https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=ItoffshoreAlpine Linux - User contributions [en]2026-04-30T13:57:02ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Root_on_ZFS_with_native_encryption&diff=16533Root on ZFS with native encryption2019-10-20T12:48:11Z<p>Itoffshore: fix typo</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux using ZFS with a pool that uses ZFS' native encryption capabilities, which have been recently introduced in ZFS on Linux (ZoL) 0.8.0.<br />
<br />
Note that you must install the <code>/boot/</code> directory on an unencrypted partition (either an unencrypted ZFS pool or any other FS of your choosing, if it's compatible with your bootloader) to boot correctly.<br />
<br />
== Requirements ==<br />
<br />
You'll need a medium to put a live image on. You can use any live medium that supports ZoL >=0.8.x, but as of writing this it's easiest to use [https://cdimage.debian.org/cdimage/weekly-live-builds/amd64/iso-hybrid/ Debian Buster's live images] for this.<br />
<br />
== Hard Disk Device Name ==<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples. It also uses <code>rpool</code> as name of the root pool, you can change this at will, but be sure to change it everywhere it's mentioned.<br />
<br />
= Setting up Alpine Linux Using ZFS with native encryption =<br />
<br />
To install Alpine Linux in a ZFS pool with encryption enable, you cannot use the [[Installation|official installation]] procedure, so follow along this guide.<br />
<br />
== Preparing the Installation Environment ==<br />
<br />
This section assumes that you're using the previously mentioned Debian installation medium. If you're using a different medium feel free to skip this section.<br />
<br />
After booting the Debian image you'll have to enable the <code>experimental</code> repos for the time being to be able to access ZFS 0.8. For this you'll have to edit <code>/etc/apt/sources.list</code>:<br />
<br />
# sed 's/buster/experimental/' -i /etc/apt/sources.list<br />
# echo 'deb http://deb.debian.org/debian experimental contrib'<br />
<br />
Now install ZFS 0.8:<br />
<br />
# apt update<br />
# apt install libnvpair1linux libuutil1linux libzfs2linux libzpool2linux zfs-dkms zfsutils-linux zfs-zed<br />
<br />
And load the ZFS module:<br />
<br />
# modprobe zfs<br />
<br />
== Creating the Partition Layout ==<br />
<br />
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted ZFS pool.<br />
<br />
* Start the <code>fdisk</code> utility to set up partitions:<br />
<br />
# fdisk /dev/sda<br />
<br />
:* Create the <code>/boot/</code> partition:<br />
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>100m</code> to create a new 100 MB primary partition.<br />
<br />
:* Set the <code>/boot/</code> partition active:<br />
::* Enter <code>a</code> &rarr; <code>1</code>.<br />
<br />
:* Create the ZFS partition:<br />
::* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.<br />
<br />
:* To verify the settings, press <code>p</code>. The output shows, for example:<br />
<pre><br />
Device Boot Start End Sectors Size Id Type<br />
/dev/sda1 * 2048 206847 204800 100M 83 Linux<br />
/dev/sda2 206848 41943039 41736192 19.9G 83 Linux<br />
</pre><br />
* Press <code>w</code> to save the changes.<br />
<br />
== Setting up the root pool ==<br />
<br />
You can create your rootpool with the following command:<br />
<br />
# zpool create -o ashift=12 \<br />
-O acltype=posixacl -O canmount=off -O compression=lz4 \<br />
-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \<br />
-O encryption=aes-256-gcm -O keylocation=prompt -O keyformat=passphrase \<br />
-O mountpoint=/ -R /mnt \<br />
rpool /dev/sda2<br />
<br />
You will have to enter your passphrase at this point. Choose wisely, as your passphrase is most likely [https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#5-security-aspects the weakest link in this setup].<br />
<br />
A few notes on the options supplied to zpool:<br />
<br />
* <code>ashift=12</code> is recommended here because many drives today have 4KiB (or larger) physical sectors, even though they present 512B logical sectors<br />
<br />
* <code>acltype=posixacl</code> enables POSIX ACLs globally<br />
<br />
* <code>normalization=formD</code> eliminates some corner cases relating to UTF-8 filename normalization. It also enables <code>utf8only=on</code>, meaning that only files with valid UTF-8 filenames will be accepted.<br />
<br />
* <code>xattr=sa</code> vastly improves the performance of extended attributes, but is Linux-only. If you care about using this pool on other OpenZFS implementation don't specify this option.<br />
<br />
After completing this, confirm that the pool has been created:<br />
<br />
# zpool status<br />
<br />
Should return something like:<br />
<pre><br />
pool: rpool<br />
state: ONLINE<br />
scan: none requested<br />
config:<br />
<br />
NAME STATE READ WRITE CKSUM<br />
rpool ONLINE 0 0 0<br />
sda2 ONLINE 0 0 0<br />
<br />
errors: No known data errors<br />
</pre><br />
<br />
=== Creating the required datasets ===<br />
<br />
# zfs create -o mountpoint=none -o canmount=off rpool/ROOT<br />
# zfs create -o mountpoint=legacy rpool/ROOT/alpine<br />
# mount -t zfs rpool/ROOT/alpine /mnt/<br />
<br />
=== Creating optional datasets (feel free to add your own) ===<br />
<br />
# zfs create -o mountpoint=/home rpool/HOME<br />
# zfs create -o mountpoint=/var/log rpool/LOG<br />
<br />
== Creating the <code>/boot</code> filesystem ==<br />
<br />
# mkfs.ext4 /dev/sda1<br />
<br />
== Mounting the <code>/boot</code> filesystem ==<br />
<br />
* Create the <code>/mnt/boot/</code> directory and mount the <code>/dev/sda1</code> partition in this directory:<br />
<br />
# mkdir /mnt/boot/<br />
# mount -t ext4 /dev/sda1 /mnt/boot/<br />
<br />
== Installing Alpine Linux ==<br />
<br />
Please follow [[Installing_Alpine_Linux_in_a_chroot|Installing Alpine Linux in a chroot]] to setup a base install of Alpine Linux.<br />
<br />
After you've followed that guide, you still have to do some additional setup for ZFS:<br />
<br />
* As of the time of writing this ZFS 0.8.x is only available in [[Edge]], so you'll have to enable it in <code>/etc/apk/repositories</code>. Check [https://pkgs.alpinelinux.org/packages?name=zfs pkgs.alpinelinux.org] to see the status of this.<br />
<br />
* Install the ZoL and linux-vanilla package: <code>apk install linux-vanilla zfs</code><br />
<br />
* Enable ZFS' services:<br />
<br />
# rc-update add zfs-import sysinit<br />
# rc-update add zfs-mount sysinit<br />
<br />
* Edit the <code>/etc/mkinitfs/mkinitfs.conf</code> file and append <code>zfs</code> module to the <code>features</code> parameter:<br />
<br />
features="ata base ide scsi usb virtio ext4 lvm <u>zfs</u>"<br />
<br />
Be mindful to also include other modules which may be required for your setup, such as the <code>nvme</code> module.<br />
<br />
* Rebuild the initial RAM disk:<br />
<br />
# mkinitfs $(ls /lib/modules/)<br />
<br />
* Edit the <code>/etc/update-extlinux.conf</code> file, set the root ZFS dataset and append the following kernel options to the <code>default_kernel_opts</code> parameter:<br />
<br />
root=rpool/ROOT/alpine<br />
default_kernel_opts="... <u>rootfstype=zfs</u>"<br />
<br />
* Update extlinux's config (if you're not using a different bootloader)<br />
<br />
# update-extlinux<br />
# exit<br />
<br />
: Ignore the errors the <code>update-extlinux</code> utility displays.<br />
<br />
* Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
# dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda<br />
<br />
== Unmounting the filesystems ==<br />
<br />
* Unmount <code>/mnt/boot/</code>:<br />
<br />
# umount /mnt/boot/<br />
<br />
* Unmount all zfs filesystems:<br />
<br />
# zfs unmount -a<br />
<br />
* Reboot the system:<br />
<br />
# reboot<br />
<br />
== Booting the system ==<br />
<br />
Right now mkinitfs doesn't support ZFS asking for passwords during boot, so it'll throw you into a rescue shell for you to enter the password during boot. You have to do the following things after pressing enter:<br />
<br />
# zfs load-key -a<br />
# mount -t zfs rpool/ROOT/alpine /sysroot<br />
# exit<br />
<br />
And your system should continue booting! :)<br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations:<br />
<br />
* [[#Preparing_the_Installation_Environment|Preparing the Installation Environment]]<br />
<br />
* Load the ZFS kernel module:<br />
<br />
# modprobe zfs<br />
<br />
* [[#Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
# zpool import -R /mnt rpool<br />
# mount -t ext4 /dev/sda1 /mnt/boot<br />
<br />
* Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=11548Setting up a OpenVPN server2015-12-31T23:49:16Z<p>Itoffshore: /* Initial setup for administrating certificates */</p>
<hr />
<div><br />
This article describes how to set up an OpenVPN server with the Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to setup Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca openvpn_certs/server-ca.pem<br />
cert openvpn_certs/server-cert.pem<br />
dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf" <br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars.example ./vars #easy-rsa v3<br />
cp ./vars /etc/openvpn/keys #easy-rsa v2}}<br />
<br />
For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA<br />
<br />
The instructions below are for EasyRSA v2:<br />
