Alpine Linux - User contributions [en]

Podman

2025-07-20T01:44:13Z

Liliace: Add how to get podman socket

[https://podman.io/ Podman] is a utility provided as part of the libpod library. It can be used to create and maintain containers. Podman (Pod Manager) is a fully featured container engine that is a simple daemonless tool.

== Installation ==

Podman can be installed via {{Pkg|podman}} package in the community repository: {{Cmd|# apk add podman}}

== Configuration ==

To run podman you'll need to enable the <code>cgroups</code> service. {{Cmd|<nowiki># rc-update add cgroups
# rc-service cgroups start</nowiki>}}

In the past cgroups v2 needs to be enabled in OpenRC. Currently this is the default setting in [[OpenRC#cgroups v2|cgroups v2]].

If you are running on top of [[Btrfs]], consider setting storage driver to <code>btrfs</code>: {{Cmd|$ cat /etc/containers/storage.conf | grep 'driver ='}}
driver = "btrfs"
If you're running podman inside a container, change the storage driver to <code>vfs</code>

You might need to restart your machine at this stage for the above changes to work properly.

=== Running as root ===

No further steps are required to run as root. Run an example container to verify everything works: {{Cmd|# podman run --rm hello-world}}

=== Running in rootless mode ===

To run podman in rootless mode, run the following commands. Replace <USER> with your username in the following commands: {{Cmd|<nowiki># modprobe tun
# echo tun >>/etc/modules
# echo <USER>:100000:65536 >/etc/subuid
# echo <USER>:100000:65536 >/etc/subgid </nowiki>}}

Run an example container to verify everything works: {{Cmd|$ podman run --rm hello-world}}

=== Getting socket ===
You do not need the socket if you are only using the podman CLI locally.
If you want to use the podman API or use podman remotely, you need the podman socket.
You can get it by starting the podman service: {{Cmd|rc-service podman start}}
The default location of the socket is {{Path|/run/podman/podman.sock}}.

=== Shared mount ===

Containers on linux might require filesystems to be mounted with different propagation than the kernel default of 'private'.
{{Cmd|$ findmnt -o PROPAGATION /}} will produce the following output:
PROPAGATION
private

This section explains few ways to mount your root('''/''') as shared for Distrobox to function. This is not needed when running in rootless mode.

Method1:
Fill in the file {{path|/etc/local.d/mount-rshared.start}} as follows:{{Cat|/etc/local.d/mount-rshared.start|<nowiki>#!/bin/sh
mount --make-rshared /</nowiki>}}

Mark it as executable: {{cmd|# chmod +x /etc/local.d/mount-rshared.start}}

Then enable the service to autostart through [[OpenRC]]. {{cmd|<nowiki># rc-update add local default
# rc-service local start </nowiki>}}

Method2:
An alternate solution with OpenRC v0.54.2-r1 onwards, edit the file {{path|/etc/fstab}} and add {{ic|shared}} option to the root partition such that:{{Cat|/etc/fstab|...
/dev/sda2 / ext4 rw,relatime,shared 0 1
...}}

For both the above cases, after a reboot test the working of shared '''/''' mount using the command: {{Cmd|# findmnt -o PROPAGATION /}} which will produce the following output:
PROPAGATION
shared

=== Docker compose ===

The {{Pkg|podman-compose}} package from provides a drop-in replacement for docker compose. Each time a docker compose is used, a warning will remind that this is using podman under the hood. This warning can be squelched permanently by running: {{cmd|# touch /etc/containers/nodocker}}

== Troubleshooting ==

=== "/" is not a shared mount ===

If you see a warning:
: WARN[0000] "/" is not a shared mount, this could cause issues or missing mounts with rootless containers

You might want to fix this temporarily, for currently running system by issuing the command:{{ic|# mount --make-rshared /}}
Alternately, refer to [[#Shared mount|Shared mount]] section for permanent solution(s).

[[Category:Virtualization]]

Classic install or sys mode on Raspberry Pi

2024-05-05T06:28:50Z

Liliace: say we only need one of the two configurations before giving instructions on the first configuration

{{TOC right}}

A how-to for classic ("sys mode") installation.

This method works with a desktop PC under Ubuntu and other Linuxes.

= Preparation =

[https://alpinelinux.org/downloads/ Download] the Alpine for Raspberry Pi tarball. Use the [[Raspberry_Pi#Compability_list|compatibility list]] when choosing image/file to download.
'''Sha256''' and '''GPG''' links appear next to the link to check the download.

Create an MBR partition table with two partitions on an 8 GB (or larger) class 10 sd-card:
* First one, a '''fat16''' type, of 256MB. You may have to set <code>boot</code> and <code>lba</code> flags
* The second one, an '''ext4''' type, occupying the remaining space on the media

Eject and re-insert your SD card to ensure recognition of all the partitions.

