https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Clandmeter&feedformat=atomAlpine Linux - User contributions [en]2024-03-28T08:51:47ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:Developers&diff=20223Alpine Linux:Developers2021-11-01T09:33:42Z<p>Clandmeter: /* Contact */</p>
<hr />
<div>= Supporting Developers =<br />
<br />
Supporting developers CAN and WILL:<br />
* Encourage them to continue working on the project<br />
* Be a reward about something they did and you find useful<br />
* Remind that people care about the project<br />
* Books/etc can improve know-how of the project developers<br />
<br />
It does NOT:<br />
* Entitle you to get priority support<br />
* Entitle you to receive private support<br />
* Ensure that your feature request will get priority<br />
* Ensure that your feature request will be done<br />
<br />
== Timo Teräs ==<br />
<br />
Email: timo.teras@iki.fi<br />
<br />
Working mostly on:<br />
* apk-tools<br />
* ARM port, musl support<br />
* DMVPN: opennhrp, ipsec-tools, linux kernel ipsec support, openssl<br />
* kamailio, Asterisk, DAHDI, zaphfc<br />
<br />
Accepts:<br />
* Books on programming, algorithms and/or security (inquire if you need titles, or have something you can send)<br />
* Coffee and single malts (within EU to avoid import tax)<br />
* Paypal donations<br />
<br />
<br />
== Natanael Copa ==<br />
<br />
Email: ncopa@alpinelinux.org<br />
<br />
Working mostly on:<br />
* Release engineering<br />
* aports/packages (maintainer for 1300+ packages)<br />
* build tools (abuild)<br />
* security patching<br />
<br />
Accepts:<br />
* Books on programming (ask for titles)<br />
* Paypal donations: ncopa@alpinelinux.org<br />
* Bitcoin: 14t8AKhQyWe8nfRZCaXmzXWBiyUZb3QTVA<br />
<br />
== Carlo Landmeter ==<br />
<br />
=== Contact ===<br />
* Email: clandmeter@alpinelinux.org<br />
* IRC: clandmeter (CET)<br />
<br />
=== Work on Alpine ===<br />
* Alpine Council, TSC and Infra member<br />
* Developer/Maintainer of some packages<br />
* aarch64 port (including its infrastructure)<br />
* riscv64 port (bootstrapped most of world)<br />
* Created multiple Alpine web based solutions (www, pkgs, and more)<br />
<br />
=== Ways to support ===<br />
* Send friendly greetings<br />
* PayPal: clandmeter@alpinelinux.org</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:Developers&diff=20222Alpine Linux:Developers2021-11-01T09:33:31Z<p>Clandmeter: /* Ways to support */</p>
<hr />
<div>= Supporting Developers =<br />
<br />
Supporting developers CAN and WILL:<br />
* Encourage them to continue working on the project<br />
* Be a reward about something they did and you find useful<br />
* Remind that people care about the project<br />
* Books/etc can improve know-how of the project developers<br />
<br />
It does NOT:<br />
* Entitle you to get priority support<br />
* Entitle you to receive private support<br />
* Ensure that your feature request will get priority<br />
* Ensure that your feature request will be done<br />
<br />
== Timo Teräs ==<br />
<br />
Email: timo.teras@iki.fi<br />
<br />
Working mostly on:<br />
* apk-tools<br />
* ARM port, musl support<br />
* DMVPN: opennhrp, ipsec-tools, linux kernel ipsec support, openssl<br />
* kamailio, Asterisk, DAHDI, zaphfc<br />
<br />
Accepts:<br />
* Books on programming, algorithms and/or security (inquire if you need titles, or have something you can send)<br />
* Coffee and single malts (within EU to avoid import tax)<br />
* Paypal donations<br />
<br />
<br />
== Natanael Copa ==<br />
<br />
Email: ncopa@alpinelinux.org<br />
<br />
Working mostly on:<br />
* Release engineering<br />
* aports/packages (maintainer for 1300+ packages)<br />
* build tools (abuild)<br />
* security patching<br />
<br />
Accepts:<br />
* Books on programming (ask for titles)<br />
* Paypal donations: ncopa@alpinelinux.org<br />
* Bitcoin: 14t8AKhQyWe8nfRZCaXmzXWBiyUZb3QTVA<br />
<br />
== Carlo Landmeter ==<br />
<br />
=== Contact ===<br />
* Email: clandmeter@gmail.com<br />
* IRC: clandmeter (CET)<br />
<br />
=== Work on Alpine ===<br />
* Alpine Council, TSC and Infra member<br />
* Developer/Maintainer of some packages<br />
* aarch64 port (including its infrastructure)<br />
* riscv64 port (bootstrapped most of world)<br />
* Created multiple Alpine web based solutions (www, pkgs, and more)<br />
<br />
=== Ways to support ===<br />
* Send friendly greetings<br />
* PayPal: clandmeter@alpinelinux.org</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:Developers&diff=20221Alpine Linux:Developers2021-11-01T09:33:09Z<p>Clandmeter: /* Carlo Landmeter */</p>
<hr />
<div>= Supporting Developers =<br />
<br />
Supporting developers CAN and WILL:<br />
* Encourage them to continue working on the project<br />
* Be a reward about something they did and you find useful<br />
* Remind that people care about the project<br />
* Books/etc can improve know-how of the project developers<br />
<br />
It does NOT:<br />
* Entitle you to get priority support<br />
* Entitle you to receive private support<br />
* Ensure that your feature request will get priority<br />
* Ensure that your feature request will be done<br />
<br />
== Timo Teräs ==<br />
<br />
Email: timo.teras@iki.fi<br />
<br />
Working mostly on:<br />
* apk-tools<br />
* ARM port, musl support<br />
* DMVPN: opennhrp, ipsec-tools, linux kernel ipsec support, openssl<br />
* kamailio, Asterisk, DAHDI, zaphfc<br />
<br />
Accepts:<br />
* Books on programming, algorithms and/or security (inquire if you need titles, or have something you can send)<br />
* Coffee and single malts (within EU to avoid import tax)<br />
* Paypal donations<br />
<br />
<br />
== Natanael Copa ==<br />
<br />
Email: ncopa@alpinelinux.org<br />
<br />
Working mostly on:<br />
* Release engineering<br />
* aports/packages (maintainer for 1300+ packages)<br />
* build tools (abuild)<br />
* security patching<br />
<br />
Accepts:<br />
* Books on programming (ask for titles)<br />
* Paypal donations: ncopa@alpinelinux.org<br />
* Bitcoin: 14t8AKhQyWe8nfRZCaXmzXWBiyUZb3QTVA<br />
<br />
== Carlo Landmeter ==<br />
<br />
=== Contact ===<br />
* Email: clandmeter@gmail.com<br />
* IRC: clandmeter (CET)<br />
<br />
=== Work on Alpine ===<br />
* Alpine Council, TSC and Infra member<br />
* Developer/Maintainer of some packages<br />
* aarch64 port (including its infrastructure)<br />
* riscv64 port (bootstrapped most of world)<br />
* Created multiple Alpine web based solutions (www, pkgs, and more)<br />
<br />
=== Ways to support ===<br />
* Send friendly greetings<br />
* PayPal: clandmeter@gmail.com</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=16477Configure a Wireguard interface (wg)2019-10-03T15:11:47Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology and available since Alpine 3.10 in the community repository.<br />
<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an interface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=16476Configure a Wireguard interface (wg)2019-10-03T15:11:21Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology and available since Alpine 3.10.<br />
<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an interface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Bridge&diff=16258Bridge2019-08-27T09:51:59Z<p>Clandmeter: /* Configuration file */</p>
<hr />
<div>[[Category:Networking]]<br />
This document describes how to configure a [http://en.wikipedia.org/wiki/Bridging_%28networking%29 network bridge] interface in Alpine Linux.<br />
<br />
== Using brctl ==<br />
Bridges are manually managed with the '''brctl''' command.<br />
<pre><br />
Usage: brctl COMMAND [BRIDGE [INTERFACE]]<br />
<br />
Manage ethernet bridges<br />
<br />
Commands:<br />
show Show a list of bridges<br />
addbr BRIDGE Create BRIDGE<br />
delbr BRIDGE Delete BRIDGE<br />
addif BRIDGE IFACE Add IFACE to BRIDGE<br />
delif BRIDGE IFACE Delete IFACE from BRIDGE<br />
setageing BRIDGE TIME Set ageing time<br />
setfd BRIDGE TIME Set bridge forward delay<br />
sethello BRIDGE TIME Set hello time<br />
setmaxage BRIDGE TIME Set max message age<br />
setpathcost BRIDGE COST Set path cost<br />
setportprio BRIDGE PRIO Set port priority<br />
setbridgeprio BRIDGE PRIO Set bridge priority<br />
stp BRIDGE [1|0] STP on/off<br />
</pre><br />
<br />
To manually create a bridge interface br0:<br />
{{Cmd|brctl addbr br0}}<br />
<br />
To add interface eth0 and eth1 to the bridge br0:<br />
{{Cmd|brctl addif br0 eth0<br />
brctl addif br0 eth1}}<br />
<br />
Note that you need to set the link status to ''up'' on the added interfaces.<br />
{{Cmd|ip link set dev eth0 up<br />
ip link set dev eth1 up}}<br />
<br />
[[Category:Networking]]<br />
<br />
== Configuration file ==<br />
{{Note|Alpine Linux v2.4 or newer is required for this}}<br />
Install the scripts that configures the bridge.<br />
{{Cmd|apk add bridge}}<br />
<br />
Bridging is then configured in ''/etc/network/interfaces'' with the ''bridge-ports'' keyword.<br />
Note that you normally don't assign ip addresses to the bridged interfaces (eth0 and eth1 in our example) but to the bridge itself (br0).<br />
<br />
In this example the address 192.168.0.1/24 is used.<br />
<br />
<pre><br />
auto br0<br />
iface br0 inet static<br />
bridge-ports eth0 eth1<br />
bridge-stp 0<br />
address 192.168.0.1<br />
netmask 255.255.255.0<br />
</pre><br />
<br />
You can set the various options with those keywords:<br />
; bridge-ports<br />
: Set bridge ports (ethX) or none for no physical interfaces<br />
; bridge-aging<br />
: Set ageing time<br />
; bridge-fd<br />
: Set bridge forward delay<br />
; bridge-hello<br />
: Set hello time<br />
; bridge-maxage<br />
: Set bridge max message age<br />
; bridge-pathcost<br />
: Set path cost<br />
; bridge-portprio<br />
: Set port priority<br />
; bridge-bridgeprio<br />
: Set bridge priority<br />
; bridge-stp<br />
: STP on/off<br />
<br />
== Using pre-up/post-down ==<br />
For older versions of Alpine Linux, or if you want be able to control the bridge interfaces individually, you need to use pre-up/post-down hooks.<br />
<br />
Example ''/etc/network/interfaces'':<br />
<br />
<pre><br />
auto br0<br />
iface br0 inet static<br />
pre-up brctl addbr br0<br />
pre-up echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables<br />
pre-up echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables<br />
pre-up echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables<br />
address 192.168.0.253<br />
netmask 255.255.255.0<br />
gateway 192.168.0.254<br />
post-down brctl delbr br0<br />
<br />
auto eth0<br />
iface eth0 inet manual<br />
up ip link set $IFACE up<br />
up brctl addif br0 $IFACE<br />
down brctl delif br0 $IFACE || true<br />
down ip link set $IFACE down<br />
<br />
auto eth1<br />
iface eth1 inet manual<br />
up ip link set $IFACE up<br />
up brctl addif br0 $IFACE<br />
down brctl delif br0 $IFACE || true<br />
down ip link set $IFACE down<br />
</pre><br />
<br />
That way you create br0 with: ifup br0, and you can add/remove<br />
individual interfaces to the bridge with ifup eth0, ifdown eth0.<br />
<br />
== Bridging for a Xen dom0 ==<br />
Bridging in a dom0 is a bit specific as it consists in bridging a real interface (i.e. ethX) with a virtual interface (i.e. vifX.Y).<br />
At bridge creation time, the virtual interface does not exist and will be added by the Xen toolstack when a domU is booting (see Xen documentation on how to link the virtual interface to the correct bridge).<br />
<br />
;Particularities :<br />
- the bridge consists of a single physical interface <br/><br />
- the physical interface does not have an IP and is configured as manual <br/><br />
- the bridge will have the IP and will be auto, resulting in bringing up the physical interface <br/><br />
<br />
This translates to this sample config :<br />
<br />
Example ''/etc/network/interfaces'':<br />
<br />
<pre><br />
auto eth0<br />
iface eth0 inet manual<br />
<br />
auto br0<br />
iface br0 inet static<br />
address 192.168.0.253<br />
netmask 255.255.255.0<br />
gateway 192.168.0.254<br />
bridge_ports eth0<br />
bridge_stp 0<br />
</pre><br />
<br />
After the domU OS is started, the virtual interface wil be added and the working bridge can be checked with<br />
<pre><br />
brctl show<br />
<br />
ifconfig -a<br />
</pre><br />
<br />
== Bridging for KVM ==<br />
<br />
Example ''/etc/network/interfaces'':<br />
<br />
{{Note|I personally remove the eth0 declaration without any issue.}}<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge_ports eth0<br />
bridge_stp 0<br />
</pre><br />
<br />
=== Little script to allow dhcp over iptables ===<br />
{{Note|I tried the Using pre-up/post-down as mentionned in #3 but it did'nt work well for me }}<br />
{{Note|Usually it will be in /etc/rc.local as mentioned [https://wiki.libvirt.org/page/Networking#Debian.2FUbuntu_Bridging here] }}<br />
<br />
<pre><br />
rc-update add local<br />
</pre><br />
<br />
<pre><br />
cat >> /etc/local.d/iptables_dhcp_kvm.start << EOM<br />
echo 0 > /proc/sys/net/bridge/bridge-nf-call-arptables<br />
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables<br />
echo 0 > /proc/sys/net/bridge/bridge-nf-call-ip6tables<br />
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu<br />
exit 0<br />
EOM<br />
</pre><br />
<br />
<pre><br />
cat >> /etc/local.d/iptables_dhcp_kvm.stop << EOM<br />
exit 0<br />
EOM<br />
</pre><br />
<br />
<pre><br />
chmod +x /etc/local.d/iptables_dhcp_kvm.*<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=16084LVM on LUKS2019-07-29T13:13:30Z<p>Clandmeter: /* Installing Alpine Linux */</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.<br />
<br />
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.<br />
<br />
== Hard Disk Device Name ==<br />
<br />
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without password to log in.<br />
<br />
Optionally, set the keyboard language:<br />
<br />
<pre># setup-keymap</pre><br />
<br />
: The default keyboard mapping is <code>us-us</code><br />
<br />
Configure the network interface:<br />
<br />
<pre># setup-interfaces</pre><br />
<br />
: If you set a static IP address, additionally configure DNS be able to resolve host names:<br />
<br />
<pre># setup-dns</pre><br />
<br />
Enable the network interface. For example:<br />
<br />
<pre># ifup eth0</pre><br />
<br />
Set an apk repository and update the cache:<br />
<br />
<pre><br />
# setup-apkrepos<br />
# apk update<br />
</pre><br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
<pre><br />
# apk add lvm2 cryptsetup e2fsprogs<br />
</pre><br />
<br />
Optionally, install and start the <code>haveged</code> service for unpredictable random numbers used for encryption:<br />
<br />
<pre><br />
# apk add haveged<br />
# rc-service haveged start<br />
</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).<br />
<br />
Start the <code>fdisk</code> utility to set up partitions:<br />
<br />
<pre># fdisk /dev/vda</pre><br />
<br />
Create the <code>/boot/</code> partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>+100m</code> to create a new 100 MB primary partition.<br />
<br />
Set the <code>/boot/</code> partition active:<br />
* Enter <code>a</code> &rarr; <code>1</code>.<br />
<br />
Create the LVM PV partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.<br />
<br />
Set the partition type for the LVM PV:<br />
* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code><br />
<br />
To verify the settings, press <code>p</code>. The output shows, for example:<br />
<br />
<pre><br />
Device Boot Start End Blocks Id System<br />
/dev/vda1 * 1 100 50368+ 83 Linux<br />
/dev/vda2 101 10402 5192208 8e Linux LVM<br />
</pre><br />
<br />
Press <code>w</code> to save the changes.<br />
<br />
Optionally, wipe the LVM PV partition with random values:<br />
<br />
<pre># haveged -n 0 | dd of=/dev/vda2</pre><br />
<br />
Depending on the size of the partition, this process can take several minutes to hours.<br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV:<br />
<br />
<pre># cryptsetup luksFormat /dev/vda2</pre><br />
<br />
If you prefer setting an individual hashing algorithm and hashing schema:<br />
<br />
* To run a benchmark:<br />
<br />
<pre># cryptsetup benchmark</pre><br />
<br />
* To encrypt the partition using individual settings, enter, for example:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup open --type luks /dev/vda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>/dev/vda</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
Create the LVs:<br />
<br />
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.<br />
<br />
* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:<br />
<br />
<pre># lvcreate -L 2G vg0 -n root</pre><br />
<br />
* Create a 512 MB swap LV:<br />
<br />
<pre># lvcreate -L 512M vg0 -n swap</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
Format the <code>root</code> LV using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.<br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
== Mounting the File Systems ==<br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.<br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
Install Alpine Linux:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:<br />
<br />
<pre>lvmcrypt /dev/vda2 none luks</pre><br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
=== Syslinux ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vda1</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount -t ext4 /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit the <code>/mnt/etc/update-extlinux.conf</code> file and append the following kernel options to the <code>default_kernel_opts</code> parameter:<br />
<br />
<pre>default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"</pre><br />
<br />
: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Because the <code>update-extlinux</code> utility operators only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre><br />
# chroot /mnt/<br />
# update-extlinux<br />
# exit<br />
</pre><br />
<br />
: Ignore the errors the <code>update-extlinux</code> utility displays.<br />
<br />
Write the MBR to the <code>/dev/vda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda</pre><br />
<br />
=== Grub on EFI ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the FAT32 file system:<br />
<br />
<pre><br />
# apk add dosfstools<br />
# mkfs.fat -F32 /dev/vda1<br />
</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Edit the <code>/mnt/etc/default/grub</code> file and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter:<br />
<br />
<pre>cryptroot=/dev/vda2 cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre><br />
# mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre><br />
# (chroot) chroot /mnt<br />
# (chroot) apk add grub grub-efi efibootmgr<br />
# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit<br />
</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:<br />
<br />
<pre><br />
# umount /mnt/boot/<br />
# umount /mnt/<br />
</pre><br />
<br />
{{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}<br />
<br />
Disable the swap partition:<br />
<br />
<pre># swapoff -a</pre><br />
<br />
Deactivate the VG:<br />
<br />
<pre># vgchange -a n</pre><br />
<br />
Close the <code>lvmcrypt</code> device:<br />
<br />
<pre># cryptsetup luksClose lvmcrypt</pre><br />
<br />
Reboot the system:<br />
<br />
<pre># reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Activate the VGs:<br />
<br />
<pre># vgchange -a y</pre><br />
<br />
[[#Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.<br />
<br />
[[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=16083LVM on LUKS2019-07-29T13:11:28Z<p>Clandmeter: /* Installing Alpine Linux */</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.<br />
<br />
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.<br />
<br />
== Hard Disk Device Name ==<br />
<br />
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without password to log in.<br />
<br />
Optionally, set the keyboard language:<br />
<br />
<pre># setup-keymap</pre><br />
<br />
: The default keyboard mapping is <code>us-us</code><br />
<br />
Configure the network interface:<br />
<br />
<pre># setup-interfaces</pre><br />
<br />
: If you set a static IP address, additionally configure DNS be able to resolve host names:<br />
<br />
<pre># setup-dns</pre><br />
<br />
Enable the network interface. For example:<br />
<br />
<pre># ifup eth0</pre><br />
<br />
Set an apk repository and update the cache:<br />
<br />
<pre><br />
# setup-apkrepos<br />
# apk update<br />
</pre><br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
<pre><br />
# apk add lvm2 cryptsetup e2fsprogs<br />
</pre><br />
<br />
Optionally, install and start the <code>haveged</code> service for unpredictable random numbers used for encryption:<br />
<br />
<pre><br />
# apk add haveged<br />
# rc-service haveged start<br />
</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).<br />
<br />
Start the <code>fdisk</code> utility to set up partitions:<br />
<br />
<pre># fdisk /dev/vda</pre><br />
<br />
Create the <code>/boot/</code> partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>+100m</code> to create a new 100 MB primary partition.<br />
<br />
Set the <code>/boot/</code> partition active:<br />
* Enter <code>a</code> &rarr; <code>1</code>.<br />
<br />
Create the LVM PV partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.<br />
<br />
Set the partition type for the LVM PV:<br />
* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code><br />
