Alpine Linux - User contributions [en]

Tutorials and Howtos

2024-05-07T11:01:06Z

Larena:

{{Todo|This material has been re-organized..., but grouping should be checked: '''Howtos are smaller articles''' and '''tutorials are more detailed document'''}}

[[Image:package_edutainment.svg|right|link=]]
{{TOC left}}
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''

'''The tutorials are hands-on''' and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.

'''Howtos are smaller articles''' explaining how to perform a particular task with Alpine Linux, that expects a minimal knowledge from reader to perform actions.

'''IMPORTANT:''' contributions on those pages must be complete articles as well as requesting topics to be covered, don't override already made contributions. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].

{{Clear}}

= Howtos =

== Applications ==

=== Miscellaneous ===

* [[Ansible]] ''(Configuration management)''

=== Monitoring ===

* [[Awstats]] ''(Free log file analyzer)''
* [[Cacti: traffic analysis and monitoring network]] ''(Front-end for rrdtool networking monitor)''
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' 
* [[Linfo]]
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''
* [[Matomo]] ''(A real time web analytics software program)''
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' 
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance; for alpine 3.10-3.12 only)'' 
* [[Setting up lm_sensors]]
* [[SqStat]] ''(Script to look at active squid users connections)''
* [[Traffic monitoring]] 
** [[Setting up monitoring using rrdtool (and rrdcollect)]]
** [[Setting up traffic monitoring using rrdtool (and snmp)]] 
* [[Zabbix|Zabbix - the professional complete manager]] ''(Monitor and track the status of network services and hardware)''
* [[ZoneMinder video camera security and surveillance]]

=== Networking ===

* Alpine Wall ''(a new firewall management framework)''
** [[Alpine Wall]]
** [https://git.alpinelinux.org/awall/about/ Alpine Wall User's Guide]
** [[How-To Alpine Wall]]
* [[Freeradius Active Directory Integration]]
* [[GNUnet]]
* [[Setting up a OpenVPN server|OpenVPN server]] ''(Allowing single users or devices to remotely connect to your network)''
* [[OpenVSwitch]]
* [[Using Alpine on Windows domain with IPSEC isolation]]
* [[Configure a Wireguard interface (wg)|Wireguard]]

=== Telephony ===

* [[FreePBX|FreePBX on Alpine Linux]]
* [[Setting up Zaptel/Asterisk on Alpine]]
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''

== Backup and data migration ==

* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''
** [[Back Up a Flash Memory Installation]]
** [[Manually editing a existing apkovl]]
* [[Migrating data]]
* [[Rsnapshot]] - setting up periodic backups

== Desktop ==

* [[Alpine and UEFI]]
* [[Default applications]]
* Desktop cloud
** [[Nextcloud]] ''(Self hostable cloud suite - Dropbox Alternative)''
* [[Desktop environments and Window managers]] (overall information only)
* [[Printer Setup]]
* [[Remote Desktop Server]]
* Sound Systems
** [[ALSA]]
** [[PipeWire]]
** [[PulseAudio]]
* [[Configure action when power-button is pressed]]
* [[Suspend on LID close]]
* [[Alpine setup scripts#setup-xorg-base|Xorg Setup]]
* Wayland compositors:
** [[Sway]]
** [[River]]
** [[LabWC]]

== Networking ==

* [[Bluetooth]] - Instructions for installing and configuring Bluetooth
* [[Bonding]] - Bond (or aggregate) multiple ethernet interfaces
* [[Bridge]] - Configuring a network bridge
** [[Bridge wlan0 to eth0]]
* [[Configure Networking]]
* [[How to configure static routes]]
* Modem
** [[Using HSDPA modem]]
** [[Using serial modem]]
* [[mDNS]] - Howto implement multicast DNS resolution in Alpine.
* [[Multi ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''
* [[PXE boot]]
* Wi-Fi
** [[Wi-Fi|Connecting to a wireless access point]]
** [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''
* [[VLAN]]

== Other Architectures ==

=== ARM ===

* [[Alpine on ARM]]

==== Raspberry Pi ====

* [[Raspberry Pi Bluetooth Speaker|Raspberry Pi - Bluetooth Speaker]]
* [[Raspberry Pi|Raspberry Pi - Installation]]
* [[Linux Router with VPN on a Raspberry Pi|Raspberry Pi - Router with VPN]]
* [[Linux Router with VPN on a Raspberry Pi (IPv6)|Raspberry Pi - Router with VPN (IPv6)]]
* [[Classic install or sys mode on Raspberry Pi|Raspberry Pi - Sys mode install]]
* [[RPI Video Receiver|Raspberry Pi - Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''
* [[Raspberry Pi 3 - Browser Client]] - kiosk or digital sign
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine]]
* [[How to set up Alpine as a wireless router|Raspberry Pi Zero W - Wireless router]] ''(Setting up a firewalled, Wireless AP with wired network on a Pi Zero W)''

=== IBM Z (IBM z Systems) ===

* [[s390x|s390x - Installation]]

=== PowerPC ===

* [[Ppc64le|Powerpc64le - Installation]]

== Post-Install ==

* [[CPU frequency scaling]]
* [[Repositories#Enabling_the_community_repository|Enable Community repository]] ''(Providing additional packages)''
* [[Enable Serial Console on Boot]]
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''
** [[Multiple Instances of Services|Init System - Multiple Instances of Services]]
** [[Writing Init Scripts|Init System - Writing Init Scripts]]
* [[Installing Oracle Java|Oracle Java (installation)]]
* [[IGMPproxy]]
* [[Alpine Package Keeper|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''
** [[Comparison with other distros|Package Management - Comparison with other distros]]
* [[Running glibc programs]]
* [[Setting up a new user]]
* [[Upgrading Alpine]]
* [[Daily driver guide]]

== Remote Administration ==

* ACF
** [[Changing passwords for ACF|ACF - changing passwords]]
** [[Generating SSL certs with ACF]] 
** [[setup-acf| ACF - setup]] ''(Configures ACF (webconfiguration/webmin) so you can manage your box through https)''
* [[Setting up a SSH server]] ''(Using ssh is a good way to administer your box remotely)''
** [[HOWTO OpenSSH 2FA with password and Google Authenticator |OpenSSH 2FA]] ''(A simple two factor setup for OpenSSH)''
* [[OpenVCP]] ''(VServer Control Panel)''
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''
* [[Webmin]] ''(A web-based interface for Linux system)''

== Server ==

* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''
* [[Hosting Web/Email services on Alpine]]

=== DNS ===

* [[DNSCrypt-Proxy]] ''Encrypt and authenticate DNS calls from your system''
* [[Setting up nsd DNS server]]
* [[Setting up unbound DNS server]]
* [[TinyDNS Format]]

=== HTTP ===

* [[Apache]]
** [[Apache with php-fpm]]
** [[Setting Up Apache with PHP]]
** [[Apache authentication: NTLM Single Signon]]
* [[Darkhttpd]]
* [[Lighttpd]]
** [[Lighttpd Advanced security]]
** [[Setting Up Lighttpd With FastCGI]]
* [[Nginx]]
** [[Nginx as reverse proxy with acme (letsencrypt)]]
** [[Nginx with PHP]]
* Squid Proxy
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' 
** [[Setting up Explicit Squid Proxy]]
** [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''
** [[SqStat]] ''(Script to look at active squid users connections)''
* [[Tomcat]]

==== Hostable Content ====

* [[DokuWiki]]
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''
* [[Kopano]] ''(Microsoft Outlook compatible Groupware)''
* [[Mahara]] ''(E-portfolio and social networking system)''
* [[MediaWiki]] ''(Free web-based wiki software application)''
* [[Pastebin]] ''(Pastebin software application)''
* [[WordPress]] ''(Web software to create website or blog)''

=== IRC ===

* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''

=== Mail ===

* Exim/Dovecot
** [[Small-Time Email with Exim and Dovecot]] ''(A simple configuration for your home network.)
** [[Setting up dovecot with imap and tls]]
* [[relay email to gmail (msmtp, mailx, sendmail]]
* [[Roundcube]] ''(Webmail system)''
* [[Setting up postfix with virtual domains]]
* Server protection
** [[Setting up clamsmtp]]

=== Other Servers ===

* [[Chrony and GPSD | Chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]
* [[Glpi]] ''(Manage inventory of technical resources)''
* [[How to setup a Alpine Linux mirror]]
* [[Setting up an NFS server|nfs-server]]
* [[Odoo]]
* [[Configure OpenLDAP | OpenLDAP]] ''(Installing and configuring the Alpine package for OpenLDAP)''
* [[Setting up a samba-ad-dc|samba-ad-dc]] ''(Active Directory compatible domain controller)''
* [[Setting up a Samba server|samba-server]] ''(standard file sharing)''
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]

=== Software development ===

* [[Cgit]]
* [[OsTicket]] ''(Ticket system)''
* [[Patchwork]] ''(Patch review management system)''
* [[Redmine]] ''(Project management system)''
* [[Request Tracker]] ''(Ticket system)''
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''

== Storage ==

* [[Setting up disks manually|Disk setup (manual)]]
* [[Filesystems]]
** [[Burning ISOs]]
* [[Setting up iSCSI|iSCSI Setup]]
** [[iSCSI Raid and Clustered File Systems]]
** [[Linux iSCSI Target (TCM)|iSCSI Target (TCM)/LinuxIO (LIO)]]
** [[Linux iSCSI Target (tgt)|User space iSCSI Target (tgt)]]
* [[Setting up Logical Volumes with LVM|LVM Setup]]
** [[Setting up LVM on GPT-labeled disks|LVM on GPT-labeled disks]]
** [[Installing on GPT LVM|LVM on GPT-labeled disks (updated)]]
** [[LVM on LUKS]]
* RAID
** [[Raid Administration]]
** [[Setting up a software RAID array]]
* ZFS
** [[Root on ZFS with native encryption]]
** [[Setting up ZFS on LUKS]]
** [[Setting up ZFS with native encryption]]
** [[ZFS scrub and trim]]
* [[CEPH|CEPH]]

== Virtualization ==

* [[Docker]]
* [[Installing Alpine in a virtual machine]]
** [[Install Alpine on VMware ESXi]]
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''
* [[QEMU]]
* Xen
** [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''
** [[Xen Dom0 on USB or SD]]
** [[Create Alpine Linux PV DomU|Xen DomU (paravirtualized)]]
** [[Xen LiveCD]]
** [[Xen PCI Passthrough]]

= Tutorials =

== Miscellaneous ==

* [[TTY_Autologin|TTY Autologin]]
* [[Kexec|Faster rebooting with kexec]]
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small Office Services]]
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]
* [[Fault Tolerant Routing with Alpine Linux]]
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''
* [[Linux iSCSI Target (TCM)]]
* [[ISP Mail Server 3.x HowTo]]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''
* [[Replacing non-Alpine Linux with Alpine remotely]]
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' 
* [[Streaming Security Camera Video with VLC]]

== Newbie corner ==

* [[How to get regular stuff working]] ''some notes on need-to-know topics''

== Servers ==

* [[Alpine production deploy]]
** [[Production Web server: Lighttpd|Production web server: Lighttpd‎‎]]
** [[MySQL|Production database: MySQL]]
** [[Production LAMP system: Lighttpd + PHP + MySQL‎‎]]
* Alpine production monitoring
** [[Cacti: traffic analysis and monitoring network]]
** [[Zabbix|Zabbix - the professional complete manager]]
* Kubernetes
** [[K8s]] Building a K8s Cluster on Alpine Linux

CEPH

2024-05-07T10:58:48Z

Larena: /* Bootstrap the first MONITOR */

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, we will see how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrapping the first MONITOR ===
In this example we use 3 hosts as monitor and manager roles:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false # change as needed
ms_bind_ipv6 = true # change as needed
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Adding other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T10:58:34Z

Larena: /* Add other MONITOR nodes */

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, we will see how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrap the first MONITOR ===
In this example we use 3 hosts as monitor and manager roles:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false # change as needed
ms_bind_ipv6 = true # change as needed
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Adding other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T10:57:32Z

Larena: /* Bootstrap the first MONITOR */

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, we will see how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrap the first MONITOR ===
In this example we use 3 hosts as monitor and manager roles:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false # change as needed
ms_bind_ipv6 = true # change as needed
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Add other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T10:54:48Z

Larena:

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, we will see how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrap the first MONITOR ===
In this example we use 3 hosts as monitor and manager roles:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false
ms_bind_ipv6 = true
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Add other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T10:20:42Z

Larena: /* Bootstrap the first MONITOR */

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, I will show how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrap the first MONITOR ===
In this example we use 3 hosts as monitor and manager roles:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false
ms_bind_ipv6 = true
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Add other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T10:18:27Z

Larena:

{{Draft|work in progress}}

CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, I will show how to deploy CEPH monitors, managers and OSDs, via APK, manually. Eventually I'm planning to write an Ansible playbook Alpine-specific.

== Installing MONITORs ==
=== Bootstrap the first MONITOR ===
In this example we use 3 hosts as monitor role:
<pre>
MON_HOST1="mon01"
MON_HOST1_IP="%IP_ADDRESS%"
MON_HOST2="mon02"
MON_HOST2_IP="%IP_ADDRESS%"
MON_HOST3="mon03"
MON_HOST3_IP="%IP_ADDRESS%"
FSID=$(cat /proc/sys/kernel/random/uuid) #store this FSID
echo $FSID
CLUSTER_NAME="ceph" # default value if unspecified
HOSTNAME=$(cat /etc/hostname)
PUBLIC_NETWORK="%NETWORK_CIDR%"
MYNET="%NETWORK_CIDR%"
VERSION=17
</pre>

{{Cmd|#apk add ceph$VERSION-mon ceph$VERSION-mon-daemon ceph$VERSION-mon-tools ceph$VERSION-openrc sudo}}

<pre>
cat << EOF > /etc/ceph/$CLUSTER_NAME.conf
[global]
# Cluster unique identifier
fsid = $FSID
mon_initial_members = $MON_HOST1
mon_host = $MON_HOST1_IP, $MON_HOST2_IP, $MON_HOST3_IP
mon_allow_pool_delete = true
ms_bind_ipv4 = false
ms_bind_ipv6 = true
public_network = $PUBLIC_NETWORK
# Enable authentication
auth_cluster_required = cephx
auth_service_required = cephx
auth_client_required = cephx
# https://docs.ceph.com/en/latest/rados/configuration/pool-pg-config-ref/#pool-pg-and-crush-config-reference
osd_pool_default_size = 3 # Write an object three times
osd_pool_default_min_size = 2 # Accept an I/O operation to a degraded PG that has two copies of an object
osd_pool_default_pg_num = 128 # total number of OSDs * 100 / osd_pool_default_size. Use nearest power of two.
osd_crush_chooseleaf_type = 1
rgw_data = /var/lib/ceph/radosgw/\$cluster-\$id # literal variables

[mon]
mon_data = /var/lib/ceph/mon/\$cluster-$FSID # "cluster" is a literal variable
EOF

</pre>

<pre>
ceph-authtool --create-keyring /tmp/$CLUSTER_NAME.mon.keyring --gen-key -n mon. --cap mon 'allow *'
ceph-authtool --create-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring --gen-key -n client.admin --cap mon 'allow *' --cap osd 'allow *' --cap mds 'allow *' --cap mgr 'allow *'
ceph-authtool --create-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring --gen-key -n client.bootstrap-osd --cap mon 'profile bootstrap-osd' --cap mgr 'allow r'

ceph-authtool /tmp/ceph.mon.keyring --import-keyring /etc/ceph/$CLUSTER_NAME.client.admin.keyring
ceph-authtool /tmp/ceph.mon.keyring --import-keyring /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

chown ceph:ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring
</pre>

Create AWall policies:

<pre>
cat << EOF > /etc/awall/optional/ceph-mon.json
{
"description": "Ceph cluster monitor component",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mon",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-client-osd.json
{
"description": "Ceph cluster OSD client",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mon
awall enable ceph-client-osd
awall activate -f
ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

Inspect that the first node was bootstrapped correctly running {{Cmd|ceph -s}}

=== Add other MONITOR nodes ===
Copy /etc/ceph/ceph.conf, /tmp/ceph.mon.keyring /etc/ceph/ceph.client.admin.keyring /var/lib/ceph/bootstrap-osd/ceph.keyring from existing monitor to the new monitor node.
<pre>
install -d --owner ceph --group ceph /etc/ceph /var/lib/ceph/bootstrap-osd
install -d -o ceph /var/lib/ceph/mon/$CLUSTER_NAME-$FSID
chown ceph /tmp/$CLUSTER_NAME.mon.keyring

monmaptool --create --add $MON_HOST1 $MON_HOST1_IP --add $MON_HOST2 $MON_HOST2_IP --add $MON_HOST3 $MON_HOST3_IP --fsid $FSID /tmp/monmap

sudo -u ceph ceph-mon --cluster $CLUSTER_NAME --mkfs -i $HOSTNAME --inject-monmap /tmp/monmap --keyring /tmp/$CLUSTER_NAME.mon.keyring

ln -s ceph /etc/init.d/ceph-mon.$HOSTNAME
rc-update add ceph-mon.$HOSTNAME
openrc
</pre>

If <code>ceph -s</code> returns <code>mon is allowing insecure global_id reclaim</code> fix with {{Cmd|ceph config set mon auth_allow_insecure_global_id_reclaim false}}

== Installing MANAGERs ==

<pre>
install -d --owner ceph --group ceph /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME
# note this keyring is unique per manager, does not need to be copied across the cluster!
ceph auth get-or-create mgr.$HOSTNAME mon 'allow profile mgr' osd 'allow *' mds 'allow *' > /var/lib/ceph/mgr/$CLUSTER_NAME-$HOSTNAME/keyring
</pre>

<pre>
cat << EOF > /etc/awall/optional/ceph-mgr.json
{
"description": "Ceph cluster Manager component",

"service": {
"ceph-mgr": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-mgr",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-mgr
awall activate -f

apk add ceph$VERSION-mgr ceph$VERSION-mgr-dashboard
ln -s ceph /etc/init.d/ceph-mgr.$HOSTNAME
rc-update add ceph-mgr.$HOSTNAME
openrc
</pre>

Expected issues:

Module 'restful' has failed dependency: PyO3 modules may only be initialized once per interpreter process

https://github.com/bazaah/aur-ceph/issues/20

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA/#FB7XE6WYDK3EBJYPABSPX5B2LEILWWJA

Workaround: <code>ceph mgr module disable restful</code>

== Installing OSDs ==
<pre>
setup-devd udev #alpine eudev drop-in replacement for udev
apk add ceph$VERSION-osd ceph$VERSION-osd-daemon ceph$VERSION-osd-tools eudev ceph$VERSION-openrc
mkdir -p /var/lib/ceph/bootstrap-osd /etc/ceph
</pre>

Copy /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring from a monitor node to /var/lib/ceph/bootstrap-osd/$CLUSTER_NAME.keyring

Copy /etc/ceph/ceph.conf from a monitor node to /etc/ceph/ceph.conf

<pre>
cat << EOF > /etc/awall/optional/ceph-client-mon.json
{
"description": "Ceph cluster monitor client",

"service": {
"ceph-mon": { "proto": "tcp", "port": [ 3300, 6789 ] }
},

"filter": [
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-mon",
"action": "accept"
}
]
}
EOF

cat << EOF > /etc/awall/optional/ceph-osd.json
{
"description": "Ceph cluster OSD component",

"service": {
"ceph-osd": { "proto": "tcp", "port": "6800-7300" }
},

"filter": [
{
"src": "\$MYNET",
"out": "_fw",
"service": "ceph-osd",
"action": "accept"
},
{
"in": "_fw",
"dest": "\$MYNET",
"service": "ceph-osd",
"action": "accept"
}
]
}
EOF
</pre>

<pre>
awall enable ceph-client-mon
awall enable ceph-osd
awall activate -f

ln -s /var/lib/ceph/bootstrap-osd/ceph.keyring /etc/ceph/ceph.client.bootstrap-osd.keyring #it seems it wants the keyring in this location
ceph-volume lvm create --data /dev/sdX --no-systemd
<pre>

CEPH

2024-05-07T09:56:00Z

Larena: Created page with "{{Draft|work in progress}} CEPH is a software defined storage platform. There are various methods and tools to deploy CEPH, none of which (to my knowledge, please correct this statement if wrong) work on Alpine. However CEPH has been available in the community repository since Alpine 3.10. Thanks to the maintainer that has done an amazing job, even maintaining multiple versions! So that's why this how-to, I will show how to deploy CEPH monitors, managers and OSDs, via A..."

