Alpine Linux - User contributions [en]

Setting up GVM 21.4

2022-02-25T09:55:32Z

Fcolista: Created page with "= Greenbone Vulnerability Management (GVM) 21.4 = = Introduction = Greenbone Vulnerability Management is available in community repository. The version 21.4, at the moment o..."

= Greenbone Vulnerability Management (GVM) 21.4 =
= Introduction =

Greenbone Vulnerability Management is available in community repository.

The version 21.4, at the moment of the writing, is available on edge.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs gsad ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit
exit

== GVMd ==

GVMd run as gvm user.

Generate the certificate.

The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.

You can setup the certificate automatically with:
su gvm
gvm-manage-certs -a
exit
Create credentials used to interact with gvmd:

rc-service gvmd start
su gvm
gvmd --create-user=admin --password=admin

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast".

gvmd will only create these resources if a "Feed Import Owner" is configured:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

gvmd --get-users --verbose

Make sure that gvmd responds with "USER CREATED". If you run through these steps fast, and gvm is in the middle of something, it may not create the user until it is done with what it is computing.

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as gvm user.
Be patient...it will take a while:

su gvm
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT
exit

This three feeds needs to be scheduled via cron.

Add gvmd to start on boot:

rc-update add gvmd

Download NVT definitions:

su gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Create '''/etc/conf.d/gsad:''' with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assessment!

=Troubleshooting=

==greenbone-nvt-sync can't create /run/ospd/feed-update.lock==
If during the first greenbone-nvt-sync, or greenbone-feed-sync, you get an error about can't create /run/ospd/feed-update.lock permission denied you might've run ospd / openvas too early. In /var/log/gvm/openvas.log there will be a loop where ospd is looking for the feed files which don't exist. Kill the process, then manually remove the lock file. However, if it looks like it is actively syncing the feed (iftop), then let it complete the sync first.

[[Category:Server]]
[[Category:Monitoring]]

Ddclient

2021-01-25T15:36:56Z

Fcolista:

{{TOC right}}

== How to download and install the latest version of ddclient ==

DDclient is a perl script to update accounts for Dynamic DNS Service Provider. [https://sourceforge.net/projects/ddclient/]

== Install ==

ddclient is available in testing/edge repository.

In order to use it, you need first to enable that repository by adding to /etc/apk/repositories:

<code># echo http://dl-cdn.alpinelinux.org/alpine/edge/testing</code>

<code># apk update</code>

<code># apk add ddclient</code>

== Configuration ==

A sample configuration file is installed by default in <code>/etc/ddclient/ddclient.conf.sample.</code>

Rename it as <code>/etc/ddclient/ddclient.conf</code> and modify it according to your needs.

Then, start ddclient as usual:

<code># rc-service ddclient start</code>

If you want/need, configure the service to start automatically on boot:

<code># rc-update add ddclient default</code>

[[Category:Networking]]

Setting up GVM11

2020-05-23T09:08:55Z

Fcolista:

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as root user.
Be patient...it will take a while:

greenbone-scapdata-sync
greenbone-certdata-sync
rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

NVT definitions can be downloaded as gvm user:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Modify '''/etc/conf.d/gsad:''' with:
GSAD_LISTEN="--listen=0.0.0.0"

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Setting up GVM11

2020-05-15T20:32:43Z

Fcolista:

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as root user.
Be patient...it will take a while:

greenbone-scapdata-sync
greenbone-certdata-sync
rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

NVT definitions can be downloaded as gvm user:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Modify '''/etc/conf.d/gsad:''' with:
GSAD_LISTEN="--listen=0.0.0.0"

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Setting up GVM11

2020-05-15T16:40:24Z

Fcolista: Created page with "= Greenbone Vulnerability Management (GVM) 11 = = Introduction = OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in communi..."

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as root user.
Be patient...it will take a while:

greenbone-scapdata-sync
greenbone-certdata-sync
rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

NVT definitions can be downloaded as gvm user:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Modify '''/etc/conf.d/gsad:''' with:
GSAD_LISTEN="--listen=0.0.0.0"

Or, in one shot:
sed -i -e "s/127\.0\.0\.1/0\.0\.0\.0/g" /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

How to make a custom ISO image with mkimage

2017-05-19T09:15:08Z

Fcolista:

This document explains how to build a custom ISO image using the new mkimage scripts located in aports directory.

== Prerequisite ==

First make sure we have the needed tools
{{Cmd|apk add build-base apk-tools alpine-conf busybox fakeroot syslinux xorriso}}
For efi you shoud add
{{Cmd|mtools dosfstools grub-efi}}

Create a user (e.g. build) and add it to abuild group:
{{Cmd|useradd build -G abuild}}

Then create signing keys (-i installs them in /etc/apk/keys which is required for later)
{{Cmd|abuild-keygen -i -a}}

{{Tip| Make sure your public keys are placed in /etc/apk/keys/ (example: build-xxxxxxxx.rsa.pub):
{{Cmd|ls /etc/apk/keys/}}

Clone (or update) the [http://git.alpinelinux.org/cgit/aports/ git repository].
{{Cmd|git clone git://git.alpinelinux.org/aports}}

Make sure the apk index is up to date (so apk finds the packages):
{{Cmd|apk update}}

== Configuration ==

The mkimg scripts are shipped with pre-configured profiles.

The format is '''mkimg.$PROFILENAME.sh'''

So, in order to have a custom ISO, you should create your own '''mkimg.$PROFILENAME.sh''' script.

This is an example used to have ZFS module, overlayfs (which allows to have /lib/modules in r/w), a serial console output and some other useful apks to build a simple NAS:

<pre>export PROFILENAME=nas</pre>

{{Cmd|cat << EOF > ~/aports/scripts/mkimg.$PROFILENAME.sh}}

<pre>
profile_$PROFILENAME() {
profile_standard
kernel_flavors=""
kernel_cmdline="unionfs_size=512M console=tty0 console=ttyS0,115200"
syslinux_serial="0 115200"
kernel_addons="zfs spl"
apks="$apks iscsi-scst zfs-scripts zfs zfs-utils-py
cciss_vol_status lvm2 mdadm mkinitfs mtools nfs-utils
parted rsync sfdisk syslinux unrar util-linux xfsprogs
dosfstools ntfs-3g
"
local _k _a
for _k in $kernel_flavors; do
apks="$apks linux-$_k"
for _a in $kernel_addons; do
apks="$apks $_a-$_k"
done
done
apks="$apks linux-firmware"
}
</pre>

Set the script as executable:
{{Cmd|chmod +x mkimg.$PROFILENAME.sh}}

== Create the ISO ==

Create a iso directory in your home dir:

{{Cmd|mkdir -p ~/iso}}

Then create the actual ISO.
In this example we will use the edge version x86_64:
{{Cmd|sh mkimage.sh --tag edge \
--outdir ~/iso \
--arch x86_64 \
--repository http://dl-cdn.alpinelinux.org/alpine/edge/main \
--profile $PROFILENAME
}}

'''Notes:'''

Of course, several passages of this doc can be automated with a script, like the repository/arch/outdir settings.
This steps are left to you and to your imagination :)

== Testing your ISO image ==

[[Qemu#Live_mode| Qemu]] is useful for a quick test of your created ISO image.

[[Category:Package Manager]]
[[Category:ISO]]

How to make a custom ISO image with mkimage

2017-05-19T09:09:34Z

Fcolista: Created page with "This document explains how to build a custom ISO image using the new mkimage scripts located in aports directory. == Prerequisite == First make sure we have the needed tools..."

This document explains how to build a custom ISO image using the new mkimage scripts located in aports directory.

== Prerequisite ==

First make sure we have the needed tools
{{Cmd|apk add build-base apk-tools alpine-conf busybox fakeroot syslinux xorriso}}
For efi you shoud add
{{Cmd|mtools dosfstools grub-efi}}

Create a user (e.g. build) and add it to abuild group:
{{Cmd|useradd build -G abuild}}

Then create signing keys (-i installs them in /etc/apk/keys which is required for later)
{{Cmd|abuild-keygen -i -a}}

{{Tip| Make sure your public keys are placed in /etc/apk/keys/ (example: build-xxxxxxxx.rsa.pub):
{{Cmd|ls /etc/apk/keys/}}

Clone (or update) the [http://git.alpinelinux.org/cgit/aports/ git repository].
{{Cmd|git clone git://git.alpinelinux.org/aports}}

Make sure the apk index is up to date (so apk finds the packages):
{{Cmd|apk update}}

== Configuration ==

The mkimg scripts are shipped with pre-configured profiles.

The format is '''mkimg.$PROFILENAME.sh'''

So, in order to have a custom ISO, you should create your own '''mkimg.$PROFILENAME.sh''' script.

This is an example used to have ZFS module, unionfs (which allows to have /lib/modules in r/w), a serial console output and some other useful apks to build a simple NAS:

<pre>export PROFILENAME=nas</pre>

{{Cmd|cat << EOF > ~/aports/scripts/mkimg.$PROFILENAME.sh}}

<pre>
profile_$PROFILENAME() {
profile_standard
kernel_flavors=""
kernel_cmdline="unionfs_size=512M console=tty0 console=ttyS0,115200"
syslinux_serial="0 115200"
kernel_addons="zfs spl"
apks="$apks iscsi-scst zfs-scripts zfs zfs-utils-py
cciss_vol_status lvm2 mdadm mkinitfs mtools nfs-utils
parted rsync sfdisk syslinux unrar util-linux xfsprogs
dosfstools ntfs-3g
"
local _k _a
for _k in $kernel_flavors; do
apks="$apks linux-$_k"
for _a in $kernel_addons; do
apks="$apks $_a-$_k"
done
done
apks="$apks linux-firmware"
}
</pre>

Set the script as executable:
{{Cmd|chmod +x mkimg.$PROFILENAME.sh}}

== Create the ISO ==

Create a iso directory in your home dir:

{{Cmd|mkdir -p ~/iso}}

Then create the actual ISO.
In this example we will use the edge version x86_64:
{{Cmd|sh mkimage.sh --tag edge \
--outdir ~/iso \
--arch x86_64 \
--repository http://dl-cdn.alpinelinux.org/alpine/edge/main \
--profile $PROFILENAME
}}

'''Notes:'''

Of course, several passages of this doc can be automated with a script, like the repository/arch/outdir settings.
This steps are left to you and to your imagination :)

== Testing your ISO image ==

[[Qemu#Live_mode| Qemu]] is useful for a quick test of your created ISO image.

[[Category:Package Manager]]
[[Category:ISO]]

Install Alpine on LXD

2017-05-17T06:52:23Z

Fcolista: Seems that the user copy/pasted the doc from a debian-oriented distro documentation...

== LXD ==

LXD is an easy to use daemon and client for managing LXC containers. It is included by default in Ubuntu 16.04 and later versions. It may become available in other distributions, such as debian. If you are not familiar at all with LXC or LXD, start directly with LXD. For detailed instructions on how to use it, lookup Stéphane Graber's blog post series on LXD.

With LXD you can start an Alpine Linux container in seconds, in practically any Ubuntu 16.04 (or later) system, including:
* A standalone system
* An Amazon EC2 instance
* An OpenStack KVM VPS

These instructions assume you are running on an amd64 (x86_64) platform.

== LXD configuration ==
Before you launch LXD containers, you must configure LXD:
{{Cmd|sudo lxd init}}
Accept all the defaults. You can rerun this if you have no containers.
The ZFS storage method is recommended, because of its ability to create instant snapshots and copies of containers, but it requires additional configuration and it is not available everywhere (e.g. in a VPS host). dir will do just fine for a demo.

== Container creation ==

To install Alpine Linux edge version run:
{{Cmd|lxc launch images:alpine/edge a1}}

To install Alpine Linux 3.5 run:
{{Cmd|lxc launch images:alpine/3.5 a2}}

To enter a shell in the container:
{{Cmd|lxc exec a1 ash}}

== Fixing the container ==
Once you create the container, edit /etc/inittab and comment out all lines that start with "tty". Otherwise, the container will keep writing warnings on /var/log/messages. Here's a script to automate this:
<pre>
#!/bin/sh

sed -i 's/^tty/# tty/g' /etc/inittab

# clean messages
rm /var/log/messages
</pre>

Let's say this script is called fixgetty.sh. To copy it to the container, use the following:
{{Cmd|lxc file push fixgetty.sh a1/root/}}

After you fix /etc/inittab, reboot the container:
{{Cmd|reboot}}

== Networking ==
The container has outgoing access to the network, but no incoming public access, since it doesn't have a public ip. You can provide incoming access using several networking techniques:
* On a LAN, it suffices to add a route through the host LXD node
* Use an iptables configurator, such as shorewall
* For HTTP/HTTPS access, use an HTTP reverse proxy/load balancer, such as pound, to redirect HTTP requests to various containers. You can run the HTTP reverse proxy in an Alpine container, once you redirect the ports that you want to it, (using iptables).

[[Category:Virtualization]]

Talk:LXC

2016-04-28T06:22:55Z

Fcolista: /* About lxc-attach */

= Alternative Network Setup =

These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. The host resides on the "OOB" network, and if the host needs to talk to a guest, it does so with lxc-console, like having a KVM. Each guest should get its address from the DHCP server on the appropriate vlan.Something like this:

Setup:
{| class="wikitable" border="1"
|-
| host
| dhcp on vlan 8
|-
| guest1
| dhcp on vlan 64
|-
| guest2
| dhcp on vlan 129
|-
| guest3
| dhcp on vlan64 (different address)
|}

* Host's /etc/network/interfaces file
auto lo
iface lo inet loopback

# MGMT vlan
auto eth0.8
iface eth0.8 inet dhcp
hostname lxchost

# USR vlan - we bring it up, but dont assign an address
auto eth0.65
iface eth0.65 inet manual
up ip link set $IFACE addr de:ad:be:ef:ca:fe
up ip link set $IFACE up
down ip link set $IFACE down

# VoIP vlan - we bring it up, but dont assign an address
auto eth0.129
iface eth0.129 inet manual
up ip link set $IFACE addr 0f:f1:ce:c0:ff:ee
up ip link set $IFACE up
down ip link set $IFACE down

* Here's /etc/lxc/lxc.conf
lxc.network.type = macvlan
# Allow guests on the same vlan to see each other
lxc.network.macvlan.mode = bridge
lxc.network.link = eth0.65
lxc.network.name = eth0
# lxc.network.hwaddr = de:ad:be:ef:c0:00 # macvlan will make one up, but possible if wanted
# lxc.network.flags = up # Do NOT bring up the interface, we will do so within the container
# lxc.network.ipv4 = 0.0.0.0 # Do NOT assign an address, we do so within the container

# Capabilities to drop (for instance, to stop the guest from mounting sys)
# Taken from http://sourceforge.net/mailarchive/message.php?msg_id=28285704
# sys_boot is not listed here, as it causes problems when the host tries to stop the guest

# If you trust the guest, then you can get by without dropping capabilities

lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
lxc.cap.drop= sys_tty_config sys_time
* Create the guests
for a in `seq 1 3`; do
lxc-create -n guest${a} -f /etc/lxc/lxc.conf -t alpine
ln -s /etc/init.d/lxc /etc/init.d/lxc.guest${a}
done
* vi /var/lib/lxc/guest2/config
change lxc.network.link to eth0.129
* Start and enter the first guest (this is where the fun starts)
/etc/init.d/lxc.guest1 start
lxc-console -n guest1

=== Fun inside the guest ===

* /dev/null is currently created as a regular file
* /dev/zero doesn't exist

To create these, do the following from ''the host''

<pre>
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/null
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/zero
mknod /var/lib/lxc/[guest-name]/rootfs/dev/zero c 1 5
mknod /var/lib/lxc/[guest-name]/rootfs/dev/null c 1 3
</pre>

We do this in the host because our default config drops mknod capabilites in the guest.

=== What Works, What Doesnt ===
* Pro
** Each guest has its own mac address
** Network connectivity between each guest
** No communication allowed between host and guests (this is a plus in our case - managment vlan != user vlan)
** if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet)
* Con
** No communication allowed between host and guests because we are not using a bridge interface (this is a plus in our case - managment vlan != user vlan)

== About lxc-attach ==

I cannot conncect to any AL LXC build under AL... the response is always <pre>
infra:~# lxc-attach --name=git -- "ps ax"
lxc_container: attach.c: lxc_attach_to_ns: 196 Operation not permitted - failed to set namespace 'pid'
lxc_container: attach.c: lxc_attach: 844 failed to enter the namespace
</pre>
What did I possibly wrong? 
Or is it a bug in AL LXC?

=== Update about lxc-attach ===

'''LXC-host: lxc-attach fail with "lxc_attach_to_ns: 270 Operation not permitted - failed to set namespace 'pid'"'''

'''Issue:''' When you try to run lxc-attach, this fails. "use of CAP_SYS_ADMIN in chroot denied for /usr/bin/lxc-attach" appears in dmesg. 
'''Cause:''' This issue due to grsecurity restriction in the lxc host. 
'''Workaround:''' Add the following settings to your sysctl.conf file: 
<pre>
kernel.grsecurity.chroot_caps=0
kernel.grsecurity.chroot_deny_chmod=0
</pre>

Since those settings are read only at lxc host boot, and they have been applied in a second time, some of the lxc hosts might not have those settings loaded yet.
A simple workaround can be:

<pre>
echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
</pre>

or simply run:

<pre>sysctl -p</pre>

Dynamic Multipoint VPN (DMVPN) Phase 3 with Quagga NHRPd

2015-10-29T09:35:55Z

Fcolista:

= THIS DOC IS STILL A DRAFT =

= Overview =
This is a follow-up of the most famous document [http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)],
since opennhrp has been rewritten as quagga plugin [1], supporting interoperability with new Cisco's FlexVPN and Strongswan.

This NHRP implementation has some limits yet (Multicast is not ready, so you need to use BGP rather than OSPF), though is usable in a production environment.

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

This How-To will show you how to configure a DMVPN solution with this key items:

.1 VPN setup with Strongswan with PSK for the authentication (same PSK between all of the spokes and hub)

.2 DMVPN setup with quagga.nhrpd;

.3 iBGP used for announce LAN subnet

.4 Awall rules to allow NHRP shortcuts between spokes

The goal is making private network of spoke's nodes and hub to communicate each other over VPN created dynamically.
Routes are learned via BGP, and hte IPSEC VPN is authenticated via PSK.

