Alpine Linux - User contributions [en]

Talk:Root on ZFS with native encryption

2023-08-15T15:46:53Z

Subalpine: /* credit */

= Alpine on ZFS root issues in wiki procedure (v1) =

I made some notes on issues I have encountered while following this guide. I will check these more and see if I can update the wiki with the notes.

You can find the notes here: [https://pastebin.com/7jXtG6pT Notes on pastebin]

— Preceding [[unsigned]] comment added by [[User:Patrix|Patrix]] ([[User talk:Patrix|{{int:talkpagelinktext}}]] • [[Special:Contributions/Patrix|{{int:contribslink}}]]) 11:14, 12 January 2020

== Guide no longer working ==

I tried to follow the guide on Alpine Standard 3.17.4 and 3.18.2. Here is where I'm stuck.

~ # modprobe zfs
modprobe: FATAL: Module zfs not found in directory /lib/modules/5.15.117-0-lts

— Preceding [[unsigned]] comment added by [[User:Drolex|Drolex]] ([[User talk:Drolex|{{int:talkpagelinktext}}]] • [[Special:Contributions/Drolex|{{int:contribslink}}]]) 16:33, 26 July 2023‎

== credit ==

Talk:Root on ZFS with native encryption

2023-08-15T15:45:22Z

Subalpine: /* credit */ new section

Configure a Wireguard interface (wg)

2021-09-29T04:33:07Z

Subalpine:

{{TOC left}}

WireGuard is a very promising VPN technology available in the community repository since Alpine 3.10.

There are several ways to install and configure an interface.

In order to load the WireGuard kernel module, you need a compatible kernel:

* linux-lts
* linux-virt

== Bringing up an interface using wg-tools ==

The most straightforward method, and the one recommended in WireGuard documentation, is to use <code>wg-quick</code>.

Install wireguard-tools

apk add wireguard-tools

Then load the module

modprobe wireguard

Add it to <code>/etc/modules</code> to automatically load it on boot.

Then, we need to create a private and a public key:

wg genkey | tee privatekey | wg pubkey > publickey

Then, we create a new config file <code>/etc/wireguard/wg0.conf</code> using those keys:

[Interface]
Address = 10.123.0.1/24
ListenPort = 45340
PrivateKey = SG1nXk2+kAAKnMkL5aX3NSFPaGjf9SQI/wWwFj9l9U4= # the key from the previously generated privatekey file
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE;iptables -A FORWARD -o %i -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE;iptables -D FORWARD -o %i -j ACCEPT

The PostUp and PostDown steps are there to ensure the interface wg0 will accept and forward traffic to eth0. The postrouting and forward to %i is not required, but it will enable "VPN mode" where users can access the internet via this server if desired. Reference [https://github.com/pirate/wireguard-docs#user-content-config-reference this WireGuard documentation] for information on adding peers to the config file.

To bring up the new interface we use:

wg-quick up wg0

To take it down, we can use <code>wg-quick down wg0</code> which will clean up the interface and remove the iptables rules.
Note: If running in a Docker container, you will need to run with <code>--cap-add=NET_ADMIN</code> to modify your interfaces.

== Bringing up an interface using ifupdown-ng ==

The official documents from WireGuard show examples of how to set up an interface with the use of wg-quick.
In this how-to, we are not going to use that utility. We'll use the plain wg command and [https://github.com/ifupdown-ng/ifupdown-ng/blob/master/doc/interfaces-wireguard.scd ifupdown-ng].

apk add wireguard-tools-wg

Now that all the tools are installed, you can setup the interface.
The setup of your interface config is out of the scope of this document. You should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].

After you have finished setting up your wgX interface config, you can add it to your <code>/etc/network/interfaces</code>:

auto wg0
iface wg0 inet static
requires eth0
use wireguard
address 192.168.42.1

This config will automatically:

* bring the WireGuard interface up after the eth0 interface
* assign a config to this interface (which you have previously created)
* setup the interface address and netmask
* add the route once the interface is up
* remove the interface when it goes down

To start and stop the interface, you execute:

ifup wg0
ifdown wg0

If your interface config is not stored under <code>/etc/wireguard</code> you need to specify a <code>wireguard-config-path</code> as well.

== Running with modloop ==
If you are running from a RAM disk, you can't modify the modloop.

You can get around it by unpacking the modloop, mounting the unpacked modules folder, then installing WireGuard.

