What is Rescue Initramfs
Rescue Initramfs allows you to log in to the initramfs over the network (SSH) and perform recovery operations:
- Fix broken rootfs
- Reinstall software
- Open encrypted partitions
The last point allows you to use cryptoroot on systems without a local console, by entering the root partition password over ssh during the boot process.
Headless devices can be rendered unbootable by a kernel upgrade or an automatic run of fsck that needs manual interaction during the boot process. With Rescue Initramfs it is possible to log in via SSH to the machine during the boot process and, hopefully, fix these issues.
Encrypted root filesystems require a passphrase to be entered during boot; Rescue Initramfs and cryptsetup enable the user to do this with ease. See the cryptsetup Debian package for more information about this.
Remote servers have a similar use case to headless devices and also benefit from installing Rescue Initramfs.
How it works
Rescue Initramfs adds hooks and conf-hooks to initramfs-tools, located in /usr/share/initramfs-tools/hooks and conf-hooks.d respectively.
Hooks and configuration
There are two main hooks in Rescue Initramfs:
- dropbear: Installs the Dropbear SSH server in the initramfs. If OpenSSH is used on the host machine, its host keys are converted to Dropbear key format and put in the initramfs. If Dropbear is installed, its host keys are copied to the initramfs. If neither OpenSSH nor Dropbear is used, new Dropbear host keys are generated. This hook also copies root's authorized_keys if they exist; otherwise root's /etc/shadow entry is copied to the initramfs (in the latter case make sure nobody can read the initramfs image!).
- rescue: Installs sfdisk, fsck and the filesystem-specific fsck programs for the automatically mounted filesystems in /etc/fstab. The rescue hook also includes micro-evtd and uboot-envtools in the initramfs.
Related configuration for the above hooks is found in /usr/share/initramfs-tools/conf-hooks.d.
In order for remote login to work the Dropbear SSH server must be installed on the system. This is the SSH server that Rescue Initramfs includes in the initramfs.
On orion5x-based NAS devices the Debian package micro-evtd is used to control the microcontroller (watchdog, fan, LEDs, buttons). The same hardware platform uses the U-Boot bootloader, and the Debian package uboot-envtools can read and modify the U-Boot environment. The default behaviour of Rescue Initramfs is to include these programs.
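The dropbear hook's warning about the initramfs image matters whenever root's /etc/shadow entry is copied into it. As an added example (not part of Rescue Initramfs), the following shell check lists initramfs images that group or others can read; the /boot location and the initrd.img-* naming are assumptions based on the Debian initramfs-tools defaults.

```shell
#!/bin/sh
# Added example: audit initramfs images for read access beyond the owner.
# Assumption: images are named initrd.img-* and live in /boot (the Debian
# initramfs-tools default); pass another directory as the first argument.

# Print every image in DIR that group or others can read.
list_readable_images() {
    dir=${1:-/boot}
    find "$dir" -maxdepth 1 -type f -name 'initrd.img-*' \
        \( -perm -040 -o -perm -004 \) -print
}

# Return 0 when no image is exposed, 1 otherwise, reporting each finding.
audit_initramfs_perms() {
    dir=${1:-/boot}
    exposed=$(list_readable_images "$dir")
    if [ -z "$exposed" ]; then
        echo "OK: no initramfs image in $dir is readable by group or others"
        return 0
    fi
    # One line per exposed image, with the command that closes the gap.
    echo "$exposed" | while IFS= read -r image; do
        echo "EXPOSED: $image (tighten with: chmod 0600 $image)"
    done
    return 1
}
```

Call `audit_initramfs_perms` after each initramfs rebuild, since a regenerated image gets fresh permissions.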