Console installation


1. About the console installation mode

Console installation of the OS consists of the following steps:
- select the security level based on the license purchased;
- accept the terms and conditions of the License Agreement;
- configure the system parameters;
- confirm installation;
- reboot the PC after installation;
- if installed successfully, run the OS for the first time.

These buttons help navigate the installation process:
- [Next] - go to the next page;
- [Back] - return to the previous page;
- [Install] - begin installation.

Use these keys to navigate the menu and set values:
- <Left arrow>, <Right arrow>, <Up arrow>, <Down arrow> - move the pointer left, right, up or down respectively;
- <Tab> - move the pointer to the next object;
- <Space>, <Enter> - change, enable;
- <Esc> - cancel;
- <F10> - quit;
- <Ctrl+left_Alt+FN> (where <FN> --- <F1>-<F7> keys) --- switch to the respective console:
	- tty1 --- runs the installer;
	- tty2-tty6 --- for debugging.


2. License

The "License" screen contains the text of the license agreement under which the installed OS is supplied.

To continue the installation, on the License screen:
1) select the security level corresponding to the purchased license:
	- Base;
	- Advanced;
	- Maximum;
	Note. The security level defines the available security functions.
2) check the "I accept the license agreement terms" checkbox;
3) click [Next].


3. Configuring system parameters

After accepting the License Agreement and clicking [Next] the system configuration screen will appear.
Each parameter can be changed or left as default.


3.1 Regional Settings

In the section "Regional Settings" of the "Settings" screen, there is a set of parameters that define the OS localization and time settings:
- In the "Language Switching" field, select the key combination for changing the input language. The default combination is <Alt+Shift>;
- In the "System Language" field, select the language of the installed OS. You can select either Russian or English. The default language is Russian;
- In the "Time zone" field, select the UTC time zone, according to which the system time will be adjusted;
- In the "Date" field, set the current date in the opened calendar window;
- In the "Time" field, set the current time in the opened window, if it differs from the system time.


3.2 Authorization settings

In the "Authorization settings" section of the "Settings" screen, set up the administrator password. The administrator username, the PC name and the bootloader password can also be set.

In the "Authorization settings" section, set up the administrator's account:
- enter the administrator's password in the "Password" and "Password confirmation" fields. The password can be any sequence of letters, digits and other characters, and must be at least 8 characters long. It is recommended to use a complex password containing at least three groups of characters out of the following ones:
	- uppercase and lowercase Latin letters;
	- digits;
	- punctuation characters;
	- math characters;
	- special characters.
- if required, enter the system administrator's username in the "Username" field. The default username is "administrator". The username must begin with a lowercase letter and may contain any sequence of lowercase letters and digits. It must be 1-32 characters long.

The hostname is a one-word string that identifies the computer in a network. Enter the hostname in the "Hostname" field. The default hostname is "astra". The hostname may contain digits, uppercase and lowercase Latin letters and a dash character ("-"). The hostname cannot start or end with a dash character ("-"). It can be 1-63 characters long.

The GRUB password is set to match the administrator's password by default. To change the GRUB password, change the value in the corresponding field to open the password change dialog, then enter and confirm the new password.
To install the bootloader without password protection, uncheck the "Setup the bootloader (GRUB) password" box.
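
The username, hostname and password rules of this section can be checked before the values are typed into the installer. The following is an added example, not part of the installer or of the original page. It assumes that "letters" means ASCII letters, and its split of punctuation, math and special characters is illustrative, because the page names the groups but not their members.

```python
import re
import string

# Rules from section 3.2. Assumption: "letters" means ASCII letters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9]{0,31}")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

# Assumption: the page names the character groups but not their members,
# so this split of ASCII punctuation into three groups is illustrative.
MATH = set("+-*/=<>^%")
PUNCT = set(".,;:!?'\"()[]{}")
SPECIAL = set(string.punctuation) - MATH - PUNCT


def valid_username(name):
    # fullmatch, not match with "$": "$" would accept a trailing newline
    return USERNAME_RE.fullmatch(name) is not None


def valid_hostname(name):
    return HOSTNAME_RE.fullmatch(name) is not None


def password_groups(password):
    """Return the names of the character groups present in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_letters:
            groups.add("letters")
        elif ch in string.digits:
            groups.add("digits")
        elif ch in PUNCT:
            groups.add("punctuation")
        elif ch in MATH:
            groups.add("math")
        elif ch in SPECIAL:
            groups.add("special")
    return groups


def check_password(password):
    """Return (accepted, recommended): 8+ characters; 3+ groups advised."""
    accepted = len(password) >= 8
    return accepted, accepted and len(password_groups(password)) >= 3


if __name__ == "__main__":
    # Constructed sample values, not taken from the page
    for pw in ("password", "Astra-2024!"):
        print(pw, check_password(pw))
```

The same password check applies to the passphrase requested by the partitioning schemes with protective transformation, which must meet the administrator password requirements.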


3.3 Other settings

In the "Other settings" section of the "Settings" screen, set up the disk partitioning scheme, the installed software suites, and select the OS kernel.

In the "OS components" section check the necessary OS components on the list and click [OK]. The following components are available:
- "Fly GUI" --- the GUI desktop environment and Fly software. The checkbox is checked by default. If unchecked, only the console mode will be available in the installed OS;
- "Internet tools" --- browsers, email clients, etc. Checked by default;
- "Office applications" --- LibreOffice package and additional text editors, printing and scanning software. Checked by default;
- "Graphics tools" --- graphic editors for vector and rasterized graphics. Checked by default;
- "Multimedia" --- audio and video players. Checked by default;
- "Virtualization tools" --- virtualization environment creation tools and basic VM management tools. Unchecked by default. If the "Ufw firewall" box is checked, the box will be unchecked upon leaving the screen;
- "Games" --- a games suite. Unchecked by default;
- "Console tools" --- various console tools;
- "Network packets filtering tool ufw" --- ufw firewall with preset profiles. Checked by default. If the "Virtualization tools" box is checked, the box will be unchecked upon leaving the screen;
- "Touchscreen support" --- various touchscreen software;
- "SSH server" --- OpenSSH server. Unchecked by default.

The selected components will be installed with the OS. Click [OK] to save the selection and return to the "Settings" screen. Click [Cancel] to return to the "Settings" screen, discarding all changes.

Click "Additional settings" to configure the OS security parameters, automatic network setup and select the system time type. The available settings depend on the security level selected. Every security level includes settings from the previous security level.

The "Base" security level settings include:

- "Disable bootloader menu" --- GRUB2 menu will not be displayed. The OS kernel will be loaded as per the default setting. Unchecked by default;
- "Disable ptrace capability" --- code tracing and debugging capability will be disabled. Checked by default;
- "Enable sudo password" --- sudo password will be required. Checked by default;
- "Disable execution bit setup" --- execution bit setting will be prohibited to prevent unauthorized creation of executable scripts. Unchecked by default;
- "Enable interpreters lock" --- the user will not be able to use interpreters. Unchecked by default;
- "Enable macros lock" --- standard applications will not be able to run macros. Unchecked by default;
- "Enable console lock" --- users will not be able to use console login or launch console from a GUI session. Unchecked by default;
- "Enable system limits" --- if checked, quotas can be assigned to some system resources. Unchecked by default;
- "Disable automatic network configuration" --- automatic network configuration will be disabled during the OS setup. The network will have to be set up manually. Unchecked by default;
- "System clock in local time" --- set the system clock to local time. It is recommended to check this box if Windows-family operating systems are used together with the OS. Unchecked by default.

The "Advanced" security level includes all the security functions of the "Base" level plus the following ones:

- "Mandatory integrity control" --- enables mandatory integrity control. Checked by default;
- "Enable ELF signature check" --- if checked, the file integrity and authenticity control mechanism is enabled. Unchecked by default;
- "Enable freeing regions cleanup on EXT-partitions" --- if checked, file system blocks are cleared immediately after being freed up, and paging areas are cleared as well. Unchecked by default.

The "Maximum" security level includes all the security functions of the "Advanced" level plus "Mandatory access control" --- enable mandatory access control. Checked by default.

The main (generic) Linux kernel will be installed with the OS. It is intended for protected systems and implements information security features.

The generic kernel has capabilities improving the system overall security, including the STACKLEAK mechanism, safe RAM areas allocation, and restriction of access to RAM pages.


To select the installed OS kernel click "The kernel to install", select the required kernel, and press <Enter> to return to the "Settings" screen.


3.4 Device partitioning

To set up the disk partitioning scheme, in the "Other settings" section, select "Device partitioning scheme".


3.4.1 Partitioning configs

The partitioning tools allow you to:
1) select a disk partitioning config;
2) select a device (disk) to be partitioned;
3) select the partitioning table type --- GPT or MBR (msdos).

Select the disk to be partitioned from the "Disk on which the system will be installed" list.

For automatic disk partitioning, select an appropriate partitioning scheme from the "Disk partitioning config" list:

1) "Use all space on disk" --- the partitioning scheme for small disks (under 40 GB), e.g. for a virtual machine. EXT4 file system is used for the system partition;
2) "Separate home partition" --- the partitioning scheme with a home directory in a separate partition. EXT4 file system is used for the created partitions;
3) "Use all space on disk and setup LVM" --- the partitioning scheme for large disks (over 40 GB). EXT4 file system is used for the created partitions;
4) "Use protective transformation on LVM" --- the partitioning scheme similar to "Use all space on disk and setup LVM", but with the disk protective transformation. A passphrase is requested when this option is selected;
5) "Use all space on disk and setup XFS" --- the partitioning scheme similar to "Use all space on disk". XFS file system is used for the created partitions;
6) "Use protective transformation on XFS" --- the partitioning scheme similar to "Use all space on disk and setup XFS", but with the disk protective transformation. A passphrase is requested when this option is selected. XFS file system is used for the created partitions;
7) "Use "Red Book" as disk layout" --- the partitioning template as per the information security recommendations and with the disk protective transformation. This template creates the following additional partitions:
	a) /boot --- boot data;
	b) /home --- user home directories;
	c) /tmp --- temporary files deleted after a reboot;
	d) /var/tmp --- temporary files preserved after a reboot.
	EXT4 file system is used for the created partitions. A passphrase is requested when this option is selected.

The passphrase for the protective transformation must meet the same requirements as the administrator's password.

To perform partitioning manually, select one of the schemes and edit it.

To select the GPT partition table type, check the "Use GPT partition table" box. Uncheck the box to use MBR partition table.


3.4.2 Partition layout editing

To edit the selected partitioning scheme press <F2>.

The following can be edited:
1) partitions file systems;
2) partitions labels;
3) partitions mount points;
4) partitions creation or deletion;
5) swap area.

To partition the disk manually, edit, comment out or delete the existing strings, or add new ones.


3.4.3 Partition tables

WARNING! If the disk contains valuable data and must not be formatted, the partition table must not be created. Create the required partitions after free disk space allocation.

If the disk is empty or can be formatted, the partition table should be created.

The msdos partition table is supported by all PCs. However, the msdos partition table can have no more than four primary partitions. The example uses partitioning with the GPT partition table.

The GPT partition table is created with the following string:
	clearpart --all --drives=/dev/<device> --disklabel=gpt


3.4.4 Boot partition

The boot partition is created with the following strings:
	bootloader --boot-drive=/dev/<device> --location=partition

	part /boot --label=boot --fstype=ext2 --size=1024 --asprimary


3.4.5 LVM volume group

To create the LVM volume group of the recommended configuration, use all the remaining free disk space or set the volume group size to meet the following requirements:
1) root partition --- at least 8 GB;
2) "/home" and other partitions --- as per the suggested use.

The LVM volume group is created with the following strings:
	part pv.lvm_part --grow --asprimary

	volgroup VG pv.lvm_part
	logvol / --fstype=ext4 --name=lv_root --vgname=VG --recommended
	logvol /home --fstype=ext4 --name=lv_home --vgname=VG --recommended


3.4.6 Swap area setup

Swap area is used to enable hibernation and improve performance with low RAM.

The swap area can be allocated as a file and/or a disk partition. It is recommended to use a swap file instead of a swap partition.

If the RAM volume exceeds 64 GB, the swap area is not needed. To disable the swap area creation, comment out the respective strings.

A swap partition is created with the following string:
	logvol swap --fstype=swap --name=lv_swap --vgname=VG --recommended

A swap file is created with the following string:
	swapfile --path=/ --recommended

The installed OS can have both a swap file and a swap partition.
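
A consistency check for a layout written with the strings from 3.4.3-3.4.6, given as an added example that is not part of the installer or of the original page. It assumes that "#" is the marker used to comment a string out and uses /dev/sda as a constructed device name; the findings are this example's own, based on the four-primary-partition limit of msdos and the partition list of the "Red Book" scheme.

```python
import shlex
RED_BOOK = {"/boot", "/home", "/tmp", "/var/tmp"}  # partitions listed in 3.4.1

# The page's strings from 3.4.3-3.4.6; /dev/sda is a constructed device name.
SAMPLE = """\
clearpart --all --drives=/dev/sda --disklabel=gpt
bootloader --boot-drive=/dev/sda --location=partition
part /boot --label=boot --fstype=ext2 --size=1024 --asprimary
part pv.lvm_part --grow --asprimary
volgroup VG pv.lvm_part
logvol / --fstype=ext4 --name=lv_root --vgname=VG --recommended
logvol /home --fstype=ext4 --name=lv_home --vgname=VG --recommended
# logvol swap --fstype=swap --name=lv_swap --vgname=VG --recommended
swapfile --path=/ --recommended
"""

def parse_layout(text):
    """Yield (command, positional args, options) for each active string."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):  # assumption: "#" comments a string out
            continue
        cmd, *rest = shlex.split(line)
        opts = dict(t[2:].partition("=")[::2] for t in rest if t.startswith("--"))
        yield cmd, [t for t in rest if not t.startswith("--")], opts

def lint_layout(text):
    """Return findings for a layout built from the strings in 3.4.3-3.4.6."""
    findings, label, primaries = [], None, 0
    pvs, vgs, mounts = set(), {}, set()
    for cmd, args, opts in parse_layout(text):
        if cmd == "clearpart":
            label = opts.get("disklabel")
        elif cmd == "part" and args:
            primaries += "asprimary" in opts
            (pvs if args[0].startswith("pv.") else mounts).add(args[0])
        elif cmd == "volgroup" and len(args) > 1:
            vgs[args[0]] = args[1:]
        elif cmd == "logvol" and args:
            mounts.add(args[0])
            if opts.get("vgname") not in vgs:
                findings.append(f"logvol {args[0]}: volume group not defined above")
    for vg, members in vgs.items():
        findings += [f"volgroup {vg}: no part string for {pv}" for pv in members if pv not in pvs]
    if label == "msdos" and primaries > 4:
        findings.append(f"msdos table: {primaries} primary partitions, limit is 4")
    if "/" not in mounts:
        findings.append("no root (/) partition or logical volume")
    missing = sorted(RED_BOOK - mounts)
    return findings + (["not on separate partitions: " + ", ".join(missing)] if missing else [])
```

For the sample above, `lint_layout(SAMPLE)` reports only that /tmp and /var/tmp are not on separate partitions.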


3.4.7 Partitioning completion

To complete the disk partitioning, click [Apply]; to dismiss changes, click [Cancel].

Partitioning will be performed during the OS installation.


4. OS installation

When all required options are set on the "Settings" screen and the disk is partitioned, proceed to the OS installation.

If the PC does not need to be rebooted, uncheck the "Reboot computer after installation is complete" box.

Click [Install] to begin installation. When informed that all of the data on the partitioned disks will be erased, click [Yes] to confirm or [No] to cancel installation. If installation is confirmed, the window will close and OS installation will begin.

Installation progress will be shown on the progress bar and in the installation log.
The installation log is written into the /var/log/astra-installer.log file.
Once the installation is complete, the computer will reboot automatically if the corresponding checkbox has been checked. Otherwise, a message will appear stating that the installation has finished successfully. Installation time will be displayed below.

Press [Finish] to exit the installer and reboot the computer.
