Notes having to do with Arch Linux on Gryphon and friends

Table of Contents


1.1 Basics

Here is how to do the Arch install on systems connected to gryphon.

1.2 Multiple disks

On systems with multiple disks, it is unsafe to identify disks in the fstab table with identifiers such as “/dev/sd...”, as these labels can get switched upon reboot. It is better to use UUIDs, which are created for each disk partition during the partitioning process. An entry in fstab would then look like
To obtain the UUID for a disk partition, first partition the disk in question, e.g., “gdisk /dev/sdb”. Then, without rebooting, format the disk as usual and run
for the first file system on the disk, with similar commands for any other file systems. This command prints out the UUID for the partition, which can then be added to fstab (replacing the “xxx” in the above example). If the disk is reformatted or replaced by another disk, this process needs to be repeated.

1.3 Intel processors

Intel processors need to load firmware at boot rather than later (as with AMD processors). To accomplish this with the syslinux boot loader (which we use):

1.4 Notes on Lenovo Thinkpad X230 and X1 Carbon

Most things work out of the box on an ARCH install. However, there are some minor issues:
For more information, see the ARCH wiki pages on these machines.

1.5 Upgrading

Normally upgrading is done with the command
If upgrading fails due to a package failing to verify, your Arch keyring may be out of date. One way to solve this is to run
This updates your keyring from the last upgrade of the arch-keyring package on the local system. If the above doesn't work, try reinstalling the package “archlinux-keyring” and repeat the above. Also be sure that the package “haveged” is installed.

Special installation instructions for gryphon

Gryphon is our network file system and printing server, so it needs special consideration. It also runs various jobs at specified times via the cron mechanism. Things having to do with the administrative functions of gryphon are located in “/usr/local/etc”.

2.1 Secure shell daemon

By default, the secure shell daemon turns off password access to root. For root-level communication on gryphon and friends, as well as with kestrel, this needs to be turned on. Add to “/etc/ssh/sshd_config”:
PermitRootLogin yes
In addition, we like to have X11 forwarding turned on. Accomplish this by adding this line to “/etc/ssh/sshd_config”:
X11Forwarding yes

2.2 Network file system

Two things need to be done to set up file sharing of /usr/local, /home.gryphon, and /
(Nfs-server may take care of some or all of these.) After installing these, simply reboot.

2.3 Subversion server

Subversion is a shared source code control system. Merlin is a subversion server which is set up as follows:

2.4 Running MPI jobs

We now use OpenMPI to run parallel MPI jobs on gryphon and friends; no more LAM! The Arch “openmpi” package should be installed on all machines.
There is no need to start and stop a server process before and after your run with OpenMPI. However you can still create a “hosts” file to tell OpenMPI on which machines to run your job. For example, the file might be of the form
gy01 slots=4
gy02 slots=4
gy07 slots=8
to run a job with one process on gy, 4 processes on gy01 and gy02, and 8 processes on gy07. (Gy07 is now an 8 core machine.) Make the number of slots on each machine no more than the number of CPU cores. The job must be started on the first machine listed. The command line for starting an MPI job is
The “/usr” prefix may be needed to tell the computer where the MPI stuff is located. The number following “-np” is the number of processes desired, which should be equal to (or less then, but not more) than the number of slots in the “hosts” file described above. The absolute path to your executable is needed since the default path available to MPI is limited and probably does not include your home directory.

2.5 Periodic jobs

Gryphon runs a number of jobs periodically. This is done using the “cron” program. To edit the schedule of jobs run:
Here is the current list of entries:
#27 * * * * /usr/local/etc/
11 23 * * * /usr/bin/crontab -l > /etc/rootcrontab
13 23 * * * /usr/local/etc/getcustom > /dev/null
25 2 * * * /usr/local/etc/savehome-del home
2 2 * * * /usr/local/etc/savelocal
13 4 * * * /usr/local/etc/
2 22 * * * /usr/local/etc/ > /dev/null
#2 22 * * * /usr/local/etc/ del > /dev/null
0 21 * * * ssh coot /usr/local/etc/ > /dev/null
0 22 * * * ssh peregrine /usr/local/etc/ > /dev/null
37 23 * * * /usr/local/etc/ > /dev/null
See the “crontab” man page for further details.

