How to enable remote access (ssh) to zfsbootmenu

tl;dr

I’ve set up a small homeserver (Wyse 5070) with zfsbootmenu on Ubuntu 24.04. I’m now trying to set up remote access so I can boot it without having to plug in a keyboard - instead I want to just ssh to it.

I’ve read the zfsbootmenu docs a couple of times and I feel there’s a couple of bits of missing context in there somewhere. Has anyone successfully done this or can point me at end-to-end step-by-step docs about how to do this?

Full Details

I’m trying to build using the container and the zbm-builder.sh wrapper script from the zbm-dev/zfsbootmenu repo (GitHub - zbm-dev/zfsbootmenu: ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption). I have:

Then I’ve read the remote access docs but they seem to sometimes be talking about a local install of dracut and sometimes using the container. Also, the container does not seem to have dracut-crypt-ssh installed and I haven’t worked out an option to pass to the helper script that will install that package.

So if anyone can point me at step-by-step instructions that would be lovely :slight_smile:

If not, I’m wondering about:

  • forking the zfsbootmenu repo
  • editing the Dockerfile to install dracut-crypt-ssh
  • building the docker image
  • setting up the various config files
    • this is a bold statement, but I think I’ve got most of it set up
  • running ./zbm-builder.sh -i my_image_name

Does that sound like a reasonable approach? Are there some options I’m missing? Should I just post this as a github issue?

All input welcome. And if I get none I’ll keep plugging away and come back and write up what I did. Then at least future me can find it via google to work out what the hell I did when I actually got it to work. And maybe someone else will find it useful too.

You don’t have to build it yourself - you can use one of the EFI images in the Releases directly. The container is to build the image, not actually use zfsbootmenu …

Dracut is used to build the initrd for your system to pair with your selected kernel. Ubuntu defaults to using initramfs-tools for initrd management, but dracut can drop right into place instead. Dracut is somewhat simpler I think.

Anyway, once you have a zfsbootmenu EFI image, whether you build it yourself or download it, your system needs a way to actually boot it. Generally you put it in a UEFI partition of your disk (type EF00) and your UEFI system bios will find and boot it. From that point zfsbootmenu does its thing, scanning for zfs datasets with kernels etc that it can present for booting.

For remoting in via ssh, you will need Dropbear installed along with some dracut modules. Which means you will likely need to build your own. My own builder (GitHub - Halfwalker/ZFS-root: Set up root-on-zfs using whole disk, with dracut and zfsbootmenu) contains the following for setting it up:

mkdir -p /etc/cmdline.d
if [ "${DROPBEAR}" = "y" ] ; then
  echo "------------------------------------------------------------"
  echo " Installing dropbear for remote unlocking"
  echo "------------------------------------------------------------"

  apt-get install --yes dracut-network dropbear-bin
  rm -rf /tmp/dracut-crypt-ssh && mkdir -p /tmp/dracut-crypt-ssh
  cd /tmp/dracut-crypt-ssh && curl -L https://github.com/dracut-crypt-ssh/dracut-crypt-ssh/tarball/master | tar xz --strip=1

  ##comment out references to /helper/ folder from module-setup.sh
  sed -i '/inst \"\$moddir/s/^\(.*\)$/#&/' /tmp/dracut-crypt-ssh/modules/60crypt-ssh/module-setup.sh
  cp -r /tmp/dracut-crypt-ssh/modules/60crypt-ssh /usr/lib/dracut/modules.d

  echo 'install_items+=" /etc/cmdline.d/dracut-network.conf "' >  /etc/zfsbootmenu/dracut.conf.d/dropbear.conf
  echo 'add_dracutmodules+=" crypt-ssh "'                      >> /etc/zfsbootmenu/dracut.conf.d/dropbear.conf
  # Have dracut use main user authorized_keys for access
  echo "dropbear_acl=/home/${USERNAME}/.ssh/authorized_keys"   >> /etc/zfsbootmenu/dracut.conf.d/dropbear.conf

  # With rd.neednet=1 it will fail to boot if no network available
  # This can be a problem with laptops and docking stations, if the dock
  # is not connected (no ethernet) it can fail to boot. Yay dracut.
  # Network really only needed for Dropbear/ssh access unlocking
  # Since we chose to use Dropbear, in this block set neednet=1
  echo 'ip=dhcp rd.neednet=1' > /etc/cmdline.d/dracut-network.conf
else
  # Not using Dropbear, so set neednet=0
  echo 'install_items+=" /etc/cmdline.d/dracut-network.conf "' > /etc/zfsbootmenu/dracut.conf.d/network.conf
  echo 'ip=dhcp rd.neednet=0' > /etc/cmdline.d/dracut-network.conf
fi
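A quick sanity check to run before invoking dracut or zbm-builder.sh, added here as my own example (not code from the thread, ZFS-root or zfsbootmenu): it verifies that the files the snippet above writes are present and consistent (crypt-ssh enabled, rd.neednet=1, the /helper/ inst lines commented out, and the dropbear_acl file present and not group/other-writable). It assumes the exact paths used in that snippet; the ROOT argument is a prefix so it can also be run against a staging tree, and make_sample_tree builds a constructed tree for demonstration.

```shell
#!/bin/sh
# Usage: check_dropbear_config [ROOT]   (empty ROOT = the live system)
check_dropbear_config() {
  root="${1:-}"; rc=0
  conf="$root/etc/zfsbootmenu/dracut.conf.d/dropbear.conf"
  net="$root/etc/cmdline.d/dracut-network.conf"
  mod="$root/usr/lib/dracut/modules.d/60crypt-ssh/module-setup.sh"
  [ -f "$conf" ] || { echo "missing $conf"; return 1; }
  grep -q 'add_dracutmodules+=" crypt-ssh "' "$conf" \
    || { echo "crypt-ssh module not enabled in $conf"; rc=1; }
  # Dropbear is useless without networking in the initramfs.
  { [ -f "$net" ] && grep -q 'rd.neednet=1' "$net"; } \
    || { echo "$net missing or rd.neednet is not 1"; rc=1; }
  # The module must be copied in, and the sed above must have commented
  # out every 'inst "$moddir/...' line (the /helper/ references).
  [ -f "$mod" ] || { echo "60crypt-ssh module not installed"; rc=1; }
  if [ -f "$mod" ] && grep -q '^[[:space:]]*inst "\$moddir' "$mod"; then
    echo "uncommented inst \"\$moddir/...\" line left in $mod"; rc=1
  fi
  # The authorized_keys file Dropbear will trust: present, non-empty,
  # and not writable by group/other (anyone who can edit it can unlock).
  acl=$(sed -n 's/^dropbear_acl=//p' "$conf"); aclp="$root$acl"
  if [ -z "$acl" ] || [ ! -s "$aclp" ]; then
    echo "dropbear_acl missing or empty"; rc=1
  elif [ -n "$(find "$aclp" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
    echo "$acl is group/other writable"; rc=1
  fi
  return $rc
}

# Constructed sample tree (hypothetical user 'alice') mirroring what the
# snippet above writes, so the check can be exercised without a real host.
make_sample_tree() {
  d="$1"
  mkdir -p "$d/etc/zfsbootmenu/dracut.conf.d" "$d/etc/cmdline.d" \
           "$d/usr/lib/dracut/modules.d/60crypt-ssh" "$d/home/alice/.ssh"
  printf '%s\n' 'install_items+=" /etc/cmdline.d/dracut-network.conf "' \
    'add_dracutmodules+=" crypt-ssh "' \
    'dropbear_acl=/home/alice/.ssh/authorized_keys' \
    > "$d/etc/zfsbootmenu/dracut.conf.d/dropbear.conf"
  echo 'ip=dhcp rd.neednet=1' > "$d/etc/cmdline.d/dracut-network.conf"
  printf '#    inst "$moddir/helper/example" /example\n' \
    > "$d/usr/lib/dracut/modules.d/60crypt-ssh/module-setup.sh"
  echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA-placeholder alice' \
    > "$d/home/alice/.ssh/authorized_keys"
  chmod 600 "$d/home/alice/.ssh/authorized_keys"
}
```

Run `check_dropbear_config` with no argument on the host you are building on; a non-zero exit with the printed reason means dracut would produce an image that cannot be unlocked over ssh or that trusts a writable key file.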