lnorg/documentation
1
2
Fork 0
Code Issues 30 Pull requests Projects 6 Activity
documentation/docs/alpine-server-setup/installation/installation.md

5 KiB
Raw Blame History

Installation

To install the Alpine Linux distribution on the system, the root subvolume and the efi partition have to be mounted to the main system.

# mount -o subvol=@root /dev/mapper/luks /mnt -t btrfs
# mkdir /mnt/efi -p
# mount /dev/<disk>1 /mnt/efi -t vfat

Then set up the base system using setup disk:

# setup-disk -m sys /mnt

This will also add grub as bootloader which will be replaced but for now it will reside on the efi partition.

To make it possible to chroot into the system, mount the other directories:

# for i in dev proc sys run; do
> mount --rbind --make-rslave /$i /mnt/$i
> done
# chroot /mnt

The other setup scripts can be used to configure key aspects of the system. Besides that a few necessary services have to be activated.

# setup-hostname <hostname>
# setup-keymap us us-euro
# setup-timezone -i <area>/<subarea>
# setup-ntp openntpd
# rc-update add acpid default
# rc-update add seedrng boot
# rm -rf /var/tmp ; ln -s /tmp /var/tmp
# passwd root

The root password does not really matter because it is going to be locked after a user has been created.

Set the hwclock to use UTC in /etc/conf.d/hwclock and disable writing the time to hardware. Running a NTP negates its usability.

clock="UTC"
clock_hctosys="NO"
clock_systohc="NO"

Edit /etc/fstab for correct mounts:

/dev/disk/by-label/efi             /efi        vfat    defaults,nodev,nosuid,noexec                            0 2
/dev/disk/by-uuid/<volume-uuid>    /           btrfs   defaults,noatime,subvol=/@root                          0 1
/dev/disk/by-uuid/<volume-uuid>    /home       btrfs   defaults,noatime,nodev,nosuid,subvol=/@home             0 2
/dev/disk/by-uuid/<volume-uuid>    /var        btrfs   defaults,nodev,nosuid,noexec,subvol=/@var               0 2
/dev/disk/by-uuid/<volume-uuid>    /nix        btrfs   defaults,noatime,nodev,nosuid,subvol=/@nix              0 2
tmpfs                              /tmp        tmpfs   rw,size=4G,nr_inodes=5k,noexec,nodev,nosuid,mode=1777   0 0
proc                               /proc       proc    nosuid,nodev,noexec,hidepid=2                           0 0

Here <volume-uuid> has to be replaced with the uuid of the root volume:

# blkid /dev/mapper/luks >> /etc/fstab

By default, Alpine Linux uses mkinitfs to create an initial ram filesystem, although it is minimal that also means that it lacks some functionality which is needed for a proper setup. Because of this mkinitfs and grub-efi will be replaced with booster and secureboot-hook.

# apk add booster secureboot-hook sbctl
# apk del mkinitfs grub-efi

To configure booster edit /etc/booster.yaml:

busybox: false
modules: vfat,nls_cp437,nls_iso8859_1

The most important step is the creation of a UKI using secureboot-hook which also automatically signs them. First the hook itself will have to be tweaked to use booster instead of mkinitfs, edit /etc/kernel-hooks.d/50-secureboot.hook and change the line:

/sbin/mkinitfs -o "$tmpdir"/initramfs "$NEW_VERSION-$FLAVOR"

to:

/usr/bin/booster build "$tmpdir"/initramfs --kernel-version "$NEW_VERSION-$FLAVOR"

and configure /etc/kernel-hooks.d/secureboot.conf for cmdline and secureboot.

cmdline="rw rd.luks.name="<partition-uuid>"=luks root=/dev/disk/by-uuid/<volume-uuid> rootflags=subvol=/@root quiet splash"

signing_cert="/usr/share/secureboot/keys/db/db.pem"
signing_key="/usr/share/secureboot/keys/db/db.key"

output_dir="/efi/EFI/Linux"

output_name="alpine-linux-{flavor}.efi"

Here <partition-uuid> and <volume-uuid> have to be replaced with the uuid of the root partition and volume respectively.

# blkid /dev/<disk>2 >> /etc/kernel-hooks.d/secureboot.conf
# blkid /dev/mapper/luks >> /etc/kernel-hooks.d/secureboot.conf

Use sbctl to create secureboot keys and sign them.

# sbctl create-keys
# sbctl enroll-keys
...

Whilst enrolling the keys it might be necessary to add the --microsoft flag if you are unable to use custom keys.

Now to see if everything went succesfully run:

# apk fix kernel-hooks

and it should give no warnings if done properly.

As discussed earlier grub will be replaced, install gummiboot as a bootloader.

# apk add gummiboot
# gummiboot install --path=/efi
# sbctl sign -s /efi/EFI/gummiboot/gummibootx64.efi
# sbctl sign -s /efi/EFI/Boot/BOOTX64.EFI

And also remove some remnants of grub.

# rm -rf /efi/EFI/alpine
# rm -rf /efi/grub
# rm -rf /etc/default
# cd /boot && unlink boot

gummiboot can be configured with the file /efi/loader/loader.conf with which the timeout and the default OS can be specified.

default alpine-linux-lts.efi
timeout 2
editor no

Now exit the chroot and you should be able to reboot into a working Alpine system.

# exit
# umount -lf /mnt
# reboot

When booting up your screen might appear blank, this is the encryption prompt. Enter the encryption key and press enter to boot.

Do note that "Linux Boot Manager" will have to be set to load first in your bios.