Disk Replication with DRBD

2021-10-04T12:30:24Z

Larena: /* Disk Replication with DRBD */

{{Draft}}

== Disk Replication with DRBD ==

#apk add drbd

Load DRBD kernel driver:

#modprobe drbd

Sample DRBD configuration in /etc/drbd.d/r0.res (resource 0):

resource r0 {
device /dev/drbd1;
disk /dev/md0;
meta-disk internal;
on host1 {
address 192.168.0.1:7789;
}
on host2 {
address 192.168.0.2:7789;
}
}

It is recommended to have a dedicated heartbeat interface for DRBD where replication occurs.

Create the DRBD device and bring it up on '''both nodes''':

#drbdadm create-md r0
#drbdadm up r0

On primary node start replication:

#drbdadm -- --overwrite-data-of-peer primary r0

If you want to temporarily speed up replication, run (e.g. 1G):

#drbdsetup /dev/drbd1 syncer -r 1G

Control replication status:

#cat /proc/drbd

[[Category:Storage]]

Setting up GVM11

2020-12-14T09:37:15Z

Larena: gvm user cannot be created if daemon is not started

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

rc-service gvmd start
gvmd --create-user=admin --password=admin

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast".

gvmd will only create these resources if a "Feed Import Owner" is configured:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

gvmd --get-users --verbose

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as gvm user.
Be patient...it will take a while:

su - gvm
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

This three feeds needs to be scheduled via cron.

Add gvmd to start on boot:

rc-update add gvmd

Download NVT definitions:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Create '''/etc/conf.d/gsad:''' with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Setting up GVM11

2020-12-08T08:26:59Z

Larena: GVM definitions can be downloaded as gvm user

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast".

gvmd will only create these resources if a "Feed Import Owner" is configured:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

gvmd --get-users --verbose

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as gvm user.
Be patient...it will take a while:

su - gvm
greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

This three feeds needs to be scheduled via cron.

rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

Download NVT definitions:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Create '''/etc/conf.d/gsad:''' with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Setting up GVM11

2020-12-07T14:35:41Z

Larena: Add missing setup steps

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

Certain resources that were previously part of the gvmd source code are now shipped via the feed. An example is the config "Full and Fast".

gvmd will only create these resources if a "Feed Import Owner" is configured:

gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value <uuid_of_user>

The UUIDs of all created users can be found using

gvmd --get-users --verbose

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as root user.
Be patient...it will take a while:

greenbone-feed-sync --type GVMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

This three feeds needs to be scheduled via cron.

rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

NVT definitions can be downloaded as gvm user:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Create '''/etc/conf.d/gsad:''' with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Setting up GVM11

2020-12-07T13:45:04Z

Larena: Update GSAD binding settings

= Greenbone Vulnerability Management (GVM) 11 =
= Introduction =

OpenVAS with version 11 has been renamed in Greenbone Vulnerability Management and it is available in community repository.

This How-To will guide you to install a complete server solution for vulnerability scanning and vulnerability management solution.

= Install =
[[Enable_Community_Repository|Enable the community repository]] and install the required packages:

{{Cmd|apk add openvas openvas-config gvmd gvm-libs greenbone-security-assistant ospd-openvas}}

= Configuration =

== PostgreSQL ==

OpenVAS relies on PostgreSQL, that now is mandatory.

Start PostgreSQL and add it to default runlevel:
rc-service postgresql setup
rc-service postgresql start
rc-update add postgresql

Create and configure the gvm database:

su - postgres
createuser -DRS gvm
createdb -O gvm gvmd
psql gvmd
create role dba with superuser noinherit;
grant dba to gvm;
create extension if not exists "uuid-ossp";
create extension "pgcrypto";
exit

== GVMd ==

GVMd run as gvm user. Generate the certificate.
The certificate infrastructure enables GVMd to communicate in a secure manner and is used for authentication and authorization before establishing TLS connections between the daemons.
You can setup the certificate automatically with:
su - gvm
gvm-manage-certs -a

Create credentials used to interact with gvmd:

gvmd --create-user=admin --password=admin

== Update GVM definitions ==

Download the GVM definitions and start GVMd, as root user.
Be patient...it will take a while:

greenbone-scapdata-sync
greenbone-certdata-sync
rc-service gvmd start

Add gvmd to start on boot:

rc-update add gvmd

NVT definitions can be downloaded as gvm user:

su - gvm
greenbone-nvt-sync

== Greenbone Security Assistant (GSAD) ==

Configure Greenbone Security Assistant (GSAD) to listen to other interfaces rather than localhost only, so it is reachable from other hosts.

Create '''/etc/conf.d/gsad:''' with:
echo 'GSAD_LISTEN_ADDRESS="0.0.0.0"' > /etc/conf.d/gsad

Start GSAD and add it to default runlevel:
rc-service gsad start
rc-update add gsad

Open the browser at the IP address where GSAD is running, on http port 9392, and login with the credentials previously created.

Happy vulnerability assestment!

[[Category:Server]]
[[Category:Monitoring]]

Creating patches

2019-02-06T07:32:08Z

Larena: Specify were new aports should go and the repository dependencies.

Patches should be created with git and submitted to [mailto:alpine-aports@lists.alpinelinux.org alpine-aports] mailing list with ''git send-email'' (which needs the ''git-email'' Alpine package).

New aports should normally go into testing repository. After a reasonable testing period if the package is complete (e.g. it has an init script, it has a working and sane default configuration, etc.) and it has a maintainer it can be moved into community repository. Main repository is for packages are either core of the linux system or are dependencies of other core packages. A package in main cannot have a dependency in community or testing.

== Only the last commit with 'git send-email' ==

To submit the last commit as a patch to [mailto:alpine-aports@lists.alpinelinux.org alpine-aports] mailing list:

{{Cmd|git send-email --to alpine-aports@lists.alpinelinux.org -1}}

{{Tip|You save the To-address (does not require '--to alpine-aports@lists.alpinelinux.org') in the git config with: {{Cmd|git config sendemail.to alpine-aports@lists.alpinelinux.org}}}}

The first line in commit message will be ''subject'' and the long description (separated with empty line) will be the body in the email. The example below shows

<pre>
testing/packagename: new aport <- header

https://example.com/packagename <- body
wonderful package
</pre>

{{Note|The git send-email command is provided by the '''git-email''' package ('''git-perl''' in v2.7 and older). }}

See [[Development using git#Email_configuration]] on how configure SMTP Auth.

== Multiple commits with 'git send-email' ==

If you have many commits you can create a directory with patches and send them with <tt>git send-email</tt>.

{{Cmd|<nowiki>rm -Rf patches
mkdir patches
git format-patch -o patches origin
git send-email patches --compose --no-chain-reply-to --to alpine-aports@lists.alpinelinux.org</nowiki>}}

You can also format patches for the last x number of commits with:
{{Cmd|<nowiki>git format-patch -x -o patches</nowiki>}}

This will produce the patches for each local commit in the directory "patches" and send them.
Use '''--no-chain-reply-to''' to avoid that each patch is sent as a ''reply'' to the previous patch.

Eg.
* [PATCH 0/m]
** [PATCH 1/m]
*** [PATCH 2/m]
**** ...

With the option '''--no-chain-reply-to''' the patches will be sent as a reply to the first email, the ''cover letter'' (the [PATCH 0/m]) and will make the email thread nicer.
Like this:
* [PATCH 0/m]
** [PATCH 1/m]
** [PATCH 2/m]
** ..

== Resend an updated patch ==
Sometimes patches are rejected due to minor issues in the patch. Do not send an incremental patch on top of your initial, bad, patch. Instead, recreate the patch and send a new, fixed version of your patch. (use ''git commit --amend'' to edit a local commit).

When you sending a second version of the patch use '''--subject-prefix "PATCH v2"''' to indicate that this is a new version of a previously sent patch. You may also use '''--in-reply-to <message-id>''' where <message-id> the the id of email requesting the resend.

You should also write a note on the what was changed. Use '''--annotate''' for this and write the comment under the three dashes "---" so the note is not included in the commit message. For example:
<pre>
...
Subject: [PATCH v2] testing/mypackage: new aport

https://example.com
Example package
---
Changes v1 -> v2:
- removed depends
- added zlib-dev to makedepends

testing/mypackage/APKBUILD | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 testing/mypackage/APKBUILD
...
</pre>

Note that the notes that are below the "---" will not be included in the commit message.
[[Category:Development]]
[[Category:Git]]

== See also ==
* [[Patch Workflow]]

Alpine Linux:Releases

2018-11-19T15:46:28Z

Larena:

There are several releases of Alpine Linux available at the same time. There is no fixed release cycle but rather every 6 month we make a snapshot of '''[[Edge|edge]]''' and make a release. We support each stable release for a certain time, normally for 2 years. We can do security fixes beyond that on request and when patches are available.

The latest release of Alpine Linux is: '''3.8.1''' [https://alpinelinux.org/posts/Alpine-3.8.1-released.html Release notes], [http://git.alpinelinux.org/cgit/aports/log/?h=v3.8.1 git log]

{| cellpadding="5" border="1" class="wikitable"
|-
! Branch
! Branch Date
! Latest Release
! Previous minor releases
! Directory name
! Updates
! End of Support
|-
| '''[[edge]]'''
| current
| rolling
| -
| [http://nl.alpinelinux.org/alpine/edge/ edge]
| development
| n/a
|-
| '''v3.8'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.8-stable 2018-06-26]
| [http://alpinelinux.org/posts/Alpine-3.8.1-released.html 3.8.1]
| [http://alpinelinux.org/posts/Alpine-3.8.0-released.html 3.8.0]
| [http://dl-cdn.alpinelinux.org/alpine/v3.8/ v3.8]
| bug fixes
| 2020-05-01
|-
| '''v3.7'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.7-stable 2017-11-30]
| [http://alpinelinux.org/posts/Alpine-3.7.0-released.html 3.7.0]
| -
| [http://dl-cdn.alpinelinux.org/alpine/v3.7/ v3.7]
| bug fixes
| 2019-11-01
|-
| '''v3.6'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.6-stable 2017-05-24]
| [http://alpinelinux.org/posts/Alpine-3.6.2-released.html 3.6.2]
| [http://alpinelinux.org/posts/Alpine-3.6.0-released.html 3.6.0], [http://alpinelinux.org/posts/Alpine-3.6.1-released.html 3.6.1]
| [http://dl-cdn.alpinelinux.org/alpine/v3.6/ v3.6]
| security only
| 2019-05-01
|-
| '''v3.5'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.5-stable 2016-12-22]
| [http://alpinelinux.org/posts/Alpine-3.5.2-released.html 3.5.2]
| [http://alpinelinux.org/posts/Alpine-3.5.0-released.html 3.5.0], [http://alpinelinux.org/posts/Alpine-3.5.1-released.html 3.5.1]
| [http://dl-cdn.alpinelinux.org/alpine/v3.5/ v3.5]
| security only
| 2018-11-01
|-
| '''v3.4'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.4-stable 2016-05-31]
| [http://alpinelinux.org/posts/Alpine-3.4.6-released.html 3.4.6]
| [http://alpinelinux.org/posts/Alpine-3.4.0-released.html 3.4.0], [http://alpinelinux.org/posts/Alpine-3.4.1-released.html 3.4.1], [http://alpinelinux.org/posts/Alpine-3.4.2-released.html 3.4.2], [http://alpinelinux.org/posts/Alpine-3.4.3-released.html 3.4.3], [http://alpinelinux.org/posts/Alpine-3.4.4-released.html 3.4.4], [http://alpinelinux.org/posts/Alpine-3.4.5-released.html 3.4.5]
| [http://dl-cdn.alpinelinux.org/alpine/v3.4/ v3.4]
| on request only
| 2018-05-01
|-
| '''v3.3'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.3-stable 2016-01-06]
| [http://alpinelinux.org/posts/Alpine-3.3.3-released.html 3.3.3]
| [http://alpinelinux.org/posts/Alpine-3.3.0-released.html 3.3.0], [http://alpinelinux.org/posts/Alpine-3.3.1-released.html 3.3.1], [http://alpinelinux.org/posts/Alpine-3.3.2-released.html 3.3.2]
| [http://nl.alpinelinux.org/alpine/v3.3/ v3.3]
| on request only
| 2017-11-01
|-
| '''v3.2'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.2-stable 2015-05-26]
| [http://alpinelinux.org/posts/Alpine-3.2.3-released.html 3.2.3]
| [http://alpinelinux.org/posts/Alpine-3.2.0-released.html 3.2.0], [http://alpinelinux.org/posts/Alpine-3.2.1-released.html 3.2.1], [http://alpinelinux.org/posts/Alpine-3.2.2-released.html 3.2.2]
| [http://nl.alpinelinux.org/alpine/v3.2/ v3.2]
| on request only
| 2017-05-01
|-
| '''v3.1'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.1-stable 2014-12-10]
| [http://alpinelinux.org/posts/Alpine-3.1.4-released.html 3.1.4]
| [http://alpinelinux.org/release-3.1.0 3.1.0], [http://alpinelinux.org/release-3.1.1 3.1.1], [http://alpinelinux.org/posts/Alpine-3.1.2-released.html 3.1.2], [http://alpinelinux.org/posts/Alpine-3.1.3-released.html 3.1.3]
| [http://nl.alpinelinux.org/alpine/v3.1/ v3.1]
| on request only
| 2016-11-01
|-
| '''v3.0'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=3.0-stable 2014-06-04]
| [http://alpinelinux.org/release-3.0.6 3.0.6]
| [http://alpinelinux.org/release-3.0.0 3.0.0], [http://alpinelinux.org/release-3.0.1 3.0.1], [http://alpinelinux.org/release-3.0.2 3.0.2], [http://alpinelinux.org/release-3.0.3 3.0.3], [http://alpinelinux.org/release-3.0.4 3.0.4], [http://alpinelinux.org/release-3.0.5 3.0.5]
| [http://nl.alpinelinux.org/alpine/v3.0/ v3.0]
| on request only
| 2016-05-01
|-
| '''v2.7'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.7-stable 2013-11-08]
| [http://alpinelinux.org/release-2.7.9 2.7.9]
| [http://alpinelinux.org/release-2.7.0 2.7.0], [http://alpinelinux.org/release-2.7.1 2.7.1], [http://alpinelinux.org/release-2.7.2 2.7.2], [http://alpinelinux.org/release-2.7.3 2.7.3], [http://alpinelinux.org/release-2.7.4 2.7.4], [http://alpinelinux.org/release-2.7.5 2.7.5], [http://alpinelinux.org/release-2.7.6 2.7.6], [http://alpinelinux.org/release-2.7.7 2.7.7], [http://alpinelinux.org/release-2.7.8 2.7.8]
| [http://nl.alpinelinux.org/alpine/v2.7/ v2.7]
| on request only
| 2015-11-01
|-
| '''v2.6'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.6-stable 2013-05-17]
| [http://alpinelinux.org/release-2.6.6 2.6.6]
| [http://alpinelinux.org/release-2.6.0 2.6.0], [http://alpinelinux.org/release-2.6.1 2.6.1], [http://alpinelinux.org/release-2.6.2 2.6.2], [http://alpinelinux.org/release-2.6.3 2.6.3], [http://alpinelinux.org/release-2.6.4 2.6.4], [http://alpinelinux.org/release-2.6.5 2.6.5]
| [http://nl.alpinelinux.org/alpine/v2.6/ v2.6]
| on request only
| 2015-05-01
|-
| '''v2.5'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.5-stable 2012-11-07]
| [http://alpinelinux.org/release-2.5.4 2.5.4]
| [http://alpinelinux.org/release-2.5.0 2.5.0], [http://alpinelinux.org/release-2.5.1 2.5.1], [http://alpinelinux.org/release-2.5.2 2.5.2], [http://alpinelinux.org/release-2.5.3 2.5.3]
| [http://nl.alpinelinux.org/alpine/v2.5/ v2.5]
| on request only
| 2014-11-01
|-
| '''v2.4'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.4-stable 2012-05-02]
| [http://alpinelinux.org/release-2.4.11 2.4.11]
| [http://alpinelinux.org/node/13811 2.4.0], [http://alpinelinux.org/node/13812 2.4.1], [http://alpinelinux.org/node/13845 2.4.2], [http://alpinelinux.org/node/13906 2.4.3], [http://alpinelinux.org/release-2.4.4 2.4.4], [http://alpinelinux.org/release-2.4.5 2.4.5], [http://alpinelinux.org/release-2.4.6 2.4.6], [http://alpinelinux.org/release-2.4.7 2.4.7], 2.4.8, [http://alpinelinux.org/node/14664 2.4.9], [http://alpinelinux.org/release-2.4.10 2.4.10]
| [http://nl.alpinelinux.org/alpine/v2.4/ v2.4]
| on request only
| 2014-05-01
|-
| '''v2.3'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.3-stable 2011-11-01]
| [http://alpinelinux.org/node/13503 2.3.6]
| [http://alpinelinux.org/node/6841 2.3.0], [http://alpinelinux.org/node/6866 2.3.1], [http://alpinelinux.org/node/6911 2.3.2], [http://alpinelinux.org/node/6999 2.3.3], [http://alpinelinux.org/node/13466 2.3.4 & 2.3.5]
| [http://nl.alpinelinux.org/alpine/v2.3/ v2.3]
| on request only
| 2013-11-01
|-
| '''v2.2'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.2-stable 2011-05-03]
| [http://alpinelinux.org/node/6455 2.2.3]
| [http://alpinelinux.org/node/5237 2.2.0], [http://lists.alpinelinux.org/alpine-devel/1618.html 2.2.1], [http://alpinelinux.org/node/5955 2.2.2]
| [http://nl.alpinelinux.org/alpine/v2.2/ v2.2]
| on request only
| 2013-05-01
|-
| '''v2.1'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.1-stable 2010-11-01]
| [http://alpinelinux.org/node/5236 2.1.6]
| [[Release_Notes_for_Alpine_2.1.0|2.1.0]], [[Release_Notes_for_Alpine_2.1.1|2.1.1]], [[Release_Notes_for_Alpine_2.1.2|2.1.2]], [[Release_Notes_for_Alpine_2.1.3|2.1.3]], [http://alpinelinux.org/node/5230 2.1.4], [http://alpinelinux.org/node/5235 2.1.5]
| [http://nl.alpinelinux.org/alpine/v2.1/ v2.1]
| on request only
| 2012-11-01
|-
| '''v2.0'''
| [http://git.alpinelinux.org/cgit/aports/log/?h=2.0-stable 2010-08-16]
| [http://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_2.0.3 2.0.3]
| [[Release_Notes_for_Alpine_2.0.0|2.0.0]], [[Release_Notes_for_Alpine_2.0.1|2.0.1]], [[Release_Notes_for_Alpine_2.0.2|2.0.2]]
| [http://nl.alpinelinux.org/alpine/v2.0/ v2.0]
| on request only
| 2012-04-01
|}

An archive for [[older releases]] is also available.

