Compare commits
4 commits
0f62c92746
...
da6f2ac212
| Author | SHA1 | Date | |
|---|---|---|---|
| da6f2ac212 | |||
| a8a68753c1 | |||
| 48ab49c9ee | |||
| e6434602c8 |
4 changed files with 44 additions and 38 deletions
|
|
@ -5,16 +5,16 @@ To install the Alpine Linux distribution on the system, the datasets of the syst
|
|||
First import and decrypt the system pool:
|
||||
|
||||
```
|
||||
# zpool import -N -R /mnt tank
|
||||
# zfs load-key -L file:///tmp/tank.key tank
|
||||
# zpool import -N -R /mnt rpool
|
||||
# zfs load-key -L file:///tmp/rpool.key rpool
|
||||
```
|
||||
|
||||
Mount the datasets in the system pool and decrypt the home dataset:
|
||||
|
||||
```
|
||||
# mount tank/root/alpine /mnt -t zfs -o noatime
|
||||
# zfs mount tank/home
|
||||
# zfs mount tank/var
|
||||
# mount rpool/root/alpine /mnt -t zfs -o noatime
|
||||
# zfs mount rpool/home
|
||||
# zfs mount rpool/var
|
||||
```
|
||||
|
||||
Mount the ESP:
|
||||
|
|
@ -106,10 +106,12 @@ features="... zlevis"
|
|||
disable_trigger="yes"
|
||||
```
|
||||
|
||||
> The `mkinitfs` package that supports `zlevis` is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation wiki](https://git.bijl.us/luc/zlevis/wiki/mkinitfs-implementation).
|
||||
|
||||
The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure `/etc/kernel-hooks.d/secureboot.conf` to set kernel cmdline options and secureboot:
|
||||
|
||||
```
|
||||
cmdline="rw root=ZFS=tank/root/alpine rootflags=noatime quiet splash"
|
||||
cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash"
|
||||
|
||||
signing_cert="/var/lib/sbctl/keys/db/db.pem"
|
||||
signing_key="/var/lib/sbctl/keys/db/db.key"
|
||||
|
|
@ -130,13 +132,7 @@ Use `sbctl` to create secureboot keys and sign them:
|
|||
Set the cache-file of the ZFS pool:
|
||||
|
||||
```
|
||||
# zpool set cachefile=/etc/zfs/zpool.cache tank
|
||||
```
|
||||
|
||||
Now to see if everything went successfully, run:
|
||||
|
||||
```
|
||||
# apk fix kernel-hooks
|
||||
# zpool set cachefile=/etc/zfs/zpool.cache rpool
|
||||
```
|
||||
|
||||
Now to see if everything went successfully, run:
|
||||
|
|
@ -177,6 +173,6 @@ Now exit the chroot and you should be able to reboot into a working Alpine syste
|
|||
```
|
||||
# exit
|
||||
# umount -lf /mnt
|
||||
# zpool export tank
|
||||
# zpool export rpool
|
||||
# reboot
|
||||
```
|
||||
|
|
@ -7,12 +7,18 @@ https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
|
|||
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
|
||||
```
|
||||
|
||||
This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains more packages but it is not recommended because it can result in faster breakage of your system.
|
||||
This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains the latest packages but it is not recommended because it can result in faster breakage of your system.
|
||||
|
||||
## apk-ample
|
||||
|
||||
We also host our own repository which contains some packages not found in the stable repository but also our own packages like `linux-hardened`. If you want to add it to your system edit `/etc/apk/repositories` and add this line under the other repositories:
|
||||
If a package is not yet in a stable release one may configure in `/etc/apk/repositories`:
|
||||
|
||||
```
|
||||
https://git.bijl.us/lnco/apk-ample/raw/branch/main/alpine/
|
||||
@<repository> https://dl-cdn.alpinelinux.org/alpine/edge/<repository>
|
||||
```
|
||||
|
||||
for the relevant `<repository>` and perform:
|
||||
|
||||
```
|
||||
# apk add <package>@<repository>
|
||||
```
|
||||
|
||||
for the relevant `<package>`.
|
||||
|
|
@ -7,7 +7,7 @@ ZFS opens up new methods to safely update the system. These methods are describe
|
|||
To be able to rollback the system after a system update one may create a snapshot of the root filesystem.
