Installing testing on a gateway

An example installation of Debian testing on a gateway box

Author: Francesco Poli
Contact: invernomuto@paranoici.org
Version: 0.14
Copyright: Expat license
Notice:

Copyright (c) 2007-2024 Francesco Poli

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About this document
Web form: HyperText Markup Language
Source form: reStructuredText
Web stylesheet: Cascading StyleSheets
Build directives: Makefile

Testing on a gateway box step by step

The purpose of this document is to show an example installation of Debian testing on a machine that will be used as a network gateway/firewall/server.

Please note that this is just a step by step description of the installation process for a particular case. It is not meant to replace or substitute the official Debian installation guide: you can find the Debian stable installation guide and the Debian testing installation guide online.

Hardware

For the record, the machine under consideration is a Soekris net5501-60 consisting of the following components:

  • Soekris case for net5501
  • Soekris net5501-60 board only
  • SATA hard drive mounting kit for net5501
  • PATRIOT Torqx2 SATA II 32 Gbyte SSD hard drive
  • 12 V, 3.0 A, IEC320-C8 inlet 90 V - 264 V worldwide power supply
  • null-modem serial cable
  • Lindy USB-to-serial D9 converter

Preparation

The hardware architecture of the box is i386 (i686). Hence, an i386 installation image is needed. Since the Debian Installer will be booted through the network from an image stored in a TFTP server, download the following testing netboot installation image files:

$ wget \
http://ftp.nl.debian.org/debian/dists/testing/main/installer-i386/current/images/netboot/debian-installer/i386/initrd.gz \
http://ftp.nl.debian.org/debian/dists/testing/main/installer-i386/current/images/netboot/debian-installer/i386/linux \
http://ftp.nl.debian.org/debian/dists/testing/main/installer-i386/current/images/netboot/debian-installer/i386/pxelinux.0 \
http://ftp.nl.debian.org/debian/dists/testing/main/installer-i386/current/images/netboot/debian-installer/i386/boot-screens/ldlinux.c32

Other available images are linked from the Debian Installer page.
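
The wget above fetches the installer files over plain HTTP, and TFTP will later serve them to the target machine without any authentication, so it is worth checking them before they are placed under the TFTP root. The following is an added example, not part of the original document: it compares the downloaded files with a SHA256SUMS list taken from the installer's images directory. The function names, the script layout and the "./netboot/..." entry format are assumptions, and the authenticity of the SHA256SUMS file itself is assumed to have been established separately.

```shell
#!/bin/sh
# Added example: check downloaded netboot files against a SHA256SUMS list.
# Assumption: the list names files relative to images/, for example
# "./netboot/debian-installer/i386/linux", matching the URL paths above.
NETBOOT_PREFIX="./netboot/debian-installer/i386"

# expected_sum SUMS_FILE ENTRY: print the digest recorded for ENTRY, if any.
expected_sum() {
    awk -v entry="$2" '$2 == entry { print $1; exit }' "$1"
}

# verify_netboot SUMS_FILE DIR FILE...: return 0 only if every FILE in DIR
# has an entry in SUMS_FILE and its SHA-256 digest matches that entry.
verify_netboot() {
    sums=$1; dir=$2; shift 2
    rc=0
    for f in "$@"; do
        case $f in
            ldlinux.c32) entry="$NETBOOT_PREFIX/boot-screens/$f" ;;
            *)           entry="$NETBOOT_PREFIX/$f" ;;
        esac
        want=$(expected_sum "$sums" "$entry")
        if [ -z "$want" ]; then
            echo "NO ENTRY  $entry" >&2; rc=1; continue
        fi
        if [ ! -f "$dir/$f" ]; then
            echo "NOT FOUND $dir/$f" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$f" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK        $f"
        else
            echo "MISMATCH  $f" >&2; rc=1
        fi
    done
    return "$rc"
}

# Command-line use: script SHA256SUMS DIR FILE...
if [ "$#" -ge 3 ]; then
    verify_netboot "$@"
fi
```

Saved under a name of your choice (verify-netboot.sh is hypothetical), it can be run as "sh verify-netboot.sh SHA256SUMS . initrd.gz linux pxelinux.0 ldlinux.c32"; move the files into the TFTP tree only when it exits with status 0.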

Setting up a TFTP server

You have to set up a TFTP server on one machine on your LAN. If you use dnsmasq as a DNS proxy and DHCP server on one of your boxes, you may enable its TFTP server capabilities. In order to do so, edit file /etc/dnsmasq.conf, so that it has the following lines (among the many others):

$ grep '^dhcp-boot\|^enable-tftp\|^tftp' /etc/dnsmasq.conf
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=/srv/tftp/
tftp-secure

At this point you should lay down the directory tree to be served by the TFTP server, using the previously downloaded files:

# mkdir -p /srv/tftp/pxelinux.cfg
# mkdir -p /srv/tftp/debian/testing/i386
# mv pxelinux.0 ldlinux.c32 /srv/tftp
# mv initrd.gz linux /srv/tftp/debian/testing/i386

After that, create the following two text files:

# cat /srv/tftp/boot.txt

=========
Boot Menu
=========

testing_i386_install
testing_i386_linux
testing_i386_expert
testing_i386_rescue

# cat /srv/tftp/pxelinux.cfg/default
SERIAL 0 19200
CONSOLE 0

DISPLAY boot.txt
DEFAULT testing_i386_install

LABEL testing_i386_install
      kernel debian/testing/i386/linux
      append vga=normal console=ttyS0,19200,n8 initrd=debian/testing/i386/initrd.gz  --
LABEL testing_i386_linux
      kernel debian/testing/i386/linux
      append vga=normal console=ttyS0,19200,n8 initrd=debian/testing/i386/initrd.gz  --
LABEL testing_i386_expert
      kernel debian/testing/i386/linux
      append priority=low vga=normal console=ttyS0,19200,n8 initrd=debian/testing/i386/initrd.gz  --
LABEL testing_i386_rescue
      kernel debian/testing/i386/linux
      append vga=normal console=ttyS0,19200,n8 initrd=debian/testing/i386/initrd.gz  rescue/enable=true --

PROMPT 1
TIMEOUT 20

Then change the owner of the whole directory tree:

# chown -R dnsmasq:nogroup /srv/tftp/

and restart dnsmasq:

# service dnsmasq restart

Remember to open UDP ports 68 (BOOTPC) and 69 (TFTP) on the firewall of the box running dnsmasq, if needed, so that hosts on the LAN can connect to those ports. The nf_conntrack_tftp kernel module may also be needed to allow the firewall to track TFTP connections.

Installation

Before powering the Soekris machine on, connect another box to it through the null-modem serial cable and (possibly) the USB-to-serial converter. Issue the following command on the box from which you want to control the Soekris machine:

$ picocom -b 19200 /dev/ttyUSB0

After also connecting the Soekris machine to your LAN, through the Eth0 ethernet interface, power it on. Tell the Soekris machine to boot from the network ([Ctrl+P] and then boot f0, from within picocom). Wait for the installation process to start.

First questions

The very first thing you are asked to select is the language you want to use for the installation process (which will subsequently be set as the default language for the installed system): choose English, if you share my preferences. After that, you have to choose your country, so that the correct timezone will be set: select other, then Europe, and Italy (or otherwise, if you live elsewhere...). On the next screen, choose the locale: select "en_US.UTF-8".

At that point the installer warns that multiple network interfaces were found in the system and asks the user to choose the primary interface. Choose eth0 (the preselected entry). The installer then proceeds to configure the network through DHCP: it should succeed and no further configuration should be needed.

Now, use your creativity and choose a hostname for your box! You have to enter one in the next screen. Hereinafter, I'll refer to the chosen hostname as $HOSTNAME. Then, you have to enter the domain name: leave the field blank, if you have no established domain name for your LAN.

Afterwards, you'll be asked to choose a Debian network mirror: select a mirror near you (for instance, choose Italy, deb.debian.org). You also have to specify an HTTP proxy, if you use one; if instead you do not use any HTTP proxy on your LAN (as in my case), then leave the proxy field blank.

Time to set the root password: try to think of a good one! You can create a regular user as well: enter your full name, a username, and a password.

Partitioning the disk

The goal is to set up a (hopefully) good partitioning layout for use as a network gateway/firewall/server, with LVM for flexibility. When asked, choose the manual partitioning method. The next screen displays the current disk partition table:

SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2

Select the sda line and confirm that you want to create a new partition table. The updated status should look like:

SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2
>       pri/log  32.0 GB      FREE SPACE

Select the free space line and choose "Create a new partition" from the dialog screen. Enter "200 MB" as partition size and choose "Primary" as partition type. Create the partition at the beginning of the available space, change the mount point to /boot and set the bootable flag to "on". Also, since the disk is an SSD, it may be a good idea to enable the "noatime" mount option. After choosing "Done setting up the partition", you get back to the partition table screen, with the following updated status:

SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2
>     #1  primary  199.2 MB  B  f  ext4          /boot
>         pri/log   31.8 GB        FREE SPACE

Again select the free space line and choose "Create a new partition". Enter "max" as partition size and choose "Logical" as partition type. Change the "Use as" entry to "physical volume for LVM". After choosing "Done setting up the partition", you get back to the partition table screen, with the following updated status:

SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2
>     #1  primary  199.2 MB  B  f  ext4    /boot
>     #5  logical   31.8 GB     K  lvm

Choose "Configure the Logical Volume Manager"; you'll be asked to confirm the creation of partition #1 before you can proceed to the configuration of LVM: answer "Yes". Partition #1 is created with an ext4 filesystem in it.

The next screen allows you to configure the LVM: choose "Create volume group" and enter a suitable two- or three-letter abbreviation of $HOSTNAME (let's call it $HOSTABBR) as volume group name. Select /dev/sda5 for the new volume group. Back to the LVM configuration menu: choose "Create logical volume" and select the only possible volume group. Enter "root" as logical volume name. Now you're asked to enter the logical volume size: enter "800 MB". After that, you're back to the LVM configuration menu. If you want to check whether everything went fine, choose "Display configuration details"; you should get something like:

Unallocated physical volumes:
  * none

Volume groups:
  * $HOSTABBR                                           (31813MB)
    - Uses physical volume:        /dev/sda5            (31813MB)
    - Provides logical volume:     root                 (796MB)

Back in the LVM configuration menu, go on setting up logical volumes according to the following table:

LV name   entered size
swap      "500 MB"
usr       "5.0 GB"
var       "5.0 GB"
tmp       "200 MB"
srv       accept proposed size (about "20321 MB")

Choose "Finish" from the LVM configuration menu. You get back to the partition table screen, where the situation should look like:

LVM VG $HOSTABBR, LV root - 796.9 MB Linux device-mapper (linear)
>     #1           796.9 MB
LVM VG $HOSTABBR, LV srv - 20.3 GB Linux device-mapper (linear)
>     #1            20.3 GB
LVM VG $HOSTABBR, LV swap - 499.1 MB Linux device-mapper (linear)
>     #1           499.1 MB
LVM VG $HOSTABBR, LV tmp - 197.1 MB Linux device-mapper (linear)
>     #1           197.1 MB
LVM VG $HOSTABBR, LV usr - 5.0 GB Linux device-mapper (linear)
>     #1             5.0 GB
LVM VG $HOSTABBR, LV var - 5.0 GB Linux device-mapper (linear)
>     #1             5.0 GB
SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2
>     #1  primary  199.2 MB  B  F  ext4    /boot
>     #5  logical   31.8 GB     K  lvm

Select the "#1 796.9 MB" line: change the "Use as" entry to "Ext4 journaling file system", and the mount point to /, and enable the "noatime" mount option. After choosing "Done setting up the partition", select the "#1 20.3 GB" line: change the "Use as" entry to "Ext4 journaling file system", the mount point to /srv and enable the "noatime" mount option. After choosing "Done setting up the partition", select the "#1 499.1 MB" line: change the "Use as" entry to "swap area". After choosing "Done setting up the partition", repeat the process for the other logical volumes, until the result is as follows:

LVM VG $HOSTABBR, LV root - 796.9 MB Linux device-mapper (linear)
>     #1           796.9 MB     f  ext4    /
LVM VG $HOSTABBR, LV srv - 20.3 GB Linux device-mapper (linear)
>     #1            20.3 GB     f  ext4    /srv
LVM VG $HOSTABBR, LV swap - 499.1 MB Linux device-mapper (linear)
>     #1           499.1 MB     f  swap    swap
LVM VG $HOSTABBR, LV tmp - 197.1 MB Linux device-mapper (linear)
>     #1           197.1 MB     f  ext4    /tmp
LVM VG $HOSTABBR, LV usr - 5.0 GB Linux device-mapper (linear)
>     #1             5.0 GB     f  ext4    /usr
LVM VG $HOSTABBR, LV var - 5.0 GB Linux device-mapper (linear)
>     #1             5.0 GB     f  ext4    /var
SCSI1 (0,1,0) (sda) - 32.0 GB ATA Patriot Torqx 2
>     #1  primary  199.2 MB  B  F  ext4    /boot
>     #5  logical   31.8 GB     K  lvm

Choose "Finish partitioning and write changes to disk"; you'll be asked to confirm the creation of the partitions: answer "Yes". The desired filesystems are created and the swap area is prepared.

Finishing the installation

At this point, you just have to wait for the base system to be installed. You'll be asked which kernel should be installed: you may choose "linux-image-686". Then you'll be asked whether you want to contribute to popcon: answer "Yes", if you care about Debian. The next screen allows you to select groups of packages: since the goal here is installing the base system only, deselect everything and choose "Continue". Answer "Yes" when asked to confirm that GRUB should be installed to the MBR.

The installation is complete: choose "Continue" to reboot the system!

Improving the boot process

In order to be able to use the GRUB menu from the serial console, and also to see boot and shutdown messages on the serial console, edit /etc/default/grub so that the appropriate lines become:

# grep '^GRUB_CMDLINE_LINUX=\|^GRUB_TERMINAL=\|^GRUB_SERIAL_COMMAND=' /etc/default/grub
GRUB_CMDLINE_LINUX="console=ttyS0,19200,n8"
GRUB_TERMINAL=serial
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=19200 --word=8 --parity=no --stop=1"

and then issue the following command:

# update-grub

Moreover, since there's only one operating system on the box, you do not want the GRUB update process to search for other ones in dual-boot. Hence, remove the following package:

# apt purge os-prober

and re-run:

# update-grub

Moreover, in order to prevent the error LED from staying always on, write the following service file (which causes the error LED to turn on only in case of kernel panic):

$ cat /etc/systemd/system/net5501led.service
[Unit]
Description=Configure net5501 LED behavior
ConditionVirtualization=!container

[Service]
Type=oneshot
ExecStart=sh -c 'echo panic > /sys/class/leds/net5501:1/trigger'
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

and enable it:

# chown root:root /etc/systemd/system/net5501led.service
# chmod 644       /etc/systemd/system/net5501led.service
# systemctl daemon-reload
# systemctl enable --now net5501led.service

Optimizing the SSD performance

Since the disk is an SSD, and we are using the ext4 filesystem, it is suggested to enable TRIM support at filesystem and LVM level.

Edit file /etc/fstab, adding the "discard" option to each ext4 filesystem (for instance "noatime" becomes "discard,noatime") and even to the swap partition ("sw" becomes "sw,discard").
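
One way to apply the /etc/fstab change described above without hand-editing each line, as an added example that is not part of the original document: a filter that adds "discard" to every ext4 and swap entry, leaves other entries untouched and is safe to run twice. The function names and the sample fstab (including its device names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: add "discard" to ext4 and swap entries of an fstab.
# Reads fstab text on stdin, writes the result to stdout; it never edits
# /etc/fstab in place, so the output can be reviewed with diff first.
add_discard() {
    awk '
    /^[ \t]*(#|$)/ { print; next }    # comments and blank lines pass through
    NF >= 4 && ($3 == "ext4" || $3 == "swap") {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "discard") { print; next }    # already enabled
        # Same placement as in the text: "discard,noatime" and "sw,discard".
        new = ($3 == "swap") ? $4 ",discard" : "discard," $4
        # Find where field 4 starts in the raw line to keep the spacing.
        match($0, /^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/)
        print substr($0, 1, RLENGTH) new substr($0, RLENGTH + length($4) + 1)
        next
    }
    { print }                         # every other filesystem type
    '
}

# Constructed sample fstab (device names are hypothetical).
sample_fstab() {
    cat <<'EOF'
# <file system>     <mount>  <type>  <options>  <dump>  <pass>
/dev/mapper/gw-root /        ext4    noatime,errors=remount-ro 0 1
/dev/sda1           /boot    ext4    noatime    0       2
/dev/mapper/gw-swap none     swap    sw         0       0
/dev/mapper/gw-srv  /srv     ext4    discard,noatime 0  2
proc                /proc    proc    defaults   0       0
EOF
}

sample_fstab | add_discard
```

On the real system, write the output of "add_discard < /etc/fstab" to a temporary file and compare it with the original before replacing /etc/fstab.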

After that, edit file /etc/lvm/lvm.conf, changing the appropriate line to:

issue_discards = 1

Install one package to manage disk partitions:

# apt install fdisk

Configuring APT

In order to avoid downloading translations for package descriptions (which is too slow on our system), create the following file:

# echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/local_notransl

and delete any internationalization (i18n) index:

# rm /var/lib/apt/lists/*i18n*

In order to disable the use of pdiffs (which are too slow on our system), create the following file:

# echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local_nopdiffs

Conclusions

Now the system is installed and ready to run: you can boot it and log in as root or as the previously created regular user. But very little can be done with the base system only: the next step is to tune the system configuration and begin adding software packages according to your needs. You may do that (and more) in a way similar to the workstation/desktop initial setup. Follow the steps described in these documents, with the noted differences:

  • Initial configuration (HTML, reST), skipping the UEFI configuration suggestions, skipping the boot process subsection (since we have already customized the configuration for GRUB), skipping the shutdown via power button subsection (since our system has no power button), enabling smartd monitoring for /dev/sda only (see hard disk health section), skipping the CPU clock frequency and voltage scaling section (since our system does not support it); also, in order to read local mail, you may want to install mutt (aptitude install mutt)
  • Console configuration (HTML, reST), skipping the lm-sensors installation (since it does not seem to support our system), the dictionaries and spell checking section, the console mouse support section, the fortune section, the Debian documentation section, the diffoscope installation (too many dependencies), the archive file management section, the console fonts section, and the serial console and socket connection sections
  • Network tools configuration (HTML, reST), skipping the SSH client subsection and the IRC client section

After that, you can begin configuring the system for its primary purposes. More details are in a separate document (HTML, reST).