franta.us
Franta's blog
Zola
2026-03-29T00:00:00+00:00
https://franta.us/atom.xml
GPG in TPM on NixOS
2026-03-29T00:00:00+00:00
2026-03-29T00:00:00+00:00
Franta Bartik
https://franta.us/blog/setting-up-gpg-in-tpm-on-nixos/
<h2 id="motivation"><a class="zola-anchor" href="#motivation" aria-label="Anchor link for: motivation">Motivation</a></h2>
<p>I have 3 YubiKeys set up with GPG keys. I wanted to try to have a key inside of the TPM of the NixOS laptop that I use at home.</p>
<h2 id="sources"><a class="zola-anchor" href="#sources" aria-label="Anchor link for: sources">Sources</a></h2>
<p>I've mainly used 2 resources to get all the necessary commands to generate a GPG key in a TPM:</p>
<ul>
<li><a rel="noopener noreferrer external" target="_blank" href="https://blog.wrouesnel.com/posts/tpm-secured-gpg-keys/">https://blog.wrouesnel.com/posts/tpm-secured-gpg-keys/</a></li>
<li><a rel="noopener noreferrer external" target="_blank" href="https://blog.dan.drown.org/gpg-key-in-tpm/">https://blog.dan.drown.org/gpg-key-in-tpm/</a> (this is an update on the above blog with important fixes)</li>
</ul>
<h2 id="steps"><a class="zola-anchor" href="#steps" aria-label="Anchor link for: steps">Steps</a></h2>
<h3 id="initial-nix-config"><a class="zola-anchor" href="#initial-nix-config" aria-label="Anchor link for: initial-nix-config">Initial Nix config</a></h3>
<p>These are the basic <code>nix</code> toggles you need to make to make sure TPM works (and your user can interact with it).</p>
<pre class="giallo z-code"><code data-lang="nix"><span class="giallo-l"><span class="z-variable z-variable z-parameter"> security</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">tpm2</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">enable</span><span> =</span><span class="z-constant z-language"> true</span><span>;</span></span>
<span class="giallo-l"><span class="z-variable z-variable z-parameter"> security</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">tpm2</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">pkcs11</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">enable</span><span> =</span><span class="z-constant z-language"> true</span><span>;</span><span class="z-comment"> #</span><span class="z-comment"> expose /run/current-system/sw/lib/libtpm2_pkcs11.so</span></span>
<span class="giallo-l"><span class="z-variable z-variable z-parameter"> security</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">tpm2</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">tctiEnvironment</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">enable</span><span> =</span><span class="z-constant z-language"> true</span><span>;</span><span class="z-comment"> #</span><span class="z-comment"> TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables</span></span>
<span class="giallo-l"><span class="z-variable z-variable z-parameter"> users</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">users</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-string"><user></span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">extraGroups</span><span> =</span><span class="z-punctuation"> [</span><span class="z-punctuation"> "</span><span class="z-string">tss</span><span class="z-punctuation">"</span><span class="z-punctuation"> ]</span><span>;</span><span class="z-comment"> #</span><span class="z-comment"> tss group has access to TPM devices</span></span></code></pre><h3 id="shell-commands"><a class="zola-anchor" href="#shell-commands" aria-label="Anchor link for: shell-commands">Shell commands</a></h3>
<p>Used variables:</p>
<ul>
<li><code>userpin</code> = PIN code that gets used to unlock the GPG key</li>
<li><code>adminpin</code> = master PIN (unsure about the use, but I set it to about twice as long as <code>userpin</code>)</li>
</ul>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> tpm2_ptool</span><span class="z-string"> init</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> tpm2_ptool</span><span class="z-string"> addtoken</span><span class="z-string"> -</span><span class="z-string">-pid=1</span><span class="z-string"> -</span><span class="z-string">-label=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-string z-quoted z-double z-shell z-string">gpg</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-userpin=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">userpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-sopin=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">adminpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> tpm2_ptool</span><span class="z-string"> addkey</span><span class="z-string"> -</span><span class="z-string">-label=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-string z-quoted z-double z-shell z-string">gpg</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-key-label=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-string z-quoted z-double z-shell z-string">gpg</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-userpin=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">userpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-algorithm=rsa2048</span></span></code></pre><h3 id="using-p11-tools"><a class="zola-anchor" href="#using-p11-tools" aria-label="Anchor link for: using-p11-tools">Using <code>p11</code> tools</a></h3>
<p>Now, this is where my approach differs from the above sources. AFAICT they have installed the necessary PKCS#11 dependencies on Ubuntu/Fedora, which set up the config files for immediate use. However on NixOS that's not the case (as of March 2026, could change in the future). This is the tweak I had to make:</p>
<pre class="giallo z-code"><code data-lang="nix"><span class="giallo-l"><span class="z-comment">#</span><span class="z-comment"> /etc/pkcs11/modules/tpm_pkcs11 has to exist:</span></span>
<span class="giallo-l"><span class="z-variable z-variable z-parameter"> environment</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">etc</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-punctuation">"</span><span class="z-string">pkcs11/modules/tpm2_pkcs11</span><span class="z-punctuation">"</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">text</span><span> =</span><span class="z-punctuation"> ''</span></span>
<span class="giallo-l"><span class="z-string"> module: </span><span class="z-punctuation z-section z-embedded z-punctuation">${</span><span class="z-variable z-variable z-parameter">pkgs</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">tpm2-pkcs11</span><span class="z-punctuation z-section z-embedded z-punctuation">}</span><span class="z-string">/lib/libtpm2_pkcs11.so</span></span>
<span class="giallo-l"><span class="z-string"> critical: yes</span></span>
<span class="giallo-l"><span class="z-punctuation"> ''</span><span>;</span></span></code></pre>
<p>This file will ensure that <code>p11-kit list-modules</code> actually works. Without the module loaded, the subsequent commands will fail.</p>
<h4 id="extract-the-token-uri"><a class="zola-anchor" href="#extract-the-token-uri" aria-label="Anchor link for: extract-the-token-uri">Extract the token URI</a></h4>
<p>Run <code>p11tool --list-token-urls | grep token=gpg</code> to get a URI that will look similar to this: <code>pkcs11:manufacturer=STMicro;serial=0123456789012345;token=gpg</code>. Then use that URI in another <code>p11tool</code> command:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">p11tool</span><span class="z-string"> -</span><span class="z-string">-list-privkeys</span><span class="z-string"> -</span><span class="z-string">-login</span><span class="z-string"> -</span><span class="z-string">-only-urls</span><span class="z-string"> -</span><span class="z-string">-set-pin=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">userpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">tokenURI</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span></code></pre>
<p>Finally, you can test whether the key works (<code>${privateURI}</code> is the output of the above command):</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">p11tool</span><span class="z-string"> -</span><span class="z-string">-test-sign</span><span class="z-string"> -</span><span class="z-string">-login</span><span class="z-string"> -</span><span class="z-string">-set-pin=</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">userpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">privateURI</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment">#</span><span class="z-comment"> Output should look like this:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Signing</span><span class="z-string"> using</span><span class="z-string"> RSA-SHA256...</span><span class="z-string"> ok</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Verifying</span><span class="z-string"> against</span><span class="z-string"> private</span><span class="z-string"> key</span><span class="z-string"> parameters...</span><span class="z-string"> ok</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Verifying</span><span class="z-string"> against</span><span class="z-string"> public</span><span class="z-string"> key</span><span class="z-string"> in</span><span class="z-string"> the</span><span class="z-string"> token...</span><span class="z-string"> ok</span></span></code></pre><h3 id="creating-a-certificate"><a class="zola-anchor" href="#creating-a-certificate" aria-label="Anchor link for: creating-a-certificate">Creating a certificate</a></h3>