APKBUILD Reference

2018-02-07T07:31:39Z

Larena: don't include $install in $source

APKBUILDs are the scripts that are created in order to build Alpine packages using the [[abuild]] tool.

See [[aports]] for details on Alpine's official ports repository.

This page is intended to serve as a reference for creating APKBUILDs; if this is your first time creating a package for Alpine Linux, please see [[Creating an Alpine package]].

= Legend =
The following notes will assist you in understanding this document.

In description text:
* If a variable is not prefixed with a ''$'', it will be represented by italics (i.e., ''srcdir'' ).
* Functions will also be represented by italics, but will also end with a pair of parentheses (i.e., ''build()'' ).
* Shell commands will be represented <code>like this</code>.

= Variables =
{{Note|Variables that contain a path (e.g. ''$srcdir'' and ''$pkgdir'') should always be quoted using double quotes (i.e., ''"$srcdir"''). This is done to prevent things from breaking, should the user have the APKBUILD in a directory path that contains spaces.}}
{{Note|All arbitrary variable and function names should be prefixed with an underscore character ( _ ) to avoid name clashes with the internals of abuild (for example, ''_luaversions'').}}

== abuild-defined variables ==
The following variables are defined by abuild:

==== startdir ====
: The directory where the APKBUILD script is.
==== srcdir ====
: The directory where sources, from the ''source'' variable, are downloaded to and unpacked to.
==== pkgdir ====
: This directory should receive the files for the main package. For example, a normal [http://en.wikipedia.org/wiki/GNU_build_system autotools] package would have <code>make DESTDIR="$pkgdir" install</code> in the ''package()'' function.
==== subpkgdir ====
: This directory should receive the files for a subpackage. This variable should only be used from subpackage functions.
==== builddir ====
: This variable should point to the directory inside the ''srcdir'' where the main package source is unpacked. This is typically ''$srcdir/$pkgname-$pkgver''. It’s used by the default ''prepare()'' function as a working directory when applying patches.

== User-defined variables ==
The following variables should be defined by the user:
==== arch ====
: Package architecture(s) to build for. Can be one of: '''[[x86]], [[x86_64]], [[armhf]], [[aarch64]], [[ppc64le]], [[s390x]], all''', or '''noarch''', where '''all''' means all architectures, and '''noarch''' means it's architecture-independent (e.g., a pure-python package).
: {{Tip|To determine if your APKBUILD can use '''noarch''': First specify '''all''' and then build the package by executing <code>abuild -r</code>. Watch the output towards the end for warnings saying that '''noarch''' can be used. If the main package and all subpackages, if you have any subpackages, give a warning saying that '''noarch''' can be used, then you can use '''noarch'''.}}

==== depends ====
: Run-time dependency package(s) that are not shared-object dependencies. Shared objects dependencies are auto-detected and should not be specified here.
==== depends_dev ====
: Run-time dependency package(s) for the '''$pkgname-dev''' subpackage.

: {{Note|From ncopa on IRC: To find out if you need to add a package to depends_dev have a look at *requires* in usr/lib/pkgconfig/*.pc. With libtool it gets more complicated, but we should delete the .la files. Also check if there are any /usr/bin/*-configure #!/bin/bash #!/usr/bin/perl or Python. Sometimes scripts or similar are generated at build time (i.e autoconf automake) then you normally don't need add those to depends_dev. You can also just add all -dev makedepends to depends_dev but it will slow the build process a little bit (more build dependencies).}}
==== giturl ====
:Git repository from which <code>abuild checkout</code> checks out. You can checkout a specific branch in git by adding <code>-b $branch</code>.
==== install ====
: There are 6 different types of install scripts. Install scripts are named '''$pkgname.action''', where '''action''' can be: '''pre-install, post-install, pre-upgrade, post-upgrade, pre-deinstall''', or '''post-deinstall'''. For example, if ''pkgname'' is set to '''mypackage''' and ''install'' is set to '''$pkgname.post-install''', then a script named '''mypackage.post-install''' must exist along-side the APKBUILD.
<blockquote>{{Note|Always use <code>/bin/sh</code> for the command-line interpreter on the [http://en.wikipedia.org/wiki/Shebang_%28Unix%29 shebang line] of your install scripts.}}</blockquote>

The following are the different types of install scripts in detail:

===== $pkgname.pre-install =====
: This script is executed ''before installing'' the package. Typical use is when the package needs a group and a user to be created. For example:
<blockquote><pre>
#!/bin/sh

addgroup -S clamav 2>/dev/null
adduser -S -D -H -s /bin/false -G clamav -g clamav clamav 2>/dev/null

exit 0
</pre>
{{Note|If the script exits with a failure (e.g., if the user already exists), the package will not be installed and <code>apk</code> will exit with failure, hence the <code>exit 0</code> at the end.}}</blockquote>

===== $pkgname.post-install =====
: This script is executed ''after installing'' the package.

===== $pkgname.pre-upgrade =====
: This script is executed ''before upgrading/downgrading/reinstalling'' the package. Note that exiting with failure will not cause apk to exit with failure, but will mark the package as broken.

===== $pkgname.post-upgrade =====
: This script is executed ''after upgrading/downgrading/reinstalling'' the package.

===== $pkgname.pre-deinstall =====
: This script is executed ''before uninstalling'' the package.
: {{Note|If the script exits with failure, <code>apk</code> will not uninstall the package.}}

===== $pkgname.post-deinstall =====
: This script is executed ''after uninstalling'' the package.

==== install_if ====
:install_if can be used when a package needs to be installed when some packages are already installed or are in the dependency tree. It works in reverse to the ''recommends'' feature, that other package managers provide.

: '''Example:''' When package <code>A</code> has <code>install_if="B C"</code>, and the user runs <code>apk add B C</code>, then package <code>A</code> will get automatically installed.

: '''Example 2:''' A real use-case in Alpine is open-vm-tools. Currently it contains the userspace tools and separate packages for the kernel modules (grsec and vserver). When we install the userspace tools, apk should automatically install the correct kernel modules and will need to figure out for which kernel. This is where install_if jumps in. For any of the kernel modules package we would use:

:<pre>install_if="linux-${_flavor}=${_kernelver} open-vm-tools"</pre>

:This will automatically install the package when the specified packages are installed or are in dependency tree.

==== license ====
: License(s) for the package, for example <code>GPL-3.0-or-later</code>, <code>BSD-2-Clause</code> or <code>MIT</code> [[Creating_an_Alpine_package#license|(details)]].

==== makedepends ====
: Build-time dependency package(s).
==== md5sums/sha256sums/sha512sums ====
: Checksums for the files/URLs listed in ''source''. The checksums are normally generated and updated by executing <code>abuild checksum</code> and should be the last item in the APKBUILD.

New packages should use only sha512sums.

==== options ====
: Build-time options for the package.

: {| class="wikitable"
! Option
! Description
|-
| <code>!archcheck</code>
| Do not try to verify that the architecture of the binary files is the same architecture as abuild should build for. One example where it makes sense to set this are packages with firmware files, that get executed on another CPU (such as WiFi firmware).
|-
| <code>!check</code>
| Do not try to run the <code>check()</code> function. Please always add a short comment after the <code>!check</code> about why it's disabled. [https://github.com/alpinelinux/aports/pull/2322#discussion_r142545300] Creating a very simple check function, that calls <code>program --version</code> is better than disabling tests completely. [https://github.com/alpinelinux/aports/pull/2322#discussion_r142543002]
|-
| <code>!strip</code>
| Avoid stripping symbols from binaries.
|-
| <code>suid</code>
| Allow [https://en.wikipedia.org/wiki/Setuid setuid] binaries.
|-
| <code>!tracedeps</code>
| Do not automatically find dependencies (e.g. by using <code>ldd</code> to find dynamic libraries, which the resulting binary links against).
|}

==== pkgdesc ====
: A brief, one-line description of what the package does.

: Here's an example from the OpenSSH client package:
: <pre>pkgdesc="Port of OpenBSD's free SSH release - client"</pre>
==== pkggroups ====
: System group(s) to be created during build-time. System group(s) should also be created in the '''[[APKBUILD Reference#.24pkgname.pre-install|$pkgname.pre-install]]''' script, so that the system group(s) are also created prior to package installation for run-time use.
==== pkgname ====
: The name of the package. All letters should be lowercase.
: {{Note|When creating an APKBUILD of a module or library for another package, we use some common package prefixes, such as: ''lua-'', ''perl-'', ''php-'', and ''py-''. Search aports for other common prefixes.}}

==== pkgrel ====
: Alpine package release number. Starts at 0 (zero). Always increment ''pkgrel'' when making updates to an aport; reset ''pkgrel'' to 0 (zero) when incrementing ''pkgver''.
==== pkgusers ====
: System user(s) to be created during build-time. System user(s) should also be created in the '''[[APKBUILD Reference#.24pkgname.pre-install|$pkgname.pre-install]]''' script, so that the system user(s) are also created prior to package installation for run-time use.
==== pkgver ====
: The version of the software being packaged. Format for valid versions: <code>{digit}{.digit}...{letter}{_suf{#}}...{-r#}</code> [https://git.alpinelinux.org/cgit/apk-tools/tree/src/version.c#n17]
: A Suffix <code>suf</code> in the above format can be one of the following to indicate that the release is ''less recent'' than the version without the suffix: <code>alpha</code>, <code>beta</code>, <code>pre</code>, <code>rc</code> [https://git.alpinelinux.org/cgit/apk-tools/tree/src/version.c#n75]
: These are for indicating ''more recent'' releases: <code>cvs</code>, <code>svn</code>, <code>git</code>, <code>hg</code>, <code>p</code> [https://git.alpinelinux.org/cgit/apk-tools/tree/src/version.c#n76]
: All other suffices are invalid. To package a specific git commit, the date of the commit gets appended to the latest release, e.g. <code>1.0.0_git20180204</code>.

==== provides ====
: List of package names (and optionally version info) this package provides.

: If package with a version is provided (provides='foo=1.2') apk will consider it as an alternate name and it will automatically consider the package for installation by the alternate name, and conflict with other packages having the same name, or provides.

: If version is not provided (provides='foo'), apk will consider it as virtual package name. Several package with same non-versioned provides can be installed simultaneously. However, none of them will be installed by default when requested by the virtual name - instead, error message is given and user is asked to choose which package providing the virtual name should be installed.
==== provider_priority ====
: A numeric value which is used by apk-tools to break ties when choosing a virtual package to satisfy a dependency. Higher values have higher priority. The primary use case is to specify the primary package that satisfies a virtual (provider).
==== replaces ====
: Package(s) that this package replaces. This package will "take over" files owned by packages listed in the ''replaces'' variable. This is useful when files move from one package to another, or when a package gets renamed.
==== replaces_priority ====
: The priority of the replaces. If multiple packages replace each other, then will the package with highest ''replaces_priority'' win.
==== source ====
: The source variable is not only used to list the remote source files to fetch, it is also used to list the local files that abuild will need in order to build the apk. Examples of such local files include: init.d files, conf.d files, install files (see [[APKBUILD Reference#install|install variable]]), patches, and all other necessary files.

: Here are few things to note:

:* When you are finished adding local and/or remote files to ''source'', you can execute the following command to add their checksums to the APKBUILD file:
:: {{Cmd|abuild checksum}}
:: {{Note|When later updating the content of ''source'', or updating a file that is listed in ''source'', you must also update their checksums again with the same command.}}

:* When the remote file is hosted at SourceForge, it's best to specify the special mirrors link used by SourceForge:
:: <pre>http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz</pre>
:: (or similar depending on the package).

:* You can set target filename (eg 'save as...') by prefixing the URI with ''filename::''. This is useful when the remote filename is not specified in the URI (ie, does not end in '/software-1.0.tar.gz'), such as:
:: <pre>http://oss.example.org/?get=software&ver=1.0</pre>
:: or when the filename is braindead, like githubs' download tags:
:: <pre>https://github.com/software/software/archive/v$pkgver.tar.gz</pre>
:: The above two examples needs a target filename prefix:
:: <pre>$pkgname-$pkgver.tar.gz::http://oss.example.org/?get=software&ver=$pkgver</pre>
:: and:
:: <pre>$pkgname-$pkgver.tar.gz::https://github.com/software/software/archive/v$pkgver.tar.gz</pre>

:* abuild currently supports the following protocols for remote file retrieval:
:** http
:** https
:** ftp

:* abuild currently supports the following archive types/archive file extensions:
:** .tar.gz / .tgz
:** .tar.bz2
:** .tar.lzma
:** .tar.xz
:** .zip

:: {{Note|Legacy APKBUILD scripts define ''source'' variable as "saveas-[brain-dead-url]/[target-filename]" format instead of the modern [target-filename]::[brain-dead-url]. ''BAD'': source="saveas-http://releases.ddvtech.com/download.php?pack=libmist_dist&ver=RC/$pkgname-$pkgver.tar.gz" ''GOOD'': source=$pkgname-$pkgver.tar.gz::http://releases.ddvtech.com/download.php?pack=libmist_dist&ver=RC"}}

==== subpackages ====
: Subpackages built from this APKBUILD. abuild will parse this variable and try to find a subpackage split function. The split function must ''move'' files that do not belong in the main package, from ''$pkgdir'' to ''$subpkgdir''. Files and directories can also be ''copied'' from ''$startdir'' and ''$srcdir'' to ''$subpkgdir''.

: The split function can be specified in 1 of 3 different methods:
:# subpkgname:'''splitfunc'''
:# $pkgname-'''splitfunc'''
:# '''splitfunc'''

: {{Note|Split function names '''cannot''' use hyphens; use the first method above if the subpackage name contains a hyphen (-) character, like this: ''subpkg-name:subpkg_name'', where <code>subpkg-name</code> is the name of the '''subpackage''' and <code>subpkg_name</code> is the name of the '''subpackage's split function'''.}}

: {{Tip|For more information, see the [[APKBUILD_examples:Subpackages|Subpackages example]].}}

==== triggers ====
: Apk-tools can "monitor" directories and execute a trigger if any package installed/uninstalled any file in the monitored dir. The triggers are always execute after the apk action (install, uninstall, upgrade).

: The triggers are specified in the format: ''scriptname''=''pathlist'' where ''scriptname'' is the (sub)package name + .trigger suffix and pathlist is : separated list of the dirs to monitor.

: The '''triggers''' variable must include the triggers for subpackages too if they have any.

: It is possible to use wildcards (*) in the dir list.

==== url ====
: The homepage for the package. This is to help users find upstream documentation and other information regarding the package.

= Functions =
{{Note|All functions should consider the current working directory as undefined, and should therefore use the [[APKBUILD Reference#abuild-defined_variables|abuild-defined directory variables]] to their advantage.}}

== abuild-defined functions ==
The following functions are provided by abuild and can be overridden:

==== fetch() ====
: Downloads remote sources listed in ''source'' to ''SRCDEST'' (''SRCDEST'' is configured in ''/etc/abuild.conf'') and creates symlinks in ''$srcdir''.
==== unpack() ====
: Unpacks .tgz, .tar.gz, .tar.bz2, .tar.lzma, .tar.xz, and .zip archives in ''$srcdir'' to ''$srcdir''.
==== dev() ====
: Subpackage function for the '''$pkgname-dev''' package. Without specifying a custom ''dev()'' function, abuild will call it's internal ''dev()'' function, which in turn calls ''default_dev()'', which will move ''"$pkgdir"/usr/include'', ''*.a'', ''*.la'' and similar files to ''$subpkgdir''.
==== doc() ====
: Subpackage function for the '''$pkgname-doc''' package. Without specifying a custom ''doc()'' function, abuild will call it's internal ''doc()'' function, which in turn calls ''default_doc()'', which will move ''"$pkgdir"/usr/share/doc'', ''"$pkgdir"/usr/share/man'' and similar to ''$subpkgdir''.

