##########################################
Configuring a BeagleBone Black the ACM Way
##########################################

This is still somewhat beta; these machines have not yet been brought into
production, but better to have notes than nothing at all.

Initial Configuration
#####################

Flashing the latest firmware, the BeagleBone Way
------------------------------------------------

.. warning::

   The installer is not to be considered secure.  Do this without network
   access.

.. note::

   Apparently the install images are single-use; please re-pave the micro-SD
   card and do not attempt batch installs.

.. note::

   The BeagleBone installer images will create USB networking devices using
   the ``192.168.7.0/24`` subnet; installation should not take place on a
   host where that CIDR range is significant.

1. Grab the Debian image from ``_

2. Uncompress it and toss it on a micro-SD card.

3. Remove all power from the BeagleBone to be flashed.

4. Insert the micro-SD card.

5. Push and hold the ``S2`` button (the one nearest the micro-SD card slot)
   and, while holding, apply power.

6. You may release the button after the four USER LEDs are no longer all on
   solid.  The device will now boot off of the micro-SD image and pave over
   its eMMC.  If you have damaged the bootloader, more invasive fixes may be
   necessary.

7. Watch the installation carefully.  Some installer images apparently do
   not stop installing after the first time, causing them to be booted
   again, which causes them to pave over the install, again.  Blech.
   Thankfully, it doesn't take *too* long.

Common
------

Early Configuration
```````````````````

Authentication
^^^^^^^^^^^^^^

.. warning::

   **DO THIS BEFORE CONNECTING TO THE NETWORK**!  The default image is
   woefully insecure, by design, we assume.  There is a trivial password for
   the ``debian`` user and ``root`` can log in via SSH without a password at
   all.

At a minimum: land your SSH key (or the entire bundle of ACM admin keys from
``/afs/acm.jhu.edu/group/admins.pub/authorized_keys``), run ``passwd debian``,
adjust ``/etc/ssh/sshd_config`` to set ``PermitRootLogin without-password``,
run ``/etc/init.d/ssh restart`` now.  Better would be to follow the steps in
:ref:`install-common_config_ssh` and prohibit password-based login entirely.

SSH keys
^^^^^^^^

.. warning::

   YOU **MUST** GENERATE NEW SSH KEYS!

The firmware flasher apparently creates a set of SSH keys for itself and
copies them over.  This means that if you use the same installer image more
than once, you'll get the same host keys on multiple machines, and that's bad.
Thankfully, it's easy to cause them to be recreated.  We ignore the
``/etc/ssh/ssh.regenerate`` mechanism provided by boot scripts (because that's
entirely not standard) and do it ourselves::

   rm -rf /etc/ssh/ssh_host_*
   dpkg-reconfigure openssh-server

Date
^^^^

.. note::

   At this point, we are going to connect to the network.  If you are
   paranoid, now would be an excellent time to skip ahead to pruning packages
   and come back here after you're sure that nothing unintended is listening
   on the network.  (Use ``netstat -lnp`` to check, for example.)

The BeagleBone has no RTC.  Once you're connected to the network, run
``ntpdate pool.ntp.org`` to get the right time.

Repository Setup
----------------

We're going to point at the rcn-ee.net repos::

   wget http://repos.rcn-ee.net/debian/conf/repos.rcn-ee.net.gpg.key
   gpg --with-fingerprint ./repos.rcn-ee.net.gpg.key

Check that that matches the expected fingerprint of
``A72A B0B9 0B86 85C9 1777 A377 D284 E608 A4C4 6402``.  If so, proceed::

   apt-key add repos.rcn-ee.net.gpg.key
   echo 'deb [arch=armhf] http://repos.rcn-ee.net/debian wheezy main' \
     >> /etc/apt/sources.list
   apt-get update
   apt-get dist-upgrade
   apt-get install rcn-ee-archive-keyring

.. note::

   The key used to have fingerprint
   ``2F36 8DF5 F926 A8AF 538D CFC1 4D60 3614 FADF B657``; this is a stale key,
   apparently.  Installing the ``rcn-ee-archive-keyring`` package will allow
   them to roll it forward as needed.

We're short on space and really want very few things running on our behalf, so
go ahead and eliminate recommended packages.  This is taken from ``_.

::

   cat >>/etc/apt/apt.conf.d/99_norecommends <

`_ and the ``thirdparty`` file that sits next to it.  What a mess.  We ignore
thirdparty modules since we don't actually care for the RT2870 driver they
provide.

In practice, you want to replace the value of ``kv`` below with the newest
available kernel; use ``apt-cache search linux-image`` to see what's around,
perhaps.  There doesn't seem to be a meta-package.

::

   kv=3.8.13-bone63
   apt-get install \
     linux-firmware-image-${kv} \
     linux-image-${kv} \
     linux-headers-${kv}

   BOOTDIR=/boot/uboot
   mv ${BOOTDIR}/uImage{,.old} || true
   mv ${BOOTDIR}/zImage{,.old} || true
   mv ${BOOTDIR}/uInitrd{,.old} || true
   mv ${BOOTDIR}/initrd.img{,.old} || true
   (
     . ${BOOTDIR}/SOC.sh
     mkimage -A arm -O linux -T kernel -C none -a ${zreladdr} -e ${zreladdr} \
       -n ${kv} -d /boot/vmlinuz-${kv} ${BOOTDIR}/uImage
     mkimage -A arm -O linux -T ramdisk -C none -a 0 -e 0 \
       -n initramfs -d /boot/initrd.img-${kv} ${BOOTDIR}/uInitrd
   )
   cp /boot/vmlinuz-${kv} ${BOOTDIR}/zImage
   cp /boot/initrd.img-${kv} ${BOOTDIR}/initrd.img
   rm -rf ${BOOTDIR}/dtbs
   mkdir -p ${BOOTDIR}/dtbs
   cp -r /boot/dtbs/${kv}/* ${BOOTDIR}/dtbs
   sync
   reboot
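
For the Authentication step above, a check that the ``PermitRootLogin`` change in ``/etc/ssh/sshd_config`` actually took effect before the machine goes on the network. This is an added example, not part of the original notes: the function names and the sample file are constructed, and it relies on the documented sshd_config rule that the first value obtained for a keyword is the one used.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical.
# sshd_config(5): for each keyword the first obtained value is used, so a line
# appended to the end of the file does not override an earlier one.

# Print the value sshd would use for KEYWORD in FILE, or "unset".
# Global section only: parsing stops at the first Match block.
effective() {   # usage: effective KEYWORD FILE
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); n = split($0, f, /[ \t=]+/) }
        n == 0 || f[1] ~ /^#/    { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == kw      { val = f[2]; exit }
        END { print (val == "" ? "unset" : val) }' "$2"
}

# Non-zero if the page's minimum (no password login for root) is not met.
# "unset" fails too: OpenSSH before 7.0 defaults PermitRootLogin to "yes".
audit_sshd() {  # usage: audit_sshd FILE
    rc=0
    v=$(effective PermitRootLogin "$1")
    case $v in
        without-password|prohibit-password|no) echo "ok   PermitRootLogin=$v" ;;
        *) echo "FAIL PermitRootLogin=$v"; rc=1 ;;
    esac
    v=$(effective PasswordAuthentication "$1")
    # The page calls disabling passwords entirely "better", so only warn.
    [ "$v" = no ] || echo "warn PasswordAuthentication=$v"
    return $rc
}

# Constructed sample: the fix was appended below the image's existing line.
tmp=$(mktemp)
printf '%s\n' '# constructed sample' 'Port 22' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PermitRootLogin without-password' >"$tmp"
audit_sshd "$tmp" || echo "edit the existing PermitRootLogin line instead"
rm -f "$tmp"
```

On the device itself, ``sshd -T`` prints the configuration the daemon resolved and is the authoritative cross-check.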
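
For the Repository Setup step above, the fingerprint comparison done by script rather than by eye; the key is fetched over plain HTTP there, so this comparison is the only integrity check before ``apt-key add``. This is an added example, not part of the original notes: the function names and sample records are constructed, and only the two fingerprints come from this page.

```shell
#!/bin/sh
# Added example (not from the original notes). EXPECTED is the fingerprint
# quoted on this page; everything else in the sample records (dates, uid
# text, subkey id) is constructed.
EXPECTED='A72A B0B9 0B86 85C9 1777 A377 D284 E608 A4C4 6402'

# Reads `gpg --with-colons --with-fingerprint KEYFILE` output on stdin.
# Succeeds only if the file holds exactly one primary key whose fingerprint
# equals $1 (spaces and case ignored). apt-key add trusts every key in the
# file, so a second key is a rejection, not a detail.
key_file_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { npub++; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { fpr[npub] = toupper($10); primary = 0 }
        END {
            if (npub != 1)      { print "reject: " (npub + 0) " primary keys"; exit 1 }
            if (fpr[1] != want) { print "reject: fingerprint " fpr[1]; exit 1 }
            print "ok: " fpr[1]
        }'
}

sample_current() {   # constructed colon-format records
    cat <<'EOF'
pub:-:4096:1:D284E608A4C46402:2014-01-01:::-:constructed sample uid::scESC:
fpr:::::::::A72AB0B90B8685C91777A377D284E608A4C46402:
sub:-:4096:1:0000000000000000:2014-01-01::::::e:
EOF
}

sample_stale() {     # constructed records carrying the page's stale fingerprint
    cat <<'EOF'
pub:-:4096:1:4D603614FADFB657:2012-01-01:::-:constructed sample uid::scESC:
fpr:::::::::2F368DF5F926A8AF538DCFC14D603614FADFB657:
EOF
}

sample_current | key_file_matches "$EXPECTED"
sample_stale   | key_file_matches "$EXPECTED" || echo "do not run apt-key add"
{ sample_current; sample_stale; } | key_file_matches "$EXPECTED" || echo "extra key in file"
```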