FS Linux 11 Installation Guide

Document revision history

Click the “Details” toggle below for the revision history.

Details

1.2.1 — Reorganize installing updates and related text
1.2.0 — Minor release
1.1.8 — Add collapsible box for document revision history; further wording improvements in the End of security updates
1.1.7 — Fix when to use archive for editing /etc/apt/sources.list; correct date for end of support
1.1.6 — Add CAUTION about new packages when upgrading
1.1.5 — Add advice for removing insecure packages
1.1.4 — Fix non-root user ~/.ssh creation and ownership, make wording consistent for analogously prog
1.1.3 — Cleanup: Add NIC selection in rescue mode, recommend latest installer, consolidate boot menu NOTEs, clarify when UEFI doesn’t work, change bullets to solid, advise changing source.lst for install if no longer current release, update download package/MB count, wording fixes
1.1.2 — Include link to Debian CD archive
1.1.1 — Include admonition about additional network interfaces
1.1.0 — Minor release (refresh_spare_usr2 updated for CIS hardening elsewhere)
1.0.11 — Use 10.2.0 for FS tag
1.0.10 — Fix referring to where RAID tools are used; other minor wording improvements
1.0.9 — Fix link for transferring FS install to FSL11
1.0.8 — Add revision history
1.0.7 — Add reference for transferring FS install to FSL11
1.0.6 — Update latest FS tag to 10.2.0-beta2
1.0.5 — Update end-of-support for current sources.list
1.0.4 — Refine pgperl wording
1.0.3 — Improve pgperl with pgplot warning
1.0.2 — Add pgplot version of pgperl; use 10.2.0-alpha3 tag
1.0.1 — Use 10.2.0-alpha2 tag
1.0.0 — Initial release

1. Introduction

These instructions provide a complete method for system installation and some tuning. They are not the only method for accomplishing these goals, but have been well tested. Experts can of course use their own means, but the farther they deviate from this model, the less support we will be able to provide.

The standard configuration uses a RAID1 system with removable disks. Normally, two disks would be in use at a given time. A third disk is used as a back-up and rotated into use periodically. More disks can be used for further redundancy. You can of course provide your own back-up method and can install the system to a single disk if you do not want to use the software RAID.

If you are using the RAID configuration, you may wish to review the Recommended practices subsection of the RAID notes for FSL11 document before installing. However, all of the practices listed there can be implemented after the installation steps below are complete.

Tip

Removable disks should be used with a carrier/receiver system that can tolerate a large number of insertions; “bare” disks should not be inserted repetitively. Two receivers would normally be mounted in the computer chassis. Each disk would be in its own carrier. We can provide a recommendation for a carrier/receiver system if you need one.

Please note that for each step in this guide, we recommend you carefully read all the included caveats and notes as the material is not always logically sequential, i.e., instructions may proceed explanations that impact what you actually type.

Table 1. FSL distributions
FS Linux	Release Name	Debian Version	Linux kernel	Year
1		(Slackware)	1.2.<x>	1994
2	bo	1.3.1	2.0.29	1997
3	hamm	2.0	2.0.34	1998
	slink	2.1	2.0.36	1999
4	potato	2.2	2.2.18	2000
5	woody	3.0	2.2.20/2.4.18	2002
6	sarge	3.1	2.4.27	2005
7	etch	4.0	2.6.18	2007
8	lenny	5.0	2.6.26	2009
	squeeze	6.0	2.6.32
9	wheezy	7.0	3.2.0	2014
	jessie	8.0	3.16.0
10	stretch	9.0	4.9.0	2020
	buster	10.0	4.19.0
11	bullseye	11.0	5.10.0	2023

The FSL11 documents follow the FS font conventions, which can be found at: https://nvi-inc.github.io/fs/misc/font_conventions.html.

2. Choosing architecture and creating installation media

FSL11 can be configured for either the i386 or amd64 architectures. With FSL11 it is necessary to use Field System version 10.2 or later. Those FS versions support both architectures natively, so either may be used. The amd64 architecture is preferred and should be used if possible (it should be unless the processor is very old, from about 2010 or older). However, some work may be required to port your station code from a 32-bit to a 64-bit OS. An automatic tool has been developed to help with this, and can be provided upon request. Usually the i386 architecture will work on any processor, but requires use of the Legacy (or BIOS) boot mode in most cases. The amd64 installation media will fail to boot on a system that is 32-bit only.

To install Debian 11, you can either use a DVD or USB drive. The latter is faster, and also easier if you wish to use UEFI. Directions for creating your installation media can be found online.

Note	Don’t be confused by the amd64 name, this architecture supports both AMD and Intel manufactured x86-64 processors. This includes CPU lines such as Ryzen, Epyc, Core, and Xeon. The naming scheme dates back to when Intel had a competing and incompatible 64-bit architecture ia64.

You can install from a DVD drive, USB device, or over the network. Any revision of the 11.<x> installer should work fine. (Generally, pick the latest, i.e., largest <x>. If there are non-zero patch versions, <y>, for a given <x>, e.g., 11.<x>.<y>, pick the largest <y>.) Note also that installing from DVDs as described here is recommended mainly for sites with little to poor Internet connectivity (even then, use of a single DVD may suffice) and the equivalent use of a “Debian GNU/Linux 11.<x>.<y> Bullseye - Official i386/amd64 NETINST” CD would suffice for installation at most sites with good connectivity. Official images for the installer can be found at: https://cdimage.debian.org/cdimage/release/ (or at: https://cdimage.debian.org/cdimage/archive/ when no longer the current release). Alternatively, should your hardware require non-free firmware, unofficial images for the installer that also include all available non-free firmware can be found at: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

The details of creating your installation media can be found in the Debian installation guide available from: https://www.debian.org/releases/bullseye/installmanual

3. Motherboard setup

Caution

If you are installing to a virtual machine, make sure it is configured to have at least two cores. This is required for FS display server support.

Note

Some hardware may require special procedures. For cases we know about, instructions are provided in top-level sub-directories of the repository, which is visible at https://github.com/nvi-inc/fsl11. In addition to special instructions, there may be needed software/drivers in the sub-directories. The following table lists the cases that are currently covered. Some of these solutions may be useful for other hardware with the same issues. If you have the listed hardware or issue, we recommend reading the instructions before beginning the installation.

Table 2. Special installation instructions available
Directory	Hardware	Issue
		None at this time

Modern motherboards offer two forms of booting: native UEFI or BIOS emulation (“Legacy”). UEFI is the preferred approach. Either mode of boot is supported by this installation guide, and you will be given alternatives when the instructions differ.

Decide which boot mode you want to use and select it through the motherboard setup menu (typically by pressing Delete during the power-on self test, aka POST).

Make sure that the motherboard time is set to the current Coordinated Universal Time, i.e., UTC, and the motherboard can boot from the installation media.

While you are in the motherboard menu, make sure that hot-swapping is enabled for the controllers of both the primary and secondary disks. This is necessary for disk rotation and recoverable testing.

Tip

For UEFI, some motherboards may switch to booting to the UEFI shell if they fail to find a hard disk that will boot. This might happen, for example, if you attempt to boot from a blank disk. If you become stuck booting to the UEFI shell, you may need to enter the motherboard’s setup utility to restore booting from the hard disks. The Boot menu may be where this is set. You may be able to disable use of the UEFI Shell, which may eliminate this situation.

4. First stage installation

This guide assumes that you have only one disk installed in the machine initially even if you intend to use a RAID configuration. Use of a single disk (for a test install, etc.) is also annotated below.

Note	The single dish install approach is used because it is faster than a dual disk install. It also allows you to control when the syncing for the second disk occurs, such as when you leave for the evening. The setup of a second and third disk is covered in the Setup additional disks subsection below.

Install your smallest disk in the primary slot (the one connected to the lowest numbered SATA controller, usually 0.

Caution
For the RAID to work seamlessly with other disks later, you must make sure that the smallest disk of the ones available is used for the installation.

4.1. Boot from the installation medium

Connect an active network cable to your lowest numbered interface (only). Usually it is on the left if there are two.

Insert/plug-in your installation media and reboot.

To boot from the installation media you may need to bring up your motherboard’s setup utility, which is typically accessed by pressing Delete during the POST. From there you may need to access a menu such as Save & Exit (or Boot), to select overriding to boot with the installation media.

Tip

If the system was most recently booted from a hard disk, you may need to boot one time with no hard disk installed for the motherboard’s setup utility to recognize the USB drive as a valid boot override option. If the setup utility does not recognize the USB drive at all, it may be necessary to turn the power off, remove the USB drive, reinsert it, and then reboot. Making the USB the first boot device temporarily may be necessary.

4.2. Set boot options and boot installer

At the Installer boot menu:

Highlight Install (or Graphical install — only the installer interface differs — but this may not work on some video hardware)
- UEFI: press e, then ↓ three times (vmlinuz), then End
  
  Note
  If e doesn’t work, UEFI is not available. This may also be apparent because the Installer banner includes BIOS mode. It may be possible to enable UEFI in the motherboard setup menu.
- BIOS: press Tab

To the end of the displayed command, add the additional options:

locale=en_US.UTF8 netcfg/disable_dhcp=true time/zone=UTC

Note

Whilst typing a / (slash) it may automatically be changed (escaped) to \/ (i.e. preceded by a backslash). This is normal behaviour and harmless.

