checked at https://stats.lesviallon.fr/786053669''<br />
<br />
== Indonesia ==<br />
<br />
* http://kambing.ui.ac.id/archlinux/<br />
<br />
== Iran ==<br />
<br />
* http://77.238.121.45/archlinux/ - ''Asiatech Data Transmission company''<br />
<br />
== Japan ==<br />
<br />
* http://ftp.nara.wide.ad.jp/pub/Linux/archlinux/ - ''Nara Institute of Science and Technology''<br />
* https://ftp.kddilabs.jp/Linux/packages/archlinux/<br />
* http://srv2.ftp.ne.jp/Linux/packages/archlinux/<br />
<br />
== Netherlands ==<br />
<br />
* https://mirror.transip.net/archlinux/ ''TransIP B.V.''<br />
* https://mirror.previder.nl/archlinux/ ''Previder B.V.''<br />
<br />
== New Zealand ==<br />
<br />
* http://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
* https://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
<br />
== Poland ==<br />
<br />
* http://repo.skni.umcs.pl/archlinux/ - UMCS<br />
* https://repo.skni.umcs.pl/archlinux/ - UMCS<br />
<br />
== South Africa ==<br />
<br />
* http://ftp.leg.uct.ac.za/pub/linux/arch/ - ''University of Cape Town''<br />
* ftp://ftp.leg.uct.ac.za/pub/linux/arch/<br />
* http://mirror.ufs.ac.za/archlinux/ - ''University of the Free State''<br />
* ftp://mirror.ufs.ac.za/os/linux/distros/archlinux/<br />
* http://archlinux.mirror.ac.za - ''TENET - Tertiary Education and Research Network of South Africa''<br />
* ftp://archlinux.mirror.ac.za<br />
<br />
== Sweden ==<br />
<br />
* ftp://foss.dhyrule.se/linux/archlinux/<br />
<br />
== Thailand ==<br />
<br />
* http://mirror1.ku.ac.th/archlinux/<br />
<br />
== United Kingdom ==<br />
<br />
* https://repo.slithery.uk/<br />
<br />
== United States ==<br />
<br />
* http://mirror.pointysoftware.net/archlinux/<br />
* http://mirror.ziemer.bz/archlinux<br />
* https://lug.mines.edu/mirrors/archlinux/<br />
* http://mirror.cs.umn.edu/arch/<br />
<br />
<br />
== Uzbekistan ==<br />
<br />
* http://mirror.dc.uz/arch/</div>
Yuvadm
Unofficial mirrors (https://wiki.archlinux.org/index.php?title=Unofficial_mirrors&diff=733651), 2022-06-23T07:38:33Z
<p>Yuvadm: Pacman bug on CF mirror has been fixed</p>
<hr />
<div>[[Category:Package management]]<br />
[[Category:Lists]]<br />
[[es:Unofficial mirrors]]<br />
[[pt:Unofficial mirrors]]<br />
[[ru:Unofficial mirrors]]<br />
[[zh-hans:Unofficial mirrors]]<br />
These [[mirrors]] are ''not'' listed in {{ic|/etc/pacman.d/mirrorlist}}.<br />
<br />
== Worldwide ==<br />
<br />
* https://cloudflaremirrors.com/archlinux/ - ''CloudFlare runs a quasi-mirror service that fronts existing mirrors on their global CDN''<br />
* https://sourceforge.net/projects/archlinux/files/ - ''ISO files only; Does not have any releases since 2006. Use it only for getting older ISOs.''<br />
<br />
== Australia ==<br />
<br />
* https://chestm007.ddns.net/archlinux/<br />
<br />
== Belgium ==<br />
<br />
* https://ftp.belnet.be/mirror/archlinux.org/ - ''Belnet''<br />
<br />
== Chile ==<br />
<br />
* http://ip62.inf.utfsm.cl/ ''UTFSM #62''<br />
<br />
== China ==<br />
<br />
'''CDN'''<br />
<br />
* https://mirrors.cloud.tencent.com/archlinux/ - ''Tencent Cloud''<br />
* https://repo.huaweicloud.com/archlinux/ - ''Huawei Cloud''<br />
<br />
'''Cernet'''<br />
<br />
* https://mirror.bit.edu.cn/archlinux/ - ''Beijing Institute of Technology''<br />
<br />
== Finland ==<br />
<br />
* http://95.217.224.159:26704/ArchMirror/$repo/os/$arch - ''IPv4, HTTP''<br />
* http://arch.kyberorg.fi/$repo/os/$arch - ''IPv4, HTTP, HTTPS''<br />
<br />
== France ==<br />
<br />
* https://archlinux.moulticast.net/<br />
* https://mirror.lesviallon.fr - ''https only, 1Gb/s, uptime can be checked at https://stats.lesviallon.fr/786053669''<br />
<br />
== Indonesia ==<br />
<br />
* http://kambing.ui.ac.id/archlinux/<br />
<br />
== Iran ==<br />
<br />
* http://77.238.121.45/archlinux/ - ''Asiatech Data Transmission company''<br />
<br />
== Japan ==<br />
<br />
* http://ftp.nara.wide.ad.jp/pub/Linux/archlinux/ - ''Nara Institute of Science and Technology''<br />
* https://ftp.kddilabs.jp/Linux/packages/archlinux/<br />
* http://srv2.ftp.ne.jp/Linux/packages/archlinux/<br />
<br />
== Netherlands ==<br />
<br />
* https://mirror.transip.net/archlinux/ ''TransIP B.V.''<br />
* https://mirror.previder.nl/archlinux/ ''Previder B.V.''<br />
<br />
== New Zealand ==<br />
<br />
* http://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
* https://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
<br />
== Poland ==<br />
<br />
* http://repo.skni.umcs.pl/archlinux/ - UMCS<br />
* https://repo.skni.umcs.pl/archlinux/ - UMCS<br />
<br />
== South Africa ==<br />
<br />
* http://ftp.leg.uct.ac.za/pub/linux/arch/ - ''University of Cape Town''<br />
* ftp://ftp.leg.uct.ac.za/pub/linux/arch/<br />
* http://mirror.ufs.ac.za/archlinux/ - ''University of the Free State''<br />
* ftp://mirror.ufs.ac.za/os/linux/distros/archlinux/<br />
* http://archlinux.mirror.ac.za - ''TENET - Tertiary Education and Research Network of South Africa''<br />
* ftp://archlinux.mirror.ac.za<br />
<br />
== Sweden ==<br />
<br />
* ftp://foss.dhyrule.se/linux/archlinux/<br />
<br />
== Thailand ==<br />
<br />
* http://mirror1.ku.ac.th/archlinux/<br />
<br />
== United Kingdom ==<br />
<br />
* https://repo.slithery.uk/<br />
<br />
== United States ==<br />
<br />
* http://mirror.pointysoftware.net/archlinux/<br />
* http://mirror.ziemer.bz/archlinux<br />
* https://lug.mines.edu/mirrors/archlinux/<br />
* http://mirror.cs.umn.edu/arch/<br />
<br />
<br />
== Uzbekistan ==<br />
<br />
* http://mirror.dc.uz/arch/</div>
Yuvadm
SMBus (https://wiki.archlinux.org/index.php?title=SMBus&diff=726707), 2022-04-16T14:35:15Z
<p>Yuvadm: Add SMBus redirect to lm_sensors</p>
<hr />
<div>#REDIRECT [[Lm_sensors]]</div>
Yuvadm
Lm sensors (https://wiki.archlinux.org/index.php?title=Lm_sensors&diff=726706), 2022-04-16T14:29:56Z
<p>Yuvadm: Add I2C related article</p>
<hr />
<div>{{DISPLAYTITLE:lm_sensors}}<br />
[[Category:System monitors]]<br />
[[Category:CPU]]<br />
[[de:Lm sensors]]<br />
[[ja:Lm sensors]]<br />
[[pt:Lm sensors]]<br />
[[ru:Lm sensors]]<br />
[[zh-hant:Lm sensors]]<br />
{{Related articles start}}<br />
{{Related|Fan speed control}}<br />
{{Related|hddtemp}}<br />
{{Related|I2C}}<br />
{{Related|monitorix}}<br />
{{Related articles end}}<br />
[https://hwmon.wiki.kernel.org/lm_sensors lm_sensors] (Linux monitoring sensors) is a free and open-source application that provides tools and drivers for monitoring temperatures, voltage, and fans. This document explains how to install, configure, and use lm_sensors.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|lm_sensors}} package.<br />
<br />
{{Note|More documentation is at the [https://github.com/groeck/lm-sensors/tree/master/doc GitHub repository]. In the future these may be installed, see {{Bug|48354}}.}}<br />
<br />
== Setup ==<br />
<br />
Use ''sensors-detect'' as root to detect and generate a list of kernel modules:<br />
<br />
{{Warning|Do not use anything other than the default options (by just hitting {{ic|Enter}}), unless you know exactly what you are doing. See [[#Laptop screen issues after running sensors-detect]].}}<br />
<br />
# sensors-detect<br />
<br />
It will ask to probe for various hardware. The "safe" answers are the defaults, so just hitting {{ic|Enter}} to all the questions will generally not cause any problems. This will create the {{ic|/etc/conf.d/lm_sensors}} configuration file which is used by {{ic|lm_sensors.service}} to automatically load kernel modules on boot.<br />
<br />
When the detection is finished, a summary of the probes is presented.<br />
<br />
Example:<br />
<br />
{{hc|# sensors-detect|<nowiki><br />
This program will help you determine which kernel modules you need<br />
to load to use lm_sensors most effectively. It is generally safe<br />
and recommended to accept the default answers to all questions,<br />
unless you know what you're doing.<br />
<br />
Some south bridges, CPUs or memory controllers contain embedded sensors.<br />
Do you want to scan for them? This is totally safe. (YES/no): <br />
Module cpuid loaded successfully.<br />
Silicon Integrated Systems SIS5595... No<br />
VIA VT82C686 Integrated Sensors... No<br />
VIA VT8231 Integrated Sensors... No<br />
AMD K8 thermal sensors... No<br />
AMD Family 10h thermal sensors... No<br />
<br />
...<br />
<br />
Now follows a summary of the probes I have just done.<br />
Just press ENTER to continue: <br />
<br />
Driver `coretemp':<br />
* Chip `Intel digital thermal sensor' (confidence: 9)<br />
<br />
Driver `lm90':<br />
* Bus `SMBus nForce2 adapter at 4d00'<br />
Busdriver `i2c_nforce2', I2C address 0x4c<br />
Chip `Winbond W83L771AWG/ASG' (confidence: 6)<br />
<br />
Do you want to overwrite /etc/conf.d/lm_sensors? (YES/no): <br />
ln -s '/usr/lib/systemd/system/lm_sensors.service' '/etc/systemd/system/multi-user.target.wants/lm_sensors.service'<br />
Unloading i2c-dev... OK<br />
Unloading cpuid... OK<br />
</nowiki>}}<br />
<br />
{{Note|A systemd service is automatically enabled if users answer '''YES''' when asked about generating {{ic|/etc/conf.d/lm_sensors}}. Answering '''YES''' also automatically starts the service.}}<br />
<br />
== Running sensors ==<br />
<br />
Example running {{ic|sensors}}:<br />
<br />
{{hc|$ sensors|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0: +35.0°C (crit = +105.0°C)<br />
Core 1: +32.0°C (crit = +105.0°C)<br />
<br />
w83l771-i2c-0-4c<br />
Adapter: SMBus nForce2 adapter at 4d00<br />
temp1: +28.0°C (low = -40.0°C, high = +70.0°C)<br />
(crit = +85.0°C, hyst = +75.0°C)<br />
temp2: +37.4°C (low = -40.0°C, high = +70.0°C)<br />
(crit = +110.0°C, hyst = +100.0°C)<br />
</nowiki>}}<br />
<br />
=== Adding DIMM Temperature sensors ===<br />
<br />
{{Style|Some style issues. In particular, section should [[Help:Style#Language register|avoid first person]] (i.e. "In my …") and the language in some sentences can be improved for readability and compliance with [[Help:Style#Spelling]] and [[Help:Style#Language]].}}<br />
<br />
To find the temperature sensors of DIMMs, install the {{Pkg|i2c-tools}} package. Once installed, load the {{ic|i2c-dev}} [[kernel module]].<br />
<br />
# modprobe i2c_dev<br />
<br />
To show all the columns, use ''i2cdetect'' [[General recommendations#Security|as root]]: <br />
<br />
{{hc|1=# i2cdetect -l|2=<br />
i2c-2 smbus SMBus PIIX4 adapter port 2 at 0b00 SMBus adapter<br />
i2c-2 smbus SMBus PIIX4 adapter port 1 at 0b20 SMBus adapter<br />
i2c-0 smbus SMBus PIIX4 adapter port 0 at 0b00 SMBus adapter<br />
}}<br />
<br />
Otherwise, its output will appear as follows: <br />
<br />
i2c-2 unknown SMBus PIIX4 adapter port 2 at 0b00 N/A<br />
i2c-2 unknown SMBus PIIX4 adapter port 1 at 0b20 N/A<br />
i2c-0 unknown SMBus PIIX4 adapter port 0 at 0b00 N/A<br />
<br />
In my system, the RAM sticks are connected to SMBus 0. The ''i2cdetect'' command shows the devices that are connected to the bus. The {{ic|-y 0}} argument means to use the i2c-0 SMBus. You can check other buses if needed.<br />
<br />
{{hc|# i2cdetect -y 0|2=<br />
     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f<br />
00:                         -- -- -- -- 0c -- -- -- <br />
10: 10 -- -- -- -- -- -- -- 18 19 -- -- -- -- -- -- <br />
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
30: -- -- -- -- -- -- 36 -- -- -- -- -- -- -- -- -- <br />
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 4f <br />
50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
70: -- -- -- -- -- -- -- 77 <br />
}}<br />
<br />
RAM SPDs start at address 0x50 and RAM temperature sensors start at 0x18 on the same bus. In my system, there are 2 DIMMs available, so addresses 0x18 and 0x19 are the DIMMs' temperature sensors.<br />
<br />
After finding this information, load the {{ic|jc42}} [[kernel module]] to read the temperatures of the RAM sticks. Then tell the module which addresses to use. This consists of writing {{ic|''module_name''}} and {{ic|''address''}} to {{ic|''smbus_path''}}. For example:<br />
<br />
# modprobe jc42<br />
# echo jc42 0x18 > /sys/bus/i2c/devices/i2c-0/new_device<br />
# echo jc42 0x19 > /sys/bus/i2c/devices/i2c-0/new_device<br />
<br />
After that, the temperatures of your RAM sticks will be visible in the output of the {{ic|sensors}} command:<br />
<br />
jc42-i2c-0-19<br />
Adapter: SMBus PIIX4 adapter port 0 at 0b00<br />
temp1: +50.7°C (low = +0.0°C) ALARM (HIGH, CRIT)<br />
(high = +0.0°C, hyst = +0.0°C)<br />
(crit = +0.0°C, hyst = +0.0°C)<br />
<br />
jc42-i2c-0-18<br />
Adapter: SMBus PIIX4 adapter port 0 at 0b00<br />
temp1: +51.8°C (low = +0.0°C) ALARM (HIGH, CRIT)<br />
(high = +0.0°C, hyst = +0.0°C)<br />
(crit = +0.0°C, hyst = +0.0°C)<br />
<br />
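The address selection described above, as an added example that is not part of the original article: it reads a captured ''i2cdetect'' grid and prints the {{ic|new_device}} writes only for sensor addresses that belong to a detected DIMM. It assumes that a DIMM whose SPD EEPROM answers at 0x50+n has its temperature sensor at 0x18+n, which generalizes the "start from" statement above; the function names and the embedded sample grid are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example (not from the article): choose jc42 addresses from a captured
# `i2cdetect -y <bus>` grid instead of binding the driver to every address
# that answers on the bus.
# Assumption: a DIMM whose SPD EEPROM answers at 0x50+n carries its temperature
# sensor at 0x18+n (n = 0..7). Function names are made up for this example.

# Constructed sample, copied from the grid shown above for bus 0.
SAMPLE_GRID='     0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f
00:                         -- -- -- -- 0c -- -- --
10: 10 -- -- -- -- -- -- -- 18 19 -- -- -- -- -- --
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
30: -- -- -- -- -- -- 36 -- -- -- -- -- -- -- -- --
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 4f
50: 50 51 -- -- -- -- -- -- -- -- -- -- -- -- -- --
60: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
70: -- -- -- -- -- -- -- 77'

# Read a grid on stdin and print one sensor address per line (e.g. 0x18).
jc42_candidates() {
    awk '
        # Rows 10: and 50: are always printed in full, so field k+2 is the cell
        # for low nibble k and plain whitespace splitting is safe for them.
        $1 == "10:" { for (k = 8; k <= 15; k++) ts[k - 8] = $(k + 2) }
        $1 == "50:" { for (k = 0; k <= 7; k++) spd[k] = $(k + 2) }
        END {
            for (n = 0; n <= 7; n++) {
                # No SPD EEPROM at 0x50+n: no DIMM in that slot. "UU" still
                # counts as present (a driver such as eeprom already owns it).
                if (spd[n] == "" || spd[n] == "--") continue
                # DIMM without a thermal sensor, or nothing answered at 0x18+n.
                if (ts[n] == "" || ts[n] == "--") continue
                # "UU": a driver is already bound there; do not instantiate twice.
                if (ts[n] == "UU") continue
                printf "0x%s\n", ts[n]
            }
        }'
}

# Print (not execute) the new_device writes for bus $1, reading the grid on stdin.
jc42_commands() {
    bus=$1
    case $bus in
        ''|*[!0-9]*) echo "bus must be a decimal number" >&2; return 1 ;;
    esac
    jc42_candidates | while read -r addr; do
        printf 'echo jc42 %s > /sys/bus/i2c/devices/i2c-%s/new_device\n' "$addr" "$bus"
    done
}

# Dry run on the constructed sample; on a live system pipe in `i2cdetect -y 0`.
printf '%s\n' "$SAMPLE_GRID" | jc42_commands 0
```

The other responders in the sample grid (0x0c, 0x10, 0x36, 0x4f, 0x77) are ignored because they are not paired with an SPD EEPROM, so the driver is never bound to an unrelated chip.<br />
<br />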
=== Reading SPD values from memory modules (optional) ===<br />
<br />
To read the SPD timing values from memory modules, install the {{pkg|i2c-tools}} package. Once installed, load the {{ic|eeprom}} [[kernel module]].<br />
<br />
# modprobe eeprom<br />
<br />
Finally, view memory information with {{ic|decode-dimms}}.<br />
<br />
Here is partial output from one machine:<br />
<br />
{{hc|# decode-dimms|<nowiki><br />
Memory Serial Presence Detect Decoder<br />
By Philip Edelbrock, Christian Zuckschwerdt, Burkart Lingner,<br />
Jean Delvare, Trent Piepho and others<br />
<br />
<br />
Decoding EEPROM: /sys/bus/i2c/drivers/eeprom/0-0050<br />
Guessing DIMM is in bank 1<br />
<br />
---=== SPD EEPROM Information ===---<br />
EEPROM CRC of bytes 0-116 OK (0x583F)<br />
# of bytes written to SDRAM EEPROM 176<br />
Total number of bytes in EEPROM 512<br />
Fundamental Memory type DDR3 SDRAM<br />
Module Type UDIMM<br />
<br />
---=== Memory Characteristics ===---<br />
Fine time base 2.500 ps<br />
Medium time base 0.125 ns<br />
Maximum module speed 1066MHz (PC3-8533)<br />
Size 2048 MB<br />
Banks x Rows x Columns x Bits 8 x 14 x 10 x 64<br />
Ranks 2<br />
SDRAM Device Width 8 bits<br />
tCL-tRCD-tRP-tRAS 7-7-7-33<br />
Supported CAS Latencies (tCL) 8T, 7T, 6T, 5T<br />
<br />
---=== Timing Parameters ===---<br />
Minimum Write Recovery time (tWR) 15.000 ns<br />
Minimum Row Active to Row Active Delay (tRRD) 7.500 ns<br />
Minimum Active to Auto-Refresh Delay (tRC) 49.500 ns<br />
Minimum Recovery Delay (tRFC) 110.000 ns<br />
Minimum Write to Read CMD Delay (tWTR) 7.500 ns<br />
Minimum Read to Pre-charge CMD Delay (tRTP) 7.500 ns<br />
Minimum Four Activate Window Delay (tFAW) 30.000 ns<br />
<br />
---=== Optional Features ===---<br />
Operable voltages 1.5V<br />
RZQ/6 supported? Yes<br />
RZQ/7 supported? Yes<br />
DLL-Off Mode supported? No<br />
Operating temperature range 0-85C<br />
Refresh Rate in extended temp range 1X<br />
Auto Self-Refresh? Yes<br />
On-Die Thermal Sensor readout? No<br />
Partial Array Self-Refresh? No<br />
Thermal Sensor Accuracy Not implemented<br />
SDRAM Device Type Standard Monolithic<br />
<br />
---=== Physical Characteristics ===---<br />
Module Height (mm) 15<br />
Module Thickness (mm) 1 front, 1 back<br />
Module Width (mm) 133.5<br />
Module Reference Card B<br />
<br />
---=== Manufacturer Data ===---<br />
Module Manufacturer Invalid<br />
Manufacturing Location Code 0x02<br />
Part Number OCZ3G1600LV2G <br />
<br />
...<br />
</nowiki>}}<br />
<br />
== Using sensor data ==<br />
<br />
=== Graphical front-ends ===<br />
<br />
There are a variety of front-ends for sensors data.<br />
<br />
* {{App|psensor|GTK application for monitoring hardware sensors, including temperatures and fan speeds. Monitors motherboard and CPU (using lm-sensors), Nvidia GPUs (using XNVCtrl), and harddisks (using [[hddtemp]] or libatasmart).|https://wpitchoune.net/psensor/|{{Pkg|psensor}}}}<br />
* {{App|xsensors|X11 interface to lm_sensors.|https://github.com/Mystro256/xsensors|{{Pkg|xsensors}}}}<br />
<br />
For specific [[Desktop environments]]:<br />
<br />
* {{App|Freon (GNOME Shell extension)|Extension for displaying CPU temperature, disk temperature, video card temperature, voltage and fan RPM in [[GNOME]] Shell.|https://github.com/UshakovVasilii/gnome-shell-extension-freon|{{AUR|gnome-shell-extension-freon}}}}<br />
* {{App|GNOME Sensors Applet|Applet for the [[GNOME]] Panel to display readings from hardware sensors, including CPU temperature, fan speeds and voltage readings.|http://sensors-applet.sourceforge.net/|{{Pkg|sensors-applet}}}}<br />
* {{App|lm-sensors (LXPanel plugin)|Monitor temperature/voltages/fan speeds in [[LXDE]] through lm-sensors.|https://danamlund.dk/sensors_lxpanel_plugin/|{{AUR|sensors-lxpanel-plugin}}}}<br />
* {{App|MATE Sensors Applet|Display readings from hardware sensors in your [[MATE]] panel.|https://github.com/mate-desktop/mate-sensors-applet|{{Pkg|mate-sensors-applet}}}}<br />
* {{App|Sensors (Xfce4 panel plugin)|Hardware sensors plugin for the [[Xfce]] panel.|https://goodies.xfce.org/projects/panel-plugins/xfce4-sensors-plugin|{{Pkg|xfce4-sensors-plugin}}}}<br />
* {{App|Thermal Monitor (Plasma 5 applet)|[[KDE]] Plasma applet for monitoring CPU, GPU and other available temperature sensors.|https://gitlab.com/agurenko/plasma-applet-thermal-monitor|{{Pkg|plasma5-applets-thermal-monitor}}}}<br />
<br />
=== sensord ===<br />
<br />
There is an optional daemon called ''sensord'' (included with the {{Pkg|lm_sensors}} package) which can log data to a round robin database (rrd) and later visualize it graphically. See the {{man|8|sensord}} man page for details.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Adjusting values ===<br />
<br />
In some cases, the data displayed might be incorrect or users may wish to rename the output. Use cases include:<br />
<br />
* Incorrect temperature values due to a wrong offset (i.e. temps are reported 20 °C higher than actual).<br />
* Users wish to rename the output of some sensors.<br />
* The cores might be displayed in an incorrect order.<br />
<br />
All of the above (and more) can be adjusted by overriding the package-provided settings in {{ic|/etc/sensors3.conf}}: create {{ic|/etc/sensors.d/''foo''}}, wherein any number of tweaks will override the default values. It is recommended to rename 'foo' to the motherboard brand and model, but this naming convention is optional.<br />
<br />
{{Note|Do not edit {{ic|/etc/sensors3.conf}} directly, since package updates will overwrite any changes.}}<br />
<br />
==== Example 1. Adjusting temperature offsets ====<br />
<br />
This is a real example on a Zotac ION-ITX-A-U motherboard. The coretemp values are off by 20 °C (too high) and are adjusted down to Intel specs.<br />
<br />
{{hc|$ sensors|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0: +57.0°C (crit = +125.0°C)<br />
Core 1: +55.0°C (crit = +125.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
Run {{ic|sensors}} with the {{ic|-u}} switch to see what options are available for each physical chip (raw mode):<br />
<br />
{{hc|$ sensors -u|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0:<br />
temp2_input: 57.000<br />
temp2_crit: 125.000<br />
temp2_crit_alarm: 0.000<br />
Core 1:<br />
temp3_input: 55.000<br />
temp3_crit: 125.000<br />
temp3_crit_alarm: 0.000<br />
...<br />
</nowiki>}}<br />
<br />
Create the following file overriding the default values:<br />
<br />
{{hc|/etc/sensors.d/Zotac-IONITX-A-U|<nowiki><br />
chip "coretemp-isa-0000"<br />
label temp2 "Core 0"<br />
compute temp2 @-20,@-20<br />
<br />
label temp3 "Core 1"<br />
compute temp3 @-20,@-20<br />
</nowiki>}}<br />
<br />
Now invoking {{ic|sensors}} shows the adjusted values:<br />
<br />
{{hc|$ sensors|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0: +37.0°C (crit = +105.0°C)<br />
Core 1: +35.0°C (crit = +105.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
==== Example 2. Renaming labels ====<br />
<br />
This is a real example on an Asus A7M266. The user wishes more verbose names for the temperature labels {{ic|temp1}} and {{ic|temp2}}:<br />
<br />
{{hc|$ sensors|<nowiki><br />
as99127f-i2c-0-2d<br />
Adapter: SMBus Via Pro adapter at e800<br />
...<br />
temp1: +35.0°C (high = +0.0°C, hyst = -128.0°C)<br />
temp2: +47.5°C (high = +100.0°C, hyst = +75.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
Create the following file to override the default values:<br />
<br />
{{hc|/etc/sensors.d/Asus_A7M266|<nowiki><br />
chip "as99127f-*"<br />
label temp1 "Mobo Temp"<br />
label temp2 "CPU0 Temp"<br />
</nowiki>}}<br />
<br />
Now invoking {{ic|sensors}} shows the adjusted values:<br />
<br />
{{hc|$ sensors|<nowiki><br />
as99127f-i2c-0-2d<br />
Adapter: SMBus Via Pro adapter at e800<br />
...<br />
Mobo Temp: +35.0°C (high = +0.0°C, hyst = -128.0°C)<br />
CPU0 Temp: +47.5°C (high = +100.0°C, hyst = +75.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
==== Example 3. Renumbering cores for multi-CPU systems ====<br />
<br />
This is a real example on an HP Z600 workstation with dual Xeons. The actual numbering of physical cores is incorrect: numbered 0, 1, 9, 10 which is repeated into the second CPU. Most users expect the core temperatures to report out in sequential order, i.e. 0,1,2,3,4,5,6,7.<br />
<br />
{{hc|$ sensors|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0: +65.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 1: +65.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 9: +66.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 10: +66.0°C (high = +85.0°C, crit = +95.0°C)<br />
<br />
coretemp-isa-0004<br />
Adapter: ISA adapter<br />
Core 0: +54.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 1: +56.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 9: +60.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core 10: +61.0°C (high = +85.0°C, crit = +95.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
Again, run {{ic|sensors}} with the {{ic|-u}} switch to see what options are available for each physical chip:<br />
<br />
{{hc|$ sensors -u coretemp-isa-0000|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core 0:<br />
temp2_input: 61.000<br />
temp2_max: 85.000<br />
temp2_crit: 95.000<br />
temp2_crit_alarm: 0.000<br />
Core 1:<br />
temp3_input: 61.000<br />
temp3_max: 85.000<br />
temp3_crit: 95.000<br />
temp3_crit_alarm: 0.000<br />
Core 9:<br />
temp11_input: 62.000<br />
temp11_max: 85.000<br />
temp11_crit: 95.000<br />
Core 10:<br />
temp12_input: 63.000<br />
temp12_max: 85.000<br />
temp12_crit: 95.000<br />
</nowiki>}}<br />
<br />
{{hc|$ sensors -u coretemp-isa-0004|<nowiki><br />
coretemp-isa-0004<br />
Adapter: ISA adapter<br />
Core 0:<br />
temp2_input: 53.000<br />
temp2_max: 85.000<br />
temp2_crit: 95.000<br />
temp2_crit_alarm: 0.000<br />
Core 1:<br />
temp3_input: 54.000<br />
temp3_max: 85.000<br />
temp3_crit: 95.000<br />
temp3_crit_alarm: 0.000<br />
Core 9:<br />
temp11_input: 59.000<br />
temp11_max: 85.000<br />
temp11_crit: 95.000<br />
Core 10:<br />
temp12_input: 59.000<br />
temp12_max: 85.000<br />
temp12_crit: 95.000<br />
...<br />
</nowiki>}}<br />
<br />
Create the following file overriding the default values:<br />
<br />
{{hc|/etc/sensors.d/HP_Z600|<nowiki><br />
chip "coretemp-isa-0000"<br />
label temp2 "Core 0"<br />
label temp3 "Core 1"<br />
label temp11 "Core 2"<br />
label temp12 "Core 3"<br />
<br />
chip "coretemp-isa-0004"<br />
label temp2 "Core 4"<br />
label temp3 "Core 5"<br />
label temp11 "Core 6"<br />
label temp12 "Core 7"</nowiki>}}<br />
<br />
Now invoking {{ic|sensors}} shows the adjusted values:<br />
<br />
{{hc|$ sensors|<nowiki><br />
coretemp-isa-0000<br />
Adapter: ISA adapter<br />
Core0: +64.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core1: +63.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core2: +65.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core3: +66.0°C (high = +85.0°C, crit = +95.0°C)<br />
<br />
coretemp-isa-0004<br />
Adapter: ISA adapter<br />
Core4: +53.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core5: +54.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core6: +59.0°C (high = +85.0°C, crit = +95.0°C)<br />
Core7: +60.0°C (high = +85.0°C, crit = +95.0°C)<br />
...<br />
</nowiki>}}<br />
<br />
=== Automatic lm_sensors deployment ===<br />
<br />
Users wishing to deploy lm_sensors on multiple machines can use the following to accept the defaults to all questions:<br />
<br />
# sensors-detect --auto<br />
<br />
=== S.M.A.R.T. drive temperature ===<br />
<br />
[https://hwmon.wiki.kernel.org/device_support_status Since kernel 5.6] the {{ic|drivetemp}} module will report SATA/SAS temperature through hwmon, but {{ic|sensors-detect}} does not automatically detect this so the module must be [[Kernel_module#Manual_module_handling|manually loaded]].<br />
<br />
# modprobe drivetemp<br />
<br />
You should now see entries similar to this in your {{ic|sensors}} output:<br />
<br />
{{hc|$ sensors|2=<br />
drivetemp-scsi-1-0<br />
Adapter: SCSI adapter<br />
temp1: +33.0°C <br />
<br />
drivetemp-scsi-2-0<br />
Adapter: SCSI adapter<br />
temp1: +32.0°C (low = +0.0°C, high = +70.0°C)<br />
(crit low = +0.0°C, crit = +70.0°C)<br />
(lowest = +29.0°C, highest = +41.0°C)<br />
}}<br />
<br />
Configure [[Kernel_module#Automatic_module_loading_with_systemd|automatic module loading]] to load the module on boot.<br />
<br />
== Troubleshooting ==<br />
<br />
=== K10Temp module ===<br />
<br />
Some K10 processors have issues with their temperature sensor. See the [https://www.kernel.org/doc/html/latest/hwmon/k10temp.html#description k10temp documentation] for more information.<br />
<br />
On affected machines the module will report "unreliable CPU thermal sensor; monitoring disabled". To force monitoring anyway, you can run the following:<br />
<br />
# rmmod k10temp<br />
# modprobe k10temp force=1<br />
<br />
Confirm that the sensor is in fact valid and reliable. If it is, you can edit {{ic|/etc/modprobe.d/k10temp.conf}} and add:<br />
<br />
options k10temp force=1<br />
<br />
This will allow the module to load at boot.<br />
<br />
=== Asus B450M-A/A320M-K/A320M-K-BR motherboards ===<br />
<br />
These motherboards use an IT8655E chip, which is not supported by the it87 kernel driver, as of Nov 2020 [https://www.kernel.org/doc/html/latest/hwmon/it87.html]. However, it is supported by the upstream version of the kernel driver [https://github.com/bbqlinux/it87/blob/master/it87.c#L22]. The [[DKMS]] variant is contained in {{AUR|it87-dkms-git}}.<br />
<br />
=== Asus B450/X399/X470 motherboards with AM4 Socket ===<br />
<br />
Some recent Asus motherboards use an ITE IT8665E chip; accessing the temperature, fan and voltage sensors may require the {{ic|asus-wmi-sensors}} module. [[Install]] {{AUR|asus-wmi-sensors-dkms-git}} and load the {{ic|asus-wmi-sensors}} [[kernel module]]. The module uses the UEFI interface and may require a BIOS update on some boards [https://github.com/electrified/asus-wmi-sensors#supported-hardware].<br />
<br />
Alternatively, the {{ic|it87}} module reads the values from the chip directly; install {{AUR|it87-dkms-git}} and load the {{ic|it87}} [[kernel module]].<br />
<br />
=== Asus H97/Z97/Z170/Z370i/X570/B550 motherboards ===<br />
<br />
With some recent Asus motherboards, fan and voltage sensor access may require the {{ic|nct6775}} [[kernel module]] to be loaded.<br />
<br />
You may also need to add the following [[kernel parameter]]:<br />
<br />
acpi_enforce_resources=lax<br />
<br />
See https://bugzilla.kernel.org/show_bug.cgi?id=204807 for more information.<br />
<br />
Note: Starting with Kernel 5.16 [https://bugzilla.kernel.org/show_bug.cgi?id=204807#c199], the above [[kernel parameter]] is no longer required for most boards and should be avoided.<br />
<br />
=== Gigabyte B250/Z370/B450M/B560M motherboards ===<br />
<br />
Some Gigabyte motherboards use the ITE IT8686E or ITE8689 (for B560) chip, which is not supported by the it87 kernel driver, as of May 2019 [https://www.kernel.org/doc/html/latest/hwmon/it87.html]. However, it is supported by the upstream version of the kernel driver [https://github.com/bbqlinux/it87/blob/master/it87.c#L24]. The [[DKMS]] variant is contained in {{AUR|it87-dkms-git}}. As with [[#Asus H97/Z97/Z170/Z370i/X570/B550 motherboards]], a [[kernel parameter]] is required before attempting to install the module:<br />
<br />
acpi_enforce_resources=lax<br />
<br />
Furthermore, supply the id of the chip when loading the module as follows:<br />
<br />
# modprobe it87 force_id=0x8686<br />
or<br />
# modprobe it87 force_id=0x8689 # for B560<br />
<br />
Or you can [[Kernel_modules|load the module]] during the boot process by creating the following two files:<br />
<br />
{{hc|/etc/modules-load.d/it87.conf|<br />
it87<br />
}}<br />
<br />
{{hc|/etc/modprobe.d/it87.conf|<nowiki><br />
options it87 ignore_resource_conflict=1<br />
</nowiki>}}<br />
<br />
Once the module is loaded you can use the ''sensors'' tool to probe the chip.<br />
Now you can also use [[fancontrol]] to control the speed step of your case fan. <br />
<br />
Optionally, installing {{AUR|zenpower-dkms}} may allow finer tuning of the motherboard's cooling system. However, it does disable the default k10temp module.<br />
<br />
=== Gigabyte GA-J1900N-D3V ===<br />
<br />
This motherboard uses the ITE IT8620E chip (useful also to read voltages, mainboard temp, fan speed). As of October 2014, lm_sensors has no driver support for chip ITE IT8620E [https://hwmon.wiki.kernel.org/device_support_status_g_i] [https://marc.info/?l=lm-sensors&m=139496833404519]. lm_sensors developers had a report that the chip is somewhat compatible with the IT8728F for the hardware monitoring part. However, as of August 2016, [https://www.kernel.org/doc/html/latest/hwmon/it87.html] lists the IT8620E as supported.<br />
<br />
You can load the module at runtime with modprobe:<br />
<br />
 # modprobe it87 force_id=0x8728<br />
<br />
Or you can [[Kernel modules|load the modules]] during the boot process by creating the following two files:<br />
<br />
{{hc|/etc/modules-load.d/it87.conf|2=<br />
it87<br />
}}<br />
<br />
{{hc|/etc/modprobe.d/it87.conf|2=<br />
options it87 force_id=0x8603<br />
}}<br />
<br />
Once the module is loaded you can use the ''sensors'' tool to probe the chip.<br />
<br />
Now you can also use [[fancontrol]] to control the speedsteps of your case fan.<br />
<br />
=== Laptop screen issues after running sensors-detect ===<br />
<br />
This is caused by lm-sensors messing with the Vcom values of the screen while probing for sensors. It has been discussed and solved at the forums already: https://bbs.archlinux.org/viewtopic.php?id=193048. However, make sure to read through the thread carefully before running any of the suggested commands.<br />
<br />
=== i2c bus errors on AMD Navi 2 GPUs ===<br />
<br />
There is currently a bug in the way the kernel handles reading the i2c bus on AMD Navi 2 GPUs. The bus currently can only be used with EEPROMs, and trying to use it with other devices will cause it to fail. This can cause crashes, black screens, and even cause the card to behave oddly, such as being unable to switch power states. It is currently advised not to scan the i2c bus if you have a Navi 2 based card. You can read more here: https://gitlab.freedesktop.org/drm/amd/-/issues/1470</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=I2C&diff=726705I2C2022-04-16T14:29:23Z<p>Yuvadm: Add SMBus details throughout article</p>
<hr />
<div>[[Category:Hardware]]<br />
{{Related articles start}}<br />
{{Related|Lm_sensors}}<br />
{{Related articles end}}<br />
<br />
[https://en.wikipedia.org/wiki/I%C2%B2C I2C] or I²C (Inter-IC) is a synchronous, multi-controller/multi-target (controller/target), packet switched, single-ended, serial communication bus invented in 1982 by Philips Semiconductors.<br />
<br />
It is used by many hardware boards to communicate with general purpose I/O (GPIO) devices.<br />
<br />
A similar extension of I2C is [http://www.smbus.org/ SMBus] which is more specifically used for hardware monitoring purposes.<br />
<br />
== Installation ==<br />
<br />
I2C kernel modules already exist in most default kernel packages.<br />
<br />
Userspace tools can be installed from {{Pkg|i2c-tools}}. Bleeding edge is on {{AUR|i2c-tools-git}}.<br />
<br />
SMBus-specific tools can be installed from {{Pkg|lm_sensors}}.<br />
<br />
== Module Loading ==<br />
<br />
In some cases it might be required to [[Kernel module#Automatic module loading with systemd|explicitly load the I2C kernel modules]].<br />
<br />
{{hc|/etc/modules-load.d/i2c-dev.conf|<br />
i2c-dev}}<br />
<br />
Depending on your system and usage, other hardware-specific modules such as {{ic|i2c_i801}} or {{ic|i2c_smbus}} might have to be loaded as well.<br />
<br />
If the modules are properly loaded, you should see the {{ic|/dev/i2c-*}} devices.<br />
<br />
Permission for using the {{ic|/dev/i2c-*}} devices can be granted by adding the user to the {{ic|i2c}} [[user group]].<br />
<br />
== Usage ==<br />
<br />
{{ic|i2cdetect}} can detect all the active I2C devices:<br />
<br />
{{hc|$ i2cdetect -l|<br />
i2c-0 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-4 smbus SMBus I801 adapter at f040 SMBus adapter<br />
i2c-5 i2c i915 gmbus dpb I2C adapter<br />
i2c-6 i2c i915 gmbus dpc I2C adapter<br />
i2c-7 i2c i915 gmbus misc I2C adapter<br />
i2c-8 i2c AUX B/DDI B/PHY B I2C adapter<br />
}}<br />
<br />
When an I2C device is connected to a known bus, {{ic|i2cdetect}} can probe it for active addresses: <br />
<br />
{{hc|$ i2cdetect -y -r 1|<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
00: -- -- -- -- -- -- -- -- <br />
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
70: -- -- -- -- -- -- 76 --<br />
}}<br />
<br />
== See also ==<br />
<br />
* https://www.i2c-bus.org/<br />
* http://www.smbus.org/</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=I2C&diff=726704I2C2022-04-16T14:22:51Z<p>Yuvadm: Cleanup installation section</p>
<hr />
<div>[[Category:Hardware]]<br />
{{Related articles start}}<br />
{{Related|Lm_sensors}}<br />
{{Related articles end}}<br />
<br />
[https://en.wikipedia.org/wiki/I%C2%B2C I2C] or I²C (Inter-IC) is a synchronous, multi-controller/multi-target (controller/target), packet switched, single-ended, serial communication bus invented in 1982 by Philips Semiconductors.<br />
<br />
It is used by many hardware boards to communicate with general purpose I/O (GPIO) devices.<br />
<br />
== Installation ==<br />
<br />
I2C kernel modules already exist in most default kernel packages.<br />
<br />
Userspace tools can be installed from {{Pkg|i2c-tools}}. Bleeding edge is on {{AUR|i2c-tools-git}}.<br />
<br />
== Module Loading ==<br />
<br />
In some cases it might be required to [[Kernel module#Automatic module loading with systemd|explicitly load the I2C kernel modules]].<br />
<br />
{{hc|/etc/modules-load.d/i2c-dev.conf|<br />
i2c-dev}}<br />
<br />
Depending on your system and usage, other hardware-specific modules such as {{ic|i2c_i801}} or {{ic|i2c_smbus}} might have to be loaded as well.<br />
<br />
If the modules are properly loaded, you should see the {{ic|/dev/i2c-*}} devices.<br />
<br />
Permission for using the {{ic|/dev/i2c-*}} devices can be granted by adding the user to the {{ic|i2c}} [[user group]].<br />
<br />
== Usage ==<br />
<br />
{{ic|i2cdetect}} can detect all the active I2C devices:<br />
<br />
{{hc|$ i2cdetect -l|<br />
i2c-0 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-4 smbus SMBus I801 adapter at f040 SMBus adapter<br />
i2c-5 i2c i915 gmbus dpb I2C adapter<br />
i2c-6 i2c i915 gmbus dpc I2C adapter<br />
i2c-7 i2c i915 gmbus misc I2C adapter<br />
i2c-8 i2c AUX B/DDI B/PHY B I2C adapter<br />
}}<br />
<br />
When an I2C device is connected to a known bus, {{ic|i2cdetect}} can probe it for active addresses: <br />
<br />
{{hc|$ i2cdetect -y -r 1|<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
00: -- -- -- -- -- -- -- -- <br />
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
70: -- -- -- -- -- -- 76 --<br />
}}<br />
<br />
== See also ==<br />
<br />
* https://www.i2c-bus.org/</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=I2C&diff=726659I2C2022-04-16T11:53:00Z<p>Yuvadm: Add I2C naming clarification</p>
<hr />
<div>[[Category:Hardware]]<br />
{{Related articles start}}<br />
{{Related|Lm_sensors}}<br />
{{Related articles end}}<br />
<br />
[https://en.wikipedia.org/wiki/I%C2%B2C I2C] or I²C (Inter-IC) is a synchronous, multi-controller/multi-target (controller/target), packet switched, single-ended, serial communication bus invented in 1982 by Philips Semiconductors.<br />
<br />
It is used by many hardware boards to communicate with general purpose I/O (GPIO) devices.<br />
<br />
== Installation ==<br />
<br />
I2C kernel modules already exist in most default kernel packages.<br />
<br />
Userspace tools can be installed from {{Pkg|i2c-tools}}.<br />
<br />
Bleeding edge is on {{AUR|i2c-tools-git}} in the [[AUR]].<br />
<br />
== Module Loading ==<br />
<br />
In some cases it might be required to [[Kernel module#Automatic module loading with systemd|explicitly load the I2C kernel modules]].<br />
<br />
{{hc|/etc/modules-load.d/i2c-dev.conf|<br />
i2c-dev}}<br />
<br />
Depending on your system and usage, other hardware-specific modules such as {{ic|i2c_i801}} or {{ic|i2c_smbus}} might have to be loaded as well.<br />
<br />
If the modules are properly loaded, you should see the {{ic|/dev/i2c-*}} devices.<br />
<br />
Permission for using the {{ic|/dev/i2c-*}} devices can be granted by adding the user to the {{ic|i2c}} [[user group]].<br />
<br />
== Usage ==<br />
<br />
{{ic|i2cdetect}} can detect all the active I2C devices:<br />
<br />
{{hc|$ i2cdetect -l|<br />
i2c-0 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-4 smbus SMBus I801 adapter at f040 SMBus adapter<br />
i2c-5 i2c i915 gmbus dpb I2C adapter<br />
i2c-6 i2c i915 gmbus dpc I2C adapter<br />
i2c-7 i2c i915 gmbus misc I2C adapter<br />
i2c-8 i2c AUX B/DDI B/PHY B I2C adapter<br />
}}<br />
<br />
When an I2C device is connected to a known bus, {{ic|i2cdetect}} can probe it for active addresses: <br />
<br />
{{hc|$ i2cdetect -y -r 1|<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
00: -- -- -- -- -- -- -- -- <br />
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
70: -- -- -- -- -- -- 76 --<br />
}}<br />
<br />
== See also ==<br />
<br />
* https://www.i2c-bus.org/</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=I2C&diff=726644I2C2022-04-16T10:24:17Z<p>Yuvadm: Initial I2C article</p>
<hr />
<div>[[Category:Hardware]]<br />
{{Related articles start}}<br />
{{Related|Lm_sensors}}<br />
{{Related articles end}}<br />
<br />
[https://en.wikipedia.org/wiki/I%C2%B2C I2C] or I²C is a synchronous, multi-controller/multi-target (controller/target), packet switched, single-ended, serial communication bus invented in 1982 by Philips Semiconductors.<br />
<br />
It is used by many hardware boards to communicate with general purpose I/O devices.<br />
<br />
== Packages ==<br />
<br />
I2C kernel modules already exist in most default kernel packages.<br />
<br />
Userspace tools can be installed from {{Pkg|i2c-tools}} in the [[official repositories]].<br />
<br />
Bleeding edge is on {{AUR|i2c-tools-git}} in the [[AUR]].<br />
<br />
== Module Loading ==<br />
<br />
In some cases it might be required to [[Kernel_modules|explicitly load the I2C kernel modules]].<br />
<br />
{{hc|/etc/modules-load.d/i2c-dev.conf|<br />
i2c-dev}}<br />
<br />
Depending on your system and usage, other hardware-specific modules such as {{ic|i2c_i801}} or {{ic|i2c_smbus}} might have to be loaded as well.<br />
<br />
If the modules are properly loaded, you should see the {{ic|/dev/i2c-*}} devices.<br />
<br />
Permission for using the {{ic|/dev/i2c-*}} devices can be granted by adding the relevant non-root users to the {{ic|i2c}} group:<br />
<br />
# gpasswd -a user i2c<br />
<br />
== Usage ==<br />
<br />
{{ic|i2cdetect}} can detect all the active I2C devices:<br />
<br />
$ i2cdetect -l<br />
i2c-0 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-1 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-2 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-3 i2c Synopsys DesignWare I2C adapter I2C adapter<br />
i2c-4 smbus SMBus I801 adapter at f040 SMBus adapter<br />
i2c-5 i2c i915 gmbus dpb I2C adapter<br />
i2c-6 i2c i915 gmbus dpc I2C adapter<br />
i2c-7 i2c i915 gmbus misc I2C adapter<br />
i2c-8 i2c AUX B/DDI B/PHY B I2C adapter<br />
<br />
When an I2C device is connected to a known bus, {{ic|i2cdetect}} can probe it for active addresses: <br />
<br />
$ i2cdetect -y -r 1<br />
0 1 2 3 4 5 6 7 8 9 a b c d e f<br />
00: -- -- -- -- -- -- -- -- <br />
10: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
20: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
30: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
40: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
50: -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
60: 60 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- <br />
70: -- -- -- -- -- -- 76 --</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=655581Offline installation2021-03-21T08:16:52Z<p>Yuvadm: Clarify new system pacman config</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[ru:Offline installation]]<br />
{{Related articles start}}<br />
{{Related|Offline installation of packages}}<br />
{{Related articles end}}<br />
<br />
If you wish to install the [[Archiso]] (e.g. [https://archlinux.org/download/ the official monthly release]) as it is without an Internet connection, or, if you do not want to download the packages you want again:<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
There are two main methods to enable bootstrapping the new installation: preparing a local pacman repo with all the required files, and manually copying the files from the archiso. The first method is highly recommended.<br />
<br />
= Local Repo Method (Recommended) =<br />
<br />
== Prepare local repo ==<br />
<br />
Follow [[Pacman/Tips_and_tricks#Installing_packages_from_a_CD/DVD_or_USB_stick]] for instructions on preparing a local repo with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware systemd mkinitcpio vim<br />
<br />
== Mount and configure ==<br />
<br />
Once the repo is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sdX /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
<br />
Comment out {{ic|[core]}}, {{ic|[extra]}} and {{ic|[community]}} so that pacman does not fail on the default repos.<br />
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap /mnt base base-devel linux linux-firmware mkinitcpio systemd vim<br />
<br />
== Chroot ==<br />
<br />
In case the new system is expected to remain offline or airgapped, it should be configured to expect local repos only.<br />
<br />
After chrooting into your new installation, edit the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
<br />
Comment out all other repos and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repo, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
<br />
= File Copy Method =<br />
<br />
{{Accuracy|Instead of copying the files from the archiso, the "bootstrap" images available on the Arch mirrors can be extracted directly to the target disk. You will get a minimal system without the need to deal with the archiso modifications.}}<br />
<br />
{{Out of date|The names and locations of multiple files (the kernel, mkinitcpio hooks and configuration file, journald configuration, choose-mirror script, etc.) have changed.}} <br />
<br />
== Install the archiso to the new root ==<br />
Instead of installing the packages with {{ic|pacstrap}} (which would try to download from the remote repositories), copy ''everything'' in the live environment to the new root:<br />
# cp -ax / /mnt<br />
{{Note|The option ({{ic|-x}}) excludes some special directories, as they should not be copied to the new root.}}<br />
Then, copy the kernel image to the new root, in order to keep the integrity of the new system:<br />
# cp -vaT /run/archiso/bootmnt/arch/boot/$(uname -m)/vmlinuz /mnt/boot/vmlinuz-linux<br />
<br />
After that, generate a fstab as described in [[Installation guide#Fstab]].<br />
<br />
== Chroot and configure the base system ==<br />
Next, chroot into your newly installed system:<br />
# arch-chroot /mnt /bin/bash<br />
<br />
{{Note|Before performing the other [[Installation guide#Configure the system]] steps (e.g. locale, keymap, etc.), it is necessary to get rid of the trace of the Live environment (in other words, the customization of archiso which does not fit a non-Live environment).}}<br />
<br />
=== Restore the configuration of journald ===<br />
[https://gitlab.archlinux.org/archlinux/archiso/blob/master/configs/releng/airootfs/root/customize_airootfs.sh#L19 This customization of archiso] stores the system journal in RAM, which means that the journal will not be available after reboot:<br />
# sed -i 's/Storage=volatile/#Storage=auto/' /etc/systemd/journald.conf<br />
<br />
=== Remove special udev rule ===<br />
[https://projects.archlinux.org/archiso.git/tree/configs/releng/airootfs/etc/udev/rules.d/81-dhcpcd.rules This rule of udev] starts the dhcpcd automatically if there are any wired network interfaces.<br />
<br />
# rm /etc/udev/rules.d/81-dhcpcd.rules<br />
<br />
=== Disable and remove the services created by archiso ===<br />
Some service files are created for the Live environment. Disable the services and remove the files, as they are unnecessary for the new system:<br />
# systemctl disable pacman-init.service choose-mirror.service<br />
# rm -r /etc/systemd/system/{choose-mirror.service,pacman-init.service,etc-pacman.d-gnupg.mount,getty@tty1.service.d}<br />
# rm /etc/systemd/scripts/choose-mirror<br />
<br />
=== Remove special scripts of the Live environment ===<br />
There are some scripts installed in the live system by archiso scripts, which are unnecessary for the new system:<br />
# rm /etc/systemd/system/getty@tty1.service.d/autologin.conf<br />
# rm /root/{.automated_script.sh,.zlogin}<br />
# rm /etc/mkinitcpio-archiso.conf<br />
# rm -r /etc/initcpio<br />
<br />
=== Importing archlinux keys ===<br />
<br />
In order to use the official repositories, we need to import the archlinux master keys ([[pacman/Package signing#Initializing the keyring]]). This step is usually done by pacstrap but can be achieved with:<br />
<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
<br />
{{Note|Keyboard or mouse activity is needed to generate entropy and speed up the first step.}}<br />
<br />
=== Configure the system ===<br />
<br />
Now you can follow the skipped steps of the [[Installation guide#Configure the system]] section (setting a locale, timezone, hostname, etc.) and finish the installation by creating an initial ramdisk as described in [[Installation guide#Initramfs]].</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=655580Offline installation2021-03-21T08:12:17Z<p>Yuvadm: Add base-devel to pacstrap</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[ru:Offline installation]]<br />
{{Related articles start}}<br />
{{Related|Offline installation of packages}}<br />
{{Related articles end}}<br />
<br />
If you wish to install the [[Archiso]] (e.g. [https://archlinux.org/download/ the official monthly release]) as it is without an Internet connection, or, if you do not want to download the packages you want again:<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
There are two main methods to enable bootstrapping the new installation: preparing a local pacman repo with all the required files, and manually copying the files from the archiso. The first method is highly recommended.<br />
<br />
= Local Repo Method (Recommended) =<br />
<br />
== Prepare local repo ==<br />
<br />
Follow [[Pacman/Tips_and_tricks#Installing_packages_from_a_CD/DVD_or_USB_stick]] for instructions on preparing a local repo with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware systemd mkinitcpio vim<br />
<br />
== Mount and configure ==<br />
<br />
Once the repo is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sdX /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
<br />
Comment out {{ic|[core]}}, {{ic|[extra]}} and {{ic|[community]}} so that pacman does not fail on the default repos.<br />
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap /mnt base base-devel linux linux-firmware mkinitcpio systemd vim<br />
<br />
== Chroot ==<br />
<br />
After chrooting into your new installation, make sure to configure the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
<br />
Comment out all other repos and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repo, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
<br />
= File Copy Method =<br />
<br />
{{Accuracy|Instead of copying the files from the archiso, the "bootstrap" images available on the Arch mirrors can be extracted directly to the target disk. You will get a minimal system without the need to deal with the archiso modifications.}}<br />
<br />
{{Out of date|The names and locations of multiple files (the kernel, mkinitcpio hooks and configuration file, journald configuration, choose-mirror script, etc.) have changed.}} <br />
<br />
== Install the archiso to the new root ==<br />
Instead of installing the packages with {{ic|pacstrap}} (which would try to download from the remote repositories), copy ''everything'' in the live environment to the new root:<br />
# cp -ax / /mnt<br />
{{Note|The option ({{ic|-x}}) excludes some special directories, as they should not be copied to the new root.}}<br />
Then, copy the kernel image to the new root, in order to keep the integrity of the new system:<br />
# cp -vaT /run/archiso/bootmnt/arch/boot/$(uname -m)/vmlinuz /mnt/boot/vmlinuz-linux<br />
<br />
After that, generate a fstab as described in [[Installation guide#Fstab]].<br />
<br />
== Chroot and configure the base system ==<br />
Next, chroot into your newly installed system:<br />
# arch-chroot /mnt /bin/bash<br />
<br />
{{Note|Before performing the other [[Installation guide#Configure the system]] steps (e.g. locale, keymap, etc.), it is necessary to get rid of the trace of the Live environment (in other words, the customization of archiso which does not fit a non-Live environment).}}<br />
<br />
=== Restore the configuration of journald ===<br />
[https://gitlab.archlinux.org/archlinux/archiso/blob/master/configs/releng/airootfs/root/customize_airootfs.sh#L19 This customization of archiso] stores the system journal in RAM, which means that the journal will not be available after reboot:<br />
# sed -i 's/Storage=volatile/#Storage=auto/' /etc/systemd/journald.conf<br />
<br />
=== Remove special udev rule ===<br />
[https://projects.archlinux.org/archiso.git/tree/configs/releng/airootfs/etc/udev/rules.d/81-dhcpcd.rules This rule of udev] starts the dhcpcd automatically if there are any wired network interfaces.<br />
<br />
# rm /etc/udev/rules.d/81-dhcpcd.rules<br />
<br />
=== Disable and remove the services created by archiso ===<br />
Some service files are created for the Live environment. Disable the services and remove the files, as they are unnecessary for the new system:<br />
# systemctl disable pacman-init.service choose-mirror.service<br />
# rm -r /etc/systemd/system/{choose-mirror.service,pacman-init.service,etc-pacman.d-gnupg.mount,getty@tty1.service.d}<br />
# rm /etc/systemd/scripts/choose-mirror<br />
<br />
=== Remove special scripts of the Live environment ===<br />
There are some scripts installed in the live system by archiso scripts, which are unnecessary for the new system:<br />
# rm /etc/systemd/system/getty@tty1.service.d/autologin.conf<br />
# rm /root/{.automated_script.sh,.zlogin}<br />
# rm /etc/mkinitcpio-archiso.conf<br />
# rm -r /etc/initcpio<br />
<br />
=== Importing archlinux keys ===<br />
<br />
In order to use the official repositories, we need to import the archlinux master keys ([[pacman/Package signing#Initializing the keyring]]). This step is usually done by pacstrap but can be achieved with:<br />
<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
<br />
{{Note|Keyboard or mouse activity is needed to generate entropy and speed up the first step.}}<br />
<br />
=== Configure the system ===<br />
<br />
Now you can follow the skipped steps of the [[Installation guide#Configure the system]] section (setting a locale, timezone, hostname, etc.) and finish the installation by creating an initial ramdisk as described in [[Installation guide#Initramfs]].</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation_of_packages&diff=655358Offline installation of packages2021-03-19T10:49:48Z<p>Yuvadm: Updated related articles</p>
<hr />
<div>[[Category:Package management]]<br />
[[es:Offline installation of packages]]<br />
[[ja:パッケージのオフラインインストール]]<br />
[[ru:Offline installation of packages]]<br />
{{Related articles start}}<br />
{{Related|Offline installation}}<br />
{{Related articles end}}<br />
{{Style|Use [[Template:ic]] and [[Template:pkg]] where appropriate. See [[Help:Style]].}}<br />
== Normal Method: Pacman ==<br />
This method is based on [[User:Byte|byte's]] post from [https://bbs.archlinux.org/viewtopic.php?id=30431 this] thread.<br />
<br />
Download the package databases on a computer with internet access and transfer them to your computer. If needed, change {{ic|MIRROR}} to any mirror from the [https://archlinux.org/mirrors/status/ mirror status list].<br />
<br />
{{bc|1=<br />
#!/bin/bash<br />
<br />
ARCH="x86_64"<br />
MIRROR="https://mirrors.kernel.org/archlinux/"<br />
<br />
wget "${MIRROR}/community/os/${ARCH}/community.db"<br />
wget "${MIRROR}/core/os/${ARCH}/core.db"<br />
wget "${MIRROR}/extra/os/${ARCH}/extra.db"<br />
wget "${MIRROR}/multilib/os/${ARCH}/multilib.db"<br />
}}<br />
<br />
The following steps make sure you are working with up-to-date package lists, as if you ran {{ic|pacman -Sy}}.<br />
<br />
After transferring the {{ic|*.db}} files to the offline PC, do the following:<br />
# cp *.db /var/lib/pacman/sync/<br />
# pacman -Sp --noconfirm ''package-name'' > pkglist<br />
<br />
{{Tip|Make sure you have enabled at least one of the servers defined in the {{ic|/etc/pacman.d/mirrorlist}} file. Otherwise all you get is a misleading error message: {{ic|error: no database for package: package-name}}.}}<br />
<br />
To update a new Arch Linux base system after installation, you may enter:<br />
# pacman -Sup --noconfirm > pkglist<br />
<br />
Now open that text file with an editor and delete all lines that are not URLs.<br />
Next, bring that list with you to a place where you have internet and either download the listed packages manually or run {{ic|wget}} in an empty directory:<br />
<br />
# wget -nv -i ../pkglist<br />
<br />
{{Tip|When using [https://www.cygwin.com cygwin] or some other kind of Windows environment to download the packages the filenames will get mangled, since default Windows file naming requires to escape e.g. colons. To avoid this (under cygwin, since it doesn't follow such restrictions) use {{ic|1=wget --restrict-file-names=unix}}.}}<br />
<br />
Take all the {{ic|*.pkg.tar.gz}} files back home, put them in {{ic|/var/cache/pacman/pkg}} and finally run<br />
<br />
# pacman -S ''package-name''<br />
<br />
=== A simple example ===<br />
This is a simple way to install a package you have downloaded:<br />
# pacman -U /root/Download/packagename.tar.gz<br />
This is how to install several packages you have downloaded into a directory:<br />
# pacman -U /root/Download/*.tar.gz<br />
=== A slightly contrived example ===<br />
Scenario: you have two Arch Linux machines, 'Al' (with internet connection) and 'Bob' (without internet connection), and you need to install some [[NVIDIA]] packages and their dependencies on 'Bob'. In this example, the wanted packages are {{pkg|nvidia}}, {{pkg|nvidia-utils}}, and {{pkg|xf86-video-nouveau}}, but you want to use a dedicated directory instead of {{ic|/var/cache/pacman/pkg/}} and a dedicated repository called nvidia (instead of the usual core, extra etc...)<br />
<br />
==== Generate a list of packages to download ====<br />
This can be done on any Arch Linux machine which has up-to-date repository data bases (see above for links to database files); to create the list of links to the required packages, use:<br />
# pacman -Sp nvidia nvidia-utils xf86-video-nouveau > /path/to/nvidia.list<br />
The file {{ic|nvidia.list}} will contain links to the listed packages and any others which they depend on which are not already installed on 'Al'. Unless you have cleared your cache the packages you have installed will be in your cache location. You can check {{ic|/etc/pacman.conf}} for the location. It is probably something like {{ic|/var/cache/pacman/pkg/}}.<br />
<br />
==== Download/copy the packages and their dependencies ====<br />
Obviously this requires an internet connection, so on 'Al' create a directory called {{ic|/path/to/nvidia}} for the files and run:<br />
# wget -P /path/to/nvidia/ -i /path/to/nvidia.list<br />
Then copy the dependencies you have already installed from the cache. Either find them manually by browsing https://archlinux.org/packages/ or if the total size of all your packages is not too large just copy them all<br />
# cp /var/cache/pacman/pkg/* /path/to/nvidia/<br />
<br />
==== Create a repository database just for these packages ====<br />
This can be done on either 'Al' or 'Bob' using the {{ic|repo-add}} command which comes with {{pkg|pacman}} (from version 3?); first, change to the {{ic|/path/to/nvidia}} directory where the packages were downloaded, then create database file called {{ic|nvidia.db.tar.gz}}:<br />
$ cd /path/to/nvidia<br />
# repo-add nvidia.db.tar.gz *.pkg.tar.xz<br />
<br />
==== Transfer the packages ====<br />
Now that all the packages have been downloaded, you do not need 'Al' anymore. Copy the contents of {{ic|/path/to/nvidia}} to the temporary NVIDIA packages cache directory on 'Bob'. In this example, this folder is called {{ic|/home/me/nvidia}}:<br />
$ cp /path/to/nvidia/* /home/me/nvidia<br />
<br />
Next, {{pkg|pacman}} must be made aware of this new repository of packages. First copy your current {{ic|pacman.conf}}:<br />
# cp /etc/pacman.conf /etc/pacman.conf.old<br />
Now in {{ic|/etc/pacman.conf}} make sure that your {{ic|SigLevel}} is set to {{ic|Never}}, as your repository will not provide signatures:<br />
SigLevel = Never<br />
and add the following lines at the bottom of {{ic|pacman.conf}}:<br />
[nvidia]<br />
Server = file:///home/me/nvidia<br />
You may also need to comment out the other repositories so that stale defaults do not cause failed attempts to download from online sources.<br />
Now, instruct {{pkg|pacman}} to synchronize with the dedicated NVIDIA repository we created:<br />
# pacman -Sy <br />
This command finds the {{ic|nvidia.db.tar.gz}} file in {{ic|/home/me/nvidia}} and expands it to {{ic|/var/lib/pacman/sync/nvidia}} to create a database of packages contained in the NVIDIA repository.<br />
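If the {{ic|SigLevel = Never}} line sits in {{ic|[options]}}, it applies to every repository in the file, not only {{ic|[nvidia]}}. The following is an added example, not part of the original article: a shell function that reports the effective package-level {{ic|SigLevel}} per repository, so you can confirm the relaxation is scoped to the local repo. The function name and both sample configurations are constructed here, and {{ic|Include}} files are not followed.

```shell
#!/bin/sh
# Added example (not ArchWiki code). Prints one line per repository section:
#   <repo> TAB <effective package SigLevel> TAB <verdict>
# The effective value is the [options] setting, overridden by the repo section.
# Limitation: files pulled in with Include are not followed.

audit_siglevel() {
    awk '
    # Last package-level keyword in a SigLevel value ("" if none).
    # Database-only keywords such as DatabaseOptional are ignored.
    function pkg_level(value,    n, i, words, found) {
        found = ""
        n = split(value, words, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (words[i] ~ /^(Package)?(Never|Optional|Required)$/) {
                found = words[i]
                sub(/^Package/, "", found)
            }
        return found
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment and blank lines
    /^[ \t]*\[.*\][ \t]*$/ {               # section header
        section = $0
        gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
        if (section != "options" && !(section in seen)) {
            seen[section] = 1
            order[++count] = section
        }
        next
    }
    /^[ \t]*SigLevel[ \t]*=/ {
        value = $0
        sub(/^[^=]*=[ \t]*/, "", value)
        level[section] = pkg_level(value)
        next
    }
    END {
        for (i = 1; i <= count; i++) {
            repo = order[i]
            eff = level[repo]
            if (eff == "") eff = level["options"]
            if (eff == "Required")      verdict = "verified"
            else if (eff == "Optional") verdict = "unsigned-accepted"
            else if (eff == "Never")    verdict = "unchecked"
            else { eff = "(unset)";     verdict = "built-in-default" }
            printf "%s\t%s\t%s\n", repo, eff, verdict
        }
    }' "$@"
}

# Constructed sample: SigLevel = Never set globally, as in the steps above.
sample_global_never() {
    cat <<'EOF'
[options]
SigLevel = Never

[core]
Include = /etc/pacman.d/mirrorlist

[nvidia]
Server = file:///home/me/nvidia
EOF
}

# Constructed sample: global policy kept, relaxation scoped to [nvidia].
sample_scoped() {
    cat <<'EOF'
[options]
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[nvidia]
SigLevel = Never
Server = file:///home/me/nvidia
EOF
}
```

Run it as {{ic|audit_siglevel /etc/pacman.conf}}; with the first sample {{ic|[core]}} is reported as unchecked, with the second only {{ic|[nvidia]}} is.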
<br />
==== Install the packages ====<br />
Finally install the packages:<br />
# pacman -S nvidia nvidia-utils xf86-video nouveau<br />
<br />
=== Restoring online sources ===<br />
Should Bob ever be put online we can restore access to the online sources by replacing {{ic|/etc/pacman.conf}} with the previously created {{ic|/etc/pacman.conf.old}}.<br />
<br />
==== Links and sources ====<br />
Compiled from the forums, with thanks to [https://bbs.archlinux.org/viewtopic.php?id=60856 Heller_Barbe] and [https://bbs.archlinux.org/viewtopic.php?id=30431 byte]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=655357Offline installation2021-03-19T10:48:55Z<p>Yuvadm: Remove dead link</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[ru:Offline installation]]<br />
{{Related articles start}}<br />
{{Related|Offline installation of packages}}<br />
{{Related articles end}}<br />
<br />
If you wish to install the [[Archiso]] (e.g. [https://archlinux.org/download/ the official monthly release]) as it is, without an Internet connection, or if you do not want to download again the packages you want:<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
There are two main methods to enable bootstrapping the new installation: preparing a local pacman repo with all the required files, and manually copying the files from the archiso. The first method is highly recommended.<br />
<br />
= Local Repo Method (Recommended) =<br />
<br />
== Prepare local repo ==<br />
<br />
Follow [[Pacman/Tips_and_tricks#Installing_packages_from_a_CD/DVD_or_USB_stick]] for instructions on preparing a local repo with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware systemd mkinitcpio vim<br />
<br />
== Mount and configure ==<br />
<br />
Once the repo is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sdX /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
<br />
Comment out {{ic|[core]}}, {{ic|[extra]}} and {{ic|[community]}} so that pacman does not fail on the default repos.<br />
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap /mnt base linux linux-firmware mkinitcpio systemd vim<br />
<br />
== Chroot ==<br />
<br />
After chrooting into your new installation, make sure to configure the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
<br />
Comment out all other repos and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repo, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
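With {{ic|SigLevel = Optional}}, pacman accepts unsigned packages from the local repo, so the integrity of the copy on the media is worth checking separately. Added example, not from the original article: {{ic|seal_repo}} writes a SHA-256 manifest on the preparing host and prints its digest to record out of band, and {{ic|verify_repo}} checks the mounted copy against it, including files added afterwards. The function names and the {{ic|SHA256SUMS}} filename are assumptions.

```shell
#!/bin/sh
# Added example (not ArchWiki code). Function names and the manifest
# filename are assumptions made for this illustration.
MANIFEST=SHA256SUMS

# list_repo_files DIR: sorted relative paths of regular files in DIR,
# excluding the manifest itself. Symlinks (e.g. custom.db) are skipped.
list_repo_files() {
    ( cd "$1" && find . -type f ! -name "$MANIFEST" | LC_ALL=C sort )
}

# seal_repo DIR: run on the host that prepared the repo. Writes DIR/SHA256SUMS
# and prints the digest of the manifest, to be carried separately from the media.
seal_repo() {
    (
        cd "$1" || exit 1
        list_repo_files . | while IFS= read -r f; do
            sha256sum "$f"
        done > "$MANIFEST"
        sha256sum "$MANIFEST" | cut -d' ' -f1
    )
}

# verify_repo DIR EXPECTED_DIGEST: run on the offline machine after mounting.
# Return codes: 0 ok, 2 manifest missing, 3 manifest digest differs,
# 4 a listed file is missing or altered, 5 a file not in the manifest is present.
verify_repo() {
    dir=$1
    expected=$2
    [ -f "$dir/$MANIFEST" ] || { echo "missing manifest" >&2; return 2; }
    actual=$(sha256sum "$dir/$MANIFEST" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "manifest digest mismatch" >&2; return 3; }
    ( cd "$dir" && sha256sum --quiet -c "$MANIFEST" >&2 ) ||
        { echo "listed file missing or altered" >&2; return 4; }
    # sha256sum -c does not notice extra files, so compare the file lists too.
    listed=$(sed 's/^[0-9a-f]*  //' "$dir/$MANIFEST" | LC_ALL=C sort)
    present=$(list_repo_files "$dir")
    [ "$listed" = "$present" ] || { echo "file not in manifest" >&2; return 5; }
    return 0
}
```

Typical use is {{ic|seal_repo /path/to/repo}} before unmounting on the online host, then {{ic|verify_repo /mnt/repo ''digest''}} before running {{ic|pacstrap}} or {{ic|pacman}}.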
<br />
= File Copy Method =<br />
<br />
{{Accuracy|Instead of copying the files from the archiso, the "bootstrap" images available on the Arch mirrors can be extracted directly to the target disk. You will get a minimal system without the need to deal with the archiso modifications.}}<br />
<br />
{{Out of date|The names and locations of multiple files (the kernel, mkinitcpio hooks and configuration file, journald configuration, choose-mirror script, etc.) have changed.}} <br />
<br />
== Install the archiso to the new root ==<br />
Instead of installing the packages with {{ic|pacstrap}} (which would try to download from the remote repositories), copy ''everything'' in the live environment to the new root:<br />
# cp -ax / /mnt<br />
{{Note|The option ({{ic|-x}}) excludes some special directories, as they should not be copied to the new root.}}<br />
Then, copy the kernel image to the new root, in order to keep the integrity of the new system:<br />
# cp -vaT /run/archiso/bootmnt/arch/boot/$(uname -m)/vmlinuz /mnt/boot/vmlinuz-linux<br />
<br />
After that, generate a fstab as described in [[Installation guide#Fstab]].<br />
<br />
== Chroot and configure the base system ==<br />
Next, chroot into your newly installed system:<br />
# arch-chroot /mnt /bin/bash<br />
<br />
{{Note|Before performing the other [[Installation guide#Configure the system]] steps (e.g. locale, keymap, etc.), it is necessary to get rid of the trace of the Live environment (in other words, the customization of archiso which does not fit a non-Live environment).}}<br />
<br />
=== Restore the configuration of journald ===<br />
[https://gitlab.archlinux.org/archlinux/archiso/blob/master/configs/releng/airootfs/root/customize_airootfs.sh#L19 This customization of archiso] stores the system journal in RAM, which means that the journal will not be available after reboot:<br />
# sed -i 's/Storage=volatile/#Storage=auto/' /etc/systemd/journald.conf<br />
<br />
=== Remove special udev rule ===<br />
[https://projects.archlinux.org/archiso.git/tree/configs/releng/airootfs/etc/udev/rules.d/81-dhcpcd.rules This rule of udev] starts the dhcpcd automatically if there are any wired network interfaces.<br />
<br />
# rm /etc/udev/rules.d/81-dhcpcd.rules<br />
<br />
=== Disable and remove the services created by archiso ===<br />
Some service files are created for the Live environment. Disable the services and remove the files, as they are unnecessary for the new system:<br />
# systemctl disable pacman-init.service choose-mirror.service<br />
# rm -r /etc/systemd/system/{choose-mirror.service,pacman-init.service,etc-pacman.d-gnupg.mount,getty@tty1.service.d}<br />
# rm /etc/systemd/scripts/choose-mirror<br />
<br />
=== Remove special scripts of the Live environment ===<br />
There are some scripts installed in the live system by archiso scripts, which are unnecessary for the new system:<br />
# rm /etc/systemd/system/getty@tty1.service.d/autologin.conf<br />
# rm /root/{.automated_script.sh,.zlogin}<br />
# rm /etc/mkinitcpio-archiso.conf<br />
# rm -r /etc/initcpio<br />
<br />
=== Importing archlinux keys ===<br />
<br />
In order to use the official repositories, we need to import the archlinux master keys ([[pacman/Package signing#Initializing the keyring]]). This step is usually done by pacstrap but can be achieved with:<br />
<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
<br />
{{Note|Keyboard or mouse activity is needed to generate entropy and speed up the first step.}}<br />
<br />
=== Configure the system ===<br />
<br />
Now you can follow the skipped steps of the [[Installation guide#Configure the system]] section (setting a locale, timezone, hostname, etc.) and finish the installation by creating an initial ramdisk as described in [[Installation guide#Initramfs]].</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=655349Offline installation2021-03-19T10:07:13Z<p>Yuvadm: Move accuracy warning to second section</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[ru:Offline installation]]<br />
{{Related articles start}}<br />
{{Related|Offline installation of packages}}<br />
{{Related|Archiso offline}}<br />
{{Related articles end}}<br />
<br />
If you wish to install the [[Archiso]] (e.g. [https://archlinux.org/download/ the official monthly release]) as it is, without an Internet connection, or if you do not want to download again the packages you want:<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
There are two main methods to enable bootstrapping the new installation: preparing a local pacman repo with all the required files, and manually copying the files from the archiso. The first method is highly recommended.<br />
<br />
= Local Repo Method (Recommended) =<br />
<br />
== Prepare local repo ==<br />
<br />
Follow [[Pacman/Tips_and_tricks#Installing_packages_from_a_CD/DVD_or_USB_stick]] for instructions on preparing a local repo with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware systemd mkinitcpio vim<br />
<br />
== Mount and configure ==<br />
<br />
Once the repo is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sdX /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
<br />
Comment out {{ic|[core]}}, {{ic|[extra]}} and {{ic|[community]}} so that pacman does not fail on the default repos.<br />
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap /mnt base linux linux-firmware mkinitcpio systemd vim<br />
<br />
== Chroot ==<br />
<br />
After chrooting into your new installation, make sure to configure the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
<br />
Comment out all other repos and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repo, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
<br />
= File Copy Method =<br />
<br />
{{Accuracy|Instead of copying the files from the archiso, the "bootstrap" images available on the Arch mirrors can be extracted directly to the target disk. You will get a minimal system without the need to deal with the archiso modifications.}}<br />
<br />
{{Out of date|The names and locations of multiple files (the kernel, mkinitcpio hooks and configuration file, journald configuration, choose-mirror script, etc.) have changed.}} <br />
<br />
== Install the archiso to the new root ==<br />
Instead of installing the packages with {{ic|pacstrap}} (which would try to download from the remote repositories), copy ''everything'' in the live environment to the new root:<br />
# cp -ax / /mnt<br />
{{Note|The option ({{ic|-x}}) excludes some special directories, as they should not be copied to the new root.}}<br />
Then, copy the kernel image to the new root, in order to keep the integrity of the new system:<br />
# cp -vaT /run/archiso/bootmnt/arch/boot/$(uname -m)/vmlinuz /mnt/boot/vmlinuz-linux<br />
<br />
After that, generate a fstab as described in [[Installation guide#Fstab]].<br />
<br />
== Chroot and configure the base system ==<br />
Next, chroot into your newly installed system:<br />
# arch-chroot /mnt /bin/bash<br />
<br />
{{Note|Before performing the other [[Installation guide#Configure the system]] steps (e.g. locale, keymap, etc.), it is necessary to get rid of the trace of the Live environment (in other words, the customization of archiso which does not fit a non-Live environment).}}<br />
<br />
=== Restore the configuration of journald ===<br />
[https://gitlab.archlinux.org/archlinux/archiso/blob/master/configs/releng/airootfs/root/customize_airootfs.sh#L19 This customization of archiso] stores the system journal in RAM, which means that the journal will not be available after reboot:<br />
# sed -i 's/Storage=volatile/#Storage=auto/' /etc/systemd/journald.conf<br />
<br />
=== Remove special udev rule ===<br />
[https://projects.archlinux.org/archiso.git/tree/configs/releng/airootfs/etc/udev/rules.d/81-dhcpcd.rules This rule of udev] starts the dhcpcd automatically if there are any wired network interfaces.<br />
<br />
# rm /etc/udev/rules.d/81-dhcpcd.rules<br />
<br />
=== Disable and remove the services created by archiso ===<br />
Some service files are created for the Live environment. Disable the services and remove the files, as they are unnecessary for the new system:<br />
# systemctl disable pacman-init.service choose-mirror.service<br />
# rm -r /etc/systemd/system/{choose-mirror.service,pacman-init.service,etc-pacman.d-gnupg.mount,getty@tty1.service.d}<br />
# rm /etc/systemd/scripts/choose-mirror<br />
<br />
=== Remove special scripts of the Live environment ===<br />
There are some scripts installed in the live system by archiso scripts, which are unnecessary for the new system:<br />
# rm /etc/systemd/system/getty@tty1.service.d/autologin.conf<br />
# rm /root/{.automated_script.sh,.zlogin}<br />
# rm /etc/mkinitcpio-archiso.conf<br />
# rm -r /etc/initcpio<br />
<br />
=== Importing archlinux keys ===<br />
<br />
In order to use the official repositories, we need to import the archlinux master keys ([[pacman/Package signing#Initializing the keyring]]). This step is usually done by pacstrap but can be achieved with:<br />
<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
<br />
{{Note|Keyboard or mouse activity is needed to generate entropy and speed up the first step.}}<br />
<br />
=== Configure the system ===<br />
<br />
Now you can follow the skipped steps of the [[Installation guide#Configure the system]] section (setting a locale, timezone, hostname, etc.) and finish the installation by creating an initial ramdisk as described in [[Installation guide#Initramfs]].</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Offline_installation&diff=655348Offline installation2021-03-19T10:06:31Z<p>Yuvadm: Add new section on local repo method</p>
<hr />
<div>[[Category:Live Arch systems]]<br />
[[Category:Installation process]]<br />
[[ru:Offline installation]]<br />
{{Related articles start}}<br />
{{Related|Offline installation of packages}}<br />
{{Related|Archiso offline}}<br />
{{Related articles end}}<br />
<br />
{{Accuracy|Instead of copying the files from the archiso, the "bootstrap" images available on the Arch mirrors can be extracted directly to the target disk. You will get a minimal system without the need to deal with the archiso modifications.}}<br />
<br />
If you wish to install the [[Archiso]] (e.g. [https://archlinux.org/download/ the official monthly release]) as it is, without an Internet connection, or if you do not want to download again the packages you want:<br />
<br />
First, follow the [[Installation guide]], skipping the [[Installation guide#Connect to the internet]] section, until the [[Installation guide#Install essential packages]] step.<br />
<br />
There are two main methods to enable bootstrapping the new installation: preparing a local pacman repo with all the required files, and manually copying the files from the archiso. The first method is highly recommended.<br />
<br />
= Local Repo Method (Recommended) =<br />
<br />
== Prepare local repo ==<br />
<br />
Follow [[Pacman/Tips_and_tricks#Installing_packages_from_a_CD/DVD_or_USB_stick]] for instructions on preparing a local repo with the necessary files on a separate host installation.<br />
<br />
At the very least, for a functioning system, the following packages are recommended:<br />
<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel linux linux-firmware systemd mkinitcpio vim<br />
<br />
== Mount and configure ==<br />
<br />
Once the repo is prepared, connect the external media to the new installation, and mount it on the newly created root filesystem:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sdX /mnt/repo<br />
<br />
Edit your archiso {{ic|/etc/pacman.conf}} and add a new section:<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///mnt/repo/<br />
<br />
Comment out {{ic|[core]}}, {{ic|[extra]}} and {{ic|[community]}} so that pacman does not fail on the default repos.<br />
<br />
== Pacstrap ==<br />
<br />
You can now continue to pacstrap your locally-available packages to the new installation:<br />
<br />
# pacstrap /mnt base linux linux-firmware mkinitcpio systemd vim<br />
<br />
== Chroot ==<br />
<br />
After chrooting into your new installation, make sure to configure the new {{ic|/etc/pacman.conf}} in the same way as previously (but without the {{ic|/mnt}} prefix):<br />
<br />
[custom]<br />
SigLevel = Optional<br />
Server = file:///repo/<br />
<br />
Comment out all other repos and save. Continue configuring the new system as usual.<br />
<br />
From now on any updates to the offline system can be made by bringing an up to date copy of the local repo, mounting it to {{ic|/repo}} and running pacman commands as usual.<br />
<br />
= File Copy Method =<br />
<br />
{{Out of date|The names and locations of multiple files (the kernel, mkinitcpio hooks and configuration file, journald configuration, choose-mirror script, etc.) have changed.}} <br />
<br />
== Install the archiso to the new root ==<br />
Instead of installing the packages with {{ic|pacstrap}} (which would try to download from the remote repositories), copy ''everything'' in the live environment to the new root:<br />
# cp -ax / /mnt<br />
{{Note|The option ({{ic|-x}}) excludes some special directories, as they should not be copied to the new root.}}<br />
Then, copy the kernel image to the new root, in order to keep the integrity of the new system:<br />
# cp -vaT /run/archiso/bootmnt/arch/boot/$(uname -m)/vmlinuz /mnt/boot/vmlinuz-linux<br />
<br />
After that, generate a fstab as described in [[Installation guide#Fstab]].<br />
<br />
== Chroot and configure the base system ==<br />
Next, chroot into your newly installed system:<br />
# arch-chroot /mnt /bin/bash<br />
<br />
{{Note|Before performing the other [[Installation guide#Configure the system]] steps (e.g. locale, keymap, etc.), it is necessary to get rid of the trace of the Live environment (in other words, the customization of archiso which does not fit a non-Live environment).}}<br />
<br />
=== Restore the configuration of journald ===<br />
[https://gitlab.archlinux.org/archlinux/archiso/blob/master/configs/releng/airootfs/root/customize_airootfs.sh#L19 This customization of archiso] stores the system journal in RAM, which means that the journal will not be available after reboot:<br />
# sed -i 's/Storage=volatile/#Storage=auto/' /etc/systemd/journald.conf<br />
<br />
=== Remove special udev rule ===<br />
[https://projects.archlinux.org/archiso.git/tree/configs/releng/airootfs/etc/udev/rules.d/81-dhcpcd.rules This rule of udev] starts the dhcpcd automatically if there are any wired network interfaces.<br />
<br />
# rm /etc/udev/rules.d/81-dhcpcd.rules<br />
<br />
=== Disable and remove the services created by archiso ===<br />
Some service files are created for the Live environment. Disable the services and remove the files, as they are unnecessary for the new system:<br />
# systemctl disable pacman-init.service choose-mirror.service<br />
# rm -r /etc/systemd/system/{choose-mirror.service,pacman-init.service,etc-pacman.d-gnupg.mount,getty@tty1.service.d}<br />
# rm /etc/systemd/scripts/choose-mirror<br />
<br />
=== Remove special scripts of the Live environment ===<br />
There are some scripts installed in the live system by archiso scripts, which are unnecessary for the new system:<br />
# rm /etc/systemd/system/getty@tty1.service.d/autologin.conf<br />
# rm /root/{.automated_script.sh,.zlogin}<br />
# rm /etc/mkinitcpio-archiso.conf<br />
# rm -r /etc/initcpio<br />
<br />
=== Importing archlinux keys ===<br />
<br />
In order to use the official repositories, we need to import the archlinux master keys ([[pacman/Package signing#Initializing the keyring]]). This step is usually done by pacstrap but can be achieved with:<br />
<br />
# pacman-key --init<br />
# pacman-key --populate archlinux<br />
<br />
{{Note|Keyboard or mouse activity is needed to generate entropy and speed up the first step.}}<br />
<br />
=== Configure the system ===<br />
<br />
Now you can follow the skipped steps of the [[Installation guide#Configure the system]] section (setting a locale, timezone, hostname, etc.) and finish the installation by creating an initial ramdisk as described in [[Installation guide#Initramfs]].</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Pacman/Tips_and_tricks&diff=655347Pacman/Tips and tricks2021-03-19T09:45:25Z<p>Yuvadm: Minor wording cleanup</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Package manager]]<br />
[[de:Pacman-Tipps]]<br />
[[es:Pacman (Español)/Tips and tricks]]<br />
[[fa:Pacman tips]]<br />
[[fr:Pacman/Trucs et Astuces]]<br />
[[it:Pacman (Italiano)/Tips and tricks]]<br />
[[ja:Pacman ヒント]]<br />
[[pt:Pacman (Português)/Tips and tricks]]<br />
[[ru:Pacman (Русский)/Tips and tricks]]<br />
[[zh-hans:Pacman (简体中文)/Tips and tricks]]<br />
{{Related articles start}}<br />
{{Related|Mirrors}}<br />
{{Related|Creating packages}}<br />
{{Related articles end}}<br />
For general methods to improve the flexibility of the provided tips or ''pacman'' itself, see [[Core utilities]] and [[Bash]].<br />
<br />
== Maintenance ==<br />
<br />
{{Expansion|{{ic|1=Usage=}} introduced with pacman 4.2, see [http://allanmcrae.com/2014/12/pacman-4-2-released/]}}<br />
<br />
{{Note|Instead of using ''comm'' (which requires sorted input with ''sort'') in the sections below, you may also use {{ic|grep -Fxf}} or {{ic|grep -Fxvf}}.}}<br />
<br />
See also [[System maintenance]].<br />
<br />
=== Listing packages ===<br />
<br />
==== With version ====<br />
<br />
You may want to get the list of installed packages with their version, which is useful when reporting bugs or discussing installed packages.<br />
<br />
* List all explicitly installed packages: {{ic|pacman -Qe}}.<br />
* List all packages in the [[package group]] named {{ic|''group''}}: {{ic|pacman -Sg ''group''}}<br />
* List all foreign packages (typically manually downloaded and installed or packages removed from the repositories): {{ic|pacman -Qm}}.<br />
* List all native packages (installed from the sync database(s)): {{ic|pacman -Qn}}.<br />
* List all explicitly installed native packages (i.e. present in the sync database) that are not direct or optional dependencies: {{ic|pacman -Qent}}.<br />
* List packages by regex: {{ic|pacman -Qs ''regex''}}.<br />
* List packages by regex with custom output format (needs {{Pkg|expac}}): {{ic|expac -s "%-30n %v" ''regex''}}.<br />
<br />
==== With size ====<br />
<br />
Figuring out which packages are largest can be useful when trying to free space on your hard drive. There are two options here: get the size of individual packages, or get the size of packages and their dependencies.<br />
<br />
===== Individual packages =====<br />
<br />
The following command will list all installed packages and their individual sizes:<br />
<br />
$ LC_ALL=C pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -h<br />
<br />
===== Packages and dependencies =====<br />
<br />
To list package sizes with their dependencies,<br />
<br />
* Install {{Pkg|expac}} and run {{ic|<nowiki>expac -H M '%m\t%n' | sort -h</nowiki>}}.<br />
* Run {{Pkg|pacgraph}} with the {{ic|-c}} option.<br />
<br />
To list the download size of several packages (leave {{ic|''packages''}} blank to list all packages):<br />
<br />
$ expac -S -H M '%k\t%n' ''packages''<br />
<br />
To list explicitly installed packages not in the [[meta package]] {{Pkg|base}} nor [[package group]] {{Grp|base-devel}} with size and description:<br />
<br />
$ expac -H M "%011m\t%-20n\t%10d" $(comm -23 <(pacman -Qqen | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort | uniq)) | sort -n<br />
<br />
To list the packages marked for upgrade with their download size:<br />
<br />
$ expac -S -H M '%k\t%n' $(pacman -Qqu) | sort -sh<br />
<br />
==== By date ====<br />
<br />
To list the 20 last installed packages with {{Pkg|expac}}, run:<br />
<br />
$ expac --timefmt='%Y-%m-%d %T' '%l\t%n' | sort | tail -n 20<br />
<br />
or, with seconds since the epoch (1970-01-01 UTC):<br />
<br />
$ expac --timefmt=%s '%l\t%n' | sort -n | tail -n 20<br />
<br />
==== Not in a specified group, repository or meta package ====<br />
<br />
{{Note|To get a list of packages installed as dependencies but no longer required by any installed package, see [[#Removing unused packages (orphans)]].<br />
}}<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} [[meta package]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <(expac -l '\n' '%E' base | sort)<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} meta package or {{Grp|base-devel}} [[package group]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
List all installed packages unrequired by other packages, and which are not in the {{Pkg|base}} meta package or {{Grp|base-devel}} package group:<br />
<br />
$ comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
As above, but with descriptions:<br />
<br />
$ expac -H M '%-20n\t%10d' $(comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u))<br />
<br />
List all installed packages that are ''not'' in the specified repository ''repo_name'':<br />
<br />
$ comm -23 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all installed packages that are in the ''repo_name'' repository:<br />
<br />
$ comm -12 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all packages on the Arch Linux ISO that are not in the {{Pkg|base}} meta package:<br />
<br />
<nowiki>$ comm -23 <(curl https://gitlab.archlinux.org/archlinux/archiso/-/raw/master/configs/releng/packages.x86_64) <(expac -l '\n' '%E' base | sort)</nowiki><br />
<br />
==== Development packages ====<br />
<br />
To list all development/unstable packages, run:<br />
<br />
$ pacman -Qq | grep -Ee '-(bzr|cvs|darcs|git|hg|svn)$'<br />
<br />
=== Browsing packages ===<br />
<br />
To browse all installed packages with an instant preview of each package:<br />
<br />
$ pacman -Qq | fzf --preview 'pacman -Qil {}' --layout=reverse --bind 'enter:execute(pacman -Qil {} | less)'<br />
<br />
This uses [[fzf]] to present a two-pane view listing all packages with package info shown on the right.<br />
<br />
Enter letters to filter the list of packages; use arrow keys (or {{ic|Ctrl-j}}/{{ic|Ctrl-k}}) to navigate; press {{ic|Enter}} to see package info under ''less''.<br />
<br />
To browse all packages currently known to pacman (both installed and not yet installed) in a similar way, using fzf, use:<br />
<br />
 $ pacman -Slq | fzf --preview 'pacman -Si {}' --layout=reverse<br />
<br />
The navigational keybindings are the same, although Enter will not work in the same way.<br />
<br />
=== Listing files owned by a package with size ===<br />
<br />
This one might come in handy if you have found that a specific package uses a huge amount of space and you want to find out which files make up the most of that.<br />
<br />
$ pacman -Qlq ''package'' | grep -v '/$' | xargs -r du -h | sort -h<br />
<br />
=== Identify files not owned by any package ===<br />
<br />
If your system has stray files not owned by any package (a common case if you do not [[Enhance system stability#Use the package manager to install software|use the package manager to install software]]), you may want to find such files in order to clean them up.<br />
<br />
One method is to use {{ic|pacreport --unowned-files}} as the root user from {{Pkg|pacutils}} which will list unowned files among other details.<br />
<br />
Another is to list all files of interest and check them against pacman:<br />
<br />
# find /etc /usr /opt /var | LC_ALL=C pacman -Qqo - 2>&1 >&- >/dev/null | cut -d ' ' -f 5-<br />
<br />
{{Tip|The {{Pkg|lostfiles}} script performs similar steps, but also includes an extensive blacklist to remove common false positives from the output.}}<br />
<br />
=== Tracking unowned files created by packages ===<br />
<br />
Most systems will slowly collect several [http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html#S3-RPM-INSIDE-FLIST-GHOST-DIRECTIVE ghost] files such as state files, logs, indexes, etc. through the course of usual operation.<br />
<br />
{{ic|pacreport}} from {{Pkg|pacutils}} can be used to track these files and their associations via {{ic|/etc/pacreport.conf}} (see {{man|1|pacreport|FILES}}).<br />
<br />
An example may look something like this (abridged):<br />
<br />
{{hc|/etc/pacreport.conf|<nowiki><br />
[Options]<br />
IgnoreUnowned = usr/share/applications/mimeinfo.cache<br />
<br />
[PkgIgnoreUnowned]<br />
alsa-utils = var/lib/alsa/asound.state<br />
bluez = var/lib/bluetooth<br />
ca-certificates = etc/ca-certificates/trust-source/*<br />
dbus = var/lib/dbus/machine-id<br />
glibc = etc/ld.so.cache<br />
grub = boot/grub/*<br />
linux = boot/initramfs-linux.img<br />
pacman = var/lib/pacman/local<br />
update-mime-database = usr/share/mime/magic<br />
</nowiki>}}<br />
<br />
Then, when using {{ic|pacreport --unowned-files}} as the root user, any unowned files will be listed if the associated package is no longer installed (or if any new files have been created).<br />
<br />
Additionally, [https://github.com/CyberShadow/aconfmgr aconfmgr] ({{AUR|aconfmgr-git}}) allows tracking modified and orphaned files using a configuration script.<br />
<br />
=== Removing unused packages (orphans) ===<br />
<br />
For recursively removing orphans and their configuration files:<br />
<br />
# pacman -Qtdq | pacman -Rns -<br />
<br />
If no orphans were found, the output is {{ic|error: argument '-' specified with empty stdin}}. This is expected as no arguments were passed to {{ic|pacman -Rns}}.<br />
<br />
{{Note|The arguments {{ic|-Qt}} list only true orphans. To include packages which are ''optionally'' required by another package, pass the {{ic|-t}} flag twice (''i.e.'', {{ic|-Qtt}}).}}<br />
<br />
=== Removing everything but essential packages ===<br />
<br />
If it is ever necessary to remove all packages except the essential packages, one method is to set the installation reason of the non-essential ones as dependency and then remove all unnecessary dependencies.<br />
<br />
First, for all the packages installed "as explicitly", change their installation reason to "as dependency":<br />
<br />
# pacman -D --asdeps $(pacman -Qqe)<br />
<br />
Then, change the installation reason to "as explicitly" of only the essential packages, those you '''do not''' want to remove, in order to avoid targeting them:<br />
<br />
# pacman -D --asexplicit base linux linux-firmware<br />
<br />
{{Note|<br />
* Additional packages can be added to the above command in order to avoid being removed. See [[Installation guide#Install essential packages]] for more info on other packages that may be necessary for a fully functional base system.<br />
* This will also select the bootloader's package for removal. The system should still be bootable, but the boot parameters might not be changeable without it.<br />
}}<br />
<br />
Finally, follow the instructions in [[#Removing unused packages (orphans)]] to remove all packages that have installation reason "as dependency".<br />
<br />
=== Getting the dependencies list of several packages ===<br />
<br />
Dependencies are alphabetically sorted and duplicates are removed.<br />
<br />
{{Note|To only show the tree of local installed packages, use {{ic|pacman -Qi}}.}}<br />
<br />
$ LC_ALL=C pacman -Si ''packages'' | awk -F'[:<=>]' '/^Depends/ {print $2}' | xargs -n1 | sort -u<br />
<br />
Alternatively, with {{Pkg|expac}}: <br />
<br />
$ expac -l '\n' %E -S ''packages'' | sort -u<br />
<br />
=== Listing changed backup files ===<br />
<br />
{{Accuracy|What is the connection of this section to [[System backup]]? Listing modified "backup files" does not show files which are not tracked by pacman.|section=Warning about listing changed backup files}}<br />
<br />
If you want to back up your system configuration files, you could copy all files in {{ic|/etc/}} but usually you are only interested in the files that you have changed. Modified [[Pacnew_and_Pacsave_files#Package_backup_files|backup files]] can be viewed with the following command:<br />
<br />
# pacman -Qii | awk '/^MODIFIED/ {print $2}'<br />
<br />
Running this command with root permissions will ensure that files readable only by root (such as {{ic|/etc/sudoers}}) are included in the output.<br />
<br />
{{Tip|See [[#Listing all changed files from packages]] to list all changed files ''pacman'' knows about, not only backup files.}}<br />
<br />
=== Back up the pacman database ===<br />
<br />
The following command can be used to back up the local ''pacman'' database:<br />
<br />
$ tar -cjf pacman_database.tar.bz2 /var/lib/pacman/local<br />
<br />
Store the backup ''pacman'' database file on one or more offline media, such as a USB stick, external hard drive, or CD-R.<br />
<br />
The database can be restored by moving the {{ic|pacman_database.tar.bz2}} file into the {{ic|/}} directory and executing the following command:<br />
<br />
# tar -xjvf pacman_database.tar.bz2<br />
<br />
{{Note|If the ''pacman'' database files are corrupted, and there is no backup file available, there exists some hope of rebuilding the ''pacman'' database. Consult [[#Restore pacman's local database]].}}<br />
<br />
{{Tip|The {{AUR|pakbak-git}} package provides a script and a [[systemd]] service to automate the task. Configuration is possible in {{ic|/etc/pakbak.conf}}.}}<br />
<br />
=== Check changelogs easily ===<br />
<br />
When maintainers update packages, commits are often commented in a useful fashion. Users can quickly check these from the command line by installing {{AUR|pacolog}}. This utility lists recent commit messages for packages from the official repositories or the AUR, by using {{ic|pacolog <package>}}.<br />
<br />
== Installation and recovery ==<br />
<br />
Alternative ways of getting and restoring packages.<br />
<br />
=== Installing packages from a CD/DVD or USB stick ===<br />
<br />
{{Merge|#Custom local repository|Use as an example and avoid duplication}}<br />
<br />
To download packages, or groups of packages:<br />
<br />
# cd ~/Packages<br />
# pacman -Syw --cachedir . base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
Pacman, which will reference the host installation by default, will not properly resolve and download existing dependencies. In cases where all packages and dependencies are wanted, it is recommended to create a temporary blank DB and reference it with {{ic|--dbpath}}:<br />
<br />
# mkdir /tmp/blankdb<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
Then you can burn the "Packages" folder to a CD/DVD or transfer it to a USB stick, external HDD, etc.<br />
<br />
To install:<br />
<br />
'''1.''' Mount the media:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sr0 /mnt/repo #For a CD/DVD.<br />
# mount /dev/sdxY /mnt/repo #For a USB stick.<br />
<br />
'''2.''' Edit {{ic|pacman.conf}} and add this repository ''before'' the other ones (e.g. extra, core, etc.). This is important. Do not just uncomment the one on the bottom. This way it ensures that the files from the CD/DVD/USB take precedence over those in the standard repositories:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
[custom]<br />
SigLevel = PackageRequired<br />
Server = file:///mnt/repo/Packages}}<br />
<br />
'''3.''' Finally, synchronize the ''pacman'' database to be able to use the new repository:<br />
<br />
# pacman -Syu<br />
<br />
=== Custom local repository ===<br />
<br />
Use the ''repo-add'' script included with ''pacman'' to generate a database for a personal repository. Use {{ic|repo-add --help}} for more details on its usage. <br />
A package database is a tar file, optionally compressed. Valid extensions are ''.db'' or ''.files'' followed by an archive extension of ''.tar'', ''.tar.gz'', ''.tar.bz2'', ''.tar.xz'', ''.tar.zst'', or ''.tar.Z''. The file does not need to exist, but all parent directories must exist.<br />
<br />
To add a new package to the database, or to replace the old version of an existing package in the database, run:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/package-1.0-1-x86_64.pkg.tar.xz''<br />
<br />
The database and the packages do not need to be in the same directory when using ''repo-add'', but keep in mind that when using ''pacman'' with that database, they should be together. Storing all the built packages to be included in the repository in one directory also allows using shell glob expansion to add or update multiple packages at once:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/*.pkg.tar.xz''<br />
<br />
{{Warning|''repo-add'' adds the entries into the database in the same order as passed on the command line. If multiple versions of the same package are involved, care must be taken to ensure that the correct version is added last. In particular, note that lexical order used by the shell depends on the locale and differs from the {{man|8|vercmp}} ordering used by ''pacman''.}}<br />
<br />
If you are looking to support multiple architectures then precautions should be taken to prevent errors from occurring. Each architecture should have its own directory tree:<br />
<br />
{{hc|$ tree ~/customrepo/ {{!}} sed "s/$(uname -m)/<arch>/g"|<br />
/home/archie/customrepo/<br />
└── <arch><br />
    ├── customrepo.db -> customrepo.db.tar.xz<br />
    ├── customrepo.db.tar.xz<br />
    ├── customrepo.files -> customrepo.files.tar.xz<br />
    ├── customrepo.files.tar.xz<br />
    └── personal-website-git-b99cce0-1-<arch>.pkg.tar.xz<br />
<br />
1 directory, 5 files<br />
}}<br />
<br />
The ''repo-add'' executable checks if the package is appropriate. If this is not the case, you will run into error messages similar to this:<br />
<br />
==> ERROR: '/home/archie/customrepo/<arch>/foo-<arch>.pkg.tar.xz' does not have a valid database archive extension.<br />
<br />
''repo-remove'' removes packages from the package database. It is used like ''repo-add'', except that only package names are specified on the command line.<br />
<br />
$ repo-remove ''/path/to/repo.db.tar.gz pkgname''<br />
<br />
Once the local repository database has been created, add the repository to {{ic|pacman.conf}} for each system that is to use the repository. An example of a custom repository is in {{ic|pacman.conf}}. The repository's name is the database filename with the file extension omitted. In the case of the example above the repository's name would simply be ''repo''. Reference the repository's location using a {{ic|file://}} URL, or via FTP using ftp://localhost/path/to/directory.<br />
<br />
If willing, add the custom repository to the [[Unofficial user repositories|list of unofficial user repositories]], so that the community can benefit from it.<br />
<br />
=== Network shared pacman cache ===<br />
{{Merge|Package_Proxy_Cache|Same topic}}<br />
If you happen to run several Arch boxes on your LAN, you can share packages so that you can greatly decrease your download times. Keep in mind you should not share between different architectures (e.g. i686 and x86_64) or you will run into problems.<br />
<br />
==== Read-only cache ====<br />
<br />
If you are looking for a quick solution, you can simply run a standalone webserver, e.g. {{Pkg|darkhttpd}}, which other computers can use as a first mirror:<br />
<br />
# ln -s /var/lib/pacman/sync/*.db /var/cache/pacman/pkg<br />
$ sudo -u http darkhttpd /var/cache/pacman/pkg --no-server-id<br />
<br />
You could also run darkhttpd as a systemd service for convenience. Just add this server at the top of your {{ic|/etc/pacman.d/mirrorlist}} in client machines with {{ic|1=Server = http&#58;//mymirror:8080}}. Make sure to keep your mirror updated.<br />
<br />
If you are already running a web server for some other purpose, you might wish to reuse that as your local repo server instead of darkhttpd. For example, if you already serve a site with [[nginx]], you can add an nginx server block listening on port 8080:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
server {<br />
    listen 8080;<br />
    root /var/cache/pacman/pkg;<br />
    server_name myarchrepo.localdomain;<br />
    try_files $uri $uri/;<br />
}<br />
}}<br />
<br />
Remember to restart nginx after making this change.<br />
<br />
Whichever web server you use, remember to open port 8080 to local traffic (and you probably want to deny anything not local), so add a rule like the following to [[iptables]]:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT<br />
}}<br />
<br />
Remember to restart iptables after making this change.<br />
<br />
==== Overlay mount of read-only cache ====<br />
<br />
It is possible to use one machine on a local network as a read-only package cache by [[Overlay_filesystem|overlay mounting]] its {{ic|/var/cache/pacman/pkg}} directory. Such a configuration is advantageous if this server has installed on it a reasonably comprehensive selection of up-to-date packages which are also used by other boxes. This is useful for maintaining a number of machines at the end of a low bandwidth upstream connection.<br />
<br />
As an example, to use this method:<br />
<br />
# mkdir /tmp/remote_pkg /mnt/workdir_pkg /tmp/pacman_pkg<br />
# sshfs <remote_username>@<remote_pkgcache_addr>:/var/cache/pacman/pkg /tmp/remote_pkg -C<br />
# mount -t overlay overlay -o lowerdir=/tmp/remote_pkg,upperdir=/var/cache/pacman/pkg,workdir=/mnt/workdir_pkg /tmp/pacman_pkg<br />
<br />
[[Overlay_filesystem#Usage|Note concerning overlay]]: The working directory must be an empty directory on the same mounted device as the upper directory.<br />
<br />
After this, run pacman using the option {{ic|--cachedir /tmp/pacman_pkg}}, e.g.:<br />
<br />
# pacman -Syu --cachedir /tmp/pacman_pkg<br />
<br />
==== Distributed read-only cache ====<br />
<br />
There are Arch-specific tools for automatically discovering other computers on your network offering a package cache. Try {{Pkg|pacredir}}, [[pacserve]], {{AUR|pkgdistcache}}, or {{AUR|paclan}}. pkgdistcache uses Avahi instead of plain UDP which may work better in certain home networks that route instead of bridge between WiFi and Ethernet.<br />
<br />
Historically, there was [https://bbs.archlinux.org/viewtopic.php?id=64391 PkgD] and [https://github.com/toofishes/multipkg multipkg], but they are no longer maintained.<br />
<br />
==== Read-write cache ====<br />
<br />
In order to share packages between multiple computers, simply share {{ic|/var/cache/pacman/}} using any network-based mount protocol. This section shows how to use [[shfs]] or [[SSHFS]] to share a package cache plus the related library-directories between multiple computers on the same local network. Keep in mind that a network shared cache can be slow depending on the file-system choice, among other factors.<br />
<br />
First, install any network-supporting filesystem packages: {{pkg|shfs-utils}}, {{pkg|sshfs}}, {{pkg|curlftpfs}}, {{pkg|samba}} or {{pkg|nfs-utils}}.<br />
<br />
{{Tip|<br />
* To use ''sshfs'' or ''shfs'', consider reading [[Using SSH Keys]].<br />
* By default, ''smbfs'' does not serve filenames that contain colons, which results in the client downloading the offending package afresh. To prevent this, use the {{ic|mapchars}} mount option on the client.<br />
}}<br />
<br />
Then, to share the actual packages, mount {{ic|/var/cache/pacman/pkg}} from the server to {{ic|/var/cache/pacman/pkg}} on every client machine.<br />
<br />
{{Warning|Do not make {{ic|/var/cache/pacman/pkg}} or any of its ancestors (e.g., {{ic|/var}}) a symlink. ''Pacman'' expects these to be directories. When ''pacman'' re-installs or upgrades itself, it will remove the symlinks and create empty directories instead. However during the transaction ''pacman'' relies on some files residing there, hence breaking the update process. Refer to {{bug|50298}} for further details.}}<br />
<br />
==== Two-way with rsync ====<br />
<br />
Another approach in a local environment is [[rsync]]. Choose a server for caching and enable the [[Rsync#rsync daemon]]. On clients synchronize two-way with this share via the rsync protocol. Filenames that contain colons are no problem for the rsync protocol.<br />
<br />
Draft example for a client; using {{ic|uname -m}} within the share name ensures an architecture-dependent sync:<br />
# rsync rsync://server/share_$(uname -m)/ /var/cache/pacman/pkg/ ...<br />
# pacman ...<br />
# paccache ...<br />
# rsync /var/cache/pacman/pkg/ rsync://server/share_$(uname -m)/ ...<br />
<br />
==== Dynamic reverse proxy cache using nginx ====<br />
<br />
[[nginx]] can be used to proxy package requests to official upstream mirrors and cache the results to the local disk. All subsequent requests for that package will be served directly from the local cache, minimizing the amount of internet traffic needed to update a large number of computers. <br />
<br />
In this example, the cache server will run at {{ic|<nowiki>http://cache.domain.example:8080/</nowiki>}} and store the packages in {{ic|/srv/http/pacman-cache/}}. <br />
<br />
Install [[nginx]] on the computer that is going to host the cache. Create the directory for the cache and adjust the permissions so nginx can write files to it:<br />
<br />
# mkdir /srv/http/pacman-cache<br />
# chown http:http /srv/http/pacman-cache<br />
<br />
Use the [https://github.com/nastasie-octavian/nginx_pacman_cache_config/blob/c54eca4776ff162ab492117b80be4df95880d0e2/nginx.conf nginx pacman cache config] as a starting point for {{ic|/etc/nginx/nginx.conf}}. Check that the {{ic|resolver}} directive works for your needs. In the upstream server blocks, configure the {{ic|proxy_pass}} directives with addresses of official mirrors, see examples in the config file about the expected format. Once you are satisfied with the configuration file [[Nginx#Running|start and enable nginx]].<br />
<br />
In order to use the cache each Arch Linux computer (including the one hosting the cache) must have the following line at the top of the {{ic|mirrorlist}} file:<br />
<br />
{{hc|/etc/pacman.d/mirrorlist|<nowiki><br />
Server = http://cache.domain.example:8080/$repo/os/$arch<br />
...<br />
</nowiki>}}<br />
<br />
{{Note| You will need to create a method to clear old packages, as the cache directory will continue to grow over time. {{ic|paccache}} (which is provided by {{pkg|pacman-contrib}}) can be used to automate this using retention criteria of your choosing. For example, {{ic|find /srv/http/pacman-cache/ -type d -exec paccache -v -r -k 2 -c {} \;}} will keep the last 2 versions of packages in your cache directory.}}<br />
<br />
==== Pacoloco proxy cache server ====<br />
<br />
[https://github.com/anatol/pacoloco Pacoloco] is an easy-to-use proxy cache server for pacman repositories. It can be installed as {{pkg|pacoloco}}. Open the configuration file and add pacman mirrors:<br />
<br />
{{hc|/etc/pacoloco.yaml|<nowiki><br />
port: 9129<br />
repos:<br />
  mycopy:<br />
    urls:<br />
      - http://mirror.lty.me/archlinux<br />
      - http://mirrors.kernel.org/archlinux<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|pacoloco.service}} and the proxy repository will be available at {{ic|http://<myserver>:9129/repo/mycopy}}.<br />
<br />
==== Flexo proxy cache server ====<br />
<br />
[https://github.com/nroi/flexo Flexo] is yet another proxy cache server for pacman repositories. Flexo is available on the AUR: {{AUR|flexo-git}}. Once installed, [[start]] the {{ic|flexo.service}} service with systemd.<br />
<br />
Flexo runs on port 7878 by default. Enter {{ic|1=Server = http://''myserver'':7878/$repo/os/$arch}} to the top of your {{ic|/etc/pacman.d/mirrorlist}} so that pacman downloads packages via Flexo.<br />
<br />
==== Synchronize pacman package cache using synchronization programs ====<br />
<br />
Use [[Syncthing]] or [[Resilio Sync]] to synchronize the ''pacman'' cache folders (i.e. {{ic|/var/cache/pacman/pkg}}).<br />
<br />
==== Preventing unwanted cache purges ====<br />
<br />
By default, {{Ic|pacman -Sc}} removes package tarballs from the cache that correspond to packages that are not installed on the machine the command was issued on. Because ''pacman'' cannot predict what packages are installed on all machines that share the cache, it will end up deleting files that should not be deleted.<br />
<br />
To clean up the cache so that only ''outdated'' tarballs are deleted, add this entry in the {{ic|[options]}} section of {{ic|/etc/pacman.conf}}:<br />
<br />
CleanMethod = KeepCurrent<br />
<br />
=== Recreate a package from the file system ===<br />
<br />
To recreate a package from the file system, use {{AUR|fakepkg}}. Files from the system are taken as they are, hence any modifications will be present in the assembled package. Distributing the recreated package is therefore discouraged; see [[ABS]] and [[Arch Linux Archive]] for alternatives.<br />
<br />
=== List of installed packages ===<br />
<br />
Keeping a list of all the explicitly installed packages can be useful, for example to back up a system or to speed up installation on a new system:<br />
<br />
$ pacman -Qqe > pkglist.txt<br />
<br />
{{Note|<br />
* With option {{ic|-t}}, the packages already required by other explicitly installed packages are not mentioned. If reinstalling from this list they will be installed but as dependencies only.<br />
* With option {{ic|-n}}, foreign packages (e.g. from [[AUR]]) would be omitted from the list.<br />
* Use {{ic|comm -13 <(pacman -Qqdt {{!}} sort) <(pacman -Qqdtt {{!}} sort) > optdeplist.txt}} to also create a list of the installed optional dependencies which can be reinstalled with {{ic|--asdeps}}.<br />
* Use {{ic|pacman -Qqem > foreignpkglist.txt}} to create the list of AUR and other foreign packages that have been explicitly installed.}}<br />
<br />
To keep an up-to-date list of explicitly installed packages (e.g. in combination with a versioned {{ic|/etc/}}), you can set up a [[Pacman#Hooks|hook]]. Example:<br />
<br />
[Trigger]<br />
Operation = Install<br />
Operation = Remove<br />
Type = Package<br />
Target = *<br />
<br />
[Action]<br />
When = PostTransaction<br />
Exec = /bin/sh -c '/usr/bin/pacman -Qqe > /etc/pkglist.txt'<br />
<br />
=== Install packages from a list ===<br />
<br />
To install packages from a previously saved list of packages, while not reinstalling previously installed packages that are already up-to-date, run:<br />
<br />
# pacman -S --needed - < pkglist.txt<br />
<br />
However, the list is likely to contain foreign packages, such as packages from the AUR or packages installed locally. To filter the foreign packages out of the list, the previous command line can be extended as follows:<br />
<br />
# pacman -S --needed $(comm -12 <(pacman -Slq | sort) <(sort pkglist.txt))<br />
<br />
Finally, to make sure the installed packages of your system match the list and remove all the packages that are not mentioned in it:<br />
<br />
# pacman -Rsu $(comm -23 <(pacman -Qq | sort) <(sort pkglist.txt))<br />
<br />
{{Tip|These tasks can be automated. See {{AUR|bacpac}}, {{AUR|packup}}, {{AUR|pacmanity}}, and {{AUR|pug}} for examples.}}<br />
<br />
=== Listing all changed files from packages ===<br />
<br />
If you suspect file corruption (e.g. by software/hardware failure), but are unsure if files were corrupted, you might want to compare with the hash sums in the packages. This can be done with {{Pkg|pacutils}}:<br />
<br />
# paccheck --md5sum --quiet<br />
<br />
For recovery of the database see [[#Restore pacman's local database]]. The {{ic|mtree}} files can also be [[#Viewing a single file inside a .pkg file|extracted as {{ic|.MTREE}} from the respective package files]].<br />
<br />
{{Note|This should '''not''' be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.}}<br />
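<br />
The check described in the note above, for the case where the installed system is mounted from a live medium and the {{ic|.MTREE}} manifest comes from a package file obtained from an independent, trusted source, as an added example that is not part of the original page. The function names, the decompressed manifest file and the demo tree are assumptions; the sample data is constructed.<br />
<br />
```shell
#!/bin/sh
# Added example: compare files under a mounted root against the SHA-256 sums in
# a package's .MTREE manifest. Obtain the manifest from a package file fetched
# from a trusted source, e.g. (package file name is a placeholder):
#   bsdtar -xOf package.pkg.tar.zst .MTREE | gzip -dc > manifest.txt

# verify_mtree MANIFEST ROOT
# Prints "CHANGED <path>" or "MISSING <path>" (missing or no longer a regular
# file) for each mismatch and returns 1 if there was any.
# File modes and ownership are not compared here.
verify_mtree() {
    manifest=$1
    root=$2
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            './.PKGINFO '*|'./.BUILDINFO '*|'./.INSTALL '*|'./.CHANGELOG '*)
                continue ;;              # package metadata, never installed
            ./*' sha256digest='*) ;;     # regular file entry
            *) continue ;;               # comments, /set, directories, symlinks
        esac
        path=${line%% *}
        digest=${line##* sha256digest=}
        digest=${digest%% *}
        # mtree writes special characters as \ooo octal escapes; decode them by
        # using the path as a printf format (with % made literal).
        rel=$(printf "$(printf '%s' "$path" | sed 's/%/%%/g')")
        rel=${rel#.}
        file=$root$rel
        if [ ! -f "$file" ] || [ -L "$file" ]; then
            printf 'MISSING %s\n' "$rel"
            status=1
            continue
        fi
        # Hash via stdin so the file name never appears in sha256sum's output.
        actual=$(sha256sum < "$file" 2>/dev/null) || actual=
        actual=${actual%% *}
        if [ "$actual" != "$digest" ]; then
            printf 'CHANGED %s\n' "$rel"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# Constructed demonstration: a small tree with one intact file (whose path
# contains a space), one altered file and one removed file.
demo_verify() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/root/usr/bin" "$tmp/root/etc/my app"
    printf 'original tool\n' > "$tmp/root/usr/bin/tool"
    printf 'setting=1\n'     > "$tmp/root/etc/my app/conf"
    printf 'helper\n'        > "$tmp/root/usr/bin/helper"
    {
        printf '%s\n' '#mtree' '/set type=file uid=0 gid=0 mode=644'
        printf '%s\n' './.PKGINFO time=0.0 size=1 sha256digest=00'
        printf '%s\n' './usr time=0.0 mode=755 type=dir'
        for f in usr/bin/tool 'etc/my app/conf' usr/bin/helper; do
            sum=$(sha256sum < "$tmp/root/$f")
            sum=${sum%% *}
            enc=$(printf '%s' "$f" | sed 's/ /\\040/g')
            printf '%s\n' "./$enc time=0.0 size=1 sha256digest=$sum"
        done
    } > "$tmp/MTREE"
    printf 'tampered\n' > "$tmp/root/usr/bin/tool"   # simulate a modification
    rm "$tmp/root/usr/bin/helper"                     # simulate a removal
    verify_mtree "$tmp/MTREE" "$tmp/root" || :        # mismatches are expected
    rm -rf "$tmp"
}

demo_verify
```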
<br />
=== Reinstalling all packages ===<br />
To reinstall all native packages, use:<br />
<br />
# pacman -Qqn | pacman -S -<br />
<br />
Foreign (AUR) packages must be reinstalled separately; you can list them with {{ic|pacman -Qqm}}.<br />
<br />
''Pacman'' preserves the [[installation reason]] by default.<br />
<br />
{{Warning|To force all packages to be overwritten, use {{ic|1=--overwrite=*}}, though this should be an absolute last resort. See [[System maintenance#Avoid certain pacman commands]].}}<br />
<br />
=== Restore pacman's local database ===<br />
<br />
See [[Pacman/Restore local database]].<br />
<br />
=== Recovering a USB key from existing install ===<br />
<br />
If you have Arch installed on a USB key and manage to mess it up (e.g. removing it while it is still being written to), then it is possible to re-install all the packages and hopefully get it back up and working again (assuming the USB key is mounted in {{ic|/newarch}}):<br />
<br />
# pacman -S $(pacman -Qq --dbpath /newarch/var/lib/pacman) --root /newarch --dbpath /newarch/var/lib/pacman<br />
<br />
=== Viewing a single file inside a .pkg file ===<br />
<br />
For example, if you want to see the contents of {{ic|/etc/systemd/logind.conf}} supplied within the {{Pkg|systemd}} package:<br />
<br />
$ bsdtar -xOf /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz etc/systemd/logind.conf<br />
<br />
Or you can use {{pkg|vim}} to browse the archive:<br />
<br />
$ vim /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz<br />
<br />
=== Find applications that use libraries from older packages ===<br />
<br />
Even after you install a new version of a package, existing long-running programs (like daemons and servers) keep using code from the old package's libraries. It is a bad idea to leave these programs running if the old library contains a security bug.<br />
<br />
Here is a way to find all the programs that use code from old packages:<br />
<br />
# lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | sort -u<br />
It prints the name of each running program and the old library that was removed or replaced with newer content.<br />
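<br />
The same information can be read directly from {{ic|/proc/''pid''/maps}}, where the kernel marks mappings of unlinked files with {{ic|(deleted)}}. The following script is an added example, not part of the original page; the function names and the sample maps text are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example: report processes that still execute code from library files
# which were removed or replaced on disk (for instance by a package upgrade).

# stale_libs_in_maps LABEL
# Reads text in /proc/<pid>/maps format on stdin and prints "LABEL: /path" for
# every executable, file-backed mapping whose path is marked "(deleted)".
stale_libs_in_maps() {
    awk -v label="$1" '
        # Fields: address perms offset dev inode pathname... [(deleted)]
        NF >= 7 && $NF == "(deleted)" && $2 ~ /x/ && $5 != 0 {
            path = $6                       # rebuild paths containing spaces
            for (i = 7; i < NF; i++) path = path " " $i
            # Shared memory and memfd regions are always "deleted"; skip them.
            if (path ~ /^\/(memfd:|dev\/shm\/|SYSV)/) next
            print label ": " path
        }' | LC_ALL=C sort -u
}

# scan_running_processes
# Applies the filter to every process whose maps file is readable
# (run as root to cover all processes).
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        name=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        stale_libs_in_maps "$name (pid $pid)" 2>/dev/null < "$maps"
    done
}

# Constructed sample in /proc/<pid>/maps format (not taken from a real system).
SAMPLE_MAPS='55d0c0a00000-55d0c0a2c000 r-xp 00000000 08:02 1311 /usr/bin/sshd
7f1a2c000000-7f1a2c1c0000 r-xp 00028000 08:02 2622 /usr/lib/libcrypto.so.3 (deleted)
7f1a2c1c0000-7f1a2c200000 r--p 001e8000 08:02 2622 /usr/lib/libcrypto.so.3 (deleted)
7f1a2c400000-7f1a2c5a0000 r-xp 00026000 08:02 2701 /usr/lib/libc.so.6
7f1a2c800000-7f1a2c801000 r-xp 00000000 00:01 9001 /memfd:jit-cache (deleted)
7f1a2c900000-7f1a2c910000 r-xp 00000000 08:02 2800 /usr/lib/my plugins/libz.so.1 (deleted)
7ffd1b000000-7ffd1b021000 rw-p 00000000 00:00 0 [stack]'

if [ "${1:-}" = "--live" ]; then
    scan_running_processes
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_libs_in_maps "sshd (sample)"
fi
```
<br />
Processes listed by the scan keep the old code in memory until they are restarted.<br />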
<br />
=== Installing only content in required languages ===<br />
<br />
Many packages attempt to install documentation and translations in several languages. Some programs are designed to remove such unnecessary files, such as {{AUR|localepurge}}, which runs after a package is installed to delete the unneeded locale files. A more direct approach is provided through the {{ic|NoExtract}} directive in {{ic|pacman.conf}}, which prevents these files from ever being installed.<br />
<br />
{{Warning|1=Some users noted that removing locales has resulted in [[Special:Permalink/460285#Dangerous NoExtract example|unintended consequences]], even under [https://bbs.archlinux.org/viewtopic.php?id=250846 Xorg].}}<br />
<br />
The example below installs English (US) files, or none at all:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
NoExtract = usr/share/help/* !usr/share/help/C/*<br />
NoExtract = usr/share/gtk-doc/html/*<br />
NoExtract = usr/share/locale/* usr/share/X11/locale/*/* usr/share/i18n/locales/* opt/google/chrome/locales/* !usr/share/X11/locale/C/*<br />
NoExtract = !*locale*/en*/* !usr/share/*locale*/locale.*<br />
NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*<br />
NoExtract = usr/share/i18n/charmaps/* !usr/share/i18n/charmaps/UTF-8.gz<br />
NoExtract = !usr/share/*locales/trans*<br />
NoExtract = usr/share/man/* !usr/share/man/man*<br />
NoExtract = usr/share/vim/vim*/lang/*<br />
NoExtract = usr/lib/libreoffice/help/en-US/*<br />
NoExtract = usr/share/kbd/locale/*<br />
NoExtract = usr/share/*/translations/*.qm usr/share/qt/translations/*.pak !*/en-US.pak # Qt apps<br />
NoExtract = usr/share/*/locales/*.pak opt/*/locales/*.pak usr/lib/*/locales/*.pak !*/en-US.pak # Electron apps<br />
NoExtract = opt/onlyoffice/desktopeditors/dictionaries/* !opt/onlyoffice/desktopeditors/dictionaries/en_US/*<br />
NoExtract = usr/share/ibus/dicts/emoji-*.dict !usr/share/ibus/dicts/emoji-en.dict<br />
}}<br />
<br />
== Performance ==<br />
<br />
=== Download speeds ===<br />
<br />
{{Note|If your download speeds have been reduced to a crawl, ensure you are using one of the many [[mirrors]] and not ftp.archlinux.org, which is [https://archlinux.org/news/302/ throttled since March 2007].}}<br />
<br />
When downloading packages ''pacman'' uses the mirrors in the order they are in {{ic|/etc/pacman.d/mirrorlist}}. However, the mirror at the top of the list by default may not be the fastest for you. To select a faster mirror, see [[Mirrors]].<br />
<br />
''Pacman''<nowiki>'</nowiki>s speed in downloading packages can also be improved by using a different application to download packages, instead of ''pacman''<nowiki>'</nowiki>s built-in file downloader.<br />
<br />
In all cases, make sure you have the latest ''pacman'' before doing any modifications.<br />
<br />
# pacman -Syu<br />
<br />
==== Powerpill ====<br />
<br />
[[Powerpill]] is a ''pacman'' wrapper that uses parallel and segmented downloading to try to speed up downloads for ''pacman''.<br />
<br />
==== wget ====<br />
<br />
Using ''wget'' is also very handy if you need more powerful proxy settings than ''pacman''<nowiki>'</nowiki>s built-in capabilities.<br />
<br />
To use {{ic|wget}}, first [[install]] the {{Pkg|wget}} package then modify {{ic|/etc/pacman.conf}} by uncommenting the following line in the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/wget --passive-ftp --show-progress -c -q -N %u<br />
<br />
Instead of uncommenting the {{ic|wget}} parameters in {{ic|/etc/pacman.conf}}, you can also modify the {{ic|wget}} configuration file directly (the system-wide file is {{ic|/etc/wgetrc}}, per user files are {{ic|$HOME/.wgetrc}}).<br />
<br />
==== aria2 ====<br />
<br />
[[aria2]] is a lightweight download utility with support for resumable and segmented HTTP/HTTPS and FTP downloads. aria2 allows for multiple and simultaneous HTTP/HTTPS and FTP connections to an Arch mirror, which should result in an increase in download speeds for both file and package retrieval.<br />
<br />
{{Note|Using aria2c in ''pacman''<nowiki>'</nowiki>s XferCommand will '''not''' result in parallel downloads of multiple packages. ''Pacman'' invokes the XferCommand with a single package at a time and waits for it to complete before invoking the next. To download multiple packages in parallel, see [[Powerpill]].}}<br />
<br />
Install {{Pkg|aria2}}, then edit {{ic|/etc/pacman.conf}} by adding the following line to the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/aria2c --allow-overwrite=true --continue=true --file-allocation=none --log-level=error --max-tries=2 --max-connection-per-server=2 --max-file-not-found=5 --min-split-size=5M --no-conf --remote-time=true --summary-interval=60 --timeout=5 --dir=/ --out %o %u<br />
<br />
{{Tip|1=[https://bbs.archlinux.org/viewtopic.php?pid=1491879#p1491879 This alternative configuration for using ''pacman'' with aria2] tries to simplify configuration and adds more configuration options.}}<br />
<br />
See {{man|1|aria2c|OPTIONS}} for used aria2c options.<br />
<br />
* {{ic|-d, --dir}}: The directory to store the downloaded file(s) as specified by ''pacman''.<br />
* {{ic|-o, --out}}: The output file name(s) of the downloaded file(s). <br />
* {{ic|%o}}: Variable which represents the local filename(s) as specified by ''pacman''.<br />
* {{ic|%u}}: Variable which represents the download URL as specified by ''pacman''.<br />
<br />
==== Other applications ====<br />
<br />
There are other downloading applications that you can use with ''pacman''. Here they are, and their associated XferCommand settings:<br />
<br />
* {{ic|snarf}}: {{ic|1=XferCommand = /usr/bin/snarf -N %u}}<br />
* {{ic|lftp}}: {{ic|1=XferCommand = /usr/bin/lftp -c pget %u}}<br />
* {{ic|axel}}: {{ic|1=XferCommand = /usr/bin/axel -n 2 -v -a -o %o %u}}<br />
* {{ic|hget}}: {{ic|1=XferCommand = /usr/bin/hget %u -n 2 -skip-tls false}} (please read the [https://github.com/huydx/hget documentation on the GitHub project page] for more info)<br />
* {{ic|saldl}}: {{ic|1=XferCommand = /usr/bin/saldl -c6 -l4 -s2m -o %o %u}} (please read the [https://saldl.github.io documentation on the project page] for more info)<br />
<br />
== Utilities ==<br />
<br />
* {{App|Lostfiles|Script that identifies files not owned by any package.|https://github.com/graysky2/lostfiles|{{Pkg|lostfiles}}}}<br />
* {{App|Pacmatic|''Pacman'' wrapper to check Arch News before upgrading, avoid partial upgrades, and warn about configuration file changes.|http://kmkeen.com/pacmatic|{{Pkg|pacmatic}}}}<br />
* {{App|pacutils|Helper library for libalpm based programs.|https://github.com/andrewgregory/pacutils|{{Pkg|pacutils}}}}<br />
* {{App|[[pkgfile]]|Tool that finds what package owns a file.|https://github.com/falconindy/pkgfile|{{Pkg|pkgfile}}}}<br />
* {{App|pkgtools|Collection of scripts for Arch Linux packages.|https://github.com/Daenyth/pkgtools|{{AUR|pkgtools}}}}<br />
* {{App|pkgtop|Interactive package manager and resource monitor designed for GNU/Linux.|https://github.com/orhun/pkgtop|{{AUR|pkgtop-git}}}}<br />
* {{App|[[Powerpill]]|Uses parallel and segmented downloading through [[aria2]] and [[Reflector]] to try to speed up downloads for ''pacman''.|https://xyne.archlinux.ca/projects/powerpill/|{{AUR|powerpill}}}}<br />
* {{App|repoctl|Tool to help manage local repositories.|https://github.com/cassava/repoctl|{{AUR|repoctl}}}}<br />
* {{App|repose|An Arch Linux repository building tool.|https://github.com/vodik/repose|{{Pkg|repose}}}}<br />
* {{App|[[Snapper#Wrapping_pacman_transactions_in_snapshots|snap-pac]]|Make ''pacman'' automatically use snapper to create pre/post snapshots like openSUSE's YaST.|https://github.com/wesbarnett/snap-pac|{{pkg|snap-pac}}}}<br />
* {{App|vrms-arch|A virtual Richard M. Stallman to tell you which non-free packages are installed.|https://github.com/orospakr/vrms-arch|{{AUR|vrms-arch-git}}}}<br />
<br />
=== Graphical ===<br />
<br />
{{Warning|PackageKit opens up system permissions by default, and is otherwise not recommended for general usage. See {{Bug|50459}} and {{Bug|57943}}.}}<br />
<br />
* {{App|Apper|Qt 5 application and package manager using PackageKit written in C++. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata].|https://userbase.kde.org/Apper|{{Pkg|apper}}}}<br />
* {{App|Discover|Qt 5 application manager using PackageKit written in C++/QML. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://userbase.kde.org/Discover|{{Pkg|discover}}}}<br />
* {{App|GNOME PackageKit|GTK 3 package manager using PackageKit written in C.|https://freedesktop.org/software/PackageKit/|{{Pkg|gnome-packagekit}}}}<br />
* {{App|GNOME Software|GTK 3 application manager using PackageKit written in C. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://wiki.gnome.org/Apps/Software|{{pkg|gnome-software}}}}<br />
* {{App|pcurses|Curses TUI pacman wrapper written in C++.|https://github.com/schuay/pcurses|{{Pkg|pcurses}}}}<br />
* {{App|tkPacman|Tk pacman wrapper written in Tcl.|https://sourceforge.net/projects/tkpacman|{{AUR|tkpacman}}}}</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Pacman/Tips_and_tricks&diff=655346Pacman/Tips and tricks2021-03-19T09:44:07Z<p>Yuvadm: Remove whitespace</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Package manager]]<br />
[[de:Pacman-Tipps]]<br />
[[es:Pacman (Español)/Tips and tricks]]<br />
[[fa:Pacman tips]]<br />
[[fr:Pacman/Trucs et Astuces]]<br />
[[it:Pacman (Italiano)/Tips and tricks]]<br />
[[ja:Pacman ヒント]]<br />
[[pt:Pacman (Português)/Tips and tricks]]<br />
[[ru:Pacman (Русский)/Tips and tricks]]<br />
[[zh-hans:Pacman (简体中文)/Tips and tricks]]<br />
{{Related articles start}}<br />
{{Related|Mirrors}}<br />
{{Related|Creating packages}}<br />
{{Related articles end}}<br />
For general methods to improve the flexibility of the provided tips or ''pacman'' itself, see [[Core utilities]] and [[Bash]].<br />
<br />
== Maintenance ==<br />
<br />
{{Expansion|{{ic|1=Usage=}} introduced with pacman 4.2, see [http://allanmcrae.com/2014/12/pacman-4-2-released/]}}<br />
<br />
{{Note|Instead of using ''comm'' (which requires sorted input with ''sort'') in the sections below, you may also use {{ic|grep -Fxf}} or {{ic|grep -Fxvf}}.}}<br />
<br />
See also [[System maintenance]].<br />
<br />
=== Listing packages ===<br />
<br />
==== With version ====<br />
<br />
You may want to get the list of installed packages with their version, which is useful when reporting bugs or discussing installed packages.<br />
<br />
* List all explicitly installed packages: {{ic|pacman -Qe}}.<br />
* List all packages in the [[package group]] named {{ic|''group''}}: {{ic|pacman -Sg ''group''}}<br />
* List all foreign packages (typically manually downloaded and installed or packages removed from the repositories): {{ic|pacman -Qm}}.<br />
* List all native packages (installed from the sync database(s)): {{ic|pacman -Qn}}.<br />
* List all explicitly installed native packages (i.e. present in the sync database) that are not direct or optional dependencies: {{ic|pacman -Qent}}.<br />
* List packages by regex: {{ic|pacman -Qs ''regex''}}.<br />
* List packages by regex with custom output format (needs {{Pkg|expac}}): {{ic|expac -s "%-30n %v" ''regex''}}.<br />
<br />
==== With size ====<br />
<br />
Figuring out which packages are largest can be useful when trying to free space on your hard drive. There are two options here: get the size of individual packages, or get the size of packages and their dependencies.<br />
<br />
===== Individual packages =====<br />
<br />
The following command will list all installed packages and their individual sizes:<br />
<br />
$ LC_ALL=C pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -h<br />
<br />
===== Packages and dependencies =====<br />
<br />
To list package sizes with their dependencies:<br />
<br />
* Install {{Pkg|expac}} and run {{ic|<nowiki>expac -H M '%m\t%n' | sort -h</nowiki>}}.<br />
* Run {{Pkg|pacgraph}} with the {{ic|-c}} option.<br />
<br />
To list the download size of several packages (leave {{ic|''packages''}} blank to list all packages):<br />
<br />
$ expac -S -H M '%k\t%n' ''packages''<br />
<br />
To list explicitly installed packages not in the [[meta package]] {{Pkg|base}} nor [[package group]] {{Grp|base-devel}} with size and description:<br />
<br />
$ expac -H M "%011m\t%-20n\t%10d" $(comm -23 <(pacman -Qqen | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort | uniq)) | sort -n<br />
<br />
To list the packages marked for upgrade with their download size:<br />
<br />
$ expac -S -H M '%k\t%n' $(pacman -Qqu) | sort -sh<br />
<br />
==== By date ====<br />
<br />
To list the 20 last installed packages with {{Pkg|expac}}, run:<br />
<br />
$ expac --timefmt='%Y-%m-%d %T' '%l\t%n' | sort | tail -n 20<br />
<br />
or, with seconds since the epoch (1970-01-01 UTC):<br />
<br />
$ expac --timefmt=%s '%l\t%n' | sort -n | tail -n 20<br />
<br />
==== Not in a specified group, repository or meta package ====<br />
<br />
{{Note|To get a list of packages installed as dependencies but no longer required by any installed package, see [[#Removing unused packages (orphans)]].<br />
}}<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} [[meta package]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <(expac -l '\n' '%E' base | sort)<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} meta package or {{Grp|base-devel}} [[package group]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
List all installed packages unrequired by other packages, and which are not in the {{Pkg|base}} meta package or {{Grp|base-devel}} package group:<br />
<br />
$ comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
As above, but with descriptions:<br />
<br />
$ expac -H M '%-20n\t%10d' $(comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u))<br />
<br />
List all installed packages that are ''not'' in the specified repository ''repo_name'':<br />
<br />
$ comm -23 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all installed packages that are in the ''repo_name'' repository:<br />
<br />
$ comm -12 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all packages on the Arch Linux ISO that are not in the {{Pkg|base}} meta package:<br />
<br />
<nowiki>$ comm -23 <(curl https://gitlab.archlinux.org/archlinux/archiso/-/raw/master/configs/releng/packages.x86_64) <(expac -l '\n' '%E' base | sort)</nowiki><br />
<br />
==== Development packages ====<br />
<br />
To list all development/unstable packages, run:<br />
<br />
$ pacman -Qq | grep -Ee '-(bzr|cvs|darcs|git|hg|svn)$'<br />
<br />
=== Browsing packages ===<br />
<br />
To browse all installed packages with an instant preview of each package:<br />
<br />
$ pacman -Qq | fzf --preview 'pacman -Qil {}' --layout=reverse --bind 'enter:execute(pacman -Qil {} | less)'<br />
<br />
This uses [[fzf]] to present a two-pane view listing all packages with package info shown on the right.<br />
<br />
Enter letters to filter the list of packages; use arrow keys (or {{ic|Ctrl-j}}/{{ic|Ctrl-k}}) to navigate; press {{ic|Enter}} to see package info under ''less''.<br />
<br />
To browse all packages currently known to pacman (both installed and not yet installed) in a similar way, using fzf, use:<br />
<br />
 $ pacman -Slq | fzf --preview 'pacman -Si {}' --layout=reverse<br />
<br />
The navigational keybindings are the same, although Enter will not work in the same way.<br />
<br />
=== Listing files owned by a package with size ===<br />
<br />
This one might come in handy if you have found that a specific package uses a huge amount of space and you want to find out which files make up the most of that.<br />
<br />
$ pacman -Qlq ''package'' | grep -v '/$' | xargs -r du -h | sort -h<br />
<br />
=== Identify files not owned by any package ===<br />
<br />
If your system has stray files not owned by any package (a common case if you do not [[Enhance system stability#Use the package manager to install software|use the package manager to install software]]), you may want to find such files in order to clean them up.<br />
<br />
One method is to run {{ic|pacreport --unowned-files}} from {{Pkg|pacutils}} as the root user, which lists unowned files among other details.<br />
<br />
Another is to list all files of interest and check them against pacman:<br />
<br />
# find /etc /usr /opt /var | LC_ALL=C pacman -Qqo - 2>&1 >&- >/dev/null | cut -d ' ' -f 5-<br />
<br />
{{Tip|The {{Pkg|lostfiles}} script performs similar steps, but also includes an extensive blacklist to remove common false positives from the output.}}<br />
<br />
=== Tracking unowned files created by packages ===<br />
<br />
Most systems will slowly collect several [http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html#S3-RPM-INSIDE-FLIST-GHOST-DIRECTIVE ghost] files such as state files, logs, indexes, etc. through the course of usual operation.<br />
<br />
{{ic|pacreport}} from {{Pkg|pacutils}} can be used to track these files and their associations via {{ic|/etc/pacreport.conf}} (see {{man|1|pacreport|FILES}}).<br />
<br />
An example may look something like this (abridged):<br />
<br />
{{hc|/etc/pacreport.conf|<nowiki><br />
[Options]<br />
IgnoreUnowned = usr/share/applications/mimeinfo.cache<br />
<br />
[PkgIgnoreUnowned]<br />
alsa-utils = var/lib/alsa/asound.state<br />
bluez = var/lib/bluetooth<br />
ca-certificates = etc/ca-certificates/trust-source/*<br />
dbus = var/lib/dbus/machine-id<br />
glibc = etc/ld.so.cache<br />
grub = boot/grub/*<br />
linux = boot/initramfs-linux.img<br />
pacman = var/lib/pacman/local<br />
update-mime-database = usr/share/mime/magic<br />
</nowiki>}}<br />
<br />
Then, when using {{ic|pacreport --unowned-files}} as the root user, any unowned files will be listed if the associated package is no longer installed (or if any new files have been created).<br />
<br />
Additionally, [https://github.com/CyberShadow/aconfmgr aconfmgr] ({{AUR|aconfmgr-git}}) allows tracking modified and orphaned files using a configuration script.<br />
<br />
=== Removing unused packages (orphans) ===<br />
<br />
For recursively removing orphans and their configuration files:<br />
<br />
# pacman -Qtdq | pacman -Rns -<br />
<br />
If no orphans were found, the output is {{ic|error: argument '-' specified with empty stdin}}. This is expected as no arguments were passed to {{ic|pacman -Rns}}.<br />
<br />
{{Note|The arguments {{ic|-Qt}} list only true orphans. To include packages which are ''optionally'' required by another package, pass the {{ic|-t}} flag twice (''i.e.'', {{ic|-Qtt}}).}}<br />
<br />
=== Removing everything but essential packages ===<br />
<br />
If it is ever necessary to remove all packages except the essential packages, one method is to set the installation reason of the non-essential ones as dependency and then remove all unnecessary dependencies.<br />
<br />
First, for all explicitly installed packages, change their installation reason to "as dependency":<br />
<br />
# pacman -D --asdeps $(pacman -Qqe)<br />
<br />
Then, change the installation reason back to "explicitly installed" for only the essential packages, those you '''do not''' want to remove, so that they are not targeted:<br />
<br />
# pacman -D --asexplicit base linux linux-firmware<br />
<br />
{{Note|<br />
* Additional packages can be added to the above command in order to avoid being removed. See [[Installation guide#Install essential packages]] for more info on other packages that may be necessary for a fully functional base system.<br />
* This will also select the bootloader's package for removal. The system should still be bootable, but the boot parameters might not be changeable without it.<br />
}}<br />
<br />
Finally, follow the instructions in [[#Removing unused packages (orphans)]] to remove all packages that have installation reason "as dependency".<br />
<br />
=== Getting the dependencies list of several packages ===<br />
<br />
Dependencies are alphabetically sorted and duplicates are removed.<br />
<br />
{{Note|To only show the tree of local installed packages, use {{ic|pacman -Qi}}.}}<br />
<br />
$ LC_ALL=C pacman -Si ''packages'' | awk -F'[:<=>]' '/^Depends/ {print $2}' | xargs -n1 | sort -u<br />
<br />
Alternatively, with {{Pkg|expac}}: <br />
<br />
$ expac -l '\n' %E -S ''packages'' | sort -u<br />
<br />
=== Listing changed backup files ===<br />
<br />
{{Accuracy|What is the connection of this section to [[System backup]]? Listing modified "backup files" does not show files which are not tracked by pacman.|section=Warning about listing changed backup files}}<br />
<br />
If you want to back up your system configuration files, you could copy all files in {{ic|/etc/}} but usually you are only interested in the files that you have changed. Modified [[Pacnew_and_Pacsave_files#Package_backup_files|backup files]] can be viewed with the following command:<br />
<br />
# pacman -Qii | awk '/^MODIFIED/ {print $2}'<br />
<br />
Running this command with root permissions will ensure that files readable only by root (such as {{ic|/etc/sudoers}}) are included in the output.<br />
<br />
{{Tip|See [[#Listing all changed files from packages]] to list all changed files ''pacman'' knows about, not only backup files.}}<br />
<br />
=== Back up the pacman database ===<br />
<br />
The following command can be used to back up the local ''pacman'' database:<br />
<br />
$ tar -cjf pacman_database.tar.bz2 /var/lib/pacman/local<br />
<br />
Store the backup ''pacman'' database file on one or more offline media, such as a USB stick, external hard drive, or CD-R.<br />
<br />
The database can be restored by moving the {{ic|pacman_database.tar.bz2}} file into the {{ic|/}} directory and executing the following command:<br />
<br />
# tar -xjvf pacman_database.tar.bz2<br />
<br />
{{Note|If the ''pacman'' database files are corrupted, and there is no backup file available, there exists some hope of rebuilding the ''pacman'' database. Consult [[#Restore pacman's local database]].}}<br />
<br />
{{Tip|The {{AUR|pakbak-git}} package provides a script and a [[systemd]] service to automate the task. Configuration is possible in {{ic|/etc/pakbak.conf}}.}}<br />
<br />
=== Check changelogs easily ===<br />
<br />
When maintainers update packages, commits are often commented in a useful fashion. Users can quickly check these from the command line by installing {{AUR|pacolog}}. This utility lists recent commit messages for packages from the official repositories or the AUR, by using {{ic|pacolog <package>}}.<br />
<br />
== Installation and recovery ==<br />
<br />
Alternative ways of getting and restoring packages.<br />
<br />
=== Installing packages from a CD/DVD or USB stick ===<br />
<br />
{{Merge|#Custom local repository|Use as an example and avoid duplication}}<br />
<br />
To download packages, or groups of packages:<br />
<br />
# cd ~/Packages<br />
# pacman -Syw --cachedir . base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
Pacman, which will reference the host installation by default, will not download already installed packages. In cases where all packages and dependencies are wanted, it is recommended to create a temporary blank DB and reference it with {{ic|--dbpath}}:<br />
<br />
# mkdir /tmp/blankdb<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
Then you can burn the "Packages" folder to a CD/DVD or transfer it to a USB stick, external HDD, etc.<br />
<br />
To install:<br />
<br />
'''1.''' Mount the media:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sr0 /mnt/repo #For a CD/DVD.<br />
# mount /dev/sdxY /mnt/repo #For a USB stick.<br />
<br />
'''2.''' Edit {{ic|pacman.conf}} and add this repository ''before'' the other ones (e.g. extra, core, etc.). This is important. Do not just uncomment the one on the bottom. This way it ensures that the files from the CD/DVD/USB take precedence over those in the standard repositories:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
[custom]<br />
SigLevel = PackageRequired<br />
Server = file:///mnt/repo/Packages}}<br />
<br />
'''3.''' Finally, synchronize the ''pacman'' database to be able to use the new repository:<br />
<br />
# pacman -Syu<br />
<br />
=== Custom local repository ===<br />
<br />
Use the ''repo-add'' script included with ''pacman'' to generate a database for a personal repository. Use {{ic|repo-add --help}} for more details on its usage. <br />
A package database is a tar file, optionally compressed. Valid extensions are ''.db'' or ''.files'' followed by an archive extension of ''.tar'', ''.tar.gz'', ''.tar.bz2'', ''.tar.xz'', ''.tar.zst'', or ''.tar.Z''. The file does not need to exist, but all parent directories must exist.<br />
<br />
To add a new package to the database, or to replace the old version of an existing package in the database, run:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/package-1.0-1-x86_64.pkg.tar.xz''<br />
<br />
The database and the packages do not need to be in the same directory when using ''repo-add'', but keep in mind that when using ''pacman'' with that database, they should be together. Storing all the built packages to be included in the repository in one directory also allows using shell glob expansion to add or update multiple packages at once:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/*.pkg.tar.xz''<br />
<br />
{{Warning|''repo-add'' adds the entries into the database in the same order as passed on the command line. If multiple versions of the same package are involved, care must be taken to ensure that the correct version is added last. In particular, note that lexical order used by the shell depends on the locale and differs from the {{man|8|vercmp}} ordering used by ''pacman''.}}<br />
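<br />
The ordering problem described in the warning above, as an added example that is not part of ''repo-add'' or ''pacman'': a simplified Python model of the segment-wise comparison that ''vercmp'' performs (an assumption of this example, not pacman's code), used to order package files so that the highest version of each package is passed last. The file names are constructed and {{ic|sorted()}} stands in for shell glob order in the C locale; use ''vercmp'' itself where an authoritative answer is needed.<br />
<br />
```python
import re
from functools import cmp_to_key


def _rpmvercmp(a, b):
    """Compare two version strings segment by segment; return -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) and j < len(b):
        start_i, start_j = i, j
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i == len(a) or j == len(b):
            break
        if i - start_i != j - start_j:          # separator runs differ in length
            return -1 if i - start_i < j - start_j else 1
        same_kind = str.isdigit if a[i].isdigit() else str.isalpha
        end_i, end_j = i, j
        while end_i < len(a) and same_kind(a[end_i]):
            end_i += 1
        while end_j < len(b) and same_kind(b[end_j]):
            end_j += 1
        one, two = a[i:end_i], b[j:end_j]
        numeric = same_kind is str.isdigit
        if not two:                              # digits vs letters: digits win
            return 1 if numeric else -1
        if numeric:                              # compare as numbers, not text
            one, two = one.lstrip("0"), two.lstrip("0")
            if len(one) != len(two):
                return 1 if len(one) > len(two) else -1
        if one != two:
            return -1 if one < two else 1
        i, j = end_i, end_j
    rest_a, rest_b = a[i:], b[j:]
    if not rest_a and not rest_b:
        return 0
    # A leftover letter suffix ("rc", "beta") never beats an empty string.
    if (not rest_a and not rest_b[0].isalpha()) or (rest_a and rest_a[0].isalpha()):
        return -1
    return 1


def _parse_evr(evr):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    m = re.match(r"(\d*):(.*)$", evr)
    epoch, rest = (m.group(1) or "0", m.group(2)) if m else ("0", evr)
    version, sep, release = rest.rpartition("-")
    return (epoch, version, release) if sep else (epoch, rest, None)


def vercmp(a, b):
    """Epoch decides first, then version, then release (if both have one)."""
    (ea, va, ra), (eb, vb, rb) = _parse_evr(a), _parse_evr(b)
    result = _rpmvercmp(ea, eb) or _rpmvercmp(va, vb)
    if result == 0 and ra is not None and rb is not None:
        result = _rpmvercmp(ra, rb)
    return result


def split_filename(path):
    """Return (pkgname, 'pkgver-pkgrel') for name-ver-rel-arch.pkg.tar[.ext]."""
    stem = re.sub(r"\.pkg\.tar(\.\w+)?$", "", path.rsplit("/", 1)[-1])
    name, ver, rel, _arch = stem.rsplit("-", 3)
    return name, ver + "-" + rel


def repo_add_order(paths):
    """Order files so the highest version of each package is passed last."""
    def compare(x, y):
        (nx, vx), (ny, vy) = split_filename(x), split_filename(y)
        return (nx > ny) - (nx < ny) or vercmp(vx, vy)
    return sorted(paths, key=cmp_to_key(compare))


def last_added(paths):
    """Version that remains per package when files are added in this order."""
    return {name: ver for name, ver in map(split_filename, paths)}


# Constructed file names; sorted() gives the C-locale order a shell glob would.
FILES = [
    "foo-1.10-1-x86_64.pkg.tar.xz",
    "foo-1.9-2-x86_64.pkg.tar.xz",
    "foo-1.9-1-x86_64.pkg.tar.xz",
    "bar-2.0-1-any.pkg.tar.zst",
    "bar-2.0rc1-1-any.pkg.tar.zst",
]

if __name__ == "__main__":
    print("glob order  :", last_added(sorted(FILES)))
    print("vercmp order:", last_added(repo_add_order(FILES)))
```
<br />
With the constructed names, glob order leaves ''foo'' 1.9-2 and the ''bar'' release candidate in the database, so clients would be offered versions older than the ones present in the directory.<br />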
<br />
If you are looking to support multiple architectures then precautions should be taken to prevent errors from occurring. Each architecture should have its own directory tree:<br />
<br />
{{hc|$ tree ~/customrepo/ {{!}} sed "s/$(uname -m)/<arch>/g"|<br />
/home/archie/customrepo/<br />
└── <arch><br />
├── customrepo.db -> customrepo.db.tar.xz<br />
├── customrepo.db.tar.xz<br />
├── customrepo.files -> customrepo.files.tar.xz<br />
├── customrepo.files.tar.xz<br />
└── personal-website-git-b99cce0-1-<arch>.pkg.tar.xz<br />
<br />
1 directory, 5 files<br />
}}<br />
<br />
The ''repo-add'' executable checks if the package is appropriate. If this is not the case you will be running into error messages similar to this:<br />
<br />
==> ERROR: '/home/archie/customrepo/<arch>/foo-<arch>.pkg.tar.xz' does not have a valid database archive extension.<br />
<br />
''repo-remove'' removes packages from the package database; only package names are specified on the command line:<br />
<br />
$ repo-remove ''/path/to/repo.db.tar.gz pkgname''<br />
<br />
Once the local repository database has been created, add the repository to {{ic|pacman.conf}} for each system that is to use the repository. An example of a custom repository is in {{ic|pacman.conf}}. The repository's name is the database filename with the file extension omitted. In the case of the example above the repository's name would simply be ''repo''. Reference the repository's location using a {{ic|file://}} URL, or via FTP using ftp://localhost/path/to/directory.<br />
<br />
If you wish, add the custom repository to the [[Unofficial user repositories|list of unofficial user repositories]], so that the community can benefit from it.<br />
<br />
=== Network shared pacman cache ===<br />
{{Merge|Package_Proxy_Cache|Same topic}}<br />
If you happen to run several Arch boxes on your LAN, you can share packages so that you can greatly decrease your download times. Keep in mind you should not share between different architectures (e.g. i686 and x86_64) or you will run into problems.<br />
<br />
==== Read-only cache ====<br />
<br />
If you are looking for a quick solution, you can simply run a standalone webserver, e.g. {{Pkg|darkhttpd}}, which other computers can use as a first mirror:<br />
<br />
# ln -s /var/lib/pacman/sync/*.db /var/cache/pacman/pkg<br />
$ sudo -u http darkhttpd /var/cache/pacman/pkg --no-server-id<br />
<br />
You could also run darkhttpd as a systemd service for convenience. Just add this server at the top of your {{ic|/etc/pacman.d/mirrorlist}} in client machines with {{ic|1=Server = http&#58;//mymirror:8080}}. Make sure to keep your mirror updated.<br />
<br />
If you are already running a web server for some other purpose, you might wish to reuse that as your local repo server instead of darkhttpd. For example, if you already serve a site with [[nginx]], you can add an nginx server block listening on port 8080:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
server {<br />
listen 8080;<br />
root /var/cache/pacman/pkg;<br />
server_name myarchrepo.localdomain;<br />
try_files $uri $uri/;<br />
}<br />
}}<br />
<br />
Remember to restart nginx after making this change.<br />
<br />
Whichever web server you use, remember to open port 8080 to local traffic (and you probably want to deny anything not local), so add a rule like the following to [[iptables]]:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT<br />
}}<br />
<br />
Remember to restart iptables after making this change.<br />
<br />
==== Overlay mount of read-only cache ====<br />
<br />
It is possible to use one machine on a local network as a read-only package cache by [[Overlay_filesystem|overlay mounting]] its {{ic|/var/cache/pacman/pkg}} directory. Such a configuration is advantageous if this server has installed on it a reasonably comprehensive selection of up-to-date packages which are also used by other boxes. This is useful for maintaining a number of machines at the end of a low bandwidth upstream connection.<br />
<br />
As an example, to use this method:<br />
<br />
# mkdir /tmp/remote_pkg /mnt/workdir_pkg /tmp/pacman_pkg<br />
# sshfs <remote_username>@<remote_pkgcache_addr>:/var/cache/pacman/pkg /tmp/remote_pkg -C<br />
# mount -t overlay overlay -o lowerdir=/tmp/remote_pkg,upperdir=/var/cache/pacman/pkg,workdir=/mnt/workdir_pkg /tmp/pacman_pkg<br />
<br />
[[Overlay_filesystem#Usage|Note concerning overlay]]: The working directory must be an empty directory on the same mounted device as the upper directory.<br />
<br />
After this, run pacman using the option {{ic|--cachedir /tmp/pacman_pkg}}, e.g.:<br />
<br />
# pacman -Syu --cachedir /tmp/pacman_pkg<br />
<br />
==== Distributed read-only cache ====<br />
<br />
There are Arch-specific tools for automatically discovering other computers on your network offering a package cache. Try {{Pkg|pacredir}}, [[pacserve]], {{AUR|pkgdistcache}}, or {{AUR|paclan}}. pkgdistcache uses Avahi instead of plain UDP which may work better in certain home networks that route instead of bridge between WiFi and Ethernet.<br />
<br />
Historically, there was [https://bbs.archlinux.org/viewtopic.php?id=64391 PkgD] and [https://github.com/toofishes/multipkg multipkg], but they are no longer maintained.<br />
<br />
==== Read-write cache ====<br />
<br />
In order to share packages between multiple computers, simply share {{ic|/var/cache/pacman/}} using any network-based mount protocol. This section shows how to use [[shfs]] or [[SSHFS]] to share a package cache plus the related library-directories between multiple computers on the same local network. Keep in mind that a network shared cache can be slow depending on the file-system choice, among other factors.<br />
<br />
First, install any network-supporting filesystem packages: {{pkg|shfs-utils}}, {{pkg|sshfs}}, {{pkg|curlftpfs}}, {{pkg|samba}} or {{pkg|nfs-utils}}.<br />
<br />
{{Tip|<br />
* To use ''sshfs'' or ''shfs'', consider reading [[Using SSH Keys]].<br />
* By default, ''smbfs'' does not serve filenames that contain colons, which results in the client downloading the offending package afresh. To prevent this, use the {{ic|mapchars}} mount option on the client.<br />
}}<br />
<br />
Then, to share the actual packages, mount {{ic|/var/cache/pacman/pkg}} from the server to {{ic|/var/cache/pacman/pkg}} on every client machine.<br />
<br />
{{Warning|Do not make {{ic|/var/cache/pacman/pkg}} or any of its ancestors (e.g., {{ic|/var}}) a symlink. ''Pacman'' expects these to be directories. When ''pacman'' re-installs or upgrades itself, it will remove the symlinks and create empty directories instead. However during the transaction ''pacman'' relies on some files residing there, hence breaking the update process. Refer to {{bug|50298}} for further details.}}<br />
<br />
==== Two-way with rsync ====<br />
<br />
Another approach in a local environment is [[rsync]]. Choose a server for caching and enable the [[Rsync#rsync daemon]]. On clients synchronize two-way with this share via the rsync protocol. Filenames that contain colons are no problem for the rsync protocol.<br />
<br />
Draft example for a client; using {{ic|uname -m}} within the share name ensures an architecture-dependent sync:<br />
# rsync rsync://server/share_$(uname -m)/ /var/cache/pacman/pkg/ ...<br />
# pacman ...<br />
# paccache ...<br />
# rsync /var/cache/pacman/pkg/ rsync://server/share_$(uname -m)/ ...<br />
<br />
==== Dynamic reverse proxy cache using nginx ====<br />
<br />
[[nginx]] can be used to proxy package requests to official upstream mirrors and cache the results to the local disk. All subsequent requests for that package will be served directly from the local cache, minimizing the amount of internet traffic needed to update a large number of computers. <br />
<br />
In this example, the cache server will run at {{ic|<nowiki>http://cache.domain.example:8080/</nowiki>}} and store the packages in {{ic|/srv/http/pacman-cache/}}. <br />
<br />
Install [[nginx]] on the computer that is going to host the cache. Create the directory for the cache and adjust the permissions so nginx can write files to it:<br />
<br />
# mkdir /srv/http/pacman-cache<br />
# chown http:http /srv/http/pacman-cache<br />
<br />
Use the [https://github.com/nastasie-octavian/nginx_pacman_cache_config/blob/c54eca4776ff162ab492117b80be4df95880d0e2/nginx.conf nginx pacman cache config] as a starting point for {{ic|/etc/nginx/nginx.conf}}. Check that the {{ic|resolver}} directive works for your needs. In the upstream server blocks, configure the {{ic|proxy_pass}} directives with addresses of official mirrors; see the examples in the config file for the expected format. Once you are satisfied with the configuration file, [[Nginx#Running|start and enable nginx]].<br />
<br />
In order to use the cache, each Arch Linux computer (including the one hosting the cache) must have the following line at the top of the {{ic|mirrorlist}} file:<br />
<br />
{{hc|/etc/pacman.d/mirrorlist|<nowiki><br />
Server = http://cache.domain.example:8080/$repo/os/$arch<br />
...<br />
</nowiki>}}<br />
<br />
{{Note| You will need to create a method to clear old packages, as the cache directory will continue to grow over time. {{ic|paccache}} (which is provided by {{pkg|pacman-contrib}}) can be used to automate this using retention criteria of your choosing. For example, {{ic|find /srv/http/pacman-cache/ -type d -exec paccache -v -r -k 2 -c {} \;}} will keep the last 2 versions of packages in your cache directory.}}<br />
<br />
==== Pacoloco proxy cache server ====<br />
<br />
[https://github.com/anatol/pacoloco Pacoloco] is an easy-to-use proxy cache server for pacman repositories. It can be installed as {{pkg|pacoloco}}. Open the configuration file and add pacman mirrors:<br />
<br />
{{hc|/etc/pacoloco.yaml|<nowiki><br />
port: 9129<br />
repos:<br />
mycopy:<br />
urls:<br />
- http://mirror.lty.me/archlinux<br />
- http://mirrors.kernel.org/archlinux<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|pacoloco.service}} and the proxy repository will be available at {{ic|http://<myserver>:9129/repo/mycopy}}.<br />
<br />
==== Flexo proxy cache server ====<br />
<br />
[https://github.com/nroi/flexo Flexo] is yet another proxy cache server for pacman repositories. Flexo is available on the AUR: {{AUR|flexo-git}}. Once installed, [[start]] the {{ic|flexo.service}} service with systemd.<br />
<br />
Flexo runs on port 7878 by default. Add {{ic|1=Server = http://''myserver'':7878/$repo/os/$arch}} to the top of your {{ic|/etc/pacman.d/mirrorlist}} so that pacman downloads packages via Flexo.<br />
<br />
==== Synchronize pacman package cache using synchronization programs ====<br />
<br />
Use [[Syncthing]] or [[Resilio Sync]] to synchronize the ''pacman'' cache folders (i.e. {{ic|/var/cache/pacman/pkg}}).<br />
<br />
==== Preventing unwanted cache purges ====<br />
<br />
By default, {{Ic|pacman -Sc}} removes package tarballs from the cache that correspond to packages that are not installed on the machine the command was issued on. Because ''pacman'' cannot predict what packages are installed on all machines that share the cache, it will end up deleting files that should not be.<br />
<br />
To clean up the cache so that only ''outdated'' tarballs are deleted, add this entry in the {{ic|[options]}} section of {{ic|/etc/pacman.conf}}:<br />
<br />
CleanMethod = KeepCurrent<br />
<br />
=== Recreate a package from the file system ===<br />
<br />
To recreate a package from the file system, use {{AUR|fakepkg}}. Files from the system are taken as they are, hence any modifications will be present in the assembled package. Distributing the recreated package is therefore discouraged; see [[ABS]] and [[Arch Linux Archive]] for alternatives.<br />
<br />
=== List of installed packages ===<br />
<br />
Keeping a list of all the explicitly installed packages can be useful, for example to back up a system or to speed up installation on a new system:<br />
<br />
$ pacman -Qqe > pkglist.txt<br />
<br />
{{Note|<br />
* With option {{ic|-t}}, the packages already required by other explicitly installed packages are not mentioned. If reinstalling from this list they will be installed but as dependencies only.<br />
* With option {{ic|-n}}, foreign packages (e.g. from [[AUR]]) would be omitted from the list.<br />
* Use {{ic|comm -13 <(pacman -Qqdt {{!}} sort) <(pacman -Qqdtt {{!}} sort) > optdeplist.txt}} to also create a list of the installed optional dependencies which can be reinstalled with {{ic|--asdeps}}.<br />
* Use {{ic|pacman -Qqem > foreignpkglist.txt}} to create the list of AUR and other foreign packages that have been explicitly installed.}}<br />
<br />
To keep an up-to-date list of explicitly installed packages (e.g. in combination with a versioned {{ic|/etc/}}), you can set up a [[Pacman#Hooks|hook]]. Example:<br />
<br />
[Trigger]<br />
Operation = Install<br />
Operation = Remove<br />
Type = Package<br />
Target = *<br />
<br />
[Action]<br />
When = PostTransaction<br />
Exec = /bin/sh -c '/usr/bin/pacman -Qqe > /etc/pkglist.txt'<br />
<br />
=== Install packages from a list ===<br />
<br />
To install packages from a previously saved list of packages, while not reinstalling previously installed packages that are already up-to-date, run:<br />
<br />
# pacman -S --needed - < pkglist.txt<br />
<br />
However, the list is likely to contain foreign packages, such as packages from the AUR or packages installed locally. To filter the foreign packages out of the list, extend the previous command as follows:<br />
<br />
# pacman -S --needed $(comm -12 <(pacman -Slq | sort) <(sort pkglist.txt))<br />
<br />
Finally, to make sure the installed packages of your system match the list and remove all the packages that are not mentioned in it:<br />
<br />
# pacman -Rsu $(comm -23 <(pacman -Qq | sort) <(sort pkglist.txt))<br />
<br />
{{Tip|These tasks can be automated. See {{AUR|bacpac}}, {{AUR|packup}}, {{AUR|pacmanity}}, and {{AUR|pug}} for examples.}}<br />
<br />
=== Listing all changed files from packages ===<br />
<br />
If you suspect file corruption (e.g. caused by a software or hardware failure) but are unsure if files were corrupted, you might want to compare the installed files with the hash sums in the packages. This can be done with {{Pkg|pacutils}}:<br />
<br />
# paccheck --md5sum --quiet<br />
<br />
For recovery of the database see [[#Restore pacman's local database]]. The {{ic|mtree}} files can also be [[#Viewing a single file inside a .pkg file|extracted as {{ic|.MTREE}} from the respective package files]].<br />
<br />
{{Note|This should '''not''' be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.}}<br />
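<br />
One way to follow the advice in the note above, as an added example that is not part of the original page: boot a live medium, mount the installed system (assumed here at {{ic|/mnt}}) and compare its files with the {{ic|sha256digest}} entries of the {{ic|.MTREE}} taken from a package file obtained from a trusted source. The function names and the sample tree are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: check installed files against the sha256digest entries of a
# package .MTREE that comes from a trusted copy of the package.
# Assumed usage (not from the page), run from a live medium with the system at /mnt:
#   bsdtar -xOf <trusted-package-file> .MTREE | gzip -dc | verify_mtree /mnt

# mtree_digests: read decompressed .MTREE text on stdin and print
# "sha256<TAB>/path" for every entry that carries a content hash.
mtree_digests() {
    LC_ALL=C awk '
        # mtree encodes special bytes in paths as \ooo octal escapes (space = \040)
        function unescape(s,    out, i, c) {
            out = ""
            while ((i = match(s, /\\[0-7][0-7][0-7]/)) > 0) {
                c = substr(s, i + 1, 1) * 64 + substr(s, i + 2, 1) * 8 + substr(s, i + 3, 1)
                out = out substr(s, 1, i - 1) sprintf("%c", c)
                s = substr(s, i + 4)
            }
            return out s
        }
        /^\.\// {
            digest = ""
            for (n = 2; n <= NF; n++)
                if ($n ~ /^sha256digest=/) digest = substr($n, 14)
            if (digest == "") next              # directories and symlinks have no hash
            path = unescape(substr($1, 2))
            if (path ~ /^\/\.[A-Z]+$/) next     # .PKGINFO, .BUILDINFO etc. are not installed
            print digest "\t" path
        }'
}

# verify_mtree ROOT: compare files under ROOT with the digests read from stdin.
# Prints one line per problem and returns 1 if any file is missing or modified.
verify_mtree() {
    root=${1%/}
    tab=$(printf '\t')
    rc=0
    list=$(mtree_digests)
    while IFS="$tab" read -r want path; do
        [ -n "$want" ] || continue
        file=$root$path
        # a symlink where the package ships a regular file counts as missing
        if [ -L "$file" ] || [ ! -f "$file" ]; then
            printf 'MISSING\t%s\n' "$path"; rc=1
            continue
        fi
        have=$(sha256sum < "$file" | cut -d ' ' -f 1)
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED\t%s\n' "$path"; rc=1
        fi
    done <<EOF
$list
EOF
    return "$rc"
}

# make_sample DIR: build a constructed "installed" tree and its matching mtree.
make_sample() {
    mkdir -p "$1/root/usr/bin" "$1/root/usr/share/my docs"
    printf 'original tool\n' > "$1/root/usr/bin/tool"
    printf 'readme\n' > "$1/root/usr/share/my docs/README"
    {
        echo '#mtree'
        echo '/set type=file uid=0 gid=0 mode=644'
        echo './.PKGINFO time=0.0 size=1 sha256digest=00'
        echo './usr time=0.0 mode=755 type=dir'
        printf './usr/bin/tool time=0.0 mode=755 sha256digest=%s\n' \
            "$(sha256sum < "$1/root/usr/bin/tool" | cut -d ' ' -f 1)"
        printf './usr/share/my\\040docs/README time=0.0 sha256digest=%s\n' \
            "$(sha256sum < "$1/root/usr/share/my docs/README" | cut -d ' ' -f 1)"
    } > "$1/pkg.mtree"
}

# demo: tamper with one file of the constructed tree, then verify it.
demo() {
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir"
    printf 'patched tool\n' > "$demo_dir/root/usr/bin/tool"
    verify_mtree "$demo_dir/root" < "$demo_dir/pkg.mtree"; status=$?
    rm -rf "$demo_dir"
    return "$status"
}

demo || true
```

The check is only as trustworthy as the package file the {{ic|.MTREE}} came from, so verify that package's signature on a known-good system before relying on its digests.<br />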
<br />
=== Reinstalling all packages ===<br />
To reinstall all native packages, use:<br />
<br />
# pacman -Qqn | pacman -S -<br />
<br />
Foreign (AUR) packages must be reinstalled separately; you can list them with {{ic|pacman -Qqm}}.<br />
<br />
''Pacman'' preserves the [[installation reason]] by default.<br />
<br />
{{Warning|To force all packages to be overwritten, use {{ic|1=--overwrite=*}}, though this should be an absolute last resort. See [[System maintenance#Avoid certain pacman commands]].}}<br />
<br />
=== Restore pacman's local database ===<br />
<br />
See [[Pacman/Restore local database]].<br />
<br />
=== Recovering a USB key from existing install ===<br />
<br />
If you have Arch installed on a USB key and manage to mess it up (e.g. by removing it while it is still being written to), it is possible to reinstall all the packages and hopefully get it working again. Assuming the USB key is mounted at {{ic|/newarch}}:<br />
<br />
# pacman -S $(pacman -Qq --dbpath /newarch/var/lib/pacman) --root /newarch --dbpath /newarch/var/lib/pacman<br />
<br />
=== Viewing a single file inside a .pkg file ===<br />
<br />
For example, if you want to see the contents of {{ic|/etc/systemd/logind.conf}} supplied within the {{Pkg|systemd}} package:<br />
<br />
$ bsdtar -xOf /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz etc/systemd/logind.conf<br />
<br />
Or you can use {{pkg|vim}} to browse the archive:<br />
<br />
$ vim /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz<br />
<br />
=== Find applications that use libraries from older packages ===<br />
<br />
Even after a package has been upgraded, long-running programs (such as daemons and servers) keep using the code from the old package's libraries that they have already loaded. Leaving these programs running is a bad idea if the old library contains a security bug.<br />
<br />
The following command finds all programs that still use code from old packages:<br />
<br />
# lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | sort -u<br />
<br />
It prints the name of each running program and the old library that was removed or replaced with newer content.<br />
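<br />
The same check can be made without ''lsof'' by reading {{ic|/proc/''pid''/maps}}, where the kernel marks mappings of removed or replaced files with {{ic|(deleted)}}. The script below is an added example, not part of the original page; the function names and the sample data are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: report executable file mappings whose backing file was
# removed or replaced (typically by a package upgrade) while still loaded.

# stale_mappings: read /proc/<pid>/maps-format text on stdin and print the
# unique paths of executable, file-backed mappings marked "(deleted)".
stale_mappings() {
    awk '
        # field 2 holds the permissions; the path starts at field 6
        $2 ~ /x/ && / \(deleted\)$/ {
            path = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)   # drop the 5 leading columns
            sub(/ \(deleted\)$/, "", path)
            # memfd, SysV and POSIX shared memory objects are unlinked by design
            if (path ~ /^\/(memfd:|dev\/shm\/|SYSV)/) next
            if (!(path in seen)) { seen[path] = 1; print path }
        }'
}

# scan_proc [PROCDIR]: print "pid<TAB>command<TAB>path" for every process that
# still maps a deleted file. Run as root to see the processes of all users.
scan_proc() {
    proc=${1:-/proc}
    for maps in "$proc"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        stale_mappings < "$maps" 2>/dev/null | while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$pid" "$comm" "$path"
        done
    done
}

# sample_maps: constructed maps content of a daemon started before an upgrade.
sample_maps() {
    cat <<'EOF'
55d0c8a00000-55d0c8a21000 r-xp 00002000 fe:01 131105 /usr/bin/sshd
7f3a10000000-7f3a10200000 r-xp 00028000 fe:01 131900 /usr/lib/libcrypto.so.3 (deleted)
7f3a10200000-7f3a10250000 r--p 00228000 fe:01 131900 /usr/lib/libcrypto.so.3 (deleted)
7f3a11000000-7f3a11100000 r-xp 00000000 fe:01 132000 /usr/lib/libc.so.6
7f3a12000000-7f3a12001000 rwxp 00000000 00:01 2049 /memfd:jit-cache (deleted)
7f3a13000000-7f3a13040000 r-xp 00004000 fe:01 132444 /usr/lib/my plugins/libfoo.so (deleted)
EOF
}

# Demo on the constructed sample; on a live system call scan_proc instead.
sample_maps | stale_mappings
```

Restart every service that {{ic|scan_proc}} reports after a security update, or reboot if the list includes processes that cannot be restarted individually.<br />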
<br />
=== Installing only content in required languages ===<br />
<br />
Many packages attempt to install documentation and translations in several languages. Some programs are designed to remove such unnecessary files, such as {{AUR|localepurge}}, which runs after a package is installed to delete the unneeded locale files. A more direct approach is provided through the {{ic|NoExtract}} directive in {{ic|pacman.conf}}, which prevents these files from ever being installed.<br />
<br />
{{Warning|1=Some users noted that removing locales has resulted in [[Special:Permalink/460285#Dangerous NoExtract example|unintended consequences]], even under [https://bbs.archlinux.org/viewtopic.php?id=250846 Xorg].}}<br />
<br />
The example below installs English (US) files, or none at all:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
NoExtract = usr/share/help/* !usr/share/help/C/*<br />
NoExtract = usr/share/gtk-doc/html/*<br />
NoExtract = usr/share/locale/* usr/share/X11/locale/*/* usr/share/i18n/locales/* opt/google/chrome/locales/* !usr/share/X11/locale/C/*<br />
NoExtract = !*locale*/en*/* !usr/share/*locale*/locale.*<br />
NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*<br />
NoExtract = usr/share/i18n/charmaps/* !usr/share/i18n/charmaps/UTF-8.gz<br />
NoExtract = !usr/share/*locales/trans*<br />
NoExtract = usr/share/man/* !usr/share/man/man*<br />
NoExtract = usr/share/vim/vim*/lang/*<br />
NoExtract = usr/lib/libreoffice/help/en-US/*<br />
NoExtract = usr/share/kbd/locale/*<br />
NoExtract = usr/share/*/translations/*.qm usr/share/qt/translations/*.pak !*/en-US.pak # Qt apps<br />
NoExtract = usr/share/*/locales/*.pak opt/*/locales/*.pak usr/lib/*/locales/*.pak !*/en-US.pak # Electron apps<br />
NoExtract = opt/onlyoffice/desktopeditors/dictionaries/* !opt/onlyoffice/desktopeditors/dictionaries/en_US/*<br />
NoExtract = usr/share/ibus/dicts/emoji-*.dict !usr/share/ibus/dicts/emoji-en.dict<br />
}}<br />
<br />
== Performance ==<br />
<br />
=== Download speeds ===<br />
<br />
{{Note|If your download speeds have been reduced to a crawl, ensure you are using one of the many [[mirrors]] and not ftp.archlinux.org, which is [https://archlinux.org/news/302/ throttled since March 2007].}}<br />
<br />
When downloading packages ''pacman'' uses the mirrors in the order they are in {{ic|/etc/pacman.d/mirrorlist}}. The mirror which is at the top of the list by default however may not be the fastest for you. To select a faster mirror, see [[Mirrors]].<br />
<br />
''Pacman''<nowiki>'</nowiki>s speed in downloading packages can also be improved by using a different application to download packages, instead of ''pacman''<nowiki>'</nowiki>s built-in file downloader.<br />
<br />
In all cases, make sure you have the latest ''pacman'' before doing any modifications.<br />
<br />
# pacman -Syu<br />
<br />
==== Powerpill ====<br />
<br />
[[Powerpill]] is a ''pacman'' wrapper that uses parallel and segmented downloading to try to speed up downloads for ''pacman''.<br />
<br />
==== wget ====<br />
<br />
Using ''wget'' is also very handy if you need more powerful proxy settings than ''pacman''<nowiki>'</nowiki>s built-in capabilities.<br />
<br />
To use {{ic|wget}}, first [[install]] the {{Pkg|wget}} package then modify {{ic|/etc/pacman.conf}} by uncommenting the following line in the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/wget --passive-ftp --show-progress -c -q -N %u<br />
<br />
Instead of uncommenting the {{ic|wget}} parameters in {{ic|/etc/pacman.conf}}, you can also modify the {{ic|wget}} configuration file directly (the system-wide file is {{ic|/etc/wgetrc}}, per user files are {{ic|$HOME/.wgetrc}}).<br />
<br />
==== aria2 ====<br />
<br />
[[aria2]] is a lightweight download utility with support for resumable and segmented HTTP/HTTPS and FTP downloads. aria2 allows for multiple and simultaneous HTTP/HTTPS and FTP connections to an Arch mirror, which should result in an increase in download speeds for both file and package retrieval.<br />
<br />
{{Note|Using aria2c in ''pacman''<nowiki>'</nowiki>s XferCommand will '''not''' result in parallel downloads of multiple packages. ''Pacman'' invokes the XferCommand with a single package at a time and waits for it to complete before invoking the next. To download multiple packages in parallel, see [[Powerpill]].}}<br />
<br />
Install {{Pkg|aria2}}, then edit {{ic|/etc/pacman.conf}} by adding the following line to the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/aria2c --allow-overwrite=true --continue=true --file-allocation=none --log-level=error --max-tries=2 --max-connection-per-server=2 --max-file-not-found=5 --min-split-size=5M --no-conf --remote-time=true --summary-interval=60 --timeout=5 --dir=/ --out %o %u<br />
<br />
{{Tip|1=[https://bbs.archlinux.org/viewtopic.php?pid=1491879#p1491879 This alternative configuration for using ''pacman'' with aria2] tries to simplify configuration and adds more configuration options.}}<br />
<br />
See {{man|1|aria2c|OPTIONS}} for the aria2c options used.<br />
<br />
* {{ic|-d, --dir}}: The directory to store the downloaded file(s) as specified by ''pacman''.<br />
* {{ic|-o, --out}}: The output file name(s) of the downloaded file(s). <br />
* {{ic|%o}}: Variable which represents the local filename(s) as specified by ''pacman''.<br />
* {{ic|%u}}: Variable which represents the download URL as specified by ''pacman''.<br />
<br />
==== Other applications ====<br />
<br />
There are other downloading applications that you can use with ''pacman''. Here they are, and their associated XferCommand settings:<br />
<br />
* {{ic|snarf}}: {{ic|1=XferCommand = /usr/bin/snarf -N %u}}<br />
* {{ic|lftp}}: {{ic|1=XferCommand = /usr/bin/lftp -c pget %u}}<br />
* {{ic|axel}}: {{ic|1=XferCommand = /usr/bin/axel -n 2 -v -a -o %o %u}}<br />
* {{ic|hget}}: {{ic|1=XferCommand = /usr/bin/hget %u -n 2 -skip-tls false}} (please read the [https://github.com/huydx/hget documentation on the GitHub project page] for more info)<br />
* {{ic|saldl}}: {{ic|1=XferCommand = /usr/bin/saldl -c6 -l4 -s2m -o %o %u}} (please read the [https://saldl.github.io documentation on the project page] for more info)<br />
<br />
== Utilities ==<br />
<br />
* {{App|Lostfiles|Script that identifies files not owned by any package.|https://github.com/graysky2/lostfiles|{{Pkg|lostfiles}}}}<br />
* {{App|Pacmatic|''Pacman'' wrapper to check Arch News before upgrading, avoid partial upgrades, and warn about configuration file changes.|http://kmkeen.com/pacmatic|{{Pkg|pacmatic}}}}<br />
* {{App|pacutils|Helper library for libalpm based programs.|https://github.com/andrewgregory/pacutils|{{Pkg|pacutils}}}}<br />
* {{App|[[pkgfile]]|Tool that finds what package owns a file.|https://github.com/falconindy/pkgfile|{{Pkg|pkgfile}}}}<br />
* {{App|pkgtools|Collection of scripts for Arch Linux packages.|https://github.com/Daenyth/pkgtools|{{AUR|pkgtools}}}}<br />
* {{App|pkgtop|Interactive package manager and resource monitor designed for GNU/Linux.|https://github.com/orhun/pkgtop|{{AUR|pkgtop-git}}}}<br />
* {{App|[[Powerpill]]|Uses parallel and segmented downloading through [[aria2]] and [[Reflector]] to try to speed up downloads for ''pacman''.|https://xyne.archlinux.ca/projects/powerpill/|{{AUR|powerpill}}}}<br />
* {{App|repoctl|Tool to help manage local repositories.|https://github.com/cassava/repoctl|{{AUR|repoctl}}}}<br />
* {{App|repose|An Arch Linux repository building tool.|https://github.com/vodik/repose|{{Pkg|repose}}}}<br />
* {{App|[[Snapper#Wrapping_pacman_transactions_in_snapshots|snap-pac]]|Make ''pacman'' automatically use snapper to create pre/post snapshots like openSUSE's YaST.|https://github.com/wesbarnett/snap-pac|{{pkg|snap-pac}}}}<br />
* {{App|vrms-arch|A virtual Richard M. Stallman to tell you which non-free packages are installed.|https://github.com/orospakr/vrms-arch|{{AUR|vrms-arch-git}}}}<br />
<br />
=== Graphical ===<br />
<br />
{{Warning|PackageKit opens up system permissions by default, and is otherwise not recommended for general usage. See {{Bug|50459}} and {{Bug|57943}}.}}<br />
<br />
* {{App|Apper|Qt 5 application and package manager using PackageKit written in C++. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata].|https://userbase.kde.org/Apper|{{Pkg|apper}}}}<br />
* {{App|Discover|Qt 5 application manager using PackageKit written in C++/QML. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://userbase.kde.org/Discover|{{Pkg|discover}}}}<br />
* {{App|GNOME PackageKit|GTK 3 package manager using PackageKit written in C.|https://freedesktop.org/software/PackageKit/|{{Pkg|gnome-packagekit}}}}<br />
* {{App|GNOME Software|GTK 3 application manager using PackageKit written in C. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://wiki.gnome.org/Apps/Software|{{pkg|gnome-software}}}}<br />
* {{App|pcurses|Curses TUI pacman wrapper written in C++.|https://github.com/schuay/pcurses|{{Pkg|pcurses}}}}<br />
* {{App|tkPacman|Tk pacman wrapper written in Tcl.|https://sourceforge.net/projects/tkpacman|{{AUR|tkpacman}}}}</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Pacman/Tips_and_tricks&diff=655345Pacman/Tips and tricks2021-03-19T09:43:47Z<p>Yuvadm: Clarify usage of --dbpath</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Package manager]]<br />
[[de:Pacman-Tipps]]<br />
[[es:Pacman (Español)/Tips and tricks]]<br />
[[fa:Pacman tips]]<br />
[[fr:Pacman/Trucs et Astuces]]<br />
[[it:Pacman (Italiano)/Tips and tricks]]<br />
[[ja:Pacman ヒント]]<br />
[[pt:Pacman (Português)/Tips and tricks]]<br />
[[ru:Pacman (Русский)/Tips and tricks]]<br />
[[zh-hans:Pacman (简体中文)/Tips and tricks]]<br />
{{Related articles start}}<br />
{{Related|Mirrors}}<br />
{{Related|Creating packages}}<br />
{{Related articles end}}<br />
For general methods to improve the flexibility of the provided tips or ''pacman'' itself, see [[Core utilities]] and [[Bash]].<br />
<br />
== Maintenance ==<br />
<br />
{{Expansion|{{ic|1=Usage=}} introduced with pacman 4.2, see [http://allanmcrae.com/2014/12/pacman-4-2-released/]}}<br />
<br />
{{Note|Instead of using ''comm'' (which requires sorted input with ''sort'') in the sections below, you may also use {{ic|grep -Fxf}} or {{ic|grep -Fxvf}}.}}<br />
<br />
See also [[System maintenance]].<br />
<br />
=== Listing packages ===<br />
<br />
==== With version ====<br />
<br />
You may want to get the list of installed packages with their version, which is useful when reporting bugs or discussing installed packages.<br />
<br />
* List all explicitly installed packages: {{ic|pacman -Qe}}.<br />
* List all packages in the [[package group]] named {{ic|''group''}}: {{ic|pacman -Sg ''group''}}<br />
* List all foreign packages (typically manually downloaded and installed or packages removed from the repositories): {{ic|pacman -Qm}}.<br />
* List all native packages (installed from the sync database(s)): {{ic|pacman -Qn}}.<br />
* List all explicitly installed native packages (i.e. present in the sync database) that are not direct or optional dependencies: {{ic|pacman -Qent}}.<br />
* List packages by regex: {{ic|pacman -Qs ''regex''}}.<br />
* List packages by regex with custom output format (needs {{Pkg|expac}}): {{ic|expac -s "%-30n %v" ''regex''}}.<br />
<br />
==== With size ====<br />
<br />
Figuring out which packages are largest can be useful when trying to free space on your hard drive. There are two options here: get the size of individual packages, or get the size of packages and their dependencies.<br />
<br />
===== Individual packages =====<br />
<br />
The following command will list all installed packages and their individual sizes:<br />
<br />
$ LC_ALL=C pacman -Qi | awk '/^Name/{name=$3} /^Installed Size/{print $4$5, name}' | sort -h<br />
<br />
===== Packages and dependencies =====<br />
<br />
To list package sizes with their dependencies:<br />
<br />
* Install {{Pkg|expac}} and run {{ic|<nowiki>expac -H M '%m\t%n' | sort -h</nowiki>}}.<br />
* Run {{Pkg|pacgraph}} with the {{ic|-c}} option.<br />
<br />
To list the download size of several packages (leave {{ic|''packages''}} blank to list all packages):<br />
<br />
$ expac -S -H M '%k\t%n' ''packages''<br />
<br />
To list explicitly installed packages not in the [[meta package]] {{Pkg|base}} nor [[package group]] {{Grp|base-devel}} with size and description:<br />
<br />
$ expac -H M "%011m\t%-20n\t%10d" $(comm -23 <(pacman -Qqen | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort | uniq)) | sort -n<br />
<br />
To list the packages marked for upgrade with their download size:<br />
<br />
$ expac -S -H M '%k\t%n' $(pacman -Qqu) | sort -sh<br />
<br />
==== By date ====<br />
<br />
To list the 20 last installed packages with {{Pkg|expac}}, run:<br />
<br />
$ expac --timefmt='%Y-%m-%d %T' '%l\t%n' | sort | tail -n 20<br />
<br />
or, with seconds since the epoch (1970-01-01 UTC):<br />
<br />
$ expac --timefmt=%s '%l\t%n' | sort -n | tail -n 20<br />
<br />
==== Not in a specified group, repository or meta package ====<br />
<br />
{{Note|To get a list of packages installed as dependencies but no longer required by any installed package, see [[#Removing unused packages (orphans)]].<br />
}}<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} [[meta package]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <(expac -l '\n' '%E' base | sort)<br />
<br />
List explicitly installed packages not in the {{Pkg|base}} meta package or {{Grp|base-devel}} [[package group]]:<br />
<br />
$ comm -23 <(pacman -Qqe | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
List all installed packages unrequired by other packages, and which are not in the {{Pkg|base}} meta package or {{Grp|base-devel}} package group:<br />
<br />
$ comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u)<br />
<br />
As above, but with descriptions:<br />
<br />
$ expac -H M '%-20n\t%10d' $(comm -23 <(pacman -Qqt | sort) <({ pacman -Qqg base-devel; expac -l '\n' '%E' base; } | sort -u))<br />
<br />
List all installed packages that are ''not'' in the specified repository ''repo_name'':<br />
<br />
$ comm -23 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all installed packages that are in the ''repo_name'' repository:<br />
<br />
$ comm -12 <(pacman -Qq | sort) <(pacman -Sql ''repo_name'' | sort)<br />
<br />
List all packages on the Arch Linux ISO that are not in the {{Pkg|base}} meta package:<br />
<br />
 <nowiki>$ comm -23 <(curl https://gitlab.archlinux.org/archlinux/archiso/-/raw/master/configs/releng/packages.x86_64 | sort) <(expac -l '\n' '%E' base | sort)</nowiki><br />
<br />
==== Development packages ====<br />
<br />
To list all development/unstable packages, run:<br />
<br />
$ pacman -Qq | grep -Ee '-(bzr|cvs|darcs|git|hg|svn)$'<br />
<br />
=== Browsing packages ===<br />
<br />
To browse all installed packages with an instant preview of each package:<br />
<br />
$ pacman -Qq | fzf --preview 'pacman -Qil {}' --layout=reverse --bind 'enter:execute(pacman -Qil {} | less)'<br />
<br />
This uses [[fzf]] to present a two-pane view listing all packages with package info shown on the right.<br />
<br />
Enter letters to filter the list of packages; use arrow keys (or {{ic|Ctrl-j}}/{{ic|Ctrl-k}}) to navigate; press {{ic|Enter}} to see package info under ''less''.<br />
<br />
To browse all packages currently known to pacman (both installed and not yet installed) in a similar way, using fzf, use:<br />
<br />
 $ pacman -Slq | fzf --preview 'pacman -Si {}' --layout=reverse<br />
<br />
The navigational keybindings are the same, although Enter will not work in the same way.<br />
<br />
=== Listing files owned by a package with size ===<br />
<br />
This one might come in handy if you have found that a specific package uses a huge amount of space and you want to find out which files make up the most of that.<br />
<br />
$ pacman -Qlq ''package'' | grep -v '/$' | xargs -r du -h | sort -h<br />
<br />
=== Identify files not owned by any package ===<br />
<br />
If your system has stray files not owned by any package (a common case if you do not [[Enhance system stability#Use the package manager to install software|use the package manager to install software]]), you may want to find such files in order to clean them up.<br />
<br />
One method is to run {{ic|pacreport --unowned-files}} from {{Pkg|pacutils}} as the root user, which lists unowned files among other details.<br />
<br />
Another is to list all files of interest and check them against pacman:<br />
<br />
# find /etc /usr /opt /var | LC_ALL=C pacman -Qqo - 2>&1 >&- >/dev/null | cut -d ' ' -f 5-<br />
<br />
{{Tip|The {{Pkg|lostfiles}} script performs similar steps, but also includes an extensive blacklist to remove common false positives from the output.}}<br />
<br />
=== Tracking unowned files created by packages ===<br />
<br />
Most systems will slowly collect several [http://ftp.rpm.org/max-rpm/s1-rpm-inside-files-list-directives.html#S3-RPM-INSIDE-FLIST-GHOST-DIRECTIVE ghost] files such as state files, logs, indexes, etc. through the course of usual operation.<br />
<br />
{{ic|pacreport}} from {{Pkg|pacutils}} can be used to track these files and their associations via {{ic|/etc/pacreport.conf}} (see {{man|1|pacreport|FILES}}).<br />
<br />
An example may look something like this (abridged):<br />
<br />
{{hc|/etc/pacreport.conf|<nowiki><br />
[Options]<br />
IgnoreUnowned = usr/share/applications/mimeinfo.cache<br />
<br />
[PkgIgnoreUnowned]<br />
alsa-utils = var/lib/alsa/asound.state<br />
bluez = var/lib/bluetooth<br />
ca-certificates = etc/ca-certificates/trust-source/*<br />
dbus = var/lib/dbus/machine-id<br />
glibc = etc/ld.so.cache<br />
grub = boot/grub/*<br />
linux = boot/initramfs-linux.img<br />
pacman = var/lib/pacman/local<br />
update-mime-database = usr/share/mime/magic<br />
</nowiki>}}<br />
<br />
Then, when using {{ic|pacreport --unowned-files}} as the root user, any unowned files will be listed if the associated package is no longer installed (or if any new files have been created).<br />
<br />
Additionally, [https://github.com/CyberShadow/aconfmgr aconfmgr] ({{AUR|aconfmgr-git}}) allows tracking modified and orphaned files using a configuration script.<br />
<br />
=== Removing unused packages (orphans) ===<br />
<br />
For recursively removing orphans and their configuration files:<br />
<br />
# pacman -Qtdq | pacman -Rns -<br />
<br />
If no orphans were found, the output is {{ic|error: argument '-' specified with empty stdin}}. This is expected as no arguments were passed to {{ic|pacman -Rns}}.<br />
<br />
{{Note|The arguments {{ic|-Qt}} list only true orphans. To include packages which are ''optionally'' required by another package, pass the {{ic|-t}} flag twice (''i.e.'', {{ic|-Qtt}}).}}<br />
<br />
=== Removing everything but essential packages ===<br />
<br />
If it is ever necessary to remove all packages except the essential packages, one method is to set the installation reason of the non-essential ones to dependency and then remove all unnecessary dependencies.<br />
<br />
First, for all the packages installed "as explicitly", change their installation reason to "as dependency":<br />
<br />
 # pacman -D --asdeps $(pacman -Qqe)<br />
<br />
Then, change the installation reason back to "as explicitly" for the essential packages only, i.e. those you '''do not''' want to remove, in order to avoid targeting them:<br />
<br />
# pacman -D --asexplicit base linux linux-firmware<br />
<br />
{{Note|<br />
* Additional packages can be added to the above command in order to avoid being removed. See [[Installation guide#Install essential packages]] for more info on other packages that may be necessary for a fully functional base system.<br />
* This will also select the bootloader's package for removal. The system should still be bootable, but the boot parameters might not be changeable without it.<br />
}}<br />
<br />
Finally, follow the instructions in [[#Removing unused packages (orphans)]] to remove all packages that have installation reason "as dependency".<br />
<br />
=== Getting the dependencies list of several packages ===<br />
<br />
Dependencies are sorted alphabetically and duplicates are removed.<br />
<br />
{{Note|To only show the tree of local installed packages, use {{ic|pacman -Qi}}.}}<br />
<br />
$ LC_ALL=C pacman -Si ''packages'' | awk -F'[:<=>]' '/^Depends/ {print $2}' | xargs -n1 | sort -u<br />
<br />
Alternatively, with {{Pkg|expac}}: <br />
<br />
$ expac -l '\n' %E -S ''packages'' | sort -u<br />
<br />
=== Listing changed backup files ===<br />
<br />
{{Accuracy|What is the connection of this section to [[System backup]]? Listing modified "backup files" does not show files which are not tracked by pacman.|section=Warning about listing changed backup files}}<br />
<br />
If you want to back up your system configuration files, you could copy all files in {{ic|/etc/}} but usually you are only interested in the files that you have changed. Modified [[Pacnew_and_Pacsave_files#Package_backup_files|backup files]] can be viewed with the following command:<br />
<br />
# pacman -Qii | awk '/^MODIFIED/ {print $2}'<br />
<br />
Running this command with root permissions will ensure that files readable only by root (such as {{ic|/etc/sudoers}}) are included in the output.<br />
<br />
{{Tip|See [[#Listing all changed files from packages]] to list all changed files ''pacman'' knows about, not only backup files.}}<br />
<br />
=== Back up the pacman database ===<br />
<br />
The following command can be used to back up the local ''pacman'' database:<br />
<br />
$ tar -cjf pacman_database.tar.bz2 /var/lib/pacman/local<br />
<br />
Store the backup ''pacman'' database file on one or more offline media, such as a USB stick, external hard drive, or CD-R.<br />
<br />
The database can be restored by moving the {{ic|pacman_database.tar.bz2}} file into the {{ic|/}} directory and executing the following command:<br />
<br />
# tar -xjvf pacman_database.tar.bz2<br />
<br />
{{Note|If the ''pacman'' database files are corrupted, and there is no backup file available, there exists some hope of rebuilding the ''pacman'' database. Consult [[#Restore pacman's local database]].}}<br />
<br />
{{Tip|The {{AUR|pakbak-git}} package provides a script and a [[systemd]] service to automate the task. Configuration is possible in {{ic|/etc/pakbak.conf}}.}}<br />
<br />
=== Check changelogs easily ===<br />
<br />
When maintainers update packages, commits are often commented in a useful fashion. Users can quickly check these from the command line by installing {{AUR|pacolog}}. This utility lists recent commit messages for packages from the official repositories or the AUR, by using {{ic|pacolog <package>}}.<br />
<br />
== Installation and recovery ==<br />
<br />
Alternative ways of getting and restoring packages.<br />
<br />
=== Installing packages from a CD/DVD or USB stick ===<br />
<br />
{{Merge|#Custom local repository|Use as an example and avoid duplication}}<br />
<br />
To download packages, or groups of packages:<br />
<br />
# cd ~/Packages<br />
# pacman -Syw --cachedir . base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
Pacman, which will reference the host installation by default, will not download already installed packages. In cases where all packages and dependencies are wanted, it is recommended to create a temporary blank DB and reference it with {{ic|--dbpath}}:<br />
<br />
# mkdir /tmp/blankdb<br />
# pacman -Syw --cachedir . --dbpath /tmp/blankdb base base-devel grub-bios xorg gimp<br />
# repo-add ./custom.db.tar.gz ./*<br />
<br />
<br />
Then you can burn the "Packages" folder to a CD/DVD or transfer it to a USB stick, external HDD, etc.<br />
<br />
To install:<br />
<br />
'''1.''' Mount the media:<br />
<br />
# mkdir /mnt/repo<br />
# mount /dev/sr0 /mnt/repo #For a CD/DVD.<br />
# mount /dev/sdxY /mnt/repo #For a USB stick.<br />
<br />
'''2.''' Edit {{ic|pacman.conf}} and add this repository ''before'' the other ones (e.g. extra, core, etc.). This is important. Do not just uncomment the one on the bottom. This way it ensures that the files from the CD/DVD/USB take precedence over those in the standard repositories:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
[custom]<br />
SigLevel = PackageRequired<br />
Server = file:///mnt/repo/Packages}}<br />
<br />
'''3.''' Finally, synchronize the ''pacman'' database to be able to use the new repository:<br />
<br />
# pacman -Syu<br />
<br />
=== Custom local repository ===<br />
<br />
Use the ''repo-add'' script included with ''pacman'' to generate a database for a personal repository. Use {{ic|repo-add --help}} for more details on its usage. <br />
A package database is a tar file, optionally compressed. Valid extensions are ''.db'' or ''.files'' followed by an archive extension of ''.tar'', ''.tar.gz'', ''.tar.bz2'', ''.tar.xz'', ''.tar.zst'', or ''.tar.Z''. The file does not need to exist, but all parent directories must exist.<br />
<br />
To add a new package to the database, or to replace the old version of an existing package in the database, run:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/package-1.0-1-x86_64.pkg.tar.xz''<br />
<br />
The database and the packages do not need to be in the same directory when using ''repo-add'', but keep in mind that when using ''pacman'' with that database, they should be together. Storing all the built packages to be included in the repository in one directory also allows using shell glob expansion to add or update multiple packages at once:<br />
<br />
$ repo-add ''/path/to/repo.db.tar.gz /path/to/*.pkg.tar.xz''<br />
<br />
{{Warning|''repo-add'' adds the entries into the database in the same order as passed on the command line. If multiple versions of the same package are involved, care must be taken to ensure that the correct version is added last. In particular, note that lexical order used by the shell depends on the locale and differs from the {{man|8|vercmp}} ordering used by ''pacman''.}}<br />
<br />
If you are looking to support multiple architectures then precautions should be taken to prevent errors from occurring. Each architecture should have its own directory tree:<br />
<br />
{{hc|$ tree ~/customrepo/ {{!}} sed "s/$(uname -m)/<arch>/g"|<br />
/home/archie/customrepo/<br />
└── <arch><br />
├── customrepo.db -> customrepo.db.tar.xz<br />
├── customrepo.db.tar.xz<br />
├── customrepo.files -> customrepo.files.tar.xz<br />
├── customrepo.files.tar.xz<br />
└── personal-website-git-b99cce0-1-<arch>.pkg.tar.xz<br />
<br />
1 directory, 5 files<br />
}}<br />
<br />
The ''repo-add'' executable checks if the package is appropriate. If it is not, you will run into error messages similar to this:<br />
<br />
==> ERROR: '/home/archie/customrepo/<arch>/foo-<arch>.pkg.tar.xz' does not have a valid database archive extension.<br />
<br />
''repo-remove'' removes packages from the package database. It is used like ''repo-add'', except that only package names are specified on the command line.<br />
<br />
$ repo-remove ''/path/to/repo.db.tar.gz pkgname''<br />
<br />
Once the local repository database has been created, add the repository to {{ic|pacman.conf}} for each system that is to use the repository. An example of a custom repository is in {{ic|pacman.conf}}. The repository's name is the database filename with the file extension omitted. In the case of the example above the repository's name would simply be ''repo''. Reference the repository's location using a {{ic|file://}} URL, or via FTP using ftp://localhost/path/to/directory.<br />
<br />
If willing, add the custom repository to the [[Unofficial user repositories|list of unofficial user repositories]], so that the community can benefit from it.<br />
<br />
=== Network shared pacman cache ===<br />
{{Merge|Package_Proxy_Cache|Same topic}}<br />
If you happen to run several Arch boxes on your LAN, you can share packages so that you can greatly decrease your download times. Keep in mind you should not share between different architectures (i.e. i686 and x86_64) or you will run into problems.<br />
<br />
==== Read-only cache ====<br />
<br />
If you are looking for a quick solution, you can simply run a standalone webserver, e.g. {{Pkg|darkhttpd}}, which other computers can use as a first mirror:<br />
<br />
# ln -s /var/lib/pacman/sync/*.db /var/cache/pacman/pkg<br />
$ sudo -u http darkhttpd /var/cache/pacman/pkg --no-server-id<br />
<br />
You could also run darkhttpd as a systemd service for convenience. Just add this server at the top of your {{ic|/etc/pacman.d/mirrorlist}} in client machines with {{ic|1=Server = http&#58;//mymirror:8080}}. Make sure to keep your mirror updated.<br />
<br />
If you are already running a web server for some other purpose, you might wish to reuse that as your local repo server instead of darkhttpd. For example, if you already serve a site with [[nginx]], you can add an nginx server block listening on port 8080:<br />
<br />
{{hc|/etc/nginx/nginx.conf|<br />
server {<br />
listen 8080;<br />
root /var/cache/pacman/pkg;<br />
server_name myarchrepo.localdomain;<br />
try_files $uri $uri/;<br />
}<br />
}}<br />
<br />
Remember to restart nginx after making this change.<br />
<br />
Whichever web server you use, remember to open port 8080 to local traffic (and you probably want to deny anything not local), so add a rule like the following to [[iptables]]:<br />
<br />
{{hc|/etc/iptables/iptables.rules|<br />
-A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 8080 -j ACCEPT<br />
}}<br />
<br />
Remember to restart iptables after making this change.<br />
<br />
==== Overlay mount of read-only cache ====<br />
<br />
It is possible to use one machine on a local network as a read-only package cache by [[Overlay_filesystem|overlay mounting]] its {{ic|/var/cache/pacman/pkg}} directory. Such a configuration is advantageous if this server has installed on it a reasonably comprehensive selection of up-to-date packages which are also used by other boxes. This is useful for maintaining a number of machines at the end of a low bandwidth upstream connection.<br />
<br />
As an example, to use this method:<br />
<br />
# mkdir /tmp/remote_pkg /mnt/workdir_pkg /tmp/pacman_pkg<br />
# sshfs <remote_username>@<remote_pkgcache_addr>:/var/cache/pacman/pkg /tmp/remote_pkg -C<br />
# mount -t overlay overlay -o lowerdir=/tmp/remote_pkg,upperdir=/var/cache/pacman/pkg,workdir=/mnt/workdir_pkg /tmp/pacman_pkg<br />
<br />
[[Overlay_filesystem#Usage|Note concerning overlay]]: The working directory must be an empty directory on the same mounted device as the upper directory.<br />
<br />
After this, run pacman using the option {{ic|--cachedir /tmp/pacman_pkg}}, e.g.:<br />
<br />
# pacman -Syu --cachedir /tmp/pacman_pkg<br />
<br />
==== Distributed read-only cache ====<br />
<br />
There are Arch-specific tools for automatically discovering other computers on your network offering a package cache. Try {{Pkg|pacredir}}, [[pacserve]], {{AUR|pkgdistcache}}, or {{AUR|paclan}}. pkgdistcache uses Avahi instead of plain UDP which may work better in certain home networks that route instead of bridge between WiFi and Ethernet.<br />
<br />
Historically, there was [https://bbs.archlinux.org/viewtopic.php?id=64391 PkgD] and [https://github.com/toofishes/multipkg multipkg], but they are no longer maintained.<br />
<br />
==== Read-write cache ====<br />
<br />
In order to share packages between multiple computers, simply share {{ic|/var/cache/pacman/}} using any network-based mount protocol. This section shows how to use [[shfs]] or [[SSHFS]] to share a package cache plus the related library-directories between multiple computers on the same local network. Keep in mind that a network shared cache can be slow depending on the file-system choice, among other factors.<br />
<br />
First, install any network-supporting filesystem packages: {{pkg|shfs-utils}}, {{pkg|sshfs}}, {{pkg|curlftpfs}}, {{pkg|samba}} or {{pkg|nfs-utils}}.<br />
<br />
{{Tip|<br />
* To use ''sshfs'' or ''shfs'', consider reading [[Using SSH Keys]].<br />
* By default, ''smbfs'' does not serve filenames that contain colons, which results in the client downloading the offending package afresh. To prevent this, use the {{ic|mapchars}} mount option on the client.<br />
}}<br />
<br />
Then, to share the actual packages, mount {{ic|/var/cache/pacman/pkg}} from the server to {{ic|/var/cache/pacman/pkg}} on every client machine.<br />
<br />
{{Warning|Do not make {{ic|/var/cache/pacman/pkg}} or any of its ancestors (e.g., {{ic|/var}}) a symlink. ''Pacman'' expects these to be directories. When ''pacman'' re-installs or upgrades itself, it will remove the symlinks and create empty directories instead. However during the transaction ''pacman'' relies on some files residing there, hence breaking the update process. Refer to {{bug|50298}} for further details.}}<br />
<br />
==== Two-way with rsync ====<br />
<br />
Another approach in a local environment is [[rsync]]. Choose a server for caching and enable the [[Rsync#rsync daemon]]. On clients synchronize two-way with this share via the rsync protocol. Filenames that contain colons are no problem for the rsync protocol.<br />
<br />
Draft example for a client; using {{ic|uname -m}} within the share name ensures an architecture-dependent sync:<br />
# rsync rsync://server/share_$(uname -m)/ /var/cache/pacman/pkg/ ...<br />
# pacman ...<br />
# paccache ...<br />
# rsync /var/cache/pacman/pkg/ rsync://server/share_$(uname -m)/ ...<br />
<br />
==== Dynamic reverse proxy cache using nginx ====<br />
<br />
[[nginx]] can be used to proxy package requests to official upstream mirrors and cache the results to the local disk. All subsequent requests for that package will be served directly from the local cache, minimizing the amount of internet traffic needed to update a large number of computers. <br />
<br />
In this example, the cache server will run at {{ic|<nowiki>http://cache.domain.example:8080/</nowiki>}} and store the packages in {{ic|/srv/http/pacman-cache/}}. <br />
<br />
Install [[nginx]] on the computer that is going to host the cache. Create the directory for the cache and adjust the permissions so nginx can write files to it:<br />
<br />
# mkdir /srv/http/pacman-cache<br />
# chown http:http /srv/http/pacman-cache<br />
<br />
Use the [https://github.com/nastasie-octavian/nginx_pacman_cache_config/blob/c54eca4776ff162ab492117b80be4df95880d0e2/nginx.conf nginx pacman cache config] as a starting point for {{ic|/etc/nginx/nginx.conf}}. Check that the {{ic|resolver}} directive works for your needs. In the upstream server blocks, configure the {{ic|proxy_pass}} directives with addresses of official mirrors, see examples in the config file about the expected format. Once you are satisfied with the configuration file [[Nginx#Running|start and enable nginx]].<br />
<br />
In order to use the cache each Arch Linux computer (including the one hosting the cache) must have the following line at the top of the {{ic|mirrorlist}} file:<br />
<br />
{{hc|/etc/pacman.d/mirrorlist|<nowiki><br />
Server = http://cache.domain.example:8080/$repo/os/$arch<br />
...<br />
</nowiki>}}<br />
<br />
{{Note| You will need to create a method to clear old packages, as the cache directory will continue to grow over time. {{ic|paccache}} (which is provided by {{pkg|pacman-contrib}}) can be used to automate this using retention criteria of your choosing. For example, {{ic|find /srv/http/pacman-cache/ -type d -exec paccache -v -r -k 2 -c {} \;}} will keep the last 2 versions of packages in your cache directory.}}<br />
<br />
==== Pacoloco proxy cache server ====<br />
<br />
[https://github.com/anatol/pacoloco Pacoloco] is an easy-to-use proxy cache server for pacman repositories. It can be installed as {{pkg|pacoloco}}. Open the configuration file and add pacman mirrors:<br />
<br />
{{hc|/etc/pacoloco.yaml|<nowiki><br />
port: 9129<br />
repos:<br />
mycopy:<br />
urls:<br />
- http://mirror.lty.me/archlinux<br />
- http://mirrors.kernel.org/archlinux<br />
</nowiki>}}<br />
<br />
[[Restart]] {{ic|pacoloco.service}} and the proxy repository will be available at {{ic|http://<myserver>:9129/repo/mycopy}}.<br />
<br />
==== Flexo proxy cache server ====<br />
<br />
[https://github.com/nroi/flexo Flexo] is yet another proxy cache server for pacman repositories. Flexo is available on the AUR: {{AUR|flexo-git}}. Once installed, [[start]] the {{ic|flexo.service}} service with systemd.<br />
<br />
Flexo runs on port 7878 by default. Enter {{ic|1=Server = http://''myserver'':7878/$repo/os/$arch}} to the top of your {{ic|/etc/pacman.d/mirrorlist}} so that pacman downloads packages via Flexo.<br />
<br />
==== Synchronize pacman package cache using synchronization programs ====<br />
<br />
Use [[Syncthing]] or [[Resilio Sync]] to synchronize the ''pacman'' cache folders (i.e. {{ic|/var/cache/pacman/pkg}}).<br />
<br />
==== Preventing unwanted cache purges ====<br />
<br />
By default, {{Ic|pacman -Sc}} removes package tarballs from the cache that correspond to packages that are not installed on the machine the command was issued on. Because ''pacman'' cannot predict what packages are installed on all machines that share the cache, it will end up deleting files that should not be.<br />
<br />
To clean up the cache so that only ''outdated'' tarballs are deleted, add this entry in the {{ic|[options]}} section of {{ic|/etc/pacman.conf}}:<br />
<br />
CleanMethod = KeepCurrent<br />
<br />
=== Recreate a package from the file system ===<br />
<br />
To recreate a package from the file system, use {{AUR|fakepkg}}. Files from the system are taken as they are, hence any modifications will be present in the assembled package. Distributing the recreated package is therefore discouraged; see [[ABS]] and [[Arch Linux Archive]] for alternatives.<br />
<br />
=== List of installed packages ===<br />
<br />
Keeping a list of all the explicitly installed packages can be useful, for example to back up a system or to speed up installation on a new system:<br />
<br />
$ pacman -Qqe > pkglist.txt<br />
<br />
{{Note|<br />
* With option {{ic|-t}}, the packages already required by other explicitly installed packages are not mentioned. If reinstalling from this list they will be installed but as dependencies only.<br />
* With option {{ic|-n}}, foreign packages (e.g. from [[AUR]]) would be omitted from the list.<br />
* Use {{ic|comm -13 <(pacman -Qqdt {{!}} sort) <(pacman -Qqdtt {{!}} sort) > optdeplist.txt}} to also create a list of the installed optional dependencies which can be reinstalled with {{ic|--asdeps}}.<br />
* Use {{ic|pacman -Qqem > foreignpkglist.txt}} to create the list of AUR and other foreign packages that have been explicitly installed.}}<br />
<br />
To keep an up-to-date list of explicitly installed packages (e.g. in combination with a versioned {{ic|/etc/}}), you can set up a [[Pacman#Hooks|hook]]. Example:<br />
<br />
[Trigger]<br />
Operation = Install<br />
Operation = Remove<br />
Type = Package<br />
Target = *<br />
<br />
[Action]<br />
When = PostTransaction<br />
Exec = /bin/sh -c '/usr/bin/pacman -Qqe > /etc/pkglist.txt'<br />
<br />
=== Install packages from a list ===<br />
<br />
To install packages from a previously saved list of packages, while not reinstalling previously installed packages that are already up-to-date, run:<br />
<br />
# pacman -S --needed - < pkglist.txt<br />
<br />
However, the list is likely to contain foreign packages, such as those from the AUR or installed locally. To filter the foreign packages out of the list, the previous command line can be extended as follows:<br />
<br />
# pacman -S --needed $(comm -12 <(pacman -Slq | sort) <(sort pkglist.txt))<br />
<br />
Finally, to make sure the installed packages of your system match the list and remove all the packages that are not mentioned in it:<br />
<br />
# pacman -Rsu $(comm -23 <(pacman -Qq | sort) <(sort pkglist.txt))<br />
<br />
{{Tip|These tasks can be automated. See {{AUR|bacpac}}, {{AUR|packup}}, {{AUR|pacmanity}}, and {{AUR|pug}} for examples.}}<br />
<br />
=== Listing all changed files from packages ===<br />
<br />
If you are suspecting file corruption (e.g. by software/hardware failure), but are unsure if files were corrupted, you might want to compare with the hash sums in the packages. This can be done with {{Pkg|pacutils}}:<br />
<br />
# paccheck --md5sum --quiet<br />
<br />
For recovery of the database see [[#Restore pacman's local database]]. The {{ic|mtree}} files can also be [[#Viewing a single file inside a .pkg file|extracted as {{ic|.MTREE}} from the respective package files]].<br />
<br />
{{Note|This should '''not''' be used as is when suspecting malicious changes! In this case security precautions such as using a live medium and an independent source for the hash sums are advised.}}<br />
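The following added example (not part of the original article or of pacutils) shows one way to follow the advice in the note: it checks the files under a mounted root against the hashes in a decompressed {{ic|.MTREE}} taken from an independently obtained package. It assumes the listing carries {{ic|sha256digest}} keywords and that {{ic|sha256sum}} is available; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare files under ROOT with the sha256digest entries of an
# mtree listing read from stdin.
# Assumption: the listing is the decompressed .MTREE of a package fetched from
# a source you trust, and the script runs from a live medium against the
# mounted root.

# mtree_sums: print "<sha256>  <relative path>" for every regular file entry.
# Package metadata entries (./.PKGINFO, ./.BUILDINFO, ...) are skipped because
# they are never installed to the file system.
mtree_sums() {
    awk '
        /^\.\// {
            if ($1 ~ /^\.\/\.[A-Z]+$/) next
            sum = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^sha256digest=/) sum = substr($i, 14)
            if (sum != "") print sum "  " substr($1, 3)
        }'
}

# verify_mtree ROOT: print "CHANGED <path>" or "MISSING <path>" for every
# mismatch; the exit status is 1 if any difference was found.
verify_mtree() {
    root=$1
    mtree_sums | (
        status=0
        while read -r want path; do
            path=$(printf '%b' "$path")   # decode octal escapes such as \040 (space)
            file=$root/$path
            if [ ! -f "$file" ]; then
                echo "MISSING $path"
                status=1
            else
                have=$(sha256sum < "$file" | cut -d ' ' -f 1)
                if [ "$have" != "$want" ]; then
                    echo "CHANGED $path"
                    status=1
                fi
            fi
        done
        exit "$status"
    )
}

# demo: build a small constructed tree and a matching constructed mtree listing
# in which one file was modified and one file is missing.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc" "$tmp/usr/bin"
    printf 'ok\n' > "$tmp/etc/foo.conf"
    printf 'tampered\n' > "$tmp/usr/bin/foo"
    good=$(printf 'ok\n' | sha256sum | cut -d ' ' -f 1)
    orig=$(printf 'original\n' | sha256sum | cut -d ' ' -f 1)
    printf '%s\n' \
        '#mtree' \
        '/set type=file uid=0 gid=0 mode=644' \
        "./.PKGINFO time=1.0 size=9 sha256digest=$orig" \
        './etc time=1.0 mode=755 type=dir' \
        "./etc/foo.conf time=1.0 size=3 sha256digest=$good" \
        "./usr/bin/foo time=1.0 mode=755 size=9 sha256digest=$orig" \
        "./usr/share/foo\\040doc.txt time=1.0 size=3 sha256digest=$good" |
        verify_mtree "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "differences found"
```

On a real system the listing would come from something like {{ic|bsdtar -xOf package.pkg.tar.zst .MTREE {{!}} zcat}}, piped into {{ic|verify_mtree /mnt}}.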
<br />
=== Reinstalling all packages ===<br />
To reinstall all native packages, use:<br />
<br />
# pacman -Qqn | pacman -S -<br />
<br />
Foreign (AUR) packages must be reinstalled separately; you can list them with {{ic|pacman -Qqm}}.<br />
<br />
''Pacman'' preserves the [[installation reason]] by default.<br />
<br />
{{Warning|To force all packages to be overwritten, use {{ic|1=--overwrite=*}}, though this should be an absolute last resort. See [[System maintenance#Avoid certain pacman commands]].}}<br />
<br />
=== Restore pacman's local database ===<br />
<br />
See [[Pacman/Restore local database]].<br />
<br />
=== Recovering a USB key from existing install ===<br />
<br />
If you have Arch installed on a USB key and manage to mess it up (e.g. removing it while it is still being written to), then it is possible to re-install all the packages and hopefully get it back up and working again (assuming the USB key is mounted in {{ic|/newarch}}):<br />
<br />
# pacman -S $(pacman -Qq --dbpath /newarch/var/lib/pacman) --root /newarch --dbpath /newarch/var/lib/pacman<br />
<br />
=== Viewing a single file inside a .pkg file ===<br />
<br />
For example, if you want to see the contents of {{ic|/etc/systemd/logind.conf}} supplied within the {{Pkg|systemd}} package:<br />
<br />
$ bsdtar -xOf /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz etc/systemd/logind.conf<br />
<br />
Or you can use {{pkg|vim}} to browse the archive:<br />
<br />
$ vim /var/cache/pacman/pkg/systemd-204-3-x86_64.pkg.tar.xz<br />
<br />
=== Find applications that use libraries from older packages ===<br />
<br />
Even after you have installed a package, existing long-running programs (like daemons and servers) keep using code from the old package's libraries. It is a bad idea to leave these programs running if the old library contains a security bug.<br />
<br />
Here is a way to find all the programs that use code from old packages:<br />
<br />
# lsof +c 0 | grep -w DEL | awk '1 { print $1 ": " $NF }' | sort -u<br />
It prints the name of each running program and the old library that was removed or replaced with newer content.<br />
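The one-liner above also lists deleted mappings that are not libraries, such as files under {{ic|/dev/shm}}. The following added example (not part of the original article) narrows the output to shared objects and counts them per process, so that you can decide which services to restart. It assumes the default ''lsof'' column layout (FD in column 4, TYPE in column 5); the function names and the sample ''lsof'' lines are constructed.

```shell
#!/bin/sh
# Added example: summarise deleted-but-still-mapped shared libraries.
# Assumption: default lsof columns
#   COMMAND PID USER FD TYPE DEVICE [SIZE/OFF] NODE NAME

# stale_rows: read `lsof +c 0` output on stdin and print one
# "command<TAB>pid<TAB>library" row per deleted shared object still mapped.
# Deleted mappings that are not shared objects (shared memory, caches) are dropped.
stale_rows() {
    awk '$4 == "DEL" && $5 == "REG" && $NF ~ /\.so(\.[0-9]+)*$/ {
        print $1 "\t" $2 "\t" $NF
    }' | sort -u
}

# stale_libs: human-readable list, one line per process and library.
stale_libs() {
    stale_rows | awk -F '\t' '{ print $1 " (pid " $2 "): " $3 }'
}

# stale_summary: "pid command count" per process, ordered by PID.
stale_summary() {
    stale_rows |
        awk -F '\t' '{ n[$2 " " $1]++ } END { for (k in n) print k, n[k] }' |
        sort -n
}

# sample_lsof: constructed lsof output used to demonstrate the filters offline.
sample_lsof() {
    cat <<'EOF'
COMMAND     PID   USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
sshd        612   root  DEL  REG  254,0           1311045 /usr/lib/libcrypto.so.1.1
sshd        612   root  mem  REG  254,0   2149144 1311100 /usr/lib/libc.so.6
nginx       801   http  DEL  REG  254,0           1311045 /usr/lib/libcrypto.so.1.1
nginx       801   http  DEL  REG  254,0           1311046 /usr/lib/libssl.so.1.1
firefox    1500 archie  DEL  REG   0,25             40211 /dev/shm/org.mozilla.ipc.1500.7
xterm      1320 archie  DEL  REG  254,0           1400001 /var/cache/fontconfig/3830d5c3.cache-7
EOF
}

# On a live system, run as root:  lsof +c 0 | stale_summary
sample_lsof | stale_libs
sample_lsof | stale_summary
```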
<br />
=== Installing only content in required languages ===<br />
<br />
Many packages attempt to install documentation and translations in several languages. Some programs are designed to remove such unnecessary files, such as {{AUR|localepurge}}, which runs after a package is installed to delete the unneeded locale files. A more direct approach is provided through the {{ic|NoExtract}} directive in {{ic|pacman.conf}}, which prevents these files from ever being installed.<br />
<br />
{{Warning|1=Some users noted that removing locales has resulted in [[Special:Permalink/460285#Dangerous NoExtract example|unintended consequences]], even under [https://bbs.archlinux.org/viewtopic.php?id=250846 Xorg].}}<br />
<br />
The example below installs English (US) files, or none at all:<br />
<br />
{{hc|/etc/pacman.conf|2=<br />
NoExtract = usr/share/help/* !usr/share/help/C/*<br />
NoExtract = usr/share/gtk-doc/html/*<br />
NoExtract = usr/share/locale/* usr/share/X11/locale/*/* usr/share/i18n/locales/* opt/google/chrome/locales/* !usr/share/X11/locale/C/*<br />
NoExtract = !*locale*/en*/* !usr/share/*locale*/locale.*<br />
NoExtract = !usr/share/*locales/en_?? !usr/share/*locales/i18n* !usr/share/*locales/iso*<br />
NoExtract = usr/share/i18n/charmaps/* !usr/share/i18n/charmaps/UTF-8.gz<br />
NoExtract = !usr/share/*locales/trans*<br />
NoExtract = usr/share/man/* !usr/share/man/man*<br />
NoExtract = usr/share/vim/vim*/lang/*<br />
NoExtract = usr/lib/libreoffice/help/en-US/*<br />
NoExtract = usr/share/kbd/locale/*<br />
NoExtract = usr/share/*/translations/*.qm usr/share/qt/translations/*.pak !*/en-US.pak # Qt apps<br />
NoExtract = usr/share/*/locales/*.pak opt/*/locales/*.pak usr/lib/*/locales/*.pak !*/en-US.pak # Electron apps<br />
NoExtract = opt/onlyoffice/desktopeditors/dictionaries/* !opt/onlyoffice/desktopeditors/dictionaries/en_US/*<br />
NoExtract = usr/share/ibus/dicts/emoji-*.dict !usr/share/ibus/dicts/emoji-en.dict<br />
}}<br />
<br />
== Performance ==<br />
<br />
=== Download speeds ===<br />
<br />
{{Note|If your download speeds have been reduced to a crawl, ensure you are using one of the many [[mirrors]] and not ftp.archlinux.org, which is [https://archlinux.org/news/302/ throttled since March 2007].}}<br />
<br />
When downloading packages ''pacman'' uses the mirrors in the order they are in {{ic|/etc/pacman.d/mirrorlist}}. The mirror which is at the top of the list by default however may not be the fastest for you. To select a faster mirror, see [[Mirrors]].<br />
<br />
''Pacman''<nowiki>'</nowiki>s speed in downloading packages can also be improved by using a different application to download packages, instead of ''pacman''<nowiki>'</nowiki>s built-in file downloader.<br />
<br />
In all cases, make sure you have the latest ''pacman'' before doing any modifications.<br />
<br />
# pacman -Syu<br />
<br />
==== Powerpill ====<br />
<br />
[[Powerpill]] is a ''pacman'' wrapper that uses parallel and segmented downloading to try to speed up downloads for ''pacman''.<br />
<br />
==== wget ====<br />
<br />
Using ''wget'' is also very handy if you need more powerful proxy settings than ''pacman''<nowiki>'</nowiki>s built-in capabilities.<br />
<br />
To use {{ic|wget}}, first [[install]] the {{Pkg|wget}} package then modify {{ic|/etc/pacman.conf}} by uncommenting the following line in the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/wget --passive-ftp --show-progress -c -q -N %u<br />
<br />
Instead of uncommenting the {{ic|wget}} parameters in {{ic|/etc/pacman.conf}}, you can also modify the {{ic|wget}} configuration file directly (the system-wide file is {{ic|/etc/wgetrc}}, per user files are {{ic|$HOME/.wgetrc}}).<br />
<br />
==== aria2 ====<br />
<br />
[[aria2]] is a lightweight download utility with support for resumable and segmented HTTP/HTTPS and FTP downloads. aria2 allows for multiple and simultaneous HTTP/HTTPS and FTP connections to an Arch mirror, which should result in an increase in download speeds for both file and package retrieval.<br />
<br />
{{Note|Using aria2c in ''pacman''<nowiki>'</nowiki>s XferCommand will '''not''' result in parallel downloads of multiple packages. ''Pacman'' invokes the XferCommand with a single package at a time and waits for it to complete before invoking the next. To download multiple packages in parallel, see [[Powerpill]].}}<br />
<br />
Install {{Pkg|aria2}}, then edit {{ic|/etc/pacman.conf}} by adding the following line to the {{ic|[options]}} section:<br />
<br />
XferCommand = /usr/bin/aria2c --allow-overwrite=true --continue=true --file-allocation=none --log-level=error --max-tries=2 --max-connection-per-server=2 --max-file-not-found=5 --min-split-size=5M --no-conf --remote-time=true --summary-interval=60 --timeout=5 --dir=/ --out %o %u<br />
<br />
{{Tip|1=[https://bbs.archlinux.org/viewtopic.php?pid=1491879#p1491879 This alternative configuration for using ''pacman'' with aria2] tries to simplify configuration and adds more configuration options.}}<br />
<br />
See {{man|1|aria2c|OPTIONS}} for used aria2c options.<br />
<br />
* {{ic|-d, --dir}}: The directory to store the downloaded file(s) as specified by ''pacman''.<br />
* {{ic|-o, --out}}: The output file name(s) of the downloaded file(s). <br />
* {{ic|%o}}: Variable which represents the local filename(s) as specified by ''pacman''.<br />
* {{ic|%u}}: Variable which represents the download URL as specified by ''pacman''.<br />
<br />
==== Other applications ====<br />
<br />
There are other downloading applications that you can use with ''pacman''. Here they are, and their associated XferCommand settings:<br />
<br />
* {{ic|snarf}}: {{ic|1=XferCommand = /usr/bin/snarf -N %u}}<br />
* {{ic|lftp}}: {{ic|1=XferCommand = /usr/bin/lftp -c pget %u}}<br />
* {{ic|axel}}: {{ic|1=XferCommand = /usr/bin/axel -n 2 -v -a -o %o %u}}<br />
* {{ic|hget}}: {{ic|1=XferCommand = /usr/bin/hget %u -n 2 -skip-tls false}} (please read the [https://github.com/huydx/hget documentation on the GitHub project page] for more info)<br />
* {{ic|saldl}}: {{ic|1=XferCommand = /usr/bin/saldl -c6 -l4 -s2m -o %o %u}} (please read the [https://saldl.github.io documentation on the project page] for more info)<br />
<br />
== Utilities ==<br />
<br />
* {{App|Lostfiles|Script that identifies files not owned by any package.|https://github.com/graysky2/lostfiles|{{Pkg|lostfiles}}}}<br />
* {{App|Pacmatic|''Pacman'' wrapper to check Arch News before upgrading, avoid partial upgrades, and warn about configuration file changes.|http://kmkeen.com/pacmatic|{{Pkg|pacmatic}}}}<br />
* {{App|pacutils|Helper library for libalpm based programs.|https://github.com/andrewgregory/pacutils|{{Pkg|pacutils}}}}<br />
* {{App|[[pkgfile]]|Tool that finds what package owns a file.|https://github.com/falconindy/pkgfile|{{Pkg|pkgfile}}}}<br />
* {{App|pkgtools|Collection of scripts for Arch Linux packages.|https://github.com/Daenyth/pkgtools|{{AUR|pkgtools}}}}<br />
* {{App|pkgtop|Interactive package manager and resource monitor designed for GNU/Linux.|https://github.com/orhun/pkgtop|{{AUR|pkgtop-git}}}}<br />
* {{App|[[Powerpill]]|Uses parallel and segmented downloading through [[aria2]] and [[Reflector]] to try to speed up downloads for ''pacman''.|https://xyne.archlinux.ca/projects/powerpill/|{{AUR|powerpill}}}}<br />
* {{App|repoctl|Tool to help manage local repositories.|https://github.com/cassava/repoctl|{{AUR|repoctl}}}}<br />
* {{App|repose|An Arch Linux repository building tool.|https://github.com/vodik/repose|{{Pkg|repose}}}}<br />
* {{App|[[Snapper#Wrapping_pacman_transactions_in_snapshots|snap-pac]]|Make ''pacman'' automatically use snapper to create pre/post snapshots like openSUSE's YaST.|https://github.com/wesbarnett/snap-pac|{{pkg|snap-pac}}}}<br />
* {{App|vrms-arch|A virtual Richard M. Stallman to tell you which non-free packages are installed.|https://github.com/orospakr/vrms-arch|{{AUR|vrms-arch-git}}}}<br />
<br />
=== Graphical ===<br />
<br />
{{Warning|PackageKit opens up system permissions by default, and is otherwise not recommended for general usage. See {{Bug|50459}} and {{Bug|57943}}.}}<br />
<br />
* {{App|Apper|Qt 5 application and package manager using PackageKit written in C++. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata].|https://userbase.kde.org/Apper|{{Pkg|apper}}}}<br />
* {{App|Discover|Qt 5 application manager using PackageKit written in C++/QML. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://userbase.kde.org/Discover|{{Pkg|discover}}}}<br />
* {{App|GNOME PackageKit|GTK 3 package manager using PackageKit written in C.|https://freedesktop.org/software/PackageKit/|{{Pkg|gnome-packagekit}}}}<br />
* {{App|GNOME Software|GTK 3 application manager using PackageKit written in C. Supports [https://www.freedesktop.org/wiki/Distributions/AppStream/ AppStream metadata], [[Flatpak]] and [[fwupd|firmware updates]]. |https://wiki.gnome.org/Apps/Software|{{pkg|gnome-software}}}}<br />
* {{App|pcurses|Curses TUI pacman wrapper written in C++.|https://github.com/schuay/pcurses|{{Pkg|pcurses}}}}<br />
* {{App|tkPacman|Tk pacman wrapper written in Tcl.|https://sourceforge.net/projects/tkpacman|{{AUR|tkpacman}}}}</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_X13_Gen_1_(AMD)&diff=647284Lenovo ThinkPad X13 Gen 1 (AMD)2020-12-27T09:30:04Z<p>Yuvadm: Add fwupd link</p>
<hr />
<div>[[Category:Lenovo]]<br />
<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || || {{Yes}}<br />
|-<br />
| J-Mouse || || {{Yes}}<br />
|-<br />
| Keyboard || || {{Yes}}<br />
|-<br />
| Video || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Webcam || {{ic|04f2:b6d0}} || {{Yes}}<br />
|-<br />
| Ethernet || {{ic|10ec:8168}} || {{Yes}}<br />
|-<br />
| Bluetooth || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Power management || || {{Yes}}<br />
|-<br />
| USB Ports || {{ic|10ec:816d}} || {{Yes}}<br />
|-<br />
| SD-Card slot || {{ic|}} || {{Yes}}<br />
|-<br />
| HDMI || || {{Yes}}<br />
|-<br />
| Audio || {{ic|1022:15e3}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|}} || {{Y|Untested}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
No special steps are needed for installation.<br />
<br />
=== BIOS ===<br />
<br />
It is recommended to run the latest BIOS version, which is currently 1.29.<br />
<br />
The BIOS update can be downloaded as an [https://download.lenovo.com/pccbbs/mobiles/r1cuj60wd.iso ISO image] from the [https://pcsupport.lenovo.com/mx/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x13-type-20uf-20ug/downloads/ds544980-bios-update-utility-bootable-cd-for-windows-10-64-bit-thinkpad-t14s-x13 X13 support page] and loaded to a USB stick.<br />
<br />
Additionally, there is a BIOS option for customizing the Power profile that by default is tuned to {{ic|Windows 10}} and is recommended to be set to {{ic|Linux}}. This setting has been shown to reduce issues with [[#Power Management]].<br />
<br />
== Accessibility ==<br />
<br />
The BIOS offers two modes of operation, '''GUI''' and '''Simple Text'''. <br />
<br />
The GUI can be navigated to some degree via the keyboard. Use the '''Left''' and '''Right''' arrow keys to move the selection and '''Space''' to activate.<br />
<br />
For full keyboard support switching to simple text would likely be better.<br />
<br />
That can be accomplished by:<br />
* Selecting and activating '''Config''' on the left side under '''Setup'''<br />
* '''Right''' arrowing until the drop down to the right of '''Setup UI''' is selected<br />
* Activating the drop down and selecting '''Simple Text'''<br />
* '''F10''' (save and exit)<br />
<br />
{{Note|Blind users may want to request the help of a sighted person to change BIOS settings.}}<br />
<br />
== Firmware ==<br />
<br />
[[fwupd]] does not support this device yet.<br />
<br />
== Power Management ==<br />
<br />
Various issues have been reported with resuming from suspend. In order to mitigate them follow the best practices described in [[#BIOS]].<br />
<br />
On systems that use full-disk encryption with sd-encrypt it might be preferred to switch to using the {{ic|encrypt}} mkinitcpio hook.<br />
<br />
== Function keys ==<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn}} || {{Yes}} || {{No}} || {{ic|XF86WakeUp}}<br />
|-<br />
| {{ic|Fn+Esc}} || {{No}} || {{Yes}} || Enables Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMute}}<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioLowerVolume}}<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioRaiseVolume}}<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMicMute}}<br />
|-<br />
| {{ic|Fn+F5}} || {{No}} || {{Yes}} || Monitor Brightness Down<br />
|-<br />
| {{ic|Fn+F6}} || {{No}} || {{Yes}} || Monitor Brightness Up<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || {{ic|XF86Display}}<br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || {{ic|XF86WLAN}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+F9}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F10}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F11}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || {{ic|XF86Favorites}}<br />
|-<br />
| {{ic|Fn+Space}} || {{No}} || {{Yes}} || Enables/disables keyboard backlight<br />
|-<br />
| {{ic|Fn+4}} || {{Yes}} || {{No}} || {{ic|XF86Sleep}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+B}} || {{Yes}} || {{No}} || {{ic|Ctrl_L + Break}}<br />
|-<br />
| {{ic|Fn+P}} || {{Yes}} || {{No}} || {{ic|Pause}}<br />
|-<br />
| {{ic|Fn+K}} || {{Yes}} || {{No}} || {{ic|Scroll Lock}}<br />
|-<br />
| {{ic|Fn+Left}} || {{Yes}} || {{No}} || {{ic|Home}}<br />
|-<br />
| {{ic|Fn+Right}} || {{Yes}} || {{No}} || {{ic|End}}<br />
|-<br />
| {{ic|Fn+S}} || {{Yes}} || {{No}} || {{ic|Alt_L + SysRq }}<br />
|-<br />
| {{ic|Fn+End}} || {{Yes}} || {{Yes}} || {{ic|Ins}}<br />
|}<br />
<br />
# The key is visible via {{ic|xev}} and similar tools<br />
# The physical key has a symbol on it, which describes its function<br />
# systemd-logind handles this by default<br />
<br />
== See also ==<br />
<br />
* Specifications: https://psref.lenovo.com/syspool/Sys/PDF/ThinkPad/ThinkPad_x13_Gen_1_AMD/ThinkPad_x13_Gen_1_AMD_Spec.PDF<br />
* Official service manual: https://download.lenovo.com/pccbbs/mobiles_pdf/t14s_gen1_x13_gen1_hmm_en.pdf<br />
* https://certification.ubuntu.com/hardware/202006-27979</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_X13_Gen_1_(AMD)&diff=647258Lenovo ThinkPad X13 Gen 1 (AMD)2020-12-27T06:48:33Z<p>Yuvadm: Clarify power profile setting</p>
<hr />
<div>[[Category:Lenovo]]<br />
<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || || {{Yes}}<br />
|-<br />
| J-Mouse || || {{Yes}}<br />
|-<br />
| Keyboard || || {{Yes}}<br />
|-<br />
| Video || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Webcam || {{ic|04f2:b6d0}} || {{Yes}}<br />
|-<br />
| Ethernet || {{ic|10ec:8168}} || {{Yes}}<br />
|-<br />
| Bluetooth || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Power management || || {{Yes}}<br />
|-<br />
| USB Ports || {{ic|10ec:816d}} || {{Yes}}<br />
|-<br />
| SD-Card slot || {{ic|}} || {{Yes}}<br />
|-<br />
| HDMI || || {{Yes}}<br />
|-<br />
| Audio || {{ic|1022:15e3}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|}} || {{Y|Untested}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
No special steps are needed for installation.<br />
<br />
=== BIOS ===<br />
<br />
It is recommended to run the latest BIOS version, which is currently 1.29.<br />
<br />
The BIOS update can be downloaded as an [https://download.lenovo.com/pccbbs/mobiles/r1cuj60wd.iso ISO image] from the [https://pcsupport.lenovo.com/mx/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x13-type-20uf-20ug/downloads/ds544980-bios-update-utility-bootable-cd-for-windows-10-64-bit-thinkpad-t14s-x13 X13 support page] and loaded to a USB stick.<br />
<br />
Additionally, there is a BIOS option for customizing the Power profile that by default is tuned to {{ic|Windows 10}} and is recommended to be set to {{ic|Linux}}. This setting has been shown to reduce issues with [[#Power Management]].<br />
<br />
== Accessibility ==<br />
<br />
The BIOS offers two modes of operation, '''GUI''' and '''Simple Text'''. <br />
<br />
The GUI can be navigated to some degree via the keyboard. Use the '''Left''' and '''Right''' arrow keys to move the selection and '''Space''' to activate.<br />
<br />
For full keyboard support switching to simple text would likely be better.<br />
<br />
That can be accomplished by:<br />
* Selecting and activating '''Config''' on the left side under '''Setup'''<br />
* '''Right''' arrowing until the drop down to the right of '''Setup UI''' is selected<br />
* Activating the drop down and selecting '''Simple Text'''<br />
* '''F10''' (save and exit)<br />
<br />
{{Note|Blind users may want to request the help of a sighted person to change BIOS settings.}}<br />
<br />
== Firmware ==<br />
<br />
fwupd does not support this device yet.<br />
<br />
== Power Management ==<br />
<br />
Various issues have been reported with resuming from suspend. In order to mitigate them follow the best practices described in [[#BIOS]].<br />
<br />
On systems that use full-disk encryption with sd-encrypt it might be preferred to switch to using the {{ic|encrypt}} mkinitcpio hook.<br />
<br />
== Function keys ==<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn}} || {{Yes}} || {{No}} || {{ic|XF86WakeUp}}<br />
|-<br />
| {{ic|Fn+Esc}} || {{No}} || {{Yes}} || Enables Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMute}}<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioLowerVolume}}<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioRaiseVolume}}<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMicMute}}<br />
|-<br />
| {{ic|Fn+F5}} || {{No}} || {{Yes}} || Monitor Brightness Down<br />
|-<br />
| {{ic|Fn+F6}} || {{No}} || {{Yes}} || Monitor Brightness Up<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || {{ic|XF86Display}}<br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || {{ic|XF86WLAN}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+F9}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F10}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F11}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || {{ic|XF86Favorites}}<br />
|-<br />
| {{ic|Fn+Space}} || {{No}} || {{Yes}} || Enables/disables keyboard backlight<br />
|-<br />
| {{ic|Fn+4}} || {{Yes}} || {{No}} || {{ic|XF86Sleep}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+B}} || {{Yes}} || {{No}} || {{ic|Ctrl_L + Break}}<br />
|-<br />
| {{ic|Fn+P}} || {{Yes}} || {{No}} || {{ic|Pause}}<br />
|-<br />
| {{ic|Fn+K}} || {{Yes}} || {{No}} || {{ic|Scroll Lock}}<br />
|-<br />
| {{ic|Fn+Left}} || {{Yes}} || {{No}} || {{ic|Home}}<br />
|-<br />
| {{ic|Fn+Right}} || {{Yes}} || {{No}} || {{ic|End}}<br />
|-<br />
| {{ic|Fn+S}} || {{Yes}} || {{No}} || {{ic|Alt_L + SysRq }}<br />
|-<br />
| {{ic|Fn+End}} || {{Yes}} || {{Yes}} || {{ic|Ins}}<br />
|}<br />
<br />
# The key is visible via {{ic|xev}} and similar tools<br />
# The physical key has a symbol on it, which describes its function<br />
# systemd-logind handles this by default<br />
<br />
== See also ==<br />
<br />
* Specifications: https://psref.lenovo.com/syspool/Sys/PDF/ThinkPad/ThinkPad_x13_Gen_1_AMD/ThinkPad_x13_Gen_1_AMD_Spec.PDF<br />
* Official service manual: https://download.lenovo.com/pccbbs/mobiles_pdf/t14s_gen1_x13_gen1_hmm_en.pdf<br />
* https://certification.ubuntu.com/hardware/202006-27979</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_X13_Gen_1_(AMD)&diff=647257Lenovo ThinkPad X13 Gen 1 (AMD)2020-12-27T06:47:08Z<p>Yuvadm: Update and cleanup Power management section</p>
<hr />
<div>[[Category:Lenovo]]<br />
<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || || {{Yes}}<br />
|-<br />
| J-Mouse || || {{Yes}}<br />
|-<br />
| Keyboard || || {{Yes}}<br />
|-<br />
| Video || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Webcam || {{ic|04f2:b6d0}} || {{Yes}}<br />
|-<br />
| Ethernet || {{ic|10ec:8168}} || {{Yes}}<br />
|-<br />
| Bluetooth || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Power management || || {{Yes}}<br />
|-<br />
| USB Ports || {{ic|10ec:816d}} || {{Yes}}<br />
|-<br />
| SD-Card slot || {{ic|}} || {{Yes}}<br />
|-<br />
| HDMI || || {{Yes}}<br />
|-<br />
| Audio || {{ic|1022:15e3}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|}} || {{Y|Untested}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
No special steps are needed for installation.<br />
<br />
=== BIOS ===<br />
<br />
It is recommended to run the latest BIOS version, which is currently 1.29.<br />
<br />
The BIOS update can be downloaded as an [https://download.lenovo.com/pccbbs/mobiles/r1cuj60wd.iso ISO image] from the [https://pcsupport.lenovo.com/mx/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x13-type-20uf-20ug/downloads/ds544980-bios-update-utility-bootable-cd-for-windows-10-64-bit-thinkpad-t14s-x13 X13 support page] and loaded to a USB stick.<br />
<br />
Additionally, there is a BIOS option for customizing the Power profile that by default is tuned to {{ic|Windows 10}} and is recommended to be set to {{ic|Linux}}.<br />
<br />
== Accessibility ==<br />
<br />
The BIOS offers two modes of operation, '''GUI''' and '''Simple Text'''. <br />
<br />
The GUI can be navigated to some degree via the keyboard. Use the '''Left''' and '''Right''' arrow keys to move the selection and '''Space''' to activate.<br />
<br />
For full keyboard support switching to simple text would likely be better.<br />
<br />
That can be accomplished by:<br />
* Selecting and activating '''Config''' on the left side under '''Setup'''<br />
* Pressing the '''Right''' arrow until the drop-down to the right of '''Setup UI''' is selected<br />
* Activating the drop-down and selecting '''Simple Text'''<br />
* Pressing '''F10''' (save and exit)<br />
<br />
{{Note|Blind users may want to request the help of a sighted person to change BIOS settings}}<br />
<br />
== Firmware ==<br />
<br />
fwupd does not support this device yet.<br />
<br />
== Power Management ==<br />
<br />
Various issues have been reported with resuming from suspend. In order to mitigate them follow the best practices described in [[#BIOS]].<br />
<br />
On systems that use full-disk encryption with sd-encrypt it might be preferred to switch to using the {{ic|encrypt}} mkinitcpio hook.<br />
<br />
== Function keys ==<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn}} || {{Yes}} || {{No}} || {{ic|XF86WakeUp}}<br />
|-<br />
| {{ic|Fn+Esc}} || {{No}} || {{Yes}} || Enables Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMute}}<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioLowerVolume}}<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioRaiseVolume}}<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMicMute}}<br />
|-<br />
| {{ic|Fn+F5}} || {{No}} || {{Yes}} || Monitor Brightness Down<br />
|-<br />
| {{ic|Fn+F6}} || {{No}} || {{Yes}} || Monitor Brightness Up<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || {{ic|XF86Display}}<br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || {{ic|XF86WLAN}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+F9}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F10}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F11}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || {{ic|XF86Favorites}}<br />
|-<br />
| {{ic|Fn+Space}} || {{No}} || {{Yes}} || Enables/disables keyboard backlight<br />
|-<br />
| {{ic|Fn+4}} || {{Yes}} || {{No}} || {{ic|XF86Sleep}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+B}} || {{Yes}} || {{No}} || {{ic|Ctrl_L + Break}}<br />
|-<br />
| {{ic|Fn+P}} || {{Yes}} || {{No}} || {{ic|Pause}}<br />
|-<br />
| {{ic|Fn+K}} || {{Yes}} || {{No}} || {{ic|Scroll Lock}}<br />
|-<br />
| {{ic|Fn+Left}} || {{Yes}} || {{No}} || {{ic|Home}}<br />
|-<br />
| {{ic|Fn+Right}} || {{Yes}} || {{No}} || {{ic|End}}<br />
|-<br />
| {{ic|Fn+S}} || {{Yes}} || {{No}} || {{ic|Alt_L + SysRq }}<br />
|-<br />
| {{ic|Fn+End}} || {{Yes}} || {{Yes}} || {{ic|Ins}}<br />
|}<br />
<br />
# The key is visible via {{ic|xev}} and similar tools<br />
# The physical key has a symbol on it, which describes its function<br />
# systemd-logind handles this by default<br />
<br />
== See also ==<br />
<br />
* Specifications: https://psref.lenovo.com/syspool/Sys/PDF/ThinkPad/ThinkPad_x13_Gen_1_AMD/ThinkPad_x13_Gen_1_AMD_Spec.PDF<br />
* Official service manual: https://download.lenovo.com/pccbbs/mobiles_pdf/t14s_gen1_x13_gen1_hmm_en.pdf<br />
* https://certification.ubuntu.com/hardware/202006-27979</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Laptop/Lenovo&diff=647187Laptop/Lenovo2020-12-26T15:17:53Z<p>Yuvadm: Add link to X13 AMD</p>
<hr />
<div>[[Category:Lenovo]]<br />
[[ja:ノートパソコン/Lenovo]]<br />
{{Laptops navigation}}<br />
{{Related articles start}}<br />
{{Related|ThinkPad docks}}<br />
{{Related articles end}}<br />
<br />
== IBM/Lenovo ==<br />
<br />
=== ThinkPad ===<br />
<br />
==== Edge series ====<br />
<br />
{{Laptops table header}}<br />
| [[Lenovo ThinkPad Edge E330]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad Edge E335]] || NA || Yes || Yes || Yes || Yes || NA || Yes || NA || ||<br />
|-<br />
| Lenovo ThinkPad Edge E420s || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || SDcard (Yes), Webcam (Yes), Trackpoint (No) || <br />
|-<br />
| [[Lenovo ThinkPad Edge E430]] || Yes || Yes || Yes* || Yes* || Not tested || Yes || NA || NA || SD card (yes) || <br />
|-<br />
| [[Lenovo ThinkPad Edge E455]] || 2015.04.01 || Yes* || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| Lenovo ThinkPad Edge E460 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (yes), Finger Print (yes), TouchPad/Trackpoint (yes*), Webcam (yes)|| Touchpad and trackpoint need kernel parameters "i8042.noloop i8042.nomux i8042.nopnp i8042.reset" when using [[libinput]].<br />
|-<br />
| Lenovo ThinkPad Edge E470 || 2020.11.11 || Yes || Yes || Yes || Yes || Yes || Yes || NA || trackpoint (yes) ||<br />
|-<br />
| Lenovo ThinkPad Edge E530 || Yes || Yes || Yes* || Yes* || Yes || Yes || NA || NA || SD card (yes), Finger Print (yes) || An E530 without a fingerprint reader can be equipped with one.<br />
|-<br />
| Lenovo ThinkPad Edge E531 || Yes || Yes || Yes || Yes || Yes* || Yes || Yes || NA || SD card (yes), Touch Pad/Trackpoint (yes), Webcam (yes) || WiFi only works with {{Pkg|broadcom-wl-dkms}}<br />
|-<br />
| Lenovo ThinkPad Edge E540 || 2015.08.01 || Yes || Yes || Yes || Yes || Yes || Yes* || NA || SD card (yes), Finger Print (yes), touch pad and trackpoint (yes), Webcam (yes) || <br />
|-<br />
| Lenovo ThinkPad Edge E545 || NA || Yes || Yes || Yes || Yes* || Not tested || Yes || NA || SD card (yes), touch pad and trackpoint (yes) Webcam (yes) || wifi works only with {{Pkg|broadcom-wl-dkms}}<br />
|-<br />
| Lenovo ThinkPad Edge E580 || 2018.05.01 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Fingerprint sensor doesn't work because of proprietary firmware ||<br />
|-<br />
|}<br />
<br />
==== E series ====<br />
<br />
{{Laptops table header}}<br />
| Lenovo ThinkPad E485 || 2018-10-01 || Yes || Yes || Yes || Yes || Yes || Yes || N/A || || Missing IVRS map in ACPI Table, add <code>amd_iommu=pt ivrs_ioapic[32]=00:14.0</code> in [[kernel parameters]]. In order to get X to work correctly, add <code>iommu=soft</code> in [[kernel parameters]] (Linux 4.20 only). On Linux 5.2, add <code>iommu=pt</code> to prevent render artifacts on X. In order to get microsd (SDHCI) working, <code>echo 'options sdhci debug_quirks2="0x8000"' > /etc/modprobe.d/sdhci.conf</code> and change module load order <code>MODULES=(sdhci sdhci_pci)</code> in <code>/etc/mkinitcpio.conf</code> (line 7). Don't forget to run <code>mkinitcpio -p linux</code> afterwards. If WiFi doesn't work on RTL8822BE adapter models, create a file <code>/etc/modprobe.d/wifi.conf</code> and add the following lines: <code>blacklist rtw_pci<br />blacklist rtwpci</code>. Then, install {{aur|rtw88-dkms-git}} and reboot.<br />
|-<br />
| Lenovo ThinkPad E585 || 2018-11-01 || Yes || Yes || Yes || Yes || Yes || Yes || N/A || || The easiest way to solve all the issues mentioned here is to install the latest BIOS update from the Lenovo support website. Missing IVRS map in ACPI Table, add <code>amd_iommu=pt ivrs_ioapic[32]=00:14.0</code> in [[kernel parameters]]. In order to get X to work correctly, add <code>iommu=soft</code> in [[kernel parameters]] (Linux 4.20 only). In order to get microsd (SDHCI) working, <code>echo 'options sdhci debug_quirks2="0x8000"' > /etc/modprobe.d/sdhci.conf</code> and change module load order <code>MODULES=(sdhci sdhci_pci)</code> in <code>/etc/mkinitcpio.conf</code> (line 7). Don't forget to run <code>mkinitcpio -p linux</code> afterwards. Bluetooth doesn't work until a suspend/resume cycle occurs.<br />
|-<br />
| Lenovo ThinkPad E595 || 2020-02-29 (last update: 2020-05-24) || Yes || Yes || Yes || Yes || Yes || Yes || N/A || ||<br />
Update the BIOS if the IVRS map is missing in the ACPI Table.<br />
<br />
A BIOS update can help if Ethernet is not working.<br />
<br />
MicroSD doesn't work out of the box, see above (Lenovo ThinkPad E585) to fix it.<br />
<br />
Wake up from suspend broken on X.Org with kernel >= 5.2; works with kernel >= 5.6<br />
|-<br />
|}<br />
<br />
==== L series ====<br />
<br />
{{Laptops table header}}<br />
| [[Lenovo ThinkPad L380 Yoga]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Trackpoint*, Fingerprint reader ||<br />
|-<br />
| Lenovo ThinkPad L390 || 2019.09.01 || Yes || Yes || Not tested || Yes || Yes || Yes || NA || Webcam, MicroSD card reader is working out of the box. Not working out of the box: Touchscreen, fingerprint reader, NFC ||<br />
|-<br />
| Lenovo ThinkPad L420 || Yes || Yes || Yes || Yes || Yes || Not tested || Yes || NA || ||<br />
|-<br />
| Lenovo ThinkPad L430 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Trackpoint* ||<br />
|-<br />
| Lenovo ThinkPad L440 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Trackpoint (Touchpad cannot be disabled, as mouse buttons are shared with Trackpoint), Fingerprint reader, SD Card Reader ||<br />
|-<br />
| Lenovo ThinkPad L450 || 2019.11.01 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Trackpoint, Fingerprint reader, SD Card Reader ||<br />
|-<br />
| Lenovo ThinkPad L460 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || Trackpoint, Fingerprint reader, SD Card Reader ||<br />
|-<br />
| Lenovo ThinkPad L490 || 2020.12.13 || Yes || Yes || Yes || Yes<sup>1</sup> || Yes || Yes || NA<sup>2</sup> || Trackpoint, SD Card Reader, Webcam, USB-C generic dongle, USB-C to HDMI video, USB-C Power Delivery (PD) are working. || <sup>1</sup>Wireless chipset (RTL8822BE) might not work on standard {{Pkg|linux}} kernel, showing errors like {{ic|1=failed to read ASPM, ret=-5}} and/or {{ic|failed to power on mac}} , but it should work by running {{Pkg|linux-lts}} kernel, with no further configuration. Wireless might not work with Arch Linux default installation media, since it uses default linux kernel. In order to install Arch Linux, use a [[Network_configuration|wired connection]], or create a custom installation media with [[Archiso#Kernel|LTS kernel]] to support device's wireless adapter instead. Do not forget to install {{Pkg|linux-lts}} and {{Pkg|linux-firmware}} packages before rebooting to a fresh installation.<br />
<sup>2</sup>There is a variant with LTE, but this specific testing machine does not have that module.<br />
* Fan will not work by default. Consider [[Fan_speed_control#ThinkPad laptops|configuring it]] in order to avoid thermal throttling (tested with {{AUR|thinkfan}}).<br />
* Fingerprint reader not tested.<br />
* ThinkPad [https://www.lenovo.com/us/en/accessories-and-monitors/cables-and-adapters/adapters/CABLE-BO-Ethernet-Extension-Adapter-2/p/4X90Q84427 ''Ethernet Extension Adapter Gen 2''] not tested.<br />
|-<br />
| Lenovo ThinkPad L520 || 2018.09.01-x86_64|| Yes || Yes || Yes || Yes || Not tested|| Not tested|| Not tested|| Not tested ||<br />
|-<br />
| Lenovo ThinkPad L530 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Trackpoint*, Fingerprint reader ||<br />
|-<br />
| Lenovo ThinkPad L560 || Yes || Yes || Yes || Yes || Yes || Not tested || Not tested || NA || Trackpoint ||<br />
|-<br />
| Lenovo ThinkPad L590 || No || Not tested || Not tested || Not tested || Not tested || Not tested || Not tested || NA || || Kernels >= 5 won't boot at all and freezes at different stages of startup.<br />
|-<br />
| Lenovo ThinkPad L14 Gen1 (Intel) || 2020.09.17 || Yes || Yes || Yes || Yes || Not tested || Yes || NA || Touchpad physical buttons not working; a microphone plugged in through the jack does not work, but one plugged in through USB-C does. ||<br />
|-<br />
|}<br />
<br />
==== A series ====<br />
<br />
{{Laptops table header}}<br />
| Lenovo ThinkPad A485 || 2018.12 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Touch Pad/Trackpoint (yes), Webcam (yes) || bluetooth does not work when activating [[Laptop Mode Tools]] <code>runtime-pm</code> module<br />
|}<br />
<br />
==== P series ====<br />
<br />
{{Laptops table header}}<br />
| [[Lenovo ThinkPad P50]] || 2016.04 || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint Reader ({{AUR|libfprint-vfs009x-git}}), || Wifi requires Kernel 4.3.3+ <br />
|-<br />
| [[Lenovo ThinkPad P70]] || 2016.04 || Yes || Yes || Yes || Yes || Yes || Suspend working, hibernate not tested || NA || SD card (Yes), Webcam (Yes), Fingerprint Reader ({{AUR|libfprint-vfs009x-git}}), || Wifi requires Kernel 4.3.3+ <br />
|-<br />
| Lenovo ThinkPad P51 || Unknown || Yes || Yes || Yes || Yes || Yes || Yes || Yes (No GNSS/GPS) ||<br />
* Working: SD card, Webcam, Express card, Smartcard reader, Fingerprint Reader ({{AUR|libfprint-vfs009x-git}})<br />
* Not working: TPM, Color calibrator, UEFI flash <br />
|| HDMI audio requires nvhda module<br />
|-<br />
| [[Lenovo ThinkPad P52]] || 2018.09 || Yes || Yes || Yes || Yes || Yes || Suspend working, hibernate not tested || NA || Webcam (yes), IR camera (yes), Touchpad (yes), SD Card Reader (yes), Smartcard Reader (yes with pcscd installed), Fingerprint (no) ||<br />
|-<br />
| [[Lenovo ThinkPad P1]] || 2018.12 || Yes || Yes || Yes || Yes || Yes || Suspend working, hibernate not tested || NA || Webcam (Yes), multi-monitor (yes)|| <br />
|-<br />
| [[Lenovo ThinkPad P1 (Gen 2)]] || 2019.09.01 || Yes || Yes || Yes || Yes || Yes || Suspend working, hibernate working || NA || Webcam (not tested), multi-monitor (yes)|| <br />
|-<br />
| [[Lenovo ThinkPad P52s]] || 2019.02 || Yes* (See Remarks) || Yes || Yes || Yes || Yes || Suspend (Yes), Hibernate (Yes) || Not tested || Webcam (Yes), Multi-monitor (Yes), Card Reader (Yes), Smartcard Reader (Yes), NFC (No, [https://github.com/nfc-tools/libnfc/issues/455 see this]), Fingerprint (No, [https://forums.lenovo.com/t5/Linux-Discussion/Thinkpad-T580-Synaptics-Metallica-MIS-Touch-Fingerprint-Reader/m-p/4057745 see this])|| *Intel graphics needs to be specified in the Xorg config for Xorg to work, see [[Lenovo ThinkPad P52s]]<br />
|-<br />
| Lenovo ThinkPad P53 || 2019.12 || Yes || Yes || Yes || Yes || Yes || Suspend working, hibernate not tested || NA || Webcam (Yes), Multi-monitor (Yes), Hybrid nvidia/intel (Yes), Card Reader (Yes), Smartcard Reader (Yes), Fingerprint (Yes with libfprint and current beta firmware)|| Use nvidia-prime to switch between cards. External outputs are connected to the nvidia gpu.<br />
|-<br />
| Lenovo ThinkPad P53s || 2019.10 || Yes || Yes || Yes || Yes || Not tested || Not tested || Not tested || Webcam (Yes), Multi-monitor (Not tested), Card Reader (Not tested), Smartcard Reader (Not tested), Fingerprint (Not tested)|| Trackpad is really bad compared to the Thinkpad T480.<br />
|-<br />
| Lenovo ThinkPad P73 || 2020.06 || Yes || Yes || Yes || Yes || Not tested || Not tested || Not tested || Webcam (Yes), Multi-monitor (No), Card Reader (Not tested), Smartcard Reader (Not tested), Fingerprint (Not tested)||<br />
|-<br />
| [[Lenovo ThinkPad P43s]] || 2020.07 || Yes || Yes || Yes || Yes || Not tested || Not tested || Not tested || Webcam (Yes - both types), Multi-monitor (Yes), Card Reader (Yes), Smartcard Reader (Not tested), Fingerprint (Not tested)|| Also tested with Thunderbolt 3 eGPU and works well. <br />
|-<br />
| [[Lenovo ThinkPad P15s]] || 2020.05 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Webcam (Yes - both types), Multi-monitor (Yes), Card Reader (Yes), Smartcard Reader (Not tested), Fingerprint (Not tested)|| Also tested with Thunderbolt 3 dock (monitor, usb) and works well. <br />
|}<br />
<br />
==== T series ====<br />
<br />
{{Laptops table header}}<br />
| IBM ThinkPad T60 || Yes || Yes || Yes || Yes || Yes || Yes || ? || NA || ||<br />
|-<br />
| IBM ThinkPad T60p || Yes || Yes || Yes || Yes || Yes || Yes || ? || NA || ThinkFinger ||<br />
|-<br />
| [[IBM ThinkPad T61]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || || ||<br />
|-<br />
| IBM ThinkPad T61p || Yes || Yes || Yes || Yes || Yes || Yes || NA || || ||<br />
|-<br />
| [[Lenovo ThinkPad T400]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad T400s]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| Lenovo ThinkPad T410 || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad T420]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Card reader tested, no Fingerprint scanner||<br />
|-<br />
| [[Lenovo ThinkPad T420s]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || Card Reader ||<br />
|-<br />
| [[Lenovo ThinkPad T430]] || Yes || Yes || Yes || Yes || Yes || Yes* || Yes* || Not tested || ||<br />
|-<br />
| [[#Lenovo ThinkPad T440p|Lenovo ThinkPad T440p]] || Yes || Yes || Yes || Yes || Yes || Yes* || NA || NA || Card Reader || See below<br />
|-<br />
| [[Lenovo ThinkPad T440s]] || Yes || Yes || Yes || Yes || Yes* || Yes || Yes || ? || || See wiki page for more details about wireless<br />
|-<br />
| [[Lenovo ThinkPad T450]] || ? || Yes || Yes || Yes || Yes || ? || ? || NA || SD Card reader || <br />
|-<br />
| [[Lenovo ThinkPad T450s]] || 2015.10.01 || Yes || Yes || Yes || Yes || Yes || ? || NA || SD Card reader; fingerprint scanner|| <br />
|-<br />
| [[Lenovo ThinkPad T460s]] || Yes || Yes || no beep || Yes || Yes || Yes || ? || NA || SD Card reader|| <br />
|-<br />
| [[Lenovo ThinkPad T25]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card reader; fingerprint scanner; Touchscreen|| <br />
|-<br />
| [[Lenovo ThinkPad T470]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card reader; fingerprint scanner|| <br />
|-<br />
| [[Lenovo ThinkPad T470s]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card reader; fingerprint scanner|| <br />
|-<br />
| [[Lenovo ThinkPad T480]] || 2018.07.01 || Yes || Yes || Yes || Yes || Yes || ? || NA || Thunderbolt 3 (USB-C); SD Card reader; fingerprint scanner|| <br />
|-<br />
| [[Lenovo ThinkPad T480s]] || Yes || Yes || no beep || Yes || Yes || Yes || Yes || Not Tested || Thunderbolt 3 (USB-C); SD Card reader; HDMI|| Can't find a driver for fingerprint reader<br />
|-<br />
| [[Lenovo ThinkPad T490]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Thunderbolt 3 (USB-C); microSD Card reader ||<br />
|-<br />
| [[Lenovo ThinkPad T495]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card reader ||<br />
|-<br />
| [[Lenovo ThinkPad T495s]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| Lenovo ThinkPad T500 || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad T520]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad T530]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad T550]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || DisplayPort ||<br />
|-<br />
| Lenovo ThinkPad T560 || Yes || Yes || Yes || Yes || Yes || Yes || Yes* || NA || MiniDP; Fingerprint scanner; Intel + Nvidia GPU; Card Reader || See special notes for the hardware specifications of this test device<br />
|-<br />
| [[Lenovo ThinkPad T570]] || Yes || Yes || Yes || Yes || Yes || ? || Yes* || NA || not yet fully tested || <br />
|-<br />
| Lenovo ThinkPad T580 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card Reader is supported; [https://forums.lenovo.com/t5/Linux-Discussion/Thinkpad-T580-Synaptics-Metallica-MIS-Touch-Fingerprint-Reader/m-p/4057745 Fingerprint reader is not supported] || Tested on ''2 May 2018'' (with ''Linux 4.16.5'')<br />
|-<br />
| [[Lenovo ThinkPad T590]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || || Similar to the T490, the pointer occasionally jumps while pressing trackpad buttons<br />
|-<br />
| Lenovo ThinkPad T14 (AMD) || 2020-10-14 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Card reader || <br />
|-<br />
| Lenovo ThinkPad T14s || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || || Could not get the fingerprint reader to work reliably<br />
|-<br />
|}<br />
<br />
==== W series ====<br />
{{Laptops table header}}<br />
|-<br />
| Lenovo ThinkPad W500 || 2019.12 || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || SD card (Yes), Webcam (Yes), Fingerprint Reader (Yes) || Tested January 2020 / Linux 5.4.11<br />
|-<br />
| Lenovo ThinkPad W510 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Touchscreen (Yes), Fingerprint Reader (Not tested) || Tested April 2017 / Linux 4.10.8<br />
|-<br />
| Lenovo ThinkPad W530 || 2016.03 || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint Reader (Yes) || Tested April 2018 / Linux 4.15.15<br />
|-<br />
| Lenovo ThinkPad W540 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint Reader (Yes) || Tested April 2017 / Linux 4.10.8<br />
|-<br />
| Lenovo ThinkPad W541 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || SD card (Yes), Webcam (Yes), Fingerprint Reader (Not tested) || Tested August 2018 / Linux 4.17.12<br />
|-<br />
| Lenovo ThinkPad W550s || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint Reader (Yes) || Tested April 2018 / Linux 4.15.15<br />
|-<br />
|}<br />
<br />
==== X series ====<br />
<br />
{{Laptops table header}}<br />
| [[IBM ThinkPad X60s]] || Yes|| Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| Lenovo ThinkPad X61s || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD slot ||<br />
|-<br />
| [[Lenovo ThinkPad X100e]] || Yes|| Yes || Yes || Yes || Yes || Yes || Not tested || NA || SD card (Yes), Webcam (Yes) ||<br />
|-<br />
| Lenovo ThinkPad X131e || Yes|| Yes || Yes || Yes || Yes || Yes || Yes || Not tested || SD card (Yes), Webcam (Yes), [https://bbs.archlinux.org/viewtopic.php?id=159014 WLAN Led seems not controlled] ||<br />
|-<br />
| [[Lenovo ThinkPad X140e]] || Yes|| Yes || Yes || Yes || Yes || Yes || Yes || Not tested || SD card (Yes), Webcam (Yes), [https://bbs.archlinux.org/viewtopic.php?id=159014 WLAN Led seems not controlled] ||<br />
|-<br />
| [[Lenovo ThinkPad X200]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || Yes || ||<br />
|-<br />
| [[Lenovo ThinkPad X200S]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || Yes || Everything worked out of the box. However, fingerprint, SD card and webcam were not tested. Modem needs reset after sleep (sometimes). ||<br />
|-<br />
| [[Lenovo ThinkPad X201]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || ||<br />
|-<br />
| [[Lenovo ThinkPad X220]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes) || Intel Centrino Advanced-N 6205 [Taylor Peak] requires {{Pkg|linux-firmware}} <br />
|-<br />
| [[Lenovo ThinkPad X230]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), UMTS Modem (Yes), Accelerometer (No) ||<br />
|-<br />
| [[Lenovo ThinkPad X240]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || WWAN LTE (yes) || SD card (Yes), Webcam (Yes), Fingerprint (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X250]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X260]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Yes), Webcam (Yes), Fingerprint (Yes) || PSR powersaving is causing some microfreezes. Fix below.<br />
|-<br />
| [[Lenovo ThinkPad X270]] || Yes || Yes || Yes || Yes || Yes || Not tested || Yes || NA || Webcam (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X280]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Yes (Fibocom L830-EB-00) || Webcam (Yes) ||<br />
|-<br />
| Lenovo ThinkPad X390 || 2019.08.01 || Yes || Yes || Yes || Yes || Yes || Yes || Yes (Fibocom L830-EB) || Webcam (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X390 Yoga]] || 2020.02.01 || Yes || Yes || Yes || Yes || Yes || Yes || Yes (Fibocom L830-EB) || Webcam (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X395]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || Webcam (Yes), Fingerprint reader requires installing Synaptics drivers with fwupd, refer to [[Lenovo_ThinkPad_X1_Carbon_(Gen_7)#Fingerprint_sensor|here]].<!--No, WIP[https://forums.lenovo.com/t5/Other-Linux-Discussions/Linux-on-T495/m-p/4474320#M13440])--> || Prevent amdgpu issues by updating to latest BIOS [https://support.lenovo.com/us/en/downloads/ds540046]<br />
|-<br />
| [[Lenovo ThinkPad X13 Gen 1 (AMD)]] || Yes || Yes || Yes || Yes || Yes || Proprietary/nonfree || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon]] || NA || Yes || Yes || Yes || Yes || Proprietary/nonfree || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 2)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 3)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 4)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 5)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || Yes || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 6)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || Yes || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 7)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Internal Mic not working out of the box || <br />
|-<br />
| [[Lenovo ThinkPad X1 Carbon (Gen 8)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || Not Tested || || <br />
|-<br />
| [[Lenovo ThinkPad X1 Extreme]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || Fingerprint reader not supported, Thunderbolt ports not tested || Graphics requires some configuration to work correctly<br />
|-<br />
| [[Lenovo ThinkPad X1 Extreme (Gen 2)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Yoga (Gen 3)]] || NA || Yes || Yes || Yes || Yes || Yes || Partial || NA || SD card (Yes), Webcam (Yes), Fingerprint (No), Touchscreen (Yes), Accelerometer (Yes) ||<br />
|-<br />
| [[Lenovo ThinkPad X1 Yoga (Gen 4)]] || NA || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || Webcam (Yes), Microphone (Yes), Fingerprint (Yes), Touchscreen (Yes), Accelerometer (Yes), NFC (No) ||<br />
|}<br />
<br />
==== Yoga Series ====<br />
<br />
{{Laptops table header}}<br />
| Lenovo ThinkPad Yoga 14 || USB || Yes || Yes || || Yes || Yes || Yes || || SD card (Yes), Webcam (Yes), Touchscreen (Yes), Tablet (Partial) || The Lenovo ThinkPad Yoga 14 (20FY) is a convertible 14-inch Ultrabook developed by Lenovo in 2015. It is one of many iterations in the ThinkPad line. It's also known as P40 Yoga (type 20GR, 20GQ), S3 (20G0, 20G1) and Yoga 460 (20EM, 20EL). A [https://download.lenovo.com/pccbbs/mobiles_pdf/p40_yoga14_mt20fy_yoga460_hmm_en_sp40j47499_01.pdf hardware maintenance manual is provided online].<br />
|-<br />
| [[Lenovo ThinkPad Yoga 260]] || USB || Yes || Yes || Yes || Yes || Yes || Unknown || Yes || SD card (Yes), Webcam (Yes), Fingerprint Reader (Unknown), Touchscreen (Yes), Tablet (Partial), Accelerometer (No) || Wifi requires Kernel 4.3.3+<br />
|-<br />
| Lenovo Yoga 530 || 2019.09.01 || Yes || Yes || Not tested || Yes || Not tested || Not tested || Not tested || SD card (Not tested), Webcam (Yes), Fingerprint Reader (Not tested), Touchscreen (Yes), Tablet (Partial) || Trouble with touchpad, but worked with kernel parameters "i8042.noloop i8042.nomux i8042.nopnp i8042.reset" and xf86-input-synaptics<br />
|-<br />
| Lenovo Yoga 710 || NA || Yes || Yes || Yes || Yes || Not tested || Yes || Not tested || SD card (Yes), Webcam (Yes), Touchscreen || Everything works<br />
|-<br />
| Lenovo Yoga 920 || 2020-09-12 || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || Webcam (Yes), Fingerprint Reader (No), Touchscreen (Yes), Active Pen (Yes), Accelerometer (Yes), Automatic Keyboard and Touchpad Disable (Yes, when screen is flipped all the way) || On KDE, Autorotation can be achieved with custom scripts, the hardware supports it. Not sure whether automatic tablet mode like in Windows could work, would have to find sensor output.<br />
|-<br />
| Lenovo Yoga c930 || 2019.09.01 || Yes || Partially (Fix needed for hinge soundbar, bottom speakers not working. Microphone not working) || N/A || Yes || Not tested || Yes || N/A || Webcam (Yes), Touchscreen || See https://github.com/droserasprout/lenovo-yoga-c930-linux for more information and fixes<br />
|-<br />
| Lenovo Yoga Slim 7 (AMD Ryzen 5) || 2020.09.03 || Yes || Yes || N/A || Yes || Yes || Yes, but no Suspend to RAM || N/A || Webcam (Yes), SD card (Yes), Fingerprint Reader (Unknown) || <br />
|}<br />
<br />
==== Helix Series ====<br />
{{Laptops table header}}<br />
| [[Lenovo ThinkPad Helix]] || Unknown || YES || YES || NA || YES || YES || NA || Touchscreen (yes), Pen (yes), Sensors (yes) || ||<br />
|-<br />
| [[Lenovo ThinkPad Helix 2nd Gen]] || 2018.04.01 (USB) || YES || YES || NA || YES || Not tested || Yes* (with updated BIOS) || Touchscreen (yes), Pen (not tested), Sensors (w/ patched kernel) || NA || Only suspend-to-idle ("freeze") is supported<br />
|-<br />
|}<br />
<br />
== Lenovo ==<br />
<br />
=== IdeaPad ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo IdeaPad 120S || 2018-04-26 || Yes || Yes || NA || Yes || Yes || Yes || NA || Everything works ||<br />
|-<br />
| [[Lenovo IdeaPad Flex 10]] || Yes || Yes* || Yes || NA || Yes || Yes || Yes || NA || Touchscreen* ||<br />
|-<br />
| [[Lenovo IdeaPad S10]] || Yes || Yes || Yes || Yes || Yes || Yes || NA || NA || ||<br />
|-<br />
| [[Lenovo IdeaPad S400 Touch]] || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || NA || ||<br />
|-<br />
| Lenovo IdeaPad U430p || Yes || Yes || Yes || Yes || Yes || Yes || Not tested || NA || ||<br />
|-<br />
| Lenovo IdeaPad Y700 || 2015.12.01 || Yes || Yes* || Yes || Yes || Yes || Not tested || NA || Trackpad - [https://unix.stackexchange.com/questions/362165/lenovo-y700-elantech-touchpad-query-0x01-failed buggy] || [https://bugzilla.kernel.org/show_bug.cgi?id=151681 Trackpad requires pata_legacy to be blacklisted]<br />
|-<br />
| [[Lenovo IdeaPad Z580]] || Yes || Yes || Yes || Yes || Yes || Yes || Yes || NA || ||<br />
|-<br />
| [[Lenovo IdeaPad 720s]] || 2018.03.01 || Yes || Yes || NA* || Yes || Yes || Yes || NA || Fingerprint reader not working || *requires USB or USB C dongle<br />
|-<br />
| [[Lenovo IdeaPad 720s (Ryzen)]] || 2018.02.01 || Not tested || Not tested || Yes* || No || Not tested || Not tested || NA || Fingerprint reader not tested but most likely not working || *requires USB or USB C dongle<br />
|-<br />
| Lenovo Ideapad 320 || 2018.03.01 || Yes || Yes || Yes || Yes || Yes || Not tested || NA || To stop constant annoying messages by AMD-Vi, use 'iommu=soft' & 'amd_iommu=off' in kernel arguments || <br />
|-<br />
| Lenovo Ideapad 320-15IKB || 2018.03.01 || Yes || Yes || Yes || Yes || Yes || Yes|| NA || Synaptics Fingerprint does not work. There is a dead driver project [https://github.com/nmikhailov/Validity90 here] and little/no hope of Lenovo or Synaptics developing a driver for Linux || <br />
|-<br />
| Lenovo Ideapad 330S-14IKB || 2019.10.01 || Yes || Yes || Yes || Yes || Not tested || NA || NA || {{ic|Firmware Error (ACPI): Could not resolve [^^^GFX0.AFN2], AE_NOT_FOUND (20181213/psargs-503)}} is raised every few seconds, and can only be turned off by disabling the ACPI ({{ic|1=acpi=off}}) or by connecting the laptop to a charger. Tried with both the stock BIOS and the latest update (7SCN34WW) to no avail. || <br />
|-<br />
| Lenovo Ideapad N24 || 2018.04.01 || Yes || Yes || NA || Yes || Not tested || Not tested || NA || Touchscreen || <br />
|-<br />
| Lenovo Ideapad 3-15ARE05 || 2020-10-27 || Yes || Yes || N/A || Yes || Yes || Yes || N/A || Touchpad requires blacklisting the {{ic|elants_i2c}} kernel module to work; fingerprint sensor (by Elan Microelectronics Corp. - USB ID 04f3:0c57) doesn't work (no support in [[fprint]]) || <br />
|-<br />
| [[Lenovo IdeaPad 5 15are05]] || 2020.11.9 || Yes || Yes || Yes* || Yes || Yes || Yes || N/A || Screen backlight control requires {{ic|1=acpi_backlight=video}} kernel argument; fingerprint sensor (by Shenzhen Goodix Technology Co., Ltd. - USB ID 27c6:55a2) doesn't work (no support in [[fprint]]) || *required USB or USB C dongle<br />
|-<br />
|}<br />
<br />
====== Battery Conservation Mode on IdeaPad laptops ======<br />
<br />
Battery Conservation Mode is a feature that limits battery charging to 55-60% of its capacity to improve battery life, being most useful when the laptop tends to run on external power much of the time. If your particular laptop model supports it, it can be enabled or disabled in the following manner:<br />
<br />
:First make sure the '''ideapad_laptop''' kernel module is loaded, with the {{ic|lsmod}} command.<br />
:If it is, run the following command as root to enable Battery Conservation Mode:<br />
<br />
# echo 1 >/sys/bus/platform/drivers/ideapad_acpi/VPC2004:00/conservation_mode<br />
<br />
:A 0 will in turn disable the feature.<br />
<br />
{{Note|1=<br><br />
* Both the presence and implementation of this feature vary by model. Particularly, the name of the folder '''VPC2004:00''' could differ.<br />
* If the above doesn't work on your laptop, you can try a different method described [https://forums.linuxmint.com/viewtopic.php?f=49&t=286237#p1583578 here], which may require some (further) trial and error.}}<br />
<br />
=== B series ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo B50 || NA || Yes || Yes || Yes || Yes || Not tested || Not tested || Not tested || ||<br />
|-<br />
| Lenovo B50-70 || Yes || Yes* ||Yes || Yes || Yes || Yes || Not tested || NA || See below* ||<br />
|-<br />
| Lenovo B450 || Yes || Yes ||Yes || Yes || Yes || NA || Not tested || NA || ||<br />
|-<br />
|}<br />
<br />
=== K series ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo K450e || NA || Yes || Yes || Yes || Yes || Not tested || Yes || Not tested || ||<br />
|-<br />
|}<br />
<br />
=== N series ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo N200 (3000) || Yes || Yes* || Yes || Yes || Yes || Yes* || NA || NA || See below ||<br />
|-<br />
|}<br />
<br />
=== S series ===<br />
<br />
{{Laptops table header}}<br />
| [[Lenovo S20-30]] || 2020.06.26 || Yes || Yes || Yes || Yes* || ? || Yes || NA || SD Card (Yes), VGA Out (Yes), Touchpad (Yes) ||<br />
|-<br />
| Lenovo S21e-20 || 2015.07.01 || Yes || Yes || NA || Yes* || ? || Yes || NA || SD Card (Yes), USB 3.0 (Yes), HDMI Out (?), Touchpad (Yes*) ||<br />
|-<br />
|}<br />
<br />
=== U Series ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo U31-70 || 2015.10.01 || Yes || Yes || Yes || Yes* || Yes || Yes || NA || SD Card (Yes), USB 3.0 (Yes), HDMI Out (Yes), Touchpad (Yes), Webcam (Yes) ||<br />
|-<br />
|}<br />
<br />
=== V Series ===<br />
<br />
{{Laptops table header}}<br />
| Lenovo V110-15ISK || ??? || Yes || Yes || Yes || Yes || Not Tested || Yes || NA || SD Card (Not Tested), USB 3.0 (Not Tested), HDMI Out (Not Tested), Touchpad (Yes), Webcam (Yes) ||<br />
|-<br />
| Lenovo V130-15IKB || ??? || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD Card (Yes), USB 3.0 (Yes), HDMI Out (Yes), Touchpad (Yes), Webcam (Yes) ||<br />
|-<br />
| Lenovo V330-15IKB || 2018.10.01 || Yes || Yes || Yes || Yes || Not Tested || Yes || NA || Fingerprint (No, no driver exists for the Validity/Synaptics 06cb:0081 Fingerprint Reader), Touchpad (Yes), Webcam (Yes) ||<br />
|-<br />
| Lenovo V330-14ARR || 2019.06.15 || Yes || Yes || Yes || Yes[[#Lenovo IdeaPad V330-14ARR|*]] || Yes || Yes || NA || SD-Card Reader (Yes) HDMI Out (Yes), USB 3.0 (Yes), Touchpad (Yes), Webcam (Yes) || DOS installable BIOS available[[#Lenovo IdeaPad V330-14ARR|*]] ||<br />
|-<br />
|}<br />
<br />
=== Legion series ===<br />
{{Laptops table header}}<br />
| Lenovo Legion Y520 || 2019.06.01 || Yes || Yes || Yes || Yes || Yes || Yes || Yes || SD card (Not working properly), Webcam (Yes), USB & USB 3.0 (Yes), HDMI (Yes), USB-C (Not tested), Touchpad (Yes), NVMe M.2 SSD (Yes), GeForce GTX 1050 Ti (Yes) || Tested Feb 2020 / Linux 5.5.4. Must change SATA configuration in BIOS from RAID to AHCI in order to recognize SSD.<br />
|-<br />
| Lenovo Legion Y520 || 2020.10.06 || Yes || Yes || Yes || Yes || Yes || Yes || NA || SD card (Not working properly), Webcam (Yes), USB & USB 3.0 (Yes), HDMI (Yes), USB-C (Yes, also works as DisplayPort), Touchpad (Yes), NVMe M.2 SSD (Yes), GeForce GTX 1050 (Yes) || Tested Oct 2020 / Linux 5.8.13. Must change SATA configuration in BIOS from RAID to AHCI in order to recognize SSD. Some CPU throttling is possible [https://unix.stackexchange.com/questions/491944/cpu-temperatures-in-linux-throttling-or-wrong-reading]. Fan control does not seem to work [https://unix.stackexchange.com/questions/523899/laptop-fan-always-says-its-running-at-8-rpm]<br />
|-<br />
| Lenovo Legion Y730 || ??? || Yes || Yes || Yes || Yes || Yes || Yes || Yes || Webcam (Yes), USB & USB 3.0 (Yes), HDMI (Yes), USB-C (Not tested), Touchpad (Yes), NVMe M.2 SSD (Yes), GeForce GTX 1050 Ti (Yes) || Tested September 2019 / Linux 5.2.13. Must change SATA configuration in BIOS from RAID to AHCI in order to recognize SSD. Disable nouveau at kernel command line with module_blacklist=nouveau or nouveau.modeset=0<br />
|-<br />
| Lenovo Legion Y7000P-1060 || 2019.03.01 || Yes || Yes || Yes || Yes || Yes || Yes || No || Webcam (Yes), USB & USB 3.0 (Yes), HDMI (Yes), USB-C (Yes), Mini DisplayPort (Not tested), Touchpad (Yes), NVMe SSD (Yes), GeForce GTX 1060 Mobile (Yes) || First tested Aug 2019 / Linux 5.2.9.<br />
<br />
https://linux-hardware.org/index.php?computer=af3a4bc1494f<br />
|-<br />
| Lenovo Legion Y540 || 2020.02.01 || Yes || Yes || Yes || Yes || Yes || Yes || No || Webcam (Yes), USB & USB C (Yes), HDMI (Yes), TouchPad (Yes), NVMe SSD (Yes with AHCI in UEFI), Geforce GTX 1650,1660Ti (Yes, with nvidia and nvidia-prime, with or without switchable/discrete graphics in UEFI), Mini Display Port (Not tested), Hibernation (Yes, see remarks) || Tested on 4 September 2020 with Linux 5.8.5<br />
Only hibernation to file was tested, setting resume and resume_offset kernel parameters was not enough, adding intel_lpss_pci to [[initramfs]] as mentioned [[Power management/Suspend and hibernate#Suspend/hibernate does not work, or does not work consistently|here]] did the job.<br />
|-<br />
| Lenovo Legion Y545 || 2020.05.01 || Yes || Yes || Yes || Yes || Yes || Yes || No || Webcam (Yes), USB & USB C (Yes), HDMI (Yes), TouchPad (Yes), NVMe SSD (Yes with AHCI in UEFI), Geforce GTX 1650,1660Ti (Yes, with nvidia and nvidia-prime, with or without switchable/discrete graphics in UEFI), Mini Display Port (Not tested), Hibernation (Yes) || Tested on 17 October 2020 with Linux 5.8.14 (Installed Arch on 17 May 2020)<br />
|-<br />
| Lenovo Legion 5 || 2020.11.05 || Yes || Yes || Yes || Yes || Yes || Yes || Untested || USB & USB C (Yes), HDMI (only with NVIDIA Card), Touchpad (Only with patched i2c_hid module), NVMe M.2 SSD (Yes), GeForce 1650Ti (Switchable graphics with PRIME, needs reboot). || AMD Version. Tested with Linux 5.9.3. <br />
|-<br />
| Lenovo Legion 5i || 2020.08.15 || Yes || Yes || Yes || Yes || Yes || Yes || NA || Webcam (Yes), USB & USB 3.0 (Yes), HDMI (Yes), USB-C (Not tested), Touchpad (Yes), NVMe M.2 SSD (Yes), GeForce RTX 2060 (Yes) || Intel Version<br />
|-<br />
| Lenovo Legion 5Pi || 2020.08.11 || Yes || Yes || Yes || Yes || Untested || Yes || Untested || USB & USB C (Yes), HDMI (Untested), TouchPad (Yes), NVMe SSD (Yes), Nvidia GeForce GTX 1660 Ti Mobile (Yes, switchable graphics works flawlessly with [[NVIDIA Optimus#Using optimus-manager]]) || Tested on 11 Aug 2020 with Linux 5.7.12. Brightness keys don't work.<br />
|-<br />
| [[Lenovo Legion 7i]] || 2020.08.02 || Yes || No || Yes || Yes || Yes || Yes || N/A || Webcam (Yes), USB & USB C (Yes), HDMI (Untested), TouchPad (Yes), NVMe SSD (In AHCI mode in UEFI), Nvidia Card (Untested) || Sound does not work. Tested on 2 Aug 2020 with Linux 5.7.11<br />
|}<br />
<br />
== Special Notes (*): ==<br />
<br />
{{Accuracy|Lots of vague or unproven bugs/workarounds, poor writing}}<br />
<br />
=== Lenovo U31-70 ===<br />
Wireless needs {{Pkg|linux}} >= 4.3 and latest {{Pkg|linux-firmware}}, both packages are currently in testing. Copy one of the firmware blobs {{ic|eeprom_ar6320_2p1_NFA345i.bin}} or {{ic|eeprom_ar6320_2p1_NFA345i_highTX.bin}} from the windows driver to {{ic|/usr/lib/firmware/ath10k/QCA6174/hw2.1/board-pci-168c:0041:17aa:3545.bin}}.<br />
<br />
Wireless with firmware blobs from windows driver may no longer work on {{Pkg|linux}} >= 4.4. Download firmware blob https://github.com/kvalo/ath10k-firmware/blob/f428f53b36b144971c9c4c3d2ebd5fa8cae86c89/QCA6174/hw2.1/board-2.bin and copy it to {{ic|/usr/lib/firmware/ath10k/QCA6174/hw2.1/board-2.bin}}. Tested with {{Pkg|linux}} 4.4.5-1 and {{Pkg|linux-firmware}} 20160113.40e9ae8-1nu<br />
<br />
With packages {{Pkg|linux}} 4.6.1-2 and {{Pkg|linux-firmware}} 20160516.80d463b-1 being in stable, wireless works without any additional steps needed.<br />
<br />
=== Lenovo B50-70 ===<br />
* UEFI:<br />
** to be able to disable Secure Boot (necessary for dual boot, not needed for Linux only), you have to switch from "UEFI first" to "UEFI only" (or something like this) in UEFI setup menu; the Secure Boot option appears then on the Security tab<br />
** after a UEFI update with both Linux and Windows installed, the Linux bootloader ceased to be the default one, UEFI started to load Windows by default and it was impossible to select the Linux one in the UEFI boot menu and in the UEFI setup - reinstalling the bootloader helped; if you have no access to boot media that supports UEFI, a solution might also be to temporarily replace the Windows EFI bootloader file with a Linux one, in order to be able to boot Linux from HDD<br />
** for the UEFI update, a Windows OS is needed<br />
* Touchpad:<br />
** Synaptics - works after installing Synaptics drivers from repo, possible to change behaviour (like reaction for double tap) according to your wish<br />
* Video:<br />
** in laptops with dual video card (Intel and ATI) - detects both, Intel is active as a default, not checked if it's possible at all to switch between them<br />
<br />
==== Operation with a HDD caddy ====<br />
When you install an SSD in the place of the plate HDD drive and you want to have your HDD still inside the laptop, it is possible to install it in the place of the optical drive in a special "HDD caddy". The optical drive is of 9 mm height, but a 9,5 mm caddy (ultra slim) fits in the slot. A caddy with a SATA interface is needed. It is difficult to separate the front bezel from the original optical drive (and opening its case does not help, but brings a danger of making a mess in the opening mechanism; the only option is just to pull the bezel using a bit of force, but you risk breaking the latches).<br />
<br />
While the HDD installed instead of the optical drive operates flawlessly in Windows, it was not going to work out of the box in Linux, at least in one case. The kernel tries to establish a connection with the disk, but fails to do it (''SATA link down'' entry in /var/log/messages). The solution is to force a 1.5 Gbps transfer speed (instead of 6 Gbps) by adding a ''libata.force='' kernel parameter. See [https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html] for details.<br />
<br />
=== Lenovo K450e ===<br />
<br />
After installing Arch Linux and booting, a single beep may be heard. To disable this beep, press F1 during startup, then change Boot Priority to 'UEFI First', as well as enabling 'CSM'.<br />
<br />
=== ThinkPad X1 Carbon 3rd ===<br />
<br />
* http://natalian.org/archives/2015/02/18/Archlinux_on_a_Lenovo_X1C3/<br />
<br />
=== Lenovo 3000 N200 ===<br />
<br />
* Sound:<br />
** You may have to append {{ic|1=options snd_hda_intel model=lenovo}} to {{ic|/etc/modprobe.d/modprobe.conf}} for sound to work.<br />
<br />
=== Lenovo ThinkPad T430 ===<br />
{{Accuracy | I was not able to reproduce this bug as of September 2017 }}<br />
<br />
* Bluetooth (0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]) appears to be functional, even during standby or hibernation.<br />
<br />
=== Lenovo ThinkPad T440p ===<br />
<br />
* ClickPad: the whole trackpad clicks, and disabling the trackpad using older versions of synclient makes the trackpoint essentially unusable. This has been resolved in newer versions of {{Pkg|xf86-input-synaptics}}.<br />
** See [http://who-t.blogspot.com.au/2014/03/xorg-synaptics-support-for-lenovo-t440.html this article] and [http://who-t.blogspot.com.au/2013/12/lenovo-t440-touchpad-button.html previous version].<br />
** Install {{AUR|xf86-input-mtrack}} for alternative drivers.<br />
* Audio:<br />
** HDMI audio is the default audio output device. Consult the [[ALSA]] page for details on changing the default.<br />
** As with the X100e/Mini10, it's possible to mute the headset and speaker outputs separately from the master. Muting the speaker output improves bass output on the headset port.<br />
** If the system fails to wake from sleep, it can lose sync with the internal audio card and speakers/headphones may fail to work. In this case, put the system to sleep, and wake it again and audio functionality should be restored. <br />
* The fingerprint sensor is a Validity VFS5011, available in [[fprint]].<br />
* thinkpad_acpi:<br />
** To toggle Fn-Lock, press Fn + Esc, this will toggle the LED on the keyboard. While the Fn LED is on all Fn functionalities work as intended out of the box. <br />
** Controlling the 'glowing I' LED is apparently not possible.<br />
** Fan control does not seem to work.<br />
* Graphics and Video:<br />
** With the integrated GPU, [[xrandr]] can crash while attaching or detaching displays connected via the dock.<br />
** The built-in miniDisplayPort will sometimes spew I²C issues into the kernel log.<br />
** [[Hardware video acceleration]] is highly recommended as it performs significantly better than CPU decoding of large media files.<br />
** '''The BIOS should not be upgraded past version 1.14, as newer BIOSes cause memory corruption when used with Bumblebee.''' See [https://github.com/Bumblebee-Project/bbswitch/issues/78#issuecomment-42741698 Bumblebee GitHub]<br />
* Connectivity:<br />
** Bluetooth is ''extremely'' fragile. The controller works fine most of the time, but can cause the system to wedge totally on sleep/wake cycles, especially if a connection was active at sleep. Disable the controller using {{ic|bluetoothctl}} before sleeping.<br />
<br />
=== Lenovo ThinkPad T560 ===<br />
* No automatic brightness adjusting when switching power supply battery <-> AC<br />
<br />
* Hardware specifications of test device<br />
** CPU: Intel CORE i7-6600U @ 2.60GHz or Intel CORE i5-6200U @ 2.30GHz or Intel CORE i5-6300U @ 2.40GHz<br />
** GPU Primary: Intel HD 520<br />
** GPU Secondary: Nvidia GeForce 940MX or None<br />
** WiFi: Intel 8260<br />
** Ethernet: Intel I219-LM<br />
** Card reader: Realtek RTS522A<br />
<br />
=== Lenovo S21e-20 ===<br />
<br />
* Tested with {{Pkg|broadcom-wl-dkms}} 802.11 wireless driver<br />
* Synaptics touchpad required 3 patches to {{Pkg|linux}}:drivers/hid/hid-rmi.c on 2015-07-26 ([https://bugs.freedesktop.org/show_bug.cgi?id=91102 bug report], [https://github.com/harisokanovic/archlinux-packages/commit/f4550c211ca7809ecf926f8074c7b7250a74bd92 kernel recipe patch]). The current 4.3 kernel includes these patches. You will also need to [[install]] the {{Pkg|xf86-input-synaptics}} package. <br />
<br />
==== tpacpi-bat ====<br />
<br />
There is an issue with tpacpi-bat not reporting the right value for the stop threshold. This seems to be related to a buggy BIOS and can not be fixed application wise. <br />
<br />
See https://github.com/teleshoes/tpacpi-bat/issues/44<br />
<br />
==== ThinkPad Edge E420s Delay with Space Bar ====<br />
Solution: Update BIOS (at least 1.08).<br />
<br />
=== Lenovo IdeaPad Y700 ===<br />
* The subwoofer does not work out of the box.<br />
** Updating to Kernel 4.15 or later seems to fix the subwoofer.<br />
<br />
=== Lenovo IdeaPad V330-14ARR ===<br />
* Lenovo only provides BIOS updates as a WinX64 package. The 3.08 release has been extracted and can be installed in DOS (installation has been confirmed using freeDOS) using H2OFFT-D.EXE and is available [https://drive.google.com/drive/folders/1IgwALJ_LLHY1nRbl3naNJU1QQ7l33Vrv?usp=sharing online]; ensure you have Arch install media on hand to reset your bootloader.<br />
* The installed wireless card (Atheros based) has shown itself to be troublesome, with many PCI errors; most were caught and corrected, but very occasionally the card would fail to come up on boot or drop out during use. An intel-9260 works with no errors (tested with BIOS 3.05); an intel-9560 was not initialised by the BIOS.<br />
<br />
=== Thinkpad X260 ===<br />
* There seems to be a bug in the Intel video driver that causes microfreezes every few minutes. This is fixed by adding i915.enable_psr=0 to [[Kernel parameters|kernel options]].<br />
** See https://www.reddit.com/r/archlinux/comments/gu0a8a/psa_solution_for_random_freezes_with_intel_igpu<br />
<br />
=== Thinkpad T14 ===<br />
* In order to get sound you need to install {{Pkg|sof-firmware}}<br />
* On the AMD version, the internal microphone requires a kernel version of at least 5.8-rc7 with {{ic|1=CONFIG_SND_SOC_AMD_RENOIR=m}} and {{ic|1=CONFIG_SND_SOC_AMD_RENOIR_MACH=m}}. 4-pin jack plugs work with a linux kernel of 5.7.<br />
<br />
== See also ==<br />
* [http://www.thinkwiki.org/wiki Think wiki]<br />
* [https://kozikow.com/2016/06/03/installing-and-configuring-arch-linux-on-thinkpad-x1-carbon/Blog Arch on Thinkpad X1 Carbon]{{Dead link|2020|03|29|status=404}}</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Lenovo_ThinkPad_X13_Gen_1_(AMD)&diff=647185Lenovo ThinkPad X13 Gen 1 (AMD)2020-12-26T15:03:36Z<p>Yuvadm: BIOS recommendations</p>
<hr />
<div>[[Category:Lenovo]]<br />
<br />
{| class="wikitable" style="float: right;"<br />
|-<br />
! Hardware !! PCI/USB ID !! Working?<br />
|-<br />
| Touchpad || || {{Yes}}<br />
|-<br />
| J-Mouse || || {{Yes}}<br />
|-<br />
| Keyboard || || {{Yes}}<br />
|-<br />
| Video || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Webcam || {{ic|04f2:b6d0}} || {{Yes}}<br />
|-<br />
| Ethernet || {{ic|10ec:8168}} || {{Yes}}<br />
|-<br />
| Bluetooth || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Power management || || {{Yes}}<br />
|-<br />
| USB Ports || {{ic|10ec:816d}} || {{Yes}}<br />
|-<br />
| SD-Card slot || {{ic|}} || {{Yes}}<br />
|-<br />
| HDMI || || {{Yes}}<br />
|-<br />
| Audio || {{ic|1022:15e3}} || {{Yes}}<br />
|-<br />
| Wireless || {{ic|8086:2723}} || {{Yes}}<br />
|-<br />
| Fingerprint reader || {{ic|}} || {{Y|Untested}}<br />
|-<br />
| TPM || || {{Y|Untested}}<br />
|}<br />
<br />
== Installation ==<br />
<br />
No special steps needed for installation.<br />
<br />
=== BIOS ===<br />
<br />
It is recommended to run the latest BIOS version, which is currently 1.29.<br />
<br />
The BIOS update can be downloaded as an [https://download.lenovo.com/pccbbs/mobiles/r1cuj60wd.iso ISO image] from the [https://pcsupport.lenovo.com/mx/en/products/laptops-and-netbooks/thinkpad-x-series-laptops/thinkpad-x13-type-20uf-20ug/downloads/ds544980-bios-update-utility-bootable-cd-for-windows-10-64-bit-thinkpad-t14s-x13 X13 support page] and loaded to a USB stick.<br />
<br />
Additionally, there is a BIOS option for customizing the Power profile that by default is tuned to {{ic|Windows 10}} and is recommended to be set to {{ic|Linux}}.<br />
<br />
== Accessibility ==<br />
<br />
The BIOS offers two modes of operation, '''GUI''' and '''Simple Text'''. <br />
<br />
The GUI can be navigated to some degree via the keyboard. '''Left''' and '''Right''' arrow keys to move the selection and '''Space''' to activate.<br />
<br />
For full keyboard support switching to simple text would likely be better.<br />
<br />
That can be accomplished by:<br />
* Selecting and activating '''Config''' on the left side under '''Setup'''<br />
* '''Right''' arrowing until the drop down to the right of '''Setup UI''' is selected<br />
* activate the drop down and select '''Simple Text'''<br />
* '''F10''' (save and exit)<br />
<br />
{{Note|Blind users may want to request the help of a sighted person to change BIOS settings}}<br />
<br />
== Firmware ==<br />
<br />
fwupd does not support this device yet.<br />
<br />
== Power management ==<br />
<br />
Issues were encountered with resuming from suspend with the following combination:<br />
* BIOS R1CET56W(1.25 ) 09/15/2020<br />
* GPT<br />
* FDE<br />
* partitions: UEFI + LUKS1:LVM<br />
* systemd mkinitcpio hooks (systemd/sd-encrypt)<br />
<br />
These could be avoided by either:<br />
* switching mkinitcpio hooks to udev/encrypt<br />
* updating to BIOS R1CET60W(1.29 ) 11/30/2020<br />
<br />
== Function keys ==<br />
<br />
{| class="wikitable"<br />
|-<br />
! Key<br />
! Visible?<sup>1</sup><br />
! Marked?<sup>2</sup><br />
! Effect<br />
|-<br />
| {{ic|Fn}} || {{Yes}} || {{No}} || {{ic|XF86WakeUp}}<br />
|-<br />
| {{ic|Fn+Esc}} || {{No}} || {{Yes}} || Enables Fn lock<br />
|-<br />
| {{ic|Fn+F1}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMute}}<br />
|-<br />
| {{ic|Fn+F2}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioLowerVolume}}<br />
|-<br />
| {{ic|Fn+F3}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioRaiseVolume}}<br />
|-<br />
| {{ic|Fn+F4}} || {{Yes}} || {{Yes}} || {{ic|XF86AudioMicMute}}<br />
|-<br />
| {{ic|Fn+F5}} || {{No}} || {{Yes}} || Monitor Brightness Down<br />
|-<br />
| {{ic|Fn+F6}} || {{No}} || {{Yes}} || Monitor Brightness Up<br />
|-<br />
| {{ic|Fn+F7}} || {{Yes}} || {{Yes}} || {{ic|XF86Display}}<br />
|-<br />
| {{ic|Fn+F8}} || {{Yes}} || {{Yes}} || {{ic|XF86WLAN}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+F9}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F10}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F11}} || {{No}} || {{Yes}} || <br />
|-<br />
| {{ic|Fn+F12}} || {{Yes}} || {{Yes}} || {{ic|XF86Favorites}}<br />
|-<br />
| {{ic|Fn+Space}} || {{No}} || {{Yes}} || Enables/disables keyboard backlight<br />
|-<br />
| {{ic|Fn+4}} || {{Yes}} || {{No}} || {{ic|XF86Sleep}}<sup>3</sup><br />
|-<br />
| {{ic|Fn+B}} || {{Yes}} || {{No}} || {{ic|Ctrl_L + Break}}<br />
|-<br />
| {{ic|Fn+P}} || {{Yes}} || {{No}} || {{ic|Pause}}<br />
|-<br />
| {{ic|Fn+K}} || {{Yes}} || {{No}} || {{ic|Scroll Lock}}<br />
|-<br />
| {{ic|Fn+Left}} || {{Yes}} || {{No}} || {{ic|Home}}<br />
|-<br />
| {{ic|Fn+Right}} || {{Yes}} || {{No}} || {{ic|End}}<br />
|-<br />
| {{ic|Fn+S}} || {{Yes}} || {{No}} || {{ic|Alt_L + SysRq }}<br />
|-<br />
| {{ic|Fn+End}} || {{Yes}} || {{Yes}} || {{ic|Ins}}<br />
|}<br />
<br />
# The key is visible via {{ic|xev}} and similar tools<br />
# The physical key has a symbol on it, which describes its function<br />
# systemd-logind handles this by default<br />
<br />
== See also ==<br />
<br />
* Specifications: https://psref.lenovo.com/syspool/Sys/PDF/ThinkPad/ThinkPad_x13_Gen_1_AMD/ThinkPad_x13_Gen_1_AMD_Spec.PDF<br />
* Official service manual: https://download.lenovo.com/pccbbs/mobiles_pdf/t14s_gen1_x13_gen1_hmm_en.pdf<br />
* https://certification.ubuntu.com/hardware/202006-27979</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=User:Yuvadm&diff=645781User:Yuvadm2020-12-16T20:31:21Z<p>Yuvadm: Update sig URL</p>
<hr />
<div>0hai :)<br />
<br />
Find me on [https://yuv.al yuv.al] and at [https://twitter.com/yuvadm/ @yuvadm].<br />
<br />
My email is a single underscore at the aforementioned domain.<br />
<br />
Whenever possible, please use my PGP key which can be found [https://yuv.al/static/yuval.asc here], and has fingerprint {{Ic|55E3 6E28 5352 22E2 A206 2848 B75B 5FC2 FA1A FE15}}.</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=User:Yuvadm&diff=645780User:Yuvadm2020-12-16T20:30:59Z<p>Yuvadm: Update sig</p>
<hr />
<div>0hai :)<br />
<br />
Find me on [https://yuv.al yuv.al] and at [https://twitter.com/yuvadm/ @yuvadm].<br />
<br />
My email is a single underscore at the aforementioned domain.<br />
<br />
Whenever possible, please use my PGP key which can be found [https://yuv.al/yuval.asc here], and has fingerprint {{Ic|55E3 6E28 5352 22E2 A206 2848 B75B 5FC2 FA1A FE15}}.</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Unofficial_mirrors&diff=645750Unofficial mirrors2020-12-16T20:11:26Z<p>Yuvadm: Merge sourceforce into worldwide section</p>
<hr />
<div>[[Category:Package management]]<br />
[[Category:Lists]]<br />
[[es:Unofficial mirrors]]<br />
[[pt:Unofficial mirrors]]<br />
[[ru:Unofficial mirrors]]<br />
[[zh-hans:Unofficial mirrors]]<br />
These [[mirrors]] are ''not'' listed in {{ic|/etc/pacman.d/mirrorlist}}.<br />
<br />
== Worldwide ==<br />
<br />
* https://cloudflaremirrors.com/archlinux/ - ''CloudFlare runs a quasi-mirror service that fronts existing mirrors on their global CDN (partially supported, see https://bugs.archlinux.org/task/67865)''<br />
* https://sourceforge.net/projects/archlinux/files/ - ''ISO files only; Does not have any releases since 2006. Use it only for getting older ISOs.''<br />
<br />
== Australia ==<br />
<br />
*https://chestm007.ddns.net/archlinux/<br />
<br />
== Belgium ==<br />
<br />
*https://ftp.belnet.be/mirror/archlinux.org/ - ''Belnet''<br />
<br />
== Chile ==<br />
<br />
*http://ip62.inf.utfsm.cl/ ''UTFSM #62''<br />
<br />
== China ==<br />
<br />
'''CDN'''<br />
*https://mirrors.aliyun.com/archlinux/ - ''Alibaba''<br />
*https://mirrors.cloud.tencent.com/archlinux/ - ''Tencent Cloud''<br />
*https://repo.huaweicloud.com/archlinux/ - ''Huawei Cloud''<br />
<br />
'''Cernet'''<br />
*https://mirror.bit.edu.cn/archlinux/ - ''Beijing Institute of Technology''<br />
*https://mirrors.nju.edu.cn/archlinux/ - ''Nanjing University''<br />
<br />
== France ==<br />
<br />
*http://delta.archlinux.fr/ - ''With Delta package support. Needs {{Pkg|xdelta3}} to run.''<br />
*https://mirror.oldsql.cc/archlinux/<br />
*https://archlinux.moulticast.net/<br />
<br />
== Germany ==<br />
<br />
*https://mirror.mikrogravitation.org/archlinux/ - ''IPv4/IPv6, https, rsync, 20 Gbit/s Bandwidth''<br />
*https://mirror.undisclose.de/archlinux/ - ''IPv4 http, https, rsync, 1GB/s Bandwidth''<br />
<br />
== India ==<br />
<br />
*http://nginx:archmirrors@35.207.215.36:8888 - ''Google cloud with no transfer cap''<br />
<br />
== Indonesia ==<br />
<br />
*http://kambing.ui.ac.id/archlinux/<br />
<br />
== Iran ==<br />
<br />
*http://repo.sadjad.ac.ir/arch/<br />
<br />
== Italy ==<br />
<br />
*http://mi.mirror.garr.it/mirrors/archlinux/<br />
<br />
== Japan ==<br />
<br />
*http://ftp.nara.wide.ad.jp/pub/Linux/archlinux/ - ''Nara Institute of Science and Technology''<br />
*http://ftp.kddilabs.jp/Linux/packages/archlinux/<br />
*http://srv2.ftp.ne.jp/Linux/packages/archlinux/<br />
*http://mirror.archlinuxjp.org/<br />
<br />
== Malaysia ==<br />
<br />
*http://mirror.oscc.org.my/archlinux/<br />
<br />
== Netherlands ==<br />
<br />
*http://mirror.transip.net/archlinux/ ''TransIP B.V.''<br />
<br />
== New Zealand ==<br />
<br />
*http://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
<br />
== Poland ==<br />
<br />
*ftp://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*http://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*https://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*rsync://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
<br />
== South Africa ==<br />
<br />
*http://ftp.leg.uct.ac.za/pub/linux/arch/ - ''University of Cape Town''<br />
*ftp://ftp.leg.uct.ac.za/pub/linux/arch/<br />
*http://mirror.ufs.ac.za/archlinux/ - ''University of the Free State''<br />
*ftp://mirror.ufs.ac.za/os/linux/distros/archlinux/<br />
*http://archlinux.mirror.ac.za - ''TENET - Tertiary Education and Research Network of South Africa''<br />
*ftp://archlinux.mirror.ac.za<br />
*http://archlinux.za.mirror.allworldit.com/archlinux-deltarepo/ - ''Automatically generating deltas for the last 3 months to current version. Supports http, https, rsync and IPv6. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info.''<br />
<br />
== Sweden ==<br />
<br />
*ftp://foss.dhyrule.se/linux/archlinux/<br />
<br />
== Taiwan ==<br />
<br />
* http://archlinux.ccns.ncku.edu.tw/archlinux/ - NCKU CCNS<br />
<br />
== Thailand ==<br />
<br />
* http://mirror1.ku.ac.th/archlinux/<br />
<br />
== Turkey ==<br />
<br />
* http://mirror.veriteknik.net.tr/archlinux/ - ''VeriTeknik Data Center''<br />
* http://ftp.linux.org.tr/archlinux/<br />
<br />
== United Kingdom ==<br />
<br />
* http://archlinux.uk.mirror.allworldit.com/archlinux-deltarepo/ - ''Automatically generating deltas for the last 3 months to current version. Supports http, https, rsync and IPv6. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info.''<br />
<br />
== United States ==<br />
<br />
* http://mirror.clarkson.edu/archlinux/<br />
* http://mirror.pointysoftware.net/archlinux/<br />
* http://mirror.ziemer.bz/archlinux<br />
* https://lug.mines.edu/mirrors/archlinux/<br />
* http://mirror.cs.umn.edu/arch/<br />
* http://mirror.katie.host/archlinux/{{Dead link|2020|04|03|status=404}} - ''Has auto-generated deltas for the last 3 months to current version. Deltas mirrored from [http://archlinux.uk.mirror.allworldit.com/archlinux-deltarepo/ here]. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info''</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Unofficial_mirrors&diff=645749Unofficial mirrors2020-12-16T20:10:51Z<p>Yuvadm: Add worldwide section with CloudFlare quasi-mirror</p>
<hr />
<div>[[Category:Package management]]<br />
[[Category:Lists]]<br />
[[es:Unofficial mirrors]]<br />
[[pt:Unofficial mirrors]]<br />
[[ru:Unofficial mirrors]]<br />
[[zh-hans:Unofficial mirrors]]<br />
These [[mirrors]] are ''not'' listed in {{ic|/etc/pacman.d/mirrorlist}}.<br />
<br />
== Worldwide ==<br />
<br />
* https://cloudflaremirrors.com/archlinux/ - ''CloudFlare runs a quasi-mirror service that fronts existing mirrors on their global CDN (partially supported, see https://bugs.archlinux.org/task/67865)''<br />
<br />
== Australia ==<br />
<br />
*https://chestm007.ddns.net/archlinux/<br />
<br />
== Belgium ==<br />
<br />
*https://ftp.belnet.be/mirror/archlinux.org/ - ''Belnet''<br />
<br />
== Chile ==<br />
<br />
*http://ip62.inf.utfsm.cl/ ''UTFSM #62''<br />
<br />
== China ==<br />
<br />
'''CDN'''<br />
*https://mirrors.aliyun.com/archlinux/ - ''Alibaba''<br />
*https://mirrors.cloud.tencent.com/archlinux/ - ''Tencent Cloud''<br />
*https://repo.huaweicloud.com/archlinux/ - ''Huawei Cloud''<br />
<br />
'''Cernet'''<br />
*https://mirror.bit.edu.cn/archlinux/ - ''Beijing Institute of Technology''<br />
*https://mirrors.nju.edu.cn/archlinux/ - ''Nanjing University''<br />
<br />
== France ==<br />
<br />
*http://delta.archlinux.fr/ - ''With Delta package support. Needs {{Pkg|xdelta3}} to run.''<br />
*https://mirror.oldsql.cc/archlinux/<br />
*https://archlinux.moulticast.net/<br />
<br />
== Germany ==<br />
<br />
*https://mirror.mikrogravitation.org/archlinux/ - ''IPv4/IPv6, https, rsync, 20 Gbit/s Bandwidth''<br />
*https://mirror.undisclose.de/archlinux/ - ''IPv4 http, https, rsync, 1GB/s Bandwidth''<br />
<br />
== India ==<br />
<br />
*http://nginx:archmirrors@35.207.215.36:8888 - ''Google cloud with no transfer cap''<br />
<br />
== Indonesia ==<br />
<br />
*http://kambing.ui.ac.id/archlinux/<br />
<br />
== Iran ==<br />
<br />
*http://repo.sadjad.ac.ir/arch/<br />
<br />
== Italy ==<br />
<br />
*http://mi.mirror.garr.it/mirrors/archlinux/<br />
<br />
== Japan ==<br />
<br />
*http://ftp.nara.wide.ad.jp/pub/Linux/archlinux/ - ''Nara Institute of Science and Technology''<br />
*http://ftp.kddilabs.jp/Linux/packages/archlinux/<br />
*http://srv2.ftp.ne.jp/Linux/packages/archlinux/<br />
*http://mirror.archlinuxjp.org/<br />
<br />
== Malaysia ==<br />
<br />
*http://mirror.oscc.org.my/archlinux/<br />
<br />
== Netherlands ==<br />
<br />
*http://mirror.transip.net/archlinux/ ''TransIP B.V.''<br />
<br />
== New Zealand ==<br />
<br />
*http://mirror.ece.auckland.ac.nz/archlinux/ ''NZ only''<br />
<br />
== Poland ==<br />
<br />
*ftp://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*http://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*https://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
*rsync://ftp.icm.edu.pl/pub/Linux/dist/archlinux/ - ICM UW<br />
<br />
== South Africa ==<br />
<br />
*http://ftp.leg.uct.ac.za/pub/linux/arch/ - ''University of Cape Town''<br />
*ftp://ftp.leg.uct.ac.za/pub/linux/arch/<br />
*http://mirror.ufs.ac.za/archlinux/ - ''University of the Free State''<br />
*ftp://mirror.ufs.ac.za/os/linux/distros/archlinux/<br />
*http://archlinux.mirror.ac.za - ''TENET - Tertiary Education and Research Network of South Africa''<br />
*ftp://archlinux.mirror.ac.za<br />
*http://archlinux.za.mirror.allworldit.com/archlinux-deltarepo/ - ''Automatically generating deltas for the last 3 months to current version. Supports http, https, rsync and IPv6. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info.''<br />
<br />
== Sweden ==<br />
<br />
*ftp://foss.dhyrule.se/linux/archlinux/<br />
<br />
== Taiwan ==<br />
<br />
* http://archlinux.ccns.ncku.edu.tw/archlinux/ - NCKU CCNS<br />
<br />
== Thailand ==<br />
<br />
* http://mirror1.ku.ac.th/archlinux/<br />
<br />
== Turkey ==<br />
<br />
* http://mirror.veriteknik.net.tr/archlinux/ - ''VeriTeknik Data Center''<br />
* http://ftp.linux.org.tr/archlinux/<br />
<br />
== United Kingdom ==<br />
<br />
* http://archlinux.uk.mirror.allworldit.com/archlinux-deltarepo/ - ''Automatically generating deltas for the last 3 months to current version. Supports http, https, rsync and IPv6. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info.''<br />
<br />
== United States ==<br />
<br />
* http://mirror.clarkson.edu/archlinux/<br />
* http://mirror.pointysoftware.net/archlinux/<br />
* http://mirror.ziemer.bz/archlinux<br />
* https://lug.mines.edu/mirrors/archlinux/<br />
* http://mirror.cs.umn.edu/arch/<br />
* http://mirror.katie.host/archlinux/{{Dead link|2020|04|03|status=404}} - ''Has auto-generated deltas for the last 3 months to current version. Deltas mirrored from [http://archlinux.uk.mirror.allworldit.com/archlinux-deltarepo/ here]. Check [https://bbs.archlinux.org/viewtopic.php?id=243247 here] for more info''<br />
<br />
== Sourceforge (old ISOs) ==<br />
<br />
* https://sourceforge.net/projects/archlinux/files/ - ''ISO files only; Does not have any releases since 2006. Use it only for getting older ISOs.''</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Talk:Archiso&diff=645631Talk:Archiso2020-12-14T20:35:15Z<p>Yuvadm: Add question on non-root users</p>
<hr />
<div>==Archiso doesn't work on non stock kernel==<br />
<br />
I've been having on and off issues when building ISOs with archiso and the other day when I was working on one I did a pacman -Syu before working but didn't reboot. I was running on the stock kernel at that point because the linux-ck kernel had not updated yet. My ISO built fine. Later that day I rebooted and was now running on the updated linux-ck kernel and suddenly the build process would simply die without any errors, even with the -v option. Right after installing all the custom packages, a dd output appears and then a mkfs.vfat version message appears and that's where it dies. Rebooting back to the stock arch kernel fixed the issue. I'm guessing it has something to do with hardcoded names or something like that in the build scripts.<br />
<br />
Is this normal behaviour? I don't mind using the stock kernel on the ISOs I build but I figured I'd at least be able to build them on a different one.<br />
<br />
On that note, is it possible to use a kernel other than the stock one within the ISOs we build? <br />
[[User:Biltong|Biltong]] ([[User talk:Biltong|talk]]) Sun May 6 2012, 21:47 SAST<br />
<br />
== Estimating size? Starting over? ==<br />
<br />
How do you best estimate the size?<br />
<br />
How do you start over? Suppose just take `etc/`, delete the `releng/` directory recopy, put stuff back. [[User:Jasper1984|Jasper1984]] ([[User talk:Jasper1984|talk]]) 13:46, 1 July 2013 (UTC)<br />
<br />
:Best way to start over is delete releng/{work,out} it keeps cached packages, and there is no need to do every step from the beginning. {{Unsigned|14:08, 5 October 2013|Jqvillanova}}<br />
<br />
== Encryption ==<br />
<br />
<br />
* with «cryptsetup», encrypt the file «airootfs.sfs» built with «mkarchiso» :<br />
<br />
# cd /path/to/buildir/<br />
# cd ./work/iso/arch/x86_64/<br />
# cryptsetup --verify-passphrase plainOpen ./airootfs.sfs encrypt<br />
# dd < ./airootfs.sfs > /dev/mapper/encrypt<br />
# sync<br />
# cryptsetup plainClose encrypt<br />
# md5sum ./airootfs.sfs > ./airootfs.md5<br />
# cd -<br />
<br />
''(note that you can't decrypt the encrypted file «airootfs.sfs» in the same «dd» way, instead use {{ic|1=dd of=./airootfs.sfs conv=nocreat,notrunc < /dev/mapper/encrypt}})''<br />
<br />
* add the hook «encrypt» in «mkinitcpio.conf» :<br />
<br />
# grep HOOKS ./work/airootfs/etc/mkinitcpio.conf<br />
HOOKS="... encrypt"<br />
<br />
<br />
* insert these lines in «archiso» hook :<br />
<br />
--- a/work/airootfs/usr/lib/initcpio/hooks/archiso<br />
+++ b/work/airootfs/usr/lib/initcpio/hooks/archiso<br />
@@ -65,6 +65,10 @@<br />
fi<br />
sfs_dev=$(losetup --find --show --read-only "${img}")<br />
echo ${sfs_dev} >> /run/archiso/used_block_devices<br />
+ msg ":: Mapping encrypted squashfs..."<br />
+ local map="${sfs_dev##*/}.map"<br />
+ cryptsetup plainOpen "${sfs_dev}" "${map}"<br />
+ sfs_dev="/dev/mapper/${map}"<br />
_mnt_dev "${sfs_dev}" "${mnt}" "-r" "defaults"<br />
}<br />
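<br />
Review bot: the added `cryptsetup plainOpen "${sfs_dev}" "${map}"` line has no exit-status check, so when the mapping fails `sfs_dev` is still reassigned to a `/dev/mapper/${map}` node that does not exist and the failure only surfaces later inside `_mnt_dev`. Suggest aborting right after `cryptsetup` with an explicit error when it returns non-zero. Two smaller points on the same lines: plain mode has no header, so a mistyped passphrase still produces a mapping and is only noticed when the squashfs mount fails, and unlike `${sfs_dev}` the new mapper device is not appended to `/run/archiso/used_block_devices`.<br />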
<br />
<br />
* rebuild initramfs and iso with «mkarchiso» and test :<br />
<br />
# mkarchiso -r "mkinitcpio -p linux" run<br />
# mkarchiso iso encrypted.iso<br />
# qemu ... ./out/encrypted.iso<br />
<br />
<br />
[[User:Lacsap|Lacsap]] ([[User talk:Lacsap|talk]]) 21:51, 20 Feb 2016 (UTC)<br />
<br />
== Example configurations ==<br />
<br />
Where should sets of ArchISO customizations go? Should there be an "Examples" header added to the bottom? Like for how to enable remote {{ic|ssh}} login, boot with serial console support for headless systems, etc? Or a separate page? [Archiso offline] is a separate page, but it was marked for possible merging since it's an (out of date) clone of this page. [[User:Jamespharvey20|Jamespharvey20]] ([[User talk:Jamespharvey20|talk]]) 02:38, 25 April 2019 (UTC)<br />
:I guess your changes (adding ssh configs) should be done in the airootfs directory. But I have not yet explored how to add other systemd services to archiso. Adding info about how to enable ssh login to this page seems useful to me. [[User:Ashark|Ashark]] ([[User talk:Ashark|talk]]) 17:42, 25 April 2019 (UTC)<br />
<br />
== ISO does not build with secure boot enabled ==<br />
<br />
It seems that if you have secure boot enabled and have signed the Linux kernel, the ISO will fail to build, saying that /boot/vmlinuz-linux does not exist. However, once you disable secure boot, the ISO starts getting built again. Just tried this, and it appears to go back at least to archiso version 36.<br />
<br />
[[User:Sunflsks|Sunflsks]] ([[User talk:Sunflsks|talk]]) 18:58, 26 May 2020 (UTC)<br />
<br />
:To clarify, I don't really know why it doesn't work. If possible, could someone else test this, to see if it's just a problem on my computer or more widespread. If so, then maybe we should add a warning to the wiki page.<br />
:[[User:Sunflsks|Sunflsks]] ([[User talk:Sunflsks|talk]]) 04:54, 27 May 2020 (UTC)<br />
<br />
::I don't use secure boot myself, so I don't know how it works. Since [https://github.com/archlinux/svntogit-packages/commit/43c5745a17e2ebe413a7140d4ef9326e26d6cb20 5.3.8.1] the {{pkg|linux}} package does not install the kernel to {{ic|/boot/vmlinuz-linux}}, but to {{ic|/usr/lib/modules/VERSION/vmlinuz}} and [https://git.archlinux.org/mkinitcpio.git/tree/libalpm/hooks mkinitcpio's pacman hooks] copy it to {{ic|/boot/}}. If the kernel image is not getting copied somewhere in the ISO's chroot, maybe there is something wrong with the hooks... -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 09:39, 30 May 2020 (UTC)<br />
<br />
== Please add a warning with regards to syncthing interoperability ==<br />
<br />
When mkarchiso is executed to use a working directory (e.g. -w ./tmp) inside a folder that is observed by syncthing, there are 2 issues: mkarchiso will fail and a restart is required in order to be able to delete the working directory. As a simple workaround, the working directory can be added to the syncthing ignore patterns.<br />
<br />
I do not know what causes these errors - especially since mkarchiso does not throw any error message. Deleting the working directory fails due to missing rights although it is run as root. After a restart the working directory can be deleted. [[User:ente|ente]] ([[User talk:ente|talk]]) 11:09, 17 September 2020 (UTC)<br />
<br />
== Add a section to Tips and Tricks to build an ISO for installation entirely over a serial console ==<br />
<br />
I've been looking all over for a good way to do this. I think I have an approach that could work (although it's still to be tried). What do we think about adding this? Has anyone got a recipe? If not, I'm happy to give it a go.<br />
<br />
[[User:Bradwood|Bradwood]] ([[User talk:Bradwood|talk]]) 11:33, 14 November 2020 (UTC)<br />
<br />
:The solution is to simply add a [[Working with the serial console#Kernel|console=ttyS* kernel parameter]] to boot loader configuration. As for why it's not done by default in releng, see https://gitlab.archlinux.org/archlinux/archiso/-/issues/75. -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 12:28, 14 November 2020 (UTC)<br />
<br />
::I get that, but you need to _get_ to the bootloader menu first, and that currently doesn't happen over the console to my knowledge... [[User:Bradwood|Bradwood]] ([[User talk:Bradwood|talk]]) 13:55, 14 November 2020 (UTC)<br />
<br />
:::I meant editing the boot loader configuration for the ISO and then building the ISO. As for seeing the boot loader over serial, it should work when booting in BIOS mode (this doesn't prevent installing the system for UEFI booting, you just need to install the boot loader to the default/fallback boot path). -- [[User:nl6720|nl6720]] ([[User talk:nl6720|talk]]) 05:23, 15 November 2020 (UTC)<br />
<br />
== Permissions and File Additions ==<br />
<br />
Would suggest we document the new changes to permissions requirements as implemented on 11/30/20 in Commit c10004df :<br />
<br />
profiledef.sh needs to have explicit permissions now which is quite different than before.<br />
<br />
 file_permissions=(<br />
 ["/etc/shadow"]="0:0:400"<br />
 ["/root"]="0:0:750"<br />
 ["/root/.automated_script.sh"]="0:0:755"<br />
 ["/usr/local/bin/choose-mirror"]="0:0:755"<br />
 ["/usr/local/bin/Installation_guide"]="0:0:755"<br />
 ["/usr/local/bin/livecd-sound"]="0:0:755"<br />
 )<br />
<br />
<br />
Also, the fact that a /skel folder cannot be added to airootfs now is different and requires users to put everything in /etc/skel/<br />
<br />
Users can still add services, but I found the best way to add them was to put them in /usr/local/bin and then add a line to profiledef.sh to give them 755.<br />
<br />
[[User:Jdfthetech|Jdfthetech]] ([[User talk:Jdfthetech|talk]]) 05:34, 2 December 2020 (UTC)<br />
<br />
:Thanks for this update, I've just reached this pitfall attempting to create a non-root user with their own home directory, but failing with {{ic|[mkarchiso] ERROR: Failed to set permissions on 'work/x86_64/airootfs/home/myuser'. Outside of valid path.}} Any thoughts on how to get this working? [[User:Yuvadm|Yuvadm]] ([[User talk:Yuvadm|talk]]) 20:34, 14 December 2020 (UTC)</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=SCP_and_SFTP&diff=627353SCP and SFTP2020-07-31T10:30:02Z<p>Yuvadm: Cleanup redundant whitespace</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[Category:File Transfer Protocol]]<br />
[[ja:SCP と SFTP]]<br />
{{Related articles start}}<br />
{{Related|SSHFS}}<br />
{{Related|SFTP chroot}}<br />
{{Related|Pure-FTPd}}<br />
{{Related articles end}}<br />
{{Merge|SFTP chroot|Instructions seem to be the same as in [[SFTP chroot]] and has more content.|section=Incorrect 'Considered for redirection' banner?}}<br />
<br />
[[wikipedia:Secure copy|Secure copy (SCP)]] is a protocol for transferring files over a [[Secure Shell]] connection. The [[wikipedia:SSH_file_transfer_protocol|SSH file transfer protocol (SFTP)]] is a related protocol that also relies on a secure shell back-end. Both protocols allow secure file transfers, encrypting passwords and transferred data. SFTP, however, offers additional capabilities such as resuming broken transfers and remote file manipulation (for example, deletion).<br />
<br />
== Secure file transfer protocol (SFTP) ==<br />
<br />
Install and configure [[OpenSSH]]. Once running, SFTP is available by default.<br />
<br />
Access files with the ''sftp'' program or [[SSHFS]]. Many standard FTP programs should work as well.<br />
<br />
== Secure file transfer protocol (SFTP) with a chroot jail ==<br />
Sysadmins can confine a subset of users to a chroot jail using {{Pkg|openssh}}, restricting their access to a particular directory tree. This is useful for sharing files without granting full system or shell access. Users set up this way can use SFTP clients such as {{Pkg|filezilla}} to put and get files in the chroot jail.<br />
<br />
=== Setup the filesystem ===<br />
<br />
Create a jail directory:<br />
<br />
# mkdir -p /var/lib/jail<br />
<br />
Optionally, bind mount the filesystem to be shared to this directory. In this example, {{ic|/mnt/data/share}} is to be used. It is owned by root and has octal permissions of 755.<br />
<br />
# mount -o bind /mnt/data/share /var/lib/jail<br />
<br />
{{Tip|Consider adding an entry to {{ic|/etc/fstab}} to make the bind mount survive a reboot.}}<br />
<br />
=== Create an unprivileged user ===<br />
<br />
Create the share user and set up a good password (the {{ic|sshusers}} group must already exist):<br />
<br />
# useradd -g sshusers -d /var/lib/jail foo<br />
# passwd foo<br />
<br />
=== Setup OpenSSH ===<br />
<br />
Add the following to the end of {{ic|/etc/ssh/sshd_config}} to enable the share and to enforce the restrictions:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
...<br />
Match group sshusers<br />
ChrootDirectory %h<br />
X11Forwarding no<br />
AllowTcpForwarding no<br />
PasswordAuthentication yes<br />
ForceCommand internal-sftp<br />
}}<br />
<br />
[[Restart]] {{ic|sshd.service}} to re-read the config file.<br />
<br />
Test that the restrictions are in fact enforced by attempting an SSH connection from the shell. The SSH server should return a polite notice of the setup:<br />
<br />
{{hc|$ ssh foo@someserver.com|<br />
foo@someserver.com's password:<br />
This service allows sftp connections only.<br />
Connection to someserver.com closed.<br />
}}<br />
<br />
== Secure copy protocol (SCP) ==<br />
<br />
[[Install]], configure and [[start]] [[OpenSSH]]. It contains the ''scp'' utility to transfer files.<br />
<br />
More features are available by installing additional packages, for example {{Aur|rssh}} or {{Pkg|scponly}} described below.<br />
<br />
{{Warning|The scp protocol is outdated, inflexible and not readily fixed. Its authors recommend the use of more modern protocols like sftp and rsync for file transfer instead.[https://lists.mindrot.org/pipermail/openssh-unix-dev/2019-March/037672.html]}}<br />
<br />
=== General Usage ===<br />
<br />
==== Linux to Linux ====<br />
<br />
Copy a file from a remote host to the local host:<br />
<br />
$ scp username@from_host:file.txt /local/directory/<br />
<br />
Copy a file from the local host to a remote host:<br />
<br />
$ scp file.txt username@to_host:/remote/directory/<br />
<br />
Copy a directory from a remote host to the local host:<br />
<br />
$ scp -r username@from_host:/remote/directory/ /local/directory/<br />
<br />
Copy a directory from the local host to a remote host:<br />
<br />
$ scp -r /local/directory/ username@to_host:/remote/directory/<br />
<br />
Copy a file from one remote host to another remote host:<br />
<br />
$ scp username@from_host:/remote/directory/file.txt username@to_host:/remote/directory/<br />
<br />
==== Linux to Windows ====<br />
<br />
Use a Windows program such as [https://winscp.net/eng/download.php WinSCP].<br />
<br />
=== Scponly ===<br />
<br />
[https://github.com/scponly/scponly/wiki Scponly] is a limited shell that gives users scp/sftp access and nothing else. Additionally, one can set up ''scponly'' to chroot the user into a particular directory, increasing the level of security.<br />
<br />
[[Install]] {{Pkg|scponly}}.<br />
<br />
For existing users, simply set the user's shell to scponly:<br />
<br />
# usermod -s /usr/bin/scponly ''username''<br />
<br />
==== Adding a chroot jail ====<br />
<br />
The package comes with a script to create a chroot. To use it, run: <br />
<br />
# /usr/share/doc/scponly/setup_chroot.sh<br />
<br />
* Provide answers<br />
* Check that {{ic|/path/to/chroot}} has {{ic|root:root}} owner and {{ic|r-x}} for others<br />
* Change the shell for selected user to {{ic|/usr/bin/scponlyc}}<br />
* sftp-server may require some libnss modules such as libnss_files. Copy them to chroot's {{ic|/lib}} path.<br />
<br />
==== Uploads to Chroot jail root dir ====<br />
<br />
For security reasons, the directory set as the chroot directory must be owned by root, with only root having write access to it; otherwise sftp/ssh connections will be denied. This means regular users cannot upload files to the root directory of the jail. To get around this without compromising security, create a folder inside the chroot directory to which the regular user or group has write access, e.g.:<br />
<br />
# cd /var/lib/jail<br />
# mkdir uploads<br />
# chown :sshusers uploads<br />
# chmod 730 uploads<br />
<br />
{{Note|This will only allow users of group "sshusers" to upload to (but not list the contents of) the "uploads" directory. Use {{ic|chmod 770}} to allow sshusers to view contents.}}<br />
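<br />
The ownership rule above can be checked before users run into refused connections. The following audit is an added example, not part of the original article or of OpenSSH; it also checks every parent directory of the jail, as {{man|5|sshd_config}} requires for {{ic|ChrootDirectory}}, and the {{ic|fake_stat}} tables are constructed sample data.<br />
<br />
```python
import os
import stat
import sys
from pathlib import PurePosixPath
from types import SimpleNamespace


def audit_chroot(chroot, upload_dir=None, stat_fn=os.stat):
    """Return a list of problems; an empty list means the layout is acceptable.

    Every path component up to and including the jail must be a root-owned
    directory that is not writable by group or others. The optional upload
    directory must be group-writable but not world-writable.
    """
    jail = PurePosixPath(chroot)
    if not jail.is_absolute():
        return [f"{chroot}: ChrootDirectory must be an absolute path"]
    findings = []
    # Walk "/", then each parent, then the jail itself.
    for component in [*list(jail.parents)[::-1], jail]:
        try:
            st = stat_fn(str(component))
        except OSError:
            return findings + [f"{component}: missing or unreadable"]
        mode = stat.S_IMODE(st.st_mode)
        if not stat.S_ISDIR(st.st_mode):
            findings.append(f"{component}: not a directory")
        if st.st_uid != 0:
            findings.append(f"{component}: owned by uid {st.st_uid}, not root")
        if mode & 0o022:
            findings.append(f"{component}: group/other writable (mode {mode:04o})")
    if upload_dir is not None:
        target = jail / upload_dir.lstrip("/")
        try:
            mode = stat.S_IMODE(stat_fn(str(target)).st_mode)
        except OSError:
            return findings + [f"{target}: missing or unreadable"]
        if not mode & 0o020:
            findings.append(f"{target}: not group-writable, group members cannot upload")
        if mode & 0o002:
            findings.append(f"{target}: world-writable (mode {mode:04o})")
    return findings


def fake_stat(entries):
    """Build a stat function over a constructed {path: (uid, mode)} table."""
    def stat_fn(path):
        if path not in entries:
            raise FileNotFoundError(path)
        uid, mode = entries[path]
        return SimpleNamespace(st_uid=uid, st_mode=stat.S_IFDIR | mode)
    return stat_fn


# Constructed sample layouts (not taken from a real system).
GOOD_LAYOUT = {
    "/": (0, 0o755), "/var": (0, 0o755), "/var/lib": (0, 0o755),
    "/var/lib/jail": (0, 0o755), "/var/lib/jail/uploads": (0, 0o730),
}
BAD_LAYOUT = {
    **GOOD_LAYOUT,
    "/var/lib/jail": (1000, 0o775),        # user-owned, group-writable jail
    "/var/lib/jail/uploads": (0, 0o777),   # world-writable upload directory
}

if __name__ == "__main__":
    # With arguments (jail path, optional upload dir) the real filesystem is
    # read; without arguments the constructed BAD_LAYOUT is audited.
    if len(sys.argv) > 1:
        problems = audit_chroot(sys.argv[1], *sys.argv[2:3])
    else:
        problems = audit_chroot("/var/lib/jail", "uploads", fake_stat(BAD_LAYOUT))
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```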
<br />
Some applications utilizing SFTP do not allow input of sub-directories when performing operations (e.g. uploading files), and will attempt to upload files to the chroot base directory (which will be denied). In order to force these applications to use a specific sub-directory you can append the following to the "ForceCommand" option:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
...<br />
Match group sshusers<br />
...<br />
ForceCommand internal-sftp -d /uploads<br />
}}<br />
<br />
On connect, users will then start in the specified sub-directory (remember to restart the sshd server).</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=GPS&diff=617249GPS2020-05-31T07:42:58Z<p>Yuvadm: Update GPSD homepage link</p>
<hr />
<div>[[Category:Laptops]]<br />
[[Category:Hardware]]<br />
[[ja:GPS]]<br />
There is a variety of [[Wikipedia:Global Positioning System|Global Positioning System]] (GPS) hardware receivers supported in Arch Linux:<br />
<br />
* [[Bluetooth]] GPS adapters<br />
* USB GPS adapters (internal or external)<br />
* WWAN-integrated adapters (some HP EliteBook modules for example)<br />
* Smartphones are able to relay GPS data over USB or Bluetooth with additional software<br />
<br />
== Drivers ==<br />
Usually a GPS device is presented as a serial device and the kernel uses a standard driver, but in some cases drivers such as {{AUR|mtkbabel}} or {{AUR|mbm-gpsd-pl4nkton-git}} need to be installed.<br />
<br />
== Interfaces ==<br />
GPS does not have a unified interface or configuration in Linux. The raw GPS data is written to the serial device and each program interprets the location itself, occupying the device in the process. Sharing the GPS adapter among multiple applications is possible with {{Pkg|gpsd}}.<br />
<br />
=== GPSD ===<br />
[https://gpsd.gitlab.io/gpsd/index.html GPSD] is a daemon that queries the serial GPS device and makes its output available on a TCP server. It is the most standard GPS interface in Linux and GPS-aware applications usually support it.<br />
<br />
=== ModemManager ===<br />
ModemManager is a Linux WWAN modem support package which interfaces with [[NetworkManager]]. It also supports querying GPS coordinates from GPS-enabled WWAN cards and can display the location in {{Pkg|modem-manager-gui}}. The most important commands are:<br />
<br />
==== View locationing capabilities ====<br />
mmcli -m 0 --location-status<br />
<br />
==== Enable GPS ====<br />
mmcli -m 0 --location-enable-gps-raw --location-enable-gps-nmea<br />
<br />
==== Display location ====<br />
watch mmcli -m 0 --location-get<br />
<br />
==== Disable GPS ====<br />
mmcli -m 0 --location-disable-gps-raw --location-disable-gps-nmea<br />
<br />
== Clients ==<br />
The {{Pkg|gpsd}} package provides {{Ic|cgps}}, a simple console-based client for showing the current GPS device status.<br />
<br />
=== Time Synchronization ===<br />
<br />
See [[Network Time Protocol daemon#Using ntpd with GPS]]<br />
<br />
== See also ==<br />
* [https://sigquit.wordpress.com/2012/03/29/enabling-gps-location-in-modemmanager/ Enabling GPS location in ModemManager]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=WireGuard&diff=591479WireGuard2019-12-09T19:52:21Z<p>Yuvadm: Fix link in mainline note</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|1=WireGuard has been merged into net-next and is scheduled to be mainlined in kernel version 5.6. [https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html]}}<br />
<br />
{{Tip|[[systemd-networkd]] and [[NetworkManager]] both have native support for setting up WireGuard interfaces, they only require the kernel module.<br />
<br />
* For details on systemd-networkd, see [[#Using systemd-networkd]].<br />
* For NetworkManager, read the [https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/ WireGuard in NetworkManager blog post].<br />
}}<br />
<br />
== Usage ==<br />
<br />
The commands below demonstrate how to set up a basic tunnel between two peers with the following settings:<br />
<br />
{{Expansion|Add Peer C to better demonstrate routing and PSK, and add IPv6.}}<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! WireGuard listening port<br />
| UDP/51871<br />
| UDP/51902<br />
|}<br />
<br />
The external addresses should already exist. For example, peer A should be able to ping peer B via {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses will be new addresses created by the {{man|8|ip}} commands below and will be shared internally within the new WireGuard network using {{man|8|wg}}. The {{ic|/24}} in the IP addresses is [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]] notation for the prefix length.<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.<br />
<br />
{{Expansion|A pre-shared key should be created for each peer pair. E.g. with peers A, B and C, there should be three pre-shared keys, {{ic|peer_A-peer_B-psk}} for the connection between Peer A and Peer B, {{ic|peer_A-peer_C-psk}} for the connection between Peer A and Peer C and {{ic|peer_B-peer_C-psk}} for the connection between Peer B and Peer C.}}<br />
<br />
# wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 51871 and will accept connections from peer B by linking its public key with both its inner and outer IP addresses.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 51871 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_B_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:51902<br />
# ip link set wg0 up<br />
<br />
{{ic|''PEER_B_PUBLIC_KEY''}} should have the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The keyword {{ic|allowed-ips}} is a list of addresses that peer A will be able to send traffic to; {{ic|allowed-ips 0.0.0.0/0}} would allow sending traffic to any IPv4 address, {{ic|::/0}} allows sending traffic to any IPv6 address.<br />
<br />
=== Peer B setup ===<br />
<br />
As with peer A, except that WireGuard listens on UDP port 51902 and accepts connections from peer A only.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 51902 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_A_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:51871<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameters will give a quick overview of the current configuration.<br />
<br />
As an example, when Peer A has been configured we are able to see its identity and its associated peers:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51871<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:51902<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point one could reach the end of the tunnel:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The configuration can be saved by utilizing {{ic|showconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = ''CLIENT_PRIVATE_KEY''<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = ''SERVER_ENDPOINT'':51871<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|The terms "server" and "client" are used here specifically for newcomers to WireGuard and for current users of OpenVPN, to help them become familiar with the construction of configuration files. WireGuard documentation simply refers to both of these concepts as "peers."}}<br />
<br />
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted and secured tunnel like [[OpenVPN]] and others. The server runs on Linux and the clients can run on any number of platforms (the WireGuard Project offers apps on both iOS and Android platforms in addition to Linux, Windows and MacOS). See the official project [https://www.wireguard.com/install/ install link] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
<br />
If the server has a public IP address configured, be sure to:<br />
<br />
* Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on 51820/udp).<br />
* Set up the forwarding policy for the firewall if it is not included in the WireGuard config for the interface itself ({{ic|/etc/wireguard/wg0.conf}}). The example below includes the iptables rules and should work as-is.<br />
<br />
If the server is behind NAT, be sure to forward the specified port(s) on which WireGuard will be running (for example, 51820/UDP) from the router to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the {{ic|PublicKey}} to be set. However, specifying {{ic|PresharedKey}} is optional.<br />
<br />
Notice that the server's {{ic|Address}} has the mask "/24" while each client's entry in {{ic|AllowedIPs}} has "/32". Each client uses only its own IP address, and the server only sends traffic back to that client's respective address.<br />
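
The one-address-per-client convention described above can be checked mechanically. The following Python linter is an added example, not part of this page's original text or of wireguard-tools; its function names, finding codes and the sample configuration (constructed, with peer "bar" deliberately given the whole /24) are assumptions made for illustration.

```python
"""Lint a wg-quick "server" configuration (added example, not wireguard-tools code)."""
import ipaddress
from itertools import combinations

# Constructed sample: the server config layout from this page, with one
# deliberate mistake: peer "bar" is given the whole /24 instead of its /32.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY

[Peer]
# foo
PublicKey = PEER_FOO_PUBLIC_KEY
PresharedKey = PRE-SHARED_KEY
AllowedIPs = 10.200.200.2/32

[Peer]
# bar
PublicKey = PEER_BAR_PUBLIC_KEY
AllowedIPs = 10.200.200.0/24
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]) with lower-cased keys.

    configparser is not usable here because [Peer] legitimately repeats.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # Split on the first "=" only: base64 keys end in "=" themselves.
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # A key such as AllowedIPs may be given more than once; accumulate.
        current[key] = f"{current[key]}, {value}" if key in current else value
    return interface, peers


def allowed_networks(peer):
    """Parse a peer's AllowedIPs value into ip_network objects."""
    items = (item.strip() for item in peer.get("allowedips", "").split(","))
    return [ipaddress.ip_network(item, strict=False) for item in items if item]


def lint_server(text):
    """Return findings as tuples: (code, peer[, detail])."""
    _, peers = parse_wg_conf(text)
    findings = []
    for peer in peers:
        label = peer.get("publickey", "<no PublicKey>")
        if "publickey" not in peer:
            findings.append(("no-publickey", label))
        if "presharedkey" not in peer:
            # Optional, but the extra symmetric layer is then absent.
            findings.append(("no-psk", label))
        for net in allowed_networks(peer):
            # AllowedIPs also filters the source address of packets received
            # from the peer, so a wide range lets one client use addresses
            # meant for others. Heuristic: flag anything wider than one host.
            if net.num_addresses > 1:
                findings.append(("wide-allowedips", label, str(net)))
    for a, b in combinations(peers, 2):
        clash = any(
            na.version == nb.version and na.overlaps(nb)
            for na in allowed_networks(a)
            for nb in allowed_networks(b)
        )
        if clash:
            findings.append(("overlap", a.get("publickey"), b.get("publickey")))
    return findings


if __name__ == "__main__":
    for finding in lint_server(SAMPLE_SERVER_CONF):
        print(finding)
```

A site-to-site peer that legitimately routes a subnet will trigger {{ic|wide-allowedips}}; treat that finding as a prompt to review the entry rather than as an error.
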
<br />
The interface can be managed manually using {{man|8|wg-quick}} or using a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface may be brought up using {{ic|wg-quick up wg0}}, or by [[start|starting]] and potentially [[enable|enabling]] it via {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To close the interface, use {{ic|wg-quick down wg0}} or [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
<br />
{{Note|Users of [[NetworkManager]] may need to [[enable]] the {{ic|NetworkManager-wait-online.service}} and users of [[systemd-networkd]] may need to [[enable]] the {{ic|systemd-networkd-wait-online.service}} to wait until devices are network ready before attempting a WireGuard connection.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic:<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.203 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring WireGuard from [[NetworkManager]], make sure that NetworkManager is not managing the WireGuard interface(s):<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg*<br />
}}<br />
<br />
=== Broken DNS resolution ===<br />
<br />
When tunneling all traffic through a WireGuard interface, the connection can become seemingly lost after a while or upon new connection. This could be caused by a [[network manager]] or [[DHCP]] client overwriting {{ic|/etc/resolv.conf}}.<br />
<br />
By default ''wg-quick'' uses ''resolvconf'' to register new [[DNS]] entries (from the {{ic|DNS}} keyword in the configuration file). This will cause issues with [[network manager]]s and [[DHCP]] clients that do not use ''resolvconf'', as they will overwrite {{ic|/etc/resolv.conf}} thus removing the DNS servers added by wg-quick.<br />
<br />
The solution is to use networking software that supports [[resolvconf]].<br />
<br />
{{Note|If you are using [[systemd-resolved]], make sure that {{Pkg|systemd-resolvconf}} is [[install]]ed.}}<br />
<br />
In case of [[NetworkManager]], it does not use resolvconf by default. This will not be an issue when using [[systemd-resolved]], but if you do not use systemd-resolved, [[install]] {{Pkg|openresolv}} and configure NetworkManager to use it: [[NetworkManager#Use openresolv]].<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU is too low (lower than 1280), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU value in the Interface section of the WireGuard configuration on the client.<br />
{{hc|/foo.config|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard protocols and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
In order to prevent private keys from leaking, it is recommended to restrict the permissions of the ''.netdev'' file:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
PrivateKey = ''FOO_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnlink=true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink=true<br />
}}<br />
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, such as through use of {{pkg|pass}}. Just replace the PrivateKey line under [Interface] in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client is going to lose its connection until its endpoint is updated via something like {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware, if the endpoint is ever going to change its address (for example when moving to a new provider/datacenter), just updating DNS will not be enough, so periodically running reresolve-dns might make sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, that parses WG configuration files and automatically resets the endpoint address.<br />
<br />
One needs to run {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP.<br />
<br />
One way of doing so is by updating all WireGuard endpoints once every thirty seconds[https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to generate client's configuration QR code and display it in terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:WireGuard]]<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld].<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]<br />
* [https://docs.sweeting.me/s/wireguard Unofficial WireGuard Documentation]<br />
* [[Debian:Wireguard]]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=WireGuard&diff=591477WireGuard2019-12-09T19:49:35Z<p>Yuvadm: Updated on wireguard being mainlined in kernel 5.6</p>
<hr />
<div>[[Category:Virtual Private Network]]<br />
[[ja:WireGuard]]<br />
[[zh-hans:WireGuard]]<br />
From the [https://www.wireguard.com/ WireGuard] project homepage: <br />
:WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it plans to be cross-platform and widely deployable.<br />
<br />
{{Warning|WireGuard has not undergone proper degrees of security auditing and the protocol is still subject to change [https://www.wireguard.com/#work-in-progress].}}<br />
<br />
== Installation ==<br />
<br />
# [[Install]] {{Pkg|wireguard-tools}}.<br />
# Install the appropriate kernel module:<br />
#* {{Pkg|wireguard-arch}} for the default {{Pkg|linux}} kernel.<br />
#* {{Pkg|wireguard-lts}} for the LTS {{Pkg|linux-lts}} kernel.<br />
#* {{Pkg|wireguard-dkms}} for the DKMS variant for other [[kernel]]s.<br />
<br />
{{Note|1=WireGuard has been merged into net-next and is scheduled to be [https://lists.zx2c4.com/pipermail/wireguard/2019-December/004704.html mainlined] in kernel version 5.6.}}<br />
<br />
{{Tip|[[systemd-networkd]] and [[NetworkManager]] both have native support for setting up WireGuard interfaces, they only require the kernel module.<br />
<br />
* For details on systemd-networkd, see [[#Using systemd-networkd]].<br />
* For NetworkManager, read the [https://blogs.gnome.org/thaller/2019/03/15/wireguard-in-networkmanager/ WireGuard in NetworkManager blog post].<br />
}}<br />
<br />
== Usage ==<br />
<br />
The commands below demonstrate how to set up a basic tunnel between two peers with the following settings:<br />
<br />
{{Expansion|Add Peer C to better demonstrate routing and PSK, and add IPv6.}}<br />
<br />
{| class="wikitable"<br />
! <br />
! Peer A<br />
! Peer B<br />
|-<br />
! External IP address<br />
| 198.51.100.101<br />
| 203.0.113.102<br />
|-<br />
! Internal IP address<br />
| 10.0.0.1/24<br />
| 10.0.0.2/24<br />
|-<br />
! WireGuard listening port<br />
| UDP/51871<br />
| UDP/51902<br />
|}<br />
<br />
The external addresses should already exist. For example, peer A should be able to ping peer B via {{ic|ping 203.0.113.102}}, and vice versa. The internal addresses will be new addresses created by the {{man|8|ip}} commands below and will be shared internally within the new WireGuard network using {{man|8|wg}}. The {{ic|/24}} in the IP addresses is the [[wikipedia:Classless_Inter-Domain_Routing#CIDR_notation|CIDR]].<br />
<br />
=== Key generation ===<br />
<br />
To create a private key:<br />
<br />
$ wg genkey > privatekey<br />
<br />
{{Note|It is recommended to only allow reading and writing access for the owner:<br />
<br />
$ chmod 600 privatekey<br />
<br />
}}<br />
<br />
To create a public key:<br />
<br />
$ wg pubkey < privatekey > publickey<br />
<br />
Alternatively, do this all at once:<br />
<br />
$ wg genkey | tee privatekey | wg pubkey > publickey<br />
<br />
One can also generate a preshared key to add an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.<br />
<br />
{{Expansion|A pre-shared key should be created for each peer pair. E.g. with peers A, B and C, there should be three pre-shared keys, {{ic|peer_A-peer_B-psk}} for the connection between Peer A and Peer B, {{ic|peer_A-peer_C-psk}} for the connection between Peer A and Peer C and {{ic|peer_B-peer_C-psk}} for the connection between Peer B and Peer C.}}<br />
<br />
# wg genpsk > preshared<br />
<br />
=== Peer A setup ===<br />
<br />
This peer will listen on UDP port 51871 and will accept connections from peer B by linking its public key with both its inner and outer IP addresses.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.1/24 dev wg0<br />
# wg set wg0 listen-port 51871 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_B_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.2/32 endpoint 203.0.113.102:51902<br />
# ip link set wg0 up<br />
<br />
{{ic|''PEER_B_PUBLIC_KEY''}} should have the same format as {{ic|1=EsnHH9m6RthHSs+sd9uM6eCHe/mMVFaRh93GYadDDnM=}}. The keyword {{ic|allowed-ips}} is a list of addresses that peer A will be able to send traffic to; {{ic|allowed-ips 0.0.0.0/0}} would allow sending traffic to any IPv4 address, {{ic|::/0}} allows sending traffic to any IPv6 address.<br />
<br />
=== Peer B setup ===<br />
<br />
As with peer A, except that WireGuard listens on UDP port 51902 and accepts connections from peer A only.<br />
<br />
# ip link add dev wg0 type wireguard<br />
# ip addr add 10.0.0.2/24 dev wg0<br />
# wg set wg0 listen-port 51902 private-key ./privatekey<br />
# wg set wg0 peer ''PEER_A_PUBLIC_KEY'' persistent-keepalive 25 allowed-ips 10.0.0.1/32 endpoint 198.51.100.101:51871<br />
# ip link set wg0 up<br />
<br />
=== Basic checkups ===<br />
<br />
Invoking the {{man|8|wg}} command without parameters will give a quick overview of the current configuration.<br />
<br />
As an example, when Peer A has been configured we are able to see its identity and its associated peers:<br />
<br />
{{hc|[user@peer-a]# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51871<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
endpoint: 203.0.113.102:51902<br />
allowed ips: 10.0.0.2/32<br />
}}<br />
<br />
At this point one could reach the end of the tunnel:<br />
<br />
[user@peer-a]$ ping 10.0.0.2<br />
<br />
=== Persistent configuration ===<br />
<br />
The configuration can be saved by utilizing {{ic|showconf}}:<br />
<br />
# wg showconf wg0 > /etc/wireguard/wg0.conf<br />
# wg setconf wg0 /etc/wireguard/wg0.conf<br />
<br />
=== Example peer configuration ===<br />
<br />
{{hc|1=/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.0.0.1/32<br />
PrivateKey = ''CLIENT_PRIVATE_KEY''<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
AllowedIPs = 10.0.0.0/24, 10.123.45.0/24, 1234:4567:89ab::/48<br />
Endpoint = ''SERVER_ENDPOINT'':51871<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
=== Example configuration for systemd-networkd ===<br />
<br />
See [[#Using systemd-networkd]].<br />
<br />
== Specific use-case: VPN server ==<br />
{{Note|The terms "server" and "client" are used here specifically for newcomers to WireGuard and for current users of OpenVPN, to help them become familiar with the construction of configuration files. WireGuard documentation simply refers to both of these concepts as "peers."}}<br />
<br />
The purpose of this section is to set up a WireGuard "server" and generic "clients" to enable access to the server/network resources through an encrypted and secured tunnel like [[OpenVPN]] and others. The server runs on Linux and the clients can run on any number of platforms (the WireGuard Project offers apps on both iOS and Android platforms in addition to Linux, Windows and MacOS). See the official project [https://www.wireguard.com/install/ install link] for more.<br />
<br />
{{Tip|Instead of using {{pkg|wireguard-tools}} for server/client configuration, one may want to use [[#Using systemd-networkd|systemd-networkd]] native WireGuard support.}}<br />
<br />
=== Server ===<br />
<br />
On the peer that will act as the "server", first enable IPv4 forwarding using [[sysctl]]:<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
To make the change permanent, add {{ic|1=net.ipv4.ip_forward = 1}} to {{ic|/etc/sysctl.d/99-sysctl.conf}}.<br />
<br />
A properly configured [[firewall]] is ''HIGHLY recommended'' for any Internet-facing device.<br />
<br />
If the server has a public IP address configured, be sure to:<br />
<br />
* Allow UDP traffic on the specified port(s) on which WireGuard will be running (for example allowing traffic on 51820/udp).<br />
* Set up the forwarding policy for the firewall if it is not included in the WireGuard config for the interface itself ({{ic|/etc/wireguard/wg0.conf}}). The example below includes the iptables rules and should work as-is.<br />
<br />
If the server is behind NAT, be sure to forward the specified port(s) on which WireGuard will be running (for example, 51820/UDP) from the router to the WireGuard server.<br />
<br />
=== Key generation ===<br />
<br />
Generate key pairs for the server and for each client as explained in [[#Key generation]].<br />
<br />
=== Server config ===<br />
<br />
Create the "server" config file:<br />
<br />
{{hc|/etc/wireguard/wg0.conf|2=<br />
[Interface]<br />
Address = 10.200.200.1/24<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
# note - substitute ''eth0'' in the following lines to match the Internet-facing interface<br />
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed<br />
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE<br />
<br />
[Peer]<br />
# foo<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[Peer]<br />
# bar<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
Additional peers ("clients") can be listed in the same format as needed. Each peer requires the {{ic|PublicKey}} to be set. However, specifying {{ic|PresharedKey}} is optional.<br />
<br />
Notice that the server's {{ic|Address}} has the mask "/24" while each client's entry in {{ic|AllowedIPs}} has "/32". Each client uses only its own IP address, and the server only sends traffic back to that client's respective address.<br />
<br />
The interface can be managed manually using {{man|8|wg-quick}} or using a [[systemd]] service managed via {{man|1|systemctl}}.<br />
<br />
The interface may be brought up using {{ic|wg-quick up wg0}}, or by [[start|starting]] and potentially [[enable|enabling]] it via {{ic|wg-quick@''interface''.service}}, e.g. {{ic|wg-quick@wg0.service}}. To close the interface, use {{ic|wg-quick down wg0}} or [[stop]] {{ic|wg-quick@''interface''.service}}.<br />
<br />
=== Client config ===<br />
<br />
Create the corresponding "client" config file(s):<br />
<br />
{{hc|foo.conf|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
{{hc|bar.conf|2=<br />
[Interface]<br />
Address = 10.200.200.3/24<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
<br />
[Peer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 0.0.0.0/0, ::/0<br />
Endpoint = my.ddns.example.com:51820<br />
}}<br />
<br />
Using the catch-all {{ic|1=AllowedIPs = 0.0.0.0/0, ::/0}} will forward all IPv4 ({{ic|0.0.0.0/0}}) and IPv6 ({{ic|::/0}}) traffic over the VPN.<br />
<br />
{{Note|Users of [[NetworkManager]] may need to [[enable]] the {{ic|NetworkManager-wait-online.service}} and users of [[systemd-networkd]] may need to [[enable]] the {{ic|systemd-networkd-wait-online.service}} to wait until devices are network ready before attempting a WireGuard connection.}}<br />
<br />
== Testing the tunnel ==<br />
<br />
Once a tunnel has been established, one can use {{Pkg|gnu-netcat}} to send traffic through it to test out throughput, CPU usage, etc.<br />
On one side of the tunnel, run {{ic|nc}} in listen mode and on the other side, pipe some data from {{ic|/dev/zero}} into {{ic|nc}} in sending mode.<br />
<br />
In the example below, port 2222 is used for the traffic (be sure to allow traffic on port 2222 if using a firewall).<br />
<br />
On one side of the tunnel listen for traffic:<br />
<br />
$ nc -vvlnp 2222<br />
<br />
On the other side of the tunnel, send some traffic:<br />
<br />
$ dd if=/dev/zero bs=1024K count=1024 | nc -v 10.0.0.203 2222<br />
<br />
Status can be monitored using {{ic|wg}} directly.<br />
<br />
{{hc|# wg|2=<br />
interface: wg0<br />
public key: UguPyBThx/+xMXeTbRYkKlP0Wh/QZT3vTLPOVaaXTD8=<br />
private key: (hidden)<br />
listening port: 51820<br />
<br />
peer: 9jalV3EEBnVXahro0pRMQ+cHlmjE33Slo9tddzCVtCw=<br />
preshared key: (hidden)<br />
endpoint: 192.168.1.216:53207<br />
allowed ips: 10.0.0.0/0<br />
latest handshake: 1 minutes, 17 seconds ago<br />
transfer: 56.43 GiB received, 1.06 TiB sent<br />
}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Routes are periodically reset ===<br />
<br />
If you are not configuring WireGuard from [[NetworkManager]], make sure that NetworkManager is not managing the WireGuard interface(s):<br />
<br />
{{hc|/etc/NetworkManager/conf.d/unmanaged.conf|2=<br />
[keyfile]<br />
unmanaged-devices=interface-name:wg*<br />
}}<br />
<br />
=== Broken DNS resolution ===<br />
<br />
When tunneling all traffic through a WireGuard interface, the connection can become seemingly lost after a while or upon new connection. This could be caused by a [[network manager]] or [[DHCP]] client overwriting {{ic|/etc/resolv.conf}}.<br />
<br />
By default ''wg-quick'' uses ''resolvconf'' to register new [[DNS]] entries (from the {{ic|DNS}} keyword in the configuration file). This will cause issues with [[network manager]]s and [[DHCP]] clients that do not use ''resolvconf'', as they will overwrite {{ic|/etc/resolv.conf}} thus removing the DNS servers added by wg-quick.<br />
<br />
The solution is to use networking software that supports [[resolvconf]].<br />
<br />
{{Note|If you are using [[systemd-resolved]], make sure that {{Pkg|systemd-resolvconf}} is [[install]]ed.}}<br />
<br />
In case of [[NetworkManager]], it does not use resolvconf by default. This will not be an issue when using [[systemd-resolved]], but if you do not use systemd-resolved, [[install]] {{Pkg|openresolv}} and configure NetworkManager to use it: [[NetworkManager#Use openresolv]].<br />
<br />
=== Low MTU ===<br />
<br />
If the MTU is too low (lower than 1280), wg-quick may fail to create the WireGuard interface. This can be solved by setting the MTU value in the Interface section of the WireGuard configuration on the client.<br />
{{hc|/foo.config|2=<br />
[Interface]<br />
Address = 10.200.200.2/24<br />
MTU = 1500<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
DNS = 10.200.200.1<br />
}} <br />
<br />
== Tips and tricks ==<br />
<br />
=== Using systemd-networkd ===<br />
<br />
[[systemd-networkd]] has native support for WireGuard protocols and therefore does not require the {{Pkg|wireguard-tools}} package.<br />
<br />
In order to prevent private keys from leaking, it is recommended to restrict the permissions of the ''.netdev'' file:<br />
<br />
# chown root:systemd-network /etc/systemd/network/99-*.netdev<br />
# chmod 0640 /etc/systemd/network/99-*.netdev<br />
<br />
==== Server ====<br />
<br />
{{hc|/etc/systemd/network/99-server.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
ListenPort = 51820<br />
PrivateKey = ''SERVER_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_FOO_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.2/32<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''PEER_BAR_PUBLIC_KEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.3/32<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-server.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.1/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
}}<br />
<br />
==== Client foo ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
PrivateKey = ''PEER_FOO_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.2/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
<br />
==== Client bar ====<br />
<br />
{{hc|/etc/systemd/network/99-client.netdev|2=<br />
[NetDev]<br />
Name = wg0<br />
Kind = wireguard<br />
Description = WireGuard<br />
<br />
[WireGuard]<br />
PrivateKey = ''PEER_BAR_PRIVATE_KEY''<br />
<br />
[WireGuardPeer]<br />
PublicKey = ''SERVER_PUBLICKEY''<br />
PresharedKey = ''PRE-SHARED_KEY''<br />
AllowedIPs = 10.200.200.0/24<br />
Endpoint = my.ddns.example.com:51820<br />
PersistentKeepalive = 25<br />
}}<br />
<br />
{{hc|/etc/systemd/network/99-client.network|2=<br />
[Match]<br />
Name = wg0<br />
<br />
[Network]<br />
Address = 10.200.200.3/32<br />
<br />
[Route]<br />
Gateway = 10.200.200.1<br />
Destination = 10.200.200.0/24<br />
GatewayOnLink = true<br />
}}<br />
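<br />
An added example (not from this page or from the systemd project): a Python lint for one interface's ''.netdev''/''.network'' pair. It checks that a ''.netdev'' holding keys is not accessible to other users, that no identical AllowedIPs prefix is given to two peers, and that every [Route] Destination overlaps some peer's AllowedIPs. The function names and the sample files are constructed for illustration; owner and group are not checked.<br />
<br />
```python
import ipaddress
import os
import stat
import tempfile

SECRET_KEYS = {"PrivateKey", "PresharedKey"}

# Constructed sample: a client whose AllowedIPs do not cover the subnet it routes into wg0.
SAMPLE_NETDEV = """\
[NetDev]
Name = wg0
Kind = wireguard
[WireGuard]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY
[WireGuardPeer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 10.200.0.0/24
Endpoint = my.ddns.example.com:51820
"""
SAMPLE_NETWORK = """\
[Match]
Name = wg0
[Network]
Address = 10.200.200.2/32
[Route]
Gateway = 10.200.200.1
Destination = 10.200.200.0/24
GatewayOnLink = true
"""


def parse_unit(text):
    """Return [(section, {key: [values]})]; sections such as [WireGuardPeer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections


def networks(values):
    """Turn AllowedIPs/Destination values (comma or space separated) into ip_network objects."""
    return [ipaddress.ip_network(item, strict=False)
            for value in values for item in value.replace(",", " ").split()]


def lint(netdev_path, network_path):
    """Return a list of findings for one interface's .netdev/.network pair."""
    findings = []
    with open(netdev_path) as fh:
        netdev = parse_unit(fh.read())
    with open(network_path) as fh:
        network = parse_unit(fh.read())

    # 1. A .netdev that embeds key material must not be accessible to "other".
    mode = stat.S_IMODE(os.stat(netdev_path).st_mode)
    if mode & 0o007 and any(kv.keys() & SECRET_KEYS for _, kv in netdev):
        findings.append(f"perms: {os.path.basename(netdev_path)} is {mode:04o}, expected 0640")

    peer_nets = [networks(kv.get("AllowedIPs", []))
                 for name, kv in netdev if name == "WireGuardPeer"]

    # 2. An identical prefix on two peers: only one peer can own it.
    owner = {}
    for index, nets in enumerate(peer_nets):
        for net in nets:
            if owner.setdefault(net, index) != index:
                findings.append(f"duplicate: {net} is in AllowedIPs of peers {owner[net]} and {index}")

    # 3. A routed destination overlapping no AllowedIPs: packets sent there match no peer.
    flat = [net for nets in peer_nets for net in nets]
    for name, kv in network:
        if name != "Route":
            continue
        for dest in networks(kv.get("Destination", [])):
            if not any(dest.version == net.version and dest.overlaps(net) for net in flat):
                findings.append(f"unreachable: route {dest} matches no peer AllowedIPs")
    return findings


def lint_texts(netdev_text, network_text, mode=0o640):
    """Write both units to a temporary directory, set the .netdev mode, and lint them."""
    with tempfile.TemporaryDirectory() as tmp:
        netdev = os.path.join(tmp, "99-client.netdev")
        network = os.path.join(tmp, "99-client.network")
        for path, text in ((netdev, netdev_text), (network, network_text)):
            with open(path, "w") as fh:
                fh.write(text)
        os.chmod(netdev, mode)
        return lint(netdev, network)


if __name__ == "__main__":
    for finding in lint_texts(SAMPLE_NETDEV, SAMPLE_NETWORK, mode=0o644):
        print(finding)
```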
<br />
=== Store private keys in encrypted form ===<br />
<br />
It may be desirable to store private keys in encrypted form, such as through use of {{pkg|pass}}. Just replace the PrivateKey line under [Interface] in the configuration file with:<br />
<br />
PostUp = wg set %i private-key <(su user -c "export PASSWORD_STORE_DIR=/path/to/your/store/; pass WireGuard/private-keys/%i")<br />
<br />
where ''user'' is the Linux username of interest. See the {{man|8|wg-quick}} man page for more details.<br />
<br />
=== Endpoint with changing IP ===<br />
<br />
After resolving a server's domain, WireGuard [https://lists.zx2c4.com/pipermail/wireguard/2017-November/002028.html will not check for changes in DNS again].<br />
<br />
If the WireGuard server frequently changes its IP address due to DHCP, DynDNS, IPv6, etc., any WireGuard client will lose its connection until its endpoint is updated via something like {{ic|wg set "$INTERFACE" peer "$PUBLIC_KEY" endpoint "$ENDPOINT"}}.<br />
<br />
Also be aware that if the endpoint is ever going to change its address (for example when moving to a new provider/datacenter), just updating DNS will not be enough, so periodically running reresolve-dns might make sense on any DNS-based setup.<br />
<br />
Luckily, {{Pkg|wireguard-tools}} provides an example script, {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh}}, that parses WireGuard configuration files and automatically resets the endpoint address.<br />
<br />
Run {{ic|/usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh /etc/wireguard/wg.conf}} periodically to recover from an endpoint that has changed its IP.<br />
<br />
One way of doing so is by updating all WireGuard endpoints once every thirty seconds[https://git.zx2c4.com/WireGuard/tree/contrib/examples/reresolve-dns/README] via a systemd timer:<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.timer|2=<br />
[Unit]<br />
Description=Periodically reresolve DNS of all WireGuard endpoints<br />
<br />
[Timer]<br />
OnCalendar=*:*:0/30<br />
<br />
[Install]<br />
WantedBy=timers.target<br />
}}<br />
<br />
{{hc|/etc/systemd/system/wireguard_reresolve-dns.service|2=<br />
[Unit]<br />
Description=Reresolve DNS of all WireGuard endpoints<br />
Wants=network-online.target<br />
After=network-online.target<br />
<br />
[Service]<br />
Type=oneshot<br />
ExecStart=/bin/sh -c 'for i in /etc/wireguard/*.conf; do /usr/share/wireguard/examples/reresolve-dns/reresolve-dns.sh "$i"; done'<br />
}}<br />
<br />
Afterwards, [[enable]] and [[start]] {{ic|wireguard_reresolve-dns.timer}}.<br />
<br />
=== Generate QR code ===<br />
<br />
If the client is a mobile device such as a phone, {{Pkg|qrencode}} can be used to generate a QR code of the client's configuration and display it in the terminal:<br />
<br />
$ qrencode -t ansiutf8 < client.conf<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:WireGuard]]<br />
* [https://www.wireguard.com/presentations/ Presentations by Jason Donenfeld]<br />
* [https://lists.zx2c4.com/mailman/listinfo/wireguard Mailing list]<br />
* [https://docs.sweeting.me/s/wireguard Unofficial WireGuard Documentation]<br />
* [[Debian:Wireguard]]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=GPS&diff=582440GPS2019-09-15T18:48:33Z<p>Yuvadm: Add time sync section</p>
<hr />
<div>[[Category:Laptops]]<br />
[[Category:Other hardware]]<br />
[[ja:GPS]]<br />
There is a variety of [[Wikipedia:Global Positioning System|Global Positioning System]] (GPS) hardware receivers supported in Arch Linux:<br />
<br />
* [[Bluetooth]] GPS adapters<br />
* USB GPS adapters (internal or external)<br />
* WWAN-integrated adapters (some HP EliteBook modules for example)<br />
* smartphones are able to relay GPS data over USB or Bluetooth with additional software<br />
<br />
== Drivers ==<br />
Usually a GPS device is presented as a serial device and the kernel uses a standard driver, but in some cases drivers such as {{AUR|mtkbabel}} or {{AUR|mbm-gpsd-pl4nkton-git}} need to be installed.<br />
<br />
== Interfaces ==<br />
GPS interfacing and configuration are not well unified in Linux. The raw GPS data is printed on the serial device and programs interpret the location by themselves, occupying the device in the process. Sharing the GPS adapter between multiple applications is possible with {{Pkg|gpsd}}.<br />
<br />
=== GPSD ===<br />
[http://www.catb.org/gpsd/ GPSD] is a daemon that queries the serial GPS device and makes its output available on a TCP server. It is the most standard GPS interface in Linux and GPS-aware applications usually support it.<br />
<br />
=== ModemManager ===<br />
ModemManager is a Linux WWAN modem support package which interfaces with [[NetworkManager]]. It also supports querying GPS coordinates from GPS-enabled WWAN cards and it even displays the location in {{Pkg|modem-manager-gui}}. The most important commands are:<br />
<br />
==== View locationing capabilities ====<br />
mmcli -m 0 --location-status<br />
<br />
==== Enable GPS ====<br />
mmcli -m 0 --location-enable-gps-raw --location-enable-gps-nmea<br />
<br />
==== Display location ====<br />
watch mmcli -m 0 --location-get<br />
<br />
==== Disable GPS ====<br />
mmcli -m 0 --location-disable-gps-raw --location-disable-gps-nmea<br />
<br />
== Clients ==<br />
The {{Pkg|gpsd}} package provides {{Ic|cgps}}, a simple console-based client for showing the current GPS device status.<br />
<br />
=== Time Synchronization ===<br />
<br />
See [[Network_Time_Protocol_daemon#Using_ntpd_with_GPS]].<br />
<br />
== See also ==<br />
* [https://sigquit.wordpress.com/2012/03/29/enabling-gps-location-in-modemmanager/ Enabling GPS location in ModemManager]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=GPS&diff=582439GPS2019-09-15T18:47:15Z<p>Yuvadm: Add clients section</p>
<hr />
<div>[[Category:Laptops]]<br />
[[Category:Other hardware]]<br />
[[ja:GPS]]<br />
There is a variety of [[Wikipedia:Global Positioning System|Global Positioning System]] (GPS) hardware receivers supported in Arch Linux:<br />
<br />
* [[Bluetooth]] GPS adapters<br />
* USB GPS adapters (internal or external)<br />
* WWAN-integrated adapters (some HP EliteBook modules for example)<br />
* smartphones are able to relay GPS data over USB or Bluetooth with additional software<br />
<br />
== Drivers ==<br />
Usually a GPS device is presented as a serial device and the kernel uses a standard driver, but in some cases drivers such as {{AUR|mtkbabel}} or {{AUR|mbm-gpsd-pl4nkton-git}} need to be installed.<br />
<br />
== Interfaces ==<br />
GPS interfacing and configuration are not well unified in Linux. The raw GPS data is printed on the serial device and programs interpret the location by themselves, occupying the device in the process. Sharing the GPS adapter between multiple applications is possible with {{Pkg|gpsd}}.<br />
<br />
=== GPSD ===<br />
[http://www.catb.org/gpsd/ GPSD] is a daemon that queries the serial GPS device and makes its output available on a TCP server. It is the most standard GPS interface in Linux and GPS-aware applications usually support it.<br />
<br />
=== ModemManager ===<br />
ModemManager is a Linux WWAN modem support package which interfaces with [[NetworkManager]]. It also supports querying GPS coordinates from GPS-enabled WWAN cards and it even displays the location in {{Pkg|modem-manager-gui}}. The most important commands are:<br />
<br />
==== View locationing capabilities ====<br />
mmcli -m 0 --location-status<br />
<br />
==== Enable GPS ====<br />
mmcli -m 0 --location-enable-gps-raw --location-enable-gps-nmea<br />
<br />
==== Display location ====<br />
watch mmcli -m 0 --location-get<br />
<br />
==== Disable GPS ====<br />
mmcli -m 0 --location-disable-gps-raw --location-disable-gps-nmea<br />
<br />
== Clients ==<br />
The {{Pkg|gpsd}} package provides {{Ic|cgps}}, a simple console-based client for showing the current GPS device status.<br />
<br />
== See also ==<br />
* [https://sigquit.wordpress.com/2012/03/29/enabling-gps-location-in-modemmanager/ Enabling GPS location in ModemManager]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=VirtualBox&diff=577754VirtualBox2019-07-22T06:08:20Z<p>Yuvadm: Add USB device crash section</p>
<hr />
<div>[[Category:Hypervisors]]<br />
[[Category:Oracle]]<br />
[[cs:VirtualBox]]<br />
[[de:VirtualBox]]<br />
[[el:VirtualBox]]<br />
[[es:VirtualBox]]<br />
[[fr:VirtualBox]]<br />
[[hu:VirtualBox]]<br />
[[it:VirtualBox]]<br />
[[ja:VirtualBox]]<br />
[[pt:VirtualBox]]<br />
[[ru:VirtualBox]]<br />
[[zh-hans:VirtualBox]]<br />
{{Related articles start}}<br />
{{Related|VirtualBox/Tips and tricks}}<br />
{{Related|:Category:Hypervisors}}<br />
{{Related|PhpVirtualBox}}<br />
{{Related|RemoteBox}}<br />
{{Related|Moving an existing install into (or out of) a virtual machine}}<br />
{{Related articles end}}<br />
<br />
[https://www.virtualbox.org VirtualBox] is a [[Wikipedia:Hypervisor|hypervisor]] used to run operating systems in a special environment, called a virtual machine, on top of the existing operating system. VirtualBox is in constant development and new features are implemented continuously. It comes with a [[Qt]] GUI interface, as well as headless and [[Wikipedia:Simple DirectMedia Layer|SDL]] command-line tools for managing and running virtual machines.<br />
<br />
In order to integrate functions of the host system to the guests, including shared folders and clipboard, video acceleration and a seamless window integration mode, ''guest additions'' are provided for some guest operating systems.<br />
<br />
== Installation steps for Arch Linux hosts ==<br />
<br />
In order to launch VirtualBox virtual machines on your Arch Linux box, follow these installation steps.<br />
<br />
=== Install the core packages ===<br />
<br />
[[Install]] the {{Pkg|virtualbox}} package. You will need to choose a package to provide host modules:<br />
<br />
* for {{Pkg|linux}} kernel choose {{Pkg|virtualbox-host-modules-arch}}<br />
* for other [[kernels]] choose {{Pkg|virtualbox-host-dkms}}<br />
<br />
To compile the VirtualBox modules provided by {{Pkg|virtualbox-host-dkms}}, it will also be necessary to install the appropriate headers package(s) for your installed kernel(s) (e.g. {{Pkg|linux-lts-headers}} for {{Pkg|linux-lts}}). [https://lists.archlinux.org/pipermail/arch-dev-public/2016-March/027808.html] When either VirtualBox or the kernel is updated, the kernel modules will be automatically recompiled thanks to the [[DKMS]] Pacman hook.<br />
<br />
=== Sign modules ===<br />
<br />
When using a custom kernel with {{ic|CONFIG_MODULE_SIG_FORCE}} option enabled, you must sign your modules with a key generated during kernel compilation.<br />
<br />
Navigate to your kernel tree folder and execute the following command:<br />
<br />
 # for module in /lib/modules/$(uname -r)/kernel/misc/{vboxdrv,vboxnetadp,vboxnetflt,vboxpci}.ko; do ./scripts/sign-file sha1 certs/signing_key.pem certs/signing_key.x509 "$module"; done<br />
<br />
{{Note|Hashing algorithm does not have to match the one configured, but it must be built into the kernel.}}<br />
<br />
=== Load the VirtualBox kernel modules ===<br />
<br />
{{Pkg|virtualbox-host-modules-arch}} and {{Pkg|virtualbox-host-dkms}} use {{ic|systemd-modules-load.service}} to load all four VirtualBox modules automatically at boot time. For the modules to be loaded after installation, either reboot or load the modules once manually.<br />
<br />
{{Note|If you do not want the VirtualBox modules to be automatically loaded at boot time, you have to [[mask]] the default {{ic|/usr/lib/modules-load.d/virtualbox-host-modules-arch.conf}} (or {{ic|/usr/lib/modules-load.d/virtualbox-host-dkms.conf}}) by creating an empty file (or symlink to {{ic|/dev/null}}) with the same name in {{ic|/etc/modules-load.d/}}.}}<br />
<br />
Among the [[kernel modules]] VirtualBox uses, there is a mandatory module named {{ic|vboxdrv}}, which must be loaded before any virtual machines can run.<br />
<br />
To load the module manually, run:<br />
<br />
# modprobe vboxdrv<br />
<br />
The following modules are only required in advanced configurations:<br />
<br />
* {{ic|vboxnetadp}} and {{ic|vboxnetflt}} are both needed when you intend to use the [https://www.virtualbox.org/manual/ch06.html#network_bridged bridged] or [https://www.virtualbox.org/manual/ch06.html#network_hostonly host-only networking] feature. More precisely, {{ic|vboxnetadp}} is needed to create the host interface in the VirtualBox global preferences, and {{ic|vboxnetflt}} is needed to launch a virtual machine using that network interface.<br />
* {{ic|vboxpci}} is needed when your virtual machine needs to pass through a PCI device on your host.<br />
<br />
{{Note|If the VirtualBox kernel modules were loaded in the kernel while you updated the modules, you need to reload them manually to use the new updated version. To do it, run {{ic|vboxreload}} as root.}}<br />
<br />
=== Accessing host USB devices in guest ===<br />
<br />
To use the USB ports of your host machine in your virtual machines, add users that will be authorized to use this feature to the {{ic|vboxusers}} [[user group]].<br />
<br />
=== Guest additions disc ===<br />
<br />
It is also recommended to install the {{Pkg|virtualbox-guest-iso}} package on the host running VirtualBox. This package will act as a disc image that can be used to install the guest additions onto guest systems other than Arch Linux. The ''.iso'' file will be located at {{ic|/usr/lib/virtualbox/additions/VBoxGuestAdditions.iso}}, and may have to be mounted manually inside the virtual machine. Once mounted, you can run the guest additions installer inside the guest.<br />
<br />
=== Extension pack ===<br />
<br />
The Oracle Extension Pack provides [https://www.virtualbox.org/manual/ch01.html#intro-installing additional features] and is released under a non-free license '''only available for personal use'''. To install it, the {{aur|virtualbox-ext-oracle}} package is available, and a prebuilt version can be found in the [[Unofficial user repositories#seblu|seblu]] repository.<br />
<br />
If you prefer the traditional, manual way, download the extension and install it via the GUI (''File > Preferences > Extensions'') or via {{ic|VBoxManage extpack install <.vbox-extpack>}}. Make sure you have a toolkit like [[Polkit]] to grant privileged access to VirtualBox, since the installation of this extension [https://www.virtualbox.org/ticket/8473 requires root access].<br />
<br />
=== Front-ends ===<br />
<br />
VirtualBox comes with three front-ends:<br />
<br />
* If you want to use VirtualBox with the regular GUI, use {{ic|VirtualBox}}.<br />
* If you want to launch and manage your virtual machines from the command-line, use the {{ic|VBoxSDL}} command, which only provides a plain window for the virtual machine without any overlays.<br />
* If you want to use VirtualBox without running any GUI (e.g. on a server), use the {{ic|VBoxHeadless}} command. With the VRDP extension you can still remotely access the displays of your virtual machines.<br />
<br />
Finally, you can also use [[phpVirtualBox]] to administrate your virtual machines via a web interface.<br />
<br />
Refer to the [https://www.virtualbox.org/manual VirtualBox manual] to learn how to create virtual machines.<br />
<br />
{{Warning|If you intend to store virtual disk images on a [[Btrfs]] file system, before creating any images, you should consider disabling [[Btrfs#Copy-on-Write (CoW)|copy-on-write]] for the destination directory of these images.}}<br />
<br />
== Installation steps for Arch Linux guests ==<br />
<br />
Boot the Arch installation media through one of the virtual machine's virtual drives. Then, complete the installation of a basic Arch system as explained in the [[Installation guide]].<br />
<br />
=== Installation in EFI mode ===<br />
<br />
{{Expansion|Explain how to set firmware to {{ic|efi32}} (i.e. IA32 UEFI).}}<br />
<br />
If you want to install Arch Linux in EFI mode inside VirtualBox, in the settings of the virtual machine, choose ''System'' item from the panel on the left and ''Motherboard'' tab from the right panel, and check the checkbox ''Enable EFI (special OSes only)''. After selecting the kernel from the Arch Linux installation media's menu, the media will hang for a minute or two and will continue to boot the kernel normally afterwards. Be patient.<br />
<br />
Once the system and the boot loader are installed, VirtualBox will first attempt to run {{ic|/EFI/BOOT/BOOTX64.EFI}} from the [[ESP]]. If that first option fails, VirtualBox will then try the EFI shell script {{ic|startup.nsh}} from the root of the ESP. This means that in order to boot the system you have the following options:<br />
<br />
* [[Unified Extensible Firmware Interface#UEFI Shell|Launch the bootloader manually]] from the EFI shell every time;<br />
* Move the bootloader to the default {{ic|/EFI/BOOT/BOOTX64.EFI}} path;<br />
* Create a script named {{ic|startup.nsh}} at the ESP root containing the path to the boot loader application, e.g. {{ic|\EFI\grub\grubx64.efi}}.<br />
* Boot directly from the ESP partition using a [[EFISTUB#Using a startup.nsh script|startup.nsh script]]. <br />
<br />
Do not bother with the VirtualBox Boot Manager (accessible with {{ic|F2}} at boot), as it is buggy and incomplete. It does not store efivars set interactively. Therefore, EFI entries added to it manually in the firmware (accessed with {{ic|F12}} at boot time) or with {{Pkg|efibootmgr}} will persist after a reboot [https://www.virtualbox.org/ticket/11177 but are lost when the VM is shut down].<br />
<br />
See also [https://bbs.archlinux.org/viewtopic.php?id=158003 UEFI VirtualBox installation boot problems].<br />
<br />
=== Install the Guest Additions ===<br />
<br />
VirtualBox [https://www.virtualbox.org/manual/ch04.html Guest Additions] provides drivers and applications that optimize the guest operating system including improved image resolution and better control of the mouse. Within the installed guest system, install:<br />
<br />
* {{Pkg|virtualbox-guest-utils}} for VirtualBox Guest utilities with X support<br />
* {{Pkg|virtualbox-guest-utils-nox}} for VirtualBox Guest utilities without X support<br />
<br />
Both packages will make you choose a package to provide guest modules:<br />
<br />
* for the default {{Pkg|linux}} kernel choose {{Pkg|virtualbox-guest-modules-arch}}<br />
* for non-default [[kernels]] choose {{Pkg|virtualbox-guest-dkms}}<br />
<br />
To compile the virtualbox modules provided by {{Pkg|virtualbox-guest-dkms}}, it will also be necessary to install the appropriate headers package(s) for your installed kernel(s) (e.g. {{Pkg|linux-lts-headers}} for {{Pkg|linux-lts}}). [https://lists.archlinux.org/pipermail/arch-dev-public/2016-March/027808.html] When either VirtualBox or the kernel is updated, the kernel modules will be automatically recompiled thanks to the [[DKMS]] Pacman hook.<br />
<br />
{{Note|<nowiki></nowiki><br />
* You can alternatively install the Guest Additions with the ISO from the {{Pkg|virtualbox-guest-iso}} package, provided you installed this on the host system. To do this, go to the device menu and click ''Insert Guest Additions CD Image''.<br />
* To recompile the vbox kernel modules, run {{ic|rcvboxdrv}} as root.<br />
}}<br />
<br />
The guest additions running on your guest, and the VirtualBox application running on your host must have matching versions, otherwise the guest additions (like shared clipboard) may stop working. If you upgrade your guest (e.g. {{ic|pacman -Syu}}), make sure your VirtualBox application on this host is also the latest version. "Check for updates" in the VirtualBox GUI is sometimes not sufficient; check the [https://www.virtualbox.org/ VirtualBox.org] website.<br />
<br />
=== Set optimal framebuffer resolution ===<br />
<br />
{{Merge|VirtualBox/Tips and tricks#Set guest starting resolution|Keep guest resolution information in one place.}}<br />
<br />
Typically after installing Guest Additions, a fullscreen Arch guest running X will be set to the optimal resolution for your display; however, the virtual console's framebuffer will be set to a standard, often smaller, resolution detected from VirtualBox's custom VESA driver.<br />
<br />
To use the virtual consoles at optimal resolution, Arch needs to recognize that resolution as valid, which in turn requires VirtualBox to pass this information along to the guest OS.<br />
<br />
First, check if your desired resolution is not already recognized by running the command:<br />
<br />
hwinfo --framebuffer<br />
<br />
If the optimal resolution does not show up, then you will need to run the {{ic|VBoxManage}} tool on the host machine and add "extra resolutions" to your virtual machine (on a Windows host, go to the VirtualBox installation directory to find {{ic|VBoxManage.exe}}). For example:<br />
<br />
$ VBoxManage setextradata "Arch Linux" "CustomVideoMode1" "1360x768x24"<br />
<br />
The parameters "Arch Linux" and "1360x768x24" in the example above should be replaced with your VM name and the desired framebuffer resolution. Incidentally, this command allows for defining up to 16 extra resolutions ("CustomVideoMode1" through "CustomVideoMode16").<br />
<br />
Afterwards, restart the virtual machine and run {{ic|hwinfo --framebuffer}} once more to verify that the new resolutions have been recognized by your guest system (which does not guarantee they will all work, depending on your hardware limitations).<br />
<br />
{{Note|As of VirtualBox 5.2, {{ic|hwinfo --framebuffer}} might not show any output, but you should still be able to set a custom resolution following this procedure.}}<br />
<br />
Finally, add a {{ic|1=video=''resolution''}} [[kernel parameter]] to set the framebuffer to the new resolution, for example:<br />
<br />
video=1360x768<br />
<br />
Additionally you may want to configure your [[bootloader]] to use the same resolution. If you use GRUB, see [[GRUB/Tips and tricks#Setting the framebuffer resolution]].<br />
<br />
{{Note|Neither the kernel parameter {{ic|vga}} nor the bootloader's resolution settings (e.g. GRUB's {{ic|GRUB_GFXPAYLOAD_LINUX}}) will fix the framebuffer, since they are overridden by virtue of Kernel Mode Setting. The framebuffer resolution must be set by the kernel parameter {{ic|video}} as described above.}}<br />
<br />
=== Load the VirtualBox kernel modules ===<br />
<br />
To load the modules automatically, [[enable]] {{ic|vboxservice.service}} which loads the modules and synchronizes the guest's system time with the host.<br />
<br />
To load the modules manually, type:<br />
<br />
# modprobe -a vboxguest vboxsf vboxvideo<br />
<br />
{{Pkg|virtualbox-guest-dkms}} uses {{ic|systemd-modules-load.service}} to load its modules at boot time.<br />
<br />
{{Note|If you do not want the VirtualBox modules to be loaded at boot time, you have to [[mask]] the default {{ic|/usr/lib/modules-load.d/virtualbox-guest-dkms.conf}} by creating an empty file (or symlink to {{ic|/dev/null}}) with the same name in {{ic|/etc/modules-load.d/}}.}}<br />
<br />
=== Launch the VirtualBox guest services ===<br />
<br />
After the rather big installation step dealing with VirtualBox kernel modules, now you need to start the guest services. The guest services are actually just a binary executable called {{ic|VBoxClient}} which will interact with your X Window System. {{ic|VBoxClient}} manages the following features:<br />
<br />
* shared clipboard and drag and drop between the host and the guest;<br />
* seamless window mode;<br />
* the guest display is automatically resized according to the size of the guest window;<br />
* checking the VirtualBox host version<br />
<br />
All of these features can be enabled independently with their dedicated flags:<br />
<br />
$ VBoxClient --clipboard<br />
$ VBoxClient --draganddrop<br />
$ VBoxClient --seamless<br />
$ VBoxClient --display<br />
$ VBoxClient --checkhostversion<br />
$ VBoxClient --vmsvga-x11<br />
<br />
Notice that {{ic|VBoxClient}} can only be called with one flag at a time, each call spawning a dedicated service process. As a shortcut, the {{ic|VBoxClient-all}} bash script enables all of these features.<br />
<br />
{{Pkg|virtualbox-guest-utils}} installs {{ic|/etc/xdg/autostart/vboxclient.desktop}} that launches {{ic|VBoxClient-all}} on logon. If your [[desktop environment]] or [[window manager]] does not support [[XDG Autostart]], you will need to set up autostarting yourself, see [[Autostarting#On desktop environment startup]] and [[Autostarting#On window manager startup]] for more details.<br />
<br />
VirtualBox can also synchronize the time between the host and the guest. To do this, [[start/enable]] the {{ic|vboxservice.service}}.<br />
<br />
Now, you should have a working Arch Linux guest. Note that features like clipboard sharing are disabled by default in VirtualBox, and you will need to turn them on in the per-VM settings if you actually want to use them (e.g. ''Settings > General > Advanced > Shared Clipboard'').<br />
<br />
=== Hardware acceleration ===<br />
<br />
Hardware acceleration can be activated in the VirtualBox options. The [[GDM]] display manager 3.16+ is known to break hardware acceleration support. [https://bugzilla.gnome.org/show_bug.cgi?id=749390] So if you get issues with hardware acceleration, try out another display manager (lightdm seems to work fine). [https://bbs.archlinux.org/viewtopic.php?id=200025] [https://bbs.archlinux.org/viewtopic.php?pid=1607593#p1607593]<br />
<br />
If the hardware acceleration does not work as expected, try changing the ''Graphics Controller'' option found under the ''Screen'' tab in the ''Display'' options of the settings GUI. It seems that depending on the host GPU type, not all emulated controllers work equally well.<br />
<br />
=== Enable shared folders ===<br />
<br />
Shared folders are managed on the host, in the settings of the Virtual Machine accessible via the GUI of VirtualBox, in the ''Shared Folders'' tab. There, ''Folder Path'', the name of the mount point identified by ''Folder name'', and options like ''Read-only'', ''Auto-mount'' and ''Make permanent'' can be specified. These parameters can also be defined with the {{ic|VBoxManage}} command line utility. See [https://www.virtualbox.org/manual/ch04.html#sharedfolders the VirtualBox manual] for more details.<br />
<br />
No matter which method you will use to mount your folder, all methods require some steps first.<br />
<br />
To avoid the error {{ic|/sbin/mount.vboxsf: mounting failed with the error: No such device}}, make sure the {{ic|vboxsf}} kernel module is properly loaded. It should be, since we enabled all guest kernel modules previously.<br />
<br />
Two additional steps are needed in order for the mount point to be accessible from users other than root:<br />
<br />
* the {{Pkg|virtualbox-guest-utils}} package created a group {{ic|vboxsf}} (done in a previous step);<br />
* your user must be in {{ic|vboxsf}} [[user group]].<br />
<br />
==== Manual mounting ====<br />
<br />
Use the following command to mount your folder in your Arch Linux guest:<br />
<br />
# mount -t vboxsf -o gid=vboxsf ''shared_folder_name'' ''mount_point_on_guest_system''<br />
<br />
where {{ic|''shared_folder_name''}} is the ''Folder name'' assigned by the hypervisor when the share was created.<br />
<br />
If the user is not in the ''vboxsf'' group, to give them access to our mountpoint we can specify the {{man|8|mount}} options {{ic|1=uid=}} and {{ic|1=gid=}} with the corresponding values of the user. These values can be obtained from the {{ic|id}} command run against this user. For example:<br />
<br />
# mount -t vboxsf -o uid=1000,gid=1000 home /mnt<br />
<br />
==== Automounting ====<br />
<br />
{{Note|Automounting requires the {{ic|vboxservice.service}} to be [[enabled]]/[[started]].}}<br />
<br />
In order for the automounting feature to work you must have checked the auto-mount checkbox in the GUI or used the optional {{ic|--automount}} argument with the command {{ic|VBoxManage sharedfolder}}.<br />
<br />
The shared folder should now appear in {{ic|/media/sf_''shared_folder_name''}}. If users in {{ic|media}} cannot access the shared folders, check that {{ic|media}} has permissions {{ic|755}} or has group ownership {{ic|vboxsf}} if using permission {{ic|750}}. This is currently not the default if media is created by installing {{Pkg|virtualbox-guest-utils}}.<br />
<br />
You can use symlinks if you want more convenient access and to avoid browsing in that directory, e.g.:<br />
<br />
$ ln -s /media/sf_''shared_folder_name'' ~/''my_documents''<br />
<br />
==== Mount at boot ====<br />
<br />
You can mount your directory with [[fstab]]. However, to prevent startup problems with systemd, {{ic|1=noauto,x-systemd.automount}} should be added to {{ic|/etc/fstab}}. This way, the shared folders are mounted only when those mount points are accessed and not during startup. This can avoid some problems, especially if the guest additions are not loaded yet when systemd reads fstab and mounts the partitions.<br />
<br />
''sharedFolderName'' ''/path/to/mntPtOnGuestMachine'' vboxsf uid=''user'',gid=''group'',rw,dmode=700,fmode=600,noauto,x-systemd.automount <br />
<br />
* {{ic|''sharedFolderName''}}: the value from the VirtualMachine's ''Settings > SharedFolders > Edit > FolderName'' menu. This value can be different from the name of the real folder name on the host machine. To see the VirtualMachine's ''Settings'' go to the host OS VirtualBox application, select the corresponding virtual machine and click on ''Settings''.<br />
* {{ic|''/path/to/mntPtOnGuestMachine''}}: if not existing, this directory should be created manually (for example by using [[Core utilities#Essentials|mkdir]]).<br />
* {{ic|dmode}}/{{ic|fmode}} are directory/file permissions for directories/files inside {{ic|''/path/to/mntPtOnGuestMachine''}}.<br />
<br />
As of 2012-08-02, mount.vboxsf does not support the {{ic|nofail}} option:<br />
<br />
''desktop'' ''/media/desktop'' vboxsf uid=''user'',gid=''group'',rw,dmode=700,fmode=600,nofail 0 0<br />
<br />
=== SSH from host to guest ===<br />
<br />
The network tab of the virtual machine settings contains, under "Advanced", a tool to create port forwarding rules. You can use it to forward the guest SSH port {{ic|22}} to a host port, e.g. {{ic|3022}}. With that rule in place,<br />
<br />
user@host$ ssh -p 3022 $USER@localhost<br />
<br />
will establish a connection from Host to Guest.<br />
<br />
==== SSHFS as alternative to the shared folder ====<br />
<br />
Using this port forwarding and sshfs, it is straightforward to mount the Guest filesystem onto the Host one:<br />
<br />
user@host$ sshfs -p 3022 $USER@localhost:$HOME ~/shared_folder<br />
<br />
and then transfer files between both.<br />
<br />
== Virtual disks management ==<br />
<br />
See also [[VirtualBox/Tips and tricks#Import/export VirtualBox virtual machines from/to other hypervisors]].<br />
<br />
=== Formats supported by VirtualBox ===<br />
<br />
VirtualBox supports the following virtual disk formats:<br />
<br />
* '''VDI''': The Virtual Disk Image is VirtualBox's own open container format, used by default when you create a virtual machine with VirtualBox.<br />
* '''VMDK''': The Virtual Machine Disk was initially developed by VMware for its products. The specification was initially closed source, but it has since become an open format which is fully supported by VirtualBox. This format offers the ability to be split into several 2GB files. This feature is especially useful if you want to store the virtual machine on machines which do not support very large files. Other formats, excluding the HDD format from Parallels, do not provide an equivalent feature.<br />
* '''VHD''': The Virtual Hard Disk is the format used by Microsoft in Windows Virtual PC and Hyper-V. If you intend to use any of these Microsoft products, you will have to choose this format.<br />
:{{Tip|Since Windows 7, this format can be mounted directly without any additional application.}} <br />
* '''VHDX''' (read only): This is the eXtended version of the Virtual Hard Disk format developed by Microsoft, which was released on 2012-09-04 with Hyper-V 3.0 coming with Windows Server 2012. This new version of the disk format offers enhanced performance (better block alignment), larger block sizes, and journal support, which brings power failure resiliency. VirtualBox [https://www.virtualbox.org/manual/ch15.html#idp63002176 should support this format in read only].<br />
* '''HDD''' (version 2): The HDD format is developed by Parallels Inc and used in their hypervisor solutions like Parallels Desktop for Mac. Newer versions of this format (i.e. 3 and 4) are not supported due to the lack of documentation for this proprietary format. {{Note|There is currently a controversy regarding the support of the version 2 of the format. While the official VirtualBox manual [https://www.virtualbox.org/manual/ch05.html#vdidetails only reports the second version of the HDD file format as supported], Wikipedia's contributors are [[Wikipedia:Comparison of platform virtual machines#Image type compatibility|reporting the first version may work too]]. Help is welcome if you can perform some tests with the first version of the HDD format.}}<br />
* '''QED''': The QEMU Enhanced Disk format is an old file format for QEMU, another free and open source hypervisor. This format was designed starting in 2010 to provide a superior alternative to QCOW2 and others. It features a fully asynchronous I/O path, strong data integrity, backing files, and sparse files. The QED format is supported only for compatibility with virtual machines created with old versions of QEMU.<br />
* '''QCOW''': The QEMU Copy On Write format is the current format for QEMU. The QCOW format does support zlib-based transparent compression and encryption (the latter is flawed and is not recommended). QCOW is available in two versions: QCOW and QCOW2. QCOW2 tends to supersede the first one. QCOW is [https://www.virtualbox.org/manual/ch15.html#idp63002176 currently fully supported by VirtualBox]. QCOW2 comes in two revisions: QCOW2 0.10 and QCOW2 1.1 (which is the default when you create a virtual disk with QEMU). VirtualBox does not support QCOW2.<br />
* '''OVF''': The Open Virtualization Format is an open format which has been designed for interoperability and distribution of virtual machines between different hypervisors. VirtualBox supports all revisions of this format via the [https://www.virtualbox.org/manual/ch08.html#idp55423424 VBoxManage import/export feature] but with [https://www.virtualbox.org/manual/ch14.html#KnownProblems known limitations].<br />
* '''RAW''': This is the mode when the virtual disk is exposed directly to the disk without being contained in a specific file format container. VirtualBox supports this feature in several ways: by converting a RAW disk [https://www.virtualbox.org/manual/ch08.html#idp59139136 to a specific format], by [https://www.virtualbox.org/manual/ch08.html#vboxmanage-clonevdi cloning a disk to RAW], or by directly using a VMDK file [https://www.virtualbox.org/manual/ch09.html#idp57804112 which points to a physical disk or a simple file].<br />
<br />
=== Disk image format conversion ===<br />
<br />
[https://www.virtualbox.org/manual/ch08.html#vboxmanage-clonevdi VBoxManage clonehd] can be used to convert between VDI, VMDK, VHD and RAW.<br />
<br />
$ VBoxManage clonehd ''inputfile'' ''outputfile'' --format ''outputformat''<br />
<br />
For example to convert VDI to VMDK:<br />
<br />
$ VBoxManage clonehd ''source.vdi'' ''destination.vmdk'' --format VMDK<br />
<br />
==== QCOW ====<br />
<br />
VirtualBox does not support [[QEMU]]'s QCOW2 disk image format. To use a QCOW2 disk image with VirtualBox you therefore need to convert it, which you can do with {{Pkg|qemu}}'s {{ic|qemu-img}} command. {{ic|qemu-img}} can convert QCOW to / from VDI, VMDK, VHDX, RAW and various other formats (which you can see by running {{ic|qemu-img --help}}).<br />
<br />
$ qemu-img convert -O ''output_fmt'' ''inputfile'' ''outputfile''<br />
<br />
For example to convert QCOW2 to VDI:<br />
<br />
$ qemu-img convert -O vdi ''source.qcow2'' ''destination.vdi''<br />
<br />
{{Tip|The {{ic|-p}} parameter shows the progress of the conversion task.}}<br />
<br />
There are two revisions of QCOW2: 0.10 and 1.1. You can specify the revision to use with {{ic|1=-o compat=''revision''}}.<br />
<br />
=== Mount virtual disks ===<br />
<br />
==== VDI ====<br />
<br />
Mounting VDI images only works with fixed size images (a.k.a. static images); dynamic (dynamically size allocating) images are not easily mountable.<br />
<br />
To mount a partition, its offset within the VDI file is needed: take the value of {{ic|offData}} reported by the following command and add {{ic|32256}} to it (e.g. 69632 + 32256 = 101888):<br />
<br />
$ VBoxManage internalcommands dumphdinfo <storage.vdi> | grep "offData"<br />
<br />
The storage can now be mounted with:<br />
<br />
# mount -t ext4 -o rw,noatime,noexec,loop,offset=101888 <storage.vdi> /mntpoint/<br />
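<br />
The offset calculation above, as an added example that is not part of the original page or of VirtualBox. It reads {{ic|offData}} from the VDI header and goes one step further than the text by taking the partition start from the MBR inside the image instead of assuming sector 63 (63 × 512 = 32256). The header field positions (signature at 0x40, image type at 0x4C, {{ic|offData}} at 0x158) are assumptions based on the VDI 1.1 header layout, and all function names are hypothetical.<br />

```python
import io
import struct

# Assumed VDI 1.1 header layout (not taken from the page):
VDI_SIGNATURE = 0xBEDA107F             # little-endian u32 at byte 0x40
IMAGE_TYPES = {1: "dynamic", 2: "fixed"}  # u32 at byte 0x4C
SECTOR = 512


def parse_vdi_header(header: bytes) -> dict:
    """Decode the header fields needed to loop-mount a VDI image."""
    if len(header) < 0x15C:
        raise ValueError("VDI header truncated")
    signature, _version, _size, image_type = struct.unpack_from("<4I", header, 0x40)
    if signature != VDI_SIGNATURE:
        raise ValueError("bad signature, not a VDI image")
    off_blocks, off_data = struct.unpack_from("<2I", header, 0x154)
    return {"type": IMAGE_TYPES.get(image_type, "unknown"),
            "offBlocks": off_blocks, "offData": off_data}


def mount_offsets(img) -> list:
    """Return (partition number, MBR type, byte offset) for each MBR partition.

    The byte offset is the value to pass to `mount -o loop,offset=...`.
    Only fixed-size images are accepted, as in the text above.
    """
    img.seek(0)
    hdr = parse_vdi_header(img.read(SECTOR))
    if hdr["type"] != "fixed":
        raise ValueError("image is %s; only fixed-size VDIs map linearly" % hdr["type"])
    img.seek(hdr["offData"])
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offData")
    found = []
    for n in range(4):
        entry = mbr[446 + 16 * n: 446 + 16 * (n + 1)]
        ptype = entry[4]
        start_lba = struct.unpack_from("<I", entry, 8)[0]
        if ptype == 0x00:          # unused slot
            continue
        if ptype == 0xEE:          # protective MBR: the disk is GPT
            raise ValueError("GPT disk; use qemu-nbd instead of a fixed offset")
        found.append((n + 1, ptype, hdr["offData"] + start_lba * SECTOR))
    return found


def build_sample_vdi(image_type=2, off_data=69632, start_lba=63) -> io.BytesIO:
    """Constructed sample: a minimal header plus an MBR with one Linux partition."""
    header = bytearray(SECTOR)
    struct.pack_into("<4I", header, 0x40, VDI_SIGNATURE, 0x00010001, 0x190, image_type)
    struct.pack_into("<2I", header, 0x154, 0x200, off_data)
    mbr = bytearray(SECTOR)
    mbr[446 + 4] = 0x83                              # partition type: Linux
    struct.pack_into("<I", mbr, 446 + 8, start_lba)  # first sector of partition 1
    mbr[510:512] = b"\x55\xaa"
    return io.BytesIO(bytes(header) + bytes(off_data - SECTOR) + bytes(mbr))


if __name__ == "__main__":
    for number, ptype, offset in mount_offsets(build_sample_vdi()):
        print("partition %d (type 0x%02x): offset=%d" % (number, ptype, offset))
```

On a real image, open the file in binary mode and pass the file object to {{ic|mount_offsets}}; a partition aligned at sector 2048 yields a different offset than the 32256 used above.<br />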
<br />
You can also use the [https://github.com/pld-linux/VirtualBox/blob/master/mount.vdi mount.vdi] script (install the script itself to {{ic|/usr/bin/}}), which you can use as follows:<br />
<br />
# mount -t vdi -o fstype=ext4,rw,noatime,noexec ''vdi_file_location'' ''/mnt/''<br />
<br />
Alternatively, you can use {{Pkg|qemu}}'s kernel module, which can do this [http://bethesignal.org/blog/2011/01/05/how-to-mount-virtualbox-vdi-image/ attrib]:<br />
<br />
# modprobe nbd max_part=16<br />
# qemu-nbd -c /dev/nbd0 <storage.vdi><br />
# mount /dev/nbd0p1 /mnt/dir/<br />
# # to unmount:<br />
# umount /mnt/dir/<br />
# qemu-nbd -d /dev/nbd0<br />
<br />
If the partition nodes are not propagated, try using {{ic|partprobe /dev/nbd0}}; otherwise, a VDI partition can be mapped directly to a node by: {{ic|qemu-nbd -P 1 -c /dev/nbd0 <storage.vdi>}}.<br />
<br />
==== VHD ====<br />
<br />
Like VDI, VHD images can be mounted with [[QEMU]]'s nbd module:<br />
<br />
# modprobe nbd<br />
# qemu-nbd -c /dev/nbd0 ''storage''.vhd<br />
# mount /dev/nbd0p1 /mnt<br />
<br />
To unmount:<br />
<br />
# umount /mnt<br />
# qemu-nbd -d /dev/nbd0<br />
<br />
=== Compact virtual disks ===<br />
<br />
Compacting virtual disks only works with ''.vdi'' files and basically consists of the following steps.<br />
<br />
Boot your virtual machine and remove all bloat manually or by using cleaning tools like {{Pkg|bleachbit}} which is [http://bleachbit.sourceforge.net/download/windows available for Windows systems too].<br />
<br />
Wiping free space with zeroes can be achieved with several tools:<br />
<br />
* If you were previously using Bleachbit, check the checkbox ''System > Free disk space'' in the GUI, or use {{ic|bleachbit -c system.free_disk_space}} in CLI;<br />
* On UNIX-based systems, by using {{ic|dd}} or preferably {{Pkg|dcfldd}} (see [http://superuser.com/a/355322 here] to learn the differences):<br />
:{{bc|1=# dcfldd if=/dev/zero of=''/fillfile'' bs=4M}}<br />
:When {{ic|fillfile}} reaches the limit of the partition, you will get a message like {{ic|1280 blocks (5120Mb) written.dcfldd:: No space left on device}}. This means that all of the user-space and non-reserved blocks of the partition will be filled with zeros. Using this command as root is important to make sure all free blocks have been overwritten. Indeed, by default, when using partitions with ext filesystem, a specified percentage of filesystem blocks is reserved for the super-user (see the {{ic|-m}} argument in the {{ic|mkfs.ext4}} man pages or use {{ic|tune2fs -l}} to see how much space is reserved for root applications).<br />
:When the aforementioned process has completed, you can remove the file {{ic|''fillfile''}} you created.<br />
<br />
* On Windows, there are two tools available:<br />
** {{ic|sdelete}} from the [http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx Sysinternals Suite], type {{ic|sdelete -s -z ''c:''}}, where you need to reexecute the command for each drive you have in your virtual machine;<br />
** or, if you love scripts, there is a [http://blog.whatsupduck.net/2012/03/powershell-alternative-to-sdelete.html PowerShell solution], which still needs to be repeated for all drives.<br />
::{{bc|PS> ./Write-ZeroesToFreeSpace.ps1 -Root ''c:\'' -PercentFree 0}}<br />
::{{Note|This script must be run in a PowerShell environment with administrator privileges. By default, scripts cannot be run; ensure the execution policy is set to at least {{ic|RemoteSigned}} and not to {{ic|Restricted}}. This can be checked with {{ic|Get-ExecutionPolicy}} and the required policy can be set with {{ic|Set-ExecutionPolicy RemoteSigned}}.}}<br />
<br />
Once the free disk space has been wiped, shut down your virtual machine.<br />
<br />
The next time you boot your virtual machine, it is recommended to do a filesystem check.<br />
<br />
* On UNIX-based systems, you can use {{ic|fsck}} manually;<br />
** On GNU/Linux systems, and thus on Arch Linux, you can force a disk check at boot [[Fsck#Forcing the check|thanks to a kernel boot parameter]];<br />
* On Windows systems, you can use:<br />
** either {{ic|chkdsk ''c:'' /F}} where {{ic|''c:''}} needs to be replaced by each disk you need to scan and fix errors;<br />
** or {{ic|FsckDskAll}} [http://therightstuff.de/2009/02/14/ChkDskAll-ChkDsk-For-All-Drives.aspx from here] which is basically the same software as {{ic|chkdsk}}, but without the need to repeat the command for all drives;<br />
<br />
Now, remove the zeros from the ''.vdi'' file with [https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvdi VBoxManage modifyhd]:<br />
<br />
$ VBoxManage modifyhd ''your_disk.vdi'' --compact<br />
<br />
{{Note|If your virtual machine has snapshots, you need to apply the above command to each {{ic|.vdi}} file you have.}}<br />
<br />
=== Increase virtual disks ===<br />
<br />
==== General procedure ====<br />
<br />
If you are running out of space due to the small hard drive size you selected when you created your virtual machine, the solution advised by the VirtualBox manual is to use [https://www.virtualbox.org/manual/ch08.html#vboxmanage-modifyvdi VBoxManage modifyhd]. However, this command only works for VDI and VHD disks and only for the dynamically allocated variants. If you want to resize a fixed size virtual disk too, read on for a trick which works for both Windows and UNIX-like virtual machines.<br />
<br />
First, create a new virtual disk next to the one you want to increase:<br />
<br />
$ VBoxManage createhd -filename ''new.vdi'' --size ''10000''<br />
<br />
where size is in MiB, in this example 10000MiB ~= 10GiB, and ''new.vdi'' is the name of the new hard drive to be created.<br />
<br />
{{Note|By default, this command uses the ''Standard'' (corresponding to dynamically allocated) file format variant and thus will not use the same file format variant as your source virtual disk. If your ''old.vdi'' has a fixed size and you want to keep this variant, add the parameter {{ic|--variant Fixed}}.}}<br />
<br />
Next, the old virtual disk needs to be cloned to the new one, which may take some time:<br />
<br />
$ VBoxManage clonehd ''old.vdi'' ''new.vdi'' --existing<br />
<br />
Detach the old hard drive and attach the new one, replacing all mandatory italic arguments with your own:<br />
<br />
$ VBoxManage storageattach ''VM_name'' --storagectl ''SATA'' --port ''0'' --medium none<br />
$ VBoxManage storageattach ''VM_name'' --storagectl ''SATA'' --port ''0'' --medium ''new.vdi'' --type hdd<br />
<br />
To get the storage controller name and the port number, you can use the command {{ic|VBoxManage showvminfo ''VM_name''}}. The output will contain something like the following (what you are looking for is in italic):<br />
<br />
{{bc|<br />
[...]<br />
Storage Controller Name (0): IDE<br />
Storage Controller Type (0): PIIX4<br />
Storage Controller Instance Number (0): 0<br />
Storage Controller Max Port Count (0): 2<br />
Storage Controller Port Count (0): 2<br />
Storage Controller Bootable (0): on<br />
Storage Controller Name (1): SATA<br />
Storage Controller Type (1): IntelAhci<br />
Storage Controller Instance Number (1): 0<br />
Storage Controller Max Port Count (1): 30<br />
Storage Controller Port Count (1): 1<br />
Storage Controller Bootable (1): on<br />
IDE (1, 0): Empty<br />
''SATA'' (''0'', 0): /home/wget/IT/Virtual_machines/GNU_Linux_distributions/ArchLinux_x64_EFI/Snapshots/{6bb17af7-e8a2-4bbf-baac-fbba05ebd704}.vdi (UUID: 6bb17af7-e8a2-4bbf-baac-fbba05ebd704)<br />
[...]<br />
}}<br />
<br />
Download the [http://gparted.org/download.php GParted live image] and mount it as a virtual CD/DVD disk file, boot your virtual machine, increase/move your partitions, unmount GParted live and reboot.<br />
<br />
{{Note|On GPT disks, increasing the size of the disk will result in the backup GPT header not being at the end of the device. GParted will ask to fix this, click on ''Fix'' both times. On MBR disks, you do not have such a problem as this partition table has no trailer at the end of the disk.}}<br />
<br />
Finally, unregister the virtual disk from VirtualBox and remove the file:<br />
<br />
$ VBoxManage closemedium disk ''old.vdi''<br />
$ rm ''old.vdi''<br />
<br />
==== Increasing the size of VDI disks ====<br />
<br />
If your disk is a VDI one, run:<br />
<br />
$ VBoxManage modifyhd ''your_virtual_disk.vdi'' --resize ''the_new_size''<br />
<br />
Then jump back to the GParted step to increase the size of the partition on the virtual disk.<br />
<br />
=== Replace a virtual disk manually from the .vbox file ===<br />
<br />
If you find editing a simple ''XML'' file more convenient than using the GUI or {{ic|VBoxManage}} and you want to replace (or add) a virtual disk in your virtual machine, open the ''.vbox'' configuration file corresponding to your virtual machine and adjust the GUID, the file location and the format to your needs:<br />
<br />
{{hc|ArchLinux_vm.vbox|2=<br />
<HardDisk uuid="''{670157e5-8bd4-4f7b-8b96-9ee412a712b5}''" location="''ArchLinux_vm.vdi''" format="''VDI''" type="Normal"/><br />
}}<br />
<br />
Then, in the {{ic|<AttachedDevice>}} sub-tag of {{ic|<StorageController>}}, replace the GUID with the new one.<br />
<br />
{{hc|ArchLinux_vm.vbox|2=<br />
<AttachedDevice type="HardDisk" port="0" device="0"><br />
<Image uuid="''{670157e5-8bd4-4f7b-8b96-9ee412a712b5}''"/><br />
</AttachedDevice><br />
}}<br />
<br />
{{Note|If you do not know the GUID of the drive you want to add, you can use {{ic|VBoxManage showhdinfo ''file''}}. If you previously used {{ic|VBoxManage clonehd}} to copy/convert your virtual disk, this command should have printed the GUID just after the copy/conversion completed. Using a random GUID does not work, as each [http://www.virtualbox.org/manual/ch05.html#cloningvdis UUID is stored inside each disk image].}}<br />
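<br />
A consistency check to run after hand-editing a ''.vbox'' file, as an added example that is not part of the original page or of VirtualBox: it reports every {{ic|<Image>}} attached to a storage controller whose UUID has no matching {{ic|<HardDisk>}} entry, and any UUID registered twice. The sample document, its UUIDs and the function names are constructed for illustration.<br />

```python
import xml.etree.ElementTree as ET

# Constructed sample: port 0 points at a registered snapshot disk,
# port 1 still carries a UUID that no <HardDisk> entry declares.
SAMPLE_VBOX = """<VirtualBox xmlns="http://www.virtualbox.org/">
  <Machine name="ArchLinux_vm">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{11111111-1111-4111-8111-111111111111}" location="ArchLinux_vm.vdi" format="VDI" type="Normal">
          <HardDisk uuid="{22222222-2222-4222-8222-222222222222}" location="Snapshots/{22222222-2222-4222-8222-222222222222}.vdi" format="VDI"/>
        </HardDisk>
      </HardDisks>
    </MediaRegistry>
    <StorageControllers>
      <StorageController name="SATA">
        <AttachedDevice type="HardDisk" port="0" device="0">
          <Image uuid="{22222222-2222-4222-8222-222222222222}"/>
        </AttachedDevice>
        <AttachedDevice type="HardDisk" port="1" device="0">
          <Image uuid="{33333333-3333-4333-8333-333333333333}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
  </Machine>
</VirtualBox>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _norm(uuid: str) -> str:
    """Compare UUIDs without braces and case differences."""
    return uuid.strip("{}").lower()


def check_vbox(xml_text: str) -> dict:
    """Cross-check attached disk images against the registered hard disks."""
    root = ET.fromstring(xml_text)
    registered, duplicates, attached = {}, [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == "HardDisk":                 # includes nested snapshot disks
            uuid = _norm(el.get("uuid", ""))
            if uuid in registered:
                duplicates.append(uuid)
            registered[uuid] = el.get("location")
        elif name == "StorageController":
            for dev in el:
                if _local(dev.tag) != "AttachedDevice" or dev.get("type") != "HardDisk":
                    continue
                for img in dev:
                    if _local(img.tag) == "Image":
                        attached.append((el.get("name"), dev.get("port"),
                                         dev.get("device"), _norm(img.get("uuid", ""))))
    dangling = [a for a in attached if a[3] not in registered]
    return {"registered": registered, "dangling": dangling, "duplicates": duplicates}


if __name__ == "__main__":
    report = check_vbox(SAMPLE_VBOX)
    for ctl, port, device, uuid in report["dangling"]:
        print("%s port %s device %s: no <HardDisk> entry for {%s}" % (ctl, port, device, uuid))
    for uuid in report["duplicates"]:
        print("UUID registered more than once: {%s}" % uuid)
```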
<br />
==== Transfer between Linux host and other OS ====<br />
<br />
The paths to the hard disks and the snapshots are stored between the {{ic|<HardDisks> .... </HardDisks>}} tags in the file with the ''.vbox'' extension. You can edit them manually or use the following script, where you only need to change the path or use the defaults, assuming that the ''.vbox'' file is in the same directory as the virtual hard disk and the snapshots folder. It prints the new configuration to stdout.<br />
<br />
{{bc|1=
#!/bin/bash<br />
# Rewrite every <HardDisk> location in a .vbox file to point at the current directory.<br />
NewPath="${PWD}/"<br />
Snapshots="Snapshots/"<br />
Filename="$1"<br />
<br />
awk -v SetPath="$NewPath" -v SnapPath="$Snapshots" '{if(index($0,"<HardDisk uuid=") != 0){A=$3;split(A,B,"=");<br />
L=B[2];<br />
gsub(/\"/,"",L);     # drop the quotes around the old location<br />
sub(/^.*\//,"",L);   # strip a UNIX-style directory prefix<br />
sub(/^.*\\/,"",L);   # strip a Windows-style directory prefix<br />
if(index($3,"{") != 0){SnapS=SnapPath}else{SnapS=""};<br />
print $1" "$2" location=\"" SetPath SnapS L "\" "$4" "$5}<br />
else print $0}' "$Filename"<br />
}}<br />
<br />
{{Note|<br />
* If you are preparing the virtual machine for use on a Windows host, end the path name with a backslash \ instead of / .<br />
* The script detects snapshots by looking for {{ic|{}} in the file name.<br />
* To run the virtual machine on a new host, you first need to register it by clicking on '''Machine -> Add...''' (or using the hotkey Ctrl+A) and browsing to the ''.vbox'' file that contains the configuration, or by using the command line {{ic|VBoxManage registervm ''filename''.vbox}}<br />
}}<br />
<br />
=== Clone a virtual disk and assign a new UUID to it ===<br />
<br />
UUIDs are widely used by VirtualBox. Each virtual machine and each virtual disk of a virtual machine must have a different UUID. When you launch a virtual machine in VirtualBox, VirtualBox will keep track of all UUIDs of your virtual machine instance. See [http://www.virtualbox.org/manual/ch08.html#vboxmanage-list VBoxManage list] to list the items registered with VirtualBox.<br />
<br />
If you cloned a virtual disk manually by copying the virtual disk file, you will need to assign a new UUID to the cloned virtual drive if you want to use the disk in the same virtual machine or even in another (if that one has already been opened, and thus registered, with VirtualBox).<br />
<br />
You can use this command to assign a new UUID to a virtual disk:<br />
<br />
$ VBoxManage internalcommands sethduuid ''/path/to/disk.vdi''<br />
<br />
{{Tip|To avoid copying the virtual disk and assigning a new UUID to your file manually you can use [http://www.virtualbox.org/manual/ch08.html#vboxmanage-clonevdi VBoxManage clonehd].}}<br />
<br />
{{Note|The commands above support all [[#Formats supported by VirtualBox|virtual disk formats supported by VirtualBox]].}}<br />
<br />
== Tips and tricks ==<br />
<br />
For advanced configuration, see [[VirtualBox/Tips and tricks]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Keyboard and mouse are locked into virtual machine ===<br />
<br />
This means your virtual machine has captured the input of your keyboard and your mouse. Simply press the right {{ic|Ctrl}} key and your input should control your host again.<br />
<br />
To control your virtual machine transparently, with your mouse going back and forth between guest and host without having to press any key, and thus have a seamless integration, install the guest additions inside the guest. Read from the [[#Install the Guest Additions]] step if your guest is Arch Linux, otherwise read the official VirtualBox help.<br />
<br />
=== No 64-bit OS client options ===<br />
<br />
If no 64-bit options are available when launching a VM client, make sure your CPU virtualization capabilities (usually named {{ic|VT-x}}) are enabled in the BIOS.<br />
<br />
If you are using a Windows host, you may need to disable Hyper-V, as it prevents VirtualBox from using VT-x. [https://www.virtualbox.org/ticket/12350]<br />
<br />
=== VirtualBox GUI does not match host GTK theme ===<br />
<br />
See [[Uniform look for Qt and GTK applications]] for information about theming Qt-based applications like VirtualBox.<br />
<br />
=== Cannot send Ctrl+Alt+Fn to guest ===<br />
<br />
Your guest operating system is a GNU/Linux distribution and you want to open a new TTY shell by hitting {{ic|Ctrl+Alt+F2}} or exit your current X session with {{ic|Ctrl+Alt+Backspace}}. If you type these keyboard shortcuts without any adaptation, the guest will not receive any input and the host (if it is a GNU/Linux distribution too) will intercept these shortcut keys. To send {{ic|Ctrl+Alt+F2}} to the guest for example, simply hit your ''Host Key'' (usually the right {{ic|Ctrl}} key) and press {{ic|F2}} simultaneously.<br />
<br />
=== USB subsystem not working ===<br />
<br />
Your user must be in the {{ic|vboxusers}} group and you need to install the [[#Extension pack|extension pack]] if you want USB 2 support. Then you will be able to enable USB 2 in the VM settings and add one or several filters for the devices you want to access from the guest OS.<br />
<br />
If {{ic|VBoxManage list usbhost}} does not show any USB devices even if run as root, make sure that there are no old udev rules (from VirtualBox 4.x) in {{ic|/etc/udev/rules.d/}}. VirtualBox 5.0 installs udev rules to {{ic|/usr/lib/udev/rules.d/}}. You can use a command like {{ic|pacman -Qo /usr/lib/udev/rules.d/60-vboxdrv.rules}} to determine if the udev rule file is outdated.<br />
<br />
Sometimes, on old Linux hosts, the USB subsystem is not auto-detected, resulting in an error {{ic|Could not load the Host USB Proxy service: VERR_NOT_FOUND}} or in a USB drive not being visible on the host, [https://bbs.archlinux.org/viewtopic.php?id=121377 even when the user is in the '''vboxusers''' group]. This problem is due to the fact that VirtualBox switched from ''usbfs'' to ''sysfs'' in version 3.0.8. If the host does not understand this change, you can revert to the old behaviour by defining the following environment variable in any file that is sourced by your shell (e.g. your {{ic|~/.bashrc}} if you are using ''bash''):<br />
<br />
{{hc|~/.bashrc|2=<br />
VBOX_USB=usbfs<br />
}}<br />
<br />
Then make sure the environment has been made aware of this change (reconnect, source the file manually, launch a new shell instance or reboot).<br />
<br />
Also make sure that your user is a member of the {{ic|storage}} group.<br />
<br />
=== USB modem not working on host ===<br />
<br />
If you have a USB modem which is being used by the guest OS, killing the guest OS can cause the modem to become unusable by the host system. Killing and restarting {{ic|VBoxSVC}} should fix this problem.<br />
<br />
=== USB device crashes guest ===<br />
<br />
If attaching a USB device to the guest causes a crash or any other erroneous behavior, try switching the USB controller from USB 2 (EHCI) to USB 3 (xHCI) or vice versa.<br />
<br />
=== Access serial port from guest ===<br />
<br />
Check your permissions for the serial port:<br />
<br />
{{hc|$ ls -l /dev/ttyS*|<br />
crw-rw---- 1 root uucp 4, 64 Feb 3 09:12 /dev/ttyS0<br />
crw-rw---- 1 root uucp 4, 65 Feb 3 09:12 /dev/ttyS1<br />
crw-rw---- 1 root uucp 4, 66 Feb 3 09:12 /dev/ttyS2<br />
crw-rw---- 1 root uucp 4, 67 Feb 3 09:12 /dev/ttyS3<br />
}}<br />
<br />
Add your user to the {{ic|uucp}} [[user group]].<br />
<br />
=== Guest freezes after starting Xorg ===<br />
<br />
Faulty or missing drivers may cause the guest to freeze after starting Xorg, see for example [https://bbs.archlinux.org/viewtopic.php?pid=1167838] and [https://bbs.archlinux.org/viewtopic.php?id=156079]. Try disabling 3D acceleration in ''Settings > Display'', and check if all [[Xorg]] drivers are installed.<br />
<br />
=== Fullscreen mode shows blank screen ===<br />
<br />
On some window managers ([[i3]], [[awesome]]), VirtualBox has issues displaying fullscreen mode properly due to the overlay bar. To work around this issue, disable the "Show in Full-screen/Seamless" option in "Guest Settings > User Interface > Mini ToolBar". See the [https://www.virtualbox.org/ticket/14323 upstream bug report] for more information.<br />
<br />
=== Host freezes on virtual machine start ===<br />
<br />
{{Expansion|Needs a link to a bug report.}}<br />
<br />
Possible causes/solutions:<br />
<br />
* SMAP<br />
This is a known incompatibility with SMAP-enabled kernels affecting (mostly) Intel Broadwell chipsets. A solution to this problem is disabling SMAP support in your kernel by appending the {{ic|nosmap}} option to your [[kernel parameters]].<br />
* Hardware Virtualisation<br />
Disabling hardware virtualisation (VT-x/AMD-V) may solve the problem.<br />
* Various Kernel bugs<br />
** Fuse mounted partitions (like ntfs) [https://bbs.archlinux.org/viewtopic.php?id=185841], [https://bugzilla.kernel.org/show_bug.cgi?id=82951#c12]<br />
<br />
Generally, such issues are observed after upgrading VirtualBox or the Linux kernel. Downgrading them to their previous versions might solve the problem.<br />
<br />
=== Linux guests have slow/distorted audio ===<br />
<br />
The AC97 audio driver within the Linux kernel occasionally guesses the wrong clock settings when running inside VirtualBox, leading to audio that is either too slow or too fast. To fix this, create a file in {{ic|/etc/modprobe.d/}} with the following line:<br />
<br />
options snd-intel8x0 ac97_clock=48000<br />
<br />
=== Analog microphone not working ===<br />
<br />
If the audio input from an analog microphone is working correctly on the host, but no sound seems to get through to the guest, despite the microphone device apparently being detected normally, installing a [[Sound system#Sound servers|sound server]] such as [[PulseAudio]] on the host might fix the problem.<br />
<br />
If after installing [[PulseAudio]] the microphone still refuses to work, setting ''Host Audio Driver'' (under ''VirtualBox > Machine > Settings > Audio'') to ''ALSA Audio Driver'' might help.<br />
<br />
=== Microphone not working after upgrade ===<br />
<br />
There have been issues reported around sound input in 5.1.x versions. [https://forums.virtualbox.org/viewtopic.php?f=7&t=78797]<br />
<br />
[[Downgrading]] may solve the problem. You can use {{aur|virtualbox-bin-5.0}} to ease downgrading.<br />
<br />
=== Problems with images converted to ISO ===<br />
<br />
Some image formats cannot be reliably converted to ISO. For instance, {{Pkg|ccd2iso}} ignores .ccd and .sub files, which can result in disk images with broken files. <br />
<br />
In this case, you will either have to use [[CDemu]] for Linux inside VirtualBox or any other utility used to mount disk images.<br />
<br />
=== Failed to create the host-only network interface ===<br />
<br />
Make sure all required kernel modules are loaded. See [[#Load the VirtualBox kernel modules]].<br />
<br />
If all required kernel modules are loaded and you are still unable to create the host-only adapter, navigate to ''File > Host Network Manager'' and click the ''Create'' button to add the network interface.<br />
<br />
=== Failed to insert module ===<br />
<br />
If you get the following error when trying to load modules:<br />
<br />
Failed to insert 'vboxdrv': Required key not available<br />
<br />
[[#Sign modules|Sign]] your modules or disable {{ic|CONFIG_MODULE_SIG_FORCE}} in your kernel config.<br />
<br />
=== VBOX_E_INVALID_OBJECT_STATE (0x80BB0007) ===<br />
<br />
This can occur if a VM is exited ungracefully. Run the following command:<br />
<br />
$ VBoxManage controlvm ''virtual_machine_name'' poweroff<br />
<br />
=== NS_ERROR_FAILURE and missing menu items ===<br />
<br />
This happens sometimes when selecting ''QCOW''/''QCOW2''/''QED'' disk format when creating a new virtual disk.<br />
<br />
If you encounter this message the first time you start the virtual machine:<br />
<br />
{{bc|<br />
Failed to open a session for the virtual machine debian.<br />
Could not open the medium '/home/.../VirtualBox VMs/debian/debian.qcow'.<br />
QCow: Reading the L1 table for image '/home/.../VirtualBox VMs/debian/debian.qcow' failed (VERR_EOF).<br />
VD: error VERR_EOF opening image file '/home/.../VirtualBox VMs/debian/debian.qcow' (VERR_EOF).<br />
<br />
Result Code: <br />
NS_ERROR_FAILURE (0x80004005)<br />
Component: <br />
Medium<br />
}}<br />
<br />
Exit VirtualBox, delete all files of the new machine and, in the VirtualBox configuration file, remove the last line of the {{ic|MachineRegistry}} element (or the line of the offending machine you are creating):<br />
<br />
{{hc|~/.config/VirtualBox/VirtualBox.xml|2=<br />
...<br />
<MachineRegistry><br />
<MachineEntry uuid="{00000000-0000-0000-0000-000000000000}" src="/home/void/VirtualBox VMs/debian/debian.vbox"/><br />
<MachineEntry uuid="{00000000-0000-0000-0000-000000000000}" src="/home/void/VirtualBox VMs/ubuntu/ubuntu.vbox"/><br />
<strike><MachineEntry uuid="{00000000-0000-0000-0000-000000000000}" src="/home/void/VirtualBox VMs/lastvmcausingproblems/lastvmcausingproblems.qcow"/></strike><br />
</MachineRegistry><br />
...<br />
}}<br />
<br />
=== Arch: pacstrap script fails ===<br />
<br />
If you used ''pacstrap'' in the [[#Installation steps for Arch Linux guests]] to also [[#Install the Guest Additions]] '''before''' performing a first boot into the new guest, you will need to {{ic|umount -l /mnt/dev}} as root before using ''pacstrap'' again; a failure to do this will render it unusable.<br />
<br />
=== OpenBSD unusable when virtualisation instructions unavailable ===<br />
<br />
While OpenBSD is reported to work fine on other hypervisors without virtualisation instructions (VT-x AMD-V) enabled, an OpenBSD virtual machine running on VirtualBox without these instructions will be unusable, manifesting with a bunch of segmentation faults. Starting VirtualBox with the ''-norawr0'' argument [https://www.virtualbox.org/ticket/3947 may solve the problem]. You can do it like this:<br />
<br />
$ VBoxSDL -norawr0 -vm ''name_of_OpenBSD_VM''<br />
<br />
=== Windows host: VERR_ACCESS_DENIED ===<br />
<br />
To access the raw VMDK image on a Windows host, run the VirtualBox GUI as administrator.<br />
<br />
=== Windows: "The specified path does not exist. Check the path and then try again." ===<br />
<br />
This error message may appear when running an {{ic|.exe}} file which requires administrator privileges from a shared folder in Windows guests. [https://www.virtualbox.org/ticket/5732#comment:39]<br />
<br />
As a workaround, copy the file to the virtual drive or use [[w:Uniform Naming Convention|UNC paths]] ({{ic|\\vboxsvr}}). See [https://support.microsoft.com/de-de/help/2019185/copying-files-from-a-mapped-drive-to-a-local-directory-fails-with-erro] for more information.<br />
<br />
=== Windows 8.x error code 0x000000C4 ===<br />
<br />
If you get this error code while booting, even if you choose OS Type Win 8, try to enable the {{ic|CMPXCHG16B}} CPU instruction:<br />
<br />
$ vboxmanage setextradata ''virtual_machine_name'' VBoxInternal/CPUM/CMPXCHG16B 1<br />
<br />
=== Windows 8, 8.1 or 10 fails to install, boot or has error "ERR_DISK_FULL" ===<br />
<br />
Update the VM's settings by going to ''Settings > Storage > Controller:SATA'' and check "Use Host I/O Cache".<br />
<br />
=== WinXP: Bit-depth cannot be greater than 16 ===<br />
<br />
If you are running at 16-bit color depth, then the icons may appear fuzzy/choppy. However, upon attempting to change the color depth to a higher level, the system may restrict you to a lower resolution or simply not enable you to change the depth at all. To fix this, run {{ic|regedit}} in Windows and add the following key to the Windows XP VM's registry:<br />
<br />
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]<br />
"ColorDepth"=dword:00000004<br />
<br />
Then update the color depth in the "desktop properties" window. If nothing happens, force the screen to redraw through some method (e.g. {{ic|Host+f}} to redraw/enter full screen).<br />
<br />
=== Windows: Screen flicker if 3D acceleration enabled ===<br />
<br />
VirtualBox > 4.3.14 has a regression in which Windows guests with 3D acceleration flicker. Since r120678, a patch has been implemented to recognize an [[environment variable]] setting; launch VirtualBox like this:<br />
<br />
$ CR_RENDER_FORCE_PRESENT_MAIN_THREAD=0 VirtualBox<br />
<br />
Make sure no VirtualBox services are still running. See [https://www.virtualbox.org/ticket/13653 VirtualBox bug 13653].<br />
<br />
=== No hardware 3D acceleration in Arch Linux guest ===<br />
<br />
The {{Pkg|virtualbox-guest-utils}} package as of version 5.2.16-2 does not contain the file {{ic|VBoxEGL.so}}. As a result, the Arch Linux guest does not have proper 3D acceleration. See {{Bug|49752}}.<br />
<br />
To deal with this problem, apply the patch set at {{Bug|49752#comment152254}}. Some adjustment to the patch set is required to make it work for version 5.2.16-2.<br />
<br />
=== Cannot launch VirtualBox on Wayland: Segmentation fault ===<br />
<br />
This problem is usually caused by Qt on Wayland, see {{Bug|58761}}. <br />
<br />
The best approach, which avoids affecting the rest of the Qt applications (which usually work well in Wayland), is to unset the {{ic|QT_QPA_PLATFORM}} [[environment variable]] in VirtualBox's [[desktop entry]]. Follow the instructions in [[Desktop entries#Modify environment variables]] and change the lines starting with<br />
<br />
Exec=VirtualBox ...<br />
<br />
to<br />
<br />
Exec=env -u QT_QPA_PLATFORM VirtualBox ...<br />
<br />
== Known issues ==<br />
<br />
=== Automounting does not work ===<br />
<br />
Automounting does not work with the packaged guest additions {{Pkg|virtualbox-guest-utils}} and {{Pkg|virtualbox-guest-utils-nox}} starting with version 6.0.0-1. See {{Bug|61307}}.<br />
<br />
== See also ==<br />
<br />
* [https://www.virtualbox.org/manual/UserManual.html VirtualBox User Manual]<br />
* [[Wikipedia:VirtualBox]]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=GNU_Radio&diff=570738GNU Radio2019-04-08T13:58:56Z<p>Yuvadm: Add GUI section</p>
<hr />
<div>[[Category:Science]]<br />
[[ja:GNU Radio]]<br />
[[es:GNU Radio]]<br />
{{Related articles start}}<br />
{{Related|DVB-T}}<br />
{{Related|RTL-SDR}}<br />
{{Related articles end}}<br />
<br />
[http://gnuradio.org/redmine/projects/gnuradio/wiki GNU Radio] is a free & open-source software development toolkit that provides signal processing blocks to implement software radios. It can be used with readily-available low-cost external RF hardware to create software-defined radios, or without hardware in a simulation-like environment. It is widely used in hobbyist, academic and commercial environments to support both wireless communications research and real-world radio systems.<br />
<br />
==Packages==<br />
<br />
The latest stable GNU Radio version can be installed with {{Pkg|gnuradio}} from the [[official repositories]].<br />
<br />
Bleeding edge is {{AUR|gnuradio-git}} in the [[AUR]], and in some cases VOLK may need to be built separately from {{AUR|libvolk-git}}.<br />
<br />
If you want {{ic|gnuradio-companion}}, just install the {{Pkg|gnuradio-companion}} package which will install GNU Radio, as well as some additional required packages.<br />
<br />
Another popular package is {{Pkg|gnuradio-osmosdr}} which provides the GRC source blocks for many of the popular SDR devices (Funcube Dongle, [[RTL-SDR]], USRP, OsmoSDR, BladeRF and HackRF).<br />
<br />
===GUI===<br />
<br />
The core GNU Radio packages do not support flowgraphs with GUI widgets. For such flowgraphs it is recommended to install QT GUI support via {{AUR|python2-pyqt4}}.<br />
<br />
Usage of WX GUI is not recommended since it will be phased out in the 3.8 release of GNU Radio, which will also include widget upgrades to QT5.<br />
<br />
==Troubleshooting==<br />
<br />
===GetSize() doesn't work without window===<br />
<br />
If such errors occur when running flow graphs, make sure that the optional dependency {{Pkg|python2-opengl}} is installed.<br />
<br />
This should be fixed in the next GNU Radio release. [https://bbs.archlinux.org/viewtopic.php?id=182732]<br />
<br />
===TypeError: in method 'source_sptr_set_gain_mode', argument 2 of type 'bool'===<br />
<br />
When using an (osmocom) RTL-SDR source, you might see this error. The workaround is to manually set the Gain Mode to {{Ic|True}} or {{Ic|False}}.</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Intel_graphics&diff=569892Intel graphics2019-03-26T23:25:49Z<p>Yuvadm: Add note</p>
<hr />
<div>[[Category:Graphics]]<br />
[[Category:X server]]<br />
[[cs:Intel graphics]]<br />
[[de:Intel]]<br />
[[es:Intel graphics]]<br />
[[fr:Intel]]<br />
[[hu:Intel graphics]]<br />
[[it:Intel graphics]]<br />
[[ja:Intel Graphics]]<br />
[[pl:Intel graphics]]<br />
[[pt:Intel graphics]]<br />
[[ru:Intel graphics]]<br />
[[zh-hans:Intel graphics]]<br />
[[zh-hant:Intel graphics]]<br />
{{Related articles start}}<br />
{{Related|Intel GMA 3600}}<br />
{{Related|Xorg}}<br />
{{Related|Kernel mode setting}}<br />
{{Related|Xrandr}}<br />
{{Related|Hybrid graphics}}<br />
{{Related|Vulkan}}<br />
{{Related articles end}}<br />
<br />
Since Intel provides and supports open source drivers, Intel graphics are essentially plug-and-play.<br />
<br />
For a comprehensive list of Intel GPU models and corresponding chipsets and CPUs, see [[Wikipedia:List of Intel graphics processing units]].<br />
<br />
{{Note|PowerVR-based graphics ([[Intel GMA 3600|GMA 3600]] series) are not supported by open source drivers.}}<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|mesa}} package, which provides the DRI driver for 3D acceleration.<br />
<br />
* For 32-bit application support, also install the {{Pkg|lib32-mesa}} package from the [[multilib]] repository.<br />
* For the DDX driver (which provides 2D acceleration in [[Xorg]]), [[install]] the {{Pkg|xf86-video-intel}} package. (Often not recommended, see note below.)<br />
* For [[Vulkan]] support (''Ivy Bridge'' and newer), install the {{Pkg|vulkan-intel}} package.<br />
<br />
Also see [[Hardware video acceleration]].<br />
<br />
{{Note|1=Some ([http://www.phoronix.com/scan.php?page=news_item&px=Ubuntu-Debian-Abandon-Intel-DDX Debian & Ubuntu], [http://www.phoronix.com/scan.php?page=news_item&px=Fedora-Xorg-Intel-DDX-Switch Fedora], [https://community.kde.org/Plasma/5.9_Errata#Intel_GPUs KDE]) recommend not installing the {{Pkg|xf86-video-intel}} driver, and instead falling back on the modesetting driver for fourth generation and newer GPUs. See [https://www.reddit.com/r/archlinux/comments/4cojj9/it_is_probably_time_to_ditch_xf86videointel/], [http://www.phoronix.com/scan.php?page=article&item=intel-modesetting-2017&num=1], [[Xorg#Installation]], and {{man|4|modesetting}}. However, the modesetting driver can cause problems such as [https://bugs.chromium.org/p/chromium/issues/detail?id=370022 Chromium Issue 370022]. Also, the modesetting driver will not benefit from Intel GuC/HuC/DMC firmware.}}<br />
<br />
== Loading ==<br />
<br />
The Intel kernel module should load fine automatically on system boot.<br />
<br />
If it does not happen, then:<br />
<br />
* Make sure you do '''not''' have {{ic|nomodeset}} or {{ic|1=vga=}} as a [[kernel parameter]], since Intel requires kernel mode-setting.<br />
* Also, check that you have not disabled Intel by using any modprobe blacklisting within {{ic|/etc/modprobe.d/}} or {{ic|/usr/lib/modprobe.d/}}.<br />
<br />
=== Enable early KMS ===<br />
<br />
[[Kernel mode setting]] (KMS) is supported by Intel chipsets that use the i915 DRM driver and is mandatory and enabled by default.<br />
<br />
Refer to [[Kernel mode setting#Early KMS start]] for instructions on how to enable KMS as soon as possible at the boot process.<br />
<br />
=== Enable GuC / HuC firmware loading ===<br />
<br />
For Skylake and newer processors, some video features (e.g. CBR rate control on SKL low-power encoding mode) may require the use of an updated GPU firmware, which is currently (as of 4.16) not enabled by default. Enabling GuC/HuC firmware loading can cause issues on some systems; disable it if you experience freezing (for example, after resuming from hibernation).<br />
<br />
{{Note|See [[Gentoo:Intel#Feature support]] for an overview of Intel processor generations.}}<br />
<br />
For those processors it is necessary to add {{ic|1=i915.enable_guc=2}} to the [[kernel parameters]] to enable both GuC and HuC firmware loading. Alternatively, if the [[initramfs]] already includes the {{ic|i915}} module (see [[Kernel mode setting#Early KMS start]]), you can set these options through a file in {{ic|/etc/modprobe.d/}}, e.g.:<br />
<br />
{{hc|/etc/modprobe.d/i915.conf|2=<br />
options i915 enable_guc=2<br />
}}<br />
<br />
It is possible to enable both GuC/HuC firmware loading and GuC submission by using the {{ic|1=enable_guc=3}} module parameter, although this is generally discouraged and may even negatively affect your system stability.<br />
<br />
You can verify both are enabled by using [[dmesg]]:<br />
<br />
{{hc|$ dmesg|2=<br />
[drm] HuC: Loaded firmware i915/kbl_huc_ver02_00_1810.bin (version 2.0)<br />
[drm] GuC: Loaded firmware i915/kbl_guc_ver9_39.bin (version 9.39)<br />
i915 0000:00:02.0: GuC firmware version 9.39<br />
i915 0000:00:02.0: GuC submission enabled<br />
i915 0000:00:02.0: HuC enabled<br />
}}<br />
<br />
Alternatively, check using:<br />
<br />
# cat /sys/kernel/debug/dri/0/i915_huc_load_status<br />
# cat /sys/kernel/debug/dri/0/i915_guc_load_status<br />
<br />
{{Warning|1=Using [[Intel GVT-g|GVT-g graphics virtualization]] by setting {{ic|1=enable_gvt=1}} is not supported as of linux 4.20.11 when GuC/HuC is also enabled. The i915 module would fail to initialize as shown in system journal.<br />
{{hc|$ journalctl|<br />
... kernel: [drm:intel_gvt_init [i915]] *ERROR* i915 GVT-g loading failed due to Graphics virtualization is not yet supported with GuC submission<br />
... kernel: i915 0000:00:02.0: [drm:i915_driver_load [i915]] Device initialization failed (-5)<br />
... kernel: i915: probe of 0000:00:02.0 failed with error -5<br />
... kernel: snd_hda_intel 0000:00:1f.3: failed to add i915 component master (-19)<br />
}}<br />
}}<br />
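<br />
The dmesg and journal checks above, as an added example that is not part of the wiki page: a shell function that reduces kernel log text to one status line and flags the GVT-g/GuC failure described in the warning.<br />
The function names and the key=value output format are this example's own; the sample log lines are the ones quoted on this page.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the wiki page): summarise i915 GuC/HuC firmware
# state from kernel log text read on stdin. The key=value output format is
# a convention of this example only.
i915_fw_status() {
    awk '
        BEGIN {
            guc = "none"; huc = "none"
            subm = "no"; huc_on = "no"; gvt = "no"; probe = "ok"
        }
        # e.g. "[drm] GuC: Loaded firmware i915/....bin (version 9.39)"
        /(GuC|HuC): Loaded firmware/ {
            ver = $0
            sub(/.*\(version /, "", ver)   # drop everything up to the version
            sub(/\).*/, "", ver)           # drop the closing parenthesis
            if ($0 ~ /GuC: Loaded/) guc = ver; else huc = ver
        }
        /GuC submission enabled/ { subm = "yes" }
        /HuC enabled/            { huc_on = "yes" }
        # Failure signature from the warning: enable_gvt=1 combined with GuC
        /GVT-g loading failed/   { gvt = "yes" }
        /i915: probe of .* failed with error/ { probe = "failed" }
        END {
            printf "guc_fw=%s huc_fw=%s guc_submission=%s huc_enabled=%s gvt_conflict=%s probe=%s\n",
                guc, huc, subm, huc_on, gvt, probe
        }
    '
}

# Sample input: the dmesg lines shown on this page for a working setup.
sample_dmesg() {
cat <<'EOF'
[drm] HuC: Loaded firmware i915/kbl_huc_ver02_00_1810.bin (version 2.0)
[drm] GuC: Loaded firmware i915/kbl_guc_ver9_39.bin (version 9.39)
i915 0000:00:02.0: GuC firmware version 9.39
i915 0000:00:02.0: GuC submission enabled
i915 0000:00:02.0: HuC enabled
EOF
}

# Sample input: the journal lines shown in the GVT-g warning on this page
# (the leading "..." is the elision used there).
sample_gvt_journal() {
cat <<'EOF'
... kernel: [drm:intel_gvt_init [i915]] *ERROR* i915 GVT-g loading failed due to Graphics virtualization is not yet supported with GuC submission
... kernel: i915 0000:00:02.0: [drm:i915_driver_load [i915]] Device initialization failed (-5)
... kernel: i915: probe of 0000:00:02.0 failed with error -5
... kernel: snd_hda_intel 0000:00:1f.3: failed to add i915 component master (-19)
EOF
}

# Demo on the embedded samples; on a real system use: dmesg | i915_fw_status
sample_dmesg | i915_fw_status
sample_gvt_journal | i915_fw_status
```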
<br />
== Xorg configuration ==<br />
<br />
There may be no need for any configuration to run [[Xorg]].<br />
<br />
However, if [[Xorg]] does not start, and to take advantage of some driver options, you can create an Xorg configuration file similar to the one below:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
EndSection}}<br />
<br />
Additional options are added by the user on new lines below {{ic|Driver}}.<br />
For the full list of options, see the {{man|4|intel}} man page.<br />
<br />
{{Note|<br />
*You may need to indicate {{ic|Option "AccelMethod"}} when creating a configuration file, even just to set it to the default method (currently {{ic|"sna"}}); otherwise, X may crash.<br />
*You might need to add more device sections than the one listed above. This will be indicated where necessary.<br />
}}<br />
<br />
== Module-based options ==<br />
<br />
The {{ic|i915}} kernel module allows for configuration via [[Kernel modules#Setting module options|module options]]. Some of the module options impact power saving.<br />
<br />
A list of all options along with short descriptions and default values can be generated with the following command:<br />
<br />
$ modinfo -p i915<br />
<br />
To check which options are currently enabled, run<br />
<br />
# systool -m i915 -av<br />
<br />
You will note that many options default to -1, resulting in per-chip powersaving defaults. It is however possible to configure more aggressive powersaving by using [[Kernel modules#Setting module options|module options]].<br />
<br />
{{Warning|1=Diverting from the defaults will mark the kernel as [https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=fc9740cebc3ab7c65f3c5f6ce0caf3e4969013ca tainted] from Linux 3.18 onwards. This basically implies using other options than the per-chip defaults is considered experimental and not supported by the developers. }}<br />
<br />
=== Framebuffer compression (enable_fbc) ===<br />
<br />
Making use of Framebuffer compression (FBC) can reduce power consumption while reducing memory bandwidth needed for screen refreshes.<br />
<br />
To enable FBC, use {{ic|1=i915.enable_fbc=1}} as [[kernel parameter]] or set in {{ic|/etc/modprobe.d/i915.conf}}:<br />
<br />
{{hc|/etc/modprobe.d/i915.conf|2=<br />
options i915 enable_fbc=1<br />
}}<br />
<br />
{{Note|Framebuffer compression may be unreliable or unavailable on Intel GPU generations before Sandy Bridge (generation 6). This results in messages logged to the system journal similar to this one:<br />
<br />
kernel: drm: not enough stolen space for compressed buffer, disabling.<br />
<br />
Enabling frame buffer compression on pre-Sandy Bridge CPUs results in endless error messages:<br />
<br />
{{hc|$ dmesg|<br />
[ 2360.475430] [drm] not enough stolen space for compressed buffer (need 4325376 bytes), disabling<br />
[ 2360.475437] [drm] hint: you may be able to increase stolen memory size in the BIOS to avoid this<br />
}}<br />
<br />
The solution is to disable frame buffer compression which will imperceptibly increase power consumption (around 0.06 W). In order to disable it add {{ic|1=i915.enable_fbc=0}} to the kernel line parameters. More information on the results of disabled compression can be found [http://kernel.ubuntu.com/~cking/power-benchmarking/background-colour-and-framebuffer-compression/ here].}}<br />
<br />
=== Fastboot ===<br />
<br />
The goal of Intel Fastboot is to preserve the frame-buffer as set up by the BIOS or [[bootloader]] to avoid any flickering until [[Xorg]] has started [https://www.phoronix.com/scan.php?page=news_item&px=MTEwNzc].<br />
<br />
To enable fastboot, set {{ic|1=i915.fastboot=1}} as [[kernel parameter]] or set in {{ic|/etc/modprobe.d/i915.conf}}:<br />
<br />
{{hc|/etc/modprobe.d/i915.conf|2=<br />
options i915 fastboot=1<br />
}}<br />
<br />
{{Warning|1=This parameter is not enabled by default and may cause issues on some older (pre-Skylake) systems.[https://www.phoronix.com/scan.php?page=news_item&px=Intel-Fastboot-Default-2019-Try]}}<br />
<br />
=== Intel GVT-g graphics virtualization support ===<br />
<br />
See [[Intel GVT-g]] for details.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Setting scaling mode ===<br />
<br />
This can be useful for some full screen applications:<br />
<br />
$ xrandr --output LVDS1 --set PANEL_FITTING ''param''<br />
<br />
where {{ic|''param''}} can be:<br />
<br />
* {{ic|center}}: resolution will be kept exactly as defined, no scaling will be made,<br />
* {{ic|full}}: scale the resolution so it uses the entire screen or<br />
* {{ic|full_aspect}}: scale the resolution to the maximum possible but keep the aspect ratio.<br />
<br />
If it does not work, try:<br />
<br />
$ xrandr --output LVDS1 --set "scaling mode" ''param''<br />
<br />
where {{ic|''param''}} is one of {{ic|"Full"}}, {{ic|"Center"}} or {{ic|"Full aspect"}}.<br />
<br />
{{Note|1=This option currently does not work for external displays (e.g. VGA, DVI, HDMI, DP). [https://bugs.freedesktop.org/show_bug.cgi?id=90989]}}<br />
<br />
=== Hardware accelerated H.264 decoding on GMA 4500 ===<br />
<br />
The {{Pkg|libva-intel-driver}} package only provides hardware accelerated MPEG-2 decoding for GMA 4500 series GPUs. The H.264 decoding support is maintained in a separate g45-h264 branch, which can be used by installing the {{AUR|libva-intel-driver-g45-h264}} package. Note however that this support is experimental and its development has been abandoned. Using the VA-API with this driver on a GMA 4500 series GPU will offload the CPU but may not result in as smooth a playback as non-accelerated playback. Tests using mplayer showed that using vaapi to play back an H.264 encoded 1080p video halved the CPU load (compared to the XV overlay) but resulted in very choppy playback, while 720p worked reasonably well [https://bbs.archlinux.org/viewtopic.php?id=150550]. This is echoed by other experiences [http://www.emmolution.org/?p=192&cpage=1#comment-12292].<br />
Setting the preallocated video RAM size higher in the BIOS results in much better hardware decoded playback. Even 1080p H.264 works well if this is done.<br />
Smooth playback (1080p/720p) works also with {{AUR|mpv-git}} in combination with {{AUR|ffmpeg-git}} and {{AUR|libva-intel-driver-g45-h264}}. With MPV and the Firefox plugin "Watch with MPV"[https://addons.mozilla.org/de/firefox/addon/watch-with-mpv/] it is possible to watch hardware accelerated YouTube videos.<br />
<br />
=== Setting brightness and gamma ===<br />
<br />
See [[Backlight]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Tearing ===<br />
<br />
The SNA acceleration method causes tearing on some machines. To fix this, enable the {{ic|"TearFree"}} option in the driver by adding the following line to your [[#Xorg configuration|configuration file]]:<br />
<br />
{{hc|/etc/X11/xorg.conf.d/20-intel.conf|<br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "TearFree" "true"<br />
EndSection}}<br />
<br />
See the [https://bugs.freedesktop.org/show_bug.cgi?id=37686 original bug report] for more info.<br />
<br />
{{Note|1=<nowiki></nowiki><br />
* This option may not work when {{ic|SwapbuffersWait}} is {{ic|false}}.<br />
* This option may increase memory allocation considerably and reduce performance. [https://bugs.freedesktop.org/show_bug.cgi?id=37686#c123]<br />
* This option is problematic for applications that are very picky about vsync timing, like [[Wikipedia:Super Meat Boy|Super Meat Boy]].<br />
* This option does not work with UXA acceleration method, only with SNA.<br />
* This option does not work with the modesetting driver, which is not yet tear-free [https://gitlab.freedesktop.org/xorg/xserver/merge_requests/24]<br />
}}<br />
<br />
=== Disable Vertical Synchronization (VSYNC) ===<br />
<br />
Useful when:<br />
<br />
* Chromium/Chrome has lags and slow performance due to GPU and runs smoothly with the {{ic|--disable-gpu}} switch<br />
* glxgears test does not show desired performance<br />
<br />
The intel-driver uses [http://www.intel.com/support/graphics/sb/CS-004527.htm Triple Buffering] for vertical synchronization; this allows for full performance and avoids tearing. To turn vertical synchronization off (e.g. for benchmarking) use this {{ic|.drirc}} in your home directory:<br />
<br />
{{hc|~/.drirc|<br />
<device screen&#61;"0" driver&#61;"dri2"><br />
<application name&#61;"Default"><br />
<option name&#61;"vblank_mode" value&#61;"0"/><br />
</application><br />
</device><br />
}}<br />
<br />
{{Note|Do not use {{Pkg|driconf}} to create this file. It is buggy and will set the wrong driver.}}<br />
<br />
=== SNA issues ===<br />
<br />
''SNA'' is the default acceleration method in {{Pkg|xf86-video-intel}}. If you experience issues with ''SNA'' (e.g. pixelated graphics, corrupt text, etc.), try using ''UXA'' instead, which can be done by adding the following line to your [[#Xorg configuration|configuration file]]:<br />
<br />
Option "AccelMethod" "uxa"<br />
<br />
See {{man|4|intel}} under {{ic|Option "AccelMethod"}}.<br />
<br />
=== DRI3 issues ===<br />
<br />
''DRI3'' is the default DRI version in {{Pkg|xf86-video-intel}}. On some systems this can cause issues such as [https://bugs.chromium.org/p/chromium/issues/detail?id=370022 this]. To switch back to ''DRI2'' add the following line to your [[#Xorg configuration|configuration file]]:<br />
<br />
Option "DRI" "2"<br />
<br />
For the {{ic|modesetting}} driver, this method of disabling DRI3 does not work. Instead, one can set the environment variable {{ic|1=LIBGL_DRI3_DISABLE=1}}.<br />
<br />
=== Font and screen corruption in GTK+ applications (missing glyphs after suspend/resume) ===<br />
<br />
Should you experience missing font glyphs in GTK+ applications, the following workaround might help. [[textedit|Edit]] {{ic|/etc/environment}} to add the following line:<br />
<br />
{{hc|/etc/environment|output=<br />
COGL_ATLAS_DEFAULT_BLIT_MODE=framebuffer<br />
}}<br />
<br />
See also [https://bugs.freedesktop.org/show_bug.cgi?id=88584 FreeDesktop bug 88584].<br />
<br />
=== Blank screen during boot, when "Loading modules" ===<br />
<br />
If using "late start" KMS and the screen goes blank when "Loading modules", it may help to add {{ic|i915}} and {{ic|intel_agp}} to the initramfs. See [[Kernel mode setting#Early KMS start]] section.<br />
<br />
Alternatively, appending the following [[kernel parameter]] seems to work as well:<br />
<br />
video=SVIDEO-1:d<br />
<br />
If you need to output to VGA then try this:<br />
<br />
video=VGA-1:1280x800<br />
<br />
=== X freeze/crash with intel driver ===<br />
<br />
Some issues with X crashing, GPU hanging, or problems with X freezing, can be fixed by disabling the GPU usage with the {{ic|NoAccel}} option. Add the following line to your [[#Xorg configuration|configuration file]]:<br />
<br />
Option "NoAccel" "True"<br />
<br />
Alternatively, try to disable the 3D acceleration only with the {{ic|DRI}} option:<br />
<br />
Option "DRI" "False"<br />
<br />
=== Baytrail complete freeze ===<br />
<br />
If you are using kernel > 3.16 on Baytrail architecture and randomly encounter total system freezes, the following kernel option is a workaround until [https://bugzilla.kernel.org/show_bug.cgi?id=109051 this bug] is fixed in the linux kernel.<br />
<br />
intel_idle.max_cstate=1<br />
<br />
This is originally an Intel CPU bug that can be triggered by certain c-state transitions. It can also happen with Linux kernel 3.16 or Windows, though apparently much more rarely.<br />
The kernel option will prevent the freeze by avoiding c-state transitions but will also increase power consumption.<br />
<br />
=== Adding undetected resolutions ===<br />
<br />
This issue is covered on the [[Xrandr#Adding undetected resolutions|Xrandr page]].<br />
<br />
=== Backlight is not adjustable ===<br />
<br />
If after resuming from suspend, the hotkeys for changing the screen brightness do not take effect, check your configuration against the [[Backlight]] article.<br />
<br />
If the problem persists, try one of the following [[kernel parameters]]:<br />
<br />
acpi_osi=Linux<br />
acpi_osi="!Windows 2012"<br />
acpi_osi=<br />
<br />
=== Corruption/Unresponsiveness in Chromium and Firefox ===<br />
<br />
If you experience corruption, unresponsiveness, lags or slow performance in Chromium and/or Firefox: <br />
<br />
* [[#SNA issues|Set the AccelMethod to "uxa"]]<br />
* [[#Disable Vertical Synchronization (VSYNC)|Disable VSYNC]]<br />
<br />
=== Kernel crashing w/kernels 4.0+ on Broadwell/Core-M chips ===<br />
<br />
A few seconds after X/Wayland loads the machine will freeze and journalctl will log a kernel crash referencing the Intel graphics as below:<br />
<br />
Jun 16 17:54:03 hostname kernel: BUG: unable to handle kernel NULL pointer dereference at (null)<br />
Jun 16 17:54:03 hostname kernel: IP: [< (null)>] (null)<br />
...<br />
Jun 16 17:54:03 hostname kernel: CPU: 0 PID: 733 Comm: gnome-shell Tainted: G U O 4.0.5-1-ARCH #1<br />
...<br />
Jun 16 17:54:03 hostname kernel: Call Trace:<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa055cc27>] ? i915_gem_object_sync+0xe7/0x190 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0579634>] intel_execlists_submission+0x294/0x4c0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa05539fc>] i915_gem_do_execbuffer.isra.12+0xabc/0x1230 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa055d349>] ? i915_gem_object_set_to_cpu_domain+0xa9/0x1f0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ba2ae>] ? __kmalloc+0x2e/0x2a0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0555471>] i915_gem_execbuffer2+0x141/0x2b0 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa042fcab>] drm_ioctl+0x1db/0x640 [drm]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffffa0555330>] ? i915_gem_execbuffer+0x450/0x450 [i915]<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff8122339b>] ? eventfd_ctx_read+0x16b/0x200<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ebc36>] do_vfs_ioctl+0x2c6/0x4d0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811f6452>] ? __fget+0x72/0xb0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff811ebec1>] SyS_ioctl+0x81/0xa0<br />
Jun 16 17:54:03 hostname kernel: [<ffffffff8157a589>] system_call_fastpath+0x12/0x17<br />
Jun 16 17:54:03 hostname kernel: Code: Bad RIP value.<br />
Jun 16 17:54:03 hostname kernel: RIP [< (null)>] (null)<br />
<br />
This can be fixed by disabling execlist support which was changed to default on with kernel 4.0. Add the following [[kernel parameter]]:<br />
<br />
i915.enable_execlists=0<br />
<br />
This is known to be broken to at least kernel 4.0.5.<br />
<br />
=== Lag in Windows guests ===<br />
<br />
The video output of a Windows guest in VirtualBox sometimes hangs until the host forces a screen update (e.g. by moving the mouse cursor). Removing the {{ic|1=enable_fbc=1}} option fixes this issue.<br />
<br />
=== Screen flickering ===<br />
<br />
Panel Self Refresh (PSR), a power saving feature used by Intel iGPUs is known to cause flickering in some instances {{Bug|49628}} {{Bug|49371}} {{Bug|50605}}. A temporary solution is to disable this feature using the [[kernel parameter]] {{ic|1=i915.enable_psr=0}}.<br />
<br />
=== OpenGL 2.1 with i915 driver ===<br />
<br />
The update of {{Pkg|mesa}} from version 13.x to 17 may break support for OpenGL 2.1 on third gen Intel GPUs (GMA3100, see [[wikipedia:List_of_Intel_graphics_processing_units#Third_generation|here]]), as described in this [http://www.phoronix.com/scan.php?page=news_item&px=Mesa-i915-OpenGL-2-Drop article], reverting it back to OpenGL 1.4. However this could be restored manually by setting {{ic|/etc/drirc}} or {{ic|~/.drirc}} options like:<br />
<br />
{{hc|/etc/drirc|output=<br />
<driconf><br />
...<br />
<device driver="i915"><br />
<application name="Default"><br />
<option name="'''stub_occlusion_query'''" value="'''true'''" /><br />
<option name="'''fragment_shader'''" value="'''true'''" /><br />
</application><br />
</device><br />
...<br />
</driconf><br />
}}<br />
<br />
{{Note|The reason for this step back was the bad experience with Chromium and other applications. If needed, you can edit the drirc file in an application-specific style, see [https://dri.freedesktop.org/wiki/ConfigurationInfrastructure/ here], to disable OpenGL 2.1 for the chromium executable, for instance.}}<br />
<br />
=== KMS Issue: console is limited to small area ===<br />
<br />
One of the low-resolution video ports may be enabled on boot, which causes the terminal to use only a small area of the screen. To fix this, explicitly disable the port by adding {{ic|1=video=SVIDEO-1:d}} to the kernel command line parameters in the bootloader. See [[Kernel parameters]] for more info.<br />
<br />
If that does not work, try disabling TV1 or VGA1 instead of SVIDEO-1. Video port names can be listed with [[xrandr]].<br />
<br />
=== Weathered colors (color range problems) ===<br />
<br />
The "Broadcast RGB" property in the Intel driver defines the color range which can be used by the display: either "Limited 16:235" (which limits the color range for some displays that cannot properly display all colors) or "Full". Since kernel 3.9, the new default property "Automatic" tries to determine whether the display supports the full color range, and if it does not, or if detection fails, the color range falls back to "Limited 16:235". This results in weathered colors and grey blacks. On some displays/connectors, despite the full color range being supported properly, automatic detection fails and falls back to the limited color range ([https://bugs.freedesktop.org/show_bug.cgi?id=108821 upstream bug report, kernels 4.18-4.20]).<br />
<br />
You can forcefully set the desired color range by running {{ic|xrandr --output <OUT> --set "Broadcast RGB" "Full"}} (replace {{ic|<OUT>}} with the appropriate output device, listed by running {{ic|xrandr}}). There is no way to persist this setting in {{ic|xorg.conf}}.<br />
<br />
== See also ==<br />
<br />
* https://01.org/linuxgraphics/documentation (includes a list of supported hardware)</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=RTL-SDR&diff=568770RTL-SDR2019-03-15T11:31:17Z<p>Yuvadm: Remove stale gqrx link</p>
<hr />
<div>[[Category:TV cards]]<br />
[[ja:RTL-SDR]]<br />
{{Related articles start}}<br />
{{Related|DVB-T}}<br />
{{Related|GNU Radio}}<br />
{{Related articles end}}<br />
<br />
[http://sdr.osmocom.org/trac/wiki/rtl-sdr RTL-SDR] is a set of tools that enables [[DVB-T]] USB dongles based on the Realtek RTL2832U chipset to be used as cheap software defined radios, given that the chip allows transferring raw I/Q samples from the tuner straight to the host device.<br />
<br />
See the [http://sdr.osmocom.org/trac/wiki/rtl-sdr RTL-SDR wiki] for exact technical specifications.<br />
<br />
==Packages==<br />
<br />
The latest stable RTL-SDR version can be installed from {{Pkg|rtl-sdr}} in the [[official repositories]].<br />
<br />
Bleeding edge is on {{AUR|rtl-sdr-git}} in the [[AUR]].<br />
<br />
{{Note|RTL-SDR conflicts with existing [[DVB-T]] drivers in the kernel, and upon installation blacklists the relevant drivers as can be seen in {{Ic|/etc/modprobe.d/rtlsdr.conf}}. To use the dongle with the original DVB-T drivers, it is required to manually load them, see [[DVB-T#Driver]].}}<br />
<br />
udev rules are installed at {{Ic|/usr/lib/udev/rules.d/10-rtl-sdr.rules}} and set the proper permissions such that non-root users can access the device.<br />
<br />
{{Tip|The official RTL-SDR software does not include an infrared module. If one is desired, this [https://github.com/librtlsdr/librtlsdr fork], which includes an rtl_ir module, should be used instead.}}<br />
<br />
==Usage==<br />
<br />
Perform a simple test to make sure the dongle works and that there are no lost samples:<br />
<br />
$ rtl_test<br />
<br />
Raw samples can be captured directly to file (or fifo), for example to tune to 123.4MHz and capture 1.8M samples/sec:<br />
<br />
$ rtl_sdr capture.bin -s 1.8e6 -f 123.4e6<br />
<br />
Tune to your favorite radio station and pipe the output to ''aplay'' for audio:<br />
<br />
$ rtl_fm -f 102.7e6 -M wbfm -s 200000 -r 48000 - | aplay -r 48000 -f S16_LE<br />
<br />
==Applications==<br />
<br />
Some popular applications that use RTL-SDR:<br />
<br />
* {{AUR|dump1090-git}} - a lightweight ModeS (1090 MHz) decoder<br />
* {{AUR|multimon-ng-git}} - a decoder for various digital modes<br />
* {{Pkg|gqrx}} - a popular SDR radio receiver for Linux</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=565434OpenSSH2019-02-01T09:41:48Z<p>Yuvadm: Require xorg-xauth package on client as well</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[Category:Servers]]<br />
[[Category:OpenBSD]]<br />
[[de:SSH]]<br />
[[es:OpenSSH]]<br />
[[fa:SSH]]<br />
[[fr:ssh]]<br />
[[ja:Secure Shell]]<br />
[[ru:Secure Shell]]<br />
[[zh-hans:Secure Shell]]<br />
{{Related articles start}}<br />
{{Related|SSH keys}}<br />
{{Related|Pam abl}}<br />
{{Related|fail2ban}}<br />
{{Related|sshguard}}<br />
{{Related|Sshfs}}<br />
{{Related|Syslog-ng}}<br />
{{Related|SFTP chroot}}<br />
{{Related|SCP and SFTP}}<br />
{{Related articles end}}<br />
<br />
[[Wikipedia:OpenSSH|OpenSSH]] (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the [[Secure Shell]] (SSH) protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams. The similar name is drawn only from similar goals.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|openssh}} package.<br />
<br />
== Client usage ==<br />
<br />
To connect to a server, run:<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
<br />
If the server only allows public-key authentication, follow [[SSH keys]].<br />
<br />
=== Configuration ===<br />
<br />
The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:<br />
<br />
{{hc|~/.ssh/config|# global options<br />
User ''user''<br />
<br />
# host-specific options<br />
Host ''myserver''<br />
HostName ''server-address''<br />
Port ''port''<br />
}}<br />
<br />
With such a configuration, the following commands are equivalent:<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
$ ssh ''myserver''<br />
<br />
See {{man|5|ssh_config}} for more information.<br />
<br />
Some options do not have command line switch equivalents, but you can specify config options on the command line with {{ic|-o}}. For example {{ic|1=-oKexAlgorithms=+diffie-hellman-group1-sha1}}.<br />
<br />
== Server usage ==<br />
<br />
=== Configuration ===<br />
<br />
The SSH daemon configuration file can be found and edited in {{ic|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
To allow access only for some users add this line:<br />
<br />
AllowUsers ''user1 user2''<br />
<br />
To allow access only for some groups:<br />
<br />
AllowGroups ''group1 group2''<br />
<br />
To add a nice welcome message (e.g. from the {{ic|/etc/issue}} file), configure the {{ic|Banner}} option:<br />
<br />
Banner /etc/issue<br />
<br />
Public and private host keys are automatically generated in {{ic|/etc/ssh}} by the ''sshd'' [[#Daemon management|service files]] on the first run after installation. Four key pairs are provided based on the algorithms [[SSH keys#Choosing the authentication key type|dsa, rsa, ecdsa and ed25519]]. To have sshd use a particular key, specify the following option:<br />
<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
If the server is to be exposed to the WAN, it is recommended to change the default port from 22 to a random higher one like this:<br />
Port 39901<br />
<br />
{{Tip|<br />
* To help select an alternative port that is not already assigned to a common service, review the [[Wikipedia:List of TCP and UDP port numbers|list of TCP and UDP port numbers]]. You can also find port information locally in {{ic|/etc/services}}. A port change from default port 22 will reduce the number of log entries caused by automated authentication attempts but will not eliminate them. See [[Port knocking]] for related information.<br />
* It is recommended to disable password logins entirely. This will greatly increase security, see [[#Force public key authentication]] for more information. See [[#Protection]] for more recommended security methods.<br />
* OpenSSH can listen to multiple ports simply by having multiple {{ic|Port ''port_number''}} lines in the config file.<br />
}}<br />
<br />
=== Daemon management ===<br />
<br />
{{Pkg|openssh}} comes with two kinds of [[systemd]] service files:<br />
<br />
# {{ic|sshd.service}}, which will keep the SSH daemon permanently active and fork for each incoming connection.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh#n16] It is especially suitable for systems with a large amount of SSH traffic.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n15] <br />
# {{ic|sshd.socket}} + {{ic|sshd@.service}}, which spawn on-demand instances of the SSH daemon per connection. Using it implies that ''systemd'' listens on the SSH socket and will only start the daemon process for an incoming connection. It is the recommended way to run {{ic|sshd}} in almost all cases.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n18][http://lists.freedesktop.org/archives/systemd-devel/2011-January/001107.html][http://0pointer.de/blog/projects/inetd.html]<br />
<br />
You can [[start]] and [[enable]] either {{ic|sshd.service}} '''or''' {{ic|sshd.socket}} to begin using the daemon.<br />
<br />
If using the socket service, you will need to [[edit]] the unit file if you want it to listen on a port other than the default 22:<br />
<br />
{{hc|# systemctl edit sshd.socket|<nowiki><br />
[Socket]<br />
ListenStream=<br />
ListenStream=12345<br />
</nowiki>}}<br />
<br />
{{Warning|Using {{ic|sshd.socket}} negates the {{ic|ListenAddress}} setting, so it will allow connections over any address. To achieve the effect of setting {{ic|ListenAddress}}, you must specify the port ''and'' IP for {{ic|ListenStream}} (e.g. {{ic|1=ListenStream=192.168.1.100:22}}). You must also add {{ic|1=FreeBind=true}} under {{ic|[Socket]}} or else setting the IP address will have the same drawback as setting {{ic|ListenAddress}}: the socket will fail to start if the network is not up in time.}}<br />
<br />
{{Tip|When using socket activation a transient instance of {{ic|sshd@.service}} will be started for each connection (with different instance names). Therefore, neither {{ic|sshd.socket}} nor the daemon's regular {{ic|sshd.service}} allows monitoring connection attempts in the log. The logs of socket-activated instances of SSH can be seen with {{ic|journalctl -u "sshd@*"}} or with {{ic|journalctl /usr/bin/sshd}}.}}<br />
<br />
{{Note|Even the {{ic|sshd.socket}} unit may fail (e.g. due to out-of-memory situation) and {{ic|1=Restart=always}} cannot be specified on socket units. [https://github.com/systemd/systemd/issues/11553]}}<br />
<br />
=== Protection ===<br />
<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties gaining access to your server.<br />
<br />
Several other good guides and tools are available on the topic, for example:<br />
<br />
* [[MozillaWiki:Security/Guidelines/OpenSSH|Article by Mozilla Infosec Team]]<br />
* [https://github.com/mozilla/ssh_scan Mozilla ssh_scan]<br />
* [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure sshd]<br />
<br />
==== Force public key authentication ====<br />
<br />
If a client cannot authenticate through a public key, by default the SSH server falls back to password authentication, thus allowing a malicious user to attempt to gain access by [[#Protecting against brute force attacks|brute-forcing]] the password. One of the most effective ways to protect against this attack is to disable password logins entirely, and force the use of [[SSH keys]]. This can be accomplished by disabling the following option in the daemon configuration file:<br />
<br />
{{hc|/etc/ssh/sshd_config|PasswordAuthentication no}}<br />
<br />
{{Warning|Before adding this to your configuration, make sure that all accounts which require SSH access have public-key authentication set up in the corresponding {{ic|authorized_keys}} files. See [[SSH keys#Copying the public key to the remote server]] for more information.}}<br />
<br />
==== Two-factor authentication and public keys ====<br />
<br />
SSH can be set up to require multiple ways of authentication. You can specify which authentication methods are required using the {{ic|AuthenticationMethods}} option. This enables you to use public keys as well as two-factor authentication.<br />
<br />
See [[Google Authenticator]] to set up Google Authenticator.<br />
<br />
To use [[PAM]] with OpenSSH, edit the following files:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey keyboard-interactive:pam<br />
}}<br />
<br />
Then you can log in with either a publickey '''or''' the user authentication as required by your PAM setup.<br />
<br />
If, on the other hand, you want to authenticate the user on both a publickey '''and''' the user authentication as required by your PAM setup, use a comma instead of a space to separate the AuthenticationMethods:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey''','''keyboard-interactive:pam<br />
}}<br />
<br />
With required pubkey '''and''' pam authentication you may wish to disable the password requirement:<br />
<br />
{{hc|/etc/pam.d/sshd|<br />
auth required pam_securetty.so #disable remote root<br />
#Require google authenticator<br />
auth required pam_google_authenticator.so<br />
#But not password<br />
#auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
==== Protecting against brute force attacks ====<br />
<br />
Brute forcing is a simple concept: One continuously tries to log in to a webpage or server log-in prompt like SSH with a high number of random username and password combinations.<br />
<br />
===== Using ufw =====<br />
<br />
See [[ufw#Rate limiting with ufw]].<br />
<br />
===== Using iptables =====<br />
<br />
{{Merge|Simple stateful firewall#Bruteforce attacks|Out of scope, same technique as already described in the SSF.}}<br />
<br />
If you are already using iptables you can easily protect SSH against brute force attacks by using the following rules. <br />
<br />
{{note|In this example the SSH port was changed to port 42660 TCP.}}<br />
<br />
Before the following rules can be used we create a new rule chain to log and drop too many connection attempts:<br />
<br />
# iptables -N LOG_AND_DROP<br />
<br />
The first rule will be applied to packets that signal the start of new connections headed for TCP port 42660:<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --set --name DEFAULT --rsource<br />
<br />
The next rule tells iptables to look for packets that match the previous rule's parameters, and which also come from hosts already added to the watch list.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name DEFAULT --rsource -j LOG_AND_DROP<br />
<br />
Now iptables decides what to do with TCP traffic to port 42660 which does not match the previous rule.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -j ACCEPT<br />
<br />
We append this rule to the LOG_AND_DROP chain, and we use the -j (jump) operator to pass the packet's information to the logging facility:<br />
<br />
# iptables -A LOG_AND_DROP -j LOG --log-prefix "iptables deny: " --log-level 7<br />
<br />
After they are logged by the first rule, all packets are then dropped:<br />
<br />
# iptables -A LOG_AND_DROP -j DROP<br />
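<br />
Every line written by the LOG rule above is one dropped connection attempt, so the kernel log can be summarized per source address. The following is an added example, not part of the original page; the sample log lines are constructed and the function names are hypothetical.<br />

```sh
#!/bin/sh
# Added example: summarize the drops logged by the LOG_AND_DROP chain.
# Reads kernel log text on stdin (for example the output of `journalctl -k`).

# summarize_denies PORT MIN: print "<count> <source>" for every source address
# with at least MIN logged drops towards PORT, busiest source first.
summarize_denies() {
    awk -v port="${1:-42660}" -v min="${2:-1}" '
        # Only lines carrying the --log-prefix used on this page are counted.
        index($0, "iptables deny: ") == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == port) hits[src]++
        }
        END { for (s in hits) if (hits[s] >= min) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation address ranges, made-up timestamps).
sample_deny_log() {
    cat <<'EOF'
Feb 01 09:40:01 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=42660 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 01 09:40:03 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=51516 DPT=42660 WINDOW=29200 RES=0x00 SYN URGP=0
Feb 01 09:40:09 gw kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Feb 01 09:41:15 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=911 DF PROTO=TCP SPT=40022 DPT=42660 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 01 09:41:20 gw kernel: iptables deny: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4250 DF PROTO=TCP SPT=51530 DPT=42660 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}
```

On a live system the input would come from the kernel log, e.g. {{ic|journalctl -k}} piped into {{ic|summarize_denies 42660 10}}.<br />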
<br />
===== Anti-brute-force tools =====<br />
<br />
You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to automatically block IP addresses that fail password authentication too many times.<br />
* Use [https://github.com/jtniehof/pam_shield pam_shield] to block IP addresses that perform too many login attempts within a certain period of time. In contrast to [[fail2ban]] or [[sshguard]], this program does not take login success or failure into account.<br />
<br />
==== Limit root login ====<br />
<br />
{{Out of date|Root login has been disabled by default upstream in the current version. Unclear to me what parts of this section and subsections are redundant.}}<br />
<br />
It is generally considered bad practice to allow the root user to log in without restraint over SSH. There are two methods by which SSH root access can be restricted for increased security.<br />
<br />
===== Deny =====<br />
<br />
Sudo selectively provides root rights for the actions that require them, without authenticating against the root account. This allows locking the root account against access via SSH and potentially functions as a security measure against brute force attacks, since now an attacker must guess the account name in addition to the password.<br />
<br />
SSH can be configured to deny remote logins with the root user by editing the "Authentication" section in the daemon configuration file. Simply set {{ic|PermitRootLogin}} to {{ic|no}}:<br />
<br />
{{hc|/etc/ssh/sshd_config|PermitRootLogin no}}<br />
<br />
Next, [[restart]] the SSH daemon.<br />
<br />
You will now be unable to log in through SSH under root, but will still be able to log in with your normal user and use [[su]] or [[sudo]] to do system administration.<br />
<br />
===== Restrict =====<br />
<br />
Some automated tasks such as remote, full-system backup require full root access. To allow these in a secure way, instead of disabling root login via SSH, it is possible to only allow root logins for selected commands. This can be achieved by editing {{ic|~root/.ssh/authorized_keys}}, by prefixing the desired key, e.g. as follows:<br />
<br />
command="/usr/lib/rsync/rrsync -ro /" ssh-rsa …<br />
<br />
This will allow any login with this specific key only to execute the command specified between the quotes.<br />
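<br />
The forced-command restriction above, extended to a small allowlist, as an added example that is not part of the original page: a wrapper named in the key's {{ic|command}} field inspects {{ic|SSH_ORIGINAL_COMMAND}}, which ''sshd'' sets to the command the client asked for. The path {{ic|/usr/local/bin/ssh-gate}}, the {{ic|--enforce}} argument and the allowlisted {{ic|uptime}} and {{ic|df -h /}} entries are assumptions; rsync requests are still handed to the page's {{ic|rrsync -ro /}}.<br />

```sh
#!/bin/sh
# Added example, not from the wiki page. Hypothetical install path:
#   /usr/local/bin/ssh-gate
# Hypothetical ~root/.ssh/authorized_keys entry (key elided):
#   command="/usr/local/bin/ssh-gate --enforce" ssh-rsa ...
# sshd runs this script instead of the client's request and exports that
# request in SSH_ORIGINAL_COMMAND.

# gate_decide REQUEST: print the decision for one client request.
gate_decide() {
    case $1 in
        '')
            # No command means the client asked for an interactive shell.
            echo "deny:no-command" ;;
        *[!A-Za-z0-9\ ._/=:,-]*)
            # Anything outside this character set (shell metacharacters,
            # quotes, newlines) is refused before the allowlist is consulted.
            echo "deny:bad-characters" ;;
        'rsync --server '*)
            # rrsync validates the rsync arguments itself.
            echo "run:rrsync" ;;
        'uptime')
            echo "run:uptime" ;;
        'df -h /')
            echo "run:df" ;;
        *)
            echo "deny:not-allowlisted" ;;
    esac
}

# gate_main: act on the decision. Only fixed command lines are executed; the
# client's string is never handed to a shell.
gate_main() {
    decision=$(gate_decide "${SSH_ORIGINAL_COMMAND-}")
    # SSH_CONNECTION is "client_ip client_port server_ip server_port".
    logger -t ssh-gate "client=${SSH_CONNECTION%% *} decision=$decision" || true
    case $decision in
        run:rrsync) exec /usr/lib/rsync/rrsync -ro / ;;
        run:uptime) exec uptime ;;
        run:df)     exec df -h / ;;
        *)          echo "ssh-gate: request refused" >&2; exit 1 ;;
    esac
}

# Only enforce when invoked the way the authorized_keys entry invokes it.
if [ "${1-}" = "--enforce" ]; then
    gate_main
fi
```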
<br />
The increased attack surface created by exposing the root user name at login can be compensated by adding the following to {{ic|sshd_config}}:<br />
<br />
PermitRootLogin forced-commands-only<br />
<br />
This setting will not only restrict the commands which root may execute via SSH, but it will also disable the use of passwords, forcing use of public key authentication for the root account.<br />
<br />
A slightly less restrictive alternative will allow any command for root, but makes brute force attacks infeasible by enforcing public key authentication. For this option, set:<br />
<br />
PermitRootLogin prohibit-password<br />
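<br />
A check of a daemon configuration file against the settings discussed in [[#Force public key authentication]], [[#Two-factor authentication and public keys]] and this section, as an added example that is not part of the original page. The function names and both sample configurations are constructed; the parser assumes the whitespace-separated {{ic|Keyword value}} form and stops at the first {{ic|Match}} block.<br />

```sh
#!/bin/sh
# Added example: audit the global part of an sshd_config file.

# sshd_first_value FILE KEYWORD: print the first value set for KEYWORD.
# sshd uses the first value it obtains for a keyword, so a later duplicate
# line does not override an earlier one. Keywords are case-insensitive.
sshd_first_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }   # per-connection overrides not audited
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: print one WARN line per finding, or "OK".
audit_sshd_config() {
    file=$1
    pw=$(sshd_first_value "$file" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(sshd_first_value "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    methods=$(sshd_first_value "$file" AuthenticationMethods)
    {
        # Unset means the default, which is "yes".
        if [ "${pw:-yes}" != no ]; then
            echo "WARN PasswordAuthentication=${pw:-yes}: password logins accepted"
        fi
        if [ "$root" = yes ]; then
            echo "WARN PermitRootLogin=yes: root may log in with a password"
        fi
        # Space-separated entries are alternatives, comma-separated ones are
        # all required. Any alternative without publickey skips the key.
        for alt in $methods; do
            case $alt in
                *publickey*) ;;
                *) echo "WARN AuthenticationMethods: '$alt' alone is sufficient" ;;
            esac
        done
    } | awk '{ print } END { if (NR == 0) print "OK" }'
}

# Constructed sample configurations.
sample_sshd_config() {
    case $1 in
        weak) cat <<'EOF'
# constructed sample: the second PermitRootLogin line is ignored by sshd
Port 39901
PermitRootLogin yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam
PermitRootLogin no
EOF
            ;;
        hardened) cat <<'EOF'
# constructed sample
Port 39901
PasswordAuthentication no
PermitRootLogin forced-commands-only
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
EOF
            ;;
    esac
}
```

On a running server, {{ic|sshd -T}} prints the effective configuration including defaults, which is the authoritative source for the same checks.<br />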
<br />
==== Securing the authorized_keys file ====<br />
<br />
For additional protection, you can prevent users from adding new public keys and connecting from them.<br />
<br />
In the server, make the {{ic|authorized_keys}} file read-only for the user and deny all other permissions:<br />
<br />
$ chmod 400 ~/.ssh/authorized_keys<br />
<br />
To keep the user from simply changing the permissions back, [[File permissions and attributes#chattr and lsattr|set the immutable bit]] on the {{ic|authorized_keys}} file. After that the user could rename the {{ic|~/.ssh}} directory to something else and create a new {{ic|~/.ssh}} directory and {{ic|authorized_keys}} file. To prevent this, set the immutable bit on the {{ic|~/.ssh}} directory too.<br />
<br />
{{Note|If you find yourself needing to add a new key, you will first have to remove the immutable bit from {{ic|authorized_keys}} and make it writable. Follow the steps above to secure it again.}}<br />
<br />
== Tips and tricks ==<br />
<br />
{{Accuracy|According to the current layout, this section seems rather generic, but in fact most of the offered tips work only in ''openssh''. For example ''dropbear'' (listed in [[#Other SSH clients and servers]]) does not support SOCKS proxy.[https://en.wikipedia.org/wiki/Comparison_of_SSH_clients#Technical]}}<br />
<br />
=== Encrypted SOCKS tunnel ===<br />
<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you do not have to remember your IP-address.<br />
<br />
==== Step 1: start the connection ====<br />
<br />
You only have to execute this single command to start the connection:<br />
<br />
$ ssh -TND 4711 ''user''@''host''<br />
<br />
where {{Ic|''user''}} is your username at the SSH server running at the {{Ic|''host''}}. It will ask for your password, and then you are connected. The {{Ic|N}} flag disables the interactive prompt, and the {{Ic|D}} flag specifies the local port on which to listen (you can choose any port number if you want). The {{Ic|T}} flag disables pseudo-tty allocation.<br />
<br />
It is nice to add the verbose ({{Ic|-v}}) flag, because then you can verify that it is actually connected from that output.<br />
<br />
==== Step 2: configure your browser (or other programs) ====<br />
<br />
The above step is useful only in combination with a web browser or another program that uses this newly created SOCKS tunnel. Since SSH currently supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Preferences > General > Network Proxy > Manual proxy'', and enter {{ic|localhost}} in the ''SOCKS host'' text field, and the port number in the next text field ({{ic|4711}} in the example above).<br />
<br />
Firefox does not automatically make DNS requests through the socks tunnel. This potential privacy concern can be mitigated by the following steps:<br />
<br />
# Type {{ic|about:config}} into the Firefox location bar<br />
# Set {{ic|network.proxy.socks_remote_dns}} to {{ic|true}}<br />
# Restart Firefox<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. It is recommended to add one of the following functions to your {{ic|.bashrc}}:<br />
<br />
function secure_chromium {<br />
port=4711<br />
export SOCKS_SERVER=localhost:$port<br />
export SOCKS_VERSION=5<br />
chromium &<br />
exit<br />
}<br />
<br />
OR<br />
<br />
function secure_chromium {<br />
port=4711<br />
chromium --proxy-server="socks://localhost:$port" &<br />
exit<br />
}<br />
<br />
Now open a terminal and just do:<br />
<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
=== X11 forwarding ===<br />
<br />
X11 forwarding is a mechanism that allows graphical interfaces of X11 programs running on a remote system to be displayed on a local client machine. For X11 forwarding the remote host does not need to have a full X11 system installed, however it needs at least to have ''xauth'' installed. ''xauth'' is a utility that maintains {{ic|Xauthority}} configurations used by server and client for authentication of X11 session ([http://xmodulo.com/2012/11/how-to-enable-x11-forwarding-using-ssh.html source]).<br />
<br />
{{Warning|X11 forwarding has important security implications which should be at least acknowledged by reading relevant sections of {{man|1|ssh}}, {{man|5|sshd_config}}, and {{man|5|ssh_config}} manual pages. See also [https://security.stackexchange.com/questions/14815/security-concerns-with-x11-forwarding this StackExchange question.]}}<br />
<br />
==== Setup ====<br />
<br />
===== Remote =====<br />
<br />
* [[install]] the {{Pkg|xorg-xauth}} and {{Pkg|xorg-xhost}} packages<br />
* in {{ic|/etc/ssh/ssh'''d'''_config}}:<br />
** verify that {{ic|AllowTcpForwarding}} and {{ic|X11UseLocalhost}} options are set to ''yes'', and that {{ic|X11DisplayOffset}} is set to ''10'' (those are the default values if nothing has been changed, see {{man|5|sshd_config}})<br />
** set {{ic|X11Forwarding}} to ''yes''<br />
* then [[restart]] the [[#Daemon management|''sshd'' daemon]]. <br />
<br />
===== Client =====<br />
<br />
* [[install]] the {{Pkg|xorg-xauth}} package<br />
* enable the {{ic|ForwardX11}} option by either specifying the {{ic|-X}} switch on the command line for opportunistic connections, or by setting {{ic|ForwardX11}} to ''yes'' in the [[#Configuration|client's configuration]].<br />
<br />
{{Tip|You can enable the {{ic|ForwardX11Trusted}} option ({{ic|-Y}} switch on the command line) if GUI is drawing badly or you receive errors; this will prevent X11 forwardings from being subjected to the [http://www.x.org/wiki/Development/Documentation/Security/ X11 SECURITY extension] controls. Be sure you have read [[#X11 forwarding|the warning]] at the beginning of this section if you do so.}}<br />
<br />
==== Usage ====<br />
<br />
{{Accuracy|{{ic|xhost}} is [http://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-from-ubuntu-machine#comment17148_12772 generally not needed]|section=X11 forwarding}}<br />
<br />
Log on to the remote machine normally, specifying the {{ic|-X}} switch if ''ForwardX11'' was not enabled in the client's configuration file:<br />
<br />
$ ssh -X ''user@host''<br />
<br />
If you receive errors trying to run graphical applications, try ''ForwardX11Trusted'' instead:<br />
<br />
$ ssh -Y ''user@host''<br />
<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors, try the following command as the non-root user:<br />
<br />
$ xhost +<br />
<br />
The above command will allow anybody to forward X11 applications. To restrict forwarding to a particular host, type:<br />
<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. See {{man|1|xhost}} for more details.<br />
<br />
Be careful with some applications as they check for a running instance on the local machine. [[Firefox]] is an example: either close the running Firefox instance or use the following start parameter to start a remote instance on the local machine:<br />
<br />
$ firefox --no-remote<br />
<br />
If you get "X11 forwarding request failed on channel 0" when you connect (and the server {{ic|/var/log/errors.log}} shows "Failed to allocate internet-domain X11 display socket"), make sure package {{Pkg|xorg-xauth}} is installed. If its installation is not working, try to either:<br />
<br />
* enable the {{ic|AddressFamily any}} option in {{ic|ssh'''d'''_config}} on the ''server'', or<br />
* set the {{ic|AddressFamily}} option in {{ic|ssh'''d'''_config}} on the ''server'' to inet.<br />
Setting it to inet may fix problems with Ubuntu clients on IPv4.<br />
<br />
To run X applications as another user on the SSH server, you need to {{Ic|xauth add}} the authentication line taken from {{Ic|xauth list}} of the SSH logged-in user.<br />
<br />
{{Tip|[http://unix.stackexchange.com/a/12772/29867 Here] are [http://unix.stackexchange.com/a/46748/29867 some] useful [http://superuser.com/a/805060/185665 links] for troubleshooting {{ic|X11 Forwarding}} issues.}}<br />
<br />
=== Forwarding other ports ===<br />
<br />
In addition to SSH's built-in support for X11, it can also be used to securely tunnel any TCP connection, by use of local forwarding or remote forwarding.<br />
<br />
Local forwarding opens a port on the local machine, connections to which will be forwarded to the remote host and from there on to a given destination. Very often, the forwarding destination will be the same as the remote host, thus providing a secure shell and, e.g. a secure VNC connection, to the same machine. Local forwarding is accomplished by means of the {{Ic|-L}} switch and its accompanying forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -L 1000:mail.google.com:25 192.168.0.100<br />
<br />
will use SSH to login to and open a shell on {{ic|192.168.0.100}}, and will also create a tunnel from the local machine's TCP port 1000 to mail.google.com on port 25. Once established, connections to {{ic|localhost:1000}} will connect to the Gmail SMTP port. To Google, it will appear that any such connection (though not necessarily the data conveyed over the connection) originated from {{ic|192.168.0.100}}, and such data will be secure between the local machine and 192.168.0.100, but not between {{ic|192.168.0.100}} and Google, unless other measures are taken.<br />
<br />
Similarly:<br />
<br />
$ ssh -L 2000:192.168.0.100:6001 192.168.0.100<br />
<br />
will allow connections to {{ic|localhost:2000}} which will be transparently sent to the remote host on port 6001. The preceding example is useful for VNC connections using the vncserver utility--part of the tightvnc package--which, though very useful, is explicit about its lack of security.<br />
<br />
Remote forwarding allows the remote host to connect to an arbitrary host via the SSH tunnel and the local machine, providing a functional reversal of local forwarding, and is useful for situations where, e.g., the remote host has limited connectivity due to firewalling. It is enabled with the {{Ic|-R}} switch and a forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -R 3000:irc.freenode.net:6667 192.168.0.200<br />
<br />
will bring up a shell on {{ic|192.168.0.200}}, and connections from {{ic|192.168.0.200}} to itself on port 3000 (the remote host's {{ic|localhost:3000}}) will be sent over the tunnel to the local machine and then on to irc.freenode.net on port 6667, thus, in this example, allowing IRC programs to be used on the remote host even if port 6667 would normally be blocked to it.<br />
<br />
Both local and remote forwarding can be used to provide a secure "gateway", allowing other computers to take advantage of an SSH tunnel, without actually running SSH or the SSH daemon by providing a bind-address for the start of the tunnel as part of the forwarding specification, e.g. {{Ic|<tunnel address>:<tunnel port>:<destination address>:<destination port>}}. The {{Ic|<tunnel address>}} can be any address on the machine at the start of the tunnel. The address {{Ic|localhost}} allows connections via the {{ic|localhost}} or loopback interface, and an empty address or {{Ic|*}} allow connections via any interface. By default, forwarding is limited to connections from the machine at the "beginning" of the tunnel, i.e. the {{Ic|<tunnel address>}} is set to {{Ic|localhost}}. Local forwarding requires no additional configuration, however remote forwarding is limited by the remote server's SSH daemon configuration. See the {{Ic|GatewayPorts}} option in {{man|5|sshd_config}} and {{ic|-L address}} option in {{man|1|ssh}} for more information about remote forwarding and local forwarding, respectively.<br />
<br />
=== Jump hosts ===<br />
<br />
In certain scenarios, there might not be a direct connection to your target SSH daemon, and the use of a jump server (or bastion server) is required. In that case, two or more SSH tunnels are connected together, assuming your local keys are authorized against each server in the chain. This is possible using SSH agent forwarding ({{ic|-A}}) and pseudo-terminal allocation ({{ic|-t}}), which forwards your local key with the following syntax:<br />
<br />
$ ssh -A -t -l user1 bastion1 \<br />
ssh -A -t -l user2 intermediate2 \<br />
ssh -A -t -l user3 target<br />
<br />
An easier way to do this is using the {{ic|-J}} flag:<br />
<br />
$ ssh -J user1@bastion1,user2@intermediate2 user3@target<br />
<br />
Multiple hosts in the {{ic|-J}} directive can be separated with a comma; they will be connected to in the order listed. The {{ic|user...@}} part is not required, but can be used. The host specifications for {{ic|-J}} use the ssh configuration file, so specific per-host options can be set there, if needed.<br />
<br />
=== Reverse SSH through a relay ===<br />
<br />
{{Style|The idea of SSH tunneling is classic, so some references for detailed explanation would be nice. E.g. [https://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work/118650#118650] which includes other scenarios.}}<br />
<br />
The idea is that the client connects to the server via a relay, while the server is connected to the same relay using a reverse SSH tunnel. This is useful, for example, when the server is behind a NAT and the relay is a publicly accessible SSH server used as a proxy to which the user has access. The prerequisite is that the client's keys are authorized against both the relay and the server, and that the server's keys are authorized against the relay as well for the reverse SSH connection.<br />
<br />
The following configuration example assumes that user1 is the user account used on client, user2 on relay and user3 on server. First the server needs to establish the reverse tunnel with:<br />
<br />
ssh -R 2222:localhost:22 -N user2@relay<br />
<br />
This can also be automated with a startup script, systemd service or {{Pkg|autossh}}.<br />
<br />
{{Expansion|Explain why {{ic|ssh user3@relay -p 2222}} is not sufficient.}}<br />
<br />
At the client side the connection is established with:<br />
<br />
ssh user2@relay ssh user3@localhost -p 2222<br />
<br />
The remote command to establish the connection to reverse tunnel can also be defined in relay's {{ic|~/.ssh/authorized_keys}} by including the {{ic|command}} field as follows:<br />
<br />
command="ssh user3@localhost -p 2222" ssh-rsa KEY2 user1@client<br />
<br />
In this case the connection is established with:<br />
<br />
ssh user2@relay<br />
<br />
Note that SCP's autocomplete function in client's terminal is not working and even the SCP transfers themselves are not working under some configurations.<br />
<br />
=== Multiplexing ===<br />
<br />
The SSH daemon usually listens on port 22. However, it is common practice for many public internet hotspots to block all traffic that is not on the regular HTTP/S ports (80 and 443, respectively), thus effectively blocking SSH connections. The immediate solution for this is to have {{ic|sshd}} listen additionally on one of the whitelisted ports:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Port 22<br />
Port 443<br />
}}<br />
<br />
However, it is likely that port 443 is already in use by a web server serving HTTPS content, in which case it is possible to use a multiplexer, such as {{Pkg|sslh}}, which listens on the multiplexed port and can intelligently forward packets to many services.<br />
<br />
=== Speeding up SSH ===<br />
<br />
There are several [[#Configuration|client configuration]] options which can speed up connections either globally or for specific hosts. See {{man|5|ssh_config}} for full descriptions of these options.<br />
<br />
* You can make all sessions to the same host share a single connection using these options: {{bc|<nowiki><br />
ControlMaster auto<br />
ControlPersist yes<br />
ControlPath ~/.ssh/sockets/socket-%r@%h:%p<br />
</nowiki>}}<br />
: where {{ic|~/.ssh/sockets}} can be any directory not writable by other users.<br />
<br />
* {{ic|ControlPersist}} specifies how long the master should wait in the background for new clients after the initial client connection has been closed. Possible values are either: <br />
** {{ic|no}} to close the connection immediately after the last client disconnects, <br />
** a time in seconds,<br />
** {{ic|yes}} to wait forever, the connection will never be closed automatically.<br />
<br />
* Compression can increase speed on slow connections; it is enabled with the {{ic|Compression yes}} option or the {{ic|-C}} flag. However, the compression algorithm used is the relatively slow {{man|1|gzip}}, which becomes the bottleneck on fast networks. To speed up the connection, use the {{ic|Compression no}} option on local or fast networks.<br />
<br />
* Login time can be shortened by bypassing IPv6 lookup using the {{ic|AddressFamily inet}} option or {{ic|-4}} flag.<br />
<br />
* Last, if you intend to use SSH for SFTP or SCP, [https://www.psc.edu/index.php/hpn-ssh High Performance SSH/SCP] can significantly increase throughput by dynamically raising the SSH buffer sizes. Install the package {{AUR|openssh-hpn-git}} to use a patched version of OpenSSH with this enhancement.<br />
<br />
=== Mounting a remote filesystem with SSHFS ===<br />
<br />
Please refer to the [[SSHFS]] article to mount an SSH-accessible remote system to a local folder, so you will be able to do any operation on the mounted files with any tool (copy, rename, edit with vim, etc.). ''sshfs'' is generally preferred over ''shfs'', as the latter has not been updated since 2004.<br />
{{Tip|There is a package {{AUR|autosshfs-git}} that can be used to run autosshfs automatically at login.}}<br />
<br />
=== Keep alive ===<br />
<br />
By default, the SSH session automatically logs out if it has been idle for a certain time. To keep the session up, the client can send a keep-alive signal to the server if no data has been received for some time, or symmetrically the server can send messages at regular intervals if it has not heard from the client.<br />
<br />
* On the '''server''' side, {{ic|ClientAliveInterval}} sets the timeout in seconds after which if no data has been received from the client, ''sshd'' will send a request for response. The default is 0, no message is sent. For example to request a response every 60 seconds from the client, set the {{ic|ClientAliveInterval 60}} option in your [[#Configuration_2|server configuration]]. See also the {{ic|ClientAliveCountMax}} and {{ic|TCPKeepAlive}} options.<br />
* On the '''client''' side, {{ic|ServerAliveInterval}} controls the interval between the requests for response sent from the client to the server. For example to request a response every 120 seconds from the server, add the {{ic|ServerAliveInterval 120}} option to your [[#Configuration|client configuration]]. See also the {{ic|ServerAliveCountMax}} and {{ic|TCPKeepAlive}} options.<br />
<br />
{{Note|To ensure a session is kept alive, only one of either the client or the server needs to send keep-alive requests. If one controls both the servers and the clients, a reasonable choice is to only configure the clients that require a persistent session with a positive {{ic|ServerAliveInterval}} and leave other clients and servers in their default configuration.}}<br />
<br />
=== Automatically restart SSH tunnels with systemd ===<br />
<br />
[[systemd]] can automatically start SSH connections on boot/login ''and'' restart them when they fail. This makes it a useful tool for maintaining SSH tunnels.<br />
<br />
The following service can start an SSH tunnel on login using the connection settings in your [[#Configuration|ssh configuration]]. If the connection closes for any reason, it waits 10 seconds before restarting it:<br />
<br />
{{hc|~/.config/systemd/user/tunnel.service|<nowiki><br />
[Unit]<br />
Description=SSH tunnel to myserver<br />
<br />
[Service]<br />
Type=simple<br />
Restart=always<br />
RestartSec=10<br />
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N myserver<br />
</nowiki>}}<br />
<br />
Then [[enable]] and [[start]] the user service. See [[#Keep alive]] for how to prevent the tunnel from timing out. If you wish to start the tunnel on boot, you will need to rewrite the unit as a system service.<br />
<br />
=== Autossh - automatically restarts SSH sessions and tunnels ===<br />
<br />
When a session or tunnel cannot be kept alive, for example due to bad network conditions causing client disconnections, you can use {{Pkg|autossh}} to automatically restart them.<br />
<br />
Usage examples:<br />
<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" username@example.com<br />
<br />
Combined with [[SSHFS]]:<br />
<br />
$ sshfs -o reconnect,compression=yes,transform_symlinks,ServerAliveInterval=45,ServerAliveCountMax=2,ssh_command='autossh -M 0' username@example.com: /mnt/example <br />
<br />
Connecting through a SOCKS-proxy set by [[Proxy settings]]:<br />
<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" -NCD 8080 username@example.com <br />
<br />
With the {{ic|-f}} option autossh can be made to run as a background process. Running it this way however means the passphrase cannot be entered interactively.<br />
<br />
The session will end once you type {{ic|exit}} in the session, or the autossh process receives a SIGTERM, SIGINT or SIGKILL signal.<br />
<br />
==== Run autossh automatically at boot via systemd ====<br />
<br />
If you want to automatically start autossh, you can create a systemd unit file:<br />
<br />
{{hc|/etc/systemd/system/autossh.service|2=<br />
[Unit]<br />
Description=AutoSSH service for port 2222<br />
After=network.target<br />
<br />
[Service]<br />
Environment="AUTOSSH_GATETIME=0"<br />
ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
Here {{ic|1=AUTOSSH_GATETIME=0}} is an environment variable specifying how long ssh must be up before autossh considers it a successful connection. Setting it to 0 also makes autossh ignore the first run failure of ssh, which may be useful when running autossh at boot. Other environment variables are described in the manpage. You can make this unit more complex if necessary (see the systemd documentation for details) and use your own options for autossh, but note that the {{ic|-f}} option, which implies {{ic|1=AUTOSSH_GATETIME=0}}, does not work with systemd.<br />
<br />
Remember to [[start]] and/or [[enable]] the service afterwards.<br />
<br />
You may also need to disable ControlMaster e.g.<br />
<br />
ExecStart=/usr/bin/autossh -M 0 -o ControlMaster=no -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
{{Tip|It is also easy to maintain several autossh processes, to keep several tunnels alive. Just create multiple service files with different names.}}<br />
<br />
=== Alternative service should SSH daemon fail ===<br />
<br />
For remote or headless servers which rely exclusively on SSH, a failure to start the SSH daemon (e.g., after a system upgrade) may prevent administration access. [[systemd]] offers a simple solution via the {{ic|OnFailure}} option.<br />
<br />
Let us suppose the server runs {{ic|sshd}} and [[telnet]] is the fail-safe alternative of choice. Create a file as follows. Do '''not''' [[enable]] telnet.socket!<br />
<br />
{{hc|/etc/systemd/system/sshd.service.d/override.conf|2=<br />
[Unit]<br />
OnFailure=telnet.socket<br />
}}<br />
<br />
That's it. Telnet is not available when {{ic|sshd}} is running. Should {{ic|sshd}} fail to start, a telnet session can be opened for recovery.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Checklist ===<br />
<br />
Check these simple issues before you look any further.<br />
<br />
# The config directory {{ic|~/.ssh}} and its contents should be accessible only by your user (check this on both the client and the server): {{bc|<nowiki><br />
$ chmod 700 ~/.ssh<br />
$ chmod 600 ~/.ssh/*<br />
$ chown -R $USER ~/.ssh<br />
</nowiki>}}<br />
# Check that the client's public key (e.g. {{ic|id_rsa.pub}}) is in {{ic|~/.ssh/authorized_keys}} on the server.<br />
# Check that you did not limit SSH access with {{ic|AllowUsers}} or {{ic|AllowGroups}} in the [[#Configuration_2|server config]].<br />
# Check if the user has set a password. Sometimes new users who have not yet logged in to the server do not have a password.<br />
# [[Append]] {{ic|LogLevel DEBUG}} to {{ic|/etc/ssh/sshd_config}}.<br />
# Use {{ic|journalctl -xe}} for possible (error) messages.<br />
# [[Restart]] {{ic|sshd}} and logout/login on both client and server.<br />
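The first checklist item, and the earlier requirement that the {{ic|ControlPath}} socket directory not be writable by other users, can both be verified with one audit. The following is an added example, not part of the original article: the function name {{ic|audit_ssh_dir}} is hypothetical, it assumes GNU {{ic|stat}} as shipped on Arch Linux, and it is stricter than "not writable" because it flags any group or other access.

```shell
#!/bin/sh
# Added example (not from the original article): report every entry under an
# SSH directory that is not private to its owner.
# Assumption: GNU coreutils stat (-c format strings). Names containing
# newlines are not handled.

# audit_ssh_dir DIR [UID]
#   Prints one finding per line and exits 1 if anything is wrong, 0 if clean.
#   The body runs in a subshell, so its variables do not leak to the caller.
audit_ssh_dir() (
    dir=$1
    uid=${2:-$(id -u)}          # numeric uid that must own everything

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir is not a directory"
        exit 1
    fi

    report=$(
        # Symlinks always show mode 777, so they are skipped.
        find "$dir" ! -type l -exec stat -c '%a %u %n' {} + |
        while read -r mode owner path; do
            # Wrong owner: what "chown -R $USER ~/.ssh" in the checklist repairs.
            [ "$owner" = "$uid" ] ||
                echo "OWNER $path: owned by uid $owner, expected $uid"
            # Mask 077 selects the group and other bits; any bit set there
            # means another account can read, write or traverse the entry.
            [ $(( 0$mode & 077 )) -eq 0 ] ||
                echo "MODE $path: mode $mode grants group/other access"
        done
    )

    [ -z "$report" ] && exit 0
    printf '%s\n' "$report"
    exit 1
)

# Typical use on both client and server:
#   audit_ssh_dir ~/.ssh
#   audit_ssh_dir ~/.ssh/sockets
```

A clean run prints nothing and returns 0; each {{ic|MODE}} or {{ic|OWNER}} line names an entry to fix with the {{ic|chmod}} and {{ic|chown}} commands from the first checklist item.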
<br />
=== Connection refused or timeout problem ===<br />
<br />
==== Port forwarding ====<br />
<br />
If you are behind a NAT mode/router (which is likely unless you are on a VPS or publicly addressed host), make sure that your router is forwarding incoming ssh connections to your machine. Find the server's internal IP address with {{ic|$ ip addr}} and set up your router to forward TCP on your SSH port to that IP. [http://portforward.com portforward.com] can help with that.<br />
<br />
==== Is SSH running and listening? ====<br />
<br />
The [[ss]] utility shows all the processes listening to a TCP port with the following command line:<br />
<br />
$ ss --tcp --listening<br />
<br />
If the above command does not show that the system is listening on the port {{ic|ssh}}, then SSH is NOT running: check {{ic|/var/log/messages}} for errors etc.<br />
<br />
==== Are there firewall rules blocking the connection? ====<br />
<br />
[[Iptables]] may be blocking connections on port {{ic|22}}. Check this with:<br />
{{bc|# iptables -nvL}}<br />
and look for rules that might be dropping packets on the {{ic|INPUT}} chain. Then, if necessary, unblock the port with a command like: <br />
{{bc|<br />
# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT<br />
}}<br />
For more help configuring firewalls, see [[firewalls]].<br />
<br />
==== Is the traffic even getting to your computer? ====<br />
<br />
Start a traffic dump on the computer you are having problems with:<br />
<br />
# tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should show some basic information, then wait for any matching traffic to happen before displaying it. Try your connection now. If you do not see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g., hardware firewall, NAT router etc.).<br />
<br />
==== Your ISP or a third party blocking default port? ====<br />
<br />
{{Note|Try this step if you '''know''' you are not running any firewalls and you know you have configured the router for DMZ or have forwarded the port to your computer and it still does not work. Here you will find diagnostic steps and a possible solution.}}<br />
<br />
In some cases, your ISP might block the default port (SSH port 22) so whatever you try (opening ports, hardening the stack, defending against flood attacks, et al) ends up useless. To confirm this, create a server on all interfaces (0.0.0.0) and connect remotely. <br />
<br />
If you get an error message comparable to this:<br />
<br />
ssh: connect to host www.inet.hr port 22: Connection refused<br />
<br />
That means the port is '''not''' being blocked by the ISP, but the server does not run SSH on that port (See [[wikipedia:Security through obscurity|security through obscurity]]).<br />
<br />
However, if you get an error message comparable to this:<br />
<br />
ssh: connect to host 111.222.333.444 port 22: Operation timed out <br />
<br />
That means that something is rejecting your TCP traffic on port 22. In effect, that port is stealthed, either by your firewall or by third-party intervention (like an ISP blocking and/or rejecting incoming traffic on port 22). If you know you are not running any firewall on your computer, and you know that Gremlins are not growing in your routers and switches, then your ISP is blocking the traffic.<br />
<br />
To double check, you can run Wireshark on your server and listen to traffic on port 22. Since Wireshark is a Layer 2 Packet Sniffing utility, and TCP/UDP are Layer 3 and above (see [[wikipedia:Internet protocol suite|IP Network stack]]), if you do not receive anything while connecting remotely, a third party is most likely to be blocking the traffic on that port to your server.<br />
<br />
===== Diagnosis =====<br />
<br />
[[Install]] either {{Pkg|tcpdump}} or Wireshark with the {{Pkg|wireshark-cli}} package.<br />
<br />
For tcpdump:<br />
<br />
# tcpdump -ni ''interface'' "port 22"<br />
<br />
For Wireshark:<br />
<br />
$ tshark -f "tcp port 22" -i ''interface''<br />
<br />
where {{ic|''interface''}} is the network interface for a WAN connection (see {{ic|ip a}} to check). If you are not receiving any packets while trying to connect remotely, you can be very sure that your ISP is blocking the incoming traffic on port 22.<br />
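The "Connection refused" versus "Operation timed out" distinction described above can also be tested from the client side without an SSH client. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes {{ic|bash}} (for its {{ic|/dev/tcp}} redirection) and coreutils {{ic|timeout}} are installed.

```shell
#!/bin/sh
# Added example (not from the original article): attempt a plain TCP connect
# and interpret the result the way the section above reads ssh's errors.
# Assumptions: bash provides /dev/tcp, coreutils provides timeout.

# classify_probe RC STDERR  ->  open | refused | filtered | error
#   RC is the exit status of "timeout ... bash -c 'exec 3<>/dev/tcp/...'".
classify_probe() {
    case "$1" in
        0)   echo open ;;        # three-way handshake completed
        124) echo filtered ;;    # timeout(1) killed the attempt: no answer at all
        *)   case "$2" in
                 *"Connection refused"*) echo refused ;;  # RST came back
                 *)                      echo error ;;    # DNS failure, no route, ...
             esac ;;
    esac
}

# probe_port HOST PORT [SECONDS]
#   Prints "<verdict>: <reading>" and returns 0 only when the port is open.
probe_port() {
    host=$1 port=$2 secs=${3:-5}
    # Host and port are passed as positional arguments, never spliced into
    # the command string. LC_ALL=C keeps the error text in English.
    err=$(LC_ALL=C timeout "$secs" \
          bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1)
    rc=$?
    verdict=$(classify_probe "$rc" "$err")
    case "$verdict" in
        open)     echo "open: $host:$port is reachable and a service is listening" ;;
        refused)  echo "refused: $host:$port is reachable but nothing listens there, so the port is not blocked in transit" ;;
        filtered) echo "filtered: no reply from $host:$port within ${secs}s, a firewall, NAT router or ISP is dropping the traffic" ;;
        *)        echo "error: could not test $host:$port ($err)" ;;
    esac
    [ "$verdict" = open ]
}

# Typical use from a machine outside your network (port 1234 as in the
# "Possible solution" below):
#   probe_port your.server.example 22
#   probe_port your.server.example 1234
```

A {{ic|filtered}} verdict on port 22 together with an {{ic|open}} verdict on an alternative port is the pattern that points at port-specific blocking between client and server.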
<br />
===== Possible solution =====<br />
<br />
The solution is just to use some other port that the ISP is not blocking. Open the {{ic|/etc/ssh/sshd_config}} and configure the file to use different ports. For example, add:<br />
<br />
Port 22<br />
Port 1234<br />
<br />
Also make sure that other "Port" configuration lines in the file are commented out. Just commenting "Port 22" and putting "Port 1234" will not solve the issue because then sshd will only listen on port 1234. Use both lines to run the SSH server on both ports. <br />
<br />
[[Restart]] the server {{ic|sshd.service}} and you are almost done. You still have to configure your client(s) to use the other port instead of the default port. There are numerous solutions to that problem, but let us cover two of them here.<br />
<br />
==== Read from socket failed: connection reset by peer ====<br />
<br />
Recent versions of openssh sometimes fail with the above error message when connecting to older ssh servers. This can be worked around by setting various [[#Configuration|client options]] for that host. See {{man|5|ssh_config}} for more information about the following options.<br />
<br />
The problem could be the {{ic|ecdsa-sha2-nistp*-cert-v01@openssh}} elliptic curve host key algorithms. These can be disabled by setting {{ic|HostKeyAlgorithms}} to a list excluding those algorithms.<br />
<br />
If that does not work, it could be that the list of ciphers is too long. Set the {{ic|Ciphers}} option to a shorter list (fewer than 80 characters should be enough). Similarly, you can also try shortening the list of {{ic|MACs}}.<br />
<br />
See also the [http://www.gossamer-threads.com/lists/openssh/dev/51339 discussion] on the openssh bug forum.<br />
<br />
=== "[your shell]: No such file or directory" / ssh_exchange_identification problem ===<br />
<br />
One possible cause for this is the need of certain SSH clients to find an absolute path (one returned by {{Ic|whereis -b [your shell]}}, for instance) in {{Ic|$SHELL}}, even if the shell's binary is located in one of the {{Ic|$PATH}} entries.<br />
<br />
==="Terminal unknown" or "Error opening terminal" error message===<br />
<br />
If you receive the above errors upon logging in, this means the server does not recognize your terminal. Ncurses applications like nano may fail with the message "Error opening terminal".<br />
<br />
The correct solution is to install the client terminal's terminfo file on the server. This tells console programs on the server how to correctly interact with your terminal. You can get info about current terminfo using {{ic|$ infocmp}} and then find out [[pacman#Querying package databases|which package owns it]].<br />
<br />
If you cannot [[install]] it normally, you can copy your terminfo to your home directory on the server:<br />
<br />
$ ssh myserver mkdir -p ~/.terminfo/${TERM:0:1}<br />
$ scp /usr/share/terminfo/${TERM:0:1}/$TERM myserver:~/.terminfo/${TERM:0:1}/<br />
<br />
After logging in and out from the server the problem should be fixed.<br />
<br />
==== TERM hack ====<br />
<br />
{{Note|This should only be used as a last resort.}}<br />
<br />
Alternatively, you can simply set {{ic|1=TERM=xterm}} in your environment on the server (e.g. in {{ic|.bash_profile}}). This will silence the error and allow ncurses applications to run again, but you may experience strange behavior and graphical glitches unless your terminal's control sequences exactly match xterm's.<br />
<br />
=== Connection closed by x.x.x.x [preauth] ===<br />
<br />
If you are seeing this error in your sshd logs, make sure you have set a valid HostKey:<br />
<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
=== id_dsa refused by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated DSA public keys for security reasons. If you absolutely must enable them, set the [[#Configuration|config]] option {{ic|PubkeyAcceptedKeyTypes +ssh-dss}} (http://www.openssh.com/legacy.html does not mention this).<br />
<br />
=== No matching key exchange method found by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated the diffie-hellman-group1-sha1 key algorithm because it is weak and within theoretical range of the so-called Logjam attack (see http://www.openssh.com/legacy.html). If the key algorithm is needed for a particular host, ssh will produce an error message like this:<br />
<br />
Unable to negotiate with 127.0.0.1: no matching key exchange method found.<br />
Their offer: diffie-hellman-group1-sha1<br />
<br />
The best resolution for these failures is to upgrade/configure the server to not use deprecated algorithms. If that is not possible, you can force the client to reenable the algorithm with the [[#Configuration|client option]] {{ic|KexAlgorithms +diffie-hellman-group1-sha1}}.<br />
<br />
=== tmux/screen session killed when disconnecting from SSH ===<br />
<br />
If your processes get killed at the end of the session, it is possible that you are using socket activation and it gets killed by {{Pkg|systemd}} when it notices that the SSH session process exited. In that case there are two solutions. One is to avoid using socket activation by using {{ic|ssh.service}} instead of {{ic|ssh.socket}}. The other is to set {{ic|1=KillMode=process}} in the Service section of {{ic|ssh@.service}}.<br />
<br />
The {{ic|1=KillMode=process}} setting may also be useful with the classic {{ic|ssh.service}}, as it avoids killing the SSH session process or the {{Pkg|screen}} or {{Pkg|tmux}} processes when the server gets stopped or restarted.<br />
<br />
=== SSH session stops responding ===<br />
<br />
SSH responds to [[Wikipedia:Software flow control|flow control commands]] {{ic|XON}} and {{ic|XOFF}}. It will freeze/hang/stop responding when you hit {{ic|Ctrl+s}}. Use {{ic|Ctrl+q}} to resume your session.<br />
<br />
=== Broken pipe ===<br />
<br />
If you attempt to create a connection which results in a {{ic|Broken pipe}} response for {{ic|packet_write_wait}}, you should reattempt the connection in debug mode and see if the output ends in error:<br />
{{bc|debug3: send packet: type 1<br />
packet_write_wait: Connection to A.B.C.D port 22: Broken pipe}}<br />
The {{ic|send packet}} line above indicates that the reply packet was never received. So, it follows that this is a ''QoS'' issue. To decrease the likelihood of a packet being dropped, set {{ic|IPQoS}}:<br />
{{hc|/etc/ssh/ssh_config|Host *<br />
IPQoS reliability}}<br />
The {{ic|reliability}} ({{ic|0x04}}) type-of-service should resolve the issue, as well as {{ic|0x00}} and {{ic|throughput}} ({{ic|0x08}}).<br />
<br />
=== Slow daemon startup after reboot ===<br />
<br />
If you are experiencing excessively long daemon startup times after reboots (e.g. several minutes before the daemon starts accepting connections), especially on headless or virtualized servers, it may be due to a lack of entropy.[https://bbs.archlinux.org/viewtopic.php?id=241954] This can be remedied by installing either [[Rng-tools]] or [[Haveged]], as appropriate for your system. However, take note of the associated security implications discussed in each package's respective wiki page.<br />
<br />
== See also ==<br />
<br />
* [http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]<br />
* [http://www.ibm.com/developerworks/library/l-keyc/index.html OpenSSH key management, Part 1] and [http://www.ibm.com/developerworks/library/l-keyc2 Part 2] on IBM developerWorks<br />
* [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Unofficial_user_repositories&diff=534955Unofficial user repositories2018-08-14T19:59:47Z<p>Yuvadm: Add y3xz signed repo</p>
<hr />
<div>[[Category:Package management]]<br />
[[ja:非公式ユーザーリポジトリ]]<br />
[[zh-hans:Unofficial user repositories]]<br />
{{Related articles start}}<br />
{{Related|pacman-key}}<br />
{{Related|Official repositories}}<br />
{{Related articles end}}<br />
This article lists binary repositories freely created and shared by the community, often providing pre-built versions of PKGBUILDS found in the [[AUR]].<br />
<br />
{{Warning|The official Arch Linux Developers and the Trusted Users do not perform tests of any sort to verify the contents of these repositories. You must decide whether to trust their maintainers and you take full responsibility for any consequences of using any unofficial repository.}}<br />
<br />
In order to use these repositories, add them to {{ic|/etc/pacman.conf}}, as explained in [[pacman#Repositories and mirrors]]. If a repository is signed, you must obtain and locally sign the associated key, as explained in [[Pacman-key#Adding unofficial keys]].<br />
<br />
If you want to create your own custom repository, follow [[pacman tips#Custom local repository]].<br />
<br />
== Adding your repository to this page ==<br />
<br />
If you have your own repository, please add it to this page, so that all the other users will know where to find your packages. Please keep the following rules when adding new repositories:<br />
<br />
* Keep the lists in alphabetical order.<br />
* Include some information about the maintainer: include at least a (nick)name and some form of contact information (web site, email address, user page on ArchWiki or the forums, etc.).<br />
* If the repository is of the ''signed'' variety, please include a key-id, possibly using it as the anchor for a link to its keyserver; if the key is not on a keyserver, include a link to the key file.<br />
* Include some short description (e.g. the category of packages provided in the repository).<br />
* If there is a page (either on ArchWiki or external) containing more information about the repository, include a link to it.<br />
* If possible, avoid using comments in code blocks. The formatted description is much more readable. Users who want some comments in their {{ic|pacman.conf}} can easily create it on their own.<br />
<br />
Some repositories may also have packages for architectures beside x86_64. The {{ic|$arch}} variable will be set automatically by pacman.<br />
<br />
== Signed ==<br />
<br />
=== arcanisrepo ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#arcanis arcanis]<br />
* '''Description:''' A repository with some AUR packages including packages from VCS<br />
* '''Key-ID:''' Not needed, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[arcanisrepo]<br />
Server = https://repo.arcanis.me/repo/$arch<br />
</nowiki>}}<br />
<br />
(It is also available via FTP with the same url.)<br />
<br />
=== ArchHaskell ===<br />
<br />
Unofficial repositories for Haskell packages.<br />
<br />
See [[/ArchHaskell]].<br />
<br />
=== archlinuxcn ===<br />
<br />
* '''Maintainers:''' [https://plus.google.com/+PhoenixNemo/ Phoenix Nemo (phoenixlzx)], [https://www.archlinux.org/people/developers/#fyan Felix Yan (felixonmars, dev)], [https://twitter.com/lilydjwg lilydjwg], [https://www.archlinux.org/people/trusted-users/#farseerfc farseerfc (TU)], and [https://github.com/archlinuxcn/repo/graphs/contributors others]<br />
* '''Description:''' Packages by the Chinese Arch Linux community, all signed. Be aware that i686 packages are not fully maintained and tested; create an issue if you find any problems.<br />
* '''Git Repo:''' https://github.com/archlinuxcn/repo<br />
* '''Issue tracking:''' https://github.com/archlinuxcn/repo/issues for packaging issues, out-of-date notifications, package requests, and related questions<br />
* '''Mirrors:''' https://github.com/archlinuxcn/mirrorlist-repo (Mostly for users in mainland China), or install ''archlinuxcn-mirrorlist-git'' from the repo.<br />
* '''Key-ID:''' Once the repo is added, ''archlinuxcn-keyring'' package must be installed before any other so you do not get errors about PGP signatures. ''archlinuxcn-keyring'' package itself is signed by TU.<br />
<br />
{{bc|<nowiki><br />
[archlinuxcn]<br />
Server = http://repo.archlinuxcn.org/$arch<br />
## or use a CDN (beta)<br />
#Server = https://cdn.repo.archlinuxcn.org/$arch<br />
## or install archlinuxcn-mirrorlist-git and use the mirrorlist<br />
#Include = /etc/pacman.d/archlinuxcn-mirrorlist<br />
</nowiki>}}<br />
<br />
=== archsec ===<br />
<br />
* '''Maintainer:''' [https://archsec.info The ArchSec Team]<br />
* '''Description:''' A repository of binaries compiled from a hardened toolchain<br />
* '''Upstream page:''' https://archsec.info/<br />
* '''Key-ID:''' 500773F3B282BEDB4D960B0F3C6F2219257C9E23<br />
<br />
{{Note|ArchSec-specific instructions can be found at https://archsec.info/docs/config/}}<br />
<br />
{{bc|<nowiki><br />
[archsec]<br />
Server = https://archsec.info/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== archstrike ===<br />
<br />
* '''Maintainer:''' [https://archstrike.org/team The ArchStrike Team]<br />
* '''Description:''' A repository for security professionals and enthusiasts<br />
* '''Upstream page:''' https://archstrike.org/<br />
* '''Key-ID:''' 9D5F1C051D146843CDA4858BDE64825E7CBC0D51<br />
<br />
{{Note|ArchStrike specific instructions can be found at https://archstrike.org/wiki/setup}}<br />
<br />
{{bc|<nowiki><br />
[archstrike]<br />
Server = https://mirror.archstrike.org/$arch/$repo<br />
</nowiki>}}<br />
<br />
=== archzfs ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/minextu Jan Houben (minextu)]<br />
* '''Description:''' Packages for ZFS on Arch Linux.<br />
* '''Upstream page:''' https://github.com/archzfs/archzfs<br />
* '''Key-ID:''' F75D9D76<br />
<br />
{{bc|<nowiki><br />
[archzfs]<br />
Server = http://archzfs.com/$repo/x86_64<br />
</nowiki>}}<br />
<br />
=== ashleyis ===<br />
<br />
* '''Maintainer:''' Ashley Towns ([https://aur.archlinux.org/account/ashleyis/ ashleyis])<br />
* '''Description:''' Debug versions of SDL, chipmunk, libtmx and other misc game libraries. Also swift-lang and some other AUR packages.<br />
* '''Key-ID:''' B1A4D311<br />
<br />
{{bc|<nowiki><br />
[ashleyis]<br />
Server = http://arch.ashleytowns.id.au/repo/$arch<br />
</nowiki>}}<br />
<br />
=== aur-archlinux ===<br />
<br />
* '''Maintainer:''' Marc Mettke <marc@itmettke.de><br />
* '''Description:''' Auto Build of Most Popular AUR Packages<br />
* '''Upstream page:''' https://repo.itmettke.de/status/<br />
* '''Archive:''' https://repo.itmettke.de/aur-archive/<br />
* '''Key-ID:''' [https://pgp.mit.edu/pks/lookup?op=vindex&search=0x7448C890582975CD 7448C890582975CD]<br />
<br />
{{bc|<nowiki><br />
[aur-archlinux]<br />
Server = https://repo.itmettke.de/aur/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== blackeagle-pre-community ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#idevolder Ike Devolder]<br />
* '''Description:''' testing of the by me maintained packages before moving to ''community'' repository<br />
* '''Key-ID:''' Not required, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[blackeagle-pre-community]<br />
Server = https://repo.herecura.be/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== boyska64 ===<br />
<br />
* '''Maintainer:''' boyska<br />
* '''Description:''' Personal repository: cryptography, sdr, mail handling and misc; don't expect packages to be upgraded promptly, I am a zealot of slackness<br />
* '''Key-ID:''' 0x7395DCAE58289CA9<br />
<br />
{{bc|<nowiki><br />
[boyska64]<br />
Server = http://boyska.degenerazione.xyz/archrepo<br />
</nowiki>}}<br />
<br />
=== catalyst ===<br />
<br />
* '''Maintainer:''' [[User:Vi0L0|Vi0l0]]<br />
* '''Description:''' ATI Catalyst proprietary drivers.<br />
* '''Key-ID:''' 653C3094<br />
<br />
{{bc|<nowiki><br />
[catalyst]<br />
Server = https://mirror.hactar.xyz/Vi0L0/catalyst/$arch<br />
</nowiki>}}<br />
<br />
=== catalyst-hd234k ===<br />
<br />
* '''Maintainer:''' [[User:Vi0L0|Vi0l0]]<br />
* '''Description:''' ATI Catalyst proprietary drivers.<br />
* '''Key-ID:''' 653C3094<br />
<br />
{{bc|<nowiki><br />
[catalyst-hd234k]<br />
Server = https://mirror.hactar.xyz/Vi0L0/catalyst-hd234k/$arch<br />
</nowiki>}}<br />
<br />
=== city ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#bgyorgy Balló György]<br />
* '''Description:''' Experimental/unpopular packages.<br />
* '''Upstream page:''' https://pkgbuild.com/~bgyorgy/city.html<br />
* '''Key-ID:''' Not needed, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[city]<br />
Server = https://pkgbuild.com/~bgyorgy/$repo/os/$arch<br />
</nowiki>}}<br />
<br />
=== coderkun-aur ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/coderkun/ coderkun]<br />
* '''Description:''' AUR packages with random software. Supporting package deltas and package and database signing.<br />
* '''Upstream page:''' https://www.suruatoel.xyz/arch<br />
* '''Key-ID:''' 39E27199A6BEE374<br />
* '''Keyfile:''' [https://www.suruatoel.xyz/coderkun.asc https://www.suruatoel.xyz/coderkun.asc]<br />
<br />
{{bc|<nowiki><br />
[coderkun-aur]<br />
Server = http://arch.suruatoel.xyz/$repo/$arch/<br />
</nowiki>}}<br />
<br />
=== coderkun-aur-audio ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/coderkun/ coderkun]<br />
* '''Description:''' AUR packages with audio-related (realtime kernels, lv2-plugins, …) software. Supporting package deltas and package and database signing.<br />
* '''Upstream page:''' https://www.suruatoel.xyz/arch<br />
* '''Key-ID:''' 39E27199A6BEE374<br />
* '''Keyfile:''' [https://www.suruatoel.xyz/coderkun.key https://www.suruatoel.xyz/coderkun.key]<br />
<br />
{{bc|<nowiki><br />
[coderkun-aur-audio]<br />
Server = http://arch.suruatoel.xyz/$repo/$arch/<br />
</nowiki>}}<br />
<br />
=== eatabrick ===<br />
<br />
* '''Maintainer:''' bentglasstube<br />
* '''Description:''' Packages for software written by (and a few just compiled by) bentglasstube.<br />
<br />
{{bc|<nowiki><br />
[eatabrick]<br />
Server = http://repo.eatabrick.org/$arch<br />
</nowiki>}}<br />
<br />
=== eschwartz ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#eschwartz Eli Schwartz]<br />
* '''Description:''' Personal repo with AUR packages and some core packages from git (including glibc and pacman). Contains debug packages.<br />
* '''Key-ID:''' Not needed, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[eschwartz]<br />
Server = https://pkgbuild.com/~eschwartz/repo/$arch<br />
</nowiki>}}<br />
<br />
=== herecura ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#idevolder Ike Devolder]<br />
* '''Description:''' additional packages not found in the ''community'' repository<br />
* '''Key-ID:''' Not required, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[herecura]<br />
Server = https://repo.herecura.be/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== holo ===<br />
<br />
* '''Maintainer:''' Stefan Majewsky <holo-pacman@posteo.de> (please prefer to report issues at [https://github.com/majewsky/holo-pacman-repo/issues Github])<br />
* '''Description:''' Packages for [https://holocm.org Holo configuration management], including compatible plugins and tools.<br />
* '''Upstream page:''' https://github.com/majewsky/holo-pacman-repo<br />
* '''Package list:''' https://repo.holocm.org/archlinux/x86_64<br />
* '''Key-ID:''' 0xF7A9C9DC4631BD1A<br />
<br />
{{bc|<nowiki><br />
[holo]<br />
Server = https://repo.holocm.org/archlinux/x86_64<br />
</nowiki>}}<br />
<br />
=== ivasilev ===<br />
<br />
* '''Maintainer:''' [https://ivasilev.net Ianis G. Vasilev]<br />
* '''Description:''' A variety of packages, mostly my own software and AUR builds.<br />
* '''Upstream page:''' https://ivasilev.net/pacman<br />
* '''Key-ID:''' [https://pgp.mit.edu/pks/lookup?op=vindex&search=0xB77A3C8832838F1F80ADFD7E1D0507B417DAB671 17DAB671]<br />
<br />
{{Note|I maintain '''any''' and '''x86_64''' repos. '''x86_64''' includes packages from '''any'''. '''$arch''' can be overridden by both.}}<br />
<br />
{{bc|<nowiki><br />
[ivasilev]<br />
Server = https://ivasilev.net/pacman/$arch<br />
</nowiki>}}<br />
<br />
=== jlk ===<br />
<br />
* '''Maintainer:''' [[User:Lahwaacz|Jakub Klinkovský]]<br />
* '''Description:''' Various packages from the ABS and AUR. Modified packages are in the {{ic|modified}} group.<br />
* '''Upstream page:''' http://jlk.fjfi.cvut.cz/arch/repo/README.html<br />
* '''Key-ID:''' 932BA3FA0C86812A32D1F54DAB5964AEB9FEDDDC<br />
<br />
{{bc|<nowiki><br />
[jlk]<br />
Server = http://jlk.fjfi.cvut.cz/arch/repo<br />
</nowiki>}}<br />
<br />
=== linux-macbook ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/m3thodic Tony Lambiris]<br />
* '''Description:''' AUR builds for the linux-macbook kernel by its developer, m3thodic<br />
* '''Upstream page:''' https://aur.archlinux.org/pkgbase/linux-macbook/<br />
* '''Key-ID:''' A55A1B6C098962D84AE9B57016A33C9959A40DED<br />
<br />
{{bc|<nowiki><br />
[linux-macbook]<br />
Server = http://libpcap.net/repo/linux-macbook<br />
</nowiki>}}<br />
<br />
=== llvm-svn ===<br />
<br />
* '''Maintainer:''' [[User:Kerberizer|Luchesar V. ILIEV (kerberizer)]]<br />
* '''Description:''' [https://aur.archlinux.org/pkgbase/llvm-svn llvm-svn] and [https://aur.archlinux.org/pkgbase/lib32-llvm-svn lib32-llvm-svn] from AUR: the LLVM compiler infrastructure, the Clang frontend, and the tools associated with it<br />
* '''Key-ID:''' [https://sks-keyservers.net/pks/lookup?op=vindex&search=0x76563F75679E4525&fingerprint=on&exact=on 0x76563F75679E4525], fingerprint {{ic|D16C F22D 27D1 091A 841C 4BE9 7656 3F75 679E 4525}}<br />
<br />
{{bc|<nowiki><br />
[llvm-svn]<br />
Server = https://repos.uni-plovdiv.net/archlinux/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== markzz ===<br />
<br />
* '''Maintainer:''' [[User:Markzz|Mark Weiman (markzz)]]<br />
* '''Description:''' Packages that markzz maintains or uses on the AUR; this includes Linux with the vfio patchset ({{AUR|linux-vfio}} and {{AUR|linux-vfio-lts}}), and packages to maintain a Debian package repository.<br />
* '''Key ID:''' 3CADDFDD<br />
<br />
{{Note|If you want to add the key by installing the ''markzz-keyring'' package, temporarily add {{ic|1=SigLevel = Never}} into the repository section.}}<br />
<br />
{{bc|<nowiki><br />
[markzz]<br />
Server = https://repo.markzz.com/arch/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== miffe ===<br />
<br />
* '''Maintainer:''' [https://bbs.archlinux.org/profile.php?id=4059 miffe]<br />
* '''Description:''' AUR packages maintained by miffe, e.g. linux-mainline<br />
* '''Key ID:''' 313F5ABD<br />
<br />
{{bc|<nowiki><br />
[miffe]<br />
Server = https://arch.miffe.org/$arch/<br />
</nowiki>}}<br />
<br />
=== mikelpint ===<br />
* '''Maintainer:''' [[User:Mikelpint|Mikel Pintado (Mikelpint)]]<br />
* '''Description:''' Packages that mikelpint maintains in the AUR.<br />
* '''Key ID:''' 5CA78FC65B189E2B<br />
<br />
{{bc|<nowiki><br />
[mikelpint]<br />
Server = https://mikelpint.github.io/repository/archlinux/repo<br />
</nowiki>}}<br />
<br />
=== mobile ===<br />
* '''Maintainer:''' [https://keybase.io/farwayer farwayer]<br />
* '''Description:''' React Native and Android development<br />
* '''Upstream page:''' https://keybase.pub/farwayer/arch/mobile/<br />
* '''Key ID:''' 7943315502A936D7<br />
<br />
{{bc|<nowiki><br />
[mobile]<br />
Server = https://farwayer.keybase.pub/arch/$repo<br />
</nowiki>}}<br />
<br />
=== nah ===<br />
* '''Maintainer:''' [https://yeah.nah.nz phillid]<br />
* '''Description:''' Pre-built versions of the (slow-to-build) graph-tool python libraries, mingw-w64<br />
* '''Key ID:''' 7BF3D17D0884BF5B<br />
<br />
{{bc|<nowiki><br />
[nah]<br />
Server = https://repo.nah.nz/$repo<br />
</nowiki>}}<br />
<br />
=== pkgbuilder ===<br />
<br />
* '''Maintainer:''' [https://chriswarrick.com/ Chris Warrick]<br />
* '''Description:''' A repository for PKGBUILDer, a Python AUR helper.<br />
* '''Upstream page:''' https://github.com/Kwpolska/pkgbuilder<br />
* '''Key-ID:''' 5EAAEA16<br />
<br />
{{bc|<nowiki><br />
[pkgbuilder]<br />
Server = https://pkgbuilder-repo.chriswarrick.com/<br />
</nowiki>}}<br />
<br />
=== qt-debug ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/The-Compiler The Compiler]<br />
* '''Description:''' Qt/PyQt builds with debug symbols<br />
* '''Upstream page:''' https://github.com/qutebrowser/qt-debug-pkgbuild<br />
* '''Key-ID:''' D6A1C70FE80A0C82<br />
<br />
{{bc|<nowiki><br />
[qt-debug]<br />
Server = https://qutebrowser.org/qt-debug/$arch<br />
</nowiki>}}<br />
<br />
=== quarry ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/developers/#anatolik anatolik]<br />
* '''Description:''' Arch binary repository for [http://rubygems.org/ Rubygems] packages. See [https://bbs.archlinux.org/viewtopic.php?id=182729 forum announcement] for more information.<br />
* '''Sources:''' https://github.com/anatol/quarry<br />
* '''Key-ID:''' Not needed, as maintainer is a developer<br />
<br />
{{bc|<nowiki><br />
[quarry]<br />
Server = https://pkgbuild.com/~anatolik/quarry/x86_64/<br />
</nowiki>}}<br />
<br />
=== repo-ck ===<br />
<br />
Kernel and modules with Brain Fuck Scheduler and all the goodies in the ck1 patch set.<br />
<br />
See [[/Repo-ck]].<br />
<br />
=== seblu ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/developers/#seblu Sébastien Luttringer]<br />
* '''Description:''' All seblu useful pre-built packages, some homemade (virtualbox-ext-oracle, linux-seblu-meta, bedup).<br />
* '''Key-ID:''' Not required, as maintainer is a Developer<br />
<br />
{{bc|<nowiki><br />
[seblu]<br />
Server = http://al.seblu.net/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== seiichiro ===<br />
<br />
* '''Maintainer:''' [https://www.seiichiro0185.org Stefan Brand (seiichiro0185)]<br />
* '''Description:''' AUR-packages I use frequently<br />
* '''Key-ID:''' 805517CC<br />
<br />
{{bc|<nowiki><br />
[seiichiro]<br />
Server = https://www.seiichiro0185.org/repo/$arch<br />
</nowiki>}}<br />
<br />
=== sergej-repo ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#spupykin Sergej Pupykin]<br />
* '''Description:''' psi-plus, owncloud-git, ziproxy, android, MySQL, and other stuff. Some packages also available for armv7h.<br />
* '''Key-ID:''' Not required, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[sergej-repo]<br />
Server = http://repo.p5n.pp.ru/$repo/os/$arch<br />
</nowiki>}}<br />
<br />
=== siosm-aur ===<br />
<br />
* '''Maintainer:''' [https://tim.siosm.fr/about/ Timothee Ravier]<br />
* '''Description:''' packages also available in the Arch User Repository, sometimes with minor fixes<br />
* '''Upstream page:''' https://tim.siosm.fr/repositories/<br />
* '''Key-ID:''' 78688F83<br />
<br />
{{bc|<nowiki><br />
[siosm-aur]<br />
Server = http://siosm.fr/repo/$repo/<br />
</nowiki>}}<br />
<br />
=== sublime-text ===<br />
<br />
* '''Maintainer:''' Sublime Text developer<br />
* '''Description:''' Sublime Text editor packages from developer's repository<br />
* '''Upstream page:''' https://www.sublimetext.com/docs/3/linux_repositories.html#pacman<br />
* '''Key-ID:''' 8A8F901A<br />
<br />
{{bc|<nowiki><br />
[sublime-text]<br />
Server = https://download.sublimetext.com/arch/stable/x86_64<br />
</nowiki>}}<br />
<br />
=== subtitlecomposer ===<br />
<br />
* '''Maintainer:''' Mladen Milinkovic (maxrd2)<br />
* '''Description:''' Subtitle Composer stable and nightly builds<br />
* '''Upstream page:''' https://github.com/maxrd2/subtitlecomposer<br />
* '''Key-ID:''' EF9D9B26<br />
<br />
{{bc|<nowiki><br />
[subtitlecomposer]<br />
Server = http://smoothware.net/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== tredaelli-systemd ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#tredaelli Timothy Redaelli]<br />
* '''Description:''' systemd rebuilt with unofficial OpenVZ patch (kernel < 2.6.32-042stab111.1)<br />
* '''Key-ID:''' Not required, as maintainer is a TU<br />
<br />
{{Note|{{ic|[tredaelli-systemd]}} must be put before {{ic|[core]}} in {{ic|/etc/pacman.conf}}}}<br />
<br />
{{bc|<nowiki><br />
[tredaelli-systemd]<br />
Server = https://pkgbuild.com/~tredaelli/repo/systemd/$arch<br />
</nowiki>}}<br />
<br />
=== trinity ===<br />
<br />
* '''Maintainer:''' Michael Manley <mmanley@nasutek.com><br />
* '''Description:''' [[Trinity]] Desktop Environment<br />
* '''Key-ID:''' 65A4AC99<br />
<br />
{{bc|<nowiki><br />
[trinity]<br />
Server = https://repo.nasutek.com/arch/contrib/trinity/x86_64<br />
</nowiki>}}<br />
<br />
=== Webkit2Gtk-unstable ===<br />
* '''Maintainer:''' [[User:Mrmariusz|Mariusz Wojcik]]<br />
* '''Description:''' Latest Webkit2Gtk build for early adopters.<br />
* '''Upstream Page:''' https://webkitgtk.org/<br />
* '''Key-ID:''' 346854B5<br />
<br />
{{bc|<nowiki><br />
[home_mrmariusz_ArchLinux]<br />
Server = https://download.opensuse.org/repositories/home:/mrmariusz/ArchLinux/$arch<br />
</nowiki>}}<br />
<br />
=== xyne-x86_64 ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#xyne Xyne]<br />
* '''Description:''' A repository for Xyne's own projects.<br />
* '''Upstream page:''' http://xyne.archlinux.ca/projects/<br />
* '''Key-ID:''' Not required, as maintainer is a TU<br />
<br />
{{bc|<nowiki><br />
[xyne-x86_64]<br />
Server = https://xyne.archlinux.ca/repos/xyne<br />
</nowiki>}}<br />
<br />
=== y3xz ===<br />
<br />
* '''Maintainer:''' [[User:Yuvadm]]<br />
* '''Description:''' Some preciously compiled packages, mostly armv7 and aarch64 stuff.<br />
* '''Key-ID:''' {{ic|7B40CAB49DA99130954A47CF271386AA2EB7672F}}<br />
<br />
{{bc|<nowiki><br />
[y3xz]<br />
Server = http://arch.y3xz.com/repo/$arch<br />
</nowiki>}}<br />
<br />
== Unsigned ==<br />
<br />
{{Note|Users will need to add the following to these entries: {{ic|1=SigLevel = PackageOptional}}}}<br />
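<br />
How a per-repository {{ic|SigLevel}} override combines with the {{ic|Server}} scheme, as an added example that is not part of the wiki page: it computes the effective package signature level of each repository and flags the ones fetched over plain HTTP without required signatures. The sample configuration is constructed from entries listed on this page, the function names are hypothetical, and the model ignores {{ic|Include}} directives and the {{ic|TrustedOnly}}/{{ic|TrustAll}} tokens.<br />
<br />
```python
import re

# Constructed sample /etc/pacman.conf, built from repository entries on this page.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional

[jlk]
Server = http://jlk.fjfi.cvut.cz/arch/repo

[markzz]
SigLevel = Never
Server = https://repo.markzz.com/arch/$repo/$arch

[andrwe]
SigLevel = PackageOptional
Server = http://repo.andrwe.org/$arch

[alucryd]
SigLevel = PackageOptional
Server = https://pkgbuild.com/~alucryd/$repo/x86_64
"""

LEVELS = ("Never", "Optional", "Required")
# pacman.conf(5) gives the built-in default as "Optional TrustedOnly".
BUILTIN = {"package": "Optional", "database": "Optional"}


def apply_siglevel(base, value):
    """Apply SigLevel tokens left to right on top of the inherited level."""
    level = dict(base)
    for token in value.split():
        for name in LEVELS:
            if token == name:                  # unprefixed: packages and databases
                level["package"] = level["database"] = name
            elif token == "Package" + name:    # packages only
                level["package"] = name
            elif token == "Database" + name:   # databases only
                level["database"] = name
        # Trust tokens (TrustedOnly, TrustAll, ...) are not modelled here.
    return level


def parse_conf(text):
    """Return {section: {"siglevel": str or None, "servers": [url, ...]}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(
                header.group(1), {"siglevel": None, "servers": []})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "SigLevel":
            current["siglevel"] = value
        elif key == "Server":
            current["servers"].append(value)
    return sections


def audit(text):
    """Return {repo: [issue, ...]} for repositories that weaken verification."""
    sections = parse_conf(text)
    options = sections.get("options", {"siglevel": None})
    global_level = apply_siglevel(BUILTIN, options["siglevel"] or "")
    findings = {}
    for repo, section in sections.items():
        if repo == "options":
            continue
        # Parts the repository does not override are inherited from [options].
        level = apply_siglevel(global_level, section["siglevel"] or "")
        unsigned_ok = level["package"] != "Required"
        plaintext = any(url.lower().startswith(("http://", "ftp://"))
                        for url in section["servers"])
        issues = []
        if unsigned_ok:
            issues.append("packages-not-required")
        if plaintext:
            issues.append("plaintext-server")
        if unsigned_ok and plaintext:
            # Neither the transport nor a signature authenticates the package.
            issues.append("unauthenticated-download")
        if issues:
            findings[repo] = issues
    return findings


if __name__ == "__main__":
    for repo, issues in audit(SAMPLE_CONF).items():
        print(f"[{repo}] {', '.join(issues)}")
```

A repository served over HTTP is still verified when package signatures stay {{ic|Required}}; the combination of a plaintext server and an optional or disabled package signature check is the case with no integrity protection at all.<br />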
<br />
=== alucryd ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#alucryd Maxime Gauduin]<br />
* '''Description:''' Various packages Maxime Gauduin maintains (or not) in the AUR.<br />
<br />
{{bc|<nowiki><br />
[alucryd]<br />
Server = https://pkgbuild.com/~alucryd/$repo/x86_64<br />
</nowiki>}}<br />
<br />
=== alucryd-multilib ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#alucryd Maxime Gauduin]<br />
* '''Description:''' Various packages needed to run Steam without its runtime environment.<br />
<br />
{{bc|<nowiki><br />
[alucryd-multilib]<br />
Server = https://pkgbuild.com/~alucryd/$repo/x86_64<br />
</nowiki>}}<br />
<br />
=== andrwe ===<br />
<br />
* '''Maintainer:''' Andrwe Lord Weber<br />
* '''Description:''' contains programs I'm using on many systems<br />
* '''Upstream page:''' http://andrwe.org/linux/repository<br />
<br />
{{bc|<nowiki><br />
[andrwe]<br />
Server = http://repo.andrwe.org/$arch<br />
</nowiki>}}<br />
<br />
=== archgeotux ===<br />
<br />
* '''Maintainer:''' Samuel Mesa<br />
* '''Description:''' Geospatial and geographic information system applications<br />
* '''Upstream page:''' https://archgeotux.sourceforge.io/<br />
<br />
{{bc|<nowiki><br />
[archgeotux]<br />
Server = https://downloads.sourceforge.net/project/archgeotux/$arch<br />
</nowiki>}}<br />
<br />
=== archlinuxfr ===<br />
<br />
* '''Maintainer:'''<br />
* '''Description:'''<br />
* '''Upstream page:''' http://afur.archlinux.fr<br />
<br />
{{bc|<nowiki><br />
[archlinuxfr]<br />
Server = http://repo.archlinux.fr/$arch<br />
</nowiki>}}<br />
<br />
=== archlinuxgr ===<br />
<br />
* '''Maintainer:'''<br />
* '''Description:''' many interesting packages provided by the Hellenic (Greek) Arch Linux community<br />
<br />
{{bc|<nowiki><br />
[archlinuxgr]<br />
Server = http://archlinuxgr.tiven.org/archlinux/$arch<br />
</nowiki>}}<br />
<br />
=== archlinuxgr-kde4 ===<br />
<br />
* '''Maintainer:'''<br />
* '''Description:''' KDE4 packages (plasmoids, themes etc) provided by the Hellenic (Greek) Arch Linux community<br />
<br />
{{bc|<nowiki><br />
[archlinuxgr-kde4]<br />
Server = http://archlinuxgr.tiven.org/archlinux-kde4/$arch<br />
</nowiki>}}<br />
<br />
=== dx37essentials ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/DragonX256 DragonX256]<br />
* '''Description:''' Personal repository. Contains packages from AUR, which I use every day.<br />
* '''Git repo:''' https://gitlab.com/DX37/dx37essentials<br />
* '''Upstream page:''' https://dx37.gitlab.io/dx37essentials<br />
<br />
{{bc|<nowiki><br />
[dx37essentials]<br />
Server = https://dx37.gitlab.io/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== fusion809 ===<br />
<br />
* '''Maintainer:''' [[User:Fusion809|Brenton Horne]] (brentonhorne77 at gmail dot com).<br />
* '''Description:''' Provides a few AUR and other packages I like. Like CodeLite and bleeding-edge (latest release within 1 day of its release) GVim (GTK+2 interface).<br />
* '''Package list:''' http://download.opensuse.org/repositories/home:/fusion809/Arch_Extra/x86_64/<br />
<br />
{{bc|<nowiki><br />
[home_fusion809_Arch_Extra]<br />
Server = https://download.opensuse.org/repositories/home:/fusion809/Arch_Extra/$arch<br />
</nowiki>}}<br />
<br />
=== heftig ===<br />
* '''Maintainer:''' [https://www.archlinux.org/people/developers/#heftig Jan Steffens]<br />
* '''Description:''' Includes pulseaudio-git, pavucontrol-git, and firefox-developer-edition<br />
* '''Upstream page:''' https://bbs.archlinux.org/viewtopic.php?id=117157<br />
<br />
{{bc|<nowiki><br />
[heftig]<br />
Server = https://pkgbuild.com/~heftig/repo/$arch<br />
</nowiki>}}<br />
<br />
=== home-thaodan ===<br />
<br />
* '''Maintainer''': [https://aur.archlinux.org/account/Thaodan Thaodan]<br />
* '''Upstream page''': https://gitlab.com/Thaodan/linux-pf<br />
* '''Description''': [[Kernels#Major_patchsets|pf-kernel]] and other packages by pf-kernel fork developer, Thaodan<br />
<br />
{{bc|<nowiki><br />
[home-thaodan]<br />
Server = https://thaodan.de/home/bidar/home-thaodan/$arch<br />
</nowiki>}}<br />
<br />
=== jkanetwork ===<br />
<br />
* '''Maintainer:''' kprkpr <kevin01010 at gmail dot com><br />
* '''Maintainer:''' Joselucross <jlgarrido97 at gmail dot com><br />
* '''Description:''' Packages from the AUR such as pimagizer, stepmania, yaourt, linux-mainline, wps-office, grub-customizer and some IDEs. Open to all who want to contribute.<br />
* '''Upstream page:''' http://repo.jkanetwork.com/<br />
<br />
{{bc|<nowiki><br />
[jkanetwork]<br />
Server = http://repo.jkanetwork.com/repo/$repo/<br />
</nowiki>}}<br />
<br />
=== mesa-git ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#lcarlier Laurent Carlier]<br />
* '''Description:''' Mesa git builds for the ''testing'' and ''multilib-testing'' repositories<br />
<br />
{{bc|<nowiki><br />
[mesa-git]<br />
Server = https://pkgbuild.com/~lcarlier/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== Minerva W Science ===<br />
<br />
* '''Maintainer:'''<br />
* '''Description:''' [[OpenFOAM]] packages.<br />
<br />
{{bc|<nowiki><br />
[home_Minerva_W_Science_Arch_Extra]<br />
Server = https://download.opensuse.org/repositories/home:/Minerva_W:/Science/Arch_Extra/$arch <br />
</nowiki>}}<br />
<br />
=== mingw-w64 ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/ant32 Philip] and [https://aur.archlinux.org/account/nic96 Jeromy] Reimer<br />
* '''Description:''' Almost all mingw-w64 packages in the AUR.<br />
<br />
{{Note|This repo is not actively maintained anymore. It has not been updated since 2016-01-04.}}<br />
<br />
{{bc|<nowiki><br />
[mingw-w64]<br />
Server = https://downloads.sourceforge.net/project/mingw-w64-archlinux/$arch<br />
#Server = http://amr.linuxd.org/archlinux/$repo/os/$arch<br />
</nowiki>}}<br />
<br />
=== ownstuff ===<br />
<br />
* '''Maintainer:''' [https://aur.archlinux.org/account/Martchus Martchus]<br />
* '''Description:''' A lot of packages from the AUR, e.g. a great number of mingw-w64 packages, fonts, tools like [https://aur.archlinux.org/packages/tageditor Tag Editor], [https://aur.archlinux.org/packages/syncthingtray Syncthing Tray] and [https://aur.archlinux.org/packages/subtitlecomposer Subtitle Composer]<br />
* '''Upstream page''': https://github.com/Martchus/PKGBUILDs (sources beside the AUR) and https://martchus.no-ip.biz/repoindex (package browser/search)<br />
<br />
{{bc|<nowiki><br />
[ownstuff]<br />
Server = http://martchus.no-ip.biz/repo/arch/$repo/os/$arch<br />
</nowiki>}}<br />
<br />
=== pantheon ===<br />
<br />
* '''Maintainer:''' [https://www.archlinux.org/people/trusted-users/#alucryd Maxime Gauduin]<br />
* '''Description:''' Repository containing Pantheon-related packages<br />
<br />
{{bc|<nowiki><br />
[pantheon]<br />
Server = https://pkgbuild.com/~alucryd/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== pietma ===<br />
<br />
* '''Maintainer:''' MartiMcFly <martimcfly@autorisation.de><br />
* '''Description:''' Arch User Repository packages [https://aur.archlinux.org/packages/?K=martimcfly&SeB=m I create or maintain.].<br />
* '''Upstream page:''' http://pietma.com/tag/aur/<br />
<br />
{{bc|<nowiki><br />
[pietma]<br />
Server = http://repository.pietma.com/nexus/content/repositories/archlinux/$arch/$repo<br />
</nowiki>}}<br />
<br />
=== Pival81 arch xapps ===<br />
<br />
* '''Maintainer:''' Valerio Pizzi ([https://github.com/Pival81 Pival81] <pival801@gmail.com>)<br />
* '''Description:''' [https://github.com/linuxmint/xapps XApps] packages.<br />
<br />
{{bc|<nowiki><br />
[home_Pival81_arch_xapps_Arch_Extra]<br />
Server = https://download.opensuse.org/repositories/home:/Pival81:/arch:/xapps/Arch_Extra/$arch <br />
</nowiki>}}<br />
<br />
=== pnsft-pur ===<br />
<br />
* '''Maintainer:'''<br />
* '''Description:''' Japanese input method packages Mozc (vanilla) and libkkc<br />
<br />
{{bc|<nowiki><br />
[pnsft-pur]<br />
Server = https://downloads.sourceforge.net/project/pnsft-aur/pur/x86_64<br />
</nowiki>}}<br />
<br />
=== post-factum kernels ===<br />
<br />
* '''Maintainer''': [https://aur.archlinux.org/account/post-factum Oleksandr Natalenko aka post-factum]<br />
* '''Upstream page''': https://pfactum.github.io/pf-kernel/<br />
* '''Description''': [[Kernels#Major_patchsets|pf-kernel]] and other packages by its developer, post-factum<br />
<br />
{{bc|<nowiki><br />
[home_post-factum_kernels_Arch]<br />
Server = https://download.opensuse.org/repositories/home:/post-factum:/kernels/Arch/$arch<br />
</nowiki>}}<br />
<br />
=== QOwnNotes ===<br />
<br />
* '''Maintainer:''' http://www.qownnotes.org<br />
* '''Description:''' QOwnNotes is an open source notepad and todo list manager with markdown support and [[ownCloud]] integration.<br />
<br />
{{bc|<nowiki><br />
[home_pbek_QOwnNotes_Arch_Extra]<br />
Server = https://download.opensuse.org/repositories/home:/pbek:/QOwnNotes/Arch_Extra/$arch<br />
</nowiki>}}<br />
<br />
=== rakudo ===<br />
<br />
* '''Maintainer:''' spider-mario <spidermario@free.fr><br />
* '''Description:''' Rakudo Perl6<br />
<br />
{{bc|<nowiki><br />
[rakudo]<br />
Server = https://spider-mario.quantic-telecom.net/archlinux/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== rust-git ===<br />
<br />
* '''Maintainer:''' Tatsuyuki Ishi <ishitatsuyuki@gmail.com><br />
* '''Description:''' Packages of rust-git and others. Normally updated weekly.<br />
<br />
{{bc|<nowiki><br />
[rust-git]<br />
Server = https://tatsuyuki.kdns.info/archlinux/$repo/$arch<br />
</nowiki>}}<br />
<br />
=== zrootfs ===<br />
<br />
* '''Maintainer:''' Isabell Cowan <isabellcowan@gmail.com><br />
* '''Description:''' For Haswell and Broadwell architecture processors with size in mind.<br />
<br />
{{Note|This repo has not been maintained since 2016-03-14. There are no guarantees as to how long it will be kept online.}}<br />
<br />
{{bc|<nowiki><br />
[zrootfs]<br />
Server = https://www.izzette.com/izzi/zrootfs-old<br />
</nowiki>}}</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Grafana&diff=533312Grafana2018-08-11T14:44:09Z<p>Yuvadm: Small cleanup</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[Category:Web applications]]<br />
[[ja:Grafana]]<br />
{{Related articles start}}<br />
{{Related|Zabbix}}<br />
{{Related|Munin}}<br />
{{Related articles end}}<br />
[https://grafana.com/ Grafana] is an open-source, general purpose dashboard and graph composer, which runs as a web application. It supports graphite, [[InfluxDB]] or opentsdb as backends.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|grafana}} package.<br />
<br />
After that you can [[Enable]] and [[start]] the {{ic|grafana}} service and access the application on localhost, e.g. http://127.0.0.1:3000. To log in to the web frontend, the default username is {{ic|admin}} and the default password is {{ic|admin}}.<br />
<br />
{{Warning|The default configuration listens on {{ic|*:3000}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
== Example usage ==<br />
<br />
=== Influxdb installation ===<br />
<br />
One often used backend is [[InfluxDB]].<br />
[[Enable]] and [[start]] the {{ic|influxdb}} service. The web interface is available at http://localhost:8083/<br />
<br />
=== Aggregate data ===<br />
For scalable server monitoring in combination with Grafana and InfluxDB, one could choose software like [[collectd]] or [[statsd]]. More generally, any measurement data can be aggregated with InfluxDB and displayed with Grafana. There are modules and libraries for several programming languages to interact with InfluxDB, and one could even store data with a simple HTTP POST request using [[curl]].<br />
<br />
To do so, create a database named {{ic|example}}:<br />
curl -G http://localhost:8086/query --data-urlencode "q=CREATE DATABASE example"<br />
Post data into the example database:<br />
curl -i -XPOST 'http://localhost:8086/write?db=example' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'<br />
<br />
=== Creating Grafana dashboard ===<br />
* Before creating a dashboard, we have to add a data source. So first click on {{ic|Data sources}} in the left menu and then on {{ic|Add new}}.<br />
* The name can be something like {{ic|influxdb}} and the type should be set to {{ic|InfluxDB 0.9}}. In this example, the URL for the HTTP settings is {{ic|http://localhost:8086}}. Note that the port is not the same as the one of the web interface! The database name corresponds to the one chosen earlier, e.g. {{ic|example}}. If not changed, username and password are {{ic|root}}.<br />
* Click on {{ic|Test connection}} to check that everything is working and then on {{ic|Save}}.<br />
* Next, back at the front page, click {{ic|Home}} in the upper-left corner and then on {{ic|New}}.<br />
* Now this might be a bit counter-intuitive, but to add a new dashboard you have to hover and click over the little green box on the left side and then, for example, choose: {{ic|Add panel}} and {{ic|Graph}}.<br />
* Click on the title of the new graph and select {{ic|Edit}}.<br />
* In the graph settings in {{ic|Metrics}} choose {{ic|influxdb}} as data source in the lower-right corner.<br />
* Create a query by selecting your aggregated data. Click on {{ic|select measurement}}, which is located beside {{ic|FROM}}. A list of "tables" in your database should appear in the dropdown menu, e.g. the table named {{ic|localhost}}. If no suggestions come up, your connection to InfluxDB might be broken or no data has been aggregated yet.<br />
* Beside the bold text {{ic|SELECT}} click on {{ic|value}} and choose for example the measurement data {{ic|uptime}}.<br />
* To save changes, click {{ic|Back to dashboard}}, then the floppy disc icon.<br />
<br />
== See also ==<br />
* [https://grafana.org/ Official homepage]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Grafana&diff=533311Grafana2018-08-11T14:43:59Z<p>Yuvadm: Warn on open ports</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[Category:Web applications]]<br />
[[ja:Grafana]]<br />
{{Related articles start}}<br />
{{Related|Zabbix}}<br />
{{Related|Munin}}<br />
{{Related articles end}}<br />
[https://grafana.com/ Grafana] is an open-source, general purpose dashboard and graph composer, which runs as a web application. It supports graphite, [[InfluxDB]] or opentsdb as backends.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{pkg|grafana}} package.<br />
<br />
After that you can [[Enable]] and [[start]] the {{ic|grafana}} service and access the application on localhost, e.g. http://127.0.0.1:3000. To log in to the web frontend, the default username is {{ic|admin}} and the default password is {{ic|admin}}.<br />
<br />
<br />
{{Warning|The default configuration listens on {{ic|*:3000}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
== Example usage ==<br />
<br />
=== Influxdb installation ===<br />
<br />
One often used backend is [[InfluxDB]].<br />
[[Enable]] and [[start]] the {{ic|influxdb}} service. The web interface is available at http://localhost:8083/<br />
<br />
=== Aggregate data ===<br />
For scalable server monitoring in combination with Grafana and InfluxDB, one could choose software like [[collectd]] or [[statsd]]. More generally, any measurement data can be aggregated with InfluxDB and displayed with Grafana. There are modules and libraries for several programming languages to interact with InfluxDB, and one could even store data with a simple HTTP POST request using [[curl]].<br />
<br />
To do so, create a database named {{ic|example}}:<br />
curl -G http://localhost:8086/query --data-urlencode "q=CREATE DATABASE example"<br />
Post data into the example database:<br />
curl -i -XPOST 'http://localhost:8086/write?db=example' --data-binary 'cpu_load_short,host=server01,region=us-west value=0.64 1434055562000000000'<br />
<br />
=== Creating Grafana dashboard ===<br />
* Before creating a dashboard, we have to add a data source. So first click on {{ic|Data sources}} in the left menu and then on {{ic|Add new}}.<br />
* The name can be something like {{ic|influxdb}} and the type should be set to {{ic|InfluxDB 0.9}}. In this example, the URL for the HTTP settings is {{ic|http://localhost:8086}}. Note that the port is not the same as the one of the web interface! The database name corresponds to the one chosen earlier, e.g. {{ic|example}}. If not changed, username and password are {{ic|root}}.<br />
* Click on {{ic|Test connection}} to check that everything is working and then on {{ic|Save}}.<br />
* Next, back at the front page, click {{ic|Home}} in the upper-left corner and then on {{ic|New}}.<br />
* Now this might be a bit counter-intuitive, but to add a new dashboard you have to hover and click over the little green box on the left side and then, for example, choose: {{ic|Add panel}} and {{ic|Graph}}.<br />
* Click on the title of the new graph and select {{ic|Edit}}.<br />
* In the graph settings in {{ic|Metrics}} choose {{ic|influxdb}} as data source in the lower-right corner.<br />
* Create a query by selecting your aggregated data. Click on {{ic|select measurement}}, which is located beside {{ic|FROM}}. A list of "tables" in your database should appear in the dropdown menu, e.g. the table named {{ic|localhost}}. If no suggestions come up, your connection to InfluxDB might be broken or no data has been aggregated yet.<br />
* Beside the bold text {{ic|SELECT}} click on {{ic|value}} and choose for example the measurement data {{ic|uptime}}.<br />
* To save changes, click {{ic|Back to dashboard}}, then the floppy disc icon.<br />
<br />
== See also ==<br />
* [https://grafana.org/ Official homepage]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Autossh&diff=533093Autossh2018-08-10T15:43:34Z<p>Yuvadm: Create autossh redirect</p>
<hr />
<div>#REDIRECT [[Secure_Shell#Autossh_-_automatically_restarts_SSH_sessions_and_tunnels]]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=InfluxDB&diff=533092InfluxDB2018-08-10T15:36:40Z<p>Yuvadm: Move warning to relevant section</p>
<hr />
<div>[[Category:Database management systems]]<br />
[[ja:InfluxDB]]<br />
{{Related articles start}}<br />
{{Related|Telegraf}}<br />
{{Related|Chronograf}}<br />
{{Related|Kapacitor}}<br />
{{Related|Grafana}}<br />
{{Related articles end}}<br />
InfluxDB is a time series database built from the ground up to handle high write and query loads. It is the second piece of the [[TICK stack]]. InfluxDB is meant to be used as a backing store for any use case involving large amounts of timestamped data, including DevOps monitoring, application metrics, IoT sensor data, and real-time analytics.[https://docs.influxdata.com/influxdb/v1.2/]<br />
<br />
==Installation==<br />
[[Install]] the {{Pkg|influxdb}} package, then [[enable]] and [[start]] the {{ic|influxdb}} service.<br />
<br />
{{Warning|The default configuration listens on {{ic|*:8086}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
==Configuration==<br />
All configuration is done in {{ic|/etc/influxdb/influxdb.conf}}. <br />
<br />
The configuration is well documented, but you can also have a look at the [https://docs.influxdata.com/influxdb/latest/ official documentation].<br />
<br />
==Usage==<br />
InfluxDB can be used as part of the [[TICK stack]]. In this setup, data is written into the database using [[Telegraf]]. [[Kapacitor]] and [[Chronograf]] then use the database to send alerts and display data, respectively.<br />
<br />
InfluxDB can also be used with other input plugins, e.g. [[collectd]]. Another tool for data visualization is [[Grafana]].<br />
<br />
Writing and querying the database can also be done using their HTTP API for [https://docs.influxdata.com/influxdb/latest/guides/writing_data/ writing] and [https://docs.influxdata.com/influxdb/latest/guides/querying_data/ querying].<br />
==See also==<br />
* [https://www.influxdata.com/ InfluxData]<br />
* [https://docs.influxdata.com/influxdb/latest/ Documentation]<br />
* [https://github.com/influxdata/influxdb/ Github]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=InfluxDB&diff=533091InfluxDB2018-08-10T15:34:33Z<p>Yuvadm: Warn on open ports</p>
<hr />
<div>[[Category:Database management systems]]<br />
[[ja:InfluxDB]]<br />
{{Related articles start}}<br />
{{Related|Telegraf}}<br />
{{Related|Chronograf}}<br />
{{Related|Kapacitor}}<br />
{{Related|Grafana}}<br />
{{Related articles end}}<br />
InfluxDB is a time series database built from the ground up to handle high write and query loads. It is the second piece of the [[TICK stack]]. InfluxDB is meant to be used as a backing store for any use case involving large amounts of timestamped data, including DevOps monitoring, application metrics, IoT sensor data, and real-time analytics.[https://docs.influxdata.com/influxdb/v1.2/]<br />
<br />
==Installation==<br />
[[Install]] the {{Pkg|influxdb}} package, then [[enable]] and [[start]] the {{ic|influxdb}} service.<br />
<br />
==Configuration==<br />
All configuration is done in {{ic|/etc/influxdb/influxdb.conf}}. <br />
<br />
{{Warning|The default configuration listens on {{ic|*:8086}} so make sure to change the configuration or enable the relevant firewall rules.}}<br />
<br />
The configuration is well documented, but you can also have a look at the upstream [https://docs.influxdata.com/influxdb/latest/ documentation].<br />
<br />
==Usage==<br />
InfluxDB can be used as part of the [[TICK stack]]. In this setup, data is written into the database using [[Telegraf]]. [[Kapacitor]] and [[Chronograf]] then use the database to send alerts and display data respectively.<br />
<br />
InfluxDB can also be used with other input plugins, e.g. [[collectd]]. Another tool for data visualization is [[Grafana]].<br />
<br />
Writing and querying the database can also be done using their HTTP API for [https://docs.influxdata.com/influxdb/latest/guides/writing_data/ writing] and [https://docs.influxdata.com/influxdb/latest/guides/querying_data/ querying].<br />
==See also==<br />
* [https://www.influxdata.com/ InfluxData]<br />
* [https://docs.influxdata.com/influxdb/latest/ Documentation]<br />
* [https://github.com/influxdata/influxdb/ Github]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Glusterfs&diff=524695Glusterfs2018-06-04T04:53:02Z<p>Yuvadm: Update link to official docs</p>
<hr />
<div>[[Category:File systems]]<br />
[[Category:Networking]]<br />
[[ja:GlusterFS]]<br />
[[ru:Glusterfs]]<br />
{{Related articles start}}<br />
{{Related|Ceph}}<br />
{{Related articles end}}<br />
<br />
[https://www.gluster.org/ Glusterfs] is a scalable network [[filesystem]].<br />
<br />
== Installation ==<br />
<br />
[[Install]] the package {{Pkg|glusterfs}}.<br />
<br />
== Configuration ==<br />
<br />
Glusterfs can be set up to run in many different configurations depending on operating needs, including distributed and replicated. For the example below, a two-node replicated server is created: nodes gluster1 and gluster2 each have two disks, one containing the OS (sda), the other to be shared by glusterfs (sdb). Unless stated otherwise, all setup is carried out on gluster1.<br />
<br />
*[[Start/enable]] the gluster daemon {{ic|glusterd.service}} on both servers.<br />
<br />
*Connect the servers<br />
# gluster peer probe gluster2<br />
<br />
*Partition and format the glusterfs drive on both servers<br />
**The upstream advises creating a single partition and formatting this as xfs<br />
<br />
*On both servers, automount the drives by [[append|appending]] the following line to {{ic|/etc/fstab}}, where {{ic|/dev/sd''XY''}} is the appropriate device (e.g., {{ic|/dev/sdb1}}).<br />
{{hc|/etc/fstab|/dev/sd''XY'' /export/sd''XY'' xfs defaults 0 0}}<br />
<br />
*On both servers [[mount]] the drives. Then create a "brick":<br />
# mkdir -p /export/sd''XY''/brick<br />
<br />
*Enable replication on primary server<br />
# gluster volume create gv0 replica 2 gluster1.mydomain.net:/export/sdb1/brick gluster2.mydomain.net:/export/sdb1/brick<br />
<br />
*Ensure volume is created correctly<br />
# gluster volume info<br />
<br />
*Start volume<br />
# gluster volume start gv0<br />
<br />
*Mount the volume<br />
# mkdir -p /mnt/glusterClientMount<br />
# mount -t glusterfs gluster1:/gv0 /mnt/glusterClientMount<br />
<br />
== See also ==<br />
<br />
* [https://docs.gluster.org/en/latest/Install-Guide/Overview/ Official glusterfs installation guide]<br />
* [https://blog.bastelfreak.de/2016/05/short-tip-setup-glusterfs-share-on-arch-linux/ Blog covering the setup of Glusterfs on Arch Linux]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=OpenSSH&diff=508101OpenSSH2018-01-21T08:31:50Z<p>Yuvadm: Small readability fix</p>
<hr />
<div>[[Category:Secure Shell]]<br />
[[de:SSH]]<br />
[[es:Secure Shell]]<br />
[[fa:SSH]]<br />
[[fr:ssh]]<br />
[[ja:Secure Shell]]<br />
[[ru:Secure Shell]]<br />
{{Related articles start}}<br />
{{Related|SSH keys}}<br />
{{Related|Pam abl}}<br />
{{Related|fail2ban}}<br />
{{Related|sshguard}}<br />
{{Related|Sshfs}}<br />
{{Related|Syslog-ng}}<br />
{{Related|SFTP chroot}}<br />
{{Related|SCP and SFTP}}<br />
{{Related articles end}}<br />
<br />
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. Encryption provides confidentiality and integrity of data. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.<br />
<br />
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding arbitrary TCP ports and X11 connections; file transfer can be accomplished using the associated SFTP or SCP protocols.<br />
<br />
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an ''sshd'' daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.<br />
<br />
== OpenSSH ==<br />
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the ssh protocol. It was created as an open source alternative to the proprietary Secure Shell software suite offered by SSH Communications Security. OpenSSH is developed as part of the OpenBSD project, which is led by Theo de Raadt.<br />
<br />
OpenSSH is occasionally confused with the similarly-named OpenSSL; however, the projects have different purposes and are developed by different teams. The similar name is drawn only from similar goals.<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{Pkg|openssh}} package.<br />
<br />
=== Client usage ===<br />
<br />
To connect to a server, run:<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
<br />
If the server only allows public-key authentication, follow [[SSH keys]].<br />
<br />
==== Configuration ====<br />
<br />
The client can be configured to store common options and hosts. All options can be declared globally or restricted to specific hosts. For example:<br />
<br />
{{hc|~/.ssh/config|# global options<br />
User ''user''<br />
<br />
# host-specific options<br />
Host myserver<br />
HostName ''server-address''<br />
Port ''port''}}<br />
<br />
With such a configuration, the following commands are equivalent:<br />
<br />
$ ssh -p ''port'' ''user''@''server-address''<br />
$ ssh myserver<br />
<br />
See {{man|5|ssh_config}} for more information.<br />
<br />
Some options do not have command line switch equivalents, but you can specify config options on the command line with {{ic|-o}}. For example {{ic|1=-oKexAlgorithms=+diffie-hellman-group1-sha1}}.<br />
<br />
=== Server usage ===<br />
<br />
==== Configuration ====<br />
<br />
The SSH daemon configuration file can be found and edited in {{ic|/etc/ssh/ssh'''d'''_config}}.<br />
<br />
To allow access only for some users add this line:<br />
AllowUsers ''user1 user2''<br />
<br />
To allow access only for some groups:<br />
AllowGroups ''group1 group2''<br />
<br />
To add a nice welcome message (e.g. from the {{ic|/etc/issue}} file), configure the {{ic|Banner}} option:<br />
Banner /etc/issue<br />
<br />
Host keys will be generated automatically by the ''sshd'' [[#Daemon_management|service files]]. If you want sshd to use a particular key which you have provided, you can configure it manually:<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
If the server is to be exposed to the WAN, it is recommended to change the default port from 22 to a random higher one like this:<br />
Port 39901<br />
<br />
To help select a port review the [[Wikipedia:List of TCP and UDP port numbers|list of TCP and UDP port numbers]]. You can also find port information locally in {{ic|/etc/services}}. Select an alternative port that is '''not''' already assigned to a common service to prevent conflicts. A port change from default port 22 is recommended, because it will reduce the ''number'' of log entries caused by automated authentication attempts - not eliminate them. See [[Port knocking]] for related information. <br />
<br />
{{Note|OpenSSH can also listen on multiple ports simply by having multiple '''Port x''' lines in the config file.}}<br />
<br />
It is also recommended to disable password logins entirely. This will greatly increase security, see [[#Force public key authentication]] for more information. See [[#Protection]] for more recommended security methods.<br />
<br />
==== Daemon management ====<br />
<br />
{{Pkg|openssh}} comes with two kinds of [[systemd]] service files:<br />
#{{ic|sshd.service}}, which will keep the SSH daemon permanently active and fork for each incoming connection.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh#n16] It is especially suitable for systems with a large amount of SSH traffic.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n15] <br />
#{{ic|sshd.socket}} + {{ic|sshd@.service}}, which spawn on-demand instances of the SSH daemon per connection. Using it implies that ''systemd'' listens on the SSH socket and will only start the daemon process for an incoming connection. It is the recommended way to run {{ic|sshd}} in almost all cases.[https://projects.archlinux.org/svntogit/packages.git/tree/trunk/sshd.service?h=packages/openssh&id=4cadf5dff444e4b7265f8918652f4e6dff733812#n18][http://lists.freedesktop.org/archives/systemd-devel/2011-January/001107.html][http://0pointer.de/blog/projects/inetd.html]<br />
<br />
You can [[start]] and [[enable]] either {{ic|sshd.service}} '''or''' {{ic|sshd.socket}} to begin using the daemon.<br />
<br />
If using the socket service, you will need to [[edit]] the unit file if you want it to listen on a port other than the default 22:<br />
<br />
{{hc|# systemctl edit sshd.socket|<nowiki><br />
[Socket]<br />
ListenStream=<br />
ListenStream=12345<br />
</nowiki>}}<br />
<br />
{{Warning|Using {{ic|sshd.socket}} negates the {{ic|ListenAddress}} setting, so it will allow connections over any address. To achieve the effect of setting {{ic|ListenAddress}}, you must specify the port ''and'' IP for {{ic|ListenStream}} (e.g. {{ic|1=ListenStream=192.168.1.100:22}}). You must also add {{ic|1=FreeBind=true}} under {{ic|[Socket]}} or else setting the IP address will have the same drawback as setting {{ic|ListenAddress}}: the socket will fail to start if the network is not up in time.}}<br />
<br />
{{Tip|When using socket activation, neither {{ic|sshd.socket}} nor the daemon's regular {{ic|sshd.service}} allows monitoring connection attempts in the log, but executing {{ic|# journalctl /usr/bin/sshd}} does.}}<br />
<br />
==== Protection ====<br />
<br />
Allowing remote log-on through SSH is good for administrative purposes, but can pose a threat to your server's security. Often the target of brute force attacks, SSH access needs to be limited properly to prevent third parties gaining access to your server.<br />
<br />
Several other good guides are available on the topic, for example:<br />
*[https://wiki.mozilla.org/Security/Guidelines/OpenSSH Article by Mozilla Infosec Team]<br />
*[https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure sshd]<br />
<br />
===== Force public key authentication =====<br />
<br />
If a client cannot authenticate through a public key, by default the SSH server falls back to password authentication, thus allowing a malicious user to attempt to gain access by [[#Protecting against brute force attacks|brute-forcing]] the password. One of the most effective ways to protect against this attack is to disable password logins entirely, and force the use of [[SSH keys]]. This can be accomplished by disabling the following option in {{ic|sshd_config}}:<br />
<br />
PasswordAuthentication no<br />
<br />
{{Warning|Before adding this to your configuration, make sure that all accounts which require SSH access have public-key authentication set up in the corresponding {{ic|authorized_keys}} files. See [[SSH keys#Copying the public key to the remote server]] for more information.}}<br />
<br />
===== Two-factor authentication and public keys =====<br />
<br />
Since OpenSSH 6.2, you can define your own chain of authentication methods using the {{ic|AuthenticationMethods}} option. This enables you to use public keys as well as two-factor authentication.<br />
<br />
See [[Google Authenticator]] to set up Google Authenticator.<br />
<br />
To use [[PAM]] with OpenSSH, edit the following files:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey keyboard-interactive:pam<br />
}}<br />
<br />
Then you can log in with either a publickey '''or''' the user authentication as required by your PAM setup.<br />
<br />
If, on the other hand, you want to authenticate the user on both a publickey '''and''' the user authentication as required by your PAM setup, use a comma instead of a space to separate the AuthenticationMethods:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
ChallengeResponseAuthentication yes<br />
AuthenticationMethods publickey,keyboard-interactive:pam<br />
}}<br />
<br />
With required pubkey '''and''' pam authentication you may wish to disable the password requirement:<br />
{{hc|/etc/pam.d/sshd|<br />
auth required pam_securetty.so #disable remote root<br />
#Require google authenticator<br />
auth required pam_google_authenticator.so<br />
#But not password<br />
#auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
}}<br />
<br />
===== Protecting against brute force attacks =====<br />
Brute forcing is a simple concept: One continuously tries to log in to a webpage or server log-in prompt like SSH with a high number of random username and password combinations.<br />
<br />
====== Using ufw ======<br />
<br />
See [[ufw#Rate limiting with ufw]].<br />
<br />
====== Using iptables ======<br />
<br />
{{Merge|Simple_stateful_firewall#Bruteforce_attacks|Out of scope, same technique as already described in the SSF.}}<br />
<br />
If you are already using iptables you can easily protect SSH against brute force attacks by using the following rules. <br />
<br />
{{note|In this example the SSH port was changed to port 42660 TCP.}}<br />
<br />
Before the following rules can be used we create a new rule chain to log and drop too many connection attempts:<br />
<br />
# iptables -N LOG_AND_DROP<br />
<br />
The first rule will be applied to packets that signal the start of new connections headed for TCP port 42660:<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --set --name DEFAULT --rsource<br />
<br />
The next rule tells iptables to look for packets that match the previous rule's parameters, and which also come from hosts already added to the watch list.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -m state --state NEW -m recent --update --seconds 90 --hitcount 4 --name DEFAULT --rsource -j LOG_AND_DROP<br />
<br />
Now iptables decides what to do with TCP traffic to port 42660 which does not match the previous rule.<br />
<br />
# iptables -A INPUT -p tcp -m tcp --dport 42660 -j ACCEPT<br />
<br />
We append this rule to the LOG_AND_DROP chain, and we use the -j (jump) operator to pass the packet's information to the logging facility:<br />
<br />
# iptables -A LOG_AND_DROP -j LOG --log-prefix "iptables deny: " --log-level 7<br />
<br />
After they are logged by the first rule in the chain, all packets are then dropped:<br />
<br />
# iptables -A LOG_AND_DROP -j DROP<br />
<br />
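The three INPUT rules above, replayed over constructed connection times to show what {{ic|--seconds 90 --hitcount 4}} means in practice. This is an added example, not part of the original article: it models the {{ic|recent}} match as documented in iptables-extensions(8), and the addresses and timings are made up.<br />

```python
from collections import defaultdict


def simulate(events, seconds=90, hitcount=4):
    """Replay NEW connections to the SSH port through the three INPUT rules.

    events: (time_in_seconds, source_ip) tuples in time order.
    Returns a list of (time, source_ip, verdict) tuples.
    The kernel keeps a bounded number of timestamps per source; that bound
    is not modelled here and the samples below stay far under it.
    """
    recent = defaultdict(list)  # the list named DEFAULT: source -> timestamps
    verdicts = []
    for now, src in events:
        # Rule 1: "-m recent --set" has no target; it records the source
        # and the packet continues to the next rule.
        recent[src].append(now)
        # Rule 2: "--update --seconds 90 --hitcount 4" matches when the
        # source has at least 4 timestamps within the last 90 seconds,
        # counting the one rule 1 just added.
        hits = sum(1 for t in recent[src] if t >= now - seconds)
        if hits >= hitcount:
            # A matching --update also records this packet, so blocked
            # attempts keep the source above the threshold for longer.
            recent[src].append(now)
            verdicts.append((now, src, "LOG_AND_DROP"))
        else:
            # Rule 3: plain ACCEPT for everything rule 2 did not match.
            verdicts.append((now, src, "ACCEPT"))
    return verdicts


def verdicts_for(result, src):
    """Verdicts for one source, in time order."""
    return [verdict for _, s, verdict in result if s == src]


# Constructed events (documentation address ranges, invented timings).
NOISY = "203.0.113.7"   # repeated attempts, then a long pause
ADMIN = "198.51.100.5"  # one login a minute
BATCH = "192.0.2.10"    # a script opening five connections in a row
EVENTS = sorted(
    [(t, NOISY) for t in (0, 10, 20, 30, 40, 120, 300)]
    + [(t, ADMIN) for t in (5, 65, 125, 185)]
    + [(t, BATCH) for t in (200, 201, 202, 203, 204)]
)

if __name__ == "__main__":
    for when, src, verdict in simulate(EVENTS):
        print(f"t={when:>3}s  {src:<13} {verdict}")
```

The third source shows the operational side of the limit: automation that opens several SSH connections in quick succession (for example a loop of scp calls) is dropped by the same rule as a password guesser.<br />
<br />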
====== Anti-brute-force tools ======<br />
<br />
You can protect yourself from brute force attacks by using an automated script that blocks anybody trying to brute force their way in, for example [[fail2ban]] or [[sshguard]].<br />
<br />
* Only allow incoming SSH connections from trusted locations<br />
* Use [[fail2ban]] or [[sshguard]] to automatically block IP addresses that fail password authentication too many times.<br />
* Use [https://github.com/jtniehof/pam_shield pam_shield] to block IP addresses that perform too many login attempts within a certain period of time. In contrast to [[fail2ban]] or [[sshguard]], this program does not take login success or failure into account.<br />
<br />
===== Limit root login =====<br />
{{Out of date|Root login has been disabled by default upstream in the current version. Unclear to me what parts of this section and subsections are redundant.}}<br />
<br />
It is generally considered bad practice to allow the root user to log in without restraint over SSH. There are two methods by which SSH root access can be restricted for increased security.<br />
<br />
====== Deny ======<br />
<br />
Sudo selectively provides root rights for actions requiring these without requiring authenticating against the root account. This allows locking the root account against access via SSH and potentially functions as a security measure against brute force attacks, since now an attacker must guess the account name in addition to the password.<br />
<br />
SSH can be configured to deny remote logins with the root user by editing the "Authentication" section in {{ic|/etc/ssh/sshd_config}}. Simply change {{ic|#PermitRootLogin prohibit-password}} to {{ic|no}} and uncomment the line:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
PermitRootLogin no<br />
...<br />
}}<br />
<br />
Next, [[restart]] the SSH daemon.<br />
<br />
You will now be unable to log in through SSH under root, but will still be able to log in with your normal user and use [[su]] or [[sudo]] to do system administration.<br />
<br />
====== Restrict ======<br />
<br />
Some automated tasks such as remote, full-system backup require full root access. To allow these in a secure way, instead of disabling root login via SSH, it is possible to only allow root logins for selected commands. This can be achieved by editing {{ic|~root/.ssh/authorized_keys}}, by prefixing the desired key, e.g. as follows:<br />
<br />
command="/usr/lib/rsync/rrsync -ro /" ssh-rsa …<br />
<br />
This will allow any login with this specific key only to execute the command specified between the quotes.<br />
<br />
The increased attack surface created by exposing the root user name at login can be compensated by adding the following to {{ic|sshd_config}}:<br />
<br />
PermitRootLogin forced-commands-only<br />
<br />
This setting will not only restrict the commands which root may execute via SSH, but it will also disable the use of passwords, forcing use of public key authentication for the root account.<br />
<br />
A slightly less restrictive alternative will allow any command for root, but makes brute force attacks infeasible by enforcing public key authentication. For this option, set:<br />
<br />
PermitRootLogin without-password<br />
<br />
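A small audit of the {{ic|sshd_config}} settings discussed in [[#Force public key authentication]], [[#Two-factor authentication and public keys]] and [[#Limit root login]]. This is an added example, not part of the original article or of OpenSSH: the function names, finding codes and sample files are made up, and absent keywords are assumed to take the upstream defaults from sshd_config(5).<br />

```python
import re

# Upstream defaults from sshd_config(5), used when a keyword is absent
# (assumption: a distribution's packaged file may set other values).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "permitrootlogin": "prohibit-password",
    "authenticationmethods": "any",
}


def effective_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive, the first value given for a keyword
    wins, and everything after the first Match line is conditional.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        conf.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit(text):
    """Return a list of (code, message) findings for one sshd_config."""
    conf = effective_config(text)

    def get(keyword):
        return conf.get(keyword, DEFAULTS[keyword]).lower()

    findings = []
    methods = get("authenticationmethods")
    if methods == "any":
        # No explicit chain: every enabled method is an alternative.
        if get("passwordauthentication") != "no":
            findings.append(("password-login",
                             "PasswordAuthentication is not 'no'"))
        if (get("challengeresponseauthentication") != "no"
                and get("usepam") == "yes"):
            findings.append(("pam-password",
                             "keyboard-interactive via PAM can still ask "
                             "for a password"))
    else:
        # Space separates alternatives (OR); comma chains methods (AND).
        for alternative in methods.split():
            chain = [m.split(":")[0] for m in alternative.split(",")]
            if "publickey" not in chain:
                findings.append(("no-key-path",
                                 "login possible without a key via "
                                 + alternative))
    if get("permitrootlogin") == "yes":
        findings.append(("root-login",
                         "root may log in with any allowed method"))
    return findings


# Constructed samples, not taken from any real host.
SAMPLE_PASSWORD_OFF = """\
Port 39901
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin yes
"""
SAMPLE_OR = """\
ChallengeResponseAuthentication yes
AuthenticationMethods publickey keyboard-interactive:pam
PermitRootLogin forced-commands-only
"""
SAMPLE_AND = """\
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, sample in [("password off", SAMPLE_PASSWORD_OFF),
                         ("space-separated", SAMPLE_OR),
                         ("comma-separated", SAMPLE_AND)]:
        print(name, audit(sample) or "no findings")
```

The first sample shows why {{ic|PasswordAuthentication no}} alone is worth double-checking: with PAM and challenge-response enabled, a password prompt can still be reached through keyboard-interactive authentication.<br />
<br />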
===== Securing the authorized_keys file =====<br />
<br />
For additional protection, you can prevent users from adding new public keys and connecting from them.<br />
<br />
In the server, make the {{ic|authorized_keys}} file read-only for the user and deny all other permissions:<br />
$ chmod 400 ~/.ssh/authorized_keys<br />
<br />
To keep the user from simply changing the permissions back, [[File permissions and attributes#chattr and lsattr|set the immutable bit]] on the {{ic|authorized_keys}} file. After that the user could rename the {{ic|~/.ssh}} directory to something else and create a new {{ic|~/.ssh}} directory and {{ic|authorized_keys}} file. To prevent this, set the immutable bit on the {{ic|~/.ssh}} directory too.<br />
<br />
{{Note|If you find yourself needing to add a new key, you will first have to remove the immutable bit from {{ic|authorized_keys}} and make it writable. Follow the steps above to secure it again.}}<br />
<br />
== Other SSH clients and servers ==<br />
Apart from OpenSSH, there are many SSH [[Wikipedia:Comparison of SSH clients|clients]] and [[Wikipedia:Comparison of SSH servers|servers]] available.<br />
<br />
=== Dropbear ===<br />
[[Wikipedia:Dropbear (software)|Dropbear]] is an SSH-2 client and server. {{Pkg|dropbear}} is available in the [[official repositories]].<br />
<br />
The command-line ssh client is named dbclient.<br />
<br />
=== Mosh ===<br />
From the Mosh [http://mosh.mit.edu/ website]:<br />
<br />
:Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes. Mosh is a replacement for SSH. It is more robust and responsive, especially over slow connections such as Wi-Fi, cellular, and long-distance.<br />
<br />
[[Install]] the {{Pkg|mosh}} package, or {{AUR|mosh-git}} for the latest revision.<br />
<br />
Mosh has an undocumented command line option {{ic|1=--predict=experimental}} which produces more aggressive echoing of local keystrokes. Users interested in low-latency visual confirmation of keyboard input may prefer this prediction mode.<br />
<br />
{{Note|Mosh by design does not let you access session history, consider installing a terminal multiplexer such as [[tmux]] or [[screen]].}}<br />
<br />
== Tips and tricks ==<br />
<br />
{{Accuracy|According to the current layout, this section seems rather generic, but in fact most of the offered tips work only in ''openssh''. For example ''dropbear'' (listed in [[#Other SSH clients and servers]]) does not support SOCKS proxy.[https://en.wikipedia.org/wiki/Comparison_of_SSH_clients#Technical]}}<br />
<br />
=== Encrypted SOCKS tunnel ===<br />
<br />
This is highly useful for laptop users connected to various unsafe wireless connections. The only thing you need is an SSH server running at a somewhat secure location, like your home or at work. It might be useful to use a dynamic DNS service like [http://www.dyndns.org/ DynDNS] so you do not have to remember your IP-address.<br />
<br />
==== Step 1: start the connection ====<br />
<br />
You only have to execute this single command to start the connection:<br />
<br />
$ ssh -TND 4711 ''user''@''host''<br />
<br />
where {{Ic|''user''}} is your username at the SSH server running at the {{Ic|''host''}}. It will ask for your password, and then you are connected! The {{Ic|N}} flag disables the interactive prompt, and the {{Ic|D}} flag specifies the local port on which to listen (you can choose any port number you want). The {{Ic|T}} flag disables pseudo-tty allocation.<br />
<br />
It is nice to add the verbose ({{Ic|-v}}) flag, because then you can verify that it is actually connected from that output.<br />
<br />
==== Step 2: configure your browser (or other programs) ====<br />
<br />
The above step is completely useless if you do not configure your web browser (or other programs) to use this newly created socks tunnel. Since the current version of SSH supports both SOCKS4 and SOCKS5, you can use either of them.<br />
<br />
* For Firefox: ''Edit > Preferences > Advanced > Network > Connection > Setting'': <br> Check the ''Manual proxy configuration'' radio button, and enter {{ic|localhost}} in the ''SOCKS host'' text field, and then enter your port number in the next text field ({{ic|4711}} in the example above).<br />
<br />
Firefox does not automatically make DNS requests through the socks tunnel. This potential privacy concern can be mitigated by the following steps:<br />
<br />
# Type about:config into the Firefox location bar.<br />
# Search for network.proxy.socks_remote_dns<br />
# Set the value to true.<br />
# Restart the browser.<br />
<br />
* For Chromium: You can set the SOCKS settings as environment variables or as command line options. It is recommended to add one of the following functions to your {{ic|.bashrc}}:<br />
 function secure_chromium {<br />
     port=4711<br />
     export SOCKS_SERVER=localhost:$port<br />
     export SOCKS_VERSION=5<br />
     chromium &<br />
     exit<br />
 }<br />
OR<br />
 function secure_chromium {<br />
     port=4711<br />
     chromium --proxy-server="socks://localhost:$port" &<br />
     exit<br />
 }<br />
<br />
Now open a terminal and just do:<br />
$ secure_chromium<br />
<br />
Enjoy your secure tunnel!<br />
<br />
=== X11 forwarding ===<br />
<br />
X11 forwarding is a mechanism that allows graphical interfaces of X11 programs running on a remote system to be displayed on a local client machine. For X11 forwarding the remote host does not need to have a full X11 system installed, however it needs at least to have ''xauth'' installed. ''xauth'' is a utility that maintains {{ic|Xauthority}} configurations used by server and client for authentication of X11 session ([http://xmodulo.com/2012/11/how-to-enable-x11-forwarding-using-ssh.html source]).<br />
<br />
{{Warning|X11 forwarding has important security implications which should be at least acknowledged by reading relevant sections of {{man|1|ssh}}, {{man|5|sshd_config}}, and {{man|5|ssh_config}} manual pages. See also [https://security.stackexchange.com/questions/14815/security-concerns-with-x11-forwarding this StackExchange question.]}}<br />
<br />
==== Setup ====<br />
<br />
On the remote system:<br />
<br />
*[[install]] the {{Pkg|xorg-xauth}} and {{Pkg|xorg-xhost}} packages<br />
*in {{ic|/etc/ssh/ssh'''d'''_config}}:<br />
**verify that {{ic|AllowTcpForwarding}} and {{ic|X11UseLocalhost}} options are set to ''yes'', and that {{ic|X11DisplayOffset}} is set to ''10'' (those are the default values if nothing has been changed, see {{man|5|sshd_config}})<br />
**set {{ic|X11Forwarding}} to ''yes''<br />
* then [[restart]] the [[#Daemon management|''sshd'' daemon]]. <br />
<br />
On the client side, enable the {{ic|ForwardX11}} option by either specifying the {{ic|-X}} switch on the command line for opportunistic connections, or by setting {{ic|ForwardX11}} to ''yes'' in the [[#Configuration|client's configuration]].<br />
<br />
{{Tip|You can enable the {{ic|ForwardX11Trusted}} option ({{ic|-Y}} switch on the command line) if GUI is drawing badly or you receive errors; this will prevent X11 forwardings from being subjected to the [http://www.x.org/wiki/Development/Documentation/Security/ X11 SECURITY extension] controls. Be sure you have read [[#X11 forwarding|the warning]] at the beginning of this section if you do so.}}<br />
<br />
==== Usage ====<br />
<br />
{{Accuracy|{{ic|xhost}} is [http://unix.stackexchange.com/questions/12755/how-to-forward-x-over-ssh-from-ubuntu-machine#comment-17148 generally not needed]}}<br />
<br />
Log on to the remote machine normally, specifying the {{ic|-X}} switch if ''ForwardX11'' was not enabled in the client's configuration file:<br />
$ ssh -X ''user@host''<br />
If you receive errors trying to run graphical applications, try ''ForwardX11Trusted'' instead:<br />
$ ssh -Y ''user@host''<br />
You can now start any X program on the remote server, the output will be forwarded to your local session:<br />
$ xclock<br />
<br />
If you get "Cannot open display" errors try the following command as the non root user:<br />
$ xhost +<br />
<br />
The above command will allow anybody to forward X11 applications. To restrict forwarding to a particular host type:<br />
$ xhost +hostname<br />
<br />
where hostname is the name of the particular host you want to forward to. See {{man|1|xhost}} for more details.<br />
<br />
Be careful with some applications as they check for a running instance on the local machine. [[Firefox]] is an example: either close the running Firefox instance or use the following start parameter to start a remote instance on the local machine:<br />
$ firefox --no-remote<br />
<br />
If you get "X11 forwarding request failed on channel 0" when you connect (and the server {{ic|/var/log/errors.log}} shows "Failed to allocate internet-domain X11 display socket"), make sure package {{Pkg|xorg-xauth}} is installed. If its installation is not working, try to either:<br />
<br />
* enable the {{ic|AddressFamily any}} option in {{ic|ssh'''d'''_config}} on the ''server'', or<br />
* set the {{ic|AddressFamily}} option in {{ic|ssh'''d'''_config}} on the ''server'' to inet.<br />
Setting it to inet may fix problems with Ubuntu clients on IPv4.<br />
<br />
For running X applications as another user on the SSH server, you need to {{Ic|xauth add}} the authentication line taken from {{Ic|xauth list}} of the SSH logged-in user.<br />
<br />
{{Tip|[http://unix.stackexchange.com/a/12772/29867 Here] are [http://unix.stackexchange.com/a/46748/29867 some] useful [http://superuser.com/a/805060/185665 links] for troubleshooting {{ic|X11 Forwarding}} issues.}}<br />
<br />
=== Forwarding other ports ===<br />
<br />
In addition to SSH's built-in support for X11, it can also be used to securely tunnel any TCP connection, by use of local forwarding or remote forwarding.<br />
<br />
Local forwarding opens a port on the local machine, connections to which will be forwarded to the remote host and from there on to a given destination. Very often, the forwarding destination will be the same as the remote host, thus providing a secure shell and, e.g. a secure VNC connection, to the same machine. Local forwarding is accomplished by means of the {{Ic|-L}} switch and its accompanying forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -L 1000:mail.google.com:25 192.168.0.100<br />
<br />
will use SSH to log in to and open a shell on 192.168.0.100, and will also create a tunnel from the local machine's TCP port 1000 to mail.google.com on port 25. Once established, connections to localhost:1000 will connect to the Gmail SMTP port. To Google, it will appear that any such connection (though not necessarily the data conveyed over the connection) originated from 192.168.0.100, and such data will be secure between the local machine and 192.168.0.100, but not between 192.168.0.100 and Google, unless other measures are taken.<br />
<br />
Similarly:<br />
<br />
$ ssh -L 2000:192.168.0.100:6001 192.168.0.100<br />
<br />
will allow connections to localhost:2000 which will be transparently sent to the remote host on port 6001. The preceding example is useful for VNC connections using the vncserver utility--part of the tightvnc package--which, though very useful, is explicit about its lack of security.<br />
<br />
Remote forwarding allows the remote host to connect to an arbitrary host via the SSH tunnel and the local machine, providing a functional reversal of local forwarding, and is useful for situations where, e.g., the remote host has limited connectivity due to firewalling. It is enabled with the {{Ic|-R}} switch and a forwarding specification in the form of {{Ic|<tunnel port>:<destination address>:<destination port>}}.<br />
<br />
Thus:<br />
<br />
$ ssh -R 3000:irc.freenode.net:6667 192.168.0.200<br />
<br />
will bring up a shell on 192.168.0.200, and connections from 192.168.0.200 to itself on port 3000 (remotely speaking, localhost:3000) will be sent over the tunnel to the local machine and then on to irc.freenode.net on port 6667, thus, in this example, allowing the use of IRC programs on the remote host to be used, even if port 6667 would normally be blocked to it.<br />
<br />
Both local and remote forwarding can be used to provide a secure "gateway," allowing other computers to take advantage of an SSH tunnel, without actually running SSH or the SSH daemon by providing a bind-address for the start of the tunnel as part of the forwarding specification, e.g. {{Ic|<tunnel address>:<tunnel port>:<destination address>:<destination port>}}. The {{Ic|<tunnel address>}} can be any address on the machine at the start of the tunnel, {{Ic|localhost}}, {{Ic|*}} (or blank), which, respectively, allow connections via the given address, via the loopback interface, or via any interface. By default, forwarding is limited to connections from the machine at the "beginning" of the tunnel, i.e. the {{Ic|<tunnel address>}} is set to {{Ic|localhost}}. Local forwarding requires no additional configuration, however remote forwarding is limited by the remote server's SSH daemon configuration. See the {{Ic|GatewayPorts}} option in {{Ic|sshd_config(5)}} for more information.<br />
<br />
=== Jump hosts ===<br />
<br />
In certain scenarios, there might not be a direct connection to your target SSH daemon, and the use of a jump server (or bastion server) is required. In that case, two or more SSH connections are chained together, assuming your local keys are authorized against each server in the chain. This is possible using SSH agent forwarding ({{ic|-A}}) and pseudo-terminal allocation ({{ic|-t}}) which forwards your local key with the following syntax:<br />
<br />
$ ssh -A -t -l user1 bastion1 \<br />
ssh -A -t -l user2 intermediate2 \<br />
ssh -A -t -l user3 target<br />
<br />
An easier way to do this is using the {{ic|-J}} flag:<br />
<br />
$ ssh -J user1@bastion1,user2@intermediate2 user3@target<br />
<br />
Multiple hosts in the {{ic|-J}} directive can be separated with a comma; they will be connected to in the order listed. The {{ic|user...@}} part is not required, but can be used. The host specifications for {{ic|-J}} use the ssh configuration file, so specific per-host options can be set there, if needed.<br />
<br />
=== Reverse SSH through a relay ===<br />
<br />
{{Style|The idea of SSH tunneling is classic, so some references for detailed explanation would be nice. E.g. [https://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work/118650#118650] which includes other scenarios.}}<br />
<br />
The idea is that the client connects to the server via a relay, while the server is connected to the same relay using a reverse SSH tunnel. This is useful, for example, when the server is behind a NAT and the relay is a publicly accessible SSH server used as a proxy to which the user has access. The prerequisite is that the client's keys are authorized against both the relay and the server, and the server's keys need to be authorized against the relay as well for the reverse SSH connection.<br />
<br />
The following configuration example assumes that user1 is the user account used on client, user2 on relay and user3 on server. First the server needs to establish the reverse tunnel with:<br />
<br />
ssh -R 2222:localhost:22 -N user2@relay<br />
<br />
Which can also be automated with a startup script, systemd service or {{Pkg|autossh}}.<br />
<br />
{{Expansion|Explain why {{ic|ssh user3@relay -p 2222}} is not sufficient.}}<br />
<br />
At the client side the connection is established with:<br />
<br />
ssh user2@relay ssh user3@localhost -p 2222<br />
<br />
The remote command to establish the connection to reverse tunnel can also be defined in relay's {{ic|~/.ssh/authorized_keys}} by including the {{ic|command}} field as follows:<br />
<br />
command="ssh user3@localhost -p 2222" ssh-rsa KEY2 user1@client<br />
<br />
In this case the connection is established with:<br />
<br />
ssh user2@relay<br />
<br />
Note that SCP's autocomplete function in client's terminal is not working and even the SCP transfers themselves aren't working under some configurations.<br />
<br />
=== Multiplexing ===<br />
<br />
The SSH daemon usually listens on port 22. However, it is common practice for many public internet hotspots to block all traffic that is not on the regular HTTP/S ports (80 and 443, respectively), thus effectively blocking SSH connections. The immediate solution for this is to have {{ic|sshd}} listen additionally on one of the whitelisted ports:<br />
<br />
{{hc|/etc/ssh/sshd_config|<br />
Port 22<br />
Port 443<br />
}}<br />
<br />
However, it is likely that port 443 is already in use by a web server serving HTTPS content, in which case it is possible to use a multiplexer, such as {{Pkg|sslh}}, which listens on the multiplexed port and can intelligently forward packets to many services.<br />
<br />
=== Speeding up SSH ===<br />
<br />
There are several [[#Configuration|client configuration]] options which can speed up connections either globally or for specific hosts. See {{man|5|ssh_config}} for full descriptions of these options.<br />
<br />
* You can make all sessions to the same host share a single connection using these options: {{bc|<nowiki><br />
ControlMaster auto<br />
ControlPersist yes<br />
ControlPath ~/.ssh/sockets/socket-%r@%h:%p<br />
</nowiki>}}<br />
: where {{ic|~/.ssh/sockets}} can be any directory not writable by other users.<br />
<br />
* {{ic|ControlPersist}} specifies how long the master should wait in the background for new clients after the initial client connection has been closed. Possible values are either: <br />
** {{ic|no}} to close the connection immediately after the last client disconnects, <br />
** a time in seconds,<br />
** {{ic|yes}} to wait forever, the connection will never be closed automatically.<br />
<br />
* Another option to improve speed is to enable compression with the {{ic|Compression yes}} option or the {{ic|-C}} flag.<br />
: {{Note|{{man|1|ssh}} states that "[c]ompression is desirable on modem lines and other slow connections, but will only slow down things on fast networks." This tip might be counterproductive depending on your network configuration.}}<br />
<br />
* Login time can be shortened by bypassing IPv6 lookup using the {{ic|AddressFamily inet}} option or {{ic|-4}} flag.<br />
<br />
* Last, if you intend to use SSH for SFTP or SCP, [https://www.psc.edu/index.php/hpn-ssh High Performance SSH/SCP] can significantly increase throughput by raising dynamically the SSH buffer sizes. Install the package {{AUR|openssh-hpn-git}} to use a patched version of OpenSSH with this enhancement.<br />
<br />
=== Mounting a remote filesystem with SSHFS ===<br />
<br />
Please refer to the [[SSHFS]] article to use sshfs to mount a remote system - accessible via SSH - to a local folder, so you will be able to do any operation on the mounted files with any tool (copy, rename, edit with vim, etc.). Using sshfs instead of shfs is generally preferred as a new version of shfs has not been released since 2004.<br />
<br />
{{Tip|There is a package {{AUR|autosshfs-git}} that can be used to run autosshfs automatically at login.}}<br />
<br />
=== Keep alive ===<br />
<br />
By default, the SSH session automatically logs out if it has been idle for a certain time. To keep the session up, the client can send a keep-alive signal to the server if no data has been received for some time, or symmetrically the server can send messages at regular intervals if it has not heard from the client.<br />
<br />
* On the '''server''' side, {{ic|ClientAliveInterval}} sets the timeout in seconds after which if no data has been received from the client, ''sshd'' will send a request for response. The default is 0, no message is sent. See also the {{ic|ServerAliveCountMax}} and {{ic|TCPKeepAlive}} options. For example to request a response every 60 seconds from the client, set the {{ic|ClientAliveInterval 60}} option in your [[#Configuration_2|server configuration]].<br />
* On the '''client''' side, {{ic|ServerAliveInterval}} controls the interval between the requests for response sent from the client to the server. For example to request a response every 120 seconds from the server, add the {{ic|ServerAliveInterval 120}} option to your [[#Configuration|client configuration]].<br />
<br />
=== Automatically restart SSH tunnels with systemd ===<br />
<br />
[[systemd]] can automatically start SSH connections on boot/login ''and'' restart them when they fail. This makes it a useful tool for maintaining SSH tunnels.<br />
<br />
The following service can start an SSH tunnel on login using the connection settings in your [[#Configuration|ssh configuration]]. If the connection closes for any reason, it waits 10 seconds before restarting it:<br />
<br />
{{hc|~/.config/systemd/user/tunnel.service|<nowiki><br />
[Unit]<br />
Description=SSH tunnel to myserver<br />
<br />
[Service]<br />
Type=simple<br />
Restart=always<br />
RestartSec=10<br />
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N myserver<br />
</nowiki>}}<br />
<br />
Then [[enable]] and [[start]] the user service. See [[#Keep alive]] for how to prevent the tunnel from timing out. If you wish to start the tunnel on boot, you will need to rewrite the unit as a system service.<br />
<br />
=== Autossh - automatically restarts SSH sessions and tunnels ===<br />
<br />
When a session or tunnel cannot be kept alive, for example due to bad network conditions causing client disconnections, you can use {{Pkg|autossh}} to automatically restart them.<br />
<br />
Usage examples:<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" username@example.com<br />
<br />
Combined with [[SSHFS]]:<br />
$ sshfs -o reconnect,compression=yes,transform_symlinks,ServerAliveInterval=45,ServerAliveCountMax=2,ssh_command='autossh -M 0' username@example.com: /mnt/example <br />
<br />
Connecting through a SOCKS-proxy set by [[Proxy settings]]:<br />
$ autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" -NCD 8080 username@example.com <br />
<br />
With the {{ic|-f}} option autossh can be made to run as a background process. Running it this way however means the passphrase cannot be entered interactively.<br />
<br />
The session will end once you type {{ic|exit}} in the session, or the autossh process receives a SIGTERM, SIGINT or SIGKILL signal.<br />
<br />
==== Run autossh automatically at boot via systemd ====<br />
<br />
If you want to automatically start autossh, you can create a systemd unit file:<br />
<br />
{{hc|/etc/systemd/system/autossh.service|2=<br />
[Unit]<br />
Description=AutoSSH service for port 2222<br />
After=network.target<br />
<br />
[Service]<br />
Environment="AUTOSSH_GATETIME=0"<br />
ExecStart=/usr/bin/autossh -M 0 -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
[Install]<br />
WantedBy=multi-user.target<br />
}}<br />
<br />
Here {{ic|1=AUTOSSH_GATETIME=0}} is an environment variable specifying how long ssh must be up before autossh considers it a successful connection. When it is set to 0, autossh also ignores the first run failure of ssh, which may be useful when running autossh at boot. Other environment variables are available on the manpage. Of course, you can make this unit more complex if necessary (see the systemd documentation for details), and obviously you can use your own options for autossh, but note that the {{ic|-f}} implying {{ic|1=AUTOSSH_GATETIME=0}} does not work with systemd.<br />
<br />
Remember to [[start]] and/or [[enable]] the service afterwards.<br />
<br />
You may also need to disable ControlMaster e.g.<br />
<br />
ExecStart=/usr/bin/autossh -M 0 -o ControlMaster=no -NL 2222:localhost:2222 -o TCPKeepAlive=yes foo@bar.com<br />
<br />
{{Tip|It is also easy to maintain several autossh processes, to keep several tunnels alive. Just create multiple service files with different names.}}<br />
<br />
=== Alternative service should SSH daemon fail ===<br />
<br />
For remote or headless servers which rely exclusively on SSH, a failure to start the SSH daemon (e.g., after a system upgrade) may prevent administration access. [[systemd]] offers a simple solution via the {{ic|OnFailure}} option.<br />
<br />
Let's suppose the server runs {{ic|sshd}} and [[telnet]] is the fail-safe alternative of choice. Create a file as follows. Do '''not''' [[enable]] telnet.socket!<br />
<br />
{{hc|/etc/systemd/system/sshd.service.d/override.conf|2=<br />
[Unit]<br />
OnFailure=telnet.socket<br />
}}<br />
<br />
That's it. Telnet is not available when {{ic|sshd}} is running. Should {{ic|sshd}} fail to start, a telnet session can be opened for recovery.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Checklist ===<br />
<br />
Check these simple issues before you look any further.<br />
<br />
# The config directory {{ic|~/.ssh}} and its contents should be accessible only by your user (check this on both the client and the server): {{bc|<nowiki><br />
$ chmod 700 ~/.ssh<br />
$ chmod 600 ~/.ssh/*<br />
$ chown -R $USER ~/.ssh<br />
</nowiki>}}<br />
# Check that the client's public key (e.g. {{ic|id_rsa.pub}}) is in {{ic|~/.ssh/authorized_keys}} on the server.<br />
# Check that you did not limit SSH access with {{ic|AllowUsers}} or {{ic|AllowGroups}} in the [[#Configuration_2|server config]].<br />
# Check if the user has set a password. Sometimes new users who have not yet logged in to the server do not have a password.<br />
# [[Append]] {{ic|LogLevel DEBUG}} to {{ic|/etc/ssh/sshd_config}}.<br />
# Use {{ic|# journalctl -xe}} for possible (error) messages.<br />
# [[Restart]] {{ic|sshd}} and logout/login on both client and server.<br />
<br />
=== Connection refused or timeout problem ===<br />
<br />
==== Port forwarding ====<br />
<br />
If you are behind a router in NAT mode (which is likely unless you are on a VPS or publicly addressed host), make sure that your router is forwarding incoming ssh connections to your machine. Find the server's internal IP address with {{ic|$ ip addr}} and set up your router to forward TCP on your SSH port to that IP. [http://portforward.com portforward.com] can help with that.<br />
<br />
==== Is SSH running and listening? ====<br />
$ ss -tnlp<br />
<br />
If the above command does not show that the SSH port is open, SSH is NOT running. Check {{ic|/var/log/messages}} for errors etc.<br />
<br />
==== Are there firewall rules blocking the connection? ====<br />
<br />
[[Iptables]] may be blocking connections on port {{ic|22}}. Check this with:<br />
{{bc|# iptables -nvL}}<br />
and look for rules that might be dropping packets on the {{ic|INPUT}} chain. Then, if necessary, unblock the port with a command like: <br />
{{bc|<br />
# iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT<br />
}}<br />
For more help configuring firewalls, see [[firewalls]].<br />
<br />
==== Is the traffic even getting to your computer? ====<br />
Start a traffic dump on the computer you are having problems with:<br />
<br />
# tcpdump -lnn -i any port ssh and tcp-syn<br />
<br />
This should show some basic information, then wait for any matching traffic to happen before displaying it. Try your connection now. If you do not see any output when you attempt to connect, then something outside of your computer is blocking the traffic (e.g., hardware firewall, NAT router etc.).<br />
<br />
==== Your ISP or a third party blocking default port? ====<br />
{{Note|Try this step if you '''know''' you are not running any firewalls and you know you have configured the router for DMZ or have forwarded the port to your computer and it still does not work. Here you will find diagnostic steps and a possible solution.}}<br />
<br />
In some cases, your ISP might block the default port (SSH port 22) so whatever you try (opening ports, hardening the stack, defending against flood attacks, et al) ends up useless. To confirm this, create a server on all interfaces (0.0.0.0) and connect remotely. <br />
<br />
If you get an error message comparable to this:<br />
ssh: connect to host www.inet.hr port 22: Connection refused<br />
<br />
That means the port is '''not''' being blocked by the ISP, but the server does not run SSH on that port (See [[wikipedia:Security_through_obscurity|security through obscurity]]).<br />
<br />
However, if you get an error message comparable to this:<br />
ssh: connect to host 111.222.333.444 port 22: Operation timed out <br />
<br />
That means that something is rejecting your TCP traffic on port 22. Basically, that port is stealthed, either by your firewall or by third-party intervention (like an ISP blocking and/or rejecting incoming traffic on port 22). If you know you are not running any firewall on your computer, and you know that Gremlins are not growing in your routers and switches, then your ISP is blocking the traffic.<br />
<br />
To double check, you can run Wireshark on your server and listen to traffic on port 22. Since Wireshark is a Layer 2 Packet Sniffing utility, and TCP/UDP are Layer 3 and above (see [[wikipedia:Internet protocol suite|IP Network stack]]), if you do not receive anything while connecting remotely, a third party is most likely to be blocking the traffic on that port to your server.<br />
<br />
===== Diagnosis =====<br />
<br />
[[Install]] either {{Pkg|tcpdump}} or Wireshark with the {{Pkg|wireshark-cli}} package.<br />
<br />
For tcpdump:<br />
<br />
# tcpdump -ni ''interface'' "port 22"<br />
<br />
For Wireshark:<br />
<br />
$ tshark -f "tcp port 22" -i ''interface''<br />
<br />
where {{ic|''interface''}} is the network interface for a WAN connection (see {{ic|ip a}} to check). If you are not receiving any packets while trying to connect remotely, you can be very sure that your ISP is blocking the incoming traffic on port 22.<br />
<br />
===== Possible solution =====<br />
The solution is just to use some other port that the ISP is not blocking. Open the {{ic|/etc/ssh/sshd_config}} and configure the file to use different ports. For example, add:<br />
<br />
Port 22<br />
Port 1234<br />
<br />
Also make sure that other "Port" configuration lines in the file are commented out. Just commenting "Port 22" and putting "Port 1234" will not solve the issue because then sshd will only listen on port 1234. Use both lines to run the SSH server on both ports. <br />
<br />
[[Restart]] the server {{ic|sshd.service}} and you are almost done. You still have to configure your client(s) to use the other port instead of the default port. There are numerous solutions to that problem, but let us cover two of them here.<br />
<br />
==== Read from socket failed: connection reset by peer ====<br />
<br />
Recent versions of openssh sometimes fail with the above error message when connecting to older ssh servers. This can be worked around by setting various [[#Configuration|client options]] for that host. See {{man|5|ssh_config}} for more information about the following options.<br />
<br />
The problem could be the {{ic|ecdsa-sha2-nistp*-cert-v01@openssh}} elliptic curve host key algorithms. These can be disabled by setting {{ic|HostKeyAlgorithms}} to a list excluding those algorithms.<br />
<br />
If that does not work, it could be that the list of ciphers is too long. Set the {{ic|Ciphers}} option to a shorter list (fewer than 80 characters should be enough). Similarly, you can also try shortening the list of {{ic|MACs}}.<br />
<br />
See also the [http://www.gossamer-threads.com/lists/openssh/dev/51339 discussion] on the openssh bug forum.<br />
<br />
=== "[your shell]: No such file or directory" / ssh_exchange_identification problem ===<br />
One possible cause for this is the need of certain SSH clients to find an absolute path (one returned by {{Ic|whereis -b [your shell]}}, for instance) in {{Ic|$SHELL}}, even if the shell's binary is located in one of the {{Ic|$PATH}} entries.<br />
<br />
==="Terminal unknown" or "Error opening terminal" error message===<br />
If you receive the above errors upon logging in, this means the server does not recognize your terminal. Ncurses applications like nano may fail with the message "Error opening terminal".<br />
<br />
The correct solution is to install the client terminal's terminfo file on the server. This tells console programs on the server how to correctly interact with your terminal. You can get info about current terminfo using {{ic|$ infocmp}} and then find out [[Pacman#Querying_package_databases|which package owns it]].<br />
<br />
If you cannot [[install]] it normally, you can copy your terminfo to your home directory on the server:<br />
<br />
$ ssh myserver mkdir -p ~/.terminfo/${TERM:0:1}<br />
$ scp /usr/share/terminfo/${TERM:0:1}/$TERM myserver:~/.terminfo/${TERM:0:1}/<br />
<br />
After logging in and out from the server the problem should be fixed.<br />
<br />
==== TERM hack ====<br />
<br />
{{warning|This should only be used as a last resort.}}<br />
<br />
Alternatively, you can simply set {{ic|1=TERM=xterm}} in your environment on the server (e.g. in {{ic|.bash_profile}}). This will silence the error and allow ncurses applications to run again, but you may experience strange behavior and graphical glitches unless your terminal's control sequences exactly match xterm's.<br />
<br />
=== Connection closed by x.x.x.x [preauth] ===<br />
If you are seeing this error in your sshd logs, make sure you have set a valid HostKey:<br />
HostKey /etc/ssh/ssh_host_rsa_key<br />
<br />
=== id_dsa refused by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated DSA public keys for security reasons. If you absolutely must enable them, set the [[#Configuration|config]] option {{ic|PubkeyAcceptedKeyTypes +ssh-dss}} (http://www.openssh.com/legacy.html does not mention this).<br />
<br />
=== No matching key exchange method found by OpenSSH 7.0 ===<br />
<br />
OpenSSH 7.0 deprecated the diffie-hellman-group1-sha1 key algorithm because it is weak and within theoretical range of the so-called Logjam attack (see http://www.openssh.com/legacy.html). If the key algorithm is needed for a particular host, ssh will produce an error message like this:<br />
<br />
Unable to negotiate with 127.0.0.1: no matching key exchange method found.<br />
Their offer: diffie-hellman-group1-sha1<br />
<br />
The best resolution for these failures is to upgrade/configure the server to not use deprecated algorithms. If that is not possible, you can force the client to reenable the algorithm with the [[#Configuration|client option]] {{ic|KexAlgorithms +diffie-hellman-group1-sha1}}.<br />
<br />
=== tmux/screen session killed when disconnecting from SSH ===<br />
<br />
If your processes get killed at the end of the session, it is possible that you are using socket activation and it gets killed by {{Pkg|systemd}} when it notices that the SSH session process exited. In that case there are two solutions. One is to avoid using socket activation by using {{ic|ssh.service}} instead of {{ic|ssh.socket}}. The other is to set {{ic|1=KillMode=process}} in the Service section of {{ic|ssh@.service}}.<br />
<br />
The {{ic|1=KillMode=process}} setting may also be useful with the classic {{ic|ssh.service}}, as it avoids killing the SSH session process or the {{Pkg|screen}} or {{Pkg|tmux}} processes when the server gets stopped or restarted.<br />
<br />
=== SSH session stops responding ===<br />
<br />
SSH responds to [[Wikipedia:Software_flow_control|flow control commands]] {{ic|XON}} and {{ic|XOFF}}. It will freeze/hang/stop responding when you hit {{ic|Ctrl+s}}. Use {{ic|Ctrl+q}} to resume your session.<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:Secure Shell]]<br />
* [http://www.la-samhna.de/library/brutessh.html Defending against brute force ssh attacks]<br />
* [http://www.ibm.com/developerworks/library/l-keyc/index.html OpenSSH key management, Part 1] and [http://www.ibm.com/developerworks/library/l-keyc2 Part 2] on IBM developerWorks<br />
* [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=User:Yuvadm&diff=480463User:Yuvadm2017-06-25T08:26:55Z<p>Yuvadm: Update PGP pubkey URL</p>
<hr />
<div>0hai :)<br />
<br />
Find me on [https://yuv.al yuv.al] and at [https://twitter.com/yuvadm/ @yuvadm].<br />
<br />
My email is a single underscore at the aforementioned domain.<br />
<br />
Whenever possible, please use my PGP key which can be found [https://yuv.al/yuval.asc here], and has fingerprint {{Ic|7B40 CAB4 9DA9 9130 954A 47CF 2713 86AA 2EB7 672F}}.</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=User:Yuvadm&diff=480462User:Yuvadm2017-06-25T08:26:07Z<p>Yuvadm: Update domain</p>
<hr />
<div>0hai :)<br />
<br />
Find me on [https://yuv.al yuv.al] and at [https://twitter.com/yuvadm/ @yuvadm].<br />
<br />
My email is '''yuval''' at the aforementioned domain.<br />
<br />
Whenever possible, please use my PGP key which can be found [https://y3xz.com/yuval.asc here], and has fingerprint {{Ic|7B40 CAB4 9DA9 9130 954A 47CF 2713 86AA 2EB7 672F}}.</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Nftables&diff=476132Nftables2017-05-07T17:24:36Z<p>Yuvadm: Cleanup installation section</p>
<hr />
<div>{{DISPLAYTITLE:nftables}}<br />
[[Category:Firewalls]]<br />
[[ja:Nftables]]<br />
{{Expansion|As of October, 2015: while nftables has been around for a while, few people seem to have practical experience using it. The documentation often leaves questions open. If you'd like to pioneer, help out and document how you got it to work. The best place to ask questions is the [http://netfilter.org/mailinglists.html#ml-user Netfilter mailing list].}}<br />
<br />
{{Related articles start}}<br />
{{Related|Firewalls}}<br />
{{Related|iptables}}<br />
{{Related articles end}}<br />
<br />
[http://netfilter.org/projects/nftables/ nftables] is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.<br />
<br />
It consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end.<br />
The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation, libnl contains the low-level functions for communicating with the kernel, and the nftables front-end is what the user interacts with via nft.<br />
<br />
You can also visit the [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page official nftables wiki page] for more information.<br />
<br />
== Installation ==<br />
<br />
Nftables is supported in the Arch Linux kernel. Userspace utilities are provided by the package {{Pkg|nftables}} or the git version {{AUR|nftables-git}}.<br />
<br />
== Basic implementation ==<br />
<br />
Like other firewalls, nftables makes a distinction between temporary rules made on the command line and permanent ones loaded from or saved to a file.<br />
The default file is {{ic|/etc/nftables.conf}} which already contains a simple ipv4/ipv6 firewall table named "inet filter".<br />
<br />
=== Load the basic default ruleset ===<br />
<br />
To use it [[start/enable]] the {{ic|nftables.service}}.<br />
<br />
You can check the ruleset with<br />
<br />
# nft list ruleset<br />
<br />
If it returns the inet filter table setup, you're good to go for basic desktop internet usage.<br />
<br />
{{Note|You may have to create {{ic|/etc/modules-load.d/nftables.conf}} with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command: {{bc|<nowiki>$ lsmod | grep '^nf'</nowiki>}}<br />
<br />
Otherwise, you could end up with the dreaded {{ic|Error: Could not process rule: No such file or directory}} error.}}<br />
<br />
== nft ==<br />
<br />
nftables' user-space utility {{ic|nft}} now performs most of the rule-set evaluation before handing rule-sets to the kernel. Because of this, nftables provides no default tables or chains, although a user can emulate an iptables-like setup.<br />
<br />
It works in a fashion similar to ifconfig or iproute2. The commands are a long, structured sequence rather than using argument switches like in iptables. For example:<br />
<br />
nft add rule ip6 filter input ip6 saddr ::1 accept<br />
<br />
{{ic|add}} is the command. {{ic|rule}} is a subcommand of {{ic|add}}. {{ic|ip6}} is an argument of {{ic|rule}}, telling it to use the ip6 family. {{ic|filter}} and {{ic|input}} are arguments of {{ic|rule}} specifying the table and chain to use, respectively. The rest that follows is a rule definition, which includes matches ({{ic|ip6}}), their parameters ({{ic|saddr}}), parameter arguments ({{ic|::1}}), and jumps ({{ic|accept}}).<br />
<br />
The following is an incomplete list of the commands available in nft:<br />
<br />
<nowiki><br />
list<br />
tables [family]<br />
table [family] <name><br />
chain [family] <table> <name><br />
<br />
add<br />
table [family] <name><br />
chain [family] <table> <name> [chain definitions]<br />
rule [family] <table> <chain> <rule definition><br />
<br />
table [family] <name> (shortcut for `add table`)<br />
<br />
insert<br />
rule [family] <table> <chain> <rule definition><br />
<br />
delete<br />
table [family] <name><br />
chain [family] <table> <name><br />
rule [family] <table> <handle><br />
<br />
flush<br />
table [family] <name><br />
chain [family] <table> <name></nowiki><br />
<br />
{{ic|family}} is optional, see [[#Family|section on family]] below.<br />
<br />
== Tables ==<br />
<br />
The purpose of tables is to hold chains. Unlike tables in iptables, there are no built-in tables in nftables. How many tables one uses, or their naming, is largely a matter of style and personal preference. However, each table has a (network) family and only applies to packets of this family. Tables can have one of five families specified, which unifies the various iptables utilities into one:<br />
<br />
{| class="wikitable"<br />
! nftables family || iptables utility<br />
|-<br />
| ip || iptables<br />
|-<br />
| ip6 || ip6tables<br />
|- <br />
| inet || iptables and ip6tables<br />
|-<br />
| arp || arptables<br />
|-<br />
| bridge || ebtables<br />
|-<br />
|}<br />
<br />
=== Family ===<br />
<br />
{{ic|ip}} (i.e. IPv4) is the default family and will be used if family is not specified.<br />
<br />
IPv6 is specified as {{ic|ip6}}.<br />
<br />
To create one rule that applies to both IPv4 and IPv6, use {{ic|inet}}. {{ic|inet}} allows for the unification of the {{ic|ip}} and {{ic|ip6}} families to make defining rules for both easier.<br />
<br />
{{Note|{{ic|inet}} does not work for {{ic|nat}}-type chains, only for {{ic|filter}}-type chains. ([http://www.spinics.net/lists/netfilter/msg56411.html source])}}<br />
<br />
=== Listing ===<br />
<br />
You can list the current tables in a family with the {{ic|nft list}} command.<br />
<br />
# nft list tables<br />
# nft list tables ip6<br />
<br />
You can list a full table definition by specifying a table name:<br />
<br />
# nft list table ''foo''<br />
# nft list table ''ip6 foo''<br />
<br />
=== Creation ===<br />
<br />
Tables can be added via two commands — one just being a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:<br />
<br />
# nft add table ''foo''<br />
# nft table ''ip6 foo''<br />
<br />
You can have two tables with the same name as long as they are in different families.<br />
<br />
=== Deletion ===<br />
<br />
Tables can only be deleted if there are no chains in them.<br />
<br />
# nft delete table ''foo''<br />
# nft delete table ''ip6 foo''<br />
<br />
== Chains ==<br />
<br />
The purpose of chains is to hold rules. Unlike chains in iptables, there are no built-in chains in nftables. This means that if no chain uses any types or hooks in the netfilter framework, packets that would flow through those chains will not be touched by nftables, unlike iptables.<br />
<br />
=== Listing ===<br />
<br />
The {{ic|nft list table foo}} command will list all the chains in the foo table. You can also list rules from an individual chain.<br />
<br />
# nft list chain ''foo'' ''bar''<br />
# nft list chain ''ip6 foo bar''<br />
<br />
These commands will list the {{ic|bar}} chains in the ip and ip6 {{ic|foo}} tables.<br />
<br />
=== Creation ===<br />
<br />
Chains can be added when a table is created in a file definition or one at a time via the {{ic|nft add chain}} command.<br />
<br />
# nft add chain ''foo'' ''bar''<br />
# nft add chain ''ip6 foo bar''<br />
<br />
These commands will add a chain called {{ic|bar}} to the ip and ip6 {{ic|foo}} tables.<br />
<br />
==== Properties ====<br />
<br />
Because nftables has no built-in chains, it allows chains to access certain features of the netfilter framework.<br />
<br />
# nft add chain filter input \{ type filter hook input priority 0\; \}<br />
<br />
This command tells nftables to add a chain called {{ic|input}} to the {{ic|filter}} table and defines its type, hook, and priority. These properties essentially replace the built-in tables and chains in iptables.<br />
<br />
===== Types =====<br />
<br />
There are three types a chain can have and they correspond to the tables used in iptables:<br />
<br />
* filter<br />
* nat<br />
* route (mangle)<br />
<br />
===== Hooks =====<br />
<br />
There are six hooks a chain can use and all except ingress correspond to chains used in iptables:<br />
<br />
* ingress<br />
* input<br />
* output<br />
* forward<br />
* prerouting<br />
* postrouting<br />
<br />
The ingress hook is an alternative to the existing {{ic|tc}} utility.<br />
<br />
===== Priorities =====<br />
<br />
{{Note|<br />
* Priorities do not currently appear to have any effect on which chain sees packets first.<br />
* Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities.<br />
}}<br />
<br />
Priorities tell nftables which chains packets should pass through first. They are integers, and the higher the integer, the higher the priority.<br />
<br />
=== Editing ===<br />
<br />
To edit a chain, simply call it by its name and define the rules you want to change.<br />
<br />
# <nowiki>nft chain <family> <table> <chain> { [ type <type> hook <hook> device <device> priority <priority> \; policy <policy> \; ] }</nowiki><br />
<br />
For example, if you just want to change the input chain policy of the default table from "accept" to "drop":<br />
<br />
# nft chain inet filter input { policy drop \; }<br />
<br />
=== Deletion ===<br />
<br />
Chains can only be deleted if there are no rules in them.<br />
<br />
# nft delete chain ''foo bar''<br />
# nft delete chain ''ip6 foo bar''<br />
<br />
These commands delete the {{ic|bar}} chains from the ip and ip6 {{ic|foo}} tables.<br />
<br />
== Rules ==<br />
<br />
The purpose of rules is to identify packets (match) and carry out tasks (jump). Like in iptables, there are various matches and jumps available, though not all of them are feature-complete in nftables.<br />
<br />
=== Listing ===<br />
<br />
You can list the current rules in a table with the {{ic|nft list}} command, using the same method as listing a table. You can also list rules from an individual chain.<br />
<br />
# nft list chain ''foo bar''<br />
# nft list chain ''ip6 foo bar''<br />
<br />
These commands will list the rules in the {{ic|bar}} chains in the ip and ip6 {{ic|foo}} tables.<br />
<br />
=== Creation ===<br />
<br />
Rules can be added when a table is created in a file definition or one at a time via the {{ic|nft add rule}} command.<br />
<br />
# nft add rule foo bar ip saddr 127.0.0.1 accept<br />
# nft add rule ip6 foo bar ip6 saddr ::1 accept<br />
<br />
These commands will add a rule to the {{ic|bar}} chains in the ip and ip6 {{ic|foo}} tables that matches an {{ic|ip}} or {{ic|ip6}} packet when its {{ic|saddr}} (source address) is 127.0.0.1 (IPv4) or ::1 (IPv6) and accepts those packets.<br />
<br />
==== Matches ====<br />
<br />
There are various matches available in nftables and, for the most part, coincide with their iptables counterparts. The most noticeable difference is that there are no generic or implicit matches anymore. A generic match was one that was always available, such as {{ic|--protocol}} or {{ic|--source}}. Implicit matches were protocol-specific, such as {{ic|--sport}} when a packet was determined to be TCP.<br />
<br />
The following is an incomplete list of the matches available:<br />
<br />
* meta (meta properties, e.g. interfaces)<br />
* icmp (ICMP protocol)<br />
* icmpv6 (ICMPv6 protocol)<br />
* ip (IP protocol)<br />
* ip6 (IPv6 protocol)<br />
* tcp (TCP protocol)<br />
* udp (UDP protocol)<br />
* sctp (SCTP protocol)<br />
* ct (connection tracking)<br />
<br />
The following is an incomplete list of match arguments (for a more complete list, see {{man|8|nft|url=http://www.netfilter.org/projects/nftables/manpage.html}}):<br />
<br />
<nowiki><br />
meta:<br />
oif <output interface INDEX><br />
iif <input interface INDEX><br />
oifname <output interface NAME><br />
iifname <input interface NAME><br />
<br />
(oif and iif accept string arguments and are converted to interface indexes)<br />
(oifname and iifname are more dynamic, but slower because of string matching)<br />
<br />
icmp:<br />
type <icmp type><br />
<br />
icmpv6:<br />
type <icmpv6 type><br />
<br />
ip:<br />
protocol <protocol><br />
daddr <destination address><br />
saddr <source address><br />
<br />
ip6:<br />
daddr <destination address><br />
saddr <source address><br />
<br />
tcp:<br />
dport <destination port><br />
sport <source port><br />
<br />
udp:<br />
dport <destination port><br />
sport <source port><br />
<br />
sctp:<br />
dport <destination port><br />
sport <source port><br />
<br />
ct:<br />
state <new | established | related | invalid></nowiki><br />
<br />
==== Jumps ====<br />
<br />
Jumps work the same as they do in iptables, except multiple jumps can now be used in one rule.<br />
<br />
# nft add rule filter input tcp dport 22 log accept<br />
<br />
The following is an incomplete list of jumps:<br />
* accept (accept a packet)<br />
* reject (reject a packet)<br />
* drop (drop a packet)<br />
* snat (perform source NAT on a packet)<br />
* dnat (perform destination NAT on a packet)<br />
* log (log a packet)<br />
* counter (keep a counter on a packet; counters are optional in nftables)<br />
* return (stop traversing the chain)<br />
* jump <chain> (jump to another chain)<br />
* goto <chain> (jump to another chain, but do not return)<br />
<br />
=== Insertion ===<br />
<br />
==== Prepended ====<br />
<br />
Rules can be prepended to chains with the {{ic|nft insert rule}} command.<br />
<br />
# nft insert rule filter input ct state established,related accept<br />
<br />
==== At a given position ====<br />
<br />
Nftables uses handles to define the position of a rule. To get this information, list the ruleset with the {{ic|-a}} flag:<br />
<br />
# nft list ruleset -a<br />
<br />
To add a rule ''after'' another rule with a given handle, type:<br />
<br />
# nft add rule ''table_name'' ''chain_name'' position ''handle_number'' ''[rule-definition]''<br />
<br />
=== Deletion ===<br />
<br />
Individual rules can only be deleted by their handles. The {{ic|nft --handle list}} command must be used to determine rule handles. Note the {{ic|--handle}} switch, which tells {{ic|nft}} to list handles in its output.<br />
<br />
The following determines the handle for a rule and then deletes it. The {{ic|--numeric}} argument is useful for viewing some numeric output, like unresolved IP addresses.<br />
<br />
{{hc|# nft --handle --numeric list chain fltrTable input|2=<nowiki><br />
table ip fltrTable {<br />
chain input {<br />
type filter hook input priority 0;<br />
ip saddr 127.0.0.1 accept # handle 10<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
# nft delete rule fltrTable input handle 10<br />
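<br />
The lookup-then-delete step can be scripted. The following is an added example, not part of the original page: the function names and the sample listing are constructed, and the input is assumed to be the output of {{ic|nft --handle list chain}} for a single chain.<br />

```sh
# Constructed sample, mirroring the listing format shown above.
SAMPLE_LISTING='table ip fltrTable {
    chain input {
        type filter hook input priority 0;
        ct state established,related accept # handle 9
        ip saddr 127.0.0.1 accept # handle 10
        tcp dport 22 log accept # handle 11
    }
}'

# rule_handle CHAIN RULE_TEXT   (listing on stdin)
# Prints the handle of the rule in CHAIN whose text equals RULE_TEXT exactly.
# Returns 1 when the rule is absent or matches more than once, so a caller
# never deletes a rule it did not mean to.
rule_handle() {
    awk -v chain="$1" -v want="$2" '
        $1 == "chain" && $3 == "{" { in_chain = ($2 == chain); next }
        $1 == "}"                  { in_chain = 0; next }
        in_chain && / # handle [0-9]+$/ {
            handle = $NF
            rule = $0
            sub(/ # handle [0-9]+$/, "", rule)   # drop the handle comment
            sub(/^[ \t]+/, "", rule)             # drop indentation
            if (rule == want) { found++; result = handle }
        }
        END {
            if (found != 1) exit 1
            print result
        }
    '
}

# delete_rule_cmd TABLE CHAIN RULE_TEXT   (listing on stdin)
# Prints the matching delete command for review instead of running it.
delete_rule_cmd() {
    h=$(rule_handle "$2" "$3") || return 1
    printf 'nft delete rule %s %s handle %s\n' "$1" "$2" "$h"
}
```

On a live system the listing would come from {{ic|nft --handle list chain fltrTable input}} piped into {{ic|delete_rule_cmd}}.<br />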
<br />
All the chains in a table can be flushed with the {{ic|nft flush table}} command. Individual chains can be flushed using either the {{ic|nft flush chain}} or {{ic|nft delete rule}} commands.<br />
<br />
# nft flush table foo<br />
# nft flush chain foo bar<br />
# nft delete rule ip6 foo bar<br />
<br />
The first command flushes all of the chains in the ip {{ic|foo}} table. The second flushes the {{ic|bar}} chain in the ip {{ic|foo}} table. The third deletes all of the rules in the {{ic|bar}} chain in the ip6 {{ic|foo}} table.<br />
<br />
=== Atomic reloading ===<br />
<br />
Flush the current ruleset:<br />
<br />
# echo "flush ruleset" > /tmp/nftables <br />
<br />
Dump the current ruleset:<br />
<br />
# nft list ruleset >> /tmp/nftables<br />
<br />
Now you can edit /tmp/nftables and apply your changes with:<br />
<br />
# nft -f /tmp/nftables<br />
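<br />
The same procedure as a script, as an added example that is not part of the original page: it stages the ruleset in a {{ic|mktemp}} file instead of a fixed path under {{ic|/tmp}} and dry-runs it with {{ic|nft -c}} before loading. The function names and the {{ic|NFT}} override variable are assumptions.<br />

```sh
# NFT names the command used to talk to nftables; it can be pointed at a
# stub for testing (assumption of this example).
NFT=${NFT:-nft}

# stage_ruleset
# Writes "flush ruleset" followed by the live ruleset to a fresh mktemp file
# (mode 0600, unpredictable name) and prints the file's path.
stage_ruleset() {
    staged=$(mktemp "${TMPDIR:-/tmp}/nftables.XXXXXX") || return 1
    if { echo "flush ruleset"; "$NFT" list ruleset; } > "$staged"; then
        printf '%s\n' "$staged"
    else
        rm -f "$staged"
        return 1
    fi
}

# apply_staged FILE
# Refuses a file that lost its leading flush (loading it would append to the
# running ruleset instead of replacing it), dry-runs the file with -c, and
# loads it for real only when the check passes.
apply_staged() {
    if [ "$(head -n 1 "$1")" != "flush ruleset" ]; then
        echo "refusing $1: first line is not 'flush ruleset'" >&2
        return 1
    fi
    "$NFT" -c -f "$1" || return 1
    "$NFT" -f "$1"
}
```

Run {{ic|stage_ruleset}}, edit the file it prints, then pass that path to {{ic|apply_staged}}.<br />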
<br />
== File definitions ==<br />
<br />
File definitions can be used by the {{ic|nft -f}} command, which acts like the {{ic|iptables-restore}} command.<br />
However, unlike {{ic|iptables-restore}}, this command does not flush out your existing ruleset. To do so, you have to prepend the flush command.<br />
<br />
{{hc|/etc/nftables/filter.rules|2=<nowiki><br />
flush table ip filter<br />
table ip filter {<br />
  chain input {<br />
    type filter hook input priority 0;<br />
    ct state established,related accept<br />
    ip saddr 127.0.0.1 accept<br />
    tcp dport 22 log accept<br />
    reject<br />
  }<br />
}<br />
</nowiki>}}<br />
<br />
To export your rules (like {{ic|iptables-save}}):<br />
<br />
# nft list ruleset<br />
<br />
== Getting started ==<br />
<br />
The below example shows ''nft'' commands to configure a basic '''IPv4''' only firewall. If you want to filter both IPv4 '''and''' IPv6 you should look at the other examples in {{ic|/usr/share/nftables}} or just start with the default provided in {{ic|/etc/nftables.conf}} which already works with IPv4/IPv6.<br />
<br />
To get an [[iptables]]-like chain set up, you will first need to use the provided IPv4 filter file:<br />
<br />
# nft -f /usr/share/nftables/ipv4-filter<br />
<br />
To list the resulting chain:<br />
<br />
# nft list table filter<br />
<br />
Drop output to a destination:<br />
<br />
# nft add rule ip filter output ip daddr 1.2.3.4 drop<br />
<br />
Drop packets destined for local port 80:<br />
<br />
# nft add rule ip filter input tcp dport 80 drop<br />
<br />
Delete all rules in a chain:<br />
<br />
# nft delete rule filter output<br />
<br />
== Examples ==<br />
<br />
=== Simple IP/IPv6 firewall ===<br />
<br />
{{hc|firewall.rules|2=<nowiki><br />
# A simple firewall<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
  chain input {<br />
    type filter hook input priority 0; policy drop;<br />
<br />
    # established/related connections<br />
    ct state established,related accept<br />
<br />
    # invalid connections<br />
    ct state invalid drop<br />
<br />
    # loopback interface<br />
    iif lo accept<br />
<br />
    # ICMP<br />
    # routers may also want: mld-listener-query, nd-router-solicit<br />
    ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept<br />
    ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept<br />
<br />
    # SSH (port 22)<br />
    tcp dport ssh accept<br />
<br />
    # HTTP (ports 80 & 443)<br />
    tcp dport { http, https } accept<br />
  }<br />
}<br />
</nowiki>}}<br />
<br />
=== Limit rate IP/IPv6 firewall ===<br />
<br />
{{hc|firewall.2.rules|2=<nowiki><br />
table inet filter {<br />
  chain input {<br />
    type filter hook input priority 0; policy drop;<br />
<br />
    # no ping floods:<br />
    ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second accept<br />
    ip protocol icmp icmp type echo-request limit rate 10/second accept<br />
<br />
    ct state established,related accept<br />
    ct state invalid drop<br />
<br />
    iifname lo accept<br />
<br />
    # avoid brute force on ssh:<br />
    tcp dport ssh limit rate 15/minute accept<br />
  }<br />
}<br />
</nowiki>}}<br />
<br />
=== Jump ===<br />
<br />
When using jumps in a config file, it is necessary to define the target chain first. Otherwise one could end up with {{ic|Error: Could not process rule: No such file or directory}}.<br />
<br />
{{hc|jump.rules|2=<nowiki><br />
table inet filter {<br />
  chain web {<br />
    tcp dport http accept<br />
    tcp dport 8080 accept<br />
  }<br />
  chain input {<br />
    type filter hook input priority 0;<br />
    ip saddr 10.0.2.0/24 jump web<br />
    drop<br />
  }<br />
}<br />
</nowiki>}}<br />
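<br />
The ordering requirement stated above can be checked before a file is loaded. The following is an added example, not part of the original page: the function name and both sample rulesets are constructed, and the check only covers chains declared within the file itself.<br />

```sh
# Constructed samples: GOOD_RULES is the jump.rules layout shown above,
# BAD_RULES declares the jumping chain before its target.
GOOD_RULES='table inet filter {
  chain web {
    tcp dport http accept
  }
  chain input {
    type filter hook input priority 0;
    ip saddr 10.0.2.0/24 jump web
    drop
  }
}'
BAD_RULES='table inet filter {
  chain input {
    type filter hook input priority 0;
    ip saddr 10.0.2.0/24 jump web   # web is declared further down
    drop
  }
  chain web {
    tcp dport http accept
  }
}'

# check_jump_order   (ruleset file on stdin)
# Prints "FAMILY TABLE: CHAIN -> TARGET" for every jump or goto whose target
# chain has not been declared earlier in the same table, and returns 1 if
# any such line was printed.
check_jump_order() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "table" {                           # family defaults to ip
            table = ($3 == "{") ? "ip " $2 : $2 " " $3
            next
        }
        $1 == "chain" { chain = $2; defined[table, chain] = 1; next }
        {
            for (i = 1; i < NF; i++) {
                if ($i != "jump" && $i != "goto") continue
                target = $(i + 1)
                gsub(/[,;{}]/, "", target)        # e.g. targets inside a map
                if (!((table, target) in defined)) {
                    printf "%s: %s -> %s\n", table, chain, target
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}
```

A misspelled target chain is reported the same way, since it is never declared.<br />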
<br />
=== Different rules for different interfaces ===<br />
<br />
If your box has more than one network interface and you would like to use different rules for different interfaces, you may want to use a "dispatching" filter chain together with interface-specific filter chains. For example, assume your box acts as a home router and you want to run a web server that is accessible over the LAN (interface enp3s0) but not from the public internet (interface enp2s0). You may want to consider a structure like this:<br />
<br />
<nowiki>table inet filter {<br />
  chain input { # this chain serves as a dispatcher<br />
    type filter hook input priority 0;<br />
<br />
    iifname lo accept # always accept loopback<br />
    iifname enp2s0 jump input_enp2s0<br />
    iifname enp3s0 jump input_enp3s0<br />
<br />
    reject with icmp type port-unreachable # refuse traffic from all other interfaces<br />
  }<br />
  chain input_enp2s0 { # rules applicable to the public interface<br />
    ct state {established,related} accept<br />
    ct state invalid drop<br />
    udp dport bootpc accept<br />
    tcp dport bootpc accept<br />
    reject with icmp type port-unreachable # all other traffic<br />
  }<br />
  chain input_enp3s0 { # rules applicable to the LAN interface<br />
    ct state {established,related} accept<br />
    ct state invalid drop<br />
    udp dport bootpc accept<br />
    tcp dport bootpc accept<br />
    tcp dport http accept<br />
    tcp dport https accept<br />
    reject with icmp type port-unreachable # all other traffic<br />
  }<br />
  chain output { # we let everything out<br />
    type filter hook output priority 0;<br />
    accept<br />
  }<br />
}</nowiki><br />
<br />
Alternatively you could choose only one {{ic|iifname}} statement, such as for the single upstream interface, and put the default rules for all other interfaces in one place, instead of dispatching for each interface.<br />
<br />
=== Masquerading ===<br />
<br />
nftables has a special keyword {{ic|masquerade}} "where the source address is automagically set to the address of the output interface" ([http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Masquerading source]). This is particularly useful for situations in which the IP address of the interface is unpredictable or unstable, such as the upstream interface of routers connecting to many ISPs. Without it, the Network Address Translation rules would have to be updated every time the IP address of the interface changed.<br />
<br />
To use it:<br />
<br />
* make sure masquerading is enabled in the kernel (true if you use the default kernel), otherwise during kernel configuration, set<br />
<br />
CONFIG_NFT_MASQ=m<br />
<br />
* the {{ic|masquerade}} keyword can only be used in chains of type {{ic|nat}}, which in turn cannot be contained in a table with family {{ic|inet}}. Use a table with family {{ic|ip}} and/or {{ic|ip6}} instead.<br />
* masquerading is a kind of source NAT, so only works in the output path.<br />
<br />
Example for a machine with two interfaces: LAN connected to {{ic|enp3s0}}, and public internet connected to {{ic|enp2s0}}:<br />
<br />
<nowiki>table ip nat {<br />
  chain prerouting {<br />
    type nat hook prerouting priority 0;<br />
  }<br />
  chain postrouting {<br />
    type nat hook postrouting priority 0;<br />
    oifname "enp2s0" masquerade<br />
  }<br />
}</nowiki><br />
<br />
== See also ==<br />
<br />
* [https://wiki.nftables.org/ netfilter nftables wiki]<br />
* [https://lwn.net/Articles/324251/ First release of nftables]<br />
* [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick howto]<br />
* [https://lwn.net/Articles/564095/ The return of nftables]<br />
* [http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/ What comes after ‘iptables’? It’s successor, of course: `nftables`]</div>Yuvadmhttps://wiki.archlinux.org/index.php?title=Elasticsearch&diff=475453Elasticsearch2017-04-29T17:05:26Z<p>Yuvadm: Add note about vm.max_map_count</p>
<hr />
<div>[[Category:Search]]<br />
[[ja:Elasticsearch]]<br />
From [[Wikipedia:Elasticsearch]]:<br />
:''[https://www.elastic.co/products/elasticsearch Elasticsearch] is a search engine based on [http://lucene.apache.org/ Lucene]. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. Elasticsearch is developed in Java and is released as open source under the terms of the Apache License.''<br />
<br />
== Installation ==<br />
Elasticsearch requires at least OpenJDK 7, see [[Java]].<br />
<br />
Install the {{Pkg|elasticsearch}} package.<br />
<br />
== Running ==<br />
<br />
[[Start/enable]] {{ic|elasticsearch.service}}.<br />
<br />
Ensure Elasticsearch is running and accessible by using {{pkg|curl}}, {{ic|curl -X GET '<protocol>://<host>:<port>'}}:<br />
{{hc|curl -X GET http://127.0.0.1:9200|2=<br />
<nowiki><br />
{<br />
"name" : "Sunder",<br />
"cluster_name" : "elasticsearch",<br />
"cluster_uuid" : "*cluster-uuid*",<br />
"version" : {<br />
"number" : "2.4.1",<br />
"build_hash" : "c67dc32e24162035d18d6fe1e952c4cbcbe79d16",<br />
"build_timestamp" : "2016-09-27T18:57:55Z",<br />
"build_snapshot" : false,<br />
"lucene_version" : "5.5.2"<br />
},<br />
"tagline" : "You Know, for Search"<br />
}<br />
</nowiki><br />
}}<br />
<br />
== Configuration ==<br />
The main Elasticsearch configuration file is well-documented and located at {{ic|/etc/elasticsearch/elasticsearch.yml}}.<br />
<br />
* By default Elasticsearch is publicly accessible; it may be preferable to allow access only from the host itself instead:<br />
<br />
network.host: 127.0.0.1<br />
<br />
* It is possible to use a custom port instead of the default {{ic|9200}}:<br />
<br />
http.port: 9200<br />
<br />
You may want to change the default maximum memory usage:<br />
<br />
{{hc|/etc/elasticsearch/jvm.options|2=<br />
<nowiki><br />
# Xms represents the initial size of total heap space<br />
# Xmx represents the maximum size of total heap space<br />
<br />
-Xms128m # e.g. 256m, 1g, 2g, ..<br />
-Xmx512m # e.g. 256m, 1g, 2g, ..<br />
</nowiki><br />
}}<br />
<br />
You might need to update the [https://www.elastic.co/guide/en/elasticsearch/reference/5.2/vm-max-map-count.html vm.max_map_count] system limit:<br />
<br />
# sysctl -w vm.max_map_count=262144<br />
<br />
== Usage ==<br />
Elasticsearch uses a REST API, see [[Wikipedia:RESTful API]] for more information.<br />
<br />
[https://www.elastic.co/guide/en/elasticsearch/guide/current/_talking_to_elasticsearch.html Talking to Elasticsearch] and the [https://www.elastic.co/guide/en/elasticsearch/guide/current/getting-started.html Getting started] guide should provide you with basic and detailed usage information.<br />
<br />
The Elasticsearch server management (document maintenance, performing searches, etc.) is usually done by [https://www.elastic.co/guide/en/elasticsearch/client/index.html clients], which should provide seamless integration with the preferred programming language.<br />
<br />
Tools such as [http://www.elastichq.org ElasticHQ], [https://github.com/jettro/elasticsearch-gui Elasticsearch GUI], [https://www.elastic.co/products/kibana Kibana] and [[Adminer]] are also available to simplify the management of Elasticsearch instances and clusters.</div>Yuvadm