The logical setup is configured as shown:

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

= Hardware =

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Alpine Installation =

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

= Spoke Nodes =

== Spoke Node 1 ==

== Networking ==

We're going to setup the spoke node 1 as follow:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="3"|Spoke 1
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.10.0/24
|-
|gre1
|Tunnel
|172.16.1.1
|-
|rowspan="3"|Spoke 2
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.20.0/24
|-
|gre1
|Tunnel
|172.16.2.1
|-
|rowspan="3"|Spoke 3
|eth0
|Internet
|90.100.150.200
|-
|eth1
|LAN
|192.168.30.0/24
|-
|gre1
|Tunnel
|172.16.3.1
|-
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
}}

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.1.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>
connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = spoke1
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

== Routing ==

This section will configure the routing protocol suite quagga patched with NHRP support.

{{Cmd|apk add quagga-nhrp
touch /etc/quagga/zebra.conf /etc/quagga/bgpd.conf /etc/quagga/nhrpd.conf}}}

Fix permissions:
{{Cmd|chown -R quagga:quagga /etc/quagga}}}

Start all the daemons:

{{Cmd|/etc/init.d/zebra start
/etc/init.d/bgpd start
/etc/init.d/nhrpd start
}}

Configure it to start from boot:
{{Cmd|rc-update add zebra nhrpd bgpd}}

Now we're going to configure it with <code>vtysh</code> cli:

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.1.1
network 192.168.10.0/24
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp next-hop-self
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.0.1 peer-group spokes-ibgp
exit

nhrp nflog-group 1
interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

= Hub Node =

We will document only what changes from the Spoke node setup.

== Networking ==

The NHS (Hub) has the following settings:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="2"|Hub
|eth0
|Internet
|50.60.70.80
|-
|eth1
|LAN
|192.168.1.0/24
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 50.60.70.80
netmask 255.255.255.0
gateway 50.60.70.1

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.0.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new gre1 interface:

{{Cmd|ifup gre1}}

== Routing ==

Again, routing is configured directly with <code>vtysh</code>

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.0.1
bgp deterministic-med
network 172.16.0.0/16
redistribute nhrp
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp route-reflector-client
neighbor spokes-ibgp next-hop-self all
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.1.1 peer-group spokes-ibgp
exit

interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have.
For instance, if you want to add spoke node with gre1 address 172.16.3.1:

{{Cmd|vtysh
conf t
router bgp 65000
neighbor 172.16.3.1 peer-group spokes-ibgp
exit
write mem
}}

== Awall ==

Differently from DMVPN Phase 2, in the Phase 3 DMVPN the HUB is the default gateway for all the spokes, then the spokes are able to communicate directly each other by means of NHRP redirects.

(For a good explanation of the differences between Phase 1, Phase 2 and Phase 3 DMVPN, see http://blog.ine.com/2008/12/23/dmvpn-phase-3/).

This is implemented by sending traffic indication notifications with iptables nflog.

This is the complete firewall configuration for the HUB, using Alpine Firewall Framework, Awall [http://wiki.alpinelinux.org/wiki/Alpine_Wall].

With your favorite editor open <code>/etc/awall/optional/zones.json</code>:

{{cat|/etc/awall/optional/zones.json|<nowiki>

{
"description": "Zones - zone definition for management",

"variable": {
"SUBNETS": [ "192.168.0.0/16", "172.16.0.0/16" ]
},

"zone": {
"DMVPN": { "addr": "$SUBNETS" }
}
}
</nowiki>}}

Now, create <code>/etc/awall/optional/inet.json</code>:

{{cat|/etc/awall/optional/inet.json|<nowiki>
{
"description": "Internet - Host Management (rate limited)",

"zone": {
"INET": { "iface": "eth0" }
},

"policy": [
{ "in": "INET", "action": "drop" }
],

"filter": [
{
"in": "INET",
"out": "_fw",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "INET",
"out": "_fw",
"service": "ssh",
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "_fw",
"out": "INET",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
</nowiki>}}

Now, the DMVPN rule:

{{cat|/etc/awall/optional/dmvpn.json|<nowiki>
{
"description": "DMVPN specific rules",

"import": [ "inet", "zones" ],

"variable": {
"HUB": true
},

"policy": [
{ "in": "DMVPN", "out": "DMVPN", "action": "accept" }
],

"zone": {
"DMVPN": { "iface": "gre1", "addr": "$SUBNETS", "route-back": "$HUB" }
},

"filter": [
{ "in": "INET", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "INET", "service": "ipsec", "action": "accept" },
{
"in": "INET",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "INET",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "DMVPN", "service": "bgp", "action": "accept" },
{ "in": "DMVPN", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "INET", "dest": "$SUBNETS", "action": "reject" }
]
}
</nowiki>}}

Management interface allowed traffic:

{{cat|/etc/awall/optional/management.json|<nowiki>
{
"description": "Host Management (ssh, https, ping)",

"import": [ "zones" ],

"policy": [
{ "in": "DMVPN", "out": "_fw", "action": "reject" }
],

"filter": [
{
"in": "DMVPN",
"out": "_fw",
"service": [ "ping", "ssh", "https", "bgp" ],
"action": "accept"
},
{
"in": "_fw",
"out": "DMVPN",
"service": [ "ping", "ssh", "http", "http-alt", "https", "dns", "ntp" ],
"action": "accept"
}
]
}
</nowiki>}}

NHRP redirects rule:

{{cat|/etc/awall/optional/vpnredirect.json|<nowiki>
{
"description": "NHRP Traffic Indication Probe",

"log": {
"dmvpn": {
"mode": "nflog",
"group": 1,
"range": 128,
"limit": {
"count": 6,
"interval": 60,
"mask": {
"inet": { "src": 16, "dest": 16 },
"inet6": { "src": 48, "dest": 48 }
}
}
}
},

"packet-log": [ { "in": "DMVPN", "out": "DMVPN", "log": "dmvpn" } ]
}
</nowiki>}}

Enable awall rules:

{{Cmd|awall enable zones
awall enable inet
awall enable dmvpn
awall enable vpnredirect
}}

Apply awall rules:

{{Cmd|awall activate -f
}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>

connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = hub
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

Now, test if it works.
In this example, spoke 1 tries to connect to spoke 3, who announces his subnet 192.168.30.0/24 via iBGP, the gre1 address is 172.16.3.1 and the public ip address is 90.100.150.200.

The first traffic goes from through the HUB.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 172.16.0.1 0.664 ms 0.461 ms 0.457 ms
2 192.168.30.1 0.907 ms 0.776 ms 0.771 ms
}}

Then, once the VPN is created, the traffic goes directly to the spoke node.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 192.168.30.1 0.456 ms 0.385 ms 0.357 ms
}}

With <code>ipsec --status-all</code> you can see alle the VPNs created:

{{Cmd|spoke1:~/root# ipsec statusall<nowiki>
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.20-1-grsec, i686):
uptime: 9 days, since Aug 28 14:22:27 2015
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity
Listening IP addresses:
192.168.10.1
172.17.50.1
172.16.1.1
Connections:
dmvpn: %any...%any IKEv2, dpddelay=15s
dmvpn: local: [spoke1] uses pre-shared key authentication
dmvpn: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (3 up, 0 connecting):
dmvpn[121]: ESTABLISHED 4 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[121]: IKEv2 SPIs: c770729967ea636c_i 0de8ffedbe32f21c_r*, rekeying in 3 hours, pre-shared key reauthentication in 12 hours
dmvpn[121]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{187}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c132e6c3_i c49ae122_o
dmvpn{187}: AES_CBC_256/HMAC_SHA2_512_256, 469 bytes_i (6 pkts, 2s ago), 326 bytes_o (6 pkts, 2s ago), rekeying in 90 minutes
dmvpn{187}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[120]: ESTABLISHED 8 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[120]: IKEv2 SPIs: 46f81c8ec9a4b753_i* f768298b31ebe4da_r, rekeying in 3 hours, pre-shared key reauthentication in 11 hours
dmvpn[120]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{186}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cad2c1c9_i cd5a287c_o
dmvpn{186}: AES_CBC_256/HMAC_SHA2_512_256, 74 bytes_i (1 pkt, 2s ago), 46 bytes_o (1 pkt, 2s ago), rekeying in 91 minutes
dmvpn{186}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[119]: ESTABLISHED 2 hours ago, 172.17.50.1[spoke1]...50.60.70.80[hub]
dmvpn[119]: IKEv2 SPIs: 0e999ad802ced9cc_i* 6eaa469463601437_r, rekeying in 84 minutes, pre-shared key reauthentication in 8 hours
dmvpn[119]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{185}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c84d6035_i cb72cd30_o
dmvpn{185}: AES_CBC_256/HMAC_SHA2_512_256, 35764 bytes_i (473 pkts, 0s ago), 38266 bytes_o (384 pkts, 0s ago), rekeying in 46 minutes
dmvpn{185}: 172.17.50.1/32[gre] === 50.60.70.80/32[gre]
</nowiki>}}

Dynamic Multipoint VPN (DMVPN) Phase 3 with Quagga NHRPd

2015-10-29T09:34:37Z

Fcolista:

= THIS DOC IS STILL A DRAFT =

= Overview =
This is a follow-up of the most famous document [http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)],
since opennhrp has been rewritten as quagga plugin [1], supporting interoperability with new Cisco's FlexVPN and Strongswan.

This NHRP implementation has some limits yet (Multicast is not ready, so you need to use BGP rather than OSPF), though is usable in a production environment.

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

This How-To will show you how to configure a DMVPN solution with this key items:

.1 VPN setup with Strongswan with PSK for the authentication (same PSK between all of the spokes and hub)

.2 DMVPN setup with quagga.nhrpd;

.3 iBGP used for announce LAN subnet

.4 Awall rules to allow NHRP shortcuts between spokes

The goal is making private network of spoke's nodes and hub to communicate each other over VPN created dynamically.
Routes are learned via BGP, and hte IPSEC VPN is authenticated via PSK.

The logical setup is configured as shown:

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

= Hardware =

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Alpine Installation =

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

= Spoke Nodes =

== Spoke Node 1 ==

== Networking ==

We're going to setup the spoke node 1 as follow:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="3"|Spoke 1
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.10.0/24
|-
|gre1
|Tunnel
|172.16.1.1
|-
|rowspan="3"|Spoke 2
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.20.0/24
|-
|gre1
|Tunnel
|172.16.2.1
|-
|rowspan="3"|Spoke 3
|eth0
|Internet
|90.100.150.200
|-
|eth1
|LAN
|192.168.30.0/24
|-
|gre1
|Tunnel
|172.16.3.1
|-
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
}}

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.1.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>
connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = spoke1
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

== Routing ==

This section will configure the routing protocol suite quagga patched with NHRP support.

{{Cmd|apk add quagga-nhrp
touch /etc/quagga/zebra.conf /etc/quagga/bgpd.conf /etc/quagga/nhrpd.conf}}}

Fix permissions:
{{Cmd|chown -R quagga:quagga /etc/quagga}}}

Start all the daemons:

{{Cmd|/etc/init.d/zebra start
/etc/init.d/bgpd start
/etc/init.d/nhrpd start
}}

Configure it to start from boot:
{{Cmd|rc-update add zebra nhrpd bgpd}}

Now we're going to configure it with <code>vtysh</code> cli:

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.1.1
network 192.168.10.0/24
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp next-hop-self
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.0.1 peer-group spokes-ibgp
exit

nhrp nflog-group 1
interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

= Hub Node =

We will document only what changes from the Spoke node setup.

== Networking ==

The NHS (Hub) has the following settings:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="2"|Hub
|eth0
|Internet
|50.60.70.80
|-
|eth1
|LAN
|192.168.1.0/24
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 50.60.70.80
netmask 255.255.255.0
gateway 50.60.70.1

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces<nowiki>|
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.0.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new gre1 interface:

{{Cmd|ifup gre1}}

== Routing ==

Again, routing is configured directly with <code>vtysh</code>

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.0.1
bgp deterministic-med
network 172.16.0.0/16
redistribute nhrp
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp route-reflector-client
neighbor spokes-ibgp next-hop-self all
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.1.1 peer-group spokes-ibgp
exit

interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have.
For instance, if you want to add spoke node with gre1 address 172.16.3.1:

{{Cmd|vtysh
conf t
router bgp 65000
neighbor 172.16.3.1 peer-group spokes-ibgp
exit
write mem
}}

== Awall ==

Differently from DMVPN Phase 2, in the Phase 3 DMVPN the HUB is the default gateway for all the spokes, then the spokes are able to communicate directly each other by means of NHRP redirects.

(For a good explanation of the differences between Phase 1, Phase 2 and Phase 3 DMVPN, see http://blog.ine.com/2008/12/23/dmvpn-phase-3/).

This is implemented by sending traffic indication notifications with iptables nflog.

This is the complete firewall configuration for the HUB, using Alpine Firewall Framework, Awall [http://wiki.alpinelinux.org/wiki/Alpine_Wall].

With your favorite editor open <code>/etc/awall/optional/zones.json</code>:

{{cat|/etc/awall/optional/zones.json|<nowiki>

{
"description": "Zones - zone definition for management",

"variable": {
"SUBNETS": [ "192.168.0.0/16", "172.16.0.0/16" ]
},

"zone": {
"DMVPN": { "addr": "$SUBNETS" }
}
}
</nowiki>}}

Now, create <code>/etc/awall/optional/inet.json</code>:

{{cat|/etc/awall/optional/inet.json|<nowiki>
{
"description": "Internet - Host Management (rate limited)",

"zone": {
"INET": { "iface": "eth0" }
},

"policy": [
{ "in": "INET", "action": "drop" }
],

"filter": [
{
"in": "INET",
"out": "_fw",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "INET",
"out": "_fw",
"service": "ssh",
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "_fw",
"out": "INET",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
</nowiki>}}

Now, the DMVPN rule:

{{cat|/etc/awall/optional/dmvpn.json|<nowiki>
{
"description": "DMVPN specific rules",

"import": [ "inet", "zones" ],

"variable": {
"HUB": true
},

"policy": [
{ "in": "DMVPN", "out": "DMVPN", "action": "accept" }
],

"zone": {
"DMVPN": { "iface": "gre1", "addr": "$SUBNETS", "route-back": "$HUB" }
},

"filter": [
{ "in": "INET", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "INET", "service": "ipsec", "action": "accept" },
{
"in": "INET",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "INET",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "DMVPN", "service": "bgp", "action": "accept" },
{ "in": "DMVPN", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "INET", "dest": "$SUBNETS", "action": "reject" }
]
}
</nowiki>}}

Management interface allowed traffic:

{{cat|/etc/awall/optional/management.json|<nowiki>
{
"description": "Host Management (ssh, https, ping)",

"import": [ "zones" ],

"policy": [
{ "in": "DMVPN", "out": "_fw", "action": "reject" }
],

"filter": [
{
"in": "DMVPN",
"out": "_fw",
"service": [ "ping", "ssh", "https", "bgp" ],
"action": "accept"
},
{
"in": "_fw",
"out": "DMVPN",
"service": [ "ping", "ssh", "http", "http-alt", "https", "dns", "ntp" ],
"action": "accept"
}
]
}
</nowiki>}}

NHRP redirects rule:

{{cat|/etc/awall/optional/vpnredirect.json|<nowiki>
{
"description": "NHRP Traffic Indication Probe",

"log": {
"dmvpn": {
"mode": "nflog",
"group": 1,
"range": 128,
"limit": {
"count": 6,
"interval": 60,
"mask": {
"inet": { "src": 16, "dest": 16 },
"inet6": { "src": 48, "dest": 48 }
}
}
}
},

"packet-log": [ { "in": "DMVPN", "out": "DMVPN", "log": "dmvpn" } ]
}
</nowiki>}}

Enable awall rules:

{{Cmd|awall enable zones
awall enable inet
awall enable dmvpn
awall enable vpnredirect
}}

Apply awall rules:

{{Cmd|awall activate -f
}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>

connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = hub
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

Now, test if it works.
In this example, spoke 1 tries to connect to spoke 3, who announces his subnet 192.168.30.0/24 via iBGP, the gre1 address is 172.16.3.1 and the public ip address is 90.100.150.200.

The first traffic goes from through the HUB.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 172.16.0.1 0.664 ms 0.461 ms 0.457 ms
2 192.168.30.1 0.907 ms 0.776 ms 0.771 ms
}}

Then, once the VPN is created, the traffic goes directly to the spoke node.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 192.168.30.1 0.456 ms 0.385 ms 0.357 ms
}}

With <code>ipsec --status-all</code> you can see alle the VPNs created:

{{Cmd|spoke1:~/root# ipsec statusall<nowiki>
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.20-1-grsec, i686):
uptime: 9 days, since Aug 28 14:22:27 2015
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity
Listening IP addresses:
192.168.10.1
172.17.50.1
172.16.1.1
Connections:
dmvpn: %any...%any IKEv2, dpddelay=15s
dmvpn: local: [spoke1] uses pre-shared key authentication
dmvpn: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (3 up, 0 connecting):
dmvpn[121]: ESTABLISHED 4 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[121]: IKEv2 SPIs: c770729967ea636c_i 0de8ffedbe32f21c_r*, rekeying in 3 hours, pre-shared key reauthentication in 12 hours
dmvpn[121]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{187}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c132e6c3_i c49ae122_o
dmvpn{187}: AES_CBC_256/HMAC_SHA2_512_256, 469 bytes_i (6 pkts, 2s ago), 326 bytes_o (6 pkts, 2s ago), rekeying in 90 minutes
dmvpn{187}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[120]: ESTABLISHED 8 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[120]: IKEv2 SPIs: 46f81c8ec9a4b753_i* f768298b31ebe4da_r, rekeying in 3 hours, pre-shared key reauthentication in 11 hours
dmvpn[120]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{186}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cad2c1c9_i cd5a287c_o
dmvpn{186}: AES_CBC_256/HMAC_SHA2_512_256, 74 bytes_i (1 pkt, 2s ago), 46 bytes_o (1 pkt, 2s ago), rekeying in 91 minutes
dmvpn{186}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[119]: ESTABLISHED 2 hours ago, 172.17.50.1[spoke1]...50.60.70.80[hub]
dmvpn[119]: IKEv2 SPIs: 0e999ad802ced9cc_i* 6eaa469463601437_r, rekeying in 84 minutes, pre-shared key reauthentication in 8 hours
dmvpn[119]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{185}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c84d6035_i cb72cd30_o
dmvpn{185}: AES_CBC_256/HMAC_SHA2_512_256, 35764 bytes_i (473 pkts, 0s ago), 38266 bytes_o (384 pkts, 0s ago), rekeying in 46 minutes
dmvpn{185}: 172.17.50.1/32[gre] === 50.60.70.80/32[gre]
</nowiki>}}

Dynamic Multipoint VPN (DMVPN) Phase 3 with Quagga NHRPd

2015-09-08T08:20:26Z

Fcolista: Created page with "= THIS DOC IS STILL A DRAFT = = Overview = This is a follow-up of the most famous document [http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)], since opennhrp h..."

