NOTE: work in progress!



I was very pleasantly surprised this morning when my current employer decided it was time for me to upgrade my workstation. As I never complain about receiving new hardware, I happily started hacking. The machine is a Dell GX 280 with a Philips 170B flatscreen monitor and an Asus Extreme N6200 video card (which runs on an nVidia GeForce 6200 chipset). The GX 280 comes with a SATA disk controller. My objective: turn this machine into a fully functioning Debian GNU/Linux (unstable) workstation with an XFS filesystem, LVM enabled and X11.





  1. Finding an appropriate Debian net-install image


    Wessel Dankers maintains a Debian installer with XFS support at http://www.non-gnu.uvt.nl/pub/debian-xfs/.
    His goal is for the image to always carry a kernel with the latest security patches. At my request, Wessel uploaded a kernel with SATA support.




  2. Partitioning the disk


    A basic root filesystem only needs about 200 Mb. Since I have an 80 Gb disk, I partition the machine as follows:




    • Leave the Dell image intact.

    • Remove the Windows XP partition.

    • Create /dev/sda2 as a 256 MB Linux swap partition.

    • Create /dev/sda3 as a 256 MB Linux partition with the boot flag toggled on.



    Leave the rest as is. We'll get to that later.



  3. Network configuration


    This machine comes with a Broadcom NetXtreme BCM5751 Gigabit card. The card works fine, provided that you load the tg3 kernel driver. This can be done when the installer prompts for "Install Kernel and Driver Modules". The driver can be found in the section kernel/drivers/net/.



    I set my configuration to DHCP, which works fine in my particular situation. You might have to do something else, depending on your situation.




  4. Installing the base system


    There is little or no excitement in installing a Debian base system. Once your network is set up properly and your disks have been partitioned, it is basically a matter of sitting back and relaxing. After about 30 seconds, the installer will offer to make your system bootable. This is generally a good idea. Note: we will remove lilo at a later point and replace it with grub.



    I have enough faith in the installer to not make a boot floppy. However, don't complain to me that things break when you skip this step.




  5. Rebooting the system


    After rebooting, you should be greeted with the familiar message that your system has been installed. You will be asked the following questions:




    • Q: Is the hardware clock set to GMT?

      A: Yes


    • Q: What area do you live in?

      A: Europe


    • Q: Select a city or time zone:

      A: Amsterdam


    • Q: Shall I enable md5 passwords?

      A: Yes


    • Q: Shall I enable shadow passwords?

      A: Yes


    • Q: Enter a password for root:

      A: ........


    • Q: Shall I create a normal user account now?

      A: Yes


    • Q: Enter a user name for your account:

      A: ....


    • Q: Shall I remove the PCMCIA packages?

      A: yes


    • Q: Do you want to use a PPP connection to install the system?

      A: no


    • Q: Choose the method apt should use to access the Debian archive:

      A: ftp


    • Q: Use non-US software?

      A: yes


    • Q: Use non-free software?

      Your choice. I generally select 'yes'


    • Q: Use contrib software?

      Your choice. I generally select 'yes'


    • Q: Select a country:

      A: Netherlands


    • Q: Choose a Debian mirror to use:

      A: ftp.debian.nl


    • Q: Add another apt source:

      A: No


    • Q: Use security updates from security.debian.org?

      A: Of course! (yes)


    • Q: Run tasksel?

      A: no


    • Q: Run dselect?

      A: no



    The installer will now prompt you to remove packages and to continue installing. Choose defaults where possible, with the exception of:




    • Leave exim unconfigured (option 5). We'll replace it with postfix later.




  6. Tweaking a little


    You now have a basic system with all security patches applied. However, we need more.




    • Log in as root


    • # apt-get install debfoster grub


    • Update /etc/debfoster.conf and set
      MaxPriority=important, and NegativeKeepers=no


    • # debfoster

      Respond 'N' to the following questions:

      • Keep base-config?

      • Keep pppoeconf?

      • Keep pppconfig?

      • Keep modconf?

      • Keep pppoe?

      • Keep ppp?

      • Keep ipchains?

      • Keep libgdbmg1?

      • Keep libpcap0?

      • Keep lilo?

      • Keep syslinux?

      • Keep tasksel?



      You now have a nice and clean Debian system. Because lilo has just been removed, it is unbootable, though. Fix this by setting up grub:


      # cd /boot
      # mkdir grub
      # cd grub
      # cp -a /usr/lib/grub/i386-pc/* .
      # cat > device.map
      (hd0) /dev/sda
      (fd0) /dev/fd0
      ^D
      # grub --device-map=device.map
      grub> root (hd0,2)
      grub> setup (hd0)
      grub> exit
      # cat > menu.lst
      default 0
      timeout 5
      color light-gray/black black/light-gray

      title Debian GNU/Linux
      root (hd0,2)
      kernel /vmlinuz root=/dev/sda3 rw
      boot

      title Debian GNU/Linux (previous)
      root (hd0,2)
      kernel /vmlinuz.old root=/dev/sda3 rw
      boot
      ^D




  7. Upgrading to unstable


    As root, edit /etc/apt/sources.list. Replace all occurrences of the word 'stable' with 'unstable'.



    vi users can do this by giving the command :%s/stable/unstable/g



    Comment out the line with security.debian.org, as Debian unstable does not get any patches from the security team.



    Now, type dselect update and then apt-get dist-upgrade. Once more: answer defaults where possible, with the exception of:




    • Q: See only questions that are of what priority and higher?

      A: low


    • Q: Do you want system wide readable home directories?

      A: no


    • Q: Exim configuration.

      A: Option 5 (no configuration)





  8. Setting up LVM2

    We begin by completing the partitioning process. As root, add an extended partition and create a partition on it. Set the partition type to 8e (Linux LVM). Then, write the partition table to disk.



    Update /etc/lvm/lvm.conf and add format = "lvm2" and update the filter to only scan your LVM partitions. I use the filter filter=["a|/dev/sda5$|", "r|.*|"].

    Next, we create a physical volume on /dev/sda5 by giving the command pvcreate /dev/sda5. Note: you might have to reboot your system for the updated partition table to become visible to the pvcreate program!



    Having created the physical volume, we can now add a volume group and create a bunch of logical volumes in it:




    # vgcreate disk /dev/sda5
    # lvcreate -n usr -L 1g /dev/disk
    # lvcreate -n var -L 1g /dev/disk
    # lvcreate -n tmp -L 1g /dev/disk
    # lvcreate -n home -L 1g /dev/disk


    Update /etc/fstab




    /dev/disk/usr /usr xfs defaults
    /dev/disk/var /var xfs defaults
    /dev/disk/tmp /tmp xfs defaults

    /dev/disk/home /home xfs defaults


    Next, we create the filesystems and copy the already installed files onto the new volumes.




    # mkfs.xfs -d agcount=2 /dev/disk/usr
    # mount /dev/disk/usr /mnt
    # cd /mnt
    # cp -a /usr/* .
    # cd / && umount /mnt
    # mount /usr

    # mkfs.xfs -d agcount=2 /dev/disk/var
    # mount /dev/disk/var /mnt
    # cd /mnt
    # cp -a /var/* .
    # cd / && umount /mnt
    # mount /var

    # mkfs.xfs -d agcount=2 /dev/disk/home
    # mount /dev/disk/home /mnt
    # cd /mnt
    # cp -a /home/* .
    # cd / && umount /mnt
    # mount /home

    # mkfs.xfs -d agcount=2 /dev/disk/tmp
    # mount /tmp
    # chmod 1777 /tmp


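    And reboot. If all your filesystems have mounted properly, you can now mount /dev/sda3 /mnt and rm -rf /mnt/usr/* /mnt/var/* to delete the old copies that are hidden underneath the new mounts. Keep the emptied /mnt/usr and /mnt/var directories themselves, as they are the mount points. Your root filesystem will now be clean.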










  9. Adding some useful packages


    Install the following packages:




    # apt-get clean
    # apt-get --purge install ssh vim less zsh \
    bzip2 lftp wget curl-ssl grub postfix lvm2 xfsprogs



    zsh is optional. As usual, select defaults, with the exception of the Postfix configuration. Here you select your site's setup. There is no single true answer here (or anywhere else in life, for that matter).





  10. Tweaking the configuration


    The next step is tweaking some config settings. I usually do not use inetd, so I remove /etc/rc2.d/S20inetd. Next, I edit /etc/hosts.deny and add the line ALL: ALL. In /etc/hosts.allow, I then add the line sshd: ALL.



    An additional level of protection is obtained by installing a packet filter which will use Linux's iptables to reject anything, except SSH from a number of trusted network locations. I copy the script below to /etc/init.d/firewall (make sure it is executable) and add it to my init scripts with the command # ln -s /etc/init.d/firewall /etc/rc2.d/S50firewall


    ------ cut here ----- cut here -----

    #!/bin/sh
    PATH=/sbin
    export PATH

    # flush current rules
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

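    # set policy (INPUT defaults to DROP so that packets matching no rule
    # below, such as those in state INVALID, are not accepted)
    iptables -P INPUT DROP
    iptables -P FORWARD DROP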

    # allow all on loopback interface
    iptables -A INPUT -i lo -j ACCEPT

    # allow NEW on outgoing
    iptables -A OUTPUT -m state --state NEW -j ACCEPT

    # allow established or related
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow ICMP
    iptables -A INPUT -p icmp -j ACCEPT

    # allow SSH from uvt
    iptables -A INPUT -m state --state NEW -p tcp --dport ssh -s 192.168.10.0/24 -j ACCEPT

    # log stuff
    iptables -A INPUT -m state --state NEW -j LOG

    # deny the rest (tcp/udp)
    iptables -A INPUT -m state --state NEW -j REJECT

    # EOF
    ----- cut here ----- cut here ----- cut here -----
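
A ruleset of this shape can be checked for fall-through, shown here as an added example that is not part of the original page: if the INPUT policy is ACCEPT and the final rule rejects only packets in state NEW, a packet that connection tracking marks INVALID matches no rule and is accepted. The function reads `iptables -S INPUT` output; both rule listings are constructed samples and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: does an INPUT chain fall through to ACCEPT?

# Constructed sample: policy ACCEPT, last rule rejects NEW connections only.
rules_new_only() {
    printf '%s\n' \
        '-P INPUT ACCEPT' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -s 192.168.10.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -m state --state NEW -j LOG' \
        '-A INPUT -m state --state NEW -j REJECT --reject-with icmp-port-unreachable'
}

# Constructed sample: the same rules under a DROP policy.
rules_drop_policy() {
    rules_new_only | sed 's/^-P INPUT ACCEPT$/-P INPUT DROP/'
}

# Reads `iptables -S INPUT` output on stdin and prints what happens to a
# packet that matches none of the conditional rules (for example one in
# conntrack state INVALID): "open" if it is accepted, "closed" if not.
input_fallthrough() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        # "-A INPUT -j TARGET" has no match options, so it catches everything;
        # the first such rule with a terminating target decides the verdict.
        $1 == "-A" && $2 == "INPUT" && $3 == "-j" && verdict == "" {
            if ($4 == "ACCEPT") verdict = "open"
            else if ($4 == "DROP" || $4 == "REJECT") verdict = "closed"
        }
        END {
            if (verdict == "") verdict = (policy == "DROP") ? "closed" : "open"
            print verdict
        }
    '
}

echo "policy ACCEPT, NEW-only reject: $(rules_new_only | input_fallthrough)"
echo "policy DROP, same rules:        $(rules_drop_policy | input_fallthrough)"
# On a live system (as root): iptables -S INPUT | input_fallthrough
```
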


    Next, edit /etc/inetd.conf and comment out all services. If you plan to use inetd later, you are done. If you are not planning on using it any time soon, just remove the symlink from /etc/rc2.d.






  11. Setting up X-Windows

    Begin by installing the X Window System.




    # apt-get install x-window-system


    This installs an additional 150 MB to disk, so it might take a while depending on your connection.



    As always, answer with the default unless mentioned below:




    • Q: Default priority

      A: 0


    • Q: Select the desired X-driver

      A: nv; if you are going to use the GeForce card, it doesn't matter what you select here; we will override it later.


    • Q: Default mice port

      A: /dev/input/mice


    • Q: Emulate 3-button mouse?

      A: no


    • Q: Is your monitor an LCD device? (My monitor, a Philips 170B, is also non-default.)

      A: Yes


    • Q: Please choose a method for selecting your monitor characteristics

      A: Advanced


    • Q: Horizontal sync range:

      A: 30-82


    • Q: Vertical sync range:

      A: 56-76


    • Q: Select the video modes:

      A: Uncheck all, except 1280x1024




    Next, you will need to get the kernel sources, recompile your own kernel and then install the nvidia driver.




    # apt-get install kernel-package gcc-3.4 libncurses5-dev kernel-source-2.6.10
    # adduser kees src

    $ cd /usr/src
    $ tar xfj kernel-source-2.6.10.tar.bz2
    $ lftpget http://non-gnu.uvt.nl/pub/linux-kernels/linux-2.6-fruit.patch
    $ cd kernel-source-2.6.10


    Copy your configuration to .config. TODO: link to my config file.




    $ patch -p1 < ../linux-2.6-fruit.patch
    $ make-kpkg configure clean
    $ fakeroot make-kpkg --append-to-version=-uvt --revision=20050113.1 kernel-image


    Now all you need to do is install the updated modules package and the kernel itself:




    # apt-get install module-init-tools
    # apt-get clean
    # dpkg -i ../kernel-image-2.6.10-uvt_20050113.1_i386.deb


    Reboot your system and hopefully it will come back up with the new kernel running. Next, download the NVIDIA drivers from NVIDIA itself. Copy the file NVIDIA-Linux-x86-1.0-6629-pkg.run to /usr/src.




    # CC=gcc-3.4 sh NV* --kernel-source-path=/usr/src/kernel-source-2.6.10


    The following step is to tweak your X config. My own configuration is included here. TODO: add link. The most important things are that you need to use 'nvidia' as a driver and add some driver options. Note that the documentation for this driver can be found in /usr/share/doc/NVIDIA and is most excellently written.





  12. Configuring UTF-8


    For UTF-8 support Wessel Dankers has a detailed description at http://fruit.eu.org/utf-8. I will summarize here:


    # apt-get install locales
    # cat > /etc/locale.gen
    en_US UTF-8
    nl_NL UTF-8
    ^D
    # locale-gen


  13. Installing Gnome


    I prefer the GNOME desktop environment, which means that this document only covers getting a basic GNOME up and running. Before we get started, make sure that you have access to the audio device by adding yourself to the audio group. Do this by giving the command (as root) adduser kees audio. Of course, replace 'kees' by your own login.



    Next, install gnome-session and gdm:




    # apt-get install gnome gdm sawfish


    As usual, answer defaults to all questions, except choose gdm over xdm (gdm is prettier). After the packages have been installed, test with # apt-get clean ; invoke-rc.d gdm start.