Download the image
Start by downloading the latest build from GitHub and unzip it.Next, format an SD-card as FAT32 and put the unzipped files on the card. If during unzipping, the files are put in a directory then only transfer the files in it to the root directory of the card.
Put the SD-card in the Pi and power it up.
After about 15...20 minutes the Pi will reboot and a login prompt will appear. If you have a headless Pi you'll need to wait for at least 15 minutes before attempting an ssh login.
Then try to log in using ssh.
Login with root / raspbian
Change the root password to something else.
# passwdUpdate the locale:
# dpkg-reconfigure localesSelect the appropriate locale. I always use en_US.UTF8. Then also set this as the default.
Next, configure the timezone:
# dpkg-reconfigure tzdataThose who don't like or understand vi can now install nano:
# apt-get install nanoSet the hostname to something you like better than the default 'pi'
# nano /etc/hostnameThen make it possible to login remotely via SSH without getting loads of locale related errors.
# nano /etc/ssh/sshd_configComment out the line that reads AcceptEnv LANG LC_*
Then regenerate new SSH-keys for extra security:
# rm /etc/ssh/ssh_host_*Make a note of the IP-address (if you have the luxury of a monitor and keyboard):
# dpkg-reconfigure openssh-server
# ifconfig(If you're using a headless Pi, you will have had to find out the IP-address earlier.)
Then reboot.
# reboot
It is now possible to safely login from a remote terminal (e.g. PuTTY on Windows or iTerm.app on OSX). At this point it would be a good idea to do an update/upgrade cycle:
For added security, now create a new user with sudo privileges that can be used instead of the root-account. For the example here I will use the username 'pi'. You might want to use something else.
Then add the new user to some useful groups:
%sudo ALL=(ALL:ALL) ALL
To look like this:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
I also like to move some parts of the filingsystem to RAM:
tmpfs /tmp tmpfs nodev,nosuid,size=30M,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,nosuid,mode=0755,size=100M 0 0
Next, reboot and you'll be able to login with the newly created user. Then edit the .profile file:
PATH="/usr/local/sbin:/usr/sbin:/sbin:$PATH"
Having created an extra user with sudo privileges it is time to take away some of the privileges of the root-account.
PermitRootLogin yes
And change the yes to a no.
blacklist rpcsec_gss_krb5
Create various folders
First make a backup of the original
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
Then make a backup copy of the final file
force_color_prompt=yes
then scroll down and make changes so these lines read as follows:
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -l'
alias la='ls -al'
#alias l='ls -CF'
(Additionally you may want to create a file .dircolors and fill it with your desired definitions. This is outside the scope of this howto. Google is your friend).
Reduce the amount of video memory to the bare minimum:
gpu_mem=16
Reboot and log back in, to make all the above changes take effect in one go.
For comparison, on a default Raspbian system I have running it is 825!
Remember to regularly (e.g. once a week) execute an update/upgrade cycle (as described above) to ensure you are on the most up-to-date version of the operating system.
# apt-get updateThis last command tells me that it didn't upgrade all the software:
# apt-get autoclean
# apt-get autoremove
# apt-get -yuV upgrade
Reading package lists... DoneBuilding dependency treeReading state information... DoneThe following packages have been kept back: libgcc1 (4.7.2-5+rpi1 => 4.8.2-21~rpi3rpi1) libstdc++6 (4.7.2-5+rpi1 => 4.8.2-21~rpi3rpi1)0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.This is fixed by the command:
# apt-get -yuV dist-upgradeThere are a couple of packages I like to use, that can be installed now.
# apt-get install screen lsof bc htop raspi-copies-and-fills apt-utils sudo nfs-common rsyncThese will pull in a host of other packages that are required. Just, sit back and wait...
For added security, now create a new user with sudo privileges that can be used instead of the root-account. For the example here I will use the username 'pi'. You might want to use something else.
# adduser piThis will ask for a passwd to set for the new user and some (optional) accounting information.
Then add the new user to some useful groups:
# usermod -a -G sudo piPrevent having to type your password at every 'sudo' you do.
# usermod -a -G adm pi
# usermod -a -G users pi
# usermod -a -G video pi
# usermod -a -G dialout pi
# visudoChange this line:
%sudo ALL=(ALL:ALL) ALL
To look like this:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
I also like to move some parts of the filingsystem to RAM:
# nano /etc/fstabadd these lines:
tmpfs /tmp tmpfs nodev,nosuid,size=30M,mode=1777 0 0
tmpfs /var/log tmpfs defaults,noatime,nosuid,mode=0755,size=100M 0 0
Next, reboot and you'll be able to login with the newly created user. Then edit the .profile file:
$ nano .profileAnd add this line at the end of the file
PATH="/usr/local/sbin:/usr/sbin:/sbin:$PATH"
Having created an extra user with sudo privileges it is time to take away some of the privileges of the root-account.
$ sudo nano /etc/ssh/sshd_configFind the line reading:
PermitRootLogin yes
And change the yes to a no.
Extended installation
Create a mountpoint for future use.$ sudo mkdir /mnt/share1I'll be using nfs to mount a drive from one of the servers on my local network. To prevent problems with slow mounts I need to blacklist a kernel-module. I have no idea why, but this seems to work. Other Pies in my network, running a full Raspbian version don't have this problem but also don't use this fix. Again, I don't have a clue why.
$ sudo nano /etc/modprobe.d/blacklist.confThen add this line:
blacklist rpcsec_gss_krb5
Create various folders
$ mkdir etcIf you're using this Pi as a headless machine there is no need for all the gettys so we'll disable a couple as follows:
$ mkdir bin
$ mkdir bin/run
First make a backup of the original
$ sudo cp /etc/inittab /etc/inittab.orgFind these lines and comment them out:
$ sudo nano /etc/inittab
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
Then make a backup copy of the final file
$ cp /etc/inittab ~/etc/inittabI like a coloured terminal, so I'll set up .bashrc to support that:
$ nano .bashrcFirst, find this line and uncomment it:
force_color_prompt=yes
then scroll down and make changes so these lines read as follows:
alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi
# some more ls aliases
alias ll='ls -l'
alias la='ls -al'
#alias l='ls -CF'
(Additionally you may want to create a file .dircolors and fill it with your desired definitions. This is outside the scope of this howto. Google is your friend).
Reduce the amount of video memory to the bare minimum:
$ nano /boot/config.txtAdd this line:
gpu_mem=16
Reboot and log back in, to make all the above changes take effect in one go.
$ sudo reboot
Finally
The number of packages installed on my Pi is now:$ dpkg -l |wc -l180
For comparison, on a default Raspbian system I have running it is 825!
Remember to regularly (e.g. once a week) execute an update/upgrade cycle (as described above) to ensure you are on the most up-to-date version of the operating system.
No comments:
Post a Comment