Linux/Xen/DomU/Devuan/Devuan ASCII

Revision as of 12:02, 23 December 2018

Devuan ASCII

Start this process on an existing Devuan system. You will need the Devuan-patched version of debootstrap installed.

Create an empty image file and format it with ext3.

dd if=/dev/zero of=devuan_ascii.img bs=1M count=1 seek=1024
mkfs.ext3 devuan_ascii.img

Create a directory to mount the image on. This example uses '/mnt/img'.

mkdir /mnt/img
mount -oloop devuan_ascii.img /mnt/img

Start the debootstrap process.

debootstrap --variant=minbase ascii /mnt/img http://auto.mirror.devuan.org/merged/

Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates.

cp /etc/apt/sources.list /mnt/img/etc/apt/

Here is a basic sources.list

deb http://auto.mirror.devuan.org/merged ascii main
deb http://auto.mirror.devuan.org/merged ascii-updates main
deb http://auto.mirror.devuan.org/merged ascii-security main

Mount the necessary system files so that we can enter the new root filesystem with chroot.

mount --bind /dev /mnt/img/dev
mount --bind /dev/pts /mnt/img/dev/pts
mount -t proc proc /mnt/img/proc
mount -t sysfs sys /mnt/img/sys
chroot /mnt/img

Run updates and install a language pack.

apt-get update
apt-get upgrade

Install a frontend for debconf.

apt-get install whiptail

Install locales and configure them.

apt-get install locales
dpkg-reconfigure locales

Configure the system timezone.

dpkg-reconfigure tzdata

Install the basic networking packages.

apt-get install netbase net-tools ifupdown inetutils-ping

Install the kernel image, the SSH server, the full version of vim and rsyslog.

apt-get install linux-image-`dpkg --print-architecture`
apt-get install openssh-server
apt-get install vim
apt-get install rsyslog

To use the Xen console ('xm console <domU>') you need to set up a tty on /dev/hvc0. Edit /etc/inittab and add this line.

co:2345:respawn:/sbin/getty 38400 hvc0


The default udev rules in Devuan ignore Xen-generated MAC addresses, so no '/etc/udev/rules.d/70-persistent-net.rules' is written. This causes your network interfaces not to come up.

Edit '/lib/udev/rules.d/75-persistent-net-generator.rules' and comment out these lines. Here are the changes in patch/diff format.

--- 75-persistent-net-generator.rules.old       2018-10-20 12:40:48.812000000 -0500
+++ 75-persistent-net-generator.rules   2018-10-20 12:41:35.264000000 -0500
@@ -26,7 +26,7 @@
                                        GOTO="persistent_net_generator_end"

 # ignore Xen virtual interfaces
-SUBSYSTEMS=="xen",                     GOTO="persistent_net_generator_end"
+#SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"

 # ignore UML virtual interfaces
 DRIVERS=="uml-netdev",                 GOTO="persistent_net_generator_end"
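Review bot: editing /lib/udev/rules.d/75-persistent-net-generator.rules in place will be undone the next time the udev package is upgraded. Copy the file to /etc/udev/rules.d/75-persistent-net-generator.rules and comment the line out there instead; a rules file in /etc/udev/rules.d with the same name overrides the copy in /lib/udev/rules.d, so the change then survives package upgrades.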
@@ -78,7 +78,7 @@
 ENV{MATCHADDR}=="00:15:5d:*",          ENV{MATCHADDR}=""
 ENV{MATCHADDR}=="52:54:00:*|54:52:00:*", ENV{MATCHADDR}=""
 ENV{MATCHADDR}=="08:00:27:*",          ENV{MATCHADDR}=""
-ENV{MATCHADDR}=="00:16:3e:*",          ENV{MATCHADDR}=""
+#ENV{MATCHADDR}=="00:16:3e:*",         ENV{MATCHADDR}=""

 # ignore Windows Azure Hyper-V virtual interfaces
 ENV{MATCHADDR}=="00:03:ff:*", ENV{MATCHADDR}=""
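Review bot: with the 00:16:3e:* (Xen OUI) MATCHADDR exclusion disabled, the generator will write the template's MAC address into /etc/udev/rules.d/70-persistent-net.rules on the first boot of the image. Because this image is built to be cloned, that file must not be carried into the clones: a clone that boots with a different MAC gets its interface named eth1 while the stale rule keeps eth0 for the old address, and the eth0 stanza in /etc/network/interfaces then never applies. Add `rm -f /etc/udev/rules.d/70-persistent-net.rules` to the final cleanup so that each clone generates its own rule on first boot.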

Network

Configure your '/etc/network/interfaces' for DHCP.

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0
iface eth0 inet dhcp

We need to allow root logins over SSH.

Edit /etc/ssh/sshd_config and change

#PermitRootLogin prohibit-password

to

PermitRootLogin yes


GRUB

Set up a basic GRUB config in "/boot/grub/menu.lst" (the GRUB legacy format that pygrub reads).

default         0
timeout         2

title           Devuan ASCII
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

title           Devuan ASCII (Single-User)
root            (hd0,0)
kernel          /boot/vmlinuz-4.9.0-7-686-pae root=/dev/xvda1 ro single console=hvc0
initrd          /boot/initrd.img-4.9.0-7-686-pae

Configure a basic fstab. The root device must match the root= parameter on the kernel line in menu.lst, which is /dev/xvda1 for this Xen guest.

# Begin /etc/fstab
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
/dev/xvda1         /             ext3      defaults,errors=remount-ro    0     0
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will be cloned to create new virtual machines, we don't want every virtual machine to re-use the same keys. Devuan won't regenerate SSH host keys if you delete them from /etc/ssh, so we need to change /etc/init.d/ssh so that it regenerates any missing host keys when sshd starts.

Here is a patch for /etc/init.d/ssh.

--- old_ssh	2018-12-16 21:33:01.193415639 +0000
+++ ssh	2018-12-23 18:52:01.653415639 +0000
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
 }
 
+# Some variables to make things more readable 
+KEYGEN=/usr/bin/ssh-keygen
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+do_rsa_keygen() {
+        if [ ! -s $RSA_KEY ]; then
+                echo -n "Generating SSH2 RSA host key: "
+                rm -f $RSA_KEY
+                if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ecdsa_keygen() {
+        if [ ! -s $ECDSA_KEY ]; then
+                echo -n "Generating SSH2 ECDSA host key: "
+                rm -f $ECDSA_KEY
+                if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ECDSA_KEY
+                        chmod 644 $ECDSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ed25519_keygen() {
+        if [ ! -s $ED25519_KEY ]; then
+                echo -n "Generating SSH2 ED25519 host key: "
+                rm -f $ED25519_KEY
+                if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ED25519_KEY
+                        chmod 644 $ED25519_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
 check_config() {
     if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
 	/usr/sbin/sshd $SSHD_OPTS -t || exit 1
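Review bot: the three do_*_keygen functions differ only in the key type and the file path, so one helper such as `do_keygen() { ktype=$1; key=$2; ... }` called as `do_keygen rsa $RSA_KEY` would remove the copy-paste and the mixed tab/space indentation on the `echo "OK"` and `echo "FAIL"` lines. The guard inside each function is also redundant: after `[ ! -s $RSA_KEY ]` and `rm -f $RSA_KEY` the `test ! -f $RSA_KEY` can never fail, so `if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then` is enough. Consider removing the stale `$RSA_KEY.pub` together with the private key so the pair is always regenerated as a unit.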
@@ -86,6 +137,12 @@ case "$1" in
 	check_privsep_dir
 	check_for_no_start
 	check_dev_null
+
+	do_rsa_keygen
+	do_dsa_keygen
+	do_ecdsa_keygen
+	do_ed25519_keygen
+
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
 	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
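Review bot: `do_dsa_keygen` is called here but no such function is defined anywhere in the patch (only the rsa, ecdsa and ed25519 variants are). The call fails with `do_dsa_keygen: not found`, and because the init script runs with `set -e` that aborts the start action before sshd is launched. Drop the call (OpenSSH has disabled ssh-dss host keys by default since 7.0) or add the matching function.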

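A generic version of the key-regeneration helper, as an added example that is not part of the wiki page or of Devuan's init script: one function handles every key type the patch above covers, so adding or dropping a type is a one-word change rather than another copied function. The KEYGEN and SSH_DIR variables are assumptions that let the helper be pointed at a scratch directory or a stub for testing; on the real system they default to /usr/bin/ssh-keygen and /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the wiki page or Devuan's /etc/init.d/ssh): a single
# helper that generates any SSH host key that is missing or empty.
# KEYGEN and SSH_DIR are assumptions so the helper can be exercised outside
# /etc/ssh; they default to the real locations.

KEYGEN="${KEYGEN:-/usr/bin/ssh-keygen}"
SSH_DIR="${SSH_DIR:-/etc/ssh}"

# ensure_host_key TYPE
# Generates $SSH_DIR/ssh_host_TYPE_key if it is missing or zero length.
# Returns 0 when a usable pair (private 0600, public 0644, both non-empty)
# exists afterwards, 1 otherwise.
ensure_host_key() {
    ktype="$1"
    key="$SSH_DIR/ssh_host_${ktype}_key"
    if [ -s "$key" ]; then
        return 0                       # a non-empty key is left untouched
    fi
    # A zero-length private key would make sshd refuse to start; remove it
    # together with any stale public half so the pair is regenerated as a unit.
    rm -f "$key" "$key.pub"
    if ! "$KEYGEN" -q -t "$ktype" -f "$key" -C '' -N '' >/dev/null; then
        echo "ssh_host_${ktype}_key: generation FAILED" >&2
        return 1
    fi
    chmod 600 "$key" && chmod 644 "$key.pub"
    [ -s "$key" ] && [ -s "$key.pub" ]
}

# ensure_host_keys TYPE...
# Runs ensure_host_key for each type; returns 1 if any single type failed.
ensure_host_keys() {
    rc=0
    for t in "$@"; do
        ensure_host_key "$t" || rc=1
    done
    return $rc
}

# Usage on the real system (as root), in place of the do_*_keygen calls:
#   ensure_host_keys rsa ecdsa ed25519
```

In the init script the call goes where the patch calls the do_*_keygen functions, and a non-zero return should stop the start action just as the patch's `exit 1` does.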
Firewall

apt-get install iptables
apt-get install ufw

ufw allow OpenSSH
ufw enable

Final Cleanup

Set a hostname.

Remove SSH host keys so that new ones get generated on first boot.

Set a root password.

echo 'devuan' > /etc/hostname
rm /etc/ssh/ssh_host_*
passwd root
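As an added example (not part of the wiki page), a check to run against the mounted image root before it is cloned, confirming that the cleanup above actually took effect. The ROOT argument, /mnt/img by default, is an assumption taken from the mount point used earlier on this page. It also reports a leftover 70-persistent-net.rules, which, once the udev generator change above is in place, would pin the template's MAC address to eth0 in every clone. The function returns the number of problems found, so 0 means the image is ready to clone.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-clone sanity check for the image.
# ROOT defaults to /mnt/img, the mount point used on this page (assumption).
# Each finding is printed; the return value is the number of findings.

check_image_clean() {
    root="${1:-/mnt/img}"
    findings=0

    # Leftover host keys would be shared by every clone of the image.
    for k in "$root"/etc/ssh/ssh_host_*_key "$root"/etc/ssh/ssh_host_*_key.pub; do
        if [ -e "$k" ]; then
            echo "host key still present: ${k#$root}"
            findings=$((findings + 1))
        fi
    done

    # A persistent-net rule pins the template's MAC to eth0; on a clone with a
    # different MAC the NIC would come up as eth1 and the eth0 DHCP stanza in
    # /etc/network/interfaces would not apply.
    if [ -e "$root/etc/udev/rules.d/70-persistent-net.rules" ]; then
        echo "persistent net rule still present: /etc/udev/rules.d/70-persistent-net.rules"
        findings=$((findings + 1))
    fi

    # The hostname must have been set (non-empty file).
    if [ ! -s "$root/etc/hostname" ]; then
        echo "/etc/hostname missing or empty"
        findings=$((findings + 1))
    fi

    # root needs a real password hash: an empty, '*' or '!'-prefixed field in
    # /etc/shadow means the account has no usable password.
    if [ -r "$root/etc/shadow" ]; then
        hash=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow")
        case "$hash" in
            ''|'*'|'!'*) echo "root password not set"; findings=$((findings + 1)) ;;
        esac
    fi

    return $findings
}

# Usage (as root, with the image still mounted):
#   check_image_clean /mnt/img && echo "image ready to clone"
```

Run it as the last step before unmounting the image; a non-zero return lists exactly which cleanup step was skipped.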