<p>Create a file <code>template.ini</code>.</p>
<ul>
<li><code>${name}</code> = Your name</li>
<li><code>${email}</code> = Your email</li>
<li>For the serial, you can use this date command: <code>$(date --utc +%Y%m%d%H%M%S)</code></li>
</ul>
<pre class="giallo z-code"><code data-lang="ini"><span class="giallo-l"><span class="z-keyword z-other z-definition z-ini">cn</span><span class="z-punctuation z-separator z-key-value z-ini z-punctuation"> =</span><span class="z-punctuation z-definition z-string z-begin z-ini z-punctuation"> "</span><span class="z-string z-quoted z-double z-ini z-string">${name}</span><span class="z-punctuation z-definition z-string z-end z-ini z-punctuation">"</span></span>
<span class="giallo-l"><span class="z-keyword z-other z-definition z-ini">serial</span><span class="z-punctuation z-separator z-key-value z-ini z-punctuation"> =</span><span> 20260330032616</span></span>
<span class="giallo-l"><span class="z-keyword z-other z-definition z-ini">expiration_days</span><span class="z-punctuation z-separator z-key-value z-ini z-punctuation"> =</span><span> 3650</span></span>
<span class="giallo-l"><span class="z-keyword z-other z-definition z-ini">email</span><span class="z-punctuation z-separator z-key-value z-ini z-punctuation"> =</span><span class="z-punctuation z-definition z-string z-begin z-ini z-punctuation"> "</span><span class="z-string z-quoted z-double z-ini z-string">${email}</span><span class="z-punctuation z-definition z-string z-end z-ini z-punctuation">"</span></span>
<span class="giallo-l"><span>signing_key</span></span>
<span class="giallo-l"><span>encryption_key</span></span>
<span class="giallo-l"><span>cert_signing_key</span></span></code></pre>
<p>Use the template to export a certificate:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-variable">GNUTLS_PIN</span><span class="z-keyword z-operator z-keyword">=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">userpin</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-entity z-name z-function z-entity z-name"> certtool</span><span class="z-string"> -</span><span class="z-string">-generate-self-signed</span><span class="z-string"> -</span><span class="z-string">-template</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string">template.ini</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-constant z-character z-escape"> \</span></span>
<span class="giallo-l"><span class="z-string"> -</span><span class="z-string">-load-privkey</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">privateURI</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> -</span><span class="z-string">-outfile</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">name</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-string z-quoted z-double z-shell z-string">.crt</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span></code></pre>
<p>Import the certificate to the TPM (or at least I think that's what's happening):</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">tpm2_ptool</span><span class="z-string"> addcert</span><span class="z-string"> -</span><span class="z-string">-label=gpg</span><span class="z-string"> -</span><span class="z-string">-key-label=gpg</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">$</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">{</span><span class="z-variable z-other z-normal z-shell z-variable">name</span><span class="z-punctuation z-definition z-variable z-shell z-punctuation">}</span><span class="z-string z-quoted z-double z-shell z-string">.crt</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span></code></pre><h3 id="home-manager-additions"><a class="zola-anchor" href="#home-manager-additions" aria-label="Anchor link for: home-manager-additions"><code>home-manager</code> additions</a></h3>
<p>This is a barebones GPG configuration in <code>home-manager</code>.</p>
<pre class="giallo z-code"><code data-lang="nix"><span class="giallo-l"><span class="z-variable z-variable z-parameter"> services</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">gpg-agent</span><span> =</span><span class="z-punctuation"> {</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> enable</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-constant z-language"> true</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> enableExtraSocket</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-constant z-language"> true</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> enableScDaemon</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-constant z-language"> true</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> extraConfig</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-punctuation"> ''</span></span>
<span class="giallo-l"><span class="z-string"> scdaemon-program </span><span class="z-punctuation z-section z-embedded z-punctuation">${</span><span class="z-variable z-variable z-parameter">pkgs</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">gnupg-pkcs11-scd</span><span class="z-punctuation z-section z-embedded z-punctuation">}</span><span class="z-string">/bin/gnupg-pkcs11-scd</span></span>
<span class="giallo-l"><span class="z-punctuation"> ''</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> pinentry</span><span>.</span><span class="z-entity z-other z-attribute-name">package</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-variable z-variable z-parameter"> pkgs</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">pinentry-tty</span><span class="z-comment"> #</span><span class="z-comment"> Or your pinentry of choice</span></span>
<span class="giallo-l"><span class="z-variable z-variable z-parameter"> programs</span><span class="z-keyword z-operator z-keyword">.</span><span class="z-variable z-variable z-parameter">gpg</span><span> =</span><span class="z-punctuation"> {</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> enable</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-constant z-language"> true</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> settings</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-punctuation"> {</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> trust-model</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-punctuation"> "</span><span class="z-string">tofu+pgp</span><span class="z-punctuation">"</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-punctuation"> }</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-punctuation"> }</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> home</span><span>.</span><span class="z-entity z-other z-attribute-name">file</span><span>.</span><span class="z-punctuation">"</span><span class="z-string">.gnupg/gnupg-pkcs11-scd.conf</span><span class="z-punctuation">"</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-punctuation"> {</span></span>
<span class="giallo-l"><span class="z-entity z-other z-attribute-name"> text</span><span class="z-keyword z-operator z-keyword"> =</span><span class="z-punctuation"> ''</span></span>
<span class="giallo-l"><span class="z-string"> providers tpm</span></span>
<span class="giallo-l"><span class="z-string"> provider-tpm-library /run/current-system/sw/lib/libtpm2_pkcs11.so</span></span>
<span class="giallo-l"><span class="z-punctuation"> ''</span><span class="z-punctuation">;</span></span>
<span class="giallo-l"><span class="z-punctuation"> }</span><span class="z-punctuation">;</span></span></code></pre>
