The process of booting a Linux® system consists of a number of stages. But whether you're booting a standard x86 desktop or a deeply embedded PowerPC® target, much of the flow is surprisingly similar. This article explores the Linux boot process from the initial bootstrap to the start of the first user-space application. Along the way, you'll learn about various other boot-related topics such as the boot loaders, kernel decompression, the initial RAM disk, and other elements of Linux boot.

In the early days, bootstrapping a computer meant feeding a paper tape containing a boot program or manually loading a boot program using the front panel address/data/control switches. Today's computers are equipped with facilities to simplify the boot process, but that doesn't necessarily make it simple.

Let's start with a high-level view of Linux boot so you can see the entire landscape. Then we'll review what's going on at each of the individual steps. Source references along the way will help you navigate the kernel tree and dig in further.

Overview

Figure 1 gives you the 20,000-foot view.

When a system is first booted, or is reset, the processor executes code at a well-known location. In a personal computer (PC), this location is in the basic input/output system (BIOS), which is stored in flash memory on the motherboard. The central processing unit (CPU) in an embedded system invokes the reset vector to start a program at a known address in flash/ROM. In either case, the result is the same. Because PCs offer so much flexibility, the BIOS must determine which devices are candidates for boot. We'll look at this in more detail later.

When a boot device is found, the first-stage boot loader is loaded into RAM and executed. This boot loader is less than 512 bytes in length (a single sector), and its job is to load the second-stage boot loader.

When the second-stage boot loader is in RAM and executing, a splash screen is commonly displayed, and Linux and an optional initial RAM disk (temporary root file system) are loaded into memory. When the images are loaded, the second-stage boot loader passes control to the kernel image and the kernel is decompressed and initialized. At this stage, the second-stage boot loader checks the system hardware, enumerates the attached hardware devices, mounts the root device, and then loads the necessary kernel modules. When complete, the first user-space program (init) starts, and high-level system initialization is performed.

That's Linux boot in a nutshell. Now let's dig in a little further and explore some of the details of the Linux boot process.

Back to top

System startup

The system startup stage depends on the hardware that Linux is being booted on. On an embedded platform, a bootstrap environment is used when the system is powered on, or reset. Examples include U-Boot, RedBoot, and MicroMonitor from Lucent. Embedded platforms are commonly shipped with a boot monitor. These programs reside in special region of flash memory on the target hardware and provide the means to download a Linux kernel image into flash memory and subsequently execute it. In addition to having the ability to store and boot a Linux image, these boot monitors perform some level of system test and hardware initialization. In an embedded target, these boot monitors commonly cover both the first- and second-stage boot loaders.

Extracting the MBR To see the contents of your MBR, use this command: # dd if=/dev/hda of=mbr.bin bs=512 count=1 # od -xa mbr.bin The dd command, which needs to be run from root, reads the first 512 bytes from /dev/hda (the first Integrated Drive Electronics, or IDE drive) and writes them to the mbr.bin file. The od command prints the binary file in hex and ASCII formats.

In a PC, booting Linux begins in the BIOS at address 0xFFFF0. The first step of the BIOS is the power-on self test (POST). The job of the POST is to perform a check of the hardware. The second step of the BIOS is local device enumeration and initialization.

Given the different uses of BIOS functions, the BIOS is made up of two parts: the POST code and runtime services. After the POST is complete, it is flushed from memory, but the BIOS runtime services remain and are available to the target operating system.

To boot an operating system, the BIOS runtime searches for devices that are both active and bootable in the order of preference defined by the complementary metal oxide semiconductor (CMOS) settings. A boot device can be a floppy disk, a CD-ROM, a partition on a hard disk, a device on the network, or even a USB flash memory stick.

Commonly, Linux is booted from a hard disk, where the Master Boot Record (MBR) contains the primary boot loader. The MBR is a 512-byte sector, located in the first sector on the disk (sector 1 of cylinder 0, head 0). After the MBR is loaded into RAM, the BIOS yields control to it.

Back to top

Stage 1 boot loader

The primary boot loader that resides in the MBR is a 512-byte image containing both program code and a small partition table (see Figure 2). The first 446 bytes are the primary boot loader, which contains both executable code and error message text. The next sixty-four bytes are the partition table, which contains a record for each of four partitions (sixteen bytes each). The MBR ends with two bytes that are defined as the magic number (0xAA55). The magic number serves as a validation check of the MBR.

The job of the primary boot loader is to find and load the secondary boot loader (stage 2). It does this by looking through the partition table for an active partition. When it finds an active partition, it scans the remaining partitions in the table to ensure that they're all inactive. When this is verified, the active partition's boot record is read from the device into RAM and executed.

Back to top

Stage 2 boot loader

The secondary, or second-stage, boot loader could be more aptly called the kernel loader. The task at this stage is to load the Linux kernel and optional initial RAM disk.

GRUB stage boot loaders The /boot/grub directory contains the stage1, stage1.5, and stage2 boot loaders, as well as a number of alternate loaders (for example, CR-ROMs use the iso9660_stage_1_5).

The first- and second-stage boot loaders combined are called Linux Loader (LILO) or GRand Unified Bootloader (GRUB) in the x86 PC environment. Because LILO has some disadvantages that were corrected in GRUB, let's look into GRUB. (See many additional resources on GRUB, LILO, and related topics in the Resources section later in this article.)