Go into the first partition ('''fat16''').

Untar the archive with {{pkg|tar|arch=}}:
tar zxvf ~/Download/alpine-rpi-{{AlpineLatest}}-armhf.tar.gz

If using the UART is required, add a file named <code>usercfg.txt</code> into the partition containing the following single line:

enable_uart=1

For headless use, you can add the following parameters to maximize available memory (32 megs is required for the rpi bootloader):

gpu_mem=32

to enable audio support:

dtparam=audio=on

Eject the SD card properly. Insert it into the Raspberry Pi. Plug in a usb keyboard as well as the HDMI and network cables. Power on.

When the command prompt displays, log in as root. (no password)

== OSX Preparation: creating a FAT16 partition on microSD ==

To create a FAT16 partition with OSX, use the diskutil program and a USB microSD card reader (I used an older version of this: https://www.bestbuy.com/site/insignia-usb-3-0-memory-card-reader/5787406.p?skuId=5787406).

Put the microSD card in the reader. Connect the reader to a USB port and type <code>ls -1 /Volumes</code> in a terminal. Note the name of the microSD volume; for example, VOL1 in the output below:
$ ls -1 /Volumes
Macintosh HD
Preboot
VOL1
$

Unmount the reader. Disconnect it and re-run <code>ls -1 /Volumes</code>. Verify the microSD volume name is no longer listed, then re-insert the USB reader.

Find the mount point of your microSD volume. For example, disk3 in the output below:
$ diskutil list VOL1
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
2: Linux 30.0 GB disk3s2
3: Linux_Swap 1.2 GB disk3s3
$

(For help with the diskutil command, type <code>diskutil</code> to list all command verbs. For help on a specific verb, add the verb. For example, <code>diskutil partitionDisk</code>)

Destroy all the existing partitions on the microSD card and create two new ones:
# a 256MB, FAT16, DOS-compatible partition and
# a free space gap for the rest of the card

$ diskutil partitionDisk disk3 MBR "MS-DOS FAT16" VOL1 256MB "Free Space" VOL2 R
Started partitioning on disk3
Unmounting disk
Creating the partition map
Waiting for partitions to activate
Formatting disk3s1 as MS-DOS (FAT16) with name VOL1
512 bytes per physical sector
/dev/rdisk3s1: 499472 sectors in 62434 FAT16 clusters (4096 bytes/cluster)
bps=512 spc=8 res=1 nft=2 rde=512 mid=0xf8 spf=244 spt=32 hds=32 hid=2 drv=0x80 bsec=500000
Mounting disk
Finished partitioning on disk3
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
$

Change your current working directory to the new FAT16 partition then continue with the untar instruction in the parent prep section.

$ cd /Volumes/VOL1/

= Installation =

Execute the following commands. Make sure there is an internet connection available otherwise setting up the apk mirrors will fail.

setup-alpine

Set the keyboard map, the timezone, how to connect to the network ('''dhcp''' is the best method), say '''none''' at <code>save config</code> and <code>save cache</code>.

apk update

If the extra space in the sd card was left empty, a partition must be created now:

apk add {{pkg|cfdisk|arch=*}} {{pkg|e2fsprogs|arch=*}} # or the tool of your choice
cfdisk /dev/mmcblk0 # create the new partition with the free space
mkfs.ext4 /dev/mmcblk0p2 # create the ext4 filesystem in the new partition

Raspberry Pi has no hardware clock, so synchronize with an ntp server:

apk add {{pkg|chrony|arch=a*}}
service chronyd restart

{{warning | 22 June 2021 - There is a bug in Alpine 3.12.x and older that causes setup-disk to fail on ext4 mounts on Raspberry Pi. The work around is marked in the instructions below. <br />{{Issue|12353}} }}

mount /dev/mmcblk0p2 /mnt # The second partition, in ext4 format, where Alpine Linux is installing in sys mode
export FORCE_BOOTFS=1 # work around for issue 12353
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1 # An update in the first partition is required for the next reboot.

You may get some warning about syslinux when you run setup-disk. You can safely ignore this.

== Update boot partition (keep alpine-rpi* image layout) ==
From here we can either update boot partition to keep the alpine-rpi* image layout
or to keep the system partition/setup-alpine's layout (see next section).
We only need one of the two. Not both.

Clean up the boot folder in the first partition to drop unused files:

rm -f /media/mmcblk0p1/boot/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolic link

Move the image and initramfs for Alpine Linux into the right place:

mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1 # It's the mount point for the first partition on the next reboot

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1/boot boot

== Update boot partition (keep system partition/setup-alpine layout) ==
It turns out that the system partition created by setup-alpine has a working boot layout. To keep this, perform the following steps '''instead''' of the steps in the previous chapter.

