Difference between revisions of "Installing Debian Lenny on a ThinkPad T60"

From ThinkWiki
Jump to: navigation, search
(configuring ACPI)
(Configuring ACPI)
Line 816: Line 816:
  
 
==Configuring ACPI==
 
==Configuring ACPI==
===probing thinkpad_acpi===
+
===thinkpad_acpi/enabling hotkeys===
 
First of all, similar to <tt>tp_smapi</tt> it seems that <tt>[[thinkpad-acpi]]</tt> doesn't load automatically, so put it in <tt>/etc/modules</tt> as well.<br><tt>echo thinkpad_acpi >> /etc/modules</tt>
 
First of all, similar to <tt>tp_smapi</tt> it seems that <tt>[[thinkpad-acpi]]</tt> doesn't load automatically, so put it in <tt>/etc/modules</tt> as well.<br><tt>echo thinkpad_acpi >> /etc/modules</tt>
  
===enabling hotkeys===
 
 
If it has somehow found itself installed (as is the case if you selected "laptop" packages in the initial installation), get rid of <tt>hotkey-setup</tt>. It's totally unnecessary with the new <tt>thinkpad-acpi</tt> module which captures all the keys just fine.  
 
If it has somehow found itself installed (as is the case if you selected "laptop" packages in the initial installation), get rid of <tt>hotkey-setup</tt>. It's totally unnecessary with the new <tt>thinkpad-acpi</tt> module which captures all the keys just fine.  
 
<pre>
 
<pre>
Line 851: Line 850:
  
 
You can also have the acpi event generating keys generate xevents by putting <tt>acpi_fakekey</tt> commands into the action scripts. This maps the keys to xevent keycodes (which can be monitored by the <tt>xev</tt> utility). These keycodes can then be mapped to various keysyms via [[How_to_get_special_keys_to_work#xmodmap_configuration|Xmodmap]] which can be picked up by userspace keygrabbers such as openbox or bbkeys. An example of this can be found in <tt>/etc/acpi/lockbtn.sh</tt>. I still haven't quite figured out how the argument to acpi_fakekey corresponds to the resulting keysym however.
 
You can also have the acpi event generating keys generate xevents by putting <tt>acpi_fakekey</tt> commands into the action scripts. This maps the keys to xevent keycodes (which can be monitored by the <tt>xev</tt> utility). These keycodes can then be mapped to various keysyms via [[How_to_get_special_keys_to_work#xmodmap_configuration|Xmodmap]] which can be picked up by userspace keygrabbers such as openbox or bbkeys. An example of this can be found in <tt>/etc/acpi/lockbtn.sh</tt>. I still haven't quite figured out how the argument to acpi_fakekey corresponds to the resulting keysym however.
 +
 +
===dpkg-divert <tt>/etc/acpi</tt>===
 +
You're likely going to want to do a lot of customising of the <tt>/etc/acpi/</tt> directory, most (or probably all) of which was originally put there by the <tt>acpi-support</tt> package. The problem with this this is that next time there's an update to that package its going to want to change back all those changes you made to the distribution defaults. Now the distribution defaults are good for a reference point, but you want ultimate control over how your acpi system behaves and don't want it changing every time that there's a package upgrade. Enter <tt>dpkg-divert</tt>. This handy utility will allow you to keep the original distribution files and even have them upgraded, but keep your heavily customised <tt>/etc/acpi</tt> directory safe. Assuming you have an unmodified <tt>/etc/acpi</tt> directory to start with,
 +
<pre>
 +
dpkg-divert --add --rename --divert  /etc/acpi.dpkg-dist /etc/acpi
 +
</pre>
 +
will move <tt>/etc/acpi</tt> to <tt>/etc/acpi.dpkg-dist</tt> and divert files from any packages to the latter. Now since your system is still looking for an <tt>/etc/acpi</tt> directory for its actual configuration, you want to have something there to start modifying from, so copy the unmodified directory back
 +
<pre>
 +
cp -r /etc/acpi.dpkg-dist /etc/acpi
 +
</pre>
 +
and go wild with your customisations on <tt>/etc/acpi</tt>.
  
 
===hd power management: laptop-mode===
 
===hd power management: laptop-mode===

Revision as of 04:20, 12 January 2008

Debian Lenny on a T60 6371-6NU

You might also want to check out Debian Etch on a Thinkpad T60 HowTo and Installing_Debian_Lenny_on_a_ThinkPad_T61.

In case you can't decode the Thinkpad model number above, here are the specs (I've left out modem, infrared, cardbus since I haven't ever used them):

Processor Intel Core 2 Duo (Merom) 1.83GHz
Graphics Adaptor Intel Graphics Media Accelerator 950
Display 15.4" TFT display with 1200x800 resolution (widescreen)
RAM 1 GB PC2-5300 (upgraded to 2GB)
Harddisk 120GB 5400 RPM Hitatchi HTS54161
Audio AD1981HD HD Audio 1.0 controller
Ethernet 82573L Gigabit Ethernet Controller
Optical LG-Hitatchi HL-DT-ST DVDRAM GSA-4083N Dual Layer DVD+/-RW
Wireless Atheros AR5418
Biometric STMicroelectronics Fingerprint Reader

I'm going to do everything in Linux (i.e. assume that you already have a running linux version running somewhere else).

Installation

These are instructions for getting the most customised, minimal base Debian system running. As such, you can probably go with your gut and ignore some of these steps for example using the "expert" install mode or deselecting all but the base system packages.

