#########################
Common Installation Steps
#########################

A lot of our installation is remarkably repetitive. Note that if you happen
to make a mistake when answering install questions, you can quickly and
easily fix it with (on Debian) ``dpkg-reconfigure [PACKAGE]``.

.. _install-common_config_ssh:

SSH
===

Unless you're setting up a :doc:`Shell Server <../services/shell-server>` or
desktop, I highly suggest that your ``sshd_config`` contain directives to
turn off password logins and enable GSSAPI::

  PermitRootLogin without-password
  GSSAPIAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication no

In most cases, we want to prohibit some logins::

  DenyUsers acmguest localadmin debian

You should also publish SSHFP records as per :ref:`dns_dane`.

.. _install-common_unattended:

Debian Unattended Upgrades
==========================

As per https://wiki.debian.org/UnattendedUpgrades you must run *both* of
these commands (and choose Yes when the second asks) in order for
unattended-upgrades to actually be done::

  apt-get install unattended-upgrades
  dpkg-reconfigure -plow unattended-upgrades

Modify ``/etc/apt/apt.conf.d/50unattended-upgrades`` to set
``Unattended-Upgrade::Origins-Pattern`` to something more useful than the
default, perhaps. May I suggest ::

  Unattended-Upgrade::Origins-Pattern {
          "o=Debian,n=${distro_codename}";
          "o=Debian,n=${distro_codename}-updates";
          "o=Debian,n=${distro_codename}-proposed-updates";
          "origin=Debian,archive=${distro_codename},label=Debian-Security";
  };

Debian Package Pinning
======================

We tend to straddle Debian distros rather frequently. Towards that end, we
often pin packages along these lines::

  Package: *
  Pin: release a=jessie
  Pin-Priority: 900

  Package: *
  Pin: release a=sid
  Pin-Priority: 700

  Package: *
  Pin: release a=experimental
  Pin-Priority: 650

Systemd
=======

Ah, the brave new future of init systems or something like that. Behold the
following useful links and the attempt at yet another all-encompassing hydra
of a declarative system management software stack.

* https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html
* https://www.freedesktop.org/software/systemd/man/systemd.unit.html
* https://www.freedesktop.org/software/systemd/man/systemd.service.html

Unit Configuration Drop-In
--------------------------

In any case, a handy trick to know is that you can add declarations to
existing units without having to touch the vendor's files, so at least
there's that. This is *exceptionally tersely* documented in
https://www.freedesktop.org/software/systemd/man/systemd-system.conf.html ;
you should at least be aware of the precedence rules (which are solely by
file name rather than by directory and name), so perhaps naming things
``zz-....conf`` when you wish to override a setting is the right idea.

For example, creating ``/etc/systemd/system/${UNIT}.d/depend-time.conf``
with contents ::

  [Unit]
  After=ntp.service
  Requires=ntp.service

is sufficient to make ``${UNIT}`` (e.g. ``krb5-kdc.service``) wait for the
NTP service on startup. (Note that ``After=`` and ``Requires=`` "may be
specified more than once, in which case ordering dependencies for all listed
names are created", dodging the last-file-wins rule!)

Similarly, ::

  [Service]
  Restart=always

is a great way to force a service to restart on exit (``Restart=``, on the
other hand, really is a last-one-wins variable).

.. _install-common_linux-serial:

Linux Serial Console
====================

Throughout this example, we assume a 115200 8n1 connection.

Debian Grub
-----------

Grub itself can be told to use both the console and a serial terminal by
adjusting ``/etc/default/grub`` to contain ::

  GRUB_TERMINAL="serial console"
  GRUB_SERIAL_COMMAND="serial --speed=115200 --unit=0 --word=8 --parity=no --stop=1"

Leave off ``console`` from ``GRUB_TERMINAL`` if you want *only* the serial
terminal.

To inform the kernel to use both the console and serial terminal, the same
file should contain ::

  GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200n8 panic=5"

Again, the ``console=tty0`` directive may be left off if *only* serial is to
be used. The ``panic=`` directive is not required for serial console access,
but it will cause the machine to reboot after a panic, which is, in many
cases, what we want.

After making these changes, run ``update-grub``.

Linux Init
----------

Ensure that ``/etc/inittab`` contains ::

  T0:23:respawn:/sbin/getty -L ttyS0 115200 vt100

And ensure that ``/etc/securetty`` contains a line of just ``ttyS0``.

Slow Root Devices
=================

It may be necessary to pass ``rootdelay=20`` or some other large number to
the kernel; on Debian, this can be achieved by editing ``GRUB_CMDLINE_LINUX``
in ``/etc/default/grub`` to contain that argument and running
``update-grub``. Symptoms of insufficient ``rootdelay`` include LVMs not
being there early enough in the boot process but working just fine from the
initramfs prompt.

Host Access to AFS
==================

A useful thing to have if you don't expect a particular host to perpetually
be installed on precisely the same hardware / disk. See :ref:`host-keytabs`
in the AFS documentation for instructions.
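The drop-in precedence rules from the Systemd section above, worked through as an added example (not from the original page and not systemd's own code): it models name-only ordering with same-name shadowing across search directories, accumulating ``After=``/``Requires=`` and last-one-wins ``Restart=``, and also the reset-on-empty-assignment behaviour of list settings, which the page does not cover. The vendor unit text and the drop-in files for ``krb5-kdc.service`` are constructed sample data.

```python
"""Simulate systemd's drop-in merge rules (added example; not systemd's own code).

systemd.unit(5): drop-ins are applied in lexical order of file NAME only, a
same-named file in a higher-priority directory shadowing the lower one; scalars
like Restart= are last-one-wins; lists like After=/Requires= accumulate, and an
empty assignment resets the list collected so far.
"""
import posixpath

SEARCH_DIRS = ["/etc/systemd/system", "/run/systemd/system", "/usr/lib/systemd/system"]  # highest first
ACCUMULATING = {"After", "Before", "Requires", "Requisite", "Wants", "BindsTo", "PartOf", "Conflicts"}
VENDOR_UNIT = "[Unit]\nAfter=network.target\n\n[Service]\nRestart=on-failure\n"  # constructed sample unit body
EXAMPLE_FILES = {  # constructed sample drop-ins for krb5-kdc.service
    "/usr/lib/systemd/system/krb5-kdc.service.d/10-restart.conf": "[Service]\nRestart=always\n",
    "/etc/systemd/system/krb5-kdc.service.d/10-restart.conf": "[Service]\nRestart=no\n",  # shadows the /usr/lib one
    "/etc/systemd/system/krb5-kdc.service.d/depend-time.conf": "[Unit]\nAfter=ntp.service\nRequires=ntp.service\n",
    "/etc/systemd/system/krb5-kdc.service.d/zz-restart.conf": "[Service]\nRestart=always\n",
}

def select_dropins(files):
    """Resolve same-name shadowing by directory rank, then order by file name alone."""
    best = {}
    for path, text in files.items():
        dropin_dir, name = posixpath.split(path)
        rank = SEARCH_DIRS.index(posixpath.dirname(dropin_dir))  # ValueError for unknown dirs
        if name not in best or rank < best[name][0]:
            best[name] = (rank, text)
    return [(name, best[name][1]) for name in sorted(best)]

def parse_unit_text(text):
    """Yield (section, key, value) in file order; '#' and ';' start comment lines."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and line[0] not in "#;":
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()

def effective_settings(unit_text, files):
    """Merge the unit file and its drop-ins into {section: {key: value}}."""
    merged = {}
    for _name, text in [("unit", unit_text)] + select_dropins(files):
        for section, key, value in parse_unit_text(text):
            sect = merged.setdefault(section, {})
            if key in ACCUMULATING:
                sect[key] = [] if value == "" else sect.get(key, []) + value.split()
            else:
                sect[key] = value  # last file wins
    return merged
```

Drop ``zz-restart.conf`` from the sample and ``Restart=`` ends up as ``no``, because the ``/etc`` copy of ``10-restart.conf`` shadows the vendor's by name; with it present the ``zz-`` file sorts last and wins.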