Alpine Linux - User contributions [en]

Raspberry Pi Zero W - Installation

2021-07-02T23:17:09Z

AppAraat: Removed sysfsutils as it's no longer a dependency for rng-tools: https://github.com/nhorman/rng-tools/releases/tag/v6.12 (thx minimal!)

{{TOC right}}
= Introduction =
This wiki describes how I installed Alpine Linux 3.9.2 armhf on a Raspberry Pi Zero W. I had problems with it initially as WiFi wouldn't connect when going through the setup-alpine script and when I was able to get it connect (after numerous failed manual attempts) it wouldn't reconnect on reboot. The solution documented below adds and starts the rngd service prior to running setup-alpine which fixes the wifi connection problems and allows you to walk through the setup script successfully. It also adds the rngd and wpa_supplicant services to start at boot and removes the network service out of the rc-update list completely, which seems like the wrong thing to do and probably is - networking still gets started, probably as a dependency to something else, and it starts after rngd and wpa_supplicant, which is what I needed. When the networking service was set to "boot" (which it was out of the box) it was starting before rngd and wpa_supplicant so wlan0 would never connect.

I need to go back through this again but it should work as written. Some steps may not be necessary for your use case and some steps may not be necessary at all but don't seem to hurt. I'm still learning about Alpine Linux and hope to improve this process as I do more reading and experimentation.

Update - 7 Dec 2019 - I went through installation again on a Pi Zero W with Alpine 3.10.3 for armhf. First boot after writing the image to the SD card seems to work ok as far as WiFi functionality is concerned. Setup script completes and I was able to connect to WiFi and pull down packages etc. I decided to not install the rngd related packages at this point to see how a reboot looked, answer is not good. The dhcp request just times out. Running setup-alpine again at this point also doesn't work. If you start over and rewrite the image to the SD card, the first boot will again work ok, it's only rebooting that breaks Wifi. I think it's best then to be sure to follow the steps for installing the rngd related packages and configuring the service to start at boot. Note that you can install what you need on first boot using apk, you don't need to copy the packages to the SD card offline as written below.

Update - 29 Dec 2019 - See also a method to perform a headless setup: [[Raspberry Pi - Headless Installation]]

= Write image to SD =
Format an SD card with fat filesystem first. This can be done with a graphical tool like GParted once the SD card is mounted on your operating system. The following assumes the SD card device is at /dev/sdb1.

First, mount the SD card:
{{Cmd|sudo mount /dev/sdb1 /mnt}}

Then, copy the files:
{{Cmd|tar -xzvf alpine-rpi-3.9.2-armhf.tar.gz -C /mnt --no-same-owner}}
If you have no means to mount the SD card normally with an SD reader, it can be mounted via USB via the Raspberry Pi Zero W, using the usbbootgui tool to mount as eMMC/SD card reader. On Ubuntu, this can be installed as follows:
{{Cmd|sudo add-apt-repository ppa:rpi-distro/ppa}}
{{Cmd|sudo apt install usbbootgui}}

A GUI should open as soon as you plug in your Pi; otherwise run
{{Cmd|usbbootgui}}

= Edit cmdline.txt and add line for serial console (Optional)=

This is for my use case and optional if you are using a local keyboard and monitor. I do not connect a keyboard and monitor but rather do the setup via the Pi's serial GPIO pins.

Create a file called cmdline.txt in the root of the SD card and place the following text:
{{Cmd|modules{{=}}loop,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable{{=}}0 console{{=}}tty1 console{{=}}ttyAMA0,115200}}

= Create usercfg.txt and edit (Optional) =

This is mostly optional I believe and applies to my use case where I will be running the Pi in a headless appliance type mode. I reduce the memory allocated for the GPU, turn off audio (not sure I still need this on the Zero W), disable bluetooth (which I think puts the serial console back on the real uart, again, need to double check), add w1 for a temperature sensor, and set the enable_uart to 1 (may not be necessary, need to verify and add comments). This can be done by creating a file called usercfg.txt at the base of the SD card with the following contents:
{{Cmd|gpu_mem{{=}}16
dtparam{{=}}audio{{=}}off
dtoverlay{{=}}pi3-disable-bt
dtoverlay{{=}}w1-gpio
enable_uart{{=}}1}}