<p>Install your new <code>nix</code> config, restart the <code>gpg-agent</code> and then check whether you can see the TPM "card":</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> gpg</span><span class="z-string"> -</span><span class="z-string">-card-status</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">gpg:</span><span class="z-string"> WARNING:</span><span class="z-string"> server</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> '</span><span class="z-string z-quoted z-single z-shell z-string">scdaemon</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">'</span><span class="z-string"> is</span><span class="z-string"> older</span><span class="z-string"> than</span><span class="z-string"> us</span><span> (0.11.0</span><span class="z-keyword z-operator z-keyword"> <</span><span class="z-constant z-numeric"> 2.4.9</span><span>)</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">gpg:</span><span class="z-string"> Note:</span><span class="z-string"> Outdated</span><span class="z-string"> servers</span><span class="z-string"> may</span><span class="z-string"> lack</span><span class="z-string"> important</span><span class="z-string"> security</span><span class="z-string"> fixes.</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">gpg:</span><span class="z-string"> Note:</span><span class="z-string"> Use</span><span class="z-string"> the</span><span class="z-string"> command</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string">gpgconf --kill all</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> to</span><span class="z-string"> restart</span><span class="z-string"> them.</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Application</span><span class="z-string"> ID</span><span class="z-string"> ...:</span><span class="z-keyword z-operator z-keyword"> <</span><span class="z-string">sni</span><span>p</span><span class="z-keyword z-operator z-keyword">></span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Application</span><span class="z-string"> type</span><span class="z-string"> .:</span><span class="z-string"> OpenPGP</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Version</span><span class="z-string"> ..........:</span><span class="z-constant z-numeric"> 11.50</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Manufacturer</span><span class="z-string"> .....:</span><span class="z-string"> ?</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Serial</span><span class="z-string"> number</span><span class="z-string"> ....:</span><span class="z-string"> 06E5165C</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Signature</span><span class="z-string"> PIN</span><span class="z-string"> ....:</span><span class="z-string"> forced</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Key</span><span class="z-string"> attributes</span><span class="z-string"> ...:</span><span class="z-string"> rsa48</span><span class="z-string"> rsa48</span><span class="z-string"> rsa48</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Please</span><span class="z-string"> try</span><span class="z-string"> command</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string">openpgp</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> if</span><span class="z-string"> the</span><span class="z-string"> listing</span><span class="z-string"> does</span><span class="z-string"> not</span><span class="z-string"> look</span><span class="z-string"> correct</span></span></code></pre>
<p>(this output is severely abridged). If you are seeing something like <code>gpg: selecting card failed: No such device</code> and/or <code>gpg: OpenPGP card not available: No such device</code>, make sure your <code>$GNUPGHOME/.gnupg/gnupg-pkcs11-scd.conf</code> is correctly formatted and has the right filename.</p>
<h3 id="import-the-key-in-keyring"><a class="zola-anchor" href="#import-the-key-in-keyring" aria-label="Anchor link for: import-the-key-in-keyring">Import the key in keyring</a></h3>
<p>You'll need to run <code>gpg --expert --full-generate-key</code> to make the key show up in your keyring. The serial is the same as the <strong>Application ID</strong> in <code>gpg --card-status</code>.</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> gpg</span><span class="z-string"> -</span><span class="z-string">-expert</span><span class="z-string"> -</span><span class="z-string">-full-generate-key</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Your</span><span class="z-string"> selection?</span><span class="z-constant z-numeric"> 14</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Serial</span><span class="z-string"> number</span><span class="z-string"> of</span><span class="z-string"> the</span><span class="z-string"> card:</span><span class="z-keyword z-operator z-keyword"> <</span><span class="z-string">sni</span><span>p</span><span class="z-keyword z-operator z-keyword">></span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Available</span><span class="z-string"> keys:</span></span>
<span class="giallo-l"><span class="z-punctuation"> (</span><span class="z-entity z-name z-function z-entity z-name">1</span><span class="z-punctuation">)</span><span class="z-keyword z-operator z-keyword"> <</span><span class="z-entity z-name z-function z-entity z-name">snip</span><span>></span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Your</span><span class="z-string"> selection?</span><span class="z-constant z-numeric"> 1</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Possible</span><span class="z-string"> actions</span><span class="z-string"> for</span><span class="z-string"> this</span><span class="z-string"> RSA</span><span class="z-string"> key:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Current</span><span class="z-string"> allowed</span><span class="z-string"> actions:</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation"> (</span><span class="z-entity z-name z-function z-entity z-name">Q</span><span class="z-punctuation">)</span><span class="z-entity z-name z-function z-entity z-name"> Finished</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Your</span><span class="z-string"> selection?</span><span class="z-string"> Q</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Please</span><span class="z-string"> specify</span><span class="z-string"> how</span><span class="z-string"> long</span><span class="z-string"> the</span><span class="z-string"> key</span><span class="z-string"> should</span><span class="z-string"> be</span><span class="z-string"> valid.</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> 0</span><span class="z-string"> =</span><span class="z-string"> key</span><span class="z-string"> does</span><span class="z-string"> not</span><span class="z-string"> expire</span></span>
<span class="giallo-l"><span class="z-keyword z-operator z-keyword"> <</span><span class="z-entity z-name z-function z-entity z-name">n</span><span>></span><span class="z-string"> =</span><span class="z-string"> key</span><span class="z-string"> expires</span><span class="z-string"> in</span><span class="z-string"> n</span><span class="z-string"> days</span></span>
<span class="giallo-l"><span class="z-keyword z-operator z-keyword"> <</span><span class="z-entity z-name z-function z-entity z-name">n</span><span>></span><span class="z-string">w</span><span class="z-string"> =</span><span class="z-string"> key</span><span class="z-string"> expires</span><span class="z-string"> in</span><span class="z-string"> n</span><span class="z-string"> weeks</span></span>
<span class="giallo-l"><span class="z-keyword z-operator z-keyword"> <</span><span class="z-entity z-name z-function z-entity z-name">n</span><span>></span><span class="z-string">m</span><span class="z-string"> =</span><span class="z-string"> key</span><span class="z-string"> expires</span><span class="z-string"> in</span><span class="z-string"> n</span><span class="z-string"> months</span></span>
