Monday, 21 April 2014

Install Arch With Encrypted LVM

Any device with data that you own should have encryption to protect data at rest.

In a previous post, I described how to install Arch with LVM. Here I add the commands that encrypt a disk partition with LUKS (dm-crypt) and use the unlocked device as your LVM physical volume. I use this method, done at installation time, for machines such as a new Arch Linux laptop whose storage will not span physical drives. If you wish to encrypt your desktop drive, it may be better to follow the LUKS on LVM method instead of the LVM on LUKS that I use here.

So after you have partitioned your drive but before creating your physical volume, encrypt that partition.

    cryptsetup --verify-passphrase luksFormat /dev/sda2

Now you need to open the newly encrypted partition, naming it lvm, so the LVM physical volume can be created on it.

    cryptsetup open --type luks /dev/sda2 lvm

Now replace the pvcreate and vgcreate commands from the LVM post with these, which use the encrypted partition.

    pvcreate /dev/mapper/lvm
    vgcreate system /dev/mapper/lvm


Now continue with the LVM posting and your installation guide of choice. Your disk will look like this:



My /etc/fstab now looks like this - note, this is an SSD drive.




When you get to the configuring mkinitcpio.conf section, add encrypt before lvm2 in the HOOKS parameter.

    HOOKS="...block encrypt lvm2..."

I disabled UUID disk identification as well, but this is optional. This setting goes in /etc/default/grub.

    GRUB_DISABLE_LINUX_UUID=true

Ensure you create the new initramfs file after editing mkinitcpio.conf.

One more thing: you need to tell the bootloader about the encrypted partition by editing /etc/default/grub.

    GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:system:allow-discards"

Finish your Arch install.
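
A pre-reboot check of the two files edited above, as an added example that is not part of the original post. The function names and the sample files are constructed for illustration; the keyboard-hook and allow-discards notes go slightly beyond what the post covers.

```shell
#!/bin/sh
# Added example: check the HOOKS order and the cryptdevice= kernel argument.

# Succeed only if HOOKS has block < encrypt < lvm2 < filesystems.
# Leaves the hook positions in globals (kb, encrypt) for the note below.
hooks_order_ok() {
    pos=0; block=0; encrypt=0; lvm2=0; fs=0; kb=0
    hooks=$(sed -n 's/^HOOKS=["(]\(.*\)[")][[:space:]]*$/\1/p' "$1" | tail -n 1)
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            block) block=$pos ;;
            encrypt) encrypt=$pos ;;
            lvm2) lvm2=$pos ;;
            filesystems) fs=$pos ;;
            keyboard) kb=$pos ;;
        esac
    done
    [ "$block" -gt 0 ] && [ "$encrypt" -gt "$block" ] &&
        [ "$lvm2" -gt "$encrypt" ] && [ "$fs" -gt "$lvm2" ]
}

# Print the cryptdevice= value (device:dmname[:options]) from
# GRUB_CMDLINE_LINUX, or nothing if it is missing.
cryptdevice_of() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" |
        tr ' ' '\n' | sed -n 's/^cryptdevice=//p' | tail -n 1
}

# Succeed if the options field enables TRIM pass-through.
discards_enabled() {
    case $(cryptdevice_of "$1") in
        *:*:*allow-discards*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report problems; non-zero means the volume would not be unlocked at boot.
check_boot_config() {   # usage: check_boot_config MKINITCPIO_CONF GRUB_DEFAULTS
    rc=0
    hooks_order_ok "$1" ||
        { echo "HOOKS: expected block, encrypt, lvm2, filesystems in that order"; rc=1; }
    if [ "$encrypt" -gt 0 ] && { [ "$kb" -eq 0 ] || [ "$kb" -gt "$encrypt" ]; }; then
        echo "note: keyboard hook is not before encrypt; modular keyboards may not work at the passphrase prompt"
    fi
    [ -n "$(cryptdevice_of "$2")" ] ||
        { echo "GRUB_CMDLINE_LINUX: no cryptdevice= argument"; rc=1; }
    if discards_enabled "$2"; then
        echo "note: allow-discards passes TRIM through dm-crypt, exposing which blocks are unused"
    fi
    return "$rc"
}

# Constructed sample files mirroring the settings shown in this post.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'HOOKS="base udev autodetect modconf block encrypt lvm2 filesystems keyboard fsck"' > "$d/mkinitcpio.conf"
printf '%s\n' 'GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:system:allow-discards"' > "$d/grub"
check_boot_config "$d/mkinitcpio.conf" "$d/grub"
```

To check a real install, call `check_boot_config /etc/mkinitcpio.conf /etc/default/grub` from inside the chroot before rebooting.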

Sunday, 13 April 2014

Running SSH With a Non-Default Port in Fedora 20

I admit it, I'm a noob to using Fedora.  But I've jumped in with both feet and am enjoying it very much.  One of the very first things I do to a new installation of GNU/Linux is set up SSH for remote access.

After setting up your /etc/ssh/sshd_config with a different port than the default, 22, you need to enable the service and allow access to the port in Fedora 20.

    sudo vim /etc/ssh/sshd_config

It's a very good idea to go through this file and set it up appropriately. But for the purposes of this post, set Port 22022.

I'm cheating - using a GUI tool to set the firewall as I'm still learning firewall-cmd. So run sudo firewall-config. You want to change the configuration to Permanent, select the Services tab, then select the ssh Service. Now in the Ports and Protocols, select Add. Simply enter the port number you wish to use (I'm using 22022), then select OK. You will end up with something like this.


Almost done.  Select the Options menu and then Reload Firewalld.

You can check if your changes took hold by switching back the configuration to Runtime, and then view the ssh Service.



You need to configure SELinux to allow the new port.  A simple command will do it.

    sudo semanage port -a -t ssh_port_t -p tcp 22022

Now you can (re)start and enable the service.

    sudo systemctl restart sshd.service
    sudo systemctl enable sshd.service


Want to test if everything is okay? First look at the service.

    sudo systemctl status sshd.service

Finally, ssh to the box for a final test.
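
The procedure above cross-checked from the shell, as an added example that is not from the original post: it compares the Port lines in sshd_config with the ports SELinux labels ssh_port_t. The function names and sample data are constructed; the firewall-cmd lines in the comments are the command-line route to opening the port, in place of the firewall-config GUI.

```shell
#!/bin/sh
# Added example: confirm sshd_config and the SELinux port label agree.
#
# On the live system the inputs come from:
#   sudo semanage port -l | unlabelled_ports /etc/ssh/sshd_config
# and the firewall can be opened without the GUI with:
#   sudo firewall-cmd --permanent --add-port=22022/tcp
#   sudo firewall-cmd --reload

# Print every active Port value in an sshd_config (22 if none is set).
sshd_ports() {
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${ports:-22}"
}

# Read `semanage port -l` output on stdin; print tcp ports labelled ssh_port_t.
selinux_ssh_ports() {
    awk '$1 == "ssh_port_t" && $2 == "tcp" {
             for (i = 3; i <= NF; i++) { gsub(",", "", $i); print $i }
         }'
}

# Print sshd ports that lack the ssh_port_t label; succeed if there are none.
unlabelled_ports() {   # usage: unlabelled_ports SSHD_CONFIG < semanage-output
    labelled=$(selinux_ssh_ports)
    missing=""
    for p in $(sshd_ports "$1"); do
        echo "$labelled" | grep -qx "$p" || missing="$missing $p"
    done
    [ -z "$missing" ] && return 0
    echo "not labelled ssh_port_t:$missing"
    return 1
}

# Constructed sample data: Port 22022 configured, before and after semanage.
cfg=$(mktemp); trap 'rm -f "$cfg"' EXIT
printf '%s\n' '#Port 22' 'Port 22022' 'PermitRootLogin no' > "$cfg"
before='ssh_port_t                     tcp      22'
after='ssh_port_t                     tcp      22022, 22'
echo "$before" | unlabelled_ports "$cfg" || true
echo "$after" | unlabelled_ports "$cfg" && echo "SELinux label matches sshd_config"
```

If the label is missing, sshd fails to bind the new port under SELinux enforcing mode, which is why the check is worth running before restarting the service on a remote box.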

Tuesday, 8 April 2014

Installing Arch Linux With LVM

The question is not "are you using LVM" but "why aren't you using LVM"?  (I'm politely ignoring Btrfs for this posting, I'll post on that another time)

I won't get into the benefits of using the Logical Volume Manager (LVM) - but it's a stable disk management system that has been in the Linux world since 1998 - and I cannot imagine installing a Linux system (from laptop to server) without it.

I can go on - give you some war stories - but instead let me give you the few commands you include when installing Arch Linux with LVM.

Following the Installation Guide (or maybe the Beginners Guide), when you get to partitioning you will want to load this module.

    modprobe dm-mod

Next you will partition your disk(s).  I will show you a simplified setup using MBR with a separate /boot partition (call me old school).  Notice /dev/sda2 type is Linux LVM.  You could create a single large partition, or even multiple Linux LVM type-partitions on different disks.



Next you need to set up LVM inside the Linux LVM type-partition.  First initialize the physical volume, the /dev/sda2 partition you created above.

    pvcreate /dev/sda2

Next you need a volume group, keeping it simple I'll just create the one - naming it system.

    vgcreate system /dev/sda2

Now your logical volumes, where the fun happens (notice the system volume group label).

    lvcreate -L 25G -n root system
    lvcreate -L 16G -n swap system
    lvcreate -l 100%FREE -n home system

Now you come to the formatting portion of the instructions.  It's essentially the same, just the syntax is a little different.

    mkfs.ext4 /dev/sda1
    mkfs.ext4 /dev/mapper/system-root
    mkfs.ext4 /dev/mapper/system-home

And the same for your swap logical volume.

    mkswap /dev/mapper/system-swap
    swapon /dev/mapper/system-swap

Now mount those bad-boys.

    mount /dev/mapper/system-root /mnt
    mkdir /mnt/home /mnt/boot
    mount /dev/sda1 /mnt/boot
    mount /dev/mapper/system-home /mnt/home

When you create your /etc/fstab ensure everything is correct.



Now edit your /etc/mkinitcpio.conf to add the lvm2 HOOK between block and filesystems so it looks like this.

    HOOKS="base udev autodetect modconf block lvm2 filesystems keyboard fsck"

In the same file add dm-mod to MODULES.

    MODULES="dm-mod"

Any time you edit that file, remember to run the following.

    mkinitcpio -p linux

I didn't include the /boot partition in LVM or I would have had to include the lvm module in /etc/default/grub, like this.  Remember to do this before creating the /boot/grub/grub.cfg.

    GRUB_PRELOAD_MODULES="part_gpt part_msdos lvm"

That is pretty much it.  You may get warnings when generating your /boot/grub/grub.cfg, but as long as there are no errors all should be good.

Continue with the remainder of your instructions and remember the most important thing - have fun with your Arch system!

This is just showing you how to install Arch Linux using LVM - not even touching on why you should do this or, now that it's installed and configured, what you can do with it.

Migrate VMware Fusion Virtual Machines to VirtualBox

If you Google on how to migrate a VMware Fusion virtual machine (VM) to Oracle VirtualBox, you will find a lot of different methods and responses.  I selected the following due to the simplicity of it, as well as the small size of the open virtualization format (OVF) used for moving between physical machines.

On your OSX machine that has Fusion installed, and since we will be working from the command line, I link the ovftool to /usr/local/bin/ which is on my $PATH (you can link it to any other location, or skip and access with the full path).
    ln -s /Applications/VMware\ Fusion.app/Contents/Library/VMware\ OVF\ Tool/ovftool /usr/local/bin/
Ensure your VM is powered off before starting this.  Run the tool against the VMX file - outputting the OVF file to wherever you want.
    ovftool --acceptAllEulas ../../Virtual\ Machines.localized/Debian.vmwarevm/Debian.vmx Debian.ovf
Then in VirtualBox do an Import Appliance from the File menu.

Once finished, don't forget to remove the VMware Tools and install the VirtualBox Guest Additions.  Oh yeah, double check your VirtualBox settings for this newly converted VM as well - do not assume they converted correctly.

Finally, cross your fingers and start it up!




Thursday, 27 March 2014

Use Remote Login on OSX for File Sharing

Big shocker - I'm a heterogeneous kind of guy.

While I prefer Linux, I also have OSX boxes - and sometimes the odd Windows machine will show up on my LAN.  I want to share files across these machines.  You'd suggest SMB right (or File Sharing in Apple parlance)?

Wrong.

For a long time, File Sharing (SMB or AFP) was a hit and miss type of service on every OSX machine I used.  Most of the time it worked - and then it didn't, and you hunt around for a cause, trying various actions to fix the issue that strangely appeared without any changes to the machine.  It was frustrating.  (and no, it wasn't just user error! lol)

Then the fix hit me one day - SFTP!

And I've never been happier.  (and the bonus, all my communications are encrypted!)

On your OSX box, head to System Preferences -> Sharing -> disable File Sharing and enable Remote Login.  Choose who to allow onto your box.


You may not know it - but your life just got easier (and less frustrating).

Connecting to that machine from various other machines will now be dependable and consistent.  You can use, from your command line, sftp, ssh, scp (and probably others).  For GUI clients, there are too many to list - from Dolphin on KDE, to ForkLift on OSX.

The biggest negative to this solution is that the default Connect to Server on OSX won't (natively) support SSH, neither does Windows.  There are ways to make me into a liar though - and I encourage you to check these out.

While describing OpenSSH is out of scope for this post - configuring this tool correctly will allow for a secure and simpler authentication experience.

Sunday, 23 March 2014

Speed Up Your Browsing with Profile-Sync-Daemon

What if I told you that you could greatly speed up your browser while reducing the physical wear on your hard drive?  You'd call me a daft bugger I'd bet!  :-)

I found this application some weeks ago and recommend it, profile-sync-daemon on the AUR.  It symlinks your browser profile to /tmp which is a tmpfs (running in RAM), so the large amount of disk I/O that it generates is now in RAM rather than on your disk.  This is great for HDD as well as SSD - with speed increases up to six times faster. It supports a wide range of browsers including:

  • Chromium
  • Firefox
  • Google Chrome
  • Midori
  • Opera

Very easy to install, just edit (as root).
    /etc/psd.conf
Setting USERS to a space delimited list of user accounts on this machine.
    USERS="jeff"
Close your browsers, then enable and start it in systemd.
    systemctl enable psd
    systemctl start psd
You can see what just happened with parse.
    profile-sync-daemon parse


Saturday, 15 March 2014

Changing the Default Port for OpenSSH on Arch Linux

When I had public servers with port 22 (OpenSSH) open, they got scanned daily.  When I changed the port to a non-standard one the majority of my problems went away.

While security by obscurity is simply not a secure enough option, it certainly reduced the number of log entries I had to review daily when it got rid of the script kiddies.

I'll refer to my favourite distribution Arch Linux for this post - but the majority of this can be used on many Linux flavours.

Changing the default port of OpenSSH is very easy.  First select a higher range port to use, I'll use 22022 for my example.  Check that the port you chose is not being used by anything with the following command (nothing returned is good).

    grep 22022 /etc/services

Now edit (as root) /etc/ssh/sshd_config and enter your port.

    Port 22022

Finally restart your service (as root).

    systemctl restart sshd.service

Excellent.  Now test it with something like.

    ssh -p 22022 jeff@localhost



Wednesday, 12 March 2014

Cleaning Arch Linux

Keeping your Arch Linux machine in top condition doesn't just mean you do pacman updates, it should also mean you keep your local repository optimized.  I found great threads on the topic, putting together the wisdom of others into a short script I run interactively daily.

Tuesday, 11 March 2014

Speed Up Mission Control Animations

While I love virtual desktops, in general, I found Mission Control in OSX Mavericks to be frustrating.  You may think that the lack of cube animation, or the fact that only horizontal desktops are supported, would be my largest complaint, but you would be wrong.  It's the animation, the lag when you mouseover the virtual desktops or add a new desktop.  I found a little fix that will speed this up on OSX, making virtual desktops usable again.



Saturday, 8 March 2014

Testing if an Application Exists in Bash

Some of my Bash scripts need to be used on various systems I use.  It is very common to call other command line tools that do some job or another, from these scripts.  Sometimes I am forgetful (big surprise!) and forget to install these required applications.

So I use a simple function to check that these other applications exist, returning true or false.



Now you use the function, placing your call below the code above.  This example exits the script if the application is not found.


Thursday, 6 March 2014

KDE Password & User Account System Settings 'Freezing'

If, like me, you install KDE on Arch Linux and when editing your Password & User Account in System Settings it freezes, then you need to do the following.



You need to change the default behaviour of chfn by changing the following line in /etc/login.defs.

    CHFN_RESTRICT rwh

Change the value to frwh so it looks like this.

    CHFN_RESTRICT frwh

That worked for me - but let me know if you still have an issue since I'm not convinced?  I could not find the fix on any official site, though it has happened to me on each of my installs (maybe because I consistently change the same fields).

Wednesday, 26 February 2014

Rmagick failing to build on Arch due to HDRI Imagemagick

One of my personal Rails projects uses the rmagick gem.  On Arch Linux the imagemagick package from the Extra repository is built with the --enable-hdri option.  This will cause the gem to fail when installing.



Not to worry.  I found this bug and this patch.  But it was AUR to the rescue with the package imagemagick-no-hdri.

So remove the initial package with:

    pacman -Rs imagemagick

Next install the other package with your favourite method - I use aurget (you may need --deps).

    aurget -S imagemagick-no-hdri

Now install your rmagick gem.



Success!

Monday, 17 February 2014

Loading 'loop' Device in OpenSUSE

Okay, I'm still a noob with OpenSUSE 13.1 - I've kept my eye on it for years but never took the plunge until recently.  One of the applications I have on every machine I own is Truecrypt.  Installed it direct from the site then tried to mount a volume when I got this error.


Problem is explained right there in the error message.  And it's an easy one to fix.  In fact, the loop device is used for a lot of common things I expect to be doing, so I will just ensure it's enabled in the kernel.

A quick check for how OpenSUSE does it (told you I was a noob), then loaded the loop kernel module with:

    sudo /sbin/modprobe loop

You can test if this loaded by:

    sudo /sbin/lsmod | grep loop

The status of the loop module is shown, if loaded - and if it's not loaded, then nothing will be returned.

Lastly, I wanted to ensure loop gets loaded every time I boot the machine, so I added this:

    echo loop | sudo tee /etc/modules-load.d/loop.conf

Back to Truecrypt, voila!

Saturday, 15 February 2014

Updating Arch - My Way

I like to script a lot of the repetitive jobs I do (and what geek doesn't?).  One of those jobs is the updating of Arch Linux packages.  Check out this simplistic bash script.



I use aurget, as it has similar syntax with pacman.  And I'm using Reflector to grab the fastest mirrors.  Script will run without these packages installed.

Tuesday, 11 February 2014

My Favourite Git Alias

I use this git alias every day, a number of times a day.  Unfortunately I don't know where I originally found it, as I did not create it; I did update it a little to my needs.

In your project's .gitconfig or your home folder's ~/.gitconfig add this (just add the lg line to the [alias] section of an existing file):


I don't have a project, that includes a lot of branching, that I am able to show you - I do have a flat project of my own that gives you an idea of what the output looks like.


If you have some great git command line tricks, please toss them my way - I live in a version control world!

Doesn't that look better than git log:

Saturday, 8 February 2014

Changing How sudo Works in openSUSE

By default, a user in openSUSE 13.1 who executes sudo to run a restricted file needs the root user's password rather than, as in many other Linux distributions, their own.  By design, this is a better way to manage root access - but if you want sudo to require your password rather than root's then keep reading.

Personally, I like a mixture of both on my personal machines.  I sometimes su, using root's password and at other times I use sudo with my own password.

To do this, the first thing I do when I install openSUSE is to give root a different password than my own.  Do this by deselecting the "Use this password for system administrator" option.


If you already have openSUSE installed, then simply su to root and then passwd to set a new password.

Now the fun stuff.

As the root user execute visudo, you need to comment out the last two lines of the below:



In the same file, you need to enable the wheel group by uncommenting the last row from below:


Make sure you save when you quit visudo.

One last step: still as root, add the privileged user to the wheel group, like so:
    usermod -a -G wheel jeff
All done. You need to log out and back in as the user; sudo will now act as described above.
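
An audit of the visudo edit described above, as an added example that is not part of the original post. The sudoers listings did not survive on this page, so the three sample files are constructed and assume the stock openSUSE lines `Defaults targetpw`, `ALL ALL=(ALL) ALL` and `%wheel ALL=(ALL) ALL`; the function names are hypothetical. It flags the half-finished state where only the first of the two lines was commented out.

```shell
#!/bin/sh
# Added example: classify which password policy a sudoers file is in.

# Succeed if an active (uncommented) line starts with the given ERE.
active_line() {   # usage: active_line FILE ERE
    grep -Eq "^[[:space:]]*$2" "$1"
}

# Print one of: targetpw | wheel | UNSAFE | none
sudo_policy() {
    targetpw=no; all_all=no; wheel=no
    active_line "$1" 'Defaults[[:space:]]+targetpw' && targetpw=yes
    active_line "$1" 'ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL' && all_all=yes
    active_line "$1" '%wheel[[:space:]]+ALL[[:space:]]*=' && wheel=yes
    if [ "$all_all" = yes ] && [ "$targetpw" = no ]; then
        echo UNSAFE      # every local user gets root with their own password
    elif [ "$targetpw" = yes ]; then
        echo targetpw    # sudo asks for the target (root) password
    elif [ "$wheel" = yes ]; then
        echo wheel       # wheel members authenticate with their own password
    else
        echo none
    fi
}

# Constructed samples: stock file, half-finished edit, finished edit.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
printf '%s\n' 'Defaults targetpw' 'ALL ALL=(ALL) ALL' '# %wheel ALL=(ALL) ALL' > "$d/stock"
printf '%s\n' '#Defaults targetpw' 'ALL ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$d/half"
printf '%s\n' '#Defaults targetpw' '#ALL ALL=(ALL) ALL' '%wheel ALL=(ALL) ALL' > "$d/finished"
for f in stock half finished; do
    echo "$f: $(sudo_policy "$d/$f")"
done
```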

Friday, 7 February 2014

Updated Your Bash Shell in OSX

Are you a Bash shell user on OSX? (by default you are!)  Well, did you realize that Bash is at version 3.2.51 on Mavericks, 10.9.1?   I hit a wall when I realized some of my dotfiles were not going to run as expected with this older version.

No worries - since I use the fantastic Homebrew package manager for OSX, installing Bash 4.2.45 was a simple:
    brew install bash
That's not the end of the story though.  Now you have to change your login shell on OSX.

First step after installing is to edit /etc/shells, and add /usr/local/bin/bash to the top of the list:
    sudo vi /etc/shells
Being a nerd, you know you can just use chsh to change your shell:
    chsh -s /usr/local/bin/bash
Or you can go to System Preferences, then Ctrl-Click on your Users & Groups user profile (ensuring screen is unlocked):


And finally, after selecting Advanced Options, just change the shell to /usr/local/bin/bash:


If you want to be sure it worked, just do this in a new terminal:

    echo $SHELL



Wednesday, 5 February 2014

OS Detection in Your Vim Configuration

If you use your vim configuration across multiple machines, and even multiple operating systems (OS), then you may need to have separate configuration based on that OS.

Using has(), do something like this in your ~/.gvimrc:



In fact, there is a lot more you can set up conditionals for.  To discover all the options use the following in vim:

    :help feature-list

Monday, 3 February 2014

Easy Bash Colorization

I like things simple - if they are hard, I like to make them simple.  Take my bash prompt (PS1): I want it to have colour, be easy to change (and mess around with), as well as show me if I'm on a remote machine (as I will tend to be a few dozen times a day).  I also put it into its own file, which I call .bash_prompt, to be called from .bashrc or .bash_profile.

So here is my .bash_prompt file:



Edit to your personal preference then run:

    source ~/.bash_prompt

Sunday, 2 February 2014

Installing Rmagick Gem on Arch Linux using ABS

Installing my Rails project to a newly installed Arch Linux laptop - I ran bundle install and got the following error:



I sync'd ABS and then copied the /var/abs/extra/imagemagick/ folder to a working folder.

Now edit PKGBUILD, removing the --enable-hdri option so the ./configure section looks like this:



Run makepkg in the working folder and then install the resultant package with pacman -U.

Finally, back in my Rails project folder, I ran bundle install (or I could have run gem install rmagick) once again and the Rmagick gem installs!