Skip to content

initramfs with optional RAID, LUKS, LVM, ToI, AUFS+squashfs, ZFS, zram support

License

Notifications You must be signed in to change notification settings

simonbuehler/mkinitramfs-ll

 
 

Repository files navigation

$Header: mkinitramfs-ll/README.textile,v 0.14.2 2014/10/10 10:59:54 -tclover Exp $

“an initramfs with *optional RAID (dmraid/mdadm), DM-Crypt LUKS, LVM,
TuxOnIce, AUFS+squashfs, ZFS, zram support; and maybe much more; and
with a handfull zsh and bash set of scripts to get going easily and quickly.”

BIG FAT NOTE: SUPPORTED BLOCK DEVICE STACK IS:
[RAID][LUKS][LVM] or [LUKS]+[ZFS]

It is possible to add ZFS on the first stack variant, but it does not make any
sense and expect horrible performance with such a mix bag. And this variant is
not implemented although it could be done easily.

The order of LUKS/LVM can be changed, that is LUKS+LVM or LVM+LUKS is possible.

WARNING: USE AT YOUR OWN RISK! EVERYTHING IS GIVEN “AS IS”, SEE COPYRIGHT FILE

1. Getting an intramfs quickly and ready

If you have a static busybox binary you can make an initramfs in matter
of secondes with locales settings: keymap and consolefont, in addition
to media-fonts/terminus-font if you use the associated ebuild
or if you have that package installed.

*WARNING: no static busybox support require a very minimal effort, however,
this is discrouraged as it could lead easily to kernel panics without care.

If you want GnuPG support, yo should have an app-crypt/gnupg-1.4*[static]
binary along with its options.skel file.
Or if you run Gentoo you can run either gnupg.{ba,z}sh to generate one.

gnupg.zsh will build a binary in the current directory
(with a usr/bin/gpg and usr/share/gnupg/options.skel) if not installed
or else in /usr/local/mkiniramfs-ll/ directory if installed.
Or else, run the bash script counterpart to get build a binary.

And then run mkinitramfs-ll.$shell -a -fter-g14n -yfr to build an initramfs.
The appended font and keymap will be the default if there is no ikmap kernel
cmdline argument.

Of course, one can append extra fonts and keymaps with -f:ter-g12n -y:fr-latin1
etc. and the -a option depend on mkinitramfs-ll.conf
so one can put many sane default values there.

One can get more info on the scripts by running $script -h

2.1 Optional kernel cmdline option or arguments

Only iroot is required else nothing will happen but a kernel panic.
And of course, when using this script, one does not need root=<arg>
nor resume=<arg> kernel command line options.

KERNEL-COMMAND-LINE-ARG: iroot=<PV|VG-LV>[:<fs>:chk]
DESCRIPTION: root block device, required,
recommanded optional file system check :[<filesystem>]:[c|chk|yes|1|...]
EXAMPLE: iroot=vg-root:ext4:1 for an ext4 rootfs in LVM (Volume Group is named vg),
or iroot=POOL/ROOT izfs=yes for a zfs rootfs (ROOT) in a pool called POOL.

Note: :[no|NO:No:false:FALSE:0] instead of :[c|chk|true|TRUE|yes|YES:1]
will disable a die after fsck failure.

KERNEL-COMMAND-LINE-ARG: imopt=<ro,inode64,...>
DESCRIPTION: optional rootfs mount options
EXAMPLE: imopt=inode64,noatime,ro for xfs file system@

KERNEL-COMMAND-LINE-ARG: imount=</usr:/var:...>
DESCRIPTION: mount /usr:/var using the included /etc/fstab
EXAMPLE: imount=/usr

Note: imount can be used to mount /usr:/var … using /etc/fstab.
Nothing more is required if using unencrypted volume.
However, if using LVM and/or LUKS and/or RAID array, one should make sure
that the underlaying volume are available before level 4m.

KERNEL-COMMAND-LINE-ARG: imod=<uvesafb:kms:...>
DESCRIPTION: optional kernel modules to load (in the boot group)
EXAMPLE: imod=kms:uvesafb
EXAMPLE: if using the building scripts one can append imod=kms for basic
kms related drivers group (one can append extra modules to opts[-mkms] in
mkinitramfs-ll.conf if need b).

