CreatePortableDebianInstallation.txt
Occasionally, servers need to be reinstalled from scratch, be it because of the switch
from LUKS1 to LUKS2 or because of a change to a new graphics card. On the other hand,
a server cannot be out of service for a couple of weeks while it is being set up. A
separate installation system on which the operating software is prepared is therefore
absolutely necessary.
Both the installation machine and the target machine may have only one logical disk;
a RAID built from several physical disks counts as one logical disk and is permitted.
Use any basic PC equipped with UEFI-compliant platform firmware, a graphics card
that Debian Live can live with, and a 2TB hard drive as the installation vehicle.
Create a first bootable media using a file such as
firmware-11.5.0-amd64-DVD-1.iso,
called the Debian Installation Media.
Create a second bootable media using a file such as
debian-live-11.5.0-amd64-standard+nonfree.iso,
called Debian Live Media.
Due to some bug in firmware-11.5.0-amd64-DVD-1.iso's handling
of initial ramdisks, we need separate steps to create the correct ones.
Install with encrypted root.
Boot the PC from the Debian Installation Media
Advanced options
Expert install
Choose language
Language: English - English
Country, territory or area: other
Continent or region: Europe
Country, territory or area: Germany
Country to base default locale settings on: United States - en_US.UTF-8
Additional locales: de_DE.UTF-8
de_DE
de_DE@euro
en_US
en_US.ISO-8859-15
es_ES.UTF-8
es_ES
es_ES@euro
System locale: en_US.UTF-8
Configure the keyboard
Keymap to use: German
Detect and mount installation media
Load installer components from installation media
Installer components to load: devicemapper crypto module
Detect network hardware
Configure the network
Auto-configure networking? <No>
IP address: 10.xxx.yyy.17
Netmask: 255.255.255.0
Gateway: 10.xxx.yyy.15
Name server addresses: 10.xxx.yyy.15
Is this information correct? <Yes>
Waiting time (in seconds) for link detection: 3
Hostname: ... <Continue>
Domain name: ... <Continue>
Set up users and passwords
Enable shadow passwords: <Yes>
Allow login as root: <Yes>
Root password: <theRootPassword>
Re-enter password to verify: <theRootPassword>
Create a normal user account now: <No>
Configure the clock
Set the clock using NTP: <Yes>
NTP server to use: 0.debian.pool.ntp.org
Select your time zone: Europe/Berlin
Detect disks
Partition disks
<Go Back>
<Ctrl>-<Alt>-<F2>
cd /cdrom/pool/main
udpkg -i u/util-linux/fdisk-udeb_2.36.1-8\+deb11u1_amd64.udeb
cd /
# Disk setup from scratch.
fdisk /dev/sda
p
delete all partitions on /dev/sda
p
w
dd bs=1M count=3000 if=/dev/zero of=/dev/sda
fdisk /dev/sda
p
m
g
n
1
2048
1050623 (512M)
n
2
1050624
2099199 (512M)
n
3
2099200
<pressEnter>
t
1
1 (EFI System)
p
w
fdisk -l
cat /proc/partitions
dd bs=1M if=/dev/urandom of=/dev/sda3 (this may take hours)
cd /cdrom/pool/main
udpkg -i c/cryptsetup/cryptsetup-udeb_2.3.7-1\+deb11u1_amd64.udeb
udpkg -i c/cryptsetup/libcryptsetup12-udeb_2.3.7-1\+deb11u1_amd64.udeb
udpkg -i p/popt/libpopt0-udeb_1.18-2_amd64.udeb
udpkg -i a/argon2/libargon2-1-udeb_0~20171227-0.2_amd64.udeb
udpkg -i j/json-c/libjson-c5-udeb_0.15-2_amd64.udeb
cd /
cryptsetup --key-size 512 luksFormat /dev/sda3
Are you sure ? (Type uppercase yes): YES
Enter passphrase: <theDiskCryptPassPhrase>
Verify passphrase: <theDiskCryptPassPhrase>
cryptsetup open /dev/sda3 pvc0
Enter passphrase for /dev/sda3: <theDiskCryptPassPhrase>
cat /proc/partitions
cryptsetup status pvc0
pvdisplay
pvcreate /dev/mapper/pvc0
vgcreate vg0 /dev/mapper/pvc0
pvdisplay
lvcreate -L 54G vg0 -n swap
lvcreate -L 50G vg0 -n root
lvcreate -L 50G vg0 -n altroot
lvcreate -L 10G vg0 -n mail
lvcreate -L 14G vg0 -n u1
lvcreate -L 2G vg0 -n u2
lvcreate -L 50G vg0 -n u3
lvcreate -L 400G vg0 -n crw
lvcreate -L 1200G vg0 -n cro
lvdisplay
pvdisplay
#
# Just as a reminder, this would be the sequence to destroy everything created above.
# lvremove -f vg0/cro
# ...
# lvremove -f vg0/swap
# vgremove -f vg0
# pvremove -y /dev/mapper/pvc0
# cryptsetup close pvc0
# End of reminder.
#
ls -al /dev/mapper
mkfs.fat /dev/sda1
mkfs.ext2 /dev/sda2
mkswap /dev/vg0/swap
mkfs.ext4 /dev/vg0/root
mkfs.ext4 /dev/vg0/altroot
mkfs.ext4 /dev/vg0/mail
mkfs.ext4 /dev/vg0/u1
mkfs.ext4 /dev/vg0/u2
mkfs.ext4 /dev/vg0/u3
mkfs.ext4 /dev/vg0/crw
mkfs.ext4 /dev/vg0/cro
swapon /dev/mapper/vg0-swap
cat /proc/swaps
swapoff /dev/mapper/vg0-swap
cat /proc/swaps
cat /proc/partitions
ls -al /dev/mapper
<Ctrl>-<Alt>-<F1>
Partition disks
Goto LVM VG vg0, LV root #1 and <pressEnter>
# Uncommon behavior: in some cases, hitting Enter toggles the setting instead of opening it.
Partition settings: Use as: do not use <pressEnter>
How to use this partition: Ext4 journaling file system
Partition settings: Mount point: none <pressEnter>
Mount point for this partition: / - the root file system
Partition settings: Done setting up the partition
Goto SCSI1 (...) (sda) #2 and <pressEnter>
Partition settings: Use as: do not use <pressEnter>
How to use this partition: Ext2 file system
Partition settings: Mount point: none <pressEnter>
Mount point for this partition: /boot - static files of the boot loader
Partition settings: Done setting up the partition
Goto SCSI1 (...) (sda) #1 and <pressEnter>
Partition settings: Use as: EFI System Partition
Partition settings: Bootable flag: on
Partition settings: Done setting up the partition
Goto LVM VG vg0, LV swap #1 and <pressEnter>
Partition settings: Use as: do not use <pressEnter>
How to use this partition: swap area
Partition settings: Done setting up the partition
Finish partitioning and write changes to disk
Write the changes to disks?: <Yes>
Install the base system
Kernel to install: linux-image-5.10.0-18-amd64
Drivers to include in the initrd: generic: include all available drivers
Configure the package manager
Use a network mirror: <No>
Services to use: <untagAll>
Select and install software
Updates management on this system: No automatic updates
Participate in the package usage survey: <No>
Choose software to install: <untagAll>
Install the GRUB boot loader
Force GRUB installation to the EFI removable media path: <No>
<Ctrl>-<Alt>-<F2>
# Define /etc/crypttab.
cd /target/etc
echo pvc0 /dev/sda3 none luks > crypttab
nano crypttab
<Ctrl>-x
cat crypttab
# Define /etc/fstab.
echo -n > fstab
echo /dev/mapper/vg0-swap none swap sw 0 0 >> fstab
echo /dev/mapper/vg0-root / ext4 errors=remount-ro 0 1 >> fstab
echo /dev/sda2 /boot ext2 defaults 0 2 >> fstab
echo /dev/sda1 /boot/efi vfat umask=0077 0 1 >> fstab
nano fstab
<Ctrl>-x
cat fstab
# Due to the passphrase for the hard disk, early
# USB keyboard support is of vital importance.
cd /target/etc/initramfs-tools
echo usbcore >> modules
echo uhci_hcd >> modules
echo ehci_hcd >> modules
echo ehci_pci >> modules
echo usbhid >> modules
echo hid_generic >> modules
nano modules
<Ctrl>-x
cat modules
# Define /etc/initramfs-tools/conf.d/resume, if not yet done.
cd /target/etc/initramfs-tools/conf.d
cat resume
echo RESUME=/dev/mapper/vg0-swap > resume
ls -al resume
nano resume
<Ctrl>-x
cat resume
# Pay attention: update-initramfs will automatically
# be executed by "Finish the installation" below.
cd /
<Ctrl>-<Alt>-<F1>
Finish the installation
Is the system clock set to UTC: <Yes>
Remove the installation media:
Insert the Debian Live Media and press <Continue>
Do not try to boot from the PC's hard drive; the system will not boot.
Instead, repair the initial ramdisk with the live system.
Boot from the Debian Live Media
GRUB
Debian GNU/Linux Live (kernel 5.10.0-18-amd64)
sudo bash
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install cryptsetup
umount /mnt
Unplug the Debian Installation Media
cat /proc/partitions
cryptsetup open /dev/sda3 pvc0
Enter passphrase for /dev/sda3: <theDiskCryptPassPhrase>
cat /proc/partitions
mount /dev/mapper/vg0-root /mnt
mount /dev/sda2 /mnt/boot
mount /dev/sda1 /mnt/boot/efi
mount -t proc proc /mnt/proc
mount -t sysfs sys /mnt/sys
mount -o bind /dev /mnt/dev
mount -o bind /run /mnt/run
mount -t devpts pts /mnt/dev/pts
chroot /mnt
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install nfs-common
umount /mnt
Unplug the Debian Installation Media
mkdir /cro
mount -t nfs 10.xxx.yyy.2:/cro /cro
cat /cro/pub/debian/next/amd64/Sources.list | sed 's,/stable/,/next/,' > /etc/apt/sources.list
apt-get update
apt-get install cryptsetup cryptsetup-initramfs
umount /cro
cd /
<Ctrl>-<Alt>-<F2>
sudo bash
umount /mnt/boot/efi
umount /mnt/boot
mount -o ro,remount /mnt
shutdown -h now && exit
Unplug the Debian Live Media
Boot from the PC's hard drive; the system will boot now.
Install all packages.
Boot from the PC's hard drive
... login: root
Password: <theRootPassword>
mount -t nfs 10.xxx.yyy.2:/cro /cro
apt-get update
/cro/pub/debian/next/amd64/InstallPackages
General type of mail configuration: No configuration
Policy for handling keymaps: Don't touch keymap
Should unprivileged users be allowed to mount WebDAV resources? <No>
Space-separated list of Maple users: root
Do you agree to the "Intel Pro Wireless 2100 and 2200/2915 License"? <Yes>
umount /cro
dpkg-reconfigure keyboard-configuration
Keyboard model: Generic 105-key PC (intl.)
Keyboard layout: German - German (no dead keys)
Key to function as AltGr: The default for the keyboard layout
Compose key: No compose key
Use Control+Alt+Backspace to terminate the X server?: <No>
# service keyboard-setup restart (does now work)
# udevadm trigger --subsystem-match=input --action=change (does now work)
update-initramfs -c -k all
dpkg -l | grep -v ^ii
cd /boot/efi/EFI/debian
echo -n > grub.cfg
echo 'set root=hd0,gpt2' >> grub.cfg
echo 'set prefix=($root)/grub' >> grub.cfg
echo 'configfile $prefix/grub.cfg' >> grub.cfg
vi grub.cfg
cat grub.cfg
cd /boot/grub
echo -n > grub.cfg
echo "set timeout=20" >> grub.cfg
echo "set root=hd0,gpt2" >> grub.cfg
echo "insmod efi_gop" >> grub.cfg
echo "insmod part_gpt" >> grub.cfg
echo "insmod ext2" >> grub.cfg
echo "insmod gzio" >> grub.cfg
echo "menuentry 'vmlinuz-5.18.0-0.deb11.4, vg0-root as /' {" >> grub.cfg
echo " linux /vmlinuz-5.18.0-0.deb11.4-amd64 root=/dev/mapper/vg0-root ro quiet" >> grub.cfg
echo " initrd /initrd.img-5.18.0-0.deb11.4-amd64" >> grub.cfg
echo " }" >> grub.cfg
echo "menuentry 'vmlinuz-5.18.0-0.deb11.4, vg0-altroot as /' {" >> grub.cfg
echo " linux /vmlinuz-5.18.0-0.deb11.4-amd64 root=/dev/mapper/vg0-altroot ro quiet" >> grub.cfg
echo " initrd /initrd.img-5.18.0-0.deb11.4-amd64" >> grub.cfg
echo " }" >> grub.cfg
echo "menuentry 'vmlinuz-5.10.0-18, vg0-root as /' {" >> grub.cfg
echo " linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-root ro quiet" >> grub.cfg
echo " initrd /initrd.img-5.10.0-18-amd64" >> grub.cfg
echo " }" >> grub.cfg
echo "menuentry 'vmlinuz-5.10.0-18, vg0-altroot as /' {" >> grub.cfg
echo " linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-altroot ro quiet" >> grub.cfg
echo " initrd /initrd.img-5.10.0-18-amd64" >> grub.cfg
echo " }" >> grub.cfg
vi grub.cfg
cat grub.cfg
cd /boot/grub/x86_64-efi
echo -n > load.cfg
echo 'set root=hd0,gpt2' >> load.cfg
echo 'set prefix=($root)/grub' >> load.cfg
vi load.cfg
cat load.cfg
shutdown -h now && exit
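The hand-written grub.cfg above hard-codes kernel versions, so a menuentry whose kernel or initrd is absent from /boot fails at boot with nothing more than a GRUB error. The following check is an added example and not part of the original notes: it parses a grub.cfg of that shape, verifies that every linux and initrd path exists below the file system GRUB was given as its root (/boot on sda2 here), and that each root= device is one of the known logical volumes. The sample grub.cfg, the throwaway /boot directory it creates (holding only the 5.10 kernel), the extra vg0-oldroot entry and all function names are constructed for illustration.

```python
import os
import re
import tempfile

MENUENTRY_RE = re.compile(r"menuentry\s+'([^']*)'\s*\{")
FILE_RE = re.compile(r"^\s*(linux|initrd)\s+(\S+)")
ROOT_RE = re.compile(r"\broot=(\S+)")


def parse_grub_cfg(text):
    """Extract title, linux path, initrd path and root= value from each
    menuentry of a hand-written grub.cfg (no submenus, single-quoted titles)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = MENUENTRY_RE.search(line)
        if m:
            cur = {"title": m.group(1), "linux": None, "initrd": None, "root": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = FILE_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2)
            if m.group(1) == "linux":
                r = ROOT_RE.search(line)
                cur["root"] = r.group(1) if r else None
        elif line.strip() == "}":
            cur = None
    return entries


def check_grub_cfg(text, boot_dir, mapper_devices):
    """Return {title: [problems]} for menuentries that would not boot: kernel or
    initrd missing under boot_dir (the GRUB root, /boot on sda2 in the notes),
    or root= pointing at a device that is not one of the known LVs."""
    problems = {}
    for e in parse_grub_cfg(text):
        issues = []
        for key in ("linux", "initrd"):
            if e[key] is None:
                issues.append("no %s line" % key)
            elif not os.path.isfile(os.path.join(boot_dir, e[key].lstrip("/"))):
                issues.append("%s missing: %s" % (key, e[key]))
        if e["root"] not in mapper_devices:
            issues.append("root= not a known volume: %s" % e["root"])
        if issues:
            problems[e["title"]] = issues
    return problems


# Constructed sample: entries in the style of the notes, plus one pointing at a
# volume that does not exist (vg0-oldroot) to show the root= check.
SAMPLE_CFG = """set timeout=20
set root=hd0,gpt2
insmod efi_gop
insmod part_gpt
insmod ext2
insmod gzio
menuentry 'vmlinuz-5.18.0-0.deb11.4, vg0-root as /' {
 linux /vmlinuz-5.18.0-0.deb11.4-amd64 root=/dev/mapper/vg0-root ro quiet
 initrd /initrd.img-5.18.0-0.deb11.4-amd64
 }
menuentry 'vmlinuz-5.10.0-18, vg0-root as /' {
 linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-root ro quiet
 initrd /initrd.img-5.10.0-18-amd64
 }
menuentry 'vmlinuz-5.10.0-18, vg0-altroot as /' {
 linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-altroot ro quiet
 initrd /initrd.img-5.10.0-18-amd64
 }
menuentry 'vmlinuz-5.10.0-18, vg0-oldroot as /' {
 linux /vmlinuz-5.10.0-18-amd64 root=/dev/mapper/vg0-oldroot ro quiet
 initrd /initrd.img-5.10.0-18-amd64
 }
"""
KNOWN_LVS = ["/dev/mapper/vg0-root", "/dev/mapper/vg0-altroot"]


def make_sample_boot():
    """Create a throwaway /boot look-alike that holds only the 5.10 kernel files."""
    d = tempfile.mkdtemp(prefix="boot-")
    for name in ("vmlinuz-5.10.0-18-amd64", "initrd.img-5.10.0-18-amd64"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\0")
    return d


if __name__ == "__main__":
    for title, issues in check_grub_cfg(SAMPLE_CFG, make_sample_boot(), KNOWN_LVS).items():
        print(title, "->", "; ".join(issues))
```

Run against the real file with check_grub_cfg(open("/boot/grub/grub.cfg").read(), "/boot", [...]) after listing the LVs with lvdisplay; an empty result means every entry refers to files and volumes that are actually present.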
Create backups.
Boot from the Debian Live Media
GRUB
Debian GNU/Linux Live (kernel 5.10.0-18-amd64)
sudo bash
Plug in the Debian Installation Media
cat /proc/partitions
mount /dev/sdc1 /mnt
echo "deb [trusted=yes] file:/mnt/ bullseye main contrib non-free" > /etc/apt/sources.list
vi /etc/apt/sources.list
cat /etc/apt/sources.list
apt-get update
apt-get install cryptsetup
umount /mnt
Unplug the Debian Installation Media
cryptsetup open /dev/sda3 pvc0
Enter passphrase for /dev/sda3: <theDiskCryptPassPhrase>
cryptsetup status pvc0
ls -al /dev/mapper
mkdir /crw
mount /dev/mapper/vg0-crw /crw
mount /dev/sda1 /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-BootEfi-1150-amd64-i386-00.tgz .
cd /
umount /mnt
mount /dev/sda2 /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-Boot-1150-amd64-i386-00.tgz .
cd /
umount /mnt
mount /dev/mapper/vg0-root /mnt
cd /mnt
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-RootDebian-1150-amd64-i386-00.tgz .
cd /
umount /mnt
cd /crw
sha256sum Stest-* > Stest_SHA256SUMS
scp -p Stest* seidl@10.xxx.yyy.2:/crw/seidl
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
seidl@10.xxx.yyy.2's password: <thePassword>
cd /
umount /crw
shutdown -h now && exit
Boot from the PC's hard drive.
Make the initial ramdisks portable.
Boot from the PC's hard drive
... login: root
Password: <theRootPassword>
cd /boot
cp -p initrd.img-5.10.0-18-amd64 initrd.img-5.10.0-18-amd64-BACKUP
cp -p initrd.img-5.18.0-0.deb11.4-amd64 initrd.img-5.18.0-0.deb11.4-amd64-BACKUP
cd /tmp
rm -fr work
mkdir work
cd work
cp /boot/initrd.img-5.10.0-18-amd64 initrd
# Do `unmkinitramfs' by hand.
earlyblocks=`cat initrd | cpio -i --to-stdout 2>&1 >/dev/null | awk '{print $1;}'`
echo "${earlyblocks}"
dd if=initrd of=initrdearly bs=512 count=${earlyblocks}
dd if=initrd of=initrdmain bs=512 skip=${earlyblocks}
mkdir early main
cd early
cat ../initrdearly | cpio -idm
cd ../main
cat ../initrdmain | gzip -dc | cpio -idm
cd cryptroot
cat crypttab
echo pvc0 /dev/sda3 none luks > crypttab
cat crypttab
cd ../..
# Do `mymkinitramfs'.
cd early
find . -print0 | cpio -0oH newc > ../initrdearly-NEW
cd ../main
find . -print0 | cpio -0oH newc | gzip -9c > ../initrdmain-NEW
cd ..
cat initrdearly-NEW initrdmain-NEW > initrd-NEW
cp initrd-NEW /boot/initrd.img-5.10.0-18-amd64
cd /tmp
rm -fr work
mkdir work
cd work
cp /boot/initrd.img-5.18.0-0.deb11.4-amd64 initrd
# Do `unmkinitramfs' by hand.
earlyblocks=`cat initrd | cpio -i --to-stdout 2>&1 >/dev/null | awk '{print $1;}'`
echo "${earlyblocks}"
dd if=initrd of=initrdearly bs=512 count=${earlyblocks}
dd if=initrd of=initrdmain bs=512 skip=${earlyblocks}
mkdir early main
cd early
cat ../initrdearly | cpio -idm
cd ../main
cat ../initrdmain | gzip -dc | cpio -idm
cd cryptroot
cat crypttab
echo pvc0 /dev/sda3 none luks > crypttab
cat crypttab
cd ../..
# Do `mymkinitramfs'.
cd early
find . -print0 | cpio -0oH newc > ../initrdearly-NEW
cd ../main
find . -print0 | cpio -0oH newc | gzip -9c > ../initrdmain-NEW
cd ..
cat initrdearly-NEW initrdmain-NEW > initrd-NEW
cp initrd-NEW /boot/initrd.img-5.18.0-0.deb11.4-amd64
cd /tmp
rm -fr work
shutdown -r now && exit
Boot from the PC's hard drive; hopefully the system will still boot.
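The dd/cpio/gzip sequence above depends on the block count that cpio prints to find where the uncompressed early archive ends, and on cpio and gzip being installed. As an added example that is not part of the original notes, the following Python script performs the same split and patch without the cpio binary by walking the newc headers itself: it locates the end of the early archive(s), rounds up to cpio's 512-byte block (so the count equals what `cpio -i` reports and what the dd lines use), unpacks the gzip-compressed main archive, replaces cryptroot/crypttab with the device-path line and repacks it with recomputed size fields. The initrd it operates on is constructed inline; the function names are assumptions.

```python
import gzip

NEWC_MAGIC = b"070701"
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize", "devmajor",
          "devminor", "rdevmajor", "rdevminor", "namesize", "check")
BLOCK = 512  # GNU cpio pads every archive it writes to a multiple of 512 bytes


def _align4(n):
    return (n + 3) & ~3


def read_newc(buf, offset=0):
    """Parse one newc cpio archive in buf starting at offset.
    Returns (entries, end): entries is a list of (header dict, name, data);
    end is the offset just past the archive including its 512-byte padding,
    so end // 512 is the number `cpio -i ... | awk '{print $1}'` reports."""
    entries, pos = [], offset
    while True:
        if buf[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("no newc header at offset %d" % pos)
        hdr = {f: int(buf[pos + 6 + 8 * i:pos + 14 + 8 * i], 16)
               for i, f in enumerate(FIELDS)}
        name = bytes(buf[pos + 110:pos + 110 + hdr["namesize"] - 1]).decode()
        data_start = _align4(pos + 110 + hdr["namesize"])
        data = bytes(buf[data_start:data_start + hdr["filesize"]])
        pos = _align4(data_start + hdr["filesize"])
        if name == "TRAILER!!!":
            break
        entries.append((hdr, name, data))
    return entries, (pos + BLOCK - 1) // BLOCK * BLOCK


def write_newc(entries):
    """Serialise entries as a newc archive, recomputing namesize and filesize."""
    out = bytearray()

    def emit(hdr, name, data):
        h = dict(hdr, namesize=len(name) + 1, filesize=len(data), check=0)
        out.extend(NEWC_MAGIC + b"".join(b"%08x" % h[f] for f in FIELDS))
        out.extend(name.encode() + b"\0")
        out.extend(b"\0" * (_align4(len(out)) - len(out)))  # header+name to 4 bytes
        out.extend(data)
        out.extend(b"\0" * (_align4(len(out)) - len(out)))  # data to 4 bytes

    for hdr, name, data in entries:
        emit(hdr, name, data)
    emit(dict.fromkeys(FIELDS, 0), "TRAILER!!!", b"")
    out.extend(b"\0" * (-len(out) % BLOCK))  # pad to cpio's block size
    return bytes(out)


def file_entry(name, data, mode=0o100644):
    """Header for a regular file (constructed; real initrds carry uid/mtime too)."""
    return (dict(dict.fromkeys(FIELDS, 0), mode=mode, nlink=1), name, data)


def build_initrd(early_files, main_files):
    """Assemble a bullseye-style initrd: uncompressed early cpio (microcode)
    followed by a gzip-compressed main cpio. Used only to construct the sample."""
    early = write_newc([file_entry(n, d) for n, d in early_files])
    main = gzip.compress(write_newc([file_entry(n, d) for n, d in main_files]), 9)
    return early + main


def split_initrd(initrd):
    """Return (offset of the main archive, decoded entries of the main archive)."""
    pos = 0
    while initrd[pos:pos + 6] == NEWC_MAGIC:  # early, early2, ... are uncompressed
        _, pos = read_newc(initrd, pos)
    if initrd[pos:pos + 2] != b"\x1f\x8b":
        raise ValueError("main archive at offset %d is not gzip; not handled here" % pos)
    return pos, read_newc(gzip.decompress(initrd[pos:]))[0]


def rewrite_crypttab(initrd, crypttab_line):
    """The hand-made unmkinitramfs/mkinitramfs of the notes in one step.
    Returns (new initrd bytes, early block count as dd would use it)."""
    pos, entries = split_initrd(initrd)
    patched, found = [], False
    for hdr, name, data in entries:
        if name == "cryptroot/crypttab":
            data, found = crypttab_line.encode(), True
        patched.append((hdr, name, data))
    if not found:
        raise ValueError("cryptroot/crypttab not in main archive")
    return initrd[:pos] + gzip.compress(write_newc(patched), 9), pos // BLOCK


def crypttab_of(initrd):
    """Return the cryptroot/crypttab text inside an initrd, for verification."""
    for _, name, data in split_initrd(initrd)[1]:
        if name == "cryptroot/crypttab":
            return data.decode()
    return None


# Constructed sample: a microcode blob in early, a UUID-based crypttab in main
# (the form update-initramfs generates, which ties the initrd to one disk).
SAMPLE = build_initrd(
    [("kernel/x86/microcode/GenuineIntel.bin", b"\x01" * 3000)],
    [("init", b"#!/bin/sh\nexec /scripts/init\n"),
     ("cryptroot/crypttab", b"pvc0 UUID=00000000-0000-0000-0000-000000000000 none luks\n")])

if __name__ == "__main__":
    new, blocks = rewrite_crypttab(SAMPLE, "pvc0 /dev/sda3 none luks\n")
    print("early archive: %d blocks; crypttab now: %s" % (blocks, crypttab_of(new).strip()))
```

Applied to a real file, open("/boot/initrd.img-5.10.0-18-amd64", "rb").read() goes in and the returned bytes are written back after the backup copy has been made, as the notes do; crypttab_of on the result is the check that the device-path line really landed in the image before rebooting. The script only handles a gzip-compressed main archive, which is what bullseye's initramfs-tools produces by default; an initrd compressed with another tool would need its decompressor swapped in.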
Create another backup.
Boot from the PC's hard drive
... login: root
Password: <theRootPassword>
cd /boot
rm initrd.img-5.10.0-18-amd64-BACKUP initrd.img-5.18.0-0.deb11.4-amd64-BACKUP
mkdir /crw
mount /dev/mapper/vg0-crw /crw
umount /dev/sda1
cd /boot
tar --exclude lost+found --numeric-owner -cpzf /crw/Stest-Boot-1150-amd64-i386-01.tgz .
mount /dev/sda1 /boot/efi
cd /crw
sha256sum Stest-* > Stest_SHA256SUMS
scp -p Stest* seidl@10.xxx.yyy.2:/crw/seidl
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
seidl@10.xxx.yyy.2's password: <thePassword>
cd /
umount /crw
shutdown -h now && exit
Stephan K.H. Seidl