This is intended to be my personal note of what I will do after installing Fedora Silverblue.
But why does it have to be Fedora Silverblue?
Because it's so simple to use, i.e., it's so simple to debug, since the core is immutable and the update process is atomic. Moreover, as almost everything is being layered on the base system, you can start anew easily without affecting the base system in anyway, doesn't leave any residues, etc. even the config files...
Basically, it's a system that you or your mom/grandma can't break.
Table of Contents
- Enable Transparent Disk Compression
- Using a Secure DNS Resolver
- Enable BBR, a Better Network Congestion Control Algorithm
- Enable
ptrace_scope = 1 - Changing the Default ZRAM Configuration
- Enable RPM Fusion for Nonfree Codecs
- Removing All the Apps From Fedora’s Flatpak and Disable the Repo Entirely From the App Store
- Removing All the Unused Apps From the Default Image (Base System)
- Enable the System’s Auto-Update
1. Enable Transparent Disk Compression
Sadly, this technology that's available natively with Btrfs file system that the system uses is not enabled by default.
As someone who wants to save his disk space whenever it's possible, so I enable it.
First, find out your current kernel boot parameters (to avoid duplicates):
rpm-ostree kargs
It should return many parameters, including rootflags=subvol=root to which is our target for enabling the compression.
You can simply append your custom parameters after the ones from the default configuration that's can't be replaced or deleted for obvious reason like this:
sudo rpm-ostree kargs --append="rootflags=subvol=root,compress=zstd:1"
Then, reboot the system for it to take effect.
I use the compression level
1instead of the default (3), that's because it uses the least CPU time while providing a reasonable compression ratio, see more on here.You can also add other kernel boot parameters with the same command, for example,
snd-intel-dspcfg.dsp_driver=1to use the HD Audio driver instead of the default AVS driver on some old Intel hardware, at least until this issue is sorted out.
Compress Existing Data
The above command will only compress new data. To compress existing data:
sudo btrfs filesystem defragment -r -v -f -czstd /var
2. Using a Secure DNS Resolver
I wrote about this in detail here.
Disable systemd-resolved
sudo systemctl disable systemd-resolved-monitor.socket && sudo systemctl disable systemd-resolved-varlink.socket
sudo systemctl stop systemd-resolved-monitor.socket && sudo systemctl stop systemd-resolved-varlink.socket
sudo systemctl disable systemd-resolved && sudo systemctl stop systemd-resolved
Also remove the existing resolv.conf file:
sudo rm /etc/resolv.conf
Enable DNS Option in NetworkManager
Edit the NetworkManager.conf file:
sudo nano /etc/NetworkManager/NetworkManager.conf
In the [main] section, put in this line:
dns=dnsmasq
Restart NetworkManager:
sudo systemctl restart NetworkManager
Configure Your Preferred DNS Resolver in the GUI
For example, using Cloudflare (with malware filtering) as your DNS resolver:
IPv4
1.1.1.2, 1.0.0.2
IPv6
2606:4700:4700::1112, 2606:4700:4700::1002
3. Enable BBR, a Better Network Congestion Control Algorithm
I wrote about this in detail here.
Enable the Module
Check whether the module is already enabled:
lsmod | grep bbr
If it doesn't return anything, you must enable tcp_bbr module first:
echo "tcp_bbr" | sudo tee /etc/modules-load.d/bbr.conf
Then, reboot.
Change the Congestion Control Algorithm to BBR
Edit the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Add these lines:
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
Reboot the system again. Then, check the current congestion control algorithm with:
sysctl net.ipv4.tcp_congestion_control
4. Enable ptrace_scope = 1
This is necessary to get a complete sandboxing in Chromium-base browsers. It's enabled by default in Ubuntu, Arch, and openSUSE (from my request 😄).
I wrote about this in detail here.
Check Your Current ptrace_scope Value
cat /proc/sys/kernel/yama/ptrace_scope
Enable ptrace_scope = 1
If it's not enable yet (returns 0 from the above command), copying the default config file and edit it:
sudo cp /usr/lib/sysctl.d/10-default-yama-scope.conf /etc/sysctl.d/
sudo nano /etc/sysctl.d/10-default-yama-scope.conf
Changing the last line from kernel.yama.ptrace_scope = 0 to kernel.yama.ptrace_scope = 1.