  1. First of all, get the "businesscard" cd image for amd64 if you want to run 64 bit or i386 if you want 32 bit. Note that flash now works in 64 bit(see this article on the "debian adminstration" blog), java is possible, but a little trickier (see below). If you do however go 64 bit you won't be able to use proprietary 32 bit modules in your kernel. Most notably, ndiswrapper won't work with 32-bit windows drivers.
  2. Burn the cd image to a cd with the command
    cdrecord -v debian-testing-amd64-businesscard.iso
    You may find that you need to add dev=/dev/cdrom (or whatever your burning device is) to the above command.
  3. Now stick in the newly burned disc and reboot.
  4. At the "boot:" prompt type "expert (you could also just hit enter, but you won't get as much control over what's about to be installed on your computer).
  5. Go through the install menu using my answers as outlined below as a guide. You will obviously want to tailor things to your specific situation:
  • Choose Language
    • Choose Language:
      English
    • Choose a locale:
      en_CA (stick with ascii for the default since UTF screws up some terminals)
    • Choose other locales to be supported:
      en_CA.UTF-8
      en_GB.UTF-8
      en_GB
      en_GB.ISO-8859-15
      en_US.UTF-8
      en_US
      en_US.ISO_8859_15
  • Select a Keyboard layout
    • Type of Keyboard:
      PC-Style
    • Keymap to use:
      American English
  • Detect and mount CD-ROM
    • Modules to load:
      <none> (deselect usb-storage, its not needed unless your using a external USB CD drive to read the install disc)
  • Load installer components from CD:
    • Installer components to load:
      <none>
  • Detect network hardware
    • Modules to load:
      <none>(I don't imagine you'd need usb-storage here either unless you were using a USB networking device)
  • Configure the network
    • Auto-configure DHCP:
      yes
    • Hostname:
      <omitted>
    • Domain Name:
      <omitted>
  • Choose a mirror of the Debian archive
    • Protocol for file downloads:
      ftp (might be a tiny bit faster than http, though the latter is less likely not to work if you're behind a draconian firewall. http is also slightly easier because you get a list of available mirrors whereas with ftp, you have to know the address already)
    • Debian archive mirror hostname:
      mirrors.kernel.org
    • Debian archive mirror directory:
      /debian
    • FTP proxy information:
      <blank> (unless you're behind one of the draconian firewalls mentioned above, in which case figure out the proxy to use from your network administrator.)
    • Debian version to install:
      testing
  • Configure the clock
    • Set the clock using NTP?:
      yes
    • NTP Server to use:
      ntp.ubc.ca (though the default provided or any other you prefer should work just as well.)
    • Select your timezone:
      Pacific
  • Detect disks
    • Modules to load:
      <none> (again not necessary unless you want to install onto a USB drive)
  • Partition Disks
    • Partition Method:
      manual
    • This depends largely on personal preference, and needs, but here's how I set up the disks:
      200MB EXT3 /boot
      1.0GB swap
      15GB XFS /
      2GB XFS /var
      All remaining disk space XFS /home
      I use XFS because this tends to be faster than ext3. Reiserfs is also a good alternative but takes a little longer to mount at bootup. Grub has some problems reading XFS, so I use ext3 for the /boot partition. If you're keeping your windows partition, just leave it alone, we'll get to that in a bit. Once you're done setting things up select "Finish partitioning and write changes to disk.
    • Write chages to disk?:
      yes
  • Install the base system
    • Kernel to install:
      linux-image-2.6.22-3-amd64 (or whatever newer one is available by the time you read this).
  • Setup users and passwords
    • Enable shadow passwords:
      yes (duh)
    • Allow login as root:
      yes (unless you're really paranoid)
    • Root password:
      <omitted>
    • Create a normal user account now?:
      yes
    • Full Name:
      <omitted>
    • Username for your account:
      <omitted>
    • Password:
      <omitted>
  • Configured the package manager
    • Use non-free packages:
      yes (unless you have some restrictions ideological or otherwise)
    • Services to use:
      security updates
      volatile updates
  • Select and install software
    • Participate in package usage survey?:
      yes (why not help make Debian even better?)
    • Choose software to install:
      It's up to you to decide whether you want to select go with the default Desktop environment, Laptop and Standard System or just install a bare bones system and deal with it later. I will assume however that you have selected none of them in the remainder of this howto.
  • Install GRUB boot loader on hard disk
    • Install GRUB 2:
      no (for some reason it doesn't work)
    • Device for bootloader installation:
      /dev/sda (unless you have some other bootloader you want to use to chain to GRUB).
    • Grub password:
      <omitted> (don't make this your root password as it ends up in your menu.lst file as plaintext).
  • Skip LILO (unless you like pain)
  • Debconf priority:
    • Prompt at or above:
      critical (I want to be able to automate updates)
    • Finish the installation
    • Finish the installation

The First Boot: getting the ball rolling

If you went with the bare-bones system in the package selection above, you should boot up to a commandline login prompt (X-Windows hasn't been installed yet). Log in as root. It's now time to install the packages necessary to get things running. You'll find that thanks to the business card installation, you have an up to date system (i.e., aptitude update&& aptitude dist-upgrade won't find any packages needing upgrade. So lets get on with installing all the packages necessary to get things looking a little more like home.

First of all, there are a few things even in the base system that you probably won't need so get rid of them:

aptitude purge nano pcmciautils tasksel tasksel-data vim-common vim-tiny

Of course, you'll want to keep pcmciautils if you plan on using antiquated pcmcia cards. Similarly you may want to keep vim and/or nano if you use those editors. If on the other hand, you're like me, you don't and you'll then want to

aptitude install emacs

Now if you're like me and you're craving a windowed multitasking work environment before you go any further, you can just do

aptitude install xorg gdm <your favourite window manager (e.g. gnome or openbox)>

Now do a

/etc/init.d/gdm start

And you should get a login screen.

Xorg.conf

Ah, the infamous xorg.conf. Luckily, since you're running Debian lenny on an Intel integrated graphics chip, editing xorg.conf isn't strictly necessary. Intel has gone to a lot of trouble to make this as painless as possible. God help you if on the other hand, you got a model with an ATI X1300 or ATI X1400 graphics card. I made a few modifications to the automatically generated xorg.conf that might be of interest.

Horizontal edge scrolling

Edge scrolling has to be my favourite pointing device feature ever, thus I find it rather annoying that it is only half enabled by default. In particular you'll find that though vertical scrolling works like a charm, horizontal scrolling along the bottom of the touchpad doesn't work. Additionally, I find that the default threshold edge distance to initiate scrolling is a little on the large side for my slender fingers. I also find that the corner button emulation tends to be accidentally activated while using edge scrolling so I disable it. Thus, I have updated the relevant input device section to make use of some of the options documented on the Synaptics Touchpad page

Xinerama

There is also the issue of using dual monitors. You'll be surprised to find that it "just works" if you have an external monitor plugged in. Well, it kind of "just works" if you like having the displays that is. If, on the other hand you want to expand your desktop, you can either do the configuration on the fly with XRandR, or make it permanent by making the appropriate modifications to xorg.conf

Configuring the package manager

The best thing about Debian is the package manager. Thus, you want to make sure it's configured optimally to get the best use out of it before you go any further. Once you're logged in, you can edit the /etc/apt/sources.list file so that it can find more packages than the default. Below is my sources.list file.