<br />
To verify the settings, press <code>p</code>. The output shows, for example:<br />
<br />
<pre><br />
Device Boot Start End Blocks Id System<br />
/dev/vda1 * 1 100 50368+ 83 Linux<br />
/dev/vda2 101 10402 5192208 8e Linux LVM<br />
</pre><br />
<br />
Press <code>w</code> to save the changes.<br />
<br />
Optionally, wipe the LVM PV partition with random values:<br />
<br />
<pre># haveged -n 0 | dd of=/dev/vda2</pre><br />
<br />
Depending on the size of the partition, this process can take several minutes to hours.<br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV:<br />
<br />
<pre># cryptsetup luksFormat /dev/vda2</pre><br />
<br />
If you prefer setting an individual hashing algorithm and hashing schema:<br />
<br />
* To run a benchmark:<br />
<br />
<pre># cryptsetup benchmark</pre><br />
<br />
* To encrypt the partition using individual settings, enter, for example:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup open --type luks /dev/vda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>/dev/vda</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
Create the LVs:<br />
<br />
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.<br />
<br />
* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:<br />
<br />
<pre># lvcreate -L 2G vg0 -n root</pre><br />
<br />
* Create a 512 MB swap LV:<br />
<br />
<pre># lvcreate -L 512M vg0 -n swap</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
Format the <code>root</code> LV using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.<br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
== Mounting the File Systems ==<br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.<br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
Install Alpine Linux:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:<br />
<br />
<pre>lvmcrypt /dev/vda2 none luks</pre><br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap<code> feature to the list above.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
=== Syslinux ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vda1</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount -t ext4 /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit the <code>/mnt/etc/update-extlinux.conf</code> file and append the following kernel options to the <code>default_kernel_opts</code> parameter:<br />
<br />
<pre>default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"</pre><br />
<br />
: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Because the <code>update-extlinux</code> utility operators only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre><br />
# chroot /mnt/<br />
# update-extlinux<br />
# exit<br />
</pre><br />
<br />
: Ignore the errors the <code>update-extlinux</code> utility displays.<br />
<br />
Write the MBR to the <code>/dev/vda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda</pre><br />
<br />
=== Grub on EFI ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the FAT32 file system:<br />
<br />
<pre><br />
# apk add dosfstools<br />
# mkfs.fat -F32 /dev/vda1<br />
</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Edit the <code>/mnt/etc/default/grub</code> file and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter:<br />
<br />
<pre>cryptroot=/dev/vda2 cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre><br />
# mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre><br />
# (chroot) chroot /mnt<br />
# (chroot) apk add grub grub-efi efibootmgr<br />
# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit<br />
</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:<br />
<br />
<pre><br />
# umount /mnt/boot/<br />
# umount /mnt/<br />
</pre><br />
<br />
{{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}<br />
<br />
Disable the swap partition:<br />
<br />
<pre># swapoff -a</pre><br />
<br />
Deactivate the VG:<br />
<br />
<pre># vgchange -a n</pre><br />
<br />
Close the <code>lvmcrypt</code> device:<br />
<br />
<pre># cryptsetup luksClose lvmcrypt</pre><br />
<br />
Reboot the system:<br />
<br />
<pre># reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Activate the VGs:<br />
<br />
<pre># vgchange -a y</pre><br />
<br />
[[#Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.<br />
<br />
[[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=16082LVM on LUKS2019-07-29T13:10:43Z<p>Clandmeter: /* Installing Alpine Linux */</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux using a logical volume (LV), that is installed in an encrypted partition. To encrypt the partition the logical volume manager (LVM) the volume group (VG) is installed in, the Device Mapper crypt (dm-crypt) module and Linux Unified Key Setup (LUKS) is used.<br />
<br />
Note that you must install the <code>/boot/</code> directory on an unecrypted partition to boot correctly.<br />
<br />
== Hard Disk Device Name ==<br />
<br />
The following documentation uses the <code>vda</code> device as installation destination. If your environment uses a different device name for your hard disk, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
{{Note|All settings in this section apply only to the temporary environment and not to the later installed Alpine Linux on your hard disk.}}<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without password to log in.<br />
<br />
Optionally, set the keyboard language:<br />
<br />
<pre># setup-keymap</pre><br />
<br />
: The default keyboard mapping is <code>us-us</code><br />
<br />
Configure the network interface:<br />
<br />
<pre># setup-interfaces</pre><br />
<br />
: If you set a static IP address, additionally configure DNS be able to resolve host names:<br />
<br />
<pre># setup-dns</pre><br />
<br />
Enable the network interface. For example:<br />
<br />
<pre># ifup eth0</pre><br />
<br />
Set an apk repository and update the cache:<br />
<br />
<pre><br />
# setup-apkrepos<br />
# apk update<br />
</pre><br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
<pre><br />
# apk add lvm2 cryptsetup e2fsprogs<br />
</pre><br />
<br />
Optionally, install and start the <code>haveged</code> service for unpredictable random numbers used for encryption:<br />
<br />
<pre><br />
# apk add haveged<br />
# rc-service haveged start<br />
</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
Linux requires an unencrypted <code>/boot/</code> partition to boot. You can assign the remaining space for the encrypted LVM physical volume (PV).<br />
<br />
Start the <code>fdisk</code> utility to set up partitions:<br />
<br />
<pre># fdisk /dev/vda</pre><br />
<br />
Create the <code>/boot/</code> partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>1</code> &rarr; <code>1</code> &rarr; <code>+100m</code> to create a new 100 MB primary partition.<br />
<br />
Set the <code>/boot/</code> partition active:<br />
* Enter <code>a</code> &rarr; <code>1</code>.<br />
<br />
Create the LVM PV partition:<br />
* Enter <code>n</code> &rarr; <code>p</code> &rarr; <code>2</code> to start creating the next partition. Press <code>Enter</code> to select the default start cylinder. Enter the size of partition. For example, <code>512m</code> for 512 MB or <code>5g</code> for 5 GB. Alternatively press <code>Enter</code> to set the maximum available size.<br />
<br />
Set the partition type for the LVM PV:<br />
* Enter <code>t</code> &rarr; <code>2</code> &rarr; <code>8e</code><br />
<br />
To verify the settings, press <code>p</code>. The output shows, for example:<br />
<br />
<pre><br />
Device Boot Start End Blocks Id System<br />
/dev/vda1 * 1 100 50368+ 83 Linux<br />
/dev/vda2 101 10402 5192208 8e Linux LVM<br />
</pre><br />
<br />
Press <code>w</code> to save the changes.<br />
<br />
Optionally, wipe the LVM PV partition with random values:<br />
<br />
<pre># haveged -n 0 | dd of=/dev/vda2</pre><br />
<br />
Depending on the size of the partition, this process can take several minutes to hours.<br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV:<br />
<br />
<pre># cryptsetup luksFormat /dev/vda2</pre><br />
<br />
If you prefer setting an individual hashing algorithm and hashing schema:<br />
<br />
* To run a benchmark:<br />
<br />
<pre># cryptsetup benchmark</pre><br />
<br />
* To encrypt the partition using individual settings, enter, for example:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/vda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup open --type luks /dev/vda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>/dev/vda</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
Create the LVs:<br />
<br />
: In the following you will create a LV for the root partition. However, you can use the same command with a different LV name to create further LVs for other mount points you want to create.<br />
<br />
* To create a 2 GB LV named <code>root</code> in the <code>vg0</code> VG:<br />
<br />
<pre># lvcreate -L 2G vg0 -n root</pre><br />
<br />
* Create a 512 MB swap LV:<br />
<br />
<pre># lvcreate -L 512M vg0 -n swap</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
Format the <code>root</code> LV using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
If you created further LVs in the previous step, create the file systems on them using the same command with the path to the LV.<br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
== Mounting the File Systems ==<br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
If you created further partitions or LVs, create the mount points within the <code>/mnt/</code> directory and mount the devices.<br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
Install Alpine Linux:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the <code>fstab</code> file, which are currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
To enable the operating system to decrypt the PV at boot time, create the <code>/mnt/etc/crypttab</code> file. Enter the following line into the file to decrypt the <code>/dev/vda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:<br />
<br />
<pre>lvmcrypt /dev/vda2 none luks</pre><br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the <code>/mnt/etc/fstab</code> file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the <code>/mnt/etc/mkinitfs/mkinitfs.conf</code> file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="ata base ide scsi usb virtio ext4 lvm <u>cryptsetup</u>"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap<code> feature to the list above.}}<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
# mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)<br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/</code>) option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
=== Syslinux ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the ext4 file system:<br />
<br />
<pre># mkfs.ext4 /dev/vda1</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount -t ext4 /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit the <code>/mnt/etc/update-extlinux.conf</code> file and append the following kernel options to the <code>default_kernel_opts</code> parameter:<br />
<br />
<pre>default_kernel_opts="... <u>cryptroot=/dev/vda2 cryptdm=lvmcrypt</u>"</pre><br />
<br />
: The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Because the <code>update-extlinux</code> utility operators only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre><br />
# chroot /mnt/<br />
# update-extlinux<br />
# exit<br />
</pre><br />
<br />
: Ignore the errors the <code>update-extlinux</code> utility displays.<br />
<br />
Write the MBR to the <code>/dev/vda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/vda</pre><br />
<br />
=== Grub on EFI ===<br />
<br />
Format the <code>/dev/vda1</code> device for the <code>/boot/</code> partition using the FAT32 file system:<br />
<br />
<pre><br />
# apk add dosfstools<br />
# mkfs.fat -F32 /dev/vda1<br />
</pre><br />
<br />
Create <code>/mnt/boot/</code> directory and mount the <code>/dev/vda1</code> partition in this directory:<br />
<br />
<pre><br />
# mkdir /mnt/boot/<br />
# mount /dev/vda1 /mnt/boot/<br />
</pre><br />
<br />
Edit the <code>/mnt/etc/default/grub</code> file and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter:<br />
<br />
<pre>cryptroot=/dev/vda2 cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre><br />
# mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre><br />
# (chroot) chroot /mnt<br />
# (chroot) apk add grub grub-efi efibootmgr<br />
# (chroot) grub-install --target=x86_64-efi --efi-directory=/boot<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit<br />
</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Umount <code>/mnt/boot/</code> and <code>/mnt/</code>:<br />
<br />
<pre><br />
# umount /mnt/boot/<br />
# umount /mnt/<br />
</pre><br />
<br />
{{Note|If you mounted further partitions or LVs below <code>/mnt/</code>, you must first unmount all of them before you can unmount <code>/mnt/</code>.}}<br />
<br />
Disable the swap partition:<br />
<br />
<pre># swapoff -a</pre><br />
<br />
Deactivate the VG:<br />
<br />
<pre># vgchange -a n</pre><br />
<br />
Close the <code>lvmcrypt</code> device:<br />
<br />
<pre># cryptsetup luksClose lvmcrypt</pre><br />
<br />
Reboot the system:<br />
<br />
<pre># reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Activate the VGs:<br />
<br />
<pre># vgchange -a y</pre><br />
<br />
[[#Mounting_the_File_Systems|Mount the file systems]]<br />
<br />
Verify that you run the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary.<br />
<br />
[[#Unmounting_the_Volumes_and_Partitions|Unmount the volumes and partitions]]<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]) since by default cryptsetup with luks uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_Networking&diff=16048Configure Networking2019-07-08T19:12:45Z<p>Clandmeter: /* Additional IP addresses */</p>
<hr />
<div>This page will assist you in setting up networking on Alpine Linux.<br />
{{Note|You must be logged in as root in order to perform the actions on this page.}}<br />
<br />
= Setting System Hostname =<br />
To set the system hostname, do something like the following:<br />
{{Cmd|echo "shortname" > /etc/hostname}}<br />
<br />
Then, to activate the change, do the following:<br />
{{Cmd|hostname -F /etc/hostname}}<br />
<br />
If you're using IPv6, you should also add the following special IPv6 addresses to your <code>/etc/hosts</code> file:<br />
<pre>::1 localhost ipv6-localhost ipv6-loopback<br />
fe00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
{{Tip|If you are going to use automatic IP configuration, such as IPv4 DHCP or IPv6 Stateless Autoconfiguration, you can skip ahead to [[#Configuring_DNS|Configuring DNS]]. Otherwise, if you are going to use a static IPv4 or IPv6 address, continue below.}}<br />
<br />
For a static IP configuration, it's common to also add the machine's hostname you just set (above) to the <code>/etc/hosts</code> file.<br />
<br />
Here's an IPv4 example:<br />
<pre>192.168.1.150 shortname.domain.com</pre><br />
<br />
And here's an IPv6 example:<br />
<pre>2001:470:ffff:ff::2 shortname.domain.com</pre><br />
<br />
= Configuring DNS =<br />
{{Tip|'''For users of IPv4 DHCP:''' Please note that <code>/etc/resolv.conf</code> will be completely overwritten with any nameservers provided by DHCP. Also, if DHCP does not provide any nameservers, then <code>/etc/resolv.conf</code> will still be overwritten, but will not contain any nameservers!}}<br />
<br />
For using a static IP and static nameservers, use one of the following examples.<br />
<br />
For IPv4 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://en.wikipedia.org/wiki/Google_Public_DNS Google's Public DNS servers].<br />
nameserver 8.8.8.8<br />
nameserver 8.8.4.4<br />
<br />
For IPv6 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://www.he.net/ Hurricane Electric's] public DNS server.<br />
nameserver 2001:470:20::2<br />
You can also use Hurricane Electric's public DNS server via IPv4:<br />
nameserver 74.82.42.42<br />
<br />
{{Tip|If you decide to use Hurricane Electric's nameserver, be aware that it is 'Google-whitelisted'. What does this mean? It allows you access to many of Google's services via IPv6. (Just don't add other, non-whitelisted, nameservers to <code>/etc/resolv.conf</code> — ironically, such as Google's Public DNS Servers.) Read [http://www.google.com/intl/en/ipv6/ here] for more information.}}<br />
<br />
= Enabling IPv6 (Optional) =<br />
<br />
If you use IPv6, do the following to enable IPv6 for now and at each boot:<br />
{{Cmd|modprobe ipv6<br />
echo "ipv6" >> /etc/modules}}<br />
<br />
= Interface Configuration =<br />
<br />
== Loopback Configuration (Required) ==<br />
{{Note|The loopback configuration must appear first in <code>/etc/network/interfaces</code> to prevent networking issues.}}<br />
To configure loopback, add the following to a new file <code>/etc/network/interfaces</code>:<br />
<pre>auto lo<br />
iface lo inet loopback</pre><br />
<br />
The above works to setup the IPv4 loopback address (127.0.0.1), and the IPv6 loopback address (<code>::1</code>) — if you enabled IPv6.<br />
<br />
== Wireless Configuration ==<br />
<br />
See [[Connecting to a wireless access point]].<br />
<br />
== Ethernet Configuration ==<br />
For the following Ethernet configuration examples, we will assume that you are using Ethernet device <code>eth0</code>.<br />
<br />
=== Initial Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, above any IP configuration for <code>eth0</code>:<br />
<pre>auto eth0</pre><br />
<br />
=== IPv4 DHCP Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet dhcp</pre><br />
By default, the busybox DHCP client (udhcpc) requests a static set of options from the DHCP server. If you need to extend this set, you can do it by setting some additional command line options for the DHCP client, via the <code>udhcpc_opts</code> in your interface configuration. The following example additionally requests <code>domain-search</code> option:<br />
<pre>iface eth0 inet dhcp<br />
udhcpc_opts -O search</pre><br />
For a complete list of command line options for udhcpc, see [https://busybox.net/downloads/BusyBox.html#udhcpc this document].<br />
<br />
=== IPv4 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1</pre><br />
<br />
==== Additional IP addresses ====<br />
<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet static<br />
address 192.168.1.151<br />
netmask 255.255.255.0<br />
</pre><br />
<br />
=== IPv6 Stateless Autoconfiguration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 manual<br />
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
{{Tip|The "inet6 manual" method is available in busybox 1.17.3-r3 and later.}}<br />
<br />
=== IPv6 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
== Example: Dual-Stack Configuration ==<br />
This example shows a dual-stack configuration.<br />
<pre>auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
<br />
iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
= Firewalling with iptables and ip6tables =<br />
<br />
See also: [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]]<br />
<br />
== Install iptables/ip6tables ==<br />
* To install iptables:<br />
: {{Cmd|apk add iptables}}<br />
<br />
* To install ip6tables:<br />
: {{Cmd|apk add ip6tables}}<br />
<br />
* To install the man pages for iptables and ip6tables:<br />
: {{Cmd|apk add iptables-doc}}<br />
<br />
== Configure iptables/ip6tables ==<br />
{{ Tip| Good examples of how to write iptables rules can be found at the Linux Home Networking Wiki http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables }}<br />
<br />
== Save Firewall Rules ==<br />
<br />
=== For iptables ===<br />
# Set iptables to start on reboot<br />
#* {{ Cmd| rc-update add iptables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/iptables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/iptables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
=== For ip6tables ===<br />
# Set ip6tables to start on reboot<br />
#* {{ Cmd| rc-update add ip6tables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/ip6tables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/ip6tables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
= Activating Changes and Testing Connectivity =<br />
Changes made to <code>/etc/network/interfaces</code> can be activated by running:<br />
{{Cmd|/etc/init.d/networking restart}}<br />
If you did not get any errors, you can now test that networking is configured properly by attempting to ping out:<br />
{{Cmd|ping www.google.com}}<br />
<pre>PING www.l.google.com (74.125.47.103) 56(84) bytes of data.<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=1 ttl=48 time=58.5 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=2 ttl=48 time=56.4 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=3 ttl=48 time=57.0 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=4 ttl=48 time=60.2 ms<br />
^C<br />
--- www.l.google.com ping statistics ---<br />
4 packets transmitted, 4 received, 0% packet loss, time 3007ms<br />
rtt min/avg/max/mdev = 56.411/58.069/60.256/1.501 ms</pre><br />
<br />
For an IPv6 traceroute (<code>traceroute6</code>), you will first need to install the <code>iputils</code> package:<br />
{{Cmd|apk add iputils}}<br />
<br />
Then run <code>traceroute6</code>:<br />
{{Cmd|traceroute6 ipv6.google.com}}<br />
<pre>traceroute to ipv6.l.google.com (2001:4860:8009::67) from 2001:470:ffff:ff::2, 30 hops max, 16 byte packets<br />
1 2001:470:ffff:ff::1 (2001:470:ffff:ff::1) 3.49 ms 0.62 ms 0.607 ms<br />
2 * * *<br />
3 * * *<br />