2.6 New user setup on gryphon

Copy (and possibly edit) “/usr/local/etc/useradd” to “/etc/default/”. This sets up the defaults for our system, such as where the home directories are located, etc. To add a new user, run the program “useradd xxx” as root to add user “xxx”. Then run “passwd xxx” and let the new user enter a password. To delete a user, run ``userdel -r xxx''. The ``-r'' removes the home directory and mail files.

2.7 For the new user

Many people use the "LXDE" desktop manager. The "Mate" system is also a good choice. A good choice for a minimal setup is the "Openbox" window manager. This is controlled by the middle and right mouse buttons. There are graphical options accessible from the right button to control the menu of frequently used programs as well as the configuration of openbox.
If you want to use LXDE (a good choice for beginners), you don't have to do anything special – just log in. Configure from the "Preferences" menu accessible from the icon at the left end of the toolbar. To add program launchers for your favorite programs, right-click on the toolbar and select ``Add/Remove Panel Items'' and then click on "Application Launch Bar" in the popup window. Then click on the "Edit" button on the right. Select a program from the menu to the right of the second popup window and click "Add". Then rearrange things as desired by selecting icons on the left side and clicking "up" or "down" to reposition them.

Special instructions for merlin

Merlin is now our connection to the Internet and also our dnsmasq server that provides local DNS service as well as setting up an IP masquerading firewall. It also provides backup storage for kestrel and gryphon. Merlin is also our subversion server (see above).

Special instructions for kestrel

Kestrel hosts the physics website, handles physics mail, is a print server, and serves as the physics department secretary's computer. It also is a home directory backup server for some people.

4.1 Website

This is currently in a state of flux.

4.2 Mail

4.3 Printing

Lprng is used. A subnet is created for the printers using IP masquerading with the dnsmasq package. Printing is restricted to the .42 subnet (3rd floor of Workman).

4.4 Home directories

Users with logins can do rsyncs to their home directory on kestrel.

Intel AMT

The kernel loads a module called “mei” which interfaces with Intel's AMT (active management technology) hardware. This causes an annoying (but harmless) error message on boot and wakeup from sleep. Since we don't use AMT (which allows remote management of your computer at the hardware level – by who knows whom! – ugh!), it is not a bad idea to turn this off. Do so by creating the file “mei.conf” in the directory “/etc/modprobe.d” containing the single line “blacklist mei”.
I don't know if this is an issue on AMD machines.

Enabling core dumps

To enable core dumps, put this in your .bashrc file:
In addition, systemd causes problems in creating core dumps. To fix this, get systemd out of the loop by doing (as root):


Exim is a mail transport agent (MTA) for Linux. This is what gets incoming mail to your mailbox and outgoing mail to the Internet.

7.1 Internet-capable configuration

For a simple, internet-capable MTU:
You should also enter the account name of the superuser on your computer in your “/etc/mail/aliases” file after “#root:” and then uncomment this line (by deleting the “#”). You can also put other email aliases in this alias file. Then, restart exim:

7.2 Addition of POP/IMAP server using Dovecot

One an internet-capable MTU is set up on a server, it is reasonably simple to add on a POP/IMAP server that allows people to download mail from the server to their own machine without logging into the server. We use the Dovecot package for this. Arch's documentation on Dovecot is useful and forms the basis of this section. To do this:

7.3 Local service only configuration

Hand-configure “/etc/mail/exim.conf” for local service only. To do this, comment out the "require verify" line and the section following "dnslookup". We don't need or want remote service since email is generally done differently these days. The modified file is stored here as exim.conf.local.

Spamassassin and razor

The executables are in “/usr/bin/vendor_perl” rather than “/usr/bin”. To make spamassassin work, one must run
as root before spamassassin will work. Otherwise, as in Debian.


