Linux/Xen/DomU/Devuan/Devuan Beowulf: Difference between revisions

Revision as of 14:22, 11 December 2020

Devuan Beowulf

Start this process on an existing Devuan system. You will need the Devuan-patched version of debootstrap installed.

Create an empty image file and format it with ext3.

dd if=/dev/zero of=devuan_beowulf.img bs=1M count=1 seek=1024
mkfs.ext3 devuan_beowulf.img

Create a directory to mount the image on. Using '/mnt/img' for this example.

mkdir /mnt/img
mount -oloop devuan_beowulf.img /mnt/img

Start the debootstrap process. The version of 'su' that ships with Beowulf no longer runs /etc/profile by default, so either run 'su -' to start a login shell that sources /etc/profile, or add /usr/sbin to your PATH with 'export PATH=$PATH:/usr/sbin'. debootstrap will not run correctly without /usr/sbin in your PATH; you will get the error message "E: Unable to execute target architecture" when trying to run it.

debootstrap --arch=i386 --variant=minbase beowulf /mnt/img http://deb.devuan.org/merged/

Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates.

cp /etc/apt/sources.list /mnt/img/etc/apt/

Here is a basic sources.list.

deb http://deb.devuan.org/merged beowulf main
deb http://deb.devuan.org/merged beowulf-updates main
deb http://deb.devuan.org/merged beowulf-security main

Mount the necessary system files so that we can enter the new root filesystem with chroot.

mount --bind /dev /mnt/img/dev
mount --bind /dev/pts /mnt/img/dev/pts
mount -t proc proc /mnt/img/proc
mount -t sysfs sys /mnt/img/sys
/usr/sbin/chroot /mnt/img

Run updates.

apt-get update
apt-get upgrade

Install a frontend for debconf.

apt-get install whiptail

Install locales and configure them.

apt-get install locales
dpkg-reconfigure locales

Configure the system timezone.

dpkg-reconfigure tzdata

Install the networking packages.

apt-get install netbase net-tools ifupdown inetutils-ping

Install the kernel image, the SSH server, the full version of vim, and rsyslog.

apt-get install linux-image-686
apt-get install openssh-server
apt-get install vim
apt-get install rsyslog

To use the Xen console ('xl console (domU)') you need to set up a tty on /dev/hvc0. Edit /etc/inittab and add this line.

co:2345:respawn:/sbin/getty 38400 hvc0

Network

Configure your '/etc/network/interfaces' for DHCP.

# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d

auto eth0
iface eth0 inet dhcp

We need to allow root logins over SSH.

Edit /etc/ssh/sshd_config and change,

#PermitRootLogin prohibit-password

to

PermitRootLogin yes


GRUB

Set up a basic GRUB config in "/boot/grub/menu.lst".

default         0
timeout         2

title           Devuan Beowulf
root            (hd0,0)
kernel          /boot/vmlinuz-4.19.0-12-686 root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.19.0-12-686

title           Devuan Beowulf (Single-User)
root            (hd0,0)
kernel          /boot/vmlinuz-4.19.0-12-686 root=/dev/xvda1 ro single console=hvc0
initrd          /boot/initrd.img-4.19.0-12-686

Configure a basic fstab.

# Begin /etc/fstab
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
/dev/sda1          /             ext3      defaults,errors=remount-ro    0     0
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will be cloned to create new virtual machines, we don't want every VM to reuse the same host keys. Devuan won't regenerate SSH host keys if you delete them from /etc/ssh, so we need to change /etc/init.d/ssh so that it regenerates them.

Here is a patch for /etc/init.d/ssh.

--- old_ssh	2018-12-16 21:33:01.193415639 +0000
+++ ssh	2018-12-23 19:05:39.647919366 +0000
@@ -72,6 +72,57 @@ check_privsep_dir() {
     fi
 }
 
+# Some variables to make things more readable 
+KEYGEN=/usr/bin/ssh-keygen
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
+ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
+
+do_rsa_keygen() {
+        if [ ! -s $RSA_KEY ]; then
+                echo -n "Generating SSH2 RSA host key: "
+                rm -f $RSA_KEY
+                if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $RSA_KEY
+                        chmod 644 $RSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ecdsa_keygen() {
+        if [ ! -s $ECDSA_KEY ]; then
+                echo -n "Generating SSH2 ECDSA host key: "
+                rm -f $ECDSA_KEY
+                if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ECDSA_KEY
+                        chmod 644 $ECDSA_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+ 
+do_ed25519_keygen() {
+        if [ ! -s $ED25519_KEY ]; then
+                echo -n "Generating SSH2 ED25519 host key: "
+                rm -f $ED25519_KEY
+                if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >/dev/null; then
+                        chmod 600 $ED25519_KEY
+                        chmod 644 $ED25519_KEY.pub
+			echo "OK"
+                else
+			echo "FAIL"
+                        exit 1
+                fi
+        fi
+}
+
 check_config() {
     if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
 	/usr/sbin/sshd $SSHD_OPTS -t || exit 1
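Review bot: do_rsa_keygen, do_ecdsa_keygen and do_ed25519_keygen in this hunk are identical apart from the key type and path; a single helper such as `do_host_keygen() { type=$1; key=$2; ... }` called three times would keep the logic in one place. Inside each function, `test ! -f $RSA_KEY` directly after `rm -f $RSA_KEY` can never be false and can be dropped, and the path variables should be quoted (`"$RSA_KEY"`) as a matter of habit. The `[ ! -s $RSA_KEY ]` guard only inspects the private key, so an image where the private key survives but the .pub file is missing will not be repaired. The echo lines are indented with tabs while the surrounding lines use spaces.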
@@ -86,6 +137,11 @@ case "$1" in
 	check_privsep_dir
 	check_for_no_start
 	check_dev_null
+
+	do_rsa_keygen
+	do_ecdsa_keygen
+	do_ed25519_keygen
+
 	log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true
 	if start-stop-daemon --start --quiet --oknodo --pidfile /run/sshd.pid --exec /usr/sbin/sshd -- $SSHD_OPTS; then
 	    log_end_msg 0 || true
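Review bot: the three do_*_keygen calls run before log_daemon_msg, and the functions `exit 1` on failure, so a failed key generation leaves the init system without a matching "Starting ..." / failure message pair; either call log_failure_msg before exiting or move the generation after log_daemon_msg and report the failure through log_end_msg 1. A one-line comment here noting that the Final Cleanup step removes /etc/ssh/ssh_host_*, which is what triggers these functions on the first boot of a clone, would also help the next person reading this script.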

Firewall

apt-get install iptables
apt-get install ufw

ufw allow OpenSSH
ufw enable

Final Cleanup

Set a hostname.

Remove SSH host keys so that new ones get generated on first boot.

Remove the old leases file so that the VM will request a fresh IP address each time.

Set a root password.

echo 'devuan' > /etc/hostname
rm /var/lib/dhcp/dhclient.eth0.leases
rm /etc/ssh/ssh_host_*
passwd root
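Before unmounting the image it is worth verifying that the cleanup actually left it clone-safe. The audit function below is an added example, not part of the wiki page; it assumes the image is still mounted at /mnt/img and that /etc/init.d/ssh carries the regeneration patch (detected by the do_ed25519_keygen function name).

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a mounted Devuan image
# before cloning it, checking the state the Final Cleanup step expects.
# Usage: check_clone_ready /mnt/img

# Record one problem; $1 is the message. $problems is the running count.
problem() {
    echo "NOT READY: $1" >&2
    problems=$((problems + 1))
}

check_clone_ready() {
    root=${1%/}
    problems=0

    # Host keys must be absent so the patched /etc/init.d/ssh regenerates
    # them on first boot; shared host keys let clones impersonate each other.
    for key in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$key" ] && problem "leftover SSH host key: $key"
    done

    # Without the patch a clone boots with no host keys and sshd will not start.
    if ! grep -q 'do_ed25519_keygen' "$root/etc/init.d/ssh" 2>/dev/null; then
        problem "/etc/init.d/ssh lacks the host-key regeneration patch"
    fi

    # A stale lease file makes every clone ask for the same address.
    if [ -e "$root/var/lib/dhcp/dhclient.eth0.leases" ]; then
        problem "stale DHCP lease file present"
    fi

    # The passwd step must have left root with a real hash, not empty or locked.
    hash=$(awk -F: '$1=="root"{print $2}' "$root/etc/shadow" 2>/dev/null)
    case "$hash" in
        ''|'*'|'!'*) problem "root has no usable password in /etc/shadow" ;;
    esac

    [ -s "$root/etc/hostname" ] || problem "/etc/hostname is missing or empty"

    # Return 0 only when nothing was flagged.
    [ "$problems" -eq 0 ]
}
```

Run it against the mount point before `umount /mnt/img`; a non-zero exit with the reasons on stderr means the image should not be cloned yet.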