4 pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1) 134.313 ms 95.342 ms 88.425 ms<br />
5 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 100.759 ms 100.537 ms 89.907 ms<br />
6 2001:4860::1:0:5db (2001:4860::1:0:5db) 115.563 ms 102.946 ms 106.191 ms<br />
7 2001:4860::2:0:a7 (2001:4860::2:0:a7) 101.754 ms 100.475 ms 100.512 ms<br />
8 2001:4860:0:1::c3 (2001:4860:0:1::c3) 99.272 ms 111.989 ms 99.835 ms<br />
9 yw-in-x67.1e100.net (2001:4860:8009::67) 101.545 ms 109.675 ms 99.431 ms</pre><br />
<br />
= Additional Utilities =<br />
<br />
== iproute2 ==<br />
<br />
You may wish to install the 'iproute2' package (note that this will also install iptables if not yet installed)<br />
<br />
{{Cmd|apk add iproute2}}<br />
<br />
This provides the 'ss' command which is IMHO a 'better' version of netstat.<br />
<br />
Show listening tcp ports:<br />
{{Cmd|ss -tl}}<br />
<br />
Show listening tcp ports and associated processes:<br />
{{Cmd|ss -ptl}}<br />
<br />
Show listening and established tcp connections:<br />
{{Cmd|ss -ta}}<br />
<br />
Show socket usage summary:<br />
{{Cmd|ss -s}}<br />
<br />
Show more options:<br />
{{Cmd|ss -h}}<br />
<br />
== drill ==<br />
<br />
You may also wish to install 'drill' (it will also install the 'ldns' package) which is a superior (IMHO) replacement for nslookup and dig etc:<br />
<br />
{{Cmd|apk add drill}}<br />
<br />
Then use it as you would for dig:<br />
<br />
{{Cmd|drill alpinelinux.org @8.8.8.8}}<br />
<br />
To perform a reverse lookup (get a name from an IP) use the following syntax:<br />
<br />
{{Cmd|drill -x 8.8.8.8 @208.67.222.222}}<br />
<br />
= Related articles =<br />
<br />
You may also wish to review the following network related articles:<br />
<br />
[[Vlan|VLAN setup]]<br />
<br />
[[Bonding|Bonding setup]]<br />
<br />
[[Bridge|Network bridge setup]]<br />
<br />
[[udhcpc|udhcpc configuration]]<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_Networking&diff=16047Configure Networking2019-07-08T19:11:21Z<p>Clandmeter: /* Additional IP addresses */</p>
<hr />
<div>This page will assist you in setting up networking on Alpine Linux.<br />
{{Note|You must be logged in as root in order to perform the actions on this page.}}<br />
<br />
= Setting System Hostname =<br />
To set the system hostname, do something like the following:<br />
{{Cmd|echo "shortname" > /etc/hostname}}<br />
<br />
Then, to activate the change, do the following:<br />
{{Cmd|hostname -F /etc/hostname}}<br />
<br />
If you're using IPv6, you should also add the following special IPv6 addresses to your <code>/etc/hosts</code> file:<br />
<pre>::1 localhost ipv6-localhost ipv6-loopback<br />
fe00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
{{Tip|If you are going to use automatic IP configuration, such as IPv4 DHCP or IPv6 Stateless Autoconfiguration, you can skip ahead to [[#Configuring_DNS|Configuring DNS]]. Otherwise, if you are going to use a static IPv4 or IPv6 address, continue below.}}<br />
<br />
For a static IP configuration, it's common to also add the machine's hostname you just set (above) to the <code>/etc/hosts</code> file.<br />
<br />
Here's an IPv4 example:<br />
<pre>192.168.1.150 shortname.domain.com</pre><br />
<br />
And here's an IPv6 example:<br />
<pre>2001:470:ffff:ff::2 shortname.domain.com</pre><br />
<br />
= Configuring DNS =<br />
{{Tip|'''For users of IPv4 DHCP:''' Please note that <code>/etc/resolv.conf</code> will be completely overwritten with any nameservers provided by DHCP. Also, if DHCP does not provide any nameservers, then <code>/etc/resolv.conf</code> will still be overwritten, but will not contain any nameservers!}}<br />
<br />
For using a static IP and static nameservers, use one of the following examples.<br />
<br />
For IPv4 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://en.wikipedia.org/wiki/Google_Public_DNS Google's Public DNS servers].<br />
nameserver 8.8.8.8<br />
nameserver 8.8.4.4<br />
<br />
For IPv6 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://www.he.net/ Hurricane Electric's] public DNS server.<br />
nameserver 2001:470:20::2<br />
You can also use Hurricane Electric's public DNS server via IPv4:<br />
nameserver 74.82.42.42<br />
<br />
{{Tip|If you decide to use Hurricane Electric's nameserver, be aware that it is 'Google-whitelisted'. What does this mean? It allows you access to many of Google's services via IPv6. (Just don't add other, non-whitelisted, nameservers to <code>/etc/resolv.conf</code> — ironically, such as Google's Public DNS Servers.) Read [http://www.google.com/intl/en/ipv6/ here] for more information.}}<br />
<br />
= Enabling IPv6 (Optional) =<br />
<br />
If you use IPv6, do the following to enable IPv6 for now and at each boot:<br />
{{Cmd|modprobe ipv6<br />
echo "ipv6" >> /etc/modules}}<br />
<br />
= Interface Configuration =<br />
<br />
== Loopback Configuration (Required) ==<br />
{{Note|The loopback configuration must appear first in <code>/etc/network/interfaces</code> to prevent networking issues.}}<br />
To configure loopback, add the following to a new file <code>/etc/network/interfaces</code>:<br />
<pre>auto lo<br />
iface lo inet loopback</pre><br />
<br />
The above works to setup the IPv4 loopback address (127.0.0.1), and the IPv6 loopback address (<code>::1</code>) — if you enabled IPv6.<br />
<br />
== Wireless Configuration ==<br />
<br />
See [[Connecting to a wireless access point]].<br />
<br />
== Ethernet Configuration ==<br />
For the following Ethernet configuration examples, we will assume that you are using Ethernet device <code>eth0</code>.<br />
<br />
=== Initial Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, above any IP configuration for <code>eth0</code>:<br />
<pre>auto eth0</pre><br />
<br />
=== IPv4 DHCP Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet dhcp</pre><br />
By default, the busybox DHCP client (udhcpc) requests a static set of options from the DHCP server. If you need to extend this set, you can do it by setting some additional command line options for the DHCP client, via the <code>udhcpc_opts</code> in your interface configuration. The following example additionally requests <code>domain-search</code> option:<br />
<pre>iface eth0 inet dhcp<br />
udhcpc_opts -O search</pre><br />
For a complete list of command line options for udhcpc, see [https://busybox.net/downloads/BusyBox.html#udhcpc this document].<br />
<br />
=== IPv4 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1</pre><br />
<br />
==== Additional IP addresses ====<br />
Repeat the above stanza to add an additional IP address to the interface.<br />
<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet static<br />
address 192.168.1.151<br />
netmask 255.255.255.0<br />
</pre><br />
<br />
=== IPv6 Stateless Autoconfiguration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 manual<br />
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
{{Tip|The "inet6 manual" method is available in busybox 1.17.3-r3 and later.}}<br />
<br />
=== IPv6 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
== Example: Dual-Stack Configuration ==<br />
This example shows a dual-stack configuration.<br />
<pre>auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
<br />
iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
= Firewalling with iptables and ip6tables =<br />
<br />
See also: [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]]<br />
<br />
== Install iptables/ip6tables ==<br />
* To install iptables:<br />
: {{Cmd|apk add iptables}}<br />
<br />
* To install ip6tables:<br />
: {{Cmd|apk add ip6tables}}<br />
<br />
* To install the man pages for iptables and ip6tables:<br />
: {{Cmd|apk add iptables-doc}}<br />
<br />
== Configure iptables/ip6tables ==<br />
{{ Tip| Good examples of how to write iptables rules can be found at the Linux Home Networking Wiki http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables }}<br />
<br />
== Save Firewall Rules ==<br />
<br />
=== For iptables ===<br />
# Set iptables to start on reboot<br />
#* {{ Cmd| rc-update add iptables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/iptables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/iptables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
=== For ip6tables ===<br />
# Set ip6tables to start on reboot<br />
#* {{ Cmd| rc-update add ip6tables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/ip6tables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/ip6tables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
= Activating Changes and Testing Connectivity =<br />
Changes made to <code>/etc/network/interfaces</code> can be activated by running:<br />
{{Cmd|/etc/init.d/networking restart}}<br />
If you did not get any errors, you can now test that networking is configured properly by attempting to ping out:<br />
{{Cmd|ping www.google.com}}<br />
<pre>PING www.l.google.com (74.125.47.103) 56(84) bytes of data.<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=1 ttl=48 time=58.5 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=2 ttl=48 time=56.4 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=3 ttl=48 time=57.0 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=4 ttl=48 time=60.2 ms<br />
^C<br />
--- www.l.google.com ping statistics ---<br />
4 packets transmitted, 4 received, 0% packet loss, time 3007ms<br />
rtt min/avg/max/mdev = 56.411/58.069/60.256/1.501 ms</pre><br />
<br />
For an IPv6 traceroute (<code>traceroute6</code>), you will first need to install the <code>iputils</code> package:<br />
{{Cmd|apk add iputils}}<br />
<br />
Then run <code>traceroute6</code>:<br />
{{Cmd|traceroute6 ipv6.google.com}}<br />
<pre>traceroute to ipv6.l.google.com (2001:4860:8009::67) from 2001:470:ffff:ff::2, 30 hops max, 16 byte packets<br />
1 2001:470:ffff:ff::1 (2001:470:ffff:ff::1) 3.49 ms 0.62 ms 0.607 ms<br />
2 * * *<br />
3 * * *<br />
4 pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1) 134.313 ms 95.342 ms 88.425 ms<br />
5 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 100.759 ms 100.537 ms 89.907 ms<br />
6 2001:4860::1:0:5db (2001:4860::1:0:5db) 115.563 ms 102.946 ms 106.191 ms<br />
7 2001:4860::2:0:a7 (2001:4860::2:0:a7) 101.754 ms 100.475 ms 100.512 ms<br />
8 2001:4860:0:1::c3 (2001:4860:0:1::c3) 99.272 ms 111.989 ms 99.835 ms<br />
9 yw-in-x67.1e100.net (2001:4860:8009::67) 101.545 ms 109.675 ms 99.431 ms</pre><br />
<br />
= Additional Utilities =<br />
<br />
== iproute2 ==<br />
<br />
You may wish to install the 'iproute2' package (note that this will also install iptables if not yet installed)<br />
<br />
{{Cmd|apk add iproute2}}<br />
<br />
This provides the 'ss' command which is IMHO a 'better' version of netstat.<br />
<br />
Show listening tcp ports:<br />
{{Cmd|ss -tl}}<br />
<br />
Show listening tcp ports and associated processes:<br />
{{Cmd|ss -ptl}}<br />
<br />
Show listening and established tcp connections:<br />
{{Cmd|ss -ta}}<br />
<br />
Show socket usage summary:<br />
{{Cmd|ss -s}}<br />
<br />
Show more options:<br />
{{Cmd|ss -h}}<br />
<br />
== drill ==<br />
<br />
You may also wish to install 'drill' (it will also install the 'ldns' package) which is a superior (IMHO) replacement for nslookup and dig etc:<br />
<br />
{{Cmd|apk add drill}}<br />
<br />
Then use it as you would for dig:<br />
<br />
{{Cmd|drill alpinelinux.org @8.8.8.8}}<br />
<br />
To perform a reverse lookup (get a name from an IP) use the following syntax:<br />
<br />
{{Cmd|drill -x 8.8.8.8 @208.67.222.222}}<br />
<br />
= Related articles =<br />
<br />
You may also wish to review the following network related articles:<br />
<br />
[[Vlan|VLAN setup]]<br />
<br />
[[Bonding|Bonding setup]]<br />
<br />
[[Bridge|Network bridge setup]]<br />
<br />
[[udhcpc|udhcpc configuration]]<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_Networking&diff=16046Configure Networking2019-07-08T19:10:03Z<p>Clandmeter: /* Additional IP addresses */</p>
<hr />
<div>This page will assist you in setting up networking on Alpine Linux.<br />
{{Note|You must be logged in as root in order to perform the actions on this page.}}<br />
<br />
= Setting System Hostname =<br />
To set the system hostname, do something like the following:<br />
{{Cmd|echo "shortname" > /etc/hostname}}<br />
<br />
Then, to activate the change, do the following:<br />
{{Cmd|hostname -F /etc/hostname}}<br />
<br />
If you're using IPv6, you should also add the following special IPv6 addresses to your <code>/etc/hosts</code> file:<br />
<pre>::1 localhost ipv6-localhost ipv6-loopback<br />
fe00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
{{Tip|If you are going to use automatic IP configuration, such as IPv4 DHCP or IPv6 Stateless Autoconfiguration, you can skip ahead to [[#Configuring_DNS|Configuring DNS]]. Otherwise, if you are going to use a static IPv4 or IPv6 address, continue below.}}<br />
<br />
For a static IP configuration, it's common to also add the machine's hostname you just set (above) to the <code>/etc/hosts</code> file.<br />
<br />
Here's an IPv4 example:<br />
<pre>192.168.1.150 shortname.domain.com</pre><br />
<br />
And here's an IPv6 example:<br />
<pre>2001:470:ffff:ff::2 shortname.domain.com</pre><br />
<br />
= Configuring DNS =<br />
{{Tip|'''For users of IPv4 DHCP:''' Please note that <code>/etc/resolv.conf</code> will be completely overwritten with any nameservers provided by DHCP. Also, if DHCP does not provide any nameservers, then <code>/etc/resolv.conf</code> will still be overwritten, but will not contain any nameservers!}}<br />
<br />
For using a static IP and static nameservers, use one of the following examples.<br />
<br />
For IPv4 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://en.wikipedia.org/wiki/Google_Public_DNS Google's Public DNS servers].<br />
nameserver 8.8.8.8<br />
nameserver 8.8.4.4<br />
<br />
For IPv6 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://www.he.net/ Hurricane Electric's] public DNS server.<br />
nameserver 2001:470:20::2<br />
You can also use Hurricane Electric's public DNS server via IPv4:<br />
nameserver 74.82.42.42<br />
<br />
{{Tip|If you decide to use Hurricane Electric's nameserver, be aware that it is 'Google-whitelisted'. What does this mean? It allows you access to many of Google's services via IPv6. (Just don't add other, non-whitelisted, nameservers to <code>/etc/resolv.conf</code> — ironically, such as Google's Public DNS Servers.) Read [http://www.google.com/intl/en/ipv6/ here] for more information.}}<br />
<br />
= Enabling IPv6 (Optional) =<br />
<br />
If you use IPv6, do the following to enable IPv6 for now and at each boot:<br />
{{Cmd|modprobe ipv6<br />
echo "ipv6" >> /etc/modules}}<br />
<br />
= Interface Configuration =<br />
<br />
== Loopback Configuration (Required) ==<br />
{{Note|The loopback configuration must appear first in <code>/etc/network/interfaces</code> to prevent networking issues.}}<br />
To configure loopback, add the following to a new file <code>/etc/network/interfaces</code>:<br />
<pre>auto lo<br />
iface lo inet loopback</pre><br />
<br />
The above works to setup the IPv4 loopback address (127.0.0.1), and the IPv6 loopback address (<code>::1</code>) — if you enabled IPv6.<br />
<br />
== Wireless Configuration ==<br />
<br />
See [[Connecting to a wireless access point]].<br />
<br />
== Ethernet Configuration ==<br />
For the following Ethernet configuration examples, we will assume that you are using Ethernet device <code>eth0</code>.<br />
<br />
=== Initial Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, above any IP configuration for <code>eth0</code>:<br />
<pre>auto eth0</pre><br />
<br />
=== IPv4 DHCP Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet dhcp</pre><br />
By default, the busybox DHCP client (udhcpc) requests a static set of options from the DHCP server. If you need to extend this set, you can do it by setting some additional command line options for the DHCP client, via the <code>udhcpc_opts</code> in your interface configuration. The following example additionally requests <code>domain-search</code> option:<br />
<pre>iface eth0 inet dhcp<br />
udhcpc_opts -O search</pre><br />
For a complete list of command line options for udhcpc, see [https://busybox.net/downloads/BusyBox.html#udhcpc this document].<br />
<br />
=== IPv4 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1</pre><br />
<br />
==== Additional IP addresses ====<br />
Repeat the above stanza to add an additional IP address to the interface.<br />
<br />
=== IPv6 Stateless Autoconfiguration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 manual<br />
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
{{Tip|The "inet6 manual" method is available in busybox 1.17.3-r3 and later.}}<br />
<br />
=== IPv6 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
== Example: Dual-Stack Configuration ==<br />
This example shows a dual-stack configuration.<br />
<pre>auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
<br />
iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
= Firewalling with iptables and ip6tables =<br />
<br />
See also: [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]]<br />
<br />
== Install iptables/ip6tables ==<br />
* To install iptables:<br />
: {{Cmd|apk add iptables}}<br />
<br />
* To install ip6tables:<br />
: {{Cmd|apk add ip6tables}}<br />
<br />
* To install the man pages for iptables and ip6tables:<br />
: {{Cmd|apk add iptables-doc}}<br />
<br />
== Configure iptables/ip6tables ==<br />
{{ Tip| Good examples of how to write iptables rules can be found at the Linux Home Networking Wiki http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables }}<br />
<br />
== Save Firewall Rules ==<br />
<br />
=== For iptables ===<br />
# Set iptables to start on reboot<br />
#* {{ Cmd| rc-update add iptables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/iptables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/iptables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
=== For ip6tables ===<br />
# Set ip6tables to start on reboot<br />
#* {{ Cmd| rc-update add ip6tables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/ip6tables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/ip6tables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
= Activating Changes and Testing Connectivity =<br />
Changes made to <code>/etc/network/interfaces</code> can be activated by running:<br />
{{Cmd|/etc/init.d/networking restart}}<br />
If you did not get any errors, you can now test that networking is configured properly by attempting to ping out:<br />
{{Cmd|ping www.google.com}}<br />
<pre>PING www.l.google.com (74.125.47.103) 56(84) bytes of data.<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=1 ttl=48 time=58.5 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=2 ttl=48 time=56.4 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=3 ttl=48 time=57.0 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=4 ttl=48 time=60.2 ms<br />
^C<br />
--- www.l.google.com ping statistics ---<br />
4 packets transmitted, 4 received, 0% packet loss, time 3007ms<br />
rtt min/avg/max/mdev = 56.411/58.069/60.256/1.501 ms</pre><br />
<br />
For an IPv6 traceroute (<code>traceroute6</code>), you will first need to install the <code>iputils</code> package:<br />
{{Cmd|apk add iputils}}<br />
<br />
Then run <code>traceroute6</code>:<br />
{{Cmd|traceroute6 ipv6.google.com}}<br />
<pre>traceroute to ipv6.l.google.com (2001:4860:8009::67) from 2001:470:ffff:ff::2, 30 hops max, 16 byte packets<br />
1 2001:470:ffff:ff::1 (2001:470:ffff:ff::1) 3.49 ms 0.62 ms 0.607 ms<br />
2 * * *<br />
3 * * *<br />
4 pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1) 134.313 ms 95.342 ms 88.425 ms<br />
5 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 100.759 ms 100.537 ms 89.907 ms<br />
6 2001:4860::1:0:5db (2001:4860::1:0:5db) 115.563 ms 102.946 ms 106.191 ms<br />
7 2001:4860::2:0:a7 (2001:4860::2:0:a7) 101.754 ms 100.475 ms 100.512 ms<br />
8 2001:4860:0:1::c3 (2001:4860:0:1::c3) 99.272 ms 111.989 ms 99.835 ms<br />
9 yw-in-x67.1e100.net (2001:4860:8009::67) 101.545 ms 109.675 ms 99.431 ms</pre><br />
<br />
= Additional Utilities =<br />
<br />
== iproute2 ==<br />
<br />
You may wish to install the 'iproute2' package (note that this will also install iptables if not yet installed)<br />
<br />
{{Cmd|apk add iproute2}}<br />
<br />
This provides the 'ss' command which is IMHO a 'better' version of netstat.<br />
<br />
Show listening tcp ports:<br />
{{Cmd|ss -tl}}<br />
<br />
Show listening tcp ports and associated processes:<br />
{{Cmd|ss -ptl}}<br />
<br />
Show listening and established tcp connections:<br />
{{Cmd|ss -ta}}<br />
<br />
Show socket usage summary:<br />
{{Cmd|ss -s}}<br />
<br />
Show more options:<br />
{{Cmd|ss -h}}<br />
<br />
== drill ==<br />
<br />
You may also wish to install 'drill' (it will also install the 'ldns' package) which is a superior (IMHO) replacement for nslookup and dig etc:<br />
<br />
{{Cmd|apk add drill}}<br />
<br />
Then use it as you would for dig:<br />
<br />
{{Cmd|drill alpinelinux.org @8.8.8.8}}<br />
<br />
To perform a reverse lookup (get a name from an IP) use the following syntax:<br />
<br />
{{Cmd|drill -x 8.8.8.8 @208.67.222.222}}<br />
<br />
= Related articles =<br />
<br />
You may also wish to review the following network related articles:<br />
<br />
[[Vlan|VLAN setup]]<br />
<br />
[[Bonding|Bonding setup]]<br />
<br />
[[Bridge|Network bridge setup]]<br />
<br />
[[udhcpc|udhcpc configuration]]<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_Networking&diff=16045Configure Networking2019-07-08T19:09:42Z<p>Clandmeter: /* IPv4 Static Address Configuration */</p>