# testing - lenny
deb ftp://mirrors.kernel.org/debian/ lenny main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ lenny main contrib non-free

# stable - etch
deb ftp://mirrors.kernel.org/debian/ etch main contrib non-free
deb-src  ftp://mirrors.kernel.org/debian/ etch main contrib non-free

# unstable - sid
deb ftp://mirrors.kernel.org/debian/ sid main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ sid main contrib non-free

# experimental
deb ftp://mirrors.kernel.org/debian/ experimental main contrib non-free
deb-src ftp://mirrors.kernel.org/debian/ experimental main contrib non-free

# security updates
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

You'll notice that I've also included entries for etch and sid in addition to experimental. If you use a different mirror than mirrors.kernel.org, you'll want to make sure that it hosts the experimental branch. This is where we'll find the package for the fingerprint reader. I include stable and unstable for completeness in case there are packages I want that that are only available in unstable, or if I want to revert to a version of a package in stable. Note that the order you specify the branches in the sources.list file makes no difference, thus in order to maintain priority for lenny packages (over sid or experimental which in general have newer packages), I also have an /etc/apt/preferences file with pin priorties:

Package: *
Pin: release o=Debian,a=stable
Pin-Priority: 300

Package: *
Pin: release o=Debian,a=testing
Pin-Priority: 600

Package: *
Pin: release o=Debian,a=unstable
Pin-Priority: 200

Package: *
Pin: release o=Debian,a=experimental
Pin-Priority: 100

Basically this is saying that unless I specify otherwise, "testing" (lenny) packages are to be preferred over "stable" (etch) over "unstable" (sid) over "experimental". A lower Pin-Priority means lower precedence. If you want to override this precedence, you can either use the aptitude gui and select a specific version to install or add the flag -t <target branch> to your aptitude install <package> command. If you do this in such a way as to select a package that has a newer, higher priority alternative available, it will be upgraded next time you do an aptitude upgrade unless you pin that particular package version (see the relevant section of the apt howto).

Now that we have that sorted out we should do an

aptitude update

If by some chance you get an annoying message like

W: GPG error: <servername> <branch> Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 07DC563D1F41B907
W: You may want to run apt-get update to correct these problems

(especially annoying because it happens when you run apt-get update as well), the solution is to run the following command:

gpg --keyserver wwwkeys.eu.pgp.net --recv-keys 07DC563D1F41B907 && apt-key add /root/.gnupg/pubring.gpg && aptitude update

where you of course replace "07DC563D1F41B907" with what ever public key you get in the orginal GPG error message. Now of course, the reason this is happening is to ensure your security. You don't want to be downloading packages from unknown or forged sources, so don't just go verifying keys willy nilly without thinking about why you might be getting such a message. In particular, if the message appears even though you haven't recently changed your mirror, something fishy might be going on.

Installing Packages

You might notice that even once you have your favourite window manager running, you're still missing quite a bit in terms of software beyond the basic operating system.

Essentials

Here are a few highly recommended packages:

acpi-support a set of scripts intended to respond to acpi events such as Fn-_ key combinations.
apt-file allows you to search file names in uninstalled pacakges
aterm a lightweight terminal
cabextract extract files from windows installation executables
colordiff like your old friend diff for identifying dissimilarities between files, but easier on the eyes
cpufrequtils init scripts to setup cpu frequency scaling at boot
cupsys cups print server (you'll need it if you want to print)
dash a light weight bash-like-shell (use it for your init scripts or anything else you want to speed up)
deborphan find unused packages
defoma Debian font manager - makes activating fonts easier
emacs-goodies-el like it says, nice addons for emacs
flashplugin-nonfree yep, it works on 64 bit
gimp Opensource gui image editor rivalling Photoshop in power, quality and comprehensiveness.
gv Ghost View for viewing .ps documents
hdapsd Daemon to stop the disk if the accelerometer detects shocks.
ia32-sun-java5-bin 32 bit java 5 (with plugin)
iceweasel Rebranded Firefox web browser
ifplugd monitors the hard-wired Ethernet and brings the interface up or down automatically depending on link presence.
imagemagick Command line image editor and conversion utilities unrivalled in batch processing power.
laptop-mode-tools Reduce power consumption by reducing hard disk use while on battery
less command line text reader with backscrolling
libpam-thinkfinger used to get the finger print reader running
libtrash Universal trash can diverts file removal from any program using libc6 so deleted files wind up in ~/Trash
localepurge Clean up documentation in unused languages.
menu Manage system-wide menus
msttcorefonts Microsoft fonts
ntfsprogs mount your windows ntfs partition read/write
ntp daemon to regularly syncronise system clock with network time servers
ntpdate used to do one-off on-demand syncrhonisation with network time servers
openoffice.org open source productivity software
prelink optimises share libraries for better program load performance
sleepd automated sleep daemon
mlocate periodically indexes the file system for fast searching
smartmontools monitor harddisk health
sysv-rc-conf ncurses gui to activate and deactivate init scripts
ttf-bitstream-vera bitstream vera true type fonts
ttf-dejavu dejavu truetype fonts
ttf-freefont free truetype fonts
unrar extractor for the archive format popular among hackers
unzip extractor for the winzip archive format
wpagui gui for the wireless wpa supplicant
wpasupplicant the wpa supplicant backend
xfsdump for backing up mounted xfs filesystems
xpdf for viewing pdf files

To install all of the above:

aptitude install acpi-support apt-file aterm cabextract colordiff cpufrequtils cupsys dash defoma deborphan emacs emacs-goodies-el flashplugin-nonfree gdm gimp gv hdapsd ia32-sun-java5-bin iceweasel ifplugd imagemagick laptop-mode-tools less libpam-thinkfinger libtrash localepurge menu msttcorefonts ntfsprogs ntp ntpdate openoffice.org prelink sleepd mlocate smartmontools sysv-rc-conf ttf-bitstream-vera ttf-dejavu ttf-freefont unrar unzip wpagui wpasupplicant xfsdump xorg xpdf

Recommended

Then there are a few package I like that you may also want to check out depending on your preferences/habits.