The great thing about GRUB is that it includes knowledge of Linux file systems. Instead of using raw sectors on the disk, as LILO does, GRUB can load a Linux kernel from an ext2 or ext3 file system. It does this by making the two-stage boot loader into a three-stage boot loader. Stage 1 (MBR) boots a stage 1.5 boot loader that understands the particular file system containing the Linux kernel image. Examples include reiserfs_stage1_5 (to load from a Reiser journaling file system) or e2fs_stage1_5 (to load from an ext2 or ext3 file system). When the stage 1.5 boot loader is loaded and running, the stage 2 boot loader can be loaded.

With stage 2 loaded, GRUB can, upon request, display a list of available kernels (defined in /etc/grub.conf, with soft links from /etc/grub/menu.lst and /etc/grub.conf). You can select a kernel and even amend it with additional kernel parameters. Optionally, you can use a command-line shell for greater manual control over the boot process.

With the second-stage boot loader in memory, the file system is consulted, and the default kernel image and initrd image are loaded into memory. With the images ready, the stage 2 boot loader invokes the kernel image.

Back to top

Kernel

Manual boot in GRUB From the GRUB command-line, you can boot a specific kernel with a named initrd image as follows: grub> kernel /bzImage-2.6.14.2 [Linux-bzImage, setup=0x1400, size=0x29672e] grub> initrd /initrd-2.6.14.2.img [Linux-initrd @ 0x5f13000, 0xcc199 bytes] grub> boot Uncompressing Linux... Ok, booting the kernel. If you don't know the name of the kernel to boot, just type a forward slash (/) and press the Tab key. GRUB will display the list of kernels and initrd images.

With the kernel image in memory and control given from the stage 2 boot loader, the kernel stage begins. The kernel image isn't so much an executable kernel, but a compressed kernel image. Typically this is a zImage (compressed image, less than 512KB) or a bzImage (big compressed image, greater than 512KB), that has been previously compressed with zlib. At the head of this kernel image is a routine that does some minimal amount of hardware setup and then decompresses the kernel contained within the kernel image and places it into high memory. If an initial RAM disk image is present, this routine moves it into memory and notes it for later use. The routine then calls the kernel and the kernel boot begins.

When the bzImage (for an i386 image) is invoked, you begin at ./arch/i386/boot/head.S in the start assembly routine (see Figure 3 for the major flow). This routine does some basic hardware setup and invokes the startup_32 routine in ./arch/i386/boot/compressed/head.S. This routine sets up a basic environment (stack, etc.) and clears the Block Started by Symbol (BSS). The kernel is then decompressed through a call to a C function called decompress_kernel (located in ./arch/i386/boot/compressed/misc.c). When the kernel is decompressed into memory, it is called. This is yet another startup_32 function, but this function is in ./arch/i386/kernel/head.S.

In the new startup_32 function (also called the swapper or process 0), the page tables are initialized and memory paging is enabled. The type of CPU is detected along with any optional floating-point unit (FPU) and stored away for later use. The start_kernel function is then invoked (init/main.c), which takes you to the non-architecture specific Linux kernel. This is, in essence, the main function for the Linux kernel.

With the call to start_kernel, a long list of initialization functions are called to set up interrupts, perform further memory configuration, and load the initial RAM disk. In the end, a call is made to kernel_thread (in arch/i386/kernel/process.c) to start the init function, which is the first user-space process. Finally, the idle task is started and the scheduler can now take control (after the call to cpu_idle). With interrupts enabled, the pre-emptive scheduler periodically takes control to provide multitasking.

During the boot of the kernel, the initial-RAM disk (initrd) that was loaded into memory by the stage 2 boot loader is copied into RAM and mounted. This initrd serves as a temporary root file system in RAM and allows the kernel to fully boot without having to mount any physical disks. Since the necessary modules needed to interface with peripherals can be part of the initrd, the kernel can be very small, but still support a large number of possible hardware configurations. After the kernel is booted, the root file system is pivoted (via pivot_root) where the initrd root file system is unmounted and the real root file system is mounted.

decompress_kernel output The decompress_kernel function is where you see the usual decompression messages emitted to the display: Uncompressing Linux... Ok, booting the kernel.

The initrd function allows you to create a small Linux kernel with drivers compiled as loadable modules. These loadable modules give the kernel the means to access disks and the file systems on those disks, as well as drivers for other hardware assets. Because the root file system is a file system on a disk, the initrd function provides a means of bootstrapping to gain access to the disk and mount the real root file system. In an embedded target without a hard disk, the initrd can be the final root file system, or the final root file system can be mounted via the Network File System (NFS).

Back to top

Init

After the kernel is booted and initialized, the kernel starts the first user-space application. This is the first program invoked that is compiled with the standard C library. Prior to this point in the process, no standard C applications have been executed.

In a desktop Linux system, the first application started is commonly /sbin/init. But it need not be. Rarely do embedded systems require the extensive initialization provided by init (as configured through /etc/inittab). In many cases, you can invoke a simple shell script that starts the necessary embedded applications.

