Alpine Linux - User contributions [en]

Sysctl.conf

2026-04-04T13:40:02Z

Arnaudv6: net.ipv4.tcp_tw_recycle has been removed from Linux in 4.12 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4396e46187

{{DISPLAYTITLE:sysctl.conf}}sysctl.conf is the configuration file at <code>/etc/sysctl.conf</code> for [https://linux.die.net/man/8/sysctl sysctl] and is used to configure kernel parameters at boot time. You can load the configuration file with {{Cmd|sysctl -p}} or simply with a reboot.
This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment. The config examples are well commented so should provide all the information you need. If further information is required on anything, please make a note in this page or in the 'discussion' area.
Some of the options shown in the below examples may already be as default in your release. Check with <pre>sysctl -a|grep <somestring></pre>
Lines beginning with a hash '#' are comments and are thus not read until the # is removed.

= IPv6 =
Although IPv6 is [[Configure Networking|configured]] in <code>/etc/network/interfaces</code> more advanced options are configured in <code>/etc/sysctl.conf</code>:
<pre>
####Turn off IPv6 Routing####
## if not functioning as a router, there is no need
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global
## unicast address to an interface
## Turn on/off below (default is 1, on)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.default.max_addresses = 1

##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1
</pre>

= General networking and performance =
Do not enable (uncomment) any of this unless you know what you are doing!! Be prepared to perform thorough testing and potentially break stuff!

<pre>
### Disable routing
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## log martian packets
#net.ipv4.conf.all.log_martians = 1

### Memory and buffer changes. See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php {{Dead link}} for more information.
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824
## Improve file system performance
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
## This will increase the amount of memory available for socket input/output queues
#net.ipv4.tcp_rmem = 4096 87380 524288
#net.core.rmem_max = 1048576
#net.core.rmem_default = 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288
#net.core.optmem_max = 25165824

## Increase system file descriptor limit
fs.file-max = 65535

## Allow for more PID's
kernel.pid_max = 65536

## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

## Set small dirty bytes values (overcomes random short system freezes)
## If you uncomment the below, it is set to 4MB
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304

## reuse time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1

## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3

## Change the time default value for tcp_fin_timeout connection
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us)
## Default is 60 seconds
#net.ipv4.tcp_fin_timeout = 15
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message)
## Default is 2 hours!
#net.ipv4.tcp_keepalive_time = 360
## Turn on tcp_window_scaling
#net.ipv4.tcp_window_scaling = 1
## Turn on the tcp_sack
#net.ipv4.tcp_sack = 1
## tcp_fack should be on because of sack
#net.ipv4.tcp_fack = 1

## Set the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 1200 65000

## the number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000

## Maximum number of remembered connection requests which have not
## received an ack from connecting client. Increases in proportion
## to available memory. Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000

#Don't penalize programs for using split locks. Marginally speeds up the steam and Google Chrome flatpaks.
kernel.split_lock_mitigate = 0
</pre>

= Security =

<pre>
## Disable magic-sysrq key
kernel.sysrq = 0

## Restrict dmesg access to root
kernel.dmesg_restrict = 1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## Don't expose kernel memory addresses in procfs
kernel.kptr_restrict = 2

## Restrict access to kernel performance events
kernel.perf_event_paranoid = 2

## Restrict unprivileged access to eBPF
kernel.unprivileged_bpf_disabled = 1

## Enable JIT hardening techniques for eBPF
net.core.bpf_jit_harden = 2

## Disable core dumps
kernel.core_pattern=|/bin/false

## Restrict access to the ptrace() syscall
## a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2

## Increase bits of entropy for ASLR
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Heavily restrict writing to FIFOs; they must be owned, not in sticky dirs...
fs.protected_fifos = 2
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2
</pre>

[[Category:Networking]][[Category:Security]][[Category:Kernel]]

LabWC

2024-12-19T08:03:34Z

Arnaudv6:

[https://labwc.github.io LabWC] is a stacking [[Wayland]] compositor. Although [https://github.com/labwc/labwc#1-what-is-this it wasn't intended like that], it can serve as a drop-in replacement for the [[Openbox]] window manager (the same way [[Sway]] is for [[I3wm]]).

This wiki was written starting from a fresh install using the Alpine 3.16 x86 extended .iso. The steps begin from the first reboot after running setup-alpine and performing a sys install to disk.

Many steps below were taken from the [[Sway|wiki entry for installing Sway]], as both are wlroots-based Wayland compositors. Another interesting page, because of the same reasons, is the [[River]] compositor's.

