Compare commits


No commits in common. "da6f2ac212fe38cee67c58975280f2fcea07eafb" and "0f62c927464eb4f508f9704c5c76ab508d4ad275" have entirely different histories.

4 changed files with 38 additions and 44 deletions


@ -5,16 +5,16 @@ To install the Alpine Linux distribution on the system, the datasets of the syst
First import and decrypt the system pool: First import and decrypt the system pool:
``` ```
# zpool import -N -R /mnt rpool # zpool import -N -R /mnt tank
# zfs load-key -L file:///tmp/rpool.key rpool # zfs load-key -L file:///tmp/tank.key tank
``` ```
Mount the datasets in the system pool and decrypt the home dataset: Mount the datasets in the system pool and decrypt the home dataset:
``` ```
# mount rpool/root/alpine /mnt -t zfs -o noatime # mount tank/root/alpine /mnt -t zfs -o noatime
# zfs mount rpool/home # zfs mount tank/home
# zfs mount rpool/var # zfs mount tank/var
``` ```
Mount the ESP: Mount the ESP:
@ -106,12 +106,10 @@ features="... zlevis"
disable_trigger="yes" disable_trigger="yes"
``` ```
> The `mkinitfs` package that supports `zlevis` is as of this moment not yet in the alpine package repository, for the relevant steps see the [zlevis mkinitfs-implementation wiki](https://git.bijl.us/luc/zlevis/wiki/mkinitfs-implementation).
The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure `/etc/kernel-hooks.d/secureboot.conf` to set kernel cmdline options and secureboot: The most important step is the creation of a UKI using `secureboot-hook` which also automatically signs them. Configure `/etc/kernel-hooks.d/secureboot.conf` to set kernel cmdline options and secureboot:
``` ```
cmdline="rw root=ZFS=rpool/root/alpine rootflags=noatime quiet splash" cmdline="rw root=ZFS=tank/root/alpine rootflags=noatime quiet splash"
signing_cert="/var/lib/sbctl/keys/db/db.pem" signing_cert="/var/lib/sbctl/keys/db/db.pem"
signing_key="/var/lib/sbctl/keys/db/db.key" signing_key="/var/lib/sbctl/keys/db/db.key"
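Review bot: dropping the blockquote that pointed at the zlevis mkinitfs-implementation wiki leaves the reader with no indication of where a `mkinitfs` that understands `features="... zlevis"` comes from. If that package is now provided by the apk-ample repository introduced in the repositories file, say so in a sentence here; otherwise keep the wiki link, since `features="... zlevis"` and `disable_trigger="yes"` only make sense with that package installed.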
@ -132,7 +130,13 @@ Use `sbctl` to create secureboot keys and sign them:
Set the cache-file of the ZFS pool: Set the cache-file of the ZFS pool:
``` ```
# zpool set cachefile=/etc/zfs/zpool.cache rpool # zpool set cachefile=/etc/zfs/zpool.cache tank
```
Now to see if everything went successfully, run:
```
# apk fix kernel-hooks
``` ```
Now to see if everything went successfully, run: Now to see if everything went successfully, run:
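Review bot: the new side introduces `# apk fix kernel-hooks` with the sentence "Now to see if everything went successfully, run:" and then repeats that exact sentence right after the block, so the second occurrence reads as a duplicate. The first lead-in should instead say what the command is for (re-running the kernel hooks so the UKI is built and signed with the configured `signing_cert`/`signing_key`), leaving the "see if everything went successfully" sentence for the check that follows.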
@ -173,6 +177,6 @@ Now exit the chroot and you should be able to reboot into a working Alpine syste
``` ```
# exit # exit
# umount -lf /mnt # umount -lf /mnt
# zpool export rpool # zpool export tank
# reboot # reboot
``` ```


@ -7,18 +7,12 @@ https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
``` ```
This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains the latest packages but it is not recommended because it can result in faster breakage of your system. This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains more packages but it is not recommended because it can result in faster breakage of your system.
If a package is not yet in a stable release one may configure in `/etc/apk/repositories`: ## apk-ample
We also host our own repository which contains some packages not found in the stable repository but also our own packages like `linux-hardened`. If you want to add it to your system edit `/etc/apk/repositories` and add this line under the other repositories:
``` ```
@<repository> https://dl-cdn.alpinelinux.org/alpine/edge/<repository> https://git.bijl.us/lnco/apk-ample/raw/branch/main/alpine/
``` ```
for the relevant `<repository>` and perform:
```
# apk add <package>@<repository>
```
for the relevant `<package>`.
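Review bot: adding `https://git.bijl.us/lnco/apk-ample/raw/branch/main/alpine/` to `/etc/apk/repositories` is not sufficient on its own: apk verifies package signatures against the public keys in `/etc/apk/keys/`, and this hunk gives no step for installing the repository's signing key or for checking its fingerprint out of band. Add that step before the repository line, and state explicitly that `--allow-untrusted` is not an acceptable workaround, since it disables the signature check for the whole install. Separately, the pinned-edge instructions that were removed (the `@<repository>` tag line and `# apk add <package>@<repository>`) are not replaced by anything; if they are still valid they deserve their own paragraph rather than being dropped with the rename to `## apk-ample`.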


@ -7,7 +7,7 @@ ZFS opens up new methods to safely update the system. These methods are describe
To be able to rollback the system after a system update one may create a snapshot of the root filesystem. To be able to rollback the system after a system update one may create a snapshot of the root filesystem.
``` ```
# zfs snapshot rpool/root/alpine@previous # zfs snapshot tank/root/alpine@previous
``` ```
> Tip:`zfs list -t snapshot` can be used to list snapshost and `zfs destroy` can be used to remove snapshots. > Tip:`zfs list -t snapshot` can be used to list snapshost and `zfs destroy` can be used to remove snapshots.
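Review bot: the Tip line is touched by the rename but still carries the typo "snapshost" (should be "snapshots") and lacks a space after "Tip:"; fix both while editing this line.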
@ -24,7 +24,7 @@ Perform a system update.
If the system does not behave accordingly after reboot, one may rollback to the previous snapshot. If the system does not behave accordingly after reboot, one may rollback to the previous snapshot.
``` ```
# zfs rollback -r rpool/root/alpine@previous # zfs rollback -r tank/root/alpine@previous
``` ```
## Post-update ## Post-update
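Review bot: `zfs rollback -r tank/root/alpine@previous` is presented without its consequence: the `-r` flag destroys every snapshot of the dataset that is newer than `@previous`. Add a sentence saying so, since a user who took further snapshots after the update will lose them, and point to the `zfs list -t snapshot` tip above so they can check first.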
@ -32,7 +32,7 @@ If the system does not behave accordingly after reboot, one may rollback to the
To maintain the performance of the SSDs in the system, perform a trim on the zfs-pool. To maintain the performance of the SSDs in the system, perform a trim on the zfs-pool.
``` ```
# zpool trim --secure --wait rpool # zpool trim --secure --wait tank
``` ```
> Some devices may not support the option `--secure`. > Some devices may not support the option `--secure`.
@ -40,13 +40,13 @@ To maintain the performance of the SSDs in the system, perform a trim on the zfs
Thereafter, perform a scrub on the zfs-pool which checks and repairs the data in the pool. Thereafter, perform a scrub on the zfs-pool which checks and repairs the data in the pool.
``` ```
# zpool scrub rpool # zpool scrub tank
``` ```
This may take a while, the progress can be checked with: This may take a while, the progress can be checked with:
``` ```
# zpool status rpool # zpool status tank
``` ```
> A ZFS scrub only repairs if mirror or a zraid mode is set in the pool. > A ZFS scrub only repairs if mirror or a zraid mode is set in the pool.
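Review bot: the blockquote says "mirror or a zraid mode", but the guide's own pool creation uses `raidz1`; "zraid" should read "raidz" so the term matches the rest of the documentation.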


@ -16,11 +16,9 @@ To set it up `setup-interfaces` and `setup-apkrepos` will be used.
A few packages will have to be installed first, A few packages will have to be installed first,
``` ```
# apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm zlevis # apk add zfs lsblk sgdisk wipefs dosfstools acpid mdadm tpm2-tools zlevis
``` ```
> The `zlevis` package is as of this moment not yet in the alpine package repository. Try to get it into the `/usr/bin` directory via a different method and add its dependencies `tpm2-tools` and `jose`.
and load the ZFS kernel module and load the ZFS kernel module
``` ```
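Review bot: the removed blockquote listed `tpm2-tools` and `jose` as dependencies of `zlevis`, but the new `apk add` line adds only `tpm2-tools`. Either confirm that the `zlevis` package declares `jose` as a dependency (in which case `tpm2-tools` is redundant here too) or add `jose` to the list, otherwise `zlevis-encrypt` will be missing a runtime dependency on a fresh install.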
@ -98,13 +96,13 @@ Define the pool partitions
> done > done
``` ```
The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/rpool.key` with: The ZFS system pool is going to be encrypted. First generate an encryption key and save it temporarily to the file `/tmp/tank.key` with:
``` ```
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/rpool.key && cat /tmp/rpool.key # cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1 > /tmp/tank.key && cat /tmp/tank.key
``` ```
> While `zlevis` will be used for automatic decryption, if any changes are made to the bios or secureboot then this key will be needed, so make sure to save it. > Later on in the guide `zlevis` will be used for automatic decryption, so this key only has to be entered a few times. However, if any changes are made to the bios or secureboot then this key will be needed again, so make sure to save it.
Create the system pool: Create the system pool:
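Review bot: the key-generation line creates `/tmp/tank.key` with the default umask and then echoes the key to the terminal with `&& cat /tmp/tank.key`. Since this is the pool passphrase, suggest creating it with a restrictive umask, e.g. `(umask 077; tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1 > /tmp/tank.key)`, and telling the reader to display it deliberately when they are ready to record it rather than printing it unconditionally. The revised note rightly says the key is needed again after firmware or secureboot changes; it should also say to delete `/tmp/tank.key` once the TPM-sealed copy has been verified later in the guide.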
@ -119,7 +117,7 @@ Create the system pool:
-O keyformat=passphrase \ -O keyformat=passphrase \
-O keylocation=prompt \ -O keylocation=prompt \
-m none \ -m none \
rpool raidz1 $poolparts tank raidz1 $poolparts
``` ```
> Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html). > Additionally, the `spare` option can be used to indicate spare disks. If more redundancy is preferred than `raidz2` and `raidz3` are possible [alternatives](https://openzfs.github.io/openzfs-docs/man/master/7/zpoolconcepts.7.html) for `raidz1`. If a single disk is used the `raidz` option can be left aside. For further information see [zpool-create](https://openzfs.github.io/openzfs-docs/man/master/8/zpool-create.8.html).
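Review bot: the blockquote carried over unchanged reads "If more redundancy is preferred than `raidz2`"; "than" should be "then", and "left aside" would be clearer as "omitted".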
@ -127,26 +125,24 @@ Create the system pool:
Then create the system datasets: Then create the system datasets:
``` ```
# zfs create -o mountpoint=none rpool/root # zfs create -o mountpoint=none tank/root
# zfs create -o mountpoint=legacy -o quota=24g rpool/root/alpine # zfs create -o mountpoint=legacy -o quota=24g tank/root/alpine
# zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> rpool/home # zfs create -o mountpoint=/home -o atime=off -o setuid=off -o devices=off -o quota=<home-quota> tank/home
# zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g rpool/var # zfs create -o mountpoint=/var -o atime=off -o exec=off -o setuid=off -o devices=off -o quota=16g tank/var
``` ```
> Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool. > Setting the `<home-quota>` depends on the total size of the pool, generally try to reserve some empty space in the pool.
Write the encryption key to TPM with `zlevis`: Write the encryption key to TPM and store the jwe in tpm:jwe:
``` ```
# zlevis encrypt rpool '{}' < /tmp/rpool.key # zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank
``` ```
> We are using the default configuration settings for `zlevis encrypt` but a different configuration is possible by setting `'{}'` accordingly. > To check if it worked, perform `zfs list -Ho tpm:jwe tank | zlevis-decrypt`.
> To check if it worked, perform `zlevis decrypt rpool`.
Finally, export the zpool: Finally, export the zpool:
``` ```
# zpool export rpool # zpool export tank
``` ```
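Review bot: the new command `zfs set tpm:jwe=$(zlevis-encrypt '{}' < /tmp/tank.key) tank` leaves the command substitution unquoted; write it as `"$(zlevis-encrypt '{}' < /tmp/tank.key)"` so a failure of `zlevis-encrypt` (empty output) or any unexpected whitespace does not turn into a malformed `zfs set`. The old note explaining that `'{}'` is the default configuration and can be changed was dropped even though `'{}'` still appears in the new command with no explanation; keep that sentence. The check `zfs list -Ho tpm:jwe tank | zlevis-decrypt` only shows that decryption produces something; have the reader compare its output against the contents of `/tmp/tank.key` before the key file is removed, since a mismatch here means the pool will not unlock automatically at boot.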