<span class="giallo-l"><span class="z-keyword z-operator z-keyword"> <</span><span class="z-entity z-name z-function z-entity z-name">n</span><span>></span><span class="z-string">y</span><span class="z-string"> =</span><span class="z-string"> key</span><span class="z-string"> expires</span><span class="z-string"> in</span><span class="z-string"> n</span><span class="z-string"> years</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Key</span><span class="z-string"> is</span><span class="z-string"> valid</span><span class="z-string"> for?</span><span> (0</span><span>) 0</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Key</span><span class="z-string"> does</span><span class="z-string"> not</span><span class="z-string"> expire</span><span class="z-string"> at</span><span class="z-string"> all</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Is</span><span class="z-string"> this</span><span class="z-string"> correct?</span><span> (y/N</span><span>) y</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> GnuPG</span><span class="z-string"> needs</span><span class="z-string"> to</span><span class="z-string"> construct</span><span class="z-string"> a</span><span class="z-string"> user</span><span class="z-string"> ID</span><span class="z-string"> to</span><span class="z-string"> identify</span><span class="z-string"> your</span><span class="z-string"> key.</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Real</span><span class="z-string"> name:</span><span class="z-string"> Franta</span><span class="z-string"> Bartik</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Email</span><span class="z-string"> address:</span><span class="z-string"> fb@franta.us</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Comment:</span><span class="z-string"> TPM</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> You</span><span class="z-string"> selected</span><span class="z-string"> this</span><span class="z-string"> USER-ID:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> "</span><span class="z-entity z-name z-function z-entity z-name">Franta Bartik (TPM) <fb@franta.us></span><span class="z-entity z-name z-function z-entity z-name">"</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name"> Change</span><span> (N</span><span>)ame, (</span><span class="z-entity z-name z-function z-entity z-name">C</span><span>)omment, (</span><span class="z-entity z-name z-function z-entity z-name">E</span><span>)mail or (</span><span class="z-entity z-name z-function z-entity z-name">O</span><span>)kay/(</span><span class="z-entity z-name z-function z-entity z-name">Q</span><span>)uit</span><span class="z-keyword z-operator z-keyword">?</span><span> O</span></span></code></pre>
<p>After this is done, you can use your key for anything you'd use a normal GPG key for.</p>
Building ONIE
2026-03-17T00:00:00+00:00
2026-03-17T00:00:00+00:00
Franta Bartik
https://franta.us/blog/building-onie/
<h2 id="building-onie"><a class="zola-anchor" href="#building-onie" aria-label="Anchor link for: building-onie">Building ONIE</a></h2>
<p>I was trying to help someone install Cumulus Linux on their <strong>DNI 3048UP</strong> switch. However it seems that their ONIE version was too old to install a more recent version of Cumulus than 3.7.16. I used these resources to build an image:</p>
<ul>
<li><a rel="noopener noreferrer external" target="_blank" href="https://opencomputeproject.github.io/onie/developers/building.html#preparing-an-onie-build-environment">Preparing an ONIE Build Environment</a></li>
<li><a rel="noopener noreferrer external" target="_blank" href="https://github.com/CumulusNetworks/DUE/blob/master/templates/onie/README.md">DUE ONIE README.md</a></li>
<li><a rel="noopener noreferrer external" target="_blank" href="https://www.lucaswilliams.net/index.php/2024/06/12/building-onie-with-due/">Building ONIE with DUE</a> (this one was the most useful as it’s more recent and deals with EOL’d Debian issues)</li>
</ul>
<p>I chose to set up an <code>incus</code> Ubuntu VM, as I have it installed on my NixOS laptop already. In the VM, I built a <code>due</code> container for building ONIE images.</p>
<h3 id="incus-specifics"><a class="zola-anchor" href="#incus-specifics" aria-label="Anchor link for: incus-specifics">incus specifics</a></h3>
<p>I ran into issues with limited resources (Linux OOM-killer will kill the <code>genautomata</code> process). These settings worked for me:</p>
<ul>
<li>Increase memory to <strong>8 GiB</strong> (from 1 GiB)</li>
<li>Increase storage to <strong>25 GiB</strong> (from 10 GiB)</li>
<li>Increase CPU cores to <strong>4</strong> (from 1)</li>
</ul>
<p>I chose <code>ubuntu/noble</code> arbitrarily, since it was in my shell history. Anything that can use <code>.deb</code> or <code>.rpm</code> packages should work fine.</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-punctuation z-definition z-comment">#</span><span class="z-comment"> I named the VM onie-build</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">incus</span><span class="z-string"> launch</span><span class="z-string"> images:ubuntu/noble</span><span class="z-string"> -</span><span class="z-string">-vm</span><span class="z-string"> onie-build</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">incus</span><span class="z-string"> config</span><span class="z-string"> set</span><span class="z-string"> onie-build</span><span class="z-string"> limits.memory=8GiB</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">incus</span><span class="z-string"> config</span><span class="z-string"> device</span><span class="z-string"> override</span><span class="z-string"> onie-build</span><span class="z-string"> root</span><span class="z-string"> size=25GiB</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">incus</span><span class="z-string"> config</span><span class="z-string"> set</span><span class="z-string"> onie-build</span><span class="z-string"> limits.cpu</span><span class="z-constant z-numeric"> 4</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">incus</span><span class="z-string"> exec</span><span class="z-string"> onie-build</span><span class="z-string"> -</span><span class="z-string">-</span><span class="z-string"> bash</span></span></code></pre><h3 id="setting-up-an-admin-user"><a class="zola-anchor" href="#setting-up-an-admin-user" aria-label="Anchor link for: setting-up-an-admin-user">Setting up an admin user</a></h3>
<p><code>due</code> freaks out if you run it as root, it expects a normal user with <code>docker</code> privileges.</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">useradd</span><span class="z-string"> -</span><span class="z-string">m</span><span class="z-string"> -</span><span class="z-string">G</span><span class="z-string"> docker</span><span class="z-string"> -</span><span class="z-string">s</span><span class="z-string"> /bin/bash</span><span class="z-string"> admin</span></span></code></pre><h3 id="setting-up-due"><a class="zola-anchor" href="#setting-up-due" aria-label="Anchor link for: setting-up-due">Setting up <code>due</code></a></h3>
<p>I first installed due from the Ubuntu repo to resolve dependencies (docker, etc...), then I downloaded the <code>.deb</code> from the <strong>CumulusNetworks/DUE</strong> repo because the <code>ubuntu/noble</code> version is too old and can't deal with filesystem patches.</p>
<p>As <code>root</code>:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">apt</span><span class="z-string"> update</span><span class="z-punctuation"> &&</span><span class="z-entity z-name z-function z-entity z-name"> apt</span><span class="z-string"> install</span><span class="z-string"> due</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">wget</span><span class="z-string"> https://github.com/CumulusNetworks/DUE/releases/download/v4.1.0/due_4.1.0-1_all.deb</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">dpkg</span><span class="z-string"> -</span><span class="z-string">i</span><span class="z-string"> ./due_4.1.0-1_all.deb</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment">#</span><span class="z-comment"> The .deb didn't come with image-patches, so I took them from the repo</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">git</span><span class="z-string"> clone</span><span class="z-string"> https://github.com/CumulusNetworks/DUE.git</span><span class="z-punctuation"> &&</span><span class="z-entity z-name z-function z-entity z-name"> cp</span><span class="z-string"> -</span><span class="z-string">r</span><span class="z-string"> DUE/image-patches</span><span class="z-string"> /usr/share/due/</span></span></code></pre><h3 id="working-with-due"><a class="zola-anchor" href="#working-with-due" aria-label="Anchor link for: working-with-due">Working with <code>due</code></a></h3>
<p>Creating a Debian 9 build container.</p>
<p>As the <code>admin</code> user:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">due</span><span class="z-string"> -</span><span class="z-string">-create</span><span class="z-string"> -</span><span class="z-string">-platform</span><span class="z-string"> linux/amd64</span><span class="z-string"> -</span><span class="z-string">-name</span><span class="z-string"> onie-build-debian-9</span><span class="z-string"> -</span><span class="z-string">-prompt</span><span class="z-string"> ONIE-9</span><span class="z-string"> -</span><span class="z-string">-tag</span><span class="z-string"> onie-9</span><span class="z-string"> -</span><span class="z-string">-use-template</span><span class="z-string"> onie</span><span class="z-string"> -</span><span class="z-string">-from</span><span class="z-string"> debian:9</span><span class="z-string"> -</span><span class="z-string">-description</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> '</span><span class="z-string z-quoted z-single z-shell z-string">ONIE Build Debian 9</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">'</span><span class="z-string"> -</span><span class="z-string">-image-patch</span><span class="z-string"> debian/9/filesystem</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">due</span><span class="z-string"> -</span><span class="z-string">-run</span><span class="z-string"> -</span><span class="z-string">i</span><span class="z-string"> due-onie-build-debian-9:onie-9</span><span class="z-string"> -</span><span class="z-string">-dockerarg</span><span class="z-string"> -</span><span class="z-string">-privileged</span></span></code></pre><h3 id="optional-setting-up-a-local-cache"><a class="zola-anchor" href="#optional-setting-up-a-local-cache" aria-label="Anchor link for: optional-setting-up-a-local-cache">(optional) Setting up a local cache</a></h3>
