Purchase and assemble physical items
* model 3 pi + case
* 32gb micro sd card and adapter
* usb portable disk
* a usb hub (the pi lacks sufficient power output to drive a usb powered hdd)
Setup Jessie on the micro sd
Note more info at:
https://www.raspberrypi.org/documentation/installation/installing-images/
1) Download the RASPBIAN JESSIE LITE .img
https://www.raspberrypi.org/downloads/raspbian/
2) Get sd card mount point
df -h | egrep "mmc|sdd"
/dev/mmcblk0p1 30G 32K 30G 1% /media/kage/3535-3133
3) umount the card so it can be imaged
umount /dev/mmcblk0p1
4) write img to sd card
sudo dd bs=4M if=~/Downloads/2016-05-27-raspbian-jessie-lite.img of=/dev/mmcblk0
sync
5) correct sd card partition back to max size
sudo parted /dev/mmcblk0
(parted) p free
Model: SD SL32G (sd/mmc)
Disk /dev/mmcblk0: 31.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
32.3kB 4194kB 4162kB Free Space
1 4194kB 70.3MB 66.1MB primary fat16 lba
2 70.3MB 31.9GB 31.8GB primary ext4
31.9GB 31.9GB 15.0MB Free Space
(parted) resizepart 2 32G
(parted) p free
Model: SD SL32G (sd/mmc)
Disk /dev/mmcblk0: 31.9GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:
Number Start End Size Type File system Flags
32.3kB 4194kB 4162kB Free Space
1 4194kB 70.3MB 66.1MB primary fat16 lba
2 70.3MB 31.9GB 31.8GB primary ext4
6) Eject card and reinsert. Confirm mounting and sizes are ok
setup passwordless ssh for pi user (assuming the machine you're on is the accessor)
1) cd to the mounted sd card and into the pi home dir
cd /media/sd-card-uuid/
pushd .
cd home/pi
2) setup .ssh with the working machine's public ssh key
mkdir .ssh
chmod 0700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cat ~/.ssh/id_rsa.pub >> .ssh/authorized_keys
setup static ip
1) cd back to the root of the mounted sd card, ready for the etc/network area
popd
2) modify the interface setup
sudo vi etc/network/interfaces
3) setup a static hard line ip. I'm using 192.168.1.175, feel free to adjust as needed
iface eth0 inet static
address 192.168.1.175
netmask 255.255.255.0
gateway 192.168.1.1
network 192.168.1.0
broadcast 192.168.1.255
3b) OR setup the wifi (I would not advise this)
sudo vi etc/wpa_supplicant/wpa_supplicant.conf
# add this at the end
network={
ssid="network id"
psk="network password"
}
finish up raw img adjustments
1) sync and umount card and then eject the card
sync
umount /dev/mmcblk0p1
2) Install sd card in the pi3. You insert the micro card into the card reader on the underside of the pi3 board, face out.
Power it up and check that it seems to have booted
3) Now back on your work machine find out where it went
nmap -sP 192.168.1.0/24
4) If it booted at the correct address then great otherwise check your router setups
check access and secure the default password
1) ssh into the pi. Note the default password is "raspberry" but you shouldn't need it, your ssh key is the access method.
ssh pi@192.168.1.175
2) Scramble the default password (I use a software vault, keepassx, to generate and store passwords). This way if someone gets in they can't just sudo with the default password and get root as well
passwd
clean up and secure the ssh access
1) It's an image, so the /etc/ssh identity (host key) files are already set up.. that's not very healthy, since keys shipped in an image are the same on every machine flashed from it. Let's rebuild them
sudo rm -f /etc/ssh/*key*
sudo dpkg-reconfigure openssh-server
2) Confirm the ssh is ok (for chmods etc)
ls -al ~/.ssh/authorized_keys
3) Now secure the ssh access to keys only
sudo vi /etc/ssh/sshd_config
4) Edit/add the following lines
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
5) And confirm that ssh still works (with a second window).. Note if you make a mistake you can always turn off the pi, eject the sd card and edit it directly in your working PC.
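A check for step 4, added here as an example and not part of the original notes: sshd uses the first uncommented occurrence of each keyword, so lines added at the end of sshd_config lose to an earlier line such as an existing X11Forwarding yes. The function names and both sample configs are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Print the value sshd takes for keyword $2 from the global part of file $1.
# sshd rules modelled here: keywords are case-insensitive, the FIRST
# uncommented occurrence wins, and parsing stops at the first Match block.
effective_sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/        { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when all three settings from step 4 are explicitly "no".
audit_sshd() {
    rc=0
    for kw in PasswordAuthentication AllowTcpForwarding X11Forwarding; do
        val=$(effective_sshd_value "$1" "$kw")
        if [ "$val" = "no" ]; then
            echo "ok    $kw no"
        else
            echo "FAIL  $kw ${val:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample 1: the three lines appended below an existing
# "X11Forwarding yes", so the earlier line still wins.
appended=$(mktemp)
cat > "$appended" <<'EOF'
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
EOF

# Constructed sample 2: the existing line edited in place instead.
edited=$(mktemp)
cat > "$edited" <<'EOF'
PasswordAuthentication no
X11Forwarding no
UsePAM yes
AllowTcpForwarding no
EOF

audit_sshd "$appended" || echo "appended config fails the audit"
audit_sshd "$edited" && echo "edited config passes the audit"
```

On the pi itself, sudo sshd -T prints the settings sshd actually resolved.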
update machine and fix various other image guff
1) first update the image's software.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
2) after that I seemed to be getting this mess with the locale being bad..
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
3) so fix it with:
sudo dpkg-reconfigure locales
Setup usb disk
for more info refer to:
http://www.howtogeek.com/139433/how-to-turn-a-raspberry-pi-into-a-low-power-network-storage-device/
1) find out what usb disk we have attached
sudo blkid
/dev/sda1: LABEL="EC-PHU3" UUID="2E24054E24051B0B" TYPE="ntfs" PARTUUID="8418c874-01"
2) Right, looks like ntfs (but it could have also been vfat etc). So setup ntfs drivers
sudo apt-get install ntfs-3g
3) make the mount point
sudo mkdir /media/hdd
sudo chmod a+rwx /media/hdd
4) And check that it can actually mount
sudo mount -t auto /dev/sda1 /media/hdd
4a) ok.. stupid things are happening
modprobe: ERROR: ../libkmod/libkmod.c:557 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.11-v7+/modules.dep.bin'
ntfs-3g-mount: fuse device is missing, try 'modprobe fuse' as root
4b) well that's because.. it has the wrong /lib/modules version installed!!.. wtf!
ls /lib/modules/4.4.13-v7+/
4c) So after googling for a while, it turns out there is a surprisingly simple fix: reboot. Most likely something in that first apt-get update cycle moved all the installed modules forward to 4.4.13 while the running kernel was still 4.4.11!
sudo reboot
pi@raspberrypi:/lib/modules $ uname -a
Linux raspberrypi 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l GNU/Linux
4d) But something crazy happened to ntfs-3g, I had to install it again??? No idea why..
sudo apt-get install ntfs-3g
5) now mount and test access
sudo mount -t ntfs-3g -o uid=pi,gid=pi /dev/sda1 /media/hdd
cd /media/hdd
touch abc.txt
ls
rm /media/hdd/abc.txt
6) if that worked and you can see the test file, move on. Otherwise start googling..
Setup usb disk at permanent location
1) now we are going to make the usb disk a permanent fixture, umount it
sudo umount /media/hdd
2) update /etc/fstab. We are going to make all files owned by user pi and group users, read and writable
extra info at
* https://www.howtoforge.com/reducing-disk-io-by-mounting-partitions-with-noatime
* http://raspi.tv/2012/how-to-mount-and-use-a-usb-hard-disk-with-the-raspberry-pi
* http://www.omaroid.com/fstab-permission-masks-explained/
* note nobootwait doesn't work???
sudo vi /etc/fstab
2a) and add the following line
/dev/sda1 /media/hdd ntfs-3g noatime,umask=0,uid=pi,gid=users,dmask=0007,fmask=0117 0 0
2b) or you can use something like:
/dev/sda1 /media/hdd vfat uid=pi,gid=users,umask=0022,sync,auto,nosuid,rw,nouser 0 0
3) and then mount it
sudo mount /dev/sda1
4) test access
touch /media/hdd/abc.txt
rm /media/hdd/abc.txt
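What the two option strings in 2a and 2b produce, worked through as an added example (not from the original notes): the script applies the masks to 0777 and reports the mode every file and directory on the mount will show, and whether any file can carry an execute bit. The function names are hypothetical, and the left-to-right option handling is an assumed model of how the mount options are applied.

```shell
#!/bin/sh
# Constructed from the two fstab lines above (option fields only).
NTFS_OPTS='noatime,umask=0,uid=pi,gid=users,dmask=0007,fmask=0117'
VFAT_OPTS='uid=pi,gid=users,umask=0022,sync,auto,nosuid,rw,nouser'

# effective_modes OPTS: print the mode every file and directory will show.
# Assumed model: options are applied left to right, umask= sets both masks,
# fmask=/dmask= set one each, and the masks start at 0 when none is given.
effective_modes() {
    fmask=0; dmask=0
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case "$opt" in
            umask=*) fmask=${opt#umask=}; dmask=$fmask ;;
            fmask=*) fmask=${opt#fmask=} ;;
            dmask=*) dmask=${opt#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    # A mask removes bits from 0777; the leading 0 keeps the value octal.
    printf 'file=%04o dir=%04o\n' \
        $(( 0777 & ~0$fmask )) $(( 0777 & ~0$dmask ))
}

# files_keep_exec_bit OPTS: succeed only if files keep at least one x bit.
files_keep_exec_bit() {
    modes=$(effective_modes "$1")
    fmode=${modes#file=}
    fmode=${fmode%% *}
    [ $(( 0$fmode & 0111 )) -ne 0 ]
}

for opts in "$NTFS_OPTS" "$VFAT_OPTS"; do
    if files_keep_exec_bit "$opts"; then x="files executable"
    else x="no file can be executable"; fi
    echo "$(effective_modes "$opts")  $x  <- $opts"
done
```

With the ntfs-3g line every file comes out as 0660, so nothing stored on the disk is executable, which is what the later note about scripts losing their x permission runs into.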
setup samba for remote share
1) ok build samba share location...
mkdir /media/hdd/share
2) install samba
sudo apt-get install samba samba-common-bin libpam-smbpass
3) Configure samba
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.20160922
sudo vi /etc/samba/smb.conf
4) insert or uncomment the following in the Authorization section
security = user
unix password sync = yes
5) comment out the homes and printers sections.. it's junk we don't want or need
6) insert "share" section
[Share]
comment = 1TB_samba
path = /media/hdd/share
valid users = remote
read only = No
7) bounce the samba service
sudo /etc/init.d/samba restart
8) check its setup
testparm -s
9) now on the working pc, with whatever file manager you use, "browse" your network and locate the pi (likely called "raspberrypi"). Open it and confirm there is no "printers" stuff and "share" is visible
10) try to access the "share" using "guest" access, then as the user "pi" with the default password and with your new password, and confirm none of these get access
11) back on the pi, make the "remote" user and passwd it. Again use the password vault to scramble a password for it.. but make certain it's type-able
For more info refer to
http://raspi.tv/2012/how-to-create-a-new-user-on-raspberry-pi
sudo adduser remote
sudo usermod -a -G users remote
groups remote
sudo smbpasswd -e remote
12) then bounce samba
sudo /etc/init.d/samba restart
13) then back on the working PC retest the samba share using the user "remote" and their unix password, and confirm file/dir create/delete etc. Also check the guest and "pi" users again to be certain..
14) then reboot and check mount stays put and samba works over the reboot
sudo reboot
Setup the git ssh server
1) make the repos storage location
mkdir /media/hdd/repos
2) install git
sudo apt-get install git-core
3) add a git user
sudo adduser git
sudo usermod -a -G users git
groups git
4) switch over to the new "git" user
#cat the *pi* user's access keys first so you can copy them later for step 6
cat .ssh/authorized_keys
su git
cd ~
5) confirm sudo limits.. (should fail)
sudo ls
6) setup the "git" user's ssh access
mkdir .ssh
chmod 0700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
vi ~/.ssh/authorized_keys
7) from your working pc confirm ssh access
ssh git@192.168.1.175
8) link the repos storage to the git users home
ln -s /media/hdd/repos repos
9) create a test repo
cd ~/repos
git init --bare test.git
9a) Note ignore chmod errors (we have it forced to a certain way in fstab)
error: chmod on /media/hdd/repos/test.git/config.lock failed: Operation not permitted
error: chmod on /media/hdd/repos/test.git/config.lock failed: Operation not permitted
Note to self. There might be an issue with executable scripts losing x permission due to this... may have to rethink this.
10) Then on your working machine clone and check that the repo worked
git clone git@192.168.1.175:~/repos/test.git
cd test/
ls
touch test.txt
git add test.txt
git commit -a -m "Initial"
git push
11) then reclone and confirm test.txt is there in the new clone
cd ..
git clone git@192.168.1.175:~/repos/test.git test2
cd test2
ls
setup automatic updating
now we know all the basics are working... lets harden it a bit
1) setup auto updates
for more info see
https://unixsysdoc.wordpress.com/2015/05/18/xubuntu-security-and-hardening-part-i-basics/
sudo apt-get install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
disable needless hardware
1) disable wifi and bluetooth (as I'm using the hard line)
sudo touch /etc/modprobe.d/disable_rpi3_wifi_bt.conf
sudo vi /etc/modprobe.d/disable_rpi3_wifi_bt.conf
2) add the lines
##wifi
blacklist brcmfmac
blacklist brcmutil
##bluetooth
blacklist btbcm
blacklist hci_uart
3) and reboot
sudo reboot
4) log back in to the pi and confirm wifi is off
ifconfig
setup the firewall
for more info check:
https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
1) install ufw.. its an easy to use firewall
sudo apt-get install ufw
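2) let in ssh (note: this rule accepts ssh from any source address, unlike the samba rules below which are limited to 192.168.0.0/16)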
sudo ufw allow ssh
3) let in local samba (and bonjour)
for more info check:
https://ubuntuforums.org/showthread.php?t=806000
sudo ufw allow proto tcp to any port 135 from 192.168.0.0/16
sudo ufw allow proto udp to any port 137 from 192.168.0.0/16
sudo ufw allow proto udp to any port 138 from 192.168.0.0/16
sudo ufw allow proto tcp to any port 139 from 192.168.0.0/16
sudo ufw allow proto tcp to any port 445 from 192.168.0.0/16
sudo ufw allow proto udp to any port 5353 from 192.168.0.0/16
4) and turn it on
sudo ufw enable
5) then retest all the samba access and git cloning
Setup the hostname to something better
1) adjust the hostname so you know which machine you're in. Replace "raspberrypi" with the name you want
sudo vi /etc/hostname
sudo vi /etc/hosts
2) and reboot
sudo reboot
Clean up
1) clean up the working pc git clones
rm -rf test
rm -rf test2
2) go back to the pi, clean out the test repo and import/setup your real ones
rm -rf /media/hdd/repos/test.git
bonus notes..
1) I trialed wake on lan
sudo apt-get install ethtool
ethtool eth0 | grep wake
ethtool -s eth0 wol g
# it responds with bad news
Cannot get wake-on-lan settings: Operation not permitted