- Do the physical installation: plug in the network and HDMI cables (except the power cable of course) and screw your RPi into a cover or box.
- Prepare the SD card on a Mac with Raspberry Pi Imager
- Plug the SD card into your RPi and now also plug in the power cable. Boot your RPi for the first time now. Create a user with a password for later use. (e.g. user:pi, password:raspberry)
- When booted, you'll be provided with a prompt to login for the first time. Mind the QWERTY keyboard layout.
- Run the setup tool
sudo raspi-config
- Configure the setup tool
- Set the hostname (1 System Options > S4 Hostname)
- Expand Filesystem (6 Advanced Options > A1 Expand file system)
- Change Timezone, set Keyboard Layout (if needed) and change Wifi Country (5 Localization Options > L2 Change Timezone, L3 Change Keyboard Layout, L4 Change Wi-fi Country)
- Enable SSH (3 Interfacing Options > I2 SSH)
- Press 'Finish' and Reboot
- After reboot, log in again via SSH and change your user password:
passwd
- Generate an SSH key pair, which is more robust than the default one.
ssh-keygen -o -a 100 -t ed25519
- Change the root password
sudo passwd root
- Set the ETH0 IP address to a fixed IP. I hardly ever use the Wifi module in a Raspberry Pi.
sudo vi /etc/network/interfaces
Add at the end of the file the following:
# Added by user on 2023-XX-XX
auto eth0
iface eth0 inet static
    address 192.168.0.240/24
    network 192.168.0.0
    broadcast 192.168.0.255
    gateway 192.168.0.1
    dns-nameservers 192.168.0.1 8.8.8.8
# End of Addition
sudo systemctl restart networking.service
And test with:
ip add show
Reboot your RPi again (or do it later if you plan to reboot anyway).
- Check for updates & upgrades for Bullseye, but first become root. Don't forget to reboot if kernel patches were installed.
sudo -i
apt-get update -y && apt-get upgrade -y
- Fix a common issue with Syslog flooding your logs
sudo sed -i '/# The named pipe \/dev\/xconsole/,$d' /etc/rsyslog.conf
sudo service rsyslog restart
- Alternatively, you could also install Syslog-NG
sudo apt-get install -y syslog-ng
- Install Git
sudo apt-get install -y git dirmngr
- Install Log2Ram as this will allow us to keep logs in memory and reduce the SD card writing significantly. From time to time, the logs are still made persistent to disk.
cd /home/pi
git clone https://github.com/azlux/log2ram.git
cd log2ram
chmod +x install.sh
sudo ./install.sh
Change the log size value to 128M:
sudo vi /etc/log2ram.conf
Reboot.
- Install Sendmail and configure it to work with a local mail relay server, or alternatively Gmail.
sudo apt-get install -y sendmail mailutils sendmail-bin
sudo mkdir -m 700 /etc/mail/authinfo/
The directory is only accessible to root, so open a root shell before changing into it:
sudo -i
cd /etc/mail/authinfo/
Create a Sendmail authentication file:
sudo vi sendmail-auth
And paste the following info:
AuthInfo: "U:root" "I:YOUR LOGIN" "P:YOUR PASSWORD"
Save and exit vi. Next do the makemap:
sudo makemap hash sendmail-auth < sendmail-auth
sudo chmod 400 sendmail-auth
Change the Sendmail configuration now:
sudo vi /etc/mail/sendmail.mc
Add the following right above the first "MAILER_DEFINITIONS" line:
# Added by yourname on 2018-XX-XX
define(`SMART_HOST',`[192.168.Y.XX]')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
FEATURE(`authinfo',`hash -o /etc/mail/authinfo/sendmail-auth.db')dnl
# End of Addition
Apply the changes to the configuration and restart Sendmail:
sudo make -C /etc/mail
sudo /etc/init.d/sendmail reload
Test if you can send an email to yourself:
echo "Just testing my Sendmail email relay" | mail -s "Sendmail email relay" you@here.com
- Setup NTP sync
sudo apt-get install -y ntp ntpdate
sudo vi /etc/ntp.conf
And replace the XX with your country code
0.XX.pool.ntp.org
sudo /etc/init.d/ntp stop
And query to see NTP being in sync
sudo ntpd -gq
sudo /etc/init.d/ntp start
sudo ntpq -pn
- Setup SNMP
sudo apt-get install snmp snmpd
sudo vi /etc/snmp/snmpd.conf
And put the following configuration lines
agentAddress udp:161
rocommunity public 192.168.X.0/24
Restart your SNMP daemon
sudo /etc/init.d/snmpd restart
And test on your local machine
snmpwalk -Os -c public -v 1 localhost
- Setup NFS backup share, install a backup tool, rsnapshot and configure
Fix rpcbind issue (make yourself root first):
su -
cat >/etc/systemd/system/nfs-common.service <<\EOF
[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop
[Install]
WantedBy=sysinit.target
EOF
cat >/etc/systemd/system/rpcbind.service <<\EOF
[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no
[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure
[Install]
WantedBy=sysinit.target
Alias=portmap
EOF
cat >/etc/tmpfiles.d/rpcbind.conf <<\EOF
#Type Path Mode UID GID Age Argument
d /run/rpcbind 0755 root root - -
f /run/rpcbind/rpcbind.xdr 0600 root root - -
f /run/rpcbind/portmap.xdr 0600 root root - -
EOF
systemctl enable rpcbind.service
systemctl enable nfs-common
Install raspiBackup (from this website):
sudo mkdir -p /backup
Avoid accidental file storage when the folder is not mounted:
sudo chattr +i /backup
Then edit fstab:
sudo vi /etc/fstab
And add:
server.yourdomain.com:/volume1/backups/host.yourdomain.com /backup nfs rsize=8912,wsize=8912,timeo=14 0 0
sudo mount /backup
Now install the raspiBackup tool:
curl -s https://raw.githubusercontent.com/framps/raspiBackup/master/installation/install.sh | sudo bash
Go through the configuration tool; later on you can go back to it via:
raspiBackupInstallUI.sh
- Backup versions: smart strategy
- Backup to tar
- No compression
- Backup mode standard
- Email notification set
Uncomment the crontab (backup will run every Sunday at 5am):
sudo vi /etc/cron.d/raspiBackup
And finally test:
sudo raspiBackup
Generate an SSH keypair for easy login
ssh-keygen
ssh-copy-id -p 22 admin@server.yourdomain.com
Log into your server, make yourself root and copy the public key to the Raspberry Pi:
cat /root/.ssh/id_rsa.pub | ssh user@host.yourdomain.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Test if it's working by using:
ssh user@host.yourdomain.com
Setup unattended upgrade based on this tutorial
sudo apt update sudo apt install unattended-upgrades
Configure unattended upgrades:
sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment:
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
And uncomment:
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Now enable Automatic Updates (and press Yes):
sudo dpkg-reconfigure --priority=low unattended-upgrades
To view the unattended upgrades:
sudo systemctl status unattended-upgrades.service
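For the Sendmail relay step above, a check that the stored SMTP credentials stay owner-only once makemap has generated the .db file. This is an added example, not part of the original post; the function name audit_authinfo and the demo tree with its file modes are made up for illustration. On the Pi, run it as root against /etc/mail/authinfo.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the SMTP relay
# credentials are not accessible to group or other after running makemap.

# List every path under $1 (default /etc/mail/authinfo) that has any
# group/other permission bit set.
# Returns 0 when nothing is exposed, 1 when something is, 2 if $1 is missing.
audit_authinfo() {
    aa_dir=${1:-/etc/mail/authinfo}
    [ -d "$aa_dir" ] || { echo "MISSING $aa_dir"; return 2; }
    # POSIX find: one -perm test per group/other bit, joined with -o
    aa_hits=$(find "$aa_dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                             -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -z "$aa_hits" ]; then
        echo "OK $aa_dir and everything in it is owner-only"
        return 0
    fi
    echo "$aa_hits" | while IFS= read -r aa_p; do
        echo "EXPOSED $(ls -ld "$aa_p" | cut -d' ' -f1) $aa_p"
    done
    return 1
}

# Constructed demo tree (modes chosen for the demo, not measured on a real Pi).
demo=$(mktemp -d)
mkdir -m 700 "$demo/authinfo"
: > "$demo/authinfo/sendmail-auth";    chmod 400 "$demo/authinfo/sendmail-auth"
: > "$demo/authinfo/sendmail-auth.db"; chmod 644 "$demo/authinfo/sendmail-auth.db"
audit_authinfo "$demo/authinfo" || echo "-> tighten with chmod 600"
chmod 600 "$demo/authinfo/sendmail-auth.db"
audit_authinfo "$demo/authinfo"
rm -rf "$demo"
```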
Monday, September 25, 2023
Advanced installation of a Raspberry Pi with Raspbian Bullseye
When installing a Raspberry Pi, I have a checklist of steps I take each time to ensure my Raspberry Pi's are (mostly) configured in the same way. They have the same way to backup their data, use the same user configurations (ntp, syslog, sendmail...) and have the same security provisioning. We will also introduce logs into memory with Log2Ram, to avoid too much SD card writing/wearing, which will eventually break your RPi. Feel free to comment on any step that is documented here. Some steps might be optional or unnecessary in your case.
Tuesday, November 14, 2017
Make your Raspberry Pi read-only for reducing SD wear/corruption
Everyone using Raspberry Pis knows that SD cards are not really made to serve as storage, especially when storage-intensive applications (e.g. database, log server...) are put on them. To limit this SD wear (which will lead to SD corruption at some point), you can put Raspbian in read-only mode and only switch to read-write when really needed.
All kudos go to this blog for the excellent write up. I assume you have an RPi3 with Wheezy installed onto it. All commands are executed as root.
Update your RPi
Make yourself root, update your Raspbian and reboot.
su -
apt-get update && apt-get upgrade
reboot
Remove some unwanted packages
apt-get remove --purge wolfram-engine triggerhappy anacron dphys-swapfile xserver-common lightdm
insserv -r x11-common; apt-get autoremove --purge
Replace the Rsyslog with the Busybox one
apt-get install busybox-syslogd; dpkg --purge rsyslog
Disable swap and filesystem check and set it to read-only
Edit the file /boot/cmdline.txt and add the three words:
fastboot noswap ro
Move some system files to the temp filesystem
rm -rf /var/lib/dhcp/ /var/run /var/spool /var/lock /etc/resolv.conf
ln -s /tmp /var/lib/dhcp
ln -s /tmp /var/run
ln -s /tmp /var/spool
ln -s /tmp /var/lock
touch /tmp/dhcpcd.resolv.conf; ln -s /tmp/dhcpcd.resolv.conf /etc/resolv.conf
Change the dhcpd lock file to the temp filesystem
vi /etc/systemd/system/dhcpcd5
And be sure to change the line with PIDFile=/run/dhcpcd.pid to PIDFile=/var/run/dhcpcd.pid
On Debian Jessie and Wheezy move random-seed to a writable location
rm /var/lib/systemd/random-seed
ln -s /tmp/random-seed /var/lib/systemd/random-seed
Since this file is on tmpfs, it will not exist after a reboot, but we can still create it with some magic of the systemd system service.
To create the file on the tmp area at bootup before starting the random-seed service, edit the service file to add a pre-command to execute:
vi /lib/systemd/system/systemd-random-seed.service
Add the line: ExecStartPre=/bin/sh -c 'echo "" >/tmp/random-seed' under the service section (systemd does not interpret shell redirection itself, so the command is wrapped in sh -c).
Do not use touch instead of echo, it won't work because we'll be checking a read-only filesystem.
Execute the following to tell systemd we made changes.
systemctl daemon-reload
Setup the Internet clock sync
If (still) needed, install NTP:
apt-get install ntp
And be sure to configure your time zone with the raspi-config tool.
raspi-config
Then go to the menu "Internationalisation Options", choose "Change Timezone" and select your time zone.
Edit the hourly cron script that saves the clock every hour
vi /etc/cron.hourly/fake-hwclock
And change it to allow saving the clock.
#!/bin/sh
#
# Simple cron script - save the current clock periodically in case of
# a power failure or other crash
if (command -v fake-hwclock >/dev/null 2>&1) ; then
  mount -o remount,rw /
  fake-hwclock save
  mount -o remount,ro /
fi
Edit the file /etc/ntp.conf and redirect the driftfile to the writable zone /var/tmp
vi /etc/ntp.conf
Remove some startup scripts and edit fstab
insserv -r bootlogs; insserv -r console-setup
Edit fstab and add the ro option. Add the tmpfs parts as well.
vi /etc/fstab
tmpfs /tmp tmpfs nosuid,nodev 0 0
tmpfs /var/log tmpfs nosuid,nodev 0 0
tmpfs /var/tmp tmpfs nosuid,nodev 0 0
Reboot
reboot
If all went fine, your Pi will be up again. Test if the filesystem is read-only now.
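One way to run that test, as an added example that is not part of the original post: it reads the mount table and confirms that / and /boot are read-only and that /tmp, /var/log and /var/tmp are on tmpfs. The function names and the sample table are made up for this example, and it assumes /boot is meant to be read-only too, as the ro alias further down does.

```shell
#!/bin/sh
# Added example (not from the original post). Table format is that of
# /proc/mounts: device mountpoint fstype options dump pass.

# Print "ro" or "rw" for mount point $1 in table $2. The last entry wins:
# older kernels list both "rootfs" and the real root device on /.
# Options are compared whole, so "errors=remount-ro" is not mistaken for "ro".
fs_mode() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); m = ""
                   for (i = 1; i <= n; i++)
                       if (o[i] == "ro" || o[i] == "rw") m = o[i] }
        END { if (m == "") exit 1; print m }' "${2:-/proc/mounts}"
}

# Print the filesystem type of mount point $1 in table $2 (last entry wins).
fs_type() {
    awk -v mp="$1" '$2 == mp { t = $3 }
        END { if (t == "") exit 1; print t }' "${2:-/proc/mounts}"
}

# Check the layout: / and /boot read-only; /tmp, /var/log, /var/tmp on tmpfs.
# Prints one line per mount point and returns 0 only if all of them match.
check_readonly_layout() {
    crl_table=${1:-/proc/mounts}; crl_rc=0
    for crl_mp in / /boot; do
        crl_v=$(fs_mode "$crl_mp" "$crl_table") || crl_v=missing
        if [ "$crl_v" = ro ]; then echo "OK   $crl_mp is read-only"
        else echo "FAIL $crl_mp is $crl_v"; crl_rc=1; fi
    done
    for crl_mp in /tmp /var/log /var/tmp; do
        crl_v=$(fs_type "$crl_mp" "$crl_table") || crl_v=missing
        if [ "$crl_v" = tmpfs ]; then echo "OK   $crl_mp is tmpfs"
        else echo "FAIL $crl_mp is $crl_v"; crl_rc=1; fi
    done
    return $crl_rc
}

# Constructed sample of a Pi after the steps above (not captured output).
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/root / ext4 ro,noatime,data=ordered 0 0
/dev/mmcblk0p1 /boot vfat ro,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

demo=$(mktemp)
sample_mounts > "$demo"
check_readonly_layout "$demo"    # on the Pi itself: check_readonly_layout
rm -f "$demo"
```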
Switching from read-only mode to read-write and back
Now that you're in read-only mode, it's fine and safe, but if you need to install, write or modify files, upgrade, or do anything else that needs write access, you'll need to be able to switch. To set the system to read-write:
mount -o remount,rw /
And to set it back to read-only:
mount -o remount,ro /
It is handy to have two simple commands: ro for setting the mode to read-only and rw for enabling read-write mode. I also want to see which mode I am in on the command prompt.
Add fancy indicating features
Edit the file bash.bashrc:
vi /etc/bash.bashrc
At the end add the following lines:
# set variable identifying the filesystem you work in (used in the prompt below)
set_bash_prompt(){
    fs_mode=$(mount | sed -n -e "s/^\/dev\/.* on \/ .*(\(r[wo]\).*/\1/p")
    PS1='\[\033[01;32m\]\u@\h${fs_mode:+($fs_mode)}\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
}
alias ro='sudo mount -o remount,ro / ; sudo mount -o remount,ro /boot'
alias rw='sudo mount -o remount,rw / ; sudo mount -o remount,rw /boot'
# setup fancy prompt
PROMPT_COMMAND=set_bash_prompt
Execute this new file and look at the magic! The prompt has changed and shows the file system mode.
. /etc/bash.bashrc
Test by typing ro or rw to switch between modes.
Use logout to save history and force read-only mode
To make sure the system is set back to read-only at logout, add the following lines to the file /etc/bash.bash_logout (you may need to create it).
vi /etc/bash.bash_logout
Add:
mount -o remount,rw /
history -a
fake-hwclock save
mount -o remount,ro /
mount -o remount,ro /boot
Saturday, May 20, 2017
Raspbian Jessie NFS mounts fail because of rpcbind service not running
You happen to have NFS mounts on your Raspbian and you want them to come up after a reboot or you configure them but get the error that rpc.statd or rpcbind is not running?
pi@raspi1:~ $ sudo mount /mnt/nfsserver/backups
mount.nfs: rpc.statd is not running but is required for remote locking.
mount.nfs: Either use '-o nolock' to keep locks local, or start statd.
mount.nfs: an incorrect mount option was specified
pi@raspi1:~ $ sudo /etc/init.d/rpcbind start
[ ok ] Starting rpcbind (via systemctl): rpcbind.service.
pi@raspi1:~ $ sudo mount /mnt/nfsserver/backups
Now you have manually fixed this once, but on the next reboot, your fix will be gone again. You need to fix that with the below steps, taken from this great help.
0. Assumptions
You have a working NFS mount on your Raspbian which is or can be mounted and configured e.g. into /etc/fstab
1. Make yourself root
su -
2. Create /etc/systemd/system/nfs-common.service
cat >/etc/systemd/system/nfs-common.service <<\EOF
[Unit]
Description=NFS Common daemons
Wants=remote-fs-pre.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/init.d/nfs-common start
ExecStop=/etc/init.d/nfs-common stop
[Install]
WantedBy=sysinit.target
EOF
Copy paste the above and hit ENTER
3. Create /etc/systemd/system/rpcbind.service
cat >/etc/systemd/system/rpcbind.service <<\EOF
[Unit]
Description=RPC bind portmap service
After=systemd-tmpfiles-setup.service
Wants=remote-fs-pre.target
Before=remote-fs-pre.target
DefaultDependencies=no
[Service]
ExecStart=/sbin/rpcbind -f -w
KillMode=process
Restart=on-failure
[Install]
WantedBy=sysinit.target
Alias=portmap
EOF
Copy paste the above and hit ENTER
4. Create /etc/tmpfiles.d/rpcbind.conf
cat >/etc/tmpfiles.d/rpcbind.conf <<\EOF
#Type Path Mode UID GID Age Argument
d /run/rpcbind 0755 root root - -
f /run/rpcbind/rpcbind.xdr 0600 root root - -
f /run/rpcbind/portmap.xdr 0600 root root - -
EOF
Copy paste the above and hit ENTER
5. Configure the services to run at startup
systemctl enable rpcbind.service
systemctl enable nfs-common
Copy paste the above and hit ENTER
6. Reboot and check if your NFS mount is there now
pi@raspi1:~ $ mount nfsserver:/volume1/backups/raspi on /mnt/nfsserver/backups type nfs
Sunday, November 27, 2016
Completely remove the z-way-server from your Raspberry Pi
0. Be root
1. Kill the z-way-server processes
kill -s 9 ... (PID of the process)
2. Remove all dirs with z-way-server files
rm -rf /etc/zbw* && rm -rf /etc/*/zbw* && \
rm -rf /etc/*/z-way* && rm -rf /opt/z-way-server/* && rm -rf /etc/z-way* && \
rm -rf /etc/rc*.d/*z-way-server && rm -rf /opt/z-way-server && \
rm -rf /run/z-way-server.pid && rm -rf /run/systemd/*/z-way-server.service && \
rm -rf /var/webif/lib/*_z-way* && rm -rf /var/log/z-way-server.log && \
rm -rf /var/webif/lib/._set_z-way* && rm -rf /var/webif/lib/._get_z-way*
3. Reboot
Monday, September 19, 2016
Error installing tftpd-hpa onto Raspian: action "start" failed
What is the issue?
When trying to install the tftpd-hpa package, the installation isn't completed successfully and the daemon is not running or cannot be started.
root@raspberrypi:/srv/tftp# apt-get install tftpd-hpa
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  ffmpeg openbsd-inetd
Use 'apt-get autoremove' to remove them.
Suggested packages:
  syslinux-common
The following NEW packages will be installed:
  tftpd-hpa
0 upgraded, 1 newly installed, 0 to remove and 5 not upgraded.
Need to get 0 B/46.1 kB of archives.
After this operation, 142 kB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously unselected package tftpd-hpa.
(Reading database ... 85095 files and directories currently installed.)
Unpacking tftpd-hpa (from .../tftpd-hpa_5.2-4_armhf.deb) ...
Processing triggers for man-db ...
Setting up tftpd-hpa (5.2-4) ...
tftpd-hpa directory (/srv/tftp) already exists, doing nothing.
[....] Starting HPA's tftpd: in.tftpdinvoke-rc.d: initscript tftpd-hpa, action "start" failed.
dpkg: error processing tftpd-hpa (--configure):
 subprocess installed post-installation script returned error exit status 71
Errors were encountered while processing:
 tftpd-hpa
E: Sub-process /usr/bin/dpkg returned an error code (1)
How to fix?
Edit the tftpd-hpa config file, which is normally located under /etc/default:
vi /etc/default/tftpd-hpa
Change the IP from 0.0.0.0 to the real IP of your tftpd-hpa server machine.
Add "--ipv4" to the options parameter.
Force a re-installation of tftpd-hpa.
root@raspberrypi:/srv/tftp# apt-get install -f tftpd-hpa
Reading package lists... Done
Building dependency tree
Reading state information... Done
tftpd-hpa is already the newest version.
The following packages were automatically installed and are no longer required:
  ffmpeg openbsd-inetd
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? Y
Setting up tftpd-hpa (5.2-4) ...
tftpd user (tftp) already exists, doing nothing.
tftpd-hpa directory (/srv/tftp) already exists, doing nothing.
[ ok ] Starting HPA's tftpd: in.tftpd.
Now tftpd-hpa starts properly and by default listens on UDP port 69.