Arch Linux as a Production Server?

Is it possible? Does archlinux secure enough? Does she have all the tools needed for such comparing to distros like RH/Centos?

kth5 and mucknert: Your point about the quality of the admin is mostly wrong. In a tiny mom and pop business with only a few machines a skilled admin may be able to get by without a support contract. But in a corporate environment where your IT infrastructure must be up at all times or your business loses money that isn't possible.
I know a couple admins who mentored me early in my career. They've been doing Unix admin for 12+ years each. They can command bill rates over $150 per hour and never are out of a job because companies fight over who gets to hire them. When I've been on job interviews and the interviewer sees my references sheet almost every IT person in my city knows them and considers them the best in the field.
And they would never use a server in a production environment without a support contract.
A support contract isn't there to hold your hand and help you do your job. It is there for when things are broken that you can't possibly fix on your own. And I don't want to hear any B.S. like "I have the source, I can fix anything!". If your server is really production whether you could eventually fix it on your own doesn't matter. You don't have time to do that since every hour of downtime is costing your boss more than you make in a month. If not, that isn't a real production server. You need to get on the phone with the vendor NOW and have a fix as soon as possible - not post to some mailing list and wait for help.
Also consider, nobody in the "community" is responsible for fixing your problem. They may offer help, but it is on a volunteer basis and you have no guarantees as to the quality or speed of response for whatever help you get. But if you buy support contracts the seller of it is responsible. If they don't live up to their support agreements it costs them huge money. I've seen a case where a storage vendor's tech make a mistake that cost my company a few extra hours of downtime on a critical application. To make up for it they gave us $40,000 worth of free hardware so we wouldn't get pissed and take our business elsewhere. This is a very good incentive for them to not make such mistakes in the future. If some dude on a mailing list says "try this" and it wecks your machine what recourse do you have?
Final point - I'll buy your comment about "good admins don't need a support contract" if you agree that "good admins never need to post a question asking for help". Nobody knows everything - the only difference we're talking about is where you get your help from. When it comes to a production server, it only makes sense to get it from a support contract where there are service level guarantees and penalties for the vendor if they don't fix your problem in a timely manner. If you don't need that, your server wasn't production in the first place.

Similar Messages

Arch linux support various server types?

Im new to linux and Arch is my first linux distro.
my question is does arch linux can be function as server ( like http, ftp, smtp, ssh, samba, etc)
and if so, where can i get guide(or instruction) to setting up the server?
(looked at Wiki tab but couldnt find one)
thank you

For a small server, I think arch will work fine. It's rolling release system and lack of distro-specific patches can make it a little more difficult to maintain in my opinion, but as long as it's nothing production grade you'll be fine.
Arch is a good platform to learn linux since it really emphasizes doing everything by hand, you get to learn your system as you build it. And your end product is only what you wanted, not what the distro maintainer envisioned you wanted.
Last edited by Aaron (2008-05-14 03:31:18)

Arch as production server

Hi,
can you recommend Archlinux as production server? I really like all the cutting-edge technologies.. But I had problems with Arch on my VPS (after-update kind) and I'm not sure if they are caused by Arch or by OpenVZ.. But production server simply cannot be down for a few hours simply because I ran "pacman -Syyu"..
So I am considering both Arch or SL6..
Thanks for your opinions ^_^

The main reason that I see for not using archlinux on a production server is that in a production server applications cannot get major upgrades automatically. Arch doesn't follow this. In example, the python command one day changed from python2 to python3. This kind of sutff can't happen in a production server unless explicity requested.
On the other hand, this is also one thing that I like about ArchLinux, because it "enforces" you to stay up to date about newer version of all kind of stuff, making it your way of living to be familiar with present day technologies (or future technologies in case of most production servers).

Arch Linux as a server: advantages and disadvantages?

Hello,
I am about to create a hosting server for a great number of websites. Since i never actually did it myself it will be relatively new to me. For that reason I want to use Arch distro because I like it, understand it and have most experience with it.
I wanted to hear opinions why Arch is suitable and why not for a server machine. Also, maybe someone could recommend other distros that are better fit for the job (provided there are any)
Thanks!
Last edited by Tsynique (2010-11-12 16:16:32)

Short: CentOS is a pretty popular choice but I have no experience with it. You will need to make sure you have the latest security updates while also making sure that your keeping a good availability(up time), which could be a problem with Arch Linux.
Long: Security updates and system up time/availability. Making sure you have the latest security updates may effect your server's availability. This can be a problem if you have paying clients as the updates may break stuff. Arch Linux doesn't have an official security team but there are some community efforts underway. Take a look at the wiki under security, firewalls and sysctl.conf hardening. Also keep your eye are ArchServer. I use Arch Linux on my VPS but its only been for hobby stuff so far. As I've been getting closer to relying on my website professionally I've been considering changing to a different dist. of Linux; the problem is I'm most familiar with Arch Linux, don't want to go back to Slackware and I'm not happy with the way Ubuntu does certain things[init system, sudo/root setup](I maintain an Ubuntu LAMP setup for our Intranet).

X server won't start (Arch Linux installed on USB key)

Hi,
I installed Arch Linux on a USB key (see the original thread: https://bbs.archlinux.org/viewtopic.php?id=185441).
The problem is that X doesn't start on all machines.
When starting the system on a machine with NVIDIA GTX 560Ti graphics card:
- X doesn't start using startx or xinit and there are no log entries in /var/log/Xorg.*.log (as I haven't tried to start X).
- I'm getting the message "Waiting for X server to begin accepting connections .. .. .. ..".
- Additionally: The "default terminals tty1/2/3/..." (which I'm using to start X) from have a poor resolution (I think 640x480 pixel).
When starting the system on a virtual machine or a machine with an ATI Radeon (mobile) graphics card:
- X starts and runs without any trouble the XFCE desktop environment.
- Additionally: The default terminals have a proper resolution (I think the maximal resolution of the display).
What happens if you uninstall nvidia and use nouveau?
I installed all video drivers recommended here: https://wiki.archlinux.org/index.php/In … eo_drivers
So I was using nouveau in the first place. I already tried to uninstall the open source driver (xf86-video-nouveau, nouveau-dri) to use the default driver (I think this is xf86-video-vesa) with no effect.
The poor tty resolution is to be expected if the closed-source nvidia drivers are installed, because they don't support KMS.
I have never tried to install the proprietary driver (and actually don't want to use the proprietary driver).
Also have you looked in /etc/X11 ?
Yes. I don't think that my configuration contains anything preventing X from starting using the NVIDIA graphics card (but I'm not sure what to look for).
I'm starting X using "startx" or "xinit -- :0 -nolisten tcp vt$XDG_VTNR". Here's my ~/.xinitrc:
if [ -d /etc/X11/xinit/xinitrc.d ]; then
for f in /etc/X11/xinit/xinitrc.d/*; do
[ -x "$f" ] && . "$f"
done
unset f
fi
exec startxfce4
Last edited by The Infinity (2014-08-14 21:17:41)

I figured out where the problem comes from. It is actually the screen (which has a resolution of 1920x1080 pixel). When using a screen (with a smaller resolution) I'm getting a decent resolution in the terminal and - more imporant - X starts and seems to use the Nouveau driver (which I have installed again). When plugging my normal screen again (while X is running) I'm able to use this screen with the maximum resolution without problems (so only starting with this screen does not work). Now I have a reference point to fix the problem.
The other thread might be interesting as well.
Last edited by The Infinity (2014-08-17 02:36:57)