<p>As <code>root</code>:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">mkdir</span><span class="z-string"> -</span><span class="z-string">p</span><span class="z-string"> /var/cache/onie/download/</span></span>
<span class="giallo-l"><span class="z-support z-function z-builtin z-shell z-support z-function">cd</span><span class="z-string"> /var/cache/onie/download/</span><span class="z-punctuation"> &&</span><span class="z-entity z-name z-function z-entity z-name"> wget</span><span class="z-string"> -</span><span class="z-string">-recursive</span><span class="z-string"> -</span><span class="z-string">-cut-dirs=2</span><span class="z-string"> -</span><span class="z-string">-no-host-directories</span><span class="z-string"> -</span><span class="z-string">-no-parent</span><span class="z-string"> -</span><span class="z-string">-reject=</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation">"</span><span class="z-string z-quoted z-double z-shell z-string">index.html</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string">http://mirror.opencompute.org/onie</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span></code></pre>
<p>Then open <code>due --run</code> with the <code>--mount-dir /var/cache/onie/download/:/var/cache/onie/download/</code> option.</p>
<p><code>make</code> commands should be executed with <code>ONIE_USE_SYSTEM_DOWNLOAD_CACHE=TRUE</code>.</p>
<h3 id="building-onie-1"><a class="zola-anchor" href="#building-onie-1" aria-label="Anchor link for: building-onie-1">Building ONIE</a></h3>
<p>Switch I was targeting needed the <strong>2020.05br</strong> branch (you can figure this out from <code>build-config/scripts/onie-build-targets.json</code> in the ONIE git repo).</p>
<p>Execute these commands either as <code>admin</code> or in the <code>due</code> container:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">git</span><span class="z-string"> clone</span><span class="z-string"> https://github.com/opencomputeproject/onie.git</span></span>
<span class="giallo-l"><span class="z-support z-function z-builtin z-shell z-support z-function">cd</span><span class="z-string"> onie</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">git</span><span class="z-string"> checkout</span><span class="z-string"> 2020.05br</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment">#</span><span class="z-comment"> The builder expects these gitconfig values</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">git</span><span class="z-string"> config</span><span class="z-string"> -</span><span class="z-string">-global</span><span class="z-string"> user.email</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string"><email></span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">git</span><span class="z-string"> config</span><span class="z-string"> -</span><span class="z-string">-global</span><span class="z-string"> user.name</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string"><name></span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span></span></code></pre>
<p>You'll know if you need to change the branch if you run into this error when building the image:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">make:</span><span class="z-variable z-language z-special z-variable z-language"> *</span><span class="z-variable z-language z-special z-variable z-language">*</span><span class="z-variable z-language z-special z-variable z-language">*</span><span class="z-string"> No</span><span class="z-string"> rule</span><span class="z-string"> to</span><span class="z-string"> make</span><span class="z-string"> target</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> '</span><span class="z-string z-quoted z-single z-shell z-string">conf/crosstool/gcc-4.9.2/uClibc-ng-1.0.38/crosstool.x86_64.config</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">'</span><span class="z-string">,</span><span class="z-string"> needed</span><span class="z-string"> by</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> '</span><span class="z-string z-quoted z-single z-shell z-string">/home/build/src/onie/build/x-tools/x86_64-g4.9.2-lnx4.9.95-uClibc-ng-1.0.38/build/.config</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">'</span><span class="z-string">.</span><span class="z-string"> Stop.</span></span></code></pre>
<p>Finally, build ONIE:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-support z-function z-builtin z-shell z-support z-function">cd</span><span class="z-string"> build-config/</span></span>
<span class="giallo-l"><span class="z-punctuation z-definition z-comment">#</span><span class="z-comment"> This will use 4 cores to build the image</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">make</span><span class="z-string"> -</span><span class="z-string">j4</span><span class="z-string"> MACHINEROOT=../machine/dni/</span><span class="z-string"> MACHINE=dni_3048up</span><span class="z-string"> all</span></span></code></pre>
<p>The resulting files will be in <code>build/images/</code>. How to install them on the switch is out of the scope of this post, but most switches have instructions in the <strong>INSTALL</strong> file in their directory in the ONIE repo.</p>
Dumping BGP MRT in Cumulus Linux
2026-03-13T00:00:00+00:00
2026-03-13T00:00:00+00:00
Unknown
https://franta.us/blog/cumulus-frr-bgp-dump/
<h2 id="motivation"><a class="zola-anchor" href="#motivation" aria-label="Anchor link for: motivation">Motivation</a></h2>
<p>I wanted to import some real routes from a <strong>PE</strong> router (for an Nvidia AIR simulation) and this seemed like the easiest way about it. I heard about <a rel="noopener noreferrer external" target="_blank" href="https://github.com/Exa-Networks/exabgp/wiki/MRT-Format#what-is-mrt">MRT</a> before, so I searched Cumulus documentation to see if there was an <code>NVUE</code> command for this, but it seems like there is not (as of version <strong>5.16</strong>). Cumulus allows you to just use the <code>vtysh</code> shell so I did that.</p>
<h2 id="procedure"><a class="zola-anchor" href="#procedure" aria-label="Anchor link for: procedure">Procedure</a></h2>
<p>This outlines steps to use a Cumulus router for gathering a BGP table and then using the BGP table in further Cumulus configuration.</p>
<h3 id="extracting-an-mrt-file-from-frr"><a class="zola-anchor" href="#extracting-an-mrt-file-from-frr" aria-label="Anchor link for: extracting-an-mrt-file-from-frr">Extracting an MRT file from FRR</a></h3>
<p>I initially used the <code>vtysh</code> method because I couldn't find how to do this using <code>NVUE</code> CLI. Turns out, there is a way to do it using <a rel="noopener noreferrer external" target="_blank" href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-516/System-Configuration/NVIDIA-User-Experience-NVUE/NVUE-Snippets"><em>"snippets"</em></a>.</p>
<h4 id="correct-method"><a class="zola-anchor" href="#correct-method" aria-label="Anchor link for: correct-method">Correct method</a></h4>
<p>An example snippet that dumps the MRT looks like this:</p>
<pre class="giallo z-code"><code data-lang="yaml"><span class="giallo-l"><span class="z-punctuation z-definition z-block z-sequence z-item z-yaml z-punctuation">-</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml"> s</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml">et</span><span class="z-punctuation z-separator z-key-value z-mapping z-yaml z-punctuation">:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml"> s</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml">ystem</span><span class="z-punctuation z-separator z-key-value z-mapping z-yaml z-punctuation">:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml"> c</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml">onfig</span><span class="z-punctuation z-separator z-key-value z-mapping z-yaml z-punctuation">:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml"> s</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml">nippet</span><span class="z-punctuation z-separator z-key-value z-mapping z-yaml z-punctuation">:</span></span>
