Installing Linux

= Which Linux =

I personally recommend Kubuntu or Xubuntu, which are Ubuntu derivatives. They are not perfect, but I found the other Linux distributions I tried even more annoying.

Kubuntu vs Xubuntu
Kubuntu uses the KDE desktop environment. After so many years, we need to face the truth: KDE will never turn into a polished, reliable desktop environment. Something has been wrong for a very long time in the KDE development team. Expect constant annoyance.

Xubuntu uses the Xfce desktop environment, which is faster and more reliable. The trouble is, it is not as flexible, and it also lacks basic features, like: To top it all, Xfce/Xubuntu ships with insane defaults, and reconfiguring them is not intuitive. Furthermore, development has pretty much stalled, and some bugs have been there forever.
 * You cannot turn off the laptop touchpad automatically when plugging a USB mouse.
 * The standard file manager Thunar does not have a split view, unlike everybody else. Its path autocompletion is case sensitive, which is counterintuitive.
 * The window resize borders are too thin, and it is not easy to make then thicker.

The good news is that, after installing Kubuntu or Xubuntu, you can easily switch to the other one, as they share the same Ubuntu base. This way, you can comfortably decide which one is the least uncomfortable for you.

General Kubuntu/Xubuntu Advice

 * For new installations, go for Kubuntu/Xubuntu 14.04 LTS. You can upgrade it to the same Linux Kernel and X Window System as 16.04.1.
 * Kubuntu/Xubuntu 16.04 is not quite ready yet, even in the 16.04.1 version, so I would wait on this one. For example, I immediately hit with 16.04.1 the following rather popular bugs: 16.04 LTS wifi connection issues (random connection losses, and WLAN does not work after sleep) and Notebook doesn't suspend when lid is closed after update to 16.04. The recent switch to systemd has not fully stabilised yet, and brings little improvements. For example, the system does not boot any faster than before, which was one of systemd's big promises.
 * Every now and then, upgrade to the latest LTS Hardware Enablement Stack, see section below.
 * Skip all the non-LTS versions like 16.10.
 * Wait at least 6 months to upgrade to the next LTS version. In my experience, Kubuntu/Xubuntu has to ship on a particular date, and they do not really care much if there are still annoying bugs at that date, or whether they remain for months afterwards.

