Install Arch Linux

13 Feb 2022

Thankfully, there are a few walk-throughs on how to install Arch Linux. This one was particularly helpful for me, but I made a few modifications. I have an old ThinkPad X250 kicking around that I wanted to try Arch on, so that's the hardware I use in this example. It is capable of UEFI boot.

The actual Arch download page is a bit confusing, but just scroll to the bottom of the page and click on a download mirror that is closest to you. I downloaded my Arch Linux ISO from http://mirrors.mit.edu/archlinux/iso/2022.02.01/archlinux-2022.02.01-x86_64.iso as well as http://mirrors.mit.edu/archlinux/iso/2022.02.01/sha1sums.txt

I downloaded the ISO and then ran sha1sum on it, comparing the result against the entry in sha1sums.txt, to be sure it was OK.

wget http://mirrors.mit.edu/archlinux/iso/2022.02.01/sha1sums.txt
wget http://mirrors.mit.edu/archlinux/iso/2022.02.01/archlinux-2022.02.01-x86_64.iso
sha1sum archlinux-2022.02.01-x86_64.iso 
cat sha1sums.txt
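
The same comparison done mechanically instead of by eye, as an added example that is not part of the original post: a function that looks up the file's entry in a sha1sum-style list and fails closed on a mismatch or a missing entry. The function names are hypothetical and the sample file standing in for the ISO is constructed. A checksum list fetched from the same mirror over HTTP catches a corrupted download, not a tampered one.

```shell
# Added example; names and sample data are constructed, not from the post.

# verify_against_list FILE SUMS
#   0 = hash matches the entry for FILE, 1 = mismatch, 2 = FILE not listed
verify_against_list() {
    local file="$1" sums="$2" name expected actual
    name=$(basename "$file")
    # Entries look like "<hash>  <name>" (or "<hash> *<name>" in binary mode).
    # File names containing spaces are not handled.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Exercise all three outcomes on a throwaway file.
demo_verify() {
    local dir ok=0 bad=0 missing=0
    dir=$(mktemp -d)
    printf 'constructed stand-in for the ISO\n' > "$dir/sample.iso"
    (cd "$dir" && sha1sum sample.iso > sha1sums.txt)
    verify_against_list "$dir/sample.iso" "$dir/sha1sums.txt" || ok=$?
    printf 'x' >> "$dir/sample.iso"           # simulate a damaged download
    verify_against_list "$dir/sample.iso" "$dir/sha1sums.txt" || bad=$?
    verify_against_list "$dir/other.iso" "$dir/sha1sums.txt" || missing=$?
    rm -rf "$dir"
    echo "$ok $bad $missing"
}

# Real use:
#   verify_against_list archlinux-2022.02.01-x86_64.iso sha1sums.txt && echo OK
demo_verify
```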

Find a USB thumb drive to write the ISO to. Insert the thumb drive into your computer and find it:

lsblk

On my machine, the USB is /dev/sdb, and two partitions got auto-mounted. So I will become root, unmount those partitions, and then write the ISO image to the thumb drive.

su -
umount /dev/sdb1
dd bs=4M if=/home/mwood/Downloads/archlinux-2022.02.01-x86_64.iso \
    of=/dev/sdb oflag=sync status=progress

Now, remove the thumb drive and put it in your target computer (in my case an old ThinkPad X250). At boot up, hit Enter (or whatever the appropriate button is on your computer) to interrupt normal startup, then F12 (or whatever the appropriate button is on your computer) to change the boot device. Select the thumb drive to boot from. Then, at the menu, select "Arch Linux Install Medium (x86_64, UEFI)".

Arch will place you in a root shell.

Be sure you really are on a UEFI system. This ls command will list files if you are really on a UEFI system:

ls /sys/firmware/efi/efivars

The best thing to do here is probably plug in an ethernet cable, but it turns out the new iwctl command is pretty sweet! It even runs in an interactive shell mode, which I use here:

iwctl
[iwd]# device list
[iwd]# station wlan0 scan
[iwd]# station wlan0 get-networks

I see my Wi-Fi network! It is named "foo". I will now connect to it:

[iwd]# station wlan0 connect foo
Type the network passphrase for foo psk.
Passphrase: *******************
[iwd]# quit

ping yahoo.com

That worked!

Now be sure your clock is correct:

timedatectl set-ntp true

Now find the disk you want to install Arch on:

lsblk

On my machine, it's /dev/sda, so I will use gdisk to partition the target drive. The important thing is to create a UEFI partition first, and then a Linux partition for the rest of the disk. Yes, it turns out that UEFI needs a FAT partition to do its stuff, and not providing one is a bad mistake!

In my case, I delete existing partitions from a prior Arch install and then create my partitions fresh:

gdisk /dev/sda
p        # Print partition table.
d        # Delete partition...
2        # ...number 2.
d        # Delete partition...
1        # ...number 1.
n        # New partition...
1        # ...number 1...
<Enter>  # ...from first sector...
+512M    # ...plus 512MB...
ef00     # ...of type "EFI system partition".
n        # New partition...
2        # ...number 2...
<Enter>  # ...from first available sector...
<Enter>  # ...to last available sector...
8300     # ...of type "Linux filesystem".
w        # Write partition table to disk.
Y        # Yes, really do it.

lsblk will show you your partitions.

Format the UEFI partition with FAT:

mkfs.fat -F32 /dev/sda1

Encrypt the root partition:

cryptsetup -y -v luksFormat /dev/sda2
  YES
  <enter passphrase>
  <enter passphrase again>

Open the encrypted partition via the device mapper:

cryptsetup open /dev/sda2 cryptroot
  <enter passphrase>

Create an ext4 filesystem on your encrypted partition, which is now mapped at /dev/mapper/cryptroot:

mkfs.ext4 /dev/mapper/cryptroot

Now mount both the freshly-formatted UEFI partition and the encrypted partition so they are accessible on your filesystem:

mount /dev/mapper/cryptroot /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
lsblk  # look at everything to be sure it's OK

Create a swap file (rather than a swap partition) which will live in your encrypted partition. Apparently, current thinking is that the swapfile (not swap partition!) should be 1.5 times your system's RAM. I'll be honest, I usually don't bother with a swap file or swap partition anymore, but I set one up this time.

dd if=/dev/zero of=/mnt/swapfile bs=1M count=24576 status=progress
chmod 600 /mnt/swapfile
mkswap /mnt/swapfile
swapon /mnt/swapfile

Install Arch Linux! Also, install vim so that you have a way of editing files in later steps.

pacstrap /mnt base base-devel linux linux-firmware vim

Generate the fstab file. Apparently, the fstab file already exists, but it's just got comments in it. So we append to it, using this handy genfstab command:

genfstab -U /mnt >> /mnt/etc/fstab

Switch to your Arch Linux installation! I haven't read up on the arch-chroot command, but it seems to do what it says on the tin:

arch-chroot /mnt

Set up your time zone / locale and ensure the hardware clock agrees with the software clock.

ln -sf /usr/share/zoneinfo/America/New_York /etc/localtime
hwclock --systohc
date                 # ensure the date and time seem sane
vim /etc/locale.gen  # uncomment your locale, such as "en_US.UTF-8 UTF-8"
locale-gen
echo 'LANG=en_US.UTF-8' > /etc/locale.conf

Pick a hostname and put it in the /etc/hostname and /etc/hosts files.

echo 'manniX250' > /etc/hostname
vim /etc/hosts

Be sure the contents of /etc/hosts look like this:

127.0.0.1	localhost
::1		localhost
127.0.1.1	manniX250.localdomain	manniX250

Set the root password:

passwd

Configure the initial RAM filesystem:

vim /etc/mkinitcpio.conf

/etc/mkinitcpio.conf is just a bash script that we need to edit.

According to https://wiki.archlinux.org/title/mkinitcpio#HOOKS, we want to find the HOOKS section and put keyboard between udev and autodetect (and remove keyboard from near the end of the HOOKS list) so that when the initramfs boots, it will have all the keyboard drivers needed to collect a passphrase to decrypt the encrypted partition. Putting keyboard this early in the HOOKS ensures that even if the user plugs in a keyboard not used during setup (such as the laptop keyboard) there still should be a driver on hand to detect/use that keyboard.

To have drivers on hand for the encrypted partition, put encrypt between block and filesystems in the HOOKS line of /etc/mkinitcpio.conf.
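
The two HOOKS edits described above, as an added example that is not part of the original post: a function that rewrites a HOOKS line so that keyboard follows udev and encrypt follows block. The sample configuration is constructed, the function names are hypothetical, and a HOOKS line without udev or block is rejected rather than guessed at.

```shell
# Added example; function names and the sample config are constructed.

# rewrite_hooks 'HOOKS=(...)': print the line with keyboard right after udev
# and encrypt right after block. Returns 1 if the line has an unexpected
# shape or lacks udev/block (e.g. a systemd-based initramfs, not covered here).
rewrite_hooks() {
    local line="$1" list hook out=""
    case $line in
        'HOOKS=('*')') ;;
        *) return 1 ;;
    esac
    list=${line#'HOOKS=('}
    list=${list%')'}
    case " $list " in *" udev "*) ;; *) return 1 ;; esac
    case " $list " in *" block "*) ;; *) return 1 ;; esac
    for hook in $list; do
        case $hook in
            keyboard|encrypt) continue ;;   # dropped here, re-added below
        esac
        out="$out $hook"
        case $hook in
            udev)  out="$out keyboard" ;;   # before autodetect: all keyboard drivers
            block) out="$out encrypt" ;;    # before filesystems: unlock, then mount
        esac
    done
    printf 'HOOKS=(%s)\n' "${out# }"
}

demo_hooks() {
    local conf new
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
MODULES=()
#    HOOKS=(base udev block filesystems)
HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)
EOF
    # Only the active (uncommented) HOOKS line is read and replaced.
    new=$(rewrite_hooks "$(grep '^HOOKS=(' "$conf")") || { rm -f "$conf"; return 1; }
    sed -i "s|^HOOKS=(.*|$new|" "$conf"
    grep '^HOOKS=' "$conf"
    rm -f "$conf"
}

demo_hooks
```

Running the function a second time on its own output leaves the line unchanged, so it is safe to re-run after a partial manual edit.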

Create the initial RAM filesystem:

mkinitcpio -P

Install the grub UEFI boot loader and the Intel microcode patcher thingy:

pacman -S grub efibootmgr intel-ucode

Get the UUID of your encrypted filesystem:

blkid -s UUID -o value /dev/sda2 > /tmp/cryptuuid.txt

Configure grub so that it knows about the encrypted file system:

vim /etc/default/grub

Tell grub about your encrypted filesystem:

GRUB_CMDLINE_LINUX="cryptdevice=UUID=xxxx:cryptroot"
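
One way to fill in the xxxx above without retyping the UUID, as an added example that is not part of the original post: it reads blkid -o export output, refuses anything that is not the LUKS container itself, and writes the parameter into a grub defaults file. The blkid output, the UUID and the file contents are constructed samples, and the function names are hypothetical.

```shell
# Added example; names, UUID and file contents are constructed samples.

# cryptdevice_param NAME: reads `blkid -o export DEVICE` output on stdin and
# prints the kernel parameter. Returns 1 if the device is not a LUKS
# container or its UUID is malformed.
cryptdevice_param() {
    local name="$1" key val uuid="" type=""
    while IFS='=' read -r key val; do
        case $key in
            UUID) uuid=$val ;;
            TYPE) type=$val ;;
        esac
    done
    # The parameter must name the LUKS partition (/dev/sda2 on this page),
    # not the ext4 filesystem inside the mapping, which reports TYPE=ext4.
    [ "$type" = crypto_LUKS ] || return 1
    printf '%s\n' "$uuid" |
        grep -Eqx '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' || return 1
    printf 'cryptdevice=UUID=%s:%s\n' "$uuid" "$name"
}

# set_grub_cmdline CONF PARAM: replace the GRUB_CMDLINE_LINUX= line in CONF,
# leaving GRUB_CMDLINE_LINUX_DEFAULT= untouched.
set_grub_cmdline() {
    grep -q '^GRUB_CMDLINE_LINUX=' "$1" || return 1
    sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$2\"|" "$1"
}

demo_grub() {
    local conf param
    conf=$(mktemp)
    printf '%s\n' 'GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"' \
                  'GRUB_CMDLINE_LINUX=""' > "$conf"
    param=$(printf '%s\n' 'DEVNAME=/dev/sda2' \
        'UUID=0a1b2c3d-1111-2222-3333-0123456789ab' 'TYPE=crypto_LUKS' |
        cryptdevice_param cryptroot) || { rm -f "$conf"; return 1; }
    set_grub_cmdline "$conf" "$param"
    grep '^GRUB_CMDLINE_LINUX=' "$conf"
    rm -f "$conf"
}

# Real use: blkid -o export /dev/sda2 | cryptdevice_param cryptroot
demo_grub
```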

Also, make grub as co-operative and verbose as possible:

GRUB_TIMEOUT_STYLE=menu
GRUB_TIMEOUT=-1
GRUB_CMDLINE_LINUX_DEFAULT=""

Install grub:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg

Install Network Manager. Personally, I was quite happy with that iwctl thing, but I guess Network Manager wraps it and is generally nice:

pacman -S networkmanager
systemctl enable NetworkManager

Reboot!

exit
reboot

Connect to wifi, but this time using Network Manager's CLI:

nmcli d wifi list
nmcli d wifi connect foo password nottellinganybody

Make a non-root user

useradd --create-home mwood
passwd mwood

Install Gnome:

pacman -Syu
pacman -S xorg xorg-server
pacman -S gnome

It looks like this reconfigures mkinitcpio, so I guess we should reboot!

reboot

When you've rebooted, log on as root and enable gdm:

systemctl start gdm.service

Now Gnome has started; log on as the plain user you created, but then run a terminal and then ensure the gdm service stays enabled:

sudo systemctl enable gdm.service

Reboot again to be sure gdm comes back up on reboot:

reboot

Install Firefox

After you have rebooted, gdm should have come up, and you should now log on as your regular, non-root user, fire up a terminal, become root, and install Firefox (and vlc while we are at it):

su -
pacman -S firefox vlc

Install a firewall

pacman -S nftables
vim /etc/nftables.conf  ## if you need to disable ssh incoming
systemctl enable nftables.service --now

Enable time synchronization

sudo systemctl enable systemd-timesyncd.service --now

More things to consider for SSD owners:

This apparently enables regular housekeeping of SSDs and maybe makes them last longer:

sudo systemctl enable fstrim.timer --now

More things to consider (for laptop users):

tlp and tlp-rdw will improve power management on laptops, so consider installing those. A typical installation looks like this, but just googling tlp turns up possibly more involved setups for ThinkPad users:

pacman -S tlp tlp-rdw
systemctl enable tlp.service --now
systemctl enable NetworkManager-dispatcher.service --now
tlp-stat