== User-defined functions ==
The following functions should be defined by the user:

==== prepare() ====
: {{note|Please adjust old APKBUILDs, which still have a ''prepare()'' function that does the same as the ''default_prepare()'' when you edit them anyway.}}
: '''''Optional''.''' Used for build preparation: patches, etc, should be applied here. When you don't specify a custom ''prepare()'', the built-in ''default_prepare()'' from abuild will be used. It applies patches already (always prepare them in the <code>-p1</code> format), so '''usually it makes sense to not create a custom ''prepare()'' function at all!''' If you do create one, call ''default_prepare()'' inside it:

<pre>
prepare() {
default_prepare
# your custom code here
}
</pre>

==== build() ====
: '''Required.''' This is the compilation stage. This function will be called as the current user (unless the ''package()'' function is missing - for compatibility reasons). If no compilation is needed, this function can contain a single line: <code>return 0</code>
==== check() ====
: '''Recommended.''' This function is called right after the build stage. It should check that the packaged thing is actually working, typically by running (integration) tests, if provided by upstream. If there’s no (easy) way how to test the package, you can declare that it does not want to use ''check()'' by adding "!check" into the ''options'' variable (<code>options="!check"</code>).
==== package() ====
: '''Required.''' This is the packaging stage. Here, the built application and support files should be installed into '''$pkgdir'''. If this is a metapackage, this function can contain a single line: <code>mkdir -p "$pkgdir"</code>

{{Note|Building in fakeroot will reduce performance for parallel builds dramatically. It is for this reason that we split the build and package process into two separate functions.}}

= Examples =
The [[APKBUILD examples]] page will assist you in understanding how to create an APKBUILD.

[[Category:Development]]

Writing Init Scripts

2017-07-20T14:20:29Z

Larena: Add cfgfile var

{{Draft}}

== Introduction ==

Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with out system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are takes from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.

If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.

Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].

<code>apk add openrc-doc man</code>

<code>man openrc-run</code>

== Mandatory ==

Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:

<code>#!/sbin/openrc-run</code>

The only mandatory variable needed to be defined for OpenRC is:

<code>command=</code>

The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.

== Basic example ==

<pre>
#!/sbin/openrc-run

name=$RC_SVCNAME
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"
command="/usr/bin/my_daemon"
command_args="--my-daemon-args"
command_user="my_system_user"
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
start_stop_daemon_args="--args-for-start-stop-daemon"
command_background="yes"

depend() {
need net
}

start_pre() {
checkpath --directory --owner $command_user:$command_user --mode 0775 \
/run/$RC_SVCNAME /var/log/$RC_SVCNAME
}
</pre>

== start, stop, restart functions ==

OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.

=== start ===

<pre>
start() {
ebegin "Starting mydaemon"
start-stop-daemon --start \
--exec /usr/sbin/mydaemon \
--pidfile /var/run/mydaemon.pid \
-- \
--args-for-mydaemon
eend $?
}
</pre>

=== stop ===

=== restart ===

== Daemon, Forking, Logging ==

TODO...

[[Category:Booting]]

Two Factor Authentication With OpenSSH

2017-06-12T14:12:07Z

Larena: tested setup

{{Note|Currently the packages required to follow this how-to are available only in edge (future AL3.7). You can [[Alpine_Linux_package_management#Repository_pinning|pin edge repository]] if you're on a stable version.}}

== Using Google Authenticator ==
{{cmd|apk add google-authenticator openssh-server-pam}}

{{cmd|cat /etc/ssh/sshd_config}}
<pre>
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PermitRootLogin yes
UsePAM yes
</pre>
{{Note|This configuration does NOT allow password authentication globally}}

{{cmd|cat /etc/pam.d/sshd #create the file if needed}}
<pre>
account include base-account

auth required pam_env.so
auth required pam_nologin.so successok
auth include google-authenticator
</pre>

== Time-based One Time Password authentication (TOTP RFC 6238) ==
As user root:
{{cmd|google-authenticator}}
{{Note|Please take note of <secret>}}
<pre>
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/<pruned>
Your new secret key is: <secret>
Your verification code is <pruned>
Your emergency scratch codes are:
<pruned>
<pruned>
<pruned>
<pruned>
<pruned>

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) n

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n
</pre>

{{Tip|You might want to answer differently at questions 2, 3 and 4 based on your paranoia's level and firewall settings :)}}

Re-run <code>google-authenticator</code> for each user that needs to login via SSH. Don't forget to include <code>.google_authenticator</code> files in your [[Alpine_local_backup|LBU]] if you're running from RAM.

== Prover ==
Download '''Google Authenticator''' app from your ''App Store''. Startup '''Google Authenticator''' app and enter manually your <secret> key.

== Login ==
{{cmd|ssh -v root@yourbox}}
You should see the last lines saying:
<pre>
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Verification code:
</pre>
<code>Authenticated with partial success</code> means that pubkey authentication was successfull and now the verifier is asking for the verification code generated from the '''Google Authenticator''' app.

Two Factor Authentication With OpenSSH

2017-06-12T10:28:44Z

Larena: first draft

{{Draft}}

{{Note|Currently the packages required to follow this how-to are available only on edge (future AL3.7)}}

== Using Google Authenticator ==

{{cmd|apk add google-authenticator openssh-server-pam}}

{{cmd|cat /etc/pam.d/base-auth}}
<pre>
# basic PAM configuration for Alpine.

auth required pam_env.so
#auth required pam_unix.so nullok_secure
auth required pam_nologin.so successok
auth required /lib/security/pam_google_authenticator.so
</pre>

{{cmd|cat /etc/ssh/sshd_config}}
<pre>
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
ChallengeResponseAuthentication yes
PermitRootLogin yes
</pre>
{{Note|This configuration does NOT allow password authentication. To allow password authentication append "password" to "AuthenticatioMethods"}}

As user root:
{{cmd|google-authenticator}}
<pre>
Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/<pruned>
Your new secret key is: <secret>
Your verification code is <pruned>
Your emergency scratch codes are:
<pruned>
<pruned>
<pruned>
<pruned>
<pruned>

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) n

By default, tokens are good for 30 seconds. In order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with
poor time synchronization, you can increase the window from its default
size of +-1min (window size of 3) to about +-4min (window size of
17 acceptable tokens).
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) n
</pre>

Download '''Google Authenticator''' app and enter manually your <secret> key

OwnCloud

2017-06-12T09:59:58Z

Larena: Deprecate

{{Obsolete|OwnCloud is deprecated in favor of [[Nextcloud|Nextcloud]]}}

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

ISCSI Raid and Clustered File Systems

2017-06-12T09:58:46Z

Larena: Deprecate

{{Obsolete|SCST is deprecated since Alpine 2.6 in favor of [[Linux_iSCSI_Target_(TCM)|TCM]] and OCFS2 isn't available in Alpine 3.6}}

This document describes how to created a raided file system that is exported to multiple host via ISCSI.

== Raid Configuration ==

Very Similar to [[Setting up a software RAID array]].

apk install mdadm

mdadm --create --level=5 --raid-devices=3 /dev/md0 /dev/hda /dev/hdb /dev/hdc

To see the status of the creation of these devices

cat /proc/mdstat

You Don't have to wait to continue to use the disk.

== iSCSI Target Config ==

[http://scst.sourceforge.net/target_iscsi.html SCST] is recommended over [http://iscsitarget.sourceforge.net/ IET], due to bugfixes, performance and RFC compliance.
For a detailed config how-to please look at [[High_performance_SCST_iSCSI_Target_on_Linux_software_Raid]]

== Initiator Config ==

iscsiadm --mode node --targetname NAME_OF_TARGET --portal IP_OF_TARGET --login

This should then give you a device /dev/sda. Check by dmesg.

fdisk /dev/sda

Create a partition to use. sda1 file system type 83

Add ocfs2 tools (available in Alpine 2.3 or greater)

apk add ocfs2-tools

It can take care of starting and stopping services, copying the cluster.conf between nodes,creating the filesystem, and mounting it.

Need to create a /etc/ocfs2/cluster.conf.

This configuration file should be the same on all the nodes in the cluster. Should look similar to the following...

node:
ip_port = 7777
ip_address = 192.168.1.202
number = 0
name = bubba
cluster = ocfs2

node:
ip_port = 7777
ip_address = 192.168.1.102
number = 1
name = bobo
cluster = ocfs2

cluster:
node_count = 2
name = ocfs2

Load modules:

echo ocfs2 >> /etc/modules
echo dlm >> /etc/modules

modprobe ocfs2
modprobe dlm

Mount ocfs2 metafilesystems

echo none /sys/kernel/config configfs defaults 0 0 >> /etc/fstab
echo none /sys/kernel/dlm ocfs2_dlmfs defaults 0 0 >> /etc/fstab

Start ocfs2 cluster

/etc/init.d/o2cb start

Run the following command only on one node.

mkfs.ocfs2 -L LABELNAME /dev/sda1

Run the following command on both nodes.

/etc/init.d/o2cb enable

mount /dev/sda1 /media/iscsi1

Now you can create read/write/change on both machines to the one drive at the same time.

[[Category:Storage]]

Nextcloud

2017-01-05T10:03:09Z

Larena: Add nextcloud-client availability note

[http://nextcloud.com/ Nextcloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].

= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.

=== Sqlite ===
All you need to do is to install the package
{{cmd|apk add nextcloud-sqlite}}

=== PostgreSQL ===
Install the package
{{cmd|apk add nextcloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

=== MySQL ===
Install the package
{{cmd|apk add nextcloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}

Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate package:
{{cmd|apk add nextcloud-pdfviewer nextcloud-texteditor nextcloud-notifications nextcloud-videoplayer}}

= Configure and use Nextcloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening PostgreSQL ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''

[http://pkgs.alpinelinux.org/packages?name=nextcloud-client&branch=&repo=&arch=&maintainer= nextcloud-client] is currently available in the testing repo.

= Video Communication =
One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge) is a [https://nextcloud.com/webrtc/ WebRTC app], which relies on Spreed WebRTC server, which is available in the Alpine testing repository. Everything is still beta, so be aware of it :-). If you want a private video conferencing server install Nextcloud using Nginx and do the following (you can use Apache as well and follow the ''Apache config'' instructions [https://nextcloud.com/webrtc/ nextcloud.com]):

Put the following config in the ''server'' section of Nginx:
<pre>
# Spreed WebRTC
location ^~ /webrtc {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
</pre>

Put the following section in the ''http'' section of Nginx:
<pre>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
</pre>

Reload Nginx:
{{cmd|rc-service nginx reload}}

Install Spreed WedRTC server (make sure you have the testing [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Packages_and_Repositories repository] enabled):
{{cmd|apk add spreed-web-server}}

Using the configuration file in ''/etc/spreed-webrtc/spreed-webrtc-server.conf'' follow the instructions at [https://nextcloud.com/webrtc/ nextcloud.com] to configure Spreed WebRTC server. Then start the server:
{{cmd|rc-service spreed-web-server start}}
{{cmd|rc-update add spreed-web-server}}

Install the ''Spreed video calls'' app in Nextcloud and enjoy your private video calls.

[[Category:Server]]

Nextcloud

2017-01-04T09:40:38Z

Larena: Apache can be used too

[http://nextcloud.com/ Nextcloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].

= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.

=== Sqlite ===
All you need to do is to install the package
{{cmd|apk add nextcloud-sqlite}}

=== PostgreSQL ===
Install the package
{{cmd|apk add nextcloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

=== MySQL ===
Install the package
{{cmd|apk add nextcloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}

Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate package:
{{cmd|apk add nextcloud-pdfviewer nextcloud-texteditor nextcloud-notifications nextcloud-videoplayer}}

= Configure and use Nextcloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening PostgreSQL ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''

= Video Communication =
One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge) is a [https://nextcloud.com/webrtc/ WebRTC app], which relies on Spreed WebRTC server, which is available in the Alpine testing repository. Everything is still beta, so be aware of it :-). If you want a private video conferencing server install Nextcloud using Nginx and do the following (you can use Apache as well and follow the ''Apache config'' instructions [https://nextcloud.com/webrtc/ nextcloud.com]):

Put the following config in the ''server'' section of Nginx:
<pre>
# Spreed WebRTC
location ^~ /webrtc {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
</pre>

Put the following section in the ''http'' section of Nginx:
<pre>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
</pre>

Reload Nginx:
{{cmd|rc-service nginx reload}}

Install Spreed WedRTC server (make sure you have the testing [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Packages_and_Repositories repository] enabled):
{{cmd|apk add spreed-web-server}}

Using the configuration file in ''/etc/spreed-webrtc/spreed-webrtc-server.conf'' follow the instructions at [https://nextcloud.com/webrtc/ nextcloud.com] to configure Spreed WebRTC server. Then start the server:
{{cmd|rc-service spreed-web-server start}}
{{cmd|rc-update add spreed-web-server}}

Install the ''Spreed video calls'' app in Nextcloud and enjoy your private video calls.

[[Category:Server]]

Nextcloud

2017-01-04T09:30:47Z

Larena: Video calls section added

[http://nextcloud.com/ Nextcloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].

= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.

=== Sqlite ===
All you need to do is to install the package
{{cmd|apk add nextcloud-sqlite}}

=== PostgreSQL ===
Install the package
{{cmd|apk add nextcloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

=== MySQL ===
Install the package
{{cmd|apk add nextcloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}

Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as pdfviewer, texteditor, notifications and videoplayer are in separate package:
{{cmd|apk add nextcloud-pdfviewer nextcloud-texteditor nextcloud-notifications nextcloud-videoplayer}}

= Configure and use Nextcloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening PostgreSQL ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''

= Video Communication =
One of the major features of Nextcloud 11, available on Alpine 3.6 (currently edge) is a [https://nextcloud.com/webrtc/ WebRTC app], which relies on Spreed WebRTC server, which is available in the Alpine testing repository. Everything is still beta, so be aware of it :-). If you want a private video conferencing server install Nextcloud using Nginx and do the following:

Put the following config in the ''server'' section of Nginx:
<pre>
# Spreed WebRTC
location ^~ /webrtc {
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_buffering on;
proxy_ignore_client_abort off;
proxy_redirect off;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_next_upstream error timeout invalid_header http_502 http_503 http_504;
}
</pre>

Put the following section in the ''http'' section of Nginx:
<pre>
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
</pre>

Reload Nginx:
{{cmd|rc-service nginx reload}}

Install Spreed WedRTC server (make sure you have the testing [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Packages_and_Repositories repository] enabled):
{{cmd|apk add spreed-web-server}}

Using the configuration file in ''/etc/spreed-webrtc/spreed-webrtc-server.conf'' follow the instructions at [https://nextcloud.com/webrtc/ nextcloud.com] to configure Spreed WebRTC server. Then start the server:
{{cmd|rc-service spreed-web-server start}}
{{cmd|rc-update add spreed-web-server}}

Install the ''Spreed video calls'' app in Nextcloud and enjoy your private video calls.

[[Category:Server]]

Nextcloud

2016-07-25T19:24:33Z

Larena: typo

{{Draft|This is just a fork of OwnCloud AL wiki page. Do not follow these instructions until this notice is removed}}

[http://nextcloud.com/ Next] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of ownCloud with enterprise features included].

= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 (currently edge) and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add nextcloud-sqlite}}

=== postgresql ===
Install the package
{{cmd|apk add nextcloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

=== mysql ===
Install the package
{{cmd|apk add nextcloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}

Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add nextcloud-texteditor nextcloud-documents nextcloud-videoviewer}}

= Configure and use nextcloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''

[[Category:Server]]

Nextcloud

2016-07-25T19:23:52Z

Larena: created

{{Draft|This is just a fork of OwnCloud AL wiki page. Do not follow these instructions until this notice is removed}}

[http://nextcloud.com/ Next] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. [http://karlitschek.de/2016/06/nextcloud/ Nextcloud is a fork of nextcloud with enterprise features included].

= Installation =
{{pkg|nextcloud}} is available from Alpine 3.5 (currently edge) and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add nextcloud-sqlite}}

=== postgresql ===
Install the package
{{cmd|apk add nextcloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

=== mysql ===
Install the package
{{cmd|apk add nextcloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE nextcloud;
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON nextcloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up nextcloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your nextcloud server)''.}}

Link {{pkg|nextcloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/nextcloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add nextcloud-texteditor nextcloud-documents nextcloud-videoviewer}}

= Configure and use nextcloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://nextcloud.org/sync-clients/ ''(nextcloud Sync clients)''
* http://nextcloud.org/support/android/ ''(Android client)''

[[Category:Server]]

Install Alpine on Amazon EC2

2016-06-03T11:21:49Z

Larena:

{{Draft}}

The goal here is to have a "1GB" (the smallest possible) EBS 'virtual usb stick' that can boot and run Alpine Linux.

= Create an EBS backed Alpine Linux AMI =

{{Note|You need to do this process at least once in each availability region. EBS can't be shared between Ireland and California, for instance.}}

* Create an Amazon instance in the desired availability region. A micro instance is fine - we will need it only long enough to create our EBS usb stick.
* Create a new 1GB EBS volume
* Attach the new volume to the running instance
* The new volume will have a name like /dev/xvdf or such
* Format the volume as ext4 {{Cmd|mke2fs -t ext4 /dev/xvdf}} ''Do not partition it - just format the whole volume''
* wget a '''x86_64''' iso and extract it to the new volume. 32bit will not work.
<pre>
wget http://dl-4.alpinelinux.org/alpine/v2.4/releases/x86_64/alpine-2.4.5-x86_64.iso
mkdir target
mkdir source
mount /dev/xvdf target
mount -o loop alpine-2.4.5-x86_64.iso source
cp -av source/boot target
cp -av source/apks target
umount source
</pre>
* Create a grub.conf on the new partition.
<pre>
mkdir -p target/boot/grub
cat - >target/boot/grub/grub.conf <<EOF
default=0
timeout=3
hiddenmenu

title Alpine Linux
root (hd0)
kernel /boot/virtgrsec alpine_dev=xvda1:ext4 modules=loop,squashfs,sd-mod,ext4 console=hvc0 pax_nouderef BOOT_IMAGE=/boot/vmlinuz-grsec
initrd /boot/initramfs-grsec
EOF
</pre>
:* Syslinux automatically adds BOOT_IMAGE to the kernel command line; grub does not, so make sure you specify it in the grub.conf
:* You do not need any other grub files - just boot.conf
* symlink the grub.conf to menu.lst
<pre>
ln -sf ./grub.conf target/boot/grub/menu.lst
</pre>
* Create an amazon.apkovl.tar.gz file to put on the target
** This is probably easiest on a local alpine linux instance. Make sure the following are configured:
*** eth0 uses dhcp
*** networking is set to autostart
*** sshd is installed and set to autostart
*** Your ssh public key is in /root/.ssh/authorized_keys
*** The root password is set to something
*** lbu include root/.ssh
*** (optional) - Delete the /etc/ssh/*key* files, so they are created on the new box
** {{Cmd|lbu package amazon.apkovl.tar.gz}} {{Warning|If you are packaging on a 32bit box, manually delete etc/apk/arch from the apkovl.tar.gz file}}
** Copy amazon.apkovl.tar.gz to target/
* Unmount target
* '''Do the following from the Amazon web interface'''
** Detach the new volume
** Make note of the volume ID
** Launch NEW instance. Use defaults, amazon linux, micro; we are going to canibalize it in a bit, so defaults are fine here.
** Once the instance starts, ''stop'' but ''do not terminate'' the instance.
** Under EBS, detach the existing volume, and attach the alpine linux volume as /dev/sda1 (note the 1 at the end)
** Restart the instance
* Log in and make sure it works
* Do any final cleanups necessary, and if necessary lbu ci
** Only make configs that are appropriate for an AMI, we are going to snapshot this instance and create an AMI out of it
* Again from the Amazon web interface
** Delete the 8GB volume that is no longer needed
** ''Stop'' but do not terminate the instance
** Right click the stopped instance and choose 'Create Image (EBS AMI)'
*** Image name should be unique for the image - example AlpineLinux-2.4.5
*** Description can be anything - example 'Base AlpineLinux Installation - no services'
* Done.

