First of all, check whether the rescue system provides the debootstrap command and has the wget tool installed. Run both without arguments in the console window; their usage messages confirm they are present:
# debootstrap
I: usage: [OPTION] ... <suite> <target> [<mirror> [<script>]]
I: Try `debootstrap --help' for more information.
E: You must specify a suite and a target.
# wget
wget: missing URL
Usage: wget [OPTION]... [URL]...
I have checked two server providers and on both of them these commands are available by default, but if you are not so lucky you have to install them manually in the rescue mode:
# apt-get update
# apt-get install debootstrap
# apt-get install wget
With these tools ready we can continue preparing for debootstrap. To let the debootstrap tool verify the downloaded data and check that it has not been corrupted or modified, whether by a transmission error or by an attacker, we have to download the Ubuntu GPG public keys. All Ubuntu packages are signed with these keys, which protects them against modification. To download the keys use this command:
# wget http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
This downloads the ubuntu-archive-keyring.gpg file to your home directory. Now copy it to its destination folder with this command:
# cp ubuntu-archive-keyring.gpg /usr/share/keyrings/
As an alternative you can pass the keyring file directly to the bootstrap process with the --keyring parameter, but that did not work well for me.
Anyhow, if you see either of these messages during the debootstrap process:
W: Cannot check Release signature; keyring file not available ....
E: Release signed by unknown key (key id xxxxxxx)
then the keyring was not downloaded or specified correctly and you have to fix that before going on.
Now it is time to start the debootstrap process. It places all files needed for the OS root on the root partition, which is currently mounted at /srv_root. To do that, just type:
# debootstrap --arch amd64 --keyring ./ubuntu-archive-keyring.gpg trusty /srv_root http://archive.ubuntu.com/ubuntu/
If you want to install the 32-bit architecture instead of 64-bit, use i386 as the --arch parameter; amd64 selects the 64-bit architecture. The 'trusty' parameter specifies that we install Ubuntu 14.04 LTS (Trusty Tahr), the latest LTS release at the time of writing this article. You can of course install a different Ubuntu version by changing this parameter; for example, for 15.10 use 'wily' instead of 'trusty'. The --keyring parameter specifies the file with the public GPG keys used to verify package integrity; it has to be given as a full path or with the current-folder './' prefix. If you copied the keyring to the /usr/share/keyrings/ folder, you don't need this parameter at all.
Chroot and Base Config
Now we can switch our session into the chroot environment. It is something like virtual access to the server's OS as it will run once it is booted directly by the hardware. This lets us install additional software and modify configuration files of the server OS instead of the Rescue Mode OS files.
The first step to successfully enter the chroot environment is to mount the special filesystems (dev, proc, sys) into the root filesystem of the server OS:
# mount -o bind /dev /srv_root/dev
# mount -t proc proc /srv_root/proc
# mount -t sysfs sys /srv_root/sys
When that is done, we enter the chroot environment with this command:
# TERM=xterm-color LANG=C.UTF-8 chroot /srv_root /bin/bash
Welcome into the chroot environment of the server. From this point on, all commands typed into the console modify the server filesystem and configuration instead of the Rescue OS environment.
First of all, create a symbolic link from /etc/mtab to /proc/mounts.
# ln -sf /proc/mounts /etc/mtab
This avoids problems when the root filesystem ( / ) is mounted read-only and /etc/mtab is outdated. The symlink guarantees that /etc/mtab is always up to date.
The next good idea related to filesystems is to force the server to check its filesystems on every boot. On a server without physical access this is especially worthwhile. To enable that behaviour, type this command in the console:
# echo FSCKFIX=yes >> /etc/default/rcS
The next essential thing is to generate the appropriate locale files, otherwise many of the following steps will complain about wrong locale settings.
# locale-gen en_US.UTF-8
# update-locale en_US.UTF-8
The next step is to configure the server clock. Linux servers usually keep the hardware clock in UTC, so we have to tell the OS to reflect this. To do that, create the file /etc/adjtime with this command:
# echo -e '0.0 0 0.0\n0\nUTC' > /etc/adjtime
Set the appropriate time zone for the server with this command:
# dpkg-reconfigure tzdata
Now it is guaranteed that files created or modified on the server get correct time-stamps.
Because many of the configuration steps consist of editing text configuration files, it is convenient to use your favourite text editor for that. My preference is vim, so I install it immediately. Install whatever you like instead of vim if it is not your cup of tea.
# apt-get install vim
Now we have to tell the system about the encrypted block device holding our partitions and create a record for it in /etc/crypttab so that the OS can handle it correctly. For this we need the UUID saved earlier during the LUKS setup. Create the record with this command:
# echo 'sda2_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks' > /etc/crypttab
where the string xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx must be replaced by the previously saved LUKS UUID.
The next step is to create the /etc/fstab file so that the partitions are mounted correctly into the root filesystem. Each partition is described by one line. If you did not modify the partition scheme during this how-to, you can create the file with this content directly:
# file system mount point type options dump pass
LABEL=root / ext4 errors=remount-ro 0 1
LABEL=tmp /tmp ext4 rw,nosuid,nodev,noexec 0 2
LABEL=srv /srv ext4 rw,nosuid,nodev 0 2
LABEL=boot /boot ext4 rw,nosuid,nodev 0 2
# Alternative home in /srv:
#/srv/home /home auto bind 0 0
#******** END of FSTAB
The last two lines are commented out; when enabled they move the home folder from / to the srv partition, where all the other data resides.
The /tmp partition is mounted non-executable because some attack techniques against a server try to create a file there and then run it to finalize the attack. That is why I always mount /tmp on a standalone partition.
To configure networking correctly you need to know the IP address assigned to the server and the other network parameters. They are defined by the server provider and can usually be found in the server administration panel.
You have to know:
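Added here as an example that is not part of the original article: a small POSIX sh check, run inside the chroot before the first reboot, for the crypttab record and the fstab written in the two steps above. It rejects a crypttab line that still carries the xxxxxxxx-... placeholder instead of a real LUKS UUID, and verifies that the /tmp entry keeps its nosuid,nodev,noexec options. The sample files it checks are constructed in a temporary directory, and the well-formed UUID in them is made up.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the /etc/crypttab and
# /etc/fstab written in the two steps above before leaving the chroot, so a left-over
# placeholder UUID or a /tmp line without noexec does not survive to the first reboot.

# Returns 0 when every crypttab entry uses a real-looking UUID (8-4-4-4-12 hex groups,
# as blkid / cryptsetup print it) and carries the luks option; 1 otherwise.
check_crypttab() {
    status=0
    while read -r name source key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        uuid="${source#UUID=}"                      # the article uses the UUID= form
        if ! printf '%s\n' "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
            echo "crypttab: '$name' has an invalid UUID '$uuid'" >&2; status=1
        fi
        case ",$opts," in *,luks,*) ;; *) echo "crypttab: '$name' lacks the luks option" >&2; status=1 ;; esac
    done < "$1"
    return $status
}

# Returns 0 when the fstab entry for mount point $2 carries every option in the
# comma-separated list $3 (e.g. /tmp nosuid,nodev,noexec); 1 if any is missing.
fstab_has_options() {
    opts=$(awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$1")
    [ -n "$opts" ] || { echo "fstab: no entry for $2" >&2; return 1; }
    status=0
    for want in $(printf '%s' "$3" | tr ',' ' '); do
        case ",$opts," in *",$want,"*) ;; *) echo "fstab: $2 lacks $want" >&2; status=1 ;; esac
    done
    return $status
}

# Constructed sample files (not the real server's): the crypttab line with the article's
# placeholder still in it, one with a made-up but well-formed UUID, and the fstab from above.
SAMPLE_DIR=$(mktemp -d)
printf 'sda2_crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks\n' > "$SAMPLE_DIR/crypttab.placeholder"
printf 'sda2_crypt UUID=0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0 none luks\n' > "$SAMPLE_DIR/crypttab.ok"
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# file system mount point type options dump pass
LABEL=root / ext4 errors=remount-ro 0 1
LABEL=tmp /tmp ext4 rw,nosuid,nodev,noexec 0 2
LABEL=srv /srv ext4 rw,nosuid,nodev 0 2
EOF

for f in crypttab.placeholder crypttab.ok; do
    if check_crypttab "$SAMPLE_DIR/$f"; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
if fstab_has_options "$SAMPLE_DIR/fstab" /tmp nosuid,nodev,noexec; then echo "/tmp: hardened"; fi
```

On the real server run the same two functions against /etc/crypttab and /etc/fstab instead of the sample files.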
- Server IP address ( example: 188.8.131.52 )
- Network gateway IP address( example: 184.108.40.206 )
- Network mask ( example: 255.255.255.0 )
- Your domain name ( example: mydomain.dom )
- Your server host name (example: myserver )
- DNS server addresses (can be replaced by the public Google DNS servers 8.8.8.8 and 8.8.4.4)
When you have collected all the necessary information you can create the networking configuration. First we define the short and the full hostname. Type these commands, replacing the example values with your real names:
# echo 'myserver' > /etc/hostname
# echo '127.0.0.1 myserver.mydomain.dom myserver' > /etc/hosts
Next, create the file /etc/network/interfaces with this content, replacing the example values with the real values collected above:
iface lo inet loopback
iface eth0 inet static
dns-nameservers 8.8.8.8 8.8.4.4
pre-up /sbin/ip addr flush dev eth0 || true
The last line, beginning with pre-up, is necessary to guarantee correct network initialization when the main system boots after being unlocked through the busybox environment. Please leave it in place unchanged.
Now you can verify the hostname. Type:
# hostname -f
Instead of myserver.mydomain.dom you should see your full server name (hostname and domain).