== Prerequisites ==
{{Note|These steps posted as both Sway and LabWC prerequisites could be applied to almost all wlroots-based Wayland compositors.}}

{{:Include:Setup_Device_Manager}}

Then install the mesa gallium drivers:

{{Cmd|# apk add mesa-dri-gallium}}

The following links contain guides for setting up the video stack.

* [[Intel Video]]
* [[Radeon Video]]

Add yourself to the input and video groups:

{{Cmd|# adduser $USER input
# adduser $USER video
}}

You have to log out and back in for this to take effect.

Install some TTF fonts:

{{Cmd|# apk add font-dejavu}}

Since wlroots 0.14, you need to set up libseat backend if you wish to run labwc directly (without nesting it in another wayland compositor). To do that, [[Repositories#Enabling_the_community_repository|enable the community repository]] and choose one of the following methods:

=== Option 1: seatd daemon (recommended) ===
See [[Seatd]].

=== Option 2: seatd-launch ===

{{Cmd|# apk add seatd-launch}}

When starting labwc, you will need to prefix invocation with <code>seatd-launch</code>.
Note: <code>seatd-launch</code> is a suid binary, so it might be wise to use one of the other methods from a security perspective.

=== Option 3: elogind daemon ===

See [[Elogind]].

== Installation ==

We can now install labwc:
{{Cmd|# apk add labwc labwc-doc
# apk add \ # Install optional dependencies:
xwayland \ # recommended for compatibility reasons
foot \ # default terminal emulator
rofi \ # default application launcher (dmenu could be used instead)
swaylock \ # lockscreen tool
swaybg \ # wallpaper daemon
swayidle \ # idle management (DPMS) daemon
dbus-x11
}}

Note that almost all optional dependencies are the same as Sway's.

== Running LabWC ==

To run labwc, first set up [[XDG_RUNTIME_DIR]] Then run labwc from the Linux console (dbus-launch is used because pipewire needs it, it is included in dbus-x11 and you may omit it):

{{Cmd|$ dbus-launch labwc}}

(if you run labwc with seatd-launch, you will need to use <code>$ dbus-launch seatd-launch labwc</code>)

You can also create a simple alias in your shell rc file (e.g. .zshrc), like:
{{Cmd|alias labwcinit="dbus-launch seatd-launch labwc"}}

{{Note|
swaylock needs to be able to read your <code>/etc/shadow</code> file to be able to validate your password
}}

== Configuration and Usage ==

LabWC aims to implement the [http://openbox.org/wiki/Help:Contents openbox 3.4] specification, so many things working in OpenBox should be compatible.

Moreover, the project provides [https://github.com/labwc/labwc#4-configure examples for all the configuration files] and some themes, explaining where it must be located each one of them.

For additional information, labwc [https://labwc.github.io/manual.html manpages] and [https://github.com/labwc/labwc/wiki wiki] can be consulted.

[[Category:Desktop]]
[[Category:Wayland]]
[[Category:compositor]]

Setting up an NFS server

2024-09-26T12:21:55Z

Arnaudv6: bin name: exports -> exportfs

== Installation ==
Install the following package for both NFS client and NFS server service.

{{Cmd|# apk add nfs-utils}}

== Configuration ==
Setting up NFS service on Alpine Linux is no different from other Linux distributions.

=== NFS Server ===

Setup export dirs in /etc/exports. For example:
{{Cat|/etc/exports|<nowiki>/data 10.10.10.0/24(rw,nohide,no_subtree_check,no_root_squash)
</nowiki>}}

After editing /etc/exports, reload your setting
{{Cmd|# exportfs -afv}}

To make NFS server service to autostart on boot:

{{Cmd|# rc-update add nfs}}

To start NFS server service now

{{Cmd|# rc-service nfs start}}

=== NFS Client ===

To mount NFS shares automatically, an entry needs to made to /etc/fstab. To mount nfs share from /etc/fstab file at booting of the system

{{Cmd|# rc-update add nfsmount}}

To mount the nfs shares from /etc/fstab file now:
{{Cmd|# rc-service nfsmount start}}

{{Cmd|# rc-update add netmount}}

You can check your boot services:
{{Cmd|# rc-status}}

{{Cmd|# rc-service netmount start}}

== Kerberos Authentication ==

By default, NFS security only validates the IP of the client. You can add user level authentication with a Kerberos installation ([https://pkgs.alpinelinux.org/package/edge/main/armhf/krb5 MIT KRB5] or [https://pkgs.alpinelinux.org/package/edge/main/x86/heimdal Heimdal]). It is recommended to have the same Kerberos flavor across the network as both implementations are not completely mutually compatible.