#!/bin/sh
apk add squashfs-tools # install squashfs tools to unpack modloop
unsquashfs -d /root/squash /lib/modloop-lts # unpack modloop to root dir
umount /.modloop # unmount existing modloop
mount /root/squash/ /.modloop/ # mount unpacked modloop
apk del wireguard-lts # uninstall previous WireGuard install
apk add wireguard-lts
apk add wireguard-tools

You can repack the squash filesystem or put this script in the /etc/local.d/ path so it runs at boot-up.

[[Category:Networking]]

Root on ZFS with native encryption

2020-07-11T22:54:56Z

Subalpine: fix bold

= Setting up Alpine Linux using ZFS with a pool that uses ZFS' native encryption capabilities =

== Download ==

Download the '''extended''' release from https://www.alpinelinux.org/downloads/ as only it contains the zfs kernel mods at the time of this writing (2020.07.10)

Write it to a USB and boot from it.

== Initial setup ==

Run the following

setup-alpine

Answer all the questions, and hit ctrl-c when promted for what disk you'd like to use.

== OPTIONAL ==

This section is optional and it assumes internet connectivity. You may enable sshd so you can ssh into the box and copy and paste the rest of the commands into my terminal window from these instructions.

Edit `/etc/ssh/sshd_config` and search for `Permit`. Change the value after `PermitRootLogin` to read `yes`

save and exit to shell. Run `service sshd restart`

Now you can ssh in as root. Do not forget to go back and comment this line out when you're done since it will be enabled on your resulting machine. You will be reminded again at the end of this doc.

== Add needed packages ==

apk add zfs sfdisk e2fsprogs syslinux

== Create our partitions ==

We're assuming `/dev/sda` here and in the rest of the document but you can use whatever you need to. To see a list, type: `sfdisk -l`

echo -e "/dev/sda1: start=1M,size=100M,bootable\n/dev/sda2: start=101M" | sfdisk --quiet --label dos /dev/sda

== Create device nodes ==

mdev -s

== Create the /boot filesystem ==

mkfs.ext4 /dev/sda1

== Create the root filesystem using zfs ==

modprobe zfs
zpool create -f -o ashift=12 \
-O acltype=posixacl -O canmount=off -O compression=lz4 \
-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
-O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase \
-O mountpoint=/ -R /mnt \
rpool /dev/sda2

You will have to enter your passphrase at this point. Choose wisely, as your passphrase is most likely [https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#5-security-aspects the weakest link in this setup].

A few notes on the options supplied to zpool:

- `ashift=12` is recommended here because many drives today have 4KiB (or larger) physical sectors, even though they present 512B logical sectors

- `acltype=posixacl` enables POSIX ACLs globally

- `normalization=formD` eliminates some corner cases relating to UTF-8 filename normalization. It also enables `utf8only=on`, meaning that only files with valid UTF-8 filenames will be accepted.

- `xattr=sa` vastly improves the performance of extended attributes, but is Linux-only. If you care about using this pool on other OpenZFS implementation don't specify this option.

After completing this, confirm that the pool has been created:

# zpool status

Should return something like:

pool: rpool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
sda2 ONLINE 0 0 0

errors: No known data errors

== Create the required datasets and mount root ==

zfs create -o mountpoint=none -o canmount=off rpool/ROOT
zfs create -o mountpoint=legacy rpool/ROOT/alpine
mount -t zfs rpool/ROOT/alpine /mnt/

== Mount the `/boot` filesystem ==

mkdir /mnt/boot/
mount -t ext4 /dev/sda1 /mnt/boot/

=== Enable ZFS' services ===

rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit

== Install Alpine Linux ==

setup-disk /mnt
dd if=/usr/share/syslinux/mbr.bin of=/dev/sda # write mbr so we can boot

== Reboot and enjoy! ==

😉

'''NOTE:'''
If you went with the optional step, be sure to disable root login after you reboot.

Root on ZFS with native encryption

2020-07-11T22:54:09Z

Subalpine: update to reflects steps for latest version v3.12

= Setting up Alpine Linux using ZFS with a pool that uses ZFS' native encryption capabilities =

== Download ==

Download the '''extended'' release from https://www.alpinelinux.org/downloads/ as only it contains the zfs kernel mods at the time of this writing (2020.07.10)

Write it to a USB and boot from it.

== Initial setup ==

Run the following

setup-alpine

Answer all the questions, and hit ctrl-c when promted for what disk you'd like to use.