= Create cache folder and add rng-tools packages =
{{Cmd|mkdir /mnt/cache}}
I copy pasted the following into the cache dir on sd card. I have another Alpine env to apk fetch packages from (chroot on Fedora)
{{Cmd|rng-tools-6.3.1-r1.652a1399.apk
rng-tools-openrc-6.3.1-r1.e9b063f8.apk}}

= Boot Pi with prepared SD card, login as root and add packages =

I'm still new to Alpine, not sure if the setup-apkcache step is necessary or accomplishes anything here.
{{Cmd|localhost:~# setup-apkcache
Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: /media/mmcblk0p1/cache/

localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-6.3.1-r1.652a1399.apk
(1/1) Installing rng-tools (6.3.1-r1)
Executing busybox-1.29.3-r10.trigger
OK: 8 MiB in 21 packages

localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-openrc-6.3.1-r1.e9b063f8.apk
(1/1) Installing rng-tools-openrc (6.3.1-r1)
OK: 8 MiB in 22 packages}}

= Start rngd service =
{{Cmd|localhost:~# service rngd start
* Caching service dependencies ...
[ ok ]
* Starting rngd ...

Initalizing available sources
[ ok ]}}

= Run setup-alpine wifi connection should setup ok with rngd running. =
The setup process turns off the rngd service at some point but it's after wifi is connected
{{Cmd|setup-alpine}}
= Configure services and reboot =
Removing networking from boot results in it not being present in any stage which seems like the wrong fix but it still gets run by something and after rngd and wpa_supplicant which is what we want:
{{Cmd|pet-protect:~# rc-update add rngd boot
* service rngd added to runlevel boot

pet-protect:~# rc-update add wpa_supplicant boot
* service wpa_supplicant added to runlevel boot

pet-protect:~# rc-update del networking boot
* service networking removed from runlevel boot

pet-protect:~# rc-update -u
* Caching service dependencies ...
[ ok ]

pet-protect:~# lbu commit -d
pet-protect:~# reboot}}

[[category:Installation]]
[[category: Raspberry]]

Setting up a new user

2021-06-28T21:42:00Z

AppAraat: Added external link to doasedit (script), as it is not included by default: https://github.com/Duncaen/OpenDoas/issues/70

The <code>root</code> account should be used only for local administrative purposes that require elevated access permissions.

This page shows how to create non-privileged user accounts. i.e. those used for daily work, including desktop usage and remote logins.

= Overview =

Creating user accounts provides users their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.

Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).

= Creating a new user =

{{Warning|If using a '''"diskless" or "data" disk mode''' installation, it's important to make the <code>/home</code> directory persistent.
<br>
* Either the <code>/home</code> filesystem needs to be mounted from a writable partition, or
* the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
{{Cmd| # lbu include /home
# lbu commit
}} (Not recommended, as reverting to an older .apkovl will also revert the files in /home).
}}

Regular user accounts can be created with:
{{Cmd|# adduser [-g "<Full Name>"] <username>}}

By default, adduser will:
* prompt you to set a password for the new user
* create a home directory in {{Path|/home/<username>}}
* set the shell to the one used by the <code>root</code> account (ash by default)
* assign user ID and group ID starting at 1000
* set the GECOS (full name) field to "Linux User,,,"

{{Tip|The optional <code>-g "<Full Name>"</code> above sets the GECOS field.
This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.
}}

Users who must be able to access an Xorg instance must be added to the <code>video</code> and <code>input</code> groups:
adduser 'UserName' video
adduser 'UserName' input

'''If a user ''really must'' be allowed to have access to the root account''', the <username> can be added to the wheel group, <code>doas</code> ("do as") may be installed, and the group "wheel" can be allowed to become root:
adduser -g "<username>" <username>
adduser <username> wheel
apk add doas
apk add nano
nano /etc/doas.conf