[[Category:Virtualization]]

Install Alpine on Amazon EC2

2016-06-03T08:22:13Z

Larena: update kernel/initrd filename for AL3.3

{{Draft}}

The goal here is to have a "1GB" (the smallest possible) EBS 'virtual usb stick' that can boot and run Alpine Linux.

= Create an EBS backed Alpine Linux AMI =

{{Note|You need to do this process at least once in each availability region. EBS can't be shared between Ireland and California, for instance.}}

* Create an Amazon instance in the desired availability region. A micro instance is fine - we will need it only long enough to create our EBS usb stick.
* Create a new 1GB EBS volume
* Attach the new volume to the running instance
* The new volume will have a name like /dev/xvdf or such
* Format the volume as ext4 {{Cmd|mke2fs -t ext4 /dev/xvdf}} ''Do not partition it - just format the whole volume''
* wget a '''x86_64''' iso and extract it to the new volume. 32bit will not work.
<pre>
wget http://dl-4.alpinelinux.org/alpine/v2.4/releases/x86_64/alpine-2.4.5-x86_64.iso
mkdir target
mkdir source
mount /dev/xvdf target
mount -o loop alpine-2.4.5-x86_64.iso source
cp -av source/boot target
cp -av source/apks target
umount source
</pre>
* Create a grub.conf on the new partition.
<pre>
mkdir -p target/boot/grub
cat - >target/boot/grub/grub.conf <<EOF
default=0
timeout=3
hiddenmenu

title Alpine Linux
root (hd0)
kernel /boot/grsec alpine_dev=xvda1:ext4 modules=loop,squashfs,sd-mod,ext4 console=hvc0 pax_nouderef BOOT_IMAGE=/boot/vmlinuz-grsec
initrd /boot/initramfs-grsec
EOF
</pre>
:* Syslinux automatically adds BOOT_IMAGE to the kernel command line; grub does not, so make sure you specify it in the grub.conf
:* You do not need any other grub files - just boot.conf
* symlink the grub.conf to menu.lst
<pre>
ln -sf ./grub.conf target/boot/grub/menu.lst
</pre>
* Create an amazon.apkovl.tar.gz file to put on the target
** This is probably easiest on a local alpine linux instance. Make sure the following are configured:
*** eth0 uses dhcp
*** networking is set to autostart
*** sshd is installed and set to autostart
*** Your ssh public key is in /root/.ssh/authorized_keys
*** The root password is set to something
*** lbu include root/.ssh
*** (optional) - Delete the /etc/ssh/*key* files, so they are created on the new box
** {{Cmd|lbu package amazon.apkovl.tar.gz}} {{Warning|If you are packaging on a 32bit box, manually delete etc/apk/arch from the apkovl.tar.gz file}}
** Copy amazon.apkovl.tar.gz to target/
* Unmount target
* '''Do the following from the Amazon web interface'''
** Detach the new volume
** Make note of the volume ID
** Launch NEW instance. Use defaults, amazon linux, micro; we are going to canibalize it in a bit, so defaults are fine here.
** Once the instance starts, ''stop'' but ''do not terminate'' the instance.
** Under EBS, detach the existing volume, and attach the alpine linux volume as /dev/sda1 (note the 1 at the end)
** Restart the instance
* Log in and make sure it works
* Do any final cleanups necessary, and if necessary lbu ci
** Only make configs that are appropriate for an AMI, we are going to snapshot this instance and create an AMI out of it
* Again from the Amazon web interface
** Delete the 8GB volume that is no longer needed
** ''Stop'' but do not terminate the instance
** Right click the stopped instance and choose 'Create Image (EBS AMI)'
*** Image name should be unique for the image - example AlpineLinux-2.4.5
*** Description can be anything - example 'Base AlpineLinux Installation - no services'
* Done.

[[Category:Virtualization]]

Setting up Homer

2016-05-16T14:16:22Z

Larena: first edit, rough notes

{{Draft}}

Rough notes for setting up [http://sipcapture.org Homer] on Alpine Linux from testing repository

{{Cmd|apk add homer-ui homer-api-doc nginx php5-fpm
apk add mariadb mariadb-client
rc-service mariadb setup
rc-service mariadb start
rc-update add mariadb
/usr/bin/mysql_secure_installation
mysql -u root -p < /usr/share/homer-api/sql/homer_databases.sql
mysql -u root -p < /usr/share/homer-api/sql/homer_user.sql
mysql -u root homer_data -p < /usr/share/homer-api/sql/schema_data.sql
mysql -u root homer_configuration -p < /usr/share/homer-api/sql/schema_configuration.sql
mysql -u root homer_statistic -p < /usr/share/homer-api/sql/schema_statistic.sql
cp /usr/share/doc/homer-api/examples/web/homer5.nginx /etc/nginx/sites-available/homer5
cp /usr/share/doc/homer-api/examples/web/homer5.php-fpm /etc/php5/fpm.d/homer5.conf
rc-service php-fpm start
rc-update add php-fpm
rm /etc/nginx/sites-enabled/test
ln ../sites-available/homer5 /etc/nginx/sites-enabled/homer5
rc-service nginx start
rc-update add nginx
ln -s /usr/share/webapps/homer-ui /var/www/localhost/htdocs/homer
edit "root", "server" in /etc/nginx/sites-available/homer5.nginx "/var/www/localhost/htdocs/homer"
edit "HOMER_TIMEZONE" in /etc/homer/preferences.php
}}

How-To Alpine Wall

2015-10-23T08:02:25Z

Larena: /* Help and debugging */

= General =
Purpose of this doc is to illustrate Alpine Wall ({{pkg|AWall}}) by examples. 
We will explain {{pkg|AWall}} from the viewpoint of a Shorewall user. 

{{pkg|AWall}} is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

Some of the below features and examples assumes that you are running {{pkg|AWall}} version 0.2.12 or later. 
Make sure you are running latest version by running the following commands:
{{cmd|apk update
apk add -u awall
apk version awall}}

== Structure ==
Your {{pkg|AWall}} firewall configuration file(s) goes to {{Path|/etc/awall/optional}} 
Each such file is called ''Policy''. 
{{note| {{pkg|AWall}} versions prior 0.2.12 will only look for ''Policy'' files in {{Path|/usr/share/awall/optional}}. From version 0.2.12 and higher, {{pkg|AWall}} will look for ''Policy'' files in both {{Path|/etc/awall/optional}} and {{Path|/usr/share/awall/optional}}}}
You may have multiple ''Policy'' files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|{{pkg|AWall}}'s ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}
An {{pkg|AWall}} ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing {{pkg|AWall}}, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after {{pkg|AWall}} installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to {{pkg|AWall}}.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure {{pkg|AWall}} to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/etc/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/etc/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall",

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| {{pkg|AWall}} has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/etc/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/etc/awall/optional/}} for testing some of the below examples}}

== Logging ==
{{pkg|AWall}} will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository ({{pkg|AWall}} v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our {{pkg|AWall}} ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|{{pkg|AWall}} already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

If you need to forward to a different port (e.g. 8080) you can do:

<pre>
"dnat": [
{"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]
</pre>

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
awall dump # Dump definitions like zones and variables
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

How-To Alpine Wall

2015-10-23T08:01:21Z

Larena: add awall dump

OwnCloud

2015-08-14T07:32:23Z

Larena: add fastcgi_read_timeout

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Large files upload takes sometime to be processed by php-fpm. So you need to bump the Nginx read default timeout:

<pre>
fastcgi_read_timeout 300s;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

LXC

2015-07-31T14:22:24Z

Larena: Remove CMD format

[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".

== Installation ==
Install the required packages:
{{Cmd|apk add lxc lxc-templates bridge}}

== Prepare network on host ==
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':
<pre>
auto br0
iface br0 inet dhcp
bridge-ports eth0
</pre>

Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':
<pre>
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
</pre>

== Create a guest ==

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x86_64 architecture, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you will need to install some packages:

{{Cmd|apk add debootstrap rsync}}

Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}

=== Ubuntu template ===

In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run (replace %MIRROR% with the actual hostname):

MIRROR="http://%MIRROR%/ubuntu/" lxc-create -n ubtn -f /etc/lxc/default.conf -t ubuntu -- -r trusty

== Starting/Stopping the guest ==
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart on boot up with:
{{Cmd| rc-update add lxc.guest1}}

You can also add to the container config: <code>lxc.start.auto = 1</code>

& {{Cmd|rc-update add lxc}}

to autostart containers by the lxc service only.

== Connecting to the guest ==
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:
{{Cmd|lxc-console -n guest1}}

To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped and run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host.

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exists

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.ipv4 = 192.168.1.2/24
</pre>

and build your container with that file

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your hosts, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

LXC

2015-07-31T14:19:22Z

Larena: add Ubuntu template creation

[http://lxc.sourceforge.net/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".

== Installation ==
Install the required packages:
{{Cmd|apk add lxc lxc-templates bridge}}

== Prepare network on host ==
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':
<pre>
auto br0
iface br0 inet dhcp
bridge-ports eth0
</pre>

Create a network configuration template for the guests, ''/etc/lxc/lxc.conf'':
<pre>
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
</pre>

== Create a guest ==

=== Alpine Template ===

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}

This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.

Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console

If running on x86_64 architecture, it is possible to create a 32bit guest:

{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}

=== Debian template ===

In order to create a debian template container you will need to install some packages:

{{Cmd|apk add debootstrap rsync}}

Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run:
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}

=== Ubuntu template ===

In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:

{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod
}}

Please remember to turn them back on, or just simply reboot the system.

Now you can run (replace %MIRROR% with the actual hostname):
{{Cmd|MIRROR="http://%MIRROR%/ubuntu/" lxc-create -n ubtn -f /etc/lxc/default.conf -t ubuntu -- -r trusty
}}

== Starting/Stopping the guest ==
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}

You can start your guest with:
{{Cmd|/etc/init.d/lxc.guest1 start}}

Stop it with:
{{Cmd|/etc/init.d/lxc.guest1 stop}}

Make it autostart on boot up with:
{{Cmd| rc-update add lxc.guest1}}

You can also add to the container config: <code>lxc.start.auto = 1</code>

& {{Cmd|rc-update add lxc}}

to autostart containers by the lxc service only.

== Connecting to the guest ==
By default sshd is not installed, so you will have to connect to a virtual console. This is done with:
{{Cmd|lxc-console -n guest1}}

To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}

== Deleting a guest ==
Make sure the guest is stopped and run:
{{Cmd|lxc-destroy -n guest1}}
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}

== Advanced ==

=== Creating a LXC container without modifying your network interfaces ===

The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.

The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.

So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)

{{Cmd|modprobe dummy}}

This will create a dummy interface called dummy0 on your host.

Now we will create a bridge called br0

{{Cmd |brctl addbr br0
brctl setfd br0 0 }}

and then make that dummy interface one end of the bridge

{{Cmd | brctl addif br0 dummy0 }}

Next, let's give that bridged interface a reason to exists

{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}

Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.

<pre>
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.ipv4 = 192.168.1.2/24
</pre>

and build your container with that file

{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}

You should now be able to ping your container from your hosts, and your host from your container.

Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0
From inside the container run

{{ Cmd | route add default gw 192.168.1.1 }}

The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose

We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.

Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:

{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface br0 -j ACCEPT
}}

Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!

You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)

=== Using static IP ===

If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''

from

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''dhcp'''

to

#auto lo
iface lo inet loopback
auto eth0
iface eth0 inet '''static'''
address <lxc-container-ip> # IP which the lxc container should use
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host
netmask <netmask>

=== mem and swap ===

{{Cmd|vim /boot/extlinux.conf}}

{{Cmd|
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1
}}

=== checkconfig ===
{{Cmd|lxc-checkconfig}}

{{Cmd|
Kernel configuration not found at /proc/config.gz; searching...
Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup clone_children flag: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig

}}

=== VirtualBox ===

In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.

[[File:VirtualBoxNetworkAdapter.jpg]]

[[Category:Virtualization]]

=== postgreSQL ===

Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}

=== openVPN ===

see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]

== LXC 1.0 Additional information ==

Some info regarding new features in LXC 1.0

https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/

Request Tracker

2015-05-29T11:25:52Z

Larena: Fix syntax of latest versions of postgresql-client utilities

This guide will get [http://bestpractical.com/rt/ Request Tracker] 4 setup working, with support for emails sent to an mlmmj mailing list to be inserted first into the ticket system, then sent on to mlmmj. It is intended for a HelpDesk-type deployment. This howto assumes that you have a working postfix setup already. 

Note: This document has been tested on Alpine Linux 2.2.2, but contains some packages which are currently in the [[Edge|edge/testing]] repository. 
Note: Use a computer with at least 512MB of RAM. 

== Initial package installation and setup ==

* add edge/main repository to /etc/apk/repositories
{{Cmd|printf "http://nl.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories
apk update}}
* {{Cmd|apk add lighttpd fcgi postgresql rt4 postfix postfix-pcre mlmmj}}
* Edit ''/etc/lighttpd/lighttpd.conf'' and enable fastcgi
* {{Cmd|/etc/init.d/postgresql setup}}
* {{Cmd|/etc/init.d/postgresql start}}
* {{Cmd|su - postgres -c "createuser -P rt_user"}}
Enter password for new role: '''''rtpass'''''
Enter it again: '''''rtpass'''''
Shall the new role be a superuser? (y/n) '''n'''
Shall the new role be allowed to create databases? (y/n) '''y'''
Shall the new role be allowed to create more new roles? (y/n) '''y'''

== Setup RT4 environment ==
* {{Cmd|cp /etc/rt4/RT_Config.pm /etc/rt4/RT_SiteConfig.pm}}
* {{Cmd|chmod 644 /etc/rt4/RT_SiteConfig.pm}}
* Setup RT_SiteConfig.pm with proper queue name, link to your organization's homepage, support postgresql, set outbound email defaults.
** /etc/rt4/RT_SiteConfig.pm:
Set($rtname, 'support');
Set($Organization, 'example.com');
Set($WebDomain, 'fqdn.in.example.com');
Set($OwnerEmail, 'RTAdmin@example.com');
Set($LogoLinkURL, 'http://www.example.com/');
Set($LogoAltText, 'Example.com Support');
# Set($LogoURL, '');

Set($DatabaseType, 'Pg');
Set($DatabaseUser, 'rt_user');
Set($DatabasePassword, 'rtpass');
Set($DatabaseName, 'support_rt');

Set($LogToSyslog, 'warning');

Set($MailCommand, 'sendmailpipe');
Set($SendmailArguments , '-fpostmaster@example.com -oi -t');
Set($ParseNewMessageForTicketCCs, 1);
Set($UseTransactionBatch, 1);
Set($CorrespondAddress, 'support@example.com');
Set($CommentAddress, 'support@example.com');
Set($RecordOutgoingEmail, 0);
Set($ForwardFromUser, 1);
Set($SetOutgoingMailFrom, 1);
Set($FriendlyFromLineFormat, '"%s" <%s>');
* {{Cmd|/usr/sbin/rt-setup-database --action init --dba postgres}}
* {{Cmd|rt-server}}
* Test and make sure that you can access rt using the built-in webserver first.
** Tools -> Config -> Users -> Create
** Username: Support-lists, Email: support-lists@example.com, etc -> Create
** Tools -> Config -> Groups -> Create
** Name: Support Users, etc -> Create
** Tools -> Configuration -> Queues -> Create... Give it a name like 'support', and set support-list@example.com to be both reply and comment addresses. Remember the name 'support' which you'll use in the next sections (including the email address)

== Modify Postfix Configuration for RT4 and mlmmj ==

* adduser mlmmj
* mkdir /var/spool/mlmmj
* mlmmj-make-ml.sh -L support-list
* Support sending bcc to list
** touch /var/spool/mlmmj/support-list/control/tocc
* Allow support@example.com to send to list without being subscribed to it
** mlmmj-sub -L /var/spool/mlmmj/support-list -a support@example.com -n
* Add to ''/etc/postfix/master.cf'':
rt4 unix - n n - - pipe flags=DORhu user=lighttpd argv=/usr/bin/rt-mailgate --queue $nexthop --action correspond --url http://fqdn.in.example.com/
mlmmj unix - n n - - pipe flags=DORhu user=mlmmj argv=/usr/bin/mlmmj-recieve -F -L /var/spool/mlmmj/$nexthop
* Add to ''/etc/postfix/main.cf'':
myhostname = mx1.example.com
mydomain = mx1.example.com
relay_domains = example.com
recipient_delimiter = +
transport_maps = hash:/etc/postfix/transport
* Create ''/etc/postfix/transport'' (and run "postmap transport" after editing):
support@example.com rt4:support
support-list@example.com mlmmj:support-list
postmaster@example.com local:
example.com error:No such mailbox.
* Edit ''/etc/postfix/aliases'' for the postmaster alias (and run "newaliases")
* Allow users to create tickets by email by checking all General Rights for group Everyone in Tools -> Configuration -> Global -> Group Rights

== Lighttpd configuration ==

* Stop rt-server
* /etc/lightttpd/lighttpd.conf:
include "rt4.conf"
* /etc/lighttpd/rt4.conf:
server.modules += ("mod_fastcgi")

$HTTP["host"] == "fqdn.in.example.com" {
server.document-root = "/usr/share/rt4/html"
index.file-names = ( "index.html" )

fastcgi.server = ( "/" =>
((
"bin-path" => "/usr/sbin/rt-server.fcgi",
"socket" => "/var/run/lighttpd/rt4.socket",
"check-local" => "disable",
"fix-root-scriptname" => "enable"
)),
)
}
* {{Cmd|/etc/init.d/lighttpd start}}

== Final RT4 configuration ==

* Login to http://fqdn.in.example.com (your RT server)
** Add AdminCC for Support Users to support queue
** New template called 'Support Users Correspondence' (anyone you add to Support Users group will have their outbound email rewritten to 'Support Team' instead of their realname
{
my $output = undef;
my $groups = $Transaction->CreatorObj->OwnGroups();
while( my $group = $groups->Next ) {
my $queue = $Ticket->QueueObj;
my $realname = $queue->Description;
my $email = $queue->CorrespondAddress || RT->Config->Get('CorrespondAddress');
$output = 'From: "' . $realname . '" <' . $email . '>' if $group->Name eq 'Support Team';
}
$output;
}
RT-Attach-Message: yes

{$Transaction->Content()}
** Edit Resolved template and add the following to the end:
{
my $old_user = $Ticket->CurrentUser;
$Ticket->CurrentUser( $RT::SystemUser );
my $batch = $Ticket->TransactionBatch;
my $comment;
if( !$batch || !ref($batch) ) {
$RT::Logger->info("TransactionBatch stage is disabled,
fallback to last comment.
Turn on TransactionBatch stages for acurate results.");
my $transactions = $Ticket->Transactions;
$transactions->Limit( FIELD => 'Type', VALUE => 'Comment' );
$transactions->OrderByCols( { FIELD => 'Created',
ORDER => 'DESC' },
{ FIELD => 'id',
ORDER => 'DESC' } );
$transactions->RowsPerPage(1);
$comment = $transactions->First;
} else {
$comment = (grep { ($_->Type eq 'Comment')? 1: 0;} @$batch)[0];
}
$OUT = " ";
if ( $comment ) {
$OUT = "Resolution:\n";
$OUT .= ("-"x76) ."\n";
$OUT .= $comment->Content;
}
$Ticket->CurrentUser( $old_user );
}
* Test that inbound and outbound emails, creating tickets by email and replying to ticket emails works as expected:
** Emails from end-users should be sent to support@example.com
** Those emails are either created as a new ticket in RT, or if the subject line contains a ticket ID, then it's inserted into the appropriate ticket
** Ticket comments and correspondence will be sent on to support-list@example.com, which is an mlmmj list, which can be subscribed to using support-list+subscribe@example.com
** The RT4 web interface is available at http://fqdn.in.example.com

[[Category:Mail]]
[[Category:Server]]
[[Category:Programming]]

== Upgrading RT ==
Upgrading the web interfaces should be easy as upgrading any Alpine package
{{Cmd|apk add -u rt4}}
Now upgrade the database:
{{Cmd|rt-setup-database --dba postgres --datadir /etc/rt4/upgrade --action upgrade}}
Answers to the questions asked.