Clean up the boot / first partition to drop unused files:

rm -f /media/mmcblk0p1/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolink link

Move the boot folder created by setup-alpine into the right place:

cd /media/mmcblk0p1
mkdir boot
cd ..
cd boot
mv boot/* /media/mmcblk0p1/
cd ..
rm -Rf boot
mkdir media/mmcblk0p1 **# It's the mount point for the first partition on the next reboot**

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1 boot

== End of update boot partition - continue here in both cases ==

Update <code>/etc/fstab</code>:

echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0" >> etc/fstab
sed -i '/cdrom/d' etc/fstab # Of course, you don't have any cdrom or floppy on the Raspberry Pi
sed -i '/floppy/d' etc/fstab
cd /media/mmcblk0p1

If you want to activate the edge repository:
sed -i '/edge/s/^#//' etc/apk/repositories # But enable the repository for community if you want vim, mc, php, apache, nginx, etc.

For the next boot, indicate that the root filesystem is on the second partition. If the cmdline.txt file
contains a line that starts with <code>/root</code>, then use sed:

sed -i 's/$/ root=\/dev\/mmcblk0p2 /' /media/mmcblk0p1/cmdline.txt
reboot

That works on '''Raspberry Pi 3B''' and '''1B''', but if you have the '''1B''' version, you'll need to be very, very patient (several tens of minutes).

If a hard disk is connected via '''usb''', you can replace the <code>/dev/mmcblk0p2</code> above with <code>/dev/sda1</code>, for example.

If you don't want to use '''sed''', you can use the nano editor instead, after executing the following command:

apk add {{pkg|nano|arch=a*}}

= Post-installation =

See the [[Raspberry_Pi#Post_Installation]] for common post-installation steps.

Additionally, the following may be of value on a sys mode installation:

If you want a cool editor ({{Pkg|vim}}), a file manager ({{Pkg|mc}}), and to determine which tasks are running and which services are starting on boot ({{Pkg|htop}}), install the packages with this command:

apk add {{pkg|vim|arch=a*}} {{pkg|mc|arch=a*}} {{pkg|htop|arch=a*}}

The '''RPI 3B''' has wifi on board. To start the service for the encrypted key using wpa2 protocol:

apk add {{pkg|wpa_supplicant|arch=a*}}
rc-update add wpa_supplicant boot
service wpa_supplicant start
setup-interfaces
Replace the IP address by dhcp for all the interfaces if necessary; select the SSID network for wifi, add the password.
ip addr # to find the IP address for all interfaces

If you want to connect to your RPI via <code>ssh</code>, an additional user (''foo'') and the {{Pkg|sudo|arch=*}} package are required because it's forbidden to connect as root:

apk add sudo
adduser foo
adduser foo wheel
visudo

Uncomment line #82 with <code>wheel ALL=(ALL) ALL</code>. If {{Pkg|vim}} is installed, save the changes by typing '''Esc :x'''

= Troubleshooting =

Following the preparation instructions for setting up the boot partition as outlined, using the armv7 image (3.10.3), my rpi2 would not even boot, and I was trapped at the dreaded rainbow screen, with the green led blinking a few times in a row, repeatedly.

The rpi2 I had appears to require '''fat32''' for the boot partition, NOT '''fat16''' as suggested in the instructions. Use linux fdisk to set the boot partition type as "c" (for fat32/lba) and set the '''lba''' and '''boot''' flags for the partition as suggested. Create the boot partition filesystem as fat32 with:

mkdosfs -F 32 /dev/sdX1

Mount and unpacke the tarball to that, and everything should work as documented after the prep instructions.

After booting, you may find less system memory available than you expect. Currently the Pi requires a minimum of 32 megs of memory for the gpu, to boot unless you have the cut down boot loader installed, in which case you can use 16. However, you may find more gpu memory is still being used, even if you configure it for less, if you enable audio or camera support. To find out how your system is actually split:

{{Note|Directions below are for Alpine versions older than 3.18... Help wanted: Is there something equivalent in current versions?}}
apk add {{pkg|raspberrypi|arch=*|branch=v3.17}}
/opt/vc/bin/vcgencmd get_mem gpu
/opt/vc/bin/vcgencmd get_mem arm

= See also =

* [[Raspberry Pi]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Linux Router with VPN on a Raspberry Pi]]

[[Category:Installation]]
[[category: Raspberry]]

Classic install or sys mode on Raspberry Pi

2024-05-05T06:11:08Z

Liliace: fix formatting and typo

{{TOC right}}

A how-to for classic ("sys mode") installation.

This method works with a desktop PC under Ubuntu and other Linuxes.

= Preparation =

[https://alpinelinux.org/downloads/ Download] the Alpine for Raspberry Pi tarball. Use the [[Raspberry_Pi#Compability_list|compatibility list]] when choosing image/file to download.
'''Sha256''' and '''GPG''' links appear next to the link to check the download.