You may omit the netcfg/disable_dhcp=true if you want to use DHCP to configure the network settings of this machine, though this is not advised.

You can additionally use partman-partitioning/default_label=gpt if you wish to force the use of a GPT partition table on a disk that is smaller than 2 GB, but beware - some older BIOS versions cannot handle GPT formatted disks.

If you do not set a locale or set locale=C, you will be prompted to select your language and your country. However some applications may have problems if a UTF8 locale is not used.

Press:
- UEFI: F10
- BIOS: Enter
The installer will now boot.

4.3. Select a keyboard layout

Find your keyboard on the Keymap list, highlight it, and press Enter. (The most common one is American English)

The installation media is now scanned and additional installer components loaded.

4.4. If you are presented with a dialog asking for non-free firmware files

You may need to locate the files requested (especially if they relate to your network or disk-drive interfaces) and place them on a USB stick which should be inserted at this stage. If you do have the required files select Yes, otherwise press Tab to select No then press Enter to continue. It may well be simpler just to use the unofficial installer images mentioned above that include all available non-free firmware.

4.5. Configure the network

If you are presented with a dialog asking which interface to use as primary

This is typically only shown if two or more network interfaces are found, which might include a virtual FireWire interface in some cases. Select the interface you require (usually eno1) and press Enter.

Unless you are using DHCP (which is not advisable) you will be prompted to:

Type in the required static IP address in the form xxx.xxx.xxx.xxx (where each xxx is any integer from 0 - 255 inclusive) and press Enter.
Type in the required netmask in the form 255.yyy.yyy.yyy (where each yyy is typically 0, 64, 128, 192 or 255) and press Enter.
Type in the required gateway IP address in the form xxx.xxx.xxx.xxx (where each xxx is any integer from 0 - 255 inclusive) and press Enter.
Type in the required nameserver IP addresses, space separated, in the form xxx.xxx.xxx.xxx (where each xxx is any integer from 0 - 255 inclusive) and press Enter.

Important

Before connecting an Ethernet cable to an additional (non-primary) interface, you must use the Stabilize network configuration subsection of Additional Setup Items appendix. For example, in addition to the primary interface, you may connect a cable to the second interface for IPMI. In this situation, the second interface may be incorrectly utilized in Linux if it is not disabled.

4.6. Set a hostname

Backspace over the default hostname debian and type in the name you require (if not already retrieved via DNS), then press Enter. Enter the required Internet Domain name (if not found) and press Enter.

4.7. Enter a suitable root password

Twice as prompted.

4.8. Setup first account

Enter Desktop User for the name of the new user then press Enter to accept desktop as the username and enter a (real) password twice as prompted.

4.9. Get network time

The installer now tries to set the time using NTP. If this is not possible at your site due to your firewall etc., you may need to press Enter to cancel this process.

4.10. Partition the disk

Note	If you are using UEFI and the disk was previously used for BIOS, you may need to confirm forcing UEFI installation.

When prompted for a partitioning method, select Manual

4.10.1. Setup physical partitions

Create a new partition table by:
1. Select your disk, something like SCSI1 (0,0,0) (sda) - 4 TB ATA SATA HARDDISK, and press Enter.
  
  Warning
  Do not select your installation media.
2. The installer may warn: You have selected an entire device to partition…. If so, select Yes. If you are prompted to delete RAID partitions, select Yes.

Select the (one and only entry) FREE SPACE under your disk. There should be no RAID or LVM partitions shown.

Note

If other entries and/or RAID or LVM partitions are shown, you will need to delete them before proceeding.

If no RAID and/or LVM partitions are shown, a possible solution may be to delete individual partitions until you have a single entry, FREE SPACE.

If that doesn’t work or RAID and/or LVM partitions are shown, you may be able to use Guided partitioning to delete the existing configuration (and temporarily create new partitions). In this case, select Guided partitioning, then select Guided - use entire disk. Then select your disk, such as listed above, do not select a RAID or your installation media device. Then select All files in one partition (recommended for new users). You may be prompted to confirm deleting RAID partitions and/or removing logical volume data, which you must do to continue. Then you should be able to continue with selecting your disk, as above.

If the Guided partitioning method above doesn’t work or you have problems later creating the RAID or LVM partitions, then other means will be needed. There may be more complicated paths through the partitioner that will work or, perhaps easier, you may need to overwrite the start of the disk with a large number, say 2 GiB (but possibly more, if that doesn’t solve the problem), of zeros.

Overwriting with zeros : can be implemented (for 2 GiB) at this stage in the installer with:

Press Ctrl+Alt+F2 to switch to a different console.
Press Enter to activate the console.

Execute:

dd if=/dev/zero of=/dev/sda bs=1G count=2
sync;sync
reboot

When the system reboots, restart the installation.

Select Create a new partition
Then for
- UEFI: Enter 1GB in the size, then select Beginning of the disk.
- BIOS: Enter 1MB in the size, choose Primary (rather than Logical) if asked for the partition type, then select Beginning of the disk.
Then for
- UEFI: Select Use as then select EFI System Partition
- BIOS: Select Use as then select Reserved BIOS boot area, or alternatively do not use the partition if the former option is not available.
Now select Done setting up the partition.
Next select the FREE SPACE and Create a new partition again.

Note
You may see a small 1MB FREE SPACE at the start of the disk. This is fine, just be sure to choose the large FREE SPACE at the end of the disk.
This time choose the whole amount of free space (the default) and choose Primary for the partition type if asked.

Select Use as, then select physical volume for RAID, then Done setting up the partition

Note

If you physically only have one disk bay and wish to construct a FSL11 test-bed, it is possible to avoid using the software RAID layer entirely. Simply select Use as, then select physical volume for LVM for this partition instead and skip ahead to Setup Logical Volume Manager (LVM) below. However, please note that a single disk setup is not recommended for any operational system.

4.10.2. Setup RAID

Select Configure software RAID. Then select Yes to write the changes to the disk.
Select Create MD device, choose RAID1 and use 2 as the number of devices and 0 as the number of spares.
Despite the fact that the instructions say you must select exactly two partitions, select only one. Select the RAID partition you just created by pressing Space. This should be /dev/sda2. Then press Enter to continue. Select yes if prompted to write changes to the disk.

Note
If the newly created RAID partition doesn’t appear as an option, you may need to use the method of Overwriting with zeros in the Setup physical partitions step above.
Select Finish.

Back in partitioning, select the partition #1 (with no designated use) under RAID1 device #0 and press Enter

Note	If that partition appears immediately after being created already having a designated use, perhaps `lvm`, you may need to use the method of Overwriting with zeros in the Setup physical partitions sub-step above.

Select Use as, then select physical volume for LVM, then Done setting up the partition

4.10.3. Setup Logical Volume Manager (LVM)

Now choose Configure the Logical Volume Manager and select Yes if prompted to write the changes to the disk and keep the current layout and configure LVM.
Choose Create volume group
Enter a name appropriate for the machine and group, e.g., vg0, and press Enter
Select the raid device md0 (or sda2 if not using RAID) by pressing Space, then press Enter to continue

For each item in the following table run Create logical volume, select your volume group and assign the corresponding name. Those marked with * are optional unless you are applying CIS hardening.

Table 3. Logical volumes
	Mount point	LV name	Size
1	/var/log/audit	`audit` *	4 G
2	/boot	`boot`	1 G
3	/home	`home`	4 G
4	/var/log	`log` *	4 G
5	/	`root`	50 G
6	(swap)	`swap`	8 G
7	/tmp	`tmp`	50 G
8	/var	`var` *	8 G
9	/var/tmp	`vartmp` *	8 G
10	/usr2	`usr2`	remaining disk space less ~100 GB

In the LVM configuration window, select Finish
Then for each logical volume in the table except swap, do the following:
1. Select the partition (e.g., #1) for each LV name (and press Enter)
2. Select Use as and press Enter then select Ext4 journaling file system
3. Select Mount point, press Enter, then select the appropriate mount point from the list or use Enter manually if not there.
4. Select Done setting up this partition
For the swap logical volume, select Use as then select swap area, followed by Done setting up this partition
Back in the partition screen, select Finish partitioning and write changes to the disk and select Yes to write the changes. For big disks, it may take a little time to create the ext4 file systems.

The Debian base system is now installed from the installation media, which usually only takes a few minutes.

4.11. Configure the package manager

If you started from a netinst CD image, the installer now assumes you will install only from the network, and jumps straight to the Choose your Debian archive mirror country part of the dialogue as detailed below.

If you are using DVD installer you will be prompted to scan additional DVDs. Scanning the additional DVDs (and obtaining copies of them in the first place) is entirely optional, and is only useful if you don’t have a reliable network connection to a suitable Debian mirror and hence would prefer not to download packages you could get from the DVD.

Note	If you do want to use a mirror in the future, it is better not to scan any DVDs at this stage and to scan them later during Stage 2 using apt-cdrom.

For each additional DVD you wish to scan, insert it in the drive, select Yes and press Enter to perform the scan (which takes a while.)

(If you are using DVDs, and are prompted to insert another DVD, you will need to use eject /dev/cdrom from another virtual console to do this)

Select No and press Enter to continue once you are done. If prompted, insert the “Debian GNU/Linux 11.<x>.<y> Bullseye - Official i386/amd64 Binary-1 DVD” back into the DVD-ROM drive and press Enter.

