system templar

org

a senior sysadmin's blog on /dev/random

Getting Fedora 18 Desktop Ready

Upgreyedd

First and foremost, I am not a fan of FedUp

My luck hasn’t been good with it, but I do some stuff that is off the beaten path, so it is likely my fault. I am fortunate enough to have extra hard drives kicking around, so installing an OS on a spare hard drive to test out its installation is no problem for me. However, in this case I have a shiny new PC to set up.

The new PC is ASUS P9X79LE, w/32 gigs of ram, and a 3.6 ghz proc.

Why use Fedora?

I use fedora because I work at a CentOS shop, and using fedora keeps me fresh on what changes are coming to the RHEL ecosystem. There are quite a few big changes coming in the RHEL pipeline, so it’s just a good way of seeing what is on its way, and it gives me a chance to explore how the new stuff works.

Installation

Anaconda (The fedora gui installer) has been completely re-written, and was (at least partly) responsible for the delays in getting fedora 18 released.

The new gui looks nice, but I have some complaints. Currently when you select the encryption option it encrypts the entire physical volume, rather than encrypting the logical volume. This means that it’s encrypting the whole hard drive instead of just a particular partition.

Typically in my linux installations I set up a /home partition and encrypt it using luks. In the previous version of anaconda this was easy to do. I have commented on a bug report about this.

I setup my /home partition unencrypted at installation time, so I will fix this later in this writeup.

Dual Booting with UEFI

I have used UEFI bios many times in a server environment, but this is my first PC with a UEFI bios at home. One of the fun parts is, you don’t need to worry about windows overwriting grub anymore (or grub forgetting to add the windows partition(s)). With a UEFI bios you pick which drive you are going to boot with using the bios menu. NOTE: I still have a windows partition for the occasional video game that I can’t get working with wine.

My motherboard is an Asus P9X79 LE, and the original bios version did not work with the F8 boot menu. If I selected the UEFI boot order in the bios itself it would work, but if I hit F8, it would not boot off any other drive. I did a BIOS update and that solved the problem.

Speaking of Bios Updates

I usually do BIOS updates using the windows boot disks, because generally speaking vendors test the windows portions more than the linux ones. So I saved the bios upgrade to c:\bios on my windows partition, loaded the asus EZ flash, navigated to the bios file, and it failed saying that the bios wasn’t an EFI bios.

After some googling I found that the EZ flash is able to navigate ntfs folders but can’t load bios files from ntfs (which is really odd). So I copied the bios file to /boot/efi on my linux partition (which is a VFAT partition iirc) and fired up the EZ flash again and it was able to find and use the bios upgrade just fine.

After the bios upgrade I am able to use the F8 bios boot menu just fine.

Post Installation

I like to record my steps on what I do after installing so I can come back if I ever need to.

First the bare essentials:

yum install vim gvim tmux terminator xchat pidgin git thunderbird wget curl
I will do a whole blog post on my vim setup on a much later date.
tmux is a screen replacement that is awesome.
terminator is a graphical terminal that is also awesome.
xchat for gui irc
pidgin for instant messaging
thunderbird for email
git for source control
and wget and curl for pure utility

Next Disable evil bash search prompt:

echo 'unset command_not_found_handle' >> ~/.bashrc && source ~/.bashrc

This is the thing that searches for typos when you typo. It slows things down far too much for fast typers. I have a fancy .bashrc that I’ll talk about some other time.

NOTE: Before the zsh people get on my case about not switching to zsh, it’s not something I’m ready to deploy on all my work servers, so I’m sticking with bash until I can deploy zsh everywhere I work.

yum update

Boot settings

fstab

NOTE: Don’t mess around with your fstab unless you know what you are doing.

I have a ssd disk, so I need to add the ‘discard’ option to the fstab for the partitions that are ssd backed.

old:
/dev/mapper/vg_shinix-lv_root /     ext4      defaults        1 1

new:
/dev/mapper/vg_shinix-lv_root /     ext4      discard,defaults        1 1

but do that for each partition that is ssd, though not on the luks partition as that would be foolish (iirc luks partitions ignore the discard option).

grub

NOTE: Don’t play with your grub settings unless you know what you are doing.

Being that I have a ssd drive, I will want elevator=noop for my scheduler, and I am not a fan of the graphical boot so I will disable that via removing the rhgb and quiet options.

I will also be using the nvidia driver, so I will disable the nouveau kernel module via rdblacklist=nouveau

If you haven’t used grub2 yet it might be a little jarring of an experience. Rather than the simple vi /boot/grub/grub.conf, you now get to:

modify:
/etc/default/grub
then
grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg
(or grub2-mkconfig -o /boot/grub2/grub.cfg and use a symlink).

If you think the old way is better you are not alone, but if you look at the mess that is your new grub.cfg you will be happy for the cfg generator.

vi /etc/default/grub
+ elevator=noop rdblacklist=nouveau
- rhgb quiet
grub2-mkconfig -o /boot/efi/EFI/fedora/grub.cfg

reboot (actually reboot cuz you have installed a new kernel and nvidia instructions require you to be on the new kernel)

Nvidia Drivers

I have a fancy video card (Geforce GTX 660ti) and I plan on trying out steam for linux, so I need to get the nvidia drivers going.

The instructions I found on fedoraforum will work, but require a bit of tinkering.

NOTE: I am following the instructions here

but due to a bug added “-o nouveau” to the dracut option.

so:

dracut -o nouveau /boot/initramfs-$(uname -r).img $(uname -r)

Upon rebooting my system would crash. This was annoying. So I did a rescue, and changed to boot to runlevel 3 (no gui).

After a reboot, I checked a “lsmod |egrep ‘nouv|nv’” to see what drivers I was loading. There was no nvidia, and no nouveau. So the blacklist/dracut was working but I wasn’t loading the nvidia kernel module either. A manual modprobe resulted in:

modprobe nvidia
ERROR: could not insert 'nvidia': Required key not available

So what key are we talking about here? Let’s get an strace going:

open("/lib/modules/3.7.2-204.fc18.x86_64/extra/nvidia/nvidia.ko", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1", 6)               = 6
lseek(3, 0, SEEK_SET)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=15202848, ...}) = 0
mmap(NULL, 15202848, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fe78915b000
init_module(0x7fe78915b000, 15202848, "") = -1 ENOKEY (Required key not available)
munmap(0x7fe78915b000, 15202848)        = 0
close(3)                                = 0
write(2, "ERROR: could not insert 'nvidia'"..., 61ERROR: could not insert 'nvidia': Required key not available
) = 61
munmap(0x7fe78a0c8000, 324765)          = 0

I’ve had some experience with signed modules before, but it was a long time ago. Hrm

readelf -S /lib/modules/3.7.2-204.fc18.x86_64/extra/nvidia/nvidia.ko |grep -i sig
(nothing returned)

no signature. This must be something else.

I tried booting with the kernel option:

enforcemodulesig=0 and module.sig_enforce=no, neither worked.

After a lot of googling, I found that the issue was with secure boot; as soon as I turned it off (in the bios settings), I was able to load the nvidia module fine. There is surprisingly little documentation on the internets about this error.

I posted this in hopes to save someone else some time (It took longer than I would have liked to figure it out).
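
A quicker way to confirm this diagnosis, as an added example that is not part of the original post: kernel module signatures are a trailer appended to the .ko file rather than an ELF section, so the script below checks the end of the file for the kernel's marker and reads the Secure Boot state. The function names and the efivarfs path of the SecureBoot variable are assumptions of the example.

```shell
#!/bin/sh
# Added example: why does modprobe report "Required key not available"?
# Function names and the efivarfs path are assumptions of this example.

MAGIC='~Module signature appended~'   # the kernel's marker, plus "\n": 28 bytes
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Hex-encode stdin so binary data can be compared as a plain string.
hex() { od -v -An -tx1 | tr -d ' \n'; }

# Succeeds if the file ends with the appended-signature marker.
# The signature is a trailer on the .ko file, not an ELF section.
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | hex)" = "$(printf '%s\n' "$MAGIC" | hex)" ]
}

# efivarfs layout: 4 attribute bytes, then the 1-byte SecureBoot value.
secure_boot_state() {
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# diagnose <module.ko> [SecureBoot variable file]
diagnose() {
    if module_is_signed "$1"; then sig=signed; else sig=unsigned; fi
    sb=$(secure_boot_state "${2:-$SB_VAR}")
    case "$sig/$sb" in
        unsigned/enabled) echo "$sig/$sb: module is rejected, as on this page" ;;
        signed/enabled)   echo "$sig/$sb: loads only if the kernel trusts the signing key" ;;
        */disabled)       echo "$sig/$sb: Secure Boot is not enforcing module signatures" ;;
        *)                echo "$sig/$sb: could not read the Secure Boot state" ;;
    esac
}

# Run as: sh script.sh /lib/modules/$(uname -r)/extra/nvidia/nvidia.ko
if [ $# -ge 1 ]; then diagnose "$@"; fi
```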

Desktop

I have been using cinnamon or frippery (cinnamon on the laptop, frippery on the desktop) since fedora 15 came out (because gnome2 was ditched). Fedora 18 has MATE which is the gnome2 fork. I’m really looking forward to using my old desktop again.

MATE:

Ahh MATE, I used Gnome2 as my desktop for many years, so this was a big sigh of relief. Even though I am going crazy daily due to a keyboard shortcut bug I am loving using mate. As far as moving windows from monitor to monitor (I have a 3 monitor setup) mate works a lot smoother than everything else I have used so far. Mate has been available in other versions of fedora, I just totally missed the boat on it.

The other issue I have with fedora’s installation of mate, is that it doesn’t install the mate-screensaver rpm. I opened a bug report on this so hopefully it will be fixed soon.

To get MATE installed after installation do a :

yum groupinstall "MATE Desktop"
yum install mate-screensaver

Setup encrypted home partition

Let’s get our /home partition encrypted.

WARNING: If you make a mistake here, you’re going to have a bad time! Don’t blame me. Back your stuff up.

My home partition is its own logical volume; if your setup is at all different, these instructions are not for you!

Steps:

1. hit ctrl-alt-f2, login as root, and type 'init 1'
2. mkdir /homebackup
3. rsync -av /home/ /homebackup
4. umount /home
5. lvdisplay (find your logical volume name mine is lv_home, find your volume
   group name, mine is vg_shinix)
6. cryptsetup --verbose --verify-passphrase luksFormat /dev/vg_shinix/lv_home
7. cryptsetup luksOpen /dev/vg_shinix/lv_home home
8. mkfs.ext4 /dev/mapper/home
9. mount /dev/mapper/home /home
10. rsync -av /homebackup/ /home/
11. restorecon -v -R /home
12. cryptsetup luksUUID /dev/vg_shinix/lv_home >> /etc/crypttab
13. vi /etc/crypttab
Your crypttab will have 1 UUID sitting there
ie:
37ff7165-31c0-4863-aba8-876692e6bc67

You need to take that uuid and put "luks-" in front of it, then add a space,
"UUID=" and the same uuid again, another space, and "none". It should look like
this when you are done:

luks-37ff7165-31c0-4863-aba8-876692e6bc67 UUID=37ff7165-31c0-4863-aba8-876692e6bc67 none

NOTE: I know the luks-string can be anything you want; this is keeping it like
previous versions of fedora, and I like consistency.

14. vi /etc/fstab

find your old /home entry, copy and paste it, comment out the orig.

#/dev/mapper/vg_shinix-lv_home /home                   ext4    defaults 1 2

modify the new one to point at luks-(the same uuid as before) so:

/dev/mapper/luks-37ff7165-31c0-4863-aba8-876692e6bc67    /home                   ext4    defaults 1 2

reboot to make sure it comes up on boot.

NOTE: if you have disabled graphical booting as I have, the password prompt
DOES show up, but due to the nature of systemd running many things at a time,
it scrolls by super fast, and is sitting waiting for your input. Hit backspace
once and the password prompt will appear.
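
A pre-reboot check for steps 12 to 14, as an added example that is not part of the original post: it builds the crypttab line from the UUID instead of hand-editing it, and verifies that every /dev/mapper/luks-* device mounted by fstab is actually defined in crypttab. The function names are the example's own, and both file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: generate the crypttab line from steps 12-13 and confirm that
# every /dev/mapper/luks-* device in fstab (step 14) is defined in crypttab.
# Function names are this example's own; both file paths are arguments.

# Print "luks-<uuid> UUID=<uuid> none"; fail on anything that is not a UUID.
crypttab_line() {
    printf '%s\n' "$1" |
        grep -Eqx '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' || return 1
    printf 'luks-%s UUID=%s none\n' "$1" "$1"
}

# missing_mappings <fstab> <crypttab>
# Prints each luks-* mapper name that fstab mounts but crypttab never sets up,
# and returns non-zero if there is one.
missing_mappings() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments, blank lines
        FILENAME == ARGV[1]  { names[$1] = 1; next }  # crypttab: mapping names
        $1 ~ /^\/dev\/mapper\/luks-/ {                # fstab: device column
            n = $1
            sub(/^\/dev\/mapper\//, "", n)
            if (!(n in names)) { print n; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$2" "$1"
}

# Typical use before the reboot in the last step (run as root):
#   crypttab_line "$(cryptsetup luksUUID /dev/vg_shinix/lv_home)" >> /etc/crypttab
#   missing_mappings /etc/fstab /etc/crypttab || echo "fix crypttab before rebooting"
```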

Disabling services

Gone are the days of chkconfig --list, we need to use systemctl. Skipping over a debate about systemctl, let’s move right into how to get going with it.

systemctl list-unit-files --type=service

You will see a nice color coded list of your services that are set to enabled, disabled, or static. If a service is ‘static’ that means it’s a dependency of another service. For now, ignore static services and concentrate on enabled services.

Let’s figure out what all this stuff is.

#if you type
systemctl
#you will get short description of what everything is, you can work with just
#that no problem.

#I like to see what rpm the services come from, here's how I do that:

systemctl list-unit-files --type=service |grep enabled |awk '{print $1}' |xargs locate |grep "/usr/lib" >> /tmp/list1
for i in $(cat /tmp/list1); do printf "\nservice $i\n" >> /tmp/list2; rpm -qif $i >> /tmp/list2; done
less /tmp/list2

NOTE: Yea I could do this all in 1 long command, but this is easier to
understand for the sake of anyone who might read this. :)

The above should give you a nice txt file that will show the systemctl file, and the rpm information about that rpm, for each enabled service.

I’m a big fan of disabling what I don’t need.

NOTE: You may need some of these services, I don’t.

So looks like I’m disabling:

atd : the AT Daemon, I never use it. I don't know anyone that does anymore.
bluetooth : not using any bluetooth devices
cups : never will print from here
libvirtd : have a different box for virtual machine playtime.
rpcbind : not using nfs
spice-vdagentd : not using spice / libvirtd
avahi : don't want this service
ksm : not using qemu/libvirt
ksm-tuned : not using qemu/libvirt
rngd : don't have a hardware rng device
sendmail : eww. removing sendmail installing postfix.
sm-client : part of sendmail
systemd-readahead-collect.service : readahead is not needed for ssd drives imo
systemd-readahead-drop.service : disabling readahead
systemd-readahead-replay.service : disabling readahead

Next take a look at the sockets:

systemctl | grep socket

avahi-daemon.socket
cups.socket
pcscd.socket
rpcbind.socket

Going to make a quick file to speed up stopping and disabling everything:

vi /tmp/disableme
atd.service
bluetooth.service
cups.service
libvirtd.service
rpcbind.service
spice-vdagentd.service
avahi-daemon.service
ksm.service
ksmtuned.service
rngd.service
sendmail.service
sm-client.service
systemd-readahead-collect.service
systemd-readahead-drop.service
systemd-readahead-replay.service
avahi-daemon.socket
cups.socket
pcscd.socket
rpcbind.socket
cups.path
(save exit)

for i in $(cat /tmp/disableme); do systemctl stop $i; systemctl disable $i; done

When I did this, I got:
    Warning: Stopping cups.service, but it can still be activated by:
    cups.path

so I did a plain 'systemctl' and went through everything. cups.path is all I
want to get rid of, so I added it to the list.

There are still some services that live in chkconfig, let’s see:

chkconfig --list

ebtables        0:off   1:off   2:off   3:off   4:off   5:off   6:off
iprdump         0:off   1:off   2:on    3:on    4:on    5:on    6:off
iprinit         0:off   1:off   2:on    3:on    4:on    5:on    6:off
iprupdate       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iscsi           0:off   1:off   2:off   3:on    4:on    5:on    6:off
iscsid          0:off   1:off   2:off   3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:off   3:off   4:off   5:off   6:off

I don’t have any ibm power raid devices so the ipr stuff can go. I don’t have any iscsi gear at home so that can all go as well.

chkconfig iprdump off && service iprdump stop
chkconfig iprinit off && service iprinit stop
chkconfig iprupdate off && service iprupdate stop
chkconfig iscsi off && service iscsi stop
chkconfig iscsid off && service iscsid stop

Okay, that’s better. Let’s check xinetd:

grep -ir disable /etc/xinetd.d/
/etc/xinetd.d/rsync:    disable = yes

Nothing to worry about there. Let’s check the cron jobs.

ls /etc/cron*
/etc/cron.deny  /etc/crontab

/etc/cron.d:
0hourly  raid-check  sysstat  vnstat

/etc/cron.daily:
cups  hplip logrotate  man-db.cron  mlocate.cron  prelink  tmpwatch

/etc/cron.hourly:
0anacron  mcelog.cron

/etc/cron.monthly:

/etc/cron.weekly:

cat /etc/crontab
(no jobs here)

Well, I don't want hplip and cups, but cups is a part of lsb, so there is no
point in getting rid of it (a yum remove cups would uninstall half your os).

yum remove hplip

The file for cups is just a tmpwatch so I'll leave it alone.

Misc

Utils

yum install htop iotop sysstat vnstat keepassx
htop is a fancier top
iotop is for tracking down IO issues
sysstat is for sar/iostat/mpstat/etc
vnstat is for network card monitoring
keepassx is a password manager

random

I setup my prompt_command so that it flushes my history after every single command. I also like to setup a much larger history file. I have a fairly fancy prompt_command setup but I’ll talk about that another time.

vi /etc/profile.d/histfile.sh
export HISTSIZE=9999
export HISTFILESIZE=999999
export PROMPT_COMMAND="${PROMPT_COMMAND:+$PROMPT_COMMAND ; }"'history -a'

I will be putting all my dot files on github, I just haven’t got around to it yet. Need to clean a few things up first. :)

Fonts

I am a big fan of dejavu-sans-mono for terminals / programming, which fedora has default installed now. Just need to change the system monospaced font to it. Droid sans mono is really nice as well.

Closing

Having been using Fedora 18 for about a week now, I’m pretty happy with it. I will be upgrading my laptop and work desktop in the next week or two, so I can get MATE on everything.

There are a lot of complaints about fedora 18, people are bitching about the gnome3 changes, I am not sure what they are talking about; I used gnome 3 long enough to install mate. :)

Gnome 3 is now the internet explorer of desktop environments.

The new anaconda is immature, there is no question. But it’s all python based, so I think it will evolve quickly to support what the old anaconda could do.

As far as Fedora being the worst redhat distro I have to disagree. RedHat linux 6 in 1998 or so (not to be confused with redhat enterprise linux) had a broken dhcp implementation, a grub bug where if you pushed a key to boot (the booting linux in 3 seconds bit), it would only use your first 4 partitions on your disk and ignore any other ones, and so many other horrible bugs. Redhat linux 5 was so much better. Seemed like a giant step backwards at the time (or was it from 6 to 7? hrm. maybe. it was 12-13 years ago it’s a bit fuzzy and so not worth googling).

That’s all for now.