Create an MBR partition table with two partitions on an 8 GB (or larger) class 10 sd-card:
* First one, a '''fat16''' type, of 256MB. You may have to set <code>boot</code> and <code>lba</code> flags
* The second one, an '''ext4''' type, occupying the remaining space on the media

Eject and re-insert your SD card to ensure recognition of all the partitions.

Go into the first partition ('''fat16''').

Untar the archive with {{pkg|tar|arch=}}:
tar zxvf ~/Download/alpine-rpi-{{AlpineLatest}}-armhf.tar.gz

If using the UART is required, add a file named <code>usercfg.txt</code> into the partition containing the following single line:

enable_uart=1

For headless use, you can add the following parameters to maximize available memory (32 megs is required for the rpi bootloader):

gpu_mem=32

to enable audio support:

dtparam=audio=on

Eject the SD card properly. Insert it into the Raspberry Pi. Plug in a usb keyboard as well as the HDMI and network cables. Power on.

When the command prompt displays, log in as root. (no password)

== OSX Preparation: creating a FAT16 partition on microSD ==

To create a FAT16 partition with OSX, use the diskutil program and a USB microSD card reader (I used an older version of this: https://www.bestbuy.com/site/insignia-usb-3-0-memory-card-reader/5787406.p?skuId=5787406).

Put the microSD card in the reader. Connect the reader to a USB port and type <code>ls -1 /Volumes</code> in a terminal. Note the name of the microSD volume; for example, VOL1 in the output below:
$ ls -1 /Volumes
Macintosh HD
Preboot
VOL1
$

Unmount the reader. Disconnect it and re-run <code>ls -1 /Volumes</code>. Verify the microSD volume name is no longer listed, then re-insert the USB reader.

Find the mount point of your microSD volume. For example, disk3 in the output below:
$ diskutil list VOL1
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
2: Linux 30.0 GB disk3s2
3: Linux_Swap 1.2 GB disk3s3
$

(For help with the diskutil command, type <code>diskutil</code> to list all command verbs. For help on a specific verb, add the verb. For example, <code>diskutil partitionDisk</code>)

Destroy all the existing partitions on the microSD card and create two new ones:
# a 256MB, FAT16, DOS-compatible partition and
# a free space gap for the rest of the card

$ diskutil partitionDisk disk3 MBR "MS-DOS FAT16" VOL1 256MB "Free Space" VOL2 R
Started partitioning on disk3
Unmounting disk
Creating the partition map
Waiting for partitions to activate
Formatting disk3s1 as MS-DOS (FAT16) with name VOL1
512 bytes per physical sector
/dev/rdisk3s1: 499472 sectors in 62434 FAT16 clusters (4096 bytes/cluster)
bps=512 spc=8 res=1 nft=2 rde=512 mid=0xf8 spf=244 spt=32 hds=32 hid=2 drv=0x80 bsec=500000
Mounting disk
Finished partitioning on disk3
/dev/disk3 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: FDisk_partition_scheme *31.4 GB disk3
1: DOS_FAT_16 VOL1 256.0 MB disk3s1
$

Change your current working directory to the new FAT16 partition then continue with the untar instruction in the parent prep section.

$ cd /Volumes/VOL1/

= Installation =

Execute the following commands. Make sure there is an internet connection available otherwise setting up the apk mirrors will fail.

setup-alpine

Set the keyboard map, the timezone, how to connect to the network ('''dhcp''' is the best method), say '''none''' at <code>save config</code> and <code>save cache</code>.

apk update

If the extra space in the sd card was left empty, a partition must be created now:

apk add {{pkg|cfdisk|arch=*}} {{pkg|e2fsprogs|arch=*}} # or the tool of your choice
cfdisk /dev/mmcblk0 # create the new partition with the free space
mkfs.ext4 /dev/mmcblk0p2 # create the ext4 filesystem in the new partition

Raspberry Pi has no hardware clock, so synchronize with an ntp server:

apk add {{pkg|chrony|arch=a*}}
service chronyd restart

{{warning | 22 June 2021 - There is a bug in Alpine 3.12.x and older that causes setup-disk to fail on ext4 mounts on Raspberry Pi. The work around is marked in the instructions below. <br />{{Issue|12353}} }}

mount /dev/mmcblk0p2 /mnt # The second partition, in ext4 format, where Alpine Linux is installing in sys mode
export FORCE_BOOTFS=1 # work around for issue 12353
setup-disk -m sys /mnt
mount -o remount,rw /media/mmcblk0p1 # An update in the first partition is required for the next reboot.

You may get some warning about syslinux when you run setup-disk. You can safely ignore this.