<hr />
<div>This page will assist you in setting up networking on Alpine Linux.<br />
{{Note|You must be logged in as root in order to perform the actions on this page.}}<br />
<br />
= Setting System Hostname =<br />
To set the system hostname, do something like the following:<br />
{{Cmd|echo "shortname" > /etc/hostname}}<br />
<br />
Then, to activate the change, do the following:<br />
{{Cmd|hostname -F /etc/hostname}}<br />
<br />
If you're using IPv6, you should also add the following special IPv6 addresses to your <code>/etc/hosts</code> file:<br />
<pre>::1 localhost ipv6-localhost ipv6-loopback<br />
fe00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
{{Tip|If you are going to use automatic IP configuration, such as IPv4 DHCP or IPv6 Stateless Autoconfiguration, you can skip ahead to [[#Configuring_DNS|Configuring DNS]]. Otherwise, if you are going to use a static IPv4 or IPv6 address, continue below.}}<br />
<br />
For a static IP configuration, it's common to also add the machine's hostname you just set (above) to the <code>/etc/hosts</code> file.<br />
<br />
Here's an IPv4 example:<br />
<pre>192.168.1.150 shortname.domain.com</pre><br />
<br />
And here's an IPv6 example:<br />
<pre>2001:470:ffff:ff::2 shortname.domain.com</pre><br />
<br />
= Configuring DNS =<br />
{{Tip|'''For users of IPv4 DHCP:''' Please note that <code>/etc/resolv.conf</code> will be completely overwritten with any nameservers provided by DHCP. Also, if DHCP does not provide any nameservers, then <code>/etc/resolv.conf</code> will still be overwritten, but will not contain any nameservers!}}<br />
<br />
For using a static IP and static nameservers, use one of the following examples.<br />
<br />
For IPv4 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://en.wikipedia.org/wiki/Google_Public_DNS Google's Public DNS servers].<br />
nameserver 8.8.8.8<br />
nameserver 8.8.4.4<br />
<br />
For IPv6 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://www.he.net/ Hurricane Electric's] public DNS server.<br />
nameserver 2001:470:20::2<br />
You can also use Hurricane Electric's public DNS server via IPv4:<br />
nameserver 74.82.42.42<br />
<br />
{{Tip|If you decide to use Hurricane Electric's nameserver, be aware that it is 'Google-whitelisted'. What does this mean? It allows you access to many of Google's services via IPv6. (Just don't add other, non-whitelisted, nameservers to <code>/etc/resolv.conf</code> — ironically, such as Google's Public DNS Servers.) Read [http://www.google.com/intl/en/ipv6/ here] for more information.}}<br />
<br />
= Enabling IPv6 (Optional) =<br />
<br />
If you use IPv6, do the following to enable IPv6 for now and at each boot:<br />
{{Cmd|modprobe ipv6<br />
echo "ipv6" >> /etc/modules}}<br />
<br />
= Interface Configuration =<br />
<br />
== Loopback Configuration (Required) ==<br />
{{Note|The loopback configuration must appear first in <code>/etc/network/interfaces</code> to prevent networking issues.}}<br />
To configure loopback, add the following to a new file <code>/etc/network/interfaces</code>:<br />
<pre>auto lo<br />
iface lo inet loopback</pre><br />
<br />
The above works to setup the IPv4 loopback address (127.0.0.1), and the IPv6 loopback address (<code>::1</code>) — if you enabled IPv6.<br />
<br />
== Wireless Configuration ==<br />
<br />
See [[Connecting to a wireless access point]].<br />
<br />
== Ethernet Configuration ==<br />
For the following Ethernet configuration examples, we will assume that you are using Ethernet device <code>eth0</code>.<br />
<br />
=== Initial Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, above any IP configuration for <code>eth0</code>:<br />
<pre>auto eth0</pre><br />
<br />
=== IPv4 DHCP Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet dhcp</pre><br />
By default, the busybox DHCP client (udhcpc) requests a static set of options from the DHCP server. If you need to extend this set, you can do it by setting some additional command line options for the DHCP client, via the <code>udhcpc_opts</code> in your interface configuration. The following example additionally requests <code>domain-search</code> option:<br />
<pre>iface eth0 inet dhcp<br />
udhcpc_opts -O search</pre><br />
For a complete list of command line options for udhcpc, see [https://busybox.net/downloads/BusyBox.html#udhcpc this document].<br />
<br />
=== IPv4 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1</pre><br />
<br />
==== Additional IP addresses ====<br />
Repeat this stanza to add an additional IP address to the interface.<br />
<br />
=== IPv6 Stateless Autoconfiguration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 manual<br />
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
{{Tip|The "inet6 manual" method is available in busybox 1.17.3-r3 and later.}}<br />
<br />
=== IPv6 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
== Example: Dual-Stack Configuration ==<br />
This example shows a dual-stack configuration.<br />
<pre>auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
<br />
iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
= Firewalling with iptables and ip6tables =<br />
<br />
See also: [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]]<br />
<br />
== Install iptables/ip6tables ==<br />
* To install iptables:<br />
: {{Cmd|apk add iptables}}<br />
<br />
* To install ip6tables:<br />
: {{Cmd|apk add ip6tables}}<br />
<br />
* To install the man pages for iptables and ip6tables:<br />
: {{Cmd|apk add iptables-doc}}<br />
<br />
== Configure iptables/ip6tables ==<br />
{{ Tip| Good examples of how to write iptables rules can be found at the Linux Home Networking Wiki http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables }}<br />
<br />
== Save Firewall Rules ==<br />
<br />
=== For iptables ===<br />
# Set iptables to start on reboot<br />
#* {{ Cmd| rc-update add iptables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/iptables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/iptables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
=== For ip6tables ===<br />
# Set ip6tables to start on reboot<br />
#* {{ Cmd| rc-update add ip6tables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/ip6tables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/ip6tables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
= Activating Changes and Testing Connectivity =<br />
Changes made to <code>/etc/network/interfaces</code> can be activated by running:<br />
{{Cmd|/etc/init.d/networking restart}}<br />
If you did not get any errors, you can now test that networking is configured properly by attempting to ping out:<br />
{{Cmd|ping www.google.com}}<br />
<pre>PING www.l.google.com (74.125.47.103) 56(84) bytes of data.<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=1 ttl=48 time=58.5 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=2 ttl=48 time=56.4 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=3 ttl=48 time=57.0 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=4 ttl=48 time=60.2 ms<br />
^C<br />
--- www.l.google.com ping statistics ---<br />
4 packets transmitted, 4 received, 0% packet loss, time 3007ms<br />
rtt min/avg/max/mdev = 56.411/58.069/60.256/1.501 ms</pre><br />
<br />
For an IPv6 traceroute (<code>traceroute6</code>), you will first need to install the <code>iputils</code> package:<br />
{{Cmd|apk add iputils}}<br />
<br />
Then run <code>traceroute6</code>:<br />
{{Cmd|traceroute6 ipv6.google.com}}<br />
<pre>traceroute to ipv6.l.google.com (2001:4860:8009::67) from 2001:470:ffff:ff::2, 30 hops max, 16 byte packets<br />
1 2001:470:ffff:ff::1 (2001:470:ffff:ff::1) 3.49 ms 0.62 ms 0.607 ms<br />
2 * * *<br />
3 * * *<br />
4 pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1) 134.313 ms 95.342 ms 88.425 ms<br />
5 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 100.759 ms 100.537 ms 89.907 ms<br />
6 2001:4860::1:0:5db (2001:4860::1:0:5db) 115.563 ms 102.946 ms 106.191 ms<br />
7 2001:4860::2:0:a7 (2001:4860::2:0:a7) 101.754 ms 100.475 ms 100.512 ms<br />
8 2001:4860:0:1::c3 (2001:4860:0:1::c3) 99.272 ms 111.989 ms 99.835 ms<br />
9 yw-in-x67.1e100.net (2001:4860:8009::67) 101.545 ms 109.675 ms 99.431 ms</pre><br />
<br />
= Additional Utilities =<br />
<br />
== iproute2 ==<br />
<br />
You may wish to install the 'iproute2' package (note that this will also install iptables if not yet installed)<br />
<br />
{{Cmd|apk add iproute2}}<br />
<br />
This provides the 'ss' command which is IMHO a 'better' version of netstat.<br />
<br />
Show listening tcp ports:<br />
{{Cmd|ss -tl}}<br />
<br />
Show listening tcp ports and associated processes:<br />
{{Cmd|ss -ptl}}<br />
<br />
Show listening and established tcp connections:<br />
{{Cmd|ss -ta}}<br />
<br />
Show socket usage summary:<br />
{{Cmd|ss -s}}<br />
<br />
Show more options:<br />
{{Cmd|ss -h}}<br />
<br />
== drill ==<br />
<br />
You may also wish to install 'drill' (it will also install the 'ldns' package) which is a superior (IMHO) replacement for nslookup and dig etc:<br />
<br />
{{Cmd|apk add drill}}<br />
<br />
Then use it as you would for dig:<br />
<br />
{{Cmd|drill alpinelinux.org @8.8.8.8}}<br />
<br />
To perform a reverse lookup (get a name from an IP) use the following syntax:<br />
<br />
{{Cmd|drill -x 8.8.8.8 @208.67.222.222}}<br />
<br />
= Related articles =<br />
<br />
You may also wish to review the following network related articles:<br />
<br />
[[Vlan|VLAN setup]]<br />
<br />
[[Bonding|Bonding setup]]<br />
<br />
[[Bridge|Network bridge setup]]<br />
<br />
[[udhcpc|udhcpc configuration]]<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15737Configure a Wireguard interface (wg)2019-03-01T08:06:09Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to [[Alpine_Linux_package_management#Repository_pinning|pin the edge/testing repository in your repositories file]] and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15736Configure a Wireguard interface (wg)2019-03-01T08:05:56Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to [[Alpine_Linux_package_management#Repository_pinning|pinthe edge/testing repository in your repositories file]] and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15735Configure a Wireguard interface (wg)2019-03-01T08:04:06Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to [[Alpine_Linux_package_management#Repository_pinning|pin]] the edge/testing repository in your repositories file and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15703Configure a Wireguard interface (wg)2019-02-04T22:41:22Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to pin the edge/testing repository in your repositories file and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down<br />
<br />
To start the interface and stop it you can execute:<br />
<br />
ifup wg0<br />
ifdown wg0</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15702Configure a Wireguard interface (wg)2019-02-04T22:40:03Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to pin the edge/testing repository in your repositories file and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15701Configure a Wireguard interface (wg)2019-02-04T22:39:34Z<p>Clandmeter: </p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to pin the edge/testing repository in your repositories file and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consult the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].<br />
<br />
After you have finished setting up your wgX interface config you can add it to your /etc/networking/interfaces:<br />
<br />
auto wg0<br />
iface wg0 inet static<br />
address x.x.x.x<br />
netmask 255.255.255.0<br />
pre-up ip link add dev wg0 type wireguard<br />
pre-up wg setconf wg0 /etc/wireguard/wg0.conf<br />
post-up ip route add x.x.x.x/24 dev wg0<br />
post-down ip link delete dev wg0<br />
<br />
This config will do:<br />
<br />
* bring the wireguard interface up<br />
* assign a config to this interface (which you have previously created)<br />
* setup the interface address and netmask<br />
* add the route ones the interface is up<br />
* remove the interface when it goes down</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_a_Wireguard_interface_(wg)&diff=15700Configure a Wireguard interface (wg)2019-02-04T22:33:52Z<p>Clandmeter: Created page with "Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository. To be able to use it you will..."</p>
<hr />
<div>Wireguard is a very promising VPN technology but is currently (Alpine 3.9.0) not stable and thus only available via the edge/testing repository.<br />
To be able to use it you will need to install a kernel from the edge/testing repository including all the out of tree modules you like to use.<br />
This mean when you are running a stable system you will have to pin the edge/testing repository in your repositories file and install it by:<br />
<br />
apk add linux-vanilla (or linux-virt)<br />
apk add wireguard-vanilla (or wireguard-virt)<br />
<br />
The official documents from wireguard will show examples of how to setup an inteface with the use of wg-quick.<br />
In this howto we are not going to use this utility but are going to use the plain wg command and busybox ifupdown.<br />
<br />
apk add wireguard-tools-wg<br />
<br />
Now that you have all the tools installed we can setup the interface.<br />
The setup of your interface config is out of the scope of this document, you should consolt the [https://git.zx2c4.com/WireGuard/about/src/tools/man/wg-quick.8 manual page of wg].</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=15697Tutorials and Howtos2019-02-04T22:20:46Z<p>Clandmeter: /* Networking */</p>
<hr />
<div>[[Image:package_edutainment.svg|right|link=]]<br />
{{TOC left}}<br />
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
<br />
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.<br />
<br />
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.<br />
<br />
We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].<br />
<br />
{{Clear}}<br />
== Storage ==<br />
<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' <!-- Installation and Storage --><br />
** [[Back Up a Flash Memory Installation]] <!-- Installation and Storage --><br />
** [[Manually editing a existing apkovl]]<br />
<br />
* [[Setting up disks manually]] <!-- Installation and Storage --><br />
* [[Setting up a software RAID array]]<br />
<!-- ** [[Setting up a /var partition on software IDE raid1]] Obsolete, Installation and Storage --> <br />
* [[Raid Administration]]<br />
* [[Setting up encrypted volumes with LUKS]]<br />
* [[Setting up LVM on LUKS]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
** [[Setting up LVM on GPT-labeled disks]]<br />
** [[Installing on GPT LVM]]<br />
* [[Filesystems|Formatting HD/Floppy/Other]] <!-- just a stub --><br />
<br />
* [[Setting up iSCSI]]<br />
** [[iSCSI Raid and Clustered File Systems]]<br />
* [[Setting up NBD]]<br />
* [[Setting up ZFS on LUKS]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' <!-- solution --><br />
* [[Linux iSCSI Target (TCM)]]<br />
* [[Disk Replication with DRBD]] <!-- draft --><br />
<br />
* [[Burning ISOs]] <!-- just some links now --><br />
* [[Partitioning and Bootmanagers]]<br />
* [[Migrating data]]<br />
* [[Create a bootable SDHC from a Mac]]<br />
* [[Alpine on ARM]]<br />
<br />
== Networking ==<br />
<br />
* [[Configure Networking]]<br />
* [[Connecting to a wireless access point]]<br />
* [[Bonding]]<br />
* [[Vlan]]<br />
* [[Bridge]]<br />
* [[OpenVSwitch]]<br />
* [[How to configure static routes]]<br />
* [[Configure a Wireguard interface (wg)]]<br />
<br />
* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''<br />
<br />
* [[PXE boot]]<br />
<br />
* [[Using serial modem]]<br />
* [[Using HSDPA modem]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' <!-- Server and Networking --><br />
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''<br />
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''<br />
<!-- [[Using Racoon for Remote Sites]] is a different VPN tunnelling method, but that article is just a stub --><br />
* [[Experiences with OpenVPN-client on ALIX.2D3]] <!-- solution --><br />
<br />
* [[Generating SSL certs with ACF]] <!-- Generating SSL certs with ACF 1.9 --><br />
* [[Setting up unbound DNS server]]<br />
* [[Setting up nsd DNS server]]<br />
* [[TinyDNS Format]]<br />
* [[Fault Tolerant Routing with Alpine Linux]] <!-- solution --><br />
* [[Freeradius Active Directory Integration]]<br />
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''<br />
* [[OwnCloud]] ''(Installing OwnCloud)''<br />
<br />
* [[Seafile: setting up your own private cloud]]<br />
<br />
== Post-Install ==<br />
<!-- If you edit this, please coordinate with Installation#Post-Install and Developer_Documentation#Package_management. Note that these three sections are not exact duplicates. --><br />
<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''<br />
<!-- [[Alpine Linux package management#Local_Cache|How to enable APK caching]] --><br />
** [[Comparison with other distros]]<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''<br />
** [[Back Up a Flash Memory Installation]] <!-- new --><br />
** [[Manually editing a existing apkovl]]<br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
<!-- [[Writing Init Scripts]] --><br />
* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]<br />
* [[Upgrading Alpine]]<br />
<!-- Obsolete<br />
[[Upgrading Alpine - v1.9.x]]<br />
[[Upgrading Alpine - CD v1.8.x]]<br />
[[Upgrading Alpine - HD v1.8.x]]<br />
[[Upgrade to repository main|Upgrading to signed repositories]]<br />
--><br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
* [[Ansible]] ''(Configuration management)''<br />
<br />
* [[Enable Serial Console on Boot]]<br />
<!-- Obsolete?<br />
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]<br />
--><br />
* [[How to get regular stuff working]] ''some notes on need-to-know topics''<br />
* [[Installing Oracle Java]]<br />
* [[Rsnapshot|Setting up periodic backups with <samp>rsnapshot</samp>]]<br />
<br />
== Virtualization==<br />
<br />
* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''<br />
* [[Xen Dom0 on USB or SD]]<br />
* [[Create Alpine Linux PV DomU]]<br />
* [[Xen PCI Passthrough]]<br />
* [[Xen LiveCD]]<br />
* [[qemu]]<br />
* [[KVM]] ''(Setting up Alpine as a KVM hypervisor)''<br />
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''<br />
* [[Docker]]<br />
* [[Install_Alpine_on_VirtualBox]]<br />
<br />
== Desktop Environment ==<br />
<br />
* [[Awesome(wm) Setup]]<br />
* [[EyeOS]] ''(Cloud Computing Desktop)''<br />
* [[Gnome Setup]]<br />
* [[MATE|MATE Setup]]<br />
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')<br />
* [[Remote Desktop Server]]<br />
* [[Suspend on LID close]]<br />
* [[Sway]]<br />
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]<br />
* [[Installing Adobe flash player for Firefox]]<br />
* [[Sound Setup]]<br />
* [[Printer Setup]]<br />
* [[Default applications]]<br />
<br />
== Raspberry Pi ==<br />
<br />
* [[Raspberry Pi|Raspberry Pi (Installation)]]<br />
* [[Classic install or sys mode on Raspberry Pi]]<br />
* [[RPI Video Receiver]] ''(network video decoder using Rasperry Pi and omxplayer)''<br />
* [[Linux Router with VPN on a Raspberry Pi]]<br />
* [[Linux Router with VPN on a Raspberry Pi (IPv6)]]<br />
* [[Raspberry Pi 3 - Configuring it as wireless access point -AP Mode]]<br />
* [[Raspberry Pi 3 - Setting Up Bluetooth]]<br />
<br />
== PowerPC ==<br />
<br />
* [[Ppc64le|Powepc64le (Installation)]]<br />
<br />
== IBM Z (IBM z Systems) ==<br />
<br />
* [[s390x|s390x (Installation)]]<br />
<br />
== Applications ==<br />
<br />
=== Telephony ===<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
** [[Setting up Streaming an Asterisk Channel]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web acces tool)''<br />
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''<br />
<br />
=== Mail ===<br />
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[ISP Mail Server HowTo]] <!-- solution, Mail --><br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
** [[ISP Mail Server 3.x HowTo]]<br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Setting up postfix with virtual domains]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Setting up clamsmtp]]<br />
* [[Setting up dovecot with imap and ssl]]<br />
* [[relay email to gmail (msmtp, mailx, sendmail]]<br />
<br />
=== HTTP ===<br />
* [[Lighttpd]]<br />
** [[Lighttpd Https access]]<br />
** [[Setting Up Lighttpd with PHP]]<br />
** [[Setting Up Lighttpd With FastCGI]]<br />
* [[Cherokee]]<br />
* [[Nginx]]<br />
** [[Nginx_with_PHP#Nginx_with_PHP|Nginx with PHP]]<br />
** [[Nginx as reverse proxy with acme (letsencrypt)]]<br />
* [[Apache]]<br />
** [[Apache with php-fpm]]<br />
** [[Setting Up Apache with PHP]]<br />
** [[Apache authentication: NTLM Single Signon]]<br />
<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' <!-- solution, Server --><br />
<br />
* [[Setting up Transparent Squid Proxy]] <!-- draft --><br />
** [[SqStat]] ''(Script to look at active squid users connections)''<br />
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[Setting up Explicit Squid Proxy]]<br />
<br />
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''<br />
* [[WordPress]] ''(Web software to create website or blog)''<br />
* [[MediaWiki]] ''(Free web-based wiki software application)''<br />
* [[DokuWiki]]<br />
* [[Darkhttpd]]<br />
* [[Tomcat]]<br />
<br />
=== Other Servers ===<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
