Difference between revisions of "PowerEdge 1950 Debian install"
Revision as of 23:40, 25 January 2012
BIOS Settings
- Turn on virtualization, IOMMU
- Lots of options regarding console redirection over serial. Need to investigate.
IPMI
Watch for IPMI setup message during boot. Press Ctrl-E when prompted. Settings as follows:
Static IP: 172.16.0.241 Netmask: 255.255.255.0 Gateway: 0.0.0.0
Reset user credentials.
TODO: Investigate crypto key stuff, alerts, other settings.
Updating firmware
Should be doable using the PXE boot firmware update procedure found elsewhere in this wiki. (Replace with a real link.)
Debian Install image locations
http://cdimage.debian.org/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-netinst.iso
non-Free firmware for Ethernet cards
PowerEdge 1950 machines have 2 on-board Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet adapters. Firmware for these adapters is non-free and must be loaded to perform the Debian installation.
An ISO image is available at http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/6.0.3/amd64/iso-cd/ which should include the bits necessary to use these adapters during the OS installation. This is the netinst ISO with the non-free firmware included, which saves having to supply the firmware from a USB key, floppy, or other media during the install.
http://wiki.debian.org/Firmware has a discussion of issues surrounding the non-free firmware needed by these systems and its use in Debian.
Install process
Proceed as normal with keyboard, setting up network, hostname, etc.
Partition the disks using parted from a shell. Here is what sda looks like now:
~ # parted /dev/sdb
GNU Parted 2.3
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s
unit s
(parted) print
print
Model: ATA WDC WD6400AAKS-0 (scsi)
Disk /dev/sda: 1250263728s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start     End       Size      File system  Name                     Flags
 1      2048s     526335s   524288s                gulik_sda_efi_boot       bios_grub
 2      526336s   2623487s  2097152s               gulid_sda_softraid_boot  raid
 3      2623488s  4720639s  2097152s               gulik_sda_softraid_root  raid
(parted)
After this, we create and start up two software raid devices (the "missing" bit lets us create a software raid device before having all the actual pieces):
~ # mdadm --create gulik_softraid_boot --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_boot /dev/sda2 missing
~ # mdadm --create gulik_softraid_root --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_root /dev/sda3 missing
Post-install tweaks
Prevent apt-get from automatically installing Recommended packages
Minimal software installation is good! Put the following into /etc/apt/apt.conf:
APT { Install-Recommends "0"; }
USB drivers for the initramfs
Add the following to /etc/initramfs-tools/modules:
hid
ehci_hcd
uhci_hcd
Run update-initramfs when done to add these modules to the pre-init runtime environment.
Disk encryption, more software RAID, and LVM setup
End goal
- Two physical drives (sda and sdb)
- Boot from unencrypted, software RAID1 (mirrored) /boot partitions
- initramfs does "cryptsetup luksOpen" on large partition 4 of each physical drive
- mdadm is then run and assembles a software RAID 1 from the encrypted partitions
- the assembled RAID 1 device contains a LUKS partition. This LUKS device contains an LVM physical volume.
- Logical volumes are LUKS devices containing filesystems
- three layers of crypto here:
- LVM lvols are LUKS devices
- LVM physical volume(s) is (are) LUKS devices
- MD software RAID members are LUKS devices
Open questions
- How to get passphrases to "cryptsetup luksOpen"?
- What's a reasonable set of stacked ciphers?
Procedure
- Squeeze's cryptsetup and associated packages are woefully out of date. I have pulled in cryptsetup and its dependencies from unstable and will hope the lack of security updates does not bite me in the ass.
- Create partition number 4 on each of the disks. These will be LUKS devices that will be assembled into a software RAID1.
- Splat random bits onto these devices like so:
sudo dd if=/dev/urandom of=/dev/sda4 bs=1M
sudo dd if=/dev/urandom of=/dev/sdb4 bs=1M
- Generate keys for these devices:
# 64 bytes of random data, printed in hex is 128 characters and 512 bits, which should be a decent sized passphrase.
# openssl might take a long, long, long time to get its RNG seeds from /dev/random, so be patient
# what's with the "printf %s $(...)" funny business? It prevents a trailing newline being fed to gpg's stdin
printf %s $(openssl rand -hex -rand /dev/random 64) | gpg --symmetric -a -v --s2k-mode 3 --s2k-count 65011712 -o gulik_sda4_passphrase.gpg
printf %s $(openssl rand -hex -rand /dev/random 64) | gpg --symmetric -a -v --s2k-mode 3 --s2k-count 65011712 -o gulik_sdb4_passphrase.gpg
- perhaps multiple keys should go into a single GPG encrypted file, one per line, with a key of the block device
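An added example, not from this wiki page, showing why the trailing newline matters: it builds a 64-byte hex passphrase the same way and checks that exactly 128 hex characters and nothing else would reach gpg's (and later cryptsetup's) stdin. It assumes only POSIX sh with od, tr, wc and grep, and reads /dev/urandom directly in place of the page's openssl invocation so that it runs anywhere.

```shell
#!/bin/sh
# Added example, not the wiki page's own commands.
# Assumption: od on /dev/urandom stands in for
# "openssl rand -hex -rand /dev/random 64".

# 64 random bytes -> 128 lowercase hex characters, with no newline at the end.
gen_passphrase() {
    od -An -tx1 -N64 /dev/urandom | tr -d ' \n'
}

# Return 0 only if the file holds exactly 128 hex characters and nothing else.
# A trailing newline would otherwise be encrypted by gpg as part of the
# passphrase and later handed to cryptsetup as part of the key material.
check_passphrase_file() {
    f=$1
    bytes=$(wc -c < "$f" | tr -d ' ')
    [ "$bytes" -eq 128 ] || return 1
    # The single newline-less "line" must be 128 hex chars from start to end.
    [ "$(grep -Ec '^[0-9a-f]{128}$' "$f")" -eq 1 ]
}

# Write the passphrase the way the page does: printf %s adds no newline.
write_good() { printf %s "$(gen_passphrase)" > "$1"; }

# Write it the way echo would: this is the failure mode the page avoids.
write_bad() { echo "$(gen_passphrase)" > "$1"; }
```

In the real procedure the output of write_good is what would be piped into gpg --symmetric instead of being written to a plain file.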