== Update boot partition (keep alpine-rpi* image layout) ==
Clean up the boot folder in the first partition to drop unused files:

rm -f /media/mmcblk0p1/boot/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolic link

Move the image and initramfs for Alpine Linux into the right place:

mv boot/* /media/mmcblk0p1/boot/
rm -Rf boot
mkdir media/mmcblk0p1 # It's the mount point for the first partition on the next reboot

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1/boot boot

== Update boot partition (keep system partition/setup-alpine layout) ==
It turns out that the system partition created by setup-alpine has a working boot layout. To keep this, perform the following steps '''instead''' of the steps in the previous chapter.

Clean up the boot / first partition to drop unused files:

rm -f /media/mmcblk0p1/*
cd /mnt # We are in the second partition
rm boot/boot # Drop the unused symbolink link

Move the boot folder created by setup-alpine into the right place:

cd /media/mmcblk0p1
mkdir boot
cd ..
cd boot
mv boot/* /media/mmcblk0p1/
cd ..
rm -Rf boot
mkdir media/mmcblk0p1 **# It's the mount point for the first partition on the next reboot**

Don't worry about the error when you execute the following:

ln -s media/mmcblk0p1 boot

== End of update boot partition - continue here in both cases ==

Update <code>/etc/fstab</code>:

echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0" >> etc/fstab
sed -i '/cdrom/d' etc/fstab # Of course, you don't have any cdrom or floppy on the Raspberry Pi
sed -i '/floppy/d' etc/fstab
cd /media/mmcblk0p1

If you want to activate the edge repository:
sed -i '/edge/s/^#//' etc/apk/repositories # But enable the repository for community if you want vim, mc, php, apache, nginx, etc.

For the next boot, indicate that the root filesystem is on the second partition. If the cmdline.txt file
contains a line that starts with <code>/root</code>, then use sed:

sed -i 's/$/ root=\/dev\/mmcblk0p2 /' /media/mmcblk0p1/cmdline.txt
reboot

That works on '''Raspberry Pi 3B''' and '''1B''', but if you have the '''1B''' version, you'll need to be very, very patient (several tens of minutes).

If a hard disk is connected via '''usb''', you can replace the <code>/dev/mmcblk0p2</code> above with <code>/dev/sda1</code>, for example.

If you don't want to use '''sed''', you can use the nano editor instead, after executing the following command:

apk add {{pkg|nano|arch=a*}}

= Post-installation =

See the [[Raspberry_Pi#Post_Installation]] for common post-installation steps.

Additionally, the following may be of value on a sys mode installation:

If you want a cool editor ({{Pkg|vim}}), a file manager ({{Pkg|mc}}), and to determine which tasks are running and which services are starting on boot ({{Pkg|htop}}), install the packages with this command:

apk add {{pkg|vim|arch=a*}} {{pkg|mc|arch=a*}} {{pkg|htop|arch=a*}}

The '''RPI 3B''' has wifi on board. To start the service for the encrypted key using wpa2 protocol:

apk add {{pkg|wpa_supplicant|arch=a*}}
rc-update add wpa_supplicant boot
service wpa_supplicant start
setup-interfaces
Replace the IP address by dhcp for all the interfaces if necessary; select the SSID network for wifi, add the password.
ip addr # to find the IP address for all interfaces

If you want to connect to your RPI via <code>ssh</code>, an additional user (''foo'') and the {{Pkg|sudo|arch=*}} package are required because it's forbidden to connect as root:

apk add sudo
adduser foo
adduser foo wheel
visudo

Uncomment line #82 with <code>wheel ALL=(ALL) ALL</code>. If {{Pkg|vim}} is installed, save the changes by typing '''Esc :x'''

= Troubleshooting =

Following the preparation instructions for setting up the boot partition as outlined, using the armv7 image (3.10.3), my rpi2 would not even boot, and I was trapped at the dreaded rainbow screen, with the green led blinking a few times in a row, repeatedly.

The rpi2 I had appears to require '''fat32''' for the boot partition, NOT '''fat16''' as suggested in the instructions. Use linux fdisk to set the boot partition type as "c" (for fat32/lba) and set the '''lba''' and '''boot''' flags for the partition as suggested. Create the boot partition filesystem as fat32 with:

mkdosfs -F 32 /dev/sdX1

Mount and unpacke the tarball to that, and everything should work as documented after the prep instructions.

After booting, you may find less system memory available than you expect. Currently the Pi requires a minimum of 32 megs of memory for the gpu, to boot unless you have the cut down boot loader installed, in which case you can use 16. However, you may find more gpu memory is still being used, even if you configure it for less, if you enable audio or camera support. To find out how your system is actually split:

{{Note|Directions below are for Alpine versions older than 3.18... Help wanted: Is there something equivalent in current versions?}}
apk add {{pkg|raspberrypi|arch=*|branch=v3.17}}
/opt/vc/bin/vcgencmd get_mem gpu
/opt/vc/bin/vcgencmd get_mem arm

= See also =

* [[Raspberry Pi]]
* [[Raspberry Pi 3 - Setting Up Bluetooth]]
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]
* [[Linux Router with VPN on a Raspberry Pi]]

[[Category:Installation]]
[[category: Raspberry]]

Custom Kernel

2023-02-16T07:28:30Z

Liliace: fix typo

{{Draft}}

This process of building a '''custom configured kernel''' assumes you are running on Alpine Linux utilizing abuild & aports.

