Debian
Contents
-
Debian
- About
- Base system from scratch
- Extending to a hypervisor
- Some more filesystem
- ksmtuned
- OpenvSwitch
- Firewalling
- Performance
- Security
- Plymouth
- Debian CD-Image with jigdo
- Aptitude
- Preseeding
- LVM
About
Releases
Base system from scratch
Remote system is a dedicated root server in the Hetzner datacenter. Only a live linux amd64 is running and it's reachable by ssh with pubkey auth. We got the option to restart/reset the live linux or boot into the new system. So the logs of the new system is all information we can get (besides the status: running/stopped).
Partitioning
Debian partman units
Offtopic (debian-installer) but nice to know.
Hint: Debian partman units
Debian partman does not support binary units like !KiB, !MiB or !GiB. All units are SI units based on 10. Default unit (no unit) is "1m" aligned to the next cylinder (1Mib).
The sizes of the partitions will not be what you expect.
To achieve correct sizes to may:
partition manually with parted in a separate shell and enter partman when done.
- enter the sizes in byte with unit "b" or "B" (don't leave it away) Some examples:
Create the partitions on the first disk
Aline it ot the full 1 MiB/Cylinder (MegaByte binary), because
- this allows aligned read/writes. Otherwise it will degrade performance significantly.
- this is a power of 2 (1, 2, 4(MEMORY PAGESIZE), 8, ...2^n)KiB. This means if you want to stripe or change some cluster sizes, it will always match (if less).
The boot-partition should be at least 256MiB, initial ram-disks can be large.
(vmlinuz 6MiB + initrd 50MiB + system-map 4MiB) = 60MiB/Kernel So max 3 Kernels …
1 parted
2 GNU Parted 3.2
3 Using /dev/sda
4 Welcome to GNU Parted! Type 'help' to view a list of commands.
5 (parted) unit MiB
6 (parted) print free
7 Model: ATA HGST HUS726060AL (scsi)
8 Disk /dev/sda: 5723167MiB
9 Sector size (logical/physical): 512B/4096B
10 Partition Table: gpt
11 Disk Flags:
12
13 Number Start End Size File system Name Flags
14 0.02MiB 1.00MiB 0.98MiB Free Space
15 1 1.00MiB 2.00MiB 1.00MiB bios_grub_sda bios_grub
16 2 2.00MiB 256MiB 254MiB fat16 EFI_sda boot, esp
17 3 256MiB 131072MiB 130816MiB swap1_sda raid
18 4 131072MiB 5723166MiB 5592094MiB btrfs root_sda
19 5723166MiB 5723167MiB 0.98MiB Free Space
Clone GPT to other disk
1 sgdisk /dev/sda -R /dev/sdb
Create a multidisk RAID1 as swap
Filesystems
1 ### CREATE FILESYSTEM
2 mkfs.btrfs -L rootfs --data raid1 --metadata raid1 /dev/sda4 /dev/sdb4
3
4 ### CREATE SUBVOLUMES
5 mount -o noatime,compress=lzo,space_cache,autodefrag /dev/sdb4 /mnt
6 btrfs subvolume create /mnt/root
7 btrfs subvolume create /mnt/home
8
9 btrfs subvolume list /mnt
10 ID 258 gen 8 top level 5 path root
11
12 btrfs subvolume get-default /mnt/
13 ID 5 (FS_TREE)
14 btrfs subvolume set-default 258 /mnt
15
16 umount /mnt
17 mount -o noatime,compress=lzo,space_cache,autodefrag /dev/sdb4 /mnt
18 mount -t btrfs
19 /dev/sda4 on /mnt type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root)
20
21 debootstrap buster /mnt http://ftp.de.debian.org/debian
Migrate data to subvolumes
1 umount /mnt
2 mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/ /dev/sdb4 /mnt
3
4 btrfs subvolume create /mnt/home
5
6 btrfs subvolume snapshot /mnt/root/ /mnt/var_log
7 find /mnt/var_log -mindepth 1 -maxdepth 1 \! -name var | xargs rm -r --
8 mv /mnt/var_log/var/log/* /mnt/var_log/; rm -r /mnt/var_log/var/
9 find /mnt/root/var/log -mindepth 1 -maxdepth 1 | xargs rm -r --
10
11 mount -o noatime,compress=lzo,space_cache,autodefrag /dev/sdb4 /mnt
12 mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/home /dev/sdb4 /mnt/home
13 mount -o noatime,compress=lzo,space_cache,autodefrag,subvol=/var_log /dev/sdb4 /mnt/var/log/
14
15 mount -t btrfs
16 /dev/sda4 on /mnt type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root)
17 /dev/sda4 on /mnt/home type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=261,subvol=/home)
18 /dev/sda4 on /mnt/var/log type btrfs (rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=262,subvol=/var_log)
Prepare EFI filesystems
Unnecessary - just skip EFI.
fstab
Make sure to use FS-UUIDS and no devices in fstab
1 blkid
2 /dev/sdb4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" UUID_SUB="d65eac71-86ca-45e0-b59a-7c872de54e59" TYPE="btrfs" PARTLABEL="root_sdb" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
3 /dev/loop0: UUID="40c4ea95-0ecc-4c51-9f3e-e49d8f62f160" TYPE="ext2"
4 /dev/sda1: PARTLABEL="bios_grub_sda" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
5 /dev/sda2: SEC_TYPE="msdos" LABEL_FATBOOT="EFI" LABEL="EFI" UUID="8AC4-4574" TYPE="vfat" PARTLABEL="EFI_sda" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
6 /dev/sda3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" UUID_SUB="9e9e8cf9-9b01-6128-e2b6-acf8e04e7e9e" LABEL="rescue:md_swap1" TYPE="linux_raid_member" PARTLABEL="swap1_sda" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
7 /dev/sda4: LABEL="rootfs" UUID="0cc274fd-4cb8-4cc7-9f60-f59de41f6891" UUID_SUB="6c72fb67-6c5d-40bc-a4b4-dd34199a1d2b" TYPE="btrfs" PARTLABEL="root_sda" PARTUUID="20199b69-b0a7-4151-9dd1-83c741d580a0"
8 /dev/sdb1: PARTLABEL="bios_grub_sdb" PARTUUID="1db5c109-b489-4466-8d51-23ef189253b7"
9 /dev/sdb2: PARTLABEL="EFI_sdb" PARTUUID="14827a48-5a73-4012-bd28-176d365bd903"
10 /dev/sdb3: UUID="4b81ee7b-00bb-3ce6-e83d-c0c00c449861" UUID_SUB="981dfa0d-6584-2576-a51a-02102935a87b" LABEL="rescue:md_swap1" TYPE="linux_raid_member" PARTLABEL="swap1_sdb" PARTUUID="95586f2b-45ac-478a-8481-fd176f16cbb5"
11 /dev/md127: LABEL="md_swap1" UUID="87294740-52c4-4557-b838-ddc44ba8aa4b" TYPE="swap"
Edit fstab to reflect new structure of filesystem
1 cat /etc/fstab
2 # /etc/fstab: static file system information.
