tier1.jp

Installing Debian stretch without network (2nd.)

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

Stage 1 is installation of Debian GNU/Linux Stretch without network connection.

The aim is to build a base system for Read-Only filesystem.

Attention!

DO NOT USE THIS WITHOUT KNOWING WHAT YOU DO.

THIS GUIDE IS BECOMING OBSOLETE SINCE WE ARE NOT RE-TESTING SO MUCH.

Rev 6

Debian stretch 9.11 ISO image link update and minor tweaks.

Prerequisites

  1. An amd64 PC with a SSD/NVMe storage.
  2. Your system encryption password.
  3. Your root password.
  4. Your LVM volume group names and logical volume names.

Caution!

NEVER FORGET THE SYSTEM ENCRYPTION PASSWORD.

Tip

LUKS can have multiple keys (See also: cryptsetup luksAddKey DEV).

Hence, you can have alternate rescue key on some secret papers, stored in some secure places.

Limitations

  • No multi-boot.
  • No Wi-Fi.
  • No multiple storage devices.

Hardware setups

  • Strip any extra hardware; USB/PS2 keyboard and display only.
  • Disconnect from any network.

BIOS setups

  • Legacy USB supports ON.
  • CPU C states are enabled, including C1E.
  • "CPU C7 report" could be enabled; NO "CPU C7s report".
  • SATA and PCI-E ALPMs are disabled (Kernel 4.15 and later support it).
  • SMT (aka. Hyper-Threading) feature should be disabled (insecure).
  • Virtualization features are disabled, if not necessary (insecure).

ALPM

If you use buster backported Linux 4.19, you could enable ALPM, after you upgrade the kernel.

However, it could be potential data loss risk, so we do not recommend ALPM being enabled with stretch.

System Installation

Using Debian GNU/Linux Stretch 9.11, netinst ISO image.

Debian stretch 9.11 ISO image is now available.

Use proper mirror, please.

Note

We use netinst image without network connection.

It is possible to build a minimum Debian system.

About UEFI boot and test installation

Debian 9.11 ISO installer may ask about UEFI.

If it is the first time to install, it would be better to check if UEFI and/or GPT partition table work on your box.

  • Partition table: GPT or DOS.
  • System partition: UEFI (ESP system partition), BIOS reserved, or none.

It would be a matter of combinations above.

Buster ISO Note (in case you abuse this stretch guide)

Choose fdisk-udeb on "Load installer components from CD" if you need fdisk.

So, at first, skip extra settings and just install Debian.

Examples:

  1. GPT partition table and three partitions; EFI system partition, "/boot", "/".
  2. GPT partition table and two partitions; "/boot" and "/" (No UEFI).
  3. DOS partition table and two partitions; "/boot" and "/" (No UEFI).

We assume #1; it would have "/boot/efi" partition.

buster boot issue

(buster) Some M/B BIOS cannot detect ESP partition properly, and it cannot boot buster with ESP, unless you manually choose it on the BIOS boot override. e.g.) Intel H110 M/B with latest BIOS

You should avoid stretch and buster multi-boot setting (just our guess).

Common parts

In short, set timezone and keymap for your country and locale language except display language.

  1. Boot, "Advanced options >", "Expert install."
  2. "Choose language": English
  3. "Select your location": other -> Asia -> Japan (Your timezone)
  4. "Configure locales": United States - en_US.UTF-8
    • additional locales: ja_JP.UTF-8 (Yours)
  5. "Configure the keyboard" keymap to use: Japanese (Yours)
  6. "Detect and mount CD-ROM"

Note

Even USB memory, Debian installer says "CD-ROM", "CD", and call your storage devices "HDD" even you installed SSD/NVMe.

Just don't mind it.

  1. "Load installer components from CD": NONE (It depends)
  2. "Detect network hardware"
  3. "Configure the network"
    • For your primary NIC, "Auto-configure" -> YES
    • The installer attempts but fails; it's OK.
    • Actually you can hit "Cancel" to skip those attempts.
    • Select "Do not configure the network at this time" (we do this later.)
    • Set your "hostname" ("debian" is fine; you can change this later.)
  4. "Set up users and passwords"
    • "Enable shadow passwords?": YES
    • "Allow login as root?": YES
    • Set "Root password."
    • "Create a normal user account now?": NO
  5. "Configure the clock": NTP, Asia/Tokyo (Yours)

Partition Disks

Let us create separated mount point filesystem over LVM over dm-crypt LUKS.

Attention!

We are no longer testing stretch clean installations so much.

Please do test installation above to determine GPT/DOS and UEFI related.

  1. "Detect disks"

    • If it is a blank disk, create a GPT/DOS partition table.
    • "Force UEFI installation?": yes/no (it depends).
      • It depends on your M/B, BIOS update, etc.
      • Ideal settings is GPT with ESP partition (UEFI).
      • If it does not work, try GPT without ESP partition, then DOS with/without grubbios, and finally DOS without neither ESP nor BIOS reserved area.
    • If you want to force re-creating partition tables, enter "Execute a shell" and use fdisk for them.

  2. "Partition disks"

    • Choose "Manual" partitioning.

  3. Delete all partitions of the target (FREE SPACE ONLY.)

  4. Create partitions.

    • SEE THE TABLE BELOW FOR EACH SIZE AND MOUNT OPTIONS.

    • We will set "ro" mount options later (it is possible, though).

    • Create those three partitions.

