your feedback

Installing Debian stretch on 64 bit systems using debootstrap

With linux I prefer budding reproduction way. Namely, when I want to install debian on a new computer, first I create debian system on a flash drive (under debian or ubuntu), boot from this flash drive on a new computer, and create debian system on a hard drive in the same way. The system installed according to this method will take approximately 2Gb; I would use at least a 3Gb usb stick (or an SDHC card).

Formatting and debootstraping

I insert a usb stick or a SDHC card into computer with a working linux (Debian or Ubuntu) system. I assume that the corresponding device is /dev/sdb and my non-root user name is shalaev; I am going to install debian on the first partition (/dev/sdb1 in my case):
export diskDev=sdb

Sometimes it happens that partition table on the usb stick is broken (e.g., after you copied debian netinst image to the stick); in this case we have to clean the beginning of the stick and recreate the partition table:

export LANG=C
dd if=/dev/zero of=/dev/${diskDev} bs=1024 count=100
/sbin/install-mbr --force /dev/${diskDev}
export userName=shalaev

Now we should create at least one partition:

fdisk -H 224 -S 56 /dev/${diskDev}

mkfs.ext4 -F /dev/${diskDev}1
mount /dev/${diskDev}1 /mnt/aaa
mkdir -p /mnt/aaa/mnt/{aaa,usb,tmp}
time debootstrap stretch /mnt/aaa
On large hard disks instead of fdisk you may have to use gparted; I also use lvm together with resize_reiserfs which allow me easy partition resizing.

cp /etc/network/interfaces /mnt/aaa/etc/network/interfaces
cp /etc/hosts /mnt/aaa/etc/hosts
echo "deb stretch main contrib non-free" > /mnt/aaa/etc/apt/sources.list
echo "deb stretch/updates main contrib" >> /mnt/aaa/etc/apt/sources.list
for i in sys proc dev ; do mount --bind /$i /mnt/aaa/$i ; done
chroot /mnt/aaa /bin/bash
apt-get update
time apt-get --no-install-recommends -y install aptitude
time tasksel --new-install install laptop

Installing software

time aptitude -R -y install aptitude dbus-x11 file localepurge grub2 \
os-prober gparted bzip2 iotop icewm-experimental apt-file debootstrap net-tools \
lvm2 openssh-client x11-utils psmisc passwd nano xserver-xorg strace rsync \
xfonts-base rxvt-unicode busybox-static rfkill wireless-tools net-tools pciutils \
acpi acpid firmware-linux iceweasel iceweasel-l10n-ru smartmontools \
ifplugd dosfstools shorewall ifplugd openssh-server ntpdate ecryptfs-utils \
apparmor apparmor-notify apparmor-utils mingetty parted reiserfsprogs \
gnome-backgrounds mutt fetchmail procmail exim4 heirloom-mailx xorg \
x11-xserver-utils emacs auctex vorbis-tools vorbisgain sox \
sleepd alsa-tools alsa-utils configure-debian aspell-en \
aspell-ru linux-image-amd64 mbr cryptsetup-bin
– note that for certain laptops you have to add some extra firmware packages in this list, e.g., firmware-realtek or firmware-brcm80211.

During the installation of grub, we have to select the device to install the boot loader; we choose /dev/${diskDev} which is /dev/sdb in my case. There will also be questions regarding locales relevant for people who speak languages other than English.

Basic security: apparmor, chroot jail, and shorewall

It is a good idea to protect your new linux system before it boots for the very first time. Perhaps the most obvious way to massively infect computers is to convince their users to open either a malicious web page or an infected document. So the most dangerous applications are (i) web browsers and (ii) pdf-viewers (and OpenOffice in case if you work with .doc files). This is why you may want to protect your newly born linux system using apparmor and some of my apparmor profiles:

wget -O /etc/apparmor.d/usr.lib.iceweasel.iceweasel
wget -O /etc/apparmor.d/usr.lib.iceweasel.plugin-container
In particular, my profiles do not allow iceweasel (firefox) reading user files outside of ~/Downloads directory. Once you activate apparmor, in system log you will see some strange requests (for example, unjustified attempts to read /etc/passwd) which have been denied.

