---
title: "Launching SSH during early boot with mkinitfs"
blurb: "Replacing the early init with our own script to launch SSH, killing it in early userspace, and allowing remote disk decryption in the meantime"
author: "7222e800"
slug: "alpine-ssh-early-initfs-disk-decryption"
id: 1768406136
# Timestamps are in ISO8601 UTC (`date -u +%Y-%m-%dT%H:%M:%SZ`)
created: "2026-01-14T15:53:57Z"
updated: "2026-01-14T15:53:57Z"
published: false
---
For a while, this one's been meaning to set up an early-boot SSH environment for
Alpine Linux on systems that are using a
[System Disk](https://wiki.alpinelinux.org/wiki/System_Disk_Mode) installation
mode.

<!-- TODO: APKOVL boot article -->
In [Data Disk](https://wiki.alpinelinux.org/wiki/Data_Disk_Mode) mode, it can
be handled in `boot`, or if needed, `sysinit`. This can even be nicely netbooted
via a netbooted apkovl; an article on that will come eventually. (For now, if
you're interested in that, here's a good starting point:
[alpine/mkinitfs#cc4954b/initramfs-init.in](https://gitlab.alpinelinux.org/alpine/mkinitfs/-/blob/cc4954bc73cf55833b48624232b9c42ca3abc390/initramfs-init.in#L647).)

On System Disk installations, with tooling like [dracut](https://wiki.gentoo.org/wiki/Dracut),
this would also be trivial. Unfortunately, this one's a masochist and likes
staying close to the intended upstream Alpine installation.
> **Note**<br/>
> Alpine does have
> [a package](https://pkgs.alpinelinux.org/package/v3.23/community/x86_64/dracut)
> for dracut, and the reader may want to look into using it instead.
## mkinitfs and its challenges
Alpine's [mkinitfs](https://gitlab.alpinelinux.org/alpine/mkinitfs/) allows us
to do things like including files or kernel modules in the image, via their
[features.d](https://gitlab.alpinelinux.org/alpine/mkinitfs/-/tree/master/features.d).
This is nice and all, but on its own, we can only really give the kernel a
module, or a file we manually call by spamming Enter through the encryption
password prompts and running via the 'Emergency Shell'.