Occasionally, servers need to be reinstalled from scratch, be it because of the switch from LUKS1 to LUKS2 or because of the change to a new graphics card. On the other hand, a server cannot be out of service for a couple of weeks while it is being set up. An installation system is therefore absolutely necessary in order to prepare the operating software.

Both the installation and the target machine may only have one logical disk; RAID constructions from several physical disks are permitted here. Use any basic PC equipped with UEFI-compliant platform firmware, a graphics card that Debian Live can live with, and a 2TB hard drive as the installation vehicle.

Create a first bootable medium from a file such as firmware-11.5.0-amd64-DVD-1.iso, called the Debian Installation Media. Create a second bootable medium from a file such as debian-live-11.5.0-amd64-standard+nonfree.iso, called the Debian Live Media. Due to a bug in the handling of initial ramdisks by firmware-11.5.0-amd64-DVD-1.iso, we need separate steps to create the correct ones.

Install with encrypted root.

Boot the PC from the Debian Installation Media
    Advanced options
        Expert install
    Choose language
        Language: English - English
        Country, territory or area: other
        Continent or region: Europe
        Country, territory or area: Germany
        Country to base default locale settings on: United States - en_US.UTF-8
        Additional locales: de_DE.UTF-8 de_DE de_DE@euro en_US en_US.ISO-8859-15 es_ES.UTF-8 es_ES es_ES@euro
        System locale: en_US.UTF-8
    Configure the keyboard
        Keymap to use: German
    Detect and mount installation media
    Load installer components from installation media
        Installer components to load: devicemapper crypto module
    Detect network hardware
    Configure the network
        Auto-configure networking?
        IP address: 10.xxx.yyy.17
        Netmask: 255.255.255.0
        Gateway: 10.xxx.yyy.15
        Name server addresses: 10.xxx.yyy.15
        Is this information correct?
        Waiting time (in seconds) for link detection: 3
        Hostname: ...
        Domain name: ...
    Set up users and passwords
        Enable shadow passwords:
        Allow login as root:
        Root password:
        Re-enter password to verify:
        Create a normal user account now:
    Configure the clock
        Set the clock using NTP:
        NTP server to use: 0.debian.pool.ntp.org
        Select your time zone: Europe/Berlin
    Detect disks
    Partition disks
--
cd /cdrom/pool/main
udpkg -i u/util-linux/fdisk-udeb_2.36.1-8\+deb11u1_amd64.udeb
cd /
# Disk setup from scratch.
fdisk /dev/sda
    p
    delete all partitions on /dev/sda
    p
    w
dd bs=1M count=3000 if=/dev/zero of=/dev/sda
fdisk /dev/sda
    p
    m
    g
    n 1 2048 1050623        (512M)
    n 2 1050624 2099199     (512M)
    n 3 2099200
    t 1 1                   (EFI System)
    p
    w
fdisk -l
cat /proc/partitions
dd bs=1M if=/dev/urandom of=/dev/sda3        (this may take hours)
cd /cdrom/pool/main
udpkg -i c/cryptsetup/cryptsetup-udeb_2.3.7-1\+deb11u1_amd64.udeb
udpkg -i c/cryptsetup/libcryptsetup12-udeb_2.3.7-1\+deb11u1_amd64.udeb
udpkg -i p/popt/libpopt0-udeb_1.18-2_amd64.udeb
udpkg -i a/argon2/libargon2-1-udeb_0~20171227-0.2_amd64.udeb
udpkg -i j/json-c/libjson-c5-udeb_0.15-2_amd64.udeb
cd /
cryptsetup --key-size 512 luksFormat /dev/sda3
    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
cryptsetup open /dev/sda3 pvc0
    Enter passphrase for /dev/sda3:
cat /proc/partitions
cryptsetup status pvc0
pvdisplay
pvcreate /dev/mapper/pvc0
vgcreate vg0 /dev/mapper/pvc0
pvdisplay
lvcreate -L 54G vg0 -n swap
lvcreate -L 50G vg0 -n root
lvcreate -L 50G vg0 -n altroot
lvcreate -L 10G vg0 -n mail
lvcreate -L 14G vg0 -n u1
lvcreate -L 2G vg0 -n u2
lvcreate -L 50G vg0 -n u3
lvcreate -L 400G vg0 -n crw
lvcreate -L 1200G vg0 -n cro
lvdisplay
pvdisplay
#
# Just as a reminder, this would be the sequence to destroy all of the above.
# lvremove -f vg0/cro
# ...
# lvremove -f vg0/swap
# vgremove -f vg0
# pvremove -y /dev/mapper/pvc0
# cryptsetup close pvc0
# End of reminder.
# ls -al /dev/mapper
mkfs.fat /dev/sda1
mkfs.ext2 /dev/sda2
mkswap /dev/vg0/swap
mkfs.ext4 /dev/vg0/root
mkfs.ext4 /dev/vg0/altroot
mkfs.ext4 /dev/vg0/mail
mkfs.ext4 /dev/vg0/u1
mkfs.ext4 /dev/vg0/u2
mkfs.ext4 /dev/vg0/u3
mkfs.ext4 /dev/vg0/crw
mkfs.ext4 /dev/vg0/cro
swapon /dev/mapper/vg0-swap
cat /proc/swaps
swapoff /dev/mapper/vg0-swap
cat /proc/swaps
cat /proc/partitions
ls -al /dev/mapper
--
    Partition disks
        Goto LVM VG vg0, LV root #1 and
        # Uncommon behavior: hitting Enter toggles the setting in some cases.
        Partition settings: Use as: do not use
        How to use this partition: Ext4 journaling file system
        Partition settings: Mount point: none
        Mount point for this partition: / - the root file system
        Partition settings: Done setting up the partition
        Goto SCSI1 (...) (sda) #2 and
        Partition settings: Use as: do not use
        How to use this partition: Ext2 file system
        Partition settings: Mount point: none
        Mount point for this partition: /boot - static files of the boot loader
        Partition settings: Done setting up the partition
        Goto SCSI1 (...) (sda) #1 and
        Partition settings: Use as: EFI System Partition
        Partition settings: Bootable flag: on
        Partition settings: Done setting up the partition
        Goto LVM VG vg0, LV swap #1 and
        Partition settings: Use as: do not use
        How to use this partition: swap area
        Partition settings: Done setting up the partition
        Finish partitioning and write changes to disk
        Write the changes to disks?:
    Install the base system
        Kernel to install: linux-image-5.10.0-18-amd64
        Drivers to include in the initrd: generic: include all available drivers
    Configure the package manager
        Use a network mirror:
        Services to use:
    Select and install software
        Updates management on this system: No automatic updates
        Participate in the package usage survey:
        Choose software to install:
    Install the GRUB boot loader
        Force GRUB installation to the EFI removable media path:
--
# Define /etc/crypttab.
cd /target/etc
echo pvc0 /dev/sda3 none luks > crypttab
nano crypttab
    ^X
cat crypttab
# Define /etc/fstab.
echo -n > fstab
echo /dev/mapper/vg0-swap none swap sw 0 0 >> fstab
echo /dev/mapper/vg0-root / ext4 errors=remount-ro 0 1 >> fstab
echo /dev/sda2 /boot ext2 defaults 0 2 >> fstab
echo /dev/sda1 /boot/efi vfat umask=0077 0 1 >> fstab
nano fstab
    ^X
cat fstab
# Due to the passphrase for the hard disk, early
# USB keyboard support is of vital importance.
cd /target/etc/initramfs-tools
echo usbcore >> modules
echo uhci_hcd >> modules
echo ehci_hcd >> modules
echo ehci_pci >> modules
echo usbhid >> modules
echo hid_generic >> modules
nano modules
    ^X
cat modules
# Define /etc/initramfs-tools/conf.d/resume, if not yet done.
cd /target/etc/initramfs-tools/conf.d
cat resume
echo RESUME=/dev/mapper/vg0-swap > resume
ls -al resume
nano resume
    ^X
cat resume
# Pay attention, update-initramfs will automatically
# be executed by "Finish the installation" below.
cd /
--
    Finish the installation
        Is the system clock set to UTC:
        Remove the installation media: Insert the Debian Live Media and press

Do not try to boot from the PC's hard drive; the system will not boot. Instead, repair the initial ramdisk with the live system.
Boot from the Debian Live Media
    GRUB
        Debian GNU/Linux Live (kernel 5.10.0-18-amd64)
sudo bash
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install cryptsetup
umount /mnt
Unplug the Debian Installation Media
cat /proc/partitions
cryptsetup open /dev/sda3 pvc0
    Enter passphrase for /dev/sda3:
cat /proc/partitions
mount /dev/mapper/vg0-root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -o bind /dev /mnt/dev
mount -o bind /run /mnt/run
mount -t devpts pts /mnt/dev/pts
chroot /mnt
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install nfs-common
umount /mnt
Unplug the Debian Installation Media
mkdir /cro
mount -t nfs 10.xxx.yyy.2:/cro /cro
cat /cro/pub/debian/next/amd64/Sources.list | sed 's,/stable/,/next/,' > /etc/apt/sources.list
apt-get update
apt-get install cryptsetup cryptsetup-initramfs
umount /cro
cd /
--
sudo bash
umount /mnt/boot/efi
umount /mnt/boot
mount -o ro,remount /mnt
shutdown -h now && exit
Unplug the Debian Live Media
Boot from the PC's hard drive; the system will boot now.

Install all packages.

Boot from the PC's hard drive
    ...
    login: root
    Password:
mount -t nfs 10.xxx.yyy.2:/cro /cro
apt-get update
/cro/pub/debian/next/amd64/InstallPackages
    General type of mail configuration: No configuration
    Policy for handling keymaps: Don't touch keymap
    Should unprivileged users be allowed to mount WebDAV resources?
    Space-separated list of Maple users: root
    Do you agree to the "Intel Pro Wireless 2100 and 2200/2915 License"?
umount /cro
dpkg-reconfigure keyboard-configuration
    Keyboard model: Generic 105-key PC (intl.)
    Keyboard layout: German - German (no dead keys)
    Key to function as AltGr: The default for the keyboard layout
    Compose key: No compose key
    Use Control+Alt+Backspace to terminate the X server?:
# service keyboard-setup restart                            (does not work)
# udevadm trigger --subsystem-match=input --action=change   (does not work)
update-initramfs -c -k all
dpkg -l | grep -v ^ii
cd /boot/efi/EFI/debian
echo -n > grub.cfg
echo 'set root=hd0,gpt2' >> grub.cfg
echo 'set prefix=($root)/grub' >> grub.cfg
echo 'configfile $prefix/grub.cfg' >> grub.cfg
vi grub.cfg
cat grub.cfg
cd /boot/grub
echo -n > grub.cfg
echo "set timeout=20" >> grub.cfg
echo "set root=hd0,gpt2" >> grub.cfg
echo "insmod efi_gop" >> grub.cfg
echo "insmod part_gpt" >> grub.cfg
echo "insmod ext2" >> grub.cfg
echo "insmod gzio" >> grub.cfg
echo "menuentry 'vmlinuz-5.18.0-0.deb11.4, vg0-root as /' {" >> grub.cfg
echo "  linux /vmlinuz-5.18.0-0.deb11.4-amd64 root=/dev/mapper/vg0-root ro quiet" >> grub.cfg
echo "  initrd /initrd.img-5.18.0-0.deb11.4-amd64" >> grub.cfg
echo "}" >> grub.cfg
echo "menuentry 'vmlinuz-5.18.0-0.deb11.4, vg0-altroot as /' {" >> grub.cfg
echo "  linux /vmlinuz-5.18.0-0.deb11.4-amd64 root=/dev/mapper/vg0-altroot ro quiet" >> grub.cfg
echo "  initrd /initrd.img-5.18.0-0.deb11.4-amd64" >> grub.cfg
echo "}" >> grub.cfg
echo "menuentry 'vmlinuz-5.10.0-18, vg0-root as /' {" >> grub.cfg
echo "  linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-root ro quiet" >> grub.cfg
echo "  initrd /initrd.img-5.10.0-18-amd64" >> grub.cfg
echo "}" >> grub.cfg
echo "menuentry 'vmlinuz-5.10.0-18, vg0-altroot as /' {" >> grub.cfg
echo "  linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-altroot ro quiet" >> grub.cfg
echo "  initrd /initrd.img-5.10.0-18-amd64" >> grub.cfg
echo "}" >> grub.cfg
vi grub.cfg
cat grub.cfg
cd /boot/grub/x86_64-efi
echo -n > load.cfg
echo 'set root=hd0,gpt2' >> load.cfg
echo 'set prefix=($root)/grub' >> load.cfg
vi load.cfg
cat load.cfg
shutdown -h now && exit

Create backups.

Boot from the Debian Live Media
    GRUB
        Debian GNU/Linux Live (kernel 5.10.0-18-amd64)
sudo bash
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install cryptsetup
umount /mnt
Unplug the Debian Installation Media
cryptsetup open /dev/sda3 pvc0
    Enter passphrase for /dev/sda3:
cryptsetup status pvc0
ls -al /dev/mapper
mkdir /crw
mount /dev/mapper/vg0-crw /crw
mount /dev/sda1 /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-BootEfi-1150-amd64-i386-00.tgz .
cd /
umount /mnt
mount /dev/sda2 /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-Boot-1150-amd64-i386-00.tgz .
cd /
umount /mnt
mount /dev/mapper/vg0-root /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-RootDebian-1150-amd64-i386-00.tgz .
cd /
umount /mnt
cd /crw
sha256sum Stest-* > Stest_SHA256SUMS
scp -p Stest* seidl@10.xxx.yyy.2:/crw/seidl
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    seidl@10.xxx.yyy.2's password:
cd /
umount /crw
shutdown -h now && exit
Boot from the PC's hard drive.

Make the initial ramdisks portable.

Boot from the PC's hard drive
    ...
    login: root
    Password:
cd /boot
cp -p initrd.img-5.10.0-18-amd64 initrd.img-5.10.0-18-amd64-BACKUP
cp -p initrd.img-5.18.0-0.deb11.4-amd64 initrd.img-5.18.0-0.deb11.4-amd64-BACKUP
cd /tmp
rm -fr work
mkdir work
cd work
cp /boot/initrd.img-5.10.0-18-amd64 initrd
# Do `unmkinitramfs' by hand.
earlyblocks=`cat initrd | cpio -i --to-stdout 2>&1 >/dev/null | awk '{print $1;}'`
echo "${earlyblocks}"
dd if=initrd of=initrdearly bs=512 count=${earlyblocks}
dd if=initrd of=initrdmain bs=512 skip=${earlyblocks}
mkdir early main
cd early
cat ../initrdearly | cpio -idm
cd ../main
cat ../initrdmain | gzip -dc | cpio -idm
cd cryptroot
cat crypttab
echo pvc0 /dev/sda3 none luks > crypttab
cat crypttab
cd ../..
# Do `mymkinitramfs'.
cd early
find . -print0 | cpio -0oH newc > ../initrdearly-NEW
cd ../main
find . -print0 | cpio -0oH newc | gzip -9c > ../initrdmain-NEW
cd ..
cat initrdearly-NEW initrdmain-NEW > initrd-NEW
cp initrd-NEW /boot/initrd.img-5.10.0-18-amd64
cd /tmp
rm -fr work
mkdir work
cd work
cp /boot/initrd.img-5.18.0-0.deb11.4-amd64 initrd
# Do `unmkinitramfs' by hand.
earlyblocks=`cat initrd | cpio -i --to-stdout 2>&1 >/dev/null | awk '{print $1;}'`
echo "${earlyblocks}"
dd if=initrd of=initrdearly bs=512 count=${earlyblocks}
dd if=initrd of=initrdmain bs=512 skip=${earlyblocks}
mkdir early main
cd early
cat ../initrdearly | cpio -idm
cd ../main
cat ../initrdmain | gzip -dc | cpio -idm
cd cryptroot
cat crypttab
echo pvc0 /dev/sda3 none luks > crypttab
cat crypttab
cd ../..
# Do `mymkinitramfs'.
cd early
find . -print0 | cpio -0oH newc > ../initrdearly-NEW
cd ../main
find . -print0 | cpio -0oH newc | gzip -9c > ../initrdmain-NEW
cd ..
cat initrdearly-NEW initrdmain-NEW > initrd-NEW
cp initrd-NEW /boot/initrd.img-5.18.0-0.deb11.4-amd64
cd /tmp
rm -fr work
shutdown -r now && exit
Boot from the PC's hard drive; hopefully the system will still boot.

Create another backup.

Boot from the PC's hard drive
    ...
    login: root
    Password:
cd /boot
rm initrd.img-5.10.0-18-amd64-BACKUP initrd.img-5.18.0-0.deb11.4-amd64-BACKUP
mkdir /crw
mount /dev/mapper/vg0-crw /crw
umount /dev/sda1
cd /boot
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-Boot-1150-amd64-i386-01.tgz .
mount /dev/sda1 /boot/efi
cd /crw
sha256sum Stest-* > Stest_SHA256SUMS
scp -p Stest* seidl@10.xxx.yyy.2:/crw/seidl
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    seidl@10.xxx.yyy.2's password:
cd /
umount /crw
shutdown -h now && exit
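The "Make the initial ramdisks portable" procedure above splits the initrd at the block count that cpio prints, rewrites cryptroot/crypttab in the gzip'ed main archive and glues the two parts back together. The Python program below is an added example, not part of these notes: it reproduces that split by parsing the newc cpio headers itself, so the block count can be cross-checked against what `cpio -i ... | awk` reports, and it rewrites the crypttab entry while leaving the early microcode archive byte-for-byte untouched. Everything in it is constructed: the sample initrd, the microcode bytes and the all-zero UUID placeholder in the sample crypttab. It goes beyond the page's one-shot dd in two ways: it loops over several leading early archives, and it refuses a main archive that is not gzip, since the page's procedure only handles gzip.

```python
"""Split a Debian-style initrd into early (uncompressed newc cpio) and main (gzip'ed
newc cpio) parts, read cryptroot/crypttab, and write it back with a new line.
Added example with constructed data; not the notes' own tooling."""
import gzip

NEWC_MAGIC = b"070701"
GZIP_MAGIC = b"\x1f\x8b"
BLOCK = 512            # cpio's block size; the notes split with dd bs=512
TRAILER = "TRAILER!!!"


def _align(n, a):
    return (n + a - 1) // a * a


def build_newc(entries):
    """Write a newc cpio archive from (name, mode, data) triples, padded to a 512-byte
    block like 'cpio -oH newc', so a following archive starts on a block boundary."""
    out = bytearray()
    for ino, (name, mode, data) in enumerate(list(entries) + [(TRAILER, 0, b"")], 1):
        fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name) + 1, 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name.encode() + b"\0"
        out += b"\0" * (_align(len(out), 4) - len(out))   # header+name padded to 4
        out += data
        out += b"\0" * (_align(len(out), 4) - len(out))   # data padded to 4
    out += b"\0" * (_align(len(out), BLOCK) - len(out))
    return bytes(out)


def parse_newc(buf, off=0):
    """Walk one newc archive at 'off'; return ({name: (mode, data)}, end offset)."""
    entries = {}
    while True:
        if buf[off:off + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % off)
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = f[1], f[6], f[11]
        name = bytes(buf[off + 110:off + 110 + namesize - 1]).decode()
        start = _align(off + 110 + namesize, 4)
        end = start + filesize
        off = _align(end, 4)
        if name == TRAILER:
            return entries, off
        entries[name] = (mode, bytes(buf[start:end]))


def early_blocks(initrd):
    """512-byte blocks occupied by the leading uncompressed archive(s): the number the
    notes take from cpio's 'N blocks' message. Loops so that several early archives
    (e.g. two microcode cpios) are all kept in the early part."""
    off = 0
    while initrd[off:off + 6] == NEWC_MAGIC:
        _, end = parse_newc(initrd, off)
        off = _align(end, BLOCK)
    return off // BLOCK


def split_initrd(initrd):
    """Return (early_bytes, main_bytes); the main part must be gzip as in the notes."""
    cut = early_blocks(initrd) * BLOCK
    early, main = initrd[:cut], initrd[cut:]
    if main[:2] != GZIP_MAGIC:
        raise ValueError("main archive is not gzip; another decompressor is needed")
    return early, main


def main_entries(initrd):
    """Files of the main archive as {name: (mode, data)}."""
    entries, _ = parse_newc(gzip.decompress(split_initrd(initrd)[1]))
    return entries


def read_crypttab(initrd):
    """The crypttab the initramfs consults before unlocking the root device."""
    return main_entries(initrd)["cryptroot/crypttab"][1].decode()


def rewrite_crypttab(initrd, line):
    """Rebuild the initrd with cryptroot/crypttab replaced; the early part and every
    other file's mode and content are kept (the notes do this with find | cpio | gzip -9)."""
    early, _ = split_initrd(initrd)
    entries = main_entries(initrd)
    entries["cryptroot/crypttab"] = (0o100644, line.encode())
    rebuilt = build_newc((n, m, d) for n, (m, d) in entries.items())
    return early + gzip.compress(rebuilt, compresslevel=9)


def make_sample_initrd():
    """Constructed stand-in for /boot/initrd.img-*: a microcode early archive followed
    by a gzip'ed main archive whose crypttab names the device by a placeholder UUID."""
    early = build_newc([("kernel/x86/microcode/GenuineIntel.bin", 0o100644, b"\x01" * 64)])
    main = build_newc([
        ("init", 0o100755, b"#!/bin/sh\nexec /scripts/init\n"),
        ("cryptroot/crypttab", 0o100644,
         b"pvc0 UUID=00000000-0000-0000-0000-000000000000 none luks\n"),
    ])
    return early + gzip.compress(main, compresslevel=9)


if __name__ == "__main__":
    img = make_sample_initrd()
    print("early blocks:", early_blocks(img))
    print("old:", read_crypttab(img).strip())
    fixed = rewrite_crypttab(img, "pvc0 /dev/sda3 none luks\n")
    print("new:", read_crypttab(fixed).strip())
```

Used against a real image, `early_blocks` should agree with the `${earlyblocks}` the notes compute, and after the rebuild `read_crypttab` on initrd-NEW should return exactly the intended line while the first `early_blocks * 512` bytes are unchanged; if either check fails, do not copy the result over /boot/initrd.img-*, because a misplaced boundary loses the early microcode archive or leaves the kernel unable to find the main archive.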