This is the line defining my bash prompt in .bashrc, using some colors:

PS1='\[\e[0;32m\][\u@\H\[\e[m\] \[\e[1;34m\]\w\[\e[m\] \[\e[0;32m\]]\[\e[1;32m\]\$\[\e[m\] \[\e[0m\]'

This is what my prompt looks like:

My colored bash prompt, in Yakuake

If I’m not wrong, the characters in bold give the content of the prompt, the other ones are color-codes.

I currently haven’t found out how to use this prompt by default for all users, even existing ones, without modifying each user’s .bashrc file.

For new users to use this prompt, modify /etc/skel/.bashrc.

On the web, you’ll find how to set up ArchLinux with LVM, or with RAID, or with encryption, but not with the combination of these three technologies.  This article explains the different steps I took to set up these three technologies with ArchLinux.

Required skills:

Sound understanding of Linux (ArchLinux specifics may be useful…) and raid, lvm2, partitioning, encryption.

The story

During the last days I reinstalled my server (AMD x86_64), which runs several VirtualBox VMs, with ArchLinux.

It’s a simple PC with 3 hard drives: one for the OS and two 500GB drives which hold my data and VMs.

Here’s the detail of my hard disk setup:

  • The OS hard drive: This one is encrypted using LUKS and then runs LVM for the partitioning.  There are 2 primary partitions: one for /boot, not encrypted, and one which contains the encrypted LVM partitions.  Thus, the root partition is encrypted and on LVM, which needs specific setup in Grub.
  • The 2 data hard drives: These are raided-1 (simple duplication), the raid array is encrypted, and the partitioning is done using LVM.  The array only contains 1 single primary partition, spanning the whole space and containing the LVM partitions.

I never dared install ArchLinux on top of this setup before (so I ran my server using openSUSE, and recently Fedora 13), because of the not so user friendly ArchLinux install software.  I added encryption to my setup when I installed Fedora 13, using the Fedora installer Anaconda.  But some days ago, as I encountered several issues using Fedora 13, I decided to give ArchLinux a try. Please note that I was really surprised by the Fedora 13 release (it’s quite slick and very stable), but ArchLinux (the control I have over it and the gargantuan software collection it provides) is better suited to my advanced needs.  More precisely, in Fedora 13, I’ve found nothing as easy as netcfg to set up my network interfaces like I wanted (quite complicated, not explained here).

So here are the steps:

Hard drive setup

Set up the hard drives (partitioning, RAID-1 and LVM2) with the Fedora 13 installer Anaconda.  Simply put in the Fedora 13 install disk and make a simple install with the disk setup you need.  The installed OS will be of no use; the purpose here is to set up the disks, not the OS.  The Fedora 13 install software is very easy to use, as the hard drive setup is visual.
openSUSE may be OK too, as Yast is also visual and easy to use.

ArchLinux installation

Boot using the ArchLinux Install CD.
Choose the correct keymap for your PC:

km

Load the encryption, raid1 and LVM modules:

modprobe dm-crypt
modprobe dm-mod
modprobe raid1

Assemble the raid (as it was created with the Fedora 13 installer, there is no need to create it):

mdadm -A /dev/md0 /dev/sdc1 /dev/sdb1

Set up encryption on the OS hard drive and the data array (again, as the encrypted drives already exist, there is no need to create them; simply open them with your passphrases):

cryptsetup luksOpen /dev/sda2 system
cryptsetup luksOpen /dev/md0 data

Scan for LVM volume groups and activate them:

vgscan
vgchange -ay

Then run the ArchLinux install software:

/arch/setup

Configure your installation (use the existing partitions!) until the packages have been installed.
Immediately after package installation, change to another terminal with the key combination CTRL-ALT-F2, and login as root.
Now, replace the mdadm.conf file with the one corresponding to your setup (this step is needed, as this file is used to generate the initrd image with mkinitcpio):

rm /mnt/etc/mdadm.conf
mdadm --examine --scan >> /mnt/etc/mdadm.conf

Come back to the install software with the key combination CTRL-ALT-F1.
Now, in the install software, edit your configuration files:

rc.conf

USELVM=yes
KEYMAP=be-latin1

You may replace be-latin1 with your keymap.

mkinitcpio.conf

MODULES=(... dm-mod dm-crypt aes_x86_64 raid1 ...)
HOOKS=(... mdadm keymap encrypt lvm2 filesystems...)

The order in the HOOKS array is very important:

  • keymap sets the keymap before the encryption passphrase for the drives is requested.
  • encrypt is necessary to decrypt the drives, which gives lvm2 access to their content.
  • lvm2 provides the partitions, which are needed to mount the filesystems.

I think the mdadm hook is not needed, as the root partition is not on top of a raid.  But if it was, it would be required!
Based on your setup (lvm2 over encryption over raid, encryption of single lvm2 drives,…), the order may change, so your understanding of how these technologies are set up on your drives really is relevant.
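
One way to check the ordering before rebooting, as an added example that is not part of the original article: the function below reads the HOOKS line of a mkinitcpio.conf and confirms that the named hooks appear in the required relative order. The function name and the sample file are hypothetical, and it assumes HOOKS= is written on a single line.

```shell
#!/bin/sh
# Added example: verify that hooks appear in a required relative order.
# Assumes HOOKS= is written on a single line, as in the excerpt above.

# hooks_in_order FILE HOOK...
# Returns 0 when every HOOK is present and they appear in the given order.
hooks_in_order() {
    conf=$1; shift
    # Last uncommented HOOKS= line, with quotes and parentheses stripped
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=//p' "$conf" | tail -n 1 | tr -d '()"'"'")
    last=0
    for want in "$@"; do
        pos=0; found=0
        for h in $hooks; do
            pos=$((pos + 1))
            if [ "$h" = "$want" ]; then found=$pos; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "missing hook: $want"; return 1
        fi
        if [ "$found" -le "$last" ]; then
            echo "hook out of order: $want"; return 1
        fi
        last=$found
    done
    return 0
}

# Constructed sample file (not the author's full configuration)
sample=$(mktemp)
printf 'HOOKS=(base udev mdadm keymap encrypt lvm2 filesystems)\n' > "$sample"
if hooks_in_order "$sample" keymap encrypt lvm2 filesystems; then
    echo "HOOKS order is consistent with LVM on top of LUKS"
fi
rm -f "$sample"
```

For a layout where the root filesystem also sits on the RAID array, pass mdadm as the first hook name so its position is checked as well.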

locale.gen

Remove the leading hash (#) in front of your locale.

pacman.conf

Strictly speaking, this is not needed at all for this setup, but I can’t imagine using ArchLinux without this repository, so I always enable it:

[archlinuxfr]
Server = http://repo.archlinux.fr/x86_64

Now validate your config files.  The system launches mkinitcpio, which generates initrd images.
Now edit your menu.lst file.  Add cryptdevice=/dev/sda2:vg_system to the kernel line (adapt it to your config, replace sda2 by your encrypted partition and vg_system by your LVM2 volume group’s name).  Following are my configurations:

# (0) Arch Linux
title  Arch Linux
root   (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/vg_system-root cryptdevice=/dev/sda2:vg_system ro
initrd /kernel26.img

# (1) Arch Linux
title  Arch Linux Fallback
root   (hd0,0)
kernel /vmlinuz26 root=/dev/mapper/vg_system-root cryptdevice=/dev/sda2:vg_system ro
initrd /kernel26-fallback.img

Save the file, install grub to your MBR.
Now, to automatically mount the encrypted data partitions (those on the raid1), the system must know your passphrase.  That’s the purpose of the /etc/crypttab file.

nano /mnt/etc/crypttab

Add the line:

data /dev/md0 PASSPHRASE

  • The device /dev/md0 should be the same as the one in /etc/mdadm.conf.
  • Replace PASSPHRASE with the one you chose for your system.
  • Make sure /etc/crypttab is readable only by root; otherwise any other user on the system can read your passphrase!

The use of /etc/crypttab conveniently avoids asking the user for two passphrases, one for the OS encrypted drive and one for the data encrypted drive.  At boot, you enter your OS-encrypted-partition passphrase, and then the system reads /etc/crypttab to decrypt the data-encrypted-partition.
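
The permission check from the list above can be scripted. The following is an added example, not part of the original article: it reports a crypttab whose mode lets group or others read it, and lists entries whose third field is a passphrase stored in the file itself. The function name is hypothetical, and treating ASK, SWAP, none, - and absolute paths as "not an inline passphrase" is an assumption about the crypttab format in use.

```shell
#!/bin/sh
# Added example: audit a crypttab for loose permissions and inline passphrases.

# audit_crypttab FILE
# Prints one finding per line; returns 0 when clean, 1 when there are findings.
audit_crypttab() {
    file=$1
    findings=0
    mode=$(stat -c '%a' "$file") || return 2
    # Any group/other permission bit means non-root users can get at the file
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE $file is $mode; group/other bits set, expected 600"
        findings=1
    fi
    while read -r name dev key rest; do
        case $name in ''|'#'*) continue ;; esac     # skip blanks and comments
        case $key in
            ''|none|-|ASK|SWAP|/*) ;;               # prompt, swap or key file path (assumed keywords)
            *) echo "INLINE $name ($dev): passphrase stored in the file itself"
               findings=1 ;;
        esac
    done < "$file"
    return $findings
}

# Constructed sample mirroring the entry above, with a deliberately loose mode
sample=$(mktemp)
printf '# constructed sample\ndata /dev/md0 PASSPHRASE\n' > "$sample"
chmod 644 "$sample"
audit_crypttab "$sample" || echo "fix: keep the file root-owned, mode 600"
rm -f "$sample"
```

Since the passphrase is stored in clear text on the encrypted root volume, the file is protected at rest only while that volume is locked; the mode check covers the running system.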

Enjoy!

Now, if everything went fine, you may reboot and enjoy using your fresh ArchLinux system.
Should there be steps you don’t understand or that contain errors, feel free to leave a comment and I’ll make the corrections.

My laptop currently runs the 64-bit version of Arch Linux.

The last time (some years ago, I must admit) I tried to run a 64-bit Linux distribution, I was disappointed by the issues that existed with some Firefox plugins, Skype and some other 32-bit applications.

Some weeks ago, I had to reinstall my laptop and thought it was time again to give a 64-bit distro a try.  So I installed Arch Linux 64-bit.

And well, after some weeks of use as a desktop distro, I must say that in the end there is no single significant difference between the 64-bit and the 32-bit versions of Arch Linux.  Flash works, Skype works.  The set-up of Skype is not straightforward, but after I manually installed 32-bit libraries which are needed by Skype but not automatically installed, Skype now runs flawlessly, on top of Pulseaudio.

On the server side, I’ve already been using Arch64 for some time now (virtualized on an openSUSE 64-bit host) and it runs flawlessly, but that’s no big challenge for a modern Linux distro…

I still don’t know what the 64-bit desktop versions of Ubuntu, openSUSE or Fedora are worth, but I’m very happy to see that Arch64 is rock-solid, and I would definitely recommend it to anybody who has some basic command-line knowledge.

To be more complete, I should also try running some 32-bit closed source games on Arch64, but I really don’t have much time to try, as I’m not really interested in computer games.

As most of you probably don’t know, my preferred Linux distro is Arch Linux.  I use it on almost every computer I have:

  • On my desktop computer (Intel Core 2 Duo with embedded Intel Graphics Card)
  • On my laptop (Acer 5920G)
  • On my server (AMD Athlon X2) – a virtualized instance of Arch Linux
  • On my girlfriend’s laptop (Asus M51SE) (OK, I must admit that I’m responsible for installing software and configuring the laptop – and in the end, that’s quite the best solution, she avoids issues with Linux and I’m sure she has a well configured laptop, but she’s the one who uses this and she’s accustomed to it now, I would even bet she wouldn’t switch back to Windows if she could…)

In this article, I’ll explain how I configure my Arch Linux PCs.

/etc/pacman.d/mirrorlist

Here I uncomment the Belnet lines (as I’m in Belgium) and some other German- and French-based servers.

/etc/pacman.conf

Here I only add the archlinuxfr repository:

[archlinuxfr]
Server = http://repo.archlinux.fr/x86_64

/etc/mkinitcpio.conf

As I already use btrfs (but unfortunately I still haven’t figured out how to use it as root), I’ve modified the modules list to:

MODULES="crc32c libcrc32c btrfs zlib_deflate"

This is my HOOKS list:

HOOKS="base udev autodetect pata scsi sata filesystems btrfs resume consolefont"

And finally I uncommented the line:

COMPRESSION="lzma"

/etc/makepkg.conf

Here I optimized the compilation flags to:

CFLAGS="-march=native -mtune=native -O3 -pipe"
CXXFLAGS="-march=native -mtune=native -O3 -pipe"
LDFLAGS="-Wl,--hash-style=gnu -Wl,--as-needed"
MAKEFLAGS="-j3"

These optimizations are useful in two cases: when I install packages from AUR which are built from source and when I use srcpac instead of pacman, to compile the packages myself instead of installing precompiled binaries.

I usually use srcpac when I install software that is often used, like the kernel (package kernel26), the QT 4 libraries (I always use the latest KDE), hal, vlc, kdebase-workspace, konsole, chromium (that has become my favourite web browser) and so on.  This recompiles and optimizes software for my PC architecture thus I’m sure the performance is high.

/etc/rc.conf

In this file I’ve made little changes.  I won’t show the modules and daemons lists, as they depend on the software one installs on a PC.

I use terminus-font as the console font:

CONSOLEFONT="ter-v16b"

Instead of using pacman, I use pacman-color.
Instead of using pacman-color, I use powerpill.
Instead of using powerpill, I use yaourt.
Well, that’s the chain of wrappers around pacman I use:
yaourt->powerpill->pacman-color->pacman

This provides colorized output and parallel (thus faster) package downloads.

Simply change in /etc/yaourtrc:
PacmanBin = /usr/bin/powerpill
and in /etc/powerpill.conf:
PacmanBin = /usr/bin/pacman-color

This week-end, I managed to reconfigure my complete home network to use a virtualized instance of Endian Firewall 2.3 Community.  And it rocks.

You simply download the ISO file, install it in a new VM, connect to its web interface, and that’s all.  Or almost.  I think even people without much knowledge of TCP/IP would be able to use it after some hours.  It took me 3 hours to completely set it up: DHCP, internal zone and DMZ, routing, DNS, firewall, proxy (transparent proxy, the must for easy configuration and control of every single byte transmitted through the network), anti-virus and VPN.

All these applications are configured through one single coherent web interface.  WOW!

I just thought: maybe we should call a firewall with anti-virus an ‘anti-firus’?

OK that’s dumb, I know. Sorry.

The only other appliance I had to set up was a DNS server – quite easy with openSUSE 11.1.  The next step will consist of setting up an LDAP server.  But that’s another story.

Not everything is perfect: for example, one cannot easily install other software on this appliance.  I would have expected to be able to install some DNS server on it, or some other security-related software.  It’s not clear how this should be managed.  Never mind, that’s not a show-stopper.

For anyone looking for a simple free firewall-proxy-VPN-dhcp-QOS appliance, I can only recommend Endian Firewall Community.

Check it at: http://www.endian.com/

Yesterday (July 23rd, 2009) I took and passed the LPI Level 1 Exam 101, with a global score of 580 (from min 200 to max 800, required passing score 500).

Here are my results for the different topics:

  • System Architecture: 75%
  • Linux Installation and Package Management: 72%
  • GNU and Unix Commands: 57%
  • Devices, Linux Filesystems, Filesystem Hierarchy Standard: 80%

There’s a second part I must pass before I get certified for the Level 1 (out of 3).

Linux Professional Institute: http://www.lpi.org

LPI certifications are vendor neutral.