Datacenter provisioning - Installation of the DEBIAN operating system - [Raspberry PI/Rock64]

(**) Translated with www.DeepL.com/Translator

[ LEVEL ] Beginner
This procedure installs a Linux DEBIAN system on a Raspberry PI or Rock64 unit. Other distributions can be used, but they are not covered by this documentation (Debian forever :-) ).

Prerequisites

To perform this operation you must:

  • have an Internet connection
  • have a computer with a Linux operating system (the use of Windows or macOS is not covered in this documentation)
  • have an SD card reader
  • have a Raspberry Pi or Rock64 unit
  • know how to execute a command in a Linux console
  • be logged in as “root” in the console (sudo users: type sudo bash)

Downloading the bootable image

Choose official bootable images, maintained by the Debian organization or the RaspberryPI Foundation. An “unofficial” image can carry backdoors or viruses of all kinds.
The official website for Debian is here, the RaspberryPI Foundation website here

From a console use the “wget” command to download the iso image:

wget [URL of the iso image]

Raspberry PI

Download a minimal image that will only implement what is necessary to start a unit.

Raspberry PI - RaspberryPI Foundation

Go to the page. Download the LITE version.

Raspberry PI - DEBIAN Organization

Official documentation: follow the procedure

Rock64

I use the Armbian distribution, go to the page. Download the “Buster Server” version
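
One way to check the integrity of a download before using it, as an added example that is not part of the original page. It assumes the publisher offers a checksum file in sha256sum format beside the image; verify_image and the file names in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page).
# Assumption: the publisher's checksum file uses the sha256sum format
#   <hex digest>  <file name>
# and was downloaded from the official site over HTTPS.

# verify_image IMAGE CHECKSUM_FILE
# Returns 0 when the SHA-256 of IMAGE matches its entry in CHECKSUM_FILE,
# 1 on a mismatch, 2 when a file is unreadable or IMAGE has no entry.
verify_image() {
    image=$1
    sums=$2
    [ -r "$image" ] && [ -r "$sums" ] || return 2
    name=$(basename "$image")
    # Find the digest recorded for this file name ("*name" marks binary mode).
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Usage (hypothetical file names):
#   verify_image image.img.xz SHA256SUMS && echo "checksum OK"
# A matching checksum only proves the file equals what the checksum file
# describes; when the publisher signs that file, check the signature too
# (gpg --verify) before trusting it.
```

Run the check on the file exactly as downloaded, before decompressing it, because the published digest covers the compressed archive.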

Manipulation after downloading

The downloaded files are generally compressed, so they are not directly usable.

The downloaded file ends with “img”

Nothing to do

The downloaded file ends with “iso”

Nothing to do

The downloaded file ends with “zip”

Install the “unzip” package

apt-get -y install unzip

Unzip the archive

unzip [name of the downloaded file]

The downloaded file ends with “7z”

Install the “p7zip” package

apt-get -y install p7zip

Unzip the archive

p7zip -d [name of the downloaded file]

The downloaded file ends with “tar.gz”

Install the “tar” and “gzip” packages

apt-get -y install tar gzip

Unzip the archive

tar xvf [name of the downloaded file]

The downloaded file ends with “.gz”

Install the “gzip” package

apt-get -y install gzip

Unzip the archive

gzip -d [name of the downloaded file]

After decompression

It is quite possible that the decompression operation has created a new directory, which contains an “img” or “iso” file. In this case, move to this directory:

cd [name of the new directory]

Copying the ISO image to the SD card

Insert an SD card of at least 16GB, in order to have some space to work.
CAUTION: If this card contains data, the data will be permanently lost after this operation.
To easily find the name of this “device”, use the dmesg command:

# Open a command window (terminal)
# Insert the SD card
# type:
dmesg

[131875.354612] mmc0: new SD card at address 0001
[131875.355265] mmcblk0: mmc0:0001 16GB 16 GiB

In my case it is the device “mmcblk0”, accessible through the file “/dev/mmcblk0”.

# in the directory of the downloaded image, type :
ls 
# lists the files in this directory, locate the image file previously downloaded
# copy of the image on the SD card - use of the dd command
# dd if=[name of the downloaded image file] of=/dev/[device SD card obtained with dmesg] bs=4096 status=progress
# dd : command
# if : source
# of : destination
# bs : number of bytes read and written at once
# status=progress: allows you to display the progress of the copy
# Example: the file contained in the downloaded archive is named Armbian_5.98_Rock64_Debian_buster_default_4.4.192_minimal.img
# my device SD card : /dev/mmcblk0
dd if=Armbian_5.98_Rock64_Debian_buster_default_4.4.192_minimal.img of=/dev/mmcblk0 bs=4096 status=progress
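
A guard and a read-back check around the dd copy above, as an added example that is not part of the original page. The function names is_mounted and verify_write are illustrative; the device and image names in the usage comment are the ones from the page's example.

```shell
#!/bin/sh
# Added example (not from the original page): guard and verify the dd copy.

# is_mounted DEVICE [MOUNTS_FILE]
# True when DEVICE or one of its partitions appears in the mount table;
# writing an image over a mounted card corrupts it.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# verify_write IMAGE DEVICE
# Compares IMAGE with the first size-of-IMAGE bytes of DEVICE (the card is
# usually larger than the image). Returns 0 if identical, 1 if they differ,
# 2 if an argument is unreadable.
verify_write() {
    image=$1
    device=$2
    [ -r "$image" ] && [ -r "$device" ] || return 2
    size=$(( $(wc -c < "$image") ))
    head -c "$size" "$device" | cmp -s - "$image"
}

# Usage with the names from the page's example (as root):
#   IMG=Armbian_5.98_Rock64_Debian_buster_default_4.4.192_minimal.img
#   is_mounted /dev/mmcblk0 && echo "unmount the card before writing"
#   dd if="$IMG" of=/dev/mmcblk0 bs=4096 status=progress
#   sync   # flush cached writes to the card
#   verify_write "$IMG" /dev/mmcblk0 && echo "card matches the image"
# Remove and re-insert the card before verifying so the bytes are read from
# the card itself and not from the kernel's cache.
```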

System startup

Insert the SD card into the unit. If you have a display, connect it and the keyboard to the unit. Power it on, and off you go… If you do not have a display or keyboard, you must connect the unit to the network (RJ45 cable). The unit will start, obtain a network address and be reachable by means of the “ssh” command.

System connection

If you have a screen/keyboard, no problem: the screen displays “login:”.
For network use, you must know the IP address assigned to the system. I don’t have a miracle solution: you can use a network scanner (nmap), or you can connect to the router that provides the DHCP service. This service is responsible for distributing IP addresses over the network and keeps a record of them.

To detect the machine with a network scanner, from your PC connected to the local network, install the “nmap” package

apt-get -y install nmap

Detect the network on which you are connected:

ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b9:ca:cf:fd:0b:3f brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.124/24 brd 192.168.10.255 scope global dynamic noprefixroute eth0
       valid_lft 72589sec preferred_lft 72589sec

My network card is eth0 and it is connected. It has the IP address 192.168.10.124 with a /24 mask (255.255.255.0). Applying the mask gives my network, 192.168.10.0. I will scan port 22 (ssh) on this network with the nmap command, replacing the last 0 with “*”:

nmap -p 22 192.168.10.*
Nmap scan report for 192.168.10.126
Host is up (0.00049s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: b3:0d:f8:e0:18:18 (Raspberry Pi Foundation)

The scanner has found a Raspberry Pi unit.

Example for a Rock64: nmap does not recognize the type

Nmap scan report for 192.168.10.126
Host is up (0.00073s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: b3:0d:f8:e0:18:18 (Unknown)

Authentication

Downloaded images come with a default account and password. For Raspbian (Raspberry PI) the account is “pi” and the password is “raspberry”. For the Armbian distribution (Rock64) the account is “root” and the password is “1234”.

With a screen/keyboard

Type the account name, press Enter, then type the password and press Enter.

Through the network

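Use the “ssh [IP Address]” command, example:

ssh 192.168.10.126
# Accept the fingerprint and use the default account/password
# Without an account name, ssh logs in with your local user name (here “root”);
# to choose the account, use ssh [account]@[IP Address], for example ssh pi@192.168.10.126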

Post-connection

The first thing to do is to change the password of the login account: “pi” for Raspberry, “root” for Rock64. Use the “apg” password generator:

apt-get -y install apg
apg
QuanhaverOv0 (SEMICOLON-Quan-hav-er-Ov-ZERO)
5Gryptaphod| (FIVE-Grypt-aph-od-VERTICAL_BAR)
Be=slyes5 (Be-EQUAL_SIGN-slyes-FIVE)
AkCawf\OsOc6 (Ak-Cawf-BACKSLASH-Os-Oc-SIX)
CribMiph5od] (Crib-Miph-FIVE-od-RIGHT_BRACKET)
orth5Ov4og[ (orth-FIVE-Ov-FOUR-og-LEFT_BRACKET)

Choose and remember one of the proposed passwords and execute the “passwd” command:

passwd [enter]
Enter new UNIX password: [type password, enter]
Retype new UNIX password: [type password, enter]
passwd: password updated successfully

You can check which accounts have a password:

cat /etc/shadow
root:$6$gHcL4KU]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.n9bALxIHOU2ND.:18183:0:99999:7:::
daemon:*:18183:0:99999:7:::
bin:*:18183:0:99999:7:::
sys:*:18183:0:99999:7:::
sync:*:18183:0:99999:7:::
games:*:18183:0:99999:7:::
man:*:18183:0:99999:7:::
lp:*:18183:0:99999:7:::
mail:*:18183:0:99999:7:::
news:*:18183:0:99999:7:::
uucp:*:18183:0:99999:7:::

Here, only the “root” account has a password, so only “root” can log in to this system. On a DEBIAN server it is impossible to log in with an account that does not have a password.
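
The check described above, as an added example that is not part of the original page. It classifies each /etc/shadow entry and also covers two cases the listing does not show: a field starting with “!” (locked password) and an empty field (no password stored). The function names and the sample lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit the password field
# (second field) of /etc/shadow entries.

# shadow_status [FILE]   ("-" reads standard input, default /etc/shadow)
# Prints "<account> <status>" for every entry.
shadow_status() {
    awk -F: '
        NF < 2        { next }                      # skip malformed lines
        $2 == ""      { print $1, "EMPTY"; next }   # no password required
        $2 ~ /^[*!]/  { print $1, "locked"; next }  # no hash can match
                      { print $1, "password" }      # a password hash is set
    ' "${1:-/etc/shadow}"
}

# unlocked_accounts [FILE]: accounts whose password field permits a login.
# Every name listed here should be one you expect; EMPTY entries need
# a password set or the account locked.
unlocked_accounts() {
    shadow_status "$@" | awk '$2 != "locked" { print $1 }'
}

# Constructed sample in the same format as the listing (not real hashes).
sample_shadow() {
    cat <<'EOF'
root:$6$constructedsalt$constructedhash:18183:0:99999:7:::
daemon:*:18183:0:99999:7:::
backup:!:18183:0:99999:7:::
guest::18183:0:99999:7:::
EOF
}

# Usage:
#   sample_shadow | shadow_status -     # try it on the constructed sample
#   unlocked_accounts                   # as root, on the real /etc/shadow
```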

Installation of packages

Your system has the bare minimum installed. You can practice using commands: list the contents of a directory, create files, etc. This documentation does not cover this learning. For the uninitiated, I advise reading The Debian Administrator’s Handbook.

Retention of the downloaded image

If the system starts normally, keep the downloaded image carefully. We will see that this image may be necessary for a complete restoration of the system from the BackupPC backup software (see the data security section). This image can also be used later for a security audit: some backdoors and viruses are detected long after they were put in place. It will let you establish more quickly how long your system has been compromised, and better assess the impact of the incident.
We will also see the usefulness of keeping this image when implementing automated server installations with network startup.
