Alpine Linux - User contributions [en]

Alpine Linux:IRC

2025-01-21T10:58:33Z

Fabricionaweb: add #alpine-security channel

== Channels ==

Alpine Linux has registered the following channels on the [https://www.oftc.net/ OFTC] IRC network:
;[ircs://irc.oftc.net/alpine-linux #alpine-linux]
: For general discussion and quick support questions.
;[ircs://irc.oftc.net/alpine-devel #alpine-devel]
: For discussion of Alpine Linux development and developer support.
;[ircs://irc.oftc.net/alpine-docs #alpine-docs]
: For discussion of Alpine Linux documentation.
;[ircs://irc.oftc.net/alpine-offtopic #alpine-offtopic]
: For general chitchat.
;[ircs://irc.oftc.net/alpine-cloud #alpine-cloud]
: For discussion of Alpine Linux Cloud images.
;[ircs://irc.oftc.net/alpine-commits #alpine-commits]
: Bot posts information about commits and builds in this channel.
;[ircs://irc.oftc.net/alpine-infra #alpine-infra]
: For discussion of Alpine Linux Infrastructure and the Team.
;[ircs://irc.oftc.net/alpine-security #alpine-security]
: For discussion of Alpine Linux Security and the Team.
[https://irclogs.alpinelinux.org IRC Logs - Archived IRC messages]

Feel free to join and chat! Please be patient when asking questions, it may take a while for someone to answer.

== New to IRC? ==

If you are new to IRC and would like to try it out in your browser, see [https://webchat.oftc.net/ OFTC Web IRC]. Make sure you specify one of the above channels when you connect.

Also see [https://en.wikipedia.org/wiki/Wikipedia:IRC/Tutorial Wikipedia's IRC tutorial].

== Clients ==

There are several free IRC clients available. Here are some popular clients:

* [https://irssi.org/ Irssi]
* [https://weechat.org/ WeeChat]
* [https://hexchat.github.io/ HexChat]
* [http://www.eterna.com.au/ircii/ ircII]
* [https://pidgin.im/ Pidgin]

Also see [https://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_clients Wikipedia's comparison of IRC clients].

Alpine Linux:IRC

2025-01-21T10:55:15Z

Fabricionaweb: add #alpine-infra channel

== Channels ==

Alpine Linux has registered the following channels on the [https://www.oftc.net/ OFTC] IRC network:
;[ircs://irc.oftc.net/alpine-linux #alpine-linux]
: For general discussion and quick support questions.
;[ircs://irc.oftc.net/alpine-devel #alpine-devel]
: For discussion of Alpine Linux development and developer support.
;[ircs://irc.oftc.net/alpine-docs #alpine-docs]
: For discussion of Alpine Linux documentation.
;[ircs://irc.oftc.net/alpine-offtopic #alpine-offtopic]
: For general chitchat.
;[ircs://irc.oftc.net/alpine-cloud #alpine-cloud]
: For discussion of Alpine Linux Cloud images.
;[ircs://irc.oftc.net/alpine-commits #alpine-commits]
: Bot posts information about commits and builds in this channel.
;[ircs://irc.oftc.net/alpine-infra #alpine-infra]
: For discussion of Alpine Linux Infrastructure and the Team.
[https://irclogs.alpinelinux.org IRC Logs - Archived IRC messages]

Feel free to join and chat! Please be patient when asking questions, it may take a while for someone to answer.

== New to IRC? ==

If you are new to IRC and would like to try it out in your browser, see [https://webchat.oftc.net/ OFTC Web IRC]. Make sure you specify one of the above channels when you connect.

Also see [https://en.wikipedia.org/wiki/Wikipedia:IRC/Tutorial Wikipedia's IRC tutorial].

== Clients ==

There are several free IRC clients available. Here are some popular clients:

* [https://irssi.org/ Irssi]
* [https://weechat.org/ WeeChat]
* [https://hexchat.github.io/ HexChat]
* [http://www.eterna.com.au/ircii/ ircII]
* [https://pidgin.im/ Pidgin]

Also see [https://en.wikipedia.org/wiki/Comparison_of_Internet_Relay_Chat_clients Wikipedia's comparison of IRC clients].

Release Notes for Alpine 3.21.0

2024-12-05T15:02:24Z

Fabricionaweb: add .net6 eol information

As always, make sure to read [[Upgrading Alpine to a new major release]] when upgrading to a new release.