Much like Linux itself, the Linux boot process is highly flexible, supporting a huge number of processors and hardware platforms. In the beginning, the loadlin boot loader provided a simple way to boot Linux without any frills. The LILO boot loader expanded the boot capabilities, but lacked any file system awareness. The latest generation of boot loaders, such as GRUB, permits Linux to boot from a range of file systems (from Minix to Reiser).

Resources

• Boot Records Revealed is a great resource on MBRs and the various boot loaders. This resource not only disassembles MBRs, but also discusses GRUB, LILO, and the various Windows® boot loaders.
  
  
• Check out the Disk Geometry page to understand disks and their geometries. You'll find an interesting summary of disk attributes.
  
  
• A live CD is an operating system that's bootable from a CD or DVD without needing a hard drive.
  
  
• "Boot loader showdown: Getting to know LILO and GRUB" (developerWorks, August 2005) gives you a detailed look at the LILO and GRUB boot loaders.
  
  
• In the Linux Professional Institute (LPI) exam prep series of developerWorks tutorials, get a comprehensive introduction to booting a Linux system and many other fundamental Linux tasks while you prepare for system administrator certification.
  
  
• LILO was the precursor to GRUB, but you can still find it booting Linux.
  
  
• The mkintrd command is used to create an initial RAM disk image. This command is useful for building an initial root file system for boot configuration that allows preloading of block devices needed to access the real root file system.
  
  
• At the Debian Linux Kernel Project, find more information on the Linux kernel, boot, and embedded development.
  
  
• In the developerWorks Linux zone, find more resources for Linux developers.
  
  
• Stay current with developerWorks technical events and Webcasts.

• The MicroMonitor provides a boot environment for a variety of small target devices. You can use this monitor to boot Linux in an embedded environment. It has ports for ARM, XScale, MIPS, PowerPC, Coldfire, and Hitachi's Super-H.
  
  
• GNU GRUB is a boot shell filled with options and flexibility.
  
  
• LinuxBIOS is a BIOS replacement. Not only does it boot Linux, LinuxBIOS, itself, is a compressed Linux kernel.
  
  
• OpenBIOS is another portable BIOS project that operates on a variety of architectures such as x86, Alpha, and AMD64.
  
  
• At kernel.org, grab the latest kernel tree.
  
  
• Order the SEK for Linux, a two-DVD set containing the latest IBM trial software for Linux from DB2®, Lotus®, Rational®, Tivoli®, and WebSphere®.
  
  
• With IBM trial software, available for download directly from developerWorks, build your next development project on Linux.
  

• Check out developerWorks blogs and get involved in the developerWorks community.
  

This is a simple procedure for installing Debian GNU/Linux onto a USB key flash media. It includes several configuration changes but tries to stay as close to a default debian install as possible.
http://www.debian-administration.org/articles/179

This is useful for administrators that need to carry sensitive information or people concerned about their privacy.

This was tested on Debian Sid and Knoppix 3.8 with the USB Keys listed below.

Tested Media:

1. Transcend Jetflash 256MB ( only the base debootstrap install plus a few select packages ).
2. Apacer Handy Steno HT203 1GB ( very fast, recommended ).

Other reviews of USB Flash media:

1. ArsTechnica USB 2.0 Hi-Speed Flash Drive Roundup - http://arstechnica.com/reviews/hardware/flash.ars/1
2. ArsTechnica Son of USB 2.0 Hi-Speed Flash Drive Roundup - http://arstechnica.com/reviews/hardware/flash2005.ars/1

Note on Devices: All device names and mappings are as they were detected and I used them on my system. You will need to substitute the correct device as it is detected on your system.

KNOPPIX NOTE: When you see these notes, there are special steps necessary for installing from Knoppix.

Installation Procedure

1. Shred the drive

shred -n 1 -z -v /dev/sdd

(One pass to shred, one pass to zero)

2. Create Partitions

We will create two partitions on the USB key, one for /boot and one for / (root). We do not create a swap partition because that would prematurely age the usb key. You may mount and use swap partitions from the local harddrives ala knoppix but that is up to you.

parted /dev/sdd "mklabel msdos mkpart primary 0 14 mkpart primary 15 -0"

3. Shred rootfs

shred -n 1 -v /dev/sdd2

(zero'd filesystems are bad for encrypted ones.)

4. Load modules if necessary

modprobe dm-crypt
modprobe aes

apt-get update
apt-get install cryptsetup dmsetup libdevmapper1.01

5. Created mapped crypt device for root

cryptsetup -y create rootfs /dev/sdd2

6. Format filesystems:

Since we can't use journaling filesystems on flash media (premature aging again), we fall back to good old ext2.

mkfs.ext2 /dev/mapper/rootfs
mkfs.ext2 /dev/sdd1
sync ; sync

7. Apply disk labels

We do this so that we can identify our drive when we boot on various systems. Using a strict device mapping often breaks if other usb or flash devices are detected before ours.You may use any label that you like, but you will have to remember to update the initrd (file: /sbin/init)

e2label /dev/sdd1 PRIVDEB_BOOT

8. Make temporary mount points and mount

mkdir /mnt/buildroot/
mount /dev/mapper/rootfs /mnt/buildroot
mkdir /mnt/buildroot/boot
mount /dev/sdd1 /mnt/buildroot/boot

9. Install base files.

debootstrap --arch i386 sid /mnt/buildroot

Note: Installed size is about 160MB at this stage.

