Re: Disk auto-unlocking with TPM 2.0

On 31.07.2023 at 15:35, factory-request@lists.opensuse.org wrote:
You can go further: an sshd can be started from grub. I have 2 servers running in that mode. My logs of how I set that up are not 100% complete, so I can only give hints.

The core component is the package dracut-sshd. For documentation see: https://github.com/gsauthof/dracut-sshd

It shows you several options for how to set up your remote server. In general, either use early networkd or set up your network on the initrd command line. Further documentation about network configuration within initrd can be found at the "other Linux" site: https://www.redhat.com/sysadmin/network-confi-initrd

It would then be similar to: in `/etc/default/grub`, modify `GRUB_CMDLINE_LINUX` to include network configs, e.g.

    GRUB_CMDLINE_LINUX="rd.neednet=1 ip=..."

Further on, you have to create ssh client key files and integrate the public key file into the server's list of known client keys. For details, see the above-mentioned docs.

That way, all partitions besides /boot and /boot/efi can be encrypted, and you get this nice prompt when you ssh into that server at boot:

    Welcome to the early boot SSH environment. You may type
    systemd-tty-ask-password-agent (or press "arrow up") to unlock your disks.
    This shell will terminate automatically a few seconds after the unlocking
    process has succeeded and when the boot proceeds.

If you do so, you will be prompted for the password of one encrypted disk, or more if they have different ones. Grub will now decrypt the disks the same way as if you had entered the passwords sitting at the console.
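As an added example (not code from the post above or from the dracut-sshd project), the following POSIX shell script covers the two steps of that procedure where a mistake locks you out of the remote box: getting `rd.neednet=1` and a static `ip=` argument onto `GRUB_CMDLINE_LINUX` without duplicating them on a re-run, and checking that the client key file the early sshd will read actually contains a usable key before the initrd is rebuilt. Assumptions that are not in the post: the `ip=` field layout is the one from dracut.cmdline(7) (`ip=<client>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>`), the key file `/root/.ssh/dracut_authorized_keys` is the one dracut-sshd's README describes (verify against the linked docs), the `grub2-mkconfig` output path is openSUSE's, and the 192.0.2.0/24 addresses, `host1` and `eth0` are sample data only.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the dracut-sshd project.
# Helpers for an early-boot sshd setup: kernel command line for the initrd
# network, and a sanity check on the authorized client keys.
# Assumed paths/format (not from the post): /etc/default/grub,
# /root/.ssh/dracut_authorized_keys, dracut's ip= layout, openSUSE's grub2.
set -eu

# Compose a static dracut ip= argument:
#   ip=<client>:<peer>:<gateway>:<netmask>:<hostname>:<interface>:<autoconf>
# The peer field is left empty; <interface> must be the name the initrd sees.
dracut_static_ip() {
    printf 'ip=%s::%s:%s:%s:%s:none' "$1" "$2" "$3" "$4" "$5"
}

# Print the current GRUB_CMDLINE_LINUX value from a grub defaults file
# (empty if the variable is unset or the file is missing).
grub_cmdline_get() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Append each argument to GRUB_CMDLINE_LINUX in the given file, creating the
# variable if absent and skipping arguments already present, so the helper
# is safe to run again after a partial attempt.
grub_cmdline_add() {
    file=$1; shift
    [ -f "$file" ] || : > "$file"
    grep -q '^GRUB_CMDLINE_LINUX=' "$file" || printf 'GRUB_CMDLINE_LINUX=""\n' >> "$file"
    current=$(grub_cmdline_get "$file")
    for arg in "$@"; do
        case " $current " in
            *" $arg "*) ;;                                 # already present
            *) current="${current:+$current }$arg" ;;
        esac
    done
    awk -v val="$current" '
        /^GRUB_CMDLINE_LINUX=/ { print "GRUB_CMDLINE_LINUX=\"" val "\""; next }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Count usable public keys in an authorized_keys-style file: non-comment
# lines carrying a key type OpenSSH accepts (options before the type are
# allowed). 0 means the early sshd would refuse every client, i.e. a lock-out
# after the next reboot, which is the thing to catch before running dracut.
authorized_key_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Ev '^[[:space:]]*#' "$1" | grep -Ec \
      '(^|[[:space:]])(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*' \
      || true
}

# The real run on a host (root required): refuse to rebuild the initrd when
# no client key would be accepted, then edit grub defaults and regenerate
# grub.cfg and the initrd. Addresses below are sample data; adjust them.
apply_to_host() {
    keys=/root/.ssh/dracut_authorized_keys
    [ "$(authorized_key_count "$keys")" -gt 0 ] || {
        echo "no usable client key in $keys; refusing to continue" >&2; return 1; }
    grub_cmdline_add /etc/default/grub rd.neednet=1 \
        "$(dracut_static_ip 192.0.2.10 192.0.2.1 255.255.255.0 host1 eth0)"
    dracut -f
    grub2-mkconfig -o /boot/grub2/grub.cfg
}

# Dry run against a scratch copy of the grub defaults, so the script can be
# executed without root to see what it would write.
demo() {
    d=$(mktemp -d)
    printf 'GRUB_TIMEOUT=8\nGRUB_CMDLINE_LINUX="quiet"\n' > "$d/grub"
    grub_cmdline_add "$d/grub" rd.neednet=1 \
        "$(dracut_static_ip 192.0.2.10 192.0.2.1 255.255.255.0 host1 eth0)"
    grub_cmdline_add "$d/grub" rd.neednet=1      # second run adds nothing
    grub_cmdline_get "$d/grub"
    rm -rf "$d"
}

case "${1:-}" in
    --apply) apply_to_host ;;
    *) demo ;;
esac
```

Run it with no arguments for the dry run and with `--apply` on the host. One caveat worth keeping in mind with this whole setup: everything dracut puts into the initrd, including the authorized client keys and, by default, the host's own sshd host key (dracut-sshd reuses it so the fingerprint stays the same; check its README), lives on the unencrypted /boot, so anyone who can read that partition can read those files as well.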

While we're talking about things that grub and YaST can do to make installation easier, it would be very nice if the YaST installer had a submodule for isolating PCI resources from the kernel (e.g. graphics cards), for dedicated use by virtual machines. Doing this by hand is a very complicated and error-prone task.

Leslie

On 2023-07-31 20:22:17 Lew Wolfgang wrote:

participants (3)
- Georg Schukat
- J Leslie Turriff
- Lew Wolfgang