Debian jessie (and so this page) is now obsolete; try debian stretch. Hoping to find a decent alternative to reiserfs (which has been frozen for years now, since Hans Reiser is in prison), I tried btrfs in these instructions; later I was disappointed by btrfs, and now I am back to the good old reiserfs.

There were issues with video card recognition on two computers with different low-end video cards. (Asus EEE Seashells are OK, however.) On one of them the system entered a low-resolution video mode; that was fixed after I created a configuration file:
Xorg -configure ; mv -i /etc/X11/xorg.conf
On the other computer the startx command resulted in a freeze with a blank screen; in this case I did not find a solution (though I did not try much). Note that on both of these computers Debian Wheezy worked flawlessly.

Installing Debian jessie on 32 bit systems using debootstrap

64-bit systems are treated in a similar way; however, note that you cannot debootstrap a 64-bit system under a 32-bit one; for that an emulator (very slow!) can be used.

With Linux I prefer the budding way of reproduction. Namely, when I want to install Debian on a new computer, I first create a Debian system on a flash drive (under Debian or Ubuntu), boot from this flash drive on the new computer, and create a Debian system on the hard drive in the same way. The system installed according to this method will take approximately 2Gb; I would use at least a 3Gb usb stick (or an SDHC card).

Formatting and debootstrapping

I insert a usb stick or an SDHC card into a computer with a working Linux (Debian or Ubuntu) system. I assume that the corresponding device is /dev/sdb and my non-root user name is shalaev; I am going to install Debian on the first partition (/dev/sdb1 in my case):
export diskDev=sdb

Sometimes the partition table on the usb stick is broken (e.g., after you copied a Debian netinst image to the stick); in this case we have to clean the beginning of the stick and recreate the partition table:
export LANG=C
dd if=/dev/zero of=/dev/${diskDev} bs=1024 count=100
/sbin/install-mbr --force /dev/${diskDev}
export userName=shalaev

Now we should create at least one partition:
fdisk -H 224 -S 56 /dev/${diskDev}

mkfs.btrfs -f /dev/${diskDev}1
mount -o ssd /dev/${diskDev}1 /mnt/aaa
mkdir -p /mnt/aaa/mnt/{aaa,usb,tmp}
time debootstrap --arch i386 jessie /mnt/aaa

On large hard disks you may have to use gparted instead of fdisk; I also use lvm together with resize_reiserfs, which allows me easy partition resizing.

cp /etc/network/interfaces /mnt/aaa/etc/network/interfaces
cp /etc/hosts /mnt/aaa/etc/hosts
echo "deb jessie main contrib non-free" > /mnt/aaa/etc/apt/sources.list
echo "deb jessie/updates main contrib" >> /mnt/aaa/etc/apt/sources.list
for i in sys proc dev ; do mount --bind /$i /mnt/aaa/$i ; done
chroot /mnt/aaa /bin/bash
apt-get update
time tasksel --new-install install laptop

Installing software

time apt-get --no-install-recommends -y install aptitude dbus-x11 file localepurge grub2 \
os-prober gparted bzip2 iotop icewm-experimental apt-file debootstrap lvm2 openssh-client x11-utils \
psmisc passwd nano xserver-xorg xfonts-base rxvt-unicode busybox-static rfkill wireless-tools pciutils acpi \
acpid firmware-linux iceweasel iceweasel-l10n-ru icedtea-7-plugin ifplugd dosfstools shorewall \
openssh-server apparmor apparmor-docs apparmor-notify apparmor-utils mingetty gnome-backgrounds mutt fetchmail procmail \
exim4 heirloom-mailx xorg x11-xserver-utils emacs auctex mpg321 vorbis-tools vorbisgain sox sleepd \
alsa-tools alsa-base alsa-utils configure-debian aspell-en aspell-ru btrfs-tools linux-image-686-pae

– note that for certain laptops you have to add some extra firmware packages to this list, e.g., firmware-realtek or firmware-brcm80211. The package linux-image-686-pae should be installed for the 32-bit system, otherwise install linux-image-amd64. By the way, this was the reason why I had problems with the standard Debian iso image on a netbook from the Asus EEE Seashell family: the wireless card requires firmware-brcm80211, which was absent from the iso image.

During the installation of grub, we have to select the device to install the boot loader; we choose /dev/${diskDev} which is /dev/sdb in my case. There will also be questions regarding locales relevant for people who speak languages other than English.

Basic security: apparmor, chroot jail, and shorewall

It is a good idea to protect your new Linux system before it boots for the very first time. Perhaps the most obvious way to massively infect computers is to convince their users to open either a malicious web page or an infected document. So the most dangerous applications are (i) web browsers and (ii) pdf viewers (and OpenOffice in case you work with .doc files). This is why you may want to protect your newly born Linux system using apparmor and some of my apparmor profiles:
wget -O /etc/apparmor.d/usr.lib.iceweasel.iceweasel
wget -O /etc/apparmor.d/usr.lib.iceweasel.plugin-container

In particular, my profiles do not allow iceweasel (firefox) to read user files outside of the ~/Downloads directory. Once you activate apparmor, you will see in the system log some strange requests (for example, unjustified attempts to read /etc/passwd) which have been denied.
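To review those denials in bulk rather than line by line, the following added example (not part of the original page or of the author's profiles) groups AppArmor DENIED records by profile, access mask and path. The sample log lines are constructed; on a real system feed the function the file that holds kernel messages.

```shell
#!/bin/sh
# Added example, not from the original page.
# Constructed sample lines in the kernel's AppArmor audit format; the host
# name, pids, timestamps and paths are made up.
sample_log() {
cat <<'EOF'
May  3 10:15:01 usblive kernel: audit: type=1400 audit(1430640901.101:31): apparmor="DENIED" operation="open" profile="/usr/lib/iceweasel/iceweasel" name="/etc/passwd" pid=2101 comm="iceweasel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  3 10:15:02 usblive kernel: audit: type=1400 audit(1430640902.412:32): apparmor="DENIED" operation="open" profile="/usr/lib/iceweasel/iceweasel" name="/home/shalaev/diary" pid=2101 comm="iceweasel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
May  3 10:15:09 usblive kernel: audit: type=1400 audit(1430640909.007:33): apparmor="ALLOWED" operation="open" profile="/usr/bin/mutt" name="/etc/mailcap" pid=2250 comm="mutt" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  3 10:16:40 usblive kernel: audit: type=1400 audit(1430641000.550:34): apparmor="DENIED" operation="open" profile="/usr/lib/iceweasel/iceweasel" name="/etc/passwd" pid=2101 comm="iceweasel" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
May  3 10:17:00 usblive sshd[901]: Server listening on 0.0.0.0 port 22.
EOF
}

# summarise_denials: stdin = log text, stdout = "count<TAB>profile<TAB>mask<TAB>path",
# most frequent first. Complain-mode (ALLOWED) and unrelated lines are skipped.
summarise_denials() {
    awk '
    # Value of key="..." on the current line; "-" if absent or not logged in quotes.
    function field(key,    s) {
        if (!match($0, " " key "=\"[^\"]*\"")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    /apparmor="DENIED"/ {
        n[field("profile") "\t" field("denied_mask") "\t" field("name")]++
    }
    END { for (k in n) print n[k] "\t" k }
    ' | LC_ALL=C sort -rn
}

sample_log | summarise_denials
```

A path that appears many times under the browser profile is either a gap in the profile (something the browser legitimately needs) or behaviour worth investigating.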

For certain software I use chroot jail rather than apparmor. As an example, see how I jail skype (which is a 32-bit closed-source application) together with pulseaudio.

Also we need a firewall. (Do not rely on your system administrators' firewall which separates your company from the rest of the world; you have to protect yourself anyway from an infected Windows system working in the office next door.) I use shorewall, and you can copy my configuration as follows:
for i in interfaces masq policy rules zones; do wget -O /etc/shorewall/$i$i; done
sed -i -e 's/^startup=0/startup=1/' /etc/default/shorewall

Take a look at the configuration files in /etc/shorewall/ before activating the firewall. Note that shorewall can also be easily configured for sharing an internet connection (for example, when you connect your laptop to a wired network and want to provide your own wifi hotspot to share the connection, say for a smartphone); in this case, apart from editing /etc/shorewall/masq, you will also have to allow NAT in /etc/shorewall/shorewall.conf:
sed -i "s/^IP_FORWARDING=Keep/IP_FORWARDING=Yes/" /etc/shorewall/shorewall.conf

Finally, it is important to protect my ssh server from bad people who might know or guess my not-too-sophisticated user password:
sed -i "s/^.*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
chmod o-r /etc/ssh/sshd_config

– after that no one can log in to my server using passwords; only cryptographic keys are allowed.
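The sed above only rewrites lines that contain "PasswordAuthentication yes", so it is worth reading the result back. This added example (not from the original page) reports the value sshd will take from a config file. It goes one step beyond the page by also requiring ChallengeResponseAuthentication to be "no", since that is the other setting through which sshd can ask for a password (via PAM). The function names and sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

# effective_sshd_option FILE KEYWORD
# Prints the value from the global part of FILE, or "unset". sshd keywords are
# case-insensitive, the first occurrence wins, and everything after the first
# "Match" line is conditional, so it is not counted here.
effective_sshd_option() {
    awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        match(line, /^[^ \t=]+/)               # keyword ends at blank or "="
        key = tolower(substr(line, 1, RLENGTH))
        rest = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", rest)       # "Key value" or "Key=value"
        split(rest, f, " ")
    }
    key == "match" { exit }
    key == want    { print tolower(f[1]); found = 1; exit }
    END { if (!found) print "unset" }
    ' "$1"
}

# password_login_disabled FILE: exit status 0 only if both settings are "no".
# Assumption: an unset keyword falls back to the OpenSSH default, which is "yes".
password_login_disabled() {
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(effective_sshd_option "$1" "$kw")" = "no" ] || return 1
    done
    return 0
}

# Constructed sample config: the keyword is present only as a comment, and the
# sed from the page turns that line into an active "no".
demo() {
    cfg=$(mktemp)
    printf '%s\n' 'Port 22' '#PasswordAuthentication yes' \
        'ChallengeResponseAuthentication no' 'UsePAM yes' > "$cfg"
    echo "before: $(effective_sshd_option "$cfg" PasswordAuthentication)"
    sed "s/^.*PasswordAuthentication yes/PasswordAuthentication no/" "$cfg" > "$cfg.new"
    echo "after:  $(effective_sshd_option "$cfg.new" PasswordAuthentication)"
    rm -f "$cfg" "$cfg.new"
}
demo
```

Run `password_login_disabled /etc/ssh/sshd_config` inside the chroot after the edit; a non-zero exit status means a password prompt is still possible.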

System-wide configuring

did=$(ls /dev/disk/by-uuid/ -lah | grep ${diskDev}1 | awk '{print $9}')

echo -ne "
" > /etc/fstab

– in addition you may want to add a swap entry to the /etc/fstab file.

sed -i -e 's/#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' \
-e 's/GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor /' /etc/default/grub

apt-get clean

dpkg-reconfigure locales

hostname usblive
adduser ${userName}
for i in anacron fuse ; do groupadd $i ; done
for i in input audio video adm src users anacron crontab fuse ; do adduser ${userName} $i ; done

where the first three groups (input audio video) are the most important. (I found out that a user who is not a member of the input group cannot use graphic mode.)

I am too lazy to log in and to type startx after every reboot, so I have to set up automatic login:
cp -i /etc/systemd/system/ /etc/systemd/system/
sed -i "s/^ExecStart=-\\/sbin\\/agetty --noclear %I \$TERM/ExecStart=-\\/sbin\\/agetty \
-a shalaev --noclear %I \$TERM/" /etc/systemd/system/
sed -i "s/^ExecStart=-\\/sbin\\/agetty --noclear %I \$TERM/ExecStart=-\\/sbin\\/agetty \
-a root --noclear %I \$TERM/" /etc/systemd/system/
Note that my ~/.profile runs startx at the very end, so the system brings me to the graphic mode automatically.

apt-file update
update-alternatives --set x-terminal-emulator /usr/bin/urxvt
service dbus stop
service acpid stop
service exim4 stop
hostname $(cat /etc/hostname)
for i in sys proc dev ; do umount /mnt/aaa/$i ; done
for i in sys proc dev ; do umount -l /mnt/aaa/$i ; done
umount /mnt/aaa
umount -l /mnt/aaa

Fine tuning: keyboard, wifi, icewm, etc

Continuing to work with root privileges. To be able to write in Cyrillic:
wget -O /etc/default/keyboard

Other stuff:

Next I reboot under the newly created system. Set up the keyboard model:
dpkg-reconfigure keyboard-configuration
– will prompt for your keyboard model; I choose the most standard keyboard (otherwise my keyboard does not work in graphics mode).

Next, I log in as a non-root user. I do not need all the bells and whistles of either KDE or GNOME and use the lightweight icewm instead. To install my icewm configuration files:
mkdir ~/.icewm
for i in menu preferences prefoverride startup theme toolbar; do wget -O ~/.icewm/$i$i; done

Finally I install my basic configuration files:
for i in xsession profile bashrc emacs procmailrc ; do wget -O ~/.$i$i; done
chmod u+x ~/.xsession ~/.profile ~/.bashrc
touch ~/diary

I use the sleepd package to shut down the laptop on low battery, see my /etc/default/sleepd and /usr/local/bin/ files. Sadly, sleepd does not monitor CPU temperature…


The boot time (on a Lenovo x100e laptop from a flash drive) is 34 seconds to graphic mode, and this is the case when I boot the system from the (slow) usb drive formatted with (slow on flash drives) reiserfs. (With apparmor deactivated this time would be 18 seconds.)