Linux: Difference between revisions

A collection of notes on using Linux systems.
The notes here are for Ubuntu but should work on similar Debian-derivative distros.


==Basic Terminal Commands==
{{see also | Bash (Unix shell)}}
===List===
<code>ls</code>
* <code>-l</code> shows long format
* <code>-a</code> shows all files including hidden files, current directory <code>.</code>, and parent directory <code>..</code>.
** <code>-A</code> omits <code>.</code> and <code>..</code>
* <code>-h</code> human readable file sizes
* <code>-s</code> shows blocks taken up by the file (i.e. size on disk)
There are also other commands like <code>lsblk</code>, <code>lscpu</code>, <code>lshw</code>.
===Disk Space===
* <code>du</code> Disk Usage
** <code>du -sh</code> Show size of current directory
** <code>du -h --max-depth=1</code> Show size of files and folders in current directory. I have <code>du</code> aliased to this.
** Flags:
*** <code>-h</code> human readable (adds M or G)
*** <code>--max-depth</code> depth to recurse. Default is <code>N</code>.
* <code>df</code> Disk Filesystems
** Shows usage, total space available, and mount position
** <code>df -Ph .</code> See free space on the filesystem containing the current directory
If looking to free up space, I recommend installing <code>ncdu</code>.
===Monitoring===
* <code>htop</code> - basic terminal system monitor, enhanced version of <code>top</code>
* <code>watch -n 0.5 <program></code> - repeatedly call <program> every 0.5 seconds
===Standard Streams===
* <code>|</code> will pipe stdout to the stdin of another process
* <code>></code> will redirect stdout to a file
* <code>2>&1</code> will redirect stderr (2) to stdout (1)
* [https://www.gnu.org/software/coreutils/manual/html_node/tee-invocation.html <code>tee</code>] will redirect stdout to multiple files and show it in the terminal
===Shutdown===
<pre>
shutdown -h [now | -t <time>]
</pre>
* <code>-h</code> poweroff, the default
* <code>-t time</code> schedule a shutdown in ''time'' seconds
* <code>-r</code> restart
* <code>-c</code> cancel pending shutdown
==Package Management==
See [https://www.digitalocean.com/community/tutorials/package-management-basics-apt-yum-dnf-pkg DigitalOcean: Package management basics]
===apt===
<syntaxhighlight lang="bash">
# List all installed packages
apt list --installed
# Search repos for package
apt search libdpkg-dev
</syntaxhighlight>
;Repositories
Repository sources are saved in
* A line in <code>/etc/apt/sources.list</code>
* A file in <code>/etc/apt/sources.list.d/</code>
Application desktop icons are stored in <code>/usr/share/applications/</code>.
The update notifications are in <code>/etc/apt/apt.conf.d/99update-notifier</code>. Comment these out to disable them.<br>
Unattended-updates are in <code>/etc/apt/apt.conf.d/50unattended-upgrades</code>.
{{hidden | dpkg |
===dpkg===
<syntaxhighlight lang="bash">
# List everything
sudo dpkg -l
# List things with apache in the name
sudo dpkg -l | grep apache
</syntaxhighlight>
}}
{{hidden | yum |
===yum===
<syntaxhighlight lang="bash">
# Update package lists, typically not necessary
yum check-update
# Upgrade packages
yum update
</syntaxhighlight>
}}


==SSH==
===SSH Keys===
Generate an ssh-key for every client
<syntaxhighlight lang="bash">
ssh-keygen -t ed25519 [-C "comment your client name"] [-f output_path]
</syntaxhighlight>

Some older software, such as Solid file explorer, requires RSA keys in PEM format
<syntaxhighlight lang="bash">
ssh-keygen -t rsa -b 4096 -m PEM [-C "comment your client name"] [-f output_path]
</syntaxhighlight>

You can also convert existing keys to PEM format
<syntaxhighlight lang="bash">
ssh-keygen -p -m PEM [-C "comment your client name"] [-f output_path]
</syntaxhighlight>
If you want to change the comment on your key
<syntaxhighlight lang="bash">
ssh-keygen -c -C "New comment" -f path_to_key
</syntaxhighlight>
Manage ssh keys
<syntaxhighlight lang="bash">
# On the client
ssh-copy-id <host>
</syntaxhighlight>


Notes:<br>
* According to [https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices this] you should avoid using ECDSA and DSA keys.
===Disable password authentication===
# Edit <code>/etc/ssh/sshd_config</code>
# Set <code>PasswordAuthentication</code> to <code>no</code>
# Set <code>ChallengeResponseAuthentication</code> to <code>no</code>
# Test by ssh'ing into the machine using <code>-o PreferredAuthentications=password -o PubkeyAuthentication=no</code>
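Editing <code>/etc/ssh/sshd_config</code> is not always enough: sshd keeps the first value it reads for each keyword, so a drop-in under <code>/etc/ssh/sshd_config.d/</code> that is included earlier can leave password logins enabled. The following added example (not part of the original notes) checks the effective settings in the format printed by <code>sshd -T</code>; the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that password-style logins are off in the
# effective sshd configuration (the "keyword value" lines of `sshd -T`).

# Reads `sshd -T`-style text on stdin, prints one FAIL line per problem,
# returns 0 if only key-based logins are possible and 1 otherwise.
check_sshd_auth() {
    awk '
        BEGIN {
            # These must all be "no". challengeresponseauthentication is the
            # older name of kbdinteractiveauthentication; check whichever appears.
            must_be_no["passwordauthentication"] = 1
            must_be_no["kbdinteractiveauthentication"] = 1
            must_be_no["challengeresponseauthentication"] = 1
            bad = 0
        }
        {
            key = tolower($1); val = tolower($2)
            if (key in must_be_no) {
                seen[key] = 1
                if (val != "no") { printf "FAIL %s is %s\n", key, val; bad = 1 }
            }
            # Turning passwords off while keys are also off locks everyone out.
            if (key == "pubkeyauthentication") {
                seen[key] = 1
                if (val != "yes") { printf "FAIL %s is %s\n", key, val; bad = 1 }
            }
        }
        END {
            if (!("passwordauthentication" in seen)) {
                print "FAIL passwordauthentication missing from input"; bad = 1
            }
            exit bad
        }
    '
}

# Constructed sample: effective settings after following the steps above.
sample_hardened() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# Constructed sample: sshd_config was edited, but a drop-in read earlier
# still enables passwords, so the effective value is "yes".
sample_drop_in_override() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

sample_hardened | check_sshd_auth && echo "hardened sample: key-only logins"
sample_drop_in_override | check_sshd_auth || echo "override sample: password logins still possible"
```

On a real host, run <code>sudo sshd -T | check_sshd_auth</code>. <code>sshd -T</code> reads the configuration files, so the running daemon still needs a restart to pick up the change.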
===Port Forwarding===
Also known as: SSH Tunneling, SSH Proxy, SSH Reverse Proxy
If you need to access a port on the remote computer, you can use the <code>-L</code> option to forward ports from the remote to the local machine.
<syntaxhighlight lang="bash">
ssh -L <localport>:localhost:<remoteport> <remoteurl>
# E.g. ssh -L 8080:localhost:80 david@davidl.me
</syntaxhighlight>
You can also do the reverse, giving the remote access to a local port using <code>-R</code>
<syntaxhighlight lang="bash">
ssh -R <remoteport>:localhost:<localport> <remoteurl>
# E.g. ssh -R 8080:localhost:80 david@davidl.me
# Port 8080 on the remote now reaches port 80 on the local machine.
</syntaxhighlight>
;Notes
* You can also run this without creating a shell using <code>-N</code>. This will block your shell. See [https://unix.stackexchange.com/questions/100859/ssh-tunnel-without-shell-on-ssh-server SE Answer].
* Adding <code>-f</code> pushes ssh to the background.
** This will implicitly add <code>-n</code> which redirects <code>stdin</code> from <code>/dev/null</code>.
** If you want to be able to foreground this again, then use <code>&</code> or <kbd>Ctrl</kbd>+<kbd>z</kbd> instead.
===alias===
You can create aliases in your <code>~/.ssh/config</code>
<pre>
Host my_alias
  User my_username
  Hostname my_server.my_domain.com
  Port 52
</pre>
==VNC==
===x11vnc===
[https://askubuntu.com/questions/1033274/ubuntu-18-04-connect-to-login-screen-over-vnc Reference]
I recommend not exposing VNC. Set it to localhost only and use ssh port forwarding.
===Remmina===
If using a wired connection, you can save a preset to <code>localhost:5901</code> or similar.
Note that the Remmina which ships with Ubuntu 18.04 is outdated and buggy.
You can upgrade it by adding the Remmina PPA.
See [https://remmina.org/how-to-install-remmina/ https://remmina.org/how-to-install-remmina/] for details.
<pre>
sudo apt-add-repository ppa:remmina-ppa-team/remmina-next
sudo apt update
sudo apt install remmina remmina-plugin-rdp remmina-plugin-secret
</pre>
==Nvidia==
===Driver Installation===
# Run <code>ubuntu-drivers list</code> to get a list of drivers
# Install the latest driver
#* E.g. <code>sudo apt install nvidia-driver-460</code>
# If you have secure boot enabled, you will be asked for a password during installation
#* This is because the driver is a DKMS module.
#* After installation, reboot your computer and select "Enroll MOK" and enter that password in.
#* '''Note''' Failure to do this will result in the driver not working
# Validate your installation by running <code>nvidia-smi</code>.
#* <code>nvidia-smi</code> shows the latest cuda version supported by the driver, not the cuda version installed.
===Cuda Installation===
Download cuda from the nvidia website or add the cuda repo to your apt sources.


===Switching between Nvidia and Intel===
[https://www.linuxbabe.com/desktop-linux/switch-intel-nvidia-graphics-card-ubuntu Reference]
Make sure the Nvidia graphics drivers are installed. Then you can select between Nvidia and Intel GPUs using the Nvidia X Server Settings application <code>nvidia-settings</code>. Alternatively, you can use the following commands in the terminal.<br>
To switch to the Nvidia GPU:
<code>prime-select query</code> will print either <code>nvidia</code> or <code>intel</code> to stdout.
===Fix tearing on laptops===
[https://ubuntuhandbook.org/index.php/2018/07/fix-screen-tearing-ubuntu-18-04-optimus-laptops/ Reference]<br>
# Add <code>options nvidia-drm modeset=1</code> to <code>/etc/modprobe.d/nvidia-drm-nomodeset.conf</code>
# Run <code>sudo update-initramfs -u</code>
==Environment Variables==
[https://help.ubuntu.com/community/EnvironmentVariables Ubuntu Help Reference]
==Tmux==
[https://tmuxcheatsheet.com/ Tmux cheat sheet]
Tmux, or Terminal Multiplexer is an alternative to screen.<br>
Use it to keep terminals open and tasks running after you disconnect your SSH connection.<br>
Getting Started:
<syntaxhighlight lang="bash">
# Make a new session
tmux
# Make a new named session
tmux new -s my_session
# Rename a session
# Keybinding: Ctrl + b, $
tmux rename-session [-t current-name] [new-name]
# Detach from a session
# Keybinding: Ctrl + b, d
tmux detach
# List sessions
tmux ls
# Attach to a session
tmux attach -t my_session
# Renumber windows
:movew
</syntaxhighlight>
===Mouse scrolling===
Set <code>set -g mouse on</code> in your <code>~/.tmux.conf</code>
==File Manager==
The default file manager in Ubuntu is Nautilus
===Add to context menu===
[https://askubuntu.com/questions/1030940/nautilus-actions-in-18-04 AskUbuntu]
;22.04
See [https://github.com/harry-cpp/code-nautilus https://github.com/harry-cpp/code-nautilus]
;20.04
<pre>
sudo add-apt-repository universe
sudo apt update
sudo apt install filemanager-actions nautilus-actions nautilus-extension-fma
</pre>
==Etcher==
[https://github.com/balena-io/etcher Github]<br>
Installing etcher
<syntaxhighlight lang="bash">
echo "deb https://deb.etcher.io stable etcher" | sudo tee /etc/apt/sources.list.d/balena-etcher.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 379CE192D401AB61
sudo apt update
sudo apt install balena-etcher-electron
</syntaxhighlight>
==Logs==
Logs are stored under <code>/var/log</code>. These can end up taking up a lot of space.<br>
You can delete logs in the journal folder [https://unix.stackexchange.com/questions/130786/can-i-remove-files-in-var-log-journal-and-var-cache-abrt-di-usr Reference]<br>
==Default gcc/g++ version==
See [https://askubuntu.com/questions/26498/how-to-choose-the-default-gcc-and-g-version https://askubuntu.com/questions/26498/how-to-choose-the-default-gcc-and-g-version].<br>
<syntaxhighlight lang="bash">
# Install
sudo update-alternatives --remove-all gcc
sudo update-alternatives --remove-all g++
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-8 10
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 20
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-8 10
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-7 20
sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc 30
sudo update-alternatives --set cc /usr/bin/gcc
sudo update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++ 30
sudo update-alternatives --set c++ /usr/bin/g++
# Select
sudo update-alternatives --config gcc
sudo update-alternatives --config g++
</syntaxhighlight>
==Power Management==
===tlp===
[https://linrunner.de/en/tlp/docs/tlp-linux-advanced-power-management.html Website]<br>
Battery power management
==Virtual Machines (VM)==
===Guest VMs===
Using Ubuntu as a guest:
* Install <code>open-vm-tools-desktop</code>
===KVM===
{{main | Archwiki: KVM}}
===Docker===
{{main | Docker (software)}}
==Services and Scheduling==
===crontab===
The following will open a list of cron jobs you have.
<pre>
crontab -e
</pre>
The default editor is nano. You can change it to vim using <code>VISUAL=vim</code> env variable or with <code>select-editor</code>.
===systemd service===
See [https://wiki.debian.org/systemd/Services debian/systemd Services]<br>
[https://www.freedesktop.org/software/systemd/man/systemd.service.html manual]<br>
System-wide services are in <code>/etc/systemd/system/</code><br>
User services are in <code>~/.config/systemd/user/</code>
{{hidden|A basic systemd service file|
<pre>
# Contents of /etc/systemd/system/myservice.service
[Unit]
Description=My Service
After=network.target
[Service]
Type=simple
Restart=always
WorkingDirectory=/usr/local/bin
ExecStart=/usr/local/bin/myservice
[Install]
WantedBy=multi-user.target
</pre>
Enable with <code>sudo systemctl enable myservice</code>
}}
;Usage
* <code>sudo systemctl enable <my_service></code>
* <code>sudo systemctl status <my_service></code>
* <code>sudo systemctl start <my_service></code>
* <code>sudo systemctl stop <my_service></code>
* <code>sudo systemctl restart <my_service></code>
* <code>sudo systemctl disable <my_service></code>
;Notes
* Type should be <code>forking</code> if your service runs and then ends
* See service log with <code>sudo journalctl -u myservice</code>
==File Management==
===rsync===
{{main | rsync}}
[https://linux.die.net/man/1/rsync Documentation]
Use this to sync folders between directories or across networks
;Common Flags
* <code>-a, --archive</code> archive mode; equals -rlptgoD
* <code>--info=progress2</code> show progress
See [[ArchWiki: rsync]] to learn how to use rclone for incremental backups (a la time machine).
===rclone===
{{ main | rclone }}
Similar to rsync but for cloud services such as Dropbox and Google Drive.<br>
I recommend installing from their website to get the latest version.
===scp===
Usage
<syntaxhighlight lang="bash">
scp [source_machine]:[source_file] [target_machine]:[target_file]
</syntaxhighlight>
;Flags
* <code>-r</code> recursive, needed to scp directories
* <code>-P [port]</code>
;Notes
* The machine can be an alias or user@domain
===7z===
7zip CLI<br>
Install with <code>sudo apt install p7zip-full</code>
<syntaxhighlight lang="bash">
# Archive
7z a <output_file> <input_file/folder>
# Archive with password
7z a <output_file> <input_file> -p -mhe=on
# Extract
7z x <file> [-o{dir}]
</syntaxhighlight>
* <code>-mhe=on</code> hides the file structure by encrypting the archive headers, including file names
===zip/unzip===
Note that p7zip-full also includes the ability to zip/unzip .zip files.<br>
;Zip a folder
<code>zip -r file.zip folder</code>
;Unzip an archive
<code>unzip file.zip [-d destination]</code>
===diff===
[https://www.geeksforgeeks.org/diff-command-linux-examples/ diff examples]
;Important flags
* <code>--strip-trailing-cr</code> Ignores <code>\r</code>
===tar===
{{ main | tar (computing) }}
;Extraction
<pre>
tar xzvf archive.tar.gz
</pre>
;Archive
<pre>
tar czpvf archive.tar.gz files
</pre>
===find===
Find files by their filename
<pre>
find <folder> [args] -name <name>
</pre>
* <code>-maxdepth <num></code>
===grep===
Find files containing a pattern
<pre>
grep -r <pattern> *
</pre>
==Dual Booting==
===Fix time difference between Windows===
[http://ubuntuhandbook.org/index.php/2016/05/time-differences-ubuntu-1604-windows-10/ Reference]
<syntaxhighlight lang="bash">
timedatectl set-local-rtc 1 --adjust-system-clock
</syntaxhighlight>
===Recover GRUB after installing Windows===
[https://help.ubuntu.com/community/RecoveringUbuntuAfterInstallingWindows Ubuntu Help]<br>
If you install windows after installing Ubuntu
===GrubReboot===
[https://wiki.debian.org/GrubReboot GrubReboot]<br>
Allows you to reboot into an OS one time.<br>
i.e. If you are ssh'd into linux and want to boot into Windows one time.<br>
===Encryption===
[https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html]
==Users and Groups==
===Users===
<syntaxhighlight lang="bash">
# Make a new user
adduser <user>
# Add user to admins
usermod -aG sudo <user>
# Change the password of a user
passwd
passwd <user>
# Delete a user
# -r will also delete their home directory
userdel -r <user>
</syntaxhighlight>
===Groups===
<syntaxhighlight lang="bash">
# Make a group
groupadd <group>
# Delete a group
groupdel <group>
# List members in groups
getent group <group>
# Add user to group
usermod -a -G <group> <user>
# Remove user from group
gpasswd -d <user> <group>
</syntaxhighlight>
==Permissions==
In unix filesystems, files and folders have individual permissions.<br>
You can set permissions for each file/folder independently and for the following sets of users:
* User/Owner <code>u</code>
* Group <code>g</code>
* Other <code>o</code>
You can also set permissions for all of the above with:
* All <code>a</code>
Each file and folder can have the following permission for each set of user:
* Read <code>r</code>
* Write <code>w</code>
* Execute <code>x</code>
The above totals 9 bits (3 sets of users times 3 permissions).
In addition to the above, there are 3 special bits:
* [https://en.wikipedia.org/wiki/Sticky_bit Sticky bit <code>t</code>] - only allow the owners of subfiles/subfolders to modify them
** Useful for shared folders such as /tmp
* Setuid - automatically elevate execution of this file to the owner's privileges
* Setgid - automatically elevate execution of this file to the group's privileges
In total, permissions for each file and folder can be stored in 16 bits or 2 bytes.
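The special bits are the ones worth auditing: setuid and setgid files run with someone else's privileges, and a world-writable directory without the sticky bit lets any user delete other users' files. The following is an added example (not part of the original notes); the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files and directories whose special bits deserve review.

# Prints "<finding> <path>" lines for everything under $1 (same filesystem only):
#   setuid                    regular file with the setuid bit (04000)
#   setgid                    regular file with the setgid bit (02000)
#   world-writable-no-sticky  directory writable by "other" but missing the sticky bit (01000)
audit_special_bits() {
    {
        find "$1" -xdev -type f -perm -4000 -print | sed 's/^/setuid /'
        find "$1" -xdev -type f -perm -2000 -print | sed 's/^/setgid /'
        find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed 's/^/world-writable-no-sticky /'
    } | sort
}

# Constructed demo tree: one setuid file, one setgid file, a /tmp-style
# directory (1777) and a world-writable directory without the sticky bit.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    touch "$d/plain" "$d/suid" "$d/sgid"
    chmod 0644 "$d/plain"; chmod 4755 "$d/suid"; chmod 2755 "$d/sgid"
    mkdir "$d/shared" "$d/open"
    chmod 1777 "$d/shared"; chmod 0777 "$d/open"
    printf '%s\n' "$d"
}

# Demo run: the 1777 directory and the plain file are not reported.
demo=$(make_demo_tree) && audit_special_bits "$demo" && rm -rf "$demo"
```

On a real system, point it at a filesystem root, e.g. <code>sudo sh -c '. ./audit.sh; audit_special_bits /'</code> if the block is saved as the hypothetical file <code>audit.sh</code>, and compare the setuid list against what the installed packages are expected to ship.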
===chmod===
change mode
===chown===
change owner
<pre>
chown [-R] <user>[:<group>] <item>
</pre>
===chgrp===
===Access Control Lists (ACL)===
==Display Scaling (HiDPI)==
See [https://wiki.archlinux.org/index.php/HiDPI Arch Wiki HiDPI] 
Fractional scaling is natively available in Ubuntu 20.04+.
{{hidden | Ubuntu 18.04 |
;Xorg
<pre>
# Find your display
xrandr
xrandr --output <display> --scale 1.25x1.25
</pre>
;Wayland
<pre>
gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"
</pre>
I have the following script run at startup
<pre>
#!/bin/bash
gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.settings-daemon.plugins.xsettings overrides "{'Gdk/WindowScalingFactor': <2>}"
xrandr --output DP-2 --scale 1.3x1.3
</pre>
}}
==Clock==
See [https://help.ubuntu.com/lts/serverguide/NTP.html Ubuntu Time Synchronization]<br>
<pre>
# Install chrony
sudo apt install chrony
# Synchronize time
sudo chronyd -q
# Check time synchronization
sudo chronyd -Q
</pre>
Notes
* Syncing over the internet will be off by a few milliseconds (e.g. 0.003 seconds).
* Syncing with another computer over lan
===Syncing with another computer===
See [https://askubuntu.com/questions/787855/how-to-use-chrony-to-synchronize-timestamp-on-two-computers/1018204 askubuntu]<br>
;On the server
Add the following to <code>/etc/chrony.conf</code>
<pre>
# make it serve time even if it is not synced (as it can't reach out)
local stratum 8
# allow the IP of your peer to connect (192.168 subnet)
allow 192.168
# Or
# allow all
</pre>
;On the client
Add the following to <code>/etc/chrony.conf</code>
<pre>
# set the servers IP here to sync to it
server <Server_IP> iburst
# remove the default servers in the config
</pre>
==<code>/dev/</code>==
See [[Wikipedia: Device file#Pseudo-devices]]
===<code>null</code>===
Discards all input. 
Produces EOF.
===<code>random</code>===
See [https://security.stackexchange.com/questions/3936/is-a-rand-from-dev-urandom-secure-for-a-login-key/3939#3939 stackexchange]<br>
See [https://www.2uo.de/myths-about-urandom/ Myths about urandom]<br>
;TLDR&#58; Use <code>/dev/urandom</code> instead of <code>/dev/random</code>
===<code>urandom</code>===
Produces random numbers.
On my system, it's limited to about 60 MB/s. If you need faster randomness, you can encrypt from <code>/dev/zero</code> to get 2.7 GB/s. 
See [https://serverfault.com/questions/6440/is-there-an-alternative-to-dev-urandom/415962#415962 reference].
<pre>
# Using urandom
pv < /dev/urandom > /dev/null
# Using encryption
openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | pv > /dev/null
# Create a 4 GB file.
dd if=/dev/zero bs=4M count=1024 | openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt | pv > random.bin
</pre>
==Gnome==
===Tweaks===
<pre>
sudo apt install gnome-tweaks
sudo apt install chrome-gnome-shell
</pre>
==Auto Reboot==
[https://unix.stackexchange.com/questions/141095/automatically-reboot-if-no-wifi-connection-for-a-certain-time reference]
{{hidden | Auto Reboot Script |
Auto reboot if no internet is detected:
<syntaxhighlight lang="bash">
#!/bin/bash
TMP_FILE=/tmp/inet_up
# Edit this function if you want to do something besides reboot
no_inet_action() {
    if [ "$1" -eq 1 ]; then
        systemctl restart network-manager
    elif [ "$1" -ge 2 ]; then
        rm -f $TMP_FILE
        shutdown -r now "No Internet"
    fi
}
increment_tmp_file() {
    if [ ! -f $TMP_FILE ]; then
      echo 0 > $TMP_FILE
    fi
    oldnum=$(cut -d ',' -f2 $TMP_FILE)
    newnum=$(("$oldnum" + 1))
    sed -i "s/$oldnum\$/$newnum/g" $TMP_FILE
}
if ping -c5 google.com; then
    echo 0 > $TMP_FILE
    date > /tmp/inet_up_last_check
else
    increment_tmp_file
    oldnum=$(cut -d ',' -f2 $TMP_FILE)
    no_inet_action "$oldnum"
fi
</syntaxhighlight>
Add to root's crontab (<code>sudo crontab -e</code>) to run every 10 minutes
<pre>
*/10 * * * * /home/david/bin/check_inet.sh
</pre>
}}
==Encryption==
For encrypting entire drives, I recommend LUKS.<br>
If you want to encrypt a directory, you can use fscrypt (ext4 only).
Note that ecryptfs is deprecated and shouldn't be used.
===Encrypt Home After Install===
See [[Archwiki: Fscrypt#Encrypt_a_home_directory]]. 
See [https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html].
This uses the newer fscrypt and requires Ubuntu 18.10+.
<ol>
<li>
Install fscrypt and do setup
<pre>
sudo apt-get install fscrypt libpam-fscrypt
sudo fscrypt setup
sudo fscrypt setup /
sudo tune2fs -O encrypt /dev/<yourdevice>
# E.g. sudo tune2fs -O encrypt /dev/sda5
</pre>
</li>
<li>
Create a new temp sudo user and login to it
</li>
<li>
Create the encrypted home folder
<pre>
export USERNAME=david
# Move old home folder
sudo mv /home/$USERNAME /home/$USERNAME.bak
# Create a new home folder and encrypt it
sudo mkdir /home/$USERNAME
sudo chown $USERNAME:$USERNAME /home/$USERNAME
sudo fscrypt encrypt /home/$USERNAME --user=$USERNAME
# Copy files to the new home folder using cp or rsync
# sudo cp -a -T /home/$USERNAME.bak /home/$USERNAME
sudo rsync -aHX --info=progress2 /home/$USERNAME.bak/ /home/$USERNAME/
</pre>
</li>
<li>
Test the encrypted home folder by logging into your user
</li>
<li>
Cleanup by removing the temporary user and deleting the old home folder
<pre>
sudo find /home/$USERNAME.bak -type f -exec shred -u {} +   # shred only works on regular files
sudo rm -rf /home/$USERNAME.bak
</pre>
</li>
</ol>
;Notes and Caveats
* <code>systemd</code> will no longer have access to your home so all startup apps should be placed elsewhere
** E.g. Move all startup scripts in your <code>~/.local/bin</code> to <code>/usr/local/bin</code>
* <code>ssh</code> will not work until home has been decrypted since the authorized keys are in <code>~/.ssh/authorized_keys</code>
{{hidden | SSH Workaround |
Getting SSH to work with an encrypted home dir is a giant pain. 
Also things like tmux still won't work. 
Overall I do not recommend doing this on a server.
# Move ssh keys elsewhere such as <code>/etc/ssh/authorized_keys/<user></code>.
#* Add <code>/etc/ssh/authorized_keys/%u</code> to the <code>AuthorizedKeysFile</code> line in <code>/etc/ssh/sshd_config</code>.
# Create a sudo user with an unencrypted home directory.
# After every restart, ssh into the unencrypted sudo user and decrypt your home directory:
#* <code><nowiki>sudo fscrypt unlock /home/david --user=david</nowiki></code>
# Then ssh into your account.
}}
==SFTP==
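You can create a specific user with a chroot to limit SFTP to specific folders. 
See [[Archwiki: SFTP chroot]] for details.
sshd requires the chroot directory and every directory above it to be owned by root and not writable by any other user or group.

In <code>/etc/ssh/sshd_config</code>: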
<pre>
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
  PasswordAuthentication no
</pre>
==Hardware Info==
;Benchmarking
Basic CPU benchmark
<pre>
sysbench cpu --threads=2 run
</pre>
==MOTD==
Message of the day is the text you see when you login via SSH. 
Ubuntu stores its MOTD in <code>/etc/update-motd.d/</code>. Other distros use <code>/etc/motd/</code>. 
You can disable the Ubuntu news motd in <code>/etc/default/motd-news</code>.
==System Administration==
{{main | Linux Administration}}
==Installing Binaries==
# Copy your binary to <code>/usr/local/bin/</code> or <code>~/.local/bin/</code>
# Copy your man page to <code>/usr/local/share/man/man1/</code> or <code>~/.local/share/man/man1/</code>
==Network Troubleshooting==
On one of my OptiPlex 5060 servers, the network adapter would reset on git ssh clones.<br>
This would appear in <code>/var/log/syslog</code> as:
<pre>
Feb  8 22:22:01 optiplex5060-2 kernel: [ 4378.992607] e1000e 0000:00:1f.6 eno1: Reset adapter unexpectedly
</pre>
This was resolved by disabling TCP Segmentation Offload:
<syntaxhighlight lang="bash">
sudo ethtool -K eno1 tso off
# Verify tso is disabled
ethtool -k eno1 | grep tcp
</syntaxhighlight>
To make this persist across reboots:
{{hidden | Script |
If you're using netplan (default for Ubuntu):<br>
[https://michael.mulqueen.me.uk/2018/08/disable-offloading-netplan-ubuntu/ Reference]<br>
<syntaxhighlight lang="bash">
output_path=/usr/lib/networkd-dispatcher/routable.d/10-disable-offloading
sudo tee $output_path <<EOF> /dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
</syntaxhighlight>
If using ifupdown:
<syntaxhighlight lang="bash">
output_path=/etc/network/if-up.d/disable-tso
sudo tee $output_path <<EOF> /dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
</syntaxhighlight>
}}
==Cloning to a new disk==
The easiest way is to use gparted.
{{hidden | Terminal Guide |
To do this in the terminal:
<syntaxhighlight lang="bash">
OLD_DRIVE=/dev/sda
NEW_DRIVE=/dev/sdb
# Show old drive partitions in sectors
parted $OLD_DRIVE unit s print free
# Apply GPT
parted $NEW_DRIVE mklabel gpt
# Create the new EFI partition with start 2048s and end 1050623s
parted $NEW_DRIVE mkpart primary fat32 2048s 1050623s
# Apply boot and esp flags.
parted $NEW_DRIVE set 1 boot on
parted $NEW_DRIVE set 1 esp on
parted $NEW_DRIVE name 1 'EFI System Partition'
# dd the old to the new
dd if=${OLD_DRIVE}1 of=${NEW_DRIVE}1 bs=4k
# Make a new partition. Make sure start and end sectors are aligned.
# i.e. start % 8 == 0 and end % 8 == 7 if your physical sector size is 4096 bytes, typical for new HDDs and SSDs.
parted $NEW_DRIVE mkpart primary btrfs 1050624s 488396791s
parted $NEW_DRIVE align-check opt 2
# Copy the filesystem
mkfs.btrfs ${NEW_DRIVE}2
# Assumed paths: SRC is where the old filesystem is mounted, DEST is a new mount point
SRC=/
DEST=/media/new_drive
mkdir -p $DEST
mount -t btrfs -o compress=zstd ${NEW_DRIVE}2 $DEST
rsync -axHAWXS --numeric-ids --info=progress2 $SRC $DEST/
</syntaxhighlight>
[https://superuser.com/questions/307541/copy-entire-file-system-hierarchy-from-one-drive-to-another rsync reference]
;rsync options
* -a    archive mode
* -x    one file system
* -H    preserve hard links
* -A    preserve ACLs
* -W    copy whole files instead of deltas
* -X    preserve extended attributes
* -S    handle sparse files efficiently
* --numeric-ids    transfer numeric uid/gid values instead of mapping them by user/group name
To copy a root partition, make sure you change the following on the new drive:
* Update the UUID and mount options in <code>/etc/fstab</code>
* Update the UUID in <code>/boot/grub/grub.cfg</code> and run <code>update-grub</code>
* Update the UUID in <code>/boot/EFI/ubuntu/grub.cfg</code>
* Run [https://help.ubuntu.com/community/Boot-Repair boot-repair] from a live disk if you run into any issues.
}}
==Ubuntu==
Ubuntu-specific notes
===Disable ESM message===
[https://askubuntu.com/questions/1453749/inhibit-esm-messages-at-login Reference]
<syntaxhighlight lang="bash">
# Disable MOTD
sudo chmod -x /etc/update-motd.d/88-esm-announce
sudo chmod -x /etc/update-motd.d/91-contract-ua-esm-status
# Disable APT check
sudo sed -Ezi.orig \
  -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
  -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
  /usr/lib/update-notifier/apt_check.py
sudo /usr/lib/update-notifier/update-motd-updates-available --force
</syntaxhighlight>