User:AdamT/Installation Notes

From ArchWiki

This document consists of notes drawn from various sources, including the Installation Guide and the Beginners' Guide. The workflow below follows these official guides when feasible; however, whereas the official guides are intended for general application, this document outlines a specific installation and consequently has a narrower focus.

The focus of this document's installation is a fresh, single-boot desktop-orientated installation of Arch Linux that uses Btrfs throughout. At present, this document also focuses on BIOS-emulated booting in lieu of UEFI. Further, the focus here will be on Xfce, a specific Desktop Environment, and other specific applications. Adaptation or alternative solutions may be necessary to best fit specific needs.

Note: This document's intention is not to replace existing documentation. Specific ArchWiki articles will be linked and supplemental tips or notes will be provided. This document was specifically created as a store-house for installation notes and as a test-bed for learning Arch Wiki's best practices.
Tip: If at any point you do not understand what a command does, reference the relevant Man Page!

New Install TTD

Download

Tip:

Installation

Keyboard layout

Tip: Consider setting your console font as suggested in the "Beginners' Guide" link above.

Partition disks

Note: This document focuses on installing btrfs directly to one or more drives. As such, and in keeping with The Arch Way, no partitioning is needed! See Btrfs#Partitioning for potential caveats.

Format the partitions

Tip: Helpful commands to find drives:
  • lsblk
  • blkid
  • ls /dev/

Examples

# mkfs.btrfs -l 16384 /dev/sdX

Sanity check

btrfs filesystem show

Setup Btrfs

Examples
  • Enable skinny extents:
    • btrfstune -x /dev/sdX
  • Prepare for subvolumes
    • mkdir /mnt/btrfs-root
    • mount -t btrfs -o <OPTIONS> /dev/sdX /mnt/btrfs-root
    • Enable quotas prior to creating subvolumes: btrfs quota enable /mnt/btrfs-root
  • Create subvolumes
    • cd /mnt/btrfs-root
    • btrfs subvolume create root_subvolume
    • cd root_subvolume
    • btrfs subvolume create home
    • btrfs subvolume create var
    • btrfs subvolume create usr
Sanity check
btrfs subvolume list -p .

See also

Mount the partitions

Example:

# mkdir /mnt/btrfs-system
# mount -o subvol=root_subvolume,<OPTIONS> /dev/sdX /mnt/btrfs-system
Note: If mounting a Btrfs RAID array, only the first drive needs to be referenced in the mount command.

Connect to the internet

Tip: The available network interface cards (NICs) can be found in /sys/class/net/. In the sub-directories you can find information pertaining to any available NIC by using cat or nano.

Install the base system

Tip:
  • Install: reflector
  • reflector -a 2 -l 100 -f 10 --sort score --save /etc/pacman.d/mirrorlist
  • Check your work with cat /etc/pacman.d/mirrorlist | less.

Example:

# pacstrap /mnt/btrfs-system base base-devel grub ntp reflector

Configure the system

Note: This "Installation Guide" link covers the following subsections that are individually sectioned in the "Beginners' Guide".

Generate an fstab

Tip:
  • Suggested example: genfstab -Up /mnt/btrfs-system >> /mnt/btrfs-system/etc/fstab
  • Check your work: cat /mnt/btrfs-system/etc/fstab
  • Send a UUID to fstab: ls -l /dev/disk/by-uuid | grep sdX | gawk -F' ' '{ print $9 }' >> /etc/fstab

Chroot and configure the base system

Example:

# arch-chroot /mnt/btrfs-system

Locale

Time zone

Hardware clock

Tip:
  • Consider enabling ntp here with systemctl enable ntpd
  • If you dual boot and Windows ever messes up your hwclock see here to reset your hwclock to UTC and here to configure Windows to work with a UTC hwclock.

Console font and keymap

Suggested configuration:

# /etc/vconsole.conf
KEYMAP=dvorak
FONT=Lat2-Terminus16
FONT_MAP=8859-2

Create an initial ramdisk environment

Example
# /etc/mkinitcpio.conf
HOOKS="systemd autodetect modconf block filesystems keymap consolefont keyboard"

COMPRESSION=cat

Set the root password

Install Linux-ck

Tip:
  • Consider manually compiling the kernel for added customization and optimization.
  • If you delete or overwrite your pacman.conf file you can replace it from the archive file in /var/cache/pacman/pkg. See this thread for more information.
Note: If you are using RamNode or another VPS you may need to request CPU/Host pass-through before you can use the best optimizations for the VPS. The VPS will need to be restarted from the control panel before the effects take place.

See also

Install and configure a bootloader

Examples

# modprobe dm-mod
# grub-install --target=i386-pc --boot-directory=/boot --recheck --debug /dev/sda
Note: These steps may no longer be necessary. Verification is needed.
# mkdir -p /boot/grub/locale
# cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo
# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="verbose add_efi_memmap elevator=bfq"
Note: 40_custom allows the creation of custom GRUB entries and the loading of modules. This allows persistent customization in GRUB's scripted generation of grub.conf.
# /etc/grub.d/40_custom
insmod btrfs
Tip: For quick boot times, but an element of insurance see GRUB#Hide GRUB unless the Shift key is held down.

Check your grub file with cat /boot/grub/grub.cfg | less.

See also

Unmount and reboot

First exit your arch-chroot session. Now, make sure your file system has synced everything from primary storage (DDR SDRAM) to secondary storage (your installation drive(s)).

# btrfs filesystem sync /mnt/btrfs-root
# umount /mnt/btrfs-system
Tip: If you have made more than one mount point (for tmpfs, ramfs, or anything else) you can unmount them simultaneously so long as you do root by itself and last.
# umount /mnt/btrfs-system/{tmp,var/spool,var/log,home}

Cross your fingers and toes, and reboot!

Post-installation

Bring up internet

Temporary

# dhcpcd
# dhcpcd eth0
$ ping ramnode.com
Tip: The available network interface cards (NICs) can be found in /sys/class/net/; within it you will likely see eth0 or wlan0, or both, or neither. In those directories you can find information pertaining to any given NIC by using cat or nano.

Persistent server

Check hostname.

# echo "nameserver 208.67.222.222" >> /etc/resolv.conf && echo "nameserver 208.67.220.220" >> /etc/resolv.conf

for OpenDNS DNS resolving over local ISP or VPS provided DNS.

Tip: I recommend setting up your own caching, local DNS server at some point that uses OpenDNS (or another alternative) as its forwarders.
# cp /etc/netctl/examples/ethernet-dhcp /etc/netctl/ethernet0

Edit ethernet0 and uncomment IP6=stateless or IP6=dhcp for IPv6 networking.

# netctl enable ethernet0

Reboot to test.

Persistent desktop

You can use the same as the server section or NetworkManager depending on your preference. For NetworkManager install networkmanager network-manager-applet dhclient. See additional NetworkManager packages with pacman -Ss networkmanager.

# systemctl enable NetworkManager
# systemctl start NetworkManager

User management

# useradd -m -g users -G wheel USER
# chfn USER
# passwd USER

Sudo

Install sudo and bash-completion.

# VISUAL="/usr/bin/nano" visudo
# sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
...
##
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
...
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
  • Find the comment "Uncomment to allow members of group wheel to execute any command".
    • Uncomment the %wheel line below it.

Check your work with su -l USER, then attempt to run something like pacman -Sy and pacman -Su with and without sudo to test and verify. I recommend rebooting, logging in as your new user, and testing that you can do everything you need to do with sudo before proceeding.

Tip: You can use sudo !! to repeat the previous command but with sudo in front of it.

Lockout root logins

Warning: This is not recommended, but I like to do it anyway for security.
# passwd -l root

Arch Users Repository

Install yaourt (AUR) using AUR or their unofficial repository. Install desired optional dependencies.

Install namcap for automated AUR and other package checking via Yaourt.

Yaourt provides all in one support for Official Repositories, AUR, and ABS.

See also

Setup

Congratulations, you have progressed beyond the official installation guides and onto much deeper waters. Your system should be up and running, the basic post-installation tasks should be completed, and you are now ready to move on to more system-specific configurations.

Desktop

Sound

Install: pulseaudio paprefs pavucontrol pulseaudio-alsa.

If using multi-lib: lib32-libpulse lib32-alsa-plugins.

Note: If you have problems with sound consistently playing back, and receive an error about an invalid argument when attempting to play back in pianobar, you may need to edit your /etc/libao.conf file and remove the dev section and leave the driver as pulse. This may fail at first, but keep trying and check pavucontrol.
See also

Desktop environment

Note: You may wish to consider AUR options prior to installing the full group (with its dependencies).

Install: xfce4

Additional packages to consider: xfce4-weather-plugin xfce4-taskmanager xfce4-screenshooter xfce4-notifyd xfce4-artwork thunar-media-tags-plugin thunar-archive-plugin mousepad

Alternative file manager suggestion: SpaceFM

AUR Suggestions: xfce4-whiskermenu-plugin (AUR)

AUR Consideration: xfce4-session-light (AUR)

Multiple monitors

See NVIDIA#Multiple_monitors and my sample here: Xorg#Sample_configurations (NVIDIA, nvidia-ck, et cetera).

Suggest not using twinview or Xinerama. May need to disable compositing though. I configured through NVIDIA and then checked my work by editing the file. Save to home then # cp to /etc/X11/xorg.conf.d/10-monitor.conf.

Fonts

# /etc/pacman.conf
...
[infinality-bundle]
Server = http://ibn.net63.net/infinality-bundle/$arch

#[infinality-bundle-multilib] # Uncomment for multilib usage.
#Server = http://ibn.net63.net/infinality-bundle-multilib/$arch # Uncomment for multilib usage.
# pacman-key -r 962DDE58
# pacman-key --lsign-key 962DDE58

Refresh your repositories.

Install: infinality-bundle

Web browser

Install: firefox

Configure

Disable Firefox's blocking of web-forgeries and attack sites. This feature slows down Firefox's start-up and shut-down and takes up space for the database it maintains. This feature also relies on Google services.

  • delete urlclassifier*.sqlite files in your profile
    • ~/.mozilla/firefox/<PROFILE>/urlclassifier*.sqlite
  • While in your profile, in the terminal:
echo "" > urlclassifier*.sqlite
chmod 400 urlclassifier*.sqlite

Especially for SSDs it may prolong your drive's life to disable Firefox's disk cache.

  • about:config
    • Set browser.cache.disk.enable to false
    • Verify browser.cache.memory.enable is true
    • Set browser.cache.memory.max_entry_size to -1 for automatic memory usage
      • There is another similar memory flag that may also be set to -1 for automatic usage.

Optional: Profile Sync to Ram

  • Download from AUR
  • tar -xzf <make_package>
  • cd <package folder>
  • make -s
  • pacman -U <package>
  • systemctl enable psd psd-resync
  • (close firefox!) systemctl start psd psd-resync
See also

Xbmc

Install: xbmc

Suggested skin: Bello.

Pianobar

See: Pianobar

Aria2

Install: aria2

Usenet tools

Install desired Usenet tools from AUR.

SABnzbd+
Tip: Make sure your /etc/make.conf file is configured to your preferences. You may be able to edit this file to increase the optimizations that are applied to any packages you build from source (such as AUR and ABS packages).

Install: sabnzbd (AUR)

aria2c https://aur.archlinux.org/packages/sa/sabnzbd/sabnzbd.tar.gz

tar -xvzf sabnzbd.tar.gz

To enable SABnzbd+ to create folders, your chosen Downloads directory will need to be chmod'd to 777 (chmod 777 -R <DIRECTORY>).

Note: Similar permissions will likely need to be set for Sick Beard's completed folder and such. An alternative method can be found below (struck out).

I recommend changing the services and configuration file and changing the user name to your username (for easy writing to home dir).

  • edit /usr/lib/systemd/system/<program>.service to <USER>:<program> instead of default
  • chown /opt/<program> to <USER>:<program> instead of root:<program> or <program>:<program>

An alternative may be to create a dedicated folder for SABnzbd to use in your home directory and chown that to its user/group.

TICKR

Optional: ticker style syndicated news reader. Really neat. tickr (AUR)

Pipelight

Allows running Windows browser plugins in Wine to be used in native GNU/Linux browsers.

pipelight-git (AUR)

See also

Crossover

For dependencies install: lib32-glibc lib32-libic lib32-libx11 lib32-libsm lib32-gcc-libs lib32-libxext lib32-libpng lib32-freetype2 lib32-libpng12 lib32-lcms lib32-libxrandr lib32-nvidia-libgl lib32-nvidia-utils libtxc_dxtn lib32-libtxc_dxtn lib32-flashplugin flashplugin

See also

Steam

Server

Secure Shell

Install

Install openssh.

Harden
# nano /etc/ssh/sshd_config

Generate a random port number between 49152 and 65535 at Random.org's Integer service, replace the default SSH port with that number, and uncomment the line.

Uncomment PermitRootLogin and change to no.

Under the same # Authentication section add AllowUsers USER1 USER2

# nano /lib/systemd/system/sshd.socket

Change this to the new port number as generated and set above.

# cp /lib/systemd/system/sshd.socket /etc/systemd/system/sshd.socket
# systemctl enable sshd.socket
# systemctl start sshd.socket

Test locally with the command below, then by connecting from a remote system if feasible.

$ ssh -v localhost -p PORT -l USERNAME
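
An added example, not part of the original notes: a shell check that the sshd_config changes above are in place and that sshd.socket listens on the same port, since with socket activation the ListenStream value, not sshd's Port, decides which port is open. The function names, their arguments and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the sshd hardening steps described above.
# Function names, arguments and sample files are assumptions of this example.

# First uncommented value of KEYWORD in an sshd_config file
# (keywords are case-insensitive and the first occurrence wins).
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Port of the first non-empty ListenStream= in a systemd socket unit;
# accepts "PORT", "ADDR:PORT" and "[ADDR6]:PORT".
socket_port() {
    awk -F= '$1 == "ListenStream" && $2 != "" {
        n = split($2, a, ":"); print a[n]; exit }' "$1"
}

# check_ssh_hardening SSHD_CONFIG SSHD_SOCKET
# Prints one line per finding; returns 0 only when there are none.
check_ssh_hardening() {
    csh_bad=0
    csh_port=$(sshd_opt "$1" Port)
    csh_root=$(sshd_opt "$1" PermitRootLogin)
    csh_users=$(sshd_opt "$1" AllowUsers)
    csh_listen=$(socket_port "$2")
    case $csh_port in
        ''|*[!0-9]*)
            echo "Port is not set to a number (sshd default is 22)"; csh_bad=1 ;;
        *)
            if [ "$csh_port" -lt 49152 ] || [ "$csh_port" -gt 65535 ]; then
                echo "Port $csh_port is outside 49152-65535"; csh_bad=1
            fi ;;
    esac
    if [ "$csh_root" != "no" ]; then
        echo "PermitRootLogin is '${csh_root:-unset}', expected 'no'"; csh_bad=1
    fi
    if [ -z "$csh_users" ]; then
        echo "AllowUsers is not set, so no account is excluded"; csh_bad=1
    fi
    # With socket activation systemd owns the listening socket, so the
    # ListenStream port is the one that is really open.
    if [ "$csh_listen" != "$csh_port" ]; then
        echo "sshd.socket listens on '${csh_listen:-unset}', sshd_config says '${csh_port:-unset}'"
        csh_bad=1
    fi
    return "$csh_bad"
}

# Constructed sample files: DIR/good.conf, DIR/bad.conf, DIR/sshd.socket
make_ssh_samples() {
    printf '%s\n' '#Port 22' 'Port 50022' 'PermitRootLogin no' \
        'AllowUsers USER1 USER2' > "$1/good.conf"
    printf '%s\n' '#Port 22' '#PermitRootLogin yes' > "$1/bad.conf"
    printf '%s\n' '[Socket]' 'ListenStream=50022' 'Accept=yes' > "$1/sshd.socket"
}

demo_dir=$(mktemp -d)
make_ssh_samples "$demo_dir"
for f in good bad; do
    if check_ssh_hardening "$demo_dir/$f.conf" "$demo_dir/sshd.socket"
    then echo "$f.conf: OK"; else echo "$f.conf: needs attention"; fi
done
rm -rf "$demo_dir"
```

On a real system, call it as check_ssh_hardening /etc/ssh/sshd_config /etc/systemd/system/sshd.socket after making the edits and before restarting the socket.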

Harden server

TTD: http://wiki.centos.org/HowTos/OS_Protection go back through this link and update this guide. Cross reference with the Hardening Guides.

General Guidelines
  • Keep installed packages to a minimum.
  • Update regularly.
Physical security

For a VPS, disable VNC once you have SSH set up. Configure it to boot from the hard drive by default. With a VPS you are essentially surrendering your ability to control the physical protection of your server. Make sure to choose a good provider!

Filesystem permissions
# chmod 700 /boot /root /etc/iptables
Prevent root login at console
/etc/securetty
Temporary lockout after failed login attempts
# nano /etc/pam.d/system-login
Limiting su to wheel group
# nano /etc/pam.d/su

Uncomment the line following the comment "Uncomment the following line to require a user to be in the "wheel" group".

Harden TCP/IP stack
# /etc/sysctl.conf
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.

# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1

# Protection from the SYN flood attack. Matches Arch Wiki
net.ipv4.tcp_syncookies = 1

# See evil packets in your logs. Enabled as per Arch Wiki
net.ipv4.conf.all.log_martians = 1

# Never accept redirects or source routes (these are only useful for routers). Uncommented in as per Arch Wiki
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_source_route = 0

# Disable packet forwarding. Matches Arch Wiki
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Tweak the port range used for outgoing connections.
#net.ipv4.ip_local_port_range = 32768 61000

# Tweak those values to alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600

# Arch Wiki
net.ipv4.tcp_rfc1337 = 1
# Enable timestamps at gigabit speeds
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.send_redirects = 0
# CentOS Wiki says 0 here.
net.ipv4.conf.all.secure_redirects = 1

# CentOS Wiki
net.ipv4.tcp_max_syn_backlog = 1280
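
An added example, not part of the original notes: a shell audit that compares a sysctl.conf-style file with the values the kernel is actually running, which surfaces a misspelled key or a trailing comment that became part of a value. The function names, the optional second argument (an alternative root to read instead of /proc/sys) and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a sysctl.conf-style file with the running kernel.
# Function names and the sample tree are assumptions of this example.

# Print "key<TAB>value" for every setting. Only lines that START with '#'
# or ';' are comments, so text after a value stays part of the value.
sysctl_pairs() {
    awk '/^[ \t]*[#;]/ || /^[ \t]*$/ { next }
         { i = index($0, "="); if (!i) next
           k = substr($0, 1, i - 1); v = substr($0, i + 1)
           gsub(/[ \t]/, "", k)
           sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
           print k "\t" v }' "$1"
}

# audit_sysctl CONF [PROCROOT]
# Prints one line per finding; returns 0 only when every key exists under
# PROCROOT (default /proc/sys) and already holds the configured value.
audit_sysctl() {
    as_root=${2:-/proc/sys}
    as_bad=0
    as_tab=$(printf '\t')
    while IFS=$as_tab read -r as_key as_want; do
        if [ -z "$as_key" ]; then continue; fi
        as_path=$as_root/$(printf '%s' "$as_key" | tr . /)
        if [ ! -f "$as_path" ]; then
            echo "$as_key: no such kernel parameter"; as_bad=1
            continue
        fi
        # Collapse tabs and spaces so multi-value entries compare cleanly.
        as_have=$(awk '{ $1 = $1; print; exit }' "$as_path")
        if [ "$as_have" != "$as_want" ]; then
            echo "$as_key: running '$as_have', file says '$as_want'"; as_bad=1
        fi
    done <<EOF
$(sysctl_pairs "$1")
EOF
    return "$as_bad"
}

# Constructed sample: a fake /proc/sys tree plus a config with two mistakes.
make_sysctl_samples() {
    mkdir -p "$1/proc/net/ipv4"
    echo 1 > "$1/proc/net/ipv4/tcp_syncookies"
    echo 0 > "$1/proc/net/ipv4/tcp_rfc1337"
    echo 1 > "$1/proc/net/ipv4/tcp_timestamps"
    printf '32768\t60999\n' > "$1/proc/net/ipv4/ip_local_port_range"
    printf '%s\n' '# constructed sample' \
        'net.ipv4.tcp_syncookies = 1' \
        'net.ipv4.tpc_rfc1337 = 1' \
        'net.ipv4.tcp_timestamps = 0 # trailing comment' \
        'net.ipv4.ip_local_port_range = 32768 60999' > "$1/sysctl.conf"
}

demo=$(mktemp -d)
make_sysctl_samples "$demo"
audit_sysctl "$demo/sysctl.conf" "$demo/proc" || echo "fix the findings above"
rm -rf "$demo"
```

Run audit_sysctl /etc/sysctl.conf after a reboot to confirm that every hardening value was really applied.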

See also

ufw

Install: ufw.

# ufw default deny
/etc/ufw/applications.d/ufw-custom
[SSH-Custom]
title=SSH
description=Secure Shell Server
# Generate a random integer from Random.com or elsewhere (/dev/(u)random)
ports=XXXX/tcp
# ufw allow SSH-Custom
Warning: Be super sure here if you are working on a remote system or have critical remote connections coming in!
# ufw enable
# systemctl enable ufw.service
Note: Existing connections will likely be lost here, but if properly configured they should be able to be re-established shortly thereafter.
# ufw status
# ufw limit SSH-Custom
Note: I enable limiting SSH later on just to make sure that it does not get in the way of attempting to connect to SSH after enabling ufw. This is probably silly, but to be safe.
Tip: Both the man page and the Arch Wiki article are very well written for this program. Be sure to make use of them both.
See also

Hiawatha webserver

Install
  1. polarssl (AUR)
  2. hiawatha (AUR)
  3. php-fpm

See also

  • Developer's how-to: [6]

Team Fortress 2 Dedicated Server

Multilib Repository

Edit /etc/pacman.conf and uncomment in the multilib repository (include its heading!). See also Multilib.

Dependencies

Install lib32-gcc-libs

SteamCMD

SteamCMD is a command line version of the Steam client. To download, this link should be persistent, if not see here.

Extract and copy the contents to the directory you want to store it in. For ease of use I just used a hidden folder in my home directory for now.

Execute: ./steamcmd.sh or sh steamcmd.sh.

Login: login anonymous

Download Team Fortress 2 Dedicated Server

In SteamCMD, after logging in install the Team Fortress 2 dedicated server:

S* force_install_dir /home/<USER>/.tf2
S* app_update 232250 validate

I ran into some errors first off here which were resolved by changing the permissions on my home directory (recursively) to 755 (chmod 755 -R /home/<USER>).

You may need to repeat the update command above until you get it completed.

Once you get a Success! App '232250' fully installed consider running the command again just to verify the installation once more.

Configure TF2
~/.tf2/tf/cfg
hostname "Your_Servers_Name"
rcon_password "Your_Rcon_Password"
sv_contact "admin@yourdomain.com"
mp_timelimit "30"

Run under screen? See here

Launch Server

From .tf2,

srcds_run -game tf +sv_pure 2 +maxplayers 24
Modifications
Tip: Before moving on to modifications consider having a very solid server.cfg file and understanding SteamCMD's output when you launch your server!

SourceMod is our focus here. AMXmodx is another consideration, but sourcemod seems to be the more popular one and the better maintained one. SourceMod is technically a plugin for Metamod:Source. As such, this also needs to be installed.

Get the latest release's download URL from here (use the wget one).

Change into .tf2/tf and then download:

$ aria2c http://mirror.capturetheprize.com/mmsource-X.XX.X-linux.tar.gz

Extract:

$ tar -xvzf mmsource-X.XX.X-linux.tar.gz

You should now have addons/ folders.

Launch your server and see if meta list provides an output (or just meta).

For Sourcemod you essentially need to rinse and repeat. Get the download from here. Extract Sourcemod in the same folder as you did for Metamod. The archive will have the folder paths set relative to that same folder.

Begin to configure: ~/.tf2/tf/cfg/sourcemod/sourcemod.cfg is a good place to start. See links below for more information.

To extract .gz (no tar) use gunzip -c ARCHIVE > EXTRACTEDFILENAME.

SourceMod plugins will often (if not always) have their own configuration file that should be used over the server.cfg.

Tip: Consider adding commented out (//) notes about all your plugins in your server.cfg so you have a quick and easy reference and reminder!
TTD
  1. Configure automatic updates for steamcmd, tf2 server, and plugins.
    • Verify all mods are up-to-date.
    • May require scheduled reboots of server (probably good idea anyway).
  2. Add mod for more robust score keeping and replace default scores with it.
    • Setup shell or something so tf2 server can be ran without needing separate ssh session.
See also
  1. http://www.sourcemod.net/about.php
  2. http://www.amxmodx.org/
  3. http://www.sourcemm.net/
Firewall

See here. 27015 default TF2 port. May change this. More info

Hardening

See [7] and [8].

See also

Murmur Server

See:

  1. Mumble#Server.
  2. User:AdamT/Installation_Notes#ufw (for firewall).
  3. Wikipedia:Mumble_(software).

Consider:

When starting off it is important to first set the super user password on the server.

# murmurd -ini /etc/murmur.ini -supw "PASSWORD"

After that, the service can be enabled and started.

To be safe, be sure to connect to your server as the "SuperUser" user first with your assigned password.

If you have problems with the database, murmur's folders may need to be chowned as discussed here.

Handy commands

  • who
    • see who is currently logged in (handy for a VPS).
  • whereis
    • Find something on your system.
  • pacman -Rs
    • Removes unwanted packages along with their unused dependencies.

RamNode KVM VPS peculiar configurations

See also

  • Open a ticket to request CPU/Host pass-through: [25]
  • Performance Tweaks: [26]
  • Available Operating Systems: [27]

Windows USB Installation Media

Install winusb (AUR).

# winusb --format PATHTOISO PATHTODEVICE