<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
source the '''vars''' to set properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now lets make the CA certificates and keys<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up a 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up a 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= openVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=11547Setting up a OpenVPN server2015-12-31T23:46:32Z<p>Itoffshore: /* Initial setup for administrating certificates */</p>
<hr />
<div><br />
This article describes how to set up an OpenVPN server with the Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to setup Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca openvpn_certs/server-ca.pem<br />
cert openvpn_certs/server-cert.pem<br />
dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf" <br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars.example ./vars #easy-rsa v3<br />
cp ./vars /etc/openvpn/keys #easy-rsa v2}}<br />
<br />
For EasyRSA v3 see: https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto<br />
<br />
The instructions below are for EasyRSA v2:<br />
<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
source the '''vars''' to set properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now lets make the CA certificates and keys<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up a 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up a 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= openVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=11546Setting up a OpenVPN server2015-12-31T23:00:43Z<p>Itoffshore: /* Initial setup for administrating certificates */</p>
<hr />
<div><br />
This article describes how to set up an OpenVPN server with the Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to setup Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca openvpn_certs/server-ca.pem<br />
cert openvpn_certs/server-cert.pem<br />
dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf" <br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars.example /etc/openvpn/keys/vars}}<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
source the '''vars''' to set properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now lets make the CA certificates and keys<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up a 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up a 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= openVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=11545Setting up a OpenVPN server2015-12-31T22:58:22Z<p>Itoffshore: /* Initial setup for administrating certificates */</p>
<hr />
<div><br />
This article describes how to set up an OpenVPN server with the Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to setup Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca openvpn_certs/server-ca.pem<br />
cert openvpn_certs/server-cert.pem<br />
dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf" <br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars.example /etc/openvpn/keys}}<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
source the '''vars''' to set properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now lets make the CA certificates and keys<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up a 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up a 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= openVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=11544Setting up a OpenVPN server2015-12-31T22:45:57Z<p>Itoffshore: /* Manual Certificate Commands */</p>
<hr />
<div><br />
This article describes how to set up an OpenVPN server with the Alpine Linux.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here: [http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses WikiPedia]<br />
<br />
If your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [[Installing_Alpine]] to setup Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
{{Cmd| apk add openvpn}}<br />
<br />
Prepare autostart of OpenVPN<br />
<br />
{{Cmd|rc-update add openvpn default}}<br />
<br />
{{Cmd|modprobe tun<br />
echo "tun" >>/etc/modules}}<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is to make sure that you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice not to have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
You will need to create a server (ssl_server_cert) certificate for the server and one client (ssl_client_cert) for each client. To use the certificates, you should download the .pfx file and extract it.<br />
<br />
To extract the three parts of each .pfx file, use the following commands:<br />
<br />
To get the ca cert out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem}}<br />
<br />
To get the cert file out...<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem}}<br />
<br />
To get the private key file out. Make sure this stays private.<br />
<br />
{{Cmd|openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem}}<br />
<br />
On the VPN server, you can also install the '''acf-openvpn''' package, which contains a web page to automatically upload and extract the server certificate. There is also a button to automatically generate the Diffie Hellman parameters.<br />
<br />
If you would prefer to generate your certificates using OpenVPN utilities, see [[#Alternative Certificate Method]]<br />
<br />
= Configure OpenVPN server =<br />
Example configuration file for server. Place the following content in /etc/openvpn/openvpn.conf:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca openvpn_certs/server-ca.pem<br />
cert openvpn_certs/server-cert.pem<br />
dh openvpn_certs/dh1024.pem #to generate by hand #openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status /var/log/openvpn-status.log<br />
log-append /var/log/openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
<br />
{{Cmd|openvpn --config /etc/openvpn/openvpn.conf}}<br />
<br />
= Configure OpenVPN client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca client-ca.pem<br />
cert client-cert.pem<br />
key client-key.pem<br />
comp-lzo<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings if you are running a RAM-based system.<br />
{{Cmd|lbu commit}}<br />
<br />
= More than one server or client =<br />
<br />
If you want more than one server or client running on the same alpine box, use the standard [[Multiple Instances of Services]] process.<br />
<br />
For example, to create a config named "AlphaBravo":<br />
<br />
* Create an approriate /etc/openvpn/openvpn.conf file, but name it "/etc/openvpn/AlphaBravo.conf" <br />
* create a new symlink of the init.d script:<br />
{{Cmd|ln -s /etc/init.d/openvpn /etc/init.d/openvpn.AlphaBravo}}<br />
* Have the new service start automatically<br />
{{Cmd|rc-update add openvpn.AlphaBravo}}<br />
<br />
= Alternative Certificate Method =<br />
== Manual Certificate Commands ==<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
=== Initial setup for administrating certificates ===<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
{{Cmd|apk add easy-rsa # from the community repo<br />
cd /usr/share/easy-rsa}}<br />
If not already done then create a folder where you will save your certificates and save a copy of your '''/usr/share/easy-rsa/vars''' for later use.<BR><br />
{{Cmd|mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys}}<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
{{Cmd|vim /etc/openvpn/keys/vars}}<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
source the '''vars''' to set properties<br />
{{Cmd|source /etc/openvpn/keys/vars}}<br />
{{Cmd|touch /etc/openvpn/keys/index.txt<br />
echo 00 > /etc/openvpn/keys/serial}}<br />
<br />
=== Set up a 'Certificate Authority' (CA) ===<br />
Clean up the '''keys''' folder.<br />
<br />
{{Cmd|./clean-all}}<br />
<br />
Generate Diffie Hellman parameters<br />
<br />
{{Cmd|./build-dh}}<br />
<br />
Now lets make the CA certificates and keys<br />
<br />
{{Cmd|./build-ca}}<br />
<br />
=== Set up a 'OpenVPN Server' ===<br />
Create server certificates<br />
<br />
{{Cmd|./build-key-server <commonname>}}<br />
<br />
=== Set up a 'OpenVPN Client' ===<br />
Create client certificates<br />
{{Cmd|./build-key <commonname>}}<br />
<br />
=== Revoke a certificate ===<br />
To revoke a certificate<br />
<br />
{{Cmd|./revoke-full <commonname>}}<br />
<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<br />
<br />
{{Cmd|crl-verify crl.pem}}<br />
<br />
[[Category:Networking]]<br />
[[Category:Security]]<br />
<br />
= openVPN and LXC =<br />
<br />
Let's call this LXC "mylxc"...<br />
<br />
On the host <pre><br />
modprobe tun<br />
mkdir /var/lib/lxc/mylxc/rootfs/dev/net<br />
mknod /var/lib/lxc/mylxc/rootfs/dev/net/tun c 10 200<br />
chmod 666 /var/lib/lxc/mylxc/rootfs/dev/net/tun<br />
</pre><br />
<br />
In /var/lib/lxc/mylxc/config <pre><br />
lxc.cgroup.devices.allow = c 10:200 rwm<br />
</pre><br />
<br />
In the guest <pre><br />
apk add openvpn<br />
</pre> Then config as usual...<br />
<br />
This should work both as server and as client.</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Include:Copying_Alpine_to_Flash&diff=11528Include:Copying Alpine to Flash2015-12-20T12:28:36Z<p>Itoffshore: Add note for creating USB in KVM</p>
<hr />
<div>=== Boot Alpine Linux CD-ROM ===<br />
