Assumptions: The server has two identically sized hard drives
== Installing Debian ==

Ideally, you should boot using a Debian installer that uses the serial
console. If you can't, just install the normal way.

=== PREPARE YOUR LAPTOP - Screen ===

* Install screen on your Debian laptop:

{{{
$ sudo apt-get install screen
}}}

* Connect your serial cable (or USB-serial cable) from your laptop to the
server.

You may want to check dmesg after plugging in the cable to see which device
is being used. You should have a line along the lines of:

{{{
usb 3-1: PL-2303 converter now attached to ttyUSB0
}}}

* Start screen with:
{{{
mkdir screen-log
cd screen-log
screen -L /dev/ttyUSB0 115200
}}}

=== Install Linux ===

* Put in Daniel's serial console Debian installer and boot (note: if you don't have a serial installer, use a normal installer with a keyboard and monitor attached to the server).

* At the boot prompt hit enter to install the 2.6 kernel

==== INITIAL INSTALL ====

* [Skipping easy steps]

* Manually partition the drive

* There should be two drives. Remove any existing partitions.

* Add one partition on each disk that is:
{{{
# bootable
# 250 MB
# Physical volume for RAID array
}}}

* Add a second partition on each disk that is:
{{{
# Takes up remaining space
# Physical volume for RAID array
}}}

* Choose "Configure software RAID"

* Choose "Create MD Device"

* Choose RAID1

* Number of active devices: 2

* Number of spare devices: 0

* Now select the first partition on each device.

* Click Continue. Repeat for the second partition on each device.

* When you are done, click Finish. Now you are back at the partition menu.

* Scroll down to the RAID devices. Modify as follows:

{{{
250 MB RAID device: Filesystem: ext3, mount on /boot
Remaining: Physical Volume for LVM
}}}

* Choose "Configure LVM"

* Create a volume group called vg_nameofserver0

* Create logical volumes in this volume group:

{{{
dom0: 1 GB
dom0-swap: 512MB
}}}
* After returning to the main disk config menu, click on LVM #1 and configure it to use ext3, mounted on /.
* Click on the #2 LVM disk and configure it as swap
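A check worth running once the installer has built the two RAID1 arrays (this is an added example, not part of the original page): it parses the /proc/mdstat format and flags any array that is not a RAID1 with every member present, which is what a failed or unplugged second disk looks like. The sample contents are constructed to match the layout above (md0 for /boot, md1 as the LVM physical volume); on the real server the check is just `mdstat_check` with no argument.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that every md array is a
# RAID1 with all of its members present, by parsing the /proc/mdstat format.
# Usage: mdstat_check [FILE]   (FILE defaults to /proc/mdstat)
# Prints one line per array; returns 0 only when every array is clean.
mdstat_check() {
    awk '
        # Array header: "md0 : active raid1 sda1[0] sdb1[1]"
        /^md[0-9]+ : / { name = $1; level = $4; next }
        # Status line: "  248896 blocks [2/2] [UU]"
        #   [wanted/active] member counts, [UU] per-member state ("_" = missing)
        name != "" && /blocks/ {
            bad = 0
            if (level != "raid1") bad = 1
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[[0-9]+\/[0-9]+\]$/) {
                    split(substr($i, 2, length($i) - 2), n, "/")
                    if (n[1] != n[2]) bad = 1
                }
                if ($i ~ /^\[[U_]+\]$/ && index($i, "_") > 0) bad = 1
            }
            printf "%s %s %s\n", name, level, (bad ? "DEGRADED" : "ok")
            if (bad) status = 1
            name = ""
        }
        END { exit (status ? 1 : 0) }
    ' "${1:-/proc/mdstat}"
}

# Constructed samples (not captured from a real server): the layout the install
# steps above produce, and the same layout with the second disk gone.
write_sample() {
    cat > "$1" <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda2[0] sdb2[1]
      155901312 blocks [2/2] [UU]

md0 : active raid1 sda1[0] sdb1[1]
      248896 blocks [2/2] [UU]

unused devices: <none>
EOF
}

write_degraded_sample() {
    cat > "$1" <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda2[0]
      155901312 blocks [2/1] [U_]

md0 : active raid1 sda1[0] sdb1[1]
      248896 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Demo on the constructed samples; on a live system run: mdstat_check
demo() {
    clean=$(mktemp); deg=$(mktemp)
    write_sample "$clean"; write_degraded_sample "$deg"
    echo "clean sample:";    mdstat_check "$clean" || echo "-> alarm"
    echo "degraded sample:"; mdstat_check "$deg"   || echo "-> alarm"
    rm -f "$clean" "$deg"
}
demo
```

The `[2/1] [U_]` form is exactly what you see after one mirror member fails, so a cron job that runs this and mails on a non-zero exit gives early warning long before the surviving disk also fails.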


==== AFTER REBOOT ====

* Set the hardware clock to GMT (even if it isn't)

* Insert the root password into the pass db

* Create new user: mayfirst

* Do not select any of the pre-set application packages. Just tab to OK.

* For mail configuration, choose "No configuration" (we will be installing
postfix later)

* Root and postmaster recipient: root@mayfirst.org

==== POST INSTALL ====

* Set up xen

* Install with:

{{{
apt-get install xen-hypervisor-3.0.3-1-i386 xen-linux-system-2.6.18-4-xen-686 libc6-xen
}}}

* Edit /boot/grub/menu.lst

{{{
## Xen hypervisor options to use with the default Xen boot option
# xenhopt=dom0_mem=131072
}}}

* run update-grub and reboot

* Install bridge-utils and xen-tools
{{{
aptitude install bridge-utils xen-tools
/etc/init.d/xend restart
}}}

* Edit /etc/xen-tools/xen-tools.conf.

Apply the following diffs:
{{{
0 gramsci:/etc/xen-tools# diff -u xen-tools.conf.orig xen-tools.conf
--- xen-tools.conf.orig 2007-05-27 19:59:38.000000000 -0400
+++ xen-tools.conf 2007-05-27 20:01:15.000000000 -0400
@@ -35,6 +35,7 @@
#
##
# lvm = skx-vg
+lvm = vg_gramsci0


#
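Review bot: `+lvm = vg_gramsci0` hard-codes one server's volume group; on any other machine this must be the exact name chosen in the LVM step above (vg_nameofserver0 in this guide), and it is worth confirming with `vgs` before running xen-create-image, since a wrong name only fails at image creation time.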
@@ -61,7 +62,7 @@
##
#
# copy = /path/to/pristine/image
-# debootstrap = 1
+debootstrap = 1
# rpmstrap = 1
# tar = /path/to/img.tar
#
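Review bot: with `debootstrap = 1` now active, the neighbouring `copy`, `rpmstrap` and `tar` lines must stay commented so that only one image source is configured; the hunk shows them still commented, which is what you want.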
@@ -95,7 +96,7 @@
swap = 128Mb # Swap size
# noswap = 1 # Don't use swap at all for the new system.
fs = ext3 # use the EXT3 filesystem for the disk image.
-dist = sarge # Default distribution to install.
+dist = etch # Default distribution to install.
image = sparse # Specify sparse vs. full disk images.

#
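Review bot: the context line `swap = 128Mb` is left at the shipped default while the xen-create-image command later on this page passes `--swap=512Mb`; either set the default here to what guests should get or keep passing the flag every time, so an invocation without it does not silently produce guests with 128 MB of swap.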
@@ -154,8 +155,8 @@
#
# Default kernel and ramdisk to use for the virtual servers
#
-kernel = /boot/vmlinuz-2.6.16-2-xen-686
-initrd = /boot/initrd.img-2.6.16-2-xen-686
+kernel = /boot/vmlinuz-2.6.18-4-xen-686
+initrd = /boot/initrd.img-2.6.18-4-xen-686

#
# The architecture to use when using debootstrap or rpmstrap.
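Review bot: the new `kernel`/`initrd` paths must match the `xen-linux-system-2.6.18-4-xen-686` package installed earlier and actually exist in dom0's /boot; guests boot dom0's kernel file, so a later dom0 kernel upgrade that removes these files leaves every newly created guest unbootable until this config is updated. Check with `ls -l /boot/vmlinuz-2.6.18-4-xen-686 /boot/initrd.img-2.6.18-4-xen-686` before creating images.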
1 gramsci:/etc/xen-tools#
}}}

* Create new xen instances with:

{{{
xen-create-image --size=5Gb --swap=512Mb --gateway=209.51.180.17 --netmask=255.255.255.240 --ip=209.51.180.24 --hostname=mendes
}}}

Change settings as needed.

* Edit /etc/group and change the group id of mayfirst to 1500 (so it will be
consistent with red)

* Log in as root and install the following packages:

{{{
# apt-get install --purge ssh ntpdate ntp-server sudo vim less rsync postfix
}}}

* Add the group wheel:

{{{
# addgroup wheel
}}}

* Add mayfirst to wheel:

{{{
# addgroup mayfirst wheel
}}}

* Configure sudo:
{{{
# visudo
}}}

Add a line at the bottom that says:
{{{
%wheel ALL=(ALL) ALL
}}}
* Upload the mayfirst public keys to:

.ssh/authorized_keys

* Configure ssh to only accept connections with auth keys (unless this is a server that should be accessible by members)

Edit /etc/ssh/sshd_config

Uncomment the last line that says:

{{{
#UsePAM yes
}}}

Uncomment and change the ChallengeResponseAuthentication line to match the following:

{{{
ChallengeResponseAuthentication no
}}}

Reload ssh:

{{{
# /etc/init.d/ssh reload
}}}
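An audit script for the "keys only" goal of the step above (an added example, not part of the original page). Two things bite in practice: sshd's built-in default for PasswordAuthentication is yes, so turning off ChallengeResponseAuthentication alone still leaves plain password logins through PAM unless PasswordAuthentication is set to no as well; and sshd uses the first uncommented occurrence of each keyword, so a later duplicate line never wins. The checker reads the first occurrence and falls back to the documented defaults. Both config samples are constructed here, not copied from a server; `Match` blocks and the `Keyword=value` spelling are deliberately not handled.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for
# "public keys only" logins.
# sshd_opt FILE KEYWORD -> prints the effective value (lowercased), or "default"
# when the keyword is not set (sshd uses the FIRST uncommented occurrence).
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and malformed lines
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# sshd_keys_only FILE -> 0 when only public-key authentication can succeed.
# Each spec is "Keyword built-in-default wanted"; the default is what applies
# when the keyword is absent, and PasswordAuthentication=yes is the usual gap.
sshd_keys_only() {
    file=$1; rc=0
    for spec in "PasswordAuthentication yes no" \
                "ChallengeResponseAuthentication yes no" \
                "PubkeyAuthentication yes yes"; do
        set -- $spec
        got=$(sshd_opt "$file" "$1")
        if [ "$got" = "default" ]; then got="$2 (default)"; fi
        case "$got" in
            "$3"*) echo "$1 = $got: ok" ;;
            *)     echo "$1 = $got: want $3"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample 1: the file as the steps above leave it (UsePAM on,
# challenge-response off, PasswordAuthentication still at its commented default).
write_sshd_as_configured() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
# PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Constructed sample 2: the same file with password logins actually disabled.
# UsePAM stays on; with both password methods off, PAM only handles
# account and session setup, not authentication.
write_sshd_keys_only() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Demo on the constructed samples; on a live host: sshd_keys_only /etc/ssh/sshd_config
demo() {
    f=$(mktemp)
    echo "as configured by the steps above:"; write_sshd_as_configured "$f"; sshd_keys_only "$f" || echo "-> passwords still accepted"
    echo "with PasswordAuthentication no:";  write_sshd_keys_only "$f";      sshd_keys_only "$f" && echo "-> keys only"
    rm -f "$f"
}
demo
```

Run it against /etc/ssh/sshd_config after the reload; the exit status is 0 only when all three keywords are effectively right, which makes it usable from a post-install check or cron job.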

=== SERIAL CONSOLE LOGIN ===

If you did not use the serial console installer, then perform the following:

* Edit the /etc/inittab file.

Uncomment the line that reads:

{{{
T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
}}}

and change 9600 to 115200 so it reads:

{{{
T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100
}}}

* Refresh:

{{{
$ sudo init q
}}}

* Add the following lines after the timeout line in /boot/grub/menu.lst

{{{
serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
terminal --timeout=10 serial console
}}}

* Add the following lines to the "Start Default Options" section.
You should already have a line such as:

{{{
# kopt=root=/dev/md0 ro
}}}

add to it, so that your final line says:

{{{
# kopt=root=/dev/md0 ro console=ttyS0,115200n8
}}}

Refresh grub:

{{{
$ sudo update-grub
}}}


==== Misc ====

* Uninstall unnecessary packages:

{{{
$ sudo apt-get remove --purge portmap lpr nfs-common ppp
}}}

* Make sure no unneeded services are running. Look through /etc/rc2.d. Move
from S to K any services that are not needed (e.g. rsync and inetd).
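A small helper for the rc2.d review (an added example, not part of the original page): it lists every start link in a directory whose service is not on an allowlist you pass in, and renames a start link to a kill link, which is what "move from S to K" means in the sysv-rc scheme of this era. The sample directory it builds is constructed, with links to init.d scripts that need not exist; on the server you would run `rc_audit /etc/rc2.d "ssh ntp postfix sudo ..."` with the services you actually expect.

```shell
#!/bin/sh
# Added example (not from the original page): find leftover start links in an
# rc2.d-style directory and disable them by renaming S??name to K??name.
# rc_audit DIR "svc svc ..." -> prints each S link not on the list; returns 1 if any
rc_audit() {
    dir=$1; allow=" $2 "; rc=0
    for link in "$dir"/S[0-9][0-9]*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # pattern matched nothing
        base=${link##*/}                               # e.g. S20rsync
        svc=${base#S[0-9][0-9]}                        # e.g. rsync
        case "$allow" in
            *" $svc "*) ;;                             # expected service
            *) echo "$base -> $(readlink "$link" 2>/dev/null || echo '?') (not on allowlist)"
               rc=1 ;;
        esac
    done
    return $rc
}

# rc_disable DIR SERVICE -> rename S??SERVICE to K??SERVICE so it no longer starts
rc_disable() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        [ -L "$link" ] || [ -e "$link" ] || continue
        base=${link##*/}
        mv "$link" "$1/K${base#S}"
    done
}

# Constructed sample (not a real rc2.d): the links a fresh install plus the
# packages installed above might leave behind, including one already disabled.
make_sample_rc2d() {
    mkdir -p "$1"
    for entry in S20ssh S23ntp S20postfix S20rsync S20inetd K20portmap; do
        ln -s "../init.d/${entry#[SK][0-9][0-9]}" "$1/$entry"
    done
}

# Demo on the constructed directory; on a live host: rc_audit /etc/rc2.d "..."
demo() {
    d=$(mktemp -d)
    make_sample_rc2d "$d"
    echo "before:"; rc_audit "$d" "ssh ntp postfix" || true
    rc_disable "$d" rsync
    rc_disable "$d" inetd
    echo "after:";  rc_audit "$d" "ssh ntp postfix" && echo "no unexpected start links"
    rm -rf "$d"
}
demo
```

Renaming keeps the link (and the package's ability to re-enable it on upgrade) rather than deleting it, which is why the page says move rather than remove; re-run the audit after any `apt-get install`, since new packages drop fresh S links into rc2.d.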

=== ENCRYPTED FILE SYSTEM ===

* Install programs:

{{{
$ sudo apt-get install dmsetup cryptsetup
}}}

* Create an encrypted file system for members:

* Now, unmount the partition (make sure there is no data on it that you care about).

{{{
$ sudo umount /home/members
}}}

* Create the encrypted filesystem:

{{{
$ sudo cryptsetup luksFormat /dev/mapper/vg_NAMEOFSERVER0-members
}}}

You will be prompted for a password. Put the password in the resource db!

* Add to crypttab

{{{
echo crypt_members /dev/mapper/vg_NAMEOFSERVER0-members none luks >> /etc/crypttab
}}}

* Start it

{{{
/etc/init.d/cryptdisks start
}}}

* Create a file system on the partition:

{{{
$ sudo mkfs -t ext3 /dev/mapper/crypt_members
}}}

* Remove cryptdisks from the rc2.d directory - we do not want this to start automatically on boot! Instead we want to start it manually so the boot process doesn't hang waiting for a password.
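A check for the boot-hang concern in the last step (an added example, not part of the original page): it reads a crypttab and reports every entry whose key file is `none` (or `-`) and which does not carry the `noauto` option, since those are the entries the boot scripts would stop and prompt for. It also shows the alternative to pulling cryptdisks out of rc2.d altogether, which is to mark just this entry `noauto` so other volumes still come up; the volume is then unlocked by hand (`cryptsetup luksOpen` plus mount, or cryptdisks_start on current Debian). The crypttab contents are constructed; only the crypt_members line is taken from the page.

```shell
#!/bin/sh
# Added example (not from the original page): find /etc/crypttab entries that
# would stop the boot waiting for a passphrase: key file "none"/"-" and no
# "noauto" option.  Usage: crypttab_prompting [FILE]  (default /etc/crypttab)
# Prints one line per such entry; returns 1 if there are any, else 0.
crypttab_prompting() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        {
            name = $1; dev = $2; key = $3; opts = (NF >= 4) ? $4 : ""
            if ((key == "none" || key == "-") && ("," opts ",") !~ /,noauto,/) {
                printf "%s on %s would prompt for a passphrase at boot (options: %s)\n", name, dev, opts
                hits++
            }
        }
        END { exit (hits > 0) }
    ' "${1:-/etc/crypttab}"
}

# crypttab_set_noauto FILE NAME -> add "noauto" to the options of entry NAME,
# so the boot scripts skip it and it is unlocked manually later.
crypttab_set_noauto() {
    tmp=$(mktemp)
    awk -v name="$2" '
        $1 == name && ("," $4 ",") !~ /,noauto,/ {
            $4 = ($4 == "" ? "noauto" : $4 ",noauto")   # rebuilds the line
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"               # keep FILE mode/owner
    rm -f "$tmp"
}

# Constructed sample crypttab: the members volume from the page plus two
# made-up entries, one with a key file and one already marked noauto.
write_crypttab_sample() {
    cat > "$1" <<'EOF'
# <target name> <source device> <key file> <options>
crypt_members /dev/mapper/vg_NAMEOFSERVER0-members none luks
crypt_scratch /dev/mapper/vg_NAMEOFSERVER0-scratch /etc/keys/scratch.key luks
crypt_archive /dev/mapper/vg_NAMEOFSERVER0-archive none luks,noauto
EOF
}

# Demo on the constructed file; on a live host: crypttab_prompting
demo() {
    f=$(mktemp)
    write_crypttab_sample "$f"
    echo "before:"; crypttab_prompting "$f" || echo "-> boot would hang on this entry"
    crypttab_set_noauto "$f" crypt_members
    echo "after:";  crypttab_prompting "$f" && echo "-> nothing prompts at boot"
    cat "$f"
    rm -f "$f"
}
demo
```

Whichever route you take (rc2.d or `noauto`), re-run the check after any change to /etc/crypttab: a new entry added later with key file `none` reintroduces the hang, and this is the kind of thing that is only discovered at the next reboot, possibly at a remote site with only the serial console to reach it.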