cp -ap /dev/ub[a-f]* /mnt/buildroot/dev/

10. Enter chroot jail to work on system.

chroot /mnt/buildroot/ /bin/su -

11. Build fstab and mount everything.

Create /etc/fstab file

#/etc/fstab: static file system information.
#                                
LABEL=PRIVDEB_BOOT  /boot          ext2    defaults,noatime                   0 2
/dev/mapper/rootfs  /              ext2    defaults,errors=remount-ro,noatime 0 1
proc                /proc          proc    defaults                           0 0
tmpfs               /etc/network/run tmpfs defaults,noatime                   0 0
tmpfs               /tmp           tmpfs   defaults,noatime                   0 0
tmpfs               /var/lock      tmpfs   defaults,noatime                   0 0
tmpfs               /var/log       tmpfs   defaults,noatime                   0 0
tmpfs               /var/run       tmpfs   defaults,noatime                   0 0
tmpfs               /var/tmp       tmpfs   defaults,noatime                   0 0
tmpfs               /home//Scratch tmpfs defaults,noatime               0 0

#Warning:  By mounting /var/log on tmpfs, logs will only be available for the current session.

Mount it all

mount -a

12. Build sources.list

Create /etc/apt/sources.list

deb http://mirrors.kernel.org/debian/ sid main non-free contrib
deb-src http://mirrors.kernel.org/debian/ sid main non-free contrib

deb http://ftp.uk.debian.org/debian-non-US/ sid non-US/main non-US/non-free non-US/contrib
deb-src http://ftp.uk.debian.org/debian-non-US/ sid non-US/main non-US/non-free non-US/contrib

# If you are using debian stable (woody) include the security updates.
# deb http://security.debian.org/ sid/updates main non-free contrib

Note: You can install and use apt-spy to test for the fastest downloading mirrors in your area.

13. System adjustments

blkid.tab: this file is cached as drives are scanned. Since the scan only takes a few seconds, you dont lose much by not caching or setting the default cache to /dev/null. This file generates an error on boot if the cache file has different device mappings than are currently detected. By removing the cache and forcing a fresh scan every time, the error is eliminated.

rm -f /etc/blkid.tab*
ln -s /dev/null /etc/blkid.tab

mtab: This file is written a lot and may prematurely age parts of the flash media and the information can simply be accessed from /proc directly.

rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab

Set Hostname

vi /etc/hostname

Set /etc/hosts with localhost + hostname

vim /etc/hosts
127.0.0.1 localhost.localdoman localhost 

14. Install additional required packages

apt-get update
apt-get install cryptsetup dmsetup libdevmapper1.01
apt-get install discover1 libdiscover1
apt-get install module-init-tools equivs cramfsprogs
apt-get clean

15. Install custom mkinitrd script and equiv package

Create mkinitrd.dmcrypt-usb file in /usr/local/sbin

#!/bin/bash

# Filename:      mkinitrd.dmcrypt-usb
# Maintainer:    Dave Vehrs 

# Help
: << HELP_STEXT
Options:
    -c           Temporary directory to build image in.
    -k           Keep temporary directory used to build image.
    -l    Use  to indenify boot partition.
    -o  Write to outfie
    -d,-m,-r     Included for fake support of default mkinitrd script
                 (anything passed to them is discarded).
                 
See http://www.saout.de/tikiwiki/tiki-index.php?page=USBFlashMedia for more info.
HELP_STEXT

function display_shelp {  
	echo; echo "Usage $0 [OPTION]...<-o outfile> [version]"
	sed --silent -e '/HELP_STEXT$/,/^HELP_STEXT/p' "$0" | sed -e '/HELP_STEXT/d'
} 

# Set defaults
BOOT_LABEL="PRIVDEB_BOOT"
CRAMFSDIR=/tmp/cramfs
keep_temp=0
unset VERSION

# Parse command line.
# if version + other options not specified, exit.
if [ $# -eq 0 ] ; then
    display_shelp
    exit 1
fi

while [ $# -ge 1 ] ; do
	case $1 in 
        -c  ) CRAMFSDIR=$2          ; shift ; shift ;;
        -d  ) dir_conf=$2           ; shift ; shift ;;
        -k  ) keep_temp=1           ; shift ;;
        -l  ) BOOT_LABEL=$2         ; shift ; shift ;;
        -m  ) cmd_mkinitrd=$2       ; shift ; shift ;;
        -o  ) outfile_name=$2       ; shift ; shift ;;
        -r  ) initrd_root=$2        ; shift ; shift ;;
		*   ) VERSION=$1            ; shift ;; 
	esac
done

# Exit if version not specified
if [ -z "$VERSION" ] ; then
    echo "Error: You need to specify a kernel version to build for."
    exit 1
else
    VERSION=${VERSION##*/}
fi

