Alpine linux installation on encrypted root file system for scaleway's baremetal server
Scaleway does not provide alpine Linux images to their ARM instances, neither for cloud kvm nor bare-metal instances.
This is a shell script to deploy an alpine Linux with encrypted file-system to them.
build machineboot serverbuild machineCheckout this repo:
git clone https://github.com/juju2013/scw-alpine-encryptedcd scw-alpine-encrypted
./build.shThat’s all. In out/ folder, there’ll be 2 files:
boot server
boot=rescue rescue_image=http://your_boot_server/path_to_your_init.tar
Fire up (or reset) your instance and connect to it’s console:
scw attach your_instance
When the boot is finished, you’ll reach some point like that:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTvda 253:0 0 46.6G 0 disk├─vda1 253:1 0 46.5G 0 part└─vda15 253:15 0 100M 0 partmount: mounting /dev/mapper/cryptroot on /mnt failed: No such file or directoryFilesystem 1K-blocks Used Available Use% Mounted onudev 1015648 0 1015648 0% /devtmpfs 204048 10140 193908 5% /runnone 1020228 202340 817888 20% /bash: cannot set terminal process group (-1): Not a ttybash: no job control in this shellbash-5.0#
From there (you’ll lose all your data on /dev/vda1), enter commands after bash-5.0#, the orther lines are command output:
bash-5.0# cryptsetup luksFormat /dev/vda1WARNING: Device /dev/vda1 already contains a 'ext4' superblock signature.WARNING!========This will overwrite data on /dev/vda1 irrevocably.Are you sure? (Type uppercase yes): YESEnter passphrase for /dev/vda1:Verify passphrase:[ 193.092325] NET: Registered protocol family 38[ 193.158943] cryptd: max_cpu_qlen set to 1000
Then
cryptsetup open /dev/vda1 cryptrootEnter passphrase for /dev/vda1:bash-5.0# mkfs.btrfs /dev/mapper/cryptroot...bash-5.0# mount /dev/mapper/cryptroot /mnt/bash-5.0# btrfs sub create /mnt/rootCreate subvolume '/mnt/root'bash-5.0# cd /mnt/rootbash-5.0# wget -O - http://your_boot_server/aarch64root.tar | tar xpf -bash-5.0# mount --bind /dev devbash-5.0# mount --bind /sys sysbash-5.0# mount --bind /proc procbash-5.0# chroot . /bin/bash
At this point, you’re going to setup your alpine Linux system. Customize it as you want(most defaults should be ok):
setup-alpine
After the setup:
bash-5.0# exitexitbash-5.0# exitexitNow switching to real rootswitch_root: cannot access /sbin/init: No such file or directoryswitch_root: failed to execute /sbin/init: No such file or directory
The new system will panic, that’s OK, simply reboot it throu the console.
After a while, your console will show:
[ 27.400885] random: crng init doneLoading kernel modules ...modprobe: module dm-mod not found in modules.dep[ 48.390779] xor: measuring software checksum speed...Starting mount real root device:WARNING: Locking directory /run/cryptsetup is missing!Enter passphrase for /dev/vda1:
Enter your passphrase, and you’ll see:
[ 115.616635] NET: Registered protocol family 38[ 115.681441] cryptd: max_cpu_qlen set to 1000NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTvda 253:0 0 46.6G 0 disk├─vda1 253:1 0 46.5G 0 part│ └─cryptroot 252:0 0 46.5G 0 crypt└─vda15 253:15 0 100M 0 part[ 116.031438] BTRFS: device fsid f2fbe983-e033-494c-83cd-72e81b519c1f devid 1 transid 16 /dev/mapper/cryptroot[ 116.041778] BTRFS info (device dm-0): disk space caching is enabled[ 116.046932] BTRFS info (device dm-0): has skinny extentsFilesystem 1K-blocks Used Available Use% Mounted onudev 1015648 0 1015648 0% /devtmpfs 204048 10140 193908 5% /runnone 1020228 202340 817888 20% //dev/mapper/cryptroot48708300 88288 48106176 0% /mntbash: cannot set terminal process group (-1): Not a ttybash: no job control in this shell
Type simply exit, then you’ll see:
exitNow switching to real rootOpenRC 0.41.2.6fc2696f3e is starting up Linux 4.19.53-mainline-rev1 (aarch64)...
That’s all.
You can now ssh root@your_instance_ip. And next boots will repeat the same sequence, it’s done!