3 #
4 # Use 'blkid' to print the universally unique identifier for a
5 # device; this may be used with UUID= as a more robust way to name devices
6 # that works even if disks are added and removed. See fstab(5).
7
8 #<file_system> <mount_point> <type> <options> <dump> <pass>
9 UUID=87294740-52c4-4557-b838-ddc44ba8aa4b none swap sw 0 0
10 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 / btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root 0 1
11 UUID=8AC4-4574 /boot/EFI vfat utf8 0 0
12 UUID=B3B5-67FA /boot/EFI_SDB vfat utf8 0 0
13 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /home btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=261,subvol=/home 0 0
14 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/log btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=262,subvol=/var_log 0 2
Validate fstab
Chroot into new system
Basic Configuration
Adjust hostname and Mailname
Please see also Names#hostnames on this topic.
Reconfigure the hostname and exec a new shell
Adjust hosts
/etc/hosts
Please make sure the canonical name/FQDN is listed in front of any additional aliases or the server may not be able to determine its own domain. Further a canonical name/FQDN should not point to the loopback (lo) interface of the server.
Adjust timezone
Configure apt-sources
1 cat /etc/apt/sources.list
2 deb http://ftp.de.debian.org/debian buster main contrib non-free
3 deb-src http://ftp.de.debian.org/debian/ buster main contrib non-free
4 deb http://ftp.de.debian.org/debian/ buster-updates main contrib non-free
5 deb-src http://ftp.de.debian.org/debian/ buster-updates main contrib non-free
6 deb http://security.debian.org/debian-security/ buster/updates main contrib non-free
7 deb-src http://security.debian.org/debian-security/ buster/updates main contrib non-free
8 #deb http://ftp.de.debian.org/debian/ buster-backports main contrib non-free
9 #deb-src http://ftp.de.debian.org/debian/ buster-backports main contrib non-free
10
Pinning: apt_preferences
If you create a preferences file like /etc/apt/preferences{,.d/filename{,.pref}} make sure the Pinning blocks are separated by a line, which must not contain any whitespace characters or apt will not respect your preference.
This example has cause (invisible) problems with the ^I Tab-characters between the blocks!
Check preferences:
1 apt-cache policy|grep -C1 release
Some notes regarding preferences
If you are using multiple codenames on one system at once (e.g. Buster: 500, Bullseye: 400) you should change the priority of the respective backports to be slightly less than their corresponding codename (e.g. Buster: 490, Bullseye: 390).
Background: If you left them at 100 (default) and you install a package from backports explicitly like an updated kernel, it will be upgraded to the codename with the higher priority when a package of the same name but a higher version is available there. This may not be what you intended.
Debian codenames with suffixes or from debian security should have the same priority as the main codename. This ensures you have the most recent and secure version installed.
If you are switching between packages from different codenames, make sure to mark dependencies as "Installed Automatically" A ("M" in aptitude). Or manually installed packages that are not required by any other manually installed package will end up as garbage. Garbage can be identified using:
1 aptitude search '~g'
Add some essential packages
1 apt install \
2 apt-file aptitude bash-completion byobu btrfs-progs ca-certificates curl \
3 dmidecode dosfstools git gpm htop iftop info iotop jq libcrack2 locales \
4 lsb-release lsof man-db mc mlocate openssl parted pigz psmisc pv \
5 pwgen python-apt python3-apt rsync screen sqlite3 ssl-cert strace sudo \
6 sysstat tmux vim wget zsh
Configure locales
1 dpkg-reconfigure locales
Configure vim
Adjust it to your needs like in vim
zsh grml-flavoured
I strongly recommend this config! It's simply awesome. Thanks for this!
Networking
ifupdown vs. ifupdown2
Cons
ifupdown2 currently does not support the interfaces-keyword metric provided by ifmetric, which is still required as a package. If you get multiple default routes e.g. via dhcp-client and you don't have access to ifupdown >= 1.2.7-1, you should stick with ifupdown.
1.2.5-1 supports metric but has Bug 930839
- 1.2.7-1 Fixed, working.
- Changing is service interrupting
Pros
New command ifreload which can change
status of interfaces without taking them down.
Install ifupdown2
You better do it in a tmux session, because ssh-session will break and won't return.
Use Enter ~ . to terminate frozen ssh-clients. Help about ssh escape commands: Enter ~ ?
Predictable device names
www.freedesktop.org: PredictableNetworkInterfaceNames
Let's predict some names.
Okay, so PCI-Address is 00:1f.6
Bus:Device.Function (BDF)
BUS: 0 Device/Slot: 31 = 1*16¹ + 15*16⁰ Function: 6
access.redhat.com: Understanding the predictable network interface device names
So we predict the interface name to be: enp0s31f6 = "en" + "p" + "0" + s + "31" + "f" + "6"
On Upgrade to buster
If the freshly upgraded system still has old interface naming scheme, you may wish to upgrade. To achieve this, you have to remove /etc/udev/rules.d/80-net-setup-link.rules as well as /etc/systemd/network/50-virtio-kernel-names.link and rebuild your initial-ramdisks.
Please also read: /usr/share/doc/udev/README.Debian.gz
Configure interfaces
1 cat /etc/network/interfaces
2 # interfaces(5) file used by ifup(8) and ifdown(8)
3
4 auto lo
5 iface lo inet loopback
6
7 auto enp0s31f6
8 iface enp0s31f6 inet static
9 address 195.201.246.253/26
10 address 2a01:4f8:231:702::2/64
11 gateway 195.201.246.193
12
13 # Include files from /etc/network/interfaces.d:
14 source-directory /etc/network/interfaces.d
Check the configuration of the DNS-resolver
Install openssh-server
1 aptitude install openssh-server ssh-askpass openssh-client
If you skipped the step of setting up the hostname your should renew the hostkeys or edit the wrong comment.