<span class="giallo-l"><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml"> f</span><span class="z-entity z-name z-tag z-entity z-name z-tag z-yaml">rr.conf</span><span class="z-punctuation z-separator z-key-value z-mapping z-yaml z-punctuation">:</span><span class="z-keyword z-keyword z-control"> |</span></span>
<span class="giallo-l"><span class="z-string z-unquoted z-block z-yaml z-string"> dump bgp routes-mrt /tmp/routes-mrt</span></span></code></pre>
<p>You'll then use this as a file in the CLI:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">nv</span><span class="z-string"> config</span><span class="z-string"> patch</span><span class="z-string"> snippet.yaml</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">nv</span><span class="z-string"> config</span><span class="z-string"> apply</span></span></code></pre><h4 id="most-likely-incorrect-method"><a class="zola-anchor" href="#most-likely-incorrect-method" aria-label="Anchor link for: most-likely-incorrect-method">(most likely) Incorrect method</a></h4>
<p><strong>USE THE METHOD ABOVE</strong>
This does require entering <code>configure</code> mode in <strong>FRR</strong>, but AFAIK it doesn't make any changes in routing behavior (nor should it).</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">fbartik@cumulus:mgmt:~$</span><span class="z-string"> sudo</span><span class="z-string"> vtysh</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">cumulus#</span><span class="z-string"> configure</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">cumulus(config</span><span>)# dump bgp routes-mrt /tmp/routes-mrt </span></span></code></pre>
<p>The <code>dump</code> command requires a path, which needs to be somewhere <strong>FRR</strong> can write into (so either <code>/tmp</code> or <code>/etc/frr</code>). Optionally you can specify an interval (after the path argument, using <code>strftime</code> format) for continuous creation of the BGP table output.</p>
<h3 id="parsing-the-mrt-file"><a class="zola-anchor" href="#parsing-the-mrt-file" aria-label="Anchor link for: parsing-the-mrt-file">Parsing the MRT file</a></h3>
<p>The first tool that comes up in search is <a rel="noopener noreferrer external" target="_blank" href="https://github.com/RIPE-NCC/bgpdump">RIPENCC/bgpdump</a> (however the version in <code>nixpkgs</code> was not built for <code>aarch64-darwin</code> at the time).</p>
<p>I ran into <a rel="noopener noreferrer external" target="_blank" href="https://github.com/bgpkit/monocle">bgpkit/monocle</a> as well, so I used that.</p>
<h4 id="example-usage"><a class="zola-anchor" href="#example-usage" aria-label="Anchor link for: example-usage">Example usage</a></h4>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">monocle</span><span class="z-string"> parse</span><span class="z-string"> ./routes-mrt</span><span class="z-punctuation z-definition z-comment"> #</span><span class="z-comment"> Prints all routes</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">monocle</span><span class="z-string"> parse</span><span class="z-string"> -</span><span class="z-string">j</span><span class="z-keyword z-operator z-keyword"> <</span><span class="z-string">peer_I</span><span>P</span><span class="z-keyword z-operator z-keyword">></span><span class="z-string"> ./routes-mrt</span><span class="z-punctuation z-definition z-comment"> #</span><span class="z-comment"> Prints routes from a chosen peer</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">monocle</span><span class="z-string"> parse</span><span class="z-string"> -</span><span class="z-string">o</span><span class="z-constant z-numeric"> 13335</span><span class="z-string"> ./routes-mrt</span><span class="z-punctuation z-definition z-comment"> #</span><span class="z-comment"> Prints routes from a chosen origin ASN</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">monocle</span><span class="z-string"> parse</span><span class="z-string"> -</span><span class="z-string">C</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> "</span><span class="z-string z-quoted z-double z-shell z-string">13335:*</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">"</span><span class="z-string"> ./routes-mrt</span><span class="z-punctuation z-definition z-comment"> #</span><span class="z-comment"> Prints routes containing BGP communities starting with 13335</span></span></code></pre><h4 id="useful-flags"><a class="zola-anchor" href="#useful-flags" aria-label="Anchor link for: useful-flags">Useful flags</a></h4>
<ul>
<li><code>--format=json</code> will print the data in JSON, as the default is a pipe (<code>|</code>) separated table.</li>
</ul>
<h4 id="creating-an-nvue-configuration-from-mrt-file"><a class="zola-anchor" href="#creating-an-nvue-configuration-from-mrt-file" aria-label="Anchor link for: creating-an-nvue-configuration-from-mrt-file">Creating an NVUE configuration from MRT file</a></h4>
<p>This command will print routes from peer <code>192.0.2.1</code> and then turn them into an <code>nv</code> command that will add the routes as static in the routing table of VRF <code>TEST</code>.</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">monocle</span><span class="z-string"> parse</span><span class="z-string"> -</span><span class="z-string">j</span><span class="z-constant z-numeric"> 192.0.2.1</span><span class="z-string"> routes-mrt</span><span class="z-string"> -</span><span class="z-string">-format</span><span class="z-string"> json</span><span class="z-keyword z-operator z-keyword"> |</span><span class="z-entity z-name z-function z-entity z-name"> jq</span><span class="z-string"> -</span><span class="z-string">-raw-output</span><span class="z-punctuation z-definition z-string z-begin z-shell z-punctuation"> '</span><span class="z-string z-quoted z-single z-shell z-string">"nv set vrf TEST router static \(.prefix) via blackhole"</span><span class="z-punctuation z-definition z-string z-end z-shell z-punctuation">'</span></span></code></pre>
<p><code>--raw-output</code> is used because <code>jq</code> prints results with double quotes by default, which is not recognized as a command in Cumulus.</p>
Figuring out APC NMC2 DHCP issues
2026-03-01T00:00:00+00:00
2026-03-01T00:00:00+00:00
Unknown
https://franta.us/blog/apc-nmc2-dhcp-issues/
<p><strong>TL;DR:</strong> <mark>Make sure the UPS's own firewall is not interfering.</mark></p>
<p>I've recently obtained an <strong>APC SMT1000RM2U</strong> UPS with an NMC2 card. The issue I've ran into was that plugging the NMC2 card in my network quickly resulted in depleted DHCP leases in any subnet I tried. First I suspected the problem was caused by settings from the previous owner (sort of right), so I attempted to factory reset the card/UPS using the front panel. Sadly that did not work as it only seems to have reset some things, but not actually any important information from the card/UPS.</p>
<p>Another reason I thought that the DHCP issues were happening was because some <a rel="noopener noreferrer external" target="_blank" href="https://web.archive.org/web/20260113191146/https://www.se.com/us/en/faqs/FA156064/">APC guides say you need to set a special cookie</a> when sending <code>DHCP OFFER</code> messages. However when I added that option in my KEA DHCP server, it still showed same behavior. Also my UPS was on firmware 6.x.x which seems to not need the cookie anyways, but wanted to try it just in case.</p>
<p>At this point I realized I needed to connect to the serial console port on the NMC2. This is a 2.5mm "jack" that you may recognize from balanced audio outputs. After obtaining first a cable that had a 3.5mm jack on the end, then getting one with a 2.5mm jack and a USB-A port with a built-in serial converter (and them both not working), I caved and got the APC OEM cable (model 940-0299A). This one worked immediately and I could finally log-in over console and see what was up.</p>
<p>I first tried to set a static IP on the UPS using the <code>tcpip</code> command (which is something I've done from the front panel as well and the following behavior should have tipped me off) and tried to ping the IP. It did not work and after digging through the available commands, I realized why. It seems that the previous owner set a firewall on the NMC2 card in such a way that <code>DHCP OFFER</code> messages couldn't be <code>ACK</code>'d. I remedied that by turning the firewall off using <code>firewall -S disable</code>. After that, I could ping the IP of the UPS and it could finally receive a DHCP lease correctly.