= THIS DOC IS STILL A DRAFT =

= Overview =
This is a follow-up of the most famous document [http://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)],
since opennhrp has been rewritten as quagga plugin [1], supporting interoperability with new Cisco's FlexVPN and Strongswan.

This NHRP implementation has some limits yet (Multicast is not ready, so you need to use BGP rather than OSPF), though is usable in a production environment.

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

This How-To will show you how to configure a DMVPN solution with this key items:

.1 VPN setup with Strongswan with PSK for the authentication (same PSK between all of the spokes and hub)

.2 DMVPN setup with quagga.nhrpd;

.3 iBGP used for announce LAN subnet

.4 Awall rules to allow NHRP shortcuts between spokes

The goal is making private network of spoke's nodes and hub to communicate each other over VPN created dynamically.
Routes are learned via BGP, and hte IPSEC VPN is authenticated via PSK.

The logical setup is configured as shown:

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

= Hardware =

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Alpine Installation =

Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

= Spoke Nodes =

== Spoke Node 1 ==

== Networking ==

We're going to setup the spoke node 1 as follow:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="3"|Spoke 1
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.10.0/24
|-
|gre1
|Tunnel
|172.16.1.1
|-
|rowspan="3"|Spoke 2
|eth0
|Internet
|DHCP
|-
|eth1
|LAN
|192.168.20.0/24
|-
|gre1
|Tunnel
|172.16.2.1
|-
|rowspan="3"|Spoke 3
|eth0
|Internet
|90.100.150.200
|-
|eth1
|LAN
|192.168.30.0/24
|-
|gre1
|Tunnel
|172.16.3.1
|-
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto eth1
iface eth1 inet static
address 192.168.10.1
netmask 255.255.255.0
}}

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.1.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>
connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = spoke1
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

== Routing ==

This section will configure the routing protocol suite quagga patched with NHRP support.

{{Cmd|apk add quagga-nhrp
touch /etc/quagga/zebra.conf /etc/quagga/bgpd.conf /etc/quagga/nhrpd.conf}}}

Fix permissions:
{{Cmd|chown -R quagga:quagga /etc/quagga}}}

Start all the daemons:

{{Cmd|/etc/init.d/zebra start
/etc/init.d/bgpd start
/etc/init.d/nhrpd start
}}

Configure it to start from boot:
{{Cmd|rc-update add zebra nhrpd bgpd}}

Now we're going to configure it with <code>vtysh</code> cli:

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.1.1
network 192.168.10.0/24
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp next-hop-self
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.0.1 peer-group spokes-ibgp
exit

nhrp nflog-group 1
interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

= Hub Node =

We will document only what changes from the Spoke node setup.

== Networking ==

The NHS (Hub) has the following settings:

{|class="wikitable"
!'''Host'''
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|rowspan="2"|Hub
|eth0
|Internet
|50.60.70.80
|-
|eth1
|LAN
|192.168.1.0/24
|}

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 50.60.70.80
netmask 255.255.255.0
gateway 50.60.70.1

auto eth1
iface eth1 inet static
address 192.168.1.1
netmask 255.255.255.0
}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|
auto gre1
iface gre1 inet static
pre-up ip tunnel add gre1 mode gre key 42 ttl 64 dev eth0 || true
address 172.16.0.1
netmask 255.255.255.255
post-down ip tunnel del $IFACE || true
}}

Bring up the new gre1 interface:

{{Cmd|ifup gre1}}

== Routing ==

Again, routing is configured directly with <code>vtysh</code>

{{Cmd|vtysh

configure terminal
log syslog
debug nhrp common

router bgp 65000
bgp router-id 172.16.0.1
bgp deterministic-med
network 172.16.0.0/16
redistribute nhrp
neighbor spokes-ibgp peer-group
neighbor spokes-ibgp remote-as 65000
neighbor spokes-ibgp ebgp-multihop 1
neighbor spokes-ibgp disable-connected-check
neighbor spokes-ibgp route-reflector-client
neighbor spokes-ibgp next-hop-self all
neighbor spokes-ibgp advertisement-interval 1
neighbor spokes-ibgp soft-reconfiguration inbound
neighbor 172.16.1.1 peer-group spokes-ibgp
exit

interface gre1
ip nhrp network-id 1
ip nhrp nhs dynamic nbma 50.60.70.80
ip nhrp registration no-unique
ip nhrp shortcut
ipv6 nd suppress-ra
no link-detect
tunnel protection vici profile dmvpn
tunnel source eth0
exit
write mem
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have.
For instance, if you want to add spoke node with gre1 address 172.16.3.1:

{{Cmd|vtysh
conf t
router bgp 65000
neighbor 172.16.3.1 peer-group spokes-ibgp
exit
write mem
}}

== Awall ==

Differently from DMVPN Phase 2, in the Phase 3 DMVPN the HUB is the default gateway for all the spokes, then the spokes are able to communicate directly each other by means of NHRP redirects.

(For a good explanation of the differences between Phase 1, Phase 2 and Phase 3 DMVPN, see http://blog.ine.com/2008/12/23/dmvpn-phase-3/).

This is implemented by sending traffic indication notifications with iptables nflog.

This is the complete firewall configuration for the HUB, using Alpine Firewall Framework, Awall [http://wiki.alpinelinux.org/wiki/Alpine_Wall].

With your favorite editor open <code>/etc/awall/optional/zones.json</code>:

{{cat|/etc/awall/optional/zones.json|<nowiki>

{
"description": "Zones - zone definition for management",

"variable": {
"SUBNETS": [ "192.168.0.0/16", "172.16.0.0/16" ]
},

"zone": {
"DMVPN": { "addr": "$SUBNETS" }
}
}
</nowiki>}}

Now, create <code>/etc/awall/optional/inet.json</code>:

{{cat|/etc/awall/optional/inet.json|<nowiki>
{
"description": "Internet - Host Management (rate limited)",

"zone": {
"INET": { "iface": "eth0" }
},

"policy": [
{ "in": "INET", "action": "drop" }
],

"filter": [
{
"in": "INET",
"out": "_fw",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "INET",
"out": "_fw",
"service": "ssh",
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},
{
"in": "_fw",
"out": "INET",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
</nowiki>}}

Now, the DMVPN rule:

{{cat|/etc/awall/optional/dmvpn.json|<nowiki>
{
"description": "DMVPN specific rules",

"import": [ "inet", "zones" ],

"variable": {
"HUB": true
},

"policy": [
{ "in": "DMVPN", "out": "DMVPN", "action": "accept" }
],

"zone": {
"DMVPN": { "iface": "gre1", "addr": "$SUBNETS", "route-back": "$HUB" }
},

"filter": [
{ "in": "INET", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "INET", "service": "ipsec", "action": "accept" },
{
"in": "INET",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "INET",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "DMVPN", "service": "bgp", "action": "accept" },
{ "in": "DMVPN", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "INET", "dest": "$SUBNETS", "action": "reject" }
]
}
</nowiki>}}

Management interface allowed traffic:

{{cat|/etc/awall/optional/management.json|<nowiki>
{
"description": "Host Management (ssh, https, ping)",

"import": [ "zones" ],

"policy": [
{ "in": "DMVPN", "out": "_fw", "action": "reject" }
],

"filter": [
{
"in": "DMVPN",
"out": "_fw",
"service": [ "ping", "ssh", "https", "bgp" ],
"action": "accept"
},
{
"in": "_fw",
"out": "DMVPN",
"service": [ "ping", "ssh", "http", "http-alt", "https", "dns", "ntp" ],
"action": "accept"
}
]
}
</nowiki>}}

NHRP redirects rule:

{{cat|/etc/awall/optional/vpnredirect.json|<nowiki>
{
"description": "NHRP Traffic Indication Probe",

"log": {
"dmvpn": {
"mode": "nflog",
"group": 1,
"range": 128,
"limit": {
"count": 6,
"interval": 60,
"mask": {
"inet": { "src": 16, "dest": 16 },
"inet6": { "src": 48, "dest": 48 }
}
}
}
},

"packet-log": [ { "in": "DMVPN", "out": "DMVPN", "log": "dmvpn" } ]
}
</nowiki>}}

Enable awall rules:

{{Cmd|awall enable zones
awall enable inet
awall enable dmvpn
awall enable vpnredirect
}}

Apply awall rules:

{{Cmd|awall activate -f
}}

== IPSEC ==
Install package(s):

{{Cmd|apk add strongswan
}}

{{cat|/etc/swanctl/swanctl.conf|<nowiki>

connections {
dmvpn {
version = 2
pull = no
mobike = no
dpd_delay = 15
dpd_timeout = 30
fragmentation = yes
unique = replace
rekey_time = 4h
reauth_time = 13h
proposals = aes256-sha512-ecp384
local {
auth = psk
id = hub
}
remote {
auth = psk
}
children {
dmvpn {
esp_proposals = aes256-sha512-ecp384
local_ts = dynamic[gre]
remote_ts = dynamic[gre]
inactivity = 90m
rekey_time = 100m
mode = transport
dpd_action = clear
reqid = 1
}
}
}
}
</nowiki>}}

{{cat|/etc/ipsec.secrets|
# /etc/ipsec.secrets - strongSwan IPsec secrets file

%any : PSK "cisco12345678987654321"
}}

Start service(s):

{{Cmd|/etc/init.d/charon start
rc-update add charon}}

Now, test if it works.
In this example, spoke 1 tries to connect to spoke 3, who announces his subnet 192.168.30.0/24 via iBGP, the gre1 address is 172.16.3.1 and the public ip address is 90.100.150.200.

The first traffic goes from through the HUB.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 172.16.0.1 0.664 ms 0.461 ms 0.457 ms
2 192.168.30.1 0.907 ms 0.776 ms 0.771 ms
}}

Then, once the VPN is created, the traffic goes directly to the spoke node.

{{Cmd|spoke1:~/root# traceroute -n 192.168.30.1
traceroute to 192.168.30.1 (192.168.30.1), 30 hops max, 38 byte packets
1 192.168.30.1 0.456 ms 0.385 ms 0.357 ms
}}

With <code>ipsec --status-all</code> you can see alle the VPNs created:

{{Cmd|spoke1:~/root# ipsec statusall<nowiki>
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.20-1-grsec, i686):
uptime: 9 days, since Aug 28 14:22:27 2015
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 28
loaded plugins: charon random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity
Listening IP addresses:
192.168.10.1
172.17.50.1
172.16.1.1
Connections:
dmvpn: %any...%any IKEv2, dpddelay=15s
dmvpn: local: [spoke1] uses pre-shared key authentication
dmvpn: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (3 up, 0 connecting):
dmvpn[121]: ESTABLISHED 4 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[121]: IKEv2 SPIs: c770729967ea636c_i 0de8ffedbe32f21c_r*, rekeying in 3 hours, pre-shared key reauthentication in 12 hours
dmvpn[121]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{187}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c132e6c3_i c49ae122_o
dmvpn{187}: AES_CBC_256/HMAC_SHA2_512_256, 469 bytes_i (6 pkts, 2s ago), 326 bytes_o (6 pkts, 2s ago), rekeying in 90 minutes
dmvpn{187}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[120]: ESTABLISHED 8 seconds ago, 172.17.50.1[spoke1]...90.100.150.200[spoke3]
dmvpn[120]: IKEv2 SPIs: 46f81c8ec9a4b753_i* f768298b31ebe4da_r, rekeying in 3 hours, pre-shared key reauthentication in 11 hours
dmvpn[120]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{186}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cad2c1c9_i cd5a287c_o
dmvpn{186}: AES_CBC_256/HMAC_SHA2_512_256, 74 bytes_i (1 pkt, 2s ago), 46 bytes_o (1 pkt, 2s ago), rekeying in 91 minutes
dmvpn{186}: 172.17.50.1/32[gre] === 90.100.150.200/32[gre]
dmvpn[119]: ESTABLISHED 2 hours ago, 172.17.50.1[spoke1]...50.60.70.80[hub]
dmvpn[119]: IKEv2 SPIs: 0e999ad802ced9cc_i* 6eaa469463601437_r, rekeying in 84 minutes, pre-shared key reauthentication in 8 hours
dmvpn[119]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_384
dmvpn{185}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: c84d6035_i cb72cd30_o
dmvpn{185}: AES_CBC_256/HMAC_SHA2_512_256, 35764 bytes_i (473 pkts, 0s ago), 38266 bytes_o (384 pkts, 0s ago), rekeying in 46 minutes
dmvpn{185}: 172.17.50.1/32[gre] === 50.60.70.80/32[gre]
</nowiki>}}

Patch Workflow

2015-07-20T07:55:39Z

Fcolista: Added "how to submit a patch"

This is a '''very draft''' docs that aims to have a defined workflow for sending and applying patch.

It provides a background both for alpine developers and contributors.

It's in the form of FAQ, but it might be changed with a better approach.

Also, a graphical workflow would be useful. A nice idea is here: [https://sourceware.org/glibc/wiki/Patch%20Review%20Workflow]

== I want to contribute to Alpine project by sending patches. How can i do this? ==

First of all, thanks :)

Please, take a look at http://wiki.alpinelinux.org/wiki/Development_using_git and docs linked to it.

== How should i submit a patch to alpine-aports ML? ==

You can follow this document: http://wiki.alpinelinux.org/wiki/Creating_patches

Please note that Patchwork is able to catch the patch if they are sent inline, rather than as attachment.

== Ok, now i've an aports git tree ready and i've sent a patch to alpine-aports ML. And now? ==

Well done. Now the patch is in our workflow.

After you've sent the patch, it is going to be injected in patchwork.alpinelinux.org.

There's a web interface where you can see all the patches sent to git.

From there, alpine delevopers will check the patch and proceed accordingly.

Workflow status are:

New:
Patch has been submitted to the list, and none of the maintainers has changed it's state since. Under Review::
Accepted:
When a patch has been applied to a custodian repository that gets used for pulling from into upstream, they are put into "accepted" state.
Rejected:
Rejected means we just don't want to do what the patch does.
RFC:
The patch is not intended to be applied to any of the mainline repositories, but merely for discussing or testing some idea or new feature.
Not Applicable:
The patch does not apply cleanly against the current U-Boot repository, most probably because it was made against a much older version of U-Boot, or because the submitter's mailer mangled it (for example by converting TABs into SPACEs, or by breaking long lines).
Changes Requested:
The patch looks mostly OK, but requires some rework before it will be accepted for mainline. Awaiting Upstream::
Superseeded:
Patches are marked as 'superseeded' when the poster submits a new version of these patches.
Deferred:
Deferred usually means the patch depends on something else that isn't upstream, such as patches that only apply against some specific other repository.
Archived:
Archiving puts the patch away somewhere where it doesn't appear in the normal pages and needs extra effort to get to.

We also can put patches in a "bundle". I don't know yet if that has any deeper sense but to mark them to be handled together, like a patch series that logically belongs together.

'''Note:''' Set "approved" on webif does not have an impact on the git tree.
If is actually approved, after pwclient git-am the state of the patch will automatically be changed to "approved".
This is the right way to change state.
Generally speaking, change the state on webif is not needed.
Webpage only report what the user does with pwclient tool.

== I'm an alpine developer. How can I start to use patchwork ? ==

There are two ways to work with patches from alpine-aports Mailing List:

.1 Web Interface: https://patchwork.alpinelinux.org/

.2 On your local build environment, you need pwclient:

apk add pwclient
cd $your_aports_dir
pwclient list

This command returns the list of patches sent to alpine-aports@lists.alpinelinux.org and injected in patchwork workflow.

look at the patch:

pwclient view $PATCH_ID.

Let's assume is 66:

pwclient view 66

<pre>
host:~/aports$ pwclient view 66
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [alpine-aports] testing/proxychains-ng: install and install-config
returns 1 in case of error
From: Francesco Colista <fcolista@alpinelinux.org>
X-Patchwork-Id: 66
Message-Id: <1430294296-26952-1-git-send-email-fcolista@alpinelinux.org>
To: alpine-aports@lists.alpinelinux.org
Cc: Francesco Colista <fcolista@alpinelinux.org>
Date: Wed, 29 Apr 2015 07:58:16 +0000

---
testing/proxychains-ng/APKBUILD | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/testing/proxychains-ng/APKBUILD b/testing/proxychains-ng/APKBUILD
index 463a2ac..b40ba25 100644
--- a/testing/proxychains-ng/APKBUILD
+++ b/testing/proxychains-ng/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=proxychains-ng
pkgver=4.8.1
-pkgrel=0
+pkgrel=1
pkgdesc="This tool provides proxy server support to any app."
url="https://github.com/rofl0r/proxychains-ng"
arch="all"
@@ -36,8 +36,7 @@ build() {

package() {
cd "$_builddir"
- make DESTDIR="$pkgdir" install
- make DESTDIR="$pkgdir" install-config
+ make DESTDIR="$pkgdir" install install-config || return 1
ln -s proxychains4 "$pkgdir"/usr/bin/proxychains
}
</pre>

If it looks fine, try to apply the patch, first, in your git tree, and test it.

There are three ways to apply patch in the local tree. We are going to show all of them...then choose what is more fitting for you.

'''.1 pwclient apply'''

'''Note:''' pwclient apply command apply patch using -p1. So patch is applied starting from the current dir.
pwclient apply 66
This apply patch in your local git tree.
Then you can:
abuild -r.
If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.2 pwclient get'''
pwclient get 66
update the APKBUILD in order to apply the patch, then build it with the usual:

abuild -r

If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.3 pwclient git-am'''

This can be done by:
pwclient git-am 66

Since this command aply and commits directly as already stated before, the last step is pushing the change to git repo with:
git pull--rebase && git push

== Patch does not apply. And now? ==
If you have used
pwclient apply
or
pwclient get
Then you shoud go for:
git checkout

If you have used
pwclient git-am

Then patch is committed, so you need to
git reset HEAD@{1}
This uses the last entry in the reflog.
If you did other things in between, look at:
git reflog
to see which number corresponds to which commit.