<br />
* [[Setting up a nfs-server]]<br />
* [[Setting up a samba-server]] ''(standard file sharing)''<br />
* [[Setting up a samba-ad-dc]] ''(Active Directory compatible domain controller)''<br />
* [[Phpizabi]] ''(Social Networking Platform)''<br />
* [[Statusnet]] ''(Microblogging Platform)''<br />
* [[Pastebin]] ''(Pastebin software application)''<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
<br />
* [[Patchwork]] ''(Patch review management system)''<br />
* [[Redmine]] ''(Project management system)''<br />
* [[Request-Tracker]] ''(Ticket system)''<br />
* [[OsTicket]] ''(Ticket system)''<br />
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''<br />
<br />
* [[Cgit]]<br />
** [[Setting up a git repository server with gitolite and cgit]] <!-- doesn't exist yet --><br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Glpi]] ''(Manage inventory of technical resources)''<br />
<br />
* [[How to setup a Alpine Linux mirror]]<br />
* [[Cups]]<br />
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''<br />
* [[How To Setup Your Own IRC Network]] ''(Using {{Pkg|charybdis}} and {{Pkg|atheme-iris}})''<br />
* [[OpenVCP]] ''(VServer Control Panel)''<br />
* [[Mahara]] ''(E-portfolio and social networking system)''<br />
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]<br />
* [[Sending SMS using gnokii]]<br />
* [[IPTV How To|Internet Protocol television (IPTV)]]<br />
* [[UniFi_Controller]]<br />
<br />
=== Monitoring ===<br />
* Setting up [[collectd]]<br />
* [[Traffic monitoring]] <!-- Networking and Monitoring --><br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]] <!-- Monitoring --><br />
* [[Setting up monitoring using rrdtool (and rrdcollect)]]<br />
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''<br />
* [[LTTng]] ''(Kernel and userspace tracing)''<br />
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft, solution, Networking and Monitoring and Server --><br />
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' <!-- Networking and Monitoring --><br />
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' <!-- Networking and Monitoring --><br />
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]<br />
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' <!-- Networking and Monitoring --><br />
* [[Cvechecker]] ''(Compare installed packages for Common Vulnerabilities Exposure)'' <!-- Monitoring and Security --><br />
<br />
* [[IP Accounting]] <!-- Networking and Monitoring --><br />
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[SqStat]] ''(Script to look at active squid users connections)''<br />
<br />
* [[Piwik]] ''(A real time web analytics software program)''<br />
* [[Awstats]] ''(Free log file analyzer)''<br />
* [[Intrusion Detection using Snort]]<br />
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]<br />
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''<br />
<br />
* [[Webmin]] ''(A web-based interface for Linux system)''<br />
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''<br />
* [[PhpMyAdmin]] ''(Web-based administration tool for MYSQL)''<br />
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''<br />
* [[Linfo]]<br />
<br />
* [[Setting up lm_sensors]]<br />
<br />
* [[ZoneMinder video camera security and surveillance]]<br />
<br />
== Misc ==<br />
<br />
* [[:Category:Shell]]<br />
* [[:Category:Programming]]<br />
* [[Running glibc programs]]<br />
* [[:Category:Drivers]]<br />
* [[:Category:Multimedia]]<br />
* [[Kernel Modesetting]]<br />
* [[CPU frequency scaling]]<br />
<br />
== Complete Solutions ==<br />
* [[DIY Fully working Alpine Linux for Allwinner and Other ARM SOCs]]<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]]<br />
* [[Fault Tolerant Routing with Alpine Linux]]<br />
* [[Experiences with OpenVPN-client on ALIX.2D3]]<br />
* [[Building a cloud with Alpine Linux]]<br />
<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+DoveCot+Roundcube+ClamAV+Spamd - A full-serivce ISP mail server)''<br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft --><br />
* [[Streaming Security Camera Video with VLC]]<br />
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]<br />
<br />
<br />
<!--<br />
This does not attempt to be complete. Is it useful to have these listed here? I find them more accessible if grouped with their topics; also, an up-to-date list of all Draft or Obsolete pages can be found at [[Project:Wiki maintenance]].<br />
<br />
== Drafts ==<br />
Currently unfinished/works-in-progress.<br />
* [[Using Racoon for Remote Sites]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)'' [!-- no longer a draft --]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''(Installing and configuring Snort and related applications on Alpine 2.0.x)''<br />
* [[IP Accounting]] ''(Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector)''<br />
* [[Disk Replication with DRBD]]<br />
--></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15695LXC2019-02-01T10:19:18Z<p>Clandmeter: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your cmdline as this will fail to mount cgroups and fail LXC service.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15694LXC2019-02-01T10:17:55Z<p>Clandmeter: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have '''removed''' '''cgroup_enable''' from your cmdline as this will fail to mount cgroups and fail LXC service.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15693LXC2019-02-01T10:16:02Z<p>Clandmeter: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed '''cgroup_enable''' from your cmdline as this will fail to mount cgroups and fail LXC service.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15692LXC2019-02-01T10:02:24Z<p>Clandmeter: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
Make sure you have removed cgroup_enable from your cmdline as this will fail to mount cgroups and fail LXC service.<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15688LXC2019-01-31T10:48:58Z<p>Clandmeter: /* Upgrading from 2.x */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15687LXC2019-01-31T10:48:02Z<p>Clandmeter: </p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Upgrading from 2.x ==<br />
<br />
Since Alpine 3.9 we ship LXC version 3.1.<br />
LXC 3.x has major changes which will/can break your current setup.<br />
LXC 3.x will NOT ship with legacy container templates. Check your current container configs to see if you have any includes pointing to files that don't exist (shipped by legacy templates).<br />
For example if you use Alpine containers created with the alpine template you will need to install:<br />
<br />
apk add lxc-templates-legacy-alpine<br />
<br />
Also make sure you convert your LXC config files to the new 2.x format (this is now required).<br />
<br />
lxc-update-config -c /var/lib/lxc/container-name/config<br />
<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Writing_Init_Scripts&diff=15677Writing Init Scripts2019-01-24T11:40:00Z<p>Clandmeter: Reverted edits by Lchristolo (talk) to last revision by OxR463</p>
<hr />
<div>{{Draft}}<br />
<br />
== Introduction ==<br />
<br />
Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with our system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are taken from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.<br />
<br />
<strong>NOTE</strong>: OpenRC recently added [https://github.com/OpenRC/openrc/blob/master/service-script-guide.md documentation] on how to write proper Init scripts. Make sure you read it!<br />
<br />
If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.<br />
<br />
Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].<br />
<br />
<code>apk add openrc-doc man</code><br />
<br />
<code>man openrc-run</code><br />
<br />
== Minimal Templates ==<br />
<br />
Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:<br />
<br />
<code>#!/sbin/openrc-run</code><br />
<br />
=== Services relying on OpenRC exclusively ===<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
command="/path/to/command"<br />
</pre><br />
<br />
=== Services supervised by [http://www.skarnet.org/software/s6/ s6] ===<br />
<br />
Notes:<br />
<br />
* Install and configure the <code>s6-scan</code> service to start on system boot<br />
* Exclude <code>start()</code>, <code>stop()</code> and <code>status()</code> functions in order for s6 supervision to work reliably. OpenRC has built-in equivalent functions which invoke the necessary s6 commands.<br />
* Include a <code>depend()</code> stanza to ensure that the <code>s6-svscan</code> service is already running.<br />
* Add a <code>start_pre()</code> stanza to symlink the service directory into the scan directory, because the <code>/etc/init.d/bootmisc</code> scripts cleans out the <code>/run</code> directory on system boot.<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name="foo"<br />
supervisor="s6"<br />
s6_service_path="${RC_SVCDIR}/s6-scan/${name}"<br />
<br />
depend() {<br />
need s6-svscan<br />
}<br />
<br />
start_pre() {<br />
if [ ! -L "${RC_SVC_DIR}/s6-scan/${name}" ]; then<br />
ln -s "/path/to/${name}/service/dir" "${RC_SVCDIR}/s6-scan/${name}"<br />
fi<br />
}<br />
</pre><br />
<br />
The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.<br />
<br />
== Basic example ==<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name=$RC_SVCNAME<br />
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"<br />
command="/usr/bin/my_daemon"<br />
command_args="--my-daemon-args"<br />
command_user="my_system_user"<br />
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"<br />
start_stop_daemon_args="--args-for-start-stop-daemon"<br />
command_background="yes"<br />
<br />
depend() {<br />
need net<br />
}<br />
<br />
start_pre() {<br />
checkpath --directory --owner $command_user:$command_user --mode 0775 \<br />
/run/$RC_SVCNAME /var/log/$RC_SVCNAME<br />
}<br />
</pre><br />
<br />
== start, stop, restart functions ==<br />
<br />
OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.<br />
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.<br />
<br />
=== start ===<br />
<br />
<pre><br />
start() {<br />
ebegin "Starting mydaemon"<br />
start-stop-daemon --start \<br />
--exec /usr/sbin/mydaemon \<br />
--pidfile /var/run/mydaemon.pid \<br />
-- \<br />
--args-for-mydaemon<br />
eend $?<br />
}<br />
</pre><br />
<br />
=== stop ===<br />
<br />
=== restart ===<br />
<br />
== Daemon, Forking, Logging ==<br />
<br />
TODO...<br />
<br />
[[Category:Booting]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Configure_Networking&diff=15471Configure Networking2018-09-18T07:20:26Z<p>Clandmeter: /* IPv4 Static Address Configuration */</p>
<hr />
<div>This page will assist you in setting up networking on Alpine Linux.<br />
{{Note|You must be logged in as root in order to perform the actions on this page.}}<br />
<br />
= Setting System Hostname =<br />
To set the system hostname, do something like the following:<br />
{{Cmd|echo "shortname" > /etc/hostname}}<br />
<br />
Then, to activate the change, do the following:<br />
{{Cmd|hostname -F /etc/hostname}}<br />
<br />
If you're using IPv6, you should also add the following special IPv6 addresses to your <code>/etc/hosts</code> file:<br />
<pre>::1 localhost ipv6-localhost ipv6-loopback<br />
fe00::0 ipv6-localnet<br />
ff00::0 ipv6-mcastprefix<br />
ff02::1 ipv6-allnodes<br />
ff02::2 ipv6-allrouters<br />
ff02::3 ipv6-allhosts</pre><br />
<br />
{{Tip|If you are going to use automatic IP configuration, such as IPv4 DHCP or IPv6 Stateless Autoconfiguration, you can skip ahead to [[#Configuring_DNS|Configuring DNS]]. Otherwise, if you are going to use a static IPv4 or IPv6 address, continue below.}}<br />
<br />
For a static IP configuration, it's common to also add the machine's hostname you just set (above) to the <code>/etc/hosts</code> file.<br />
<br />
Here's an IPv4 example:<br />
<pre>192.168.1.150 shortname.domain.com</pre><br />
<br />
And here's an IPv6 example:<br />
<pre>2001:470:ffff:ff::2 shortname.domain.com</pre><br />
<br />
= Configuring DNS =<br />
{{Tip|'''For users of IPv4 DHCP:''' Please note that <code>/etc/resolv.conf</code> will be completely overwritten with any nameservers provided by DHCP. Also, if DHCP does not provide any nameservers, then <code>/etc/resolv.conf</code> will still be overwritten, but will not contain any nameservers!}}<br />
<br />
For using a static IP and static nameservers, use one of the following examples.<br />
<br />
For IPv4 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://en.wikipedia.org/wiki/Google_Public_DNS Google's Public DNS servers].<br />
nameserver 8.8.8.8<br />
nameserver 8.8.4.4<br />
<br />
For IPv6 nameservers, edit your <code>/etc/resolv.conf</code> file to look like this:<br /><br />
The following example uses [http://www.he.net/ Hurricane Electric's] public DNS server.<br />
nameserver 2001:470:20::2<br />
You can also use Hurricane Electric's public DNS server via IPv4:<br />
nameserver 74.82.42.42<br />
<br />
{{Tip|If you decide to use Hurricane Electric's nameserver, be aware that it is 'Google-whitelisted'. What does this mean? It allows you access to many of Google's services via IPv6. (Just don't add other, non-whitelisted, nameservers to <code>/etc/resolv.conf</code> — ironically, such as Google's Public DNS Servers.) Read [http://www.google.com/intl/en/ipv6/ here] for more information.}}<br />
<br />
= Enabling IPv6 (Optional) =<br />
<br />
If you use IPv6, do the following to enable IPv6 for now and at each boot:<br />
{{Cmd|modprobe ipv6<br />
echo "ipv6" >> /etc/modules}}<br />
<br />
= Interface Configuration =<br />
<br />
== Loopback Configuration (Required) ==<br />
{{Note|The loopback configuration must appear first in <code>/etc/network/interfaces</code> to prevent networking issues.}}<br />
To configure loopback, add the following to a new file <code>/etc/network/interfaces</code>:<br />
<pre>auto lo<br />
iface lo inet loopback</pre><br />
<br />
The above works to setup the IPv4 loopback address (127.0.0.1), and the IPv6 loopback address (<code>::1</code>) — if you enabled IPv6.<br />
<br />
== Wireless Configuration ==<br />
<br />
See [[Connecting to a wireless access point]].<br />
<br />
== Ethernet Configuration ==<br />
For the following Ethernet configuration examples, we will assume that you are using Ethernet device <code>eth0</code>.<br />
<br />
=== Initial Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, above any IP configuration for <code>eth0</code>:<br />
<pre>auto eth0</pre><br />
<br />
=== IPv4 DHCP Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet dhcp</pre><br />
By default, the busybox DHCP client (udhcpc) requests a static set of options from the DHCP server. If you need to extend this set, you can do it by setting some additional command line options for the DHCP client, via the <code>udhcpc_opts</code> in your interface configuration. The following example additionally requests <code>domain-search</code> option:<br />
<pre>iface eth0 inet dhcp<br />
udhcpc_opts -O search</pre><br />
For a complete list of command line options for udhcpc, see [https://busybox.net/downloads/BusyBox.html#udhcpc this document].<br />
<br />
=== IPv4 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1</pre><br />
<br />
Repeat this stanza to add an additional IP address to the interface.<br />
<br />
=== IPv6 Stateless Autoconfiguration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 manual<br />
pre-up echo 1 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
{{Tip|The "inet6 manual" method is available in busybox 1.17.3-r3 and later.}}<br />
<br />
=== IPv6 Static Address Configuration ===<br />
Add the following to the file <code>/etc/network/interfaces</code>, below the <code>auto eth0</code> definition:<br />
<pre>iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
== Example: Dual-Stack Configuration ==<br />
This example shows a dual-stack configuration.<br />
<pre>auto lo<br />
iface lo inet loopback<br />
<br />
auto eth0<br />
<br />
iface eth0 inet static<br />
address 192.168.1.150<br />
netmask 255.255.255.0<br />
gateway 192.168.1.1<br />
<br />
iface eth0 inet6 static<br />
address 2001:470:ffff:ff::2<br />
netmask 64<br />
gateway 2001:470:ffff:ff::1<br />
pre-up echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_ra</pre><br />
<br />
= Firewalling with iptables and ip6tables =<br />
<br />
See also: [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]]<br />
<br />
== Install iptables/ip6tables ==<br />
* To install iptables:<br />
: {{Cmd|apk add iptables}}<br />
<br />
* To install ip6tables:<br />
: {{Cmd|apk add ip6tables}}<br />
<br />
* To install the man pages for iptables and ip6tables:<br />
: {{Cmd|apk add iptables-doc}}<br />
<br />
== Configure iptables/ip6tables ==<br />
{{ Tip| Good examples of how to write iptables rules can be found at the Linux Home Networking Wiki http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables }}<br />
<br />
== Save Firewall Rules ==<br />
<br />
=== For iptables ===<br />
# Set iptables to start on reboot<br />
#* {{ Cmd| rc-update add iptables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/iptables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/iptables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
=== For ip6tables ===<br />
# Set ip6tables to start on reboot<br />
#* {{ Cmd| rc-update add ip6tables }}<br />
# Write the firewall rules to disk<br />
#* {{ Cmd| /etc/init.d/ip6tables save}}<br />
# If you use Alpine Local Backup:<br />
<!-- Not needed on Alpine > 2.3<br />
## Add the firewall rules to Alpine Local Backup<br />
##* {{ Cmd| lbu add /var/lib/ip6tables/rules-save }}<br />
--><br />
## Save the configuration<br />
##* {{ Cmd| lbu ci }}<br />
<br />
= Activating Changes and Testing Connectivity =<br />
Changes made to <code>/etc/network/interfaces</code> can be activated by running:<br />
{{Cmd|/etc/init.d/networking restart}}<br />
If you did not get any errors, you can now test that networking is configured properly by attempting to ping out:<br />
{{Cmd|ping www.google.com}}<br />
<pre>PING www.l.google.com (74.125.47.103) 56(84) bytes of data.<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=1 ttl=48 time=58.5 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=2 ttl=48 time=56.4 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=3 ttl=48 time=57.0 ms<br />
64 bytes from yw-in-f103.1e100.net (74.125.47.103): icmp_seq=4 ttl=48 time=60.2 ms<br />
^C<br />
--- www.l.google.com ping statistics ---<br />
4 packets transmitted, 4 received, 0% packet loss, time 3007ms<br />
rtt min/avg/max/mdev = 56.411/58.069/60.256/1.501 ms</pre><br />
<br />
For an IPv6 traceroute (<code>traceroute6</code>), you will first need to install the <code>iputils</code> package:<br />
{{Cmd|apk add iputils}}<br />
<br />
Then run <code>traceroute6</code>:<br />
{{Cmd|traceroute6 ipv6.google.com}}<br />
<pre>traceroute to ipv6.l.google.com (2001:4860:8009::67) from 2001:470:ffff:ff::2, 30 hops max, 16 byte packets<br />
1 2001:470:ffff:ff::1 (2001:470:ffff:ff::1) 3.49 ms 0.62 ms 0.607 ms<br />
2 * * *<br />
3 * * *<br />
4 pr61.iad07.net.google.com (2001:504:0:2:0:1:5169:1) 134.313 ms 95.342 ms 88.425 ms<br />
5 2001:4860::1:0:9ff (2001:4860::1:0:9ff) 100.759 ms 100.537 ms 89.907 ms<br />
6 2001:4860::1:0:5db (2001:4860::1:0:5db) 115.563 ms 102.946 ms 106.191 ms<br />
7 2001:4860::2:0:a7 (2001:4860::2:0:a7) 101.754 ms 100.475 ms 100.512 ms<br />
8 2001:4860:0:1::c3 (2001:4860:0:1::c3) 99.272 ms 111.989 ms 99.835 ms<br />
9 yw-in-x67.1e100.net (2001:4860:8009::67) 101.545 ms 109.675 ms 99.431 ms</pre><br />
<br />
= Additional Utilities =<br />
<br />
== iproute2 ==<br />
<br />
You may wish to install the 'iproute2' package (note that this will also install iptables if not yet installed)<br />
<br />
{{Cmd|apk add iproute2}}<br />
<br />
This provides the 'ss' command which is IMHO a 'better' version of netstat.<br />
<br />
Show listening tcp ports:<br />
{{Cmd|ss -tl}}<br />
<br />
Show listening tcp ports and associated processes:<br />
{{Cmd|ss -ptl}}<br />
<br />
Show listening and established tcp connections:<br />
{{Cmd|ss -ta}}<br />
<br />
Show socket usage summary:<br />
{{Cmd|ss -s}}<br />
<br />
Show more options:<br />
{{Cmd|ss -h}}<br />
<br />
== drill ==<br />
<br />
You may also wish to install 'drill' (it will also install the 'ldns' package) which is a superior (IMHO) replacement for nslookup and dig etc:<br />
<br />
{{Cmd|apk add drill}}<br />
<br />
Then use it as you would for dig:<br />
<br />
{{Cmd|drill alpinelinux.org @8.8.8.8}}<br />
<br />
To perform a reverse lookup (get a name from an IP) use the following syntax:<br />
<br />
{{Cmd|drill -x 8.8.8.8 @208.67.222.222}}<br />
<br />
= Related articles =<br />
<br />
You may also wish to review the following network related articles:<br />
<br />
[[Vlan|VLAN setup]]<br />
<br />
[[Bonding|Bonding setup]]<br />
<br />
[[Bridge|Network bridge setup]]<br />
<br />
[[udhcpc|udhcpc configuration]]<br />
<br />
<br />
[[Category:Networking]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15469LXC2018-09-14T09:35:13Z<p>Clandmeter: /* Grsecurity restrictions */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
'''NOTE''': since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15468LXC2018-09-14T09:34:42Z<p>Clandmeter: /* Grsecurity restrictions */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
