Installing Arch Linux on the 4th generation ThinkPad X1 Carbon
The lspci
output is
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers (rev 08)
00:02.0 VGA compatible controller: Intel Corporation Skylake GT2 [HD Graphics 520] (rev 07)
00:08.0 System peripheral: Intel Corporation Xeon E3-1200 v5/v6 / E3-1500 v5 / 6th/7th Gen Core Processor Gaussian Mixture Model
00:13.0 Non-VGA unclassified device: Intel Corporation Sunrise Point-LP Integrated Sensor Hub (rev 21)
00:14.0 USB controller: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller (rev 21)
00:14.2 Signal processing controller: Intel Corporation Sunrise Point-LP Thermal subsystem (rev 21)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:17.0 SATA controller: Intel Corporation Sunrise Point-LP SATA Controller [AHCI mode] (rev 21)
00:1c.0 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #1 (rev f1)
00:1c.2 PCI bridge: Intel Corporation Sunrise Point-LP PCI Express Root Port #3 (rev f1)
00:1f.0 ISA bridge: Intel Corporation Sunrise Point-LP LPC Controller (rev 21)
00:1f.2 Memory controller: Intel Corporation Sunrise Point-LP PMC (rev 21)
00:1f.3 Audio device: Intel Corporation Sunrise Point-LP HD Audio (rev 21)
00:1f.4 SMBus: Intel Corporation Sunrise Point-LP SMBus (rev 21)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection I219-LM (rev 21)
02:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS525A PCI Express Card Reader (rev 01)
04:00.0 Network controller: Intel Corporation Wireless 8260 (rev 3a)
The lscpu
output is
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
Address sizes: 39 bits physical, 48 bits virtual
CPU(s): 4
On-line CPU(s) list: 0-3
Thread(s) per core: 2
Core(s) per socket: 2
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 78
Model name: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
Stepping: 3
CPU MHz: 2162.690
CPU max MHz: 3400.0000
CPU min MHz: 400.0000
BogoMIPS: 5618.00
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 4096K
NUMA node0 CPU(s): 0-3
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf tsc_known_freq pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb invpcid_single pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx rdseed adx smap clflushopt intel_pt xsaveopt xsavec xgetbv1 xsaves dtherm ida arat pln pts hwp hwp_notify hwp_act_window hwp_epp flush_l1d
Requirements
I want to have full-disk encryption, with the exception of the boot partition and I am installing with WiFi.
Preliminaries
I used the archlinux-2019.01.01-x86_64.iso
, put it on a USB flash drive using dd
(standard procedure).
Inserted the USB drive, booted while pressing F12
on boot to enter the boot disk picker. The WiFi card has functional firmware, checked by running
lspci -k
dmseg | grep iwlwifi
List WiFi networks, pick the relevant and follow prompts to connect:
wifi-menu
Set up time and date.
timedatectl set-ntp true
timedatectl set-timezone America/New_York
I want to use LVM on LUKS to get full-disk encryption, including the SWAP. /boot
will be un-encrypted.
Disk preparation
Partition the target disk (here, it is /dev/sda
).
To list partitions:
fdisk -l
Lenovo does not let you boot from a GPT partition with BIOS, and I could not get EFI to work either, so I am using MBR instead. I use fdisk
to partition the main SSD.
fdisk /dev/sda
p
to list current partitions
o
to delete them all and create an empty MBR partition table
n
to create new
- first (for boot): default start, end at +200M, otherwise defaults, erase ext4 signature if asked
- second (
linux
default): the rest of the disk, all defaults
p
to check if everything looks sane
w
to write (THE DISK WILL BE ERASED AT THIS POINT)
Format the EFI boot partition (left unencrypted):
mkfs.ext4 /dev/sda1
Create the non-boot file systems. The following will require coming up with a passphrase. I followed the instructions in Encrypting an entire system.
Encrypt the future LVM container:
cryptsetup luksFormat —-type luks2 /dev/sda2
cryptsetup open /dev/sda2 cryptlvm
Prepare the logical volumes:
pvcreate /dev/mapper/cryptlvm
vgcreate MainVolGroup /dev/mapper/cryptlvm
lvcreate -L 12G MainVolGroup -n swap
lvcreate -l 100%FREE MainVolGroup -n root
mkfs.ext4 /dev/MainVolGroup/root
mkswap /dev/MainVolGroup/swap
mount /dev/MainVolGroup/root /mnt
swapon /dev/MainVolGroup/swap
Mount the BIOS boot partition:
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
Installation
Install Arch:
pacstrap /mnt base base-devel python gvim grub dhclient networkmanager gnome-keyring
Generate fstab
:
genfstab -U /mnt >> /mnt/etc/fstab
Edit /mnt/etc/crypttab
to add a line
cryptlvm UUID=_/dev/sda2 UUID_ none luks,discard,timeout=5
An easy way to transfer the UUID without typing it is to do
blkid | grep sda2 >> /mnt/etc/crypttab
and edit the crypttab
file to make it correct.
