# Installation
To install Alpine Linux, the datasets of the system pool and the EFI system partition (ESP) have to be mounted under `/mnt` on the live system.
First import and decrypt the system pool:
```
# zpool import -N -R /mnt tank
# zfs load-key -L file:///tmp/tank.key tank
```
Mount the datasets in the system pool and decrypt the home dataset:
```
# mount tank/root/alpine /mnt -t zfs -o noatime
# zfs mount tank/home
# zfs mount tank/var
```
Mount the ESP:
```
# mkdir /mnt/esp
# mount /dev/md/esp /mnt/esp -t vfat
```
Then install Alpine Linux:
```
# export BOOTLOADER=none
# setup-disk -m sys /mnt
```
To get a functional chroot into the new system, bind-mount the pseudo filesystems of the live system into it:
```
# for dir in dev proc sys run; do
> mount --rbind --make-rslave /$dir /mnt/$dir
> done
# chroot /mnt
```
The other setup scripts can be used to configure key aspects of the system. Besides that, a few necessary services have to be activated.
```
# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# setup-sshd -c dropbear
# rc-update add acpid default
# rc-update add seedrng boot
# rm -rf /var/tmp
# ln -s /tmp /var/tmp
# passwd root
```
> The root password does not really matter because it is going to be locked after a user has been created.
Set `hwclock` to use `UTC` in `/etc/conf.d/hwclock` and disable syncing the time between the system and the hardware clock. Running an NTP daemon makes that unnecessary.
```
clock="UTC"
clock_hctosys="NO"
clock_systohc="NO"
```
Configure the ESP RAID array to be assembled at boot:
```
# modprobe raid1
# echo raid1 >> /etc/modules-load.d/raid1.conf
# mdadm --detail --scan >> /etc/mdadm.conf
# rc-update add mdadm boot
# rc-update add mdadm-raid boot
```
Configure ZFS to mount:
```
# rc-update add zfs-import sysinit
# rc-update add zfs-mount sysinit
# rc-update add zfs-load-key sysinit
```
> If a faster boot time is preferred, `zfs-import` and `zfs-load-key` can be omitted in certain cases.
Edit `/etc/fstab` for correct mounts:
```
/dev/md/esp /esp vfat defaults,nodev,nosuid,noexec 0 2
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec,mode=1777 0 0
proc /proc proc nodev,nosuid,noexec,hidepid=2 0 0
```
Install the following packages to make `mkinitfs` compatible with Secure Boot and TPM-based key decryption:
```
# apk add secureboot-hook sbctl tpm2-tools zlevis
```
Configure `/etc/mkinitfs/mkinitfs.conf` to disable the trigger and to add the `zlevis` hook:
```
features="... zlevis"
disable_trigger="yes"
```
The most important step is the creation of a UKI using `secureboot-hook`, which also signs it automatically. Configure `/etc/kernel-hooks.d/secureboot.conf` to set the kernel cmdline options, the signing keys and the output location:
```
cmdline="rw root=ZFS=tank/root/alpine rootflags=noatime quiet splash"
signing_cert="/var/lib/sbctl/keys/db/db.pem"
signing_key="/var/lib/sbctl/keys/db/db.key"
output_dir="/esp/efi/linux"
output_name="alpine-linux-{flavor}.efi"
```
Use `sbctl` to create the Secure Boot keys and enroll them in the firmware:
```
# sbctl create-keys
# sbctl enroll-keys
```
> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
Set the cache-file of the ZFS pool:
```
# zpool set cachefile=/etc/zfs/zpool.cache tank
```
Now, to check that everything went through successfully, run:
```
# apk fix kernel-hooks
```
and it should give no warnings if done properly.
To install `gummiboot` as a user-friendly bootloader:
```
# apk add gummiboot
# mkdir /esp/loader
# mkdir /esp/efi/boot
# cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi
```
Sign the bootloader with `sbctl`:
```
# sbctl sign -s /esp/efi/boot/bootx64.efi
```
> The signed files can be verified by running `sbctl verify`; in this setup `ESP_PATH=/esp` has to be set for it to work properly.
`gummiboot` can be configured with the file `/esp/loader/loader.conf` with which the timeout and the default OS can be specified:
```
default alpine-linux-lts.efi
timeout 2
editor no
```
Now exit the chroot, unmount the installation tree, export the pool and reboot; the system should come up as a working Alpine installation.
```
# exit
# umount -lf /mnt
# zpool export tank
# reboot
```
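As an added check that is not part of the original guide: a small POSIX shell script that verifies the hardening-relevant settings written during the steps above (the `nodev,nosuid,noexec` and `hidepid=2` mount options in `/etc/fstab`, the `hwclock` settings, the `zlevis` feature and `disable_trigger` in `mkinitfs.conf`, and the UKI output path in `secureboot.conf`). The file paths are the ones used in this guide; the function names are my own, and it is meant to be run inside the chroot before `exit`, or on the rebooted system, with `--run`.

```shell
#!/bin/sh
# Post-install sanity checks for the configuration written in this guide.
# Added example, not part of the original guide.

# check_fstab_opts FSTAB MOUNTPOINT OPT[,OPT...]
# Succeeds only if MOUNTPOINT has an fstab entry carrying every listed option.
check_fstab_opts() {
    fstab=$1 mnt=$2 want=$3
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    [ -n "$opts" ] || { echo "fstab: no entry for $mnt" >&2; return 1; }
    for o in $(printf '%s' "$want" | tr ',' ' '); do
        case ",$opts," in
            *,"$o",*) ;;
            *) echo "fstab: $mnt is missing option $o" >&2; return 1 ;;
        esac
    done
}

# check_kv FILE KEY VALUE
# Succeeds if FILE sets KEY="VALUE" (or KEY=VALUE), as the conf files above do.
check_kv() {
    file=$1 key=$2 val=$3
    got=$(sed -n "s/^[[:space:]]*$key=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$file" | tail -n 1)
    [ "$got" = "$val" ] || { echo "$file: expected $key=\"$val\", got \"$got\"" >&2; return 1; }
}

# check_feature FILE NAME: the mkinitfs features="..." line must list NAME.
check_feature() {
    feats=$(sed -n 's/^features="\(.*\)".*/\1/p' "$1")
    case " $feats " in
        *" $2 "*) ;;
        *) echo "$1: features does not include $2" >&2; return 1 ;;
    esac
}

# Run the full set of checks against the live system when invoked with --run.
if [ "${1:-}" = "--run" ]; then
    rc=0
    check_fstab_opts /etc/fstab /esp nodev,nosuid,noexec || rc=1
    check_fstab_opts /etc/fstab /tmp nodev,nosuid,noexec,mode=1777 || rc=1
    check_fstab_opts /etc/fstab /proc nodev,nosuid,noexec,hidepid=2 || rc=1
    check_kv /etc/conf.d/hwclock clock UTC || rc=1
    check_kv /etc/conf.d/hwclock clock_systohc NO || rc=1
    check_kv /etc/mkinitfs/mkinitfs.conf disable_trigger yes || rc=1
    check_feature /etc/mkinitfs/mkinitfs.conf zlevis || rc=1
    check_kv /etc/kernel-hooks.d/secureboot.conf output_dir /esp/efi/linux || rc=1
    exit $rc
fi
```

A non-zero exit status together with the messages on stderr points at the file that still differs from the configuration above.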