== But why? ==

You want to build a custom kernel to enable experimental hardware or features or outdated hardware, to reduce bloat further, to tune the kernel to the hardware.

The lts kernel for most Alpine ARCHs uses defaults to balance throughput at the expense of some responsiveness, and support for many devices. You can tweak the kernel for desktop use and low latency and responsiveness.

You should disable modules to increase security. By default, Alpine will install modules but not disable most of them. Disabling modules will reduce an DMA attack but not eliminate it completely. If you have a newer processor with VT-d, you can mitigate as long as you:

Leave CONFIG_INTEL_IOMMU_DEFAULT_ON=y or pass intel_iommu=on as a kernel parameter and disable kernel logging so the attacker doesn't gain DMAR address information through dmesg.[http://blog.frizk.net/2016/11/disable-virtualization-based-security.html] Also remove references to the kernel version to calculate the IOMMU addresses.[https://link.springer.com/content/pdf/10.1186/s13173-017-0066-7.pdf]

To increase the security of the boot process, if you have a TPM, you could set CONFIG_INTEL_TXT=y (Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)) (which is not enabled in the hardened kernel by default), then you would need the SINIT module (provided only by Intel)[https://software.intel.com/en-us/articles/intel-trusted-execution-technology], a possibly compiled TrustedGrub2[https://github.com/Rohde-Schwarz-Cybersecurity/TrustedGRUB2], trousers[https://sourceforge.net/projects/trousers/?source=navbar], tboot[https://sourceforge.net/projects/tboot/]. These packages are not in aports and it is unknown if these tools work on musl. It's not recommended for Edge. Also, there would be trigger packages to generate hashes for the kernel and the mkinitfs updates.

== Setting up the Alpine Build System ==

First, you need to follow the steps in [[Creating_an_Alpine_package#Setup_your_system_and_account|Setup your system and account for building packages]]. You also need to configure your /etc/apk/repositories so that they search locally for your apks. See [[Creating_an_Alpine_package#Testing_the_package_locally|Testing the package locally]] for details.

After setting up accounts and repos, change your shell's current working directory to '''aports''' that you just cloned.

cd aports

== Working with aports ==

We will try using an existing lts kernel just tweaking the lts.ARCH.config file.

=== Switching to the proper release version ===

You need to switch to the proper branch that matches the release so that the kernel compiles against the dependencies properly.

{| cellpadding="5" border="1" class="wikitable"
|-
! Alpine version
! Remote branch
|-
| Edge
| master
|-
| 3.7.0
| 3.7-stable
|-
|}

The following is required to get access to the APKBUILD released for that version of Alpine and which you will create a commit for.

If you are on 3.7 do:

git checkout -b 3.7-stable origin/3.7-stable

If you are on Edge do:

git checkout master

=== Creating your config ===

You can use linux-lts but what you should do is create a local branch by doing:

For Alpine Edge:

git checkout -b my-custom-kernel

For Alpine 3.7:

git checkout -b my-custom-kernel origin/3.7-stable

Doing it this way, you do less work in maintaining. All you need to do is keep ''master'' or ''3.7-stable'' in sync[https://help.github.com/articles/syncing-a-fork/][https://help.github.com/articles/configuring-a-remote-for-a-fork/] and merge any conflicts.

First switch to the branch by doing <code>git checkout my-custom-kernel</code>. Then, you need to navigate to the ''main/linux-lts'' folder where you should see a APKBUILD and some config- files. When you are done with your edits either by editing directly the APKBUILD and copying the lts.ARCH.config as .config in the linux-4.15 folder. You will then move the .config back overriding the lts.ARCH.config generated by <code>make menuconfig</code> (discussed below in the ''Configuring kernel'' section). After generating your config, you need to <code>abuild checksum</code>. Then, do <code>git add APKBUILD lts.ARCH.config</code> where ARCH is whatever architecture (x86, x86_64, ...) you use. Then, you need to do <code>git commit APKBUILD config-NAME.ARCH -m "Enabled these options ...."</code> for your customization the ARCHitecture of your system. You do this so that git can keep your code separate from Alpine's and so your changes float forward between kernel updates.

== Adding custom patches ==

Custom patches should be added to ''sources=''.

After you added the URL, you need to produce a checksum by doing <code>abuild checksum</code>.

The custom patches may not be autopatched, due to being distributed as an archive or different patch level, so you need to define what to do with it in the prepare().