There is an issue with GRUB and LVM which causes grub-mkconfig to hang and grub-install to keep probing LVM devices. For the workaround, prepare the following:
mkdir /mnt/hostlvm
mount --bind /run/lvm /mnt/hostlvm
Configuration
Move into the fresh Arch installation on the main disk. Not that the paths will no longer require /mnt
in front.
arch-chroot /mnt
To deal with the GRUB/LVM problem, run
ln -s /hostlvm /run/lvm
Edit /etc/mkinitcpio.conf
(this is now on the target drive):
HOOKS=(base udev autodetect **keyboard** **keymap** modconf block **lvm2** **encrypt** **resume** filesystems fsck) # resume is included for suspend to disk support
mkinitcpio -p linux
Install GRUB on BIOS:
grub-install --target=i386-pc
Use blkid
to list UUIDs of devices. Edit /etc/default/grub
to modify variables. Append “lvm” to GRUB_PRELOAD_MODULES
. Then append resume=/dev/MainVolGroup/swap cryptdevice=UUID=UUID-of-/dev/sda2:cryptlvm
to GRUB_CMDLINE_LINUX_DEFAULT
. The resume=...
part is for suspend to disk support.
Make the GRUB config.
grub-mkconfig -o /boot/grub/grub.cfg
Activate NetworkManager:
systemctl enable NetworkManager
Time zone and locale specification (I am in New York, yours may be different).
ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc
Uncomment all en_US
entries in /etc/locale.gen
.
locale-gen
Set LANG=en_US.UTF-8
in newly created /etc/locale.conf
.
Network settings:
Create /etc/hostname
and write sidonia there. Edit /etc/hosts
to add
127.0.0.1 localhost
::1 localhost
127.0.0.1 sidonia.localdomain sidonia
To make a root password and add a non-root user:
passwd
useradd -m -g wheel tonyg
passwd tonyg
Finally, to enable sudo
for the user, uncomment the %wheel ALL=(ALL) ALL
line in /etc/sudoers
. I like to reboot etc without entering a password, so I also add %wheel ALL=(ALL) NOPASSWD: REBOOT
. I add /sbin/shutdown
to the REBOOT
alias.
Environment set-up
Basic connectivity
I start with installing htop
to test that everything is working. Then
git
version controlethtool
to manage the internet cardiptables
firewallopenvpn
VPNnetworkmanager-openvpn
VPN plugin forNetworkManager
To set up the firewall, write the following (with sudo
):
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
Save the rules to a file. I retain a copy for re-use on other systems.
iptables-save | sudo tee /etc/iptables/iptables.rules
systemctl enable iptables
X windows
Next, I set up X windows. I want the whole thing, including the fonts, so I go with the xorg
group.
pacman -S xf86-video-intel mesa xorg xorg-xinit xorg-xrdb xorg-xlsfonts xorg-xfontsel pango
Add a version of the i3 window manager along with some needed add-ons.
pacman -S i3-gaps i3status i3blocks i3lock termite termite-terminfo dmenu network-manager-applet feh compton arandr
Copy fonts that I have in the add_fonts
directory in my dotfiles to $HOME/.local/share/fonts
(a.k.a /etc/fonts
), then run
fc-cache -v
for fontconfig
to recognize them (check with fc-list
). To set up a good-looking environment, I need to install
pacman -S arc-gtk-theme lxappearance pulseaudio pavucontrol lm_sensors psensor acpi scrot sysstat
For a graphical login, I use lightDM
.
pacman -S lightdm lightdm-gtk-greeter
I included the modified config files in the systemwide_config
directory from my dotfiles. Move lightdm.conf
and lightdm-gtk-greeter.conf
to /etc/lightdm
. Add any images you want for background to /usr/share/backgrounds
.
Vim
I clone my dotfiles to the home directory. It includes the .vimrc
and the .vim
directory. For YouCompleteMe
to work, I need to install cmake
:
pacman -S cmake clang python2 boost
Change to the .vim/bundle
directory and clone the VundleVim repository to it. Start vim
and run
:PluginInstall
After that, change to YouCompleteMe
and run
./install.sh --clang-completer --system-libclang
Miscellaneous software
Next I install various pieces of software for general operation.
pacman -S firefox ranger file w3m highlight atool sxiv zathura zathura-pdf-poppler zathura-ps zathura-djvu vlc
LaTeX
I use a close to maximal TeX Live. Install it with
pacman -S texlive-core texlive-bibtexextra texlive-fontsextra texlive-formatsextra texlive-humanities texlive-latexextra texlive-pictures texlive-publishers texlive-science ghostscript
R compilation
I compile R from source because I want a bast BLAS/LAPACK implementation. I currently like Intel’s math kernel library. Download the archive from Intel’s website (you have to sign in but it’s free) and unzip it. Get into the unpacked directory. Before installation, make sure you have cpio
already installed. Then type (possibly with sudo
)
./install.sh
and follow prompts. It will complain that the OS is unsupported, but ignore that and everything seems to proceed normally. Download R dependencies (except blas
and lapack
that will be provided by MKL).
pacman -S --needed $( pacman -Si r | grep Depends | cut -d' ' -f12- )
Install some optional dependencies.
pacman -S tk gcc-fortran jdk-openjdk
Unzip the R download tarball and change to the directory. Run the MKL script that establishes some needed shell variables.
source /opt/intel/mkl/bin/mklvars.sh intel64
While I am at it, I add $MKLROOT
to .bashrc
. It helps to have it for any other compilations that require BLAS. Then run configuration and installation.
MKL="-L${MKLROOT}/lib/intel64 -Wl,--no-as-needed -lmkl_gf_lp64 -Wl,--start-group \
-lmkl_gnu_thread -lmkl_core -Wl,--end-group -fopenmp -ldl -lpthread -lm"
./configure --with-blas="$MKL" --with-lapack --with-tcltk
make
make info
make install
make install info
Check that the linking worked by running
ldd bin/exec/R
(it is the bin
directory in the current R download directory, not /bin
)
I also need the GNU Scientific library for one of my projects.
pacman -S gsl