If you experience any issues with the upgrade, please let us know and file an issue in our repositories.

== Important changes ==

=== OpenSSH service requires restart ===

From the <code>9.8_p1</code> release, and on, of {{pkg|openssh}}, {{pkg|openssh-server}} is split into two binaries (<code>/usr/lib/ssh/sshd-session</code> and <code>/usr/sbin/sshd</code>). Due to this change, it will not be possible to <code>ssh</code> into a system that has upgraded from a release prior to <code>9.8_p1</code> to this release or later, without restarting the <code>sshd</code> service.

We have previously brought attention to this - https://alpinelinux.org/posts/2024-07-02-openssh-upgrade-edge.html

Managing services has always been out-of-scope for {{pkg|apk-tools}}, but this one time we will '''make an exception''' when the following conditions are met:
# You have both the {{pkg|openssh-server}} and {{pkg|openssh-server-common-openrc}} packages installed at a version lower than <code>9.8_p1</code>
# The <code>sshd</code> service is started

We will then, post {{pkg|openssh-server}} upgrade, have a <code>post-upgrade</code> script that will:
# Print a message on what is about to happen and why
# Restart the <code>sshd</code> service
# If the command to restart the service fails for any reason, a warning message will be printed and an error code returned to <code>apk</code>, to be noticed by the end of the package upgrades (this will not interrupt the upgrade process).

We have decided to do this in order to help keep you from getting locked out of your system(s) and be able to fix any issues with the upgrade.

See also:
* https://bugzilla.mindrot.org/show_bug.cgi?id=3706
* https://git.alpinelinux.org/aports/commit/?id=6adff08ae09961d4eea66b55a8cca14d3941fb53

=== New loongarch64 architecture ===

Alpine 3.21 is the first release which is available for <code>loongarch64</code>.

Thanks to the support of the team of Loongson dedicated to supporting Alpine Linux and many other contributors.

=== Preparations for /usr-merge ===

Plans for /usr-merge are underway and we should be able to finalize it in Alpine Linux, version 3.22.

Much preparation has gone into this release to ensure that the merge happens as smoothly as possible. That included moving the location of some binaries and many libraries from <code>/bin</code>, <code>/sbin</code>, and <code>/lib</code> to their counterparts in <code>/usr</code>. As part of the merge, <code>/usr</code> will be mounted from the initramfs to make sure everybody has all necessary binaries in place.

'''Users with installations where <code>/</code> and <code>/usr</code> are on separate filesystems (partitions, volumes, disk drives or other) should proceed with care and report any issues.''' They should also ensure that an entry <code>/usr</code> is added to <code>/etc/fstab</code> before upgrading, and all modules required to mount <code>/usr</code> from the initramfs are added to mkinitfs configuration. New/fresh installations of v3.21 will work out of the box without modification. Please note that <code>/</code> on separate filesystem than <code>/usr</code> is not officially supported.

If you have one of these setups, and have doubts about the configuration, you can open an [https://gitlab.alpinelinux.org/alpine/aports/-/issues/new issue] and ping <code>@pabloyoyoista</code>. We will also publish a blog post soon with further information on the timeline and progress of the merge, as well as how the changes may affect users.

== Significant changes ==

=== Jellyfin ===

Jellyfin now uses the recommended fork of ffmpeg called {{pkg|jellyfin-ffmpeg}} by default. If you want to change the default, take a look at the <code>ffmpegpath</code> variable in <code>/etc/conf.d/jellyfin</code>. ({{MR|69924}})

Jellyfin was disabled for ARM architectures (<code>aarch64</code> and <code>armv7</code>) and is only available for <code>x86_64</code>. ({{Issue|16613}})

=== Bats ===

<code>main/bats</code> was renamed to <code>main/bats-core</code>. There is now a meta package <code>community/bats</code> which contains:

* {{pkg|bats-core}}
* {{pkg|bats-file}}
* {{pkg|bats-support}}
* {{pkg|bats-assert}}

=== Xen 4.19 ===

''qemu-traditional'' and ''stubdom'' are removed from the build in this release, see https://git.alpinelinux.org/aports/commit/?id=24217a24da3924039b000eb17c04bf3f01bf1f12

There is still the {{pkg|xen-qemu}} package, but the regular {{pkg|qemu}} aport [https://git.alpinelinux.org/aports/commit/?id=a9249e2e0de827e88d84c01f9731aeebd248be13 is now built with Xen support], so a {{pkg|qemu-system-*}} package can be used instead.

