
Before my current role as a consultant, I worked for 10 years as a Unix/Linux administrator, and I’ve been asked about my experience with Debian installations in particular, since Debian is my favorite server OS. So here is some advice I wanted to share about running Debian, and about running Linux on VMware ESXi, which is quite common.

A bit about my typical installations

So these days, obviously, when I install an OS it's mostly for my own testing purposes, since normally, as a consultant, the client will install their own OS that I then have to work with. But I still have a lot of test environments, and it keeps my skills alive when it comes to OS administration.

Linux OS installation

How I create my VMware guest images:
  • I normally just use 32-bit unless there’s a specific need to use 64-bit because it saves memory as quoted from an old Byte magazine: "[...] How much RAM do you need? According to scientific survey of experts, you always need n + 16 MB, where n equals the amount of RAM you have now." (BYTE - Vol 23, 4 "Crash-Proof Computing"). But of course if 64-bit is needed then I’ll create a 64-bit image - I’m not religious.
  • I am a strong supporter of XFS and LVM, but with VMware guests it doesn’t matter so much anymore, as you can just as well expand and reduce whole disks in VMware. You do need to use ext4 to shrink the VMware disk image afterwards, so these days I just use ext4 on regular partitions and avoid the LVM overhead.
    Having said that, when I set up a physical server, then I’ll still use XFS and LVM, because they just … rock.

Optimized VMware guest image

  • I always use thin disk provisioning. I do realize that it has a performance impact, but I’m also kinda cheap with space.
  • I normally use VMware’s paravirtualized devices. They simply give much better overall performance per guest when a host is running a lot of guests.
    • Paravirtual SCSI controller
      • Change the VMware guest to use a Paravirtual SCSI controller
        1. Click on Edit Settings -> SCSI controller 0 -> Change Type
        2. Choose VMware Paravirtual (not recommended for this guest OS)
        3. Click on OK
      • VMXNET 3
        1. Remove Network adapter 1
        2. Click on Add…
        3. Select Ethernet Adapter, and click on Next
        4. Use the Adapter Type: VMXNET 3, and click on Next
        5. Click on Finish, and click on OK.

Template OS

I will normally build a template guest and just clone that template if using VMware Workstation, and use VMware Converter to duplicate a template guest from an ESXi host to the same ESXi host.

Existing services

Apart from the usual DNS server, DHCP server etc., I’ll always have a central mailhost, loghost and nfshost, and if it's not running on VMware then also a timehost. On top of that I also use an LDAP server, pam_ldap, and initially my sluwlu script to ensure that all UIDs and GIDs are the same on all servers.

Configure a caching proxy server

Add your caching proxy server to the default environment of all interactive shells. These variables will also be picked up by wget, apt-get, etc.

# cat > /etc/profile.d/proxyenv.sh << EOF
proxy_host="cache.dmz.example.com"
proxy_port="3128"

http_proxy="http://\${proxy_host}:\${proxy_port}";
ftp_proxy="ftp://\${proxy_host}:\${proxy_port}";
no_proxy="localhost";

export http_proxy ftp_proxy no_proxy
EOF
# . /etc/profile.d/proxyenv.sh

Typical packages


# apt-get install mc gpm
Let me just explain why I use the packages above:
  • mc is the best file manager.
  • gpm is so that I can use a mouse to copy’n’paste stuff on the console.

Configure SSH

Allow root to login using a public key. (In general don’t log in with passwords through SSH).

# vi /etc/ssh/sshd_config
Set:

PermitRootLogin without-password
Save, and restart sshd.

# /etc/init.d/ssh restart

# mkdir ~/.ssh
# vi ~/.ssh/authorized_keys
Add your public key, check that you can log in as root.

Quick disclaimer! Only do the above if you absolutely trust the people who will be able to log in as root, and the server is on a protected network. Unless you set LogLevel VERBOSE in /etc/ssh/sshd_config, you can’t see which public key authenticated, and the VERBOSE log level has a noticeable performance impact.
Otherwise just use sudo.
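As an added check that is not part of the original post, the function below reads the first effective value of each keyword, which is how sshd itself resolves duplicates, and reports whether the settings discussed above are in place. The config path is an argument, so it can be run against a copy of sshd_config.

```shell
# Audit the sshd settings the SSH section relies on (added example, not the
# post's own tooling). sshd_config(5): the FIRST obtained value of a keyword
# wins, and keywords after a Match line only apply inside that block.
sshd_effective() {
    # $1 = config file, $2 = keyword (case-insensitive); prints the first value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }          # stop at the first Match block
        k == key { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    # $1 = config file; returns 1 if root key-only login is not configured
    local cfg="$1" rc=0 v
    v=$(sshd_effective "$cfg" PermitRootLogin)
    case "$v" in
        without-password|prohibit-password) echo "ok   PermitRootLogin $v" ;;
        *) echo "FAIL PermitRootLogin ${v:-<unset>}"; rc=1 ;;
    esac
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    if [ "$v" = no ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "FAIL PasswordAuthentication ${v:-<unset>}"; rc=1
    fi
    v=$(sshd_effective "$cfg" LogLevel | tr 'a-z' 'A-Z')
    if [ "$v" = VERBOSE ]; then
        echo "ok   LogLevel VERBOSE (key fingerprint is logged per login)"
    else
        echo "WARN LogLevel ${v:-<unset>}: accepted key is not identifiable in auth.log"
    fi
    return $rc
}
```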

Allow users to use sudo

sudo is the simplest way to allow multiple users to log in, and become root.

# apt-get install sudo
Add a user to the sudo group to give the user root privileges.

# usermod -a -G sudo <username>

Configure a firewall

UFW is a really neat, and simple user space tool to manage netfilter.

# apt-get install ufw
Allow incoming SSH connections, and enable UFW.

# ufw allow OpenSSH
# ufw enable
For ready-made application profiles for UFW, refer to http://jhansonxi.blogspot.com/2010/10/ufw-application-profiles.html.

Configure system activity performance tools

In my opinion procinfo, nmon & sysstat are required performance monitoring tools for any system.

# apt-get install procinfo nmon sysstat

Enable system activity report (sar)

The reason for using sar should be self-evident - I mean, who doesn’t want to know what’s going on with their system when they are not looking?

# vi /etc/default/sysstat
Set:

ENABLED="true"
Save, and restart sar:

# /etc/init.d/sysstat restart

Set default NMON monitoring views

It's more about setting a default configuration for when nmon is called:

# cat > /etc/profile.d/nmon.sh << EOF
# This starts monitors:
#  c = CPU by processor
#  m = Memory & Swap stats
#  d = Disk I/O Graphs
#  a = Disk Adapter
#  n = Network stats
#  t = Top Process Stats
export NMON=cmdant

# This alias is for PuTTY users that want to see lines rather than just lqqk
alias nmon="TERM=linux nmon"
EOF
I prefer nmon over top - it just gives me more information on the same screen.

Configure automounter

autofs … because manually mounting NFS shares is so '90s!

# apt-get install autofs
Configure auto mounter to use NFS mounts:

# mkdir /etc/auto.master.d
# cat > /etc/auto.master.d/net.autofs << EOF
/net    /etc/auto.net --timeout=60
EOF
# /etc/init.d/autofs restart

Adding custom CA cert

Obviously I have my own CA cert, so I also have to import it to make my Debian servers trust it.

# scp /net/filestore.servers.example.com/srv/shared/etc/ssl/cacert.pem /usr/local/share/ca-certificates/Example.COM.crt
# update-ca-certificates

Login Banner (I love login banners!)

Install fortune-mod, fortunes-debian-hints & linuxlogo for the login banner generation script.

# apt-get install fortune-mod fortunes-debian-hints linuxlogo
Now create a script to generate the banner.

# cat > /usr/local/sbin/chmotd.sh << EOF
#!/bin/sh

OUTPUT="/etc/motd"

cat > \$OUTPUT << OUTPUT
\`/usr/bin/linux_logo -f -u -y\`
Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/share/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

\`/usr/games/fortune debian-hints\`

OUTPUT
EOF
Add the script to crontab.

# chmod +x /usr/local/sbin/chmotd.sh

# cat > /etc/cron.d/chmotd << EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

@reboot         root    chmotd.sh
0-59/5 * * * *  root    chmotd.sh
EOF
# /etc/init.d/cron restart
This script will run every 5 minutes and update the message of the day (motd), adding a little health information to the banner along with a nice Debian administration tip.

Remote logging

Always send your logs to a central logging server. If your kernel panics, or you run out of disk space, you can’t see on the local server what went wrong, but if you send your logs to a remote loghost, those messages will have been sent there before your system goes down in flames.

# cat > /etc/rsyslog.d/loghost.conf << EOF
*.*                             @loghost.servers.example.com
EOF
# /etc/init.d/rsyslog restart

Shell colors

I highly recommend using a separate PS1 color for root and non-root shells - for instance, for root I use red (\[\033[01;31m\]), regular users use a light green (\[\033[00;32m\]), and service users just use white.

Here's my prompt colors:

# cat > /etc/profile.d/prompt_colors.sh << EOF
# Use individual settings for each type of TERM
case "\$TERM" in
# If this is an xterm set the title to user@host:dir
xterm*|rxvt*)
    PS1='\${debian_chroot:+(\$debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\\$ '
    PROMPT_COMMAND='echo -ne "\033]0;\${USER}@\${HOSTNAME}: \${PWD/\$HOME/~}\007"'
    ;;
linux)
    PS1='\${debian_chroot:+(\$debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\\$ '
    ;;
vt100)
    PS1='\${debian_chroot:+(\$debian_chroot)}\u@\h:\w\\$ '
    ;;
*)
    export PS1='\h:\w\\$ '
    ;;
esac
EOF

Use LDAP as user repository

Before you can do this, you need to set up your LDAP DIT to support the posixAccount object class etc. I use OpenLDAP with rfc2307bis.schema, which allows me to set uidNumber, gidNumber, homeDirectory etc. attributes on my DSEs. But I won’t go further into this now; there are plenty of resources on how to configure your LDAP server.

To allow PAM to use LDAP, just run the following and answer the questions in the dialog; when the dialog for "Configuring libnss-ldapd" appears, choose "group", "passwd" & "shadow".

# apt-get install libpam-ldapd
Now if you, like me, use StartTLS with LDAP, and you require a bind user to access the LDAP server, then you need to reconfigure nslcd afterwards.

# dpkg-reconfigure -plow nslcd
The dialog now asks a lot more questions about how to connect to your LDAP server. Afterwards restart nscd as well, and check that you can find your LDAP user:

# /etc/init.d/nscd restart
# id 
For instance my DSE is uid=atterdag,ou=People,dc=example,dc=com, so my RDN is atterdag, so:

# id atterdag
uid=1000(atterdag) gid=1000(debian) groups=50(staff),100(users),20(dialout),24(cdrom),25(floppy),29(audio),40(src),44(video),46(plugdev),1011(cvsusers),512(Domain Admins),513(Domain Users),514(Domain Guests),1000(debian),1007(svnusers),1013(Admins),1012(Default)
And I can see that nslcd is also able to look up all the LDAP groups, that I’m a member of.
You also need to add a PAM module that automatically creates a home directory for you if it doesn’t exist already.

# echo "session     required      pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
Now I’ve got all users, and groups in my LDAP server - including system users, and groups. So now I’ll need to synchronize the local IDs of users, and groups with the LDAP server’s IDs, so that we don't have any conflicts between local, and LDAP user names, and group names. For that I’ve created a little tool called sluwlu, which is free for all to use.

Install VMware Tools

VMware Tools doesn't compile on Jessie, so we have to use open-vm-tools (uninstall VMware Tools first if it is already installed).

# vmware-uninstall
# apt-get install open-vm-tools-dkms
# reboot
Check that pvscsi and vmxnet3 are used.

# lsmod | grep vmw_pvscsi
# lsmod | grep vmxnet3

Get the time from the VMware host:

# vmware-toolbox-cmd timesync enable

Optimizing the OS as a VMware guest

Change the disk scheduler to a simple FIFO: the host OS is already using its own scheduler, so there’s no reason to have the overhead of a second disk scheduler in the guest OS.

# vi /etc/default/grub
Change:

GRUB_CMDLINE_LINUX_DEFAULT="quiet"
To:

GRUB_CMDLINE_LINUX_DEFAULT="quiet elevator=noop"
Save, and update the grub configuration.

# update-grub
Just reboot the OS to make the changes take effect.

# reboot

SELinux

I like SELinux, and it's a lot easier than when I first started using it over 10 years ago. So there’s really no reason not to use it these days. First a little prerequisite:

# vi /etc/default/rcS
Set:

FSCKFIX=yes
Install, and enable SELinux

# apt-get install auditd checkpolicy policycoreutils selinux-basics selinux-utils setools
Currently selinux-policy-default is missing from Jessie, so you need to download it from sid, and install it manually.

# wget http://ftp.se.debian.org/debian/pool/main/r/refpolicy/selinux-policy-default_2.20140421-9_all.deb
# dpkg -i selinux-policy-default_2.20140421-9_all.deb
# selinux-activate
# reboot
# check-selinux-installation

Adding additional policies

After boot there can be some alerts regarding VMware Tools, which can be explained with:

# audit2why --all
Essentially just use the commands below to fix it:

# setsebool -P allow_execstack 1
# setsebool -P allow_execmem 1
# /etc/init.d/vmware-tools restart

Additional policies for exim, iptables etc.

You'll be writing the module name a lot of times, so let's make it a variable to make the commands easier to reuse.

# export SEMODULE=local
# audit2allow --all -m ${SEMODULE} > ${SEMODULE}.te
# cat ${SEMODULE}.te

module local 1.0;

require {
        type var_log_t;
        type udev_t;
        type systemd_tmpfiles_t;
        type var_t;
        type systemd_unit_file_t;
        class dir { setattr relabelfrom relabelto };
        class service { status start };
}

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t var_log_t:dir { relabelfrom relabelto setattr };
allow systemd_tmpfiles_t var_t:dir { relabelfrom relabelto setattr };

#============= udev_t ==============
allow udev_t systemd_unit_file_t:service { status start };
# checkmodule -M -m -o ${SEMODULE}.mod ${SEMODULE}.te
# semodule_package -o ${SEMODULE}.pp -m ${SEMODULE}.mod
# semodule -i ${SEMODULE}.pp
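Before packaging what audit2allow produced, it is worth reading every allow rule, since the module grants exactly what was denied. The awk function below is an added example, not the post's own tooling: it lists the rules in a .te file and flags permissions that deserve a second look, such as execmem/execstack (the same relaxation the setsebool lines above apply system-wide) or relabel rights. The REVIEW_PERMS list is my choice, not something the page defines.

```shell
# Review an audit2allow-generated .te module before building it (added
# example). Flags permissions that weaken W^X or let a domain relabel objects.
REVIEW_PERMS="execmem execstack execmod relabelfrom relabelto entrypoint"

review_te() {
    # $1 = path to the .te file; prints one line per allow rule and
    # returns 1 if any rule carries a permission from REVIEW_PERMS
    awk -v review="$REVIEW_PERMS" '
        BEGIN { n = split(review, r, " "); for (i = 1; i <= n; i++) watch[r[i]] = 1 }
        /^[[:space:]]*allow[[:space:]]/ {
            line = $0; sub(/;.*$/, "", line)
            # the permission part is either a single word or a { ... } set
            if (match(line, /\{[^}]*\}/)) {
                perms = substr(line, RSTART + 1, RLENGTH - 2)
            } else {
                np = split(line, f, " "); perms = f[np]
            }
            flag = ""
            m = split(perms, p, " ")
            for (i = 1; i <= m; i++) if (p[i] in watch) flag = flag " " p[i]
            if (flag != "") { found++; printf "REVIEW:%s  %s\n", flag, line }
            else printf "ok  %s\n", line
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}
```

Run it as `review_te local.te`; a non-zero exit means at least one rule was flagged, and the page's own sample module trips it on the relabelfrom/relabelto rules for systemd_tmpfiles_t.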

Making SELinux enforce policies

At this moment SELinux is only in permissive mode. You can check dmesg for more errors, and if none are logged, change the SELinux mode to enforcing at boot by updating the kernel start parameters:

# vi /etc/default/grub
Change:

GRUB_CMDLINE_LINUX=" selinux=1 security=selinux"
To:

GRUB_CMDLINE_LINUX=" selinux=1 security=selinux enforcing=1"
Save, update grub configuration, and reboot:

# update-grub
# reboot
If you need to install some software, and you are then overwhelmed by SELinux errors, then you can always run:

# setenforce 0
This temporarily sets SELinux back to permissive mode, so you can debug the errors and configure the SELinux policies accordingly. When you're done, set SELinux back to enforcing mode with:

# setenforce 1



http://valdemar.lemche.net/2014/03/typical-debian-stuff.html?_escaped_fragment_=#!