== Configuring kernel ==

Attempt to build the kernel first. To do that, you do abuild -rK to install most of the dependencies. If it complains about a dependency like elfutils-dev use -rKd. Then, when it prompts for values for new found config options just hold enter till it starts compiling the kernel. There should be two sets one for -lts and the other for the -virt. Just Ctrl+C out of the compilation process after the second set so you can further customize the config. Then you go into the src/linux-VER and edit the config file. Copy the .config file overriding the lts.ARCH.config in the srcdir.

The alternative is to use the kernel configuration menu in the build-NAME folder, but before yo do that you need to <code>sudo apk add ncurses-dev</code>

After you are done using the menu in the build-NAME folder by doing <code>make menuconfig</code>, you want to remove <code>ncurses-dev</code>. When you are done, it will be stored in ''.config'' which you need to again override the lts.ARCH.config file. When you are done updating the config-NAME.ARCH, you need to do <code>abuild checksum</code>.

The options in the kernel config are typically defaults. If your device is old, it may be set to n by default.

=== Vanilla targets and tuning ===

{|cellpadding="5" border="1" class="wikitable"
!ARCH
!Processor Type / CPU Selection / System Type
!Code Generation / Instruction Extensions
!Timer Frequency
!Preemption Model
!Bitness
|-
|s390x
|IBM zEnterprise 114 and 196
|IBM zBC12 and zEC12 (<code>-march=zEC12 -mtune=zEC12</code>)
|100 Hz
|No Forced Preemption (Server)
|64
|-
|ppc64le
|Server processors
|POWER8 (<code>-mcpu=power8</code>), AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>), VSX
|100 HZ
|No Forced Preemption (Server)
|64
|-
|ppc
|
512x/52xx/6xx/7xx/74xx/82xx/83xx/86xx
* Apple PowerMac based machines
|AltiVec (<code>-Wa,-maltivec</code> to assembler or <code>-maltivec -mabi=altivec</code>) on >=74xx
|250 HZ
|No Forced Preemption (Server)
|32
|-
|x86_64
|Generic-x86-64
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|300 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|x86
|586/K5/5x86/6x86/6x86MX
|(-mtune=generic ; SIMD assembly modules enabled based on simple compile test and/or presence of CPU flag)
|300 HZ
|Voluntary Kernel Preemption (Desktop)
|32
|-
|armhf
|
* ARMv7 based platforms (Cortex-A, PJ4, Scorpion, Krait)
* Freescale i.MX family -- Cortex A (i.MX51, i.MX53, i.MX6 Quad/DualLite, i.MX6 SoloLite, i.MX6 SoloX, i.MX6 UltraLite, i.MX7 Dual)
* Qualcomm -- (MSM8X60, MSM8960, MSM8974)
* Allwinner SoCs -- (A10 (sun4i), A10s / A13 (sun5i), A31 (sun6i), A20 (sun7i), sun8i Family, (sun9i))
* ARM Ldt Versatile Express family --
|Either <code>-march=armv7-a</code> or <code>-march=armv5t -Wa,-march=armv7-a</code> based on a compile test. <code>-mfpu=vfp</code>
|100 Hz
|Voluntary Kernel Preemption (Desktop)
|32
|-
|aarch64
|
* Allwinner sunxi 64-bit SoC Family
* Broadcom BCM2835 family
* Marvell Berlin SoC Family
* ARMv8 based Samsung Exynos SoC family
* ARMv8 based Freescale Layerscape SoC family
* Hisilicon SoC Family
* Mediatek MT65xx & MT81xx ARMv8 SoC
* Marvell EBU SoC Family
* Qualcomm Platforms
* Rockchip Platforms
* AMD Seattle SoC Family
* Altera's Stratix 10 SoCFPGA Family
* NVIDIA Tegra SoC Family
* Spreadtrum SoC platform
* Cavium Inc. Thunder SoC Family
* ARMv8 software model (Versatile Express)
* AppliedMicro X-Gene SOC Family
* Xilinx ZynqMP Family
|
|300 HZ
|Voluntary Kernel Preemption (Desktop)
|64
|-
|}
If you do desktop multitasking, you may want to switch to Voluntary Kernel Preemption (Desktop) or Preemptible Kernel (Low-Latency Desktop) and up the Timer Frequency. If you run a dedicated render farm node or a dedicated bitcoin miner use No Forced Preemption (Server) and decrease the Timer Frequency.

