Fork me on GitHub

Install Slackware on an OVH VPS SSD

Slackware is a distribution that aims for design stability and simplicity. It has the reputation to be the most «Unix-like» Linux distribution. We would resume their philosophy to KISS (keep it simple stupid).

Recently OVH introduces an attractive VPS SSD that runs different flavors of Linux but not Slackware.

As we love Slackware and we like the OVH VPS SSD, we decided to port the lastest version of Slackware, Slackware 14.2 64 bits, on it.

If you want to run Slackware on this VPS like us, read below how to proceed!

Prerequisites

This procedure describes how to install Slackware from a VPS running Debian 8 (Jessie) 64 bits. Thus, before installing Slackware you need to get a VPS up and running on Debian 8. This is done through the OVH Manager.

All the data, you could have installed on the VPS, will be deleted and there is no recovery. Thus, you should not run this installation procedure on a production server. Rather start from a fresh server.

But don't be worry, if your installation fails, your VPS isn't lost for ever. You can ask a new clean reinstall from the OVH Manager.

Set the environment

Restart the VPS on the rescue mode

When your VSP is up and running Debian 8, restart it on the rescue mode. This is done through the OVH Manager too. After a few minutes, you will receive, via e-mail, a new password to connect to the server through ssh.

When connected, you need to umount the virtual drive as it is automounted on rescue mode (on rescue mode the virtual drive is mounted on vdb1). Run this command: 

umount /dev/vdb1

Slackware will be installed on logical volumes to get more flexibility on the management of the partitions. You need, therefore, to install the LVM package on the rescue server before anything else. Run these commands: 

apt-get update
apt-get install lvm2

Format the virtual disk

Now, you need to change the type of the Linux partition from 83 (Linux) to 8e (Linux LVM). This is done with the fdisk command. Run the command: 

fdisk /dev/vdb

When you are in the command mode, type t to change the partition type, then the value8e and finally w to save the new configuration and leave the command mode.

Now, you can set your physical volume and format your logical volumes: 

pvcreate /dev/vdb1
vgcreate vg0 /dev/vdb1
lvcreate -L 2G -n root vg0
lvcreate -L 7.9G -n home vg0

You allocated a logical size of 2GB to root. This is largely enough as the minimalist Slackware server, you are installing, requires less than 400MB. This logical size could be reallocated later on. It is the benefit of using logical group and volumes instead of physical partitions.

You should now format the logical volumes to support a file system: 

mkfs.ext4 /dev/vg0/root
mkfs.ext4 /dev/vg0/home

And finally, you can mount the virtual disk on which the slackware server will be installed. 

mount /dev/vg0/root /mnt

Install Slackware

Install a rootfs

Debian is a nice distribution but it isn't Slackware friendly. It can't run the package tools slackpkg and installpkg that are required to install the slackware packages. You have to install a slackware rootfs that runs these command. We prepare one for you!

Download and decompress it in the /tmp directory: 

cd /tmp
wget --no-check-certificate https://spineos.mobilabs.fr/_ovh/slack-rootfs.txz
tar xvf slack-rootfs.txz

As you need an access to the network from this rootfs, you should copy resolv.conf (gateway address) and bind rootfs/dev to debian dev: 

cp /etc/resolv.conf slack-rootfs/etc/.
mount --rbind /dev slack-rootfs/dev

Install the packages for the server

Now, you have an environment that is able to run the slackware package tools. First, enter in the rootfs: 

chroot slack-rootfs

We prepare a simple script that contains the list of the packages to install (see the details in the addendum section). You can download it from Github. It will download and install the packages for you. You can extend the list of packages, if you want. It is defined at the top of the script. Type these commands: 

cd /tmp
wget --no-check-certificate https://raw.github.com/jclo/spineos/14.2.1/_ovh/slack.sh
chmod +x slack.sh
./slack.sh

At the completion, the slackware server is installed in the directory /tmp/rootfs.

You can now leave the slackware chroot (back to debian): 

exit

Copy the slackware server rootfs

You can then copy the slackware server rootfs to the virtual disk you mounted on /mnt: 

cp -R /tmp/slack-rootfs/tmp/rootfs/* /mnt/.

Your minimalist slackware server is now installed!

Configure the slackware server

Set the chroot

The slackware server is installed on /mnt but it isn't ready to run yet! You need to execute further steps.

First, you need to provide to the slackware server some resources: 

  cp /etc/resolv.conf /mnt/etc/.
  mount --rbind /sys /mnt/sys
  mount --rbind /proc /mnt/proc
  mount --rbind /dev /mnt/dev

Now, you can enter in its root: 

chroot /mnt

Create a configuation file for lilo

You can download it from Github: 

cd /etc
wget --no-check-certificate https://raw.github.com/jclo/spineos/14.2.1/_ovh/lilo.conf

Create a fstab

You can download it from Github: 

cd /etc
wget --no-check-certificate https://raw.github.com/jclo/spineos/14.2.1/_ovh/fstab

Install a firewall

You can download it from Github: 

cd /tmp
wget --no-check-certificate https://raw.github.com/jclo/spineos/14.2.1/rc.firewall.sh
mv rc.firewall.sh /etc/rc.d/rc.firewall
chmod +x /etc/rc.d/rc.firewall
chmod +x /etc/rc.d/rc.ip_forward

Create an initrd

As this slackware server starts a generic kernel (kernel loading modules), it can starts alone. It needs an initial ramdisk that loads the modules to access the disk before the kernel boots.