Warning

If you do scan additional DVDs, the following useful dialogue which allows you to select a suitable network mirror from a country-based list may be suppressed.

Select Yes and press Enter to use a network mirror (unless you have inadequate Internet access - but then you must scan all DVDs.)

Choose your Debian archive mirror country: Select from the list if available and press Enter. (If your country is not available choose the country nearest to you in a network connectivity sense.)

Select the fastest Debian mirror from those available.

Tip	The new `deb.debian.org` mirror is a good choice for most sites as it uses DNS to find a local mirror.

Enter any necessary HTTP proxy information (usually left blank).

Software is downloaded briefly.

4.12. Do not participate in popularity-contest

When prompted to join the popularity-contest, select No and press Enter

4.13. Choose your packages

When prompted to choose packages, select SSH server by moving to that row with the arrow keys and pressing Space on it (unless you don’t want it).

Tip	If you have a small disks and are worried about space, then you can also press `Space` on `Desktop Environment` to unselect it (which may then change the dialogue presented below).

Finally press, Enter to install the standard system.

The Debian standard system is now installed from the installation media plus any updates from the network mirror and/or security.debian.org site if they can be reached.

This can take a while, up to one and a half hours or more.

4.14. Install the GRUB bootloader (BIOS boot only)

Note	With UEFI boot, you will not be presented with this option; GRUB will automatically be installed to the first ESP partition.

At Install GRUB to Master Boot Record select yes then select /dev/sda

When prompted, press Enter to install to the master boot record.

4.15. Disable Wayland (optional)

This step should only be needed if your CPU does not include a GPU and you do not have an add-on graphics card. In that case, you are using the motherboard graphics support. Disabling Wayland is known specifically to be necessary for the X11SCA-F motherboard, which uses the AST2500 graphics chip. If you don’t know that you need to disable Wayland, we recommend that you initially leave it enabled. Whether your choice works or not should be evident when you start the Second stage installation step below. The console may be very difficult, even impossible, to work with. In that case, please see the Wayland recovery NOTE below.

To disable Wayland:

Tip	These instructions step can be executed when the installation stops for input in the next step, Remove installation media.

Press Ctrl+Alt+F2 to switch to a different console.
Press Enter to activate the console.
Edit /target/etc/gdm3/daemon.config, uncomment Wayland=False, and save the file.

The only editor available at this point may be nano.
Execute:
```
sync;sync
exit
```
Press Ctrl+Alt+F1 to return to the Installer dialog.

Note

Wayland recovery : If you find you have made the wrong choice, there are at least three possible ways to recover:

If the console is marginally usable, you may be able to login on a text console to adjust the contents of /etc/gdm3/daemon.config as needed, then execute:
```
systemctl restart gmd3
```
Use the procedure in the Rescue Mode appendix and adjust the contents of /etc/gdm3/daemon.config as needed.
Reinstall from scratch and make the opposite choice.

4.16. Remove installation media

Remove the DVD from the DVD-ROM drive (it should be auto-ejected), or unplug the USB drive, and press Enter to reboot into the newly installed system.

Tip	It would generally be wise to disable booting from DVD-ROM and floppy i.e., anything other than the hard drive, in the BIOS just in case someone leaves something nasty in the machine’s removable drives by mistake.

5. Second stage installation

You should now have booted to your new OS.

5.1. Login as root

Tip	Versions before Debian 9 ran X11 on virtual console 7. As of Debian 9, the graphical environment login is on virtual console 1. Each login there for a different user creates a session on the next unused virtual console.

Switch to Virtual Console 2, by pressing Ctrl+Alt+F2.

Enter root and press Enter, then enter the root password you set earlier.

5.2. Remove the dummy Desktop User (optional)

Unless you want an account that is set up to use the default desktop environment, delete the desktop user with:

deluser --remove-home desktop

Note	If you do keep this account, you will not be able to run the FS from it unless you add this account into the additional hardware access groups such as is done for oper and prog by fsadapt.

5.3. Setup HTTP proxy for APT (optional)

Should you wish to make APT use an HTTP proxy for downloads, create the new file /etc/apt/apt.conf.d/00proxies using vi containing:

ACQUIRE::http::Proxy "http://proxy.some.where:8080/";

to use a proxy proxy.some.where at port 8080 for example.

5.4. Edit /etc/apt/sources.list

Note	If Bullseye is no longer under security support, you will also need to modify sources.list as described in the End of security updates in the Managing Security Updates appendix.

Using your favourite text editor, eg vi, and comment out all cdrom entries (unless you don’t have a decent Internet connection and need to use DVDs, whereupon the dialogue presented below may differ) and check you have the equivalent of the following entries towards the top of the file, adding in contrib and/or non-free as needed:

deb http://deb.debian.org/debian/ bullseye main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye main contrib non-free

and likewise the equivalent of the following entries towards the bottom of the file, again adding in contrib and/or non-free as needed:

deb http://deb.debian.org/debian/ bullseye-updates main contrib non-free
deb-src http://deb.debian.org/debian/ bullseye-updates main contrib non-free

(where you can use any suitable mirror instead of deb.debian.org)

Also add contrib and/or non-free to the lines referring to the security.debian.org mirror in the middle of the file.

Warning

you MUST use bullseye and NOT stable for the distribution in all these entries (but CD/DVD entries might use unstable.)

5.5. Update APT’s list of packages

Tip	Recent versions of Debian have the apt program, which gives a more user-friendly interface to the package manager than apt-get. We generally use apt-get except for applying updates.

Next tell APT to update its internal source list of packages using

apt-get update

Note	It is also possible to add additional DVDs at this stage using the `apt-cdrom add` command.

5.6. Download the FS Linux 11 package selections

Install git and dselect
```
apt-get install git dselect
```
Update dselect's package lists
```
dselect update
```

Get the selections by downloading this repository:

cd /root
git clone https://github.com/nvi-inc/fsl11
cd fsl11

Feed the package selections into dpkg using the command, for amd64

dpkg --set-selections < selections/fsl11_amd64.selections

or, for i386

dpkg --set-selections < selections/fsl11_i386.selections

Start the additional package installation with
```
apt-get dselect-upgrade
```
then press Enter to confirm any updating of installed packages (where you have an Internet connection) and the installation of currently ~214 new packages (downloading ~196 MB from the Internet and/or DVDs) for amd64 with UEFI — probably different for i386 and/or BIOS — unless you did not select the Desktop or added other tasks earlier.

Downloading commences for up to half an hour (depending on your Internet access and the exact revision of DVDs used).

Installation runs to completion.

5.7. Clean up the APT download directory

So that the update mechanism will work correctly, run

apt-get clean

6. Third stage installation

6.1. fsadapt

In the /root/fsl11 directory, start fsadapt with

./fsadapt

6.1.1. FS Adaptation: Modifications (Window 1)

Using the arrow keys and Space make your selections and press Enter.

If you are not using a GPIB board or USB dongle, you can deselect the GPIB option.
If you are using the RAID configuration, you must not deselect the mdinc option.

6.1.2. FS Adaptation: Setup (Window 2)

All of the steps in Window 2 need to be done once (even if you do not intend to use the serial ports) with the exception of sshkeys which can be used to generate new SSH keys if required. If you did not select the GPIB option in the previous page deselect the two related options on this page (but do not deselect set_perms as it is always required). Otherwise, simply press Enter with the OK selected to continue.

Note

The updates option relies on email to root being re-directed to some mailbox that will be read regularly, so make sure you set that up and test it as well (see the Configure e-mail section in the Additional Setup Items appendix). The installer sets it up to go the desktop account by default which would definitely be a problem if you have removed that!

6.1.3. GPIB driver configuration (optional)

On the /etc/gpib.conf screen, use the up/down arrow keys to select the required GPIB controller and press Enter on OK to continue.

6.1.4. Serial port configuration

On the /etc/default/grub: serial port configuration screen up/down arrow keys to select the required RS232 serial card (or None if you don’t have one) and press Enter on OK to continue.

6.1.5. FS Adaptation: Settings (Window 3)

On Window 3 you can choose to modify the email or network settings if required. Simply press Enter on OK to continue.

6.1.6. FS Adaptation: Network Services (Window 4)

The Window 4 will show what services are enabled. Use the up/down arrows and Space to select secure and press Enter on OK. Thereafter use the up/down arrows and Space to select those services you actually need. If you need printing, you will need to select netipp (remote access to this can be blocked by configuring ufw with either not explicitly allowing or instead denying the CUPS service). Press Enter on OK to set them up and finish with fsadapt.

Note that the fsadapt script can be re-run at a later date should you need to change the adaptations.

6.2. Set passwords

Set passwords for the oper and prog accounts with:

passwd oper
passwd prog

entering the passwords twice as prompted.

6.3. Install tools for RAID (optional)

You can install some useful tools for working with the RAID, if you’re actually using it, with:

~/fsl11/RAID/install_tools

The Fourth stage installation section, below, assumes the first four of these tools have been installed. The six tools are:

mdstat — for all users — check on the RAID status
refresh_secondary — for root — refresh a secondary disk that is from the same RAID
blank_secondary — for root — initialize a secondary disk, must be used with extreme care
rotation_shutdown — for root — shutdown the system if it is safe to rotate disks
drop_primary — for root — deliberately drop the primary disk out of the RAID for use as a backup
recover_raid — for root — re-add a disk that fell out of (or was removed from) the RAID back into it

Tip	More information about RAID operation can be found in the RAID notes for FSL11 document.