Then, reboot.
5. Changing the Default ZRAM Configuration
It's a good thing that Fedora enabled ZRAM by default, but I find it's too conservative, especially for a system that doesn't have a lot of RAM.
So, I make it 1.5x the amount of my physical RAM. And I also set the swap-priority = 100, as ZRAM doesn't use [slowish]disk as a swap medium; therefore, I want to swap (compress the data on RAM) ASAP, so it won't use a ton of CPU time all at once when the system already has very little resource left to do anything, if at all.
Creating a New Configuration File
Fedora uses zram-generator to manage its ZRAM configuration. First, we'll create a directory for a new rule that will override the default configuration:
sudo mkdir -p /etc/systemd/zram-generator.conf.d
Then, create a config file:
sudo nano /etc/systemd/zram-generator.conf.d/zram-generator.conf
Inside the file:
[zram0]
zram-size = ram * 1.5
compression-algorithm = zstd
swap-priority = 100
Adding Some Secret Sauce
Thanks to the optimization effort to improve system responsiveness under memory pressure, particularly for desktops with compressed swap in RAM by Pop!_OS, I use this secret sauce with all my Linux systems too!
Editing /etc/sysctl.conf File
sudo nano /etc/sysctl.conf
Adding these lines:
vm.page-cluster=0
vm.swappiness=180
vm.watermark_boost_factor=0
vm.watermark_scale_factor=125
Then, reboot the system.
6. Enable RPM Fusion for Nonfree Codecs
You might have heard from some strange people telling you to use Flatpak apps.
The problem is not media consumption, which can be done through Flatpak or a Distrobox container, like I wrote here in detail, but it's the ability to browse your media files in the first place. This is your file manager's responsibility, not your media player's.
And that one piece of software is not available in Flatpak format; see GNOME Files issue #318.
Therefore, in order to have most of your media files showing their thumbnails in your file manager, like they are on our phones universally, you need to add RPM Fusion into your system. There's no other way.
To install RPM Fusion on your system, please refer to the official RPM Fusion doc specifically for OSTree system here!
7. Removing All the Apps From Fedora’s Flatpak and Disable the Repo Entirely From the App Store
This can be done through GNOME Software GUI, as shown in the screenshot above. You can reinstall these apps from Flathub if necessary.
In my honest opinion, Fedora's Flatpak is useless and has no real value for end-users. It's a painful, wasteful step that Fedora users have to do after the installation. For example, see this recent drama.
It should be noted that, contrary to Flathub, Fedora's Flatpak has the same limitation regarding proprietary codecs as Fedora's native RPM packages. Therefore, remove it from your system, it has zero benefit.
8. Removing All the Unused Apps From the Default Image (Base System)
What if you want to remove some apps from the base immutable image? For example, I don't use Firefox and don't want to support its nutjobs in any way. Here's how to remove it:
sudo rpm-ostree override remove firefox firefox-langpacks
Then, reboot the system.
Now, you can simply check your image status with:
rpm-ostree status
This one command can help you identify most issues or feature parity with other systems that use the same image. This is why it's so easy to debug.
You can also layer any packages you want if they need to be installed on the system level. You will most likely want to install
distroboxfor example:
sudo rpm-ostree install distrobox
Only install packages using this method when it's necessary.
9. Enable the System’s Auto-Update
Please note that enabling the automatic software updates option in GNOME Software will NOT automatically update your system.
And unfortunately, there's no mention of the automatic update anywhere on the official docs.
Here's how to make your system automatically downloads and stages updates without you ever having to do anything:
Set AutomaticUpdatePolicy in /etc/rpm-ostreed.conf
Change the policy to stage:
sudo nano /etc/rpm-ostreed.conf
AutomaticUpdatePolicy=stage
Reload rpm-ostree
sudo rpm-ostree reload
Enable rpm-ostreed-automatic.timer
sudo systemctl enable rpm-ostreed-automatic.timer --now
You can check the automatic update status with:
rpm-ostree status
If enabled correctly, it should return something like this:
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 3h 4min ago
Cover Photo by Alexandru Acea on Unsplash
Top comments (0)