|
||||
|
||||
```
|
||||
# zfs snapshot tank/root/alpine@previous
|
||||
# zfs snapshot rpool/root/alpine@previous
|
||||
```
|
||||
|
||||
> Tip:`zfs list -t snapshot` can be used to list snapshost and `zfs destroy` can be used to remove snapshots.
|
||||
|
|
@ -24,7 +24,7 @@ Perform a system update.
|
|||
If the system does not behave accordingly after reboot, one may rollback to the previous snapshot.
|
||||
|
||||
```
|
||||
# zfs rollback -r tank/root/alpine@previous
|
||||
# zfs rollback -r rpool/root/alpine@previous
|
||||
```
|
||||
|
||||
## Post-update
|
||||
|
|
@ -32,7 +32,7 @@ If the system does not behave accordingly after reboot, one may rollback to the
|
|||
To maintain the performance of the SSDs in the system, perform a trim on the zfs-pool.
|
||||
|
||||
```
|
||||
# zpool trim --secure --wait tank
|
||||
# zpool trim --secure --wait rpool
|
||||
```
|
||||
|
||||
> Some devices may not support the option `--secure`.
|
||||
|
|
@ -40,13 +40,13 @@ To maintain the performance of the SSDs in the system, perform a trim on the zfs
|
|||
Thereafter, perform a scrub on the zfs-pool which checks and repairs the data in the pool.
|
||||
|
||||
```
|
||||
# zpool scrub tank
|
||||
# zpool scrub rpool
|
||||
```
|
||||
|
||||
This may take a while, the progress can be checked with:
|
||||
|
||||
```
|
||||
# zpool status tank
|
||||
# zpool status rpool
|
||||
```
|
||||
|
||||
> A ZFS scrub only repairs if mirror or a zraid mode is set in the pool.
|
||||
|
|
@ -16,9 +16,11 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
|
|||
A few packages will have to be installed first,
|
||||
|
||||
```
|
||||
# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm tpm2-tools zlevis
|
||||
# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm zlevis
|
||||
```
|
||||
|
||||
> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `/usr/bin` directory via a different method and add its dependencies `tpm2-tools` and `jose`.
|
||||
|
||||
and load the ZFS kernel module
|
||||
|
||||
```
|
||||
|
|
@ -96,13 +98,13 @@ Define the pool partitions
|
|||
> done
|
||||
```
|
||||
|
||||
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/tank.key` with:
|
||||
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with:
|
||||
|
||||
```
|
||||
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key
|
||||
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key
|
||||
```
|
||||
|
||||
> Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
|
||||
> While `zlevis` will be used for automatic decryption, if any changes are made to the bios or secureboot then this key will be needed, so make sure to save it.
|
||||
|
||||
Create the system pool:
|
||||
|
||||
|
|
@ -117,7 +119,7 @@ Create the system pool:
|
|||
-O keyformat=passphrase \
|
||||
-O keylocation=prompt \
|
||||
-m none \
|
||||
tank raidz1 $poolparts
|
||||
rpool raidz1 $poolparts
|
||||
```
|
||||
|
||||
> Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html).
|
||||
|
|
@ -125,24 +127,26 @@ Create the system pool:
|
|||
Then create the system datasets:
|
||||
|
||||
```
|
||||
# zfs create -o mountpoint=none tank/root
|
||||
# zfs create -o mountpoint=legacy -o quota=24g tank/root/alpine
|
||||
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> tank/home
|
||||
# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
|
||||
# zfs create -o mountpoint=none rpool/root
|
||||
# zfs create -o mountpoint=legacy -o quota=24g rpool/root/alpine
|
||||
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home
|
||||
# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g rpool/var
|
||||
```
|
||||
|
||||
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
|
||||
|
||||
Write the encryption key to TPM and store the jwe in tpm:jwe:
|
||||
Write the encryption key to TPM with `zlevis`:
|
||||
|
||||
```
|
||||
# zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank
|
||||
# zlevis encrypt rpool '{}' < /tmp/rpool.key
|
||||
```
|
||||
|
||||
> To check if it worked, perform `zfs list -Ho tpm:jwe tank | zlevis-decrypt`.
|
||||
> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly.
|
||||
|
||||
> To check if it worked, perform `zlevis decrypt rpool`.
|
||||
|
||||
Finally, export the zpool:
|
||||
|
||||
```
|
||||
# zpool export tank
|
||||
# zpool export rpool
|
||||
```
|
||||
|
|
|
|||
Loading…
Reference in a new issue