From Sid down to Bullseye: installing Armbian on NanoPi M4 v2

July 25, 2022

Well, as of July 2022 the Armbian Bullseye release did not boot on my NanoPi M4v2. Shit happens. Reflashed microSD with Sid and it seems to work well. After installation I downgraded the system to Bullseye. This note describes the process in detail with all tweaks to the base system, logging, ssh server, LED control, and desktop environment with VNC server. As of now this is a summary of my best practices.

Mediacenter based on NanoPi M4 v2

I apply many tweaks immediately after flashing the distro to microSD card, before booting. So, need to mount it:

mkdir /mnt/microsd
mount /dev/mmcblk0p1 /mnt/microsd

For headless SBCs I usually start by editing /mnt/microsd/etc/network/interfaces, but my mediacenter has a display and keyboard attached so I skip this step. Also, as a side project I implemented the ethwifi network manager. I placed it in the /mnt/microsd/root directory and the systemd unit in the /mnt/microsd/etc/systemd/system directory. The unit should be activated after boot.

Bash

Make tweaks to /mnt/microsd/root/.bashrc:

HISTCONTROL=erasedups:ignoreboth
force_color_prompt=yes

SSH

Disable SSH password authentication and use public key authentication only:

mkdir /mnt/microsd/root/.ssh
chmod 700 /mnt/microsd/root/.ssh

Create file /mnt/microsd/root/.ssh/authorized_keys with my SSH public key.

Edit /mnt/microsd/etc/ssh/sshd_config:

PasswordAuthentication no
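
An added example, not part of the original post: a check of the mounted card before first boot. sshd uses the first value it reads for a keyword, and Debian's stock sshd_config includes /etc/ssh/sshd_config.d/*.conf at the top, so the script resolves the effective PasswordAuthentication, then checks the StrictModes permissions and that a key is actually in place. The function names are hypothetical, and it assumes GNU stat and the config at etc/ssh/sshd_config under the mount point.

```shell
#!/bin/sh
# Added example (hypothetical function names): audit SSH on a mounted image.
# Emit config lines in the order sshd reads them, expanding one level of
# Include (relative patterns are resolved against /etc/ssh).
sshd_lines() {
    root=$1
    while read -r kw arg rest; do
        case $(printf %s "$kw" | tr 'A-Z' 'a-z') in
            include)
                case $arg in
                    /*) pat="$root$arg" ;;
                    *)  pat="$root/etc/ssh/$arg" ;;
                esac
                for f in $pat; do
                    if [ -f "$f" ]; then cat "$f"; fi
                done ;;
            *) printf '%s %s\n' "$kw" "$arg" ;;
        esac
    done < "$root/etc/ssh/sshd_config"
}

# sshd keeps the FIRST value it reads for a keyword, so an early drop-in wins
# over a later line in sshd_config. Match blocks are not evaluated here.
sshd_effective() {
    sshd_lines "$1" | awk -v k="$(printf %s "$2" | tr 'A-Z' 'a-z')" \
        '!seen && tolower($1) == k { print tolower($2); seen = 1 }'
}

# Print findings and return the number of failed checks.
audit_ssh() {
    root=$1; fails=0
    pa=$(sshd_effective "$root" PasswordAuthentication)
    if [ "${pa:-yes}" != no ]; then   # unset means the default, which is yes
        echo "FAIL PasswordAuthentication is effectively '${pa:-yes}'"; fails=$((fails + 1))
    fi
    for p in "$root/root/.ssh" "$root/root/.ssh/authorized_keys"; do
        mode=$(stat -c %a "$p" 2>/dev/null) || mode=missing   # GNU stat
        case $mode in
            missing|*[2367]?|*[2367])   # StrictModes rejects group/world-writable
                echo "FAIL $p mode=$mode"; fails=$((fails + 1)) ;;
        esac
    done
    if [ ! -s "$root/root/.ssh/authorized_keys" ]; then   # key-only login needs a key
        echo "FAIL authorized_keys is missing or empty"; fails=$((fails + 1))
    fi
    return "$fails"
}

[ $# -eq 0 ] || audit_ssh "$1"
```

Saved under a name of your choice (audit.sh here is a placeholder), run it as `sh audit.sh /mnt/microsd` after the edits and before unmounting the card; the exit status is the number of failed checks.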

Logging

Disable systemd-journald logging. Make a change to /mnt/microsd/etc/systemd/journald.conf:

Storage=none

Disable armbian-ramlog. I use bare tmpfs instead. In a few cases when I needed logs, they were lost anyway. I mean if something goes really wrong, ramlog has no chance to flush logs back to microSD. So, make a change to /mnt/microsd/etc/default/armbian-ramlog:

ENABLED=false

Log rotation tweaks. Edit /mnt/microsd/etc/logrotate.d/rsyslog and change

rotate 4
weekly

to

rotate 1
daily

and remove

compress
delaycompress

Apply the same tweaks to /mnt/microsd/etc/logrotate.conf.

Remove the following lines from /mnt/microsd/etc/cron.daily/logrotate:

# skip in favour of systemd timer
if [ -d /run/systemd/system ]; then
    exit 0
fi

Add the following line to /mnt/microsd/etc/fstab:

tmpfs /var/log tmpfs nosuid,noexec,nodev,mode=755,size=1M 0 1

Yes, 1M for daily logs is more than enough. If not, the system is misconfigured.

And while fstab is edited, limit the size of /tmp as well. I use 32M limit.

Disable zram.

In my personal opinion, this is an absolutely unnecessary thing. No benefits. Edit /mnt/microsd/etc/default/armbian-zram-config:

ENABLED=false

Final tweaks before booting

Add a password hash for the root user to /mnt/microsd/etc/shadow. The hash can be generated with the mkpasswd command. In the past Armbian setup accepted any initial password but now they made it much more restrictive. Worse, after a few unsuccessful attempts the initialization fails and will never boot the desktop environment.

For mediacenter I don't want any passwords. Given that I purge sudo, 12345 is more than enough for console login. Desktop environment does not need a password at all.

Delete /mnt/microsd/root/.not_logged_in_yet. We have configured almost everything manually.

Boot and setup networking

I use ethwifi, so the first thing is to purge all unnecessary networking tools:

apt purge network-manager* networkd-dispatcher* avahi* netplan* ifupdown resolvconf

Disable wpa_supplicant:

systemctl stop wpa_supplicant
systemctl disable wpa_supplicant

Given that ethwifi is already in place, enable and start it:

systemctl enable ethwifi
systemctl start ethwifi

Re-generate SSH keys

rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server

I don't remember if the SSH server is enabled, so just in case:

systemctl enable ssh

Purge unnecessary packages

unattended-upgrades: I always upgrade manually.

vnstat: I don't need to collect network statistics on the mediacenter.

sudo: unnecessary security hole

mc, mc-data: unnecessary Midnight Commander, not the Unix way

Disable some services

Getty is unnecessary for me:

systemctl mask console-getty serial-getty

My mediacenter is fanless:

systemctl stop nanopim4-pwn-fan
systemctl disable nanopim4-pwn-fan

I don't need SMART daemon:

systemctl disable smartmontools

Disable sysstat cronjobs:

dpkg-reconfigure sysstat

Drop one more piece of systemd crap:

systemctl disable logrotate.timer

Miscellaneous tweaks

I have a bunch of JMicron USB-SATA adapters, so I add 152d:0578:u to usbstoragequirks in /boot/armbianEnv.txt.

LED control

Blinking LED is annoying. This is how to turn it off:

echo 0 >/sys/class/leds/status_led/brightness

Just in case, here's how to turn it on:

echo default-on >/sys/class/leds/status_led/trigger

Systemd unit for turning the LED off at startup /etc/systemd/system/led-off.service:

[Unit]
Description=Turn blinking LED off

[Install]
WantedBy=multi-user.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/bash -c "echo 0 >/sys/class/leds/status_led/brightness"

Install desktop environment and other software

apt install xorg xfce4 xfce4-xkb-plugin xfce4-terminal xfce4-power-manager xfce4-power-manager-plugins \
            pulseaudio pasystray pavucontrol lightdm accountsservice alsa-ucm-conf x11vnc \
            xscreensaver xscreensaver-data-extra xscreensaver-gl xscreensaver-gl-extra \
            fonts-arphic-ukai fonts-arphic-uming fonts-beng fonts-dejavu fonts-deva \
            fonts-font-awesome fonts-freefont-ttf fonts-gubbi fonts-gujr fonts-guru fonts-indic \
            fonts-liberation fonts-liberation2 fonts-mathjax fonts-mathjax-extras \
            fonts-noto-mono fonts-opensymbol fonts-samyak* fonts-stix fonts-symbola \
            fonts-texgyre fonts-thai-tlwg-ttf fonts-unfonts-core fonts-unfonts-extra \
            zip unzip unrar lz4 zstd poppler-utils ghostscript \
            gthumb ristretto atril libjs-mathjax-doc distro-info autofs nftables \
            mplayer mpv qmmp chromium firefox

Create desktop user:

useradd -g users user

Enable autologin. Edit /etc/lightdm/lightdm.conf:

[Seat:*]
autologin-guest=false
autologin-user=user
autologin-user-timeout=0

Disable root login for the desktop environment. Edit /etc/pam.d/lightdm and add the following line at the beginning, after session directives:

auth required pam_succeed_if.so user != root quiet

VNC server

I use x11vnc, launched by XFCE. Configured in Session and Startup, Application Autostart:

x11vnc -shared -forever

How to install a particular kernel

In the process of installation I tried to downgrade the kernel. This is how:

apt install linux-dtb-current-rockchip64=22.05.3 linux-image-current-rockchip64=22.05.3
apt-mark hold linux-dtb-current-rockchip64 linux-image-current-rockchip64

Downgrading from Sid to Bullseye

The reason for the downgrade was a segmentation fault in mpv. Mplayer worked well, though.

Changed sid to bullseye in /etc/apt/sources.list and created /etc/apt/preferences:

Package: *
Pin: release a=stable
Pin-Priority: 1001

Downgraded:

apt update
apt dist-upgrade

Removed /etc/apt/preferences.

There were some quirks after the downgrade. Here's a summary of how to fix them:

apt purge policykit-1
apt install policykit-1 policykit-1-gnome
apt install --reinstall dbus
apt purge libwbclient0
apt install --reinstall mpv
apt purge firefox chromium
apt install firefox-esr

I failed to get chromium working.

Also, there's no easy way to install the latest Firefox. Flatpak is useless because there is no precompiled binary for aarch64. Installing from Sid is not an option either because it needs the latest libc and other dependencies which may break all the rest.