# Insert the Alpine Linux CD-ROM into a computer.<br />
# Boot the computer from the Alpine Linux CD-ROM.<br />
#* This step may require changes to the BIOS settings to select booting from CD. <br />
# Login with the username ''root''. No password is needed.<br />
<br />
{{Tip|If you're not able to boot from the CD, then another option is to boot from a regular Alpine installation, and [[Burning_ISOs|manually mount the ISO image to {{Path|/media/cdrom}}]].}} <br />
<br />
=== Determine the Device Name of the {{{1|Flash Medium}}} ===<br />
Determine the name your computer uses for your {{{1|flash medium}}}. The following step is one way to do this.<br />
# After inserting the {{{1|flash medium}}}, run the command:<br />
#* {{Cmd|dmesg}}<br />
#* At the end of this command you should see the name of your {{{1|flash medium}}}, likely starting with "sd". (For example: "sda").<br />
#* The remainder of this document will assume that your {{{1|flash medium}}} is called /dev/sda<br />
<br />
{{Warning|If you are not using a virtual machine, be very careful about this. You do not want to mistakenly wipe your hard drive if it's on /dev/sda}}<br />
<br />
=== Format {{{1|Flash Medium}}} ===<br />
Run fdisk (replacing sda with your {{{1|flash medium}}} name):<br />
{{Cmd|fdisk /dev/sda}}<br />
<br />
# (''Optional'') - Create new partition table with one FAT32 partition<br />
#* '''d''' Delete all partitions (this may take a few steps)<br />
#* '''n''' Create a new partition<br />
#* '''p''' A primary partition<br />
#* '''1''' Partition number 1<br />
#** Use defaults for first and last cylinder (just press [Enter] twice).<br />
#* '''t''' Change partition type<br />
#* '''c''' Partition type (Win95 FAT32/LBA)<br />
#Verify that the primary partition is bootable<br />
#* '''p''' Print list of partitions<br />
#* If there is no '*' next to the first partition, follow the next steps:<br />
#** '''a''' <big>Make the partition bootable (set boot flag)</big><br />
#** '''1''' Partition number 1<br />
#'''w''' Write your changes to the device<br />
<br />
=== Add Alpine Linux to the {{{1|Flash Medium}}} ===<br />
To boot from your {{{1|flash medium}}} you need to copy the contents of the CDROM to the {{{1|flash medium}}} and make it bootable. Those two operations can be automated with the [[setup-bootable]] tool or can be done manually.<br />
<br />
See also notes to [http://it-offshore.co.uk/linux/alpine-linux/48-alpine-linux-usb-stick-kvm create an Alpine Linux USB stick from within KVM] with [[setup-bootable]].<br />
<br />
{{Note|If the following commands fail due to 'No such file or directory', you may have to remove and reinsert the {{{1|flash medium}}}, or even reboot, to get /dev/sda1 to appear}}<br />
<br />
==== Automated ====<br />
{{Tip|If using Alpine Linux 1.10.4 or newer, you can use this section to complete the install. Otherwise, follow the Manual steps below.}}<br />
{{Note|The target partition has to be formatted. Use the <code>mkdosfs</code> command from the Manual steps below if needed.}}<br />
# Run the [[setup-bootable]] script to add Alpine Linux to the {{{1|flash medium}}} and make it bootable (replacing sda with your {{{1|flash medium}}} name):<br />
#: {{Cmd|setup-bootable /media/cdrom /dev/sda1}}<br />
{{Note|If you get something like '<code>Failed to mount /dev/sda1 on /media/sda1</code>' when running the above [[setup-bootable]] command, you might want to try running:<br />
{{Cmd|modprobe vfat}}<br />
and then try re-run the [[setup-bootable]] command as described above.}}<br />
{{Warning|If you are installing to a USB Stick, you may need to modify the {{Path|syslinux.cfg}} file to say <code>usbdisk</code> as [[#Wrong_Device_Name|described below]], or you will face possible problems booting and definite problems with the package cache. Recent versions of <code>setup-bootable</code> will specify the alpine_dev using a UUID instead, so it should work properly by default.}}<br />
<br />
==== Manual ====<br />
# (''Optional'') - If you created a new partition above, format the {{{1|flash medium}}} with a FAT32 filesystem (replacing sda with your {{{1|flash medium}}} name):<br />
#: {{Cmd|apk add dosfstools<BR>mkdosfs -F32 /dev/sda1}}<br />
# Install syslinux and MBR (replacing sda with your {{{1|flash medium}}} name):<br />
#: {{Cmd|{{{|apk add syslinux<BR>dd if=/usr/share/syslinux/mbr.bin of=/dev/sda}}}<BR>syslinux /dev/sda1}}<br />
#Copy the files to the {{{1|flash medium}}} (replacing sda with your {{{1|flash medium}}} name):<br />
#: {{Cmd|<nowiki>mkdir -p /media/sda1<br />
mount -t vfat /dev/sda1 /media/sda1<br />
cd /media/cdrom<br />
cp -a .alpine-release * /media/sda1/<br />
umount /media/sda1</nowiki>}}<br />
# (''Optional'') Remove any apkovl files that were transfered as part of the copy process. This should be done if you wish to have a fresh install. Replace sda with your {{{1|flash medium}}} name)<br />
#: {{Cmd|<nowiki>mount -t vfat /dev/sda1 /media/sda1<br />
rm /media/sda1/*.apkovl.tar.gz<br />
umount /media/sda1</nowiki>}}<br />
<br />
== Troubleshooting ==<br />
=== Wrong Device Name ===<br />
If you cannot boot from the {{{1|flash medium}}} and you see something like:<br />
Mounting boot media failed.<br />
initramfs emergency recovery shell launched. Type 'exit' to continue boot<br />
then it is likely that the device name in {{Path|syslinux.cfg}} is wrong. You should replace the device name in this line:<br />
append initrd=/boot/grsec.gz alpine_dev='''usbdisk''':vfat modules=loop,cramfs,sd-mod,usb-storage quiet<br />
with the proper device name.<br />
* For boot from USB, the device name should be 'usbdisk' (as shown above)<br />
* For other options, you can run <code>cat /proc/partitions</code> to see the available disks (i.e. 'sda' or 'sdb')<br />
<br />
=== Non-FAT32 Filesystems ===<br />
When your {{{1|flash medium}}} is formatted with a filesystem other than FAT32, you might have to specify the necessary filesystem modules in the boot parameters.<br />
<br />
To do so, mount the {{{1|flash medium}}} and change the {{Path|syslinux.cfg}} file line from <br />
append initrd=/boot/grsec.gz alpine_dev=usbdisk:vfat modules=loop,cramfs,sd-mod,usb-storage quiet<br />
to<br />
append initrd=/boot/grsec.gz alpine_dev=usbdisk:'''ext3''' modules=loop,cramfs,sd-mod,usb-storage''',ext3''' quiet<br />
in the case of an ext3 formatted partition. A similar procedure might apply to other filesystems (if they are supported by syslinux and the Alpine Linux kernel).</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=11524LXC2015-12-11T15:05:52Z<p>Itoffshore: /* Ubuntu template */</p>
<hr />
<div>[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc lxc-templates bridge}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
</pre><br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname):<br />
<br />
MIRROR="http://%MIRROR%/ubuntu/" lxc-create -n ubtn -f /etc/lxc/default.conf -t ubuntu -- -r trusty<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=11523LXC2015-12-11T15:05:24Z<p>Itoffshore: </p>
<hr />
<div>[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc lxc-templates bridge}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
</pre><br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname):<br />
<br />
MIRROR="http://%MIRROR%/ubuntu/" lxc-create -n ubtn -f /etc/lxc/default.conf -t ubuntu -- -r trusty<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=11522LXC2015-12-11T15:02:25Z<p>Itoffshore: /* Debian template */</p>
<hr />
<div>[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc lxc-templates bridge}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
</pre><br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname):<br />
<br />
MIRROR="http://%MIRROR%/ubuntu/" lxc-create -n ubtn -f /etc/lxc/default.conf -t ubuntu -- -r trusty<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=11369LVM on LUKS2015-11-04T04:28:56Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
The manual notes on this page can be [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations automated] with:<br />
<br />
* '''A custom version of 'setup-disk' with LUKS support.'''<br />
* '''A custom Partition Editor ('setup-partitions') to create & mount normal / LUKS / LVM partitions.'''<br />
* '''[http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations Both scripts] support GPT Partition Schemes.'''<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_disks_manually&diff=11368Setting up disks manually2015-11-04T04:13:35Z<p>Itoffshore: /* Custom partitioning */</p>
<hr />
<div>{{Draft}}<br />
<br />
You may have complex needs that aren't handled automatically by the [[Alpine Setup Scripts]]. In those cases, you'll need to prepare your disks manually.<br />
<br />
It is possible to have one or more of RAID, encryption, and/or LVM on your {{Path|/}} (root) volume. However, the Alpine init script only knows how to handle them when they're layered in that order, and your initram and extlinux.conf file in the {{Path|/boot}} partition are configured properly.<br />
<br />
Your {{Path|/boot}} cannot reside on a encrypted or LVM volume, at least not with Alpine's default bootloader (extlinux). (Grub2 can deal with {{Path|/boot}} being on an LVM volume.) The usual practice is to create a small partition for {{Path|/boot}}, and then devote the rest of your disk to a separate partition on which you layer one or more of RAID, encryption, and/or LVM.<br />
<br />