=== Server Configuration ===

Assuming you setup Kerberos in the in the network, create ticket to your NFS machine (examples are in MIT KRB5 syntax):

{{Cmd|# kadmin: addprinc -randkey nfs/nfs1.example.com@EXAMPLE.COM}}

And add it to the machines krb5.keytab file:
{{Cmd|# kadmin: ktadd nfs/nfs1.example.com@EXAMPLE.COM}}

Then, edit your /etc/exports, and add sec=krb5 (only authentication), sec=krb5i (also hmac signing) or sec=krb5p (also encryption). For example:

{{Cat|/etc/exports|<nowiki>/data 10.10.10.0/24(rw,nohide,no_subtree_check,sec=krb5p,no_root_squash)
</nowiki>}}

After editing /etc/exports, reload your setting
{{Cmd|# exportfs -afv}}

User id mapping is managed by nfsidmap.

=== Client Configuration ===

In order for the client to connect to NFS via kerberos, enable and start rpc.gssd.
{{Cmd|# rc-update add rpc.gssd}}
{{Cmd|# rc-service rpc.gssd start}}

== see Also ==
* [https://wiki.archlinux.org/title/NFS NFS in Arch wiki]
* [https://wiki.gentoo.org/wiki/Nfs-utils NFS in Gentoo Wiki]

[[Category:Server]]

Using Unbound as an Ad-blocker

2024-02-13T18:18:42Z

Arnaudv6:

== Background ==

There is a fairly popular software product that acts as a DNS blocker for Advertisements and Malware. It runs on the Raspberry <span style="color: red">Pi-</span> and claims to be a DNS Black <span style="color: red">Hole</span>. It extends dnsmasq with filtering based on a downloadable blacklist. There is a [https://gitlab.alpinelinux.org/alpine/aports/issues/9489 package request] for this software to run on Alpine Linux.

The binary does compile on Alpine, however there is an extensive list of extraneous files, directories and packages that must be installed to get the modified version of {{Pkg|dnsmasq}} to start. The "basic installer" is over 2600 lines of Bash code.

Our goal is to get 80% of the functionality with 10% of the work.

== Basic Components ==

You should have {{Pkg|dnsmasq}} (or another DHCP server) and [[Setting_up_unbound_DNS_server|unbound]] both working on your network.

== Setting up Unbound To Block/Refuse unwanted addresses ==

There are a number of freely available blacklists on the net. The installer mentioned above uses these lists by default:
<pre>
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
</pre>

Alternatively, there is a set of curated lists at https://github.com/StevenBlack/hosts. There are various categories of lists there. The format of the file is a "host" (so you can put it in <code>/etc/hosts</code> and be done). We will use the hosts file format:

unbound needs to include the <code>blacklists.conf</code> file into its main configuration. To do so, we need to create the include file in the following format:

{{Cat|/etc/unbound/blacklists.conf|server:

local-zone: "bad-site.com" refuse
local-zone: "bad-bad-site.com" refuse
local-zone: "xyz.ads-r-us.com" refuse}}

Here is an example shell script to download the
[https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts StevenBlack]
hosts file, and then format it for unbound:

<pre>
#!/bin/sh

echo "server:" >/etc/unbound/blacklist.conf
curl -s https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts | \
grep ^0.0.0.0 - | \
sed 's/ #.*$//;
s/^0.0.0.0 $.*$/local-zone: "\1" refuse/' \
>>/etc/unbound/blacklist.conf
</pre>

You can run this once, or as part of a periodic cron task.

In the <code>/etc/unbound/unbound.conf</code>, add the following line somewhere in the config:

{{Cat|/etc/unbound/unbound.conf|#include "/etc/unbound/blacklist.conf"}}

Reload unbound, and verify the config loads.

== Dnsmasq configuration ==

Dnsmasq defaults to using the resolver in <code>/etc/resolv.conf</code> — if unbound is listening on <code>127.0.0.1</code>, then have it use that as the resolver.

Alternatively, if unbound is running on another interface, or on a separate machine — use the dhcp-option configuration in dnsmasq:

<pre>
dhcp-option=6,[ip-of-unbound-server]
</pre>

Enjoy Ad-Free browsing!

[[Category:Networking]]