Make sure ssh-server starts on boot
Embed pubkey for authentication
Make sure root can login via pubkey-auth (default is fine)
Prepare boot
Just forget about EFI-boot in situations where you can't control that machines UEFI/BIOS and stick with grub-pc.
Last safetys infront of reboot
Make sure MD-RAID reassebles on next boot
If you assembled the RAID array earlier in the live system, you will have to change the name configuration from the live systems hostname to your new one.
1 cat /etc/mdadm/mdadm.conf
2 # mdadm.conf
3 #
4 # !NB! Run update-initramfs -u after updating this file.
5 # !NB! This will ensure that initramfs has an uptodate copy.
6 #
7 # Please refer to mdadm.conf(5) for information about this file.
8 #
9
10 # by default (built-in), scan all partitions (/proc/partitions) and all
11 # containers for MD superblocks. alternatively, specify devices to scan, using
12 # wildcards if desired.
13 #DEVICE partitions containers
14
15 # automatically tag new arrays as belonging to the local system
16 HOMEHOST <system>
17
18 # instruct the monitoring daemon where to send mail alerts
19 MAILADDR root
20
21 # definitions of existing MD arrays
22 ARRAY /dev/md/md_swap1 metadata=1.2 UUID=4b81ee7b:00bb3ce6:e83dc0c0:0c449861 name=kvm2:md_swap1
23
24 # This configuration was auto-generated on Wed, 22 May 2019 09:56:16 +0000 by mkconf
25
Create new mdadm.conf
If there is no file your can create a new one which at least assemles your md-arrays on boot.
1 mdadm --detail --scan >> /etc/mdadm/mdadm.conf
WELL, GOOD LUCK
1 shutdown -r now
Extending to a hypervisor
Some more filesystem
Moving libvirt to own subvolume
1 ### CREATE A MOUNT POINT
2 mkdir /media/btrfs5
3 ### MOUNT ROOT SUBVOLUME TO THIS MOUNT POINT
4 mount -o rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=5,subvol=/ \
5 /dev/sda4 /media/btrfs5
6 ### STOP LIBVIRTD
7 systemctl stop libvirtd.service
8 ### CHECK FOR OPEN INODES
9 lsof /var/lib/libvirt
10 ### CREATE A SNAPSHOT OF THE FILESYSTEM "root"
11 ### AND NAME IT "var_lib_libvirt"
12 btrfs subvolume snapshot \
13 /media/btrfs5/root \
14 /media/btrfs5/var_lib_libvirt
15 ### LIST SUBVOLUMES
16 btrfs subvol list /media/btrfs5/
17 ID 258 gen 4933 top level 5 path root
18 ID 261 gen 1520 top level 5 path home
19 ID 262 gen 4933 top level 5 path var_log
20 ID 265 gen 4933 top level 5 path var_lib_libvirt
21 ### MOUNT FRESHLY CREATED SUBVOLUME TO /var/lib/libvirt
22 mount -o rw,noatime,compress=lzo,space_cache,autodefrag,subvol=/var_lib_libvirt \
23 /dev/sda4 /var/lib/libvirt
24 ### DELETE EVERYTHING BELOW THE NEW MOUNT POINT
25 ### WHOSE NAME IS NOT "var" RECURSIVELY
26 find /media/btrfs5/var_lib_libvirt \
27 -mindepth 1 -maxdepth 1 \! -name var \
28 |xargs rm -r --
29 ### MOVE CONTENTS OF THE SUBDIR libvirt
30 ### TO TOP-LEVEL OF THE SUBVOLUME
31 mv /media/btrfs5/var_lib_libvirt/var/lib/libvirt/* \
32 /media/btrfs5/var_lib_libvirt
33 ### DELETE var IN SUBVOLUME RECURSIVELY
34 rm -r /media/btrfs5/var_lib_libvirt/var
35 ### DELETE CONTENT OF libvirt IN THE ROOT-SUBVOLUME RECURSIVELY
36 rm -r /media/btrfs5/root/var/lib/libvirt/*
37 ### CHECK OLD DIRECTORY
38 ll /media/btrfs5/root/var/lib/libvirt/
39 insgesamt 0
40 ### CHECK NEW DIRECTORY
41 ll /media/btrfs5/var_lib_libvirt/
42 insgesamt 0
43 drwx--x--x 1 root root 0 Apr 7 12:36 boot
44 drwx--x--x 1 root root 0 Apr 7 12:36 images
45 drwxr-x--- 1 libvirt-qemu libvirt-qemu 62 Mai 23 10:16 qemu
46 drwx------ 1 root root 0 Apr 7 12:36 sanlock
47 ### MOUNT THE NEW SUBVOLUME TO THE DESTINATION
48 mount -o rw,noatime,compress=lzo,space_cache,autodefrag,subvol=/var_lib_libvirt \
49 /dev/sda4 /var/lib/libvirt
50 ### START LIBVIRTD
51 systemctl start libvirtd.service
Adjust fstab
1 # /etc/fstab: static file system information.
2 #
3 # Use 'blkid' to print the universally unique identifier for a
4 # device; this may be used with UUID= as a more robust way to name devices
5 # that works even if disks are added and removed. See fstab(5).
6
7 #<file_system> <mount_point> <type> <options> <dump> <pass>
8 UUID=87294740-52c4-4557-b838-ddc44ba8aa4b none swap sw 0 0
9 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 / btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=258,subvol=/root 0 1
10 #UUID=8AC4-4574 /boot/EFI vfat utf8 0 0
11 #UUID=B3B5-67FA /boot/EFI_SDB vfat utf8 0 0
12 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/log btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=262,subvol=/var_log 0 2
13 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /var/lib/libvirt btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=266,subvol=/var_lib_libvirt 0 2
14 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /home btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=261,subvol=/home 0 0
15 UUID=0cc274fd-4cb8-4cc7-9f60-f59de41f6891 /media/btrfs5 btrfs rw,noatime,compress=lzo,space_cache,autodefrag,subvolid=5,subvol=/ 0 0
Filesystem maintenance
Please see filesystems/btrfs#Maintenance
ksmtuned
All machines idle? Trade in some CPU and SAVE A WHOLE BUNCH OF MEM!
1 aptitude install ksmtuned
Information can be aquired under /sys/kernel/mm/ksm
Run ksm earlier by lowering KSM_THRES_COEF in
/etc/ksmtuned.conf
1 # Configuration file for ksmtuned.
