Difference between revisions of "PowerEdge 1950 Debian install"

From FnordWiki
Revision as of 00:03, 4 February 2012

BIOS Settings

  • Turn on virtualization, IOMMU
  • Lots of options regarding console redirection over serial. Need to investigate.

IPMI

Watch for IPMI setup message during boot. Press Ctrl-E when prompted. Settings as follows:

Static IP: 172.16.0.241
Netmask:   255.255.255.0
Gateway:   0.0.0.0

Reset user credentials.

TODO: Investigate crypto key stuff, alerts, other settings.

What is this good for? Well,

ipmitool -H 172.16.0.1 -U Admin power on

will turn on the server from somewhere on the network. A network-attached serial console should be possible, too.
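As an added example (not part of the wiki page), a small sh wrapper for the remote power and console commands. It assumes the static address given to the BMC in the IPMI step (172.16.0.241, overridable through BMC_HOST), a user named Admin, and ipmitool's real `-I lanplus`, `-E`, `chassis power` and `sol activate` options; the variable and function names are mine.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a thin wrapper for the remote
# power and console commands. BMC_HOST defaults to the static address
# configured for the BMC above; BMC_USER defaults to Admin. Both names are mine.
BMC_HOST=${BMC_HOST:-172.16.0.241}
BMC_USER=${BMC_USER:-Admin}

# ipmi_args ACTION
# Print the ipmitool arguments for one permitted ACTION; return 1 otherwise.
# -I lanplus  : IPMI 2.0 (RMCP+) session rather than the plain "lan" interface
# -E          : take the password from $IPMI_PASSWORD, not from the command line
ipmi_args() {
    case $1 in
        status|on|off|soft|cycle)
            echo "-I lanplus -H $BMC_HOST -U $BMC_USER -E chassis power $1" ;;
        console)
            echo "-I lanplus -H $BMC_HOST -U $BMC_USER -E sol activate" ;;
        *)
            echo "usage: bmc {status|on|off|soft|cycle|console}" >&2
            return 1 ;;
    esac
}

# bmc ACTION
# Refuse to run without a password in the environment, then call ipmitool.
bmc() {
    [ -n "$IPMI_PASSWORD" ] || {
        echo "set IPMI_PASSWORD first (do not pass -P on the command line)" >&2
        return 1
    }
    args=$(ipmi_args "$1") || return 1
    # word splitting of $args is intended here
    ipmitool $args
}

# usage: IPMI_PASSWORD=... bmc on
```

`-E` makes ipmitool read the password from IPMI_PASSWORD instead of a `-P` argument, so it does not show up in `ps` output or shell history, and `-I lanplus` selects the IPMI 2.0 RMCP+ session rather than the older `lan` interface ipmitool falls back to when `-H` is given without `-I`. `bmc console` is the network-attached serial console mentioned above (serial-over-LAN); it only shows anything once console redirection is enabled in the BIOS settings.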

Updating firmware

Should be doable using the PXE boot firmware update procedure found elsewhere in this wiki. (Replace with a real link.)

Debian Install image locations

http://cdimage.debian.org/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-netinst.iso

Non-free firmware for Ethernet cards

PowerEdge 1950 machines have two on-board Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet adapters. The firmware for these adapters is non-free and must be loaded to perform the Debian installation.

An ISO image is available at http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/6.0.3/amd64/iso-cd/ which should include the bits necessary to use these adapters during the OS installation. It is the netinst ISO with the non-free firmware added, which saves having to supply the firmware on USB keys, floppies, or other media.

http://wiki.debian.org/Firmware has a discussion of issues surrounding the non-free firmware needed by these systems and its use in Debian.

Install process

Proceed as normal with keyboard, setting up network, hostname, etc.

Partition disks by using parted in a shell. Here's what sda looks like now:

~ # parted /dev/sdb
GNU Parted 2.3
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit s                                                           
unit s
(parted) print                                                            
print
Model: ATA WDC WD6400AAKS-0 (scsi)
Disk /dev/sda: 1250263728s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start     End       Size      File system  Name                     Flags
 1      2048s     526335s   524288s                gulik_sda_efi_boot       bios_grub
 2      526336s   2623487s  2097152s               gulid_sda_softraid_boot  raid
 3      2623488s  4720639s  2097152s               gulik_sda_softraid_root  raid

(parted)

After this, we create and start up two software raid devices (the "missing" bit lets us create a software raid device before having all the actual pieces):

~ # mdadm --create gulik_softraid_boot --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_boot /dev/sda2 missing
~ # mdadm --create gulik_softraid_root --chunk 128 --level 1 --raid-devices=2 --run --name=gulik_softraid_root /dev/sda3 missing
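As an added check (my code, not the wiki's), the function below reads `parted /dev/sdX unit s print` output like the listing above and reports partitions that are not 1 MiB aligned, run past the end of the disk, or overlap their predecessor. SAMPLE_LAYOUT is a copy of the sda listing above so the check can run without a disk; the function name is mine.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity-check a GPT layout from
# "parted /dev/sdX unit s print" output. SAMPLE_LAYOUT is a copy of the
# listing for sda above, embedded so the check can run without a real disk.
SAMPLE_LAYOUT='Model: ATA WDC WD6400AAKS-0 (scsi)
Disk /dev/sda: 1250263728s
Sector size (logical/physical): 512B/512B
Partition Table: gpt

Number  Start     End       Size      File system  Name                     Flags
 1      2048s     526335s   524288s                gulik_sda_efi_boot       bios_grub
 2      526336s   2623487s  2097152s               gulid_sda_softraid_boot  raid
 3      2623488s  4720639s  2097152s               gulik_sda_softraid_root  raid'

# check_layout
# Read parted output on stdin. For each partition row, verify that the start
# sector is a multiple of 2048 (1 MiB with 512-byte sectors, so the mdadm
# chunks and LUKS headers layered on top stay aligned), that the end sector
# lies inside the disk, and that the row does not overlap the previous one.
# One line per problem on stdout; exit status 1 if anything was found.
check_layout() {
    awk '
        /^Disk \/dev\// { d = $3; sub(/s$/, "", d); disk = d + 0 }
        /^ *[0-9]+ +[0-9]+s +[0-9]+s/ {
            n = $1; s = $2; e = $3
            sub(/s$/, "", s); sub(/s$/, "", e); s += 0; e += 0
            if (s % 2048 != 0)     { print "partition " n ": start " s " is not 1 MiB aligned"; bad = 1 }
            if (disk && e >= disk) { print "partition " n ": end " e " is past the last sector " (disk - 1); bad = 1 }
            if (s <= prev_end)     { print "partition " n ": overlaps partition " prev_n; bad = 1 }
            prev_end = e; prev_n = n
        }
        END { exit bad }'
}

# Run against the embedded sample; on a real machine this would be
#   parted /dev/sda unit s print | check_layout
printf '%s\n' "$SAMPLE_LAYOUT" | check_layout && echo "sda layout: OK"
```

Running the same check on sdb after it has been partitioned to match is a cheap way to confirm the two halves of each mirror really are the same size before `mdadm --add` is used to complete the degraded arrays.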

Post-install tweaks

Prevent apt-get from automatically installing Recommended packages

Minimal software installation is good! Put the following into /etc/apt/apt.conf:

APT {
        Install-Recommends "0";
}

USB drivers for the initramfs

Add the following to /etc/initramfs-tools/modules:

hid
ehci_hcd
uhci_hcd

Run update-initramfs when done to add these modules to the pre-init runtime environment.

Add backports.org packages

Add the following to /etc/apt/sources.list:

deb http://backports.debian.org/debian-backports squeeze-backports main contrib non-free

Install a recent kernel from backports.org

Not yet ready to build a custom kernel here, so install something current from backports.org instead.

# linux-image-3.2.0-0.bpo.1-amd64 is the most recent kernel package available at backports.org
apt-get install linux-image-3.2.0-0.bpo.1-amd64

Disk encryption, more software RAID, and LVM setup

End goal

  • Two physical drives (sda and sdb)
  • Boot from unencrypted, software RAID1 (mirrored) /boot partitions
  • initramfs does "cryptsetup luksOpen" on large partition 4 of each physical drive
  • mdadm is then run and assembles a software RAID 1 from the encrypted partitions
  • the assembled RAID 1 device contains a LUKS partition. This LUKS device contains an LVM physical volume.
  • Logical volumes are LUKS devices containing filesystems
  • three layers of crypto here:
    • LVM lvols are LUKS devices
    • LVM physical volume(s) is (are) LUKS devices
    • MD software RAID members are LUKS devices

Open questions

  • How to get passphrases to "cryptsetup luksOpen"?
  • What's a reasonable set of stacked ciphers?

Procedure

  • Squeeze's cryptsetup and associated packages are woefully out of date. I have pulled in cryptsetup and its dependencies from unstable and will hope the lack of security updates does not bite me in the ass.
  • Create partition number 4 on each of the disks. These will be LUKS devices that will be assembled into a software RAID1.
  • Splat random bits onto these devices like so:
sudo dd if=/dev/urandom of=/dev/sda4 bs=1M
sudo dd if=/dev/urandom of=/dev/sdb4 bs=1M
  • Generate keys for these devices:
# 64 bytes of random data, printed in hex, is 128 characters (512 bits), which should be a decent-sized passphrase.
# openssl might take a long, long, long time to get its RNG seeds from /dev/random, so be patient
# what's with the "printf %s $(...)" funny business?  It prevents a trailing newline being fed to gpg's stdin
printf %s $(openssl rand -hex -rand /dev/random 64) | gpg --symmetric -a -v --s2k-mode 3 --s2k-count 65011712 -o gulik_sda4_passphrase.gpg
printf %s $(openssl rand -hex -rand /dev/random 64) | gpg --symmetric -a -v --s2k-mode 3 --s2k-count 65011712 -o gulik_sdb4_passphrase.gpg
  • perhaps multiple keys should go into a single GPG encrypted file, one per line, with a key of the block device
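The last bullet above, and the open question of how passphrases reach "cryptsetup luksOpen", can be handled with one GPG-encrypted file holding one `<block device> <passphrase>` line per device. The two sh functions below are an added example (my code, not the wiki's): they assume that file format, passphrases of 128 lower-case hex characters as the openssl command above produces, a made-up path /root/gulik_luks_keys.gpg, and real `gpg --decrypt` and `cryptsetup luksOpen --key-file -` options; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Key file format assumed here:
# one "<block device> <passphrase>" pair per line inside a gpg --symmetric
# file, the passphrase being the 128 hex characters the openssl command above
# produces. KEYFILE path and both function names are mine.
KEYFILE=${KEYFILE:-/root/gulik_luks_keys.gpg}   # hypothetical location

# lookup_passphrase DEVICE
# Read decrypted key lines on stdin and print the passphrase for DEVICE with
# no trailing newline (cryptsetup --key-file reads a key file verbatim, so a
# newline would become part of the key). Return 1 if DEVICE has no line or
# the value is not 128 lower-case hex characters.
lookup_passphrase() {
    pass=$(awk -v dev="$1" '$1 == dev { print $2; found = 1; exit } END { exit !found }') || return 1
    case $pass in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ ${#pass} -eq 128 ] || return 1
    printf %s "$pass"
}

# unlock_device DEVICE NAME
# Decrypt the key file (gpg prompts for its passphrase), pick the entry for
# DEVICE, and hand it to cryptsetup on stdin. The passphrase travels through a
# shell variable and a pipe, never through argv where ps could read it.
unlock_device() {
    dev=$1; name=$2
    pass=$(gpg --quiet --decrypt "$KEYFILE" | lookup_passphrase "$dev") || {
        echo "no usable passphrase for $dev in $KEYFILE" >&2
        return 1
    }
    printf %s "$pass" | cryptsetup luksOpen --key-file - "$dev" "$name"
}

# usage: unlock_device /dev/sda4 gulik_sda4_crypt
```

Checking the length and character set catches a key file that was written with a stray newline or a wrong line, which would otherwise leave you with a LUKS device that silently refuses its own passphrase. For the initramfs stage, Debian's cryptsetup package accepts a `keyscript=` option in /etc/crypttab, and already ships a decrypt_gnupg keyscript for the one-file-per-device layout the wiki uses now; gpg then has to be copied into the initramfs as well.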