6.4. Download the Field System

 cd /usr2
 git clone https://github.com/nvi-inc/fs fs-git
 cd /usr2/fs-git
 git checkout -q tag

where tag is the latest available release, 10.2.0 or later.

Important

You should install the latest official release. To find it, go to:

https://github.com/nvi-inc/fs/releases

You should probably use the most recent feature release (ending in .0 with no trailing -<string>, e.g., 10.2.0. However, if there is a more recent patch release (not ending .0) for the most recent feature release, you should use the most recent patch release. For example, if 10.2.0 is the most recent feature release and there are corresponding patch releases, 10.2.1 and 10.2.2, then the last one, ending .2, is probably the best choice.

6.5. Run FS install script

This will set the /usr2/fs link, set /usr2/fs-git permissions, and install default copies of all the FS related directories.

make install

and enter y to confirm installation.

6.6. Make the FS

The FS must always be compiled as prog.

Warning

Make sure you log-out as root, and log-in again as prog.

cd /usr2/fs
make >& /dev/null

then

make -s

to confirm that everything compiled correctly (no news is good news).

6.7. Reboot the new system

Remove any DVD from the machine and restart the machine using reboot as root or Ctrl+Alt+Del whilst watching that everything starts up smoothly.

7. Fourth stage installation

7.1. Setup additional disks

If your are using a RAID, follow the steps in this subsection to setup the second and third disks.

Note	Additional disks should be at least as large as the disk already in use.

Note	You will need to have hot-swapping enabled in your motherboard’s setup menu, at least for the controller for the secondary disk (it should also be enabled for the primary).

Note	This subsection assumes you have installed the RAID tools according to the Install tools for RAID (optional) subsection above.

If you have a second disk (secondary) in the RAID:
1. Shut the system down with the rotation_shutdown command.
  
  This command will check the status of the RAID and proceed to shutting down only if the RAID is synced. There are three errors that can prevent shutting down: (i) if the FS is running, you should terminate it before trying again; (ii) if the RAID is recovering, you will need to wait until the recovery is finished before shutting down, you can check the progress with the mdstat command; and (iii) if the RAID is degraded, seek expert advice.
2. Remove the disk in the primary slot and place it on the shelf, labelled appropriately as the shelf disk for this system with the date.
3. Move the disk in the secondary slot to the primary slot.
Initialize the new disk

Important
Do not initialize a disk unless you are sure there is no data on it that you need to preserve.

For the first time use of an additional disk with a new install, the disk should be initialized to make sure it has no existing structure. This should be done even if the disk has been used in a different FS computer or a previous install on this computer.
1. Boot with just the primary disk installed.
  
  Tip
  If your system is already running with no second disk (secondary) installed, you can skip rebooting.
2. Use the script:
  blank_secondary
  The script will wait for the new disk to be turned on. Insert a new disk in the secondary slot. The secondary slot is the one connected to second lowest numbered SATA controller, usually 1. Turn the key to turn the disk on. There will be a prompt asking if you wish to proceed. If it is a new disk or you are sure it is safe to erase this disk, answer y. If you are unsure about this or otherwise need to abort, answer n.
Refresh the now blank secondary disk

Run the script:
```
refresh_secondary
```
Once you reach the message that you can check on the recovery with mdstat , you can resume using the computer as usual. You can safely reboot at this point, if it is needed; just don’t remove either disk until the recovery is finished.

You can check the progress of the recovery with:
```
mdstat
```
When the recovery is complete, you can repeat the process of this entire subsection, Setup additional disks, to initialize another disk.

8. Post install

Tip	Please refer to the appendix Additional Setup Items for OS customizations that you may find useful.

The current section provides information on customizing your new system from scratch for a new FS installation or transferring an existing FS installation to this machine.

8.1. New FS installation

Your newly installed system should now be ready to be customized for your site’s requirements for a new FS installation. You will need to tailor the control files in /usr2/control and add suitable station specific software to /usr2/st, particularly antcn. See the files in the /usr2/fs/st.default/st-0.0.0 directory for starter versions of the latter.

8.2. Transferring an FS existing installation

If you have an existing FS installation you want to transfer to this machine, you will need to transfer your files and update their contents for use with FS 10.2 or later. For transferring and updating to FS 10.2, please see the appendix “Transferring an existing FS installation to FSL11” in the “FS 10.2 Update Notes” document at: https://nvi-inc.github.io/fs/releases/10/2/10.2#_transferring_an_existing_fs_installation_to_fsl11.

Appendix A: Additional Setup Items

This appendix covers several customizations that may be helpful depending on the requirements for a system. It serves as a reference for how to make these changes, but can also be helpful as a checklist when setting up a new system. All actions in this section require root permissions.

A.1. Additional security and CIS Benchmarks

For stations that wish to conform to the additional security recommendations of the Center for Internet Security (CIS), move on to the CIS hardening FSL11 document.

A.1.1. Alternate hardening

If you don’t want the complete CIS hardening, which creates some inconveniences and is only required in certain environments, you may still be interested in applying a subset of the remediations. You can pick and choose those from the CIS hardening FSL11 document and its script.

A useful minimum set of features to apply would be to install ufw and block everything except ssh and further restrict ssh access with TCP Wrappers.

A.1.1.1. ufw setup

To install and configure ufw to only allow ssh for incoming connections, use the commands:

apt-get -y install ufw
ufw allow OpenSSH
ufw --force enable

Addition setup for ufw is covered below in the More firewall rules subsection.

A.1.1.2. TCP Wrappers setup

A base setup for TCP Wrappers is

/etc/hosts.deny

ALL:ALL

/etc/hosts.allow

sshd:ALL

It is recommend that you further restrict sshd by using specific hosts and/or sub-domains instead of ALL. Please use man hosts_access for more information about configuring TCP Wrappers

A.1.1.3. More firewall rules

The following tersely summarizes some ufw settings that may be useful:

#SSH
ufw allow OpenSSH
#NTP
ufw allow ntp
#remote access to metserver (or gromet) on port 50001
ufw allow 50001
#anywhere from subnet
ufw allow from 192.168.4.0/24
#RDBE multicast to addresses from subnet
ufw allow in proto udp to 239.0.2.0/24 from 192.168.4.0/24
#? RDBE multicast to group from subnet ?
#ufw allow in proto igmp to 239.0.2.0/24 from 192.168.4.0/24

A.2. Customize root’s .bashrc file

There are a few changes you should consider for root's .bashrc file.

If you have applied the CIS remediations, you should consider uncommenting the line that sets the umask to 022. The remediations set it to 027 in /etc/profile, which may cause problems with routinely created files, including some in this section covering optional changes.
Uncomment the the alias commands that add the -i option to the commands cp, mv, and rm as the default. This can help avoid some careless errors.
Add the command set -o noclobber to avoid accidently overwriting existing files with I/O redirection. Other options to consider setting are physical and ignoreeof.

A.3. Create root’s .inputrc file

The readline package is used by bash, and other programs, to maintain a history of commands that can be edited and then re-executed. By default, it will retain edits of history entries that have not been re-executed. This makes the unedited history entries more difficult to locate and re-execute. Retaining the un-executed edits can be disabled for root by creating the file:

/root/.inputrc

$include /etc/inputrc
set revert-all-at-newline on

The $include /etc/inputrc line preserves the other system wide readline defaults.

Note	The standard fresh FS installation creates this file for the oper and prog (and AUID) accounts.

A.4. Setup /etc/hosts

You may want to add more hosts to the /etc/hosts, especially if do not have DNS. This will allow you to give a short alias to use when referring to other local machines. Even if you have DNS, you may wish to add additional aliases for your local hosts.

For use with ntpq -p, is recommended that you use a short alias as the canonical name (the first one after the IP address) for other local machines (and possibly remote ones as well). This will make the ntpq output easier to understand, particularly if the canonical names of the local machines only differ at the end of their names. That may make the differences hard to see given the short field available for the remote node ID in the ntpq output.

A.5. Stabilize network configuration

This subsection requires using nm-connection-editor on a graphic display (nmtui may be an option on a text terminal, but it has not been fully verified). You may need to be root or desktop to do this. All the subsections below assume you are in the program and have sufficient permissions.

Note	If you someday move the disks to a computer with a different mainboard model, the device names of the network interfaces may change. If that happens, you will need to reselect the names as described in the sub-steps below. This should not be necessary if the other computer uses the same mainboard.

A.5.1. Make the connection always appear on the same interface regardless of the MAC address.

This is useful both to make the connection appear on only one interface and/or make it the same interface if the computer (or NIC) is changed.

Select your connection and click the “gear” icon.
Select the Ethernet tab.
Use the drop-down for the Device field to select your device (typically eno1 with the MAC address in parentheses). Then edit the field to just list the name of the interface (typically eno1) by removing the MAC address in parentheses.
You may want to also set the IPv6 Settings to use Method: Disabled.
Click Save.
Close the window by pressing Esc (while the focus is on that window).

A.5.2. Disable the second Ethernet port

This may be useful, for example, if your second port has a IPMI interface and the kernel detected a connection there and it is interfering with the normal or the IPMI connection.