Sometimes {{Path|/boot}} is also setup as a mirrored (RAID1) volume, however this is just for post-init access. That way, when you write a new kernel or bootloader config file to {{Path|/boot}}, it gets written to multiple physical partitions. During the pre-init, bootloader phase, only one of those partitions will be read from.<br />
<br />
So, typical setups might look like this:<br />
<br />
<pre><br />
One-disk system<br />
---------------<br />
+------------------------------------------------+<br />
| small partition (32--100M), holding |<br />
| only /boot, filesystem needn't be journaled |<br />
+------------------------------------------------+<br />
| rest of disk in second partition |<br />
| +------------------------------------------+ |<br />
| | cryptsetup volume | |<br />
| | +-------------------------------------+ | |<br />
| | | LVM PV, containing single VG, | | |<br />
| | | containing multiple LVs, holding | | |<br />
| | | /, /home, swap, etc | | |<br />
| | +-------------------------------------+ | |<br />
| +------------------------------------------+ |<br />
+------------------------------------------------+<br />
<br />
<br />
Two-disk system<br />
---------------<br />
+------------------------------------------------+ +------------------------------------------------+<br />
| small partition (32--100M), holding | | small partition (32--100M), holding | These 2 partitions might<br />
| only /boot, filesystem needn't be journaled | | only /boot, filesystem needn't be journaled | form a mirrored (RAID1)<br />
+------------------------------------------------+ +------------------------------------------------+ volume<br />
| rest of disk in second partition | | rest of disk in second partition |<br />
| T================================================================================================T | These 2 partitions form<br />
| T +--------------------------------------------------------------------------------------------+ T | a second mirrored<br />
| T | cryptsetup volume | T | (RAID1) volume<br />
| T | +---------------------------------------------------------------------------------------+ | T |<br />
| T | | LVM PV, containing single VG, | | T |<br />
| T | | containing multiple LVs, holding | | T |<br />
| T | | /, /home, swap, etc | | T |<br />
| T | +---------------------------------------------------------------------------------------+ | T |<br />
| T +--------------------------------------------------------------------------------------------+ T |<br />
| T================================================================================================T |<br />
| | | |<br />
+------------------------------------------------+ +------------------------------------------------+<br />
<br />
</pre><br />
<br />
In a three-disk system, the {{Path|/boot}} would still be RAID1, but the larger partition might in that case be RAID5.<br />
<br />
<br />
=== RAID ===<br />
<code>setup-disk</code> will automatically build a RAID array if you supply the '''-r''' switch, or if you specify more than one device.<br />
<br />
If you instead want to build your RAID array manually, see [[Setting up a software RAID array]]. Then you can add additional layers of encryption and/or LVM, or just assemble the RAID array, and supply the {{Path|/dev/md<i>i</i>}} device directly to [[setup-disk]]. When you're finished, be sure to disassemble the RAID array before rebooting.<br />
<br />
If <code>setup-disk</code> sees that you're using RAID---either because you gave it the <code>-r</code> switch, or multiple devices, or a {{Path|/dev/md<i>i</i>}} device---then it will setup your initramfs and extlinux.conf file properly. However, in other cases, such as when you're also using encryption, or you invoke <code>setup-disk</code> with a mounted directory argument, these might not be properly setup for RAID. In that case, you may need to manually edit/rebuild them. The following assumes that <code>$MNT</code> holds the root directory you're installing into:<br />
<br />
{{Cmd|1=echo "/sbin/mdadm" > $MNT/etc/mkinitfs/files.d/raid<br />
echo "/etc/mdadm.conf" >> $MNT/etc/mkinitfs/files.d/raid<br />
&#35; edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..."<br />
&#35; includes raid (this field is space-separated and quoted)<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT<br />
&#35; edit $MNT/etc/update-extlinux.conf to make sure modules=... contains<br />
&#35; raid1 or raid456 (whichever your / is on; this field is comma-separated)<br />
&#35; also check the root= setting<br />
extlinux --raid --install $MNT/boot --update<br />
}}<br />
<br />
{{Todo|Does adding the <code>--update</code> option to <code>extlinux ...</code> suffice to make {{Path|/boot/extlinux.conf}} be regenerated? Or do we need to manually tweak that file, or run <code>update-extlinux</code>, as well?}}<br />
<br />
You might also need to manually tweak {{Path|$MNT/etc/fstab}}. And you might need to copy {{Path|/usr/share/syslinux/mbr.bin}} to your disk's MBR.<br />
<br />
=== Encryption ===<br />
<br />
See [[Setting up encrypted volumes with LUKS]]. Then you can add an additional layer of LVM, or just unlock the volume you've created (using <code>cryptsetup luksOpen ...</code>), and supply the {{Path|/dev/mapper/<i>something</i>}} device directly to [[setup-disk]]. When you're finished, be sure to relock the volume (using <code>cryptsetup luksClose ...</code>) before rebooting.<br />
<br />
If you install your {{Path|/}} (root) on an encrypted volume, you'll need to manually edit/rebuild your initram and your extlinux.conf file. The following assumes that <code>$MNT</code> holds the root directory you're installing into, that you've created the cryptvolume on the device {{Path|/dev/md2}}, and that you want to unlock the encrypted volume into a virtual volume named "crypt":<br />
<br />
{{Cmd|1=&#35; edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..."<br />
&#35; includes cryptsetup (this field is space-separated and quoted)<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT<br />
&#35; edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..."<br />
&#35; contains cryptroot=/dev/md1 and cryptdm=crypt (this field is also space-separated and quoted)<br />
&#35; also check the root= setting<br />
extlinux --install $MNT/boot --update<br />
}}<br />
<br />
{{Todo|Does adding the <code>--update</code> option to <code>extlinux ...</code> suffice to make {{Path|/boot/extlinux.conf}} be regenerated? Or do we need to manually tweak that file, or run <code>update-extlinux</code>, as well?}}<br />
<br />
You might also need to manually tweak {{Path|$MNT/etc/fstab}}.<br />
<br />
=== LVM ===<br />
<code>setup-disk</code> will automatically build and use volumes in a LVM group if you supply the '''-L''' switch.<br />
<br />
If you instead want to build your LVM system manually, see [[Setting up Logical Volumes with LVM]]. Then <code>vgchange -ay</code>, format and mount your volumes, and supply the root mountpoint to [[setup-disk]]. When you're finished, be sure to<br />
{{Cmd|umount ...<br />
vgchange -an}}<br />
before rebooting.<br />
<br />
<br />
If <code>setup-disk</code> sees that you're using LVM---perhaps because you gave it the <code>-L</code> switch---then it will setup your initram and extlinux.conf file properly. However, in other cases, these might not be properly setup. In that case, you may need to manually edit/rebuild them. The following assumes that <code>$MNT</code> holds the root directory you're installing into:<br />
<br />
{{Cmd|1=&#35; edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..."<br />
&#35; includes lvm (this field is space-separated and quoted)<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT<br />
&#35; edit $MNT/etc/update-extlinux.conf to make sure root= is set correctly<br />
extlinux --install $MNT/boot --update<br />
}}<br />
<br />
{{Todo|Does adding the <code>--update</code> option to <code>extlinux ...</code> suffice to make {{Path|/boot/extlinux.conf}} be regenerated? Or do we need to manually tweak that file, or run <code>update-extlinux</code>, as well?}}<br />
<br />
You might also need to manually tweak {{Path|$MNT/etc/fstab}}.<br />
<br />
=== Custom partitioning ===<br />
<code>setup-disk</code> will by default set up a root parition, a separate /boot partition and a swap. If you want a different layout you can manually create the parititions, filesystems and mount them up on {{Path|/mnt}} (or any other mount point) and then run:<br />
<br />
{{Cmd|setup-disk /mnt}}<br />
<br />
<code>setup-disk</code> will install your running system on the mounted root, detect your file system layout and generate a fstab. You are responsible for making the proper partition bootable and make sure the MBR is ok for extlinux.<br />
<br />
See also [https://github.com/itoffshore/alpine-linux-scripts setup-partitions]<br />
<br />
=== Dual-booting ===<br />
See [[Installing Alpine on HDD dualbooting|Install to HDD with dual-boot]]<br />
<br />
=== Other needs ===<br />
* [[Installing Alpine Linux in a chroot]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
<br />
<br />
<!--<br />
Create partition with with type "Linux" (83).<br />
apk_add e2fsprogs rsync<br />
mkfs.ext3 /dev/hda1<br />
mount -t ext3 /dev/hda1 /mnt<br />
ROOT=/mnt apk_add uclibc busybox apk-tools alpine-baselayout alpine-conf<br />
# Install busybox links<br />
mkdir /mnt/proc && mount --bind /proc /mnt/proc && chroot /mnt /bin/busybox --install -s && umount /mnt/proc<br />
