Linux/Xen/DomU/Devuan/Devuan ASCII: Difference between revisions

 
Line 40: Line 40:
  apt-get upgrade
  apt-get upgrade


Install a frontend for depconf
Install a frontend for debconf


  apt-get install whiptail
  apt-get install whiptail
Line 68: Line 68:
  co:2345:respawn:/sbin/getty 38400 hvc0
  co:2345:respawn:/sbin/getty 38400 hvc0


 
====Network====
 
The default udev rules for Devuan ignore Xen generated MAC addresses so you won't get a '/etc/udev/rules.d/70-persistent-net.rules' This causes your network interfaces not to come up.
 
Edit '/lib/udev/rules.d/75-persistent-net-generator.rules' and comment these lines. Here's the changes in patch/diff format.
 
<syntaxhighlight lang="diff">
--- 75-persistent-net-generator.rules.old      2018-10-20 12:40:48.812000000 -0500
+++ 75-persistent-net-generator.rules  2018-10-20 12:41:35.264000000 -0500
@@ -26,7 +26,7 @@
                                        GOTO="persistent_net_generator_end"
 
# ignore Xen virtual interfaces
-SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"
+#SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"
 
# ignore UML virtual interfaces
DRIVERS=="uml-netdev",                GOTO="persistent_net_generator_end"
@@ -78,7 +78,7 @@
ENV{MATCHADDR}=="00:15:5d:*",          ENV{MATCHADDR}=""
ENV{MATCHADDR}=="52:54:00:*|54:52:00:*", ENV{MATCHADDR}=""
ENV{MATCHADDR}=="08:00:27:*",          ENV{MATCHADDR}=""
-ENV{MATCHADDR}=="00:16:3e:*",          ENV{MATCHADDR}=""
+#ENV{MATCHADDR}=="00:16:3e:*",        ENV{MATCHADDR}=""
 
# ignore Windows Azure Hyper-V virtual interfaces
ENV{MATCHADDR}=="00:03:ff:*", ENV{MATCHADDR}=""
</syntaxhighlight>


Configure your '/etc/network/interfaces' for DHCP
Configure your '/etc/network/interfaces' for DHCP
Line 107: Line 80:
iface eth0 inet dhcp
iface eth0 inet dhcp
</syntaxhighlight>
</syntaxhighlight>
We need to allow root logins over SSH.
Edit /etc/ssh/sshd_config and change,
#PermitRootLogin prohibit-password
to
PermitRootLogin yes
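Review bot: `PermitRootLogin yes` turns on root password login over SSH, and on this page the same image (root password included, set in the final cleanup step) is cloned for every VM, so one shared password guards root on all of them. The default `PermitRootLogin prohibit-password` already lets root in with an authorized key; placing a key in the image and keeping the default is the narrower change, or if password login is really wanted the page should say to change the root password on each clone before it is reachable. The sshd_config section being edited continues outside this revision excerpt.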


====GRUB====
====GRUB====
Line 145: Line 129:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
--- old_ssh 2017-01-15 10:04:56.399284075 -0600
--- old_ssh 2018-12-16 21:33:01.193415639 +0000
+++ ssh 2017-01-15 10:09:02.999284075 -0600
+++ ssh 2018-12-23 19:05:39.647919366 +0000
@@ -78,6 +78,74 @@
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
     fi
  }
  }
Line 153: Line 137:
+# Some variables to make things more readable  
+# Some variables to make things more readable  
+KEYGEN=/usr/bin/ssh-keygen
+KEYGEN=/usr/bin/ssh-keygen
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
Line 166: Line 148:
+                        chmod 600 $RSA_KEY
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+                        chmod 644 $RSA_KEY.pub
+ echo "OK"
+                else
+ echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
+do_dsa_keygen() {
+        if [ ! -s $DSA_KEY ]; then
+                echo -n "Generating SSH2 DSA host key: "
+                rm -f $DSA_KEY
+                if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $DSA_KEY
+                        chmod 644 $DSA_KEY.pub
+ echo "OK"
+ echo "OK"
+                else
+                else
Line 219: Line 186:
+}
+}
+
+
  export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"
  check_config() {
    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
case "$1" in
/usr/sbin/sshd $SSHD_OPTS -t || exit 1
@@ -86,6 +154,12 @@
@@ -86,6 +137,11 @@ case "$1" in
  check_privsep_dir
  check_privsep_dir
  check_for_no_start
  check_for_no_start
Line 228: Line 195:
+
+
+ do_rsa_keygen
+ do_rsa_keygen
+ do_dsa_keygen
+ do_ecdsa_keygen
+ do_ecdsa_keygen
+ do_ed25519_keygen
+ do_ed25519_keygen
+
+
  log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
  log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
  if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
  if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
      log_end_msg 0 || true
      log_end_msg 0 || true
</syntaxhighlight>
</syntaxhighlight>


====Firewall====
====Firewall====
Line 252: Line 217:
Set a hostname.
Set a hostname.


Remove /etc/udev/rules.d/70-persistent-net.rules so that network comes up clean when the image is booted for the first time.
Remove SSH host keys so that new ones get generated on first boot.


Remove SSH host keys so that new ones get generated on first boot.
Remove the old leases file so that the VM will request a fresh IP address each time.


Set a root password
Set a root password
Line 260: Line 225:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
echo 'devuan' > /etc/hostname
echo 'devuan' > /etc/hostname
rm /etc/udev/rules.d/70-persistent-net.rules
rm /var/lib/dhcp/dhclient.eth0.leases
rm /etc/ssh/ssh_host_*
rm /etc/ssh/ssh_host_*
passwd root
passwd root
</syntaxhighlight>
</syntaxhighlight>


Devuan ASCII

Start this process on an existing Devuan system. You will need the Devuan-patched version of debootstrap installed.

Create an empty image file and format it with ext3.

# Sparse image: 1 MiB of zeros written at a 1024 MiB offset, so the file is
# 1025 MiB in size but occupies almost no disk space until written to.
img=devuan_ascii.img
dd if=/dev/zero of="$img" bs=1M count=1 seek=1024
# Put an ext3 filesystem on the image file.
mkfs.ext3 "$img"

Create a directory to mount the image on; this example uses '/mnt/img'.

# Loop-mount the image file so it can be populated like a real disk.
mnt=/mnt/img
mkdir "$mnt"
mount -o loop devuan_ascii.img "$mnt"

Start the debootstrap process.

# Minimal (minbase) Devuan ASCII tree into the mounted image.
# NOTE(review): the mirror is plain http, so the Release-file signature check
# is the only thing protecting this download -- confirm the Devuan keyring is
# available to debootstrap so that check is not skipped.
mirror=http://auto.mirror.devuan.org/merged/
debootstrap --variant=minbase ascii /mnt/img "$mirror"

Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates.

# Seed apt in the new root with the host's sources.list so updates can run.
cp /etc/apt/sources.list /mnt/img/etc/apt/sources.list

Here is a basic sources.list

# Devuan ASCII: base suite, stable updates and security updates, all from the
# merged mirror.
# NOTE(review): plain http -- apt's signature check on the Release files, not
# the transport, is what protects these; confirm the Devuan archive keyring is
# installed in the new root.
deb http://auto.mirror.devuan.org/merged ascii main
deb http://auto.mirror.devuan.org/merged ascii-updates main
deb http://auto.mirror.devuan.org/merged ascii-security main

Mount the necessary system files so that we can enter the new root filesystem with chroot.

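# Bind the host's /dev, /dev/pts, /proc and /sys into the new root, then
# chroot into it. The commands are chained with && so a failed mount does
# not drop us into a chroot with a half-populated /dev or no /proc (which
# makes later package configuration fail in confusing ways).
root=/mnt/img
mount --bind /dev "$root/dev" &&
mount --bind /dev/pts "$root/dev/pts" &&
mount -t proc proc "$root/proc" &&
mount -t sysfs sys "$root/sys" &&
chroot "$root"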

Run updates and install a language pack.

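# Refresh the package lists, then upgrade. The && keeps the upgrade from
# running against stale or partial lists when the update itself failed.
apt-get update && apt-get upgrade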

Install a frontend for debconf

# whiptail gives debconf a dialog front end for the configure prompts below.
pkg=whiptail
apt-get install "$pkg"

Install locales and configure them.

# Install the locales package and run its interactive configuration.
pkg=locales
apt-get install "$pkg"
dpkg-reconfigure "$pkg"

Configure the system timezone.

# Interactive timezone selection for the new root.
pkg=tzdata
dpkg-reconfigure "$pkg"

Install networking systems

# Basic networking: /etc/services et al., ifconfig/route, ifup/ifdown, ping.
apt-get install \
    netbase \
    net-tools \
    ifupdown \
    inetutils-ping

Install the kernel image, SSH server, full version of vim and rsyslog

# Kernel metapackage for this architecture (resolved at install time), then
# the SSH server, full vim and rsyslog.
arch=$(dpkg --print-architecture)
apt-get install "linux-image-$arch"
apt-get install openssh-server
apt-get install vim
apt-get install rsyslog

To use the Xen console ('xm console <domU>') you need a getty on /dev/hvc0. Edit /etc/inittab and add this line.

co:2345:respawn:/sbin/getty 38400 hvc0

Network

Configure your '/etc/network/interfaces' for DHCP

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0
iface eth0 inet dhcp

We need to allow root logins over SSH. Be aware that 'PermitRootLogin yes' also allows root to log in with a password, and this image (including the root password set in the final cleanup step) is cloned for every VM; a safer option is to keep the default 'prohibit-password' and put an authorized key for root in the image, or at least change the root password on each clone.

Edit /etc/ssh/sshd_config and change,

#PermitRootLogin prohibit-password

to

PermitRootLogin yes


GRUB

Setup a basic grub config in "/boot/grub/menu.lst"

# GRUB-legacy style menu.lst for the domU (presumably read by the dom0's
# menu.lst-aware bootloader -- confirm for your Xen setup).
# Kernel and initrd versions are hard-coded below; they must match the
# linux-image package that was actually installed (check /boot in the image).
default         0
timeout         2

# console=hvc0 pairs with the getty on hvc0 added to /etc/inittab above.
# NOTE(review): root=/dev/xvda1 here, but /etc/fstab below lists / as
# /dev/sda1 -- the two should name the same device.
title           Devuan ASCII
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

# Same kernel, booted into single-user mode for recovery.
title           Devuan ASCII (Single-User)
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro single console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

Configure a basic fstab

# Begin /etc/fstab
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
# NOTE(review): menu.lst above boots with root=/dev/xvda1, but / is listed here
# as /dev/sda1; the two should name the same device -- confirm which one the
# domU actually sees. errors=remount-ro makes ext3 go read-only on errors.
/dev/sda1          /             ext3      defaults,errors=remount-ro    0     0
# No dump and no fsck (pass 0) for either entry.
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will be cloned to create new virtual machines, we don't want every VM to share the same SSH host keys. Devuan won't regenerate SSH host keys if you delete them from /etc/ssh, so we need to make some changes to /etc/init.d/ssh so it regenerates the host keys.

Here is a patch for /etc/init.d/ssh

--- old_ssh	2018-12-16 21:33:01.193415639 +0000
+++ ssh	2018-12-23 19:05:39.647919366 +0000
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
 }
 
+# Some variables to make things more readable 
+KEYGEN=/usr/bin/ssh-keygen
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+do_rsa_keygen() {
+        if [ ! -s $RSA_KEY ]; then
+                echo -n "Generating SSH2 RSA host key: "
+                rm -f $RSA_KEY
+                if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ecdsa_keygen() {
+        if [ ! -s $ECDSA_KEY ]; then
+                echo -n "Generating SSH2 ECDSA host key: "
+                rm -f $ECDSA_KEY
+                if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ECDSA_KEY
+                        chmod 644 $ECDSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ed25519_keygen() {
+        if [ ! -s $ED25519_KEY ]; then
+                echo -n "Generating SSH2 ED25519 host key: "
+                rm -f $ED25519_KEY
+                if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ED25519_KEY
+                        chmod 644 $ED25519_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
 check_config() {
     if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
 	/usr/sbin/sshd $SSHD_OPTS -t || exit 1
@@ -86,6 +137,11 @@ case "$1" in
 	check_privsep_dir
 	check_for_no_start
 	check_dev_null
+
+	do_rsa_keygen
+	do_ecdsa_keygen
+	do_ed25519_keygen
+
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
 	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
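Review bot: do_rsa_keygen, do_ecdsa_keygen and do_ed25519_keygen are one function copied three times with the key type and path substituted, so any later change (for instance to the `exit 1` on failure, which aborts the whole init script) has to be made in three places; a single helper taking the type and file, called as `do_host_keygen rsa "$RSA_KEY"` and so on, keeps the behavior with one copy of the logic. Separately, these keys are generated on a domU's very first boot, before much entropy has accumulated, and the patch does nothing about that; it is worth confirming the guest has an entropy source before trusting first-boot keys (nothing on this page sets one up). The `case "$1"` body that calls the helpers starts outside the hunk.
```shell
# Generate one host key if its file is missing or empty; exit 1 on failure
# (aborts the init script, exactly as the three per-type helpers did).
do_host_keygen() {
        type="$1"
        key="$2"
        if [ ! -s "$key" ]; then
                echo -n "Generating SSH2 $type host key: "
                rm -f "$key"
                if test ! -f "$key" && $KEYGEN -q -t "$type" -f "$key" -C '' -N '' >/dev/null; then
                        chmod 600 "$key"
                        chmod 644 "$key.pub"
                        echo "OK"
                else
                        echo "FAIL"
                        exit 1
                fi
        fi
}
# … unchanged: check_config, start of the case "$1" body …
	do_host_keygen rsa "$RSA_KEY"
	do_host_keygen ecdsa "$ECDSA_KEY"
	do_host_keygen ed25519 "$ED25519_KEY"
```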

Firewall

# Install the firewall pieces, then allow only SSH in and turn ufw on.
for pkg in iptables ufw; do
    apt-get install "$pkg"
done
# The OpenSSH application profile opens port 22 from anywhere.
ufw allow OpenSSH
# NOTE(review): this runs inside the chroot; confirm with `ufw status` after
# the first boot that the firewall really came up enabled.
ufw enable

Final Cleanup

Set a hostname.

Remove SSH host keys so that new ones get generated on first boot.

Remove the old leases file so that the VM will request a fresh IP address each time.

Set a root password. This password is baked into the image, so every VM cloned from it starts with the same root password (usable over SSH because of 'PermitRootLogin yes' above); change it on each clone at first login.

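# Final cleanup before the image is cloned.
echo 'devuan' > /etc/hostname
# -f: the leases file only exists if dhclient has actually run in this image,
# and a missing file must not abort the cleanup.
rm -f /var/lib/dhcp/dhclient.eth0.leases
# Drop all host keys (private and .pub) so the patched /etc/init.d/ssh
# generates unique ones on each clone's first boot; -f also covers the case
# where they were already removed.
rm -f /etc/ssh/ssh_host_*
# This password is shared by every clone of the image -- change it per VM.
passwd root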