== OPTIONAL ==

This section is optional and it assumes internet connectivity. You may enable sshd so you can ssh into the box and copy and paste the rest of the commands into my terminal window from these instructions.

Edit `/etc/ssh/sshd_config` and search for `Permit`. Change the value after `PermitRootLogin` to read `yes`

save and exit to shell. Run `service sshd restart`

Now you can ssh in as root. Do not forget to go back and comment this line out when you're done since it will be enabled on your resulting machine. You will be reminded again at the end of this doc.

== Add needed packages ==

apk add zfs sfdisk e2fsprogs syslinux

== Create our partitions ==

We're assuming `/dev/sda` here and in the rest of the document but you can use whatever you need to. To see a list, type: `sfdisk -l`

echo -e "/dev/sda1: start=1M,size=100M,bootable\n/dev/sda2: start=101M" | sfdisk --quiet --label dos /dev/sda

== Create device nodes ==

mdev -s

== Create the /boot filesystem ==

mkfs.ext4 /dev/sda1

== Create the root filesystem using zfs ==

modprobe zfs
zpool create -f -o ashift=12 \
-O acltype=posixacl -O canmount=off -O compression=lz4 \
-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
-O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase \
-O mountpoint=/ -R /mnt \
rpool /dev/sda2

You will have to enter your passphrase at this point. Choose wisely, as your passphrase is most likely [https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#5-security-aspects the weakest link in this setup].

A few notes on the options supplied to zpool:

- `ashift=12` is recommended here because many drives today have 4KiB (or larger) physical sectors, even though they present 512B logical sectors

- `acltype=posixacl` enables POSIX ACLs globally

- `normalization=formD` eliminates some corner cases relating to UTF-8 filename normalization. It also enables `utf8only=on`, meaning that only files with valid UTF-8 filenames will be accepted.

- `xattr=sa` vastly improves the performance of extended attributes, but is Linux-only. If you care about using this pool on other OpenZFS implementation don't specify this option.

After completing this, confirm that the pool has been created:

# zpool status

Should return something like:

pool: rpool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
sda2 ONLINE 0 0 0

errors: No known data errors

== Create the required datasets and mount root ==

zfs create -o mountpoint=none -o canmount=off rpool/ROOT
zfs create -o mountpoint=legacy rpool/ROOT/alpine
mount -t zfs rpool/ROOT/alpine /mnt/

== Mount the `/boot` filesystem ==

mkdir /mnt/boot/
mount -t ext4 /dev/sda1 /mnt/boot/

=== Enable ZFS' services ===

rc-update add zfs-import sysinit
rc-update add zfs-mount sysinit

== Install Alpine Linux ==

setup-disk /mnt
dd if=/usr/share/syslinux/mbr.bin of=/dev/sda # write mbr so we can boot

== Reboot and enjoy! ==

😉

'''NOTE:'''
If you went with the optional step, be sure to disable root login after you reboot.

Root on ZFS with native encryption

2020-07-08T03:16:48Z

Subalpine: replace linux-vanilla with linux-lts

= Introduction =

This documentation describes how to set up Alpine Linux using ZFS with a pool that uses ZFS' native encryption capabilities, which have been recently introduced in ZFS on Linux (ZoL) 0.8.0.

Note that you must install the <code>/boot/</code> directory on an unencrypted partition (either an unencrypted ZFS pool or any other FS of your choosing, if it's compatible with your bootloader) to boot correctly.

== Requirements ==

You'll need a medium to put a live image on. You can use any live medium that supports ZoL >=0.8.x, but as of writing this it's easiest to use [https://ubuntu.com/download/desktop Ubuntu 19.10], which comes with ZFS pre-installed.

== Hard Disk Device Name ==

The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples. It also uses <code>rpool</code> as name of the root pool, you can change this at will, but be sure to change it everywhere it's mentioned.

= Setting up Alpine Linux Using ZFS with native encryption =

To install Alpine Linux in a ZFS pool with encryption enable, you cannot use the [[Installation|official installation]] procedure, so follow along this guide.

== Creating the Partition Layout ==

Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted ZFS pool.

* Start the <code>fdisk</code> utility to set up partitions:

# fdisk /dev/sda

:* Create the <code>/boot/</code> partition:
::* Enter <code>n</code> → <code>p</code> → <code>1</code> → <code>1</code> → <code>100m</code> to create a new 100 MB primary partition.

