Linux Installation and Configuration Notes
This page contains random notes about my experiences while installing and using Debian Linux (Version 3.0) on a Dell Poweredge 400SC machine. Installation notes for Sarge (Version 3.1) on a Dell Inspiron 8600 laptop are also available.
Hardware Specs
Since it's relevant, here are the specs for the box, some of which were determined using the lspci command:
- Dell Poweredge 400SC
- Pentium 2.26 GHz processor
- 512 MB RAM
- Multimedia audio controller: Intel Corp.: Unknown device 24d5 (rev 02)
- VGA compatible controller: ATI Technologies Inc Rage XL (rev 27)
- Ethernet controller: Intel Corp.: Unknown device 100e (rev 02)
Basic Installation Steps
Note: I originally started out with the Debian 3.0 installation CD from linuxiso.org, but after getting everything installed I discovered that the kernel on this CD does not support my NIC, and a web server that can't connect to the network isn't terribly useful.
Installation Steps:
- Download a Dell Debian installation ISO from http://linux.dell.com/distributions.shtml and burn it to CD.
- Boot the server using the new CD image.
- Follow the instructions on screen, noting the following:
  - You will probably want a swap partition that is the same size as the amount of system RAM.
  - Do not install any modules; they were included in the Dell installation ISO image.
  - When asked for apt sources, use http.
  - To get the network adapter working I had to do an ALT-F2 after rebooting and then edit the /etc/network/interfaces file to include the line "auto eth0".
  - I also initially got errors when apt tried to resolve the Debian host URL. After using ALT-F2 to get a new window and pinging the host there weren't any further issues.
This install seems to be using DHCP happily for networking, but in past installs I've had to set nameserver values by doing the following:
- Update the /etc/resolv.conf file to contain the line "nameserver xx.xx.xx.xx" where xx.xx.xx.xx is the nameserver provided by your ISP.
- Update the /etc/dhclient.conf file with the line "supersede domain-name-servers xx.xx.xx.xx;" where xx.xx.xx.xx is the nameserver provided by your ISP. If this step is overlooked then the DHCP client will use the default router nameserver after every reboot.
If installing the Debian testing or unstable distributions, you will need to follow these steps after getting a basic system up and running:
- Edit the /etc/apt/sources.list file to read:
deb http://http.us.debian.org/debian testing main contrib non-free
#deb http://http.us.debian.org/debian stable main contrib non-free
#deb http://ftp.us.debian.org/debian/ stable main non-free contrib
#deb-src http://ftp.us.debian.org/debian/ stable main non-free contrib
deb http://non-us.debian.org/debian-non-US testing/non-US main contrib non-free
#deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
#deb http://security.debian.org/ stable/updates main contrib non-free
- As root execute the command "apt-get dist-upgrade". Then go rent a video or something because this will take a while.
- After the upgrade is complete, reboot and then as root run the "dselect" command to select and install the packages you want on your machine.
Kernel Upgrades
In order to get the latest fixes and drivers it will probably be necessary to upgrade kernels much more frequently than Debian makes releases. The process is surprisingly easy, although backups are a must. Note that after installation the Debian kernel configuration is listed in /boot/config-2.4.25-bf2.4 (note the name changes depending on kernel version). In addition, the list of currently installed modules can be retrieved with the lsmod command. Finally, http://oregonstate.edu/~kveton/kernel/ provides the following overview for using the Debian kernel package manager.
To upgrade from the default Debian install kernel:
- Download the latest kernel source from kernel.org into the /usr/src/ directory.
- Install the kernel-package, libncurses5, and libncurses5-dev packages using dselect.
- From the /usr/src/ directory, do a "tar xvfz kernel-source" on the downloaded kernel source.
- To maintain your existing configuration, do a "cp /boot/config-2.4.25-bf2.4 /usr/src/linux-2.4.25/.config", replacing the kernel versions as appropriate.
- Execute the command "make menuconfig".
- Execute the command "make-kpkg kernel-image".
- Execute the command "dpkg -i kernel-image-2.4.25_10.00.Custom_i386.deb".
- Reboot.
To upgrade a previously upgraded kernel:
- Download the latest kernel source from kernel.org into the /usr/src/ directory.
- From the /usr/src/ directory, do a "tar xvfz kernel-source" on the downloaded kernel source.
- Copy the ".config" from the old /usr/src/linux-2.4.25 directory to the new /usr/src/linux-2.4.26 directory. Note: I tried just using make oldconfig and encountered errors, so I recommend copying the .config file and letting make-kpkg deal with configuration differences.
- Change directory to the untarred kernel source directory (ie "cd /usr/src/linux-2.4.26").
- Execute the command "make-kpkg kernel-image". This command will utilize your old configuration information and ask questions about any new configuration items.
- Execute the command "dpkg -i kernel-image-2.4.26_10.00.Custom_i386.deb".
- Reboot.
Mounting Windows Partitions
In order to access my Windows partitions from Linux I found this site and this site invaluable.
- Create a new directory in Linux (ie /mnt/windows) under which the Windows partition should be visible in Linux.
- Determine the Windows partition information by running the command "fdisk -l". This command will list all partitions available to the system.
- Mount the partition using the information determined from fdisk, ie "mount /dev/hda5 /mnt/windows".
- Update the /etc/fstab file with information for the Windows partition:
For VFAT:
/dev/hda6 /mnt/windows vfat umask=0,quiet 0 0
For NTFS:
/dev/hda6 /mnt/windows ntfs ro,noauto,user 0 0
What the above line says is that the partition should be mounted in the /mnt/windows directory and that permission should be granted to all users.
ddclient Configuration
Dynamic DNS.org provides a way to have a static web address (ie mountaininterval.org) even though the ISP is continually changing the IP address. To make this service work I run a client called ddclient. I've had troubles with the Debian package for this client, so I simply downloaded and installed it on my own. The steps to get this client running are:
- Download and unzip the package.
- Read the README file.
- Copy the "ddclient" executable to /usr/sbin/.
- Update the sample-etc_ddclient.conf file and copy it to /etc/ddclient.conf. My configuration file looks something like the following:
daemon=300 # check every 300 seconds
syslog=yes # log update msgs to syslog
mail=root # mail all msgs to root
mail-failure=root # mail failed update msgs to root
pid=/var/run/ddclient.pid # record PID in file.
use=web, web=checkip.dyndns.org/, web-skip='IP Address'
protocol=dyndns2 # default protocol
server=members.dyndns.org # default server
login=login
password=password
server=members.dyndns.org, \
protocol=dyndns2 \
otterson.dyndns.org
custom=yes, \
server=members.dyndns.org, \
protocol=dyndns2 \
mountaininterval.org
- Copy the sample-etc_rc.d_init.d_ddclient file to /etc/init.d/ddclient.
- From the command line (as root) enter the command "update-rc.d ddclient defaults". This command will ensure that ddclient is always started after reboots.
Apache Configuration
In order to keep my logs free from filling up with hits from the various Microsoft worms floating around the net I added the following lines to the /etc/apache/httpd.conf file:
# custom additions to hopefully keep code red and other Microsoft
# worms out of the logs
SetEnvIfNoCase Request_URI "^/MSADC" ms-worms
SetEnvIfNoCase Request_URI "^/C/" ms-worms
SetEnvIfNoCase Request_URI "^/D/" ms-worms
SetEnvIf Request_URI "^/scripts" ms-worms
SetEnvIf Request_URI "^/default\.ida" ms-worms
SetEnvIf Request_URI "^/_mem_bin" ms-worms
SetEnvIf Request_URI "^/_vti_bin" ms-worms
CustomLog /var/log/apache/ms-worms.log common env=ms-worms
CustomLog /var/log/apache/access.log combined env=!ms-worms
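To see which requests these rules divert, the following added example (not part of the original notes) replays the same URI prefixes over constructed log lines; the function names and sample requests are assumptions made for illustration. It shows that the four case-sensitive SetEnvIf rules let a mixed-case variant such as /Scripts/ through to access.log, so using SetEnvIfNoCase for all seven keeps the logs cleaner.

```shell
#!/bin/sh
# Added illustration: replays the SetEnvIf / SetEnvIfNoCase prefixes above
# against request URIs. Prints "ms-worms" or "access" (the log that gets the hit).
classify_uri() {
    uri=$1
    # SetEnvIfNoCase rules (^/MSADC, ^/C/, ^/D/): compare in lower case.
    lower=$(printf '%s' "$uri" | tr 'A-Z' 'a-z')
    case $lower in
        /msadc*|/c/*|/d/*) echo ms-worms; return 0 ;;
    esac
    # SetEnvIf rules are case-sensitive prefix matches.
    case $uri in
        /scripts*|/default.ida*|/_mem_bin*|/_vti_bin*) echo ms-worms; return 0 ;;
    esac
    echo access
}

# Reads common-format log lines on stdin; prints "<worm hits> <normal hits>".
count_hits() {
    worms=0
    normal=0
    while read -r _host _ident _user _ts _tz _method uri _rest; do
        if [ "$(classify_uri "$uri")" = ms-worms ]; then
            worms=$((worms + 1))
        else
            normal=$((normal + 1))
        fi
    done
    echo "$worms $normal"
}

# Constructed sample log lines (documentation addresses, made-up requests).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [30/May/2004:11:55:24 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 283
192.0.2.11 - - [30/May/2004:11:56:02 -0700] "GET /msadc/probe HTTP/1.0" 404 279
192.0.2.11 - - [30/May/2004:11:56:03 -0700] "GET /scripts/probe HTTP/1.0" 404 281
192.0.2.12 - - [30/May/2004:11:57:10 -0700] "GET /Scripts/probe HTTP/1.0" 404 281
198.51.100.7 - - [30/May/2004:12:01:45 -0700] "GET /journal.html HTTP/1.1" 200 5120
EOF
}

sample_log | count_hits
```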
Aliases:
Alias /ryan/journal.html /data/www/journal-2004-03.html
Alias /journal.html /data/www/journal-2004-03.html
Alias /ryan/ /data/www/
Other values that I changed in the httpd.conf file:
- ServerName - Changed to www.mountaininterval.org
- DocumentRoot - Changed to the server location that I put all of the site's HTML files into.
- <Directory> - Changed to match the DocumentRoot value.
- HostnameLookups - Changed to "on" since I like to know where people are coming from
Also of note is that the command to restart Apache is "/usr/sbin/apachectl restart".
By default Debian rotates logs weekly. To change this update the /etc/logrotate.d/apache file.
This one took me a long time to solve: when installing Apache, the document root and ALL parent directories must have proper permissions. If one parent directory has restrictive permissions, no pages can be served.
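One way to find the offending parent directory, as an added example that is not part of the original notes: it walks from the document root up to / and prints every directory that lacks the traverse (execute) bit for "other". It assumes the Apache account reaches the files through the "other" permission bits; the function name and the optional stop-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the web server user is neither owner nor group
# member of these directories, so the "other" execute bit decides access.
# Usage: find_blocking_dirs /data/www [stop-dir]
# Prints one line per directory that others cannot traverse, deepest first.
find_blocking_dirs() {
    dir=$1
    top=${2:-/}
    while :; do
        # First 10 characters of "ls -ld" are the type and permission string.
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;              # others may traverse (t = sticky + x)
            *) printf '%s\n' "$dir" ;;     # missing o+x, or not a directory
        esac
        # Stop at the requested top, at /, or if given a bare relative path.
        if [ "$dir" = "$top" ] || [ "$dir" = / ] || [ "$dir" = . ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
}

# Check the directory given as the first argument, or the current one.
find_blocking_dirs "${1:-$PWD}"
```

Each path printed needs "chmod o+x" (or a matching group) before Apache can serve anything beneath it.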
Tomcat
The first step required to get Tomcat running is to install a JDK:
- Download a Linux JDK package from Sun.
- Make the downloaded file executable by executing the command "chmod 755 filename".
- Execute the file, which will uncompress it into the current directory. If you would prefer to have it in a different directory simply move the uncompressed files (ie "mv jdk1.5.0 /usr/share/jdk1.5.0/").
- Update environment variables:
  - In /etc/profile add the line "JAVA_HOME=/JDK-install-folder/". In addition, update the PATH variable to contain the /JDK-install-folder/bin/ directory.
  - If Tomcat is installed, update the /etc/default/tomcat4 file to contain the line "JAVA_HOME=/JDK-install-folder/".
Once the JDK is installed Tomcat can be installed by doing the following:
- Using dselect, install the following packages:
  - tomcat4
  - libtomcat4-java
  - tomcat4-webapps - Sample Tomcat applications (optional)
  - libapache-mod-jk - Apache connector module for Tomcat (optional)
- Once installed, the Tomcat configuration information will be in the /etc/tomcat4/ directory. Webapps are installed into the /var/lib/tomcat4/webapps/ directory.
- To test the installation try viewing the http://localhost:8180/ page. If the page comes up, Tomcat is installed successfully. If the page does not come up, try running "/usr/bin/tomcat4 start" to view any error messages.
The libapache-mod-jk package allows Tomcat applications to be served using Apache as part of a normal web site (ie you don't need to specify port 8180 in the URL). To use libapache-mod-jk:
- Update the /var/lib/tomcat/conf/mod_jk.conf file as follows:
JkMount /*.jsp ajp13
# only if tomcat4-webapps was also installed
JkMount /examples/* ajp13
If any other webapps are deployed then an additional entry is required in the mod_jk.conf file of the form "JkMount /myapp/* ajp13".
- The /etc/tomcat4/server.xml file must be updated to uncomment the "Ajp13Connector" section (see http://jakarta.apache.org/tomcat/tomcat-4.0-doc/config/ajp.html).
- View http://your-site/examples/jsp/ and verify that the example servlets are running.
Once everything is running the following is worth noting:
- Tomcat logs are found in /var/log/tomcat4/.
- I kept getting a Java error about a missing file "/usr/bin/kaffe". I've got no clue what the hell that is, but some package installed a /usr/bin/java script that was calling /etc/java-vm. Modifying that file to contain only the line "/JDK-install-folder/bin/java" solved the problem. Note that this must be the topmost and ONLY line in the file.
Postgres SQL Database
See http://www.postgresql.org/docs/7.2/static/index.html or /usr/share/doc/postgresql-doc/.
By default postgres installs with permissions for user postgres, so most commands can only be run after doing a "su postgres".
To create a new database user run (as postgres) "/usr/lib/postgresql/bin/createuser". Note that by default the postgres user is set up without a password, so you may want to do a "passwd postgres" from the command line to set one.
To see a list of previously created databases run (as postgres) "/usr/lib/postgresql/bin/psql -l".
To create a database: /usr/lib/postgresql/bin/createdb dbname
To access the database: /usr/lib/postgresql/bin/psql dbname (\q to quit)
JDBC: Install the libpgjava package. Make sure that tcpip_socket in /etc/postgresql/postgresql.conf is either "1" or "true". The JDBC jar file is in /usr/share/java/postgresql.jar.
For TCP/IP connections from the local host, modify the /etc/postgresql/pg_hba.conf file to contain the line:
host all 127.0.0.1 255.0.0.0 password
See http://www.postgresql.org/docs/7.4/interactive/client-authentication.html for a discussion of Postgres access permissions.
To create a database user, execute the following commands:
/usr/lib/postgresql/bin/psql database-name
alter user username with password 'password';
/var/lib/postgres/.profile is the profile info for the postgres user.
To start the database: /etc/init.d/postgresql start
This drove me insane: I could connect to the database using "psql database-name" but would get the message "Password authentication failed for user user-name". The problem was finally analyzed by executing "psql -h 127.0.0.1 database-name", revealing that the database user password wasn't set. To set this password, connect to the database with "psql database-name" and then execute the command "alter user user-name with password 'password';".
Analog
Analog is a web server analysis tool. Install it using dselect, after which you will need to modify the /etc/analog.conf file. By default Debian does not install this file to create HTML output, so I made the following changes:
OUTFILE location-of-output
LOGFILE /var/log/access.log.*
Nessus
See also http://www.oreillynet.com/pub/a/security/2004/04/22/nessus.html.
I'm a bit paranoid about security, so I installed Nessus, which is a security auditing tool. To get this bad dog running, fire up the Debian dselect tool, then search for "nessus". Install the client and the server. By default the nessus server configuration file is installed into /etc/nessus/nessusd.conf. I did not change any of the server defaults.
To run nessus for the first time, do the following:
- Start the nessus server daemon using "nessusd -D &".
- Create a user using the nessus-adduser command.
- Create a target file that contains only the address of the host being checked (ex. 127.0.0.1).
- From the command line, type "nessus -T html_graph -qx localhost 1241 username password target-file-location output-html-directory".
- The scan may take several hours. When the program finishes the results will be in the output directory specified.
- Shut down the nessus server daemon by determining the process id ("ps -ef | grep nessusd") and then killing the process ("kill -9 process-id").
Miscellaneous Configuration
For security reasons root login was disabled from SSH by updating the /etc/ssh/sshd_config file with:
PermitRootLogin no
To set the date and time, use the date command (as root):
date --set 19:42:0
date --set 2003-04-01
Took me a while to figure this one out, but the command "dpkg-reconfigure package-name" provides a way to use the Debian package manager to reinstall a broken package.
I noticed that the syslog was filling up with all sorts of information from cron jobs, so I modified the /etc/syslog.conf file as follows:
# First some standard logfiles. Log by facility.
*.*;auth,authpriv.none;cron.none -/var/log/syslog
cron.* /var/log/cron.log
Updating packages in Debian is a simple matter of executing the following two commands as root:
apt-get update
apt-get upgrade
Other useful UNIX commands:
- "df -k" shows the amount of disk space used on each disk.
- "du -sk" shows the size of the current directory.
Troubleshooting
For a while, every time after I rebooted I got an email like the following:
Envelope-to: root@mountaininterval.org
X-vi-recover-file: filename
X-vi-recover-path: /var/tmp/vi.recover/vi.eJGdOr
Reply-To: root@mountaininterval.org
From: root@mountaininterval.org (Nvi recovery program)
To: root@mountaininterval.org
Subject: Nvi saved the file access.log
Precedence: bulk
Date: Sun, 30 May 2004 11:55:24 -0700
On Tue Apr 6 02:59:50 2004, the user root was editing a
file named filename on the machine mohican, when it was
saved for recovery. You can recover most, if not all, of the
changes to this file using the -r option to vi:
Deleting the vi.eJGdOr file specified in the email headers finally solved this problem.