tier1.jp

Installing Debian base system for modern amd64

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

This guide shows how to install Debian GNU/Linux Stretch.

  • For an ordinary, modern amd64 PC (typically a 6th or 7th generation Intel CPU).
  • Assumes an SSD and/or NVMe drive is installed.
  • Whole-system encryption with LUKS, except /boot.
  • Small separate mount points on LVM, so that each can have different mount options.
  • Manual TRIM for SSD/NVMe (optional; cf. the ext4 "discard" mount option.)
  • No sudo; root logs in on a physical tty only (optional.)
  • Expert mode, offline.

After this minimum baseline installation, you can add packages to build a (Japanese) desktop and/or a local low-load server.

Attention!

DO NOT USE THIS WITHOUT KNOWING WHAT YOU DO.

THIS GUIDE IS BECOMING OBSOLETE SINCE WE ARE NOT RE-TESTING SO MUCH.

Rev 27

Debian stretch (now 9.11) ISO image link update and minor tweaks.

Prerequisites

  1. An ordinary amd64 PC with SSD/NVMe storage.
  2. Your system encryption password.
  3. Your root password.
  4. Your normal user name and its password (optional.)
  5. Your machine's "hostname".
  6. Your LVM volume group name(s.)

Caution!

NEVER FORGET THE SYSTEM ENCRYPTION PASSWORD.

Tip

LUKS can hold multiple keys (see also: cryptsetup luksAddKey DEV).

Hence you can have an alternate rescue key, written on paper and stored in a secure place.
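As an added example (not part of the original guide), the shell functions below enrol a rescue passphrase and then verify the key-slot table, which is the check worth doing before relying on the paper copy. They assume a LUKS1 container as the stretch installer creates it (cryptsetup 1.x); the device /dev/sda3 and the luksDump text embedded for offline testing are constructed placeholders:

```shell
#!/bin/sh
# Added example, not part of the tier1.jp guide.
# Assumes a LUKS1 container (cryptsetup 1.x, as installed by stretch);
# DEV is the raw partition holding the container, e.g. /dev/sda3 (hypothetical).

# enabled_slots < luksDump-output : print the numbers of ENABLED key slots.
enabled_slots() {
    awk '/^Key Slot [0-7]: ENABLED/ { sub(":", "", $3); print $3 }'
}

# count_enabled_slots < luksDump-output : number of ENABLED key slots.
count_enabled_slots() {
    enabled_slots | wc -l | tr -d ' '
}

# add_rescue_key DEV : enrol a second passphrase. cryptsetup asks for an
# existing passphrase first, then the new one twice; on failure nothing
# changes. Write the new passphrase down and store it securely.
add_rescue_key() {
    cryptsetup luksAddKey "$1"
}

# check_rescue_key DEV : succeed only if DEV has at least two enabled
# slots (the primary passphrase and the rescue one).
check_rescue_key() {
    n=$(cryptsetup luksDump "$1" | count_enabled_slots)
    [ "$n" -ge 2 ]
}

# Constructed sample of "cryptsetup luksDump" output (LUKS1 header),
# so the parsing can be exercised without a real container.
SAMPLE_DUMP='LUKS header information for /dev/sda3

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512

Key Slot 0: ENABLED
        Iterations:             1234567
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             1234567
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

case "${1:-}" in
    add)   add_rescue_key "$2" && check_rescue_key "$2" ;;
    check) check_rescue_key "$2" ;;
esac
```

Run it as root: `sh luks-rescue.sh add /dev/sda3`, then `sh luks-rescue.sh check /dev/sda3`. Two caveats a rescue key does not cover: a damaged LUKS header loses every slot at once, so also take `cryptsetup luksHeaderBackup DEV --header-backup-file FILE` and keep that file off the machine; and a passphrase that has been exposed should be revoked with `cryptsetup luksKillSlot DEV N`, never left enabled.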

Limitations

  • No multi-boot.
  • No Wi-Fi.
  • No multiple storage devices.
    • RAID (especially 24/7 server purpose)
    • Multiple LVM VGs
    • Just not covered in this guide; easy.

Note

RAID is for 24/7 servers and mission-critical workstations.

Instead, tier1.jp recommends a multi-device layout with a separate /home,

e.g.)

LVM "main" VG for "/" and most of the other mount points.

LVM "data" VG for "/home" only. NVMe preferred.

Multi-device LVM-over-LUKS settings vary.

We will describe our recommended way in another article later.

Notes for AMD Ryzen CPUs

AMD Ryzen support is limited in Debian Stretch.

Debian Buster

Debian buster has the Linux 4.19 kernel, which supports Ryzen including the Raven Ridge APU.

We did not test those combinations much.

Note

(Perhaps obsolete; confirming) Even with Linux 4.19, it seems AMD SME (Secure Memory Encryption) must be turned OFF, by either the BIOS, the kernel config, or the GRUB config (kernel parameter mem_encrypt=off).

Hardware setups

  • Strip any extra hardware; USB/PS2 keyboard and display only.
  • Disconnect from any network.

BIOS setups

  • Legacy USB support ON.
  • CPU C states enabled, including C1E.
  • "CPU C7 report" may be enabled; NOT "CPU C7s report".
  • SATA and PCI-E ALPM disabled (unless Linux >= 4.15.)
  • SMT (aka Hyper-Threading) disabled (insecure: sibling threads share core resources, which enables cross-thread side channels.)
  • Virtualization features disabled, if not necessary (insecure.)

ALPM

If you use Linux 4.19 backported from buster, you could enable ALPM after you upgrade the kernel.

However, ALPM carries a potential data-loss risk, so we do not recommend enabling it on stretch.

System Installation

Using the Debian GNU/Linux Stretch 9.11 netinst ISO image.

The Debian stretch 9.11 ISO image is available.

Note

We use the netinst image without a network connection.

It is still possible to build a minimum Debian system this way.

About UEFI boot and test installation

The Debian 9.11 ISO installer may ask about UEFI.

If this is your first installation on the box, it is better to check first whether UEFI and/or a GPT partition table work on it.

  • Partition table: GPT or DOS.
  • System partition: UEFI (EFI System Partition, ESP), reserved BIOS boot area, or none.

It is a matter of the combinations above.

Buster ISO Note (in case you abuse this stretch guide)

Choose fdisk-udeb on "Load installer components from CD" if you need fdisk.

So, at first, skip the extra settings and just install Debian as a test.

Examples:

  1. GPT partition table and three partitions; EFI system partition, "/boot", "/".
  2. GPT partition table and two partitions; "/boot" and "/" (No UEFI).
  3. DOS partition table and two partitions; "/boot" and "/" (No UEFI).

We assume #1; it has a "/boot/efi" partition.

buster boot issue

(buster) Some motherboard BIOSes cannot detect the ESP properly, and cannot boot buster from it unless you manually choose it in the BIOS boot override. e.g.) Intel H110 M/B with the latest BIOS

You should avoid a stretch and buster multi-boot setup (just our guess).

Common part

  1. Boot, "Advanced options >", "Expert install."
  2. "Choose language": English
  3. "Select your location": other -> Asia -> Japan (Your choice)
  4. "Configure locales": United States - en_US.UTF-8 (Your choice)
    • additional locales: ja_JP.UTF-8 (Your choice)
  5. "Configure the keyboard" keymap to use: Japanese (Your choice)
  6. "Detect and mount CD-ROM"

Note

Even with a USB stick, the Debian installer says "CD-ROM" and "CD", and it calls your storage devices "HDD" even if you installed an SSD/NVMe.

Just don't mind it.

  7. "Load installer components from CD": NONE (Your choice)
  8. "Detect network hardware"
  9. "Configure the network"
    • For your primary NIC, "Auto-configure" -> YES
    • The installer attempts it but fails (we are offline); that's OK.
    • Select "Do not configure the network at this time" (do this later.)
    • Set your "hostname"
  10. "Set up users and passwords"
    • "Enable shadow passwords?": YES
    • "Allow login as root?": YES
    • Set "Root password."
    • "Create a normal user account now?": YES/NO (Your choice)
  11. "Configure the clock": NTP, Asia/Tokyo (Your choice)

Partition Disks

Let us create separate mount-point filesystems on LVM over dm-crypt LUKS.

Attention!

We are no longer testing stretch clean installations much.

Please do the test installation above to determine the GPT/DOS and UEFI-related settings.

  1. "Detect disks"
    • If it is a blank disk, create a GPT/DOS partition table.
    • Which table is suitable depends on your M/B.
      • DOS partition table for an old machine, GPT partition table for a new one.
    • "Force UEFI installation?": yes/no (it depends).
      • It depends on your M/B, BIOS update, etc.
      • The ideal setting is GPT with an ESP partition (UEFI).
      • If it does not work, try GPT without an ESP partition, then DOS with/without a reserved BIOS boot area, and finally DOS with neither an ESP nor a reserved BIOS area.
    • If you want to force re-creating partition tables, enter "Execute a shell" and use fdisk for them.
  2. "Partition disks"
    • Choose "Manual" partitioning.
  3. Delete all partitions of the target (leave FREE SPACE ONLY.)
  4. Create partitions. SEE THE TABLE BELOW FOR EACH SIZE AND MOUNT OPTIONS.
    • First, 128 MB, Beginning, Use as "EFI System Partition," NOT ENCRYPTED (some motherboards need this small area).
    • Second, 512 MB, Beginning, ext4, /boot, set mount options, NOT ENCRYPTED.
      • The Linux kernel and initramfs on /boot themselves take about 40 MB.
      • A kernel upgrade needs more working space (old and new kernels coexist).
      • Provide enough room for /boot.
    • Rest, Use as "physical volume for encryption."

Note

Some recent motherboards need an EFI partition and/or reserved BIOS area to boot Debian;

e.g.) ASRock J4105-MiniITX (Intel Gemini Lake SoC).

Note

If your SSD/NVMe has no factory over-provisioning (spare area), keep 5~10% of the device as FREE space.

In 2019, the major vendors provide enough spare area.

  5. "Configure encrypted volumes"
    • The target partition is the "physical volume for encryption".
    • "Create encrypted volumes" on it (where the installer says "crypto") and "Finish".
    • "Encryption passphrase": your system disk passphrase.
    • "Erase data": you may skip this by cancelling (your choice); skipping it leaves any previous contents of the partition recoverable until they are overwritten.
    • Now there is an "Encrypted volume (sdX_crypt) - SIZE Linux device-mapper (crypt)".
    • Select its "#1" partition and switch the usage from ext4 to "physical volume for LVM".
  6. "Configure the Logical Volume Manager"
    • "Create volume group" (LVM VG) on the encrypted device above (such as /dev/mapper/DEV_crypt.)
      • LVM VG names are up to you.

Note

If there are multiple physical devices, consider separating them by type (HDD/SSD/NVMe) and/or single-device/multi-device.

To do that, repeat steps 3 to 5 for each device.

  7. "Create logical volumes" (LVM LVs) on the LVM VGs above.
    • Names are up to you.
      • Forms such as rootfs, usr, usrshare, var, varcache are recommended.
    • At this stage, only the names and their sizes matter.
      • For each size, see the table below.
    • /boot is already created, as an unencrypted partition.
    • /tmp will be configured later as a tmpfs mount point.
    • "Display configuration details" and check the LVM VGs and LVM LVs.
    • "Finish"

Tip

If you install development tools and/or many desktop applications, at least double /usr and /usr/share.

See also: lvextend and resize2fs.

And the guide on this site.

  8. Format the LVM logical volumes and build the filesystems.
    • Format the LVM LVs as ext4 and swap.
      • e.g.) Use as "Ext4," Mount point "/home", Mount options "noatime,nodev,nosuid."
      • For mount points not listed, "Enter manually."
      • The installer shows the LVM VG name and LVM LV name; if you named them properly, this step is easy.
      • For each mount option etc., see the table below.
      • "Label" is optional, since each LVM LV has its own name.
  9. Confirm "/boot"
    • It is outside the LVM-over-LUKS area, as an ordinary partition.
  10. Check them and "Finish partitioning and write changes to disk."
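For reference, the command-line equivalent of the installer's partitioning steps above, as an added example that is not part of the original guide. It assumes a single SATA or NVMe disk (DISK, default /dev/sda), a volume group named "main", a mapper name sda3_crypt, the sizes of the 128 GB SSD table in the next section, and sgdisk from the gdisk package (inside the installer shell use fdisk or parted instead); all of these names are hypothetical choices. With DRY_RUN=1 it prints the commands instead of running them, which is also how the layout can be reviewed before touching a disk:

```shell
#!/bin/sh
# Added example, not part of the tier1.jp guide: command-line equivalent of
# the installer's partitioning (GPT, ESP, unencrypted /boot, LVM over LUKS).
# Hypothetical choices: DISK=/dev/sda, VG=main, mapper name sda3_crypt.
# Usage (as root, DESTROYS DISK):  sh partition.sh run
#        preview only:             DRY_RUN=1 sh partition.sh run

DISK=${DISK:-/dev/sda}
VG=${VG:-main}
CRYPT=${CRYPT:-sda3_crypt}

# Logical volumes: name, size, mount point ("-" = swap). Sizes follow the
# 128 GB SSD table of the guide; enlarge /usr and /home for real use.
LV_TABLE='rootfs 2G /
swap 1G -
usr 4G /usr
usrshare 4G /usr/share
var 4G /var
varcache 2G /var/cache
varlog 2G /var/log
varmail 2G /var/mail
varspool 2G /var/spool
vartmp 2G /var/tmp
home 16G /home'

# run CMD... : execute, or just print the command line when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# part N : partition device name. NVMe disks insert "p" (nvme0n1p3),
# SATA disks do not (sda3).
part() {
    case "$DISK" in
        *[0-9]) printf '%sp%s\n' "$DISK" "$1" ;;
        *)      printf '%s%s\n'  "$DISK" "$1" ;;
    esac
}

# GPT: 128 MiB ESP, 512 MiB /boot, the rest becomes the LUKS container.
make_partitions() {
    run sgdisk --zap-all "$DISK"
    run sgdisk -n 1:0:+128M -t 1:ef00 -c 1:ESP "$DISK"
    run sgdisk -n 2:0:+512M -t 2:8300 -c 2:boot "$DISK"
    run sgdisk -n 3:0:0 -t 3:8300 -c 3:luks "$DISK"
}

# LUKS1 container on partition 3 (stretch's cryptsetup 1.7 creates LUKS1
# for --type luks), then open it as /dev/mapper/$CRYPT.
make_luks() {
    run cryptsetup luksFormat --type luks --cipher aes-xts-plain64 \
        --key-size 512 --hash sha256 "$(part 3)"
    run cryptsetup open "$(part 3)" "$CRYPT"
}

# One PV and one VG on the opened container, one LV per table row.
make_lvm() {
    run pvcreate "/dev/mapper/$CRYPT"
    run vgcreate "$VG" "/dev/mapper/$CRYPT"
    printf '%s\n' "$LV_TABLE" | while read -r name size mnt; do
        run lvcreate -L "$size" -n "$name" "$VG"
    done
}

# ESP as FAT32, /boot and all data LVs as ext4, the swap LV as swap.
make_filesystems() {
    run mkfs.vfat -F 32 -n ESP "$(part 1)"
    run mkfs.ext4 -L boot "$(part 2)"
    printf '%s\n' "$LV_TABLE" | while read -r name size mnt; do
        if [ "$mnt" = "-" ]; then
            run mkswap -L swap "/dev/$VG/$name"
        else
            run mkfs.ext4 -L "$name" "/dev/$VG/$name"
        fi
    done
}

main() { make_partitions; make_luks; make_lvm; make_filesystems; }

case "${1:-}" in run) main ;; esac
```

The LV names are chosen so that the installer's "main-var", "main-home" style device names stay readable in /etc/fstab and /etc/crypttab; the mount options from the table are applied in fstab, not at mkfs time.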

Filesystem mountpoint amounts and options

Assuming a 128 GB SSD with a desktop; amounts are up to you.

tier1.jp recommends 512 GB or more, considering the TRIM interval.

Note

This is a single-disk layout.

If you have multiple storage devices, create different LVM VGs and separate /home first.

MOUNTPOINT   AMOUNT   OPTIONS
/boot        512MB    noatime, nodev, nosuid, noexec
/            2GB      noatime
swap         1GB~     (not for hibernation; mostly to back tmpfs)
/usr         4GB~     noatime, nodev
/usr/share   4GB~     noatime, nodev, nosuid
/var         4GB~     noatime, nodev, nosuid (NEVER noexec; dpkg runs maintainer scripts from /var/lib/dpkg)
/var/cache   2GB~     noatime, nodev, nosuid (NEVER noexec)
/var/log     2GB~     noatime, nodev, nosuid, noexec
/var/mail    2GB~     relatime, nodev, nosuid, noexec (mail readers use atime to detect new mail)
/var/spool   2GB~     noatime, nodev, nosuid, noexec
/var/tmp     2GB~     noatime, nodev, nosuid, noexec
/home        16GB~    noatime, nodev, nosuid
/tmp         tmpfs    noatime, nodev, nosuid, noexec (see below)

Optionally, you might have separate /srv and /opt.

Note

/tmp will be mounted as tmpfs, as shown later. If you want a non-volatile /tmp, create an LVM LV for it.

Warning

If this is for a server, be careful about the sizes around /var.

For example, a proxy server may require a large /var/cache.

A desktop works almost fine with the above settings.

Caution!

These aggressive noatime, nosuid and noexec options might cause software malfunctions.

Attention!

It is better to use larger (or multiple) storage to make /home large enough.

Note

If you create and/or edit AppArmor profiles, you should have at least 2 GB for /var/log.

It produces tons of audit logs.
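Since a mount option that is set in the installer but lost later (an over-mount, a hand-edited fstab, a mount point that never became a separate filesystem) silently voids the table above, here is an audit to run after the first boot, as an added example that is not part of the original guide. It reads /proc/self/mounts format, encodes the table as its policy, and the /proc/self/mounts text embedded below for offline testing is constructed, with two deliberate mistakes:

```shell
#!/bin/sh
# Added example, not part of the tier1.jp guide: audit the mounted
# filesystems against the mount-option table above. Input is in
# /proc/self/mounts format: "device mountpoint fstype options dump pass".
# Usage after the first boot:  sh mount-audit.sh live

# Policy from the table: mount point and the options it must carry.
POLICY='/boot nodev,nosuid,noexec
/usr nodev
/usr/share nodev,nosuid
/var nodev,nosuid
/var/cache nodev,nosuid
/var/log nodev,nosuid,noexec
/var/mail nodev,nosuid,noexec
/var/spool nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/home nodev,nosuid
/tmp nodev,nosuid,noexec'

# Mount points that must NOT be noexec (dpkg runs maintainer scripts
# from /var/lib/dpkg; the table marks /var and /var/cache "NEVER noexec").
NO_NOEXEC='/var /var/cache'

# has_opt OPTS NAME : true if NAME is in the comma-separated OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_mounts < mounts : print one line per violation; exit 0 if clean.
# For each policy entry the last matching mount line wins, as an
# over-mount does at runtime. A policy path that is not a separate
# mount is reported too: the parent filesystem's options do not apply.
audit_mounts() {
    mounts=$(cat)
    bad=0
    while read -r mnt required; do
        opts=$(printf '%s\n' "$mounts" | awk -v m="$mnt" '$2 == m { o = $4 } END { print o }')
        if [ -z "$opts" ]; then
            printf '%s: not a separate mount\n' "$mnt"
            bad=1
            continue
        fi
        for want in $(printf '%s' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$want"; then
                printf '%s: missing %s\n' "$mnt" "$want"
                bad=1
            fi
        done
        case " $NO_NOEXEC " in
            *" $mnt "*)
                if has_opt "$opts" noexec; then
                    printf '%s: must not be noexec\n' "$mnt"
                    bad=1
                fi ;;
        esac
    done <<EOF
$POLICY
EOF
    return $bad
}

# Constructed sample in /proc/self/mounts format, with two deliberate
# mistakes: /var is noexec and /var/tmp lacks noexec.
SAMPLE_MOUNTS='/dev/mapper/main-rootfs / ext4 rw,noatime,errors=remount-ro 0 0
/dev/sda2 /boot ext4 rw,noatime,nodev,nosuid,noexec 0 0
/dev/mapper/main-usr /usr ext4 rw,noatime,nodev 0 0
/dev/mapper/main-usrshare /usr/share ext4 rw,noatime,nodev,nosuid 0 0
/dev/mapper/main-var /var ext4 rw,noatime,nodev,nosuid,noexec 0 0
/dev/mapper/main-varcache /var/cache ext4 rw,noatime,nodev,nosuid 0 0
/dev/mapper/main-varlog /var/log ext4 rw,noatime,nodev,nosuid,noexec 0 0
/dev/mapper/main-varmail /var/mail ext4 rw,relatime,nodev,nosuid,noexec 0 0
/dev/mapper/main-varspool /var/spool ext4 rw,noatime,nodev,nosuid,noexec 0 0
/dev/mapper/main-vartmp /var/tmp ext4 rw,noatime,nodev,nosuid 0 0
/dev/mapper/main-home /home ext4 rw,noatime,nodev,nosuid 0 0
tmpfs /tmp tmpfs rw,noatime,nodev,nosuid,noexec 0 0'

case "${1:-}" in
    sample) printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts ;;
    live)   audit_mounts < /proc/self/mounts ;;
esac
```

Until the tmpfs /tmp is configured, the audit reports "/tmp: not a separate mount", which is the correct finding: a /tmp living on the root filesystem has only the "noatime" of "/".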

Install the base system

  1. "Kernel to install": linux-image-amd64
    • "Drivers to include in the initrd": generic (your choice)

Note

If you want to restrict which kernel modules can be loaded, use modprobe blacklisting.
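A worked example of such blacklisting, added here and not from the original guide. The caveat it encodes: a "blacklist" line only stops alias-based autoloading, while an "install MOD /bin/false" line also makes an explicit load fail. The module name (usb_storage), the file name and the /proc/modules text embedded for offline testing are hypothetical or constructed:

```shell
#!/bin/sh
# Added example, not part of the tier1.jp guide: restrict a kernel module
# via modprobe.d. "blacklist" alone only stops alias-based autoloading
# (udev matching PCI/USB IDs); "install MOD /bin/false" also makes an
# explicit "modprobe MOD", including the kernel's own request_module,
# fail. Module name usb_storage and the file name are hypothetical.

# blacklist_module MOD [CONFDIR] : write CONFDIR/blacklist-MOD.conf
# (default /etc/modprobe.d) and print the path.
blacklist_module() {
    mod=$1
    confdir=${2:-/etc/modprobe.d}
    file="$confdir/blacklist-$mod.conf"
    mkdir -p "$confdir"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$file"
    printf '%s\n' "$file"
}

# module_loaded MOD < /proc/modules : true if MOD is loaded right now.
# A new rule never unloads anything; use rmmod (or reboot) for that.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# apply MOD : write the rule, rebuild the initramfs so it also holds in
# early boot, then show what modprobe would now do (dry run, verbose).
apply() {
    blacklist_module "$1"
    update-initramfs -u
    modprobe -n -v "$1"
    if module_loaded "$1" < /proc/modules; then
        echo "$1 is still loaded; rmmod $1 or reboot" >&2
    fi
}

# Constructed /proc/modules sample: "name size refcount deps state address".
SAMPLE_MODULES='usb_storage 73728 0 - Live 0x0000000000000000
ext4 737280 5 - Live 0x0000000000000000
crc32c_generic 16384 0 - Live 0x0000000000000000'

case "${1:-}" in apply) apply "$2" ;; esac
```

Run as root: `sh blacklist.sh apply usb_storage`. A rule written only to /etc/modprobe.d without update-initramfs does not take effect for modules the initramfs loads before the root filesystem is mounted.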

  2. "Configure the package manager"
    • "Continue without a network mirror": YES (do this later.)
    • security updates YES, release updates YES, backported NO.
  3. "Select and install software"
    • "Participate in the package usage survey" yes/NO (your choice)
    • standard system utilities: YES

Install the GRUB

  1. "Install the GRUB boot loader on a hard disk"
    • "Install the GRUB boot loader to the master boot record?": YES
    • Select the boot device and install GRUB to its MBR; e.g. "/dev/sdX" (the whole device, not a partition.)

Note

The installer says "a hard disk" even if you use an SSD/NVMe.

Just don't mind it.

  2. "Force GRUB installation to the EFI removable media path?": YES/NO (your choice; YES additionally copies GRUB to the fallback path EFI/BOOT/BOOTX64.EFI on the ESP, which helps on firmware that loses or ignores its NVRAM boot entries.)

Finish the installation

  1. "Is the system clock set to UTC?": YES
  2. Remove the installation media and "Continue".
  3. The system reboots.

Keep the box disconnected from your network.

Proceed to "Next", please.