:* Set the <code>/boot/</code> partition active:
::* Enter <code>a</code> → <code>1</code>.

:* Create the ZFS partition:
::* Enter <code>n</code> → <code>p</code> → <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.

:* To verify the settings, press <code>p</code>. The output shows, for example:
<pre>
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 206847 204800 100M 83 Linux
/dev/sda2 206848 41943039 41736192 19.9G 83 Linux
</pre>
* Press <code>w</code> to save the changes.

== Setting up the root pool ==

You can create your rootpool with the following command:

# zpool create -o ashift=12 \
-O acltype=posixacl -O canmount=off -O compression=lz4 \
-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
-O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase \
-O mountpoint=/ -R /mnt \
rpool /dev/sda2

You will have to enter your passphrase at this point. Choose wisely, as your passphrase is most likely [https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#5-security-aspects the weakest link in this setup].

A few notes on the options supplied to zpool:

* <code>ashift=12</code> is recommended here because many drives today have 4KiB (or larger) physical sectors, even though they present 512B logical sectors

* <code>acltype=posixacl</code> enables POSIX ACLs globally

* <code>normalization=formD</code> eliminates some corner cases relating to UTF-8 filename normalization. It also enables <code>utf8only=on</code>, meaning that only files with valid UTF-8 filenames will be accepted.

* <code>xattr=sa</code> vastly improves the performance of extended attributes, but is Linux-only. If you care about using this pool on other OpenZFS implementation don't specify this option.

After completing this, confirm that the pool has been created:

# zpool status

Should return something like:
<pre>
pool: rpool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
sda2 ONLINE 0 0 0

errors: No known data errors
</pre>

=== Creating the required datasets ===

# zfs create -o mountpoint=none -o canmount=off rpool/ROOT
# zfs create -o mountpoint=legacy rpool/ROOT/alpine
# mount -t zfs rpool/ROOT/alpine /mnt/

=== Creating optional datasets (feel free to add your own) ===

# zfs create -o mountpoint=/home rpool/HOME
# zfs create -o mountpoint=/var/log rpool/LOG

== Creating the <code>/boot</code> filesystem ==

# mkfs.ext4 /dev/sda1

== Mounting the <code>/boot</code> filesystem ==

* Create the <code>/mnt/boot/</code> directory and mount the <code>/dev/sda1</code> partition in this directory:

# mkdir /mnt/boot/
# mount -t ext4 /dev/sda1 /mnt/boot/

== Installing Alpine Linux ==

Please follow [[Installing_Alpine_Linux_in_a_chroot|Installing Alpine Linux in a chroot]] to setup a base install of Alpine Linux.

After you've followed that guide, you still have to do some additional setup for ZFS:

* As of the time of writing this ZFS 0.8.x is only available in [[Edge]], so you'll have to enable it in <code>/etc/apk/repositories</code>. Check [https://pkgs.alpinelinux.org/packages?name=zfs pkgs.alpinelinux.org] to see the status of this.

* Install the ZoL and linux-lts package: <code>apk add linux-lts zfs</code>

* Enable ZFS' services:

# rc-update add zfs-import sysinit
# rc-update add zfs-mount sysinit

* Edit the <code>/etc/mkinitfs/mkinitfs.conf</code> file and append <code>zfs</code> module to the <code>features</code> parameter:

features="ata base ide scsi usb virtio ext4 lvm zfs"

Be mindful to also include other modules which may be required for your setup, such as the <code>nvme</code> module.

* Rebuild the initial RAM disk:

# mkinitfs $(ls /lib/modules/)

* Edit the <code>/etc/update-extlinux.conf</code> file, set the root ZFS dataset and append the following kernel options to the <code>default_kernel_opts</code> parameter:

root=rpool/ROOT/alpine
default_kernel_opts="... rootfstype=zfs"

* Update extlinux's config (if you're not using a different bootloader)

# update-extlinux
# exit

: Ignore the errors the <code>update-extlinux</code> utility displays.