      1. 128 MB, Beginning, Use as "EFI system partition" (or "Reserved BIOS boot area"), NOT ENCRYPTED (some motherboards need this small area.)
      1. 512 MB, Beginning, ext4, /boot, set mount options, NOT ENCRYPTED.
        • Linux kernel and initramfs on /boot themselves are about 40 MB.
        • Kernel upgrade requires some more work space.
        • Provide enough amount for /boot.
      2. Rest, Use as "physical volume for encryption."

    • Never create swap out-side-the-LUKS.

Note

If your SSD/NVMe does not have factory over provisioning setting aka spare area, keep 5~10% FREE space.

In 2019, the major vendor provides enough spare area.

  1. "Configure encrypted volumes"
    • The target partition is "the "physical volume for encryption".
    • "Create encrypted volumes" on it (where the installer says "crypto.") and "Finish."
    • "Encryption passphrase": your system disk passphrase.
    • "Erase data"; you may skip this by cancel (your choice)
    • Now there is an "Encrypted volume (DEV_crypt) - SIZE Linux device-mapper (crypt)".
    • Select its "#1" partition and switch the usage.
      • Use as "physical volume for LVM" (from ext4.)
  2. "Configure the Logical Volume Manager"
    • "Create volume group" (LVM VG) on the encrypted device above.
      • such as: /dev/mapper/DEV_crypt
      • LVM VG names are up to you.

Note

If there are multiple physical devices, consider separate them by their types such as HDD/SSD/NVMe and/or single-device/multiple-device.

To do that, repeat "3." to "5." for each.

  1. "Create logical volumes" (LVM LVs) on the LVM VGs above.
    • Names are up to you
      • rootfs, usr, usrshare, var, varcache; such form recommended.
    • On this stage, important things are names and their sizes only.
      • For each size, See the table below .
    • /boot is already created, as an unencrypted partition.
    • /tmp will be configured later as a tmpfs mount point.
    • "Display configuration details" and check LVM VGs and LVM LVs.
    • "Finish"

Tip

If you install development tools and/or many desktop applications, at least double /usr and /usr/share.

See also: lvextend and resize2fs.

And the guide in this site .

  1. Format LVM logical volumes and build the filesystem.

Attention!

"ro" OPTIONS WILL BE ADDED AFTER THE FIRST BOOT.

We need to add some more LVs after the installation. Never fill your LVM VG 100%.

  • Format the LVM LVs by ext4 and swap.
    • e.g.) Use as "ext4", Mount point "/home", Mount options "noatime,nodev,nosuid".
    • For mount points not listed, "Enter manually".
    • The installer shows LVM VG name and LVM LV name; if you name them properly, this process is easy.
    • For each mount options and etc, See the table below .
    • "Label" is optional, since LVM LV has each name.
  1. Confirm "/boot"
  • It is outside the LVM-over-LUKS area, as an ordinal partition.
  1. Check them and "Finish partitioning and write changes to disk."

EFI failure workaround

Sometimes Debian installer says it failed EFI partition installation.

On that case, "Go Back", choose EFI partition type "biosgrub", and then revert it "EFI system partition".

Filesystem mountpoint amounts and options

Assuming 128GB SSD with desktop; amounts are up to you.

tier1.jp recommends 512GB or more, considering TRIM interval.

Note

This is a single disk solution.

If you have multiple storage devices, You should create different LVM VGs, and separate /home first.

MOUNTPOINT AMOUNT OPTIONS
/boot 512MB noatime, nodev, nosuid, noexec
/ 2GB noatime
swap 1GB~ (not for hibernate; almost for tmpfs)
/usr 4GB~ noatime, nodev
/usr/share 4GB~ noatime, nodev, nosuid
/var 4GB~ noatime, nodev, nosuid (NEVER noexec)
/var/cache 2GB~ noatime, nodev, nosuid (NEVER noexec)
/var/log 2GB~ noatime, nodev, nosuid, noexec
/var/mail 2GB~ relatime, nodev, nosuid, noexec
/var/spool 2GB~ noatime, nodev, nosuid, noexec
/var/tmp 2GB~ noatime, nodev, nosuid, noexec
/home 16GB~ noatime, nodev, nosuid
/tmp tmpfs noatime, nodev, nosuid, noexec (see below)

Optionally, you might have separated /srv and /opt.

Note

/tmp will be mounted as tmpfs, as shown later. If you want non-volatile /tmp, create a LVM LV for it.

Caution!

Those excessive noatime, nosuid and noexec options might cause software malfunctions.

You can extend LVM LV and mountpoint amount very easily.

Install the base system

  1. "Kernel to install": linux-image-amd64
    • "Drivers to include in the initrd": generic (your choice)

Note

If you want some restricted kernel module settings, use blacklisting.

  1. "Configure the package manager"
    • "Continue without a network mirror": YES (do this later.)
    • security updates YES, release updates YES, backported NO.
  2. "Select and install software"
    • "Participate in the package usage survey" yes/NO (your choice)
    • standard system utilities: YES

Install the GRUB

  1. "Install the GRUB boot loader on a hard disk"
    • The installer says "a hard disk" even if you use SSD/NVMe. Just don't mind it.
    • "Install the GRUB boot loader to the master boot record": YES
    • Select the boot device and install GRUB at the MBR; e.g. "/dev/sdX"
  2. Force GRUB installation to the EFI removable media path?: YES/NO (your choice)

Finish the installation

  1. "Is the system clock set to UTC?": YES
  2. Remove the installation media and "Continue".
  3. System Reboots.
    • System may fail the 1st boot with EFI settings. Just reboot it then.

Keep the box disconnected from your network.

Proceed "Next", please.

published: MODIFIED:
UP | ...