**NOTE**: since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15467LXC2018-09-14T09:34:24Z<p>Clandmeter: /* Grsecurity restrictions */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
***NOTE***: since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=15466LXC2018-09-14T09:34:05Z<p>Clandmeter: /* Grsecurity restrictions */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
NOTE: since alpine 3.8 we no longer ship grsecurity and it should not be used in lxc setup.<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_software_RAID_array&diff=15279Setting up a software RAID array2018-06-21T13:54:15Z<p>Clandmeter: /* Creating the partitions */</p>
<hr />
<div>[[Category:Storage]]<br />
<br />
There are various forms of RAID: via a hardware RAID controller, via "fake RAID", and "software RAID" using <code>mdadm</code>, which is Linux-only. These instructions only discuss the last form of RAID. Also, it only discusses how to setup a RAID array for arbitrary storage. It is possible to have one's system root {{Path|/}}, or {{Path|/var}}, or swap, or even one's {{Path|/boot}}, on a RAID array. See [[Setting up disks manually]] for more details about doing any of that.<br />
<br />
== RAID Levels ==<br />
<br />
There are several "levels" of RAID to choose between:<br />
<br />
* RAID0 essentially just glues two devices together, making a larger virtual drive. Reads and writes are "striped" between the drives for speed improvements. (That is, your hardware may read from, or write different data to, multiple devices in parallel.) A "device" here is usually a partition of a hard drive.<br />
* RAID1 "mirrors" writes to two devices, for improved safety. Then if one of the devices fails, the data will still be available on the other.<br />
* RAID5 is similar to RAID1, but it uses three devices and provides the space of two of them. The data will be preserved as long as any two of the three devices continue to work.<br />
<br />
There are other RAID levels as well. [http://www.acnc.com/raidedu/0 Here is more explanation of their differences.]<br />
<br />
== Advice ==<br />
<br />
* Your {{Path|/boot}} partition should either not be on RAID, or else be on a RAID1 array, with no further layers of encryption or LVM. (Alpine's default bootloader extlinux can't handle either. Grub2 can handle {{Path|/boot}} being on LVM.) The usual practice is to create a small (32--100 MB) partition for {{Path|/boot}}. That can be a mirrored (RAID1) volume, however this is just for post-init access. That way, when you write a new kernel or bootloader config file to {{Path|/boot}}, it gets written to multiple physical partitions. During the pre-init, bootloader phase, only one of those partitions will be used (and it will be mounted read-only).<br />
* You can put swap on a RAID0 volume, but there doesn't seem to be any good reason to do so. The Linux kernel already knows how to stripe several swap partitions. So you can just devote multiple ordinary (not-residing-on-RAID) partitions to swap, and get the same effect. The downside from doing either of these things is that when one of your disk fails, the system will go down. For better reliability, you can create a mirrored (RAID1) volume and put swap there. This will let your system keep running even when one of the disks fails.<br />
* All partitions in a RAID array should be the same size.<br />
* Don't ever mount just one of the devices in a RAID1 array, even though it "has the same data" as the other. If you mount it r/w, then---even if you don't explicitly write anything to the device---it may get out of sync with the unmounted device, for example because the journal on its filesystem has been updated. If you ever subsequently mount the other device, or the two of them together, your data will likely become corrupted. If you have to do this, make sure you mount your device r/o. Better yet, abandon the device you didn't mount. '''Zero out its RAID headers''', and tell <code>mdadm</code> that that device has failed. Then you can if you like treat it as a new disk, which you can add as a replacement to your (now degraded) original RAID array.<br />
* A mirrored RAID array (level 1 or 5) protects you against hardware failure. It doesn't protect against <code>rm -rf /</code>, software errors, exploits, earthquakes, fire. Don't rely on RAID as a backup strategy.<br />
* Running a mirrored RAID only provides one line of defense against drive failures. It doesn't license you to stop thinking about them. If a device in a RAID 1 starts failing and you aren't aware of it, your data will end up just as silently corrupted as it would be if you were running one drive. You have to watch your logs.<br />
<br />
This document was updated for Alpine 2.4.6.<br />
<br />
== Loading needed modules ==<br />
Start with loading the raid1 kernel module:<br />
<br />
{{Cmd|modprobe raid1}}<br />
<br />
Add it to {{Path|/etc/modules}} so it gets loaded during next reboot:<br />
<br />
{{Cmd|echo raid1 >> /etc/modules}}<br />
<br />
== Creating the partitions ==<br />
<br />
Please read up on [https://raid.wiki.kernel.org/index.php/Partition_Types partition types], and why you should consider using 0xda instead of 0xfd.<br />
<br />
I will use {{Path|/dev/sda}} and {{Path|/dev/sdb}} in this document but your devices may be different. To find what disks you have available, look in {{Path|/proc/partitions}}.<br />
<br />
Create the partitions using fdisk.<br />
<br />
{{Cmd|fdisk /dev/sda}}<br />
<br />
I will create one single partition of type Linux raid autodetect. Use '''n''' in fdisk to create the partition and '''t''' to set type. Logical volumes will be created later. My partition table looks like this ('p' to print partition table):<br />
<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 1 17753 8388261 fd Linux raid autodetect<br />
<br />
Use '''w''' to '''w'''rite and quit.<br />
Do the same with your second disk.<br />
<br />
{{Cmd|fdisk /dev/sdb}}<br />
<br />
Mine looks like this:<br />
Device Boot Start End Blocks Id System<br />
/dev/sdb1 1 17753 8388261 fd Linux raid autodetect<br />
<br />
Alternately, if your disks are the same size (as they should be, see [[#Advice|above]]) you can copy the partition table from one to the other like this:<br />
<br />
{{Cmd|1=apk add sfdisk<br />
sfdisk -d /dev/sda {{!}} sfdisk /dev/sdb}}<br />
<br />
== Setting up the RAID array ==<br />
Install mdadm to set up the arrays.<br />
<br />
{{Cmd|apk add mdadm}}<br />
<br />
Create the array.<br />
<br />
{{Cmd|1=mdadm --create --level=1 --raid-devices=2 /dev/md0 /dev/sda1 /dev/sdb1}}<br />
<br />
<br />
== Monitoring sync status ==<br />
You should now be able to see the array syncronize by looking at the contents of {{Path|/proc/mdstat}}.<br />
<br />
~ # cat /proc/mdstat <br />
Personalities : [raid1] <br />
md0 : active raid1 sdb1[1] sda1[0]<br />
8388160 blocks [2/2] [UU]<br />
[=========>...........] resync = 45.3% (3800064/8388160) finish=0.3min speed=200003K/sec<br />
<br />
unused devices: <none><br />
<br />
You don't need to wait til it is fully syncronized to continue.<br />
<br />
== Saving config ==<br />
Create the /etc/mdadm.conf file so mdadm knows how your raid setup is:<br />
<br />
{{Cmd|mdadm --detail --scan > /etc/mdadm.conf}}<br />
<br />
To make sure the raid devices start during the next reboot run:<br />
{{Cmd|rc-update add mdadm-raid}}<br />
<br />
If you're not running Alpine from a hard disk install, use {{Cmd|lbu commit}} as usual to save your configuration changes to your removable media.<br />
<br />
The raid device {{Path|/dev/md0}} is now ready to be used with [[Setting up Logical Volumes with LVM|LVM]] or mkfs.<br />
<br />
== Adding a RAID after the installation ==<br />
To add a softRAID on an already installed Alpine, you have to start with these 3 steps : <br />
<br />
3. [[Setting_up_a_software_RAID_array#Loading_needed_modules|Loading needed modules]]<br />
<br />
4. [[Setting_up_a_software_RAID_array#Creating_the_partitions|Creating the partitions]]<br />
<br />
5. [[Setting_up_a_software_RAID_array#Setting_up_the_RAID_array|Setting up the RAID array]]<br />
<br />
Then you have to update your initfs with the command mkinitfs.<br />
<br />
1. Be sure {{Path|/etc/mkinitfs/mkinitfs.conf}} contain '''raid''' which should looks like this :<br />
<br />
<code>features="ata base ide scsi usb virtio ext4 lvm raid"</code><br />
<br />
2. Update the initfs by this command<br />
<br />
{{Cmd|mkinitfs -c /etc/mkinitfs/mkinitfs.conf -b /}}<br />
<br />
== More Info on RAID ==<br />
These resources may be helpful:<br />
<br />
* [https://wiki.archlinux.org/index.php/RAID Arch wiki page on RAID]<br />
* [https://wiki.archlinux.org/index.php/Software_RAID_and_LVM Arch wiki page on RAID and LVM]<br />
* [https://wiki.archlinux.org/index.php/Convert_a_single_drive_system_to_RAID Arch wiki page on Converting an existing system to RAID] [http://en.gentoo-wiki.com/wiki/Migrate_to_RAID Gentoo wiki page on the same]<br />
* http://en.gentoo-wiki.com/wiki/RAID/Software<br />
* http://en.gentoo-wiki.com/wiki/Software_RAID_Install<br />
* http://www.gentoo.org/doc/en/gentoo-x86-tipsntricks.xml#software-raid<br />
* http://www.gentoo.org/doc/en/gentoo-x86+raid+lvm2-quickinstall.xml<br />
<br />
* http://yannickloth.be/blog/2010/08/01/installing-archlinux-with-software-raid1-encrypted-filesystem-and-lvm2/<br />
* http://anonscm.debian.org/gitweb/?p=pkg-mdadm/mdadm.git;a=blob_plain;f=debian/FAQ;hb=HEAD Debian MDADM FAQ<br />
* http://tldp.org/FAQ/Linux-RAID-FAQ/x37.html Linux RAID FAQ<br />
* https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-raid.html<br />
* http://linux-101.org/howto/arch-linux-software-raid-installation-guide<br />
* https://raid.wiki.kernel.org/index.php/Linux_Raid</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=LXC&diff=14804LXC2018-03-08T10:37:47Z<p>Clandmeter: /* Prepare network on host */</p>
<hr />
<div>[https://linuxcontainers.org/ Linux Containers (LXC)] provides containers similar BSD Jails, Linux VServer and Solaris Zones. It gives the impression of virtualization, but shares the kernel and resources with the "host".<br />
<br />
== Installation ==<br />
Install the required packages:<br />
{{Cmd|apk add lxc bridge}}<br />
<br />
If you want to create containers other than alpine you will need lxc-templates:<br />
<br />
{{Cmd|apk add lxc-templates}}<br />
<br />
== Prepare network on host ==<br />
Set up a [[bridge]] on the host. Example ''/etc/network/interfaces'':<br />
<pre><br />
auto br0<br />
iface br0 inet dhcp<br />
bridge-ports eth0<br />
</pre><br />
<br />
Create a network configuration template for the guests, ''/etc/lxc/default.conf'':<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.link = br0<br />
lxc.network.flags = up<br />
lxc.network.hwaddr = fe:xx:xx:xx:xx:xx<br />
</pre><br />
<br />
== Grsecurity restrictions ==<br />
<br />
Some restrictions will be applied when using a grsecurity kernel (Alpine Linux default kernel).<br />
The most notable is the use of lxc-attach which will not be allowed because of GRKERNSEC_CHROOT_CAPS.<br />
To solve this we will have to disable this grsec restriction by creating a sysctl profile for lxc.<br />
Create the following file ''/etc/sysctl.d/10-lxc.conf'' and add:<br />
<pre><br />
kernel.grsecurity.chroot_caps = 0<br />
</pre><br />
<br />
There are a few other restrictions that can prevent proper container functionality. <br />
When things do not work as expected always check the kernel log with dmesg to see if grsec prevented things from happening.<br />
<br />
Other possible restrictions are:<br />
<br />
<pre><br />
kernel.grsecurity.chroot_deny_chroot = 0<br />
kernel.grsecurity.chroot_deny_mount = 0<br />
kernel.grsecurity.chroot_deny_mknod = 0<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
</pre><br />
<br />
When you finished creating your new sysctl profile you can apply it by restarting sysctl service<br />
<br />
<pre><br />
rc-service sysctl restart<br />
</pre><br />
<br />
NOTE: Always consult the [https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options Grsecurity documentation] before applying these settings.<br />
<br />
== Create a guest ==<br />
<br />
=== Alpine Template ===<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine}}<br />
<br />
This will create a ''/var/lib/lxc/guest1'' directory with a ''config'' file and a ''rootfs'' directory.<br />
<br />
Note that by default alpine template '''does not have networking service on''', you will need to add it using lxc-console<br />
<br />
<br />
If running on x86_64 architecture, it is possible to create a 32bit guest:<br />
<br />
{{Cmd|lxc-create -n guest1 -f /etc/lxc/lxc.conf -t alpine -- --arch x86}}<br />
<br />
=== Debian template ===<br />
<br />
In order to create a debian template container you will need to install some packages:<br />
<br />
{{Cmd|apk add debootstrap rsync}}<br />
<br />
Also you will need to turn off some grsecurity chroot options otherwise the debootstrap will fail:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run:<br />
{{Cmd|SUITE{{=}}wheezy lxc-create -n guest1 -f /etc/lxc/lxc.conf -t debian}}<br />
<br />
=== Ubuntu template ===<br />
<br />
In order to create an ubuntu template container you will need to turn off some grsecurity chroot options:<br />
<br />
{{Cmd|echo 0 > /proc/sys/kernel/grsecurity/chroot_caps<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chroot<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mknod<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_chmod<br />
}}<br />
<br />
Please remember to turn them back on, or just simply reboot the system.<br />
<br />
Now you can run (replace %MIRROR% with the actual hostname, for example: http://us.archive.ubuntu.com/ubuntu/)<br />
<br />
<br />
lxc-create -n guest2 -f /etc/lxc/default.conf -t ubuntu -- -r xenial -a amd64 -u user --password secretpassword --mirror $MIRROR<br />
<br />
=== Unprivileged LXC images (Debian / Ubuntu / Centos etc..) ===<br />
<br />
{{Cmd|apk add gnupg xz<br />
lxc-create -n container-name -t download}}<br />
& choose the Distribution | Release | Architecture.<br />
<br />
To be able to login to a Debian container you currently need to:<br />
{{Cmd|rm /lib/systemd/system/container-getty\@.service}}<br />
<br />
You can also [http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_a_Debian_jessie/sid_installationers remove Systemd from the container].<br />
<br />
== Starting/Stopping the guest ==<br />
Create a symlink to the ''/etc/init.d/lxc'' script for your guest.<br />
{{Cmd|ln -s lxc /etc/init.d/lxc.guest1}}<br />
<br />
You can start your guest with:<br />
{{Cmd|/etc/init.d/lxc.guest1 start}}<br />
<br />
Stop it with:<br />
{{Cmd|/etc/init.d/lxc.guest1 stop}}<br />
<br />
Make it autostart on boot up with:<br />
{{Cmd| rc-update add lxc.guest1}}<br />
<br />
You can also add to the container config: <code>lxc.start.auto = 1</code><br />
<br />
& {{Cmd|rc-update add lxc}}<br />
<br />
to autostart containers by the lxc service only.<br />
<br />
== Connecting to the guest ==<br />
By default sshd is not installed, so you will have to attach to the container or connect to the virtual console. This is done with:<br />
<br />
=== Attach to container ===<br />
<br />
{{Cmd|lxc-attach -n guest1}}<br />
<br />
Just type exit to detach the container again (please do check the grsec notes above)<br />
<br />
=== Connect to virtual console ===<br />
<br />
{{Cmd|lxc-console -n guest1}}<br />
<br />
To disconnect from it, press {{key|Ctrl}}+{{key|a}} {{key|q}}<br />
<br />
== Deleting a guest ==<br />
Make sure the guest is stopped and run:<br />
{{Cmd|lxc-destroy -n guest1}}<br />
This will erase everything, without asking any questions. It is equivalent to: {{Cmd|rm -r /var/lib/lxc/guest1}}<br />
<br />
== Advanced ==<br />
<br />
=== Creating a LXC container without modifying your network interfaces ===<br />
<br />
The problem with bridging is that the interface you bridge gets replaced with your new bridge interface.<br />
That is to say that say you have an interface eth0 that you want to bridge, your eth0 interface gets replaced with the br0 interface that you create. It also means that the interface you use needs to be placed into promiscuous mode to catch all the traffic that could de destined to the other side of the bridge, which again may not be what you want.<br />
<br />
The solution is to create a dummy network interface, bridge that, and set up NAT so that traffic out of your bridge interface gets pushed through the interface of your choice.<br />
<br />
So, first, lets create that dummy interface (thanks to ncopa for talking me out of macvlan and pointing out the dummy interface kernel module)<br />
<br />
{{Cmd|modprobe dummy}}<br />
<br />
This will create a dummy interface called dummy0 on your host.<br />
<br />
Now we will create a bridge called br0<br />
<br />
{{Cmd |brctl addbr br0<br />
brctl setfd br0 0 }}<br />
<br />
and then make that dummy interface one end of the bridge<br />
<br />
{{Cmd | brctl addif br0 dummy0 }}<br />
<br />
Next, let's give that bridged interface a reason to exists<br />
<br />
{{ Cmd | ifconfig br0 192.168.1.1 netmask 255.255.255.0 up}}<br />
<br />
Create a file for your container, let's say /etc/lxc/bridgenat.conf, with the following settings.<br />
<br />
<pre><br />
lxc.network.type = veth<br />
lxc.network.flags = up<br />
lxc.network.link = br0<br />
lxc.network.name = eth1<br />
lxc.network.ipv4 = 192.168.1.2/24<br />
</pre><br />
<br />
and build your container with that file<br />
<br />
{{ Cmd | lxc-create -n alpine -f /etc/lxc/bridgenat.conf -t alpine }}<br />
<br />
You should now be able to ping your container from your hosts, and your host from your container.<br />
<br />
Your container needs to know where to push traffic that isn't within it's subnet. To do so, we tell the container to route through the bridge interface br0<br />
From inside the container run<br />
<br />
{{ Cmd | route add default gw 192.168.1.1 }}<br />
<br />
The next step is you push the traffic coming from your private subnet over br0 out through your internet facing interface, or any interface you chose<br />
<br />
We are messing with your IP tables here, so make sure these settings don't conflict with anything you may have already set up, obviously.<br />
<br />
Say eth0 was your internet facing network interface, and br0 is the name of the bridge you made earlier, we'd do this:<br />
<br />
{{ Cmd | echo 1 > /proc/sys/net/ipv4/ip_forward<br />
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE<br />
iptables --append FORWARD --in-interface br0 -j ACCEPT<br />
}}<br />
<br />
Now you should be able to route through your bridge interface to the internet facing interface of your host from your container, just like at home!<br />
<br />
You could also have a dhcp server running on your host, and set it up to give IP addresses from your private subnet to any container that requests it, and then have one template for multiple alpine LXC containers, perfect for alpine development :)<br />
<br />
=== Using static IP ===<br />
<br />
If you're using static IP, you need to configure this properly on guest's /etc/network/interfaces. To stay on the above example, modify ''/var/lib/lxc/guest1/rootfs/etc/network/interfaces'' <br />
<br />
from<br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''dhcp'''<br />
<br />
to <br />
<br />
#auto lo<br />
iface lo inet loopback<br />
auto eth0<br />
iface eth0 inet '''static'''<br />
address <lxc-container-ip> # IP which the lxc container should use<br />
gateway <gateway-ip> # IP of gateway to use, mostly same as on lxc-host<br />
netmask <netmask><br />
<br />
=== mem and swap ===<br />
<br />
{{Cmd|vim /boot/extlinux.conf}}<br />
<br />
{{Cmd|<br />
APPEND initrd{{=}}initramfs-3.10.13-1-grsec root{{=}}UUID{{=}}7cd8789f-5659-40f8-9548-ae8f89c918ab modules{{=}}sd-mod,usb-storage,ext4 quiet cgroup_enable{{=}}memory swapaccount{{=}}1<br />
}}<br />
<br />
=== checkconfig ===<br />
{{Cmd|lxc-checkconfig}}<br />
<br />
{{Cmd|<br />
Kernel configuration not found at /proc/config.gz; searching...<br />
Kernel configuration found at /boot/config-3.10.13-1-grsec<br />
--- Namespaces ---<br />
Namespaces: enabled<br />
Utsname namespace: enabled<br />
Ipc namespace: enabled<br />
Pid namespace: enabled<br />
User namespace: missing<br />
Network namespace: enabled<br />
Multiple /dev/pts instances: enabled<br />
<br />
--- Control groups ---<br />
Cgroup: enabled<br />
Cgroup clone_children flag: enabled<br />
Cgroup device: enabled<br />
Cgroup sched: enabled<br />
Cgroup cpu account: enabled<br />
Cgroup memory controller: missing<br />
Cgroup cpuset: enabled<br />
<br />
--- Misc ---<br />
Veth pair device: enabled<br />
Macvlan: enabled<br />
Vlan: enabled<br />
File capabilities: enabled<br />
<br />
Note : Before booting a new kernel, you can check its configuration<br />
usage : CONFIG{{=}}/path/to/config /usr/bin/lxc-checkconfig<br />
<br />
}}<br />
<br />
=== VirtualBox ===<br />
<br />
In order for network to work on containers you need to set "Promiscuous Mode" to "Allow All" in VirtualBox settings for the network adapter.<br />
<br />
[[File:VirtualBoxNetworkAdapter.jpg]]<br />
<br />
[[Category:Virtualization]]<br />
<br />
=== postgreSQL ===<br />
<br />
Inside the container run: {{Cmd|chmod go+w /dev/null}} to fix {{Cmd|rc-service postgresql start}}<br />
<br />
=== openVPN ===<br />
<br />
see [[Setting_up_a_OpenVPN_server#openVPN_and_LXC]]<br />
<br />
== LXC 1.0 Additional information ==<br />
<br />
Some info regarding new features in LXC 1.0<br />
<br />
https://www.stgraber.org/2013/12/20/lxc-1-0-blog-post-series/<br />
<br />
== See also ==<br />
* [[Howto-lxc-simple]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Writing_Init_Scripts&diff=14620Writing Init Scripts2018-02-20T18:25:17Z<p>Clandmeter: /* Introduction */</p>
