Configuring Debian Linux on SLUG (NSLU2)

I had to go through this again recently, so here are my notes. Most of this has been compiled from the following sources (in no particular order):

• VPSLINK forums
• FAQ Linux Memory Management – Gentoo Linux Wiki
• README for pkg-nslu2-utils
• Debian/NSLU2 FAQ
• Martin Michlmayr excellent Debian installation manual
• Tips for reducing memory usage by David Härdeman
• My sincere apologies if I forgot to mention anyone.

This page was originally written for Debian Etch. I recently went through the same exercise with Debian Wheezy and updated the doc.

 

Ok, here we go:

1. Install the “manual” image as describe here: http://www.cyrius.com/debian/nslu2/unpack.html

2. Edit /etc/apt/sources.list – non-US distributions have been retired. Comment out lenny or test sources. Update the application database. Upgrade the software to the current versions:

apt-get update
apt-get dist-upgrade

If you want security patches to be installed automatically, follow my write-up here.

3. Adjust /etc/fstab for the filesystems/devices, noatime and commit=120 attributes. Make sure your device descriptions are Ok. In the long run you may want to mount USB devices by UUID or even by label.

Do not make these adjustments in Step 1 – they require a later version of the kernel. In Step 1 stick to the good old /dev/sda1 and friends (and if you use a usb hub, make sure you plug your stick into the first port!)

4. Change root password, create new users. See /etc/passwd

5. Regenerate ssh keys in /etc/ssh/

6. Change the host name in: /etc/hostname

7. Change how often the MARK line is put into syslog: /etc/default/syslogd SYSLOGD=”-m 1440″ – every 24 hours

8. Adjust /etc/syslog.conf adding “-” like here: kern.* -/var/log/kern.log will delay writing, saving your flash drive cycles (keep it instant for authentication errors and such)

9. Adjust swap space priority relative to file cache by changing vm.swappiness= in /etc/sysctl.conf Lower number means less swapping.

10. Remove getty on the non-existant serial line:
#T0:23:respawn:/sbin/getty -L ttyS0 115200 linux
then run telinit q to tell init to re-read the inittab file.

11. While at it, to change the power button on your Slug to perform a shutdown instead of reboot replace in your /etc/inittab
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
with
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -h now

12. If you are not using IPv6, you can prevent the module from being automatically loaded by adding the line

blacklist ipv6

to /etc/modprobe.d/blacklist.conf (if you forget the .conf extention, the file will be ignored). The same goes for any other kernel module which is automatically loaded which you know you won’t need.

13. If you are not using LVM, /etc/init.d/libdevmapper1.02 will still load the device-mapper kernel modules. Since libblkid1 depends on libdevmapper1.02 and mount depends on libblkid1, it is not possible to remove libdevmapper1.02. Instead you can prevent the script from loading the modules by inserting

exit 0

on the second line of /etc/init.d/libdevmapper1.02.
Note: on Debian Squeeze this issue seems not to be present.

14. Unless you have a serial console, it’s a good idea to edit /etc/default/rcS and set FSCKFIX=yes, to prevent fsck problems from hanging your boot waiting for you to press “y” on a nonexistant console. I had this problem on my very first boot…  In Squeeze FSCKFIX is in place by default.

15. You may want to enable bootlogd, by editing /etc/default/bootlogd. Then you can see boot logs in /var/log/boot. Once I arrived to a stable configuration, I switched it off again.

16. Some suggest that you might want to move the ssh server startup closer to the beginning of the init sequence so that you can ssh in earlier. You can do that by
moving /etc/rc2.d/S20ssh to /etc/rcS.d/S41ssh. (Anything after networking is brought up will do.) You can also move /etc/rcS.d/S40networking to S21networking to make the network come up a lot earlier, and run ssh in /etc/rcS.d/S21ssh; this will let root log in while the system is still booting, which can be useful if something goes wrong. Mine worked fine as it was, so I did not bother. I got rid of OpenSSH (see dropbear further down the list). Since my system is on a flash drive, if things go wrong I can just plug it into my PC and examine the logs.