Also we need a firewall. (Do not rely on your system adminstrators' firewall which separates your company from the rest of the world; anyway you have to protect yourself from an infected windows system working in the office next door.) I use shorewall and you can copy my configuration as follows

for i in interfaces  masq  policy  rules  zones; do wget -O /etc/shorewall/$i$i; done
sed -i 's/^startup=0/startup=1/' /etc/default/shorewall

Do not forget to change interface names in /etc/shorewall/interfaces to yours; see the output of ip addr ls command.

Take a look on the configuration files in /etc/shorewall/ before activating the firewall. Note that shorewall can also be easily configured for sharing internet connection (for example, when you connect your laptop to a wired network and want to provide your own wifi hotspot to share connection, say for a smartphone); in this case, apart from editing /etc/shorewall/masq you will also have to allow NAT in /etc/shorewall/shorewall.conf:

sed -i "s/^IP_FORWARDING=Keep/IP_FORWARDING=Yes/" /etc/shorewall/shorewall.conf

Finally, it is important to protect my ssh-server from bad people who might know or guess my not too-sophisticated user password:

sed -i "s/^.*PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
chmod o-r /etc/ssh/sshd_config
– after that no one can log in to my server using passwords; only cryptographic keys are allowed.

System-wide configuring

did=$(ls /dev/disk/by-uuid/ -lah | grep ${diskDev}1 | awk '{print $9}')
echo -ne "
" > /etc/fstab
– in addition you may want to add swap entry to the /etc/fstab file.

sed -i -e 's/#GRUB_TERMINAL=console/GRUB_TERMINAL=console/' \
-e 's/GRUB_CMDLINE_LINUX="/GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor /' /etc/default/grub
apt-get clean
dpkg-reconfigure locales
hostname usblive
adduser ${userName}
for i in anacron fuse ; do groupadd $i ; done
for i in input audio video adm src users anacron crontab fuse netdev ; do adduser ${userName} $i ; done
where the first three groups (input audio video) are the most important ones (I found out that a user who is not a member of the input group can not use graphic mode).

Next, I set up automatic log in and launch startx after every reboot:

cp -i /etc/systemd/system/ /etc/systemd/system/
sed -i "s/^ExecStart=-\\/sbin\\/agetty --noclear %I \$TERM/ExecStart=-\\/sbin\\/agetty \
    -a shalaev --noclear %I \$TERM/" /etc/systemd/system/
sed -i "s/^ExecStart=-\\/sbin\\/agetty --noclear %I \$TERM/ExecStart=-\\/sbin\\/agetty \
   -a root --noclear %I \$TERM/" /etc/systemd/system/
My ~/.profile runs startx at the very end, so the system brings me to the graphic mode automatically.

Finally I

apt-file update
update-alternatives --set x-terminal-emulator /usr/bin/urxvt
service dbus stop
service acpid stop
service exim4 stop
hostname $(cat /etc/hostname)
for i in sys proc dev ; do umount /mnt/aaa/$i ; done
umount /mnt/aaa

Fine tuning: keyboard, wifi, icewm, etc

Continuing to work with root privileges. To be able to write in Cyrillic:

wget -O  /etc/default/keyboard

Other stuff:

After I reboot under the newly created system, I set up the keyboard model:

dpkg-reconfigure keyboard-configuration
– will prompt for your keyboard model; I choose the most standard keyboard (otherwise my keyboard does not work in graphics mode).

Next, I log in as as a non-root user. I do not need all those bells and whistles of neither kde nor gnome and use lightweight icewm instead. To install my icewm configuration files:

mkdir ~/.icewm
for i in menu  preferences  prefoverride startup theme toolbar; do wget -O ~/.icewm/$i$i; done
Finally I install my basic configuration files:
for i in xsession profile bashrc emacs procmailrc ; do wget -O ~/.$i$i; done
chmod u+x ~/.xsession ~/.profile ~/.bashrc
touch ~/diary

I use sleepd package to shutdown the laptop on low battery, see my /etc/default/sleepd and /usr/local/bin/ files. Sadly, sleepd does not monitor CPU temperature…


The boot time (on lenovo x100e laptop from flash drive) is 34 seconds to graphic mode, and this is in case when I boot the system from the (slow) usb-drive formatted with (slow on flashdrives) reiserfs. (With deactivated apparmor this time would be 18 seconds.)

validate this page