2
3 # How long ksmtuned should sleep between tuning adjustments
4 # KSM_MONITOR_INTERVAL=60
5
6 # Millisecond sleep between ksm scans for 16Gb server.
7 # Smaller servers sleep more, bigger sleep less.
8 # KSM_SLEEP_MSEC=10
9
10 # KSM_NPAGES_BOOST=300
11 # KSM_NPAGES_DECAY=-50
12 # KSM_NPAGES_MIN=64
13 # KSM_NPAGES_MAX=1250
14
15 #KSM_THRES_COEF=20
16 KSM_THRES_COEF=50
17 # KSM_THRES_CONST=2048
18
19 # uncomment the following if you want ksmtuned debug info
20
21 # LOGFILE=/var/log/ksmtuned
22 # DEBUG=1
Example - Debian Buster monoculture in production:
1 Every 1,0s: grep -rH "" /sys/kernel/mm/ksm*;echo "Saved mem: $(($(cat /sys/kernel/mm/ksm/pages_sharing)*4/(2^1024))) MiB" kvm2: Fri Jan 31 14:03:57 2020
2
3 /sys/kernel/mm/ksm/stable_node_dups:5938
4 /sys/kernel/mm/ksm/max_page_sharing:256
5 /sys/kernel/mm/ksm/pages_volatile:271474
6 /sys/kernel/mm/ksm/stable_node_chains_prune_millisecs:2000
7 /sys/kernel/mm/ksm/merge_across_nodes:1
8 /sys/kernel/mm/ksm/pages_unshared:5277423
9 /sys/kernel/mm/ksm/stable_node_chains:497
10 /sys/kernel/mm/ksm/pages_shared:1049263
11 /sys/kernel/mm/ksm/use_zero_pages:0
12 /sys/kernel/mm/ksm/pages_to_scan:1250
13 /sys/kernel/mm/ksm/sleep_millisecs:10
14 /sys/kernel/mm/ksm/run:1
15 /sys/kernel/mm/ksm/full_scans:153
16 /sys/kernel/mm/ksm/pages_sharing:5635769
17 Saved mem: 21971 MiB
Well, ~22GiB of 64GiB saved! WTF?!1!! I dare to claim, this is a must have!
I assume KSM doesn't search already swapped pages to save expensive disk io. Maybe it's a good idea to gain some memory in a first run and to move content of the swap space back to the main memory in a second step by umounting and mounting swap-space.
1 swapoff -a; swapon -a
In addition it may be a good idea to reduce vm.swappiness to once more profit from KSM.
OpenvSwitch
To attach out VMs to the network we can use serveral approaches:
- Shared hostbridge
- classical linux bridge
- openvswitch
- network device passthrough
- physical device
- virtual device funtion
- macvtap direct connection
- with vepa
- without vepa
- libvirt networks
- NAT based network
- Routed network config
- Isolated network config
- Isolated IPv6 network config
- Network config with no gateway addresses
Since i have no contraints or requirements, i like to use openvswitch as a bridge (as "OpenStack would probably probably use it).
Install
1 aptitude install openvswitch-switch
Add vSwitch
Create bridge
1 ovs-vsctl add-br ovs-virt
Add fakebridges
Fake bridges are just virtual sub bridges of a parent bridge, that assign an attached port to a specific vlan in access mode.
Configure new interfaces
Conventional networks
One public interface used:
- for general conectivity
- in routing the public network to the host and
- as a NAT-address for the internal private networks.
/etc/network/interfaces
1 auto lo
2 iface lo inet loopback
3
4 ### OUTSIDE
5 auto enp0s31f6
6 iface enp0s31f6 inet static
7 address 195.201.246.253/26
8 address 2a01:4f8:231:702::2/64
9 gateway 195.201.246.193
10 alias "OUTSIDE"
11
12 ### FAKE BRIDGES
13 ### VLANS 500-999
14 auto ovs-pub1
15 iface ovs-pub1 inet static
16 address 178.63.149.225/28
17 alias "fake-bridge: public dmz - public network"
18
19 ### VLANS 1000-1499
20 auto ovs-1a
21 iface ovs-1a inet static
22 address 172.18.0.1/24
23 alias "fake-bridge: public dmz - private network"
24
25 ### VLANS 1500-1999
26 auto ovs-1n
27 iface ovs-1n inet static
28 address 172.18.64.1/24
29 alias "fake-bridge: extranet dmz"
30
31 ### VLANS 2000-2499
32 auto ovs-2a
33 iface ovs-2a inet static
34 address 172.18.128.1/24
35 alias "fake-bridge: intranet dmz"
36
37 ### VLANS 2500-2999
38 auto ovs-2n
39 iface ovs-2n inet static
40 address 172.18.192.1/24
41 alias "fake-bridge: secure zone"
42
43 ### VLANS 3000-3499
44 auto ovs-mon1
45 iface ovs-mon1 inet static
46 address 172.19.255.1/24
47 alias "fake-bridge: monitoring"
PPP Guest-Host
With point-to-point connection from guest to host. This is useful:
- for single IPs or
- to reduce overhead in small networks (/30) originating from network and broadcast addresses.
Please don't get irritated by the last octet of the IP-addresses. 
Create a fake-brigde on the host and assign a private IP-address, set a route (for the public address) to the guest and optionally set a static arp entry.
In the guest assign the public IP-address and create a point-to-point connection to the (private address of the) host.
Firewalling
1 aptitude install iptables-persistent ipset iptables fwbuilder
Configure fwbuilder
Performance
Laptop
To save power on your laptop and therefore increase time that may be spend on battery, install the laptop-mode-tools. They will e.g. set the cpu-frequency scaling_governor to ondemand and other more conservative options. In my specific case battery usage was reduced by 1/3 and time on battery increased by factor 3/2, which is significant.
1 aptitude install laptop-mode-tools
They can be configured in /etc/laptop-mode/.
With powertop settings consuming too much power may be configured.
CPU govenour
Another way to adjust cpu-frequency scaling_governor is via cpufrequtils.
/etc/default/cpufrequtils
IO-Scheduler
Security
CPU microcode
Microcode updates are ephemeral: they will be lost after a processor hard reset or after the processor is powered off. They must be reapplied at every boot and after the system wakes up from suspend to RAM or disk.