14. Do you really need NFS and NetaTalk (apple networking)? If not, remove them – they take up RAM. apt-get remove and so on.

15. If you want openslug’s behavior of coming up on address 192.168.1.77 if there is no dhcp server, edit /etc/dhcp3/dhclient.conf and add a default lease, such as this:

# Prdefined default lease for networks w/o dhcp.
lease {
interface “eth0”;
fixed-address 192.168.1.77;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
}

I did something different again: I wanted a static IP address, but I also wanted to get the DNS servers from DHCP, so I used alias in /etc/dhcp3/dhclient.conf like so:

alias {
interface “eth0”;
fixed-address 192.168.1.77;
option subnet-mask 255.255.255.0;
}

I ended up with two IPs on the sme interface (one assigned by DHCP) but that’s Ok.

Even if you do not plan to expose your system to the Internet, it is still a good idea to give it a Fully Qualified Domain Name (for starters, a number of scripts assume its existance and may quietly die on you if it is not known). Just go into your resolv.conf and add one line: domain yourdomain.com

16. Remove unnecessary software – you decide what you need.

17. Install and configure xinetd. Use it to make your slug more secure.

18. You are likely to run out of entropy (especially when starting both OpenSSH and dropbear). Use /dev/urandom instead of /dev/random. (As of release 50.02 (in Lenny) dropbear is compiled to use it by default. ) Meanwhile:

mv /dev/random /dev/chaos
ln -s /dev/urandom /dev/random

See here if you are using udev.

19. Install dropbear and configure it to to be started via xinetd. Once you have tested this on some obscure port, you can disable dropbear as a service and remove OpenSSH

To disable OpenSSH instead of completely removing it you can also use update-rc.d script as follows (update-rc.d removes any links in the /etc/rcX.d directories to the script /etc/init.d/service):

# update-rc.d -f {SERVICE-NAME} remove

20. You have both exim4 and courier – do you really need two MTAs? Exim is a pre-requisite for multiple packages (including AIDE), so do your homework. Granted, apt will give you all the warnings  you need and will even reinstall it if need be. In squeeze I did not have courier, so this item might be moot.

21. I always install Midnight Commander (mc) – it’s a nice console shell. The UI will remind you of Krusader (for a reason).

Other useful utilities to install:

• psmisc – contains killall, pstree, and fuser

22. If you want to play with RAID – install mdadm. Remember to configure it to notify you about problems – a RAID with failed drive(s) is not a RAID anymore.

23. Sort out your time and clocks. Start by changing your timezone with tzconfig

Many install ntpd – to implement Network Time Protocol. If you do not want to run the daemon, you can run it from cron with -q option. There are people who would want to stone you for that, but “if it is so bad, then why is it so delicious?”

The best resource for getting NTP going is the Debian Administrator’s Manual (why am I not surprised?)

The good news is there are no known problems with the tick drift. AND Debian synchronises the system clock with the hardware clock at the shutdown automatically. So, unless you keep pulling the plug on your slug, clock synchronization… just happens.

If you still want to set your hardware clock manually the first time around, do this:

hwclock –utc; hwclock –systohc; hwclock –show

24. Run
update-initramfs -u
(flash-kernel seems to happen magically in Wheezy)

25. Consider adjusting your tmpfs.  For a good intro take a look here. By default you have tmpfs mounted at /dev/shm, with its size equal to half your RAM ( 15MB). Without it your system will not be Posix-compliant and some packages will not work. On the other hand, an aggressive application may eat up 15MB of your paging space, and I bet you did not count on that, did you?

So go to your /etc/default/tmpfs file and add something like

SHM_SIZE=8m

or adjust your swap partition to allow for /dev/shm

I actually did both: allowed for the extra swap space and increased SHM_SIZE a bit (just in case).

26. Read and follow “Securing Debian” HOWTO.

Many people swear by AIDE ( a decent intro is here). AIDE depends on your ability to keep an un-compromised database of file checksums and such. eBay is full of USB flash drives with a physical “lock” switch – seems like they have been born for this task!

From now on you are on your own. You do not have PHP or Apache yet, but Perl and Python are already there for you to enjoy.