If there is no Wired connection 2, click the + icon. Otherwise select that connection, click the “gear” icon, and skip to step 4. It may be benign to delete (- icon) any other connections except Wired connection 1.
Make sure Ethernet is selected in the drop down box and click Create….
Change the Connection name to Wired connection 2.
Select the Ethernet tab.
Use the drop-down for the Device field to select your device (typically eno2 with the MAC address in parentheses). Then edit the field to just list the name of the interface (typically eno2) by removing the MAC address in parentheses.
Select the IPv4 Settings tab.
For Method select Disabled.
Select the IPv6 Settings tab.
For Method select Disabled.
Click Save.
Close the window by pressing Esc (while the focus is on that window).

A.6. Disable Desktop User

If you do not need the functionality available in the Desktop environment, you can disable the desktop account. You can re-enable the account later if you need it. To disable it, execute:

usermod -L desktop

You can undo this by using the -U option instead.

To prevent connecting with ssh using a key, create (or add desktop to an existing) DenyUsers line in /etc/ssh/sshd_config:

DenyUsers desktop

And restart sshd with:

systemctl restart sshd

You can undo the ssh block be removing the line (if it only has desktop) or removing desktop from the line and then restarting sshd.

A.7. Remove ModemManager package

If you use serial ports, it is strongly advised that you remove the ModemManager package to avoid conflicts over access to the ports. Execute this command:

apt-get purge modemmanager

A.8. Remove anacron package

If you enabled the weekly update job in fsadapt (it is strongly recommended), we recommend that you also remove the anacron package so that the job will run at a fixed time every week, even if the system is turned off for some periods of time. Execute this command:

apt-get purge anacron

A.9. Configure e-mail

The configuration described here (Internet site or mail sent by smarthost in the exim4 configuration, no incoming mail, reply-to filter, and modified user names), provides good support for system messages and the FS msg and rdbemsg utilities.

As root, enter:
```
dpkg-reconfigure exim4-config
```
to change the setup. Typically you should select internet site, use your host name in place of debian when it occurs, and otherwise select defaults at all the other prompts. (The only other recommended choices are local delivery only or mail sent by smarthost; received via SMTP or fetchmail.) If you want to receive incoming mail, you will also need to enable SMTP connections in Window 4 of fsadapt (and if you are using a firewall, you will need to enable such connections for it). We recommend that you NOT receive incoming mail on this computer.
Reply-To filter : If you follow the recommendation not to receive incoming mail and your system is not setup for local delivery only, you should set the Reply-To address for outgoing messages to a real e-mail account at your institution that is read regularly. You can do this by (all as root):
1. Create the filter (four lines in file):
  cat >/etc/exim4/reply-to-filter <<EOF # Exim filter << THIS LINE REQUIRED headers remove "Reply-To" headers add "Reply-To: email@address" EOF
  Change email@address to the e-mail address you want replies to be addressed to. If you want more than one, separate them with commas.
2. Create a file for local customizations:
  touch /etc/exim4/conf.d/main/00-exim-localmacros ln -sfn /etc/exim4/conf.d/main/00-exim-localmacros /etc/exim4/exim4.conf.localmacros
  Note
  The file is constructed this way so that it will work for both non-split or split exim4 configurations.
3. Add a call to the filter to /etc/exim4/exim4.conf.localmacros:
  cat >>/etc/exim4/exim4.conf.localmacros <<EOF #set reply to system_filter = /etc/exim4/reply-to-filter EOF
4. Then execute
  update-exim4.conf systemctl restart exim4
You should change your /etc/aliases so root and prog e-mail goes to oper.
- change root: desktop to root: oper
- add prog: oper
- add desktop: oper
This is recommended as a “catch all” since the oper account is presumably under regular use and any messages sent there are likely to be noticed. This is particularly important for system error messages since they should be delivered to a mail box on the system in case there is a network problem that might prevent them from being delivered off system. You can however add additional off machine delivery of these messages to whatever addressees you wish and we recommend this as well. These should include an e-mail account at your institution that is read regularly (maybe the same address as the Reply-To address you may have set above would be a good choice). To do this, create a .forward file in oper's home directory. The permissions should be -rw-r—r--. The contents should be similar to (left justified):
```
\oper
user@node.domain
```
where user@node.domain is the off machine addressee you want the messages to go to. You can add additional lines for additional addressees. The backslash (\) before oper prevents the mail system from getting into an infinite loop re-checking oper's .forward file.
If you have made the above changes to forward messages to another an e-mail account on another machine, you should customize the User Name (not login name, the User Name is the fifth field) of root, prog, oper, and desktop in /etc/passwd to identify the source of the message. For root and prog, it is recommended to append a string like at node (it is probably best to avoid FQDNs), where node is this machine, e.g., for atri you might change the 5th field for root from
```
root
```
to
```
root at atri
```
For oper, you might instead prepend your site name to the accounts for clearer reading in ops e-mail messages, e.g., for oper on atri at GSFC, we changed the 5th field for oper to:
```
GSFC VLBI Operator
```
and for completeness, for prog and desktop we use:
```
GSFC VLBI Programmer
GSFC Desktop User
```
These changes will help the recipient (possibly you) determine which system generated this message since it may not be obvious given the modified return address.
To give oper an indication at login that there is mail to read, add either (to get a count of messages):
```
test ! -f /var/mail/oper || from -c
```
or (to see the senders and subjects):
```
test ! -f /var/mail/oper || from
```
to the end of oper's .profile file (if using bash as the login shell) or .login file (tcsh).
Lastly, check the default mailbox directory /var/mail/ for accounts that may have messages that arrived before the e-mail system was fully configured. Be sure to resolve any system messages that may have been received. You can check to see what accounts have mail with:
```
ls /var/mail
```
which will list each user account mail file that exists. Check and clear each user’s mailbox (where user in the line below is the account name) that has received mail (as root):
```
mail -f /var/mail/user
```
If there are messages in the desktop user’s mailbox that you want to preserve and oper's mailbox is empty or non-existent, you could consider renaming desktop's mailbox to be oper's. If you do so, be sure to change the owner of the file to be oper.

A.10. Generate FQDN in HELO for outgoing mail

If mail from your system is being rejected by some servers because exim4 is not providing a Fully Qualified Domain Name (FQDN), in its HELO message, the following steps should fix the problem.

If you have not already created /etc/exim4/conf.d/main/00-exim-localmacros (see Reply-To filter above), do so:

touch /etc/exim4/conf.d/main/00-exim-localmacros
ln -sfn /etc/exim4/conf.d/main/00-exim-localmacros /etc/exim4/exim4.conf.localmacros

Add the necessary line to the file:

cat >>/etc/exim4/exim4.conf.localmacros <<EOF
MAIN_HARDCODE_PRIMARY_HOSTNAME=ETC_MAILNAME
EOF

Then execute:

update-exim4.conf
systemctl restart exim4

Verify that the change has taken effect:
```
exim4 -bP primary_hostname
```

A.11. Set X display resolution at boot

If your display sometimes starts with the wrong resolution, you may be able to configure a better resolution. The following is a description of something that worked for at least one system. The details of your system may require some changes (beyond the resolution and output name).

First you need to determine the correct resolution and output name. You may be able to do this with xrandr. If the screen currently has the correct resolution, you can just execute:

xrandr

The output might look like:

Screen 0: minimum 320 x 200, current 1920 x 1200, maximum 1920 x 2048
VGA-1 connected primary 1920x1200+0+0 (normal left inverted right x axis y axis) 0mm x 0mm
   1024x768      60.00
   800x600       60.32    56.25
   640x480       59.94
  1920x1200 (0x42) 154.000MHz +HSync -VSync
        h: width  1920 start 1968 end 2000 total 2080 skew    0 clock  74.04KHz
        v: height 1200 start 1203 end 1209 total 1235           clock  59.95Hz

Where the current screen resolution is 1920x1200 and the output name is VGA-1.

You can then generate the needed Modeline by executing:

cvt 1920 1200

Which might generate output:

# 1920x1200 59.88 Hz (CVT 2.30MA) hsync: 74.56 kHz; pclk: 193.25 MHz
 Modeline "1920x1200_60.00"  193.25  1920 2056 2256 2592  1200 1203 1209 1245 -hsync +vsync

As a test, you can make a script (use an appropriate name), that will enable that resolution. Use the output name (VGA-1 in this example) and the tokens following Modeline from above. There are three lines after the #!/bin/bash line.

~/display_1920x1200

#!/bin/bash
xrandr --newmode "1920x1200_60.00"  193.25  1920 2056 2256 2592  1200 1203 1209 1245 -hsync +vsync
xrandr --addmode VGA-1 1920x1200_60.00
xrandr --output VGA-1 --mode "1920x1200_60.00"

Be sure to chmod u+x the file before executing.

If that is successful, you can use output name (VGA-1 in this example) and Modeline from above to make a file (you may need to create the directory first):

/etc/X11/xorg.conf.d/10-monitor.conf

Section "Monitor"
Identifier     "VGA-1"
Option         "Enable" "true"
Modeline "1920x1200_60.00"  193.25  1920 2056 2256 2592  1200 1203 1209 1245 -hsync +vsync
EndSection

Section "Screen"
Identifier     "Screen0"
Device         "Device0"
Monitor        "VGA-1"
DefaultDepth    24
#Option         "TwinView" "0"
SubSection "Display"
    Depth          24
    Modes          "1920x1200_60.00"
EndSubSection
EndSection

You should chmod the permissions for directory with o+rx and the file with o+r, if those are not already set.

