https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Bt129&feedformat=atomAlpine Linux - User contributions [en]2024-03-29T13:13:30ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=S390x/Known_Issues&diff=20158S390x/Known Issues2021-09-29T05:35:09Z<p>Bt129: </p>
<hr />
<div>{{draft}}<br />
<br />
When running the 3.9 netboot installer, mostly on the '''z/VM hypervisor''', you might hit the following problem (common on architectures without an RTC clock, such as armhf, aarch64 and s390x):<br />
<pre><br />
Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony] busybox<br />
 * service ntpd added to runlevel default<br />
 * Starting busybox ntpd ... [ ok ]<br />
ssl_client: mirrors.alpinelinux.org: ocsp verify failed: ocsp response not current<br />
wget: error getting response: Connection reset by peer<br />
r) Add random from the above list<br />
f) Detect and add fastest mirror from above list<br />
e) Edit /etc/apk/repositories with text editor<br />
<br />
Enter mirror number (1-0) or URL to add (or r/f/e/done) [f]: <br />
</pre><br />
<br />
This is because the clocksource on s390x was not detected, so the installer's clock is wrong and TLS validation of the mirror fails (both the certificate's validity period and the freshness of the OCSP response are checked against the local clock). There are pull requests to fix this (expected in the 3.9.1 release):<br />
<pre><br />
https://github.com/alpinelinux/aports/pull/6183<br />
https://github.com/alpinelinux/aports/pull/6184<br />
</pre><br />
<br />
In the meantime, to work around this problem, set the system time, either manually with the <code>date</code> command or via NTP, and only then start the installer, as shown below. Do not work around the error by disabling certificate verification: the clock is what is wrong, not the mirror.<br />
<br />
<pre><br />
# setup-interfaces<br />
# setup-dns<br />
# service networking start<br />
# ntpd -qn -p pool.ntp.org<br />
# setup-alpine<br />
</pre><br />
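The same workaround as a small guard script, added here as an example; it is not part of the wiki page or of Alpine's installer. It refuses to start <code>setup-alpine</code> while the clock is implausible, runs the one-shot busybox <code>ntpd</code> query the page shows, and re-checks. <code>MIN_EPOCH</code> is an assumption (the release date of the boot media you are using); NTP itself is unauthenticated, so the goal is only a sane clock so that the mirror's certificate and OCSP checks can succeed.<br />

```shell
#!/bin/sh
# Added example: gate the installer on a plausible clock (not Alpine's code).
# MIN_EPOCH is an assumption: the release date of your boot media as a Unix
# timestamp (2019-01-01T00:00:00Z here, for illustration only).
MIN_EPOCH=1546300800

# epoch_is_plausible EPOCH MIN
# Returns 0 when EPOCH is a non-negative integer that is not older than MIN.
epoch_is_plausible() {
    epoch=$1
    min=$2
    case "$epoch" in
        ''|*[!0-9]*) return 1 ;;   # empty or not a number
    esac
    [ "$epoch" -ge "$min" ]
}

# clock_is_plausible: checks the running system's clock against MIN_EPOCH.
clock_is_plausible() {
    epoch_is_plausible "$(date +%s)" "$MIN_EPOCH"
}

# sync_clock_then_install: if the clock is implausible, query the NTP pool
# once (busybox ntpd -q exits after the first sync), then start the installer
# only if the clock is now plausible. A still-wrong clock means the network
# path is unusable for TLS and the operator must set the time by hand.
sync_clock_then_install() {
    if ! clock_is_plausible; then
        echo "clock looks wrong ($(date -u)); syncing with NTP" >&2
        ntpd -qn -p pool.ntp.org || return 1
    fi
    if ! clock_is_plausible; then
        echo "clock still implausible; set it with 'date -s' before installing" >&2
        return 1
    fi
    setup-alpine
}
```

Run <code>sync_clock_then_install</code> after <code>setup-interfaces</code>, <code>setup-dns</code> and <code>service networking start</code>, in place of the last two commands above.<br />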
<br />
<br />
[[category:IBM]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=S390x/Docker&diff=20157S390x/Docker2021-09-29T05:32:56Z<p>Bt129: /* Running Alpine containers on Docker on Alpine s390x */</p>
<hr />
<div>== Running Alpine containers on Docker on Alpine s390x ==<br />
<br />
After [https://wiki.alpinelinux.org/wiki/S390x installing] Alpine on s390x, Docker needs to be installed first by adding the <code>community</code> repository:<br />
<br />
:For stable release, run:<br />
<br />
:<code># echo http://dl-cdn.alpinelinux.org/alpine/latest-stable/community >> /etc/apk/repositories</code><br />
<br />
:For rolling release, run:<br />
<br />
:<code># echo http://dl-cdn.alpinelinux.org/alpine/edge/community >> /etc/apk/repositories</code><br />
<br />
{{Note| <code>community</code> repository must match <code>main</code> repository's release version (stable or edge) }}<br />
<br />
Install Docker:<br />
<br />
<code> # apk update </code><br />
<br />
<code> # apk add docker </code><br />
<br />
Start Docker service:<br />
<br />
<code> # service docker start </code><br />
<br />
Enable the Docker service to auto start on next boot:<br />
<br />
<code> # rc-update add docker </code><br />
<br />
Run Alpine s390x container:<br />
<br />
<code> # docker run -ti alpine sh </code><br />
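The repository step above is easy to get wrong: the <code>community</code> line must be for the same release as the existing <code>main</code> line. The following POSIX sh functions, added here as an example and not part of the wiki page or of Alpine's tooling, derive the community URL from whatever main URL <code>/etc/apk/repositories</code> already contains and append it only once. The file path in the usage comment is the real one; the release in the test data is just a sample.<br />

```shell
#!/bin/sh
# Added example: enable the community repository matching the release that
# the main repository line already uses (not Alpine's own code).

# community_repo_for MAIN_URL
# Prints the community URL that corresponds to a main repository URL, e.g.
# http://dl-cdn.alpinelinux.org/alpine/v3.10/main -> .../v3.10/community
# Returns 1 if the argument does not look like a main repository URL.
community_repo_for() {
    case "$1" in
        */main) printf '%s/community\n' "${1%/main}" ;;
        *)      return 1 ;;
    esac
}

# main_repo_line FILE
# Prints the first non-comment line in FILE that names a main repository,
# with trailing whitespace removed (empty output if there is none).
main_repo_line() {
    grep -v '^[[:space:]]*#' "$1" | sed 's/[[:space:]]*$//' | grep '/main$' | head -n 1
}

# add_community_repo FILE
# Appends the matching community line to FILE unless it is already present,
# then prints it. Returns 1 if FILE has no main repository to derive from.
add_community_repo() {
    file=$1
    main=$(main_repo_line "$file")
    community=$(community_repo_for "$main") || return 1
    if ! grep -qxF "$community" "$file"; then
        printf '%s\n' "$community" >> "$file"
    fi
    printf '%s\n' "$community"
}

# Typical use on the installed host:
#   add_community_repo /etc/apk/repositories && apk update && apk add docker
```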
<br />
== Running Alpine containers on Docker on other s390x distros ==<br />
<br />
Run:<br />
<br />
<code> # docker run -ti alpine sh </code><br />
<br />
<br />
[[category:IBM]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=S390x/Installation&diff=20156S390x/Installation2021-09-29T05:29:08Z<p>Bt129: /* Kernel parameters (and parmfile) */</p>
<hr />
<div>{{TOC right}}<br />
<br />
= 1. Known Issues =<br />
1. Installation on 2 or more DASDs (either ECKD or FBA) on z/VM is not supported by the installer script (<code>setup-alpine</code>) at the moment. If you want to install on, or extend onto, more than 1 DASD, see [https://wiki.alpinelinux.org/wiki/S390x#Extending_LVM_volume "Extending LVM volume"]. Installation on 2 or more virtio (SCSI) disks on KVM is supported just like on other architectures.<br />
<br />
= 2. The boot media =<br />
<br />
For KVM, both ISO image and netboot media (kernel and initramfs) are supported.<br />
<br />
For z/VM, netboot media is supported.<br />
<br />
For LPAR, netboot media is supported. See [https://wiki.alpinelinux.org/wiki/S390x/Installation/LPAR "LPAR"] for more information.<br />
<br />
Boot media are found at:<br />
<br />
* http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/<br />
<br />
<br />
== Kernel parameters (and parmfile) ==<br />
The Alpine s390x boot media requires the following kernel parameters to work (details at <code>https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt</code>):<br />
<br />
<code>ip=dhcp</code> : use DHCP for network configuration.<br />
<br />
<code>ip=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf:dns1:dns2</code> : use static IP configuration, each field is separated by a colon <code>:</code><br />
* <code>client-ip</code> ip address of the guest VM where we are going to run the installer<br />
* <code>server-ip</code> not used, leave blank or fill with <code>none</code><br />
* <code>gw-ip</code> the gateway ip address<br />
* <code>netmask</code> the netmask<br />
* <code>hostname</code> not used, leave blank or fill with <code>none</code><br />
* <code>device</code> the network interface of the guest VM, default is <code>eth0</code> if left blank<br />
* <code>autoconf</code> not used, leave blank or fill with <code>none</code> or <code>off</code><br />
* <code>dns1</code> address of the DNS server<br />
* <code>dns2</code> address of the 2nd DNS server<br />
<br />
<code>alpine_repo=</code> : the location of the Alpine repository from which packages are downloaded.<br />
<br />
:For stable release, use <code>http://dl-cdn.alpinelinux.org/alpine/v3.10/main</code><br />
<br />
:For rolling release, use <code>http://dl-cdn.alpinelinux.org/alpine/edge/main</code><br />
<br />
<code>modloop=</code> : the remote location of the image containing the kernel's modules, required for LVM and RAID setup.<br />
<br />
:The remote location of the <code>modloop</code> image is the same as the kernel and initramfs (see below).<br />
<br />
<code>ssh_key=</code> : the remote location of your SSH public key, which is used to allow SSH connections into the installer. It will be downloaded and copied into <code>/root/.ssh/authorized_keys</code> in the installer.<br />
<br />
{{Note|Fetching public keys from HTTP, HTTPS and FTPS is supported. The downloaded key grants root access to the installer, so anyone who can tamper with the transfer can substitute their own key. HTTP should be used only in a local environment where you own the network.}}<br />
<br />
{{Note|Alpine Linux security policy is against using passwords for root access via SSH; public/private key pairs are a much better approach.}}<br />
<br />
<br />
'''z/VM only'''<br />
<br />
<code>dasd=</code> : the addresses of the DASD devices, either ECKD or FBA DASDs. Each device is separated with a comma.<br />
<br />
<code>s390x_net=</code> : the network interface type and its subchannels. At the moment only QETH layer 2 is supported, hence the name <code>qeth_l2</code> (see below).<br />
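The parameters above are easy to mistype, in particular the static <code>ip=</code> value whose unused fields must still be present as empty colon-separated slots, and the <code>ssh_key=</code> URL whose scheme decides who can plant a key on the installer. The following POSIX sh helpers, added here as an example and not part of the wiki page or of Alpine's boot media, build the static <code>ip=</code> value from named fields, count its fields, refuse an <code>ssh_key</code> URL that is not <code>https://</code> or <code>ftps://</code> unless plain HTTP is explicitly allowed, and print the parameter lines in the one-per-line form the parm file below uses. The addresses and URLs in the test are placeholders.<br />

```shell
#!/bin/sh
# Added example: assemble and sanity-check the boot parameters (not Alpine's
# code). Static ip= layout per nfsroot.txt:
#   ip=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf:dns1:dns2

# static_ip_param CLIENT GW NETMASK DNS1 [DNS2]
# Prints the static ip= value with server-ip, hostname, device and autoconf
# left empty, as the page's examples do.
static_ip_param() {
    printf 'ip=%s::%s:%s::::%s:%s\n' "$1" "$2" "$3" "$4" "${5:-}"
}

# ip_param_field_count VALUE
# Prints the number of colon-separated fields in an ip= value: 9 for a
# well-formed static value, 1 for ip=dhcp.
ip_param_field_count() {
    printf '%s' "${1#ip=}" | awk -F: '{ print NF }'
}

# ssh_key_url_ok URL [yes]
# The installer writes the fetched key to /root/.ssh/authorized_keys, so a
# tampered download means root on the installer. Accept https:// and ftps://;
# accept http:// only when the second argument is "yes" (a network you own).
ssh_key_url_ok() {
    url=$1
    allow_http=${2:-no}
    case "$url" in
        https://*|ftps://*) return 0 ;;
        http://*)           [ "$allow_http" = yes ] ;;
        *)                  return 1 ;;
    esac
}

# build_parmfile REPO MODLOOP IPVALUE SSHKEY_URL [EXTRA_LINE...]
# Prints the kernel parameter lines, one per line. EXTRA_LINE arguments are
# emitted verbatim and are meant for the z/VM-only dasd= and s390x_net=.
build_parmfile() {
    repo=$1; modloop=$2; ipval=$3; sshkey=$4
    shift 4
    ssh_key_url_ok "$sshkey" || {
        echo "refusing ssh_key URL over an unprotected scheme: $sshkey" >&2
        return 1
    }
    if [ "$ipval" != ip=dhcp ] && [ "$(ip_param_field_count "$ipval")" -ne 9 ]; then
        echo "malformed ip= value (need 9 colon-separated fields): $ipval" >&2
        return 1
    fi
    printf 'alpine_repo=%s\nmodloop=%s\n' "$repo" "$modloop"
    for extra in "$@"; do printf '%s\n' "$extra"; done
    printf '%s\nssh_key=%s\n' "$ipval" "$sshkey"
}
```

For KVM, join the printed lines with spaces to form the <code>-append</code> string; for z/VM, append them to the ZNETBOOT_* lines of <code>alpine.znetboot</code>.<br />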
<br />
= 3. Pre-installation =<br />
<br />
<br />
== KVM ==<br />
Create a virtual disk:<br />
 $ qemu-img create -f qcow2 alpine_disk.qcow2 5G<br />
<br />
==== Using iso image ====<br />
Download latest iso image from : http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x<br />
<br />
Start qemu:<br />
<br />
$ qemu-system-s390x -M s390-ccw-virtio \<br />
-m 1024 -smp 2 -nographic -enable-kvm \<br />
-net nic -net tap,ifname=tap0,script=no \<br />
-hda alpine_disk.qcow2 \<br />
-boot d -cdrom alpine-standard-3.10.0-s390x.iso<br />
<br />
==== Using netboot media ====<br />
Download the latest [http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/vmlinuz-vanilla kernel] and [http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/initramfs-vanilla initramfs].<br />
<br />
Start qemu: (modify <code>ip=</code> <code>alpine_repo=</code> <code>ssh_key=</code> for your needs)<br />
<br />
$ qemu-system-s390x -M s390-ccw-virtio \<br />
-m 1024 -smp 2 -nographic -enable-kvm \<br />
-net nic -net tap,ifname=tap0,script=no \<br />
-hda alpine_disk.qcow2 \<br />
-kernel vmlinuz-vanilla \<br />
-initrd initramfs-vanilla \<br />
-append "ip=192.168.1.2::192.168.1.1:255.255.255.0::::8.8.8.8:1.1.1.1 alpine_repo=http://dl-cdn.alpinelinux.org/alpine/v3.10/main modloop=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/modloop-vanilla ssh_key=https://your-website.com/your-ssh-key.pub"<br />
<br />
{{Note|If you have direct access to the qemu console, <code>ssh_key</code> might not be required.}}<br />
<br />
== z/VM ==<br />
To simplify downloading the images, punching them to the reader, IPLing, etc., [https://github.com/trothr/znetboot '''ZNETBOOT'''] is used.<br />
<br />
{{Note|Hosting the images on an FTP server and downloading them from the x3270 console also works, in which case ZNETBOOT is not needed.}}<br />
<br />
<br />
<br />
==== Create the parm file ====<br />
On your workstation/laptop, create a file named <code>alpine.znetboot</code> in your home directory with the contents below (modify <code>dasd=</code>, <code>s390x_net=</code>, <code>ip=</code>, <code>alpine_repo=</code> and <code>ssh_key=</code> for your needs):<br />
<br />
<pre><br />
ZNETBOOT_KERNEL=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/vmlinuz-vanilla<br />
ZNETBOOT_INITRD=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/initramfs-vanilla<br />
ZNETBOOT_PROGRESS=1M<br />
<br />
alpine_repo=http://dl-cdn.alpinelinux.org/alpine/v3.10/main<br />
modloop=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/modloop-vanilla<br />
<br />
dasd=0.0.04c0,0.0.05d1<br />
s390x_net=qeth_l2,0.0.0560,0.0.0561,0.0.0562<br />
ip=192.168.1.2::192.168.1.1:255.255.255.0::::8.8.8.8:1.1.1.1<br />
<br />
ssh_key=https://your-website.com/your-ssh-key.pub<br />
<br />
</pre><br />
<br />
==== Upload to z/VM system via 3270 client ====<br />
[[File:X3270-1.png|right|300px|thumb|Figure 1.]]<br />
On your workstation/laptop, download 2 files [https://raw.githubusercontent.com/trothr/znetboot/master/znetboot.exec <code>znetboot.exec</code>], and [https://raw.githubusercontent.com/trothr/znetboot/master/curl.rexx <code>curl.rexx</code>] to your home directory.<br />
<br />
Open the 3270 client and log in to the z/VM system with your z/VM username and password.<br />
<br />
Upload the 3 files <code>alpine.znetboot</code>, <code>znetboot.exec</code> and <code>curl.rexx</code> to the z/VM system using the 3270 client (this tutorial uses x3270). In the top left corner, click "File", then "File Transfer" (Figure 1).<br />
<br />
Do the following steps (Figure 2): [[File:X3270-2.png|right|300px|thumb|Figure 2.]]<br />
* On "Local File Name" box, enter '''alpine.znetboot''' (the file in your laptop/workstation, at '''~/alpine.znetboot''')<br />
* On "Host File Name" box, enter '''alpine znetboot''' (the file will be in z/VM console)<br />
<br />
{{Note|Beware the difference between '''the dot <code>.</code>''' and '''the space <code> </code>''' characters in the file names.}}<br />
<br />
* Choose '''Send to host'''<br />
* Choose '''Host is VM/CMS'''<br />
* Choose either '''Fixed''' or '''Variable''' for '''Record Format'''<br />
:Enter a number for LRECL and BLKSIZE, respectively<br />
{{Note|Any line in '''alpine.znetboot''' longer than 80 characters (columns) will be split into more than one line when uploaded to z/VM (CMS) via 3270. Count the characters in the longest line of your '''alpine.znetboot''' and enter that number as LRECL. There is no restriction on BLKSIZE, but 80 is preferred.}}<br />
<br />
* Click '''Transfer File''' box<br />
<br />
Repeat the same steps with <code>znetboot.exec</code> and <code>curl.rexx</code> files.<br />
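The LRECL note above asks you to count the longest line by hand; the <code>ZNETBOOT_KERNEL=</code> line in the sample parm file is already 97 characters, so the default of 80 would wrap it and break the boot. The following POSIX sh functions, added here as an example and not part of the wiki page or of ZNETBOOT, measure the file before you upload it. Using 80 as the lower bound in <code>lrecl_for</code> is a choice made here, matching the page's preferred BLKSIZE, not a CMS requirement.<br />

```shell
#!/bin/sh
# Added example: size LRECL from the parm file instead of guessing (not part
# of ZNETBOOT or the wiki page).

# longest_line_length FILE
# Prints the length in characters of the longest line in FILE (0 if empty).
longest_line_length() {
    awk '{ if (length($0) > max) max = length($0) } END { print max + 0 }' "$1"
}

# lines_longer_than LIMIT FILE
# Prints "<lineno>:<length>" for every line longer than LIMIT columns, so you
# can see which lines a too-small LRECL would wrap.
lines_longer_than() {
    awk -v limit="$1" 'length($0) > limit { print NR ":" length($0) }' "$2"
}

# lrecl_for FILE
# Prints the record length to enter in the transfer dialog: the longest line,
# but never below 80 (a choice made here for short files).
lrecl_for() {
    n=$(longest_line_length "$1")
    if [ "$n" -lt 80 ]; then n=80; fi
    printf '%s\n' "$n"
}

# Typical use before the x3270 transfer:
#   lrecl_for ~/alpine.znetboot
#   lines_longer_than 80 ~/alpine.znetboot
```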
<br />
==== (Optional) Check the configuration files ====<br />
On the 3270 client, enter the following commands to check that the configuration files were transferred correctly:<br />
<br />
<code>xedit alpine znetboot</code><br />
<br />
<code>xedit znetboot exec</code><br />
<br />
<code>xedit curl rex</code><br />
<br />
or run <code>filel</code> and put <code>xedit</code> in the CMD column to edit the respective file.<br />
<br />
==== Start ZNETBOOT ====<br />
On the 3270 client, type the command below and wait until you see Figure 3.: [[File:X3270-3.png|right|300px|thumb|Figure 3.]]<br />
<br />
<code>znetboot alpine</code><br />
<br />
= 4. Installation =<br />
If you install on z/VM, the steps in this part no longer involve the 3270 client. Everything is done in a terminal with an SSH client.<br />
<br />
If you install on KVM, you can either SSH into the installer (below) or use the console of the qemu process directly.<br />
<br />
Whether installing on KVM or z/VM, from your workstation/laptop you will be able to run:<br />
$ ssh root@192.168.1.2 (change ip address to what you specified earlier)<br />
<br />
Remaining steps are similar to installing Alpine on other architectures (x86, arm, ppc, etc.), either on KVM (using virtio/SCSI disks) or on z/VM with FBA DASDs. Installing on ECKD DASDs requires an additional step, as described below.<br />
<br />
<br />
== Example ==<br />
Below is a detailed walkthrough of installing Alpine on a single ECKD DASD using LVM and then extending that LVM volume onto a second ECKD DASD.<br />
<br />
<br />
After SSH-ing into the Alpine installer, run:<br />
# setup-alpine<br />
<br />
<code>Select keyboard layout [none]:</code><br />
:press Enter for none<br />
<br />
<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
:enter your hostname<br />
<br />
<pre><br />
Available interfaces are: eth0.<br />
Enter '?' for help on bridges, bonding and vlans.<br />
Which one do you want to initialize? (or '?' or 'done') [eth0]:</pre><br />
:type 'eth0' or press Enter<br />
<br />
<code>Ip address for eth0? (or 'dhcp', 'none', '?') [192.168.1.2]</code><br />
:enter ip address or 'dhcp'<br />
<br />
<code>Netmask? [255.255.255.0]</code><br />
:enter netmask<br />
<code>Gateway? (or 'none') [192.168.1.1]</code><br />
:enter gateway's ip address<br />
<br />
<code>Do you want to do any manual network configuration? [no]</code><br />
:enter 'no' or press Enter<br />
<br />
<code>DNS domain name? (e.g 'bar.com') []</code><br />
:enter domain name or press Enter for none<br />
<br />
<code>DNS nameserver(s)? [8.8.8.8 ]</code><br />
:enter DNS nameserver<br />
<br />
<code>Changing password for root</code><br />
:enter root password<br />
<br />
<code>Which timezone are you in? ('?' for list) [UTC]</code><br />
:enter timezone or '?' for list of timezones<br />
<br />
<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
:enter proxy or press Enter for none<br />
<br />
<code>Enter mirror number (1-27) or URL to add (or r/f/e/done) [f]:</code><br />
:enter a number or 'r' or 'f' or 'e' or 'done' as described<br />
<br />
<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]</code><br />
:enter SSH server or press Enter for openssh<br />
<br />
<code>Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]</code><br />
:enter 'busybox' or press Enter for chrony<br />
<br />
''' (next step is the additional step for ECKD DASDs on z/VM)'''<br />
<pre><br />
Available ECKD DASD(s) are:<br />
0.0.04c0 (3390/0c 3990/e9 IBM)<br />
0.0.05d1 (3390/0c 3990/e9 IBM)<br />
Which ECKD DASD(s) would you like to be formatted using dasdfmt? (enter '?' for help) [all]</pre><br />
:enter 'all' or '0.0.04c0 0.0.05d1' '''(separated by a space)''' to format all/both DASDs<br />
:enter '0.0.04c0' or '0.0.05d1' to format respective DASD<br />
:enter '?' for help<br />
<br />
<code>WARNING: Erase ECKD DASD 0.0.04c0? [y/N]:</code><br />
:enter 'y' to format<br />
<br />
<pre><br />
Available disks are:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
Which disk(s) would you like to use? (or '?' for help or 'none') [dasda]</pre><br />
:enter 'dasda' or press Enter<br />
<br />
<pre><br />
The following disk is selected:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
How would you like to use it? ('sys', 'data', 'lvm' or '?' for help) [?]</pre><br />
:enter 'lvm'<br />
<br />
<pre><br />
The following disk is selected (with LVM):<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
How would you like to use it? ('sys', 'data' or '?' for help) [?]</pre><br />
:enter 'sys' to install Alpine on disk<br />
<br />
<pre><br />
WARNING: The following disk(s) will be erased:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
WARNING: Erase the above disk(s) and continue? [y/N]:</pre><br />
:enter 'y'<br />
<br />
<code>Installation is complete. Please reboot.</code><br />
:the installation is finished<br />
<br />
At this point, don't poweroff the installer right away. Go to [https://wiki.alpinelinux.org/wiki/S390x#Copying_SSH_keys_to_new_Alpine_system "Copying SSH keys to new Alpine system"] (below) to have SSH access to your new Alpine system.<br />
<br />
<br />
== Copying SSH keys to new Alpine system ==<br />
<br />
By default, Alpine disables root login with a password via SSH. SSH keys are used instead.<br />
<br />
After the installer has finished (<code>Installation is complete. Please reboot.</code>), there are 2 ways to copy your SSH key into the new Alpine system:<br />
* Option 1: mount the installed disk and copy the SSH keys while still at the installer's terminal<br />
* Option 2: poweroff the installer, start the new Alpine system and directly add the SSH keys<br />
::: if you install on KVM, boot the new Alpine system on qemu, and copy the SSH keys<br />
::: if you install on z/VM, use the 3270 client to ipl the new Alpine system and copy the SSH keys<br />
<br />
'''Option 1'''<br />
<br />
If you use 'lvm' + 'sys' installation (like in above example), do:<br />
<br />
:<code> # mount /dev/vg0/lv_root /mnt</code><br />
<br />
:<code> # cp -ar /root/.ssh /mnt/root</code><br />
<br />
If you use 'sys' (without LVM) installation, do:<br />
<br />
:<code> # mount /dev/dasda3 /mnt</code> (change dasda to dasdb or dasdc, etc. for whichever DASD you chose)<br />
<br />
:<code> # cp -ar /root/.ssh /mnt/root</code><br />
<br />
{{Note|In 'sys' installation, 1st partition is boot, 2nd partition is swap, 3rd partition is root }}<br />
<br />
<br />
Then run <code> # poweroff</code>.<br />
<br />
Go to [https://wiki.alpinelinux.org/wiki/S390x#Login_to_new_Alpine_system "Login to new Alpine system"]<br />
<br />
'''Option 2'''<br />
<br />
Run <code> # poweroff</code>.<br />
<br />
If you use KVM, start qemu with new Alpine system (removing <code>-kernel</code>, <code>-initrd</code>, <code>-append</code> options)<br />
<br />
If you use z/VM, open the 3270 client and log in with your z/VM username and password. You may need to run <code> ipl cms</code> first. Then run <code> ipl 04c0</code> (or whichever DASD device you chose as the root disk in the earlier steps).<br />
<br />
<br />
Wait for the new Alpine system to come up, then log in as root on the qemu console (KVM) or the 3270 client (z/VM). Then run:<br />
::<code> # mkdir /root/.ssh</code><br />
::<code> # wget https://your-website.com/your-ssh-key.pub -O /root/.ssh/authorized_keys</code><br />
::<code> # chmod 700 /root/.ssh</code><br />
::<code> # chmod 600 /root/.ssh/authorized_keys</code><br />
<br />
Go to [https://wiki.alpinelinux.org/wiki/S390x#Login_to_new_Alpine_system "Login to new Alpine system"]<br />
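Both options above end with a file named <code>authorized_keys</code> whose contents were never checked: a <code>wget -O</code> straight into it installs whatever the server returned, including an HTML error page or a substituted key. The following POSIX sh functions, added here as an example and not part of the wiki page or of Alpine, validate that each line has the shape of an OpenSSH public key before installing it with the permissions sshd requires, and take the target root as a parameter so the same function serves Option 1 (<code>/mnt</code>) and Option 2 (<code>/</code>). The key in the test is constructed for the test and is not a real key.<br />

```shell
#!/bin/sh
# Added example: validate a public key file, then install it as
# authorized_keys with 700/600 permissions (not Alpine's code).

# pubkey_line_ok LINE
# Returns 0 if LINE looks like "<type> <base64-blob> [comment]" with a key
# type OpenSSH accepts. Rejects one-field lines, HTML and unknown types.
pubkey_line_ok() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    [ "$rest" != "$line" ] || return 1      # no space: only one field
    blob=${rest%% *}
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;    # not base64
    esac
    [ ${#blob} -ge 16 ]
}

# pubkey_file_ok FILE
# Every non-empty, non-comment line must pass pubkey_line_ok, and there must
# be at least one key; an empty or HTML file fails.
pubkey_file_ok() {
    found=1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        pubkey_line_ok "$line" || return 1
        found=0
    done < "$1"
    return $found
}

# install_authorized_key ROOT PUBKEY_FILE
# ROOT is the mount point of the target system: "/" for the running system
# (Option 2), "/mnt" for the installed disk mounted from the installer
# (Option 1). Appends the key lines, so an existing key is not clobbered.
install_authorized_key() {
    root=${1%/}
    key=$2
    dest="$root/root/.ssh/authorized_keys"
    pubkey_file_ok "$key" || {
        echo "$key is not a valid OpenSSH public key file" >&2
        return 1
    }
    install -d -m 700 "$root/root/.ssh"
    awk 'NF && $1 !~ /^#/' "$key" >> "$dest"
    chmod 600 "$dest"
}

# Typical use (Option 2, URL is a placeholder as on the page):
#   wget https://your-website.com/your-ssh-key.pub -O /tmp/key.pub
#   install_authorized_key / /tmp/key.pub
```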
<br />
<br />
== Login to new Alpine system ==<br />
On your workstation/laptop, use an SSH client to log in to the new Alpine system:<br />
<code> $ ssh root@192.168.1.2</code> (or whichever ip address you used)<br />
<br />
<br />
== Extending LVM volume ==<br />
After logging in to your new Alpine system, run:<br />
<pre><br />
# apk add -q util-linux e2fsprogs-extra<br />
<br />
# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
dasda 94:0 0 2.3G 0 disk <br />
├─dasda1 94:1 0 100M 0 part /boot<br />
└─dasda2 94:2 0 2.2G 0 part <br />
├─vg0-lv_swap 254:0 0 588M 0 lvm [SWAP]<br />
└─vg0-lv_root 254:1 0 1.6G 0 lvm /<br />
dasdb 94:4 0 2.3G 0 disk<br />
<br />
# dasdfmt -b 4096 -d cdl -yp /dev/dasdb<br />
<br />
# fdasd -a /dev/dasdb<br />
<br />
# pvcreate /dev/dasdb1<br />
<br />
# vgextend vg0 /dev/dasdb1<br />
<br />
# lvextend -l +100%FREE /dev/vg0/lv_root<br />
<br />
# resize2fs /dev/vg0/lv_root<br />
<br />
# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
dasda 94:0 0 2.3G 0 disk <br />
├─dasda1 94:1 0 100M 0 part /boot<br />
└─dasda2 94:2 0 2.2G 0 part <br />
├─vg0-lv_swap 254:0 0 588M 0 lvm [SWAP]<br />
└─vg0-lv_root 254:1 0 3.9G 0 lvm /<br />
dasdb 94:4 0 2.3G 0 disk <br />
└─dasdb1 94:5 0 2.3G 0 part <br />
└─vg0-lv_root 254:1 0 3.9G 0 lvm /<br />
</pre><br />
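<code>dasdfmt</code> and <code>fdasd -a</code> wipe the target DASD without further confirmation, so the one check worth doing before the sequence above is that the device really is empty. The following POSIX sh functions, added here as an example and not part of the wiki page or of the s390-tools, parse the key=value form of <code>lsblk</code> (<code>lsblk -P -o NAME,PKNAME,MOUNTPOINT</code>, which avoids the tree-drawing characters of the default output) and refuse to run the extension if anything sits on the disk. The sample output in the test is constructed to match the <code>lsblk</code> listing above; mount points containing spaces are not handled.<br />

```shell
#!/bin/sh
# Added example: refuse to dasdfmt a disk that lsblk shows as in use (not
# part of the wiki page or of s390-tools).

# disk_users LSBLK_P_OUTPUT DISK
# Reads the output of `lsblk -P -o NAME,PKNAME,MOUNTPOINT` from the first
# argument and prints "name[:mountpoint]" for every direct child of DISK, and
# for DISK itself if it is mounted. Empty output means the disk is unused.
disk_users() {
    printf '%s\n' "$1" | awk -v disk="$2" '
        {
            name = ""; pkname = ""; mp = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/"/, "", v)
                if (kv[1] == "NAME") name = v
                else if (kv[1] == "PKNAME") pkname = v
                else if (kv[1] == "MOUNTPOINT") mp = v
            }
            if (pkname == disk || (name == disk && mp != ""))
                print (mp == "" ? name : (name ":" mp))
        }'
}

# disk_is_free DISK
# Returns 0 only when the live lsblk shows nothing on DISK (e.g. dasdb).
disk_is_free() {
    [ -z "$(disk_users "$(lsblk -P -o NAME,PKNAME,MOUNTPOINT)" "$1")" ]
}

# extend_root_onto DISK
# The extension sequence above, guarded by the check. Stops at the first
# failing step so a half-prepared disk is not added to the volume group.
extend_root_onto() {
    disk=$1
    if ! disk_is_free "$disk"; then
        echo "/dev/$disk is in use, refusing to format:" >&2
        disk_users "$(lsblk -P -o NAME,PKNAME,MOUNTPOINT)" "$disk" >&2
        return 1
    fi
    dasdfmt -b 4096 -d cdl -yp "/dev/$disk" &&
    fdasd -a "/dev/$disk" &&
    pvcreate "/dev/${disk}1" &&
    vgextend vg0 "/dev/${disk}1" &&
    lvextend -l +100%FREE /dev/vg0/lv_root &&
    resize2fs /dev/vg0/lv_root
}

# Typical use after `apk add util-linux e2fsprogs-extra`:
#   extend_root_onto dasdb
```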
<br />
<br />
<br />
= 5. Tips =<br />
If you want to install without a swap partition, quit the installer with <code>Ctrl + C</code> after finishing the NTP client step. Then run the following command to complete the remaining steps:<br />
<br />
<code># setup-disk -s 0</code><br />
<br />
{{Note|In a 'sys' installation there will then be no swap partition: the 1st partition is boot and the 2nd partition is root.}}<br />
<br />
<br />
[[category:IBM]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=S390x/Installation&diff=20155S390x/Installation2021-09-29T05:26:19Z<p>Bt129: /* 1. Known Issues */</p>
<hr />
<div>{{TOC right}}<br />
<br />
= 1. Known Issues =<br />
1. Installation on 2 or more DASDs (either ECKD and FBA) on z/VM is not supported in the installer script (<code>setup-alpine</code>) at the moment. If you want to install/extend on more than 1 DASD, see [https://wiki.alpinelinux.org/wiki/S390x#Extending_LVM_volume "Extending LVM volume"]. However, installation on 2 or more virtio (SCSI) disks on KVM is supported just like other architectures.<br />
<br />
= 2. The boot media =<br />
<br />
For KVM, both ISO image and netboot media (kernel and initramfs) are supported.<br />
<br />
For z/VM, netboot media is supported.<br />
<br />
For LPAR, netboot media is supported. See [https://wiki.alpinelinux.org/wiki/S390x/Installation/LPAR "LPAR"] for more information.<br />
<br />
Boot media are found at:<br />
<br />
* http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/<br />
<br />
<br />
== Kernel parameters (and parmfile) ==<br />
The Alpine s390x boot media requires following kernel parameters to work: (Details at : <code>https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt</code>)<br />
<br />
<code>ip=dhcp</code> : use DHCP for network configuration.<br />
<br />
<code>ip=client-ip:server-ip:gw-ip:netmask:hostname:device:autoconf:dns1:dns2</code> : use static IP configuration, each field is separated by a colon <code>:</code><br />
* <code>client-ip</code> ip address of the guest VM where we are going to run the installer<br />
* <code>server-ip</code> not used, leave blank or fill with <code>none</code><br />
* <code>gw-ip</code> the gateway ip address<br />
* <code>netmask</code> the netmask<br />
* <code>hostname</code> not used, leave blank or fill with <code>none</code><br />
* <code>device</code> the network interface of the guest VM, default is <code>eth0</code> if left blank<br />
* <code>autoconf</code> not used, leave blank or fill with <code>none</code> or <code>off</code><br />
* <code>dns1</code> address of the DNS server<br />
* <code>dns2</code> address of the 2nd DNS server<br />
<br />
<code>alpine_repo=</code> : the location of the Alpine repository from which packages are downloaded.<br />
<br />
:For stable release, use <code>http://dl-cdn.alpinelinux.org/alpine/v3.10/main</code><br />
<br />
:For rolling release, use <code>http://dl-cdn.alpinelinux.org/alpine/edge/main</code><br />
<br />
<code>modloop=</code> : the remote location of the image containing kernel's modules, required for LVM and raid setup.<br />
<br />
:The remote location of the <code>modloop</code> image is the same as the kernel and initramfs (see below).<br />
<br />
<code>ssh_key=</code> : the remote location of your SSH public key which is used to allow SSH connection into the installer. It will be downloaded and copied into <code>/root/.ssh/authorized_keys</code> in the installer.<br />
<br />
{{Note|Fetching public keys from HTTP, HTTPS and FTPS are supported. HTTP should only be used in local development network where you own the network.}}<br />
<br />
{{Note|Alpine Linux security policies are against using passwords for root access via SSH as we consider using public-private key pairs is a much better approach.}}<br />
<br />
<br />
'''z/VM only'''<br />
<br />
<code>dasd=</code> : the addresses of the DASD devices, either ECKD or FBA DASDs. Each device is separated with a comma.<br />
<br />
<code>s390x_net=</code> : the network interface type and its subchannels. At the moment, only QETH layer 2 is supported, thus the name <code>qeth_l2</code> is used (see below).<br />
<br />
= 3. Pre-installation =<br />
<br />
<br />
== KVM ==<br />
Create a virtual disk:<br />
$ qemu-img create alpine_disk.qcow2 5G<br />
<br />
==== Using iso image ====<br />
Download latest iso image from : http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x<br />
<br />
Start qemu:<br />
<br />
$ qemu-system-s390x -M s390-ccw-virtio \<br />
-m 1024 -smp 2 -nographic -enable-kvm \<br />
-net nic -net tap,ifname=tap0,script=no \<br />
-hda alpine_disk.qcow2 \<br />
-boot d -cdrom alpine-standard-3.10.0-s390x.iso<br />
<br />
==== Using netboot media ====<br />
Download the latest [http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/vmlinuz-vanilla kernel] and [http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/initramfs-vanilla initramfs].<br />
<br />
Start qemu: (modify <code>ip=</code> <code>alpine_repo=</code> <code>ssh_key=</code> for your needs)<br />
<br />
$ qemu-system-s390x -M s390-ccw-virtio \<br />
-m 1024 -smp 2 -nographic -enable-kvm \<br />
-net nic -net tap,ifname=tap0,script=no \<br />
-hda alpine_disk.qcow2 \<br />
-kernel vmlinuz-vanilla \<br />
-initrd initramfs-vanilla \<br />
-append "ip=192.168.1.2::192.168.1.1:255.255.255.0::::8.8.8.8:1.1.1.1 alpine_repo=http://dl-cdn.alpinelinux.org/alpine/v3.10/main modloop=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/modloop-vanilla ssh_key=https://your-website.com/your-ssh-key.pub"<br />
<br />
{{Note|If you have direct access to the qemu console, <code>ssh_key</code> might not be required.}}<br />
<br />
== z/VM ==<br />
To ease out the process of downloading the images, punch the readers, ipl, etc., [https://github.com/trothr/znetboot '''ZNETBOOT'''] is used.<br />
<br />
{{Note|Using a FTP server to host the images and download them from x3270 console also works - thus no need to use ZNETBOOT. }}<br />
<br />
<br />
<br />
==== Create the parm file ====<br />
On your workstation/laptop, create a file named <code>alpine.znetboot</code> in your home directory with contents below (modify <code>dasd=</code><code>s390x_net=</code> <code>ip=</code> <code>alpine_repo=</code> <code>ssh_key=</code> for your needs)<br />
<br />
<pre><br />
ZNETBOOT_KERNEL=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/vmlinuz-vanilla<br />
ZNETBOOT_INITRD=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/initramfs-vanilla<br />
ZNETBOOT_PROGRESS=1M<br />
<br />
alpine_repo=http://dl-cdn.alpinelinux.org/alpine/v3.10/main<br />
modloop=http://dl-cdn.alpinelinux.org/alpine/v3.10/releases/s390x/netboot/modloop-vanilla<br />
<br />
dasd=0.0.04c0,0.0.05d1<br />
s390x_net=qeth_l2,0.0.0560,0.0.0561,0.0.0562<br />
ip=192.168.1.2::192.168.1.1:255.255.255.0::::8.8.8.8:1.1.1.1<br />
<br />
ssh_key=https://your-website.com/your-ssh-key.pub<br />
<br />
</pre><br />
<br />
==== Upload to z/VM system via 3270 client ====<br />
[[File:X3270-1.png|right|300px|thumb|Figure 1.]]<br />
On your workstation/laptop, download 2 files [https://raw.githubusercontent.com/trothr/znetboot/master/znetboot.exec <code>znetboot.exec</code>], and [https://raw.githubusercontent.com/trothr/znetboot/master/curl.rexx <code>curl.rexx</code>] to your home directory.<br />
<br />
Open 3270 client and log in the z/VM system with your z/VM username and password.<br />
<br />
Upload 3 files <code>alpine.znetboot</code>, <code>znetboot.exec</code>, <code>curl.rexx</code> to the z/VM environment using the 3270 client (this tutorial uses x3270). On the top left corner, click "File", then "File Transfer". (Figure 1.)<br />
<br />
Do following steps : (Figure 2.) [[File:X3270-2.png|right|300px|thumb|Figure 2.]]<br />
* On "Local File Name" box, enter '''alpine.znetboot''' (the file in your laptop/workstation, at '''~/alpine.znetboot''')<br />
* On "Host File Name" box, enter '''alpine znetboot''' (the file will be in z/VM console)<br />
<br />
{{Note|Beware the difference between '''the dot <code>.</code>''' and '''the space <code> </code>''' characters in the file names.}}<br />
<br />
* Choose '''Send to host'''<br />
* Choose '''Host is VM/CMS'''<br />
* Choose either '''Fixed''' or '''Variable''' for '''Record Format'''<br />
:Enter a number for LRECL and BLKSIZE, respectively<br />
{{Note|Any line in '''alpine.znetboot''' that has more 80 chars (columns) will be splitted into more than 1 line when uploaded to z/VM (CMS) console via 3270. Count the number of characters/column of the longest line in your '''alpine.znetboot''' and fill it in LRECL. There is no restriction for BLKSIZE but 80 is preferred.}}<br />
<br />
* Click '''Transfer File''' box<br />
<br />
Repeat the same steps with <code>znetboot.exec</code> and <code>curl.rexx</code> files.<br />
<br />
==== (Optional) Check the configuration files ====<br />
On 3270 client, enter following commands to check if the configuration files are correctly transferred:<br />
<br />
<code>xedit alpine znetboot</code><br />
<br />
<code>xedit znetboot exec</code><br />
<br />
<code>xedit curl rex</code><br />
<br />
or <code>filel</code> and put <code>xedit</code> on CMD column to edit respective file.<br />
<br />
==== Start ZNETBOOT ====<br />
On 3270 client, type below command and wait till Figure 3.: [[File:X3270-3.png|right|300px|thumb|Figure 3.]]<br />
<br />
<code>znetboot alpine</code><br />
<br />
= 4. Installation =<br />
If you install on z/VM, steps in this part does not involve the interaction with the 3270 client anymore. Everything is done in the terminal with SSH client.<br />
<br />
If you install on KVM, you can either SSH into the installer (below) or directly use the console starting qemu.<br />
<br />
Either installing in KVM or z/VM environments, from your workstation/laptop, you will be able to run:<br />
$ ssh root@192.168.1.2 (change ip address to what you specified earlier)<br />
<br />
Remaining steps are similar to installing Alpine on other architectures (x86, arm, ppc, etc.), either on KVM (using virtio/SCSI disks) or on z/VM with FBA DASDs. Installing on ECKD DASDs requires an additional step, as described below.<br />
<br />
<br />
== Example ==<br />
Below is the detailed walkthrough of installing Alpine on a single ECKD DASD using LVM and extend that LVM to the second ECKD DASD.<br />
<br />
<br />
After SSH-ing into the Alpine installer, run:<br />
# setup-alpine<br />
<br />
<code>Select keyboard layout [none]:</code><br />
:press Enter for none<br />
<br />
<code>Enter system hostname (short form, e.g. 'foo') [localhost]:</code><br />
:enter your hostname<br />
<br />
<pre><br />
Available interfaces are: eth0.<br />
Enter '?' for help on bridges, bonding and vlans.<br />
Which one do you want to initialize? (or '?' or 'done') [eth0]:</pre><br />
:type 'eth0' or press Enter<br />
<br />
<code>Ip address for eth0? (or 'dhcp', 'none', '?') [192.168.1.2]</code><br />
:enter ip address or 'dhcp'<br />
<br />
<code>Netmask? [255.255.255.0]</code><br />
:enter netmask<br />
<code>Gateway? (or 'none') [192.168.1.1]</code><br />
:enter gateway's ip address<br />
<br />
<code>Do you want to do any manual network configuration? [no]</code><br />
:enter 'no' or press Enter<br />
<br />
<code>DNS domain name? (e.g 'bar.com') []</code><br />
:enter domain name or press Enter for none<br />
<br />
<code>DNS nameserver(s)? [8.8.8.8 ]</code><br />
:enter DNS nameserver<br />
<br />
<code>Changing password for root</code><br />
:enter root password<br />
<br />
<code>Which timezone are you in? ('?' for list) [UTC]</code><br />
:enter timezone or '?' for list of timezones<br />
<br />
<code>HTTP/FTP proxy URL? (e.g. 'http://proxy:8080', or 'none') [none]</code><br />
:enter proxy or press Enter for none<br />
<br />
<code>Enter mirror number (1-27) or URL to add (or r/f/e/done) [f]:</code><br />
:enter a number or 'r' or 'f' or 'e' or 'done' as described<br />
<br />
<code>Which SSH server? ('openssh', 'dropbear' or 'none') [openssh]</code><br />
:enter SSH server or press Enter for openssh<br />
<br />
<code>Which NTP client to run? ('busybox', 'openntpd', 'chrony' or 'none') [chrony]</code><br />
:enter 'busybox' or press Enter for chrony<br />
<br />
'''(The next step is the additional step for ECKD DASDs on z/VM)'''<br />
<pre><br />
Available ECKD DASD(s) are:<br />
0.0.04c0 (3390/0c 3990/e9 IBM)<br />
0.0.05d1 (3390/0c 3990/e9 IBM)<br />
Which ECKD DASD(s) would you like to be formatted using dasdfmt? (enter '?' for help) [all]</pre><br />
:enter 'all' or '0.0.04c0 0.0.05d1' '''(separated by a space)''' to format all/both DASDs<br />
:enter '0.0.04c0' or '0.0.05d1' to format respective DASD<br />
:enter '?' for help<br />
<br />
<code>WARNING: Erase ECKD DASD 0.0.04c0? [y/N]:</code><br />
:enter 'y' to format<br />
<br />
<pre><br />
Available disks are:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
Which disk(s) would you like to use? (or '?' for help or 'none') [dasda]</pre><br />
:enter 'dasda' or press Enter<br />
<br />
<pre><br />
The following disk is selected:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
How would you like to use it? ('sys', 'data', 'lvm' or '?' for help) [?]</pre><br />
:enter 'lvm'<br />
<br />
<pre><br />
The following disk is selected (with LVM):<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
How would you like to use it? ('sys', 'data' or '?' for help) [?]</pre><br />
:enter 'sys' to install Alpine on disk<br />
<br />
<pre><br />
WARNING: The following disk(s) will be erased:<br />
dasda (2.5 GB IBM 0.0.04c0)<br />
WARNING: Erase the above disk(s) and continue? [y/N]:</pre><br />
:enter 'y'<br />
<br />
<code>Installation is complete. Please reboot.</code><br />
:the installation is finished<br />
<br />
At this point, don't power off the installer right away. Go to [https://wiki.alpinelinux.org/wiki/S390x#Copying_SSH_keys_to_new_Alpine_system "Copying SSH keys to new Alpine system"] (below) to get SSH access to your new Alpine system.<br />
<br />
<br />
== Copying SSH keys to new Alpine system ==<br />
<br />
By default, Alpine disables root login with a password via SSH. SSH keys are used instead.<br />
<br />
After the installer's done running (<code>Installation is complete. Please reboot.</code>), there are 2 ways to copy your SSH key into the new Alpine system:<br />
* Option 1: mount the installed disk and copy the SSH keys while still at the installer's terminal<br />
* Option 2: poweroff the installer, start the new Alpine system and directly add the SSH keys<br />
::: if you install on KVM, boot the new Alpine system on qemu, and copy the SSH keys<br />
::: if you install on z/VM, use the 3270 client to ipl the new Alpine system and copy the SSH keys<br />
<br />
'''Option 1'''<br />
<br />
If you use 'lvm' + 'sys' installation (like in above example), do:<br />
<br />
:<code> # mount /dev/vg0/lv_root /mnt</code><br />
<br />
:<code> # cp -ar /root/.ssh /mnt/root</code><br />
<br />
If you use 'sys' (without LVM) installation, do:<br />
<br />
:<code> # mount /dev/dasda3 /mnt</code> (change dasda to dasdb or dasdc, etc. for whichever DASD you chose)<br />
<br />
:<code> # cp -ar /root/.ssh /mnt/root</code><br />
<br />
{{Note|In 'sys' installation, 1st partition is boot, 2nd partition is swap, 3rd partition is root }}<br />
<br />
<br />
Then run <code> # poweroff</code>.<br />
<br />
Go to [https://wiki.alpinelinux.org/wiki/S390x#Login_to_new_Alpine_system "Login to new Alpine system"]<br />
<br />
'''Option 2'''<br />
<br />
Run <code> # poweroff</code>.<br />
<br />
If you use KVM, start qemu with the new Alpine system (removing the <code>-kernel</code>, <code>-initrd</code> and <code>-append</code> options).<br />
<br />
If you use z/VM, open the 3270 client and log in with your z/VM username and password. You may need to run <code> ipl cms</code>. Then run <code> ipl 04c0</code> (or whichever DASD device you chose as root disk in the earlier steps).<br />
<br />
<br />
Wait for the new Alpine system to come up, then log in as root in the qemu console (on KVM) or the 3270 client (on z/VM). Then run:<br />
::<code> # mkdir /root/.ssh</code><br />
::<code> # wget https://your-website.com/your-ssh-key.pub -O /root/.ssh/authorized_keys</code><br />
::<code> # chmod 700 /root/.ssh</code><br />
::<code> # chmod 600 /root/.ssh/authorized_keys</code><br />
<br />
Go to [https://wiki.alpinelinux.org/wiki/S390x#Login_to_new_Alpine_system "Login to new Alpine system"]<br />
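A check worth running before either option makes a fetched file root's authorized_keys (added example, not part of the wiki page): <code>wget -O</code> writes whatever the server returns, so an HTML error page would silently replace the key file and lock you out of the new system. The function names are this example's own, it only needs the busybox/coreutils tools the Alpine installer ships (grep -E, base64, head, tail), and the key used for testing is a constructed all-zero ed25519 key.<br />

```shell
#!/bin/sh
# Validate a fetched public-key file before installing it as authorized_keys.
# Added example, not from the wiki page; function names are this example's own.

# Shape of one OpenSSH public-key line: key type, base64 blob, optional comment.
KEY_LINE_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+={0,2}( .*)?$'

# key_line_ok LINE -> 0 if LINE is a well-formed key line, 1 otherwise.
# Beyond the textual shape, it decodes the blob and checks that the key type
# embedded in the SSH wire format (uint32 length, then the type string) matches
# the declared type. This catches truncated or mislabelled keys as well.
key_line_ok() {
    printf '%s\n' "$1" | grep -Eq "$KEY_LINE_RE" || return 1
    ktype=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#ktype}")
    [ "$embedded" = "$ktype" ]
}

# authorized_keys_ok FILE -> 0 if every non-blank, non-comment line is a
# well-formed key and at least one key is present; 1 otherwise (including
# the "404 page saved as a key file" case).
authorized_keys_ok() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        key_line_ok "$line" || return 1
        n=$((n + 1))
    done < "$1"
    [ "$n" -gt 0 ]
}

# install_authorized_keys SRC [HOME] -> validates SRC, then installs it as
# HOME/.ssh/authorized_keys with the modes sshd insists on (0700 dir, 0600 file).
# HOME defaults to /root, matching the page's commands.
install_authorized_keys() {
    src=$1
    home=${2:-/root}
    if ! authorized_keys_ok "$src"; then
        echo "refusing to install $src: not a valid authorized_keys file" >&2
        return 1
    fi
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    cp "$src" "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
}
```

Run it as <code>install_authorized_keys /tmp/your-ssh-key.pub</code> after the wget, in place of the bare <code>wget -O /root/.ssh/authorized_keys</code>.<br />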
<br />
<br />
== Login to new Alpine system ==<br />
On your workstation/laptop, use an SSH client to log in to the new Alpine system:<br />
<code> $ ssh root@192.168.1.2</code> (or whichever IP address you used)<br />
<br />
<br />
== Extending LVM volume ==<br />
After logging in to your new Alpine system, run:<br />
<pre><br />
# apk add -q util-linux e2fsprogs-extra<br />
<br />
# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
dasda 94:0 0 2.3G 0 disk <br />
├─dasda1 94:1 0 100M 0 part /boot<br />
└─dasda2 94:2 0 2.2G 0 part <br />
├─vg0-lv_swap 254:0 0 588M 0 lvm [SWAP]<br />
└─vg0-lv_root 254:1 0 1.6G 0 lvm /<br />
dasdb 94:4 0 2.3G 0 disk<br />
<br />
# dasdfmt -b 4096 -d cdl -yp /dev/dasdb<br />
<br />
# fdasd -a /dev/dasdb<br />
<br />
# pvcreate /dev/dasdb1<br />
<br />
# vgextend vg0 /dev/dasdb1<br />
<br />
# lvextend -l +100%FREE /dev/vg0/lv_root<br />
<br />
# resize2fs /dev/vg0/lv_root<br />
<br />
# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
dasda 94:0 0 2.3G 0 disk <br />
├─dasda1 94:1 0 100M 0 part /boot<br />
└─dasda2 94:2 0 2.2G 0 part <br />
├─vg0-lv_swap 254:0 0 588M 0 lvm [SWAP]<br />
└─vg0-lv_root 254:1 0 3.9G 0 lvm /<br />
dasdb 94:4 0 2.3G 0 disk <br />
└─dasdb1 94:5 0 2.3G 0 part <br />
└─vg0-lv_root 254:1 0 3.9G 0 lvm /<br />
</pre><br />
<br />
<br />
<br />
= 5. Tips =<br />
If you want to disable the swap partition, after finishing the NTP client step, quit the installer by pressing <code>Ctrl + C</code>. Then run the following command to complete the remaining steps:<br />
<br />
<code># setup-disk -s 0</code><br />
<br />
{{Note|If you do 'sys' installation, there will be no swap partition anymore and 1st partition will be boot, 2nd partition will be root}}<br />
<br />
<br />
[[category:IBM]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Bluetooth_Speaker&diff=20154Raspberry Pi Bluetooth Speaker2021-09-29T05:25:21Z<p>Bt129: /* Getting the Speaker(s) Working */</p>
<hr />
<div>=How To Build a Raspberry Pi Bluetooth Speaker=<br />
<br />
This article describes how to build a Bluetooth speaker. This article is being actively written. Currently it is full of bugs but will provide some useful pointers.<br />
<br />
=Before You Start=<br />
You’ll need:<br />
* A Raspberry Pi<br />
* A Bluetooth USB dongle (if your Pi doesn’t have Bluetooth on board)<br />
* Sound card and speaker(s)<br />
<br />
=Article Completion=<br />
# Test everything<br />
# Turn every background task into a service<br />
# More investigation on Bluetooth pairing<br />
<br />
=Getting the Speaker(s) Working=<br />
To get the best results, you'll need a dedicated audio add-on board and matching speakers. Higher end passive speakers need a proper amplifier (e.g. HiFiBerry Amp2 or IQaudIO DigiAMP+).<br />
<br />
I've used the whole range of IQaudio audio boards with different speakers and headphones. I'd also recommend a dedicated USB Bluetooth dongle (don't get the cheapest versions of these). It is possible to test by using the on-board Bluetooth and the on-board audio with headphones but because of dropped packets, the audio quality isn't great.<br />
<br />
Once the speakers and audio card are connected to the Raspberry Pi, it's time to install a fresh version of Alpine Linux. The armv7 version from the [https://alpinelinux.org/downloads/ Downloads] page works on almost all Pis. This Wiki has several articles about installing Alpine on a Raspberry Pi.<br />
<br />
Enable writing to the boot media:<br />
<br />
mount /media/mmcblk0p1 -o rw,remount<br />
<br />
Then, either enable the on board sound:<br />
<br />
echo "dtparam=audio=on" >> /media/mmcblk0p1/usercfg.txt<br />
<br />
or your sound card (e.g. IQaudIO):<br />
<br />
echo "dtoverlay=iqaudio-dacplus,unmute_amp" >> /media/mmcblk0p1/usercfg.txt<br />
<br />
Then reboot.<br />
<br />
Follow [https://wiki.alpinelinux.org/wiki/ALSA these instructions] to enable ALSA. In summary:<br />
<br />
apk add alsa-utils alsa-utils-doc alsa-lib alsaconf # the required software for sound<br />
aplay -l # should display a List of PLAYBACK Hardware Devices<br />
<br />
In my case my list is:<br />
<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Headphones [bcm2835 Headphones], device 0: bcm2835 Headphones [bcm2835 Headphones]<br />
Subdevices: 8/8<br />
Subdevice #0: subdevice #0<br />
Subdevice #1: subdevice #1<br />
Subdevice #2: subdevice #2<br />
Subdevice #3: subdevice #3<br />
Subdevice #4: subdevice #4<br />
Subdevice #5: subdevice #5<br />
Subdevice #6: subdevice #6<br />
<br />
Before you play anything from your speakers, I recommend turning down the volume.<br />
<br />
amixer<br />
<br />
displays a list of "simple controls." For my headphones and the on-board sound, the output looks like this:<br />
<br />
Simple mixer control 'Headphone',0<br />
Capabilities: pvolume pvolume-joined pswitch pswitch-joined<br />
Playback channels: Mono<br />
Limits: Playback -10239 - 400<br />
Mono: Playback 0 [96%] [0.00dB] [on]<br />
<br />
In this case, there is only 1 control, 'Headphone', so I issue this command to lower the maximum volume to a comfortable level (50%):<br />
<br />
amixer sset Headphone 50%<br />
<br />
The IQaudIO DAC that I use has a much larger set of controls. I issued this command to set the volume:<br />
<br />
amixer sset 'Digital' 50 # quotes may be required if there are spaces in the control name<br />
<br />
Note: there can be several interlinked controls, some of which are muted by default. ALSA (and other audio software on Linux) is notoriously under-documented; try `man amixer` for more information. Sometimes it is easier to use a more visual control to change the configuration:<br />
<br />
alsamixer<br />
<br />
Finally, if you issue this command:<br />
<br />
speaker-test -t wav -c 2<br />
<br />
Then you should hear "Front Left, Front Right" repeating from your chosen speakers. Now it's time to set up Bluetooth. Don't forget to save your changes (lbu commit).<br />
<br />
=Bluetooth=<br />
I used [https://wiki.alpinelinux.org/wiki/Raspberry_Pi_3_-_Setting_Up_Bluetooth Raspberry Pi 3 - Setting Up Bluetooth] as a reference with some slight modifications as I am using a Pi 4.<br />
<br />
Raspberry Pi 4<br />
<br />
apk add bluez<br />
btattach -B /dev/ttyAMA0 -P bcm -S 3000000 &<br />
# btattach -B /dev/ttyAMA0 -P bcm -S 115200 -N & # Pi 3 - not tested by me<br />
rc-service bluetooth start<br />
<br />
Edit {{Path|/etc/mdev.conf}} and enable Bluetooth. We're using `sed`, where '''s/#rpi bluetooth/rpi bluetooth/''' means replace '''#rpi bluetooth''' with '''rpi bluetooth'''.<br />
<br />
sed -i 's/#rpi bluetooth/rpi bluetooth/' /etc/mdev.conf<br />
sed -i 's/#ttyAMA0 root:tty 660 @btattach -B \/dev\/$MDEV -P bcm -S 115200/ttyAMA0 root:tty 660 @btattach -B \/dev\/$MDEV -P bcm -S 3000000/' /etc/mdev.conf<br />
<br />
Note: the last command uncomments the ''btattach'' command and changes it to work with the Pi 4. <br />
<br />
Changes to {{Path|/etc/bluetooth/main.conf}} (comments in this file must be on their own lines; text after a <code>#</code> on a key's line becomes part of the value):<br />
<br />
 # This is what you'll see when connecting<br />
 Name = Pi-Bluetooth-Speaker<br />
 # Adding audio playback and recording to this Bluetooth device<br />
 Class = 0x41C<br />
 # Always discoverable<br />
 DiscoverableTimeout = 0<br />
 # Always pairable, with no time limit<br />
 AlwaysPairable = true<br />
 PairableTimeout = 0<br />
 # Starts Bluetooth when Linux 'sees' the Bluetooth device at boot<br />
 AutoEnable=true<br />
<br />
Ensure that Bluetooth is started at boot:<br />
<br />
rc-update add bluetooth<br />
<br />
Bluetooth's state, including paired devices, is held in {{Path|/var/lib/bluetooth}}, so you'll need to add this to the `lbu` state:<br />
<br />
lbu include /var/lib/bluetooth<br />
lbu commit && reboot<br />
<br />
Manual device pairing:<br />
<br />
bluetoothctl<br />
<br />
[bluetooth]# discoverable on<br />
[agent] Confirm passkey 627133 (yes/no): yes<br />
[agent] Authorize service 0000110e-0000-1000-8000-00805f9b34fb (yes/no): yes<br />
<br />
Device pairing:<br />
<br />
apk add python3 py3-dbus py3-gobject3<br />
<br />
Getting this to work currently involves running bluez-simple-agent after having edited it to always return successful, which means the agent accepts every pairing request without checking the passkey. You'll need to comment out some lines (by adding "#" at the beginning):<br />
<br />
vi /usr/bin/bluez-simple-agent<br />
<br />
 #import bluezutils<br />
 <br />
 def RequestConfirmation(self, device, passkey):<br />
     #print("RequestConfirmation (%s, %06d)" % (device, passkey))<br />
     #confirm = ask("Confirm passkey (yes/no): ")<br />
     #if (confirm == "yes"):<br />
     set_trusted(device)<br />
     return<br />
     #raise Rejected("Passkey doesn't match")<br />
<br />
Then run the revised agent in the background and pair your devices:<br />
<br />
bluez-simple-agent &<br />
lbu include /usr/bin/bluez-simple-agent<br />
lbu commit<br />
<br />
Notes: [https://www.kynetics.com/docs/2018/pairing_agents_bluez/ Pairing Agents in BlueZ stack]<br />
[https://stackoverflow.com/questions/59214524/since-bluez-5-48-iphones-require-pairing-when-connecting-on-a-ble-gap-periphera Since Bluez 5.48, iPhones require pairing when connecting on a BLE GAP peripheral, why?]<br />
[https://gist.github.com/mill1000/74c7473ee3b4a5b13f6325e9994ff84c Headless A2DP Audio Streaming on Raspbian Stretch ]<br />
<br />
=bluez-alsa=<br />
At the time of writing this article, bluez-alsa is only found in the community repositories, so you need to edit your repository list:<br />
<br />
vi /etc/apk/repositories<br />
<br />
Remove the "#" from the community repository; mine is:<br />
<br />
http://uk.alpinelinux.org/alpine/v3.14/community<br />
<br />
This is the final stretch. We've got Bluetooth working and now we want to link Bluetooth to the speakers.<br />
<br />
apk add bluez-alsa<br />
bluealsa -p a2dp-source -p a2dp-sink &<br />
bluealsa-aplay &<br />
<br />
[https://github.com/Arkq/bluez-alsa Bluetooth Audio ALSA Backend]<br />
[https://github.com/Arkq/bluez-alsa/tree/master/doc bluez-alsa doc]<br />
[https://manpages.debian.org/unstable/bluez-alsa-utils/bluealsa.8.en.html man bluealsa]<br />
[https://manpages.debian.org/unstable/bluez-alsa-utils/bluealsa-aplay.1.en.html man bluealsa-aplay]<br />
[https://panther.kapsi.fi/posts/2018-11-17_linux_bluetooth_audio Bluetooth audio in Linux: ALSA and LDAC]<br />
<br />
=See Also=<br />
Raspberry Pi's blog on [https://www.raspberrypi.org/blog/how-to-play-sound-and-make-noise-with-your-raspberry-pi/ How to play sound and make noise with your Raspberry Pi]<br />
<br />
There are lots of speaker and amplifier options:<br />
* Raspberry Pi's [https://www.raspberrypi.org/blog/iqaudio-is-now-raspberry-pi/ IQaudIO boards]<br />
* Pimoroni's [https://shop.pimoroni.com/products/audio-amp-shim-3w-mono-amp Audio Amp SHIM (3W Mono Amp)] and [https://shop.pimoroni.com/products/mini-speaker-4-3w Mini Speaker 4Ω (3W)]<br />
* The Pi Hut offers this [https://thepihut.com/products/adafruit-i2s-3w-stereo-speaker-bonnet-for-raspberry-pi Adafruit I2S 3W Stereo Speaker Bonnet for Raspberry Pi (Mini Kit)] and the [https://thepihut.com/products/stereo-enclosed-speaker-set-3w-4-ohm Stereo Enclosed Speaker Set - 3W 4 Ohm]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20153Raspberry Pi Zero W - Installation2021-09-29T05:16:27Z<p>Bt129: /* Configure services and reboot */</p>
<hr />
<div>{{TOC right}}<br />
= Introduction =<br />
This wiki page describes how I installed Alpine Linux 3.9.2 armhf on a Raspberry Pi Zero W. I had problems with it initially, as WiFi wouldn't connect when going through the setup-alpine script, and when I was able to get it to connect (after numerous failed manual attempts) it wouldn't reconnect on reboot. The solution documented below adds and starts the rngd service prior to running setup-alpine, which fixes the wifi connection problems and allows you to walk through the setup script successfully. It also adds the rngd and wpa_supplicant services to start at boot and removes the network service from the rc-update list completely, which seems like the wrong thing to do and probably is - networking still gets started, probably as a dependency to something else, and it starts after rngd and wpa_supplicant, which is what I needed. When the networking service was set to "boot" (which it was out of the box) it was starting before rngd and wpa_supplicant so wlan0 would never connect.<br />
<br />
I need to go back through this again but it should work as written. Some steps may not be necessary for your use case and some steps may not be necessary at all, but don't seem to hurt. I'm still learning about Alpine Linux and hope to improve this process as I do more reading and experimentation.<br />
<br />
Update - 7 Dec 2019 - I went through installation again on a Pi Zero W with Alpine 3.10.3 for armhf. First boot after writing the image to the SD card seems to work ok as far as WiFi functionality is concerned. The setup script completes and I was able to connect to WiFi and pull down packages etc. I decided to not install the rngd related packages at this point to see how a reboot looked; the answer is not good. The dhcp request just times out. Running setup-alpine again at this point also doesn't work. If you start over and rewrite the image to the SD card, the first boot will again work ok; it's only rebooting that breaks Wifi. I think it's best to follow the steps for installing the rngd related packages and configuring the service to start at boot. Note that you can install what you need on first boot using apk; you don't need to copy the packages to the SD card offline as written below.<br />
<br />
Update - 29 Dec 2019 - See also a method to perform a headless setup: [[Raspberry Pi - Headless Installation]]<br />
<br />
= Write image to SD =<br />
First, format an SD card with the FAT filesystem. That can be done with a graphical tool like GParted once the SD card is mounted on your operating system. The following assumes the SD card device is at /dev/sdb1.<br />
<br />
Mount the SD card:<br />
{{Cmd|sudo mount /dev/sdb1 /mnt}}<br />
<br />
Then, copy the files:<br />
{{Cmd|tar -xzvf alpine-rpi-3.9.2-armhf.tar.gz -C /mnt --no-same-owner}}<br />
If you have no means to mount the SD card normally with an SD reader, it can be mounted over USB through the Raspberry Pi Zero W, using the usbbootgui tool to mount it as an eMMC/SD card reader. On Ubuntu, this can be installed as follows:<br />
{{Cmd|sudo add-apt-repository ppa:rpi-distro/ppa}}<br />
{{Cmd|sudo apt install usbbootgui}}<br />
<br />
A GUI should open as soon as you plug in your Pi; otherwise run<br />
{{Cmd|usbbootgui}}<br />
<br />
= Edit cmdline.txt and add line for serial console (Optional)=<br />
<br />
This is for my use case and optional if you are using a local keyboard and monitor. I do not connect a keyboard and monitor but rather do the setup via the Pi's serial GPIO pins.<br />
<br />
Create a file called cmdline.txt in the root of the SD card and place the following text in it:<br />
{{Cmd|modules{{=}}loop,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable{{=}}0 console{{=}}tty1 console{{=}}ttyAMA0,115200}}<br />
<br />
= Create usercfg.txt and edit (Optional) =<br />
<br />
This is mostly optional I believe and applies to my use case where I will be running the Pi in a headless appliance type mode. I reduce the memory allocated for the GPU, turn off audio (not sure I still need this on the Zero W), disable bluetooth (which I think puts the serial console back on the real uart, again, need to double check), add w1 for a temperature sensor, and set the enable_uart to 1 (may not be necessary, need to verify and add comments). This can be done by creating a file called usercfg.txt at the base of the SD card with the following contents:<br />
{{Cmd|gpu_mem{{=}}16<br />
dtparam{{=}}audio{{=}}off<br />
dtoverlay{{=}}pi3-disable-bt<br />
dtoverlay{{=}}w1-gpio<br />
enable_uart{{=}}1}}<br />
<br />
= Create cache folder and add rng-tools packages =<br />
{{Cmd|mkdir /mnt/cache}}<br />
I copied/pasted the following into the cache dir on the SD card. I have another Alpine env to apk fetch packages from (chroot on Fedora).<br />
{{Cmd|rng-tools-6.3.1-r1.652a1399.apk<br />
rng-tools-openrc-6.3.1-r1.e9b063f8.apk}}<br />
<br />
= Boot Pi with prepared SD card, login as root and add packages =<br />
<br />
I'm still new to Alpine, not sure if the setup-apkcache step is necessary or accomplishes anything here.<br />
{{Cmd|localhost:~# setup-apkcache <br />
Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: /media/mmcblk0p1/cache/<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-6.3.1-r1.652a1399.apk <br />
(1/1) Installing rng-tools (6.3.1-r1)<br />
Executing busybox-1.29.3-r10.trigger<br />
OK: 8 MiB in 21 packages<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-openrc-6.3.1-r1.e9b063f8.apk <br />
(1/1) Installing rng-tools-openrc (6.3.1-r1)<br />
OK: 8 MiB in 22 packages}}<br />
<br />
= Start rngd service =<br />
{{Cmd|localhost:~# service rngd start<br />
* Caching service dependencies ...<br />
[ ok ]<br />
* Starting rngd ...<br />
<br />
Initalizing available sources<br />
[ ok ]}}<br />
<br />
= Run setup-alpine. WiFi connection should set up ok with rngd running. =<br />
The setup process turns off the rngd service at some point, but that happens after wifi is connected.<br />
{{Cmd|setup-alpine}}<br />
<br />
= Configure services and reboot =<br />
Removing networking from boot results in it not being present in any stage which seems like the wrong fix, but it runs after rngd and wpa_supplicant, which is what we want:<br />
{{Cmd|pet-protect:~# rc-update add rngd boot<br />
* service rngd added to runlevel boot<br />
<br />
pet-protect:~# rc-update add wpa_supplicant boot<br />
* service wpa_supplicant added to runlevel boot<br />
<br />
pet-protect:~# rc-update del networking boot<br />
* service networking removed from runlevel boot<br />
<br />
pet-protect:~# rc-update -u<br />
* Caching service dependencies ...<br />
[ ok ]<br />
<br />
pet-protect:~# lbu commit -d<br />
pet-protect:~# reboot}}<br />
<br />
[[category:Installation]]<br />
[[category: Raspberry]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20152Raspberry Pi Zero W - Installation2021-09-29T05:07:17Z<p>Bt129: /* Run setup-alpine wifi connection should setup ok with rngd running. */</p>
<hr />
<div>{{TOC right}}<br />
= Introduction =<br />
This wiki page describes how I installed Alpine Linux 3.9.2 armhf on a Raspberry Pi Zero W. I had problems with it initially, as WiFi wouldn't connect when going through the setup-alpine script, and when I was able to get it to connect (after numerous failed manual attempts) it wouldn't reconnect on reboot. The solution documented below adds and starts the rngd service prior to running setup-alpine, which fixes the wifi connection problems and allows you to walk through the setup script successfully. It also adds the rngd and wpa_supplicant services to start at boot and removes the network service from the rc-update list completely, which seems like the wrong thing to do and probably is - networking still gets started, probably as a dependency to something else, and it starts after rngd and wpa_supplicant, which is what I needed. When the networking service was set to "boot" (which it was out of the box) it was starting before rngd and wpa_supplicant so wlan0 would never connect.<br />
<br />
I need to go back through this again but it should work as written. Some steps may not be necessary for your use case and some steps may not be necessary at all, but don't seem to hurt. I'm still learning about Alpine Linux and hope to improve this process as I do more reading and experimentation.<br />
<br />
Update - 7 Dec 2019 - I went through installation again on a Pi Zero W with Alpine 3.10.3 for armhf. First boot after writing the image to the SD card seems to work ok as far as WiFi functionality is concerned. The setup script completes and I was able to connect to WiFi and pull down packages etc. I decided to not install the rngd related packages at this point to see how a reboot looked; the answer is not good. The dhcp request just times out. Running setup-alpine again at this point also doesn't work. If you start over and rewrite the image to the SD card, the first boot will again work ok; it's only rebooting that breaks Wifi. I think it's best to follow the steps for installing the rngd related packages and configuring the service to start at boot. Note that you can install what you need on first boot using apk; you don't need to copy the packages to the SD card offline as written below.<br />
<br />
Update - 29 Dec 2019 - See also a method to perform a headless setup: [[Raspberry Pi - Headless Installation]]<br />
<br />
= Write image to SD =<br />
First, format an SD card with the FAT filesystem. That can be done with a graphical tool like GParted once the SD card is mounted on your operating system. The following assumes the SD card device is at /dev/sdb1.<br />
<br />
Mount the SD card:<br />
{{Cmd|sudo mount /dev/sdb1 /mnt}}<br />
<br />
Then, copy the files:<br />
{{Cmd|tar -xzvf alpine-rpi-3.9.2-armhf.tar.gz -C /mnt --no-same-owner}}<br />
If you have no means to mount the SD card normally with an SD reader, it can be mounted over USB through the Raspberry Pi Zero W, using the usbbootgui tool to mount it as an eMMC/SD card reader. On Ubuntu, this can be installed as follows:<br />
{{Cmd|sudo add-apt-repository ppa:rpi-distro/ppa}}<br />
{{Cmd|sudo apt install usbbootgui}}<br />
<br />
A GUI should open as soon as you plug in your Pi; otherwise run<br />
{{Cmd|usbbootgui}}<br />
<br />
= Edit cmdline.txt and add line for serial console (Optional)=<br />
<br />
This is for my use case and optional if you are using a local keyboard and monitor. I do not connect a keyboard and monitor but rather do the setup via the Pi's serial GPIO pins.<br />
<br />
Create a file called cmdline.txt in the root of the SD card and place the following text in it:<br />
{{Cmd|modules{{=}}loop,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable{{=}}0 console{{=}}tty1 console{{=}}ttyAMA0,115200}}<br />
<br />
= Create usercfg.txt and edit (Optional) =<br />
<br />
This is mostly optional I believe and applies to my use case where I will be running the Pi in a headless appliance type mode. I reduce the memory allocated for the GPU, turn off audio (not sure I still need this on the Zero W), disable bluetooth (which I think puts the serial console back on the real uart, again, need to double check), add w1 for a temperature sensor, and set the enable_uart to 1 (may not be necessary, need to verify and add comments). This can be done by creating a file called usercfg.txt at the base of the SD card with the following contents:<br />
{{Cmd|gpu_mem{{=}}16<br />
dtparam{{=}}audio{{=}}off<br />
dtoverlay{{=}}pi3-disable-bt<br />
dtoverlay{{=}}w1-gpio<br />
enable_uart{{=}}1}}<br />
<br />
= Create cache folder and add rng-tools packages =<br />
{{Cmd|mkdir /mnt/cache}}<br />
I copied/pasted the following into the cache dir on the SD card. I have another Alpine env to apk fetch packages from (chroot on Fedora).<br />
{{Cmd|rng-tools-6.3.1-r1.652a1399.apk<br />
rng-tools-openrc-6.3.1-r1.e9b063f8.apk}}<br />
<br />
= Boot Pi with prepared SD card, login as root and add packages =<br />
<br />
I'm still new to Alpine, not sure if the setup-apkcache step is necessary or accomplishes anything here.<br />
{{Cmd|localhost:~# setup-apkcache <br />
Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: /media/mmcblk0p1/cache/<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-6.3.1-r1.652a1399.apk <br />
(1/1) Installing rng-tools (6.3.1-r1)<br />
Executing busybox-1.29.3-r10.trigger<br />
OK: 8 MiB in 21 packages<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-openrc-6.3.1-r1.e9b063f8.apk <br />
(1/1) Installing rng-tools-openrc (6.3.1-r1)<br />
OK: 8 MiB in 22 packages}}<br />
<br />
= Start rngd service =<br />
{{Cmd|localhost:~# service rngd start<br />
* Caching service dependencies ...<br />
[ ok ]<br />
* Starting rngd ...<br />
<br />
Initalizing available sources<br />
[ ok ]}}<br />
<br />
= Run setup-alpine. WiFi connection should set up ok with rngd running. =<br />
The setup process turns off the rngd service at some point, but that happens after wifi is connected.<br />
{{Cmd|setup-alpine}}<br />
<br />
= Configure services and reboot =<br />
Removing networking from boot results in it not being present in any stage, which seems like the wrong fix, but it still gets run by something, and after rngd and wpa_supplicant, which is what we want:<br />
{{Cmd|pet-protect:~# rc-update add rngd boot<br />
* service rngd added to runlevel boot<br />
<br />
pet-protect:~# rc-update add wpa_supplicant boot<br />
* service wpa_supplicant added to runlevel boot<br />
<br />
pet-protect:~# rc-update del networking boot<br />
* service networking removed from runlevel boot<br />
<br />
pet-protect:~# rc-update -u<br />
* Caching service dependencies ...<br />
[ ok ]<br />
<br />
pet-protect:~# lbu commit -d<br />
pet-protect:~# reboot}}<br />
<br />
[[category:Installation]]<br />
[[category: Raspberry]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20151Raspberry Pi Zero W - Installation2021-09-29T04:56:03Z<p>Bt129: /* Create cache folder and add rng-tools packages */</p>
<hr />
<div>{{TOC right}}<br />
= Introduction =<br />
This wiki page describes how I installed Alpine Linux 3.9.2 armhf on a Raspberry Pi Zero W. I had problems with it initially, as WiFi wouldn't connect when going through the setup-alpine script, and when I was able to get it to connect (after numerous failed manual attempts) it wouldn't reconnect on reboot. The solution documented below adds and starts the rngd service prior to running setup-alpine, which fixes the wifi connection problems and allows you to walk through the setup script successfully. It also adds the rngd and wpa_supplicant services to start at boot and removes the network service from the rc-update list completely, which seems like the wrong thing to do and probably is - networking still gets started, probably as a dependency to something else, and it starts after rngd and wpa_supplicant, which is what I needed. When the networking service was set to "boot" (which it was out of the box) it was starting before rngd and wpa_supplicant so wlan0 would never connect.<br />
<br />
I need to go back through this again but it should work as written. Some steps may not be necessary for your use case and some steps may not be necessary at all, but don't seem to hurt. I'm still learning about Alpine Linux and hope to improve this process as I do more reading and experimentation.<br />
<br />
Update - 7 Dec 2019 - I went through installation again on a Pi Zero W with Alpine 3.10.3 for armhf. First boot after writing the image to the SD card seems to work ok as far as WiFi functionality is concerned. Setup script completes and I was able to connect to WiFi and pull down packages etc. I decided to not install the rngd related packages at this point to see how a reboot looked, answer is not good. The dhcp request just times out. Running setup-alpine again at this point also doesn't work. If you start over and rewrite the image to the SD card, the first boot will again work ok, it's only rebooting that breaks Wifi. I think it's best to follow the steps for installing the rngd related packages and configuring the service to start at boot. Note that you can install what you need on first boot using apk, you don't need to copy the packages to the SD card offline as written below.<br />
<br />
Update - 29 Dec 2019 - See also a method to perform a headless setup: [[Raspberry Pi - Headless Installation]]<br />
<br />
= Write image to SD =<br />
First, format an SD card with the FAT filesystem. That can be done with a graphical tool like GParted once the SD card is attached to your system. The following assumes the SD card device is at /dev/sdb1.<br />
<br />
Mount the SD card:<br />
{{Cmd|sudo mount /dev/sdb1 /mnt}}<br />
<br />
Then, copy the files:<br />
{{Cmd|tar -xzvf alpine-rpi-3.9.2-armhf.tar.gz -C /mnt --no-same-owner}}<br />
If you have no means to mount the SD card normally with an SD reader, it can be mounted over USB through the Raspberry Pi Zero W itself, using the usbbootgui tool to expose it as an eMMC/SD card reader. On Ubuntu, this can be installed as follows:<br />
{{Cmd|sudo add-apt-repository ppa:rpi-distro/ppa}}<br />
{{Cmd|sudo apt install usbbootgui}}<br />
<br />
A GUI should open as soon as you plug in your Pi; otherwise run<br />
{{Cmd|usbbootgui}}<br />
<br />
= Edit cmdline.txt and add line for serial console (Optional) =<br />
<br />
This is for my use case and optional if you are using a local keyboard and monitor. I do not connect a keyboard and monitor but rather do the setup via the Pi's serial GPIO pins.<br />
<br />
Create a file called cmdline.txt in the root of the SD card and place the following text in it:<br />
{{Cmd|modules{{=}}loop,squashfs,sd-mod,usb-storage quiet dwc_otg.lpm_enable{{=}}0 console{{=}}tty1 console{{=}}ttyAMA0,115200}}<br />
<br />
= Create usercfg.txt and edit (Optional) =<br />
<br />
This is mostly optional, I believe, and applies to my use case where I will be running the Pi in a headless appliance-type mode. I reduce the memory allocated to the GPU, turn off audio (not sure I still need this on the Zero W), disable Bluetooth (which I think puts the serial console back on the real UART; again, I need to double-check), add the w1-gpio overlay for a temperature sensor, and set enable_uart to 1 (may not be necessary; I need to verify and add comments). This can be done by creating a file called usercfg.txt at the base of the SD card with the following contents:<br />
{{Cmd|gpu_mem{{=}}16<br />
dtparam{{=}}audio{{=}}off<br />
dtoverlay{{=}}pi3-disable-bt<br />
dtoverlay{{=}}w1-gpio<br />
enable_uart{{=}}1}}<br />
<br />
= Create cache folder and add rng-tools packages =<br />
{{Cmd|mkdir /mnt/cache}}<br />
I copied/pasted the following into the cache dir on the SD card. I have another Alpine environment to apk fetch packages from (a chroot on Fedora).<br />
{{Cmd|rng-tools-6.3.1-r1.652a1399.apk<br />
rng-tools-openrc-6.3.1-r1.e9b063f8.apk}}<br />
<br />
= Boot Pi with prepared SD card, login as root and add packages =<br />
<br />
I'm still new to Alpine and not sure whether the setup-apkcache step is necessary or accomplishes anything here.<br />
{{Cmd|localhost:~# setup-apkcache <br />
Enter apk cache directory (or '?' or 'none') [/var/cache/apk]: /media/mmcblk0p1/cache/<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-6.3.1-r1.652a1399.apk <br />
(1/1) Installing rng-tools (6.3.1-r1)<br />
Executing busybox-1.29.3-r10.trigger<br />
OK: 8 MiB in 21 packages<br />
<br />
localhost:~# apk add --allow-untrusted /media/mmcblk0p1/cache/rng-tools-openrc-6.3.1-r1.e9b063f8.apk <br />
(1/1) Installing rng-tools-openrc (6.3.1-r1)<br />
OK: 8 MiB in 22 packages}}<br />
<br />
= Start rngd service =<br />
{{Cmd|localhost:~# service rngd start<br />
* Caching service dependencies ...<br />
[ ok ]<br />
* Starting rngd ...<br />
<br />
Initalizing available sources<br />
[ ok ]}}<br />
<br />
= Run setup-alpine (WiFi connection should set up OK with rngd running) =<br />
The setup process turns off the rngd service at some point, but only after WiFi is connected.<br />
{{Cmd|setup-alpine}}<br />
<br />
= Configure services and reboot =<br />
Removing networking from boot results in it not being present in any runlevel, which seems like the wrong fix, but it still gets started by something, and after rngd and wpa_supplicant, which is what we want:<br />
{{Cmd|pet-protect:~# rc-update add rngd boot<br />
* service rngd added to runlevel boot<br />
<br />
pet-protect:~# rc-update add wpa_supplicant boot<br />
* service wpa_supplicant added to runlevel boot<br />
<br />
pet-protect:~# rc-update del networking boot<br />
* service networking removed from runlevel boot<br />
<br />
pet-protect:~# rc-update -u<br />
* Caching service dependencies ...<br />
[ ok ]<br />
<br />
pet-protect:~# lbu commit -d<br />
pet-protect:~# reboot}}<br />
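The runlevel layout above is easy to break again with a later rc-update, so here is an added check (example code, not part of this wiki page or of Alpine itself) that reads the text printed by <code>rc-update show</code> and reports whether rngd and wpa_supplicant are in the boot runlevel while networking is not. The two listings embedded in it are constructed samples so that the script runs offline; on the Pi you would call it as <code>check_wifi_order "$(rc-update show)"</code>.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): lint the OpenRC runlevel layout
# for the WiFi start-order problem described above, using the text that
# `rc-update show` prints (one "service | runlevels" line per service).

# Constructed sample: a fresh image, where networking sits in "boot" but
# rngd and wpa_supplicant have not been added to any runlevel.
SAMPLE_BEFORE='              bootmisc |      boot
              hostname |      boot
               hwclock |      boot
               modules |      boot
            networking |      boot
                sysctl |      boot
               urandom |      boot
                 devfs | sysinit
                  mdev | sysinit'

# Constructed sample: the layout after the rc-update commands above.
SAMPLE_AFTER='              bootmisc |      boot
              hostname |      boot
               modules |      boot
                  rngd |      boot
        wpa_supplicant |      boot
                sysctl |      boot
                 devfs | sysinit
                  mdev | sysinit'

# runlevels_of NAME TEXT: print the runlevels NAME is added to (space
# separated); prints nothing when the service is in no runlevel at all.
runlevels_of() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        $1 == svc { sub(/^[^|]*\|[ \t]*/, ""); print }'
}

# in_runlevel NAME LEVEL TEXT: succeed if NAME is listed in runlevel LEVEL.
in_runlevel() {
    for lvl in $(runlevels_of "$1" "$3"); do
        [ "$lvl" = "$2" ] && return 0
    done
    return 1
}

# check_wifi_order TEXT: succeed only if rngd and wpa_supplicant are in
# "boot" and networking is not; otherwise print one FINDING per problem
# and fail, so the check can gate a cron job or an lbu commit.
check_wifi_order() {
    text=$1
    rc=0
    for svc in rngd wpa_supplicant; do
        if ! in_runlevel "$svc" boot "$text"; then
            echo "FINDING: $svc is not in runlevel boot; wlan0 may never associate"
            rc=1
        fi
    done
    if in_runlevel networking boot "$text"; then
        echo "FINDING: networking is in runlevel boot; it can start before rngd/wpa_supplicant"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: rngd and wpa_supplicant start in boot, networking does not"
    return "$rc"
}

# On a live system:  check_wifi_order "$(rc-update show)"
```

The check deliberately reads the tool's output rather than /etc/runlevels directly, so the same function can be fed a saved listing from another host.<br />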
<br />
[[category:Installation]]<br />
[[category: Raspberry]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20150Raspberry Pi Zero W - Installation2021-09-29T04:54:25Z<p>Bt129: /* Edit cmdline.txt and add line for serial console (Optional) */</p>
Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20149Raspberry Pi Zero W - Installation2021-09-29T04:53:47Z<p>Bt129: /* Write image to SD */</p>
Bt129https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_Zero_W_-_Installation&diff=20147Raspberry Pi Zero W - Installation2021-09-29T04:21:26Z<p>Bt129: /* Introduction */</p>
Bt129https://wiki.alpinelinux.org/w/index.php?title=Linux_Router_with_VPN_on_a_Raspberry_Pi&diff=20123Linux Router with VPN on a Raspberry Pi2021-08-29T14:05:48Z<p>Bt129: </p>
<hr />
<div>{{TOC right}}<br />
<br />
= Rationale =<br />
<br />
This guide demonstrates how to set up a Linux router with a VPN tunnel. You will need a second Ethernet adapter. If you are using a Raspberry Pi, then you can use something like this [http://store.apple.com/us/product/MC704LL/A/apple-usb-ethernet-adapter Apple USB Ethernet Adapter], as it contains an ASIX AX88772 which has good Linux support.<br />
<br />
You may also choose to buy a [http://www.element14.com/community/docs/DOC-68907/l/shim-rtc-realtime-clock-accessory-board-for-raspberry-pi Real Time Clock]. If you don't have an RTC, the time is lost when your Pi is shut down. When it is rebooted, the time will be set back to Thursday, 1 January 1970. As this is earlier than the creation time of your VPN certificates, OpenVPN will refuse to start, which may mean you cannot do DNS lookups over the VPN.<br />
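The clock problem just described is worth detecting before OpenVPN is started rather than after it has refused the certificate. As an added example (not code from this wiki page or from Alpine), here is a POSIX sh check that uses the certificate file's modification time as a lower bound for the real time: on a correctly set clock a file can never be newer than "now". The certificate path in the usage comment is a placeholder.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): a pre-start sanity check for the
# "no RTC" failure mode. A Pi without an RTC boots with the clock at
# 1 January 1970, and OpenVPN rejects a certificate whose validity period
# starts later than the current time. The certificate file's mtime is a
# safe lower bound for "now", so a clock behind it is certainly wrong.

# cert_mtime FILE: print FILE's modification time as a Unix epoch
# (GNU/busybox stat; fails with a non-zero status if FILE is unreadable).
cert_mtime() {
    stat -c %Y "$1"
}

# clock_is_after NOW MIN: succeed if epoch NOW is not earlier than epoch MIN.
clock_is_after() {
    [ "$1" -ge "$2" ]
}

# check_clock_for_cert FILE [NOW]: exit 0 if the clock (default: date +%s)
# is at or after FILE's mtime, 1 if the clock is behind it, 2 if FILE
# cannot be read. NOW is a parameter only so the check can be tested.
check_clock_for_cert() {
    cert=$1
    now=${2:-$(date +%s)}
    min=$(cert_mtime "$cert" 2>/dev/null) || return 2
    if clock_is_after "$now" "$min"; then
        echo "clock ok: now=$now >= mtime($cert)=$min"
        return 0
    fi
    echo "clock behind: now=$now < mtime($cert)=$min; set the time (e.g. with an NTP client) before starting openvpn" >&2
    return 1
}

# Usage from an init script, with a placeholder certificate path:
#   check_clock_for_cert /etc/openvpn/client.crt || exit 1
```

Because the mtime bound is conservative (the certificate was created before it was copied onto the Pi), the check never produces a false alarm on a correct clock; it only catches the 1970 case and similar gross errors.<br />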
<br />
For wireless, a separate access point was purchased ([http://wiki.openwrt.org/toh/ubiquiti/unifi Ubiquiti UniFi AP]) because it contains an Atheros AR9287 which is supported by [https://wireless.wiki.kernel.org/en/users/drivers/ath9k ath9k].<br />
<br />
I chose a Raspberry Pi because it's inexpensive. I was not concerned with getting high PPS ([https://en.wikipedia.org/wiki/Throughput Packets Per Second]). You could choose to use an old x86/amd64 system instead. If I had better internet I'd probably go with an offering from [https://soekris.com Soekris] such as the [https://soekris.com/products/net6501-1.html net6501] as it would have a much lower power consumption than a generic x86_64 desktop processor.<br />
<br />
If you want to route speeds above 100 Mbit/s you'll want to make use of hardware encryption like [https://en.wikipedia.org/wiki/AES_instruction_set AES-NI]. The [https://soekris.com Soekris] offerings have the option of an additional hardware encryption module ([https://soekris.com/products/vpn-1411.html vpn1411]). Another option is to use a [https://en.wikipedia.org/wiki/Mini-ITX Mini ITX motherboard], with a managed switch. I chose the [https://www.ubnt.com/edgemax/edgeswitch Ubiquiti ES-16-150W].<br />
<br />
If you wish to use IPv6 you should consider looking at [[Linux Router with VPN on a Raspberry Pi (IPv6)]] as the implementation does differ slightly from this tutorial.<br />
<br />
The network in this tutorial looks like this: <br />
<br />
[[File:Network diagram ipv4 basic.svg|900px|center|Network Diagram Single IPv4]]<br />
<br />
= Installation =<br />
This guide assumes you're using Alpine Linux from a micro SD card in ramdisk mode. It assumes you've read the basics of how to use [[Alpine local backup]]. The [[Raspberry Pi]] article contains information on how to install Alpine Linux on a Raspberry Pi.<br />
<br />
= Modem in full bridge mode =<br />
This particular page uses an example where you have a modem that uses PPPoE. You will need to modify the parts which do not apply to you. <br />
<br />
In this example, I have a modem which has been configured in full bridge mode. PPP sessions are initiated on the router.<br />
<br />
The modem I am using is a [http://www.cisco.com/c/en/us/products/routers/877-integrated-services-router-isr/index.html Cisco 877 Integrated Services Router]. It has no web interface and is controlled over SSH. More information can be found at [[Configuring a Cisco 877 in full bridge mode]].<br />
<br />
= Network =<br />
<br />
== /etc/hostname ==<br />
Set this to your hostname, e.g.:<br />
<br />
<pre><HOST_NAME></pre><br />
<br />
== /etc/hosts ==<br />
Set your host and hostname:<br />
<pre>127.0.0.1 <HOST_NAME> <HOST_NAME>.<DOMAIN_NAME><br />
<br />
::1 <HOST_NAME> ipv6-gateway ipv6-loopback<br />
ff00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
== /etc/network/interfaces ==<br />
Configure your network interfaces. Change "yourISP" to the name of your peer file in /etc/ppp/peers/ (i.e. /etc/ppp/peers/yourISP).<br />
<br />
<pre>#<br />
# Network Interfaces<br />
#<br />
<br />
# Loopback interfaces<br />
auto lo<br />
iface lo inet loopback<br />
address 127.0.0.1<br />
netmask 255.0.0.0<br />
<br />
# Internal Interface - facing LAN<br />
auto eth0<br />
iface eth0 inet static<br />
address 192.168.1.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.1.255</pre><br />
<br />
<br />
=== PPP ===<br />
Next you need to configure your router to be able to dial a PPP connection through the modem.<br />
<br />
If your ISP uses [https://en.wikipedia.org/wiki/Point-to-Point_Protocol PPP] you may need to configure it. See [[PPP]].<br />
<br />
Make sure you set your WAN interface correctly; in this example we use eth1.<br />
<br />
<pre># External Interface - facing Modem<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
pre-up /sbin/ip link set eth1 up<br />
up ifup ppp0=yourISP<br />
down ifdown ppp0=yourISP<br />
post-down /sbin/ip link set eth1 up<br />
<br />
# Link to ISP<br />
iface yourISP inet ppp<br />
provider yourISP</pre><br />
<br />
=== IPoE ===<br />
Alternatively, it's quite common for ISPs to use [https://en.wikipedia.org/wiki/IPoE IPoE]. IPoE is much simpler and runs DHCP only on the external interface. It should look something like:<br />
<br />
<pre># External interface to ISP<br />
allow-hotplug eth1<br />
auto eth1<br />
iface eth1 inet dhcp<br />
<br />
iface eth1 inet static<br />
address 192.168.0.2<br />
netmask 255.255.255.252<br />
broadcast 192.168.0.3<br />
<br />
iface eth1 inet6 manual</pre><br />
<br />
==== DHCP from ISP ====<br />
<br />
Above we set both DHCP and a static IP. The static address is what lets us still forward packets to the modem to reach its web interface or SSH.<br />
<br />
We do still need DHCP to get an IP address from our ISP though. I like to use dhcpcd instead of udhcp (the default in Alpine Linux), because it allows for [https://en.wikipedia.org/wiki/Prefix_delegation Prefix Delegation], which is used in IPv6 networks.<br />
<br />
My /etc/dhcpcd.conf looks like this:<br />
<br />
<pre># Enable extra debugging<br />
# debug<br />
# logfile /var/log/dhcpcd.log<br />
<br />
# Allow users of this group to interact with dhcpcd via the control<br />
# socket.<br />
#controlgroup wheel<br />
<br />
# Inform the DHCP server of the hostname for DDNS.<br />
hostname gateway<br />
<br />
# Use the hardware address of the interface for the Client ID.<br />
# clientid<br />
# or<br />
# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as<br />
# per RFC4361. Some non-RFC compliant DHCP servers do not reply with<br />
# this set. In this case, comment out duid and enable clientid above.<br />
duid<br />
<br />
# Persist interface configuration when dhcpcd exits.<br />
persistent<br />
<br />
# Rapid commit support.<br />
# Safe to enable by default because it requires the equivalent option<br />
# set on the server to actually work.<br />
option rapid_commit<br />
<br />
# A list of options to request from the DHCP server.<br />
option domain_name_servers, domain_name, domain_search, host_name<br />
option classless_static_routes<br />
<br />
# Most distributions have NTP support.<br />
option ntp_servers<br />
<br />
# Respect the network MTU.<br />
# Some interface drivers reset when changing the MTU so disabled by<br />
# default.<br />
#option interface_mtu 1586<br />
<br />
# A ServerID is required by RFC2131.<br />
require dhcp_server_identifier<br />
<br />
# Generate Stable Private IPv6 Addresses instead of hardware based<br />
# ones<br />
slaac private<br />
<br />
# A hook script is provided to lookup the hostname if not set by the<br />
# DHCP server, but it should not be run by default.<br />
nohook lookup-hostname<br />
<br />
# Disable solicitations on all interfaces<br />
noipv6rs<br />
<br />
# Wait for IP before forking to background<br />
waitip 6<br />
<br />
# Don't touch DNS<br />
nohook resolv.conf<br />
<br />
allowinterfaces eth1 eth0.2<br />
# Use the interface connected to WAN<br />
interface eth1<br />
waitip 4<br />
noipv4ll<br />
ipv6rs # enable router solicitation to get the default IPv6 route<br />
iaid 1<br />
ia_pd 1/::/56 eth0.2/2/64<br />
timeout 30<br />
<br />
interface eth0.2<br />
ipv6only</pre><br />
<br />
== Basic IPtables firewall with routing ==<br />
This demonstrates how to set up basic routing with a permissive outgoing firewall. Incoming packets are blocked. The rest is commented in the rule set.<br />
<br />
First install iptables:<br />
<br />
{{cmd|apk add iptables ip6tables}}<br />
<br />
<pre>#########################################################################<br />
# Basic iptables IPv4 routing rule set<br />
#<br />
# 192.168.1.0/24 routed directly to PPP0 via NAT<br />
# <br />
#########################################################################<br />
<br />
#<br />
# Mangle Table<br />
# We leave this empty for the moment.<br />
#<br />
*mangle<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT packets<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
<br />
# Forward LAN traffic out<br />
-A FWD_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward SSH replies from the modem back to the LAN (the LAN-to-modem half is accepted in FWD_ETH0)<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP replies from the modem's web server back to the LAN<br />
-A FWD_ETH1 -s 192.168.0.0/30 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward replies from the ISP (arriving on ppp0) for connections the LAN opened<br />
-A FWD_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router (Unbound answers on both UDP and TCP port 53)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH replies from the modem to the router itself<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP replies from the modem to the router itself<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens as well as "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
-A PREROUTING -i ppp0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.1.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface or SSH<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 22 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE<br />
COMMIT</pre><br />
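Because iptables-restore only rejects a malformed rule set while it is being loaded, it pays to lint the file first. The following is an added example, not part of this wiki page; it assumes only a POSIX sh and awk, and the two sample rule files it writes are constructed for the demonstration (one is a cut-down copy of the rule set above, the other carries the duplicate *filter line and a misspelled chain name).<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): lint an iptables-restore rule file
# before loading it. iptables-restore only reports these mistakes at load time,
# when it has already started replacing the live rules: a *table line repeated
# before the previous table's COMMIT, a table never committed, a rule appended
# to or jumping to a chain the table never declares, and a user chain that is
# declared but never jumped to (its rules silently do nothing).
# Usage: lint_iptables_rules FILE   -> exit 0 when clean, 1 with findings

lint_iptables_rules() {
    awk '
    function report(line, msg) { printf("%s:%d: %s\n", FILENAME, line, msg); errors++ }
    BEGIN {
        # Targets valid without a user-defined chain (extend for the modules you use)
        n = split("ACCEPT DROP REJECT RETURN LOG MARK CONNMARK MASQUERADE SNAT DNAT REDIRECT TCPMSS", t, " ")
        for (i = 1; i <= n; i++) builtin[t[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    /^\*/ {                                 # *filter, *nat, *mangle ...
        if (table != "") report(FNR, "*" table " is still open when " $1 " starts (missing COMMIT)")
        table = substr($1, 2)
        next
    }
    /^COMMIT/ {
        if (table == "") report(FNR, "COMMIT outside any table")
        table = ""
        next
    }
    /^:/ {                                  # :CHAIN POLICY [pkts:bytes]
        chain = substr($1, 2)
        if (table == "") report(FNR, "chain :" chain " declared outside any table")
        declared[table, chain] = 1
        if ($2 == "-") user[table, chain] = FNR    # user chain: something must jump to it
        next
    }
    /^-[AI] / {                             # -A CHAIN [matches] -j TARGET
        if (table == "") { report(FNR, "rule outside any table"); next }
        if (!((table, $2) in appended)) appended[table, $2] = FNR
        for (i = 3; i <= NF; i++) {
            if ($i != "-j" && $i != "-g") continue
            target = $(i + 1)
            if (target == "") { report(FNR, $i " has no target"); continue }
            referenced[table, target] = 1
            if (!(target in builtin) && !((table, target) in jumps)) jumps[table, target] = FNR
        }
        next
    }
    { report(FNR, "unrecognised line: " $0) }
    END {
        if (table != "") report(FNR, "*" table " was never committed")
        for (k in appended) if (!(k in declared)) {
            split(k, p, SUBSEP)
            report(appended[k], "rule appended to chain " p[2] ", which *" p[1] " never declares")
        }
        for (k in jumps) if (!(k in declared)) {
            split(k, p, SUBSEP)
            report(jumps[k], "jump to chain " p[2] ", which *" p[1] " never declares")
        }
        for (k in user) if (!(k in referenced)) {
            split(k, p, SUBSEP)
            report(user[k], "user chain " p[2] " in *" p[1] " is never jumped to, so its rules are dead")
        }
        exit (errors > 0 ? 1 : 0)
    }' "$1"
}

# Constructed samples for trying the lint: a clean cut-down version of the
# rule set above, and one with the duplicate *filter line that breaks
# iptables-restore plus a misspelled jump target (FWD_ETHO for FWD_ETH0).
write_samples() {
    cat > "$1/good.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_ETH0 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
    cat > "$1/bad.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
*filter
:FWD_ETH0 - [0:0]
-A FORWARD -i eth0 -j FWD_ETHO
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT
COMMIT
EOF
}
```

Run it as `lint_iptables_rules /etc/iptables/rules-save` before `iptables-restore`; the bad sample yields three findings (duplicate *filter, jump to the undeclared FWD_ETHO, and FWD_ETH0 never jumped to).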
<br />
I'd also highly suggest reading these resources if you are new to iptables: <br />
<br />
* [https://www.frozentux.net/category/linux/iptables Frozen Tux Iptables-tutorial]<br />
* [http://inai.de/links/iptables/ Words of wisdom for #netfilter]<br />
* [http://sfvlug.editthis.info/wiki/Things_You_Should_Know_About_Netfilter Things You Should Know About Netfilter]<br />
* [http://inai.de/documents/Perfect_Ruleset.pdf Towards the perfect ruleset]<br />
<br />
== /etc/sysctl.d/local.conf ==<br />
<pre># Controls IP packet forwarding<br />
net.ipv4.ip_forward = 1<br />
<br />
# Needed to use fwmark, only required if you want to set up the VPN subnet later in this article<br />
net.ipv4.conf.all.rp_filter = 2<br />
<br />
# Disable IPv6<br />
net.ipv6.conf.all.disable_ipv6 = 1<br />
net.ipv6.conf.lo.disable_ipv6 = 1<br />
net.ipv6.conf.default.disable_ipv6 = 1</pre><br />
<br />
Note that IPv6 is disabled here; if you want IPv6, see the other tutorial [[Linux Router with VPN on a Raspberry Pi (IPv6)]]. You may also wish to look at [https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ip-sysctl.txt] to read about the other keys.<br />
<br />
= DHCP =<br />
{{cmd|apk add dhcp}}<br />
<br />
== /etc/conf.d/dhcpd ==<br />
Specify the configuration file location, interface to run on, and that you want DHCPD to run in IPv4 mode.<br />
<br />
<pre># /etc/conf.d/dhcpd: config file for /etc/init.d/dhcpd<br />
<br />
# If you require more than one instance of dhcpd, you can create symbolic<br />
# links to dhcpd service like so<br />
# cd /etc/init.d<br />
# ln -s dhcpd dhcpd.foo<br />
# cd ../conf.d<br />
# cp dhcpd dhcpd.foo<br />
# Now you can edit dhcpd.foo and specify a different configuration file.<br />
# You'll also need to specify a pidfile in the dhcpd.conf file.<br />
# See the pid-file-name option in the dhcpd.conf man page for details.<br />
<br />
# If you wish to run dhcpd in a chroot environment, uncomment the following line<br />
# DHCPD_CHROOT="/var/lib/dhcp/chroot"<br />
<br />
# All file paths below are relative to the chroot.<br />
# You can specify a different chroot directory, but MAKE SURE it's empty.<br />
<br />
# Specify a configuration file - the default is /etc/dhcp/dhcpd.conf<br />
DHCPD_CONF="/etc/dhcp/dhcpd.conf"<br />
<br />
# Configure which interface or interfaces dhcpd should listen on.<br />
# List all interfaces space separated. If this is not specified then<br />
# we listen on all interfaces.<br />
DHCPD_IFACE="eth0"<br />
<br />
# Insert any other dhcpd options. See the man page for a full list.<br />
DHCPD_OPTS="-4"</pre><br />
<br />
== /etc/dhcp/dhcpd.conf ==<br />
Configure your DHCP server. This example has three subnets, each with a specific purpose; you may choose any number of subnets. The broadcast-address values would differ if VLANs were used, but in this case they are not.<br />
<br />
<pre>authoritative;<br />
ddns-update-style interim;<br />
<br />
shared-network home {<br />
subnet 192.168.1.0 netmask 255.255.255.0 {<br />
range 192.168.1.10 192.168.1.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option ntp-servers 192.168.1.1;<br />
option domain-name-servers 192.168.1.1;<br />
allow unknown-clients;<br />
}<br />
<br />
subnet 192.168.2.0 netmask 255.255.255.0 {<br />
range 192.168.2.10 192.168.2.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option ntp-servers 192.168.2.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
<br />
subnet 192.168.3.0 netmask 255.255.255.0 {<br />
range 192.168.3.10 192.168.3.240;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
option ntp-servers 192.168.3.1;<br />
option domain-name-servers 192.168.1.1;<br />
ignore unknown-clients;<br />
}<br />
}<br />
<br />
host Gaming_Computer {<br />
hardware ethernet 00:53:00:FF:FF:11;<br />
fixed-address 192.168.1.20;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.1.255;<br />
option routers 192.168.1.1;<br />
option host-name "gaming_computer";<br />
}<br />
<br />
host Linux_Workstation {<br />
hardware ethernet 00:53:00:FF:FF:22;<br />
fixed-address 192.168.2.21;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.2.255;<br />
option routers 192.168.2.1;<br />
option host-name "linux_workstation";<br />
}<br />
<br />
host printer {<br />
hardware ethernet 00:53:00:FF:FF:33;<br />
fixed-address 192.168.3.9;<br />
option subnet-mask 255.255.255.0;<br />
option broadcast-address 192.168.3.255;<br />
option routers 192.168.3.1;<br />
}</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add dhcpd default}}<br />
<br />
= Synchronizing the clock =<br />
<br />
You can choose to use BusyBox's ntpd, or a more fully fledged option like [http://www.openntpd.org OpenNTPD] or [https://chrony.tuxfamily.org Chrony].<br />
<br />
== Busybox /etc/conf.d/ntpd ==<br />
Allow clients to synchronize their clocks with the router.<br />
<br />
<pre># By default ntpd runs as a client. Add -l to run as a server on port 123.<br />
NTPD_OPTS="-l -N -p <REMOTE TIME SERVER>"</pre><br />
<br />
Make sure to add this to the default run level once configured:<br />
{{cmd|rc-update add ntpd default}}<br />
<br />
or if you prefer, to synchronize with multiple servers...<br />
<br />
== Chrony /etc/chrony.conf ==<br />
{{cmd|apk add chrony}}<br />
<br />
<pre>logdir /var/log/chrony<br />
log measurements statistics tracking<br />
<br />
allow 192.168.0.0/30<br />
allow 192.168.1.0/24<br />
allow 192.168.2.0/24<br />
allow 192.168.3.0/24<br />
allow 192.168.4.0/24<br />
broadcast 30 192.168.0.3<br />
broadcast 30 192.168.1.255<br />
broadcast 30 192.168.2.255<br />
broadcast 30 192.168.3.255<br />
broadcast 30 192.168.4.255<br />
<br />
server 0.pool.ntp.org iburst<br />
server 1.pool.ntp.org iburst<br />
server 2.pool.ntp.org iburst<br />
server 3.pool.ntp.org iburst<br />
<br />
initstepslew 10 pool.ntp.org<br />
driftfile /var/lib/chrony/chrony.drift<br />
hwclockfile /etc/adjtime<br />
rtcdevice /dev/rtc0<br />
rtcsync</pre><br />
<br />
== OpenNTPD /etc/ntpd.conf ==<br />
<br />
Install OpenNTPD<br />
{{cmd|apk add openntpd}}<br />
<br />
Add to default run level.<br />
{{cmd|rc-update add openntpd default}}<br />
<br />
=== /etc/ntpd.conf ===<br />
<pre># sample ntpd configuration file, see ntpd.conf(5)<br />
<br />
# Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
<br />
# sync to a single server<br />
#server ntp.example.org<br />
<br />
# use a random selection of NTP Pool Time Servers<br />
# see http://support.ntp.org/bin/view/Servers/NTPPoolServers<br />
server 0.pool.ntp.org<br />
server 1.pool.ntp.org<br />
server 2.pool.ntp.org<br />
server 3.pool.ntp.org</pre><br />
<br />
== tlsdate ==<br />
The time can also be taken from an HTTPS handshake. If the certificate is self-signed you will need --skip-verification, which means the certificate is not checked and the time is accepted from whichever host answers on that port:<br />
<br />
{{cmd|apk add tlsdate}}<br />
{{cmd|tlsdate -V --skip-verification -p 443 -H example.com}}<br />
<br />
== timezone ==<br />
You might also want to set a timezone, see [[Setting the timezone]].<br />
<br />
= Saving Time =<br />
There are two ways to do this. If you didn't buy an RTC, see [[Saving time with Software Clock]]. If you did, like the PiFace Real Time Clock, see [[Saving time with Hardware Clock]].<br />
<br />
= Unbound DNS forwarder with dnscrypt =<br />
We want to be able to do lookups using [https://dnscrypt.info/ dnscrypt] without installing DNSCrypt on every client on the network. DNSCrypt can use its [https://dnscrypt.info/protocol own protocol] or [https://en.wikipedia.org/wiki/DNS_over_HTTPS DNS over HTTPS].<br />
<br />
The router will also run a DNS forwarder and request unknown domains over DNSCrypt for our clients. Borrowed from the ArchLinux wiki article on [https://wiki.archlinux.org/index.php/dnscrypt-proxy dnscrypt-proxy].<br />
<br />
== Unbound ==<br />
First install {{cmd|apk add unbound}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
<pre>server:<br />
# Use this to include other text into the file.<br />
include: "/etc/unbound/filter.conf"<br />
<br />
# verbosity number, 0 is least verbose. 1 is default.<br />
verbosity: 1<br />
<br />
# specify the interfaces to answer queries from by ip-address.<br />
# The default is to listen to localhost (127.0.0.1 and ::1).<br />
# specify 0.0.0.0 and ::0 to bind to all available interfaces.<br />
# specify every interface[@port] on a new 'interface:' labelled line.<br />
# The listen interfaces are not changed on reload, only on restart.<br />
interface: 192.168.2.1<br />
interface: 192.168.3.1<br />
<br />
# Enable IPv4, "yes" or "no".<br />
do-ip4: yes<br />
<br />
# Enable IPv6, "yes" or "no".<br />
do-ip6: yes<br />
<br />
# Enable UDP, "yes" or "no".<br />
do-udp: yes<br />
<br />
# Enable TCP, "yes" or "no".<br />
do-tcp: yes<br />
<br />
# control which clients are allowed to make (recursive) queries<br />
# to this server. Specify classless netblocks with /size and action.<br />
# By default everything is refused, except for localhost.<br />
# Choose deny (drop message), refuse (polite error reply),<br />
# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),<br />
# allow_snoop (recursive and nonrecursive ok)<br />
# deny_non_local (drop queries unless can be answered from local-data)<br />
# refuse_non_local (like deny_non_local but polite error reply).<br />
# access-control: 0.0.0.0/0 refuse<br />
# access-control: 127.0.0.0/8 allow<br />
# access-control: ::0/0 refuse<br />
# access-control: ::1 allow<br />
# access-control: ::ffff:127.0.0.1 allow<br />
access-control: 192.168.1.0/24 allow<br />
access-control: 192.168.2.0/24 allow<br />
access-control: 192.168.3.0/24 allow<br />
<br />
# the log file, "" means log to stderr.<br />
# Use of this option sets use-syslog to "no".<br />
logfile: "/var/log/unbound/unbound.log"<br />
<br />
# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to<br />
# log to. If yes, it overrides the logfile.<br />
use-syslog: no<br />
<br />
# print one line with time, IP, name, type, class for every query.<br />
# log-queries: no<br />
<br />
# print one line per reply, with time, IP, name, type, class, rcode,<br />
# timetoresolve, fromcache and responsesize.<br />
# log-replies: no<br />
<br />
# enable to not answer id.server and hostname.bind queries.<br />
hide-identity: yes<br />
<br />
# enable to not answer version.server and version.bind queries.<br />
# hide-version: yes<br />
<br />
# enable to not answer trustanchor.unbound queries.<br />
hide-trustanchor: yes<br />
<br />
<br />
# Harden against very small EDNS buffer sizes.<br />
harden-short-bufsize: yes<br />
<br />
# Harden against unseemly large queries.<br />
harden-large-queries: yes<br />
<br />
# Harden against out of zone rrsets, to avoid spoofing attempts.<br />
harden-glue: yes<br />
<br />
# Harden against receiving dnssec-stripped data. If you turn it<br />
# off, failing to validate dnskey data for a trustanchor will<br />
# trigger insecure mode for that zone (like without a trustanchor).<br />
# Default on, which insists on dnssec data for trust-anchored zones.<br />
harden-dnssec-stripped: yes<br />
<br />
# Harden against queries that fall under dnssec-signed nxdomain names.<br />
harden-below-nxdomain: yes<br />
<br />
# Harden the referral path by performing additional queries for<br />
# infrastructure data. Validates the replies (if possible).<br />
# Default off, because the lookups burden the server. Experimental<br />
# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.<br />
# harden-referral-path: no<br />
<br />
# Harden against algorithm downgrade when multiple algorithms are<br />
# advertised in the DS record. If no, allows the weakest algorithm<br />
# to validate the zone.<br />
harden-algo-downgrade: yes<br />
<br />
# Use 0x20-encoded random bits in the query to foil spoof attempts.<br />
# This feature is an experimental implementation of draft dns-0x20.<br />
use-caps-for-id: yes<br />
<br />
# Allow the domain (and its subdomains) to contain private addresses.<br />
# local-data statements are allowed to contain private addresses too.<br />
private-domain: "<HOSTNAME>"<br />
<br />
# if yes, the above default do-not-query-address entries are present.<br />
# if no, localhost can be queried (for testing and debugging).<br />
do-not-query-localhost: no<br />
<br />
# File with trusted keys, kept uptodate using RFC5011 probes,<br />
# initial file like trust-anchor-file, then it stores metadata.<br />
# Use several entries, one per domain name, to track multiple zones.<br />
#<br />
# If you want to perform DNSSEC validation, run unbound-anchor before<br />
# you start unbound (i.e. in the system boot scripts). And enable:<br />
# Please note usage of unbound-anchor root anchor is at your own risk<br />
# and under the terms of our LICENSE (see that file in the source).<br />
# auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"<br />
auto-trust-anchor-file: "/etc/unbound/root.key"<br />
<br />
# If unbound is running service for the local host, then it is useful<br />
# to perform lan-wide lookups to the upstream, and unblock the<br />
# long list of local-zones above. If this unbound is a dns server<br />
# for a network of computers, disabled is better and stops information<br />
# leakage of local lan information.<br />
unblock-lan-zones: no<br />
<br />
# If you configure local-data without specifying local-zone, by<br />
# default, a transparent local-zone is created for the data.<br />
#<br />
# You can add locally served data with<br />
# local-zone: "local." static<br />
# local-data: "mycomputer.local. IN A 192.0.2.51"<br />
# local-data: 'mytext.local TXT "content of text record"'<br />
<br />
# request upstream over TLS (with plain DNS inside the TLS stream).<br />
# Default is no. Can be turned on and off with unbound-control.<br />
# tls-upstream: no<br />
<br />
# Forward zones<br />
# Create entries like below, to make all queries for 'example.com' and<br />
# 'example.org' go to the given list of servers. These servers have to handle<br />
# recursion to other nameservers. List zero or more nameservers by hostname<br />
# or by ipaddress. Use an entry with name "." to forward all queries.<br />
# If you enable forward-first, it attempts without the forward if it fails.<br />
# forward-zone:<br />
# name: "example.com"<br />
# forward-addr: 192.0.2.68<br />
# forward-addr: 192.0.2.73@5355 # forward to port 5355.<br />
# forward-first: no<br />
# forward-tls-upstream: no<br />
# forward-no-cache: no<br />
# forward-zone:<br />
# name: "example.org"<br />
# forward-host: fwd.example.com<br />
<br />
forward-zone:<br />
name: "."<br />
forward-addr: 172.16.32.1@53<br />
forward-addr: ::1@53000<br />
forward-addr: 127.0.0.1@53000</pre><br />
<br />
== Additional DNS level filtering ==<br />
<br />
This script takes in a list of domains and produces a filter file. We are directing all lookups to "0.0.0.1" which is an invalid IP and should fail immediately, unlike localhost.<br />
<br />
{{Note| If you're filtering telemetry from Windows based PCs you should either use a [https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services group policy] or [https://www.oo-software.com/en/shutup10 ShutUp10]}}<br />
<br />
=== /etc/unbound/unbound.conf ===<br />
In your main unbound configuration, add<br />
<pre>include: /etc/unbound/filter.conf</pre><br />
<br />
=== Script to prepare/sort domains for Unbound ===<br />
<pre>#!/bin/sh<br />
<br />
##################################################<br />
# Script taken from http://npr.me.uk/unbound.html<br />
# Note: you need GNU sed<br />
##################################################<br />
<br />
# Remove "#" comments<br />
# Remove space and tab<br />
# Remove blank lines<br />
# Remove localhost and broadcasthost lines<br />
# Keep just the hosts<br />
# Remove leading and trailing space and tab (again)<br />
# Make everything lower case<br />
<br />
sed -e "s/#.*//" \<br />
-e "s/[ \x09]*$//"\<br />
-e "/^$/ d" \<br />
-e "/^.*local.*/ d" \<br />
-e "/^.*broadcasthost.*/ d" \<br />
-e "s/\(^.*\) \([a-zA-Z0-9\.\-]*\)/\2/" \<br />
-e "s/^[ \x09]*//;s/[ \x09]*$//" $1 \<br />
-e "s/\(.*\)/\L\1/" hosts.txt > temp1.txt<br />
<br />
# Remove any duplicate hosts<br />
<br />
sort temp1.txt | uniq >temp2.txt<br />
<br />
# Remove any hosts starting with "."<br />
# Create the two required lines for each host.<br />
<br />
sed -e "/^\..*/ d" \<br />
-e "s/\(^.*\)/local-zone: \x22\1\x22 redirect\nlocal-data: \x22\1 A 0.0.0.1\x22/" \<br />
temp2.txt > filter.conf<br />
<br />
# Clean up<br />
rm temp1.txt<br />
rm temp2.txt</pre><br />
<br />
== DNSCrypt ==<br />
You can test that you're not getting DNS leaks by using [https://www.dnsleaktest.com dnsleaktest.com] or this one from [https://www.grc.com/dns/dns.htm GRC]. Providers like Cloudflare and Google (1.1.1.1, 8.8.8.8) use [https://en.wikipedia.org/wiki/Anycast anycast], so the test should show a server located near where your VPN exits.<br />
<br />
=== /etc/dnscrypt-proxy/dnscrypt-proxy.toml ===<br />
Using the sample dnscrypt config is fine. You'll need to make these changes:<br />
<br />
<pre>listen_addresses = ['127.0.0.1:53000', '[::1]:53000']</pre><br />
<br />
== Add policy route for dnscrypt over VPN ==<br />
<br />
Add a [https://en.wikipedia.org/wiki/Policy-based_routing policy based route] based on the uid of the dnscrypt user. On Alpine Linux dnscrypt-proxy runs as a specific user, so check /etc/passwd:<br />
<br />
<pre>dnscrypt:x:103:104:dnscrypt:/var/empty:/sbin/nologin</pre><br />
<br />
In this example, the dnscrypt user has the uid 103.<br />
<br />
{{Warning|Make sure you check the uid of '''your''' dnscrypt user. Don't just copy the one here!}}<br />
<br />
Add this to [https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a_Raspberry_Pi#.2Fetc.2Fnetwork.2Ffwmark_rules fwmark_rules] eg:<br />
<br />
=== /etc/network/fwmark_rules ===<br />
<pre># Route DNSCrypt user through the VPN table<br />
/sbin/ip rule add uidrange 103-103 table VPN prio 200</pre><br />
<br />
{{cmd|rc-update add unbound default}}<br />
{{cmd|rc-update add dnscrypt-proxy default}}<br />
<br />
= Random number generation =<br />
There are two ways to assist with random number generation; see [[Entropy and randomness]]. This is particularly useful if you're generating your own Diffie-Hellman parameters file, used in the [[FreeRadius EAP-TLS configuration]] section, or for any process that generates certificates or public/private key pairs.<br />
<br />
== Haveged ==<br />
[http://www.issihosts.com/haveged Haveged] is a great way to improve the rate at which random numbers can be generated. It feeds the kernel entropy pool from an unpredictable random number generator based upon an adaptation of the [http://www.irisa.fr/caps/projects/hipsor/ HAVEGE] algorithm.<br />
<br />
Install haveged:<br />
{{cmd|apk add haveged}}<br />
<br />
Start haveged service:<br />
{{cmd|service haveged start}}<br />
<br />
Add service to boot<br />
{{cmd|rc-update add haveged default}}<br />
<br />
== rng-tools with bcm2708-rng ==<br />
<br />
=== Pre Alpine Linux 3.8 (which includes rngd 5) ===<br />
All Raspberry Pis come with the bcm2708-rng random number generator on board. If you are doing this project on a Raspberry Pi then you may choose to use that.<br />
<br />
Add the kernel module to /etc/modules:<br />
{{cmd|echo "bcm2708-rng" >> /etc/modules}}<br />
<br />
Insert module:<br />
{{cmd|modprobe bcm2708-rng}}<br />
<br />
Install rng-tools:<br />
{{cmd|apk add rng-tools}}<br />
<br />
Set the random device (/dev/random) and rng device (/dev/hwrng) in /etc/conf.d/rngd:<br />
{{cmd|<nowiki>RNGD_OPTS="--no-drng=1 --no-tpm=1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
=== Post Alpine Linux 3.8 (which includes rngd 6) ===<br />
<br />
With Alpine Linux 3.8 you don't have to insert the module, as it is built into the kernel.<br />
<br />
Additionally, the syntax has changed for rngd so for /etc/conf.d/rngd you'll need<br />
<br />
{{cmd|<nowiki>RNGD_OPTS="-x1 -o /dev/random -r /dev/hwrng"</nowiki>}}<br />
<br />
Start rngd service:<br />
{{cmd|service rngd start}}<br />
<br />
Add service to boot:<br />
{{cmd|rc-update add rngd default}}<br />
<br />
You can test it with:<br />
{{cmd|<nowiki>cat /dev/hwrng | rngtest -c 1000</nowiki>}}<br />
<br />
You should see something like:<br />
<br />
<pre>rngtest 5<br />
Copyright (c) 2004 by Henrique de Moraes Holschuh<br />
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.<br />
<br />
rngtest: starting FIPS tests...<br />
rngtest: bits received from input: 20000032<br />
rngtest: FIPS 140-2 successes: 1000<br />
rngtest: FIPS 140-2 failures: 0<br />
rngtest: FIPS 140-2(2001-10-10) Monobit: 0<br />
rngtest: FIPS 140-2(2001-10-10) Poker: 0<br />
rngtest: FIPS 140-2(2001-10-10) Runs: 0<br />
rngtest: FIPS 140-2(2001-10-10) Long run: 0<br />
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0<br />
rngtest: input channel speed: (min=117.709; avg=808.831; max=3255208.333)Kibits/s<br />
rngtest: FIPS tests speed: (min=17.199; avg=22.207; max=22.653)Mibits/s<br />
rngtest: Program run time: 25178079 microseconds</pre><br />
<br />
It's possible you might have some failures. That's okay; two runs I did previously had a failure each.<br />
<br />
= WiFi 802.1x EAP and FreeRadius =<br />
A more secure alternative to a WPA2 pre-shared key is [https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TLS EAP-TLS], with a separate certificate for each device. See [[FreeRadius EAP-TLS configuration]].<br />
<br />
= VPN Tunnel on specific subnet =<br />
As mentioned earlier in this article, it might be useful to have a VPN subnet and a non-VPN subnet. Typically, gaming consoles or computers might want low-latency connections. For this exercise we use fwmark.<br />
<br />
We expand the network to look like this:<br />
<br />
[[File:Network diagram ipv4 tunnel.svg|900px|center|Network Diagram with IPv4 tunnel]]<br />
<br />
Install the necessary packages:<br />
{{cmd|apk add openvpn iproute2 iputils}}<br />
<br />
== /etc/modules ==<br />
You'll want to add the tun module<br />
<pre>tun</pre><br />
<br />
== /etc/iproute2/rt_tables ==<br />
Add the two routing tables to the bottom of rt_tables. It should look something like this:<br />
<pre>#<br />
# reserved values<br />
#<br />
255 local<br />
254 main<br />
253 default<br />
0 unspec<br />
#<br />
# local<br />
#<br />
#1 inr.ruhep<br />
1 ISP<br />
2 VPN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Next, add the virtual interface eth0:2 (really just an additional IP address on eth0); placing it just under eth0 will do.<br />
<br />
<pre># Route to VPN subnet<br />
auto eth0:2<br />
iface eth0:2 inet static<br />
address 192.168.2.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.2.255<br />
post-up /etc/network/fwmark_rules</pre><br />
<br />
== /etc/sysctl.d/local.conf ==<br />
If you want to use fwmark rules you need to change this setting. Setting rp_filter to 2 (loose mode) keeps reverse-path source validation on, but accepts a packet as long as its source address is reachable through any interface rather than only the one it arrived on.<br />
<br />
<pre># Needed to use fwmark<br />
net.ipv4.conf.all.rp_filter = 2<br />
</pre><br />
<br />
fwmark won't work if you have this set to 1.<br />
<br />
== /etc/network/fwmark_rules ==<br />
In this file, we want to put the fwmark rules and set the correct priorities.<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Normal packets to go direct out WAN<br />
/sbin/ip rule add fwmark 1 table ISP prio 100<br />
<br />
# Put packets destined into VPN when VPN is up<br />
/sbin/ip rule add fwmark 2 table VPN prio 200<br />
<br />
# Prevent packets from being routed out when VPN is down.<br />
# This prevents packets from falling back to the main table<br />
# that has a priority of 32766<br />
/sbin/ip rule add prohibit fwmark 2 prio 300</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Next, we want to create the routes that should be set up when PPP comes online. pppd exports the connection's addresses and interface name to ip-up and ip-down as environment variables; see [https://ppp.samba.org/pppd.html#sect13 ppp man page - Scripts]. You can also read about them in your local man page if you have ppp-doc installed.<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd when there's a successful ppp connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table ISP<br />
<br />
# Add route to table from subnets on LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table ISP<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table ISP<br />
<br />
# Add route from IP given by ISP to the table<br />
/sbin/ip rule add from ${IPREMOTE} table ISP prio 100<br />
<br />
# Add a default route<br />
/sbin/ip route add table ISP default via ${IPREMOTE} dev ${IFNAME}</pre><br />
<br />
== /etc/ppp/ip-down ==<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by pppd after the connection has ended.<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${IPREMOTE} table ISP prio 100</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
OpenVPN needs similar routing scripts, and it also has its own environment variables that carry the connection's values. A full list is in the [https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html#lbAS OpenVPN man page - Environmental Variables].<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN when there's a successful VPN connection.<br />
#<br />
<br />
# Flush out any old rules that might be there<br />
/sbin/ip route flush table VPN<br />
<br />
# Add route to table from 192.168.2.0/24 subnet on LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table VPN<br />
<br />
# Add route from VPN interface IP to the VPN table<br />
/sbin/ip rule add from ${ifconfig_local} table VPN prio 200<br />
<br />
# Add a default route<br />
/sbin/ip route add default via ${ifconfig_local} dev ${dev} table VPN</pre><br />
<br />
== /etc/openvpn/route-pre-down-fwmark.sh ==<br />
<br />
<pre>#!/bin/sh<br />
#<br />
# This script is run by OpenVPN after the connection has ended<br />
#<br />
<br />
# Delete the rules when we take the interface down<br />
/sbin/ip rule del from ${ifconfig_local} table VPN prio 200</pre><br />
<br />
What I found was that when stopping the OpenVPN service with:<br />
<br />
{{cmd|service openvpn stop}}<br />
<br />
the rules in route-pre-down-fwmark.sh were not executed.<br />
<br />
However:<br />
<br />
{{cmd|/etc/init.d/openvpn stop}}<br />
<br />
seemed to work correctly.<br />
<br />
== Advanced IPtables rules that allow us to route into our two routing tables ==<br />
This is an expansion of the previous set of rules. It sets up NAT masquerading for the 192.168.2.0/24 subnet to go through the VPN using marked packets.<br />
<br />
I used these guides to complete this: <br />
<br />
* [http://nerdboys.com/2006/05/05/conning-the-mark-multiwan-connections-using-iptables-mark-connmark-and-iproute2 Conning the Mark: Multiwan connections using IPTables, MARK, CONNMARK and iproute2 ]<br />
* [http://nerdboys.com/2006/05/08/multiwan-connections-addendum Multiwan connections addendum]<br />
* [http://inai.de/images/nf-packet-flow.png Netfilter packet flow]<br />
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
#<br />
#########################################################################<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens and "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT things<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check whether the exception (a server which, when accessed from a 192.168.2.0/24 address, goes out via the ISP table) is already marked 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 are 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets 192.168.1.0/24 are 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark the exception (a server which, when accessed from a 192.168.2.0/24 address, goes out via the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Set mark to 0 - This is for the modem. Otherwise it will mark with 0x1 or 0x2<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
<br />
You may want to delete certain rules here that do not apply to you, e.g. the FreeRadius rules. That is covered later in this article.<br />
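The following simulation is an added example, not code from the wiki page: it walks the mangle PREROUTING rules above (MARK, and CONNMARK restore/save for replies) and then the ip rules from /etc/network/fwmark_rules, to show why the prio 300 prohibit rule matters when the VPN is down. It assumes ppp0/tun0 for ${IFNAME}/${dev}, a pppd default route in the main table, and does not model NAT; the addresses are constructed samples.<br />

```python
"""Mark-then-route simulation for the scheme on this page (added example,
not the wiki's code): the mangle PREROUTING rules assign a MARK, restoring
it from CONNMARK for later packets of the same connection; the ip rules in
/etc/network/fwmark_rules pick a table by that mark; and the prio 300
prohibit rule stops 192.168.2.0/24 traffic falling through to the main
table while the VPN is down.  Assumptions: NAT is not modelled, ppp0/tun0
stand in for ${IFNAME}/${dev}, and main holds pppd's default route."""
from ipaddress import ip_address, ip_network

ISP_NET = ip_network("192.168.1.0/24")
VPN_NET = ip_network("192.168.2.0/24")
MODEM = ip_address("192.168.0.1")

conntrack = {}  # connection key -> saved CONNMARK; a reply shares the key


def mangle_prerouting(src, dst):
    """Walk the mangle PREROUTING chain in rule order; return the MARK."""
    src, dst = ip_address(src), ip_address(dst)
    key = frozenset((src, dst))
    mark = conntrack.get(key, 0x0)      # -j CONNMARK --restore-mark
    if src in VPN_NET:
        if mark == 0x2:
            return mark                 # -m mark --mark 0x2 -j ACCEPT ends the chain
        mark = 0x2                      # -j MARK --set-xmark 0x2/0xffffffff
    if src in ISP_NET:
        if mark == 0x1:
            return mark
        mark = 0x1                      # -j MARK --set-xmark 0x1/0xffffffff
    if dst == MODEM:
        mark = 0x0                      # modem traffic must use the main table
    conntrack[key] = mark               # -j CONNMARK --save-mark
    return mark


def build_state(vpn_up):
    """Tables as ip-up and route-up-fwmark.sh leave them, rules as in
    fwmark_rules (the per-source 'from' rules for router traffic omitted)."""
    tables = {
        "ISP": [("192.168.1.0/24", "eth0"), ("192.168.2.0/24", "eth0"),
                ("0.0.0.0/0", "ppp0")],
        # route-up-fwmark.sh has not run (or the table was flushed) when down
        "VPN": [("192.168.2.0/24", "eth0"), ("0.0.0.0/0", "tun0")] if vpn_up else [],
        "main": [("192.168.0.0/30", "eth1"), ("192.168.1.0/24", "eth0"),
                 ("192.168.2.0/24", "eth0"), ("0.0.0.0/0", "ppp0")],
    }
    rules = [  # (prio, fwmark selector or None, action, table)
        (100, 0x1, "lookup", "ISP"),
        (200, 0x2, "lookup", "VPN"),
        (300, 0x2, "prohibit", None),
        (32766, None, "lookup", "main"),
    ]
    return tables, rules


def route(mark, dst, tables, rules):
    """ip rule walk in priority order, longest-prefix match within a table.
    A table with no matching route falls through to the next rule, which is
    what lets the prohibit rule catch marked traffic while the VPN is down."""
    dst = ip_address(dst)
    for _prio, fwmark, action, table in sorted(rules, key=lambda r: r[0]):
        if fwmark is not None and fwmark != mark:
            continue
        if action == "prohibit":
            return "prohibit"           # sender gets EACCES; nothing leaks via ppp0
        best = None
        for prefix, dev in tables[table]:
            net = ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best is not None:
            return best[1]
    return "unreachable"


def egress(src, dst, vpn_up=True):
    """Egress interface for a packet src -> dst, or 'prohibit'."""
    tables, rules = build_state(vpn_up)
    return route(mangle_prerouting(src, dst), dst, tables, rules)


if __name__ == "__main__":
    for src, dst, up in [("192.168.1.10", "198.51.100.7", True),
                         ("192.168.2.20", "198.51.100.7", True),
                         ("192.168.2.20", "198.51.100.7", False),
                         ("198.51.100.7", "192.168.2.20", True),
                         ("192.168.2.20", "192.168.0.1", True)]:
        print(f"{src} -> {dst} (VPN {'up' if up else 'down'}): {egress(src, dst, up)}")
```

Without the prio 300 rule, the third case would fall through to the main table and leave via ppp0 in the clear; with it, the sender gets an error instead.<br />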
<br />
== OpenVPN Routing ==<br />
Usually when you connect with OpenVPN, the remote VPN server will push routes down to your system. We don't want this, as we still want to be able to access the internet without the VPN, and we have already created our own routes earlier in this guide.<br />
<br />
You'll need to add this to the bottom of your OpenVPN configuration file:<br />
<pre># Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh</pre><br />
<br />
My VPNs are arranged like this in /etc/openvpn:<br />
<br />
OpenVPN configuration file for that server:<br />
<pre>countrycode.serverNumber.openvpn.conf</pre><br />
<br />
OpenVPN certs for that server:<br />
<pre>countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.crt<br />
countrycode.serverNumber.openvpn/countrycode.serverNumber.openvpn.key<br />
countrycode.serverNumber.openvpn/myKey.crt<br />
countrycode.serverNumber.openvpn/myKey.key</pre><br />
<br />
So I use this helpful script to automate the process of changing between servers:<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Usage: changevpn.sh countrycode.serverNumber.openvpn<br />
# Points /etc/openvpn/openvpn.conf at that server's .conf (a trailing .conf on<br />
# the argument is accepted too) and appends the custom routing options once.<br />
[ -n "$1" ] || { echo "usage: $0 countrycode.serverNumber.openvpn" >&2; exit 1; }<br />
vpn_server_filename="${1%.conf}.conf"<br />
conf=/etc/openvpn/openvpn.conf<br />
<br />
rm -f "$conf"<br />
ln -s "$vpn_server_filename" "$conf"<br />
chown -R openvpn:openvpn /etc/openvpn<br />
# owner read-only (directories searchable), nothing for group/other<br />
chmod -R a=,u=rX /etc/openvpn<br />
# the hook scripts must stay executable (and readable by the interpreter)<br />
chmod u+x /etc/openvpn/*.sh<br />
<br />
if grep -Fxq "#CustomStuffHere" "$conf"<br />
then<br />
    echo "Not adding custom routes, this server has been used previously"<br />
else<br />
    echo "Adding custom route rules"<br />
    cat <<EOF >> "$conf"<br />
<br />
#CustomStuffHere<br />
# Prevents default gateway from being set on the default routing table<br />
route-noexec<br />
<br />
# Allows route-up script to be executed<br />
script-security 2<br />
<br />
# Calls custom shell script after connection to add necessary routes<br />
route-up /etc/openvpn/route-up-fwmark.sh<br />
route-pre-down /etc/openvpn/route-pre-down-fwmark.sh<br />
<br />
# Logging of OpenVPN to file<br />
#log /etc/openvpn/openvpn.log<br />
EOF<br />
<br />
fi<br />
echo "Remember to set BitTorrent port forward in VPN control panel"</pre><br />
<br />
That way I can simply change between servers by running:<br />
{{cmd|changevpn.sh countrycode.serverNumber.openvpn}}<br />
<br />
and then restart openvpn. I am also reminded to put the port forward through on the VPN control panel so my BitTorrent client is connectable:<br />
<br />
{{cmd|service openvpn restart}}<br />
<br />
Finally, add openvpn to the default runlevel:<br />
{{cmd|rc-update add openvpn default}}<br />
<br />
= Creating a LAN only Subnet =<br />
In this section, we'll create a LAN-only subnet, 192.168.3.0/24. Nodes in it cannot have their packets forwarded to the Internet, but they can be reached from the other LAN subnets, 192.168.1.0/24 and 192.168.2.0/24. This approach doesn't use VLANs, although those would be recommended if you have a managed switch. The subnet is intended for things like WiFi access points, IP phones that contact a local Asterisk server and, of course, printers.<br />
<br />
At the end of this section we will have something like:<br />
<br />
[[File:Network diagram ipv4 tunnel LANONLY ROUTE.svg|900px|center|Network Diagram LAN ONLY Route with IPv4]]<br />
<br />
== /etc/iproute2/rt_tables ==<br />
First we'll add a third routing table:<br />
<br />
<pre>3 LAN</pre><br />
<br />
== /etc/network/interfaces ==<br />
Add an extra virtual interface (really just another IP address on eth0).<br />
<br />
<pre># LAN Only<br />
auto eth0:3<br />
iface eth0:3 inet static<br />
address 192.168.3.1<br />
netmask 255.255.255.0<br />
broadcast 192.168.3.255<br />
post-up /etc/network/route_LAN</pre><br />
<br />
== /etc/network/route_LAN ==<br />
This file will have our routes added to it:<br />
<br />
<pre>#!/bin/sh<br />
<br />
# Add routes from ISP to LAN<br />
/sbin/ip route add 192.168.1.0/24 dev eth0 table LAN<br />
<br />
# Add route from VPN to LAN<br />
/sbin/ip route add 192.168.2.0/24 dev eth0 table LAN<br />
<br />
# Add route from LAN to its own table<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table LAN</pre><br />
<br />
== /etc/ppp/ip-up ==<br />
Append a route to the LAN subnet in the ISP table:<br />
<br />
<pre># Add route to LAN subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table ISP</pre><br />
<br />
== /etc/openvpn/route-up-fwmark.sh ==<br />
Append a route to the LAN subnet in the VPN table:<br />
<br />
<pre># Add route to LAN only subnet<br />
/sbin/ip route add 192.168.3.0/24 dev eth0 table VPN</pre><br />
<br />
== /etc/ntpd.conf ==<br />
Add a listen address for ntp (OpenNTPD).<br />
<br />
You should now have:<br />
<br />
<pre># Addresses to listen on (ntpd does not listen by default)<br />
listen on 192.168.1.1<br />
listen on 192.168.2.1<br />
listen on 192.168.3.1</pre><br />
<br />
Devices needing the correct time will need to use this NTP server because they will not be able to get it from the Internet.<br />
<br />
== Blocking bogons ==<br />
Our LAN now has 4 subnets in total, plus the VPN provider's network:<br />
<br />
* 192.168.0.0/30 (connection between modem and router)<br />
* 192.168.1.0/24 (ISP table, directly routed out WAN)<br />
* 192.168.2.0/24 (VPN table, routed out VPN)<br />
* 192.168.3.0/24 (Null routed subnet for LAN only hosts)<br />
* 172.16.32.0/20 (VPN provider's network, so we can access things on the VPN's network).<br />
<br />
Everything else should be rejected. No packets should ever be forwarded from or to addresses like 192.168.5.2 or 10.0.0.5, for example.<br />
<br />
=== Installing ipset ===<br />
Install ipset:<br />
<br />
{{cmd|apk add ipset}}<br />
<br />
Add it to start up:<br />
{{cmd|rc-update add ipset default}}<br />
<br />
Now we need to load the lists of addresses into ipset. [http://blog.ls20.com/securing-your-server-using-ipset-and-dynamic-blocklists Securing Your Server using IPset and Dynamic Blocklists] mentions a [https://gist.github.com/hwdsl2/6dce75072274abfd2781 script] which was particularly useful. This script could be run from a cron job if you want to update the list regularly; for the full bogon list you should, as it changes whenever address space is allocated.<br />
<br />
For the purpose of this guide we will be using just the [https://files.pfsense.org/lists/bogon-bn-nonagg.txt bogon-bn-nonagg.txt] list:<br />
<br />
<pre>0.0.0.0/8<br />
10.0.0.0/8<br />
100.64.0.0/10<br />
127.0.0.0/8<br />
169.254.0.0/16<br />
172.16.0.0/12<br />
192.0.0.0/24<br />
192.0.2.0/24<br />
192.168.0.0/16<br />
198.18.0.0/15<br />
198.51.100.0/24<br />
203.0.113.0/24<br />
224.0.0.0/4<br />
240.0.0.0/4</pre><br />
<br />
This is unlikely to change as it is the IPv4 [https://en.wikipedia.org/wiki/Reserved_IP_addresses Reserved IP addresses] space. The script (it needs bash and GNU wget, so run <code>apk add bash wget</code> first; BusyBox wget has no -N option):<br />
<br />
<pre>#! /bin/bash<br />
<br />
# /usr/local/sbin/fullbogons-ipv4<br />
# BoneKracker<br />
# Rev. 11 October 2012<br />
# Tested with ipset 6.13<br />
<br />
# Purpose: Periodically update an ipset used in a running firewall to block<br />
# bogons. Bogons are addresses that nobody should be using on the public<br />
# Internet because they are either private, not to be assigned, or have<br />
# not yet been assigned.<br />
#<br />
# Notes: Call this from crontab. Feed updated every 4 hours.<br />
<br />
# target="http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt"<br />
# Use alternative URL from pfSense, due to 404 error with URL above<br />
target="https://files.pfsense.org/lists/bogon-bn-nonagg.txt"<br />
ipset_params="hash:net"<br />
<br />
filename=$(basename ${target})<br />
firewall_ipset=${filename%.*} # ipset will be filename minus ext<br />
data_dir="/var/tmp/${firewall_ipset}" # data directory will be same<br />
data_file="${data_dir}/${filename}" # wget -P saves the file under its basename<br />
<br />
# if data directory does not exist, create it<br />
mkdir -pm 0750 ${data_dir}<br />
<br />
# function to get modification time of the file in log-friendly format<br />
get_timestamp() {<br />
date -r $1 +%m/%d' '%R<br />
}<br />
<br />
# file modification time on server is preserved during wget download<br />
[ -w ${data_file} ] && old_timestamp=$(get_timestamp ${data_file})<br />
<br />
# fetch file only if newer than the version we already have<br />
wget -qNP ${data_dir} ${target}<br />
<br />
if [ "$?" -ne "0" ]; then<br />
logger -p cron.err "IPSet: ${firewall_ipset} wget failed."<br />
exit 1<br />
fi<br />
<br />
timestamp=$(get_timestamp ${data_file})<br />
<br />
# compare timestamps because wget returns success even if no newer file<br />
if [ "${timestamp}" != "${old_timestamp}" ]; then<br />
<br />
temp_ipset="${firewall_ipset}_temp"<br />
ipset create ${temp_ipset} ${ipset_params}<br />
<br />
#sed -i '/^#/d' ${data_file} # strip comments<br />
sed -ri '/^[#< \t]|^$/d' ${data_file} # occasionally the file has been xhtml<br />
<br />
while read network; do<br />
ipset add ${temp_ipset} ${network}<br />
done < ${data_file}<br />
<br />
# if ipset does not exist, create it<br />
ipset create -exist ${firewall_ipset} ${ipset_params}<br />
<br />
# swap the temp ipset for the live one<br />
ipset swap ${temp_ipset} ${firewall_ipset}<br />
ipset destroy ${temp_ipset}<br />
<br />
# log the file modification time for use in minimizing lag in cron schedule<br />
logger -p cron.notice "IPSet: ${firewall_ipset} updated (as of: ${timestamp})."<br />
<br />
fi</pre><br />
<br />
Now you should see the list loaded into memory when you do:<br />
<br />
{{cmd|ipset list}}<br />
<br />
We want to save it so our router can refer to it next time it starts up. To do that:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
=== Adding our allowed networks ===<br />
<br />
==== IPv4 ====<br />
{{cmd|ipset create allowed-nets-ipv4 hash:net,iface family inet}}<br />
<br />
Then you can add each of your allowed networks:<br />
<br />
<pre>ipset add allowed-nets-ipv4 192.168.0.0/30,eth1<br />
ipset add allowed-nets-ipv4 192.168.1.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.2.0/24,eth0<br />
ipset add allowed-nets-ipv4 192.168.3.0/24,eth0<br />
ipset add allowed-nets-ipv4 127.0.0.0/8,lo<br />
ipset add allowed-nets-ipv4 172.16.32.0/20,tun0</pre><br />
<br />
==== IPv6 ====<br />
For IPv6, if you've got any [https://en.wikipedia.org/wiki/Unique_local_address Unique local address] ranges you may choose to add them:<br />
<br />
{{cmd|ipset create allowed-nets-ipv6 hash:net,iface family inet6}}<br />
<br />
<pre>ipset add allowed-nets-ipv6 fde4:8dba:82e1::/48,tun0<br />
ipset add allowed-nets-ipv6 fde4:8dba:82e1:ffff::/64,eth0</pre><br />
<br />
Finally, save the sets with this command so they can be loaded at the next boot:<br />
<br />
{{cmd|/etc/init.d/ipset save}}<br />
<br />
== Restricting our LAN subnet with iptables, and blocking the bogons ==<br />
Finally, we can apply our iptables rules, both to restrict 192.168.3.0/24 and to make sure that subnets like 192.168.5.0/24 are neither forwarded nor able to reach the router. You will need to review these rules and remove the ones that do not apply to you.<br />
<br />
Don't forget to change your RADIUS rules if you moved your WiFi APs into the 192.168.3.0/24 subnet. You'll also need to edit /etc/raddb/clients.conf.<br />
<br />
I used a new table here called "raw". This table is more primitive than the filter table: it has no FORWARD or INPUT chains. Therefore you will still need a FORWARD rule in your filter table to block bogons originating from your LAN.<br />
<br />
The only chains available here are PREROUTING and OUTPUT. The OUTPUT rules only filter traffic originating from the router's own processes, for example if we ran the ping command against a bogon range from the router's command prompt.<br />
<br />
Traffic passes through the raw table before connection tracking and marking, as shown in this packet flow map: [http://inai.de/images/nf-packet-flow.png Netfilter packet flow graph]. This means we no longer have to strip the mark off the bogon ranges in the mangle table.<br />
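As an added example (not the wiki's code), the Python below walks the raw-table PREROUTING chain from the ruleset that follows using the allowed-nets-ipv4 entries from the ipset section, and parses a bogon list the way the update script's sed does. The list text and the test addresses are constructed samples; the point it makes is that the VPN-provider accept rules have to come before the bogon drop, because 172.16.32.0/20 sits inside the 172.16.0.0/12 bogon.<br />

```python
"""Model of the raw-table PREROUTING chain on this page with the ipset
contents from the sections above (added example, not the wiki's code).
BOGON_TEXT is a constructed sample in the shape of bogon-bn-nonagg.txt,
including the kind of stray HTML line that the update script strips."""
from ipaddress import ip_address, ip_network

BOGON_TEXT = """\
# constructed sample; the real feed is https://files.pfsense.org/lists/bogon-bn-nonagg.txt
<html>
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4

240.0.0.0/4
"""


def parse_bogons(text):
    """Same filter as the script's sed: drop blank lines and lines starting
    with '#', '<', space or tab (the feed has occasionally been XHTML)."""
    nets = []
    for line in text.splitlines():
        if not line or line[0] in "#< \t":
            continue
        nets.append(ip_network(line.strip()))
    return nets


BOGONS = parse_bogons(BOGON_TEXT)
VPN_PROVIDER = ip_network("172.16.32.0/20")

# allowed-nets-ipv4 (hash:net,iface) exactly as populated in the ipset section
ALLOWED_NETS = [
    (ip_network("192.168.0.0/30"), "eth1"),
    (ip_network("192.168.1.0/24"), "eth0"),
    (ip_network("192.168.2.0/24"), "eth0"),
    (ip_network("192.168.3.0/24"), "eth0"),
    (ip_network("127.0.0.0/8"), "lo"),
    (VPN_PROVIDER, "tun0"),
]


def is_bogon(addr):
    return any(addr in net for net in BOGONS)


def raw_prerouting(src, iface, dst=None):
    """Walk the raw PREROUTING chain in rule order and return the verdict:
    'ACCEPT', 'LOG_DROP_BOGON', or 'POLICY' when nothing matched and the
    chain's ACCEPT policy hands the packet on (the filter table's FORWARD
    policy of DROP then finishes the job for unknown LAN sources)."""
    src = ip_address(src)
    # -A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT
    if iface == "tun0" and src in VPN_PROVIDER:
        return "ACCEPT"
    # -A PREROUTING -d 172.16.32.0/20 -j ACCEPT
    if dst is not None and ip_address(dst) in VPN_PROVIDER:
        return "ACCEPT"
    # -A PREROUTING -i ppp0|tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON
    # (after the VPN-provider rules: 172.16.32.0/20 lies inside the 172.16.0.0/12 bogon)
    if iface in ("ppp0", "tun0") and is_bogon(src):
        return "LOG_DROP_BOGON"
    # -A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT
    if any(src in net and iface == dev for net, dev in ALLOWED_NETS):
        return "ACCEPT"
    return "POLICY"


if __name__ == "__main__":
    for src, iface in [("192.168.1.10", "eth0"), ("192.168.1.10", "ppp0"),
                       ("172.16.32.5", "tun0"), ("10.0.0.5", "tun0"),
                       ("192.168.5.2", "eth0")]:
        print(f"{src:>14} in on {iface}: {raw_prerouting(src, iface)}")
```

A LAN address arriving on ppp0 is the spoofing case the bogon rule exists for; the same address on eth0 is accepted via the allowed set.<br />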
<br />
<pre>#########################################################################<br />
# Advanced routing rule set<br />
# Uses 192.168.1.0 via ISP<br />
# 192.168.2.0 via VPN<br />
# 192.168.3.0 via LAN<br />
#<br />
# Packets to/from 192.168.1.0/24 are marked with 0x1 and routed to ISP<br />
# Packets to/from 192.168.2.0/24 are marked with 0x2 and routed to VPN<br />
# Packets to/from 192.168.3.0/24 are routed to LAN and not forwarded onto<br />
# the internet<br />
#<br />
#########################################################################<br />
<br />
#<br />
# Raw Table<br />
# This table is the place where we drop all illegal packets from networks that<br />
# do not exist<br />
#<br />
*raw<br />
:PREROUTING ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Allows traffic from VPN tunnel<br />
-A PREROUTING -s 172.16.32.0/20 -i tun0 -j ACCEPT<br />
<br />
# Allows traffic to VPN tunnel<br />
-A PREROUTING -d 172.16.32.0/20 -j ACCEPT<br />
<br />
# Block specified bogons coming in from ISP and VPN<br />
# (unlikely to happen as they filter them on their router)<br />
-A PREROUTING -i ppp0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
-A PREROUTING -i tun0 -m set --match-set bogon-bn-nonagg src -j LOG_DROP_BOGON<br />
<br />
# Allows my excepted ranges.<br />
-A PREROUTING -m set --match-set allowed-nets-ipv4 src,src -j ACCEPT<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Log drop chain<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon (ipv4) : " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Block packets originating from the router destined to bogon ranges<br />
-A OUT_PPP0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Blocks packets originating from the router destined to bogon ranges<br />
-A OUT_TUN0 -d 172.16.32.0/20 -j ACCEPT<br />
-A OUT_TUN0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
COMMIT<br />
<br />
#<br />
# NAT Table<br />
# This is where translation of packets happens as well as "forwarding" of ports<br />
# to specific hosts.<br />
#<br />
*nat<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Port forwarding for Bittorrent<br />
-A PREROUTING -i tun0 -p tcp -m tcp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
-A PREROUTING -i tun0 -p udp -m udp --dport 6881:6889 -j DNAT --to-destination 192.168.2.20<br />
<br />
# Allows routing to our modem subnet so we can access the web interface<br />
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
-A POSTROUTING -s 192.168.2.0/24 -d 192.168.0.1/32 -o eth1 -p tcp -m tcp --dport 80 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the VPN tunnel<br />
-A POSTROUTING -o tun0 -j MASQUERADE<br />
<br />
# Allows hosts of the network to use the PPP tunnel<br />
-A POSTROUTING -o ppp0 -j MASQUERADE<br />
COMMIT<br />
<br />
#<br />
# Filter Table<br />
# This is where we decide to ACCEPT, DROP or REJECT packets<br />
#<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
<br />
# Create rule chain per input interface for forwarding packets<br />
:FWD_ETH0 - [0:0]<br />
:FWD_ETH1 - [0:0]<br />
:FWD_PPP0 - [0:0]<br />
:FWD_TUN0 - [0:0]<br />
<br />
# Create rule chain per input interface for input packets (for host itself)<br />
:IN_ETH0 - [0:0]<br />
:IN_ETH1 - [0:0]<br />
:IN_PPP0 - [0:0]<br />
:IN_TUN0 - [0:0]<br />
<br />
# Create a drop chain<br />
:LOG_DROP - [0:0]<br />
<br />
# Create a log drop chain<br />
:LOG_DROP_BOGON - [0:0]<br />
<br />
# Create a reject chain<br />
:LOG_REJECT_LANONLY - [0:0]<br />
<br />
# Create an output chain<br />
:OUT_PPP0 - [0:0]<br />
:OUT_TUN0 - [0:0]<br />
<br />
# Pass input packet to corresponding rule chain<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -i eth0 -j IN_ETH0<br />
-A INPUT -i eth1 -j IN_ETH1<br />
-A INPUT -i ppp0 -j IN_PPP0<br />
-A INPUT -i tun0 -j IN_TUN0<br />
<br />
# Track forwarded packets<br />
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Pass forwarded packet to corresponding rule chain<br />
-A FORWARD -i eth0 -j FWD_ETH0<br />
-A FORWARD -i eth1 -j FWD_ETH1<br />
-A FORWARD -i ppp0 -j FWD_PPP0<br />
-A FORWARD -i tun0 -j FWD_TUN0<br />
<br />
# Pass output interface to corresponding chain<br />
-A OUTPUT -o ppp0 -j OUT_PPP0<br />
-A OUTPUT -o tun0 -j OUT_TUN0<br />
<br />
# Forward traffic to Modem<br />
-A FWD_ETH0 -d 192.168.0.1/32 -j ACCEPT<br />
<br />
# Allow routing to remote address on VPN<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 172.16.32.1/32 -o tun0 -j ACCEPT<br />
<br />
# Allow forwarding from LAN hosts to LAN ONLY subnet<br />
-A FWD_ETH0 -s 192.168.1.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT<br />
<br />
# Allow LAN ONLY subnet to contact other LAN hosts<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.1.0/24 -j ACCEPT<br />
-A FWD_ETH0 -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT<br />
<br />
# Refuse to forward bogons to the internet!<br />
-A FWD_ETH0 -m set --match-set bogon-bn-nonagg dst -j LOG_DROP_BOGON<br />
<br />
# Forward traffic to ISP<br />
-A FWD_ETH0 -s 192.168.1.0/24 -j ACCEPT<br />
<br />
# Forward traffic to VPN<br />
-A FWD_ETH0 -s 192.168.2.0/24 -j ACCEPT<br />
<br />
# Prevent 192.168.3.0/24 from accessing internet<br />
-A FWD_ETH0 -s 192.168.3.0/24 -j LOG_REJECT_LANONLY<br />
<br />
# Allow excepted server to be FORWARD to ppp0<br />
#-A FWD_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# Forward SSH packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward HTTP packets from network to modem<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_ETH1 -s 192.168.0.1/32 -d 192.168.2.0/24 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Forward Bittorrent Port to workstation<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p tcp -m tcp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A FWD_TUN0 -d 192.168.2.20/32 -p udp -m udp --dport 6881:6889 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# SSH to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# DNS to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
# FreeRadius Client (eg a UniFi AP)<br />
-A IN_ETH0 -s 192.168.3.10/32 -p tcp -m tcp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 1812 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Ubiquiti UAP Device Discovery Broadcast<br />
-A IN_ETH0 -s 192.168.3.10/32 -p udp -m udp --dport 10001 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# NTP to Router<br />
-A IN_ETH0 -s 192.168.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.3.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept traffic to router on both subnets<br />
-A IN_ETH0 -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
-A IN_ETH0 -s 192.168.2.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Allow excepted server to be INPUT to eth0 from LAN<br />
#-A IN_ETH0 -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -o ppp0 -j ACCEPT<br />
<br />
# SSH To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# HTTP To Modem from Router<br />
-A IN_ETH1 -s 192.168.0.1/32 -d 192.168.0.0/30 -p tcp -m tcp --sport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<br />
<br />
# Accept incoming tracked PPP0 connection<br />
-A IN_PPP0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on PPP0<br />
-A IN_PPP0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_PPP0 -j LOG_DROP<br />
<br />
# Accept incoming tracked TUN0 connection<br />
-A IN_TUN0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
# Log dropped packets coming in on TUN0<br />
-A IN_TUN0 -j LOG --log-prefix "DROP:INPUT (ipv4) " --log-level 6<br />
-A IN_TUN0 -j LOG_DROP<br />
<br />
# Log dropped bogons that never got forwarded<br />
-A LOG_DROP_BOGON -j LOG --log-prefix "Dropped Bogon forward (ipv4) " --log-level 6<br />
-A LOG_DROP_BOGON -j DROP<br />
<br />
# Log rejected packets<br />
-A LOG_REJECT_LANONLY -j LOG --log-prefix "Rejected packet from LAN only range : " --log-level 6<br />
-A LOG_REJECT_LANONLY -j REJECT --reject-with icmp-port-unreachable<br />
COMMIT<br />
<br />
#<br />
# Mangle Table<br />
# This is the place where our markings happen, whether they be 0x1 or 0x2<br />
#<br />
*mangle<br />
<br />
# Set default policies for table<br />
:PREROUTING ACCEPT [0:0]<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:POSTROUTING ACCEPT [0:0]<br />
<br />
# Restore CONNMARK to the MARK (If one doesn't exist then no mark is set)<br />
-A PREROUTING -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
<br />
# If packet MARK is 2, then it means there is already a connection mark and the<br />
# original packet came in on VPN<br />
-A PREROUTING -s 192.168.2.0/24 -m mark --mark 0x2 -j ACCEPT<br />
<br />
# Check that the exception (a server which, when accessed from a 192.168.2.0/24 address, goes out via the ISP table) is already marked 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets coming from 192.168.2.0/24 as 0x2<br />
-A PREROUTING -s 192.168.2.0/24 -j MARK --set-xmark 0x2/0xffffffff<br />
<br />
# If packet MARK is 1, then it means there is already a connection mark and the<br />
# original packet came in on ISP<br />
-A PREROUTING -s 192.168.1.0/24 -m mark --mark 0x1 -j ACCEPT<br />
<br />
# Mark packets from 192.168.1.0/24 as 0x1<br />
-A PREROUTING -s 192.168.1.0/24 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Mark the exception (a server which, when accessed from a 192.168.2.0/24 address, goes out via the ISP table) as 0x1<br />
#-A PREROUTING -s 192.168.2.0/24 -d <IP_OF_EXCEPTED_SERVER>/32 -j MARK --set-xmark 0x1/0xffffffff<br />
<br />
# Strip mark if packet is destined for modem<br />
-A PREROUTING -d 192.168.0.1/32 -j MARK --set-xmark 0x0/0xffffffff<br />
<br />
# Save MARK to CONNMARK (remember iproute can't see CONNMARKs)<br />
-A PREROUTING -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff<br />
COMMIT</pre><br />
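<br />
The LOG chains above tag dropped and rejected packets with distinct prefixes. The following shell function, added here as an example and not part of the wiki page, summarises such kernel log lines per prefix and source address so that a port scan on ppp0 or a LAN-only host trying to reach the internet stands out. It assumes the standard netfilter LOG line layout (syslog or plain dmesg form) and runs over constructed sample lines.<br />

```shell
# Added example, not part of the wiki page: summarise the kernel LOG lines that
# the LOG_DROP, LOG_DROP_BOGON and LOG_REJECT_LANONLY chains produce.
# Assumes the standard netfilter LOG line layout
# ("<prefix>IN=... OUT=... SRC=... DST=... PROTO=... DPT=..."), either from
# syslog ("... kernel: [ts] ...") or straight from dmesg ("[ts] ...").

# Constructed sample lines (not captured from a real router); documentation
# address ranges stand in for the internet side.
SAMPLE_LOG='Mar 29 10:00:01 router kernel: [ 1234.000000] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 29 10:00:02 router kernel: [ 1235.000000] DROP:INPUT (ipv4) IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
[ 1236.000000] DROP:INPUT (ipv4) IN=tun0 OUT= MAC= SRC=198.18.0.5 DST=10.8.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar 29 10:00:04 router kernel: [ 1237.000000] Dropped Bogon forward (ipv4) IN=eth0 OUT=ppp0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.20 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 29 10:00:05 router kernel: [ 1238.000000] Rejected packet from LAN only range : IN=eth0 OUT=ppp0 MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.3.10 DST=198.51.100.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# fw_log_summary: read log lines on stdin and print
# "count<TAB>prefix<TAB>src<TAB>dports", busiest (prefix, source) pair first.
# dports lists the distinct destination ports that source was seen hitting.
fw_log_summary() {
    awk '
    / IN=/ && / SRC=/ {
        line = $0
        sub(/^.*kernel: /, "", line)          # syslog form: drop date, host, "kernel:"
        sub(/^\[ *[0-9.]+\] */, "", line)     # dmesg form: drop the "[ seconds]" stamp
        prefix = substr(line, 1, index(line, "IN=") - 1)
        sub(/ +$/, "", prefix)                # the --log-prefix value without its trailing space
        src = "?"; dpt = "-"                  # "-" for protocols without ports (e.g. ICMP)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        key = prefix "\t" src
        count[key]++
        if (!((key, dpt) in seen)) {          # remember each distinct port once
            seen[key, dpt] = 1
            ports[key] = (ports[key] == "" ? dpt : ports[key] "," dpt)
        }
    }
    END {
        for (k in count) printf "%d\t%s\t%s\n", count[k], k, ports[k]
    }' | sort -rn
}

printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

On the router, feed it real data with <code>dmesg | fw_log_summary</code> or <code>grep 'DROP:INPUT' /var/log/messages | fw_log_summary</code>.<br />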
<br />
= Other Tips =<br />
<br />
== Diagnosing firewall problems ==<br />
<br />
=== netcat, netcat6 ===<br />
Netcat can be useful for testing whether a port is open, closed or filtered.<br />
<br />
{{cmd|apk add netcat-openbsd}}<br />
<br />
After installing netcat, we can use it like this:<br />
<br />
Say we wanted to test IPv6, UDP, port 547; we would run this on the router:<br />
<br />
{{cmd|nc -6 -u -l 547}}<br />
<br />
and then this on the client to connect to it:<br />
<br />
{{cmd|nc -u -v -6 2001:0db8:1234:0001::1 547}}<br />
<br />
=== tcpdump ===<br />
<br />
tcpdump can also be useful for dumping the contents of packets coming in on an interface:<br />
<br />
{{cmd|apk add tcpdump}}<br />
<br />
Then we can run it. This example captures all UDP DNS traffic originating from 192.168.2.20:<br />
<br />
{{cmd|tcpdump -i eth0 udp and src 192.168.2.20 and port 53}}<br />
<br />
You can write the capture to a file with the -w option and view it in Wireshark on your workstation. You can increase the verbosity with the -v option; -vv and -vvv show progressively more detail.<br />
<br />
== lbu cache ==<br />
Configure the lbu cache so that you don't need to download packages again when you restart your router; see [[Local APK cache]].<br />
<br />
This is particularly important as some of the images do not contain ppp-pppoe. This might mean you're unable to get an internet connection to download the other packages on boot.<br />
<br />
== lbu encryption /etc/lbu/lbu.conf ==<br />
In /etc/lbu/lbu.conf you might want to enable encryption to protect your VPN keys.<br />
<br />
<pre># what cipher to use with -e option<br />
DEFAULT_CIPHER=aes-256-cbc<br />
<br />
# Uncomment the row below to encrypt config by default<br />
ENCRYPTION=$DEFAULT_CIPHER<br />
<br />
# Uncomment below to avoid <media> option to 'lbu commit'<br />
# Can also be set to 'floppy'<br />
LBU_MEDIA=mmcblk0p1<br />
<br />
# Set the LBU_BACKUPDIR variable in case you prefer to save the apkovls<br />
# in a normal directory instead of mounting an external medium.<br />
# LBU_BACKUPDIR=/root/config-backups<br />
<br />
# Uncomment below to let lbu make up to 3 backups<br />
# BACKUP_LIMIT=3</pre><br />
<br />
Remember to set a root password; by default Alpine Linux's root account is passwordless.<br />
{{cmd|passwd root}}<br />
<br />
== Backup apkprov ==<br />
It's a good idea to back up your apkovl (the apk overlay that holds the router's configuration). You can pull it from your router to your local workstation with:<br />
<br />
{{cmd|scp -r root@192.168.2.1:/media/mmcblk0p1/<YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc ./}}<br />
<br />
And decrypt it with:<br />
{{cmd|openssl enc -d -aes-256-cbc -in <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc -out <YOUR HOST NAME>.apkovl.tar.gz}}<br />
<br />
It can be encrypted with:<br />
{{cmd|openssl aes-256-cbc -salt -in <YOUR HOST NAME>.apkovl.tar.gz -out <YOUR HOST NAME>.apkovl.tar.gz.aes-256-cbc}}<br />
<br />
== Harden SSH ==<br />
<br />
=== Generate a SSH key ===<br />
{{cmd|ssh-keygen -t rsa -b 4096}}<br />
<br />
You will want to put the contents of id_rsa.pub in /etc/ssh/authorized_keys<br />
<br />
You can put multiple public keys on multiple lines if more than one person has access to the router.<br />
<br />
=== /etc/ssh/sshd_config ===<br />
A couple of good options to set in here can be:<br />
<br />
<pre>ListenAddress 192.168.1.1<br />
ListenAddress 192.168.2.1</pre><br />
<br />
While this isn't usually a good idea, a router doesn't need more than one user. Since password authentication is disabled below, <code>PermitRootLogin prohibit-password</code> (OpenSSH 7.0 and later) gives the same key-based access while refusing any password login as root even if that option is later re-enabled.<br />
<pre>PermitRootLogin yes</pre><br />
<br />
The most important options (note that <code>RSAAuthentication</code> only ever applied to SSH protocol 1, whose server support was removed in OpenSSH 7.4; current sshd ignores it with a deprecation warning, and <code>PubkeyAuthentication</code> is the option that counts):<br />
<pre>RSAAuthentication yes<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile /etc/ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
AllowTcpForwarding no<br />
X11Forwarding no</pre><br />
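<br />
To check that a router's sshd_config really carries the settings above, the following POSIX shell audit, added here as an example and not part of the wiki page, reads the globally effective value of each keyword and compares it against the recommended value. It assumes sshd's documented semantics: the first occurrence of a keyword wins, settings after a <code>Match</code> line are conditional, and unset keywords take the defaults listed in sshd_config(5).<br />

```shell
# Added example, not from the wiki page: audit a sshd_config against the
# options recommended on this page. Assumes sshd's documented behaviour:
# the FIRST occurrence of a keyword wins, everything after a "Match" line is
# conditional (so not global), and unset keywords use the sshd_config(5) defaults.

# sshd_effective <config> <keyword>
# Print the globally effective value of a keyword (case-insensitive), or
# nothing if it is not set before the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match" { exit }                 # global section ends here
        tolower($1) == key { print $2; exit }           # first occurrence wins
    ' "$1"
}

# audit_sshd_config <config>
# Prints one OK/FAIL line per check; the return value is the number of failures.
audit_sshd_config() {
    conf=$1
    fails=0
    # Keyword=wanted=sshd_default (the default applies when the keyword is unset)
    for spec in PubkeyAuthentication=yes=yes \
                PasswordAuthentication=no=yes \
                PermitEmptyPasswords=no=no \
                AllowTcpForwarding=no=yes \
                X11Forwarding=no=no; do
        key=${spec%%=*}; rest=${spec#*=}
        want=${rest%%=*}; dflt=${rest#*=}
        got=$(sshd_effective "$conf" "$key")
        eff=$(printf '%s' "${got:-$dflt}" | tr 'A-Z' 'a-z')
        if [ "$eff" = "$want" ]; then
            echo "OK   $key ${got:-(default $dflt)}"
        else
            echo "FAIL $key is ${got:-unset (default $dflt)}, want $want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not a real router's file): the ListenAddress lines
# from this page, the password option left commented out by mistake, and a
# Match block whose settings must not be mistaken for global ones.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ListenAddress 192.168.1.1
ListenAddress 192.168.2.1
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys
#PasswordAuthentication no
AllowTcpForwarding no
Match Address 192.168.2.0/24
    PasswordAuthentication no
    X11Forwarding yes
EOF

# Only PasswordAuthentication fails here: it is unset globally, so sshd's
# default of "yes" applies regardless of the Match block.
audit_sshd_config "$SAMPLE_CONF" || echo "$? check(s) failed"
```

Run <code>audit_sshd_config /etc/ssh/sshd_config</code> on the router after editing; a non-zero exit status means at least one recommended option is not in effect.<br />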
<br />
=== /etc/conf.d/sshd ===<br />
You will want to add <pre>rc_need="net"</pre><br />
<br />
This instructs OpenRC to make sure the network is up before starting SSH.<br />
<br />
Finally add sshd to the default run level<br />
{{cmd|rc-update add sshd default}}<br />
<br />
<br />
Additionally you may want to look at [https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell] and tighten OpenSSH's cryptography options.<br />
<br />
= References =<br />
* https://wiki.gentoo.org/wiki/Home_Router<br />
* https://help.ubuntu.com/community/ADSLPPPoE<br />
* https://wiki.archlinux.org/index.php/Router<br />
* https://wiki.gentoo.org/wiki/IPv6_router_guide<br />
* [https://vk5tu.livejournal.com/37206.html IPv6 at home, under the hood with Debian Wheezy and Internode]<br />
* [http://vk5tu.livejournal.com/43059.html Raspberry Pi random number generator]<br />
* [https://www.raspberrypi.org/forums/viewtopic.php?f=56&t=60569 rng-tools post by ktb]<br />
<br />
[[category: VPN]]<br />
[[category: Raspberry]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=RPI_Video_Receiver&diff=20122RPI Video Receiver2021-08-26T02:35:24Z<p>Bt129: /* Raspberry Pi Video Receiver */</p>
<hr />
<div>= Raspberry Pi Video Receiver =<br />
<br />
One of the benefits of using Alpine Linux is that the SD/MMC is always mounted read-only. It will not wear out, and it's safe to power-off the device any time. Additionally the boot process has been given a professional look so that only the splash screen is displayed.<br />
<br />
The boot time is about 60 seconds. It should speed up ~10 seconds after https://bugs.freedesktop.org/show_bug.cgi?id=64766 is fixed.<br />
<br />
Quick demo:<br />
* Format SD/MMC with one primary partition, FAT32 file system<br />
* Extract http://nl.alpinelinux.org/alpine/v3.1/releases/armhf/alpine-rpi-3.1.1-armhf.rpi.tar.gz to the SD/MMC card<br />
* Extract http://dev.alpinelinux.org/~tteras/rpi-video-decoder.tar.gz on top of that<br />
<br />
The overlay image contains the following changes:<br />
* fbsplash.ppm provides the splash screen with the Alpine logo<br />
* cmdline.txt has "blacklist=fbcon" appended to disable video console<br />
* a default overlay is provided to play BBC world news<br />
* root password is set to 'rpi'<br />
<br />
To build the configuration overlay:<br />
<nowiki><br />
apk add openssh chrony omxplayer<br />
vi /etc/network/interfaces # eth0 configured for dhcp<br />
vi /etc/conf.d/omxplayer # to configure TV-channel URL<br />
rc-update add networking<br />
rc-update add chronyd<br />
rc-update add sshd<br />
rc-update add omxplayer<br />
rc<br />
rm /etc/ssh/ssh_host_* # so you get new ssh key on boot<br />
lbu commit</nowiki><br />
<br />
[[Category:Hardware]]<br />
[[Category:Embedded Systems]]<br />
[[Category:Installation]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Classic_install_or_sys_mode_on_Raspberry_Pi&diff=20119Classic install or sys mode on Raspberry Pi2021-08-25T08:52:13Z<p>Bt129: </p>
<hr />
<div>{{TOC right}}<br />
<br />
A how-to for classic ("sys mode") installation.<br />
<br />
This method works with a desktop PC under Ubuntu and other Linuxes.<br />
<br />
= Preparation =<br />
<br />
Download the archive from the '''Raspberry Pi armhf''' link [https://alpinelinux.org/downloads/ here].<br />
'''Sha256''' and '''GPG''' links appear next to the link to check the download.<br />
<br />
Create two partitions on an 8 GB (or larger) class 10 sd-card:<br />
* First one, a '''fat16''' type, of 256MB. You may have to set <code>boot</code> and <code>lba</code> flags<br />
* The second one, an '''ext4''' type, occupying the remaining space on the media<br />
<br />
Eject and re-insert your SD card to ensure recognition of all the partitions.<br />
<br />
Go into the first partition ('''fat16''').<br />
<br />
Untar the archive with {{pkg|tar}}:<br />
tar zxvf ~/Download/alpine-rpi-*-armhf.tar.gz<br />
<br />
Due to a bug, it is recommended to add a file named <code>usercfg.txt</code> into the partition. The file should contain the following single line:<br />
<br />
enable_uart=1<br />
<br />
For headless use, you can add the following parameters to maximize available memory (32 megs is required for the rpi bootloader):<br />
<br />
gpu_mem=32<br />
<br />
to enable audio support:<br />
<br />
dtparam=audio=on<br />
<br />
Eject the SD card properly. Insert it into the Raspberry Pi. Plug in a usb keyboard as well as the HDMI and network cables. Power on.<br />
<br />
When the command prompt displays, log in as root. (no password)<br />
<br />
== OSX Preparation: creating a FAT16 partition on microSD ==<br />
<br />
To create a FAT16 partition with OSX, use the diskutil program and a USB microSD card reader (I used an older version of this: https://www.bestbuy.com/site/insignia-usb-3-0-memory-card-reader/5787406.p?skuId=5787406).<br />
<br />
Put the microSD card in the reader. Connect the reader to a USB port and type <code>ls -1 /Volumes</code> in a terminal. Note the name of the microSD volume; for example, VOL1 in the output below:<br />
$ ls -1 /Volumes<br />
Macintosh HD<br />
Preboot<br />
VOL1<br />
$<br />
<br />
Unmount the reader. Disconnect it and re-run <code>ls -1 /Volumes</code>. Verify the microSD volume name is no longer listed, then re-insert the USB reader.<br />
<br />
Find the mount point of your microSD volume. For example, disk3 in the output below:<br />
$ diskutil list VOL1<br />
/dev/disk3 (external, physical):<br />
#: TYPE NAME SIZE IDENTIFIER<br />
0: FDisk_partition_scheme *31.4 GB disk3<br />
1: DOS_FAT_16 VOL1 256.0 MB disk3s1<br />
2: Linux 30.0 GB disk3s2<br />
3: Linux_Swap 1.2 GB disk3s3<br />
$<br />
<br />
(For help with the diskutil command, type <code>diskutil</code> to list all command verbs. For help on a specific verb, add the verb. For example, <code>diskutil partitionDisk</code>)<br />
<br />
Destroy all the existing partitions on the microSD card and create two new ones: <br />
# a 256MB, FAT16, DOS-compatible partition and <br />
# a free space gap for the rest of the card<br />
<br />
$ diskutil partitionDisk disk3 MBR "MS-DOS FAT16" VOL1 256MB "Free Space" VOL2 R<br />
Started partitioning on disk3<br />
Unmounting disk<br />
Creating the partition map<br />
Waiting for partitions to activate<br />
Formatting disk3s1 as MS-DOS (FAT16) with name VOL1<br />
512 bytes per physical sector<br />
/dev/rdisk3s1: 499472 sectors in 62434 FAT16 clusters (4096 bytes/cluster)<br />
bps=512 spc=8 res=1 nft=2 rde=512 mid=0xf8 spf=244 spt=32 hds=32 hid=2 drv=0x80 bsec=500000<br />
Mounting disk<br />
Finished partitioning on disk3<br />
/dev/disk3 (external, physical):<br />
#: TYPE NAME SIZE IDENTIFIER<br />
0: FDisk_partition_scheme *31.4 GB disk3<br />
1: DOS_FAT_16 VOL1 256.0 MB disk3s1<br />
$ <br />
<br />
Change your current working directory to the new FAT16 partition, then continue with the untar instruction in the parent preparation section.<br />
<br />
$ cd /Volumes/VOL1/<br />
<br />
= Installation =<br />
<br />
Execute the following commands. Make sure there is an internet connection available; otherwise setting up the apk mirrors will fail.<br />
<br />
setup-alpine <br />
<br />
Set the keyboard map, the timezone, how to connect to the network ('''dhcp''' is the best method), say '''none''' at <code>save config</code> and <code>save cache</code>.<br />
<br />
apk update<br />
<br />
If the extra space in the sd card was left empty, a partition must be created now:<br />
<br />
apk add cfdisk # or the tool of your choice<br />
cfdisk /dev/mmcblk0 # create the new partition with the free space<br />
mkfs.ext4 /dev/mmcblk0p2 # create the ext4 filesystem in the new partition (mkfs.ext4 is provided by the e2fsprogs package)<br />
<br />
Raspberry Pi has no hardware clock, so synchronize with an ntp server:<br />
<br />
apk add chrony <br />
service chronyd restart<br />
apk add e2fsprogs<br />
<br />
{{warning | 22 June 2021 - There is currently a bug that causes setup-disk to fail on ext4 mounts on Raspberry Pi. The work around is marked in the instructions below. <br />[https://gitlab.alpinelinux.org/alpine/aports/-/issues/12353] }}<br />
<br />
mount /dev/mmcblk0p2 /mnt # The second partition, in ext4 format, where Alpine Linux is installing in sys mode<br />
export FORCE_BOOTFS=1 # work around for issue 12353<br />
setup-disk -m sys /mnt<br />
mount -o remount,rw /media/mmcblk0p1 # An update in the first partition is required for the next reboot.<br />
<br />
You may get some warning about syslinux when you run setup-disk. You can safely ignore this.<br />
<br />
Clean up the boot folder in the first partition to drop unused files:<br />
<br />
rm -f /media/mmcblk0p1/boot/* <br />
cd /mnt # We are in the second partition <br />
rm boot/boot # Drop the unused symbolic link<br />
<br />
Move the kernel image and initramfs for Alpine Linux into the right place:<br />
<br />
mv boot/* /media/mmcblk0p1/boot/ <br />
rm -Rf boot<br />
mkdir media/mmcblk0p1 # It's the mount point for the first partition on the next reboot<br />
<br />
Don't worry about the error when you execute the following:<br />
<br />
ln -s media/mmcblk0p1/boot boot<br />
<br />
Update <code>/etc/fstab</code>:<br />
<br />
echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat defaults 0 0" >> etc/fstab<br />
sed -i '/cdrom/d' etc/fstab # Of course, you don't have any cdrom or floppy on the Raspberry Pi<br />
sed -i '/floppy/d' etc/fstab<br />
cd /media/mmcblk0p1<br />
<br />
If you want to activate the edge repository:<br />
sed -i '/edge/s/^#//' etc/apk/repositories # But enable the repository for community if you want vim, mc, php, apache, nginx, etc.<br />
<br />
For the next boot, indicate that the root filesystem is on the second partition. If the cmdline.txt file<br />
contains a line that starts with <code>/root</code>, then use sed:<br />
<br />
sed -i 's/$/root=\/dev\/mmcblk0p2 /' /media/mmcblk0p1/cmdline.txt <br />
reboot<br />
<br />
That works on '''Raspberry Pi 3B''' and '''1B''', but if you have the '''1B''' version, you'll need to be very, very patient (several tens of minutes).<br />
<br />
If a hard disk is connected via '''usb''', you can replace the <code>/dev/mmcblk0p2</code> above with <code>/dev/sda1</code>, for example.<br />
<br />
If you don't want to use '''sed''', you can use the nano editor instead, after executing the following command:<br />
<br />
apk add nano<br />
<br />
= Post-installation =<br />
<br />
The '''Raspberry Pi (RPI)''' has no battery to keep the time updated. Therefore, we need to enable the right service to synchronize with an ntp server:<br />
<br />
rc-update del hwclock boot<br />
rc-update add swclock boot<br />
service hwclock stop<br />
service swclock start<br />
<br />
Update and upgrade the system:<br />
<br />
apk update<br />
apk upgrade<br />
<br />
If you want a cool editor ({{Pkg|vim}}), a file manager ({{Pkg|mc}}), and a way to see which tasks are running and which services start on boot ({{Pkg|htop}}), add the following packages:<br />
<br />
apk add vim mc htop<br />
htop<br />
rc-update<br />
<br />
The '''RPI 3B''' has wifi on board. To start the wpa_supplicant service for a WPA2-encrypted network:<br />
<br />
apk add wpa_supplicant<br />
rc-update add wpa_supplicant boot<br />
service wpa_supplicant start<br />
setup-interfaces <br />
Replace the IP address by dhcp for all the interfaces if necessary; select the SSID network for wifi, add the password.<br />
ip addr # to find the IP address for all interfaces<br />
<br />
If you want to connect to your RPI via <code>ssh</code>, an additional user (''foo'') and the {{Pkg|sudo}} package are required because it's forbidden to connect as root:<br />
<br />
apk add sudo<br />
adduser foo<br />
adduser foo wheel<br />
visudo <br />
<br />
Uncomment line #82 with <code>wheel ALL=(ALL) ALL</code>. If {{Pkg|vim}} is installed, save the changes by typing '''Esc :x'''<br />
<br />
= Troubleshooting =<br />
<br />
Following the preparation instructions for setting up the boot partition as outlined, using the armv7 image (3.10.3), my rpi2 would not even boot, and I was trapped at the dreaded rainbow screen, with the green led blinking a few times in a row, repeatedly.<br />
<br />
The rpi2 I had appears to require '''fat32''' for the boot partition, NOT '''fat16''' as suggested in the instructions. Use linux fdisk to set the boot partition type as "c" (for fat32/lba) and set the '''lba''' and '''boot''' flags for the partition as suggested. Create the boot partition filesystem as fat32 with:<br />
<br />
mkdosfs -F 32 /dev/sdX1 <br />
<br />
Mount and unpack the tarball to that, and everything should work as documented after the prep instructions.<br />
<br />
After booting, you may find less system memory available than you expect. Currently the Pi requires a minimum of 32 megs of memory for the gpu, to boot unless you have the cut down boot loader installed, in which case you can use 16. However, you may find more gpu memory is still being used, even if you configure it for less, if you enable audio or camera support. To find out how your system is actually split:<br />
<br />
apk add raspberrypi<br />
/opt/vc/bin/vcgencmd get_mem gpu<br />
/opt/vc/bin/vcgencmd get_mem arm<br />
<br />
= See also =<br />
<br />
* [[Raspberry Pi]]<br />
* [[Raspberry Pi 3 - Setting Up Bluetooth]]<br />
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]<br />
* [[Linux Router with VPN on a Raspberry Pi]]<br />
<br />
[[Category:Installation]]<br />
[[category: Raspberry]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=20112Tutorials and Howtos2021-08-21T04:42:36Z<p>Bt129: /* PowerPC */</p>
<hr />
<div>{{Todo|This material needs to be re-organized .. as '''Howtos are smaller articles''' and '''tutorials are more detailed document''' both need to be reordered as independent sections }}<br />
<br />
[[Image:package_edutainment.svg|right|link=]]<br />
{{TOC left}}<br />
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
<br />
'''The tutorials are hands-on''' and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.<br />
<br />
'''Howtos are smaller articles''' explaining how to perform a particular task with Alpine Linux; they expect minimal prior knowledge from the reader.<br />
<br />
'''IMPORTANT:''' contributions to these pages must be complete articles; don't overwrite contributions that have already been made. If you want to request a topic to be covered, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].<br />
<br />
<br />
{{Clear}}<br />
<br />
== New users and Newbies ==<br />
<br />
* [[Newbie Alpine Ecosystem]] (for overall information in funny sections)<br />
<br />
==== Installation: Use cases ====<br />
<br />
* [[Alpine newbie install manual]]<br />
** [[Alpine Install: from a disc to a new computer single only boot]]<br />
** [[Alpine Install: from a disc to a old computer single only boot]]<br />
** [[Alpine Install: from a disc to a virtualbox machine single only]]<br />
** [[Alpine Install: from a iso to a virtualbox machine with external disc]]<br />
* [[Alpine_newbie_install_manual#Ways_to_install_Alpine_listed_by_architectures|Ways to install listed by architectures]]<br />
** [[Alpine_newbie_install_manual#x86_64_x86_32_x86|x86_64 x86_32 x86 s390]]<br />
** [[Alpine_newbie_install_manual#armhf_armv7|armhf armv7 aarch64]]<br />
** [[Alpine_newbie_install_manual#ppc64le|ppc64le others PPC]]<br />
<br />
==== Postinstall: desktops and applications ====<br />
<br />
* [[Alpine newbie apk packages|Overall info and minimal packages common to any working desktop]]<br />
** [[Alpine newbie desktops|Alpine newbie desktops, (overall information only)]]<br />
** [[XFCE Setup]]<br />
** [[Alpine Newbies LXDE Desktop Environment]]<br />
** [[Alpine Newbies Openbox Window Manager|Alpine Newbies Xorg and Openbox Window Manager]]<br />
** [[MATE|Alpine Newbies MATE Desktop Environment]]<br />
* [[Alpine and UEFI|Alpine and UEFI Support Status and related topics]]<br />
<br />
==== Developers: compilers, IDEs and tools ====<br />
<br />
* [[Alpine newbie developer]]<br />
** [[Alpine newbie developer: gitea|Alpine newbie developer: Git management web frontend gitea]]<br />
** [[Alpine newbie developer: full stack web]]<br />
<br />
==== Servers: deploy in production ====<br />
<br />
* [[Alpine production deploy]]<br />
** [[Production Web server: Lighttpd]]<br />
** [[Production DataBases : mysql]]<br />
** [[Production LAMP system: Lighttpd + PHP + MySQL]]<br />
* Alpine production monitoring<br />
** [[Cacti: traffic analysis and monitoring network]]<br />
** [[Zabbix|Zabbix - the professional complete manager]]<br />
<br />
== Storage ==<br />
<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' <!-- Installation and Storage --><br />
** [[Back Up a Flash Memory Installation]] <!-- Installation and Storage --><br />
** [[Manually editing a existing apkovl]]<br />
<br />
* [[Setting up disks manually]] <!-- Installation and Storage --><br />
* [[Setting up a software RAID array]]<br />
<!-- ** [[Setting up a /var partition on software IDE raid1]] Obsolete, Installation and Storage --> <br />
* [[Raid Administration]]<br />
* [[Setting up encrypted volumes with LUKS]]<br />
* [[Setting up LVM on LUKS]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
** [[Setting up LVM on GPT-labeled disks]]<br />
** [[Installing on GPT LVM]]<br />
* [[Filesystems|Formatting HD/Floppy/Other]] <!-- just a stub --><br />
<br />
* [[Setting up iSCSI]]<br />
** [[iSCSI Raid and Clustered File Systems]]<br />
* [[Setting up NBD]]<br />
* [[Setting up ZFS on LUKS]]<br />
* [[Setting up ZFS with native encryption]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' <!-- solution --><br />
* [[Linux iSCSI Target (TCM)]]<br />
* [[Disk Replication with DRBD]] <!-- draft --><br />
<br />
* [[Burning ISOs]] <!-- just some links now --><br />
* [[Partitioning and Bootmanagers]]<br />
* [[Migrating data]]<br />
* [[Create a bootable SDHC from a Mac]]<br />
* [[Alpine on ARM]]<br />
<br />
== Networking ==<br />
<br />
* [[Configure Networking]]<br />
* [[Connecting to a wireless access point]]<br />
* [[Bonding]]<br />
* [[Vlan]]<br />
* [[Bridge]]<br />
* [[Bridge wlan0 to eth0]]<br />
* [[OpenVSwitch]]<br />
* [[How to configure static routes]]<br />
* [[Configure a Wireguard interface (wg)]]<br />
<br />
* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''<br />
<br />
* [[PXE boot]]<br />
<br />
* [[Using serial modem]]<br />
* [[Using HSDPA modem]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is the preferred way to administer your box remotely)'' <!-- Server and Networking --><br />
** [[HOWTO OpenSSH 2FA with password and Google Authenticator]] ''(A simple two factor setup for OpenSSH)''<br />
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''<br />
* [[How to set up Alpine as a wireless router]] ''(Setting up a firewalled, Wireless AP with wired network on a Pi Zero W)''<br />
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''<br />
<!-- [[Using Racoon for Remote Sites]] is a different VPN tunnelling method, but that article is just a stub --><br />
* [[Experiences with OpenVPN-client on ALIX.2D3]] <!-- solution --><br />
<br />
* [[Generating SSL certs with ACF]] <!-- Generating SSL certs with ACF 1.9 --><br />
* [[Setting up unbound DNS server]]<br />
* [[Setting up nsd DNS server]]<br />
* [[TinyDNS Format]]<br />
* [[Fault Tolerant Routing with Alpine Linux]] <!-- solution --><br />
* [[Freeradius Active Directory Integration]]<br />
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''<br />
* [[OwnCloud]] ''(Installing OwnCloud)''<br />
<br />
* [[Seafile: setting up your own private cloud]]<br />
<br />
* [[GNUnet]]<br />
<br />
== Post-Install ==<br />
<!-- If you edit this, please coordinate with Installation and Developer_Documentation#Package_management. Note that these three sections are not exact duplicates. --><br />
<br />
* [[Alpine_newbie_apk_packages|Alpine newbie users post install and easy setups]]<br />
** [[Alpine_newbie_apk_packages#New_users:_hostname_and_network_wired_connection|First steps at post install]]<br />
** [[Alpine_newbie_apk_packages#New_users:_common_needed_package_to_install|Enable repositories]]<br />
** [[Alpine_newbie_apk_packages#New_users:_management_of_users_and_logins|Adding the first user to the system]]<br />
** [[Alpine_newbie_apk_packages#install_basic_tools|First packages to install]] (requires the [[Alpine_newbie_apk_packages#New_users:_common_needed_package_to_install|Enable repositories]] step above)<br />
<br />
* [[Setting up a new user]]<br />
* [[Enable Community Repository]] ''(Providing additional packages)''<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''<br />
<!-- [[Alpine Linux package management#Local_Cache|How to enable APK caching]] --><br />
** [[Comparison with other distros]]<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''<br />
** [[Back Up a Flash Memory Installation]] <!-- new --><br />
** [[Manually editing a existing apkovl]]<br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
<!-- [[Writing Init Scripts]] --><br />
* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]<br />
* [[Upgrading Alpine]]<br />
<!-- Obsolete<br />
[[Upgrading Alpine - v1.9.x]]<br />
[[Upgrading Alpine - CD v1.8.x]]<br />
[[Upgrading Alpine - HD v1.8.x]]<br />
[[Upgrade to repository main|Upgrading to signed repositories]]<br />
--><br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
** [[HOWTO OpenSSH 2FA with password and Google Authenticator]] ''(A simple two factor setup for OpenSSH)''<br />
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
* [[Ansible]] ''(Configuration management)''<br />
<br />
* [[Enable Serial Console on Boot]]<br />
<!-- Obsolete?<br />
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]<br />
--><br />
* [[How to get regular stuff working]] ''some notes on need-to-know topics''<br />
* [[Installing Oracle Java]]<br />
* [[Rsnapshot|Setting up periodic backups with <samp>rsnapshot</samp>]]<br />
<br />
== Virtualization==<br />
<br />
* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''<br />
* [[Xen Dom0 on USB or SD]]<br />
* [[Create Alpine Linux PV DomU]]<br />
* [[Xen PCI Passthrough]]<br />
* [[Xen LiveCD]]<br />
* [[qemu]]<br />
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''<br />
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''<br />
* [[Docker]]<br />
* [[Install_Alpine_on_VirtualBox]]<br />
* [[Install Alpine on VMWare]]<br />
<br />
== Desktop Environment ==<br />
<br />
* [[Awesome(wm) Setup]]<br />
* [[dwm]] ''(dynamic window manager for X)''<br />
* [[EyeOS]] ''(Cloud Computing Desktop)''<br />
* [[Gnome Setup]]<br />
* [[KDE]]<br />
* [[MATE|MATE Setup]]<br />
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')<br />
* [[Remote Desktop Server]]<br />
* [[Suspend on LID close]]<br />
* [[Sway]]<br />
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]<br />
* [[Installing Adobe flash player for Firefox]]<br />
* [[Sound Setup]]<br />
* [[PipeWire]]<br />
* [[Printer Setup]]<br />
* [[Default applications]]<br />
<br />
== Raspberry Pi ==<br />
<br />
* [[Raspberry Pi|Raspberry Pi (Installation)]]<br />
* [[Raspberry Pi - Headless Installation]]<br />
* [[Classic install or sys mode on Raspberry Pi]]<br />
* [[RPI Video Receiver]] ''(network video decoder using Raspberry Pi and omxplayer)''<br />
* [[Linux Router with VPN on a Raspberry Pi]]<br />
* [[Linux Router with VPN on a Raspberry Pi (IPv6)]]<br />
* [[Raspberry Pi 4 - Persistent system acting as a NAS and Time Machine]]<br />
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]<br />
* [[Raspberry Pi 3 - Setting Up Bluetooth]]<br />
* [[Raspberry Pi 3 - Browser Client]] - kiosk or digital sign<br />
* [[Raspberry Pi Zero W - Installation]]<br />
* [[Raspberry Pi Bluetooth Speaker]]<br />
<br />
== PowerPC ==<br />
<br />
* [[Ppc64le|Powerpc64le (Installation)]]<br />
<br />
== IBM Z (IBM z Systems) ==<br />
<br />
* [[s390x|s390x (Installation)]]<br />
<br />
== Applications ==<br />
<br />
=== Telephony ===<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
** [[Setting up Streaming an Asterisk Channel]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''<br />
<br />
=== Mail ===<br />
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[ISP Mail Server HowTo]] <!-- solution, Mail --><br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
** [[ISP Mail Server 3.x HowTo]]<br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Setting up postfix with virtual domains]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Setting up clamsmtp]]<br />
* [[Setting up dovecot with imap and ssl]]<br />
* [[relay email to gmail (msmtp, mailx, sendmail]]<br />
<br />
=== HTTP ===<br />
* [[Lighttpd]]<br />
** [[Lighttpd Https access]]<br />
** [[Setting Up Lighttpd with PHP]]<br />
** [[Setting Up Lighttpd With FastCGI]]<br />
* [[Cherokee]]<br />
* [[Nginx]]<br />
** [[Nginx_with_PHP#Nginx_with_PHP|Nginx with PHP]]<br />
** [[Nginx as reverse proxy with acme (letsencrypt)]]<br />
* [[Apache]]<br />
** [[Apache with php-fpm]]<br />
** [[Setting Up Apache with PHP]]<br />
** [[Apache authentication: NTLM Single Signon]]<br />
<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' <!-- solution, Server --><br />
<br />
* [[Setting up Transparent Squid Proxy]] <!-- draft --><br />
** [[SqStat]] ''(Script to look at active squid users connections)''<br />
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[Setting up Explicit Squid Proxy]]<br />
<br />
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''<br />
* [[WordPress]] ''(Web software to create website or blog)''<br />
* [[MediaWiki]] ''(Free web-based wiki software application)''<br />
* [[DokuWiki]]<br />
* [[Darkhttpd]]<br />
* [[Tomcat]]<br />
* [[Kopano]] ''(Microsoft Outlook compatible Groupware)''<br />
<br />
=== Other Servers ===<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
** [[HOWTO OpenSSH 2FA with password and Google Authenticator]] ''(A simple two factor setup for OpenSSH)''<br />
<br />
* [[Setting up a nfs-server]]<br />
* [[Setting up a samba-server]] ''(standard file sharing)''<br />
* [[Setting up a samba-ad-dc]] ''(Active Directory compatible domain controller)''<br />
* [[Phpizabi]] ''(Social Networking Platform)''<br />
* [[Statusnet]] ''(Microblogging Platform)''<br />
* [[Pastebin]] ''(Pastebin software application)''<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
<br />
* [[Patchwork]] ''(Patch review management system)''<br />
* [[Redmine]] ''(Project management system)''<br />
* [[Request-Tracker]] ''(Ticket system)''<br />
* [[OsTicket]] ''(Ticket system)''<br />
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''<br />
<br />
* [[Alpine_newbie_developer: gitea|Setting up Git management web frontend gitea]]<br />
* [[Cgit]]<br />
** [[Setting up a git repository server with gitolite and cgit]] <!-- doesn't exist yet --><br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Glpi]] ''(Manage inventory of technical resources)''<br />
<br />
* [[How to setup a Alpine Linux mirror]]<br />
* [[Cups]]<br />
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''<br />
* [[How To Setup Your Own IRC Network]] ''(Using {{Pkg|charybdis}} and {{Pkg|atheme-iris}})''<br />
* [[OpenVCP]] ''(VServer Control Panel)''<br />
* [[Mahara]] ''(E-portfolio and social networking system)''<br />
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]<br />
* [[Sending SMS using gnokii]]<br />
* [[IPTV How To|Internet Protocol television (IPTV)]]<br />
* [[UniFi_Controller]]<br />
* [[DNSCrypt-Proxy]] ''Encrypt and authenticate DNS calls from your system''<br />
* [[Odoo]]<br />
<br />
=== Monitoring ===<br />
* Setting up [[collectd]]<br />
* [[Traffic monitoring]] <!-- Networking and Monitoring --><br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]] <!-- Monitoring --><br />
* [[Setting up monitoring using rrdtool (and rrdcollect)]]<br />
* [[Cacti: traffic analysis and monitoring network]] ''(Front-end for rrdtool networking monitor)''<br />
* [[LTTng]] ''(Kernel and userspace tracing)''<br />
* [[Zabbix|Zabbix - the professional complete manager]] ''(Monitor and track the status of network services and hardware)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft, solution, Networking and Monitoring and Server --><br />
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' <!-- Networking and Monitoring --><br />
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' <!-- Networking and Monitoring --><br />
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]<br />
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' <!-- Networking and Monitoring --><br />
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' <!-- Monitoring and Security --><br />
<br />
* [[IP Accounting]] <!-- Networking and Monitoring --><br />
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[SqStat]] ''(Script to look at active squid users connections)''<br />
<br />
* [[Piwik]] ''(A real time web analytics software program)''<br />
* [[Awstats]] ''(Free log file analyzer)''<br />
* [[Intrusion Detection using Snort]]<br />
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]<br />
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''<br />
<br />
* [[Webmin]] ''(A web-based interface for Linux system)''<br />
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''<br />
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''<br />
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''<br />
* [[Linfo]]<br />
<br />
* [[Setting up lm_sensors]]<br />
<br />
* [[ZoneMinder video camera security and surveillance]]<br />
<br />
== Misc ==<br />
<br />
* [[:Category:Shell]]<br />
* [[:Category:Programming]]<br />
* [[Running glibc programs]]<br />
* [[:Category:Drivers]]<br />
* [[:Category:Multimedia]]<br />
* [[Kernel Modesetting]]<br />
* [[CPU frequency scaling]]<br />
<br />
== Complete Solutions ==<br />
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]<br />
* [[Alpine on the Aopen Chromebase or Chromebox Mini with Mainline Kernel]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]]<br />
* [[Fault Tolerant Routing with Alpine Linux]]<br />
* [[Experiences with OpenVPN-client on ALIX.2D3]]<br />
* [[Building a cloud with Alpine Linux]]<br />
<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''<br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft --><br />
* [[Streaming Security Camera Video with VLC]]<br />
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]<br />
<br />
<br />
<!--<br />
This does not attempt to be complete. Is it useful to have these listed here? I find them more accessible if grouped with their topics; also, an up-to-date list of all Draft or Obsolete pages can be found at [[Project:Wiki maintenance]].<br />
<br />
== Drafts ==<br />
Currently unfinished/works-in-progress.<br />
* [[Using Racoon for Remote Sites]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)'' [!-- no longer a draft --]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''(Installing and configuring Snort and related applications on Alpine 2.0.x)''<br />
* [[IP Accounting]] ''(Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector)''<br />
* [[Disk Replication with DRBD]]<br />
--><br />
<br />
<br />
[[Category:Newbie]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Printer_Setup&diff=20102Printer Setup2021-08-18T04:02:01Z<p>Bt129: </p>
<hr />
<div>First, you'll need [https://en.wikipedia.org/wiki/CUPS CUPS]. If you have a ''Hewlett-Packard'' (''HP'') printer, add the [https://en.wikipedia.org/wiki/HP_Linux_Imaging_and_Printing HPLIP] package. Some of these packages are outside of main, and the appropriate repos will need to be configured. See tip below.<br />
<br />
{{cmd|# apk add cups cups-libs cups-pdf cups-client cups-filters hplip}}<br />
<br />
{{Tip|As with all installation processes, Alpine's [[Alpine_Linux_package_management|package management]] can guide you on the need to pull various packages from other repositories (e.g.''@testing'') other than the enabled ''main'' or ''edge'' repositories throughout this wiki page, as long as the other repos have been [https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management#Repository_pinning pinned]. For example, for Alpine version 3.7.0 on x86_64 systems, '''apk''' would have guided you to substitute in <code>cups-pdf@testing</code> and <code>hplip@testing</code>.}}<br />
<br />
Confirm cups starts. You may also set it to run at boot-up.<br />
{{cmd|# /etc/init.d/cupsd start}}<br />
{{cmd|# rc-update add cupsd boot}}<br />
<br />
Go to http://localhost:631 with your web browser and follow the steps to "Add Printer". You will be asked to log in; use root or any account that is a member of the <code>lpadmin</code> group, then finish the steps. Once you're done, you should be able to print.<br />
<br />
If that doesn't work, you may also need to add HPLIP's dependencies separately. There are currently no packages for '''CUPS DDK''', <code>hp-setup</code> or <code>foomatic</code>.<br />
{{cmd|# apk add libusb ghostscript qt py-qt python3 py-reportlab libjpeg libjpeg-turbo net-snmp}}<br />
<br />
<br />
{{Expand|Modifications/sections required e.g. to address container user-case scenarios, etc.}} <br />
<br />
== mdev hacks for USB printers ==<br />
<br />
By default a USB printer under ''mdev'' gets ownership ''root:root'' and mode ''0660''. Because ''cupsd'' opens libusb-based printers as the ''lp'' user, it has no permission to use the device node under ''/dev/bus/usb''.<br />
<br />
First let's get some info about our USB printer.<br />
<br />
# lsusb | grep Printer<br />
Bus 002 Device 011: ID 04b8:0007 Seiko Epson Corp. Printer<br />
<br />
Now use ''002'' and ''011'' for next query.<br />
<br />
# apk add eudev<br />
# udevadm info -p $(udevadm info -q path -n /dev/bus/usb/002/011)<br />
P: /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1<br />
N: bus/usb/002/011<br />
E: BUSNUM=002<br />
E: DEVNAME=/dev/bus/usb/002/011<br />
E: DEVNUM=011<br />
E: DEVPATH=/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1<br />
E: DEVTYPE=usb_device<br />
E: DRIVER=usb<br />
E: MAJOR=189<br />
E: MINOR=138<br />
E: PRODUCT=4b8/7/100<br />
E: SUBSYSTEM=usb<br />
E: TYPE=0/0/0<br />
<br />
What is important for us is 'PRODUCT'.<br />
<br />
# cat >> /etc/mdev.conf <<EOF<br />
SUBSYSTEM=usb;PRODUCT=4b8/7/100;.* root:lp 660 */lib/mdev/usbdev<br />
EOF<br />
<br />
Unplug the USB cable and plug it in again. Now the USB printer device at ''/dev/bus/usb/'' will have valid ownership and permissions.<br />
<br />
# ls -l /dev/bus/usb/002/011<br />
crw-rw---- 1 root lp 189, 138 Apr 14 21:19 /dev/bus/usb/002/011<br />
<br />
CUPS will now be able to use libusb to discover the local USB printer.<br />
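The steps above can be scripted. The following is an added example (not code from the wiki page or from Alpine): it reads the <code>udevadm info</code> output, builds the mdev.conf rule with the exact vendor/product/revision string, and appends it only if it is not already there, so re-running the setup does not stack duplicate rules. It validates that <code>PRODUCT</code> really is three hex fields, because a missing or malformed value would otherwise produce a rule that matches far more than one printer. It assumes a POSIX sh with sed, grep and awk; the udevadm text is a constructed sample based on the Epson device shown above.<br />

```sh
#!/bin/sh
# Added example (not the wiki's or Alpine's own code): build an mdev.conf rule
# for a USB printer from `udevadm info` output and append it idempotently.
# The rule hands the node to root:lp mode 0660, so cupsd (running as lp) can
# open it while other local users still cannot.

# Constructed sample of `udevadm info -p <devpath>` output (Epson example above).
SAMPLE_UDEV='P: /devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.1
N: bus/usb/002/011
E: BUSNUM=002
E: DEVNAME=/dev/bus/usb/002/011
E: DEVNUM=011
E: DEVTYPE=usb_device
E: PRODUCT=4b8/7/100
E: SUBSYSTEM=usb'

# udev_env OUTPUT KEY: value of the first "E: KEY=value" line in udevadm output.
udev_env() {
    printf '%s\n' "$1" | sed -n "s/^E: $2=//p" | head -n 1
}

# mdev_rule_from_udev OUTPUT [GROUP] [MODE]: print one mdev.conf line matching
# exactly this vendor/product/revision. PRODUCT is checked to be hex/hex/hex so
# an empty or odd value cannot become a rule that matches every USB device.
mdev_rule_from_udev() {
    out=$1 grp=${2:-lp} mode=${3:-660}
    sub=$(udev_env "$out" SUBSYSTEM)
    prod=$(udev_env "$out" PRODUCT)
    [ "$sub" = usb ] || { echo "mdev_rule_from_udev: SUBSYSTEM '$sub' is not usb" >&2; return 1; }
    printf '%s\n' "$prod" | grep -Eq '^[0-9a-f]+/[0-9a-f]+/[0-9a-f]+$' \
        || { echo "mdev_rule_from_udev: bad PRODUCT '$prod'" >&2; return 1; }
    printf 'SUBSYSTEM=%s;PRODUCT=%s;.* root:%s %s */lib/mdev/usbdev\n' "$sub" "$prod" "$grp" "$mode"
}

# append_rule_once FILE RULE: append RULE unless an identical line already
# exists, so repeated runs do not leave duplicate entries in mdev.conf.
append_rule_once() {
    file=$1 rule=$2
    [ -f "$file" ] || : > "$file"
    if grep -Fqx -- "$rule" "$file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Real use, as root, with devpath from `udevadm info -q path -n /dev/bus/usb/002/011`:
#   rule=$(mdev_rule_from_udev "$(udevadm info -p "$devpath")") \
#       && append_rule_once /etc/mdev.conf "$rule"
```

The third PRODUCT field is the device revision (bcdDevice), so a firmware update can change it; if that happens, relax only that field to <code>PRODUCT=4b8/7/.*</code> rather than dropping the match altogether.<br />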
<br />
<br />
== Desktop Environment ==<br />
Additionally, in a desktop environment you could proceed as follows.<br />
<br />
Check whether ''root'' and your user (''yourusername'') are already members of the <code>lp</code> and <code>lpadmin</code> groups. Add ''yourusername'' to <code>lpadmin</code> only if that user needs to administer CUPS (add queues, change settings), since <code>lpadmin</code> members get full control over the print system.<br />
$ id root<br />
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)<br />
$ id ''yourusername''<br />
uid=1000(yourusername) gid=1000(yourusername) groups=1000(yourusername),6(disk),10(wheel),18(audio),19(cdrom),20(dialout),27(video),100(users),1001(plugdev)<br />
<br />
If not, add them:<br />
$ sudo adduser root lp<br />
$ sudo adduser root lpadmin<br />
$ sudo adduser ''yourusername'' lp<br />
$ sudo adduser ''yourusername'' lpadmin<br />
<br />
Start CUPS ('''cupsd''') and make it persist between boots; then reboot:<br />
$ sudo rc-service cupsd start<br />
$ sudo rc-update add cupsd<br />
$ sudo reboot<br />
<br />
Credit to ArchWiki's excellent [https://wiki.archlinux.org/index.php/CUPS CUPS] page for guidance with the following basic steps.<br />
''' Locate your printer '''<br />
<br />
With your printer connected and powered on, determine the ''URI'' for your printer. Depending on whether the connection is via '''USB''' or the '''parallel''' port, the URI will start with <code>usb://</code> or <code>parallel:/dev/lp''N''</code>.<br />
<br />
 $ lpinfo -v<br />
network lpd<br />
network socket<br />
network beh<br />
file cups-brf:/<br />
direct usb://HP/LaserJet%202200<br />
network ipp<br />
network ipps<br />
network https<br />
network http<br />
direct hp<br />
<br />
In the example above, the URI is <code>usb://HP/LaserJet%202200</code><br />
<br />
''' Find a .ppd or .ppd.gz ''driver''. '''<br />
<br />
If your printer supports ''IPP Everywhere'' -- most recent models do -- see the ''driverless'' command in ''cups-filters'':<br />
<br />
$ driverless ipp_uri > printer.ppd<br />
<br />
or just pass ''-m everywhere'' to ''lpadmin''.<br />
<br />
Otherwise, you could list all the drivers available by running <code>lpinfo -m</code> and then searching through the results to find a .ppd or .ppd.gz specific to your printer. A quick solution is to use the <code>--make-and-model</code> flag and <code>grep</code> to filter the results by plugging in your printer's make, model and series in this fashion:<br />
<br />
$ lpinfo --make-and-model "''make_and_model_names''" -m | grep -i ''printer_series''<br />
<br />
{{Tip|<br />
*Search for the term ''HP'' to find instances of ''Hewlett-Packard''.<br />
*You do not need to state the <code>printer_series</code> in whole if at all e.g. ''2200'' may be preferable to searching for ''2200M'', etc.}}<br />
<br />
For example, type:<br />
<br />
$ lpinfo --make-and-model "HP LaserJet" -m | grep -i 2200<br />
<br />
From the results, you might select the following .ppd ''driver'':<br />
drv:///hp/hpcups.drv/hp-laserjet_2200_series.ppd<br />
<br />
If required, additional drivers can be obtained by installing [http://gimp-print.sourceforge.net/ gutenprint], and running the <code>lpinfo</code> search again. These may not specify .ppd names.<br />
<br />
$ sudo apk add gutenprint gutenprint-doc<br />
<br />
''' Configure a queue '''<br />
<br />
Create a queue using a ''queue_name'' of your choice. Your selected printer's name is an obvious choice, but do not use spaces.<BR><br />
You will also need to be root or use <code>sudo</code>, and you will also need to plug in the ''URI'' and the .ppd ''driver'':<br />
<br />
# lpadmin -p ''queue_name'' -E -v "''uri''" -m ''driver''<br />
<br />
With this example, you could set as follows, but there are other solutions.<br />
<br />
 # lpadmin -p HP_LaserJet_2200 -E -v "usb://HP/LaserJet%202200" -m drv:///hp/hpcups.drv/hp-laserjet_2200_series.ppd<br />
<br />
This printer queue could be set as '''default''':<br />
<br />
# lpoptions -d HP_LaserJet_2200<br />
<br />
Printer settings can typically be set in your GUI application's '''Print''' menu or by examining the CUPS [https://www.cups.org/doc/man-lpoptions.html lpoptions] page. If you have a single queue, the setting options available (such as page type, duplex, etc.) for your queue can simply be '''listed''' by using the '''-l''' flag. Asterisks(*) indicate current settings:<br />
<br />
# lpoptions -l<br />
PageSize/Media Size: Card3x5 Hagaki Photo4x6 A6 Photo5x7 Card5x8 Oufuku A5 B5 JB5 Executive 16k Letter *A4 ExecutiveJIS FLSA Legal EnvA2 EnvC6 EnvChou4 EnvMonarch EnvDL Env10 EnvChou3 EnvC5 EnvB5 Custom.WIDTHxHEIGHT<br />
Duplex/Double-Sided Printing: DuplexNoTumble DuplexTumble *None<br />
InputSlot/Media Source: *Auto PhotoTray Upper Lower Envelope LargeCapacity Manual MPTray<br />
ColorModel/Output Mode: *Gray<br />
MediaType/Media Type: *Plain<br />
OutputMode/Print Quality: *Normal Draft Best<br />
OptionDuplex/Duplexer Installed: *False True<br />
<br />
If there is only one queue, '''options''' can be set by simply using '''-o''' flags for each setting:<br />
<br />
# lpoptions -o PageSize=Legal -o Duplex=DuplexNoTumble<br />
<br />
== See also ==<br />
<br />
* [https://www.cups.org/documentation.html CUPS documentation]<br />
<br />
[[Category:Printers]]<br />
[[Category:Installation]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=20101PipeWire2021-08-18T03:47:03Z<p>Bt129: /* Usage */</p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
If elogind is not in use, the user must be a member of the <code>audio</code> group to open the sound devices. Log out and back in for the new group membership to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
=== XDG_RUNTIME_DIR ===<br />
<br />
If you are not using a display manager, make sure <code>XDG_RUNTIME_DIR</code> points to a directory that only your user can access (owned by you, mode 0700), normally {{Path|/run/user/<uid>/}}. Avoid pointing it at a shared location such as {{Path|/tmp}} itself: the PipeWire and PulseAudio sockets are created in this directory and would then be reachable by every local user. If the variable is not set at all, PipeWire creates a directory in your home folder instead, called <code>~/pulse</code>, and on attempting to run Pavucontrol or pactl you will get the following error:<br />
<br />
<pre><br />
$ pactl list<br />
Connection failure: Connection refused<br />
pa_context_connect() failed: Connection refused<br />
</pre><br />
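A small helper for the no-display-manager case, added here as an example (it is not from the wiki page or the PipeWire project): it creates a private <code>''uid''-runtime-dir</code> (a constructed name) under a base directory, {{Path|/tmp}} by default, and refuses a symlink or a directory that another user planted there first, because the sockets created inside would otherwise be exposed to that user. It assumes a POSIX sh with <code>stat -c</code> (GNU or busybox) and <code>id</code>.<br />

```sh
#!/bin/sh
# Added example (not the wiki's or PipeWire's own code): create a private
# per-user XDG_RUNTIME_DIR when no login manager (elogind etc.) provides one.

# ensure_runtime_dir [BASE]: make BASE/<uid>-runtime-dir (BASE defaults to /tmp),
# mode 0700, owned by the calling user, and print its path. Refuses a symlink,
# a directory owned by someone else, or one that is group/world accessible: a
# directory pre-created by another local user in world-writable /tmp would let
# that user reach the PipeWire/PulseAudio sockets placed there.
ensure_runtime_dir() {
    base=${1:-/tmp}
    uid=$(id -u)
    dir="$base/$uid-runtime-dir"
    if [ ! -d "$dir" ]; then
        # mkdir fails on a dangling symlink planted at this path ("File exists").
        mkdir -m 0700 "$dir" || return 1
    fi
    if [ -L "$dir" ]; then
        echo "ensure_runtime_dir: $dir is a symlink, refusing" >&2; return 1
    fi
    owner=$(stat -c %u "$dir") && mode=$(stat -c %a "$dir") || return 1
    if [ "$owner" != "$uid" ]; then
        echo "ensure_runtime_dir: $dir owned by uid $owner, not $uid" >&2; return 1
    fi
    case "$mode" in
        700) ;;
        *) echo "ensure_runtime_dir: $dir has mode $mode, expected 700" >&2; return 1 ;;
    esac
    printf '%s\n' "$dir"
}

# Typical use from ~/.xinitrc or a Sway launcher, before dbus-launch:
#   XDG_RUNTIME_DIR=$(ensure_runtime_dir) && export XDG_RUNTIME_DIR
```

If the check fails, do not "fix" it by loosening the permissions; remove the offending path (or pick another base directory) so the directory is created fresh by your own user.<br />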
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire<br />
</pre><br />
<br />
Create custom configuration file in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
# mkdir /etc/pipewire<br />
# cp /usr/share/pipewire/pipewire.conf /etc/pipewire/<br />
</pre><br />
<br />
Uncomment the following line in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire-media-session" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== ALSA ===<br />
<br />
If you use neither JACK nor PulseAudio and do not intend to, tell the session manager to expose ALSA devices directly:<br />
<br />
<pre><br />
# touch /etc/pipewire/media-session.d/with-alsa<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
It should be automatically enabled.<br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications, install the required package and make system-wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks are not tracked by apk and may be overwritten by package updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on:<br />
* GNOME with <code>xdg-desktop-portal-gtk</code><br />
* KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox<br />
* Sway with <code>xdg-desktop-portal-wlr</code> and Firefox<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone test audio recording is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=20100PipeWire2021-08-18T03:45:01Z<p>Bt129: /* ALSA */</p>
<hr />
<div>''This earlier revision is identical to the one above except for one sentence in the Usage section, which read: "If you have a microphone test recording audio is working."''</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=ALSA&diff=20099ALSA2021-08-18T03:39:30Z<p>Bt129: /* Install */</p>
<hr />
<div>== Install ==<br />
<br />
First install the ALSA packages (the Linux sound driver and the mixer utilities):<br />
<br />
# apk add alsa-utils alsa-utils-doc alsa-lib alsaconf<br />
<br />
== Setup ==<br />
<br />
Then you will need to add all your users (including root) to the <code>audio</code> group.<br />
<br />
# addgroup $USER audio<br />
# addgroup root audio<br />
<br />
Find the default sound card.<br />
<br />
# alsamixer<br />
<br />
The default sound card will show up. Try turning up the volume of Master and the device(s) such as speakers or microphones that you need, and audio should work (''F1'' - help, ''M'' - toggle mute, ...)<br />
<br />
If there are no volume controls visible, try hitting ''F6'' on your keyboard and toggling between the sound cards (which all might have the same name in the context menu that pops up except for the numbers next to and before the names).<br />
<br />
Once you've found the sound card name that gives you volume controls, set the unique number that showed up in the ''F6'' context menu as your default soundcard.<br />
<br />
# nano /usr/share/alsa/alsa.conf<br />
<br />
Scroll down to the lines starting with <code>defaults.ctl.card</code> and <code>defaults.pcm.card</code> and set the number at the end of each line (separated by a space) to the number shown for your chosen sound card in the ''F6'' context menu of alsamixer. For example, if the sound card you want as default is number 1:<br />
<br />
<code>defaults.ctl.card 1</code><br />
<code>defaults.pcm.card 1</code><br />
<br />
Save your nano work by pressing ''Ctrl+O'' and confirm the changes by pressing ''Enter''. Then exit nano by pressing ''Ctrl+X''.<br />
<br />
Try turning up the volume of Master and the device(s) such as speakers or microphones that you need with the <code>alsamixer</code> command, and audio should work.<br />
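As an added example (not from the wiki page), a shell function that applies the same two-line edit with <code>sed</code> instead of nano, refusing non-numeric input and safe to re-run with another card number. The function names and the optional second argument (so it can be tried on a copy of the file) are this example's assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: set the ALSA default card.
# Usage: set_default_alsa_card CARD_NUMBER [CONFIG_FILE]
# CONFIG_FILE defaults to /usr/share/alsa/alsa.conf as on the page; the
# second argument is a hypothetical extra so the edit can be tried on a copy.
set_default_alsa_card() {
    card=$1
    conf=${2:-/usr/share/alsa/alsa.conf}
    # Only accept a plain number: the value is spliced into a sed command.
    case $card in
        ''|*[!0-9]*) echo "card must be a number, got '$card'" >&2; return 1 ;;
    esac
    [ -w "$conf" ] || { echo "cannot write $conf" >&2; return 1; }
    # Replace whatever value follows each key, so re-running with another
    # number works and neither line is ever duplicated.
    sed -i \
        -e "s/^defaults\.ctl\.card .*/defaults.ctl.card $card/" \
        -e "s/^defaults\.pcm\.card .*/defaults.pcm.card $card/" "$conf"
    # A file without the key lines would be left untouched; report that.
    [ "$(current_default_card "$conf")" = "$card" ] || {
        echo "no defaults.pcm.card line found in $conf" >&2; return 1; }
}

# Print the card number currently set on the defaults.pcm.card line.
current_default_card() {
    conf=${1:-/usr/share/alsa/alsa.conf}
    sed -n 's/^defaults\.pcm\.card \(.*\)$/\1/p' "$conf"
}
```

{{path|/usr/share/alsa/alsa.conf}} belongs to the alsa-lib package and is replaced when that package is upgraded; the same two lines can instead be put in {{path|/etc/asound.conf}}, which alsa.conf includes, by passing that path as the function's second argument.<br />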
<br />
The alsa service is not started on install; start it and add it to the default runlevel:<br />
 # rc-service alsa start<br />
 # rc-update add alsa<br />
<br />
GStreamer can now find the device, and the audio mixer works.<br />
<br />
[[Category:Installation]]<br />
[[Category:Desktop]]<br />
[[Category:Multimedia]]<br />
[[Category:Sound]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Sway&diff=20082Sway2021-08-11T05:12:18Z<p>Bt129: </p>
<hr />
<div>[http://swaywm.org Sway] is a tiling Wayland compositor. It's a drop-in replacement for the i3 window manager.<br />
<br />
== Prerequisites ==<br />
<br />
First, install & configure eudev:<br />
<br />
<pre><br />
# apk add eudev<br />
# setup-udev<br />
</pre><br />
<br />
Then install graphics drivers appropriate to your system:<br />
<br />
<pre><br />
# apk add mesa-dri-gallium # gallium<br />
# apk add mesa-dri-classic # or classic<br />
</pre><br />
<br />
The following links contain guides for setting up the video stack.<br />
<br />
* [https://wiki.alpinelinux.org/wiki/Intel_Video Intel Video]<br />
* [https://wiki.alpinelinux.org/wiki/Radeon_Video Radeon Video]<br />
<br />
Add yourself to the input and video groups:<br />
<br />
<pre><br />
# adduser $USER input<br />
# adduser $USER video<br />
</pre><br />
<br />
You have to log out and back in for this to take effect. <br />
<br />
Install some TTF fonts:<br />
<br />
<pre><br />
# apk add ttf-dejavu<br />
</pre><br />
<br />
== Installation ==<br />
<br />
We can now install sway, together with the optional packages it is normally used with:<br />
<br />
* <code>xwayland</code>: strongly recommended for compatibility reasons<br />
* <code>alacritty</code>: default terminal emulator<br />
* <code>dmenu</code>: default application launcher<br />
* <code>swaylock</code>: lockscreen tool<br />
* <code>swayidle</code>: idle management (DPMS) daemon<br />
<br />
<pre><br />
# apk add sway sway-doc<br />
# apk add xwayland alacritty dmenu swaylock swayidle<br />
</pre><br />
<br />
== Running Sway ==<br />
<br />
To run sway, first set XDG_RUNTIME_DIR to a suitable location (e.g. /tmp). Install & configure elogind to skip this step. Then run sway from the Linux console:<br />
<br />
<pre><br />
$ XDG_RUNTIME_DIR=/tmp sway<br />
</pre><br />
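An added example (not from the wiki page or the sway project) for the step above: rather than pointing <code>XDG_RUNTIME_DIR</code> at the shared <code>/tmp</code>, create a per-user directory under it with mode 0700. The socket that sway listens on (<code>wayland-0</code>) is created inside that directory, and in a world-readable <code>/tmp</code> every local user can reach it. The function names, the <code>/tmp/UID-runtime-dir</code> naming and the optional base-directory argument are this example's assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page or the sway project: a private
# XDG_RUNTIME_DIR for sessions without elogind. The compositor's listening
# socket (wayland-0) is created inside this directory, so it has to be owned
# by the user and mode 0700; /tmp itself is shared with every local user.
# Assumed naming: /tmp/<uid>-runtime-dir. The optional argument replaces /tmp
# as the base so the function can be exercised on a scratch directory.
ensure_runtime_dir() {
    base=${1:-/tmp}
    dir="$base/$(id -u)-runtime-dir"
    if [ ! -e "$dir" ]; then
        # umask makes the directory private at creation, not by a later chmod
        (umask 077 && mkdir "$dir") || return 1
    fi
    # Refuse a pre-existing path that is a symlink, not a directory, or not
    # ours (someone else may have created it first in the shared /tmp).
    [ ! -L "$dir" ] && [ -d "$dir" ] && [ -O "$dir" ] || {
        echo "$dir exists but is not a private directory of this user" >&2
        return 1
    }
    # And refuse one that is ours but readable by others.
    find "$dir" -prune -perm 700 | grep -q . || {
        echo "$dir has a mode other than 0700" >&2
        return 1
    }
    printf '%s\n' "$dir"
}

# Start sway with the private directory: the page's "XDG_RUNTIME_DIR=/tmp sway"
# minus the shared directory.
start_sway() {
    dir=$(ensure_runtime_dir) || return 1
    XDG_RUNTIME_DIR=$dir exec sway
}
```

Run sway as <code>XDG_RUNTIME_DIR=$(ensure_runtime_dir) sway</code> or through <code>start_sway</code>; with elogind installed and configured this is unnecessary, as the page notes.<br />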
<br />
See the [https://wiki.alpinelinux.org/wiki/Wayland Wayland] page for a permanent configuration.<br />
<br />
== Configuration and Usage ==<br />
<br />
An example config is provided at <code>/etc/sway/config</code>. Copy it to <code>~/.config/sway/config</code> and read through it to learn the default keybindings.<br />
<br />
For additional information, start at <code>man 5 sway</code> and read the [https://github.com/swaywm/sway/wiki upstream FAQ].<br />
<br />
[[Category:Desktop]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Suspend_on_LID_close&diff=20081Suspend on LID close2021-08-11T05:08:11Z<p>Bt129: </p>
<hr />
<div>This article explains how to make your laptop suspend when the lid is closed.<br />
<br />
This can be done via <code>acpid</code> with a hook in {{path|/etc/acpi/LID/00000080}}:<br />
<br />
'''a) with pm-utils:'''<br />
{{cmd|apk add pm-utils}}<br />
{{cat|/etc/acpi/LID/00000080|#!/bin/sh<br />
exec pm-suspend<br />
}}<br />
<br />
'''b) with this raw variant:'''<br />
{{cat|/etc/acpi/LID/00000080|#!/bin/sh<br />
echo mem > /sys/power/state<br />
}}<br />
<br />
<br />
Make the hook executable:<br />
{{cmd|chmod +x /etc/acpi/LID/00000080}}<br />
<br />
That should be it. To make sure that the acpid daemon is running, execute:<br />
{{cmd|/etc/init.d/acpid start}}<br />
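An added example hook (not the page's own) that combines the two variants above and adds one check: acpid runs {{path|/etc/acpi/LID/00000080}} for the lid-open event as well as for lid-close, so the hook reads the lid state first and only suspends when the lid is actually closed. The state file path <code>/proc/acpi/button/lid/*/state</code>, the function names and the optional argument used for testing are this example's assumptions.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: /etc/acpi/LID/00000080 hook that
# suspends only when the lid is really closed. acpid runs this file for the
# lid-open event too, so an unconditional suspend also fires on open.
# Assumed: the lid state is readable from /proc/acpi/button/lid/*/state
# (the directory is named LID, LID0, ... depending on firmware). The optional
# argument is only there so the check can be run against a sample file.
lid_is_closed() {
    state_file=${1:-}
    if [ -z "$state_file" ]; then
        for f in /proc/acpi/button/lid/*/state; do
            [ -r "$f" ] && { state_file=$f; break; }
        done
    fi
    [ -n "$state_file" ] && [ -r "$state_file" ] || return 2
    # The file reads like "state:      closed"; anything else is "not closed".
    awk '$1 == "state:" { found = 1; if ($2 == "closed") exit 0; exit 1 }
         END { if (!found) exit 1 }' "$state_file"
}

# Name the method that will be used: pm-suspend (variant a) if installed,
# otherwise the raw write to /sys/power/state (variant b).
suspend_method() {
    if command -v pm-suspend >/dev/null 2>&1; then
        echo pm-suspend
    else
        echo 'echo mem > /sys/power/state'
    fi
}

do_suspend() {
    if command -v pm-suspend >/dev/null 2>&1; then
        exec pm-suspend
    fi
    echo mem > /sys/power/state
}

# Only act when acpid invokes this file from its hook directory, so sourcing
# the file elsewhere (e.g. to test lid_is_closed) never suspends the machine.
case $0 in
    */acpi/LID/*) if lid_is_closed; then do_suspend; fi ;;
esac
```

Save it as {{path|/etc/acpi/LID/00000080}} and make it executable as described above; the <code>case $0</code> guard at the end means the suspend only runs when acpid invokes the file from that path.<br />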
<br />
== See Also ==<br />
* [https://unix.stackexchange.com/questions/484550/pm-suspend-vs-systemctl-suspend pm-suspend vs systemd...]<br />
* [http://archive.md/Bcqlz pm-utils (arch wiki)]<br />
<br />
[[Category:Power Management]]<br />
[[category: Desktop]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Installation&diff=20079Installation2021-08-09T20:34:53Z<p>Bt129: </p>
<hr />
<div><br />
[[Image:hdd_mount.png|left|link=]]<br />
<br /><br />
<br />
<br />
<br />
<br />
This page explains the basics to get started. But before actually installing, it can also help to skim through the [[Alpine_Linux:FAQ| Frequently Asked Questions (FAQ)]].<br />
<br />
{{Tip|This is a wiki!<br />
If something isn't correct (anymore), or still incomplete, you will have to try figuring it out, or ask for the correct solution in the [https://alpinelinux.org/community/ community].<br />
<br />
And then carefully edit the wiki page.<br />
<br />
Just as those before you did it for you.<br />
}}<br />
<br />
<br />
== Minimal Hardware Requirements ==<br />
<br />
* At least 100 MB of RAM. [A graphical desktop system may require up to 1 GB minimum.]<br />
* At least 0-700 MB space on a writable storage device. [Only required in "sys" or "data" mode installations (explained below). It is optional in "diskless" mode, only needed to save newer data and configurations states of a running system.]<br />
<br />
For more information please check [[Requirements]]<br />
<br />
== Installation Overview ==<br />
<br />
=== The general course of action ===<br />
[Note: For single-board-computer (SBC) architectures which can not boot .iso images, see [[Alpine_on_ARM|Alpine on ARM]] for peculiarities.]<br />
<br />
<br />
As usual, the regular installation procedure starts with three basic steps (additional details for all the steps follow [[Installation#additional details|below]]):<br><br />
<br />
<br />
'''1.)''' Downloading and verifying the proper [http://alpinelinux.org/downloads stable-release ISO installation image-file] for the computer's architecture, and the corresponding <code>sha256</code> (checksum) and <code>GPG</code> (signature) files. <br />
<br />
'''2.)''' Either burning the ISO image-file onto a blank CD/DVD/Blu-ray disk with disk burning software, or flashing the installation image onto a bootable storage device (USB-device, CF-/MMC-/SD-card, floppy, ...).<br />
<br />
'''3.)''' Booting the computer from the prepared disk or storage device.<br />
<br />
<br />
The boot process copies the entire operating system into RAM and runs it from there, so afterwards the command line environment does not depend on reading from the (possibly slow) initial boot media.<br />
<br />
Log-in is possible as the user <code>root</code>. Initially, the root user has no password.<br />
<br />
An interactive script named <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> is available at the command prompt to configure and install the initial Alpine Linux system.<br />
<br />
The <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> question-and-answer dialog can configure installations that boot into one of three different '''Alpinelinux disk modes''', '''"diskless"''', '''"data"''', and '''"sys"'''. These are explained in more detail in the following subsections. However, a newly installed system may always be configured into a fully usable, standalone, "diskless" live-system by running <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> and answering "none" when asked for the disk to use, where to store configs, and the location for the package cache.<br />
<br />
Once a "diskless" system is configured by running <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code>, it's possible to use the [[Alpine_Linux_package_management|apk package manager]] to install any desired tool that may be missing in the live system to configure available hardware.<br />
<br />
Specific hardware configuration may be desired, for example for the available disk drives: e.g. if you need a custom partition or filesystem scheme, or if the installation should not use and/or overwrite the entire disk ([[Installation#Custom_partitioning_of_the_harddisk|details below]]).<br />
<br />
After the desired adjustments have been made using the "diskless" system, <code>[[Alpine_setup_scripts#setup-lbu|setup-lbu]]</code> and <code>[[Alpine_setup_scripts#setup-apkcache|setup-apkcache]]</code> may be run to add persistent configuration and package cache storage to the running "diskless" system. After that, the system state may be saved with <code>[[Alpine_local_backup|lbu commit]]</code>. Or, <code>[[Alpine_setup_scripts#setup-disk|setup-disk]]</code> may be run to add a "data" mode partition, or do a classic full install of the "diskless" system onto a "sys" disk or partition.<br />
<br />
More [[Alpine_setup_scripts|setup-scripts]] are available to configure other specifics. They may be run separately to set up a system, or to adjust only specific parts later. For example, to set up a graphical environment (covered in [[Installation#Post-Install|Post-Install]] below).<br />
<br />
==='''Diskless Mode'''=== <br />
This is the default boot mode of the .iso images. <code>[[Alpine_setup_scripts#setup-alpine|setup-alpine]]</code> configures this if "disk=none" is selected during installation. It means the entire operating system and all applications are loaded into, then run from, RAM. This is extremely fast and can save on unnecessary disk spin-ups, power, and wear. It is similar to what is called a "frugal" install running with the "toram" option as with some other distros, but without the need to remaster the install media.<br />
<br />
Custom configurations and package selections may be preserved across reboots with the Alpine local backup tool <code>[[Alpine_local_backup|lbu]]</code>. It enables committing and reverting system states using .apkovl files that are saved to writable storage and loaded when booting. If additional or updated packages have been added to the system, these may also be made available for automatic (re)installation during the boot phase, by enabling a [[Alpine_Linux_package_management#Local_Cache|local package cache]] on the writable storage.<br />
<br />
[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10473 FIXME-1]: Storing local configs and the package cache on an ''internal'' disk still requires [[Alpine_local_backup#Saving_and_loading_ISO_image_customizations|some manual steps]] to have the partition listed, i.e. making a /etc/fstab entry, mountpoint, and mount, *before* running setup-alpine. And requires manually committing the configuration to disk afterwards.]<br />
<br />
To allow for local backups, <code>setup-alpine</code> can be told to store the configs and the package cache on a writable partition. (Later, directories on that same partition or another available partition may also be mounted as /home, or for important applications, e.g. to keep their run-time and user data on it.)<br />
<br />
The boot device of the newly configured local "diskless" system may remain the initial (and possibly read-only) installation media. But it is also possible to copy the boot system to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.<br />
<br />
==='''Data Disk Mode'''=== <br />
This mode also runs from system RAM, thus it enjoys the same accelerated operation speed as "diskless" mode. However, swap storage and the entire {{Path|/var}} directory tree get mounted from a persistent storage device (two newly created partitions). The directory {{Path|/var}} holds e.g. all log files, mailspools, databases, etc., as well as <code>[[Alpine_local_backup|lbu]]</code> backup commits and the package cache. This mode is useful for having RAM accelerated servers with variable amounts of user-data that exceed the available RAM size. It enables the entire current system state (not just the boot state) to survive a system crash in accordance with the particular filesystem guarantees. <br />
<br />
[[https://gitlab.alpinelinux.org/alpine/alpine-conf/-/issues/10474 FIXME-2]: Setup-alpine can not yet configure storage of the lbu configs to the "data disk" after selecting one. It's still necessary to first select to save configs to "none" in setup-alpine (the new data partition is not listed), and to manually edit /etc/lbu/lbu.conf to set e.g. LBU_MEDIA=sdXY, then execute a corresponding <code>echo "/dev/sdXY /media/sdXY vfat rw 0 0" >> /etc/fstab</code> afterwards, and save the config with <code>lbu commit</code> to have the partition (here, denoted as sdXY) mounted when booting.]<br />
<br />
In data disk mode, the boot device may also remain the initial (and possibly read-only) installation media, or be copied to a partition (e.g. /dev/sdXY) with <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code>.<br />
<br />
==='''System Disk Mode'''=== <br />
This is a traditional hard-disk install.<br />
<br />
If this mode is selected, the <code>[[setup-alpine]]</code> script creates three partitions on the selected storage device, {{Path|/boot}}, {{Path|swap}} and {{Path|/}} (the filesystem root). This mode may, for example, be used for generic [[Desktops|desktop]] and development machines.<br />
<br />
For custom partitioning, see [[Setting_up_disks_manually]].<br />
<br />
To install alongside another operating system, see [[Installing_Alpine_on_HDD_dualbooting]].<br />
<br />
== Additional Details ==<br />
<br />
{{Expand| }}<br />
<br />
This "Additional Details" section needs to be consolidated with the work at '''[https://docs.alpinelinux.org https://docs.alpinelinux.org] (not finished)''' <br />
(Restructuring things there, moving and linking from here or there?). <br />
<br />
<br />
=== Verifying the downloaded image-file ===<br />
<br />
{| class="wikitable" style="width:95%; align=center"<br />
|+ Commands to verify the checksum and GPG signature of a downloaded image-file on different systems.<br />
|-<br />
! width=100px | OS type<br />
! <code>SHA256</code> check !! <code>SHA256</code> calculation (to be compared manually) !! <code>GPG</code> signature verification<br />
|-<br />
! Linux<br />
| <code>sha256sum -c alpine-*.iso.sha256</code> || || <code>curl https://alpinelinux.org/keys/ncopa.asc &#124; gpg --import ;</code><br />
<code> gpg --verify alpine-<version>.iso.asc alpine-<version>.iso</code><br />
|-<br />
! macOS<br />
| - ? - || <code>shasum -a 256 alpine-*.iso</code> || - ? -<br />
|-<br />
! BSD <br />
| - ? - || <code>/usr/local/bin/shasum -a 256 alpine-*.iso</code> || - ? -<br />
|-<br />
! Windows (PowerShell installed)<br />
| - ? - || <code>Get-FileHash .\alpine-<image-version>.iso -Algorithm SHA256</code> || - ? -<br />
|}<br />
<br />
=== Flashing (direct data writing) the installation image-file onto a device or media ===<br />
<br />
==== Unix/Linux ====<br />
<br />
Under Unix (and thus Linux), "everything is a file" and the data in the image-file can be written to a device or media with the <code>dd</code> command. Afterward, executing the <code>eject</code> command removes the target device from the system and ensures the write cache is completely flushed.<br />
<br />
dd if=<iso-file-to-read-in> of=<target-device-node-to-write-out-to> bs=4M oflag=sync status=progress; eject <target-device-node-to-write-to><br />
<br />
Be careful to correctly identify the target device as any data on it '''will''' be lost! All connected "bulk storage devices" can be listed with <code><nowiki>lsblk</nowiki></code> and <code><nowiki>blkid</nowiki></code>.<br />
<br />
# lsblk<br />
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT<br />
sdX 0:0 0 64,0G 0 disk <br />
├─sdX1 0:1 0 2G 0 part <br />
└─sdX2 0:2 0 30G 0 part /mnt/sdX2<br />
<br />
# blkid<br />
/dev/sdX1: LABEL="some" UUID="..." TYPE="vfat"<br />
/dev/sdX2: LABEL="other" UUID="..." TYPE="ext4"<br />
<br />
For example, if /dev/sdX is the desired target device, first unmount all of its mounted partitions, here sdX1 and sdX2:<br />
<br />
umount /dev/sdX1 /dev/sdX2<br />
<br />
<br />
For <code>dd</code>'s output-file (<code>of=</code>), however, do '''not''' specify a partition number. For example, write to sdX, '''not''' sdX1:<br />
<br />
Warning: '''This will overwrite the target device /dev/sdX''', so before executing, make sure you have a backup of the data if you can't afford to lose it.<br />
<br />
dd if=~/Downloads/alpine-standard-3.00.0-x86_64.iso of=/dev/sdX bs=4M oflag=sync status=progress; eject /dev/sdX<br />
<br />
==== Windows ====<br />
<br />
For example, there is the [https://rufus.ie/ Rufus] program. Rufus will enable you to create bootable USB flash drives under Windows. <br />
<br />
Rufus has been tested and works for Alpine Linux 3.12.x with the following settings:<br />
* '''Partition scheme''': <code>MBR</code><br />
* '''Target system''': <code>BIOS or UEFI</code><br />
* '''File system''': <code>FAT32</code><br />
* '''Cluster size''': <code>4096 bytes (default)</code><br />
<br />
=== Verifying the written installation media ===<br />
<br />
After detaching and re-attaching the device, a bit-wise comparison can verify the data written to the device (instead of just data buffered in RAM). If the comparison terminates with an end-of-file error on the .iso file side, all the contents from the image have been written (and re-read) successfully:<br />
<br />
# cmp ~/Downloads/alpine-standard-3.00.0-x86_64.iso /dev/sdX<br />
cmp: EOF on alpine-standard-3.00.0-x86_64.iso<br />
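The three steps above (verify the download, write it, verify what was written), combined in one POSIX shell script as an added example; this is not from the wiki page nor from Alpine's own tooling. The function names, the <code>/dev/sdX</code> placeholder and the assumption that the <code>.sha256</code> and <code>.asc</code> files sit beside the image are the example's own. Two points it makes explicit: the checksum file is fetched from the same place as the image, so <code>sha256sum -c</code> only catches a corrupted download while <code>gpg --verify</code> ties the image to the Alpine signing key; and the write is refused unless the target is a whole, unmounted disk.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page or Alpine's tooling: verify a
# downloaded image, write it to a whole disk, and verify the written bytes.
# Assumed layout: IMG.sha256 and IMG.asc sit beside IMG; DEV is a whole-disk
# node such as /dev/sdX (placeholder), never a partition like /dev/sdX1.

# Step 1a: checksum. sha256sum -c is run from the image's directory because
# the .sha256 file names the image without any path.
verify_checksum() {
    img=$1
    dir=$(dirname "$img"); base=$(basename "$img")
    [ -r "$img.sha256" ] || { echo "missing $img.sha256" >&2; return 1; }
    (cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1)
}

# Step 1b: signature. The checksum travels with the image, so it only shows
# the download arrived intact; the detached signature shows it is the image
# Alpine released. Import the key first, as in the table on the page:
#   curl https://alpinelinux.org/keys/ncopa.asc | gpg --import
verify_signature() {
    img=$1
    [ -r "$img.asc" ] || { echo "missing $img.asc" >&2; return 1; }
    gpg --verify "$img.asc" "$img" >/dev/null 2>&1
}

# Step 2: write only to a whole, unmounted disk, then flush and eject.
flash_image() {
    img=$1; dev=$2
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ "$(lsblk -ndo TYPE "$dev")" = "disk" ] ||
        { echo "$dev is not a whole disk (a partition?)" >&2; return 1; }
    if lsblk -no MOUNTPOINT "$dev" | grep -q .; then
        echo "$dev has mounted partitions, umount them first" >&2; return 1
    fi
    dd if="$img" of="$dev" bs=4M oflag=sync status=progress && eject "$dev"
}

# Step 3 (after detaching and re-attaching the device): compare exactly the
# image's length read back from the device. A device larger than the image
# then compares equal and the function returns 0; any differing byte gives 1.
verify_written() {
    img=$1; dev=$2
    size=$(wc -c < "$img" | tr -d ' ')
    head -c "$size" "$dev" | cmp -s "$img" -
}
```

Reading back only the image's length means the result is an exit status that can be checked in a script, instead of spotting cmp's "EOF on ..." message by eye.<br />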
<br />
=== Booting from external devices ===<br />
<br />
Insert the boot media to a proper drive or port of the computer and turn the machine on, or restart it, if already running.<br />
<br />
If the computer does not automatically boot from the desired device, one needs to bring up the boot menu and choose the media to boot from. Depending on the computer, the menu may be accessed by repeatedly pressing a key quickly when booting starts. Some computers require that you press the button ''before'' starting the computer and hold it down while the computer boots. Typical keys are: `F9`-`F12`, sometimes `F7` or `F8`. If these don't bring up the boot menu, it may be necessary to enter the BIOS configuration and adjust the boot settings, for which typical keys are: `Del.` `F1` `F2` `F6` or `Esc.`<br />
<br />
=== Custom partitioning of the harddisk ===<br />
<br />
It is possible to specify configurations for RAID, encryption, LVM, etc. as well as manual partitioning.<br />
<br />
For "diskless" or "data disk" mode installs, manual partitioning may be needed to prepare the harddisk for committing local backups of the system state with <code>[[Alpine_local_backup|lbu commit]]</code>, a package cache, or to use it as the /var mount. <br />
<br />
For a "sys" install, custom partitioning is needed only if the desired scheme differs from overwriting an entire disk, or creating the default /boot, swap and root partitions.<br />
<br />
See [[Setting_up_disks_manually]] for the alpine options for RAID, encryption, LVM, etc. and manual partitioning.<br />
<br />
=== Questions asked by <code>setup-alpine</code> ===<br />
[[File:Installation-alpine-alpine-setup-3-setup-scripts.png|350px|thumb|right|Example <code>setup-alpine</code> session]]<br />
<br />
The <code>[[setup-alpine]]</code> script offers the following configuration options:<br />
<br />
* '''Keyboard Layout''' (Local keyboard language and usage mode, e.g. ''us'' and variant of ''us-nodeadkeys''.)<br />
* '''Hostname''' (The name for the computer.)<br />
* '''Network''' (For example, automatic IP address discovery with the "DHCP" protocol.)<br />
* '''DNS Servers''' (Domain Name Servers to query. For privacy reasons it is NOT recommended to route every local request to servers like google's <s>8.8.8.8</s> .)<br />
* '''Timezone'''<br />
* '''Proxy''' (Proxy server to use for accessing the web. Use "none" for direct connections to the internet.)<br />
* '''Mirror''' (From where to download packages. Choose the organization you trust giving your usage patterns to.)<br />
* '''SSH''' (Secure SHell remote access server. "Openssh" is part of the default install image. Use "none" to disable remote login, e.g. on laptops.)<br />
* '''NTP''' (Network Time Protocol client used for keeping the system clock in sync with a time server. Package "chrony" is part of the default install image.)<br />
* '''Disk Mode''' (Select between diskless (disk="none"), "data" or "sys", as described above.) <br />
{{Warning|The data on a chosen device will be overwritten!}}<br />
<br />
=== Preparing for the first boot ===<br />
<br />
If <code>setup-alpine</code> has finished configuring the "sys" disk mode, the system should be ready to reboot right away (see next subsection).<br />
<br />
If the new local system was configured to run in "diskless" or "data" mode, and you do not want to keep booting from the initial (and possibly read-only) installation media, the boot system needs to be copied to another device or partition.<br />
<br />
The target partition may be identified using <code><nowiki>lsblk</nowiki></code> (after installing it with <code>apk add lsblk</code>) and/or <code>blkid</code>, similar to previously identifying the initial installation media device.<br />
<br />
The procedure to copy the boot system is explained at <code>[[Alpine_setup_scripts#setup-bootable|setup-bootable]]</code><br />
<br />
Once everything is in place, save your customized configuration with <code>lbu commit</code> before rebooting.<br />
<br />
=== Rebooting and testing the new system ===<br />
<br />
First, remove the initial installation media from the boot drive, or detach it from the port it's connected to.<br />
<br />
The system may now be power-cycled or rebooted to confirm everything is working correctly.<br />
<br />
The relevant commands for this are <code>poweroff</code> or <code>reboot</code>.<br />
<br />
=== Completing the installation ===<br />
<br />
The installation script installs only the base operating system. '''No''' applications e.g. web server, mail server, desktop environment, or web browser are installed, and <code>root</code> is the only user.<br />
<br />
Please look under "Post-Install" below, for some common things to do after installation.<br />
<br />
= Additional Documentation =<br />
<br />
=== Installing ===<br />
<br />
* [[Kernels]] ''(kernel selection, e.g. for VMs or RPi)''<br />
* [[Directly booting an ISO file]] ''(without flashing it to a disk or device)''<br />
* [[Installing_Alpine_on_HDD_dualbooting|Dual/multi-boot install to HDD partition]]<br />
* [[Tutorials_and_Howtos#Networking|Setting up Networking]] ''(including non-standard configurations)''<br />
<br><br />
* [[How to make a custom ISO image with mkimage]] ''(installation media with its own configuration)''<br />
<br />
<br />
=== Post-Install ===<br />
<br />
<!-- If you edit post-install, also consider [[Tutorials_and_Howtos#Post-Install]], [[Developer_Documentation#Package_management]] and the Handbook.<br />
Here, only the most relevant jumping off points are listed, not exact list duplicates!!! --><br />
<br />
<br />
Language support<br />
* Fix unicode defaults (replace the commented-out <code>#unicode="NO"</code> line with <code>unicode="YES"</code>): <code>sed -i 's/^#unicode="NO"/unicode="YES"/' /etc/rc.conf</code><br />
* <code>apk add musl-locales</code> Installs a limited set of locales (languages) for musl (C library) generated console messages.<br />
* Listing defined locales is possible with <code>locales -a</code><br />
* <code>cp /etc/profile.d/locale.sh /etc/profile.d/locale.sh.sh</code> Copies the default locale settings. Then the custom override file can be edited <code>nano /etc/profile.d/locale.sh.sh</code>.<br />
* <code>apk add lang</code> Pulls in the translation packages of all installed packages.<br />
* <code>apk list 'hunspell*'</code> To list available hunspell dictionary packages (quote the pattern so the shell does not expand it).<br />
* <code>apk list '*-xy' '*-xy-*'</code> To list translation packages for your specific (xy) language (for example, pt for Portuguese).<br />
<br />
Documentation<br />
* <code>apk add man-pages</code> Installs basic manual pages.<br />
* <code>apk add mandoc</code> Installs the man command to be able to open man pages.<br />
* <code>apk add mandoc-apropos</code> Installs the apropos command to search in man pages.<br />
* <code>apk add docs</code> Installs all the *-doc sub-packages of installed packages.<br />
<br />
<br />
<br><br />
* [[Setting up a new user]] ''(to allow remote, console, or graphical logins)''<br />
<br><br />
* [[Enable Community Repository]] ''(access to additional packages)''<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(how to search/add/del packages etc.)''<br />
* [[Alpine setup scripts#setup-xorg-base|<code>setup-xorg-base</code>]] ''(setup graphical base environment)''<br />
** [[Xfce_Setup]] / [[Gnome_Setup]] / [[KDE]] / [[MATE]] (desktop environments)<br />
* [[How to get regular stuff working]] ''(things one may miss in a too lightweight installation )''<br />
<br><br />
* [[Alpine_local_backup|Local backup utility <code>lbu</code>]] ''(persisting RAM system configurations)''<br />
** [[Back Up a Flash Memory Installation]] ''("diskless mode" systems)''<br />
** [[Manually_editing_a_existing_apkovl]] ''(the stored custom configs)''<br />
<br><br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
** [[Writing Init Scripts]]<br />
<br><br />
* [[Hosting services on Alpine]] ''(links to several mail/web/ssh server setup pages)''<br />
* Running applications and services in their own [[Firejail Security Sandbox]]<br />
<br><br />
* [[Alpine_Linux_package_management#Upgrade_a_Running_System|Upgrading Alpine]] ''(checking for and installing updates)''<br />
<br />
=== Additional Help and Information ===<br />
<br />
* [[Comparison with other distros]] ''(how common things are done on Alpine)''<br />
* [[Running glibc programs]] ''(installation and development)''<br />
<br />
<!-- * [[setup-acf]] ''(configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
--><br />
<br />
* [[FAQ|FAQs]]<br />
* [[Tutorials and Howtos]]<br />
<br />
* [[Contribute|How to Contribute]]<br />
* [[Developer Documentation]]<br />
* [[Alpine_Linux:Wiki_etiquette|Wiki etiquette]] ''to collaborate on this documentation''<br />
<br />
<br />
<br />
{{Tip| Alpine linux packages stay close to the upstream design. Therefore, all upstream documentation about configuring a software package, as well as good configuration guides from other distributions that stay close to upstream, e.g. those in the [https://wiki.archlinux.org/ Arch Wiki], are to a large degree, also applicable to configuring the software on alpine linux, thus can be very useful.}}<br />
<br />
= Other Guides =<br />
<br />
There may still be something useful to find and sort out of some "newbie" install notes in this wiki, but beware that these pages can lack explanations and contain highly opinionated content, redundantly on many convoluted pages.<br />
<br />
# [[Newbie_Alpine_Ecosystem]]<br />
# [[Alpine newbie install manual]]<br />
# [[Alpine_newbie#Install|Alpine_newbie Install section]]<br />
# [https://mckayemu.github.io/alpineinstalls/ https://mckayemu.github.io/alpineinstalls/ All information for Spanish users]<br />
<br />
[[Category:Installation]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=OwnCloud&diff=20076OwnCloud2021-08-08T15:01:29Z<p>Bt129: /* Webserver */</p>
<hr />
<div>{{Obsolete|OwnCloud is deprecated in favor of [[Nextcloud|Nextcloud]]}} <br />
<br />
[http://owncloud.org/ ownCloud] is a WebDAV-based solution for storing and sharing your data, files, images, video, music, calendars and contacts online. With Alpine, you can have your ownCloud instance up and running in 5 minutes!<br />
<br />
= Installation =<br />
{{pkg|ownCloud}} is available from Alpine v2.5 and later.<br />
<br />
Before you start installing anything, make sure you have the latest packages available. Make sure you are using an 'http' repository in your {{path|/etc/apk/repositories}}, then run:<br />
{{cmd|apk update}}<br />
{{tip|Detailed information can be found in [[Include:Upgrading_to_latest_release|this]] doc.}}<br />
<br />
== Database ==<br />
First you have to decide which database to use. Follow one of the database alternatives shown below:<br />
=== sqlite ===<br />
All you need to do is to install the package<br />
{{cmd|apk add owncloud-sqlite}}<br />
<br />
=== postgresql ===<br />
Install the package<br />
{{cmd|apk add owncloud-pgsql}}<br />
<br />
Configure and start the database<br />
{{cmd|/etc/init.d/postgresql setup<br />
/etc/init.d/postgresql start}}<br />
<br />
Create a user and temporarily grant the CREATEDB privilege.<br />
{{cmd|psql -U postgres<br />
CREATE USER mycloud WITH PASSWORD 'test123';<br />
ALTER ROLE mycloud CREATEDB;<br />
\q}}<br />
{{Note|Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You'll need them later.}}<br />
<br />
=== mysql ===<br />
Install the package<br />
{{cmd|apk add owncloud-mysql mysql-client}}<br />
<br />
Configure and start {{pkg|mysql}}<br />
{{cmd|/etc/init.d/mysql setup<br />
/etc/init.d/mysql start<br />
/usr/bin/mysql_secure_installation}}<br />
Follow the wizard to set up passwords etc.<br />
{{Note|Remember the usernames/passwords that you set with the wizard. You'll need them later.}}<br />
<br />
Create a user, database and set permissions.<br />
{{cmd|mysql -u root -p<br />
CREATE DATABASE owncloud;<br />
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost' IDENTIFIED BY 'test123';<br />
GRANT ALL ON owncloud.* TO 'mycloud'@'localhost.localdomain' IDENTIFIED BY 'test123';<br />
FLUSH PRIVILEGES;<br />
EXIT}}<br />
{{Note|Replace the above username 'mycloud' and password 'test123' with something secure. Remember these settings. You'll need them later.}}<br />
<br />
{{pkg|mysql-client}} is no longer needed. To uninstall it, run:<br />
{{cmd|apk del mysql-client}}<br />
<br />
== Webserver ==<br />
Choose, install and configure a webserver. In this example we will install {{pkg|nginx}} or {{pkg|lighttpd}}. ''Nginx'' is preferred over ''Lighttpd'' since the latter will consume a lot of memory when working with large files (see [http://redmine.lighttpd.net/issues/1283 lighty bug #1283]). You are free to install the webserver of your choice as long as it supports PHP and FastCGI. We won't be covering how to generate an SSL certificate for your webserver.<br />
<br />
=== Nginx ===<br />
Install the required packages<br />
{{cmd|apk add nginx php-fpm}}<br />
<br />
'''Remove/comment''' any section like this in<br />
{{cat|/etc/nginx/nginx.conf|<br />
server {<br />
listen ...<br />
}<br />
}}<br />
<br />
Include the following directive in<br />
{{cat|/etc/nginx/nginx.conf|<br />
http {<br />
...<br />
include /etc/nginx/sites-enabled/*;<br />
...<br />
}<br />
}}<br />
<br />
Create the directories for your site configurations (the site is enabled later by linking it from <code>sites-enabled</code>, so that directory has to exist too)<br />
{{cmd|mkdir -p /etc/nginx/sites-available /etc/nginx/sites-enabled}}<br />
<br />
Create a configuration file for your site in /etc/nginx/sites-available/mysite.mydomain.com<br />
<pre><br />
server {<br />
    #listen [::]:80; #uncomment for IPv6 support<br />
    listen 80;<br />
    return 301 https://$host$request_uri;<br />
    server_name mysite.mydomain.com;<br />
}<br />
<br />
server {<br />
    #listen [::]:443 ssl; #uncomment for IPv6 support<br />
    listen 443 ssl;<br />
    server_name mysite.mydomain.com;<br />
<br />
    root /var/www/vhosts/mysite.mydomain.com/www;<br />
    index index.php index.html index.htm;<br />
    disable_symlinks off;<br />
<br />
    ssl_certificate /etc/ssl/cert.pem;<br />
    ssl_certificate_key /etc/ssl/key.pem;<br />
<br />
    ssl_session_cache shared:SSL:1m;<br />
    ssl_session_timeout 5m;<br />
<br />
    #Enable Perfect Forward Secrecy and ciphers without known vulnerabilities<br />
    #Beware! It breaks compatibility with older OS and browsers (e.g. Windows XP, Android 2.x, etc.)<br />
    #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA;<br />
    #ssl_prefer_server_ciphers on;<br />
<br />
    location / {<br />
        try_files $uri $uri/ /index.html;<br />
    }<br />
<br />
    # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9000<br />
    location ~ [^/]\.php(/|$) {<br />
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;<br />
        if (!-f $document_root$fastcgi_script_name) {<br />
            return 404;<br />
        }<br />
        fastcgi_pass 127.0.0.1:9000;<br />
        #fastcgi_pass unix:/var/run/php-fpm/socket;<br />
        fastcgi_index index.php;<br />
        include fastcgi.conf;<br />
    }<br />
}<br />
</pre><br />
<br />
If you are running from RAM and you're dealing with large files, you might need to move the FastCGI temporary files from /tmp to /var/tmp or to a directory that is mounted on a hard disk:<br />
<pre><br />
fastcgi_temp_path /var/tmp/nginx/fastcgi 1 2;<br />
</pre><br />
<br />
Large file uploads take some time for php-fpm to process, so increase the Nginx default read timeout:<br />
<br />
<pre><br />
fastcgi_read_timeout 300s;<br />
</pre><br />
<br />
Set user and group for php-fpm in /etc/php/php-fpm.conf<br />
<pre><br />
...<br />
user = nginx<br />
group = www-data<br />
...<br />
</pre><br />
<br />
{{Note|If you are serving multiple users, make sure to tune <code>pm.max_children</code> and the related process manager settings in /etc/php/php-fpm.conf}}<br />
<br />
Make the nginx user a member of the www-data group<br />
{{cmd|addgroup nginx www-data}}<br />
<br />
Enable your website<br />
{{cmd|ln -s ../sites-available/mysite.mydomain.com /etc/nginx/sites-enabled/mysite.mydomain.com}}<br />
<br />
Start services<br />
{{cmd|rc-service php-fpm start<br />
rc-service nginx start}}<br />
<br />
=== Lighttpd ===<br />
Install the package<br />
{{cmd|apk add lighttpd php-cgi}}<br />
<br />
Make sure you have FastCGI enabled in {{pkg|lighttpd}}:<br />
{{cat|/etc/lighttpd/lighttpd.conf|...<br />
include "mod_fastcgi.conf"<br />
...}}<br />
<br />
Start the webserver<br />
{{cmd|/etc/init.d/lighttpd start}}<br />
<br />
{{tip|You might want to follow the [http://wiki.alpinelinux.org/wiki/Lighttpd_Https_access Lighttpd_Https_access] doc in order to configure lighttpd to use https ''(securing your connections to your owncloud server)''.}}<br />
<br />
Link {{pkg|owncloud}} installation to web server directory:<br />
{{cmd|ln -s /usr/share/webapps/owncloud /var/www/localhost/htdocs}}<br />
<br />
== Other settings ==<br />
=== Hardening ===<br />
Consider updating the variable <code>url.access-deny</code> in {{path|/etc/lighttpd/lighttpd.conf}} for additional security. Add <code>"config.php"</code> to the variable ''(that's where the database settings, including its credentials, are stored)'' so it looks something like this:<br />
{{cat|/etc/lighttpd/lighttpd.conf|...<br />
url.access-deny {{=}} ("~", ".inc", "config.php")<br />
...}}<br />
Restart {{pkg|lighttpd}} to activate the changes<br />
{{cmd|/etc/init.d/lighttpd restart}}<br />
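Nginx ignores the .htaccess files ownCloud ships for Apache, so the Nginx site above would hand out anything under data/ as a static file. The location blocks below are an added example, not part of the original page: they assume the site configuration shown earlier (root /var/www/vhosts/mysite.mydomain.com/www with ownCloud's default config/ and data/ directories beneath it) and belong inside the <code>listen 443 ssl</code> server block, ahead of the PHP location, because Nginx uses the first regex location that matches.<br />
<br />
```nginx
# Added example, not part of the original page. Assumes the site above:
# root /var/www/vhosts/mysite.mydomain.com/www with ownCloud's default
# config/ and data/ directories beneath it. Put these inside the
# "listen 443 ssl" server block, before "location ~ [^/]\.php(/|$)":
# Nginx takes the first matching regex location, so order matters.

# config/config.php holds the database credentials, and config/ may hold
# editor backups of it; nothing in there is meant for browsers.
location ~ ^/config/ {
    deny all;
}

# data/ holds every user's files and, with the sqlite backend, the database
# file itself. ownCloud streams downloads through PHP, so direct access to
# this directory is never needed.
location ~ ^/data/ {
    deny all;
}

# Apache-style control files that ship alongside the code.
location ~ /\.ht {
    deny all;
}
```

After <code>rc-service nginx reload</code>, a request for <code>https://mysite.mydomain.com/data/</code> should answer 403 rather than a directory listing or a file.<br />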
<br />
=== Additional packages ===<br />
Some large apps, such as the text editor, documents and video viewer, are in separate packages:<br />
{{cmd|apk add owncloud-texteditor owncloud-documents owncloud-videoviewer}}<br />
<br />
= Configure and use ownCloud =<br />
== Configure ==<br />
Point your browser at <code><nowiki>https://mysite.mydomain.com</nowiki></code> and follow the on-screen instructions to complete the installation, supplying the database user and password created before.<br />
<br />
== Hardening postgresql ==<br />
If you chose the PostgreSQL backend, revoke the CREATEDB privilege from the 'mycloud' user now that the installation has created its database:<br />
{{cmd|psql -U postgres<br />
ALTER ROLE mycloud NOCREATEDB;<br />
\q}}<br />
<br />
== Increase upload size ==<br />
The default PHP configuration limits uploads to 2 MB. To raise the limit, edit {{path|/etc/php/php.ini}} and change the following values to something that suits you; keep <code>post_max_size</code> at least as large as <code>upload_max_filesize</code>, and if you use Nginx raise its <code>client_max_body_size</code> (default 1m) as well, otherwise large requests are rejected before they reach php-fpm:<br />
<pre><br />
upload_max_filesize = 2M<br />
post_max_size = 8M<br />
</pre><br />
<br />
== Clients ==<br />
There are clients available for many platforms, Android included:<br />
* http://owncloud.org/sync-clients/ ''(ownCloud Sync clients)''<br />
* http://owncloud.org/support/android/ ''(Android client)''<br />
<br />
[[Category:Server]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=OwnCloud&diff=20075OwnCloud2021-08-08T14:58:16Z<p>Bt129: /* mysql */</p>
<hr />
Bt129https://wiki.alpinelinux.org/w/index.php?title=OwnCloud&diff=20074OwnCloud2021-08-08T14:56:56Z<p>Bt129: /* postgresql */</p>
<hr />
Bt129https://wiki.alpinelinux.org/w/index.php?title=Oneye&diff=20073Oneye2021-08-08T14:54:14Z<p>Bt129: </p>
<hr />
<div>[http://oneye-project.org/ oneye] is a community takeover of the legacy series 1 of the eyeOS project, powered by the community around the eyeOS 1 web desktop.<br />
<br />
New technologies are being combined into a completely redesigned framework that will be released as oneye 0.9. You can log into this cloud from a desktop or a mobile phone.<br />
<br />
= Install lighttpd, PHP, and sqlite =<br />
<br />
{{Cmd|apk add lighttpd gzip sqlite php php-sqlite php-imap nano}}<br />
<br />
== Configure lighttpd == <br />
<br />
{{Cmd|nano +46 /etc/lighttpd/lighttpd.conf}}<br />
<br />
Uncomment '''include "mod_fastcgi.conf"'''<br />
<br />
= Installing and configuring oneye =<br />
<br />
'''Install oneye'''<br />
<br />
* Make the webapps folder<br />
<br />
{{Cmd|mkdir /usr/share/webapps/ -p}}<br />
<br />
* Change directory and retrieve the file<br />
<br />
{{Cmd|cd /usr/share/webapps/ <br />
wget http://ufpr.dl.sourceforge.net/project/eyeos/oneye/0.8.0/oneye_0.8.0.zip}}<br />
<br />
* Unpack <br />
<br />
{{Cmd|unzip oneye_0.8.0.zip <br />
rm oneye_0.8.0.zip}}<br />
<br />
* Rename Folder <br />
<br />
{{Cmd|mv /usr/share/webapps/oneye_0.8.0 /usr/share/webapps/oneye}}<br />
<br />
* Unpack the config files <br />
<br />
{{Cmd|mv /usr/share/webapps/oneye/package.eyepackage /usr/share/webapps/oneye/package.tar.gz<br />
cd oneye<br />
tar zxvf /usr/share/webapps/oneye/package.tar.gz }}<br />
<br />
* Change permissions (mode 777 makes these files writable by every local user; tighten them again once the installer has finished)<br />
<br />
{{Cmd|chmod 777 /usr/share/webapps/oneye/installer/*.php<br />
chmod 777 /usr/share/webapps/oneye/*.html}}<br />
<br />
* Make symlinks to oneye<br />
<br />
{{Cmd|ln -s /usr/share/webapps/oneye /var/www/localhost/htdocs/oneye}}<br />
<br />
== Starting the web server ==<br />
<br />
Start the web server and add it to the default runlevel<br />
<br />
{{Cmd|/etc/init.d/lighttpd start && rc-update add lighttpd default}}<br />
<br />
== Configure your eyeOS ==<br />
Browse to: http://WEBSERVER_IP_ADDRESS/oneye/installer<br />
<br />
Fill out the installer form:<br />
<br />
* Root Password<br />
* Retype Password<br />
* System Name<br />
* Allow users to create accounts (yes/no)<br />
<br />
When you finish, press the "Install oneye!" button, and that's all. :)<br />
Your eyeOS cloud computing system is now running.<br />
<br />
After creating your account, log in from:<br />
<br />
* Desktop: http://WEBSERVER_IP_ADDRESS/oneye/<br />
* iPhone: http://WEBSERVER_IP_ADDRESS/oneye/iphone/<br />
* Mobile: http://WEBSERVER_IP_ADDRESS/oneye/mobile/<br />
<br />
== eyeSync==<br />
<br />
You can use this application to synchronize two or more folders between a remote server and your local desktop, as a Dropbox alternative.<br />
<br />
To run eyeSync, you first need to install the .NET Framework (Windows only) or Mono.<br />
<br />
Windows users are recommended to take the simplest install package. <br />
<br />
''' Windows side'''<br />
<br />
* Download the application from http://eyeos.svn.sourceforge.net/viewvc/eyeos/playground/lk/eyeSync/eyeSync.exe<br />
<br />
* Configure eyeSync<br />
<br />
After installing, set:<br />
<br />
* Server URL: http://WEBSERVER_IP_ADDRESS/oneye/<br />
* User / Password<br />
<br />
Now you can create jobs to synchronize from Remote to Local / Local to Remote, manual or automatic/scheduled.<br />
<br />
[[Category:Desktop]]<br />
[[Category:Server]]<br />
[[Category:PHP]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=KDE&diff=20072KDE2021-08-08T14:36:58Z<p>Bt129: </p>
<hr />
<div>{{TOC right}}<br />
<br />
KDE is a software project comprising a desktop environment known as Plasma, a collection of libraries and frameworks known as KDE Frameworks, and several applications known as KDE Applications. Their [https://userbase.kde.org/Welcome_to_KDE_UserBase UserBase wiki] has detailed information about most KDE Applications.<br />
<br />
Note: the {{Pkg|plasma}} package isn't available for the <code>ppc64le</code> and <code>s390x</code> architectures due to the {{Pkg|kdeplasma-addons}} dependency not being available there. However, the rest of Plasma can be installed separately to get a functional desktop.<br />
<br />
= Installation =<br />
<br />
=== Prerequisites ===<br />
<br />
* [[Installation|Alpine Installation]]<br />
* [[Setting_up_a_new_user#Creating_a_new_user|Create user accounts]]<br />
* [[Alpine_setup_scripts#setup-xorg-base|Graphical base environment]]<br />
* [[Enable_Community_Repository#Using_community_repositories|Enabled "community" repository]]<br />
<br />
=== Plasma ===<br />
<br />
Install the {{Pkg|plasma}} meta-package. This will install the required Plasma packages and {{Pkg|sddm}} and pre-configure it to use the Breeze theme.<br />
<br />
Alternatively, a smaller installation can be done by installing {{Pkg|plasma-desktop}}.<br />
<br />
=== KDE Applications ===<br />
<br />
To install the full set of KDE Applications, install {{Pkg|kde-applications}}. You can also choose to install a smaller set of applications by installing any of the subpackages:<br />
<br />
* {{Pkg|kde-applications-accessibility}}<br />
* {{Pkg|kde-applications-admin}}<br />
* {{Pkg|kde-applications-base}}<br />
* {{Pkg|kde-applications-edu}}, not available for <code>ppc64le</code> and <code>s390x</code><br />
* {{Pkg|kde-applications-games}}<br />
* {{Pkg|kde-applications-graphics}}<br />
* {{Pkg|kde-applications-multimedia}}<br />
* {{Pkg|kde-applications-network}}, not available for <code>ppc64le</code> and <code>s390x</code><br />
* {{Pkg|kde-applications-pim}}, not available for <code>ppc64le</code> and <code>s390x</code><br />
* {{Pkg|kde-applications-sdk}}<br />
* {{Pkg|kde-applications-utils}}<br />
* {{Pkg|kde-applications-webdev}}<br />
<br />
= Starting Plasma =<br />
<br />
Plasma can be started using a display manager or from the console.<br />
<br />
=== Using a display manager ===<br />
<br />
When Plasma is installed via the {{Pkg|plasma}} meta-package, the display manager is set up using {{Pkg|sddm}}.<br />
<br />
Make sure you enable and start the SDDM service.<br />
<br />
<pre><br />
rc-update add sddm<br />
rc-service sddm start<br />
</pre><br />
<br />
* Select ''Plasma'' to launch a new session in Wayland<br />
* Select ''Plasma (X11)'' to launch a new session in Xorg<br />
<br />
=== From the console ===<br />
<br />
The Xorg session can be launched by installing {{Pkg|xinit}} and appending <code>exec startplasma-x11</code> to your <code>.xinitrc</code> file. To start X:<br />
{{Cmd|xinit}}<br />
<br />
For the Wayland session run<br />
<pre><br />
XDG_SESSION_TYPE=wayland dbus-run-session startplasma-wayland<br />
</pre><br />
<br />
=See also=<br />
* [[Flatpak]]<br />
<br />
[[category:Desktop]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=GNOME&diff=20071GNOME2021-08-08T14:30:23Z<p>Bt129: /* Troubleshooting */</p>
<hr />
<div><br />
= Prerequisites =<br />
<br />
* [[Installation|Alpine Installation]]<br />
* [[Setting_up_a_new_user#Creating_a_new_user|Create user accounts]]<br />
* [[Alpine_setup_scripts#setup-xorg-base|Graphical base environment]]<br />
* [[Enable_Community_Repository#Using_community_repositories|Enabled "community" repository]]<br />
<br />
= Installing packages =<br />
<br />
Install basic desktop system and gnome packages.<br />
{{Cmd|# apk add gnome}}<br />
<br />
<br />
If you want, you can install additional GNOME apps for a more complete GNOME experience with:<br />
{{Cmd|# apk add gnome-apps}}<br />
<br />
= Graphical login =<br />
To start the GDM display manager and log in, you need a user other than root: GDM refuses to start if no regular user accounts (accounts with a UID >= 1000) exist.<br />
{{Cmd|rc-service gdm start}}<br />
<br />
Once you have verified correct operation, you can make GDM start at boot:<br />
{{Cmd|rc-update add gdm}}<br />
<br />
= Enabling terminal apps =<br />
If you want to use gnome-terminal or other terminal applications, you will need to install bash. For a typical bash setup, also enable bash completion:<br />
{{cmd|# apk add bash}}<br />
{{cmd|# apk add bash-completion}}<br />
<br />
= Troubleshooting =<br />
If you are unable to log in, check /var/log/gdm/greeter.log; X may have logged failed modules or similar errors there.<br />
<br />
If logging in from GDM kicks you back to the login screen, try {{cmd|# apk add bash}} (bug report #10953, which cannot be linked yet).<br />
<br />
If GNOME Terminal doesn't start, add <code>LANG=en_US.UTF-8</code> to /etc/locale.conf and reboot.<br />
<br />
If the on-screen keyboard shows up in GDM after installing other UIs such as Phosh, you need to disable it by opening the Accessibility menu (top right) when you are in the GDM login screen. You can disable the on-screen keyboard there. Alternatively, set <code>org.gnome.desktop.a11y.applications screen-keyboard-enabled</code> to <code>false</code> for the <code>gdm</code> user with <code>dconf</code>.<br />
<br />
[[Category:Desktop]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=GNOME&diff=20070 (GNOME, 2021-08-08T13:44:23Z)<p>Bt129: /* Graphical login */</p>
<hr />
<div><br />
= Prerequisites =<br />
<br />
* [[Installation|Alpine Installation]]<br />
* [[Setting_up_a_new_user#Creating_a_new_user|Create user accounts]]<br />
* [[Alpine_setup_scripts#setup-xorg-base|Graphical base environment]]<br />
* [[Enable_Community_Repository#Using_community_repositories|Enabled "community" repository]]<br />
<br />
= Installing packages =<br />
<br />
Install basic desktop system and gnome packages.<br />
{{Cmd|# apk add gnome}}<br />
<br />
<br />
If you want, you can install additional GNOME apps for a more complete GNOME experience with:<br />
{{Cmd|# apk add gnome-apps}}<br />
<br />
= Graphical login =<br />
To start the GDM display manager and login with your user, you need a user other than root for this to succeed. GDM will refuse to start if no user accounts (accounts with a UID >= 1000) are available.<br />
{{Cmd|rc-service gdm start}}<br />
<br />
Once you have verified correct operation, you can make GDM start at boot:<br />
{{Cmd|rc-update add gdm}}<br />
<br />
= Enabling terminal apps =<br />
If you want to use the gnome-terminal/other terminal applications you will need to install bash. If you want a typical bash setup also enable bash completion:<br />
{{cmd|# apk add bash}}<br />
{{cmd|# apk add bash-completion}}<br />
<br />
= Troubleshooting =<br />
If you are unable to log in, check /var/log/gdm/greeter.log; there may be output there from X indicating failed modules, etc.<br />
<br />
If logging in from GDM returns you to the login screen, try {{cmd|# apk add bash}} (bug report #10953, which cannot be linked yet).<br />
<br />
If GNOME Terminal doesn't start, add <code>LANG=en_US.UTF-8</code> to /etc/locale.conf and reboot.<br />
<br />
If the on-screen keyboard shows up in GDM after installing other UIs such as Phosh, you need to disable it by opening the Accessibility menu (top right) when you are in the GDM login screen. You can disable the on-screen keyboard there. Alternatively, set <code>org.gnome.desktop.a11y.applications screen-keyboard-enabled</code> to <code>false</code> for the <code>gdm</code> user with <code>dconf</code>.<br />
<br />
[[Category:Desktop]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=GNOME&diff=20069 (GNOME, 2021-08-08T13:42:46Z)<p>Bt129: /* Installing packages */</p>
<hr />
<div><br />
= Prerequisites =<br />
<br />
* [[Installation|Alpine Installation]]<br />
* [[Setting_up_a_new_user#Creating_a_new_user|Create user accounts]]<br />
* [[Alpine_setup_scripts#setup-xorg-base|Graphical base environment]]<br />
* [[Enable_Community_Repository#Using_community_repositories|Enabled "community" repository]]<br />
<br />
= Installing packages =<br />
<br />
Install basic desktop system and gnome packages.<br />
{{Cmd|# apk add gnome}}<br />
<br />
<br />
If you want, you can install additional GNOME apps for a more complete GNOME experience with:<br />
{{Cmd|# apk add gnome-apps}}<br />
<br />
= Graphical login =<br />
To start the GDM display manager and log in with your user, you need a user other than root for this to succeed, since GDM will refuse to start if no user accounts (meaning accounts with a UID >= 1000) are available.<br />
{{Cmd|rc-service gdm start}}<br />
<br />
Once you have verified that it actually works you can make gdm start up at boot:<br />
{{Cmd|rc-update add gdm}}<br />
<br />
= Enabling terminal apps =<br />
If you want to use the gnome-terminal/other terminal applications you will need to install bash. If you want a typical bash setup also enable bash completion:<br />
{{cmd|# apk add bash}}<br />
{{cmd|# apk add bash-completion}}<br />
<br />
= Troubleshooting =<br />
If you are unable to log in, check /var/log/gdm/greeter.log; there may be output there from X indicating failed modules, etc.<br />
<br />
If logging in from GDM returns you to the login screen, try {{cmd|# apk add bash}} (bug report #10953, which cannot be linked yet).<br />
<br />
If GNOME Terminal doesn't start, add <code>LANG=en_US.UTF-8</code> to /etc/locale.conf and reboot.<br />
<br />
If the on-screen keyboard shows up in GDM after installing other UIs such as Phosh, you need to disable it by opening the Accessibility menu (top right) when you are in the GDM login screen. You can disable the on-screen keyboard there. Alternatively, set <code>org.gnome.desktop.a11y.applications screen-keyboard-enabled</code> to <code>false</code> for the <code>gdm</code> user with <code>dconf</code>.<br />
<br />
[[Category:Desktop]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=Raspberry_Pi_3_-_Browser_Client&diff=20068 (Raspberry Pi 3 - Browser Client, 2021-08-08T13:22:59Z)<p>Bt129: </p>
<hr />
<div>This is a guide for setting up a RAM-based Alpine which is able to run X and Firefox. This tutorial will go through setting up auto-login and starting X on boot without user interaction, which is useful for a kiosk or for digital signage.<br />
<br />
'''Tested as of 05/2020''' - RPI 3<br />
<br />
'''12/2020''' - x86<br />
<br />
'''04/2021''' - RPI 4<br />
<br />
==Overview==<br />
This guide uses the following:<br />
* aarch64 img (though this guide is also x86-compatible)<br />
* Raspberry Pi3<br />
* community repo.<br />
<br />
It is based on this guide: [[Raspberry_Pi]]. Due to the dependencies required to run X and Firefox, after this tutorial is complete there is very little RAM disk space left for the user to operate in (about 30MB in v3.11). The 2GB RPI 4 has 1GB of RAM available without adjusting /boot/config.txt, which may be enough for most needs.<br />
<br />
aarch64 is used because firefox-esr is in the community repo. armhf (as of v3.11) does not have firefox prepackaged in the base or community repo.<br />
<br />
See https://pkgs.alpinelinux.org/packages?name=*firefox*&branch=v3.11&arch=aarch64<br />
<br />
Note: the aarch64 build is not compatible with all Raspberry Pi models. See [[Raspberry Pi]].<br />
<br />
==Steps==<br />
===Base Install===<br />
<br />
These steps are duplicated from the [[Raspberry_Pi]] page.<br />
<br />
Use fdisk or gdisk to format the SD card. The first partition must be a bootable, FAT filesystem. <br />
e.g.:<br />
<pre><br />
Command (m for help): p<br />
Disk /dev/sdb: 59.5 GiB, 63864569856 bytes, 124735488 sectors<br />
Units: sectors of 1 * 512 = 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disklabel type: dos<br />
Disk identifier: 0x00000000<br />
<br />
Device Boot Start End Sectors Size Id Type<br />
/dev/sdb1 * 2048 62916607 62914560 30G b W95 FAT32<br />
</pre><br />
{{cmd|# mkdosfs -F 32 /dev/sdX1}}<br />
<br />
Untar the image onto the mounted disk:<br />
<br />
<pre><br />
mount /dev/sdX1 /mnt/folder<br />
tar xvf archive.tar -C /mnt/folder/.<br />
</pre><br />
<br />
If you plan to increase available RAM (e.g. for RPI4 with 2 or 4GB) or change other<br />
config settings, do so in usercfg.txt now.<br />
<br />
Again, duplicating the [[Raspberry Pi]] page <br />
<br />
* Insert the SD card into the Raspberry Pi and turn it on.<br />
* Log in to Alpine as root. Leave the password empty.<br />
* Type <code>setup-alpine</code> and hit enter.<br />
* Once the installation is complete, commit the changes by typing <code>lbu commit -d</code>.<br />
<br />
Things to keep in mind:<br />
* There is no need to make multiple partitions (e.g. on an sdcard). One partition that occupies the entire storage medium will suffice in diskless / sys mode. <br />
* For the setup-alpine install, most of the choices will be the defaults. Particularly when prompted with "No disks available, try boot media /mmcblk0p1". Select the default [n]. If you make a mistake during the install, you can always reimage and start over.<br />
<br />
To save space, use busybox ntpd instead of chronyd and dropbear instead of openssh.<br />
<br />
After setup, make sure dropbear is installed:<br />
{{cmd|# apk add dropbear}}<br />
<br />
Start it:<br />
{{cmd|# rc-service dropbear start}}<br />
<br />
Add it to the default runlevel:<br />
{{cmd|# rc-update add dropbear}}<br />
<br />
If you need an accurate clock, enable the software clock and NTP here (this step is optional):<br />
<pre><br />
rc-update add swclock boot # enable the software clock<br />
rc-update del hwclock boot # disable the hardware clock<br />
setup-ntp<br />
</pre><br />
<br />
===Browser Client Install===<br />
<br />
Enable the community repo by uncommenting the community line in /etc/apk/repositories:<br />
<pre><br />
nano /etc/apk/repositories<br />
apk update<br />
</pre><br />
<br />
Install the Firefox and X dependencies:<br />
{{cmd|# apk add libx11-dev libxft-dev libxinerama-dev adwaita-gtk2-theme adwaita-icon-theme ttf-dejavu}}<br />
<small>Note: the fonts/icon theme is required for Firefox to display correctly. Without it, Firefox will load, but text will not render on the browser menus.</small><br />
<br />
The amount of RAM tmpfs space available can be viewed while installing with <code>watch df -h</code>.<br />
<br />
Install Firefox:<br />
{{cmd|# apk add firefox-esr}}<br />
Install X:<br />
{{cmd|# setup-xorg-base}}<br />
The RPI also requires this driver for X:<br />
{{cmd|# apk add xf86-video-fbdev}}<br />
<br />
<small>note: this command can vary if you are using x86. For example, I installed no xf86-video... drivers, and had a libEGL.so missing library error on Xorg that was resolved with "apk search libEGL.so" which pointed to mesa-egl. Note: apk search is case sensitive.</small><br />
<br />
At this point, we have about 421MB of RAM used (if NTP was not set up).<br />
<pre><br />
Filesystem Size Used Available Use% Mounted on<br />
devtmpfs 10.0M 0 10.0M 0% /dev<br />
shm 457.9M 0 457.9M 0% /dev/shm<br />
/dev/mmcblk0p1 30.0G 259.4M 29.7G 1% /media/mmcblk0p1<br />
tmpfs 457.9M 420.0M 37.9M 92% /<br />
tmpfs 91.6M 188.0K 91.4M 0% /run<br />
/dev/loop0 24.9M 24.9M 0 100% /.modloop<br />
</pre><br />
<br />
{{cmd|# lbu_commit -d}}<br />
<br />
===AutoLogin, Startx automatically on Boot===<br />
<br />
At this point, you should be able to login as root, and run startx manually. Now we'll add configuration files to enable that without user interaction.<br />
<br />
Files under /root/ are not saved, so it's necessary to edit files in /etc/ and run <code>lbu_commit -d</code> after all changes. First let's add a startup script.<br />
<small>lbu_commit is Alpine local backup. If you want to save folders other than /etc see: https://wiki.alpinelinux.org/wiki/Alpine_local_backup#Include_special_files.2Ffolders_to_the_apkovl<br />
Also see: /etc/apk/protected_paths.d/lbu.list</small><br />
<br />
Create a file named /etc/startup.sh:<br />
{{cat|/etc/startup.sh|<br />
<pre><br />
#!/bin/ash<br />
firefox http://somewebsite.com</pre>}}<br />
<br />
Note: this is ash, not bash. By default, Alpine ships with the ash shell; bash is available in the repositories.<br />
<br />
We have to edit xinitrc and the profile configs. Normally this would be done in the user's directory, but here we will use the global files for simplicity.<br />
<pre><br />
mv /etc/X11/xinit/xinitrc /etc/X11/xinit/xinitrc_BAK<br />
nano /etc/X11/xinit/xinitrc<br />
</pre><br />
In this file, insert:<br />
{{cat|/etc/X11/xinit/xinitrc|<br />
/etc/startup.sh}}<br />
At the end of /etc/profile (leave the existing contents) append:<br />
<pre><br />
startx<br />
</pre><br />
Remember to run <code>lbu_commit -d</code>.<BR><br />
For autologin, Alpine uses busybox, which provides both /sbin/getty and /bin/login. Run <code>/sbin/getty -h</code> to see what settings are available. To have root log in automatically at boot, review the existing /etc/inittab and edit it as needed to match the config below:<br />
<pre><br />
# Set up a couple of gettys<br />
#tty1::respawn:/sbin/getty 38400 tty1<br />
tty2::respawn:/sbin/getty 38400 tty2<br />
tty3::respawn:/sbin/getty 38400 tty3<br />
tty4::respawn:/sbin/getty 38400 tty4<br />
tty5::respawn:/sbin/getty 38400 tty5<br />
tty6::respawn:/sbin/getty 38400 tty6<br />
<br />
tty1::respawn:/bin/login -f root<br />
</pre><br />
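The inittab above logs root in on tty1 without a password. As an added example, not from the wiki, the Python below parses an inittab in busybox's <code>id:runlevels:action:process</code> format and reports which ttys auto-login and as whom, so a kiosk image can be checked before it ships. The sample inittab is constructed from the fragment above; the <code>kiosk</code> account name used in the second call is hypothetical and stands for the dedicated unprivileged user this guide recommends later for Chromium.<br />

```python
import os
import shlex

# Constructed inittab fragment modelled on the one in this guide (not read from a host).
SAMPLE_INITTAB = """\
::sysinit:/sbin/openrc sysinit
# Set up a couple of gettys
#tty1::respawn:/sbin/getty 38400 tty1
tty2::respawn:/sbin/getty 38400 tty2
tty3::respawn:/sbin/getty 38400 tty3

tty1::respawn:/bin/login -f root
"""


def parse_inittab(text):
    """Return (id, runlevels, action, process) for each active, well-formed entry.

    Blank lines and '#' comments are skipped; the process field may itself
    contain ':' so the line is split into at most four fields.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries


def autologin_entries(text):
    """List the entries that run busybox `login -f USER` (no password asked).

    Each finding records the tty, the init action, the user logged in and
    whether that user is root. A kiosk that must auto-login should do so as
    a dedicated unprivileged account, so root=True is the finding to act on.
    """
    found = []
    for ident, _levels, action, process in parse_inittab(text):
        argv = shlex.split(process)
        if not argv or os.path.basename(argv[0]) != "login" or "-f" not in argv:
            continue
        i = argv.index("-f")
        user = argv[i + 1] if i + 1 < len(argv) else None
        found.append({"tty": ident, "action": action, "user": user, "root": user == "root"})
    return found


if __name__ == "__main__":
    for finding in autologin_entries(SAMPLE_INITTAB):
        level = "WARN" if finding["root"] else "info"
        print(f"{level}: {finding['tty']} auto-logins as {finding['user']} ({finding['action']})")
    # The same check against the hardened variant (hypothetical 'kiosk' user):
    print(autologin_entries("tty1::respawn:/bin/login -f kiosk\n"))
```

Run it against a real file with <code>autologin_entries(open("/etc/inittab").read())</code>; an empty list means no tty logs anyone in without a password.<br />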
<br />
===Disable Screensaver, and refresh webpage (optional)===<br />
<br />
As a kiosk, a Raspberry Pi needs to have the screensaver ([https://wiki.archlinux.org/DPMS DPMS]) disabled. My particular application (video streams) required a refresh occasionally. These were managed with xorg.conf, xdotool, and crontab respectively.<br />
<br />
{{cat|/etc/X11/xorg.conf|<br />
Section "Extensions"<br />
Option "DPMS" "Disable"<br />
EndSection}} <br />
<br />
{{cmd|# apk add xdotool}}<br />
<br />
<pre># crontab -u root -e <br />
* * * * * DISPLAY=:0 /usr/bin/xdotool key F5</pre><br />
<br />
<small>Note: xset is not an option here as it's not included by default. It can be installed from the repositories, if needed.</small><BR><br />
That's it. Reboot and the RPI should boot into firefox without user intervention. At this point, you have a functioning minimal OS booting from RAM, with firefox, and ~30MB of available space for further configuration.<br />
<br />
==Digital Signage==<br />
It's common to use GNU/Linux on x86 or RPIs for digital signage. A quick glance at https://elinux.org/RPi_Projects/Digital_Signage will show a number of options. Why would you use this guide for digital signage instead of those pre-built projects?<br />
# Alpine runs from RAM, which increases the lifetime of the storage (flash / hdd). <br />
# There is no requirement to use 'cloud' services, or an internet connection. <br />
# You have full control over the build and design (all kiosk build steps are documented & have a small learning curve, compared to some of the more complex projects mentioned above).<br />
# Free software. No recurring costs (outside of optional maintenance). <br />
# No ties to external infrastructure / frameworks. Full freedom.<br />
<br />
In this addition to the guide above, we'll install Chromium, which seems to be the de facto standard. However, you could use any X application. Here we'll also run a web server with PHP, which hosts the resources we want to display on the sign.<br />
Make sure the community repo is enabled in /etc/apk/repositories, then install Chromium:<br />
{{cmd|# apk add chromium}}<br />
In /etc/startup.sh, launch chromium instead of firefox:<br />
<pre><br />
chromium-browser --home-page http://127.0.0.1/resource --no-sandbox --window-size=1920,1280 --start-fullscreen --test-type<br />
</pre><br />
Note: this is a potentially insecure setup. Users are advised to add a user and remove the --no-sandbox flag. The following flags are used: --home-page starts us on a given URL; --no-sandbox allows root to run chromium; --window-size gives us the resolution we want; --start-fullscreen ensures the browser occupies the entire screen.<br />
<br />
If you deploy the device on a TV and you're unsure what resolution it is, you can query the resolution from the terminal (not in X) with<br />
{{cmd|# xrandr -d :0}}<br />
For example, I built my device on a computer monitor that was 1920x1280, but when I deployed, the TV was 1920x1080. Since we run chromium straight on X without any WM, it's necessary to query xrandr from the console. If desired, you could install dwm and hide the bar, obtaining a terminal via a keyboard shortcut configured in dwm's config.h, but a WM is not required.<br />
<br />
Make sure to run <code>lbu_commit -d</code> in order to save any changes to the apkovl on the SD or HDD storage.<br />
<br />
===Install Apache/PHP===<br />
See [[Apache]].<br />
<br />
===Install xset to disable screensaver===<br />
<pre><br />
apk add xset<br />
xset q<br />
xset s off<br />
</pre><br />
<br />
===Hide Scrollbars of Browser===<br />
This can be done with CSS:<br />
<pre><br />
body {<br />
    overflow: hidden; /* Hide scrollbars */<br />
}<br />
</pre><br />
<br />
==Tips/Troubleshooting==<br />
===Why was this setup used? Why not Awesome or dwm?===<br />
I ran through a few different setups of Alpine on the RPi, and found that (dwm | awesome) and Firefox required too many dependencies to run on an RPI3 with 512MB in /tmp (running in RAM). Other browsers that used fewer dependencies were unstable (the application was viewing video streams). Running Firefox directly on X fit in the available space and was stable. This is one of the reasons aarch64 was used instead of armhf. With Alpine, by default the 2GB RPI4 has 1GB of RAM available (for storage), and doesn't have this limitation. It should be possible to get more RAM via /boot/config.txt.<br />
<br />
If your application doesn't require media (e.g. a static webpage) you may be able to run other browsers on the RPi, such as midori, falkon, or surf, without stability issues.<br />
<br />
It is possible that VLC or a GTK/QT app would also fit into the limited space on the RPI 3. That was not tested.<br />
<br />
===Width and height of Firefox don't fit the monitor===<br />
Firefox can be called with -height and -width flags, e.g.<br />
{{cmd|# firefox -width 480 -height 640 somewebsite.com}}<br />
<br />
===Periodic Firefox Crashes on RPI3 due to Low Memory===<br />
With the RPI3, I found Firefox would crash consistently after watching video for a couple of days. On the server I saw notices of memory running out. This may have been a memory leak. With the small amount of RAM available, Firefox would crash, leaving the screen blank.<br />
<br />
The solution was to set up a nightly reboot of the system via cron. The system has been stable since. However, if I were to do this again, I would use an RPi4 with >1GB RAM, which may eliminate the need for a nightly reboot.<br />
<br />
<br />
==Related Links==<br />
* [[dwm]]<br />
* [[Raspberry Pi]]<br />
* [[Apache]]<br />
<br />
<br />
[[Category:Raspberry]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=Dwm&diff=20067 (Dwm, 2021-08-08T12:28:51Z)<p>Bt129: </p>
<hr />
<div>{{TOC right}}<br />
<br />
[https://dwm.suckless.org/ dwm] is a dynamic window manager for X. It manages windows in tiled, monocle and floating layouts.<br />
<br />
This guide covers:<br />
<br />
* Creating a user account that can run sudo <br />
* Installing dependencies for the [https://suckless.org suckless] tools and installing firefox <br />
* Installing from source dwm (dynamic window manager), dmenu (dynamic menu), st (simple terminal)<br />
* Configuring the new profile to run dwm at login.<br />
<br />
<br />
== Creating a new user account ==<br />
After installing Alpine you get the root account. We want to create an account that is not root, but can run sudo. <br />
{{cmd|# adduser myname}}<br />
Where '''myname''' is the user name you want to use.<br />
<br />
Install sudo so we can add '''myname''' to sudoers.<br />
{{cmd|# apk add sudo}}<br />
<br />
Edit the sudoers file by running:<br />
{{cmd|# visudo}}<br />
{{Note|Edit the sudoers file using only '''visudo'''}}<br />
Add the newly created account to sudoers. Insert the line '''after''' the root definition. The relevant section should look like this:<br />
{{cat|/etc/sudoers.tmp|<br />
<pre><br />
##<br />
## User privilege specification<br />
##<br />
root ALL=(ALL) ALL<br />
myname ALL=(ALL) ALL</pre>}}<br />
<br />
Switch to the new account <br />
{{cmd|# su myname}} Where '''myname''' is your username.<br />
<br />
== Installing Xorg ==<br />
Run the following command to install X.org:<br />
{{cmd|# sudo setup-xorg-base}}<br />
<br />
== Configure the community repositories ==<br />
This is needed so you can install Firefox. Edit the file with this command:<br />
{{cmd|# sudo vi /etc/apk/repositories}}<br />
Uncomment the community line by removing the '''#''' then save the file and exit. <br />
It should look something like this: <br />
{{cat|/etc/apk/repositories|<br />
#/media/cdrom/apks<br />
http://linorg.usp.br/AlpineLinux/v3.9/main<br />
http://linorg.usp.br/AlpineLinux/v3.9/community<br />
#http://linorg.usp.br/AlpineLinux/edge/main<br />
#http://linorg.usp.br/AlpineLinux/edge/community<br />
#http://linorg.usp.br/AlpineLinux/edge/testing}} <br />
Next, tell the package manager about the change: <br />
{{cmd|# sudo apk update}}<br />
<br />
== Installing dependencies ==<br />
{{Note|<br />
'''git make gcc g++ libx11-dev libxft-dev libxinerama-dev ncurses''' is needed to install suckless tools from source.<br />
<br />
'''dbus-x11''' is needed for the dbus system (enables firefox running in dwm to open in a tile)<br />
<br />
The last three '''adwaita-gtk2-theme adwaita-icon-theme ttf-dejavu''' are optional, but recommended for a nicer looking firefox.}}<br />
<br />
The command to install the dependencies:<br />
{{cmd|# sudo apk add git make gcc g++ libx11-dev libxft-dev libxinerama-dev ncurses dbus-x11 firefox-esr adwaita-gtk2-theme adwaita-icon-theme ttf-dejavu}}<br />
<br />
== Installing suckless tools dwm, dmenu, and st from source ==<br />
Change to the /tmp directory. {{cmd| # cd /tmp}} then execute:<br />
{{cmd|# git clone https://git.suckless.org/dwm}}<br />
Once downloaded, go to the dwm directory {{cmd|# cd dwm}}<br />
To install, run:<br />
{{cmd|# sudo make clean install}}<br />
Next, go up one directory level {{cmd|# cd ..}} to install dmenu:<br />
{{cmd|# git clone https://git.suckless.org/dmenu}}<br />
{{cmd|# cd dmenu}}<br />
{{cmd|# sudo make clean install}}<br />
Finally, go up one more directory level {{cmd|# cd ..}} to install st:<br />
{{cmd|# git clone https://git.suckless.org/st}}<br />
{{cmd|# cd st}}<br />
{{cmd|# sudo make clean install}}<br />
== Setting up your profile ==<br />
Change to your home directory:<br />
{{cmd|# cd /home/myname}} Where '''myname''' is your username.<br />
Create .xinitrc:<br />
{{cmd|# vi .xinitrc}}<br />
Add this line:<br />
{{cat|~/.xinitrc|<br />
exec dwm}}<br />
Save the file and exit vi.<br />
<br />
Next, create .profile.:<br />
{{cmd|# vi .profile}}<br />
Add this line:<br />
{{cat|~/.profile|<br />
startx}}<br />
<br />
{{Note|If you install additional programs that call your <code>$SHELL</code> with the POSIX <code>-l</code> login flag, you'll need to make launching <code>startx</code> conditional, otherwise X will attempt to launch every time your shell is called with the login flag.<br />
{{cat|~/.profile|<br />
if [[ -z $DISPLAY ]] && [[ $(tty) = /dev/tty1 ]]; then<br />
startx<br />
fi<br />
}}<br />
|gotchas}}<br />
<br />
Log out or reboot. dwm will run the next time you log in. <br />
Press alt+p to launch dmenu. Type firefox then press enter. Firefox will load and run in tile 9.<br />
<br />
= See also =<br />
* https://pkgs.alpinelinux.org/contents?file=dwm<br />
* [https://wiki.gentoo.org/wiki/Dwm "dwm is only a single binary, and its source code is intended to never exceed 2000 SLOC. dwm is customized through editing its source code"]<br />
* [[Awesome]]<br />
* [[Raspberry Pi 3 - Browser Client]] - A guide which omits dwm, but uses similar steps to install firefox in a diskless install on ARM. dwm is not used on the RPI3, due to tmpfs limitations.<br />
<br />
[[category:Desktop]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=AwesomeWM&diff=20066 (AwesomeWM, 2021-08-08T06:34:48Z)<p>Bt129: </p>
<hr />
<div>[[file: awesome-01.png |thumb |Screenshot]]<br />
{{TOC right}}<br />
<br />
= Initial setup =<br />
Start by booting Alpine (see [[Installation|these]] instructions on how to do that)<BR><br />
When Alpine is up and running, do the initial setup.<br />
{{Cmd|# setup-alpine}}<br />
<br />
= Enable Community Repository =<br />
In order to install the awesome package (see "Install packages" below), you need to enable the community repository for your version. Uncomment {{codeline|http://<url>/alpine/<version>/community}} in {{path|/etc/apk/repositories}}. For example:<br />
{{cat|/etc/apk/repositories|<nowiki># /etc/apk/repositories<br />
<br />
#/media/sdb/apks<br />
http://mirror.csclub.uwaterloo.ca/alpine/v3.8/main<br />
http://mirror.csclub.uwaterloo.ca/alpine/v3.8/community<br />
#http://mirror.csclub.uwaterloo.ca/alpine/v3.8/testing<br />
</nowiki><br />
}}<br />
<br />
= Install packages =<br />
Install awesome, feh and aterm.<BR><br />
Depending on your network speed, it might take a few minutes.<br />
{{Cmd|# apk add awesome feh aterm}}<br />
If aterm is not recognized by apk (Alpine Linux 3.2.x or above), you can install lxterminal instead.<BR><br />
On the same versions of Alpine Linux (3.2.x or above) you also have to install the package lua, otherwise awesome will not start.<br />
{{Cmd|# apk add lua}}<br />
You may need to add packages for the Adwaita theme.<br />
{{Cmd|# apk add adwaita-gtk2-theme adwaita-icon-theme}}<br />
<br />
Add other apps as needed. e.g. firefox, gnumeric, xchat, gimp, pidgin, geany, vim, etc.<BR><br />
For Alpine Linux 2.6.x add the following pkgs<br />
{{Cmd|# apk add cairo-gobject pango}}<br />
<br />
== Optional packages ==<br />
=== Video and Input packages ===<br />
You <u>might</u> want to install a package suitable for your video chipset and input devices.<BR><br />
For example, if you have an Sis video chipset, install 'xf86-video-sis'. For Intel video chipset, install 'xf86-video-intel'.<BR><br />
{{Cmd|# apk add xf86-video-sis}}<br />
and / or <br />
{{Cmd|# apk add xf86-input-synaptics}}<br />
<br />
Run 'apk search xf86-video*' to see available xf86-video packages.<BR><br />
Run 'apk search xf86-input*' to see available xf86-input packages.<BR><br />
<br />
=== acpid ===<br />
If you installed your Alpine Linux as a VirtualBox or VMware guest, you might find it handy to be able to execute an ACPI shutdown.<BR><br />
{{Cmd|# rc-update add acpid}}<br />
<br />
= Configure xorg-server =<br />
On most systems, xorg should be able to autodetect all devices. However, you can still configure xorg-server manually by launching:<br />
{{Cmd|# setup-xorg-base}}<br />
<br />
= Create user accounts =<br />
Create a normal user account.<br />
{{Cmd|# adduser <user>}}<br />
<br />
Optionally, give that user sudo permissions in /etc/sudoers. When doing so, it is important to use the command: {{Cmd|# visudo}} This ensures that only one user is changing the file at any given time. Visudo has two modes: Command mode and Insert mode. To edit the file, use the arrows to navigate to the appropriate line and enter Insert mode by pressing the 'i' key. To save and exit, enter Command mode by pressing the 'Esc' key, then ':w' + 'enter' to save, and finally ':q' + 'enter' to quit.<br />
<br />
Log out of the root account and log in to the newly created account.<br />
<br />
= Start your desktop =<br />
{{Cmd|$ echo 'awesome' >> /home/<newuser>/.xinitrc}}<br />
{{Cmd|$ mkdir /home/<newuser>/.config}}<br />
{{Cmd|$ cp -r /etc/xdg/awesome /home/<newuser>/.config}}<br />
{{Cmd|$ vi /home/<newuser>/.config/awesome/rc.lua}}<br />
Replace instances of xterm with aterm (or, on 3.2.x or above, with lxterminal).<br />
<br />
Start awesome.<br />
{{Cmd|$ startx}}<br />
<br />
= Troubleshooting =<br />
<br />
D-Bus problems:<br />
<br />
<pre><br />
D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory<br />
</pre><br />
<br />
If startx fails and returns an error about D-Bus failed to read machine uuid, as shown above, proceed as follows:<br />
<br />
Install dbus from apk (you must be logged in as root for the step shown below)<br />
{{Cmd|# apk add dbus}}<br />
<br />
Log in or su to the root account, then launch the following command (Note: sudo does not work for this step):<br />
{{Cmd|# dbus-uuidgen > /var/lib/dbus/machine-id}}<br />
<br />
Now, when startx is launched, it should load the desktop correctly.<br />
<br />
= See also =<br />
* [[Dwm]]<br />
<br />
[[Category:Desktop]]<br />
[[category: Lua]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=Install_Alpine_on_VMware_ESXi&diff=20064 (Install Alpine on VMware ESXi, 2021-08-07T17:33:37Z)<p>Bt129: </p>
<hr />
<div>{{TOC right}}<br />
<br />
= Preparation =<br />
<br />
This guide assumes you are using the latest (as of this writing, ESXi 6.7) host client on a free install of ESXi, not the vSphere client. Options may be slightly different for that client.<br />
<br />
== Download Alpine and upload to a reachable Datastore ==<br />
For this guide, I used the latest virtual images, which at the time were 3.10.2.<br />
<br />
== Create VM Options ==<br />
<br />
# Name: Choose any name you like<br />
# Compatibility: Linux<br />
# Guest OS Version: Select ''Other 4.x or later Linux (64-bit)'' if you downloaded the x86_64 Alpine-ISO, or ''Other 4.x or later Linux (32-bit)'' if you downloaded the x86 Alpine-ISO.<br />
<br />
== Edit VM Settings once Created ==<br />
The default Alpine Linux ISO images only boot from BIOS, not from UEFI, which is the ESXi default for Linux 4.0+ guests. To get around this limitation, you have three options:<br />
# Change the VM to use Bios Boot<br />
## Make sure the VM is powered off. (If it is on, you will not be able to change boot options, and your save will fail.)<br />
## Right click on the VM, and select Edit Settings<br />
## Select VM Options<br />
## Under Boot Options > Firmware, select BIOS<br />
## Click save.<br />
# You could create a new ISO image following the [[Create_UEFI_seureboot_USB]] guide (outside the scope of this guide)<br />
# You can change the VM Compatibility option to ''Other Linux (64-bit)'', but you lose the VMXNET and SR-IOV passthrough NIC options (helpful for a virtualized firewall) and are limited to the E1000 NIC driver, which has been known to drop network connectivity.<br />
<br />
= Installation =<br />
Install Alpine Linux. I used the default setup-alpine script <br />
<br />
= Post-Install =<br />
== Install and enable Open-VM-Tools ==<br />
<br />
# Enable the Community repo<br />
Using root/sudo/wheel privileges, edit /etc/apk/repositories and uncomment the community repo.<br />
# Install {{Pkg|open-vm-tools}}<br />
{{Cmd | apk add --update open-vm-tools }}<br />
# Start it and enable it at boot. As of this writing the OpenRC scripts are included in the base open-vm-tools package instead of a separate -openrc package.<br />
{{Cmd | /etc/init.d/open-vm-tools start<br />
rc-update add open-vm-tools}}<br />
<br />
<br />
[[category:Virtualization]]</div>
Bt129: https://wiki.alpinelinux.org/w/index.php?title=Docker&diff=20062 (Docker, 2021-08-07T17:16:13Z)<p>Bt129: </p>
<hr />
<div>== Installation ==<br />
<br />
The Docker package is in the 'Community' repository. See [[Alpine_Linux_package_management]] for how to add a repository.<br />
<br />
<pre><br />
apk add docker<br />
</pre><br />
<br />
Connecting to the Docker daemon through its socket requires you to add yourself to the <code>docker</code> group.<br />
<br />
<pre><br />
addgroup username docker<br />
</pre><br />
<br />
To start the Docker daemon at boot, see [[Alpine_Linux_Init_System]].<br />
<br />
<pre><br />
rc-update add docker boot<br />
service docker start<br />
</pre><br />
<br />
{{Note|On older versions of Alpine Linux with older versions of docker you'll also need to disable some kernel security flags in order to build images:}}<br />
<br />
<pre><br />
sysctl -w kernel.grsecurity.chroot_deny_chmod=0<br />
sysctl -w kernel.grsecurity.chroot_deny_mknod=0<br />
</pre><br />
<br />
For more information, have a look at the [https://github.com/docker/docker/issues/20303 corresponding Github issue].<br />
<br />
This weakening of security is not necessary to do with Alpine 3.4.x and Docker 1.12 as of August 2016.<br />
<br />
=== Docker Compose ===<br />
<br />
'docker-compose' is in the 'Community' repository starting with Alpine Linux 3.10.<br />
<br />
apk add docker-compose<br />
<br />
For older releases:<br />
<br />
'''To install docker-compose, first install pip:'''<br />
<br />
apk add py-pip python3-dev libffi-dev openssl-dev gcc libc-dev make<br />
 pip3 install docker-compose<br />
<br />
== Isolate containers with a user namespace ==<br />
<pre><br />
# create a system user and group "dockremap" with no home directory and no login shell<br />
adduser -SDHs /sbin/nologin dockremap<br />
addgroup -S dockremap<br />
# allocate a 65536-id subordinate range starting at dockremap's own uid/gid<br />
# (id(1) looks the account up exactly, so a similarly named account cannot match)<br />
echo dockremap:$(id -u dockremap):65536 >> /etc/subuid<br />
echo dockremap:$(id -g dockremap):65536 >> /etc/subgid<br />
</pre><br />
<br />
Add to '''/etc/docker/daemon.json''':<br />
<br />
<pre><br />
{ <br />
"userns-remap": "dockremap"<br />
}<br />
</pre><br />
<br />
You may also consider these options:<br />
<br />
<pre><br />
"experimental": false,<br />
"live-restore": true,<br />
"ipv6": false,<br />
"icc": false,<br />
"no-new-privileges": false<br />
</pre><br />
<br />
You'll find all possible options in the [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file daemon configuration file reference].<br />
<br />
== Example: How to install docker from Arch ==<br />
<br />
https://wiki.archlinux.org/index.php/Docker<br />
<br />
== "WARNING: No {swap,memory} limit support" ==<br />
<br />
You might encounter this message when executing <code>docker info</code>.<br />
To correct it, add <code>cgroup_enable=memory swapaccount=1</code> to the kernel command line, as described below.<br />
<br />
==== Alpine 3.8 ====<br />
It may not have been the case before, but with Alpine 3.8 you must configure cgroups properly.<br />
<br />
'''''Warning''''': This seems ''not'' to work with Alpine 3.9 and Docker 18.06. Follow the instructions for grub or extlinux below instead.<br />
<br />
<pre>echo "cgroup /sys/fs/cgroup cgroup defaults 0 0" >> /etc/fstab</pre><br />
<pre><br />
cat >> /etc/cgconfig.conf <<EOF<br />
mount {<br />
cpuacct = /cgroup/cpuacct;<br />
memory = /cgroup/memory;<br />
devices = /cgroup/devices;<br />
freezer = /cgroup/freezer;<br />
net_cls = /cgroup/net_cls;<br />
blkio = /cgroup/blkio;<br />
cpuset = /cgroup/cpuset;<br />
cpu = /cgroup/cpu;<br />
}<br />
EOF<br />
</pre><br />
<br />
=== Grub ===<br />
If you use Grub, add the cgroup options to <code>GRUB_CMDLINE_LINUX_DEFAULT</code> in <code>/etc/default/grub</code>, then regenerate your grub config:<br />
<br />
<pre>GRUB_CMDLINE_LINUX_DEFAULT="... cgroup_enable=memory swapaccount=1"</pre><br />
<br />
=== Extlinux ===<br />
With Extlinux, add the same options to <code>default_kernel_opts</code> in <code>/etc/update-extlinux.conf</code>:<br />
<br />
<pre>default_kernel_opts="... cgroup_enable=memory swapaccount=1"</pre><br />
<br />
then regenerate the bootloader config and reboot:<br />
<br />
<code>update-extlinux</code><br />
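The edits above are done by hand, and repeating them leaves duplicate options on the kernel command line. As an added example (not from this wiki page), the POSIX shell functions below add the two options to <code>default_kernel_opts</code> idempotently and check a kernel command line (for instance the contents of <code>/proc/cmdline</code> after the reboot) for them. The config path is passed as an argument; the demo runs on a constructed sample file, not on the real <code>/etc/update-extlinux.conf</code>.<br />

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): idempotently add kernel options to the
# default_kernel_opts line of an update-extlinux.conf-style file, and check a
# kernel command line for the options the section above describes.

# cmdline_has_opts CMDLINE OPT... : returns 0 if every OPT appears as a whole
# word in the space-separated CMDLINE, 1 otherwise ("swapaccount=1" does not
# match "swapaccount=10").
cmdline_has_opts() {
    _cl="$1"; shift
    for _o in "$@"; do
        case " $_cl " in
            *" $_o "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# extlinux_opts FILE : print the value inside default_kernel_opts="..."
extlinux_opts() {
    sed -n 's/^default_kernel_opts="\(.*\)"$/\1/p' "$1"
}

# add_extlinux_opts FILE OPT... : append each OPT that is not already present,
# rewriting FILE through a temporary file. Safe to run repeatedly.
add_extlinux_opts() {
    _file="$1"; shift
    grep -q '^default_kernel_opts="' "$_file" || {
        echo "no default_kernel_opts line in $_file" >&2; return 1; }
    _new=$(extlinux_opts "$_file")
    for _opt in "$@"; do
        cmdline_has_opts "$_new" "$_opt" || _new="${_new:+$_new }$_opt"
    done
    _tmp="$_file.tmp.$$"
    sed "s|^default_kernel_opts=\".*\"\$|default_kernel_opts=\"$_new\"|" "$_file" > "$_tmp" \
        && mv "$_tmp" "$_file"
}

# Demo on a constructed sample file (not a real /etc/update-extlinux.conf):
# applying the change twice must not duplicate the options.
demo_extlinux() {
    _f=$(mktemp)
    printf 'overwrite=1\ndefault_kernel_opts="quiet rootfstype=ext4"\nmodules=sd-mod,usb-storage,ext4\n' > "$_f"
    add_extlinux_opts "$_f" cgroup_enable=memory swapaccount=1
    add_extlinux_opts "$_f" cgroup_enable=memory swapaccount=1
    extlinux_opts "$_f"
    rm -f "$_f"
}
```

On a real host, run <code>add_extlinux_opts /etc/update-extlinux.conf cgroup_enable=memory swapaccount=1</code> as root, then <code>update-extlinux</code> as above; after the reboot, <code>cmdline_has_opts "$(cat /proc/cmdline)" cgroup_enable=memory swapaccount=1 && echo present</code> confirms the kernel actually booted with the options rather than with a stale config.<br />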
<br />
== How to use docker ==<br />
<br />
The best documentation on using Docker and creating containers is at the main docker site. Adding anything to it here would be redundant.<br />
<br />
'''http://docs.docker.com/'''<br />
<br />
If you create an account at docker.com, you can browse through user images and learn from the syntax in contributed dockerfiles.<br />
<br />
Official Docker image files are denoted on the website by a blue ribbon.<br />
<br />
== See also ==<br />
* [https://www.erianna.com/creating-a-alpine-linux-repository/ Creating and Hosting an Alpine Linux Package Repository for Docker Packages]<br />
* [[Running Alpine in a Docker Container]]<br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20061LXC2021-08-07T17:00:11Z<p>Bt129: /* Creating a LXC container without modifying your network interfaces */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example, if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line, as otherwise cgroups will fail to mount and the LXC service will fail to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you have finished creating your new sysctl profile, apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the Alpine template '''does not enable the networking service'''; you will need to add it using lxc-console.<br />
<br />
<br />
If running on x86_64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container, you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an Ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace <code>$MIRROR</code> with the mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/):<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / CentOS, etc.) ===<br />
<br />
To enable unprivileged containers, you must create a uid/gid map:<br />
<br />
echo root:1000000:65536 | tee -a /etc/subuid <br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged LXC container, you need to use the download template, which must be installed first:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
Then choose the distribution, release and architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
First, you should enable the cgroups service:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service by running<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable only the lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts every container that has <code>lxc.start.auto</code> set.<br />
<br />
== Connecting to the guest ==<br />
By default, sshd is not installed. You'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type <code>exit</code> to detach from the container again (please check the grsec notes above).<br />
<br />
== Connect to virtual console ==<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
Let's say you have an interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined for the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module):<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0:<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge:<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container, run:<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 is your internet-facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a DHCP server running on your host, set it up to hand out IP addresses from your private subnet to any container that requests one, and then have one template for multiple Alpine LXC containers, perfect for Alpine development :)<br />
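The config file written above has to satisfy two constraints that LXC only reports at start time: the gateway must lie inside the container's <code>ADDR/PREFIX</code> subnet (otherwise the default route cannot be installed), and the <code>veth.pair</code> name must fit the kernel's 15-character interface name limit. As an added example, neither from the wiki nor part of LXC, the POSIX shell script below parses an <code>lxc.net.0.*</code> config of this shape and checks both, plus that a bridge is set as the link. The config path is a parameter; the demo uses a constructed copy of the file above.<br />

```shell
#!/bin/sh
# Added example (not the Alpine wiki's own code): sanity-check an LXC network
# config such as /etc/lxc/bridgenat.conf before running lxc-create.

# ip2int DOTTED : print an IPv4 address as an unsigned integer; exit 1 on
# malformed input. Runs in a subshell so the IFS change stays local.
ip2int() (
    _ip="$1"
    case "$_ip" in *[!0-9.]*|'') exit 1 ;; esac
    IFS=.
    set -- $_ip
    [ $# -eq 4 ] || exit 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$_o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# net_of ADDR PREFIX : print the network address of ADDR/PREFIX as an integer.
net_of() {
    _a=$(ip2int "$1") || return 1
    _mask=$(( (4294967295 << (32 - $2)) & 4294967295 ))
    echo $(( _a & _mask ))
}

# conf_get FILE KEYREGEX : value of the first "key = value" line matching KEYREGEX.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_lxc_net CONFIG : prints "ok", or one problem per line and returns 1.
check_lxc_net() {
    _cfg="$1"; _rc=0
    _link=$(conf_get "$_cfg" 'lxc\.net\.0\.link')
    [ -n "$_link" ] || { echo "no lxc.net.0.link (bridge) set"; _rc=1; }
    # the address may carry an optional broadcast after a space; keep ADDR/PREFIX
    _addr=$(conf_get "$_cfg" 'lxc\.net\.0\.ipv4\.address' | cut -d' ' -f1)
    _gw=$(conf_get "$_cfg" 'lxc\.net\.0\.ipv4\.gateway')
    _ip=${_addr%/*}; _plen=${_addr#*/}
    case "$_plen" in ''|*[!0-9]*) _plen=99 ;; esac
    if [ -z "$_addr" ] || [ "$_ip" = "$_addr" ] || [ "$_plen" -gt 32 ]; then
        echo "ipv4.address must be ADDR/PREFIX with a prefix of 0-32"; _rc=1
    else
        _n1=$(net_of "$_ip" "$_plen") || _n1=
        _n2=$(net_of "$_gw" "$_plen") || _n2=
        if [ -z "$_n1" ] || [ -z "$_n2" ]; then
            echo "malformed ipv4.address or ipv4.gateway"; _rc=1
        elif [ "$_n1" != "$_n2" ]; then
            echo "gateway $_gw is not inside $_addr"; _rc=1
        fi
    fi
    _pair=$(conf_get "$_cfg" 'lxc\.net\.0\.veth\.pair')
    if [ -n "$_pair" ] && [ ${#_pair} -gt 15 ]; then
        echo "veth.pair name '$_pair' exceeds the 15-character interface name limit"; _rc=1
    fi
    [ $_rc -eq 0 ] && echo ok
    return $_rc
}

# Demo on a constructed copy of the bridgenat.conf shown above.
demo_check_lxc_net() {
    _f=$(mktemp)
    printf 'lxc.net.0.type = veth\nlxc.net.0.flags = up\nlxc.net.0.link = br0\nlxc.net.0.name = eth1\nlxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255\nlxc.net.0.ipv4.gateway = 192.168.1.1\nlxc.net.0.veth.pair = veth-if-0\n' > "$_f"
    check_lxc_net "$_f"
    rm -f "$_f"
}
```

Usage: <code>check_lxc_net /etc/lxc/bridgenat.conf</code> before the <code>lxc-create</code> step; it prints <code>ok</code> for the file above and lists each problem otherwise.<br />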
<br />
=== Using static IP ===<br />
<br />
If you're using a static IP, you need to configure it properly in the guest's /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''<br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0:<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20060LXC2021-08-07T16:58:35Z<p>Bt129: /* Connecting to the guest */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example, if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line, as otherwise cgroups will fail to mount and the LXC service will fail to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you have finished creating your new sysctl profile, apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the Alpine template '''does not enable the networking service'''; you will need to add it using lxc-console.<br />
<br />
<br />
If running on x86_64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container, you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an Ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace <code>$MIRROR</code> with the mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/):<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / CentOS, etc.) ===<br />
<br />
To enable unprivileged containers, you must create a uid/gid map:<br />
<br />
echo root:1000000:65536 | tee -a /etc/subuid <br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged LXC container, you need to use the download template, which must be installed first:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
Then choose the distribution, release and architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
First, you should enable the cgroups service:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service by running<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable only the lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts every container that has <code>lxc.start.auto</code> set.<br />
<br />
== Connecting to the guest ==<br />
By default, sshd is not installed. You'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type <code>exit</code> to detach from the container again (please check the grsec notes above).<br />
<br />
== Connect to virtual console ==<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have an interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined for the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module):<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0:<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge:<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container, run:<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 is your internet-facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a DHCP server running on your host, set it up to hand out IP addresses from your private subnet to any container that requests one, and then have one template for multiple Alpine LXC containers, perfect for Alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using a static IP, you need to configure it properly in the guest's /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''<br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container, run {{Cmd|chmod go+w /dev/null}} so that {{Cmd|rc-service postgresql start}} works.<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20059LXC2021-08-07T16:55:32Z<p>Bt129: /* Starting/Stopping the guest */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example, if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
{{Cmd|apk add lxc-templates-legacy-alpine}}<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required):<br />
<br />
{{Cmd|lxc-update-config -c /var/lib/lxc/container-name/config}}<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line: with it present, the cgroups fail to mount and the LXC service fails to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the Alpine template '''does not enable the networking service'''; you will need to add it yourself via lxc-console.<br />
<br />
<br />
If running on x86_64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container, you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options, otherwise debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace $MIRROR with the actual mirror URL, for example http://us.archive.ubuntu.com/ubuntu/):<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, one must create a uid/gid map:<br />
<br />
<pre><br />
echo root:1000000:65536 | tee -a /etc/subuid<br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
</pre><br />
<br />
This creates a uid and a gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
<pre><br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
</pre><br />
<br />
This can be in the global or container-specific configuration. With it in place, uid 0 inside the container is the unprivileged uid 1000000 on the host.<br />
<br />
To create an unprivileged lxc container, you need to use the download template, which must be installed first:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
Choose the Distribution, Release and Architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
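The following Python is an added check for the uid/gid mapping described above; it is example code written for this page, not part of the Alpine wiki or of LXC. It reads /etc/subuid- and /etc/subgid-style lines and a container's lxc.idmap entries (sample inputs constructed from the values above) and reports mappings that would leave container root with real host privileges or that fall outside the allocated range.<br />
<br />
```python
"""Sanity-check the uid/gid mapping of an unprivileged LXC container.

Added example for this page (not from the Alpine wiki or from LXC).
"""
from dataclasses import dataclass

# Constructed sample input mirroring the values used on the page.
SUBUID = "root:1000000:65536\n"
SUBGID = "root:1000000:65536\n"
GOOD_CONFIG = """
lxc.idmap = u 0 1000000 65536
lxc.idmap = g 0 1000000 65536
"""
# Constructed bad config: uids map onto real host ids, gids exceed the allocation.
BAD_CONFIG = """
lxc.idmap = u 0 0 65536
lxc.idmap = g 0 1000000 70000
"""


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (uids) or "g" (gids)
    ns_start: int    # first id inside the container
    host_start: int  # host id it maps to
    count: int

    @property
    def host_end(self) -> int:
        return self.host_start + self.count - 1


def parse_sub_ids(text: str, user: str = "root") -> list[tuple[int, int]]:
    """Return the (start, count) allocations for `user` from /etc/sub{u,g}id text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def parse_idmaps(config: str) -> list[IdMap]:
    """Extract lxc.idmap entries from LXC 2.1+/3.x style config text."""
    maps = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.idmap":
            continue
        kind, ns_start, host_start, count = value.split()
        maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def check_idmaps(config: str, subuid: str, subgid: str, user: str = "root") -> list[str]:
    """Return human-readable findings; an empty list means the mapping is sane."""
    findings = []
    allocations = {"u": parse_sub_ids(subuid, user), "g": parse_sub_ids(subgid, user)}
    maps = parse_idmaps(config)
    if not maps:
        return ["no lxc.idmap entries: container would run privileged (host root)"]
    for m in maps:
        if m.kind not in allocations:
            findings.append(f"unknown idmap type {m.kind!r}")
            continue
        # Container root mapped onto host id 0 defeats the purpose entirely.
        if m.ns_start == 0 and m.host_start == 0:
            findings.append(f"{m.kind}: container id 0 maps to host id 0")
        # Host ids below 65536 are conventionally the host's own accounts.
        if m.host_start < 65536:
            findings.append(f"{m.kind}: host range starts at {m.host_start}, below 65536")
        # Maps outside the sub{u,g}id grant are refused by newuidmap/newgidmap
        # and indicate a misconfigured allocation either way.
        inside = any(start <= m.host_start and m.host_end <= start + count - 1
                     for start, count in allocations[m.kind])
        if not inside:
            findings.append(f"{m.kind}: host range {m.host_start}-{m.host_end} "
                            f"not covered by /etc/sub{m.kind}id for {user}")
    for kind in ("u", "g"):
        # 65534 (nobody/nogroup) must be mappable, so cover at least 0..65535.
        covered = sum(m.count for m in maps if m.kind == kind and m.ns_start == 0)
        if covered < 65536:
            findings.append(f"{kind}: only {covered} container ids mapped, need 65536")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_idmaps(cfg, SUBUID, SUBGID) or ["ok"])
```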
<br />
== Starting/Stopping the guest ==<br />
<br />
First, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service by running<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable only the generic lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts every container that has that setting, without a per-guest symlink.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 is your internet-facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
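The rules above masquerade everything leaving eth0, accept all forwarded traffic arriving on br0, and rely on the FORWARD chain's policy being ACCEPT for the replies. As an added example (written for this page, not taken from the wiki or from LXC), this Python checks the bridgenat.conf keys against the bridge address set with ifconfig and derives rules scoped to the container subnet with an explicit return-path rule; br0, eth0 and 192.168.1.1/24 are the page's values, and the checks themselves are this example's own.<br />
<br />
```python
"""Check an LXC bridge/NAT network config and derive scoped iptables rules.

Added example for this page, not code from the Alpine wiki or from LXC.
"""
import ipaddress

# Constructed copy of /etc/lxc/bridgenat.conf as shown on the page.
BRIDGENAT_CONF = """
lxc.net.0.type = veth
lxc.net.0.flags = up
lxc.net.0.link = br0
lxc.net.0.name = eth1
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255
lxc.net.0.ipv4.gateway = 192.168.1.1
lxc.net.0.veth.pair = veth-if-0
"""
BRIDGE_IF = "br0"
BRIDGE_ADDR = ipaddress.ip_interface("192.168.1.1/24")  # from `ifconfig br0 ...`
IFNAMSIZ = 15  # longest interface name the kernel accepts


def parse_net0(config: str) -> dict[str, str]:
    """Collect `lxc.net.0.<key> = value` pairs, keyed by <key>."""
    net = {}
    for line in config.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("lxc.net.0."):
            net[key[len("lxc.net.0."):]] = value.strip()
    return net


def check_net0(net: dict[str, str], bridge_if: str,
               bridge: ipaddress.IPv4Interface) -> list[str]:
    """Return findings; an empty list means the config matches the bridge."""
    findings = []
    if net.get("link") != bridge_if:
        findings.append(f"link is {net.get('link')!r}, expected {bridge_if!r}")
    fields = net.get("ipv4.address", "").split()
    if not fields:
        return findings + ["no ipv4.address: container comes up without an IP"]
    addr = ipaddress.ip_interface(fields[0])
    if addr.network != bridge.network:
        findings.append(f"container {addr} is not in bridge subnet {bridge.network}")
    elif addr.ip == bridge.ip:
        findings.append(f"container address {addr.ip} collides with the bridge")
    # The optional second field is the broadcast address and must match the subnet.
    if len(fields) > 1 and ipaddress.ip_address(fields[1]) != addr.network.broadcast_address:
        findings.append(f"broadcast {fields[1]} should be {addr.network.broadcast_address}")
    gateway = net.get("ipv4.gateway")
    if gateway is None:
        findings.append("no ipv4.gateway: the default route must be added by hand")
    elif ipaddress.ip_address(gateway) != bridge.ip:
        findings.append(f"gateway {gateway} is not the bridge address {bridge.ip}")
    pair = net.get("veth.pair", "")
    if len(pair) > IFNAMSIZ:
        findings.append(f"veth.pair {pair!r} is longer than {IFNAMSIZ} characters")
    return findings


def nat_rules(net: dict[str, str], wan_if: str) -> list[str]:
    """NAT only the container subnet and allow replies explicitly, so the
    rules keep working when the FORWARD chain's policy is DROP."""
    subnet = ipaddress.ip_interface(net["ipv4.address"].split()[0]).network
    lan_if = net["link"]
    return [
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        f"iptables -t nat -A POSTROUTING -s {subnet} -o {wan_if} -j MASQUERADE",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {subnet} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -d {subnet} "
        "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]


if __name__ == "__main__":
    net = parse_net0(BRIDGENAT_CONF)
    print(check_net0(net, BRIDGE_IF, BRIDGE_ADDR) or ["config ok"])
    print("\n".join(nat_rules(net, "eth0")))
```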
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container, run {{Cmd|chmod go+w /dev/null}} so that {{Cmd|rc-service postgresql start}} works.<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20058LXC2021-08-07T16:54:26Z<p>Bt129: /* Starting/Stopping the guest */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example, if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
{{Cmd|apk add lxc-templates-legacy-alpine}}<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required):<br />
<br />
{{Cmd|lxc-update-config -c /var/lib/lxc/container-name/config}}<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line: with it present, the cgroups fail to mount and the LXC service fails to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the Alpine template '''does not enable the networking service'''; you will need to add it yourself via lxc-console.<br />
<br />
<br />
If running on x86_64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container, you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options, otherwise debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace $MIRROR with the actual mirror URL, for example http://us.archive.ubuntu.com/ubuntu/):<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, one must create a uid/gid map:<br />
<br />
<pre><br />
echo root:1000000:65536 | tee -a /etc/subuid<br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
</pre><br />
<br />
This creates a uid and a gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
<pre><br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
</pre><br />
<br />
This can be in the global or container-specific configuration. With it in place, uid 0 inside the container is the unprivileged uid 1000000 on the host.<br />
<br />
To create an unprivileged lxc container, you need to use the download template, which must be installed first:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
Choose the Distribution, Release and Architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
First, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service by running<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable only the generic lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts every container that has that setting, without a per-guest symlink.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 is your internet-facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container, run {{Cmd|chmod go+w /dev/null}} so that {{Cmd|rc-service postgresql start}} works.<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20057LXC2021-08-07T16:51:05Z<p>Bt129: /* Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example, if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
{{Cmd|apk add lxc-templates-legacy-alpine}}<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required):<br />
<br />
{{Cmd|lxc-update-config -c /var/lib/lxc/container-name/config}}<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line: with it present, the cgroups fail to mount and the LXC service fails to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the alpine template '''does not enable the networking service'''; you will need to enable it from inside the guest via lxc-console.<br />
<br />
<br />
If running on x64 compatible hardware, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run the following (replace $MIRROR with the actual mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, you must first create a uid/gid map:<br />
<br />
echo root:1000000:65536 | tee -a /etc/subuid <br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged lxc container, you need to use the download template. The download template must be installed:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
When prompted, choose the distribution, release and architecture.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
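The following shell script is an added example, not part of the wiki page or of LXC itself. It reads subuid/subgid entries (constructed sample data in the same <code>user:start:count</code> format as ''/etc/subuid'' and ''/etc/subgid''), refuses ranges that start inside the host's own 0-65535 id space or overlap another user's range, and emits the two <code>lxc.idmap</code> lines shown above. The function names (subid_range, subid_overlap, check_idmap, gen_idmap) and the sample data are this example's own.<br />

```shell
#!/bin/sh
# Added example: derive lxc.idmap lines from subuid/subgid data and sanity-check the ranges.
# Function names and sample data are this example's own, not LXC's or the wiki's.

# Constructed sample contents of /etc/subuid and /etc/subgid ("user:start:count" per line).
SAMPLE_SUBUID='root:1000000:65536
alice:1065536:65536'
SAMPLE_SUBGID='root:1000000:65536
alice:1065536:65536'

# subid_range CONTENT USER -> prints "start count" for USER's first entry; exit 1 if absent.
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        NF >= 3 && $1 == u { print $2, $3; found = 1; exit }
        END { exit !found }'
}

# subid_overlap CONTENT -> prints each pair of users whose ranges overlap; exit 1 if any do.
# Overlapping ranges let container root of one user's containers own files of another's.
subid_overlap() {
    printf '%s\n' "$1" | awk -F: '
        NF >= 3 { n++; name[n] = $1; s[n] = $2 + 0; e[n] = $2 + $3 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (s[i] < e[j] && s[j] < e[i]) { print name[i] " overlaps " name[j]; bad = 1 }
            exit bad
        }'
}

# check_idmap START COUNT -> 0 if the range is safe for an unprivileged container:
#   it starts above the host's own 0-65535 id space (so container root never maps to a
#   real host uid), it is at least 65536 ids wide, and it stays inside 32-bit id space.
check_idmap() {
    [ "$1" -ge 65536 ] || { echo "range $1:$2 starts inside the host id space" >&2; return 1; }
    [ "$2" -ge 65536 ] || { echo "range $1:$2 is narrower than 65536 ids" >&2; return 1; }
    [ $(($1 + $2)) -le 4294967294 ] || { echo "range $1:$2 exceeds 32-bit id space" >&2; return 1; }
}

# gen_idmap SUBUID_CONTENT SUBGID_CONTENT USER -> prints the two lxc.idmap lines for USER.
gen_idmap() {
    urange=$(subid_range "$1" "$3") || { echo "no subuid entry for $3" >&2; return 1; }
    grange=$(subid_range "$2" "$3") || { echo "no subgid entry for $3" >&2; return 1; }
    set -- $urange $grange          # positional params become: ustart ucount gstart gcount
    check_idmap "$1" "$2" && check_idmap "$3" "$4" || return 1
    printf 'lxc.idmap = u 0 %s %s\n' "$1" "$2"
    printf 'lxc.idmap = g 0 %s %s\n' "$3" "$4"
}

# Stand-alone run: check the sample files for overlaps, then print the idmap for root.
subid_overlap "$SAMPLE_SUBUID" && gen_idmap "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" root
```

On a real host, feed the script the actual files, for example <code>gen_idmap "$(cat /etc/subuid)" "$(cat /etc/subgid)" root</code>, and paste its output into ''/etc/lxc/default.conf'' or the container's ''config''.<br />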
<br />
== Starting/Stopping the guest ==<br />
<br />
At first, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service now:<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable the generic lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
The lxc service will then autostart every container marked this way, without a per-guest lxc.guest1 service.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed. So you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge is taken over by your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge: the br0 interface you create takes eth0's place as the host's network interface. It also means that eth0 has to be placed into promiscuous mode to catch all the traffic that could be destined for the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to ''/etc/modules''.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to send traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any other interface you choose.<br />
<br />
We are modifying your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
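The script below is an added example, not part of the wiki page or of LXC, that builds the host-side forwarding and NAT rules for the dummy-bridge setup above. It tightens the rules shown on the page in two ways: forwarding is allowed only from the bridge towards the uplink (the page's <code>--in-interface br0 -j ACCEPT</code> lets containers reach every other interface on the host), and traffic coming back in is limited to replies via conntrack, so the FORWARD chain can keep a DROP policy. Interface names are validated before they are interpolated into commands, every rule is guarded with <code>iptables -C</code> so a rerun does not duplicate it, and nothing is executed unless you call apply_nat as root. The function names (valid_ifname, rule, nat_rules, apply_nat) are this example's own.<br />

```shell
#!/bin/sh
# Added example: generate (and optionally apply) forwarding/NAT rules for a bridge -> uplink
# setup. Function names are this example's own; they are not from the wiki page or LXC.

# valid_ifname NAME -> 0 if NAME is a plausible Linux interface name: 1-15 characters,
# only [A-Za-z0-9_.-].  Names are interpolated into commands below, so reject anything else.
valid_ifname() {
    case $1 in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# rule TABLE SPEC -> prints one idempotent "check, else append" iptables command line.
# TABLE may be empty (filter table) or e.g. "nat".
rule() {
    if [ -n "$1" ]; then t="-t $1 "; else t=""; fi
    printf 'iptables %s-C %s 2>/dev/null || iptables %s-A %s\n' "$t" "$2" "$t" "$2"
}

# nat_rules UPLINK BRIDGE -> prints the commands, one per line, without running them.
nat_rules() {
    valid_ifname "$1" && valid_ifname "$2" || { echo "nat_rules: bad interface name" >&2; return 1; }
    wan=$1; br=$2
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Masquerade container traffic leaving through the uplink.
    rule nat "POSTROUTING -o $wan -j MASQUERADE"
    # Only bridge -> uplink is forwarded, not bridge -> other host interfaces.
    rule "" "FORWARD -i $br -o $wan -j ACCEPT"
    # Only replies to those connections are forwarded back to the bridge.
    rule "" "FORWARD -i $wan -o $br -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# apply_nat UPLINK BRIDGE -> runs the generated commands; refuses to run unprivileged.
apply_nat() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat: must run as root" >&2; return 1; }
    nat_rules "$1" "$2" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Stand-alone run: print the rules for the interfaces named on the command line (default eth0/br0).
nat_rules "${1:-eth0}" "${2:-br0}"
```

Review the printed commands first; then, as root, <code>apply_nat eth0 br0</code> runs them. If the host uses a DROP policy on FORWARD (recommended), these three rules are the only ones the containers need for outbound internet access.<br />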
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
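The script below is an added example, not from the wiki page or from LXC, that turns lxc-checkconfig output into a pass/fail preflight check. It parses a constructed sample (abridged from the output shown above) and reports which features the setups on this page need are reported as missing: the sample kernel lacks user namespaces, so the unprivileged idmap setup described earlier cannot work on it, and lacks the memory cgroup controller, so memory limits cannot be enforced. The function names (checkconfig_missing, checkconfig_status, lxc_preflight) and the two requirement lists are this example's own assumptions.<br />

```shell
#!/bin/sh
# Added example: parse lxc-checkconfig output and report missing kernel features.
# Function names and the requirement lists are this example's own, not LXC's or the wiki's.

# Constructed sample, abridged from the lxc-checkconfig output on the page.
SAMPLE_CHECKCONFIG='Kernel configuration found at /boot/config-3.10.13-1-grsec
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: missing
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup memory controller: missing
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
File capabilities: enabled'

# checkconfig_missing OUTPUT -> prints every feature reported as "missing", one per line.
checkconfig_missing() {
    printf '%s\n' "$1" | awk -F': *' 'NF == 2 && $2 == "missing" { print $1 }'
}

# checkconfig_status OUTPUT FEATURE -> prints enabled, missing, or unknown when the feature
# is not listed at all (older lxc-checkconfig versions print fewer lines).
checkconfig_status() {
    printf '%s\n' "$1" | awk -F': *' -v f="$2" '
        NF == 2 && $1 == f { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# lxc_preflight OUTPUT MODE -> prints each required feature that is not enabled for MODE
# (privileged or unprivileged) and returns 1 if there were any.  Assumed requirement sets:
# every container needs namespaces, veth and cgroups; the idmap-based unprivileged setup
# additionally needs user namespaces, and memory limits need the memory cgroup controller.
lxc_preflight() {
    out=$1
    required='Namespaces
Pid namespace
Network namespace
Veth pair device
Cgroup'
    case $2 in
        privileged) ;;
        unprivileged) required="$required
User namespace
Cgroup memory controller" ;;
        *) echo "usage: lxc_preflight OUTPUT privileged|unprivileged" >&2; return 2 ;;
    esac
    rc=0
    while IFS= read -r feature; do
        status=$(checkconfig_status "$out" "$feature")
        [ "$status" = enabled ] || { echo "$feature: $status"; rc=1; }
    done <<EOF
$required
EOF
    return $rc
}

# Stand-alone run: show what the sample kernel lacks for unprivileged containers.
lxc_preflight "$SAMPLE_CHECKCONFIG" unprivileged || echo "kernel not ready for unprivileged containers"
```

On a real host run it against live output, for example <code>lxc_preflight "$(lxc-checkconfig)" unprivileged</code>, before creating containers; a missing user namespace means the subuid/subgid mapping above will not take effect.<br />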
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20056LXC2021-08-07T16:49:55Z<p>Bt129: /* Ubuntu template */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel cmdline, as leaving it in will cause the cgroup mount and the LXC service to fail.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the alpine template '''does not enable the networking service'''; you will need to enable it from inside the guest via lxc-console.<br />
<br />
<br />
If running on x64 compatible hardware, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run the following (replace $MIRROR with the actual mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise, most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, you must first create a uid/gid map:<br />
<br />
echo root:1000000:65536 | tee -a /etc/subuid <br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged lxc container, you need to use the download template. The download template must be installed:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
When prompted, choose the distribution, release and architecture.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
At first, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service now:<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable the generic lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
The lxc service will then autostart every container marked this way, without a per-guest lxc.guest1 service.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed. So you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge is taken over by your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge: the br0 interface you create takes eth0's place as the host's network interface. It also means that eth0 has to be placed into promiscuous mode to catch all the traffic that could be destined for the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to ''/etc/modules''.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to send traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any other interface you choose.<br />
<br />
We are modifying your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20055LXC2021-08-07T16:48:24Z<p>Bt129: /* Grsecurity restrictions */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel cmdline, as leaving it in will cause the cgroup mount and the LXC service to fail.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': As of Alpine version 3.8, we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this, we will have to disable the grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the alpine template '''does not enable the networking service'''; you will need to enable it from inside the guest via lxc-console.<br />
<br />
<br />
If running on x64 compatible hardware, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an Ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace $MIRROR with the actual mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise most functionality will be broken}}<br />
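The Debian and Ubuntu steps above both relax the same five grsecurity chroot sysctls and rely on you to remember to turn them back on afterwards. The script below is an added example, not part of this wiki page or of LXC: it records the current values, writes 0 to each knob, runs one command, and restores the recorded values even when that command fails. <code>GRSEC_DIR</code>, the <code>grsec_*</code> helpers and <code>with_grsec_relaxed</code> are this example's own names; pointing <code>GRSEC_DIR</code> at a directory of ordinary files lets you try the logic on a kernel without grsecurity.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): relax the grsecurity chroot
# sysctls only for the duration of one command, then put the previous
# values back, so the restrictions are not left off by accident.
# GRSEC_DIR defaults to the real sysctl directory; point it at a
# constructed directory of files to try the logic on a non-grsec kernel.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"
GRSEC_CHROOT_KNOBS="chroot_caps chroot_deny_chroot chroot_deny_mount chroot_deny_mknod chroot_deny_chmod"

# grsec_save STATEFILE: record the current value of each knob as knob=value.
grsec_save() {
    : > "$1"
    for k in $GRSEC_CHROOT_KNOBS; do
        [ -r "$GRSEC_DIR/$k" ] || continue
        printf '%s=%s\n' "$k" "$(cat "$GRSEC_DIR/$k")" >> "$1"
    done
}

# grsec_relax: write 0 to every knob (what the echo lines on this page do).
grsec_relax() {
    for k in $GRSEC_CHROOT_KNOBS; do
        if [ -w "$GRSEC_DIR/$k" ]; then
            echo 0 > "$GRSEC_DIR/$k"
        fi
    done
}

# grsec_restore STATEFILE: write back the values recorded by grsec_save.
grsec_restore() {
    while IFS='=' read -r k v || [ -n "$k" ]; do
        echo "$v" > "$GRSEC_DIR/$k"
    done < "$1"
}

# with_grsec_relaxed CMD...: run CMD with the knobs relaxed and restore them
# afterwards even if CMD fails; returns CMD's exit status. For example:
#   with_grsec_relaxed env SUITE=wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian
with_grsec_relaxed() {
    state=$(mktemp) || return 1
    grsec_save "$state"
    grsec_relax
    rc=0
    "$@" || rc=$?
    grsec_restore "$state"
    rm -f "$state"
    return "$rc"
}
```

The state file is written before anything is changed, so an interrupted run still leaves a record of what the values were; on a real host the functions must run as root, since the sysctl files are only writable by root.<br />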
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, one must create a uid/gid map:<br />
<br />
<pre><br />
echo root:1000000:65536 | tee -a /etc/subuid<br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
</pre><br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
<pre><br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
</pre><br />
<br />
This can be in the global or container-specific configuration.<br />
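A map that lies outside the range granted in /etc/subuid and /etc/subgid makes the container fail to start, and one that overlaps real host accounts defeats the point of an unprivileged container, so it is worth checking the two files against the config before the first start. The script below is an added example (not from this page or from LXC); <code>check_idmap</code> and <code>idmap_covered</code> are its own names, and it takes the file paths as parameters so it can be run against copies of the files.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): verify that every lxc.idmap line
# in a container config falls inside a range that /etc/subuid or /etc/subgid
# grants to the host user that starts the container. A map outside the
# granted range makes the container fail to start; a range that overlaps
# real host accounts breaks the isolation the map is meant to provide.
# Paths are parameters so the check can be run against copies of the files.

# idmap_covered USER SUBFILE START COUNT: succeed when [START, START+COUNT)
# lies within one of USER's "user:start:count" lines in SUBFILE.
idmap_covered() {
    user=$1 subfile=$2 start=$3 count=$4
    end=$((start + count))
    while IFS=: read -r u s c || [ -n "$u" ]; do
        [ "$u" = "$user" ] || continue
        if [ "$start" -ge "$s" ] && [ "$end" -le $((s + c)) ]; then
            return 0
        fi
    done < "$subfile"
    return 1
}

# check_idmap USER CONFIG SUBUID SUBGID: print one line per lxc.idmap entry
# and fail if any entry is not covered (or has a malformed type).
check_idmap() {
    user=$1 config=$2 subuid=$3 subgid=$4
    report=$(
        # "lxc.idmap = u 0 1000000 65536" -> type=u cid=0 hid=1000000 n=65536
        sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$config" |
        while read -r type cid hid n; do
            case "$type" in
                u) subfile=$subuid ;;
                g) subfile=$subgid ;;
                *) echo "BAD: unknown map type '$type'"; continue ;;
            esac
            if idmap_covered "$user" "$subfile" "$hid" "$n"; then
                echo "ok: $type $cid -> $hid (+$n)"
            else
                echo "BAD: $type $cid -> $hid (+$n) is not granted to $user"
            fi
        done
    )
    printf '%s\n' "$report"
    case "$report" in
        *BAD:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Typical use on a host: check_idmap root /var/lib/lxc/guest1/config /etc/subuid /etc/subgid
```

Run it for the user that will start the container (root in the wiki's example, or an unprivileged account with its own subuid/subgid lines), and treat any BAD line as a reason not to start the container until the map or the subuid/subgid allocation is corrected.<br />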
<br />
To create an unprivileged lxc container, you need to use the download template. The download template must be installed:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
and choose the distribution, release and architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
At first, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service now:<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable the lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts the marked containers with the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed. So you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge:<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
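Whether the address is set with lxc.net.0.ipv4.address and lxc.net.0.ipv4.gateway as in the bridgenat.conf above, or with address/gateway/netmask in the guest's /etc/network/interfaces, the gateway has to sit inside the container's subnet and the broadcast address has to match the prefix; a mismatch leaves the container unable to reach br0 without any error at creation time. The script below is an added example, not part of this page or of LXC, that checks both for a config file passed as a parameter; the function names are its own, and <code>ip4_same_subnet</code> accepts either a prefix length or a dotted netmask so it covers both forms.<br />

```sh
#!/bin/sh
# Added example (not from the Alpine wiki): sanity-check the IPv4 addressing
# of a bridge/NAT container config before its first start. It verifies that
# the gateway lies in the container's subnet and that the broadcast address
# on the lxc.net.0.ipv4.address line is the right one for the prefix.
# Function names are this example's own; the config path is a parameter.

# ip4_to_int A.B.C.D -> unsigned 32-bit integer
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 INT -> A.B.C.D
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask_to_int MASK: MASK is a prefix length ("24") or a dotted netmask.
mask_to_int() {
    case "$1" in
        *.*) ip4_to_int "$1" ;;
        *)   echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF )) ;;
    esac
}

# ip4_same_subnet ADDR MASK GATEWAY: succeed when GATEWAY is in ADDR's subnet.
ip4_same_subnet() {
    m=$(mask_to_int "$2")
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "$3") & m )) ]
}

# ip4_broadcast ADDR MASK -> the broadcast address of ADDR's subnet
ip4_broadcast() {
    m=$(mask_to_int "$2")
    int_to_ip4 $(( $(ip4_to_int "$1") | (~m & 0xFFFFFFFF) ))
}

# check_lxc_ipv4 CONFIG: read lxc.net.0.ipv4.address / .gateway from CONFIG,
# report problems, and succeed only when both checks pass.
check_lxc_ipv4() {
    addr_line=$(sed -n 's/^[[:space:]]*lxc\.net\.0\.ipv4\.address[[:space:]]*=[[:space:]]*//p' "$1")
    gw=$(sed -n 's/^[[:space:]]*lxc\.net\.0\.ipv4\.gateway[[:space:]]*=[[:space:]]*//p' "$1")
    # "192.168.1.2/24 192.168.1.255" -> cidr=192.168.1.2/24 bcast=192.168.1.255
    set -- $addr_line
    cidr=$1; bcast=$2
    ip=${cidr%/*}; plen=${cidr#*/}
    [ -n "$ip" ] && [ -n "$plen" ] && [ -n "$gw" ] || { echo "BAD: address or gateway missing"; return 1; }
    ok=0
    if ! ip4_same_subnet "$ip" "$plen" "$gw"; then
        echo "BAD: gateway $gw is not inside $cidr"; ok=1
    fi
    want=$(ip4_broadcast "$ip" "$plen")
    if [ -n "$bcast" ] && [ "$bcast" != "$want" ]; then
        echo "BAD: broadcast $bcast should be $want for $cidr"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "ok: $ip/$plen via $gw"
    return "$ok"
}

# Typical use: check_lxc_ipv4 /etc/lxc/bridgenat.conf
```

For the static /etc/network/interfaces form, call <code>ip4_same_subnet</code> directly with the address, the dotted netmask and the gateway you intend to write into the file; the arithmetic relies on the 64-bit integers that dash, busybox ash and bash all provide.<br />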
<br />
=== mem and swap ===<br />
<br />
To enable the memory cgroup controller and swap accounting, add <code>cgroup_enable=memory swapaccount=1</code> to the kernel command line in ''/boot/extlinux.conf'':<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
<pre><br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig<br />
</pre><br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
If {{Cmd|rc-service postgresql start}} fails inside the container, run {{Cmd|chmod go+w /dev/null}} inside the container to fix it.<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20054LXC2021-08-07T16:46:40Z<p>Bt129: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Starting with Alpine 3.9, we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
{{Cmd|apk add lxc-templates-legacy-alpine}}<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
{{Cmd|lxc-update-config -c /var/lib/lxc/container-name/config}}<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line: with it present the cgroups fail to mount and the LXC service fails to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since Alpine 3.8 we no longer ship grsecurity, and it should not be used in an LXC setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the alpine template '''does not have the networking service enabled'''; you will need to add it using lxc-console.<br />
<br />
<br />
If running on x64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an Ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace $MIRROR with the actual mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, one must create a uid/gid map:<br />
<br />
<pre><br />
echo root:1000000:65536 | tee -a /etc/subuid<br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
</pre><br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
<pre><br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
</pre><br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged lxc container, you need to use the download template. The download template must be installed:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
and choose the distribution, release and architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
<br />
At first, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service now:<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
Alternatively, add <code>lxc.start.auto = 1</code> to the container config and enable the lxc service:<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
This autostarts the marked containers with the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed. So you'll have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge:<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within its subnet. To do so, we tell the container to route through the bridge interface, br0.<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you choose.<br />
<br />
We are changing your iptables rules here, so make sure these settings don't conflict with anything you may have already set up.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier. We'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on the guest /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
To enable the memory cgroup controller and swap accounting, add <code>cgroup_enable=memory swapaccount=1</code> to the kernel command line in ''/boot/extlinux.conf'':<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
<pre><br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig<br />
</pre><br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
If {{Cmd|rc-service postgresql start}} fails inside the container, run {{Cmd|chmod go+w /dev/null}} inside the container to fix it.<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=LXC&diff=20053LXC2021-08-07T06:51:33Z<p>Bt129: </p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar to BSD Jails, Linux VServers and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host". You can use lxc directly or through [[LXD]].<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge lxcfs}}<br />
<br />
If you want to create containers other than Alpine, you'll need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which can and will break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the Alpine template, you'll need to install:<br />
<br />
{{Cmd|apk add lxc-templates-legacy-alpine}}<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
{{Cmd|lxc-update-config -c /var/lib/lxc/container-name/config}}<br />
<br />
Make sure you have removed '''cgroup_enable''' from your kernel command line: with it present the cgroups fail to mount and the LXC service fails to start.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.link = br0<br />
lxc.net.0.flags = up<br />
lxc.net.0.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since Alpine 3.8 we no longer ship grsecurity, and it should not be used in an LXC setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container operation. <br />
When things do not work as expected, check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finish creating your new sysctl profile, you can apply it by restarting the sysctl service:<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note: by default, the alpine template '''does not have the networking service enabled'''; you will need to add it using lxc-console.<br />
<br />
<br />
If running on x64-compatible hardware, it is possible to create a 32-bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/default.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a Debian template container you'll need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
You'll need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/default.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an Ubuntu template container, you'll need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Remember to turn them back on, or simply reboot.<br />
<br />
Now you can run (replace $MIRROR with the actual mirror URL, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
{{Cmd|lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR }}<br />
<br />
{{Warning|Be sure to set systemd_container to yes in /etc/conf.d/lxc.CONTAINER. Otherwise most functionality will be broken}}<br />
<br />
=== Unprivileged LXC images (Alpine / Debian / Ubuntu / Centos etc..) ===<br />
<br />
To enable unprivileged containers, one must create a uid/gid map:<br />
<br />
<pre><br />
echo root:1000000:65536 | tee -a /etc/subuid<br />
echo root:1000000:65536 | tee -a /etc/subgid<br />
</pre><br />
<br />
This creates a uid and gid map for the root user starting at 1000000 with a size of 65536.<br />
<br />
To configure containers to use this mapping, add the following lines to the configuration:<br />
<br />
<pre><br />
lxc.idmap = u 0 1000000 65536<br />
lxc.idmap = g 0 1000000 65536<br />
</pre><br />
<br />
This can be in the global or container-specific configuration.<br />
<br />
To create an unprivileged lxc container, you need to use the download template. The download template must be installed:<br />
<br />
{{Cmd|apk add gnupg xz lxc-download<br />
lxc-create -n container-name -t download}}<br />
and choose the distribution, release and architecture when prompted.<br />
<br />
To be able to log in to a Debian container, you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
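The following checker is an added example and not part of the wiki page: it verifies that every <code>lxc.idmap</code> line in a container config falls inside the subordinate range granted in /etc/subuid and /etc/subgid, and refuses a map that starts at host id 0 (which would make container root the real host root). The function names are hypothetical, the file paths are passed as arguments, and the sample files built by <code>demo_idmap_check</code> are constructed to match the 1000000:65536 grant above.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: check that every lxc.idmap line in a
# container config lies inside the subordinate uid/gid range granted to a user
# in /etc/subuid and /etc/subgid.  lxc-start refuses a map that exceeds the
# grant, and a map whose host start is 0 would give container root real host
# root, so it is worth catching both before the first start.

# grant_range <subuid-style file> <user>: prints "<start> <count>" of the
# first grant for <user>, nothing if there is none.
grant_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# check_idmap <lxc config> <subuid file> <subgid file> [user]
# Exit status 0 when every lxc.idmap line is covered by the grant, 1 otherwise.
check_idmap() {
    cfg=$1 subuid=$2 subgid=$3 user=${4:-root}
    # Keep only the value part of "lxc.idmap = <u|g> <ctr start> <host start> <count>".
    sed -n 's/^[[:space:]]*lxc\.idmap[[:space:]]*=[[:space:]]*//p' "$cfg" |
    (
        bad=0
        while read -r kind cstart hstart count; do
            case $kind in
                u) set -- $(grant_range "$subuid" "$user") ;;
                g) set -- $(grant_range "$subgid" "$user") ;;
                *) echo "unknown map kind '$kind'" >&2; bad=1; continue ;;
            esac
            gstart=${1:-} gcount=${2:-0}
            if [ -z "$gstart" ]; then
                echo "no subordinate ${kind}id grant for $user" >&2; bad=1; continue
            fi
            if [ "$hstart" -eq 0 ]; then
                echo "$kind map for container id $cstart starts at host id 0" >&2; bad=1; continue
            fi
            # Host range [hstart, hstart+count) must sit inside [gstart, gstart+gcount).
            if [ "$hstart" -lt "$gstart" ] || [ $((hstart + count)) -gt $((gstart + gcount)) ]; then
                echo "$kind map $cstart $hstart $count exceeds grant $gstart:$gcount" >&2; bad=1
            fi
        done
        exit $bad
    )
}

# Constructed sample files standing in for /etc/subuid, /etc/subgid and two
# container configs using the 1000000:65536 grant from the section above.
demo_idmap_check() {
    dir=$(mktemp -d)
    echo 'root:1000000:65536' > "$dir/subuid"
    echo 'root:1000000:65536' > "$dir/subgid"
    printf 'lxc.idmap = u 0 1000000 65536\nlxc.idmap = g 0 1000000 65536\n' > "$dir/good.conf"
    # count 65537 overruns the grant by one id
    printf 'lxc.idmap = u 0 1000000 65537\nlxc.idmap = g 0 1000000 65536\n' > "$dir/bad.conf"
    check_idmap "$dir/good.conf" "$dir/subuid" "$dir/subgid" && good=ok || good=fail
    check_idmap "$dir/bad.conf" "$dir/subuid" "$dir/subgid" && bad=ok || bad=fail
    rm -rf "$dir"
    echo "good.conf: $good, bad.conf: $bad"
    [ "$good" = ok ] && [ "$bad" = fail ]
}

demo_idmap_check
```

On a real host run <code>check_idmap /var/lib/lxc/guest1/config /etc/subuid /etc/subgid</code>; a non-zero exit plus the message on stderr tells you which line to fix before <code>lxc-start</code> fails with a less specific error.<br />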
<br />
== Starting/Stopping the guest ==<br />
<br />
At first, you should enable the cgroup script:<br />
<br />
{{Cmd|rc-update add cgroups}}<br />
<br />
If you don't want to reboot, you can start the service now:<br />
<br />
{{Cmd|rc-service cgroups start}}<br />
<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart at boot-up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add <code>lxc.start.auto = 1</code> to the container config and run<br />
<br />
{{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers through the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you have to attach to the container or connect to its virtual console, as follows:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Type exit to detach from the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped, then run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
For example, say you have an interface eth0 that you want to bridge. Your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could be destined to the other side of the bridge, which may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
Let's create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host. To create this interface on every boot, append "dummy" to /etc/modules.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exist:<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container. Let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.net.0.type = veth<br />
lxc.net.0.flags = up<br />
lxc.net.0.link = br0<br />
lxc.net.0.name = eth1<br />
lxc.net.0.ipv4.address = 192.168.1.2/24 192.168.1.255<br />
lxc.net.0.ipv4.gateway = 192.168.1.1<br />
lxc.net.0.veth.pair = veth-if-0<br />
</pre><br />
<br />
and build your container with that file:<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your host, and your host from your container.<br />
<br />
Your container needs to know where to send traffic that isn't within its subnet, so make the bridge address the container's default gateway. From inside the container run:<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is to push the traffic coming from your private subnet over br0 out through your internet-facing interface, or any other interface you choose.<br />
<br />
These commands change your iptables rules, so make sure they don't conflict with anything you have already set up.<br />
<br />
Say eth0 is your internet-facing network interface and br0 is the bridge you made earlier:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now your container should be able to reach the internet through the bridge and the host's internet-facing interface, just like at home!<br />
<br />
You could also run a DHCP server on your host, configured to hand out addresses from your private subnet to any container that requests one, and then use a single template for multiple Alpine LXC containers, perfect for Alpine development :)<br />
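As an added example that is not from the wiki, the same NAT setup rendered as an <code>iptables-restore</code> ruleset with a tightened FORWARD chain. The page's <code>-A FORWARD -i br0 -j ACCEPT</code> relies on the chain's default ACCEPT policy, which also forwards whatever arrives on the uplink; here the policy is DROP and only container-subnet-to-uplink traffic and the replies to it are allowed, with rate-limited logging of what gets dropped. The <code>nat_ruleset</code> function is hypothetical, and the bridge, uplink and subnet are parameters.<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: render the NAT setup of the section
# above as an iptables-restore ruleset.  The difference from the three commands
# above is the FORWARD chain: instead of "-A FORWARD -i br0 -j ACCEPT" on top
# of a default-ACCEPT policy (which forwards whatever arrives on any interface),
# the policy is DROP and only container subnet -> uplink plus the replies are
# allowed.  Interface names and the subnet are parameters.

# nat_ruleset <bridge> <uplink interface> <container subnet in CIDR>
nat_ruleset() {
    br=$1 up=$2 net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# masquerade only the container subnet, and only when it leaves via the uplink
-A POSTROUTING -s $net -o $up -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# containers -> uplink
-A FORWARD -i $br -o $up -s $net -j ACCEPT
# uplink -> containers: replies to connections the containers opened only
-A FORWARD -i $up -o $br -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# log (rate limited) whatever the DROP policy is about to discard, so a
# misconfigured container or an unexpected inbound attempt shows up in the kernel log
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "lxc-fwd-drop: "
COMMIT
EOF
}

# Apply with:  nat_ruleset br0 eth0 192.168.1.0/24 | iptables-restore
# then enable forwarding:  sysctl -w net.ipv4.ip_forward=1
nat_ruleset br0 eth0 192.168.1.0/24
```

Apply with <code>nat_ruleset br0 eth0 192.168.1.0/24 | iptables-restore</code> after enabling forwarding (<code>sysctl -w net.ipv4.ip_forward=1</code>, the sysctl form of the echo above). Lines starting with <code>#</code> are ignored by iptables-restore, so the comments can stay in the saved file. To persist the rules on Alpine, write the output to /etc/iptables/rules-v4 and enable the iptables service (assumed to be the default save path of the OpenRC iptables script).<br />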
<br />
=== Using static IP ===<br />
<br />
If you use a static IP, configure it in the guest's /etc/network/interfaces. To stay in line with the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces''<br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
Memory and swap limits for containers need the memory cgroup controller and swap accounting, which are enabled with the <code>cgroup_enable=memory swapaccount=1</code> kernel parameters. Add them to the APPEND line of the bootloader configuration:<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
lxc-checkconfig verifies that the running kernel provides the namespaces and cgroup controllers LXC needs; anything reported as "missing" is unavailable to containers.<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for the network to work on containers, you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=KVM&diff=20052KVM2021-08-07T06:31:28Z<p>Bt129: /* Management */</p>
<hr />
<div>[https://www.linux-kvm.org/page/Main_Page KVM] is a free and open source virtualization solution implemented as a kernel module. Although the whole stack is often simply referred to as KVM, the actual hypervisor is [https://www.qemu.org QEMU]. QEMU runs in user space, but can integrate with KVM, gaining performance by using the hardware virtualization extensions from kernel space. QEMU can virtualize x86, PowerPC and S390 guests, amongst others. [https://libvirt.org Libvirt] is a management framework that integrates with QEMU/KVM, [https://wiki.alpinelinux.org/wiki/LXC LXC], [https://wiki.alpinelinux.org/wiki/Xen_Dom0 Xen] and others.<br />
<br />
== Installation ==<br />
The following commands provide '''libvirt''' as well as '''QEMU with emulation for x86_64''' and '''qemu-img''', a necessary component for using various disk formats such as qcow2. Without qemu-img, only raw disks are available. It can also convert images between several formats like vhdx and vmdk. It also provides the metapackage '''qemu-modules''', which provides subpackages needed for special features. In versions of Alpine before 3.13.0 these features were covered by '''QEMU with emulation for x86_64'''.<br />
{{Cmd|<nowiki># apk add libvirt-daemon qemu-img qemu-system-x86_64 qemu-modules<br />
# rc-update add libvirtd</nowiki>}}<br />
<br />
== Networking ==<br />
By default, libvirt uses NAT for VM connectivity. If you want to use the default configuration, you need to load the tun module.<br />
{{Cmd|# modprobe tun}}<br />
<br />
If you prefer bridging a guest over your Ethernet interface, you need to make a [https://wiki.alpinelinux.org/wiki/Bridge#Configuration_file bridge].<br />
<br />
It's quite common to use bridges in KVM environments. But when IPv6 is in use, Alpine will assign the bridge a link-local address as well as a SLAAC address if there is a router sending Router Advertisements. You usually don't want this, since the KVM host shouldn't have an IP address in every network it serves to guests. Unfortunately IPv6 cannot simply be disabled for the bridge via a sysctl configuration file, because the bridge might not be up yet when the sysctl config is applied during boot. What works is to put a post-up hook into the /etc/network/interfaces file like this:<br />
auto brlan<br />
iface brlan inet manual<br />
bridge-ports eth1.5<br />
bridge-stp 0<br />
post-up ip -6 a flush dev brlan; sysctl -w net.ipv6.conf.brlan.disable_ipv6=1<br />
<br />
== Management ==<br />
For non-root management, you will need to add your user to the libvirt group.<br />
{{Cmd|# addgroup user libvirt}}<br />
<br />
You can use libvirt's virsh at the CLI. It can execute commands as well as run as an interactive shell. Read its manual page and/or use the "help" command for more info. Some basic commands are:<br />
<br />
{{Cmd|<nowiki>virsh help<br />
virsh list --all<br />
virsh start $domain<br />
virsh shutdown $domain</nowiki><br />
}}<br />
<br />
The libvirt project provides a GUI for managing hosts, called virt-manager. It handles local systems as well as remote ones via SSH.<br />
{{Cmd|<nowiki># apk add dbus polkit virt-manager terminus-font<br />
# rc-update add dbus</nowiki>}}<br />
<br />
To control KVM remotely over SSH through libvirtd, PolicyKit needs a .pkla file that grants members of the libvirt group the org.libvirt.unix.manage action.<br />
Write the following file to /etc/polkit-1/localauthority/50-local.d/50-libvirt-ssh-remote-access-policy.pkla:<br />
{{Cmd|<nowiki>[Remote libvirt SSH access]<br />
Identity=unix-group:libvirt<br />
Action=org.libvirt.unix.manage<br />
ResultAny=yes<br />
ResultInactive=yes<br />
ResultActive=yes</nowiki><br />
}}<br />
<br />
== Guest lifecycle management ==<br />
The libvirt-guests service (available from Alpine 3.13.5) allows running guests to be automatically suspended or shut down when the host is shut down or rebooted.<br />
<br />
The service is configured in /etc/conf.d/libvirt-guests. Enable the service with {{Cmd|# rc-update add libvirt-guests}}<br />
<br />
== vfio ==<br />
<br />
VFIO is a more flexible way to do PCI passthrough. Suppose you want to pass the following Ethernet card through to a VM as a PCI device.<br />
<br />
# lspci | grep 02:00.0<br />
02:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)<br />
# lspci -n -s 02:00.0<br />
02:00.0 0200: 8086:10c9 (rev 01)<br />
<br />
First, create ''/etc/mkinitfs/features.d/vfio.modules'' with the following content, so mkinitfs includes the VFIO modules in the initramfs.<br />
<br />
kernel/drivers/vfio/vfio.ko<br />
kernel/drivers/vfio/vfio_virqfd.ko<br />
kernel/drivers/vfio/vfio_iommu_type1.ko<br />
kernel/drivers/vfio/pci/vfio-pci.ko<br />
<br />
Add ''vfio'' to the list of features in ''/etc/mkinitfs/mkinitfs.conf''.<br />
<br />
Then create the following modprobe configuration so that vfio-pci claims the card (selected by its vendor:device id) before the igb driver can, and rebuild the initramfs:<br />
<br />
# cat > /etc/modprobe.d/vfio.conf <<EOF<br />
options vfio-pci ids=8086:10c9<br />
options vfio_iommu_type1 allow_unsafe_interrupts=1<br />
softdep igb pre: vfio-pci<br />
EOF<br />
# mkinitfs<br />
<br />
Note that <code>allow_unsafe_interrupts=1</code> is only needed on platforms whose IOMMU lacks interrupt remapping; it allows a guest with a passed-through device to inject MSI interrupts into the host, so leave it out if your IOMMU supports interrupt remapping.<br />
<br />
Now modify GRUB: add ''intel_iommu=on iommu=pt'' on Intel platforms (AMD uses ''amd_iommu=on'') and add the VFIO modules to the modules= list.<br />
<br />
# grep ^GRUB_CMDLINE_LINUX_DEFAULT /etc/default/grub<br />
GRUB_CMDLINE_LINUX_DEFAULT="modules=sd-mod,usb-storage,ext4,raid1,vfio,vfio-pci,vfio_iommu_type1,vfio_virqfd nomodeset rootfstype=ext4 intel_iommu=on iommu=pt console=ttyS0,115200"<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
Reboot and check dmesg.<br />
<br />
# grep -i -e DMAR -e IOMMU /var/log/dmesg<br />
[ 0.343795] DMAR: Host address width 36<br />
[ 0.343797] DMAR: DRHD base: 0x000000fed90000 flags: 0x1<br />
[ 0.343804] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c90780106f0462 ecap f020e3<br />
[ 0.343806] DMAR: RMRR base: 0x000000000ed000 end: 0x000000000effff<br />
[ 0.343807] DMAR: RMRR base: 0x000000bf7ed000 end: 0x000000bf7fffff<br />
[ 0.553830] iommu: Default domain type: Passthrough (set via kernel command line)<br />
[ 0.902477] DMAR: No ATSR found<br />
[ 0.902563] DMAR: dmar0: Using Queued invalidation<br />
...<br />
[ 0.903256] pci 0000:02:00.0: Adding to iommu group 12<br />
...<br />
[ 0.903768] DMAR: Intel(R) Virtualization Technology for Directed I/O<br />
<br />
If you do not run libvirt VMs as ''root'' (check with ''egrep '^#*user' /etc/libvirt/qemu.conf''), the user must have the correct permissions on ''/dev/vfio/<iommu_group>'', e.g. ''/dev/vfio/12''; adjust ''/etc/mdev.conf'' or your udev rules accordingly. Also note that if there are multiple PCI devices in the same IOMMU group, you always have to add all of them to the VM, otherwise you get an error message like "Please ensure all devices within the iommu_group are bound to their vfio bus driver":<br />
<br />
# virsh dumpxml vm01 | xmllint --xpath '//*/hostdev' -<br />
<hostdev mode="subsystem" type="pci" managed="yes"><br />
<driver name="vfio"/><br />
<source><br />
<address domain="0x0000" bus="0x02" slot="0x00" function="0x0"/><br />
</source><br />
<alias name="hostdev0"/><br />
<address type="pci" domain="0x0000" bus="0x00" slot="0x06" function="0x0"/><br />
</hostdev><br />
<hostdev mode="subsystem" type="pci" managed="yes"><br />
<driver name="vfio"/><br />
<source><br />
<address domain="0x0000" bus="0x02" slot="0x00" function="0x1"/><br />
</source><br />
<alias name="hostdev1"/><br />
<address type="pci" domain="0x0000" bus="0x00" slot="0x08" function="0x0"/><br />
</hostdev><br />
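The following helper is added here and is not part of the wiki page: it walks sysfs to list every device in the IOMMU group of a given PCI address together with the driver each one is bound to, and reports whether the whole group is on vfio-pci, which is the condition behind the error message quoted above. The function names are hypothetical. Each function takes an optional sysfs root so the checks can be exercised against a constructed tree; <code>make_demo_sysfs</code> builds one that mirrors the dual-function card above (group number 12 and the igb driver name come from this page, the directory layout is a constructed stand-in for /sys).<br />

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: list every PCI device that shares an
# IOMMU group with the device you want to pass through and check that all of
# them are bound to vfio-pci.  Devices in one group can only be assigned
# together, which is what the "Please ensure all devices within the
# iommu_group are bound to their vfio bus driver" error above is about.
# Every function takes an optional sysfs root (default /sys) so the checks can
# also be run against a constructed tree.

# iommu_group_of <pci address> [sysfs root]: prints the group number
iommu_group_of() {
    link=${2:-/sys}/bus/pci/devices/$1/iommu_group
    if [ ! -L "$link" ]; then
        echo "$1: no IOMMU group (IOMMU off, or wrong address?)" >&2
        return 1
    fi
    basename "$(readlink "$link")"
}

# driver_of <pci address> [sysfs root]: prints the bound driver, or "none"
driver_of() {
    link=${2:-/sys}/bus/pci/devices/$1/driver
    if [ -L "$link" ]; then basename "$(readlink "$link")"; else echo none; fi
}

# group_members <pci address> [sysfs root]: one "<address> <driver>" line per group member
group_members() {
    sys=${2:-/sys}
    grp=$(iommu_group_of "$1" "$sys") || return 1
    for d in "$sys/kernel/iommu_groups/$grp/devices"/*; do
        addr=$(basename "$d")
        echo "$addr $(driver_of "$addr" "$sys")"
    done
}

# group_ready_for_vfio <pci address> [sysfs root]: exit 0 only when the whole group is on vfio-pci
group_ready_for_vfio() {
    iommu_group_of "$1" "${2:-/sys}" >/dev/null || return 1
    group_members "$1" "${2:-/sys}" |
        awk 'BEGIN { bad = 0 } $2 != "vfio-pci" { bad = 1; print "still bound to " $2 ": " $1 } END { exit bad }'
}

# make_demo_sysfs: builds a constructed sysfs fragment in a temp dir and prints
# its path.  It mirrors the 82576 example above: a dual-port card whose two
# functions 0000:02:00.0 and 0000:02:00.1 share IOMMU group 12, with only
# function 0 already claimed by vfio-pci and function 1 still on igb.
make_demo_sysfs() {
    root=$(mktemp -d)
    for f in 0 1; do
        mkdir -p "$root/bus/pci/devices/0000:02:00.$f" "$root/kernel/iommu_groups/12/devices"
        ln -s ../../../../kernel/iommu_groups/12 "$root/bus/pci/devices/0000:02:00.$f/iommu_group"
        ln -s "../../../../bus/pci/devices/0000:02:00.$f" "$root/kernel/iommu_groups/12/devices/0000:02:00.$f"
    done
    ln -s ../../drivers/vfio-pci "$root/bus/pci/devices/0000:02:00.0/driver"
    ln -s ../../drivers/igb "$root/bus/pci/devices/0000:02:00.1/driver"
    echo "$root"
}

demo=$(make_demo_sysfs)
group_members 0000:02:00.0 "$demo"
if group_ready_for_vfio 0000:02:00.0 "$demo"; then
    echo "group ready for passthrough"
else
    echo "group NOT ready: bind the devices listed above to vfio-pci (or pass all of them) first"
fi
rm -rf "$demo"
```

On a real host call <code>group_members 0000:02:00.0</code> without the second argument; every line that does not end in <code>vfio-pci</code> is a device that either needs its own <code>&lt;hostdev&gt;</code> entry in the same domain or a <code>softdep</code> line like the one above.<br />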
<br />
If you use QEMU directly without libvirt and are trying to pass a GPU to your VM, you may get a "VFIO_MAP_DMA failed: Out of memory" error when starting the VM as a non-root user. One way to fix it is to install the ''shadow'' package and raise the amount of memory the user may lock via the ''/etc/security/limits.conf'' file:<br />
{{Cmd|<nowiki># apk add shadow<br />
# echo "youruser soft memlock RAMamount \<br />
youruser hard memlock RAMamount" >> /etc/security/limits.conf<br />
# reboot</nowiki>}}<br />
<br />
Replace "youruser" with the user you wish to run the VM as, and "RAMamount" with how much RAM your VM will need (in KB). Using the exact amount may still produce the same error, so you probably want to increase this value by a few dozen MB (typically +40).<br />
<br />
More information at [https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF].<br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Install_Alpine_in_QEMU&diff=20051Install Alpine in QEMU2021-08-07T06:26:21Z<p>Bt129: /* Booting the Virtual Machine */</p>
<hr />
<div>==Before You Start==<br />
<br />
* Download the [http://alpinelinux.org/downloads latest Alpine image].<br />
* Install QEMU on your system (e.g. <code>sudo apt install qemu</code> on Ubuntu, <code>yum -y install qemu</code> on Fedora)<br />
<br />
==Create the Virtual Machine==<br />
<br />
Create a disk image if you want to install Alpine Linux.<br />
<br />
{{Cmd|qemu-img create -f qcow2 alpine.qcow2 8G}}<br />
<br />
The following command starts QEMU with the Alpine ISO image as CDROM, the default network configuration, 512MB RAM, the disk image that was created in the previous step, and CDROM as the boot device.<br />
<br />
{{Cmd|1=qemu-system-x86_64 -m 512 -nic user -boot d -cdrom alpine-standard-3.10.2-x86_64.iso -hda alpine.qcow2}}<br />
<br />
{{Tip|Add the option <code>-enable-kvm</code> if your hardware supports it.}}<br />
<br />
Log in as <code>root</code> (no password) and run: {{Cmd|setup-alpine}}<br />
Follow the [[Alpine_setup_scripts#setup-alpine|setup-alpine installation steps]].<br />
<br />
Run <code>poweroff</code> to shut down the machine.<br />
<br />
== Booting the Virtual Machine ==<br />
After the installation, QEMU can be started from the disk image (<code>-boot c</code>) without the CDROM.<br />
<br />
{{Cmd|qemu-system-x86_64 -m 512 -nic user -hda alpine.qcow2}}<br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Install_Alpine_in_QEMU&diff=20050Install Alpine in QEMU2021-08-07T06:24:41Z<p>Bt129: /* Create the Virtual Machine */</p>
<hr />
<div>==Before You Start==<br />
<br />
* Download the [http://alpinelinux.org/downloads latest Alpine image].<br />
* Install QEMU on your system (e.g. <code>sudo apt install qemu</code> on Ubuntu, <code>yum -y install qemu</code> on Fedora)<br />
<br />
==Create the Virtual Machine==<br />
<br />
Create a disk image if you want to install Alpine Linux.<br />
<br />
{{Cmd|qemu-img create -f qcow2 alpine.qcow2 8G}}<br />
<br />
The following command starts QEMU with the Alpine ISO image as CDROM, the default network configuration, 512MB RAM, the disk image that was created in the previous step, and CDROM as the boot device.<br />
<br />
{{Cmd|1=qemu-system-x86_64 -m 512 -nic user -boot d -cdrom alpine-standard-3.10.2-x86_64.iso -hda alpine.qcow2}}<br />
<br />
{{Tip|Add the option <code>-enable-kvm</code> if your hardware supports it.}}<br />
<br />
Log in as <code>root</code> (no password) and run: {{Cmd|setup-alpine}}<br />
Follow the [[Alpine_setup_scripts#setup-alpine|setup-alpine installation steps]].<br />
<br />
Run <code>poweroff</code> to shut down the machine.<br />
<br />
== Booting the Virtual Machine ==<br />
After the installation, QEMU can be started from the disk image (<code>-boot c</code>) without the CDROM.<br />
<br />
{{Cmd|qemu-system-x86_64 -m 512 -nic user -hda alpine.qcow2}}<br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Xen_LiveCD&diff=20049Xen LiveCD2021-08-07T06:08:37Z<p>Bt129: </p>
<hr />
<div>The Alpine Linux distribution provides a Xen LiveCD which can be used to run Xen without installing it. It comes with specific scripts that will help you set up a basic environment to create guests. To use it, just [http://alpinelinux.org/downloads download the "Alpine Linux Xen" ISO]. You need to burn it to a CD or create a bootable USB device. More information about this procedure can be found at [[Create a Bootable USB]]. Once you have your CD or USB device ready, boot from it. You will see the Xen Hypervisor kernel booting, and after that, the Linux kernel. When the boot process has finished, login as root and execute the following scripts:<br />
<br />
<pre><br />
# setup-xen-dom0<br />
# setup-alpine<br />
</pre><br />
<br />
When executing "setup-alpine" you will be asked several questions. When asked about the network configuration it is very important you set up at least one bridge so you are able to add the virtual network interfaces of guests to that bridge. You can find more information about Xen on the Xen.org Wiki [http://wiki.xen.org/wiki/Main_Page].<br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Xen_PCI_Passthrough&diff=20048Xen PCI Passthrough2021-08-06T16:04:41Z<p>Bt129: </p>
<hr />
<div>This guide is to show how to configure PCI Passthrough on Alpine.<br />
<br />
First, use lspci to find the PCI address of the device you want to pass through:<br />
<pre><br />
node03:~# lspci<br />
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 Processor Family DRAM Controller (rev 09)<br />
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 05)<br />
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 05)<br />
00:1c.0 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 1 (rev b5)<br />
00:1c.4 PCI bridge: Intel Corporation 6 Series/C200 Series Chipset Family PCI Express Root Port 5 (rev b5)<br />
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 05)<br />
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev a5)<br />
00:1f.0 ISA bridge: Intel Corporation C204 Chipset Family LPC Controller (rev 05)<br />
00:1f.2 SATA controller: Intel Corporation 6 Series/C200 Series Chipset Family SATA AHCI Controller (rev 05)<br />
00:1f.3 SMBus: Intel Corporation 6 Series/C200 Series Chipset Family SMBus Controller (rev 05)<br />
01:00.0 Serial Attached SCSI controller: LSI Logic / Symbios Logic SAS2008 PCI-Express Fusion-MPT SAS-2 [Falcon] (rev 03)<br />
02:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection<br />
03:03.0 VGA compatible controller: Matrox Electronics Systems Ltd. MGA G200eW WPCM450 (rev 0a)<br />
</pre><br />
<br />
In this example we want to pass through the SAS controller, so the address is 01:00.0.<br />
Currently there is a bug [http://bugs.alpinelinux.org/issues/3609 #3609] in Alpine that prevents using the default kernel parameters, so the module is configured via /etc/modules instead.<br />
<br />
Edit /etc/modules and reboot the server:<br />
<pre><br />
node03:~# grep pciback /etc/modules <br />
xen_pciback hide=(01:00.0)<br />
</pre><br />
<br />
After rebooting, verify that the PCI device is bound to the pciback kernel module and that xl lists it as assignable for passthrough:<br />
<pre><br />
node03:~# lspci -k | grep -A2 '01:00.0'<br />
01:00.0 Serial Attached SCSI controller: LSI Logic / Symbios Logic SAS2008 PCI-Express Fusion-MPT SAS-2 [Falcon] (rev 03)<br />
Subsystem: LSI Logic / Symbios Logic Device 3020<br />
Kernel driver in use: pciback<br />
node03:~# xl pci-assignable-list<br />
0000:01:00.0<br />
</pre><br />
<br />
Add the following line to your DomU's Config:<br />
<pre><br />
pci = [ '01:00.0' ]<br />
</pre><br />
<br />
====Known Issue with LSI Controllers====<br />
Because the kernel module for LSI controllers is included in the Alpine initramfs, the real driver is loaded before pciback can claim the device.<br />
<BR>You need to blacklist the mpt2sas module in /etc/modprobe.d/blacklist.conf and rebuild your initramfs:<br />
<pre><br />
node03:~# grep sas /etc/modprobe.d/blacklist.conf <br />
blacklist mpt2sas<br />
node03:~# mkinitfs <br />
==> initramfs: creating /boot/initramfs-grsec<br />
11538 blocks<br />
33641 blocks<br />
</pre><br />
<br />
[[Category:Virtualization]]</div>Bt129https://wiki.alpinelinux.org/w/index.php?title=Create_Alpine_Linux_PV_DomU&diff=20047Create Alpine Linux PV DomU2021-08-06T15:56:01Z<p>Bt129: </p>
<hr />
<div>== Obtain a copy of Alpine Linux ==<br />
<br />
To create an Alpine Linux paravirtualized (PV) DomU you'll need an Alpine Linux iso.<br />
<br />
Download the latest alpine-virt iso from https://alpinelinux.org/downloads/<br />
<br />
In this example we'll use {{path|/data/}} for the download and disk images.<br />
<br />
==Mount the ISO image ==<br />
<br />
Next, mount the iso so you can read the kernel and initramfs:<br />
<br />
{{cmd | mount -t iso9660 -o loop /data/alpine-virt-{{AlpineLatest}}-x86_64.iso /media/cdrom }}<br />
<br />
Now you have the kernel in {{path|/media/cdrom/boot/vmlinuz-virt}} and initramfs in {{path|/media/cdrom/boot/initramfs-virt}}.<br />
<br />
Alternatively you can use {{path|uniso}} or {{path|p7zip}} to extract the content to a temporary area.<br />
<br />
== Create the disk image ==<br />
Now you need to create an empty file to be used as the hard drive of the DomU (in this example we are using a 3GB disk):<br />
<br />
{{cmd | <nowiki>dd if=/dev/zero of=/data/a1.img bs=1M count=3000</nowiki>}}<br />
<br />
Alternatively, if an LVM volume group (e.g. vg1) with free space is available on dom0, create a logical volume for Alpine:<br />
<br />
{{cmd | <nowiki>sudo lvcreate -n alpine -L 10g vg1</nowiki>}}<br />
<br />
== Create a DomU config file that boots the ISO image ==<br />
Next, create a basic DomU configuration file so you can boot the PV guest from the ISO (save it where you like, although the most common place is {{path|/etc/xen/}}).<br />
<br />
{{cat | /etc/xen/a1.cfg | <nowiki># Alpine Linux PV DomU<br />
<br />
# Kernel paths for install<br />
kernel = "/media/cdrom/boot/vmlinuz-virt"<br />
ramdisk = "/media/cdrom/boot/initramfs-virt"<br />
extra="modules=loop,squashfs console=hvc0"<br />
<br />
# Path to HDD and iso file<br />
disk = [<br />
'format=raw, vdev=xvda, access=w, target=/data/a1.img',<br />
'format=raw, vdev=xvdc, access=r, devtype=cdrom, target=/data/alpine-virt-</nowiki>{{AlpineLatest}}<nowiki>-x86_64.iso'<br />
]<br />
<br />
# Network configuration<br />
vif = ['bridge=br0']<br />
<br />
# DomU settings<br />
memory = 512<br />
name = "alpine-a1"<br />
vcpus = 1<br />
maxvcpus = 1<br />
</nowiki>}}<br />
<br />
If using LVM, replace {{path|/data/a1.img}} with {{path|/dev/vg1/alpine}} in the disk specification. <br />
<br />
== Install the guest ==<br />
Now that you have the necessary files, you can start the DomU to proceed with the install:<br />
<br />
{{cmd|xl create -f /etc/xen/a1.cfg -c}}<br />
<br />
Log into the system with user "root" and no password.<br />
<br />
After configuring the basic system, you will be asked where you would like to install Alpine. Choose xvda and sys.<br />
<br />
That will create three partitions on the disk: xvda1 for /boot, xvda2 for swap and xvda3 for /.<br />
<br />
<pre><br />
Available disks are:<br />
xvda (3.1 GB )<br />
Which disk(s) would you like to use? (or '?' for help or 'none') [none] xvda<br />
The following disk is selected:<br />
xvda (3.1 GB )<br />
How would you like to use it? ('sys', 'data' or '?' for help) [?] sys<br />
WARNING: The following disk(s) will be erased:<br />
xvda (3.1 GB )<br />
WARNING: Erase the above disk(s) and continue? [y/N]: y<br />
Initializing partitions on /dev/xvda...<br />
Creating file systems...<br />
Installing system on /dev/xvda3:<br />
<br />
<br />
Installation is complete. Please reboot.<br />
<br />
#<br />
</pre><br />
<br />
When you reboot, the PV bootloader pvgrub will look for /boot/grub/grub.cfg for its menu, so create that file first.<br />
<br />
Mount the boot partition and create a {{path|grub/grub.cfg}} file for pvgrub. (Note that grub.cfg is for pvgrub2 which replaced pvgrub1 and its menu.lst beginning in 2013.)<br />
<br />
{{cmd |<nowiki>mount /dev/xvda1 /mnt<br />
mkdir /mnt/grub</nowiki>}}<br />
<br />
Install a basic text editor like nano or vim:<br/><br />
{{cmd | apk add nano}}<br />
<br />
If using nano, enter:<br/><br />
{{cmd | nano /mnt/grub/grub.cfg}}<br />
<br />
Then add the following to create a basic grub2 configuration file:<br />
{{cat | /mnt/grub/grub.cfg |<nowiki>menuentry 'alpine-xen' {<br />
set root=(xen/xvda,msdos1)<br />
linux /boot/vmlinuz-virt root=/dev/xvda3 modules=ext4<br />
initrd /boot/initramfs-virt<br />
}</nowiki>}}<br />
<br />
Finally, Ctrl-S to save, Ctrl-X to exit nano.<br />
<br />
Unmount and power off.<br />
{{cmd |umount /mnt<br />
poweroff}}<br />
<br />
== Adjust the domU config file to boot from fresh install ==<br />
<br />
In your Dom0, edit your DomU config file to boot with pvgrub.<br />
<br />
{{cat | /etc/xen/a1.cfg |<nowiki># Alpine Linux PV DomU<br />
<br />
kernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"<br />
<br />
# Path to HDD and iso file<br />
disk = [<br />
'format=raw, vdev=xvda, access=w, target=/data/a1.img'<br />
]<br />
<br />
# Network configuration<br />
vif = ['bridge=br0']<br />
<br />
# DomU settings<br />
memory = 512<br />
name = "alpine-a1"<br />
vcpus = 1<br />
maxvcpus = 1<br />
</nowiki>}}<br />
<br />
The name and location of pvgrub in Dom0 is distribution-specific, so you may need to change the "kernel=" line, above. <br />
<br />
For example, in Debian 10, it's {{path|'/usr/lib/grub-xen/grub-x86_64-xen.bin'}}<br />
<br />
Remember to unmount the loopback iso image.<br />
{{cmd | umount /media/cdrom}}<br />
<br />
The next time you boot, you'll be presented with the grub boot menu, and your VM will boot.<br />
<br />
== See also ==<br />
* [https://www.linkedin.com/pulse/setting-up-alpine-linux-370-domu-vm-xenserver-72-ali-poursamadi Setting up Alpine Linux 3.7.0 as a domU VM on XenServer 7.2]<br />
<br />
[[Category:Virtualization]]</div>Bt129