The dropbear-initramfs package in Debian is intended to help unlocking encrypted partitions remotely from initramfs. In other words, it can be used to unlock an encrypted block device that may well include the root partition.
Officially only a single IPv4 address may be set up in a convenient way. This weblog post shows how to get around that limitation, without too much hassle.
The only package needed is dropbear-initramfs. Install it:
# apt-get install dropbear-initramfs
The network device is located in specified on the DEVICE environment variable in /etc/initramfs-tools/initramfs.conf. We specify a device that will not exist:
The network configuration would be specified in the IP variable but we omit this as we don’t intend to use the default scripts for setting up the network configuration. Instead, we add a few extra bits to /etc/dropbear-initramfs/config. The dropbear configuration file is actually sourced by the shell so executing commands is entirely possible.
# This line is important --- it fools the initramfs
# scripts to believe the device is already set up.
# modprobe the driver for your network adapter.
# Change this to correspond to your system.
__getdev2 $(ip link list | grep -B 1 $1 | head -1)
# MAC addresses of the devices; replace with your own
# Set up network here as you like. The configuration will be
# overridden with what you have set up in /etc/network/interfaces
# once the boot continues.
ip addr add 192.168.1.1/24 dev $eth0
ip addr add 2001:db8::1/32 dev $eth0
ip link set up dev $eth0
Now, update initramfs and you should be ready to log in remotely to initramfs on your next boot.
Remember to put your own public key to /etc/dropbear-initramfs/authorized_keys so you’ll be actually able to log in. Also see the documentation in /usr/share/doc/dropbear-initramfs/README.initramfs .
The initramfs image can be updated with the following command:
# update-initramfs -u
After rebooting you can log in remotely as root via ssh. Run
After providing the passphrase your system should boot up as expected.
Most commonly the guides for installing (GNU/)Linux distributions in virtual machines such as QEMU (+KVM) involve using emulation of a graphics display. This is most likely because it’s convenient, and most installation programs default to using VGA display on PCs.
While this is mostly effortless, there are a few drawbacks. VNC requires listening a TCP port or a Unix socket on the server. If configure the VNC server to listen a TCP port, anyone can connect, so be sure to set a decent password for the VNC server. Still, even if you set a decent password, a security-conscious administrator might not want to expose that TCP port at all, possibly even locally. If you use a Unix socket, it’s a pain to use the VNC connection if the network throughput is limited. Even the VNC protocol does require a lot more network throughput to be usable than just a remote shell on a terminal would.
The alternative is to switch to a virtual serial port as soon as possible in the installation. Most distributions do not support installation through a serial port out of the box, but BIOS may support VGA emulation on a serial console. That’s right; you get what you’d see on a VGA display to a serial port. Only text modes are supported, naturally. In Debian, the package offering such a BIOS ROM option is sgabios.
This guide expects you’re also using libvirt.
Enabling serial console and serial port VGA emulation on a virtual machine
First, install the sgabios package:
apt-get install sgabios
Then, add the following line to the os section of the QEMU virtual machine’s libvirt domain:
This enables VGA text mode emulation for a serial port. Enabling the serial port itself and serial console is achieved by adding the following entries to the devices section of a libvirt domain:
Edit 2018-04-12: In addition to adding the above lines, you will need to remove existing console definitions.
These instructions are for Debian stable. The same approach is likely to work on other distributions as well.
Set up the virtual serial port as instructed above, and start the installer. I don’t elaborate that as there are plenty of good guides for that. Use virsh to connect to the virtual serial port after starting the domain:
virsh console domain
You should see the first messages from BIOS or the boot loader, depending on how fast you connect to the domain’s console after starting the domain. You may also see nothing at all until you push the arrow buttons.
The arrow keys don’t appear to work very well. Select the item you want, i.e. non-graphical installation. Don’t press enter yet, instead press tab. This lets you to set kernel’s command line options. Remove “— quiet” and replace it with
And press enter. You should be able to continue the installation normally now.
Once the packages and the boot loader are installed, do not reboot the system yet. We still need to configure the boot loader to use the virtual serial console. Choose to go back, and then execute a shell:
Bind mount the virtual file systems under /target and chroot to /target:
mount -o bind /proc /target/proc
mount -o bind /sys /target/sys
mount -o bind /dev /target/dev
chroot /target /bin/bash
Permanently enabling serial port console for Grub and Linux kernel
Setting the kernel command line to include the serial console earlier only allowed installing Debian, but the serial console configuration now needs to be made permanent. That can be done by changing Grub configuration:
Replace the two lines here in the default configuration (in two different locations of the file):