Getting started with Arch Linux

Last edited on 2022-04-11 Tagged under  #arch   #linux   #encrypt 

Arch Linux is a community developed, x86-64 GNU/Linux distribution based on a rolling-release model.

Rolling-release is a very different model from my longtime favourite Linux distro Debian, which roughly every two years makes a new stable release with packages locked to a specific version, receiving only security patches and bugfixes until the next release. Debian strives for stability by minimizing change, since change might bring in system-breaking surprises. It's an excellent Linux for servers.

Arch is not like that. The idea is the system will receive a continuous, incremental stream of updates to the latest stable versions of software. Below is my walk-through of the excellent installation guide and the choices I make along the way to create a basic encrypted Arch environment.

My setup

  • Target device boots to UEFI
  • Wired network connection
  • Arch is the sole OS on a single disk
  • GPT partition table with two partitions: an EFI boot partition (ESP) and an encrypted partition (LUKS)
  • LVM on encrypted partition with root and home LVs
  • Unlock system at boot with single passphrase
  • Systemd-boot as bootloader

1. Install

1.1 Prepare USB install media

Download and verify checksums for archlinux-RELEASE_VERSION-x86_64.iso.
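One way to do the checksum step, as an added example that is not part of the original guide: the function compares the ISO's SHA-256 against the entry for that exact filename in a checksum list and fails closed when no entry exists. The function name verify_iso and the list filename sha256sums.txt are assumptions; a checksum only detects corruption of the download, so the detached PGP signature published with the ISO should be checked as well.

```sh
#!/bin/sh
# Added example (not from the original guide): verify an ISO against a
# checksum list in "HASH  FILENAME" format, as produced by sha256sum.
# verify_iso is a hypothetical helper name.
verify_iso() {
    vi_iso=$1      # path to the downloaded ISO
    vi_sums=$2     # path to the checksum list from the download page
    [ -r "$vi_iso" ] && [ -r "$vi_sums" ] || {
        echo "verify_iso: cannot read ISO or checksum list" >&2; return 2; }
    vi_name=$(basename "$vi_iso")
    # Take the hash only from the line naming this exact file. A leading
    # "*" on the name marks binary mode in sha256sum output.
    vi_want=$(awk -v n="$vi_name" \
        '$2 == n || $2 == "*" n { print tolower($1); exit }' "$vi_sums")
    if [ -z "$vi_want" ]; then
        # Fail closed: no entry means nothing was verified.
        echo "verify_iso: no checksum entry for $vi_name" >&2
        return 3
    fi
    vi_have=$(sha256sum "$vi_iso" | awk '{ print $1 }')
    if [ "$vi_want" = "$vi_have" ]; then
        echo "OK: $vi_name"
        return 0
    fi
    echo "MISMATCH: $vi_name" >&2
    echo "  expected $vi_want" >&2
    echo "  actual   $vi_have" >&2
    return 1
}

# Typical call before writing the image to USB:
#   verify_iso archlinux-RELEASE_VERSION-x86_64.iso sha256sums.txt || exit 1
```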

Prepare a USB flash drive as an installer using one of these two methods:

Method #1: Ventoy

I now use Ventoy to create a multiboot installer. Simply copy archlinux-RELEASE_VERSION-x86_64.iso to the USB drive, reboot, and the auto-generated menu lists all the disk images available to boot.

Method #2: dd

Write the installer to an unmounted USB storage device using the dd command as root.

BE VERY CAREFUL TO NOTE THE PROPER DEVICE. ALL DATA ON THE DEVICE WILL BE OVERWRITTEN.

Example: Under Linux, if a USB device appears as sdx1, then write the installer to sdx (remove partition number) ...

sudo dd if=archlinux-RELEASE_VERSION-x86_64.iso of=/dev/sdx bs=4M status=progress oflag=sync

1.2 Boot installer

Insert the USB installer in the target device and boot. The installer logs in automatically as root.

1.2.1 Optional: Continue install from another Linux system via SSH

Enable SSH on the target device ...

systemctl start sshd.service

Set password for root ...

passwd

Look up IP address ...

ip a

Now, from the other system, ssh into the Arch installer ...

ssh root@ip.address.of.arch-installer

1.3 Keyboard layout

Default console keymap is us.

Optional: List available layouts ...

localectl list-keymaps

Load a different keymap (example: colemak) ...

loadkeys colemak

1.4 Verify boot mode

If UEFI mode is enabled on a UEFI motherboard, the installer will boot Arch Linux accordingly.

Verify system is booted via UEFI by listing contents of efivars ...

ls /sys/firmware/efi/efivars

If the directory does not exist, the system is booted in BIOS mode.

Note: If the target device has been manufactured within the last decade, chances are it's a UEFI-capable device. All my current devices use UEFI boot mode and this HOWTO is based on UEFI. Some of the instructions below - drive partitioning and GRUB setup in particular - will need to be modified if using BIOS mode. Check out the Arch Wiki for details.

1.5 Connect to internet

Ethernet: Auto-configured

Wireless: Wireless network configuration

1.6 Update system clock

timedatectl set-ntp true
timedatectl status

1.7 Set disk for install

Identify the internal storage device where Arch Linux will be installed by running lsblk -f.

Set a disk variable for use in installation commands.

Example: In this HOWTO I'm installing to my internal storage device identified as nvme0n1 ...

export disk="/dev/nvme0n1"

1.8 Delete old partition layout

wipefs -af $disk
sgdisk --zap-all --clear $disk
partprobe $disk

1.8.1 Optional: Zero out disk

Wipe disk by using dd command to fill space with data from /dev/zero ...

dd if=/dev/zero of=${disk} bs=4096 status=progress

1.9 Partition disk

Use sgdisk to create partitions.

List partition type codes ...

sgdisk --list-types

Layout for a single SSD with a GPT partition table that contains two partitions:

  • Partition 1 - EFI boot partition (ESP) - size 1GiB, code ef00
  • Partition 2 - encrypted partition (LUKS) - remaining storage, code 8309

sgdisk -n 0:0:+1GiB -t 0:ef00 -c 0:esp $disk
sgdisk -n 0:0:0 -t 0:8309 -c 0:luks $disk
partprobe $disk

Print the new partition table...

sgdisk -p $disk

In lieu of using a swapfile or dedicated swap partition as system memory, I create a swap device in RAM after the install is complete and I've rebooted into my new Arch environment.

Link: Managing partitions with sgdisk

1.10 Encrypt partition

If the disk variable created earlier was set as a nvme-type storage device (as it was in this HOWTO), then the LUKS partition will be ${disk}p2. Otherwise, it will be ${disk}2 (drop the p).

Initialize the LUKS-encrypted partition (partition #2) ...

cryptsetup --type luks2 -v -y luksFormat ${disk}p2

1.11 Logical Volume Manager (LVM)

Open the LUKS device and map it to cryptdev ...

cryptsetup open ${disk}p2 cryptdev

Create physical volume...

pvcreate /dev/mapper/cryptdev

Create volume group vg ...

vgcreate vg /dev/mapper/cryptdev

1.12 LV containers

1.12.1 Root LV

If $disk is <= 128GB, I create a single root LV container and assign it 90% of free space ...

lvcreate -l +90%FREE vg -n root

1.12.2 Root + home LVs

Otherwise, I create separate root and home LVs. It's a more flexible arrangement, and makes any re-install or parallel install of a Linux OS easier (while leaving user files untouched).

Create an LV container for root and assign 30G of disk space ...

lvcreate -L 30G vg -n root

Create an LV container for home and assign +90% of free space ...

lvcreate -l +90%FREE vg -n home

View modifications ...

lvdisplay

1.13 Format partitions

ESP partition (partition #1) is formatted with the vfat filesystem, and the Linux LVs use ext4 ...

mkfs.vfat -F32 -n ESP ${disk}p1
mkfs.ext4 /dev/vg/root

If separate home LV was created ...

mkfs.ext4 /dev/vg/home

1.14 Mount file systems

mount /dev/vg/root /mnt
mkdir /mnt/boot
mount /dev/disk/by-label/ESP /mnt/boot

Again, if separate home exists ...

mkdir /mnt/home
mount /dev/vg/home /mnt/home

1.15 Select package mirrors

Synchronize package databases ...

pacman -Syy

Generate a new mirror selection using reflector.

Example: Verbosely select the 5 most recently synchronized HTTPS mirrors located in either Canada or Germany, sort them by download speed, and overwrite mirrorlist ...

reflector --verbose --protocol https --latest 5 --sort rate --country Canada --country Germany --save /etc/pacman.d/mirrorlist

1.16 Install base system

Select an appropriate microcode package to load updates and security fixes from processor vendors.

View cpuinfo ...

grep vendor_id /proc/cpuinfo

Depending on the processor, set microcode for Intel ...

export microcode="intel-ucode"

For AMD ...

export microcode="amd-ucode"

Install the base system ...

pacstrap /mnt base base-devel ${microcode} linux linux-firmware bash-completion cryptsetup htop lvm2 man-db mlocate neovim networkmanager openssh pacman-contrib pkgfile reflector sudo terminus-font tmux

1.17 Fstab

genfstab -U -p /mnt >> /mnt/etc/fstab

2. Chroot

Chroot into the base system to configure ...

arch-chroot /mnt /bin/bash

2.1 Timezone

Set desired timezone (example: America/Toronto) and update the system clock ...

ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
hwclock --systohc

2.2 Hostname

Assign a hostname (example: foobox) ...

echo "foobox" > /etc/hostname

Add matching entries to /etc/hosts ...

cat > /etc/hosts <<EOF
127.0.0.1	localhost
::1         localhost
127.0.1.1	foobox.localdomain foobox
EOF

2.3 Locale

Set locale (example: en_CA.UTF-8) ...

export locale="en_CA.UTF-8"
sed -i "s/^#\(${locale}\)/\1/" /etc/locale.gen
echo "LANG=${locale}" > /etc/locale.conf
locale-gen

2.4 Font and keymap

Set a console font (example: terminus ter-v22n) ...

echo "FONT=ter-v22n" > /etc/vconsole.conf

Set a keyboard layout choice (example: colemak) ...

echo "KEYMAP=colemak" >> /etc/vconsole.conf

2.5 Editor

Set a system-wide default editor (example: neovim) ...

echo "EDITOR=nvim" > /etc/environment && echo "VISUAL=nvim" >> /etc/environment

2.6 Root password

Assign password to root ...

passwd

2.7 Add user

Create a user account (example: foo) with superuser privileges ...

useradd -m -G wheel -s /bin/bash foo
passwd foo

Activate wheel group access for sudo ...

sed -i "s/# %wheel ALL=(ALL:ALL) ALL/%wheel ALL=(ALL:ALL) ALL/" /etc/sudoers

2.8 NetworkManager

Enable NetworkManager to start at boot ...

systemctl enable NetworkManager

Wired network connection is activated by default. Run nmtui in the console and choose Activate a connection to set up a wireless connection.

2.9 SSH

Enable sshd server ...

systemctl enable sshd.service

After the install is complete and the system has rebooted, secure remote access using SSH keys.

2.10 Mkinitcpio

Set necessary HOOKS in /etc/mkinitcpio.conf ...

HOOKS=(base systemd keyboard autodetect sd-vconsole modconf block sd-encrypt lvm2 filesystems fsck)

Order of the hooks matters:

  • base - Sets up all initial directories and installs base utilities and libraries.
  • systemd - For systemd-based initramfs.
  • keyboard - Good idea to place this hook before autodetect to include all keyboard drivers in initramfs. Systems that boot with different hardware configurations (example: laptops used both with USB external and built-in keyboards) require this at boot to unlock the encrypted device.
  • autodetect - Any hooks placed before autodetect will be installed in full.
  • sd-vconsole - Loads the specified keymap and font set in vconsole.conf. This hook must come before the sd-encrypt hook.
  • modconf - Includes modprobe configuration files.
  • block - Adds all block device modules.
  • sd-encrypt - Required for encrypted root partition. This hook must be placed after the systemd hook.
  • lvm2 - Required for a root filesystem on LVM. This must come before filesystems.
  • filesystems - Include necessary file system modules into your image.
  • fsck - Adds the fsck binary and file system-specific helpers to allow running fsck against the root device.

Recreate the initramfs image ...

mkinitcpio -P
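The ordering rules listed above can be checked mechanically before the initramfs is rebuilt, since a misplaced sd-encrypt or lvm2 hook leaves a system that cannot unlock its root device at boot. This is an added example, not part of the original guide; check_hooks and hook_pos are hypothetical helper names, and the rule pairs are taken from the hook notes above.

```sh
#!/bin/sh
# Added example (not from the original guide): check a HOOKS line against
# the ordering rules in the hook notes. check_hooks and hook_pos are
# hypothetical helper names.

# Print the 1-based position of hook $1 in the space-separated list $2,
# or 0 if it is absent.
hook_pos() {
    hp_i=0
    for hp_h in $2; do
        hp_i=$((hp_i + 1))
        if [ "$hp_h" = "$1" ]; then echo "$hp_i"; return 0; fi
    done
    echo 0
}

# Return 0 if every rule holds, 1 on a violation, 2 if no HOOKS line
# was given. One message is printed per violation.
check_hooks() {
    ch_list=$(printf '%s\n' "$1" |
        sed -n 's/^HOOKS=(\(.*\))[[:space:]]*$/\1/p')
    [ -n "$ch_list" ] || { echo "no HOOKS=(...) line found" >&2; return 2; }
    ch_bad=0
    # "earlier later" pairs: the first hook must precede the second.
    for ch_rule in "systemd sd-encrypt" "sd-vconsole sd-encrypt" \
                   "keyboard autodetect" "lvm2 filesystems"; do
        ch_a=${ch_rule% *}
        ch_b=${ch_rule#* }
        ch_pa=$(hook_pos "$ch_a" "$ch_list")
        ch_pb=$(hook_pos "$ch_b" "$ch_list")
        if [ "$ch_pa" -eq 0 ] || [ "$ch_pb" -eq 0 ]; then
            echo "missing hook: need both $ch_a and $ch_b" >&2
            ch_bad=1
        elif [ "$ch_pa" -gt "$ch_pb" ]; then
            echo "order: $ch_a must come before $ch_b" >&2
            ch_bad=1
        fi
    done
    return "$ch_bad"
}

# Check the live file before rebuilding the initramfs:
#   check_hooks "$(grep '^HOOKS=' /etc/mkinitcpio.conf)" && mkinitcpio -P
```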

2.11 Boot loader: systemd-boot

Install ...

bootctl --esp-path=/boot install

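Create /boot/loader/loader.conf (editor yes leaves the kernel command line editable from the boot menu; use editor no to disable that) ...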

cat > /boot/loader/loader.conf <<EOF
default arch.conf
timeout 3
console-mode max
editor yes
EOF

Determine the UUID of the encrypted partition ...

blkid -s UUID -o value ${disk}p2

This string of characters is used in the boot entry created in the next step.

Create /boot/loader/entries/arch.conf:

  • UUID_OF_ENCRYPTED_PARTITION is replaced with the string returned by blkid
  • cryptdev is the mapped device used earlier
  • /dev/vg/root is the LV holding the root filesystem

title Arch
linux /vmlinuz-linux
# Intel CPU shown; use /amd-ucode.img for an AMD CPU
initrd /intel-ucode.img
initrd /initramfs-linux.img
options rd.luks.name=UUID_OF_ENCRYPTED_PARTITION=cryptdev root=/dev/vg/root rw
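The boot entry can also be generated rather than typed, which catches the case where blkid returned nothing and the entry would be written with an empty UUID. This is an added example, not part of the original guide; the function names are hypothetical, and the default mapper name and root device are the ones used in this HOWTO.

```sh
#!/bin/sh
# Added example (not from the original guide): build the systemd-boot entry
# from the LUKS partition UUID and the CPU vendor string, refusing to emit
# an entry when either value is unusable. Function names are hypothetical.

# Map a /proc/cpuinfo vendor_id value to the microcode image on the ESP.
ucode_image() {
    case $1 in
        GenuineIntel) echo /intel-ucode.img ;;
        AuthenticAMD) echo /amd-ucode.img ;;
        *) echo "unknown CPU vendor: '$1'" >&2; return 1 ;;
    esac
}

# Succeed only for a canonical 8-4-4-4-12 hexadecimal UUID.
is_uuid() {
    printf '%s\n' "$1" | grep -Eqx \
        '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
}

# Usage: make_boot_entry UUID VENDOR_ID [MAPPER_NAME] [ROOT_DEVICE]
make_boot_entry() {
    mb_uuid=$1
    mb_map=${3:-cryptdev}
    mb_root=${4:-/dev/vg/root}
    # An empty or malformed UUID (for example blkid run on the wrong
    # partition) would produce an entry that cannot unlock the root device.
    is_uuid "$mb_uuid" || { echo "not a UUID: '$mb_uuid'" >&2; return 1; }
    mb_ucode=$(ucode_image "$2") || return 1
    cat <<EOF
title Arch
linux /vmlinuz-linux
initrd $mb_ucode
initrd /initramfs-linux.img
options rd.luks.name=$mb_uuid=$mb_map root=$mb_root rw
EOF
}

# Inside the chroot; the file is written only if generation succeeded:
#   vendor=$(awk '/^vendor_id/ { print $3; exit }' /proc/cpuinfo)
#   uuid=$(blkid -s UUID -o value "${disk}p2")
#   entry=$(make_boot_entry "$uuid" "$vendor") &&
#       printf '%s\n' "$entry" > /boot/loader/entries/arch.conf
```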

List boot loader entries ...

bootctl list

2.12 Reboot

Exit chroot and reboot ...

exit
umount -R /mnt
reboot

Systemd-boot prompts for the LUKS passphrase to unlock the system.

Then ... Voila!

archlinux login:

3. After the install

3.1 Check for errors

Failed systemd services ...

systemctl --failed

High priority errors in the systemd journal ...

journalctl -p 3 -xb

3.2 Update systemd-boot

Create the pacman hooks directory ...

$ sudo mkdir /etc/pacman.d/hooks

Automatically update the boot manager whenever a new version of systemd-boot is installed by creating /etc/pacman.d/hooks/100-systemd-boot.hook ...

[Trigger]
Type = Package
Operation = Upgrade
Target = systemd

[Action]
Description = Updating systemd-boot
When = PostTransaction
Exec = /usr/bin/bootctl update

3.3 Linux LTS kernel

Install the LTS kernel in Arch Linux

3.4 Fallback boot entries

Every time a kernel is installed or upgraded, mkinitcpio creates two initial ramdisk images: 1. A default image as per instructions in /etc/mkinitcpio.conf and /etc/mkinitcpio.d; 2. A fallback image that includes a whole range of modules built-in and bootable on most systems.

Create boot entries for these fallback images by copying /boot/loader/entries/arch.conf to /boot/loader/entries/arch-fallback.conf.

Modify the copied arch-fallback.conf with fallback settings ...

title Arch fallback

[...]

initrd /initramfs-linux-fallback.img

3.5 SSD

Periodic TRIM optimizes performance on SSD storage.

Enable a weekly task that discards unused blocks on the drive ...

$ sudo systemctl enable fstrim.timer

3.6 Desktop

Many choices! Install a full-featured desktop such as GNOME, or put together a custom desktop built around a lightweight window manager. I like Openbox.

3.7 Arch news

Keep up-to-date with the latest news from the Arch development team by subscribing to arch-announce or the news feed.

Welcome to Arch!
