ArchLinux:OVH: Difference between revisions
Latest revision as of 00:31, 2 August 2017
Introduction
I have been running my own dedicated server for about 20 years now. I started running FreeBSD servers, had a couple of OpenBSD servers even, but some time around early 2013 I made the switch to using Arch Linux. Have I gone mad? Possibly, but that's not relevant. Some might say Arch Linux does not belong on a server, or in a production environment. Nonsense! Any Linux distribution, properly set up, can be run as a server in a production environment. I use Arch on my desktop and on my laptop and honestly the setup on my servers does not differ too much from those installations aside from a little redundancy. I apply the same security principles and practices to both.
For the creation of this tutorial I used my server with OVH's subsidiary So you Start (SYS). The process is the same for OVH and Kimsufi (aside from the Manager being a bit different); I have had servers with all three.
Installation
First, in order to install Arch Linux from scratch, we need to net-boot the server into Rescue Mode. However, before doing so it is a good idea to note down a few things from one of the OVH default installations (it doesn't matter which OS as long as it is Linux based). Take a look at the current network configuration; for their Arch Linux installation you can check netctl.
# cat /etc/netctl/ovh_net_eth0
Also check which timezone the datacenter is in if you are not using the BHS datacenter (the one I am).
# ls -FlG /etc/localtime
Alternatively, if you installed the OS with the OVH installer through the Manager, you can just check the file left behind by the installer.
# cat /root/.ovhrc
Rescue Mode
Enter the Control Panel and reboot the machine into Rescue Mode. There should be either a button on the right called "Rescue" or "Netboot".
OVH will email you the root password for the rescue mode SSH login; make sure your spam filter did not catch it.
Once the machine has been restarted into rescue mode (it might require a manual restart) and the login information has been obtained, log in over SSH. The additional command line options here stop ssh from recording the rescue system's host key, since the key is about to change once Arch is installed.
# ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no root@X.X.X.X
WARNING: The moment you log in, change the root password with passwd; OVH emails passwords in plain text, which is susceptible to MITM attacks.
Take note of the Debian environment.
Partitioning
For most of the mid to higher tier servers you get two hard drives. Using RAID-10 (far 2 layout), which prioritizes read speed, availability and redundancy, will be optimal.[1] Since there are only two drives, write speeds should be on par with RAID1. LVM can then be used on top of RAID for partition management.
Pull up a list of all of the disks in the system.
# lsblk
If the server was previously installed in a non-RAID setup, it should be mounted inside of /mnt. If so, un-mount the partition.
# umount /mnt/sda1
Wipe the beginning of both disks so nothing left behind (old partition tables or RAID metadata) interferes.
# dd if=/dev/zero of=/dev/sda bs=1M count=2048
# dd if=/dev/zero of=/dev/sdb bs=1M count=2048
If there was a RAID volume previously on the drives, a reboot may be required.
Wipe the current partition scheme and create a new partition table.
# echo -e "o\nn\np\n\n\n+64G\na\nn\np\n\n\n+8G\nn\np\n\n\n\nw" | fdisk /dev/sda
Then copy the partition table to the second drive.
# sfdisk -d /dev/sda | sfdisk /dev/sdb
This will set up a 64GB root partition with the boot flag set, an 8GB swap partition and another data partition with the rest of each disk.
The hostname gets prefixed onto the RAID array's name, so it might be a good idea to change it.
# hostname neutron
WARNING: If you do not set the hostname, the RAID array's name will be prefixed with rescue.ovh.net.
RAID10 (far2)
Create both RAID10 arrays and add the disks.
# mdadm --create /dev/md0 --level=10 --layout=f2 --raid-devices=2 /dev/sd[ab]1
# mdadm --create /dev/md1 --level=10 --layout=f2 --raid-devices=2 /dev/sd[ab]3
It will take a long time to synchronize the arrays. Synchronization is transparent to the filesystem, so continue installing and reboot if needed; it will use significant disk resources until it finishes. To check the status of the synchronization:
# watch -n .1 cat /proc/mdstat
When synchronization is finished, feel free to check whether any blocks were marked bad.
# cat /sys/block/md0/md/mismatch_cnt
During the rest of the installation, due to synchronization, things involving grub may take longer than normal. Also, if you see Failed to connect to lvmetad during install, ignore it as it is related to sync as well.
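A scriptable version of the mdstat check, added here as an example and not part of the original tutorial: it parses the same /proc/mdstat output the watch command shows and reports, per array, whether it is clean, degraded (a missing member in the [UU] slot pattern) or still syncing, so a script can refuse to reboot until both arrays are clean. The /proc/mdstat sample is constructed to match this page's md0/md1 layout.

```shell
#!/bin/sh
# Added example (not from the original tutorial): report the state of each
# md array from /proc/mdstat in one line, so "wait until sync is done" can be
# scripted instead of watched. Works on the real /proc/mdstat or a saved copy.

# Constructed sample of /proc/mdstat: md1 already clean, md0 still resyncing.
MDSTAT_SAMPLE='Personalities : [raid10]
md1 : active raid10 sdb3[1] sda3[0]
      1900000000 blocks super 1.2 512K chunks 2 far-copies [2/2] [UU]

md0 : active raid10 sdb1[1] sda1[0]
      67043328 blocks super 1.2 512K chunks 2 far-copies [2/2] [UU]
      [==>..................]  resync = 12.5% (8380416/67043328) finish=45.3min speed=21600K/sec

unused devices: <none>'

# md_stanza FILE ARRAY -> the lines for one array, from "mdX :" to the next blank line.
md_stanza() {
    awk -v a="$2" '
        $1 == a && $2 == ":" { inblock = 1 }
        inblock && /^$/      { exit }
        inblock              { print }
    ' "$1"
}

# md_status FILE ARRAY -> prints "clean", "degraded", "missing", or
# "<resync|recovery|reshape|check> NN.N%" while the array is still being worked on.
# Exit status is 0 only for "clean".
md_status() {
    stanza=$(md_stanza "$1" "$2")
    if [ -z "$stanza" ]; then
        echo "missing"; return 1
    fi
    # An underscore in the member slot pattern ([U_], [_U]) means a lost member.
    if printf '%s\n' "$stanza" | grep -Eq '\[[U_]*_[U_]*\]'; then
        echo "degraded"; return 1
    fi
    progress=$(printf '%s\n' "$stanza" \
        | sed -En 's/.*(resync|recovery|reshape|check) = ([0-9.]+)%.*/\1 \2%/p')
    if [ -n "$progress" ]; then
        echo "$progress"; return 1
    fi
    echo "clean"
}

# md_all_clean FILE -> lists every array with its status; exit 0 only if all
# arrays are clean, so it can gate a reboot: md_all_clean /proc/mdstat && reboot
md_all_clean() {
    rc=0
    for name in $(awk '$2 == ":" && $1 ~ /^md/ { print $1 }' "$1"); do
        state=$(md_status "$1" "$name") || rc=1
        printf '%s: %s\n' "$name" "$state"
    done
    return $rc
}

# Stand-alone demo on the constructed sample (exits 1 because md0 is still resyncing).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' "$MDSTAT_SAMPLE" > "$tmp"
    md_all_clean "$tmp"
    rm -f "$tmp"
fi
```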
LVM
Create the LVM physical volume on the RAID array, then verify it was added.
# pvcreate /dev/md0
# pvdisplay
Create a volume group containing the RAID array, then verify it was added.
# vgcreate neutron /dev/md0
# vgdisplay
Dedicate the entire array to the root logical volume, then verify.
# lvcreate -l +100%FREE neutron -n root
# lvdisplay
This can be re-sized at any point, but due to the partition size it cannot exceed 64GB.
Also prepare the second RAID array as a volume group for later usage.
# pvcreate /dev/md1
# vgcreate data /dev/md1
Formatting
Formatting the root filesystem would be simple if we did not want metadata checksums. The Debian environment I was in when I performed my installation had an older version of e2fsprogs. In order to use metadata checksums you need version 1.43+, therefore it had to be upgraded first.
Begin by updating the package registry.
# apt-get update
Check which version of e2fsprogs is installed and which are available.
# apt-get policy e2fslibs
Pick a version that is 1.43+ if not already installed. Don't forget to upgrade both packages.
# apt-get install -y e2fslibs=1.43.3-1~bpo8+1 e2fsprogs=1.43.3-1~bpo8+1
Format the filesystem with the metadata_csum and 64bit features enabled.
# mkfs.ext4 -O metadata_csum,64bit /dev/neutron/root
Be sure to select Y to overwrite the current partition if asked.
Now that the disks are set up, remove the directory OVH created in /mnt if applicable and then mount the logical volume.
# rmdir /mnt/*
# mount /dev/neutron/root /mnt
Bootstrap
At this point download the arch-bootstrap.sh script that was created by Arch Linux user tokland. Then give the script the proper permissions.
# wget https://raw.githubusercontent.com/tokland/arch-bootstrap/master/arch-bootstrap.sh
# chmod +x arch-bootstrap.sh
GitHub: tokland/arch-bootstrap
Then bootstrap the system (ignore the tar errors).
# ./arch-bootstrap.sh /mnt
Next mount the required system partitions. Don't forget the last one added here.
# mount -t proc proc /mnt/proc/
# mount -t sysfs sys /mnt/sys/
# mount -o bind /dev /mnt/dev/
Chroot
Chroot into the new install.
# chroot /mnt
Initialize and populate the Arch Linux pacman keys.
# pacman-key --init
# pacman-key --populate archlinux
Finally re-base the system by running pacman to install Arch Linux.
# pacman -S base base-devel arch-install-scripts git grub-bios intel-ucode openssh sudo vim
Parts of this step, most notably grub generating its config, took about 5 minutes. This is due to the half-setup environment and the RAID arrays initializing; trust me, it's working fine, just wait it out.
Update the RAID configuration to reflect what was set up.
# mdadm --examine --scan > /etc/mdadm.conf
Generate an fstab file.
# genfstab / > /etc/fstab
Open up the fstab file in an editor and add the flags for metadata checksums to the root partition.
/dev/mapper/neutron-root / ext4 rw,relatime,stripe=256,data=ordered,journal_checksum 0 1
Changes will need to be made to /etc/mkinitcpio.conf for RAID, LVM and ext4 metadata checksums; open up the file in an editor.
MODULES="dm_mod crc32_generic crc32c-intel"
HOOKS="base udev mdadm_udev lvm2 autodetect modconf block filesystems keyboard fsck"
Then generate a new initramfs.
# mkinitcpio -p linux
Boot Loader
Use the scripts that come with grub in order to install the boot loader on the first disk.
# grub-install /dev/sda
Generate the GRUB config.
# grub-mkconfig -o /boot/grub/grub.cfg
WARNING: Due to RAID array synchronization these steps might take an abnormally long time.
Networking
Next create a system service to start up the network.
# vim /etc/systemd/network/eth0.network
[Match]
Name=eth0 en*

[Network]
DHCP=false
DNS=213.186.33.99
Address=X.X.X.X/24
Address=X.X.X.X/24
Gateway=X.X.X.X

Address=ffff:ffff:ffff:ffff::/64
Gateway=ffff:ffff:ffff:ffff
Multiple IPv4 Address lines are included in case one has purchased additional failover IP addresses.
Make sure the naming scheme stays how OVH had it set up so the device node keeps the same name.
# cd /etc/udev/rules.d
# touch 80-net-name-slot.rules
# ln -s /dev/null 80-net-setup-link.rules
Then enable systemd-networkd so that the service is started on boot, and also enable the SSH daemon.
# systemctl enable systemd-networkd
# systemctl enable sshd
System Settings
Choose a unique hostname for the machine.
# echo "neutron.kyau.net" > /etc/hostname
Set the proper timezone and generate /etc/adjtime. Check the /usr/share/zoneinfo directory for a list of existing zones.
My server is in the BHS datacenter so I will use the timezone that applies.
# ln -sf /usr/share/zoneinfo/America/Toronto /etc/localtime
Choose the proper localization and uncomment it in /etc/locale.gen; the de facto English (US) standard is en_US.UTF-8 UTF-8. Then generate the needed localization.
Also add the localization to /etc/locale.conf.
# sed -i 's/^#en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen
# locale-gen
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
Set a root password.
# passwd
Create a user account, adding it to the wheel group, then give it a password.
# useradd -m -G wheel,systemd-journal -s /bin/bash kyau
# passwd kyau
Make sure the wheel group has sudo access.
# sed -i 's/^# %wheel ALL=(ALL) ALL$/%wheel ALL=(ALL) ALL/' /etc/sudoers
Reboot
Exit out of the chroot environment.
# exit
Navigate back to the Web Manager for the OVH server and put netboot back into local hard drive boot mode.
Un-mount all of the partitions and reboot.
# umount /mnt/{dev,proc,sys} /mnt
# reboot
Post-Installation
Once the machine has rebooted, SSH back into your machine. The host key options are only needed for this first login, while the new key is still unknown; later logins should record and check the host key normally.
# ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no kyau@neutron.kyau.net
First verify that the root partition was set up properly with metadata checksums and is running in 64-bit mode.
# sudo dumpe2fs -h /dev/neutron/root | grep -e checksum -e features
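The same verification as a script, added here as an example and not part of the original tutorial: it reads dumpe2fs -h output and the fstab entry and fails if metadata_csum, 64bit or journal_checksum is missing, instead of leaving a grep to be read by eye. The dumpe2fs excerpt and fstab line are constructed samples; on the real machine feed it the output of the dumpe2fs command above and /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify the ext4 features this
# page formats with (metadata_csum, 64bit) and the journal_checksum mount option
# from "dumpe2fs -h" output and an fstab, exiting non-zero on anything missing.

# Constructed excerpt of "dumpe2fs -h /dev/neutron/root" output (not captured).
DUMPE2FS_SAMPLE='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent 64bit flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum
Default mount options:    user_xattr acl
Checksum type:            crc32c'

# Constructed fstab holding the root entry from this page.
FSTAB_SAMPLE='# <device> <dir> <type> <options> <dump> <pass>
/dev/mapper/neutron-root / ext4 rw,relatime,stripe=256,data=ordered,journal_checksum 0 1'

# ext4_has_feature DUMPFILE FEATURE -> exit 0 if FEATURE is in the feature list
# (whole-word match, so "64bit" is not satisfied by a feature merely containing it).
ext4_has_feature() {
    sed -n 's/^Filesystem features:[[:space:]]*//p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# ext4_missing_features DUMPFILE FEATURE... -> prints each missing feature,
# exit 1 if any are missing.
ext4_missing_features() {
    dump=$1; shift; rc=0
    for feature in "$@"; do
        ext4_has_feature "$dump" "$feature" || { echo "$feature"; rc=1; }
    done
    return $rc
}

# fstab_has_option FSTAB MOUNTPOINT OPTION -> exit 0 if the entry for MOUNTPOINT
# carries OPTION; comment lines are skipped.
fstab_has_option() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1" | tr ',' '\n' | grep -qx "$3"
}

# verify_root_fs DUMPFILE FSTAB -> exit 0 only if every check passes.
verify_root_fs() {
    ok=0
    missing=$(ext4_missing_features "$1" metadata_csum 64bit) || {
        echo "root fs missing ext4 feature(s): $(echo "$missing" | tr '\n' ' ')"; ok=1; }
    fstab_has_option "$2" / journal_checksum || {
        echo "fstab: / is not mounted with journal_checksum"; ok=1; }
    return $ok
}

# Stand-alone demo on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp); f=$(mktemp)
    printf '%s\n' "$DUMPE2FS_SAMPLE" > "$d"
    printf '%s\n' "$FSTAB_SAMPLE" > "$f"
    verify_root_fs "$d" "$f" && echo "root filesystem OK"
    rm -f "$d" "$f"
fi
```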
Network Time Protocol
It is always a good idea to keep the system's date/time in sync; for this use systemd-timesyncd.
# sudo timedatectl set-ntp true
Packages
Moving the build directory that makepkg uses to build packages into the /tmp folder will effectively move the package building temporary directory into memory.
BUILDDIR=/tmp/makepkg
To find the fastest recently updated mirrors for pacman, install the reflector package.
# sudo pacman -S reflector
Reflector will search through the last 100 updated mirrors that use HTTPS, sort them by download speed and then output the list to /etc/pacman.d/mirrorlist, overwriting the current list. This command might take a few minutes depending on internet connection speed and latency.
# sudo reflector --latest 100 --protocol https --sort rate --save /etc/pacman.d/mirrorlist
Enable colored output in pacman.
# sudo sed -i 's/#Color/Color/' /etc/pacman.conf
To install aur:pacaur, first manually install cower.
# git clone https://aur.archlinux.org/cower.git
# cd cower && makepkg -si && cd .. && rm -rf cower
If makepkg complains about GPG keys, see this pinned comment or use gpg --recv-keys --keyserver hkp://pgp.mit.edu 1EB2638FF56C0C53
Then proceed to install pacaur manually.
# git clone https://aur.archlinux.org/pacaur.git
# cd pacaur && makepkg -si && cd .. && rm -rf pacaur
Perform a full system update.
# pacaur -Syu
For more information on managing and maintaining packages you can reference my tutorial on packages.
Security
Security is always of paramount concern when running a machine that has open access to the internet. While I am not a security professional, I do have some practices I like to follow. Every Arch machine I run that sits with an open internet connection (server, production, or otherwise) gets hardened. I have been doing this with all of my machines since my days with BSD. That said, I am always on the lookout for new tips and tricks. Have any?
Finalizing
Once hardening is complete, the machine should be set up with LVM on top of RAID10 (far2), with an Arch Linux boot volume sized to 64GB and the rest of the disk space in a separate volume group, ready for logical volume creation however you see fit.
If you would like to install services (DNS, WWW, SQL, etc.) it is recommended to do so using either KVM or containers to separate them from the host system.
References
[1] blog @ a2o.si. Linux software RAID: why you should always use RAID 10 instead of RAID 1.