You could then try restarting the display (after closing all windows) with:

systemctl restart gdm3

or rebooting.

A.12. Use KeepAlive to prevent VLAN firewall inactivity time-out

If there is a VLAN firewall in use on the local network, it may be necessary to use KeepAlive for TCP connections to prevent inactivity time-outs for network connections from the FS to the VLBI equipment when no activity is occurring with the system. For some devices, having the time-out break the connection may cause an issue with the number of connections available.

To use KeepAlive to prevent the inactivity time-outs, first install the package libkeepalive0:

apt-get install libkeepalive0

Then add the follow lines for oper (and analogously for prog):

~/.profile

export KEEPCNT=20
export KEEPIDLE=180
export KEEPINTVL=60

Then add the following alias for oper (and analogously for prog):

~/.bash_aliases

alias fs='LD_PRELOAD=libkeepalive.so fs'

You will need to terminate the FS, log out, and log back in to activate these changes.

Note	If you run the FS from a script, you will need to include the setting of `LD_PRELOAD` explicitly in the script since scripts do not pick up aliases.

A similar alias can used to allow other individual applications to avoid the inactivity time-outs. (A better solution is available for ssh, discussed below.) It is also possible to put export LD_PRELOAD=libkeepalive.so in ~/.profile to enable it for all applications, but this may generate some error messages (in the case of xterm at least, the error is apparently benign).

If you need to have a persistent ssh connection, add the follow for oper (and analogously for prog):

Note	You will need to create the ~oper/.ssh directory if it doesn’t already exist: mkdir ~oper/.ssh

~oper/.ssh/config file:

Host *
    ServerAliveInterval 200
    ServerAliveCountMax 2

This can be set selectively per remote system. The interval of 200 seconds is chosen to be less than the 300 seconds that some (possibly security hardened) servers may use.

If created the ~oper/.ssh directory, set its ownership (and analogously for prog) with:

chown -R oper.rtx ~oper/.ssh/

A.13. Remove login banners for commands run by ssh on remote systems

If you use ssh as oper (and maybe prog), to run commands on other systems as part of FS operations, you may get login banners mixed in with the output. You can suppress the banners by adding the following for oper (and analogously for prog):

Note	You will need to create the ~oper/.ssh directory if it doesn’t already exist: mkdir ~oper/.ssh

~oper/.ssh/config file:

Host *
    LogLevel ERROR

This will allow errors to be displayed while suppressing the login banners of remote systems. This can be set selectively per remote system.

Please check the end of the Use KeepAlive to prevent VLAN firewall inactivity time-out section for setting the ownership of ~/.ssh/config.

A.14. Suspend, shutdown, and restart issues

Mouse cursor disappearing on text console after suspend

The FSL11 installation disables suspend by default (as part of the greeter item in the FS Adaptation: Setup (Window 2) sub-step of fsadapt in the Third stage installation). If you did not disable suspend, you may encounter this issue. A way to fix it is to switch to a different text console and then back again. The cursor should reappear.
Disable the power switch from shutting the system down
1. Add the following to the /etc/gdm3/greeter.dconf-defaults file:
  # Disable restart buttons disable-restart-buttons=true
2. Restart gdm3:
  systemctl restart gdm3
Disable use of restart for ordinary users

It is possible to disable all use of restart for ordinary users with a bit more work — the details are available on request. The file powerlock.tar.gz may be helpful for this. It contains sample contents of the files that need to be changed or created.

A.15. Printer setup

Make sure your printer is connected, to the computer or the network, as appropriate.

Tip	Newer computers usually do not have a parallel port (IEEE 1284). If not, and your printer requires a parallel connection, you should be able to obtain a USB/Parallel converter for less than US$20.

Login in to the X-display or remotely using an X-capable display.
Start firefox
Enter URL: localhost:631
Select Add printers and classes.

You may be prompted to enter credentials. If your account is a member of the lpadmin group, you can use your own credentials; if not, those of the root account or another account that is a member of lpadmin will be required.
Add your printers.

Connected printers may be automatically offered to be added. You may also be able to find printers using the Find Printer function. If CUPS offers you the wrong type of printer to be automatically added or it is unclear what driver to select for a printer, you may be able to get some useful information to help with manually installing your printer by searching the Internet for the string cups and your printer model.

Some printers will work with an AppSocket/HP JetDirect connection of the form socket://hostname.
Be sure to select a printer as the default (usually by selecting Printers at the top of the page, then select the printer to be set as the default, then from the Administration drop down: Set As Server Default).
Quit firefox

A.16. NTP configuration

For good performance with NTP, please follow the recommendations in /usr2/fs/misc/ntp.txt.

Additionally, to make the ntpq -c pe output more readable for local devices, you can adjust the contents of /etc/hosts. The local devices should be listed in the file, but use a nickname (15 characters or less) that is meaningful locally in place of the canonical name (the first name after the IP address). The canonical name can be listed after the nickname.

A.17. Add raid-events scripts

If your system is using a RAID configuration, you may want to install the raid-events script. The script provides email notifications of when Rebuilds (and array checks) start and end. For full details on the script and installation instructions, please see the raid-events subsection in the Script descriptions section of the RAID Notes for FSL 11 document.

A.18. Add refresh_spare_usr2

If you are using two systems, an operational and a spare, you may want to install the refresh_spare_usr2 script. The script can be used to backup the /usr2 partition on the operational system to the spare system. For full details on the script and installation instructions, please see the refresh_spare_usr2 subsection in the Script descriptions section of the RAID Notes for FSL 11 document.

A.19. Install pgplot version of pgperl

Important

This step is “use as at your own risk.” Every effort has been made to make it safe, but it installs a non-standard package. You should only use it if you need it and accept the risk.

This replaces the use of the giza package in pgperl with pgplot. It will restore the behavior of pgperl (used by plotlog) from distributions FSL10 and earlier. Full directions can be found in the INSTALL file in sub-directory libpgplot-perl.

This package uses the same pgperl source as the standard version, but it is built against pgplot instead. If pgperl receives a security update, the pgplot version will be overwritten. It is possible to prevent that if you prefer.

Appendix B: Managing Security Updates

It is strongly recommended that you use the weekly cron update download (the “weekly cron job”) as configured according to the Window 2 subsection in the fsadapt section of the main document. The job will send a message to root (or whoever e-mail to root is aliased to, typically oper) to provide notification of the available updates on a weekly basis. You can choose a convenient time, when not in (or about to start) operations, to install the updates and test the system.

It is also recommended that you remove anacron as described in the Remove anacron package section in Additional Setup Items appendix. This will cause the updates to always be downloaded at what should be innocuous time, early Sunday morning (but this can be adjusted if need be).

Note	An optional method for identifying available updates without using the weekly cron job is described below in the Manually checking for updates section.

B.1. Installing updates (upgrading)

This section gives a recipe for upgrading, collecting best practices from this appendix and elsewhere in the FSL11 documents. Links to explanatory information are included.

All steps are to be performed by root:

If you are using the RAID configuration with removable disks, it is recommended that you perform a disk rotation first (see the Disk Rotation section in the RAID Notes for FSL 11 document). This will provide an easier recovery path in the unlikely event that something goes wrong. You do not need to wait for the refresh to finish before upgrading.

If your RAID is in a “split” testing configuration (see the Recoverable testing section of the previously referenced document), you can’t perform a rotation. Click the “Details” toggle below for information on how to proceed in this case.
Details
If it is not feasible to restore the RAID, and rotate disks, before upgrading, you can still apply updates, but there are additional considerations:
- If you had split the RAID using drop_primary, it is recommended that you reboot with the primary disk turned off. However, this is not strictly necessary unless there is a kernel update.
- When the testing is completed you will restore the RAID with either recover_raid (overwriting the primary disk) or with refresh_secondary (overwriting the secondary disk). In the latter case, you will need to reinstall the updates, probably after a disk rotation.
- Additional disk rotations may be needed to re-sync the disk order with other systems if the testing has been going on for an extended period.
If the RAID is not already “split”, you can create an additional recovery path using the method of the Recoverable testing section of the previously referenced document. Click the “Details” toggle below for additional considerations for this case.
Details
If you want to use this approach:
- It will be necessary to wait until the refresh from the disk rotation completes before splitting the RAID.
- It is recommended that you not use drop_primary to split the RAID. But strictly speaking, not using it is only necessary if there is a kernel update.

Execute (see the Manually checking for updates section below):

/root/fsl11/etc_cron.weekly_apt-show-upgradeable --which=news

This may take a few minutes, depending on your Internet connection. If there is no output, there are no updates to install and the rest of the steps in this section can be skipped.

If there is output, the instructions for upgrading (starting with apt upgrade …) will be shown, including any special instructions for a kernel update (see the Kernel updates section below).

Warning

Before the instructions, there may be News items. These rarely occur, but may contain additional actions that are needed. If there are any, you should consider how they will affect your system. Be sure you are prepared to handle them before continuing to the next step.

Note	If you want to see the full list of packages to be installed, leave the `--which=news` off the above command. You may want to pipe the output through less so you can view it a page at a time.

Upgrade:

apt upgrade

Before answering y to proceed, check if any NEW packages will be installed. There should only be the new packages associated with a kernel update, if there is one. There may also be new packages listed for insecure packages that have been removed (see the Removing insecure packages section below). Those can be removed afterwards. If there are new packages that you don’t recognize, you can answer n and investigate before proceeding.