Arch is moving to version 3 of python, which causes some complications.
Python is python3. Python2 is python2. Had to modify qplot and other programs to run python2, as matplotlib is not ported to python3 yet. To make these python programs run on Debian, link “/usr/bin/python” to “/usr/bin/python2” on the Debian systems.
Arch has up-to-date matplotlib and numpy packages. The package containing setuptools is called “python2-distribute” (for python2). This is needed for the “pupynere” package. “Pupynere” (python-only netcdf) and “pycandis” (candis package) are needed for our work environment. The source exists in “/usr/local/src/python” and is easily installed using
in the respective package directories.


10.1 Simple networking

For a desktop just use the netctl networking created in the install. You may wish to rename your ethernet devices as described below in IP masquerading. This protects against subsequent kernels naming devices differently. Check out this script to help in this task.

10.2 Laptops

For the laptop, turn off static networking completely by disabling the static, wired network used for the installation. Just install networkmanager and network-manager-applet along with gnome-keyring. This works well for wired as well as wireless networks. The gnome-keyring package allows the storage of network passwords. Since the applet likes to live in the notification area, this results in complications when not using gdm (the gnome session manager).
As an alternative, install use netctl. For each network (wireless or wired) a configuration file must be set up in /etc/netctl. These are simple and configuration examples are given. Wifi-menu (part of the netctl package) allows the generation of configuration scripts automatically while roaming. The additional packages should also be installed: dialog, wireless-tools, wpa-supplicant, dhcpcd. Since this stuff must be run as root, give yourself suid permissions (nopasswd) using visudo. Here is what I have in/etc/sudoers:
raymond ALL=(ALL) NOPASSWD: /usr/bin/netctl,/usr/bin/wifi-menu, /usr/sbin/wpa_supplicant,/sbin/dhcpcd, /usr/sbin/rfkill
I have created a set of convenience routines named ~/bin/net-* to access various networks, as well as a simple shell script called ~/bin/ to make it easy to run the desired network.

10.3 IP masquerading

Information comes mostly from the Arch Wiki site under "router: basic".
First, get your external and internal network interfaces set up using netctl. You can set up configuration files for each using the examples in /etc/netctl/examples. Second, prepare the networks to start at boot by running the commands “netctl enable external” and “netctl enable internal”.
Given current kernels, one doesn't know how the ethernet ports will be named after boot. Udev fixes this by identifying ethernet hardware by MAC number and associating each ethernet interface with a name of one's choosing. To do this, create
the file "/etc/udev/rules.d/10-network.rules" and put a line in it of the form
SUBSYSTEM=="net", ATTR{address}=="aa:bb:cc:dd:ee:ff", NAME="netname"
where aa:bb:cc:dd:ee:ff is replaced by the MAC number of the ethernet device in question and "netname" is the name you wish to give the device, e.g., “wan” or “lan”. Udev will create a device of this name in the /dev directory on boot. Ethernet comes with original names eth0, eth1, etc., the problem being you don't know which device each of these is associated with. However, you can get the MAC address for each of these with commands like
udevadm info -a -p /sys/class/net/eth0 | grep address
It is a bit of guesswork to figure out which ethernet port on the back of the computer is associate with which name, and this can change from boot to boot. Either start with a single card in the machine, getting its MAC address, or just put all of them in and work by trial and error. To do all of this you may find the script useful. To discover the names of the available ethernet ports, run
ls /sys/class/net
Once you have two devices named, say, "wan" for the outside network and "lan" for the inside network, start the two networks using netctl (configuring first if needed) and then start the dnsmasq daemon. To do this, copy the files and to “/etc/iptables”. Then, copy the file masquerade.service to
Start masquerading by running (as root)

Browsers and flash

I have chromium, firefox, and epiphany installed. Chromium is an excellent browser, but it has a rapid update cycle, which can be unsettling. Chromium has stopped supporting flash. Firefox works well now. Epiphany is slowly improving to the point where it is usable. The interface is minimal and bookmarks are intentionally reached by search more easily than by a menu. Both firefox and epiphany continue to support flash.