Depending on your CPU vendor install either of the following:
To force a microcode update at runtime (on your own risk) run as root.
1 echo 1 > /sys/devices/system/cpu/microcode/reload
To omit loading of the microcode at boot time add dis_ucode_ldr to your kernel command line in grub menu editor.
1 linux /boot/vmlinuz-5.4.0-4-amd64 root=UUID=75258d3e-37f9-42f7-9187-444be692f85d ro quiet dis_ucode_ldr
You may configure tthe microcode packages in
/etc/default/amd64-microcode
/etc/default/intel-microcode
Early loading microcode maybe blacklisted by
/etc/modprobe.d/amd64-microcode
/etc/modprobe.d/intel-microcode
You can get the running microcode revision from /proc/cpuinfo
1 grep -E 'stepping|model|microcode' /proc/cpuinfo
Compare the latest manufacturer microcode update guidance document.
Automatic security upgrades
1 aptitude install unattended-upgrades
Check ephemeral pinning with
1 unattended-upgrades --dry-run --debug --verbose
You may run unattended-upgrades with debugging output in foreground, to check what it is doing.
1 unattended-upgrades -d
If it is slow
check if you have packages on hold apt-mark showhold or broken packages
Too solve the problem use aptitude, it tends to be more powerful in untangling dependency problems.
Check OS Integrity
1 dpkg -V
debsecan
1 aptitude install debsecan
Is run automatically via a cronjob, but you should add the parameter --suite
Mobile security
Goal is to protect as much as possible as early and strong as possible.
Requirements:
- basics:
- bios-password is set
- hdd-password is set
- mandatory:
- be maintainable
- perform well
- flexible sizing like in LVM2/btrfs
- include swap, root, …
- protect kernel/initrd
- optionally:
- include /boot, means to enter the password a 3rd time in grub2 to unlock /boot
- use trusted platform module (tpm)
The inspiration:
http://dustymabe.com/2015/07/06/encrypting-more-boot-joins-the-party/
https://michael-prokop.at/blog/2014/02/28/full-crypto-setup-with-grub2/
Architect’s Guide: Data Security Using TCG Self-Encrypting Drive Technology
This ultimatively leads to multi-layer full disk encryption (OPAL+LUKS).
ATA hard drive password
ATA Security Feature Set or ATA Security (since ATA-3 (1996–2002, ANSI X3.298-1997))
Tools
hdparm
Links
InterNational Committee for Information Technology Standards
https://en.wikipedia.org/wiki/Parallel_ATA#HDD_passwords_and_security
About
Available on disks with AT Attachment (ATA) storage interface, this includes SATA, SCSI/SAS?, NVMe
- "first comer” ownership model
- first that sets the password owns the device
- access control mechanism only
- 32byte master and user keys (NULL-Byte padded)
- high or maximum security mode
Mode high
In High security mode, the device can be unlocked with either the User or Master password, using the "SECURITY UNLOCK DEVICE" ATA command. There is an attempt limit, normally set to 5, after which the disk must be power cycled or hard-reset before unlocking can be attempted again. Also in High security mode, the SECURITY ERASE UNIT command can be used with either the User or Master password.
Mode maximum
In Maximum security mode, the device can be unlocked only with the User password. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode, the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk. Word 89 in the IDENTIFY response indicates how long the operation will take.
Opal
Before building check if your drive supports Opal.
1 lspci -vvv
Tools
msed (manage self-encrypting devices) and OpalTool, the two known Open Source code bases available for self-encrypting drives support on Linux, have both been retired, and their development efforts officially merged to form sedutil, under the umbrella of The Drive Trust Alliance (DTA). sedutil is "an Open Source (GPLv3) effort to make Self Encrypting Drive technology freely available to everyone."
https://github.com/Drive-Trust-Alliance/sedutil
Build sedutil
Build sedutil
Scan for drives
Yeah, it works and
as the no in column states my current NVMe does not support Opal. :-/ I'll come back once i got a Opal drive.
Links
TCG Opal SSC (Security Subsystem Class) v.2.01 rev1.00 The specification is published by the Trusted Computing Group (TCG) Storage Workgroup.
About
Opal “Family” of specifications:
- Opal
- Opalite
- Pyrite
Found on Arch-Wiki - Self-Encrypting_Drives: Self-encrypting drives adhering to the TCG OPAL 2.0 standard specification (almost all modern self-encrypting drives) implement key management via an authentication key, and a 2nd-level data encryption key, both stored in the disk controller. The data encryption key is the key against which the data is actually encrypted/decrypeted. The authentication key is the user-facing 1st-level password/passphrase which decrypts the data encryption key (which in turn decrypts the data). Data writen to the disk is always encrypted. This approach has specific advantages:
- Allows the user to change the passphrase without losing the existing encrypted data on the disk.
- This improves security, as it is fast and easy to respond to security threats and revoke a compromised passphrase
- Facilitates near-instant and cryptographically secure full disk erasure.
For those who are familiar; this concept is similar to the LUKS key management layer often used in a dm-crypt deployment. Using LUKS, the user can effectively have up to 8 different key-files / passphrases to decrypt the encryption key, which in turn decrypts the underlying data. This approach allows the user to revoke / change these key-files / passphrases as required without needing to re-encrypt the data, as the 2nd-level encryption key is unchanged (itself being re-encrypted by the new passphrase).
In fact, in drives featuring full-disk encryption, data is always encrypted with the data encryption key when stored to disk, even if there is no password set (e.g. a new drive). Manufacturers do this to make it easier for users who are not able to, or do not wish to enable the security features of the self-encrypting drive. This can be thought of as all drives by default having a zero-length password that transparently encrypts/decrypts the data always (similar to how passwordless SSH keys provide (somewhat) secure access without user intervention).
The key point to note is that if at a later stage the user wishes to "enable" encryption, they can configure the passphrase (authentication key), which will then be used to encrypt the existing data encryption key (thus prompting for passphrase before decrypting the data encryption key in future). However, as the existing data encryption key will not be changed (regenerated), this in effect locks the drive, while preserving the existing encrypted data on the disk.
