User:AdamT/Installation Notes
This document consists of notes drawn from various sources, including the Installation Guide and the Beginners' Guide. The workflow below follows these official guides when feasible. However, whereas the official guides are intended for general application, this document outlines a specific installation and subsequently has a narrower focus.
The focus of this document's installation is a fresh, single-boot desktop-orientated installation of Arch Linux that uses Btrfs throughout. At present, this document also focuses on BIOS-emulated booting in lieu of UEFI. Further, the focus here will be on Xfce, a specific Desktop Environment, and other specific applications. Adaptation or alternative solutions may be necessary to best fit specific needs.
New Install TTD
- Decide on:
- UKSM Kernel Dedup
- Sound system
- Use/try:
- EFISTUB
- Kernels: Linux-ck or Linux-xen, build, benchmark.
- Wayland
- KISS: Wayland#Window_managers_and_desktop_shells
- Cloud: Transition away from Google. Synchronization_and_backup_programs#Custom_infrastructure
- Plex
Download
- Follow the Installation Guide#Download section.
- More information can be found in the Beginners' Guide#Preparation section.
- Instead of using optical media, consider using USB Flash Installation Media.
- If on Microsoft Windows, consider trying the USB Flash Installation Media#Win32 Disk Imager method first.
Installation
Keyboard layout
- Follow the Installation_Guide#Keyboard_layout section.
- For more information see the Beginners'_Guide#Change_the_language section.
Partition disks
Format the partitions
- For a general overview see the Installation Guide#Format the partitions section.
- Additional information can be found in the Beginners' Guide#Create filesystems section.
- Further btrfs specific information can be found in the Btrfs#Creating a new file system section.
lsblk
blkid
ls /dev/
Examples
# mkfs.btrfs -l 16384 /dev/sdX
Sanity check
btrfs filesystem show
Setup Btrfs
- Potentially Useful Btrfs Wiki links:
- Specifically relevant Arch Wiki links:
Examples
- Enable skinny extents:
btrfstune -x /dev/sdX
- Prepare for subvolumes
mkdir /mnt/btrfs-root
mount -t btrfs -o <OPTIONS> /dev/sdX /mnt/btrfs-root
- For mount options, see Btrfs#Mount options.
- Enable quotas prior to creating subvolumes
btrfs quota enable /mnt/btrfs-root
- Create subvolumes
cd /mnt/btrfs-root
btrfs subvolume create root_subvolume
cd root_subvolume
btrfs subvolume create home
btrfs subvolume create var
btrfs subvolume create usr
Sanity check
btrfs subvolume list -p .
See also
- Partition alignment questions?
- Information regarding clusters versus blocks
- https://git.kernel.org/cgit/linux/kernel/git/mason/btrfs-progs.git/
- Btrfs pull requests:
- Btrfs on raw disks?
- Varying leafsize and nodesize in Btrfs
- [1]
- Is Btrfs optimized for SSDs?
- [2]
- Lzo vs. zLib
- Ramdisk#Example_usage
- Tmpfs#tmpfs
- Anything-sync-daemon
- OS Protection
Mount the partitions
Example:
# mkdir /mnt/btrfs-system
# mount -o subvol=root_subvolume,<OPTIONS> /dev/sdX /mnt/btrfs-system
mount command.
Connect to the internet
/sys/class/net/. In the sub-directories you can find information pertaining to any available NIC by using cat or nano.
Install the base system
- Install: reflector
reflector -a 2 -l 100 -f 10 --sort score --save /etc/pacman.d/mirrorlist
- Check your work with cat /etc/pacman.d/mirrorlist | less.
Example:
# pacstrap /mnt/btrfs-system base base-devel grub ntp reflector
Configure the system
Generate an fstab
- Suggested example:
genfstab -Up /mnt/btrfs-system >> /mnt/btrfs-system/etc/fstab
- Check your work:
cat /mnt/btrfs-system/etc/fstab
- Send a UUID to fstab:
ls -l /dev/disk/by-uuid | grep sdX | gawk -F' ' '{ print $9 }' >> /etc/fstab
Chroot and configure the base system
Example:
# arch-chroot /mnt/btrfs-system
Locale
Time zone
Hardware clock
Console font and keymap
Suggested configuration:
# /etc/vconsole.conf
KEYMAP=dvorak
FONT=Lat2-Terminus16
FONT_MAP=8859-2
Create an initial ramdisk environment
Example
# /etc/mkinitcpio.conf
HOOKS="systemd autodetect modconf block filesystems keymap consolefont keyboard"
COMPRESSION=cat
Set the root password
Install Linux-ck
- Consider manually compiling the kernel for added customization and optimization.
- If you delete or overwrite your pacman.conf file you can replace it from the archive file in /var/cache/pacman/pkg. See this thread for more information.
See also
- Beginners'_Guide#Create_an_initial_ramdisk_environment
- Fstab#tmpfs
- Firefox_Ramdisk#Method_3:_Build_your_own_system
- Locale#Setting_system-wide_locale
- Linux-ck
- Unofficial user repositories/Repo-ck
- mkinitcpio systemd and udev hooks
Install and configure a bootloader
Examples
# modprobe dm-mod
# grub-install --target=i386-pc --boot-directory=/boot --recheck --debug /dev/sda
# mkdir -p /boot/grub/locale
# cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="verbose add_efi_memmap elevator=bfq"
40_custom allows the creation of custom GRUB entries and the loading of modules. This allows persistent customization in GRUB's scripted generation of grub.cfg.
# /etc/grub.d/40_custom
insmod btrfs
Check your grub file with cat /boot/grub/grub.cfg | less.
See also
- https://bbs.archlinux.org/viewtopic.php?id=144477
- https://wiki.archlinux.org/index.php/GRUB
- https://help.ubuntu.com/community/Grub2/Setup#File_Structure
- https://www.gnu.org/software/grub/manual/grub.html
- http://www.ibm.com/developerworks/linux/library/l-grub2/
- http://ubuntuforums.org/showthread.php?t=1690831&p=10472732#post10472732
- https://bbs.archlinux.org/viewtopic.php?id=144254
- https://wiki.archlinux.org/index.php/Securely_wipe_disk
- https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
Unmount and reboot
First exit your arch-chroot session. Now, make sure your file system has synced everything from primary storage (DDR SDRAM) to secondary storage (your installation drive(s)).
# btrfs filesystem sync /mnt/btrfs-root
# umount /mnt/btrfs-system
umount /mnt/btrfs-system/{tmp,var/spool,var/log,home}
Cross your fingers and toes, and reboot!
Post-installation
Bring up internet
Temporary
# dhcpcd
# dhcpcd eth0
$ ping ramnode.com
/sys/class/net/ within you will likely see eth0 or wlan0 or both or neither. In those directories you can find information pertaining to any given NIC by using cat or nano.
Persistent server
Check hostname.
# echo "nameserver 208.67.222.222" >> /etc/resolv.conf && echo "nameserver 208.67.220.220" >> /etc/resolv.conf
for OpenDNS DNS resolving over local ISP or VPS provided DNS.
# cp /etc/netctl/examples/ethernet-dhcp /etc/netctl/ethernet0
Edit ethernet0 and uncomment IP6=stateless or IP6=dhcp for IPv6 networking.
# netctl enable ethernet0
Reboot to test.
Persistent desktop
You can use the same as the server section or NetworkManager depending on your preference.
For NetworkManager install networkmanager network-manager-applet dhclient. See additional NetworkManager packages with pacman -Ss networkmanager.
# systemctl enable NetworkManager
# systemctl start NetworkManager
User management
# useradd -m -g users -G wheel USER
# chfn USER
# passwd USER
Sudo
Install sudo and bash-completion.
# VISUAL="/usr/bin/nano" visudo
# sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
...
##
## User privilege specification
##
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
...
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
- Find the line "Uncomment to allow members of group wheel to execute any command".
- Uncomment the %wheel line that follows it.
Check your work with su -l USER then attempt to run something like pacman -Sy and pacman -Su with and without sudo to test and verify. I recommend rebooting, logging in as your new user, and testing that you can do everything you need to do with sudo before proceeding.
sudo !! to repeat the previous command but with sudo in front of it.
Lockout root logins
# passwd -l root
Arch Users Repository
Install yaourt (AUR) using AUR or their unofficial repository. Install desired optional dependencies.
Install namcap for automated AUR and other package checking via Yaourt.
Yaourt provides all in one support for Official Repositories, AUR, and ABS.
See also
Setup
Congratulations, you have progressed beyond the official installation guides and onto much deeper waters. Your system should be up and running, the basic post-installation tasks should be completed and you are now ready to move on to more system specific system configurations.
Desktop
Sound
Install: pulseaudio paprefs pavucontrol pulseaudio-alsa.
If using multi-lib: lib32-libpulse lib32-alsa-plugins.
/etc/libao.conf file and remove the dev section and leave the driver as pulse. This may fail at first, but keep trying and check pavucontrol.
See also
Desktop environment
Install: xfce4
Additional packages to consider: xfce4-weather-plugin xfce4-taskmanager xfce4-screenshooter xfce4-notifyd xfce4-artwork thunar-media-tags-plugin thunar-archive-plugin mousepad
Alternative file manager suggestion: SpaceFM
AUR Suggestions: xfce4-whiskermenu-plugin (AUR)
AUR Consideration: xfce4-session-light (AUR)
Multiple monitors
See NVIDIA#Multiple_monitors and my sample here: Xorg#Sample_configurations (NVIDIA, nvidia-ck, et cetera).
Suggest not using twinview or Xinerama. May need to disable compositing though. I configured through NVIDIA and then checked my work by editing the file. Save to home then # cp to /etc/X11/xorg.conf.d/10-monitor.conf.
Fonts
# /etc/pacman.conf
...
[infinality-bundle]
Server = http://ibn.net63.net/infinality-bundle/$arch
#[infinality-bundle-multilib] # Uncomment for multilib usage.
#Server = http://ibn.net63.net/infinality-bundle-multilib/$arch # Uncomment for multilib usage.
# pacman-key -r 962DDE58
# pacman-key --lsign-key 962DDE58
Refresh your repositories.
Install: infinality-bundle
Web browser
Install: firefox
Configure
Disable Firefox's blocking of web-forgeries and attack sites. This feature slows down Firefox's start-up and shut-down and takes up space for the database it maintains. This feature also relies on Google services.
- delete urlclassifier*.sqlite files in your profile
- ~/.mozilla/firefox/<PROFILE>/urlclassifier*.sqlite
- While in your profile, in the terminal:
for f in urlclassifier*.sqlite; do echo "" > "$f"; done
chmod 400 urlclassifier*.sqlite
Especially for SSDs it may prolong your drive's life to disable Firefox's disk cache.
- about:config
- Set browser.cache.disk.enable to false
- Verify browser.cache.memory.enable is true
- Set browser.cache.memory.max_entry_size to -1 for automatic memory usage
- There is another similar memory flag that may also be set to -1 for automatic usage.
Optional: Profile Sync to Ram
- Download from AUR
- tar -xzf <make_package>
- cd <package folder>
- makepkg -s
- pacman -U <package>
- systemctl enable psd psd-resync
- (close firefox!) systemctl start psd psd-resync
See also
- https://wiki.archlinux.org/index.php/Firefox_Tweaks
- http://kb.mozillazine.org/About:config_entries
- https://wiki.archlinux.org/index.php/Firefox
- https://wiki.archlinux.org/index.php/Firefox_Privacy
- https://wiki.archlinux.org/index.php/Profile-sync-daemon
Xbmc
Install: xbmc
Suggested skin: Bello.
Pianobar
See: Pianobar
Aria2
Install: aria2
Usenet tools
Install desired Usenet tools from AUR.
SABnzbd+
Install: sabnzbd (AUR)
aria2c https://aur.archlinux.org/packages/sa/sabnzbd/sabnzbd.tar.gz
tar -xvzf sabnzbd.tar.gz
To enable SABnzbd+ to create folders, your chosen Downloads directory will need to be chmod'd to 777 (chmod 777 -R <DIRECTORY>).
I recommend changing the services and configuration file and changing the user name to your username (for easy writing to home dir).
- edit /usr/lib/systemd/system/<program>.service to <USER>:<program> instead of default
- chown /opt/<program> to <USER>:<program> instead of root:<program> or <program>:<program>
An alternative may be to create a dedicated folder for SABnzbd to use in your home directory and chown that to its user/group.
TICKR
Optional: ticker style syndicated news reader. Really neat. tickr (AUR)
Pipelight
Allows running Windows browser plugins in Wine to be used in native GNU/Linux browsers.
See also
- http://fds-team.de/cms/articles/2013-08/pipelight-using-silverlight-in-linux-browsers.html
- pipelight-git (AUR)
Crossover
For dependencies install: lib32-glibc lib32-libic lib32-libx11 lib32-libsm lib32-gcc-libs lib32-libxext lib32-libpng lib32-freetype2 lib32-libpng12 lib32-lcms lib32-libxrandr lib32-nvidia-libgl lib32-nvidia-utils libtxc_dxtn lib32-libtxc_dxtn lib32-flashplugin flashplugin
See also
Steam
Server
Secure Shell
Install
Install openssh.
Harden
# nano /etc/ssh/sshd_config
Generate a random port number between 49152-65535 at Random.org's Integer service, replace the default SSH port with that number, and uncomment it.
Uncomment PermitRootLogin and change it to no.
Under the same # Authentication section add AllowUsers USER1 USER2
# nano /lib/systemd/system/sshd.socket
Change this to the new port number as generated and set above.
# cp /lib/systemd/system/sshd.socket /etc/systemd/system/sshd.socket
# systemctl enable sshd.socket
# systemctl start sshd.socket
Test locally with the information below and then connecting from a remote system if feasible.
$ ssh -v localhost -p PORT -l USERNAME
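One way to check the result of the steps above, as an added example that is not part of the original notes: it draws the port from /dev/urandom instead of a web service and verifies that sshd_config and sshd.socket agree. The function names and the sample files (port 51022) are constructed for illustration, and the parser assumes whitespace-separated "Keyword value" lines.

```sh
#!/bin/sh
# Added example: audit the SSH hardening steps on copies of the two edited files.

# Random port in 49152-65535 from /dev/urandom. The range holds exactly 16384
# values and 65536 is a multiple of that, so the modulo introduces no bias.
pick_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $(( 49152 + n % 16384 ))
}

# First uncommented value of KEYWORD: sshd uses the first value it reads for
# a keyword, and keyword names are case-insensitive.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Port from the last non-empty ListenStream= line of a socket unit; accepts
# "PORT", "ADDR:PORT" and "[ADDR]:PORT".
socket_port() {  # usage: socket_port FILE
    awk -F= '$1 == "ListenStream" && $2 != "" { v = $2 }
             END { sub(/.*:/, "", v); print v }' "$1"
}

# Prints one FAIL line per problem; exit status is 0 only when all checks pass.
audit_ssh() (  # usage: audit_ssh SSHD_CONFIG SSHD_SOCKET
    fails=0
    fail() { echo "FAIL $1"; fails=$((fails + 1)); }
    port=$(sshd_value "$1" Port)
    root=$(sshd_value "$1" PermitRootLogin)
    users=$(sshd_value "$1" AllowUsers)
    sport=$(socket_port "$2")
    case $port in
        ''|*[!0-9]*) fail "Port is unset or not a number" ;;
        *) if [ "$port" -lt 49152 ] || [ "$port" -gt 65535 ]; then
               fail "Port $port is outside 49152-65535"
           fi ;;
    esac
    if [ "$root" != no ]; then fail "PermitRootLogin is '${root:-unset}', expected no"; fi
    if [ -z "$users" ]; then fail "AllowUsers is not set"; fi
    if [ "$sport" != "$port" ]; then
        fail "sshd.socket listens on '${sport:-unset}', sshd_config says '${port:-unset}'"
    fi
    if [ "$fails" -eq 0 ]; then echo "PASS all checks"; fi
    [ "$fails" -eq 0 ]
)

# Constructed sample: sshd_config was edited, the socket unit was not.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
#Port 22
Port 51022
PermitRootLogin no
# Authentication
AllowUsers USER1 USER2
EOF
printf '[Socket]\nListenStream=22\nAccept=yes\n' > "$demo_dir/sshd.socket"
audit_ssh "$demo_dir/sshd_config" "$demo_dir/sshd.socket" || echo "hardening incomplete"
```

On a real system, pass /etc/ssh/sshd_config and /etc/systemd/system/sshd.socket as the two arguments.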
Harden server
TTD: http://wiki.centos.org/HowTos/OS_Protection go back through this link and update this guide. Cross reference with the Hardening Guides.
General Guidelines
- Keep installed packages to a minimum.
- Update regularly.
Physical security
For a VPS, disable VNC once you have SSH set up. Configure it to boot from the hard drive by default. With a VPS you are essentially surrendering your ability to control the physical protection of your server. Make sure to choose a good provider!
Filesystem permissions
# chmod 700 /boot /root /etc/iptables
Prevent root login at console
/etc/securetty
Temporary lockout after failed login attempts
# nano /etc/pam.d/system-login
Limiting su to wheel group
# nano /etc/pam.d/su
Uncomment the line following "Uncomment the following line to require a user to be in the "wheel" group".
Harden TCP/IP stack
# /etc/sysctl.conf
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.
# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1
# Protection from the SYN flood attack. Matches Arch Wiki
net.ipv4.tcp_syncookies = 1
# See evil packets in your logs. Enabled as per Arch Wiki
net.ipv4.conf.all.log_martians = 1
# Never accept redirects or source routes (these are only useful for routers). Uncommented in as per Arch Wiki
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0
# Disable packet forwarding. Matches Arch Wiki
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Tweak the port range used for outgoing connections.
#net.ipv4.ip_local_port_range = 32768 61000
# Tweak those values to alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60
# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5
# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600
# Arch Wiki
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
#Enable timestamps at gigabit speeds
net.ipv4.conf.all.rp_filter = 1
# net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
#CentOS Wiki says 0 here.
#CentOS Wiki
net.ipv4.tcp_max_syn_backlog = 1280
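A lint pass for a file like the one above, as an added example that is not part of the original notes: it flags parameter names that do not exist, text trailing a value (comments in this format are whole lines starting with # or ;) and keys that are set more than once. The function names, the stand-in /proc/sys tree and the sample fragment are constructed for illustration.

```sh
#!/bin/sh
# Added example: lint a sysctl.conf-style file before it is loaded.

# Emit "LINE<TAB>KEY<TAB>VALUE" for every setting. Blank lines and lines whose
# first non-blank character is # or ; are comments and are skipped.
parse_sysctl() {  # usage: parse_sysctl FILE
    awk '/^[ \t]*([#;]|$)/ { next }
         { eq = index($0, "="); if (!eq) next
           k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
           gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
           printf "%d\t%s\t%s\n", NR, k, v }' "$1"
}

# Report mistyped names, text trailing a value, and keys set more than once.
# PROC_ROOT defaults to /proc/sys and is a parameter so the check runs offline.
lint_sysctl() (  # usage: lint_sysctl FILE [PROC_ROOT]
    root=${2:-/proc/sys}
    tab=$(printf '\t')
    parse_sysctl "$1" | while IFS=$tab read -r n key val; do
        if [ ! -e "$root/$(printf '%s' "$key" | tr . /)" ]; then
            echo "line $n: $key: no such parameter"
        fi
        case $val in
            *'#'*|*';'*)
                echo "line $n: $key: trailing text is part of the value, not a comment" ;;
        esac
    done
    # Second pass: a key that appears again overrides the earlier line.
    parse_sysctl "$1" | awk -F'\t' '
        $2 in seen { printf "line %d: %s: already set on line %d (%s -> %s)\n",
                     $1, $2, at[$2], seen[$2], $3 }
        { seen[$2] = $3; at[$2] = $1 }'
)

# Constructed sample: a stand-in /proc/sys tree and a fragment with three mistakes.
lint_demo=$(mktemp -d)
mkdir -p "$lint_demo/proc/net/ipv4"
for p in ip_forward tcp_rfc1337 tcp_timestamps; do
    : > "$lint_demo/proc/net/ipv4/$p"
done
cat > "$lint_demo/sysctl.conf" <<'EOF'
# Constructed fragment
net.ipv4.ip_forward = 0
net.ipv4.tpc_rfc1337 = 1
net.ipv4.tcp_timestamps = 0 #Enable timestamps at gigabit speeds
net.ipv4.ip_forward = 1
EOF
lint_sysctl "$lint_demo/sysctl.conf" "$lint_demo/proc"
```

Run it as lint_sysctl /etc/sysctl.conf on the installed system; no output means none of the three problems was found.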
See also
- Comprehensive Server Guide
- Secure Shell
- Security
- CentOS Docs/Wiki
- Wikipedia:CIDR
ufw
Install: ufw.
# ufw default deny
/etc/ufw/applications.d/ufw-custom
[SSH-Custom]
title=SSH
description=Secure Shell Server
ports=XXXX/tcp
#Generate a random integer from Random.org or elsewhere (/dev/(u)random)
# ufw allow SSH-Custom
# ufw enable
# systemctl enable ufw.service
# ufw status
# ufw limit SSH-Custom
See also
- Arch Wiki: Uncomplicated Firewall
- Manpage: [5]
Hiawatha webserver
Install
See also
- Developer's how-to: [6]
Team Fortress 2 Dedicated Server
Multilib Repository
Edit /etc/pacman.conf and uncomment the multilib repository (include its heading!).
See also Multilib.
Dependencies
Install lib32-gcc-libs
SteamCMD
SteamCMD is a command line version of the Steam client. To download, this link should be persistent, if not see here.
Extract and copy the contents to the directory you want to store it in. For ease of use I just used a hidden folder in my home directory for now.
Execute: ./steamcmd.sh or sh steamcmd.sh.
Login: login anonymous
Download Team Fortress 2 Dedicated Server
In SteamCMD, after logging in install the Team Fortress 2 dedicated server:
S* force_install_dir /home/<USER>/.tf2
S* app_update 232250 validate
I ran into some errors first off here which were resolved by changing the permissions on my home directory (recursively) to 755 (chmod 755 -R /home/<USER>).
You may need to repeat the update command above until you get it completed.
Once you get a Success! App '232250' fully installed consider running the command again just to verify the installation once more.
Configure TF2
~/.tf2/tf/cfg
hostname "Your_Servers_Name"
rcon_password "Your_Rcon_Password"
sv_contact "admin@yourdomain.com"
mp_timelimit "30"
Run under screen? See here
Launch Server
From .tf2,
srcds_run -game tf +sv_pure 2 +maxplayers 24
Modifications
SourceMod is our focus here. AMXmodx is another consideration, but sourcemod seems to be the more popular one and the better maintained one. SourceMod is technically a plugin for Metamod:Source. As such, this also needs to be installed.
Get the latest release's download URL from here (use the wget one).
Change into .tf2/tf and then download:
$ aria2c http://mirror.capturetheprize.com/mmsource-X.XX.X-linux.tar.gz
Extract:
$ tar -xvzf mmsource-X.XX.X-linux.tar.gz
You should now have addons/ folders.
Launch your server and see if meta list provides an output (or just meta).
For Sourcemod you essentially need to rinse and repeat. Get the download from here. Extract Sourcemod in the same folder as you did for Metamod. The archive will have the folder paths set relative to that same folder.
Begin to configure; ~/.tf2/tf/cfg/sourcemod/sourcemod.cfg is a good place to start. See links below for more information.
To extract .gz (no tar) use gunzip -c ARCHIVE > EXTRACTEDFILENAME
SourceMod plugins will often (if not always) have their own configuration file that should be used over the server.cfg.
//) notes about all your plugins in your server.cfg so you have a quick and easy reference and reminder!
TTD
- Configure automatic updates for steamcmd, tf2 server, and plugins.
- Verify all mods are up-to-date.
- May require scheduled reboots of server (probably good idea anyway).
- Add mod for more robust score keeping and replace default scores with it.
- Set up shell or something so tf2 server can be run without needing separate ssh session.
See also
Firewall
See here. 27015 default TF2 port. May change this. More info
Hardening
See also
- SteamCMD official dev. wiki: [9]
- Official wiki article: [10]
- Multilib
- Steam Application IDs: [11]
- Possible SteamCMD alternative. Not sure if well maintained or not: [12]
- SteamCMD: [13]
- Source Dedicated Server Official wiki: [14]
- Required ports for steam, Steam Support knowledge-base article: [15]
- MvM with quickplay Tutorial: [16]
- Allied modders: [17]
- Developer console: [18]
- Console commands (third-party): [19]
- MvM Map list: [20]
- Command line options (official wiki): [21]
- Bots in TF2: [22]
- Register server for quick-play (kb): [23]
- Start MvM with less than three players (not recommended): [24]
- http://wiki.teamfortress.com/wiki/Competitive_play
- Server configurations
- Optimizations
- http://forums.steampowered.com/forums/showthread.php?t=1281786
- https://developer.valvesoftware.com/wiki/Interpolation
- https://developer.valvesoftware.com/wiki/Source_Multiplayer_Networking#Lag_compensation
- https://developer.valvesoftware.com/wiki/Source_Multiplayer_Networking#Tips
- https://developer.valvesoftware.com/wiki/Latency_Compensating_Methods_in_Client/Server_In-game_Protocol_Design_and_Optimization#Game_Design_Implications_of_Lag_Compensation
- Console/server commands
- MOTD
Murmur Server
See:
- Mumble#Server.
- User:AdamT/Installation_Notes#ufw (for firewall).
- Wikipedia:Mumble_(software).
Consider:
- Forcing Opus usage in the configuration file.
When starting off it is important to first set the super user password on the server.
# murmurd -ini /etc/murmur.ini -supw "PASSWORD"
After that, the service can be enabled and started.
To be safe, be sure to connect to your server as the "SuperUser" user first with your assigned password.
If you have problems with the database, murmur's folders may need to be chowned as discussed here.
Handy commands
who
- see who is currently logged in (handy for a VPS).
whereis
- Find something on your system.
pacman -Rs
- Removes unwanted packages along with their unused dependencies.
RamNode KVM VPS peculiar configurations
See also
- Open a ticket to request CPU/Host pass-through: [25]
- Performance Tweaks: [26]
- Available Operating Systems: [27]
Windows USB Installation Media
Install winusb (AUR).
# winusb --format PATHTOISO PATHTODEVICE