OwnCloud

2015-02-09T13:02:35Z

Larena: sqlite installation is good

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2015-02-09T12:42:56Z

Larena: install php-cgi with lighty

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd php-cgi}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2015-01-23T08:37:05Z

Larena: Add run-from-RAM settings and note about php-fpm children

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

If you are running-from-RAM and you're dealing with large files you might need to move the FastCGI temp file from /tmp to /var/tmp or to a directory that is mounted on hdd
<pre>
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

{{Note|If you are serving serveral users make sure to tune the *''children'' settings in /etc/php/php-fpm.conf}}

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

How-To Alpine Wall

2014-09-17T07:08:28Z

Larena: Add port-forwarding to a different port

{{Draft}}

= General =
Purpose of this doc is to illustrate Alpine Wall ({{pkg|AWall}}) by examples. 
We will explain {{pkg|AWall}} from the viewpoint of a Shorewall user. 

{{pkg|AWall}} is available since Alpine v2.4. 
Please see [[Alpine_Wall_User's_Guide]] for details about the syntax.

Some of the below features and examples assumes that you are running {{pkg|AWall}} version 0.2.12 or later. 
Make sure you are running latest version by running the following commands:
{{cmd|apk update
apk add -u awall
apk version awall}}

== Structure ==
Your {{pkg|AWall}} firewall configuration file(s) goes to {{Path|/etc/awall/optional}} 
Each such file is called ''Policy''. 
{{note| {{pkg|AWall}} versions prior 0.2.12 will only look for ''Policy'' files in {{Path|/usr/share/awall/optional}}. From version 0.2.12 and higher, {{pkg|AWall}} will look for ''Policy'' files in both {{Path|/etc/awall/optional}} and {{Path|/usr/share/awall/optional}}}}
You may have multiple ''Policy'' files ''(it is useful to have separate files for eg. HTTP,FTP and other roles)''. 
The ''Policy(s)'' can be enabled or disabled by using the "awall [enable|disable]" command.
{{note|{{pkg|AWall}}'s ''Policy'' files are not equivalent to Shorewalls {{Path|/etc/shorewall/policy}} file.}}
An {{pkg|AWall}} ''Policy'' can contain definitions of:
* variables ''(like {{Path|/etc/shorewall/params}})''
* zones ''(like {{Path|/etc/shorewall/zones}})''
* interfaces ''(like {{Path|/etc/shorewall/interfaces}})''
* policies ''(like {{Path|/etc/shorewall/policy}})''
* filters and NAT rules ''(like {{Path|/etc/shorewall/rules}})''
* services ''(like {{Path|/usr/share/shorewall/macro.HTTP}})''

== Prerequisites ==
After installing {{pkg|AWall}}, you need to load the following iptables modules:
{{cmd|modprobe ip_tables
modprobe iptable_nat #if NAT is used}}

This is needed only the first time, after {{pkg|AWall}} installation.

Make the firewall autostart at boot and autoload the needed modules:
{{cmd|rc-update add iptables}}

= A Basic Home Firewall =
We will give a example on how you can convert a "Basic home firewall" from Shorewall to {{pkg|AWall}}.

== Example firewall using Shorewall ==
Let's suppose you have the following Shorewall configuration:

'''/etc/shorewall/zones'''
<pre>
inet ipv4
loc ipv4
</pre>

'''/etc/shorewall/interfaces'''
<pre>
inet eth0
loc eth1
</pre>

'''/etc/shorewall/policy'''
<pre>
fw all ACCEPT
loc inet ACCEPT
all all DROP
</pre>

'''/etc/shorewall/masq'''
<pre>
eth0 0.0.0.0/0
</pre>

== Example firewall using AWall ==
Now we will configure {{pkg|AWall}} to do the same thing as we just did with the above Shorewall example.

Create a new file called {{Path|/etc/awall/optional/test-policy.json}} and add the following content to the file. 
{{Tip|You could call it something else as long as you save it in {{Path|/etc/awall/optional/}} and name it {{Path|???'''.json'''}})}}
<pre>
{
"description": "Home firewall",

"zone": {
"inet": { "iface": "eth0" },
"loc": { "iface": "eth1" }
},

"policy": [
{ "in": "_fw", "action": "accept" },
{ "in": "loc", "out": "inet", "action": "accept" }
],

"snat": [
{ "out": "inet" }
]
}
</pre>
The above configuration will:
* Create a description of your ''Policy''
* Define ''zones''
* Define ''policy''
* Define ''snat'' ''(to masqurade the outgoing traffic)''
{{Note|''snat'' means "source NAT". It does not mean "static NAT".}}
{{Tip| {{pkg|AWall}} has a built-in zone named "_fw" which is the "firewall itself". This corresponds to the Shorewall "fw" zone.}}

=== Activating/Applying a Policy ===
After saving the ''Policy'' you can run the following commands to activate your firewall settings:
{{cmd|awall list # Listing available 'Policy(s)' (This step is optional)
awall enable test-policy # Enables the 'Policy'
awall activate # Genereates firewall configuration from the 'Policy' files and enables it (starts the firewall)}}

If you have multiple policies, after enabling or disabling them, you need to always run ''awall activate'' in order to update the iptables rules.

= Advanced Firewall settings =
Assuming you have your {{Path|/etc/awall/optional/test-policy.json}} with your "Basic home firewall" settings, you could choose to modify that file to test the below examples.
{{tip|You could create new files in {{Path|/etc/awall/optional/}} for testing some of the below examples}}

== Logging ==
{{pkg|AWall}} will ''(since v0.2.7)'' automatically log dropped packets. 
You could add the following row to the "policy" section in your ''Policy'' file in order to see the dropped packets.
<pre>{ "in": "inet", "out": "loc", "action": "drop" }</pre>
{{Note|If you are using Alpine 2.4 repository ({{pkg|AWall}} v0.2.5 or below), you should use <code>"action": "logdrop"</code> in order to log dropped packets .}}
{{Note|If you are adding the above content to an already existing file, then make sure you add "," signs where they are needed!}}

== Port-Forwarding ==
Let's suppose you have a local web server (192.168.1.10) that you want to make accessible from the "inet". 
With Shorewall you would have a rule like this in your {{Path|/etc/shorewall/rules}}:
<pre>
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) DEST
DNAT inet loc:192.168.1.10 tcp 80
</pre>

Lets configure our {{pkg|AWall}} ''Policy'' file likewise by adding the following content.
<pre>
"variable": {
"APACHE": "192.168.1.10",
"STATIC_IP": "1.2.3.4"
},

"filter": [
{ "in": "inet",
"dest": "$STATIC_IP",
"service": "http",
"action": "accept",
"dnat": "$APACHE"
}
]
</pre>
As you can see in the above example, we create a
* "variable" section where we specify some IP-addresses
* "filter" section where we do the actual port-forwarding (using the variables we just created and using some preexisting "services" definitions)
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}
{{Tip|{{pkg|AWall}} already has a "service" definition list for several services like HTTP, FTP, SNMP, etc. ''(see {{Path|/usr/share/awall/mandatory/services.json}})''}}

If you need to forward to a different port (e.g. 8080) you can do:

<pre>
"dnat": [
{"in": "inet", "dest": "$STATIC_IP", "to-addr": "$APACHE", "service": "http", "to-port": 8080 }
]
</pre>

== Create your own service definitions ==
You can add your own service definitions into your ''Policy'' files:
<pre>
"service": {
"openvpn": { "proto": "udp", "port": 1194 }
}
</pre>
{{Note|You can not override a "service" definition that comes from {{Path|/usr/share/awall/mandatory/services.json}} }}
{{Note|If you are adding the above content to a already existing file, then make sure you add "," signs where they are needed!}}

== Inherit services or variables ==
You can import a ''Policy'' into other ''Policy'' files for inheriting services or variables definitions:
<pre>
"import": "myfirewall"
</pre>

== Specify load order ==
By default policies are loaded on alphabetical order. 
You can change the load order with the keywords "before" and "after":
<pre>
"before": "myfirewall"
"after": "someotherpolicy"
</pre>

= Other =
== Help and debugging ==
If you end up in some kind of trouble, you might find some commands useful when debugging:
{{cmd|awall # (With no parameters) Shows some basic help about awall application
iptables -L -n # Show what's in <code>iptables</code>}}

[[Category:Networking]]
[[Category:Security]]

Dynamic Multipoint VPN (DMVPN)

2014-08-16T21:26:22Z

Larena: update on Alpine version supported

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, firewall, etc.). [[Small Office Services]] offers additional services such as DHCP for clients, http proxying, and a basic SIP telephone system.

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 3.0 has also a Musl issue in getprotobyname(). Alpine 2.7.x has been thoroughly tested and 3.0.3 hasn't shown any issue so far.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Boot Alpine USB ==
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

== Alpine Setup ==
We will setup the network interfaces as follows:

{|class="wikitable"
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|bond0.3
|Management
|10.1.0.129/26
|-
|bond0.101
|LAN
|10.1.0.0/25
|-
|bond0.256
|Internet from ISP1
|Allocated from ISP
|-
|bond0.257
|Internet from ISP2
|Allocated from ISP
|-
|bond0.620
|Transit between wifi proxy and dmvpn spoke node
|10.1.0.252/30
|-
|bond0.701
|WiFi clients (no access to DMVPN network)
|172.17.48.0/24
|-
|bond0.1101
|Voice
|10.2.0.0/24
|}

{{Cmd|setup-alpine}}

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.101'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.101? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.101 configuration for bond0.620, bond0.701, bond0.1101, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Networking ==
Update the networking configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
...

auto bond0.101
iface bond0.101 inet static
address 10.1.0.1
netmask 255.255.255.192

auto bond0.620
iface bond0.620 inet static
address 10.1.0.253
netmask 255.255.255.252

auto bond0.701
iface bond0.101 inet static
address 172.17.48.1
netmask 255.255.255.0

auto bond0.1101
iface bond0.101 inet static
address 10.2.0.1
netmask 255.255.255.0

auto bond0.256
iface bond0.256 inet static
address <%ISP1_IP_ADDRESS%>
netmask <%ISP1_NETMASK%>

auto bond0.257
iface bond0.257 inet static
address <%ISP2_IP_ADDRESS%>
netmask <%ISP2_NETMASK%>
}}

== Bonding ==
Update the bonding configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add <code>bond-mode</code>, <code>bond-miimon</code> and <code>bond-updelay</code> parameters to the <code>bond0</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100
bond-updelay 500
...
}}

Bring up the new bonding settings:

{{Cmd|ifdown bond0
ifup bond0}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== NTP server ==
In order to have attached devices syncing their time agains this host, we need to do some modifications to chrony config. 
Add '<code>allow all</code>' to the end of the '<code>/etc/chrony/chrony.conf</code>' so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

Restart chronyd for the changes to take effect
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>''' (see [[Dynamic_Multipoint_VPN_%28DMVPN%29#Extract_Certificates|instructions above]] for command).

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination

interface bond0.620
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|<nowiki>#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
</nowiki>}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF": "bond0.8",
"C_IF": "bond0.64",
"DE_IF": "bond0.620",
"ISP1_IF": "bond0.256",
"ISP2_IF": "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" },
"DE": { "iface": "$DE_IF" }

},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "DE", "out": "E", "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
},

{
"out": "DE",
"service": [ "ssh", "http", "https", "ping" ],
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate -f
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
<pre>
echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n>> /etc/iproute2/rt_tables
</pre>

Add the following "up" commands:
{{cat|/etc/network/interfaces|
auto gre1
...
up ip rule add lookup nhrp_shortcut pref 11000
up ip rule add lookup quagga pref 11001
up ip rule add lookup nhrp_mtu pref 11999
}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

<pre>
#!/bin/sh
case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
</pre>

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}

Dynamic Multipoint VPN (DMVPN)

2014-08-16T21:20:14Z

Larena: formatting fix

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, firewall, etc.). [[Small Office Services]] offers additional services such as DHCP for clients, http proxying, and a basic SIP telephone system.

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Boot Alpine USB ==
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

== Alpine Setup ==
We will setup the network interfaces as follows:

{|class="wikitable"
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|bond0.3
|Management
|10.1.0.129/26
|-
|bond0.101
|LAN
|10.1.0.0/25
|-
|bond0.256
|Internet from ISP1
|Allocated from ISP
|-
|bond0.257
|Internet from ISP2
|Allocated from ISP
|-
|bond0.620
|Transit between wifi proxy and dmvpn spoke node
|10.1.0.252/30
|-
|bond0.701
|WiFi clients (no access to DMVPN network)
|172.17.48.0/24
|-
|bond0.1101
|Voice
|10.2.0.0/24
|}

{{Cmd|setup-alpine}}

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.101'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.101? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.101 configuration for bond0.620, bond0.701, bond0.1101, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Networking ==
Update the networking configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
...

auto bond0.101
iface bond0.101 inet static
address 10.1.0.1
netmask 255.255.255.192

auto bond0.620
iface bond0.620 inet static
address 10.1.0.253
netmask 255.255.255.252

auto bond0.701
iface bond0.101 inet static
address 172.17.48.1
netmask 255.255.255.0

auto bond0.1101
iface bond0.101 inet static
address 10.2.0.1
netmask 255.255.255.0

auto bond0.256
iface bond0.256 inet static
address <%ISP1_IP_ADDRESS%>
netmask <%ISP1_NETMASK%>

auto bond0.257
iface bond0.257 inet static
address <%ISP2_IP_ADDRESS%>
netmask <%ISP2_NETMASK%>
}}

== Bonding ==
Update the bonding configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add <code>bond-mode</code>, <code>bond-miimon</code> and <code>bond-updelay</code> parameters to the <code>bond0</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100
bond-updelay 500
...
}}

Bring up the new bonding settings:

{{Cmd|ifdown bond0
ifup bond0}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== NTP server ==
In order to have attached devices syncing their time agains this host, we need to do some modifications to chrony config. 
Add '<code>allow all</code>' to the end of the '<code>/etc/chrony/chrony.conf</code>' so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

Restart chronyd for the changes to take effect
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>''' (see [[Dynamic_Multipoint_VPN_%28DMVPN%29#Extract_Certificates|instructions above]] for command).

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination

interface bond0.620
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|<nowiki>#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
</nowiki>}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF": "bond0.8",
"C_IF": "bond0.64",
"DE_IF": "bond0.620",
"ISP1_IF": "bond0.256",
"ISP2_IF": "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" },
"DE": { "iface": "$DE_IF" }

},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "DE", "out": "E", "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
},

{
"out": "DE",
"service": [ "ssh", "http", "https", "ping" ],
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate -f
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
<pre>
echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n>> /etc/iproute2/rt_tables
</pre>

Add the following "up" commands:
{{cat|/etc/network/interfaces|
auto gre1
...
up ip rule add lookup nhrp_shortcut pref 11000
up ip rule add lookup quagga pref 11001
up ip rule add lookup nhrp_mtu pref 11999
}}

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

<pre>
#!/bin/sh
case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
</pre>

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}

Dynamic Multipoint VPN (DMVPN)

2014-08-16T21:18:17Z

Larena: add ip rules for routing tables

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, firewall, etc.). [[Small Office Services]] offers additional services such as DHCP for clients, http proxying, and a basic SIP telephone system.

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Boot Alpine USB ==
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

== Alpine Setup ==
We will setup the network interfaces as follows:

{|class="wikitable"
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|bond0.3
|Management
|10.1.0.129/26
|-
|bond0.101
|LAN
|10.1.0.0/25
|-
|bond0.256
|Internet from ISP1
|Allocated from ISP
|-
|bond0.257
|Internet from ISP2
|Allocated from ISP
|-
|bond0.620
|Transit between wifi proxy and dmvpn spoke node
|10.1.0.252/30
|-
|bond0.701
|WiFi clients (no access to DMVPN network)
|172.17.48.0/24
|-
|bond0.1101
|Voice
|10.2.0.0/24
|}

{{Cmd|setup-alpine}}

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.101'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.101? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.101 configuration for bond0.620, bond0.701, bond0.1101, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Networking ==
Update the networking configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
...

auto bond0.101
iface bond0.101 inet static
address 10.1.0.1
netmask 255.255.255.192

auto bond0.620
iface bond0.620 inet static
address 10.1.0.253
netmask 255.255.255.252

auto bond0.701
iface bond0.101 inet static
address 172.17.48.1
netmask 255.255.255.0

auto bond0.1101
iface bond0.101 inet static
address 10.2.0.1
netmask 255.255.255.0

auto bond0.256
iface bond0.256 inet static
address <%ISP1_IP_ADDRESS%>
netmask <%ISP1_NETMASK%>

auto bond0.257
iface bond0.257 inet static
address <%ISP2_IP_ADDRESS%>
netmask <%ISP2_NETMASK%>
}}

== Bonding ==
Update the bonding configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add <code>bond-mode</code>, <code>bond-miimon</code> and <code>bond-updelay</code> parameters to the <code>bond0</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100
bond-updelay 500
...
}}

Bring up the new bonding settings:

{{Cmd|ifdown bond0
ifup bond0}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== NTP server ==
In order to have attached devices syncing their time agains this host, we need to do some modifications to chrony config. 
Add '<code>allow all</code>' to the end of the '<code>/etc/chrony/chrony.conf</code>' so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

Restart chronyd for the changes to take effect
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>''' (see [[Dynamic_Multipoint_VPN_%28DMVPN%29#Extract_Certificates|instructions above]] for command).