KERNEL-COMMAND-LINE-ARG: ikmap=<kmap>[:<font>]
DESCRIPTION: optional keymap and font to load, handy for passwords
EXAMPLE: ikmap=fr-x86_64.bin:ter-g12n.psf

KERNEL-COMMAND-LINE-ARG: irsh=<n>|:<m>
DESCRIPTION: interrupt init and drop to a Rescue SHell (<n> level);
or pass <m> run level to real init if present
EXAMPLE: irsh=3s drop to 3s (before squahsd()) init level,
or irsh=:1 pass 1, so single to real init

KERNEL-COMMAND-LINE-ARG: rescue|rescueshell|RSH|RSHELL
DESCRIPTION: drops directly into a minimal shell
EXAMPLE: RSH

Note: one can exit a rescue shell and then resume booting !
Type in exit and hit Enter

KERNEL-COMMAND-LINE-ARG: ilvm=<map-PV>,...,<map-PV>
DESCRIPTION: LVM argument <mapping-PV> is collon ‘:’ separated list of PVs of
a Volume Group; and comma ‘,’ separated list of VG: 1st for root, 2nd for swap
and the 3rd for resume. Hence one can append commas to asign a particular group.
EXAMPLE: lvm=pva-sda1:pvb-sdb1,pvc-sda1 assigne a single PV to swap group,
and two PVs to root group with its mappings.

Note: This argument is used only in case of dm-crypt LUKS crypted PVs.
Unencrypted PVs do not require this!
Asingle character or word is sufficient in that case.

KERNEL-COMMAND-LINE-ARG: iraid=<array>+UUID=<uuid>[|<p>|<f>]
DESCRIPTION: comma separated list of arrays for root, swap and resume
EXAMPLE: iroot=md1 iraid=sd[ab]+UUID=<uuid>

KERNEL-COMMAND-LINE-ARG: iswap=<type>:<VG-LV>[:signature]
DESCRIPTION: the equivalent of iroot for swap
EXAMPLE: e.g. iswap=swap:sda2 for an unencrypted swap device

KERNEL-COMMAND-LINE-ARG: iresume=<type>:<VG-LV>[:signature]
DESCRIPTION: the equivalent of iroot for resume, to resume from the already
swap passed in the command line, one need only a iresume=swap cmdline.
EXAMPLE: e.g. iresume=file:<VG-LV>[:<signature>] for a swapfile in a Logical Volume

KERNEL-COMMAND-LINE-ARG: ikroot=<mode>:<device>:</path/to/file>
DESCRIPTION: key [file] mode for iroot group
EXAMPLE: ikroot=gpg:sdc1:/key.gpg for a GnuPG crypted key file in sdc1

KERNEL-COMMAND-LINE-ARG: ikswap=<mode>:<device>:</path/to/file>
DESCRIPTION: key [file] mode for iswap group
EXAMPLE: iswap=reg:sdb1:/key.reg for a regular key file in root of sdb1

KERNEL-COMMAND-LINE-ARG: ikresume=<mode>:<device>:</path/to/key/file>
DESCRIPTION: key [file] mode for iresume group
EXAMPLE: ikresume=pwd for a password mode

KERNEL-COMMAND-LINE-ARG: isquashd=/var/aufs:+LOCAL:<dir>]
DESCRIPTION: squashed directories, see below for more info
EXAMPLE: isquashd=:+L:var/portage use default local squashed directories,
append var/portage and use default /aufs squash root directory.

KERNEL-COMMAND-LINE-ARG: idebug=ax[:2]
DESCRIPTION: optionaly enable a list of sh (set) options string,
like shell tracing etc.; and otptional dmesg console log level
EXAMPLE: idebug=ax:3 enable shell tracing, export every variable
and set log level to error.

KERNEL-COMMAND-LINE: ihook
DESCRIPTION: execute colon separated list of named hooks or scripts
EXAMPLE: ihook=zram

Note: Nobody would ever want to append zram hook to ihook as zram
script would be executed if izram kernel cmdline argument is present.

init script accept also single, ro, rw and init=/path/to/real/init
kernel cmdline argument and will append single runlevel to real init.

It also support splash=silent,fadein,theme:emergence console=[/dev/]tty1
or splash=silent,fadein,theme:emergenc,tty:1 esplash kernel cmdline arguments.

2.2 About mount options: imopt=<rootfs mount options>

Say, you have a rootfs=xfs[|jsf|reiser|ext*] and want to mount your rootfs
with specific opts. In case of xfs, for exemple, just create your log volume
on a different volume than what you’re logging from and everything is set up—
well if the logging volume is in the swap group—and, in fact, you do
not need a swap volume there—you just use that group as if there were one.

3.1 DM-Crypt LUKS supported key[-file] modes

For volume that are encrypted with a key, setting ikroot and/or ikswap
and/or ikresume is required, otherwise a passphrase is required for each
physical volume as a fall back.

