• Edit
  • Delete

initramfs-tools / busybox / dropbear (Ubuntu 18.04)

Initramfs Introduction

https://wiki.ubuntu.com/Initramfs

  • Kernel unpacks initramfs early in the boot process and calls /init
  • Initramfs is cpio packed inital root filesystem
  • It is mainly used for measures to mount the real root filesystem.
    Examples: load kernel drivers for disk access (raid), or manage encrypted root unlocking
  • It usually includes busybox shell and commands.

Busybox

https://busybox.net/
https://busybox.net/downloads/BusyBox.html

Many unix programs in simplified form in a single executable.

Note: Ubuntu includes only a very limited version of busybox.
To install full version see: https://www.ullright.org/ullWiki/show/install-full-busybox-in-initramfs-ubuntu-18-04

Ubuntu initramfs-tools

http://manpages.ubuntu.com/manpages/bionic/man8/initramfs-tools.8.html

Handles creation of initramfs.

After changing config, adding hooks or script you have to re-generate initramfs with

  • update-initramfs -u

Config file

  • vi /etc/initramfs-tools/initramfs.conf

Hooks

Initramfs hooks allow to modify initramfs. E.g. install executables or copy files.

System hooks by other packages (like dropbear) are in

  • /usr/share/initramfs-tools/hooks/

Custom user defined hooks go into

  • /etc/initramfs-tools/hooks/

 

Boot Scripts

Boot scripts by packages:

  • /usr/share/initramfs-tools/scripts/

Custom boot scripts:

  • /etc/initramfs-tools/scripts/

Subdirectories of different stages:

  • init-top  the  scripts in this directory are the first scripts to be executed after
                  sysfs and procfs have been mounted.  It also runs the udev hook for populating  the
                  /dev tree (udev will keep running until init-bottom).

  • init-premount   happens  after  modules  specified  by  hooks  and  /etc/initramfs-
                  tools/modules have been loaded.

    • e.g. netconf, dropbear

  • local-top OR nfs-top After these scripts have been executed, the root  device  node
                  is expected to be present (local) or the network interface is expected to be usable
                  (NFS).      

    • eg cryptroot, mdadm     

  • local-block These scripts are called with the name of a local block device.   After
                  these  scripts  have  been  executed,  that  device node should be present.  If the
                  local-top or local-block scripts fail to create the wanted device node, the  local-
                  block scripts will be called periodically to try again.            

  • local-premount OR nfs-premount are run after the sanity of the root device has been
                  verified (local) or the network interface has been brought up (NFS), but before the
                  actual root fs has been mounted.

  • local-bottom OR nfs-bottom are run after the rootfs has been mounted (local) or the
                  NFS root share has been mounted.

  • init-bottom are the last scripts to be executed before procfs and sysfs  are  moved
                  to the real rootfs and execution is turned over to the init binary which should now
                  be found in the mounted rootfs. udev is stopped.

Other Tricks

Get process id by complex name

  • ps | grep 'busybox2 crond' | grep -v grep | awk '{ print $1 }'

Kill procress by complex name

  • kill $(ps | grep 'busybox2 crond' | grep -v grep | awk '{ print $1 }')

Output to main terminal screen

  • echo foo > /dev/tty0

 

Examples

Package hooks

Interesting examples: (needs "apt install dropbear")

  • vi /usr/share/initramfs-tools/hooks/dropbear
  • vi /usr/share/initramfs-tools/hooks/cryptroot-unlock
    • adds message to /etc/motd (message of the day)

Custom hook to install additional executables

Executables are simply copied from the normal linux system.
If not installed, use "apt install xxx" first.

  • vi /etc/initramfs-tools/hooks/addons
    • #!/bin/sh
      
      # add hookscripts which need to be executed before this script
      PREREQ="dropbear"
      
      prereqs() {
          echo "$PREREQ"
      }
      
      case "$1" in
          prereqs)
              prereqs
              exit 0
          ;;
      esac
      
      # Load helper functions
      . /usr/share/initramfs-tools/hook-functions
      
      # Helper function to copy an executable to be available in initramfs
      copy_exec /usr/bin/jq /bin
      copy_exec /usr/bin/curl /bin
      copy_exec /usr/bin/dbclient /bin
      
  • chmod 755 /etc/initramfs-tools/hooks/addons
  • update-initramfs -u

 

dropbearconvert

Converts openssh private key to dropbear format

  • usr/lib/dropbear/dropbearconvert
    • All arguments must be specified
      Usage: /usr/lib/dropbear/dropbearconvert <inputtype> <outputtype> <inputfile> <outputfile>
      
      CAUTION: This program is for convenience only, and is not secure if used on
      untrusted input files, ie it could allow arbitrary code execution.
      All parameters must be specified in order.
      
      The input and output types are one of:
      openssh
      dropbear
      
      Example:
      dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear_rsa_host_key

initramfs / dropbear create user / password

check this out: /usr/share.../hooks/dropbear

  • for x in passwd group; do echo "$x: files"; done >"$DESTDIR/etc/nsswitch.conf"
    echo "root:*:0:0::${home#$DESTDIR}:/bin/sh" >"$DESTDIR/etc/passwd"
    echo "root:!:0:" >"$DESTDIR/etc/group"
  • # busybox2 passwd root
    Changing password for root
    New password:
    Bad password: too weak
    Retype password:
    passwd: password for root changed by root
    # cat /etc/passwd
    root:$5$A3HlvdYi1hT3drz4$z4DFGusaqsQMQafFpKyuCQDBEOWfEwYCbqzKaioqQlB:0:0::/root:/bin/sh

  • echo "foo" | openssl passwd -stdin -6 -salt verySalty
    $6$9rQrmF1Y$sMMnndQxV3NQ3T0LRcBS/7ZXHpJOv.M7svlP9sUxcn21yKlcD5ozvFGmu2B4pgesECc7LXP96XfK1FXGjbjra1