Setting up an Arch Linux server

I apologize if this is in the wrong topic. Anyways I am vary new to arch linux and linux in general, and I need to set up a server to host a website. It will be fairly small with low traffic.
I followed the guide on the wiki to install and configure LAMP, but after that I have no idea what to do. I was looking for someone to at least point me in the right direction.
I should also note the website I want to host is already created.
Last edited by zanandan (2013-07-17 15:51:07)

Woah woah, I'm sure lighttpd is a fine piece of software, but it sounds like zanandan already has his server completely setup.
zanandan wrote:How do I set it up to be a normal www. webpage?
What URL did you purchase or sign up to use? If you don't have one, you will need to get one from a domain name registrar.
You then tell the registrar to point your new "zanandan.com" website to point to the IP address that is given to your router from your Internet service provider (see http://www.whatismyip.com/). You then configure your router to send all HTTP traffic (port 80) directly to the IP address for your server (it probably looks like 192.168.###.###). You now have a website accessible from anywhere.
Be warned, though: Many Internet service providers send a new random IP address to your router every few days, so I have a service ("ddclient") that automatically updates my URL with my new IP address every so often.
I use http://dyn.com/dns/ for my free domain name.

Arch Linux Server Problem

Hello everyone,
Alright, so I have Arch Linux installed on my Toshiba laptop. I wanted to test using a Linux box as a Minecraft Server. I have everything setup correctly. After I run the shell script to launch the server, everything seems to load fine, just like it did in Win 7 (I have Arch and Win 7 dual-booted). After I go to join the server on the host PC, and a different one, it hangs on 'Connecting to server'. Now, in Windows, it will log right into the server, on port 25565. On Arch, it hangs on 'Connecting to server'. I was wondering if Arch Linux blocks ports by default. This is probably a stupid question, hence the category, but Google couldn't help me this time. By the way, here is the guide I followed to setup my server:
http://wiki.bukkit.org/Setting_up_a_server#Linux .
I know I have my ports forwarded. Any suggestions? Thanks in advance.

Does anything interesting appear in the Minecraft server's output? I am running a Minecraft server just fine and it was literally just a case of downloading the jar, making a server.properties file, and running the jar. No extra configuration was done.

[SOLVED] 3d Acceleration on Arch Linux guest

I've just installed the latest FTP Arch Linux (2009.02) as a Guest running in Virtual Box 3.0.2 in my Windows 7 host, and I cannot get Xorg working at all.
- 3D Acceleration is enabled for the VM, and 128MB of video memory allocated
- Guest Additions were installed successfully, added rc.vboxadd to daemons, and everything loads ok on startup.
Output of 'dmesg | grep vbox':
vboxadd: Successfully loaded version 3.0.2 (interface 0x0010004)
vboxvfs: Successfully loaded version 3.0.2 (interface 0x0010004)
[drm] Initialized vboxvideo 1.0.0 20090303 for 0000:00:02.0 on minor 0
Here is my .xinitrc:
/usr/bin/VBoxClient-all
I've symlinked vboxvideo_dri.so since the installer didn't do it.
Output of 'ls -l /usr/lib/xorg/modules/dri/vboxvideo_dri.so':
lrwxrwxrwx 1 root root 19 2009-07-31 22:42 /usr/lib/xorg/modules/dri/vboxvideo_dri.so -> /usr/lib/VBoxOGL.so
And error when I run 'startx':
(EE) AIGLX error: dlopen of /usr/lib/xorg/modules/dri/vboxvideo_dri.so failed (libXcomposite.so.1: cannot open shared object file: No such file or directory)
(EE) AIGLX: reverting to software rendering
waiting for X server to shut down
And then it shuts down, without even trying to load swrast_dri.so. But the weirdest part is, that symlink exists, but X is saying it doesn't! I've restarted the VM and still get the same error.
Here is my xorg.conf (created by installing GA), and I do have HAL up and running, loaded before the rc.vboxadd daemon:
# Default xorg.conf for Xorg 1.5+ without PCI_TXT_IDS_PATH enabled.
# This file was created by VirtualBox Additions installer as it
# was unable to find any existing configuration file for X.
Section "Device"
Identifier "VirtualBox Video Card"
Driver "vboxvideo"
EndSection
So... what next?
Last edited by timmahcheese (2009-08-03 15:20:55)

