oam/knowledge base/raspberry pi os.md

Raspberry Pi OS

1. First boot
2. Privilege escalation
3. Disable WiFi and Bluetooth
   1. Through boot configuration
   2. Through rfkill
   3. Disable the related services
   4. Disable the stacks completely uninstalling the packages
4. Swap
5. Overlay filesystem mode
6. Check for CPU throttling
7. Check the board temperature
8. Apply CPU governors
9. Tuning
10. Headless boot
    1. The wpa_supplicant file
    2. Compute the password's hash
11. Run containers
    1. Kernel containerization features
    2. Firewall settings
12. Store files on the SD even when the overlay file system is active
13. Disable automatic upgrades
14. Further readings
15. Sources

First boot

Unless manually set from the Imager, on first boot the system will ask to create a new initial user.

Privilege escalation

• Users in the sudo group can sudo.
• The initial user can sudo without being asked for a password by default.

Disable WiFi and Bluetooth

Through boot configuration

Disable one or both in the all section of /boot/config.txt:

[all]
dtoverlay=disable-wifi
dtoverlay=disable-bt

Through rfkill

1. block one or both:

   rfkill block 'wifi'
   rfkill block 'bluetooth'
   

2. check they are correctly soft-blocked:

   rfkill list
   

Disable the related services

• hciuart.service and bluetooth.service for Bluetooth
• wpa_supplicant.service for WiFi

Disable the stacks completely uninstalling the packages

sudo apt --assume-yes purge 'bluez'
sudo apt --assume-yes autoremove --purge

Swap

Disable the swap file:

sudo systemctl disable --now 'dphys-swapfile'

Overlay filesystem mode

This enhances the performances, but all changes will be kept in RAM and lost after a reboot unless it is saved elsewhere.

Enable it using raspi-config. While enabled, /root is in RO and no data will be written to the card.

Check for CPU throttling

See Re: How to make sure the rpi cpu is not throttled down?.

$ vcgencmd get_throttled
throttled=0x0

The bits in this number represent the following:

Bit	Hex value	Meaning
0	0x1	Under-voltage detected; occurs when voltage drops below 4.63V; the Pi is throttled
1	0x2	Arm frequency capped; occurs with temp > 80˚C
2	0x4	Currently throttled
3	0x8	Soft temperature limit active
16	0x10000	Under-voltage has occurred
17	0x20000	Arm frequency capping has occurred
18	0x40000	Throttling has occurred
19	0x80000	Soft temperature limit has occurred

over-temperature occurs with temp > 85˚C. The Pi is throttled.

Throttling removes turbo mode, which reduces core voltage and sets arm and gpu frequencies to a non-turbo value.

Capping just limits the CPU frequency (somewhere between 600MHz and 1200MHz) to try to avoid throttling.

If the board throttled but is not under-voltage, you can assume over-temperature; confirm this with vcgencmd measure_temp.

E.g., 0x50005 means you are currently under-voltage and throttled. If you want to be able to support this use case without throttling you will need a better power supply.

If you never see a non-zero get_throttled value in normal usage, then you may not need to do anything.

Check the board temperature

Use the vcgencmd utility with the measure_temp command:

$ vcgencmd measure_temp
temp=73.1'C

Apply CPU governors

Until next boot:

echo 'ondemand' | sudo tee '/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor'
echo 'performance' | sudo tee '/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor'
echo 'powersave' | sudo tee '/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor'

Permanently:

sudo nano '/etc/init.d/raspi-config'

Tuning

See Timely tips for speeding up your Raspberry Pi.

Headless boot

Manual procedure:

1. Image the SD card

   sudo dd bs='4M' if='/tmp/2019-09-26-raspbian-buster-lite.img' of='/dev/mmcblk0' status='progress' oflag='sync'
   

2. Mount the boot partition.

3. Create an empty ssh file in that partition.
   This will enable the ssh service at boot.

4. Create the wpa_supplicant.conf file in the same partition.
   This will be used to overwrite the same file in /etc on the OS.