= Things to Do after Installing Kubuntu/Xubuntu =

System configuration

 * Are the BIOS and Linux date/time and timezones correct?
 * Is the BIOS set to boot only from the Linux disk?
 * Make the Grub bootloader accessible. Otherwise, if you PC ever fails to start and you need access to the bootloader, it will probably be too late. You have 3 options:
 * Option 1) Install package grub-customizer from https://launchpad.net/grub-customizer, and then start the Grub Customizer tool. Enable the "show menu" option, and set the "Boot default entry after" to 1, so that you have 1 second to press the arrow down key (for example) and stop the boot process.
 * Option 2) For Kubuntu, install package kde-config-grub2, and you can configure it with the mouse under System Settings, Startup and Shutdown, GRUB2 Bootloader. Choose "Automatically boot..." after 1 second, so that you have 1 second to press the arrow down key (for example) and stop the boot process. As a bonus, you can comfortably remove old kernels on this window too. Unfortunately, that does not seem to remove the associated header files, so it's not really worth it. See section Ongoing Maintenance below.
 * Option 3) Manually edit /etc/default/grub, add GRUB_TIMEOUT=1, comment out GRUB_HIDDEN_TIMEOUT, run sudo update-grub2. You may also want to remove kernel options quiet and splash in order to see the boot messages.
 * Check the available proprietary drivers. I am not sure about installing proprietary (non-open-source) drivers for AMD or nVidia graphics cards, but using the latest processor microcode is probably a good idea.
 * Enable Ctrl+Alt+Backspace to kill the current graphical session. If you make a mistake and/or your system becomes unresponsive, this key combination may be the safest and quickest way out. Edit "/etc/default/keyboard", find variable XKBOPTIONS and set it to "terminate:ctrl_alt_bksp".
 * Reduce the amount of reserved disk space. On ext4 filesystems, Linux reserves some disk space for privileged processes and to help prevent fragmentation. The default amount of 5 % comes from the times where hard disks were much smaller. You can reduce it to 1 % with command "sudo tune2fs -m 1.0 /dev/sdXY". In order to find out how much is reserved: sudo tune2fs -l /dev/sdXY | grep -e "Reserved block count:" -e "Block count:" Use "sudo fdisk -l" to list your hard disk partitions. If you used LVM during installation, your main filesystem could be called something like "/dev/mapper/xubuntu--vg-root".
 * Prepare to access Windows PCs over the network: Install packages cifs-utils and libnss-winbind, edit file /etc/nsswitch.conf as root, and add "wins" to the "hosts:" line, so that it looks like this: hosts:  files mdns4_minimal [NOTFOUND=return] dns wins
 * Install some useful packages:
 * Synaptic seems to be the only reasonable package manager for Ubuntu.
 * Typical applications are VLC and Gimp.
 * Install package "trash-cli" and get used to deleting files with "trash" instead of "rm". If you make a mistake and delete the wrong file, you'll be able to recover it from the desktop trashcan/wastebin.
 * Install package "exfat-fuse", in case some external disk has been formatted by Windows with the exFAT filesystem.
 * You may want to install legally-encumbered codecs and DVD playback: Up to Ubuntu 15.04: sudo apt-get install ubuntu-restricted-extras libavcodec-extra sudo apt-get install libdvdread4 sudo /usr/share/doc/libdvdread4/install-css.sh From Ubuntu 15.10 onwards, libdvd-pkg is available to ease the installation of libdvdcss: sudo apt-get install libdvd-pkg sudo dpkg-reconfigure libdvd-pkg
 * By default, all accounts can access other user's home directories. This goes against intuitive expectation and is an incredible security and privacy oversight. In order to stop this:
 * Issue the following command inside each existing user account:     chmod g-rwx,o-rwx "$HOME"  For users other than the current one, use:      sudo chmod g-rwx,o-rwx ~username.
 * For eventual new users, edit /etc/adduser.conf and change DIRMODE from 0755 (rwxr-xr-x) to 0700 (rwx--). Alternatively, 0750 (rwxr-x---) allows access to users of the same group too.
 * Configure some of the usual system tools to run as root without password. Although this system configuration change is probably not watertight, this time I prefer productivity over security. This is what I usually add to my /etc/sudoers file:

# ALWAYS edit file "/etc/sudoers" with "sudo visudo", because visudo edits the sudoers file in a safe fashion. # Otherwise, the smallest syntax error can lock you out of the system. # # I could not get this to work with KDE's default application menus. This is what I did to make it work # for each application: # Right-click on the bottom-left 'K' icon, choose "Edit Applications...", copy and paste the entry for each # application (like Synaptic), edit the copy, use "kdesudo synaptic" as the command, untick "run as a different user". # Untick also "Enable launch feedback", as it probably gets confused because of the root user it is running the application as. # Then use this new icon to start synaptic as root without password. # # Instead of "myuser" below, you can choose "%sudo" for all users that belong to the 'sudo' group. # The 'ALL' in 'ALL=(root)' is the hostname. # The "" below at the end of some commands limits the effect of that permissions line to running the application with no arguments. # Note that you cannot give NOPASSWD permissions to any file, like some script under your home directory, # because sudo seems to carefully check permissions along the way. Files under /usr/sbin/ (for example) are fine. # The order of the entries is important, the last one wins. # # The alternative would be using a script with setuid set, but setuid is disabled by default in Debian # for shell scripts. You can use some setuid wrapper as a workaround, but these changes # to /etc/sudoers are probably safer. myuser ALL=(root) NOPASSWD: /usr/sbin/synaptic "" myuser ALL=(root) NOPASSWD: /usr/bin/muon-updater ""   # For Kubuntu. myuser ALL=(root) NOPASSWD: /usr/bin/update-manager "" # For Xubuntu. myuser ALL=(root) NOPASSWD: /usr/bin/apt-get install * myuser ALL=(root) NOPASSWD: /usr/bin/apt-get update "" myuser ALL=(root) NOPASSWD: /usr/bin/apt-get upgrade ""

You probably want to change your menu items for Synaptic and for the updater to match the lines above, that is, to "sudo /usr/sbin/synaptic" and so on.

Performance optimisation

 * Optimise filesystem performance with noatime. Edit /etc/fstab as root and add options "noatime,commit=30" to your ext4 filesystems.