# Start build...
echo "Build directory tree."
install -d $CRAMFSDIR/{bin,dev/mapper,etc,proc,mnt,sbin}

echo "Copy binaries from /bin."
# Copy /bin binaries over and any require libraries.
files_bin="bash grep mount umount mkdir mknod sed sleep uname"
for file in $files_bin ; do 
    install /bin/$file $CRAMFSDIR/bin/$file
    for lib in $( ldd /bin/$file | awk '{print $3}' | grep -v fffe000 ) ; do
        install -d $CRAMFSDIR/${lib%/*}
        install $lib $CRAMFSDIR/$lib
    done
done

echo "Copy binaries from /usr/bin."
# Copy /usr/bin binaries over and any require libraries.
files_usrbin="find mawk"
for file in $files_usrbin ; do 
    install /usr/bin/$file $CRAMFSDIR/bin/$file
    for lib in $( ldd /usr/bin/$file | awk '{print $3}' | grep -v fffe000 ); do
        install -d $CRAMFSDIR/${lib%/*}
        install $lib $CRAMFSDIR/$lib
    done
done

echo "Copy binaries from /sbin."
# Copy /sbin binaries over and any require libraries.
files_sbin="cryptsetup e2label modprobe pivot_root"
for file in $files_sbin ; do 
    install /sbin/$file $CRAMFSDIR/sbin/$file
    for lib in $( ldd /sbin/$file | awk '{print $3}' | grep -v fffe000 ) ; do
        install -d $CRAMFSDIR/${lib%/*}
        install $lib $CRAMFSDIR/$lib
    done
done

# Add common links
ln -s bash /tmp/cramfs/bin/sh
ln -s mawk /tmp/cramfs/bin/awk

echo "Copy devices over."
# Copy devices over
cp -apL /dev/{console,hd,initrd,null,ram,scd,sd}* $CRAMFSDIR/dev/

echo "Copy modules over."
# Copy modules over
modules="aes-i586 dm-crypt sd_mod sr_mod ehci-hcd uhci-hcd ohci-hcd sl811-hcd usbhid usbkbd usb-storage vesafb fbcon ext2 unix"
for mod in $modules; do
  for ko in $( modprobe --set-version $VERSION --show-depends $mod | cut -b8- ) ; do
    install -d $CRAMFSDIR/${ko%/*}
    install $ko $CRAMFSDIR/$ko
  done
done

cp -apL /lib/modules/$VERSION/modules.* $CRAMFSDIR/lib/modules/$VERSION/

echo "Copy /etc files over."
# Copy required config files over
cp -apr /etc/modprobe.d $CRAMFSDIR/etc/
echo "Copy custom init over."
# Copy custom init file.  (see below)
cat <$CRAMFSDIR/sbin/init
#!/bin/bash

# Filename:      /sbin/init
# Dependencies:  awk, bash, cryptsetup, e2label, find, grep, modprobe 
#                mount, pivot_root, sed, sleep and uname.
#                
# This file generated by mkinitrd.dmcrypt-usb by Dave Vehrs.
set -e

# Set vars
unset pass part_boot part_rootfs major minor label
dm_name="device-mapper"
dm_dir="mapper"
dir="/dev/\$dm_dir"
control="\$dir/control"
count=0

# Mount /proc
/bin/mount -n -t proc none /proc

# Mount /dev/mapper on tmpfs
/bin/mount -o rw -n -t tmpfs none /dev/mapper

# Modules to load
CORE_MODULES="unix ide-core scsi_mod sd_mod sr_mod mbcache ext2"
DISPLAY_MODULES="vesafb fbcon"
CRYPT_MODULES="aes-i586 dm-mod dm-crypt"
USB_MODULES="ehci-hcd ohci-hcd uhci-hcd sl811-hcd usbcore usbhid usbkbd usb-storage"

# Load Modules
if [ -e /lib/modules/\$(/bin/uname -r) ] ; then 
    echo "initrd: loading modules."
    for module in \$DISPLAY_MODULES \$CORE_MODULES \$CRYPT_MODULES \$USB_MODULES ; do
        /bin/find /lib/modules/\$(/bin/uname -r) -name \$module.ko -exec /sbin/modprobe \$module \;
    done
fi

# Test to be sure the procfs is mounted, if not exit. 
if [ ! -e /proc/devices ] ; then
    echo "initrd: procfs not found: please create \$control manually."
    exit 1
fi

major=\$(/bin/sed -n 's/^ *\\([0-9]\+\\) \+misc$/\1/p' /proc/devices)
minor=\$(/bin/sed -n "s/^ *\\([0-9]\+\\) \+\$dm_name\\\$/\1/p" /proc/misc)

# Test to be sure dm_mod loaded
if [ -z "\$major" -o -z "\$minor" ] ; then
    echo "initrd: \$dm_name kernel module not loaded: can't create \$control."
    exit 1
fi
 
# Create new control device.
echo "initrd: creating \$control character device with major:\$major minor:\$minor."
/bin/mknod --mode=600 \$control c \$major \$minor

# Sleep to let kernel finish loading.  15 seconds is enough on most systems.  
echo "initrd: sleeping for 15 seconds so kernel can finish detecting devices."
/bin/sleep 5
echo "initrd: sleeping for 10 more seconds..."
/bin/sleep 5
echo "initrd: sleeping for 5 more seconds..."
/bin/sleep 5
echo "initrd: awake...."