Silly me, I forgot the libxcomposite package. I guess I should read the errors closer.
Anyway, I'm still getting an error (signal 11) being caused by VBoxClient-all. Here is my Xorg.0.log:
X.Org X Server 1.6.2
Release Date: 2009-7-7
X Protocol Version 11, Revision 0
Build Operating System: Linux 2.6.30-ARCH i686
Current Operating System: Linux obi-wan 2.6.30-ARCH #1 SMP PREEMPT Mon Jul 20 11:20:32 UTC 2009 i686
Build Date: 18 July 2009 08:27:13PM
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/Xorg.0.log", Time: Sun Aug 2 23:20:02 2009
(==) Using config file: "/etc/X11/xorg.conf"
(==) No Layout section. Using the first Screen section.
(==) No screen section available. Using defaults.
(**) |-->Screen "Default Screen Section" (0)
(**) | |-->Monitor "<default monitor>"
(==) No device specified for screen "Default Screen Section".
Using the first device section listed.
(**) | |-->Device "VirtualBox Video Card"
(==) No monitor specified for screen "Default Screen Section".
Using a default monitor configuration.
(==) Automatically adding devices
(==) Automatically enabling devices
(WW) The directory "/usr/share/fonts/Type1" does not exist.
Entry deleted from font path.
(==) FontPath set to:
/usr/share/fonts/misc,
/usr/share/fonts/100dpi:unscaled,
/usr/share/fonts/75dpi:unscaled,
/usr/share/fonts/TTF,
built-ins
(==) ModulePath set to "/usr/lib/xorg/modules"
(II) Cannot locate a core pointer device.
(II) Cannot locate a core keyboard device.
(II) The server relies on HAL to provide the list of input devices.
If no devices become available, reconfigure HAL or disable AllowEmptyInput.
(II) Loader magic: 0x7a40
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 5.0
X.Org XInput driver : 4.0
X.Org Server Extension : 2.0
(II) Loader running on linux
(--) using VT number 7
(--) PCI:*(0:0:2:0) 80ee:beef:0000:0000 InnoTek Systemberatung GmbH VirtualBox Graphics Adapter rev 0, Mem @ 0xe0000000/134217728
(WW) Open ACPI failed (/var/run/acpid.socket) (No such file or directory)
(II) No APM support in BIOS or kernel
(II) System resource ranges:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[b]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[b]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[b]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[b]
[4] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[b]
[5] -1 0 0x00000000 - 0x00000000 (0x1) IX[b]
(II) LoadModule: "extmod"
(II) Loading /usr/lib/xorg/modules/extensions//libextmod.so
(II) Module extmod: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: "dbe"
(II) Loading /usr/lib/xorg/modules/extensions//libdbe.so
(II) Module dbe: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: "glx"
(II) Loading /usr/lib/xorg/modules/extensions//libglx.so
(II) Module glx: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
ABI class: X.Org Server Extension, version 2.0
(==) AIGLX enabled
(II) Loading extension GLX
(II) LoadModule: "record"
(II) Loading /usr/lib/xorg/modules/extensions//librecord.so
(II) Module record: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.13.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension RECORD
(II) LoadModule: "dri"
(II) Loading /usr/lib/xorg/modules/extensions//libdri.so
(II) Module dri: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension XFree86-DRI
(II) LoadModule: "dri2"
(II) Loading /usr/lib/xorg/modules/extensions//libdri2.so
(II) Module dri2: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.1.0
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DRI2
(II) LoadModule: "vboxvideo"
(II) Loading /usr/lib/xorg/modules/drivers//vboxvideo_drv.so
(II) Module vboxvideo: vendor="Sun Microsystems, Inc."
compiled for 1.5.99.901, module version = 1.0.1
Module class: X.Org Video Driver
ABI class: X.Org Video Driver, version 5.0
(II) VBoxVideo: guest driver for VirtualBox: vbox
(II) Primary Device is: PCI 00@00:02:0
(II) resource ranges after xf86ClaimFixedResources() call:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[b]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[b]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[b]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[b]
[4] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[b]
[5] -1 0 0x00000000 - 0x00000000 (0x1) IX[b]
(II) resource ranges after probing:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[b]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[b]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[b]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[b]
[4] 0 0 0x000a0000 - 0x000affff (0x10000) MS[b]
[5] 0 0 0x000b0000 - 0x000b7fff (0x8000) MS[b]
[6] 0 0 0x000b8000 - 0x000bffff (0x8000) MS[b]
[7] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[b]
[8] -1 0 0x00000000 - 0x00000000 (0x1) IX[b]
[9] 0 0 0x000003b0 - 0x000003bb (0xc) IS[b]
[10] 0 0 0x000003c0 - 0x000003df (0x20) IS[b]
(II) VBoxVideo(0): VirtualBox guest additions video driver version 3.0.2
(II) Loading sub module "vbe"
(II) LoadModule: "vbe"
(II) Loading /usr/lib/xorg/modules//libvbe.so
(II) Module vbe: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.1.0
ABI class: X.Org Video Driver, version 5.0
(II) Loading sub module "int10"
(II) LoadModule: "int10"
(II) Loading /usr/lib/xorg/modules//libint10.so
(II) Module int10: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
ABI class: X.Org Video Driver, version 5.0
(II) VBoxVideo(0): initializing int10
(II) VBoxVideo(0): Primary V_BIOS segment is: 0xc000
(II) VBoxVideo(0): VESA BIOS detected
(II) VBoxVideo(0): VESA VBE Version 2.0
(II) VBoxVideo(0): VESA VBE Total Mem: 131072 kB
(II) VBoxVideo(0): VESA VBE OEM: VirtualBox VBE BIOS http://www.virtualbox.org/
(II) VBoxVideo(0): VESA VBE OEM Software Rev: 0.2
(II) VBoxVideo(0): VESA VBE OEM Vendor: Sun Microsystems, Inc.
(II) VBoxVideo(0): VESA VBE OEM Product: VirtualBox VBE Adapter
(II) VBoxVideo(0): VESA VBE OEM Product Rev: Sun VirtualBox Version 3.0.2
(II) Loading sub module "ramdac"
(II) LoadModule: "ramdac"
(II) Module "ramdac" already built-in
(II) Loading sub module "fb"
(II) LoadModule: "fb"
(II) Loading /usr/lib/xorg/modules//libfb.so
(II) Module fb: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
ABI class: X.Org ANSI C Emulation, version 0.4
(II) Loading sub module "shadowfb"
(II) LoadModule: "shadowfb"
(II) Loading /usr/lib/xorg/modules//libshadowfb.so
(II) Module shadowfb: vendor="X.Org Foundation"
compiled for 1.6.2, module version = 1.0.0
ABI class: X.Org ANSI C Emulation, version 0.4
(II) VBoxVideo(0): Creating default Display subsection in Screen section
"Default Screen Section" for depth/fbbpp 24/32
(==) VBoxVideo(0): Depth 24, (--) framebuffer bpp 32
(II) VBoxVideo(0): Output VBOX1 has no monitor section
(II) VBoxVideo(0): The maximum supported resolution is currently 32000x32000
(II) VBoxVideo(0): Output VBOX1 has no monitor section
(II) VBoxVideo(0): Output VBOX1 connected
(II) VBoxVideo(0): Using exact sizes for initial modes
(II) VBoxVideo(0): Output VBOX1 using initial mode 1024x768
(==) VBoxVideo(0): RGB weight 888
(==) VBoxVideo(0): Default visual is TrueColor
(==) VBoxVideo(0): Using gamma correction (1.0, 1.0, 1.0)
(==) VBoxVideo(0): DPI set to (96, 96)
(II) Loading sub module "dri"
(II) LoadModule: "dri"
(II) Reloading /usr/lib/xorg/modules/extensions//libdri.so
(--) Depth 24 pixmap format is 32 bpp
(II) do I need RAC? No, I don't.
(II) resource ranges after preInit:
[0] -1 0 0xffffffff - 0xffffffff (0x1) MX[b]
[1] -1 0 0x000f0000 - 0x000fffff (0x10000) MX[b]