   1. Follow the template below.
   2. [Optionally] fill the template with the password's hash for improved security

The wpa_supplicant file

wpa_supplicant.conf template:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=«your_ISO-3166-1_two-letter_country_code»

network={
    ssid="«your_SSID»"
    psk="«your_PSK»"
    key_mgmt=WPA-PSK
}

Replace «your_ISO-3166-1_two-letter_country_code» with your ISO Country Code (such as CA for Canada), «your_SSID» with your wireless access point name and «your_PSK» with your wifi password.

Note that the country, ctrl_interface and update_config lines are required in file as created in /boot: if they are missing the system will not connect to the network. The above process can be repeated to correct the omissions.

wpa_supplicant.conf example:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=IE

network={
    ssid="VM6371722"
    psk=77475166938e2ddc18bcde2a59d4b63810c0a05ddf9b931e4b0223b74e94e389  # psk="qqqqqqqqq"
    key_mgmt=WPA-PSK
}

Compute the password's hash

Use wpa_passphrase:

usage: wpa_passphrase <ssid> [passphrase]
If passphrase is left out, it will be read from stdin

The utility will prompt for the password, and will return the hexadecimal hash value. This hashed password is to be stored without quotes in the /boot/wpa_supplicant.conf file.

$ wpa_passphrase "ssid"
# reading passphrase from stdin
password
network={
    ssid="ssid"
    #psk="password"
    psk=77475166938e2ddc18bcde2a59d4b63810c0a05ddf9b931e4b0223b74e94e389
}

Run containers

1. enable the kernel's containerization feature
2. disable swap
3. if kubernetes is involved, set up the firewall to use the legacy configuration

Kernel containerization features

Enable containerization features in the kernel to be able to run containers as intended.

Add the following properties at the end of the line in /boot/cmdline.txt:

cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1

sed -i '/cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1/!s/\s*$/ cgroup_enable=cpuset cgroup_enable=memory cgroup_memory=1&/' /boot/cmdline.txt

Firewall settings

Switch Debian firewall to use the legacy configuration:

update-alternatives --set 'iptables'  '/usr/sbin/iptables-legacy'
update-alternatives --set 'ip6tables' '/usr/sbin/ip6tables-legacy'

Store files on the SD even when the overlay file system is active

The files just need to be stored on a different file system from /. You can partition the SD and use that, or create a file and mount it as a virtual file system:

truncate -s '6G' 'file'
mkfs.ext4 'file'
mkdir 'mount/point'
sudo mount -t 'ext4' -o 'loop' 'file' 'mount/point'
sudo chown 'user':'group' 'mount/point'
touch 'mount/point/new-file'

Disable automatic upgrades

Raspberry Pi OS has daily upgrades enabled by default. Check the second line of this command's output:

systemctl status 'apt-daily-upgrade.timer'

Check the time it was last run with the following:

stat -c '%z' '/var/lib/apt/daily-lock'

If the service is enabled, there should be a record of that in /var/log/dpkg.log.

To disable this, execute the following:

sudo systemctl mask 'apt-daily-upgrade'
sudo systemctl mask 'apt-daily'
sudo systemctl disable 'apt-daily-upgrade.timer'
sudo systemctl disable 'apt-daily.timer'

Using mask to prevent the above services from being re-enabled by some dependency.

Notice those are two separate services; they both run /usr/lib/apt/apt.systemd.daily, a shell script, with parameters install and update.

Further readings

• /boot/config.txt
• Overclocking
• rfkill
• Country code search
• k3s

Sources

• Prepare SD card for WiFi on headless Pi
• Run Kubernetes on a Raspberry Pi with k3s
• Project's issue 2067
• Re: How to make sure the rpi CPU is not throttled down?
• Timely tips for speeding up your Raspberry Pi