Intro A few years ago I built a tool called genesis to build images of Ubuntu. The tool has a very basic CLI interface and is written in Python. I was asked recently if I had ever built desktop images of Ubuntu from scratch and had to admit that I had never tried. I decided to give it a go and found the process rather straight forward. Steps First, install genesis in a venv: ...
For a while, I wanted to set up an Ubuntu archive mirror using Cloudflare. It felt like a natural idea: the archive is a set of static files that could be easily cached, and Cloudflare is very good at caching files close to users around the world. What is an archive mirror? If you have ever run apt update on Ubuntu, you have used the archive. It is a big collection of files: packages (.deb files) and index files (Packages.gz, Release, etc.) that tell apt what is available. ...
Linux systems may seem complex, but at their core, they consist of two fundamental components: the kernel and a root filesystem. Understanding how these elements interact during the boot process can demystify Linux and provide insight into how your system comes to life each time you power it on. The Two Main Components of a Linux Distribution 1. The Linux Kernel The kernel is the heart of any Linux system. It’s responsible for: ...
Linux Networking: Bridged and Routed VM Networking Scenario 1: Bridged Networking (Layer 2 Integration) Goal: VMs/containers appear as full LAN peers, get IPs from the LAN’s DHCP, and are reachable directly. Create a bridge interface (br0). Add the physical interface (e.g., eth0) to the bridge. Assign IP or DHCP to br0 only. eth0 should have no IP. Virtual interfaces (e.g., tap0) are also added to br0. Key Commands: sudo ip link add br0 type bridge sudo ip link set eth0 master br0 sudo ip link set br0 up sudo dhcpcd br0 No NAT, no subnetting. Full LAN access. ...
Instructions If you are on an LTS, make sure you are running the HWE kernel: sudo apt update source /etc/os-release sudo apt install -y linux-generic-hwe-$VERSION_ID And reboot. Then: sudo apt update sudo apt install -y ubuntu-drivers-common sudo ubuntu-drivers install That’s it. Don’t install NVIDIA’s Debian repositories, no need to re-compile everytime a new kernel is released and it works with secure boot. Wait but isn’t that some opensource drivers that are less performant? No. These will get you the closed-source, proprietary drivers. ...
Basic Config [Distribution] Distribution=ubuntu [Output] Format=disk [Content] Packages= apt cloud-init dbus grub-efi-amd64-signed iproute2 linux-virtual netplan.io openssh-server openssl shim-signed ssh-import-id sudo systemd systemd-resolved udev vim Bootloader=grub ShimBootloader=signed BiosBootloader=none Bootable=true RootPassword=ubuntu KernelCommandLine=console=ttyS0 Hostname=ubuntu Then simply run mkosi. Boot the image Use this script (use –no-snapshot to make the changes persist): ./start-vm.sh ./image.raw To go further At the moment, mkosi only supports producing raw disk images. To convert the image to qcow2: qemu-img convert -f raw -O qcow2 /tmp/image.raw /tmp/ubuntu.img And to make it (virtually) bigger: ...
Boot process - context In general, the boot process looks like this: ROM | DISK Pre-EFI initialization -> EFI firwmare -|> shim -> grub -> Linux The pre-efi initialization is about initializing CPU and devices. Especially, it is responsible for initializing the DRAM controller on the CPU. Before this step the system is in a very precurious state and can only use its cache as memory (aka Cache as RAM). ...
systemd-tmpfiles /tmp and other temporary directories and files are now managed by systemd and are not tmpfs. sytemd-tmpfiles gives to the user the ability to choose what they want to do with temporary directories/files. There are a ton of options that the user can choose from and everything is managed though config files (see man tmpfiles.d). Create a temporary directory in your HOME folder Using the global /tmp directory can be security issue as anyone can read this directory. If the user is not very carefull with the permissions they set on their files, confidential information might leak. Also, programs packaged with snap cannot access the global temporary directory /tmp by default. ...
Genesis a CLI project written in Python. It can build Ubuntu images from scratch. The tool is named genesis (because you start from nothing). And is available as a python package: https://github.com/gjolly/genesis (it’s also packaged as a deb in a PPA. A basic example We are going to create a very minimal image of Ubuntu 23.04 (Lunar Lobster) and try to boot from it using qemu. Creating a base image First you want to start by bootstrapping a basic filesystem: ...
The flow In order to decrypt the root filesystem, the kernel uses a initial ram disk (initramfs). The initramfs provides an temporary filesystem from which extra kernel modules can be loaded, it also contains a set of scripts used to boot the system including scripts to decrypt the user’s root filesystem. This initramfs image is a file stored un-encrypted next to the kernel image. However, unlike the kernel image, it is not signed by the kernel publisher as the iniramfs is generated locally and can be modified by the user. Thus, anyone with physical access to the user’s drive can inject a malicious initramfs that would log the user’s passphrase and thus make FDE useless. ...