Installing Slackware 14.2
Installing Slackware 14.2 (32bit) on a bitfolk vps
Before you start
The default recommended install for slackware is everything except for kdei, for which you usually just install your locale. The space used can obviously be reduced by not installing things like X, or servers that are not going to be used, but this how-to doesn't assume what you will or won't use. That is left to you in the usual slackware way.
If you have less than 15GB of storage you will not be able to retain the installation packages on your virtual drive; there simply isn't enough space.
Part 1. preparing the virtual drives
log in to xen shell (using putty from windows, or ssh from linux or mac)
ssh yourserver.console.bitfolk.com yourserver yourpassword
By default bitfolk allocate two virtual disks for your virtual machine: xvda (the main amount) and xvdb (an amount equal to the ram you have allocated) for swap. This installation guide ignores /dev/xvdb entirely.
Type disks to view and change the arrangement of virtual drives made up out of your purchased disk space.
When you are happy with the virtual disk allocation, you can get back to the xen-shell prompt and continue.
For this install we are assuming at least 10GB of space allocated to the first virtual disk /dev/xvda
Part 2. partitioning drives and obtaining the install files
Partitioning the drive
- type rescue
- log on as user with password given
- To avoid having to sudo everything type sudo su (now we can do everything as root)
- type fdisk -l to check the drive of the virtual machine. On mine it is /dev/xvda
- type fdisk /dev/xvda
- then n for a new partition
- then p for a primary partition
- then 1 for the partition number
- accept the default start position, and for the size +XGB where X is (storage purchased) - (2 x system RAM) in GB
- then n for a new partition
- then p for a primary partition
- then 2 for the partition number
- Accept the default start position and end position, then press t and then 2 and then 82 to set the second partition as a swap partition
- Finally press w to write the changes and quit fdisk.
Now to format the new partition ext3 (for ext2 , just miss out the -j )
mke2fs -j /dev/xvda1
Now to create a mount point
mkdir -p /mnt/slackware
and to mount
mount /dev/xvda1 /mnt/slackware
Let's also format and activate the swap partition we just created
mkswap -L SWAP /dev/xvda2
Setting up the file structure and getting the install files
Now to create a boot point and a location for the install files
mkdir -p /mnt/slackware/boot/grub
mkdir -p /mnt/slackware/slackdisk
Now to download the slack files
rsync -azP --delete --exclude 'source/' rsync.mirrorservice.org::ftp.slackware.com/pub/slackware/slackware-14.2/ /mnt/slackware/slackdisk
(If you have 20GB of storage then you can omit the --exclude 'source/' to include the source code as well. This will increase the space used from 2.5G to 6.1G at this point of the installation.)
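Every package in the mirrored tree is about to be installed as root, so it is worth checking the download first. Each Slackware tree carries a CHECKSUMS.md5 file at its top level (signed as CHECKSUMS.md5.asc with the key in GPG-KEY); the script below, an added example that is not part of the original how-to, checks the files on disk against it and counts files you excluded or deleted (source/, unwanted kdei packages) as skipped. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a mirrored Slackware tree against CHECKSUMS.md5
# before any package is handed to installpkg as root.

# verify_slack_tree DIR
# Prints MISMATCH lines and a summary; returns 0 only if at least one file
# was checked and none differ. Listed files that are not on disk (excluded
# source/, deleted kdei packages) are counted as skipped.
verify_slack_tree() {
    tree=$1
    list="$tree/CHECKSUMS.md5"
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    # Entries look like "<32 hex digits>  ./path"; the prose header is ignored.
    grep -E '^[0-9a-f]{32}  \./' "$list" | {
        checked=0 skipped=0 bad=0
        while read -r sum path; do
            f="$tree/${path#./}"
            if [ ! -f "$f" ]; then
                skipped=$((skipped + 1))
                continue
            fi
            checked=$((checked + 1))
            actual=$(md5sum < "$f" | awk '{print $1}')
            if [ "$actual" != "$sum" ]; then
                echo "MISMATCH $path"
                bad=$((bad + 1))
            fi
        done
        echo "checked=$checked skipped=$skipped bad=$bad"
        [ "$bad" -eq 0 ] && [ "$checked" -gt 0 ]
    }
}

# Constructed sample tree (not real Slackware packages) for an offline run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/slackware/a"
    printf 'pkg-one' > "$d/slackware/a/one-1.0-i586-1.txz"
    printf 'pkg-two' > "$d/slackware/a/two-1.0-i586-1.txz"
    {
        echo "These are the MD5 message digests for the files in this directory."
        echo "MD5 message digest                Filename"
        (cd "$d" && md5sum ./slackware/a/*.txz)
        echo "00000000000000000000000000000000  ./source/a/absent.tar.xz"
    } > "$d/CHECKSUMS.md5"
    echo "$d"
}

# Usage: sh verify.sh /mnt/slackware/slackdisk
if [ $# -gt 0 ]; then verify_slack_tree "$1"; fi
```

The checksum list is only as trustworthy as its signature, so import GPG-KEY and run gpg --verify CHECKSUMS.md5.asc CHECKSUMS.md5 in /mnt/slackware/slackdisk before relying on the result.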
When that is done we can do some more prep, and then install.
ln -s /usr/bin/du /bin/du
mkdir /usr/local/sbin
If you did download the source, use
cp /mnt/slackware/slackdisk/source/a/pkgtools/scripts/installpkg /usr/local/sbin/
Otherwise the following two lines..
cd /usr/local/sbin
wget ftp://ftp.slackware.org.uk/slackware/slackware-14.2/source/a/pkgtools/scripts/installpkg
then
chmod +x /usr/local/sbin/installpkg
Note: If you have less than 20GB and did download the source files you will have to do rm -r /mnt/slackware/slackdisk/source to delete the source files, otherwise you'll run out of space in the install.
We should also remove all unwanted kdei packages at this point for the same reason.
cd /mnt/slackware/slackdisk/slackware/kdei
rm `ls|grep -v en_GB`
(change the en_GB to your locale)
If your virtual storage is only 10GB then we will need to delete the install packages when they have been installed to free space
- Option 1. limited storage space (<15G)
- This installs all the packages to the mount point, deleting the install packages as we go to free up space.
cd /mnt/slackware/slackdisk/slackware
# loop over each package series directory (a/, ap/, d/ ...)
for i in */; do
  installpkg --root /mnt/slackware/ /mnt/slackware/slackdisk/slackware/${i}*.t?z
  rm -r /mnt/slackware/slackdisk/slackware/$i
done
- (this will take some while. ignore the warning about tar >1.13 )
- Option 2. (15G or more storage)
- This just installs everything.
installpkg --root /mnt/slackware/ /mnt/slackware/slackdisk/slackware/*/*.t?z
- (this will take some while. Ignore the warning about tar >1.13 )
The install uses about 8.5GB (assuming you choose option 1. )
Because we are not using the slackware main setup installer, we will have to manually do a little bit of extra configuration.
- First to set up an appropriate keymap. All the keymappings can be found in /mnt/slackware/usr/share/kbd/keymaps and their subdirectories. For example, the uk one is found at /mnt/slackware/usr/share/kbd/keymaps/i386/qwerty/uk.map.gz. For this example I'll use uk.map.
- We need to create a rc.keymap file and put it in /etc/rc.d on the destination partition
echo -e "\043\041/bin/sh\n\043 Load the keyboard map. More maps are in /usr/share/kbd/keymaps.\nif [ -x /usr/bin/loadkeys ]; then\n /usr/bin/loadkeys uk.map\nfi\n" >/mnt/slackware/etc/rc.d/rc.keymap
chmod 755 /mnt/slackware/etc/rc.d/rc.keymap
- Now we need to set the timezone
- Find the name and location of your timezone. Look in /mnt/slackware/usr/share/zoneinfo/xxx/yyy where xxx is the region and yyy is the city. For the uk the location is /mnt/slackware/usr/share/zoneinfo/Europe/London
- To apply it we type
ln -sf /usr/share/zoneinfo/Europe/London /mnt/slackware/etc/localtime-copied-from
then
cp -f /mnt/slackware/usr/share/zoneinfo/Europe/London /mnt/slackware/etc/localtime
Part 3. Recording network settings and changing init to handle the xen console
Now we can use the rescue images' dns values
cp /etc/resolv.conf /mnt/slackware/etc/
Let's check the network settings for later.
- This will tell you your assigned ip4 public address (just in case you forgot it)
ifconfig|grep "inet addr"|grep -v "127.0.0.1"|awk -F":" '{print $2}'|awk '{print $1}'
- This will tell you your ip4 netmask
ifconfig|grep Mask|grep -v "127.0.0.1"|awk -F":" '{print $NF}'
- This will tell you your default gateway
route -n|grep UG|awk '{print $2}'
- This will tell you the default bitfolk dns values
cat /etc/resolv.conf |awk '{print $2}'
Make a note of these values for later
Now to enter the new system for final admin work
chroot /mnt/slackware
Here we comment out the tty entries and add the xen hvc entry so we can see what happens from the virtual machine login.
sed -i "s/^c[1-6]/#&/g" /etc/inittab
sed -i "/#c6/a co:12345:respawn:/sbin/agetty 38400 hvc0 linux" /etc/inittab
We also need to allow root to log in on that hvc0 xen terminal
echo "hvc0" >> /etc/securetty
We can set up some kernel vm type magic by creating sysctl.conf. Don't ask me what it does!
echo -e "vm.swappiness = 60\nvm.lower_zone_protection = 100\nvm.vfs_cache_pressure = 200\nvm.min_free_kbytes = 65536\nvm.zone_reclaim_mode =0">/etc/sysctl.conf
Part 4. building a kernel so xen can boot
Now to build a kernel to support xen and to include ext2/3/4 support built in (so we don't need to bother with an initrd)
cd /usr/src/linux
make menuconfig
There are five entries to be changed:
- General setup → Kernel compression mode (Gzip). Xen can only boot gzipped kernels, not LZMA.
- Processor type and features → Linux guest support → Enable paravirtualization code → Xen guest support
- File systems → Second extended fs support (make sure this is a <*> not <M> )
- File systems → Ext3 journalling file system support (make sure this is a <*> not <M> )
- File systems → The Extended 4 (ext4) filesystem (make sure this is a <*> not <M> )
make all -j2
(this will take ages - think hours)
make modules_install -j2
(this is a bit quicker)
cp -a arch/x86/boot/bzImage /boot/
cp -a .config /boot/config
cp -af System.map /boot/
Part 5. Configuring grub and network so pygrub can boot your os
Now set up the grub file read by bitfolk to boot the os
echo -e "default 0\ntimeout 2\ntitle Slackware 14.2\nroot (hd0,0)\nkernel /boot/bzImage root=/dev/xvda1 ro" >/boot/grub/menu.lst
(note that is MENU.LST in lower case)
Now setup fstab (This is all on one line. If you chose to format using ext2 instead of ext3, amend the next line accordingly)
echo -e "/dev/xvda2\tswap\t\tswap\tdefaults\t\t0\t0\n/dev/xvda1\t/\t\text3\tdefaults\t\t1\t1\ndevpts\t\t/dev/pts\tdevpts\tgid=5,mode=620\t\t0\t0\nproc\t\t/proc\t\tproc\tdefaults\t\t0\t0" >/etc/fstab
Now to configure network
netconfig
Fill out the details you obtained earlier. You can add the second dns to /etc/resolv.conf
echo "nameserver 85.119.80.233" >>/etc/resolv.conf
(use the ip value obtained earlier)
The root password for the new virtual machine needs to be set.
passwd root
Put in the password you want to use
We are almost done. Now exit the chroot by typing exit and stop the virtual machine rescue mode by typing halt
Part 6. Running your new installation
You can now run boot at the xen console prompt to start your new installation.
Once you have logged in as root, and before you configure anything else, you can update packages that have been updated to fix security bugs etc.
cd /slackdisk/patches/packages
upgradepkg *.txz
Don't forget to look at any updated configuration files for the packages you have updated, and merge them with the old ones as necessary.
You can also run
rsync -azP --delete rsync.mirrorservice.org::ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ /slackdisk/patches/packages
at any later time which will fetch all the security updated packages to your local drive, where you can then review (and install) them.
fixing ssh root login
Since security updates which came out in early 2016, the default for sshd is to block root password logins. If you want to be able to log in directly as root (with password) you will need to update /etc/ssh/sshd_config by changing the #PermitRootLogin prohibit-password line to PermitRootLogin yes
(note the uncommenting of the line.)
You will also need to remember this change when merging config files after any further security updates to ssh
More stuff to do
You can also cd to /etc/rc.d/ and make executable the rc. scripts that you want to run on startup. eg. httpd (apache), sendmail, mysql (mariadb), saslauthd once you have configured the various server software config files.
See the slackware documentation project for info about setting up and running slackware.
To create and install packages not included with slackware, you may find sbopkg useful.
cd /tmp
wget --no-check-certificate https://github.com/sbopkg/sbopkg/releases/download/0.38.1/sbopkg-0.38.1-noarch-1_wsr.tgz
installpkg sbopkg*
Note that --no-check-certificate turns off TLS certificate verification, so the download is not authenticated; leave the flag off if wget can verify the certificate on your system.
sbopkg will allow you to sync with the slackbuilds.org repository, and allow you to search slackbuilds, and build them, downloading the source as required, and then install them. Make sure to read the readmes and info files for any dependencies you need to install first.
Protecting your ssh login from hackers
A strongly recommended package is DenyHosts. This allows you to block brute force password attacks on ssh. You can get a good how-to on configuring it here. You can install DenyHosts using sbopkg, but you will still have to follow the instructions to configure it for slackware.
You just have to cat /var/log/messages to see all those nasty hackers trying to ssh into your system within minutes of your system being installed. DenyHosts can help keep them at bay.
See also the comment a few paragraphs earlier about openssl which affects ssh as well.
Unfortunately, DenyHosts is not enough. There are hackers using distributed compromised networks to hack open ports on the internet. If you administer your VPS from a location with a fixed ip, the following firewall script might be helpful. Don't forget to change the value of the MYEXTIP variable to your own fixed ip.
#!/bin/sh
#firewall start/stop restart load save
#chains are INPUT OUTPUT and FORWARD
#actions are ACCEPT DROP or REJECT
#
# Copyright 2019 Tim Dickson.
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
# permitted provided that the following conditions are met:
#
# 1. Redistributions of this script must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

FWSAVE=/etc/firewall.conf
FWSAFEIPS=/etc/firewall.safeips
FWP=/usr/sbin/iptables
LOOPBACK="localhost"
LOCALLAN="localnet/24"
#local lan should be 192.168.0.0/16 or 172.16.0.0/12 or 10.0.0.0/8
MYEXTIP="aa.bb.cc.dd"
#we want to block remote incoming ssh connections
#apart from allowed ip's

if ! [ -x $FWP ]; then
  echo "iptables not executable. quitting..."
  exit 1
fi

initialise() {
  #set defaults to open
  $FWP --policy INPUT ACCEPT
  $FWP --policy OUTPUT ACCEPT
  $FWP --policy FORWARD ACCEPT
  #clear (flush) all chains
  $FWP -F
}

loadfw() {
  if [ -f $FWSAVE -a -r $FWSAVE ]; then
    ${FWP}-restore <$FWSAVE
    echo "loaded $FWSAVE"
    return 0
  else
    echo "no $FWSAVE to load"
    return 1
  fi
}

savefw() {
  ${FWP}-save >$FWSAVE
}

startfw() {
  initialise
  if ! loadfw; then
    echo "starting firewall with defaults"
    #allow known external ip to ssh
    if [ -f $FWSAFEIPS -a -r $FWSAFEIPS ]; then
      #read ips from SAFEIPS ignoring lines beginning with #
      #the first word is assumed to be an ip4 address with 3 dots
      CNT=0
      for i in `cat $FWSAFEIPS|grep -v "^#"|awk '{print $1}'`; do
        if [ "x$i" != "x" -a `echo $i|awk -F'.' '{print NF}'` -eq 4 ]; then
          echo "adding safe ip $i to firewall to allow ssh access"
          $FWP -A INPUT -p tcp --dport 22 -s $i -j ACCEPT
          CNT=`expr $CNT + 1`
        fi
      done
      if [ $CNT -lt 1 ]; then
        #there weren't any usable ips in the file, so use this script value
        echo "added $MYEXTIP to firewall to allow ssh access"
        $FWP -A INPUT -p tcp --dport 22 -s $MYEXTIP -j ACCEPT
      fi
    else
      echo "added $MYEXTIP to firewall to allow ssh access"
      $FWP -A INPUT -p tcp --dport 22 -s $MYEXTIP -j ACCEPT
    fi
    #allow local machine to ssh
    echo "allow loopback (local machine) connections on $LOOPBACK"
    $FWP -A INPUT -p tcp --dport 22 -s $LOOPBACK -j ACCEPT
    #allow local lan to ssh
    echo "allow local lan connections on $LOCALLAN"
    $FWP -A INPUT -p tcp --dport 22 -s $LOCALLAN -j ACCEPT
    #block everyone else
    echo "drop all other connections to ssh port"
    $FWP -A INPUT -p tcp --dport 22 -j DROP
  else
    echo "previously saved firewall rules $FWSAVE loaded"
  fi
}

case "$1" in
  'start')
    startfw
    ;;
  'stop')
    initialise
    ;;
  'restart')
    startfw
    ;;
  'save')
    savefw
    ;;
  'load')
    loadfw
    ;;
  'delete')
    #this deletes any saved firewall rules, and clears the firewall
    rm -f $FWSAVE
    initialise
    ;;
  *)
    echo "usage $0 start|stop|restart|load|save|delete"
    echo "start firewall, blocking remote ssh with exceptions"
    echo "stop clears all rules leaving firewall open"
    echo "restart is the same as start"
    echo "load loads previously saved rules from $FWSAVE"
    echo "save saves current rules to $FWSAVE"
    echo "delete removes any saved rules and clears current firewall"
esac
Save the file as /etc/rc.d/rc.firewall and make it executable with
chmod +x /etc/rc.d/rc.firewall
- Make sure you have your (not at bitfolk) public ip in MYEXTIP
- If you want access from a group of ip's, save a file in /etc/firewall.safeips containing one ip address per line
- Run /etc/rc.d/rc.firewall start once.
- Then run /etc/rc.d/rc.firewall save once (this speeds up future loading of rules)
- It will be run automatically by /etc/rc.d/rc.inet2 on startup.
If you want to change the contents of /etc/firewall.safeips then do so with your favourite editor, and run
/etc/rc.d/rc.firewall delete
followed by
/etc/rc.d/rc.firewall start
and
/etc/rc.d/rc.firewall save
This ensures your new rules are the ones autoloaded at startup.
This firewall makes your ssh service invisible to all but you connecting, from your own fixed ip. You will probably want to add all sorts of rules for any other services running on your VPS to the script; man iptables is a useful source of information.
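The safe-IP loop in the script accepts any first word that has four dot-separated fields, and iptables -s also takes host names, so a line that is not really an IPv4 address can still end up as an ACCEPT rule. A stricter reader for /etc/firewall.safeips follows, as an added example that is not part of the original script; valid_ipv4, safe_ips and the sample file are names and data made up here.

```shell
#!/bin/sh
# Added example: stricter reading of /etc/firewall.safeips. iptables -s also
# accepts host names, so "four dot-separated fields" is not enough to know
# that a line is an IPv4 address.

# valid_ipv4 ADDR: succeeds only for a dotted quad with octets 0-255 and
# no leading zeros (which some parsers read as octal).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# safe_ips FILE: print the usable addresses, one per line; report the rest
# on stderr. Comment lines and anything after the first word are ignored.
safe_ips() {
    while read -r ip _rest || [ -n "$ip" ]; do
        case $ip in ''|'#'*) continue ;; esac
        if valid_ipv4 "$ip"; then
            echo "$ip"
        else
            echo "rejected: $ip" >&2
        fi
    done < "$1"
}

# Constructed sample file (documentation address ranges, made-up host name).
make_sample_safeips() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# office and home
203.0.113.7    office
host.example.co.uk
999.1.1.1
198.51.100.20
192.0.2.010
EOF
    echo "$f"
}

# In startfw the loop would become: for i in $(safe_ips "$FWSAFEIPS"); do ...
if [ $# -gt 0 ]; then safe_ips "$1"; fi
```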
Comments:
- You will notice I haven't used pico or nano to edit any files during setup. This is because Ctrl-O (used to save changes in nano or pico) is interpreted by the xen console instead. Once your system is up and running, you can log in to your VM via ssh, and use pico/nano as much as you like. It is only when logging in to the xen console that there is the limitation.
- If you mess up in the xen console and want to get back to the xen console prompt, type ctrl-] and press enter. You can then halt or boot or enter rescue mode as needed.
- You can run most of the official installer actions once you have booted into your new slackware system. As root, type pkgtool and select setup. You can pick the setup scripts you want to run. Just make sure you don't reinstall the kernel, or you'll have to copy your new one over it again.