alsamixergui nice mixer app
arping like ping, but gives you mac address if its available
bc arbitrary precision command line calculator (good for scripting)
bmon command line network bandwidth monitor
css-mode css syntax for emacs
devilspie Watches for new xwindows matching configured parameters and acts on them. Very powerful.
dmz-cursor-theme Make your cursors a little easier on the eyes
equivs for making "ghost" packages to satisfy dependences for example when you compile something from source
ftnchek check Fortran syntax
gawk extended version of awk
genisoimage create cdrom ISO's before burning them.
gkrellm performance monitoring gui
gkrelltop plugin for above showing top resource consuming processes
gkrellmwireless plugin for above showing wireless signal strength
gparted graphical partition manager
gphotofs for mounting digital cameras
grip excellent cd ripping functionality using cdparanoia backend
gsl-bin binary files for powerful scientific computing library
gsl-ref-html documentation for powerful scientific computing library
gtkguitune guitar tuner gui with oscilloscope-like interface
hdaps-utils for reading and visualising the accelerometer output
html-helper-mode enhanced emacs html syntax
ibritish british flavour of ispell
id3v2 id3v2 (and v1) mp3 tag reader and editor
k3b powerful cd/dvd burning gui
lastfm preference based internet radio and social networking
libgsl0-dev powerful scientific computing library headers for compiling your own code
libsox-fmt-all audio file formats for sox, the command line audio player/recorder
lsdvd view the contents of a video dvd
lshw show comprehensive list of system hardware and specifications
lsof display currently open files (good for figuring out what the hell is going on)
mp3gain losslessly normalise mp3's
mp3rename rename mp3's based on id3 tags
mutt powerful terminal-based email client
myspell-en-gb british myspell (used by open office)
nfs-common for mounting nfs drives
nmap for probing open ports locally and remotely
nxml-mode xml syntax for emacs
obconf configuration gui for openbox
offlineimap sync imap folder so you have a local copy accesible when no internet is available
openbox versatile lightweight window manager
openssh-server allows remote login
pbzip2 make full use of the dual core when bzipping things.
post-el emacs email syntax intended for use with mutt
powertop see what's causing your processor to wake up and use more battery power
pypanel lightweight configurable panel
qiv quick image viewer good for slide shows
rsync efficient remote and local copying. Copies only differences and ssh for secure communication
samba windows file server/client software
screen powerful detachable/reattachable terminal interface
smbfs allows mounting of windows shares
sox command line audio recording and playing utilities
sshfs allows mount of remote trees on ssh server machines with no special remote configuration
sux su that passes proper Xauthority
sysstat command line system monitoring
udftools tools dealing with the filesystem common in optical media
unclutter hide of mouse cursor when its not being used.
unison keep local and remote filesystems in sync using the rsync protocol and ssh
urlview open urls in mutt with your favourite browser
wbritish-huge large british words list
whois detailed domain querying command
wmctrl control window manager from the command line
wodim command line cd buring (successor to cdrecord)
xclip command line x clipboard tool feed standard input into clipboard, extract clipboard to standard output.
xmms x multimedia system winamp-like mp3/media player
xmms-cdread read cd's via the digital link rather than rely on that annoying analogue cable
xmms-crossfade for gapless playback
xmms-shell for command line control of xmms
xmms-skins skins for xmms
xosview performance monitor gui (key feature is the irq monitor)
xscreensaver locks the screen after inactivity

To install all of the above:

aptitude install alsamixergui apt-file arping bc bmon colordiff css-mode deborphan devilspie dmz-cursor-theme equivs freeglut3 ftnchek gawk genisoimage gkrellm gkrelltop gkrellmwireless gparted gphotofs grip gsl-bin gsl-ref-html gtkguitune hdaps-utils html-helper-mode ibritish id3v2 k3b lastfm libformsgl1 libgsl0-dev libsox-fmt-all lsdvd lshw lsof mkisofs mp3gain mp3rename mutt myspell-en-gb nfs-common nmap nxml-mode obconf offlineimap openbox openssh-server pbzip2 post-el powertop pypanel qiv rsync samba screen smbfs sox sshfs sux sysstat udftools unclutter unison urlview wbritish-huge whois wmctrl wodim xclip xmms xmms-cdread xmms-crossfade xmms-shell xmms-skins xosview xscreensaver

Fingerprint reader

Ok, admit it. This is the real reason you got a thinkpad. Getting the fingerprint reader is surprisingly easy with the new open source thinkfinger driver. This is highly recommended over the binary only driver which I have found is less stable even leading xscreensaver to crash and expose the desktop without a provided fingerprint or password!

If you didn't install it among the packages above, see the relevant section of the howto.

Once you have it installed, you must instruct PAM to use it so that it will ask for your fingerprint when you login with gdm or at the command line (or any thing else that uses PAM). To make it brief and more Debian-specific, you want your /etc/pam.d/common-auth file's only uncommented lines to be

auth    sufficient      pam_thinkfinger.so
auth    required        pam_unix.so nullok_secure try_first_pass

Then you want to enroll the fingerprints of any users as well as also root

tf-tool --add-user <username>
tf-tool --add-user root

This will put the fingerprint patterns in /etc/pam_thinkfinger/<username>.bir. You may also want to make sure you have the uinput module probed by typing lsmod | grep uinput. If not, then probe it (modprobe uinput) and put it into your /etc/modules file to be probed on boot

echo uinput >> /etc/moduleds

Now for the icing on the cake. If you have xscreensaver (>=5.0) or a sufficiently recent version of gnome-screensaver, you can use your fingerprint to unlock the screen as well.

A few /etc configurations

hdapsd

Hdapsd is the daemon that monitors the accelerometer and parks the hard disk heads if it detects sudden movement of the laptop. It does however need to be told what to protect. By default it works on /dev/hda, but modern thinkpads use SATA and so this needs to be changed to /dev/sda. This is set in the file /etc/default/hdapsd, where you must change the line DISK="hda" to DISK="sda".

NOTE!
This alone will not enable hdapsd protection. You need to patch the kernel for this as described below

exim4-config

You need to tell exim how to send mail. To do this, type

dpkg-reconfigure exim4-config

and follow the dialogs. To be honest, I have trouble sorting through exactly what I want each one to say whenever I do this. Here are the answers I decided on:

  • Mail sent by smarthost;recieved via SMTP or fetchmail
  • System mail name: The FQDN of my laptop
  • IP-addresses to listen on:127.0.0.1
  • Other destinations for which . . .: same as system mail name
  • Machines to relay mail for: <blank>
  • IP address or host name of outgoing smarthost: (this is the server to which your machine should send outgoing mail) Since my mail server requires an SSL/TSL connection on port 587, I must suffix the server name with "::587". Note the two colons.
  • Hide mail name in outgoing mail: yes
  • Visible domain name for local users: same as mail name
  • DNS queries minimal?:no
  • Delivery method:/var/mail
  • Small files?:no

Then, I edit the file /etc/email-addresses so that it says

<my user name>:my.email.address@server.com

Then I make sure that mail to root goes to me by ensuring that /etc/aliases looks as follows:

# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: <my user name>

and that mail sent to me ends up at my regular email address:

echo my.email.address@server.com > ~/.forward

Finally, since as I mentioned, I'm using SSL/TLS, I have to put my user name and password (for the outgoing mail server) in the file /etc/exim4/passwd.client, which unfortunately must be plain text. The format is as follows:

mail.server.address:username:password

Then I restart exim4

/etc/init.d/exim4 restart

and send some test emails in various contexts:

mail -s 'test from user to user' <myusername>
mail -s 'test form user to root' root
mail -s 'test from user to outside' alternateemail@alternateserver.com
su 
mail -s 'test from root to user' <myusername>
mail -s 'test form root to root' root
mail -s 'test from root to outside' alternateemail@alternateserver.com
exit

and hope all those emails go where I expected them to.