You can choose to use it in your ''xl.cfg(1)'' like so:
<pre>
device_model_override = "/usr/bin/qemu-system-x86_64"
device_model_version = "qemu-xen"
</pre>

=== uutils-coreutils ===

{{pkg|uutils-coreutils}} is repackaged as a sub-package to {{pkg|uutils}} in such a way as to be a drop-in replacement for GNU {{pkg|coreutils}}.

If you have both {{pkg|uutils-coreutils}} and {{pkg|coreutils}} installed, the latter will be '''purged''' and its symlinks replaced with ones pointing to the <code>/usr/bin/uutils</code> binary. The <code>/usr/bin/uutils-*</code> symlinks, previously provided by {{pkg|uutils-coreutils}}, no longer exist.

If you prefer to use GNU {{pkg|coreutils}}, remove the {{pkg|uutils-coreutils}} package before upgrading, and then add the {{pkg|uutils}} package, containing the <code>/usr/bin/uutils</code> binary.

A few parts of the {{pkg|uutils}} aport are also split into {{pkg|uutils-*}} subpackages, to avoid conflicts or other issues.

=== linux-firmware ===

{{pkg|linux-firmware}} is now compressed with ZSTD compression. If you run a custom built Linux kernel, you need to ensure that <code>CONFIG_FW_LOADER_COMPRESS_ZSTD=y</code> is set in your configuration.

== Note-worthy updates ==

As always, a lot of packages were upgraded. Make sure to read the indivdual release notes of the projects you use.

* Linux 6.12
* busybox 1.37
* GCC 14.2
* LLVM 19
* Go 1.23
* Rust 1.83
* PHP 8.4
* GNOME 47
* KDE Plasma 6.2
* LXQt 2.1
* Qt 6.8
* wlroots 0.18

=== GCC 14 ===

The Gnu Compiler Collection was upgraded to 14.2.0 and as a result, all packages built with {{pkg|gcc}} in Alpine 3.21 are compiled with GCC 14.2.0.

Make sure to read all changes: https://gcc.gnu.org/gcc-14/changes.html

=== LXQt 2.1 ===

LXQt has been updated to release 2.1.0
* It now uses Qt6
* Many parts of LXQt are now Wayland ready¹, but Wayland ports of the following are pending: {{pkg|screengrab}}, {{pkg|lxqt-globalkeys}}, and keyboard indicator, some input settings, as well as settings for monitor, power button, and screen locker.
* LXQt Panel has a new default application menu called Fancy Menu.
¹ [https://github.com/lxqt/lxqt-wayland-session lxqt-wayland-session] has not been packaged yet, but most folks wanting to test on Wayland will want to use it.

=== Linux 6.12 ===

Alpine 3.21.0 ships Linux 6.12.1 in the {{pkg|linux-lts}} package.

=== PostgreSQL 17 ===

This release features {{pkg|postgresql17}}. We dropped support for {{pkg|postgresql14}}, and moved {{pkg|postgreSQL15}} from main to community.

=== LLVM 19 ===

We packaged LLVM 19 in our repositories. A total of 5 LLVM versions are supported: {{pkg|llvm19}}, {{pkg|llvm18}}, {{pkg|llvm17}}, {{pkg|llvm16}}, {{pkg|llvm15}}.

=== GNOME 47 ===

{{pkg|gnome-software}} has been held back to version 45, after several regressions in the apk plugin on update. See {{issue|16663}} for more details.

== Significant removals ==

=== Disabled packages due to FTBS ===

The following packages are temporarily disabled because they failed to build. We will try to restore them as soon as possible.

* {{pkg|hplip}} ({{Issue|16685}})
* {{pkg|imageflow}} ({{Issue|16679}})
* {{pkg|kdevelop}} ({{MR|75839}})
* {{pkg|postgresql-citus}} ({{Issue|16580}})
* {{pkg|uvicorn}} ({{Issue|16646}})
* {{pkg|vulkan-validation-layers}} ({{Issue|16686}})

=== ISC DHCP ===

If you are still running an ISC DHCP server, you are advised to migrate to a maintained alternative '''before''' upgrading to the 3.21 release.

