From: Ivan Shmakov
Document-Id: urn:uuid:3083ffaa-7304-4eed-bdb6-9d1ca12002dd
License: CC-BY-SA-3.0+
Link: ; rel="canonical"
Link: ; rel="predecessor-version"
Link: ; rel="author"
Link: ; rel="license"

	In the text below, a leading horizontal tabulation (ASCII HT) code indicates human-readable prose, while lines lacking one are intended for machine processing.

	Here we document the selection of Debian 10 Buster packages as used for the minimalistic AM-1.ORG live image, codenamed Echro, including the rationale behind our choice. Generally, the packages listed first are the most likely to be included on the image. However, for technical reasons the kernel and supporting packages are listed last.

	The live image documented here is intended to be run under Qemu and in similar environments, mainly as a means of testing and uploading the pre-made system image to the target platform. The lists below, however, also serve as the basis for the more complete Eepag image, intended to run on real hardware and also be used for generic recovery after failure, as well as to provide the means of interacting with the network (an SSH terminal, mail user agent, etc.)

	Together with the lists of packages for Eepag, the lists below are also used for the still more complete Entic live image, as well as for non-live systems based on Debian 10 (collectively codenamed Eidta.)

	The system as described is intended to fit on an approximately 256 MiB Zstd-compressed Squashfs (-always-use-fragments -comp zstd -b 1048576), not including the kernel (and initramfs), which thus would be usable when copied to tmpfs (toram=) even in environments with rather modest amounts of RAM (down to around 512 MiB, no swap.)

	The omit tag indicates packages which were considered but not included in the final list for one reason or another.

	This document is a work in progress. See the bottom of the file for the list of prior revisions.
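	The Tags, Packages and Implies lines used throughout this document can be resolved mechanically to see exactly which packages a tag selection puts on an image. The following is an added example, not part of the AM-1.ORG tooling; the function names are hypothetical, and it assumes that a stanza applies only when all of its tags are selected and that Implies adds further tags.

```python
import re

FIELDS = ("Tags", "Packages", "Implies")
# Constructed input: stanzas copied from the page (bootable list shortened),
# with prose behind a leading tab as the page describes.
SAMPLE = """\
\tA few stanzas for illustration.
Tags: omit, base
Packages: zile

Tags: initable
Packages: initscripts lsof sysv-rc sysvinit-utils uuid-runtime

Tags: bootable
Packages: kexec-tools login mount sysvinit-core
Implies: initable

Tags: buster, network
Packages: dnsutils

Tags: udhcpc
Packages: udhcpc
Implies: bootable, network
"""

def parse_stanzas(text):
    stanzas, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if line.startswith("\t") or not sep or key not in FIELDS:
            cur = None  # prose, blank and header lines end a stanza
        else:
            if key == "Tags" or cur is None:
                cur = {f: set() for f in FIELDS}
                stanzas.append(cur)
            cur[key] |= set(re.findall(r"[^,\s]+", value))
    return stanzas

def resolve(stanzas, wanted):
    # Assumption: a stanza applies when ALL its tags are selected, and an
    # applied stanza's Implies tags then become selected as well.
    tags, grew = set(wanted), True
    while grew:
        active = [s for s in stanzas if s["Tags"] and s["Tags"] <= tags]
        implied = set().union(*(s["Implies"] for s in active))
        grew = not implied <= tags
        tags |= implied
    pkgs = set().union(*(s["Packages"] for s in active if "omit" not in s["Tags"]))
    return tags, sorted(pkgs)
```

	Selecting only udhcpc in the sample pulls in the bootable and initable packages as well, which is the kind of growth worth reviewing before an image is built.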
* * *

	The following Debian packages comprise the base system, common to all AM-1.ORG environments, including those running on real hardware, under Qemu, live images, within containers and chroots (although non-container chroots are deprecated on AM-1.ORG systems), etc.

	The base system is expected to be reasonably self-contained. In particular, any dependencies it may have should be either purely automatic (i. e., not mentioned anywhere later in this document), or listed explicitly here and only here.

	This list ought to include ca-cacert, which is unfortunately no longer in Debian as of Buster, due to uncertain licensing.

Tags: base
Packages: apg apt ascii bash bc bmake bsdutils busybox bzip2 ca-certificates coreutils cpio dash dc debian-archive-keyring debianutils debootstrap diffutils dpkg e2fsprogs ed fakechroot fakeroot file findutils gawk gdisk gnutls-bin gpgv grep gzip less libc-bin libcommon-sense-perl libconvert-asn1-perl libdata-dump-perl libdigest-sha-perl libencode-locale-perl libtasn1-bin libterm-readline-gnu-perl libuuid-perl locales-all ltrace lynx lzop m4 minilzip mtree-netbsd ncurses-bin ncurses-term nettle-bin patch patchutils pdlzip perl procps pseudo psmisc rcs rhash rsync sed sharutils sleuthkit sqlite3 squashfs-tools strace tar time tree unzip util-linux vim-tiny wamerican wdiff wget xxd zip

	As an alternative to ed and vim-tiny, the lightweight Emacs-like zile editor may also be used.

Tags: omit, base
Packages: zile

	For data recovery, a generous selection of archivers and compressors (beyond those included in base above) may come in handy.

Tags: archivers
Packages: arj lhasa p7zip xz-utils zstd

	Similarly, we may need to interact with FAT filesystems.

Tags: fatfs
Packages: dosfstools mtools

	The following packages are useful for interfacing equipment over serial lines, as well as managing virtual and pseudo ttys. Also relevant is rlwrap, not included because of its superfluous dependencies.
	In addition to (or in place of) screen, dtach and tmux may be included.

Tags: tty
Packages: cu lrzsz reptyr screen

Tags: omit, tty
Packages: dtach rlwrap tmux

	For networking diagnostics the following packages may be useful. Also included is the polipo proxy, to allow for setting up HTTP proxies (including HTTP over Tor), should the need arise.

Tags: network
Packages: curl dns-root-data esmtp netbase polipo sic socat

Tags: network, perl
Packages: libdigest-hmac-perl libio-socket-inet6-perl libio-socket-ip-perl libmail-spf-perl libnet-dns-perl libnet-ip-perl spf-tools-perl swaks

Tags: buster, network
Packages: dnsutils

Tags: bullseye, network
Packages: bind9-dnsutils

	The following packages are expected on a system that has an init (PID 1) process, such as a container.

Tags: initable
Packages: initscripts lsof sysv-rc sysvinit-utils uuid-runtime

Tags: initable-lite
Packages: busybox-syslogd tinysshd
Implies: initable

	Certain packages only make sense on systems that anticipate user (non-root) interactive sessions, as opposed to, say, a container managed entirely from the hosting system. Among those are openssh-client and dsh, a wrapper that facilitates starting several SSH client instances in sequence or in parallel, which is particularly useful in clustered environments.

	Please note that ssh-agent is installed with the setgid flag set as a precaution against someone gaining access to a user session of another person and then using GNU/Linux debugging facilities (such as the /proc/PID/mem file) to hijack currently loaded SSH keys. Such a measure is, however, not effective in AM-1.ORG containers (see below.)

Tags: interactive
Packages: acl jdupes pinentry-tty
Implies: initable

Tags: interactive, network
Packages: openssh-client

Tags: cluster, interactive
Packages: dsh
Implies: network

	The following packages are likely to be useful on a system booted on real hardware or in a (para)virtualized environment, but not necessarily in a chroot or a container.
	We formerly made use of Btrfs and Nilfs filesystems, hence the respective packages may be useful on recovery images, yet they are currently not included to save space.

	We include here the packages which require privileges not generally granted to AM-1.ORG containers, such as those required to run dmsetup(8), mount(8), mtr(8), oping(8), tcpdump(8), etc. We include iputils-ping here alongside oping, although the latter supersedes the former in regular AM-1.ORG usage.

	For instance, AM-1.ORG containers and chroots are typically meant to run very few, if any, processes under superuser (root, uid 0) privileges, and even those only possess a limited set of capabilities (e. g., the mknod syscall is not available.) Moreover, the usual privilege gates, such as setuid (setgid) programs, are disabled (via both the no_new_privs bit and by only making available filesystems mounted with the nosuid option.) Together, these measures render programs such as MAKEDEV, mount, mtr and oping meaningless.

	Similarly, containers rely on the host system clock (which ought to be properly synchronized), and thus need no NTP support themselves.

Tags: bootable
Packages: gnupg1 kexec-tools login makedev mount sysvinit-core
Implies: initable

Tags: omit, bootable
Packages: btrfs-progs nilfs-tools

Tags: cryptsetup
Packages: cryptsetup-bin cryptsetup-initramfs cryptsetup-run
Implies: bootable

Tags: lvm2
Packages: dmsetup lvm2 thin-provisioning-tools
Implies: bootable

Tags: mdadm
Packages: mdadm
Implies: bootable

Tags: bootable, network
Packages: ifupdown iproute2 iputils-ping mtr-tiny net-tools netdiag ntp oping tcpdump

	For a live image, support for DHCP IPv4 autoconfiguration may come in handy.

Tags: udhcpc
Packages: udhcpc
Implies: bootable, network

	We may also need to access NFS, iSCSI, Kerberos and (or) LDAP servers. Typically we will use autofs to automatically (un)mount remote filesystems, but for a recovery image it seems superfluous.
Tags: nfs-client
Packages: nfs-common rpcbind
Implies: bootable, network

Tags: open-iscsi
Packages: open-iscsi
Implies: bootable, network

Tags: heimdal
Packages: heimdal-clients
Implies: network

Tags: ldap
Packages: ldap-utils
Implies: network

	We may also want to use a system started from this live image as a (perhaps temporary) Ethernet bridge or router.

Tags: bridge
Packages: bridge-utils ebtables
Implies: bootable, network

Tags: gateway
Packages: ipset iptables iptables-persistent nftables
Implies: bootable, network

	Miscellaneous network-related packages. In particular, aria2 may be used to efficiently transfer large datasets to multiple destinations (thanks to its BitTorrent support), while openbsd-inetd is our preferred way to start tinysshd, which is part of initable-lite above. (Although tinysshd can alternatively be started via socat.)

	The iputils-tracepath package provides the tracepath(8) utility, which is similar to mtr(8) and traceroute(8) but does not rely on superuser privileges, making it suitable for AM-1.ORG containers.

Tags: network-extra
Packages: aria2 idn idn2 iputils-tracepath lighttpd openbsd-inetd tcpd
Implies: network

Tags: bootable, network-extra
Packages: radvdump

	Perl-compatible regular expressions occasionally come in handy. Given the presence of sqlite3 in base, it does not make sense to omit sqlite3-pcre from here.

Tags: pcre
Packages: pcregrep sqlite3-pcre

	A selection of languages beyond those already in base. Note that edbrowse is included here chiefly as a lightweight (although largely incomplete) JavaScript implementation, in case one is needed.

Tags: languages
Packages: duktape jimsh make mawk

Tags: edbrowse
Packages: edbrowse

	A selection of extra packages for Perl.
Tags: perl
Packages: libconvert-base32-perl liblocale-gettext-perl libsys-mmap-perl libterm-readkey-perl libterm-readline-perl-perl libterm-readpassword-perl libtree-rb-perl liburi-perl

Tags: perl, sqlite-extra
Packages: libdbd-sqlite3-perl libdbi-perl

	Sometimes tinysshd may not be enough (for instance, it lacks support for TCP and Unix domain socket forwarding), so we include openssh-server as well. Please note that openssh-server would not ordinarily start in an AM-1.ORG container due to the latter lacking the audit_write capability, which is one of the reasons tinysshd is used instead.

Tags: openssh-server
Packages: openssh-server
Implies: initable, network

	For long-term archival storage, AM-1.ORG specifies the use of DVD+R media, with the ISO 9660 filesystem being preferred. While for this image we do not assume a DVD recorder being available (although one can be attached to a system running under Qemu, such as via iSCSI), we still include packages that facilitate making ISO 9660 archives.

Tags: iso9660
Packages: genisoimage makefs xorriso

	It does make sense to boot the system with init=/bin/bash and set the root password explicitly (# passwd) before proceeding (# exec /sbin/init). Nevertheless, sudo is provided as a more conventional way to gain root access.

Tags: bootable, conventional
Packages: sudo

	A diagnostics and recovery image would also make use of the following packages. It does not make much sense to include them on the Squashfs image proper.

Tags: omit, syslinux
Packages: extlinux isolinux syslinux syslinux-common

Tags: omit, bootable
Packages: memtest86+ memtest86

	The kernel and the utilities to make the respective initramfs. Note that it is not necessary to include initramfs itself (nor anything else from below boot/) on the Squashfs image proper.
Tags: bootable, linux
Packages: initramfs-tools

Tags: linux-amd64-lite
Packages: linux-image-4.19.0-10-cloud-amd64-unsigned
Implies: bootable, linux

Tags: omit, bootable, linux
Packages: firmware-linux-free

	The following packages make it possible to run the system from read-only media, overlaid by a tmpfs.

Tags: live
Packages: live-config live-config-sysvinit live-tools user-setup

Tags: live, bootable
Packages: live-boot live-boot-initramfs-tools

* * *

History

2020-10-10 07:20:21Z (sfn.40wxr8hwOyplELjhisBSz7LYlcZJWVw8wc4hEVXNZU8.text)
2020-10-08 17:07:23Z (sfn.BbJUqwYILoXYlwXFYgVIJpIooP1u5tpMzcUWvXq-frM.text)
2020-10-08 15:45:51Z (sfn.0YO9cHp_o4ZqGNi4L0UcYDAK12hB_hMLwVcftyUmuIQ.text)
2020-10-08 15:27:35Z (sfn.Ak6wwQPAi1bPkzwPqsZGv7A0Vy18-rJ_n4yqxgtGQP8.text)
2020-09-24 11:39:51Z (sfn.-ed_SsAnp_Jm38Un--7fMuFo2tbRA-UhnQ-YLQpod78.text)
2020-09-15 18:37:46Z (sfn.ZDs1WIFgiPtkA8sRa28sbmmwl8KIiCB8fwoTdsOWEvQ.text)
2020-09-13 22:00:09Z (sfn.k-78ySey7sjIDpCGwVmMK8DmQ-p6fo3NeIJUrzGaR9E.text)
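	The container restrictions described earlier in this document (the no_new_privs bit, nosuid-only mounts, and the absent mknod and audit_write capabilities) can be checked from inside an environment. The following is an added example, not part of the AM-1.ORG tooling; the audit function name and the sample /proc contents are constructed for illustration.

```python
# Bit numbers from linux/capability.h for the two capabilities the page names.
CAPS = {"mknod": 27, "audit_write": 29}

# Constructed samples in the layout of /proc/PID/status and /proc/PID/mounts.
CONTAINER_STATUS = "Name:\tsh\nCapEff:\t00000000000004c0\nNoNewPrivs:\t1\n"
HOST_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nNoNewPrivs:\t0\n"
MOUNTS = (
    "overlay / overlay rw,nosuid,nodev,relatime 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec 0 0\n"
    "tmpfs /tmp tmpfs rw,nodev 0 0\n"  # deliberately lacks nosuid
)

def audit(status_text, mounts_text):
    """Report which of the privilege gates named on the page are still open."""
    fields = dict(l.split(":", 1) for l in status_text.splitlines() if ":" in l)
    cap_eff = int(fields["CapEff"].strip(), 16)
    suid_mounts = []
    for line in mounts_text.splitlines():
        parts = line.split()  # device, mount point, fstype, options, ...
        if len(parts) >= 4 and "nosuid" not in parts[3].split(","):
            suid_mounts.append(parts[1])
    return {
        # Kernels older than 4.10 have no NoNewPrivs line; treat as unset.
        "no_new_privs": fields.get("NoNewPrivs", "0").strip() == "1",
        "caps_present": sorted(n for n, b in CAPS.items() if cap_eff >> b & 1),
        "suid_mounts": suid_mounts,
    }

if __name__ == "__main__":
    # On a live system, audit the current process's own view instead.
    with open("/proc/self/status") as s, open("/proc/self/mounts") as m:
        print(audit(s.read(), m.read()))
```

	A non-empty suid_mounts or caps_present list, or no_new_privs being false, means the environment does not match the container profile described above.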