Linux
A collection of notes on using Linux systems.
Notes here are for Ubuntu but should work on similar Debian-derivative distros.
==Basic Terminal Commands==
{{see also | Bash (Unix shell)}}
===List===
<code>ls</code>
* <code>-l</code> shows long format
* <code>-a</code> shows all files including hidden files, the current directory <code>.</code>, and the parent directory <code>..</code>
** <code>-A</code> omits <code>.</code> and <code>..</code>
* <code>-h</code> human-readable file sizes
* <code>-s</code> shows the number of blocks allocated to each file (i.e. size on disk)
There are also other commands like <code>lsblk</code>, <code>lscpu</code>, and <code>lshw</code>.
===Disk Space===
* <code>du</code> Disk Usage
** <code>du -sh</code> Show size of current directory
** <code>du -h --max-depth=1</code> Show size of files and folders in current directory. I have <code>du</code> aliased to this.
** Flags:
*** <code>-h</code> human readable (adds M or G)
*** <code>--max-depth=N</code> summarize at most <code>N</code> levels below the starting directory
* <code>df</code> Disk Filesystems
** Shows usage, total space available, and mount position
** <code>df -Ph .</code> See free space on the filesystem containing the current directory
If looking to free up space, I recommend installing <code>ncdu</code>.
===Monitoring===
* <code>htop</code> - basic terminal system monitor, enhanced version of <code>top</code>
* <code>watch -n 0.5 <program></code> - repeatedly call <program> every 0.5 seconds
===Standard Streams===
* <code>|</code> will pipe stdout to the stdin of another process
* <code>></code> will redirect stdout to a file
* <code>2>&1</code> will redirect stderr (2) to stdout (1)
* [https://www.gnu.org/software/coreutils/manual/html_node/tee-invocation.html <code>tee</code>] will write stdout to one or more files while still showing it in the terminal
===Shutdown===
<pre>
shutdown -h [now | -t <time>]
</pre>
* <code>-h</code> poweroff, the default
* <code>-t time</code> schedule a shutdown in ''time'' seconds
* <code>-r</code> restart
* <code>-c</code> cancel pending shutdown
==Package Management==
See [https://www.digitalocean.com/community/tutorials/package-management-basics-apt-yum-dnf-pkg DigitalOcean: Package management basics]
===apt===
<syntaxhighlight lang="bash">
# List all installed packages
apt list --installed
# Search repos for package
apt search libdpkg-dev
</syntaxhighlight>
;Repositories
Repository sources are saved in
* A line in <code>/etc/apt/sources.list</code>
* A file in <code>/etc/apt/sources.list.d/</code>
Application desktop icons are stored in <code>/usr/share/applications/</code>.
The update notifications are configured in <code>/etc/apt/apt.conf.d/99update-notifier</code>. Comment these out to disable them.<br>
Unattended upgrades are configured in <code>/etc/apt/apt.conf.d/50unattended-upgrades</code>.
{{hidden | dpkg |
===dpkg===
<syntaxhighlight lang="bash">
# List everything
dpkg -l
# Filter the list for a package name
sudo dpkg -l | grep apache
</syntaxhighlight>
}}
{{hidden | yum |
===yum===
<syntaxhighlight lang="bash">
# Update package lists, typically not necessary
yum check-update
# Upgrade packages
yum update
</syntaxhighlight>
}}
==SSH==
Generate an ssh-key for every client
<syntaxhighlight lang="bash">
ssh-keygen -t ed25519 [-C "comment your client name"] [-f output_path]
</syntaxhighlight>
Some older software such as Solid File Explorer requires RSA keys in PEM format
<syntaxhighlight lang="bash">
ssh-keygen -t rsa -b 4096 -m PEM [-C "comment your client name"] [-f output_path]
</syntaxhighlight>
You can also convert existing keys to PEM format
<syntaxhighlight lang="bash">
ssh-keygen -p -m PEM [-C "comment your client name"] [-f output_path]
</syntaxhighlight>
If you want to change the comment on your key
<syntaxhighlight lang="bash">
ssh-keygen -c -C "New comment" -f path_to_key
</syntaxhighlight>
Manage ssh keys
<syntaxhighlight lang="bash">
</syntaxhighlight>
Notes:<br>
* According to [https://security.stackexchange.com/questions/143442/what-are-ssh-keygen-best-practices this] you should avoid using ECDSA and DSA keys.
===Disable password authentication===
# Edit <code>/etc/ssh/sshd_config</code>
# Set <code>PasswordAuthentication</code> to <code>no</code>
# Set <code>ChallengeResponseAuthentication</code> to <code>no</code>
# Test by ssh'ing into the machine using <code>-o PreferredAuthentications=password -o PubkeyAuthentication=no</code>
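Editing the file is the easy part; the trap is that sshd takes the first occurrence of a keyword, and everything after the first <code>Match</code> line only applies to the matched connections, so a second <code>PasswordAuthentication no</code> near the bottom of the file changes nothing. The checker below is an added example, not part of the original notes: it reads a config file offline, reports the effective global value of a keyword, and decides whether password logins are really off. The function names and the two constructed sample configs are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): check whether an sshd_config
# actually disables password logins. sshd honours the FIRST occurrence of a
# keyword, and anything after the first "Match" line only applies to the
# matched connections, so a late "PasswordAuthentication no" can be inert.

# Print the effective global value of a keyword, or nothing if it is unset.
# usage: sshd_global_setting <config-file> <Keyword>   (keyword match is case-insensitive)
sshd_global_setting() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                # skip comments and blank lines
        index($1, "=") { sub(/=/, " ") }             # allow the "Keyword=value" spelling
        tolower($1) == "match" { exit }              # the global section ends at the first Match
        tolower($1) == tolower(key) {                # first occurrence wins
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# Return 0 only when both methods are explicitly "no". Both default to "yes"
# when absent, so a missing keyword counts as still enabled.
# usage: password_logins_disabled <config-file>
password_logins_disabled() {
    pw=$(sshd_global_setting "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    kbd=$(sshd_global_setting "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is an alias.
    [ -n "$kbd" ] || kbd=$(sshd_global_setting "$1" KbdInteractiveAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed sample configs (not real system files).
write_hardened_config() {  # usage: write_hardened_config <path>
    cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match Group sftponly
    PasswordAuthentication no
EOF
}

# Looks locked down at a glance, but the first PasswordAuthentication line
# wins, and the trailing "no" sits inside the Match block, so globally it is "yes".
write_trap_config() {  # usage: write_trap_config <path>
    cat > "$1" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
EOF
}

# Demo: report on the live config when run directly (read-only).
if [ -r /etc/ssh/sshd_config ]; then
    if password_logins_disabled /etc/ssh/sshd_config; then
        echo "/etc/ssh/sshd_config: password logins disabled"
    else
        echo "/etc/ssh/sshd_config: password logins still possible"
    fi
fi
```

On a live host, <code>sudo sshd -T | grep -i passwordauthentication</code> prints the value sshd actually resolved, defaults included, and is the authoritative check; the parser above is for reviewing a copy of the file before it is deployed.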
===Port Forwarding===
Also known as: SSH Tunneling, SSH Proxy, SSH Reverse Proxy
If you need to access a port on the remote computer, you can use the <code>-L</code> option to forward a port from the remote machine to the local machine.
<syntaxhighlight lang="bash">
ssh -L <localport>:localhost:<remoteport> <remoteurl>
# E.g. ssh -L 8080:localhost:80 [email protected]
</syntaxhighlight>
You can also do the reverse, giving the remote access to a local port using <code>-R</code>
<syntaxhighlight lang="bash">
ssh -R <remoteport>:localhost:<localport> <remoteurl>
# E.g. ssh -R 8080:localhost:80 [email protected]
</syntaxhighlight>
;Notes
* You can also run this without creating a shell using <code>-N</code>. This will block your shell. See [https://unix.stackexchange.com/questions/100859/ssh-tunnel-without-shell-on-ssh-server SE Answer].
* Adding <code>-f</code> pushes ssh to the background.
** This will implicitly add <code>-n</code>, which redirects <code>stdin</code> from <code>/dev/null</code>.
** If you want to be able to foreground it again, use <code>&</code> or <kbd>Ctrl</kbd>+<kbd>z</kbd> instead.
===alias===
===x11vnc===
[https://askubuntu.com/questions/1033274/ubuntu-18-04-connect-to-login-screen-over-vnc Reference]
I recommend not exposing VNC. Set it to listen on localhost only and use ssh port forwarding.
===Remmina===
If using a wired connection, you can save a preset to <code>localhost:5901</code> or similar.
Note that the Remmina which ships with Ubuntu 18.04 is outdated and buggy.
You can upgrade it by adding the Remmina PPA.
See [https://remmina.org/how-to-install-remmina/ https://remmina.org/how-to-install-remmina/] for details.
<pre>
sudo apt-add-repository ppa:remmina-ppa-team/remmina-next
sudo apt update
sudo apt install remmina remmina-plugin-rdp remmina-plugin-secret
</pre>
==Nvidia==
===Driver Installation===
# Run <code>ubuntu-drivers list</code> to get a list of drivers
# Install the latest driver
#* E.g. <code>sudo apt install nvidia-driver-460</code>
# If you have Secure Boot enabled, you will be asked for a password during installation
#* This is because the driver is a DKMS module.
#* After installation, reboot your computer, select "Enroll MOK", and enter that password.
#* '''Note''' Failure to do this will result in the driver not working
# Validate your installation by running <code>nvidia-smi</code>.
#* <code>nvidia-smi</code> shows the latest CUDA version supported by the driver, not the CUDA version installed.
===CUDA Installation===
Download CUDA from the Nvidia website or add the CUDA repo to your apt sources.
===Switching between Nvidia and Intel===
[https://www.linuxbabe.com/desktop-linux/switch-intel-nvidia-graphics-card-ubuntu Reference]
Make sure the Nvidia graphics drivers are installed. Then you can select between the Nvidia and Intel GPUs using the Nvidia X Server Settings application <code>nvidia-settings</code>. Alternatively, you can use the following commands in the terminal.<br>
To switch to the Nvidia GPU:
<pre>
sudo prime-select nvidia
</pre>
To switch to the Intel GPU:
<pre>
sudo prime-select intel
</pre>
<code>prime-select query</code> will print either <code>nvidia</code> or <code>intel</code> to stdout.
===Fix tearing on laptops===
[https://ubuntuhandbook.org/index.php/2018/07/fix-screen-tearing-ubuntu-18-04-optimus-laptops/ Reference]<br>
# Add <code>options nvidia-drm modeset=1</code> to <code>/etc/modprobe.d/nvidia-drm-nomodeset.conf</code>
# Run <code>sudo update-initramfs -u</code>
==Environment Variables==
==Tmux==
[https://tmuxcheatsheet.com/ Tmux cheat sheet]
Tmux, or Terminal Multiplexer, is an alternative to screen.<br>
Use it to keep terminals open and tasks running after you disconnect your SSH connection.<br>
<syntaxhighlight lang="bash">
# Attach to a session
tmux attach -t my_session
# Renumber windows (typed at the tmux command prompt)
:movew
</syntaxhighlight>
===Mouse scrolling===
Set <code>set -g mouse on</code> in your <code>~/.tmux.conf</code>
==File Manager==
The default file manager in Ubuntu is Nautilus.
===Add to context menu===
[https://askubuntu.com/questions/1030940/nautilus-actions-in-18-04 AskUbuntu]
;22.04
See [https://github.com/harry-cpp/code-nautilus https://github.com/harry-cpp/code-nautilus]
;20.04
<pre>
sudo add-apt-repository universe
sudo apt update
sudo apt install filemanager-actions nautilus-actions nautilus-extension-fma
</pre>
==Etcher==
==Virtual Machines (VM)==
===Guest VMs===
Using Ubuntu as a guest:
* Install <code>open-vm-tools-desktop</code>
===KVM===
{{main | Archwiki: KVM}}
===Docker===
{{main | Docker (software)}}
==Services and Scheduling==
===crontab===
The following will open the list of cron jobs you have.
<pre>
crontab -e
</pre>
The default editor is nano. You can change it to vim using the <code>VISUAL=vim</code> environment variable or with <code>select-editor</code>.
===systemd service===
See [https://wiki.debian.org/systemd/Services debian/systemd Services]<br>
[https://www.freedesktop.org/software/systemd/man/systemd.service.html manual]<br>
System-wide services are in <code>/etc/systemd/system/</code><br>
User services are in <code>~/.config/systemd/user/</code>
{{hidden|A basic systemd service file|
<pre>
# Contents of /etc/systemd/system/myservice.service
[Unit]
Description=My Service
After=network.target

[Service]
Type=simple
Restart=always
WorkingDirectory=/usr/local/bin
ExecStart=/usr/local/bin/myservice

[Install]
WantedBy=multi-user.target
</pre>
Enable with <code>sudo systemctl enable myservice</code>
}}
;Usage
* <code>sudo systemctl enable <my_service></code>
* <code>sudo systemctl status <my_service></code>
* <code>sudo systemctl start <my_service></code>
* <code>sudo systemctl stop <my_service></code>
* <code>sudo systemctl restart <my_service></code>
* <code>sudo systemctl disable <my_service></code>
;Notes
* Type should be <code>forking</code> if your service runs and then ends
* See the service log with <code>sudo journalctl -u myservice</code>
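The basic unit above runs the binary as root with the whole filesystem writable. As an added example (not part of the original notes), the script below writes that unit next to a hardened variant that uses systemd's own sandboxing directives, plus a small reader that pulls a directive back out of a unit file and a check that lists which hardening directives are absent. The function names, the <code>myservice</code> name carried over from the notes, and the choice of directives are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): the basic unit from the notes
# next to a hardened version, a directive reader, and a check for missing
# hardening directives.

# The minimal unit as written in the notes.  usage: write_basic_unit <path>
write_basic_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=My Service
After=network.target

[Service]
Type=simple
Restart=always
WorkingDirectory=/usr/local/bin
ExecStart=/usr/local/bin/myservice

[Install]
WantedBy=multi-user.target
EOF
}

# The same service with sandboxing directives. Each one removes something the
# process could otherwise do if it were compromised.  usage: write_hardened_unit <path>
write_hardened_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=My Service (hardened)
After=network.target

[Service]
Type=simple
Restart=always
ExecStart=/usr/local/bin/myservice
# Run as a throwaway unprivileged user that exists only while the service runs.
DynamicUser=yes
# /var/lib/myservice is created for writable state; the rest of the filesystem is read-only.
StateDirectory=myservice
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
# Cannot regain privileges through setuid binaries, and cannot create them.
NoNewPrivileges=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
LockPersonality=yes
# Only the socket families a network service needs; an empty bounding set drops every capability.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
EOF
}

# usage: unit_value <unit-file> <Directive>; prints the last value set (later lines override earlier ones)
unit_value() {
    awk -F= -v key="$2" '!/^[#;]/ && $1 == key { v = substr($0, length(key) + 2) } END { print v }' "$1"
}

# Directives a network service should normally carry; prints the missing ones, returns 1 if any.
# usage: missing_hardening <unit-file>
missing_hardening() {
    missing=0
    for key in NoNewPrivileges ProtectSystem ProtectHome PrivateTmp CapabilityBoundingSet SystemCallFilter; do
        # grep rather than unit_value, because "CapabilityBoundingSet=" is present with an empty value
        if ! grep -q "^$key=" "$1"; then
            echo "$key"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

After installing a unit, <code>systemd-analyze security myservice</code> scores how much of the system the service can still reach; the basic unit scores as exposed, the hardened one considerably less so. <code>DynamicUser</code> with <code>StateDirectory</code> removes the need to create a service account by hand.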
==File Management==
===rsync===
{{main | rsync}}
[https://linux.die.net/man/1/rsync Documentation]
Use this to sync folders between directories or across networks
;Common Flags
* <code>-a, --archive</code> archive mode; equals -rlptgoD
* <code>--info=progress2</code> show overall progress
See [[ArchWiki: rsync]] to learn how to use rsync for incremental backups (a la Time Machine).
===rclone===
{{ main | rclone }}
Similar to rsync but for cloud services such as Dropbox and Google Drive.<br>
I recommend installing from their website to get the latest version.
===scp===
===7z===
<syntaxhighlight lang="bash">
# Archive
7z a <output_file> <input_file/folder>
# Archive with password
7z a <output_file> <input_file> -p -mhe=on
# Extract
7z x <file> [-o{dir}]
</syntaxhighlight>
* <code>-mhe=on</code> encrypts the archive headers too, so the file names and structure are hidden
===zip/unzip===
Note that p7zip-full also includes the ability to zip/unzip .zip files.<br>
;Zip a folder
<code>zip -r file.zip folder</code>
;Unzip an archive
<code>unzip file.zip [-d destination]</code>
===diff===
[https://www.geeksforgeeks.org/diff-command-linux-examples/ diff examples]
;Important flags
* <code>--strip-trailing-cr</code> Ignores <code>\r</code>
===tar===
{{ main | tar (computing) }}
;Extraction
<pre>
tar xzvf archive.tar.gz
</pre>
;Archive
<pre>
tar czpvf archive.tar.gz files
</pre>
===find===
Find files by their filename
<pre>
find <folder> [args] -name <name>
</pre>
* <code>-maxdepth <num></code> limit how deep to recurse
===grep===
Find files containing a pattern
<pre>
grep -r <pattern> *
</pre>
==Dual Booting==
Allows you to reboot into an OS one time.<br>
i.e. If you are ssh'd into Linux and want to boot into Windows one time.<br>
===Encryption===
[https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html]
==Users and Groups==
===Users===
<syntaxhighlight lang="bash">
# Make a new user
adduser <user>
# Add user to admins (the sudo group)
usermod -aG sudo <user>
# Change your own password, or another user's
passwd
passwd <user>
# Delete a user
# -r will also delete their home directory
userdel -r <user>
</syntaxhighlight>
===Groups===
<syntaxhighlight lang="bash">
# Make a group
groupadd <group>
# Delete a group
groupdel <group>
# List members of a group
getent group <group>
# Add user to group
usermod -a -G <group> <user>
# Remove user from group
gpasswd -d <user> <group>
</syntaxhighlight>
==Permissions==
In Unix filesystems, files and folders have individual permissions.<br>
You can set permissions for each file/folder independently and for the following sets of users:
* User/Owner <code>u</code>
* Group <code>g</code>
* Other <code>o</code>
You can also set permissions for all of the above with:
* All <code>a</code>
Each file and folder can have the following permissions for each set of users:
* Read <code>r</code>
* Write <code>w</code>
* Execute <code>x</code>
The above totals 9 bits (3 sets of users times 3 permissions).
In addition to the above, there are 3 special bits:
* [https://en.wikipedia.org/wiki/Sticky_bit Sticky bit <code>t</code>] - only allow the owners of subfiles/subfolders to modify them
** Useful for shared folders such as /tmp
* Setuid <code>s</code> - automatically elevate execution of this file to the owner's privileges
* Setgid <code>s</code> - automatically elevate execution of this file to the group's privileges
In total, permissions for each file and folder can be stored in 16 bits or 2 bytes.
===chmod===
change mode
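The conversion between the symbolic mode that <code>ls -l</code> prints and the octal mode that <code>chmod</code> accepts, with the setuid, setgid and sticky bits handled, as an added example that is not part of the original notes. The audit helper at the end lists setuid/setgid files, which is the practical reason to care about those bits. Function names are mine; the audit helper assumes GNU <code>find</code> and <code>stat</code>.

```shell
#!/bin/sh
# Added example (not from the original notes): convert between the symbolic
# mode that "ls -l" prints and the octal mode that chmod accepts, special
# bits included, and list the setuid/setgid files on a filesystem.

# usage: symbolic_to_octal rwsr-xr-x  -> 4755  (the 10-character "ls -l" form is accepted too)
symbolic_to_octal() {
    m=$1
    # Drop the file-type column ("-", "d", "l", ...) of an ls -l mode string.
    if [ "${#m}" -eq 10 ]; then m=$(printf '%s' "$m" | cut -c2-); fi
    if [ "${#m}" -ne 9 ]; then
        echo "symbolic_to_octal: bad mode '$1'" >&2
        return 1
    fi
    special=0 digits=""
    for slot in 1 2 3; do                 # 1 = user, 2 = group, 3 = other
        start=$(( (slot - 1) * 3 + 1 ))
        triplet=$(printf '%s' "$m" | cut -c"$start-$((start + 2))")
        v=0
        case $triplet in r??) v=$((v + 4)) ;; esac
        case $triplet in ?w?) v=$((v + 2)) ;; esac
        # x, s and t all include execute; S and T are the special bit without execute.
        case $triplet in ??[xst]) v=$((v + 1)) ;; esac
        case $triplet in
            ??[sS]) if [ "$slot" -eq 1 ]; then special=$((special + 4)); fi   # setuid
                    if [ "$slot" -eq 2 ]; then special=$((special + 2)); fi ;; # setgid
            ??[tT]) if [ "$slot" -eq 3 ]; then special=$((special + 1)); fi ;; # sticky
        esac
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# usage: octal_to_symbolic 4755  -> rwsr-xr-x  (3-digit modes are treated as having no special bits)
octal_to_symbolic() {
    o=$1
    if [ "${#o}" -eq 3 ]; then o="0$o"; fi
    special=$(printf '%s' "$o" | cut -c1)
    out=""
    for slot in 1 2 3; do
        d=$(printf '%s' "$o" | cut -c$((slot + 1)))
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        # The special bit that lives in this slot: setuid (4), setgid (2), sticky (1).
        bit=$(( special & (slot == 1 ? 4 : slot == 2 ? 2 : 1) ))
        if [ "$bit" -ne 0 ]; then
            if [ "$slot" -eq 3 ]; then letter=t; else letter=s; fi
            # Upper case marks a special bit on a slot that has no execute permission.
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr 'st' 'ST'); fi
        fi
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Print "<octal> <owner> <path>" for every setuid or setgid file under a
# directory without crossing filesystems. A new entry in this list is a new
# way to run code as another user, so it is worth diffing against a baseline.
# usage: list_special_bit_files [dir]   (GNU find and stat)
list_special_bit_files() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null
}
```

<code>list_special_bit_files / > /root/suid-baseline.txt</code> once, then diff a fresh listing against it periodically; a setuid binary that was not there before deserves an explanation.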
===chown===
change owner
<pre>
chown [-R] <user>[:<group>] <item>
</pre>
===chgrp===
===Access Control Lists (ACL)===
==Display Scaling (HiDPI)==
See [https://wiki.archlinux.org/index.php/HiDPI Arch Wiki HiDPI]
Fractional scaling is natively available in Ubuntu 20.04+.
{{hidden | Ubuntu 18.04 |
;Xorg
<pre>
# Find your display
xrandr
xrandr --output <display> --scale 1.25x1.25
</pre>
;Wayland
<pre>
gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"
</pre>
I have the following script run at startup
<pre>
#!/bin/bash
gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.settings-daemon.plugins.xsettings overrides "{'Gdk/WindowScalingFactor': <2>}"
xrandr --output DP-2 --scale 1.3x1.3
</pre>
}}
==Clock==
See [https://help.ubuntu.com/lts/serverguide/NTP.html Ubuntu Time Synchronization]<br>
<pre>
# Install chrony
sudo apt install chrony
# Synchronize time once and exit
sudo chronyd -q
# Check the offset without adjusting the clock
sudo chronyd -Q
</pre>
Notes
* Syncing over the internet will be off by a few milliseconds (e.g. 0.003 seconds).
* Syncing with another computer over LAN is covered below.
===Syncing with another computer===
See [https://askubuntu.com/questions/787855/how-to-use-chrony-to-synchronize-timestamp-on-two-computers/1018204 askubuntu]<br>
;On the server
Add the following to <code>/etc/chrony.conf</code>
<pre>
# make it serve time even if it is not synced (as it can't reach out)
local stratum 8
# allow the IP of your peer to connect (192.168 subnet)
allow 192.168
# Or
# allow all
</pre>
;On the client
Add the following to <code>/etc/chrony.conf</code>
<pre>
# set the server's IP here to sync to it
server <Server_IP> iburst
# remove the default servers in the config
</pre>
==<code>/dev/</code>==
See [[Wikipedia: Device file#Pseudo-devices]]
===<code>null</code>===
Discards all input.
Produces EOF when read.
===<code>random</code>===
See [https://security.stackexchange.com/questions/3936/is-a-rand-from-dev-urandom-secure-for-a-login-key/3939#3939 stackexchange]<br>
See [https://www.2uo.de/myths-about-urandom/ Myths about urandom]<br>
;TLDR: Use <code>/dev/urandom</code> instead of <code>/dev/random</code>
===<code>urandom</code>===
Produces random numbers.
On my system, it's limited to about 60 MB/s. If you need faster randomness, you can encrypt <code>/dev/zero</code> with a random key to get 2.7 GB/s.
See [https://serverfault.com/questions/6440/is-there-an-alternative-to-dev-urandom/415962#415962 reference].
<pre>
# Using urandom
pv < /dev/urandom > /dev/null
# Using encryption (AES-256-CTR keystream, keyed from 128 bytes of urandom)
openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | pv > /dev/null
# Create a 4 GB file of random data.
dd if=/dev/zero bs=4M count=1024 | openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt | pv > random.bin
</pre>
==Gnome==
===Tweaks===
<pre>
sudo apt install gnome-tweaks
sudo apt install chrome-gnome-shell
</pre>
==Auto Reboot==
[https://unix.stackexchange.com/questions/141095/automatically-reboot-if-no-wifi-connection-for-a-certain-time reference]
{{hidden | Auto Reboot Script |
Auto reboot if no internet is detected:
<syntaxhighlight lang="bash">
#!/bin/bash
# Counter file: number of consecutive checks that found no internet.
# /tmp is world-writable, so for a root cron job a root-owned directory such as /run is the safer home for this file.
TMP_FILE=/tmp/inet_up

# Edit this function if you want to do something besides reboot
no_inet_action() {
    if [ "$1" -eq 1 ]; then
        # First failure: restart the network stack before doing anything drastic
        systemctl restart network-manager
    elif [ "$1" -ge 2 ]; then
        rm -f "$TMP_FILE"
        shutdown -r now "No Internet"
    fi
}

increment_tmp_file() {
    if [ ! -f "$TMP_FILE" ]; then
        echo 0 > "$TMP_FILE"
    fi
    oldnum=$(cut -d ',' -f2 "$TMP_FILE")
    newnum=$((oldnum + 1))
    sed -i "s/$oldnum\$/$newnum/g" "$TMP_FILE"
}

if ping -c5 google.com; then
    echo 0 > "$TMP_FILE"
    date > /tmp/inet_up_last_check
else
    increment_tmp_file
    oldnum=$(cut -d ',' -f2 "$TMP_FILE")
    no_inet_action "$oldnum"
fi
</syntaxhighlight>
Add to root's crontab (<code>sudo crontab -e</code>) to run every 10 minutes
<pre>
*/10 * * * * /home/david/bin/check_inet.sh
</pre>
}}
==Encryption==
For encrypting entire drives, I recommend LUKS.<br>
If you want to encrypt a directory, you can use fscrypt (ext4 only).
Note that ecryptfs is deprecated and shouldn't be used.
===Encrypt Home After Install===
See [[Archwiki: Fscrypt#Encrypt_a_home_directory]].
See [https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html].
This uses the newer fscrypt and requires Ubuntu 18.10+.
<ol>
<li>
Install fscrypt and do setup
<pre>
sudo apt-get install fscrypt libpam-fscrypt
sudo fscrypt setup
sudo fscrypt setup /
sudo tune2fs -O encrypt /dev/<yourdevice>
# E.g. sudo tune2fs -O encrypt /dev/sda5
</pre>
</li>
<li>
Create a new temporary sudo user and log in to it
</li>
<li>
Create the encrypted home folder
<pre>
export USERNAME=david
# Move old home folder
sudo mv /home/$USERNAME /home/$USERNAME.bak
# Create a new home folder and encrypt it (you are the temporary user, so /home needs sudo)
sudo mkdir /home/$USERNAME
sudo chown $USERNAME:$USERNAME /home/$USERNAME
sudo fscrypt encrypt /home/$USERNAME --user=$USERNAME
# Copy files to the new home folder using cp or rsync
# sudo cp -a -T /home/$USERNAME.bak /home/$USERNAME
sudo rsync -aHX --info=progress2 /home/$USERNAME.bak/ /home/$USERNAME/
</pre>
</li>
<li>
Test the encrypted home folder by logging in to your user
</li>
<li>
Clean up by removing the temporary user and deleting the old home folder
<pre>
# shred only overwrites regular files, so overwrite each file and then remove the tree
sudo find /home/$USERNAME.bak -type f -exec shred -u {} +
sudo rm -rf /home/$USERNAME.bak
</pre>
</li>
</ol>
;Notes and Caveats
* <code>systemd</code> will no longer have access to your home, so all startup apps should be placed elsewhere
** E.g. Move all startup scripts in your <code>~/.local/bin</code> to <code>/usr/local/bin</code>
* <code>ssh</code> will not work until home has been decrypted since the authorized keys are in <code>~/.ssh/authorized_keys</code>
{{hidden | SSH Workaround |
Getting SSH to work with an encrypted home dir is a giant pain.
Also things like tmux still won't work.
Overall I do not recommend doing this on a server.
# Move ssh keys elsewhere such as <code>/etc/ssh/authorized_keys/<user></code>.
#* Add <code>/etc/ssh/authorized_keys/%u</code> to the <code>AuthorizedKeysFile</code> line in <code>/etc/ssh/sshd_config</code>.
# Create a sudo user with an unencrypted home directory.
# After every restart, ssh into the unencrypted sudo user and decrypt your home directory:
#* <code><nowiki>sudo fscrypt unlock /home/david --user=david</nowiki></code>
# Then ssh into your account.
}}
==SFTP==
You can create a specific user with a chroot to limit SFTP to specific folders.
See [[Archwiki: SFTP chroot]] for details.
Add to <code>/etc/ssh/sshd_config</code>:
<pre>
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
</pre>
On Ubuntu the external binary lives at <code>/usr/lib/openssh/sftp-server</code>; with <code>ForceCommand internal-sftp</code> the matched users never use it anyway. The <code>Subsystem</code> line must stay above the <code>Match</code> block.
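sshd rejects a <code>ChrootDirectory</code> unless the directory and every parent up to <code>/</code> are owned by root and not writable by group or others; otherwise the chrooted user could replace files the daemon trusts. The checker below walks that chain and reports the first component that fails, as an added example that is not part of the original notes. It assumes GNU <code>stat</code>; the <code>setup_sftp_home</code> helper is hypothetical, needs root, uses the <code>sftponly</code> group from the config above, and is not exercised by the checks.

```shell
#!/bin/sh
# Added example (not from the original notes): check that a directory meets
# sshd's rules for ChrootDirectory. The directory and every parent up to /
# must be owned by root and must not be writable by group or others.

# usage: mode_is_safe <octal mode as printed by stat -c %a>; 0 when no group/other write bit is set
mode_is_safe() {
    # A leading 0 makes the shell parse the digits as octal; 022 = group write + other write.
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# usage: check_chroot_dir <directory>; prints a verdict, returns 0 when sshd would accept it
check_chroot_dir() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: $1 is not a directory"; return 1; }
    p=$dir
    while :; do
        set -- $(stat -c '%u %a' "$p")     # positional parameters: owner uid, octal mode
        if ! mode_is_safe "$2"; then
            echo "FAIL: $p is group- or world-writable (mode $2)"
            return 1
        fi
        if [ "$1" -ne 0 ]; then
            echo "FAIL: $p is not owned by root (uid $1)"
            return 1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")                  # climb one level toward /
    done
    echo "OK: $dir and all of its parents are root-owned and not group/world-writable"
}

# Layout for "ChrootDirectory %h": the home itself stays root-owned and 755,
# and the user gets a writable subdirectory inside it.
# usage: setup_sftp_home <user>   (hypothetical helper; needs root; not run by the checks above)
setup_sftp_home() {
    home=$(getent passwd "$1" | cut -d: -f6)
    chown root:root "$home" && chmod 755 "$home"
    mkdir -p "$home/upload" && chown "$1:sftponly" "$home/upload" && chmod 750 "$home/upload"
}

# Demo: check a directory given on the command line, or /var/empty by default.
if [ -d "${1:-/var/empty}" ]; then check_chroot_dir "${1:-/var/empty}"; fi
```

The symptom of getting this wrong is an immediate disconnect after authentication with <code>bad ownership or modes for chroot directory</code> in the auth log, which is exactly the condition the checker reproduces.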
==Hardware Info==
;Benchmarking
Basic CPU benchmark
<pre>
sysbench cpu --threads=2 run
</pre>
==MOTD==
The message of the day is the text you see when you log in via SSH.
Ubuntu stores its MOTD scripts in <code>/etc/update-motd.d/</code>. Other distros use <code>/etc/motd</code>.
You can disable the Ubuntu news MOTD in <code>/etc/default/motd-news</code>.
==System Administration==
{{main | Linux Administration}}
==Installing Binaries==
# Copy your binary to <code>/usr/local/bin/</code> or <code>~/.local/bin/</code>
# Copy your man page to <code>/usr/local/share/man/man1/</code> or <code>~/.local/share/man/man1/</code>
==Network Troubleshooting==
On one of my OptiPlex 5060 servers, the network adapter would reset during git clones over ssh.<br>
This would appear in <code>/var/log/syslog</code> as:
<pre>
Feb 8 22:22:01 optiplex5060-2 kernel: [ 4378.992607] e1000e 0000:00:1f.6 eno1: Reset adapter unexpectedly
</pre>
This was resolved by disabling TCP Segmentation Offload:
<syntaxhighlight lang="bash">
sudo ethtool -K eno1 tso off
# Verify tso is disabled
ethtool -k eno1 | grep tcp-segmentation-offload
</syntaxhighlight>
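Both halves of this, spotting the resets and confirming the fix, can be scripted rather than checked by eye. The block below is an added example, not part of the original notes: it counts <code>Reset adapter unexpectedly</code> events per interface in syslog-style lines and reads the TSO state out of <code>ethtool -k</code> output. The log lines and the ethtool excerpt are constructed samples modelled on the one line in the notes; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): count "Reset adapter
# unexpectedly" events per interface in syslog lines, and read the TSO state
# out of "ethtool -k" output.

# Reads log lines on stdin, prints "<iface> <count>" per interface, sorted by name.
count_adapter_resets() {
    awk '/Reset adapter unexpectedly/ {
            # The kernel line ends "... <driver> <pci-id> <iface>: Reset adapter unexpectedly",
            # so the interface is the word (minus its colon) right before "Reset".
            for (i = 2; i <= NF; i++)
                if ($i == "Reset" && $(i - 1) ~ /:$/) {
                    iface = substr($(i - 1), 1, length($(i - 1)) - 1)
                    n[iface]++
                }
        }
        END { for (k in n) print k, n[k] }' | sort
}

# Reads "ethtool -k <iface>" output on stdin and prints "on" or "off" for TSO.
# The value may carry a "[fixed]" suffix, so only the first word is printed.
tso_state() {
    awk -F': ' '$1 == "tcp-segmentation-offload" { split($2, a, " "); print a[1] }'
}

# Return 0 if any interface reset at least <threshold> times (default 2); reads log lines on stdin.
# usage: cat /var/log/syslog | resets_exceed 2
resets_exceed() {
    count_adapter_resets | awk -v t="${1:-2}" '$2 >= t { hit = 1 } END { exit !hit }'
}

# Constructed sample log lines modelled on the one in the notes (not real logs).
sample_syslog() {
    cat <<'EOF'
Feb  8 22:22:01 optiplex5060-2 kernel: [ 4378.992607] e1000e 0000:00:1f.6 eno1: Reset adapter unexpectedly
Feb  8 22:22:05 optiplex5060-2 systemd[1]: Started Session 12 of user david.
Feb  8 22:30:41 optiplex5060-2 kernel: [ 4898.110233] e1000e 0000:00:1f.6 eno1: Reset adapter unexpectedly
Feb  8 22:31:02 optiplex5060-2 kernel: [ 4919.004511] e1000e 0000:02:00.0 enp2s0: Reset adapter unexpectedly
EOF
}

# Constructed excerpt in the shape of "ethtool -k eno1" output.
sample_ethtool_k() {
    cat <<'EOF'
Features for eno1:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
generic-segmentation-offload: on
EOF
}

# Demo on the constructed data (safe to run anywhere):
sample_syslog | count_adapter_resets
printf 'TSO in sample: %s\n' "$(sample_ethtool_k | tso_state)"
```

On a real host, <code>grep kernel /var/log/syslog | count_adapter_resets</code> gives the per-interface tally, and <code>ethtool -k eno1 | tso_state</code> should print <code>off</code> after the fix has been applied and again after a reboot, which is the quickest way to confirm that the persistence script below actually ran.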
To make this persist across reboots:
{{hidden | Script |
If you're using netplan (default for Ubuntu):<br>
[https://michael.mulqueen.me.uk/2018/08/disable-offloading-netplan-ubuntu/ Reference]<br>
<syntaxhighlight lang="bash">
output_path=/usr/lib/networkd-dispatcher/routable.d/10-disable-offloading
sudo tee $output_path <<'EOF' > /dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
</syntaxhighlight>
If using ifupdown:
<syntaxhighlight lang="bash">
output_path=/etc/network/if-up.d/disable-tso
sudo tee $output_path <<'EOF' > /dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
</syntaxhighlight>
}}
==Cloning to a new disk==
The easiest way is to use gparted.
{{hidden | Terminal Guide |
To do this in the terminal:
<syntaxhighlight lang="bash">
OLD_DRIVE=/dev/sda
NEW_DRIVE=/dev/sdb
MOUNT_POINT=/mnt/newroot
# Show old drive partitions in sectors
parted $OLD_DRIVE unit s print free
# Apply GPT
parted $NEW_DRIVE mklabel gpt
# Create the new EFI partition with start 2048s and end 1050623s
parted $NEW_DRIVE mkpart primary fat32 2048s 1050623s
# Apply boot and esp flags.
parted $NEW_DRIVE set 1 boot on
parted $NEW_DRIVE set 1 esp on
parted $NEW_DRIVE name 1 'EFI System Partition'
# dd the old EFI partition to the new one
dd if=${OLD_DRIVE}1 of=${NEW_DRIVE}1 bs=4k
# Make a new partition. Make sure start and end sectors are aligned.
# i.e. start % 8 == 0 and end % 8 == 7 if your physical sector size is 4096 bytes, typical for new HDDs and SSDs.
parted $NEW_DRIVE mkpart primary btrfs 1050624s 488396791s
parted $NEW_DRIVE align-check opt 2
# Create the filesystem, mount it, and copy the running root filesystem into it
mkfs.btrfs ${NEW_DRIVE}2
mkdir -p $MOUNT_POINT
mount -t btrfs -o compress=zstd ${NEW_DRIVE}2 $MOUNT_POINT
rsync -axHAWXS --numeric-ids --info=progress2 / $MOUNT_POINT/
</syntaxhighlight>
[https://superuser.com/questions/307541/copy-entire-file-system-hierarchy-from-one-drive-to-another rsync reference]
;rsync options
* -a archive mode
* -x stay on one file system
* -H preserve hard links
* -A preserve ACLs
* -W copy whole files instead of deltas
* -X preserve extended attributes
* -S handle sparse files efficiently
* --numeric-ids transfer numeric uid/gid values instead of mapping by user/group name
To copy a root partition, make sure you change the following on the new drive:
* Update the UUID and mount options in <code>/etc/fstab</code>
* Update the UUID in <code>/boot/grub/grub.cfg</code> and run <code>update-grub</code>
* Update the UUID in <code>/boot/EFI/ubuntu/grub.cfg</code>
* Run [https://help.ubuntu.com/community/Boot-Repair boot-repair] from a live disk if you run into any issues.
}}
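Two of the steps above are easy to get subtly wrong by hand: the sector alignment rule, and swapping the old filesystem UUID for the new one in the copied <code>/etc/fstab</code>. The block below is an added example, not part of the original notes, that makes both checkable: the alignment test uses the same rule as the comment in the script (start divisible by 8, end leaving remainder 7), and the fstab rewrite keeps a <code>.bak</code> copy and refuses to run if the old UUID is not present. The sample fstab uses obviously fake UUIDs; <code>fs_uuid</code> wraps the real <code>blkid</code> and needs root. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original notes): partition alignment check and
# fstab UUID replacement for the disk-cloning procedure.

# usage: partition_aligned <start_sector> <end_sector> [logical sectors per physical sector, default 8]
# Returns 0 when start % N == 0 and end % N == N-1, i.e. the partition covers whole physical sectors.
partition_aligned() {
    per=${3:-8}
    [ $(( $1 % per )) -eq 0 ] && [ $(( $2 % per )) -eq $(( per - 1 )) ]
}

# usage: fs_uuid <block device>   e.g. fs_uuid /dev/sdb2   (needs root; not used by the checks)
fs_uuid() {
    blkid -s UUID -o value "$1"
}

# usage: replace_fstab_uuid <old-uuid> <new-uuid> <fstab-path>
# Rewrites every "UUID=<old>" to "UUID=<new>", keeps a .bak copy, and prints how many lines matched.
replace_fstab_uuid() {
    old=$1 new=$2 file=$3
    before=$(grep -c "UUID=$old" "$file") || true   # grep -c exits 1 when the count is 0
    if [ "$before" -eq 0 ]; then
        echo "replace_fstab_uuid: UUID=$old not found in $file" >&2
        return 1
    fi
    sed -i.bak "s|UUID=$old|UUID=$new|g" "$file"
    echo "$before"
}

# Constructed sample fstab with obviously fake UUIDs (not from a real system).
write_sample_fstab() {  # usage: write_sample_fstab <path>
    cat > "$1" <<'EOF'
# <file system>                           <mount point>  <type>  <options>                <dump> <pass>
UUID=11111111-1111-1111-1111-111111111111 /              btrfs   defaults,compress=zstd   0      1
UUID=22222222-2222-2222-2222-222222222222 /boot/efi      vfat    umask=0077               0      1
tmpfs                                     /tmp           tmpfs   defaults,nosuid,nodev    0      0
EOF
}

# Demo on the partition boundaries used in the notes:
if partition_aligned 1050624 488396791; then
    echo "1050624s-488396791s is aligned to 4096-byte physical sectors"
fi
```

Typical use after the rsync: <code>replace_fstab_uuid "$(fs_uuid ${OLD_DRIVE}2)" "$(fs_uuid ${NEW_DRIVE}2)" $MOUNT_POINT/etc/fstab</code>, then the same substitution in the two <code>grub.cfg</code> files listed above.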
==Ubuntu==
Ubuntu-specific notes
===Disable ESM message===
[https://askubuntu.com/questions/1453749/inhibit-esm-messages-at-login Reference]
<syntaxhighlight lang="bash">
# Disable MOTD
sudo chmod -x /etc/update-motd.d/88-esm-announce
sudo chmod -x /etc/update-motd.d/91-contract-ua-esm-status
# Disable APT check: insert an early "return" (indented to match the function body) into the two ESM functions
sudo sed -Ezi.orig \
    -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
    -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
    /usr/lib/update-notifier/apt_check.py
sudo /usr/lib/update-notifier/update-motd-updates-available --force
</syntaxhighlight>
Latest revision as of 03:04, 2 May 2023
A collection of notes on using Linux systems. Notes here are for Ubuntu but should work on similar Debian-derivative distros.
Basic Terminal Commands
List
ls
- -l shows long format
- -a shows all files including hidden files, current directory ., and parent directory ..
  - -A omits . and ..
- -h human readable file sizes
- -s shows blocks taken up by the file (i.e. size on disk)
There are also other commands like lsblk, lscpu, lshw.
Disk Space
- du Disk Usage
  - du -sh Show size of current directory
  - du -h --max-depth=1 Show size of files and folders in current directory. I have du aliased to this.
  - Flags:
    - -h human readable (adds M or G)
    - --max-depth depth to recurse. Default is N.
- df Disk Filesystems
  - Shows usage, total space available, and mount position
  - df -Ph . See free space in current directory
If looking to free up space, I recommend installing ncdu.
Monitoring
- htop - basic terminal system monitor, enhanced version of top
- watch -n 0.5 <program> - repeatedly call <program> every 0.5 seconds
Standard Streams
- | will pipe stdout to the stdin of another process
- > will redirect stdout to a file
- 2>&1 will redirect stderr (2) to stdout (1)
- tee will redirect stdout to multiple files and show it in the terminal
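The redirections above are applied left to right, which is why the position of 2>&1 relative to > matters. The following is an added example (not part of the wiki page) that makes the difference observable with a small stdout/stderr emitter, and shows tee collecting both streams; the function names are chosen for this example only.

```shell
#!/bin/sh
# Added example, not part of the wiki page: shows why the ORDER of
# redirections matters. Redirections are applied left to right, so
# "2>&1 >file" and ">file 2>&1" behave differently.

# A command that writes one line to stdout and one to stderr.
noisy() {
    echo "to stdout"
    echo "to stderr" >&2
}

# Wrong order: "2>&1" first points stderr at wherever stdout goes NOW
# (the caller), and only then is stdout sent to /dev/null.
# Result: stderr still reaches the caller, stdout is lost.
wrong_order() {
    noisy 2>&1 >/dev/null
}

# Right order: stdout goes to /dev/null first, then stderr is pointed at
# stdout, i.e. also /dev/null. Result: nothing reaches the caller.
right_order() {
    noisy >/dev/null 2>&1
}

# tee keeps a copy of both streams in a file. The terminal copy is discarded
# here so the function's only output is the number of lines that were logged.
log_both_streams() {
    logfile=$1
    noisy 2>&1 | tee "$logfile" >/dev/null
    wc -l < "$logfile" | tr -d ' '
}
```

Calling wrong_order prints only "to stderr", right_order prints nothing, and log_both_streams reports 2 lines in the log file: the merge with 2>&1 has to happen before the pipe for tee to see stderr at all.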
Shutdown
shutdown -h [now | -t <time>]
- -h poweroff, the default
- -t time schedule a shutdown in time seconds
- -r restart
- -c cancel pending shutdown
Package Management
See DigitalOcean: Package management basics
apt
# List all installed packages
apt list --installed
# Search repos for package
apt search libdpkg-dev
- Repositories
  - Repository sources are saved in
    - A line in /etc/apt/sources.list
    - A file in /etc/apt/sources.list.d/
Application desktop icons are stored in /usr/share/applications/.
The update notifications are in /etc/apt/apt.conf.d/99update-notifier. Comment these out to disable them.
Unattended-updates are in /etc/apt/apt.conf.d/50unattended-upgrades.
dpkg
# List everything
sudo dpkg -l
# List things with apache in the name
sudo dpkg -l | grep apache
yum
# Update package lists, typically not necessary
yum check-update
# Upgrade packages
yum update
SSH
SSH Keys
Generate an ssh-key for every client
ssh-keygen -t ed25519 [-C "comment your client name"] [-f output_path]
Some older software such as Solid file explorer requires RSA keys in PEM key format
ssh-keygen -t rsa -b 4096 -m PEM [-C "comment your client name"] [-f output_path]
You can also convert existing keys to PEM format (-p rewrites the private key file in place)
ssh-keygen -p -m PEM -f path_to_key
If you want to change the comment on your key
ssh-keygen -c -C "New comment" -f path_to_key
Manage ssh keys
# On the client
ssh-copy-id <host>
# On the server
vim ~/.ssh/authorized_keys
Notes:
- According to this you should avoid using ECDSA and DSA keys.
Disable password authentication
- Edit /etc/ssh/sshd_config
- Set PasswordAuthentication to no
- Set ChallengeResponseAuthentication to no
- Test by ssh'ing into the machine using -o PreferredAuthentications=password -o PubkeyAuthentication=no
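Two details make this edit easy to get wrong: sshd keeps the first occurrence of a keyword and ignores later duplicates, and a line that is still commented out leaves the default (yes) in force. The following is an added example (not part of the wiki page) that reads a sshd_config file the way sshd does and reports whether password-style logins are really off; the function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a read-only check that an
# sshd_config really disables password logins. Two details trip people up:
#   * sshd uses the FIRST occurrence of a keyword; later duplicates are ignored
#   * a commented-out "#PasswordAuthentication no" leaves the default, "yes"
# Settings inside "Match" blocks only apply to the matched users/hosts, so the
# global check stops at the first Match line.

# Print the global value of keyword $2 in config file $1 (empty if unset).
sshd_setting() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                        # drop comment lines
        line=${line#"${line%%[![:space:]]*}"}   # trim leading whitespace
        [ -n "$line" ] || continue
        key=${line%%[[:space:]]*}
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        [ "$key" = match ] && break             # Match blocks are not global
        if [ "$key" = "$want" ]; then
            case $line in
                *[[:space:]]*) val=${line#*[[:space:]]} ;;   # text after keyword
                *) val="" ;;
            esac
            val=${val#"${val%%[![:space:]]*}"}
            printf '%s\n' "${val%%[[:space:]]*}"  # first word only
            return 0
        fi
    done < "$1"
    return 0
}

# Return 0 if both password-style methods are off; otherwise print what is
# wrong and return 1. An unset keyword falls back to sshd's default, "yes".
check_password_logins_disabled() {
    cfg=$1
    rc=0
    for key in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_setting "$cfg" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "${val:-yes}" != no ]; then
            echo "$key is '${val:-unset, defaults to yes}' in $cfg"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for this example, written to temp files so the
# functions can be run as-is.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
# keys only
PasswordAuthentication no
ChallengeResponseAuthentication no
# ignored: sshd keeps the first value seen above
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# still commented out, so the default (yes) applies
#PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
```

check_password_logins_disabled passes the first file and fails the second. On a live host, sudo sshd -T prints the effective configuration after all parsing, which is the authoritative form of this check.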
Port Forwarding
Also known as: SSH Tunneling, SSH Proxy, SSH Reverse Proxy
If you need to access a port on the remote computer, you can use the -L option to forward ports from the remote to the local machine.
ssh -L <localport>:localhost:<remoteport> <remoteurl>
# E.g. ssh -L 8080:localhost:80 [email protected]
You can also do the reverse, giving the remote access to a local port using -R. With -R the first port is the one opened on the remote side.
ssh -R <remoteport>:localhost:<localport> <remoteurl>
# E.g. ssh -R 8080:localhost:80 [email protected]
- Notes
  - You can also run this without creating a shell using -N. This will block your shell. See SE Answer.
  - Adding -f pushes ssh to the background.
    - This will implicitly add -n which redirects stdin from /dev/null.
    - If you want to be able to foreground this again, then use & or Ctrl+z instead.
alias
You can create aliases in your .ssh/config
Host my_alias
    User my_username
    Hostname my_server.my_domain.com
    Port 52
VNC
x11vnc
I recommend not exposing VNC. Set it to localhost only and use ssh port forwarding.
Remmina
If using a wired connection, you can save a preset to localhost:5901 or similar.
Note that the Remmina which ships with Ubuntu 18.04 is outdated and buggy. You can upgrade it by adding the Remmina PPA. See https://remmina.org/how-to-install-remmina/ for details.
sudo apt-add-repository ppa:remmina-ppa-team/remmina-next
sudo apt update
sudo apt install remmina remmina-plugin-rdp remmina-plugin-secret
Nvidia
Driver Installation
- Run ubuntu-drivers list to get a list of drivers
- Install the latest driver
  - E.g. sudo apt install nvidia-driver-460
- If you have secure boot enabled, you will be asked for a password during installation
  - This is because the driver is a DKMS module.
  - After installation, reboot your computer and select "Enroll MOK" and enter that password in.
  - Note: failure to do this will result in the driver not working
- Validate your installation by running nvidia-smi.
  - nvidia-smi shows the latest cuda version supported by the driver, not the cuda version installed.
Cuda Installation
Download cuda from the nvidia website or add the cuda repo to your apt sources.
Switching between Nvidia and Intel
Make sure the Nvidia graphics drivers are installed. Then you can select between Nvidia and Intel GPUs using the Nvidia X Server Settings application nvidia-settings. Alternatively, you can use the following commands in the terminal.
To switch to the Nvidia GPU:
sudo prime-select nvidia
To switch back to the Intel GPU:
sudo prime-select intel
prime-select query will print either nvidia or intel to stdout.
Fix tearing on laptops
- Add options nvidia-drm modeset=1 to /etc/modprobe.d/nvidia-drm-nomodeset.conf
- Run sudo update-initramfs -u
Environment Variables
Tmux
Tmux, or Terminal Multiplexer is an alternative to screen.
Use it to keep terminals open and tasks running after you disconnect your SSH connection.
Getting Started:
# Make a new session
tmux
# Make a new named session
tmux new -s my_session
# Rename a session
# Keybinding: Ctrl + b, $
tmux rename-session [-t current-name] [new-name]
# Detach from a session
# Keybinding: Ctrl + b, d
tmux detach
# List windows
tmux ls
# Attach to a session
tmux attach -t my_session
# Renumber windows
:movew
Mouse scrolling
Add set -g mouse on to your ~/.tmux.conf
File Manager
The default file manager in Ubuntu is Nautilus
- 22.04
  See https://github.com/harry-cpp/code-nautilus
- 20.04
  sudo add-apt-repository universe
  sudo apt update
  sudo apt install filemanager-actions nautilus-actions nautilus-extension-fma
Etcher
Github
Installing etcher
echo "deb https://deb.etcher.io stable etcher" | sudo tee /etc/apt/sources.list.d/balena-etcher.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 379CE192D401AB61
sudo apt update
sudo apt install balena-etcher-electron
Logs
Logs are stored under /var/log. These can end up taking up a lot of space.
You can delete logs in the journal folder (Reference).
Default gcc/g++ version
See https://askubuntu.com/questions/26498/how-to-choose-the-default-gcc-and-g-version.
# Install
sudo update-alternatives --remove-all gcc
sudo update-alternatives --remove-all g++
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-8 10
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 20
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-8 10
sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-7 20
sudo update-alternatives --install /usr/bin/cc cc /usr/bin/gcc 30
sudo update-alternatives --set cc /usr/bin/gcc
sudo update-alternatives --install /usr/bin/c++ c++ /usr/bin/g++ 30
sudo update-alternatives --set c++ /usr/bin/g++
# Select
sudo update-alternatives --config gcc
sudo update-alternatives --config g++
Power Management
tlp
Website
Battery power management
Virtual Machines (VM)
Guest VMs
Using Ubuntu as a guest:
- Install open-vm-tools-desktop
KVM
Docker
Services and Scheduling
crontab
The following will open a list of cron jobs you have.
crontab -e
The default editor is nano. You can change it to vim using the VISUAL=vim env variable or with select-editor.
systemd service
See debian/systemd Services and the manual
System-wide services are in /etc/systemd/system/
User services are in ~/.config/systemd/user/
# Contents of /etc/systemd/system/myservice.service
[Unit]
Description=My Service
After=network.target

[Service]
Type=simple
Restart=always
WorkingDirectory=/usr/local/bin
ExecStart=/usr/local/bin/myservice

[Install]
WantedBy=multi-user.target
Enable with sudo systemctl enable myservice
- Usage
  sudo systemctl enable <my_service>
  sudo systemctl status <my_service>
  sudo systemctl start <my_service>
  sudo systemctl stop <my_service>
  sudo systemctl restart <my_service>
  sudo systemctl disable <my_service>
- Notes
  - Type should be forking if your service runs and then ends
  - See the service log with sudo journalctl -u myservice
File Management
rsync
Use this to sync folders between directories or across networks
- Common Flags
  - -a, --archive archive mode; equals -rlptgoD
  - --info=progress2 show progress
See ArchWiki: rsync to learn how to use rsync for incremental backups (a la time machine).
rclone
Similar to rsync but for cloud services such as Dropbox and Google Drive.
I recommend installing from their website to get the latest version.
scp
Usage
scp [source_machine]:[source_file] [target_machine]:[target_file]
- Flags
  - -r recursive, needed to scp directories
  - -P [port]
- Notes
  - The machine can be an alias or user@domain
7z
7zip CLI
Install with sudo apt install p7zip-full
# Archive
7z a <output_file> <input_file/folder>
# Archive with password
7z a <output_file> <input_file> -p -mhe=on
# Extract
7z x <file> [-o{dir}]
-mhe=on hides the file structure (the archive header is encrypted as well)
zip/unzip
Note that p7zip-full also includes the ability to zip/unzip .zip files.
- Zip a folder
  zip -r file.zip folder
- Unzip an archive
  unzip file.zip [-d destination]
diff
- Important flags
  - --strip-trailing-cr Ignores \r
tar
- Extraction
  tar xzvf archive.tar.gz
- Archive
  tar czpvf archive.tar.gz files
find
Find files by their filename
find <folder> [args] -name <name>
- -maxdepth <num>
grep
Find files containing a pattern
grep -r <pattern> *
Dual Booting
Fix time difference between Windows
timedatectl set-local-rtc 1 --adjust-system-clock
Recover GRUB after installing Windows
Ubuntu Help
If you install windows after installing Ubuntu
GrubReboot
Allows you to reboot into an OS one time.
i.e. If you are ssh'd into linux and want to boot into Windows one time.
Encryption
https://www.mikekasberg.com/blog/2020/04/08/dual-boot-ubuntu-and-windows-with-encryption.html
Users and Groups
Users
# Make a new user
adduser <user>
# Add user to admins
usermod -aG sudo <user>
# Change the password of a user
passwd
passwd <user>
# Delete a user
# -r will also delete their home directory
userdel -r <user>
Groups
# Make a group
groupadd <group>
# Delete a group
groupdel <group>
# List members in groups
getent group <group>
# Add user to group
usermod -a -G <group> <user>
# Remove user from group
gpasswd -d <user> <group>
Permissions
In unix filesystems, files and folders have individual permissions.
You can set permissions for each file/folder independently and for the following sets of users:
- User/Owner u
- Group g
- Other o
You can also set permissions for all of the above with:
- All a
Each file and folder can have the following permission for each set of user:
- Read r
- Write w
- Execute x
The above totals 9 bits (3 sets of users times 3 permissions).
In addition to the above, there are 3 special bits:
- Sticky bit t - only allow the owners of subfiles/subfolders to modify them
  - Useful for shared folders such as /tmp
- Setuid - automatically elevate execution of this file to the owner's privileges
- Setgid - automatically elevate execution of this file to the group's privileges
In total, permissions for each file and folder can be stored in 16 bits or 2 bytes.
chmod
change mode
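The 9 permission bits plus the 3 special bits are what chmod's 4-digit octal form encodes, and they are also what ls -l prints as a 10-character string. The following is an added example (not part of the wiki page) that converts between the two and reports which special bits a mode carries, which is the check you want when auditing for setuid or setgid files; the function names are chosen for this example, and path_mode_octal assumes GNU ls.

```shell
#!/bin/sh
# Added example, not part of the wiki page: turn the 10-character mode
# string printed by "ls -l" (e.g. -rwsr-xr-x) into the 4-digit octal mode
# that chmod accepts, and report which special bits it carries.
# The leading octal digit holds the three special bits described above:
#   setuid = 4, setgid = 2, sticky = 1
# An uppercase S or T means the special bit is set WITHOUT the execute bit.

# mode_to_octal "-rwsr-xr-x"  ->  4755
mode_to_octal() {
    m=$1
    [ ${#m} -eq 10 ] || { echo "expected a 10-character ls -l mode string" >&2; return 1; }
    special=0
    digits=""
    pos=2            # position 1 is the file type (d, -, l, ...)
    class=0          # 0 = user, 1 = group, 2 = other
    while [ $class -le 2 ]; do
        triple=$(printf '%s' "$m" | cut -c"$pos"-"$((pos + 2))")
        d=0
        case $triple in r??) d=$((d + 4)) ;; esac
        case $triple in ?w?) d=$((d + 2)) ;; esac
        case $triple in
            ??x | ??s | ??t) d=$((d + 1)) ;;     # execute bit is set
        esac
        case $triple in
            ??s | ??S) if [ $class -eq 0 ]; then special=$((special + 4)); else special=$((special + 2)); fi ;;
            ??t | ??T) special=$((special + 1)) ;;
        esac
        digits="$digits$d"
        pos=$((pos + 3))
        class=$((class + 1))
    done
    printf '%s\n' "$special$digits"
}

# special_bits 4755 -> "setuid"; special_bits 1777 -> "sticky"; 0755 -> "none"
# Expects the 4-digit form produced by mode_to_octal.
special_bits() {
    lead=$(printf '%s' "$1" | cut -c1)
    out=""
    [ $((lead & 4)) -ne 0 ] && out="$out setuid"
    [ $((lead & 2)) -ne 0 ] && out="$out setgid"
    [ $((lead & 1)) -ne 0 ] && out="$out sticky"
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# Octal mode of an existing path, derived from GNU ls -ld. Only the first 10
# characters are used; an 11th "+" or "." marks ACLs or a security context.
path_mode_octal() {
    mode_to_octal "$(ls -ld -- "$1" | cut -c1-10)"
}
```

With this, a one-liner such as find / -type f -perm /6000 can be cross-checked by running path_mode_octal on each hit and feeding the result to special_bits.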
chown
change owner
chown [-R] <user>[:<group>] <item>
chgrp
Access Control Lists (ACL)
Display Scaling (HiDPI)
See Arch Wiki HiDPI
Fractional scaling is natively available in Ubuntu 20.04+.
- Xorg
  # Find your display
  xrandr
  xrandr --output <display> --scale 1.25x1.25
- Wayland
  gsettings set org.gnome.mutter experimental-features "['scale-monitor-framebuffer']"
I have the following script run at startup
#!/bin/bash
gsettings set org.gnome.desktop.interface scaling-factor 2
gsettings set org.gnome.settings-daemon.plugins.xsettings overrides "{'Gdk/WindowScalingFactor': <2>}"
xrandr --output DP-2 --scale 1.3x1.3
Clock
See Ubuntu Time Synchronization
# Install chrony
sudo apt install chrony
# Synchronize time
sudo chronyd -q
# Check time synchronization
sudo chronyd -Q
Notes
- Syncing over the internet will be off by a few milliseconds (e.g. 0.003 seconds).
- Syncing with another computer over lan
Syncing with another computer
See askubuntu
- On the server
  Add the following to /etc/chrony.conf
  # make it serve time even if it is not synced (as it can't reach out)
  local stratum 8
  # allow the IP of your peer to connect (192.168 subnet)
  allow 192.168
  # Or
  # allow all
- On the client
  Add the following to /etc/chrony.conf
  # set the servers IP here to sync to it
  server <Server_IP> iburst
  # remove the default servers in the config
/dev/
See Wikipedia: Device file#Pseudo-devices
null
Discards all input. Produces EOF.
random
See stackexchange
See Myths about urandom
- TLDR: Use /dev/urandom instead of /dev/random
urandom
Produces random numbers.
On my system, it's limited to about 60 MB/s. If you need faster randomness, you can encrypt from /dev/zero to get 2.7 GB/s.
See reference.
# Using urandom
pv < /dev/urandom > /dev/null
# Using encryption
openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt < /dev/zero | pv > /dev/null
# Create a 4 GB file.
dd if=/dev/zero bs=4M count=1024 | openssl enc -pbkdf2 -iter 100000 -aes-256-ctr -pass pass:"$(dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64)" -nosalt | pv > random.bin
Gnome
Tweaks
sudo apt install gnome-tweaks
sudo apt install chrome-gnome-shell
Auto Reboot
Auto reboot if no internet is detected:
#!/bin/bash
# Counts consecutive failed connectivity checks in a state file. The first
# failure restarts NetworkManager, the second reboots the machine.
# Needs to run as root (systemctl restart and shutdown).
TMP_FILE=/tmp/inet_up

# Edit this function if you want to do something besides reboot
no_inet_action() {
    if [ "$1" -eq 1 ]; then
        systemctl restart network-manager
    elif [ "$1" -ge 2 ]; then
        rm -f "$TMP_FILE"
        shutdown -r now "No Internet"
    fi
}

# Increment the failure counter in the state file (create it at 0 if missing)
increment_tmp_file() {
    if [ ! -f "$TMP_FILE" ]; then
        echo 0 > "$TMP_FILE"
    fi
    oldnum=$(cat "$TMP_FILE")
    echo $((oldnum + 1)) > "$TMP_FILE"
}

if ping -c5 google.com; then
    echo 0 > "$TMP_FILE"
    date > /tmp/inet_up_last_check
else
    increment_tmp_file
    no_inet_action "$(cat "$TMP_FILE")"
fi
Add to root's crontab (sudo crontab -e) to run every 10 minutes
*/10 * * * * /home/david/bin/check_inet.sh
Encryption
For encrypting entire drives, I recommend LUKS.
If you want to encrypt a directory, you can use fscrypt (ext4 only).
Note that ecryptfs is deprecated and shouldn't be used.
Encrypt Home After Install
See Archwiki: Fscrypt#Encrypt_a_home_directory.
See https://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html.
This uses the newer fscrypt and requires Ubuntu 18.10+.
- Install fscrypt and do setup
  sudo apt-get install fscrypt libpam-fscrypt
  sudo fscrypt setup
  sudo fscrypt setup /
  sudo tune2fs -O encrypt /dev/<yourdevice>
  # E.g. sudo tune2fs -O encrypt /dev/sda5
- Create a new temp sudo user and login to it
- Create the encrypted home folder
  export USERNAME=david
  # Move old home folder
  sudo mv /home/$USERNAME /home/$USERNAME.bak
  # Create a new home folder and encrypt it
  sudo mkdir /home/$USERNAME
  sudo chown $USERNAME:$USERNAME /home/$USERNAME
  sudo fscrypt encrypt /home/$USERNAME --user=$USERNAME
  # Copy files to the new home folder using cp or rsync
  # sudo cp -a -T /home/$USERNAME.bak /home/$USERNAME
  sudo rsync -aHX --info=progress2 /home/$USERNAME.bak/ /home/$USERNAME/
- Test the encrypted home folder by logging into your user
- Cleanup by removing the temporary user and deleting the old home folder
  # shred works on files, not directories: shred each file, then remove the tree
  sudo find /home/$USERNAME.bak -type f -exec shred -u {} + && sudo rm -rf /home/$USERNAME.bak
- Notes and Caveats
  - systemd will no longer have access to your home so all startup apps should be placed elsewhere
    - E.g. Move all startup scripts in your ~/.local/bin to /usr/local/bin
  - ssh will not work until home has been decrypted since the authorized keys are in ~/.ssh/authorized_keys
    Getting SSH to work with an encrypted home dir is a giant pain. Also things like tmux still won't work. Overall I do not recommend doing this on a server.
    - Move ssh keys elsewhere such as /etc/ssh/authorized_keys/<user>.
      - Add /etc/ssh/authorized_keys/%u to the AuthorizedKeysFile line in /etc/ssh/sshd_config.
    - Create a sudo user with an unencrypted home directory.
    - After every restart, ssh into the unencrypted sudo user and decrypt your home directory:
      sudo fscrypt unlock /home/david --user=david
    - Then ssh into your account.
SFTP
You can create a specific user with a chroot to limit SFTP to specific folders.
See Archwiki: SFTP chroot for details.
/etc/ssh/sshd_config
Subsystem sftp /usr/lib/ssh/sftp-server
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PasswordAuthentication no
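sshd only honours a ChrootDirectory whose every path component is a root-owned directory that is not writable by group or others; with ChrootDirectory %h that requirement lands on each user's home directory and its parents. The following is an added example (not part of the wiki page) that walks a path and reports the first component sshd would reject, so the problem shows up before a user is locked out with a "bad ownership or modes" error in the log. The function names are chosen for this example, and it assumes GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sshd refuses to start a chrooted
# session unless EVERY component of ChrootDirectory (for "%h": the user's
# home and all of its parents) is a directory owned by root that is not
# writable by group or others. This reproduces that check. Uses GNU stat.

# Check one directory; print the problem and return 1 if it would be rejected.
chroot_component_ok() {
    p=$1
    if [ ! -d "$p" ]; then
        echo "$p: not a directory"; return 1
    fi
    uid=$(stat -c %u "$p")
    if [ "$uid" != 0 ]; then
        echo "$p: owned by uid $uid, must be owned by root"; return 1
    fi
    perms=$(stat -c %a "$p")             # e.g. 755 or 1777
    other=${perms#"${perms%?}"}          # last octal digit: others
    tmp=${perms%?}
    group=${tmp#"${tmp%?}"}              # second to last digit: group
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo "$p: mode $perms is writable by group or others"; return 1
    fi
    return 0
}

# Walk an absolute path from / downwards and stop at the first bad component.
chroot_dir_ok() {
    case $1 in
        /*) ;;
        *) echo "$1: ChrootDirectory must be an absolute path"; return 1 ;;
    esac
    chroot_component_ok / || return 1
    sofar=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$comp" ] || continue       # tolerate doubled slashes
        sofar="$sofar/$comp"
        chroot_component_ok "$sofar" || return 1
    done
    echo "$1: ok"
    return 0
}
```

Run chroot_dir_ok /home/<user> for each member of sftponly. Because the home itself must be root-owned and not user-writable, uploads need a subdirectory inside it that is owned by the user; anything under /tmp (mode 1777) will always be rejected.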
Hardware Info
- Benchmarking
  Basic CPU benchmark
  sysbench cpu --threads=2 run
MOTD
Message of the day is the text you see when you login via SSH.
Ubuntu stores its MOTD in /etc/update-motd.d/. Other distros use /etc/motd.
You can disable the Ubuntu news motd in /etc/default/motd-news.
System Administration
Installing Binaries
- Copy your binary to /usr/local/bin/ or ~/.local/bin/
- Copy your man page to /usr/local/share/man/man1/ or ~/.local/share/man/man1/
Network Troubleshooting
On one of my OptiPlex 5060 servers, the network adapter would reset on git ssh clones.
This would appear in /var/log/syslog
as:
Feb 8 22:22:01 optiplex5060-2 kernel: [ 4378.992607] e1000e 0000:00:1f.6 eno1: Reset adapter unexpectedly
This was resolved by disabling TCP Segmentation Offload:
sudo ethtool -K eno1 tso off
# Verify tso is disabled
ethtool -k eno1 | grep tcp
To make this persist across reboots:
If you're using netplan (default for Ubuntu):
Reference
output_path=/usr/lib/networkd-dispatcher/routable.d/10-disable-offloading
sudo tee $output_path <<EOF >/dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
If using ifupdown:
output_path=/etc/network/if-up.d/disable-tso
sudo tee $output_path <<EOF >/dev/null
#!/bin/bash
ethtool -K eno1 tso off
EOF
sudo chmod +x $output_path
Cloning to a new disk
The easiest way is to use gparted.
To do this in the terminal:
OLD_DRIVE=/dev/sda
NEW_DRIVE=/dev/sdb
MNT=/mnt/newroot   # mount point for the new root filesystem
# Show old drive partitions in sectors
parted $OLD_DRIVE unit s print free
# Apply GPT
parted $NEW_DRIVE mklabel gpt
# Create the new EFI partition with start 2048s and end 1050623s
parted $NEW_DRIVE mkpart primary fat32 2048s 1050623s
# Apply boot and esp flags.
parted $NEW_DRIVE set 1 boot on
parted $NEW_DRIVE set 1 esp on
parted $NEW_DRIVE name 1 'EFI System Partition'
# dd the old EFI partition to the new one
dd if=${OLD_DRIVE}1 of=${NEW_DRIVE}1 bs=4k
# Make a new partition. Make sure start and end sectors are aligned.
# i.e. start % 8 == 0 and end % 8 == 7 if your physical sector size is 4096 bytes, typical for new HDDs and SSDs.
parted $NEW_DRIVE mkpart primary btrfs 1050624s 488396791s
parted $NEW_DRIVE align-check opt 2
# Create the filesystem, mount it, and copy the running root filesystem into it
mkfs.btrfs ${NEW_DRIVE}2
mkdir -p $MNT
mount -t btrfs -o compress=zstd ${NEW_DRIVE}2 $MNT
rsync -axHAWXS --numeric-ids --info=progress2 / $MNT/
- rsync options
  - -a archive mode
  - -x one file system
  - -H preserve hard links
  - -A preserve ACLs
  - -W copy whole files instead of deltas
  - -X preserve extended attributes
  - -S handle sparse files efficiently
  - --numeric-ids use id instead of uid/gid
To copy a root partition, make sure you change the following on the new drive:
- Update the UUID and mount options in /etc/fstab
- Update the UUID in /boot/grub/grub.cfg and run update-grub
- Update the UUID in /boot/EFI/ubuntu/grub.cfg
- Run boot-repair from a live disk if you run into any issues.
Ubuntu
Ubuntu-specific notes
Disable ESM message
# Disable MOTD
sudo chmod -x /etc/update-motd.d/88-esm-announce
sudo chmod -x /etc/update-motd.d/91-contract-ua-esm-status
# Disable APT check
sudo sed -Ezi.orig \
-e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1 return\n/' \
-e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1 return\n/' \
/usr/lib/update-notifier/apt_check.py
sudo /usr/lib/update-notifier/update-motd-updates-available --force