Advantages:
- Easier to setup (compared to software-based encryption)
- Notably transparent to the user, except for initial bootup authentication
- Data-at-Rest protection
- Increased performance (CPU is freed up from encryption/decryption calculations)
- The main CPU and RAM are eliminated as possible attack targets
- Optimally fast and #Secure disk erasure (sanitation) (regardless of disk size)
- Protection from alternative boot methods due to the possibility to encrypt the MBR, rendering the drive inaccessible before pre-boot authentication
Disadvantages:
Constant-power exploits:
Typical self-encrypting drives, once unlocked, will remain unlocked as long as power is provided. This vulnerability can be exploited by means of altering the environment external to the drive, without cutting power, in effect keeping the drive in an unlocked state. For example, it has been shown (by researchers at University of Erlangen-Nuremberg) that it is possible to reboot the computer into an attacker-controlled operating system without cutting power to the drive. The researchers have also demonstrated moving the drive to another computer without cutting power.[1]Key-in-memory exploits:
When the system is powered down into S3 ("sleep") mode, the drive is powered down, but the drive keeps access to the encryption key in its internal memory (NVRAM) to allow for a resume ("wake"). This is necessary because for system booted with an arbitrary operating system there is no standard mechanism to prompt the user to re-enter the pre-boot decryption passphrase again. An attacker (with physical access to the drive) can leverage this to access the drive. Taking together known exploits the researchers summarize "we were able to break hardware-based full-disk encryption on eleven [of twelve] of those systems provided they were running or in standby mode".[2] Note, however, S3 ("sleep") is not currently supported by sedutil (the current available toolset for managing a TCG OPAL 2.0 self-encrypting drives via Linux)Compromised firmware:
The firmware of the drive may be compromised (backdoor) and data sent to it thus potentially compromised (decryptable by the malicious third party in question, provided access to physical drive is achievable). A study demonstrated methods for compromising device firmware, as well as applying invalid passwords to access data on OPAL devices.[3] If data is encrypted by the operating system (e.g. dm-crypt), the encryption key is unknown to the compromised drive, thus circumventing this attack vector entirely.
Found in White Paper - Storage Opal and NVMe
- requires AES-128 or AES-256
- hardware-based encrpytion that may be scaled to meet the bandwidth of the storage device.
- credentials
- 1-4 admin for provisioning, configuration or erasure
- 2-8 user to perform various actions
- subdivision of the storage device into multiple locking ranges of contiguous LBAs
- each locking range
- has different media encryption key (MEK)
- is unlocked independently
- is erased independently (by destruction of media encryption key and generation of a new one)
n>=0 users may
- unlock locking ranges
- erase locking ranges
- fast and reliable erasure of locking ranges
- supports MBR-shadowding, through which a host-application can store and execute a “Pre-Boot Authentication Environment”. Such a mechanism is necessary to allow unlock of the range in which the OS is stored, in order to allow the OS to boot.
Storage glossary
- advanced encryption standard (AES)
- authentication key (AK)
advanced technology attachment (ATA) -> P-ATA
- AT attachment packet interface (ATAPI)
- data encryption key (DEK)
- full disk encryption (FDE)
- full encryption disks (FED), self-encrypting HDD
- hard drive disk (HDD)
- integrated drive electronics (IDE)
- logical block addressing (LBA), number of blocks starting with zero (size with 512byte blocks)
- 28bit LBA (128GiB)
- 48bit LBA (128PiB)
- SCSI Command Descriptor Block (CDB)
- 10Byte CDB with 4byte (32bit) LBA (2TiB)
- 16/32Byte CDB with 8byte (64bit) Long-LBA (16EiB)
- non-volatile memory express (NVMe)
- opal security subsystem class (SSC)
- Self-Monitoring, Analysis and Reporting Technology (S.M.A.R.T.)
- storage device (SD)
- self-encrypting drive (SED)
- small computer system interface (SCSI)
- trusted computing group (TCG)
LUKS
Tools
1 apt install gdisk parted cryptsetup cryptsetup-initramfs dosfstools xfsprogs
Links
About
The Linux Unified Key Setup (LUKS) is a disk encryption specification created by Clemens Fruhwirth in 2004 and was originally intended for Linux.
Why LUKS?
- compatibility via standardization,
- secure against low entropy attacks,
- support for multiple keys,
- effective passphrase revocation,
- free.
Transform
Target configuration
FDE walkthrough
Perform a backup Preparation
1 ### MOUNT A REMOTE STORAGE (e.g. NFS4)
2 mount libertas:/media/space/tmp /media/external1
3
4 ### AND BACKUP PARTITIONING TABLE (JUST INCASE)
5 mkdir /media/external1/backup
6 sgdisk --backup=/media/external1/backup/nvme0n1.sgdisk /dev/nvme0n1
7 The operation has completed successfully.
8 ### TO RESTORE SIMPLY
9 # sgdisk -l /media/external1/backup/nvme0n1 /dev/nvme0n1
10
Partitioning
Grub2 disk: Implement support for LUKS2:
- With cryptsetup 2.0, a new version of LUKS was introduced that breaks compatibility with the previous version due to various reasons. GRUB currently lacks any support for LUKS2, making it impossible to decrypt disks encrypted with that version. This commit implements support for this new format.
This commit has not landed in Debian, yet. So we need to downgrade header to LUKS version 1 and the password based key derivation functions (PBKDF) to PBKDF2 (from Argon2i or Argon2id).
Fresh cryptsetup
To downgrade manually from LUKS2 to version 1
LVM2
Formating filesystems and swap
Restore the data from backup.
I created the tar-archive without changing the directory, so i have to strip "mnt/" away at extraction-time using --strip-components=1.
1 ### RESTORE ROOTFS
2 MOUNT_POINT="/mnt"
3 ssh user@target.host \
4 "cat path/to/archive.tar.gz" \
5 |pigz -dc \
6 |tar -xf - --strip-components=1 -C "$MOUNT_POINT"
7 ### RESTORE EFIFS
8 MOUNT_POINT="/mnt/boot/efi"
9 ssh user@target.host \
10 "cat path/to/archive_efi.tar.gz" \
11 |pigz -dc \
12 |tar -xf - --strip-components=1 -C "$MOUNT_POINT"
1 aptitude install cryptsetup cryptsetup-initramfs
Change swap uuid to new value
/etc/initramfs-tools/conf.d/resume
1 RESUME=UUID=3c8d7d58-c524-4a74-94f6-ec66a3bb07af
Adjust crypttab
1 blkid /dev/nvme0n1p4 |sed 's/^/#/' >> /etc/crypttab
/etc/crypttab
/etc/default/grub
1 # If you change this file, run 'update-grub' afterwards to update
2 # /boot/grub/grub.cfg.
