https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Jch&feedformat=atomAlpine Linux - User contributions [en]2024-03-28T19:32:00ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Remote_Desktop_Server&diff=12482Remote Desktop Server2016-03-09T13:38:06Z<p>Jch: /* Remote Desktop Server based on Vino and XRDP */</p>
<hr />
<div><br />
== Remote Desktop Server based on Vino and XRDP ==<br />
First of all, make sure you have a desktop environment properly installed (you can follow the [[MATE|MATE Setup]]).<br />
<br />
Next, install Vino and XRDP with the following command:<br />
{{Cmd| apk add vino@community xrdp}}<br />
<br />
Replace the contents of the file /etc/xrdp/xrdp.ini with:<br />
<br />
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><br />
[globals]<br />
bitmap_cache=yes<br />
bitmap_compression=yes<br />
port=3389<br />
crypt_level=low<br />
channel_code=1<br />
max_bpp=24<br />
<br />
[xrdp1]<br />
name=Vino<br />
lib=libvnc.so<br />
ip=127.0.0.1<br />
port=5900<br />
username=ask<br />
password=ask<br />
</pre><br />
<br />
If you want the XRDP service to start automatically, add the services to the default runlevel:<br />
{{Cmd|rc-update add xrdp<br />
rc-update add xrdp-sesman<br />
rc-update add vino}}<br />
<br />
To start:<br />
{{Cmd|rc-service xrdp start<br />
rc-service xrdp-sesman start<br />
rc-service vino start}}<br />
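
The xrdp.ini above, checked with a small script: an added example, not part of the original wiki page, that reads an xrdp.ini on stdin and flags the lowest <code>crypt_level</code>, a VNC backend <code>ip</code> that is not loopback, and a password stored in the file. The function names, the <code>reviewed_config</code> variant and the value <code>high</code> are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an xrdp.ini for the settings this page relies on.
# Reads the ini on stdin, prints one finding per line, and returns 1 if any
# finding is WEAK or WARN.

audit_xrdp_ini() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function report(level, msg) {
        print level " [" sec "] " msg
        if (level != "OK") bad = 1
    }
    /^[ \t]*([;#]|$)/ { next }              # comment or blank line
    /^[ \t]*\[.*\]/ {                       # section header such as [globals]
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        sec = tolower(sec); next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (sec == "globals") {
            # xrdp documents low, medium, high and fips; low is the weakest.
            if (key == "crypt_level") {
                seen = 1
                lv = tolower(val)
                if (lv == "none" || lv == "low") report("WEAK", "crypt_level=" val)
                else report("OK", "crypt_level=" val)
            }
            next
        }
        # Session sections ([xrdp1] on this page): where the VNC leg goes.
        if (key == "ip") {
            if (val ~ /^127\./ || val == "localhost" || val == "::1")
                report("OK", "ip=" val " is loopback")
            else
                report("WARN", "ip=" val " is not loopback")
        }
        # Assumption of this example: anything but "ask" is a stored secret.
        if (key == "password") {
            if (val == "ask") report("OK", "password is prompted (ask)")
            else report("WARN", "password is stored in the file")
        }
    }
    END {
        if (!seen) { sec = "globals"; report("WARN", "crypt_level is not set") }
        exit bad + 0
    }'
}

# The [globals]/[xrdp1] settings from the page, reproduced as sample input.
page_config() {
    cat <<'EOF'
[globals]
bitmap_cache=yes
bitmap_compression=yes
port=3389
crypt_level=low
channel_code=1
max_bpp=24

[xrdp1]
name=Vino
lib=libvnc.so
ip=127.0.0.1
port=5900
username=ask
password=ask
EOF
}

# Constructed variant for comparison: only crypt_level differs.
reviewed_config() {
    page_config | sed 's/^crypt_level=.*/crypt_level=high/'
}

for cfg in page_config reviewed_config; do
    echo "== $cfg"
    "$cfg" | audit_xrdp_ini || echo "-> needs attention"
done
```

On a real host the same function can be fed the installed file: <code>audit_xrdp_ini < /etc/xrdp/xrdp.ini</code>.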
<br />
=== Misc ===<br />
==== Disabling XRDP Notification and Confirmation ====<br />
If you do not want client confirmation before the session is accepted:<br />
<br />
<code>export DISPLAY=:0.0</code><br />
{{Cmd|gsettings set org.gnome.Vino notify-on-connect false<br />
gsettings set org.gnome.Vino prompt-enabled false<br />
}}<br />
<br />
== Remote Desktop Server based on x2go ==<br />
In ''testing''{{Draft}}</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Talk:Remote_Desktop_Server&diff=12481Talk:Remote Desktop Server2016-03-09T13:35:24Z<p>Jch: Created page with " == Performances ? == What about the performances of such solution versus, for instance, ssh -X ? ~~~~"</p>
<hr />
<div><br />
== Performances ? ==<br />
<br />
What about the performance of such a solution versus, for instance, ssh -X?<br />
<br />
[[User:Jch|Jch]] ([[User talk:Jch|talk]]) 13:35, 9 March 2016 (UTC)</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Talk:Kamailio&diff=11699Talk:Kamailio2016-02-16T11:25:00Z<p>Jch: Created page with "For sure this howto seems out-of-date as some packages do not exist anymore on AL 3.3.1... (with all repo enabled: main, community, edge and testing) <pre> alpine331:~# apk s..."</p>
<hr />
<div>For sure this howto seems out-of-date as some packages do not exist anymore on AL 3.3.1... (with all repos enabled: main, community, edge and testing) <br />
<pre><br />
alpine331:~# apk search kamailio<br />
kamailio-lua-4.3.4-r1<br />
kamailio-xml-4.3.4-r1<br />
kamailio-memcached-4.3.4-r1<br />
kamailio-dbtext-4.3.4-r1<br />
acf-kamailio-0.10.0-r1<br />
kamailio-ev-4.3.4-r1<br />
kamailio-4.3.4-r1<br />
kamailio-cpl-4.3.4-r1<br />
kamailio-utils-4.3.4-r1<br />
kamailio-mysql-4.3.4-r1<br />
kamailio-postgres-4.3.4-r1<br />
kamailio-websocket-4.3.4-r1<br />
kamailio-snmpstats-4.3.4-r1<br />
kamailio-uuid-4.3.4-r1<br />
kamailio-redis-4.3.4-r1<br />
kamailio-authephemeral-4.3.4-r1<br />
kamailio-xmpp-4.3.4-r1<br />
kamailio-debugger-4.3.4-r1<br />
kamailio-outbound-4.3.4-r1<br />
kamailio-db-4.3.4-r1<br />
kamailio-unixodbc-4.3.4-r1<br />
kamailio-doc-4.3.4-r1<br />
kamailio-geoip2-4.3.4-r1<br />
kamailio-json-4.3.4-r1<br />
kamailio-ims-4.3.4-r1<br />
kamailio-jansson-4.3.4-r1<br />
kamailio-dbg-4.3.4-r1<br />
kamailio-ldap-4.3.4-r1<br />
kamailio-presence-4.3.4-r1<br />
kamailio-sqlite-4.3.4-r1<br />
kamailio-tls-4.3.4-r1<br />
kamailio-carrierroute-4.3.4-r1<br />
kamailio-extras-4.3.4-r1<br />
</pre></div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11692User talk:Jch2016-02-12T11:03:22Z<p>Jch: /* New_lab_machine */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below:<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
we now use xnbd ^^<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
The Alpine kernel has now RBD modules compiled.<br />
<br />
We will build a CEPH cluster out of 3 Ubuntu LTS and use AL boxes as client if possible (to launch qemu instances directly from RBD). If not, we then will attach RBD and reexport them with xNBD inside a debian KVM.<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
AL 3.3 with +/etc/inittab+ <pre><br />
tty5::respawn:/usr/bin/su - jch mcabber<br />
tty6::respawn:/usr/bin/su - jch tmux<br />
tty7::respawn:/usr/bin/su - jch startx<br />
</pre> and +~/.xinitrc+ <pre><br />
#!/bin/sh<br />
exec chromium-browser --no-sandbox<br />
</pre><br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an openVPN from Jolla phones.<br />
<br />
== New rollout of our infra ==<br />
<br />
This week, we will upgrade some hardware and also redo all the infrastructure based on the fresh 3.3 series.<br />
<br />
The compute nodes will run (on baremetal) with mdadm, openvswitch, qemu, consul, collectd, screen (maybe tmux) and openssh.<br />
<br />
The storage nodes will run a CEPH cluster (unfortunately not based on AL).<br />
<br />
Everything else will run in various KVM on the compute nodes.<br />
<br />
First, let's check if the needed packages are available in the basic ISOs. If yes we will be able to run from USB keys. If not we will need to have sys install on the HDD...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11691User talk:Jch2016-02-12T11:02:55Z<p>Jch: /* About NBD */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below:<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
we now use xnbd ^^<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
The Alpine kernel has now RBD modules compiled.<br />
<br />
We will build a CEPH cluster out of 3 Ubuntu LTS and use AL boxes as client if possible (to launch qemu instances directly from RBD). If not, we then will attach RBD and reexport them with xNBD inside a debian KVM.<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
AL 3.3 with +/etc/inittab+ <pre><br />
tty5::respawn:/usr/bin/su - jch mcabber<br />
tty6::respawn:/usr/bin/su - jch tmux<br />
tty7::respawn:/usr/bin/su - jch startx<br />
</pre> and +~/.xinitrc+ <pre><br />
#!/bin/sh<br />
exec chromium-browser --no-sandbox<br />
</pre><br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an openVPN from Jolla phones.<br />
<br />
== New rollout of our infra ==<br />
<br />
This week, we will upgrade some hardware and also redo all the infrastructure based on the fresh 3.3 series.<br />
<br />
The compute nodes will run (on baremetal) with mdadm, openvswitch, qemu, consul, collectd, screen (maybe tmux) and openssh.<br />
<br />
The storage nodes will run a CEPH cluster (unfortunately not based on AL).<br />
<br />
Everything else will run in various KVM on the compute nodes.<br />
<br />
First, let's check if the needed packages are available in the basic ISOs. If yes we will be able to run from USB keys. If not we will need to have sys install on the HDD...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11537User talk:Jch2015-12-25T21:13:53Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below:<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
The Alpine kernel has now RBD modules compiled.<br />
<br />
We will build a CEPH cluster out of 3 Ubuntu LTS and use AL boxes as client if possible (to launch qemu instances directly from RBD). If not, we then will attach RBD and reexport them with xNBD inside a debian KVM.<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
AL 3.3 with +/etc/inittab+ <pre><br />
tty5::respawn:/usr/bin/su - jch mcabber<br />
tty6::respawn:/usr/bin/su - jch tmux<br />
tty7::respawn:/usr/bin/su - jch startx<br />
</pre> and +~/.xinitrc+ <pre><br />
#!/bin/sh<br />
exec chromium-browser --no-sandbox<br />
</pre><br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an openVPN from Jolla phones.<br />
<br />
== New rollout of our infra ==<br />
<br />
This week, we will upgrade some hardware and also redo all the infrastructure based on the fresh 3.3 series.<br />
<br />
The compute nodes will run (on baremetal) with mdadm, openvswitch, qemu, consul, collectd, screen (maybe tmux) and openssh.<br />
<br />
The storage nodes will run a CEPH cluster (unfortunately not based on AL).<br />
<br />
Everything else will run in various KVM on the compute nodes.<br />
<br />
First, let's check if the needed packages are available in the basic ISOs. If yes we will be able to run from USB keys. If not we will need to have sys install on the HDD...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11536User talk:Jch2015-12-25T21:08:04Z<p>Jch: /* About CEPH */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
The Alpine kernel has now RBD modules compiled.<br />
<br />
We will build a CEPH cluster out of 3 Ubuntu LTS and use AL boxes as client if possible (to launch qemu instances directly from RBD). If not, we then will attach RBD and reexport them with xNBD inside a debian KVM.<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer IOMMU needed for the full setup I wanted to implement :(<br />
In fact after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an openVPN from Jolla phones.<br />
<br />
== New rollout of our infra ==<br />
<br />
This week, we will upgrade some hardware and also redo all the infrastructure based on the fresh 3.3 series.<br />
<br />
The compute nodes will run (on baremetal) with mdadm, openvswitch, qemu, consul, collectd, screen (maybe tmux) and openssh.<br />
<br />
The storage nodes will run a CEPH cluster (unfortunately not based on AL).<br />
<br />
Everything else will run in various KVM on the compute nodes.<br />
<br />
First, let's check if the needed packages are available in the basic ISOs. If yes we will be able to run from USB keys. If not we will need to have sys install on the HDD...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11527User talk:Jch2015-12-19T22:42:36Z<p>Jch: /* New rollout of our infra */ new section</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer IOMMU needed for the full setup I wanted to implement :(<br />
In fact after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an OpenVPN from Jolla phones.<br />
<br />
== New rollout of our infra ==<br />
<br />
This week, we will upgrade some hardware and also redo all the infrastructure based on the fresh 3.3 series.<br />
<br />
The compute nodes will run (on baremetal) with mdadm, openvswitch, qemu, consul, collectd, screen (maybe tmux) and openssh.<br />
<br />
The storage nodes will run a CEPH cluster (unfortunately not based on AL).<br />
<br />
Everything else will run in various KVM on the compute nodes.<br />
<br />
First, let's check if the needed packages are available in the basic ISOs. If yes we will be able to run from USB keys. If not we will need to have sys install on the HDD...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11206User talk:Jch2015-09-11T15:14:16Z<p>Jch: /* About freeswitch */ new section</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now it is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performance while running. But the boot sequence from a USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer IOMMU needed for the full setup I wanted to implement :(<br />
In fact after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gpve ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.<br />
<br />
== About freeswitch ==<br />
<br />
I have a request to run a SIP server for a couple of users.<br/><br />
I'm doing it in some LXC accessed through an OpenVPN from Jolla phones.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11124User talk:Jch2015-08-06T05:28:28Z<p>Jch: /* About gpve */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now it is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performance while running. But the boot sequence from a USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer IOMMU needed for the full setup I wanted to implement :(<br />
In fact after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gpve ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
http://software.schmorp.de/pkg/gvpe.html<br />
<br />
Plan to use it to interconnect about 5 sites.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11123User talk:Jch2015-08-06T05:27:29Z<p>Jch: /* About gpve */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from a USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as a LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer the IOMMU needed for the full setup I wanted to implement :(<br />
In fact, after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gvpe ==<br />
<br />
http://pkgs.alpinelinux.org/package/main/x86_64/gvpe<br />
<br />
Plan to use it to interconnect about 5 sites.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11122User talk:Jch2015-08-06T05:26:48Z<p>Jch: /* About gpve */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from a USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as a LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer the IOMMU needed for the full setup I wanted to implement :(<br />
In fact, after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gvpe ==<br />
<br />
Plan to use it to interconnect about 5 sites.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11121User talk:Jch2015-08-06T05:25:51Z<p>Jch: /* About gpve */ new section</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapt quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?<br />
<br />
=== IOMMU ===<br />
<br />
Unfortunately my laptop is too low-end to offer IOMMU needed for the full setup I wanted to implement :(<br />
In fact after setting it up, I realize I was reproducing the Qubes OS architecture ;) but with KVM instead of Xen and Alpine instead of Fedora.<br />
<br />
== About gpve ==<br />
<br />
...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch/fail2ban&diff=11023User talk:Jch/fail2ban2015-06-25T09:42:53Z<p>Jch: rc-service does not work</p>
<hr />
<div>== rc-service does not work ==<br />
<br />
"rc-service fail2ban start" says OK but nothing is running.<br />
<br />
"rc-service fail2ban stop" says KO and start is not possible afterwards.<br />
<br />
The start|stop are just a wrapper around "fail2ban-client start|stop" which are running fine from the command line...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User:Jch/fail2ban&diff=11022User:Jch/fail2ban2015-06-25T09:28:20Z<p>Jch: How to setup fail2ban on a log server to control a remote firewall</p>
<hr />
<div>{{draft}}<br />
<br />
= How to setup fail2ban on a log server to control a remote firewall =<br />
<br />
I want to follow auth.log on a syslog-ng server running in a LXC to update iptables on a separate firewall machine.<br />
<br />
Installation is easy but it doesn't work (yet) as expected.<br/><br />
Even if it's working from the command line :(<br />
<br />
The syslog-ng machine is called "cerberus".<br/><br />
The firewall is called "firewall".<br />
<br />
First, cerberus has to be able to log in to firewall without a password, with root credentials (to update the iptables rules). This is done with the usual id_rsa private and public key pair (the public key goes in /root/.ssh/authorized_keys on firewall).<br />
<br />
Next is to add a wrapper script for iptables commands. I did it in /usr/local/bin/do with <pre><br />
#!/bin/sh<br />
logger -t do_firewall "$1"<br />
ssh -l root -p22 -i /root/.ssh/id_rsa firewall "$1"<br />
</pre><br />
<br />
This wrapper was added in front of every rule in /etc/fail2ban/action.d/iptables.conf, for example: <pre><br />
actionstop = /usr/local/bin/do "iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>"<br />
/usr/local/bin/do "iptables -F f2b-<name>"<br />
/usr/local/bin/do "iptables -X f2b-<name>"<br />
</pre><br />
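Because the wrapper hands an arbitrary string to a root shell on firewall, the key in authorized_keys can be pinned to a forced command that accepts only fail2ban-style iptables calls. The script below is an added example, not part of the original page or of fail2ban: the name /usr/local/bin/f2b-gate and the /sbin/iptables path are hypothetical, and the accepted command shapes other than the actionstop lines shown above are assumed from the stock iptables action.

```shell
#!/bin/sh
# Added example (not from the original page): forced-command gate for the key
# that cerberus uses to reach the firewall. Hypothetical install path:
#   /usr/local/bin/f2b-gate
# Put in front of the key in /root/.ssh/authorized_keys on the firewall:
#   command="/usr/local/bin/f2b-gate",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <public key> root@cerberus
LC_ALL=C; export LC_ALL

# Token validators: each returns 0 only for a conservative character set.
is_chain() { case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac; }
is_f2b()   { case $1 in f2b-?*) is_chain "$1" ;; *) return 1 ;; esac; }
is_ip()    { case $1 in ''|*[!0-9A-Fa-f.:/]*) return 1 ;; esac; }
is_proto() { case $1 in tcp|udp|icmp|all) ;; *) return 1 ;; esac; }
is_ports() { case $1 in ''|*[!a-z0-9,:-]*) return 1 ;; esac; }
is_block() {
    case $1 in
        DROP|REJECT|"REJECT --reject-with icmp-port-unreachable") ;;
        *) return 1 ;;
    esac
}

# f2b_allowed CMD: return 0 if CMD is one of the iptables calls the wrapped
# action issues (shapes other than actionstop are assumptions, see lead-in).
f2b_allowed() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing
    [ "${1:-}" = iptables ] || return 1
    shift
    [ $# -ge 2 ] || return 1
    op=$1 chain=$2
    case $op in
        -N|-F|-X) [ $# -eq 2 ] && is_f2b "$chain" ;;           # create/flush/delete f2b chain
        -A) [ "$*" = "-A $chain -j RETURN" ] && is_f2b "$chain" ;;
        -n) [ $# -eq 3 ] && [ "$2" = -L ] && is_chain "$3" ;;  # listing used by the check
        -I|-D)
            shift 2
            if [ "$op" = -I ] && [ "${1:-}" = 1 ]; then shift; fi
            case ${1:-} in
                # ban/unban: only inside an f2b-* chain, only a block target
                -s) [ $# -ge 4 ] && is_f2b "$chain" && is_ip "$2" &&
                    [ "$3" = -j ] && shift 3 && is_block "$*" ;;
                # jump rule: any chain, but the target must be an f2b-* chain
                -p) [ $# -eq 6 ] && is_chain "$chain" && is_proto "$2" &&
                    [ "$3" = --dport ] && is_ports "$4" &&
                    [ "$5" = -j ] && is_f2b "$6" ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# f2b_gate CMD: log the decision, then run iptables with the validated argv.
f2b_gate() {
    if f2b_allowed "$1"; then
        logger -t f2b-gate "accept: $1"
        set -f; set -- $1; set +f
        shift                          # drop the word "iptables"
        /sbin/iptables "$@"            # argv passed directly, never through a shell
    else
        logger -t f2b-gate "reject: $1"
        return 1
    fi
}

# sshd exports the command requested by the client in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    f2b_gate "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

With this in place the wrapper on cerberus stays unchanged; a request that is not an f2b iptables call is logged under the f2b-gate tag and refused.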
<br />
This is working as expected when manually invoked<br />
<pre><br />
cerberus:~# fail2ban-client start<br />
cerberus:~# fail2ban-client set sshd banip 4.34.47.232<br />
</pre><br />
<br />
But nothing happens from the fail2ban daemon :(</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Talk:Redmine&diff=11021Talk:Redmine2015-06-23T14:48:34Z<p>Jch: /* page needs update */ new section</p>
<hr />
<div>Why redmine and mysql?<br />
Everything else in Alpine prefers sqlite3 or postgresql<br />
<br />
I followed http://www.redmine.org/wiki/redmine/RedmineInstall when setting up Redmine on my test system and am more familiar with MySQL,<br />
so used it. I'm sure it'd work just as well with postgres or sqlite. [[User:Jbilyk|Jbilyk]] 16:33, 20 December 2010 (UTC)<br />
<br />
== command lacks proper path ==<br />
<br />
Hi<br />
<br />
Running command {{Cmd|su -pc "/usr/lib/ruby/gems/1.8/bin/rake generate_session_store" lighttpd}} yields:<br />
<pre><br />
rake aborted!<br />
No Rakefile found (looking for: rakefile, Rakefile, rakefile.rb, Rakefile.rb)<br />
<br />
(See full trace by running task with --trace)<br />
</pre><br />
Even though this command is run from the /usr/share/webapps/redmine directory, the su command runs it from the lighttpd user home directory, so it yields the above. I got around it by running: {{Cmd|su -p lighttpd}} and then running the rake generate_session_store command.<br />
<br />
Same goes for the following command in the documentation for creating the redmine DB structure.<br />
<br />
What might be a better way of documenting this command?<br />
<br />
--[[User:Djhughes|Djhughes]] 11:50, 9 May 2012 (UTC)<br />
<br />
== page needs update ==<br />
<br />
I was trying to deploy a new redmine but with no success :(<br />
I suppose this how-to needs some update...<br />
see http://bugs.alpinelinux.org/issues/3941 also</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=11020User talk:Jch2015-06-23T13:16:00Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Talk:LXC&diff=10943Talk:LXC2015-06-03T21:11:05Z<p>Jch: /* About lxc-attach */ new section</p>
<hr />
<div><br />
= Alternative Network Setup =<br />
<br />
These are notes on macvlan on a box with real vlans. The goal here is to have the host on a management vlan, and several guests each on other vlans. There's no need for the host to talk to the guests. The host resides on the "OOB" network, and if the host needs to talk to a guest, it does so with lxc-console, like having a KVM. Each guest should get its address from the DHCP server on the appropriate vlan. Something like this:<br />
<br />
Setup:<br />
{| class="wikitable" border="1"<br />
|-<br />
| host<br />
| dhcp on vlan 8<br />
|-<br />
| guest1<br />
| dhcp on vlan 64<br />
|-<br />
| guest2<br />
| dhcp on vlan 129<br />
|-<br />
| guest3<br />
| dhcp on vlan 64 (different address)<br />
|}<br />
<br />
* Host's /etc/network/interfaces file<br />
auto lo<br />
iface lo inet loopback<br />
<br />
# MGMT vlan<br />
auto eth0.8<br />
iface eth0.8 inet dhcp<br />
hostname lxchost<br />
<br />
 # USR vlan - we bring it up, but don't assign an address<br />
auto eth0.65<br />
iface eth0.65 inet manual<br />
up ip link set $IFACE addr de:ad:be:ef:ca:fe<br />
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
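 # VoIP vlan - we bring it up, but don't assign an address<br />
 # First octet is 0e, not 0f: an odd first octet marks a multicast address, which cannot be set on an interface<br />
 auto eth0.129<br />
 iface eth0.129 inet manual<br />
 up ip link set $IFACE addr 0e:f1:ce:c0:ff:ee<br />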
up ip link set $IFACE up<br />
down ip link set $IFACE down<br />
<br />
* Here's /etc/lxc/lxc.conf<br />
lxc.network.type = macvlan<br />
# Allow guests on the same vlan to see each other <br />
lxc.network.macvlan.mode = bridge <br />
lxc.network.link = eth0.65 <br />
lxc.network.name = eth0 <br />
# lxc.network.hwaddr = de:ad:be:ef:c0:00 # macvlan will make one up, but possible if wanted <br />
# lxc.network.flags = up # Do NOT bring up the interface, we will do so within the container<br />
# lxc.network.ipv4 = 0.0.0.0 # Do NOT assign an address, we do so within the container <br />
<br />
# Capabilities to drop (for instance, to stop the guest from mounting sys) <br />
# Taken from http://sourceforge.net/mailarchive/message.php?msg_id=28285704 <br />
# sys_boot is not listed here, as it causes problems when the host tries to stop the guest<br />
<br />
# If you trust the guest, then you can get by without dropping capabilities<br />
<br />
lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock <br />
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap<br />
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio<br />
lxc.cap.drop= sys_tty_config sys_time <br />
* Create the guests<br />
for a in `seq 1 3`; do <br />
lxc-create -n guest${a} -f /etc/lxc/lxc.conf -t alpine<br />
ln -s /etc/init.d/lxc /etc/init.d/lxc.guest${a}<br />
done<br />
* vi /var/lib/lxc/guest2/config<br />
change lxc.network.link to eth0.129<br />
* Start and enter the first guest (this is where the fun starts)<br />
/etc/init.d/lxc.guest1 start<br />
lxc-console -n guest1<br />
<br />
=== Fun inside the guest ===<br />
<br />
* /dev/null is currently created as a regular file<br />
* /dev/zero doesn't exist<br />
<br />
To create these, do the following from ''the host''<br />
<br />
<pre><br />
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/null<br />
rm -f /var/lib/lxc/[guest-name]/rootfs/dev/zero<br />
mknod /var/lib/lxc/[guest-name]/rootfs/dev/zero c 1 5<br />
mknod /var/lib/lxc/[guest-name]/rootfs/dev/null c 1 3<br />
</pre><br />
<br />
We do this in the host because our default config drops mknod capabilities in the guest.<br />
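
One way to check that a guest's config still drops every capability listed in the /etc/lxc/lxc.conf above, for instance after hand-editing /var/lib/lxc/guest2/config. This is an added example, not part of the original notes: the function names and sample files are constructed, and it relies on the behaviour documented in lxc.container.conf that an lxc.cap.drop line with no value clears all earlier entries.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an LXC config for the
# capability drops listed in the page's /etc/lxc/lxc.conf.

# Capabilities the page's lxc.conf drops; a guest config should drop all of them.
REQUIRED_DROPS="sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
sys_tty_config sys_time"

# Print the capabilities effectively dropped by config file $1, one per line.
# Comments are ignored; an empty "lxc.cap.drop =" resets the list, as LXC does.
dropped_caps() {
    sed -e 's/#.*$//' "$1" |
    awk -F= '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "lxc.cap.drop" {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "") { split("", set); next }   # reset: nothing dropped so far
            n = split(tolower(val), caps, /[ \t]+/)
            for (i = 1; i <= n; i++) set[caps[i]] = 1
        }
        END { for (c in set) print c }' | sort
}

# Print the required capabilities that config file $1 does NOT drop
# (space separated, empty output when nothing is missing).
missing_caps() {
    have=$(dropped_caps "$1")
    missing=""
    for cap in $REQUIRED_DROPS; do
        if ! printf '%s\n' "$have" | grep -qxF "$cap"; then
            missing="$missing $cap"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Report on one config; return 1 when a required capability is still granted.
audit_config() {
    m=$(missing_caps "$1")
    if [ -n "$m" ]; then
        echo "$1: NOT dropped: $m"
        return 1
    fi
    echo "$1: all required capabilities are dropped"
}

# Constructed sample configs, written into directory $1.
write_samples() {
    # page.conf: the lxc.cap.drop lines as they appear on the page
    cat > "$1/page.conf" <<'EOF'
lxc.network.type = macvlan
lxc.cap.drop= sys_admin audit_control audit_write fsetid ipc_lock
lxc.cap.drop= ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
lxc.cap.drop= setpcap sys_module sys_nice sys_pacct sys_ptrace sys_rawio
lxc.cap.drop= sys_tty_config sys_time
EOF
    # nomknod.conf: someone removed mknod so the guest could create device nodes
    sed 's/ mknod//' "$1/page.conf" > "$1/nomknod.conf"
    # reset.conf: a later empty lxc.cap.drop silently voids everything above it
    { cat "$1/page.conf"
      printf 'lxc.cap.drop =\nlxc.cap.drop = sys_module sys_time\n'
    } > "$1/reset.conf"
}

# With an argument: audit that file. Without: run on the constructed samples.
if [ $# -gt 0 ]; then
    audit_config "$1"
else
    demo=$(mktemp -d)
    write_samples "$demo"
    for f in "$demo"/*.conf; do audit_config "$f" || true; done
    rm -rf "$demo"
fi
```

Run it against each /var/lib/lxc/[guest-name]/config on the host; a non-zero exit status means the guest keeps at least one capability the default config was meant to remove.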
<br />
=== What Works, What Doesn't ===<br />
* Pro<br />
** Each guest has its own mac address<br />
** Network connectivity between each guest <br />
** No communication allowed between host and guests (this is a plus in our case - management vlan != user vlan)<br />
** if iptables modules are loaded in the host, each guest can create its own iptables rules (awall for all! sweet)<br />
* Con<br />
** No communication allowed between host and guests because we are not using a bridge interface (this is a plus in our case - management vlan != user vlan)<br />
<br />
== About lxc-attach ==<br />
<br />
I cannot connect to any AL LXC build under AL... the response is always <pre><br />
infra:~# lxc-attach --name=git -- "ps ax"<br />
lxc_container: attach.c: lxc_attach_to_ns: 196 Operation not permitted - failed to set namespace 'pid'<br />
lxc_container: attach.c: lxc_attach: 844 failed to enter the namespace<br />
</pre><br />
What did I possibly do wrong?<br/><br />
Or is it a bug in AL LXC?</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10942User talk:Jch2015-06-03T10:36:36Z<p>Jch: /* Going to the HDD */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
 I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
 If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapt quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===<br />
<br />
After backing up relevant files from previous install, it's time to clean this HDD...<br/><br />
I define 4 primary partitions: 1-3 as 5GB normal partitions and 4 as LUKS container with the remaining space. 2 and 3 will be used for experimental alternate boot.<br />
<br />
I still encounter a race condition at boot time :(<br/><br />
Running in ''run-from-ram'' from the first partition on the HDD.<br/><br />
/etc/local.d/*.start scripts want to launch some KVM. Those KVM are not reachable when started at boot but "rc-service local restart" does the job!<br/><br />
What's the difference? Some ENV? PATH? mount status of '/media/*'?</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10941User talk:Jch2015-06-03T07:52:21Z<p>Jch: /* My laptop setup */ new section 'Going to the HDD' added</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environement.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependecies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seems to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mouting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which does'nt work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machine are busy in prod. and this package allows newstyle only. I'm waiting my new lab machine...''<br />
<br />
We still miss '''xnbd''' fot it's proxy features allowing live migration.<br />
'''We are very exited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by it's content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use it's dynamic DNS feature, it's hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul server are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very exited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamycally adapt quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to sovle the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very exited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionnaly -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
=== First try with USB stick in run-from-ram mode ===<br />
<br />
After having migrating nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It his relly cool to prepare the setup on USB stick preparing an apkovl. It keeps the environnement with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make eavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakiest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do ther trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel set eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan everytime eth0 change state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-intput-evdev<br />
xf86-intput-mouse<br />
xf86-intput-keyboard<br />
xf86-intput-synaptics<br />
udev<br />
alsa-utils<br />
qemu-systems-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy soks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awfull. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy withe the architectural and functionnal aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...<br />
<br />
=== Going to the HDD ===</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=10940Tutorials and Howtos2015-06-01T20:39:15Z<p>Jch: /* Monitoring */ collectd</p>
<hr />
<div>[[Image:package_edutainment.svg|right|link=]]<br />
{{TOC left}}<br />
'''Welcome to Tutorials and Howtos, a place of basic and advanced configuration tasks for your Alpine Linux.'''<br />
<br />
The tutorials are hands-on and the reader is expected to try and achieve the goals described in each step, possibly with the help of a good example. The output in one step is the starting point for the following step.<br />
<br />
Howtos are smaller articles explaining how to perform a particular task with Alpine Linux.<br />
<br />
We encourage people to send in both complete articles as well as requesting topics to be covered. If you think you have the skills and knowledge to write an Alpine Linux related article please do so on this Wiki. If you want to request a topic, please add your request in this page's [[Talk:Tutorials_and_Howtos|Discussion]].<br />
<br />
{{Clear}}<br />
== Storage ==<br />
<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)'' <!-- Installation and Storage --><br />
** [[Back Up a Flash Memory Installation]] <!-- Installation and Storage --><br />
** [[Manually editing a existing apkovl]]<br />
<br />
* [[Setting up disks manually]] <!-- Installation and Storage --><br />
* [[Setting up a software RAID array]]<br />
<!-- ** [[Setting up a /var partition on software IDE raid1]] Obsolete, Installation and Storage --> <br />
* [[Raid Administration]]<br />
* [[Setting up encrypted volumes with LUKS]]<br />
* [[Setting up LVM on LUKS]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
** [[Setting up LVM on GPT-labeled disks]]<br />
** [[Installing on GPT LVM]]<br />
* [[Filesystems|Formatting HD/Floppy/Other]] <!-- just a stub --><br />
<br />
* [[Setting up iSCSI]]<br />
** [[iSCSI Raid and Clustered File Systems]]<br />
* [[Setting up NBD]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]] ''(deprecated)'' <!-- solution --><br />
* [[Linux iSCSI Target (TCM)]]<br />
* [[Disk Replication with DRBD]] <!-- draft --><br />
<br />
* [[Burning ISOs]] <!-- just some links now --><br />
* [[Partitioning and Bootmanagers]]<br />
* [[Migrating data]]<br />
* [[Create a bootable Raspberry Pi SDHC from a Mac]]<br />
<br />
== Networking ==<br />
<br />
* [[Configure Networking]]<br />
* [[Connecting to a wireless access point]]<br />
* [[Bonding]]<br />
* [[Vlan]]<br />
* [[Bridge]]<br />
* [[OpenVSwitch]]<br />
* [[How to configure static routes]]<br />
<br />
* [[Alpine Wall]] - [[How-To Alpine Wall]] - [[Alpine Wall User's Guide]] ''(a new firewall management framework)''<br />
<br />
* [[PXE boot]]<br />
<br />
* [[Using serial modem]]<br />
* [[Using HSDPA modem]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)'' <!-- Server and Networking --><br />
* [[How to setup a wireless access point]] ''(Setting up Secure Wireless AP w/ WPA encryption with bridge to wired network)''<br />
* [[Setting up a OpenVPN server with Alpine]] ''(Allowing single users or devices to remotely connect to your network)''<br />
<!-- [[Using Racoon for Remote Sites]] is a different VPN tunnelling method, but that article is just a stub --><br />
* [[Experiences with OpenVPN-client on ALIX.2D3]] <!-- solution --><br />
<br />
* [[Generating SSL certs with ACF]] <!-- Generating SSL certs with ACF 1.9 --><br />
* [[Setting up unbound DNS server]]<br />
* [[Setting up nsd DNS server]]<br />
* [[TinyDNS Format]]<br />
* [[Fault Tolerant Routing with Alpine Linux]] <!-- solution --><br />
* [[Freeradius Active Directory Integration]]<br />
* [[Multi_ISP]] ''(Dual-ISP setup with load-balancing and automatic failover)''<br />
* [[OwnCloud]] ''(Installing OwnCloud)''<br />
<br />
* [[Apache with php-fpm]]<br />
* [[Seafile: setting up your own private cloud]]<br />
<br />
== Post-Install ==<br />
<!-- If you edit this, please coordinate with Installation#Post-Install and Developer_Documentation#Package_management. Note that these three sections are not exact duplicates. --><br />
<br />
* [[Alpine Linux package management|Package Management (apk)]] ''(How to add/remove packages on your Alpine)''<br />
<!-- [[Alpine Linux package management#Local_Cache|How to enable APK caching]] --><br />
** [[Comparison with other distros]]<br />
* [[Alpine local backup|Alpine local backup (lbu)]] ''(Permanently store your modifications in case your box needs reboot)''<br />
** [[Back Up a Flash Memory Installation]] <!-- new --><br />
** [[Manually editing a existing apkovl]]<br />
* [[Alpine Linux Init System|Init System (OpenRC)]] ''(Configure a service to automatically boot at next reboot)''<br />
** [[Multiple Instances of Services]]<br />
<!-- [[Writing Init Scripts]] --><br />
* [[Alpine setup scripts#setup-xorg-base|Setting up Xorg]]<br />
* [[Upgrading Alpine]]<br />
<!-- Obsolete<br />
[[Upgrading Alpine - v1.9.x]]<br />
[[Upgrading Alpine - CD v1.8.x]]<br />
[[Upgrading Alpine - HD v1.8.x]]<br />
[[Upgrade to repository main|Upgrading to signed repositories]]<br />
--><br />
<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
* [[setup-acf]] ''(Configures ACF (webconfiguration) so you can manage your box through https)''<br />
* [[Changing passwords for ACF|Changing passwords]]<br />
* [[Ansible]] ''(Configuration management)''<br />
<br />
* [[Enable Serial Console on Boot]]<br />
<!-- Obsolete?<br />
* [[Error message on boot: Address space collision: host bridge window conflicts with Adaptor ROM]]<br />
--><br />
<br />
== Virtualization ==<br />
<br />
* [[Xen Dom0]] ''(Setting up Alpine as a dom0 for Xen hypervisor)''<br />
* [[Xen Dom0 on USB or SD]]<br />
* [[Create Alpine Linux PV DomU]]<br />
* [[Xen PCI Passthrough]]<br />
* [[Xen LiveCD]]<br />
* [[qemu]]<br />
* [[LXC]] ''(Setting up a Linux container in Alpine Linux)''<br />
* [[Docker]]<br />
<br />
== Desktop Environment ==<br />
<br />
* [[Awesome(wm) Setup]]<br />
* [[EyeOS]] ''(Cloud Computing Desktop)''<br />
* [[Gnome Setup]]<br />
* [[MATE|MATE Setup]]<br />
* [[Oneye]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
* [[Owncloud]] ''(Cloud Computing Desktop - Dropbox Alternative)''<br />
** (to be merged with [[OwnCloud]] ''(Your personal Cloud for storing and sharing your data on-line)'')<br />
* [[Remote Desktop Server]]<br />
* [[Suspend on LID close]]<br />
* [[XFCE Setup]] and [[Xfce Desktop|Desktop Ideas]]<br />
* [[Installing Adobe flash player for Firefox]]<br />
<br />
== Applications ==<br />
<br />
=== Telephony ===<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
** [[Setting up Streaming an Asterisk Channel]]<br />
* [[Freepbx on Alpine Linux]]<br />
* [[FreePBX_V3]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[2600hz]] ''(FreeSWITCH, Asterisk GUI web access tool)''<br />
* [[Kamailio]] ''(SIP Server, formerly OpenSER)''<br />
<br />
=== Mail ===<br />
* [[Hosting services on Alpine]] ''(Hosting mail, webservices and other services)''<br />
** [[Hosting Web/Email services on Alpine]]<br />
* [[ISP Mail Server HowTo]] <!-- solution, Mail --><br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Setting up postfix with virtual domains]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Setting up clamsmtp]]<br />
* [[Setting up dovecot with imap and ssl]]<br />
<br />
=== HTTP ===<br />
* [[Lighttpd]]<br />
** [[Lighttpd Https access]]<br />
** [[Setting Up Lighttpd with PHP]]<br />
** [[Setting Up Lighttpd With FastCGI]]<br />
* [[Cherokee]]<br />
* [[Nginx]]<br />
* [[Apache]]<br />
** [[Setting Up Apache with PHP]]<br />
** [[Apache authentication: NTLM Single Signon]]<br />
<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)'' <!-- solution, Server --><br />
<br />
* [[Setting up Transparent Squid Proxy]] <!-- draft --><br />
** [[SqStat]] ''(Script to look at active squid users connections)''<br />
** [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[Setting up Explicit Squid Proxy]]<br />
<br />
* [[Drupal]] ''(Content Management System (CMS) written in PHP)''<br />
* [[WordPress]] ''(Web software to create website or blog)''<br />
* [[MediaWiki]] ''(Free web-based wiki software application)''<br />
* [[DokuWiki]]<br />
* [[Darkhttpd]]<br />
<br />
=== Other Servers ===<br />
* [[Setting up a ssh-server]] ''(Using ssh is a good way to administer your box remotely)''<br />
<br />
* [[Setting up a nfs-server]]<br />
* [[Phpizabi]] ''(Social Networking Platform)''<br />
* [[Statusnet]] ''(Microblogging Platform)''<br />
* [[Pastebin]] ''(Pastebin software application)''<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
<br />
* [[Patchwork]] ''(Patch review management system)''<br />
* [[Redmine]] ''(Project management system)''<br />
* [[Request-Tracker]] ''(Ticket system)''<br />
* [[OsTicket]] ''(Ticket system)''<br />
* [[Setting up trac wiki|Trac]] ''(Enhanced wiki and issue tracking system for software development projects)''<br />
<br />
* [[Cgit]]<br />
** [[Setting up a git repository server with gitolite and cgit]] <!-- doesn't exist yet --><br />
* [[Roundcube]] ''(Webmail system)''<br />
* [[Glpi]] ''(Manage inventory of technical resources)''<br />
<br />
* [[How to setup a Alpine Linux mirror]]<br />
* [[Cups]]<br />
* [[NgIRCd]] ''(Server for Internet Relay Chat/IRC)''<br />
* [[OpenVCP]] ''(VServer Control Panel)''<br />
* [[Mahara]] ''(E-portfolio and social networking system)''<br />
* [[Chrony and GPSD | Using chrony, gpsd, and a garmin LVC 18 as a Stratum 1 NTP source ]]<br />
* [[Sending SMS using gnokii]]<br />
<br />
=== Monitoring ===<br />
* Setting up [[collectd]]<br />
* [[Traffic monitoring]] <!-- Networking and Monitoring --><br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]] <!-- Monitoring --><br />
* [[Setting up monitoring using rrdtool (and rrdcollect)]]<br />
* [[Setting up Cacti|Cacti]] ''(Front-end for rrdtool networking monitor)''<br />
* [[Setting up Zabbix|Zabbix]] ''(Monitor and track the status of network services and hardware)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft, solution, Networking and Monitoring and Server --><br />
** [[Setting up NRPE daemon]] ''(Performs remote Nagios checks)'' <!-- Networking and Monitoring --><br />
* [[Setting up Smokeping|Smokeping]] ''(Network latency monitoring)'' <!-- Networking and Monitoring --><br />
** [[Setting up MRTG and Smokeping to Monitor Bandwidth Usage and Network Latency]]<br />
* [[Setting Up Fprobe And Ntop|Ntop]] ''(NetFlow collection and analysis using a remote fprobe instance)'' <!-- Networking and Monitoring --><br />
* [[Cvechecker]] ''(Compare installed packages against Common Vulnerabilities and Exposures (CVE) entries)'' <!-- Monitoring and Security --><br />
<br />
* [[IP Accounting]] <!-- Networking and Monitoring --><br />
* [[Obtaining user information via SNMP]] ''(Using squark-auth-snmp as a Squid authentication helper)'' <!-- Networking and Server, <== Using squark-auth-snmp --><br />
* [[SqStat]] ''(Script to look at active squid users connections)''<br />
<br />
* [[Piwik]] ''(A real time web analytics software program)''<br />
* [[Awstats]] ''(Free log file analyzer)''<br />
* [[Intrusion Detection using Snort]]<br />
** [[Intrusion Detection using Snort, Sguil, Barnyard and more]]<br />
* [[Dglog]] ''(Log analyzer for the web content filter DansGuardian)''<br />
<br />
* [[Webmin]] ''(A web-based interface for Linux system)''<br />
* [[PhpPgAdmin]] ''(Web-based administration tool for PostgreSQL)''<br />
* [[PhpMyAdmin]] ''(Web-based administration tool for MySQL)''<br />
* [[PhpSysInfo]] ''(A simple application that displays information about the host it's running on)''<br />
* [[Linfo]]<br />
<br />
* [[Setting up lm_sensors]]<br />
<br />
* [[ZoneMinder video camera security and surveillance]]<br />
<br />
== Misc ==<br />
<br />
* [[:Category:Shell]]<br />
* [[:Category:Programming]]<br />
* [[Running glibc programs]]<br />
* [[:Category:Drivers]]<br />
* [[:Category:Multimedia]]<br />
* [[Kernel Modesetting]]<br />
<br />
== Complete Solutions ==<br />
* [[Replacing non-Alpine Linux with Alpine remotely]]<br />
* [[High performance SCST iSCSI Target on Linux software Raid]]<br />
* [[Fault Tolerant Routing with Alpine Linux]]<br />
* [[Experiences with OpenVPN-client on ALIX.2D3]]<br />
* [[Building a cloud with Alpine Linux]]<br />
<br />
* [[ISP Mail Server HowTo]] ''(Postfix+PostfixAdmin+Dovecot+Roundcube+ClamAV+Spamd - A full-service ISP mail server)''<br />
** [[ISP Mail Server Upgrade 2.x]]<br />
** [[ISP Mail Server 2.x HowTo]] ''(Beta, please test)''<br />
* [[High Availability High Performance Web Cache]] ''(uCarp + HAProxy for High Availability Services such as Squid web proxy)''<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)'' <!-- draft --><br />
* [[Streaming Security Camera Video with VLC]]<br />
* [[Dynamic Multipoint VPN (DMVPN)]] combined with [[Small_Office_Services]]<br />
* [[RPI Video Receiver]] ''(network video decoder using Raspberry Pi and omxplayer)''<br />
<br />
<br />
<!--<br />
This does not attempt to be complete. Is it useful to have these listed here? I find them more accessible if grouped with their topics; also, an up-to-date list of all Draft or Obsolete pages can be found at [[Project:Wiki maintenance]].<br />
<br />
== Drafts ==<br />
Currently unfinished/works-in-progress.<br />
* [[Using Racoon for Remote Sites]]<br />
* [[Setting up Transparent Squid Proxy]] ''(Covers Squid proxy and URL Filtering system)''<br />
** [[Obtaining user information via SNMP]] ''(Using the Squark Squid authentication helper)'' [!-- no longer a draft --]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Setting up A Network Monitoring and Inventory System]] ''(Nagios + OpenAudit and related components)''<br />
* [[Intrusion Detection using Snort]] ''(Installing and configuring Snort and related applications on Alpine 2.0.x)''<br />
* [[IP Accounting]] ''(Installing and configuring pmacct for IP Accounting, Netflow/sFlow collector)''<br />
* [[Disk Replication with DRBD]]<br />
--></div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Tutorials_and_Howtos&diff=10939Tutorials and Howtos2015-06-01T20:33:19Z<p>Jch: /* Monitoring */</p>
Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10936User talk:Jch2015-06-01T06:35:52Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
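An added example (not part of the original notes, nor LXC or Alpine project code) that follows ncopa's advice above: the host mounts the export and the container gets a read-only bind entry, so chroot_deny_mount stays enabled. The host mount point /srv/nfs/alpine, the config path placeholder and all function names are assumptions.

```shell
#!/bin/sh
# Added example: give an LXC container an NFS export through a host-side
# mount plus a read-only bind entry, leaving chroot_deny_mount enabled.
# Assumed names: the host mount point, the config path, all function names.

# grsecurity sysctl quoted on this page.
DENY_MOUNT=/proc/sys/kernel/grsecurity/chroot_deny_mount

# deny_mount_state [FILE]: print enabled, disabled, or absent (no such sysctl).
deny_mount_state() {
    f=${1:-$DENY_MOUNT}
    [ -r "$f" ] || { echo absent; return 0; }
    case "$(cat "$f")" in
        0) echo disabled ;;
        *) echo enabled ;;
    esac
}

# rewrite_config CONFIG EXPORT HOST_DIR: print CONFIG with every nfs/nfs4
# lxc.mount.entry for EXPORT replaced by a read-only bind of HOST_DIR onto
# the same container path. All other lines pass through unchanged.
rewrite_config() {
    awk -v src="$2" -v host="$3" '
        /^[ \t]*lxc\.mount\.entry[ \t]*=/ {
            entry = $0
            sub(/^[^=]*=[ \t]*/, "", entry)      # keep only the fstab-style fields
            n = split(entry, f)
            if (n >= 3 && f[1] == src && (f[3] == "nfs" || f[3] == "nfs4")) {
                printf "lxc.mount.entry = %s %s none bind,ro,nosuid 0 0\n", host, f[2]
                next
            }
        }
        { print }
    ' "$1"
}

# apply EXPORT HOST_DIR CONFIG: run on the LXC host as root.
apply() {
    if [ "$(deny_mount_state)" = disabled ]; then
        echo "chroot_deny_mount is 0; restore with: echo 1 > $DENY_MOUNT" >&2
    fi
    mkdir -p "$2"
    # The mount is done by the host, outside any chroot or container.
    mountpoint -q "$2" || mount -t nfs -o ro,nosuid,nodev "$1" "$2"
    rewrite_config "$3" "$1" "$2" > "$3.new" && mv "$3.new" "$3"
}

# Usage with the page's export (paths are placeholders):
#   sh nfs-bind.sh apply nfsserver:/srv/boot/alpine /srv/nfs/alpine /path/to/nfstest/config
if [ "${1:-}" = apply ]; then
    shift
    apply "$@"
fi
```

The host mount has to exist before lxc-start runs, otherwise the container binds an empty directory.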
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
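One way to fire such a script on eth0 link changes, as an added example that is not part of the original notes: a small watcher that polls the eth0 carrier flag and, on each transition, toggles wlan0, cycles wan and restarts the openvpn.* services. Interface and service names are the page's; the function names, the 2-second poll interval and the SYSFS/INITD overrides are assumptions.

```shell
#!/bin/sh
# Added example: poll the eth0 carrier flag and refresh the wan uplink on change.
# Interface and service names come from the page; function names, the poll
# interval and the SYSFS/INITD overrides are assumptions.
IFACE=${IFACE:-eth0}
WIFI=${WIFI:-wlan0}
UPLINK=${UPLINK:-wan}
SYSFS=${SYSFS:-/sys/class/net}
INITD=${INITD:-/etc/init.d}

# carrier IFACE: print 1 if a link is detected, otherwise 0. Reading the
# carrier file fails while the interface is administratively down, which is
# why this watcher never takes eth0 down itself.
carrier() {
    c=$(cat "$SYSFS/$1/carrier" 2>/dev/null) || c=0
    if [ "$c" = 1 ]; then echo 1; else echo 0; fi
}

# plan PREV CUR: print the commands for a carrier transition, one per line.
# Prints nothing when the state did not change.
plan() {
    if [ "$1" = "$2" ]; then return 0; fi
    if [ "$2" = 1 ]; then
        echo "ip link set $WIFI down"     # cable plugged: use eth0 only
    else
        echo "ip link set $WIFI up"       # cable pulled: fall back to wifi
    fi
    echo "ifdown $UPLINK"                 # stop the DHCP client on wan
    echo "ifup $UPLINK"                   # new DHCP request over the live link
    for svc in "$INITD"/openvpn.*; do
        if [ -e "$svc" ]; then echo "rc-service ${svc##*/} restart"; fi
    done
}

# watch_link: poll every 2 seconds and run the plan on each transition.
watch_link() {
    prev=$(carrier "$IFACE")
    while sleep 2; do
        cur=$(carrier "$IFACE")
        plan "$prev" "$cur" | while read -r cmd; do
            logger -t linkwatch "$cmd"
            $cmd || logger -t linkwatch "failed: $cmd"
        done
        prev=$cur
    done
}

# Run as: sh linkwatch.sh watch
if [ "${1:-}" = watch ]; then
    watch_link
fi
```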
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now it is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.<br />
<br />
Now the '''sound'''... I want to produce the sound inside the KVM-desktop but to play it on baremetal hardware. <br/><br />
I have read that it is possible to deactivate the control of some PCI device on the host and offer it as pass-through to a guest KVM...</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10935User talk:Jch2015-06-01T06:33:15Z<p>Jch: /* My laptop setup */ Running_Alpine_in_Qemu_Live_mode</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below:<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/ntpd/emailrelay+postfix/proxy socks (TOR)<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X; cups); DE; cryptsetup<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
For details on how to run the KVM in ''run-from-ram'' mode with specific apkovl see [[Running_Alpine_in_Qemu_Live_mode]].<br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query KVM-desktop</pre><br />
<br />
Now it is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys. At this stage it's working and had good performances while running. But the boot sequence from an USB2.0 stick is awful. Hope to improve it a lot when I will setup-bootable it to the laptop's hdd... But I first want to be 100% happy with the architectural and functional aspects before trying to optimize the boot sequence.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Running_Alpine_in_Live_mode_in_QEMU&diff=10934Running Alpine in Live mode in QEMU2015-06-01T06:22:01Z<p>Jch: typo</p>
<hr />
<div>If you just want to give Alpine Linux a try, qemu can be used without a disk image and further configuration.<br />
<br />
{{Cmd|qemu -m 512 -cdrom alpine-3.2.0-x86_64.iso}}<br />
<br />
You need to issue {{Cmd|grsec nomodeset}} at boot prompt to avoid being forced in graphical mode and losing access.<br />
<br />
<u>Question</u>: Is there a way to pass an apkovl as parameter at this stage?<br/><br />
<u>Response</u> ''to self'': Yes. I do it like this and I mount /dev/vda1 as /media/config to store the '''apkovl''' and the '''apkcache''': <pre><br />
mkdir -p /media/usb/images<br />
qemu-img create -f raw /media/usb/images/mykvm.config 32M<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name mykvm \<br />
-cdrom /media/usb/images/alpine-3.2.0-x86_64.iso \<br />
  -drive file=/media/usb/images/mykvm.config,if=virtio \<br />
-net lan \<br />
-boot d &<br />
</pre> And inside the KVM <pre><br />
fdisk /dev/vda<br />
mkdosfs /dev/vda1<br />
mkdir -p /media/config<br />
echo "/dev/vda1 /media/config vfat rw 0 0" >> /etc/fstab<br />
mount /media/config<br />
setup-alpine<br />
lbu ci<br />
</pre> At next reboot, it will use the newly generated apkovl and apkcache stored on /dev/vda1 running in ''run-from-ram'' from the latest official ISO.<br />
<br />
[[Category:Virtualization]]</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Running_Alpine_in_Live_mode_in_QEMU&diff=10933Running Alpine in Live mode in QEMU2015-06-01T06:20:25Z<p>Jch: </p>
<hr />
<div>If you just want to give Alpine Linux a try, qemu can be used without a disk image and further configuration.<br />
<br />
{{Cmd|qemu -m 512 -cdrom alpine-3.2.0-x86_64.iso}}<br />
<br />
You need to issue {{Cmd|grsec nomodeset}} at boot prompt to avoid being forced in graphical mode and losing access.<br />
<br />
<u>Question</u>: Is there a way to pass an apkovl as parameter at this stage?<br/><br />
<u>Response</u> ''to self'': Yes. I do it like this and I mount /dev/vda1 as /media/config to store the '''apkovl''' and the '''apkcache''': <pre><br />
mkdir -p /media/usb/images<br />
qemu-img create -f raw /media/usb/images/mykvm.config 32M<br />
qemu-systems-x86_64 -enable-kvm -m 384 \<br />
-name mykvm \<br />
-cdrom /media/usb/images/alpine-3.2.0-x86_64.iso \<br />
  -drive file=/media/usb/images/mykvm.config,if=virtio \<br />
-net lan \<br />
-boot d &<br />
</pre> And inside the KVM <pre><br />
fdisk /dev/vda<br />
mkdosfs /dev/vda1<br />
mkdir -p /media/config<br />
echo "/dev/vda1 /media/config vfat rw 0 0" >> /etc/fstab<br />
mount /media/config<br />
setup-alpine<br />
lbu ci<br />
</pre> At next reboot, it will use the newly generated apkovl and apkcache stored on /dev/vda1 running in ''run-from-ram'' from the latest official ISO.<br />
<br />
[[Category:Virtualization]]</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Running_Alpine_in_Live_mode_in_QEMU&diff=10932Running Alpine in Live mode in QEMU2015-06-01T06:16:02Z<p>Jch: Q: Is there a way to pass an apkovl as paramater at this stage? R: Yes!</p>
<hr />
<div>If you just want to give Alpine Linux a try, qemu can be used without a disk image and further configuration.<br />
<br />
{{Cmd|qemu -m 512 -cdrom alpine-3.2.0-x86_64.iso}}<br />
<br />
You need to issue {{Cmd|grsec nomodeset}} at boot prompt to avoid being forced in graphical mode and losing access.<br />
<br />
<u>Question</u>: Is there a way to pass an apkovl as parameter at this stage?<br/><br />
<u>Response</u> ''to self'': Yes. I do it like this and I mount /dev/vda1 as /media/config to store the '''apkovl''' and the '''apkcache''': <pre><br />
mkdir -p /media/usb/images<br />
qemu-img create -f raw /media/usb/images/mykvm.config 32M<br />
qemu-systems-x86_64 -enable-kvm -m 384 \<br />
-name mykvm \<br />
-cdrom /media/usb/images/alpine-3.2.0-x86_64.iso \<br />
  -drive file=/media/usb/images/mykvm.config \<br />
-net lan \<br />
-boot d &<br />
</pre> And inside the KVM <pre><br />
fdisk /dev/vda<br />
mkdosfs /dev/vda1<br />
mkdir -p /media/config<br />
echo "/dev/vda1 /media/config vfat rw 0 0" >> /etc/fstab<br />
mount /media/config<br />
setup-alpine<br />
</pre><br />
<br />
[[Category:Virtualization]]</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10931User talk:Jch2015-05-31T21:44:15Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below:<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo lan vpn wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
iface lan inet static<br />
address 172.17.0.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.0.255<br />
iface vpn inet static<br />
address 172.17.3.1<br />
netmask 255.255.255.0<br />
broadcast 172.17.3.255<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
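One way to fire that script automatically on eth0 carrier changes, as an added example that is not part of the original notes. It assumes iproute2's <code>ip monitor link</code> is available, uses the wan and wlan0 names from the interfaces file above, and takes the OpenRC service name(s) to restart from a hypothetical VPN_SERVICES variable; it toggles wlan0 directly instead of calling ifdown eth0, so eth0 stays administratively up and keeps reporting carrier events.

```shell
#!/bin/sh
# Added example (not from the original notes): run the "eth0 link changed"
# hook automatically by parsing the output of `ip monitor link`.
# Assumptions: iproute2 provides `ip monitor`; "wan" and "wlan0" are the
# interface names from /etc/network/interfaces; VPN_SERVICES (hypothetical
# variable) lists the OpenRC services to restart, space separated.

VPN_SERVICES=${VPN_SERVICES:-openvpn}

# Print "up" or "down" when the monitor line describes interface $2,
# print nothing for any other line (other interfaces, link/ether lines,
# "Deleted ..." notifications).
# Carrier is present when the flag list between < and > holds LOWER_UP.
carrier_state() {
    line=$1
    iface=$2
    case $line in
        Deleted*) return 0 ;;
        *": $iface: <"*">"*) ;;
        *) return 0 ;;
    esac
    flags=${line#*<}
    flags=${flags%%>*}
    case ",$flags," in
        *,LOWER_UP,*) echo up ;;
        *) echo down ;;
    esac
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@" || true
    fi
}

# Actions after a carrier change on the wired interface.
on_change() {
    if [ "$1" = up ]; then
        run ip link set wlan0 down    # cable plugged: prefer eth0
    else
        run ip link set wlan0 up      # cable removed: fall back to wifi
    fi
    run ifdown wan
    run ifup wan                      # "inet dhcp": restarts the DHCP client
    for svc in $VPN_SERVICES; do
        run rc-service "$svc" restart
    done
}

# Read monitor lines on stdin and act only on real transitions, because
# the kernel emits several messages for a single plug or unplug.
handle_events() {
    iface=$1
    last=
    while IFS= read -r line; do
        state=$(carrier_state "$line" "$iface")
        [ -n "$state" ] || continue
        [ "$state" != "$last" ] || continue
        last=$state
        on_change "$state"
    done
}

# Usage: script --watch [interface]
if [ "${1:-}" = "--watch" ]; then
    ip monitor link | handle_events "${2:-eth0}"
fi
```

Started once from /etc/local.d with <code>--watch eth0</code>, it replaces the manual launch; with DRY_RUN=1 it only prints the commands it would run.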
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br vpn<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
qemu-img create -f raw /media/usb/images/router.img<br />
qemu-img create -f raw /media/usb/images/proxy.img<br />
qemu-img create -f raw /media/usb/images/desktop.img<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
</pre><br />
<br />
Then launch <pre><br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom /media/sda1/images/ampine.iso \<br />
-drive file=/media/sda1/images/san.img \ <br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br/><br />
<u>/etc/local.d/41-KVM-proxy stop</u><br/><br />
<u>/etc/local.d/42-KVM-router.stop</u><br/><br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br/><br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop. <pre>Xorg -query 172.17.3.4</pre><br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10930User talk:Jch2015-05-31T09:23:30Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
[[File:Laptop-jch.png]]<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
{{cat|/etc/local.d/41-KVM-router.start|<br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net storage \<br />
-boot d<br />
}}<br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
{{cat|/etc/local.d/42-KVM-proxy.start|<br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \ <br />
-boot d<br />
}}<br />
''run-from-ram'' based on an apkovl<br />
<br />
{{cat|/etc/local.d/43-KVM-desktop.start|<br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \ # / LUKS+swap LUKS+/var LUKS+/usr/local<br />
-drive file=nbd:kvm-san:home \ # LUKS+/home<br />
-net lan \<br />
-net storage \<br />
-boot c<br />
}}<br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
'''What if this KVM is launched, not from screen but as X shell on baremetal?'''<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br/><br />
<u>/etc/local.d/41-KVM-proxy stop</u><br/><br />
<u>/etc/local.d/42-KVM-router.stop</u><br/><br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br/><br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br/><br />
It's working but the screen resolution is not good...<br/><br />
https://www.tablix.org/~avian/blog/archives/2013/05/custom_display_resolutions_in_qemu/<br />
<br />
Will go back to plain remote X...<br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=File:Laptop-jch.png&diff=10929File:Laptop-jch.png2015-05-31T09:22:15Z<p>Jch: internal architectural schema of jch's laptop</p>
<hr />
<div>internal architectural schema of jch's laptop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10925User talk:Jch2015-05-30T16:15:19Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environement.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependecies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seems to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mouting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in {{cat|/etc/network/interfaces|<br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
}}<br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment {{cat|/etc/apk/world|<br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
}}<br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
# -cdrom holds / ; -drive /dev/sda2 holds /dev/storage (lvm2+luks)<br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom /media/sda1/images/san.img \<br />
-drive file=/dev/sda2 \<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
{{cat|/etc/local.d/41-KVM-router.start|<br />
# -cdrom holds /<br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net storage \<br />
-boot d<br />
}}<br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
{{cat|/etc/local.d/42-KVM-proxy.start|<br />
# -cdrom holds /<br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
}}<br />
''run-from-ram'' based on an apkovl<br />
<br />
{{cat|/etc/local.d/43-KVM-desktop.start|<br />
# first -drive (desktop): / LUKS+swap LUKS+/var LUKS+/usr/local ; second -drive (home): LUKS+/home<br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \<br />
-drive file=nbd:kvm-san:home \<br />
-net lan \<br />
-net storage \<br />
-boot c<br />
}}<br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
'''What if this KVM is launched, not from screen but as X shell on baremetal?'''<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br/><br />
<u>/etc/local.d/41-KVM-proxy stop</u><br/><br />
<u>/etc/local.d/42-KVM-router.stop</u><br/><br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br/><br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br/><br />
It's working but the screen resolution is not good...<br/><br />
https://www.tablix.org/~avian/blog/archives/2013/05/custom_display_resolutions_in_qemu/<br />
<br />
Will go back to plain remote X...<br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10924User talk:Jch2015-05-30T15:38:33Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
# -cdrom holds / ; -drive /dev/sda2 holds /dev/storage (lvm2+luks)<br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom /media/sda1/images/san.img \<br />
-drive file=/dev/sda2 \<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
# -cdrom holds /<br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
# -cdrom holds /<br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
# first -drive (desktop): / LUKS+swap LUKS+/var LUKS+/usr/local ; second -drive (home): LUKS+/home<br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \<br />
-drive file=nbd:kvm-san:home \<br />
-net lan \<br />
-net storage \<br />
-boot c<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
'''What if this KVM is launched, not from screen but as X shell on baremetal?'''<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br/><br />
It's working but the screen resolution is not good...<br/><br />
https://www.tablix.org/~avian/blog/archives/2013/05/custom_display_resolutions_in_qemu/<br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=Running_Alpine_in_Live_mode_in_QEMU&diff=10911Running Alpine in Live mode in QEMU2015-05-29T06:29:18Z<p>Jch: Is there a way to pass an apkovl as paramater at this stage?</p>
<hr />
<div>If you just want to give Alpine Linux a try, qemu can be used without a disk image and further configuration.<br />
<br />
{{Cmd|qemu -m 512 -cdrom alpine-3.2.0-x86_64.iso}}<br />
<br />
You need to issue {{Cmd|grsec nomodeset}} at boot prompt to avoid being forced in graphical mode and losing access.<br />
<br />
<u>Question</u>: Is there a way to pass an apkovl as parameter at this stage?<br />
<br />
[[Category:Virtualization]]</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10910User talk:Jch2015-05-29T04:23:33Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel set eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \ # / LUKS+swap LUKS+/var LUKS+/usr/local<br />
-drive file=nbd:kvm-san:home \ # LUKS+/home<br />
-net lan \<br />
-net storage \<br />
-boot c<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
'''What if this KVM is launched, not from screen but as X shell on baremetal?'''<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10909User talk:Jch2015-05-28T09:38:08Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel set eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \ # / LUKS+swap LUKS+/var LUKS+/usr/local<br />
-drive file=nbd:kvm-san:home \ # LUKS+/home<br />
-net lan \<br />
-net storage \<br />
-net vpn \<br />
-boot c<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br />
<br />
Now is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10908User talk:Jch2015-05-28T09:24:20Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files. <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued only if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
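An added example (not part of the original notes): one way to fire a script on eth0 link state changes is to parse the output of <code>ip monitor link</code> and act once per real carrier transition. It assumes iproute2's <code>ip</code> is installed and that the tunnels are OpenRC services named openvpn.*; the function names link_event, transitions and on_change are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page. Watches carrier changes on the
# wired NIC and cycles the bridge, as the notes above describe wanting.
# Assumptions: iproute2 provides `ip monitor`; IFACE/BRIDGE default to the
# page's eth0 and wan; tunnels are OpenRC services named openvpn.*.

IFACE="${IFACE:-eth0}"
BRIDGE="${BRIDGE:-wan}"

# Classify one line of `ip -o monitor link` output for interface $2.
# Prints "up" when the flag list has LOWER_UP (carrier present), "down" when
# it does not, and nothing for lines about other interfaces.
link_event() {
    le_line=$1
    le_if=$2
    case "$le_line" in
        *": $le_if: <"*) ;;
        *) return 0 ;;
    esac
    le_flags=${le_line#*<}
    le_flags=${le_flags%%>*}
    case ",$le_flags," in
        *,LOWER_UP,*) echo up ;;
        *) echo down ;;
    esac
}

# Read monitor lines on stdin and print one "up"/"down" per real transition;
# a single carrier change can produce several messages.
transitions() {
    tr_if=$1
    tr_prev=""
    while IFS= read -r tr_line; do
        tr_new=$(link_event "$tr_line" "$tr_if")
        if [ -n "$tr_new" ] && [ "$tr_new" != "$tr_prev" ]; then
            echo "$tr_new"
            tr_prev=$tr_new
        fi
    done
}

# Hook run on each transition: renew DHCP on the bridge, restart the tunnels.
on_change() {
    logger -t linkwatch "$IFACE carrier $1, cycling $BRIDGE"
    ifdown "$BRIDGE" 2>/dev/null
    ifup "$BRIDGE"
    for oc_svc in /etc/init.d/openvpn.*; do
        if [ -x "$oc_svc" ]; then
            rc-service "${oc_svc##*/}" restart
        fi
    done
}

# Constructed sample of monitor output (not captured from a real machine).
SAMPLE='2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN'

# Dry run over the sample: prints the transitions the hook would see.
demo() {
    printf '%s\n' "$SAMPLE" | transitions eth0
}

case "${1:-}" in
    --watch)
        ip -o monitor link | transitions "$IFACE" | while IFS= read -r state; do
            on_change "$state"
        done
        ;;
    --demo)
        demo
        ;;
esac
```

Run with <code>--demo</code> to see the transitions for the sample lines, or with <code>--watch</code> as root (for instance from /etc/local.d) to act on live events.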
<br />
'''setup-xorg-base''' <br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki.alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki.alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
# -cdrom image provides / ; -drive /dev/sda2 is /dev/storage (lvm2+luks)<br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom /media/sda1/images/san.img \<br />
-drive file=/dev/sda2 \<br />
-net lan \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
# -cdrom ISO provides / ; the NBD drive holds /var<br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-drive file=nbd:kvm-san:router \<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' from cd-rom iso and apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
# -cdrom ISO provides /<br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-drive file=nbd:kvm-san:proxy \<br />
-net lan \<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
# first NBD drive: / LUKS+swap LUKS+/var LUKS+/usr/local ; second: LUKS+/home<br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \<br />
-drive file=nbd:kvm-san:home \<br />
-net lan \<br />
-net storage \<br />
-net vpn \<br />
-boot c<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop.<br />
<br />
Now it is time to wipe the current install from disk to follow http://it-offshore.co.uk/downloads/setup-lvm and adapt it a little bit to use '''setup-bootable''' instead of setup-disk sys.</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10907User talk:Jch2015-05-28T09:06:51Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files. <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued only if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0. And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' <br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki.alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki.alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
# -cdrom image provides / ; -drive /dev/sda2 is /dev/storage (lvm2+luks)<br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom /media/sda1/images/san.img \<br />
-drive file=/dev/sda2 \<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
# -cdrom ISO provides / ; the NBD drive holds /var<br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \<br />
-drive file=nbd:kvm-san:router \<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
# the NBD drive holds /var<br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-drive file=nbd:kvm-san:proxy -net ... \<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
# first NBD drive: /usr ; second: /home<br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \<br />
-drive file=nbd:kvm-san:home \<br />
-net ... \<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10906User talk:Jch2015-05-28T09:02:50Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on a USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync;syslog-ng;collectd (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
Then launch <pre><br />
screen -m -d -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-name router -curses \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
screen -m -d -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-name desktop -curses \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10905User talk:Jch2015-05-28T08:45:37Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on a USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from a USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
For details on individual packages, please refer to relevant pages elsewhere in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 384 \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 128 \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 256 \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10904User talk:Jch2015-05-28T08:42:43Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
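One way to get the event the notes above ask for, as an added example (not the author's script): watch <code>ip monitor link</code>, act only on real carrier transitions of eth0, then cycle wan and restart the openvpn.* services. It assumes <code>ip monitor</code> from iproute2, busybox <code>ifup</code>/<code>ifdown</code>, OpenRC's <code>rc-service</code> and <code>logger</code>; the function names and the <code>DRY_RUN</code>/<code>INITD</code> variables are made up for this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: react to eth0 carrier changes.
# Interface names eth0 and wan come from the page; everything else is assumed.

IFACE="${IFACE:-eth0}"          # physical port whose carrier is watched
UPLINK="${UPLINK:-wan}"         # OVS bridge that holds the DHCP lease
INITD="${INITD:-/etc/init.d}"   # where the openvpn.* OpenRC scripts live

# carrier_state LINE IFACE
# Print "up" or "down" if LINE is an `ip monitor link` header line for IFACE,
# print nothing for other interfaces and for continuation (link/ether) lines.
carrier_state() {
    line=$1
    iface=$2
    case $line in
        *": $iface: <"*) ;;
        *) return 0 ;;
    esac
    flags=${line#*<}        # drop everything up to the flag list
    flags=${flags%%>*}      # keep only what is inside <...>
    case ",$flags," in
        *,LOWER_UP,*) echo up ;;    # LOWER_UP means carrier is present
        *)            echo down ;;
    esac
}

# transition PREV NEW
# Print NEW only on a real change. ifup/ifdown themselves toggle the link
# and cause further notifications, so repeats must not re-trigger anything.
transition() {
    if [ -n "$2" ] && [ "$1" != "$2" ]; then
        echo "$2"
    fi
    return 0
}

# run CMD...: execute, or only print when DRY_RUN is set (used for testing).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@" || logger -t linkwatch "failed: $*"
    fi
}

# apply_state up|down
# Run the eth0 stanzas (which also flip wlan0), renew the lease on the
# uplink bridge, then restart every openvpn.* service that exists.
apply_state() {
    case $1 in
        up)   run ifup "$IFACE" ;;
        down) run ifdown "$IFACE" ;;
        *)    return 1 ;;
    esac
    run ifdown "$UPLINK"
    run ifup "$UPLINK"
    for svc in "$INITD"/openvpn.*; do
        if [ -e "$svc" ]; then
            run rc-service "${svc##*/}" restart
        fi
    done
    return 0
}

# watch_link: block on kernel link notifications and apply each transition.
watch_link() {
    prev=
    ip monitor link | while IFS= read -r line; do
        new=$(transition "$prev" "$(carrier_state "$line" "$IFACE")")
        [ -n "$new" ] || continue
        prev=$new
        logger -t linkwatch "$IFACE carrier $new"
        apply_state "$new"
    done
}

# Only start watching when asked to, so the functions can be sourced.
if [ "${1:-}" = "--watch" ]; then
    watch_link
fi
```

Run it with <code>--watch</code> in the background; with <code>DRY_RUN=1</code> set, the commands are printed instead of executed.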
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).<br/><br />
# baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup<br/><br />
# KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop : xorg (X ; x2goclient; cups); DE<br />
# KVM-proxy : squid+privoxy<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 384 \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 128 \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 256 \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10903User talk:Jch2015-05-28T08:36:06Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with an up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy<br />
<br />
For details for a specific package in the above lists, please refer to appropriate page in this wiki.<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
fdisk /dev/sda<br />
sync<br />
<br />
</pre><br />
<br />
and launch <pre><br />
screen -d -m -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
screen -d -m -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
<br />
screen -d -m -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
screen -d -m -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-desktop \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-proxy \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-router \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-san \<br />
kill pidof<br />
</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10902User talk:Jch2015-05-28T08:33:24Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
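One way to fire a script on eth0 carrier changes, as an added example that is not part of the original notes: it classifies lines of <code>ip -o monitor link</code> output and acts only on real state changes. It assumes the iproute2 <code>ip</code> (for the <code>monitor</code> subcommand), the interface names used above, and OpenVPN instances run as OpenRC services named openvpn or openvpn.&lt;name&gt;; the function names and the <code>--watch</code> and <code>DRY_RUN</code> switches are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumptions: iproute2 provides `ip monitor`; eth0 and wan are the names
# used in /etc/network/interfaces; OpenVPN runs as OpenRC service(s)
# called openvpn or openvpn.<name>.

WATCHED_IF="eth0"   # physical port whose carrier is followed
UPLINK_IF="wan"     # bridge interface that holds the DHCP lease

# Constructed sample of `ip -o monitor link` output (shortened), for dry runs.
SAMPLE_EVENTS='2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
2: eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN'

# classify_link_line LINE -> prints up, down or ignore.
classify_link_line() {
    line=$1
    case "$line" in
        *": ${WATCHED_IF}: <"*) ;;        # event for the watched port
        *) echo ignore; return 0 ;;       # other interface or continuation line
    esac
    case "$line" in
        Deleted*) echo down; return 0 ;;  # interface was removed
    esac
    flags=${line#*<}                      # drop everything up to the first <
    flags=${flags%%>*}                    # keep only the flag list
    case ",$flags," in
        *,LOWER_UP,*) echo up ;;          # carrier present
        *) echo down ;;                   # NO-CARRIER or admin down
    esac
}

# transitions: read monitor lines on stdin, print each carrier state change.
# Repeated reports of the same state are dropped, so the link events caused
# by our own ifup/ifdown calls do not retrigger the handler.
transitions() {
    state=unknown
    while IFS= read -r line; do
        new=$(classify_link_line "$line")
        [ "$new" = ignore ] && continue
        [ "$new" = "$state" ] && continue
        state=$new
        echo "$state"
    done
    return 0
}

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_change up|down: switch eth0 via ifupdown, then renew DHCP on wan.
apply_change() {
    case "$1" in
        up)   run ifup "$WATCHED_IF" ;;
        down) run ifdown "$WATCHED_IF" ;;
        *)    return 1 ;;
    esac
    run ifdown "$UPLINK_IF"
    run ifup "$UPLINK_IF"
}

# restart_vpn: restart every OpenVPN service instance found in /etc/init.d.
restart_vpn() {
    for svc in /etc/init.d/openvpn*; do
        [ -e "$svc" ] || continue
        run rc-service "${svc##*/}" restart
    done
}

# watch_links: blocks forever, reacting to live kernel link events.
watch_links() {
    ip -o monitor link | transitions | while IFS= read -r new_state; do
        apply_change "$new_state"
        restart_vpn
    done
}

if [ "${1:-}" = "--watch" ]; then
    watch_links
fi
```

Running it with <code>--watch</code> from a local.d start script keeps it in the foreground, so it has to be backgrounded there; setting <code>DRY_RUN=1</code> prints the commands instead of running them.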
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
First <pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
fdisk /dev/sda<br />
sync<br />
<br />
</pre><br />
<br />
and launch <pre><br />
screen -d -m -S KVM-san \<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-name san -curses \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre><br />
screen -d -m -S KVM-router \<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d<br />
</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre><br />
<br />
screen -d -m -S KVM-proxy \<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-name proxy -curses \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n<br />
</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre><br />
screen -d -m -S KVM-desktop \<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-desktop \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-proxy \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-router \<br />
kill pidof<br />
</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre><br />
screen -d -m -S KVM-san \<br />
kill pidof<br />
</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10901User talk:Jch2015-05-28T06:46:36Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapt quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy<br />
<br />
<u>/etc/local.d/40-KVM-SAN.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 384 \<br />
-cdrom file=/media/sda1/images/san.img \ # /<br />
-drive file=/dev/sda2 \ # /dev/storage (lvm2+luks)<br />
-net storage \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl<br />
<pre><br />
ovs-vsctl add-br wan<br />
ovs-vsctl add-br storage<br />
ovs-vsctl add-br lan<br />
ovs-vsctl add-br consul<br />
mount -o remount,rw /media/usb<br />
mkdir /media/usb/images<br />
cd /media/usb/images<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso<br />
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso<br />
qemu-img create -f raw /media/usb/images/san.img<br />
sync<br />
cd<br />
mkdir /media/usb/apkovl<br />
apk -v sync<br />
mount -o remount,ro /media/usb<br />
lbu package # or lbu ci<br />
</pre><br />
<br />
<u>/etc/local.d/41-KVM-router.start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 128 \<br />
-cdrom file=/media/sda1/images/alpine-mini-3.2-x86_64.iso \ # /<br />
-drive file=nbd:kvm-san:router \ # /var<br />
-net wan \<br />
-net lan \<br />
-net vpn \<br />
-net consul \<br />
-boot d</pre><br />
''run-from-ram'' based on an apkovl. We have a clean install at each boot. <br />
<br />
<u>/etc/local.d/42-KVM-proxy start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 256 \<br />
-drive file=nbd:kvm-san:proxy -net ...\ # /var<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
<u>/etc/local.d/43-KVM-desktop start</u><br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \ # /usr<br />
-drive file=nbd:kvm-san:home \ # /home<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
<u>/etc/local.d/40-KVM-desktop stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/41-KVM-proxy stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/42-KVM-router.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>/etc/local.d/43-KVM-SAN.stop</u><br />
<br />
<pre>kill pidof</pre><br />
<br />
<u>Start X</u> on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10896User talk:Jch2015-05-28T04:03:44Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapt quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy<br />
<br />
/etc/local.d/40-KVM-SAN.start<br />
<br />
<pre># first drive: / ; second drive: /dev/storage (lvm2+luks)<br />
qemu-system-x86_64 -enable-kvm -m 384 \<br />
-drive file=/media/sda1/images/san.img \<br />
-drive file=/dev/sda2 \<br />
-net ...\<br />
-boot c</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/41-KVM-router.start<br />
<br />
<pre># drive: /var<br />
qemu-system-x86_64 -enable-kvm -m 128 \<br />
-drive file=nbd:kvm-san:router -net ...\<br />
-boot c</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/42-KVM-proxy.start<br />
<br />
<pre># drive: /var<br />
qemu-system-x86_64 -enable-kvm -m 256 \<br />
-drive file=nbd:kvm-san:proxy -net ...\<br />
-boot n</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/43-KVM-desktop.start<br />
<br />
<pre># first drive: /usr ; second drive: /home<br />
qemu-system-x86_64 -enable-kvm -m 3000 \<br />
-drive file=nbd:kvm-san:desktop \<br />
-drive file=nbd:kvm-san:home \<br />
-net ...\<br />
-boot n<br />
</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
/etc/local.d/40-KVM-desktop.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/41-KVM-proxy.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/42-KVM-router.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/43-KVM-SAN.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
Start X on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10893User talk:Jch2015-05-28T03:48:52Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
screen<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy<br />
<br />
/etc/local.d/40-KVM-SAN.start<br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 384 -drive file=... -net ...</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/41-KVM-router.start<br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 128 -drive file=... -net ...</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/42-KVM-proxy.start<br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 256 -drive file=... -net ...</pre><br />
''run-from-ram'' based on an apkovl<br />
<br />
/etc/local.d/43-KVM-desktop.start<br />
<br />
<pre>qemu-system-x86_64 -enable-kvm -m 3000 -drive file=... -net ...</pre><br />
''sys'' install on NBD and NFS<br />
takes on the sound system<br />
<br />
/etc/local.d/40-KVM-desktop.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/41-KVM-proxy.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/42-KVM-router.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
/etc/local.d/43-KVM-SAN.stop<br />
<br />
<pre>kill pidof</pre><br />
<br />
Start X on bare-metal against KVM-desktop</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10892User talk:Jch2015-05-28T03:23:13Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you to do this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking after the right solution to backup NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure the consul leader being the active PXEserver and other consul servers are dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on USB stick preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(/<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued if needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Other exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
qemu-system-x86_64<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# KVM-router firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd<br />
# KVM-SAN-NAS lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp<br />
# KVM-Desktop server (X ; x2goclient; cups)<br />
# KVM-proxy squid+privoxy</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10891User talk:Jch2015-05-28T03:17:13Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting the quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on a USB stick, preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
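One way to get the missing trigger, as an added example that is not part of the original notes: a small poller that reads the carrier flag of eth0 and, on each change, cycles wan and restarts the openvpn.* services. The interface and service names come from the text above; the function names and the SYSFS_NET, INITD, POLL_SECS and DRY_RUN variables are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): poll the carrier flag of an
# interface and react when it changes.
# Assumed names: SYSFS_NET, INITD, POLL_SECS, DRY_RUN and all function names.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable so the logic can be tested
INITD="${INITD:-/etc/init.d}"
POLL_SECS="${POLL_SECS:-2}"

# Print 1 if the interface has carrier, 0 otherwise. Reading "carrier" fails
# (EINVAL) while the interface is administratively down, which is why the
# interfaces file keeps "pre-up ip link set eth0 up"; a failed read counts as 0.
carrier_of() {
    c=$(cat "$SYSFS_NET/$1/carrier" 2>/dev/null) || c=0
    if [ "$c" = "1" ]; then echo 1; else echo 0; fi
}

# Run a command, or only print it when DRY_RUN is set. A failing command is
# reported but does not stop the watcher (ifdown on an interface that is
# not configured may fail).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@" || echo "link-watch: '$*' failed" >&2
    fi
}

# Actions for one link change: cycle the bridge so its DHCP client starts
# again, then restart every openvpn.* service found in the init.d directory.
on_change() {
    run ifdown "$1"
    run ifup "$1"
    for svc in "$INITD"/openvpn.*; do
        [ -e "$svc" ] || continue          # glob matched nothing
        run rc-service "${svc##*/}" restart
    done
}

# watch_link IFACE BRIDGE [MAX_POLLS]; without MAX_POLLS it loops forever.
watch_link() {
    max=${3:-}
    prev=$(carrier_of "$1")
    n=0
    while [ -z "$max" ] || [ "$n" -lt "$max" ]; do
        sleep "$POLL_SECS"
        cur=$(carrier_of "$1")
        if [ "$cur" != "$prev" ]; then
            on_change "$2"
            prev=$cur
        fi
        n=$((n + 1))
    done
}

# Start the watcher only when asked to: sh link-watch.sh run
if [ "${1:-}" = "run" ]; then
    watch_link eth0 wan
fi
```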
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment, the system is usable as internet machine with '''/etc/apk/world''' <pre><br />
alpine-base<br />
wireless-tools<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
awesome<br />
lxterminal<br />
openssh-client<br />
midori<br />
claws-mail<br />
</pre><br />
<br />
Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC.<br/><br />
# a KVM-router/firewall/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)<br />
# a KVM-Desktop server (X ; x2goclient; cups)<br />
# a KVM-proxy squid+privoxy<br />
# a KVM-SAN-NAS (lvm2+nbd-server;ssh;nfs;samba)</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10890User talk:Jch2015-05-27T20:38:25Z<p>Jch: /* My laptop setup */</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting the quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
It is really cool to prepare the setup on a USB stick, preparing an apkovl. It keeps the environment with no pollution; no history, no temporary files, <br/><br />
At the end it could be pushed as kind of sys install (more later on the topic).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(<br/><br />
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)<br />
<br />
My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in '''/etc/network/interfaces''' <pre><br />
auto lo wlan0 wan<br />
allow-hotplug eth0 <br />
iface lo inet loopback<br />
iface eth0 inet manual<br />
up ip link set eth0 up<br />
up ip link set wlan0 down<br />
down ip link set eth0 down<br />
down ip link set wlan0 up<br />
iface wlan0 inet manual<br />
up ip link set wlan0 up<br />
down ip link set wlan0 down<br />
iface wan inet dhcp<br />
pre-up ip link set eth0 up<br />
hostname jch-laptop<br />
</pre><br />
With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link.<br />
Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick but it seems that the event is not fired by the kernel if the link is not set...<br/><br />
The pre-up stanza is to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected. <br/><br />
But wan is not updated on eth0 link change. ifdown wan should be issued iif needed. And ifup wan every time eth0 changes state.<br/><br />
Also I need to restart the dhcp client on wan on link change on eth0 . And to restart openvpn.* daemons...<br />
<br />
We need to fire an event (script) on eth0 link state changes!<br/><br />
To (re)start the dhcp client on wan and to restart openvpn.*...<br/><br />
Others exposed services should listen to 0.0.0.0 on wan interface and not be affected by the change.<br/><br />
I tried with a script called with a up stanza. To no result.<br/><br />
To launch the script manually does the trick for now.<br />
<br />
'''setup-xorg-base''' and '''awesome''' <u>minimal</u> with '''(claws-mail, midori, lxterminal)'''<br />
<br />
At this moment, the system is usable as internet machine with '''/etc/apk/world''' <pre><br />
alpine-base<br />
wpa_supplicant<br />
openvswitch<br />
openvpn<br />
xorg-server<br />
xf86-video-vesa<br />
xf86-video-intel<br />
xf86-video-modesetting<br />
xf86-input-evdev<br />
xf86-input-mouse<br />
xf86-input-keyboard<br />
xf86-input-synaptics<br />
udev<br />
alsa-utils<br />
awesome<br />
lxterminal<br />
openssh-client<br />
midori<br />
claws-mail<br />
</pre></div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10889User talk:Jch2015-05-27T16:05:57Z<p>Jch: /* My laptop setup */ new section</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, to use NFS as client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting the quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...<br />
<br />
== My laptop setup ==<br />
<br />
After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (desktop will be last).<br />
<br />
I want it to run-from-ram as from an USB stick but from the first partition.<br/><br />
It will need to run X (not wayland as I plan to make heavy usage of remote X of both full desktops and applications).<br/><br />
It will need to have good sound support with network support (jack? pulse-audio?).<br />
<br />
For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/<br/><br />
Unfortunately there is nothing about setting up sound in this wiki :(</div>Jchhttps://wiki.alpinelinux.org/w/index.php?title=User_talk:Jch&diff=10884User talk:Jch2015-05-26T06:45:40Z<p>Jch: /* About X2Go */ new section</p>
<hr />
<div>== [[User_talk:Jch/How to automate KVM creation|How to automate KVM creation]] ==<br />
How to emulate USB stick with KVM.<br />
<br />
== [[User_talk:Jch/Starting_AL_from_network|Starting_AL_from_network]] ==<br />
How to set up a PXE environment.<br />
<br />
== [[User_talk:Jch/Building_a_complete_infrastucture_with_AL|Building_a_complete_infrastucture_with_AL]] ==<br />
<br />
<u>From first repo</u> (boot media):<br />
<br />
AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath '''consul''' dnsmasq vim collectd collectd-network git syslog-ng <s>envconsul</s> <s>consul-template</s> <s>xnbd</s> <s>ceph</s> lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn <s>fsconsul</s><br />
<br />
and all dependencies...<br />
<br />
will [[How_to_make_a_custom_ISO_image|build a custom ISO]] with that list...<br />
<br />
== About NFS ==<br />
<br />
NFS is now working with AL. Both as server and client with the nfs-utils package.<br/><br />
However, using NFS as a client in some LXC does not seem to work yet, as shown below<br />
<pre><br />
nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt<br />
mount.nfs: Operation not permitted<br />
mount: permission denied (are you root?)<br />
nfstest:~# tail /var/log/messages <br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC <br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use<br />
Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted<br />
Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user<br />
nfstest:~# ls -l /var/lib/nfs<br />
total 12<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 etab<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm<br />
drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak<br />
-rw-r--r-- 1 root root 4 Apr 4 10:05 state<br />
-rw-r--r-- 1 root root 0 Nov 10 15:43 xtab<br />
</pre><br />
<br />
msg from ncopa """<br />
dmesg should tell you that grsecurity tries to prevent you from doing this.<br />
<br />
grsecurity does not permit the syscall mount from within a chroot since<br />
that is a way to break out of a chroot. This affects lxc containers too.<br />
<br />
I would recommend that you do the mounting from the lxc host in the<br />
container config with lxc.mount.entry or similar.<br />
<br />
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR<br />
<br />
If you still want to disable mount protection in grsecurity then you<br />
can do that with:<br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
"""<br />
<br />
this is not working with<br />
<br />
<pre>lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded.<br />
<br />
<pre><br />
backend:~# lxc-start -n nfstest<br />
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount<br />
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'<br />
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for<br />
'nfstest'<br />
lxc-start: start.c: do_start: 688 failed to setup the container<br />
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2<br />
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'<br />
</pre><br />
<br />
Nor with<br />
<br />
<pre><br />
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount<br />
</pre><br />
<br />
on the host machine with all nfs modules and helper software installed and loaded which doesn't work either.<br />
<br />
To find a proper way to use NFS shares from AL LXC is an important topic in order to be able to, for instance, load balance web servers sharing contents uploaded by users.<br />
<br />
Next step will be to have HA for the NFS server itself (with only AL machines).<br />
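
One way to follow ncopa's advice of mounting from the LXC host, as an added example that is not part of the original notes: mount the NFS export on the host and bind-mount it into the container, generating the entry only after checking that the host path really is an NFS mount. The host mountpoint /srv/nfs/alpine, the function names and the sample mounts table are assumptions, and this has not been tested on the grsecurity setup described above.

```shell
#!/bin/sh
# Added example. Real usage on the LXC host, after mounting the export there:
#   lxc_bind_entry /srv/nfs/alpine mnt < /proc/mounts >> /path/to/container/config

# Constructed sample in /proc/mounts format (the mountpoints are assumptions).
sample_mounts() {
    cat <<'EOF'
rootfs / rootfs rw 0 0
/dev/sda1 /srv/data ext4 rw,relatime 0 0
192.168.1.149:/srv/boot/alpine /srv/nfs/alpine nfs ro,nosuid,relatime,vers=3,addr=192.168.1.149 0 0
EOF
}

# Read a mounts table on stdin and print the options of the NFS filesystem
# mounted at $1. Fails if $1 is not an NFS mount (the last matching line wins,
# which is the mount currently visible at that path).
nfs_mount_opts() {
    awk -v mp="$1" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4") { opts = $4; found = 1 }
        END { if (!found) exit 1; print opts }
    '
}

# Print an lxc.mount.entry line that bind-mounts host NFS mountpoint $1 onto
# the container-relative path $2. nosuid and nodev are always set, and the
# bind is marked read-only when the host mount is read-only.
lxc_bind_entry() {
    opts=$(nfs_mount_opts "$1") || {
        echo "error: $1 is not an NFS mount on the host" >&2
        return 1
    }
    flags="bind,nosuid,nodev"
    case ",$opts," in
        *,ro,*) flags="$flags,ro" ;;
    esac
    printf 'lxc.mount.entry=%s %s none %s 0 0\n' "$1" "$2" "$flags"
}

# Demo on the constructed table.
sample_mounts | lxc_bind_entry /srv/nfs/alpine mnt
```

Refusing to emit an entry for a path that is not an NFS mount avoids silently bind-mounting an empty host directory into the container when the host-side mount has failed.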
<br />
== About NBD ==<br />
<br />
NBD is now in edge/testing thanks to clandmeter.<br />
<br />
''I cannot test it properly at the moment because all the machines are busy in prod. and this package allows newstyle only. I'm waiting for my new lab machine...''<br />
<br />
We still miss '''xnbd''' for its proxy features allowing live migration.<br />
'''We are very excited by xnbd capacities!'''<br/><br />
Will be avid tester!<br />
<br />
Also we are still looking for the right solution to back up NBD as a whole (versus by its content) while in use. dd|nc is the used way nowadays.<br />
<br />
== [[User_talk:Jch/New_lab_machine|New_lab_machine]] ==<br />
My new lab machine ;)<br />
<br />
still waiting :(<br />
<br />
== About consul ==<br />
<br />
nothing yet but big hopes ^^<br/><br />
I'm lurking IRC about it ;)<br />
<br />
We plan to use its dynamic DNS feature, its hosts listing, services inventory, events, k/v store... <br/><br />
and even semi high-availability for our PXE infrastructure, the consul leader being the active PXEserver and the other consul servers being dormant PXEservers.<br/><br />
All config scripts adapted to pull values out of consul k/v datastore based on profiles found out of consul various lists.<br/><br />
As the key for dhcpd and PXEboot is the hwaddr, it will become our uuid for LAN and consul too.<br/><br />
'''We are very excited by consul capacities!'''<br/><br />
Will be avid tester!<br />
<br />
'''Open questions''':<br />
<br />
# What memory footprint is needed?<br />
# What about dynamically adapting quorum size?<br />
# Are checks possible triggers?<br />
#* <pre>consul watch -prefix type -name name /path/to/executable</pre><br />
#* <pre>consul event [options] -name name [payload]</pre><br />
# What best practice to store etc configurations?<br />
#* http://code.hootsuite.com/distributed-configuration-management-and-dark-launching-using-consul/<br />
#* http://agiletesting.blogspot.fr/2014/11/service-discovery-with-consul-and.html<br />
#* envconsul<br />
#* consul-template<br />
<br />
log of experimentation at [[User_talk:Jch/consul]]<br />
<br />
== About CEPH ==<br />
<br />
CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).<br />
<br />
The actual situation is not satisfactory.<br />
<br />
'''We are very excited by CEPH capacities!'''<br/><br />
Will be avid tester!<br />
<br />
== About Docker ==<br />
<br />
not a lot of information on the [[Docker]] page yet ...<br />
<br />
== About E-MailRelay ==<br />
<br />
E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA). <br/><br />
See http://emailrelay.sourceforge.net/<br />
<br />
It compiles fine on AL.<br />
<pre><br />
apk update<br />
apk add subversion alpine-sdk<br />
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code<br />
cd emailrelay-code<br />
./configure --prefix=/usr<br />
make<br />
make install<br />
apk del subversion alpine-sdk<br />
apk add libgcc libstdc++<br />
emailrelay --help<br />
</pre><br />
<br />
But I still have issues to properly build a package because it wants to install some stuff in <PREFIX>/libexec...<br/><br />
(And I also need to separate -doc, -test, -extra and optionally -gui in subpackages I guess)<br />
<br />
== About X2Go ==<br />
<br />
=== x2goserver === <br />
<br />
I did prepare x2goserver and nx-libs packages. <br />
<br />
=== x2goclient ===<br />
<br />
<pre><br />
lrelease-qt4 x2goclient.pro<br />
/bin/bash: lrelease-qt4: command not found<br />
Makefile:39: recipe for target 'build_client' failed<br />
</pre> Dunno where to find that...</div>Jch