This page contains a description of the installation and customisation of Debian 7.6 "Wheezy" on my Dell Inspiron 3847 desktop computer. I am using this off-the-shelf PC as server, router and production machine. Historically, this is a follow-up to my "other" Debian page but the PC described there has been replaced. - As usual, this document has been "anonymised" in a few places; in particular IP addresses have been replaced by XXX or YYY.
Note that this page is partially outdated; I have moved to Debian 8 and most of the issues listed below have disappeared. I should write a new page ;-)
The computer is a Dell Inspiron 3847 that I acquired new in 2014. Core characteristics: Quad-core Intel i5-4460 CPU @ 3.20 GHz, 8 GB Dual-Channel DDR3 DRAM with 1.6 GHz (2x 4 GB, both DIMMs are thus occupied), 1 TB Seagate ST1000DM003 SATA hard disk (7200 rpm, 6 GBit/s), a DVD burner PLDS DH-16AES, a card reader, a Dell Wireless-N 1705 + Bluetooth 4.0 card, Intel onboard graphics plus an NVIDIA GeForce GT 705 graphics with 1 GB DDR3a RAM.
Since it is a server and router for my home network, I equipped it with a second network card.
The display is composed of two Dell E228WFP 22" widescreen displays, connected with a DVI cable and arranged in a dual-screen setup.
I would not buy this PC again, for the following reasons:
The initial installation was performed from the Debian 7.6 64-bit "netinstall" USB stick. In contrast to the previous install I went for a full-fledged server-with-desktop install using a custom disk layout:
Partition | Size | Filesystem | Label | mount point | Comment |
---|---|---|---|---|---|
/dev/sda1 | 500 MB | vfat | DellUtilities | /boot/efi | Dell Utilities from factory install, left unchanged. |
/dev/sda2 | 30 GB | ext4 | Debian | / | This is the root filesystem of Debian. |
/dev/sda3 | 30 GB | ext4 | other | /mnt/other | This will be used when updating the system in the future. |
/dev/sda4 | 120 GB | ext4 | home | /home | Home directories. |
/dev/sda5 | 320 GB | ext4 | share | /mnt/share | Local NFS export for music, photos, etc. |
/dev/sda6 | 5 GB | swap | swap | swap | Swap space. |
/dev/sda7 | 400 GB | ext4 | vbox | /mnt/vbox | VirtualBox files. |
During the installation, I selected Desktop, SSH server, file server (this installs both NFS and Samba), print server (CUPS) and standard system utilities. Once the initial installation has finished, log in.
Run `apt-get install vim`, edit /etc/vim/vimrc and un-comment `syntax on`.
Edit /etc/apt/sources.list. Remove the entry for the Debian CD, then add `non-free contrib` at the end of the first 4 entries.
```
apt-get update
apt-get install firmware-linux* mc ntpdate acpi-support sysv-rc-conf hwinfo ethtool
```
This system has two network cards, and we need to prevent them from being assigned in arbitrary order. In my case, the card connected to my ISP was automatically assigned as eth0 during installation, but I want this to be eth1 on the production system, simply because all my computers have the internal network on eth0.
The key is to edit /etc/udev/rules.d/70-persistent-net.rules and to adjust (only!) the value of the NAME= key as needed.
You can check the assignment with `ethtool -i ethX && ethtool -P ethX`; on my system this can be summarised as follows:
Edit /etc/network/interfaces and define how the two cards are operated. This is also where the firewall is launched:
```
# The loopback network interface
auto lo
iface lo inet loopback
# activate the firewall
    pre-up iptables-restore < /etc/network/iptables.rules

# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.xx.yy
    netmask 255.255.255.0
    broadcast 192.168.xx.255
# do NOT set any gateway here!

# the external network card
auto eth1
allow-hotplug eth1
iface eth1 inet dhcp
```
The file /etc/network/iptables.rules contains the existing firewall rules:
```
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```
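The following audit is an added example, not part of the original page: it reads a rules file in the `iptables-restore` format shown above, lists the filter rules that accept traffic not arriving on `lo` or the internal interface, and checks that the shared chain ends in an unconditional REJECT or DROP (every built-in policy in this ruleset is ACCEPT). The function names and the temporary copy of the filter table are assumptions made for the example.

```shell
# Filter table from this page, written to a file so it can be audited offline.
write_sample_rules() {
cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# external_accepts FILE LAN_IF: print the filter-table ACCEPT rules that are
# not pinned to lo or LAN_IF and are not the ESTABLISHED,RELATED reply rule.
external_accepts() {
    awk -v lan="$2" '
        /^\*/ { in_filter = ($1 == "*filter"); next }
        !in_filter || $1 != "-A" { next }
        {
            target = ""; iface = ""; state = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j")      target = $(i + 1)
                if ($i == "-i")      iface  = $(i + 1)
                if ($i == "--state") state  = $(i + 1)
            }
            if (target == "ACCEPT" && iface != "lo" && iface != lan &&
                state != "ESTABLISHED,RELATED") print
        }' "$1"
}

# terminal_drop FILE CHAIN: succeed only if CHAIN ends in an unconditional
# REJECT or DROP, which matters here because every built-in policy is ACCEPT.
terminal_drop() {
    awk -v c="$2" '$1 == "-A" && $2 == c { last = $0 }
        END { exit !(last ~ ("^-A " c " -j (REJECT|DROP)")) }' "$1"
}
```

Running `external_accepts /etc/network/iptables.rules eth0` after each edit of the rules file shows what the external side can reach; for the ruleset above that is the ICMP, protocol 50/51, mDNS and SSH rules. Because both INPUT and FORWARD jump into the same chain, the listed rules apply to forwarded traffic as well.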
Edit /etc/sysctl.conf and activate routing by un-commenting the line `net.ipv4.ip_forward=1`.
While you are there, you may want to insert `kernel.sysrq=1`.
For the DHCP server, I use dnsmasq: `apt-get install dnsmasq`, then edit /etc/dnsmasq.conf:
```
local=/localnet/
interface=eth0
listen-address=127.0.0.1
domain=localnet
dhcp-range=192.168.xx.yy,192.168.xx.zz,12h
log-queries
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
```
Reboot.
At this point, the router functionality should be established and the machines on your internal network should be able to access the Internet again. Test whether DNS is working, e.g.:
```
dig debian.org @localhost
nslookup debian.org localhost
nslookup debian.org i5.localnet
```
Please note that NetworkManager and /etc/network/interfaces interfere with each other:
For a server or other "stationary" machines, you want the network interface to come up right during boot, not only after logging in.
In other words, you want to control all interfaces through the service networking and remove NetworkManager entirely: `apt-get remove network-manager && insserv networking`.
We need to specify the interface in /etc/network/interfaces, either using DHCP:
```
cat >> /etc/network/interfaces
# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
^D
```
... or using a fixed IP address:
```
cat >> /etc/network/interfaces
# The primary (internal) network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.xx.yyy
    netmask 255.255.255.0
    broadcast 192.168.xx.255
    gateway 192.168.xx.zzz
^D
```
Exactly the opposite is applied on mobile devices; here I usually do not need remote login but I want the network to come up only when I log in. This corresponds to the standard setting.
Configure sshd rather restrictively; some key entries in /etc/ssh/sshd_config are:
```
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
Banner /etc/issue.net
AllowUsers xxx
```
/etc/hosts contains some fixed IP addresses and aliases in my local network.
/etc/hosts.allow
```
ALL: 127.0.0.1 LOCAL 192.168.xxx.
sshd: xx.yy.zz.aa 192.168.xxx.
```
/etc/hosts.deny
```
sshd: ALL EXCEPT LOCAL : rfc931 : spawn (/usr/sbin/safe_finger -l @%h | mail -s%d-%h root) & : twist /bin/echo "Access prohibited by system administration. Go away."
ALL: ALL EXCEPT LOCAL
```
/etc/exports
/mnt/share 192.168.xxx.0/255.255.255.0(ro,sync,nohide,mp,no_root_squash,no_subtree_check)
Copy existing samba configuration (via scp):
```
cd /etc/samba/
mv smb.conf smb.conf.orig
scp oldserver:/etc/samba/smb.conf .
/etc/init.d/samba restart
```
The CUPS printing system also provides the traditional lpr functionality, so we set the default printer (as user):
```
lpstat -p -d        # see which printers are available
lpoptions -d LJ5MP  # set default printer
```
Note: I did not restart/reload services here since we're going to reboot later anyway.
Enable Alt-Ctrl-Backspace to kill X server. This needs to be done AFTER X is set up; the setting we want is on the very last screen:
dpkg-reconfigure keyboard-configuration
Limit the available language packs. Here, be careful to select the languages you want to keep!
Generally I select the generic language plus the UTF-8 variant, e.g. `de` and then dialects such as `de_DE.UTF-8` and `de_CH.UTF-8`:
```
apt-get install localepurge
localepurge
```
Create backup log directory:
mkdir /var/log/backup
Install KDE and related applications. The first command will install some packages needed for clean integration of KDE applications:
```
apt-get install kde-plasma-desktop kdeplasma-addons plasma-widget-folderview \
    kde-config-gtk-style kwin-style-qtcurve kde-style-qtcurve gtk2-engines-qtcurve
apt-get install dolphin okular apper kmix konqueror konq-plugins kate kompare kmail knode kinfocenter \
    kcalc ksnapshot kcharselect kaddressbook kdeadmin kdirstat kmenuedit kfind kwalletmanager
```
Continue to install applications and utilities. You could put all this on one line of course:
```
apt-get install lyx tex4ht glabels unison-gtk jpilot pilot-link akonadi-kde-resource-googledata
apt-get install enchant aspell-fr aspell-de hunspell-en-us hunspell-fr hunspell-de-de hunspell-de-ch
apt-get install rsync gftp sitecopy bluefish tidy dos2unix ark rar unrar nmap bum filelight conky
apt-get install k3b kde-config-cddb gimp inkscape gwenview kipi-plugins digikam hugin autopano-sift-c
apt-get install cups-pdf cups-driver-gutenprint gimp-gutenprint pdftk qpdf pdfmod khelpcenter4 gnuplot-x11
apt-get install iceweasel deluge subversion lynx curl amarok easytag gpsbabel qlandkartegt sharutils
```
LibreOffice 4 is not in the repositories for Wheezy, so we need a trick (but please read the next section before you do this, you may want to change your mind!):
```
echo -e "\n# Backports for recent version of LibreOffice" >> /etc/apt/sources.list
echo "deb http://ftp.debian.org/debian/ wheezy-backports main" >> /etc/apt/sources.list
apt-get update
apt-get -t wheezy-backports install libreoffice libreoffice-kde libreoffice-help-en-us libreoffice-presenter-console
```
However, I encountered a few issues with this version - mainly crashes during merge operations. I decided to roll back to the previous version, LibreOffice 3.5.4.2:
```
# remove or comment the entry in /etc/apt/sources.list
apt-get remove libreoffice-core   # this will remove a lot more but it saves typing ;-)
apt-get autoremove                # clean up
apt-get install libreoffice libreoffice-kde libreoffice-help-en-us libreoffice-presenter-console
```
If you want to install the advanced Grammar Checker LanguageTool (through the Extension Manager), you need to change from Java 6 to Java 7. `apt-get remove openjdk-6-*` is enough to remove the old and install the new version automagically :-)
```
echo -e "\n# Multimedia" >> /etc/apt/sources.list
echo "deb http://www.deb-multimedia.org/ wheezy main non-free" >> /etc/apt/sources.list
apt-get update
apt-get install deb-multimedia-keyring
apt-get update
apt-get upgrade
apt-get install libdvdcss2 flashplugin-nonfree w64codecs lame
```
Make sure you do not have the following on the system:
```
apt-get remove network-manager
apt-get remove dirmngr    # removes kdepim
apt-get remove winbind
```
On production machines I like to have a quick look at the key logfiles (e.g. using `conky`). Of course the default permission for these files is rather restrictive ... yet I do not want to log in as root just to have read access. On the other hand, I don't want to grant access to these files to all users in my group.
With Linux supporting ACLs (Access Control Lists), the solution is as simple and as elegant as it can get: use ACLs to grant selective access on a per-file and per-user basis. The following cronjob allows user joe to read two of the log files (it has to run as a cronjob because of log file rotation):
11 * * * * root setfacl -m user:joe:r-- /var/log/messages /var/log/daemon.log
As usual, almost everything worked right out of the box:
`dialout`. Use usb: as the communication port.
`apt-get install sane` or `apt-get install xsane`. `net` and `epkowa`. Also, in /etc/sane.d/epkowa.conf I disabled the `scsi` line.
```
apt-get install unattended-upgrades
dpkg-reconfigure unattended-upgrades
```
```
echo -e "\n# Oldstable - used to fetch old version of glabels" >> /etc/apt/sources.list
echo "deb http://ftp.ch.debian.org/debian/ oldstable main" >> /etc/apt/sources.list
aptitude versions glabels
apt-get install glabels=2.2.8-1 glabels-data=2.2.8-1
echo "glabels hold" | dpkg --set-selections
```
`echo "ServerName localhost" >> /etc/apache2/conf.d/httpd.conf` and run `apache2ctl configtest` to confirm.
I'm using Debian on most of my computers; this includes laptops. Both machines mentioned below have been used under Fedora 14, too; the installation of Debian Wheezy was performed along the same lines as described above and went mostly seamlessly. Specific points are listed below; a few generic comments and hints:
`network-manager`. Uncomment all ethX and wireless devices in /etc/network/interfaces.
```
apt-get install wireless-tools bluedevil acpi-support kde-config-touchpad network-manager-kde plasma-widget-networkmanagement
```
`kde-plasma-netbook`, this is for touchscreens.
I'm using a Lenovo IdeaPad S12 as main laptop. Comments and hints:
`w32codecs`).
```
apt-get remove --purge nvidia-* && rm /etc/X11/xorg.conf.d/20-nvidia.conf
```
```
apt-get install wireless-tools linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') broadcom-sta-dkms
modprobe -r b44 b43 b43legacy ssb brcmsmac
modprobe wl
```
I have a Fujitsu Lifebook 8020D as backup laptop. Comments and hints:
`w32codecs`).
`non-free contrib` sources, run:
```
apt-get install firmware-ipw2x00 wireless-tools
apt-get install xserver-xorg-video-ati xserver-xorg-video-radeon libgl1-mesa-dri
```
For certain applications (e.g. a consulting mandate that requires accessing the client's data remotely) I use Citrix Receiver, which is essentially a terminal client to a Microsoft Windows server. The software is not Open Source but is available free of charge on the manufacturer's website, section "Downloads", product "Citrix Receiver".
The installation of Citrix Receiver on 64-bit Debian Wheezy has improved; Citrix now has a corrected package available and there is no need to rebuild it anymore:
```
dpkg --add-architecture i386
apt-get update
dpkg -i icaclient_13.1.0.285639_amd64.deb
apt-get -f install
ln -s /usr/share/ca-certificates/mozilla/* /opt/Citrix/ICAClient/keystore/cacerts/
c_rehash /opt/Citrix/ICAClient/keystore/cacerts/
```
Upon first launch, an application launched inside a Citrix session may ask to "open with..." - if this happens, simply select (always open with) /opt/Citrix/ICAClient/wfica.sh. Done!
Installing Citrix Receiver for i386 on 32-bit Debian Wheezy is straightforward:
```
apt-get install libxerces-c3.1 libcurl3
dpkg -i icaclient_13.0.0.256735_i386.deb
# ... and copy the certificate:
cp /mnt/f14/opt/Citrix/ICAClient/keystore/cacerts/PCA-3G5.pem /opt/Citrix/ICAClient/keystore/cacerts/
```
I use VirtualBox to run an instance of Microsoft Windows as "guest" inside the Linux system. For details, please refer to my GPS software page.
Installation in Debian Wheezy was straightforward but did not work with Windows 8.1; I always ended up with an error message "Your PC needs to restart. Please hold the power button. Error code : 0x000000C4". It turned out that I had to use a newer version of VirtualBox:
```
echo -e "\n# VirtualBox - get it directly from Oracle (Win8.1)" >> /etc/apt/sources.list
echo "deb http://download.virtualbox.org/virtualbox/debian wheezy contrib non-free" >> /etc/apt/sources.list
wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | apt-key add -
apt-get update
apt-get install virtualbox-4.3
usermod -a -G vboxusers joe
/etc/init.d/vboxdrv setup
echo "vboxdrv" >> /etc/modules
```
To enable USB support you will be requested to download and install a module from the VirtualBox website; the process is self-explanatory.