* Write the MBR to the <code>/dev/sda</code> device:

# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda

== Unmounting the filesystems ==

* Unmount <code>/mnt/boot/</code>:

# umount /mnt/boot/

* Unmount all zfs filesystems:

# zfs unmount -a

* Reboot the system:

# reboot

== Booting the system ==

Right now mkinitfs doesn't support ZFS asking for passwords during boot, so it'll throw you into a rescue shell for you to enter the password during boot. You have to do the following things after pressing enter:

# zfs load-key -a
# mount -t zfs rpool/ROOT/alpine /sysroot
# exit

And your system should continue booting! :)

= Troubleshooting =

== General Procedure ==

In case your system fails to boot, you can verify the settings and fix incorrect configurations:

* [[#Preparing_the_Installation_Environment|Preparing the Installation Environment]]

* Load the ZFS kernel module:

# modprobe zfs

* [[#Mounting_the_File_Systems|Mount the file systems]]

# zpool import -R /mnt rpool
# mount -t ext4 /dev/sda1 /mnt/boot

* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.

[[Category:Storage]]
[[Category:Security]]

Alpine Linux in a chroot

2020-07-08T03:01:54Z

Subalpine: need to add syslinux pkg to be able to add mbr

{{TOC right}}

Inside the chroot environment, you can build, debug, and run alpine packages or develop things. It's the most known way to do so if one wants not to trash their main Alpine system.

This document explains how to set up an [[Alpine_newbie#Developer|Alpine build environment]] in a chroot under a host Linux distro, can also be used to install Alpine Linux from a non-Alpine Linux livecd.

== Requirements ==

* Working Linux instalation where to perform all the process
* Linux kernel 2.6.22, with <code>wget</code> and <code>chroot</code> installed
* target media with at least 100M, 900MB for more complete solution as minimum
* internet connection

== Prerequisites ==

The variables below:

*'''${chroot_dir}''' = Should point to the chroot directory where you
*'''${mirror}''' = Should be replaced with [http://nl.alpinelinux.org/alpine/MIRRORS.txt one of the available Alpine Linux mirrors].
*'''${arch}''' = Should be the cpu architecture like x86 (i386) or amd64(x86_64)..

== Set up APK ==

Download the latest apk static package (replace <tt>${version}</tt> with actual version):

{{Cmd|wget ${mirror}/latest-stable/main/${arch}/apk-tools-static-${version}.apk}}

.apk packages are just gzipped tarballs, unpack using:
{{Cmd|tar -xzf apk-tools-static-*.apk}}

== Install the alpine base installation onto the chroot ==

{{Cmd|./sbin/apk.static -X ${mirror}/latest-stable/main -U --allow-untrusted --root ${chroot_dir} --initdb add alpine-base}}

== Set up the chroot ==

Before made and enter into the chrooted system must be prepared with device nodes and tempfs :

===== Method 1.A fast way: using bind mount =====

{{Note|Mounts with bind, can mount in read-only the /dev at the alpine chroot so due limited will not touch the access time of the host system}}

{{Cmd|mount /dev/ ${chroot_dir}/dev/ --bind
mount -o remount,ro,bind ${chroot_dir}/dev
}}

If you need SCSI or R/W access only do the first command, mounting with "ro" makes more secure your chroot.

===== Method 1.B manual way: creating need nodes =====

{{Warning|Manually creating devices will only provide those representation that you have created.. for auto availability use bind mounts}}

{{Cmd|mknod -m 666 ${chroot_dir}/dev/full c 1 7
mknod -m 666 ${chroot_dir}/dev/ptmx c 5 2
mknod -m 644 ${chroot_dir}/dev/random c 1 8
mknod -m 644 ${chroot_dir}/dev/urandom c 1 9
mknod -m 666 ${chroot_dir}/dev/zero c 1 5
mknod -m 666 ${chroot_dir}/dev/tty c 5 0}}

If you need SCSI disc access:

{{Cmd|mknod -m 666 ${chroot_dir}/dev/sda b 8 0
mknod -m 666 ${chroot_dir}/dev/sda1 b 8 1
mknod -m 666 ${chroot_dir}/dev/sda2 b 8 2
mknod -m 666 ${chroot_dir}/dev/sda3 b 8 3
mknod -m 666 ${chroot_dir}/dev/sda4 b 8 4
mknod -m 666 ${chroot_dir}/dev/sda5 b 8 5
mknod -m 666 ${chroot_dir}/dev/sda6 b 8 6
mknod -m 666 ${chroot_dir}/dev/sdb b 8 16
mknod -m 666 ${chroot_dir}/dev/sdb1 b 8 17
mknod -m 666 ${chroot_dir}/dev/sdb2 b 8 18
mknod -m 666 ${chroot_dir}/dev/sdb3 b 8 19
mknod -m 666 ${chroot_dir}/dev/sdb4 b 8 20
mknod -m 666 ${chroot_dir}/dev/sdb5 b 8 21
mknod -m 666 ${chroot_dir}/dev/sdb6 b 8 22}}