# Copy the apk repository<br />
rsync -ruav /media/cdrom/apks /mnt<br />
mkdir /mnt/etc/apk && echo "APK_PATH=file://apks" > /mnt/etc/apk/apk.conf<br />
# Copy the hd/ext3 initramfs image, kernel and kernel modules<br />
rsync -ruav /media/cdrom/kernel/generic/hd-ext3.gz /media/cdrom/kernel/generic/bzImage /mnt<br />
rsync -ruav /lib/modules/* /mnt/lib/modules/<br />
--><br />
<br />
<br />
<!--<br />
== Setting up the RAID ==<br />
Set up a raid array as described [[Setting up a software RAID1 array|here]].<br />
In this document two raid arrays are configured: md0 for swap (512MB) and md1 for /var. <br />
<br />
== Create filesystem ==<br />
We need to install the software to create the filesystem ("format" the partition).<br />
apk_add e2fsprogs<br />
<br />
If you use an Alpine release older than 1.3.8 you will need to manually create a link to /etc/mtab.<br />
ln -fs /proc/mounts /etc/mtab<br />
<br />
Create the filesystem. The -j option makes it ext'''3'''. Without the -j option it will become non-journaling ext'''2'''. This step might take some time if your partition is big.<br />
mke2fs -j /dev/md1<br />
<br />
<br />
Now edit /etc/fstab and add your new partitions. Mine looks like this:<br />
none /proc proc defaults 0 0<br />
none /sys sysfs defaults 0 0<br />
udev /dev tmpfs size=100k 0 0<br />
none /dev/pts devpts defaults 0 0<br />
tmpfs /dev/shm tmpfs defaults 0 0<br />
/dev/cdrom /media/cdrom iso9660 ro 0 0<br />
/dev/fd0 /media/floppy vfat noauto 0 0<br />
/dev/usba1 /media/usb vfat noauto 0 0<br />
none /proc/bus/usb usbfs noauto 0 0<br />
<br />
/dev/md0 swap swap defaults 0 0<br />
/dev/md1 /var ext3 defaults 0 0<br />
<br />
== Move the data ==<br />
Now you should stop all services running that put anything in /var (syslog for example). If you have booted on a clean installation and not run setup-alpine, then no services should be running. However, some packages might have created dirs in /var so we need to backup /var mount the new and move all backed up dirs back to the raided /var.<br />
<br />
mv /var /var.tmp<br />
mkdir /var<br />
mount /var<br />
mv /var.tmp/* /var<br />
rmdir /var.tmp<br />
<br />
Verify that everyting looks ok with the ''df'' utility.<br />
~ $ df<br />
Filesystem 1k-blocks Used Available Use% Mounted on<br />
none 255172 23544 231628 9% /<br />
udev 100 0 100 0% /dev<br />
/dev/cdrom 142276 142276 0 100% /media/cdrom<br />
/dev/md1 37977060 181056 35866876 1% /var<br />
<br />
== Survive reboots ==<br />
Now we have everything up and running. We need to make sure that everything will be restored during next reboot.<br />
<br />
Create an initscript that will mount /var for you during boot. I call it /etc/init.d/mountdisk and it looks like this:<br />
#!/sbin/runscript<br />
<br />
start() {<br />
ebegin "Mounting /var"<br />
mount /var<br />
eend $?<br />
}<br />
<br />
stop() {<br />
ebegin "Unmounting /var"<br />
umount /var<br />
eend $?<br />
}<br />
<br />
Make it exectutable:<br />
chmod +x /etc/init.d/mountdisk<br />
<br />
'''NOTE:''' Since Alpine-1.7.3 there is a ''localmount'' script shipped so you will not need to create your own ''mountdisk'' script.<br />
<br />
And that /var is mounted *after* raid is created. The -k option will make alpine to unmount the /Var partition during boot. Also add start of swap too boot<br />
rc_add -k -s 06 mountdisk<br />
rc_add -k -s 06 swap<br />
<br />
The /dev/md* device nodes will not be created automatically so we need to put the on floppy too.<br />
lbu include /dev/md*<br />
<br />
If you have users on the server and want /home to be permanent, you can create a directory /var/home and create links to /var/home.<br />
mkdir /var/home<br />
mv /home/* /var/home/<br />
ln -s /var/home/* /home/<br />
<br />
'''NOTE:''' You cannot just replace /home with a link that points to /var/home since the base has a /home directory. When the boot tries to copy the config from floppy it will fail because of the already existing /home directory.<br />
<br />
Make sure the links are stored to floppy:<br />
lbu include /home/*<br />
<br />
Also remember to move any newly created users to /var/home and create a link:<br />
adduser bob<br />
mv /home/bob /var/home/<br />
ln -s /var/home/bob /home/bob<br />
lbu include /home/bob<br />
<br />
Save to floppy:<br />
lbu commit floppy<br />
<br />
== Test it works ==<br />
Reboot computer. Now should the raid start and /var should be mounted. Check with df:<br />
~ $ df<br />
Filesystem 1k-blocks Used Available Use% Mounted on<br />
none 255172 23976 231196 9% /<br />
mdev 100 0 100 0% /dev<br />
/dev/cdrom 140932 140932 0 100% /media/cdrom<br />
/dev/md1 37977060 180984 35866948 1% /var<br />
<br />
== Upgrades ==<br />
Since the package database is placed on disk, you cannot update by simply replacing the CDROM. You will have to either run the upgrade on the new CDROM or run ''apk_add -u ... && update-conf'' manually.<br />
--><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
== Setting up swap ==<br />
<br />
# create partition with type "linux swap" (82) (If you're going to use an LVM logical volume for swap, skip this step and <code>lvcreate</code> that instead.)<br />
# <code>mkswap /dev/sda2</code><br />
# <code>echo -e "/dev/sda2 none swap sw 0 0" >> /mnt/etc/fstab</code><br />
# <code>swapon /dev/sda2</code> (or <code>rc-service swap start</code>)<br />
<br />
Then {{Cmd|free -m}} will show how much swap space is available (in MB).<br />
<br />
If you prefer maximum speed, you don't need configure any raid devices for swap. Just add 2 swap partitions on different disks and linux will stripe them automatically. The downside is that at the moment one disk fails, the system will go down. For better reliability, put swap on RAID1. <br />
<br />
{{Todo|Instructions for cryptswap?}}<br />
<br />
[[Category:Installation]]<br />
[[Category:Storage]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Logical_Volumes_with_LVM&diff=11367Setting up Logical Volumes with LVM2015-11-04T04:06:09Z<p>Itoffshore: /* More Info on LVM */</p>
<hr />
<div>[[Category:Storage]]<br />
{{Tip|This process can be done automatically by using the [[setup-disk]] script, using the -L option.}}<br />
This document how to create logical volumes in Alpine using lvm2.<br />
<br />
LVM is collection of programs that allow larger physical disks to be reassembled into "logical" disks that can be shrunk or expanded as data needs change.<br />
<br />
In this document we will use a [[Setting up a software RAID array|software RAID1 device]] as physical storage for our logical volumes. We will set up a swap partition and a data partition for [[Setting up a basic vserver|vservers ]]<br />
=== Installing LVM software ===<br />
First we need to load the kernel driver, ''dm-mod''<br />
<br />
{{Cmd|modprobe dm-mod}}<br />
<br />
We also want it to be loaded during next reboot.<br />
<br />
{{Cmd|echo dm-mod >> /etc/modules}}<br />
<br />
We also need the userspace programs.<br />
<br />
{{Cmd|apk add lvm2}}<br />
<br />
=== Preparing the physical volumes ===<br />
First we need to tell LVM that the partition is available as a physical volume and can be added to a volume group. In this example we use a software raid array as physical volume.<br />
<br />
{{Cmd|pvcreate /dev/md0}}<br />
<br />
=== Preparing the Volume Group ===<br />
We can then create a volume group and add the physical volume ''/dev/md0''<br />
<br />
{{Cmd|vgcreate vg0 /dev/md0}}<br />
<br />
If we later need more space we can add additional physcal volumes with ''vgextend''. All physcal disks/partitions added need to be prepared with ''pvcreate''.<br />
<br />
=== Creating Logical volumes ===<br />
In the volume group we can create logical volumes. To create a 1GB volume called ''swap'' and a 6GB volume called 'vservers'' on the volume group ''vg0'' we run<br />
<br />
{{Cmd|lvcreate -n swap -L 1G vg0<br />
lvcreate -n vservers -L 6G vg0}}<br />
<br />
=== Display Logical Volumes ===<br />
You can now se the logical volumes with the lvdisplay utility.<br />
<br />
lvdisplay<br />
--- Logical volume ---<br />
LV Name /dev/vg0/swap<br />
VG Name vg0<br />
LV UUID a4NYOi-FQP6-Lj5Q-0TYk-Jjtk-Qxjt-nxeBPn<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 1.00 GB<br />
Current LE 256<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:0<br />
<br />
--- Logical volume ---<br />
LV Name /dev/vg0/vservers<br />
VG Name vg0<br />
LV UUID 16VMmy-7I0s-eeoW-tL2V-JrlN-jM6C-d0wEg0<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 6.00 GB<br />
Current LE 1536<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:1<br />
<br />
=== Rename Logical Volumes ===<br />
<br />
{{Cmd|lvrename /dev/vg0/vservers /dev/vg0/database}}<br />
<br />
=== Extend Logical Volumes ===<br />
If you want to add space and the volume has the room for it...<br />
<br />
{{Cmd|lvextend -L +50G /dev/vg0/vservers}}<br />
<br />
If you want to set the space to a new larger size...<br />
<br />
{{Cmd|lvextend -L 10G /dev/vg0/vservers}}<br />
<br />
=== Start LVM during Boot ===<br />
We want lvm to init the logical volumes during boot. There is a boot service named ''lvm'' to do this. If your volumes are on raid, make sure that ''/etc/init.d/lvm'' is started after mdadm-raid.<br />
<br />
{{Cmd|rc-update add lvm}}<br />
<br />
Or, on Alpine Linux 1.8 or earlier:<br />
<br />