[2] -1 0 0x000c0000 - 0x000effff (0x30000) MX[b]
[3] -1 0 0x00000000 - 0x0009ffff (0xa0000) MX[b]
[4] 0 0 0x000a0000 - 0x000affff (0x10000) MS[b]
[5] 0 0 0x000b0000 - 0x000b7fff (0x8000) MS[b]
[6] 0 0 0x000b8000 - 0x000bffff (0x8000) MS[b]
[7] -1 0 0x0000ffff - 0x0000ffff (0x1) IX[b]
[8] -1 0 0x00000000 - 0x00000000 (0x1) IX[b]
[9] 0 0 0x000003b0 - 0x000003bb (0xc) IS[b]
[10] 0 0 0x000003c0 - 0x000003df (0x20) IS[b]
(==) VBoxVideo(0): Default visual is TrueColor
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is 10, (OK)
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is 10, (OK)
drmOpenByBusid: Searching for BusID pci:0000:00:02.0
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is 10, (OK)
drmOpenByBusid: drmOpenMinor returns 10
drmOpenByBusid: drmGetBusid reports pci:0000:00:02.0
(II) [drm] DRM interface version 1.3
(II) [drm] DRM open master succeeded.
(II) VBoxVideo(0): [drm] Using the DRM lock SAREA also for drawables.
(II) VBoxVideo(0): [drm] framebuffer handle = 0xe0000000
(II) VBoxVideo(0): [drm] added 1 reserved context for kernel
(II) VBoxVideo(0): X context handle = 0x1
(II) VBoxVideo(0): [drm] installed DRM signal handler
(II) VBoxVideo(0): visual configurations initialized
(==) VBoxVideo(0): Backing store disabled
(II) VBoxVideo(0): RandR 1.2 enabled, ignore the following RandR disabled message.
(II) VBoxVideo(0): DPMS enabled
(II) VBoxVideo(0): The VBox video extensions are now enabled.
(II) VBoxVideo(0): [DRI] installation complete
(--) RandR disabled
(II) Initializing built-in extension Generic Event Extension
(II) Initializing built-in extension SHAPE
(II) Initializing built-in extension MIT-SHM
(II) Initializing built-in extension XInputExtension
(II) Initializing built-in extension XTEST
(II) Initializing built-in extension BIG-REQUESTS
(II) Initializing built-in extension SYNC
(II) Initializing built-in extension XKEYBOARD
(II) Initializing built-in extension XC-MISC
(II) Initializing built-in extension SECURITY
(II) Initializing built-in extension XINERAMA
(II) Initializing built-in extension XFIXES
(II) Initializing built-in extension RENDER
(II) Initializing built-in extension RANDR
(II) Initializing built-in extension COMPOSITE
(II) Initializing built-in extension DAMAGE
(II) AIGLX: Screen 0 is not DRI2 capable
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is 11, (OK)
drmOpenByBusid: Searching for BusID pci:0000:00:02.0
drmOpenDevice: node name is /dev/dri/card0
drmOpenDevice: open result is 11, (OK)
drmOpenByBusid: drmOpenMinor returns 11
drmOpenByBusid: drmGetBusid reports pci:0000:00:02.0
(II) Next line is added to allow vboxvideo_drv.so to appear as whitelisted driver
(II) The file referenced, is *NOT* loaded
(II) Loading /usr/lib/xorg/modules/drivers//ati_drv.so
(EE) AIGLX error: vboxvideo does not export required DRI extension
(EE) AIGLX: reverting to software rendering
(II) AIGLX: Loaded and initialized /usr/lib/xorg/modules/dri/swrast_dri.so
(II) GLX: Initialized DRISWRAST GL provider for screen 0
(II) VBoxVideo(0): Setting screen physical size to 270 x 203
(II) config/hal: Adding input device Macintosh mouse button emulation
(II) LoadModule: "evdev"
(II) Loading /usr/lib/xorg/modules/input//evdev_drv.so
(II) Module evdev: vendor="X.Org Foundation"
compiled for 1.6.1, module version = 2.2.2
Module class: X.Org XInput Driver
ABI class: X.Org XInput driver, version 4.0
(**) Macintosh mouse button emulation: always reports core events
(**) Macintosh mouse button emulation: Device: "/dev/input/event0"
(II) Macintosh mouse button emulation: Found 3 mouse buttons
(II) Macintosh mouse button emulation: Found x and y relative axes
(II) Macintosh mouse button emulation: Configuring as mouse
(**) Macintosh mouse button emulation: YAxisMapping: buttons 4 and 5
(**) Macintosh mouse button emulation: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
(II) XINPUT: Adding extended input device "Macintosh mouse button emulation" (type: MOUSE)
(**) Macintosh mouse button emulation: (accel) keeping acceleration scheme 1
(**) Macintosh mouse button emulation: (accel) filter chain progression: 2.00
(**) Macintosh mouse button emulation: (accel) filter stage 0: 20.00 ms
(**) Macintosh mouse button emulation: (accel) set acceleration profile 0
(II) config/hal: Adding input device ImExPS/2 Generic Explorer Mouse
(**) ImExPS/2 Generic Explorer Mouse: always reports core events
(**) ImExPS/2 Generic Explorer Mouse: Device: "/dev/input/event5"
(II) ImExPS/2 Generic Explorer Mouse: Found 5 mouse buttons
(II) ImExPS/2 Generic Explorer Mouse: Found x and y relative axes
(II) ImExPS/2 Generic Explorer Mouse: Found scroll wheel(s)
(II) ImExPS/2 Generic Explorer Mouse: Configuring as mouse
(**) ImExPS/2 Generic Explorer Mouse: YAxisMapping: buttons 4 and 5
(**) ImExPS/2 Generic Explorer Mouse: EmulateWheelButton: 4, EmulateWheelInertia: 10, EmulateWheelTimeout: 200
(II) XINPUT: Adding extended input device "ImExPS/2 Generic Explorer Mouse" (type: MOUSE)
(**) ImExPS/2 Generic Explorer Mouse: (accel) keeping acceleration scheme 1
(**) ImExPS/2 Generic Explorer Mouse: (accel) filter chain progression: 2.00
(**) ImExPS/2 Generic Explorer Mouse: (accel) filter stage 0: 20.00 ms
(**) ImExPS/2 Generic Explorer Mouse: (accel) set acceleration profile 0
(II) config/hal: Adding input device AT Translated Set 2 keyboard
(**) AT Translated Set 2 keyboard: always reports core events
(**) AT Translated Set 2 keyboard: Device: "/dev/input/event1"
(II) AT Translated Set 2 keyboard: Found keys
(II) AT Translated Set 2 keyboard: Configuring as keyboard
(II) XINPUT: Adding extended input device "AT Translated Set 2 keyboard" (type: KEYBOARD)
(**) Option "xkb_rules" "evdev"
(**) Option "xkb_model" "evdev"
(**) Option "xkb_layout" "us"
(II) config/hal: Adding input device VirtualBox Guest Service
(II) LoadModule: "vboxmouse"
(II) Loading /usr/lib/xorg/modules/input//vboxmouse_drv.so
(II) Module vboxmouse: vendor="Sun Microsystems Inc."
compiled for 0.0.0, module version = 1.0.0
Module class: X.Org XInput Driver
ABI class: X.Org XInput driver, version 4.0
(**) VirtualBox Guest Service: always reports core events
(**) VirtualBox Guest Service: Device: "/dev/vboxadd"
(II) XINPUT: Adding extended input device "VirtualBox Guest Service" (type: MOUSE)
(**) VirtualBox Guest Service: (accel) keeping acceleration scheme 1
(**) VirtualBox Guest Service: (accel) filter chain progression: 2.00
(**) VirtualBox Guest Service: (accel) filter stage 0: 20.00 ms
(**) VirtualBox Guest Service: (accel) set acceleration profile 0
(**) VirtualBox Guest Service: Mouse Integration associated with screen 0
(II) VirtualBox Guest Service: On.
Backtrace:
0: /usr/bin/X(xorg_backtrace+0x3b) [0x813154b]
1: /usr/bin/X(xf86SigHandler+0x9e) [0x80cacee]
2: [0xb8008400]
3: /usr/bin/X(Dispatch+0x80) [0x808c350]
4: /usr/bin/X(main+0x395) [0x8072005]
5: /lib/libc.so.6(__libc_start_main+0xe6) [0xb7be2a36]
6: /usr/bin/X [0x80714b1]
Fatal server error:
Caught signal 11. Server aborting
Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
Please also check the log file at "/var/log/Xorg.0.log" for additional information.
(II) Macintosh mouse button emulation: Close
(II) UnloadModule: "evdev"
(II) ImExPS/2 Generic Explorer Mouse: Close
(II) UnloadModule: "evdev"
(II) AT Translated Set 2 keyboard: Close
(II) UnloadModule: "evdev"
(II) VirtualBox Guest Service: Off.
(II) VirtualBox Guest Service: Close
(II) UnloadModule: "vboxmouse"
Last edited by timmahcheese (2009-08-03 04:07:48)

