Getting started with Arch Linux

Arch Linux is a community developed, x86-64 GNU/Linux distribution based on a rolling-release model.
Rolling-release is a very different model from my longtime favourite Linux distro Debian, which roughly every two years makes a new stable release with packages locked to a specific version, receiving only security patches and bugfixes until the next release. Debian strives for stability by minimizing change, since change might bring in system-breaking surprises. It's an excellent Linux for servers.
Arch is not like that. The idea is the system will receive a continuous, incremental stream of updates to the latest stable versions of software. Below is my walk-through of the excellent installation guide and the choices I make along the way to create a basic encrypted Arch environment.
My setup
- Target device boots to UEFI
- Wired network connection
- Arch is the sole OS on a single disk
- GPT partition table with two partitions:
  - EFI boot partition (ESP)
  - encrypted partition (LUKS)
- LVM on encrypted partition with root and home LVs
- Unlock with single passphrase
- Systemd-boot as bootloader
1. Pre-installation
1.1 Prepare USB install media
Download and verify checksums for archlinux-VERSION-x86_64.iso. Prepare a USB storage device as an installer using one of these two methods.
1.1.1 Ventoy
I now use Ventoy to create a multiboot installer. Simply copy an iso to the USB device, reboot, and the auto-generated menu lists all the disk images available to boot. See: Create a multiboot USB installer with Ventoy
1.1.2 dd
Write the installer to an unmounted USB storage device using the dd command as root.
BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.
Example: On a Linux system, if a USB device appears as sdx1, then write the installer to sdx (no partition number) ...
dd if=archlinux-VERSION-x86_64.iso of=/dev/sdx bs=4M status=progress oflag=sync
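The checksum verification from step 1.1, as an added example that is not part of the original walkthrough: the function name verify_iso and the file name sha256sums.txt are assumptions. It fails closed when the list has no entry for the ISO, instead of silently verifying nothing.

```shell
#!/bin/sh
# Added example (not from the original guide).
# verify_iso ISO SUMS_FILE
#   exit 0: the SHA-256 listed for ISO in SUMS_FILE matches the file
#   exit 1: hash mismatch (corrupted or altered download)
#   exit 2: SUMS_FILE has no entry for this ISO name
verify_iso() {
    iso_path=$1
    sums_file=$2
    iso_name=$(basename "$iso_path")

    # sha256sum lists are "<hash>  <name>" or "<hash> *<name>" (binary mode).
    # Match the name field exactly so "foo.iso" never matches "foo.iso.sig".
    expected=$(awk -v n="$iso_name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' \
        "$sums_file")

    if [ -z "$expected" ]; then
        echo "no entry for $iso_name in $sums_file" >&2
        return 2
    fi

    actual=$(sha256sum "$iso_path" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $iso_name"
        return 0
    fi
    echo "MISMATCH: $iso_name" >&2
    return 1
}

# Usage, before running dd or copying the image to Ventoy:
#   verify_iso archlinux-VERSION-x86_64.iso sha256sums.txt
```

A checksum fetched from the same mirror as the ISO only detects corruption. Authenticity comes from the detached PGP signature published next to the ISO, which an existing Arch system can check with `pacman-key -v archlinux-VERSION-x86_64.iso.sig`.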
1.2 Boot live environment
Insert the installer in the target device and boot. The live environment logs in automatically as root.
Optional: Continue install from another Linux system via SSH.
Enable SSH ...
systemctl start sshd.service
Set password for root ...
passwd
Look up IP address ...
ip a
Now, from the other system, ssh into the Arch installer ...
ssh root@ip.address.of.arch-installer
1.3 Console keyboard layout
Default console keymap is us. List available layouts ...
localectl list-keymaps
Optional: Load a preferred keymap (example: colemak) ...
loadkeys colemak
1.4 Verify boot mode
If UEFI mode is enabled on a UEFI motherboard, Archiso will boot Arch Linux accordingly via systemd-boot.
Verify by listing contents of efivars ...
ls /sys/firmware/efi/efivars
If the directory does not exist, the system is booted in BIOS mode.
1.5 Connect to internet
Ethernet: auto-configured.
Wireless: see wireless network configuration and iwd.
1.6 Update system clock
timedatectl set-ntp true
timedatectl status
1.7 Set disk for install
Identify disks with lsblk -f.
Set disk for install (example: sdX) ...
export disk="/dev/sdX"
1.8 Delete old partition scheme
wipefs -af $disk
sgdisk --zap-all --clear $disk
1.9 Optional: Wipe disk
Wipe disk by using the dd command to fill space with random data (this may take some time) ...
dd if=/dev/urandom of=${disk} bs=4096 status=progress
1.10 Partition disk
Use sgdisk to create partitions.
List partition type codes ...
sgdisk --list-types
Set up for a single SSD with a GPT partition table that contains two partitions:
- partition 1 - EFI boot partition (ESP) - size 1GiB, code ef00
- partition 2 - encrypted partition (LUKS) - remaining storage, code 8309
sgdisk -n 0:0:+1GiB -t 0:ef00 -c 0:esp $disk
sgdisk -n 0:0:0 -t 0:8309 -c 0:luks $disk
Print the new partition table...
sgdisk -p $disk
In lieu of using a partition or swapfile as system swap, post-installation I assign space in memory using zram.
1.11 Encrypt linux partition
Initialize the LUKS partition ...
cryptsetup --type luks2 -y -v luksFormat ${disk}2
1.12 Logical Volume Manager (LVM)
Open the LUKS device mapped to cryptdev ...
cryptsetup open ${disk}2 cryptdev
Create physical volume...
pvcreate /dev/mapper/cryptdev
Create volume group vg ...
vgcreate vg /dev/mapper/cryptdev
1.13 LV containers
1.13.1 Root LV
If $disk is <= 128GB, I create a single root LV container and assign it 90% of free space ...
lvcreate -l +90%FREE vg -n root
1.13.2 Root + home LVs
Otherwise, I create separate root and home LVs. It's a more flexible arrangement, and makes any re-install or parallel install of a Linux OS easier (while leaving user files untouched).
Create an LV container for root and assign 30G of disk space ...
lvcreate -L 30G vg -n root
Create an LV container for home and assign +90% of free space ...
lvcreate -l +90%FREE vg -n home
View modifications ...
lvdisplay
1.14 Format the partitions
ESP partition is formatted vfat, and the Linux LVs ext4 ...
mkfs.vfat -F32 -n ESP ${disk}1
mkfs.ext4 /dev/vg/root
If separate home LV was created ...
mkfs.ext4 /dev/vg/home
1.15 Mount file systems
mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/disk/by-label/ESP /mnt/boot
Again, if separate home exists ...
mkdir /mnt/home
mount /dev/vg/home /mnt/home
2. Installation
2.1 Select mirrors
Synchronize package databases ...
pacman -Syy
Generate a new mirror selection using reflector.
Example: Verbosely select the 5 most recently synchronized HTTPS mirrors located in either Canada or Germany, sort them by download speed, and overwrite mirrorlist ...
reflector --verbose --protocol https --latest 5 --sort rate --country Canada --country Germany --save /etc/pacman.d/mirrorlist
2.2 Install base system
Install the base system on target device.
In addition, install an appropriate microcode package to load updates and security fixes from processor vendors.
View cpuinfo ...
grep vendor_id /proc/cpuinfo
Depending on the processor, install either:
- intel-ucode for Intel processors
- amd-ucode for AMD processors
Example for an Intel processor (on AMD, substitute amd-ucode for intel-ucode) ...
pacstrap /mnt base base-devel intel-ucode linux linux-firmware bash-completion cryptsetup curl htop lvm2 man-db neovim networkmanager openssh reflector sudo terminus-font tmux
3. Configure system
3.1 Fstab
genfstab -U -p /mnt >> /mnt/etc/fstab
3.2 Chroot
arch-chroot /mnt /bin/bash
3.3 Hostname
Assign a hostname (example: foobox) ...
echo "foobox" > /etc/hostname
Add matching entries to /etc/hosts ...
cat > /etc/hosts <<EOF
127.0.0.1 localhost
::1 localhost
127.0.1.1 foobox.localdomain foobox
EOF
3.4 Locale
Set locale (example: en_CA.UTF-8) ...
locale="en_CA.UTF-8"
sed -i "s/^#\(${locale}\)/\1/" /etc/locale.gen
echo "LANG=${locale}" > /etc/locale.conf
locale-gen
3.5 Console font and keymap
Set a default font (example: terminus ter-224n) ...
echo "FONT=ter-v22n" > /etc/vconsole.conf
Set a keyboard layout choice (example: colemak) ...
echo "KEYMAP=colemak" >> /etc/vconsole.conf
3.6 Editor
Set a system-wide default editor (example: neovim) ...
echo "EDITOR=nvim" > /etc/environment && echo "VISUAL=nvim" >> /etc/environment
3.7 HOOKS
Add the systemd, keyboard, sd-vconsole, sd-encrypt, and lvm2 hooks to /etc/mkinitcpio.conf ...
HOOKS=(base systemd keyboard autodetect sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)
Order of the hooks is important:
- systemd - For systemd-based initramfs.
- keyboard - Good idea to place this hook before autodetect to include all keyboard drivers in initramfs. Systems that boot with different hardware configurations (example: laptops used both with USB external and built-in keyboards) require this at boot to unlock the encrypted device.
- sd-vconsole - Loads the specified keymap and font set in vconsole.conf. This hook must come before the sd-encrypt hook.
- sd-encrypt - Required for encrypted root partition. This hook must be placed after the systemd hook.
- lvm2 - Required for a root filesystem on LVM. This must come before filesystems.
Recreate the initramfs image ...
mkinitcpio -P
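A check for the ordering rules listed above, to run before mkinitcpio -P. This is an added example, not part of the original walkthrough; check_hooks and hook_pos are hypothetical helper names, and it assumes HOOKS=(...) sits on a single line as in the sample above.

```shell
#!/bin/sh
# Added example (not from the original guide).

# hook_pos HOOK "LIST": print the 1-based position of HOOK in LIST, 0 if absent.
hook_pos() {
    printf '%s\n' "$2" | tr -s ' ' '\n' |
        awk -v h="$1" '$0 == h { print NR; found = 1; exit }
                       END { if (!found) print 0 }'
}

# check_hooks FILE: exit 0 if the HOOKS line satisfies every rule,
# 1 if a hook is missing or misordered, 2 if no HOOKS line is found.
check_hooks() {
    # Commented-out lines are skipped; the last active HOOKS= line wins.
    hooks=$(sed -n 's/^[[:space:]]*HOOKS=(\(.*\)).*$/\1/p' "$1" | tail -n 1)
    if [ -z "$hooks" ]; then
        echo "no HOOKS=(...) line in $1" >&2
        return 2
    fi
    bad=0
    # Each rule is "first second": both present, first before second.
    # These are the four constraints stated in the list above.
    for rule in "systemd sd-encrypt" "keyboard autodetect" \
                "sd-vconsole sd-encrypt" "lvm2 filesystems"; do
        first=${rule% *}
        second=${rule#* }
        p1=$(hook_pos "$first" "$hooks")
        p2=$(hook_pos "$second" "$hooks")
        if [ "$p1" -eq 0 ]; then
            echo "missing hook: $first"; bad=1
        elif [ "$p2" -eq 0 ]; then
            echo "missing hook: $second"; bad=1
        elif [ "$p1" -gt "$p2" ]; then
            echo "order: $first must come before $second"; bad=1
        fi
    done
    return "$bad"
}

# Usage inside the chroot:
#   check_hooks /etc/mkinitcpio.conf && mkinitcpio -P
```

A misordered sd-encrypt or lvm2 hook otherwise only shows up at the next boot, when the initramfs cannot unlock or find the root LV.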
3.8 Timezone
Set desired timezone (example: America/Toronto) and update system clock ...
ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc
3.9 Root password
Assign password to root ...
passwd
3.10 Add user
Create user (example: foo) with superuser privileges ...
useradd -m -G wheel -s /bin/bash foo
passwd foo
Activate wheel group access for sudo ...
sed -i "s/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/" /etc/sudoers
3.11 Boot loader
Install systemd-boot ...
bootctl --esp-path=/boot install
Create /boot/loader/loader.conf ...
cat > /boot/loader/loader.conf <<EOF
default arch.conf
timeout 3
console-mode max
editor yes
EOF
Determine the UUID of the encrypted partition, which is pasted into the boot entry created in the next step ...
blkid -s UUID -o value ${disk}2
Create /boot/loader/entries/arch.conf:
- UUID-OF-LUKS-PARTITION is replaced with the string returned by blkid
- cryptdev is the mapped device used earlier
- /dev/vg/root is the LV holding the root filesystem
title Arch
linux /vmlinuz-linux
# On an AMD CPU use /amd-ucode.img instead
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=UUID-OF-LUKS-PARTITION=cryptdev root=/dev/vg/root rw
List boot loader entries ...
bootctl list
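Generating the boot entry instead of pasting the UUID by hand, as an added example that is not part of the original walkthrough. render_entry and ucode_image are hypothetical helper names; the mapper name cryptdev and root LV /dev/vg/root are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide).

# ucode_image VENDOR_ID: microcode image for the vendor_id from /proc/cpuinfo.
ucode_image() {
    case $1 in
        GenuineIntel) echo /intel-ucode.img ;;
        AuthenticAMD) echo /amd-ucode.img ;;
        *) echo "unknown CPU vendor: '$1'" >&2; return 1 ;;
    esac
}

# render_entry LUKS_UUID VENDOR_ID: print the contents of arch.conf.
render_entry() {
    uuid=$1
    # blkid prints a LUKS UUID as 8-4-4-4-12 lowercase hex. An empty or
    # malformed value (for example blkid run on the wrong device path; on
    # NVMe disks the second partition is ${disk}p2, not ${disk}2) would
    # produce an entry that boots to a failed unlock, so refuse to write it.
    if ! printf '%s\n' "$uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "not a UUID: '$uuid'" >&2
        return 1
    fi
    ucode=$(ucode_image "$2") || return 1
    cat <<EOF
title Arch
linux /vmlinuz-linux
initrd ${ucode}
initrd /initramfs-linux.img
options rd.luks.name=${uuid}=cryptdev root=/dev/vg/root rw
EOF
}

# Usage inside the chroot (assumes $disk is still set from step 1.7):
#   vendor=$(awk '/vendor_id/ { print $3; exit }' /proc/cpuinfo)
#   render_entry "$(blkid -s UUID -o value "${disk}2")" "$vendor" \
#       > /boot/loader/entries/arch.conf
```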
3.12 Network manager
Enable networkmanager to start at boot ...
systemctl enable NetworkManager
Wired network connection activated by default. Run nmtui and choose Activate a connection to set up a wireless connection.
3.13 SSH
Enable openssh server ...
systemctl enable sshd.service
After the install is complete and system has rebooted, secure remote access using SSH keys.
3.14 Reboot
Exit chroot and reboot ...
exit
umount -R /mnt
reboot
4. Post-installation
4.1 Check for errors
Failed systemd services ...
systemctl --failed
High priority errors in the systemd journal ...
journalctl -p 3 -xb
4.2 Sudo
Allow a user (example: foo) to execute superuser commands using sudo without being prompted for a password.
Create the file /etc/sudoers.d/sudoer_foo with ...
echo "foo ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoer_foo
4.3 Pacman
Bring the spirit of Pacman to the package manager with the ILoveCandy option.
Modify /etc/pacman.conf ...
# Misc options
Color
ILoveCandy
Update system ...
$ sudo pacman -Syu
4.4 Update systemd-boot
Create the hooks directory ...
$ sudo mkdir /etc/pacman.d/hooks
Automatically update the boot manager whenever a new version of systemd-boot is installed by creating /etc/pacman.d/hooks/100-systemd-boot.hook ...
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Updating systemd-boot
When = PostTransaction
Exec = /usr/bin/bootctl update
4.5 Mirrors
As during the install, use reflector to generate a fresh mirrorlist.
Set parameters in /etc/xdg/reflector/reflector.conf ...
--save /etc/pacman.d/mirrorlist
--protocol https
--country Canada,Germany
--latest 5
--sort rate
Reflector ships with a systemd service and timer: /usr/lib/systemd/system/reflector.{service,timer}
Enable and start the timer (default is weekly update, edit reflector.timer to change) ...
$ sudo systemctl enable --now reflector.timer
4.6 Linux LTS kernel
See: Install the LTS kernel in Arch Linux
4.7 Fallback boot entries
Every time a kernel is installed or upgraded, mkinitcpio creates two initial ramdisk images:
1. A default image as per instructions in /etc/mkinitcpio.conf and /etc/mkinitcpio.d
2. A fallback image that includes a whole range of modules built-in and bootable on most systems.
Create boot entries for these fallback images by copying /boot/loader/entries/arch.conf to /boot/loader/entries/arch-fallback.conf.
Modify the copied arch-fallback.conf with fallback settings ...
title Arch fallback
[...]
initrd /initramfs-linux-fallback.img
4.8 Use zram for swap
Create a swap device in RAM with the kernel module zram. See: Use zram for swap
4.9 Command: 'locate'
$ sudo pacman -S mlocate
$ sudo updatedb
Package mlocate contains an updatedb.timer unit, which invokes a database update each day. The timer is enabled after install.
4.10 SSD
Periodic TRIM optimizes performance on SSD storage. Enable a weekly task that discards unused blocks on the drive ...
$ sudo systemctl enable fstrim.timer
4.11 Command-not-found
Automatically search the official repositories when entering an unrecognized command, courtesy of pkgfile ...
$ sudo pacman -S pkgfile
$ sudo pkgfile --update
The package includes the systemd timer pkgfile-update.timer for automatically synchronizing the database. Activate daily updates ...
$ sudo systemctl enable pkgfile-update.timer
Edit ~/.bashrc ...
source /usr/share/doc/pkgfile/command-not-found.bash
4.12 Sound
Default Arch installation already includes the kernel sound system (ALSA). Install pipewire as sound server ...
$ sudo pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber alsa-utils
Reboot. Test ...
$ pactl info | grep Pipe
Server Name: PulseAudio (on PipeWire 0.3.48)
$ speaker-test -c 2 -t wav -l 1
4.13 AUR
The Arch User Repository (AUR) is a community-driven software package repository.
Compile/install/upgrade packages manually or use an AUR helper (example: yay).
Install ...
$ git clone https://aur.archlinux.org/yay-git.git
$ cd yay-git
$ makepkg -si
To install an AUR package (example: qt5-styleplugins) ...
$ yay -S qt5-styleplugins
4.14 Desktop
Many choices! Install a full-featured desktop such as GNOME, or put together a custom desktop built around a lightweight window manager. I like Openbox.
4.15 Arch news
Keep up-to-date with the latest news from the Arch development team by subscribing to arch-announce or the news feed:
Happy hacking!