Compare commits

...

4 commits

4 changed files with 44 additions and 38 deletions

View file

@ -5,16 +5,16 @@ To install the Alpine Linux distribution on the system, the datasets of the syst
First import and decrypt the system pool:
```
# zpool import -N -R /mnt tank
# zfs load-key -L file:///tmp/tank.key tank
# zpool import -N -R /mnt rpool
# zfs load-key -L file:///tmp/rpool.key rpool
```
Mount the datasets in the system pool and decrypt the home dataset:
```
# mount tank/root/alpine /mnt -t zfs -o noatime
# zfs mount tank/home
# zfs mount tank/var
# mount rpool/root/alpine /mnt -t zfs -o noatime
# zfs mount rpool/home
# zfs mount rpool/var
```
Mount the ESP:
@ -106,10 +106,12 @@ features="... zlevis"
disable_trigger="yes"
```
> The `mkinitfs` package that supports `zlevis` is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation wiki](https://git.bijl.us/luc/zlevis/wiki/mkinitfs-implementation).
The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure `/etc/kernel-hooks.d/secureboot.conf` to set kernel cmdline options and secureboot:
```
cmdline="rw root=ZFS=tank/root/alpine rootflags=noatime quiet splash"
cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash"
signing_cert="/var/lib/sbctl/keys/db/db.pem"
signing_key="/var/lib/sbctl/keys/db/db.key"
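Review bot: the dataset name in `cmdline` (L36) has to agree with the dataset created on the preparation page and with the later `zpool set cachefile` target, and a typo here only shows up as a failed root mount after reboot; add a quick `zfs list -Ho name rpool/root/alpine` check before the UKI is built. Also state that editing `secureboot.conf` does not re-run the hook by itself: the UKI must be regenerated and re-signed afterwards, and the out-of-tree `mkinitfs` from the note at L32 must be in place before that happens, since it is what puts `zlevis` into the initramfs.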
@ -130,13 +132,7 @@ Use `sbctl` to create secureboot keys and sign them:
Set the cache-file of the ZFS pool:
```
# zpool set cachefile=/etc/zfs/zpool.cache tank
```
Now to see if everything went successfully, run:
```
# apk fix kernel-hooks
# zpool set cachefile=/etc/zfs/zpool.cache rpool
```
Now to see if everything went successfully, run:
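Review bot: `# apk fix kernel-hooks` is removed here, but the new side ends in an open fence under "Now to see if everything went successfully, run:", so the command that regenerates and signs the UKI after `zpool set cachefile` is no longer visible in this hunk. Confirm it still follows; the order matters, because the cachefile must be written before the initramfs/UKI is built so that the updated `/etc/zfs/zpool.cache` ends up inside it.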
@ -177,6 +173,6 @@ Now exit the chroot and you should be able to reboot into a working Alpine syste
```
# exit
# umount -lf /mnt
# zpool export tank
# zpool export rpool
# reboot
```

View file

@ -7,12 +7,18 @@ https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
```
This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains more packages but it is not recommended because it can result in faster breakage of your system.
This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains the latest packages but it is not recommended because it can result in faster breakage of your system.
## apk-ample
We also host our own repository which contains some packages not found in the stable repository but also our own packages like `linux-hardened`. If you want to add it to your system edit `/etc/apk/repositories` and add this line under the other repositories:
If a package is not yet in a stable release one may configure in `/etc/apk/repositories`:
```
https://git.bijl.us/lnco/apk-ample/raw/branch/main/alpine/
@<repository> https://dl-cdn.alpinelinux.org/alpine/edge/<repository>
```
for the relevant `<repository>` and perform:
```
# apk add <package>@<repository>
```
for the relevant `<package>`.
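Review bot: the `## apk-ample` heading (L66) no longer matches the text under it, which now describes pinning single packages from `edge` instead of the self-hosted repository; rename or drop it. `<repository>` is used both as the pin tag and as the path component, so say it stands for `main`, `community` or `testing`, and carry the warning from L65 over: a package installed with `@<repository>` may drag in `edge` versions of its dependencies, so the same breakage risk applies to pinned packages.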

View file

@ -7,7 +7,7 @@ ZFS opens up new methods to safely update the system. These methods are describe
To be able to rollback the system after a system update one may create a snapshot of the root filesystem.
```
# zfs snapshot tank/root/alpine@previous
# zfs snapshot rpool/root/alpine@previous
```
> Tip:`zfs list -t snapshot` can be used to list snapshost and `zfs destroy` can be used to remove snapshots.
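Review bot: `zfs snapshot rpool/root/alpine@previous` fails with "dataset already exists" on the second update because the snapshot name is fixed; add `zfs destroy rpool/root/alpine@previous` before it (the tip already mentions `zfs destroy`) or use a dated name. Typos in the tip: "snapshost" should be "snapshots", and a space is missing after "Tip:".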
@ -24,7 +24,7 @@ Perform a system update.
If the system does not behave accordingly after reboot, one may rollback to the previous snapshot.
```
# zfs rollback -r tank/root/alpine@previous
# zfs rollback -r rpool/root/alpine@previous
```
## Post-update
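Review bot: `zfs rollback -r` destroys every snapshot newer than `@previous` (`-R` would also take clones), so say that any snapshot taken after the update is lost; with only `@previous` present it changes nothing, but the reader should know. Also say where this is run: if the system does not boot at all, the same command has to be issued from the live environment after the `zpool import` and `zfs load-key` steps of the install page.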
@ -32,7 +32,7 @@ If the system does not behave accordingly after reboot, one may rollback to the
To maintain the performance of the SSDs in the system, perform a trim on the zfs-pool.
```
# zpool trim --secure --wait tank
# zpool trim --secure --wait rpool
```
> Some devices may not support the option `--secure`.
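Review bot: `--secure` is rejected on devices without secure-TRIM support, so tell the reader to rerun without the flag rather than leaving it at "may not support". Consider `zpool set autotrim=on rpool` so trimming does not depend on a manual post-update step.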
@ -40,13 +40,13 @@ To maintain the performance of the SSDs in the system, perform a trim on the zfs
Thereafter, perform a scrub on the zfs-pool which checks and repairs the data in the pool.
```
# zpool scrub tank
# zpool scrub rpool
```
This may take a while, the progress can be checked with:
```
# zpool status tank
# zpool status rpool
```
> A ZFS scrub only repairs if mirror or a zraid mode is set in the pool.
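Review bot: "zraid" should be "raidz" (the install page uses `raidz1`), and the statement is too narrow: a scrub can also repair from the extra copies of a dataset with `copies=2` (or 3) on a single disk; without mirror, raidz or copies>1 it only reports checksum errors. Also say what to do when `zpool status` lists errors (look at the per-device CKSUM column).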

View file

@ -16,9 +16,11 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
A few packages will have to be installed first,
```
# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm tpm2-tools zlevis
# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm zlevis
```
> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `/usr/bin` directory via a different method and add its dependencies `tpm2-tools` and `jose`.
and load the ZFS kernel module
```
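Review bot: the `apk add` line (L121) still lists `zlevis`, which the note directly under it says is not in the repository; apk aborts the whole transaction when a package cannot be selected, so nothing else on the line is installed either. Drop `zlevis` from the line and keep `tpm2-tools` (and add `jose`) there, since the note names them as its dependencies. For the "different method" of getting the binary into `/usr/bin`, point at the zlevis repository and tell the reader to verify what they download (checksum or signature) before it goes into the boot path.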
@ -96,13 +98,13 @@ Define the pool partitions
> done
```
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/tank.key` with:
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with:
```
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
```
> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
> While `zlevis` will be used for automatic decryption, if any changes are made to the bios or secureboot then this key will be needed, so make sure to save it.
Create the system pool:
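Review bot: the note at L136 should say why the key is needed again: zlevis seals it against TPM state, so any change that alters the PCR values it is bound to (firmware update, Secure Boot key changes, possibly kernel/UKI changes depending on the policy) makes the automatic unlock fail; name the PCRs the default policy uses. The generated passphrase (20 characters from a 62-character alphabet, about 119 bits) is fine for `keyformat=passphrase`; add that `/tmp` on the live system is volatile, so the key has to be copied off the machine before `zpool export` and reboot.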
@ -117,7 +119,7 @@ Create the system pool:
-O keyformat=passphrase \
-O keylocation=prompt \
-m none \
tank raidz1 $poolparts
rpool raidz1 $poolparts
```
> Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html).
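Review bot: typo in the note: "than `raidz2` and `raidz3`" should be "then". For the single-disk case, add that no self-healing is possible unless `copies=2` is set on the datasets, so the scrub on the update page only reports errors. `keylocation=prompt` is fine here because the install page overrides it with `-L file://`.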
@ -125,24 +127,26 @@ Create the system pool:
Then create the system datasets:
```
# zfs create -o mountpoint=none tank/root
# zfs create -o mountpoint=legacy -o quota=24g tank/root/alpine
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> tank/home
# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
# zfs create -o mountpoint=none rpool/root
# zfs create -o mountpoint=legacy -o quota=24g rpool/root/alpine
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g rpool/var
```
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
Write the encryption key to TPM and store the jwe in tpm:jwe:
Write the encryption key to TPM with `zlevis`:
```
# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank
# zlevis encrypt rpool '{}' < /tmp/rpool.key
```
> To check if it worked, perform `zfs list -Ho tpm:jwe tank | zlevis-decrypt`.
> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly.
> To check if it worked, perform `zlevis decrypt rpool`.
Finally, export the zpool:
```
# zpool export tank
# zpool export rpool
```
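Review bot: `exec=off` on `rpool/var` (L156) also covers `/var/tmp`, and packages or scripts that execute from there or from `/var/lib` will break; either call this out or confirm an `apk upgrade` works under it. The switch from `zfs set tpm:jwe=$(zlevis-encrypt ...)` to `zlevis encrypt rpool '{}' < /tmp/rpool.key` is an improvement, since the sealed blob no longer travels through a command substitution and the property name is no longer something the reader has to get right. For the check at L167, say that `zlevis decrypt rpool` prints the passphrase to the terminal and must run before `zpool export` because it reads the pool's property, and state plainly that the sealed blob is readable by anyone who can import the pool, which is expected because it only opens on this TPM.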