If you run into trouble, check the various subdirectories of /var/spool/exim4. msglog and input should have nothing in them after you've sent emails if everything is working. See if you can't find some error messages that give you some clues in any files that do crop up here.

smartd

By default, smartd is not enabled when you install the smartmontools package. To enable it, uncomment only the line

start_smartd=yes

in /etc/default/smartmontools. Don't mess with the line about smartd_opts=, we deal with that in the /etc/smartd.conf file. I modified mine so that the only uncommented line is

/dev/sda -a -d sat -n standby -m root -M exec /usr/share/smartmontools/smartd-runner

I figured there was no point in using DEVICESCAN when I already know that I just want to monitor /dev/sda (the cdrom doesn't have smart). This will probably speed things up. The remaining options tell smartd that the disc is behind a SCSI to ATA translation layer, that it should not spin up the disk to do a check and that it should email root should there be a problem. You can check to make sure the emails get through by adding -M test to the end of that line and restarting smart. Remember to remove it though, otherwise, you'll get an email every time you boot up.

browser keys

You can make the "back" and "forward" keys above the left and right arrows do pretty much anything you want. Since they generate their own X-events (keycodes 234 and 233 respectively), they can be mapped to whatever keysym you want via Xmodmap. For example, I mapped them to F19 and F20 in my systemwide /etc/X11/Xmodmap file so they are automatically mapped for all users.

keycode 234 = F19
keycode 233 = F20

There are a couple ways you can get Firefox (or rather iceweasel) to correctly recognize these keysyms. You could install keyconfig.xpi and configure the keybindings via Tools->Keyconfig, but this is only user specific and quite frankly just too easy. So I went about doing it the hard way and editing /usr/share/iceweasel/chrome/browser/content/browser/browser.xul. Both are described in detail here.

The latter method has the advantage that paired with the system wide Xmodmap discussed above, all users automatically have working browser keys. The disadvantage (other than having to dig around in a hairy .xml file) is that whenever you upgrade or reinstall firefox, your changes disappear and you have to go back in there and do it again. To mitigate slightly this last problem, I wrote the following script and put it in /usr/local/sbin/firefox-keys

#!/bin/sh
FILE=/usr/share/iceweasel/chrome/browser/content/browser/browser.xul

grep -q VK_F20 $FILE
if [ $? != 0 ];then
sed 's|<key id="goForwardKb2" key="\&goForwardCmd.commandKey;" command="Browser:Forward" modifiers="accel"/>|<key id="goForwardKb2" key="\&goForwardCmd.commandKey;" command="Browser:Forward" modifiers="accel"/>\n    <key id="goBackKb" keycode="VK_F19" command="Browser:Back" />\n    <key id="goForwardKb" keycode="VK_F20" command="Browser:Forward" />|g' $FILE > $FILE.tmp
mv $FILE.tmp $FILE
fi
exit 0

Then I just have to run this script everytime Iceweasel is updated. But wait, that seems pretty programmatic. Isn't there some way to automatically run the script when Iceweasel is updated? The answer is yes. I created the file /etc/apt/apt.conf.d/98-iceweasel-keys and added the following to it

// Add browser keys to firefox if it's being installed

DPkg
{
Pre-Install-Pkgs {"cat > /tmp/pkgs";};
Post-Invoke {"if grep -iq iceweasel /tmp/pkgs && [ $(ps w -p "$PPID" | grep -c remove) != 1 ];then /usr/local/sbin/firefox-keys;else exit 0;fi";};
};

It's kind of hackish, but here's the idea. Whenever apt calls dpkg, it will first call the command listed in Pre-Install-Pkgs passing the names of all the packages as standard input (which get tossed into /tmp/pkgs). Then after dpkg has been invoked and installed everything, the Post-Invoke command is called which checks if any of those packages were Iceweasel. If the case insensitive pattern "iceweasel" is among their names (and the package in question is not being removed rather than installed), the aforementioned firefox-keys script will be invoked. The natural question is why I need this intermediate file. Well for some weird reason apt does not pass the package names to the Post-Invoke commands.

default applications

Right now, the system wide default for the terminal is gnome terminal. This is second only to Konsole in bloat. If you want to keep things streamlined, change the systemwide default to aterm (which you downloaded above).

update-alternatives --config x-terminal-emulator 

And select /usr/bin/aterm-xterm. Now for the browser you're going to want iceweasel (firefox)

update-alternatives --config x-www-browser 

And select iceweasel.

services

By default, you'll probably have a bunch of services running at startup that are going to lengthen your boot time and likely eat up system resources as long as they're running. You can use the sysv-rc-conf utility to enable or disable scripts. The ncurses gui shows each service as a row and each run level as a column. An X indicates that the script or service is activated at that particular run level. An empty space means that it is not. In debian, run level 2 is the regular multi-user mode, while run level 1 is single-user (maintenance mode). Run levels 3-5 are usually identical to 2, but you can customise them otherwise. You generally only want to mess with run levels 2-5 and unless you want to create custom run levels, you want to keep them all identical (i.e., all X's or all blank). And you probably don't want to mess with run levels 0,6 and S at all unless you really know what you're doing. For more on how debian deals with run levels, take a look at the Debian Policy Manual. Below is a table with all of my init scripts in the left column and their state indicated in run level 1 and 2-5 in the adjacent columns. As with sysv-rc-conf, and X indicates enabled, while a blank indicates disabled. Keep in mind that I don't use gnome and as such gnome users might experience negative effect from disabling dbus or hal as I have. I have also completely removed the discover1 package.

