In WSLv2 there is a way to limit the resources (CPU/memory) of your Linux distro, to get better performance on your Win10.
To give you an example, this is how it starts on my HP-G5:
~$ free -m
total used free shared buff/cache available
Mem: 12659 68 12555 0 34 12425
Swap: 4096 0 4096
~$ grep -Ec proc /proc/cpuinfo
8
8 CPU threads, 12G
wslconfig
To define your specs, open cmd and change to your user profile directory
~> cd %UserProfile%
Verify that your WSL distros are stopped:
~> wsl.exe -l -v
NAME STATE VERSION
* Archlinux Running 2
Ubuntu-20.04 Stopped 1
~> wsl.exe -t Archlinux -v
~> wsl.exe -l -v
NAME STATE VERSION
* Archlinux Stopped 2
Ubuntu-20.04 Stopped 1
and terminate wsl
~> wsl.exe --shutdown
Create a new (or edit your previous) wsl config file
~> notepad.exe .wslconfig
My current setup is
~> type .wslconfig
[wsl2]
memory=4GB # Limits VM memory in WSL 2 to 4 GB
processors=2 # Makes the WSL 2 VM use two virtual processors
swap=2GB # How much swap space to add to the WSL2 VM. 0 for no swap file.
swapFile=C:\\wsl2-swap.vhdx
As you can see, I want 4GB of RAM and 2 CPUs, but I also want a 2GB swap file.
Edit this file according to your needs. The full settings can be found here wsl/wsl-config.
Reminder: you have to shut down WSL
wsl.exe --shutdown
WSLv2 Limited
Now start your fav linux distro and verify
~$ grep -Ec proc /proc/cpuinfo
2
~$ grep -Ei MemTotal /proc/meminfo
MemTotal: 4028776 kB
~$ free
total used free shared buff/cache available
Mem: 4028776 46348 3947056 64 35372 3848616
Swap: 2097152 0 2097152
that’s it !
GitLab is my favorite online git hosting provider, and I really love the CI feature (which most of the online project providers are now also starting to support).
Archlinux uses git and you can find everything here: Arch Linux git repositories
There are almost 2500 packages there! There are 6500 in core/extra/community (primary repos) and almost 55k Packages in AUR, the Archlinux User Repository.
We are going to use git to retrieve our PKGBUILD from aur archlinux as an example.
The same can be done with one of the core packages by using the above git repo.
So here is a very simple .gitlab-ci.yml file that we can use to build an archlinux package in gitlab
image: archlinux/base:latest

before_script:
  - export PKGNAME=tallow

run-build:
  stage: build
  artifacts:
    paths:
      - "*.pkg.tar.xz"
    expire_in: 1 week
  script:
    # Create "Bob the Builder" !
    - groupadd bob && useradd -m -c "Bob the Builder" -g bob bob
    # Update archlinux and install git
    - pacman -Syy && pacman -Su --noconfirm --needed git base-devel
    # Git Clone package repository
    - git clone https://aur.archlinux.org/$PKGNAME.git
    - chown -R bob:bob $PKGNAME/
    # Read PKGBUILD
    - source $PKGNAME/PKGBUILD
    # Install Dependencies
    - pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}"
    # Let Bob the Builder, build package
    - su - bob -s /bin/sh -c "cd $(pwd)/$PKGNAME/ && makepkg"
    # Get artifact
    - mv $PKGNAME/*.pkg.tar.xz ./
You can use this link to verify the above example: tallow at gitlab
But let me explain the steps:
- First we create a user, Bob the Builder, because in archlinux we cannot build a package as root, for security reasons.
- Then we update our container and install git and the base-devel group. This group contains all relevant archlinux packages for building a new one.
- After that, we git clone the package repo.
- Install any dependencies. This is a neat trick that I’ve found in the archlinux forum: using the source command to create shell variables (arrays).
- Now it is time for Bob to build the package !
- and finally, we move the artifact into our local folder.
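The `source $PKGNAME/PKGBUILD` step runs the PKGBUILD in the root shell of the job, before Bob takes over. As an added example (not part of the original post or of any Arch tooling), the script below reads the same dependency lists from the `.SRCINFO` file that AUR repositories carry next to the PKGBUILD, without executing anything. `srcinfo_deps` and `sample_srcinfo` are hypothetical names and the sample data is constructed.

```sh
#!/bin/sh
# Added example: list build and runtime dependencies from .SRCINFO
# (plain "key = value" metadata) without executing the PKGBUILD.

# srcinfo_deps FILE [ARCH] prints one dependency per line, de-duplicated.
# It exits 1 if any value is not a plain dependency string.
srcinfo_deps() {
    awk -v arch="${2:-x86_64}" '
        {
            sub(/^[ \t]+/, "")              # entries are tab-indented
            i = index($0, " = ")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 3)
            if (key != "depends" && key != "makedepends" &&
                key != ("depends_" arch) && key != ("makedepends_" arch)) next
            # Accept only name[<op>version]; a value such as "--root=/x"
            # must never reach pacman, where it would be read as an option.
            if (val !~ /^[A-Za-z0-9@_+][A-Za-z0-9@._+-]*([<>=]+[A-Za-z0-9.:_+~-]+)?$/) {
                print "rejected: " val > "/dev/stderr"
                bad = 1
                next
            }
            if (!seen[val]++) print val
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input in .SRCINFO layout (not a real AUR package).
sample_srcinfo() {
    printf 'pkgbase = demo\n'
    printf '\t%s\n' 'pkgver = 1.0' 'pkgrel = 1' 'arch = x86_64' \
        'makedepends = cmake' 'makedepends = git' \
        'depends = json-c' 'depends = systemd>=240' \
        'depends_aarch64 = libfoo' 'optdepends = bar: extra feature'
    printf '\npkgname = demo\n\tdepends = json-c\n'
}

# Demo on the constructed sample. In the CI job this would stand in for
# "source $PKGNAME/PKGBUILD", for instance:
#   deps=$(srcinfo_deps "$PKGNAME/.SRCINFO") &&
#       pacman -S --noconfirm --needed --asdeps -- $deps
tmp=$(mktemp)
sample_srcinfo > "$tmp"
srcinfo_deps "$tmp" x86_64
rm -f "$tmp"
```

The build itself still runs the PKGBUILD, but only inside `makepkg` as the unprivileged user.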
TIL: arch-audit
In archlinux there is a package named: arch-audit that is
an utility like pkg-audit based on Arch CVE Monitoring Team data.
Install
# pacman -Ss arch-audit
community/arch-audit 0.1.10-1
# sudo pacman -S arch-audit
resolving dependencies...
looking for conflicting packages...
Package (1) New Version Net Change Download Size
community/arch-audit 0.1.10-1 1.96 MiB 0.57 MiB
Total Download Size: 0.57 MiB
Total Installed Size: 1.96 MiB
Run
# arch-audit
Package docker is affected by CVE-2018-15664. High risk!
Package gettext is affected by CVE-2018-18751. High risk!
Package glibc is affected by CVE-2019-9169, CVE-2019-5155, CVE-2018-20796, CVE-2016-10739. High risk!
Package libarchive is affected by CVE-2019-1000020, CVE-2019-1000019, CVE-2018-1000880, CVE-2018-1000879, CVE-2018-1000878, CVE-2018-1000877. High risk!
Package libtiff is affected by CVE-2019-7663, CVE-2019-6128. Medium risk!
Package linux-lts is affected by CVE-2018-5391, CVE-2018-3646, CVE-2018-3620, CVE-2018-3615, CVE-2018-8897, CVE-2017-8824, CVE-2017-17741, CVE-2017-17450, CVE-2017-17448, CVE-2017-16644, CVE-2017-5753, CVE-2017-5715, CVE-2018-1121, CVE-2018-1120, CVE-2017-1000379, CVE-2017-1000371, CVE-2017-1000370, CVE-2017-1000365. High risk!
Package openjpeg2 is affected by CVE-2019-6988. Low risk!
Package python-yaml is affected by CVE-2017-18342. High risk!. Update to 5.1-1 from testing repos!
Package sdl is affected by CVE-2019-7638, CVE-2019-7637, CVE-2019-7636, CVE-2019-7635, CVE-2019-7578, CVE-2019-7577, CVE-2019-7576, CVE-2019-7575, CVE-2019-7574, CVE-2019-7573, CVE-2019-7572. High risk!
Package sdl2 is affected by CVE-2019-7638, CVE-2019-7637, CVE-2019-7636, CVE-2019-7635, CVE-2019-7578, CVE-2019-7577, CVE-2019-7576, CVE-2019-7575, CVE-2019-7574, CVE-2019-7573, CVE-2019-7572. High risk!
Package unzip is affected by CVE-2018-1000035. Low risk!
This article will show how to install Arch Linux in Windows 10 under Windows Subsystem for Linux.
WSL
The prerequisite is to have WSL enabled on your Win10 and to have already rebooted your machine.
You can enable WSL :
- Windows Settings
- Apps
- Apps & features
- Related settings -> Programs and Features (bottom)
- Turn Windows features on or off (left)
Store
After rebooting your Win10, you can use Microsoft Store to install a Linux distribution like Ubuntu. Archlinux is not an officially supported linux distribution, thus this guide !
Launcher
The easiest way to install Archlinux (or any Linux distro) is to download the wsldl from github. This project provides a generic Launcher.exe and any rootfs as source base. First thing is to rename Launcher.exe to Archlinux.exe.
ebal@myworklaptop:~$ mkdir -pv Archlinux
mkdir: created directory 'Archlinux'
ebal@myworklaptop:~$ cd Archlinux/
ebal@myworklaptop:~/Archlinux$ curl -sL -o Archlinux.exe https://github.com/yuk7/wsldl/releases/download/18122700/Launcher.exe
ebal@myworklaptop:~/Archlinux$ ls -l
total 320
-rw-rw-rw- 1 ebal ebal 143147 Feb 21 20:40 Archlinux.exe
RootFS
Next step is to download the latest archlinux root filesystem and create a new rootfs.tar.gz archive file, as wsldl uses this type.
ebal@myworklaptop:~/Archlinux$ curl -sLO http://ftp.otenet.gr/linux/archlinux/iso/latest/archlinux-bootstrap-2019.02.01-x86_64.tar.gz
ebal@myworklaptop:~/Archlinux$ ls -l
total 147392
-rw-rw-rw- 1 ebal ebal 143147 Feb 21 20:40 Archlinux.exe
-rw-rw-rw- 1 ebal ebal 149030552 Feb 21 20:42 archlinux-bootstrap-2019.02.01-x86_64.tar.gz
ebal@myworklaptop:~/Archlinux$ sudo tar xf archlinux-bootstrap-2019.02.01-x86_64.tar.gz
ebal@myworklaptop:~/Archlinux$ cd root.x86_64/
ebal@myworklaptop:~/Archlinux/root.x86_64$ ls
README bin boot dev etc home lib lib64 mnt opt proc root run sbin srv sys tmp usr var
ebal@myworklaptop:~/Archlinux/root.x86_64$ sudo tar czf rootfs.tar.gz .
tar: .: file changed as we read it
ebal@myworklaptop:~/Archlinux/root.x86_64$ ls
README bin boot dev etc home lib lib64 mnt opt proc root rootfs.tar.gz run sbin srv sys tmp usr var
ebal@myworklaptop:~/Archlinux/root.x86_64$ du -sh rootfs.tar.gz
144M rootfs.tar.gz
ebal@myworklaptop:~/Archlinux/root.x86_64$ sudo mv rootfs.tar.gz ../
ebal@myworklaptop:~/Archlinux/root.x86_64$ cd ..
ebal@myworklaptop:~/Archlinux$ ls
Archlinux.exe archlinux-bootstrap-2019.02.01-x86_64.tar.gz root.x86_64 rootfs.tar.gz
ebal@myworklaptop:~/Archlinux$
ebal@myworklaptop:~/Archlinux$ ls
Archlinux.exe rootfs.tar.gz
ebal@myworklaptop:~$ mv Archlinux/ /mnt/c/Users/EvaggelosBalaskas/Downloads/ArchlinuxWSL
ebal@myworklaptop:~$
As you can see, I do a little clean up and I move the directory under windows filesystem.
Install & Verify
Microsoft Windows [Version 10.0.17134.619]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\EvaggelosBalaskas>cd Downloads/ArchlinuxWSL
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>dir
Volume in drive C is Windows
Volume Serial Number is 6C02-EE43
Directory of C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL
21-Feb-19 21:04 <DIR> .
21-Feb-19 21:04 <DIR> ..
21-Feb-19 20:40 143,147 Archlinux.exe
21-Feb-19 20:52 150,178,551 rootfs.tar.gz
2 File(s) 150,321,698 bytes
2 Dir(s) 374,579,486,720 bytes free
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>Archlinux.exe
Installing...
Installation Complete!
Press any key to continue...
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>Archlinux.exe run uname -a
Linux myworklaptop 4.4.0-17134-Microsoft #523-Microsoft Mon Dec 31 17:49:00 PST 2018 x86_64 GNU/Linux
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>Archlinux.exe run cat /etc/os-release
NAME="Arch Linux"
PRETTY_NAME="Arch Linux"
ID=arch
BUILD_ID=rolling
ANSI_COLOR="0;36"
HOME_URL="https://www.archlinux.org/"
DOCUMENTATION_URL="https://wiki.archlinux.org/"
SUPPORT_URL="https://bbs.archlinux.org/"
BUG_REPORT_URL="https://bugs.archlinux.org/"
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>Archlinux.exe run bash
[root@myworklaptop ArchlinuxWSL]#
[root@myworklaptop ArchlinuxWSL]# exit
Archlinux
C:\Users\EvaggelosBalaskas\Downloads\ArchlinuxWSL>Archlinux.exe run bash
[root@myworklaptop ArchlinuxWSL]#
[root@myworklaptop ArchlinuxWSL]# date
Thu Feb 21 21:41:41 STD 2019
Remember, archlinux by default does not have any configuration. So you need to configure this instance !
Here is some basic configuration:
[root@myworklaptop ArchlinuxWSL]# echo nameserver 8.8.8.8 > /etc/resolv.conf
[root@myworklaptop ArchlinuxWSL]# cat > /etc/pacman.d/mirrorlist <<'EOF'
Server = http://ftp.otenet.gr/linux/archlinux/$repo/os/$arch
EOF
[root@myworklaptop ArchlinuxWSL]# pacman-key --init
[root@myworklaptop ArchlinuxWSL]# pacman-key --populate
[root@myworklaptop ArchlinuxWSL]# pacman -Syy
you are pretty much ready to use archlinux inside your windows 10 !!
Remove
You can remove Archlinux by simply running:
Archlinux.exe clean
Default User
There is a simple way to use Archlinux within Windows Subsystem for Linux, by connecting as a default user.
But before configuring ArchWSL, we need to create this user inside the archlinux instance:
[root@myworklaptop ArchWSL]# useradd -g 374 -u 374 ebal
[root@myworklaptop ArchWSL]# id ebal
uid=374(ebal) gid=374(ebal) groups=374(ebal)
[root@myworklaptop ArchWSL]# cp -rav /etc/skel/ /home/ebal
'/etc/skel/' -> '/home/ebal'
'/etc/skel/.bashrc' -> '/home/ebal/.bashrc'
'/etc/skel/.bash_profile' -> '/home/ebal/.bash_profile'
'/etc/skel/.bash_logout' -> '/home/ebal/.bash_logout'
[root@myworklaptop ArchWSL]# chown -R ebal:ebal /home/ebal/
then exit the linux app and run:
> Archlinux.exe config --default-user ebal
and try to login again:
> Archlinux.exe run bash
[ebal@myworklaptop ArchWSL]$
[ebal@myworklaptop ArchWSL]$ cd ~
ebal@myworklaptop ~$ pwd -P
/home/ebal
Prologue
Security
One of the most common security concerns (especially when traveling) is the attachment of an unknown USB device to our system.
There are a few ways to protect your system.
Hardware Protection
Cloud Storage
More and more companies are now moving from local storage to cloud storage as a way to reduce the attack surface on systems:
IBM a few days ago, banned portable storage devices
Hot Glue on USB Ports
also we must not forget the old but powerful advice from security researchers & hackers:
by inserting glue or using a Hot Glue Gun to disable the USB ports of a system.
Problem solved!
USBGuard
I was reading the redhat 7.5 release notes and I came upon usbguard:
The USBGuard software framework helps to protect your computer against rogue USB devices (a.k.a. BadUSB) by implementing basic whitelisting / blacklisting capabilities based on device attributes.
USB protection framework
So the main idea is that you run a daemon on your system that tracks the udev monitor system. The idea seems like the usb kill switch but in a more controlled manner. You can dynamically whitelist and/or blacklist devices and change the policy on such devices more easily. Also you can do all that via a graphical interface, although I will not cover it here.
Archlinux Notes
for archlinux users, you can find usbguard in AUR (Archlinux User Repository)
or you can try my custom PKGBUILDs files
How to use usbguard
Generate Policy
The very first thing is to generate a policy with the current attached USB devices.
sudo usbguard generate-policy
Below is an example output, viewing my usb mouse & usb keyboard :
allow id 17ef:6019 serial "" name "Lenovo USB Optical Mouse" hash "WXaMPh5VWHf9avzB+Jpua45j3EZK6KeLRdPcoEwlWp4=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "3-4" with-interface 03:01:02
allow id 045e:00db serial "" name "Natural\xc2\xae Ergonomic Keyboard 4000" hash "lwGc9o+VaG/2QGXpZ06/2yHMw+HL46K8Vij7Q65Qs80=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "1-1.5" with-interface { 03:01:01 03:00:00 }
The default policy for already attached USB devices is allow.
We can create our rules configuration file by:
sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'
Service
starting and enabling usbguard service via systemd:
systemctl start usbguard.service
systemctl enable usbguard.service
List of Devices
You can view the list of attached USB devices and
sudo usbguard list-devices
Allow Device
Attaching a new USB device (in my case, my mobile phone):
$ sudo usbguard list-devices | grep -v allow
we will see that the default policy is to block it:
17: block id 12d1:107e serial "7BQDU17308005969" name "BLN-L21" hash "qq1bdaK0ETC/thKW9WXAwawhXlBAWUIowpMeOQNGQiM=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "2-1.5" with-interface { ff:ff:00 08:06:50 }
So we can allow it by:
sudo usbguard allow-device 17
then
sudo usbguard list-devices | grep BLN-L21
we can verify that is okay:
17: allow id 12d1:107e serial "7BQDU17308005969" name "BLN-L21" hash "qq1bdaK0ETC/thKW9WXAwawhXlBAWUIowpMeOQNGQiM=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "2-1.5" with-interface { ff:ff:00 08:06:50 }
Block USB on screen lock
The default policy when you (or someone else) insert a new USB device:
sudo usbguard get-parameter InsertedDevicePolicy
apply-policy
is to apply the policy we already have. There is a way to block or reject any new USB device while your screen locker is on, as this may be a potential security attack on your system. In theory, you insert USB devices while you are working on your system, and not while your screen is locked.
I use slock as my primary screen locker via a keyboard shortcut. So the easiest way to dynamically change the default policy on usbguard is via a shell wrapper:
vim /usr/local/bin/slock
#!/bin/sh
# ebal, Sun, 13 May 2018 10:07:53 +0300
POLICY_UNLOCKED="apply-policy"
POLICY_LOCKED="reject"
# function to revert the policy
revert() {
    usbguard set-parameter InsertedDevicePolicy "${POLICY_UNLOCKED}"
}
# POSIX sh takes signal names without the SIG prefix
trap revert HUP INT TERM
# reject newly inserted devices while the screen is locked
usbguard set-parameter InsertedDevicePolicy "${POLICY_LOCKED}"
/usr/bin/slock
# slock has exited (screen unlocked): revert the reject policy
revert
(you can find the same example on redhat’s blog post).
How to install Signal Desktop on archlinux
Download Signal Desktop
eg. latest version v1.0.41
$ curl -s https://updates.signal.org/desktop/apt/pool/main/s/signal-desktop/signal-desktop_1.0.41_amd64.deb \
-o /tmp/signal-desktop_1.0.41_amd64.deb
Verify Package
There is a way to manually verify the integrity of the package, by checking the hash value of the file against a gpg signed file. To do that we need to add a few extra steps in our procedure.
Download Key from the repository
$ wget -c https://updates.signal.org/desktop/apt/keys.asc
--2017-12-11 22:13:34-- https://updates.signal.org/desktop/apt/keys.asc
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Connecting to 127.0.0.1:8118... connected.
Proxy request sent, awaiting response... 200 OK
Length: 3090 (3.0K) [application/pgp-signature]
Saving to: ‘keys.asc’
keys.asc 100%[============================================================>] 3.02K --.-KB/s in 0s
2017-12-11 22:13:35 (160 MB/s) - ‘keys.asc’ saved [3090/3090]
Import the key to your gpg keyring
$ gpg2 --import keys.asc
gpg: key D980A17457F6FB06: public key "Open Whisper Systems <support@whispersystems.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
You can also verify/get the public key from a known key server:
$ gpg2 --verbose --keyserver pgp.mit.edu --recv-keys 0xD980A17457F6FB06
gpg: data source: http://pgp.mit.edu:11371
gpg: armor header: Version: SKS 1.1.6
gpg: armor header: Comment: Hostname: pgp.mit.edu
gpg: pub rsa4096/D980A17457F6FB06 2017-04-05 Open Whisper Systems <support@whispersystems.org>
gpg: key D980A17457F6FB06: "Open Whisper Systems <support@whispersystems.org>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Here the key is already in place, so no changes.
Download Release files
$ wget -c https://updates.signal.org/desktop/apt/dists/xenial/Release
$ wget -c https://updates.signal.org/desktop/apt/dists/xenial/Release.gpg
Verify Release files
$ gpg2 --no-default-keyring --verify Release.gpg Release
gpg: Signature made Sat 09 Dec 2017 04:11:06 AM EET
gpg: using RSA key D980A17457F6FB06
gpg: Good signature from "Open Whisper Systems <support@whispersystems.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DBA3 6B51 81D0 C816 F630 E889 D980 A174 57F6 FB06
That means that the Release file is signed by whispersystems and that the integrity of the file has not been changed/compromised.
Download Package File
We need one more file and that is the Packages file that contains the hash values of the deb packages.
$ wget -c https://updates.signal.org/desktop/apt/dists/xenial/main/binary-amd64/Packages
But is this file compromised?
Let’s check it against Release file:
$ sha256sum Packages
ec74860e656db892ab38831dc5f274d54a10347934c140e2a3e637f34c402b78 Packages
$ grep ec74860e656db892ab38831dc5f274d54a10347934c140e2a3e637f34c402b78 Release
ec74860e656db892ab38831dc5f274d54a10347934c140e2a3e637f34c402b78 1713 main/binary-amd64/Packages
yeay !
Verify deb Package
Finally we are now ready to manually verify the integrity of the deb package:
$ sha256sum signal-desktop_1.0.41_amd64.deb
9cf87647e21bbe0c1b81e66f88832fe2ec7e868bf594413eb96f0bf3633a3f25 signal-desktop_1.0.41_amd64.deb
$ egrep 9cf87647e21bbe0c1b81e66f88832fe2ec7e868bf594413eb96f0bf3633a3f25 Packages
SHA256: 9cf87647e21bbe0c1b81e66f88832fe2ec7e868bf594413eb96f0bf3633a3f25
Perfect, we are now ready to continue
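The manual chain above can be scripted. This is an added example, not part of the original post: it pins the signature to a fingerprint you obtained from an independent source (gpg's WARNING above means the key itself was taken on trust), and it ties each hash to its path and size, since a bare `grep` only shows that the hash appears somewhere in the index. All function names are hypothetical and the sample files are constructed; `verify_release_sig` assumes `gpg2` with the key already imported.

```sh
#!/bin/sh
# Added example: check Release -> Packages -> .deb by path, size and SHA256,
# rather than grepping for a hash that may belong to a different file.

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }
size_of()   { wc -c < "$1" | tr -d ' '; }

# True if Release.gpg is a valid signature made by the pinned primary key.
# $3 is the 40-hex-digit fingerprint, without spaces, e.g. the one printed
# above: DBA36B5181D0C816F630E889D980A17457F6FB06
verify_release_sig() {  # $1=Release.gpg  $2=Release  $3=fingerprint
    gpg2 --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        grep -Eq "^\[GNUPG:\] VALIDSIG .* $3\$"
}

# Print "<sha256> <size>" that Release records for an index path.
release_entry() {  # $1=Release  $2=path such as main/binary-amd64/Packages
    awk -v want="$2" '
        /^SHA256:/ { insec = 1; next }
        /^[^ ]/    { insec = 0 }
        insec && $3 == want { print $1, $2; exit }
    ' "$1"
}

# Print "<sha256> <size>" from the Packages stanza whose Filename matches.
packages_entry() {  # $1=Packages  $2=Filename such as pool/main/d/demo.deb
    awk -v want="$2" '
        function emit() {
            if (fn == want && sha != "") { print sha, size; found = 1 }
            fn = sha = size = ""
        }
        /^$/          { emit(); if (found) exit; next }
        /^Filename: / { fn = $2 }
        /^SHA256: /   { sha = $2 }
        /^Size: /     { size = $2 }
        END           { if (!found) emit() }
    ' "$1"
}

# True if the file has exactly the recorded hash and size.
matches() {  # $1=file  $2="<sha256> <size>"
    [ -n "$2" ] && [ "$(sha256_of "$1") $(size_of "$1")" = "$2" ]
}

# Returns 0 if the chain holds, 1 if Packages fails, 2 if the .deb fails.
verify_chain() {  # $1=Release $2=Packages $3=index path $4=.deb $5=Filename
    matches "$2" "$(release_entry "$1" "$3")" || return 1
    matches "$4" "$(packages_entry "$2" "$5")" || return 2
}

# Build constructed sample files (not Signal's real metadata) in directory $1.
make_fixture() {
    printf 'constructed stand-in for a .deb\n' > "$1/demo.deb"
    printf 'abc' > "$1/other.deb"
    {
        printf 'Package: other\nFilename: pool/main/o/other.deb\n'
        printf 'Size: %s\nSHA256: %s\n\n' \
            "$(size_of "$1/other.deb")" "$(sha256_of "$1/other.deb")"
        printf 'Package: demo\nFilename: pool/main/d/demo.deb\n'
        printf 'Size: %s\nSHA256: %s\n' \
            "$(size_of "$1/demo.deb")" "$(sha256_of "$1/demo.deb")"
    } > "$1/Packages"
    printf 'Origin: constructed\nSHA256:\n %s %s main/binary-amd64/Packages\n' \
        "$(sha256_of "$1/Packages")" "$(size_of "$1/Packages")" > "$1/Release"
}

# Demo on the constructed files.
dir=$(mktemp -d)
make_fixture "$dir"
verify_chain "$dir/Release" "$dir/Packages" main/binary-amd64/Packages \
    "$dir/demo.deb" pool/main/d/demo.deb && echo "chain verified"
rm -rf "$dir"
```

Against the real files, call `verify_release_sig Release.gpg Release <fingerprint>` first and run `verify_chain` only if it succeeds.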
Extract under tmp filesystem
$ cd /tmp/
$ ar vx signal-desktop_1.0.41_amd64.deb
x - debian-binary
x - control.tar.gz
x - data.tar.xz
Extract data under tmp filesystem
$ tar xf data.tar.xz
Move Signal-Desktop under root filesystem
# sudo mv opt/Signal/ /opt/Signal/
Done
Actually, that’s it!
Run
Run signal-desktop as a regular user:
$ /opt/Signal/signal-desktop
Signal Desktop
Proxy
Define your proxy settings on your environment:
declare -x ftp_proxy="proxy.example.org:8080"
declare -x http_proxy="proxy.example.org:8080"
declare -x https_proxy="proxy.example.org:8080"
Signal
Some time ago, I wrote this article: How to create an archlinux docker image from the latest bootstrap but I think the below approach is even better.
Step 0
This step is optional.
If you want to reduce the size of the docker image:
# vi /etc/pacman.conf
and add the below lines:
NoExtract = usr/lib/firmware/*
NoExtract = usr/lib/modules/*
NoExtract = usr/share/locale/*
NoExtract = usr/share/man/*
Step 1
Create the latest archlinux on a temporary directory:
# mkdir -pv /tmp/latestarchlinux/var/lib/pacman
# pacman -Syy -r /tmp/latestarchlinux/
# pacman -S base -r /tmp/latestarchlinux/ --noconfirm
Step 2
Dockerize the above directory:
# cd /tmp/latestarchlinux/
# tar -c . | docker import - archlinux:latest
99a9d7cd2e357f2463b4bb8f3ad1e8bea4bfc10531dfac1931004405727bf035
Step 3
Actually, you’re done !
Just play with it already.
# docker run -t -i --rm archlinux:latest bash
[root@de9b7a1d6058 /]#
This is a basic archlinux installation on a UEFI machine with encrypted disk, using lvm partitions and a btrfs filesystem in ~16min
archlinux-2015.06.01 from ebalaskas on Vimeo.
my (basic) notes:
ip a
ip r
gdisk -l /dev/sda
gdisk /dev/sda
o
Y
p
n
[enter]
+256M
L
ef02
n
[enter]
[enter]
[enter]
[enter]
w
gdisk -l /dev/sda
mkfs.fat -F32 /dev/sda1 -n BOOTFS
cryptsetup luksFormat /dev/sda2
cryptsetup luksDump /dev/sda2
cryptsetup luksOpen /dev/sda2 encrypted
cryptsetup status /dev/mapper/encrypted
pvcreate /dev/mapper/encrypted
pvdisplay
vgcreate Vol0 /dev/mapper/encrypted
vgdisplay
lvcreate -L 2G Vol0 -n swapfs
lvcreate -l +100%FREE Vol0 -n rootfs
lvdisplay
mkswap -L swapfs /dev/Vol0/swapfs
swapon /dev/Vol0/swapfs
free
mkfs.btrfs -L rootfs /dev/Vol0/rootfs
mount /dev/Vol0/rootfs /mnt/
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
pacstrap /mnt base
arch-chroot /mnt
pacman -S vim-minimal btrfs-progs grub efibootmgr
vim /etc/mkinitcpio.conf
add hooks: encrypt lvm2 btrfs
mkinitcpio -p linux
grub-install --target=x86_64-efi --efi-directory=/boot /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
vim !$
cryptdevice=/dev/sda2:encrypted
exit
genfstab -p /mnt >> /mnt/etc/fstab
reboot
Docker is a wonderful application for creating development images quick and not-so-dirty.
I am working -mostly- on archlinux so here are the steps:
[~]> wget -c ftp://ftp.otenet.gr/pub/linux/archlinux/iso/latest/archlinux-bootstrap-2015.03.01-x86_64.tar.gz
[~]> tar xf archlinux-bootstrap-2015.03.01-x86_64.tar.gz
[~]> cd root.x86_64
[~]> tar cf archlinux-bootstrap-2015.03.01-x86_64.tar .
[~]> docker import - archlinux:bootstrap < archlinux-bootstrap-2015.03.01-x86_64.tar
after that you should update the docker image:
$ docker run -t -i --rm archlinux:bootstrap bash
# echo 'Server = http://ftp.otenet.gr/linux/archlinux/$repo/os/$arch' > /etc/pacman.d/mirrorlist
# pacman-key --init
# pacman-key --populate archlinux
# pacman -Syuvw
# pacman -Suv
to save your changes, open a new terminal and:
[~]> docker commit -p -m "archlinux bootstrap latest" -a USERNAME DOCKER_ID archlinux:bootstrap
replace your username and your docker_id accordingly.
You can now exit from your docker image.
To help you even more, check out this video i’ve made:
archlinux docker bootstrap image from Evaggelos Balaskas on Vimeo.
so a few days ago xfce released 4.12 !!!
I keep my own custom local repository and just found the time to update my xfce to the latest version !
my PKGBUILDs are mostly a template of the below file (git repo)
# Contributor: Evaggelos Balaskas < Evaggelos _AT_ Balaskas _DOT_ GR >
# Maintainer: Evaggelos Balaskas < Evaggelos _AT_ Balaskas _DOT_ GR >
_pkg=xfwm4
pkgname=$_pkg-git
pkgver=git
pkgrel=1
arch=('any')
pkgdesc="Xfce's window manager"
_cat='xfce'
_fqdn='git.xfce.org'
url="http://$_fqdn/$_cat/$_pkg"
license=('GPL v2')
depends=(libwnck exo)
makedepends=(automake autoconf libtool gcc m4 pkg-config intltool)
optdepends=(startup-notification)
conflicts=($_pkg)
provides=($_pkg)
replaces=($_pkg)
_gitroot="git://$_fqdn/$_cat"
_gitname=$_pkg
pkgver() {
    date +%Y%m%d
}
build() {
    if [ -d $_gitname ] ; then
        msg "cd $_gitname && git pull origin"
        cd $_gitname && git pull origin
        msg "The local files are updated."
    else
        msg "git clone $_gitroot/$_gitname"
        git clone $_gitroot/$_gitname
        msg "The local files are updated."
    fi
    cd $srcdir/$_pkg
    ./autogen.sh --prefix=/usr --disable-debug
    make
}
package() {
    cd $srcdir/$_pkg
    make DESTDIR=$pkgdir install
}
The result is something like this:
If you want to check my entire xfce custom repo, just click xfce-core_4.12.zip
UPDATE
I used this order of installation:
xfce4-dev-tools-git
libxfce4util-git
xfconf-git
libxfce4ui-git
exo-git
xfwm4-git
thunar-git
xfdesktop-git
thunar-volman-git
gtk-xfce-engine-git
tumbler-git
garcon-git
xfce4-appfinder-git
xfce4-panel-git
xfce4-session-git
xfce4-settings-git
Today’s work : A dockerfile to build an archlinux image with sshd
You can find my notes here: Dockerfile notes
I am a very proud member of Athen’s Hackerspace.
I am enjoying the entire 3+ years time (and money) that i’ve spend at this hackerspace. Love it.
Today was a very productive day.
A good friend of mine and I are working to set up an ansible, docker, btrfs workshop !
We want to contribute back to the community and we thought that this is a great opportunity.
We are not gurus or anything like that - no, we just want to share the knowledge we are getting by spending time at hackerspace. Nothing more, nothing less. Just share our feedback to all the people that have helped us till now.
So, we are working together (collaboration), making small steps towards building this workshop.
Today’s work: Creating a tiny compressed archlinux docker image.
My instruction set is documented here: archlinux installation for docker.
Hopefully my next blog post will be about a simple ssh docker file.
We are trying to keep simple notes so that many people can read and use them.
archlinux chose to remove TCP wrappers from its core packages a couple of years ago.
You can read all about this here.
This is how to imitate the tcp wrapper (by the way Wietse Venema rocks! ) functionality with iptables and a source range.
iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 158.255.214.14-158.255.214.15 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
Why i chose archlinux as my primary desktop distro.
a non technical approach
I am using linux for personal and work related use, from 2002 on a daily basis. I work as a unix system engineer, so i think of myself as an intermediate user and not a newbie. Not at least on the majority of linux things, cause things are changing too fast and we must adapt to the new world. In this blog post, i will not write down my linux history but i believed that a prologue should be in place, so everybody (me and you) have the same context.
I am using archlinux from May 2009 so it’s almost four years now. You could say that i got around archlinux as a mistake (i was using ubuntu at that time and a space character after “rm -rf /usr /local/src/something” made me remove my /usr folder) but the test i’ve made (installing archlinux) that evening changed my life.
Why i chose archlinux ?
at that point, I had three options:
a. fedora
b. archlinux
c. freebsd
I had used fedora before 2009 and i wasn’t impressed. At that time ubuntu was the only true choice for someone like me. So the next step was installing archlinux or freebsd. I chose archlinux cause it is a Linux distro and not unix.
So i took a risk.
What i did know about archlinux at that time:
- archlinux was a binary distro
- archlinux didn’t have any configuration/automate tool
- didn’t have a nice installer but only a text based menu
- archlinux had the best wiki i’ve ever seen
- archlinux had a large active forum
- archlinux had an impressive amount of packages at the default repositories
- archlinux had an EVEN more impressive amount of packages at AUR
- archlinux had a simple text file for reconfiguring a package (PKGBUILD)
- all of the archlinux packages were as close as the upstream had just uploaded !
i didn’t know much about archlinux and all of those obvious things i’ve learned in just a few days.
From the first day - i wanted to contribute somehow to that amazing distro.
So the first gallery of archlinux installation had been published in the next couple of hours
What i learned in the next couple of days.
- archlinux has a simple to use/configure package manager, called by archers pacman ! neat
- archlinux DOES NOT setup Xorg !
- archlinux doesn’t have any configure/automate tool
wait a minute - i knew that already, but there is NONE
if you want to setup your network - you must know how to do it.
You need to read manual pages for breakfast and do it all by hand.
There isn’t any tool to setup anything.
Audio ? you must put yourself in the right group and you have to read the wiki.
You have to learn.
And it was perfect for me. I’ve learned so much just by using it and i am still learning.
Any big changes ?
Yes there are some things i didn’t like and the main problem is the attitude of arch devs. They are intelligent people and document everything but they make hard decisions that none of the archers around the globe appreciate - at least at the current moment.
I mean, remove tcp wrappers cause the last version was ten years ago ?
stupid, right ?
- Change your /lib to /usr/lib
- Convert your init to systemd
- Remove the text base menu installer !!!
(still pretty angry about that)
- grub2 as a default boot loader the same day that gnu released an announcement that grub is legacy!
and some other things that people don’t get along with.
There was a time that updating your linux kernel meant you had no system after that!
So what about now ?
what i know now about archlinux
- archlinux is a binary distro
- archlinux doesn’t have any configuration/automate tool
- archlinux has the best wiki i’ve ever seen
- archlinux has a large active forum
- archlinux has an impressive amount of packages at the default repositories
- archlinux has an EVEN more impressive amount of packages at AUR
- archlinux has a simple text file for reconfiguring a package (PKGBUILD)
- all of the archlinux packages are as close as the upstream uploads them !
so … this is the most stable linux distro i have ever used !
The feeling of understanding and knowing your linux distro is underappreciated by every other linux distro user cause you need to learn linux.
What about pacman ?
Till archlinux, i had the feeling that the package manager of a distro isn’t that important.
You add packages, you remove packages and every now and then you upgrade packages.
Every six or nine or 12 months you have to dist-upgrade your distro version.
And then … there is pacman !
pacman is a strong package manager that uses simple text files that describe how to build a package.
PKGBUILDs are easy to read and easy to hack. So you can have your own packages in just a few minutes.
Archlinux is a rolling distro. You are always on the latest version.
Is it stable ?
I don’t see how it shouldn’t be!
Security updates are just a moment away, as the upstream uploads a new version of their software
Non free code? non opensource codecs ? doesn’t matter. We just want to have an awesome desktop distro.
I want to use vlc to play mp3 and divx - i care enough about opensource, but i also don’t care enough to be an evangelist
or make my life difficult.
Yes the stable versions of the packages aren’t tested enough but let’s face it,
it’s just how the opensource world works! You find a bug - you are yelling to the internet.
Perhaps you are the first one that had a problem with this new version of program.
So it’s for you to contribute.
Same policy as fedora project, or unstable debian.
Are there any cons ?
yes there are, it’s a bleeding edge linux distro.
you have to upgrade your machine at least every week.
You need to read the news section first,
you need to read the wiki,
you need to read the manual pages.
So if all of those are cons, then that’s it.
Your system is broken ?
You can blame Alan for that.
Everybody else does that - why not you ?
There are actual times that he blames himself too.
So everybody happy - you have someone to blame.
Learn and adopt archlinux.
You need time to adopt - i understand that.
But you need just one evening, then it’s all there - at the wiki.
Greek community ?
yes and no
They (we ?) keep a low profile. None of the “major” players attract attention.
We (they ?) just use the archlinux forum/irc/wiki to interact with others.
There is a greek site - just to translate the news section (mostly).
So give it a spin - if you have a couple hours to spare - and start using,
perhaps the last linux distro you’ll ever use.
Reading v13’s blog post about Raspberry Pi under QEMU I was inspired to do a similar post for archlinux.
This is the easy-way (you can find a lot of copylefts here) !
Step Zero: Download the archlinux version of raspberry pi
Go to the archlinux arm site and download the disk image: archlinux-hf-2013-06-06.img
Decompress the image
$ unzip archlinux-hf-2013-06-06.zip
and here you are !
Step One: Find a proper kernel to boot the disk image
V13 built his own kernel - I am lazy !
From xecdesign I’ve downloaded their kernel:
wget -c http://xecdesign.com/downloads/linux-qemu/kernel-qemu
Step Two: You are ready to boot your archlinuxarm disk image:
tldr note:
qemu-system-arm \
  -kernel kernel-qemu \
  -cpu arm1176 \
  -m 256 \
  -M versatilepb \
  -no-reboot -serial stdio \
  -append "root=/dev/sda2 panic=0" \
  -hda archlinux-hf-2013-06-06.img
Step Three: Play
a summary - without notes
assuming you are using an http server
cd /var/www/html/
mkdir -pv archlinux/x86_64/
cd archlinux/
wget -c http://ftp.otenet.gr/linux/archlinux/iso/latest/arch/aitab
wget -c http://ftp.otenet.gr/linux/archlinux/iso/latest/arch/checksum.x86_64.md5
cd x86_64/
wget -c http://ftp.otenet.gr/linux/archlinux/iso/latest/arch/boot/x86_64/vmlinuz
wget -c http://ftp.otenet.gr/linux/archlinux/iso/latest/arch/boot/x86_64/archiso.img
wget -c http://ftp.otenet.gr/linux/archlinux/iso/latest/arch/x86_64/root-image.fs.sfs
add these lines to your pxelinux.cfg/default file
LABEL ArchLinux x86_64
MENU LABEL ArchLinux x86_64
KERNEL http://10.10.10.1/archlinux/x86_64/vmlinuz
INITRD http://10.10.10.1/archlinux/x86_64/archiso.img
APPEND ip=dhcp archiso_http_srv=http://10.10.10.1 archisobasedir=archlinux/ checksum=y
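An added example, not part of the original post: before pointing clients at the tree with checksum=y, the mirrored files can be checked on the server against the downloaded checksum.x86_64.md5. It assumes the manifest is in md5sum(1) format with paths relative to the archlinux/ directory; verify_tree, unlisted and make_sample are hypothetical names and the sample tree is constructed.

```shell
#!/bin/sh
# Added example. Assumption: the manifest uses md5sum(1) format,
# "HASH  relative/path", relative to the served directory.

# verify_tree DIR MANIFEST: print OK/MISMATCH/MISSING/REJECT per entry;
# return 0 only when every listed file exists and matches.
verify_tree() {
    dir=$1; manifest=$2; rc=0
    [ -r "$manifest" ] || { echo "NO-MANIFEST"; return 2; }
    while read -r want path; do
        [ -n "$want" ] || continue
        path=${path#\*}                      # md5sum binary-mode marker
        case $path in                        # never follow paths out of DIR
            /*|..|../*|*/..|*/../*) echo "REJECT $path"; rc=1; continue ;;
        esac
        if [ ! -f "$dir/$path" ]; then echo "MISSING $path"; rc=1; continue; fi
        have=$(md5sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then echo "OK $path"
        else echo "MISMATCH $path"; rc=1; fi
    done < "$manifest"
    return "$rc"
}

# unlisted DIR MANIFEST: files under DIR that no manifest line covers,
# i.e. files that a manifest check alone never verifies.
unlisted() {
    (cd "$1" && find . -type f | sed 's|^\./||' | sort) | while read -r f; do
        awk -v f="$f" '{p=$2; sub(/^\*/,"",p)} p==f {hit=1} END {exit !hit}' "$2" \
            || echo "$f"
    done
}

# Constructed sample tree mirroring the layout above (file contents are fake).
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/x86_64" || return 1
    echo "fake aitab" > "$d/aitab"
    echo "fake squashfs" > "$d/x86_64/root-image.fs.sfs"
    echo "fake kernel" > "$d/x86_64/vmlinuz"
    (cd "$d" && md5sum aitab x86_64/root-image.fs.sfs > checksum.x86_64.md5)
    echo "$d"
}
```

An MD5 manifest fetched over plain HTTP from the same mirror catches a truncated or corrupted download, not a modified one, and unlisted shows which served files the manifest does not cover at all.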
I’ve recently bought a new laptop.
It has a hybrid disk (470G HDD and a 30G SSD).
On the 30G ssd disk I’ve rsynced my archlinux from my previous laptop to the new one.
The boot process takes almost a full two minutes !
I thought I was drifting to the dark side and my sanity wasn’t as good as a couple of days ago.
After asking on the archlinux forum, they suggested using
# journalctl -b
I have found that there was an entry at /etc/crypttab (that doesn’t exist) and the timeout was almost 90 seconds.
Comment that out and then 14sec to login !!!
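An added example, not part of the original post: a check that flags crypttab entries whose source device is absent, the condition that stalled the boot above. The DEVROOT parameter, the function names and the sample crypttab are hypothetical and constructed so the check can run against a test tree; only UUID= and /dev/ device specifications are resolved.

```shell
#!/bin/sh
# Added example: find crypttab entries that point at a device that is not there.

# resolve SPEC DEVROOT: print the path a crypttab device field refers to
resolve() {
    case $1 in
        UUID=*) echo "$2/disk/by-uuid/${1#UUID=}" ;;
        /dev/*) echo "$2${1#/dev}" ;;
        *)      echo "$1" ;;              # e.g. a regular file as backing store
    esac
}

# check_crypttab FILE [DEVROOT]: print "STALE name device" for entries the
# boot would wait on, "IGNORED name device" for absent devices marked
# noauto or nofail; return 1 if any entry is STALE.
check_crypttab() {
    file=$1; devroot=${2:-/dev}; rc=0
    while read -r name dev key opts; do
        case $name in ''|\#*) continue ;; esac      # blank lines, comments
        [ -e "$(resolve "$dev" "$devroot")" ] && continue
        case ",$opts," in
            *,noauto,*|*,nofail,*) echo "IGNORED $name $dev" ;;
            *) echo "STALE $name $dev"; rc=1 ;;
        esac
    done < "$file"
    return "$rc"
}

# Constructed sample: one present device, one stale entry, one noauto entry.
sample_crypttab() {
    cat <<'EOF'
# <name>  <device>                                   <password>    <options>
home      UUID=11111111-2222-3333-4444-555555555555  none          luks
swap      /dev/sdb9                                  /dev/urandom  swap
backup    UUID=99999999-0000-0000-0000-000000000000  none          luks,noauto
EOF
}
```

On a real machine, `check_crypttab /etc/crypttab` uses /dev as the device root.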
I was thinking of converting to systemd for quite some time now.
So every time someone mentioned something about systemd (on the internet), I was reading his/her story as if my life depended on it.
I am using archlinux so when I’ve read Jason’s blog post,
I was very happy. After a few days, Allan posted a similar post
and that was the moment I told myself: “It’s time, I can blame Allan for breaking my system”
I run this command
# pacman -S systemd systemd-arch-units systemd-sysvcompat
and removed sysvinit & initscripts also.
Noticed that /etc/rc.conf became /etc/rc.conf.pacsave
and rebooted my machine.
How difficult is that ?
There were also a few steps that I needed to do.
Your reading material is here: Archlinux systemd and systemd services.
After that it was trivial to enable my services.
I have only a few of them:
# grep DAEMONS /etc/rc.conf.pacsave
DAEMONS=(syslog-ng network crond dbus avahi-daemon cupsd xinetd)
I use static network at work.
Followed this link to create my network service.
vim /etc/conf.d/network
vim /etc/systemd/system/network.service
# systemctl status network
# systemctl enable network.service
# systemctl status syslog-ng
# systemctl enable syslog-ng.service
be aware that cron is cronie !
systemctl status crond.service
systemctl enable cronie.service
systemctl status avahi-daemon
systemctl enable avahi-daemon.service
dbus was already enabled
systemctl status dbus
be aware that cupsd is cups
systemctl status cupsd
systemctl enable cups.service
and finally
systemctl status xinetd
systemctl enable xinetd.service
It was simpler than converting from grub to grub2 !
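An added example, not part of the original post: the walk-through above as a script that reads the DAEMONS line from the saved rc.conf and reports which systemd units to enable and which have no unit file. It assumes the array sits on one line and that unit files live in /usr/lib/systemd/system; unit_for, plan_units and sample_rc_conf are hypothetical names, and only the two renames named in the post are mapped.

```shell
#!/bin/sh
# Added example: map the old rc.conf DAEMONS array to systemd units.

# unit_for NAME: systemd unit for an initscripts daemon name. Only the two
# renames from the post are known; everything else keeps its name.
unit_for() {
    case $1 in
        crond) echo cronie.service ;;
        cupsd) echo cups.service ;;
        *)     echo "$1.service" ;;
    esac
}

# plan_units FILE [UNITDIR]: print one line per DAEMONS entry:
#   "enable UNIT"   unit file found in UNITDIR
#   "missing UNIT"  no such unit file (package not installed, or renamed)
#   "skip UNIT"     entry was disabled with a leading "!" in rc.conf
plan_units() {
    unitdir=${2:-/usr/lib/systemd/system}
    line=$(grep -E '^[[:space:]]*DAEMONS=\(' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    list=${line#*\(}; list=${list%%\)*}
    for d in $list; do
        case $d in
            \!*) echo "skip $(unit_for "${d#\!}")"; continue ;;
            @*)  d=${d#@} ;;          # "@" only meant "start in background"
        esac
        unit=$(unit_for "$d")
        if [ -e "$unitdir/$unit" ]; then echo "enable $unit"
        else echo "missing $unit"; fi
    done
}

# Constructed sample: the DAEMONS line shown in the post.
sample_rc_conf() {
    echo 'DAEMONS=(syslog-ng network crond dbus avahi-daemon cupsd xinetd)'
}
```

Each "enable" line corresponds to one `systemctl enable` call from the post; a "missing" line is the case to look up by hand, as with crond and cupsd.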
New installation guide, with screenshots,
for Arch Linux based on installation media 2012.08.04
Archlinux NetInstall based on media 2012.08.04
This guide doesn’t use any automated script or menu installer.