I'm wondering if this UPS had a public IP at any point in its life and that was the only way for it to be <em>"safe"</em>. My plans for the management for this UPS are to be completely local, which I'll probably achieve by just not giving it a gateway (and by extension the IPv6 router in its subnet won't advertise a default route to it either).</p>
<h2 id="additional-notes-about-the-ups"><a class="zola-anchor" href="#additional-notes-about-the-ups" aria-label="Anchor link for: additional-notes-about-the-ups">Additional notes about the UPS</a></h2>
<h3 id="setting-an-ip-using-the-arp-method"><a class="zola-anchor" href="#setting-an-ip-using-the-arp-method" aria-label="Anchor link for: setting-an-ip-using-the-arp-method">Setting an IP using the ARP method</a></h3>
<p>Apparently you can set an IP using an <code>arp</code> command. First use it to set a static IP on your host, then ping the IP with a byte-specific <code>ping</code> command to set it on the NMC2. This did not work, most likely due to the firewall.</p>
<h3 id="password-reset"><a class="zola-anchor" href="#password-reset" aria-label="Anchor link for: password-reset">Password reset</a></h3>
<ol>
<li>Open a serial console to the NMC2 card.</li>
<li>Press the reset button on the NMC2. The flashing light on the RJ45 port will stop flashing.</li>
<li>After 5-7 seconds the light on the RJ45 port will start flashing rapidly, press the reset button again when it happens.</li>
<li>You now have 30 seconds to log-in over the serial console connection using <code>apc:apc</code>.</li>
</ol>
<h3 id="ssh-connection-settings"><a class="zola-anchor" href="#ssh-connection-settings" aria-label="Anchor link for: ssh-connection-settings">ssh connection settings</a></h3>
<p>The <code>ssh</code> server version on the NMC2 is obviously ancient, so these settings need to be passed when connecting (using an OpenSSH client version 10.2):</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">ssh</span><span class="z-string"> apc@apc-pdu01</span><span class="z-string"> -</span><span class="z-string">o</span><span class="z-string"> HostKeyAlgorithms=+ssh-rsa</span><span class="z-string"> -</span><span class="z-string">o</span><span class="z-string"> Ciphers=+aes256-cbc</span></span></code></pre>
PXE Boot Talos Linux
2024-04-22T00:00:00+00:00
2024-04-22T00:00:00+00:00
Franta Bartik
https://franta.us/blog/pxe-boot-talos/
<p>This assumes you are using an OPNSense firewall/router.
Procedure taken from <a rel="noopener noreferrer external" target="_blank" href="https://forum.opnsense.org/index.php?PHPSESSID=56j44inj9mdmeblhnbmcatnvkk&topic=25003.0">the OPNSense forum</a> and <a rel="noopener noreferrer external" target="_blank" href="https://wiki.archlinux.org/title/syslinux">syslinux Arch wiki page</a>.
Use this for smaller ISOs (100 MB or less), if you don't want to wait for a long time at each boot.
I'm sure a better and more efficient way to boot Talos over network works with <code>syslinux</code>, but this is my first try that has worked. I still need to streamline it for booting it automatically without a prompt.</p>
<h2 id="opnsense-setup"><a class="zola-anchor" href="#opnsense-setup" aria-label="Anchor link for: opnsense-setup">OPNSense setup</a></h2>
<ol>
<li>Install <code>os-tftp</code> package. Start TFTP server and bind it to an IP. In the WebGUI, it's in <strong>Services > TFTP.</strong></li>
<li>SSH into OPNSense and create directory <code>/usr/local/tftp</code> (will need sudo privileges).</li>
<li>Create directory <code>pxelinux.cfg</code> and a file <code>pxelinux.cfg/default.</code><pre class="giallo z-code"><code data-lang="plain"><span class="giallo-l"><span>DEFAULT vesamenu.c32</span></span>
<span class="giallo-l"><span>PROMPT 0</span></span>
<span class="giallo-l"><span>MENU TITLE PXE Boot Menu (Main)</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>LABEL linux</span></span>
<span class="giallo-l"><span> MENU LABEL Linux</span></span>
<span class="giallo-l"><span> KERNEL vesamenu.c32</span></span>
<span class="giallo-l"><span> APPEND pxelinux.cfg/linux</span></span></code></pre></li>
<li>Create file <code>pxelinux.cfg/linux</code>.
(NOTE: I wanted to boot Talos Linux, so I put the <code>.iso</code> in the <code>/usr/local/tftp</code> directory.)<pre class="giallo z-code"><code data-lang="plain"><span class="giallo-l"><span>MENU TITLE PXE Boot Menu (Linux)</span></span>
<span class="giallo-l"></span>
<span class="giallo-l"><span>LABEL main-menu</span></span>
<span class="giallo-l"><span> MENU LABEL Main Menu</span></span>
<span class="giallo-l"><span> KERNEL vesamenu.c32</span></span>
<span class="giallo-l"><span> APPEND pxelinux.cfg/default</span></span>
<span class="giallo-l"><span>LABEL talos-iso</span></span>
<span class="giallo-l"><span> MENU LABEL Boot Talos 1.7 ISO (PXE)</span></span>
<span class="giallo-l"><span> KERNEL memdisk</span></span>
<span class="giallo-l"><span> INITRD ../talos.iso</span></span>
<span class="giallo-l"><span> APPEND iso</span></span></code></pre><code>memdisk</code> is what allows booting ISOs.</li>
<li>For OPNSense 24.x (which is based on FreeBSD 13), you'll need to manually download the syslinux binary.