# Search for boot partition label.  When usb media is detected by the operating
# system seems to migrate a little depending on what port you connect to on the
# mainboard and what if any other devices are connected and where.  To
# compensate for that, we search for the label on our boot partition.
echo "initrd: searching for boot partition label."
for device in \$( /bin/grep sd[a-h]1 /proc/partitions | /bin/awk '{print \$4}' ) ; do
    label=\$( /sbin/e2label /dev/\$device 2>/dev/null )
    if [ ! -z "\$label" ] ; then
        if [ "\$label" == "$BOOT_LABEL" ] ; then
            part_boot="/dev/\$device"
        break
        fi
    fi        
done

# Exit if boot partition not found.
if [ -z "\$part_boot" ] ; then
    echo "initrd: error -- boot partition label not found (\$part_boot)."
    exit 1
fi

# Assign rootfs variable from boot (i.e. if boot is on /dev/sda1, this will
# set part_rootfs to /dev/sda2).
part_rootfs=\$( echo \$part_boot | /bin/sed -e 's/1/2/' )

# Unmount /proc
/bin/umount /proc

# Prompt for password
echo -en "\\nplease enter password for rootfs filesystem: "
read -s pass
echo -e

# Attempt mounting
echo "initrd: attempting to mount rootfs."
echo \$pass | /sbin/cryptsetup create rootfs \$part_rootfs
/bin/mount -r -n -t ext2 /dev/mapper/rootfs /mnt

# Loop for bad password attempts
while [ \$? -ne 0  ] ; do
    # Remove old crypt mount.
    /sbin/cryptsetup remove rootfs
    
    # Test for max tries.
    if [ \$count -ge 5 ] ; then
        echo -e "\\ninitrd: too many bad guesses.  aborting."
        exit 1
    else
        count=\$(( \$count + 1 ))
    fi
    
    # Reprompt for password
    echo -e "\\ninitrd: error -- rootfs mount failed." 
    echo -n "please re-enter password: "
    read -s pass
    echo
    
    # Reattempt mounting
    echo \$pass | /sbin/cryptsetup create rootfs \$part_rootfs
    /bin/mount -r -n -t ext2 /dev/mapper/rootfs /mnt
done

unset pass

echo "initrd: rootfs successfully mounted."

# Now that the encrypted media is readable, shift the root to it and continue
# the boot cycle by running its init.
cd /mnt
/sbin/pivot_root . initrd
exec /usr/sbin/chroot . /sbin/init
EOF
chown root:root $CRAMFSDIR/sbin/init
chmod 755 $CRAMFSDIR/sbin/init

# make cramfs file
if [ -z "$outfile_name" ] ; then
    mkcramfs $CRAMFSDIR ./initrd-$VERSION.img
else
    mkcramfs $CRAMFSDIR $outfile_name
fi

# Cleanup
if [ $keep_temp -eq 0 ] ; then
    rm -rf $CRAMFSDIR
fi

Set permissions, and links.

chown root.root /usr/local/sbin/mkinitrd.dmcrypt-usb
chmod 750 /usr/local/sbin/mkinitrd.dmcrypt-usb
ln -s /usr/local/sbin/mkinitrd.dmcrypt-usb /usr/sbin/mkinitrd

Next we need to install an equivs package to let the package system know that we installed this ourselves and not to install initrd-tools

cd /tmp
equivs-control initrd-tools

Edit the generated template so that it looks like:

Section: misc
Priority: optional
Standards-Version: 
     
Package: initrd-tools

Build equivs package

equivs-build initrd-tools

Install the package

dpkg -i initrd-tools_1.0_all.deb

For more information about equivs, see the APT howto at: APT-Howto: Equivs

16. Remove unwanted locales

Be very careful configuring and running localepurge. It is very easy to delete too many locales.

apt-get install localepurge
localepurge
apt-get clean

For more information about localepurge, see the APT howto at: APT-Howto: localepurge

17. Install kernel

WARNING: Kernels prior to 2.6.10 had a bug in the dm_crypt modules that potentially could reveal data. Only use 2.6.10 or better.

apt-get install kernel-image-2.6.11-1-686
apt-get clean

Note: Install size is approximately 184MB now. If you want to install a kernel built from source you can. After you install it, run /sbin/mkinitrd to build the /boot/initrd file. When you run /sbin/mkinitrd, it may print several FATAL errors regarding modules that it cannot find. If you built these modules into the kernel then you can ignore the error messages. If you omitted the modules, this is your warning to go build them as modules or into the kernel. Required modules: dm_crypt, aes, ide_core, scsi_mod, sd_mod, ehci-hcd, ohci-hcd, uhci-hcd, sl811-hcd, usb-storage, usb-hid, dm_mod, cramfs

18. Install optional packages

apt-get install vim irsii-text mutt fetchmail antiword screen
apt-get install exuberant-ctags less procmail
apt-get install python2.3 python2.3-pexpect python2.3-fuse
apt-get install xserver-common xserver-xfree86 xbase-clients xfree86-common
apt-get install ion3 -or- blackbox -or- fluxbox -or- icewm
apt-get install xterm
apt-get install memtest86+

Note: All this is approximately 300mb installed (with dependencies).