ISC DHCP has been EoL since 2022. They have a guide for migrating to {{pkg|kea}} here: https://www.isc.org/dhcp_migration/

Up to, and including, the 3.20 version of Alpine, the {{pkg|dhcp|branch=v3.20}} aport has the subpackage {{pkg|keama|branch=v3.20}} that is a tool for helping with migration from ISC DHCP configuration to ISC Kea configuration.

Alternative DHCP servers packaged in Alpine include:
* {{pkg|kea}}
* {{pkg|freeradius-dhcp}}
* {{pkg|dnsmasq}}
* udhcpd - packaged in {{pkg|busybox-extras}}

=== Gogs ===

<code>gogs</code> was removed due to multiple high-severity vulnerabilities for which issues have remained open for a year. The developers of Gogs were contacted multiple times by the Forgejo team but unfortunately received no response. Therefore we have removed Gogs from our repositories. ({{MR|75304}})

Please consider migrating to {{pkg|forgejo|branch=edge|arch=}} or {{pkg|gitea|branch=edge|arch=}}. Both forks are available in our community repo.

The Gitea fork of Gogs was created in 2016 by contributors who were frustrated with the single-maintainer management model of Gogs. Forgejo is a fork of Gitea which was created as a result of the for-profit company Gitea Ltd taking over maintainership (see also https://forgejo.org/compare-to-gitea/).

=== neofetch ===

The upstream repository was archived in April and became unmaintained, therefore we have removed it from our repositories. {{pkg|fastfetch}} provides similar functionality.

=== .NET 6 ===

.NET 6 reached EOL in 12 November 2024 (see https://devblogs.microsoft.com/dotnet/dotnet-6-end-of-support/) and the following packages have been moved to the testing repository ({{MR|73655}}):
* {{pkg|dotnet6-build|branch=edge|arch=}}
* {{pkg|dotnet6-runtime|branch=edge|arch=}}
* {{pkg|dotnet6-stage0|branch=edge|arch=}}
* {{pkg|lidarr|branch=edge|arch=}}
* {{pkg|prowlarr|branch=edge|arch=}}
* {{pkg|radarr|branch=edge|arch=}}
* {{pkg|sonarr|branch=edge|arch=}}

LXC

2023-08-25T10:22:01Z

Fabricionaweb: add section about static ip using dnsmasq server method

[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].

== Installation ==
Install the required packages:
{{Cmd|apk add lxc bridge lxcfs lxc-download xz}}

If you want to create containers other than Alpine, you'll need lxc-templates:

{{Cmd|apk add lxc-templates}}

== Upgrading from 2.x ==

Starting with Alpine 3.9, we ship LXC version 3.1.
LXC 3.x has major changes which can and will break your current setup.
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).
For example if you use Alpine containers created with the Alpine template, you'll need to install:

apk add lxc-templates-legacy-alpine

Also make sure you convert your LXC config files to the new 2.x format (this is now required).

lxc-update-config -c /var/lib/lxc/container-name/config

Make sure you have removed '''cgroup_enable''' from your cmdline as this will fail to mount cgroups and fail LXC service.

== Prepare network on host ==
Install the {{Pkg|lxc-bridge}} package to create the <code>lxcbr0</code> bridge and configure the forwarding routes using iptables

apk add lxc-bridge iptables

Enable the dnsmasq [[OpenRC]] service at boot and start it

rc-update add dnsmasq.lxcbr0 boot
service dnsmasq.lxcbr0 start

If you dont want to forward the routes, add <code>DISABLE_IPTABLES="yes"</code> to the /etc/conf.d/dnsmasq.lxcbr0 file

=== Assign static IP for a container ===

Using the dnsmasq method you can leave the container interface asking for DHCP as it is. You will just need to set the DHCP server asnwers.

By editing the file /etc/lxc/dnsmasq.conf and add the hostname (container name) and desired ip

dhcp-host=guest1,10.0.3.4
dhcp-host=guest2,10.0.3.5

Restart the service

service dnsmasq.lxcbr0 restart

== Create a guest ==

=== Picking from the list ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t download}}

And just pick from the list. lxc-download and xz can be uninstalled after you are done.