<ol>
<li><code>cd</code> to <code>/tmp</code></li>
<li>Download the binary:<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">wget</span><span class="z-string"> https://pkg.freebsd.org/FreeBSD:13:amd64/latest/All/syslinux-6.03_1.pkg</span></span></code></pre></li>
<li>Extract it:<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> tar</span><span class="z-string"> -</span><span class="z-string">C</span><span class="z-string"> /tmp/syslinux</span><span class="z-string"> -</span><span class="z-string">xvf</span><span class="z-string"> syslinux-6.03_1.pkg</span></span></code></pre></li>
<li>Move the necessary files to <code>/usr/local/tftp</code> directory:<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/core/lpxelinux.0</span><span class="z-string"> /usr/local/tftp/pxelinux.0</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/com32/elflink/ldlinux/ldlinux.c32</span><span class="z-string"> /usr/local/tftp/</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/com32/menu/vesamenu.c32</span><span class="z-string"> /usr/local/tftp/</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/com32/lib/libcom32.c32</span><span class="z-string"> /usr/local/tftp/</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/com32/libutil/libutil.c32</span><span class="z-string"> /usr/local/tftp/</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/com32/modules/pxechn.c32</span><span class="z-string"> /usr/local/tftp/</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">sudo</span><span class="z-string"> cp</span><span class="z-string"> /tmp/syslinux/usr/local/share/syslinux/bios/memdisk/memdisk</span><span class="z-string"> /usr/local/tftp/</span></span></code></pre></li>
</ol>
</li>
<li>In the same subnet as you bound the TFTP to, set up the DHCP settings. You will need the TFTP server address and the bootfile (<code>pxelinux.0</code> for syslinux).</li>
</ol>
Proxmox Console Redirect with systemd-boot bootloader
2024-03-27T00:00:00+00:00
2024-03-27T00:00:00+00:00
Franta Bartik
https://franta.us/blog/proxmox-console-redirect/
<h2 id="how-to-setup-proxmox-to-redirect-console"><a class="zola-anchor" href="#how-to-setup-proxmox-to-redirect-console" aria-label="Anchor link for: how-to-setup-proxmox-to-redirect-console">How to setup Proxmox to redirect console</a></h2>
<p>This is an example that works on my Dell Poweredge R630 and will probably work on many other servers (provided they use the same serial settings, like baud rate 115200).</p>
<h3 id="prerequisites"><a class="zola-anchor" href="#prerequisites" aria-label="Anchor link for: prerequisites">Prerequisites</a></h3>
<ol>
<li>Your server is using <code>systemd-boot</code> (and not GRUB).
<ul>
<li>This is easy to check in the OS, like this:</li>
</ul>
</li>
</ol>
<!--listend-->
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> efibootmgr</span><span class="z-string"> -</span><span class="z-string">v</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">BootCurrent:</span><span class="z-string"> 000A</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">BootOrder:</span><span class="z-string"> 000A,0008,0007,0009,0005</span></span>
<span class="giallo-l"><span class="z-punctuation">[</span><span>SNIP</span><span class="z-punctuation">]</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Boot0007*</span><span class="z-string"> EFI</span><span class="z-string"> DVD/CDROM</span><span class="z-constant z-numeric"> 1</span><span class="z-string"> PciRoot</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">0x0</span><span class="z-punctuation">)</span><span class="z-string">/Pci</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">0x1f,0x2</span><span class="z-punctuation">)</span><span class="z-string">/Sata</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">5,0,0</span><span class="z-punctuation">)</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Boot0008*</span><span class="z-string"> Linux</span><span class="z-string"> Boot</span><span class="z-string"> Manager</span><span class="z-string"> HD</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">2,GPT,</span><span><SNIP></span><span class="z-punctuation">)</span><span class="z-string">/File</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">\EFI\systemd\systemd-bootx64.efi</span><span class="z-punctuation">)</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Boot0009*</span><span class="z-string"> Integrated</span><span class="z-string"> NIC</span><span class="z-constant z-numeric"> 1</span><span class="z-string"> Port</span><span class="z-constant z-numeric"> 1</span><span class="z-string"> Partition</span><span class="z-constant z-numeric"> 1</span><span class="z-string"> VenHw</span><span class="z-punctuation">(</span><span class="z-keyword z-operator z-keyword"><</span><span>SNIP</span><span class="z-keyword z-operator z-keyword">></span><span class="z-punctuation">)</span></span>
<span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">Boot000A*</span><span class="z-string"> Linux</span><span class="z-string"> Boot</span><span class="z-string"> Manager</span><span class="z-string"> HD</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">2,GPT,</span><span><SNIP></span><span class="z-punctuation">)</span><span class="z-string">/File</span><span class="z-punctuation">(</span><span class="z-entity z-name z-function z-entity z-name">\EFI\systemd\systemd-bootx64.efi</span><span class="z-punctuation">)</span></span></code></pre>
<p>You can see that the system is using the <code>\EFI\systemd\systemd-bootx64.efi</code> file to boot the system. My system is using UEFI but it should not matter for this setup, Legacy BIOS should work as well.</p>
<h3 id="procedure"><a class="zola-anchor" href="#procedure" aria-label="Anchor link for: procedure">Procedure</a></h3>
<ol>
<li>Find the file to edit for <code>systemd-boot</code> options. On Proxmox, it's in <code>/etc/kernel/cmdline</code>.</li>
<li>Insert <code>console=ttyS0,115200n8</code> into the file, keeping it a one-line if you already have options in there. My example:</li>
</ol>
<!--listend-->
<pre class="giallo z-code"><code data-lang="plain"><span class="giallo-l"><span>root=ZFS=rpool/ROOT/pve-1 boot=zfs console=ttyS0,115200n8</span></span></code></pre>
<ol>
<li>Update the bootloader settings. You will need root privilege for this.<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">$</span><span class="z-string"> proxmox-boot-tool</span><span class="z-string"> refresh</span></span></code></pre></li>
<li>Reboot the system.</li>
</ol>
<h3 id="result"><a class="zola-anchor" href="#result" aria-label="Anchor link for: result">Result</a></h3>
<p>You can see if this has worked by opening the serial console on the server. On Dell servers you can <code>ssh</code> into the iDRAC and run this command:</p>
<pre class="giallo z-code"><code data-lang="shellscript"><span class="giallo-l"><span class="z-entity z-name z-function z-entity z-name">/admin1-</span><span>></span><span class="z-string"> console</span><span class="z-string"> com2</span></span></code></pre>
<p>After the reboot and the kernel selection screen, you should see your OS boot and get you to the login prompt.</p>