Raspberry Pi

Description

The Raspberry Pi computer is deployed in VLAN 100 of the network as a secure reverse web proxy and SSH proxy server to prevent direct access to the infrastructure resources and protect these applications. This section will guide you through the steps to install the Raspberry Pi OS onto your Raspberry Pi, along with the configuration instructions to deploy this system in the network. The guide was written for a Raspberry Pi 3 Model B. Any later model should also work.

Chromebook Recovery Utility

The Raspberry Pi OS comes as a disk image that needs to be flashed onto an SD card using a special utility. On Chromebooks, we will use the Chromebook Recovery Utility extension to install the Raspberry Pi OS onto your SD card.

  1. Navigate to the Chromebook Recovery Utility extension on the Chrome Web Store.
  2. If the extension is already installed, the button on this page will read Remove from Chrome and you can skip to the next section.
  3. Otherwise, click on the Add to Chrome button. This will open a pop-up window. Click on the Add extension button to complete the installation.

Raspberry Pi OS

The Raspberry Pi doesn't come with a hard drive. Instead, the system has a microSD card reader and requires the OS to be installed on removable media. This section will guide you through the process of downloading and installing the Raspberry Pi OS onto a microSD card for your Raspberry Pi.

  1. Navigate to the Official Raspberry Pi Operating system images and download the 64-bit Raspberry Pi OS Lite file. Save this file to your Downloads folder.
  2. The image is distributed as a .xz archive, which the Chromebook Recovery Utility doesn't support. Double-click on the OS file to mount the archive on your Chromebook and access the contents.
  3. Click on the mounted archive to view the contents. From here, click and drag the embedded .img file to your Downloads folder.
  4. After the image file is copied, navigate to your Downloads folder. Right-click on the .img file and select Zip selection from the context menu. This will create a .zip file that we can use with the Chromebook Recovery Utility to install the OS onto a microSD card.
  5. Open the Chrome browser, then click on the puzzle icon to the right of the navigation bar and select Chromebook Recovery Utility. This will open the tool in a new window.
  6. Insert your microSD card into the card reader of your Chromebook. The recovery utility should recognize the card.
  7. Click on the gears icon at the top right corner and select Use local image. This will open a file picker selection window. From here click on the .zip file containing the Raspberry Pi OS and click Open.
  8. Follow the on-screen instructions to flash the OS.

Initial System Setup

With the Raspberry Pi OS installed on the microSD card, you can now insert the card into the Raspberry Pi and boot up your system. You will need to connect a keyboard and a screen to complete the initial setup of your system and get it ready to be installed. During the first boot process, you'll be prompted to create a username and password for accessing the system. Keep a record of these as you will need them to perform regular maintenance on the system.

Expand Filesystem

The first task to accomplish on your new Raspberry Pi system is to expand the filesystem to use your entire microSD card. The OS image comes preset with a small partition size and doesn't take the capacity of your microSD card into account. To get around this, we'll use a function built into the configuration tool to maximize the available space.

  1. After you have successfully logged into the computer, start the configuration utility: run sudo raspi-config
  2. Use the keyboard arrow keys to go to Advanced Options.
  3. Select Expand Filesystem.
  4. Select OK. This will resize the Root partition of the microSD card upon the next reboot.
  5. Select Finish to close the raspi-config tool.
  6. The system will prompt you to restart the OS to apply the changes. Select Yes.

Configure Network

WARNING - This paragraph still needs to have instructions on how to find the interface name and this needs to be included in the configuration.

The Raspberry Pi OS is configured to receive an IP address as a DHCP client by default. While this provides easy access to the network, an address that can change isn't well suited to our SSH proxy and reverse web proxy service. This step guides you through setting up a static IP address, as shown in the network diagram.

  1. Find the interface name
  2. Open the network configuration file for editing: sudo vi /etc/dhcpcd.conf
  3. Insert the following lines at the bottom of the configuration file, using the interface name from step 1:
    interface enxsnp08
    static routers=10.10.100.1
    static domain_name_servers=8.8.8.8 8.8.4.4
    static ip_address=10.10.100.2/24
  4. Save and close the configuration file by hitting the ESC key twice, then typing :wq and hitting the Enter key.
  5. Run the command sudo systemctl restart dhcpcd.service. This will restart the networking service on your Raspberry Pi and load the new IP address configuration.

SSH Access

Secure Shell is the key to being able to manage your Raspberry Pi remotely and to setting up the SSH Proxy server so we can access the rest of our infrastructure from the internet.

  1. Start the configuration utility: run sudo raspi-config
  2. Select the Interfacing Options menu option and press Enter.
  3. Select SSH and press Enter. This will open a prompt asking Would you like the SSH server to be enabled?
  4. Select Yes and press Enter.
  5. Press ESC until you quit the raspi-config utility.

Key-Based SSH Authentication

Public Key Distribution

Enabling key-based authentication ensures that your Raspberry Pi is only accessible from a trusted device and is a crucial part of getting the SSH proxy to work properly.

  1. From your Chromebook, start the Terminal app.
  2. Run the command ssh-copy-id eric@10.10.100.2 (the static address assigned to the Raspberry Pi in the Configure Network section).
  3. When prompted, enter the password.

Disable Password Authentication

Now that public key authentication has been configured, the next step is to completely disable password authentication to reduce the possibility of the SSH server being vulnerable to brute force password attacks.

  1. From your Raspberry Pi, open the SSH daemon configuration file: sudo vi /etc/ssh/sshd_config
  2. Find and set PasswordAuthentication no
  3. Save and close the configuration file by hitting the ESC key twice, then typing :wq and hitting the Enter key.
  4. Restart the SSH service with the following command: sudo systemctl restart ssh
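
A check for the result of the steps above, as an added example that is not part of the original guide. `sshd -T` prints the effective server configuration, which matters because a file pulled in by an Include line (for example under /etc/ssh/sshd_config.d/) can set the same keyword first, and keyboard-interactive authentication can still prompt for a password. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings.
# audit_sshd reads `sshd -T` style output ("keyword value") on stdin, prints
# one line per problem and returns non-zero if any problem was found.
# On the Pi: sudo sshd -T | audit_sshd
audit_sshd() {
    awk '
        BEGIN {
            # Values expected once password logins are disabled.
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
        }
        {
            key = $1
            # Older OpenSSH releases print the previous keyword name.
            if (key == "challengeresponseauthentication")
                key = "kbdinteractiveauthentication"
            if (key in want) seen[key] = $2
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "MISSING %s\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s, expected %s\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }'
}

# Constructed sample: another config file turned password logins back on.
sample_weak() {
    printf '%s\n' "port 22" "pubkeyauthentication yes" \
        "passwordauthentication yes" "kbdinteractiveauthentication no"
}

# Constructed sample: hardened server that prints the older keyword name.
sample_hardened() {
    printf '%s\n' "port 22" "pubkeyauthentication yes" \
        "passwordauthentication no" "challengeresponseauthentication no"
}

sample_weak | audit_sshd || echo "password logins are still possible"
sample_hardened | audit_sshd && echo "key-only authentication is in effect"
```
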

SSH ProxyJump

With SSH set up on your Raspberry Pi, this next section outlines what you need to do on the laptop (or other remote device) that you want to use to manage the internal systems.

  1. From your Chromebook, start the Linux Development Environment (LDE) and run vi .ssh/config to modify the SSH configuration.
  2. Add the details for the Raspberry Pi as the first entry in this file and set the Host ID for the Raspberry Pi as the ProxyJump value for any systems you wish to access through this bastion.
    Host rpi
        Hostname home.desgroseilliers.ca
        User eric
        IdentityFile ~/.ssh/id_ed25519
    Host home
        Hostname 10.10.10.51
        ProxyJump rpi
        User eric
        IdentityFile ~/.ssh/id_ed25519

Install Docker

Although there are multiple approaches to getting Docker installed on Raspberry Pi OS, I chose to follow the official Docker approach because this gives me the latest version of Docker that aligns with the documentation. The official instructions can be found here. I've shortened the steps below to make it a little faster.

  1. Remove any Docker versions that may be installed from the official Debian repos: sudo apt-get remove docker docker-engine docker.io containerd runc
  2. Set up the Docker repository on your Raspberry Pi
    sudo apt-get update
    sudo apt-get install ca-certificates curl gnupg
    sudo install -m 0755 -d /etc/apt/keyrings
    curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
    sudo chmod a+r /etc/apt/keyrings/docker.gpg
    echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
  3. Install Docker engine
    sudo apt-get update
    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
  4. (Optional) Run a test to confirm that Docker was installed successfully.
    sudo docker run hello-world

Setup SWAG

Advanced Configuration

Unattended Upgrades

This section outlines the steps to install and configure unattended-upgrades on your Raspberry Pi to keep the system updated.

  1. Install the unattended-upgrades package.
    sudo apt-get update
    sudo apt-get install unattended-upgrades
  2. Modify the file /etc/apt/apt.conf.d/50unattended-upgrades. Scroll down to the Origins-Pattern section and uncomment the updates and proposed-updates lines. The config file should look like this:

    Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    
        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
    //      "o=Debian,a=stable";
    //      "o=Debian,a=stable-updates";
    //      "o=Debian,a=proposed-updates";
    //      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
    };
  3. Reconfigure the unattended-upgrades package to enable this service.
    sudo dpkg-reconfigure --priority=low unattended-upgrades
  4. Select yes from the menu option.
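
One way to confirm the result of these steps, as an added example that is not part of the original guide: `apt-config dump` prints the merged APT configuration, so it shows whether the periodic job is switched on and whether a security origin is among the allowed patterns. The function name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: check `apt-config dump` output for working automatic upgrades.
# check_auto_upgrades reads the dump on stdin, prints its findings and
# returns 0 only if every check passes.
# On the Pi: apt-config dump | check_auto_upgrades
check_auto_upgrades() {
    dump=$(cat)
    rc=0
    # Both periodic switches must be set and non-zero, or the daily job does nothing.
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(printf '%s\n' "$dump" |
              sed -n "s/^APT::Periodic::$key \"\\(.*\\)\";\$/\\1/p" | tail -n 1)
        case "$val" in
            ""|0) echo "FAIL APT::Periodic::$key is '${val:-unset}'"; rc=1 ;;
            *)    echo "ok   APT::Periodic::$key = $val" ;;
        esac
    done
    # At least one allowed origin must cover the security archive.
    if printf '%s\n' "$dump" |
       grep -q '^Unattended-Upgrade::Origins-Pattern:: ".*[Ss]ecurity'; then
        echo "ok   a security origin is allowed"
    else
        echo "FAIL no security origin in Unattended-Upgrade::Origins-Pattern"; rc=1
    fi
    return $rc
}

# Constructed sample: package configured as in the steps above.
sample_enabled() {
cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-updates";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
EOF
}

# Constructed sample: package installed but the periodic run left disabled.
sample_disabled() {
cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-updates";
EOF
}

sample_disabled | check_auto_upgrades || echo "automatic upgrades are not fully enabled"
```
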