sec and perf for archlinux

main
sudo pacman -Syu 2024-08-04 03:30:18 +07:00
parent cca8f4640e
commit e409109b5c
4 changed files with 258 additions and 51 deletions

View File

@ -415,11 +415,13 @@ hwclock --systohc</pre>
</div>
<p>Edit <code>/etc/mkinitcpio.conf</code>:</p>
<div class="highlight highlight-text-adblock">
<pre><span class="pl-c"># LVM (optional)</span>
<span class="pl-c"># https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks</span>
<span class="pl-c"># https://wiki.archlinux.org/title/mkinitcpio#Common_hooks</span>
<pre><span class="pl-c"># https://wiki.archlinux.org/title/mkinitcpio#Common_hooks</span>
<span class="pl-c"># Replace udev with systemd</span>
<span class="pl-c">#</span>
<span class="pl-c"># LVM (optional)</span>
<span class="pl-c"># https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks</span>
<span class="pl-c"># Add lvm2 between block and filesystems</span>
<span class="pl-c">#</span>
HOOKS=(base systemd ... block lvm2 filesystems)</pre>
</div>
<div class="highlight highlight-source-shell"><pre>mkinitcpio -P</pre></div>
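Review bot: this file is the rendered HTML copy of the README and every change in this hunk (the mkinitcpio comment block and the new HOOKS line) appears again, in source form, in the Markdown hunk of the same commit. Maintaining two copies by hand is how they drift; either regenerate the HTML from the Markdown as part of the commit (the `pl-c` spans and `markdown-heading` wrappers here look like renderer output, not hand-written markup) or stop tracking the rendered copy. Note also that the rendered block ends up with the `<pre>` opened twice in this hunk, which is what a diff of two versions of the same block looks like, so make sure the committed file keeps only the new one.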
@ -457,6 +459,15 @@ systemctl <span class="pl-c1">enable</span> systemd-resolved.service</pre>
<div class="highlight highlight-text-adblock">
<pre>[<span class="pl-ii">device</span>]
wifi.backend=iwd</pre>
</div>
<p>Edit <code>/etc/NetworkManager/conf.d/wifi_rand_mac.conf</code>:</p>
<div class="highlight highlight-text-adblock">
<pre>[<span class="pl-ii">device-mac-randomization</span>]
wifi.scan-rand-mac-address=yes
[<span class="pl-ii">connection-mac-randomization</span>]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable</pre>
</div>
<div class="markdown-heading">
<h4 class="heading-element">
@ -559,7 +570,8 @@ initrd /initramfs-linux.img
<span class="pl-c"># NVIDIA</span>
<span class="pl-c"># https://wiki.archlinux.org/title/NVIDIA#DRM_kernel_mode_setting</span>
<span class="pl-c"># nvidia-drm.modeset=1</span>
options root="LABEL=ROOT" rw</pre>
<span class="pl-c">#</span>
options root="LABEL=ROOT" rw quiet loglevel=3 nowatchdog module_blacklist=iTCO_wdt,sp5100_tco ipv6.disable=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1</pre>
</div>
<div class="markdown-heading">
<h2 class="heading-element">
@ -652,43 +664,36 @@ homectl update joker --shell=/usr/bin/zsh</pre>
>:
</p>
<div class="highlight highlight-source-shell">
<pre>pacman -Syu xorg-server</pre>
<pre>pacman -Syu xorg-server
<span class="pl-c"><span class="pl-c">#</span> Remember to install GPU driver</span></pre>
</div>
<div class="markdown-heading">
<h4 class="heading-element">
<a href="https://wiki.archlinux.org/index.php/GNOME" rel="nofollow"
>GNOME</a
>
<a href="https://wiki.archlinux.org/title/KDE" rel="nofollow">KDE</a>
</h4>
<a
id="user-content-gnome"
id="user-content-kde"
class="anchor"
aria-label="Permalink: GNOME"
href="#gnome"
aria-label="Permalink: KDE"
href="#kde"
><span aria-hidden="true" class="octicon octicon-link"></span
></a>
</div>
<p>
See
<a
href="https://community.kde.org/Distributions/Packaging_Recommendations"
rel="nofollow"
>KDE Distributions/Packaging Recommendations</a
>
</p>
<div class="highlight highlight-source-shell">
<pre>pacman -Syu gnome-shell \
gnome-control-center gnome-system-monitor power-profiles-daemon \
gnome-tweaks gnome-backgrounds gnome-firmware \
nautilus xdg-user-dirs-gtk xdg-desktop-portal \
gnome-console gnome-text-editor loupe evince
<pre>pacman -Syu plasma-desktop
<span class="pl-c"><span class="pl-c">#</span> Login manager</span>
pacman -Syu gdm
systemctl <span class="pl-c1">enable</span> gdm.service</pre>
pacman -Syu sddm</pre>
</div>
<p>Quirks:</p>
<ul>
<li>
Fix black screen when open game in fullscreen in external monitor with
<a
href="https://github.com/kazysmaster/gnome-shell-extension-disable-unredirect"
>kazysmaster/gnome-shell-extension-disable-unredirect</a
>
</li>
</ul>
<div class="markdown-heading">
<h2 class="heading-element">
<a
@ -822,6 +827,13 @@ pacman -Syu pipewire wireplumber \
>https://wiki.archlinux.org/index.php/Core_dump#Disabling_automatic_core_dumps</a
>
</li>
<li>
<a
href="https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems"
rel="nofollow"
>https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems</a
>
</li>
<li>
<a
href="https://wiki.archlinux.org/index.php/Solid_state_drive#Periodic_TRIM"
@ -844,16 +856,100 @@ pacman -Syu pipewire wireplumber \
>
</li>
<li>
<a href="https://wiki.archlinux.org/title/sysctl" rel="nofollow"
>https://wiki.archlinux.org/title/sysctl</a
<a
href="https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open"
rel="nofollow"
>https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open</a
>
</li>
<li>
<a href="https://lwn.net/Articles/842385/" rel="nofollow"
>Fast commits for ext4</a
>
</li>
<li>
<a href="https://lwn.net/Articles/508865/" rel="nofollow"
>TCP Fast Open: expediting web services</a
>
</li>
<li>
<a href="https://lwn.net/Articles/911219/" rel="nofollow"
>The search for the correct amount of split-lock misery</a
>
</li>
</ul>
<p><code>/etc/sysctl.d/99-sysctl.conf</code>:</p>
<p>
Edit <code>/etc/systemd/journald.conf.d/00-journal-size.conf</code> then
restart:
</p>
<div class="highlight highlight-text-adblock">
<pre><span class="pl-c"># https://lwn.net/Articles/911219/</span>
<pre>[<span class="pl-ii">Journal</span>]
SystemMaxUse=50M</pre>
</div>
<p>
Edit <code>/etc/systemd/coredump.conf.d/custom.conf</code> then restart:
</p>
<div class="highlight highlight-text-adblock">
<pre>[<span class="pl-ii">Coredump</span>]
Storage=none
ProcessSizeMax=0</pre>
</div>
<p>Enable ext4 fast commit:</p>
<div class="highlight highlight-source-shell">
<pre>tune2fs -O fast_commit /dev/partition</pre>
</div>
<p>Periodic TRIM:</p>
<div class="highlight highlight-source-shell">
<pre>systemctl <span class="pl-c1">enable</span> fstrim.timer</pre>
</div>
<p>Edit <code>/etc/sysctl.d/99-sysctl.conf</code>:</p>
<div class="highlight highlight-text-adblock">
<pre><span class="pl-c"># Enable TCP Fast Open</span>
net.ipv4.tcp_fastopen = 3
kernel.split_lock_mitigate = 0</pre>
</div>
<div class="markdown-heading">
<h2 class="heading-element">
<a href="https://wiki.archlinux.org/title/Security" rel="nofollow"
>Security</a
>
</h2>
<a
id="user-content-security"
class="anchor"
aria-label="Permalink: Security"
href="#security"
><span aria-hidden="true" class="octicon octicon-link"></span
></a>
</div>
<ul>
<li>
<a
href="https://wiki.archlinux.org/title/IPv6#Disable_IPv6"
rel="nofollow"
>https://wiki.archlinux.org/title/IPv6#Disable_IPv6</a
>
</li>
<li>
<a href="https://lwn.net/Articles/791380/" rel="nofollow"
>add init_on_alloc/init_on_free boot options</a
>
</li>
<li>
<a href="https://lwn.net/Articles/776228/" rel="nofollow"
>mm: Randomize free memory</a
>
</li>
<li>
<a href="https://lwn.net/Articles/925941/" rel="nofollow"
>mm: introduce Designated Movable Blocks</a
>
</li>
</ul>
<div class="highlight highlight-source-shell">
<pre><span class="pl-c"><span class="pl-c">#</span> Kernel parameters</span></pre>
</div>
<div class="markdown-heading">
<h2 class="heading-element">Hardware dependent</h2>
<a
@ -893,6 +989,13 @@ kernel.split_lock_mitigate = 0</pre>
</div>
<p>Do it at your own risk!!!</p>
<ul>
<li>
<a
href="https://wiki.archlinux.org/title/Unified_kernel_image"
rel="nofollow"
>https://wiki.archlinux.org/title/Unified_kernel_image</a
>
</li>
<li>
<a
href="https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave"
@ -900,6 +1003,18 @@ kernel.split_lock_mitigate = 0</pre>
>https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave</a
>
</li>
<li>
<a
href="https://madaidans-insecurities.github.io/guides/linux-hardening.html"
rel="nofollow"
>Linux Hardening Guide</a
>
</li>
<li>
<a href="https://github.com/GrapheneOS/hardened_malloc"
>https://github.com/GrapheneOS/hardened_malloc</a
>
</li>
<li>
<a href="https://github.com/AdnanHodzic/auto-cpufreq"
>https://github.com/AdnanHodzic/auto-cpufreq</a

View File

@ -1182,6 +1182,13 @@ defaults -currentHost write -globalDomain NSStatusItemSelectionPadding -int 6
defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6</pre
>
</div>
<p>Disable IPv6:</p>
<div class="highlight highlight-source-shell">
<pre>
sudo networksetup -listallnetworkservices
sudo networksetup -setv6off Wi-Fi</pre
>
</div>
<p>Clean up leftover data:</p>
<ul>
<li>
@ -1246,6 +1253,13 @@ defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6</pre
</li>
</ul>
</li>
<li>
<a
href="https://appletoolbox.com/macos-how-to-disable-ipv6/"
rel="nofollow"
>macOS: How to Disable IPv6</a
>
</li>
<li>
<a
href="https://gist.github.com/timotgl/f3d8c49ad582ec1af8ff01143465e116"
@ -1253,6 +1267,18 @@ defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6</pre
line</a
>
</li>
<li>
<a href="https://www.bejarano.io/hardening-macos/" rel="nofollow"
>Hardening macOS</a
>
<ul>
<li>
<a href="https://github.com/drduh/macOS-Security-and-Privacy-Guide"
>https://github.com/drduh/macOS-Security-and-Privacy-Guide</a
>
</li>
</ul>
</li>
</ul>
<div class="markdown-heading">
<h3 class="heading-element">Firefox</h3>

View File

@ -192,11 +192,13 @@ myhostname
Edit `/etc/mkinitcpio.conf`:
```txt
# LVM (optional)
# https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks
# https://wiki.archlinux.org/title/mkinitcpio#Common_hooks
# Replace udev with systemd
#
# LVM (optional)
# https://wiki.archlinux.org/title/Install_Arch_Linux_on_LVM#Adding_mkinitcpio_hooks
# Add lvm2 between block and filesystems
#
HOOKS=(base systemd ... block lvm2 filesystems)
```
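Review bot: the new `HOOKS=(base systemd ... block lvm2 filesystems)` line is a template rather than a value that works: `...` is not a valid hook name, and the comments above only say what to add ("Replace udev with systemd", "Add lvm2 between block and filesystems"), not what the full list is. Either spell out the complete hook array actually in use, or add a comment such as `# "..." stands for the remaining hooks already present in the file` so nobody copies the line verbatim into `/etc/mkinitcpio.conf` and gets an initramfs that fails to build. If the LVM part is optional, as the comment says, it would also help to show the line once without `lvm2`.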
@ -225,6 +227,17 @@ Edit `/etc/NetworkManager/conf.d/wifi_backend.conf`:
wifi.backend=iwd
```
Edit `/etc/NetworkManager/conf.d/wifi_rand_mac.conf`:
```txt
[device-mac-randomization]
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
```
#### [Bluetooth](https://wiki.archlinux.org/title/Bluetooth)
```sh
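Review bot: `wifi.cloned-mac-address=stable` (and `ethernet.cloned-mac-address=stable`) reuses the same generated MAC each time the same connection profile is activated, so a network the machine has joined before can still recognise it across sessions; only `wifi.scan-rand-mac-address=yes` randomises per scan. That is a reasonable choice (`stable` keeps DHCP leases and captive-portal sessions working where `random` would not), but the file should say so in a comment so the reader knows what privacy property it does and does not give. Suggest also adding a verification step after the NetworkManager restart, e.g. comparing `ip link` output against the hardware address, so it is obvious when the drop-in was not picked up.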
@ -288,7 +301,8 @@ initrd /initramfs-linux.img
# NVIDIA
# https://wiki.archlinux.org/title/NVIDIA#DRM_kernel_mode_setting
# nvidia-drm.modeset=1
options root="LABEL=ROOT" rw
#
options root="LABEL=ROOT" rw quiet loglevel=3 nowatchdog module_blacklist=iTCO_wdt,sp5100_tco ipv6.disable=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1
```
## [General recommendations](https://wiki.archlinux.org/index.php/General_recommendations)
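Review bot: the new `options root="LABEL=ROOT" rw quiet loglevel=3 nowatchdog module_blacklist=iTCO_wdt,sp5100_tco ipv6.disable=1 init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1` line packs eight unrelated parameters onto one line with none of the per-option comments the rest of this block uses (the NVIDIA entry just above has its wiki link and a commented example). Split them into commented groups and record the tradeoffs next to each: `init_on_free=1` has a measurable cost on free-heavy workloads (`init_on_alloc=1` is the cheap one), `quiet loglevel=3` hides warnings you will want when a boot goes wrong, `nowatchdog` plus the blacklisted `iTCO_wdt,sp5100_tco` modules removes the hardware watchdog, and `ipv6.disable=1` breaks anything that expects a working `::1`. The Security section added later in this commit has an empty `# Kernel parameters` block; that is the natural place to explain the security-motivated ones and link back here.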
@ -336,27 +350,22 @@ Install [Xorg](https://wiki.archlinux.org/index.php/Xorg):
```sh
pacman -Syu xorg-server
# Remember to install GPU driver
```
#### [GNOME](https://wiki.archlinux.org/index.php/GNOME)
#### [KDE](https://wiki.archlinux.org/title/KDE)
See
[KDE Distributions/Packaging Recommendations](https://community.kde.org/Distributions/Packaging_Recommendations)
```sh
pacman -Syu gnome-shell \
gnome-control-center gnome-system-monitor power-profiles-daemon \
gnome-tweaks gnome-backgrounds gnome-firmware \
nautilus xdg-user-dirs-gtk xdg-desktop-portal \
gnome-console gnome-text-editor loupe evince
pacman -Syu plasma-desktop
# Login manager
pacman -Syu gdm
systemctl enable gdm.service
pacman -Syu sddm
```
Quirks:
- Fix black screen when open game in fullscreen in external monitor with
[kazysmaster/gnome-shell-extension-disable-unredirect](https://github.com/kazysmaster/gnome-shell-extension-disable-unredirect)
## [List of applications](https://wiki.archlinux.org/index.php/List_of_applications)
### [pacman](https://wiki.archlinux.org/index.php/pacman)
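Review bot: the removed lines both installed and enabled the login manager (`pacman -Syu gdm` followed by `systemctl enable gdm.service`), but the replacement only has `pacman -Syu sddm`; add `systemctl enable sddm.service` or the machine boots to a console. If the Quirks item about `kazysmaster/gnome-shell-extension-disable-unredirect` survives this hunk it is GNOME-specific and no longer applies under a KDE heading, so drop it or label it as a GNOME note. `pacman -Syu plasma-desktop` also installs far less than the GNOME list it replaces (file manager, terminal, portal, system monitor); if the intent is parity, list the KDE counterparts explicitly rather than leaving the reader to discover the gaps.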
@ -400,18 +409,62 @@ pacman -Syu flatpak
- https://wiki.archlinux.org/index.php/swap#Swappiness
- https://wiki.archlinux.org/index.php/Systemd/Journal#Journal_size_limit
- https://wiki.archlinux.org/index.php/Core_dump#Disabling_automatic_core_dumps
- https://wiki.archlinux.org/title/Ext4#Enabling_fast_commit_in_existing_filesystems
- https://wiki.archlinux.org/index.php/Solid_state_drive#Periodic_TRIM
- https://wiki.archlinux.org/index.php/Silent_boot
- https://wiki.archlinux.org/title/Improving_performance#Watchdogs
- https://wiki.archlinux.org/title/sysctl
- https://wiki.archlinux.org/title/Sysctl#Enable_TCP_Fast_Open
- [Fast commits for ext4](https://lwn.net/Articles/842385/)
- [TCP Fast Open: expediting web services](https://lwn.net/Articles/508865/)
- [The search for the correct amount of split-lock misery](https://lwn.net/Articles/911219/)
`/etc/sysctl.d/99-sysctl.conf`:
Edit `/etc/systemd/journald.conf.d/00-journal-size.conf` then restart:
```txt
# https://lwn.net/Articles/911219/
[Journal]
SystemMaxUse=50M
```
Edit `/etc/systemd/coredump.conf.d/custom.conf` then restart:
```txt
[Coredump]
Storage=none
ProcessSizeMax=0
```
Enable ext4 fast commit:
```sh
tune2fs -O fast_commit /dev/partition
```
Periodic TRIM:
```sh
systemctl enable fstrim.timer
```
Edit `/etc/sysctl.d/99-sysctl.conf`:
```txt
# Enable TCP Fast Open
net.ipv4.tcp_fastopen = 3
kernel.split_lock_mitigate = 0
```
## [Security](https://wiki.archlinux.org/title/Security)
- https://wiki.archlinux.org/title/IPv6#Disable_IPv6
- [add init_on_alloc/init_on_free boot options](https://lwn.net/Articles/791380/)
- [mm: Randomize free memory](https://lwn.net/Articles/776228/)
- [mm: introduce Designated Movable Blocks](https://lwn.net/Articles/925941/)
```sh
# Kernel parameters
```
## Hardware dependent
- https://wiki.archlinux.org/title/Laptop
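Review bot: `kernel.split_lock_mitigate = 0` sits directly under `# Enable TCP Fast Open`, so the only comment in the sysctl block is wrong for that line; give it its own comment with the LWN link from the list above. It also needs a security caveat rather than a silent place in the performance list: the mitigation exists because an unprivileged process issuing split-lock atomics takes a bus lock that stalls every core, so disabling it trades a system-wide denial-of-service defence for frame rate. On `net.ipv4.tcp_fastopen = 3`, the `2` bit enables the server side, which only matters if the machine runs listening services; `1` is enough for a client. Under Security, the new ```sh block contains only `# Kernel parameters` and nothing else; put the `init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 ipv6.disable=1` options (or a pointer to the loader entry that sets them) there so the linked LWN articles sit next to the settings they justify. Finally, `tune2fs -O fast_commit /dev/partition` should state that it is to be run on the real device path and, per the linked wiki page, on a filesystem that is not mounted read-write at the time.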
@ -422,7 +475,10 @@ kernel.split_lock_mitigate = 0
Do it at your own risk!!!
- https://wiki.archlinux.org/title/Unified_kernel_image
- https://wiki.archlinux.org/title/Pacman/Pacnew_and_Pacsave
- [Linux Hardening Guide](https://madaidans-insecurities.github.io/guides/linux-hardening.html)
- https://github.com/GrapheneOS/hardened_malloc
- https://github.com/AdnanHodzic/auto-cpufreq
- https://github.com/nbfc-linux/nbfc-linux

View File

@ -303,6 +303,13 @@ defaults -currentHost write -globalDomain NSStatusItemSelectionPadding -int 6
defaults -currentHost write -globalDomain NSStatusItemSpacing -int 6
```
Disable IPv6:
```sh
sudo networksetup -listallnetworkservices
sudo networksetup -setv6off Wi-Fi
```
Clean up leftover data:
- `~/Library/Application Support`
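Review bot: `sudo networksetup -setv6off Wi-Fi` turns IPv6 off for one service only, while the preceding `networksetup -listallnetworkservices` line implies there are several (Ethernet, Thunderbolt Bridge and so on); either loop over the listed services (skip the first output line, which is a header, not a service) or name each one, otherwise the other interfaces keep IPv6 and the "Disable IPv6" heading is only partly true. Record the undo as well (`networksetup -setv6automatic <service>`), and note the consequence that hosts reachable only over IPv6 become unreachable.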
@ -333,7 +340,10 @@ Thanks:
- [Can Touch ID on Mac authenticate sudo in Terminal?](https://apple.stackexchange.com/a/466029)
- [Native fix for applications hiding under the MacBook Pro notch](https://flaky.build/native-fix-for-applications-hiding-under-the-macbook-pro-notch)
- [Can the spacing of menu bar apps be modified in macOS Big Sur and later?](https://apple.stackexchange.com/q/406316)
- [macOS: How to Disable IPv6](https://appletoolbox.com/macos-how-to-disable-ipv6/)
- [How to fully uninstall Logitech G HUB on macOS via terminal/command line](https://gist.github.com/timotgl/f3d8c49ad582ec1af8ff01143465e116)
- [Hardening macOS](https://www.bejarano.io/hardening-macos/)
- https://github.com/drduh/macOS-Security-and-Privacy-Guide
### Firefox