19. Install grub

apt-get install grub
grub-install /dev/sdd
mkdir /boot/grub
grub
 root (hd1,0)
 setup (hd1)
 quit

Create /boot/grub/menu.lst file

# default num
default         0

# timeout sec
timeout         5

# pretty colours
color green/black black/green

title   Debian GNU/Linux-2.6.11-1-686
root    (hd0,0)
kernel  /vmlinuz-2.6.11-1-686 root=/dev/ram0 init=/sbin/init vga=794
initrd  /initrd.img-2.6.11-1-686
savedefault
boot

title   Debian GNU/Linux-2.6.11-1-686 (Rescue/Single)
root    (hd0,0)
kernel  /vmlinuz-2.6.11-1-686 root=/dev/ram0 init=/sbin/init single
initrd  /initrd.img-2.6.11-1-686
boot
        
title   Memtest86+
root    (hd0,0)
kernel  /memtest86+.bin
boot

20. Add User accounts

Either:

Copy an existing /etc/group, /etc/passwd, and /etc/shadow file over from another system (this has to be done from outside the chroot directory).

Or:

Add users locally.

1. set root password

   passwd root
   

2. add local user

   useradd 
   passwd 
   

3. repeat step 2 as necessary

21. Exit Jail

umount -a
umount /proc
exit

22. Unmount and remove crypt mapping

cd
umount /mnt/buildroot/
cryptsetup remove rootfs

23. Reboot to test media

shutdown -r now

1. Make sure required modules are loaded.

modprobe dm_crypt
modprobe aes-i586  (or aes)
modprobe usb-storage

2. Insert USB key into port

3. Create device mapping and mount

cryptsetup create rootfs /dev/sdd2
mount /dev/mapper/rootfs /mnt/buildroot

Add Comment Printable version

 

<<< An introduction to port scanning with nmap Scheduling backups, log rotations and the like >>>

deb http://mirrors.kernel.org/debian/ sid main non-free contrib
deb-src http://mirrors.kernel.org/debian/ sid main non-free contrib


# If you are using debian stable (woody) include the security updates.
# deb http://security.debian.org/ sid/updates main non-free contrib

apt-get install apt-src
apt-get remove libdevmapper1.01 dmsetup

cd $HOME
mkdir SRC
apt-src install libdevmapper1.01

apt-src build libdevmapper1.01 dmsetup

dpkg -i libdevmapper1.01*.deb libdevmapper-dev*.deb dmsetup*.deb

apt-get install cryptsetup

cd $HOME
mkdir SRC
cd SRC
apt-src install libdevmapper1.01

mount -t proc none /proc
mount -a

Problématiques

Les installations classiques sont sensibles aux coupures électriques et aux arrêt brutaux qui peuvent conduire à des pertes de donnée voir empêcher un redémarrage normal. Par ailleurs les disques compact flash supportent un nombre limité d'écriture qu'il est important de contrôler dans le cas d'un système sur compact-flash
Pour mettre en œuvre facilement un système robuste où les disques ne sont pas montés en écriture il est possible d'utiliser des systèmes de fichier en ram 'fusionnés' avec des partitions sur disque en utilisant le module unionfs.
Je décris ici plusieurs approches en sachant que nous voulons à la fois avoir un système read only mais aussi pouvoir sauver les modifications et garantir l'intégrité des données...

Qu'est ce qu'unionfs?

 Unionfs est un système de fichier permettant de fusionner virtuellement des systèmes de fichier (appelé branches). Chaque branche se voie attribuée une priorité et peut-être read-only ou read-write. Unionfs est largement utilisé sur les live CD car il implémente un mécanisme de copy on write, c'est à dire que quand un fichier d'une union est modifiée, le contenu du fichier est recopié dans la branche read-write est ainsi l'union parait read-write alors qu'une ou plusieurs branches sont read-only.

Mise en œuvre

 Il faut utiliser un noyau récent (cad > 2.6.18 pour utiliser unionfs v2) et compiler le module unionfs disponible ici . Malheureusement unionfs n'est pas présent dans le noyau officiel, mais il est dans la branche d'Andrew Morton (-mm). Je ne parle ici que d'unionfs 2.1 qui apporte des amélioration intéressantes par rapport à la précédant, en particulier elle permet d'acceder aux branches "raw" d'une union. Notez que la version dans debian etch est ancienne est à déconseiller!

Pour créer des union on utilise simplement la syntaxe:

mount -t unionfs unionfs /nom_de_lunion -o dirs=/rep1=rw:/rep2=ro:...

Il est possible de fusionner de nombreuses branches, la première apparaissant étant la plus prioritaire. 

 Sous unix, les répertoires /etc, /var et /tmp doivent être read-write. Pour /tmp, pas de problème, un tmpfs fait l'affaire, pour /var et /etc il faut jouer avec les unions...

Première approche

On va créer  des systèmes de fichier tmpfs qui seront des branches read-write pour /var et /etc. Appelons les /rametc et /ramvar. Ensuite on crée des unions respectivement avec /etc et /var.

Pour ne pas s'embêter avec la gestion de /etc/mtab, on peut faire un lien vers /proc/mounts  

Deuxième approche

Une autre solution consisterai à créer des unions ou l'on veux et ensuite utiliser la commande pivot_root. Cette commande permet de remplacer le répertoire racine et le répertoire courant de tous les processus en cours d'exécution.

En général on utilise pivot_root à la fin du script d'init présent dans initramfs. Pour se simplifier la vie, on peut le lancer dans rcS (debian) 

Dans ce cas on procède ainsi: 

- Montage de root dans /n/root

- Montage de tmpfs dans /n/tmpfs

- mount unionfs avec dirs=/n/tmpfs:/n/root=ro dans /mnt/unionfs

- pivot_root dans /mnt/unionfs 

- chroot du shell en cours dans l'union

Eventuellement mount --move de /dev/ 

Attention, chroot doit être accessible dans le système pivoté... une copie en dehors de /usr ne fait pas de mal. 