aptitude purge discover1
service run-level 1 run-level 2-5
acpi-support
acpid X
alsa-utils
anacron X
atd X
avahi-daemon
bootclean
bootlogd X
cpufrequtils X
cron X
cupsys X
dbus
exim4 X
fuse
gdm X
hal
halt
hdapsd X X
hdparm
hibernate
ifplugd X
ifupdown
ifupdown-clean
killprocs X
klogd X
laptop-mode X
loadcpufreq X
module-init-tools
networking
nfs-common
ntp X
openbsd-inetd
portmap
procps
rc.local
reboot
rmnologin X
rsync
samba
screen-cleanup
sendsigs
single X
sleepd X X
smartmontools X
ssh
stop-bootlogd X
stop-bootlogd-single X
sysklogd X
sysstat
udev
udev-mtab
udftools
umountfs
umountroot
urandom
vbesave
wpa-ifupdown
x11-common

bash completion

It's also nice to have more extended bash completion enabled. This will give you such niceties as completion of man at if you hit tab, or give you suggestions as to what you can ifup. Trust me, if you're going to be using the command line, you're going to want to open up /etc/bash.bashrc and uncomment the lines

# enable bash completion in interactive shells
#if [ -f /etc/bash_completion ]; then
#    . /etc/bash_completion
#fi

that annoying beep

Ok, so you've hit tab a couple times or directed the emacs cursor off the buffer and have heard quite enough of that pc speaker beep. Here's how you get rid of it:

echo blacklist pcspkr >> /etc/modprobe.d/blacklist

That prevents the module from loading when you boot up. If you want to remove it right now without further ceremony:

rmmod pcspkr

daily defrags

One of the great things about the XFS file system is that it has a defragmenter. I don't however want to worry about running it all the time, so I've added the file /etc/cron.daily/xfs_defrag containing simply

#!/bin/sh
xfs_fsr

Build your own kernel (the Debian way)

You may be reluctant to venture into the world of kernel compilation, but it is necessary to get the accelerometer hard disk protection working. Code has to be added to the kernel (don't worry you don't have to write it!) to tell it how to "park" the hard disk heads when hdapsd tells it the laptop is moving around. Hopefully, as this feature becomes more common, it will be built into future releases of the mainline kernel, but for now we must rely on patching the kernel ourselves. There is also something to be said for having a kernel that is tailor matched to your machine. You can cut out a lot of unnecessary stuff and optimise the kernel to your specific system. Thankfully, Debian has eased the burden of kernel compilation and installation with the kernel-package package. The following is heavily based on this howto.

  1. Add yourself to the src group so that you have write access to the /usr/src directory and can do most of the procedure as a regular user.
  2. Install the necessary packages
    aptitude install gcc kernel-package kernel-source-2.6.23 libc6-dev tk8.3 libqt3-mt-dev libncurses5-dev fakeroot
  3. Log out and log back in for the addition to the src group to take affect. You can ensure that this is the case by typing groups and looking for "src" in the resulting list.
  4. As a regular user, get the hdaps-protect patch:
    mkdir /usr/src/hdaps/ && cd /usr/src/hdaps && wget 'http://sourceforge.net/mailarchive/attachment.php?list_name=hdaps-devel&message_id=87pry7ehx3.fsf%40denkblock.local&counter=2' -O hdaps-protect.2.6.23.patch
  5. Now, unpack the kernel source
    cd /usr/src && tar xvjf linux-source-2.6.23.tar.bz2 && cd linux-source-2.6.23
  6. Apply the patch:
    patch -p1 < ../hdaps/hdaps-protect.2.6.23.patch
  7. As a starting point for configuration, you can use the Debian .config file
    su -c 'aptitude install linux-headers-2.6.23-1-amd64'
    cp ../linux-headers-2.6.23-1-amd64/.config .

    This is the recommended route if this is your first time compiling a kernel. Alternatively, you can take a look at mine, which is highly customised to my particular model and you should probably go through yourself to make sure it's not missing anything that you want.
  8. To edit/view the configuration with the "user friendly" gui
    make xconfig
  9. Once you've gotten a suitable configuration
    export CONCURRENCY_LEVEL=3 && fakeroot make-kpkg clean && fakeroot make-kpkg --append-to-version=.mycfg kernel_image
  10. While your kernel is compiling you might take a minute to make it easier on yourself when it comes time to install it. It seems that by default dpkg does nothing special when it installs a kernel package. This is WRONG! If you don't add the kernel to the /boot/grub/menu.lst file, then it will just sit in your /boot directory doing nothing. You can solve this by running update-grub after you install or remove a kernel. One better however is to tell dpkg to do the dirty work for you:
    printf 'postinst_hook=/sbin/update-grub\npostrm_hook=/sbin/update-grub\n' >> /etc/kernel-img.conf
  11. This is also a good time to tweak your boot parameters. One in particular is vga=794 which tells the kernel to display the console at higher resolution that default. To enable this, find the section that looks like
    ## ## Start Default Options ##
    ## default kernel options
    ## default kernel options for automagic boot options
    ## If you want special options for specific kernels use kopt_x_y_z
    ## where x.y.z is kernel version. Minor versions can be omitted.
    ## e.g. kopt=root=/dev/hda1 ro
    ## kopt_2_6_8=root=/dev/hdc1 ro
    ## kopt_2_6_8_2_686=root=/dev/hdc2 ro
    # kopt=root=/dev/sda11 ro
    and change the last line to
    # kopt=root=/dev/sda11 ro vga=794
    That's right, keep it commented. Debian's update-grub command reads the comments and uses them to decide how to format that actual entries further down in the file.
  12. After a little under 10 minutes thanks to some hot dual core action, you'll have a .deb package containing your very own kernel. Just install it as you would any other .deb
    su -c 'dpkg -i /usr/src/linux-image-2.6.23.mycfg_2.6.23.mycfg-10.00.Custom_amd64.deb'
  13. This should handle the painful part for you. You should now be able to reboot and select your custom kernel on your bootloader screen.
NOTE!
If you notice that your kernel is repeatedly spewing the message
hda: drive_cmd: status=0x51 { DriveReady SeekComplete Error }
hda: drive_cmd: error=0x04 { AbortedCommand }
ide: failed opcode was: 0xef
Saying yes to the IDEDISK_MULTI_MODE kernel option under Device Drivers->ATA/ATAPI/MFM/RLL->Use multi-mode by default in the xconfig menu won't solve your problem as the description suggests. This is more likely caused by power management scripts calling hdparm on the cdrom. See below for the real solution.

