logo
vision scalability social networking revelation source
Setup build environments
Setup Arch, Snapper, and rollback
Wireguard
Dovecot

Debian with rollback and refind

abstract: The huge advantage of btrfs is that it makes rollback possible. When you are ricing your system, you are going to break it irreversibly, and lose all your ricing work.

This happens even on windows, and it happens a lot more on linux desktop, and even more on bleeding edge distros such as Arch and the Arch derived distros. If you are on a distro that has pacman, yay and the AUR, you are apt to be reinstalling rather too often.

There are distros that default to btrfs, and set it up in a way friendly for rollback. but they do not, by default, enable rollback.

You can setup btrfs with manual partitioning in almost any distro. Usually the defaults are rather bad, a lot of ricing is needed.

1 installing on new hardware

Debian firmware always lags behind kernel firmware, which frequently requires manual installation of the missing firmware.

When you boot a live usb on the target hardware, the kernel has a list of firmware it wants, and will complain about what it is missing. To see what is missing, dmesg | grep failure

The linux firmware repository has what it wants, so git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git on another computer. Or on the live usb itself, after booting it up on an older system for which it has the firmware.

Copy the missing files into a clear partition on the live usb, then boot up the live usb, and copy the missing files into /lib/firmware. Then shutdown -r, and when the live cd boots up again, it will have the missing firmware.

Alternatively, if you know the name of the missing modules, which is usually the first part of the filename of the missing firmware files, for example ibt and iwlwifi

modprobe -v -r iwlwifi
modprobe -v iwlwifi
modprobe -v -r ibt
modprobe -v ibt

After the you have installed linux on the target system using the live usb, before you reboot, find the root partition of the target system using lsblk, mount it, and copy the missing files to /mnt/lib/firmware, which will become /lib/firmware when the target system boots.

This workaround is apt to mean you will not get automatic updates when your debian kernel finally updates, requiring you to make an explicit update when your firmware finally gets to the repository.

To see what is in the install module that should contain your needed files, but probably does not

apt-get install --download-only firmware-iwlwifi
cd /var/cache/apt/archives
dpkg-deb -c firmware*.deb | grep '/lib/firmware/'

My missing files that provoked this section are for intel gen 14, Intel core ultra which needs iwlwifi-bz-b0-hr-b0-93.ucode, ibt-0093-4150.ddc and ibt-0093-4150.sfi

It also needs the latest version of the i915 driver, which does not seem known at the moment.

2 setup on efi system

The great advantage of btrfs is snapper rollback, which only works if your boot manager is refind, and refind only works on efi systems.

3 partitioning for btrfs

On Debian, you have to do manual partitioning. On the latest release, will not let you create butterfs subvolumes but will automatically create a @ subvolume (without telling you) and put your root file system in @

A swap file on a btrfs volume is difficult and complicated to setup. Easier to use a standard swap partition.

So, your partition scheme should be 128 megabyt efi, a few gigabytes swap, and the rest one btrfs partition. Almost all distros support btrfs in manual partitioning. Since you will be using snapper, you need at least thirty two gigabytes.

A btrfs file system can go over many partitions on many devices, but this is a bad idea for your root file system, and is apt to get scary complicated and require much ricing.

Since partitions with btrfs files on them are resizable, another solution is to have one partition for the OS, and another for home and opt. This allows you to reinstall linux, while keeping your possibly large data.

The debian install is going to create a subvolume called @, and put everything in it. It is also going to use grub as the boot manager.

4 snapper

4.1 prepare subvolumes for snapper

After booting into debian by grub, install rsync avahi-daemon and openssh-server, setup ssh so that you can copy and paste, set up your familiar command line environment, then

mount -o subvolid=5 /dev/sda3 /mnt
cd /mnt
btrfs subvolume create @snapshots @home @opt @var_tmp @var_cache @var_spool @var_log @var_lib_docker @var_lib_nerdctl
fn=home
rsync -a /$fn/* /mnt/@$fn
fn=opt
rsync -a /$fn/* /mnt/@$fn
fn=tmp
rsync -a /var/$fn/* /mnt/@var_$fn
fn=cache
rsync -a /var/$fn/* /mnt/@var_$fn
fn=spool
rsync -a /var/$fn/* /mnt/@var_$fn
mkdir -p /var/lib/docker
mkdir -p /var/lib/nerdctl
nano /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# systemd generates mount units based on this file, see systemd.mount(5).
# Please run 'systemctl daemon-reload' after making changes here.
#
# <file system>                                 <mount point>   <type>       <options>                                                                                     <dump>  <pass>
# / was on /dev/sda3 during installation
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /                btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300                            0 0
# UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /.snapshots      btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@snapshots         0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /home            btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@home              0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /opt             btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@opt               0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/tmp         btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_tmp           0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/cache       btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_cache         0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/spool       btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_spool         0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/log         btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_log           0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/lib/docker  btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_lib_docker    0 0
UUID=7466efd7-975d-49dc-8b9c-d781959297ac       /var/lib/nerdctl btrfs       rw,relatime,compress=zstd:3,ssd,discard,space_cache=v2,autodefrag,commit=300,subvol=/@var_lib_nerdctl   0 0

discard means tell the hardware what is on the free list, which virtual disks need, and all ssds are virtual disks these days. ssd means optimise for ssd. If this is a spinning rust disk, don’t do that.

commit=300 means if that if you get a sudden power down, you could potentially lose the last three hundred seconds of disk activity, but you always have a laptop or an uninterruptible power supply, so not going to have a sudden power down.