Note	This command will also show if any `News` items are included in the update. If there are, they will be displayed by a paging program at the beginning of the upgrade, giving you an extra chance to be prepared for them before upgrading or aborting if you are not.

Clean the cache:
```
apt clean
```
Remove any insecure packages that were reinstalled.
Take any actions specified by News items.
Reboot
If there was a kernel ABI update, rebuild any out-of-tree modules and reboot again (see the Updating out-of-tree modules section below).
Test the system as appropriate, particularly for a kernel update.

B.2. Kernel updates

Warning

Kernel updates require extra care and testing. If you are using a RAID, you should consider using the Recoverable testing procedure to give more, and easier, options for recovery in case there is a problem. That procedure contains special instructions for kernel update testing.

Note

When a kernel update is available, you may see messages at the start of the cron job output similar to:

apt-listchanges: Unable to retrieve changelog for package linux-headers-amd64; 'apt-get changelog' failed with: E: Version '5.10.120+1' for 'linux-headers-amd64' was not found
E: No packages found

apt-listchanges: Unable to retrieve changelog for package linux-image-amd64; 'apt-get changelog' failed with: E: Version '5.10.120+1' for 'linux-image-amd64' was not found
E: No packages found

and

Calling ['apt-get', '-qq', 'changelog', 'linux-headers-amd64=5.10.120+1'] to retrieve changelog
Calling ['apt-get', '-qq', 'changelog', 'linux-image-amd64=5.10.120+1'] to retrieve changelog

These appear to be benign. Our only advice at this time is to ignore them.

If there is a kernel update available, the weekly cron job output will include a warning at the end with additional instructions depending on which type is available. There are two types of kernel updates:

ABI updates, e.g., from 4.9.0-11-amd64 to 4.9.0-12-amd64 (with 11 and 12 being the ABI versions), which change the kernel ABI (Application Binary Interface). The warning for this case is:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
NB: The Linux kernel image is one of the packages due to be upgraded.
NB: (The kernal ABI has changed as per the linux-latest source package above
NB:  so all out-of-tree modules WILL NEED TO BE REBUILT after you REBOOT.)
NB: Please allow _extra time_ for TESTING after the upgrade.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Non-ABI updates, which update the kernel, but do not change the ABI. The warning for this case is:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
NB: The Linux kernel image is one of the packages due to be upgraded.
NB: (Upgrading will OVERWRITE the running kernel and require you to REBOOT!)
NB: Please allow _extra time_ for TESTING after the upgrade.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Be sure to allow time to follow the instructions when planning to install these updates. As described in the ABI update warning, you will need to rebuild any out-of-tree modules after rebooting for that case. This is discussed in the Updating out-of-tree modules section below.

Caution

In extreme circumstances, an ABI (but not a non-ABI) kernel update can be deferred to a later date when more extensive testing can be performed by using apt-get in place of apt in the instructions for installing the update. This works because an ABI update involves new packages. The apt-get command will install the updates for existing packages, but it will not install the new packages. While this method can be used to install the other updates, it is not recommended since there are presumably security patches needed for the kernel and they are not being installed in this case.

Tip

When the kernel is upgraded, you may get messages such as:

update-initramfs: Generating /boot/initrd.img-5.10.0-16-amd64
W: Possible missing firmware /lib/firmware/ast_dp501_fw.bin for module ast

These are usually benign, unless you need that firmware. If you don’t, these messages can be silenced for future upgrades by creating an empty version of the file. For this example, enter:

touch /lib/firmware/ast_dp501_fw.bin

B.2.1. Updating out-of-tree modules

When an ABI update is installed, it will be necessary to update any, so-called, out-of-tree modules that use the kernel ABI. This must be done after rebooting with the new kernel installed.

For a normal FSL11 installations, unless you have installed other out-of-tree modules, the only module that needs to be rebuilt is the GPIB driver (if it is installed). You will need to recompile it (usually using fsadapt, Window 2, config_gpib only) after the initial reboot and then (to keep these instructions simple) reboot again.

If you have installed other out-of-tree modules (e.g., you use a special driver for some of your NICs), you will need to update them appropriately after the initial reboot and then (to keep these instructions simple) reboot again.

B.3. Recovery from a failed update

If an update fails, e.g., an updated kernel fails to boot or another problem is discovered, you can recover as described in FSL11 RAID document Recoverable testing section, if you were following that method, or from a shelf disk according to the FSL11 RAID document Recover from a shelf disk section if not and you have a good shelf disk.

B.3.1. Additional recovery option for a failed ABI kernel update

For a ABI update that has failed, it is also possible to try to use the previous kernel on the current system. For a single boot, use the Advanced option in the grub menu at boot and then select the previous kernel. You can change back permanently to the previous kernel by purging the new kernel and its headers. To do this, use:

dpkg -l|grep linux-image
dpkg -l|grep linux-headers

to determine the ABI version to be removed. For example, for the first command above, you may get:

linux-image-4.9.0-11-amd64
linux-image-4.9.0-12-amd64

The package with 12 would be the later version that should be purged:

apt-get purge linux-image-4.9.0-12-amd64

Likewise with the linux-headers. For example, for the 12 ABI version, there will be two packages you should purge:

linux-headers-4.9.0-12-amd64
linux-headers-4.9.0-12-common

B.4. Manually checking for updates

If you do not use the weekly cron job, you can run the distributed copy of the weekly script manually to check for updates:

/root/fsl11/etc_cron.weekly_apt-show-upgradeable

If there is no output, there are no updates to install.

If there is output, there are updates to install. You can install them by following the installation procedure in the Installing updates (upgrading) section above. (That section uses the alternate form of running the script given below.)

Any News items will be included in the output along with the packages to be updated. If you would like to just see any News items you can run the script with the --which=news option:

/root/fsl11/etc_cron.weekly_apt-show-upgradeable --which=news

If there are updates available and no News items, you will only get the installation instructions.

You can use this form of running the script to check for updates initially, if you do not need to review which updates are available (you will still get warnings about kernel updates). As usual, you will see no output at all if there are no updates available.

Caution

Each run of the script, with or without --which-news, may add to the list of updates to install.

B.5. Removing insecure packages

In some cases, it may be necessary to remove an installed package because it has a known security flaw that has not been fixed. When a package is removed, any packages that depend on it will be removed as well. In same cases, a package that has been removed may be reinstalled later because another package that has an update recommends it, or recommends a package that depends on it.

When removing a flawed package, you should check carefully that no critical package that depends on it will be deleted as well. You can check which packages will be deleted with, as root:

apt-get purge package

The list of packages to be deleted will be displayed and you will prompted for whether to continue. If you are confident that no critical packages will be lost, you can confirm (Y). If don’t want to delete the listed packages, or need more time to think about it, you can stop (n).

Since subsequent upgrades may reinstall the flawed package, you should attempt to purge it after each upgrade. If the flawed package is not present, there should be nothing to remove. If it is present, you should reverify that nothing critical will be removed before confirming.

Warning

It is recommended to not prevent the flawed package from being installed using /etc/apt/preferences, /etc/apt/preferences.d, or apt-mark hold …. If an update requires the flawed package, not being able to install it will probably silently prevent the update from being installed; leaving the insecure version in place. Additionally, having a hold will complicate making a Debian release upgrade.

If you use the automatic weekly updates reminder (/etc/cron.weekly/apt-show-upgradeable), you can modify it to include a reminder about purging the flawed package, inserting, e.g.:

	echo "        apt purge libmfx1     (check packages being deleted before 'y')"

after:

	echo "        apt clean"

You may also wish to adjust the white space on the apt upgrade line for alignment.

B.6. End of security updates

When support for Bullseye ends, currently expected at the end of August 2026, there will be no more security updates. At that time, the existing packages will subsequently be migrated to the historical Debian archive site. This will be visible in the output from the weekly cron job script as errors that the packages files can’t be found. Two steps are needed at that time:

If you have been using the weekly cron job, it should be deleted:
```
rm /etc/cron.weekly/apt-show-upgradeable
```
(you may need to answer y to confirm)
Change the /etc/apt/sources.list file to point to the archive site. Although there will be no more security updates, this will enable downloading of additional packages if they are needed. The new lines that should replace the corresponding existing lines are:
```
deb http://archive.debian.org/debian/ bullseye main contrib non-free
deb http://archive.debian.org/debian-security bullseye/updates main contrib non-free
```
And if you are using deb-src lines:
```
deb-src http://archive.debian.org/debian/ bullseye main contrib non-free
deb-src http://archive.debian.org/debian-security bullseye/updates main contrib non-free
```
Otherwise the deb-src lines can be commented out (with a leading #). Any other deb or deb-src lines relating to updates, proposed-updates etc. should likewise be commented out.

In addition, if you want to install packages from more recent distributions that have been backported to bullseye you can add:
```
deb http://archive.debian.org/debian-backports bullseye-backports main contrib non-free
```
However, the “backports” are not normally needed.

Lastly, update the index files:
```
apt-get update
```
This may generate an error about a Release file having expired, but that is benign.

Note	When support for Bullseye ends, it is strongly advised that you move your FS machine behind a firewall and/or upgrade it to a more recent FS Linux release.

Appendix C: Other Maintenance Procedures

This appendix covers additional procedures for maintaining your system.

