IPMI Installation (Buster)

From Hexwiki
Jump to: navigation, search

This is a step-by-step process for setting things up over IPMI. It is not terribly detailed, just some 'oops' or 'what is going wrong!?' situations.

Over-IPMI OS Installation

  1. Network detect/configure - don't autoconfigure, obviously. If using CIDR appending be sure to base from the second IP given to you. Use Google's nameservers if others aren't provided (8.8.8.8 8.8.4.4)
    1. If you're having difficulty, be sure you're using the right interface. Not every host plugs in eth0 or equivalent.
  2. Hostname: Most people choose a scheme of some sort, at least for lower numbers of machines.
  3. The Steadfast mirror is quite handy if your machine is actually at Steadfast or anyone else at 350 E Cermak
  4. There's a pattern to my admin usernames, but I prefer to keep them secret. Generally use a temp password, set it to something ridiculous later as only logins will be via ssh keys
  5. Setup clock, configure. Should probably consider standardizing on UTC time.
  6. Detect disks, partition manually. Use gpt for new disks (GUID partition table), though may want to stick with msdos for ssds to help with overprovisioning (and some ssds don't support gpt at all), if you can't make use of the manufacturer's provisioning tool.

Partitioning

MySQL's InnoDB doublewrite log generates roughly the same amount of write IO as the main database. Accordingly I generally make a smallish (32GB) partition on a second drive for it, usually.

While LVM is great for virtual servers, I've kind of soured on it for my dedicated server setups.

swap I use 4GB for swap, and have for over a decade now. Regardless of configuration, or total RAM, for my servers, about a half a gigabyte will end up swapped out with no meaningful impact. Past that point, it starts eating into cache, and gets progressively more painful. Users start to notice and complain when swap is over about 2GB.

Your mileage will of course vary, but don't be fooled by 'swap is useless' evangelism. Half a gig of free RAM is still free, and can give you significant breathing room on smaller servers.

noatime goes on all the things, except swap of course.

nodev, nosuid goes on everything not /boot or / (or swap)

noexec should be treated with caution. The installer likes to execute things out of /var, apt likes to execute things out of /tmp. I generally just place it on my storage /srv mounts, my /innodb mount (for doublewrite), etc.

Over-IPMI OS Install - Finishing

  1. I prefer to turn popularity contest on, personally.
  2. When getting to the Tasksel/Software selection screen, deselect everything except for SSH server and Standard system utilities.
  3. Install grub to MBR
  4. Reboot, login as root
  5. systemctl stop ssh
    1. We're listening on the standard port to start. No need to let it get hammered.
  6. vi /etc/ssh/sshd_config
  7. Set new port and specific IP to bind to.
    1. Not really doing this to hide (though our IPTables will help with that). If you ever run a major server, though, you are going to get a lot of attempts at port 22, and a fair amount on various common server ports, and it clutters your logs. Just set it somewhere out of your way. My preference is to pick a single port number, 1023 or less, for all of my servers and stick with that.
  8. PermitRootLogin no
    1. This is just common sense.
    2. If you're going to be copy/pasting a key from your local machine, leaving PasswordAuthentication on for a minute is not going to kill you.
    3. Alternately post your public key somewhere so you can wget it.
    4. ssh for life. Or something.
  9. systemctl start ssh
  10. Sign in as your admin user over SSH.
  11. If works, exit out of IPMI