# How to see the current mount options: mount -l | grep ext4 # How to test this change, option 1: # Sort by and show last access time, most recent last. # No file should have the current date or time. ls -l -t -u --reverse --time-style=full-iso "$HOME" # How to test this change, option 2: # Check if accessing some old file updates its last access time: SOME_OLD_FILE="$HOME/some_old_file" sh -c 'stat --format="Lass access time before: %x" "$SOME_OLD_FILE"  &&  cat "$SOME_OLD_FILE" >/dev/null  &&  stat --format="Lass access time after : %x" "$SOME_OLD_FILE"'
 * Disable unnecessary indexers:
 * updatedb / locate database. See mlocate conflicting package.
 * (Kubuntu only) KDE Baloo (formerly Nepomuk). Go to System Settings, Desktop Search, and add your home folder, which acts as an indication to turn the indexer off. Later note: they have finally added an "Enable Desktop Search" checkbox with the latest update.
 * (Kubuntu only) KDE Akonadi. Go to System Settings, Personal Information, stop the service.
 * Prevent unexpected system updates. Unexpected package manager activity in the background can render your PC slow or even unresponsive when you are in a hurry. Configure the system updates to check less often (weekly or every fortnight) and disable automatic installation.

For Xubuntu/Xfce

 * (only up to Xubuntu 14.04) The default menu applet, Applications Menu, is no good. Use Whisker Menu instead.
 * (only up to Xubuntu 14.04) The default menu editor, Alacarte, does not seem to work well. Install and use MenuLibre instead.
 * The Whisker menu should show "Firefox" and "Chromium" instead of 2 "web browser" entries that you can only tell apart with their icons. Otherwise, right-click on the Whisker icon, "Properties", "Appearance" tab, untick the "Show generic names" option. Alternatively, if that has happened in the favourites: start MenuLibre, look at the menu item for "Internet", and in field "common name" replace "web browser" with Firefox etc. Save the entry.
 * When you maximise windows, you may find that their bottom part is obscured by the Xfce panel at the bottom (the taskbar). Go to the Panel Preferences and disable option "Don't reserve space on borders". That this happens at all, and also the option's name, is just unbelievable.
 * Install package xfce4-pulseaudio-plugin. Otherwise, you get no volume icon on the taskbar (!).
 * If you find the sleep/suspend behaviour annoying, add an icon (a Quicklauncher) with the following command: sh -c "xscreensaver-command -lock && xfce4-session-logout --suspend && xscreensaver-command -deactivate" That does the sane thing: lock the screen, suspend, and ask for the password on resume.
 * If you play with themes, a reasonable one is "Greybird", which is the default for Xubuntu (there is no option to restore the theme to the default one).
 * If the window resize borders are too thin, your options are: 1) Choose under "Settings", "Window Manager" a theme with thicker borders, like 'Kokodi'. Which ones have thicker borders, and how thick they are (usually too thin anyway), is not apparent until you click on each theme. Unfortunately, themes change other things that you may not like, but it is an all-or-nothing approach. Option 2) is to get used to resizing windows with Alt+right mouse button, which is pretty comfortable after all.
 * Remove some global keyboard shortcuts that tend to conflict with other apps, like Ctrl+F4: "Settings", "Window Manager", "Keyboard" tab.