Arch linux lxc in debian host.

Hi. I have been playing with lxc recently. Im running them on a debian host. I have created a couple of debian lxc and a centos lxc inside the host. Now im trying to create an arch lxc. There is an arch linux template provided by the debian package but it requires pacman installed on the host system in order to work. This is a production server and i dont want to install binaries untracked, so compiling pacman with make, is not an option.
I decided to create an Arch linux chroot as the wiki says by dowloading a tarball.
Im able to chroot sucessfully to it and install some packages. I have created the lxc dev/ files by following the arch wiki, and reading the archlinux template. Then i created a config file for the linux container and a fstab file. I got these from the archlinux template and copying other lxc config and fstab files (debian and centos one).
However hen i try to boot the container with lxc-start i got
lxc-start: File exists - failed to symlink '/dev/pts/ptmx'->'/dev/ptmx'
lxc-start: failed to setup the new pts instance
lxc-start: failed to setup the container
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'arch'
So i remove /dev/ptmx into the lxc.
Then i got:
lxc-start: No such file or directory - failed to exec /sbin/init
lxc-start: invalid sequence number 1. expected 2
lxc-start: failed to spawn 'arch
And here im trapped, i cant find /sbin/init, it doesn't exist, in a normal arch installation /sbin/init is pointing to /lib/systemd/systemd .
What to do now?? Is it impossible to setup a lxc with arch inside a systemv hosts system?????
here is my config file:
xc.utsname=arch
lxc.tty=4
lxc.pts=1024
lxc.rootfs=/srv/lib/lxc/arch/rootfs
lxc.mount=/srv/lib/lxc/arch/fstab
#networking
#lxc.network.type=${lxc_network_type}
#lxc.network.flags=up
#lxc.network.link=${lxc_network_link}
#lxc.network.name=eth0
#lxc.network.mtu=1500
#cgroups
lxc.cgroup.devices.deny = a
# /dev/null and zero
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts
lxc.cgroup.devices.allow = c 136:* rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
and fstab
proc proc proc nodev,noexec,nosuid 0 0
sysfs sys sysfs defaults 0 0

I'm not sure if you've tried Docker yet, but it took about 3 minutes to have a working Arch Docker container on my Ubuntu 12.04 server:
# docker pull base/arch
# docker run -i -t base/arch /bin/bash
[root@c21eea45fb46 /]# pacman -Syu
:: Synchronizing package databases...
core 106.7 KiB 617K/s 00:00 [###############################################] 100%
extra 1533.7 KiB 2.15M/s 00:01 [###############################################] 100%
community 2.1 MiB 2022K/s 00:01 [###############################################] 100%
:: Starting full system upgrade...
resolving dependencies...
looking for inter-conflicts...
Packages (11): archlinux-keyring-20140220-1 curl-7.35.0-1 e2fsprogs-1.42.9-1 gcc-libs-4.8.2-8 glibc-2.19-2 libgcrypt-1.6.1-1
libldap-2.4.39-1 libsasl-2.1.26-7 linux-api-headers-3.13.2-1 pam-1.1.8-3 util-linux-2.24.1-1
Total Download Size: 14.53 MiB
Total Installed Size: 60.52 MiB
Net Upgrade Size: 0.35 MiB
:: Proceed with installation? [Y/n]
:: Retrieving packages ...
archlinux-keyring-20140220-1-any 432.6 KiB 968K/s 00:00 [###############################################] 100%
curl-7.35.0-1-x86_64 471.5 KiB 2.19M/s 00:00 [###############################################] 100%
Scott

Share files between Arch Linux and XP Home

Hi, I have an Arch Linux desktop and a XP Home Laptop both connected to a Billion 7401 ADSL Router to get to the internet. If I am using any computer sometimes I have a need to use files from the other one, and from an external HDD connected to the XP laptop. I have been googling for the last 3 weeks but could not find a concrete solution to this issue, maybe because I don't understand much about networking or p2p, and samba. Looks like I have to spend more money on either another computer to be setup as a server or on a router or hub or switch? But I thought my Billion Router is already a router? I wonder if you can please help me to solve this problem or point me to a good link? Thanks a lot.

SSHFS is another more Linux native option for sharing files (and it can be compatible with XP too using special programs).
http://en.wikipedia.org/wiki/SSHFS
http://wiki.archlinux.org/index.php/Sshfs
As I understand it XP Home uses simple file sharing which can be really insecure depending on your needs. Once when I ran a computer with Linux and was needing to set up a samba share I discovered massive issues since (at the time) I was connecting regularly over a shared wireless network among untrusted persons. I ended up looking into using SSH tunneling to overcome the issues associated with XP Home's Simple File sharing and that is when I came across SSHFS.
Whatever you do make sure to read this about XP Home's "Simple Filesharing"
http://www.centerlineit.com/index.php?v … q&Itemid=9
It's important you understand it.
Last edited by davidm (2010-04-12 04:01:34)

HOWTO: Repairing a headless Arch Linux system that fails to boot

The scenario...
I have a "headless" (no monitor or input peripherals) Arch Linux computer that is connected to a local network via a wireless adapter, and accessed from other computers via SSH.
Earlier today I accidentally broke its kernel so it did not boot anymore.
Idea: Temporarily connect a monitor to the computer, boot from a live CD (like the Arch Linux install CD), then chroot into the system and fix it.
Problem: I didn't have a compatible monitor at hand.
Idea: Log in to the live CD session from another computer via SSH.
Problem: The live CD can't auto-configure the headless computer's wireless connection, and setting it up manually while working "blind" would be a major hassle. A direct LAN connection to the router wasn't available either.
Idea: Connect directly with a laptop via an Ethernet cable, and then use SSH from the laptop => This solution worked for me!
If you find yourself in a similar situation, you can follow this tutorial which describes the solution that worked for me in detail...
You need:
a copy of the Arch Linux install CD (I used the 2013-05-01 version)
an Ethernet cable
a keyboard (might be dispensable, with additional preparation)
a functional Arch Linux laptop (or other computer within physical range)
Step 1) Prepare the live CD...
I used the plain Arch Linux install iso, burnt to CD.
By creating a carefully customized version of the live CD using Archiso, you might be able to eliminate the need for steps 2 and 4 - however that's not covered in this tutorial.
Step 2) Prepare the laptop...
The laptop needs to be configured in such a way, that the live CD's attempt to automatically establish an Ethernet connection with it will succeed:
a) IP address
In my case, the Laptop's wireless adapter had an IP address in the range 192.168.1.*, connecting it to the local network and Internet via the central router 192.168.1.1.
The Ethernet connection between the laptop and the headless computer becomes a separate mini-network, for which I decided to use IP addresses in the range 192.168.0.* (note the different third number). Specifically, I set the IP address of my laptop's Ethernet card to 192.168.0.1. You can do this by running the following as root (replace "eth0" with the name of your Ethernet interface):
ip link set eth0 up
ip addr add 192.168.0.1/24 dev eth0
b) IP forwarding (optional)
While we're at it, we might as well enable IP forwarding, so that the live CD session on the headless computer will be able to directly use the laptop's outgoing Internet connection (which will make it much more convenient to install/upgrade packages during the repair session). To enable this, run the following as root (replace "eth0" and "wlan0" with the names of your laptop's Ethernet and wireless interfaces, respectively):
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
c) DHCP
The live CD will assume there's a router on the other side of the Ethernet link, and ask for an IP address via DHCP. So all we need to do, is run a dhcp server on the Laptop that will answer this request. It's surprisingly easy: Just install the package dnsmasq, and put the following in the file /etc/dnsmasq.conf (again replacing "eth0" as appropriate):
interface=eth0
dhcp-range=192.168.0.2,192.168.0.2
By setting the start & end values of dhcp-range to the same IP address, we enforce that this specific IP address will be used by the live CD on the headless computer.
Then start the daemon by running the following as root:
systemctl start dnsmasq.service
Step 3) Connect everything and boot up the live CD...
Connect the laptop and the headless computer via the Ethernet cable.
Connect the external keyboard to the headless computer.
Then put the Arch Linux install CD into the headless computer's drive, and boot. Wait a minute or so to give the CD time to load its boot menu (you should hear the CD drive spin up and settle down again). Then hit ENTER on the connected keyboard, to activate the default menu choice (which will boot straight to a live Arch Linux session with root privileges).
You can check whether it booted up and successfully initialized the Ethernet connection, by ping'ing the IP address that was specified in step 2c) from the laptop:
ping -c3 192.168.0.2
Step 4) Start the SSH server...
Unfortunately, the Arch Linux install CD doesn't automatically start its SSH server, and also it uses a randomized root password. To make SSH connections possible, you will have to use the connected keyboard to type in some stuff "blindly" (but it's simple enough):
type "passwd" (without the quotes)
type in a new password of your choice
press ENTER
type in the same password again
press ENTER
type "systemctl start sshd" (without the quotes)
press ENTER
Step 5) Connect from the laptop via SSH...
Now you can open an SSH connection, by executing the following on the laptop (when it asks for the password, enter the one you chose in step 4):
ssh [email protected]
Step 6) Profit!
Within this SSH shell on the laptop, you can now do whatever you would usually do to fix an Arch Linux system from a live CD.
You'll probably want to chroot into your Arch root partition, which is very easy thanks to the arch-chroot tool that is included on the live CD (replace "/dev/sda3" with the name of the headless computer's root partition):
mount /dev/sda3 /mnt
arch-chroot /mnt
If you set up IP forwarding as described in step 2b), then Internet access should magically work in this shell without any further configuration, so you can freely use pacman etc. inside the chroot.
Enjoy!
Last edited by sas (2013-07-26 22:17:03)