==== Made available proc and sys fs ====

{{Cmd|mount -t proc none ${chroot_dir}/proc
mount -o bind /sys ${chroot_dir}/sys}}

==== Make networking resolution access ====

A resolv.conf is needed for name resolution:

{{Cmd|cp -L /etc/resolv.conf ${chroot_dir}/etc/
mkdir -p ${chroot_dir}/root}}

If you don't want to copy the resolv.conf from the local machine, you can create a new one using OpenDNS servers (or any other):
{{Cmd|echo -e 'nameserver 8.8.8.8\nnameserver 2620:0:ccc::2' > ${chroot_dir}/etc/resolv.conf}}

==== prepare the apk sources software ====

Set up APK mirror (replace <tt>${branch}</tt> with the latest stable branch name, e.g. v3.3):

{{Cmd|mkdir -p ${chroot_dir}/etc/apk
echo "${mirror}/${branch}/main" > ${chroot_dir}/etc/apk/repositories}}

== Mastering your chroot ==

The chroot methods are commonly used to have alpine in a portion of a already made directory, not forced to be a entire partion, that means Alpine can be in a very minimal directory indise the same partition of a Debian installed linux inclusively, so that why the chroot process does not included the boot method.

So then the following commands will described the need procedures only if the chroot instalation was made to a dedicated partition for and not to a directory inside another linux installed.

{{Warning|so then by the explained reasons, at this point, Alpine has been succesfully installed onto the chroot directory '''but still not able to boot it'''. }}

==== Entering your chroot ====

Take in consideration that the chroot command are only running as root, no stupid sudo tools are recommended for that.

{{Cmd|chroot ${chroot_dir} ash -l}}

==== Perform init process ====

Need to add some minimal initscripts to appropriate runlevels:

{{Cmd|rc-update add devfs sysinit
rc-update add dmesg sysinit
rc-update add mdev sysinit

rc-update add hwclock boot
rc-update add modules boot
rc-update add sysctl boot
rc-update add hostname boot
rc-update add bootmisc boot
rc-update add syslog boot

rc-update add mount-ro shutdown
rc-update add killprocs shutdown
rc-update add savecache shutdown}}

==== Make bootable the install ====

WIP:

{{Warning|Run only this if Alpine was installed to a dedicated partiton mounted at the <nowiki>${chroot_dir}</nowiki> directory, becose at this point, Alpine has been succesfully installed onto the chroot directory '''but still not able to boot it'''. }}

{{Cmd|<nowiki>apk add syslinux
dd if=/usr/share/syslinux/mbr.bin of=/dev/sda</nowiki>}}

Be care of that /dev/sda are the same disk where destination partition was mounted to <nowiki>${chroot_dir}</nowiki>.

= Troubleshooting =

== hardened kernels or alpine as chroot host ==

If you are using Alpine as a Native build system you will have to make sure that chroot can run chmod. Add following to <code>/etc/sysctl.conf</code>

<code>kernel.grsecurity.chroot_deny_chmod = 0</code>

Then run the following command

<code>sysctl -p</code>

== chroot: cannot run command ' ... Exec format error ==

This usually indicates that you booted with one architecture (e.g. armf) and are trying to chroot into another (e.g. x86_64). If you plans to make chroot into another installation must use same arch for both host and hosted chrooted!

Note that with '''one exception you can run 32 bit x86 chroot in x86_64, but not viceversa'''!

== WARNING: Ignoring APKINDEX.xxxx.tar.gz ==

Make sure <code>${chroot_dir}/etc/apk/repositories</code> is valid and inside the chroot run:

<code>apk update</code>

= External links =

* You can also use script [https://github.com/alpinelinux/alpine-chroot-install/ alpine-chroot-install]
* https://web.archive.org/web/20190808203313/https://isc.sans.edu/forums/diary/Forensic+use+of+mount+bind/22854/
* Alpine Linux in a chroot on Fedora : http://git.alpinelinux.org/cgit/user/fab/scripts/tree/alpine-chroot.sh script
* Alpine Linux aarch64 in a chroot on AWS Linux : https://gist.github.com/emolitor/0567e51c0ce04f4b025fc78d2cf0b4f1 script

[[Category:Installation]]
[[category: System Administration]]