Libraries in /usr/local/lib

To make these libraries work, the loader must know about them. Put a file named local.conf into /etc/ which has one line containing "/usr/local/lib" (without the quotes). Then run
There is a file by this name in /usr/local/etc.


The vm mail reader for emacs is not an Arch official package, but is given in the AUR repository. This is installed as per AUR instructions after emacs and bbdb are installed. Better yet, get it from the vm homepage and go from there.

Printing with CUPS

Assuming that dbus is already going, activate cups with the command
Start cups by doing

14.1 Server

To configure cups, use your browser to access “http://localhost:631/”. Cups should generally see any printers attached to the server, usually via a USB connection. Follow instructions given on the cups administrative website, but give the printer a simple name that you like, such as “physics”, “home”, “room321”, etc. This will make connecting client machines easier. Be sure to enable printer sharing if you want other machines to print through your machine. Otherwise, don't. For most remote printers, use the LPD protocol. My practice is to give the full IP address of external printers rather than referring to them by name – this can be more robust in the case of DNS failure.
Get out of the web interface, become root, and stop the cups server:
Now edit the file “/etc/cups/cupsd.conf”. In the “Listen” section, tell other machines exactly where to connect to the server by adding the line
where “SERVER_IP_ADDRESS” is replaced by the IP address of the server. This may help if your machine has multiple IP addresses, as in IP masquerading. With masquerading, use the external rather than the internal address if external clients wish to print.
In the section starting with the comment “# Restrict access to the server...”, add a line something like
or whatever wild card range of IP addresses you want to allow printing from. Multiple lines are OK.
Finally, restart the cups server:
If the server itself needs to print to remote printers, get back into the web interface and add them as below.

14.2 Client machine

Generally, you don't have to explicitly add printers run by a CUPS server – they will be found automagically.
One can also connect with an LPRNG print server. With the browser interface, add the printer using the lpd protocol. For example, to connect to the physics printer on, use
and select ``raw'' as the printer type. See more below about LPRNG.

Printing with LPRNG

LPRNG is old software, an update of the original Berkeley UNIX LPR system. Arch doesn't support it, but the source code, updated with a modern configuration system, is available on SourceForge here. The best documentation for LPRNG is at its homepage. The cookbook and reference manuals are useful for those installing LPRNG.
Why LPRNG over CUPS? My experience with CUPS is that it is opaque and unstable as a print server (especially with Arch's rolling update cycle), and generally a frustrating time sink for system admins. LPRNG takes some effort to set up, but it is stable and generally simpler and more transparent than CUPS. A disadvantage of LPRNG is that Gnome3 has seen fit to eliminate support for it. However, CUPs still works on client machines to drive LPRNG printers – see above. This way you can print directly from Gnome3 applications.

15.1 User hints

The main printing command with LPRNG is ``lpr''; the status of print jobs can be examined using ``lpq''; print jobs can be killed using ``lprm''. See the respective man pages for more. As currently set up on kestrel and gryphon, PostScript, PDF, and plain text files can be printed directly. Other file types are rejected.
To make Gnome2 applications print to LPRNG, you need to create a file named ``.gtkrc-2.0'' with a single line:
If you are using LXDE, and you have changed the desktop look and feel, your .gtkrc-2.0 file may be overwritten. If so, put the above line in the file ``.gtkrc-2.0.mine''. You may have to logout and log back in for this to have an effect.
If using a Gnome3 application such as evince or gnumeric and you still wish to use LPRNG, print to a PDF file and do the actual printing using the command line or an application such as atril (the Gnome2 version of evince, as included in the MATE desktop) or xpdf. Libreoffice prints directly to lpr, so no such monkey business is needed for that application. It uses the printer defined by your PRINTER environment variable in the .bashrc file. Set this variable by putting, for instance, the line
(or whatever printer you want) into this file. Look at the file ``/usr/local/etc/printcap'' to see what printers are available to you.