== Oh, looks that someone else already applied the patch while i was going to do it. Now, when i try to git pull --rebase, i got: "It looks like git-am is in progress. Cannot rebase." and now? ==

git am --abort

== I sent a patch that was already applied. ==

At the moment, patchwork does not allow to comment reasons for a state change (it's in their todo list)

So, we can simple set it as "Not Applicable" (since "Duplicate" does not exists)

== My patch got rejected. ==

You'll be alterted via email about that.
You can ask why patch is got rejected on #alpine-devel IRC channel.

[[Category:Development]]
[[Category:Git]]

Patch Workflow

2015-04-30T09:47:49Z

Fcolista:

This is a '''very draft''' docs that aims to have a defined workflow for sending and applying patch.

It provides a background both for alpine developers and contributors.

It's in the form of FAQ, but it might be changed with a better approach.

Also, a graphical workflow would be useful. A nice idea is here: [https://sourceware.org/glibc/wiki/Patch%20Review%20Workflow]

== I want to contribute to Alpine project by sending patches. How can i do this? ==

First of all, thanks :)

Please, take a look at http://wiki.alpinelinux.org/wiki/Development_using_git and docs linked to it.

== Ok, now i've an aports git tree ready and i've sent a patch to alpine-aports ML. And now? ==

Well done. Now the patch is in our workflow.

After you've sent the patch, it is going to be injected in patchwork.alpinelinux.org.

There's a web interface where you can see all the patches sent to git.

From there, alpine delevopers will check the patch and proceed accordingly.

Workflow status are:

New:
Patch has been submitted to the list, and none of the maintainers has changed it's state since. Under Review::
Accepted:
When a patch has been applied to a custodian repository that gets used for pulling from into upstream, they are put into "accepted" state.
Rejected:
Rejected means we just don't want to do what the patch does.
RFC:
The patch is not intended to be applied to any of the mainline repositories, but merely for discussing or testing some idea or new feature.
Not Applicable:
The patch does not apply cleanly against the current U-Boot repository, most probably because it was made against a much older version of U-Boot, or because the submitter's mailer mangled it (for example by converting TABs into SPACEs, or by breaking long lines).
Changes Requested:
The patch looks mostly OK, but requires some rework before it will be accepted for mainline. Awaiting Upstream::
Superseeded:
Patches are marked as 'superseeded' when the poster submits a new version of these patches.
Deferred:
Deferred usually means the patch depends on something else that isn't upstream, such as patches that only apply against some specific other repository.
Archived:
Archiving puts the patch away somewhere where it doesn't appear in the normal pages and needs extra effort to get to.

We also can put patches in a "bundle". I don't know yet if that has any deeper sense but to mark them to be handled together, like a patch series that logically belongs together.

'''Note:''' Set "approved" on webif does not have an impact on the git tree.
If is actually approved, after pwclient git-am the state of the patch will automatically be changed to "approved".
This is the right way to change state.
Generally speaking, change the state on webif is not needed.
Webpage only report what the user does with pwclient tool.

== I'm an alpine developer. How can I start to use patchwork ? ==

There are two ways to work with patches from alpine-aports Mailing List:

.1 Web Interface: https://patchwork.alpinelinux.org/

.2 On your local build environment, you need pwclient:

apk add pwclient
cd $your_aports_dir
pwclient list

This command returns the list of patches sent to alpine-aports@lists.alpinelinux.org and injected in patchwork workflow.

look at the patch:

pwclient view $PATCH_ID.

Let's assume is 66:

pwclient view 66

<pre>
host:~/aports$ pwclient view 66
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [alpine-aports] testing/proxychains-ng: install and install-config
returns 1 in case of error
From: Francesco Colista <fcolista@alpinelinux.org>
X-Patchwork-Id: 66
Message-Id: <1430294296-26952-1-git-send-email-fcolista@alpinelinux.org>
To: alpine-aports@lists.alpinelinux.org
Cc: Francesco Colista <fcolista@alpinelinux.org>
Date: Wed, 29 Apr 2015 07:58:16 +0000

---
testing/proxychains-ng/APKBUILD | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/testing/proxychains-ng/APKBUILD b/testing/proxychains-ng/APKBUILD
index 463a2ac..b40ba25 100644
--- a/testing/proxychains-ng/APKBUILD
+++ b/testing/proxychains-ng/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=proxychains-ng
pkgver=4.8.1
-pkgrel=0
+pkgrel=1
pkgdesc="This tool provides proxy server support to any app."
url="https://github.com/rofl0r/proxychains-ng"
arch="all"
@@ -36,8 +36,7 @@ build() {

package() {
cd "$_builddir"
- make DESTDIR="$pkgdir" install
- make DESTDIR="$pkgdir" install-config
+ make DESTDIR="$pkgdir" install install-config || return 1
ln -s proxychains4 "$pkgdir"/usr/bin/proxychains
}
</pre>

If it looks fine, try to apply the patch, first, in your git tree, and test it.

There are three ways to apply patch in the local tree. We are going to show all of them...then choose what is more fitting for you.

'''.1 pwclient apply'''

'''Note:''' pwclient apply command apply patch using -p1. So patch is applied starting from the current dir.
pwclient apply 66
This apply patch in your local git tree.
Then you can:
abuild -r.
If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.2 pwclient get'''
pwclient get 66
update the APKBUILD in order to apply the patch, then build it with the usual:

abuild -r

If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.3 pwclient git-am'''

This can be done by:
pwclient git-am 66

Since this command aply and commits directly as already stated before, the last step is pushing the change to git repo with:
git pull--rebase && git push

== Patch does not apply. And now? ==
If you have used
pwclient apply
or
pwclient get
Then you shoud go for:
git checkout

If you have used
pwclient git-am

Then patch is committed, so you need to
git reset HEAD@{1}
This uses the last entry in the reflog.
If you did other things in between, look at:
git reflog
to see which number corresponds to which commit.

== Oh, looks that someone else already applied the patch while i was going to do it. Now, when i try to git pull --rebase, i got: "It looks like git-am is in progress. Cannot rebase." and now? ==

git am --abort

== I sent a patch that was already applied. ==

At the moment, patchwork does not allow to comment reasons for a state change (it's in their todo list)

So, we can simple set it as "Not Applicable" (since "Duplicate" does not exists)

== My patch got rejected. ==

You'll be alterted via email about that.
You can ask why patch is got rejected on #alpine-devel IRC channel.

Patch Workflow

2015-04-30T09:46:35Z

Fcolista: Created page with "This is a '''very draft''' docs that aims to have a defined workflow for sending and applying patch. It provides a background both for alpine developers and contributors. It..."

This is a '''very draft''' docs that aims to have a defined workflow for sending and applying patch.

It provides a background both for alpine developers and contributors.

It's in the form of FAQ, but it might be changed with a better approach.

Also, a graphical workflow would be useful. A nice idea is here: [https://sourceware.org/glibc/wiki/Patch%20Review%20Workflow]

== I want to contribute to Alpine project by sending patches. How can i do this? ==

First of all, thanks :)

Please, take a look at http://wiki.alpinelinux.org/wiki/Development_using_git and docs linked to it.

== Ok, now i've an aports git tree ready and i've sent a patch to alpine-aports ML. And now? ==

Well done. Now the patch is in our workflow.

After you've sent the patch, it is going to be injected in patchwork.alpinelinux.org.

There's a web interface where you can see all the patches sent to git.

From there, alpine delevopers will check the patch and proceed accordingly.

Workflow status are:

New:
Patch has been submitted to the list, and none of the maintainers has changed it's state since. Under Review::
Accepted:
When a patch has been applied to a custodian repository that gets used for pulling from into upstream, they are put into "accepted" state.
Rejected:
Rejected means we just don't want to do what the patch does.
RFC:
The patch is not intended to be applied to any of the mainline repositories, but merely for discussing or testing some idea or new feature.
Not Applicable:
The patch does not apply cleanly against the current U-Boot repository, most probably because it was made against a much older version of U-Boot, or because the submitter's mailer mangled it (for example by converting TABs into SPACEs, or by breaking long lines).
Changes Requested:
The patch looks mostly OK, but requires some rework before it will be accepted for mainline. Awaiting Upstream::
Superseeded:
Patches are marked as 'superseeded' when the poster submits a new version of these patches.
Deferred:
Deferred usually means the patch depends on something else that isn't upstream, such as patches that only apply against some specific other repository.
Archived:
Archiving puts the patch away somewhere where it doesn't appear in the normal pages and needs extra effort to get to.

We also can put patches in a "bundle". I don't know yet if that has any deeper sense but to mark them to be handled together, like a patch series that logically belongs together.

'''Note:''' Set "approved" on webif does not have an impact on the git tree.
If is actually approved, after pwclient git-am the state of the patch will automatically be changed to "approved".
This is the right way to change state.
Generally speaking, change the state on webif is not needed.
Webpage only report what the user does with pwclient tool.

== I'm an alpine developer. How can I start to use patchwork ? ==

There are two ways to work with patches from alpine-aports Mailing List:

.1 Web Interface: https://patchwork.alpinelinux.org/

.2 On your local build environment, you need pwclient:

apk add pwclient
cd $your_aports_dir
pwclient list

This command returns the list of patches sent to alpine-aports@lists.alpinelinux.org and injected in patchwork workflow.

look at the patch:

pwclient view $PATCH_ID.

Let's assume is 66:

pwclient view 66

<pre>
host:~/aports$ pwclient view 66
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [alpine-aports] testing/proxychains-ng: install and install-config
returns 1 in case of error
From: Francesco Colista <fcolista@alpinelinux.org>
X-Patchwork-Id: 66
Message-Id: <1430294296-26952-1-git-send-email-fcolista@alpinelinux.org>
To: alpine-aports@lists.alpinelinux.org
Cc: Francesco Colista <fcolista@alpinelinux.org>
Date: Wed, 29 Apr 2015 07:58:16 +0000

---
testing/proxychains-ng/APKBUILD | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/testing/proxychains-ng/APKBUILD b/testing/proxychains-ng/APKBUILD
index 463a2ac..b40ba25 100644
--- a/testing/proxychains-ng/APKBUILD
+++ b/testing/proxychains-ng/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Francesco Colista <fcolista@alpinelinux.org>
pkgname=proxychains-ng
pkgver=4.8.1
-pkgrel=0
+pkgrel=1
pkgdesc="This tool provides proxy server support to any app."
url="https://github.com/rofl0r/proxychains-ng"
arch="all"
@@ -36,8 +36,7 @@ build() {

package() {
cd "$_builddir"
- make DESTDIR="$pkgdir" install
- make DESTDIR="$pkgdir" install-config
+ make DESTDIR="$pkgdir" install install-config || return 1
ln -s proxychains4 "$pkgdir"/usr/bin/proxychains
}
</pre>

If it looks fine, try to apply the patch, first, in your git tree, and test it.

There are three ways to apply patch in the local tree. We are going to show all of them...then choose what is more fitting for you.

'''.1 pwclient apply'''

Note: pwclient apply command apply patch using -p1. So patch is applied starting from the current dir.
pwclient apply 66
This apply patch in your local git tree.
Then you can:
abuild -r.
If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.2 pwclient get'''
pwclient get 66
update the APKBUILD in order to apply the patch, then build it with the usual:

abuild -r

If patch is ok, then you need to reset the your git tree (because it got modified by applying the patch).
so:
git checkout --
then
pwclient git-am 66

this apply and commit the patch in one shot.

Last step is pushing the change to git repo with:
git pull--rebase && git push

'''.3 pwclient git-am'''

This can be done by:
pwclient git-am 66

Since this command aply and commits directly as already stated before, the last step is pushing the change to git repo with:
git pull--rebase && git push

== Patch does not apply. And now? ==
If you have used
pwclient apply
or
pwclient get
Then you shoud go for:
git checkout

If you have used
pwclient git-am

Then patch is committed, so you need to
git reset HEAD@{1}
This uses the last entry in the reflog.
If you did other things in between, look at:
git reflog
to see which number corresponds to which commit.

== Oh, looks that someone else already applied the patch while i was going to do it. Now, when i try to git pull --rebase, i got: "It looks like git-am is in progress. Cannot rebase." and now? ==

git am --abort

== I sent a patch that was already applied. ==

At the moment, patchwork does not allow to comment reasons for a state change (it's in their todo list)

So, we can simple set it as "Not Applicable" (since "Duplicate" does not exists)

== My patch got rejected. ==

You'll be alterted via email about that.
You can ask why patch is got rejected on #alpine-devel IRC channel.

Tutorials and Howtos

2015-04-18T15:25:19Z

Fcolista: /* Other Servers */

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.

We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}
== Storage ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' 
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]

* [[Setting up disks manually]] 
* [[Setting up a software RAID array]]

* [[Raid Administration]]
* [[Setting up encrypted volumes with LUKS]]
* [[Setting up LVM on LUKS]]
* [[Setting up Logical Volumes with LVM]]
** [[Setting up LVM on GPT-labeled disks]]
** [[Installing on GPT LVM]]
* [[Filesystems|Formatting HD/Floppy/Other]] 

* [[Setting up iSCSI]]
** [[iSCSI Raid and Clustered File Systems]]
* [[Setting up NBD]]
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' 
* [[Linux iSCSI Target (TCM)]]
* [[Disk Replication with DRBD]] 

* [[Burning ISOs]] 
* [[Partitioning and Bootmanagers]]
* [[Migrating data]]

== Networking ==

* [[Configure Networking]]
* [[Connecting to a wireless access point]]
* [[Bonding]]
* [[Vlan]]
* [[Bridge]]
* [[OpenVSwitch]]
* [[How to configure static routes]]

* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''

* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Setting up Satellite Internet Connection]]
* [[Using Alpine on Windows domain with IPSEC isolation]]

* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' 
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''

* [[Experiences with OpenVPN-client on ALIX.2D3]] 

* [[Generating SSL certs with ACF]] 
* [[Setting up unbound DNS server]]
* [[Setting up nsd DNS server]]
* [[TinyDNS Format]]
* [[Fault Tolerant Routing with Alpine Linux]] 
* [[Freeradius Active Directory Integration]]
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[OwnCloud]] ''(Installing OwnCloud)''

* [[Apache with php-fpm]]
* [[Seafile: setting up your own private cloud]]

== Post-Install ==


* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''

** [[Comparison with other distros]]
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services]]

* [[Upgrading Alpine]]


* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''
* [[Changing passwords for ACF|Changing passwords]]
* [[Ansible]] ''(Configuration management)''

* [[Enable Serial Console on Boot]]


== Virtualization==

* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
* [[Xen Dom0 on USB or SD]]
* [[Create Alpine Linux PV DomU]]
* [[Xen PCI Passthrough]]
* [[Xen LiveCD]]
* [[qemu]]
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[Docker]]

== Desktop Environment ==

* [[Awesome(wm) Setup]]
* [[EyeOS]] ''(Cloud Computing Desktop)''
* [[Gnome Setup]]
* [[MATE|MATE Setup]]
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')
* [[Remote Desktop Server]]
* [[Suspend on LID close]]
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]

== Applications ==

=== Telephony ===
* [[Setting up Zaptel/Asterisk on Alpine]]
** [[Setting up Streaming an Asterisk Channel]]
* [[Freepbx on Alpine Linux]]
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

=== Mail ===
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
** [[Hosting Web/Email services on Alpine]]
* [[ISP Mail Server HowTo]] 
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* [[Protecting your email server with Alpine]]
* [[Setting up clamsmtp]]
* [[Setting up dovecot with imap and ssl]]

=== HTTP ===
* [[Lighttpd]]
** [[Lighttpd Https access]]
** [[Setting Up Lighttpd with PHP]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Cherokee]]
* [[Nginx]]
* [[Apache]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]

* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' 

* [[Setting up Transparent Squid Proxy]] 
** [[SqStat]] ''(Script to look at active squid users connections)''
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[Setting up Explicit Squid Proxy]]

* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[WordPress]] ''(Web software to create website or blog)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[DokuWiki]]
* [[Darkhttpd]]

=== Other Servers ===
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''

* [[Setting up a nfs-server]]
* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

* [[Patchwork]] ''(Patch review management system)''
* [[Redmine]] ''(Project management system)''
* [[Request-Tracker]] ''(Ticket system)''
* [[OsTicket]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

* [[Cgit]]
** [[Setting up a git repository server with gitolite and cgit]] 
* [[Roundcube]] ''(Webmail system)''
* [[Glpi]] ''(Manage inventory of technical resources)''

* [[How to setup a Alpine Linux mirror]]
* [[Cups]]
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Sending SMS using gnokii]]

=== Monitoring ===
* [[Traffic monitoring]] 
* [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Setting up monitoring using rrdtool (and rrdcollect)]]
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' 
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 

* [[IP Accounting]] 
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[SqStat]] ''(Script to look at active squid users connections)''

* [[Piwik]] ''(A real time web analytics software program)''
* [[Awstats]] ''(Free log file analyzer)''
* [[Intrusion Detection using Snort]]
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''

* [[Webmin]] ''(A web-based interface for Linux system)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Linfo]]

* [[Setting up lm_sensors]]

* [[ZoneMinder video camera security and surveillance]]

== Misc ==

* [[:Category:Shell]]
* [[:Category:Programming]]
* [[Running glibc programs]]
* [[:Category:Drivers]]
* [[:Category:Multimedia]]

== Complete Solutions ==
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]

* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]
* [[RPI Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''

Patchwork

2015-04-18T15:23:14Z

Fcolista:

Patchwork it's a widely used patch review system.

This How-To aims to give a basis to setup Patchwork with PostgreSQL as backend.

There are some aspects which can be improved that this how-to is not covering.
* Create an apk for patchwork with init script
* Describe how to setup Patchwork for one project
* Describe how to setup Patchwork with MariaDB

== Initial package installation and setup PostgreSQL==
{{Cmd|apk add python py-django1.5 py-psycopg2 py-django-registration git postgresql}}
{{Cmd|/etc/init.d/postgresql setup}}
{{Cmd|/etc/init.d/postgresql start}}

'''Note:''' we are using py-django1.5 even if py-django (ver.1.7) is present in the repository.
This is because Patchwork is not yet compatible with django 1.7.

Create a regular account called "pwuser":
{{Cmd|adduser pwuser}}

As root:
{{Cmd|su - postgresql
createdb patchwork
createuser pwuser
createuser www-data
createuser nobody}}

Last two users are hardcoded in one of the next sql script. That's why you need to create it.

== Patchwork Installation and Configuration ==
Login with "pwuser" and clone the patchwork's git repository:
{{Cmd|git clone git://ozlabs.org/home/jk/git/patchwork}}

Create a local_settings.py starting from settings.py:
{{Cmd|cd patchwork/apps
cp settings.py local_settings.py}}

Customize local_settings.py according with your need.