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination

interface bond0.620
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|<nowiki>#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
</nowiki>}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF": "bond0.8",
"C_IF": "bond0.64",
"DE_IF": "bond0.620",
"ISP1_IF": "bond0.256",
"ISP2_IF": "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" },
"DE": { "iface": "$DE_IF" }

},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "DE", "out": "E", "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
},

{
"out": "DE",
"service": [ "ssh", "http", "https", "ping" ],
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate -f
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
<pre>
echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n>> /etc/iproute2/rt_tables
</pre>

Add the following commands into /etc/network/interfaces:
<pre>
auto gre1
...
up ip rule add lookup nhrp_shortcut pref 11000
up ip rule add lookup quagga pref 11001
up ip rule add lookup nhrp_mtu pref 11999
</pre>

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

<pre>
#!/bin/sh
case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
</pre>

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}

OwnCloud

2014-08-05T20:10:18Z

Larena:

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2014-08-05T20:07:43Z

Larena: /* Publish owncloud */

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== Publish owncloud (Lighttpd only) ===
Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2014-08-05T20:06:54Z

Larena: /* Configure */

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== Publish owncloud ===
Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2014-08-05T20:06:00Z

Larena: /* Additional packages */

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== Publish owncloud ===
Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor, documents and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

OwnCloud

2014-08-05T20:04:46Z

Larena: add nginx setup

[http://owncloud.org/ ownCloud] is WedDAV-based solution for storing and sharing on-line your data, files, images, video, music, calendars and contacts. You can have your ownCloud instance up and running in 5 minutes with Alpine!

= Installation =
{{pkg|ownCloud}} is available from Alpine 2.5 and greater.

Before you start installing anything, make sure you have latest packages available. Make sure you are using a 'http' repository in your {{path|/etc/apk/repositories}} and then run:
{{cmd|apk update}}
{{tip|Detailed information is found in [[Include:Upgrading_to_latest_release|this]] doc.}}

== Database ==
First you have to decide which database to use. Follow one of the below database alternatives.
=== sqlite ===
All you need to do is to install the package
{{cmd|apk add owncloud-sqlite}}
{{warning|{{pkg|sqlite}}+{{pkg|owncould}} is known to have some problem, so do not expect it work. This note should be removed when {{pkg|sqlite}}+{{pkg|owncould}} works. ''(Still a problem at 2012-11-15)'' ''(Seems to work OK 2013-05-27)''}}

=== postgresql ===
Install the package
{{cmd|apk add owncloud-pgsql}}

Next thing is to configure and start the database
{{cmd|/etc/init.d/postgresql setup
/etc/init.d/postgresql start}}

Next you need to create a user, and temporary grant CREATEDB privilege.
{{cmd|psql -U postgres
CREATE USER mycloud WITH PASSWORD 'test123';
ALTER ROLE mycloud CREATEDB;
\q}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

=== mysql ===
Install the package
{{cmd|apk add owncloud-mysql mysql-client}}

Now configure and start {{pkg|mysql}}
{{cmd|/etc/init.d/mysql setup
/etc/init.d/mysql start
/usr/bin/mysql_secure_installation}}
Follow the wizard to setup passwords etc.
{{Note|Remember the usernames/passwords that you set using the wizard, you will need them later.}}

Next you need to create a user, database and set permissions.
{{cmd|mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';
FLUSH PRIVILEGES;
EXIT}}
{{Note|Replace the above username 'mycloud' and password 'test123' to something secure. Remember these settings, you will need them later when setting up owncloud.}}

{{pkg|mysql-client}} is not needed anymore. Let's uninstall it:
{{cmd|apk del mysql-client}}

== Webserver ==
Next thing is to choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter when working with large files will consume a lot of memory (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install any other webserver of your choice as long as it supports PHP and FastCGI. We're not explaining how to generate an SSL certificate for your webserver.

=== Nginx ===
Install the needed packages
{{cmd|apk add nginx php-fpm}}

'''Remove/comment''' any section like this in
{{cat|/etc/nginx/nginx.conf|
server {
listen ...
}
}}

Include the following directive in
{{cat|/etc/nginx/nginx.conf|
http {
...
include /etc/nginx/sites-enabled/*;
...
}}

Create a directory for your websites
{{cmd|mkdir /etc/nginx/sites-available}}

Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com
<pre>
server {
#listen [::]:80; #uncomment for IPv6 support
listen 80;
return 301 https://$host$request_uri;
server_name mysite.mydomain.com;
}

server {
#listen [::]:443 ssl; #uncomment for IPv6 support
listen 443 ssl;
server_name mysite.mydomain.com;

root /var/www/vhosts/mysite.mydomain.com/www;
index index.php index.html index.htm;
disable_symlinks off;

ssl_certificate /etc/ssl/cert.pem;
ssl_certificate_key /etc/ssl/key.pem;

ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;

#Enable Perfect Forward Secrecy and ciphers without known vulnerabilities
#Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)
#ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;
#ssl_prefer_server_ciphers on;

location / {
try_files $uri $uri/ /index.html;
}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
#fastcgi_pass unix:/var/run/php-fpm/socket;
fastcgi_index index.php;
include fastcgi.conf;
}
}
</pre>

Set user and group for php-fpm in /etc/php/php-fpm.conf
<pre>
...
user = nginx
group = www-data
...
</pre>

Make nginx user member of www-data group
{{cmd|addgroup nginx www-data}}

Enable your website
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}

Start services
{{cmd|rc-service php-fpm start
rc-service nginx start}}

=== Lighttpd ===
Install the package
{{cmd|apk add lighttpd}}

Make sure you have FastCGI enabled in {{pkg|lighttpd}}:
{{cat|/etc/lighttpd/lighttpd.conf|...
include "mod_fastcgi.conf"
...}}

Start up the webserver
{{cmd|/etc/init.d/lighttpd start}}

{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}

=== Publish owncloud ===
Link {{pkg|owncloud}} installation to web server directory:
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs/owncloud}}

== Other settings ==
=== Hardening ===
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database is stored)'' so it looks something like this:
{{cat|/etc/lighttpd/lighttpd.conf|...
url.access-deny {{=}} ("~", ".inc", "config.php")
...}}
Restart {{pkg|lighttpd}} to activate the changes
{{cmd|/etc/init.d/lighttpd restart}}

=== Additional packages ===
Some large apps, such as texteditor and videoviewer are in separate package:
{{cmd|apk add owncloud-texteditor owncloud-videoviewer}}

= Configure and use ownCloud =
== Configure ==
Point your browser at <code><nowiki>http://<%MY_SERVER_IP%>/owncloud</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.

== Hardening postgresql ==
If you have chosen PGSQL backend, revoke CREATEDB privilege from 'mycloud' user:
{{cmd|psql -U postgres
ALTER ROLE mycloud NOCREATEDB;
\q}}

== Increase upload size ==
Default configuration for php is limited to 2Mb file size. You might want to increase that size by editing the {{path|/etc/php/php.ini}} and change the following values to something that suits you:
<pre>
upload_max_filesize = 2M
post_max_size = 8M
</pre>

== Clients ==
There are clients available for many platforms, Android included:
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''
* http://owncloud.org/support/android/ ''(Android client)''

[[Category:Server]]

Owncloud

2014-08-05T19:09:08Z

Larena: deprecated info

#REDIRECT [[OwnCloud]]

OwnCloud

2014-07-30T17:12:18Z

Larena: remove folder permission section

Dynamic Multipoint VPN (DMVPN)

2014-07-26T15:30:08Z

Larena: fix route tables creation

http://alpinelinux.org/about under '''Why the Name Alpine?''' states: [ref?]

''The first open-source implementation of Cisco's DMVPN, called OpenNHRP, was written for Alpine Linux.''

So the aim of this document is to be the reference Linux DMVPN setup, with all the networking services needed for the clients that will use the DMVPN (DNS, firewall, etc.). [[Small Office Services]] offers additional services such as DHCP for clients, http proxying, and a basic SIP telephone system.

= Terminology =
;NBMA: ''Non-Broadcast Multi-Access'' network as described in [http://tools.ietf.org/html/rfc2332 RFC 2332]

;Hub: the ''Next Hop Server'' (NHS) performing the Next Hop Resolution Protocol service within the NBMA cloud.

;Spoke: the ''Next Hop Resolution Protocol Client'' (NHC) which initiates NHRP requests of various types in order to obtain access to the NHRP service.

{{Tip|At the time of this writing the recommended Alpine version for building a DMVPN should be at minimum 2.4.11. Don't use 2.5.x, or 2.6.0 since the kernel has in-tunnel IP fragmentation issues. Alpine 2.6.1 or later should be okay instead.}}

{{Note|This document assumes that all Alpine installations are run in [[Installation#Basics|diskless mode]] and that the configuration is saved on USB key}}

= Hardware =
If you are looking for hundreds of megabits of throughput for your VPN with a limited budget, you should consider using [http://www.via.com.tw/en/initiatives/padlock/hardware.jsp VIA Padlock] engine present in VIA processor C7, Eden, Nano and Quad. If you need gigabits throughput you should go instead for an Intel Xeon processor with [http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni AES-NI] and [http://software.intel.com/en-us/articles/intel-sha-extensions SHA Extensions]

For supporting VIA Padlock engine enable its modules:

{{Cmd|echo -e "padlock_aes\npadlock-sha" >> /etc/modules}}

= Extract Certificates =
We will use certificates for DMVPN and for OpenVPN (RoadWarrior clients). If you are in need to generate your own certificates, please see [[Generating_SSL_certs_with_ACF]]. You should use a separate machine for this purpose. If you downloaded the certificates on a Windows machine, you may use [http://winscp.net/eng/download.php WinSCP] to copy them on the DMVPN box.

Here are the general purpose instruction for extracting certificates from pfx files:

{{Cmd|openssl pkcs12 -in cert.pfx -cacerts -nokeys -out cacert.pem
openssl pkcs12 -in cert.pfx -nocerts -nodes -out serverkey.pem
openssl pkcs12 -in cert.pfx -nokeys -clcerts -out cert.pem
}}

Set appropriate permission for your certificate files:

{{Cmd|chmod 600 *.pem *.pfx}}

= Spoke Node =
A local spoke node network has support for multiple ISP connections, along with redundant layer 2 switches. At least one 802.1q capable switch is required, and a second is optional for redundancy purposes. The typical spoke node network looks like:

[[File:DMVPN-Spoke.png]]

== Boot Alpine USB ==
Follow the instructions on http://wiki.alpinelinux.org/wiki/Create_a_Bootable_USB about how to create a bootable USB.

== Alpine Setup ==
We will setup the network interfaces as follows:

{|class="wikitable"
!'''Interface'''
!'''Description'''
!'''Subnet'''
|-
|bond0.3
|Management
|10.1.0.129/26
|-
|bond0.101
|LAN
|10.1.0.0/25
|-
|bond0.256
|Internet from ISP1
|Allocated from ISP
|-
|bond0.257
|Internet from ISP2
|Allocated from ISP
|-
|bond0.620
|Transit between wifi proxy and dmvpn spoke node
|10.1.0.252/30
|-
|bond0.701
|WiFi clients (no access to DMVPN network)
|172.17.48.0/24
|-
|bond0.1101
|Voice
|10.2.0.0/24
|}

{{Cmd|setup-alpine}}

{|class="wikitable"
!'''You will be prompted something like this...'''
!'''Suggestion on what you could enter...'''
|-
|<code>Select keyboard layout [none]:</code>
|''Type an appropriate layout for you''
|-
|<code>Select variant:</code>
|''Type an appropriate layout for you (if prompted)''
|-
|<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code>
|''Enter the hostname, e.g.'' '''vpnc'''
|-
|<code>Available interfaces are: eth0 Enter '?' for help on bridges, bonding and vlans. Which one do you want to initialize? (or '?' done')</code>
|''Enter'' '''bond0.101'''
|-
|<code>Available bond slaves are: eth0 eth1 Which slave(s) do you want to add to bond0? (or 'done') [eth0]</code>
|'''eth0 eth1'''
|-
|<code>IP address for bond0? (or 'dhcp', 'none', '?') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>IP address for bond0.101? (or 'dhcp', 'none', '?') [dhcp]:</code>
|''Enter the IP address of your LAN interface, e.g.'' '''10.1.0.1'''
|-
|<code>Netmask? [255.255.255.0]:</code>
|''Press Enter confirming '255.255.255.0' or type another appropriate subnet mask''
|-
|<code>Gateway? (or 'none') [none]:</code>
|''Press Enter confirming 'none'''
|-
|<code>Do you want to do any manual network configuration? [no]</code>
|'''yes'''
|-
|''Make a copy of the bond0.101 configuration for bond0.620, bond0.701, bond0.1101, bond0.256 and bond0.257 (optional) interfaces. Don't forget to add a gateway and a metric value for ISP interfaces when multiple gateways are set. Save and close the file (:wq)''
|-
|<code>DNS domain name? (e.g. 'bar.com') []:</code>
|''Enter the domain name of your intranet, e.g.,'' '''example.net'''
|-
|<code>DNS nameservers(s)? []:</code>
|'''8.8.8.8 8.8.4.4''' (we will change them later)
|-
|<code>Changing password for root New password:</code>
|''Enter a secure password for the console''
|-
|<code>Retype password:</code>
|''Retype the above password''
|-
|<code>Which timezone are you in? ('?' for list) [UTC]:</code>
|''Press Enter confirming 'UTC'''
|-
|<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code>
|''Press Enter confirming 'none'''
|-
|<code>Enter mirror number (1-9) or URL to add (or r/f/e/done) [f]:</code>
|''Select a mirror close to you and press Enter''
|-
|<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]:</code>
|''Press Enter confirming 'openssh'''
|-
|<code>Which NTP client to run? ('openntpd', 'chrony' or 'none') [chrony]:</code>
|''Press Enter confirming 'chrony'''
|-
|<code>Which disk(s) would you like to use? (or '?' for help or 'none') [none]:</code>
|''Press Enter confirming 'none' or type 'none' if needed''
|-
|<code>Enter where to store configs ('floppy', 'usb' or 'none') [usb]:</code>
|''Press Enter confirming 'usb'''
|-
|<code>Enter apk cache directory (or '?' or 'none') [/media/usb/cache]:</code>
|''Press Enter confirming '/media/usb/cache'''
|}

== Networking ==
Update the networking configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add interfaces:

{{cat|/etc/network/interfaces|
...

auto bond0.101
iface bond0.101 inet static
address 10.1.0.1
netmask 255.255.255.192

auto bond0.620
iface bond0.620 inet static
address 10.1.0.253
netmask 255.255.255.252

auto bond0.701
iface bond0.101 inet static
address 172.17.48.1
netmask 255.255.255.0

auto bond0.1101
iface bond0.101 inet static
address 10.2.0.1
netmask 255.255.255.0

auto bond0.256
iface bond0.256 inet static
address <%ISP1_IP_ADDRESS%>
netmask <%ISP1_NETMASK%>

auto bond0.257
iface bond0.257 inet static
address <%ISP2_IP_ADDRESS%>
netmask <%ISP2_NETMASK%>
}}

== Bonding ==
Update the bonding configuration.

With your favorite editor open <code>/etc/network/interfaces</code> and add <code>bond-mode</code>, <code>bond-miimon</code> and <code>bond-updelay</code> parameters to the <code>bond0</code> stanza:

{{cat|/etc/network/interfaces|
auto bond0
iface bond0 inet manual
bond-slaves eth0 eth1
bond-mode balance-tlb
bond-miimon 100
bond-updelay 500
...
}}

Bring up the new bonding settings:

{{Cmd|ifdown bond0
ifup bond0}}

== Physically install ==
At this point, you're ready to connect the VPN Spoke Node to the network if you haven't already done so. Please set up an 802.1q capable switch with the VLANs listed in AlpineSetup section. Once done, tag all of the VLANs on one port. Connect that port to <code>eth0</code>. Then, connect your first ISP's CPE to a switchport with VLAN 256 untagged.

== SSH ==
Remove password authentication and DNS reverse lookup:

{{Cmd|sed -i "s/.PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/.UseDNS yes/UseDNS no/" /etc/ssh/sshd_config}}

Restart ssh:
{{Cmd|/etc/init.d/sshd restart}}

== NTP server ==
In order to have attached devices syncing their time agains this host, we need to do some modifications to chrony config. 
Add '<code>allow all</code>' to the end of the '<code>/etc/chrony/chrony.conf</code>' so the file looks something like this:

{{cat|/etc/chrony/chrony.conf|
server pool.ntp.org
initstepslew 10 pool.ntp.org
commandkey 10
keyfile /etc/chrony/chrony.keys
driftfile /etc/chrony/chrony.drift
allow all
}}

Restart chronyd for the changes to take effect
{{cmd|/etc/init.d/chronyd restart}}

== Recursive DNS ==
Install package(s):

{{Cmd|apk add -U unbound}}

With your favorite editor open <code>/etc/unbound/unbound.conf</code> and add the following configuration. If you have a domain that you want unbound to resolve but is internal to your network only, the stub-zone stanza is present:

{{cat|/etc/unbound/unbound.conf|
server:
verbosity: 1
interface: 10.1.0.1
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
do-daemonize: yes
access-control: 10.1.0.0/16 allow
access-control: 127.0.0.0/8 allow

do-not-query-localhost: no

root-hints: "/etc/unbound/root.hints"

stub-zone:
name: "location1.example.net"
stub-addr: 10.1.0.2

stub-zone:
name: "example.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7

stub-zone:
name: "example2.net"
stub-addr: 172.16.255.1
stub-addr: 172.16.255.2
stub-addr: 172.16.255.3
stub-addr: 172.16.255.4
stub-addr: 172.16.255.5
stub-addr: 172.16.255.7
}}

Start unbound and start using unbound on this host:

{{Cmd|/etc/init.d/unbound start
rc-update add unbound
echo nameserver 10.1.0.1 > /etc/resolv.conf}}

== GRE Tunnel ==
With your favorite editor open <code>/etc/network/interfaces</code> and add the following:

{{cat|/etc/network/interfaces|<nowiki>
auto gre1
iface gre1 inet static
pre-up ip tunnel add $IFACE mode gre ttl 64 tos inherit key 12.34.56.78 || true
address 172.16.1.1
netmask 255.255.0.0
post-down ip tunnel del $IFACE || true
</nowiki>}}

Bring up the new <code>gre1</code> interface:

{{Cmd|ifup gre1}}

== IPSEC ==
Install package(s):

{{Cmd|apk add ipsec-tools}}

With your favorite editor create <code>/etc/ipsec.conf</code> and set the content to the following:

{{cat|/etc/ipsec.conf|
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;
}}

Create missing directory:

{{Cmd|mkdir /etc/racoon/}}

Extract your pfx into <code>/etc/racoon</code>, using the filenames '''<code>ca.pem</code>''', '''<code>cert.pem</code>''', and '''<code>key.pem</code>''' (see [[Dynamic_Multipoint_VPN_%28DMVPN%29#Extract_Certificates|instructions above]] for command).

