In July 2011 I switched to the GNU/Linux distribution CRUX from ArchLinux, desiring increased speed and stability, while maintaining customisability, which I got. I switched back to Debian Stable in January 2012.
There isn’t much non-official documentation for CRUX so I documented the entire setup here, for my own reference when reinstalling machines and for other beginners looking to try out CRUX. In particular I have detailed my setup for encrypting my hard drive, which is esoteric but the best way I can come up with for doing it on CRUX.
The CRUX handbook is what you should really be using for this, referring to my notes only when the handbook is a bit skimpy on detail. I’ll repeat an arbitrary selection of what that tells you to do.
My ports for CRUX are in the portdb; they’re used throughout this document.
I used CRUX 2.7 in preparing this.
Installation
Encryption strategy
My paranoia levels are such that I want enough encryption to stop someone without a mainframe who acquires my laptop from getting at my personal data, but I don’t take the steps necessary to stop someone from inserting a keylogger into my machine, leaving it for me to pick up again without my knowing it’s been gone, and then stealing my encryption passphrase anyway.
Since /boot has to be unencrypted and I am not willing to carry it around on a floppy or something, there is no additional risk in having the root partition unencrypted, so I just encrypt /home and /var, have /tmp as a ramdisk, use no swap, and take steps to move sensitive configuration files (e.g. OpenVPN) from /etc into /home/etc so they are safe.
The reason I am not simply encrypting the root filesystem rather than have these separate partitions is that that would slow down the boot sequence substantially by requiring an initrd.
I don’t encrypt my desktop system at all anymore; the chances of it being stolen are so very much smaller than those for my laptop, I trust my family, and a LILO password is sufficient for LAN party security.
Partitions and formatting
Run fdisk as instructed. If dual-booting with Windows, remember that it likes to be in the first partition. A useful guide to fdisk. I’m going with 10GB for the root partition because the first time I did this I had 5 for that and 10 for /var, and I didn’t have enough space to install TeX Live and had to do crazy repartitioning of encrypted partitions…
Here’s a summary of the sizes I choose for my partitions:
Partition | Size | Filesystem |
---|---|---|
/ | 10GB | ext3 |
/var | 5GB | ReiserFS |
/home | remaining HDD | ext4 |
/tmp | max. 50% of RAM | tmpfs |
so
# mkfs.ext3 /dev/sda1
or mkfs.ext4 on my single-partition desktop.
Installing the CRUX distribution
We don’t mount our partition for /var separately at this stage because the live CD doesn’t have the tools needed to do disc encryption, and it’s far easier to let (non-personal) data get written to /var now that can later be moved into the encrypted partition, rather than supplying the installation with the scripts and modules to encrypt now.
# mount /dev/sda1 /mnt
# setup
Select all three port collections and then deselect the following packages from opt: fetchmail, firefox, grub, lvm2, mdadm, nano, openbox, procmail, rp-pppoe, wvdial, xterm; deselect the following packages from xorg: xorg-xf86-video-* except for vesa.
Config files
Chroot and set the root password as instructed.
Lines for /etc/fstab; again this is simple as we’re going to add encrypted partitions later:
/dev/sda1 / ext3 defaults,noatime 0 1
tmp /tmp tmpfs defaults,nosuid,size=1024M,mode=1777 0 0
usb /proc/bus/usb usbfs defaults 0 0
/dev/sdaX /mnt/seven ntfs-3g defaults 0 0
We’ll use autofs for floppy and optical drives.
In /etc/rc.conf, we change the keymap to uk, timezone to Europe/London and hostname to artemis for my laptop and zephyr for my desktop. Leave services and font as they are for now.
Generate locales:
# localedef -i en_GB -f ISO-8859-1 en_GB
# localedef -i en_GB -f ISO-8859-1 en_GB.ISO-8859-1
# localedef -i en_GB -f UTF-8 en_GB.utf8
Temporary network setup
We will need wired network access with which to get wireless working, and the way I do this is to tether one machine to the other. The following configuration achieves that:
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#
case $1 in
start)
# loopback
/sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
/sbin/ip link set lo up
# ethernet
/sbin/ip addr add 10.8.0.2/24 dev eth0 broadcast +
/sbin/ip link set eth0 up
# default route
/sbin/ip route add default via 10.8.0.1
;;
stop)
/sbin/ip route del default
/sbin/ip link set eth0 down
/sbin/ip addr del 10.8.0.2/24 dev eth0
/sbin/ip link set lo down
/sbin/ip addr del 127.0.0.1/8 dev lo
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: $0 [start|stop|restart]"
;;
esac
# End of file
Run these commands on the host machine to open up the target to the ‘net:
$ echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
$ sudo iptables -t nat -A POSTROUTING -s 10.8.0.2 -j MASQUERADE
and its config file (if it’s running CRUX; it’s quite easy to move to other distros):
#!/bin/sh
#
# /etc/rc.d/net: start/stop network
#
case $1 in
start)
# loopback
/sbin/ip addr add 127.0.0.1/8 dev lo broadcast + scope host
/sbin/ip link set lo up
# ethernet
/sbin/ip addr add 10.8.0.1/24 dev eth0 broadcast +
/sbin/ip link set eth0 up
# default route
#/sbin/ip route add default via 10.8.0.1
;;
stop)
#/sbin/ip route del default
/sbin/ip link set eth0 down
/sbin/ip addr del 10.8.0.1/24 dev eth0
/sbin/ip link set lo down
/sbin/ip addr del 127.0.0.1/8 dev lo
;;
restart)
$0 stop
$0 start
;;
*)
echo "usage: $0 [start|stop|restart]"
;;
esac
# End of file
This can be a bit flaky and doesn’t like hotplugging or rebooting so be willing to make liberal use of /etc/rc.d/net restart.
/etc/hosts:
127.0.0.1 localhost
127.0.1.1 artemis.silentflame.com artemis
193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
/etc/resolv.conf:
search silentflame.com
#nameserver 10.9.8.1
nameserver 208.67.220.222
nameserver 208.67.220.220
The commented out address will be of use once OpenVPN is operational.
Compiling the kernel
Here are changes I have made; everything else is left as-is.
- General setup
- Disable development/incomplete code/drivers
- Disable swap support
- Enable BSD Process Accounting
- Disable kernel .config support
- Enable UTS & IPC namespace support
- Disable initramfs/initrd
- Disable optimisation for size
- On zephyr, enable configure standard kernel features (for small systems) [Apple keyboard]
- Enable loadable module support
- Disable unloading modules
- Processor type and features
- Processor family: Core 2/newer Xeon
- Maximum number of CPUs set to 2
- Disable SMT (Hyperthreading) scheduler support
- Enable machine check / overheating reporting
- Disable AMD MCE features
- High Memory Support: 4GB
- Enable KSM for page merging
- Enable Math emulation
- Enable MTRR cleanup support
- Enable -fstack-protector buffer overflow detection
- Power management and ACPI options
- Enable power management support
- Enable run-time PM core functionality
- Enable APM for laptop (though this is known to be dodgy; care)
- Enable CPU frequency scaling on artemis
- Disable CPU frequency translation statistics
- Enable the powersave, userspace, and conservative governors on artemis, and ondemand instead of conservative on zephyr. Set default governor to performance
- Module ACPI Processor P-states driver
- Bus options
- Enable Message Signaled Interrupts
- Disable ISA support
- PCMCIA—disable on zephyr
- Disable Cirrus PD6729 compatible bridge support
- Disable i82092 compatible bridge support
- Executable file formats / emulations
- Enable kernel support for MISC binaries
- Networking support
- Networking options
- For the Oxford VPN, we will need to module these:
- Transformation user configuration interface
- PF_KEY sockets
- IP: GRE tunnels over IP
- IP: AH transformation
- IP: ESP transformation
- IP: IPComp transformation
- IP: IPsec transport mode
- IP: IPsec tunnel mode
- IP: IPsec BEET mode
- Enable INET: socket monitoring interface
- Disable IPv6 (I’m never on a network that supports it)
- Enable Netfilter
- Core Netfilter Configuration
- Enable Netfilter connection tracking support
- IP: Netfilter configuration
- Enable IPv4 connection tracking support
- Enable IP tables support
- Enable Full NAT
- Enable MASQUERADE target support
- Enable REDIRECT target support
- Module 802.1d ethernet bridging
- Wireless
- Enable (i.e. not just module) cfg80211
- Enable Generic IEEE 802.11 Networking Stack (mac80211)
- Enable RF switch subsystem support on artemis
- Device drivers
- Generic driver options
- Enable maintain a devtmpfs filesystem to mount at /dev
- Automount devtmpfs at /dev. after the kernel…
- Enable include in-kernel firmware blobs in kernel binary
- Enable connector—unified userspace <-> kernelspace linker
- Plug and play support
- Enable PNP debugging messages
- Block devices
- Module normal floppy disk support on artemis, enable on zephyr
- Disable Compaq SMART2 support
- Disable Compaq Smart Array 5xxx support
- Disable Mylex DAC960/DAC1100 PCI RAID controller support
- Module loopback device support
- Disable network block device support
- Module RAM block device support (this may break tmpfs?)
- Disable ATA over ethernet support
- On zephyr enable ATA/ATAPI/MFM/RLL support (DEPRECATED) [this may or may not help failure to boot issue, really have no idea atm]
- Enable support for SATA (deprecated; conflicts with libata SATA driver)
- Enable generic ATA/ATAPI disk support
- Enable ATA disk support
- Enable Include IDE/ATAPI CDROM support
- Enable IDE ACPI support
- Enable generic/default IDE chipset support
- Enable Platform driver for IDE interfaces
- Enable AMD and nVidia IDE support
- SCSI device support
- Enable SCSI disk support
- Enable SCSI CDROM support
- Enable vendor-specific extensions (for SCSI CDROM) on zephyr only
- Enable SCSI generic support
- Probe all LUNs on each SCSI device
- Enable asynchronous SCSI scanning
- Enable serial ATA and parallel ATA drivers
- Enable AHCI SATA support
- Enable platform AHCI SATA support
- On zephyr enable NVIDIA SATA support
- Enable multiple devices driver support (RAID and LVM)
- Enable device mapper support
- Enable crypt target support
- Enable snapshot target
- Enable mirror target
- Disable Fusion MPT device support
- IEEE 1394 (FireWire) support
- Disable FireWire driver stack
- Enable Macintosh device drivers (hmm shouldn’t keyboard be under here?)
- Network device support
- Module dummy net driver support
- Module universal TUN/TAP device driver support
- Wireless LAN
- Enable Intel Wireless Wifi on artemis
- Enable Intel Wireless WiFi Next Gen AGN (iwlagn) on artemis
- Enable Intel Wireless WiFi 5000AGN … on artemis
- Enable Ralink driver support on zephyr
- Enable rt2500 (USB) support
- Enable rt2501/rt73 (USB) support
- Enable Ralink debug output
- Disable PPP support
- Input device support
- Disable support for memoryless force-feedback devices
- Disable polled input device skeleton
- Set horizontal and vertical screen resolution
- Enable event interface
- Mice
- On zephyr, enable PS/2 mouse
- Disable serial mouse
- Disable Apple USB touchpad support
- Disable Apple USB BCM5974 Multitouch trackpad support
- Character devices
- Serial drivers
- Disable 8250/16550 and compatible serial support
- Enable Timer IOMEM HW Random Number Generator support
- Enable Intel HW Random Number Generator support
- Disable AMD … random number generator support × 2
- Enable /dev/nvram support
- Enable SPI support
- Power supply class support
- Module test power driver
- Module all battery types on artemis for now
- Enable hardware monitoring support
- Generic thermal sysfs driver
- Disable multimedia support
- Graphics support
- Enable laptop hybrid graphics on artemis
- Module direct rendering manager
- Disable support for frame buffer devices
- Enable backlight & LCD device support on artemis
- Display device support
- Enable display panel/monitor support
- Console display driver support
- Disable scrollback buffer in system RAM
- Enable sound card support
- Enable ALSA
- Enable sequencer support
- Enable OSS mixer API
- Enable OSS PCM
- Enable OSS sequencer API
- Disable verbose procfs contents
- PCI sound devices
- Enable Intel HD Audio
- On artemis enable aggressive power-saving on HD-audio
- Default time-out for HD-audio power-save mode: 60
- On zephyr enable build nvidia HDMI HD-audio codec support
- Disable HID drivers on artemis, enable on zephyr—enable/module on artemis if want USB mouse support
- Special HID drivers
- Enable Apple
- USB support
- Enable support for host-side usb
- Enable USB device filesystem
- Enable WUSB cable based association
- Enable EHCI HCD (USB 2.0) support
- Disable USB modem support
- Enable MMC/SD/SDIO card support on artemis
- On artemis, enable Secure Digital host controller interface support
- On artemis enable SDHCI support on PCI bus
- On artemis enable Ricoh MMC controller disabler
- Disable Real Time Clock
- Enable auxiliary display support
- Disable X86 platform specific device drivers
- On artemis, module Acer WMI laptop extras, Asus laptop extras and ThinkPad ACPI laptop extras—don’t think it’s the latter but one of three for SL300 which has IdeaPad internals, not proper ThinkPad—using lenovo-sl-laptop
- On zephyr enable staging drivers
- Disable exclude staging drivers from being built
- Enable Ralink 2870/3070 wireless support
- File systems
- Enable ext2
- Enable ext3
- Default to ‘data-ordered’ in ext3
- Enable ext4
- Enable reiserfs
- Disable JFS
- Disable XFS
- Enable kernel automounter version 4 support (also supports v3)
- Enable FUSE
- Module character device in userpace [sic] suppose
- CD-ROM/DVD filesystems
- Enable ISO 9660 CDROM file system support
- Enable Microsoft Joliet CDROM extensions
- Enable transparent decompression extension
- UDF file system support
- DOS/FAT/NT filesystems
- Disable MSDOS fs support
- Enable VFAT (Windows-95) fs support
- On zephyr, enable NTFS file system support; disable on artemis
- On zephyr enable NTFS write support
- Network file systems
- Enable NFS client support
- Enable NFS client support for the NFSv3 ACL protocol extension
- Enable NFS server support for the NFSv3 ACL protocol extension
- Disable SMB file system support
- Disable CIFS support
- Kernel hacking
- Enable timing information on printks
- Enable __must_check logic
- Disable Magic SysRq key
- Enable sysctl checks
- Filter access to /dev/mem
- Maybe enable verbose x86 bootup info messages
- Cryptographic API
- Module null algorithms
- Module CCM support (Oxford VPN)
- Module GCM/GMAC support (Oxford VPN)
- Enable SHA224 and SHA256 digest algorithm
- Enable Zlib
- Enable LZO
- Enable pseudo random number generation for cryptographic modules
- Virtualisation
- Enable KVM support
- Enable KVM for Intel processors support
- Module Virtio balloon driver
Once done with menuconfig, we set things up:
# make all && make modules_install
# cp arch/x86/boot/bzImage /boot/vmlinuz
# cp System.map /boot
Bootloader
Set up lilo; for artemis:
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#
lba32
install=text
compact
boot=/dev/sda
image=/boot/vmlinuz
label=CRUX
root=/dev/sda3
read-only
append="quiet acpi_backlight=vendor"
# End of file
and for zephyr:
#
# /etc/lilo.conf: lilo(8) configuration, see lilo.conf(5)
#
lba32
install=text
prompt
timeout=30
compact
boot=/dev/sda
image=/boot/vmlinuz
label=CRUX
root=/dev/sda3
read-only
append="quiet"
other=/dev/sda2
label=dos
# End of file
# lilo
# reboot
Post-install configuration
Pre-encryption tweaks—stop building things as root
Following the advice here, we set up a non-privileged user to build ports. This also moves port building out of /usr and into /var where it belongs.
We create our user account here because otherwise pkgmk will get the first UID.
# groupadd pkgmk
# useradd swhitton -M -s /bin/zsh -G lp,wheel,audio,video,floppy,cdrom,scanner,tape,pkgmk
# useradd -m -d /var/pkgmk -g pkgmk pkgmk
# mkdir /var/pkgmk/{distfiles,packages,work}
# chown pkgmk:pkgmk /var/pkgmk/*
# chmod 775 /var/pkgmk/*
/etc/prt-get.conf:
makecommand sudo -H -u pkgmk /usr/bin/fakeroot /usr/bin/pkgmk
/etc/pkgmk.conf:
PKGMK_SOURCE_DIR="/var/pkgmk/distfiles"
PKGMK_PACKAGE_DIR="/var/pkgmk/packages"
PKGMK_WORK_DIR="/var/pkgmk/work/$name"
/etc/hosts:
193.1.193.66 download.sf.net dl.sourceforge.net dl.sf.net
Pre-encryption tweaks—packages
We can’t do much until encryption is operational because we don’t want to introduce any kind of personal data to the system until then. However, setting that up will be a lot easier with some additional packages on our very spartan system.
If you see this on a bootup:
umount: /sys: device is busy.
(In some cases useful info about processes that use
the device is found by lsof(8) or fuser(1))
mount: sysfs already mounted or /sys busy
then be assured that it may be safely ignored; I believe it’s a bug in the /etc/rc script.
First we enable the contrib ports collection:
# mv /etc/ports/contrib.rsync.inactive /etc/ports/contrib.rsync
# ports -u contrib
We tell prt-get that we’ve done so by uncommenting the line
prtdir /usr/ports/contrib
near the start of /etc/prt-get.conf. Now we use the mpup utility to add some ports from third party repositories. mpup is like ports -u except only specific ports are fetched, rather than a whole irrelevant repository.
# prt-get depinst mpup
# mv /etc/ports/meta.mpup.inactive /etc/ports/meta.mpup
Now we add my personal repository TODO and gnome and xfce TODO (gnome below contrib so guile installs right).
Add to /etc/mpup.lst:
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#wicd wicd
httpup sync http://home.cc.umanitoba.ca/~fonsecah/crux/ports/#urwid urwid
rsync -aqz morpheus.net::cruxports/console-font-terminus/ console-font-terminus
rsync -aqz morpheus.net::cruxports/xorg-font-terminus/ xorg-font-terminus
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#texinfo texinfo
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#ncmpcpp ncmpcpp
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#mpdscribble mpdscribble
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#xclip xclip
httpup sync http://sirmacik.net/static/download/cruxpl-ports/#terminus-font terminus-font
rsync -aqz morpheus.net::cruxports/mingetty/ mingetty
httpup sync http://falcony.googlecode.com/svn/trunk/falcony/#laptop-mode-tools laptop-mode-tools
httpup sync http://cruxab.comlu.com/crux/ports/#libtasn1 libtasn1
httpup sync http://flaveur.googlecode.com/svn/trunk/ports/#policykit policykit
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#krb5 krb5
httpup sync http://bdfy.googlecode.com/svn/trunk/#abiword abiword
httpup sync http://tsubasa.googlecode.com/svn/trunk/tsubasa/#auctex auctex
httpup sync http://www.mizrahi.com.ve/crux/pkgs/#autofs autofs
httpup sync http://romster.dyndns.org:8080/linux/ports/crux/romster/#wine wine
httpup sync http://www.landofbile.com/crux_ports/#gmime gmime
httpup sync http://bdfy.googlecode.com/svn/trunk/#burn-cd burn-cd
httpup sync http://vico.kleinplanet.de/files/repo/#abcde abcde
httpup sync http://vico.kleinplanet.de/files/repo/#cd-discid cd-discid
httpup sync http://vico.kleinplanet.de/files/repo/#id3v2 id3v2
rsync -aqz rsync.clyl.net::crux-xen/vte-python/ vte-python
httpup sync http://jue.li/crux/ports/#s3fs s3fs
rsync -aqz sepen.mine.nu::ports/crux-2.7/sepen/uuid/ uuid
and add prtdir /usr/ports/meta to the beginning of /etc/prt-get.conf. Next we’ll install some basic utilities but before we do that we enable install scripts in /etc/prt-get.conf:
runscripts yes
now
# ports -u meta swhitton
# prt-get depinst zile emacs cryptsetup gnupg zsh screen mercurial git cvs subversion mr ca-certificates consoleswapcaps rxvt-unicode urxvtcd atd git-annex
# prt-get remove vim
Change the keymap in /etc/rc.conf to uk.swapcaps and then
# loadkeys uk.swapcaps
to make caps lock into a control key, as it should be.
This should be enough to bootstrap my standard CLI interface into /root, which’ll make things more comfortable.
# cd ~
# rm -rf .ssh
# mr --trust-all bootstrap xyrael.net/mrconfig-crux
# chsh -s /bin/zsh
# zsh
Encrypted partitions
At long last we are ready to prepare our encrypted partitions, move our sensitive data into them and then to have them decrypted at boot.
Create partitions
# cryptsetup luksFormat /dev/sda2
# cryptsetup luksFormat /dev/sda3
# cryptsetup luksOpen /dev/sda2 artemis-var
# cryptsetup luksOpen /dev/sda3 artemis-home
# mkfs.reiserfs /dev/mapper/artemis-var
# mkfs.ext4 /dev/mapper/artemis-home
We’ll mount up the home partition and put something in it for testing purposes.
# mount /dev/mapper/artemis-home /home
# echo "it works\!" > /home/test.txt
Decryption
To confirm that things are working we’ll do /home first before /var, because the latter gets log files written to it that we’re going to have to be careful about moving.
Open up /etc/rc and find the line
# Check filesystems
Above the block of lines that this comment introduces, we are going to add our decryption commands. These are
# SEAN DECRYPTION BEGIN
# we need to set the keymap early in order to be able to decrypt
if [ "$KEYMAP" ]; then
/usr/bin/loadkeys -q "$KEYMAP"
fi
/usr/bin/setfont $FONT
echo ""
echo -n "This is Sean's computer - enter system passphrase: "
# IFS= and -r keep leading/trailing spaces and backslashes in the passphrase
/bin/stty -echo; IFS= read -r PASSPHRASE; /bin/stty echo
echo ""
# --key-file=- reads the key from stdin; printf sends it without a trailing newline
printf '%s' "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda2 artemis-var
printf '%s' "$PASSPHRASE" | cryptsetup --key-file=- luksOpen /dev/sda3 artemis-home
# overwrite the passphrase before discarding the variable
PASSPHRASE="ilikedmcryptoncruxreallyreallyreallalot"
unset PASSPHRASE
# SEAN DECRYPTION END
The idea of this code is to stop someone from being able to do anything with the system without opening it up, which was considered to be an acceptable risk in our encryption strategy.
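The passphrase handling in the snippet above, pulled out into functions so it can be exercised without touching a disk. This is an added example, not code from the original notes or from CRUX; the function names and the OPENER hook (a stand-in for cryptsetup) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names and the OPENER hook are constructed for illustration.
# In /etc/rc the call would look like:
#   prompt_passphrase "enter system passphrase: " &&
#       unlock_all /dev/sda2:artemis-var /dev/sda3:artemis-home

# Read one line from stdin into PASSPHRASE exactly as typed:
# IFS= keeps leading/trailing blanks, -r keeps backslashes.
read_passphrase() {
    IFS= read -r PASSPHRASE
}

# A bare read, for comparison: it trims blanks and eats backslashes, so the
# key sent to cryptsetup can differ from the one given to luksFormat.
read_passphrase_naive() {
    read PASSPHRASE
}

# Prompt on the console with echo off, putting the saved terminal state back
# afterwards and also if the prompt is interrupted.
prompt_passphrase() {
    printf '%s' "$1" >&2
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM
        stty -echo
        read_passphrase
        status=$?
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        read_passphrase
        status=$?
    fi
    return "$status"
}

# Open every "device:name" pair with the one passphrase. With --key-file=-
# the opener takes the bytes on stdin as they come, newline included, so
# printf '%s' sends the key with no trailing newline. printf is a builtin in
# bash and dash, so the passphrase never appears as a process argument.
unlock_all() {
    opener=${OPENER:-cryptsetup}
    failed=0
    for pair in "$@"; do
        dev=${pair%%:*}
        name=${pair#*:}
        if ! printf '%s' "$PASSPHRASE" |
                "$opener" --key-file=- luksOpen "$dev" "$name"; then
            echo "could not open $dev as $name" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Stand-in for cryptsetup used by the demo: records the key bytes it is sent.
record_key() {    # args: --key-file=- luksOpen DEVICE NAME
    cat > "$DEMO_DIR/$4.key"
}

demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    printf '%s\n' ' pa\ss word ' > "$DEMO_DIR/typed"   # constructed passphrase
    read_passphrase_naive < "$DEMO_DIR/typed"
    printf 'bare read    : [%s]\n' "$PASSPHRASE"
    read_passphrase < "$DEMO_DIR/typed"
    printf 'IFS= read -r : [%s]\n' "$PASSPHRASE"
    OPENER=record_key
    unlock_all /dev/sda2:artemis-var /dev/sda3:artemis-home
    printf 'bytes sent   : %s\n' "$(wc -c < "$DEMO_DIR/artemis-var.key" | tr -d ' ')"
    PASSPHRASE=; unset PASSPHRASE OPENER
    rm -rf "$DEMO_DIR"
}

demo
```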
Add this line to /etc/fstab:
/dev/mapper/artemis-home /home ext4 defaults 0 2
Reboot, and confirm our test file is still in place with the content we gave it. If so, it’s time to move the files in /var. We stop daemons that might write there before doing so,[1] move the data and then reboot and cross our fingers.
First add this line to /etc/fstab:
/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2
then
# mkdir /mnt/tmp
# mount /dev/mapper/artemis-var /mnt/tmp
# /etc/rc.d/sysklogd stop
# /etc/rc.d/crond stop
# /etc/rc.d/net stop
# mv /var/* /mnt/tmp
# mv /var/.* /mnt/tmp
# reboot
This doesn’t really require a reboot, but it’s nice to see all the encryption stuff now fully working in tandem.
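A check of /etc/fstab against the layout chosen in the encryption strategy (/home and /var on device-mapper, /tmp on tmpfs, no swap). This is an added example, not part of the original notes; audit_fstab is a hypothetical helper and the sample tables are constructed from the fstab lines given in this document.

```shell
#!/bin/sh
# Added example: audit_fstab and the sample tables are constructed for
# illustration.

# Print one line per departure from the intended layout and return 1 if there
# is any, 0 if the table matches. Reads the file named in $1, or stdin.
# A /dev/mapper path only shows that device-mapper is in use; confirming that
# a mapping is a LUKS one needs `cryptsetup status NAME` on the live system.
audit_fstab() {
    findings=$(awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        { seen[$2] = 1 }
        $3 == "swap" { print "swap entry on " $1 }
        ($2 == "/home" || $2 == "/var") && $1 !~ /^\/dev\/mapper\// {
            print $2 " is on " $1 ", not a /dev/mapper device"
        }
        $2 == "/tmp" && $3 != "tmpfs" { print "/tmp is " $3 ", not tmpfs" }
        END {
            n = split("/home /var /tmp", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen))
                    print need[i] " has no entry, so it sits on the unencrypted root"
        }' "${1:--}") || return 2
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# The table as written during installation, before any encryption.
sample_install_fstab() {
    cat <<'EOF'
/dev/sda1 / ext3 defaults,noatime 0 1
tmp /tmp tmpfs defaults,nosuid,size=1024M,mode=1777 0 0
usb /proc/bus/usb usbfs defaults 0 0
EOF
}

# The same table once the two encrypted partitions have been added.
sample_final_fstab() {
    sample_install_fstab
    cat <<'EOF'
/dev/mapper/artemis-home /home ext4 defaults 0 2
/dev/mapper/artemis-var /var reiserfs defaults,noatime,notail 0 2
EOF
}

# A constructed table that breaks every rule, to show each finding.
sample_bad_fstab() {
    cat <<'EOF'
# constructed counter-example
/dev/sda1 / ext3 defaults 0 1
/dev/sda2 /home ext4 defaults 0 2
/dev/sda4 swap swap defaults 0 0
/dev/sda5 /tmp ext3 defaults 0 2
EOF
}

echo "after installation:"
sample_install_fstab | audit_fstab
echo "after adding the encrypted partitions:"
sample_final_fstab | audit_fstab && echo "layout matches the strategy"
```

On a real system, run it as `audit_fstab /etc/fstab`.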
Post-encryption setup
Whew, now that encryption’s done we’re safe to start setting up my environment.
Distribution update
First bring the distribution up-to-date:
# prt-get sysup
This will take a while since the packages will need to be compiled, unlike during the installation where this has already been done. Also prt-get’s dependency resolution isn’t perfect, and you may be required to intervene to upgrade some packages before others.
Now we’ve hacked /etc/rc we need to lock it to prevent it being overwritten by updates, which would stop our system from starting up. Add this line to /etc/pkgadd.conf:
UPGRADE ^etc/rc$ NO
Wireless
Let’s stop dependency on another host for Internet access.
For artemis, we need the wireless firmware from here, and we need a release of the 5000 images (for our 5100AGN card) old enough to have -2 at the end, as our kernel version doesn’t seem to look for anything higher. 8.24.2.12.tgz appears to be the latest with this property. Extract the .ucode file into /lib/firmware and reboot and the hardware should be ready to go.
For zephyr we need rt2870.bin which we can drop into /lib/firmware; we then need a symlink:
ln -s /lib/firmware/rt2870.bin /lib/firmware/rt3070.bin
because the rt2870.bin driver covers a lot of hardware and the kernel looks in the wrong place.
Install wicd to manage network connections from now on. Somehow glib doesn’t get updated enough/at all in the sysup so do it again here (maybe).
# prt-get update glib
# prt-get depinst wicd urwid
# /etc/rc.d/dbus start
# /etc/rc.d/wicd start
Add the atd, dbus and wicd daemons (in that order) to /etc/rc.conf, and comment out the gateway settings for eth0 from /etc/rc.d/net (we can’t remove this daemon entirely because we need the loopback interface—discovered this the hard way when mpd wouldn’t work…). Fire up wicd-curses to connect to your wireless network. Remember to add 10.9.8.1 as first DNS server, globally, then OpenDNS.
ntp
At this point I tend to notice my system clock drifting.
# prt-get depinst openntpd
# /etc/rc.d/ntpd start
Add ntpd to list of daemons in /etc/rc.conf. In /etc/rc.d/ntpd, make the -s into -S so that ntp doesn’t even try to change the time on startup, which makes a big difference to boot speed.
Add to /etc/pkgadd.conf:
UPGRADE ^etc/rc\.d/ntpd$ NO
to protect our changes.
User account
# mkdir /home/swhitton
# chown swhitton:users /home/swhitton
# passwd swhitton
Log out and login again as the new user. Bootstrap its homedir:
$ mr --trust-all bootstrap xyrael.net/mrconfig-crux
On zephyr, add to /etc/rc.local:
echo 2 | sudo tee /sys/module/hid_apple/parameters/fnmode > /dev/null
X
Setup
We’re going with the non-free nVidia drivers since we have a nVidia card we want to make some use of:
# prt-get depinst nvidia
# reboot
# nvidia-xconfig
# gl-select use nvidia
To test X, back as swhitton, we prepare a minimal .xinitrc with just the line exec urxvt, moving the usual file to .xinitrc~.
$ startx
If you get a terminal that you can type into, and the mouse moves around, we’re good to go. Run exit in the terminal to kill off X.
Driver tweaks
Add the following lines to the Device section of /etc/X11/xorg.conf for some minor improvements (from Arch wiki):
Option "NoLogo" "1"
Option "RenderAccel" "1"
Option "ConnectedMonitor" "DFP"
Option "TripleBuffer" "1"
Option "DamageEvents" "1"
Option "DPS" "1"
Remove the third line for zephyr.
The almighty Terminus
We need three versions of Terminus: one which provides the traditional X font, one which provides the xft font and one for the console.
The Arch package provides all three at once, I believe, or at least the first two so should probably be looked into at some point.
# prt-get depinst xorg-font-terminus console-font-terminus terminus-font
In the Files section of /etc/X11/xorg.conf, add the line
FontPath "/usr/lib/X11/fonts/terminus"
and then my .Xresources should take care of the rest. For console, update /etc/rc.conf to use this new font, Lat2-Terminus16.
Font beautification
CRUX’s X11 fonts look pretty poor without tweaks, and there are various ways to improve the situation. After much messing around I reckon that the cleartype approach is the best, especially since the packages on the AUR were recently renewed and seem to be maintained. Links about this issue at the end of this document.
First we set up some package aliases so that our prt-get doesn’t think we’ve removed important dependencies. Append to /var/lib/pkg/prt-get.aliases:
libxft-cleartype: xorg-libxft
freetype2-cleartype: freetype
cairo-cleartype: cairo
postfix: exim
and append to /etc/pkgadd.conf to protect this file from upgrades:
UPGRADE ^var/lib/pkg/prt-get.aliases$ NO
# prt-get remove freetype xorg-libxft cairo
# prt-get install freetype2-cleartype libxft-cleartype cairo-cleartype
Taking the -ubuntu approach means no Xft Terminus so require the hacked TTF versions floating about, which means no smaller font in Conkeror minibuffer.
Check in /etc/fonts/fonts.conf that near the top there is
<dir>/usr/share/fonts</dir>
<dir>/usr/lib/X11/fonts</dir>
<dir>~/.fonts</dir>
as the second line might be missing. This should be packaged up/automated at some point.
Lisp
We are going to install the lisp environment to run my window manager, StumpWM, using the quicklisp approach from the ArchWiki. When my lisp knowledge improves I will make this into a package.
# prt-get depinst sbcl texinfo
# wget beta.quicklisp.org/quicklisp.lisp
# sbcl --load quicklisp.lisp
and then in the interactive shell
(quicklisp-quickstart:install)
(ql:add-to-init-file)
(ql:update-all-dists)
(ql:quickload "clx")
(ql:quickload "cl-ppcre")
(quit)
This relies on the environment variable we set in .zshrc, SBCL_HOME=/usr/lib/sbcl.
More building blocks
Unfortunately, stumpwm won’t build unless we’re root at the moment as I haven’t got the package set up right. So first we comment out the lines we added to /etc/prt-get.conf and /etc/pkgmk.conf and then
# cd /usr/ports/swhitton/stumpwm
# pkgmk -d
# chown pkgmk:pkgmk stumpwm\#git-1.pkg.tar.gz
# mv stumpwm\#git-1.pkg.tar.gz /var/pkgmk/packages
Now uncomment the lines again and
# prt-get depinst xbindkeys avfs stumpwm
$ mkdir .avfs
# echo "user_allow_other" >> /etc/fuse.conf
This should be enough to get a graphical environment up, so startx and open up a shell with the usual C-i C-t. If dual monitors need setting up, su to root and run nvidia-settings.
SLiM
And changes to theme to make slimlock work and changes to slimlock.conf.
gettys & SLiM
Using a display manager is much neater than running startx from ~/.zshrc.
# prt-get depinst mingetty slim slimlock
We use mingetty because it allows autologin if we ever want it and it uses less resources than agetty. We don’t use autologin at the moment because we’re screenlocking with slimlock rather than vlock. One virtual console is sufficient.
#c1:2:respawn:/sbin/mingetty --noclear --loginpause --autologin swhitton tty1 linux
c2:2:respawn:/sbin/mingetty --noclear tty2 linux
#c3:2:respawn:/sbin/agetty 38400 tty3 linux
#c4:2:respawn:/sbin/agetty 38400 tty4 linux
#c5:2:respawn:/sbin/agetty 38400 tty5 linux
#c6:2:respawn:/sbin/agetty 38400 tty6 linux
#s1:2:respawn:/sbin/agetty 38400 ttyS0 vt100
x:2:respawn:/usr/bin/slim >& /dev/null
Amend these lines in /etc/slim.conf:
console_cmd /usr/bin/urxvt -T "Console login" -e /bin/sh -c "/bin/cat /etc/issue; exec /bin/login"
default_user swhitton
auto_login yes (on artemis)
and in /etc/slimlock.conf:
wrong_passwd_timeout 0
show_username 1
show_welcome_msg 0
and a fix to /usr/share/slim/themes/crux-smooth/slim.theme:
username_x 170
password_x 170
ALSA
Let’s get sound operational.
# prt-get depinst alsa-lib alsa-utils alsa-oss
# alsamixer
Hit M to unmute the main channel. Raise the volume until the dB gain is 0 and then play a sound to test. If it doesn’t play, raise the other sliders around a bit.
# aplay /home/swhitton/lib/beep.wav
Now add alsa to the daemons array in /etc/rc.conf and run
# alsactl -f /var/lib/alsa/asound.state store
# /etc/rc.d/alsa start
sshd
Add to /etc/hosts.allow:
sshd: 10.9.8. 192.168.0. 10.8.0.
We need sshd running all the time in order to have tramp working smoothly, it seems (not in find-file but in eshell).
mpd, ncmpcpp & mpdscribble
No reason to go any further without some tunes. We need to install libmms first in order to get proper streaming support.
# prt-get depinst libmms libfaac
# prt-get depinst mpd mpc ncmpcpp mpdscribble
Sync media library
One of unison’s dependencies, ocaml, will need a .footprint deleting.
# prt-get depinst unison
Reconnect ethernet cable and run /etc/rc.d/net restart on both machines to bring up the connection. Run
$ unison ~/var ssh://10.8.0.2/var
on host tethered artemis/zephyr to copy ~/var back over to new machine.
Configuration
We want mpd to run as swhitton. Uncomment loads of stuff in /etc/mpd.conf (and add mixer_type "software" to ALSA output to make mpd volume independent of everything else), make sensible edits and run
$ mkdir -p .mpd/playlists
# chown swhitton:users /var/cache/mpdscribble/*.journal
# usermod -a -G audio swhitton
At some point we should move the config we use inside /home/swhitton
since everything happens there now.
Add this line to /etc/hosts.allow:
mpd: 127.0.0.1
Add this line to /etc/pkgadd.conf:
UPGRADE ^var/cache/mpdscribble/.*\.journal$ NO
.xinitrc will take care of starting mpd and mpdscribble.
sudo
Execute visudo and uncomment the line
%wheel ALL=(ALL) NOPASSWD: ALL
and execute
usermod -a -G wheel swhitton
to give swhitton full sudo access.
Desktop software
# prt-get depinst xpdf epdfview firefox feh gtk-chtheme gnome-themes
flash-player-plugin texlive-full auctex sshfs-fuse mplayer vlock gimp
xclip libreoffice scrot shared-mime-info gnome-mime-data htop at
filezilla abook libogg flac libvorbis easytag unzip imagemagick bc
aspell-en unrar w3m conkeror yapet x11-fonts-dejavu abiword emacs-w3m
dvd+rw-tools cdrkit prt-utils xorg-font-msttcorefonts urw-fonts
ttf-vista-fonts pinentry pinentry-gtk2 bbdb org-mode ntfs-3g_ntfsprogs
notmuch rtorrent ncdu pm-utils mkvtoolnix ffmpeg dvdauthor gtypist
guile normalize abcde cd-discid eject terminator vte-python xchat s3fs
service psi-im vcdimager subversion xfce-mcs-manager thunar
Select a theme with gtk-chtheme.
Do not be tempted to install the packages xorg-font-adobe-100dpi &
xorg-font-adobe-75dpi. They take priority over other fonts and look
rubbish, screwing things up in general.
At some point I should write a Pkgbuild to install pdftk, but this
is a nightmare because gcj is a nightmare to build, so for now I’ll
just use the pdftk on athena.
Conkeror relies on xulrunner, which at present comes with the CRUX 2.7 installation CD but, as Firefox now includes it, is not available in the ports database. If needed in the future, the CRUX git repository history contains the Pkgfile: link 1, 2, 3.
OpenVPN
We want the OpenVPN configuration files to be encrypted.
# mkdir -p /home/etc/openvpn
# ln -s /home/etc/openvpn /etc
# prt-get depinst openvpn
Copy into /etc/openvpn the files ca.crt, artemis.crt and artemis.key
and then create /etc/openvpn/tap.conf:
client
remote 212.13.194.60 1194
dev tap
proto tcp
resolv-retry infinite
nobind
persist-remote-ip
persist-local-ip
ping 5
ping-restart 10
ping-timer-rem
persist-key
persist-tun
verb 2
ca /etc/openvpn/ca.crt
cert /etc/openvpn/artemis.crt
key /etc/openvpn/artemis.key
comp-lzo
;redirect-gateway def1
where the final line is to be uncommented when on my untrusted
university LAN. Add openvpn to the daemons started in /etc/rc.conf.
Use udp rather than tcp on desktop.
Create the /etc/rc.d/openvpn script (stolen from Arch):
#!/bin/sh
#
# /etc/rc.d/openvpn: start/stop vpn daemon
#
CFGDIR="/etc/openvpn"
STATEDIR="/var/run/openvpn"
case $1 in
start)
    mkdir -p "${STATEDIR}"
    # One daemon per *.conf file, each with its own pid file
    for cfg in "${CFGDIR}"/*.conf; do
        [ -f "${cfg}" ] || continue   # glob matched nothing
        /usr/sbin/openvpn --daemon --writepid "${STATEDIR}"/"$(basename "${cfg}" .conf)".pid --cd "${CFGDIR}" --config "${cfg}"
    done
    ;;
stop)
    for pidfile in "${STATEDIR}"/*.pid; do
        [ -f "${pidfile}" ] || continue   # nothing to stop
        kill $(cat "${pidfile}" 2>/dev/null) 2>/dev/null
        rm -f "${pidfile}"
    done
    ;;
restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
*)
    echo "usage: $0 [start|stop|restart]"
    ;;
esac
# End of file
and fire her up:
# /etc/rc.d/openvpn start
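A check for the layout set up in this section, as an added example rather than part of the original notes: it confirms that the OpenVPN directory resolves (through the symlink) to somewhere under the partition assumed to be encrypted, and that the key files are readable by their owner only. It does not verify that the partition itself is an encrypted mapping; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify that OpenVPN key material sits on the encrypted
# partition and is readable by its owner only. Paths are passed as arguments.

# resolves_under DIR ROOT: exit 0 if DIR (symlinks resolved) is ROOT or below it
resolves_under() {
    real=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    root=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    case $real/ in
        "$root"/*) return 0 ;;
    esac
    return 1
}

# key_is_private FILE: exit 0 if FILE has no group or other permission bits
key_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the mode string are the group and other bits
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_openvpn CONFDIR ENCRYPTED_ROOT: print findings, return the problem count
check_openvpn() {
    problems=0
    if ! resolves_under "$1" "$2"; then
        echo "FAIL: $1 does not resolve to a directory under $2"
        problems=$((problems + 1))
    fi
    for key in "$1"/*.key; do
        [ -e "$key" ] || continue          # no key files present
        if ! key_is_private "$key"; then
            echo "FAIL: $key is accessible to group or others"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage on the layout above: check_openvpn /etc/openvpn /home
```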
SSH configuration
Download the keys desktop-key and key into ~/.ssh, and in
~/.ssh/config replace athena.silentflame.com with athena.athenet
and add
Host selene
User root
HostName selene.silentflame.com
IdentityFile ~/.ssh/desktop-key
Host raven
User ball3162
HostName linux.ox.ac.uk
IdentityFile ~/.ssh/desktop-key
Our first real encounter with pre-install scripts. prt-get readme
dovecot/postfix will provide an explanation.
# pkgrm exim
# prt-get depinst dovecot postfix offlineimap
We add the following line in /etc/dovecot/conf.d/10-mail.conf:
mail_location = maildir:~/.gnus.d/Maildir
and the following in /etc/postfix/main.cf:
relayhost = [10.9.8.1]:25
and we’re done. We may now run
# /etc/rc.d/postfix start
$ offlineimap
to do the initial download of my e-mail. Add the postfix daemon to
/etc/rc.conf (but not dovecot). You might want to test that e-mail
goes where it should via telnet:
~ # telnet localhost 25
Trying 127.0.0.1…
erase character is '^H'.
Connected to localhost.
Escape character is '^]'.
220 artemis.localdomain ESMTP Postfix
>>> EHLO localhost
250-artemis.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>>> mail from:<sean.whitton AT-NOSPAMPLZ balliol.ox.ac.uk>
250 2.1.0 Ok
>>> rcpt to:<spwhitton AT-NOSPAMHEREEITHERPLZ gmail.com>
250 2.1.5 Ok
>>> data
354 End data with <CR><LF>.<CR><LF>
>>> Dear Sean,
>>> This is my test message. Thanks.
>>> Thanks.
>>> .
250 2.0.0 Ok: queued as C0CEFB9
quit
221 2.0.0 Bye
Connection closed by foreign host
where >>> prefixes a line I typed. This is the most esoteric e-mail
route I can come up with, where the mail goes local -> athena ->
Oxford smtp -> gmail -> athena -> local, so check the headers
to make sure it’s gone everywhere it should.
Now that ~/.newsrc.eld isn’t synced between machines, recreate Gnus
group tree as follows (^ opens tree and u subscribes to items; Tn
to create new topics and GV and Gv to manipulate virtual groups; u
to kill off things like gnus-help):
[ Gnus -- 54 ]
0 / 19 / 1199 : INBOX
0 / 1 / 2423 : Notices & updates
9 / 16 / 2408 : Feeds & lists
0 / * / 0 : feeds.Guardian
[ Listservs -- 1 ]
0 / 1 / 372 : lists.BitFolk
* 0 / 0 / 140 : lists.VCS-Home
0 / 0 / 27 : lists.Wikizine
[ Feeds -- 16 ]
1 / 4 / 595 : feeds.Blogs
7 / 7 / 1320 : feeds.Comics
1 / 3 / 253 : feeds.Friends
0 / 2 / 240 : feeds.Tech
[ Personal -- 1 ]
* 0 / 0 / 5080 : archive
0 / 0 / 99 : drafts
0 / 0 / 1735 : notices
0 / 0 / 2245 : sent
* 0 / 0 / 40 : temptodo
0 / 1 / 688 : updates
crontab
*/5 * * * * /usr/bin/offlineimap -o -u Noninteractive.Quiet 1>/dev/null 2>/dev/null
0 * * * * /home/swhitton/bin/doccheckin >/dev/null
acpid & laptop-mode
Most of this is only on artemis. First we disable updatedb which can block suspend (on zephyr & artemis).
laptop-mode
# rm /etc/cron/daily/mlocate
# prt-get depinst powertop laptop-mode-tools pm-utils cpufrequtils acpi lm_sensors
Add the acpid and laptop-mode daemons to /etc/rc.conf (in that order).
I am not sure laptop mode is doing everything it can to save power
because /etc/laptop-mode/conf.d/ doesn’t exist, as it does on Arch. At
some point may wish to look into improving things, using the Arch
wiki (two links).
lenovo-sl-laptop
The lenovo-sl-laptop module provides control of the backlight and
access to various hotkeys from X. Recompiling the kernel wipes it out so
remember to re-add it should you need to do that.
# cd ~/local/src
# git clone git://github.com/tadzik/lenovo-sl-laptop.git
# cd lenovo-sl-laptop
# make
# mkdir /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# cp lenovo-sl-laptop.ko /lib/modules/2.6.35.6/kernel/lenovo-sl-laptop
# echo "options lenovo-sl-laptop control_backlight=1" >> /etc/modprobe.d/modprobe.conf
# echo "modprobe lenovo-sl-laptop control_backlight=1" >> /etc/rc.autofs
Add acpi_backlight=vendor to the kernel boot line in /etc/lilo.conf
and run lilo to put it in place.
Suspend on lid closure
Edit the file /etc/acpi/actions/lm_lid.sh and add this block to the
top:
if grep -q closed /proc/acpi/button/lid/LID/state; then
    sudo -u swhitton /home/swhitton/bin/dwm-suspcmd nolock
fi
Sometimes a stale lock file prevents pm-suspend from working with no
errors or log messages. To deal with this:
# rm /var/run/pm-utils/locks/pm-suspend.lock
autofs & NFS
# prt-get depinst autofs
# rm /etc/autofs/auto.{master,net,media}
/etc/autofs/auto.master:
/media /etc/autofs/auto.media
/net /etc/autofs/auto.net --timeout=30
/etc/autofs/auto.net:
athena -fstype=nfs,rw,async,vers=3 10.9.8.1:/home/swhitton/tmp
share -fstype=nfs,rw,async,vers=3 10.9.8.1:/srv/files
/etc/autofs/auto.media:
cd -fstype=auto,ro,sync,nodev,nosuid :/dev/sr0
usb -fstype=auto,async,nodev,nosuid,umask=000 :/dev/sdb1
sd -fstype=auto,async,nodev,nosuid,umask=000 :/dev/mmcblk0p1
Add rpcbind, nfs and autofs to the daemons array in /etc/rc.conf, in
that order.
Should now have in that array, in this order: acpid, laptop-mode, alsa, net, rpcbind, nfs, autofs, crond, atd, ntpd, dbus, wicd, openvpn, postfix, sshd.
Protect these configs in /etc/pkgadd.conf:
UPGRADE ^etc/autofs/auto\..*$ NO
# prt-get depinst wine
The AcceptEx patch has now been merged with Wine so you should just be able to install Warcraft III and its expansion and then update right off Battle.net. And it seems Wine is able to trap the mouse inside the window now too. Still rename Movies to Moviez, but the patch sorts out resolution issues. Nice.
winecfg and enable emulate virtual desktop to play.
StarCraft II
The most recent versions of wine allow you to get your mouse pointer
trapped in the window and work great with fullscreen windowed, but an
older version of wine is required for installation—at the time of
writing the most recent that works is 1.2.3. Begin by copying the two
wine package files of 1.2.3 and the most recent version (at the time of
writing, 1.3.24) into /var/pkgmk/packages. Mount the StarCraft II DVD
and copy the files to home directory to install:
# mount -o ro,unhide,uid=100 /dev/sr0 /mnt/cd
$ mkdir ~/tmp/sc2
$ cp -R /mnt/cd/* ~/tmp/sc2
$ wine start ~/tmp/sc2/Installer.exe
Run winecfg and disable mmdevapi completely under the Library tab.
After the game has finished installing and patching (takes forever),
switch the wine version (with pkgadd -u /var/pkgmk/packages/…) and set
the game to lowish graphics and select fullscreen windowed (lower than
what you’d have in Windows on the same hardware). Run winecfg again
and tick the trap mouse in full screen checkbox under the Graphics tab.
Cleanup:
# umount /mnt/cd
$ rm -rf ~/tmp/sc2
USB mouse
For StarCraft II on artemis you will want a USB mouse. This requires
usbhid to be compiled into the kernel, and then edit
/etc/X11/xorg.conf; replace the entire mouse section:
Section "InputDevice"
    Identifier "Mouse0"
    Driver "mouse"
    Option "Protocol" "IMPS/2"
    Option "Device" "/dev/input/mice"
    Option "ZAxisMapping" "4 5"
EndSection
and then add to the ServerLayout section:
Option "AllowEmptyInput" "false"
VirtualBox
This need only be done on zephyr (since it’s more powerful).
# prt-get depinst virtualbox
# usermod -a -G vboxusers swhitton
Worth setting up an Ubuntu VPS for testing. Remember to modprobe
vboxdrv before running VirtualBox.
Browser plugins
Install Firemacs into Firefox, and change (some of the) bindings to
match Conkeror. Add AdBlockPlus to Conkeror but not NoScript, as the
glue (require("noscript");) doesn’t work very well.
Emacs keys in GTK apps
# prt-get install gconf
$ echo 'gtk-key-theme-name = "Emacs"' >>~/.gtkrc-2.0
$ gconftool-2 -t string --set /desktop/gnome/interface/gtk_key_theme Emacs
We don’t seem to have backward-delete-word on C-w with this, though.
Miscellaneous notes
Backup strategy
All information to set the system up is in this document, so only the
contents of /home/swhitton need to be backed up, assuming, that is,
that all Pkgfiles have been uploaded to my CRUX repository. Of this
- most directories are synced with my mr/git/gitosis setup;
- ~/var may be synced using Unison;
- ~/local and ~/tmp need to be backed up manually;
- check for any leftover non-hidden files in ~;
- dotfiles in ~ should already be checked into version control;
those that are not are probably safe to discard;
- any custom ports in /usr/ports/local that have not yet been
transitioned into ~/src/ports.
The only other place there may be things to be saved are in /srv
(should be symlinked into /home so that it’s encrypted, though),
/var (unlikely) and of course the Windows partition.
Local LAMP setup for development
lighttpd & PHP
# prt-get depinst lighttpd php
# useradd -s /bin/false lighttpd
# groupadd lighttpd
# touch /var/www/logs/access_log
# touch /var/www/logs/error_log
# chown lighttpd:lighttpd /var/www/logs/*
Add mod_fastcgi to modules listing and switch to the non-chroot setup.
Add to the end of config file
fastcgi.server = ( ".php" =>
  ((
    "bin-path" => "/usr/bin/php-cgi",
    "socket" => "/tmp/php.socket",
    "max-procs" => 1, # default: 2
    "idle-timeout" => 20,
    "bin-environment" => (
      "PHP_FCGI_CHILDREN" => "3", # default: 4
      "PHP_FCGI_MAX_REQUESTS" => "10000"
    ),
    "bin-copy-environment" => (
      "PATH", "SHELL", "USER"
    ),
    "broken-scriptfilename" => "enable"
  )))
Add to /etc/hosts.allow:
www: 127.0.0.1
When you want to use the web server, call /etc/rc.d/lighttpd start.
MySQL
# prt-get depinst mysql php-mysql php-mysqli php-fcgi
# mysql_install_db
# mysqladmin -u root password <password_here>
Comment out skip-innodb and skip-networking in /etc/my.cnf. Start
the daemon when needed.
ioquake installs per-user, so this is very neat. Visit the
website and download the engine download and the data installer. Use
install path ~/local/bin and binary path ~/bin. Install the data files
with the same settings (leave tick boxes as they are). Then take
pak0.pk3 from copy of Quake III Arena and drop this into
~/local/bin/ioquake3/baseq3. To run, edit .xinitrc to set
ioquake3 as window manager and re-login.
Other resources
- The CRUX handbook, of course
- An alternative installation guide by Dapper Dan
- The only other CRUX thread on Linux Forums, afaict
- The only information I can find on setting up full disc encryption with CRUX
- K.Mandla’s blog, who inspired me to try out CRUX
- K.Mandla on building an ultralight kernel
- The Arch wiki, the best place for guides on this semi-minimalist style of GNU/Linux computing
- On X11 font rendering:
- Password-protecting LILO at various levels
- StarCraft II on the Arch wiki
- Some daemons may still write some logs; if this happens, nuke them and hope they weren’t important. Yes, there are probably better approaches.↩