SECRET_KEY can be generated with the following python script:

<pre>
import string, random
chars = string.letters + string.digits + string.punctuation
print repr("".join([random.choice(chars) for i in range(0,50)]))
</pre>

Now, populate PostgreSQL with patchwork database.

As "pwuser":
{{Cmd|python patchwork/apps/manage.py syncdb}}

At the end, the script will ask for patchwork's administrator username,email, and password.

Run another script for setting up the user's permissions:
{{Cmd|psql -f patchwork/lib/sql/grant-all.postgres.sql patchwork}}

Now you can run the server:
{{Cmd|python patchwork/apps/manage.py runserver 0.0.0.0:8000}}

Point your browser to http://$PATCHWORKS_SERVER_ADDRESS:8000

Login with the username and password you set before.

Enjoy.

[[Category:Mail]]
[[Category:Server]]
[[Category:Programming]]

Patchwork

2015-04-18T15:20:07Z

Fcolista: Created page with "Patchwork it's a widely used patch review system. This How-To aims to give a basis to setup Patchwork with PostgreSQL as backend. There are some aspects which can be improve..."

Patchwork it's a widely used patch review system.

This How-To aims to give a basis to setup Patchwork with PostgreSQL as backend.

There are some aspects which can be improved that this how-to is not covering.
* Create an apk for patchwork with init script
* Describe how to setup Patchwork for one project
* Describe how to setup Patchwork with MariaDB

== Initial package installation and setup PostgreSQL==
{{Cmd|apk add python py-django1.5 py-psycopg2 py-django-registration git postgresql}}
{{Cmd|/etc/init.d/postgresql setup}}
{{Cmd|/etc/init.d/postgresql start}}

Create a regular account called "pwuser":
{{Cmd|adduser pwuser}}

As root:
{{Cmd|su - postgresql
createdb patchwork
createuser pwuser
createuser www-data
createuser nobody}}

Last two users are hardcoded in one of the next sql script. That's why you need to create it.

== Patchwork Installation and Configuration ==
Login with "pwuser" and clone the patchwork's git repository:
{{Cmd|git clone git://ozlabs.org/home/jk/git/patchwork}}

Create a local_settings.py starting from settings.py:
{{Cmd|cd patchwork/apps
cp settings.py local_settings.py}}

Customize local_settings.py according with your need.

SECRET_KEY can be generated with the following python script:

<pre>
import string, random
chars = string.letters + string.digits + string.punctuation
print repr("".join([random.choice(chars) for i in range(0,50)]))
</pre>

Now, populate PostgreSQL with patchwork database.

As "pwuser":
{{Cmd|python patchwork/apps/manage.py syncdb}}

At the end, the script will ask for patchwork's administrator username,email, and password.

Run another script for setting up the user's permissions:
{{Cmd|psql -f patchwork/lib/sql/grant-all.postgres.sql patchwork}}

Now you can run the server:
{{Cmd|python patchwork/apps/manage.py runserver 0.0.0.0:8000}}

Point your browser to http://$PATCHWORKS_SERVER_ADDRESS:8000

Login with the username and password you set before.

Enjoy.

[[Category:Mail]]
[[Category:Server]]
[[Category:Programming]]

Tutorials and Howtos

2015-04-18T14:36:14Z

Fcolista: /* Other Servers */

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.

We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}
== Storage ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' 
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]

* [[Setting up disks manually]] 
* [[Setting up a software RAID array]]

* [[Raid Administration]]
* [[Setting up encrypted volumes with LUKS]]
* [[Setting up LVM on LUKS]]
* [[Setting up Logical Volumes with LVM]]
** [[Setting up LVM on GPT-labeled disks]]
** [[Installing on GPT LVM]]
* [[Filesystems|Formatting HD/Floppy/Other]] 

* [[Setting up iSCSI]]
** [[iSCSI Raid and Clustered File Systems]]
* [[Setting up NBD]]
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' 
* [[Linux iSCSI Target (TCM)]]
* [[Disk Replication with DRBD]] 

* [[Burning ISOs]] 
* [[Partitioning and Bootmanagers]]
* [[Migrating data]]

== Networking ==

* [[Configure Networking]]
* [[Connecting to a wireless access point]]
* [[Bonding]]
* [[Vlan]]
* [[Bridge]]
* [[OpenVSwitch]]
* [[How to configure static routes]]

* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''

* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Setting up Satellite Internet Connection]]
* [[Using Alpine on Windows domain with IPSEC isolation]]

* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' 
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''

* [[Experiences with OpenVPN-client on ALIX.2D3]] 

* [[Generating SSL certs with ACF]] 
* [[Setting up unbound DNS server]]
* [[Setting up nsd DNS server]]
* [[TinyDNS Format]]
* [[Fault Tolerant Routing with Alpine Linux]] 
* [[Freeradius Active Directory Integration]]
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[OwnCloud]] ''(Installing OwnCloud)''

* [[Apache with php-fpm]]
* [[Seafile: setting up your own private cloud]]

== Post-Install ==


* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''

** [[Comparison with other distros]]
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]] 
** [[Manually editing a existing apkovl]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services]]

* [[Upgrading Alpine]]


* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''
* [[Changing passwords for ACF|Changing passwords]]
* [[Ansible]] ''(Configuration management)''

* [[Enable Serial Console on Boot]]


== Virtualization==

* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
* [[Xen Dom0 on USB or SD]]
* [[Create Alpine Linux PV DomU]]
* [[Xen PCI Passthrough]]
* [[Xen LiveCD]]
* [[qemu]]
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[Docker]]

== Desktop Environment ==

* [[Awesome(wm) Setup]]
* [[EyeOS]] ''(Cloud Computing Desktop)''
* [[Gnome Setup]]
* [[MATE|MATE Setup]]
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')
* [[Remote Desktop Server]]
* [[Suspend on LID close]]
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]

== Applications ==

=== Telephony ===
* [[Setting up Zaptel/Asterisk on Alpine]]
** [[Setting up Streaming an Asterisk Channel]]
* [[Freepbx on Alpine Linux]]
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

=== Mail ===
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
** [[Hosting Web/Email services on Alpine]]
* [[ISP Mail Server HowTo]] 
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* [[Protecting your email server with Alpine]]
* [[Setting up clamsmtp]]
* [[Setting up dovecot with imap and ssl]]

=== HTTP ===
* [[Lighttpd]]
** [[Lighttpd Https access]]
** [[Setting Up Lighttpd with PHP]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Cherokee]]
* [[Nginx]]
* [[Apache]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]

* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' 

* [[Setting up Transparent Squid Proxy]] 
** [[SqStat]] ''(Script to look at active squid users connections)''
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[Setting up Explicit Squid Proxy]]

* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[WordPress]] ''(Web software to create website or blog)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[DokuWiki]]
* [[Darkhttpd]]

=== Other Servers ===
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''

* [[Setting up a nfs-server]]
* [[Phpizabi]] ''(Social Networking Platform)''
* [[Statusnet]] ''(Microblogging Platform)''
* [[Pastebin]] ''(Pastebin software application)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

* [[Patchwork]] ''(Project management system)''
* [[Redmine]] ''(Project management system)''
* [[Request-Tracker]] ''(Ticket system)''
* [[OsTicket]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

* [[Cgit]]
** [[Setting up a git repository server with gitolite and cgit]] 
* [[Roundcube]] ''(Webmail system)''
* [[Glpi]] ''(Manage inventory of technical resources)''

* [[How to setup a Alpine Linux mirror]]
* [[Cups]]
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Sending SMS using gnokii]]

=== Monitoring ===
* [[Traffic monitoring]] 
* [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Setting up monitoring using rrdtool (and rrdcollect)]]
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' 
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' 
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 

* [[IP Accounting]] 
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[SqStat]] ''(Script to look at active squid users connections)''

* [[Piwik]] ''(A real time web analytics software program)''
* [[Awstats]] ''(Free log file analyzer)''
* [[Intrusion Detection using Snort]]
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''

* [[Webmin]] ''(A web-based interface for Linux system)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Linfo]]

* [[Setting up lm_sensors]]

* [[ZoneMinder video camera security and surveillance]]

== Misc ==

* [[:Category:Shell]]
* [[:Category:Programming]]
* [[Running glibc programs]]
* [[:Category:Drivers]]
* [[:Category:Multimedia]]

== Complete Solutions ==
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[High performance SCST iSCSI Target on Linux software Raid]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[Experiences with OpenVPN-client on ALIX.2D3]]

* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]
* [[RPI Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''

Flyspray

2014-06-25T06:02:19Z

Fcolista: /* Flyspray configuration */

{{Draft}}

=Installing Flyspray=

{{Cmd|apk add flyspray}}

=Database support=

Flyspray supports only MySQL and PostgreSQL. Here we cover MySQL installation, but the steps are basically the same with PostgreSQL.

== Install Database support ==

{{Cmd|apk add flyspray-mysqli}}

Notice that even though flyspray-mysql package is available, if you install it Flyspray will report that the function library is deprecated, that is quite annoying.

Is better to use mysqli package.

Now before we continue we need to create the database.

{{Cmd|create database flyspray;
create user 'flyspraydbuser'@'localhost' identified by 'my_password';
grant all privileges on flyspray.* to 'flyspraydbuser'@'localhost';}}

If you need mysql client, you can install it like this:

{{Cmd|apk add mysql-client}}

You can of course also use a tool like phpmyadmin to create the database and setup the user.

=Setup Lighttpd=

Now our database is ready, we need to install and configure Lighttpd, with PHP support.

{{Cmd|apk add lighttpd}}

Now, you should enable PHP/FastCGI support modifying Lighttpd configuration.

You can find it in /etc/lighttpd.

{{Cmd|vi /etc/lighttpd/lighttpd.conf}}

...
include "mod_fastcgi.conf"
...

{{Cmd|/etc/init.d/lighttpd start}}

If your server does not run, you can find information in /var/log/lighttpd. If that does not provide a clue you can also run Lighttpd in foreground. It should display some more debug information.

{{Cmd|/etc/init.d/lighttpd stop
lighttpd -f /etc/lighttpd/lighttpd.conf -D}}

=Flyspray configuration=

Now that everything is ready, you need to make Flyspray visible to the webserver.
For doing that, create a symlink from /usr/share/webapps/flyspray (that is the default location where flyspray is installed) to /var/www/localhost/htdocs.
This is the document root directory of lighttpd server. If you use another webserver, check what is the document root and put the symlink there.

{{Cmd|ln -s /usr/share/webapps/flyspray /var/www/localhost/htdocs/flyspray}}

Flyspray needs permission to write on flyspray.conf.php that is in the root directory.

{{Cmd|touch /usr/share/webapps/flyspray/flyspray.conf
chmod 775 /usr/share/webapps/flyspray/flyspray.conf.php
chgrp www-data /usr/share/webapps/flyspray/flyspray.conf.php}}

That's all.

Open your browser to http://$FLYSPRAY_SERVER/flyspray and follow the instruction.

Flyspray

2014-06-24T15:21:19Z

Fcolista: /* Flyspray configuration */

{{Draft}}

=Installing Flyspray=

{{Cmd|apk add flyspray}}

=Database support=

Flyspray supports only MySQL and PostgreSQL. Here we cover MySQL installation, but the steps are basically the same with PostgreSQL.

== Install Database support ==

{{Cmd|apk add flyspray-mysqli}}

Notice that even though flyspray-mysql package is available, if you install it Flyspray will report that the function library is deprecated, that is quite annoying.

Is better to use mysqli package.

Now before we continue we need to create the database.

{{Cmd|create database flyspray;
create user 'flyspraydbuser'@'localhost' identified by 'my_password';
grant all privileges on flyspray.* to 'flyspraydbuser'@'localhost';}}

If you need mysql client, you can install it like this:

{{Cmd|apk add mysql-client}}

You can of course also use a tool like phpmyadmin to create the database and setup the user.

=Setup Lighttpd=

Now our database is ready, we need to install and configure Lighttpd, with PHP support.

{{Cmd|apk add lighttpd}}

Now, you should enable PHP/FastCGI support modifying Lighttpd configuration.

You can find it in /etc/lighttpd.

{{Cmd|vi /etc/lighttpd/lighttpd.conf}}

...
include "mod_fastcgi.conf"
...

{{Cmd|/etc/init.d/lighttpd start}}

If your server does not run, you can find information in /var/log/lighttpd. If that does not provide a clue you can also run Lighttpd in foreground. It should display some more debug information.

{{Cmd|/etc/init.d/lighttpd stop
lighttpd -f /etc/lighttpd/lighttpd.conf -D}}

=Flyspray configuration=

Now that everything is ready, you need to make Flyspray visible to the webserver.
For doing that, create a symlink from /usr/share/webapps/flyspray (that is the default location where flyspray is installed) to /var/www/localhost/htdocs.
This is the document root directory of lighttpd server. If you use another webserver, check what is the document root and put the symlink there.

{{Cmd|ln -s /usr/share/webapps/flyspray /var/www/localhost/htdocs/flyspray}}

Flyspray needs permission to write on flyspray.conf.php that is in the root directory.

{{Cmd|touch /usr/share/webapps/flyspray/flyspray.conf
chmod 775 /usr/share/webapps/flyspray/flyspray.conf.php
chgrp www-data /usr/share/webapps/flyspray/flyspray.conf}}

That's all.

Open your browser to http://$FLYSPRAY_SERVER/flyspray and follow the instruction.

Flyspray

2014-06-24T15:17:54Z

Fcolista: Created page with "{{Draft}} =Installing Flyspray= {{Cmd|apk add flyspray}} =Database support= Flyspray supports only MySQL and PostgreSQL. Here we cover MySQL installation, but the steps ar..."

{{Draft}}

=Installing Flyspray=

{{Cmd|apk add flyspray}}

=Database support=

Flyspray supports only MySQL and PostgreSQL. Here we cover MySQL installation, but the steps are basically the same with PostgreSQL.

== Install Database support ==

{{Cmd|apk add flyspray-mysqli}}

Notice that even though flyspray-mysql package is available, if you install it Flyspray will report that the function library is deprecated, that is quite annoying.

Is better to use mysqli package.

Now before we continue we need to create the database.

{{Cmd|create database flyspray;
create user 'flyspraydbuser'@'localhost' identified by 'my_password';
grant all privileges on flyspray.* to 'flyspraydbuser'@'localhost';}}

If you need mysql client, you can install it like this:

{{Cmd|apk add mysql-client}}

You can of course also use a tool like phpmyadmin to create the database and setup the user.

=Setup Lighttpd=

Now our database is ready, we need to install and configure Lighttpd, with PHP support.

{{Cmd|apk add lighttpd}}

Now, you should enable PHP/FastCGI support modifying Lighttpd configuration.

You can find it in /etc/lighttpd.

{{Cmd|vi /etc/lighttpd/lighttpd.conf}}

...
include "mod_fastcgi.conf"
...

{{Cmd|/etc/init.d/lighttpd start}}

If your server does not run, you can find information in /var/log/lighttpd. If that does not provide a clue you can also run Lighttpd in foreground. It should display some more debug information.

{{Cmd|/etc/init.d/lighttpd stop
lighttpd -f /etc/lighttpd/lighttpd.conf -D}}

=Flyspray configuration=

Now that everything is ready, you need to make Flyspray visible to the webserver. For doing that, create a symlink from /usr/share/webapps/flyspray (that is the default location where flyspray is installed) to /var/www/localhost/htdocs.
This is the document root directory of lighttpd server. If you use another webserver, check what is the document root and put the symlink there.

{{Cmd|ln -s /usr/share/webapps/flyspray /var/www/localhost/htdocs/flyspray}}

Flyspray needs permission to write on flyspray.conf.php that is in the root directory.

{{Cmd|touch /usr/share/webapps/flyspray/flyspray.conf && chmod 775 /usr/share/webapps/flyspray/flyspray.conf.php
chgrp www-data /usr/share/webapps/flyspray/flyspray.conf}}

That's all.

Open your browser to http://$FLYSPRAY_SERVER/flyspray and follow the instruction.

How To Setup Your Own IRC Network

2013-03-13T19:35:35Z

Fcolista: /* Configure Atheme-iris */

This doc aims to assist you on setup your own irc network with Alpine Linux.

We will configure two irc daemons and a simple ajax webirc client.

The irc daemons will work together sharing the channel, users and other informations.

From charybdis point of view, this configuration is called '''"cluster"''', but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.

We have irc1 and irc2 servers, called respectively irc1.alpinelab.lan and irc2.alpinelab.lan.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge.
Charybdis is in main, atheme-iris in testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edgem http://dl-2.alpinelinux.org/alpine/edge/main}}
{{Cmd|@edget http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis@edgem}}
{{Cmd|apk add atheme-iris@edget}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

You can even remove the *Serv entries. Charybdis itselfs does not have this features, you should use externa programs that works as bot for that (atheme services for example).

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
# Leave this unset to disable all Atheme integration.
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
# Even if we don't use nickserv, disabling it cause atheme-iris to not work.
# Look at https://github.com/atheme/iris/issues/12
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

'''Note:'''

When you login into webchat, you will see "webchat@127.0.0.1".

If you're wondering how change 127.0.0.1 with a spoofed address, you need another auth{} block in charybdis. Look at /etc/charybdis/reference.conf for details.

If you want the real ip address of the client, you need to setup cgi:irc with atheme-iris, and Charybdis will use the module called _mwebirc to "glue" himself with atheme-iris. Cgiirc is available in edge/testing repository.

If you want to remove the button "Menu" which appears in the top-left position into webchat, then:

<pre>
vim /var/lib/atheme-iris/css/qui.mcss
</pre>

Look for .dropdown-tab and then add "display: none;" as follows:

<pre>
.qwebirc-qui .outertabbar .dropdown-tab {
float: left;
width: 24px;
cursor: pointer;
cursor: hand;
display: none; <---- This is what you need to add.
}
</pre>

Enjoy!

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-13T19:26:07Z

Fcolista: /* Prerequisites */

This doc aims to assist you on setup your own irc network with Alpine Linux.

We will configure two irc daemons and a simple ajax webirc client.

The irc daemons will work together sharing the channel, users and other informations.

From charybdis point of view, this configuration is called '''"cluster"''', but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.

We have irc1 and irc2 servers, called respectively irc1.alpinelab.lan and irc2.alpinelab.lan.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge.
Charybdis is in main, atheme-iris in testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edgem http://dl-2.alpinelinux.org/alpine/edge/main}}
{{Cmd|@edget http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis@edgem}}
{{Cmd|apk add atheme-iris@edget}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

You can even remove the *Serv entries. Charybdis itselfs does not have this features, you should use externa programs that works as bot for that (atheme services for example).

