Portable Freedom with Debian

At university, I didn’t lift weights to keep in shape. I carried my textbooks in one arm and lugged a 12-pound laptop in the other. That heavy beast never lived up to its promise of freedom but my T20 running Debian Linux has. A modern notebook is compact and portable, runs its quiet fan only when necessary, uses less power than a desktop, and offers instant access to running applications by opening the lid.

Weight Training

Let me share some of the tips I’ve discovered to maximize the Linux notebook experience. REMEMBER THAT ANYTHING YOU TRY IS AT YOUR OWN RISK AND MAY CAUSE DATA LOSS OR DAMAGE TO YOUR SYSTEM. This article focuses on Debian Linux. Familiarize yourself with applicable documentation before using a utility or changing a configuration.

Buying Smart

I recommend refurbished notebooks. You can scan Google to see how well Linux works on them and you benefit from the progress made since the machine was first sold. You can buy a sturdy, lightweight, professional-class machine for a fraction of its original price and use your savings to maximize the system memory and purchase accessories. You’ll also feel more relaxed taking a refurbished notebook traveling. Check the manufacturer’s web page to see if any revisions are available for your notebook BIOS. Newer versions of a BIOS may provide fixes and performance improvements.

My current notebook is an IBM Thinkpad T20 with a 700 MHz processor, 256MB of RAM and a 20GB hard drive. I run Debian Unstable with the 2.6.8 kernel, Gnome 2.8, OpenOffice.org, Thunderbird, and Firefox. I typically keep these applications open on separate virtual desktops. Any deficiency in the notebook’s loading speed is offset by the instant-on and instant-off of opening and closing the lid. I have not re-flashed the BIOS on my T20.


Pinching Power

Power-saving features are essential for adventures away from electrical outlets. If you use a desktop environment like Gnome, you can add a battery status indicator to the panel. Two systems allow power-saving in Linux: apm and ACPI. Older machines don’t work properly with ACPI. You can try updating your BIOS or you can add acpi=off to the end of the kernel line in your grub or lilo configuration file. If you use apm, you need to add the apm module to your /etc/modules list and install the apmd daemon.

Apm will allow you to suspend your computer by closing the lid and re-awaken it by lifting the lid. Not all notebook hardware operates properly in Linux, however. If you experience intermittent freezing, you may need to disable power management services in your notebook BIOS (see your notebook manual) and replace the hardware features with Linux equivalents.

Linux’s own services may also conflict with power management. First, use lsmod to check that your apm module is loaded and then use ps aux | grep apm to check that your apmd daemon is running. Services in Debian are controlled by using files that live in /etc/init.d like this: /etc/init.d/pcmcia stop. You can stop services one at a time until closing your lid allows your machine to suspend. On my system, pcmcia services prevent apm from suspending the computer. I’ve created a simple script to turn these services off when I suspend the computer and turn them on when I lift the lid again. In /etc/apm/, you’ll find scripts in suspend.d and resume.d that tell Linux what to do when it is suspending or resuming. In suspend.d, I copied an existing script to the name 80pcmcia and edited the script to replace the existing service name with /etc/init.d/pcmcia. I used the commands “stop” and “start” instead of “suspend” and “resume”. To ensure there was a script for when the system awakened again, I copied /etc/apm/suspend.d/80pcmcia to /etc/apm/resume.d/20pcmcia. Depending on your notebook and the Linux kernel you’re using, you may also need to remove and re-probe modules using similar scripts with the commands /sbin/rmmod module_name and /sbin/modprobe module_name instead.

Once you can put your notebook to sleep, you can move on to saving power when it’s awake. Your backlight, your spinning hard drive and your CPU all consume power. You can control these devices with the speedstep function and utilities such as cpufreqd and hdparm. If your notebook supports speedstep, you’ll need to add speedstep modules such as speedstep-ich and speedstep-lib and performance governors such as cpufreq_powersave and cpufreq_userspace to /etc/modules. Find the available modules with find /lib/modules/ | grep cpufreq. If you use a desktop environment, you can install an applet such as gnome-cpufreq-applet to display CPU speed and control it manually. As non-root users couldn’t adjust the CPU speed with the applet, I took the security risk of providing the applet with root capabilities by chmod +s /usr/bin/cpufreq-selector.

I installed laptop-mode-tools to control all of these features easily and automatically. When I unplug power, my screen dims, my hard drive spins down every few seconds after activity, and my CPU slows to its lowest setting. You can adjust the settings including a toggle to allow slowing the CPU in /etc/laptop-mode/laptop-mode.conf. When I plug power in again, the system resumes its original performance.

You should install and configure hdparm to ensure you’re getting the maximum performance from your hard drive and CD/DVD. You can run hdparm -iI /dev/hda to examine the capabilities of your device and in Debian, you configure hdparm at the bottom of /etc/hdparm.conf. Be careful. Common enhancements include enabling 32-bit IO, DMA, interrupt unmasking and multi-sector IO which should result in faster transfers and stutter-free DVD movies. You may also wish to enable write-caching on your hard disk if you’re comfortable with the potential for data loss if your system dies before the drive can flush its cache.


Spinning Down

Why spin down the hard drive if programs spin it back up again every minute or so? To some extent, laptop-mode-tools addresses this issue by caching writes. You can further reduce writes to the hard drive by re-routing your system messages to a virtual console instead of logs. I edited /etc/syslog.conf to comment out the parts that write to logfiles and to route all messages to tty8. You can read tty8 by pressing CTRL-ALT-F8 and return to X with CTRL-ALT-F7. Note that disabling written logs makes it difficult to track problems and hacking attempts on your system.

You can also reduce disk writes by reducing the number of running programs on your system and freeing up system memory. You can see which programs are running by using ps aux, top or something like gnome-system-monitor and adjusting it to show all processes. You might ask yourself why you would run a mail server like exim if you download all of your mail from a pop3 server. You can disable exim by running /etc/init.d/exim4 stop and then mv /etc/init.d/exim4 /etc/init.d/DISABLED_exim4 so it won’t launch again. You can do the same for other services that you don’t need on a notebook including inetd. If you use the X-Window system, you can increase memory available for other programs by editing /etc/inittab to comment out all but one or two virtual consoles.


Nodding Off

You can install sleepd to put your system to sleep if there is no keyboard or mouse activity for a given amount of time. You can temporarily disable sleepd with sleepctl. For instance, you can write a script that calls sleepctl off; xine; sleepctl on to ensure that whenever you play DVDs, your system won’t doze off. You can do the same for other programs that run unattended. Note that sleepd is designed to work with PS/2 mice and using a USB mouse may result in your system dozing off while you’re surfing the web.

Network Plug and Play

Much as I like wireless, I prefer the speed and security that cables provide. Wireless doesn’t live up to its advertised data rates and suffers from interference from wireless phones, microwaves, and other wireless routers. I also prefer to avoid people hacking my router, using my bandwidth or conducting illicit activities on my service. To make cabled networking easy, I installed laptop-net which detects whether a network cable is plugged in and turns networking on or off and grabs an address via DHCP as required.


Locking the Gate

While portability is convenient, it’s also a risk. If your system has a power-on password in its BIOS, you should activate it and set it to something you’ll remember but which is not easy to guess. My T20 requires the power-on password when I first boot the machine or whenever I lift the lid to resume from sleep. Never use dictionary words for passwords and consider using letters from a sentence and including numbers and capitals. For instance, “I really think that passwords are stupid for me” could translate into “Irttpas4m” which is more effective than your cat’s name. You may also be able to set passwords to prevent others from changing your BIOS settings and to lock the hard drive. Remember that if someone can change your BIOS to boot off your CDROM, floppy or USB port, they can run Knoppix, become root, and access your system. Note that systems with hardware passwords may become permanently unusable if you forget the passwords.

Ensure that your Linux passwords are just as secure and lock down access to your root account. The root account can access or delete anything and typically you don’t want root to be able to log in. Instead, you want a regular user to log in with their own password and, if permitted, become root by using su and entering the root password, or using sudo to access a safe subset of root’s commands. You can prevent root login by editing or removing /etc/securetty and, if you use a graphical greeter like gdm, editing its configuration file at /etc/gdm/gdm.conf to disable root login.

NOTE: Do NOT disable all root logins before you have ensured that a regular user account can use su to gain root privileges. Gentoo, for instance, requires a user to be added to the wheel account before that user can become root.

You should now secure your networking. To allow secure connections to and from your notebook, install ssh. Run ssh-keygen -t rsa for each user and edit /etc/ssh/sshd_config to prevent root login to your system. Everyone will have to log in as a regular user and then use su or sudo to get superuser status. Remove non-secure networking programs like telnet from your system as well as servers for telnet, ftp, etc.


Close the doors on your system by editing /etc/hosts.deny to say ALL:ALL. Next, create exceptions in /etc/hosts.allow such as sshd: 192.168.1.100 which would allow the machine at that IP address to ssh into your system. Add the specific service names and network addresses you require such as the numbers on your LAN.


Change configurations on services you run locally that you don’t want accessible over the network. For instance, portmap is used by fam to keep graphical file managers like Gnome’s nautilus updated but it uses services that can be abused. You can edit /etc/default/portmap and a similar file for the CUPS printer service at /etc/cups/cupsd.conf to listen only to your system at 127.0.0.1.
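The script below is an added example, not part of the original article: a read-only shell audit of the settings changed in the last three paragraphs (PermitRootLogin in sshd_config, the hosts.deny default, the hosts.allow exceptions and the CUPS listener). The function names and the optional root-directory argument are assumptions of this example, and Match blocks in sshd_config are not interpreted.

```shell
#!/bin/sh
# Added example: read-only audit of the lockdown settings described above.
# Every function takes the file to inspect, so copies can be checked too.

# sshd uses the first value it reads for a keyword; commented lines never match.
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# True when hosts.deny holds an active default-deny "ALL: ALL" rule.
hosts_deny_all() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1"
}

# Print active hosts.allow rules whose client list starts with the ALL
# wildcard, which would undo the default deny for that service.
hosts_allow_wildcards() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Ei '^[^:]+:[[:space:]]*ALL([[:space:]]|:|$)'
}

# Print cupsd.conf listeners that are not loopback or a local socket.
# "Port N" binds every interface, so it is always reported.
cups_exposed() {
    awk 'tolower($1) == "port" { print; next }
         tolower($1) == "listen" && $2 !~ /^(127\.|localhost|\[::1\]|\/)/ { print }' "$1"
}

# Run all checks under ROOT (default: the live system) and return the
# number of findings as the exit status.
audit_lockdown() {
    root=${1:-}; findings=0
    [ "$(sshd_root_login "$root/etc/ssh/sshd_config")" = "no" ] ||
        { echo "sshd_config: PermitRootLogin is not 'no'"; findings=$((findings + 1)); }
    hosts_deny_all "$root/etc/hosts.deny" ||
        { echo "hosts.deny: no ALL:ALL default deny"; findings=$((findings + 1)); }
    [ -z "$(hosts_allow_wildcards "$root/etc/hosts.allow")" ] ||
        { echo "hosts.allow: wildcard client list"; findings=$((findings + 1)); }
    [ -z "$(cups_exposed "$root/etc/cups/cupsd.conf")" ] ||
        { echo "cupsd.conf: listener beyond loopback"; findings=$((findings + 1)); }
    return "$findings"
}
```

Source the file and call audit_lockdown with no argument to check the live files; the exit status is the number of findings.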

Install firestarter, a firewall with a simple graphic interface. Firestarter defaults to allowing all outbound traffic and blocking all inbound traffic. You can allow inbound requests on the events tab as they happen or set policies by hand. Firestarter runs in the background so you should only use the memory-hungry interface when you want to monitor it. Note that if you have re-routed system logs to tty8 above, you will not be able to use the events tab of Firestarter. You can always re-enable logs temporarily and toggle the system logger daemon with /etc/init.d/klogd restart.


Testing the Locks

Test your system to see what networking ports are left open. Install nmap and run it against 127.0.0.1. My system shows rpcbind (for portmap and fam), ipp (which is the printer service), ssh (the secure shell service) and dictd (the dictionary service that powers my Gnome dictionary applet). You can disable services you don’t need as discussed above and you can check port numbers at http://www.iana.org/assignments/port-numbers. Unknown port numbers sometimes relate to weather or other applets in your desktop environment. You can check by disabling them and running nmap again.
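A scan of 127.0.0.1 lists services bound only to loopback alongside those that other hosts can reach. The script below is an added example, not from the original article, that separates the two by reading `ss -tln` or `netstat -tln` output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: separate loopback-only listeners from network-reachable ones.
# Reads `ss -tln` or `netstat -tln` output on stdin; in both formats the
# local address is the fourth whitespace-separated field.

# Print "local ADDR" or "exposed ADDR" for every listening TCP socket.
classify_listeners() {
    awk '/LISTEN/ {
        addr = $4
        # Loopback forms: 127.x.x.x, [::1] (ss) and ::1: (netstat)
        if (addr ~ /^(127\.|\[::1\]|::1:)/) print "local", addr
        else print "exposed", addr
    }'
}

# Print only the ports reachable from other hosts, sorted and de-duplicated.
exposed_ports() {
    classify_listeners |
        awk '$1 == "exposed" { n = split($2, p, ":"); print p[n] }' |
        sort -un
}

# Constructed sample in `ss -tln` format, not captured from a real machine:
# ssh and rpcbind on every interface, the printer service on loopback only.
sample_ss() {
cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
LISTEN  0       5           127.0.0.1:631        0.0.0.0:*
LISTEN  0       64            0.0.0.0:111        0.0.0.0:*
LISTEN  0       128              [::]:22            [::]:*
LISTEN  0       5               [::1]:631           [::]:*
EOF
}

# Demo on the constructed sample; on a real system use: ss -tln | exposed_ports
sample_ss | exposed_ports
```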

You can test more thoroughly by installing nessus and the nessusd daemon and conducting an audit of your system, particularly if you are comfortable enough with crashing your system that you disable the “safe checks” scan option. You may need to edit /etc/hosts.allow to include nessusd: 127.0.0.1. You will need to run nessus-adduser to create an account and then nessusd which is a server that will attack the system you specify. Finally, you run nessus to configure an attack and review its results to tighten your security. You should only target your own system for testing purposes such as 127.0.0.1 if you want your notebook to attack itself.


Conveniences

Some notebooks come with extra buttons on their keyboards. The thinkpad button package (tpb) allows Thinkpads to use these extra buttons. Tpb interfaces with the nvram kernel module which you need to add to /etc/modules. If you install xosd, operating the extra buttons (for instance, volume up and down) will display the result on a Thinkpad screen. You can configure tpb in /etc/tpbrc. To find out what colors and fonts you can use in xosd, run the xcolors and xfontsel programs. I prefer the SpringGreen color and the clean font. You will need to add each user to the nvram group and add a script to start tpb. I added an executable script to Debian’s default runlevel /etc/rc2.d which calls /usr/bin/tpb. Adding tpb to your desktop environment startup results in a new instance of tpb loading with each login.


Real Freedom

Now that you have an efficient notebook, you can buy an external battery and work at a picnic table by a river all day. Just adjust your /etc/laptop-mode/laptop-mode.conf to run power saving while something’s connected to the AC port.


Note

I’ve upgraded to a Thinkpad T23 (refurbished) with the same set-up and my wife now uses the T20.