Thus, you need to create this initrd: 

cd /boot
mkinitrd -c -k 4.4.14 -f ext4 -m ext4:virtio:virtio_pci:virtio_blk -r /dev/vg0/root -L -u

Now, this initrd exists, you can run lilo. It will install it in the MBR: 

lilo

Enable the root login for ssh

By default, Slackware disables the ssh root. As you can only access to the VPS remotely, you need to enable it: 

sed -i '/^#PermitRootLogin/a PermitRootLogin yes' /etc/ssh/sshd_config

Enable DHCP

Your VPS receives an Internet address from the OVH DHCP server. You need to enable it: 

sed -i 's/USE_DHCP\[0\]=""/USE_DHCP[0]="yes"/' /etc/rc.d/rc.inet1.conf

Add a root password

You need a root password otherwise you cannot access to you server from ssh, and it is more secure! If you want a random password, run the command below. But, if you prefer to define your own password, replace $PASS by your password and run just the second command: 

PASS=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c8)
echo root:$PASS | chpasswd

If you chose to generate a random password, don't forget to print it: 

echo $PASS

You can now exit the chroot (back to debian): 

exit

Start Slackware Server

Your slackware server is now ready to start. From the OVH Manager restarts your VPS in the normal mode. Instead of booting Debian, it will boot Slackware!

Enjoy!

The Quickest Way

For the impatient readers who want to start their slackware server right away, we wrote a special script! When your VPS SSD is running debian on rescue mode, connect to it, download the script and execute it: 

cd /tmp
wget --no-check-certificate https://raw.github.com/jclo/spineos/14.2.1/_ovh/fullslack.sh
chmod +x
./fullslack.sh

At the completion, you get a random root password. Restart the VPS on the normal mode from the OVH Manager. You will get a slackware server up and running.

Enjoy!

Appendix

List of the installed packages

The product you installed is a minimalist slackware server that provides very few resources. In fact, it provides just a shell, an ssh connection and a firewall that closes all the ports except the port 22.

This is done on purpose. The goal is to make it more secure.

The list of the installed packages is defined in the script slack.sh available on Github. This is its content: 

PACKAGES=${PACKAGES:-" \
  aaa_base aaa_elflibs aaa_terminfo attr bash bin bzip2 coreutils cpio \
  dbus dcron devs dialog e2fsprogs elvis etc eudev findutils \
  gawk getty-ps glibc-solibs glibc-zoneinfo grep gzip \
  kbd kernel-generic kernel-modules kmod less lilo logrotate lvm2 mkinitrd \
  openssl-solibs patch pciutils pkgtools procps-ng quota \
  sed shadow sharutils slocate sysfsutils sysklogd syslinux sysvinit \
  sysvinit-functions sysvinit-scripts tar utempter util-linux which xz \
  diffutils screen slackpkg \
  icu4c libnl libnl3 libpcap mpfr \
  dhcpcd gnupg gpgme iptables iputils net-tools network-scripts ntp openssh wget"
}

You can easily customize your server by extending this list or by installing new packages with the command installpkg when your server is up and running.

The firewall

As already said, the firewall, based on Iptables, closes all the ports except the port 22. It is up to you to open the ports you need for your application.

This is done by modifying the script /etc/rc.d/rc.firewall

For instance if you want to open the port 80, after the following two lines: 

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

Add these two lines: 

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

Block Visitors by Country

Sometimes it could be required to block traffic from a large blocks of IP addresses to protect your server. This is pretty easy with Iptables.

For that, you have to install the two additional packages ipset and libmnl. Ipset is a companion of Iptables that helps to manage large blocks of IP addresses.

Once ipset is installed, you need to create the directories /etc/ipset and /etc/ipset/countries

In the directory /etc/ipset/countries, you have to download the block of IP addresses that you want to blacklist.

For instance, if you want to block visitors from China to access to your server, download: 

cd /etc/ipset/countries
wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone

Then, create a list: 

cd /etc/ipset
ipset create china hash:net

Populate it with the downloaded IPs: 

for i in $(cat /etc/ipset/countries/cn.zone ); do ipset add china $i; done

You can create as many lists as you need.

When your lists are created, you need to include them in the script /etc/rc.d/rc.firewall. In the input chain section, find the lines: 

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT

And just below these two lines, add the following lines: 

# Block anything from China
# These rules are pulled from ipset's china list
# The source file is at /etc/ipset/countries/cn.zone
$IPT -A INPUT -p tcp -m set --match-set china src -j DROP

Reinitialize Iptables: 

/etc/rc.d/rec.firewall restart

Now all the IP addresses inside the ipset list china are dropped.

You can check it by typing the command: 

iptables -L

And you can see, these lines in the input chain rules (look at the line 7): 

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
...
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DROP       tcp  --  anywhere             anywhere             match-set china src
...

ipset stores its lists in memory. They are lost after a reboot. If you want to make them persistent, save them in a configuration file: 

  ipset save > /etc/ipset/ipset.conf

Then, add the following lines to /etc/rc.d/rc.firewall just before starting the definition of the iptables rules: 

if [[ -x /usr/sbin/ipset ]]; then
  /usr/sbin/ipset -f /etc/ipset/ipset.conf restore
fi

Now, when the controller reboots, the ipset lists are restored.

That's all!