Debian on a USB stick


debian 12 live boot usb stick

  • 1st Partition: Size: 200 MB - Use As: EFI Partition (no other options will be available once this is chosen, it will be set to FAT32 and mounted at /boot/efi)
  • 2nd Partition: Size: 1 GB - Use As: Ext4 - Mount point: "/boot" (static files)
  • 3rd Partition: Size: remaining free space - Use As: Physical Volume for Encryption

(done)

  • Scroll up to "configure encrypted volumes" > write changes, then "create encrypted volumes."
    • Select "partition" > "finish"
    • Create your encryption password
  • Scroll to "encrypted volume" and select the partition listed beneath to edit it.
    • Set mount point to "/" (root) > done setting up partition
    • Finish partitioning and write changes to disk (finally! But wait, there's more!!)
    • The installer will ask if you want to return to create a swap partition. Select "no"
  • Write changes. This will commence the actual installation.

install EFI

# NOTE(review): every command here assumes the USB stick is /dev/sda — confirm the
# device name (e.g. with lsblk) before running, since the same name on another
# machine may be an internal disk.

# Unlock the encrypted third partition; the decrypted device appears as /dev/mapper/mnt.
cryptsetup luksOpen /dev/sda3 mnt
# Mount the decrypted root first, then /boot (sda2) and the EFI partition (sda1) beneath it.
mount /dev/mapper/mnt /mnt && mount /dev/sda2 /mnt/boot && mount /dev/sda1 /mnt/boot/efi
# Bind the running system's /dev, /dev/pts, /proc and /sys into the target tree.
mount --bind /dev /mnt/dev && mount --bind /dev/pts /mnt/dev/pts && mount --bind /proc /mnt/proc && mount --bind /sys /mnt/sys
# Commands typed after this line run inside the installed system until "exit".
chroot /mnt

grub-install --target=x86_64-efi /dev/sda
grub-install --recheck /dev/sda

exit 

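# Unmount in reverse order of mounting. /mnt/boot/efi and /mnt/boot were mounted
# under /mnt earlier and must be released first, otherwise "umount /mnt" fails as busy.
umount /mnt/sys && umount /mnt/proc && umount /mnt/dev/pts && umount /mnt/dev && umount /mnt/boot/efi && umount /mnt/boot && umount /mnt
# Close the LUKS mapping opened as "mnt" so the decrypted root is no longer
# available on the machine used for the install.
cryptsetup luksClose mnt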

try and reduce writes to root

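Add the following lines to /etc/fstab. Everything under these mount points is then kept in RAM and lost at shutdown, including the system logs, so nothing is left to review after a reboot. A tmpfs mount defaults to mode 1777 (world-writable with the sticky bit); consider adding mode=0755 to the /var/log entries so that unprivileged users cannot create files there.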

tmpfs           /tmp            tmpfs   nosuid,nodev         0       0
tmpfs           /var/log        tmpfs   nosuid,nodev         0       0
tmpfs           /var/tmp        tmpfs   nosuid,nodev         0       0
tmpfs           /var/log/journal        tmpfs   nosuid,nodev         0       0
tmpfs           /var/log/gdm3        tmpfs   nosuid,nodev         0       0

old

The same principles can be used to create a minimal debian install without encryption.


This is similar in size yet more up to date than DSL.

http://feraga.com/project/deb2flash

note use --help for options - has single partition unencrypted, two partitions, one encrypted...

historic info - useful if feraga is down

Content from Feraga with some minor tweaks for testing - lenny


apt-get install cryptsetup dmsetup parted debootstrap grub

sda1: unencrypted boot partition; sda2: root filesystem

mkfs.ext2 /dev/sda1
tune2fs -c0 -i0 /dev/sda1 # optionally turn off filesystem checks

cryptsetup luksFormat /dev/sda2 # overwrites whatever is on sda2; confirm by typing YES in capitals
cryptsetup luksOpen /dev/sda2 rootfs

mkfs.ext2 /dev/mapper/rootfs 
tune2fs -c0 -i0 /dev/mapper/rootfs # optionally turn off filesystem checks

mkdir /mnt/buildroot 
mount -t ext2 /dev/mapper/rootfs /mnt/buildroot 

mkdir /mnt/buildroot/boot 
mount /dev/sda1 /mnt/buildroot/boot

debootstrap --arch i386 lenny /mnt/buildroot

mount -o bind /dev/ /mnt/buildroot/dev 
mount -o bind /dev/pts /mnt/buildroot/dev/pts 
mount -o bind /sys /mnt/buildroot/sys

# Print the UUID of each partition. Note both values: the /etc/fstab and
# /etc/crypttab entries further down have <uuid for sda1> and <uuid for sda2>
# placeholders that take them.
/lib/udev/vol_id -u /dev/sda1 
/lib/udev/vol_id -u /dev/sda2

chroot /mnt/buildroot /bin/su -l

Create /etc/fstab with the below:

#/etc/fstab: static file system information.
#
/dev/mapper/rootfs  /          ext2    defaults,errors=remount-ro,noatime 0 1
UUID=<uuid for sda1> /boot ext2 defaults,noatime,ro  0 1
none            /proc          proc    defaults                           0 0
tmpfs           /tmp           tmpfs   defaults,noatime                   0 0
tmpfs           /var/lock      tmpfs   defaults,noatime                   0 0
tmpfs           /var/log       tmpfs   defaults,noatime                   0 0
tmpfs           /var/run       tmpfs   defaults,noatime                   0 0

/etc/apt/apt.conf.d/30remount_readwrite

DPkg
{
    Pre-Invoke {
        "mount -o remount,rw /boot;" }
    Post-Invoke {
        "mount -o remount,ro /boot;" }
}

mount -a

Change flash to your hostname:

/etc/hosts

127.0.0.1 localhost.localdomain localhost flash

/etc/hostname

flash

/etc/apt/sources.list

deb http://ftp.debian.org/debian sid main non-free contrib

create script for log directory structure:

/etc/rcS.d/S37feraga-init.sh.

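#!/bin/sh
#
# Feraga init script: recreates directories that do not survive a reboot.
#
# The banner printed by "start" states that /var/log is on tmpfs, so its
# subdirectories have to be created again each time the system comes up.
#
# Arguments: $1 - action, either "start" or "stop"
# Outputs:   progress messages on stdout, usage text on stderr
# Returns:   exits 1 on an unknown or missing action

case "$1" in
    start)
        echo
        echo "Feraga"
        echo "-Recreating required subdirectories on /var/log (tmpfs)"

        # /var/log subdirectories.
        mkdir -p /var/log/fsck
        mkdir -p /var/log/ksymoops
        mkdir -p /var/log/news

        # The per-package directories below are only created when the
        # package's binary is present on this system.

        # Example for the mixmaster anonymous remailer
        if [ -f /usr/bin/mixmaster ] ; then
            mkdir -p /var/log/mixmaster
        fi

        # Example for the Tor proxy
        if [ -f /usr/sbin/tor ] ; then
            mkdir -p /var/log/tor
        fi

        # Example for Privoxy
        if [ -f /usr/sbin/privoxy ] ; then
            mkdir -p /var/log/privoxy
        fi

        # Apt archive subdirectories.
        mkdir -p /var/cache/apt/archives/partial

        echo "-done."
        echo
        ;;
    stop)
        echo "Feraga shutting down."
        # Add anything that needs to happen at shutdown here.
        echo
        ;;
    *)
        # Unknown or missing action: name this script in the usage text
        # and report it on stderr rather than stdout.
        echo "Usage: $0 {start|stop}" >&2
        exit 1
        ;;
esac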
apt-get update

apt-get install initramfs-tools
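Kernel modules to load from the initramfs (a list like this normally goes in /etc/initramfs-tools/modules):
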
usbcore
ehci-hcd
ohci-hcd
uhci-hcd
usbhid
ide-core
scsi_mod
usb-storage
mbcache
ext2
ide-cd
ide-disk
ide-generic
sd_mod

Configure /etc/initramfs-tools/initramfs.conf

# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
MODULES=most
BUSYBOX=y
BOOT=local
DEVICE=eth0
NFSROOT=auto
apt-get install cryptsetup dmsetup hashalot
cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/

/etc/crypttab: replace the <uuid for sda2> with your uuid

# <target name> <source device> <key file> <options>
rootfs /dev/disk/by-uuid/<uuid for sda2> none luks


edit /etc/initramfs-tools/scripts/local-top/cryptroot to allow for USB detection.

    modprobe -q dm_crypt  ## After this line add the following.

    # Add delay
    message "Sleeping for 5 seconds to allow USB detection."
    sleep 5
    message "Awake, attempting to mount encrypted partitions."

in chroot shell

mount -o remount,rw /boot
apt-get install grub

Next from outside the chroot:

grub-install --recheck --root-directory=/mnt/buildroot /dev/sda 

Edit /boot/grub/menu.lst and add this simplified configuration:

# default num
default         0

# timeout sec
timeout         5

# pretty colours
color green/black black/green

### BEGIN AUTOMAGIC KERNELS LIST

## ## Start Default Options ##

# kopt=root=/dev/mapper/rootfs ro
# groot=(hd0,0)
# alternative=true
# lockalternative=false
# defoptions=
# lockold=false
# howmany=all
# memtest86=true
# updatedefaultentry=false

## ## End Default Options ##

### END DEBIAN AUTOMAGIC KERNELS LIST
grub
root (hd1,0)
setup (hd1)
quit

rm -f /boot/grub/device.map

/etc/kernel-img.conf

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes        ## <--- Verify this line
link_in_boot = yes
postinst_hook = /sbin/update-grub
postrm_hook   = /sbin/update-grub

apt-get install linux-image-686

apt-get remove linux-image-686

apt-get clean

passwd

umount -a


to update the scripts in initramfs:

update-initramfs -u