Arch Linux Installation

In July 2012, a new image of Arch Linux (201207) was released, and on the same day, I decided to download and reinstall my system. Throughout the process, I noticed several changes both in the installation process and in the operation of the distribution:

  • There is no longer the .iso with the core or separate images for X86 and X64; the only version available for download is the netinstall dual;
  • The Arch Linux Installation Framework (AIF) is no longer used;
  • They started the migration from SysVinit to Systemd (using initscripts).

On the day the first image without AIF was released, there was practically no documentation explaining how to perform the installation, and I had to figure it out on my own. When I finally succeeded, I started writing this tutorial, but shortly after, I went on a trip (FISL13!) and stopped writing.

Taking advantage of my short end-of-year break, I decided to repartition my disk, reinstall Arch from scratch on my notebook, and finish documenting the installation process on this blog.

I will use native Systemd, without rc.conf, and also explain how to encrypt the disk using LVM on LUKS+dmcrypt.

Note: As explained in the about section of this blog, I wrote this post for myself and only explained parts that interest me and are compatible with my system (an Acer Aspire). Do not follow this “tutorial” blindly; some things that work for me may be different for you.

Boot Disk

It’s been a long time since I burned CDs to install operating systems. I usually use a USB drive as the installation media, especially now that my new notebook doesn’t even have a CD drive.

To create this bootable USB drive, simply download the .iso and write it using dd:

sudo dd if=archlinux.iso of=/dev/sdb

This works on most computers, but apparently the BIOS of my notebook does not recognize the USB drive written in this way and causes the notebook to freeze on the boot screen until the USB drive is removed.

Through trial and error, I found two solutions:

  • Solution 1

    Use unetbootin to copy the contents of the .iso and install syslinux as the bootloader and then change the partition label:

    julio@acer ~> sudo mlabel -i /dev/sdb1 ::ARCH_201212
    
  • Solution 2

    Copy the files from the .iso to the USB drive and manually install syslinux:

    sudo fdisk /dev/sdb
    sudo mkfs.vfat -n ARCH_201212 /dev/sdb1
    sudo mount /dev/sdb1 /media/pendrive
    sudo mount archlinux-2012.12.01-dual.iso /media/arch
    sudo cp -r /media/arch/* /media/pendrive/
    sudo syslinux -s /dev/sdb1
    cd /media/pendrive; sudo cp isolinux/isolinux.cfg syslinux.cfg
    

Installation

Enter your BIOS Boot Manager and boot from the USB drive:

  1. IDE 0: TOSHIBA MK5055GSX (HDD)
  2. USB HDD: SanDisk (USB drive)

A boot menu will appear. Choose the option Boot Arch Linux (x86_64) (my system is 64-bit).

Remember /arch/setup? It no longer exists. Since the July image, Arch has stopped using AIF and now uses some install scripts. You will be thrown directly into a shell.

Partitioning

The recommended format is GPT. It has some advantages over MBR, such as allowing HDDs larger than 2TB and allowing more than 4 primary partitions.

I used GPT in my last installation, but I concluded that in my case it is better to stick with MBR. I only need 4 primary partitions, my disks are 2TB or less, and my motherboard uses BIOS and not UEFI. This last detail is especially important if you want to dual boot with Windows.

-> If your partition table uses GPT:

root@archiso ~ # cgdisk /dev/sda

Note: If your motherboard uses BIOS and your partitions use GPT, you will need a partition of at least 31KiB (recommended to use 2MB) to fit the core.img of Grub2 (more info).

-> If your partition table uses MBR (my case):

root@archiso ~ # cfdisk /dev/sda

  • Initial state:

    Disk Drive: /dev/sda
    Size: 500.1 GiB
    
    Part Type: Pri/Log
    FS Type: Free Space
    Size (MB): 500107.87
    
  • 50GB partition for another OS:

    [ New ] » [Primary] » Size (in MB): 50G » [Beginning] » [ Type ] » Enter filesystem type: 86

  • Partition for /boot:

    [ New ] » [Logical] » Size (in MB): 100 » [Beginning] » [ Type ] » Enter filesystem type: 83

    I reserved 100MB, but 50MB would be enough.

  • Partition for LUKS (I will use LVM on LUKS):

    [ New ] » [Logical] » Size (in MB): 450007.68 » [Beginning] » [ Type ] » Enter filesystem type: 8E

Save the changes: [ Write ] » "yes" » [ Quit ] and check the partitions using fdisk -l.

Shredding

For security, fill the LUKS partition with random data:

root@archiso ~ # badblocks -c 10240 -wsvt random /dev/sda3

or

root@archiso ~ # dd if=/dev/urandom of=/dev/sda3 bs=4096

Note: These commands take a few hours.

Encryption: dm-crypt / LUKS

root@archiso ~ # cryptsetup -c <cipher> -y -s <key size> luksFormat /dev/<partition name>

We will use AES in XTS mode with a 512-bit key (XTS splits it into two 256-bit halves, so this is AES-256). It is quite secure and I did not notice a significant performance loss:

root@archiso ~ # modprobe dm_mod
root@archiso ~ # cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda3

Enter your password. The password length is also important for security.

Check with cryptsetup luksDump /dev/sda3.
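
A scripted version of that check, as an added example that is not part of the original post: it reads luksDump output in the LUKS1 layout and reports the cipher, the key size and which key slots are enabled. The sample dump is constructed, and the function names sample_dump, luks_summary and luks_matches are hypothetical.

```shell
#!/bin/sh
# Added example: summarise `cryptsetup luksDump` output (LUKS1 layout) from stdin.

# Constructed sample in the LUKS1 dump layout; digests and salts are left out.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
    Iterations:             100000
    Key material offset:    8
    AF stripes:             4000
Key Slot 1: ENABLED
    Iterations:             100000
    Key material offset:    520
    AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
EOF
}

luks_summary() {
    # Prints "cipher=<name>-<mode> keybits=<n> slots=<enabled slot numbers>".
    awk -F: '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    $1 == "Cipher name" { name = trim($2) }
    $1 == "Cipher mode" { mode = trim($2) }
    $1 == "MK bits"     { bits = trim($2) }
    $1 ~ /^Key Slot [0-9]+$/ && trim($2) == "ENABLED" {
        split($1, w, " ")
        slots = slots (slots == "" ? "" : ",") w[3]
    }
    END { printf "cipher=%s-%s keybits=%s slots=%s\n", name, mode, bits, slots }'
}

luks_matches() {
    # $1: expected cipher spec, $2: expected key size; dump on stdin.
    # Returns 0 when the header matches what was passed to luksFormat.
    s=$(luks_summary)
    case "$s" in
        "cipher=$1 keybits=$2 slots="*) return 0 ;;
        *) echo "unexpected: $s" >&2; return 1 ;;
    esac
}

sample_dump | luks_summary
```

On the live system, pipe the real dump in instead: cryptsetup luksDump /dev/sda3 | luks_summary. Every enabled slot is a passphrase that unlocks the volume, so the slot list should contain only the ones you created.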

Unlock the partition

root@archiso ~ # cryptsetup luksOpen /dev/sda3 arch-luks
Enter passphrase for /dev/sda3:

Creating LVM partitions

Create a Physical Volume:

root@archiso ~ # pvcreate /dev/mapper/arch-luks
  Physical volume "/dev/mapper/arch-luks" successfully created
root@archiso ~ # pvdisplay

Create a Volume Group:

root@archiso ~ # vgcreate vg_arch /dev/mapper/arch-luks
  Volume group "vg_arch" successfully created
root@archiso ~ # vgdisplay

Create the Logical Volumes

  • Create an LV for /:

    root@archiso ~ # lvcreate -L 25G vg_arch -n root
      Logical volume "root" created

  • Create an LV for /var:

    It is not very common, but you can increase performance by using a file system that handles small files well, such as ReiserFS.

    root@archiso ~ # lvcreate -L 15G vg_arch -n var
      Logical volume "var" created
    
  • Create an LV for swap:

    root@archiso ~ # lvcreate -C y -L 4G vg_arch -n swap
      Logical volume "swap" created
    
  • Create an LV for /home, leaving free space (25GB) at the end:

    root@archiso ~ # lvcreate -L 350G vg_arch -n home
      Logical volume "home" created
    

    or, if you know that you won’t need to resize the volumes later:

    root@archiso ~ # lvcreate -l +100%FREE vg_arch -n home
      Logical volume "home" created
    
  • Check the volumes using lvdisplay.

Format the partitions

root@archiso ~ # mkfs.ext2 -L boot /dev/sda2
root@archiso ~ # mkfs.btrfs -L root /dev/vg_arch/root
root@archiso ~ # mkfs.ext4 -L var  /dev/vg_arch/var
root@archiso ~ # mkfs.ext4 -L home /dev/vg_arch/home
root@archiso ~ # mkswap -L swap /dev/vg_arch/swap

To save disk space, reduce the percentage of blocks reserved for root:

root@archiso ~ # tune2fs -m 1.0 /dev/vg_arch/var
root@archiso ~ # tune2fs -m 0.0 /dev/vg_arch/home

Mount the partitions

root@archiso ~ # mount /dev/vg_arch/root /mnt
root@archiso ~ # mkdir /mnt/{boot,home,var}
root@archiso ~ # mount /dev/vg_arch/var /mnt/var
root@archiso ~ # mount /dev/vg_arch/home /mnt/home
root@archiso ~ # mount /dev/sda2 /mnt/boot
root@archiso ~ # swapon /dev/vg_arch/swap

Connect to the internet

  • Wifi

    If you don’t have a wired network, connect to your Wi-Fi:

    root@archiso ~ # wifi-menu wlan0
    
  • Wired

    The command for wired network is:

    root@archiso ~ # ip link set eth0 up #(equivalent to ifconfig eth0 up)
    root@archiso ~ # dhcpcd eth0
    

Install the base system

First, check if the system date is correct using the date command. This step is important to avoid issues when importing PGP keys.

If the date is incorrect, correct it with timedatectl. Use UTC. E.g.:

timedatectl set-time "2013-01-30 18:00:00"

Download the packages with pacstrap:

root@archiso ~ # pacstrap /mnt base{,-devel}
Total Download Size: 154.83 MiB
Total Installed Size: 579.00 MiB

Install a bootloader (I chose grub2):

root@archiso ~ # pacstrap /mnt grub-bios

Note: grub-bios is for BIOS; if your motherboard uses UEFI, download grub-efi-x86_64.

Generate an /etc/fstab:

root@archiso ~ # genfstab -U -p /mnt >> /mnt/etc/fstab

Check if the fstab is correct. The -U in the command is to use UUIDs.

Chroot into the system we just installed:

root@archiso ~ # arch-chroot /mnt

This is a good time to install vim, as we will be editing some files. I will install gvim, as it comes compiled with “+xterm_clipboard”:

root@archiso ~ # pacman -S gvim

Systemd vs. SysV

There is controversy about whether the switch to Systemd is a good thing or not.

Reading Hacker News, it was clear that many people are dissatisfied, but if everything works as Lennart Poettering explained in a talk I attended and Systemd has all the advantages that the Arch developers posted on the forum, then the transition was indeed a good thing.

Anyway, if the devs are kind of pushing the change, it’s better to get used to it now. Therefore, I will do an installation without an rc.conf, using only Systemd.

Note: Create the files mentioned in the next steps if they do not exist yet.

Locale

Uncomment en_US.UTF-8 UTF-8 and pt_BR.UTF-8 UTF-8 in /etc/locale.gen and then run locale-gen as root.

Create the file /etc/locale.conf, which sets the LANG variable:

LANG=en_US.UTF-8

Keymap and font

Find out which of the files in the /usr/share/kbd/keymaps/i386/qwerty/ folder corresponds to your keymap and then test it with loadkeys. E.g.:

  • PT-BR: loadkeys br-abnt2
  • EN-US: loadkeys us-acentos
  • EN-UK: loadkeys uk

Find out which of the files in the /usr/share/kbd/consolefonts/ folder corresponds to the font you want and then test it with setfont. E.g.:

  • Terminus: setfont Lat2-Terminus16
  • Lat9w: setfont lat9w-16

Edit the file /etc/vconsole.conf to make the configuration permanent:

KEYMAP=us-acentos
FONT=Lat2-Terminus16

There is also the FONT_MAP option, but it is not necessary.

Timezone

Find out which file in the /usr/share/zoneinfo/ folder corresponds to your region and sub-region. In my case, the file is /usr/share/zoneinfo/America/Sao_Paulo.

Make the /etc/localtime file point to your timezone using a symbolic link:

sh-4.2# ln -s /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime

Q: What happened to the /etc/timezone file???

Clock

Generate an /etc/adjtime file with the hwclock command. I recommend using UTC.

sh-4.2# hwclock --systohc --utc

If you want to synchronize the clock over the internet, run ntpd -qg && hwclock -w as root.

Host

Create the /etc/hostname file containing only the name of your host:

sh-4.2# echo "acer" > /etc/hostname

Apparently, we no longer need to edit the /etc/hosts file after this step.

Network

If you use a wireless network, install the files that allow you to connect to wireless networks. Also, install the firmware for your card if necessary:

sh-4.2# pacman -S wireless_tools wpa_supplicant wpa_actiond dialog

I also recommend enabling net-auto-wireless:

sh-4.2# systemctl enable net-auto-wireless.service

If you usually connect to the network via cable, I recommend installing ifplugd and enabling net-auto-wired. This way, your computer will connect automatically when you plug in a network cable:

sh-4.2# systemctl enable net-auto-wired.service

HOOKS (initial ramdisk)

In the HOOKS line of the /etc/mkinitcpio.conf file, add encrypt, lvm2, and resume before filesystems (order matters). resume should come after lvm2:

HOOKS="base udev autodetect modconf block encrypt lvm2 resume filesystems usbinput fsck"

Run mkinitcpio -p linux.
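
Because a wrong hook order leaves the encrypted root unbootable, the order can be checked before rebuilding the image. The following is an added example, not part of the original post; it assumes the quoted HOOKS="..." syntax shown above, the sample configuration is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the HOOKS order needed for LVM on LUKS with resume.

# Constructed sample of /etc/mkinitcpio.conf with one commented-out HOOKS line.
sample_conf() {
    cat <<'EOF'
MODULES=""
# HOOKS="base udev autodetect block filesystems"
HOOKS="base udev autodetect modconf block encrypt lvm2 resume filesystems usbinput fsck"
EOF
}

hooks_line() {
    # Prints the contents of the last uncommented HOOKS="..." line on stdin.
    sed -n 's/^[[:space:]]*HOOKS="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1
}

hook_pos() {
    # $1: hook name, $2: space-separated hook list.
    # Prints the 1-based position of the hook, or 0 when it is absent.
    i=0
    for h in $2; do
        i=$((i + 1))
        [ "$h" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

check_hooks() {
    # $1: hook list. Required order: encrypt, lvm2, resume, filesystems.
    prev=0
    prev_name=""
    for name in encrypt lvm2 resume filesystems; do
        pos=$(hook_pos "$name" "$1")
        if [ "$pos" -eq 0 ]; then
            echo "missing: $name"
            return 1
        fi
        if [ "$pos" -lt "$prev" ]; then
            echo "order: $name must come after $prev_name"
            return 1
        fi
        prev=$pos
        prev_name=$name
    done
    echo "ok"
}

check_hooks "$(sample_conf | hooks_line)" || true
```

Inside the chroot, check the real file with: check_hooks "$(hooks_line < /etc/mkinitcpio.conf)".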

Grub Configuration

sh-4.2# grub-install --target=i386-pc --recheck --debug /dev/sda
sh-4.2# cp /usr/share/locale/en\@quot/LC_MESSAGES/grub.mo /boot/grub/locale/en.mo

Edit /etc/default/grub:

GRUB_CMDLINE_LINUX="root=/dev/mapper/vg_arch-root cryptdevice=/dev/sda3:arch-luks resume=/dev/mapper/vg_arch-swap"

Create a password to prevent editing of the GRUB boot entries. Here I am redirecting the output to a file, which we will use later. Simply type your password twice after the command:

sh-4.2#  grub-mkpasswd-pbkdf2 > hash

The file hash will have a 256-character string similar to the following: grub.pbkdf2.sha512.10000.FEDCBA987689…EDCBFEDCBA9876543210123

Copy this hash and add the following to the file /etc/grub.d/00_header:

cat << EOF

set superusers="julio"
password_pbkdf2 julio grub.pbkdf2.sha512.10000.FEDCBA987689…EDCBFEDCBA9876543210123

EOF

Then run the following command:

sh-4.2# grub-mkconfig -o /boot/grub/grub.cfg

Kernel parameters

I also like to remove quiet from the linux line in /boot/grub/grub.cfg to see if everything happens correctly during boot.

Set a password for root

sh-4.2# passwd

Restart the computer

sh-4.2# exit
root@archiso# umount /mnt/{boot,var,home,}
root@archiso# reboot

When you restart, it will ask for the Grub2 password and the password to access the arch-luks volume.

Post-installation

Log in as root using the password you set earlier.

Connect to the internet

  • Wired network:

    [root@acer ~]# dhcpcd eth0
    
  • Wireless network:

    [root@acer ~]# wifi-menu wlan0
    

Pacman

Add the [multilib] repository. Just uncomment the following lines in /etc/pacman.conf:

[multilib]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

Also add the line ILoveCandy below # Misc options just for fun 😉.

PGP Keys

[root@acer ~]# rm -r /etc/pacman.d/gnupg
[root@acer ~]# pacman-key --init
[root@acer ~]# pacman-key --populate archlinux

Mirrors

Edit the file /etc/pacman.d/mirrorlist. In vim, :%s/^[^\#]/\#S/ comments out every Server line. Then uncomment only about 3 mirrors.

Install some programs

Recommendations:

root@acer ~ # pacman -S zsh sudo \
  alsa-utils pulseaudio pulseaudio-alsa pavucontrol paprefs \
  xorg-server xorg-xinit xorg-server-utils xf86-video-intel lib32-intel-dri \
  xf86-input-synaptics xf86-input-wacom libwacom xbindkeys xdotool \
  awesome vicious wmname \
  ttf-dejavu terminus-font ttf-inconsolata artwiz-fonts ttf-symbola \
  feh imagemagick geeqie gimp scrot \
  mpd ncmpcpp mplayer2 kid3 \
  wget chromium firefox flashplugin \
  acpid screen htop ntp \
  python python2 python-pip python2-pip ipython ipython2 bpython bpython2 \
  python2-psycopg2 python2-pygments python2-mechanize python2-imaging \
  python2-beautifulsoup3 python2-beautifulsoup4 pep8-python2 pep8-python3 \
  python2-lxml \
  git mercurial svn ack gdb clang clang-analyzer cppcheck \
  jdk7-openjdk irssi pidgin mutt thunderbird \
  wicd samba openssh sshfs apache php php-apache postgresql pgadmin3 \
  vidalia \
  cups hplip gtranslator \
  qalculate-gtk gnuplot texlive-most xournal \
  libreoffice-{common,pt-BR,calc,writer,impress} stardict \
  rsync mktorrent \
  rxvt-unicode urxvt-perls terminator \
  unrar zip p7zip \
  virtualbox yajl \
  vlock slock xautolock tree wireshark \
  gparted gptfdisk dosfstools ntfsprogs mtools \
  cpupower hdparm hddtemp lm_sensors hwinfo \
  pysolfc \
  ttf-symbola \
  mpdscribble \
  icedtea-web-java7 \
  wine \
  laptop-mode-tools

This is a list of some programs that I always install on my notebook. Choose only those that you think you will need (don’t install intel video drivers if your card is Nvidia, of course).

Sound

ALSA comes pre-installed with the Arch Linux kernel.

Open alsamixer, unmute the Master and increase the volume. Test the sound with speaker-test -c 2. If it worked, save the mixer settings with the following command (TODO: check if it’s really necessary):

[root@acer ~]# alsactl store

As I use more than one sound card and transfer audio from another computer over the network, I also like to have Pulseaudio working (it was installed in the previous step).

Video - X11

Find out your graphics card using the following command:

[root@acer ~]# lspci | grep VGA
00:02.0 VGA compatible controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)

I have already installed the Intel drivers (xf86-video-intel and lib32-intel-dri) in the previous step.

Enhancing Password Security

Until recently, Linux user passwords were stored in the /etc/shadow file using the MD5 algorithm by default.

I consider MD5 to be very weak and easy to break. Fortunately, new versions of shadow use SHA-512 with 5000 rounds, which is much better than the previous standard. But if you are paranoid, you can change the algorithm or increase the number of rounds.

My preferred algorithm for password protection is bcrypt, which internally uses Blowfish and, although not strictly a hash function, serves exactly the same purpose – from a password, it generates an irreversible string that can be used to verify the password.

I noticed that the pam manual does not mention bcrypt. Blowfish appears on the list, but as it is a symmetric encryption algorithm (and not a hash function), the password would be reversible.

So I chose to use SHA-512 with many more rounds than the default, which is as good as bcrypt. To do this, modify the /etc/pam.d/passwd file to:

password    required    pam_unix.so sha512 rounds=65536 shadow nullok minlen=8 retry=3

All users created from now on will need to create passwords with at least 8 characters, whose hash will use SHA-512 with 65536 rounds. To take effect on current accounts, just recreate the passwords with passwd:

[root@acer ~]# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

You can check the change in the file /etc/shadow:

[root@acer ~]# cat /etc/shadow | grep root
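
To check every account at once rather than reading the hash by eye, the entries can be parsed. This is an added example, not part of the original post: it reports each account's hash scheme and round count and flags entries that do not match the sha512 rounds=65536 policy, including the empty passwords that nullok permits. The sample entries are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the hash scheme and round count of shadow-format entries.

MIN_ROUNDS=65536   # the rounds= value configured in /etc/pam.d/passwd

# Constructed entries; salts and digests are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$rounds=65536$SALTSALT$DIGEST:15700:0:99999:7:::
julio:$6$SALTSALT$DIGEST:15700:0:99999:7:::
legacy:$1$SALTSALT$DIGEST:15000:0:99999:7:::
daemon:*:15700::::::
guest::15700:0:99999:7:::
EOF
}

audit_shadow() {
    # Reads shadow-format lines on stdin; prints "user scheme rounds verdict".
    awk -F: -v min="$MIN_ROUNDS" '
    {
        user = $1; field = $2; rounds = "-"
        # An empty field means no password at all, which nullok permits.
        if (field == "") { print user, "none", rounds, "EMPTY"; next }
        # No "$" means there is no hash, only a lock marker such as "*" or "!".
        if (index(field, "$") == 0) { print user, "locked", rounds, "SKIP"; next }
        sub(/^!+/, "", field)        # a locked account keeps its hash after "!"
        split(field, part, "$")      # "", id, optional rounds=N, salt, digest
        id = part[2]
        if (id == "1") scheme = "md5"
        else if (id == "5") scheme = "sha256"
        else if (id == "6") scheme = "sha512"
        else if (id ~ /^2[abxy]?$/) scheme = "bcrypt"
        else scheme = "unknown"
        if (scheme == "sha256" || scheme == "sha512") {
            rounds = 5000            # crypt(3) default when no rounds= is stored
            if (part[3] ~ /^rounds=[0-9]+$/) rounds = substr(part[3], 8) + 0
        }
        verdict = (scheme == "sha512" && rounds >= min) ? "OK" : "MISMATCH"
        print user, scheme, rounds, verdict
    }'
}

sample_shadow | audit_shadow
```

On the installed system, run it as root against the real file: audit_shadow < /etc/shadow. Accounts reported as MISMATCH keep their old hash until their password is set again with passwd.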

Add a user

[root@acer ~]# useradd -m -G wheel -s /bin/zsh julio
[root@acer ~]# chfn julio
[root@acer ~]# passwd julio

An easier way is with adduser available in the AUR:

[root@acer ~]# adduser
Login name for new user []: julio
User ID ('UID') [ defaults to next available ]:
Initial group [ users ]:
Additional groups (comma separated) []: audio,lp,optical,storage,video,wheel,games,power,scanner
Home directory [ /home/julio ]:
Shell [ /bin/bash ]: /bin/zsh
Expiry date (YYYY-MM-DD) []:

Sudo

Allow users from the wheel group to use the sudo command. Run visudo and uncomment the line %wheel ALL=(ALL) ALL.

  • Log in with the created user.

Dotfiles, etc

Oh-my-zsh

acer% git clone https://github.com/robbyrussell/oh-my-zsh.git ~/.oh-my-zsh

  • Copy your public and private keys from the backup

  • Clone my dotfiles repository on GitHub:

    acer% git clone git@github.com:jbsilva/dotfiles.git
    

Other dotfiles

Copy or link each of the dotfiles and scripts to their respective folders:

acer% ln -s /home/julio/dotfiles/home/julio/.vim ~/.vim
acer% ln -s /home/julio/dotfiles/home/julio/.vimrc ~/.vimrc
acer% ln -s /home/julio/dotfiles/home/julio/.zshrc ~/.zshrc
acer% ln -s /home/julio/dotfiles/home/julio/.gitconfig ~/.gitconfig
acer% mkdir ~/.config;
acer% ln -s /home/julio/dotfiles/home/julio/.config/awesome ~/.config
acer% ln -s /home/julio/dotfiles/home/julio/.config/sytemd ~/.config
acer% mkdir ~/.mpd; touch ~/.mpd/{database,log,pid,state,sticker.sql}
acer% ln -s /home/julio/dotfiles/home/julio/.mpd/mpd.conf ~/.mpd
acer% ln -s /home/julio/dotfiles/home/julio/.mpd/playlists ~/.mpd
acer% mkdir .ncmpcpp
acer% ln -s /home/julio/dotfiles/home/julio/.ncmpcpp/config ~/.ncmpcpp
acer% ln -s /home/julio/dotfiles/home/julio/.xdefaults ~/.xdefaults
acer% ln -s /home/julio/dotfiles/home/julio/.xdefaults/Xdefaults ~/.Xdefaults
acer% rm .xinitrc; ln -s /home/julio/dotfiles/home/julio/.xinitrc

All set! The system is configured and ready to use. Start the graphical interface with startx.


AUR and Yaourt/Packer

Install Yaourt or Packer (choose one) to facilitate the installation of AUR packages.

  • Yaourt:

    julio@acer ~> wget https://aur.archlinux.org/packages/pa/package-query/package-query.tar.gz
    julio@acer ~> tar xvfz package-query.tar.gz; cd package-query
    julio@acer ~/package-query> makepkg
    julio@acer ~/package-query> sudo pacman -U package-query-1.0.1-1-x86_64.pkg.tar.xz
    
    julio@acer ~> wget https://aur.archlinux.org/packages/ya/yaourt/yaourt.tar.gz
    julio@acer ~> tar xvfz yaourt.tar.gz; cd yaourt
    julio@acer ~/yaourt> makepkg
    julio@acer ~/yaourt> sudo pacman -U yaourt-1.1-1-any.pkg.tar.xz
    
  • Packer:

    I started using Packer recently, but it seems to be faster and less problematic than Yaourt.

    julio@acer ~> wget https://aur.archlinux.org/packages/pa/packer/packer.tar.gz
    julio@acer ~> tar xvfz packer.tar.gz; cd packer; makepkg
    julio@acer ~/packer> sudo pacman -U packer-20121228-1-any.pkg.tar.xz
    

Install some AUR programs:

julio@acer ~> for p in {tofrodos,dropbox,urxvt-keyboard-select,urxvt-clipboard,rtorrent-pyro-git,otf-ipafont,mod_scgi,django-git,flexget,xtrlock,tor-browser-en}; do packer $p; done

Install other programs

  • Install rutorrent via svn

Command to activate the Volume Group: vgchange -a y vg_arch

Samba

Create users for Samba

julio@acer ~> sudo useradd guest
julio@acer ~> sudo pdbedit -a -u julio
julio@acer ~> sudo pdbedit -a -u guest

Start the daemon using systemctl:

julio@acer ~> sudo systemctl start smbd nmbd

List shared folders

On other computers on the network, shared folders can be listed using:

julio@acer ~> sudo smbclient -L 192.168.0.2 -U%

Access from other computers:

sudo mount -t cifs //192.168.0.2/acer /media/acer -o user=guest,password=senha_guest,workgroup=GRUPO,ip=192.168.0.2

or better, add the following line to /etc/fstab:

//192.168.0.2/musicas   /media/rede   cifs   noauto,credentials=/etc/samba/smbcred   0 0

Where the file /etc/samba/smbcred looks similar to the following:

username=guest
password=senha_guest
workgroup=GRUPO
ip=192.168.0.2

Other recommendations

Secure your BIOS with a password for increased security.

Save a backup of the LUKS header

I’ve known people whose HD had bad blocks at the beginning of the encrypted partition and ended up unable to access the files. If they had a header backup, they could probably recover some files.

julio@acer ~> sudo cryptsetup luksHeaderBackup /dev/sda3 --header-backup-file /media/externo/acer-luks_header.img

Cron

julio@acer ~> sudo systemctl enable cronie

Prevent fork bombs

Add the following line at the end of the file /etc/security/limits.conf:

julio           hard    nproc           4000

(replace julio with your username)


Julio Batista Silva