Common Installation Steps

A lot of our installation is remarkably repetitive. Note that if you happen to make a mistake when answering install questions, you can quickly and easily fix it with (on Debian) dpkg-reconfigure [PACKAGE].

SSH

Unless you’re setting up a Shell Server or desktop, I highly suggest that your sshd_config contain directives to turn off password logins and enable GSSAPI:

PermitRootLogin without-password
GSSAPIAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

In most cases, we want to prohibit some logins:

DenyUsers acmguest localadmin debian
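The audit script below is an added example written for these notes; it is not part of the original page or of OpenSSH. It reads an sshd_config the way sshd does (keywords are case-insensitive, comments are skipped, and for each keyword the first occurrence wins, so a stray early PasswordAuthentication yes silently overrides a later no) and reports any of the directives above, or DenyUsers entries, that would not take effect. Both without-password and its newer spelling prohibit-password are accepted for PermitRootLogin. The sample configs are constructed, and the compiled-in defaults the script assumes for unset keywords (PermitRootLogin prohibit-password, GSSAPIAuthentication no, PasswordAuthentication yes, ChallengeResponseAuthentication yes) are OpenSSH's from 7.0 onward; confirm them against your version's sshd_config(5).

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# directives recommended above. It mirrors how sshd reads the file: keywords
# are case-insensitive, comments and blank lines are ignored, and for each
# keyword the FIRST occurrence wins (later duplicates are silently ignored).
# Only the global section is inspected; parsing stops at the first Match block
# (assumption: site-wide policy is set before any Match block).

# effective_value FILE KEYWORD -> prints the first value set for KEYWORD (may be empty)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }                # comment or blank line
        tolower($1) == "match" { exit }                              # end of the global section
        tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }  # first match wins
    ' "$1"
}

# check_directive FILE KEYWORD DEFAULT ALLOWED... -> 0 if the effective value (or
# sshd's compiled-in DEFAULT when unset) is in ALLOWED; else prints a FAIL line, returns 1
check_directive() {
    f="$1"; kw="$2"; def="$3"; shift 3
    v="$(effective_value "$f" "$kw")"
    [ -n "$v" ] || v="$def"
    for ok in "$@"; do
        [ "$v" = "$ok" ] && return 0
    done
    echo "FAIL: $kw=$v (want one of: $*)"
    return 1
}

# check_denied FILE USER... -> 0 if every USER appears in DenyUsers; else FAIL line, returns 1
check_denied() {
    f="$1"; shift
    denied=" $(effective_value "$f" DenyUsers) "
    missing=""
    for u in "$@"; do
        case "$denied" in *" $u "*) ;; *) missing="$missing $u" ;; esac
    done
    [ -z "$missing" ] && return 0
    echo "FAIL: DenyUsers is missing:$missing"
    return 1
}

# audit_sshd_config FILE -> one FAIL line per problem; returns the number of problems.
# Defaults below are OpenSSH's (7.0 and later); confirm against your sshd_config(5).
audit_sshd_config() {
    bad=0
    check_directive "$1" PermitRootLogin prohibit-password without-password prohibit-password no || bad=$((bad + 1))
    check_directive "$1" GSSAPIAuthentication no yes            || bad=$((bad + 1))
    check_directive "$1" PasswordAuthentication yes no          || bad=$((bad + 1))
    check_directive "$1" ChallengeResponseAuthentication yes no || bad=$((bad + 1))
    check_denied    "$1" acmguest localadmin debian             || bad=$((bad + 1))
    return "$bad"
}

# Constructed sample configs (not real host files).
GOOD_CFG="$(mktemp)"; BAD_CFG="$(mktemp)"
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
printf '%s\n' '# hardened per the notes above' \
    'PermitRootLogin without-password' 'GSSAPIAuthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'DenyUsers acmguest localadmin debian' > "$GOOD_CFG"
# Looks hardened at a glance, but the FIRST PasswordAuthentication line wins,
# GSSAPI is left at its default, and one DenyUsers entry is missing.
printf '%s\n' 'passwordauthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' 'DenyUsers acmguest debian' > "$BAD_CFG"

audit_sshd_config "$GOOD_CFG" && echo "good config: no violations"
audit_sshd_config "$BAD_CFG"  || echo "bad config: $? violation(s)"
```

On a real host, sshd -t checks the file for syntax errors before you restart, and sshd -T prints the effective configuration with defaults filled in and keywords lower-cased; saving that output to a file and passing it to audit_sshd_config checks what sshd actually enforces rather than what the file appears to say.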

You should also publish SSHFP records as per DANE Records.

Debian Unattended Upgrades

As per https://wiki.debian.org/UnattendedUpgrades you must run both of these commands (and choose Yes when the second asks) in order for unattended-upgrades to actually be done:

apt-get install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades

You may also want to modify /etc/apt/apt.conf.d/50unattended-upgrades to set Unattended-Upgrade::Origins-Pattern to something more useful than the default. May I suggest

Unattended-Upgrade::Origins-Pattern {
        "o=Debian,n=${distro_codename}";
        "o=Debian,n=${distro_codename}-updates";
        "o=Debian,n=${distro_codename}-proposed-updates";
        "origin=Debian,archive=${distro_codename},label=Debian-Security";
};

Debian Package Pinning

We tend to straddle Debian distros rather frequently. Towards that end, we often pin packages along these lines:

Package: *
Pin: release a=jessie
Pin-Priority: 900

Package: *
Pin: release a=sid
Pin-Priority: 700

Package: *
Pin: release a=experimental
Pin-Priority: 650

Systemd

Ah, the brave new future of init systems or something like that. Behold the following useful links and the attempt at yet another all-encompassing hydra of a declarative system management software stack.

Unit Configuration Drop-In

In any case, a handy trick to know is that you can add declarations to existing units without having to touch the vendor’s files, so at least there’s that.

This is exceptionally tersely documented in https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html; you should at least be aware of the precedence rules (which are solely by file name rather than by directory and name), so naming things zz-....conf when you wish to override a setting is perhaps the right idea.

For example, creating /etc/systemd/system/${UNIT}.d/depend-time.conf with contents

[Unit]
After=ntp.service
Requires=ntp.service

is sufficient to make ${UNIT} (e.g. krb5-kdc.service) wait for the NTP service on startup. (Note that After= and Requires= “may be specified more than once, in which case ordering dependencies for all listed names are created.”, dodging the last-file-wins rule!) Similarly,

[Service]
Restart=always

is a great way to force a service to restart on exit (Restart=, on the other hand, really is a last-one-wins variable.)
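To make the two rules above concrete (file-name order decides, Restart= is last-one-wins, After=/Requires= accumulate), here is an added example, not from the original page or from the systemd project, that predicts the effective value of a setting across the drop-in files in a ${UNIT}.d directory before you reload. The directory and its files are constructed stand-ins for /etc/systemd/system/krb5-kdc.service.d; the function names dropin_scalar and dropin_list are this example's own. It also follows systemd's documented rule that dependency settings cannot be reset to empty from a drop-in, so an empty After= line is ignored rather than treated as a reset.

```shell
#!/bin/sh
# Added example (not from the original page or the systemd project): predict
# the effective value of a setting across the drop-in files in a ${UNIT}.d
# directory before you daemon-reload. Files are applied in plain (C-locale)
# file-name order, as the notes above describe, which is why a zz-*.conf name
# lands last. A scalar such as Restart= is last-one-wins; a dependency list
# such as After= or Requires= accumulates across files. systemd documents that
# dependency settings cannot be reset to empty from a drop-in, so an empty
# "After=" is ignored here rather than treated as a reset.
# On a live host the authoritative answer is:  systemctl show -p Restart -p After UNIT
export LC_ALL=C

# dropin_scalar DIR SECTION KEY -> value from the last file (in name order) that sets KEY
dropin_scalar() {
    awk -F= -v sec="[$2]" -v key="$3" '
        FNR == 1 { cur = "" }                       # every file starts outside any section
        /^[#;]/ { next }                            # comment line
        /^\[/ { cur = $0; next }                    # section header, e.g. [Service]
        cur == sec && $1 == key { val = substr($0, length(key) + 2) }   # later file overrides
        END { print val }
    ' "$1"/*.conf
}

# dropin_list DIR SECTION KEY -> space-separated union of every non-empty KEY= across files
dropin_list() {
    awk -F= -v sec="[$2]" -v key="$3" '
        FNR == 1 { cur = "" }
        /^[#;]/ { next }
        /^\[/ { cur = $0; next }
        cur == sec && $1 == key {
            v = substr($0, length(key) + 2)
            if (v != "") list = (list == "" ? v : list " " v)   # dependencies: no reset on empty
        }
        END { print list }
    ' "$1"/*.conf
}

# Constructed drop-in directory standing in for /etc/systemd/system/krb5-kdc.service.d
UNIT_D="$(mktemp -d)"
trap 'rm -rf "$UNIT_D"' EXIT
printf '[Unit]\nAfter=ntp.service\nRequires=ntp.service\n' > "$UNIT_D/depend-time.conf"
printf '[Service]\nRestart=on-failure\n' > "$UNIT_D/restart.conf"
printf '[Unit]\nAfter=network-online.target\n[Service]\nRestart=always\n' > "$UNIT_D/zz-override.conf"

echo "Restart  -> $(dropin_scalar "$UNIT_D" Service Restart)"   # always (zz-override.conf sorts last)
echo "After    -> $(dropin_list   "$UNIT_D" Unit After)"        # ntp.service network-online.target
echo "Requires -> $(dropin_list   "$UNIT_D" Unit Requires)"     # ntp.service
```

After creating or changing a drop-in on a real host, run systemctl daemon-reload and compare against systemctl show; systemctl cat UNIT prints the merged files in the order systemd applies them, which is a quick way to confirm your zz- file really does sort last.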

Linux Serial Console

Throughout this example, we assume a 115200 8n1 connection.

Debian Grub

Grub itself can be told to use both the console and a serial terminal by adjusting /etc/default/grub to contain

GRUB_TERMINAL="serial console"
GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

Leave off console from GRUB_TERMINAL if you want only the serial terminal.

To inform the kernel to use both the console and serial terminal, the same file should contain

GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 panic=5"

Again, the console=tty0 directive may be left off if only serial is to be used. The panic= directive is not required for serial console access but will cause the machine to reboot after a panic which is, in many cases, what we want.

After making these changes, run update-grub.

Linux Init

Ensure that /etc/inittab contains

T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100

And ensure that /etc/securetty contains a line of just ttyS0.

Slow Root Devices

It may be necessary to pass rootdelay=20 or some other large number to the kernel; on Debian, this can be achieved by editing GRUB_CMDLINE_LINUX in /etc/default/grub to contain that argument and running update-grub. Symptoms of an insufficient rootdelay include LVM volumes not being available early enough in the boot process to mount root, yet working just fine from the initramfs prompt.
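As an added example (not from the original page) covering both the serial-console settings above and the rootdelay= argument just described, the helper below edits a copy of /etc/default/grub idempotently, so running it twice does not duplicate a line or a kernel argument, and then shows the resulting GRUB_ variables. The file contents are constructed; the function names grub_get, grub_set and grub_add_arg are this example's own, and it relies on GNU sed -i as found on Debian. Point GRUB_DEFAULTS at the real /etc/default/grub to use it for real, and run update-grub afterwards exactly as the notes say.

```shell
#!/bin/sh
# Added example (not from the original page): apply the /etc/default/grub
# changes above with a small idempotent helper instead of editing by hand,
# so a re-run does not duplicate settings or kernel arguments. Works on a copy
# here; point GRUB_DEFAULTS at /etc/default/grub for real use and then run
# update-grub, exactly as the notes say. Uses GNU sed -i (Debian's sed).

# grub_get FILE KEY -> value of KEY="..." (quotes stripped), empty if unset
grub_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# grub_set FILE KEY VALUE -> replace the KEY= line in place, or append it
grub_set() {
    if grep -q "^$2=" "$1"; then
        sed -i "s|^$2=.*|$2=\"$3\"|" "$1"
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# grub_add_arg FILE ARG -> add ARG to GRUB_CMDLINE_LINUX unless already present;
# the match is on the whole token, so rootdelay=20 does not count as rootdelay=200
grub_add_arg() {
    cur="$(grub_get "$1" GRUB_CMDLINE_LINUX)"
    case " $cur " in
        *" $2 "*) ;;   # already there, nothing to do
        *) grub_set "$1" GRUB_CMDLINE_LINUX "${cur:+$cur }$2" ;;
    esac
}

GRUB_DEFAULTS="$(mktemp)"          # constructed stand-in for /etc/default/grub
trap 'rm -f "$GRUB_DEFAULTS"' EXIT
printf '%s\n' 'GRUB_DEFAULT=0' 'GRUB_TIMEOUT=5' 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"' \
    'GRUB_CMDLINE_LINUX=""' > "$GRUB_DEFAULTS"

# Serial console, 115200 8n1, on both the VGA console and ttyS0
grub_set     "$GRUB_DEFAULTS" GRUB_TERMINAL "serial console"
grub_set     "$GRUB_DEFAULTS" GRUB_SERIAL_COMMAND "serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"
grub_add_arg "$GRUB_DEFAULTS" console=tty0
grub_add_arg "$GRUB_DEFAULTS" console=ttyS0,115200n8
grub_add_arg "$GRUB_DEFAULTS" panic=5
# Slow root device: give the LVM volumes time to appear before root is mounted
grub_add_arg "$GRUB_DEFAULTS" rootdelay=20
grub_add_arg "$GRUB_DEFAULTS" rootdelay=20      # second run is a no-op

grep '^GRUB_' "$GRUB_DEFAULTS"
# On a real host the next step is: update-grub   (not run in this example)
```

After update-grub, grep for console= and rootdelay= in the linux lines of /boot/grub/grub.cfg to confirm the arguments reached the generated menu before you reboot.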

Host Access to AFS

A useful thing to have if you don’t expect a particular host to perpetually be installed on precisely the same hardware / disk. See Landing a Keytab in the afs documentation for instructions.