Wireless with madwifi

I had the brilliant idea of getting the 11n capable ThinkPad_11a/b/g/n wireless adaptor which is really just an Atheros AR5418. In retrospect, I should have gone with a more sensible choice like the Intel Pro which is directly supported in the mainline kernel. I think it's fair to say that Atheros is the ATI of wireless cards in terms of Linux support. It works, but you'll pull your hair out in the process. Since the AR5418 is so new, the latest release of madwifi doesn't even support this card. However the latest subversion snapshot does (though of course only up to 11g).

As you've probably noticed I'm going with a 64 bit system. Thus the more stable ndiswrapper won't work because the windows driver supplied by Lenovo is 32bit only. But don't go thinking that going 32 bit and using ndiswrapper will get you 11n. It won't.

That said, to install the latest snapshot of madwifi, you first need to install subversion.

aptitude install subversion

If you skipped the kernel compilation step above and are using a stock Debian kernel, you will also need to install your kernel headers.

aptitude install linux-headers-`uname -r`

Where "`uname -r`" is of course evaluated by the shell to the currently running kernel version.

Now follow the howto. Pay attention to the note at the end about changing the name of the device to wlan0. This was written by me, so it's fair to assume that you'll encounter the same thing using Debian.

wpa_supplicant

wpa_gui is quite a powerful applications that lets you interact with a running wpa_supplicant in an intuitive way. It allows you to scan and connect to available networks as well as save and delete preferred networks. By default however wpa_gui has to be run as root because only root has permissions to affect wpa_supplicant. To remedy this, ensure that your wpa_supplicant.conf has the global settings

ctrl_interface_group=netdev
update_config=1

near the top of the file. "netdev" is the name of the group which is allowed access to the wpa_supplicant interface and update_config allows you to save changes to your preferred networks. You now need to add yourself to the netdev group so you can run wpa_gui.

adduser <you> netdev

You'll be added to the group after completely logging out and logging back in. The only minor annoyance is that wpa_gui is still located in /usr/sbin which is not in your default path. As such, you might want to create a symbolic link to it in /usr/bin/

ln -s /usr/sbin/wpa_gui /usr/bin/

If you want maximum control over how various wireless networks are setup, you can of course edit wpa_supplicant.conf directly. You can get a comprehensive list of examples by typing the command

zless /usr/share/doc/wpasupplicant/examples/README.wpa_supplicant.conf.gz

Don't bother however putting any comments in the wpa_supplicant.conf file since these will be erased if you have the update_config=1 parameter set as described above.

tp_smapi

tp_smapi is a module that allows you to access various bits of information about your thinkpad generally focused around the battery. It also provides a more up to date driver for the hdaps accelerometer. Here's how to get it running:

  1. Get the source:
    wget http://downloads.sourceforge.net/tpctl/tp_smapi-0.34.tgz
  2. Unzip the source and go into the directory:
    tar xvzf tp_smapi-0.34.tgz && cd tp_smapi-0.34
  3. Build and install it with the new hdaps driver:
    make install HDAPS=1
  4. In order to get the module probed on bootup, just add "tp_smapi" to /etc/modules.
    echo tp_smapi >> /etc/modules
  5. You can find a list of userspace applications that utilise this driver here. I use the gkrellm plugin:
su -c 'aptitude install libgtk2.0-dev'
cd /usr/local/src
wget http://www.ksp.sk/~rasto/gkrellm-thinkbat/gkrellm-thinkbat-latest.tar.gz
tar xvzf gkrellm-thinkbat-latest.tar.gz
cd gkrellm-thinkbat-0.2.2
make install

Configuring ACPI

thinkpad_acpi/enabling hotkeys

First of all, similar to tp_smapi it seems that thinkpad-acpi doesn't load automatically, so put it in /etc/modules as well.
echo thinkpad_acpi >> /etc/modules

If it has somehow found itself installed (as is the case if you selected "laptop" packages in the initial installation), get rid of hotkey-setup. It's totally unnecessary with the new thinkpad-acpi module which captures all the keys just fine.

aptitude purge hotkey-setup

The same goes for tpb. thinkpad-acpi now covers the gap in key-coverage that this previously made up for.

Now to enable some hotkeys. Assuming you have acpid running, you can monitor acpi events by typing

tail -f /var/log/acpid

You'll find that with thinkpad_acpi probed with the default parameters, you get an acpi event for all Fn-F# key combinations except Fn-F7 and Fn-F10. You also get acpi events for Fn-Space, Fn-Home, Fn-End, Fn-PgUp, ThinkVantage, Mute, VolUp, VolDown, Power, Wireless switch on/off as well as lid open/close. You might notice however that the Fn-F4 and Fn-F10 events seem to register for individual keypresses that are sufficiently spaced in time. You can enable an event for Fn-F7, by changing the value of /sys/devices/platform/thinkpad_acpi/hotkey_mask to the value of /sys/devices/platform/thinkpad_acpi/hotkey_all_mask.

cat /sys/devices/platform/thinkpad_acpi/hotkey_all_mask > /sys/devices/platform/thinkpad_acpi/hotkey_mask

To make this permanent, you need to change the mask in /etc/modprobe.d/thinkpad_acpi.modprobe so that the the only uncommented line is

options thinkpad_acpi hotkey=enable,0x00ffffff experimental=1

acpid

The next question you're probably asking is "what do you with all these acpi events?". That's where acpid comes in. Every time the acpid deamon starts up, it reads all the files contained in the /etc/acpi/events directory. These files contain the names of all events that acpi should acknowledge and what to do when they are recieved. The syntax is pretty simple:

event=<name of event>
action=<what to execute upon registering that event>

As noted previously, you can experiment with generating various events by watching the /var/log/acpid file and determining what events go with what key. You might also notice that there are a few events that are generated by other things (like a change in CPU frequency scaling states). By convention the action scripts are all contained in /etc/acpi/. If you write your own, make sure they have the same permissions as all the others. For more info check out the How_to_configure_acpid page. You might also want to check out How_to_get_special_keys_to_work for some attempts at cataloguing some of the events generated. Note that you can change the scripts without restarting acpid but if you change the event files, you need to restart it so that it reads in the modified versions.

The main advantage of using acpi events is that you can use the special keys to execute scripts that require root access (since acpid is run by root). You should also keep this in mind from a security perspective. You shouldn't give too much power to the hotkeys lest you allow someone to do too much without the root password.

