Size: 1201
Comment: try running artifactory
|
Size: 6636
Comment: complete build notes for azusa
|
Deletions are marked like this. | Additions are marked like this. |
Line 1: | Line 1: |
= asval = | ## page was renamed from servers/asval = azusa = |
Line 3: | Line 4: |
* Raspbian on RPi Model 3B+ * debian stretch (9.11) x64 * ansible managed where possible |
* RPi Model 3B+ (aarch64, 4-core, 1gb RAM) * RPi OS Lite 64-bit (Bookworm) * LAN MAC `b8:27:eb:8c:f4:f8` |
Line 8: | Line 9: |
<<TableOfContents>> | |
Line 9: | Line 11: |
== local work == | == Build notes == |
Line 11: | Line 13: |
* Wireguard server to LAN for remote access * JFrog Artifactory to mirror the very slow upstream mirror |
This is the most generic stuff to do for initial setup, before tweaking it to a specific use. === OS imaging === Using the Raspberry Pi Imager app, start with the current '''RPi OS Lite 64-bit''', which is Debian bookwork 12.2, suitable for the RPi 3B+ It lets you make some customisations before flashing, which is really nice: * Set hostname to azusa * Enable SSH * Password auth (I would use SSH keys but it didn't work right for me and I couldn't sudo later) * Set username and password * `furinkan // <something new>` * No WLAN * Set locale to Australia/Sydney, us keyboard * Disable telemetry Prepare DHCP server with static address for the LAN MAC address (should already be in place). Put in the card and let it boot, should be fairly quick. === First login === 1. Login as `furinkan@azusa` and copy your SSH key there {{{ ssh-keygen -t ed25519 # Enter 3 times touch ~/.ssh/authorized_keys chmod 0600 ~/.ssh/authorized_keys vi ~/.ssh/authorized_keys }}} 1. sudo up and copy your SSH key to root's account as well, use the same commands again 1. Login again directly as root 1. Install base packages {{{ apt install -y vim git screen ack }}} 1. Edit `/etc/pam.d/sshd` and remove `user_readenv=1`, this will keep the logs tidy 1. Configure vim {{{ cat <<EOF > ~/.vimrc set nocompatible syntax on set background=dark set hlsearch set modeline set scrolloff=3 EOF }}} 1. Configure shell * Edit `/root/.bashrc` to enable colours * Set the default editor to vim.basic: {{{ update-alternatives --config editor }}} |
Line 15: | Line 65: |
== IPv6 == | === Disable wifi and bluetooth and other stuff === |
Line 17: | Line 67: |
Autoconfigured | I'm using azusa as a network appliance, so I don't need the radios: https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/ Also see the notes for RPi4, because the OS has changed in the meantime too: https://sleeplessbeastie.eu/2022/06/01/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-4/ 1. Add dtoverlays to your `/boot/config.txt` to disable the radios: {{{ cat <<EOF >> /boot/config.txt dtoverlay=disable-wifi dtoverlay=disable-bt EOF }}} 1. Let's also disable sound {{{ sed -r -i 's,^dtparam=audio=on$,dtparam=audio=off,' /boot/config.txt }}} 1. Disable bluetooth and modem services {{{ systemctl disable --now hciuart systemctl disable --now bluetooth.target systemctl disable --now bluetooth.service systemctl disable --now ModemManager.service }}} 1. Nuke the software packages as well {{{ apt purge -y bluez bluez-firmware wpasupplicant rm -rfv /etc/wpa_supplicant apt autoremove -y }}} 1. No keyboard means no hotkeys needed {{{ apt purge -y triggerhappy }}} 1. Reboot |
Line 20: | Line 97: |
== Ansible == | === Fix IPv6 SLAAC address === |
Line 22: | Line 99: |
Local repo on filesystem with lots of adhoc code. == jfrog artifactory == * Downloaded jfrog-artifactory-oss-6.13.1.deb and installed * Won't bother with a separate database, just use embedded Derby DB * Will use default filestore, but on a mounted NFS volume for convenience and maybe speed |
WhyTF am I not getting an EUI-64-based IPv6 SLAAC address now? It's worked every time before. Looks like our network config uses !NetworkManager, so we need to configure that. It seems like it's not using privacy addresses, but it ''is'' doing stable-privacy now, which I don't want. |
Line 31: | Line 102: |
I think $ARTIFACTORY_HOME is /var/opt/jfrog/artifactory root@asval:/var/opt/jfrog/artifactory# ln -s /mnt/nfsdata/artifactory_data data Now data lives on the NFS mount |
cat <<EOF > /etc/NetworkManager/conf.d/ip6-privacy.conf [connection] ipv6.ip6-privacy=0 ipv6.addr-gen-mode=0 EOF |
Line 38: | Line 109: |
Default credentials are admin // password | Then reboot again. |
Line 40: | Line 111: |
Follow the Linux directions here: https://www.jfrog.com/confluence/display/RTF/Installing+on+Linux+Solaris+or+Mac+OS | The mode is now "default" instead of "eui64" as I would've expected (`nmcli connection show Wired\ connection\ 1 | grep addr-gen`), and I've no idea what that default is, but I don't care because it works now. |
Line 42: | Line 113: |
* JDK 8 is supported, I've got OpenJDK 8u232-b09-1~deb9u1 * Tune the JVM downwards in `/etc/opt/jfrog/artifactory/default` because I don't think they expected it to run on a small 32-bit host. I've set `-Xmx` from 4g to 1g. |
Read here for references: * https://github.com/coreos/fedora-coreos-tracker/issues/907 * https://developer-old.gnome.org/NetworkManager/stable/settings-ipv6.html * https://askubuntu.com/questions/1268900/what-is-setting-my-ipv6-addr-gen-mode === Other tweaks === 1. Using `raspi-config`: * System -> Audio -> pass out through HDMI * Display -> Screen blanking -> Disable it * Then exit and let it reboot 1. Configure screen {{{ curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc }}} 1. Configure `top`: `z x c s 1.5 <Enter> e 0 1 W q` === Configure hardware RTC === I've installed the Jaycar XC-9044 RPi realtime clock RTC, it's apparently a good clock chip with a little battery (or something). Most models using this chip have a spot for a watch battery, but this one has a tiiiiny little thing soldered on the board. I hope it's decent. 1. Physically install the module on the 3V3 plus I2C pins 1. Enable i2c with `raspi-config`, it's in `Interface Options -> I2C -> Enable` * You can also do it yourself if you want: 1. Comment out any blacklist entries for `i2c[-_]bcm2708` in `/etc/modprobe.d/raspi-blacklist.conf` 1. Load the module at boot: {{{ echo i2c-dev >> /etc/modules }}} 1. Uncomment/add `dtparam=i2c_arm=on` in `/boot/config.txt` 1. Activate it now: {{{ modprobe i2c-dev }}} 1. Reboot now, it can't hurt 1. Install i2c tools {{{ apt install -y i2c-tools }}} 1. Detect the device on i2c bus: `i2cdetect -y 1` * Should appear at 0x68 1. Enable the kernel driver for it, or something, by adding a devicetree overlay {{{ echo "dtoverlay=i2c-rtc,ds3231" >> /boot/config.txt }}} 1. Reboot again to load the device tree overlay that we just configured 1. Again detect the device on i2c bus: `i2cdetect -y 1` * Should appear at 0x68, BUT with "UU" at the address this time 1. Remove the fake hardware clock {{{ systemctl disable fake-hwclock --now apt purge -y fake-hwclock }}} 1. 
In theory everything just works now thanks to a udev rule: https://www.raspberrypi.org/forums/viewtopic.php?t=209700 {{{ root@azusa:~# cat /lib/udev/rules.d/85-hwclock.rules # Set the System Time from the Hardware Clock and set the kernel's timezone # value to the local timezone when the kernel clock module is loaded. KERNEL=="rtc0", RUN+="/usr/lib/udev/hwclock-set $root/$name" }}} 1. Install chrony so it manages the hardware clock {{{ apt install -y chrony }}} It'll do the rest once it's installed and synced. Try some commands to see how it's fairing: {{{ chronyc sources chronyc tracking }}} === Save a copy === Optionally take a backup image of the fully configured system, by putting the card in another machine and shrinking the filesystem {{{ e2fsck -f /dev/mmcblk0p2 resize2fs /dev/mmcblk0p2 2G dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | pigz --fast > "$(date +%Y-%m-%d)_azusa_pristine_config.img.gz" }}} |
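Review bot: In the First login steps, password auth is enabled in the imager and nothing later turns it off, even though keys are installed for both furinkan and root and the following step logs in directly as root. Once key login is confirmed, add a step that sets `PasswordAuthentication no` and `PermitRootLogin prohibit-password` in sshd_config and reloads sshd. Also, `ssh-keygen -t ed25519` creates a new private key on the appliance, which is not needed just to paste a public key into authorized_keys; `mkdir -m 0700 ~/.ssh` is enough.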
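Review bot: In Other tweaks, `curl -o ~/.screenrc …/raw/.screenrc` runs as root and saves whatever the gist contains at that moment, with no revision pinned and no `-f`, so an HTTP error body would be written as the config. Pin the URL to a specific gist revision, or keep the file somewhere under your own control, and use `curl -fsSL -o`.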
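Review bot: In Save a copy, `resize2fs /dev/mmcblk0p2 2G` leaves a 2048 MiB filesystem but `dd bs=4M count=600` copies only the first 2400 MiB of the card, so the image is complete only if partition 2 starts within the first 352 MiB. Check the start sector of mmcblk0p2 with `fdisk -l /dev/mmcblk0` and derive `count` from start plus filesystem size; the partition table inside the image will also still describe the full-size partition.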
azusa
- RPi Model 3B+ (aarch64, 4-core, 1gb RAM)
- RPi OS Lite 64-bit (Bookworm)
- LAN MAC b8:27:eb:8c:f4:f8
- located at home
Build notes
This is the most generic stuff to do for initial setup, before tweaking it to a specific use.
OS imaging
Using the Raspberry Pi Imager app, start with the current RPi OS Lite 64-bit, which is Debian bookworm 12.2, suitable for the RPi 3B+.
It lets you make some customisations before flashing, which is really nice:
- Set hostname to azusa
- Enable SSH
- Password auth (I would use SSH keys but it didn't work right for me and I couldn't sudo later)
- Set username and password
  - furinkan // <something new>
- No WLAN
- Set locale to Australia/Sydney, us keyboard
- Disable telemetry
Prepare DHCP server with static address for the LAN MAC address (should already be in place).
Put in the card and let it boot, should be fairly quick.
First login
Login as furinkan@azusa and copy your SSH key there
ssh-keygen -t ed25519  # Enter 3 times
touch ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
vi ~/.ssh/authorized_keys
- sudo up and copy your SSH key to root's account as well, use the same commands again
- Login again directly as root
Install base packages
apt install -y vim git screen ack
Edit /etc/pam.d/sshd and remove user_readenv=1, this will keep the logs tidy
Configure vim
cat <<EOF > ~/.vimrc
set nocompatible
syntax on
set background=dark
set hlsearch
set modeline
set scrolloff=3
EOF
- Configure shell
Edit /root/.bashrc to enable colours
Set the default editor to vim.basic:
update-alternatives --config editor
Disable wifi and bluetooth and other stuff
I'm using azusa as a network appliance, so I don't need the radios: https://sleeplessbeastie.eu/2018/12/31/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-3/
Also see the notes for RPi4, because the OS has changed in the meantime too: https://sleeplessbeastie.eu/2022/06/01/how-to-disable-onboard-wifi-and-bluetooth-on-raspberry-pi-4/
Add dtoverlays to your /boot/config.txt to disable the radios:
cat <<EOF >> /boot/config.txt
dtoverlay=disable-wifi
dtoverlay=disable-bt
EOF
Let's also disable sound
sed -r -i 's,^dtparam=audio=on$,dtparam=audio=off,' /boot/config.txt
Disable bluetooth and modem services
systemctl disable --now hciuart
systemctl disable --now bluetooth.target
systemctl disable --now bluetooth.service
systemctl disable --now ModemManager.service
Nuke the software packages as well
apt purge -y bluez bluez-firmware wpasupplicant
rm -rfv /etc/wpa_supplicant
apt autoremove -y
No keyboard means no hotkeys needed
apt purge -y triggerhappy
- Reboot
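One way to confirm the radio and audio settings really are in effect in config.txt, rather than commented out or sitting under a section filter for another board. This is an added example, not part of the original notes; `audit_config` and `sample_config` are hypothetical names and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a Raspberry Pi config.txt for the radio/audio settings.
# A setting under a [filter] section that does not cover a Pi 3B+ is reported
# as "filtered". Simplification: only [all], [pi3] and [pi3+] count as matching.

# audit_config FILE -> prints "<status> <setting>" per setting; exit 1 if any not ok
audit_config() {
    local want line section status rc
    rc=0
    for want in dtoverlay=disable-wifi dtoverlay=disable-bt dtparam=audio=off; do
        section=all; status=missing
        while IFS= read -r line || [ -n "$line" ]; do
            # Trim trailing blanks and CR left by Windows editors.
            line=$(printf '%s' "$line" | sed 's/[[:space:]]*$//')
            case $line in
            "["*"]") section=${line#?}; section=${section%?} ;;
            "$want")
                case $section in
                all|pi3|pi3+) status=ok ;;
                *) [ "$status" = ok ] || status=filtered ;;
                esac ;;
            esac
        done < "$1"
        [ "$status" = ok ] || rc=1
        echo "$status $want"
    done
    return $rc
}

# Constructed sample, not the author's real file.
sample_config() {
    cat <<'EOF'
dtparam=audio=on
[pi4]
dtoverlay=disable-bt
[all]
dtoverlay=disable-wifi
#dtoverlay=disable-bt
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_config "$tmp" || echo "config.txt does not match the build notes"
rm -f "$tmp"
```

On the host, pass the path of the config.txt you edited as the only argument.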
Fix IPv6 SLAAC address
WhyTF am I not getting an EUI-64-based IPv6 SLAAC address now? It's worked every time before. Looks like our network config uses NetworkManager, so we need to configure that. It seems like it's not using privacy addresses, but it is doing stable-privacy now, which I don't want.
cat <<EOF > /etc/NetworkManager/conf.d/ip6-privacy.conf
[connection]
ipv6.ip6-privacy=0
ipv6.addr-gen-mode=0
EOF
Then reboot again.
The mode is now "default" instead of "eui64" as I would've expected (nmcli connection show Wired\ connection\ 1 | grep addr-gen), and I've no idea what that default is, but I don't care because it works now.
Read here for references:
https://developer-old.gnome.org/NetworkManager/stable/settings-ipv6.html
https://askubuntu.com/questions/1268900/what-is-setting-my-ipv6-addr-gen-mode
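To check which address-generation mode is actually in effect, compare the interface ID of the address on the interface with the one modified EUI-64 derives from the LAN MAC. This is an added example, not part of the original notes; the function names are hypothetical and the two addresses are constructed samples.

```shell
#!/bin/sh
# Added example: does an IPv6 address carry the modified EUI-64 interface ID
# of a given MAC? Assumes a colon-separated MAC with two-digit octets.

# eui64_iid MAC -> interface ID in the short form `ip -6 addr` prints
eui64_iid() {
    local mac old_ifs first
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    old_ifs=$IFS; IFS=:; set -- $mac; IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    # Flip the universal/local bit of octet 1 and insert ff:fe in the middle.
    first=$(printf '%02x' $(( 0x$1 ^ 0x02 )))
    printf '%x:%x:%x:%x\n' "0x$first$2" "0x${3}ff" "0xfe$4" "0x$5$6"
}

# ipv6_iid ADDR[/LEN] -> low 64 bits of ADDR, expanding a "::" run first
ipv6_iid() {
    local addr head tail fill n g old_ifs
    addr=$(printf '%s' "${1%%/*}" | tr 'A-F' 'a-f')
    case $addr in
    *::*)
        head=${addr%%::*}; tail=${addr#*::}; fill=; n=0
        for g in $(printf '%s' "$head:$tail" | tr ':' ' '); do n=$((n + 1)); done
        while [ "$n" -lt 8 ]; do fill="$fill:0"; n=$((n + 1)); done
        addr="$head$fill:$tail"; addr=${addr#:}; addr=${addr%:}
        ;;
    esac
    old_ifs=$IFS; IFS=:; set -- $addr; IFS=$old_ifs
    [ $# -eq 8 ] || return 1
    printf '%x:%x:%x:%x\n' "0x$5" "0x$6" "0x$7" "0x$8"
}

# is_eui64_addr ADDR MAC -> exit 0 only if ADDR's interface ID derives from MAC
is_eui64_addr() {
    local want
    want=$(eui64_iid "$2") || return 2
    [ "$(ipv6_iid "$1")" = "$want" ]
}

MAC=b8:27:eb:8c:f4:f8   # LAN MAC from the page
# Constructed addresses: one EUI-64 link-local, one random-looking global.
for a in fe80::ba27:ebff:fe8c:f4f8/64 2001:db8:1:2:5c1e:9a0b:77d4:3e21/64; do
    if is_eui64_addr "$a" "$MAC"; then echo "eui64      $a"
    else echo "not-eui64  $a"; fi
done
```

On the host, run `is_eui64_addr` against each address listed by `ip -6 -o addr show`.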
Other tweaks
Using raspi-config:
- System -> Audio -> pass out through HDMI
- Display -> Screen blanking -> Disable it
- Then exit and let it reboot
Configure screen
curl -o ~/.screenrc https://gist.githubusercontent.com/barneydesmond/d16c5201ed9d2280251dfca7c620bb86/raw/.screenrc
Configure top: z x c s 1.5 <Enter> e 0 1 W q
Configure hardware RTC
I've installed the Jaycar XC-9044 RPi realtime clock RTC, it's apparently a good clock chip with a little battery (or something). Most models using this chip have a spot for a watch battery, but this one has a tiiiiny little thing soldered on the board. I hope it's decent.
- Physically install the module on the 3V3 plus I2C pins
Enable i2c with raspi-config, it's in Interface Options -> I2C -> Enable
- You can also do it yourself if you want:
Comment out any blacklist entries for i2c[-_]bcm2708 in /etc/modprobe.d/raspi-blacklist.conf
Load the module at boot:
echo i2c-dev >> /etc/modules
Uncomment/add dtparam=i2c_arm=on in /boot/config.txt
Activate it now:
modprobe i2c-dev
- Reboot now, it can't hurt
Install i2c tools
apt install -y i2c-tools
Detect the device on i2c bus: i2cdetect -y 1
- Should appear at 0x68
Enable the kernel driver for it, or something, by adding a devicetree overlay
echo "dtoverlay=i2c-rtc,ds3231" >> /boot/config.txt
- Reboot again to load the device tree overlay that we just configured
Again detect the device on i2c bus: i2cdetect -y 1
- Should appear at 0x68, BUT with "UU" at the address this time
Remove the fake hardware clock
systemctl disable fake-hwclock --now
apt purge -y fake-hwclock
In theory everything just works now thanks to a udev rule: https://www.raspberrypi.org/forums/viewtopic.php?t=209700
root@azusa:~# cat /lib/udev/rules.d/85-hwclock.rules
# Set the System Time from the Hardware Clock and set the kernel's timezone
# value to the local timezone when the kernel clock module is loaded.
KERNEL=="rtc0", RUN+="/usr/lib/udev/hwclock-set $root/$name"
Install chrony so it manages the hardware clock
apt install -y chrony
It'll do the rest once it's installed and synced. Try some commands to see how it's faring:
chronyc sources
chronyc tracking
Save a copy
Optionally take a backup image of the fully configured system, by putting the card in another machine and shrinking the filesystem
e2fsck -f /dev/mmcblk0p2
resize2fs /dev/mmcblk0p2 2G
dd bs=4M count=600 if=/dev/mmcblk0 | pv -br | pigz --fast > "$(date +%Y-%m-%d)_azusa_pristine_config.img.gz"