hchc
Veteran Cruncher
USA
Joined: Aug 15, 2006
Post Count: 805
Beginner's Guide to installing and configuring Linux and BOINC for a headless, low maintenance dedicated crunchbox


Have a spare PC you wish to use to run distributed computing projects like BOINC? Sick of dealing with Windows, Windows Updates, Windows privacy issues/telemetry/spying/constantly phoning home? Want something leaner, more automated, and free? Consider installing Linux to this machine. Here's how.

Created 12/20/23
Last updated 2/27/24

I've been talking about writing up a little guide for the past few months, but I finally got around to doing it over the Christmas holidays, mostly because I was spinning up a few new systems, so I needed a refresher course. This guide is subject to improvements, but it should get most beginners started. Don't feel anxious about using the command line. It's really worth the speed and security in not installing the full-blown desktop environment.

I'm partial to Debian Stable, so that's what I focus on in this guide. According to Debian Releases - Debian Wiki, a new major release comes out every two years (in odd numbered years, 2023, 2025, etc.), and each release is supported for about 5 years, so it's technically a long-term stable release, which is perfect for "set it and forget it" if you want. (Upgrading to the next major release is only a few steps and is pretty smooth.) Plus, it's cute how each release is named after a new character from the Toy Story movies.

If there are any mistakes or improvements or questions, please let me know!

----------------------------------------------------------
Before You Begin

These are some general maintenance and housekeeping in the machine's BIOS/UEFI settings.

  • [Recommended] Update the BIOS/UEFI on the computer/motherboard so it has the latest version, which may contain security fixes and bug fixes.
  • Feel free to make sure that the PC is in UEFI mode and not legacy BIOS/compatibility mode. Debian supports UEFI.
  • Feel free to enable Secure Boot in UEFI. Debian supports Secure Boot as of Debian 10 (Buster).
    After you've installed the OS (see steps below), you can verify with this command:
    sudo mokutil --sb-state

    Should say "SecureBoot enabled"
  • If your PC's BIOS/UEFI has a setting for "headless" mode, it's a good idea to enable it, leading to less of an expectation for a display or keyboard needing to be connected. Also, if there are settings in your BIOS/UEFI to disable error messages if there's no monitor or keyboard attached, it's a good idea to turn those off (unless you plan on always having a keyboard connected to this machine). Otherwise the machine will stall every reboot.
  • I usually change the "Power Loss" option to "Last State" as opposed to On or Off. In the event of a power outage, the crunchbox will turn itself back on when power is restored, unless I've intentionally powered off all machines (such as going on a long vacation), in which case I'd like them to remain off.
  • Performance: If you want to save some power and heat, you can disable "Intel TurboBoost" if using an Intel CPU that supports it. Tweak performance options to your personal preference. There may also be other settings such as AMD's Eco mode options, which can dramatically set the maximum power usage of the CPU to something like 65W or 105W instead of full power.
  • Disable any unused options such as microphone, webcam, serial ports, etc. This saves some overhead and helps increase security. For the Network Interface Card (NIC), consider disabling PXE ("pixie") boot, unless you plan on loading the Debian ISO over the network that way.


----------------------------------------------------------
Things You Need

1. Your main PC that you will use to manage this crunchbox once it's set up. (management via SSH to log into the system and via BOINC Manager to manage the BOINC Client on the crunchbox)
2. A PC you plan on dedicating as a crunchbox.
3. Keyboard, Internet connection, monitor to temporarily set up the crunchbox. Mouse is optional and only needed if you choose the graphical installer. You can still use the keyboard arrow keys, Tab key, space bar, and Enter key to easily get around both the text installer and the graphical installer, so a mouse is not necessary.
4. Source media for the operating system ISO (either a USB flash drive at least 1 GB in size or a CD-R or CD-RW). This entire media will be formatted and consumed, so make sure there is nothing important on it. The Debian 12 Net Install ISO is about 630 MB in size.
5. Destination media that will run the operating system on your crunchbox. This can be a spinning Hard Disk Drive, SSD (SATA, m.2 SATA, m.2 NVMe, mSATA, whatever the PC understands), or a good quality USB flash drive that stays permanently connected. You can absolutely save money and install to a cheap USB flash drive, but there are things that must be configured to reduce the amount of saves/writes to the drive to prevent premature wear and tear. Recommend at least 16 GB but preferably 32 GB or more, USB 3.x instead of USB 2. This entire media will be formatted, partitioned, and consumed during the install process, so make sure there is nothing important on it. If using a USB flash drive, recommend connecting it to the USB ports on the back of the PC as opposed to the front USB ports (which are 1 "hop" away because the front USB ports are technically a USB hub). Server motherboards often have a hidden USB port on the motherboard itself often used for running an Operating System, so use that if there is one.
6. An SSH client. Windows, macOS, and Linux should have native SSH clients, but I'm a creature of habit and still use PuTTY on Windows.

PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/ or https://putty.org

7. A way to create bootable install media of the Debian image.

balenaEtcher: https://etcher.balena.io/
Rufus: https://rufus.ie/en/

If you are old school and plan to burn a CD-R or CD-RW, Windows has a built-in utility, or you can also use something like CDBurnerXP.

CDBurnerXP: https://www.cdburnerxp.se/en/download (make sure to go to "More download options" and choose the version without installCore, which has a ton of bloatware if I remember correctly.)


----------------------------------------------------------
Download Debian 12 (Bookworm) and create installation media

1. Go to https://www.debian.org/
2. Download the Net Installer ISO image. What I like about the Net Installer is that it lets you customize what is installed on the crunchbox, so you can get a very lean, minimal installation; in other words, we can opt out of installing a GUI/Desktop Environment on a system designed to be a server that only crunches all day.

3. "Burn" the ISO to your source media.

----------------------------------------------------------
Install Debian 12 (Bookworm) from Net Install media

* Text install
* Choose language, country, keyboard layout.
* Choose network interface if more than one.
* Give it a hostname.
* Give it a domain name. (Can maybe leave blank or use "localdomain")
* If you leave the Root password empty (recommended), "the root account will be disabled and the system's initial user account will be given the power to become root using the 'sudo' command."
* Create user account. It first asks for name (can leave blank). Then asks for the username. Then give it a fairly strong password, preferably one that you don't use anywhere else.
* Time zone

Partition disks

* Manual, no swap - (no swap is especially important if installing to USB flash drive for longevity. Beneficial for SSD too. Just make sure there is enough physical memory.)

* Set country for mirror
* Package user survey - yes or no.

Software selection

* SSH server, standard system utilities. No Debian desktop environment (nothing underneath it), no web server. Use the space bar to select or deselect.

* Install the GRUB boot loader to your primary drive.
* Carefully select the destination drive e.g. /dev/sda

* When prompted to, remove the installation media (the original USB flash drive or CD-R)

* Reboot.

----------------------------------------------------------
Log in for the first time
(1-2 minutes)


Log in for the first time with username and password.

This is a standard user account that is automatically a member of the "superuser" (su) group. When doing things that require elevated privilege, you can preface the command with "sudo"

sudo apt-get update

sudo apt-get upgrade
(should be nothing since it's a fresh installation)

Optional but recommended utilities:

sudo apt-get install htop

htop
(and F10 to exit)
htop is a great utility to see basic information on CPU, memory, uptime, and processes.

sudo apt-get install lm-sensors

sensors

The lm-sensors package allows monitoring of CPU temperature.

sudo apt-get install s-tui

s-tui

s-tui is a fantastic, colorful utility to visualize CPU usage, temperature, and frequency. I recently saw this in a ServeTheHome YouTube video.

sudo apt-get install btop

btop

btop is a FANCY, graphical, colorful utility to visualize processes, CPU, RAM, disk usage, network usage, CPU core usage and temperatures, and you can even use the mouse over an SSH session. I recently saw this in a Lawrence Systems YouTube video.

----------------------------------------------------------
Uncomplicated Firewall (UFW)
(5 minutes)

Documentation: https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29

sudo apt-get install ufw


sudo nano /etc/default/ufw


Change "IPV6=yes" to "IPV6=no" so it doesn't automatically create IPV6 rules (if this applies to you). Ctrl+O saves. Ctrl+X exits.

sudo ufw limit ssh

sudo ufw allow 31416/tcp
(if you run BOINC)
sudo ufw allow 36330/tcp
(if you run Folding@home)
sudo ufw enable

sudo ufw status
(list rules)
sudo ufw status verbose


sudo ufw status numbered


From this point on, you should be able to remotely administer your crunchbox from the comfort and convenience of your main PC(s) using an SSH client (e.g. PuTTY for Windows). Most machines won't even need a keyboard attached (make sure BIOS/UEFI is configured so that the lack of keyboard doesn't throw an error), just AC mains power and network.


----------------------------------------------------------
BOINC and WCG
(5 minutes)

We're specifically installing just the BOINC Client, not the entire BOINC application, including the BOINC Manager. This is because this crunchbox will be managed from BOINC Manager from your main computer (with a GUI, keyboard, mouse, display), as the crunchbox is designed to be headless.

sudo apt-get install boinc-client


cd /etc/boinc-client

sudo nano remote_hosts.cfg

Add the hostname(s) (one on each line) of the PC that runs BOINC Manager that will connect remotely to this crunchbox. This whitelists this machine(s) and denies anything not on this list.


sudo nano gui_rpc_auth.cfg

Recent versions of BOINC require a password and no longer allow blank passwords, and unfortunately, BOINC Manager doesn't have functionality to save passwords. Assuming this crunchbox lives in your home network and there is nothing sensitive on it, it should be acceptable to choose a weak password such as 123 or 1 or a or 12345. "12345? That’s the kind of combination an idiot would put on his luggage!"

sudo service boinc-client restart


In my opinion, we're done here. It's easier to do the rest of the config using BOINC Manager on your main machine, including attaching to WCG and other BOINC projects, changing settings and preferences, etc. You can also do all this from the command line, but meh.

Note: Sometimes after the PC has rebooted, I'm unable to connect using BOINC Manager on my main PC to the Linux crunchbox, but I know BOINC/WCG is running. Simply ssh in real quick, and do:

sudo service boinc-client restart


This restarts the BOINC service and you should be able to immediately connect from BOINC Manager.

----------------------------------------------------------
Folding@home

This section only applies if you wish to crunch for the Folding@home project and has nothing to do with BOINC or World Community Grid.

Instructions: https://foldingathome.org/support/faq/install...allation-advanced/?lng=en

Go to https://foldingathome.org/alternative-downloads/?lng=en
Ex: https://download.foldingathome.org/releases/p...ahclient_7.6.21_amd64.deb

wget https://download.foldingathome.org/releases/p...ahclient_7.6.21_amd64.deb

sudo dpkg -i --force-depends fahclient_7.6.21_amd64.deb


It'll then launch a graphical interface that asks for username, team, passkey, etc.

If it auto-starts even if you tell it not to and you see activity, pause it:
FAHClient --send-pause


Do "htop" to check if it obeyed your command to pause. If that didn't work, try
sudo /etc/init.d/FAHClient stop


Get the latest GPU compatibility list and update the local copy.
sudo wget https://apps.foldingathome.org/GPUs.txt -P /var/lib/fahclient/


Then edit the config.xml and either type up or copy and paste (over SSH from your main PC) a config file.
sudo nano /etc/fahclient/config.xml



<config>
<!-- Folding Core -->
<checkpoint v='20'/>

<!-- HTTP Server -->
<allow v='127.0.0.1 192.168.1.0/24'/>
<deny v='0.0.0.0/0'/>

<!-- Network -->
<proxy v=':8080'/>

<!-- Remote Command Server -->
<password v='CreateARemoteAccessPassword'/>

<!-- Slot Control -->
<power v='full'/>

<!-- User Information -->
<passkey v='PutYourPasskeyHere'/>
<team v='123456'/>
<user v='abcdefgh'/>
</config>


In the above example config, in the "HTTP Server" section, I added a space after 127.0.0.1 with 192.168.1.0/24 (as an example of many home users' default LAN) to allow remote access from the entire 192.168.1.* subnet. Because of the way the 7.x client works, it's also important to add the <deny v='0.0.0.0/0'/> line; otherwise, the allow whitelist isn't enforced, and it's a free-for-all and all IP addresses are allowed.

Then send the command to direct Folding@home to use the updated config.xml file:
FAHClient --config /etc/fahclient/config.xml


sudo /etc/init.d/FAHClient stop

sudo /etc/init.d/FAHClient start


sudo reboot


----------------------------------------------------------
Unattended Upgrades
(20 minutes)

This looks more complicated than it really is, but fear not, it's really just following a few steps. It's 100% worth taking a few minutes and doing. Debian Stable doesn't really update applications that often (if ever), so any updates that do come out are usually important security fixes. Taking about 20 minutes to set this up just once allows your system to truly be automatic and secure. The machine will check for updates every night and apply them, and a few times a year updates will require a system reboot, so it'll do that automatically as well, and BOINC will automatically start crunching after reboot. Truly a set-it-and-forget-it experience.

Documentation: https://wiki.debian.org/UnattendedUpgrades

Note before we begin: I have my machines set to check for updates at 5:30 am, upgrade apps at 6:00 am, and reboot (if needed) immediately. Adjust to your own needs. Usually checking for and downloading updates takes less than one minute, upgrading apps takes a few seconds up to a couple minutes. A few times a year a big Debian point release or kernel update comes, and these are bigger, take longer, and require a reboot.

sudo apt-get install unattended-upgrades

sudo apt-get install powermgmt-base


powermgmt-base is needed so the machine knows when it's on AC vs. battery power. This is important if running on a dedicated laptop or on any desktop/server that is connected to a UPS. Otherwise, you can skip this.

Let's first change directory to the directory we're gonna be working in and list the contents:

cd /etc/apt/apt.conf.d

ls -l


1. Edit the main config file

sudo nano 50unattended-upgrades


Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true"; // change false to true
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::OnlyOnACPower "true";
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

The above are what I've changed and work for me. To change them, scroll through the file and uncomment the line (commented lines begin with "//" so removing the two slashes activates the setting.)

Example: You would change:
// Unattended-Upgrade::Automatic-Reboot "true";
to:
Unattended-Upgrade::Automatic-Reboot "true";

and make sure the "true" or "false" at the end is what you wish it to say. Make sure the ; is still there.

2. Create and edit 20auto-upgrades

sudo nano 20auto-upgrades

(This file doesn't exist yet, so we'll add a few lines to a blank file.)

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";


3. Change the timers.

This is where I've told it to check for updates at 5:30 am and perform the upgrade at 6:00 am.

sudo systemctl edit apt-daily.timer


[Timer]
OnCalendar=
OnCalendar=05:30
RandomizedDelaySec=0


sudo systemctl restart apt-daily.timer

sudo systemctl status apt-daily.timer


sudo systemctl edit apt-daily-upgrade.timer


[Timer]
OnCalendar=
OnCalendar=06:00
RandomizedDelaySec=0


sudo systemctl restart apt-daily-upgrade.timer

sudo systemctl status apt-daily-upgrade.timer



----------------------------------------------------------
Useful Command Line Commands

sudo reboot


sudo shutdown -h

This powers down the system after one minute.

sudo shutdown -h now

This powers down the system immediately.

cd [whatever]

This changes directory to what you specify.

cd ..

This goes up one level to the parent directory.

ls

This lists the contents of the directory.

ls -l

This lists the contents of the directory in a more detailed view.

cat

This prints the contents of a text file to the screen.

uptime

sensors
(temperature)

htop
(and F10 to exit)

logout

clear
clears the screen (similar to "cls" in Windows/DOS)

lscpu

This shows detailed information on the CPU.

lsblk

This shows information about storage.

sudo apt-get update

sudo apt-get upgrade

sudo apt-get dist-upgrade

These manually update the packages on the system. This should be unnecessary if Unattended Upgrades is configured.

passwd

This allows you to change your password.

pwd

Print working directory - shows where you are in case you are lost.

ip a
(ip address)

nano

Ctrl+X exits (and asks you to save if you have unsaved changes)
Ctrl+O saves
Sometimes you will need to use sudo nano to run the text editor as superuser.

Nano is a popular text editor that is fairly easy to use for beginners. Vim has a larger learning curve but is likely more powerful.

Ctrl+C
If you're "stuck" and something won't let you get back to the command prompt, oftentimes Ctrl+C will close out.

uname -a

cat /etc/debian_version

lsb_release -a

These commands show Operating System information.

sudo service --status-all

sudo service boinc-client start

sudo service boinc-client stop

sudo service boinc-client restart


Copying and pasting over an SSH session in PuTTY:

Copying and pasting is kinda weird, but you get used to it. To copy, simply use your mouse and highlight the text on the screen you want to copy, and it automatically copies it immediately. (And then you can simply paste it in Windows like normal using your mouse or Ctrl+V.) If you want to copy something in Windows like normal, Ctrl+C, then switch back to PuTTY, move the keyboard cursors exactly where you wish to paste, and then right-click and it will paste whatever you copied in Windows.

----------------------------------------------------------
Tips to Cut Down on Disk Writes if Running on Flash Media

If you are running this on some kind of flash media; e.g., USB flash drive or Solid State Disk (SSD) (whether SATA or NVMe), it may be helpful to minimize disk writes to reduce wear and tear and wear-leveling and thus increase the lifespan of the system. This is much more important on USB flash media (e.g. 16 GB, 32 GB, 64 GB etc. sizes) vs. SSDs due to the quality and quantity of NAND flash memory cells involved.

1. When doing the initial installation of Linux and partitioning the disk, completely delete the "Swap" partition, and simply use that partition as part of the ext4 root / partition. You can do this with manual partitioning or use the Guided Partitioning and go back and delete Swap and / and create a new / with all the free space. It will ask you if you are sure you want to not have swap space, and say yes.

This assumes your system has enough physical memory (RAM) to run everything. In World Community Grid (WCG), the Africa Rainfall Project (ARP1) tends to need 1-2 GB per work unit.

2. In BOINC Manager, go to Options --> Computing Preferences

A) On the Computing tab --> Other, increase "Request tasks to checkpoint at most every xxx seconds." I've been satisfied using 1800 seconds (30 minutes). 600 seconds is 10 minutes; 1200 seconds is 20 minutes, etc.

B) On the Disk and memory tab --> Memory, make sure "Leave non-GPU tasks in memory while suspended" is checked, and set "Page/swap file: use at most x %" to 1%, which is the lowest number you can put.

3. Reduce the swappiness value.

https://www.howtogeek.com/449691/what-is-swap...nux-and-how-to-change-it/

cat /proc/sys/vm/swappiness


sudo nano /etc/sysctl.conf

vm.swappiness = 0

Add the above line to the bottom of the file.

sudo sysctl -p

This will apply changes without rebooting. Otherwise, simply reboot.

----------------------------------------------------------
Out of Scope

These items are currently out of scope for this setup guide. Some of these things look interesting and may be included in the future, while others require a bit more expertise that I don't currently have.


  • Adding the bookworm-backports repo to get newer versions of boinc-client when they are released. Backports is the repository for software from the "testing" (or upcoming) version of Debian. This change only takes a minute or two, and boinc-client gets upgraded.
  • Upgrading to a newer version of Debian Stable, when they are released. The work for this only involves changing a few things (/etc/apt/sources.list) and takes a couple minutes, and the upgrade itself usually takes 30-60 minutes and is usually very smooth.
  • Using certificate-based SSH to login instead of password-based.
  • Setting up a RAMdisk to further reduce the wear and tear of writing to an SSD or USB flash drive.
  • Security-Enhanced Linux (SELinux) or AppArmor
  • Further security hardening within Debian.
  • Network UPS Tools (NUT) so that if your crunchbox is on a UPS and the UPS detects that there is a power outage, the one PC that is connected via USB cable to the UPS can run the server ("NUT Master") and sends the signal to every PC on your network that is running the client ("NUT slave") to gracefully shutdown. This also helps with load shedding: if BOINC knows it's on battery power, it could suspend all tasks. Of course, if you don't have your machines on UPS battery backups, they'll simply lose power, which usually isn't the end of the world.
  • Other Linux distributions like OpenSUSE Leap, Fedora Server, Ubuntu Server, etc.
  • Expert Linux distributions like Gentoo, Linux from Scratch. I've read that you can customize exactly the bare minimum that is installed, leading to a leaner and more secure system.
  • More advanced disk partitioning like having separate partitions for /home, /var, and /tmp
  • Full Disk Encryption (FDE) e.g. LUKS. Assuming these are dedicated machines, there should be zero sensitive or personal information on them, so it's more hassle than it's worth having to type a strong passphrase every boot.
  • Placing dedicated crunchboxes into their own Virtual Local Area Network (VLAN) to separate them from the main network. This is consistent with the "security by isolation/security by compartmentalization" concept. This means compromise of your crunchbox machines can be better contained and lessen the impact on your more important machines with personal information and precious data.
  • System backups and Home folder backups in case of OS or hardware failure. This would allow, for example, a restoration of BOINC settings, including the Host ID information and prevent the possibility of accidentally creating a duplicate Host ID when restoring the system.

----------------------------------------
  • i5-7500 (Kaby Lake, 4C/4T) @ 3.4 GHz
  • i5-4590 (Haswell, 4C/4T) @ 3.3 GHz
  • i5-3570 (Broadwell, 4C/4T) @ 3.4 GHz

----------------------------------------
[Edit 11 times, last edit by hchc at Feb 27, 2024 1:29:36 PM]
[Jan 19, 2024 9:19:15 AM]
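
Added example (not part of hchc's post): a shell check of the two remote-management settings the guide configures, namely the UFW rules for 31416/tcp and 36330/tcp and the Folding@home allow/deny list whose missing deny line leaves the allow list unenforced. Function names, finding labels and both sample inputs are constructed for this illustration; each function reads its input on stdin.

```sh
#!/bin/sh
# Added example, not from the original post. Ports are the ones the guide
# opens: 31416/tcp (BOINC GUI RPC) and 36330/tcp (Folding@home).
MGMT_PORTS="31416 36330"

# Read `ufw status` (or `ufw status verbose`) text on stdin and print each
# management port that is allowed from Anywhere instead of from the LAN.
ufw_open_mgmt_ports() {
    awk -v ports="$MGMT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        { gsub(/\(v6\)/, "") }              # give IPv6 rows the same shape
        $2 == "ALLOW" && $NF == "Anywhere" {
            split($1, a, "/")               # "31416/tcp" -> "31416"
            if (a[1] in want) print a[1]
        }' | sort -u
}

# Print the v='...' value of the first <ELEMENT v=.../> line in $cfg_text.
# Lines that contain an XML comment opener are skipped.
xml_attr() {
    printf '%s\n' "$cfg_text" |
        sed -n -e '/<!--/d' \
               -e "s/.*<$1 v=['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

# Read a FAHClient config.xml on stdin; print one finding per line and
# nothing at all when the allow list is backed by a default deny.
fah_acl_findings() {
    cfg_text=$(cat)
    allow=$(xml_attr allow); deny=$(xml_attr deny); pass=$(xml_attr password)
    case " $deny " in *" 0.0.0.0/0 "*) ;; *) echo "no-default-deny" ;; esac
    case " $allow " in *" 0.0.0.0/0 "*) echo "allow-any" ;; esac
    case "$pass" in
        ""|CreateARemoteAccessPassword) echo "placeholder-password" ;;
    esac
    return 0
}

# Constructed sample: `sudo ufw status` after following the guide, with the
# Folding@home rule already narrowed to the guide's example LAN.
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     LIMIT       Anywhere
31416/tcp                  ALLOW       Anywhere
36330/tcp                  ALLOW       192.168.1.0/24
EOF
}

# Constructed sample: the guide's config.xml with the deny line left out and
# the placeholder password never replaced.
sample_fah_config() {
    cat <<'EOF'
<config>
  <!-- HTTP Server -->
  <allow v='127.0.0.1 192.168.1.0/24'/>
  <password v='CreateARemoteAccessPassword'/>
</config>
EOF
}

echo "ufw, open to Anywhere: $(sample_ufw_status | ufw_open_mgmt_ports | tr '\n' ' ')"
echo "fah findings: $(sample_fah_config | fah_acl_findings | tr '\n' ' ')"
```

On the crunchbox, feed it `sudo ufw status | ufw_open_mgmt_ports` and `sudo cat /etc/fahclient/config.xml | fah_acl_findings`. A flagged port can be narrowed with `sudo ufw delete allow 31416/tcp` followed by `sudo ufw allow from 192.168.1.0/24 to any port 31416 proto tcp` (the subnet is the guide's example LAN).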
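
Added example (not part of hchc's post): once 50unattended-upgrades and 20auto-upgrades have been edited as in the Unattended Upgrades section, this shell function reports which of the guide's settings are still commented out with "//", have lost their semicolon, or carry a different value. The function name and the sample file are constructed for this illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Keys and values are the ones
# the guide lists for 50unattended-upgrades and 20auto-upgrades.
WANTED='Unattended-Upgrade::AutoFixInterruptedDpkg true
Unattended-Upgrade::MinimalSteps true
Unattended-Upgrade::Remove-Unused-Kernel-Packages true
Unattended-Upgrade::Remove-Unused-Dependencies true
Unattended-Upgrade::Automatic-Reboot true
Unattended-Upgrade::Automatic-Reboot-WithUsers false
Unattended-Upgrade::OnlyOnACPower true
Unattended-Upgrade::Skip-Updates-On-Metered-Connections true
APT::Periodic::Update-Package-Lists 1
APT::Periodic::Unattended-Upgrade 1
APT::Periodic::AutocleanInterval 7'

# Read apt.conf.d text on stdin; print one line per setting that is not
# active with the wanted value. A line counts as active only if it starts
# with the key (so "// key ..." is ignored) and ends its value with ";".
uu_not_applied() {
    conf=$(cat)
    printf '%s\n' "$WANTED" | while read -r key want; do
        got=$(printf '%s\n' "$conf" |
            sed -n "s|^[[:space:]]*$key[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*|\1|p" |
            tail -n 1)                       # the last assignment wins
        [ "$got" = "$want" ] || echo "$key want=$want got=${got:-unset}"
    done
}

# Constructed sample: both files concatenated, with three mistakes left in
# (a wrong value, a line still commented out, a missing semicolon).
sample_apt_conf() {
    cat <<'EOF'
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::OnlyOnACPower "true"
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
}

sample_apt_conf | uu_not_applied
```

On the crunchbox: `cat /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/20auto-upgrades | uu_not_applied`. `apt-config dump` shows the values APT actually loaded.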
Bryn Mawr
Senior Cruncher
Joined: Dec 26, 2018
Post Count: 345
Re: Beginner's Guide to installing and configuring Linux and BOINC for a headless, low maintenance dedicated crunchbox

Excellent, thank you.
[Jan 19, 2024 12:47:54 PM]
hchc
Veteran Cruncher
USA
Joined: Aug 15, 2006
Post Count: 805
Re: Beginner's Guide to installing and configuring Linux and BOINC for a headless, low maintenance dedicated crunchbox

Updated the guide to add:

lsblk
s-tui
btop

I'm super impressed by s-tui and btop. I thought htop was a big improvement over top, but these take the cake.
----------------------------------------
  • i5-7500 (Kaby Lake, 4C/4T) @ 3.4 GHz
  • i5-4590 (Haswell, 4C/4T) @ 3.3 GHz
  • i5-3570 (Broadwell, 4C/4T) @ 3.4 GHz

----------------------------------------
[Edit 1 times, last edit by hchc at Feb 27, 2024 1:34:04 PM]
[Feb 27, 2024 1:30:42 PM]