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note: by default, the alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x64 compatible hardware, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you'll need to install some packages:

{{Cmd|apk add debootstrap rsync}}

You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Remember to turn them back on, or simply reboot.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}

==== Setting a static IP ====
Since Debian Bullseye 11.3 you can't assign a static IP address using the lxc config file of the container [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009351 because of a systemd change].
To make it work with a configuration like the following

# grep net /var/lib/lxc/bullseye/config
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = virbr1
lxc.net.0.ipv4.address = 192.168.1.111/24
lxc.net.0.ipv4.gateway = 192.168.1.1

You have to attach to the container and run

{{Cmd|lxc-attach -n bullseye
systemctl stop systemd-networkd
systemctl disable systemd-networkd
reboot
}}

After the reboot the IP address should be set correctly. This can be confirmed using the lxc-ls command

{{Cmd|# lxc-ls -f
NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
bullseye RUNNING 1 - 192.168.1.111 - false
}}

=== Ubuntu template ===

{{Obsolete|Alpine has not contained grsec for a long time}}

In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Remember to turn them back on, or simply reboot.

Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)

{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}

{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}

=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===

To enable unprivileged containers, one must create a uidgid map:

echo root:1000000:65536 | tee -a /etc/subuid
echo root:1000000:65536 | tee -a /etc/subgid

This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.

To configure containers to use this mapping, add the following lines to the configuration:

lxc.idmap = u 0 1000000 65536
lxc.idmap = g 0 1000000 65536

This can be in the global or container-specific configuration.

To create an unprivileged lxc container, you need to use the download template. The download template must be installed:

{{Cmd|apk add gnupg xz lxc-download
lxc-create -n container-name -t download}}
choose the Distribution | Release | Architecture.

To be able to log in to a Debian container, you currently need to:
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}

You can also [https://without-systemd.org/wiki/index_php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation/ remove Systemd from the container].

== Starting/Stopping the guest ==

First, you should enable the cgroup script:

{{Cmd|rc-update add cgroups}}

If you don't want to reboot, you can start the service by running

{{Cmd|rc-service cgroups start}}

Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart at boot-up with:
{{Cmd| rc-update add lxc.guest1}}

You can add to the container config: <code>lxc.start.auto = 1</code>

{{Cmd|rc-update add lxc}}

to autostart containers with the lxc service only.

== Connecting to the guest ==
By default, sshd is not installed. You'll have to attach to the container or connect to the virtual console. This is done with:

{{Cmd|lxc-attach -n guest1}}

Type exit to detach from the container again (please check the grsec notes above)

== Connect to virtual console ==

{{Cmd|lxc-console -n guest1}}

To disconnect, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped, then run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
Let's say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules:

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exist:

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth1
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255
lxc.net.0.ipv4.gateway = 192.168.1.1
lxc.net.0.veth.pair = veth-if-0
</pre>

and build your container with that file:

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your host, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface, br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is to push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

== See also ==
* [[Howto-lxc-simple]]

LXC

2023-08-24T18:23:16Z

Fabricionaweb: refer to lxc-bridge package to setup host network

[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].

== Installation ==
Install the required packages:
{{Cmd|apk add lxc bridge lxcfs lxc-download xz}}

If you want to create containers other than Alpine, you'll need lxc-templates:

{{Cmd|apk add lxc-templates}}

== Upgrading from 2.x ==

Starting with Alpine 3.9, we ship LXC version 3.1.
LXC 3.x has major changes which can and will break your current setup.
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).
For example if you use Alpine containers created with the Alpine template, you'll need to install:

apk add lxc-templates-legacy-alpine

Also make sure you convert your LXC config files to the new 2.x format (this is now required).

lxc-update-config -c /var/lib/lxc/container-name/config

Make sure you have removed '''cgroup_enable''' from your cmdline as this will fail to mount cgroups and fail LXC service.

== Prepare network on host ==
Install the {{Pkg|lxc-bridge}} package to create the <code>lxcbr0</code> bridge and configure the forwarding routes using iptables

apk add lxc-bridge iptables

Enable the dnsmasq [[OpenRC]] service at boot and start it

rc-update add dnsmasq.lxcbr0 boot
service dnsmasq.lxcbr0 start

If you dont want to forward the routes, add <code>DISABLE_IPTABLES="yes"</code> to the <code>/etc/conf.d/dnsmasq.lxcbr0</code> file

== Create a guest ==

=== Picking from the list ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t download}}

And just pick from the list. lxc-download and xz can be uninstalled after you are done.