  • <mode>: defines how the init script shall treat the supplied key:
  • gpg: key-file is GnuPG encrypted file
  • ldk: key-file is LUKS encrypted, via loop back device
  • reg: key-file is a regular file
  • pwd: encrypted on a regular passphrase
  • none: handy for unencrypted volumes
  • <device|dev> is a block device that will be assigned to the removable media
  • </path/to/file> is a full path to file inside the removable media

3.2. Notes on DM-Crypt LUKS key modes

  • gpg: GnuPG encrypted key-file support only gnupg-1.4*,
    used as gpg -qd /path/to/keyfile |. One can add a /root/.gnupg/gpg.conf
    in the initramfs root to avoid its creattion on each boot, a simple file
    is already included in the package
  • ldk: encrypted key-file passed to cryptsetup as
    -d /dev/mapper/$(basename /path/to/keyfile) after decryption
  • reg: regular keyfile passed to cryptsetup as -d /path/to/keyfile
  • pwd: regular passphrase: it’s mandatory to append any
    ikroot[|swap|resume]=pwd (fallback keymode for crypted devices)
  • none: unencrypted block device, it’s not mandatory to append this
    key mode: this the default (v0.12.0)

3.3. About device /dev/ prefix and detached DM-Crypt LUKS header

There’s no need to provide any /dev/ prefix for block devices,
blk() will take care of it.
Now one can use UUID=<uuid> or LABEL=<label> instead of
[/dev/]sd[a-z0-9] for any block device or physical volume.
However, a leading plus + is used as a separator for
detached header device|file when using dm-crypt LUKS:
<map-UUID=<uid>[+UUID=<uuid>|</path/to/header/file>]

Each encrypted PV, with a detached header is given like:

  • <sda+sdc> for a detached header to /dev/sdc device
    passed as --header /dev/sdc to dmopen().
  • <sda+/path/to/header/file> for a detached header file
    passed as --header /mnt/tok/path/to/header/file to dmopen().

Note: So in this case, the header file must be in the same removable device
or /boot volume used for key-files.
Because it’ll be too troublesome to make it otherwise.

Warning: Of course, a detached header to a device should use an UUID or a LABEL
instead of to a block device sd[a-z0-9] to avoid header mismatch!

3.4. About uncompressed initramfs

If one need uncompressed initramfs e.g. to integrate directly into the kernel
to be able to self sign the kernel for UEFI, just pass -c'none' to building
script. Just remember to include the initramfs to the kernel .config file:
CONFIG_INITRAMFS_SOURCE=/boot/initramfs-${KV}.cpio.
Of course, one can decompress existant initramfs for this purpose as well.

4.1. RAID array support

iraid argument can take up to 3 comma separated list of RAID arrays:
the 1st for root, 2nd for swap and the 3rd for resume.
Each argument is of the forme <array>+UUID=<uuid>[|<part>|<format>].
<format> is a metadata format used to scan dmraid set and subset
software (ata)raid and <part> a partiton number.

Either way, one can use mdadm software raid like iraid=md<n>+UUID=<uuid>
and optionaly embed or not an config file /etc/mdadm.conf.
Either way iraid is sufficient to enable arrays:

echo ARRAY <array> <uuid> >> /etc/mdadm.conf,
or else, iraid=md<n>+<part> to enable arrays like:
echo ARRAY <array> devices=[/dev/sd*]<part> >> /etc/mdadm.conf,
<part> could be something like /dev/sd[a-d]2|sd[a-d]2|[a-d]2.

Or else, an optional <format> can be used to enable mdraid software (ata)raid
e.g. asr|..|isw|jmicron|..|dos see mdraid -l. dmraid software raid can be
passed like iraid=<array>+isw:dos, ‘:’ as a metadata seperator.

Note: raid array can be used as the underlaying pyshical device of unencrypted
or encrypted with LVM on top.
<UUID=<uuid>> or <part> is required to enable mdadm software raid, nothing or
<format> can be used to enable dmraid sofware (ata)raid.

4.2. LVM support

Actually a PV in a group, respectively root, swap, resume is given by
<mapping>-<device>, mapping being a mapping name for cryptsetup and
a block device/volume without the optional /dev/ prefix.

  • LV, PV, VG: Logical Volume, Physical Volume, Volume Group.
  • map-PV: is a colon separated list <mapping-PV> e.g. <pv1-sda1:pv2-sdb1:...>
    for a Volume Group, the 1st being for root, the 2nd for swap and the 3rd for resume;
    so this ilvm=,swp-sdc1, asign only a LV for swap.