3 # For full documentation of the options in this file, see:
4 # info -f grub -n 'Simple configuration'
5
6 GRUB_DEFAULT=0
7 GRUB_TIMEOUT=5
8 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
9 GRUB_CMDLINE_LINUX_DEFAULT="quiet"
10 GRUB_CMDLINE_LINUX=""
11
12 # Uncomment to enable BadRAM filtering, modify to suit your needs
13 # This works with Linux (no patch required) and with any kernel that obtains
14 # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
15 #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
16
17 # Uncomment to disable graphical terminal (grub-pc only)
18 #GRUB_TERMINAL=console
19
20 # The resolution used on graphical terminal
21 # note that you can use only modes which your graphic card supports via VBE
22 # you can see them in real GRUB with the command `vbeinfo'
23 #GRUB_GFXMODE=640x480
24
25 # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
26 #GRUB_DISABLE_LINUX_UUID=true
27
28 # Uncomment to disable generation of recovery mode menu entries
29 #GRUB_DISABLE_RECOVERY="true"
30
31 # Uncomment to get a beep at grub start
32 #GRUB_INIT_TUNE="480 440 1"
33
34 ### GRUB-INSTALL DEMANDS IT
35 GRUB_ENABLE_CRYPTODISK=y
36 #GRUB_PRELOAD_MODULES="lvm cryptodisk mdraid1x luks"
37
- Unmount remote storage
- Reboot
Plymouth
Install bootsplash "plymouth"
1 aptitude install plymouth plymouth-themes plymouth-x11
Add splash to GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub
1 GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
List and set available themes
1 plymouth-set-default-theme --list
Set other theme and update grub and initramfs
1 sudo plymouth-set-default-theme -R lines
Get new themes from store.kde.org.
Just unpack them to /usr/share/plymouth/themes
Preview plymouth themes in X11
Inspired by this blogpost
plymouth_preview.sh
1 #!/bin/bash
2
3 ## Preview Plymouth Splash ##
4 ## by _khAttAm_ ##
5 ## www.khattam.info ##
6 ## License: GPL v3 ##
7
8 chk_root () {
9 if [ ! $( id -u ) -eq 0 ]; then
10 echo "Must be run as root"
11 exit
12 fi
13 }
14
15 chk_root
16
17 DURATION=$1
18 if [ $# -ne 1 ]; then
19 DURATION=5
20 fi
21
22 #CURRENT_THEME=
23 THEMES="$(plymouth-set-default-theme --list \
24 |sort |uniq)"
25
26 while read THEME; do
27 plymouth-set-default-theme "$THEME"
28 echo "$THEME"
29 sleep 1.5
30 plymouthd
31 plymouth --show-splash
32 for ((I=0; I<$DURATION; I++)); do
33 plymouth --update=test$I;
34 sleep 1;
35 done
36 plymouth quit
37 done <<< "$THEMES"
Debian CD-Image with jigdo
Jigsaw Download, or short jigdo, is a tool designed to ease the distribution of very large files over the internet, for example CD or DVD images. Its aim is to make downloading the images as easy for users as a click on a direct download link in a browser, while avoiding all the problems that server administrators have with hosting such large files.
1 aptitude install jigdo-file jigit
Example: Create a CD-image of Debian Jessie
Create a configuration for jigdo-lite and to reliefe primary Debian mirrors. ~/.jigdo-lite
Done:
1 jigdo-lite --noask 'https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo'
2
3 Jigsaw Download "lite"
4 Copyright (C) 2001-2005 | jigdo@
5 Richard Atterer | atterer.org
6 Loading settings from `/home/tobias/.jigdo-lite'
7
8 Downloading .jigdo file
9 --2019-11-05 11:47:20-- https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo
10 Auflösen des Hostnamens cdimage.debian.org (cdimage.debian.org)… 194.71.11.173, 194.71.11.165, 2001:6b0:19::165, ...
11 Verbindungsaufbau zu cdimage.debian.org (cdimage.debian.org)|194.71.11.173|:443 … verbunden.
12 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
13 Länge: 24660 (24K)
14 Wird in »debian-8.0.0-amd64-netinst.jigdo« gespeichert.
15
16 debian-8.0.0-amd64-netinst.jigdo 100%[==================================================================================================================================================================================>] 24.08K --.-KB/s in 0.06s
17
18 2019-11-05 11:47:20 (428 KB/s) - »debian-8.0.0-amd64-netinst.jigdo« gespeichert [24660/24660]
19
20
21 -----------------------------------------------------------------
22 Images offered by `https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.jigdo':
23 1: 'Debian GNU/Linux 8.0.0 "Jessie" - Official amd64 NETINST Binary-1 20150425-12:50 (20150425)' (debian-8.0.0-amd64-netinst.iso)
24
25 Further information about `debian-8.0.0-amd64-netinst.iso':
26 Generated on Sat, 25 Apr 2015 12:53:05 +0000
27
28 -----------------------------------------------------------------
29 If you already have a previous version of the CD you are
30 downloading, jigdo can re-use files on the old CD that are also
31 present in the new image, and you do not need to download them
32 again. Mount the old CD ROM and enter the path it is mounted under
33 (e.g. `/mnt/cdrom').
34 Alternatively, just press enter if you want to start downloading
35 the remaining files.
36 Files to scan:
37
38 -----------------------------------------------------------------
39 The jigdo file refers to files stored on Debian mirrors. Please
40 choose a Debian mirror as follows: Either enter a complete URL
41 pointing to a mirror (in the form
42 `ftp://ftp.debian.org/debian/'), or enter any regular expression
43 for searching through the list of mirrors: Try a two-letter
44 country code such as `de', or a country name like `United
45 States', or a server name like `sunsite'.
46 Debian mirror [http://debian.inf.tu-dresden.de/debian/]:
47
48 Downloading .template file
49 --2019-11-05 11:47:20-- https://cdimage.debian.org/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template
50 Auflösen des Hostnamens cdimage.debian.org (cdimage.debian.org)… 194.71.11.165, 194.71.11.173, 2001:6b0:19::173, ...
51 Verbindungsaufbau zu cdimage.debian.org (cdimage.debian.org)|194.71.11.165|:443 … verbunden.
52 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 302 Found
53 Platz: https://saimei.ftp.acc.umu.se/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template [folgend]
54 --2019-11-05 11:47:20-- https://saimei.ftp.acc.umu.se/cdimage/archive/8.0.0/amd64/jigdo-cd/debian-8.0.0-amd64-netinst.template