It is definitely able to recognize the USB and DVDs as separate drives; it gives the option of booting from USB, and it gives the memory capacity of the USB drive I used as a live USB, and the memory used for the live CD. But when it comes time to actually boot, something is going wrong.
I would suspect it is a problem with the BIOS, if not for the fact that I had a similar issue on my previous system, which used a completely different motherboard. If it is the same issue, it would either have to be a problem with the DVD drive (although I don't know why it would be against loading some live CDs but not others) or perhaps the way I created the live CDs. Although, again, I don't understand why the Linux Mint 32-bit DVD would work fine, while both 64-bit DVDs would not.
I will try using a different DVD drive to boot the DVDs, and if that does not work, I'll try creating a new Arch live CD to see if I can resolve the issue. But if anyone has any ideas, it would still be greatly appreciated.

[Bounty] Free Macbook Pro to get Arch Linux running on Amazon's EC2

First, the details:
I will purchase a lowest–end Macbook Pro 13″ ($US 1,200 on Apple's store, new) for the first person to deliver to me a working set of step–by–step instructions for installing the latest Arch Linux on top of Amazon's EC2 platform.
Caveats & Rules:
- I don't care how long it takes you—there's a good chance I'm doing something absolutely stupid in my noobishness that's causing the problems I've been experiencing; if it takes you half an hour to make a working AMI, and produce instructions to do such… you just won yourself a Macbook Pro for half an hour's work. Booyah!
- Again, I say, I don't care how long it takes you—if you don't produce a working set of instructions, there will be no payout, even if you spend 200 hours trying (as I already have!). It's a bounty, not a work contract d-:
- You must provide me with instructions that work for me (as I don't intend to use your AMI, but rather modify the steps that worked for you a bit at a time until I arrive at an AMI configured exactly as I want it). If you arrive at a working AMI, and can reproduce your steps successfully locally, but they can't be made to work for me, I may be able to go about procuring alternative hardware for myself on which to preform the steps, or taking other measures to reproduce your environment; but the bottom line is I will not shell out until I can, personally, produce a working AMI running Arch Linux.
- The instructions are considered to be "working" when I can successfully SSH into the root account on an instance instantiated from an AMI created by following the instructions using the key generated by EC2.
- Your instructions must work both for x86_32 and x86_64 instance types; however, this shouldn't be too much of a problem, as (barring any weirdness) anything that works on x86_32 should be easily made to work on x86_64.
- Instructions that involve instantiating an intermediate bundling host (say, a CentOS or Fedora Core instance) and then installing Arch to a loopback filesystem using a statically–built pacman are much preferred to instructions that involve me having to install and package Arch locally and then ship it up to S3, because my upstream is unimaginably slow and I eventually will need to create something between eight and twenty different AMIs (see below). But anything that works will be accepted.
- If you don't want a Macbook Pro, alternative payment methods may be arranged, though you need to contact me before you start and arrange these, as there's only so much I can do.
- If you are in any way confused or unsure of what I'm offering here, please contact me before you start (see below for contact info)
Backstory:
I set up the first AMI for Arch Linux on Amazon, but unfortunately, I did some really stupid things (hey, I was completely new to Linux at the time, gimmie a break!). The root filesystem was limited to 1GB, there was a whole bunch of software that really was completely unnecessary (WiFi drivers? on a virtualized server? seriously?), there were no kernel modules provided… and so on.
So, after running all my stuff on instances of that for a while, I finally got fed up and found the time to start setting up a newer, cleaner AMI. Unfortunately, I made the mistake of deleting my old AMI before starting work on the first. Now I find myself completely unable to create an AMI that will work whatsoever, and I cannot for the life of me figure out why.
I've already invested 200 or so hours of my personal time since deleting my original, broken AMI; I'm very fed up and in badly need of working instances. I tried every method I could think of; running the Arch installer from a LiveCD locally and then bundling the running (and thus proved working) Arch install and shipping it off to S3; installing Arch on a loopback filesystem locally, cloning it to a local partition, booting to it to ensure it works, and shipping it off to S3; installing Arch on a loopback filesystem on a remote bundling host running CentOS or whatever and then shipping it off to S3… I've tried installing nothing but the essentials, I've tried installing everything the installer offers… I've tried to do my best to remember the exact steps I took the first time around, years ago, and reproduce them exactly… nothing has worked.
If I take EC2 out of the equation, and install the images I've prepared locally, they work. If I take Arch out of the equation, and install, say, CentOS instead, and then ship it off to EC2, it works. The only time I have problems is when I attempt to install Arch Linux specifically on EC2 specifically; the exact use–case I need.
I've run into a lot of problems along the way, and fixed them as I go, but I universally end up with an AMI that, once instantiated, does not successfully boot. Worse yet, I get absolutely no output from the console (provided by the ec2-get-console command–line tool) to help me debug the problem. I can't give you any more specifics beyond this to help you, because I don't want to insinuate some idea that will cause you to make some little stupid mistake that I also made, thus dooming the project.
Contact:
For more info of any sort, please hit me up on Google Talk or Jabber (… or any other XMPP–federated chat service, or AIM, or ICQ, or MSN, or whatever you like, they all use the same address anyway) at the following address:
[email protected]
Edit: I should point out that it would be good form to post here if you're going to make a stab at it, so interested parties know how many people are already making attempts.
Last edited by elliottcable (2009-07-25 03:59:46)

drtoki wrote:
http://blog.mudy.info/2009/04/archlinux-ec2-public-ami/
lolwat
from fryguy
Public AMIs aren't what I need, because I need to mass–produce quite a few AMIs with different custom configurations for different purposes; so I have to be able to start from scratch and arrive at a working AMI *myself*.
As for the script, I'm sitting down to play with it now; it looks just about exactly like what I've been doing so far. Maybe there's some small thing he did differently that will make it work. Here's hoping it works for me; that'll be a real load off my chest.