<hr />
<div>{{Draft}}<br />
<br />
== Introduction ==<br />
<br />
Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with out system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are takes from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.<br />
<br />
<strong>NOTE</strong>: OpenRC recently added [https://github.com/OpenRC/openrc/blob/master/service-script-guide.md documentation] on how to write proper Init scripts. Make sure you read it!<br />
<br />
If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.<br />
<br />
Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].<br />
<br />
<code>apk add openrc-doc man</code><br />
<br />
<code>man openrc-run</code><br />
<br />
== Minimal Templates ==<br />
<br />
Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:<br />
<br />
<code>#!/sbin/openrc-run</code><br />
<br />
=== Services relying on OpenRC exclusively ===<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
command="/path/to/command"<br />
</pre><br />
<br />
=== Services supervised by [http://www.skarnet.org/software/s6/ s6] ===<br />
<br />
Notes:<br />
<br />
* Install and configure the <code>s6-scan</code> service to start on system boot<br />
* Exclude <code>start()</code>, <code>stop()</code> and <code>status()</code> functions in order for s6 supervision to work reliably. OpenRC has built-in equivalent functions which invoke the necessary s6 commands.<br />
* Include a <code>depend()</code> stanza to ensure that the <code>s6-svscan</code> service is already running.<br />
* Add a <code>start_pre()</code> stanza to symlink the service directory into the scan directory, because the <code>/etc/init.d/bootmisc</code> scripts cleans out the <code>/run</code> directory on system boot.<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name="foo"<br />
supervisor="s6"<br />
s6_service_path="${RC_SVCDIR}/s6-scan/${name}"<br />
<br />
depend() {<br />
need s6-svscan<br />
}<br />
<br />
start_pre() {<br />
if [ ! -L "${RC_SVC_DIR}/s6-scan/${name}" ]; then<br />
ln -s "/path/to/${name}/service/dir" "${RC_SVCDIR}/s6-scan/${name}"<br />
fi<br />
}<br />
</pre><br />
<br />
The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.<br />
<br />
== Basic example ==<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name=$RC_SVCNAME<br />
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"<br />
command="/usr/bin/my_daemon"<br />
command_args="--my-daemon-args"<br />
command_user="my_system_user"<br />
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"<br />
start_stop_daemon_args="--args-for-start-stop-daemon"<br />
command_background="yes"<br />
<br />
depend() {<br />
need net<br />
}<br />
<br />
start_pre() {<br />
checkpath --directory --owner $command_user:$command_user --mode 0775 \<br />
/run/$RC_SVCNAME /var/log/$RC_SVCNAME<br />
}<br />
</pre><br />
<br />
== start, stop, restart functions ==<br />
<br />
OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.<br />
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.<br />
<br />
=== start ===<br />
<br />
<pre><br />
start() {<br />
ebegin "Starting mydaemon"<br />
start-stop-daemon --start \<br />
--exec /usr/sbin/mydaemon \<br />
--pidfile /var/run/mydaemon.pid \<br />
-- \<br />
--args-for-mydaemon<br />
eend $?<br />
}<br />
</pre><br />
<br />
=== stop ===<br />
<br />
=== restart ===<br />
<br />
== Daemon, Forking, Logging ==<br />
<br />
TODO...<br />
<br />
[[Category:Booting]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Writing_Init_Scripts&diff=14619Writing Init Scripts2018-02-20T18:24:38Z<p>Clandmeter: /* Introduction */</p>
<hr />
<div>{{Draft}}<br />
<br />
== Introduction ==<br />
<br />
Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with out system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are takes from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.<br />
<br />
<strong>NOTE</strong>: OpenRC recently added [https://github.com/OpenRC/openrc/blob/master/service-script-guide.md documentation] on how to write proper Init scripts<br />
<br />
If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.<br />
<br />
Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].<br />
<br />
<code>apk add openrc-doc man</code><br />
<br />
<code>man openrc-run</code><br />
<br />
== Minimal Templates ==<br />
<br />
Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:<br />
<br />
<code>#!/sbin/openrc-run</code><br />
<br />
=== Services relying on OpenRC exclusively ===<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
command="/path/to/command"<br />
</pre><br />
<br />
=== Services supervised by [http://www.skarnet.org/software/s6/ s6] ===<br />
<br />
Notes:<br />
<br />
* Install and configure the <code>s6-scan</code> service to start on system boot<br />
* Exclude <code>start()</code>, <code>stop()</code> and <code>status()</code> functions in order for s6 supervision to work reliably. OpenRC has built-in equivalent functions which invoke the necessary s6 commands.<br />
* Include a <code>depend()</code> stanza to ensure that the <code>s6-svscan</code> service is already running.<br />
* Add a <code>start_pre()</code> stanza to symlink the service directory into the scan directory, because the <code>/etc/init.d/bootmisc</code> scripts cleans out the <code>/run</code> directory on system boot.<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name="foo"<br />
supervisor="s6"<br />
s6_service_path="${RC_SVCDIR}/s6-scan/${name}"<br />
<br />
depend() {<br />
need s6-svscan<br />
}<br />
<br />
start_pre() {<br />
if [ ! -L "${RC_SVC_DIR}/s6-scan/${name}" ]; then<br />
ln -s "/path/to/${name}/service/dir" "${RC_SVCDIR}/s6-scan/${name}"<br />
fi<br />
}<br />
</pre><br />
<br />
The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.<br />
<br />
== Basic example ==<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name=$RC_SVCNAME<br />
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"<br />
command="/usr/bin/my_daemon"<br />
command_args="--my-daemon-args"<br />
command_user="my_system_user"<br />
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"<br />
start_stop_daemon_args="--args-for-start-stop-daemon"<br />
command_background="yes"<br />
<br />
depend() {<br />
need net<br />
}<br />
<br />
start_pre() {<br />
checkpath --directory --owner $command_user:$command_user --mode 0775 \<br />
/run/$RC_SVCNAME /var/log/$RC_SVCNAME<br />
}<br />
</pre><br />
<br />
== start, stop, restart functions ==<br />
<br />
OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.<br />
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.<br />
<br />
=== start ===<br />
<br />
<pre><br />
start() {<br />
ebegin "Starting mydaemon"<br />
start-stop-daemon --start \<br />
--exec /usr/sbin/mydaemon \<br />
--pidfile /var/run/mydaemon.pid \<br />
-- \<br />
--args-for-mydaemon<br />
eend $?<br />
}<br />
</pre><br />
<br />
=== stop ===<br />
<br />
=== restart ===<br />
<br />
== Daemon, Forking, Logging ==<br />
<br />
TODO...<br />
<br />
[[Category:Booting]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Writing_Init_Scripts&diff=14618Writing Init Scripts2018-02-20T18:24:01Z<p>Clandmeter: /* Introduction */</p>
<hr />
<div>{{Draft}}<br />
<br />
== Introduction ==<br />
<br />
Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with out system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are takes from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.<br />
<br />
<strong>NOTE</strong>: OpenRC recently added [documentation https://github.com/OpenRC/openrc/blob/master/service-script-guide.md] on how to write proper Init scripts<br />
<br />
If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.<br />
<br />
Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].<br />
<br />
<code>apk add openrc-doc man</code><br />
<br />
<code>man openrc-run</code><br />
<br />
== Minimal Templates ==<br />
<br />
Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:<br />
<br />
<code>#!/sbin/openrc-run</code><br />
<br />
=== Services relying on OpenRC exclusively ===<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
command="/path/to/command"<br />
</pre><br />
<br />
=== Services supervised by [http://www.skarnet.org/software/s6/ s6] ===<br />
<br />
Notes:<br />
<br />
* Install and configure the <code>s6-scan</code> service to start on system boot<br />
* Exclude <code>start()</code>, <code>stop()</code> and <code>status()</code> functions in order for s6 supervision to work reliably. OpenRC has built-in equivalent functions which invoke the necessary s6 commands.<br />
* Include a <code>depend()</code> stanza to ensure that the <code>s6-svscan</code> service is already running.<br />
* Add a <code>start_pre()</code> stanza to symlink the service directory into the scan directory, because the <code>/etc/init.d/bootmisc</code> scripts cleans out the <code>/run</code> directory on system boot.<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name="foo"<br />
supervisor="s6"<br />
s6_service_path="${RC_SVCDIR}/s6-scan/${name}"<br />
<br />
depend() {<br />
need s6-svscan<br />
}<br />
<br />
start_pre() {<br />
if [ ! -L "${RC_SVC_DIR}/s6-scan/${name}" ]; then<br />
ln -s "/path/to/${name}/service/dir" "${RC_SVCDIR}/s6-scan/${name}"<br />
fi<br />
}<br />
</pre><br />
<br />
The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.<br />
<br />
== Basic example ==<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name=$RC_SVCNAME<br />
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"<br />
command="/usr/bin/my_daemon"<br />
command_args="--my-daemon-args"<br />
command_user="my_system_user"<br />
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"<br />
start_stop_daemon_args="--args-for-start-stop-daemon"<br />
command_background="yes"<br />
<br />
depend() {<br />
need net<br />
}<br />
<br />
start_pre() {<br />
checkpath --directory --owner $command_user:$command_user --mode 0775 \<br />
/run/$RC_SVCNAME /var/log/$RC_SVCNAME<br />
}<br />
</pre><br />
<br />
== start, stop, restart functions ==<br />
<br />
OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.<br />
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.<br />
<br />
=== start ===<br />
<br />
<pre><br />
start() {<br />
ebegin "Starting mydaemon"<br />
start-stop-daemon --start \<br />
--exec /usr/sbin/mydaemon \<br />
--pidfile /var/run/mydaemon.pid \<br />
-- \<br />
--args-for-mydaemon<br />
eend $?<br />
}<br />
</pre><br />
<br />
=== stop ===<br />
<br />
=== restart ===<br />
<br />
== Daemon, Forking, Logging ==<br />
<br />
TODO...<br />
<br />
[[Category:Booting]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Writing_Init_Scripts&diff=14617Writing Init Scripts2018-02-20T18:23:33Z<p>Clandmeter: /* Introduction */</p>
<hr />
<div>{{Draft}}<br />
<br />
== Introduction ==<br />
<br />
Alpine Linux uses the [https://github.com/OpenRC/openrc OpenRC] init system to start services. Don't confuse OpenRC init with out system init (the first process that is executed aka pid 1). Many of the current init.d script found in Alpine Linux are takes from Gentoo. If you want to save time you could search [https://packages.gentoo.org/categories Gentoo's repository] for an existing initscript for your service. You can also check [https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts#Writing_initscripts Gentoo's wiki] for some additional OpenRC information.<br />
<br />
NOTE: OpenRC recently added [documentation https://github.com/OpenRC/openrc/blob/master/service-script-guide.md] on how to write proper Init scripts<br />
<br />
If you cannot find an init.d script from Gentoo, or you just want to start to write your own init.d scripts, we provide you with some basic information on how to write simple OpenRC init scripts.<br />
<br />
Primary information about the OpenRC format can be found in the [http://manpages.org/openrc-run/8 OpenRC man page openrc-run].<br />
<br />
<code>apk add openrc-doc man</code><br />
<br />
<code>man openrc-run</code><br />
<br />
== Minimal Templates ==<br />
<br />
Every init.d script you write needs to start with a [https://en.wikipedia.org/wiki/Shebang_(Unix) shebang] like:<br />
<br />
<code>#!/sbin/openrc-run</code><br />
<br />
=== Services relying on OpenRC exclusively ===<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
command="/path/to/command"<br />
</pre><br />
<br />
=== Services supervised by [http://www.skarnet.org/software/s6/ s6] ===<br />
<br />
Notes:<br />
<br />
* Install and configure the <code>s6-scan</code> service to start on system boot<br />
* Exclude <code>start()</code>, <code>stop()</code> and <code>status()</code> functions in order for s6 supervision to work reliably. OpenRC has built-in equivalent functions which invoke the necessary s6 commands.<br />
* Include a <code>depend()</code> stanza to ensure that the <code>s6-svscan</code> service is already running.<br />
* Add a <code>start_pre()</code> stanza to symlink the service directory into the scan directory, because the <code>/etc/init.d/bootmisc</code> scripts cleans out the <code>/run</code> directory on system boot.<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name="foo"<br />
supervisor="s6"<br />
s6_service_path="${RC_SVCDIR}/s6-scan/${name}"<br />
<br />
depend() {<br />
need s6-svscan<br />
}<br />
<br />
start_pre() {<br />
if [ ! -L "${RC_SVC_DIR}/s6-scan/${name}" ]; then<br />
ln -s "/path/to/${name}/service/dir" "${RC_SVCDIR}/s6-scan/${name}"<br />
fi<br />
}<br />
</pre><br />
<br />
The rest of the below basic example could be omitted, but that would most probably leave you with an non working initd script.<br />
<br />
== Basic example ==<br />
<br />
<pre><br />
#!/sbin/openrc-run<br />
<br />
name=$RC_SVCNAME<br />
cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"<br />
command="/usr/bin/my_daemon"<br />
command_args="--my-daemon-args"<br />
command_user="my_system_user"<br />
pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"<br />
start_stop_daemon_args="--args-for-start-stop-daemon"<br />
command_background="yes"<br />
<br />
depend() {<br />
need net<br />
}<br />
<br />
start_pre() {<br />
checkpath --directory --owner $command_user:$command_user --mode 0775 \<br />
/run/$RC_SVCNAME /var/log/$RC_SVCNAME<br />
}<br />
</pre><br />
<br />
== start, stop, restart functions ==<br />
<br />
OpenRC defined a few basic functions ie: start, stop, restart. These functions are defined by default but can be overwritten by defining your own set of functions.<br />
This is generally only necessary if you want to do something special which is not provided by the default start/stop/restart implementations.<br />
<br />
=== start ===<br />
<br />
<pre><br />
start() {<br />
ebegin "Starting mydaemon"<br />
start-stop-daemon --start \<br />
--exec /usr/sbin/mydaemon \<br />
--pidfile /var/run/mydaemon.pid \<br />
-- \<br />
--args-for-mydaemon<br />
eend $?<br />
}<br />
</pre><br />
<br />
=== stop ===<br />
<br />
=== restart ===<br />
<br />
== Daemon, Forking, Logging ==<br />
<br />
TODO...<br />
<br />
[[Category:Booting]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Desktop-notes&diff=14099Desktop-notes2017-10-23T13:19:40Z<p>Clandmeter: /* Tweaks */</p>
<hr />
<div>These are my personal xfce4 desktop notes.<br />
<br />
== Base system setup ==<br />
<br />
# Do a minimal Alpine install<br />
# Enable community repo in repositories<br />
# setup-xorg-base<br />
# apk add dbus<br />
# rc-update add dbus<br />
# apk add sudo<br />
# apk add xfce4<br />
# apk add chromium<br />
# apk add slim<br />
# apk add paper-icon-theme paper-gtk-theme<br />
# apk add font-noto<br />
# apk add xf86-video-intel (for intel video only) (you can also choose xf86-video-modesetting)<br />
# apk add xf86-input-synaptics (it currently has support for palm detection which libinput does not).<br />
# add local user and add to sudo list<br />
# add user to specific groups<br />
## adduser (username) audio<br />
## adduser (username) video<br />
## adduser (username) dialout<br />
# Add /etc/X11/xorg.conf.d/30-intel.conf to have tear free scrolling:<br />
<pre><br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "TearFree" "true"<br />
EndSection<br />
</pre><br />
<br />
== Testing basic xorg system ==<br />
<br />
# reboot system<br />
# rc-service slim start<br />
# verify xorg starts correctly and you can login to slim<br />
# rc-update add slim<br />
<br />
== Changing cosmetics ==<br />
<br />
# change xfce4 style/icons to paper: Settings -> Appearance -> Style and Icons<br />
# change window manager theme to Paper: Settings -> Window Manager -> Style<br />
# Change mouse Theme to Paper: Settings -> Mouse and Trackpad -> Theme<br />
# enable all Composer Shadows: Settings -> Window Manager Tweaks -> Composer<br />
# change fonts to noto<br />
## Settings - > Appearance -> Fonts: Set to Noto Sans UI<br />
### Turn on Anti-aliasing (is the default) and enable Sub-Pixel order -> RGB<br />
<br />
== Setting up Alsa audio ==<br />
<br />
# apk add alsa-utils<br />
# rc-update add alsa<br />
# rc-service alsa start<br />
# Set the default sound device<br />
## List sound devices: <code>cat /proc/asound/card*/id</code><br />
## Depending on your setup select the proper device<br />
### create a /etc/asound.conf with following content where PCH is sound card name.<br />
<pre><br />
pcm.!default {<br />
type plug<br />
slave.pcm {<br />
@func getenv<br />
vars [ ALSAPCM ]<br />
default "hw:PCH"<br />
}<br />
}<br />
</pre><br />
<br />
== additional software ==<br />
<br />
# apk add geany<br />
# apk add thunar-archive thunar-volman<br />
# apk add xarchiver<br />
<br />
== Tweaks ==<br />
<br />
Enable webgl on chromium when running on hardened kernel:<br />
<br />
Edit: <code>/boot/extlinux.conf</code><br />
<br />
Add: <code>grsec_sysfs_restrict=0</code> to the end of the of the APPEND line.<br />
<br />
Don't forget to add it to your update-extlinux.conf<br />
<br />
[[Category:Installation]]<br />
[[Category:Desktop]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Desktop-notes&diff=14098Desktop-notes2017-10-23T13:15:32Z<p>Clandmeter: /* Base system setup */</p>
<hr />
<div>These are my personal xfce4 desktop notes.<br />
<br />
== Base system setup ==<br />
<br />
# Do a minimal Alpine install<br />
# Enable community repo in repositories<br />
# setup-xorg-base<br />
# apk add dbus<br />
# rc-update add dbus<br />
# apk add sudo<br />
# apk add xfce4<br />
# apk add chromium<br />
# apk add slim<br />
# apk add paper-icon-theme paper-gtk-theme<br />
# apk add font-noto<br />
# apk add xf86-video-intel (for intel video only) (you can also choose xf86-video-modesetting)<br />
# apk add xf86-input-synaptics (it currently has support for palm detection which libinput does not).<br />
# add local user and add to sudo list<br />
# add user to specific groups<br />
## adduser (username) audio<br />
## adduser (username) video<br />
## adduser (username) dialout<br />
# Add /etc/X11/xorg.conf.d/30-intel.conf to have tear free scrolling:<br />
<pre><br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "TearFree" "true"<br />
EndSection<br />
</pre><br />
<br />
== Testing basic xorg system ==<br />
<br />
# reboot system<br />
# rc-service slim start<br />
# verify xorg starts correctly and you can login to slim<br />
# rc-update add slim<br />
<br />
== Changing cosmetics ==<br />
<br />
# change xfce4 style/icons to paper: Settings -> Appearance -> Style and Icons<br />
# change window manager theme to Paper: Settings -> Window Manager -> Style<br />
# Change mouse Theme to Paper: Settings -> Mouse and Trackpad -> Theme<br />
# enable all Composer Shadows: Settings -> Window Manager Tweaks -> Composer<br />
# change fonts to noto<br />
## Settings - > Appearance -> Fonts: Set to Noto Sans UI<br />
### Turn on Anti-aliasing (is the default) and enable Sub-Pixel order -> RGB<br />
<br />
== Setting up Alsa audio ==<br />
<br />
# apk add alsa-utils<br />
# rc-update add alsa<br />
# rc-service alsa start<br />
# Set the default sound device<br />
## List sound devices: <code>cat /proc/asound/card*/id</code><br />
## Depending on your setup select the proper device<br />
### create a /etc/asound.conf with following content where PCH is sound card name.<br />
<pre><br />
pcm.!default {<br />
type plug<br />
slave.pcm {<br />
@func getenv<br />
vars [ ALSAPCM ]<br />
default "hw:PCH"<br />
}<br />
}<br />
</pre><br />
<br />
== additional software ==<br />
<br />
# apk add geany<br />
# apk add thunar-archive thunar-volman<br />
# apk add xarchiver<br />
<br />
== Tweaks ==<br />
<br />
Enable webgl on chromium when running on hardened kernel:<br />
<br />
Edit: <code>/boot/extlinux.conf</code><br />
<br />
Add: <code>grsec_sysfs_restrict=0</code> to the end of the of the APPEND line.<br />
<br />
[[Category:Installation]]<br />
[[Category:Desktop]]</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Desktop-notes&diff=14057Desktop-notes2017-10-07T10:05:48Z<p>Clandmeter: /* Tweaks */</p>
<hr />
<div>These are my personal xfce4 desktop notes.<br />
<br />
== Base system setup ==<br />
<br />
# Do a minimal Alpine install<br />
# Enable community repo in repositories<br />
# setup-xorg-base<br />
# apk add dbus<br />
# rc-update add dbus<br />
# apk add sudo<br />
# apk add xfce4<br />
# apk add chromium<br />
# apk add slim<br />
# apk add paper-icon-theme paper-gtk-theme<br />
# apk add font-noto<br />
# apk add xf86-video-intel (for intel video only)<br />
# apk add xf86-input-keyboard xf86-input-evdev<br />
# add local user and add to sudo list<br />
# add user to specific groups<br />
## adduser (username) audio<br />
## adduser (username) video<br />
## adduser (username) dialout<br />
# Add /etc/X11/xorg.conf.d/30-intel.conf to have tear free scrolling:<br />
<pre><br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "TearFree" "true"<br />