With your favorite editor create <code>/etc/racoon/racoon.conf</code> and set the content to the following:

{{cat|/etc/racoon/racoon.conf|
path certificate "/etc/racoon/";
remote anonymous {
exchange_mode main;
lifetime time 2 hour;
certificate_type x509 "/etc/racoon/cert.pem" "/etc/racoon/key.pem";
ca_type x509 "/etc/racoon/ca.pem";
my_identifier asn1dn;
nat_traversal on;
script "/etc/opennhrp/racoon-ph1dead.sh" phase1_dead;
dpd_delay 120;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group modp4096;
}
proposal {
encryption_algorithm aes 256;
hash_algorithm sha1;
authentication_method rsasig;
dh_group 2;
}
}

sainfo anonymous {
pfs_group 2;
lifetime time 2 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
}}

Edit <code>/etc/conf.d/racoon</code> and unset <code>RACOON_PSK_FILE</code>:

{{cat|/etc/conf.d/racoon|
...
RACOON_PSK_FILE{{=}}
...
}}

Start service(s):

{{Cmd|/etc/init.d/racoon start
rc-update add racoon}}

== Next Hop Resolution Protocol (NHRP) ==
Install package(s):

{{Cmd|apk add opennhrp}}

With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
dynamic-map 172.16.0.0/16 hub.example.com
shortcut
redirect
non-caching

interface bond0.8
shortcut-destination

interface bond0.64
shortcut-destination

interface bond0.620
shortcut-destination
}}

You must have a DNS A record ''<code>hub.example.com</code>'' for each hub node IP address.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and change the content to the following:

{{cat|/etc/opennhrp/opennhrp-script|<nowiki>#!/bin/sh

MYAS=$(sed -n 's/router bgp $\d*$/\1/p' < /etc/quagga/bgpd.conf)

case $1 in
interface-up)
echo "Interface $NHRP_INTERFACE is up"
if [ "$NHRP_INTERFACE" = "gre1" ]; then
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE

vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor core" \
-c "neighbor core peer-group"
fi
;;
peer-register)
;;
peer-up)
if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU
fi
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42
;;
nhs-up)
echo "NHS UP $NHRP_DESTADDR"
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "neighbor $NHRP_DESTADDR remote-as 65000" \
-c "neighbor $NHRP_DESTADDR peer-group core" \
-c "exit" \
-c "exit" \
-c "clear bgp $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
nhs-down)
(
flock -x 200
vtysh -d bgpd \
-c "configure terminal" \
-c "router bgp $MYAS" \
-c "no neighbor $NHRP_DESTADDR"
) 200>/var/lock/opennhrp-script.lock
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42
ip route flush cache
;;
esac

exit 0
</nowiki>}}

Make it executable and start service(s):

{{Cmd|chmod +x /etc/opennhrp/opennhrp-script
/etc/init.d/opennhrp start
rc-update add opennhrp}}

== BGP ==
Install package(s):

{{Cmd|apk add quagga
touch /etc/quagga/zebra.conf}}

With your favorite editor open <code>/etc/quagga/bgpd.conf</code> and change the content to the following (replace <code>strongpassword</code> with a password of your choice and <code>%HUB_GRE_IP%</code> with the '''Hub''' node GRE IP address):
* Add the line <code>neighbor %HUB_GRE_IP% remote-as 65000</code> for each '''Hub''' host you have in your NBMA cloud.

{{cat|/etc/quagga/bgpd.conf|
password strongpassword
enable password strongpassword
log syslog

access-list 1 remark Command line access authorized IP
access-list 1 permit 127.0.0.1
line vty
access-class 1

hostname vpnc.example.net

router bgp 65001
bgp router-id 172.16.1.1
network 10.1.0.0/16
neighbor %HUB_GRE_IP% remote-as 65000
neighbor %HUB_GRE_IP% remote-as 65000
...
}}

Start service(s):

{{Cmd|/etc/init.d/bgpd start
rc-update add bgpd}}

== OpenVPN ==
Install package(s):

{{Cmd|echo tun >> /etc/modules
modprobe tun
apk add openvpn openssl
openssl dhparam -out /etc/openvpn/dh1024.pem 1024}}

Configure openvpn:

{{cat|/etc/openvpn/openvpn.conf|
dev tun
proto udp
port 1194

server 10.1.128.0 255.255.255.0
push "route 10.0.0.0 255.0.0.0"
push "dhcp-option DNS 10.1.0.1"

tls-server
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/servercert.pem
key /etc/openvpn/serverkey.pem

crl-verify /etc/openvpn/crl.pem

dh /etc/openvpn/dh1024.pem

persist-key
persist-tun

keepalive 10 120

comp-lzo

status /var/log/openvpn.status
mute 20
verb 3
}}

Start service(s):

{{Cmd|/etc/init.d/openvpn start
rc-update add openvpn}}

== Firewall ==
Install package(s):

{{Cmd|apk add awall}}

Enable IP forwarding:

{{Cmd|sysctl -w net.ipv4.ip_forward{{=}}1
sed -i 's/.*net\.ipv4\.ip_forward.*$/net.ipv4.ip_forward {{=}} 1/g' /etc/sysctl.conf}}

With your favorite editor, edit the following files and set their contents as follows:

{{cat|/etc/awall/optional/params.json|
{
"description": "params",

"variable": {
"B_IF": "bond0.8",
"C_IF": "bond0.64",
"DE_IF": "bond0.620",
"ISP1_IF": "bond0.256",
"ISP2_IF": "bond0.257"
}
}
}}

{{cat|/etc/awall/optional/internet-host.json|
{
"description": "Internet host",

"import": "params",

"zone": {
"E": { "iface": [ "$ISP1_IF", "$ISP2_IF" ] },
"ISP1": { "iface": "$ISP1_IF" },
"ISP2": { "iface": "$ISP2_IF" }
},

"filter": [
{
"in": "E",
"service": "ping",
"action": "accept",
"flow-limit": { "count": 10, "interval": 6 }
},
{
"in": "E",
"out": "_fw",
"service": [ "ssh", "https" ],
"action": "accept",
"conn-limit": { "count": 3, "interval": 60 }
},

{
"in": "_fw",
"out": "E",
"service": [ "dns", "http", "ntp" ],
"action": "accept"
},
{
"in": "_fw",
"service": [ "ping", "ssh" ],
"action": "accept"
}
]
}
}}

{{cat|/etc/awall/optional/openvpn.json|
{
"description": "OpenVPN support",

"import": "internet-host",

"service": {
"openvpn": { "proto": "udp", "port": 1194 }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "openvpn", "action": "accept" }
]
}
}}

{{cat|/etc/awall/optional/clampmss.json|
{
"description": "Deal with ISPs afraid of ICMP",

"import": "internet-host",

"clamp-mss": [ { "out": "E" } ]
}
}}

{{cat|/etc/awall/optional/mark.json|
{
"description": "Mark traffic based on ISP",

"import": [ "params", "internet-host" ],

"route-track": [
{ "out": "ISP1", "mark": 1 },
{ "out": "ISP2", "mark": 2 }
]
}
}}

{{cat|/etc/awall/optional/dmvpn.json|
{
"description": "DMVPN router",

"import": "internet-host",

"variable": {
"A_ADDR": [ "10.0.0.0/8", "172.16.0.0/16" ]
},

"zone": {
"A": { "addr": "$A_ADDR", "iface": "gre1" }
},

"filter": [
{ "in": "E", "out": "_fw", "service": "ipsec", "action": "accept" },
{ "in": "_fw", "out": "E", "service": "ipsec", "action": "accept" },
{
"in": "E",
"out": "_fw",
"ipsec": "in",
"service": "gre",
"action": "accept"
},
{
"in": "_fw",
"out": "E",
"ipsec": "out",
"service": "gre",
"action": "accept"
},

{ "in": "_fw", "out": "A", "service": "bgp", "action": "accept" },
{ "in": "A", "out": "_fw", "service": "bgp", "action": "accept"},
{ "out": "E", "dest": "$A_ADDR", "action": "reject" }
]
}
}}

{{cat|/etc/awall/optional/vpnc.json|
{
"description": "VPNc",

"import": [ "params", "internet-host", "dmvpn" ],

"zone": {
"B": { "iface": "$B_IF" },
"C": { "iface": "$C_IF" },
"DE": { "iface": "$DE_IF" }

},

"policy": [
{ "in": "A", "action": "accept" },
{ "in": "B", "out": "A", "action": "accept" },
{ "in": "C", "out": [ "A", "E" ], "action": "accept" },
{ "in": "DE", "out": "E", "action": "accept" },
{ "in": "E", "action": "drop" },
{ "in": "_fw", "out": "A", "action": "accept" }
],

"snat": [
{ "out": "E" }
],

"filter": [
{
"in": "A",
"out": "_fw",
"service": [ "ping", "ssh", "http", "https" ],
"action": "accept"
},

{
"in": [ "B", "C" ],
"out": "_fw",
"service": [ "dns", "ntp", "http", "https", "ssh" ],
"action": "accept"
},

{
"in": "_fw",
"out": [ "B", "C" ],
"service": [ "dns", "ntp" ],
"action": "accept"
},

{
"in": [ "A", "B", "C" ],
"out": "_fw",
"proto": "icmp",
"action": "accept"
},

{
"out": "DE",
"service": [ "ssh", "http", "https", "ping" ],
"action": "accept"
}

]
}
}}

Activate the firewall:

{{Cmd|modprobe ip_tables
modprobe iptable_nat
awall enable clampmss
awall enable openvpn
awall enable vpnc
awall activate -f
rc-update add iptables}}

== ISP Failover ==
Install package(s):

{{Cmd|apk add pingu
echo -e "1\tisp1">> /etc/iproute2/rt_tables
echo -e "2\tisp2">> /etc/iproute2/rt_tables}}

Configure pingu to monitor our <code>bond0.256</code> and <code>bond0.257</code> interfaces in <code>/etc/pingu/pingu.conf</code>. Add the hosts to monitor for ISP failover to <code>/etc/pingu/pingu.conf</code> and bind to primary ISP. We also set the ping timeout to 4 seconds.:

{{cat|/etc/pingu/pingu.conf|
timeout 4
required 2
retry 11

interface bond0.256 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 1
fwmark 1
rule-priority 20000
# google dns
ping 8.8.8.8
# opendns
ping 208.67.222.222
}

interface bond0.257 {
# route-table must correspond with mark in /etc/awall/optional/mark.json
route-table 2
fwmark 2
rule-priority 20000
}
}}

Make sure we can reach the public IP from our LAN by adding static route rules for our private net(s). Edit <code>/etc/pingu/route-rules</code>:

{{cat|/etc/pingu/route-rules|
to 10.0.0.0/8 table main prio 1000
to 172.16.0.0/12 table main prio 1000
}}

Start service(s):

{{Cmd|/etc/init.d/pingu start
rc-update add pingu}}

Now, if both hosts stop responding to pings, ISP-1 will be considered down and all gateways via bond0.256 will be removed from main route table. Note that the gateway will not be removed from the route table '1'. This is so we can continue try ping via <code>bond0.256</code> so we can detect that the ISP is back online. When ISP starts working again, the gateways will be added back to main route table again.

== Commit Configuration ==
Commit configuration:

{{Cmd|lbu ci}}

= Hub Node =
We will document only what changes from the Spoke node setup.

== Routing Tables ==
{{Cmd|echo -e "42\tnhrp_shortcut\n43\tnhrp_mtu\n44\tquagga\n}} >> /etc/iproute2/rt_tables

== NHRP ==
With your favorite editor open <code>/etc/opennhrp/opennhrp.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/opennhrp/opennhrp.conf|
interface gre1
map %Hub1_GRE_IP%/%MaskBit% hub1.example.org
route-table 44
shortcut
redirect
non-caching
}}

Do the same on Hub 1 adding the data relative to Hub 2.

With your favorite editor open <code>/etc/opennhrp/opennhrp-script</code> and set the content as follows:

<pre>
#!/bin/sh
case $1 in
interface-up)
ip route flush proto 42 dev $NHRP_INTERFACE
ip neigh flush dev $NHRP_INTERFACE
;;
peer-register)
CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -t opennhrp-script -p auth.err "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi
logger -t opennhrp-script -p auth.info "GRE registration of $NHRP_DESTADDR to $NHRP_DESTNBMA authenticated"

(
flock -x 200

AS=`echo "$CERT" | grep "^AS=" | cut -b 4-`
vtysh -d bgpd -c "configure terminal" \
-c "router bgp 65000" \
-c "neighbor $NHRP_DESTADDR remote-as $AS" \
-c "neighbor $NHRP_DESTADDR peer-group leaf" \
-c "neighbor $NHRP_DESTADDR prefix-list net-$AS-in in"

SEQ=5
(echo "$CERT" | grep "^NET=" | cut -b 5-) | while read NET; do
vtysh -d bgpd -c "configure terminal" \
-c "ip prefix-list net-$AS-in seq $SEQ permit $NET le 26"
SEQ=$(($SEQ+5))
done
) 200>/var/lock/opennhrp-script.lock
;;
peer-up)
echo "Create link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
racoonctl establish-sa -w isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA || exit 1
racoonctl establish-sa -w esp inet $NHRP_SRCNBMA $NHRP_DESTNBMA gre || exit 1

CERT=`racoonctl get-cert inet $NHRP_SRCNBMA $NHRP_DESTNBMA | openssl x509 -inform der -text -noout | egrep -o "/OU=[^/]*(/[0-9]+)?" | cut -b 5-`
if [ -z "`echo "$CERT" | grep "^GRE=$NHRP_DESTADDR"`" ]; then
logger -p daemon.err "GRE mapping of $NHRP_DESTADDR to $NHRP_DESTNBMA DENIED"
exit 1
fi

if [ -n "$NHRP_DESTMTU" ]; then
ARGS=`ip route get $NHRP_DESTNBMA from $NHRP_SRCNBMA | head -1`
ip route add $ARGS proto 42 mtu $NHRP_DESTMTU table nhrp_mtu
fi
;;
peer-down)
echo "Delete link from $NHRP_SRCADDR ($NHRP_SRCNBMA) to $NHRP_DESTADDR ($NHRP_DESTNBMA)"
if [ "$NHRP_PEER_DOWN_REASON" != "lower-down" ]; then
racoonctl delete-sa isakmp inet $NHRP_SRCNBMA $NHRP_DESTNBMA
fi
ip route del $NHRP_DESTNBMA src $NHRP_SRCNBMA proto 42 table nhrp_mtu
;;
route-up)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is up"
ip route replace $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 via $NHRP_NEXTHOP dev $NHRP_INTERFACE table nhrp_shortcut
ip route flush cache
;;
route-down)
echo "Route $NHRP_DESTADDR/$NHRP_DESTPREFIX is down"
ip route del $NHRP_DESTADDR/$NHRP_DESTPREFIX proto 42 table nhrp_shortcut
ip route flush cache
;;
esac

exit 0
</pre>

== BGP ==
With your favorite editor open <code>/etc/quagga/bgpd.conf</code> on Hub 2 and set the content as follows:

{{cat|/etc/quagga/bgpd.conf|
password zebra
enable password zebra
log syslog

router bgp 65000
bgp router-id %Hub2_GRE_IP%
bgp deterministic-med
network %GRE_NETWORK%/%MASK_BITS%
neighbor hub peer-group
neighbor hub next-hop-self
neighbor hub route-map CORE-IN in
neighbor spoke peer-group
neighbor spoke passive
neighbor spoke next-hop-self
neighbor %Spoke1_GRE_IP% remote-as 65001
neighbor %Spoke1_GRE_IP% peer-group spoke
neighbor %Spoke1_GRE_IP% prefix-list net-65001-in in
...
...
...

neighbor hub remote-as 65000
neighbor %Hub1_GRE_IP% peer-group core

ip prefix-list net-65001-in seq 5 permit 10.1.0.0/16 le 26
...

route-map CORE-IN permit 10
set metric +100
}}

Add the lines <code>neighbor %Spoke1_GRE_IP%...</code> for each spoke node you have. Do the same on Hub 1, changing the relevant data for Hub 2.

= Troubleshooting the DMVPN =
== Broken [http://en.wikipedia.org/wiki/Path_MTU_Discovery Path MTU Discovery (PMTUD)] ==
ISPs afraid of ICMP (which is somehow legitimate) often just blindly add <code>no ip unreachables</code> in their router interfaces, effectively creating a [http://en.wikipedia.org/wiki/Black_hole_%28networking%29 blackhole router] that breaks PMTUD, since ICMP Type 3 Code 4 packets (Fragmentation Needed) are dropped. PMTUD is needed by ISAKMP that runs on UDP (TCP works because it uses CLAMPMSS).

For technical details see http://packetlife.net/blog/2008/oct/9/disabling-unreachables-breaks-pmtud/

PMTUD could also be broken due to badly configured DSL modem/routers or bugged firmware. Turning off the firewall on modem itself or any VPN passthrough functionality it may help.

You can easily detect which host is the blackhole router by pinging with DF bit set and with packets of standard MTU size, each hop given in your traceroute to destination:

{{Cmd|ping -M do -s 1472 %IP%}}
{{Note|"-M do" requires GNU ping, present in <code>iputils</code> package}}

If you don't get a response back (either Echo-Response or Fragmentation-Needed) there's firewall dropping ICMP packets. If it answers to normal ping packets (DF bit cleared), most likely you have hit a blackhole router.

== Kernel and NHRP Routing Cache Issues ==
{{Todo|...}}