System encryption using LUKS and GPG encrypted keys for arch linux

Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.
Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
Intro
Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
Conventions
In this short guide, I use the following disk/partition names:
/dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
Credits
Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
Guide
1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
shred -v /dev/sda
shred -v /dev/sdb
4. Partitioning
Fire up fdisk and create the following partitions:
/dev/sda1, type linux swap.
/dev/sda2: type linux
/dev/sda3: type linux
/dev/sdb1, type linux
Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
5. Format and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:
mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.
Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
6. Configure the network (if not already done automatically)
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
(this is just an example, your mileage may vary)
7. Install gnupg
pacman -Sy
pacman -S gnupg
Verify that gnupg works by launching gpg.
8. Create the keys
Just to be sure, make sure swap is off:
cat /proc/swaps
should return no entries.
Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
Choose a strong password!!
Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
Note that the default cipher for gpg is cast5, I just chose to use a different one.
9. Create the encrypted devices with cryptsetup
Create encrypted swap:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
Important: From the Cryptsetup 1.1.2 Release notes:
Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
as normal binary file and no new line is interpreted.
if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
stop after new line is detected.
If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
Check for any errors.
10. Open the luks devices
gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
Select DONE to start formatting.
At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
Start step 6 (Install packages).
Go to step 7 (Configure System).
By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
Edit /etc/fstab:
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1
Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:
kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
Don't forget the :root suffix in cryptdevice!
Also, my root line was set to (hd1,0). Had to change that to
root (hd0,0)
Install grub to /dev/sdb (the usb stick).
Now, we can exit the installer.
12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:
#!/usr/bin/ash
run_hook() {
/sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
if [ -e "/sys/class/misc/device-mapper" ]; then
if [ ! -e "/dev/mapper/control" ]; then
/bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
# Get keyfile if specified
ckeyfile="/crypto_keyfile"
usegpg="n"
if [ "x${cryptkey}" != "x" ]; then
ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
if poll_device "${ckdev}" ${rootdelay}; then
case ${ckarg1} in
*[!0-9]*)
# Use a file on the device
# ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
if [ "${ckarg2#*.}" = "gpg" ]; then
ckeyfile="${ckeyfile}.gpg"
usegpg="y"
fi
mkdir /ckey
mount -r -t ${ckarg1} ${ckdev} /ckey
dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
umount /ckey
# Read raw data from the block device
# ckarg1 is numeric: ckarg1=offset, ckarg2=length
dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
esac
fi
[ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
fi
if [ -n "${cryptdevice}" ]; then
DEPRECATED_CRYPT=0
cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
else
DEPRECATED_CRYPT=1
cryptdev="${root}"
cryptname="root"
fi
warn_deprecated() {
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
if poll_device "${cryptdev}" ${rootdelay}; then
if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
dopassphrase=1
# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
if [ "${usegpg}" = "y" ]; then
# gpg tty fixup
if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
cp -a /dev/console /dev/tty
while [ ! -e /dev/mapper/${cryptname} ];
do
sleep 2
/usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
dopassphrase=0
done
rm /dev/tty
if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
else
if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
dopassphrase=0
else
echo "Invalid keyfile. Reverting to passphrase."
fi
fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
echo ""
echo "A password is required to access the ${cryptname} volume:"
#loop until we get a real password
while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
sleep 2;
done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
elif [ -n "${crypto}" ]; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
msg "Non-LUKS encrypted device found..."
if [ $# -ne 5 ]; then
err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
err "Non-LUKS decryption not attempted..."
return 1
fi
exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
tmp=$(echo "${crypto}" | cut -d: -f1)
[ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f2)
[ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f3)
[ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f4)
[ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f5)
[ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
if [ -f ${ckeyfile} ]; then
exe="${exe} --key-file ${ckeyfile}"
else
exe="${exe} --verify-passphrase"
echo ""
echo "A password is required to access the ${cryptname} volume:"
fi
eval "${exe} ${CSQUIET}"
if [ $? -ne 0 ]; then
err "Non-LUKS device decryption failed. verify format: "
err " crypto=hash:cipher:keysize:offset:skip"
exit 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
else
err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
fi
fi
rm -f ${ckeyfile}
fi
Create /mnt/lib/initcpio/install/etwo:
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
add_dir "/dev/mapper"
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "/usr/bin/gpg"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
help ()
cat<<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
MODULES=”ext2 ext4” # not sure if this is really nessecary.
BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
Copy the initcpio stuff over to the live cd:
cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/
Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
Now reinstall the initcpio:
mkinitcpio -g /mnt/boot/kernel26.img
Make sure there were no errors and that all hooks were included.
13. Decrypt the "var" key to the encrypted root
mkdir /mnt/keys
chmod 500 /mnt/keys
gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var
14. Setup crypttab
Edit /mnt/etc/crypttab:
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2 /keys/var
15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
Last edited by fabriceb (2013-01-15 22:36:23)

I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
any idea ?
#!/bin/bash
# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
# prereqs:
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src
set -o nounset
#set -o errexit
# Host specific configuration
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user
# Globals
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.
INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
# Functions
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step
# procedures even with minor duplciations along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.
SetValue () {
# EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
sed -i "s+^#\?$${VALUENAME}$=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
CommentOutValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^$${VALUENAME}.*$$/#\1/" "${FILEPATH}"
UncommentValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^#$${VALUENAME}.*$$/\1/" "${FILEPATH}"
# Initialize
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
# 1. The Archboot installation image might have an out of date kernel
# (currently the case) which results in problems when chrooting
# into the install mount point to modprobe efivars. So we use the
# package snapshot on the Archboot media to ensure our kernel is
# the same as the one we booted with.
# 2. Ideally we'd source all local then, but some critical items,
# notably grub2-efi variants, aren't yet on the Archboot media.
# Warn
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
sleep 1
let timer-=1
echo -en "$timer seconds..."
done
echo "STARTING"
# Get Network
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."
# Mount packages squashfs images
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"
mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"
modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
# Create temporary pacman.conf file
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg
[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF
# Prepare pacman
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy
# Install prereqs from network (not on archboot media)
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
# Configure Host
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.
echo -e "format\n"
# shred -v /dev/sda
# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0
# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0
# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0
echo -e "create gpg file\n"
# create gpg file
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
echo -e "format LUKS on root\n"
# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
echo -e "open LUKS on root\n"
gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1
echo -e "mount targets\n"
# mount target
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
mount /dev/mapper/root ${INSTALL_TARGET}
# mount target
mkdir ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
# Install base, necessary utilities
mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64
# Configure new system
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^$127\.0\.0\.1.*$$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
# write fstab
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/cryptswap none swap defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
FSTAB_EOF
# write etwo
mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/
cp /src/etwo_hooks /lib/initcpio/hooks/etwo
cp /src/etwo_install /lib/initcpio/install/etwo
mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
# write crypttab
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
# copy configs we want to carry over to target from install environment
mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
# mount proc, sys, dev in install root
mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev
echo -e "umount boot\n"
# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot
# Create install_efi script (to be run *after* chroot /install)
touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
echo -e "mount boot\n"
# remount here or grub et al gets confused
mount -t vfat /dev/sda1 /boot
# mkinitcpio
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
mkinitcpio -p linux
# kernel modules for EFI install
modprobe efivars
modprobe dm-mod
# locale-gen
UncommentValue de_AT /etc/locale.gen
locale-gen
# install and configure grub2
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64
# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
# create our EFI boot entry
# bug in the HP bios firmware (F.08)
efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub
# generate config file
grub-mkconfig -o /boot/grub/grub.cfg
exit
EFI_EOF
# Install EFI using script inside chroot
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi
# Post install steps
# anything you want to do post install. run the script automatically or
# manually
touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
# root password
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd
# add user
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}
# mirror ranking
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
# temporary fix for locale.sh update conflict
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
# additional groups and utilities
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt
# sudo
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*$%wheel\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
sed -i "s/#\s*$%sudo\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
# power
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local
# time
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
# wireless (wpa supplicant should already be installed)
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
# sound
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
# video
pacman --noconfirm -S base-devel mesa mesa-demos
# x
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
# TODO: wacom
# environment/wm/etc.
#pacman --noconfirm -S xfce4 compiz ccsm
#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
#pacman --noconfirm -S ghc
# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# switching to cabal
# fonts
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
# and create the sym link from /etc/fonts/conf.avail to conf.d
# misc apps
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll
POST_EOF
# Post install in chroot
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install
# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/
# NOTES/TODO