{{Cmd|rc_add -s 12 -k lvm}}<br />
<br />
=== Setting up swap ===<br />
Now we have our devices in /dev/vg0 and can use them as normal disk paritions. To set up swap:<br />
<br />
{{Cmd|mkswap /dev/vg0/swap}}<br />
<br />
Add the following line to your ''/etc/fstab'':<br />
<br />
/dev/vg0/swap none swap sw 0 0<br />
<br />
=== Setting up /vservers partition ===<br />
Finally we want to set up an XFS partition for /vservers.<br />
<br />
Install xfsprogs.<br />
<br />
{{Cmd|apk add xfsprogs}}<br />
<br />
Create filesystem on /dev/vg0/vservers.<br />
<br />
{{Cmd|mkfs.xfs /dev/vg0/vservers}}<br />
<br />
Add the mount information to your /etc/fstab: NOTE:tagxid may cause this not to mount. Try this by hand and check dmesg to see if there are any errors<br />
<br />
/dev/vg0/vservers /vservers xfs noatime,tagxid 0 0<br />
<br />
Note that the ''tagxid'' option is specific for setting up vserver [http://oldwiki.linux-vserver.org/Disk+Limits disk limits] so it might be you don't want it. The ''noatime'' option is to increase performance but you will no longer know when files were accessed last time.<br />
<br />
=== Starting localmount and swap ===<br />
<br />
Now we can mount our partition.<br />
{{Cmd|mount /vservers}}<br />
<br />
Make sure we run ''localmount'' during boot too, and that it is done after lvm. In Alpine Linux 1.9 and newer this should not be needed<br />
<br />
{{Cmd|rc-update add localmount boot}}<br />
<br />
Or, on Alpine Linux 1.8 or earlier:<br />
<br />
{{Cmd|rc_add -s 14 -k localmount}}<br />
<br />
Start the swap service and make sure it starts during next reboot and that it starts '''after''' lvm.<br />
<br />
{{Cmd|/etc/init.d/swap start<br />
rc-update add swap}}<br />
<br />
Or, on Alpine Linux 1.8 or earlier:<br />
{{Cmd|/etc/init.d/swap start<br />
rc_add -s 14 -k swap}}<br />
<br />
=== More Info on LVM ===<br />
These resources may be helpful:<br />
<br />
* the [http://tldp.org/HOWTO/LVM-HOWTO/commontask.html common tasks] section in the [http://tldp.org/HOWTO/LVM-HOWTO/index.html LVM Howto]<br />
* [http://wiki.alpinelinux.org/wiki/LVM_on_LUKS Alpine wiki page for LVM on LUKS]<br />
* [https://wiki.archlinux.org/index.php/LVM Arch wiki page on LVM]<br />
* [https://wiki.archlinux.org/index.php/Software_RAID_and_LVM Arch wiki page on RAID and LVM]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=11366LVM on LUKS2015-11-04T04:02:03Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
The manual notes on this page can be [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations automated] with:<br />
<br />
* '''A custom version of 'setup-disk' with LUKS support.'''<br />
* '''A custom Partition Editor ('setup-partitions') to create & mount normal / LUKS / LVM partitions.'''<br />
* '''Both scripts support GPT Partition Schemes.'''<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_encrypted_volumes_with_LUKS&diff=11365Setting up encrypted volumes with LUKS2015-11-04T03:36:26Z<p>Itoffshore: </p>
<hr />
<div>See:<br />
<br />
http://wiki.alpinelinux.org/wiki/LVM_on_LUKS <br />
<br />
https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS<nowiki /><br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=User:Itoffshore&diff=11043User:Itoffshore2015-07-11T22:59:32Z<p>Itoffshore: Created page with "On <code>#alpine-linux</code> & <code>#alpine-devel</code> I am <code>BitL0G1c</code> Various guides for Alpine can be found on [http://it-offshore.co.uk/linux/alpine-linux m..."</p>
<hr />
<div>On <code>#alpine-linux</code> & <code>#alpine-devel</code> I am <code>BitL0G1c</code><br />
<br />
Various guides for Alpine can be found on [http://it-offshore.co.uk/linux/alpine-linux my website].<br />
<br />
My setup-scripts are hosted on [https://github.com/itoffshore/alpine-linux-scripts Github].</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Creating_patches&diff=10840Creating patches2015-05-06T16:10:00Z<p>Itoffshore: fix git send-mail for multiple patches</p>
<hr />
<div>Patches should be created with git and submitted to [mailto:alpine-aports@lists.alpinelinux.org alpine-aports] mailing list with ''git send-email''.<br />
<br />
== Only the last commit with 'git send-email' ==<br />
<br />
To submit the last commit as a patch to [mailto:alpine-aports@lists.alpinelinux.org alpine-aports] mailing list:<br />
<br />
{{Cmd|git send-email --to alpine-aports@lists.alpinelinux.org HEAD^}}<br />
<br />
The first line in commit message will be ''subject'' and the long description (separated with empty line) will be the body in the email. The example below shows <br />
<br />
<pre><br />
Initial APKBUILD file of packagename <- Subject line<br />
<br />
Enter some details about your package <- Mail body<br />
here if you like. <br />
</pre><br />
<br />
{{Note|The git send-email command is provided by the '''git-email''' package ('''git-perl''' in v2.7 and older). }}<br />
<br />
Read [[Development using git]] to send patch with SMTP Auth.<br />
<br />
== Multiple commits with 'git send-email' ==<br />
<br />
If you have many commits you can create a directory with patches and send them with <tt>git send-email</tt>.<br />
<br />
{{Cmd|<nowiki>rm -Rf patches<br />
mkdir patches<br />
git format-patch -o patches origin<br />
git send-email patches --compose --no-chain-reply-to --to alpine-aports@lists.alpinelinux.org</nowiki>}}<br />
<br />
You can also format patches for the last x number of commits with:<br />
{{Cmd|<nowiki>git format-patch -x -o patches</nowiki>}}<br />
<br />
This will produce the patches for each local commit in the directory "patches" and send them.<br />
Use --no-chain-reply-to make sure it doesn't reply.<br />
<br />
<!-- what does the following mean? --><br />
Don't do:<br />
* [PATCH 0/m]<br />
** [PATCH 1/m]<br />
*** [PATCH 2/m]<br />
**** ...<br />
But do:<br />
* [PATCH 0/m]<br />
** [PATCH 1/m]<br />
** [PATCH 2/m]<br />
** ..<br />
<br />
[[Category:Development]]<br />
[[Category:Git]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=10834LXC2015-05-03T21:17:26Z<p>Itoffshore: Add note for postgresql + autostart note - I think the original autostart note is broken in current LXC & s/be removed ?</p>
<hr />
<div>[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc lxc-templates bridge}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
</pre><br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=10602LVM on LUKS2015-04-02T19:40:24Z<p>Itoffshore: /* Configuring LVM on top of LUKS */</p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
* '''An install script with LUKS support can be found [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations here]. A script to create & mount LUKS / LVM partitions is also available.'''<br />
<br />
* '''Both scripts support GPT Partition Schemes.'''<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=10601LVM on LUKS2015-04-02T19:37:32Z<p>Itoffshore: /* Configuring LVM on top of LUKS */</p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
'''An install script with LUKS support can be found [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations here]. A script to create & mount LUKS / LVM partitions is also available. Both scripts support GPT Partition Schemes.'''<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=10592LVM on LUKS2015-03-26T17:40:35Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
'''An install script with LUKS support can be found [http://it-offshore.co.uk/linux/21-linux/alpine-linux/25-alpine-linux-luks-encrypted-installations here]. A script to create & mount LUKS / LVM partitions is also available.'''<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=10250LVM on LUKS2015-01-10T21:07:46Z<p>Itoffshore: /* Configuring LVM on top of LUKS */</p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support <br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
or alternatively rebuild the initramfs with:<br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
rc-service haveged start<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
<nowiki># *** note mounts under /dev/vol/partition NOT /dev/mapper/vol-partition - for installation ONLY.</nowiki><br />
<br />
<nowiki># mkinitfs fails to generate a working initramfs for LUKS when installing a new system with /dev/mapper </nowiki><br />
<br />
<nowiki># LVM devices mounted (but boots installed systems with /dev/mapper LVM devices in /etc/fstab without problems</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvmcrypt /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs</nowiki><br />
<br />
mkinitfs -c $MNT/etc/mkinitfs/mkinitfs.conf -b $MNT <br />
<br />
<nowiki># alternative method (ignore extlinux errors)</nowiki><br />
<br />
<nowiki># apk fix --root $MNT linux-grsec</nowiki><br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9974LVM on LUKS2014-05-15T09:33:58Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
* [http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
rc-update add haveged default<br />
<br />
* As an alternative to creating a /tmp partition in the below instructions, /tmp can be mounted in RAM with the following entry in /etc/fstab:<br />
<br />