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

'''Note:'''

When you login into webchat, you will see "webchat@127.0.0.1".

If you're wondering how change 127.0.0.1 with a spoofed address, you need another auth{} block in charybdis. Look at /etc/charybdis/reference.conf for details.

If you want the real ip address of the client, you need to setup cgi:irc with atheme-iris, and Charybdis will use the module called _mwebirc to "glue" himself with atheme-iris.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-13T19:23:46Z

Fcolista: /* Configure Charybdis */

This doc aims to assist you on setup your own irc network with Alpine Linux.

We will configure two irc daemons and a simple ajax webirc client.

The irc daemons will work together sharing the channel, users and other informations.

From charybdis point of view, this configuration is called '''"cluster"''', but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.

We have irc1 and irc2 servers, called respectively irc1.alpinelab.lan and irc2.alpinelab.lan.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

You can even remove the *Serv entries. Charybdis itselfs does not have this features, you should use externa programs that works as bot for that (atheme services for example).

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

'''Note:'''

When you login into webchat, you will see "webchat@127.0.0.1".

If you're wondering how change 127.0.0.1 with a spoofed address, you need another auth{} block in charybdis. Look at /etc/charybdis/reference.conf for details.

If you want the real ip address of the client, you need to setup cgi:irc with atheme-iris, and Charybdis will use the module called _mwebirc to "glue" himself with atheme-iris.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-06T15:01:15Z

Fcolista:

This doc aims to assist you on setup your own irc network with Alpine Linux.

We will configure two irc daemons and a simple ajax webirc client.

The irc daemons will work together sharing the channel, users and other informations.

From charybdis point of view, this configuration is called '''"cluster"''', but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.

We have irc1 and irc2 servers, called respectively irc1.alpinelab.lan and irc2.alpinelab.lan.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

'''Note:'''

When you login into webchat, you will see "webchat@127.0.0.1".

If you're wondering how change 127.0.0.1 with a spoofed address, you need another auth{} block in charybdis. Look at /etc/charybdis/reference.conf for details.

If you want the real ip address of the client, you need to setup cgi:irc with atheme-iris, and Charybdis will use the module called _mwebirc to "glue" himself with atheme-iris.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-06T15:00:23Z

Fcolista:

This doc aims to assist you on setup your own irc network with Alpine Linux.

We will configure two irc daemons and a simple ajax webirc client.

The irc daemons will work together sharing the channel, users and other informations.

From charybdis point of view, this configuration is called '''"cluster"''', but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.

We have irc1 and irc2 servers, called respectively irc1.alpinelab.lan and irc2.alpinelab.lan.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

'''Note:'''

When you login into webchat, you will see "webchat@127.0.0.1". If you're wondering how change 127.0.0.1 with a spoofed address, you need another auth{} block in charybdis. Look at reference.conf for details.
If you want the real ip address of the client, you need to setup cgi:irc with atheme-iris, and Charybdis will use the module called _mwebirc to "glue" himself with atheme-iris.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-06T14:55:22Z

Fcolista: /* Prerequisites */

This doc aims to assist you on setup your own irc network with Alpine Linux.
We will configure two irc daemons and a simple ajax webirc client.
The irc daemons will work together sharing the channel, users and other informations.
From charybdis point of view, this configuration is called "cluster", but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.
We have irc1 and irc2 servers.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

* Charybdis
* atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line:
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-06T14:53:48Z

Fcolista: /* Useful links: */

This doc aims to assist you on setup your own irc network with Alpine Linux.
We will configure two irc daemons and a simple ajax webirc client.
The irc daemons will work together sharing the channel, users and other informations.
From charybdis point of view, this configuration is called "cluster", but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.
We have irc1 and irc2 servers.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

- Charybdis
- atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

== Useful links ==

'''IRC Commands'''

http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

'''*-Line flags'''

http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line

How To Setup Your Own IRC Network

2013-03-06T14:53:07Z

Fcolista: Created page with "This doc aims to assist you on setup your own irc network with Alpine Linux. We will configure two irc daemons and a simple ajax webirc client. The irc daemons will work toget..."

This doc aims to assist you on setup your own irc network with Alpine Linux.
We will configure two irc daemons and a simple ajax webirc client.
The irc daemons will work together sharing the channel, users and other informations.
From charybdis point of view, this configuration is called "cluster", but this word should not be understood with the common meaning of "cluster".

We assume that, as example, we want create Alpine Linux IRC Network.
We have irc1 and irc2 servers.

== Prerequisites ==

Prerequisites are two PC with Alpine Linux installed (v2.5).

Packages that we are going to install are:

- Charybdis
- atheme-iris

Both of those packages are in edge testing.

You can easily use this pinning edge repo:
{{Cmd|vi /etc/apk/repositories}}

Add the line
{{Cmd|@edge http://dl-2.alpinelinux.org/alpine/edge/testing}}

Then:
{{Cmd|apk update}}
{{Cmd|apk add charybdis}}
{{Cmd|apk add atheme-iris}}

== Configure Charybdis ==

{{Cmd|cp /etc/charybdis/example.conf /etc/charybdis/ircd.conf}}

{{Cmd|vi /etc/charybdis/ircd.conf}}

Modify the file starting from /etc/charybdis/reference.conf (that is well documented).

<pre>
loadmodule "extensions/chm_operonly.so";
loadmodule "extensions/extb_account.so";
loadmodule "extensions/extb_canjoin.so";
loadmodule "extensions/extb_channel.so";
loadmodule "extensions/extb_extgecos.so";
loadmodule "extensions/extb_oper.so";
loadmodule "extensions/extb_realname.so";
loadmodule "extensions/m_identify.so";
loadmodule "extensions/m_mkpasswd.so";
loadmodule "extensions/m_webirc.so";
loadmodule "extensions/sno_farconnect.so";
loadmodule "extensions/sno_globalkline.so";
loadmodule "extensions/sno_globaloper.so";

serverinfo {
name = "irc1.alpinelab.lan";
sid = "01A";
description = "Alpine Linux IRC Server";
network_name = "Alpine Linux Network";
network_desc = "Alpine Linux IRC network.";
hub = yes;
default_max_clients = 10000;
nicklen = 30;
};

admin {
name = "admin";
description = "Alpine Linux IRC network administrator";
email = "ircadmin@alpinelab.lan";
};

log {
fname_userlog = "logs/userlog";
#fname_fuserlog = "logs/fuserlog";
fname_operlog = "logs/operlog";
#fname_foperlog = "logs/foperlog";
fname_serverlog = "logs/serverlog";
#fname_klinelog = "logs/klinelog";
fname_killlog = "logs/killlog";
fname_operspylog = "logs/operspylog";
#fname_ioerrorlog = "logs/ioerror";
};

class "users" {
ping_time = 2 minutes;
number_per_ident = 10;
number_per_ip = 10;
number_per_ip_global = 50;
cidr_ipv4_bitlen = 24;
cidr_ipv6_bitlen = 64;
number_per_cidr = 200;
max_number = 100;
sendq = 400 kbytes;
};

class "opers" {
ping_time = 5 minutes;
number_per_ip = 10;
max_number = 1000;
sendq = 1 megabyte;
};

class "server" {
ping_time = 5 minutes;
connectfreq = 5 minutes;
max_number = 10;
sendq = 4 megabytes;
};

listen {
defer_accept = yes;
port = 5000, 6665 .. 6669;
sslport = 6697;
};

auth {
user = "*@*";
class = "users";
};

privset "local_op" {
privs = oper:local_kill, oper:operwall;
};

privset "server_bot" {
extends = "local_op";
privs = oper:kline, oper:remoteban, snomask:nick_changes;
};

privset "global_op" {
extends = "local_op";
privs = oper:global_kill, oper:routing, oper:kline, oper:unkline, oper:xline,
oper:resv, oper:mass_notice, oper:remoteban;
};

privset "admin" {
extends = "global_op";
privs = oper:admin, oper:die, oper:rehash, oper:spy;
};

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
snomask = "+Zbfkrsuy";
flags = ~encrypted;
privset = "admin";
};

connect "irc2.alpinelab.lan" {
host="10.0.2.10";
send_password = "Password_To_Server";
accept_password = "Password_From_Server";
port = 6666;
hub_mask = "*";
class = "server";
flags = compressed, topicburst, autoconn;
};

service {
name = "services.int";
};

cluster {
name = "*.alpinelab.lan";
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv;
};

shared {
oper = "*@*", "*";
flags = all, rehash;
};

/* exempt {}: IPs that are exempt from Dlines and rejectcache. (OLD d:) */
exempt {
ip = "127.0.0.1";
};

channel {
use_invex = yes;
use_except = yes;
use_forward = yes;
use_knock = yes;
knock_delay = 5 minutes;
knock_delay_channel = 1 minute;
max_chans_per_user = 15;
max_bans = 100;
max_bans_large = 500;
default_split_user_count = 0;
default_split_server_count = 0;
no_create_on_split = no;
no_join_on_split = no;
burst_topicwho = yes;
kick_on_split_riding = no;
only_ascii_channels = no;
resv_forcepart = yes;
channel_target_change = yes;
disable_local_channels = no;
};

serverhide {
flatten_links = yes;
links_delay = 5 minutes;
hidden = no;
disable_hidden = no;
};

blacklist {
host = "rbl.efnetrbl.org";
type = ipv4;
reject_reason = "${nick}, your IP (${ip}) is listed in EFnet's RBL. For assistance, see http://efnetrbl.org/?i=${ip}";

/* Example of a blacklist that supports both IPv4 and IPv6 */
};

alias "NickServ" {
target = "NickServ";
};

alias "ChanServ" {
target = "ChanServ";
};

alias "OperServ" {
target = "OperServ";
};

alias "MemoServ" {
target = "MemoServ";
};

alias "NS" {
target = "NickServ";
};

alias "CS" {
target = "ChanServ";
};

alias "OS" {
target = "OperServ";
};

alias "MS" {
target = "MemoServ";
};

general {
hide_error_messages = opers;
hide_spoof_ips = yes;
default_umodes = "+i";
default_operstring = "is an IRC Operator";
default_adminstring = "is a Server Administrator";
servicestring = "is a Network Service";
disable_fake_channels = no;
tkline_expire_notices = no;
default_floodcount = 10;
failed_oper_notice = yes;
dots_in_ident=2;
min_nonwildcard = 4;
min_nonwildcard_simple = 3;
max_accept = 100;
max_monitor = 100;
anti_nick_flood = yes;
max_nick_time = 20 seconds;
max_nick_changes = 5;
anti_spam_exit_message_time = 5 minutes;
ts_warn_delta = 30 seconds;
ts_max_delta = 5 minutes;
client_exit = yes;
collision_fnc = yes;
resv_fnc = yes;
global_snotices = yes;
dline_with_reason = yes;
kline_delay = 0 seconds;
kline_with_reason = yes;
kline_reason = "K-Lined";
identify_service = "NickServ@services.int";
identify_command = "IDENTIFY";
non_redundant_klines = yes;
warn_no_nline = yes;
use_propagated_bans = yes;
stats_e_disabled = no;
stats_c_oper_only=no;
stats_h_oper_only=no;
stats_y_oper_only=no;
stats_o_oper_only=yes;
stats_P_oper_only=no;
stats_i_oper_only=masked;
stats_k_oper_only=masked;
map_oper_only = no;
operspy_admin_only = no;
operspy_dont_care_user_info = no;
caller_id_wait = 1 minute;
pace_wait_simple = 1 second;
pace_wait = 10 seconds;
short_motd = no;
ping_cookie = no;
connect_timeout = 30 seconds;
default_ident_timeout = 5;
disable_auth = no;
no_oper_flood = yes;
max_targets = 4;
client_flood_max_lines = 20;
use_whois_actually = no;
oper_only_umodes = operwall, locops, servnotice;
oper_umodes = locops, servnotice, operwall, wallop;
oper_snomask = "+s";
burst_away = yes;
nick_delay = 0 seconds; # 15 minutes if you want to enable this
reject_ban_time = 1 minute;
reject_after_count = 3;
reject_duration = 5 minutes;
throttle_duration = 60;
throttle_count = 4;
max_ratelimit_tokens = 30;
away_interval = 30;
};

modules {
path = "/usr/lib/charybdis/modules";
path = "/usr/lib/charybdis/modules/autoload";
};
</pre>

Relevant part of the config file are:

<pre>
serverinfo {
.
.
sid = "01A"; <----------- This must be unique. You can choose two cipher and one letter.
hub = yes; <----------- This works as an hub. Allows other irc server to connects.
.
.
}

listen {
port = 5000, 6665 .. 6669; <---- Port where charybdis is listening. You can also bind to a specific ip adding "host" directive. If not specifyied charybdis listen on all interfaces.
sslport = 6697; <---- Port for SSL connection. You need a certificate in order to use this feature.
};

operator "ircadmin" {
user = "*@*"; <----------- This is a masq used to match who can become operator. This support CIDR. If you want to allows only 10.0.0.0/24, you can choose "*@10.0.0.*".
password = "MyStrongPassword"; <---- Password used to become IRC Operator.
flags = ~encrypted; <---- Tilde "~" means not. So the password used in this block is not encrypted. Without "~", you need to write the password in this block encrypted.
privset = "admin";
};

connect "irc2.alpinelab.lan" { <----------- Descriptive name of the server you want to connect to.
host="10.0.2.10"; <----------- IP or HOST. They MUST be valid. If hostname, it MUST be an A record.
send_password = "Password_To_Server"; <------- Password you sent TO irc2. In irc2 this is "accept_password".
accept_password = "Password_From_Server"; <------- Password you expect to receive FROM irc2. In irc2 this is "send_password"
flags = compressed, topicburst, autoconn; <------- Autoconn means that irc1 will try automatically to connect to irc2.
};

cluster {
name = "*.alpinelab.lan"; <----------- Masq to indicate what servers can share the information. Those information are written in the following "flags" entry.
flags = kline, tkline, unkline, xline, txline, unxline, resv, tresv, unresv; <--- Check IRC documentation to understand the meaning of those flags.
};

shared {
oper = "*@*", "*"; <----------- The user@host and the server must be on in order to set klines.
flags = all,rehash; <----------- flags: list of what to allow them to place. All oper will receive this.
};
</pre>

In the other server, irc2, configuration is pretty similar.

Those are the only difference of /etc/charybdis/ircd.conf:

<pre>
serverinfo {
sid = "02A";
hub = yes;
}

operator "ircadmin" {
user = "*@*";
password = "MyStrongPassword";
flags = ~encrypted;
privset = "admin";
};

connect "irc1.alpinelab.lan" {
host="10.0.1.10";
send_password = "Password_From_Server";
accept_password = "Password_To_Server";
flags = compressed, topicburst;
};
</pre>

In flags directive, connect{} block, we do not set "autoconn".
This means that irc1 will automatically connect to irc2, but not the contrary.

Charybdis has a lot of other cool features, like ssl connection, spam blacklisting and so on.
Look at documentation here: [http://www.stack.nl/~jilles/irc/charybdis-oper-guide/]

After having modifyied the ircd.conf in both server, fix the permissions:

{{Cmd|chown ircd /etc/charybdis/ircd.conf}}
{{Cmd|chmod 400 /etc/charybdis/ircd.conf}}

== Configure Atheme-iris ==

Atheme-iris is a nice webchat written in AJAX and Python. It's a fork of the famous qwebirc.

Configuration in pretty simple.

By default, atheme-iris will listen on all interfaces. If you want modify this behaviour, change /etc/conf.d/atheme-iris and set the IP address where atheme will bind.

<pre>
[execution]
args: -n -p 3989
syslog_addr:
syslog_port: 514

[irc]
server: localhost
port: 6667
ssl: false
bind_ip: 127.0.0.1
realname: http://irc1.alpinelab.lan
ident: nick
ident_string: webchat
webirc_mode: webirc
webirc_password: fish

[athemeengine]
xmlrpc_path:
chan_list_enabled: true
chan_list_max_age: 120
chan_list_count: 3

[feedbackengine]
from: moo@moo.com
to: moo@moo.com
smtp_host: 127.0.0.1
smtp_port: 25

[frontend]
base_url: http://irc1.alpinelab.lan:9090
network_name: AlpineLinux
app_title: %(network_name)s Web IRC
extra_html:
initial_nick:
prompt: true
chan_prompt: true
chan_autoconnect: true
static_base_url: /
dynamic_base_url: /

[atheme]
nickserv_login: true
chan_list_on_start: true
chan_list_cloud_view: false

[ui]
dedicated_msg_window: false
dedicated_notice_window: false
hide_joinparts: false
simple_color: false
fg_color: DDDDDD
fg_sec_color: 999999
bg_color: 111111
lastpos_line: true
nick_click_query: false
nick_colors: false
nick_status: false
flash_on_mention: false
beep_on_mention: false

[adminengine]
hosts: 127.0.0.1

[proxy]
forwarded_for_header:
forwarded_for_ips: 127.0.0.1

[tuneback]
update_freq: 0.5
maxbuflen: 100000
maxsubscriptions: 1
maxlinelen: 600
dns_timeout: 5
http_ajax_request_timeout: 30
http_request_timeout: 5
</pre>

In the [execution] block, parameters are overridden by /etc/conf.d/atheme-iris settings.

Replicate the same configuration in irc2.alpinelab.lan.

But in irc2 server, change the entry irc1.alpinelab.lan with irc2.alpinelab.lan.

Atheme-iris will connect to charybdis on 127.0.0.1 ip, according with this directive:

<pre>server: localhost</pre>

That's all.

Now, you can go with one browser to http://irc1.alpinelab.lan:9090 and another in http://irc2.alpinelab.lan:9090.

Login with two different users in the same channel.

You should view both users on both webclients.

Happy chatting.

== Useful links: ==

'''IRC Commands'''
[http://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands]

'''*-Line flags'''
[http://en.wikipedia.org/wiki/K-line_%28IRC%29#K-line]

OpenVCP

2012-10-26T18:18:58Z

Fcolista: /* Installing openvcp web access */

OpenVCP is a Open-Source VServer Control Panel published under the GNU General Public Licence (GPL). OpenVCP is developed for use with Linux in combination with Linux-Vserver ( http://www.linux-vserver.org ). It provides a web-based interface to manage a whole farm of VServer hosts, build guests, control the guests, account traffic and much more.