[SOLVED] VirtualBox: Arch Linux host unable to reach guest over NA...

Hello everyone,
I recently installed VirtualBox on my Arch Linux install to tinker with GitLab on a Debian VM. I've set up a standard VM running Debian (wheezy) and made sure it's network settings were set to "NAT". However, I am unable to ping or ssh to this VM (which is running an ssh server among other things). Where this gets a bit weirder is that I'm perfectly able to ping and ssh to my host machine (running Arch).
I installed the version of VirtualBox available on the official repos and I'm running on the default kernel too.
I've install VirutalBox by following the infos posted on the wiki. My current user is part of the vboxusers group :
% groups duane
disk lp wheel uucp locate rfkill games network video audio optical floppy storage scanner power users vboxusers
I've added the proper kernel modules to /etc/modules-load.d/virtualbox.conf so that they are loaded automatically on boot time :
vboxdrv
vboxnetadp
vboxnetflt
vboxpci
% lsmod | grep vbox
vboxpci 14581 0
vboxnetflt 17612 0
vboxnetadp 18355 0
vboxdrv 264794 5 vboxnetadp,vboxnetflt,vboxpci
I must also note that the net-tools package is installed.
Now, I get the ip adress of my host :
% ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp9s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether f0:4d:a2:48:5b:38 brd ff:ff:ff:ff:ff:ff
3: wlp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 5c:ac:4c:09:d3:f3 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.22/24 brd 192.168.1.255 scope global wlp4s0
valid_lft forever preferred_lft forever
inet6 fe80::5eac:4cff:fe09:d3f3/64 scope link
valid_lft forever preferred_lft forever
Then I try to ping it from my Debian guest.
user@debian:~% ping 192.168.1.22 -c 3
PING 192.168.1.22 (192.168.1.22) 56(84) bytes of data.
64 bytes from 192.168.1.22: icmp_req=1 ttl=63 time=0.961 ms
64 bytes from 192.168.1.22: icmp_req=2 ttl=63 time=0.722 ms
64 bytes from 192.168.1.22: icmp_req=3 ttl=63 time=0.680 ms
--- 192.168.1.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.680/0.787/0.961/0.127 ms
Now I get the ip adress of my guest :
eth0 Link encap:Ethernet HWaddr 08:00:27:77:0e:48
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe77:e48/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:69 errors:0 dropped:0 overruns:0 frame:0
TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11577 (11.3 KiB) TX bytes:15395 (15.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
And I try to ping my guest from my host :
% ping 10.0.2.15 -c 3
PING 10.0.2.15 (10.0.2.15) 56(84) bytes of data.
--- 10.0.2.15 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2007ms
There. I hope I didn't give too much information.
I don't really understand what's going on there, usually that workfow works immediately in all the distributions I tried before, and on windows as well. I think I followed all the steps to make this work and yet it doesn't, and I'm not sure this problem is related to VirtualBox itself.
Thanks in advance for any tip or comment on that.
Last edited by Marneus68 (2014-01-24 10:19:39)

What I do for all my VB guest VM's is to set 2 network interfaces, one the normal (default) NAT, and the other a host-only interface. That way your guests are completely hidden from the local lan which may be desirable if e.g., your host is a laptop which you move around various places. The guests can access anything outbound and you can still ssh to them from the host (and also, using ssh ProxyCommand via that host if you want to access them remotely).

I386 Arch Linux ?

Hi,
I've been using Arch linux on my main machine for a few months now, and really like it. I like the "currentness" of it, as well as it's minimalist approach.
I have an old 80486DX2 66Mhz with 20MB of RAM which I occasionally fire up to play with networking things, as I work as a network engineer. I'd really like to be able to install a minimal copy of Arch Linux on it. Of course I can't, because the Arch Linux distro is i686 or greater. I've got a 10GB hard drive in it, so disk space isn't an issue. I currently have an old version of Debian on it.
I'd like to suggest creating "base-line PC" Arch distro, that is compiled only using i386 CPU instructions, allowing it to run on all generation 32 bit PCs. This would allow us Arch fans to run Arch on older computers we might have lying around.
Regards,
Mark.

deficite wrote:I really like how you have no option to disagree with you at all, you either have to agree with you or vote that you don't know what a 486 is (Which is quite odd, because I know of quite a few rednecks in my school who even know what a 486 is)
Was having a small amount of fun with the poll option.:-) Having used Linux since early 1993, and having come across people in another forum asking what version of Linux would run on such as slow machine as a P3 550, I was amused to ask if people knew what an 80486 was.
Anyway, I think it's a waste of effort IMHO. A computer that old would probably not have a large HDD, and Arch requires >90MB for a full base install (of course you COULD strip things out). I remember the 486DX-33 we had only had like a 150MB hard drive or something, if even that much, and it came with 4MB of RAM (I upped it to 32MB after my dad found a broken computer in a storage unit next to ours a few years ago )
It's possible to run large HDDs in machines that old, I have a 10GB drive in the 80486 I have. Once Linux starts, it talks directly to the disk, so BIOS limitations disappear. All you need to do is configure the BIOS with the largest sized HDD it supports, and make sure the bootloader and the kernel reside within that part of the disk. This was the technique we used to use to get around the 512MB limit in the BIOS. I think actual IDE hardware limits kick in once you require LBA access to the disk, and from very rusty memory, that is something like 37GB.
20MB of RAM, which was also popular enough (4 x 1MB SIMMs, 4x4MB SIMMs), should be is enough to run a base Linux install(plenty actually, I used to run Linux on a 486 with 8MB of RAM, with X windows. I'd have 0.5MB left to run applications, however with fast swapping to a SCSI disk, it was quite useable).
I guess you could run a server or two on it or something, but do you really want to spend all that effort porting Arch to 386 when you could just run another distro. There are distros made specifically for running servers on old hardware.
Yes, but then it wouldn't be running Arch, would it. :-)

Arch Linux as a Production Server?

Similar Messages

Maybe you are looking for