For Kubuntu/KDE

 * Choose "Start with an empty session" in "System Settings", "Startup and Shutdown", "Session Management". You will probably want to untick option "Confirm logout" too.
 * Configure Keyboard shortcuts like under Windows: Go to "System Settings", "Shortcuts and Gestures", and then:
 * Ctrl+Esc should bring up the start menu: "Global Keyboard Shortcuts", "Plasma Desktop Shell", "Activate Application Launcher Widget".
 * Ctrl+Shift+Esc should bring up the Task Manager: "Custom Shortcuts", "Edit", "New Group", then, in that group, "New", "Global Shortcut", "Command/URL", "Trigger", set Ctrl+Shift+Esc, "Action", enter "ksysguard". Make sure the new group is active by ticking the box next to its name.
 * Alt+Space should bring up the window menu: "Global Keyboard Shortcuts", "Kwin", "Window Operations Menu" ("Fensteraktionen-Menü in German).
 * Remove some keyboard shortcuts that tend to conflict with other apps, like the following (is there a way to find a KDE shortcut by key combination in all "KDE components"?):
 * Global Keyboard Shortcuts, KWin: Ctrl+F1 ... Ctrl+F7.
 * If the window resize borders are too thin and therefore hard to hit: Go to "System Settings", "Workspace Appearance", "Window Decorations", "Configure Decoration...", "General", "Border size".
 * Add pavucontrol ("PulseAudio Volume Control") to your favourites. You may need to install package pavucontrol first. The standard volume control applet does not let you choose where an application like Skype should be recording the audio from.
 * Install plug-ins for the Dolphin file manager. Install package ruby. Then open the file manager, go to Control, Configure Dolphin..., Services, Download New Services.... Add "Root Actions Servicemenu" and "Scan with ClamAV".
 * The User Manager tool in System Settings is useless. Install package kuser, and run "sudo kuser" instead (or KUser from the menu).
 * Minimised windows get very pale taskbar icons and captions, making it hard to tell which window they represent. To fix that for the icons: Go to System Settings, Application Appearance, Icons, Advanced, Desktop, click on Set Effect for the Disabled icon, select "No Effect" and untick the "Semi-transparent" option. Unfortunately, I don't know how to fix that for the caption texts yet.
 * If connecting a USB stick does not automatically mount it, or it asks too much confirmation, look at System Settings, Removable Devices.
 * emacs warns: "Buffer 'somefile.txt" still has clients; kill it?". Go to System Settings, File Associations, text, plain, emacsclient, Edit..., Application, "Command:", enter "emacsclient --no-wait".

Miscellaneous
Be careful with updates, as running applications are not updated on the fly. Some of them, like Firefox, realise automatically and display a warning, but others can get confused if files underneath suddenly change. The only truly safe way is to reboot after an update. See article "dnf update" considered harmful for more information.

Upgrading the Kernel Components
Every now and then, you should upgrade the kernel and X-Windows versions. Instead of Service Pack, this kind of upgrade is called LTS Hardware Enablement Stack in the Ubuntu world. Wait at least 3 months after a Hardware Enablement Stack has been released before upgrading.

Package Manager Maintenance
Unlike Microsoft Windows, Ubuntu automatically deletes temporary files, so your hard disk will not fill up with rubbish so quickly. Unfortunately, Ubuntu does not remove old kernels or their associated headers, so after a year's worth of updates your disk will accumulate hundreds of megabytes of garbage. In order to purge them, you need to install package bikeshed and run the following command every now and then:

# But see below for a combined command. sudo purge-old-kernels --keep 6    # 6 means the current kernel + 5 more

The package manager also accumulates other non-kernel garbage over time. Even after running purge-old-kernels, I once realised that autoremove still found more kernel packages to delete. Therefore, you can combine all kernel and package manager cleaning actions (and avoid prompting for confirmation) in this way:

sudo purge-old-kernels --keep 6 --assume-yes &&  sudo apt-get --assume-yes autoremove  &&  sudo apt-get --assume-yes autoclean

For PCs with only 512 MiB RAM
512 MiB of RAM is too little nowadays for Ubuntu-based system. Starting the package manager is already a heavy load for such a computer. Here is some suggestions:


 * Get rid of apt-xapian-index, see Fake Replacement for Debian Package apt-xapian-index
 * Switch to a lightweight Web browser like Midori. You will lose some comfort, and some pages will not display properly, but Firefox and Chromium are just too heavy.
 * Optimise your swap:
 * Move your swap partition to another drive.
 * If you have more than one drive, move the swap partition or file to the least-busy disk.
 * Try swapping to a USB stick. Here is a how-to guide.
 * If the computer has a memory card reader, you could use a fast memory card as the main swap drive. I have seen great swap performance improvements even with a standard 512 MB SD card (8.5 MB/s read speed, 2.5 MB/s write speed, 1 ms seek time) from an old digital camera connected over a cheap USB 2.0 card reader. The reason behind the improvements are probably the card's fast seek time and the lower pressure on the main hard disk.
 * If your video card has a lot of memory, some people have managed to use some of it as a swap device.
 * Reduce the swappiness from the default 60 to 10. Whether this will improve swapping is debatable. It is probably a good idea only if you cannot move your swap partition to another drive. Add "vm.swappiness = 10" to file "/etc/sysctl.conf".
 * Try swapping to zram. It made things worse for me, but your mileage may vary.
 * Switch to a lightweight Linux distribution. Xubuntu or Lubuntu will not bring much. You could try Puppy Linux.

