Installing arch linux on my new desktop machine

After using arch linux for quite some time on my laptop, it’s time to move on to a new machine. So I’ll install arch again, this time taking a slightly different approach than on the laptop. Here I’ll describe all the steps I’ve taken to get arch up and running. It’s more a documentation for myself, but it might also be helpful to some.

A short info on the machine first: It’s an AMD A10 7870K with 16GB RAM, 2 SSDs (30GB and 500GB) and a 4 TB HDD.

This is a post from my old blog http://tech.cbjck.de. It has been moved here and slightly edited for better readability. It's also been adjusted to the new layout.
The content however is old and might be outdated.

Prepare boot medium

Download the dual-iso (for i386 and x64 architectures) and write the iso to a usb drive:

dd bs=4M if=Downloads/archlinux-20xx.xx.xx-dual.iso of=/dev/sdx && sync

Of course you can also burn it to a CD.

Prepare installation

Boot into the live system and prepare the installation, i.e. partition the disks, format the partitions and so on.

Language settings for the live system

Set keyboard layout:

loadkeys de-latin1

You could change the language now, but that’s not necessary. It will only affect the language of the live system, not the installed one. In /etc/locale.gen uncomment all locales you want to use (plus en_US). Use the UTF-8 variants.

nano /etc/locale.gen
en_US.UTF-8 UTF-8
de_DE.UTF-8 UTF-8

Generate the locales:

locale-gen
export LANG=de_DE.UTF-8

Establish an internet connection

In my case the (wired) internet connection just worked out of the box. Check it:

ping -c 3 heise.de

Update the system clock

Check whether your system clock is set correctly:

timedatectl status

You’ll probably see that ntpd is disabled. Switch it on:

timedatectl set-ntp true

Your system clock will now be set to UTC.

Prepare storage

Now things are getting different than last time. The two SSDs will be used for system and home, the large HDD for some data. I’ve decided to use encryption again, this time on top of LVM. So the two SSDs will form one volume group with encrypted filesystem on it for /, /var, /home and swap. The HDD will be used for data and configured later.

Preparing the disks

Partitioning scheme:

  • /dev/sda1 for EFI
  • /dev/sda2 for /boot
  • /dev/sda3 as physical volume for LVM
  • /dev/sdb1 as physical volume for LVM

I use

gdisk /dev/sda

to create a new GPT partition table (command o) and then create the following partitions (command n):

  1. sda1 – Size 512MiB, Partition Type EF00 for grub
  2. sda2 – Size 512MiB, Partition Type 8300 for /boot
  3. sda3 – remaining space, Partition Type 8E00 (LVM)

Then review the partition layout (p) and save to disk (w).
Repeat the same with /dev/sdb but only create one partition for LVM as in 3.

For security reasons the partitions for LVM should now be securely erased. Create a temporary encrypted container on the LVM partition /dev/sda3:

cryptsetup open --type plain /dev/sda3 container --key-file /dev/random

Make sure it is really there by using

lsblk

or

fdisk -l

Then wipe the container. The zeros written through the encrypted mapping end up on the disk as (pseudo-)random data:

dd if=/dev/zero of=/dev/mapper/container status=progress

and close it

cryptsetup close container

Repeat it with the other device (/dev/sdb1).

Prepare the logical volumes

First create the physical volumes

lvm pvcreate /dev/sda3
lvm pvcreate /dev/sdb1

then create the volume group vg_system

lvm vgcreate vg_system /dev/sda3 /dev/sdb1

Finally create the logical volumes:

lvm lvcreate -L 20G -n lv_root vg_system
lvm lvcreate -L 10G -n lv_var vg_system
lvm lvcreate -L 8G -n lv_swap vg_system
lvm lvcreate -l 100%FREE -n lv_home vg_system

Now encrypt the logical volume for /:

cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 -i 5000 /dev/vg_system/lv_root

Choose a strong password here. You will have to enter it every time you boot your machine. Then open the container, create a filesystem and mount it:

cryptsetup open /dev/vg_system/lv_root root
mkfs.ext4 /dev/mapper/root
mount /dev/mapper/root /mnt/

Encryption of the volumes for /var and /home has to be done a little differently, as you don’t want to enter three passwords on boot. So we use a key stored in /etc/luks-keys. This path does not yet exist on the target system, so we need to store the key temporarily and move it in place later on.

mkdir -m 700 /etc/luks-keys
dd if=/dev/random of=/etc/luks-keys/var bs=1 count=512
dd if=/dev/random of=/etc/luks-keys/home bs=1 count=512

Then encrypt the volumes, open them, create filesystems on them and mount them:

cryptsetup luksFormat -v -s 512 /dev/vg_system/lv_var /etc/luks-keys/var
cryptsetup -d /etc/luks-keys/var open --type luks /dev/vg_system/lv_var var
mkfs.ext4 /dev/mapper/var
mkdir /mnt/var
mount /dev/mapper/var /mnt/var
cryptsetup luksFormat -v -s 512 /dev/vg_system/lv_home /etc/luks-keys/home
cryptsetup -d /etc/luks-keys/home open --type luks /dev/vg_system/lv_home home
mkfs.ext4 /dev/mapper/home
mkdir /mnt/home
mount /dev/mapper/home /mnt/home

IMPORTANT: Don’t forget to copy the keys and set up crypttab later!

Prepare the boot partition

Overwrite the partition, create a filesystem on it and mount it:

dd if=/dev/zero of=/dev/sda2 bs=1M
mkfs.ext4 /dev/sda2
mkdir /mnt/boot
mount /dev/sda2 /mnt/boot

For the EFI partition:

dd if=/dev/zero of=/dev/sda1 bs=1M
mkfs.msdos -F 32 /dev/sda1
mkdir /mnt/boot/efi
mount /dev/sda1 /mnt/boot/efi

Install the base system

First edit the mirrorlist in /etc/pacman.d/mirrorlist and put your preferred mirror on top. You can use the Mirrorlist Generator to generate an updated mirrorlist for your country. As the edited list will be moved to the new system it does make sense to edit it.
Then install the base system by

pacstrap -i /mnt base

Create fstab

First generate an fstab file:

genfstab -p /mnt >> /mnt/etc/fstab

Have a look at it using the editor of your choice to make sure it is correct. As stated here you will want to add the discard option to support TRIM on SSDs.

Copy the LUKS-keys

created before to the new system and change root into the new system:

mkdir -m 700 /mnt/etc/luks-keys
cp /etc/luks-keys/var /mnt/etc/luks-keys/var
cp /etc/luks-keys/home /mnt/etc/luks-keys/home
arch-chroot /mnt /bin/bash

Set the hostname

echo computer_name > /etc/hostname

using the name of your computer of course.

Set your timezone

by linking the respective file:

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

Generate the locales

Open up /etc/locale.gen and uncomment all the locales you might need. Generate the locales using

locale-gen

Set your locale preferences to /etc/locale.conf

echo LANG=de_DE.UTF-8 > /etc/locale.conf

As keyboard, console font and network seem to be working out of the box I’ll just leave it at that for the moment.

Configure mkinitcpio

This will again be a little bit of work to get decryption running during boot.
Edit /etc/mkinitcpio.conf. Make sure the line setting HOOKS contains the following (among others):

HOOKS="... block keymap keyboard encrypt lvm2 ... shutdown"

It’s important to load keymap and keyboard before encryption, especially if you are not using a US keymap. You should also define

KEYMAP=de-latin1

in /etc/mkinitcpio.conf. shutdown is needed to unmount your /var partition as systemd cannot do this while writing its own shutdown log.
Then create the initial ram disk:

mkinitcpio -p linux
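
A pre-reboot check for the hook requirements described above, as an added example that is not part of the original post. The helper names hook_pos and check_hooks are hypothetical, and the sample HOOKS line is constructed by filling in the hooks the post elides.

```sh
#!/bin/sh
# Added example: check hook order in a mkinitcpio.conf before rebooting.
# hook_pos and check_hooks are hypothetical helper names.

# Print the 1-based position of hook $1 in the space-separated list $2.
hook_pos() {
    want=$1; i=0
    for h in $2; do
        i=$((i + 1))
        if [ "$h" = "$want" ]; then echo "$i"; return 0; fi
    done
    return 1
}

check_hooks() {
    conf=$1
    # Last uncommented HOOKS assignment; accepts HOOKS="..." and HOOKS=(...).
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=["(]\(.*\)[")].*$/\1/p' "$conf" | tail -n 1)
    if [ -z "$hooks" ]; then
        echo "no valid HOOKS= assignment (a space before = breaks it)"; return 2
    fi
    enc=$(hook_pos encrypt "$hooks") || { echo "encrypt hook missing"; return 1; }
    # The passphrase prompt needs the keyboard and the keymap loaded first.
    for early in keyboard keymap; do
        pos=$(hook_pos "$early" "$hooks") || { echo "$early hook missing"; return 1; }
        [ "$pos" -lt "$enc" ] || { echo "$early must come before encrypt"; return 1; }
    done
    # lvm2 activates the volume group, shutdown unmounts /var cleanly.
    for need in lvm2 shutdown; do
        hook_pos "$need" "$hooks" >/dev/null || { echo "$need hook missing"; return 1; }
    done
    echo "HOOKS ok"
}

# Constructed sample: the post's HOOKS line with the elided hooks filled in.
sample=$(mktemp)
echo 'HOOKS="base udev autodetect modconf block keymap keyboard encrypt lvm2 filesystems shutdown"' > "$sample"
check_hooks "$sample"
rm -f "$sample"
```

Run check_hooks against /etc/mkinitcpio.conf inside the chroot before regenerating the initial ram disk.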

Finish setting up encryption

In order to get encrypted /var, /home and swap working we still need to set up crypttab.
First add a swap partition to /etc/fstab by adding a line like this to the end of the file

/dev/mapper/swap        none    swap            sw              0       0

Adding the following line to /etc/crypttab will ensure that swap will be re-encrypted on each boot:

swap	/dev/vg_system/lv_swap	/dev/urandom	swap,cipher=aes-xts-plain64,size=256

The volumes for /var and /home are already in /etc/fstab, so we just need to ensure they get decrypted on boot. So add

var	/dev/vg_system/lv_var   /etc/luks-keys/var
home	/dev/vg_system/lv_home   /etc/luks-keys/home

to /etc/crypttab.
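
An audit of the key files that the crypttab entries above depend on, as an added example that is not part of the original post. The function name audit_crypttab and its root-prefix argument are hypothetical, and the demo tree is constructed from the three crypttab lines shown here.

```sh
#!/bin/sh
# Added example: audit the key files referenced by a crypttab.
# audit_crypttab and its root-prefix argument are hypothetical names.

audit_crypttab() {
    root=$1   # "" for the running system, /mnt when checking from the live ISO
    bad=0
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        case $key in
            ''|none|-) continue ;;   # passphrase prompt, no key file
            /dev/urandom|/dev/random)
                # A throwaway key only makes sense for swap or tmp volumes.
                case ",$opts," in
                    *,swap,*|*,tmp,*) ;;
                    *) echo "$name: random key without swap or tmp option"; bad=1 ;;
                esac
                continue ;;
        esac
        f=$root$key
        if [ ! -f "$f" ]; then
            echo "$name: key file $key missing"; bad=1
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            # Characters 5-10 of ls -l output are the group/other bits.
            echo "$name: key file $key accessible by group or others"; bad=1
        fi
    done < "$root/etc/crypttab"
    return "$bad"
}

# Constructed demo tree holding the three crypttab lines from this post.
demo=$(mktemp -d)
mkdir -p "$demo/etc/luks-keys"
cat > "$demo/etc/crypttab" <<'EOF'
swap /dev/vg_system/lv_swap /dev/urandom swap,cipher=aes-xts-plain64,size=256
var  /dev/vg_system/lv_var  /etc/luks-keys/var
home /dev/vg_system/lv_home /etc/luks-keys/home
EOF
: > "$demo/etc/luks-keys/var";  chmod 600 "$demo/etc/luks-keys/var"
: > "$demo/etc/luks-keys/home"; chmod 644 "$demo/etc/luks-keys/home"
audit_crypttab "$demo" || echo "fix the findings above before rebooting"
rm -rf "$demo"
```

With a umask of 022, key files created with dd and copied with cp as above typically end up mode 644 inside the 700 directory, so this check reports them until they are tightened with chmod 600.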
Encryption is almost done. The only thing missing is a bootloader, which also needs to be configured to work with encryption. I’ll be using grub.

Install bootloader

pacman -S grub efibootmgr

Now edit /etc/default/grub and make sure the grub kernel parameters look like this:

GRUB_CMDLINE_LINUX="cryptdevice=/dev/vg_system/lv_root:cryptoroot root=/dev/mapper/cryptoroot"

You might also want to set language and keymap:

GRUB_CMDLINE_LINUX_DEFAULT="quiet lang=de locale=de_DE.UTF-8"

Now install grub to the harddisk:

grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub --recheck

Configure grub

Automatically generate the general configuration files for grub:

grub-mkconfig -o /boot/efi/EFI/grub/grub.cfg

Finish setup and prepare for reboot

Finally set a password for root:

passwd

and exit the chroot environment:

exit

Unmount all the disks and reboot:

umount /mnt/boot/efi
umount /mnt/{boot,var,home}
reboot

After reboot

After reboot I had to start and enable a network service and decided to use dhcpcd. There are other choices like systemd-networkd as well.

systemctl enable dhcpcd
systemctl start dhcpcd

A graphical user interface is of course still missing. But that’s a different story.
