Difference between revisions of "PowerEdge 1950 Debian install"
Line 64: | Line 64: | ||
} |
} |
||
− | = Disk encryption setup = |
+ | = Disk encryption, more software RAID, and LVM setup = |
+ | End goal: |
||
+ | * Two physical drives (sda and sdb) |
||
+ | * Boot from unencrypted, software RAID1 (mirrored) /boot partitions |
||
+ | * initramfs does "cyptsetup luksOpen" on large partition 4 of each physical drive |
||
+ | * mdadm is then run and assembles a software RAID 1 from the encrypted partitions |
||
+ | * the assembled RAID 1 device contains a LUKS partition. This LUKS device contains an LVM physical volume. |
||
+ | * Logical volumes are LUKS devices containing filesystems |
||
+ | * three layers of crypto here: |
||
+ | ** LVM lvols are LUKS devices |
||
+ | ** LVM physical volume(s) is (are) LUKS devices |
||
+ | ** MD software RAID members are LUKS devices |
||
+ | |||
+ | Open questions: |
||
+ | * Hot to get passphrases to "cryptsetup luksOpen" ? |
||
+ | * What's a reasonable set of stacked ciphers? |
||
+ | |||
Squeeze's crypsetup and associated packages are woefully out of date. |
Squeeze's crypsetup and associated packages are woefully out of date. |
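Review bot: the added "End goal" list stacks three LUKS layers (RAID members, the LVM physical volume, each logical volume), yet the first item under "Open questions" leaves unresolved how passphrases reach "cryptsetup luksOpen". The section should state how many separate unlocks a boot requires before this layout is adopted. Two typos in the added lines also need fixing: "cyptsetup" in the initramfs item should be "cryptsetup", and "Hot to get" in the first open question should be "How to get".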
Revision as of 19:40, 23 January 2012
BIOS Settings
- Turn on virtualization, IOMMU
- Lots of options regarding console redirection over serial. Need to investigate.
IPMI
Watch for IPMI setup message during boot. Press Ctrl-E when prompted. Settings as follows:
- Static IP: 172.16.0.241
- Netmask: 255.255.255.0
- Gateway: 0.0.0.0
Reset user credentials.
TODO: Investigate crypto key stuff, alerts, other settings.
Updating firmware
Should be doable using the PXE boot firmware update procedure found elsewhere in this wiki. (Replace with a real link.)
Debian Install image locations
http://cdimage.debian.org/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-netinst.iso
non-Free firmware for Ethernet cards
PowerEdge 1950 machines have 2 on-board Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet adapters. Firmware for adapters is non-free and must be loaded to perform the Debian installation.
An ISO image is available at http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/6.0.3/amd64/iso-cd/ which should include the bits necessary to use these adapters during the OS installation. This is the Netinst ISO, but it includes the non-free firmware. Using it saves having to get the non-free firmware installed from USB keys, floppies, or other media.
http://wiki.debian.org/Firmware has a discussion of issues surrounding the non-free firmware needed by these systems and its use in Debian.
Install process
Proceed as normal with keyboard, setting up network, hostname, etc.
Partition disks by using parted in a shell. Here's what sda looks like now:
~ # parted /dev/sdb
GNU Parted 2.3
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
unit s
(parted) print
print
Model: ATA WDC WD6400AAKS-0 (scsi)
Disk /dev/sda: 1250263728s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start     End       Size      File system  Name                     Flags
 1      2048s     526335s   524288s                gulik_sda_efi_boot       bios_grub
 2      526336s   2623487s  2097152s               gulid_sda_softraid_boot  raid
 3      2623488s  4720639s  2097152s               gulik_sda_softraid_root  raid

(parted)
After this, we create and start up two software raid devices (the "missing" bit lets us create a software raid device before having all the actual pieces):
~ # mdadm --create gulik_softraid_boot --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_boot /dev/sda2 missing
~ # mdadm --create gulik_softraid_root --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_root /dev/sda3 missing
Post-install tweaks
Minimal software installation is good! Put the following into /etc/apt/apt.conf:
APT { Install-Recommends "0"; }
Disk encryption, more software RAID, and LVM setup
End goal:
- Two physical drives (sda and sdb)
- Boot from unencrypted, software RAID1 (mirrored) /boot partitions
- initramfs does "cryptsetup luksOpen" on large partition 4 of each physical drive
- mdadm is then run and assembles a software RAID 1 from the encrypted partitions
- the assembled RAID 1 device contains a LUKS partition. This LUKS device contains an LVM physical volume.
- Logical volumes are LUKS devices containing filesystems
- three layers of crypto here:
  - LVM lvols are LUKS devices
  - LVM physical volume(s) is (are) LUKS devices
  - MD software RAID members are LUKS devices
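The unlock order implied by the end goal above, as an added example that is not part of the original wiki page. The mapper names, the array name /dev/md/crypt_raid, and the volume group and logical volume names passed as arguments are assumptions; with DRY_RUN=1 (the default) the commands are only printed.

```shell
#!/bin/sh
# Added example: unlock sequence for the three-layer layout described above.
# Assumed names (not from the page): <disk>4_crypt mapper names, the array
# /dev/md/crypt_raid, the mapper name pv_crypt, and the VG/LV names that
# the caller passes in.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands only, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

unlock_stack() {
    vg=$1; shift            # remaining arguments: logical volume names
    members=""
    # Layer 1: partition 4 of each physical drive is a LUKS device.
    for disk in sda sdb; do
        run cryptsetup luksOpen "/dev/${disk}4" "${disk}4_crypt" || return 1
        members="$members /dev/mapper/${disk}4_crypt"
    done
    # The RAID 1 is assembled from the two opened (decrypted) members.
    # $members is left unquoted on purpose so it splits into two arguments.
    run mdadm --assemble /dev/md/crypt_raid $members || return 1
    # Layer 2: the array holds a LUKS device containing the LVM physical volume.
    run cryptsetup luksOpen /dev/md/crypt_raid pv_crypt || return 1
    run vgchange -ay "$vg" || return 1
    # Layer 3: every logical volume is itself a LUKS device.
    for lv in "$@"; do
        run cryptsetup luksOpen "/dev/$vg/$lv" "${lv}_crypt" || return 1
    done
}

# Each luksOpen asks for a passphrase unless a key file is supplied, so this
# count is the number of prompts one boot would need with this layout.
count_prompts() {
    ( DRY_RUN=1; unlock_stack "$@" ) | grep -c 'cryptsetup luksOpen'
}
```

Calling `count_prompts vg0 root home` reports the number of passphrase prompts for a volume group with two logical volumes, which is the cost behind the first open question below.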
Open questions:
- How to get passphrases to "cryptsetup luksOpen"?
- What's a reasonable set of stacked ciphers?
Squeeze's cryptsetup and associated packages are woefully out of date.