Tagged: configuration

Installing Arch Linux: LVM on top of an encrypted partition [[UPDATED]]

Years back, I was using Arch Linux on my notebook but gave up at some point after upgrading Arch Linux made my notebook unbootable. After some distro hopping, I settled down with Debian Linux and it has been my friend since then. But now, on a whim, I decided to give Arch another try.

I'll be installing Arch Linux on the same notebook and I wanted encryption on a disk/partition like before. I looked at some options on the Arch Linux Wiki. I read up on LVM on LUKS, LUKS on LVM, and Plain dm-crypt and decided to go with LVM on LUKS again. One of the benefits of LUKS on LVM is that it can have encrypted volumes span multiple disks. It's nice but I don't need it since there is only one disk in the notebook. Plain dm-crypt can encrypt an entire disk, which is nice and ideal, but having a USB flash memory around is a bit overkill for me. So, I'll stick with LVM on LUKS again.

I then followed my old post, Installing Arch Linux: LVM on top of an encrypted partition. What do you know? The information on that page was not wrong but was a bit confusing or hard to follow (not to mention the number of typos. Sheesh!). So, I decided to redo all the steps, including the base installation of Arch Linux on LVM. Most of the information here duplicates the old post, but please bear with me.

Disclaimer:
The information below is gathered mostly from the Arch Linux Wiki and changed here and there to my liking. It is used solely for my own purposes and may not be suitable for others.

Erasure of the Hard Disk:

Information (data) on a hard drive is written in chunks here and there. Re-partitioning or reformatting a disk does not really remove (erase) the data. It merely removes the system structure that was used to identify where the original data was located. This leaves the actual data on the disk.

To securely erase a disk, you could either:

  • Fill with zeros
  • Fill with random bits

Both methods overwrite the data on a disk, but filling with zeros makes it easy (to some extent) to identify where the encrypted data ends. So, I follow the second method.

# dd if=/dev/urandom of=/dev/<drive> bs=1M

Just to be warned, this takes a long, long time.

Partitioning a Disk:

There is a way to encrypt the /boot partition with GRUB (for details, see Pavel Kogan's blog), but for simplicity, I'll stick with having the /boot partition separated from the encryption and LVM.

# fdisk /dev/sda

Partition Layout:
/dev/sda1 -> /boot (bootable) - 300MB should be enough.
/dev/sda2 -> LVM (8e) - the rest of the disk

Configuring LUKS:

cryptsetup is used to interface with LUKS for formatting, mounting and unmounting encrypted partitions.

First make sure the device mapper kernel module is loaded:

# modprobe dm-mod

Then format it as an encrypted LUKS partition:

# cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 luksFormat /dev/sda2

  • --cipher: defines the cipher type
  • --key-size: defines the key size
  • --hash: defines the hash algorithm used for key derivation (sha512 here)

It looks like the AES cipher in XTS mode (XTS-AES) is the most popular these days.

Unlocking/Mapping LUKS partition with the Device Mapper:

To access the encrypted volume, it needs to be unlocked.

# cryptsetup open --type luks /dev/sda2 lvm

LVM:

Create a physical volume (on the encrypted volume) and a volume group.

# lvm pvcreate /dev/mapper/lvm
# lvm vgcreate lvmvg /dev/mapper/lvm

Create logical volumes on this new volume group.

# lvm lvcreate -L 10G -n root lvmvg
# lvm lvcreate -L 500M -n swap lvmvg
# lvm lvcreate -l 100%FREE -n home lvmvg

Format the filesystems on each logical volume.

# mkfs.ext4 /dev/mapper/lvmvg-root
# mkfs.ext4 /dev/mapper/lvmvg-home
# mkswap /dev/mapper/lvmvg-swap

Mount the filesystems.

# mount /dev/mapper/lvmvg-root /mnt
# mkdir /mnt/home
# mount /dev/mapper/lvmvg-home /mnt/home
# swapon /dev/mapper/lvmvg-swap

Prepare the boot partition.

# mkfs.ext2 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Configure Wireless Network:

The network connection needs to be configured before the installation can take place. Since my notebook uses WiFi, I need to configure the wireless network.

Check for the network interface and whether udev has loaded the driver.

# iwconfig
--------------------
eth0      no wireless extensions.
lo        no wireless extensions.
wlan0     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated  Tx-Power=14 dBm
          Retry long limit:7  RTS thr:off  Fragment thr:off
          Encryption key:off
          Power Management:on

It looks like wlan0 is available.

Interface activation:

Not required for mine, but here is how to activate the interface:

# ip link set wlan0 up

Access point discovery:

I know my network information like ESSID, encryption key, etc., but here is how to list available access points:

# iwlist wlan0 scan | less

Or, for the new netlink interface:

# iw dev wlan0 scan | less

Association to the access point:

Now a configuration file, /etc/wpa_supplicant.conf, needs to be created for my access point.

# vi /etc/wpa_supplicant.conf
--------------------
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
eapol_version=1
ap_scan=1
fast_reauth=1

These options are explained in /etc/wpa_supplicant/wpa_supplicant.conf

Append the passphrase and PSK to the file:

# wpa_passphrase SSID_NAME "PASSPHRASE" >> /etc/wpa_supplicant.conf

Manual connection:

The WiFi interface should be up by the earlier command ip link set wlan0 up, so now tell wpa_supplicant the driver (wext - Linux Wireless EXTensions), the SSID specified in /etc/wpa_supplicant.conf and the wireless interface.

# wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf

  • -B : Run in the background
  • -D : Driver information. Default is WEXT
  • -i : Wireless interface
  • -c : Configuration file

Request an IP address from the DHCP server.

# dhcpcd wlan0

Check the assigned IP address.

# ip addr show wlan0
wlan0: mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.6/24 brd 192.168.1.255 scope global wlan0
    inet6 fe80::ffff:ffff:ffff:ffff/64 scope link
       valid_lft forever preferred_lft forever

Select installation mirror:

Before installing, you may want to edit /etc/pacman.d/mirrorlist such that your preferred mirror is first. This copy of the mirrorlist will be installed on your new system by pacstrap as well, so it's worth getting it right.

Install the base system and other package groups:

The base system is installed using the pacstrap script. pacstrap is a script that installs packages to the specified new root directory. If no packages are given, pacstrap defaults to the "base" group.

Required X Window Systems packages for openbox will be installed in post-installation configuration.

The system uses a wireless network, so install the required wireless network packages.

# pacstrap /mnt base base-devel wireless_tools wpa_supplicant wpa_actiond

Configurations:

Let's configure the primary configuration files.

Generate an fstab file:

The fstab file contains static filesystem information. It defines how storage devices and partitions are to be mounted and integrated into the overall system. It is read by the mount command to determine which options to use when mounting a specific device or partition.

Check the resulting file afterwards, and watch especially for the swap entry.

# genfstab -p /mnt >> /mnt/etc/fstab
# vi /mnt/etc/fstab
--------------------
...
/dev/mapper/lvmvg-swap none swap defaults 0 0

Chroot into the system (Change root into the new system):

# arch-chroot /mnt

Editing /etc/rc.conf:

/etc/rc.conf is the configuration file for Arch's initscripts. Some of the options in this file have become obsolete and now have their own configuration files (ex: hostname, etc.). /etc/rc.conf still configures the daemons to start during boot-up and some networking and storage information.

Since LVM is used on this system, I need to enable it so that the kernel knows about it.

# vi /etc/rc.conf
--------------------
USELVM="yes"

Hostname:

Configuring the hostname requires updating two files, /etc/hostname and /etc/hosts.

Add the hostname in /etc/hostname:

# cat > /etc/hostname
archy64
^D

Add the hostname in /etc/hosts:

# vi /etc/hosts
--------------------
127.0.0.1 localhost.localdomain localhost archy64
::1 localhost.localdomain localhost archy64

Console fonts and keymap:

The console, meaning a terminal running with no X Window System, uses the ASCII character set as the default.

A console font is limited to either 256 or 512 characters. The fonts are found in /usr/share/kbd/consolefonts/.

Keymaps, the connection between the key pressed and the character used by the computer, are found in the subdirectories of /usr/share/kbd/keymaps/

# cat > /etc/vconsole.conf
KEYMAP=us
FONT=
FONT_MAP=
^D

  • KEYMAP - the default (us) is ok
  • FONT - the default (blank) is ok
  • FONT_MAP - the default (blank) is ok

Timezone:

Available time zones and subzones can be found in the /usr/share/zoneinfo/<Zone>/<SubZone> directories.

Create a symlink /etc/localtime to the zone file.

# ln -s /usr/share/zoneinfo/US/Eastern /etc/localtime

Locale:

Choose the locale(s) from /etc/locale.gen and uncomment them.

# vi /etc/locale.gen
--------------------
en_US.UTF-8 UTF-8
--------------------
# locale-gen

Setting up system-wide locale:

# cat > /etc/locale.conf
LANG=en_US.UTF-8
LC_TIME=en_US.UTF-8
^D

Set the LANG variable for the ramdisk creation:

# export LANG=en_US.UTF-8

Hardware clock time:

It's recommended to use UTC.

# hwclock --systohc --utc

Create an initial ramdisk environment:

Configure /etc/mkinitcpio.conf for encryption and LVM by adding encrypt lvm2 (in this order) in the HOOKS section before filesystems so that the kernel will find LVM volumes at boot time.

# vi /etc/mkinitcpio.conf
--------------------
HOOKS="...encrypt lvm2 filesystems..."

Now generate the kernel image.

# cd /boot
# mkinitcpio -p linux

Install and configure a bootloader:

# pacman -S grub-bios os-prober
# grub-install --recheck /dev/sda

Create a grub configuration file.

# grub-mkconfig --output /boot/grub/grub.cfg

/boot/grub/grub.cfg

Add cryptdevice=/dev/sda2:lvmvg between root=... and ro in the line that starts with linux. This needs to be done for both "Arch Linux" and "Arch Linux Fallback".

# vi /boot/grub/grub.cfg
--------------------
linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet
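
A mistake in either of the two edits above only shows up at the next boot: if encrypt does not come before lvm2 and filesystems in HOOKS, or one of the linux lines lacks cryptdevice=, the boot may stop before the root volume is found. The shell check below is an added example, not part of the original post; the function names and the sample files it writes are constructed, and it assumes HOOKS and each linux entry are written on a single line.

```sh
#!/bin/sh
# Added example: pre-reboot checks for the LVM-on-LUKS setup described above.
# Function names and the sample files below are constructed for illustration.

# hooks_order_ok FILE: HOOKS must list encrypt, lvm2, filesystems in that order.
hooks_order_ok() {
    # Last uncommented HOOKS= line, with quotes and parentheses stripped.
    hooks=$(grep -E '^[[:space:]]*HOOKS=' "$1" | tail -n 1 |
            sed 's/^[^=]*=//' | tr -d "()\"'")
    pos=0; enc=0; lvm=0; fs=0
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            encrypt)     enc=$pos ;;
            lvm2)        lvm=$pos ;;
            filesystems) fs=$pos ;;
        esac
    done
    [ "$enc" -gt 0 ] && [ "$lvm" -gt "$enc" ] && [ "$fs" -gt "$lvm" ]
}

# cmdline_ok "LINE": a GRUB linux line needs cryptdevice=<device>:<name>
# and a root= that points at a device-mapper node.
cmdline_ok() {
    crypt=; root=
    for arg in $1; do
        case $arg in
            cryptdevice=*) crypt=${arg#cryptdevice=} ;;
            root=*)        root=${arg#root=} ;;
        esac
    done
    case $crypt in
        ?*:?*) ;;              # device and mapping name both non-empty
        *) return 1 ;;
    esac
    case $root in
        /dev/mapper/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# grub_cfg_ok FILE: every linux entry (normal and fallback) must pass cmdline_ok.
grub_cfg_ok() {
    entries=$(grep -E '^[[:space:]]*linux[[:space:]]' "$1") || return 1
    old_ifs=$IFS
    IFS='
'
    for line in $entries; do
        IFS=$old_ifs
        cmdline_ok "$line" || return 1
    done
    IFS=$old_ifs
}

# Constructed sample inputs: one good and one misordered HOOKS line, and a
# grub.cfg whose fallback entry was left without cryptdevice=.
demo=$(mktemp -d)
echo 'HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"' \
    > "$demo/mkinitcpio.good"
echo 'HOOKS="base udev autodetect modconf block lvm2 encrypt filesystems keyboard fsck"' \
    > "$demo/mkinitcpio.bad"
cat > "$demo/grub.cfg" <<'EOF'
menuentry 'Arch Linux' {
    linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root cryptdevice=/dev/sda2:lvmvg ro quiet
}
menuentry 'Arch Linux Fallback' {
    linux /boot/vmlinuz-linux root=/dev/mapper/lvmvg-root ro quiet
}
EOF

for f in mkinitcpio.good mkinitcpio.bad; do
    if hooks_order_ok "$demo/$f"; then echo "$f: HOOKS order ok"
    else echo "$f: encrypt/lvm2/filesystems missing or out of order"; fi
done
if grub_cfg_ok "$demo/grub.cfg"; then echo "grub.cfg: ok"
else echo "grub.cfg: an entry lacks cryptdevice= or a /dev/mapper root"; fi
```

On the real system, point hooks_order_ok at /etc/mkinitcpio.conf and grub_cfg_ok at /boot/grub/grub.cfg from inside the chroot.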

Root password:

Set the root password now.

# passwd

Reboot:

Exit from chroot, unmount the partitions, close the device and reboot.

# exit
# umount -R /mnt/boot
# umount -R /mnt
# cryptsetup close lvm
# reboot

After rebooting, it should ask you for a passphrase like below:

Post-Installation

Updating the system:

Sync, refresh, and upgrade the entire new system.

# pacman -Syu

(or pacman --sync --refresh --sysupgrade)

Pacman will now download a fresh copy of the master package list from the server(s) defined in /etc/pacman.conf and perform all available upgrades.

Note: If you get the following error after executing the above command, most likely dhcpcd is not running or your network settings are not correct.

error: failed retrieving file '...' from ... : Could not resolve host: ...

Pacman output is saved in /var/log/pacman.log

Adding a user:

Now add a normal user account for daily tasks:

# useradd -m -g users -G audio,games,log,lp,optical,power,scanner,storage,video,wheel -s /bin/bash ubyt3m3

Set a password for ubyt3m3:

# passwd ubyt3m3

X Window System:

The X Window System (commonly X11, or X) is a networking and display protocol which provides windowing on bitmap displays. It provides the standard toolkit and protocol to build graphical user interfaces (GUIs).

Before installing X11, check what kind of video card you have:

# lspci | grep -e VGA -e 3D

Then install the base Xorg packages using pacman.

# pacman -S xorg-server xorg-xinit xorg-server-utils

During the installation, it'll ask you for the type of libgl. Based on the type of video card you have (the value returned by the lspci command above), choose the proper driver from the information below.

AMD/ATI
xf86-video-amdgpu ... mesa-libgl
xf86-video-ati ... mesa-libgl
catalyst ... catalyst-libgl

Intel
xf86-video-intel ... mesa-libgl

Nvidia
xf86-video-nouveau ... mesa-libgl
nvidia ... nvidia-libgl
nvidia-340xx ... nvidia-340xx-libgl
nvidia-304xx ... nvidia-304xx-libgl

Install video driver:

My system came with an ATI graphics card, so install the open source radeon driver.

# pacman -S xf86-video-ati

Install input driver:

Since this install is for a notebook, the following package is needed for the touchpad.

# pacman -S xf86-input-synaptics

Are you installing Arch Linux as VirtualBox Guest?

If you are like me, you'd test the installation of an OS or software on a virtual system before actually installing it on main systems. I use VirtualBox for that. In order for Arch Linux to run X11 within the VirtualBox guest environment, VirtualBox Guest Additions need to be installed.

# pacman -S virtualbox-guest-utils

After executing the above command, it'll ask you for guest modules. Choose virtualbox-guest-modules-arch if you used the linux kernel when you ran mkinitcpio -p linux during the configuration period. For other kernels, use virtualbox-guest-dkms.

Loading the VirtualBox kernel modules:

Before getting X11 to work in the guest environment, the VirtualBox kernel modules must be loaded. To do this automatically, enable the vboxservice service.

# systemctl enable vboxservice

Load the modules:

# modprobe -a vboxguest vboxsf vboxvideo

Testing X:

Install the default environment.

# pacman -S xorg-twm xorg-xclock xterm

Fonts

Install a set of TrueType fonts, as only unscalable bitmap fonts are included by default. DejaVu is a high-quality set.

# pacman -S ttf-dejavu

Now, that's a very base system. If you are interested in installing Openbox, you can follow steps in my post, Openbox (w/ Arch Linux).

That's all!
-gibb

Termux is the ONE for Android!

Ever since I learned Terminal IDE was not supported for Android 5.0 Lollipop, I was heartbroken because there weren't any git client programs as good as git on Terminal IDE. I was using SGit but wasn't really happy because of lack of flexibility, features, and ease of use.

However, I finally found the one that works today! It's called Termux. Termux is a terminal emulator, just like Terminal IDE, but it comes with an extensive collection of Linux packages, so you can install and manage the packages you want. Of course, it has git in its collection. So, I can say "bye, bye" to SGit now.

IMHO, Termux is for Android 5.0 Lollipop and above, and Terminal IDE is for Android 4.4 Kitkat and below.

Disclaimer:
The information on this site is the result of my research on the Internet and of my experience. It is used solely for my own purposes and may not be suitable for others. I will NOT take any responsibility for the end result of following these steps (although I will try to help if you send me your questions/problems).

Ok, the installation and configuration of Termux and git were easier than those of Terminal IDE in my opinion. Termux comes with a minimum base system. At this point, it doesn't do much so you'd need to install some packages. After getting Termux installed on my Galaxy Note 4, I opened it and typed the command below to update packages:

$ apt update

With a bunch of messages, packages are updated. Then I ran the following command to install git:

$ apt install git

No problem here. I then installed ssh. As you may know, bitbucket.org offers two ways to access a git repository, https and ssh. I could go either way, but ssh is such a useful utility. So, I installed it at this time:

$ apt install openssh

Now, the fun part starts - configuration. I've set up my web server Bit Web Server to look into /sdcard/www/ for source code, so I tried to clone code from my git repo, but it failed with a "Permission Denied" error. Hmm... is this because Termux doesn't have write permissions for security? Well, no problem. I seem to be able to clone into /data/data/com.termux/home/ and copy the source code into /sdcard/www/:

$ git clone https://[user_name]@bitbucket.org/[repo_name]/[repo_name].git
$ cp -r [repo_name] /sdcard/www/

After copying into the www directory, I learned that I can still run git commands like git push, git pull, etc... without any errors. Fantastic!! This means I don't need to copy back and forth between /data/data/com.termux/home/ and /sdcard/www/ every time I make updates.

Now, it's time to finish up by configuring git and Termux's user home environments.

For git, I ran the following commands to set up user information:

$ git config user.name "[username]"
$ git config user.email "[username]@[server]"

Then I edited the .bashrc file for some aliases. I created ~/.bashrc with some start-up configuration for the shell, but it didn't seem to take effect after restarting Termux. After poking around, I found a bashrc file that seems to be used globally for Termux in /data/data/com.termux/files/usr/etc/:

$ cd /data/data/com.termux/files/usr/etc/
$ vim bash.bashrc
---------------------------------
export GIT_AUTHOR_NAME="[username]"
export GIT_AUTHOR_EMAIL="[username]@[server]"
export GIT_COMMITTER_NAME=$GIT_AUTHOR_NAME
export GIT_COMMITTER_EMAIL=$GIT_AUTHOR_EMAIL
PS1='\[\e[00;32m\]\A \[\e[00;91m\]\u\[\e[01;93m\]@\h\[\e[00;37m\][\[\e[01;34m\]\w\[\e[00;37m\]]\n\[\e[47m\]\[\e[1;30m\]$\[\e[00m\] '
set -o vi

With all of these, git is ready for Android 5.0 Lollipop!

That's all!
-gibb

Debian Wheezy (7.5): Changing Default X Session

I mainly use Openbox. But after Debian Wheezy installation, X Window System defaulted to LXDE. It's not that much of a hassle to select Openbox from the drop-down menu every time I log on:

Debian_LoginBox

However, sometimes I forget to select Openbox, get LXDE, and re-log in with Openbox. This happened quite a few times and I finally decided to change its default X session to Openbox.

Disclaimer:
The information on this site is the result of my research on the Internet and of my experience. It is used solely for my own purposes and may not be suitable for others. I will NOT take any responsibility for the end result of following these steps (although I will try to help if you send me your questions/problems).

There are quite a few ways to do this. One way is to edit (or create if it doesn't exist) ~/.xsession or ~/.Xsession.

But I used the update-alternatives command:

$ update-alternatives --config x-session-manager

Debian_update-alternatives

As shown in the above image, select number 2 for Openbox. After logging out, Openbox becomes the default X Window Session!

That's all!
-gibb

Debian Wheezy (7.5): Name-Based Web Sites on a Single IP Address (vhosts)

Configuring virtual hosting on Debian Wheezy takes slightly different steps from doing it on Slackware. To avoid getting myself confused (and hopefully to help someone else set up their virtual host sites), these are the steps I used for my local sites.

Disclaimer:
The information on this site is the result of my research on the Internet and of my experience. It is used solely for my own purposes and may not be suitable for others. I will NOT take any responsibility for the end result of following these steps (although I will try to help if you send me your questions/problems).

1) Disabling Default Virtual Host

First, let's disable the default Apache virtual host with a2dissite. All this command does is remove the site's symlink from /etc/apache2/sites-enabled/.

# a2dissite default

2) Creating a New Directory and Setting Permissions

It's necessary to create a directory where each site's website files and logs reside and to grant ownership of the directory to the user instead of leaving it with root. For example, I'm setting up siteA.org and siteB.org.

siteA.org

# mkdir -p /var/www/siteA.org/public_html
# mkdir /var/www/siteA.org/logs
# chown -R [$user]:[$group] /var/www/siteA.org/public_html

siteB.org

# mkdir -p /var/www/siteB.org/public_html
# mkdir /var/www/siteB.org/logs
# chown -R [$user]:[$group] /var/www/siteB.org/public_html

3) Creating Config files

Each virtual host needs its own configuration file placed in the /etc/apache2/sites-available/ directory. The configuration files are as follows. Make sure that all directories specified in each conf file exist before you restart the apache process; otherwise, it'll fail to start.

siteA.org

# vim /etc/apache2/sites-available/siteA.org.conf
------------------------------------
<VirtualHost *:80>
    ServerAdmin webmaster@siteA.org
    ServerName siteA.org
    ServerAlias www.siteA.org
    DocumentRoot /var/www/siteA.org/public_html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/siteA.org/public_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/www/siteA.org/logs/error.log
    CustomLog /var/www/siteA.org/logs/access.log combined
</VirtualHost>

siteB.org

# vim /etc/apache2/sites-available/siteB.org.conf
------------------------------------
<VirtualHost *:80>
    ServerAdmin webmaster@siteA.org
    ServerName siteB.org
    ServerAlias www.siteB.org
    DocumentRoot /var/www/siteB.org/public_html
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/siteB.org/public_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/www/siteB.org/logs/error.log
    CustomLog /var/www/siteB.org/logs/access.log combined
</VirtualHost>

4) Enabling the Sites

Now activate the hosts:

# a2ensite siteA.org.conf
# a2ensite siteB.org.conf

5) Restarting Apache

Restart the Apache server to apply the changes:

# service apache2 restart

6) Setting Up Local Host

Edit /etc/hosts so that the sites can be found by name:

# vim /etc/hosts
------------------------------------
127.0.0.1 localhost siteA siteB
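
Step 3 warns that Apache will not start if a directory named in a conf file is missing. One way to check that before the restart in step 5 is the shell function below; it is an added example, not part of the original post, the function name and the demo tree are constructed, and it only looks at absolute paths with the directive names spelled as in this post.

```sh
#!/bin/sh
# Added example: list directories a vhost file depends on that do not exist.
# The function name and the demo tree below are constructed for illustration.

# vhost_missing_dirs CONF
# Prints "<Directive>: <dir>" for every missing DocumentRoot and for every
# missing parent directory of an ErrorLog/CustomLog. Returns 1 if any is missing.
vhost_missing_dirs() {
    missing=0
    while read -r directive path rest; do
        # Strip optional double quotes around the path.
        path=${path#\"}
        path=${path%\"}
        case $path in
            /*) ;;            # absolute path: check it
            *)  continue ;;   # piped logs ("|...") and relative paths are skipped
        esac
        case $directive in
            DocumentRoot)       dir=$path ;;
            ErrorLog|CustomLog) dir=$(dirname "$path") ;;
            *) continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "$directive: $dir"
            missing=1
        fi
    done < "$1"
    return "$missing"
}

# Constructed demo tree: siteA.org is complete, while the document root of
# siteB.org was created under a misspelled name (siteB instead of siteB.org).
root=$(mktemp -d)
mkdir -p "$root/siteA.org/public_html" "$root/siteA.org/logs"
mkdir -p "$root/siteB/public_html" "$root/siteB.org/logs"
for site in siteA.org siteB.org; do
    cat > "$root/$site.conf" <<EOF
<VirtualHost *:80>
    ServerName $site
    DocumentRoot $root/$site/public_html
    ErrorLog $root/$site/logs/error.log
    CustomLog $root/$site/logs/access.log combined
</VirtualHost>
EOF
done

for site in siteA.org siteB.org; do
    if vhost_missing_dirs "$root/$site.conf"; then
        echo "$site: all directories present"
    else
        echo "$site: create the directories listed above before restarting Apache"
    fi
done
```

On the server itself, run vhost_missing_dirs against each file in /etc/apache2/sites-available/ before step 5.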

That's all!
-gibb

Debian Wheezy (7.5): LAMP (Linux, Apache, MariaDB, and PHP)

LAMP used to refer to Linux, Apache, MySQL, and PHP but nowadays the trend is transitioning from MySQL to MySQL's drop-in replacement MariaDB. The Slackware project switched the default database to MariaDB back in March 2013 for the version 14.1 and forward.

I was a little concerned about this change and wasn't sure if my web sites would work with MariaDB. However, my worry was trivial. MariaDB uses the same files as MySQL so this makes migration a lot easier.

So it's natural for me to try MariaDB on my new Debian Wheezy (7.5) system.

Disclaimer:
The information on this site is the result of my research on the Internet and of my experience. It is used solely for my own purposes and may not be suitable for others. I will NOT take any responsibility for the end result of following these steps (although I will try to help if you send me your questions/problems).

Installing Apache2

First, make sure the system is up-to-date:

# apt-get update && apt-get upgrade -y

Then, install apache2:

# apt-get install apache2

Add apache2 to system start-up and start it up now:

# update-rc.d apache2 enable
update-rc.d: using dependency based boot sequencing
# service apache2 start
[ ok ] Starting web server: apache2.

If you open a web browser and point it to http://localhost, you'll see the message It works!

Installing php5

Next, install php5 along with the apache php5 module, MySQL (MariaDB) php module, and other modules:

# apt-get install php5-curl php5-xmlrpc php5-gd php5-intl libapache2-mod-php5 php5 php5-common php5-dev php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy

Restart the web server:

# service apache2 restart

Test the php support by creating a php file (phpinfo.php) in the default document root, /var/www:

# vim /var/www/phpinfo.php
--------------------------------------------
<?php phpinfo(); ?>

With successful installation/configuration, below page should be loaded:
debian_lamp_install_phpinfo

Installing MariaDB

To properly install and configure MariaDB, I need to know the version/codename of this Debian. I already know it's Wheezy but to check, type the following command:

# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 7.5 (wheezy)
Release:        7.5
Codename:       wheezy

Now, open a web browser and go to MariaDB's download page to get the repository information for MariaDB: debian_lamp_install_mariadb_config

Above selection produces below repository info:
debian_lamp_install_mariadb_repo

Create a file called mariadb.list under /etc/apt/sources.list.d and copy & paste the repository info:

# vim /etc/apt/sources.list.d/mariadb.list
--------------------------------------------
# MariaDB 10.0 repository list - created 2014-05-10 06:44 UTC
# http://mariadb.org/mariadb/repositories/
deb http://mirror.jmu.edu/pub/mariadb/repo/10.0/debian wheezy main
deb-src http://mirror.jmu.edu/pub/mariadb/repo/10.0/debian wheezy main

Add MariaDB to the system:

# apt-get install python-software-properties
# apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xcbcb082a1bb943db
# apt-get update
# apt-get install mariadb-server

Follow the on-screen instructions to set up a root password for MariaDB server.

Let's see if MariaDB server was successfully installed:

# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.0.10-MariaDB-1~wheezy mariadb.org binary distribution

Copyright (c) 2000, 2014 Oracle, SkySQL Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Voilà! With the above steps, I have successfully installed a LAMP stack on my Debian Wheezy server.

If you are interested, take a look at my post on VirtualHost: Name-Based Web Sites on a Single IP Address

That's all!
-gibb