{{Warning|It's recommended to '''not''' run complete applications, like editors, as root just to modify administrative files.
<br>
* Many desktop environments and file browsers support using <code>admin:///</code> in their address bars, to access files through a local gvfs-admin mount
* [https://github.com/AN3223/scripts/blob/master/doasedit <code>doasedit</code>] or <code>sudoedit</code> enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, <code>sudoedit /etc/apk/lbu.conf</code>
}}
The <code>sudo</code> package is an alternative to using the BSD-like <code>doas</code>, but is a much larger package.
It may be used as follows: adding a custom user configuration file to avoid having to deal with manually changing configuration files later during package upgrades.
apk add sudo
NEWUSER='yourUserName'
adduser -d "${NEWUSER}" $NEWUSER
echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER

The new user gets listed in

{{Cat|/etc/passwd|root:x:0:0:root:/root:/bin/ash
.
.
.
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash}}

Now you should be able to issue the command <code>exit</code> and login to the new account.

= Options =

=== adduser ===

Usage (from "man busybox"):

<pre><nowiki>adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

-h --home DIR Home directory
-g --gecos GECOS GECOS field
-s --shell SHELL Login shell named SHELL by example /bin/bash
-G --ingroup GRP Group (by name)
-S --system Create a system user
-D --disabled-password Don't assign a password, so cannot login
-H --no-create-home Don't create home directory
-u --uid UID User id
-k SKEL Skeleton directory (/etc/skel)
</nowiki></pre>

{{Tip|Multi-user collaboration
If <nowiki>--ingroup</nowiki> isn't set, (default) the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
}}

=== addgroup ===

Usage (from "man busybox"):

<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP

Create a group or add a user to a group

-g --gid GID Group id
-s --system Create a system group
</nowiki></pre>

= Legacy =

=== Common permission groups ===

(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)

* '''disk''':x:6:root,adm needed only for use vith virtual machines and access to other partitions.
* '''lp''':x:7:lp needed for printing services and printers management.
* '''wheel''':x:10:root Administrator group, members can use <code>sudo</code> to run commands as root if enabled in the sudo configuration.
* '''floppy''':x:11:root Backward compatible group. Use only if access to special external devices is needed.
* '''audio''':x:18: Needed for audio listening and management of sound volume as normal user.
* '''cdrom''':x:19: For access to CD/DVD/BR writers and mounting DVD, BR or CD rom disk as normal user.
* '''dialout''':x:20:root Needed for dialing private connections and use of modems as normal user.
* '''tape''':x:26:root Needed if you're planning to use special devices for backup. Rare. Ususally used only on servers.
* '''video''':x:27:root For usage of cameras, more than one GPU special features, as normal user.
* '''netdev''':x:28: For network connections management as normal user.
* '''kvm''':x:34:kvm Only if a normal user will manage virtual machines via a GUI. Rare. Ususally used only on servers.
* '''games''':x:35: Needed if you want to play games. Especially if sharing scores between users.
* '''cdrw''':x:80: Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
* '''apache''':x:81: Needed if you do development as normal user and want to publish locally on web server.
* '''usb''':x:85: Needed to access to special usb devices. Deprecated group.
* '''users''':x:100:games Needed if you plan to use common files for all users. Mandatory for desktop usage.

= Old newbie notes =

=== User creation and defaults ===

The following commands will set up root environment login, then assign a new password:

<pre><nowiki>
cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

echo "secret_new_root_password" | chpasswd
</nowiki></pre>

By default, remote management cannot be done direct;y with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.

Here's an example: create user named "remote" and a user named "general." We will set up a hardened, limited, user environment and create those two users:

<pre><nowiki>
mkdir -p /etc/skel/

cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF

cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

adduser -D --home /opt/remote --shell /bin/ash remote

echo "secret_new_remote_user_password" | chpasswd

adduser -D --shell /bin/bash general

echo "secret_new_general_user_password" | chpasswd
</nowiki></pre>

{{Tip|"'''general'''" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols}}

Note that those users are created with minimal privilege settings.

== User management and system access ==

By default, a newly created user will not have enough privileges for most desktop purposes.

To add newly created users to groups that may come in handy for desktop useage, you run this command as root:

<pre><nowiki>
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
</nowiki></pre>