You can also have the acpi event generating keys generate xevents by putting acpi_fakekey commands into the action scripts. This maps the keys to xevent keycodes (which can be monitored by the xev utility). These keycodes can then be mapped to various keysyms via Xmodmap which can be picked up by userspace keygrabbers such as openbox or bbkeys. An example of this can be found in /etc/acpi/lockbtn.sh. I still haven't quite figured out how the argument to acpi_fakekey corresponds to the resulting keysym however.

dpkg-divert /etc/acpi

You're likely going to want to do a lot of customising of the /etc/acpi/ directory, most (or probably all) of which was originally put there by the acpi-support package. The problem with this this is that next time there's an update to that package its going to want to change back all those changes you made to the distribution defaults. Now the distribution defaults are good for a reference point, but you want ultimate control over how your acpi system behaves and don't want it changing every time that there's a package upgrade. Enter dpkg-divert. This handy utility will allow you to keep the original distribution files and even have them upgraded, but keep your heavily customised /etc/acpi directory safe. Assuming you have an unmodified /etc/acpi directory to start with,

dpkg-divert --add --rename --divert  /etc/acpi.dpkg-dist /etc/acpi

will move /etc/acpi to /etc/acpi.dpkg-dist and divert files from any packages to the latter. Now since your system is still looking for an /etc/acpi directory for its actual configuration, you want to have something there to start modifying from, so copy the unmodified directory back

cp -r /etc/acpi.dpkg-dist /etc/acpi

and go wild with your customisations on /etc/acpi.

hd power management: laptop-mode

There was a lot of buzz a couple months back about aggressive hd power management shortening the life of drives by excessively parking and unparking the disk heads (note that this is different that what happens with hdapsd). I'm not going to go into the gorey details. You should probably follow the above link and dig around on the web if you're really concerned about this. Suffice it to say, it's a good idea to have an awareness of hd power management an in particular be aware that there is some overlapping functionality between the laptop-mode and acpi-suppport packages and that if you aren't careful, they may even come into conflict.

First of all, you may note that in the above init scripts, I have disabled acpi-support. If you take a look at what that does and follow your nose, you'll find that pretty much the only thing it's doing is running /etc/acpi/battery.d/90-hdparm.sh which sets aggressive disk power management for both hard disk and cdrom if it is detected that the laptop is on batteries at bootup. On the other hand, it sets it less aggressively with /etc/acpi/ac.d/90-hdparm.sh if ac power is detected. You'll also find that there is an acpi event associated with connecting and disconnecting the power which, by default call the script /etc/acpi/power.sh which runs one of the aforementioned scripts according to the new adapter state.

This is probably a good idea in principle. Aggressive power management tells the disks to spin down more often and thereby conserve battery power. Laptop hard disks are designed to do this relatively frequently, but their so-called rated "load-cycle count" is finite falling generally in the 600,000 parks/unparks range. But there is more . . .

For one, it doesn't appear that the cdrom plays well with the hdparm command used to modify the power settings as evidenced by scary looking kernel messages to the tune of

hda: drive_cmd: status=0x51 { DriveReady SeekComplete Error }
hda: drive_cmd: error=0x04 { AbortedCommand }
ide: failed opcode was: 0xec

upon even querying the drive with what should be an innocuous request for basic information: hdparm -I /dev/hda. For this reason, it would seem that we don't want to be sending any hdparm commands to the cdrom drive.

Secondly, there is the issue that you might have laptop-mode enabled to to do the same thing and you probably don't want the two doubling the effort, or worse, fighting with each other. Something further to consider is that at the same time as it deals with the level of drive power management, laptop-mode makes an effort not to spin the drive up as often once it's been spun down. It would seem to make sense then, to have both these efforts coordinated by the broader scope of laptop-mode alone. As an added bonus, laptop-mode doesn't touch the cdrom.

So here's how I hand the matter over to laptop mode:

  1. Disable the /etc/init.d/acpi-support boot script with sysv-rc-conf as described above.
  2. Remove the files 90-hdparm.sh from /etc/acpi/ac.d and /etc/acpi/battery.d.
  3. Make sure laptop-mode gets started at boot up with sysv-rc-conf as described above.
  4. Enable power hardrive power managment from within laptop mode by editing /etc/laptop-mode/laptop-mode.conf so that the line
    CONTROL_HD_POWERMGMT=0
    becomes
    CONTROL_HD_POWERMGMT=1
  5. If you want to be a more conservative with your drive life (at the expense of battery life), you probably want to change the line
    BATT_HD_POWERMGMT=1
    to something more like
    BATT_HD_POWERMGMT=180
  6. Now you can enhance laptop mode to further reduce drive spin up. First, you can have syslog not sync all the time on battery which requires disk write access and consequently spinup. Just run lm-syslog-setup and answer yes to the question of whether or not you want to create the split syslog configuration.
  7. You can crank up the LM_READAHEAD=8192 if you have lots of RAM (don't forget to make sure that CONTROL_READAHEAD=1).
  8. You can set CONTROL_NOATIME=1 to prevent disk writes related to updating file access times while on battery.

This is only the tip of the iceberg for laptop-mode configuration.

sleep

64-bit headaches

Java

Ok, so Sun is being lazy and though they've made an amd64 java, they didn't bother to make the accompanying browser plugin. So you're left to try and use the 32-bit version that I've included in my package list above. Unfortunately, this won't work in iceweasel as flash does. You don't however have to start mucking about with chroots if you really need that no doubt ridiculous java app to work. Go to the Firefox download site and grab the linux version. Also if you didn't get it with the rest of the packages I recommended above, get ia32-sun-java5-bin. For some reason this trick doesn't work with ia32-sun-java6-bin, it ends up just hanging the browser.

aptitude install ia32-sun-java5-bin

Now go to the directory where you saved the firefox tarball (it can even be in a subdirectory of your home directory), unzip it and put a symlink to libjavaplugin_oij.so in the firefox/plugins directory.

tar xvzf firefox-2.0.0.11.tar.gz
ln -sf /usr/lib/jvm/ia32-java-1.5.0-sun-1.5.0.13/jre/plugin/i386/ns7/libjavaplugin_oji.so firefox/plugins/

Now, you're ready to enjoy all the wonderful java content the web has to offer via your personal firefox installation. First close any iceweasels you have running, then run

firefox/firefox http://www.java.com/en/download/help/testvm.xml

You should see the stupid java guy. Until Sun joins the rest of us in the 21st century, you're going to have to use this "mini chroot" firefox to view web-applets. The good news is that the vanilla firefox will seamlessly use the same profile directory as iceweasel. You can even use it as your main browser if you want. There's also this blackdown java I've heard of that has a 64-bit web plugin, but the things I've read about its instability have not encouraged me to go hunting for it.