55 Auflösen des Hostnamens saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)… 194.71.11.138, 2001:6b0:19::138
56 Verbindungsaufbau zu saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|194.71.11.138|:443 … verbunden.
57 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
58 Länge: 8641689 (8.2M)
59 Wird in »debian-8.0.0-amd64-netinst.template« gespeichert.
60
61 debian-8.0.0-amd64-netinst.template 100%[=========================================================>] 8.24M 1.11MB/s in 7.5s
62
63 2019-11-05 11:47:28 (1.10 MB/s) - »debian-8.0.0-amd64-netinst.template« gespeichert [8641689/8641689]
64
65
66 -----------------------------------------------------------------
67 Merging parts from `file:' URIs, if any...
68 0 der 813 vom Template benötigten Dateien gefunden
69 Es wird keine Image-Datei oder temporäre Datei erzeugt - versuchen Sie es mit anderen Eingabedateien
70 --2019-11-05 11:47:28-- http://debian.inf.tu-dresden.de/debian/pool/main/s/systemd/libpam-systemd_215-17_amd64.deb
71 Auflösen des Hostnamens debian.inf.tu-dresden.de (debian.inf.tu-dresden.de)… 141.76.2.4
72 Verbindungsaufbau zu debian.inf.tu-dresden.de (debian.inf.tu-dresden.de)|141.76.2.4|:80 … verbunden.
73 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 404 Not Found
74 2019-11-05 11:47:28 FEHLER 404: Not Found.
75
76 --2019-11-05 11:47:28-- http://debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb
77 Wiederverwendung der bestehenden Verbindung zu debian.inf.tu-dresden.de:80.
78 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
79 Länge: 285760 (279K) [application/x-debian-package]
80 Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb« gespeichert.
81
82 debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_ 100%[=========================================================>] 279.06K 894KB/s in 0.3s
83
84 2019-11-05 11:47:29 (894 KB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/j/jfsutils/jfsutils_1.1.15-2.1_amd64.deb« gespeichert [285760/285760]
85
86 --2019-11-05 11:47:29-- http://debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb
87 Wiederverwendung der bestehenden Verbindung zu debian.inf.tu-dresden.de:80.
88 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
89 Länge: 124466 (122K) [application/x-debian-package]
90 Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb« gespeichert.
91
92 debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb 100%[=========================================================>] 121.55K --.-KB/s in 0.1s
93
94 2019-11-05 11:47:29 (1.13 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/debian.inf.tu-dresden.de/debian/pool/main/l/less/less_458-3_amd64.deb« gespeichert [124466/124466]
95
96
97 <… OUTPUT OMITED …>
98
99
100 --2019-11-05 11:52:06-- http://snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb
101 Verbindungsaufbau zu snapshot.debian.org (snapshot.debian.org)|193.62.202.27|:80 … verbunden.
102 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
103 Länge: 13294 (13K)
104 Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb« gespeichert.
105
106 snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loo 100%[=========================================================>] 12.98K --.-KB/s in 0.01s
107
108 2019-11-05 11:52:06 (1.23 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/loop-modules-3.16.0-4-amd64-di_3.16.7-ckt9-2_amd64.udeb« gespeichert [13294/13294]
109
110 BEENDET --2019-11-05 11:52:06--
111 Verstrichene Zeit: 6.3s
112 Geholt: 10 Dateien, 5.0M in 4.7s (1.07 MB/s)
113 10 der 11 vom Template benötigten Dateien gefunden '
114 Eingabedateien wurden in temporäre Datei »debian-8.0.0-amd64-netinst.iso.tmp« geschrieben - wiederholen Sie das Kommando mit weiteren Dateien
115 --2019-11-05 11:52:06-- http://snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb
116 Auflösen des Hostnamens snapshot.debian.org (snapshot.debian.org)… 185.17.185.185, 193.62.202.27, 2001:630:206:4000:1a1a:0:c13e:ca1b, ...
117 Verbindungsaufbau zu snapshot.debian.org (snapshot.debian.org)|185.17.185.185|:80 … verbunden.
118 HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
119 Länge: 4480432 (4.3M)
120 Wird in »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb« gespeichert.
121
122 snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/lin 100%[=========================================================>] 4.27M 1.11MB/s in 3.9s
123
124 2019-11-05 11:52:10 (1.11 MB/s) - »./debian-8.0.0-amd64-netinst.iso.tmpdir/snapshot.debian.org/archive/debian/20150425T124850Z/pool/main/l/linux/linux-headers-3.16.0-4-common_3.16.7-ckt9-2_amd64.deb« gespeichert [4480432/4480432]
125
126 1 der 1 vom Template benötigten Dateien gefunden '
127 »debian-8.0.0-amd64-netinst.iso« wurde erfolgreich erzeugt
128
129 -----------------------------------------------------------------
130 Finished!
131 The fact that you got this far is a strong indication that `debian-8.0.0-amd64-netinst.iso'
132 was generated correctly. I will perform an additional, final check,
133 which you can interrupt safely with Ctrl-C if you do not want to wait.
134
135 OK: Prüfsummen stimmen überein, Image-Datei ist in Ordnung!
136 jigdo-lite --noask 3.90s user 7.87s system 4% cpu 4:50.47 total
This worked out fine. Now i can test upgrading "oldoldstable" to "stable". Installation succeded.
Aptitude
This cli and gui interface adds in my option some essential features to the apt ecosystem.
It offers search patterns that are very useful.
Example: identify installed packages from "Debian Backports". Using the shorthands for:
?installed, ~i
Matches package versions which are currently installed.
Since all versions are tested by default, this normally
matches packages which are currently installed.
?narrow(filter, pattern), ~S filter pattern
This term “narrows” the search to package versions matching filter.
In particular, it matches any package version which matches both filter and pattern.
The string value of the match is the string value of pattern.
?origin(origin), ~Oorigin
Matches package versions whose origin matches the regular expression origin.
For instance, “!?origin(debian)” will find any unofficial packages on your system
(packages not from the Debian archive). To force a downgrade, set the priority of the stable codename above 990 (to force install). Example preference for downgrade:
Open aptitude and search for ~Vbpo to identify once again all packages from backports and select the packages to be downgraded by pressing +. They will be marked as to be downgraded i W in organge.
Don't forget to remove the preferences afterwards.
Preseeding
Create preseed file from manually installed Debian.