@c0m4r
Last active November 3, 2024 10:04
Arch Linux ARM (aarch64/IPv6) installation

Generic AArch64 Installation

Tarball mirrors with IPv6 support

Country  Official  URL
USA      true      https://ca.us.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz
Denmark  true      http://dk.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz
Denmark  false*    https://mirrors.dotsrc.org/archlinuxarm/os/ArchLinuxARM-aarch64-latest.tar.gz
Japan    true      https://jp.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz

* Although dk.mirror.archlinuxarm.org and mirrors.dotsrc.org are the same host, the dotsrc mirror might be outdated.

dk.mirror.archlinuxarm.org has address 130.225.254.116
dk.mirror.archlinuxarm.org has IPv6 address 2001:878:346::116
mirrors.dotsrc.org has address 130.225.254.116
mirrors.dotsrc.org has IPv6 address 2001:878:346::116

Verify the tarball

Download the tarball from one mirror and the .md5 and .sig files from another, then check that they match.

wget https://ca.us.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz
wget https://jp.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz.md5
wget https://jp.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz.sig
# The md5 only catches a corrupted download; the GPG signature below is the check that matters
md5sum -c ArchLinuxARM-aarch64-latest.tar.gz.md5 || echo FAILED

Verify the GPG signature with archlinuxarm-keyring (IPv6: archlinuxarm-keyring via-IPv6.com)

wget https://raw.githubusercontent.com/archlinuxarm/archlinuxarm-keyring/master/archlinuxarm.gpg
# First pass: fetch the signing key from a keyserver and show the verification result
gpg --keyserver-options auto-key-retrieve --verify ArchLinuxARM-aarch64-latest.tar.gz.sig
# Second pass: extract the signing key's primary fingerprint (LC_ALL=C keeps gpg's output in English)
LC_ALL=C gpg \
  --keyserver-options auto-key-retrieve \
  --verify ArchLinuxARM-aarch64-latest.tar.gz.sig 2>&1 \
  | grep fingerprint \
  | cut -f2 -d: \
  | sed 's/\ //g;' > fingerprint.tmp
# The signature only counts if that fingerprint is in the official keyring; an empty fingerprint must fail too
[ -s fingerprint.tmp ] && gpg --show-keys archlinuxarm.gpg | grep "$(cat fingerprint.tmp)" && echo OK || echo FAILED
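The fingerprint check above, as an added example that is not part of the gist: a function that takes the captured text of `gpg --verify` and of `gpg --show-keys archlinuxarm.gpg` and fails closed when gpg reports a BAD signature or prints no fingerprint. The sample gpg outputs and the fingerprint in them are constructed placeholders, not the real Arch Linux ARM key.

```shell
#!/bin/sh
# Added example, not from the gist. Signing-key check that fails closed.

signer_fingerprint() {  # $1: gpg --verify output -> primary key fingerprint without spaces
  printf '%s\n' "$1" | sed -n 's/^Primary key fingerprint: *//p' | tr -d ' ' | head -n1
}

verify_signer() {  # $1: gpg --verify output, $2: gpg --show-keys output; 0 = OK
  case $1 in
    *"Good signature"*) ;;
    *) echo "FAILED: no good signature" >&2; return 1 ;;
  esac
  fpr=$(signer_fingerprint "$1")
  if [ ${#fpr} -ne 40 ]; then   # empty or malformed fingerprint must not pass
    echo "FAILED: no fingerprint in gpg output" >&2; return 1
  fi
  # gpg --show-keys prints each key's fingerprint on its own indented line
  if printf '%s\n' "$2" | grep -qi "^ *$fpr *\$"; then
    echo "OK: signed by $fpr, present in archlinuxarm.gpg"; return 0
  fi
  echo "FAILED: $fpr is not in archlinuxarm.gpg" >&2; return 1
}

# Constructed sample outputs (placeholder fingerprint, not the real Arch Linux ARM key)
SAMPLE_VERIFY_OK='gpg: Signature made Mon 01 Jan 2024 00:00:00 UTC
gpg:                using RSA key 0123456789ABCDEF0123456789ABCDEF01234567
gpg: Good signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_VERIFY_BAD='gpg: Signature made Mon 01 Jan 2024 00:00:00 UTC
gpg: BAD signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" [unknown]'
SAMPLE_KEYRING='pub   rsa4096 2014-01-01 [SC]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ unknown] Arch Linux ARM Build System <builder@archlinuxarm.org>'
SAMPLE_KEYRING_OTHER='pub   rsa4096 2014-01-01 [SC]
      FEDCBA9876543210FEDCBA9876543210FEDCBA98
uid           [ unknown] Someone Else <other@example.invalid>'

# Live use after downloading the .sig and archlinuxarm.gpg as above:
#   verify_signer "$(LC_ALL=C gpg --keyserver-options auto-key-retrieve \
#                    --verify ArchLinuxARM-aarch64-latest.tar.gz.sig 2>&1)" \
#                 "$(gpg --show-keys archlinuxarm.gpg)"
```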

IPv6 mirrorlist

Contents of /etc/pacman.d/mirrorlist ($repo is expanded by pacman, so it is written literally in the file):

Server = http://dk.mirror.archlinuxarm.org/aarch64/$repo
Server = http://eu.mirror.archlinuxarm.org/aarch64/$repo
Server = http://gr.mirror.archlinuxarm.org/aarch64/$repo
Server = http://jp.mirror.archlinuxarm.org/aarch64/$repo
Server = http://tw2.mirror.archlinuxarm.org/aarch64/$repo
Server = http://ca.us.mirror.archlinuxarm.org/aarch64/$repo

Hetzner Cloud installation from the Rescue Mode

Tested on a CAX11 (2 x Ampere vCPU, arm64) with the default Ubuntu image installed.

Get the latest aarch64 rootfs tarball from one of the mirrors listed above.

First log into Hetzner Cloud, open the control panel of your VPS and select Rescue -> Enable Rescue and Power Cycle. It takes up to 1 minute to boot into rescue mode. Your login details are displayed in the control panel after you activate the console; previously defined SSH keys also work.

Log into the rescue system over SSH and follow the steps below.

fdisk -l

Check available disk drives and look for the QEMU HARDDISK with the current system installed.

Disk /dev/sda: 38.15 GiB, 40961572864 bytes, 80003072 sectors
Disk model: QEMU HARDDISK   
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 021DD254-6352-4162-9F6A-75DA1EB5B9AB

Device      Start      End  Sectors  Size Type
/dev/sda1  528384 80003038 79474655 37.9G Linux filesystem
/dev/sda14   2048     4095     2048    1M BIOS boot
/dev/sda15   4096   528383   524288  256M EFI System

Partition table entries are not in disk order.

Leave partitions as they are.

mount /dev/sda1 /mnt
rm -rf /mnt/*                                   # wipe the existing Ubuntu root filesystem
cd /mnt
wget https://ca.us.mirror.archlinuxarm.org/os/ArchLinuxARM-aarch64-latest.tar.gz
# Verify the tarball (md5 and GPG signature) as described above before extracting it
tar xpvf ArchLinuxARM-aarch64-latest.tar.gz     # -p preserves ownership and permissions
rm ArchLinuxARM-aarch64-latest.tar.gz
mkdir boot/efi
mount /dev/sda15 boot/efi
cp boot/Image boot/efi/EFI/BOOT/BOOTAA64.EFI    # kernel (EFI stub) as the fallback boot binary
mount -o bind /dev dev
mount -t proc none proc
mount -t sysfs none sys
mount -t efivarfs /sys/firmware/efi/efivars sys/firmware/efi/efivars   # grub-install needs efivars to register the boot entry
# systemd-networkd: match the NIC by MAC, use the /64 address Hetzner assigned, gateway fe80::1
cat <<EOF > etc/systemd/network/10-eth0.network
[Match]
MACAddress=$(ip a s eth0 | grep link/ether | awk '{print $2}')

[Network]
Address=$(ip a s | grep "::1\/64" | awk '{print $2}')
Gateway=fe80::1
EOF
cp -r ~/.ssh root/                              # reuse the rescue system's authorized_keys for root
chroot /mnt

Inside the chroot:

cat <<EOF > /etc/pacman.d/mirrorlist
Server = http://dk.mirror.archlinuxarm.org/aarch64/\$repo
Server = http://eu.mirror.archlinuxarm.org/aarch64/\$repo
Server = http://gr.mirror.archlinuxarm.org/aarch64/\$repo
Server = http://jp.mirror.archlinuxarm.org/aarch64/\$repo
Server = http://tw2.mirror.archlinuxarm.org/aarch64/\$repo
Server = http://ca.us.mirror.archlinuxarm.org/aarch64/\$repo
EOF
rm -f /etc/resolv.conf                          # remove the symlink so the file below is used
echo "nameserver 2620:fe::fe" > /etc/resolv.conf # quad9
echo "nameserver 2620:fe::9" >> /etc/resolv.conf # quad9
echo "nameserver 2001:67c:930::1" >> /etc/resolv.conf # mediawiki
pacman-key --init
pacman-key --populate archlinuxarm              # trust the Arch Linux ARM package signing keys
pacman -Syu --noconfirm
pacman -Sy bash-completion efibootmgr grub nano openssh sudo vim --noconfirm
sed -i 's/quiet/console=tty1/g;' /etc/default/grub   # get kernel output on the Hetzner console
grub-install /dev/sda
grub-mkconfig -o /boot/grub/grub.cfg
echo "Europe/Warsaw" > /etc/timezone
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
passwd                                          # set the root password
passwd alarm                                    # change the default password of the alarm user
ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules   # keep the NIC named eth0
exit

Now reboot and continue the installation from the console.

Post-installation

NAT64

For use cases where a specific domain does not resolve over IPv6 (e.g. github.com) we can use a public NAT64 service. However, we do not necessarily want all traffic routed through that service, so we use dnsmasq and send only the domains we need to the NAT64 provider's DNS64 resolver.

cat <<EOF > /etc/dnsmasq.conf
proxy-dnssec
no-resolv
no-poll
listen-address=::1
bind-interfaces
no-hosts
# Default DNS: quad9
server=2620:fe::fe
server=2620:fe::9
# Alternative DNS: mediawiki
server=2001:67c:930::1
# For specific hosts use Public NAT64 service: https://nat64.net/
server=/github.com/2a00:1098:2c::1
server=/github.com/2a00:1098:2b::1
server=/github.com/2a01:4f8:c2c:123f::1
server=/api.github.com/2a00:1098:2c::1
server=/api.github.com/2a00:1098:2b::1
server=/api.github.com/2a01:4f8:c2c:123f::1
server=/objects.githubusercontent.com/2a00:1098:2c::1
server=/objects.githubusercontent.com/2a00:1098:2b::1
server=/objects.githubusercontent.com/2a01:4f8:c2c:123f::1
EOF

Public NAT64 services are listed here: https://nat64.xyz/

Be aware that the public NAT64 solution isn't perfect and may slow down or not work as expected at times due to rate limiting. As an alternative, use a proxy.
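A check for the split-resolver setup above, as an added example that is not part of the gist: a DNS64 answer is the NAT64 provider's /96 prefix with the host's IPv4 address in the last 32 bits (RFC 6052), so the helpers below expand IPv6 addresses, synthesize the expected address and test whether an answer from dnsmasq falls inside a NAT64 prefix. The prefixes used in the live check are assumed to be the ones published by nat64.net; confirm them there before relying on them.

```shell
#!/bin/sh
# Added example, not from the gist: is an AAAA answer NAT64-synthesized or native?

ipv6_expand() {  # print $1 as eight zero-padded 16-bit groups (handles "::")
  case $1 in
    *::*) left=${1%%::*}; right=${1#*::} ;;
    *)    left=$1; right= ;;
  esac
  n=0; for g in $(printf '%s %s' "$left" "$right" | tr ':' ' '); do n=$((n+1)); done
  fill=; while [ $n -lt 8 ]; do fill="$fill 0"; n=$((n+1)); done
  out=
  for g in $(printf '%s' "$left" | tr ':' ' ') $fill $(printf '%s' "$right" | tr ':' ' '); do
    out="$out$(printf '%04x' "0x$g"):"
  done
  printf '%s\n' "${out%:}"
}

nat64_synth() {  # $1: /96 prefix ending in "::" (e.g. 2a00:1098:2c::), $2: IPv4
  pfx=$1
  set -- $(printf '%s' "$2" | tr '.' ' ')      # split the IPv4 address into octets
  ipv6_expand "$(printf '%s%x:%x' "$pfx" $(($1 * 256 + $2)) $(($3 * 256 + $4)))"
}

in_nat64_prefix() {  # $1: IPv6 address, $2: /96 prefix; true if the first 96 bits match
  [ "$(ipv6_expand "$1" | cut -c1-29)" = "$(ipv6_expand "$2" | cut -c1-29)" ]
}

check_host() {  # live check: $1 hostname, rest: NAT64 prefixes; needs dnsmasq on ::1 and dig
  host=$1; shift
  aaaa=$(dig +short AAAA "$host" @::1 | head -n1)
  for p in "$@"; do
    if [ -n "$aaaa" ] && in_nat64_prefix "$aaaa" "$p"; then
      echo "$host -> $aaaa (NAT64 via $p)"; return 0
    fi
  done
  echo "$host -> ${aaaa:-no AAAA} (native)"; return 1
}

if [ "${1:-}" = "--live" ]; then
  # Assumed nat64.net prefixes; check https://nat64.net/ for the current list
  NAT64="2a00:1098:2c:: 2a00:1098:2b:: 2a01:4f8:c2c:123f:64::"
  check_host github.com $NAT64          # expected: NAT64 (listed in dnsmasq.conf)
  check_host archlinuxarm.org $NAT64    # expected: native (served by quad9)
fi
```

Run it with `--live` on the installed system after pointing /etc/resolv.conf at ::1 and starting dnsmasq; without the flag only the helpers are defined.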

Anti-malware

Consider paranoya - Simple IOC and YARA scanner

If you found this article helpful, please consider making a donation to a charity on my behalf. Thank you.