C.1. Update IP address, hostname, FQDN, and other network information

This is useful if the computer is physically moved to a different site, its IP address changes, or its network information needs to be updated for a different reason. This is typically not needed if you use DHCP, though that may still require some of the changes in the Modify other system files step below (please let us know if you gain experience).

This subsection requires using nm-connection-editor on a graphic display (nmtui may be an option on a text terminal, but it has not been fully verified). You may need to be root or desktop to do this. This subsection assumes you are in the program and have sufficient permissions.

Note

If you move the disks to a computer with a different mainboard model, the device names of the network interfaces may change. In that case, you will need to reselect the names as described in the sub-steps of the Stabilize network configuration section of the Additional Setup Items appendix. This should not be necessary if the origin and destination computers have the same mainboard.

Select your connection and click the “gear” icon.
Select the IPv4 Settings (or IPv6 Settings if you are using IPv6) tab.
Adjust your Manual Method configuration: Addresses, DNS Servers (comma separated), and Search domains.
Click Save.
Close the window by pressing Esc (while the focus is on that window).

Modify other system files :

Update the information as appropriate. The system may have initially been installed with the default hostname debian and no domain name.

/etc/hostname

Change your hostname

/etc/hosts

Update your IP address, FQDN (canonical name), and alias (typically the hostname, but multiple aliases/nicknames are allowed).

If you moved your computer to a new LAN environment, you may also want to update the nodes and aliases listed, see also Setup /etc/hosts.

/etc/networks

Use your local subnet (class A, B, or C) for the localnet line.

/etc/mailname

Use fully qualified node name.

Note

If your system doesn’t have a FQDN or you don’t want to show it in e-mail messages, you may be able to use a fake one. A FQDN may be necessary to allow messages to be sent successfully to some remote hosts and mailman mail lists. A possible strategy for this is to append .net to the node name you use in this file and the next. The node name in these two files can be different than the official hostname. However, these two mail related files should be consistent. You might consider fs1-<xx>.net (or fs2-<xx>.net), where <xx> is your station two letter code (lower case).

/etc/exim4/update-exim4.conf.conf

Look for hostnames=, use fully qualified domain name.

Then execute:

update-exim4.conf

When finished, reboot.

C.2. Increase the size of an LVM volume

It is possible to increase the size of an LVM volume if there is additional room available in its volume group. These instructions assume you will be resizing a logical volume for a typical configuration. For example, for the logical volume mounted at /usr2, on RAID device /dev/md0, which is using /dev/sda2 and /dev/sdb2. Additionally, example pathnames are given in the instructions below for adjusting the size of the logical volume for /usr2. All these names may be different if you want to resize a different volume and/or your disk configuration is different.

Preparation
1. Check that there is enough free space available.
  
  Examine the output of:
  vgs
  You can increase the size of a logical volume if the volume group (under the VGS column heading) has enough free space (VFree heading) for the increase. Typically, the volume group would be vg0.
2. Determine the Path of the logical volume you want to extend.
  1. Get a listing to relate the internal device-mapper pathnames (under the Filesystem column heading) and where the logical volumes are mounted (Mounted on heading). For example, /dev/mapper/vg0-usr2 would typically be mounted at /usr2.
    
    df -h
  2. Get a listing to relate the internal device-mapper pathname (under the DMPath column heading) to the logical volume Path. For example, for /dev/mapper/vg0-usr2, the Path would typically be /dev/vg0/usr2.
    
    lvdisplay -C -o lv_dm_path,lv_path
  3. For the mount point of the logical volume you want to extend, determine the Path using the internal device-mapper pathname from the above two sub-steps. For example, the logical volume for /usr2 would typically correspond to /dev/mapper/vg0-usr2 and the corresponding Path would be /dev/vg0/usr2.
Pre-check (optional)

This sub-step is not required but can be used, along with the “Post-check” sub-step below, to check that the volume size changed as expected and that no files were lost or changed size/modification-time.
1. Get the size (under the 1G-block column heading) of the logical volume (Mounted on heading) for the volume of interest:
  df -BG
  Record the size to compare to the results in the “Post-check” sub-step below.
2. Make a listing of the files on the mount_point (include the leading /) to be changed. For example, the mount_point might be /usr2.
  ls -ltR mount_point >/tmp/before.txt

Make the change, using the Path you determined in the “Preparation” sub-step above.

Make a backup of your system.

Note

This sub-step, and recovery in case of a problem, is much easier if you using the FSL11 RAID system. If not, it is strongly recommended that you make your own backup of your entire system. The remainder of this sub-step assumes you are using a RAID, following the approach of the Recoverable testing procedure in the Raid Notes for FSL11 document.

If you are using a RAID, you can drop the primary disk out of the RAID to save as a backup:

drop_primary

Extend Path

For the logical volume (mount point) you want to extend, you can either:
1. Incrementally increase the size. For example, to increase Path by 4 GB:
  lvextend -L+4G Path
2. Set the size to a new larger total size, say 8GB:
  lvextend -L8G Path

Resize Path

Important

Do not interrupt the next command. If it is interrupted and you are using the Recoverable testing procedure in the Raid Notes for FSL11 document, you will need to utilize the If the update is deemed to have failed subsection of that procedure. Otherwise, if you are not using that procedure, you will need to use your own recovery method.

resize2fs Path

Post-check (optional)

This sub-step is not required but can be used, if the “Pre-check” sub-step above was used, to check that the new size is correct and no files were lost or changed size/modification-time.
1. Check that the size of the logical volume (under the Mounted on column heading) has the expected new size in the output of:
  df -BG
  Compare the result to that in the “Pre-check” sub-step above.
2. Make a listing of the files on the mount_point (include the leading /) that was changed. For example, the mount_point might be /usr2.
  ls -ltR mount_point >/tmp/after.txt
3. Compare the before and after listings of the files
  diff /tmp/before.txt /tmp/after.txt
There should be no differences in the listings except any changes that can explained by other expected activity that occurred since the “Pre-check” sub-step above. If there was no other activity on the logical volume, there should be no differences.

Cleanup

Note	If you not are using the Recoverable testing procedure in the Raid Notes for FSL11 document, you will need to use your own methods to restore the system if there was a problem. This step describes how to proceed if you are using the referenced procedure.

There are two options:

If you are satisfied with the change, you can recover the RAID with:
```
recover_raid
```
This should only take a few minutes.

Note
The change in the volume size will not propagate to the shelf disk until the next disk rotation.
If you are not satisfied with the change, you can try again if you first restore the RAID using the If the update is deemed to have failed subsection of the Recoverable testing procedure in the Raid Notes for FSL11 document.

Appendix D: Rescue Mode

Rescue mode is useful for repairing some problems that prevent booting and/or logging in.

Note	If your computer’s setup utility is locked with a password, you may need that password to select booting from your installation media.

Note	You should provide suitable values for your system when a specific value is required. Values that agree with the FSL11 install described in this document (or reasonable defaults) are shown in parentheses.

Boot from installation media
Select Advanced options …

Select … Rescue mode

Note

You could instead add parameters to the boot line (by entering e for UEFI or Tab for BIOS on the … Rescue mode line instead), following the directions in the Set boot options and boot installer section above. This is not necessary nor usually helpful, but if you use this approach the most useful parameters are probably netcfg/disable_dhcp=true and/or time/zone=UTC. Use of added parameters will change the dialogue below.

Select Language (English)
Select Location (United States)
Select Keymap (American English)
Network configuration

If you computer has more than one network interface, select your primary interface when presented with the choice.

If no network is currently available (or you know that you do not need it for the rescue), simply press Enter when DHCP autoconfiguration starts and press Enter again for the resulting Network autoconfiguration failed message. Thereafter select Do not configure the network at this time and confirm the default hostname (debian) when prompted before continuing below.

If the DHCP autoconfiguration succeeds before you can stop it, you may as well confirm the hostname and domainname and continue with the network anyway, since you never know when it might prove useful. (However, if you want to make sure you don’t use the network, you can select Go Back and press Enter for the resulting Network autoconfiguration failed message. Thereafter select Do not configure the network at this time and confirm the default hostname, debian, when prompted before continuing below.)

Otherwise if the DHCP autoconfiguration fails and you want to use the network, press Enter for the resulting Network autoconfiguration failed message. You can then select the appropriate option, most likely Configure network manually and give appropriate responses to the prompts, ultimately continuing below.
Select time zone (Eastern)

Note
The selected time zone will have no effect on the timestamps stored on the disk for any changes you may make, but will affect the displayed times you see.
Unless you are not using Software RAID, select Assemble RAID array

Press Space on Automatic and Enter to continue
Select your root file system (/dev/vg0/root)
Select Yes to mount separate /boot partition (/boot), unless it is corrupt

For UEFI boot also select Yes to mount separate /boot/efi partition (/boot/efi), unless it is corrupt
Select Execute a shell in /dev/vg0/root (or whatever your root file system is)
Select Continue to enter rescue mode

Use whatever commands are needed for your repair

Note

If you need to use the network, DNS does not appear to work by default in recovery mode. Use of explicit IP addresses does work. If you need to use DNS, you can make it functional by deleting the symbolic link /etc/resolv.conf and creating it as a normal file with the nameserver information you want, e.g.:

rm /etc/resolv.conf
cat >>/etc/resolv.conf <<EOF
nameserver 8.8.8.8
EOF

Use the exit command to exit when done
Select Reboot the system
“Bob’s your uncle” (i.e., you are done!)