Optimized modules (most are already compiled as modules):
* raid6 -- altivec, avx512, ssse3, avx2, mmx, sse, sse2, neon
* some operations of raid5 -- mmx (32 bit), sse (64 bit), avx
For Kernel API:
* 32-bit memcpy -- 3dnow
* 32-bit memory page clearing and copying -- sse (Athlon/K7 only), mmx
From x86/crypto, arm/crypto, powerpc/crypto:
* CAMELLIA -- avx2, avx, aes-ni
* CHACHA20 -- avx2, neon
* CAST5 -- avx
* CAST6 -- avx
* TWOFISH -- avx
* SERPENT -- avx2, avx, sse2
* SHA1 -- avx2, ssse3, neon, spe
* SHA2 -- avx2
* SHA256 -- ssse3, neon, spe
* SHA512 -- avx2, ssse3, neon
* POLY1305 -- avx2
* GHASH -- pclmulqdq (part of aes-ni), vmx (power8)
* AES -- aes-ni, neon, vmx (power8), spe
* CRC32 -- pclmulqdq, sse, neon, vmx (power8)
* CRCT10DIF -- pclmulqdq, sse, neon, vmx (power8)

=== Fast reboots with kexec ===

If you want to reboot the kernel fast avoiding the POST test, you need <code>sudo apk add kexec-tools</code> and enable kexec in the kernel:

Processor type and features
[*] kexec system call

=== Hibernation to prevent data loss ===

Power management and ACPI options
[*] Hibernation (aka 'suspend to disk')

Hibernation should be used if you have a laptop. You don't want the laptop to suddenly shut off resulting in data loss, you want it to save your work based on a percentage of battery life (this requires special script). When you do hibernation and when it restores back, it should lock down the computer and ask for prompt. Depending on your needs, the hibernated image can be encrypted/decrypted which again requires additional customization to scripts.

Hibernation with an unsanitized swap file is generally insecure because data and unlocked memory pages is swapped out in plaintext. To increase the security either disable swap (Alpine default) or use an encrypted swap. The swap file/partition is typically used as a dump of the hibernated image.

== Building ==

Before building, you may want to remove as many modules as possible. This will reduce the time to compile greatly. Also, you may want to use cache for faster recompiles especially if you are searching for the minimal set of options or modules to use or include.

You should then do an <code>abuild -r</code> to attempt to build it.

== Installing ==

To install it you do a <code>sudo apk add linux-NAME</code> where NAME is your custom kernel name.

== Testing ==

Before you test, you should install the lts kernel too, using <code>sudo apk add linux-hardened</code>. You may be missing a module and can't boot, so you use the other kernel as the fallback boot kernel. Don't forget to update your bootloader configuration.

To test, first you should make a bootable Alpine USB image. Then, when you have your rescue USB done, you <code>doas reboot</code> the computer.

To test it, you basically do trial and error. Sometimes your config is missing something if you want to have a bare minimum setting.

If you are curious about correctness testing, some kernel modules or components do preform self tests at the beginning of the boot process. The tools may have test suites that you run with the make command.

[[Category:Kernel]]

Include:Setup your system and account for building packages

2023-02-15T23:36:01Z

Liliace: provide more precise location of abuild.conf

The {{Pkg|alpine-sdk}} is a metapackage that pulls in the most essential packages used to build new packages. Also install and configure a way to elevate privileges, such as sudo or doas, and an editor, such as vi, nano, micro.

{{Cmd|# apk add alpine-sdk}}

This would be a good time to [[Setting_up_a_new_user|create a normal user account for you to work in]]. To make life easier later, it's a good idea to add this user to the wheel group; operations that require superuser privileges can now be done with sudo or doas.

The [[Aports_tree|aports tree]] is in git so before we clone it, let's configure git.

{{Cmd|$ git config --global user.name "Your Full Name"
$ git config --global user.email "your@email.address"}}

Read carefully [[Development using git]] to grasp basic Git operations and how to configure for sending email patches.

Now we can clone the [[Aports_tree|aports tree]].

{{Cmd|$ git clone https://gitlab.alpinelinux.org/alpine/aports}}

Before we start creating or modifying [[APKBUILD_Reference|APKBUILD]] files, we need to setup abuild for our system and user. Edit the file {{Path|/etc/abuild.conf}} to your requirements.

Most of the defaults can be left alone, unless you are developing for a custom platform, in which case the comments in the file should guide you. The one field to edit is PACKAGER, so that you can get credit (or blame) for packages you create.

To use 'abuild -r' command to install dependency packages automatically.
{{Cmd|# addgroup <yourusername> abuild}}

We also need to prepare the location where the build process caches files when they are downloaded. By default this is {{Path|/var/cache/distfiles/}}. To create this directory and ensure that it is writeable, enter the following commands:

{{Cmd|# mkdir -p /var/cache/distfiles}}
{{Cmd|# chmod a+w /var/cache/distfiles}}

As an alternative to the second command, you can add yourself to the abuild group:

{{Cmd|# chgrp abuild /var/cache/distfiles}}
{{Cmd|# chmod g+w /var/cache/distfiles}}

{{Note|Remember to logout and login again for the group change to have effect.}}

The last step is to configure the security keys with the [[Abuild-keygen|abuild-keygen]] script for [[Abuild|abuild]] with the command:

{{Cmd|# abuild-keygen -a -i}}

[[Category:Development]]