systemctl daemon-reload
mount -a
cd /mnt/@
rm -r home
rm -r opt
rm -r var/tmp
rm -r var/cache
rm -r var/spool

4.2 install snapper

apt update
apt upgrade -qy
# if you already mounted ./snapshots, unmount it and delete the /.snapshots directory
apt install snapper
# now configure snapper
snapper -c root create-config
btrfs subvolume delete /.snapshots
mkdir /.snapshots
# enable mounting of @snapshots
nano /etc/fstab
systemctl daemon-reload
mount -a
snapper list
snapper create
snapper list

5 install refind

btrfs subvolume set-default /
apt update
apt upgrade -qy
apt install refind
refind-install
nano refind_linux.conf  #delete the rootflags=subvol=@
shutdown -r now

You should now see the refind boot menu, which, because you did the btrfs subvolume set-default / should show you two linux boots, the one using grub, and the one direct. If btrfs subvolume get-default / points to the wrong place, you will only see the grub boot.

The grub boot will always overrule the btrfs subvolume set-default / The direct boot will not. Select the direct boot, and in future it will always boot that way by default.

In Oracle vm, it may be impossible to set the efi variables to anything other than EFI/debian/shimx64.efi, in which case you must delete EFI/debian, copy refind to debian, and rename refind_x4.efi to shimx64.efi

This will enable you to boot into btrfs subvolume get-default /

Having installed refind, you do not need grub. Unfortunately debian insists on using grub or systemd-boot, and will not allow you to remove the one without installing the other, so we are always going to have grub boot from refind, and direct boot from refind, and only direct boot from refind can support snapper rollback. Grub will always overrule the subvolume get-default /

refind screen will sit for quite a while before finally booting. Some other time you can edit the configuration file to set the boot timeout to -1, so that it boots immediately unless you hit a down arrow key at the right moment, but we will deal with that issue some other time. For the moment, handy to have leisure to try out the different boots.

5.1 rolling back

Create a snapper snapshot.

Modify it to be your root file system with:

snapper modify --read-write --default «snapshot number»

And when next you boot you will no longer be using @ – but don’t delete it yet, because grub is still setup to boot into it.

Eventually grub will get rewritten, when the kernel updates again, and then you can delete @, and rely entirely on file systems that are in the @snapshots subvolume, with grub booting into whatever snapshot you were using when it last updated, and refind direct boot booting into whatever you most recently set with snapper modify --default, snapper rollback, or btrfs subvolume set-default.

6 vms

6.1 basic vm

sudo apt update
sudo apt ugrade -qy
sudo apt install qemu-kvm libvirt-daemon-system libvirt-clients virtinst spice-vdagent spice-client-gtk virt-viewer  virt-manager libguestfs-tools bridge-utils
sudo usermod -aG libvirt $USER
sudo usermod -aG kvm $USER
#log user in and out of desktop

This allows us to setup a vm – with no ability to ssh into it, or to copy and paste between its gui and the host gui.

virt-install \
  --name debian-vm \
  --ram 4096 \
  --disk path=/var/lib/libvirt/images/debian-vm.qcow2,size=20 \
  --vcpus 4 \
  --os-type linux \
  --os-variant debian13 \
  --network bridge=virbr0 \
  --graphics spice,listen=127.0.0.1 \
  --cdrom ~/Downloads/debian-13.1.0-amd64-netinst.iso
  --boot cdrom

--network bridge=virbr0 is equivalent to Oracle Virtualbox NAT mode.

6.2 Bridge

We need to set up a network bridge, br0, so that we can use virt-install --network bridge=br0,model=virtio How to do it depends on what networking software we have running.

systemctl list-units --all | grep -Ei 'networking\.|NetworkManager\.|networkd\.'

But, assuming we have NetworkManager, which standard installs supply automatically because they figure you are going to need a wifi gui:

ip addr | grep BROADCAST
server_network_interface=$(ip addr | grep BROADCAST |sed -r "s/.*:[[:space:]]*([[:alnum:]]+)[[:space:]]*:.*/\1/")
echo $server_network_interface
# Create a new connection profile for the bridge
sudo nmcli connection add type bridge con-name br0 ifname br0 stp no

# Configure the bridge to get an IP address via DHCP
sudo nmcli connection modify br0 ipv4.method auto

# Add your physical interface as a slave to the bridge
sudo nmcli connection add type bridge-slave con-name br0-port1 ifname $server_network_interface master br0

# Bring the new connections up
sudo nmcli connection up br0
sudo nmcli connection up br0-port1

# Your original connection (e.g., "Wired connection 1") will be superseded and should be down.
# Verify the bridge is created and has an IP
ip addr show br0

We have now configured network manager to make bridged connections available. And also renamed our network connection to something that can be remembered and typed in without errors.

6.3 enable copy and paste

on the virtual machine, install spice-vdagent

sudo apt install spice-vdagent spice-webdavd

Spice-vdagent is for copy and paste, spice-webdavd is a client for an internet protocol, WebDav, allowing files on one machine on the internet to appear local on another, possibly very distant, machine on the internet. The remote files appear to the local system to be in the davfs2 file system. spice-vdagent makes files on the network appear to be local to the virtual machine

Guest machine may need to be shut down and restarted, for the host and client software to get their act together.

Creative Commons License reaction.la gpg key 154588427F2709CD9D7146B01C99BB982002C39F
This work is licensed under the Creative Commons Attribution 4.0 International License.