== Install openvcp daemon ==

{{Cmd|apk add util-vserver util-vserver-dev php-tls sqlite sqlite-dev libxml2 libxml2-dev libpcap libpcap-dev rsync libtool alpine-sdk}}

Download

{{Cmd|cd /tmp/
wget http://files.openvcp.org/openvcpd-0.5rc3.tar.gz}}

Unpack and delete tar file

{{Cmd|tar zxvf openvcpd-0.5rc3.tar.gz}}

{{Cmd|cd openvcpd-0.5rc3/}}

Configure Compile & install the daemon

{{Cmd|<nowiki>./configure --prefix=/usr --sysconfdir=/etc
make
make install</nowiki>}}

Create directories

{{Cmd|mkdir -p /vservers/backups
mkdir -p /vservers/userbackups
mkdir -p /vservers/images}}

Edit the config file

Change "IP" to your own ip and "Ifaces" to the interface you want to measure traffic on

{{Cmd|nano /etc/openvcpd.conf}}

Copy some images to your image directory usually "/vservers/images" (e.g.: http://www.openvcp.org/wiki/Downloads. ( These Images are just folders that contain a Linux system )

Start the daemon

{{Cmd|openvcpd}}

== Install openvcp web access with Lighttpd ==

{{:Setting Up Lighttpd With FastCGI}}

Install extra packages

{{Cmd|apk add mysql mysql-client php-mysql php-mysqli php-gettext php-sockets}}

== Configuring MySql ==

/usr/bin/mysql_install_db --user=mysql
/etc/init.d/mysql start && rc-update add mysql default
/usr/bin/mysqladmin -u root password 'password'

'''Create the openvcp database'''

Note: you can import the database from command line or from the openvcp web page later.

mysql -u root -p

CREATE DATABASE openvcp;
GRANT ALL PRIVILEGES ON openvcp.* TO "root";
FLUSH PRIVILEGES;
EXIT

== Installing openvcp web access ==

Make webapps folder

mkdir /usr/share/webapps/ -p

Download

cd /usr/share/webapps/
wget http://files.openvcp.org/openvcp-web-0.5rc3.tar.gz

Unpack and delete tar file

tar zxvf openvcp-web-0.5rc3.tar.gz
rm openvcp-web-0.5rc3.tar.gz

Change Folder Persmissions

chmod -R 777 /usr/share/webapps/openvcp/core/cache

Make symlinks to openvcp

ln -s /usr/share/webapps/openvcp/ /var/www/localhost/htdocs/openvcp

== Configuring openvcp web access ==

Browse to: http://WEBSERVER_IP_ADDRESS/openvcp/ and Install openvcp completing the information as appropriate from the web browser.

Openvcp Installation steps:

Welcome to the setup of OpenVCP

MySQL

* host: '''localhost'''
* dn: '''openvcp'''
* user: '''root'''
* Password: '''password'''
* prefix: '''openvcp_'''

Other

* location: '''/openvcp'''
relative to webroot
* default locale: '''en_US'''
* admin email: '''yourname@email.com'''

After set all click on "setup" to finish the installation.

Congratulations, you installed openvcp!

You have openvcp web access system working, to access go to http://WEBSERVER_IP_ADDRESS/openvcp/ user: ''Admin'' password: ''test''

[[Category:Server]]
[[Category:Virtualization]]

OpenVCP

2012-10-26T18:16:36Z

Fcolista: /* Configuring MySql */

OpenVCP is a Open-Source VServer Control Panel published under the GNU General Public Licence (GPL). OpenVCP is developed for use with Linux in combination with Linux-Vserver ( http://www.linux-vserver.org ). It provides a web-based interface to manage a whole farm of VServer hosts, build guests, control the guests, account traffic and much more.

== Install openvcp daemon ==

{{Cmd|apk add util-vserver util-vserver-dev php-tls sqlite sqlite-dev libxml2 libxml2-dev libpcap libpcap-dev rsync libtool alpine-sdk}}

Download

{{Cmd|cd /tmp/
wget http://files.openvcp.org/openvcpd-0.5rc3.tar.gz}}

Unpack and delete tar file

{{Cmd|tar zxvf openvcpd-0.5rc3.tar.gz}}

{{Cmd|cd openvcpd-0.5rc3/}}

Configure Compile & install the daemon

{{Cmd|<nowiki>./configure --prefix=/usr --sysconfdir=/etc
make
make install</nowiki>}}

Create directories

{{Cmd|mkdir -p /vservers/backups
mkdir -p /vservers/userbackups
mkdir -p /vservers/images}}

Edit the config file

Change "IP" to your own ip and "Ifaces" to the interface you want to measure traffic on

{{Cmd|nano /etc/openvcpd.conf}}

Copy some images to your image directory usually "/vservers/images" (e.g.: http://www.openvcp.org/wiki/Downloads. ( These Images are just folders that contain a Linux system )

Start the daemon

{{Cmd|openvcpd}}

== Install openvcp web access with Lighttpd ==

{{:Setting Up Lighttpd With FastCGI}}

Install extra packages

{{Cmd|apk add mysql mysql-client php-mysql php-mysqli php-gettext php-sockets}}

== Configuring MySql ==

/usr/bin/mysql_install_db --user=mysql
/etc/init.d/mysql start && rc-update add mysql default
/usr/bin/mysqladmin -u root password 'password'

'''Create the openvcp database'''

Note: you can import the database from command line or from the openvcp web page later.

mysql -u root -p

CREATE DATABASE openvcp;
GRANT ALL PRIVILEGES ON openvcp.* TO "root";
FLUSH PRIVILEGES;
EXIT

== Installing openvcp web access ==

Make webapps folder

{Cmd|mkdir /usr/share/webapps/ -p}}

Download

{Cmd|cd /usr/share/webapps/
wget http://files.openvcp.org/openvcp-web-0.5rc3.tar.gz}}

Unpack and delete tar file

{Cmd|tar zxvf openvcp-web-0.5rc3.tar.gz
rm openvcp-web-0.5rc3.tar.gz}}

Change Folder Persmissions

{Cmd|chmod -R 777 /usr/share/webapps/openvcp/core/cache}}

Make symlinks to openvcp

{Cmd|ln -s /usr/share/webapps/openvcp/ /var/www/localhost/htdocs/openvcp}}

== Configuring openvcp web access ==

Browse to: http://WEBSERVER_IP_ADDRESS/openvcp/ and Install openvcp completing the information as appropriate from the web browser.

Openvcp Installation steps:

Welcome to the setup of OpenVCP

MySQL

* host: '''localhost'''
* dn: '''openvcp'''
* user: '''root'''
* Password: '''password'''
* prefix: '''openvcp_'''

Other

* location: '''/openvcp'''
relative to webroot
* default locale: '''en_US'''
* admin email: '''yourname@email.com'''

After set all click on "setup" to finish the installation.

Congratulations, you installed openvcp!

You have openvcp web access system working, to access go to http://WEBSERVER_IP_ADDRESS/openvcp/ user: ''Admin'' password: ''test''

[[Category:Server]]
[[Category:Virtualization]]

Cvechecker

2012-05-25T07:49:05Z

Fcolista:

{{Draft}}

= How to check Alpine Security with CVEChecker =

== How Does it works ==

From the homepage of cvechecker: http://cvechecker.sourceforge.net/

cvechecker is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure.
Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself),
yet it is still better than nothing.
The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security.
With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system.
You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
- pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
- generate a list of files to scan
- gather installed software/version information
- output which CVE entries might affect your system
- generate a report informing you about the CVE entries

== Installation ==

cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

apk update -X http://rsync.alpinelinux.org/alpine/edge/main && apk add -X http://rsync.alpinelinux.org/alpine/edge/main cvechecker

== Configuration with sqlite ==

CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

cvechecker -i

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

apk add mysql mysql-client

/etc/init.d/mysql setup

/etc/init.d/mysql start && rc-update add mysql default

/usr/bin/mysqladmin -u root password 'new-password'

create a db user for cvechecker:

mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

You have two way to create tables into DB:

=== Via .sql script ===

Login as cvechecker into mysql:

mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

=== Via cvechecker ===

After you configured the DB, you can create tables with:

cvechecker -i

But in order to make it works, you have to configure DB settings in cvechecker.conf.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

pullcves pull

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

cvechecker -b /tmp/cvecheck.tmp

If you want, you can create a report with the entries (if they are found):

cvechecker -r

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

'''Note''':
if you want to send email, syou have to add mailx and configure an smtp server (like ssmtp). But this information goes beyond the purpose of this doc.

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.

Coul be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

=== Create Report ===

CVEChecker generate reports in a CSV format. Could be nice generate an html from this CSV.

This is a sample script that uses csv2xml and cvereport.xsl (two scripts that comes with cvechecker) that allows the generation of html file starting by csv.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=root@localhost
WEBDIR=/var/www/localhost/htdocs/cvechecker/
CONFFILE=/etc/cvechecker.conf
DATADIR=$(awk -F'=' '/^datadir/ {print $2}' ${CONFFILE} | awk -F'"' '{print $2}');
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
# Create Report.
# FYI: acknowledgements.xml is an hard-coded file name.
cvechecker -rC > $WEBDIR/report.csv
awk -F, -f ${DATADIR}/csv2xml.awk $WEBDIR/report.csv > ${DATADIR}/acknowledgements.xml
xsltproc ${DATADIR}/cvereport.xsl $DATADIR/acknowledgements.xml > ${WEBDIR}/report.html
printf "done\n".

'''Note''':
the html generated is pretty ugly, because cvereport.xsl has hard-coded the css file which is stored in /usr/share/cvechecker dir. Filename is report.css
You can copy the report.css file into $WEBDIR in order to have a nicer html file.

That's all. Enjoy Alpine!

[[Category:Security]]

Cvechecker

2012-05-17T11:39:20Z

Fcolista:

{{Draft}}

= How to check Alpine Security with CVEChecker =

== How Does it works ==

From the homepage of cvechecker: http://cvechecker.sourceforge.net/

cvechecker is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure.
Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself),
yet it is still better than nothing.
The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security.
With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system.
You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
- pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
- generate a list of files to scan
- gather installed software/version information
- output which CVE entries might affect your system
- generate a report informing you about the CVE entries

== Installation ==

cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

apk update -X http://rsync.alpinelinux.org/alpine/edge/main && apk add -X http://rsync.alpinelinux.org/alpine/edge/main cvechecker

== Configuration with sqlite ==

CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

cvechecker -i

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

apk add mysql mysql-client

/etc/init.d/mysql setup

/etc/init.d/mysql start && rc-update add mysql default

/usr/bin/mysqladmin -u root password 'new-password'

create a db user for cvechecker:

mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

You have two way to create tables into DB:

=== Via .sql script ===

Login as cvechecker into mysql:

mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

=== Via cvechecker ===

After you configured the DB, you can create tables with:

cvechecker -i

But in order to make it works, you have to configure DB settings in cvechecker.conf.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

pullcves pull

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

cvechecker -b /tmp/cvecheck.tmp

If you want, you can create a report with the entries (if they are found):

cvechecker -r

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.

Coul be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

That's all. Enjoy Alpine!

[[Category:Security]]

Cvechecker

2012-05-16T13:49:49Z

Fcolista:

{{Draft}}

= How to check Alpine Security with CVEChecker =

== How Does it works ==

From the homepage of cvechecker: http://cvechecker.sourceforge.net/

cvechecker is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure.
Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself),
yet it is still better than nothing.
The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security.
With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system.
You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
- pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
- generate a list of files to scan
- gather installed software/version information
- output which CVE entries might affect your system
- generate a report informing you about the CVE entries

== Installation ==

cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

apk update -X http://rsync.alpinelinux.org/alpine/edge/main && apk add -X http://rsync.alpinelinux.org/alpine/edge/main cvechecker

== Configuration with sqlite ==

CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

cvechecker -i

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

apk add mysql mysql-client

/etc/init.d/mysql setup

/etc/init.d/mysql start && rc-update add mysql default

/usr/bin/mysqladmin -u root password 'new-password'

create a db user for cvechecker:

mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

Login as cvechecker into mysql:

mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

pullcves pull

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

cvechecker -b /tmp/cvecheck.tmp

If you want, you can create a report with the entries (if they are found):

cvechecker -r

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.

Coul be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

That's all. Enjoy Alpine!

[[Category:Security]]

Cvechecker

2012-05-16T13:46:02Z

Fcolista:

{{Draft}}

= How to check Alpine Security with CVEChecker =

== How Does it works ==

From the homepage of cvechecker: http://cvechecker.sourceforge.net/

cvechecker is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure.
Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself),
yet it is still better than nothing.
The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security.
With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system.
You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
- pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
- generate a list of files to scan
- gather installed software/version information
- output which CVE entries might affect your system
- generate a report informing you about the CVE entries

== Installation ==

cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

apk update -X http://rsync.alpinelinux.org/alpine/edge/main && apk add -X http://rsync.alpinelinux.org/alpine/edge/main cvechecker

== Configuration with sqlite ==

CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

cvechecker -i

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

apk add mysql mysql-client

/etc/init.d/mysql setup

/etc/init.d/mysql start && rc-update add mysql default

/usr/bin/mysqladmin -u root password 'new-password'

create a db user for cvechecker:

mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

Login as cvechecker into mysql:

mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

pullcves pull

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

cvechecker -b /tmp/cvecheck.tmp

If you want, you can create a report with the entries (if they are found):

cvechecker -r

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.

Coul be a good idea run this script as cronjob.

So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

That's all. Enjoy Alpine!

Cvechecker

2012-05-16T13:44:22Z

Fcolista: Created page with "{{Draft}} = How to check Alpine Security with CVEChecker = == How Does it works == From the homepage of cvechecker: http://cvechecker.sourceforge.net/ cvechecker is an ..."

{{Draft}}

= How to check Alpine Security with CVEChecker =

== How Does it works ==

From the homepage of cvechecker: http://cvechecker.sourceforge.net/

cvechecker is an useful tool which helps to compare packeges installed in your distribution with the Common Vulnerabilities Exposure.
Is not a bullet-proof method and you will most likely have many false positives (vulnerability is fixed with a revision-release, but the tool isn’t able to detect the revision itself),
yet it is still better than nothing.
The idea is to automatize security check. But, clearly, this is not (and must not be) the only way to check security.
With the proper reporting in place, you are immediately warned when a new CVE has been released that might match your system.
You can then take the appropriate steps (acknowledge report, verify incident, fix package or mark as false positive).
Those are the steps:
- pull in the latest CVE entries as well as software/version detection rules (Adminsitrative task only)
- generate a list of files to scan
- gather installed software/version information
- output which CVE entries might affect your system
- generate a report informing you about the CVE entries

== Installation ==

cvechecker is available in edge main repo. If you are running a stable version of alpine, you can add the package from edge in this way:

apk update -X http://rsync.alpinelinux.org/alpine/edge/main && apk add -X http://rsync.alpinelinux.org/alpine/edge/main cvechecker

== Configuration with sqlite ==

CVEChecker's installation scripts create an user and a group, both called "cvechecker", in order to have a user with minimum privileges to run cvechecker.
In this folder cvechecker will creates the database (according with the cvechecker.conf, we use sqlite3. But also mysql is supported. This could be useful if you want to share only one DB with many routers/servers running Alpine)

Before use cvechecker you should configure cvechecker to use sqlite, then populate the DB with cve entries.
According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
dbtype = "sqlite";
#dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

Now, you can initialize the DB with:

cvechecker -i

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

== Configuration with MySQL ==

MySQL is another backend that cvechecker is able to use. Could be useful if you have several cvechecker installed in your network. In that way, you have only one "repository" of CVEs that needs to be updated.

apk add mysql mysql-client

/etc/init.d/mysql setup

/etc/init.d/mysql start && rc-update add mysql default

/usr/bin/mysqladmin -u root password 'new-password'

create a db user for cvechecker:

mysql -u root -p
mysql>CREATE DATABASE cvechecker;
mysql>CREATE USER 'cvechecker'@'%' IDENTIFIED BY 'cvecheckpass';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'localhost';
mysql>GRANT ALL ON cvechecker.* TO 'cvechecker'@'%';
mysql>FLUSH PRIVILEGES;

I set % because the DB and the users should allow access from other hosts. You can restrict this to allow only your domain.

Login as cvechecker into mysql:

mysql -D cvechecker -u cvechecker -p
mysql>source /usr/share/cvechecker/mysql_cvechecker.sql;

DB is ready.
Now, we should configure cvechecker to use mysql then populate the DB with cve entries.

According with our settings, /etc/cvechecker.conf would looks like:

# Generic settings
#
#dbtype = "sqlite";
dbtype="mysql";
cvecache = "/var/cvechecker/cache";
datadir = "/usr/share/cvechecker";
stringcmd = "/usr/bin/strings -n 3 '@file@'";
version_url = "http://cvechecker.svn.sourceforge.net/viewvc/cvechecker/versions.dat";
#userkey = "servertag";
#
# For Sqlite3
#
sqlite3: {
localdb = "/var/cvechecker/local";
globaldb = "/var/cvechecker/global.db";
};
#
# For MySQL
#
mysql: {
dbname = "cvechecker";
dbuser = "cvechecker";
dbpass = "cvecheckpass";
dbhost = "$IPADDRESS_OF_MYSQL_SERVER";
};

'''NOTE:'''
Running cvechecker -i (initialize database) it removes ALL entries in the DB.

=== Using CVEChecker ===

After the db is created, you have to pull the necessary data from the Internet:

pullcves pull

According with the manual, "This will take a very long time, so please be patient (loading over half a million CVE entries in a database is a time consuming - but one-time - activity).
Future pulls will not take this much time as they will not redownload the CVE entries from all previous years (unless you ask it to)."

(If you're behind a proxy, you should set it from env variable or with wget.rc)

Could be useful to crontab this task, maybe every day. Become the cvecheker user and run "crontab -e".
Insert the following to run pullcves every day at 5:00 AM

* 5 * * * /usr/bin/pullcves pull

Now, make a list of executables file as well as /proc/version and allows cvechecker to verify if there are kernel-related CVE entries for your Linux kernel and software installed.

find / -type f -perm -o+x > /tmp/cvecheck.tmp
cat /proc/version >> /tmp/cvecheck.tmp

Now, in /tmp/cvecheck.tmp you'll have all the binaries of your system with their version.
Check if there are cve with the following:

cvechecker -b /tmp/cvecheck.tmp

If you want, you can create a report with the entries (if they are found):

cvechecker -r

Simple script that helps to do it automatically. Copy and past it, save it as run_cvecheck.sh and give it exec permissions.