tmpfs /tmp tmpfs defaults,noexec,noatime,nodev,nosuid,mode=1777 0 0<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9972LVM on LUKS2014-05-13T11:47:43Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9965LVM on LUKS2014-05-07T22:49:57Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid,mode=1777 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># 'apk fix' will give an error for missing modules - fix with a symlink in /lib/modules & rerun 'apk fix' above</nowiki><br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9951LVM on LUKS2014-05-05T18:23:59Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid,mode=1777 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=9950Tutorials and Howtos2014-05-01T20:59:11Z<p>Itoffshore: /* Storage */</p>
<hr />
<div>[[Image:package_edutainment.svg|right|link=]]<br />
{{TOC left}}<br />
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
<br />
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.<br />
<br />
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.<br />
<br />
We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].<br />
<br />
{{Clear}}<br />
== Storage ==<br />
<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' <!-- Installation and Storage --><br />
** [[Back Up a Flash Memory Installation]] <!-- Installation and Storage --><br />
** [[Manually editing a existing apkovl]]<br />
<br />
* [[Setting up disks manually]] <!-- Installation and Storage --><br />
* [[Setting up a software RAID1 array]]<br />
<!-- ** [[Setting up a /var partition on software IDE raid1]] Obsolete, Installation and Storage --> <br />
* [[Raid Administration]]<br />
* [[Setting up encrypted volumes with LUKS]]<br />
* [[Setting up LVM on LUKS]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
** [[Setting up LVM on GPT-labeled disks]]<br />
** [[Installing on GPT LVM]]<br />
* [[Filesystems|Formatting HD/Floppy/Other]] <!-- just a stub --><br />
<br />
* [[Setting up iSCSI]]<br />
** [[iSCSI Raid and Clustered File Systems]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' <!-- solution --><br />
* [[Linux iSCSI Target (TCM)]]<br />
* [[Disk Replication with DRBD]] <!-- draft --><br />
<br />
* [[Burning ISOs]] <!-- just some links now --><br />
* [[Bootmanagers]]<br />
* [[Migrating data]]<br />
<br />
== Networking ==<br />
<br />
* [[Configure Networking]]<br />
* [[Connecting to a wireless access point]]<br />
* [[Bonding]]<br />
* [[Vlan]]<br />
* [[Bridge]]<br />
* [[How to configure static routes]]<br />
<br />
* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''<br />
<br />
* [[Using serial modem]]<br />
* [[Using HSDPA modem]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' <!-- Server and Networking --><br />
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''<br />
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''<br />
<!-- [[Using Racoon for Remote Sites]] is a different VPN tunnelling method, but that article is just a stub --><br />
* [[Experiences with OpenVPN-client on ALIX.2D3]] <!-- solution --><br />
<br />
* [[Generating SSL certs with ACF]] <!-- Generating SSL certs with ACF 1.9 --><br />
* [[Setting up unbound DNS server]]<br />
* [[Setting up nsd DNS server]]<br />
* [[TinyDNS Format]]<br />
* [[Fault Tolerant Routing with Alpine Linux]] <!-- solution --><br />
* [[Freeradius Active Directory Integration]]<br />
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''<br />
* [[OwnCloud]] ''(Installing OwnCloud)''<br />
<br />
== Post-Install ==<br />
<!-- If you edit this, please coordinate with Installation#Post-Install and Developer_Documentation#Package_management. Note that these three sections are not exact duplicates. --><br />
<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''<br />
<!-- [[Alpine Linux package management#Local_Cache|How to enable APK caching]] --><br />
** [[Comparison with other distros]]<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''<br />
** [[Back Up a Flash Memory Installation]] <!-- new --><br />
** [[Manually editing a existing apkovl]]<br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
<!-- [[Writing Init Scripts]] --><br />
* [[Upgrading Alpine]]<br />
<!-- Obsolete<br />
[[Upgrading Alpine - v1.9.x]]<br />
[[Upgrading Alpine - CD v1.8.x]]<br />
[[Upgrading Alpine - HD v1.8.x]]<br />
[[Upgrade to repository main|Upgrading to signed repositories]]<br />
--><br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
* [[Ansible]] ''(Configuration management)''<br />
<br />
* [[Enable Serial Console on Boot]]<br />
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]<br />
<br />
== Desktop Environment ==<br />
<br />
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]<br />
* [[EyeOS]] ''(Cloud Computing Desktop)''<br />
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')<br />
* [[Gnome Setup]]<br />
* [[Awesome(wm) Setup]]<br />
<br />
== Applications ==<br />
<br />
=== Telephony ===<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
** [[Setting up Streaming an Asterisk Channel]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''<br />
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''<br />
<br />
=== Mail ===<br />
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[ISP Mail Server HowTo]] <!-- solution, Mail --><br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Setting up postfix with virtual domains]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Setting up clamsmtp]]<br />
* [[Setting up dovecot with imap and ssl]]<br />
<br />
=== HTTP ===<br />
* [[Lighttpd]]<br />
** [[Lighttpd Https access]]<br />
** [[Setting Up Lighttpd with PHP]]<br />
** [[Setting Up Lighttpd With FastCGI]]<br />
* [[Cherokee]]<br />
* [[Nginx]]<br />
* [[Apache]]<br />
** [[Setting Up Apache with PHP]]<br />
** [[Apache authentication: NTLM Single Signon]]<br />
<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' <!-- solution, Server --><br />
<br />
* [[Setting up Transparent Squid Proxy]] <!-- draft --><br />
** [[SqStat]] ''(Script to look at active squid users connections)''<br />
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[Setting up Explicit Squid Proxy]]<br />
<br />
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''<br />
* [[WordPress]] ''(Web software to create website or blog)''<br />
* [[MediaWiki]] ''(Free web-based wiki software application)''<br />
* [[DokuWiki]]<br />
* [[Darkhttpd]]<br />
<br />
=== Other Servers ===<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
<br />
* [[Setting up a nfs-server]]<br />
* [[Phpizabi]] ''(Social Networking Platform)''<br />
* [[Statusnet]] ''(Microblogging Platform)''<br />
* [[Pastebin]] ''(Pastebin software application)''<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
<br />
* [[Redmine]] ''(Project management system)''<br />
* [[Request-Tracker]] ''(Ticket system)''<br />
* [[OsTicket]] ''(Ticket system)''<br />
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''<br />
<br />
* [[Cgit]]<br />
** [[Setting up a git repository server with gitolite and cgit]] <!-- doesn't exist yet --><br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Glpi]] ''(Manage inventory of technical resources)''<br />
<br />
* [[How to setup a Alpine Linux mirror]]<br />
* [[Cups]]<br />
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''<br />
* [[OpenVCP]] ''(VServer Control Panel)''<br />
* [[Mahara]] ''(E-portfolio and social networking system)''<br />
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]<br />
* [[Sending SMS using gnokii]]<br />
<br />
=== Monitoring ===<br />
* [[Traffic monitoring]] <!-- Networking and Monitoring --><br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]] <!-- Monitoring --><br />
* [[Setting up monitoring using rrdtool (and rrdcollect)]]<br />
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''<br />
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft, solution, Networking and Monitoring and Server --><br />
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' <!-- Networking and Monitoring --><br />
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' <!-- Networking and Monitoring --><br />
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]<br />
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' <!-- Networking and Monitoring --><br />
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' <!-- Monitoring and Security --><br />
<br />
* [[IP Accounting]] <!-- Networking and Monitoring --><br />
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[SqStat]] ''(Script to look at active squid users connections)''<br />
<br />
* [[Piwik]] ''(A real time web analytics software program)''<br />
* [[Awstats]] ''(Free log file analyzer)''<br />
* [[Intrusion Detection using Snort]]<br />
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]<br />
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''<br />
<br />
* [[Webmin]] ''(A web-based interface for Linux system)''<br />
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''<br />
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''<br />
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''<br />
* [[Linfo]]<br />
<br />
* [[Setting up lm_sensors]]<br />
<br />
== Misc ==<br />
<br />
* [[:Category:Shell]]<br />
* [[:Category:Programming]]<br />
* [[Running glibc programs]]<br />
* [[:Category:Drivers]]<br />
* [[:Category:Multimedia]]<br />
<br />
== Complete Solutions ==<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]]<br />
* [[Fault Tolerant Routing with Alpine Linux]]<br />
* [[Experiences with OpenVPN-client on ALIX.2D3]]<br />
<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''<br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft --><br />
* [[Streaming Security Camera Video with VLC]]<br />