Encore une solution

Sur la partition / on crée les répertoires /etc et /var qui resterons read-only.
On crée des partitions sur le disque qui serviront à la synchro des repertoires tmpfs (dans l'exemple suivant on les monte dans /rw_etc et /rw_var)
On crée des répertoires /varram etc /etcram en tmpfs .
On monte dans /etc et /var respectivement les unions de /etcram(rw)+/rw_etc(ro)+/etc(ro) et de /varram+rw_var+/var
Dans ce cas on peut remonter quand on veut /rw_etc en rw et faire des rsync

Comme précédemment, pour ne pas s'embêter avec la gestion de /etc/mtab, on peut faire un lien vers /proc/mounts 

Code pour /etc/init.d/rcS

/bin/mount -n -t tmpfs tmpfs /rametc -o size=30M
/bin/mount -n /dev/sdb1 /rw_etc -o ro
/bin/mount -n -t unionfs unionfs /etc/ -o dirs=/rametc=rw:/rw_etc=ro:/etc=ro
echo "tmpfs /rametc tmpfs rw,size=30M 0 0" >> /etc/mtab
echo "/dev/sdb1 /rw_etc ext3 rw 0 0" >> /etc/mtab
echo "unionfs /etc/ unionfs rw,dirs=/rametc=rw:rw_etc=ro:/etc=ro 0 0" >> /etc/mtab
/bin/mount /dev/sdc1 /rw_var -o ro
/bin/mount -t tmpfs tmpfs /ramvar -o size=50M
/bin/mount -t unionfs unionfs /var/ -o dirs=/ramvar=rw:/rw_var=ro:/var=ro

Le gros avantage de cette structure à trois branches par union est outre de permettre des copies entre branche pour la synchro, de pouvoir effacer quand on veux les repertoire rw_* et ainsi revenir dans l'état d'instalation (reset to factory).

Il y a plein de façon de faire avec unionfs... 

Resyncronisation

Avec unionfs 2.1 (et contrairement à ce que dit la page de manuel) on peut intervenir directement sur les branches. Il est donc possible de remonter les partitions en rw le temps de faire un rsync.

  Un problème qui se pose est alors de purger les partitions tmpfs pour quelles ne continuent pas à remplir la mémoire et de bien effacer de la compact flash les fichiers qui ont été détruit. Pour cela unionfs crée des fichiers "whiteout" (.wh.nomdufichier) dans la branche rw quand un fichier ou un répertoire est détruit. Il est facile de pacourir ces fichiers et de détruire les fichiers originaux.

 Voici un exemple de script de syncho (à lancer périodiquement et/ou au reboot)

#On remonte /rw_etc en rw pour copier les modifs dessus. 

mount -o remount,rw /rw_etc

 rsync -a --exclude '.wh*' /rametc /rw_etc
#Pour être sur de bien flusher les caches 
mount -o remount,incgen /etc

#Il vaut mieux retirer la branche avant d'effacer les fichiers
mount -t unionfs -o remount,del=/rametc none /etc

find /rametc \( -regex '.*/\.wh\.[^/]*' -type f \) | sed -e 's/\.\///;s/\.wh\.//' |
while read N
do
    rm -rf /rw_etc/$N
done
rm -rf /rametc/* mount -t unionfs -o remount,add=/rametc none /etc
mount -o remount,ro /rw_etc

Évidement, faire des copies de fichiers ouverts, éventuellement en écriture, ce n'est pas forcement fiable. Idéalement il faudrai synchroniser lors d'un shutdown, mais la copie à chaud ne marche pas si mal à condition de prendre certaines précautions.

Pour une base de donnée, on peut locker les tables en lecture uniquement. Ca fonctionne correctement avec MySQL avec des tables MyISAM. 

L'astuce pour locker les tables pendant le temps le plus court possible consiste à faire un double rsync.

- Un premier rsync crée une première copie

- On lock les table: mysql -p ... -u ... < "FLUSH TABLES WITH READ LOCK"

- Un deuxième rsync qui va être ultra rapide cette fois

- on delock: "UNLOCK TABLES"

  Une autre solution élégante serai de faire un snapshot avec LVM, par contre on ne peut pas utiliser LVM avec tmpfs, donc il faudrai utiliser un ramdisk, pas très pratique à mettre en œuvre... Il y a des discussions intéressante à ce propos ici

Références:

Site officiel de Unionfs 

Unionfs: User- and Community-Oriented Development of a Unification File System: http://www.fsl.cs.sunysb.edu/docs/sipek-ols2006/index.html 

Tutorial Gentoo, http://gentoo-wiki.com/HOWTO_Read-only_root_filesystem#Unionfs_Method

Snapshot LVM et MySQL : http://mike.kruckenberg.com/archives/2006/05/mysql_backups_u.html

Aufs, un concurant de unionfs: http://aufs.sourceforge.net/  

Author: Mattia Jona [contact developer]

Homepage: http://lcd-linux.sourceforge.net/

Tar/GZ: http://sourceforge.net/project/showfiles.php?group_id=123240