[HN Gopher] ZFSBootMenu
___________________________________________________________________
ZFSBootMenu
Author : denysonique
Score : 63 points
Date : 2023-08-13 20:13 UTC (2 hours ago)
(HTM) web link (docs.zfsbootmenu.org)
(TXT) w3m dump (docs.zfsbootmenu.org)
| dsp_person wrote:
| I was looking at using this for my arch zfs-on-root setups, but
| I've instead just been hacking on /etc/grub.d/10_linux and
| /lib/initcpio/hooks/zfs to get the boot menu setup I want with
| grub. I like the simplicity of it this way with less dependencies
| (especially otherwise needing to use AUR for the zfsbootmenu
| build or use the pre-built binary blob).
|
| One concern I had with zfsbootmenu was I couldn't figure out how
| to load microcode. With kexec, zfsbootmenu can only load one
| image and late loading microcode may be "dangerous" [1]. I don't
| know practically if that is a real security issue or not. I tried
| cat'ing my images together as below, but it still didn't work for
| me:
|
|   mv initramfs-linux.img initramfs-linux.img.orig
|   cat intel-ucode.img initramfs-linux.img.orig > initramfs-linux.img
|
| [1] https://docs.kernel.org/arch/x86/microcode.html#why-is-late-...
| E39M5S62 wrote:
| There shouldn't be any issues catting the real initramfs with
| microcode into another file. I do that, as does another ZBM
| developer. What do you see when you try it?
|
| I started ZBM years ago by hacking on the same grub script,
| then progressed to what it is now!
| dsp_person wrote:
| When I booted normally with the concatenated image (making sure
| to remove the original microcode img from the grub.cfg initrd
| command), I booted and I confirmed the microcode loaded with
| (dmesg | grep microcode).
|
| Then switching to ZBM, while it did boot with the
| concatenated image, I didn't see microcode loaded in dmesg.
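One thing worth checking before blaming the bootloader is the layout of the concatenated file itself: the kernel only picks up early microcode if the image starts with an uncompressed newc cpio archive containing kernel/x86/microcode/GenuineIntel.bin (or AuthenticAMD.bin), with the real initramfs following it. The script below is an added example, not code from the thread or from ZFSBootMenu; it includes a small newc cpio writer so it can construct stand-in images offline, and a checker that reports whether a given image has that layout. The fake microcode bytes and the fake initramfs contents are constructed for the demo.

```python
"""Added check (not from the thread or ZFSBootMenu): does a concatenated
initramfs start with an uncompressed newc cpio that carries early-load
microcode under kernel/x86/microcode/, the layout the kernel scans for
early (as opposed to late) microcode loading?"""
import gzip

MAGIC = b"070701"                     # newc cpio header magic
GZIP_MAGIC = b"\x1f\x8b"
UCODE_DIR = "kernel/x86/microcode/"   # directory the kernel looks in


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a multiple of four."""
    return (4 - n % 4) % 4


def cpio_newc_entry(name: str, data: bytes, mode: int = 0o100644) -> bytes:
    """Encode one newc member: magic, 13 eight-digit hex fields, name, data."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = (1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    hdr = MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    hdr += b"\0" * _pad4(len(hdr))            # header+name padded to 4
    return hdr + data + b"\0" * _pad4(len(data))   # data padded to 4


def build_cpio(files: dict) -> bytes:
    """Uncompressed newc archive of {name: bytes}, closed by TRAILER!!!."""
    body = b"".join(cpio_newc_entry(n, d) for n, d in files.items())
    return body + cpio_newc_entry("TRAILER!!!", b"", mode=0)


def make_fake_initramfs(files: dict) -> bytes:
    """Constructed stand-in for a real (gzip-compressed) initramfs."""
    return gzip.compress(build_cpio(files))


def read_cpio(blob: bytes, base: int = 0):
    """Walk the newc archive starting at `base`; return (member names,
    offset just past its trailer). Raises ValueError if no archive is there."""
    names, off = [], base
    while True:
        if blob[off:off + 6] != MAGIC:
            raise ValueError(f"no newc header at offset {off}")
        hdr = blob[off:off + 110].decode("ascii")
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[off + 110:off + 110 + namesize - 1].decode()
        data_off = off + 110 + namesize
        data_off += _pad4(data_off - base)       # name padded to 4 bytes
        off = data_off + filesize
        off += _pad4(off - base)                 # data padded to 4 bytes
        if name == "TRAILER!!!":
            return names, off
        names.append(name)


def early_microcode_status(image: bytes) -> dict:
    """Report whether `image` has the early-microcode layout."""
    if image[:2] == GZIP_MAGIC:
        return {"early_cpio": False,
                "reason": "image starts compressed; the microcode cpio "
                          "must come first and be uncompressed"}
    if image[:6] != MAGIC:
        return {"early_cpio": False, "reason": "no newc cpio at offset 0"}
    names, end = read_cpio(image)
    return {"early_cpio": True,
            "microcode": [n for n in names if n.startswith(UCODE_DIR)],
            "rest_is_gzip": image[end:end + 2] == GZIP_MAGIC}


if __name__ == "__main__":
    # Constructed inputs: a fake Intel microcode cpio and a fake initramfs.
    ucode = build_cpio({UCODE_DIR + "GenuineIntel.bin": b"\x01" * 64})
    initramfs = make_fake_initramfs({"init": b"#!/bin/sh\nexec /sbin/init\n"})
    for label, image in (("ucode first", ucode + initramfs),
                         ("initramfs first", initramfs + ucode)):
        print(label, "->", early_microcode_status(image))
```

Run it against a real file with `early_microcode_status(open("/boot/initramfs-linux.img", "rb").read())`: if the result says the image starts compressed, the concatenation order was wrong or the microcode archive was compressed; if it lists no member under kernel/x86/microcode/, the first archive is not a microcode cpio at all. Both cases explain a missing "microcode" line in dmesg without involving the bootloader.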
| aborsy wrote:
| Does ZFSBootMenu allow for entering encryption password remotely
| on encrypted root?
| nisa wrote:
| Yes, you can add an SSH server or set up networking in zfsbootmenu
| and use keylocation=https.
| E39M5S62 wrote:
| Yes - both Dracut and mkinitcpio allow you to embed an SSH
| server in the ZFSBootMenu initramfs (dropbear, or OpenSSH) and
| connect to it. Once you connect, you can access the main
| interface and unlock any datasets prior to kexec.
|
| https://docs.zfsbootmenu.org/en/v2.2.x/guides/general/remote...
| londons_explore wrote:
| It seems lame that UEFI firmware needs to 'mount' a filesystem to
| load a bootloader.
|
| That bootloader needs to mount a filesystem to find the kernel.
|
| The kernel needs to mount the filesystem to run the system.
|
| Each of those mount operations is done with different code, and
| normally each involves some config or search process to find the
| right disk/partition. If any of the searches finds the wrong
| partition or is misconfigured, you get a boot failure.
|
| It really feels like the boot process is more complex than it
| needs to be, with more opportunities for failure than necessary.
| jeroenhd wrote:
| There's not really a way around it unless you hardcode the
| bootloader rather than store it on disk.
|
| That said, there are only two steps in the modern boot process
| on a PC: the UEFI firmware loading a basic FAT driver and the
| kernel mounting the other filesystems. The UEFI bootloader can
| use the existing FAT driver to load the kernel and the
| initramfs which will use the same code to mount partitions.
|
| You can skip the UEFI bootloader and directly boot unified
| kernel images after putting them on the UEFI partition.
| E39M5S62 wrote:
| That's where ZBM is maybe a slight improvement. Once it's
| loaded from your ESP, it's Linux and OpenZFS all the way down.
| It auto-discovers all bootable environments each boot, and
| automatically constructs the kernel command line for your
| system - pointing the kernel to the right ZFS filesystem with
| the right module/other arguments.
|
| Since there really aren't static configuration files, there's
| not nearly as many places for things to go wrong.
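To make the "no static configuration files" point concrete, here is an added example (not ZFSBootMenu's own code) of discovering boot environments from dataset properties alone and deriving a kernel command line for each. It parses constructed `zfs list -H` output; the selection rule (mountpoint=/ and canmount not off), the `root=zfs:<dataset>` form, the `org.zfsbootmenu:commandline` property and the default arguments are all assumptions made for this demo rather than a description of what ZBM does internally.

```python
"""Added example (not ZFSBootMenu's code): discover boot environments from
dataset properties rather than a static config file, and derive a kernel
command line for each. The selection rule (mountpoint=/ and canmount!=off)
and the org.zfsbootmenu:commandline property are assumptions for this demo."""
from dataclasses import dataclass

# Constructed sample of:
#   zfs list -H -o name,mountpoint,canmount,org.zfsbootmenu:commandline
# (-H gives tab-separated rows; an unset user property prints as "-")
SAMPLE_ZFS_LIST = (
    "zroot\t/zroot\ton\t-\n"
    "zroot/ROOT\tnone\toff\t-\n"
    "zroot/ROOT/arch\t/\tnoauto\tquiet loglevel=3\n"
    "zroot/ROOT/arch-old\t/\tnoauto\t-\n"
    "zroot/ROOT/broken\t/\toff\t-\n"
    "zroot/home\t/home\ton\t-\n"
)
DEFAULT_CMDLINE = "quiet loglevel=4"   # assumed fallback when the property is unset
COLUMNS = ("name", "mountpoint", "canmount", "commandline")


@dataclass
class BootEnv:
    dataset: str
    cmdline: str


def parse_zfs_list(text: str) -> list:
    """Turn `zfs list -H` output into a list of row dicts."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(COLUMNS):
            raise ValueError(f"line {lineno}: expected {len(COLUMNS)} "
                             f"columns, got {len(parts)}")
        rows.append(dict(zip(COLUMNS, parts)))
    return rows


def discover_boot_envs(rows: list) -> list:
    """Pick datasets that would mount as / and can be mounted at all;
    build root=zfs:<dataset> plus the per-dataset extra arguments."""
    envs = []
    for r in rows:
        if r["mountpoint"] != "/" or r["canmount"] == "off":
            continue
        extra = DEFAULT_CMDLINE if r["commandline"] == "-" else r["commandline"]
        envs.append(BootEnv(r["name"], f"root=zfs:{r['name']} {extra}"))
    return envs


if __name__ == "__main__":
    for be in discover_boot_envs(parse_zfs_list(SAMPLE_ZFS_LIST)):
        print(f"{be.dataset:24} {be.cmdline}")
```

The design point is that every input comes from properties the filesystem already carries: a dataset cloned from a snapshot becomes a boot entry the moment it exists, and a dataset with canmount=off disappears from the menu without anyone editing a config file.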
| anotherhue wrote:
| I used the FreeBSD version of this. I'm a shill at this point, but
| I find nixos booting to an ephemeral tmpfs to be much better.
|
| This wouldn't apply if you needed to have divergent state, though
| it's hard to imagine a use case for that unhandled by fs
| snapshots.
| nisa wrote:
| Kudos to everyone involved in this! Love everything about this.
| Using it on my notebook, on dedicated servers rented at Hetzner
| as well as on Hetzner-Cloud, as well as on a bunch of dedicated
| servers in a rack. Solves almost all problems related to ZFS and
| Linux. Booting this from SYSLINUX works very well as well as UEFI
| - it's extensible and you can run it with the ZFS git version if
| you use the generate-zbm command. Saved my ass quite a few times
| already.
| SushiHippie wrote:
| May I ask how you use this on the dedicated server?
| wongarsu wrote:
| Hetzner's dedicated servers give you KVM access for stuff
| like tweaking your bios settings, installing an OS, or I
| guess using your boot menu. You have to request them via
| support ticket, but last time I did that I got it within 5
| minutes, no questions asked.
|
| If you have your own server in a rack somewhere chances are
| you bought one with a similar web interface
| (IPMI/BMC/whatever your brand calls it) on a separate always-
| on NIC on the mainboard.
|
| https://docs.hetzner.com/robot/dedicated-server/maintainance...
| codetrotter wrote:
| When I installed FreeBSD on my Hetzner servers, I did so by
| booting the servers into the Linux based rescue mode and
| then I think I used dd to write the mfsBSD media onto one
| of the hard drives.
|
| This way I didn't have to request KVM access for my
| servers.
|
| Perhaps a similar method can be used in order to install
| ZFSBootMenu.
| prabir wrote:
| Been using this for arch
| https://github.com/prabirshrestha/simple-arch-installer and
| server https://github.com/prabirshrestha/simple-ubuntu-installer
| with remote ssh unlock for zfs encryption.
___________________________________________________________________
(page generated 2023-08-13 23:00 UTC)