EndSection<br />
</pre><br />
<br />
== Testing basic xorg system ==<br />
<br />
# reboot system<br />
# rc-service slim start<br />
# verify xorg starts correctly and you can login to slim<br />
# rc-update add slim<br />
<br />
== Changing cosmetics ==<br />
<br />
# change xfce4 style/icons to paper: Settings -> Appearance -> Style and Icons<br />
# change window manager theme to Paper: Settings -> Window Manager -> Style<br />
# Change mouse Theme to Paper: Settings -> Mouse and Trackpad -> Theme<br />
# enable all Composer Shadows: Settings -> Window Manager Tweaks -> Composer<br />
# change fonts to noto<br />
## Settings - > Appearance -> Fonts: Set to Noto Sans UI<br />
### Turn on Anti-aliasing (is the default) and enable Sub-Pixel order -> RGB<br />
<br />
== Setting up Alsa audio ==<br />
<br />
# apk add alsa-utils<br />
# rc-update add alsa<br />
# rc-service alsa start<br />
# Set the default sound device<br />
## List sound devices: <code>cat /proc/asound/card*/id</code><br />
## Depending on your setup select the proper device<br />
### create a /etc/asound.conf with following content where PCH is sound card name.<br />
<pre><br />
pcm.!default {<br />
type plug<br />
slave.pcm {<br />
@func getenv<br />
vars [ ALSAPCM ]<br />
default "hw:PCH"<br />
}<br />
}<br />
</pre><br />
<br />
== additional software ==<br />
<br />
# apk add geany<br />
# apk add thunar-archive thunar-volman<br />
# apk add xarchiver<br />
<br />
== Tweaks ==<br />
<br />
Enable webgl on chromium when running on hardenend kernel:<br />
<br />
Edit: <code>/boot/extlinux.conf</code><br />
<br />
Add: <code>grsec_sysfs_restrict=0</code> to the end of the of the APPEND line.</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Desktop-notes&diff=14056Desktop-notes2017-10-07T10:04:57Z<p>Clandmeter: </p>
<hr />
<div>These are my personal xfce4 desktop notes.<br />
<br />
== Base system setup ==<br />
<br />
# Do a minimal Alpine install<br />
# Enable community repo in repositories<br />
# setup-xorg-base<br />
# apk add dbus<br />
# rc-update add dbus<br />
# apk add sudo<br />
# apk add xfce4<br />
# apk add chromium<br />
# apk add slim<br />
# apk add paper-icon-theme paper-gtk-theme<br />
# apk add font-noto<br />
# apk add xf86-video-intel (for intel video only)<br />
# apk add xf86-input-keyboard xf86-input-evdev<br />
# add local user and add to sudo list<br />
# add user to specific groups<br />
## adduser (username) audio<br />
## adduser (username) video<br />
## adduser (username) dialout<br />
# Add /etc/X11/xorg.conf.d/30-intel.conf to have tear free scrolling:<br />
<pre><br />
Section "Device"<br />
Identifier "Intel Graphics"<br />
Driver "intel"<br />
Option "TearFree" "true"<br />
EndSection<br />
</pre><br />
<br />
== Testing basic xorg system ==<br />
<br />
# reboot system<br />
# rc-service slim start<br />
# verify xorg starts correctly and you can login to slim<br />
# rc-update add slim<br />
<br />
== Changing cosmetics ==<br />
<br />
# change xfce4 style/icons to paper: Settings -> Appearance -> Style and Icons<br />
# change window manager theme to Paper: Settings -> Window Manager -> Style<br />
# Change mouse Theme to Paper: Settings -> Mouse and Trackpad -> Theme<br />
# enable all Composer Shadows: Settings -> Window Manager Tweaks -> Composer<br />
# change fonts to noto<br />
## Settings - > Appearance -> Fonts: Set to Noto Sans UI<br />
### Turn on Anti-aliasing (is the default) and enable Sub-Pixel order -> RGB<br />
<br />
== Setting up Alsa audio ==<br />
<br />
# apk add alsa-utils<br />
# rc-update add alsa<br />
# rc-service alsa start<br />
# Set the default sound device<br />
## List sound devices: <code>cat /proc/asound/card*/id</code><br />
## Depending on your setup select the proper device<br />
### create a /etc/asound.conf with following content where PCH is sound card name.<br />
<pre><br />
pcm.!default {<br />
type plug<br />
slave.pcm {<br />
@func getenv<br />
vars [ ALSAPCM ]<br />
default "hw:PCH"<br />
}<br />
}<br />
</pre><br />
<br />
== additional software ==<br />
<br />
# apk add geany<br />
# apk add thunar-archive thunar-volman<br />
# apk add xarchiver<br />
<br />
== Tweaks ==<br />
<br />
Enable webgl with chromium:<br />
<br />
Edit: <code>/boot/extlinux.conf</code><br />
<br />
Add: <code>grsec_sysfs_restrict=0</code> to the end of the of the APPEND line.</div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14050Zero-To-Awall2017-10-04T12:48:17Z<p>Clandmeter: /* Service Policies */</p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Base policies ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Service policies ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
ssh-to-hostname disabled Forward SSH to hostname<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
awall enable ssh-to-hostname<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14049Zero-To-Awall2017-10-04T12:48:01Z<p>Clandmeter: /* Creating the base */</p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Base policies ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Service Policies ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
ssh-to-hostname disabled Forward SSH to hostname<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
awall enable ssh-to-hostname<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14048Zero-To-Awall2017-10-04T12:47:43Z<p>Clandmeter: /* Policies (services) */</p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Creating the base ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Service Policies ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
ssh-to-hostname disabled Forward SSH to hostname<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
awall enable ssh-to-hostname<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14047Zero-To-Awall2017-10-04T07:35:25Z<p>Clandmeter: /* Enabling optional policies */</p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Creating the base ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Policies (services) ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
ssh-to-hostname disabled Forward SSH to hostname<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
awall enable ssh-to-hostname<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14046Zero-To-Awall2017-10-04T07:35:08Z<p>Clandmeter: /* Enabling optional policies */</p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Creating the base ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Policies (services) ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
ssh-to-hostname disabled Forward SSH to hostname<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14045Zero-To-Awall2017-10-04T07:32:08Z<p>Clandmeter: </p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Creating the base ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Policies (services) ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
=== Allow IPv4 forwarding ===<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
==== On the fly ====<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
==== Enable within iptables tools (at boot) ====<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeterhttps://wiki.alpinelinux.org/w/index.php?title=Zero-To-Awall&diff=14044Zero-To-Awall2017-10-04T07:30:35Z<p>Clandmeter: </p>
<hr />
<div>= Awall for dummies =<br />
<br />
This howto is aimed at users with no (or little) experience with iptables and other firewall frameworks (like Shorewall).<br />
<br />
This howto is going to be split into 5 parts.<br />
<br />
# Defining our base json file which holds our zones and base policies.<br />
# Creating service policies.<br />
# Using aliases and custom services.<br />
# Enabling and testing policies.<br />
# Finishing up and making it start (at boot)<br />
<br />
NOTE: please be aware that all configuration files are stored as JSON files. JSON is not a human friendly standard, <br />
for instance it does not support comments so you will have to move them outside of the json structure.<br />
Beginners should use a decent text editor with JSON highlight support which will make your life easier.<br />
Since recent versions of awall it is also possible to use yaml instead of json but this is out of the scope of this howto.<br />
<br />
== Creating the base ==<br />
<br />
Creating zones depends on the function of your firewall. Is it installed on a endpoint (server) or will it act as a router and filter/forward.<br />
For this howto we assume you are going to setup a router and use NAT to forward services (ports) to different hosts on your network.<br />
<br />
For each interface on router we will setup a zone and assign it a zone name. We do this by creating the following file: /etc/awall/private/base.json<br />
<pre><br />
{<br />
"description": "Base zones and policies",<br />
<br />
"zone": {<br />
"WAN": { "iface": "eth0" },<br />
"LAN": { "iface": "eth1" },<br />
"VPN": { "iface": "tun+" }<br />
},<br />
<br />
"policy": [<br />
{ "in": "VPN", "action": "accept" },<br />
{ "out": "VPN", "action": "accept" },<br />
{ "in": "LAN", "action": "accept" },<br />
{ "out": "LAN", "action": "accept" },<br />
{ "in": "_fw", "action": "accept" },<br />
{ "in": "_fw", "out": "WAN" , "action": "accept" },<br />
{ "in": "WAN", "action": "drop" }<br />
],<br />
<br />
"snat": [ { "out": "WAN" } ],<br />
<br />
"clamp-mss": [ { "out": "WAN" } ]<br />
<br />
}<br />
</pre><br />
<br />
Lets break this down into sections<br />
<br />
=== description ===<br />
<br />
The description is here just for reference and will be used by <code>awall list</code>.<br />
<br />
=== zone ===<br />
<br />
This is where our zones are defined. Zones are defined based on a interface and assigned a name to be used in your policies.<br />
In our example you can see that we have two real interfaces eth0 and eth1 and one or more virtual interfaces tun+ (the plus sign stands for any digit like tun0 tun1 and so on). In case you are installing awall on an endpoint (a server) then you will most probably not have the eth1 interfaces and can leave it out. In our example the tun+ interface is added as it is very commonly used like when using openvpn.<br />
<br />
=== policy ===<br />
<br />
These are our main policies. It will tell our firewall what to do with when a packet enters or leaves from one of the zones (interfaces).<br />
You will notice a special <code>_fw</code> name which means the internal firewall (the local machine) which means the packet does not leave the firewall via another interface but should be send to one of the local services.<br />
You can see that we by default do not filter any package coming from or going to our VPN zone/interface. You could instead change the default action to drop all packets and create separate policies to allow specific traffic but this is out of the scope of this howto.<br />
<br />
=== snat ===<br />
<br />
Apply source nat for outgoing packets. This is only needed if your firewall acts as a router and traffic behind the router needs a modified source address (translate from local ip to public ip).<br />
<br />
=== clamp-mss ===<br />
<br />
https://github.com/alpinelinux/awall#mss-clamping-rules<br />
<br />
== Policies (services) ==<br />
<br />
Now that we have the base firewall in place we can start to define specific policies so our services will be reachable from the outside world.\<br />
By default we are blocking all traffic coming in on our WAN interface (action=drop). The first thing we want to open is our SSH port/service. To do this we need to create a new policy inside the "optional" directory.<br />
You could be wondering why the optional name, thats is because mandatory policies are stored in <code>/usr/share/awall/mandatory</code> and not to be touched and our optional policies can be enabled/disabled on the run.<br />
<br />
=== SSH service ===<br />
<br />
To add our SSH policies we create a new file: /etc/awall/optional/ssh.json<br />
<pre><br />
{<br />
"description": "Allow rate-limited SSH on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ssh",<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
==== description ====<br />
<br />
This is similar for any policy<br />
<br />
==== Filter ====<br />
<br />
This is the actual filter that is currently set to drop the packets arriving or leaving the interface.<br />
<br />
===== in =====<br />
<br />
The interface the packets arrive on, in this case its the WAN interface.<br />
<br />
===== out =====<br />
<br />
The interface the packets leave on, in this case its _fw which means it does not leave our firewall/device and is targeted at our local SSH service.<br />
<br />
===== service =====<br />
<br />
This is the service definition provided by awall or a custom service which we will discuss later on.<br />
<br />
===== action =====<br />
<br />
The action on the packet, this inverts the default action of drop and accepts the packets.<br />
<br />
===== conn-limit =====<br />
<br />
This is a special feature of our firewall/iptables to allow only a certain amount of packets in a certain amount of time. For more information please check our awall manual.<br />
<br />
=== SSH to another Host ===<br />
<br />
edit the following file: /etc/awall/optional/ssh-to-hostname.json<br />
<br />
<pre><br />
{<br />
<br />
"description": "Forward SSH to hostname",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"action": "accept",<br />
"conn-limit": { "count": 3, "interval": 20 }<br />
}<br />
],<br />
<br />
"dnat": [<br />
{<br />
"in": "WAN",<br />
"dest": "$SERVER",<br />
"service": { "proto": "tcp", "port": 22001 },<br />
"to-port": "22"<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
Lets discuss the differences between this policy and the previous SSH policy.<br />
<br />
==== Filter ====<br />
<br />
===== service =====<br />
<br />
Because port 22 is already in use by our own firewall, we need to listen on a different port. In this example we listen on port 22001.<br />
And because we are not using the default port 22 we need to define our own service specification.<br />
<br />
==== dnat ====<br />
<br />
Also known as destination NAT.<br />
<br />
===== dest =====<br />
<br />
The destination the packet will be forwarded to. In this case we are using a variable named $HOSTNAME. Anywhere in your policies you can define your own variables and use them.<br />
In our case we have used a file in /etc/awall/private/aliases.json more on this topic later on.<br />
<br />
===== to-port =====<br />
<br />
This is the destination target port number. The packet will be forwarded from 22001 to 22 on the $hostname<br />
<br />
=== OpenVPN Service ===<br />
<br />
This is the most generic config available. It does nothing more then opening port(s) defined for our openvpn service in <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow local OpenVPN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "openvpn",<br />
"action": "accept"<br />
}<br />
]<br />
}<br />
<br />
</pre><br />
<br />
=== Allow ping on WAN ===<br />
<br />
Allow rate-limited ping on WAN. Which has the same kind of flow limit as our previous SSH policy.<br />
<br />
<pre><br />
{<br />
<br />
"description": "Allow rate-limited ping on WAN",<br />
<br />
"filter": [<br />
{<br />
"in": "WAN",<br />
"out": "_fw",<br />
"service": "ping",<br />
"action": "accept",<br />
"flow-limit": { "count": 10, "interval": 6 }<br />
}<br />
]<br />
}<br />
</pre><br />
<br />
== Using aliases and custom services ==<br />
<br />
=== Aliases ===<br />
<br />
To make life easier when your firewall rules increase, it can be nice to map specific hosts to names.<br />
Awall supports something called [https://github.com/alpinelinux/awall#variable-expansion variable expansion] which is a mapping between a value and a variable.<br />
When you have many devices behind your firewall/router, your policies can be harder to read. Also when one of your devices IP address change you will have to update all of your policies.<br />
With awalls variables you can assign the ip address of a device to a variable name. Edit the following file: <code>/etc/awall/private/aliases.json</code><br />
<pre><br />
{<br />
"description": "Hostname aliases",<br />
<br />
"variable": {<br />
"PRINTER": "192.168.1.1",<br />
"SERVER": "192.168.1.2"<br />
}<br />
<br />
}<br />
</pre><br />
<br />
Look in the example above where $SERVER is used to forward port 22001 to port 22.<br />
<br />
NOTE: You are not limited to assigning only IP addresses to variables. You can use it however you like. More information can be found in the awall manual.<br />
<br />
=== Custom services ===<br />
<br />
Awall includes a predefined list of [https://github.com/alpinelinux/awall/blob/master/json/services.json services]. If the service you try to define in your policy does not exist in awalls services list you can define services yourself.<br />
<br />
Create the file: <code>/etc/awall/private/custom-services.json</code><br />
<br />
<pre><br />
{<br />
"service": {<br />
<br />
"mqtt": [<br />
{ "proto": "udp", "port": 1883 },<br />
{ "proto": "tcp", "port": 1883 }<br />
],<br />
<br />
"openvpn": [<br />
{ "proto": "udp", "port": 1194 },<br />
{ "proto": "tcp", "port": 1194 }<br />
]<br />
<br />
}<br />
}<br />
</pre><br />
<br />
NOTE: although you are free to name your policy files however you want, you cannot name this file <code>services.json</code> because this policy name is already in use by the included services.json of awall.<br />
<br />
== Using our policies ==<br />
<br />
You should now have two directories in your awall config directory named optional and private with multiple json files. The biggest difference between these two directories is the ability to enable and disable policies located in the optional directory. When you enable a policy by using <code>awall enable policy-name</code> awall will generate a symlink in your awall config directory and will automatically load them when you activate the firewall. To be able to also use the files in the private directory we will need to include them in one of our optional policies. You can name the file however you like as long it doesn't conflict with existing policies names (including the ones in private directory and awall's system policies). Example names would be hostname.json main.json firewall.json. For this example we will use main.json.<br />
<br />
Create the file: <code>/etc/awall/main.json</code><br />
<pre><br />
{<br />
"description": "Main firewall",<br />
<br />
"import": [ "base", "aliases", "custom-services" ]<br />
<br />
}<br />
</pre><br />
<br />
Contents of your awall directory:<br />
<pre><br />
awall<br />
│<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
└── private<br />
├── aliases.json<br />
├── base.json<br />
└── custom-services.json<br />
</pre><br />
<br />
=== Enabling optional policies ===<br />
<br />
Lets enable our created policies. First we list them by running <code>awall list</code> which would show something like:<br />
<pre><br />
openvpn disabled Allow local OpenVPN<br />
main disabled Main firewall<br />
ping disabled Allow rate-limited ping on WAN<br />
ssh disabled Allow rate-limited SSH on WAN<br />
</pre><br />
<br />
Each of these needs to be enabled:<br />
<pre><br />
awall enable openvpn<br />
awall enable main<br />
awall enable ping<br />
awall enable ssh<br />
</pre><br />
<br />
The contents of your awall directory should now look like:<br />
<pre><br />
awall/<br />
├── main.json -> ./optional/main.json<br />
├── openvpn.json -> ./optional/openvpn.json<br />
├── optional<br />
│ ├── main.json<br />
│ ├── openvpn.json<br />
│ ├── ping.json<br />
│ ├── ssh-to-hostname.json<br />
│ └── ssh.json<br />
├── ping.json -> ./optional/ping.json<br />
├── private<br />
│ ├── aliases.json<br />
│ ├── base.json<br />
│ └── custom-services.json<br />
├── ssh-to-hostname.json -> ./optional/ssh-to-hostname.json<br />
└── ssh.json -> ./optional/ssh.json<br />
<br />
2 directories, 13 files<br />
</pre><br />
<br />
=== Testing policies ===<br />
<br />
<code>awall translate --verify</code><br />
<br />
if everything goes well the output should be null.<br />
<br />
=== Activating the firewall ===<br />
<br />
Now that all our policies are verified for proper json we can activate it.<br />
<br />
<code>awall activate</code><br />
<br />
This will load the firewall rules and show you a message to confirm. If by accident you made a mistake and lock yourself out you just have to wait for awall to disable itself again.<br />
<br />
== Finishing up ==<br />
<br />
=== Activating firewall rules at boot ===<br />
<br />
When awall has been properly activated it will generate a file with all iptables rules which iptables will read when its is started via openrc.<br />
Make sure you have added iptables to an openrc runlevel.<br />
<br />
<code>rc-update add iptables</code><br />
<br />
== Allow IPv4 forwarding ==<br />
<br />
To allow iptables to forward packets from one zone to the other we need to enable this at the iptables level.<br />
<br />
=== On the fly ===<br />
<br />
To enable it on the fly:<br />
<code>sysctl -w net.ipv4.ip_forward=1</code><br />
<br />
=== Enable it inside iptables tools (at boot) ===<br />
<br />
Add the following to:<br />
<code>/etc/conf.d/iptables</code><br />
<pre><br />
# Enable/disable IPv4 forwarding with the rules<br />
IPFORWARD="yes"<br />
</pre></div>Clandmeter