Opinionated Linux Laptop
I've been using various kinds of Linux distros as my primary desktop OS for more than a decade. I've been fanatic about it for several reasons:
- I want to learn how my system works, so I'm trying to run as much open source software as possible
- I want to use similar operating systems in different environments (router, phone, laptop, server or cluster)
There are a lot of ways to assemble your own Linux desktop nowadays. There is no one size fits all. But I'll try to cover the things that I haven't seen a lot on others' machines and that work extremely well for me.
Rolling Release
I've tried many popular distros. However, my experience with fixed-lifecycle distros has never been smooth enough.
I'd like to try new things early (e.g. btrfs, systemd, docker). And my personal laptop is a perfect playground for me.
Using distros with a fixed release cycle usually means I won't be able to try new technologies before the next release. I can try (e.g. update to latest kernel) but if my system breaks, I'm left on my own.
Rolling release distros work much better in my case:
- new technologies are usually adopted much faster
- the community is usually focused on similar things, so it's much easier to get help when trouble arises
- I prefer to evolve my system with many frequent updates
I've been successfully running Arch Linux for years. Gentoo should also work well for my use case.
Backups
Using a rolling release Linux distro usually means that things break from time to time. However, this isn't very frustrating: it's much better than upgrading once every two years and having a lot of problems at once.
I don't want updates to interrupt my work in weeks when I don't have a lot of free time to debug things. I used to stop updating for a while when I needed things to be predictable (e.g. while writing my master's thesis). This is by no means a good solution.
The desired workflow is:
- make a full backup before each update
- update
- reboot and check that the update was successful
- roll back if the upgrade was not successful
There should also be regular backups:
- once a week make a full backup and store it on laptop drive
- once a month copy the latest backup to an external drive (either physical or network attached)
btrfs has two features that make the process above extremely fast:
- btrfs subvolume snapshot, which makes an instant copy of a subvolume using Copy-on-Write
- btrfs send/btrfs receive, which efficiently send and receive diffs between snapshots (only the data that has changed is transmitted)
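The workflow above in shell, as an added example rather than the author's own script. The mount points, the @ root subvolume name and the date-prefixed snapshot names are assumptions; with DRY_RUN=1 (the default) it only prints the btrfs commands.

```shell
#!/bin/sh
# Added example, not the author's script. Assumed layout: btrfs top level
# mounted at $TOP, root subvolume "$TOP/@", snapshots in $SNAPDIR named with
# an ISO date prefix, external btrfs drive mounted at $EXTERNAL.
TOP=${TOP:-/mnt/top}
SNAPDIR=${SNAPDIR:-$TOP/snapshots}
EXTERNAL=${EXTERNAL:-/mnt/external}
DRY_RUN=${DRY_RUN:-1}    # 1 = print commands instead of running them

# Read-only snapshot of the root subvolume ("btrfs send" needs read-only).
snapshot() {    # $1 = snapshot name, e.g. 2016-05-15-pre-update
    if [ "$DRY_RUN" = 1 ]; then
        echo "btrfs subvolume snapshot -r $TOP/@ $SNAPDIR/$1"
    else
        btrfs subvolume snapshot -r "$TOP/@" "$SNAPDIR/$1"
    fi
}

# Newest snapshot other than $1 that exists locally and on the external drive.
common_parent() {
    parent=
    for path in "$SNAPDIR"/*; do
        name=${path##*/}
        if [ "$name" != "$1" ] && [ -d "$EXTERNAL/$name" ]; then
            parent=$name    # globs expand sorted, so the last match is the newest
        fi
    done
    echo "$parent"
}

# Copy snapshot $1 to the external drive, as a diff when a parent is shared.
monthly_copy() {
    parent=$(common_parent "$1")
    if [ -n "$parent" ]; then
        set -- btrfs send -p "$SNAPDIR/$parent" "$SNAPDIR/$1"
    else
        set -- btrfs send "$SNAPDIR/$1"    # first copy: full stream
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "$* | btrfs receive $EXTERNAL"
    else
        "$@" | btrfs receive "$EXTERNAL"
    fi
}

case "${1:-}" in
    snapshot) snapshot "$2" ;;
    monthly)  monthly_copy "$2" ;;
esac
```

The incremental send only works when the parent snapshot is present on both sides, which is why the parent is looked up on the external drive first.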
It's pretty easy to make backups using btrfs features. But how do I roll back? We need to pick a boot loader before answering this question.
File System
I've already mentioned btrfs in the backups section. btrfs has been in a "good-enough" but "not-production-ready" state for years. And even if all the bugs get fixed, it's risky to recommend btrfs as a default filesystem for everyone (see the CoreOS experience as an example).
But I still think the awesome design and feature set of btrfs are worth investing some time in.
These are the features I use:
- subvolumes and snapshots
- copy-on-write
- builtin compression
- btrfs send/btrfs receive
- RAID support
One might say that this is too much for a filesystem... But why shouldn't we keep all of this in mind when designing a filesystem?
I'd think twice before using btrfs in production because there are not so many people around who can tweak it effectively. But it's definitely a very good choice for my personal laptop.
Encryption
It's 2016. All the personal data should be encrypted. I'd even say all the data should be encrypted.
Five years ago two common solutions were:
- ecryptfs for encrypting the home directory
- LUKS for encrypting the entire root filesystem (that was my choice)
But nowadays almost all SSDs have built-in full disk encryption. The manufacturers do this in order to randomize writes and make SSDs last longer.
So SSDs usually encrypt data using AES, and the AES key is randomized at the factory. However, by default the encryption key is written unencrypted to a special area that is not available to the operating system. That means that all the data is encrypted starting from day one, but the hardware can read the encryption key.
But we can also encrypt the encryption key using an ATA password. The ATA password has been a feature of BIOS/UEFI for ages. Most HDDs store data unencrypted when an ATA password is used, so no one really used this feature before SSDs became widely available.
Using built-in full disk encryption is super convenient. I use this to protect data if my laptop gets stolen. All the sensitive data is additionally encrypted using gpg.
Boot Loader
It's 2016, so I'm using UEFI instead of BIOS. The Linux kernel can be an EFI boot loader. This setup looks simple, but I don't really like it:
- the kernel image needs to be stored on the EFI system partition (which is vfat)
- it's not clear how I can roll back to a backup if a new kernel doesn't work properly with my hardware
What I ended up with is GRUB2 used as an EFI boot loader. GRUB2 configuration and kernel images are stored in a btrfs subvolume. However, I can choose other subvolumes for kernel images and root FS on boot; that's how I do rollbacks in case of emergency.
I have never been a fan of GRUB2: it seems too complicated for me. But I have to admit that GRUB2 features (like EFI or btrfs support) help a lot.
So this is what the boot flow looks like:
- UEFI reads the ESP (EFI System Partition) and starts the GRUB bootloader (grubx64.efi) stored in the ESP
- GRUB loads its configuration from /boot/grub/. /boot/ is just a subdirectory of my root filesystem, and my root filesystem is a btrfs subvolume.
- The root filesystem is passed as a kernel command-line option, but I can edit the kernel command line in GRUB.
- If I need to use a backup, I just use the backup snapshot path as the subvolume of the root filesystem in the kernel command-line options.
So unless I modify /boot/grub and grubx64.efi during the update, I can roll back to the previous version of my system. However, /boot/grub and grubx64.efi don't get updated automatically during my usual upgrade procedure: I need to invoke several commands for that (and I don't see any reason to do it often).
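The rollback edit described above, as an added example (not from the original post): a helper that rewrites a kernel command line so that root mounts from a snapshot through the btrfs subvol= mount option in rootflags=. The function name and the sample paths are hypothetical, and arguments are assumed to contain no quoted spaces or glob characters.

```shell
#!/bin/sh
# Added example. rollback_cmdline is a hypothetical helper; it prints the
# command line you would type at the GRUB edit prompt to boot a snapshot.
# $1 = current kernel command line
# $2 = snapshot path relative to the btrfs top level (assumed layout)
rollback_cmdline() {
    out=
    seen=0
    for arg in $1; do
        case $arg in
            rootflags=*)
                seen=1
                opts=
                old_ifs=$IFS
                IFS=,
                # Keep unrelated mount options (compress=..., noatime, ...),
                # drop subvol= and subvolid=, which both select the subvolume
                # and would conflict with the new value.
                for o in ${arg#rootflags=}; do
                    case $o in
                        subvol=*|subvolid=*) ;;
                        *) opts="$opts,$o" ;;
                    esac
                done
                IFS=$old_ifs
                arg="rootflags=subvol=$2$opts"
                ;;
        esac
        out="$out $arg"
    done
    # No rootflags= at all: the default subvolume was being booted.
    if [ "$seen" = 0 ]; then
        out="$out rootflags=subvol=$2"
    fi
    echo "${out# }"
}

# Constructed sample input, not taken from a real machine.
rollback_cmdline "root=UUID=1234 rw rootflags=subvol=@,compress=lzo quiet" \
    "snapshots/2016-05-15-pre-update"
```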
Configuration Management
How much time does it take to provision another laptop? When you set up your laptop from scratch, it can take days to configure everything properly.
Another downside of having a very custom Linux setup is that you make a lot of decisions and some of them are easily forgotten. Well, you still remember how your system works in general, but it's hard to remember everything (especially when you pick from several options and you can't say which is definitely the best one).
And that's a good reason to learn some configuration management tool. This kind of knowledge will help you anyway, and automating your laptop configuration gives the following advantages:
- you can provision an additional machine quickly
- you have a log of decisions made in a git repo (don't forget to use git for that)
- you learn another tool and use it from time to time, so this knowledge won't be lost
I use ansible for this. However, many other tools may be easier to start with if your experience differs from mine. But you can be sure that ansible is a good tool for this task.
Conclusion
I can't say all the suggestions above should be used as defaults for everyone. However, using them on an engineer's machine gives a nice balance of conceptual and operational simplicity. I don't think I'll abandon any of these approaches during the next couple of years.