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]<br />
<br />
<br />
<!--<br />
This does not attempt to be complete. Is it useful to have these listed here? I find them more accessible if grouped with their topics; also, an up-to-date list of all Draft or Obsolete pages can be found at [[Project:Wiki maintenance]].<br />
<br />
== Drafts ==<br />
Currently unfinished/works-in-progress.<br />
* [[Using Racoon for Remote Sites]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)'' [!-- no longer a draft --]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''(Installing and configuring Snort and related applications on Alpine 2.0.x)''<br />
* [[IP Accounting]] ''(Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector)''<br />
* [[Disk Replication with DRBD]]<br />
--></div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_LVM_on_LUKS&diff=9948Setting up LVM on LUKS2014-05-01T20:50:58Z<p>Itoffshore: Itoffshore moved page New page to Setting up LVM on LUKS: renaming from "New Page"</p>
<hr />
<div>#REDIRECT [[LVM on LUKS]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_LVM_on_LUKS&diff=9947Setting up LVM on LUKS2014-05-01T20:43:10Z<p>Itoffshore: Itoffshore moved page New page to LVM on LUKS: renaming from "New Page"</p>
<hr />
<div>#REDIRECT [[LVM on LUKS]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9946LVM on LUKS2014-05-01T20:43:10Z<p>Itoffshore: Itoffshore moved page New page to LVM on LUKS: renaming from "New Page"</p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid,mode=1777 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9945LVM on LUKS2014-05-01T20:26:01Z<p>Itoffshore: </p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
* '''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
apk fix --root $MNT linux-grsec<br />
<br />
* '''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
* '''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
fdisk /dev/vda<br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
* Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with: <br />
cryptsetup benchmark<br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code>setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid,mode=1777 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki></code><br />
<br />
----<br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshorehttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=9944LVM on LUKS2014-05-01T19:53:23Z<p>Itoffshore: Created page with " == Configuring LVM on top of LUKS == The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following: '''(1)''' Mount p..."</p>
<hr />
<div><br />
== Configuring LVM on top of LUKS ==<br />
<br />
<br />
The most common errors for failure to boot a LUKS installation can be fixed with '''(1)''' or all of the following:<br />
<br />
<br />
'''(1)''' Mount partitions & rebuild initramfs to include LUKS support (ignore extlinux errors) <br />
<br />
<code>apk fix --root $MNT linux-grsec</code><br />
<br />
'''(2)''' Write MBR (also needed for LVM manual / custom installations)<br />
<br />
<code>dd bs=440 count=1 conv=notrunc if=$MNT/usr/share/syslinux/mbr.bin of=/dev/vda</code><br />
<br />
'''(3)''' Change partition system id ('t') to "8e" with fdisk for partition type LVM <br />
<br />
<code>fdisk /dev/vda</code><br />
<br />
<br />
----<br />
<br />
'''Additional Notes'''<br />
<br />
<br />
Before choosing a LUKS encryption scheme find the most efficient scheme for your processor / system with:<br />
<br />
<code>cryptsetup benchmark</code><br />
<br />
(You may or may not be able to take advantage of AES hardware acceleration)<br />
<br />
[http://linux.die.net/man/8/haveged Haveged] can also be run as a daemon to add entropy to your system for better randomness (certificate generation for OpenSSL / OpenVPN etc....)<br />
<br />
<br />
----<br />
<br />
'''ALPINE KVM SETUP'''<br />
<br />
<br />
<code><br />
setup-interfaces<br />
<br />
ifup eth0<br />
<br />
setup-apkrepos<br />
<br />
apk update<br />
<br />
apk add nano haveged lvm2 cryptsetup e2fsprogs syslinux<br />
<br />
<nowiki># Partition disks (100meg boot / 2nd partition for LVM)</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m <br />
<br />
n<br />
<br />
etc........ <br />
<br />
<nowiki># Wipe partition with random data</nowiki><br />
<br />
haveged -n 0 | dd of=/dev/vda2<br />
<br />
<nowiki># Don't forget to run 'cryptsetup benchmark' first to check the best scheme for your system</nowiki><br />
<br />
cryptsetup -v -c serpent-xts-plain64 -s 512 --hash sha512 --iter-time 5000 --use-random luksFormat /dev/vda2<br />
<br />
<nowiki># Open LUKS partition</nowiki><br />
<br />
cryptsetup open --type luks /dev/vda2 lvmcrypt<br />
<br />
<nowiki># The name used for the mapper must also be used for the 'cryptdm=" Default Kernel Option setting</nowiki><br />
<br />
<nowiki># shown further down in $MNT/etc/update-extlinux.conf</nowiki><br />
<br />
pvcreate /dev/mapper/lvmcrypt<br />
<br />
<nowiki># Create LVM partitions</nowiki><br />
<br />
vgcreate vg0 /dev/mapper/lvmcrypt<br />
<br />
lvcreate -L 1G vg0 -n root<br />
<br />
lvcreate -L 256M vg0 -n swap<br />
<br />
lvcreate -L 500M vg0 -n home<br />
<br />
lvcreate -L 50M vg0 -n tmp<br />
<br />
<nowiki># NOTE small "l" for 100% FREE allocation</nowiki><br />
<br />
lvcreate -l 100%FREE vg0 -n var<br />
<br />
<nowiki># Create filesystems</nowiki><br />
<br />
mkfs.ext2 /dev/vda1<br />
<br />
mkfs.ext4 /dev/mapper/vg0-root<br />
<br />
mkfs.ext4 /dev/mapper/vg0-home<br />
<br />
mkfs.ext4 /dev/mapper/vg0-tmp<br />
<br />
mkfs.ext4 /dev/mapper/vg0-var<br />
<br />
mkswap /dev/mapper/vg0-swap<br />
<br />
<nowiki># Open LVM volumes</nowiki><br />
<br />
vgchange -a y<br />
<br />
<nowiki># Mount Partitions</nowiki><br />
<br />
mount -t ext4 /dev/vg0/root /mnt<br />
<br />
mkdir /mnt/boot /mnt/home /mnt/tmp /mnt/var<br />
<br />
mount -t ext4 /dev/vg0/home /mnt/home<br />
<br />
mount -t ext4 /dev/vg0/tmp /mnt/tmp<br />
<br />
mount -t ext4 /dev/vg0/var /mnt/var<br />
<br />
mount -t ext2 /dev/vda1 /mnt/boot<br />
<br />
swapon /dev/mapper/vg0-swap<br />
<br />
<nowiki># Install Alpine</nowiki><br />
<br />
setup-disk -m sys /mnt<br />
<br />
<nowiki># Setup crypttab</nowiki><br />
<br />
echo "lvm /dev/vda2 none luks" > /mnt/etc/crypttab<br />
<br />
<nowiki># Setup fstab</nowiki><br />
<br />
<nowiki># You could also setup devices with uuid's by running 'blkid'</nowiki><br />
<br />
echo "/dev/mapper/vg0-root / ext4 defaults,errors=remount-ro 0 1" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-var /var ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-home /home ext4 defaults 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-tmp /tmp ext4 defaults,noexec,noatime,nodev,nosuid,mode=1777 0 2" >> /mnt/etc/fstab<br />
<br />
echo "/dev/mapper/vg0-swap none swap sw 0 0" >> /mnt/etc/fstab<br />
<br />
<nowiki># Make vda1 bootable</nowiki><br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
a<br />
<br />
1<br />
<br />
<nowiki># Edit $MNT/etc/mkinitfs/mkinitfs.conf to make sure features="..." includes cryptsetup (this field is space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Edit $MNT/etc/update-extlinux.conf to make sure default_kernel_opts="..." contains cryptroot=/dev/vda2 and cryptdm=lvmcrypt</nowiki> <br />
<br />
<nowiki># (this field is also space-separated and quoted)</nowiki> <br />
<br />
<nowiki># Also check the root= setting = /dev/mapper/vg0-root</nowiki><br />
<br />
extlinux --install $MNT/boot --update<br />
<br />
<nowiki># Rebuild initramfs (ignore extlinux errors)</nowiki><br />
<br />
apk fix --root $MNT linux-grsec<br />
<br />
<nowiki># Write MBR (also needed for LVM manual / custom installations)</nowiki><br />
<br />
dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda<br />
<br />
<nowiki># Change partition type to "8e" with fdisk for the LVM partition</nowiki> <br />
<br />
fdisk /dev/vda<br />
<br />
m<br />
<br />
t<br />
<br />
2<br />
<br />
8e<br />
<br />
w<br />
<br />
<nowiki># See instructions below for unmounting LVM volumes & closing the LUKS partition</nowiki><br />
<br />
----<br />
</code><br />
<br />
<br />
The following details for mounting your installation into a chroot may be helpful if you ever need to repair an installation:<br />
<br />
<br />
<code><br />
<nowiki># CHROOT MOUNTS ###</nowiki><br />
<br />
vgchange -a y <br />
<br />
<nowiki># Follow instructions above for mounting LVM partitions</nowiki><br />
<br />
cd /mnt<br />
<br />
mount --bind /dev dev<br />
<br />
mount -t devpts devpts dev/pts<br />
<br />
mount -t tmpfs tmpfs dev/shm<br />
<br />
mount -t proc proc proc<br />
<br />
mount -t sysfs sysfs sys<br />
<br />
chroot /mnt /bin/ash<br />
<br />
<br />
<nowiki># UNMOUNTING ###</nowiki><br />
<br />
umount dev/pts<br />
<br />
umount dev/shm<br />
<br />
umount dev<br />
<br />
umount /mnt/boot<br />
<br />
umount /mnt/var<br />
<br />
umount /mnt/home<br />
<br />
umount /mnt/tmp<br />
<br />
swapoff /dev/mapper/vg0-swap<br />
<br />
umount /mnt<br />
<br />
<nowiki># Deactivate LVM volumes</nowiki><br />
<br />
vgchange -a n <br />
<br />
<nowiki># Close LUKS partition</nowiki><br />
<br />
cryptsetup luksClose lvmcrypt <br />
</code><br />
<br />
<br />
--[[User:Itoffshore|Stuart Cardall]] ([[User talk:Itoffshore|talk]]) 19:53, 1 May 2014 (UTC)<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Itoffshore