This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Deploying SUSE Linux Micro using Raw Disk Images on Virtual Machines
SUSE Linux Micro 6.2

Publication Date: 24 Oct 2025
WHAT?

SUSE Linux Micro provides raw images—also referred to as pre-built images—that can be directly deployed to your virtual machine.

WHY?

Virtualized deployment saves hardware resources.

EFFORT

It takes approximately 20 minutes to read the article.

GOAL

SUSE Linux Micro is successfully deployed to a virtual machine.

REQUIREMENTS
  • A VM Host Server with libvirt and a KVM virtualization environment installed and running.

  • Minimum of 32 GB of disk space for deployment of the image.

  • Optionally, a configuration medium, for example, a USB flash disk.

1 About pre-built images

Pre-built images are ready-to-use representations of a running operating system. They are not installed in a traditional way using an installer, but copied to the hard disk of the target host. The topic covers basic information about these pre-built images.

The pre-built images are intended to be configured on the first boot by using tools delivered in the images. The boot loader detects the first boot as described in Section 1.1, “First boot detection”.

1.1 First boot detection

The deployment configuration runs on the first boot only. To distinguish between the first and subsequent boots, the system checks for the file /etc/machine-id: if the file is not present in the file system, the system assumes that this is the first boot and triggers the configuration process. After the first boot completes, the /etc/machine-id file is created.

Note: The /etc/machine-id file is always created

Even though the configuration may not be successful because of improper or missing configuration files, the /etc/machine-id file is created.

1.1.1 Force system reconfiguration on a subsequent boot

If you need to reconfigure your system after the first boot has happened, you can force the reconfiguration on a subsequent boot. You have two options.

  • You can pass the ignition.firstboot or combustion.firstboot attribute to the kernel command line.

  • You can delete the file /etc/machine-id and reboot the system.

2 Preparing the configuration device

Important: SSH login

By default, root SSH login in SUSE Linux Micro is permitted only by using the SSH key. We recommend creating an unprivileged user during the deployment process that you can use to access the installed system. You can create an unprivileged user account on the first boot by using either the Combustion or Ignition tool. Creating an unprivileged user during system deployment is useful for accessing the Cockpit Web interface as well.

To prepare the configuration device, proceed as follows:

Procedure 1: Preparing the configuration device
  1. Format the disk to any file system supported by SUSE Linux Micro: Ext3, Ext4, etc.:

    > sudo mkfs.ext4 /dev/sdY
  2. Set the device label to either ignition (when either Ignition or Combustion is used) or combustion (when only Combustion is used). If needed (for example, on a Windows host), use uppercase letters for the labels. To label the device, run:

    > sudo e2label /dev/sdY ignition

    You can use any type of configuration storage media that your virtualization system or your hardware supports: an ISO image, a USB flash disk, etc.

  3. Mount the device:

    > sudo mount /dev/sdY /mnt
  4. Create the directory structure as mentioned in Section 2.1.1.1, “config.ign” or Section 2.2, “Configuring SUSE Linux Micro deployment with Combustion”, depending on the configuration tool used:

    > sudo mkdir -p /mnt/ignition/

    or:

    > sudo mkdir -p /mnt/combustion/
  5. Prepare all elements of the configuration that will be used by Ignition or Combustion.

2.1 Configuring SUSE Linux Micro deployment with Ignition

Ignition is a provisioning tool that enables you to configure a system according to your specification on the first boot.

2.1.1 How does Ignition work?

When the system is booted for the first time, Ignition is loaded as part of an initramfs and searches for a configuration file within a specific directory (on a USB flash disk, or you can provide a URL). All changes are performed before the kernel switches from the temporary file system to the real root file system (before the switch_root command is issued).

Ignition uses a configuration file in the JSON format named config.ign. You can either write the configuration manually or use the Fuel Ignition Web application at https://ignite.opensuse.org to generate it.

Important

Fuel Ignition does not cover the complete Ignition vocabulary yet, and the resulting JSON file may need additional manual tweaking.

2.1.1.1 config.ign

If you intend to configure a QEMU/KVM virtual machine, provide the path to config.ign as an attribute of the qemu command. For example:

    -fw_cfg name=opt/com.coreos/config,file=PATH_TO_config.ign

When configuring a virtual machine with Virtual Machine Manager (libvirt), provide the path to the config.ign file in its XML definition, for example:

<domain ... >
  <sysinfo type="fwcfg">
    <entry name="opt/com.coreos/config" file="/location/to/config.ign"/>
  </sysinfo>
</domain>

Alternatively, when using libvirt, you can provide the path as an option to the virt-install command:

--sysinfo type=fwcfg,entry0.name="opt/com.coreos/config",entry0.file="PATH_TO_config.ign"

The config.ign contains multiple data types: objects, strings, integers, booleans and lists of objects. For a complete specification, refer to Ignition specification v3.3.0.

The version attribute is mandatory and in case of SUSE Linux Micro, its value must be set either to 3.4.0 or to any lower version. Otherwise, Ignition will fail.

To log in to your system as root, you must at least include a password for root. However, it is recommended to establish access via SSH keys. To configure a password, make sure to use a secure one. If you use a randomly generated password, use at least 10 characters. If you create your password manually, use even more than 10 characters and combine uppercase and lowercase letters and numbers.

2.1.2 Ignition configuration examples

This section provides several examples of the Ignition configuration in the built-in JSON format.

Note: The version attribute is mandatory

Each config.ign must include a version attribute set to 3.4.0 or lower; the configuration is then converted to the corresponding Ignition specification.

2.1.2.1 Default partitioning

Each image has the following subvolumes:

/home
/root
/opt
/srv
/usr/local
/var

The /etc directory is mounted as overlayFS, where the upper directory is mounted to /var/lib/overlay/1/etc/.

You can recognize the subvolumes mounted by default by the option x-initrd.mount in /etc/fstab. Other subvolumes or partitions must be configured either by Ignition or Combustion.

If you want to add a new user or modify any of the files on a subvolume that is not mounted by default, you need to declare such subvolume first so that it is mounted as well.

2.1.2.2 Storage configuration

The storage attribute is used to configure partitions, RAID, define file systems, create files, etc. To define partitions, use the disks attribute. The filesystems attribute is used to format partitions. The files attribute can be used to create files in the file system.

The example below configures four partitions, including a dedicated swap partition, and creates a file system on each partition.

{
  "ignition": {
    "version": "3.0.0"
  },
  "storage": {
    "disks": [
      {
        "device": "/dev/vda",
        "partitions": [
          {
            "label": "root",
            "number": 1,
            "sizeMiB": 30720
          },
          {
            "label": "boot",
            "number": 2,
            "sizeMiB": 8720
          },
          {
            "label": "swap",
            "number": 3,
            "sizeMiB": 4096
          },
          {
            "label": "home",
            "number": 4,
            "sizeMiB": 30720
          }
        ],
        "wipeTable": true
      }
    ],
    "filesystems": [
      {
        "device": "/dev/disk/by-partlabel/root",
        "format": "btrfs",
        "label": "root"
      },
      {
        "device": "/dev/disk/by-partlabel/swap",
        "format": "swap",
        "label": "swap"
      },
      {
        "device": "/dev/disk/by-partlabel/boot",
        "format": "btrfs",
        "label": "boot"
      },
      {
        "device": "/dev/disk/by-partlabel/home",
        "format": "ext4",
        "label": "home"
      }
    ]
  }
}

Each of the mentioned attributes is described in the following sections.

2.1.2.2.1 The disks attribute

The disks attribute is a list of devices that enables you to define partitions on these devices. The disks attribute must contain at least one device; other attributes are optional. Keep in mind that at least the root and boot partitions (and swap, if configured) need to be formatted to bear a file system.

The following example uses a single virtual device and divides the disk into four partitions:

...
  "storage": {
    "disks": [
      {
        "device": "/dev/vda",
        "partitions": [
          {
            "label": "root", 1
            "number": 1, 2
            "sizeMiB": 30720 3
          },
          {
            "label": "boot",
            "number": 2,
            "startMiB": 30720, 4
            "sizeMiB": 8720
          },
          {
            "label": "swap",
            "number": 3,
            "sizeMiB": 4096
          },
          {
            "label": "home",
            "number": 4,
            "sizeMiB": 30720
          }
        ],
        "wipeTable": true        
      }
    ]
   ...

1

The partition identification. Depending on the partition file system, it can have up to 16 characters for EXT-type file systems and 256 characters in the case of Btrfs.

2

The position of the partition in the partition table. If set to 0, the next free position is used.

3

The size of the partition in MiB.

4

Identifies the starting point of the particular partition.

2.1.2.2.2 The raid attribute

The raid attribute is a list of RAID arrays. The following attributes of raid are mandatory:

level

a level of the particular RAID array (linear, raid0, raid1, raid2, raid3, raid4, raid5, raid6)

devices

a list of devices in the array referenced by their absolute paths

name

a name that will be used for the md device

For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "storage": {
    "raid": [
      {
        "devices": [
          "/dev/sda",
          "/dev/sdb"
        ],
        "level": "raid1",
        "name": "system"
      }
    ]
  }
}
2.1.2.2.3 The filesystems attribute

Note: Ignition does not perform modifications to mount units

The filesystems attribute does not modify mount units. If you add a new partition or remove an existing partition, you must manually adjust the mount units.

Important: Certain directories must reside on the same partition as /

When changing partitioning, do not place the following directories on a different partition than the root file system: /boot, /usr, /etc, /dev.

The filesystems attribute must contain the following attributes:

device

the absolute path to the device, typically /dev/sda in case of physical disk

format

the file system format (btrfs, ext4, ext3, xfs, vfat or swap)

Note

In case of SUSE Linux Micro, the root file system must be formatted to Btrfs.

The following example demonstrates using the filesystems attribute. The /opt directory will be mounted to the /dev/sda1 partition, which is formatted to Btrfs. The device will not be erased:

{
  "ignition": {
    "version": "3.0.0"
  },
  "storage": {
    "filesystems": [
      {
        "device": "/dev/sda1",
        "format": "btrfs",
        "path": "/opt",
        "wipeFilesystem": false
      }
    ]
  }
}

Normally, a regular user's home directory is located in the /home/USER_NAME directory. Since /home is not mounted by default in the initrd, the mount has to be explicitly defined for the user creation to succeed:

{
  "ignition": {
    "version": "3.1.0"
  },
  "passwd": {
    "users": [
      {
        "name": "root",
        "passwordHash": "PASSWORD_HASH",
        "sshAuthorizedKeys": [
          "ssh-rsa SSH_KEY_HASH"
        ]
      }
    ]
  },
  "storage": {
    "filesystems": [
      {
        "device": "/dev/sda3",
        "format": "btrfs",
        "mountOptions": [
          "subvol=/@/home"
        ],
        "path": "/home",
        "wipeFilesystem": false
      }
    ]
  }
}

2.1.2.2.4 The files attribute

You can use the files attribute to create any files on your machine. Bear in mind that to create files outside the default partitioning schema, you need to define the directories by using the filesystems attribute.

In the following example, a host name is created by using the files attribute. The file /etc/hostname will be created with the sl-micro1 host name:

Important

Keep in mind that JSON accepts file modes as decimal numbers, for example, 420 (the octal mode 0644).

JSON:

{
  "ignition": {
    "version": "3.0.0"
  },
  "storage": {
    "files": [
      {
        "overwrite": true,
        "path": "/etc/hostname",
        "contents": {
          "source": "data:,sl-micro1"
        },
        "mode": 420
      }
    ]
  }
}

2.1.2.2.5 The directories attribute

The directories attribute is a list of directories that will be created in the file system. The directories attribute must contain at least one path attribute.

For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "storage": {
    "directories": [
      {
        "path": "/home/tux",
        "user": {
          "name": "tux"
        }
      }
    ]
  }
}

2.1.2.3 Users administration

The passwd attribute is used to add users. As some services, such as Cockpit, require login using a non-root user, define at least one unprivileged user here. Alternatively, you can create such a user from a running system as described in Section 5.3, “Adding users”.

To log in to your system, create root and a regular user and set their passwords. You need to hash the passwords, for example, by using the openssl command:

openssl passwd -6

The command creates a hash of the password you chose. Use this hash as the value of the passwordHash attribute.

For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "passwd": {
    "users": [
      {
        "name": "root",
        "passwordHash": "PASSWORD_HASH",
        "sshAuthorizedKeys": [
          "ssh-rsa SSH_KEY_HASH USER@HOST"
        ]
      }
    ]
  }
}

The users attribute must contain at least one name attribute. sshAuthorizedKeys is a list of SSH public keys for the user.
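The rules stated in this section and the preceding ones (a version attribute of 3.4.0 or lower, a Btrfs root file system, decimal file modes, a mounted /home before a regular user can be created, and a passwordHash or SSH key for every user) are easy to violate in hand-written JSON, and Ignition only reports the failure on the first boot. The following checker, an example added to this page and not part of the article, of Ignition or of Fuel Ignition, runs those checks offline against a config.ign before it is copied to the configuration device. The function names and the two sample configurations are the example's own, and the password hash and SSH key in them are constructed dummy values.

```python
"""Offline sanity checks for a config.ign, encoding the rules this article
states for SUSE Linux Micro.  Added example for this page: it is not part
of the article, of Ignition or of Fuel Ignition, and the function names
are the author's own."""
import json
import re

MAX_SPEC_VERSION = (3, 4, 0)          # article: version 3.4.0 or lower
SHA512_CRYPT = re.compile(r"^\$6\$")  # what `openssl passwd -6` produces


def parse_version(text):
    """Turn '3.4.0' into (3, 4, 0); reject anything that is not MAJOR.MINOR.PATCH."""
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed ignition.version {text!r}")
    return tuple(int(p) for p in parts)


def lint_ignition(raw):
    """Return the list of problems found in the JSON text `raw`; [] means OK."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"config.ign is not valid JSON: {exc}"]
    problems = []

    # 1. ignition.version is mandatory and must not exceed 3.4.0
    version = cfg.get("ignition", {}).get("version")
    if version is None:
        problems.append("ignition.version is missing")
    else:
        try:
            if parse_version(version) > MAX_SPEC_VERSION:
                problems.append(f"ignition.version {version} is newer than 3.4.0")
        except ValueError as exc:
            problems.append(str(exc))

    storage = cfg.get("storage", {})
    filesystems = storage.get("filesystems", [])
    mounted = {fs.get("path") for fs in filesystems}

    # 2. the root file system must be Btrfs
    for fs in filesystems:
        if (fs.get("label") == "root" or fs.get("path") == "/") and fs.get("format") != "btrfs":
            problems.append("root file system must be formatted to btrfs")

    # 3. file modes are decimal integers (420 is octal 0644), never strings
    for entry in storage.get("files", []):
        mode = entry.get("mode")
        if mode is not None and not isinstance(mode, int):
            problems.append(f"{entry.get('path')}: mode must be a decimal integer, got {mode!r}")

    # 4. every user needs a credential; non-root users need /home mounted
    for user in cfg.get("passwd", {}).get("users", []):
        name = user.get("name", "?")
        pw_hash = user.get("passwordHash")
        keys = user.get("sshAuthorizedKeys", [])
        if not pw_hash and not keys:
            problems.append(f"user {name}: neither passwordHash nor sshAuthorizedKeys set")
        if pw_hash and not SHA512_CRYPT.match(pw_hash):
            problems.append(f"user {name}: passwordHash is not SHA-512 crypt (openssl passwd -6)")
        if name != "root" and "/home" not in mounted:
            problems.append(f"user {name}: /home is not declared in storage.filesystems")
    return problems


# Constructed sample configs (not from the article); hash and key are dummy values.
GOOD_CONFIG = json.dumps({
    "ignition": {"version": "3.4.0"},
    "passwd": {"users": [
        {"name": "root", "sshAuthorizedKeys": ["ssh-ed25519 AAAA_CONSTRUCTED_KEY root@admin"]},
        {"name": "tux", "passwordHash": "$6$constructedsalt$CONSTRUCTED_HASH_VALUE"},
    ]},
    "storage": {
        "filesystems": [{"device": "/dev/vda3", "format": "btrfs", "path": "/home",
                         "mountOptions": ["subvol=/@/home"], "wipeFilesystem": False}],
        "files": [{"path": "/etc/hostname", "overwrite": True, "mode": 420,
                   "contents": {"source": "data:,sl-micro1"}}],
    },
})
BAD_CONFIG = json.dumps({
    "ignition": {"version": "3.5.0"},
    "passwd": {"users": [{"name": "root"},
                         {"name": "tux", "passwordHash": "$6$constructedsalt$CONSTRUCTED_HASH_VALUE"}]},
    "storage": {
        "filesystems": [{"device": "/dev/disk/by-partlabel/root", "format": "ext4", "label": "root"}],
        "files": [{"path": "/etc/hostname", "mode": "0644", "contents": {"source": "data:,sl-micro1"}}],
    },
})

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_ignition(cfg) or "OK")
```

Run it as `python3 lint_ignition.py`, or call `lint_ignition(open("config.ign").read())` from your own tooling; an empty list means none of the article's rules is violated, which is a cheaper check than discovering the problem on the first boot of a fresh VM.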

2.1.2.4 Enabling systemd services

You can enable systemd services by specifying them in the systemd attribute.

For example:

{
  "ignition": {
    "version": "3.0.0"
  },
  "systemd": {
    "units": [
      {
        "enabled": true,
        "name": "sshd.service"
      }
    ]
  }
}

2.2 Configuring SUSE Linux Micro deployment with Combustion

Combustion is a dracut module that enables you to configure your system on the first boot. You can use Combustion, for example, to change the default partitions, set user passwords, create files, or install packages.

2.2.1 How does Combustion work?

Combustion is invoked after the ignition.firstboot argument is passed to the kernel command line. Combustion reads a provided file named script, executes included commands, and thus performs changes to the file system. If script includes the network flag, Combustion tries to configure the network. After /sysroot is mounted, Combustion tries to activate all mount points in /etc/fstab and then calls transactional-update to apply other changes, for example, setting root password or installing packages.

If you intend to configure a QEMU/KVM virtual machine, provide the path to script as an attribute of the qemu command. For example:

-fw_cfg name=opt/org.opensuse.combustion/script,file=PATH_TO_script

When configuring a virtual machine with Virtual Machine Manager (libvirt), provide the path to the script file in its XML definition, for example:

<domain ... >
  <sysinfo type="fwcfg">
    <entry name="opt/org.opensuse.combustion/script" file="/location/of/script"/>
  </sysinfo>
</domain>

Alternatively, when using libvirt, you can provide the path as an option to the virt-install command:

--sysinfo type=fwcfg,entry0.name="opt/org.opensuse.combustion/script",entry0.file="PATH_TO_script"

Tip: Using Combustion together with Ignition

Combustion can be used along with Ignition. If you intend to do so, label your configuration medium ignition and include the ignition directory with the config.ign to your directory structure as shown below:

<root directory>
├── combustion
│   ├── script
│   └── other files
└── ignition
    └── config.ign

In this scenario, Ignition runs before Combustion.

2.2.2 Combustion configuration examples

2.2.2.1 The script configuration file

The script configuration file is a set of commands that are parsed and executed by Combustion in a transactional-update shell. This article provides examples of configuration tasks performed by Combustion.

Tip: Use Fuel Ignition to generate the Combustion script

To create the Combustion script, you can use the Fuel Ignition Web application. There you can select appropriate parameters and the application generates a Combustion script that you can download.

Important: Include interpreter declaration

As the script file is interpreted by the shell, always start the file with the interpreter declaration on its first line. For example, in case of Bash:

#!/bin/bash

To log in to your system, include at least the root password. However, it is recommended to establish the authentication using SSH keys. If you need to use a root password, make sure to configure a secure password. For a randomly generated password, use at least 10 characters. If you create your password manually, use even more than 10 characters and combine uppercase and lowercase letters and numbers.

2.2.2.1.1 Default partitioning

Each image has the following subvolumes:

/home
/root
/opt
/srv
/usr/local
/var

The /etc directory is mounted as overlayFS, where the upper directory is mounted to /var/lib/overlay/1/etc/.

You can recognize the subvolumes mounted by default by the option x-initrd.mount in /etc/fstab. Other subvolumes or partitions must be configured either by Ignition or Combustion.

If you want to add a new user or modify any of the files on a subvolume that is not mounted by default, you need to declare such subvolume first so that it is mounted as well.

2.2.2.1.2 Network configuration

To configure and use the network connection during the first boot, add the following statement to script:

# combustion: network

Using this statement passes the rd.neednet=1 argument to dracut. The network configuration defaults to using DHCP. If a different network configuration is needed, proceed as described in Section 2.2.2.1.3, “Performing modifications in the initramfs”.

If you do not use the statement, the system remains configured without any network connection.

2.2.2.1.3 Performing modifications in the initramfs

You may need to perform changes to the initramfs environment, for example, to write a custom network configuration for NetworkManager into /etc/NetworkManager/system-connections/. To do so, use the prepare statement.

For example, to create a connection with a static IP address and configure DNS:

#!/bin/bash
# combustion: network prepare
set -euxo pipefail

nm_config() {
  umask 077 # Required for NM config
  mkdir -p /etc/NetworkManager/system-connections/
  cat >/etc/NetworkManager/system-connections/static.nmconnection <<EOF
[connection]
id=static
type=ethernet
autoconnect=true

[ipv4]
method=manual
dns=192.168.100.1
address1=192.168.100.42/24,192.168.100.1
EOF
}

if [ "${1-}" = "--prepare" ]; then
  nm_config # Configure NM in the initrd
  exit 0
fi

# Redirect output to the console
exec > >(exec tee -a /dev/tty0) 2>&1

nm_config # Configure NM in the system
curl example.com

# Close outputs and wait for tee to finish
exec 1>&- 2>&-; wait;

# Leave a marker
echo "Configured with combustion" > /etc/issue.d/combustion

2.2.2.1.4 Waiting for the task to complete

Some processes may run in the background, for example, the tee process that redirects output to the terminal. To ensure that all running processes have completed before the script execution finishes, add the following line:

exec 1>&- 2>&-; wait;

2.2.2.1.5 Partitioning

SUSE Linux Micro raw images are delivered with a default partitioning scheme. You might want to use a different partitioning. The following set of example snippets moves the /home to a different partition.

Important: Certain directories must reside on the same partition as /

When changing partitioning, do not place the following directories on a different partition than the root file system: /boot, /usr, /etc, /dev.

Note: Performing changes outside of directories included in snapshots

The following script performs changes that are not included in snapshots. If the script fails and the snapshot is discarded, certain changes remain visible and cannot be reverted, for example, the changes to the /dev/vdb device.

The following snippet creates a GPT partitioning schema with a single partition on the /dev/vdb device:

sfdisk /dev/vdb <<EOF
label: gpt
type=linux
EOF
sleep 1

partition=/dev/vdb1

As the sfdisk command may take a longer time to complete, postpone the following steps by running the sleep command after sfdisk.

The partition is formatted to Btrfs:

wipefs --all ${partition}
mkfs.btrfs ${partition}

Any existing content of /home is moved to the new /home location by the following snippet:

mount /home
mount ${partition} /mnt
rsync -aAXP /home/ /mnt/
umount /home /mnt

The snippet below removes an old entry in /etc/fstab and creates a new entry:

awk -i inplace '$2 != "/home"' /etc/fstab
echo "$(blkid -o export ${partition} | grep ^UUID=) /home btrfs defaults 0 0" >>/etc/fstab

2.2.2.1.6 Creating new users

As some services, such as Cockpit, require login using a non-root user, define at least one unprivileged user here. Alternatively, you can create such a user from a running system as described in Section 5.3, “Adding users”.

To add a new user account, first create a hash string that represents the user's password. Use the openssl passwd -6 command.

After you obtain the password hash, add the following lines to the script:

mount /home
useradd -m EXAMPLE_USER
echo 'EXAMPLE_USER:PASSWORD_HASH' | chpasswd -e

2.2.2.1.7 Setting a password for root

Before you set the root password, generate a hash of the password, for example, by using the openssl passwd -6. To set the password, add the following line to the script:

echo 'root:PASSWORD_HASH' | chpasswd -e

2.2.2.1.8 Adding SSH keys

The following snippet creates a directory to store root's authorized SSH keys and then appends the public SSH key located on the configuration device to the authorized_keys file.

mkdir -pm700 /root/.ssh/
cat id_rsa_new.pub >> /root/.ssh/authorized_keys

Note

The SSH service must be enabled in case you need to use remote login via SSH. For details, refer to Section 2.2.2.1.9, “Enabling services”.

2.2.2.1.9 Enabling services

To enable system services, for example, the SSH service, add the following line to script:

systemctl enable sshd.service

2.2.2.1.10 Installing packages

Important: Network connection and registering your system may be necessary

As certain packages may require additional subscription, you may need to register your system beforehand. An available network connection may also be needed to install additional packages.

During the first boot configuration, you can install additional packages to your system. For example, you can install the vim editor by adding:

zypper --non-interactive install vim-small

Note

Bear in mind that you will not be able to use zypper after the configuration is complete and you boot to the configured system. To perform changes later, you must use the transactional-update command to create a changed snapshot.
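The Combustion sections above spell out several ordering and content rules for the script file: it must start with an interpreter declaration, it needs the network flag before it can install packages or download anything, /home must be mounted before useradd -m, passwords go in as hashes via chpasswd -e, a background tee must be waited for, and the medium is labeled ignition when an ignition/config.ign is present and combustion when only Combustion is used (Procedure 1 and the tip in Section 2.2.1). The checker below, an example added to this page and not part of the article or of Combustion, verifies those rules against a script and lays out the directory tree for the configuration device. The function names and both sample scripts are the example's own; the hash in them is a constructed dummy value.

```python
"""Offline checks for a Combustion `script` and the configuration-device tree
it ships in, encoding the rules this article states.  Added example for this
page: not part of the article or of Combustion; function names are the
author's own."""
import os
import re
import tempfile

FLAG_LINE = re.compile(r"^#\s*combustion:\s*(.*)$")
NEEDS_NETWORK = ("zypper ", "curl ", "transactional-update register")


def combustion_flags(script):
    """Flags declared in `# combustion: ...` comment lines (e.g. network, prepare)."""
    flags = set()
    for line in script.splitlines():
        match = FLAG_LINE.match(line.strip())
        if match:
            flags.update(match.group(1).split())
    return flags


def lint_combustion(script):
    """Return the list of problems found in the script text; [] means OK."""
    problems = []
    lines = script.splitlines()
    if not lines or not lines[0].startswith("#!"):
        problems.append("first line must be an interpreter declaration such as #!/bin/bash")
    flags = combustion_flags(script)
    # package installation and downloads need `# combustion: network` (rd.neednet=1)
    if "network" not in flags and any(cmd in script for cmd in NEEDS_NETWORK):
        problems.append("script uses the network but lacks '# combustion: network'")
    # `prepare` is pointless unless the script branches on --prepare
    if "prepare" in flags and "--prepare" not in script:
        problems.append("'prepare' flag set but the script never checks for --prepare")
    # 1-based line number of the first `mount /home`, if any
    mount_home = next((i for i, l in enumerate(lines, 1) if re.match(r"\s*mount\s+/home\b", l)), None)
    for i, line in enumerate(lines, 1):
        # chpasswd without -e expects a clear-text password, which would sit on the medium
        if "chpasswd" in line and not re.search(r"chpasswd\s+(-e|--encrypted)\b", line):
            problems.append(f"line {i}: chpasswd without -e takes a clear-text password")
        # /home is not mounted in the initrd, so useradd -m needs `mount /home` first
        if re.match(r"\s*useradd\b.*\s-m\b", line) and (mount_home is None or mount_home > i):
            problems.append(f"line {i}: useradd -m runs before 'mount /home'")
    # a background tee must be waited for before the script exits
    if "tee" in script and not re.search(r"\bwait\b", script):
        problems.append("output goes through tee but the script never calls wait")
    return problems


def build_medium(root, script, config_ign=None):
    """Create the article's directory layout under `root` and return the label the
    device must carry: 'ignition' when ignition/config.ign is present (Ignition
    runs first), otherwise 'combustion'."""
    os.makedirs(os.path.join(root, "combustion"), exist_ok=True)
    with open(os.path.join(root, "combustion", "script"), "w") as fh:
        fh.write(script)
    if config_ign is not None:
        os.makedirs(os.path.join(root, "ignition"), exist_ok=True)
        with open(os.path.join(root, "ignition", "config.ign"), "w") as fh:
            fh.write(config_ign)
        return "ignition"
    return "combustion"


# Constructed sample scripts; the hash is a dummy, not a real credential.
GOOD_SCRIPT = """#!/bin/bash
# combustion: network
set -euxo pipefail
exec > >(exec tee -a /dev/tty0) 2>&1
mount /home
useradd -m tux
echo 'tux:$6$constructedsalt$CONSTRUCTED_HASH_VALUE' | chpasswd -e
mkdir -pm700 /root/.ssh/
cat id_ed25519_new.pub >> /root/.ssh/authorized_keys
systemctl enable sshd.service
zypper --non-interactive install vim-small
echo "Configured with combustion" > /etc/issue.d/combustion
exec 1>&- 2>&-; wait;
"""
BAD_SCRIPT = """set -euxo pipefail
useradd -m tux
echo 'tux:ClearTextPassword' | chpasswd
zypper --non-interactive install vim-small
"""


def demo():
    """Lint both samples and lay out a Combustion-only and a combined medium."""
    with tempfile.TemporaryDirectory() as tmp:
        only = build_medium(os.path.join(tmp, "a"), GOOD_SCRIPT)
        both = build_medium(os.path.join(tmp, "b"), GOOD_SCRIPT, config_ign="{}")
    return lint_combustion(GOOD_SCRIPT), lint_combustion(BAD_SCRIPT), only, both


if __name__ == "__main__":
    print(demo())
```

Point `build_medium` at the mount point of the formatted device from Procedure 1 (for example /mnt) and run `lint_combustion` on the script first; the returned label tells you which value to pass to e2label. The clear-text check is the one worth keeping even if you drop the rest: the configuration device often outlives the deployment, so a password that is not hashed with `openssl passwd -6` stays readable on it.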

3 Preparing the virtual machine

This section describes how to prepare a new virtual machine and what steps to take to deploy SUSE Linux Micro on that machine.

  1. Download the SUSE Linux Micro disk image on the VM Host Server where you intend to run virtualized SUSE Linux Micro.

  2. Start Virtual Machine Manager and select File › New Virtual Machine.

  3. Select Import existing disk image. Confirm with Forward.

  4. Specify the path to the SUSE Linux Micro disk image that you previously downloaded and the type of Linux OS you are deploying, for example, Generic Linux 2020. Confirm with Forward.

  5. Specify the amount of memory and number of processors that you want to assign to the SUSE Linux Micro virtual machine and confirm with Forward.

  6. Specify the name for the virtual machine and the network to be used.

  7. If you are deploying an encrypted SUSE Linux Micro image, perform these additional steps:

    1. Enable Customize configuration before install and confirm with Finish.

    2. Click Overview from the left menu and change the boot method from BIOS to UEFI for secure boot. Confirm with Apply.

      Figure 1: Set UEFI firmware for the encrypted SUSE Linux Micro image
    3. Add a Trusted Platform Module (TPM) device. Click Add Hardware, select TPM from the left menu, and select the Emulated type.

      Figure 2: Add an emulated TPM device

      Confirm with Finish and start the SUSE Linux Micro deployment by clicking Begin Installation from the top menu.

4 Configuring with JeOS Firstboot

When booting SUSE Linux Micro for the first time without providing any configuration device, JeOS Firstboot enables you to perform a minimal configuration of your system. If you need more control over the deployment process, use a configuration device with either Ignition or Combustion configuration. Find more information in Section 2.1, “Configuring SUSE Linux Micro deployment with Ignition” and Section 2.2, “Configuring SUSE Linux Micro deployment with Combustion”.

To configure the system with JeOS Firstboot, proceed as follows:

  1. JeOS Firstboot displays a welcome screen. Confirm with Enter.

  2. On the next screens, select keyboard, confirm the license agreement and select the time zone.

  3. In the Enter root password dialog window, enter a password for the root and confirm it.

    Figure 3: Enter root password
  4. For encrypted deployments, JeOS Firstboot does the following:

    • Asks for a new passphrase that replaces the default passphrase.

    • Generates a new LUKS key and re-encrypts the partition.

    • Adds a secondary key slot to the LUKS header and seals it against the TPM device.

    If you are deploying an encrypted image, follow these steps:

    1. Select the desired protection method and confirm with OK.

    2. Enter a recovery password for LUKS encryption and retype it. The root file system re-encryption begins.

    Figure 4: Select method for encryption
  5. (Optional) To enroll SSH keys for access, press Yes. If you pressed Yes, proceed as described below:

    1. Using SSH, connect to the displayed IP address.

    2. If you received a public key properly, confirm it in the next screen.

    3. A prompt to import an SSH key appears. Select the option according to your preferences.

  6. (Optional) If desired, you can create an unprivileged user in the User Creation form. Fill in the user name, full name and a password twice. Confirm with OK.

  7. (Optional) To set up MFA for accessing Cockpit, open a TOTP application and scan the QR code. Enter the OTP value provided by the application. Proceed with OK.

  8. After successful deployment, register your system as described in Section 5.4, “Registering SUSE Linux Micro from CLI”.

5 Post deployment steps

5.1 Expanding encrypted disk images

Encrypted raw disk images of SUSE Linux Micro do not expand to the full disk capacity automatically. This procedure outlines steps to expand them to a desired size.

Procedure 2: Expanding encrypted disk images
  1. Use the qemu-img command to increase the disk image to the desired size.

  2. Use the parted command to resize the partition where the LUKS device resides (for example, partition number 3) to the desired size.

  3. Run the cryptsetup resize luks command. When asked, enter the passphrase to resize the encrypted device.

  4. Run the transactional-update shell command to open a read-write shell in the current disk snapshot. Then resize the Btrfs file system to the desired size, for example:

    # btrfs fi resize max /

  5. Leave the shell with exit and reboot the system with reboot.

5.2 Reencrypting the encrypted system

Warning: The system is not secured

The system is not secured. Thus, do not store any sensitive data in it until the disk reencryption is complete.

Note: The step is not needed if you deployed your system using JeOS Firstboot

JeOS Firstboot prompts for a new passphrase during the deployment phase. After you enter it, the system is reencrypted automatically, thus no further action is needed.

SUSE Linux Micro encrypted images are delivered with a default LUKS passphrase. On the first boot, the system attempts to reencrypt the disk. If the reencryption does not take place or fails, reencrypt the disk and set a new passphrase or enroll a key with TPM after the deployment. If the reencryption succeeds, just set a new passphrase or enroll a key with TPM. In both cases, proceed as described below. Perform the steps in the same shell session.

  1. Remove the files:

    # rm /root/.root_keyfile /etc/dracut.conf.d/99-luks-boot.conf
  2. Import the needed functions to your shell:

    # source /usr/share/fde/luks
  3. Identify the underlying LUKS device and define further used variables:

    # luks_name=$(expr "`df --output=source / | grep /dev/`" : ".*/\(.*\)")

    and:

    # luks_dev=$(luks_get_underlying_device "$luks_name")
  4. Check if the image is already reencrypted.

    1. Check whether the file root/.luks.header is in initramfs:

      # lsinitrd --file root/.luks.header

      If the file does not exist, the disk is not reencrypted and you can directly proceed to Procedure 3, “Reencrypting the disk and setting a new passphrase”.

    2. If the file exists, compare its content with the output of the following command:

      # cryptsetup luksHeaderBackup "$luks_dev" --header-backup-file current_header
      sha256sum current_header | cut -f1 -d" "; rm -f current_header

      If the output of the two commands differs, the disk has been reencrypted and you can proceed to Procedure 4, “Setting a new passphrase and enrolling a key with TPM”. If the output is the same, proceed according to Procedure 3, “Reencrypting the disk and setting a new passphrase”.

The following procedure is specific to cases where reencryption on the first boot did not succeed.

Procedure 3: Reencrypting the disk and setting a new passphrase
  1. Create a key file that stores the default passphrase 1234 and a key file with the new passphrase. Use a strong passphrase with at least 10 characters.

  2. Change the recovery password.

    # cryptsetup luksChangeKey --key-file PATH_TO_DEFAULT --pbkdf pbkdf2 "${luks_dev}" PATH_TO_NEW

    PATH_TO_DEFAULT is a path to the key file with the default passphrase 1234. PATH_TO_NEW is a path to the key file with your new passphrase.

  3. Reencrypt the LUKS device:

    # cryptsetup reencrypt --key-file PATH_TO_NEW ${luks_dev}
  4. Create a new random key and seal it with TPM:

    # fdectl regenerate-key --passfile PATH_TO_NEW
  5. Update the grub.cfg file by running:

    # transactional-update grub.cfg
  6. Remove the key file with the default passphrase.

  7. Reboot the system.

The following procedure describes only setting a new passphrase and enrolling a key with TPM.

Procedure 4: Setting a new passphrase and enrolling a key with TPM
  1. Create a key file with a new passphrase. Use a strong passphrase with at least 10 characters.

  2. Change the recovery password.

    # cryptsetup luksChangeKey --key-file PATH_TO_DEFAULT --pbkdf pbkdf2 "${luks_dev}" PATH_TO_NEW

    PATH_TO_DEFAULT is a path to the /run/.kiwi_reencrypt.keyfile key file with the passphrase generated during the disk reencryption. PATH_TO_NEW is a path to the key file with your new passphrase.

  3. Create a new random key and seal it with TPM:

    # fdectl regenerate-key --passfile PATH_TO_NEW
  4. Update the grub.cfg file by running:

    # transactional-update grub.cfg
  5. Remove the /run/.kiwi_reencrypt.keyfile file.

  6. Reboot the system.

5.3 Adding users

Since SUSE Linux Micro by default requires an unprivileged user to log in via SSH or to access Cockpit, we recommend creating such an account.

This step is optional if you have defined an unprivileged user during the deployment of the system. If not, you can proceed as described below:

  1. Run the useradd command as follows:

    # useradd -m USER_NAME
  2. Set a password for that account:

    # passwd USER_NAME
  3. If needed, add the user to the wheel group:

    # usermod -aG wheel USER_NAME

5.4 Registering SUSE Linux Micro from CLI

After successful deployment, you need to register the system to get technical support and receive updates. Registering the system is possible from the command line using the transactional-update register command.

To register SUSE Linux Micro with SUSE Customer Center, proceed as follows:

  1. Run transactional-update register as follows:

    # transactional-update register -r REGISTRATION_CODE -e EMAIL_ADDRESS

    To register with a local registration server, additionally provide the URL to the server:

    # transactional-update register -r REGISTRATION_CODE -e EMAIL_ADDRESS \
     --url "https://suse_register.example.com/"

    Replace REGISTRATION_CODE with the registration code you received with your copy of SUSE Linux Micro. Replace EMAIL_ADDRESS with the e-mail address associated with the SUSE account you or your organization uses to manage subscriptions.

  2. Reboot your system to switch to the latest snapshot.

  3. SUSE Linux Micro is now registered.

Note: Other registration options

For information that goes beyond the scope of this section, refer to the inline documentation with SUSEConnect --help.