Debian
Contents
Debian
- About
- Base system from scratch
- Extending to a hypervisor
- Some more filesystem
- ksmtuned
- OpenvSwitch
- Network configuration
- Firewalling
- Performance
- Security
- Logitech devices
- Grub-customizer
- Plymouth
- Convertible with Gnome3
- Debian CD-image with jigdo
- Aptitude
- Preseeding
- LVM
- Boot VM via HTTP, HTTPS or FTP
About
Releases
Debian repo README - 2021-09-12
This directory, dists, is the canonical way to access the distributions.
Each distribution can be accessed by name or state from here.

oldoldoldstable, or jessie - the released Debian 8.11
oldoldstable, or stretch - the released Debian 9.13
oldstable, or buster - the released Debian 10.10
stable, or bullseye - the released Debian 11.0
oldoldstable-proposed-updates - possible updates to Debian 9
oldstable-proposed-updates - possible updates to Debian 10
proposed-updates - possible updates to Debian 11
jessie-updates - important updates to Debian 8
stretch-updates - important updates to Debian 9
buster-updates - important updates to Debian 10
bullseye-updates - important updates to Debian 11
testing, or bookworm - the development version of the next release
unstable, or sid - untested candidate packages for future releases
experimental, or rc-buggy - experimental packages to be used on top of unstable
Base system from scratch
The task
The remote system is a dedicated root server in a Hetzner datacenter. Only a live Linux (amd64) is running, reachable by ssh with pubkey authentication. We have the option to restart/reset the live Linux or to boot into the new system. So the logs of the new system, plus its status (running/stopped), are all the information we get after the reboot: everything below has to be right the first time.
Preparations
Set up the DNS resource records for IPv4 (A, PTR) and IPv6 (AAAA, PTR).
Partitioning
For instructions on partitioning please also see
storage#Partitioning
Debian partman units
Off-topic (debian-installer), but nice to know.
Hint: Debian partman units
Debian partman does not understand binary units like KiB, MiB or GiB; all units are SI units (powers of 10). The default unit (no unit given) is "1m", aligned to the next cylinder (1 MiB).
The sizes of the partitions will not be what you expect.
To get the sizes you intend, you may either:
- partition manually with parted in a separate shell and enter partman when done, or
- enter the sizes in bytes with the unit "b" or "B" (do not leave it out). Some examples:
Create the partitions on the first disk
Align them to full 1 MiB (binary megabyte) boundaries, because
- this keeps reads/writes aligned to the 4096-byte physical sectors (see "Sector size" in the parted output below). Misalignment degrades performance significantly.
- 1 MiB is a power of two (1, 2, 4 (the memory page size), 8, ... 2^n KiB), so any stripe or cluster size up to that will still be aligned.
The boot partition should be at least 256 MiB, initial ramdisks can be large:
(vmlinuz 6 MiB + initrd 50 MiB + System.map 4 MiB) = 60 MiB per kernel, so at most 3 kernels …
parted
GNU Parted 3.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit MiB
(parted) print free
Model: ATA HGST HUS726060AL (scsi)
Disk /dev/sda: 5723167MiB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:

Number  Start       End         Size        File system  Name           Flags
        0.02MiB     1.00MiB     0.98MiB                  Free Space
 1      1.00MiB     2.00MiB     1.00MiB                  bios_grub_sda  bios_grub
 2      2.00MiB     256MiB      254MiB      fat16        EFI_sda        boot, esp
 3      256MiB      131072MiB   130816MiB                swap1_sda      raid
 4      131072MiB   5723166MiB  5592094MiB  btrfs        root_sda
        5723166MiB  5723167MiB  0.98MiB                  Free Space
Clone GPT to other disk
Clone the GPT and then give the copy its own GUIDs. sgdisk -R replicates the table of the device given as argument onto the device named by the option, as an exact copy including all GUIDs, so -G has to be run on the destination afterwards. (A single sgdisk -G /dev/sda -R /dev/sdb does not do that: the copy keeps the same GUIDs as the source, which is exactly what the blkid listing further down shows, sda1/sdb1, sda2/sdb2 etc. share one PARTUUID each.)
sgdisk -R /dev/sdb /dev/sda
sgdisk -G /dev/sdb
Create a multidisk RAID1 as swap
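As an added example (not code from the page): the clone step as a function that replicates the table and then randomizes the copy's GUIDs, a check that parses blkid output for PARTUUIDs shared by more than one device, and the mirrored swap that this heading asks for. Device names, partition numbers and the array name md_swap1 are taken from this page; the sample blkid listing embedded in the script is the one from the fstab section below, i.e. the state after the original sgdisk invocation. Nothing destructive runs unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not from the page: GPT clone with unique GUIDs, a PARTUUID
# duplicate check over blkid output, and the RAID1 swap. Destructive commands
# only run with APPLY=1; otherwise they are printed.
set -e

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "# would run: $*"; fi; }

# clone_gpt SRC DST : -R replicates SRC's table onto DST (an exact copy, GUIDs
# included), so -G must run on DST afterwards to give it its own disk and
# partition GUIDs
clone_gpt() {
    run sgdisk -R "$2" "$1"
    run sgdisk -G "$2"
}

# dup_partuuids : read blkid output on stdin, print each PARTUUID that more
# than one device carries, followed by those devices
dup_partuuids() {
    sed -n 's/^\([^:]*\):.*PARTUUID="\([^"]*\)".*/\2 \1/p' \
    | sort \
    | awk '{ dev[$1] = dev[$1] " " $2; n[$1]++ }
           END { for (u in n) if (n[u] > 1) print u ":" dev[u] }'
}

# make_swap_raid1 DEV1 DEV2 : mirrored swap; the array name is the one the
# page's mdadm.conf uses, the swap label the one its blkid output shows
make_swap_raid1() {
    run mdadm --create /dev/md/md_swap1 --level=1 --raid-devices=2 --metadata=1.2 "$1" "$2"
    run mkswap -L md_swap1 /dev/md/md_swap1
}

# sample_blkid : the blkid listing from the fstab section of this page
# (constructed test input for dup_partuuids, shortened to the relevant fields)
sample_blkid() {
    cat <<'EOF'
/dev/sdb4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" TYPE="btrfs" PARTLABEL="root_sdb" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
/dev/loop0: UUID="40c4ea95-0ecc-4c51-9f3e-e49d8f62f160" TYPE="ext2"
/dev/sda1: PARTLABEL="bios_grub_sda" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
/dev/sda2: LABEL="EFI" UUID="8AC4-4574" TYPE="vfat" PARTLABEL="EFI_sda" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
/dev/sda3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" TYPE="linux_raid_member" PARTLABEL="swap1_sda" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
/dev/sda4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" TYPE="btrfs" PARTLABEL="root_sda" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
/dev/sdb1: PARTLABEL="bios_grub_sdb" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
/dev/sdb2: PARTLABEL="EFI_sdb" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
/dev/sdb3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" TYPE="linux_raid_member" PARTLABEL="swap1_sdb" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
/dev/md127: LABEL="md_swap1" UUID="87294740-52c4-4557-b838-ddc44ba8aa4b" TYPE="swap"
EOF
}

case ${1:-} in
    clone) clone_gpt /dev/sda /dev/sdb; blkid | dup_partuuids ;;   # empty output = all unique
    swap)  make_swap_raid1 /dev/sda3 /dev/sdb3 ;;
    demo)  sample_blkid | dup_partuuids ;;
esac
```

Run `sh script.sh demo` to see the four duplicated PARTUUIDs of the page's listing; after `APPLY=1 sh script.sh clone` the check at the end must print nothing. The swap array can be formatted while it is still syncing; a RAID1 is usable immediately.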
Filesystems
Btrfs root
Creation
Create a btrfs filesystem
Mount options
Some considerations about the chosen mount options. Please compare with
man 5 btrfs
Mount options are global to the filesystem and cannot be set per subvolume.
NO nodatacow
> Nodatacow implies nodatasum, and disables compression.
- Luckily CoW can be switched off per directory/file instead (chattr +C), which is what I do for the disk images. The attribute only takes effect on empty files, so set it on the still empty directory and every file created in it inherits it. This way I can stick with datacow without losing too much performance.
compress=zstd
For compress I would today prefer zstd over lzo for its higher compression ratio at still fast decompression. Possible values for compress are zlib, lzo, zstd or no. zlib and zstd take an optional level, separated by a colon (like zstd:3): 1-9 for zlib, 1-15 for zstd, default 3 for both; 0 selects the default.
qcow2 disk images are not compressed on the fly: compression happens only when an image is created or converted with compression switched on (qemu-img ... -c), and anything written afterwards is stored and read uncompressed. So there is no double compression that would cost latency.
NO autodefrag
The mount option autodefrag is not well suited for database-like workloads with lots of small random writes (<64 KiB). This can be the case on a hypervisor, too.
- I'm using NVMe SSDs, so data is randomly accessible, as opposed to rotational media. Not using autodefrag may also prolong SSD lifetime.
- On rotational media I would probably use the option, but I haven't measured the difference yet.
discard=async
- I'm currently using NVMe SSDs in the server and the filesystem sits directly on the raw partition, so the whole storage stack supports TRIM. I'll also be running a Linux kernel >= 5.6, where asynchronous discard is available.
acl
- Support for POSIX Access Control Lists (ACLs) is enabled by default; it does not have to be specified explicitly.
space_cache
space_cache=v1 is enabled by default (newer kernels and btrfs-progs default to v2, the free space tree).
noatime
- …
Subvolumes
Using subvolumes has some advantages.
- With multiple independent filesystems, each resides on its own partition, which is only a fraction of the whole disk. With a single partition holding one filesystem with subvolumes, no subvolume is limited to the size of a small partition; the whole filesystem's space is available to each. Space limits can still be introduced with quotas.
- Snapshots can be taken of each subvolume independently (or recursively).
So you don't have to roll back changes to e.g. /var/log when you revert your root filesystem to an earlier version.
- Identical files on different subvolumes can be deduplicated. This saves disk space, cache and IOPS.
Create a subvolume for the filesystem to be mounted on / and make it the default subvolume. (The mount options in the listings below stem from an earlier run with compress=lzo and autodefrag; the later mount output shows the options chosen above, compress=zstd:3 and discard=async.)
### CREATE SUBVOLUMES
mount -o noatime,compress=lzo,space_cache,autodefrag /dev/sdb4 /mnt
btrfs subvolume create /mnt/root

### DETERMINE SUBVOLUMEID OF THE NEW SUBVOL root
btrfs subvolume list /mnt
ID 258 gen 8 top level 5 path root

### MAKE THE NEW SUBVOL root THE DEFAULT SUBVOLUME
btrfs subvolume get-default /mnt/
ID 5 (FS_TREE)
btrfs subvolume set-default 258 /mnt

### TEST THE NEW DEFAULT MOUNT
umount /mnt
mount -o noatime,compress=lzo,space_cache,autodefrag /dev/sdb4 /mnt
mount -t btrfs
/dev/sda4 on /mnt type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root)
There are no other paths yet where other subvolumes could be mounted. So either we wait until debootstrap has done its magic or we create the directories ourselves. IMHO this is at least useful for "/home" and "/var/log".
TARGET="/mnt"
for DIR in "home" "var/log"; do
    install -o root -g root -m 0755 -d "$TARGET/$DIR"
done

### MOUNT THE TOP LEVEL SUBVOLUME
TOP_LEVEL="/media/btrfs5"
mkdir "$TOP_LEVEL"
mount -o noatime,compress=lzo,space_cache,autodefrag,subvolid=5 /dev/sdb4 "$TOP_LEVEL"

btrfs subvolume create "$TOP_LEVEL/home"
btrfs subvolume create "$TOP_LEVEL/var_log"

### MOUNT THE SUBVOLUMES
### MOUNT OPTIONS ARE INHERITED FROM THE TOP_LEVEL MOUNT
mount -o noatime,subvol=/home /dev/sdb4 /mnt/home
mount -o noatime,subvol=/var_log /dev/sdb4 /mnt/var/log

### VALIDATE THE RESULT
mount -t btrfs
/dev/nvme0n1p3 on /media/btrfs5 type btrfs (rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=5,subvol=/)
/dev/nvme0n1p3 on /mnt type btrfs (rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=262,subvol=/root)
/dev/nvme0n1p3 on /mnt/home type btrfs (rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=265,subvol=/home)
/dev/nvme0n1p3 on /mnt/var/log type btrfs (rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=266,subvol=/var_log)
debootstrap
Install the base system
Migrating data to subvolumes
If you are fine with the subvolumes you created before, just skip this.
This procedure is useful if you want to move a part of the filesystem into its own subvolume, exercised here with the example of /var/log.
### MOUNT THE TOP_LEVEL SUBVOLUME ("/", ID=5) WITH YOUR CHOSEN OPTIONS
### TO A DIRECTORY OF YOUR CHOICE (E.G. /media/btrfs5)
DEVICE="/dev/sdb4"
TOP_LEVEL="/media/btrfs5"
[ -d "$TOP_LEVEL" ] || mkdir "$TOP_LEVEL"
mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/ "$DEVICE" "$TOP_LEVEL"
mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/root "$DEVICE" /mnt

### CREATE A SNAPSHOT OF THE SUBVOLUME "root"
### NEXT TO ITSELF WITH THE NAME "var_log" AND
### REMOVE EVERYTHING EXCEPT "/var/log" (THE SNAPSHOT IS COW, THE ORIGINAL IS UNTOUCHED)
btrfs subvolume snapshot "$TOP_LEVEL"/root "$TOP_LEVEL"/var_log
find "$TOP_LEVEL"/var_log -mindepth 1 -maxdepth 1 \! -name var -exec rm -r -- {} +
### find INSTEAD OF A SHELL GLOB: ALSO MOVES DOT-FILES AND COPES WITH ODD NAMES
find "$TOP_LEVEL"/var_log/var/log -mindepth 1 -maxdepth 1 -exec mv -t "$TOP_LEVEL"/var_log -- {} +
rm -r "$TOP_LEVEL"/var_log/var/

find "$TOP_LEVEL"/root/var/log -mindepth 1 -maxdepth 1 -exec rm -r -- {} +
mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/var_log "$DEVICE" /mnt/var/log/

### VERIFY YOUR MOUNTS
mount -t btrfs
/dev/sda4 on /media/btrfs5 type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=5,subvol=/)
/dev/sda4 on /mnt type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root)
/dev/sda4 on /mnt/home type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=261,subvol=/home)
/dev/sda4 on /mnt/var/log type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=262,subvol=/var_log)
Prepare EFI filesystems
Just skip it.
If you don't have physical access to the system (or to its UEFI/BIOS setup), just forget about it; it only causes trouble.
Create the filesystems
fstab
Make sure to use filesystem UUIDs and not device nodes in fstab.
Device names (/dev/sdX) are assigned in probe order and will change; a boot that waits for a device which is now called differently will fail.
blkid
/dev/sdb4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" UUID_SUB="d65eac71-86ca-45e0-b59a-7c872de54e59" TYPE="btrfs" PARTLABEL="root_sdb" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
/dev/loop0: UUID="40c4ea95-0ecc-4c51-9f3e-e49d8f62f160" TYPE="ext2"
/dev/sda1: PARTLABEL="bios_grub_sda" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
/dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="EFI" LABEL="EFI" UUID="8AC4-4574" TYPE="vfat" PARTLABEL="EFI_sda" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
/dev/sda3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" UUID_SUB="9e9e8cf9-9b01-6128-e2b6-acf8e04e7e9e" LABEL="rescue:md_swap1" TYPE="linux_raid_member" PARTLABEL="swap1_sda" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
/dev/sda4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" UUID_SUB="6c72fb67-6c5d-40bc-a4b4-dd34199a1d2b" TYPE="btrfs" PARTLABEL="root_sda" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
/dev/sdb1: PARTLABEL="bios_grub_sdb" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
/dev/sdb2: PARTLABEL="EFI_sdb" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
/dev/sdb3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" UUID_SUB="981dfa0d-6584-2576-a51a-02102935a87b" LABEL="rescue:md_swap1" TYPE="linux_raid_member" PARTLABEL="swap1_sdb" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
/dev/md127: LABEL="md_swap1" UUID="87294740-52c4-4557-b838-ddc44ba8aa4b" TYPE="swap"
Generate a fstab
We can generate a fstab from the current mounts.
/mnt/usr/local/sbin/fstab_gen.sh
#!/bin/bash

unset FSTAB
unset FILESYSTEMS
FILTER_UUID='[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}'

HEADER="# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5)."
HEADER_COLUMN="#<file_system> <mount_point> <type> <options> <dump> <pass>"

### TMPFS
FSTAB='none /tmp tmpfs nosuid,nodev,noexec,mode=1777,huge=within_size 0 0'

### SWAP (DUMP/PASS WRITTEN OUT, THEY DEFAULT TO 0 ANYWAY)
DEVICE="$(swapon -s |tail -n+2 |awk '{print $1}')"
eval "$(blkid -o export "$DEVICE" |grep '^UUID=')"
FSTAB="$(echo -e "$FSTAB"'\n'"UUID=$UUID none swap sw 0 0")"

### DETECT DEVICES WITH FILESYSTEMS
unset DEVICES
declare -a DEVICES
for TYPE in btrfs xfs ext3 ext4; do
    DEVICES+=( $(blkid \
        |grep " TYPE=\"$TYPE\" " \
        |cut -d: -f1; )
    )
done

for DEVICE in "${DEVICES[@]}"; do
    eval "$(blkid -o export "$DEVICE" |grep '^UUID=')"
    ### ANCHOR ON "DEVICE " SO THAT /dev/sda1 DOES NOT ALSO MATCH /dev/sda10
    LINE="$(grep "^$DEVICE " /proc/self/mounts \
        |sed -r "s#^$DEVICE #UUID=$UUID #" \
        |sed -r 's#mnt/?##' \
        |column -t
    )"
    ### FILTER ROOTFS AND SET PASS TO 1
    LINE="$(echo "$LINE"|sed -r 's/^(UUID='"$FILTER_UUID"'\s+\/\s+\w+\s+\S+\s+0\s+)0$/\11/')"
    FILESYSTEMS="$(echo -e "$FILESYSTEMS"'\n'"$LINE")"
done

### DROP EMPTY LINES, DEDUPLICATE, APPEND
FSTAB+=$'\n'"$(echo "$FILESYSTEMS" |sed '/^$/d' |sort -u)"
FSTAB="$(echo -e "$HEADER_COLUMN"'\n'"$FSTAB" |column -t)"

echo -e "$HEADER\n\n$FSTAB"
Use it like
/mnt/usr/local/sbin/fstab_gen.sh |tee /mnt/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).

#<file_system> <mount_point> <type> <options> <dump> <pass>
none /tmp tmpfs nosuid,nodev,noexec,mode=1777,huge=within_size 0 0
UUID=bf72216d-18ae-4bf3-b2d2-e085549d11b0 none swap sw
UUID=18341d59-023b-4067-833a-3220d57fc513 / btrfs rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=262,subvol=/root 0 1
UUID=18341d59-023b-4067-833a-3220d57fc513 /home btrfs rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=265,subvol=/home 0 0
UUID=18341d59-023b-4067-833a-3220d57fc513 /media/btrfs5 btrfs rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=5,subvol=/ 0 0
UUID=18341d59-023b-4067-833a-3220d57fc513 /var/lib/libvirt btrfs rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=263,subvol=/var_lib_libvirt 0 0
UUID=18341d59-023b-4067-833a-3220d57fc513 /var/log btrfs rw,noatime,compress=zstd:3,ssd,discard=async,space_cache,subvolid=266,subvol=/var_log 0 0
Edit fstab to reflect the new structure of the filesystem
/mnt/etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).

#<file_system> <mount_point> <type> <options> <dump> <pass>
UUID=87294740-52c4-4557-b838-ddc44ba8aa4b none swap sw 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 / btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root 0 1
UUID=8AC4-4574 /boot/EFI vfat utf8 0 0
UUID=B3B5-67FA /boot/EFI_SDB vfat utf8 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /home btrfs rw,noatime,compress=lzo,autodefrag,subvolid=261,subvol=/home 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/log btrfs rw,noatime,compress=lzo,autodefrag,subvolid=262,subvol=/var_log 0 2
Validate fstab
Verify /etc/fstab in the chroot environment
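An added example (not a tool from the page) of what "verify" can mean before the first reboot, run from the live system against /mnt/etc/fstab: every block device is referenced by UUID=/PARTUUID=/LABEL= and never by /dev node, the root has pass 1, btrfs subvolumes have pass 0 (fsck.btrfs is a no-op), /tmp on tmpfs carries nosuid and nodev, and dump/pass are written out on every line. The rules are assumptions about what you want enforced; the mount points and options in the test input are those of this page.

```sh
#!/bin/sh
# Added example, not from the page: static lint for an fstab. Prints one line
# per finding and returns 1 if there were any.

# fstab_check FILE
fstab_check() {
    file=$1 n=0 bad=0
    while read -r fs mp type opts dump pass extra; do
        n=$((n + 1))
        case $fs in ''|'#'*) continue ;; esac     # blank and comment lines
        if [ -z "$pass" ]; then
            echo "$file:$n: dump/pass missing (mount defaults them to 0 0); write them out"
            bad=$((bad + 1)); pass=0
        fi
        case $fs in
            /dev/*) echo "$file:$n: $fs is a device node; use UUID=... from blkid"; bad=$((bad + 1)) ;;
        esac
        if [ "$mp" = / ] && [ "$pass" != 1 ]; then
            echo "$file:$n: root filesystem should have pass 1"; bad=$((bad + 1))
        fi
        if [ "$type" = btrfs ] && [ "$mp" != / ] && [ "$pass" != 0 ]; then
            echo "$file:$n: btrfs subvolume $mp: pass should be 0 (fsck.btrfs does nothing)"; bad=$((bad + 1))
        fi
        if [ "$type" = tmpfs ] && [ "$mp" = /tmp ]; then
            # wrap in commas so that "nosuid" is matched as a whole option
            case ",$opts," in *,nosuid,*) ;; *) echo "$file:$n: /tmp lacks nosuid"; bad=$((bad + 1)) ;; esac
            case ",$opts," in *,nodev,*)  ;; *) echo "$file:$n: /tmp lacks nodev";  bad=$((bad + 1)) ;; esac
        fi
    done < "$file"
    [ "$bad" -eq 0 ]
}

if [ $# -ge 1 ]; then fstab_check "$1"; fi
```

Complement it with util-linux: `findmnt --verify --tab-file /mnt/etc/fstab` checks that the UUIDs in the file actually exist and that the filesystem types are known, which a pure text check cannot do.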
Chroot into new system
Prepare and enter the chroot
On GRML there is a command called grml-chroot, which simplifies some of these steps.
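As an added example (not from the page, and not grml-chroot itself): the bind mounts a chroot needs so that grub-install, update-initramfs and apt work inside it, plus the teardown in reverse order, so the same sequence works from any live medium. TARGET defaults to /mnt as on this page and is assumed to hold a finished debootstrap; DRY_RUN=1 only prints the commands.

```sh
#!/bin/sh
# Added example, not from the page: prepare and tear down a chroot.
# DRY_RUN=1 prints the commands instead of executing them.
set -e

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# chroot_prepare TARGET : outermost mounts first
chroot_prepare() {
    t=${1:-/mnt}
    for m in /dev /proc /sys /run; do
        run mkdir -p "$t$m"
    done
    run mount --rbind /dev  "$t/dev"
    run mount --make-rslave "$t/dev"     # an umount inside the chroot must not propagate to the host
    run mount -t proc proc  "$t/proc"
    run mount --rbind /sys  "$t/sys"
    run mount --make-rslave "$t/sys"
    run mount --rbind /run  "$t/run"     # udev database, systemd-resolved stub file, ...
    run mount --make-rslave "$t/run"
    # -L dereferences a resolv.conf that is a symlink into /run on the live system
    run cp -L /etc/resolv.conf "$t/etc/resolv.conf"
}

# chroot_teardown TARGET : recursive umount, innermost first
chroot_teardown() {
    t=${1:-/mnt}
    for m in /run /sys /proc /dev; do
        run umount -R "$t$m"
    done
}

case ${1:-} in
    prepare)  chroot_prepare "${2:-/mnt}"; run chroot "${2:-/mnt}" /bin/bash -l ;;
    teardown) chroot_teardown "${2:-/mnt}" ;;
esac
```

Without --make-rslave, systemd's default shared propagation means an `umount -R` of /sys inside the chroot also unmounts cgroups and friends on the host; rbind plus rslave is what grml-chroot and arch-chroot do as well.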
Basic Configuration
Add some essential packages
Install essential packages
apt install \
    apt-file apt-transport-https aptitude bash-completion byobu btrfs-progs ca-certificates curl \
    dmidecode dnsutils dosfstools ethtool git gpm hdparm htop iftop info \
    iotop jq libcrack2 locales lsb-release lsof man-db mc mlocate net-tools openssl \
    parted pigz psmisc pv pwgen python3-apt rsync screen sqlite3 ssl-cert strace \
    sudo sysstat tmux unattended-upgrades vim wget zsh
Configure vim
Adjust it to your needs like in vim
zsh grml-flavoured
I strongly recommend this config! It's simply awesome. Thanks for this!
Adjust hostname and mailname
Set the hostname
Please see also Names#hostnames on this topic.
Load the hostname and exec a new shell
Renew your ssh host-keys
Optionally renew your ssh host-keys (e.g. when cloned)
Adjust hosts
/etc/hosts
Please make sure the canonical name/FQDN is listed in front of any additional aliases, or the server may not be able to determine its own domain. Further, the canonical name/FQDN should not point to the loopback (lo) interface of the server.
Configure locales
dpkg-reconfigure locales
Adjust timezone
Configure apt sources
/etc/apt/sources.list.d/buster.list
deb http://ftp.de.debian.org/debian buster main contrib non-free
deb-src http://ftp.de.debian.org/debian/ buster main contrib non-free
deb http://ftp.de.debian.org/debian/ buster-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ buster-updates main contrib non-free
deb http://security.debian.org/debian-security/ buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security/ buster/updates main contrib non-free
#deb http://ftp.de.debian.org/debian/ buster-backports main contrib non-free
#deb-src http://ftp.de.debian.org/debian/ buster-backports main contrib non-free
/etc/apt/sources.list.d/bullseye.list
deb http://ftp.de.debian.org/debian bullseye main contrib non-free
deb-src http://ftp.de.debian.org/debian/ bullseye main contrib non-free
deb http://ftp.de.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ bullseye-updates main contrib non-free
deb http://security.debian.org/debian-security/ bullseye-security main contrib non-free
deb-src http://security.debian.org/debian-security/ bullseye-security main contrib non-free
deb http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ bullseye-backports main contrib non-free
Mirrors
Some important mirrors
Simple command to exchange the mirrors
Pinning: apt_preferences
If you create a preferences file like /etc/apt/preferences{,.d/filename{,.pref}}, make sure the pinning blocks are separated by a line that contains no whitespace characters at all, or apt will not respect your preference.
This example caused (invisible) problems because of ^I (Tab) characters on the lines between the blocks!
Check preferences
apt-cache policy |grep -C1 release
The command that searches the headers of the Release files (from #Additional_releases) may be of use when investigating problems with pinning.
Some notes regarding preferences
If you are using multiple codenames on one system at once (e.g. Buster: 500, Bullseye: 400), change the priority of the respective backports to slightly less than their corresponding codename (e.g. Buster: 490, Bullseye: 390).
Background: if you leave them at 100 (the default) and install a package from backports explicitly, like an updated kernel, it will be upgraded to the codename with the higher priority as soon as a package of the same name but with a higher version is available there. This may not be what you intended.
Debian codenames with suffixes (-updates, -security) should have the same priority as their main codename. This ensures you have the most recent and secure version installed.
If you are switching between packages from different codenames, make sure to mark dependencies as "installed automatically" ("M" in aptitude), or manually installed packages that are not required by any other manually installed package will end up as garbage. Garbage can be identified using:
aptitude search '~g'
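As an added example (not a file or tool from the page): a preferences file that follows the priorities discussed above (buster 500, bullseye 400, their backports 490/390, the -updates/-security suites at the priority of their base release), and a small linter that catches the whitespace-only "separator" lines the warning above is about, as well as stanzas missing one of Package/Pin/Pin-Priority. The suite names are the page's; which suites you pin is your choice, and the Codename values can be checked with `apt-cache policy`.

```sh
#!/bin/sh
# Added example, not from the page: a preferences file for two parallel
# releases, and a linter for the whitespace-only-line problem.

# apt_prefs_example : print a preferences file with the priorities from the text
apt_prefs_example() {
    cat <<'EOF'
Package: *
Pin: release n=buster
Pin-Priority: 500

Package: *
Pin: release n=buster-updates
Pin-Priority: 500

Package: *
Pin: release n=buster-backports
Pin-Priority: 490

Package: *
Pin: release n=bullseye
Pin-Priority: 400

Package: *
Pin: release n=bullseye-security
Pin-Priority: 400

Package: *
Pin: release n=bullseye-backports
Pin-Priority: 390
EOF
}

# apt_prefs_lint FILE : report whitespace-only lines (apt does not treat them
# as stanza separators) and incomplete stanzas; exit 1 if anything was found
apt_prefs_lint() {
    awk -v file="$1" '
        function flush() {
            if (seen && !(have["Package"] && have["Pin"] && have["Pin-Priority"])) {
                printf "%s:%d: stanza lacks Package, Pin or Pin-Priority\n", file, NR; bad++
            }
            split("", have); seen = 0
        }
        /^[[:space:]]+$/ { printf "%s:%d: whitespace-only line, not a stanza separator for apt\n", file, NR; bad++; next }
        /^$/            { flush(); next }
        /^#/            { next }
        { seen = 1; sub(/:.*/, ""); have[$0] = 1 }   # keep the field name only
        END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

case ${1:-} in
    example) apt_prefs_example ;;
    lint)    shift; for f in "$@"; do apt_prefs_lint "$f"; done ;;
esac
```

Typical use: `sh prefs.sh example > /etc/apt/preferences.d/releases.pref`, then `sh prefs.sh lint /etc/apt/preferences /etc/apt/preferences.d/*` and finally `apt-cache policy` to confirm the priorities apt actually computed.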
Apt cli options
Ignore an invalid certificate to install the package 'ca-certificates'. Better: keep the mirror on plain http until ca-certificates is installed; the packages are protected by apt's signature check on the InRelease file, not by TLS. If you have to use https without a trust store, limit Acquire::https::Verify-Peer "false" to that one host (Acquire::https::<mirror>::Verify-Peer) and remove it again afterwards.
Configure mail aliases
/etc/aliases
Reload aliases (hash the database)
newaliases
Networking
ifupdown vs. ifupdown2
Cons
ifupdown2 currently does not support the interfaces(5) keyword metric provided by ifmetric, which is still required as a package. If you end up with multiple default routes (e.g. via dhcp-client) and you don't have access to ifupdown2 >= 1.2.7-1, you should stick with ifupdown.
- 1.2.5-1 supports metric but has Bug 930839
- 1.2.7-1: fixed, working
- Switching is service-interrupting
Pros
New command ifreload which can change status of interfaces without taking them down.
Install ifupdown2
Better do it in a tmux session, because the ssh session will break and not return.
Use Enter ~ . to terminate a frozen ssh client; help about the ssh escape sequences: Enter ~ ?
On Upgrade to buster
If the freshly upgraded system still uses the old interface naming scheme, you may wish to switch. To do so, remove /etc/udev/rules.d/80-net-setup-link.rules as well as /etc/systemd/network/50-virtio-kernel-names.link and rebuild your initial ramdisks.
Please also read: /usr/share/doc/udev/README.Debian.gz
Configure interfaces
Network device names may differ between the live medium and the OS in the chroot that is going to be booted. There is the legacy device naming scheme and there are predictable device names. Starting with Debian Buster, predictable device names are used. Please have a look at
networking#Predictable_device_names
To make sure the system is reachable, you can create entries for both names of the interface.
Luckily ifupdown is very forgiving: even after an error it continues and does not stop execution. Nevertheless, to avoid errors when bringing up the interfaces, use the keyword allow-hotplug instead of auto.
The difference is that interfaces marked as auto (which is synonymous to allow-auto and primarily groups the interfaces) are unconditionally brought up at boot by ifup -a and throw an error if they do not exist.
Interfaces marked as allow-hotplug are brought up by udev when they are detected (e.g. on boot). You can also combine ifup -a with --allow to affect a distinct class, like
ifup -a --allow hotplug
So, if eth0 is marked as allow-hotplug and does not exist, it is neither brought up by ifup -a (auto) nor detected by udev, and thus does not throw an error.
Please compare to
man -P "less -p 'allow-hotplug'" 5 interfaces
/etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)

auto lo
iface lo inet loopback

auto enp0s31f6
iface enp0s31f6 inet static
    address 195.201.246.253/26
    address 2a01:4f8:231:702::2/64
    gateway 195.201.246.193

# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
/etc/network/interfaces
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*

allow-hotplug enp7s0
iface enp7s0 inet static
    address 138.201.27.156/26
    gateway 138.201.27.129
    description "OUTSIDE"

iface enp7s0 inet6 static
    address 01:4f8:171:2f14::2/64
    gateway fe80::1
    description "OUTSIDE"

allow-hotplug eth0
iface eth0 inet static
    address 138.201.27.156/26
    gateway 138.201.27.129
    description "OUTSIDE"

iface eth0 inet6 static
    address 01:4f8:171:2f14::2/64
    gateway fe80::1
    description "OUTSIDE"
A more elaborate configuration can be found at
[[networking#Configure interfaces and routing]]
Check the configuration of the DNS-resolver
Check the DNS resolver configuration in /etc/resolv.conf.
Hetzner defaults
/etc/resolv.conf
SystemD resolved status
resolvectl status
Global
       Protocols: -LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub
Current DNS Server: 185.12.64.1
       DNS Servers: 185.12.64.1 185.12.64.2 2a01:4ff:ff00::add:1 2a01:4ff:ff00::add:2
Fallback DNS Servers: 9.9.9.9 2620:fe::fe

Link 2 (eth0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Install openssh-server
aptitude install openssh-server openssh-client ssh-askpass
If you skipped the step of setting up the hostname you at least should renew the hostkeys.
Make sure ssh-server starts on boot
Embed pubkey for authentication
On the new machine
On the remote machine
Make sure root can log in via pubkey auth. Debian's default PermitRootLogin prohibit-password already allows key-based root login; additionally switch password authentication off altogether:
/etc/ssh/sshd_config
PasswordAuthentication no
Set DNS SSHFP resource records
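As an added example (not from the page): derive the SSHFP records for the host keys of the new system directly from the public key files in the chroot, so the zone can be updated before the first login. The host name and the key directory are assumptions you pass in; the algorithm numbers (1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519) and fingerprint type 2 (SHA-256) are those of RFC 4255, 6594 and 7479, and the fingerprint is the SHA-256 of the raw key blob, i.e. the base64-decoded second field of the .pub file.

```sh
#!/bin/sh
# Added example, not from the page: SSHFP records from OpenSSH public key files.

# sshfp_records HOSTNAME PUBKEYFILE... : one "HOST. IN SSHFP alg 2 hex" line per key
sshfp_records() {
    host=$1; shift
    for file in "$@"; do
        while read -r ktype blob _comment; do
            case $ktype in
                ssh-rsa)            alg=1 ;;
                ssh-dss)            alg=2 ;;
                ecdsa-sha2-nistp*)  alg=3 ;;
                ssh-ed25519)        alg=4 ;;
                *) continue ;;      # comments, sk-* keys and anything else are skipped
            esac
            # fingerprint type 2 = SHA-256 over the decoded key blob
            fp=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d ' ' -f 1)
            printf '%s. IN SSHFP %d 2 %s\n' "$host" "$alg" "$fp"
        done < "$file"
    done
}

# e.g. sh sshfp.sh kvm2.example.org /mnt/etc/ssh/ssh_host_*_key.pub
if [ $# -ge 2 ]; then sshfp_records "$@"; fi
```

`ssh-keygen -r HOST -f KEY.pub` prints the same records (plus the SHA-1 variants, which are not worth publishing). Clients with VerifyHostKeyDNS=yes only accept a key from DNS when the resolver hands the records back DNSSEC-validated (AD bit set); otherwise OpenSSH reports the match but still prompts, so the zone has to be signed for this to replace the first-connection fingerprint check.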
Prepare boot
Just forget about EFI boot in situations where you cannot control the machine's UEFI/BIOS, and stick with grub-pc.
The following steps are the last safeties before the reboot. Please make sure to get them right.
Install the boot-loader
You may also #Chroot into new system from a live medium like GRML.
In this case, with btrfs raid1 across both disks, install grub to both disks so that the box still boots when either disk is missing.
Update the configuration of grub2
Update the initial ram disk (modules, config, …)
Make sure MD-RAID reassembles on next boot
If you assembled the RAID array earlier in the live system, the array carries the live system's hostname in its name (the blkid output above shows rescue:md_swap1 while mdadm.conf says kvm2). mdadm identifies the array by its UUID and fstab references the swap by its own filesystem UUID, so the mismatch is cosmetic (the array may just show up as /dev/md127 instead of /dev/md/md_swap1). To really rename it, update the superblock with mdadm --assemble --update=name (or --update=homehost); editing name= in mdadm.conf alone changes nothing on the disks.
cat /etc/mdadm/mdadm.conf
# mdadm.conf
#
# !NB! Run update-initramfs -u after updating this file.
# !NB! This will ensure that initramfs has an uptodate copy.
#
# Please refer to mdadm.conf(5) for information about this file.
#

# by default (built-in), scan all partitions (/proc/partitions) and all
# containers for MD superblocks. alternatively, specify devices to scan, using
# wildcards if desired.
#DEVICE partitions containers

# automatically tag new arrays as belonging to the local system
HOMEHOST <system>

# instruct the monitoring daemon where to send mail alerts
MAILADDR root

# definitions of existing MD arrays
ARRAY /dev/md/md_swap1 metadata=1.2 UUID=4b81ee7b:00bb3ce6:e83dc0c0:0c449861 name=kvm2:md_swap1

# This configuration was auto-generated on Wed, 22 May 2019 09:56:16 +0000 by mkconf
Create a new mdadm.conf
If there is no config file, create one that at least assembles your md arrays on boot, then run update-initramfs -u so that the copy inside the initramfs is current (see the note at the top of the file above).
mdadm --detail --scan >> /etc/mdadm/mdadm.conf
WELL, GOOD LUCK
Close all vim sessions.
Reboot the system
shutdown -r now
Extending to a hypervisor
Please see libvirt
Some more filesystem
Moving libvirt to own subvolume
DEVICE=/dev/sda4
### CREATE A MOUNT POINT
mkdir /media/btrfs5
### MOUNT THE TOP-LEVEL SUBVOLUME TO THIS MOUNT POINT
mount -o rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=5,subvol=/ \
    "$DEVICE" /media/btrfs5
### STOP LIBVIRTD
systemctl stop libvirtd.service
### CHECK FOR OPEN FILES BELOW THE DIRECTORY
### (+D RECURSES; WITHOUT IT ONLY THE DIRECTORY ITSELF IS CHECKED)
lsof +D /var/lib/libvirt
### CREATE A SNAPSHOT OF THE SUBVOLUME "root"
### AND NAME IT "var_lib_libvirt"
btrfs subvolume snapshot \
    /media/btrfs5/root \
    /media/btrfs5/var_lib_libvirt
### LIST SUBVOLUMES
btrfs subvol list /media/btrfs5/
ID 258 gen 4933 top level 5 path root
ID 261 gen 1520 top level 5 path home
ID 262 gen 4933 top level 5 path var_log
ID 265 gen 4933 top level 5 path var_lib_libvirt
### DELETE EVERYTHING BELOW THE NEW SUBVOLUME
### WHOSE NAME IS NOT "var" RECURSIVELY
find /media/btrfs5/var_lib_libvirt \
    -mindepth 1 -maxdepth 1 \! -name var \
    -exec rm -r -- {} +
### MOVE THE CONTENTS OF THE SUBDIR libvirt (DOT-FILES INCLUDED)
### TO THE TOP LEVEL OF THE SUBVOLUME
find /media/btrfs5/var_lib_libvirt/var/lib/libvirt -mindepth 1 -maxdepth 1 \
    -exec mv -t /media/btrfs5/var_lib_libvirt -- {} +
### DELETE var IN THE SUBVOLUME RECURSIVELY
rm -r /media/btrfs5/var_lib_libvirt/var
### DELETE THE CONTENT OF libvirt IN THE ROOT SUBVOLUME RECURSIVELY
find /media/btrfs5/root/var/lib/libvirt -mindepth 1 -maxdepth 1 -exec rm -r -- {} +
### CHECK OLD DIRECTORY
ll /media/btrfs5/root/var/lib/libvirt/
total 0
### CHECK NEW DIRECTORY
ll /media/btrfs5/var_lib_libvirt/
total 0
drwx--x--x 1 root root 0 Apr 7 12:36 boot
drwx--x--x 1 root root 0 Apr 7 12:36 images
drwxr-x--- 1 libvirt-qemu libvirt-qemu 62 May 23 10:16 qemu
drwx------ 1 root root 0 Apr 7 12:36 sanlock
### MOUNT THE NEW SUBVOLUME TO THE DESTINATION (ONLY NOW, AFTER THE CLEAN-UP)
mount -o rw,noatime,compress=lzo,space_cache,autodefrag,subvol=/var_lib_libvirt \
    "$DEVICE" /var/lib/libvirt
### START LIBVIRTD
systemctl start libvirtd.service
Adjust fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).

#<file_system> <mount_point> <type> <options> <dump> <pass>
UUID=87294740-52c4-4557-b838-ddc44ba8aa4b none swap sw 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 / btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root 0 1
#UUID=8AC4-4574 /boot/EFI vfat utf8 0 0
#UUID=B3B5-67FA /boot/EFI_SDB vfat utf8 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/log btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=262,subvol=/var_log 0 2
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/lib/libvirt btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=266,subvol=/var_lib_libvirt 0 2
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /home btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=261,subvol=/home 0 0
UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /media/btrfs5 btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=5,subvol=/ 0 0
Filesystem maintenance
Please see filesystems/btrfs#Maintenance
ksmtuned
All machines idle? Trade in some CPU and SAVE A WHOLE BUNCH OF MEM!
Install ksmtuned without treating recommendations as dependencies
aptitude install --without-recommends ksmtuned
Information can be acquired under /sys/kernel/mm/ksm
Run ksm earlier by raising KSM_THRES_COEF (the percentage of free memory below which ksmtuned starts ksm) in
/etc/ksmtuned.conf
# Configuration file for ksmtuned.

# How long ksmtuned should sleep between tuning adjustments
# KSM_MONITOR_INTERVAL=60

# Millisecond sleep between ksm scans for 16Gb server.
# Smaller servers sleep more, bigger sleep less.
# KSM_SLEEP_MSEC=10

# KSM_NPAGES_BOOST=300
# KSM_NPAGES_DECAY=-50
# KSM_NPAGES_MIN=64
# KSM_NPAGES_MAX=1250

#KSM_THRES_COEF=20
KSM_THRES_COEF=50
# KSM_THRES_CONST=2048

# uncomment the following if you want ksmtuned debug info

# LOGFILE=/var/log/ksmtuned
# DEBUG=1
Example - Debian Buster monoculture in production:
Every 1,0s: grep -rH "" /sys/kernel/mm/ksm*;echo "Saved mem: $(($(cat /sys/kernel/mm/ksm/pages_sharing)*4/(2^1024))) MiB" kvm2: Fri Jan 31 14:03:57 2020

/sys/kernel/mm/ksm/stable_node_dups:5938
/sys/kernel/mm/ksm/max_page_sharing:256
/sys/kernel/mm/ksm/pages_volatile:271474
/sys/kernel/mm/ksm/stable_node_chains_prune_millisecs:2000
/sys/kernel/mm/ksm/merge_across_nodes:1
/sys/kernel/mm/ksm/pages_unshared:5277423
/sys/kernel/mm/ksm/stable_node_chains:497
/sys/kernel/mm/ksm/pages_shared:1049263
/sys/kernel/mm/ksm/use_zero_pages:0
/sys/kernel/mm/ksm/pages_to_scan:1250
/sys/kernel/mm/ksm/sleep_millisecs:10
/sys/kernel/mm/ksm/run:1
/sys/kernel/mm/ksm/full_scans:153
/sys/kernel/mm/ksm/pages_sharing:5635769
Saved mem: 21971 MiB
Well, ~22 GiB of 64 GiB saved! WTF?!1!! I dare to claim this is a must-have! (The "Saved mem" line above divides by 2^1024, which in shell arithmetic is XOR, i.e. 1026, not 2^10; with the correct divisor 1024, and assuming 4 KiB pages, the counters above give 22014 MiB.)
I assume KSM does not scan pages that are already swapped out, to save expensive disk I/O. So it may be a good idea to gain some memory in a first run and, in a second step, to move the content of the swap space back into main memory by disabling and re-enabling swap:
swapoff -a; swapon -a
In addition it may be a good idea to reduce vm.swappiness to profit from KSM once more.
Security caveat: KSM merges identical pages across all guests. A guest can tell whether a page it holds is shared with another guest by timing the copy-on-write that its first write triggers, which leaks which binaries and data other tenants run, and this deduplication is what made cross-VM Rowhammer attacks practical. On a monoculture of your own VMs, as here, that is acceptable; on a host running other people's workloads KSM should stay off.
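As an added example (not from the page): read the KSM counters the way the watch line above does, but with the correct divisor (pages times page size), and only disable and re-enable swap when the swap currently in use actually fits into MemAvailable, since `swapoff -a` on a host whose swap does not fit is an easy way to OOM the hypervisor. The paths default to the real sysfs/procfs files; the tests feed constructed copies with the numbers from the listing above. APPLY=1 performs the swapoff/swapon, otherwise the action is only printed.

```sh
#!/bin/sh
# Added example, not from the page: KSM savings and a guarded swap refill.

# ksm_saved_mib [KSMDIR] [PAGESIZE] : MiB freed by merged pages
ksm_saved_mib() {
    dir=${1:-/sys/kernel/mm/ksm}
    page=${2:-$(getconf PAGESIZE 2>/dev/null || echo 4096)}
    sharing=$(cat "$dir/pages_sharing")
    echo $(( sharing * page / 1048576 ))
}

# ksm_ratio [KSMDIR] : how many pages each surviving shared page stands for, as "N.N"
ksm_ratio() {
    dir=${1:-/sys/kernel/mm/ksm}
    awk -v s="$(cat "$dir/pages_sharing")" -v d="$(cat "$dir/pages_shared")" \
        'BEGIN { printf "%.1f\n", (d > 0) ? s / d : 0 }'
}

# swap_refill_safe [MEMINFO] : refuse (return 1) unless the used swap fits into
# MemAvailable; otherwise run swapoff -a && swapon -a (APPLY=1) or print it
swap_refill_safe() {
    info=${1:-/proc/meminfo}
    used=$(awk '/^SwapTotal:/ { t = $2 } /^SwapFree:/ { f = $2 } END { print t - f }' "$info")
    avail=$(awk '/^MemAvailable:/ { print $2 }' "$info")
    if [ "$used" -ge "$avail" ]; then
        echo "refusing: ${used} kB in swap, only ${avail} kB available" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        swapoff -a && swapon -a
    else
        echo "would run: swapoff -a && swapon -a (${used} kB to pull back)"
    fi
}

if [ -r /sys/kernel/mm/ksm/pages_sharing ]; then
    echo "KSM saves $(ksm_saved_mib) MiB, every shared page stands for $(ksm_ratio) pages"
fi
```

Run it once KSM has finished a few full_scans (the counter above), then `APPLY=1 sh ksm.sh` and call `swap_refill_safe` from it; if it refuses, let KSM work longer or free memory first.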
OpenvSwitch
To attach VMs to the network several approaches may be chosen:
- shared host bridge
  - classical Linux bridge
  - openvswitch
- network device passthrough
  - physical device
  - virtual device function
- macvtap direct connection
  - with VEPA
  - without VEPA
- libvirt networks
  - NAT based network
  - routed network config
  - isolated network config
  - isolated IPv6 network config
  - network config with no gateway addresses
Since I have no constraints or requirements, I like to use openvswitch as a bridge (as OpenStack would probably use it).
Please see openvswitch
Network configuration
Conventional networks
One public interface is used:
- for general connectivity,
- for routing the public network to the host and
- as the NAT address for internal private networks.
The configuration of fake bridges is not necessary any more; all interfaces have been moved to an OPNsense firewall. This allows for some independence from the host. For the purpose of documentation I commented out the address statements and left the aliases on the interfaces, which can be read with ip l.
/etc/network/interfaces
auto lo
iface lo inet loopback

### OUTSIDE
auto enp0s31f6
iface enp0s31f6 inet static
    address 195.201.246.253/26
    address 2a01:4f8:231:702::2/64
    gateway 195.201.246.193
    alias "OUTSIDE"

### FAKE BRIDGES
### VLANS 500-999
allow-hotplug ovs-pub1
iface ovs-pub1 inet manual
    #address 178.63.149.225/28
    description fake-bridge (vid 500): public dmz - public network1

allow-hotplug ovs-pub2
iface ovs-pub2 inet manual
    #address 176.9.178.17/29
    description fake-bridge (vid 501): public dmz - public network2

### VLANS 1000-1499
allow-hotplug ovs-1a
iface ovs-1a inet static
    address 172.18.0.254/24
    description fake-bridge (vid 1000): public dmz - private network

### VLANS 1500-1999
allow-hotplug ovs-1n
iface ovs-1n inet static
    #address 172.18.64.1/24
    description fake-bridge (vid 1500): extranet dmz

### VLANS 2000-2499
allow-hotplug ovs-2a
iface ovs-2a inet static
    #address 172.18.128.1/24
    description fake-bridge (vid 2000): intranet dmz

### VLANS 2500-2999
allow-hotplug ovs-2n
iface ovs-2n inet static
    #address 172.18.192.1/24
    description fake-bridge (vid 2500): secure zone

### VLANS 3000-3499
allow-hotplug ovs-mon1
iface ovs-mon1 inet static
    #address 172.19.255.1/24
    description fake-bridge (vid 3000): monitoring
PPP from guest to host
Point-to-point connections from guest to host are useful:
- for single IPs or
- to reduce the overhead in small networks (/30) caused by the network and broadcast addresses.
Please don't get irritated by the last octet of the IP addresses.
Create a fake bridge on the host and assign a private IP address, set a route (for the public address) to the guest and optionally set a static ARP entry.
In the guest assign the public IP address and create a point-to-point connection to the (private address of the) host.
Firewalling
Install Firewall Builder and dependencies:
aptitude install iptables-persistent ipset iptables fwbuilder
Configure fwbuilder
Performance
Laptop
To save power on your laptop and therefore increase the time that may be spent on battery, install the laptop-mode-tools. They will e.g. set the cpu-frequency scaling_governor to ondemand and apply other more conservative options. In my specific case battery usage was reduced by 1/3 and time on battery increased by a factor of 3/2, which is significant.
aptitude install laptop-mode-tools
They can be configured in /etc/laptop-mode/.
With powertop, settings that consume too much power can be identified and adjusted.
CPU governor
Another way to adjust the cpu-frequency scaling_governor is via cpufrequtils.
/etc/default/cpufrequtils
IO-Scheduler
Security
CPU microcode
Microcode updates are ephemeral: they are lost after a processor hard reset or after the processor is powered off. They must be reapplied at every boot and after the system wakes up from suspend to RAM or disk.
Depending on your CPU vendor install either intel-microcode or amd64-microcode (the package names match the configuration files below).
To force a microcode update at runtime (at your own risk) run as root:
echo 1 > /sys/devices/system/cpu/microcode/reload
To omit loading of the microcode at boot time add dis_ucode_ldr to your kernel command line in the grub menu editor:
linux /boot/vmlinuz-5.4.0-4-amd64 root=UUID=75258d3e-37f9-42f7-9187-444be692f85d ro quiet dis_ucode_ldr
You may configure the microcode packages in
/etc/default/amd64-microcode
/etc/default/intel-microcode
Early loading of microcode may be blacklisted via
/etc/modprobe.d/amd64-microcode
/etc/modprobe.d/intel-microcode
You can get the running microcode revision from /proc/cpuinfo:
grep -E 'stepping|model|microcode' /proc/cpuinfo
Compare it with the latest manufacturer microcode update guidance document.
unattended-upgrades
About unattended-upgrades
Please see:
By default upgrades are installed only from
- the current release and
- the security release of the current release.
Because versions are frozen in a Debian release, only revision upgrades (x.y.z -> x.y.z') are installed. This means you can rely on its operation. There are
- neither additional or obsolete features
- nor changes in the API.
It solely supports security.
Upgrade of unattended-upgrades
I highly recommend not to change the distribution config file
/etc/apt/apt.conf.d/50unattended-upgrades
If this file is modified, dpkg detects the change on the next package upgrade and places the new distribution config next to it as 50unattended-upgrades.dpkg-dist, so the new distribution config does not apply.
Instead create a file with a higher prefix number, e. g.
51unattended-upgrades
and include only the relevant configuration directives to override the distribution config.
Install unattended-upgrades
Install automatic upgrades:
aptitude install unattended-upgrades
You should probably combine unattended-upgrades with apt-listchanges, to receive an email to "root" about what has changed and when. … Just in case.
Enable unattended-upgrades
With systemd, unattended-upgrade is called via apt-daily-upgrade.timer at 06:00. The service runs /usr/lib/apt/apt.systemd.daily, which takes its defaults from the script itself and reads the APT::Periodic sub-tree via apt-config shell.
You need to define the configuration sub-tree APT::Periodic for the automatic update of the package sources and for unattended-upgrades to run.
Debian Wiki - UnattendedUpgrades#Automatic call via /etc/apt/apt.conf.d/20auto-upgrades
/etc/apt/apt.conf.d/20auto-upgrades
Configure unattended-upgrades
/etc/apt/apt.conf.d/50unattended-upgrades
// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format "keyword=value,...". A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line. (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted. The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component (eg, "main", "contrib", "non-free")
//   l,label (eg, "Debian", "Debian-Security")
//   o,origin (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename (eg, "jessie", "jessie-updates")
//     site (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitly define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

// When APT fails to mark a package to be upgraded or installed try adjusting
// candidates of related packages to help APT's resolver in finding a solution
// where the package can be upgraded or installed.
// This is a workaround until APT's resolver is fixed to always find a
// solution if it exists. (See Debian bug #711128.)
// The fallback is enabled by default, except on Debian's sid release because
// uninstallable packages are frequent there.
// Disabling the fallback speeds up unattended-upgrades when there are
// uninstallable packages at the expense of rarely keeping back packages which
// could be upgraded or installed.
// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
Additional releases
There is only a limited set of Origins-patterns in
/etc/apt/apt.conf.d/50unattended-upgrades
You may also allow unattended-upgrades for additional releases than those defined by default. Take a look at the Release files in /var/lib/apt/lists/ to extract the relevant Release metadata:
for FILE in /var/lib/apt/lists/*Release; do
    echo -e '\n'"$FILE"
    grep -h ": " "$FILE"
done |less

/var/lib/apt/lists/ftp2.de.debian.org_debian_dists_bullseye-backports_InRelease
Hash: SHA256
Origin: Debian Backports
Label: Debian Backports
Suite: bullseye-backports
Codename: bullseye-backports
Changelogs: https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog
Date: Fri, 08 Jan 2021 08:05:41 UTC
Valid-Until: Fri, 15 Jan 2021 08:05:41 UTC
NotAutomatic: yes
ButAutomaticUpgrades: yes
Acquire-By-Hash: yes
No-Support-for-Architecture-all: Packages
Architectures: all amd64 arm64 armel armhf i386 mips64el mipsel ppc64el s390x
Components: main contrib non-free
Description: Debian X.Y - Backports

…
Available filters:
"o", "origin"
"l", "label"
"a", "suite", "archive"
"c", "component"
"site"
"n", "codename"
Available variables:
${distro_codename} <- lsb_release -c -s
${distro_id} <- lsb_release -i -s
Allow upgrade by creating
/etc/apt/apt.conf.d/51unattended-upgrades
// SOME EXAMPLES
Unattended-Upgrade::Origins-Pattern:: "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-updates,l=Debian";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-proposed-updates,label=Debian";
// SOME EXAMPLES 3RD-PARTY
Unattended-Upgrade::Origins-Pattern:: "origin=PowerDNS,label=PowerDNS";
Unattended-Upgrade::Origins-Pattern:: "o=http://www.dovecot.org,a=${distro_codename}-auto,l=Automatic Dovecot 2.3 Debian Repository";
Unattended-Upgrade::Origins-Pattern:: "o=debian icinga-${distro_codename},a=icinga-${distro_codename},l=debian icinga-${distro_codename}";
Unattended-Upgrade::Origins-Pattern:: "o=apt.postgresql.org,a=${distro_codename}-pgdg,l=PostgreSQL for Debian/Ubuntu repository";
Unattended-Upgrade::Origins-Pattern:: "o=matrix.org,n=${distro_codename}";
Unattended-Upgrade::Origins-Pattern:: "o=Docker,a=${distro_codename},l=Docker CE";
// BAREOS
Unattended-Upgrade::Origins-Pattern:: "o=Bareos,n=Debian_10,l=Bareos";
Unattended-Upgrade::Origins-Pattern:: "o=Bareos,n=Debian_9.0,l=Bareos";
// CHROME STABLE
Unattended-Upgrade::Origins-Pattern:: "o=Google LLC,a=stable,l=Google";
// SIGNALD (CERTAINLY SUBOPTIMAL)
Unattended-Upgrade::Origins-Pattern:: "o=. unstable,a=unstable";
// JITSI
Unattended-Upgrade::Origins-Pattern:: "o=jitsi.org,l=Jitsi Debian packages repository,a=stable,n=stable";
// GITLAB-CE
Unattended-Upgrade::Origins-Pattern:: "o=packages.gitlab.com/gitlab/gitlab-ce,l=gitlab-ce,a=bookworm";
Or more compact
Unattended-Upgrade::Skip-Updates-On-Metered-Connections True;
Unattended-Upgrade::Origins-Pattern:: "o=Google LLC,a=stable,l=Google";
Unattended-Upgrade::Origins-Pattern {
    "o=Debian,a=stable";
    "o=Debian,a=stable-updates";
    "o=Debian,a=testing";
    "o=Debian,a=testing-updates";
    "o=Debian,n=sid";
    "o=Debian,n=${distro_codename},l=Debian";
    "o=Debian,n=${distro_codename}-updates,l=Debian";
    "o=Debian,n=${distro_codename}-proposed-updates,l=Debian";
    "o=Debian,n=bullseye";
    "o=Debian,n=bullseye-updates";
    "o=Debian,n=bookworm";
    "o=Debian,n=bookworm-updates";
    "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
    "o=Debian Backports,a=buster-backports,l=Debian Backports";
    "o=Debian Backports,a=bullseye-backports,l=Debian Backports";
    "o=Debian Backports,a=bookworm-backports,l=Debian Backports";
}
Unattended-Upgrade::Origins-Pattern {
    "o=debian icinga-buster,a=icinga-buster,l=debian icinga-buster";
    "o=debian icinga-bullseye,a=icinga-bullseye,l=debian icinga-bullseye";
    "o=debian icinga-bookworm,a=icinga-bookworm,l=debian icinga-bookworm";
    "o=debian icinga-${distro_codename},a=icinga-${distro_codename},l=debian icinga-${distro_codename}";
}
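The Release fields extracted above map directly onto the Origins-Pattern keywords (o=Origin, l=Label, a=Suite, n=Codename). The shell functions below are an added example, not code from the page or from unattended-upgrades: they read an (In)Release file on stdin and print the matching Origins-Pattern line, optionally substituting ${distro_codename} for the running release so the line survives a dist-upgrade, and can walk the whole APT list cache. A constructed excerpt of the bullseye-backports InRelease shown above is embedded; the function names are assumptions.

```bash
#!/bin/sh
# Added example (not part of the original page or of unattended-upgrades):
# derive an Unattended-Upgrade::Origins-Pattern line from Release metadata.
# Keyword aliases are the ones unattended-upgrades documents:
#   o=Origin, l=Label, a=Suite, n=Codename

# Constructed InRelease excerpt (fields copied from the page's
# bullseye-backports example; the signature header is omitted).
RELEASE_SAMPLE='Origin: Debian Backports
Label: Debian Backports
Suite: bullseye-backports
Codename: bullseye-backports
Components: main contrib non-free
Description: Debian X.Y - Backports
'

# release_field NAME: value of the first "NAME: value" header on stdin.
release_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# origins_pattern [CODENAME]: print the pattern for the Release file on
# stdin. With CODENAME given, that string is replaced by ${distro_codename}
# in Suite and Codename so the line follows the host across releases.
# All four fields are matched, so a repository that renames its suite
# (e.g. after a testing -> stable migration) stops matching instead of
# silently pulling in a different release.
origins_pattern() {
    input=$(cat)
    origin=$(printf '%s\n' "$input" | release_field Origin)
    label=$(printf '%s\n' "$input" | release_field Label)
    suite=$(printf '%s\n' "$input" | release_field Suite)
    codename=$(printf '%s\n' "$input" | release_field Codename)
    if [ -n "$1" ]; then
        suite=$(printf '%s\n' "$suite" | sed "s/$1/\${distro_codename}/")
        codename=$(printf '%s\n' "$codename" | sed "s/$1/\${distro_codename}/")
    fi
    printf 'Unattended-Upgrade::Origins-Pattern:: "o=%s,l=%s,a=%s,n=%s";\n' \
        "$origin" "$label" "$suite" "$codename"
}

# origins_from_lists [DIR] [CODENAME]: one line per Release file in the
# APT list cache (default /var/lib/apt/lists), each preceded by its source
# as a comment, for review before pasting into 51unattended-upgrades.
origins_from_lists() {
    for f in "${1:-/var/lib/apt/lists}"/*Release; do
        [ -f "$f" ] || continue
        printf '// %s\n' "$f"
        origins_pattern "$2" < "$f"
    done
}

# Stand-alone: the constructed sample, generalised to the running release.
printf '%s' "$RELEASE_SAMPLE" | origins_pattern bullseye
```

On a host, `origins_from_lists /var/lib/apt/lists "$(lsb_release -c -s)"` lists every repository APT knows about; keep only the lines for repositories you actually want upgraded unattended, then confirm the result with the apt-config dump shown in the next section.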
For Raspbian
/etc/apt/apt.conf.d/51unattended-upgrades
Check the patterns
apt-config dump Unattended-Upgrade::Origins-Pattern
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Origins-Pattern:: "origin=PowerDNS,label=PowerDNS";
Unattended-Upgrade::Origins-Pattern:: "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
Unattended-Upgrade::Origins-Pattern:: "o=jitsi.org,l=Jitsi Debian packages repository,a=stable,n=stable";
Unattended-Upgrade::Origins-Pattern:: "o=Google LLC,a=stable,l=Google";
Additional tunables
/etc/apt/apt.conf.d/51unattended-upgrades
There is a hint in verbose mode for checking the battery status.
For battery checking to work install powermgmt-base:
apt install powermgmt-base
Debugging
Check ephemeral pinning with
You may run unattended-upgrades with debugging output in the foreground to check what it is doing:
unattended-upgrades -d
If it is slow, check if you have
- packages on hold (apt-mark showhold) or
- broken packages.
To solve the problem use aptitude; it tends to be more powerful in untangling dependency problems.
Check OS Integrity
dpkg -V
debsecan
aptitude install debsecan
It is run automatically via a cron job, but you should add the parameter --suite.
Mobile security
The goal is to protect as much as possible, as early and as strongly as possible.
Requirements:
- basics:
  - BIOS password is set
  - HDD password is set
- mandatory:
  - be maintainable
  - perform well
  - flexible sizing like in LVM2/btrfs
  - include swap, root, …
  - protect kernel/initrd
- optionally:
  - include /boot, which means entering the password a 3rd time in grub2 to unlock /boot
  - use the trusted platform module (TPM)
The inspiration:
http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/
https://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/
Architect’s Guide: Data Security Using TCG Self-Encrypting Drive Technology
This ultimately leads to multi-layer full disk encryption (OPAL+LUKS).
ATA hard drive password
ATA Security Feature Set or ATA Security (since ATA-3 (1996–2002, ANSI X3.298-1997))
Tools
hdparm
Links
InterNational Committee for Information Technology Standards
https://en.wikipedia.org/wiki/Parallel_ATA#HDD_passwords_and_security
About
Available on disks with the AT Attachment (ATA) storage interface; this includes SATA, SCSI/SAS?, NVMe
- "first comer" ownership model
  - the first that sets the password owns the device
- access control mechanism only
- 32-byte master and user keys (NULL-byte padded)
- high or maximum security mode
Mode high
In High security mode, the device can be unlocked with either the User or Master password, using the "SECURITY UNLOCK DEVICE" ATA command. There is an attempt limit, normally set to 5, after which the disk must be power cycled or hard-reset before unlocking can be attempted again. Also in High security mode, the SECURITY ERASE UNIT command can be used with either the User or Master password.
Mode maximum
In Maximum security mode, the device can be unlocked only with the User password. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode, the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. Word 89 in the IDENTIFY response indicates how long the operation will take.
Opal
Before building check if your drive supports Opal:
lspci -vvv
Tools
msed (manage self-encrypting devices) and OpalTool, the two known Open Source code bases available for self-encrypting drives support on Linux, have both been retired, and their development efforts officially merged to form sedutil, under the umbrella of The Drive Trust Alliance (DTA). sedutil is "an Open Source (GPLv3) effort to make Self Encrypting Drive technology freely available to everyone."
https://github.com/Drive-Trust-Alliance/sedutil
Build sedutil
Scan for drives
Yeah, it works, and
as the "no" in the column states, my current NVMe does not support Opal. :-/ I'll come back once I've got an Opal drive.
Links
TCG Opal SSC (Security Subsystem Class) v.2.01 rev1.00 The specification is published by the Trusted Computing Group (TCG) Storage Workgroup.
About
Opal “Family” of specifications:
- Opal
- Opalite
- Pyrite
Found on Arch-Wiki - Self-Encrypting_Drives: Self-encrypting drives adhering to the TCG OPAL 2.0 standard specification (almost all modern self-encrypting drives) implement key management via an authentication key, and a 2nd-level data encryption key, both stored in the disk controller. The data encryption key is the key against which the data is actually encrypted/decrypted. The authentication key is the user-facing 1st-level password/passphrase which decrypts the data encryption key (which in turn decrypts the data). Data written to the disk is always encrypted. This approach has specific advantages:
- Allows the user to change the passphrase without losing the existing encrypted data on the disk.
- This improves security, as it is fast and easy to respond to security threats and revoke a compromised passphrase
- Facilitates near-instant and cryptographically secure full disk erasure.
For those who are familiar; this concept is similar to the LUKS key management layer often used in a dm-crypt deployment. Using LUKS, the user can effectively have up to 8 different key-files / passphrases to decrypt the encryption key, which in turn decrypts the underlying data. This approach allows the user to revoke / change these key-files / passphrases as required without needing to re-encrypt the data, as the 2nd-level encryption key is unchanged (itself being re-encrypted by the new passphrase).
In fact, in drives featuring full-disk encryption, data is always encrypted with the data encryption key when stored to disk, even if there is no password set (e.g. a new drive). Manufacturers do this to make it easier for users who are not able to, or do not wish to enable the security features of the self-encrypting drive. This can be thought of as all drives by default having a zero-length password that transparently encrypts/decrypts the data always (similar to how passwordless SSH keys provide (somewhat) secure access without user intervention).
The key point to note is that if at a later stage the user wishes to "enable" encryption, they can configure the passphrase (authentication key), which will then be used to encrypt the existing data encryption key (thus prompting for passphrase before decrypting the data encryption key in future). However, as the existing data encryption key will not be changed (regenerated), this in effect locks the drive, while preserving the existing encrypted data on the disk.
Advantages:
- Easier to setup (compared to software-based encryption)
- Notably transparent to the user, except for initial bootup authentication
- Data-at-Rest protection
- Increased performance (CPU is freed up from encryption/decryption calculations)
- The main CPU and RAM are eliminated as possible attack targets
- Optimally fast and #Secure disk erasure (sanitation) (regardless of disk size)
- Protection from alternative boot methods due to the possibility to encrypt the MBR, rendering the drive inaccessible before pre-boot authentication
Disadvantages:
Constant-power exploits:
Typical self-encrypting drives, once unlocked, will remain unlocked as long as power is provided. This vulnerability can be exploited by means of altering the environment external to the drive, without cutting power, in effect keeping the drive in an unlocked state. For example, it has been shown (by researchers at University of Erlangen-Nuremberg) that it is possible to reboot the computer into an attacker-controlled operating system without cutting power to the drive. The researchers have also demonstrated moving the drive to another computer without cutting power.[1]
Key-in-memory exploits:
When the system is powered down into S3 ("sleep") mode, the drive is powered down, but the drive keeps access to the encryption key in its internal memory (NVRAM) to allow for a resume ("wake"). This is necessary because for system booted with an arbitrary operating system there is no standard mechanism to prompt the user to re-enter the pre-boot decryption passphrase again. An attacker (with physical access to the drive) can leverage this to access the drive. Taking together known exploits the researchers summarize "we were able to break hardware-based full-disk encryption on eleven [of twelve] of those systems provided they were running or in standby mode".[2] Note, however, S3 ("sleep") is not currently supported by sedutil (the current available toolset for managing a TCG OPAL 2.0 self-encrypting drives via Linux)
Compromised firmware:
The firmware of the drive may be compromised (backdoor) and data sent to it thus potentially compromised (decryptable by the malicious third party in question, provided access to physical drive is achievable). A study demonstrated methods for compromising device firmware, as well as applying invalid passwords to access data on OPAL devices.[3] If data is encrypted by the operating system (e.g. dm-crypt), the encryption key is unknown to the compromised drive, thus circumventing this attack vector entirely.
Found in White Paper - Storage Opal and NVMe
- requires AES-128 or AES-256
- hardware-based encryption that may be scaled to meet the bandwidth of the storage device
- credentials
  - 1-4 admins for provisioning, configuration or erasure
  - 2-8 users to perform various actions
- subdivision of the storage device into multiple locking ranges of contiguous LBAs
  - each locking range
    - has a different media encryption key (MEK)
    - is unlocked independently
    - is erased independently (by destruction of the media encryption key and generation of a new one)
  - n>=0 users may
    - unlock locking ranges
    - erase locking ranges
  - fast and reliable erasure of locking ranges
- supports MBR shadowing, through which a host application can store and execute a "Pre-Boot Authentication Environment". Such a mechanism is necessary to unlock the range in which the OS is stored, in order to allow the OS to boot.
Storage glossary
- advanced encryption standard (AES)
- authentication key (AK)
- advanced technology attachment (ATA) -> P-ATA
- AT attachment packet interface (ATAPI)
- data encryption key (DEK)
- full disk encryption (FDE)
- full encryption disks (FED), self-encrypting HDD
- hard drive disk (HDD)
- integrated drive electronics (IDE)
- logical block addressing (LBA), number of blocks starting with zero (size with 512byte blocks)
- 28bit LBA (128GiB)
- 48bit LBA (128PiB)
- SCSI Command Descriptor Block (CDB)
- 10Byte CDB with 4byte (32bit) LBA (2TiB)
- 16/32Byte CDB with 8byte (64bit) Long-LBA (16EiB)
- non-volatile memory express (NVMe)
- opal security subsystem class (SSC)
- Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.)
- storage device (SD)
- self-encrypting drive (SED)
- small computer system interface (SCSI)
- trusted computing group (TCG)
LUKS
Tools
apt install gdisk parted cryptsetup cryptsetup-initramfs dosfstools xfsprogs
Links
About
The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.
Why LUKS?
- compatibility via standardization,
- secure against low entropy attacks,
- support for multiple keys,
- effective passphrase revocation,
- free.
Transform
Target configuration
FDE walkthrough
Perform a backup
Preparation
### MOUNT A REMOTE STORAGE (e.g. NFS4)
mount libertas:/media/space/tmp /media/external1

### AND BACKUP PARTITIONING TABLE (JUST IN CASE)
mkdir /media/external1/backup
sgdisk --backup=/media/external1/backup/nvme0n1.sgdisk /dev/nvme0n1
The operation has completed successfully.
### TO RESTORE SIMPLY (the backup file written above, including its .sgdisk suffix)
# sgdisk -l /media/external1/backup/nvme0n1.sgdisk /dev/nvme0n1

Partitioning
Grub2 disk: Implement support for LUKS2:
- With cryptsetup 2.0, a new version of LUKS was introduced that breaks compatibility with the previous version due to various reasons. GRUB currently lacks any support for LUKS2, making it impossible to decrypt disks encrypted with that version. This commit implements support for this new format.
This commit has not landed in Debian yet, so we need to downgrade the header to LUKS version 1 and the password-based key derivation function (PBKDF) to PBKDF2 (from Argon2i or Argon2id).
Fresh cryptsetup
To downgrade manually from LUKS2 to version 1
LVM2
Formatting filesystems and swap
Restore the data from backup.
I created the tar archive without changing the directory, so I have to strip "mnt/" away at extraction time using --strip-components=1.
### RESTORE ROOTFS
MOUNT_POINT="/mnt"
ssh user@target.host \
    "cat path/to/archive.tar.gz" \
    |pigz -dc \
    |tar -xf - --strip-components=1 -C "$MOUNT_POINT"
### RESTORE EFIFS
MOUNT_POINT="/mnt/boot/efi"
ssh user@target.host \
    "cat path/to/archive_efi.tar.gz" \
    |pigz -dc \
    |tar -xf - --strip-components=1 -C "$MOUNT_POINT"
aptitude install cryptsetup cryptsetup-initramfs
Change the swap UUID to the new value in
/etc/initramfs-tools/conf.d/resume
RESUME=UUID=3c8d7d58-c524-4a74-94f6-ec66a3bb07af
Adjust crypttab
/etc/crypttab
/etc/default/grub
# If you change this file, run 'update-grub' afterwards to update
# /boot/grub/grub.cfg.
# For full documentation of the options in this file, see:
#   info -f grub -n 'Simple configuration'

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""

# Uncomment to enable BadRAM filtering, modify to suit your needs
# This works with Linux (no patch required) and with any kernel that obtains
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"

# Uncomment to disable graphical terminal (grub-pc only)
#GRUB_TERMINAL=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
#GRUB_GFXMODE=640x480

# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"

# Uncomment to get a beep at grub start
#GRUB_INIT_TUNE="480 440 1"

### GRUB-INSTALL DEMANDS IT
GRUB_ENABLE_CRYPTODISK=y
#GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x luks"

Update initramfs to include the necessary modules, install grub to the bootloader partition and update its configuration.
- Unmount remote storage
- Reboot
Resize FDE
When you have transferred your FDE setup to another, bigger disk, you need to expand every level of the storage stack. You do not necessarily need to boot a live medium; it works on a running system. Just follow the process below.
Identify your disk and topology and resize the crypto partition.
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931,5G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 243M 0 part /boot/efi
├─sda3 8:3 0 732M 0 part /boot
└─sda4 8:4 0 297,1G 0 part
  └─sda4_crypt 254:0 0 297,1G 0 crypt
    ├─vg_crypt-lv_swap1 254:1 0 29,8G 0 lvm [SWAP]
    └─vg_crypt-lv_root 254:2 0 267,3G 0 lvm /
# parted /dev/sda
GNU Parted 3.2
Using /dev/sda
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit MiB
(parted) print free
Warning: Not all of the space available to /dev/sda appears to be used,
you can fix the GPT to use all of the space (an extra 1328382720 blocks) or
continue with the current setting?
Fix/Ignore? Fix
Model: ATA CT1000MX500SSD1 (scsi)
Disk /dev/sda: 953870MiB
Sector size (logical/physical): 512B/4096B
Partition Table: gpt
Disk Flags:

Number Start End Size File system Name Flags
       0,02MiB 1,00MiB 0,98MiB Free Space
1      1,00MiB 2,00MiB 1,00MiB bios_grub bios_grub
2      2,00MiB 245MiB 243MiB fat32 EFI msftdata
3      245MiB 977MiB 732MiB xfs boot
4      977MiB 305245MiB 304268MiB crypt1
       305245MiB 953870MiB 648625MiB Free Space

(parted) resize
resize resizepart
(parted) help resizepart
resizepart NUMBER END resize partition NUMBER

NUMBER is the partition number used by Linux. On MS-DOS disk labels,
the primary partitions number from 1 to 4,
logical partitions from 5 onwards.
END is disk location, such as 4GB or 10%.
Negative value counts from the end of the disk.
For example, -1s specifies exactly the last sector.
(parted) resizepart 4 -1
(parted) quit
Information: You may need to update /etc/fstab.
# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931,5G 0 disk
├─sda1 8:1 0 1M 0 part
├─sda2 8:2 0 243M 0 part /boot/efi
├─sda3 8:3 0 732M 0 part /boot
└─sda4 8:4 0 930,6G 0 part
  └─sda4_crypt 254:0 0 297,1G 0 crypt
    ├─vg_crypt-lv_swap1 254:1 0 29,8G 0 lvm [SWAP]
    └─vg_crypt-lv_root 254:2 0 267,3G 0 lvm /
Resize cryptodisk to partition boundaries
Resize physical volume for LVM
Resize the contained logical volumes
# vgs
VG       #PV #LV #SN Attr   VSize    VFree
vg_crypt   1   2   0 wz--n- <930,54g 633,42g
# lvs
LV       VG       Attr       LSize    Pool Origin Data% Meta% Move Log Cpy%Sync Convert
lv_root  vg_crypt -wi-ao---- <267,32g
lv_swap1 vg_crypt -wi-ao----   29,80g
# lvresize -l +100%FREE /dev/vg_crypt/lv_root
Size of logical volume vg_crypt/lv_root changed from <267,32 GiB (68433 extents) to <900,74 GiB (230589 extents).
Logical volume vg_crypt/lv_root successfully resized.
Resize the filesystem (remember to use the mount point)
# df -hT
Dateisystem Typ Größe Benutzt Verf. Verw% Eingehängt auf
udev devtmpfs 7,7G 0 7,7G 0% /dev
tmpfs tmpfs 1,6G 18M 1,6G 2% /run
/dev/mapper/vg_crypt-lv_root xfs 268G 12G 256G 5% /
tmpfs tmpfs 7,7G 40M 7,7G 1% /dev/shm
tmpfs tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs tmpfs 7,7G 0 7,7G 0% /sys/fs/cgroup
/dev/sda3 xfs 726M 139M 588M 20% /boot
/dev/sda2 vfat 240M 512 240M 1% /boot/efi
tmpfs tmpfs 1,6G 16K 1,6G 1% /run/user/1000
# xfs_growfs /
meta-data=/dev/mapper/vg_crypt-lv_root isize=512 agcount=4, agsize=17518848 blks
= sectsz=4096 attr=2, projid32bit=1
= crc=1 finobt=1, sparse=1, rmapbt=0
= reflink=0
data = bsize=4096 blocks=70075392, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0, ftype=1
log =Internes Protokoll bsize=4096 blocks=34216, version=2
= sectsz=4096 sunit=1 blks, lazy-count=1
realtime =keine extsz=4096 blocks=0, rtextents=0
Datenblöcke von 70075392 auf 236123136 geändert.
# df -hT
Dateisystem Typ Größe Benutzt Verf. Verw% Eingehängt auf
udev devtmpfs 7,7G 0 7,7G 0% /dev
tmpfs tmpfs 1,6G 18M 1,6G 2% /run
/dev/mapper/vg_crypt-lv_root xfs 901G 13G 889G 2% /
tmpfs tmpfs 7,7G 40M 7,7G 1% /dev/shm
tmpfs tmpfs 5,0M 4,0K 5,0M 1% /run/lock
tmpfs tmpfs 7,7G 0 7,7G 0% /sys/fs/cgroup
/dev/sda3 xfs 726M 139M 588M 20% /boot
/dev/sda2 vfat 240M 512 240M 1% /boot/efi
tmpfs tmpfs 1,6G 16K 1,6G 1% /run/user/1000
Reboot. Done.
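The whole resize procedure above, as an added example that is not part of these notes: it discovers the stack below a mountpoint with `findmnt` and `lsblk`, prints the ordered commands for review, and runs them only when asked. It assumes the layout in the lsblk output above (one partition holds the LUKS container, which is the only PV of a volume group whose LV carries an XFS filesystem) and that the backup GPT header must first be moved to the new end of the disk, which is what answering "Fix" did in the interactive parted session; `sgdisk -e` does the same non-interactively. The function names and the `lsblk` sample lines used for testing are my own.

```shell
#!/bin/bash
# Added example, not from the original notes: grow every layer of a
# partition -> LUKS -> LVM -> XFS stack in the order used in the walkthrough.
# Assumed layout: one partition holds the LUKS container, which is the only PV of
# a volume group whose single LV carries the XFS filesystem. Names are discovered,
# not hard-coded. Nothing is executed unless grow_fde runs without --dry-run.
set -eu

# Read `lsblk -r -s -n -o NAME,TYPE <lv-device>` (raw, inverse tree: the LV first,
# then its ancestors) from stdin and print "lv crypt part disk partnum" on one line.
parse_stack() {
    local name type lv='' crypt='' part='' disk=''
    while read -r name type; do
        case "$type" in
            lvm)   lv="$name" ;;
            crypt) crypt="$name" ;;
            part)  part="$name" ;;
            disk)  disk="$name" ;;
        esac
    done
    [ -n "$lv" ] && [ -n "$crypt" ] && [ -n "$part" ] && [ -n "$disk" ] || return 1
    # Partition number = trailing digits of the partition name (sda4 -> 4, nvme0n1p4 -> 4).
    printf '%s %s %s %s %s\n' "$lv" "$crypt" "$part" "$disk" "${part##*[!0-9]}"
}

# Print the commands in order, without running anything, so the plan can be reviewed.
# If parted in script mode refuses because the partition is in use, run the
# interactive session shown above for that one step instead.
grow_plan() {  # args: disk partnum crypt lv mountpoint
    local disk="$1" partnum="$2" crypt="$3" lv="$4" mountpoint="$5"
    printf '%s\n' \
        "sgdisk -e /dev/$disk" \
        "parted --script /dev/$disk resizepart $partnum 100%" \
        "cryptsetup resize $crypt" \
        "pvresize /dev/mapper/$crypt" \
        "lvresize -l +100%FREE /dev/mapper/$lv" \
        "xfs_growfs $mountpoint"
}

# Discover the stack under a mountpoint and run (or, with --dry-run, only print) the plan.
# A failing step stops the script before the next layer is touched.
grow_fde() {  # args: mountpoint [--dry-run]
    local mountpoint="$1" dry="${2:-}" lvdev cmd
    lvdev="$(findmnt -n -o SOURCE "$mountpoint")"
    set -- $(lsblk -r -s -n -o NAME,TYPE "$lvdev" | parse_stack)
    # $1=lv $2=crypt $3=part $4=disk $5=partnum
    grow_plan "$4" "$5" "$2" "$1" "$mountpoint" | while read -r cmd; do
        echo "+ $cmd"
        [ "$dry" = "--dry-run" ] || eval "$cmd"
    done
}

if [ $# -gt 0 ]; then
    grow_fde "$@"    # e.g. ./grow_fde.sh / --dry-run, then ./grow_fde.sh /
fi
```

Run it first with `--dry-run` and compare the printed plan with the `lsblk` tree before letting it execute; the order matters, since each layer can only grow into space the layer below already exposes.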
Change a keyslot
# lsblk -f
NAME FSTYPE LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sda
├─sda1
├─sda2 vfat 7E9B-0792 239,3M 0% /boot/efi
├─sda3 xfs ecd028a6-0b54-424c-a7fd-c83ad4d11979 587,5M 19% /boot
└─sda4 crypto_LUKS 64a840a0-1278-4756-a7a3-7d8d25c4fe52
  └─sda4_crypt LVM2_member j5kIv6-XUUJ-EIZQ-R4dN-kgzf-jP97-PU2Kzg
    ├─vg_crypt-lv_swap1 swap 556aa84e-a84d-4d03-a82a-40040dccc703 [SWAP]
    └─vg_crypt-lv_root xfs rootfs f1244adf-8444-4c77-bca6-7dcb26888a1f 888,4G 1% /
# cryptsetup luksAddKey /dev/sda4
Geben Sie irgendeine bestehende Passphrase ein:
Geben Sie die neue Passphrase für das Schlüsselfach ein:
Passphrase bestätigen:
cryptsetup luksAddKey /dev/sda4 17,69s user 0,22s system 117% cpu 15,196 total
Logitech devices
Install solaar
aptitude install solaar solaar-gnome3
Add users to the group plugdev
adduser "$USERNAME" plugdev
Grub-customizer
Themes are available at:
Install grub-customizer
aptitude install grub-customizer
Clone the theme
git clone "$GITURL" /opt
Start grub-customizer (enter your password to get the required privileges). Go to the tab Appearance:
- set resolution
- choose the theme and save
Plymouth
Install bootsplash "plymouth"
aptitude install plymouth plymouth-themes plymouth-x11
Add splash to GRUB_CMDLINE_LINUX_DEFAULT
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
List and set available themes
plymouth-set-default-theme --list
Set other theme and update grub and initramfs
sudo plymouth-set-default-theme -R lines
Get new themes from store.kde.org.
Just unpack them to /usr/share/plymouth/themes
Plymouth rockstable
Download plymouth_rockstable.tar.gz
Extract and set rockstable plymouth boot screen
Preview plymouth themes in X11
Inspired by this blogpost
plymouth_preview.sh
#!/bin/bash

## Preview Plymouth Splash ##
## by _khAttAm_ ##
## www.khattam.info ##
## License: GPL v3 ##

chk_root () {
    if [ "$(id -u)" -ne 0 ]; then
        echo "Must be run as root"
        exit 1
    fi
}

chk_root

# Seconds to show each theme (default: 5)
DURATION=$1
if [ $# -ne 1 ]; then
    DURATION=5
fi

# Remember the current default theme so it can be restored at the end
CURRENT_THEME="$(plymouth-set-default-theme)"
THEMES="$(plymouth-set-default-theme --list \
    |sort |uniq)"

while read THEME; do
    plymouth-set-default-theme "$THEME"
    echo "$THEME"
    sleep 1.5
    plymouthd
    plymouth --show-splash
    for ((I=0; I<$DURATION; I++)); do
        plymouth --update=test$I
        sleep 1
    done
    plymouth quit
done <<< "$THEMES"

# Restore the previous default theme (no -R: the initramfs is left untouched)
plymouth-set-default-theme "$CURRENT_THEME"
Run the preview
Convertible with Gnome3
On-screen keyboard
Install some extensions for an on-screen keyboard.
Disable keyboard by script
/etc/sudoers.d/keyboard
/usr/local/bin/keyboard_toggle_wayland.sh
#!/bin/bash

DEVICE='AT Translated Set 2 keyboard'
# Event node of the built-in keyboard: the first "Kernel:" line after the device name
DEVICE_PATH="$(libinput list-devices \
    |sed -e "1,/$DEVICE/d" \
    |grep '^Kernel:' \
    |head -n 1 \
    |awk '{print $2}')"

# evtest --grab takes the device exclusively, so nothing else receives its key events
COMMAND="evtest --grab $DEVICE_PATH"

# Collect the PIDs of grabbers already running for exactly this device
declare -a PIDS
readarray -t PIDS < <(ps -eo pid,args \
    |grep -v grep \
    |grep " $COMMAND$" \
    |awk '{print $1}')

if [ "${#PIDS[@]}" -gt "0" ]; then
    echo "LAPTOP MODE: enabling keyboard input."
    kill "${PIDS[@]}"
else
    echo "TABLET MODE: disabling keyboard input."
    nohup $COMMAND >/dev/null 2>&1 &
fi
/usr/share/applications/keyboard.desktop
[Desktop Entry]
Type=Application
Version=1.0
Name=Laptop/Tablet
GenericName=Toggle Laptop/Tablet Mode
GenericName[de]=Laptop/Tablet Mode umschalten
Comment=Toggle the built-in keyboard on or off
Icon=input-keyboard
Exec=sudo keyboard_toggle_wayland.sh
Terminal=true
Categories=System;ConsoleOnly;Settings
Keywords=keyboard;input;laptop;tablet
Now the script shows up in the menu and can be dragged into the favorites menu.
Automatic screen rotation
If you have iio-sensor-proxy installed, automatic screen rotation should work out of the box with Xorg.
gitlab.freedesktop.org hadess/iio-sensor-proxy
However, wayland is not there yet …
Keys in gsettings
If the gsettings backend is dconf, you can take a look at the values by installing dconf-editor:
apt install dconf-editor
Or just use the cli gsettings
Debian CD-image with jigdo
Jigsaw Download, or short jigdo, is a tool designed to ease the distribution of very large files over the internet, for example CD or DVD images. Its aim is to make downloading the images as easy for users as a click on a direct download link in a browser, while avoiding all the problems that server administrators have with hosting such large files.
aptitude install jigdo-file jigit
Example: Create a CD-image of Debian Jessie
Create a configuration for jigdo-lite to relieve the primary Debian mirrors. ~/.jigdo-lite
Done:
jigdo-lite --noask 'https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo'

Jigsaw Download "lite"
Copyright (C) 2001-2005 | jigdo@
Richard Atterer | atterer.org
Loading settings from `/home/tobias/.jigdo-lite'

Downloading .jigdo file
--2019-11-05 11:47:20-- https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo
Auflösen des Hostnamens cdimage.debian.org (cdimage.debian.org)… 194.71.11.173, 194.71.11.165, 2001:6b0:19::165, ...
Verbindungsaufbau zu cdimage.debian.org (cdimage.debian.org)|194.71.11.173|:443 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 24660 (24K)
Wird in »debian-8.0.0-amd64-netinst.jigdo« gespeichert.

debian-8.0.0-amd64-netinst.jigdo 100%[==================================================================================================================================================================================>] 24.08K --.-KB/s in 0.06s

2019-11-05 11:47:20 (428 KB/s) - »debian-8.0.0-amd64-netinst.jigdo« gespeichert [24660/24660]


-----------------------------------------------------------------
Images offered by `https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo':
1: 'Debian GNU/Linux 8.0.0 "Jessie" - Official amd64 NETINST Binary-1 20150425-12:50 (20150425)' (debian-8.0.0-amd64-netinst.iso)

Further information about `debian-8.0.0-amd64-netinst.iso':
Generated on Sat, 25 Apr 2015 12:53:05 +0000

-----------------------------------------------------------------
If you already have a previous version of the CD you are
downloading, jigdo can re-use files on the old CD that are also
present in the new image, and you do not need to download them
again. Mount the old CD ROM and enter the path it is mounted under
(e.g. `/mnt/cdrom').
Alternatively, just press enter if you want to start downloading
the remaining files.
Files to scan:

-----------------------------------------------------------------
The jigdo file refers to files stored on Debian mirrors. Please
choose a Debian mirror as follows: Either enter a complete URL
pointing to a mirror (in the form
`ftp://ftp.debian.org/debian/'), or enter any regular expression
for searching through the list of mirrors: Try a two-letter
country code such as `de', or a country name like `United
States', or a server name like `sunsite'.
Debian mirror [http://debian.inf.tu-dresden.de/debian/]:

Downloading .template file
--2019-11-05 11:47:20-- https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template
Auflösen des Hostnamens cdimage.debian.org (cdimage.debian.org)… 194.71.11.165, 194.71.11.173, 2001:6b0:19::173, ...
Verbindungsaufbau zu cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 302 Found
Platz: https://saimei.ftp.acc.umu.se/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template [folgend]
--2019-11-05 11:47:20-- https://saimei.ftp.acc.umu.se/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template
Auflösen des Hostnamens saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)… 194.71.11.138, 2001:6b0:19::138
Verbindungsaufbau zu saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|194.71.11.138|:443 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 8641689 (8.2M)
Wird in »debian-8.0.0-amd64-netinst.template« gespeichert.

debian-8.0.0-amd64-netinst.template 100%[=========================================================>] 8.24M 1.11MB/s in 7.5s

2019-11-05 11:47:28 (1.10 MB/s) - »debian-8.0.0-amd64-netinst.template« gespeichert [8641689/8641689]


-----------------------------------------------------------------
Merging parts from `file:' URIs, if any...
0 der 813 vom Template benötigten Dateien gefunden
Es wird keine Image-Datei oder temporäre Datei erzeugt - versuchen Sie es mit anderen Eingabedateien
--2019-11-05 11:47:28-- http://debian.inf.tu-dresden.de/debian/pool/main/s/systemd/libpam-systemd_215-17_amd64.deb
Auflösen des Hostnamens debian.inf.tu-dresden.de (debian.inf.tu-dresden.de)… 141.76.2.4
Verbindungsaufbau zu debian.inf.tu-dresden.de (debian.inf.tu-dresden.de)|141.76.2.4|:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 404 Not Found
2019-11-05 11:47:28 FEHLER 404: Not Found.

--2019-11-05 11:47:28-- http://debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb
Wiederverwendung der bestehenden Verbindung zu debian.inf.tu-dresden.de:80.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 285760 (279K) [application/x-debian-package]
Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb« gespeichert.

debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_ 100%[=========================================================>] 279.06K 894KB/s in 0.3s

2019-11-05 11:47:29 (894 KB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb« gespeichert [285760/285760]

--2019-11-05 11:47:29-- http://debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb
Wiederverwendung der bestehenden Verbindung zu debian.inf.tu-dresden.de:80.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 124466 (122K) [application/x-debian-package]
Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb« gespeichert.

debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb 100%[=========================================================>] 121.55K --.-KB/s in 0.1s

2019-11-05 11:47:29 (1.13 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb« gespeichert [124466/124466]


<… OUTPUT OMITED …>


--2019-11-05 11:52:06-- http://snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb
Verbindungsaufbau zu snapshot.debian.org (snapshot.debian.org)|193.62.202.27|:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 13294 (13K)
Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb« gespeichert.

snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loo 100%[=========================================================>] 12.98K --.-KB/s in 0.01s

2019-11-05 11:52:06 (1.23 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb« gespeichert [13294/13294]

BEENDET --2019-11-05 11:52:06--
Verstrichene Zeit: 6.3s
Geholt: 10 Dateien, 5.0M in 4.7s (1.07 MB/s)
10 der 11 vom Template benötigten Dateien gefunden '
Eingabedateien wurden in temporäre Datei »debian-8.0.0-amd64-netinst.iso.tmp« geschrieben - wiederholen Sie das Kommando mit weiteren Dateien
--2019-11-05 11:52:06-- http://snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb
Auflösen des Hostnamens snapshot.debian.org (snapshot.debian.org)… 185.17.185.185, 193.62.202.27, 2001:630:206:4000:1a1a:0:c13e:ca1b, ...
Verbindungsaufbau zu snapshot.debian.org (snapshot.debian.org)|185.17.185.185|:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 4480432 (4.3M)
Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb« gespeichert.

snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/lin 100%[=========================================================>] 4.27M 1.11MB/s in 3.9s

2019-11-05 11:52:10 (1.11 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb« gespeichert [4480432/4480432]

1 der 1 vom Template benötigten Dateien gefunden '
»debian-8.0.0-amd64-netinst.iso« wurde erfolgreich erzeugt

-----------------------------------------------------------------
Finished!
The fact that you got this far is a strong indication that `debian-8.0.0-amd64-netinst.iso'
was generated correctly. I will perform an additional, final check,
which you can interrupt safely with Ctrl-C if you do not want to wait.

OK: Prüfsummen stimmen überein, Image-Datei ist in Ordnung!
jigdo-lite --noask 3.90s user 7.87s system 4% cpu 4:50.47 total
This worked out fine. Now I can test upgrading "oldoldstable" to "stable". The installation succeeded.
Aptitude
This CLI and GUI interface adds, in my opinion, some essential features to the apt ecosystem.
It offers search patterns that are very useful.
Example: identify installed packages from "Debian Backports", using the shorthands for:
- ?installed, ~i: Matches package versions which are currently installed. Since all versions are tested by default, this normally matches packages which are currently installed.
- ?narrow(filter, pattern), ~S filter pattern: This term “narrows” the search to package versions matching filter. In particular, it matches any package version which matches both filter and pattern. The string value of the match is the string value of pattern.
- ?origin(origin), ~Oorigin: Matches package versions whose origin matches the regular expression origin. For instance, “!?origin(debian)” will find any unofficial packages on your system (packages not from the Debian archive).
netcfg.cfg
To force a downgrade, set the priority of the stable codename above 990 (to force the install). Example preference for a downgrade:
Open aptitude and search for ~Vbpo to identify once again all packages from backports, and select the packages to be downgraded by pressing +. They will be marked as to be downgraded (i W) in orange.
Don't forget to remove the preferences afterwards.
Preseeding
wiki.debian.org - https://wiki.debian.org/DebianInstaller/Preseed
preseed.debian.net - Debian preseeds - all the possibilities
It's not a bad idea to have some knowledge about preseeding Debian via the installer, even if you are using a newer, smart and fancy higher-level technology. In the end it probably boils down to PXE and preseeding/kickstart.
You may want to end up in having
- the configuration management client installed and ready
- and a user that is able to connect to the server.
Extract preseed information
Install a Debian VM manually (as a kind of template).
Extract the preseed information from this VM; this spares you some of the decisions.
Formatting
Filter your export and format it a bit more readable
Revert the intermediate format to the original export format with tabs, if you like …
Serve the preseed via webserver
Serve preseed.cfg
/etc/apache2/sites-available/preseed.conf
<VirtualHost *:80>
    ServerAdmin webmaster@rockstable.it

    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/preseed_error.log
    CustomLog ${APACHE_LOG_DIR}/preseed_access.log combined

    Alias /ps /var/www/preseed
    Alias /preseed /var/www/preseed
    <Directory /var/www/preseed>
        Require all granted
        Options +Indexes
    </Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Enable preseed.conf
For convenience I created a symlink during testing.
ln -s ../preseed/bullseye-fs1.cfg fs1
Custom configuration
Start with the example preconfiguration file (for bullseye)
Prepare a directory structure
mkdir -p /var/www/preseed/example
cd /var/www/preseed
# -P sets the download directory (lowercase -p would fetch page requisites instead)
wget -P example 'https://www.debian.org/releases/testing/example-preseed.txt'
wget -P example 'https://preseed.debian.net/debian-preseed/bullseye/amd64-main-full.txt'
cp example/example-preseed.txt base-preseed.cfg
touch {netcfg,partman,passwd}.cfg
After a change concatenate all files to the final config.
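The concatenation step as a small build script, added here as an example that is not part of these notes. It assumes the directory layout just created (/var/www/preseed with base-preseed.cfg, netcfg.cfg, partman.cfg and passwd.cfg) and a web server that serves the result without TLS, as in the Apache configuration above: everything in that file is readable by every host that can reach the server, so the script refuses to publish a file in which a password question is answered in clear text (only the `-crypted` variants carry a crypt(3) hash). The printed md5sum is the value the installer can verify with `preseed/url/checksum`. Function names and the sample fragments in the test are my own.

```shell
#!/bin/bash
# Added example, not from the original notes. Builds <dir>/preseed.cfg from the
# fragment files and lints the result before it is served over plain HTTP.
# Assumed layout: the directory created above, holding base-preseed.cfg,
# netcfg.cfg, partman.cfg and passwd.cfg.
set -eu

# Lint a preseed read from stdin: report malformed lines and any password question
# answered in clear text. Backslash-continued logical lines are handled. Returns 1
# if there is at least one finding, so the caller can stop before publishing.
preseed_lint() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comments and blank lines
        cont { cont = sub(/\\$/, ""); next }                 # remainder of a continued line
        {
            cont = sub(/\\$/, "")                            # does this logical line continue?
            if (NF < 3) {
                printf "line %d: expected \"owner question type [value]\"\n", NR; bad++
            } else if ($3 == "password" && $2 !~ /-crypted$/ && NF > 3) {
                printf "line %d: cleartext value for %s\n", NR, $2; bad++
            }
        }
        END { exit bad > 0 }
    '
}

# Concatenate the fragments in a fixed order into a staging file, lint it, and only
# then move it into place; print the md5sum for preseed/url/checksum.
preseed_build() {  # args: directory
    local dir="$1" out="$1/preseed.cfg" f
    : > "$out.new"
    for f in base-preseed.cfg netcfg.cfg partman.cfg passwd.cfg; do
        cat "$dir/$f" >> "$out.new"
    done
    if ! preseed_lint < "$out.new"; then
        rm -f "$out.new"
        echo "refusing to publish $out" >&2
        return 1
    fi
    mv "$out.new" "$out"
    md5sum "$out"
}

if [ $# -gt 0 ]; then
    preseed_build "$1"    # e.g. ./preseed_build.sh /var/www/preseed
fi
```

Because the staging file is only renamed after the lint passes, a failed build leaves the previously published preseed.cfg untouched rather than replacing it with a half-written or leaking one.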
Base preseed
/var/www/preseed/base-preseed.cfg
#_preseed_V1
#### Contents of the preconfiguration file (for bullseye)
d-i anna/choose_modules multiselect choose-mirror, network-console, parted-udeb

### Localization
# Preseeding only locale sets language, country and locale.
#d-i debian-installer/locale string en_US


# The values can also be preseeded individually for greater flexibility.
d-i debian-installer/language string de
d-i debian-installer/country string DE
d-i debian-installer/locale string en_US.UTF-8
# Optionally specify additional locales to be generated.
#d-i localechooser/supported-locales multiselect en_US.UTF-8, nl_NL.UTF-8

# Keyboard selection.
d-i keyboard-configuration/xkb-keymap select de
# d-i keyboard-configuration/toggle select No toggling

### Network configuration
# Disable network configuration entirely. This is useful for cdrom
# installations on non-networked devices where the network questions,
# warning and long timeouts are a nuisance.
#d-i netcfg/enable boolean false

# netcfg will choose an interface that has link if possible. This makes it
# skip displaying a list if there is more than one interface.
d-i netcfg/choose_interface select auto

# To pick a particular interface instead:
#d-i netcfg/choose_interface select eth1

# To set a different link detection timeout (default is 3 seconds).
# Values are interpreted as seconds.
#d-i netcfg/link_wait_timeout string 10

# If you have a slow dhcp server and the installer times out waiting for
# it, this might be useful.
#d-i netcfg/dhcp_timeout string 60
#d-i netcfg/dhcpv6_timeout string 60

# If you prefer to configure the network manually, uncomment this line and
# the static network configuration below.
#d-i netcfg/disable_autoconfig boolean true

# If you want the preconfiguration file to work on systems both with and
# without a dhcp server, uncomment these lines and the static network
# configuration below.
#d-i netcfg/dhcp_failed note
#d-i netcfg/dhcp_options select Configure network manually

# Static network configuration.
#
# IPv4 example
#d-i netcfg/get_ipaddress string 192.168.1.42
#d-i netcfg/get_netmask string 255.255.255.0
#d-i netcfg/get_gateway string 192.168.1.1
#d-i netcfg/get_nameservers string 192.168.1.1
#d-i netcfg/confirm_static boolean true
#
# IPv6 example
#d-i netcfg/get_ipaddress string fc00::2
#d-i netcfg/get_netmask string ffff:ffff:ffff:ffff::
#d-i netcfg/get_gateway string fc00::1
#d-i netcfg/get_nameservers string fc00::1
#d-i netcfg/confirm_static boolean true

# Any hostname and domain names assigned from dhcp take precedence over
# values set here. However, setting the values still prevents the questions
# from being shown, even if values come from dhcp.
#d-i netcfg/get_hostname string unassigned-hostname
#d-i netcfg/get_domain string unassigned-domain

# If you want to force a hostname, regardless of what either the DHCP
# server returns or what the reverse DNS entry for the IP is, uncomment
# and adjust the following line.
#d-i netcfg/hostname string somehost

# Disable that annoying WEP key dialog.
d-i netcfg/wireless_wep string
# The wacky dhcp hostname that some ISPs use as a password of sorts.
#d-i netcfg/dhcp_hostname string radish

# If non-free firmware is needed for the network or other hardware, you can
# configure the installer to always try to load it, without prompting. Or
# change to false to disable asking.
#d-i hw-detect/load_firmware boolean true

### Network console
# Use the following settings if you wish to make use of the network-console
# component for remote installation over SSH. This only makes sense if you
# intend to perform the remainder of the installation manually.
#d-i anna/choose_modules string network-console
#d-i network-console/authorized_keys_url string http://10.0.0.1/openssh-key
#d-i network-console/password password r00tme
#d-i network-console/password-again password r00tme

### Mirror settings
# If you select ftp, the mirror/country string does not need to be set.
#d-i mirror/protocol string ftp
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string http://192.168.110.1:3142/

# Suite to install.
#d-i mirror/suite string testing
# Suite to use for loading installer components (optional).
#d-i mirror/udeb/suite string testing

### Account setup
# Skip creation of a root account (normal user account will be able to
# use sudo).
#d-i passwd/root-login boolean false
# Alternatively, to skip creation of a normal user account.
#d-i passwd/make-user boolean false

# Root password, either in clear text
#d-i passwd/root-password password r00tme
#d-i passwd/root-password-again password r00tme
# or encrypted using a crypt(3) hash.
#d-i passwd/root-password-crypted password [crypt(3) hash]

# To create a normal user account.
#d-i passwd/user-fullname string Debian User
#d-i passwd/username string debian
# Normal user's password, either in clear text
#d-i passwd/user-password password insecure
#d-i passwd/user-password-again password insecure
# or encrypted using a crypt(3) hash.
#d-i passwd/user-password-crypted password [crypt(3) hash]
# Create the first user with the specified UID instead of the default.
#d-i passwd/user-uid string 1010

# The user account will be added to some standard initial groups. To
# override that, use this.
#d-i passwd/user-default-groups string audio cdrom video

### Clock and time zone setup
# Controls whether or not the hardware clock is set to UTC.
d-i clock-setup/utc boolean true

# You may set this to any valid setting for $TZ; see the contents of
# /usr/share/zoneinfo/ for valid values.
d-i time/zone string Europe/Berlin

# Controls whether to use NTP to set the clock during the install
d-i clock-setup/ntp boolean true
# NTP server to use. The default is almost always fine here.
#d-i clock-setup/ntp-server string ntp.example.com

### Partitioning
## Partitioning example
# If the system has free space you can choose to only partition that space.
# This is only honoured if partman-auto/method (below) is not set.
#d-i partman-auto/init_automatically_partition select biggest_free

# Alternatively, you may specify a disk to partition. If the system has only
# one disk the installer will default to using that, but otherwise the device
# name must be given in traditional, non-devfs format (so e.g. /dev/sda
# and not e.g. /dev/discs/disc0/disc).
# For example, to use the first SCSI/SATA hard disk:
#d-i partman-auto/disk string /dev/sda
# In addition, you'll need to specify the method to use.
# The presently available methods are:
# - regular: use the usual partition types for your architecture
# - lvm: use LVM to partition the disk
# - crypto: use LVM within an encrypted partition
#d-i partman-auto/method string lvm

# You can define the amount of space that will be used for the LVM volume
# group. It can either be a size with its unit (eg. 20 GB), a percentage of
# free space or the 'max' keyword.
#d-i partman-auto-lvm/guided_size string max

# If one of the disks that are going to be automatically partitioned
# contains an old LVM configuration, the user will normally receive a
# warning. This can be preseeded away...
#d-i partman-lvm/device_remove_lvm boolean true
# The same applies to pre-existing software RAID array:
#d-i partman-md/device_remove_md boolean true
# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true
#d-i partman-lvm/confirm_nooverwrite boolean true

# You can choose one of the three predefined partitioning recipes:
# - atomic: all files in one partition
# - home: separate /home partition
# - multi: separate /home, /var, and /tmp partitions
#d-i partman-auto/choose_recipe select atomic

# Or provide a recipe of your own...
# If you have a way to get a recipe file into the d-i environment, you can
# just point at it.
#d-i partman-auto/expert_recipe_file string /hd-media/recipe

# If not, you can put an entire recipe into the preconfiguration file in one
# (logical) line. This example creates a small /boot partition, suitable
# swap, and uses the rest of the space for the root partition:
#d-i partman-auto/expert_recipe string \
# boot-root :: \
# 40 50 100 ext3 \
# $primary{ } $bootable{ } \
# method{ format } format{ } \
# use_filesystem{ } filesystem{ ext3 } \
# mountpoint{ /boot } \
# . \
# 500 10000 1000000000 ext3 \
# method{ format } format{ } \
# use_filesystem{ } filesystem{ ext3 } \
# mountpoint{ / } \
# . \
# 64 512 300% linux-swap \
# method{ swap } format{ } \
# .

# The full recipe format is documented in the file partman-auto-recipe.txt
# included in the 'debian-installer' package or available from D-I source
# repository. This also documents how to specify settings such as file
# system labels, volume group names and which physical devices to include
# in a volume group.

## Partitioning for EFI
# If your system needs an EFI partition you could add something like
# this to the recipe above, as the first element in the recipe:
# 538 538 1075 free \
# $iflabel{ gpt } \
# $reusemethod{ } \
# method{ efi } \
# format{ } \
# . \
#
# The fragment above is for the amd64 architecture; the details may be
# different on other architectures. The 'partman-auto' package in the
# D-I source repository may have an example you can follow.

# This makes partman automatically partition without confirmation, provided
# that you told it what to do using one of the methods above.
#d-i partman-partitioning/confirm_write_new_label boolean true
#d-i partman/choose_partition select finish
#d-i partman/confirm boolean true
#d-i partman/confirm_nooverwrite boolean true

# Force UEFI booting ('BIOS compatibility' will be lost). Default: false.
#d-i partman-efi/non_efi_system boolean true
# Ensure the partition table is GPT - this is required for EFI
#d-i partman-partitioning/choose_label string gpt
#d-i partman-partitioning/default_label string gpt

# When disk encryption is enabled, skip wiping the partitions beforehand.
252 #d-i partman-auto-crypto/erase_disks boolean false
253
254 ## Partitioning using RAID
255 # The method should be set to "raid".
256 #d-i partman-auto/method string raid
257 # Specify the disks to be partitioned. They will all get the same layout,
258 # so this will only work if the disks are the same size.
259 #d-i partman-auto/disk string /dev/sda /dev/sdb
260
261 # Next you need to specify the physical partitions that will be used.
262 #d-i partman-auto/expert_recipe string \
263 # multiraid :: \
264 # 1000 5000 4000 raid \
265 # $primary{ } method{ raid } \
266 # . \
267 # 64 512 300% raid \
268 # method{ raid } \
269 # . \
270 # 500 10000 1000000000 raid \
271 # method{ raid } \
272 # .
273
274 # Last you need to specify how the previously defined partitions will be
275 # used in the RAID setup. Remember to use the correct partition numbers
276 # for logical partitions. RAID levels 0, 1, 5, 6 and 10 are supported;
277 # devices are separated using "#".
278 # Parameters are:
279 # <raidtype> <devcount> <sparecount> <fstype> <mountpoint> \
280 # <devices> <sparedevices>
281
282 #d-i partman-auto-raid/recipe string \
283 # 1 2 0 ext3 / \
284 # /dev/sda1#/dev/sdb1 \
285 # . \
286 # 1 2 0 swap - \
287 # /dev/sda5#/dev/sdb5 \
288 # . \
289 # 0 2 0 ext3 /home \
290 # /dev/sda6#/dev/sdb6 \
291 # .
292
293 # For additional information see the file partman-auto-raid-recipe.txt
294 # included in the 'debian-installer' package or available from D-I source
295 # repository.
296
297 # This makes partman automatically partition without confirmation.
298 #d-i partman-md/confirm boolean true
299 #d-i partman-partitioning/confirm_write_new_label boolean true
300 #d-i partman/choose_partition select finish
301 #d-i partman/confirm boolean true
302 #d-i partman/confirm_nooverwrite boolean true
303
304 ## Controlling how partitions are mounted
305 # The default is to mount by UUID, but you can also choose "traditional" to
306 # use traditional device names, or "label" to try filesystem labels before
307 # falling back to UUIDs.
308 #d-i partman/mount_style select uuid
309
310 ### Base system installation
311 # Configure APT to not install recommended packages by default. Use of this
312 # option can result in an incomplete system and should only be used by very
313 # experienced users.
314 #d-i base-installer/install-recommends boolean false
315
316 # The kernel image (meta) package to be installed; "none" can be used if no
317 # kernel is to be installed.
318 d-i base-installer/kernel/image string linux-image-amd64
319
320 ### Apt setup
321 # You can choose to install non-free and contrib software.
322 #d-i apt-setup/non-free boolean true
323 #d-i apt-setup/contrib boolean true
324 # Uncomment this if you don't want to use a network mirror.
325 #d-i apt-setup/use_mirror boolean false
326 # Select which update services to use; define the mirrors to be used.
327 # Values shown below are the normal defaults.
328 #d-i apt-setup/services-select multiselect security, updates
329 #d-i apt-setup/security_host string security.debian.org
330
331 # Additional repositories, local[0-9] available
332 #d-i apt-setup/local0/repository string \
333 # http://local.server/debian stable main
334 #d-i apt-setup/local0/comment string local server
335 # Enable deb-src lines
336 #d-i apt-setup/local0/source boolean true
337 # URL to the public key of the local repository; you must provide a key or
338 # apt will complain about the unauthenticated repository and so the
339 # sources.list line will be left commented out.
340 #d-i apt-setup/local0/key string http://local.server/key
341 # If the provided key file ends in ".asc" the key file needs to be an
342 # ASCII-armoured PGP key, if it ends in ".gpg" it needs to use the
343 # "GPG key public keyring" format, the "keybox database" format is
344 # currently not supported.
345
346 # By default the installer requires that repositories be authenticated
347 # using a known gpg key. This setting can be used to disable that
348 # authentication. Warning: Insecure, not recommended.
349 #d-i debian-installer/allow_unauthenticated boolean true
350
351 # Uncomment this to add multiarch configuration for i386
352 #d-i apt-setup/multiarch string i386
353
354
355 ### Package selection
356 #tasksel tasksel/first multiselect standard, web-server, kde-desktop
357 #d-i tasksel/first multiselect SSH server, standard system utilities
358 #d-i tasksel/first multiselect ssh-server, standard
359 taskel tasksel/first multiselect ssh-server, standard
360
361 # Individual additional packages to install
362 d-i pkgsel/include string \
363 apt-file aptitude bash-completion byobu btrfs-progs ca-certificates curl \
364 dmidecode dosfstools git gpm htop iftop info iotop jq libcrack2 locales \
365 lsb-release lsof man-db mc mlocate openssl parted pigz psmisc pv \
366 pwgen python3-apt rsync screen sqlite3 ssl-cert strace sudo \
367 sysstat tmux vim wget zsh
368 # Whether to upgrade packages after debootstrap.
369 # Allowed values: none, safe-upgrade, full-upgrade
370 d-i pkgsel/upgrade select full-upgrade
371
372 # Some versions of the installer can report back on what software you have
373 # installed, and what software you use. The default is not to report back,
374 # but sending reports helps the project determine what software is most
375 # popular and should be included on the first CD/DVD.
376 popularity-contest popularity-contest/participate boolean true
377
378 ### Boot loader installation
379 # Grub is the boot loader (for x86).
380
381 # This is fairly safe to set, it makes grub install automatically to the UEFI
382 # partition/boot record if no other operating system is detected on the machine.
383 d-i grub-installer/only_debian boolean true
384
385 # This one makes grub-installer install to the UEFI partition/boot record, if
386 # it also finds some other OS, which is less safe as it might not be able to
387 # boot that other OS.
388 d-i grub-installer/with_other_os boolean true
389
390 # Due notably to potential USB sticks, the location of the primary drive can
391 # not be determined safely in general, so this needs to be specified:
392 #d-i grub-installer/bootdev string /dev/sda
393 # To install to the primary device (assuming it is not a USB stick):
394 d-i grub-installer/bootdev string default
395 #d-i grub-installer/choose_bootdev select /dev/vda
396
397 # Alternatively, if you want to install to a location other than the UEFI
398 # parition/boot record, uncomment and edit these lines:
399 #d-i grub-installer/only_debian boolean false
400 #d-i grub-installer/with_other_os boolean false
401 #d-i grub-installer/bootdev string (hd0,1)
402 # To install grub to multiple disks:
403 #d-i grub-installer/bootdev string (hd0,1) (hd1,1) (hd2,1)
404
405 # Optional password for grub, either in clear text
406 #d-i grub-installer/password password r00tme
407 #d-i grub-installer/password-again password r00tme
408 # or encrypted using an MD5 hash, see grub-md5-crypt(8).
409 #d-i grub-installer/password-crypted password [MD5 hash]
410
411 # Use the following option to add additional boot parameters for the
412 # installed system (if supported by the bootloader installer).
413 # Note: options passed to the installer will be added automatically.
414 d-i debian-installer/add-kernel-opts string zswap.enabled=1
415
416
417 ### Finishing up the installation
418 # During installations from serial console, the regular virtual consoles
419 # (VT1-VT6) are normally disabled in /etc/inittab. Uncomment the next
420 # line to prevent this.
421 #d-i finish-install/keep-consoles boolean true
422
423 # Avoid that last message about the install being complete.
424 d-i finish-install/reboot_in_progress note
425
426 # This will prevent the installer from ejecting the CD during the reboot,
427 # which is useful in some situations.
428 #d-i cdrom-detect/eject boolean false
429
430 # This is how to make the installer shutdown when finished, but not
431 # reboot into the installed system.
432 #d-i debian-installer/exit/halt boolean true
433 # This will power off the machine instead of just halting it.
434 #d-i debian-installer/exit/poweroff boolean true
435
436 ### Preseeding other packages
437 # Depending on what software you choose to install, or if things go wrong
438 # during the installation process, it's possible that other questions may
439 # be asked. You can preseed those too, of course. To get a list of every
440 # possible question that could be asked during an install, do an
441 # installation, and then run these commands:
442 # debconf-get-selections --installer > file
443 # debconf-get-selections >> file
444
445
446 #### Advanced options
447 ### Running custom commands during the installation
448 # d-i preseeding is inherently not secure. Nothing in the installer checks
449 # for attempts at buffer overflows or other exploits of the values of a
450 # preconfiguration file like this one. Only use preconfiguration files from
451 # trusted locations! To drive that home, and because it's generally useful,
452 # here's a way to run any shell command you'd like inside the installer,
453 # automatically.
454
455 # This first command is run as early as possible, just after
456 # preseeding is read.
457 #d-i preseed/early_command string anna-install some-udeb
458 # This command is run immediately before the partitioner starts. It may be
459 # useful to apply dynamic partitioner preseeding that depends on the state
460 # of the disks (which may not be visible when preseed/early_command runs).
461 #d-i partman/early_command \
462 # string debconf-set partman-auto/disk "$(list-devices disk | head -n1)"
463 # This command is run just before the install finishes, but when there is
464 # still a usable /target directory. You can chroot to /target and use it
465 # directly, or use the apt-install and in-target commands to easily install
466 # packages and run commands in the target system.
467 #d-i preseed/late_command string apt-install zsh; in-target chsh -s /bin/zsh
468
469
470 ### CUSTOM
471 # Restart services during package upgrades without asking?
472 d-i libraries/restart-without-asking boolean true
473 d-i libpam0g/restart-services string cron
474 #d-i glibc/restart-services string
475 #d-i libssl1.1/restart-services string
476 libc6 libraries/restart-without-asking boolean false
477 #libc6:amd64 libraries/restart-without-asking boolean false
478 #libpam0g:amd64 libraries/restart-without-asking boolean false
479
Netcfg
/var/www/preseed/netcfg.cfg
#d-i anna/choose_modules string network-console
d-i network-console/authorized_keys_url string http://192.168.110.1/preseed/authorized_keys
#d-i network-console/password password r00tme
#d-i network-console/password password r00tme
#d-i network-console/password-again password r00tme
#d-i netcfg/choose_interface select
d-i netcfg/confirm_static boolean true
#d-i netcfg/dhcp_failed note
#d-i netcfg/dhcp_hostname string
d-i netcfg/dhcp_options select Configure network manually
d-i netcfg/dhcp_timeout string 25
d-i netcfg/dhcpv6_timeout string 15
d-i netcfg/disable_autoconfig boolean false
d-i netcfg/disable_dhcp boolean false
d-i netcfg/enable boolean true
#d-i netcfg/error error
#d-i netcfg/gateway_unreachable error
#d-i netcfg/get_gateway string
#d-i netcfg/get_ipaddress string
#d-i netcfg/get_nameservers string
#d-i netcfg/get_netmask string
#d-i netcfg/get_pointopoint string
#d-i netcfg/hostname string
#d-i netcfg/invalid_essid error
#d-i netcfg/invalid_hostname error
#d-i netcfg/invalid_pass error
#d-i netcfg/invalid_wep error
#d-i netcfg/kill_switch_enabled note
d-i netcfg/link_wait_timeout string 3
#d-i netcfg/no_default_route boolean
#d-i netcfg/no_dhcp_client error
#d-i netcfg/no_interfaces error
#d-i netcfg/no_ipv6_pointopoint error
d-i netcfg/target_network_config select ifupdown
d-i netcfg/use_autoconfig boolean true
d-i netcfg/wireless_adhoc_managed select Infrastructure (Managed) network
#d-i netcfg/wireless_essid_again string
#d-i netcfg/wireless_essid string
d-i netcfg/wireless_security_type select wpa
#d-i netcfg/wireless_show_essids select
#d-i netcfg/wireless_wep string
#d-i netcfg/wireless_wpa string
#d-i netcfg/wpa_supplicant_failed note

### MAKE NETCFG RUN AGAIN WHEN PRESEED-FILE WAS LOADED OVER NETWORK
#d-i preseed/run string http://192.168.110.1/ps/restart-netcfg.sh
d-i preseed/early_command string kill-all-dhcp; netcfg
Network config over the network
When the preseed file is loaded over the network, netcfg has already run (it needed a working network to fetch the file in the first place). The preseeded values are not lost, though: you can force network configuration to run again from within the preseed file, and this second run uses the preseeded values.
Command solution
If you are preseeding over the network, you can use a preseed/early_command instead of an external script, which can be as simple as:
d-i preseed/early_command string kill-all-dhcp; netcfg
If it is really necessary to load a shell script, use a more complex command to retrieve and execute it.
Debian solution
My recommendation is to use the #Command solution.
There is a trick described in the
Debian GNU/Linux Installation Guide - Network configuration.
Create a shell script to be called by the preseed configuration.
/var/www/preseed/restart-netcfg.sh
kill-all-dhcp; netcfg
And point the preseed/run line in
/var/www/preseed/netcfg.cfg
at it (the line is shown commented out in the netcfg.cfg listing above).
But a shell script of MIME type text/x-sh cannot be loaded when d-i mirror/http/proxy is set to an apt-cacher-ng server, because the shell environment variable http_proxy is then set to that URL and apt-cacher-ng refuses to serve such a file, which is the right behaviour in my opinion.
There are several ancient bugs about this.
Hostname and Domainname
Names are assigned to the machine via DHCP or reverse DNS, so make sure you have registered a static lease for the MAC address.
Alternatively, create
/var/www/preseed/dc2.cfg
and generate a host-specific configuration by concatenating the non-comment lines of both files (for a question set in both, the later line from dc2.cfg wins, because debconf-set-selections applies the lines in order):
grep -h '^[^#]' bullseye.cfg dc2.cfg > bullseye-dc2.cfg
Passwd
The hashes have been generated with mkpasswd from the package whois.
Providing secrets this way is inevitably insecure. Please change the password after preseeding.
/var/www/preseed/passwd.cfg
### Account setup
# Skip creation of a root account (normal user account will be able to
# use sudo).
#d-i passwd/root-login boolean false
# Alternatively, to skip creation of a normal user account.
#d-i passwd/make-user boolean false

# Root password, either in clear text
#d-i passwd/root-password password r00tme
#d-i passwd/root-password-again password r00tme
# or encrypted using a crypt(3) hash.
#d-i passwd/root-password-crypted password [crypt(3) hash]
#d-i passwd/root-password-crypted password $(mkpasswd -m sha512crypt)
d-i passwd/root-password-crypted password $6$tAw5x69a6TedGlSA$4V7oY/zC6Q4PylHk0kP0zRvL9KRnTgz4n379elsUAcEftxnHf2JW3qlUXKDIIcMjNuS31vglQ72bUqT3EUEsx1

# To create a normal user account.
d-i passwd/user-fullname string Tobias Stein
d-i passwd/username string tobias

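Two things on this page lend themselves to a worked example: the grep merge that builds a host-specific configuration from bullseye.cfg and dc2.cfg (Hostname and Domainname), and the warnings scattered through the preseed comments about plaintext passwords, MD5-crypt hashes, allow_unauthenticated and keys or authorized_keys fetched over plain HTTP. The Python script below is an added example written for this page; it is not part of the page, of the author's setup or of debian-installer. It parses the debconf-set-selections syntax (comments, backslash continuation), merges several files so that a later line for the same question replaces an earlier one (the effect of applying the concatenated file), writes the result back out, and lints it for the weak settings named above. The sample configurations, host name, hash strings and addresses in it are constructed; the question names are those used on this page, except preseed/include, a standard d-i question not shown here.

```python
"""Parse, merge and lint Debian preseed files (debconf-set-selections syntax).
Added example for this page; the sample configurations below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Questions whose value is fetched by the installer at install time.
URL_QUESTIONS = frozenset({"network-console/authorized_keys_url", "preseed/run", "preseed/include"})
# Questions whose value is executed as shell inside the installer.
COMMAND_HOOKS = frozenset({"preseed/early_command", "partman/early_command",
                           "preseed/late_command", "preseed/run"})


@dataclass(frozen=True)
class Entry:
    """One debconf selection: owner, question, type and (possibly empty) value."""
    owner: str
    question: str
    qtype: str
    value: str


def parse_preseed(text: str) -> list[Entry]:
    """Skip '#' comments and blank lines; a trailing backslash joins the next
    physical line onto the current logical line, as in the page's pkgsel/include."""
    entries: list[Entry] = []
    pending: str | None = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if pending is None:
            if not stripped or stripped.startswith("#"):
                continue
            pending = stripped
        else:
            pending = f"{pending} {stripped}"
        if pending.endswith("\\"):
            pending = pending[:-1].rstrip()
            continue
        parts = pending.split(None, 3)  # owner question type [value]
        pending = None
        if len(parts) < 3:
            raise ValueError(f"malformed preseed line: {stripped!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3] if len(parts) == 4 else ""))
    if pending is not None:
        raise ValueError("file ends inside a continued line")
    return entries


def merge(*sources: str) -> dict[str, Entry]:
    """Apply sources in order; a later line for the same question replaces an
    earlier one regardless of owner, since debconf stores one value per question."""
    merged: dict[str, Entry] = {}
    for src in sources:
        for entry in parse_preseed(src):
            merged[entry.question] = entry
    return merged


def render(entries: dict[str, Entry]) -> str:
    """Write the merged selections back out, one logical line each."""
    return "\n".join(f"{e.owner} {e.question} {e.qtype} {e.value}".rstrip()
                     for e in entries.values()) + "\n"


def _fetched_by_installer(question: str) -> bool:
    return question in URL_QUESTIONS or (question.startswith("apt-setup/local") and question.endswith("/key"))


def lint(entries: dict[str, Entry]) -> list[tuple[str, str, str]]:
    """Return (severity, question, message) for settings the example preseed's
    own comments call insecure or weak."""
    findings: list[tuple[str, str, str]] = []
    for question, e in sorted(entries.items()):
        if e.qtype == "password":
            if "crypted" not in question:
                findings.append(("high", question, "plaintext password stored in the preseed file"))
            elif e.value.startswith("$1$"):
                findings.append(("medium", question, "MD5-crypt hash; prefer sha512crypt ($6$) or yescrypt ($y$)"))
            elif not e.value.startswith("$"):
                findings.append(("medium", question, "crypted value is not a crypt(3) hash"))
        if question == "debian-installer/allow_unauthenticated" and e.value.lower() == "true":
            findings.append(("high", question, "APT signature verification disabled"))
        if _fetched_by_installer(question) and e.value.lower().startswith("http://"):
            findings.append(("medium", question, "fetched over plain HTTP, not integrity-protected in transit"))
        if question in COMMAND_HOOKS:
            findings.append(("info", question, "runs shell inside the installer; review the command"))
    return findings


# Constructed sample in the role of bullseye.cfg (hash and address are placeholders).
BASE_CFG = """\
d-i passwd/root-password-crypted password $6$constructedsalt$constructedhash
d-i passwd/user-fullname string Example User
d-i network-console/authorized_keys_url string http://192.0.2.10/preseed/authorized_keys
d-i pkgsel/include string \\
    sudo vim \\
    zsh
#d-i debian-installer/allow_unauthenticated boolean true
d-i libraries/restart-without-asking boolean true
libc6 libraries/restart-without-asking boolean false
d-i finish-install/reboot_in_progress note
"""

# Constructed sample in the role of dc2.cfg, the host-specific override.
HOST_CFG = """\
d-i netcfg/hostname string dc2
d-i grub-installer/password-crypted password $1$constructed$md5hash
d-i passwd/root-password password r00tme
"""

if __name__ == "__main__":
    merged = merge(BASE_CFG, HOST_CFG)
    print(render(merged))
    for severity, question, message in lint(merged):
        print(f"[{severity}] {question}: {message}")
```

Run against real files, `merge(open("bullseye.cfg").read(), open("dc2.cfg").read())` gives the same result as the grep pipeline above while showing which lines the override actually replaced, and the lint output is the list of settings to review before the file is served to the installer.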