#!/bin/sh
tempfile=/tmp/cvecheck.tmp
EMAILADMIN=<%EMAIL ADDRESS USED FOR THIS TASK%>
find / -type f -perm -o+x > $tempfile
cat /proc/version >> $tempfile
cvechecker -b $tempfile > /dev/null 2>&1 # Run cvechecker against the software list
cvechecker -r > $tempfile > /dev/null 2>&1 # Create a report
if [ -s "$tempfile" ] ; then # If exists and non-zero, send it via email
mail $EMAILADMIN -s "CVE Checker" < $tempfile
fi ;
rm $tempfile

In order to make the last rows sent via email, you should configure an smtp server. Widely used is ssmtp.
This also can be run as cronjob.
So, you can do the same you did with pullcves: become the cvecheker user and run "crontab -e".

* 6 * * * /var/cvechecker/run_cvecheck.sh

Tutorials and Howtos

2011-08-02T09:12:39Z

Fcolista: /* Web Applications */

[[Image:package_edutainment.svg|left|link=]]
{{TOC right}}'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good examples. The output in one step is the starting point for the following step. 
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux. We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page [[Talk:Tutorials_and_Howtos|Discussion]].

== Installation ==

* [[Setting up a basic vserver]]
* [[Setting up Logical Volumes with LVM]]
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[XFCE Setup]]
* [[Gnome Setup]]
* [[Enable Serial Console on Boot]]
* [[Alpine Linux package management#Local_Cache | How to enable APK caching]]
* [[Installing Alpine on a virtual machine| Installation of Alpine Linux in a virtual machine]]
* [[Setting up Alpine in a chroot]]
* [[Upgrading to Edge]]
* [[Setting up a software raid1 array]]
* [[Manually editing a existing apkovl]]

== Networking ==
* [[Configure Networking]]
* [[Howto Configure a Network Bridge]]
* [[Howto Configure static routes]]
* [[Using serial modem]]
* [[Using HSDPA modem]]
* [[Using Alpine on Windows domain with IPSEC isolation]]
* [[Setting up Satellite Internet Connection]]
* [[Connecting to a wireless accesspoint]]
* [[Fault Tolerant Routing with Alpine Linux]]

== iSCSI ==
* [[iSCSI Target and Initiator Configuration]]
* [[iSCSI Raid and Clustered File Systems]]
* [[High performance SCST iSCSI Target on Linux software Raid]]

== Network Services ==
* [[Setting Up Lighttpd With FastCGI]]
* [[Setting up a OpenVPN-server with Alpine]]
* [[Setting up Zaptel/Asterisk on Alpine]]
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]
* [[Hosting services on Alpine]] ''(This applies to hosting mail, webservices and other services)''
** [[Setting up postfix with virtual domains]]
** [[Protecting your email server with Alpine]]
** [[Hosting Web/Email services on Alpine]]
* [[Setting up a ssh-server]]
* [[Multiple Instances of Services]]
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''
** [[ISP Mail Server Upgrade 2.x]]
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''
* [[Freepbx on Alpine Linux]]
* [[Apache authentication: NTLM Single Signon]]
* [[Generating SSL certs with ACF]]
* [[Changing passwords for ACF]]
* [[Freeradius Active Directory Integration]]
* [[High Availability High Performance Web Cache]] ''uCarp + HAProxy for High Availability Services such as Squid web proxy''

== Web Applications ==
* [[2600hz]] ''FreeSWITCH, Asterisk GUI web acces tool.''
* [[Awstats]] ''Free log file analyzer.''
* [[Drupal]] ''Content Management System (CMS) written in PHP.''
* [[EyeOS]] ''Cloud Computing Desktop.''
* [[FreePBX_V3]] ''FreeSWITCH, Asterisk GUI web acces tool.''
* [[Glpi]] ''Information Resource-Manager.''
* [[MediaWiki]] ''Free web-based wiki software application''
* [[Pastebin]] ''Pastebin software application''
* [[Phpizabi]] ''Social Networking Platform.''
* [[PhpPgAdmin]] ''Web-based administration tool for PostgreSQL.''
* [[Phpmyadmin]] ''Web-based administration tool for MYSQL.''
* [[Redmine]] ''Project management system ''
* [[Request-Tracker]] ''Ticket system''
* [[Roundcube]] ''Webmail system''
* [[Statusnet]] ''Microblogging Platform.''
* [[Sqstat]] ''Script to look active squid users connections.''
* [[Webmin]] ''A web-based interface for Linux system.''
* [[WordPress]] ''Web software to create website or blog. ''

== Monitoring ==
* [[Traffic monitoring]] ''(For Alpine Linux firewalls)''
* [[Setting up traffic monitoring using rrdtool (and snmp)]]
* [[Setting up Smokeping]] ''(Smokeping network latency monitoring)''
* [[Setting up Cacti]]
* [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)''
* [[Setting up Zabbix]]
* [[Setting Up Fprobe And Ntop]] ''NetFlow collection and analysis''

== Misc ==
* [[Setting up lm_sensors]]
* [[Formatting HD/Floppy/Other]]
* [[Screen on console]]
* [[Using espeak on Alpine Linux]]
* [[IPTV How To]]
* [[Pllua]]
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]

== Drafts ==
Those are not finished yet.
* [[Install Alpine on coLinux]]
* [[Using Racoon for Remote Sites]]
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)''
* [[Setting up Streaming an Asterisk Channel]]
* [[Setting up A Network Monitoring and Inventory System]] ''((Nagios + OpenAudit and related components)''
* [[Intrusion Detection using Snort]] ''Installing and configuring Snort and related applications on Alpine 2.0.x''
* [[IP Accounting]] ''Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector''
* [[Howto Setup a Wireless Access Point]] ''Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network''

== Obsolete Docs ==
Those are candidates for rewriting/removal.
* [[Bootstrapping Alpine on Soekris net4xxx]]
* [[Bootstrapping Alpine on PC Engines ALIX.3]]
* [[Setting up a /var partition on software IDE raid1]]
* [[Native Harddisk Install]]
* [[Installing XUbuntu using Alpine boot floppy]]
* [[Setting up trac wiki]]

Pastebin

2011-08-02T09:07:45Z

Fcolista: /* How To Install Your Own Pastebin Service */

= How To Install Your Own Pastebin Service =

A quick'n dirty doc about how to install a provate pastebin service.

There are a lot of pastebin service (http://en.wikipedia.org/wiki/Comparison_of_pastebins). We're going to use the oldest pastebin service, without DB support but only file.

'''Requirements:'''

* An up-and-running Web server (here are quoted apache, but is also possible to add nginx and lighttpd configuration) with modules:
* PHP
* vhosts
* mod_rewrite (for Apache and lighttpd, or NginxHttpRewriteModule for nginx)

== Download Pastebin setup file ==

{{Cmd|wget http://pastebin.dixo.net/pastebin.tar.gz}}

== Web Server Configuration to host pastebin ==

'''Apache'''
Unzip the downloaded file in the web server vhosts dir:
{{
Cmd|tar -zxvf pastebin.tar.gz -C /var/www/vhosts
}}

Rename vhosts dir:
{{
Cmd|mv /var/www/vhosts/pastebin-0.60 /var/www/vhosts/pastebin
}}

* Edit /etc/apache/httpd.conf and add the following:

<VirtualHost *:80>
ServerName pastebin.my.domain
DocumentRoot /var/www/vhosts/pastebin/public_html
ErrorLog /var/log/apache2/pastebin-error.log
CustomLog /var/log/apache2/pastebin-access.log common
php_value include_path .:/var/www/vhosts/pastebin/lib
php_value register_globals off
DirectoryIndex pastebin.php
RewriteEngine on
RewriteLog /var/log/apache2/pastebin-rewrite.log
RewriteRule /([a-z0-9]+)$ /pastebin.php?show=$1 [L]
</VirtualHost>

'''lighttpd'''
* Edit lighttpd.conf:
$HTTP["host"] =~ "(^|\.)paste.bin\.com$" {
server.document-root = "/var/www/vhosts/pastebin/public_html"
accesslog.filename = "/var/log/lighttpd/pastebin/access.log"
fastcgi.server = (
".php" => (
"localhost" => (
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/tmp/php-pastebin.socket",
"min-procs" => 1,
"max-procs" => 2,
"bin-copy-environment" => (
"PATH", "SHELL", "USER"
)
)
)
)
compress.cache-dir = "/var/www/cache/pastebin/"
url.rewrite-once = (
"^/(pastebin.css)" => "$0",
"^/(pastebin.js)" => "$0",
"^/diff/(.*)" => "/pastebin.php?diff=$1",
"^/(.*)" => "/pastebin.php?show=$1"
)
}

'''Nginx'''
* Edit nginx.conf (this is the significative part).
rewrite ^/([a-z0-9]+)$/pastebin.php?show=$1 last;

[[N.B. Nginx and Lighttpd configuration was not tested. These directive give you an idea on how is possibile to implement pastebin on those web servers.]]

== Configure pastebin ==

The configuration file is outside the directory "public_html", but is in "/lib/config" dir.

Copy''' default.conf.php''' into file that match your fqdn where pastebin service is hosted (e.g. pastebin.mydomain.com) with .conf.php extension.

In this case, will be: '''pastebin.mydomain.com.conf.php'''

* Edit '''pastebin.mydomain.com.conf.php''' and modify the following part:

$CONF['dbsystem']='file';
$CONF['base_domain_elements']=2;

The others directive are not mandatory, but should be modified according with your needs.

The [[first]] directive mean that the backend must be a file instead of mysql (that is by default).

The [[second]] specify which part of the filename '''pastebin.mydomain.com.conf.php''' is the domain name.

In this case the number is 2: mydomain and com.

Now, you have to create the directory that will contain the posts file.

According with '''db.file.class.php''' the directory must be '''$_SERVER['DOCUMENT_ROOT'].'/../posts/''' and must be writable by the user which runs webserver daemon.

{{Cmd|mkdir -p /var/www/vhosts/pastebin/posts
chown apache:apache /var/www/vhosts/pastebin/posts
}}

Now, restart the web server. Pastebin service should be reachable on pastebin.mydomain.com

[[Pastebin]]

Pastebin

2011-08-02T09:05:34Z

Fcolista: /* How To Install Pastebin Service */

Pastebin

2011-08-02T09:05:17Z

Fcolista: /* How To Install Pastebin Service */

= How To Install Pastebin Service =

A quick'n dirty doc about how to install a provate pastebin service.

There are a lot of pastebin service (http://en.wikipedia.org/wiki/Comparison_of_pastebins). We're going to use the oldest pastebin service, without DB support but only file.

'''Requirements:'''

* An up-and-running Web server (here are quoted apache, but is also possible to add nginx and lighttpd configuration) with modules:
* PHP
* vhosts
* mod_rewrite (for Apache and lighttpd, or NginxHttpRewriteModule for nginx)

== Download Pastebin setup file ==

{{Cmd|wget http://pastebin.dixo.net/pastebin.tar.gz}}

== Web Server Configuration to host pastebin ==

'''Apache'''
Unzip the downloaded file in the web server vhosts dir:
{{
Cmd|tar -zxvf pastebin.tar.gz -C /var/www/vhosts
}}

Rename vhosts dir:
{{
Cmd|mv /var/www/vhosts/pastebin-0.60 /var/www/vhosts/pastebin
}}

* Edit /etc/apache/httpd.conf and add the following:

<VirtualHost *:80>
ServerName pastebin.my.domain
DocumentRoot /var/www/vhosts/pastebin/public_html
ErrorLog /var/log/apache2/pastebin-error.log
CustomLog /var/log/apache2/pastebin-access.log common
php_value include_path .:/var/www/vhosts/pastebin/lib
php_value register_globals off
DirectoryIndex pastebin.php
RewriteEngine on
RewriteLog /var/log/apache2/pastebin-rewrite.log
RewriteRule /([a-z0-9]+)$ /pastebin.php?show=$1 [L]
</VirtualHost>

'''lighttpd'''
* Edit lighttpd.conf:
$HTTP["host"] =~ "(^|\.)paste.bin\.com$" {
server.document-root = "/var/www/vhosts/pastebin/public_html"
accesslog.filename = "/var/log/lighttpd/pastebin/access.log"
fastcgi.server = (
".php" => (
"localhost" => (
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/tmp/php-pastebin.socket",
"min-procs" => 1,
"max-procs" => 2,
"bin-copy-environment" => (
"PATH", "SHELL", "USER"
)
)
)
)
compress.cache-dir = "/var/www/cache/pastebin/"
url.rewrite-once = (
"^/(pastebin.css)" => "$0",
"^/(pastebin.js)" => "$0",
"^/diff/(.*)" => "/pastebin.php?diff=$1",
"^/(.*)" => "/pastebin.php?show=$1"
)
}

'''Nginx'''
* Edit nginx.conf (this is the significative part).
rewrite ^/([a-z0-9]+)$/pastebin.php?show=$1 last;

[[N.B. Nginx and Lighttpd configuration was not tested. These directive give you an idea on how is possibile to implement pastebin on those web servers.]]

== Configure pastebin ==

The configuration file is outside the directory "public_html", but is in "/lib/config" dir.

Copy''' default.conf.php''' into file that match your fqdn where pastebin service is hosted (e.g. pastebin.mydomain.com) with .conf.php extension.

In this case, will be: '''pastebin.mydomain.com.conf.php'''

* Edit '''pastebin.mydomain.com.conf.php''' and modify the following part:

$CONF['dbsystem']='file';
$CONF['base_domain_elements']=2;

The others directive are not mandatory, but should be modified according with your needs.

The [[first]] directive mean that the backend must be a file instead of mysql (that is by default).

The [[second]] specify which part of the filename '''pastebin.mydomain.com.conf.php''' is the domain name.

In this case the number is 2: mydomain and com.

Now, you have to create the directory that will contain the posts file.

According with '''db.file.class.php''' the directory must be '''$_SERVER['DOCUMENT_ROOT'].'/../posts/''' and must be writable by the user which runs webserver daemon.

{{Cmd|mkdir -p /var/www/vhosts/pastebin/posts
chown apache:apache /var/www/vhosts/pastebin/posts
}}

Now, restart the web server. Pastebin service should be reachable on pastebin.mydomain.com

Pastebin

2011-08-02T09:04:37Z

Fcolista: /* How To Install Pastebin Service */

Pastebin

2011-08-02T09:03:54Z

Fcolista: /* How To Install Pastebin Service */

= How To Install Pastebin Service =

A quick'n dirty doc about how to install a provate pastebin service.

There are a lot of pastebin service (http://en.wikipedia.org/wiki/Comparison_of_pastebins). We're going to use the oldest pastebin service, without DB support but only file.

'''Requirements:'''

* An up-and-running Web server (here are quoted apache, but is also possible to add nginx and lighttpd configuration) with modules:
* PHP
* vhosts
* mod_rewrite (for Apache and lighttpd, or NginxHttpRewriteModule for nginx)

== Download Pastebin setup file ==

{{Cmd|wget http://pastebin.dixo.net/pastebin.tar.gz}}

== Web Server Configuration to host pastebin ==

'''Apache'''

Unzip the downloaded file in the web server vhosts dir:
{{
Cmd|tar -zxvf pastebin.tar.gz -C /var/www/vhosts
}}

Rename vhosts dir:
{{
Cmd|mv /var/www/vhosts/pastebin-0.60 /var/www/vhosts/pastebin
}}

* Edit /etc/apache/httpd.conf and add the following:

<VirtualHost *:80>
ServerName pastebin.my.domain
DocumentRoot /var/www/vhosts/pastebin/public_html
ErrorLog /var/log/apache2/pastebin-error.log
CustomLog /var/log/apache2/pastebin-access.log common
php_value include_path .:/var/www/vhosts/pastebin/lib
php_value register_globals off
DirectoryIndex pastebin.php
RewriteEngine on
RewriteLog /var/log/apache2/pastebin-rewrite.log
RewriteRule /([a-z0-9]+)$ /pastebin.php?show=$1 [L]
</VirtualHost>

'''lighttpd'''

* Edit lighttpd.conf:
$HTTP["host"] =~ "(^|\.)paste.bin\.com$" {
server.document-root = "/var/www/vhosts/pastebin/public_html"
accesslog.filename = "/var/log/lighttpd/pastebin/access.log"
fastcgi.server = (
".php" => (
"localhost" => (
"bin-path" => "/usr/bin/php-cgi",
"socket" => "/tmp/php-pastebin.socket",
"min-procs" => 1,
"max-procs" => 2,
"bin-copy-environment" => (
"PATH", "SHELL", "USER"
)
)
)
)
compress.cache-dir = "/var/www/cache/pastebin/"
url.rewrite-once = (
"^/(pastebin.css)" => "$0",
"^/(pastebin.js)" => "$0",
"^/diff/(.*)" => "/pastebin.php?diff=$1",
"^/(.*)" => "/pastebin.php?show=$1"
)
}

'''Nginx'''

* Edit nginx.conf (this is the significative part).
rewrite ^/([a-z0-9]+)$/pastebin.php?show=$1 last;

[[N.B. Nginx and Lighttpd configuration was not tested. These directive give you an idea on how is possibile to implement pastebin on those web servers.]]

== Configure pastebin ==

The configuration file is outside the directory "public_html", but is in "/lib/config" dir.

Copy''' default.conf.php''' into file that match your fqdn where pastebin service is hosted (e.g. pastebin.mydomain.com) with .conf.php extension.

In this case, will be: '''pastebin.mydomain.com.conf.php'''

* Edit '''pastebin.mydomain.com.conf.php''' and modify the following part:

$CONF['dbsystem']='file';
$CONF['base_domain_elements']=2;

The others directive are not mandatory, but should be modified according with your needs.

The [[first]] directive mean that the backend must be a file instead of mysql (that is by default).

The [[second]] specify which part of the filename '''pastebin.mydomain.com.conf.php''' is the domain name.

In this case the number is 2: mydomain and com.

Now, you have to create the directory that will contain the posts file.

According with '''db.file.class.php''' the directory must be '''$_SERVER['DOCUMENT_ROOT'].'/../posts/''' and must be writable by the user which runs webserver daemon.

{{Cmd|mkdir -p /var/www/vhosts/pastebin/posts
chown apache:apache /var/www/vhosts/pastebin/posts
}}

Now, restart the web server. Pastebin service should be reachable on pastebin.mydomain.com

Pastebin

2011-08-02T07:59:22Z

Fcolista: Created page with "= How To Install Pastebin Service = A quick'n dirty doc about how to install a provate pastebin service. There are a lot of pastebin service (http://en.wikipedia.org/wiki/Compa..."