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note: by default, the alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x64 compatible hardware, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you'll need to install some packages:

{{Cmd|apk add debootstrap rsync}}

You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Remember to turn them back on, or simply reboot.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}

==== Setting a static IP ====
Since Debian Bullseye 11.3 you can't assign a static IP address using the lxc config file of the container [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009351 because of a systemd change].
To make it work with a configuration like the following

# grep net /var/lib/lxc/bullseye/config
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = virbr1
lxc.net.0.ipv4.address = 192.168.1.111/24
lxc.net.0.ipv4.gateway = 192.168.1.1

You have to attach to the container and run

{{Cmd|lxc-attach -n bullseye
systemctl stop systemd-networkd
systemctl disable systemd-networkd
reboot
}}

After the reboot the IP address should be set correctly. This can be confirmed using the lxc-ls command

{{Cmd|# lxc-ls -f
NAME STATE AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED
bullseye RUNNING 1 - 192.168.1.111 - false
}}

=== Ubuntu template ===

{{Obsolete|Alpine has not contained grsec for a long time}}

In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Remember to turn them back on, or simply reboot.

Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)

{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}

{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}

=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===

To enable unprivileged containers, one must create a uidgid map:

echo root:1000000:65536 | tee -a /etc/subuid
echo root:1000000:65536 | tee -a /etc/subgid

This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.

To configure containers to use this mapping, add the following lines to the configuration:

lxc.idmap = u 0 1000000 65536
lxc.idmap = g 0 1000000 65536

This can be in the global or container-specific configuration.

To create an unprivileged lxc container, you need to use the download template. The download template must be installed:

{{Cmd|apk add gnupg xz lxc-download
lxc-create -n container-name -t download}}
choose the Distribution | Release | Architecture.

To be able to log in to a Debian container, you currently need to:
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}

You can also [https://without-systemd.org/wiki/index_php/How_to_remove_systemd_from_a_Debian_jessie/sid_installation/ remove Systemd from the container].

== Starting/Stopping the guest ==

First, you should enable the cgroup script:

{{Cmd|rc-update add cgroups}}

If you don't want to reboot, you can start the service by running

{{Cmd|rc-service cgroups start}}

Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart at boot-up with:
{{Cmd| rc-update add lxc.guest1}}

You can add to the container config: <code>lxc.start.auto = 1</code>

{{Cmd|rc-update add lxc}}

to autostart containers with the lxc service only.

== Connecting to the guest ==
By default, sshd is not installed. You'll have to attach to the container or connect to the virtual console. This is done with:

{{Cmd|lxc-attach -n guest1}}

Type exit to detach from the container again (please check the grsec notes above)

== Connect to virtual console ==

{{Cmd|lxc-console -n guest1}}

To disconnect, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped, then run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
Let's say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules:

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exist:

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth1
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255
lxc.net.0.ipv4.gateway = 192.168.1.1
lxc.net.0.veth.pair = veth-if-0
</pre>

and build your container with that file:

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your host, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface, br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is to push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

== See also ==
* [[Howto-lxc-simple]]

Docker

2023-08-19T06:54:16Z

Fabricionaweb: fix docker compose package

== Installation ==

The {{Pkg|docker}} package is in the 'community' repository. See [[Repositories]] how to add a repository.

apk add docker

Connecting to the Docker daemon through its socket requires you to add yourself to the `docker` group.

addgroup username docker

To start the Docker daemon at boot, see [[OpenRC]].

rc-update add docker default
service docker start

=== Docker rootless ===

Docker rootless allows unprivileged users to run the docker daemon and docker containers in user namespaces. This is not the same as dockremap explained in the section below. With dockremap the daemon still runs as root.

This requires the {{Pkg|docker-rootless-extras}} package (available in <code>community</code>) and enabling <code>cgroups v2</code>:
edit /etc/rc.conf and set rc_cgroup_mode to unified. Then start the service on boot:

rc-update add cgroups

Additionally, the <code>/etc/subuid</code> and <code>/etc/subgid</code> files need to be set up as explained in [https://docs.docker.com/engine/security/rootless/ the official documentation].