NOTE: for unencrypted PVs, there’s no need to provide a list of PVs in ilvm arg.
A single character or word is enough to activate LVM like ilvm=y for root.

  • PV list: now <map-PV> [list] can be replaced with </path/to/list> file,
    this require the use of keyfile to decrypt PV, which means that a removable media
    or /boot device is mounted.
    List can be a line separated list insted of a collon : of the forme:
    <mapping-UUID=<uid>[+UUID=<uuid>] for an UUID list.
    One can mix UUID, LABEL and [h|s]d??* in a list. However, it’s best to use UUID
    only for detached header from cyphertext device which prevent header mismatch.
    One can use multiple lists up to three, one for each group.

4.3 Squashed (AUFS+squashfs) directories support

One can use squashfs+aufs to squash local directories like
$PORTDIR:var/lib/layamn:var/db:var/cache/edb,
or system related directories like usr:lib32:lib64:bin:sbin. Advantages are
system speed, responsiveness and very small disk size footprint. To favor speed,
one should use ‘lzo -Xcompression-level 1’, which is the default, until lz4 get
proper support in squashfs-tools and in kernel (squashfs module).

  • default squashed root directory is /aufs
  • default system wide squashed directories is usr:bin:sbin:lib32:lib64
  • default local wide squashed directories is var/cache/edb:var/db:var/lib/layman
  • isquashd=:+sys:+local:[<dir1>:<dirn>]
    use default root directory, and sytem/local wide directories and optionaly
    append directories to the list of squashed directories;
  • isquashd=/var/aufs:<dir 1>:<dir n>
    no default directory-ies used, and append everything on kernel commmand line;
  • isquashd=:+l
    use default root directory and local squashed directories (no extra argument);
  • isquashd=:+l:var/portage
    same as above and append var/portage to squashed directories.
  • lastly, sys|local are case insensitive and the first character is valid.

4.4. Optional user scripts support

Now, one can add hooks/scripts to hooks/ directory, or else directly in
$gitdir/usr/lib/mkinitramfs-ll if using mkinitramfs-ll.$shell generating script.
Basically, each script is considered to be a hook! So one can append -H$script
to mkinitramfs-ll.$shell; and if there is a opts[-m$script] kernel module group
line in mkinitramfs-ll.conf, the modules and module group will be added!

Each script should have a $level- prefix as the follwing $level values if the
execution is bound to a specific init shell run level.

  • runlevel 1: initialization – splash – keymap – font – boot logo/message -
  • runlevel 2: 2 – hooks – 2s – swap – 2r – resume -
  • runlevel 3: 3 – rootfs – 3f – rootfs fsck – 3m – root mount -
  • runlevel 4: 4 – clean up 4m – extra mount – 4u – umount – 4s – switch root

Else, ihook kernel command line could be used to execute a hook/script now and
then e.g. ihook=zram append zram to script execution.

Info: See zfs/zram hook for more info and a praticable examples.

4.5. ZFS support

KERNEL-COMMAND-LINE-ARG: izfs=zva-sda:zvb-sdb
DESCRIPTION: Required argument for crypted zfs vdev (devices), or else, izfs=1
(1 can be replaced by case insensitive enable|on|true|yes) for un-encryoted vdev
EXEMPLE: iroot=POOL/ROOT izfs=zva-sda:zvb-sdb ikroot=pwd

To get support for zfs append Hzfs or -a|-all to building script.

Several pools (one containing root, another for swap and another one for resume)
are supported along with a single pool. Just append a coma and an argument (2nd
for swap and 3rd for resume like the other options).

So iroot=POOL/ROOT ikroot=pwd iresume=swap:POOL/SWAP ikresume=pwd izfs=,,zva-sda:zvb-sdb;
Optional (useless) swap arguments can be appended when resuming after a suspend;
Root arguments is not required (handy to continue booting if resuming fails).

And lastly specifying only iroot=POOL/ROOT ikroot=pwd izfs=zva-sda:zvb-sdb will
import the whole pool (so no need to append swap related arguments).

4.6. ZRAM support

KERNEL-COMMAND-LIE-ARG: izram=4-2-lzo:512M:4G-ext4
DESCRIPTION: zram basic initialisation kernel command line argument
EXEMPLE: :512M:4G:512M

This hook/script take care of basic zram initialisation:

  • First integer: passed as num_devices= to modprobe;
  • Second integer is passed to max_comp_streams;
  • Third string is passed comp_algorithm (compressor);
  • Following arguments are pair of size-filesystem: just make sure to include
    the related mkfs.$fs binaries if the fie system string is appended!
  • Lastly, the first string 4-2-lzo can be omited so the default will be
    picked up 4-2-lz4 as in the last kernel cmdline example.