15.2 Components of LPRNG

LPRNG consists of several components:
Missing from the LPRNG distribution is a means of starting lpd on boot under systemd. However, I have constructed an lpd service file, called lpd.service. This can be installed and activated using the usual systemd commands. This file needs to be edited by hand before installation to get the location of lpd right.

15.3 Installation

15.4 Arch package

Note that I have put an LPRNG package on the Arch AUR, so you don't have to compile it yourself! See the AUR page at the Arch website.

15.5 Print server setup

15.6 The printcap file and filters

The printcap file defines the available printers and controls how they are used. Consult the LPRNG documentation for further information. The current printcap file on kestrel is given here as an example of a server printcap, and the printcap file for gryphon client machines is given here to show how to construct client printcaps.
LPRNG employs filter programs to convert to a format that the printer can read. There are packages available to do this, including foomatic, apsfilter, and magic filter, but for maximum control, I have invented two filters to deal with postscript printers. These filters print postscript files directly and convert pdf and text files to postscript before printing. The filter prints duplex files while the filter prints simplex files. Note that printers should be set to single sided printing by default – otherwise, single sided printing won't work.

15.7 CUPS and LPRNG together

Generally CUPS and LPRNG packages conflict and cannot be installed together. However, if a special version of LPRNG is compiled which puts executables in a hidden location not in the normal path, LPRNG can be used as a print server with a client-only configuration of CUPS which sends its print jobs to LPRNG. However, this doesn't work if a printer is physically attached to the machine, as CUPS aggressively tries to attach to it, creating a deadlock with LPRNG. For network printers this appears not to be an issue. (Maybe CUPS can be house trained in this regard, but currently I don't know how to do this.)


With systemd replacing sysvinit, sleep happens automatically with laptops when the lid is closed. Nothing more to do, even with icewm!

Desktop managers

GDM, the Gnome desktop manager, is heavy-weight, and hard to configure Ugh!
LXDM, the LXDE desktop manager, is lightweight and is the current desktop manager of choice. It is easy to configure. Currently systemctl cannot stop LXDM, but this is a minor issue.
LightDM is also lightweight and quite usable.
SDDM is the KDE desktop manager. It works well but is somewhat hard to configure.
Note: Be sure to delete any .xinitrc and .xsession files that you have in your home directory. With current versions of systemd, these files can interfere with the operation of LXDM and LightDM.

Desktop environments

Drawing packages on Linux

Xfig was our favorite drawing package. Arch has moved xfig from the xaw3d X-11 driver to the old xaw package. This seems to have fixed some of the problems with xfig. However, it is old software and it is gradually degrading.
Another rather old drawing package is tgif. This seems to do almost everything that xfig does. It is also very self-contained with few dependencies, which makes it robust as systems change. It has Greek letters. This is currently my favorite.
Inkscape is complex and has a steep learning curve. However, it can import fig files from xfig and Greek letters can be entered by typing in the Unicode number as discussed here.

Booting with Syslinux

We use syslinux to boot, as it is much simpler than grub/grub2.


Ntpd synchronizes computer time with internet time. Be sure the ntp package is loaded and activate by starting the ntpd daemon
Be sure to turn off the hwclock daemon and reboot or run

Mounting USB devices

Arch does not like to mount USB devices automatically by default. Mount USB devices as a normal user using the “udevil” program. See the man page for this program. The device name to mount can be determined by running the dmesg program. Normally, if you have a single disk called sda, the USB device gets mounted as sdb1. If there are two disks, sda and sdb, then it mounts as sdc1, etc. However, your mileage may vary! There may be more than one partition on the USB device, so it might be sdb2, sdb3, etc.

X11 forwarding

Arch does not forward X11 sessions by default. To enable this (using ssh -Y hostname), add the following lines to the /etc/ssh/ssh_config file on the machine that is supposed to be sending stuff to your machine:
ForwardAgent yes
ForwardX11Trusted yes
Also add the following to the /etc/ssh/sshd_config file:
X11Forwarding yes
Finally, restart the secure shell server by running

Making Arch packages for AUR