= KDE Ramblings =

KDE Tips

 * Useful keyboard shortcuts are:
 * Ctrl+Alt+Esc: Kill window on click, similar to starting xkill.
 * Ctrl+Alt+L: Lock desktop.
 * Emptying the Trash takes forever, and manually deleting the ".Trash-1000" directory with the mouse tends to yield an error. To overcome it, hold the shift key while pressing the delete key on that directory. Alternatively, right-click on the folder to get the pop-up menu, and then hold the shift key and watch how the "Move to Wastebin" entry mutates to "Delete". Release the shift key and it will go back to normal. That only works if there is no submenu open at that time.

KDE Rants
KDE Rant about ".directory" files:
 * KDE tends to litter your hard disk with hidden ".directory" files, and there is no way to prevent it. It just remember the view settings for the last N directories, like Windows does, and it should cache those settings somewhere under $HOME instead of creating those pesky files all over the place.
 * The Dolphin file manager does not display MP3 ID tags like everybody else. Older versions used to (!).
 * The "safely remove" eject icon for USB drives is often missing from the "device notifier" pop-up window. Sometimes it is because the file system has not been mounted automatically. But sometimes, there is no real reason. If you then open a Dolphin window and right-click on the USB drive mount on the left panel, the eject option is shown there.

= Sandbox Skype =

Skype is a closed-source, proprietary application that should not be trusted. This section describes how to run it in a sandbox. This has been tested with the version of Skype 4.3 for Linux that is available in the Ubuntu software repository.

System Configuration (to do only once per computer)

 * Add a separate user account for Skype:     sudo groupadd skypegroup      sudo useradd  --create-home   --gid skypegroup   --groups audio,video   -s /bin/bash   skypeuser Membership of the video group is necessary in order to access the webcam. Membership of the audio group is necessary in order to access the local hardware sound devices over PulseAudio. The new user has no password yet, so you cannot logon with this account in any way other than with sudo.


 * Make sure that the skypeuser account cannot access your home directory. By default, all accounts can access other user's home directories. See further above for details. You can test the new account like this:     sudo   --user=skypeuser   --set-home   bash -c "cd \$HOME && bash"

Starting Skype

 * Authorise the Skype user account to access the X server:     xhost +SI:localuser:skypeuser "SI" means "Server Interpreted", and localuser:username instructs the X server to authorise user username. Adding an authorised user is not persistent, after logging off all other users lose their authorisation. Issue command "xhost" to see all authorised users. See also commands "xauth info" and "xauth list".
 * Start Skype like this:     sudo   --user=skypeuser   --set-home   bash -c "cd \$HOME && if ! pulseaudio --check; then pulseaudio --daemonize; fi && firejail skype" The first time you start Skype under a new user account it will take several seconds to open up. You can open PulseAudio's volume control applet (pavucontrol) within Skype like this: Menu "Options", "Sound Devices", button "Open PulseAudio Volume Control".

Some other notes I have kept

 * I am having trouble with pulseaudio when I connect the USB headphones, but only from the Skype user account, at least on one laptop I have tried. The headphones just stops working after a few seconds.
 * pulseaudio should start automatically when Skype runs, but it does not if Skype is running under firejail.
 * pulseaudio --start does not work as expected. That's why the script tests beforehand with pulseaudio --check.
 * firejail comes with a configuration file for Skype. If you run the command in a console, you should see the following message: Reading profile /etc/firejail/skype.profile
 * The Arch Wiki has information about sandboxing with systemd-nspawn.
 * You could use Xephyr to sandbox Skype so that it cannot access other user applications over the insecure X server environment. Unfortunately, Xephyr did not work on my Xubuntu LTS 16.04 with the following suggested commands, Skype just did not start.     Xephyr -ac -br  -noreset -screen 1280x800 :1 &      DISPLAY=:1 firejail skype
 * I have seen advice about letting pulseaudio connect over TCP/IP, but it does not seem necessary. Notes kept:
 * Install package paprefs and start applet paprefs on your normal user account. Under "Network Server", tick option "Enable network access to local sound devices". The server will use port 4317/tcp. Restart the audio server with "pulseaudio --kill" (or log out and log in again). Check whether the server is listening with "netstat --listen --tcp --programs | grep 4713".
 * Change the Skype start script like this: pulseaudio --load \"module-native-protocol-tcp auth-ip-acl=127.0.0.1\" . pulseaudio's option auth-ip-acl does not take a hostname like localhost, only IP addresses.