Just appand -H:zram to mkinitramfs-ll.$shell to get support for this hook.

4.7. bcache – block cache – support

bcache cache and backing device are grouped as a colon separated list of block
device, registered using: echo device >/sys/fs/bcache/register_quiet

KERNEL-COMMAND-LIE-ARG: ibcache=sda:sdb2:sdc2
DESCRIPTION: bcache cache:backing-device block device list
EXEMPLE: ibcache=sda:sdb1

5. Kernel parameters example

DESCRIPTION: unencrypted Root LV
EXAMPLE: iroot=vgr-lvr ilvm=y ikroot=none ikmap=fr-latin1-i686.bin:ter-g12n.psf

Note: one can append any character or word like ilvm=lvr
when using LVM on unencrypted PVs.

DESCRIPTION: Root—regular passphrase—and fbsplash
EXAMPLE: iroot=root-sda3 video=1280x800-24 imod=drm:drm_kms_helper:ttm:i915 ikroot=pwd splash=verbose,theme:livecd-20007.0,tty:1

DESCRIPTION: Root—regular key-file—on usb device
EXAMPLE: iroot=root-sda3 ikroot=reg:sdb1:/path/to/keyfile

DESCRIPTION: Root—gpg encrypted key-file on usb drive
EXAMPLE: iroot=sda3 ikroot=gpg:sdb1:/path/to/file

DESCRIPTION: Swap and root—ldk encrypted—key-files
EXAMPLE: iroot=root-sda3 iswap=swap[|file]:data-sda2[:signature] ikroot=ldk:sdb1:/path/to/rootkey ikswap=ldk:sdb1:/path/to/swapkey

DESCRIPTION: Regular swap and TuxOnIce resume on a different volume
EXAMPLE: iswap=swap-sda2 iresume=toi-sda3:0x4400 ikswap=pwd ikresume=pwd

DESCRIPTION: Swap file—resuming from hibernation—ldk protected key-file
EXAMPLE: iswap=file:swap-sda3:0x4400 iresume=toi[|CHAR|WORD] ikswap=ldk:sdb1:/path/to/swapkey

DESCRIPTION: crypted volume [root,swap] using LVM—ldk crypted keyfile and—
and mount options for rootfs
EXAMPLE: iroot=vgr-lvr:xfs:chk iswap=file:vgs-lvs:0x4400 imopt=logdev=/dev/mapper/vgs-lvl,inode64,barrier ilvm=pva1-UUID=uuida:pvb2-UUID=uuidb,pvc1-UID=uuidc ikroot=ldk:LABEL=PENDRIVE:/path/to/keyfile ikswap=ldk:LABEL=PENDRIVE:/path/to/keyfile

NOTE: multiple key-files (one for each group) are supported along with single
a key file.

init script support an environment profile that can be used to define every
kernel cmdline option (and boot with an empty cmdline). See the configuration file.

6. Kernel module groups

To load kernel modules, one could either create needed groups in the configuration
file as the kms kernel module group example.
Afterwards, one only need to append generaed groups as imod=kms instead of
appending a long list to imod. Module group name can be used in the boot group
like the kms group.

Supported groups:

  • boot: boot up kernel modules, loaded but never removed
  • dm-crypt: automaticaly generated with mkinitramfs-ll.$shell (dm-crypt module group)
  • devide-mapper: automaticaly generated included script (device-mapper module group)
  • dm-raid: automaticaly generated with included script (dmraid module group)
  • raid: automaticaly generated with mkinitramfs-ll.$shell (mdadm/raid module group)
  • tuxonice: tuxonice module, wich aren’t removed
  • remdev: modules required to access removable device
  • gpg: modules required to access gpg crypted key-file
  • squashd: modules required for squashfs+aufs, can be built into the kernel
  • kms: kms esential kernel module group, see mkinitramfs-ll.conf
  • zfs: zfs related kernel module group, see configuration file
  • zram: zram related kernel module group

Modules should exist in /lib/modules/$KV/, the kernel should support modules
[un]loading. Just make sure to append the necessary modules to the right group
in mkinitramfs-ll.conf for autoloading, or create your own groups, or else append
kernel modules to opts[-kmod] variable to be able to append kernel mdoules to
imod= kernel cmdline argument.

vim:fenc=utf-8:ci:pi:sts=0:sw=4:ts=4:

About

initramfs with optional RAID, LUKS, LVM, ToI, AUFS+squashfs, ZFS, zram support

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Shell 100.0%