=== Docker Compose ===

{{Pkg|docker-cli-compose}} is in the 'community' repository starting with Alpine Linux 3.15.

apk add docker-cli-compose

== Isolate containers with a user namespace ==
<pre>
adduser -SDHs /sbin/nologin dockremap
addgroup -S dockremap
echo dockremap:$(cat /etc/passwd|grep dockremap|cut -d: -f3):65536 >> /etc/subuid
echo dockremap:$(cat /etc/passwd|grep dockremap|cut -d: -f4):65536 >> /etc/subgid
</pre>

add to '''/etc/docker/daemon.json'''

<pre>
{
"userns-remap": "dockremap"
}
</pre>

''You may also consider these options : '''
"experimental": false,
"live-restore": true,
"ipv6": false,
"icc": false,
"no-new-privileges": false'''''

You'll find all possible configurations here[https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file].

== Example: How to install docker from Arch ==

https://wiki.archlinux.org/index.php/Docker

== "WARNING: No {swap,memory} limit support" ==

You might encounter this message when executing <code>docker info</code>.
To correct this situation, we have to enable the <code>cgroup_enable=memory swapaccount=1</code>

==== Alpine 3.8 ====
It may not have been the case before, but with Alpine 3.8, you must config cgroups properly

'''''Warning''''': This seems ''not'' to work with Alpine 3.9 and Docker 18.06. Follow the instructions for grub or extlinux below instead.

<pre>echo "cgroup /sys/fs/cgroup cgroup defaults 0 0" >> /etc/fstab</pre>
<pre>
cat >> /etc/cgconfig.conf <<EOF
mount {
cpuacct = /cgroup/cpuacct;
memory = /cgroup/memory;
devices = /cgroup/devices;
freezer = /cgroup/freezer;
net_cls = /cgroup/net_cls;
blkio = /cgroup/blkio;
cpuset = /cgroup/cpuset;
cpu = /cgroup/cpu;
}
EOF
</pre>

=== Grub ===
If you use Grub, add the cgroup condition into <code>/etc/default/grub</code>, then upgrade your grub

<pre>GRUB_CMDLINE_LINUX_DEFAULT="... cgroup_enable=memory swapaccount=1"</pre>

=== Extlinux ===
With Extlinux, you add the cgroup condition, but inside of <code>/etc/update-extlinux.conf</code>

<pre>default_kernel_opts="... cgroup_enable=memory swapaccount=1"</pre>

then update the config and reboot

<code>update-extlinux</code>

== How to use docker ==

The best documentation on using Docker and creating containers is at the [https://docs.docker.com/ official docker site]. Adding anything to it here would be redundant.

If you create an account at docker.com, you can browse through user images and learn from the syntax in contributed dockerfiles.

Official Docker image files are denoted on the website by a blue ribbon.

== See also ==
* [https://www.erianna.com/creating-a-alpine-linux-repository/ Creating and Hosting an Alpine Linux Package Repository for Docker Packages]
* [[Running Alpine in a Docker Container]]

[[Category:Virtualization]]

Syslog

2023-05-28T11:19:30Z

Fabricionaweb: fix syslog config file - files under /etc/conf.d no longer use extension

{{TOC right}}

Syslog collects log data from multiple programs either to RAM or to a file, and handles log rotation (similar to <code>journald</code> on systemd-based systems). Alpine installs <code>syslog</code> as provided by <code>busybox</code> per default, but it also packages [https://pkgs.alpinelinux.org/packages?name=*syslog* other implementations], such as <code>rsyslog</code> and <code>syslog-ng</code>.

== busybox syslog ==
=== Running syslogd ===
Depending on how you have installed Alpine, it is already running (check with <code>ps a | grep syslogd</code>). Otherwise enable it at boot and start it with the following commands:

<pre>
# rc-update add syslog boot
# rc-service syslog start
</pre>

=== Configuration ===
Edit <code>/etc/conf.d/syslog</code> to change the options used when running <code>syslogd</code>. All available options can be looked up with <code>syslogd --help</code>.

=== Reading logs ===
<pre>
# tail -f /var/log/messages
Shows all messages and follows the log
# tail -f /var/log/messages | grep ssh
Only shows SSH related messages, also follows the log
</pre>

When <code>-C</code> is enabled in the configuration:
<pre>
# logread -f
# logread -f | grep ssh
</pre>

=== Writing logs ===
Many applications are able to write to the syslog by default (e.g. <code>sshd</code>). If you wish to write manually to it, use the <code>logger</code> program.

<pre>
$ logger "hello world"
</pre>

[[category:System Administration]]