https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Ms13sp&feedformat=atomAlpine Linux - User contributions [en]2024-03-29T11:53:37ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=ZoneMinder_video_camera_security_and_surveillance&diff=21856ZoneMinder video camera security and surveillance2022-05-10T14:38:38Z<p>Ms13sp: missing details</p>
<hr />
<div>[https://www.zoneminder.com/ ZoneMinder] usually runs with [[Apache]], but in this short how-to we use [[Lighttpd]].<br />
<br />
First, add the needed packages to our system<br />
<br />
apk add zoneminder mariadb mysql-client lighttpd php5-fpm php5-pdo php5-pdo_mysql<br />
<br />
Initialize [https://www.mysql.com/ MySQL] database<br />
<br />
/etc/init.d/mariadb setup<br />
<br />
Set root password for MySQL as instructed by MySQL setup<br />
<br />
/usr/bin/mysqladmin -u root password 'your_secure_root_mysql_password'<br />
<br />
Create a ZoneMinder MySQL database and user<br />
<br />
mysql> create database zm;<br />
<br />
mysql> CREATE USER zmuser@localhost IDENTIFIED BY 'your_zm_password_as_set_in_config';<br />
<br />
mysql> grant ALL on zm.* to zmuser@localhost;<br />
<br />
We are running <code>lighttpd</code>, so let's run <code>php-fpm</code> as lighttpd user/group<br />
<br />
vim /etc/php5/php-fpm.conf<br />
<br />
Which should look like:<br />
<br />
; Unix user/group of processes<br />
; Note: The user is mandatory. If the group is not set, the default user's group<br />
; will be used.<br />
;user = nobody<br />
;group = nobody<br />
user = lighttpd<br />
group = lighttpd<br />
<br />
Enable the php cgi fpm config in <code>lighttpd.conf</code><br />
<br />
vim /etc/lighttpd/lighttpd.conf<br />
<br />
Go down to the includes section, which should look like:<br />
# {{{ includes<br />
include "mime-types.conf"<br />
# uncomment for cgi support<br />
include "mod_cgi.conf"<br />
# uncomment for php/fastcgi support<br />
# include "mod_fastcgi.conf"<br />
# uncomment for php/fastcgi fpm support<br />
include "mod_fastcgi_fpm.conf"<br />
<br />
# }}}<br />
<br />
Edit lighttpd cgi config and add old style cgi support by adding to cgi.assign<br />
<br />
vim /etc/lighttpd/mod_cgi.conf<br />
<br />
which should look like<br />
<br />
cgi.assign = (<br />
"" => "",<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/perl"<br />
)<br />
<br />
Start php-fpm<br />
<br />
/etc/init.d/php-fpm start<br />
<br />
Start lighttpd<br />
<br />
/etc/init.d/lighttpd start<br />
<br />
Set the MySQL hostname, username, password.<br />
<br />
Change the ZoneMinder user (<code>ZM_WEB_USER</code>) and group (<code>ZM_WEB_GROUP</code>) to lighttpd<br />
<br />
And set <code>ZM_SERVER_HOST</code> to your ZoneMinder hostname/ipaddress<br />
<br />
vim /etc/zm.conf<br />
<br />
Which should look like:<br />
<br />
# Username and group that web daemon (httpd/apache) runs as<br />
ZM_WEB_USER=lighttpd<br />
ZM_WEB_GROUP=lighttpd<br />
ZM_PATH_DATA=/usr/share/zoneminder<br />
<br />
# ZoneMinder database type: so far only mysql is supported<br />
ZM_DB_TYPE=mysql<br />
<br />
# ZoneMinder database hostname or ip address<br />
ZM_DB_HOST=localhost<br />
<br />
# ZoneMinder database name<br />
ZM_DB_NAME=zm<br />
<br />
# ZoneMinder database user<br />
ZM_DB_USER=zmuser<br />
<br />
# ZoneMinder database password<br />
ZM_DB_PASS=your_zm_password_as_set_in_config<br />
<br />
# Host of this machine<br />
ZM_SERVER_HOST=yourserver<br />
<br />
Change ownership of <code>zm.conf</code> to <code>lighttpd</code><br />
<br />
chown lighttpd.lighttpd /etc/zm.conf<br />
<br />
Initialize the ZoneMinder database<br />
<br />
/etc/init.d/zoneminder setup<br />
<br />
Start ZoneMinder<br />
<br />
/etc/init.d/zoneminder start<br />
<br />
Profit!<br />
<br />
To access ZoneMinder, browse to <nowiki>http://yourserver/zm/</nowiki><br />
<br />
To make it start automatically on boot:<br />
<br />
rc-update add lighttpd default<br />
rc-update add mariadb default<br />
rc-update add php-fpm default<br />
rc-update add zoneminder default<br />
<br />
== Added notes to work with Nginx ==<br />
Later to add some notes about running via nginx<br />
<br />
==Related Links==<br />
* https://wiki.alpinelinux.org/wiki/Raspberry_Pi_3_-_Browser_Client - Kiosk to watch Streams<br />
<br />
[[Category:Software]]<br />
[[Category:Security]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=ZoneMinder_video_camera_security_and_surveillance&diff=21855ZoneMinder video camera security and surveillance2022-05-10T14:36:01Z<p>Ms13sp: Added details for Alpine 3.15</p>
<hr />
<div>[https://www.zoneminder.com/ ZoneMinder] usually runs with [[Apache]], but in this short how-to we use [[Lighttpd]].<br />
<br />
First, add the needed packages to our system<br />
<br />
apk add zoneminder mariadb mysql-client lighttpd php5-fpm php5-pdo php5-pdo_mysql<br />
<br />
Initialize [https://www.mysql.com/ MySQL] database<br />
<br />
/etc/init.d/mariadb setup<br />
<br />
Set root password for MySQL as instructed by MySQL setup<br />
<br />
/usr/bin/mysqladmin -u root password 'your_secure_root_mysql_password'<br />
<br />
Create a ZoneMinder MySQL database and user<br />
<br />
mysql> create database zm;<br />
<br />
 mysql> CREATE USER zmuser@localhost IDENTIFIED BY 'your_zm_password_as_set_in_config';<br />
<br />
mysql> grant ALL on zm.* to zmuser@localhost;<br />
<br />
We are running <code>lighttpd</code>, so let's run <code>php-fpm</code> as lighttpd user/group<br />
<br />
vim /etc/php5/php-fpm.conf<br />
<br />
Which should look like:<br />
<br />
; Unix user/group of processes<br />
; Note: The user is mandatory. If the group is not set, the default user's group<br />
; will be used.<br />
;user = nobody<br />
;group = nobody<br />
user = lighttpd<br />
group = lighttpd<br />
<br />
Enable the php cgi fpm config in <code>lighttpd.conf</code><br />
<br />
vim /etc/lighttpd/lighttpd.conf<br />
<br />
Go down to the includes section, which should look like:<br />
# {{{ includes<br />
include "mime-types.conf"<br />
# uncomment for cgi support<br />
include "mod_cgi.conf"<br />
# uncomment for php/fastcgi support<br />
# include "mod_fastcgi.conf"<br />
# uncomment for php/fastcgi fpm support<br />
include "mod_fastcgi_fpm.conf"<br />
<br />
# }}}<br />
<br />
Edit lighttpd cgi config and add old style cgi support by adding to cgi.assign<br />
<br />
vim /etc/lighttpd/mod_cgi.conf<br />
<br />
which should look like<br />
<br />
cgi.assign = (<br />
"" => "",<br />
".pl" => "/usr/bin/perl",<br />
".cgi" => "/usr/bin/perl"<br />
)<br />
<br />
Start php-fpm<br />
<br />
/etc/init.d/php-fpm start<br />
<br />
Start lighttpd<br />
<br />
/etc/init.d/lighttpd start<br />
<br />
Set the MySQL hostname, username, password.<br />
<br />
Change the ZoneMinder user (<code>ZM_WEB_USER</code>) and group (<code>ZM_WEB_GROUP</code>) to lighttpd<br />
<br />
And set <code>ZM_SERVER_HOST</code> to your ZoneMinder hostname/ipaddress<br />
<br />
vim /etc/zm.conf<br />
<br />
Which should look like:<br />
<br />
# Username and group that web daemon (httpd/apache) runs as<br />
ZM_WEB_USER=lighttpd<br />
ZM_WEB_GROUP=lighttpd<br />
ZM_PATH_DATA=/usr/share/zoneminder<br />
<br />
# ZoneMinder database type: so far only mysql is supported<br />
ZM_DB_TYPE=mysql<br />
<br />
# ZoneMinder database hostname or ip address<br />
ZM_DB_HOST=localhost<br />
<br />
# ZoneMinder database name<br />
ZM_DB_NAME=zm<br />
<br />
# ZoneMinder database user<br />
ZM_DB_USER=zmuser<br />
<br />
# ZoneMinder database password<br />
ZM_DB_PASS=your_zm_password_as_set_in_config<br />
<br />
# Host of this machine<br />
ZM_SERVER_HOST=yourserver<br />
<br />
Change ownership of <code>zm.conf</code> to <code>lighttpd</code><br />
<br />
chown lighttpd.lighttpd /etc/zm.conf<br />
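<br />
<code>zm.conf</code> now holds <code>ZM_DB_PASS</code>, so it should be readable by the web user but not by everyone else. The script below is an added example, not part of the original how-to or of ZoneMinder: it audits the file mode, the ownership and the database settings written in the steps above. The function names and finding tags are made up for the example, and <code>stat -c</code> (BusyBox or GNU) is assumed.<br />

```sh
#!/bin/sh
# Added example (not from the wiki page): audit zm.conf after the chown step.
# The placeholder password string is the one used in this how-to; function
# names and finding tags are hypothetical.

# Print the value of KEY ($2) from a KEY=value file ($1); last assignment wins.
zm_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one tagged line per finding.
# Returns 0 when clean, 1 when there are findings, 2 when the file is unreadable.
audit_zm_conf() {
    conf=$1
    rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # The file holds ZM_DB_PASS, so "other" must have no access at all.
    mode=$(stat -c '%a' "$conf")
    other=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if [ "$other" != "0" ]; then
        echo "MODE: $conf is mode $mode; remove access for others (chmod o-rwx)"
        rc=1
    fi

    # With "other" closed, the web daemon must reach the file as owner or group.
    web_user=$(zm_get "$conf" ZM_WEB_USER)
    web_group=$(zm_get "$conf" ZM_WEB_GROUP)
    owner=$(stat -c '%U' "$conf")
    group=$(stat -c '%G' "$conf")
    if [ "$owner" != "$web_user" ] && [ "$group" != "$web_group" ]; then
        echo "OWNER: $conf is $owner:$group, web daemon runs as $web_user:$web_group"
        rc=1
    fi

    # Empty password, or the placeholder from the how-to left in place.
    pass=$(zm_get "$conf" ZM_DB_PASS)
    case $pass in
        ''|your_zm_password_as_set_in_config)
            echo "PASSWORD: ZM_DB_PASS is empty or still the how-to placeholder"
            rc=1 ;;
    esac

    # The how-to creates a dedicated zmuser; the MySQL root account is not needed.
    if [ "$(zm_get "$conf" ZM_DB_USER)" = "root" ]; then
        echo "DBUSER: ZM_DB_USER is root; use the dedicated zmuser account"
        rc=1
    fi
    return $rc
}

# Write a constructed sample zm.conf owned by the current user, so the
# ownership check can pass on a machine without a lighttpd account.
write_sample() {
    # $1 = path, $2 = ZM_DB_PASS value, $3 = file mode
    : > "$1"
    ws_user=$(stat -c '%U' "$1")
    ws_group=$(stat -c '%G' "$1")
    cat > "$1" <<EOF
# constructed sample, not a real configuration
ZM_WEB_USER=$ws_user
ZM_WEB_GROUP=$ws_group
ZM_DB_HOST=localhost
ZM_DB_NAME=zm
ZM_DB_USER=zmuser
ZM_DB_PASS=$2
EOF
    chmod "$3" "$1"
}

# Demo on a constructed file: world-readable, placeholder password.
demo_conf=$(mktemp)
write_sample "$demo_conf" your_zm_password_as_set_in_config 644
audit_zm_conf "$demo_conf" || true
rm -f "$demo_conf"
```

On the real system, run <code>audit_zm_conf /etc/zm.conf</code> as root after the <code>chown</code> step.<br />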
<br />
Initialize the ZoneMinder database<br />
<br />
/etc/init.d/zoneminder setup<br />
<br />
Start ZoneMinder<br />
<br />
/etc/init.d/zoneminder start<br />
<br />
Profit!<br />
<br />
To access ZoneMinder, browse to <nowiki>http://yourserver/zm/</nowiki><br />
<br />
To make it start automatically on boot:<br />
<br />
rc-update add lighttpd default<br />
rc-update add mariadb default<br />
rc-update add php-fpm default<br />
rc-update add zoneminder default<br />
<br />
== Added notes to work with Nginx ==<br />
Later to add some notes about running via nginx<br />
<br />
==Related Links==<br />
* https://wiki.alpinelinux.org/wiki/Raspberry_Pi_3_-_Browser_Client - Kiosk to watch Streams<br />
<br />
[[Category:Software]]<br />
[[Category:Security]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux_in_a_chroot&diff=5795Alpine Linux in a chroot2011-10-17T12:20:43Z<p>Ms13sp: /* Create a build environment */</p>
<hr />
<div>= Setting up a 'edge' build environment in a chroot =<br />
<br />
This document explains how to set up an Alpine build environment in a chroot under a "normal" Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug and run alpine packages.<br />
<br />
== Introduction ==<br />
<br />
You will need a few gigabytes to have enough space for compiling the kernel and storing all the binary packages and the ISO image. <br />
<br />
== Create a build environment ==<br />
<br />
We are setting up our Build Environment in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
Choose a mirror from the [http://dl-2.alpinelinux.org/alpine/MIRRORS.txt mirror list].<br />
<br />
<br> Let's start by getting the latest apk static package: <br />
<br />
{{Tip|In the command below, replace x86_64 with x86 if running on a 32bit installation}}<br />
<br />
{{Cmd|wget http://dl-3.alpinelinux.org/alpine/v2.2/main/x86_64/apk-tools-static-2.1.0-r1.apk}}<br />
<br />
Unpack the tarball<br />
{{Cmd|tar -xzf apk-tools-static-2.1.0-r1.apk}}<br />
<br />
We are setting up a basic chroot: <br />
<br />
{{Cmd|mkdir ${build_dir}<br />
sudo ./sbin/apk.static -X ${mirror}/v2.2/main -U --allow-untrusted --root ${build_dir} --initdb add alpine-base alpine-sdk<br />
mkdir -p ./${build_dir}/proc<br />
sudo mount --bind /proc ./${build_dir}/proc}}<br />
<br />
Let's set up the devices we need: <br />
<br />
{{Cmd|sudo mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
sudo mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
sudo mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
sudo mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
sudo mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
sudo mknod -m 666 ./${build_dir}/dev/tty c 5 0}}<br />
<br />
The /dev/null node seems to be wrong, so remove it and create it again:<br />
<br />
{{Cmd|sudo rm -f ./${build_dir}/dev/null && sudo mknod -m 666 ./${build_dir}/dev/null c 1 3}}<br />
<br />
A resolv.conf is needed for the DNS servers, and so is the /root directory: <br />
<br />
{{Cmd|sudo cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root}}<br />
<br />
If you don't want to copy the resolv.conf from the local machine, create this file inside the chroot with your DNS server entry. <br />
{{Cmd|sudo sh -c "echo 'nameserver 8.8.8.8' > ./${build_dir}/etc/resolv.conf"}}<br />
<br />
We are setting up apk mirrors: <br />
<br />
{{Cmd|sudo mkdir -p ./${build_dir}/etc/apk<br />
sudo sh -c "echo '${mirror}/v2.2/main' > ./${build_dir}/etc/apk/repositories"}}<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
{{Cmd|sudo chroot ./${build_dir} /bin/sh -l}}<br />
<br />
If you are using Alpine as a native build system, you will have to make sure that chroot can run chmod. Add the following to /etc/sysctl.conf:<br />
<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
<br />
Then run the following command<br />
<br />
{{Cmd|sysctl -p}}<br />
<br />
Now you can move on to [[Creating_an_Alpine_package|creating packages for Alpine.]]<br />
<br />
== Alpine Linux in a chroot on Fedora ==<br />
<br />
If you want to generate a chroot on a Fedora based system, you can use this [http://files.affolter-engineering.ch/alpinelinux/chroot/alpine-chroot.sh script].<br />
<br />
{{Note|Maybe you are able to use this script on other distribution but this is not tested.}}</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux_in_a_chroot&diff=5794Alpine Linux in a chroot2011-10-17T12:15:47Z<p>Ms13sp: /* Create a build environment */</p>
<hr />
<div>= Setting up a 'edge' build environment in a chroot =<br />
<br />
This document explains how to set up an Alpine build environment in a chroot under a "normal" Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug and run alpine packages.<br />
<br />
== Introduction ==<br />
<br />
You will need a few gigabytes to have enough space for compiling the kernel and storing all the binary packages and the ISO image. <br />
<br />
== Create a build environment ==<br />
<br />
We are setting up our Build Environment in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
Choose a mirror from the [http://dl-2.alpinelinux.org/alpine/MIRRORS.txt mirror list].<br />
<br />
<br> Let's start by getting the latest apk static package: <br />
<br />
{{Tip|In the command below, replace x86_64 with x86 if running on a 32bit installation}}<br />
<br />
{{Cmd|wget http://dl-3.alpinelinux.org/alpine/v2.2/main/x86_64/apk-tools-static-2.1.0-r1.apk}}<br />
<br />
Unpack the tarball<br />
{{Cmd|tar -xzf apk-tools-static-2.1.0-r1.apk}}<br />
<br />
We are setting up a basic chroot: <br />
<br />
{{Cmd|mkdir ${build_dir}<br />
sudo ./sbin/apk.static -X ${mirror}/v2.2/main -U --allow-untrusted --root ${build_dir} --initdb add alpine-base alpine-sdk<br />
mkdir -p ./${build_dir}/proc<br />
sudo mount --bind /proc ./${build_dir}/proc}}<br />
<br />
Let's set up the devices we need: <br />
<br />
{{Cmd|sudo mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
sudo mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
sudo mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
sudo mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
sudo mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
sudo mknod -m 666 ./${build_dir}/dev/tty c 5 0}}<br />
<br />
The /dev/null node seems to be wrong, so remove it and create it again:<br />
<br />
{{Cmd|sudo rm -f ./${build_dir}/dev/null && sudo mknod -m 666 ./${build_dir}/dev/null c 1 3}}<br />
<br />
A resolv.conf is needed for the DNS servers, and so is the /root directory: <br />
<br />
{{Cmd|sudo cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root}}<br />
<br />
If you don't want to copy the resolv.conf from the local machine, create this file inside the chroot with your DNS server entry. <br />
{{Cmd|sudo sh -c "echo 'nameserver 8.8.8.8' > ./${build_dir}/etc/resolv.conf"}}<br />
<br />
We are setting up apk mirrors: <br />
<br />
{{Cmd|sudo mkdir -p ./${build_dir}/etc/apk<br />
sudo sh -c "echo '${mirror}/v2.2/packages/main' > ./${build_dir}/etc/apk/repositories"}}<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
{{Cmd|sudo chroot ./${build_dir} /bin/sh -l}}<br />
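<br />
A check for the device nodes created in the steps above, to run from the host before entering the chroot. This is an added example, not part of the original page: it compares each node's type, major/minor numbers and mode with the values from the <code>mknod</code> commands and also catches a <code>/dev/null</code> that ended up as a regular file. The function names and finding tags are made up for the example, and <code>stat -c</code> (BusyBox or GNU) is assumed.<br />

```sh
#!/bin/sh
# Added example (not from the wiki page): verify the device nodes of a chroot.
# Table of "name major minor mode", copied from the mknod commands in this
# how-to. Function names and finding tags are hypothetical.
EXPECTED_NODES='full 1 7 666
null 1 3 666
ptmx 5 2 666
random 1 8 644
urandom 1 9 644
zero 1 5 666
tty 5 0 666'

# check_node PATH MAJOR MINOR MODE
# Prints tagged findings; returns 0 if the node matches, 1 otherwise.
check_node() {
    cn_path=$1
    cn_rc=0
    if [ ! -c "$cn_path" ]; then
        # Typical cause: something wrote to dev/null before the node existed,
        # leaving a regular file that silently collects output.
        echo "TYPE: $cn_path is missing or not a character device"
        return 1
    fi
    # stat prints major/minor in hex (%t/%T); convert to decimal to compare.
    cn_major=$(printf '%d' "0x$(stat -c '%t' "$cn_path")")
    cn_minor=$(printf '%d' "0x$(stat -c '%T' "$cn_path")")
    cn_mode=$(stat -c '%a' "$cn_path")
    if [ "$cn_major" != "$2" ] || [ "$cn_minor" != "$3" ]; then
        echo "DEVNUM: $cn_path is $cn_major:$cn_minor, expected $2:$3"
        cn_rc=1
    fi
    if [ "$cn_mode" != "$4" ]; then
        echo "MODE: $cn_path is mode $cn_mode, expected $4"
        cn_rc=1
    fi
    return $cn_rc
}

# check_chroot_devs ROOT
# Checks every node from EXPECTED_NODES under ROOT/dev; returns 1 on any finding.
check_chroot_devs() {
    cc_root=$1
    cc_rc=0
    while read -r cc_name cc_major cc_minor cc_mode; do
        check_node "$cc_root/dev/$cc_name" "$cc_major" "$cc_minor" "$cc_mode" || cc_rc=1
    done <<EOF
$EXPECTED_NODES
EOF
    return $cc_rc
}

# Demo on a constructed directory tree (no root needed): dev/null is a regular
# file here and the other nodes are missing, so every entry is reported.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/dev"
echo "stray output" > "$demo_root/dev/null"
check_chroot_devs "$demo_root" || true
rm -rf "$demo_root"
```

For the chroot built above, run <code>check_chroot_devs ./${build_dir}</code>; no output and exit status 0 mean all nodes match.<br />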
<br />
If you are using Alpine as a native build system, you will have to make sure that chroot can run chmod. Add the following to /etc/sysctl.conf:<br />
<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
<br />
Then run the following command<br />
<br />
{{Cmd|sysctl -p}}<br />
<br />
Now you can move on to [[Creating_an_Alpine_package|creating packages for Alpine.]]<br />
<br />
== Alpine Linux in a chroot on Fedora ==<br />
<br />
If you want to generate a chroot on a Fedora based system, you can use this [http://files.affolter-engineering.ch/alpinelinux/chroot/alpine-chroot.sh script].<br />
<br />
{{Note|Maybe you are able to use this script on other distribution but this is not tested.}}</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Upgrading_Alpine_-_v1.9.x&diff=3717Upgrading Alpine - v1.9.x2010-04-28T16:38:59Z<p>Ms13sp: /* Download and verify new release */</p>
<hr />
<div>This document covers upgrading from a previous version of Alpine 1.9 (or 1.10) to newer versions of 1.9 (or 1.10). Thanks to many improvements in Alpine 1.9, it is possible to easily upgrade in most scenarios.<br />
<br />
All examples/instructions/actions mentioned in this document should be executed on the box that you are planning to upgrade (unless you are instructed otherwise).<br />
<br />
== Upgrading an Alpine Linux Hard-disk installation ==<br />
<br />
When Alpine is installed to hard drive, upgrading the installation is simple.<br />
<br />
{{Using_Internet_Repositories_for_apk-tools}}<br />
<br />
Ensure you have the latest available version of the Alpine Package Manager first before upgrading anything else:<br />
apk add -u apk-tools<br />
<br />
Finally, upgrade all remaining packages, including the kernel if applicable:<br />
apk upgrade<br />
<br />
== Upgrading Separate Boot Media ==<br />
<br />
You may have an installation where the boot media being used (such as a CD, for example) is separate from the media used to store the configuration information. In this case, simply download the latest ISO, and replace the boot media contents with the contents of the latest ISO. If you are booting from a CD, this would simply mean replacing the CD with a CD made from the new image and rebooting the Alpine box. <br />
<br />
== Upgrading Alpine on CF/USB ==<br />
<br />
Your installation may consist of Alpine running on Compact Flash or USB media. In most cases, it should be sufficient to upgrade most packages using the '''Alpine Hard-disk Installation''' upgrade procedures described above. However, for new packages to survive after a reboot, you should enable [[How_to_enable_APK_caching|APK caching]].<br />
<br />
{{Warning|As the newer version of alpine may include kernel upgrades, simply pointing the Alpine Package Manager to an Internet-based repository and running ''apk upgrade'' will not be enough, as kernel components are not upgraded when Alpine is run from memory.}}<br />
<br />
{{Upgrading_Alpine_environmentvars}}<br />
<br />
=== Upgrade Step-by-Step ===<br />
<br />
Start by checking that you have enough space on your media.<BR><br />
You need at least 400MB available space.<br />
df -h | grep "Filesystem\|$LBU_MEDIA"<br />
<br />
==== Download and verify new release ====<br />
<br />
Start downloading a new '.iso' and a '.sha1' file <br />
cd /media/$LBU_MEDIA<br />
The files now seem to be under releases rather than iso:<br />
http://dl-3.alpinelinux.org/alpine/v1.10/releases/alpine-1.10.1-x86.iso<br />
<br />
wget -c {{Latest_1.10_alpine_iso-mirror}}{{Latest_1.10_alpine_iso-filename}}<br />
wget http://dev.alpinelinux.org/alpine/v1.10/iso/{{Latest_1.10_alpine_iso-filename}}.sha1<br />
<br />
Check integrity of the downloaded files ''(it might take some time)''<br />
sha1sum -c {{Latest_1.10_alpine_iso-filename}}.sha1<br />
''The output of the above command should say 'OK'.<BR>''<br />
 ''If it says 'FAILED', delete the iso file and download it again.''<br />
<br />
==== Copy the new release ====<br />
<br />
Mount the ISO.<br />
<br />
mount -t iso9660 {{Latest_1.10_alpine_iso-filename}} /mnt<br />
<br />
Back up files that you have modified. For example, you might have modified ''syslinux.cfg'' to show console output on a serial port.<BR><br />
<br />
cp /media/$LBU_MEDIA/syslinux.cfg /media/$LBU_MEDIA/syslinux.cfg.my<br />
<br />
Install the '''rsync''' package if necessary, and copy the files:<br />
<br />
cd /mnt<br />
apk add rsync<br />
rsync --delete -rltv .alpine-release * /media/$LBU_MEDIA/ <br />
<br />
Restore your backed up files ''(in case you had any)''<br />
<br />
mv -f /media/$LBU_MEDIA/syslinux.cfg.my /media/$LBU_MEDIA/syslinux.cfg<br />
<br />
Make sure that all files are permanently saved in right place <br />
<br />
sync<br />
<br />
==== Clean up ====<br />
Clean up the downloaded/unpacked files<br />
cd ..<br />
umount /mnt<br />
rm /media/$LBU_MEDIA/{{Latest_1.10_alpine_iso-filename}}<br />
rm /media/$LBU_MEDIA/{{Latest_1.10_alpine_iso-filename}}.sha1<br />
<br />
=== Save changes ===<br />
Now that all upgrades are done, we should save our settings to our media (which you hopefully have backed up prior to doing this upgrade).<br />
lbu ci<br />
<br />
== Rebooting ==<br />
In most cases you will need to reboot Alpine (especially if there are changes in the kernel):<br />
reboot<br />
{{Note|If you know what you are doing, you might not need to reboot. But make sure that all services affected by the upgrade are restarted.}}</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Release_Testing_Checklist&diff=3355Alpine Release Testing Checklist2010-02-17T20:11:45Z<p>Ms13sp: Created page with '= Alpine Release Testing Checklist = == CD Install == #Boot from CDrom #login as root at the prompt # '''/sbin/setup-alpine''' # '''lbu commit /dev/usbdisk''' # '''reboot''' # A...'</p>
<hr />
<div>= Alpine Release Testing Checklist =<br />
<br />
== CD Install ==<br />
#Boot from CDrom<br />
#login as root at the prompt<br />
# '''/sbin/setup-alpine'''<br />
# '''lbu commit /dev/usbdisk'''<br />
# '''reboot'''<br />
# A successful boot up will show the hostname and will require the password set during setup-alpine<br />
# If successful run '''lbu commit -e /dev/usbdisk'''<br />
# '''reboot'''<br />
# Password should be prompted for upon boot up<br />
<br />
== USB Install ==<br />
#Boot from USB<br />
#login as root at the prompt<br />
# '''/sbin/setup-alpine'''<br />
# '''lbu commit /dev/usbdisk'''<br />
# '''reboot'''<br />
# A successful boot up will show the hostname and will require the password set during setup-alpine<br />
# If successful run '''lbu commit -e /dev/usbdisk'''<br />
# '''reboot'''<br />
# Password should be prompted for upon boot up<br />
<br />
== HDD Install ==<br />
#Boot from CDrom<br />
#login as root at the prompt<br />
#'''/sbin/setup-alpine'''</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Developer_Documentation&diff=3354Developer Documentation2010-02-17T19:52:29Z<p>Ms13sp: </p>
<hr />
<div>= Developer Documentation =<br />
Documentation on how to build and modify the Alpine distro.<br />
<br />
* [[Alpine Package Testing Suite]]<br />
* [[Alpine Release Testing Checklist]]<br />
* [[Alpine Configuration Framework Design]] (Why ACF is the way it is)<br />
* [[Development using git]]<br />
* [[Installing Alpine on a virtual machine]]<br />
* [[Writing User Documentation for ACF]]<br />
<br />
== Alpine 'edge' build system ==<br />
<br />
* [[General_description_of_the_build_system]]<br />
* [[Setting up the build environment]] ''(Lists the available build doc's)''<br />
** [[Setting_up_the_build_environment_on_HDD]] ''(Alpine on HDD)''<br />
** [[Setting_up_the_build_environment_in_chroot]] ''(In a chroot environment)''<br />
* [[Creating an Alpine package]]<br />
<br />
== Misc. References ==<br />
Other useful references.<br />
<br />
* http://www.metoffice.gov.uk/research/nwp/external/fcm/doc/user_guide/working_practices.html - Some guidelines on use of Trac and SVN<br />
<br />
<br />
== Obsolete docs ==<br />
* [[Setting_up_the_build_environment_1.9]]<br />
* [[Setting up the build environment 1.7]]<br />
* [[Newbie Guide to Building an apk]]<br />
* [[Creating patches]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_the_build_environment_in_a_chroot&diff=3058Setting up the build environment in a chroot2009-09-17T14:50:06Z<p>Ms13sp: /* Create a build environment */</p>
<hr />
<div>= Setting up a build environment for Alpine 1.9 =<br />
<br />
This document explains how to set up an Alpine build environment in a chroot under a "normal" Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug and run alpine packages.<br />
<br />
== Introduction ==<br />
<br />
You will need a few gigabytes to have enough space for compiling the kernel and storing all the binary packages and the ISO image. <br />
<br />
== Create a build environment ==<br />
<br />
We are setting up our Build Environment in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
{{Mirrors}} <br />
<br />
<br> Let's start by getting the latest apk static binary: <br />
<br />
wget ${mirror}/v1.9/apk.static<br />
chmod +x ./apk.static<br />
<br />
Verify you have apk-tools 2.0_rc1 or later:<br />
./apk.static --version<br />
apk-tools 2.0_rc1<br />
<br />
We are setting up a basic chroot: <br />
<br />
mkdir ${build_dir}<br />
sudo ./apk.static --repo ${mirror}/v1.9/packages/main -U --allow-untrusted --root ${build_dir} --initdb add alpine-base alpine-sdk<br />
mkdir -p ./${build_dir}/proc<br />
sudo mount --bind /proc ./${build_dir}/proc<br />
<br />
Let's set up the devices we need: <br />
<br />
 sudo mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
 sudo mknod -m 666 ./${build_dir}/dev/null c 1 3<br />
sudo mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
sudo mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
sudo mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
sudo mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
sudo mknod -m 666 ./${build_dir}/dev/tty c 5 0<br />
<br />
We need our DNS servers and the root directory: <br />
<br />
sudo cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root<br />
<br />
We are setting up apk mirrors: <br />
<br />
sudo mkdir -p ./${build_dir}/etc/apk<br />
su<br />
echo "${mirror}/v1.9/packages/main" > ./${build_dir}/etc/apk/repositories<br />
exit<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
sudo chroot ./${build_dir} /bin/sh -l<br />
<br />
If you are using Alpine as a native build system, you will have to make sure that chroot can run chmod. Add the following to /etc/sysctl.conf:<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
Then run the following command<br />
sysctl -p<br />
<br />
<br />
Now you can move on to [[Creating_an_Alpine_package|creating packages for Alpine.]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_the_build_environment_in_a_chroot&diff=3057Setting up the build environment in a chroot2009-09-17T14:49:31Z<p>Ms13sp: /* Create a build environment */</p>
<hr />
<div>= Setting up a build environment for Alpine 1.9 =<br />
<br />
This document explains how to set up an Alpine build environment in a chroot under a "normal" Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug and run alpine packages.<br />
<br />
== Introduction ==<br />
<br />
You will need a few gigabytes to have enough space for compiling the kernel and storing all the binary packages and the ISO image. <br />
<br />
== Create a build environment ==<br />
<br />
We are setting up our Build Environment in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
{{Mirrors}} <br />
<br />
<br> Let's start by getting the latest apk static binary: <br />
<br />
wget ${mirror}/v1.9/apk.static<br />
chmod +x ./apk.static<br />
<br />
Verify you have apk-tools 2.0_rc1 or later:<br />
./apk.static --version<br />
apk-tools 2.0_rc1<br />
<br />
We are setting up a basic chroot: <br />
<br />
mkdir ${build_dir}<br />
sudo ./apk.static --repo ${mirror}/v1.9/packages/main -U --allow-untrusted --root ${build_dir} --initdb add alpine-base alpine-sdk<br />
mkdir -p ./${build_dir}/proc<br />
sudo mount --bind /proc ./${build_dir}/proc<br />
<br />
Let's set up the devices we need: <br />
<br />
 sudo mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
 sudo mknod -m 666 ./${build_dir}/dev/null c 1 3<br />
sudo mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
sudo mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
sudo mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
sudo mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
sudo mknod -m 666 ./${build_dir}/dev/tty c 5 0<br />
<br />
We need our DNS servers and the root directory: <br />
<br />
sudo cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root<br />
<br />
We are setting up apk mirrors: <br />
<br />
sudo mkdir -p ./${build_dir}/etc/apk<br />
su<br />
echo "${mirror}/v1.9/packages/main" > ./${build_dir}/etc/apk/repositories<br />
exit<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
sudo chroot ./${build_dir} /bin/sh -l<br />
<br />
If you are using Alpine as a native build system, you will have to make sure that chroot can run chmod. Add the following to /etc/sysctl.conf:<br />
kernel.grsecurity.chroot_deny_chmod = 0<br />
sysctl -p<br />
<br />
<br />
Now you can move on to [[Creating_an_Alpine_package|creating packages for Alpine.]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_the_build_environment_in_a_chroot&diff=3056Setting up the build environment in a chroot2009-09-17T14:22:46Z<p>Ms13sp: /* Create a build environment */</p>
<hr />
<div>= Setting up a build environment for Alpine 1.9 =<br />
<br />
This document explains how to set up an Alpine build environment in a chroot under a "normal" Linux distro, such as Arch, Debian, Fedora, Gentoo, or Ubuntu. Once inside the chroot environment, you can build, debug and run alpine packages.<br />
<br />
== Introduction ==<br />
<br />
You will need a few gigabytes to have enough space for compiling the kernel and storing all the binary packages and the ISO image. <br />
<br />
== Create a build environment ==<br />
<br />
We are setting up our Build Environment in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
{{Mirrors}} <br />
<br />
<br> Let's start by getting the latest apk static binary: <br />
<br />
wget ${mirror}/v1.9/apk.static<br />
chmod +x ./apk.static<br />
<br />
Verify you have apk-tools 2.0_rc1 or later:<br />
./apk.static --version<br />
apk-tools 2.0_rc1<br />
<br />
We are setting up a basic chroot: <br />
<br />
mkdir ${build_dir}<br />
sudo ./apk.static --repo ${mirror}/v1.9/packages/main -U --allow-untrusted --root ${build_dir} --initdb add alpine-base alpine-sdk<br />
mkdir -p ./${build_dir}/proc<br />
sudo mount --bind /proc ./${build_dir}/proc<br />
<br />
Let's set up the devices we need: <br />
<br />
 sudo mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
 sudo mknod -m 666 ./${build_dir}/dev/null c 1 3<br />
sudo mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
sudo mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
sudo mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
sudo mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
sudo mknod -m 666 ./${build_dir}/dev/tty c 5 0<br />
<br />
We need our DNS servers and the root directory: <br />
<br />
sudo cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root<br />
<br />
We are setting up apk mirrors: <br />
<br />
sudo mkdir -p ./${build_dir}/etc/apk<br />
su<br />
echo "${mirror}/v1.9/packages/main" > ./${build_dir}/etc/apk/repositories<br />
exit<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
sudo chroot ./${build_dir} /bin/sh -l<br />
<br />
Now you can move on to [[Creating_an_Alpine_package|creating packages for Alpine.]]</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2865Setting up a OpenVPN server2009-07-02T13:49:38Z<p>Ms13sp: </p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
In the case that your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
modprobe tun<br />
echo "tun" >>/etc/modules<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
If you are setting up a client and were given the certificate as a single PFX file, use the following commands to split it into its parts:<br />
<br />
To get the ca cert out...<br />
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem<br />
<br />
To get the cert file out...<br />
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem<br />
<br />
To get the private key file out. Make sure this stays private...<br />
openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem<br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem # to generate by hand: openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
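A check for the directives the server and client examples above rely on, as an added example that is not part of the original wiki page. The function names, finding labels and both sample configs (including vpn.example.net) are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an OpenVPN config for the
# directives the server and client examples above depend on.

# has_directive FILE NAME [ARG]
# Succeeds when FILE sets directive NAME (with first argument ARG, if given).
# Everything from '#' or ';' to end of line is treated as a comment, which is
# how "dh dh1024.pem #..." above is read; a quoted '#' is not handled here.
has_directive() {
    awk -v name="$2" -v arg="$3" '
        { sub(/[#;].*/, "") }
        $1 == name && (arg == "" || $2 == arg) { found = 1 }
        END { exit !found }
    ' "$1"
}

# audit_conf ROLE FILE
# Prints one finding per line (nothing when the file passes); ROLE is
# "server" or "client". Returns 2 when FILE cannot be read.
audit_conf() {
    _role=$1 _file=$2
    [ -r "$_file" ] || { echo "UNREADABLE $_file"; return 2; }

    # Both ends need a CA to verify the peer, plus their own cert and key.
    for _d in ca cert key; do
        has_directive "$_file" "$_d" || echo "MISSING $_d"
    done

    case $_role in
    server)
        has_directive "$_file" dh || echo "MISSING dh"
        # Without both, OpenVPN does not drop root privileges after start-up.
        if ! has_directive "$_file" user || ! has_directive "$_file" group; then
            echo "NO_PRIVDROP"
        fi
        ;;
    client)
        has_directive "$_file" remote || echo "MISSING remote"
        # The page's MitM protection; "remote-cert-tls server" is the newer
        # directive for the same purpose and is accepted as well.
        if ! has_directive "$_file" ns-cert-type server &&
           ! has_directive "$_file" remote-cert-tls server; then
            echo "NO_SERVER_CERT_CHECK"
        fi
        ;;
    *)
        echo "UNKNOWN_ROLE $_role"
        ;;
    esac
    return 0
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_CONF=$WORK/server.conf
CLIENT_CONF=$WORK/client.conf

# Constructed sample: server config with no key line and "user" commented out.
cat > "$SERVER_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
dh dh1024.pem # openssl dhparam -out dh1024.pem 1024
server 10.0.0.0 255.255.255.0
;user nobody
group nobody
EOF

# Constructed sample: client config with the server-certificate check disabled.
cat > "$CLIENT_CONF" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
# ns-cert-type server
ca ca.crt
cert client.crt
key client.key
EOF

echo "server.conf:"; audit_conf server "$SERVER_CONF"
echo "client.conf:"; audit_conf client "$CLIENT_CONF"
```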
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''These instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2854Setting up a OpenVPN server2009-06-09T19:35:33Z<p>Ms13sp: /* Certificates */</p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
In the case that your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity.<br />
<br />
If you are setting up a client and were given the certificate as a single PFX file, use the following commands to split it into its parts:<br />
<br />
To get the ca cert out...<br />
openssl pkcs12 -in PFXFILE -cacerts -nokeys -out ca.pem<br />
<br />
To get the cert file out...<br />
openssl pkcs12 -in PFXFILE -nokeys -clcerts -out cert.pem<br />
<br />
To get the private key file out. Make sure this stays private...<br />
openssl pkcs12 -in PFXFILE -nocerts -nodes -out key.pem<br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem # to generate by hand: openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''These instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2853Setting up a OpenVPN server2009-06-09T13:59:13Z<p>Ms13sp: /* Configure OpenVPN-server */</p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
In the case that your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem # to generate by hand: openssl dhparam -out dh1024.pem 1024<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''These instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2852Setting up a OpenVPN server2009-06-09T13:58:22Z<p>Ms13sp: /* Configure OpenVPN-client */</p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
This is an ideal solution for allowing single users or devices to remotely connect to your network. To establish connectivity with a Remote Office or site, [http://wiki.alpinelinux.org/w/index.php?title=Using_Racoon_for_Remote_Sites Racoon/Opennhrp] would provide better functionality. <br />
<br />
It is recommended that you have a publicly routable static IP address in order for this to work. This means that your IP address cannot be in the private IP address ranges described here:[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
In the case that your Internet-connected machine doesn't have a static IP address, [http://www.dyndns.com DynDNS] can be used for resolving DNS names to IP addresses.<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine Linux.<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
ns-cert-type server # This means that the certificate on the openvpn server needs to have this field. Prevents MitM attacks<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''These instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2832Setting up a OpenVPN server2009-06-02T20:34:34Z<p>Ms13sp: /* Setup Alpine */</p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
It is aimed at people who want remote users to connect to their network securely over the Internet, mostly one computer at a time. Racoon/Opennhrp would be better for a remote site or office.<br />
<br />
You will need a publicly routable IP address for this to work. That means your connection to the Internet must not use one of these IP addresses:<br />
[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
Dyndns is a service that can map a DNS name to your IP address in case your Internet-connected machine doesn't have a static IP address.<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''These instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2831Setting up a OpenVPN server2009-06-02T18:08:04Z<p>Ms13sp: </p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
It is aimed at people who want remote users to connect to their network securely over the Internet, mostly one computer at a time. Racoon/Opennhrp would be better for a remote site or office.<br />
<br />
You will need a publicly routable IP address for this to work. That means your connection to the Internet must not use one of these IP addresses:<br />
[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key # private key matching server.crt; keep this file private<br />
dh dh1024.pem<br />
server 10.0.0.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.0.0.1"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
Example client.conf:<br />
client<br />
dev tun<br />
proto udp<br />
remote "public IP" 1194<br />
resolv-retry infinite<br />
nobind<br />
persist-key<br />
persist-tun<br />
ca ca.crt<br />
cert client.crt<br />
key client.key<br />
comp-lzo<br />
verb 3<br />
<br />
(''These instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu commit -v sdb1<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2830Setting up a OpenVPN server2009-06-02T13:49:40Z<p>Ms13sp: </p>
<hr />
<div>= Setup Alpine =<br />
This article describes how to set up an OpenVPN server with the Alpine distro.<br />
It is aimed at administrators who want remote users to connect to their network securely over the Internet, mostly from a single computer. Racoon/Opennhrp would be better for a remote site or office.<br />
<br />
You will need to have a publicly routable IP address for this to work. That means your connection to the Internet would not be using one of these IP addresses:<br />
[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] on how to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key<br />
dh dh1024.pem<br />
server 10.252.252.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.252.253.9"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu ci floppy<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2829Setting up a OpenVPN server2009-06-02T13:49:03Z<p>Ms13sp: </p>
<hr />
<div>This article describes how to set up an OpenVPN server with the Alpine distro.<br />
It is aimed at administrators who want remote users to connect to their network securely over the Internet, mostly from a single computer. Racoon/Opennhrp would be better for a remote site or office.<br />
<br />
You will need to have a publicly routable IP address for this to work. That means your connection to the Internet would not be using one of these IP addresses:<br />
[http://en.wikipedia.org/wiki/IP_address#IPv4_private_addresses]<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] on how to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Certificates =<br />
One of the first things that needs to be done is making sure you have secure keys to work with. Alpine makes this easy by having a web interface to manage the certificates. Documentation for it can be found here: [[Generating_SSL_certs_with_ACF]]. It is a best practice to not have your certificate server be on the same machine as the router being used for remote connectivity. <br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server:<br />
local "Public Ip address"<br />
port 1194<br />
proto udp<br />
dev tun<br />
ca ca.crt<br />
cert server.crt<br />
key server.key<br />
dh dh1024.pem<br />
server 10.252.252.0 255.255.255.0<br />
ifconfig-pool-persist ipp.txt<br />
push "route 10.0.0.0 255.0.0.0"<br />
push "dhcp-option DNS 10.252.253.9"<br />
keepalive 10 120<br />
comp-lzo<br />
user nobody<br />
group nobody<br />
persist-key<br />
persist-tun<br />
status openvpn-status.log<br />
log openvpn.log<br />
log-append openvpn.log<br />
verb 3<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu ci floppy<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:Documentation&diff=2826Alpine Linux:Documentation2009-06-02T13:34:16Z<p>Ms13sp: /* Networking */</p>
<hr />
<div>== User Documentation ==<br />
Documentation on how to install and use the Alpine distro.<br />
<br />
* [[Installing Alpine on CD]]<br />
* [[Installing Alpine on USB]]<br />
* [[Upgrading Alpine]]<br />
* [[Alpine package management]] ''(How to add/remove packages on your Alpine)''<br />
* [[Alpine boot services]] ''(Configure a service to automatically boot at next reboot)''<br />
* [[Alpine local backup]] ''(Permanently store your modifications in case your box needs reboot)''<br />
* [[Comparison with Gentoo and Debian]]<br />
* Submitting [http://bugs.alpinelinux.org Problem Reports]<br />
<br />
=== HOWTOS ===<br />
<br />
==== Installation ====<br />
* [[Bootstrapping Alpine on Soekris net4xxx]]<br />
* [[Bootstrapping Alpine on PC Engines ALIX.3]]<br />
* [[Setting up a software raid1 array]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
* [[Setting up a /var partition on software IDE raid1]]<br />
* [[Native Harddisk Install]]<br />
* [[Installing XUbuntu using Alpine boot floppy]]<br />
<br />
==== Networking ====<br />
* [[Setting up a OpenVPN-server with Alpine]]<br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]]<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
* [[Using HSDPA modem]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
* [[Using Racoon for Remote Sites]]<br />
<br />
==== Misc ====<br />
* [[Setting up lm_sensors]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Formatting HD/Floppy/Other]]<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
* [[Hosting_services_on_Alpine]] ''(This applies to hosting mail, webservices and other services)''<br />
** [[Setting_up_postfix_with_virtual_domains]]<br />
** [[Protecting your email server with Alpine]]<br />
** [[Hosting Web/Email services on Alpine]]<br />
** [[Setting_up_trac_wiki]]<br />
* [[Running Alpinelinux As a QEMU networked Guest ]]<br />
* [[Screen on console]]<br />
* [[Using espeak on AlpineLinux]]<br />
* [[Generating SSL certs with ACF]]<br />
* [[Setting up a ssh-server]]<br />
* [[Changing passwords]]<br />
<br />
==== iSCSI ====<br />
* [[iSCSI Target and Initiator Configuration]]<br />
* [[iSCSI Raid and Clustered File Systems]]<br />
<br />
=== Vserver ===<br />
* [[Setting up a basic vserver]]<br />
<br />
== Developer Documentation ==<br />
Documentation on how to build and modify the Alpine distro.<br />
<br />
* [[Alpine Package Testing Suite]]<br />
* [[Alpine Configuration Framework Design]] (Why ACF is the way it is)<br />
* [[Development using git]]<br />
<br />
=== Alpine 1.9.x build system ===<br />
After Alpine 1.8 is released we will switch to a new build system. The docs below are for building packages in Alpine 1.9 and later.<br />
<br />
* [[Setting up the build environment]]<br />
* [[Creating an Alpine package]]<br />
* [[Creating_an_Alpine_1.9_iso]] (This page is experimental and might go away or move in the future)<br />
<br />
=== Obsolete docs ===<br />
* [[Setting up the build environment 1.7]]<br />
* [[Newbie Guide to Building an apk]]<br />
* [[Creating patches]]<br />
<br />
== Misc. References ==<br />
Other useful references.<br />
<br />
* http://www.metoffice.gov.uk/research/nwp/external/fcm/doc/user_guide/working_practices.html - Some guidelines on use of Trac and SVN</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2825Setting up a OpenVPN server2009-06-02T12:09:16Z<p>Ms13sp: </p>
<hr />
<div>This article describes how to set up an OpenVPN server with the Alpine distro.<br />
It is aimed at administrators who want remote users to connect to their network securely over the Internet, mostly from a single computer. Racoon/Opennhrp would be better for a remote site or office.<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] on how to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
rc_add -s 40 -k openvpn<br />
<br />
= Configure OpenVPN-server =<br />
Example configuration file for server [http://openvpn.net/index.php/open-source/documentation/howto.html#server]<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Manage Certificates =<br />
See [[Generating_SSL_certs_with_ACF]] for a web interface to manage certificates.<br />
<br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu ci floppy<br />
<br />
<br />
==== Manual Certificate Commands ====<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
<br />
===== Initial setup for administrating certificates =====<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
===== Set up a 'Certificate Authority' (CA) =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
===== Set up a 'OpenVPN Server' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
===== Set up a 'OpenVPN Client' =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
===== Revoke a certificate =====<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_OpenVPN_server&diff=2824Setting up a OpenVPN server2009-06-01T20:32:14Z<p>Ms13sp: /* Manage Certificates */</p>
<hr />
<div>This article describes how to set up an OpenVPN server with the Alpine distro.<br />
<br />
Documentation based on ''alpine-1.6''<br />
<br />
= Setup Alpine =<br />
== Initial Setup ==<br />
Follow [http://wiki.alpinelinux.org/w/index.php?title=Installing_Alpine] on how to set up Alpine<br />
<br />
== Install programs ==<br />
Install openvpn<br />
apk_add openvpn<br />
Prepare autostart of OpenVPN<BR><br />
(''The number is the start-order. Choose between 1-99'')<br />
rc_add -vks 95 openvpn<br />
<br />
= Configure OpenVPN-server =<br />
(''Instructions are based on [http://openvpn.net/howto.html#server openvpn.net/howto.html#server]'')<br />
<br />
== Test your configuration ==<br />
Test configuration and certificates<br />
openvpn --config /etc/openvpn/openvpn.conf<br />
<br />
<br />
= Configure OpenVPN-client =<br />
(''Instructions are based on [http://openvpn.net/howto.html#client openvpn.net/howto.html#client]'')<br />
<br />
<br />
= Manage Certificates =<br />
See [[Generating_SSL_certs_with_ACF]] for a web interface to manage certificates.<br />
<br />
(''Instructions are based on [http://openvpn.net/howto.html#pki openvpn.net/howto.html#pki]'')<br />
== Initial setup for administrating certificates ==<br />
The following instructions assume that you want to save your configs, certs and keys in '''/etc/openvpn/keys'''.<BR><br />
Start by moving to the '''/usr/share/openvpn/easy-rsa''' folder to execute commands<br />
cd /usr/share/openvpn/easy-rsa<br />
If not already done then create a folder where you will save your certificates and<BR><br />
save a copy of your '''/usr/share/openvpn/easy-rsa/vars''' for later use.<BR><br />
(''All files in '''/usr/share/openvpn/easy-rsa''' are overwritten when the computer is restarted'')<br />
mkdir /etc/openvpn/keys<br />
cp ./vars /etc/openvpn/keys<br />
If not already done then edit '''/etc/openvpn/keys/vars'''<BR><br />
(''This file is used for defining paths and other standard settings'')<br />
vim /etc/openvpn/keys/vars<br />
* Change '''KEY_DIR=''' from "'''$EASY_RSA/keys'''" to "'''/etc/openvpn/keys'''"<br />
* Change '''KEY_SIZE, CA_EXPIRE, KEY_EXPIRE, KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, KEY_EMAIL''' to match your system.<br />
Source the '''vars''' file to set properties<br />
source /etc/openvpn/keys/vars<br />
<br />
== Set up a 'Certificate Authority' (CA) ==<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Clean up the '''keys''' folder.<br />
./clean-all<br />
Generate Diffie Hellman parameters<br />
./build-dh<br />
Now let's make the CA certificates and keys<br />
./build-ca<br />
<br />
== Set up a 'OpenVPN Server' ==<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create server certificates<br />
./build-key-server {commonname}<br />
<br />
== Set up a 'OpenVPN Client' ==<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
Create client certificates<br />
./build-key {commonname}<br />
<br />
== Revoke a certificate ==<br />
* Start by doing the steps in [[#Initial_setup_for_administrating_certificates]]<br />
To revoke a certificate...<br />
./revoke-full {commonname}<br />
The revoke-full script will generate a CRL (certificate revocation list) file called '''crl.pem''' in the '''keys''' subdirectory.<BR>The file should be copied to a directory where the OpenVPN server can access it, then CRL verification should be enabled in the server configuration:<BR><br />
<code>crl-verify crl.pem</code><br />
<br />
= Save settings =<br />
Don't forget to save all your settings<br />
lbu ci floppy</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Logical_Volumes_with_LVM&diff=2819Setting up Logical Volumes with LVM2009-05-27T18:02:58Z<p>Ms13sp: /* Setting up /vservers partition */</p>
<hr />
<div>This document describes how to create logical volumes in Alpine using lvm2.<br />
<br />
LVM is a collection of programs that allow larger physical disks to be reassembled into "logical" disks that can be shrunk or expanded as data needs change.<br />
<br />
In this document we will use a [[Setting up a software raid1 array | software raid1 device]] as physical storage for our logical volumes. We will set up a swap partition and a data partition for [[ Setting up a basic vserver | vservers ]]<br />
=== Installing LVM software ===<br />
First we need to load the kernel driver, ''dm-mod''<br />
<br />
modprobe dm-mod<br />
<br />
We also want it to be loaded during next reboot.<br />
<br />
echo dm-mod >> /etc/modules<br />
<br />
We also need the userspace programs.<br />
apk_add lvm2<br />
<br />
=== Preparing the physical volumes ===<br />
First we need to tell LVM that the partition is available as a physical volume and can be added to a volume group. In this example we use a software raid array as physical volume.<br />
pvcreate /dev/md0<br />
<br />
=== Preparing the Volume Group ===<br />
We can then create a volume group and add the physical volume ''/dev/md0''<br />
vgcreate vg0 /dev/md0<br />
<br />
If we later need more space we can add additional physical volumes with ''vgextend''. All physical disks/partitions added need to be prepared with ''pvcreate''.<br />
<br />
=== Creating Logical volumes ===<br />
In the volume group we can create logical volumes. To create a 1GB volume called ''swap'' and a 6GB volume called ''vservers'' on the volume group ''vg0'' we run:<br />
lvcreate -n swap -L 1G vg0<br />
lvcreate -n vservers -L 6G vg0<br />
<br />
=== Display Logical Volumes ===<br />
You can now see the logical volumes with the lvdisplay utility.<br />
<br />
lvdisplay<br />
--- Logical volume ---<br />
LV Name /dev/vg0/swap<br />
VG Name vg0<br />
LV UUID a4NYOi-FQP6-Lj5Q-0TYk-Jjtk-Qxjt-nxeBPn<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 1.00 GB<br />
Current LE 256<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:0<br />
<br />
--- Logical volume ---<br />
LV Name /dev/vg0/vservers<br />
VG Name vg0<br />
LV UUID 16VMmy-7I0s-eeoW-tL2V-JrlN-jM6C-d0wEg0<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 6.00 GB<br />
Current LE 1536<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:1<br />
<br />
=== Rename Logical Volumes ===<br />
<br />
lvrename /dev/vg0/vservers /dev/vg0/database<br />
<br />
=== Extend Logical Volumes ===<br />
If you want to add space and the volume has the room for it...<br />
<br />
lvextend -L +50G /dev/vg0/vservers<br />
<br />
If you want to set the space to a new larger size...<br />
<br />
lvextend -L 10G /dev/vg0/vservers<br />
<br />
=== Start LVM during Boot ===<br />
We want LVM to initialize the logical volumes during boot. There is a boot service named ''lvm'' to do this. If your volumes are on raid, make sure that ''/etc/init.d/lvm'' is started after mdadm-raid.<br />
<br />
rc_add -s 12 -k lvm<br />
<br />
=== Setting up swap ===<br />
Now we have our devices in /dev/vg0 and can use them as normal disk partitions. To set up swap:<br />
<br />
mkswap /dev/vg0/swap<br />
<br />
Add the following line to your ''/etc/fstab'':<br />
/dev/vg0/swap none swap sw 0 0<br />
<br />
Start the swap service and make sure it starts during the next reboot and that it starts '''after''' lvm.<br />
<br />
/etc/init.d/swap start<br />
rc_add -s 14 -k swap<br />
<br />
=== Setting up /vservers partition ===<br />
Finally we want to set up an XFS partition for /vservers.<br />
<br />
Install xfsprogs.<br />
<br />
apk_add xfsprogs<br />
<br />
Create filesystem on /dev/vg0/vservers.<br />
mkfs.xfs /dev/vg0/vservers<br />
<br />
Add the mount information to your /etc/fstab (note: ''tagxid'' may cause this not to mount; try mounting by hand and check dmesg to see if there are any errors):<br />
/dev/vg0/vservers /vservers xfs noatime,tagxid 0 0<br />
<br />
Note that the ''tagxid'' option is specific to setting up vserver [http://oldwiki.linux-vserver.org/Disk+Limits disk limits], so you might not want it. The ''noatime'' option increases performance, but you will no longer know when files were last accessed.<br />
<br />
Now we can start the ''localmount'' boot service to mount our partition.<br />
/etc/init.d/localmount start<br />
<br />
Make sure we run ''localmount'' during boot too, and that it is done after lvm.<br />
rc_add -s 14 -k localmount<br />
<br />
=== More Info on LVM ===<br />
For more information, have a look at the [http://tldp.org/HOWTO/LVM-HOWTO/commontask.html common tasks] section in the [http://tldp.org/HOWTO/LVM-HOWTO/index.html LVM Howto].</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Logical_Volumes_with_LVM&diff=2818Setting up Logical Volumes with LVM2009-05-27T17:58:34Z<p>Ms13sp: /* Extend Logical Volumes */</p>
<hr />
<div>This document describes how to create logical volumes in Alpine using lvm2.<br />
<br />
LVM is a collection of programs that allow larger physical disks to be reassembled into "logical" disks that can be shrunk or expanded as data needs change.<br />
<br />
In this document we will use a [[Setting up a software raid1 array | software raid1 device]] as physical storage for our logical volumes. We will set up a swap partition and a data partition for [[ Setting up a basic vserver | vservers ]]<br />
=== Installing LVM software ===<br />
First we need to load the kernel driver, ''dm-mod''<br />
<br />
modprobe dm-mod<br />
<br />
We also want it to be loaded during next reboot.<br />
<br />
echo dm-mod >> /etc/modules<br />
<br />
We also need the userspace programs.<br />
apk_add lvm2<br />
<br />
=== Preparing the physical volumes ===<br />
First we need to tell LVM that the partition is available as a physical volume and can be added to a volume group. In this example we use a software raid array as physical volume.<br />
pvcreate /dev/md0<br />
<br />
=== Preparing the Volume Group ===<br />
We can then create a volume group and add the physical volume ''/dev/md0''<br />
vgcreate vg0 /dev/md0<br />
<br />
If we later need more space we can add additional physical volumes with ''vgextend''. All physical disks/partitions added need to be prepared with ''pvcreate''.<br />
<br />
=== Creating Logical volumes ===<br />
In the volume group we can create logical volumes. To create a 1GB volume called ''swap'' and a 6GB volume called ''vservers'' on the volume group ''vg0'' we run:<br />
lvcreate -n swap -L 1G vg0<br />
lvcreate -n vservers -L 6G vg0<br />
<br />
=== Display Logical Volumes ===<br />
You can now see the logical volumes with the lvdisplay utility.<br />
<br />
lvdisplay<br />
--- Logical volume ---<br />
LV Name /dev/vg0/swap<br />
VG Name vg0<br />
LV UUID a4NYOi-FQP6-Lj5Q-0TYk-Jjtk-Qxjt-nxeBPn<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 1.00 GB<br />
Current LE 256<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:0<br />
<br />
--- Logical volume ---<br />
LV Name /dev/vg0/vservers<br />
VG Name vg0<br />
LV UUID 16VMmy-7I0s-eeoW-tL2V-JrlN-jM6C-d0wEg0<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 6.00 GB<br />
Current LE 1536<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:1<br />
<br />
=== Rename Logical Volumes ===<br />
<br />
lvrename /dev/vg0/vservers /dev/vg0/database<br />
<br />
=== Extend Logical Volumes ===<br />
If you want to add space and the volume has the room for it...<br />
<br />
lvextend -L +50G /dev/vg0/vservers<br />
<br />
If you want to set the space to a new larger size...<br />
<br />
lvextend -L 10G /dev/vg0/vservers<br />
<br />
=== Start LVM during Boot ===<br />
We want lvm to init the logical volumes during boot. There is a boot service named ''lvm'' to do this. If your volumes are on raid, make sure that ''/etc/init.d/lvm'' is started after mdadm-raid.<br />
<br />
rc_add -s 12 -k lvm<br />
<br />
=== Setting up swap ===<br />
Now we have our devices in /dev/vg0 and can use them as normal disk partitions. To set up swap:<br />
<br />
mkswap /dev/vg0/swap<br />
<br />
Add the following line to your ''/etc/fstab'':<br />
/dev/vg0/swap none swap sw 0 0<br />
<br />
Start the swap service and make sure it starts during next reboot and that it starts '''after''' lvm.<br />
<br />
/etc/init.d/swap start<br />
rc_add -s 14 -k swap<br />
<br />
=== Setting up /vservers partition ===<br />
Finally we want to set up an XFS partition for /vservers.<br />
<br />
Install xfsprogs.<br />
<br />
apk_add xfsprogs<br />
<br />
Create filesystem on /dev/vg0/vservers.<br />
mkfs.xfs /dev/vg0/vservers<br />
<br />
Add the mount information to your /etc/fstab:<br />
/dev/vg0/vservers /vservers xfs noatime,tagxid 0 0<br />
<br />
Note that the ''tagxid'' option is specific for setting up vserver [http://oldwiki.linux-vserver.org/Disk+Limits disk limits] so it might be you don't want it. The ''noatime'' option is to increase performance but you will no longer know when files were accessed last time.<br />
<br />
Now we can start the ''localmount'' boot service to mount our partition.<br />
/etc/init.d/localmount start<br />
<br />
Make sure we run ''localmount'' during boot too, and that it is done after lvm.<br />
rc_add -s 14 -k localmount<br />
<br />
=== More Info on LVM ===<br />
For more information, have a look at the [http://tldp.org/HOWTO/LVM-HOWTO/commontask.html common tasks] section in the [http://tldp.org/HOWTO/LVM-HOWTO/index.html LVM Howto].</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Logical_Volumes_with_LVM&diff=2817Setting up Logical Volumes with LVM2009-05-27T17:58:24Z<p>Ms13sp: /* Rename Logical Volumes */</p>
<hr />
<div>This document describes how to create logical volumes in Alpine using lvm2.<br />
<br />
LVM is a collection of programs that allow larger physical disks to be reassembled into "logical" disks that can be shrunk or expanded as data needs change.<br />
<br />
In this document we will use a [[Setting up a software raid1 array | software raid1 device]] as physical storage for our logical volumes. We will set up a swap partition and a data partition for [[ Setting up a basic vserver | vservers ]]<br />
=== Installing LVM software ===<br />
First we need to load the kernel driver, ''dm-mod''<br />
<br />
modprobe dm-mod<br />
<br />
We also want it to be loaded during next reboot.<br />
<br />
echo dm-mod >> /etc/modules<br />
<br />
We also need the userspace programs.<br />
apk_add lvm2<br />
<br />
=== Preparing the physical volumes ===<br />
First we need to tell LVM that the partition is available as a physical volume and can be added to a volume group. In this example we use a software raid array as physical volume.<br />
pvcreate /dev/md0<br />
<br />
=== Preparing the Volume Group ===<br />
We can then create a volume group and add the physical volume ''/dev/md0''<br />
vgcreate vg0 /dev/md0<br />
<br />
If we later need more space we can add additional physical volumes with ''vgextend''. All physical disks/partitions added need to be prepared with ''pvcreate''.<br />
<br />
=== Creating Logical volumes ===<br />
In the volume group we can create logical volumes. To create a 1GB volume called ''swap'' and a 6GB volume called ''vservers'' on the volume group ''vg0'' we run<br />
lvcreate -n swap -L 1G vg0<br />
lvcreate -n vservers -L 6G vg0<br />
<br />
=== Display Logical Volumes ===<br />
You can now see the logical volumes with the lvdisplay utility.<br />
<br />
lvdisplay<br />
--- Logical volume ---<br />
LV Name /dev/vg0/swap<br />
VG Name vg0<br />
LV UUID a4NYOi-FQP6-Lj5Q-0TYk-Jjtk-Qxjt-nxeBPn<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 1.00 GB<br />
Current LE 256<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:0<br />
<br />
--- Logical volume ---<br />
LV Name /dev/vg0/vservers<br />
VG Name vg0<br />
LV UUID 16VMmy-7I0s-eeoW-tL2V-JrlN-jM6C-d0wEg0<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 6.00 GB<br />
Current LE 1536<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:1<br />
<br />
=== Rename Logical Volumes ===<br />
<br />
lvrename /dev/vg0/vservers /dev/vg0/database<br />
<br />
=== Extend Logical Volumes ===<br />
If you want to add space and the volume has the room for it...<br />
<br />
lvextend -L +50G /dev/vg0/vservers<br />
<br />
If you want to set the space to a new larger size...<br />
<br />
lvextend -L 10G /dev/vg0/vservers<br />
<br />
=== Start LVM during Boot ===<br />
We want lvm to init the logical volumes during boot. There is a boot service named ''lvm'' to do this. If your volumes are on raid, make sure that ''/etc/init.d/lvm'' is started after mdadm-raid.<br />
<br />
rc_add -s 12 -k lvm<br />
<br />
=== Setting up swap ===<br />
Now we have our devices in /dev/vg0 and can use them as normal disk partitions. To set up swap:<br />
<br />
mkswap /dev/vg0/swap<br />
<br />
Add the following line to your ''/etc/fstab'':<br />
/dev/vg0/swap none swap sw 0 0<br />
<br />
Start the swap service and make sure it starts during next reboot and that it starts '''after''' lvm.<br />
<br />
/etc/init.d/swap start<br />
rc_add -s 14 -k swap<br />
<br />
=== Setting up /vservers partition ===<br />
Finally we want to set up an XFS partition for /vservers.<br />
<br />
Install xfsprogs.<br />
<br />
apk_add xfsprogs<br />
<br />
Create filesystem on /dev/vg0/vservers.<br />
mkfs.xfs /dev/vg0/vservers<br />
<br />
Add the mount information to your /etc/fstab:<br />
/dev/vg0/vservers /vservers xfs noatime,tagxid 0 0<br />
<br />
Note that the ''tagxid'' option is specific for setting up vserver [http://oldwiki.linux-vserver.org/Disk+Limits disk limits] so it might be you don't want it. The ''noatime'' option is to increase performance but you will no longer know when files were accessed last time.<br />
<br />
Now we can start the ''localmount'' boot service to mount our partition.<br />
/etc/init.d/localmount start<br />
<br />
Make sure we run ''localmount'' during boot too, and that it is done after lvm.<br />
rc_add -s 14 -k localmount<br />
<br />
=== More Info on LVM ===<br />
For more information, have a look at the [http://tldp.org/HOWTO/LVM-HOWTO/commontask.html common tasks] section in the [http://tldp.org/HOWTO/LVM-HOWTO/index.html LVM Howto].</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_Logical_Volumes_with_LVM&diff=2816Setting up Logical Volumes with LVM2009-05-27T17:57:53Z<p>Ms13sp: /* display Logicall Volumes */</p>
<hr />
<div>This document describes how to create logical volumes in Alpine using lvm2.<br />
<br />
LVM is a collection of programs that allow larger physical disks to be reassembled into "logical" disks that can be shrunk or expanded as data needs change.<br />
<br />
In this document we will use a [[Setting up a software raid1 array | software raid1 device]] as physical storage for our logical volumes. We will set up a swap partition and a data partition for [[ Setting up a basic vserver | vservers ]]<br />
=== Installing LVM software ===<br />
First we need to load the kernel driver, ''dm-mod''<br />
<br />
modprobe dm-mod<br />
<br />
We also want it to be loaded during next reboot.<br />
<br />
echo dm-mod >> /etc/modules<br />
<br />
We also need the userspace programs.<br />
apk_add lvm2<br />
<br />
=== Preparing the physical volumes ===<br />
First we need to tell LVM that the partition is available as a physical volume and can be added to a volume group. In this example we use a software raid array as physical volume.<br />
pvcreate /dev/md0<br />
<br />
=== Preparing the Volume Group ===<br />
We can then create a volume group and add the physical volume ''/dev/md0''<br />
vgcreate vg0 /dev/md0<br />
<br />
If we later need more space we can add additional physical volumes with ''vgextend''. All physical disks/partitions added need to be prepared with ''pvcreate''.<br />
<br />
=== Creating Logical volumes ===<br />
In the volume group we can create logical volumes. To create a 1GB volume called ''swap'' and a 6GB volume called ''vservers'' on the volume group ''vg0'' we run<br />
lvcreate -n swap -L 1G vg0<br />
lvcreate -n vservers -L 6G vg0<br />
<br />
=== Display Logical Volumes ===<br />
You can now see the logical volumes with the lvdisplay utility.<br />
<br />
lvdisplay<br />
--- Logical volume ---<br />
LV Name /dev/vg0/swap<br />
VG Name vg0<br />
LV UUID a4NYOi-FQP6-Lj5Q-0TYk-Jjtk-Qxjt-nxeBPn<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 1.00 GB<br />
Current LE 256<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:0<br />
<br />
--- Logical volume ---<br />
LV Name /dev/vg0/vservers<br />
VG Name vg0<br />
LV UUID 16VMmy-7I0s-eeoW-tL2V-JrlN-jM6C-d0wEg0<br />
LV Write Access read/write<br />
LV Status available<br />
# open 0<br />
LV Size 6.00 GB<br />
Current LE 1536<br />
Segments 1<br />
Allocation inherit<br />
Read ahead sectors 0<br />
Block device 253:1<br />
<br />
=== Rename Logical Volumes ===<br />
<br />
lvrename /dev/vg0/vservers /dev/vg0/database<br />
<br />
=== Extend Logical Volumes ===<br />
If you want to add space and the volume has the room for it...<br />
<br />
lvextend -L +50G /dev/vg0/vservers<br />
<br />
If you want to set the space to a new larger size...<br />
<br />
lvextend -L 10G /dev/vg0/vservers<br />
<br />
=== Start LVM during Boot ===<br />
We want lvm to init the logical volumes during boot. There is a boot service named ''lvm'' to do this. If your volumes are on raid, make sure that ''/etc/init.d/lvm'' is started after mdadm-raid.<br />
<br />
rc_add -s 12 -k lvm<br />
<br />
=== Setting up swap ===<br />
Now we have our devices in /dev/vg0 and can use them as normal disk partitions. To set up swap:<br />
<br />
mkswap /dev/vg0/swap<br />
<br />
Add the following line to your ''/etc/fstab'':<br />
/dev/vg0/swap none swap sw 0 0<br />
<br />
Start the swap service and make sure it starts during next reboot and that it starts '''after''' lvm.<br />
<br />
/etc/init.d/swap start<br />
rc_add -s 14 -k swap<br />
<br />
=== Setting up /vservers partition ===<br />
Finally we want to set up an XFS partition for /vservers.<br />
<br />
Install xfsprogs.<br />
<br />
apk_add xfsprogs<br />
<br />
Create filesystem on /dev/vg0/vservers.<br />
mkfs.xfs /dev/vg0/vservers<br />
<br />
Add the mount information to your /etc/fstab:<br />
/dev/vg0/vservers /vservers xfs noatime,tagxid 0 0<br />
<br />
Note that the ''tagxid'' option is specific for setting up vserver [http://oldwiki.linux-vserver.org/Disk+Limits disk limits] so it might be you don't want it. The ''noatime'' option is to increase performance but you will no longer know when files were accessed last time.<br />
<br />
Now we can start the ''localmount'' boot service to mount our partition.<br />
/etc/init.d/localmount start<br />
<br />
Make sure we run ''localmount'' during boot too, and that it is done after lvm.<br />
rc_add -s 14 -k localmount<br />
<br />
=== More Info on LVM ===<br />
For more information, have a look at the [http://tldp.org/HOWTO/LVM-HOWTO/commontask.html common tasks] section in the [http://tldp.org/HOWTO/LVM-HOWTO/index.html LVM Howto].</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2756Generating SSL certs with ACF2009-05-18T17:02:25Z<p>Ms13sp: /* View */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This will somewhat guide you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
=== Generate a certificate with ACF ===<br />
==== Request Form ====<br />
Provided Fields:<br />
* Country Name (2 letter abbreviation)<br />
* Locality Name (e.g. city)<br />
* Organization Name<br />
* Common Name (eg, the certificate CN)<br />
* Email Address<br />
* Multiple Organizational Unit Name (eg, division)<br />
* Certificate Type<br />
<br />
A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be <br />
<tt>[v3_req]</tt><br />
<br />
You could put in here:<br />
* subjectAltName ="IP:192.168.1.1"<br />
* subjectAltName ="DNS:192.168.1.10"<br />
<br />
<br />
Once this form has been filled out and the password entered click submit.<br />
<br />
==== View ====<br />
Once the request form has been filled out go to the View tab. This will show you pending requests for certificates. Also available from this tab is CRL, already approved requests and the cert generated, along with revoked certs.<br />
<br />
For a Pending request make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mistypes or spelling mistakes, approve the request. <br />
<br />
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its parts to begin using it.<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key in readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt><br />
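The extraction commands above, run end to end and then checked, as an added example that is not part of the original wiki page. It assumes <tt>openssl</tt> is on the PATH; the function names, file names, subjects and the passphrase <tt>example-pass</tt> are all constructed for the demo, and the bundle is a throwaway one built on the spot rather than one downloaded from ACF.

```shell
#!/bin/sh
# Added example (not from the wiki page). All names, subjects and the
# passphrase are constructed. "pass:" arguments are for the demo only;
# interactively, let openssl prompt so the passphrase stays out of `ps`.

make_demo_pfx() {   # $1 = work dir, $2 = export passphrase
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_req]
subjectAltName = IP:192.168.1.1
EOF
    # Throwaway CA, then a client key + CSR, then a client cert signed by
    # the CA with the subjectAltName from the [v3_req] section above.
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -new -config "$d/demo.cnf" -subj "/CN=vpn-client-1" \
        -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/demo.cnf" -extensions v3_req \
        -out "$d/client.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" \
        -certfile "$d/ca.crt" -passout "pass:$2" -out "$d/demo.pfx"
}

extract_pfx() {     # $1 = PFX file, $2 = passphrase, $3 = output dir
    # -nodes writes the private key unencrypted, so create the output
    # files under a restrictive umask (owner read/write only).
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
          -out "$3/cacert.pem" 2>/dev/null &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
          -out "$3/mykey.pem" 2>/dev/null &&
      openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts \
          -out "$3/mycert.pem" 2>/dev/null )
}

key_matches_cert() {    # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

key_is_private() {      # succeeds only if group/other have no access
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case $mode in *00) return 0 ;; *) return 1 ;; esac
}

cert_sans() {           # print the subjectAltName value, spaces removed
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

check_pfx() {       # $1 = PFX file, $2 = passphrase, $3 = output dir
    extract_pfx "$1" "$2" "$3" ||
        { echo "extract failed"; return 1; }
    key_matches_cert "$3/mycert.pem" "$3/mykey.pem" ||
        { echo "key does not match certificate"; return 1; }
    openssl verify -CAfile "$3/cacert.pem" "$3/mycert.pem" >/dev/null 2>&1 ||
        { echo "certificate does not chain to bundled CA"; return 1; }
    key_is_private "$3/mykey.pem" ||
        { echo "private key readable by group/other"; return 1; }
    echo "ok"
}

demo() {            # run everything in a temp dir that is removed afterwards
    work=$(mktemp -d) || return 1
    mkdir "$work/out"
    make_demo_pfx "$work" "example-pass" &&
        check_pfx "$work/demo.pfx" "example-pass" "$work/out"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo
```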
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.<br />
<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2741Generating SSL certs with ACF2009-05-14T17:36:20Z<p>Ms13sp: /* Request Form */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This will somewhat guide you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
=== Generate a certificate with ACF ===<br />
==== Request Form ====<br />
Provided Fields:<br />
* Country Name (2 letter abbreviation)<br />
* Locality Name (e.g. city)<br />
* Organization Name<br />
* Common Name (eg, the certificate CN)<br />
* Email Address<br />
* Multiple Organizational Unit Name (eg, division)<br />
* Certificate Type<br />
<br />
A box has been set aside for adding Additional x509 Extensions formatted the same as if you were to fill out a section directly in openssl.cnf. Section would be <br />
<tt>[v3_req]</tt><br />
<br />
You could put in here:<br />
* subjectAltName ="IP:192.168.1.1"<br />
* subjectAltName ="DNS:192.168.1.10"<br />
<br />
<br />
Once this form has been filled out and the password entered click submit.<br />
<br />
==== View ====<br />
Once the request form has been filled out go to the View tab. This will show you pending requests for certificates. Also available from this tab is CRL, already approved requests and the cert generated, along with revoked certs.<br />
<br />
For a Pending request make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mistypes or spelling mistakes, approve the request. <br />
<br />
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its parts to begin using it.<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key in readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt><br />
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.<br />
<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2740Generating SSL certs with ACF2009-05-14T15:35:40Z<p>Ms13sp: /* Creating SSL certs using ACF */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This will somewhat guide you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
=== Generate a certificate with ACF ===<br />
==== Request Form ====<br />
Provided Fields:<br />
* Country Name (2 letter abbreviation)<br />
* Locality Name (e.g. city)<br />
* Organization Name<br />
* Common Name (eg, the certificate CN)<br />
* Email Address<br />
* Multiple Organizational Unit Name (eg, division)<br />
* Certificate Type<br />
<br />
A box has been set aside for adding Additional x509 Extensions... To be documented later.<br />
<br />
Once this form has been filled out and the password entered click submit.<br />
<br />
==== View ====<br />
Once the request form has been filled out go to the View tab. This will show you pending requests for certificates. Also available from this tab is CRL, already approved requests and the cert generated, along with revoked certs.<br />
<br />
For a Pending request make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mistypes or spelling mistakes, approve the request. <br />
<br />
The file that will be generated can be downloaded from the ACF. Use the command lines below to extract the pkcs12 file into its parts to begin using it.<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key in readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt><br />
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.<br />
<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2739Generating SSL certs with ACF2009-05-14T15:34:13Z<p>Ms13sp: /* Acf-openssl */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This will somewhat guide you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
=== Generate a certificate with ACF ===<br />
==== Request Form ====<br />
Provided Fields:<br />
* Country Name (2 letter abbreviation)<br />
* Locality Name (e.g. city)<br />
* Organization Name<br />
* Common Name (eg, the certificate CN)<br />
* Email Address<br />
* Multiple Organizational Unit Name (eg, division)<br />
* Certificate Type<br />
<br />
A box has been set aside for adding Additional x509 Extensions... To be documented later.<br />
<br />
Once this form has been filled out and the password entered click submit.<br />
<br />
==== View ====<br />
Once the request form has been filled out go to the View tab. This will show you pending requests for certificates. Also available from this tab is CRL, already approved requests and the cert generated, along with revoked certs.<br />
<br />
For a Pending request make sure to review the cert before approving it. Once you have verified that all the information is correct, with no mistypes or spelling mistakes, approve the request. <br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.<br />
<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key in readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2738Generating SSL certs with ACF2009-05-14T14:47:23Z<p>Ms13sp: /* Edits to /etc/ssl/openssl-ca-acf.cnf */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote persons. You might use something like openvpn or racoon for your VPN services. But wouldn't it be nice to have some sort of way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This will somewhat guide you through the process of creating this type of server. It is suggested to not host this on you VPN gateway but use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
Via the expert tab on ACF edit the openssl-ca-acf.cnf file. Something like subjectAltName can be added to be used by the certificates that you generate.<br />
<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2737Generating SSL certs with ACF2009-05-14T13:15:41Z<p>Ms13sp: /* Extract PFX certificate */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
==== Extract PFX certificate ====<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2736Generating SSL certs with ACF2009-05-14T13:15:23Z<p>Ms13sp: /* Acf-openssl */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
If you already have a CA that you would like to have the web interface manage just go to the Status page. At the bottom click on Configure.<br />
<br />
Go to the Edit Defaults tab. Input the Items that will be needed for the CA and any other certs generated from it. <br />
<br />
Click Save. <br />
<br />
Go back to the Status tab. Click Configure. If you have already clicked configure then it may just prompt you for the input boxes to upload or generate a CA.<br />
<br />
<br />
====OpenSSL command line to create your CA ====<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
=== Extract PFX certificate ===<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2733Generating SSL certs with ACF2009-05-13T20:41:21Z<p>Ms13sp: /* Extract PFX certificate */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
You need to create the CA you are going to use.<br />
<br />
This needs to be done on the alpine machine. You may already have a CA and key created.<br />
<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mkdir /etc/ssl/private;mkdir /etc/ssl/req/;mkdir /etc/ssl/cert;echo "7" > /etc/ssl/serial;touch /etc/ssl/index.txt;</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
=== Extract PFX certificate ===<br />
To get the CA CERT<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key readable/text format<br />
<br />
<tt>openssl x509 -in mycert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2732Generating SSL certs with ACF2009-05-13T20:40:49Z<p>Ms13sp: /* Edits to /etc/ssl/openssl-ca-acf.cnf */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
You need to create the CA you are going to use.<br />
<br />
This needs to be done on the alpine machine. You may already have a CA and key created.<br />
<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mkdir /etc/ssl/private;mkdir /etc/ssl/req/;mkdir /etc/ssl/cert;echo "7" > /etc/ssl/serial;touch /etc/ssl/index.txt;</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt><br />
<br />
<br />
=== Extract PFX certificate ===<br />
To get the CA CERT<br />
<tt>openssl pkcs12 -in PFXFILE -cacerts -nokeys -out cacert.pem</tt><br />
<br />
To get the Private Key<br />
<tt>openssl pkcs12 -in PFXFILE -nocerts -nodes -out mykey.pem</tt><br />
<br />
To get the Certificate<br />
<tt>openssl pkcs12 -in PFXFILE -nokeys -clcerts -out mycert.pem</tt><br />
<br />
Display the cert or key readable/text format<br />
<br />
<tt>openssl x509 -in newcert.pem -noout -text</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2731Generating SSL certs with ACF2009-05-13T20:30:09Z<p>Ms13sp: /* Acf-openssl */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
You need to create the CA you are going to use.<br />
<br />
This needs to be done on the alpine machine. You may already have a CA and key created.<br />
<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mkdir /etc/ssl/private;mkdir /etc/ssl/req/;mkdir /etc/ssl/cert;echo "7" > /etc/ssl/serial;touch /etc/ssl/index.txt;</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2730Generating SSL certs with ACF2009-05-13T20:27:47Z<p>Ms13sp: /* Acf-openssl */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
You need to create the CA you are going to use.<br />
<br />
This needs to be done on the alpine machine. You may already have a CA and key created.<br />
<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mkdir /etc/ssl/private;mkdir /etc/ssl/req/;mkdir /etc/ssl/cert;touch /etc/ssl/serial;touch /etc/ssl/index.txt;</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt><br />
<br />
===Edits to /etc/ssl/openssl-ca-acf.cnf ===<br />
If you need to add a subjectAltName value, edit the openssl-ca-acf.cnf file and add a similar entry:<br />
<br />
<tt>3.subjectAltName = Assigned IP Address </tt><br />
<br />
<tt>3.subjectAltName_default = 192.168.1.1/32</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2729Generating SSL certs with ACF2009-05-13T18:31:31Z<p>Ms13sp: /* Install ACF */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install and Configure ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.<br />
<br />
=== Acf-openssl ===<br />
<br />
Under the Applications section you should now have a Certificate Authority link. Click on this.<br />
<br />
It should open with the Status tab. You will see a lot of red error messages.<br />
<br />
You need to create the CA you are going to use.<br />
<br />
This needs to be done on the alpine machine. You may already have a CA and key created.<br />
<br />
The following command will need a password. Make sure to remember this.<br />
<br />
<tt>openssl genrsa -des3 -out server.key 2048 </tt><br />
<br />
<tt>openssl req -new -key server.key -out server.csr</tt><br />
<br />
<tt>openssl rsa -in server.key -out server.pem</tt><br />
<br />
<tt>openssl x509 -req -days 365 -in server.csr -signkey server.pem -out cacert.pem</tt><br />
<br />
<tt>mkdir /etc/ssl/private;mkdir /etc/ssl/req/;mkdir /etc/ssl/cert;touch /etc/ssl/serial;touch /etc/ssl/index.txt;</tt><br />
<br />
<tt>mv server.pem /etc/ssl/private; mv cacert.pem /etc/ssl/</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2728Generating SSL certs with ACF2009-05-13T17:18:53Z<p>Ms13sp: /* Install ACF */</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt><br />
<br />
Install acf-openssl<br />
<br />
Browse to your computer https://ipaddr/<br />
<br />
Login as default alpine user password test123<br />
<br />
Click on the User Management tab and change the password. <br />
<br />
Also make sure to create yourself an account.</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Generating_SSL_certs_with_ACF&diff=2726Generating SSL certs with ACF2009-05-07T15:50:14Z<p>Ms13sp: Created page with '=Creating SSL certs using ACF= You are in need of creating certificate for remote persons. You might use something like openvpn or racoon for your vpn services. But wouldn't it b...'</p>
<hr />
<div>=Creating SSL certs using ACF=<br />
You need to create certificates for remote users. You might use something like openvpn or racoon for your vpn services. But wouldn't it be nice to have some way to manage and view all the certs you have given to everyone? Revoke the certs? Review the certificate before you issue it?<br />
Alpine, via the ACF, has a nice web interface to use for this sort of job...<br />
<br />
==Installation Process==<br />
This guides you through the process of creating this type of server. It is suggested not to host this on your VPN gateway but to use another machine to generate your certificates. <br />
<br />
===Install Alpine ===<br />
Link below to the standard document...<br />
<br />
[[Installing_Alpine]]<br />
<br />
=== Install ACF ===<br />
Run the following command:<br />
This will install the web front end to Alpine Linux, called ACF.<br />
<br />
<tt>/sbin/setup-webconf</tt></div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:Documentation&diff=2719Alpine Linux:Documentation2009-05-06T20:08:07Z<p>Ms13sp: /* Misc */</p>
<hr />
<div>== User Documentation ==<br />
Documentation how to install and use the Alpine distro.<br />
<br />
* [[Installing Alpine]]<br />
* [[Upgrading Alpine]]<br />
* [[Alpine package management]]<br />
* [[Comparison with Gentoo and Debian]]<br />
* Submitting [http://bugs.alpinelinux.org Problem Reports]<br />
<br />
=== HOWTOS ===<br />
<br />
==== Installation ====<br />
* [[Bootstrapping Alpine on Soekris net4xxx]]<br />
* [[Bootstrapping Alpine on PC Engines ALIX.3]]<br />
* [[Setting up a software raid1 array]]<br />
* [[Setting up Logical Volumes with LVM]]<br />
* [[Setting up a /var partition on software IDE raid1]]<br />
* [[Native Harddisk Install]]<br />
* [[Installing XUbuntu using Alpine boot floppy]]<br />
<br />
==== Networking ====<br />
* [[Setting up a OpenVPN-server with Alpine]]<br />
* [[Setting up traffic monitoring using rrdtool (and snmp)]]<br />
* [[Setting up Zaptel/Asterisk on Alpine]]<br />
* [[Using HSDPA modem]]<br />
* [[Using Alpine on Windows domain with IPSEC isolation]]<br />
<br />
==== Misc ====<br />
* [[Setting up lm_sensors]]<br />
* [[Setting up Satellite Internet Connection]]<br />
* [[Setting up Streaming an Asterisk Channel]]<br />
* [[Formatting HD/Floppy/Other]]<br />
* [[Setting up Transmission (bittorrent) with Clutch WebUI]]<br />
* [[Protecting your email server with Alpine]]<br />
* [[Hosting Web/Email services on Alpine]]<br />
* [[Running Alpinelinux As a QEMU networked Guest ]]<br />
* [[Screen on console]]<br />
* [[Setting_up_trac_wiki]]<br />
* [[Using espeak on AlpineLinux]]<br />
* [[Generating SSL certs with ACF]]<br />
<br />
==== iSCSI ====<br />
* [[iSCSI Target and Initiator Configuration]]<br />
* [[iSCSI Raid and Clustered File Systems]]<br />
<br />
=== Vserver ===<br />
* [[Setting up a basic vserver]]<br />
<br />
== Developer Documentation ==<br />
Documentation how to build and modify the Alpine distro.<br />
<br />
* [[Alpine Package Testing Suite]]<br />
* [[Alpine Configuration Framework Design]] (Why ACF is the way it is)<br />
* [[Development using git]]<br />
<br />
=== Alpine 1.9.x build system ===<br />
After Alpine 1.8 is released we will switch to a new build system. The docs below are for building packages in Alpine 1.9 and later.<br />
<br />
* [[Setting up the build environment]]<br />
* [[Creating an Alpine package]]<br />
* [[Creating_an_Alpine_1.9_iso]] (This page is experimental and might go away or move in the future)<br />
<br />
=== Obsolete docs ===<br />
* [[Setting up the build environment 1.7]]<br />
* [[Newbie Guide to Building an apk]]<br />
* [[Creating patches]]<br />
<br />
== Misc. References ==<br />
Other useful references.<br />
<br />
* http://www.metoffice.gov.uk/research/nwp/external/fcm/doc/user_guide/working_practices.html - Some guidelines on use of Trac and SVN</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Protecting_your_email_server_with_Alpine&diff=2703Protecting your email server with Alpine2009-04-03T13:38:29Z<p>Ms13sp: /* Setting up Postfix */</p>
<hr />
<div>== Introduction ==<br />
<br />
This document outlines how you can set up a spam/virus gateway with Alpine Linux. First, note that this is not the only way of setting up such a system. There are many ways of achieving this goal, but this is the way I take. I do not issue any guarantee that this will work for you!<br />
<br />
The first thing I want to mention is that it is probably not a good idea to set up Postfix on a diskless system (having the mailer spool in memory). If you ever suffered a power failure you would lose the contents of your Postfix spool. That said, in our organization we are using a UPS device to supply our servers with backup power, so the chance that our server would shut down because of a power failure is minimal (and we are prepared to take this risk).<br />
<br />
For this particular setup we are going to use the following:<br />
<br />
* Mailer daemon: Postfix<br />
* Virus scanner: Clamav<br />
* SMTP filter: Clamsmtp<br />
* Greylisting server: Gross<br />
* Extra definitions: SaneSecurity & MSRBL<br />
* Exchange 2003 users/groups in relay_recipient_maps<br />
* Alpine Linux 1.7.19 (some packages are not available before this version)<br />
<br />
<br />
== Setting up Postfix ==<br />
<br />
The first thing we are going to install is our mailer daemon:<br />
<br />
<br />
''apk_add postfix''<br />
<br />
<br />
This will install Postfix with a default configuration in /etc/postfix. Let's first take a look at main.cf; this is, as the name implies, the main configuration file for Postfix. I will show you my configuration file, which you can use (I've commented out some options which we enable later on):<br />
<br />
mynetworks = '''lan-net'''/24, 127.0.0.0/8<br />
transport_maps = hash:/etc/postfix/transport<br />
relay_domains = $transport_maps<br />
smtpd_helo_required = yes<br />
'''disable_vrfy_command = yes'''<br />
#relay_recipient_maps = hash:/etc/postfix/exchange_receipients<br />
<br />
smtpd_recipient_restrictions =<br />
reject_invalid_hostname,<br />
reject_non_fqdn_hostname,<br />
reject_non_fqdn_sender,<br />
reject_non_fqdn_recipient,<br />
reject_unknown_sender_domain,<br />
reject_unknown_recipient_domain,<br />
permit_mynetworks,<br />
reject_unauth_destination,<br />
#check_policy_service inet:127.0.0.1:5525,<br />
#<br />
# in case you want reject DNS blacklists rather than greylist them<br />
# with gross, uncomment the lines below<br />
#<br />
# reject_rbl_client cbl.abuseat.org,<br />
# reject_rbl_client sbl.spamhaus.org,<br />
# reject_rbl_client pbl.spamhaus.org,<br />
# reject_rbl_client bl.spamcop.net,<br />
# reject_rbl_client list.dsbl.org,<br />
permit<br />
<br />
smtpd_data_restrictions =<br />
reject_unauth_pipelining,<br />
permit<br />
<br />
#content_filter = scan:[127.0.0.1]:10025<br />
<br />
<br />
'''NOTE:''' Don't forget to change '''lan-net''' to your lan subnet.<br />
<br />
<br />
These are the minimal settings I use to set up a Postfix mail gateway. If you are looking for other settings please issue the following command:<br />
<br />
<br />
''postconf |more''<br />
<br />
<br />
This will display your current default configuration. If you want to change any of these settings you can add them to main.cf and reload Postfix. Looking at my main.cf file you will see the setting "transport_maps". This setting refers to a file inside the Postfix config directory which tells Postfix to which server it should forward email for each domain. It should look similar to this:<br />
<br />
domain-a.tld smtp:[192.168.1.1]<br />
domain-b.tld smtp:[192.168.1.2]<br />
<br />
Whenever an email enters our mail gateway for a domain specified in our "transport_maps" file, the gateway will forward this email, after processing, to the IP address assigned. For complete documentation please refer to the Postfix docs. When you are done editing this file, issue the following command:<br />
<br />
<br />
''postmap /etc/postfix/transport''<br />
<br />
<br />
This will create a hash db of this file which will be easier/faster for Postfix to read. The second setting we will look at is "relay_domains". This setting tells Postfix for which domains it will relay emails. Because this setting will most probably be the same as the domains we mention in "transport_maps" we can just link to it. Now your basic email gateway is ready and you can start it, but remember there will be no virus or spam filtering.<br />
<br />
<br />
''/etc/init.d/postfix start''<br />
<br />
<br />
We can start it at boot:<br />
<br />
<br />
''rc_add -k postfix''<br />
<br />
== Setting up Clamav ==<br />
<br />
To be able to filter out viruses from our emails we need a virus scanner. The only real open-source solution available is Clamav. Let's install it:<br />
<br />
<br />
''apk_add clamav''<br />
<br />
<br />
We will be using the daemonized version of Clamav, "clamd". There is nothing we need to change for Clamav: we can use the default settings, and the virus definitions are automatically updated with freshclam. Let's start it:<br />
<br />
<br />
''/etc/init.d/clamd start''<br />
<br />
<br />
Let's start it at boot:<br />
<br />
<br />
''rc_add -k clamd''<br />
<br />
<br />
'''NOTE:''' I have had memory issues with clamd on Alpine. I am still looking for a solution regarding this. For now I advise you to restart clamd with cron every day.<br />
<br />
'''UPDATE:''' See https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1028 this should be fixed in clamav 0.93.1<br />
<br />
== Setting up Clamsmtp ==<br />
<br />
<br />
OK, so now we have a mail daemon and a virus daemon installed and set up. Now we need the two daemons to talk to each other. The most popular tool to do so is amavisd-new, but it is based on Perl and I don't like it because Perl can be a resource hog and I'm not planning to install it on my Alpine install. Another, lighter, C-based solution is Clamsmtp. It is an SMTP filter which listens for incoming connections, scans the emails with clamd and forwards them back again to the MTA. It doesn't come with as many features as amavisd-new does, but it's enough for me. Let's install it:<br />
<br />
<br />
''apk_add clamsmtp''<br />
<br />
<br />
Here is my clamsmtp.conf configuration file:<br />
<br />
OutAddress: 127.0.0.1:10026<br />
Listen: 127.0.0.1:10025<br />
ClamAddress: /var/run/clamav/clamd.sock<br />
TempDirectory: /tmp<br />
Action: drop<br />
Quarantine: on<br />
User: clamav<br />
VirusAction: /etc/postfix/scripts/virus_action.sh<br />
<br />
<br />
Clamsmtp has support for a virus action script which will be run each time clamd returns a positive detection. I have included my virus action script here but it has not been tested enough so use it at your own risk! Make sure you set the correct permissions on the /etc/postfix/scripts/ directory because clamsmtp will run as user clamav. Monitor the log file in your /tmp directory.<br />
<br />
[[virus_action.sh]]<br />
<br />
'''NOTE''': Here in our organization we are running Exchange 2003. Exchange has support for public folders, which is a good way of storing the files we filter with Clamsmtp. Make sure you have proper permissions and size limitations for the public folder so it doesn't get too big and other people cannot access the folder; remember it will contain viruses!<br />
<br />
OK, let's configure Postfix for clamsmtp by editing our master.cf and adding the following lines to the end of the file:<br />
<br />
<br />
# AV scan filter (used by content_filter)<br />
scan unix - - n - 16 smtp<br />
-o smtp_send_xforward_command=yes<br />
-o smtp_enforce_tls=no<br />
# For injecting mail back into postfix from the filter<br />
127.0.0.1:10026 inet n - n - 16 smtpd<br />
-o content_filter=<br />
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks<br />
-o smtpd_helo_restrictions=<br />
-o smtpd_client_restrictions=<br />
-o smtpd_sender_restrictions=<br />
-o smtpd_recipient_restrictions=permit_mynetworks,reject<br />
-o mynetworks_style=host<br />
-o smtpd_authorized_xforward_hosts=127.0.0.0/8<br />
<br />
<br />
<br />
Let's start Clamsmtp:<br />
<br />
<br />
''/etc/init.d/clamsmtp start''<br />
<br />
<br />
And add it to our system start:<br />
<br />
<br />
''rc_add -k clamsmtp''<br />
<br />
<br />
If you are sure all your settings are correct we can uncomment the "content_filter" line in our main.cf which will enable Clamsmtp for Postfix and run:<br />
<br />
<br />
''postfix reload''<br />
<br />
== Setting up Gross greylisting server ==<br />
<br />
I have used greylisting for several months now, and while it has its positive effects it also has its negative ones. One of the positive effects is that you will get almost no spam/virus emails into your system anymore, but it will introduce a delay to a part of your email traffic. If your organization is big enough you will start to notice people complaining about delayed emails; this is where Gross comes in. It still uses greylisting, but not for all hosts, only for the ones that are matched by the specified DNSBL databases. If you want to find out more regarding gross please go to their website:<br />
<br />
<br />
http://code.google.com/p/gross/<br />
<br />
<br />
Let's install gross:<br />
<br />
<br />
''apk_add gross''<br />
<br />
<br />
Here is my grossd.conf file:<br />
<br />
<br />
protocol = postfix<br />
statefile = /var/db/gross/state<br />
check = dnsbl<br />
check = rhsbl<br />
dnsbl = zen.spamhaus.org<br />
dnsbl = list.dsbl.org<br />
dnsbl = bl.spamcop.net<br />
dnsbl = combined.njabl.org<br />
dnsbl = cbl.abuseat.org<br />
dnsbl = dnsbl.sorbs.net<br />
rhsbl = rhsbl.sorbs.net<br />
<br />
<br />
Let's start grossd:<br />
<br />
<br />
''/etc/init.d/grossd start''<br />
<br />
<br />
'''Please note''': the init file for gross will automatically generate the grossd state file in the directory specified in its config file. Because we are running Alpine from memory the state file is not saved to disk, so we need to add it to our backup with lbu_commit. The safest way to do this is to first stop grossd before committing the changes to our backup.<br />
<br />
<br />
''lbu_include /var/db/gross/state''<br />
<br />
''/etc/init.d/grossd stop''<br />
<br />
''lbu_commit''<br />
<br />
''/etc/init.d/grossd start''<br />
<br />
<br />
Let's start it at boot:<br />
<br />
<br />
''rc_add -k grossd''<br />
<br />
<br />
Now we need to make Postfix use our greylisting service by uncommenting the "check_policy_service" line in our main.cf and run:<br />
<br />
<br />
''postfix reload''<br />
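<br />
The decision that "check_policy_service" delegates, sketched as an added example (not Gross's code and not part of the original how-to): only clients found on a DNSBL are greylisted, everyone else passes without delay. It is simplified to a flat state file with no time window, and the DNS lookup is replaced by a constructed file of listed query names so it runs offline; the function and variable names are assumptions.<br />

```shell
#!/bin/sh
# Added example: selective greylisting as a Postfix policy decision.
# Assumptions: ZONES, LISTED_FILE and STATE_FILE are names made up here.
ZONES=${ZONES:-"zen.spamhaus.org bl.spamcop.net cbl.abuseat.org"}
LISTED_FILE=${LISTED_FILE:-./listed.sample}   # constructed stand-in for DNS
STATE_FILE=${STATE_FILE:-./greylist.state}    # triplets already seen once

# dnsbl_name IP ZONE: build the DNSBL query name (IPv4 octets reversed).
# Prints nothing for anything that is not a dotted quad (e.g. IPv6).
dnsbl_name() {
    echo "$1" | awk -F. -v z="$2" 'NF == 4 { print $4 "." $3 "." $2 "." $1 "." z }'
}

# is_listed IP: true if any zone "resolves" the query name. A real policy
# server would do a DNS A lookup here instead of reading LISTED_FILE.
is_listed() {
    for zone in $ZONES; do
        q=$(dnsbl_name "$1" "$zone")
        [ -n "$q" ] && grep -qxF "$q" "$LISTED_FILE" 2>/dev/null && return 0
    done
    return 1
}

# policy_decide: read one policy delegation request (name=value lines ended
# by an empty line) on stdin and print the reply, itself ended by an empty line.
policy_decide() {
    client='' sender='' rcpt=''
    while IFS= read -r line; do
        [ -z "$line" ] && break
        case $line in
            client_address=*) client=${line#*=} ;;
            sender=*)         sender=${line#*=} ;;
            recipient=*)      rcpt=${line#*=} ;;
        esac
    done

    # Client is on no list: hand the decision back to Postfix, no delay.
    if ! is_listed "$client"; then
        printf 'action=DUNNO\n\n'
        return 0
    fi

    # Listed client: defer the first attempt of each triplet, accept the retry.
    triplet="$client|$sender|$rcpt"
    if grep -qxF "$triplet" "$STATE_FILE" 2>/dev/null; then
        printf 'action=DUNNO\n\n'
    else
        echo "$triplet" >> "$STATE_FILE"
        printf 'action=DEFER_IF_PERMIT Greylisted, please try again later\n\n'
    fi
}

# sample_request IP: a constructed request as smtpd would send it.
sample_request() {
    printf 'request=smtpd_access_policy\nclient_address=%s\n' "$1"
    printf 'sender=someone@example.org\nrecipient=bob@domain-a.tld\n\n'
}
```

Feeding it <code>sample_request 127.0.0.2</code> twice, with <code>2.0.0.127.zen.spamhaus.org</code> in the listing file, shows the defer-then-accept behaviour; an unlisted client is answered with DUNNO on the first attempt.<br />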
<br />
== Setting up SaneSecurity & MSRBL extra definitions ==<br />
<br />
<br />
Another good way of catching SPAM is Sanesecurity and MSRBL definitions. You can find more information regarding these definitions here:<br />
<br />
<br />
http://www.sanesecurity.co.uk/ <br />
<br />
<br />
To use the following script you will need to install the following packages:<br />
<br />
<br />
''apk_add curl rsync''<br />
<br />
<br />
[[up_clam_ex.sh]]<br />
<br />
<br />
Add this script to the following directory:<br />
<br />
<br />
/etc/postfix/scripts/<br />
<br />
<br />
And add this script to cron:<br />
<br />
<br />
''echo "37 03 * * * /etc/postfix/scripts/up_clam_ex.sh &> /dev/null" >> /etc/crontabs/root''<br />
<br />
<br />
'''NOTE''': Please adjust the time so not everybody runs it at the same time, and make sure cron is running at boot:<br />
<br />
<br />
''rc_add -k cron''<br />
<br />
<br />
== Exchange 2003 & relay_recipient_maps ==<br />
<br />
<br />
Postfix will process mail for every email address in the domains which are specified in "relay_domains". Because we want to prevent Postfix from processing emails for destinations which do not exist, we add the relay_recipient_maps option to our main.cf file. I've already added it, so it only needs to be uncommented. I have included a Visual Basic script here which will extract all valid email addresses of users and groups in Exchange 2003 and put them in a text file inside the root of our IIS server. I've also included a script which will download this file and process it into a db which can be read by Postfix. Put the following file somewhere on your Exchange server and make it run at a regular interval with a Windows scheduled task:<br />
<br />
<br />
[[export_receipts.vbs]]<br />
<br />
<br />
Download the following file and move it to:<br />
<br />
<br />
[[exchange_receipients.sh]]<br />
<br />
<br />
/etc/postfix/scripts/<br />
<br />
<br />
And change its settings and add it to cron. I've set a time 10 minutes after I run the vbs script on my Exchange server:<br />
<br />
<br />
''echo "10,40 * * * * /etc/postfix/scripts/exchange_receipients.sh &> /dev/null" >> /etc/crontabs/root''<br />
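<br />
An added sketch of the conversion step described above (it is not the wiki's exchange_receipients.sh; the function names and sample addresses are made up): it turns an exported address list into the "address OK" source file that relay_recipient_maps reads, and refuses to replace the existing map when the export is empty or truncated, since an empty map would make Postfix reject every recipient.<br />

```shell
#!/bin/sh
# Added example: build a relay_recipient_maps source file from an export.

# build_recipient_map SRC DST [MIN]
# SRC: one address per line (Windows line endings tolerated).
# DST: lookup-table source file to (re)place atomically.
# MIN: minimum number of valid addresses required (default 1).
# Prints the number of addresses written; returns 1 and leaves DST alone
# when fewer than MIN valid addresses were found.
build_recipient_map() {
    src=$1 dst=$2 min=${3:-1}
    tmp="$dst.tmp.$$"

    # Strip CRs, lower-case, trim, keep only local@domain.tld shaped lines,
    # de-duplicate, then append the "OK" result Postfix expects.
    tr -d '\r' < "$src" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E '^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$' \
        | sort -u \
        | sed 's/$/ OK/' > "$tmp"

    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "refusing to install map: only $count valid addresses" >&2
        return 1
    fi
    mv "$tmp" "$dst"
    echo "$count"
}

# write_sample_export FILE: constructed export with CRLF endings, mixed
# case, a duplicate, a blank line and one malformed entry.
write_sample_export() {
    printf 'Alice@domain-a.tld\r\nbob@domain-a.tld\r\n\r\n' > "$1"
    printf 'alice@domain-a.tld\r\nnot-an-address\r\nsales@domain-b.tld\r\n' >> "$1"
}
```

After a successful run, ''postmap'' on the output file produces the db that main.cf points to.<br />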
<br />
<br />
<br />
<br />
<br />
<br />
To Be Continued....</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Native_Harddisk_Install_1.6&diff=2672Native Harddisk Install 1.62009-02-27T15:02:50Z<p>Ms13sp: Made a few minor changes... Because of changes ;)</p>
<hr />
<div>=Alpine HD install=<br />
<br />
'''NOTE''': This document covers 1.6 release. From version 1.7.3 there is an albootstrap script that will install the basic packages (except grub) into a subdir. The script is available here: http://dev.alpinelinux.org/alpine/v1.7/albootstrap<br />
<br />
Alpine is more geared toward live-cd or usb-key usage, but it is possible to install it to a harddisk.<br />
<br />
This is how it is done. The Alpine version is 1.6.1<br />
<br />
== Installation ==<br />
<br />
Create partitions with fdisk. <br />
<br />
fdisk /dev/hda<br />
<br />
You should have 2 partitions: /dev/hda1 as "Linux" (type 83) and /dev/hda2 as "linux swap" (type 82). <br />
<br />
Install needed programs for the setup <br />
<br />
apk_add e2fsprogs rsync grub<br />
<br />
Create filesystem and swap <br />
<br />
mkfs.ext3 /dev/hda1<br />
mkswap /dev/hda2<br />
<br />
Turn on swap already now <br />
<br />
swapon /dev/hda2<br />
<br />
Mount file-system <br />
<br />
mount -t ext3 /dev/hda1 /mnt<br />
<br />
Install base packages on harddisk <br />
<br />
ROOT=/mnt apk_add uclibc busybox apk-tools alpine-baselayout alpine-conf grub<br />
<br />
If you want pcmcia support, then also add the pcmciautils package <br />
<br />
ROOT=/mnt apk_add pcmciautils<br />
<br />
Install busybox links <br />
<br />
mkdir /mnt/proc<br />
mount --bind /proc /mnt/proc<br />
chroot /mnt /bin/busybox --install -s<br />
umount /mnt/proc<br />
<br />
For convenience, copy the apk repository. <br />
<br />
rsync -ruav /media/cdrom/apks /mnt<br />
<br />
Create the apk.conf: <br />
<br />
mkdir /mnt/etc/apk<br />
echo "APK_PATH=file://apks" &gt; /mnt/etc/apk/apk.conf<br />
<br />
Copy the hd/ext3 initramfs image, kernel and kernel modules. <br />
<br />
rsync -ruav /media/cdrom/kernel/generic/hd-ext3.gz /media/cdrom/vmlinuz /mnt<br />
rsync -ruav /lib/modules /mnt/lib/modules<br />
<br />
Configure grub <br />
<br />
grub-install --root-directory=/mnt /dev/hda1<br />
vi /mnt/boot/grub/menu.lst<br />
<br />
It should contain something like: <br />
<br />
default 0<br />
timeout 0<br />
title Alpine Linux<br />
root (hd0,0)<br />
kernel /bzImage root_dev=hda1:ext3 alpine_dev=../:ext3<br />
initrd /hd-ext3.gz<br />
<br />
Install grub on MBR: <br />
<br />
grub<br />
root (hd0,0)<br />
setup (hd0)<br />
quit<br />
<br />
Append the swap to fstab: <br />
<br />
echo -e "/dev/hda2 none swap sw 0 0" &gt;&gt; /mnt/etc/fstab<br />
<br />
Unmount, remove cdrom and reboot. (If you can't eject, just remove it manually as the machine reboots) <br />
<br />
umount /mnt<br />
eject <br />
reboot<br />
<br />
After reboot, log in as "root" and run: <br />
<br />
setup-alpine</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Creating_an_Alpine_package&diff=2668Creating an Alpine package2009-02-23T19:34:20Z<p>Ms13sp: </p>
<hr />
<div>DRAFT <br />
<br />
This document assumes that you have a working [[Setting up the build environment 1.9|build environment]], or use a diskbased alpine installation. <br />
<br />
=== The APKBUILDs ===<br />
<br />
The ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild abuild]'' script reads the ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild//tree/APKBUILD.proto APKBUILD]'' and executes the steps needed to create a package. <br />
<br />
=== The aports tree ===<br />
<br />
The [http://dev.alpinelinux.org/cgit/cgit.cgi/aports aports] tree is a [http://dev.alpinelinux.org/cgit/cgit.cgi/aports/tree directory tree] with many APKBUILDs. Those files are used when building alpine from source. <br />
<br />
== Installing and configuring the alpine-sdk ==<br />
<br />
The alpine-sdk is a metapackage that pulls in the most essential packages used to build new packages. To install those packages: <br />
<br />
'''NOTE''': if you used the [[Setting up the build environment 1.9|build environment]] howto, you already have alpine-sdk installed. <br />
<br />
apk add alpine-sdk<br />
<br />
The aports tree is in git so before we can clone the aports tree we need to install and configure git. We need to tell git our name and email. <br />
<br />
git config --global user.name "Your Full Name"<br />
git config --global user.email "your@email.address"<br />
<br />
Now we can clone the aports tree. <br />
<br />
git clone git://dev.alpinelinux.org/aports<br />
<br />
Before we create APKBUILD files we need to set up abuild for our system/user. Please edit the file abuild.conf to your liking. <br />
<br />
vim /etc/abuild.conf<br />
<br />
== Creating an APKBUILD file ==<br />
<br />
=== General info ===<br />
<br />
APKBUILD files are read by the abuild program mentioned above. To see what abuild can/cannot do you can execute: <br />
<br />
abuild -h<br />
<br />
To create the actual APKBUILD file abuild has the option -n (new). It will simply copy an example APKBUILD file to the given directory and fill in some variables. If you are creating a daemon package which needs initd scripts you can add the -c option, making it: <br />
<br />
abuild -c -n ''packagename''<br />
<br />
'''NOTE''': The ''packagename'' is a parameter to the -n option so order of -c and -n matters. <br />
<br />
<br> This will copy the sample initd and confd files to the build directory. A third file sample.install file will be copied as well (we will discuss this later on). <br />
<br />
Edit APKBUILD and fill in the needed info (especially pkgname, pkgver, pkgdesc, url, license, depends and source). <br />
<br />
If you are going to use any of the directory variables like $pkgdir, always make sure they are double quoted like: <br />
<br />
"$pkgdir"/somedir<br />
<br />
This will prevent issues with spaces/special characters in the future. <br />
<br />
If you like syntax highlighting we suggest you install vim. We have set up vim to recognize the APKBUILD file as a bash script so it's easier to read. <br />
<br />
=== APKBUILD variables/functions ===<br />
<br />
==== source ====<br />
<br />
Source is not only the link from which abuild will fetch the source, it should also hold all files abuild needs to build the apk. This could mean the initd file, confd file, install file, patches or any other file needed. When you are finished adding them you can execute the following command to add checksums to the APKBUILD file: <br />
<br />
abuild checksum<br />
<br />
Another thing to note: when a package is hosted on SourceForge, you should use the special mirror link provided by SourceForge: <br />
<br />
http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz <br />
<br />
(or similar depending on the package). <br />
<br />
Currently abuild support the following archives/extensions: <br />
<br />
*.tar.gz, *.tgz, *.tar.bz2, *.tar.lzma, *.zip<br />
<br />
==== depends &amp; makedepends ====<br />
<br />
Depends are the actual runtime dependencies which a package needs when you are using it. Makedepends are only needed when you are building a package. If you list a package in depends you do not need to add it to makedepends as well. The best way to find out what the depends and makedepends of a package are is to [http://en.wikipedia.org/wiki/Rtfm RTFM]. <br />
<br />
No kidding, lots of important information can be found in the package's INSTALL and README files (or the like). Another good way is to run ./configure --help from the source directory to see which options are needed for configure to finish without errors. If you do not yet have a src directory you can create one by doing: <br />
<br />
abuild unpack<br />
<br />
It will also show you how you can disable a specific option for this package. A good example is for instance "--disable-nls" which will disable native language support and thus does not depend on gettext(libiconv,glib..). <br />
<br />
Alpine likes to keep things small, so we try to disable as much as possible without losing too many features. The exact disable/enable options are decided by the package builder, but please try to follow Alpine's design concept as much as possible. <br />
<br />
An easy way of quickly finding out build info of a package is to check Archlinux (Alpine package management and build scripts are similar) or Gentoo linux ebuilds (previous versions of Alpine were based on Gentoo). <br />
<br />
[http://www.gentoo-portage.com Search ebuilds] <br />
<br />
[http://sources.gentoo.org/viewcvs.py/gentoo-x86/ Gentoo CVS] <br />
<br />
[http://www.archlinux.org/packages/search/ Archlinux packages] <br />
<br />
After the package is successfully compiled and created we should make sure it didn't link to any package which is not present in the $depends variable. We do this by using scanelf. If scanelf is not yet installed on your system you can get it by installing pax-utils. <br />
<br />
scanelf -nR pkg<br />
<br />
example output of libcurl would be: <br />
<br />
ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1<br />
<br />
You can see the needed files and should be able to find out which file belongs to which package. <br />
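<br />
The same check automated, as an added example that is not part of abuild or the original page: it reads ''scanelf -nR pkg'' output, collects the NEEDED sonames and reports those whose owning package is missing from $depends. The soname-to-package table and the function names are constructed for the illustration; on a real system that table comes from your package database.<br />

```shell
#!/bin/sh
# Added example: compare NEEDED sonames against the depends of an APKBUILD.

# needed_sonames: read scanelf -nR output on stdin ("TYPE libs path"),
# print every NEEDED soname once. Header and no-NEEDED lines are skipped.
needed_sonames() {
    awk 'NF >= 3 && $1 ~ /^ET_/ {
             n = split($2, libs, ",")
             for (i = 1; i <= n; i++) print libs[i]
         }' | sort -u
}

# missing_depends OWNERS DEPENDS
# OWNERS:  file with "soname package" per line (constructed in this example).
# DEPENDS: the space-separated value of $depends.
# Reads scanelf output on stdin and prints one line per soname that is not
# covered by DEPENDS or whose owner is unknown. Prints nothing if all is well.
missing_depends() {
    owners=$1 deps=" $2 "
    needed_sonames | while IFS= read -r so; do
        owner=$(awk -v s="$so" '$1 == s { print $2; exit }' "$owners")
        if [ -z "$owner" ]; then
            echo "$so: owner unknown"
        else
            case $deps in
                *" $owner "*) ;;
                *) echo "$so: provided by $owner, not in depends" ;;
            esac
        fi
    done
}

# sample_scanelf_output: the libcurl line from the text above plus a
# constructed header and a constructed second binary.
sample_scanelf_output() {
    cat <<'EOF'
 TYPE   NEEDED FILE
ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1
ET_EXEC libz.so.1,libc.so.0 pkg/usr/bin/example-tool
EOF
}

# write_sample_owners FILE: constructed soname -> package table.
write_sample_owners() {
    cat > "$1" <<'EOF'
libssl.so.0.9.8 openssl
libcrypto.so.0.9.8 openssl
libz.so.1 zlib
libc.so.0 uclibc
ld-uClibc.so.0 uclibc
EOF
}
```

With depends set to "openssl uclibc" the sample reports libz.so.1 as provided by zlib and not listed; adding zlib to depends makes the output empty.<br />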
<br />
==== license ====<br />
<br />
If a package has a special/custom license we need to provide it with the release. Because we want to save space and don't like to have licenses all over our system we have decided to include the license into the doc subpackage. Please follow the following guideline to add a proper license. Locate the license file inside the source package. Add to $subpackages variable the following: <br />
<br />
subpackages="$pkgname-doc"<br />
<br />
And add a similar line to your build() function depending on the license: <br />
<br />
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING<br />
<br />
If you follow these steps then abuild will automatically add the license to the package-doc apk for you. <br />
<br />
==== url ====<br />
<br />
Website address for the program. This is useful later on when looking for documentation or other information about the package.<br />
<br />
==== pkgdesc ====<br />
<br />
A brief, one-line description of what the package does. Useful for the package management system. <br />
<br />
Example from apk_info: <br />
<br />
openssh-client-5.1_p1-r1 - Port of OpenBSD's free SSH release - client<br />
<br />
==== pkgver ====<br />
<br />
editme <br />
<br />
==== pkgrel ====<br />
<br />
The $pkgrel versioning exists so that if you change something in your APKBUILD file without changing the actual $pkgver, you can raise pkgrel so apk-tools will detect it as an update. For instance, if you forgot to add a dependency you can add it afterwards and increase pkgrel by 1 so apk finds this update and adds the missing dependency. <br />
<br />
==== pkgname ====<br />
<br />
editme <br />
<br />
==== install ====<br />
<br />
The install file is a script which will be executed by apk-tools when you install, deinstall or update a package. An example of using it is when you need to add a user/group to the system. The install file will only be run on the actual install, so it will only add the user and group to the target system and not to the build system when we are building the package. Another good example is displaying a message to the user when installing a package. <br />
<br />
Please remember, commands specified in the build() function in APKBUILD will be run on both build system and target system. <br />
<br />
Please check the sample install file for syntax. <br />
<br />
==== subpackages ====<br />
<br />
$subpackages are made to split up the normal "make install" into separate packages. The most common subpackages we use are doc and dev. Because we like to keep our target system small we move documentation and development files (only needed when building packages) into separate packages. To use the program itself a user only needs to install the base apk without package-doc or package-dev, but to read the manual they will need to install package-doc. <br />
<br />
The easiest way to find out if you need to use -dev and -doc is to first build the package without these options set and wait until the build finishes. When it's finished you should have a pkg directory, which is the fake root directory. Inside this directory you will see the structure as it would be installed in / on the target system. <br />
<br />
To see if you need the -dev package you can run the following cmd: <br />
<br />
find pkg/usr/ -name '*.[acho]' -o -name '*.la'<br />
<br />
If this returns any files you need to include the -dev package. <br />
<br />
To see if you need the -doc package you can run the following cmd: <br />
<br />
find pkg/usr/share -name doc -o -name man -o -name info -o -name html -o -name sgml -o -name licenses<br />
<br />
If this returns any directories you need to include the -doc package. <br />
<br />
===== Custom subpackages =====<br />
<br />
Besides doc and dev files, some applications have other files that are not needed at run time and which we want to separate from the base package. Some packages include large test suites which are only needed in specific circumstances, or binaries with dependencies which we prefer not to install. To handle those we create our own package/function. In the APKBUILD, below the build() function, we create another function: <br />
<br />
test() {<br />
mkdir -p "$subpkgdir"/usr<br />
mv "$pkgdir"/usr/package-test "$subpkgdir"/usr/<br />
}<br />
<br />
<br />
We also need to add the package info to $subpackages variable: <br />
<br />
subpackages="$pkgname-doc $pkgname-dev $pkgname-test"<br />
<br />
After we finish building the package you should see another apk called packagename-test.apk which includes the files which we moved to the $subpkgdir dir. <br />
<br />
The above mentioned variables can also be used in our custom function. If we want for instance to build the test() function with perl support we would add: <br />
<br />
depends="perl"<br />
makedepends="perl-dev"<br />
<br />
If we would install the base package it would not install perl, but if we install the package-test package it would.<br />
<br />
==== Patches ====<br />
<br />
Please make sure you always submit human readable patches. Ways to create them are: <br />
<br />
directory compare: <br />
<br />
diff -urp original_directory new_directory &gt; filename.patch<br />
<br />
file compare: <br />
<br />
diff -up original.file new.file &gt; filename.patch<br />
<br />
If you are going to use multiple patches for a single package, the preferred way to handle those is a loop and numbering the patches. <br />
<br />
 for i in "$srcdir"/*.patch; do<br />
     msg "Applying ${i}"<br />
     patch -p0 -i "$i" || return 1<br />
 done<br />
<br />
Because multiple patches can patch the same file, an earlier patch can create an offset for the next one. To make sure we always apply the patches in a defined order we should number the patches as follows: <br />
<br />
10-patch1.patch 20-patch2.patch 30-patch3.patch<br />
<br />
This way we are always sure patch 1 is first and if we want to add additional patches between them we can use 11,12,21,22... <br />
<br />
==== Configure options ====<br />
<br />
Alpine sets some configure options by default. We use /usr as prefix to make sure everything is installed with /usr in front of it. If you notice that anything is installed in the wrong directory please run ./configure --help and see if you can set the correct location. <br />
<br />
We are not covering the dependency switches here; we have already discussed them in the depends section. <br />
<br />
==== Make options ====<br />
<br />
If you notice weird problems when compiling or installing the package with make/make install you could try to disable [http://www.gnu.org/software/make/manual/make.html#Parallel parallel] building/installing. A normal make line would be: <br />
<br />
make || return 1<br />
<br />
To disable parallel we use: <br />
<br />
make -j1 || return 1<br />
<br />
We can use the same for make install. <br />
<br />
Because we do not want to install the package in our build environment but in a fake root directory, we need to tell 'make install' to use another destination directory instead of '/'. We do this by setting a variable when we execute make install, as follows: <br />
<br />
make DESTDIR="$pkgdir" install<br />
<br />
Please note that some Makefiles do not support this variable and will always install software in '/'. To make sure you do not mess up your build system NEVER run your build as root, but always use a custom user and sudo when needed. If the Makefile turns out not to support the DESTDIR variable, the install into the system directories of our build system will then simply fail.<br />
<br />
==== Additional files ====<br />
<br />
If you want/need to install additional files not mentioned above you can use the following cmd (this is an example of a conf file): <br />
<br />
install -Dm644 doc/$pkgname.conf "$pkgdir"/etc/$pkgname.conf<br />
<br />
== Build the package ==<br />
<br />
If you did not already create the checksums as mentioned above you can do so now: <br />
<br />
cd $pkgname<br />
abuild checksum<br />
<br />
It's about time we build our package. A build system should never have all packages installed, to prevent linking against packages we don't want to link against, so we run abuild recursively with the -r switch. It will install all dependencies from your repository and build the package; afterwards it will uninstall all those dependency packages again. You could also use the -R switch, which would build your package including the dependency packages. <br />
<br />
abuild -r<br />
<br />
== Commit your work ==<br />
<br />
After you successfully build your package you can submit your APKBUILD to alpine git repository. <br />
<br />
Update your git repo before adding new files: <br />
<br />
cd $aportsdir<br />
git pull<br />
<br />
This should pull all the changes made by others into your local git repo. When you think you are ready you can add your files to git: <br />
<br />
cd $apkbuilddir<br />
git add APKBUILD (include any other files needed for the build; $pkgname.install...)<br />
git commit<br />
<br />
Now your changes are only available locally in your repo. Because you do not have push rights to the alpine repo you need to create a diff (patch) of the changes you made: <br />
<br />
git format-patch -1<br />
<br />
Where -1 sets how many commits you want to go back (mostly this is 1). This should create a patch called 0001......patch. <br />
<br />
An easy way to send this patch to the list is with a program called 'email'. <br />
<br />
apk_add email<br />
<br />
to send to the mailing list you would do: <br />
<br />
email -a 0001...patch alpine-devel@lists.alpinelinux.org<br />
<br />
And provide a subject and body after you execute the above cmd. <br />
<br />
<br> If you doubt to which repo your package belongs to you can safely use extra. If you are not sure your package works at all you need to use testing.</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Creating_an_Alpine_package&diff=2667Creating an Alpine package2009-02-23T19:23:34Z<p>Ms13sp: </p>
<hr />
<div>DRAFT <br />
<br />
This document assumes that you have a working [[Setting up the build environment 1.9|build environment]], or use a diskbased alpine installation. <br />
<br />
=== The APKBUILDs ===<br />
<br />
The ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild abuild]'' script reads the ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild//tree/APKBUILD.proto APKBUILD]'' and executes the steps needed to create a package. <br />
<br />
=== The aports tree ===<br />
<br />
The [http://dev.alpinelinux.org/cgit/cgit.cgi/aports aports] tree is a [http://dev.alpinelinux.org/cgit/cgit.cgi/aports/tree directory tree] with many APKBUILDs. Those files are used when building alpine from source. <br />
<br />
== Installing and configuring the alpine-sdk ==<br />
<br />
The alpine-sdk is a metapackage that pulls in the most essential packages used to build new packages. To install those packages: <br />
<br />
'''NOTE''': if you used the [[Setting up the build environment 1.9|build environment]] howto, you already have alpine-sdk installed. <br />
<br />
apk add alpine-sdk<br />
<br />
The aports tree is in git so before we can clone the aports tree we need to install and configure git. We need to tell git our name and email. <br />
<br />
git config --global user.name "Your Full Name"<br />
git config --global user.email "your@email.address"<br />
<br />
Now we can clone the aports tree. <br />
<br />
git clone git://dev.alpinelinux.org/aports<br />
<br />
Before we create APKBUILD files we need to set up abuild for our system/user. Please edit the file abuild.conf to your liking. <br />
<br />
vim /etc/abuild.conf<br />
<br />
== Creating an APKBUILD file ==<br />
<br />
=== General info ===<br />
<br />
APKBUILD files are read by the abuild program mentioned above. To see what abuild can and cannot do, you can execute: <br />
<br />
abuild -h<br />
<br />
To create the actual APKBUILD file, abuild has the option -n (new). It will simply copy an example APKBUILD file to the given directory and fill in some variables. If you are creating a daemon package which needs initd scripts you can add the -c option, making it: <br />
<br />
abuild -c -n ''packagename''<br />
<br />
'''NOTE''': The ''packagename'' is a parameter to the -n option, so the order of -c and -n matters. <br />
<br />
<br> This will copy the sample initd and confd files to the build directory. A third file, sample.install, will be copied as well (we will discuss this later on). <br />
<br />
Edit APKBUILD and fill in the needed info (especially pkgname, pkgver, pkgdesc, url, license, depends and source). <br />
<br />
If you are going to use any of the directory variables like $pkgdir, always make sure they are double quoted, like: <br />
<br />
"$pkgdir"/somedir<br />
<br />
This will prevent issues with spaces/special characters in the future. <br />
<br />
If you like syntax highlighting we suggest you install vim. We have set up vim to recognize the APKBUILD file as a bash script, so it is easier to read. <br />
<br />
=== APKBUILD variables/functions ===<br />
<br />
==== source ====<br />
<br />
Source is not only the link from which abuild will fetch the source; it should also hold all files abuild needs to build the apk. This could mean an initd file, confd file, install file, patches or any other file needed. When you are finished adding them you can execute the following command to add checksums to the APKBUILD file: <br />
<br />
abuild checksum<br />
<br />
Another thing to note: when a package is hosted on SourceForge, you should use the special mirror link used by SourceForge: <br />
<br />
http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz <br />
<br />
(or similar depending on the package). <br />
<br />
Currently abuild supports the following archives/extensions: <br />
<br />
*.tar.gz, *.tgz, *.tar.bz2, *.tar.lzma, *.zip<br />
<br />
==== depends &amp; makedepends ====<br />
<br />
Depends are the actual run-time dependencies which a package needs when you are using it. Makedepends are only needed when you are building a package. If you set a package in depends you do not need to add it to makedepends anymore. The best way to find out what the depends and makedepends of a package are is to [http://en.wikipedia.org/wiki/Rtfm RTFM]. <br />
<br />
No kidding, lots of important information can be found in the package's INSTALL and README files (or the like). Another good way is to run ./configure --help from the source directory to see which options are needed for configure to finish without errors. If you do not yet have a src directory you can create one by doing: <br />
<br />
abuild unpack<br />
<br />
The ./configure --help output will also show you how to disable a specific option for this package. A good example is "--disable-nls", which disables native language support, so the package does not depend on gettext (libiconv, glib..). <br />
<br />
Alpine likes to keep things small, so we try to disable as much as possible without losing too many features. The exact disable/enable options are decided by the package builder, but please try to follow Alpine's design concept as much as possible. <br />
<br />
An easy way of quickly finding out build info of a package is to check Archlinux (Alpine package management and build scripts are similar) or Gentoo linux ebuilds (previous versions of Alpine were based on Gentoo). <br />
<br />
[http://www.gentoo-portage.com Search ebuilds] <br />
<br />
[http://sources.gentoo.org/viewcvs.py/gentoo-x86/ Gentoo CVS] <br />
<br />
[http://www.archlinux.org/packages/search/ Archlinux packages] <br />
<br />
After the package is successfully compiled and created we should make sure it didn't link to any package which is not present in the $depends variable. We do this by using scanelf. If scanelf is not yet installed on your system you can get it by installing pax-utils. <br />
<br />
scanelf -nR pkg<br />
<br />
Example output for libcurl would be: <br />
<br />
ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1<br />
<br />
You can see the needed files and should be able to find out which file belongs to which package. <br />
<br />
==== license ====<br />
<br />
If a package has a special/custom license we need to provide it with the release. Because we want to save space and don't like to have licenses all over our system, we have decided to include the license in the doc subpackage. Please use the following guideline to add a proper license: locate the license file inside the source package, then add the following to the $subpackages variable: <br />
<br />
subpackages="$pkgname-doc"<br />
<br />
And add a similar line to your build() function depending on the license: <br />
<br />
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING<br />
<br />
If you follow these steps then abuild will automatically add the license to the package-doc apk for you. <br />
<br />
==== url ====<br />
<br />
Website address for the program. This is useful later on when looking for documentation or other information about the package.<br />
<br />
==== pkgdesc ====<br />
<br />
editme <br />
<br />
==== pkgver ====<br />
<br />
A brief, one-line description of what the package does. Useful for the package management system. <br />
<br />
Example from apk_info: <br />
<br />
 openssh-client-5.1_p1-r1 - Port of OpenBSD's free SSH release - client<br />
<br />
==== pkgrel ====<br />
<br />
The $pkgrel versioning exists so that if you change something in your APKBUILD file without changing the actual $pkgver, you can raise pkgrel so apk tools will detect it as an update. For instance, if you forgot to add a dependency you can add it afterward and raise pkgrel by 1 so apk finds this update and adds the missing dependency. <br />
<br />
==== pkgname ====<br />
<br />
editme <br />
<br />
==== install ====<br />
<br />
The install file is a script which will be executed by apk-tools when you install, deinstall or update a package. An example of using it is when you need to add a user/group to the system. The install file will only be run on the actual install, so it will only add the user and group to the target system and not to the build system when we are building the package. Another good example is displaying a message to the user when installing a package. <br />
<br />
Please remember, commands specified in the build() function in APKBUILD will be run on both build system and target system. <br />
<br />
Please check the sample install file for syntax. <br />
<br />
==== subpackages ====<br />
<br />
$subpackages are made to split up the normal "make install" into separate packages. The most common subpackages we use are doc and dev. Because we like to keep our target system small we move documentation and development files (only needed when building packages) into separate packages. To use the specific program a user only needs to install the base apk without package-doc or package-dev, but if he wants to read the manual he will need to install package-doc. <br />
<br />
The easiest way to find out if you need to use -dev and -doc is to first build the package without these options set and wait until the build finishes. When it's finished you should have a pkg directory, which is the fake root directory. Inside this directory you will see the structure as it would be installed in / on the target system. <br />
<br />
To see if you need the -dev package you can run the following cmd: <br />
<br />
find pkg/usr/ -name '*.[acho]' -o -name '*.la'<br />
<br />
If this returns any files you need to include the -dev package. <br />
<br />
<br> To see if you need the -doc package you can run the following cmd: <br />
<br />
find pkg/usr/share -name doc -o -name man -o -name info -o -name html -o -name sgml -o -name licenses<br />
<br />
If this returns any directories you need to include the -doc package. <br />
<br />
===== Custom subpackages =====<br />
<br />
Besides doc and dev files, some applications have other files that are not needed at run time and which we want to separate from the base package. Some packages include large test suites which are only needed in specific circumstances, or binaries which have depends that we prefer not to install. To handle those we create our own package/function. In the APKBUILD, below the build() function, we create another function: <br />
<br />
test() {<br />
mkdir -p "$subpkgdir"/usr<br />
mv "$pkgdir"/usr/package-test "$subpkgdir"/usr/<br />
}<br />
<br />
<br />
We also need to add the package info to $subpackages variable: <br />
<br />
subpackages="$pkgname-doc $pkgname-dev $pkgname-test"<br />
<br />
After we finish building the package you should see another apk called packagename-test.apk which includes the files which we moved to the $subpkgdir dir. <br />
<br />
The above mentioned variables can also be used in our custom function. If we want for instance to build the test() function with perl support we would add: <br />
<br />
depends="perl"<br />
makedepends="perl-dev"<br />
<br />
If we would install the base package it would not install perl, but if we install the package-test package it would.<br />
<br />
==== Patches ====<br />
<br />
Please make sure you always submit human-readable patches. Ways to create them are: <br />
<br />
directory compare: <br />
<br />
diff -urp original_directory new_directory &gt; filename.patch<br />
<br />
file compare: <br />
<br />
diff -up original.file new.file &gt; filename.patch<br />
<br />
If you are going to use multiple patches for a single package, the preferred way to handle those is a loop and numbering the patches. <br />
<br />
for i in "$srcdir"/*.patch; do<br />
msg "Applying ${i}"<br />
 patch -p0 -i "$i" || return 1<br />
done<br />
<br />
Because multiple patches can patch the same file, one patch can create an offset for the next. To make sure the patches are always applied in a defined order, number them as follows: <br />
<br />
10-patch1.patch 20-patch2.patch 30-patch3.patch<br />
<br />
This way we are always sure patch 1 is first and if we want to add additional patches between them we can use 11,12,21,22... <br />
<br />
==== Configure options ====<br />
<br />
Alpine sets some configure options by default. We use /usr for prefix to make sure everything is installed with /usr in front of it. If you notice that anything is installed in the wrong directory, please run ./configure --help and see if you can set the correct location. <br />
<br />
We are not covering the depend switches here; we have discussed them already in the depends section. <br />
<br />
==== Make options ====<br />
<br />
If you notice weird problems when compiling or installing the package with make/make install you could try to disable [http://www.gnu.org/software/make/manual/make.html#Parallel parallel] building/installing. A normal make line would be: <br />
<br />
make || return 1<br />
<br />
To disable parallel we use: <br />
<br />
make -j1 || return 1<br />
<br />
We can use the same for make install. <br />
<br />
Because we do not want to install the package in our build environment but in a fake root directory, we need to tell 'make install' to use another destination directory instead of '/'. We do this by setting a variable when we execute make install, as follows: <br />
<br />
make DESTDIR="$pkgdir" install<br />
<br />
Please note that some Makefiles do not support this variable and will always install software in '/'. To make sure you do not mess up your build system, NEVER run your build as root; always use a custom user and sudo when needed. If the Makefile turns out not to support the DESTDIR variable, the install into the build system's own directories will then fail.<br />
<br />
==== Additional files ====<br />
<br />
If you want/need to install additional files not mentioned above you can use the following cmd (this is an example of a conf file): <br />
<br />
install -Dm644 doc/$pkgname.conf "$pkgdir"/etc/$pkgname.conf<br />
<br />
== Build the package ==<br />
<br />
If you did not already create the checksums as mentioned above you can do so now: <br />
<br />
cd $pkgname<br />
abuild checksum<br />
<br />
It's about time we build our package. Because a build system should never have all packages installed (to prevent linking to packages we don't want it to link to), we use abuild recursively with the -r switch. It will install all dependencies from your repository and build the package; afterwards it will uninstall all those dependency packages again. You could also use the -R switch, which would build your package including the dependency packages. <br />
<br />
abuild -r<br />
<br />
== Commit your work ==<br />
<br />
After you successfully build your package you can submit your APKBUILD to the Alpine git repository. <br />
<br />
Update your git repo before adding new files: <br />
<br />
cd $aportsdir<br />
git pull<br />
<br />
This should pull all the changes made by others into your local git repo. When you think you are ready you can add your files to git: <br />
<br />
cd $apkbuilddir<br />
git add APKBUILD<br />
git commit<br />
<br />
Now your changes are only available locally in your repo. Because you do not have push rights to the Alpine repo you need to create a diff (patch) of the changes you made: <br />
<br />
git format-patch -1<br />
<br />
Where -1 sets how many commits you want to go back (mostly this is 1). This should create a patch called 0001......patch. <br />
<br />
An easy way to send this patch to the list is with a program called 'email'. <br />
<br />
apk_add email<br />
<br />
To send to the mailing list you would do: <br />
<br />
email -a 0001...patch alpine-devel@lists.alpinelinux.org<br />
<br />
And provide a subject and body after you execute the above cmd. <br />
<br />
<br> If you are in doubt about which repo your package belongs to, you can safely use extra. If you are not sure your package works at all, you need to use testing.</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Creating_an_Alpine_package&diff=2666Creating an Alpine package2009-02-23T19:19:46Z<p>Ms13sp: </p>
<hr />
<div>DRAFT <br />
<br />
This document assumes that you have a working [[Setting up the build environment 1.9|build environment]], or use a diskbased alpine installation. <br />
<br />
=== The APKBUILDs ===<br />
<br />
The ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild abuild]'' script reads the ''[http://dev.alpinelinux.org/cgit/cgit.cgi/abuild//tree/APKBUILD.proto APKBUILD]'' and executes the steps needed to create a package. <br />
<br />
=== The aports tree ===<br />
<br />
The [http://dev.alpinelinux.org/cgit/cgit.cgi/aports aports] tree is a [http://dev.alpinelinux.org/cgit/cgit.cgi/aports/tree directory tree] with many APKBUILDs. Those files are used when building alpine from source. <br />
<br />
== Installing and configuring the alpine-sdk ==<br />
<br />
The alpine-sdk is a metapackage that pulls in the most essential packages used to build new packages. To install those packages: <br />
<br />
'''NOTE''': if you used the [[Setting up the build environment 1.9|build environment]] howto, you already have alpine-sdk installed. <br />
<br />
apk add alpine-sdk<br />
<br />
The aports tree is in git so before we can clone the aports tree we need to install and configure git. We need to tell git our name and email. <br />
<br />
git config --global user.name "Your Full Name"<br />
git config --global user.email "your@email.address"<br />
<br />
Now we can clone the aports tree. <br />
<br />
git clone git://dev.alpinelinux.org/aports<br />
<br />
Before we create APKBUILD files we need to set up abuild for our system/user. Please edit the file abuild.conf to your liking. <br />
<br />
vim /etc/abuild.conf<br />
<br />
== Creating an APKBUILD file ==<br />
<br />
=== General info ===<br />
<br />
APKBUILD files are read by the abuild program mentioned above. To see what abuild can and cannot do, you can execute: <br />
<br />
abuild -h<br />
<br />
To create the actual APKBUILD file, abuild has the option -n (new). It will simply copy an example APKBUILD file to the given directory and fill in some variables. If you are creating a daemon package which needs initd scripts you can add the -c option, making it: <br />
<br />
abuild -c -n ''packagename''<br />
<br />
'''NOTE''': The ''packagename'' is a parameter to the -n option, so the order of -c and -n matters. <br />
<br />
<br> This will copy the sample initd and confd files to the build directory. A third file, sample.install, will be copied as well (we will discuss this later on). <br />
<br />
Edit APKBUILD and fill in the needed info (especially pkgname, pkgver, pkgdesc, url, license, depends and source). <br />
<br />
If you are going to use any of the directory variables like $pkgdir, always make sure they are double quoted, like: <br />
<br />
"$pkgdir"/somedir<br />
<br />
This will prevent issues with spaces/special characters in the future. <br />
<br />
If you like syntax highlighting we suggest you install vim. We have set up vim to recognize the APKBUILD file as a bash script, so it is easier to read. <br />
<br />
=== APKBUILD variables/functions ===<br />
<br />
==== source ====<br />
<br />
Source is not only the link from which abuild will fetch the source; it should also hold all files abuild needs to build the apk. This could mean an initd file, confd file, install file, patches or any other file needed. When you are finished adding them you can execute the following command to add checksums to the APKBUILD file: <br />
<br />
abuild checksum<br />
<br />
Another thing to note: when a package is hosted on SourceForge, you should use the special mirror link used by SourceForge: <br />
<br />
http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz <br />
<br />
(or similar depending on the package). <br />
<br />
Currently abuild supports the following archives/extensions: <br />
<br />
*.tar.gz, *.tgz, *.tar.bz2, *.tar.lzma, *.zip<br />
<br />
==== depends &amp; makedepends ====<br />
<br />
Depends are the actual run-time dependencies which a package needs when you are using it. Makedepends are only needed when you are building a package. If you set a package in depends you do not need to add it to makedepends anymore. The best way to find out what the depends and makedepends of a package are is to [http://en.wikipedia.org/wiki/Rtfm RTFM]. <br />
<br />
No kidding, lots of important information can be found in the package's INSTALL and README files (or the like). Another good way is to run ./configure --help from the source directory to see which options are needed for configure to finish without errors. If you do not yet have a src directory you can create one by doing: <br />
<br />
abuild unpack<br />
<br />
The ./configure --help output will also show you how to disable a specific option for this package. A good example is "--disable-nls", which disables native language support, so the package does not depend on gettext (libiconv, glib..). <br />
<br />
Alpine likes to keep things small, so we try to disable as much as possible without losing too many features. The exact disable/enable options are decided by the package builder, but please try to follow Alpine's design concept as much as possible. <br />
<br />
An easy way of quickly finding out build info of a package is to check Archlinux (Alpine package management and build scripts are similar) or Gentoo linux ebuilds (previous versions of Alpine were based on Gentoo). <br />
<br />
[http://www.gentoo-portage.com Search ebuilds] <br />
<br />
[http://sources.gentoo.org/viewcvs.py/gentoo-x86/ Gentoo CVS] <br />
<br />
[http://www.archlinux.org/packages/search/ Archlinux packages] <br />
<br />
After the package is successfully compiled and created we should make sure it didn't link to any package which is not present in the $depends variable. We do this by using scanelf. If scanelf is not yet installed on your system you can get it by installing pax-utils. <br />
<br />
scanelf -nR pkg<br />
<br />
Example output for libcurl would be: <br />
<br />
ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1<br />
<br />
You can see the needed files and should be able to find out which file belongs to which package. <br />
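<br />
An added example (not part of the original page or of abuild): a small filter that turns the scanelf output shown above into a unique list of NEEDED sonames and reports the ones that are not on a list you expect. The function names, the sample lines and the expected list are assumptions made for this illustration. <br />

```shell
#!/bin/sh
# Added example: summarise `scanelf -nR pkg` output and flag sonames that
# are not on the packager's expected list (hypothetical helper names).

# Constructed sample in the format shown above; not captured from a real build.
sample_scanelf_output() {
cat <<'EOF'
 TYPE   NEEDED FILE
ET_DYN libssl.so.0.9.8,libcrypto.so.0.9.8,libz.so.1,libc.so.0,ld-uClibc.so.0 pkg/usr/lib/libcurl.so.4.1.1
ET_EXEC libcurl.so.4,libc.so.0,ld-uClibc.so.0 pkg/usr/bin/curl
ET_DYN  pkg/usr/lib/libnodeps.so.1
EOF
}

# needed_sonames: read scanelf -n output on stdin and print every NEEDED
# soname once. Lines are "TYPE NEEDED FILE"; the header and objects with an
# empty NEEDED field (only two columns) are skipped.
needed_sonames() {
    awk '$1 ~ /^ET_/ && NF >= 3 {
             n = split($2, libs, ",")
             for (i = 1; i <= n; i++)
                 if (libs[i] != "") print libs[i]
         }' | LC_ALL=C sort -u
}

# unexpected_sonames SONAME...: read scanelf -n output on stdin and print the
# NEEDED sonames that are not among the arguments. Anything printed here
# points at a library whose package is missing from $depends.
unexpected_sonames() {
    needed_sonames | while IFS= read -r lib; do
        found=0
        for ok in "$@"; do
            if [ "$lib" = "$ok" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$lib"
        fi
    done
}

# Demo on the constructed sample: the expected list covers libc, zlib and
# the library the package ships itself, so the two OpenSSL sonames are
# reported.
sample_scanelf_output | unexpected_sonames \
    libc.so.0 ld-uClibc.so.0 libz.so.1 libcurl.so.4
```

On a real build, pipe <code>scanelf -nR pkg</code> into <code>unexpected_sonames</code> instead of the sample; sonames that the package provides itself belong on the expected list. <br />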
<br />
==== license ====<br />
<br />
If a package has a special/custom license we need to provide it with the release. Because we want to save space and don't like to have licenses all over our system, we have decided to include the license in the doc subpackage. Please use the following guideline to add a proper license: locate the license file inside the source package, then add the following to the $subpackages variable: <br />
<br />
subpackages="$pkgname-doc"<br />
<br />
And add a similar line to your build() function depending on the license: <br />
<br />
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING<br />
<br />
If you follow these steps then abuild will automatically add the license to the package-doc apk for you. <br />
<br />
==== url ====<br />
<br />
Website address for the program. This is useful later on when looking for documentation or other information about the package.<br />
<br />
==== pkgdesc ====<br />
<br />
editme <br />
<br />
==== pkgver ====<br />
<br />
editme <br />
<br />
==== pkgrel ====<br />
<br />
The $pkgrel versioning exists so that if you change something in your APKBUILD file without changing the actual $pkgver, you can raise pkgrel so apk tools will detect it as an update. For instance, if you forgot to add a dependency you can add it afterward and raise pkgrel by 1 so apk finds this update and adds the missing dependency. <br />
<br />
==== pkgname ====<br />
<br />
editme <br />
<br />
==== install ====<br />
<br />
The install file is a script which will be executed by apk-tools when you install, deinstall or update a package. An example of using it is when you need to add a user/group to the system. The install file will only be run on the actual install, so it will only add the user and group to the target system and not to the build system when we are building the package. Another good example is displaying a message to the user when installing a package. <br />
<br />
Please remember, commands specified in the build() function in APKBUILD will be run on both build system and target system. <br />
<br />
Please check the sample install file for syntax. <br />
<br />
==== subpackages ====<br />
<br />
$subpackages are made to split up the normal "make install" into separate packages. The most common subpackages we use are doc and dev. Because we like to keep our target system small we move documentation and development files (only needed when building packages) into separate packages. To use the specific program a user only needs to install the base apk without package-doc or package-dev, but if he wants to read the manual he will need to install package-doc. <br />
<br />
The easiest way to find out if you need to use -dev and -doc is to first build the package without these options set and wait until the build finishes. When it's finished you should have a pkg directory, which is the fake root directory. Inside this directory you will see the structure as it would be installed in / on the target system. <br />
<br />
To see if you need the -dev package you can run the following cmd: <br />
<br />
find pkg/usr/ -name '*.[acho]' -o -name '*.la'<br />
<br />
If this returns any files you need to include the -dev package. <br />
<br />
<br> To see if you need the -doc package you can run the following cmd: <br />
<br />
find pkg/usr/share -name doc -o -name man -o -name info -o -name html -o -name sgml -o -name licenses<br />
<br />
If this returns any directories you need to include the -doc package. <br />
<br />
===== Custom subpackages =====<br />
<br />
Besides doc and dev files, some applications have other files that are not needed at run time and which we want to separate from the base package. Some packages include large test suites which are only needed in specific circumstances, or binaries which have depends that we prefer not to install. To handle those we create our own package/function. In the APKBUILD, below the build() function, we create another function: <br />
<br />
test() {<br />
mkdir -p "$subpkgdir"/usr<br />
mv "$pkgdir"/usr/package-test "$subpkgdir"/usr/<br />
}<br />
<br />
<br />
We also need to add the package info to $subpackages variable: <br />
<br />
subpackages="$pkgname-doc $pkgname-dev $pkgname-test"<br />
<br />
After we finish building the package you should see another apk called packagename-test.apk which includes the files which we moved to the $subpkgdir dir. <br />
<br />
The above mentioned variables can also be used in our custom function. If we want for instance to build the test() function with perl support we would add: <br />
<br />
depends="perl"<br />
makedepends="perl-dev"<br />
<br />
If we would install the base package it would not install perl, but if we install the package-test package it would.<br />
<br />
==== Patches ====<br />
<br />
Please make sure you always submit human-readable patches. Ways to create them are: <br />
<br />
directory compare: <br />
<br />
diff -urp original_directory new_directory &gt; filename.patch<br />
<br />
file compare: <br />
<br />
diff -up original.file new.file &gt; filename.patch<br />
<br />
If you are going to use multiple patches for a single package, the preferred way to handle those is a loop and numbering the patches. <br />
<br />
for i in "$srcdir"/*.patch; do<br />
msg "Applying ${i}"<br />
 patch -p0 -i "$i" || return 1<br />
done<br />
<br />
Because multiple patches can patch the same file, one patch can create an offset for the next. To make sure the patches are always applied in a defined order, number them as follows: <br />
<br />
10-patch1.patch 20-patch2.patch 30-patch3.patch<br />
<br />
This way we are always sure patch 1 is first and if we want to add additional patches between them we can use 11,12,21,22... <br />
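<br />
An added example (not from the original page or from abuild): the patch loop above with two cases it does not handle, a source directory without any patch (the unmatched glob is then passed to patch literally) and a patch whose name lacks the two-digit prefix and would sort out of order. The names <code>patch_order</code> and <code>apply_patches</code> are hypothetical, and the <code>msg</code> fallback only stands in for abuild's own helper when the code is run outside abuild. <br />

```shell
#!/bin/sh
# Added example: apply numbered patches in a defined order.

# Outside abuild there is no msg helper, so provide a stand-in.
command -v msg >/dev/null 2>&1 || msg() { echo ">>> $*"; }

# patch_order DIR: print the patch file names in DIR in the order the shell
# glob yields them (sorted, so 10-*.patch comes before 11-*.patch and
# 20-*.patch).
# Returns 1 if DIR contains no *.patch file: the glob then stays the literal
# string "DIR/*.patch", which does not exist.
# Returns 2 if a patch does not follow the NN-name.patch scheme, because
# "5-x.patch" or "100-x.patch" would not sort where the number suggests.
patch_order() {
    for _p in "$1"/*.patch; do
        [ -e "$_p" ] || return 1
        case ${_p##*/} in
            [0-9][0-9]-*.patch) ;;
            *) echo "patch without NN- prefix: $_p" >&2
               return 2 ;;
        esac
    done
    for _p in "$1"/*.patch; do
        printf '%s\n' "${_p##*/}"
    done
}

# apply_patches DIR: apply every patch from DIR to the current directory,
# stopping at the first failure. Paths are quoted, so a DIR containing
# spaces works.
apply_patches() {
    _rc=0
    patch_order "$1" >/dev/null || _rc=$?
    case $_rc in
        0) ;;
        1) return 0 ;;   # nothing to apply
        *) return 1 ;;   # badly named patch: refuse to guess the order
    esac
    for _p in "$1"/*.patch; do
        msg "Applying $_p"
        patch -p0 -i "$_p" || return 1
    done
}
```

Inside build() this would be called as <code>apply_patches "$srcdir" || return 1</code> from the unpacked source directory. <br />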
<br />
==== Configure options ====<br />
<br />
Alpine sets some configure options by default. We use /usr for prefix to make sure everything is installed with /usr in front of it. If you notice that anything is installed in the wrong directory, please run ./configure --help and see if you can set the correct location. <br />
<br />
We are not covering the depend switches here; we have discussed them already in the depends section. <br />
<br />
==== Make options ====<br />
<br />
If you notice weird problems when compiling or installing the package with make/make install you could try to disable [http://www.gnu.org/software/make/manual/make.html#Parallel parallel] building/installing. A normal make line would be: <br />
<br />
make || return 1<br />
<br />
To disable parallel we use: <br />
<br />
make -j1 || return 1<br />
<br />
We can use the same for make install. <br />
<br />
Because we do not want to install the package in our build environment but in a fake root directory, we need to tell 'make install' to use another destination directory instead of '/'. We do this by setting a variable when we execute make install, as follows: <br />
<br />
make DESTDIR="$pkgdir" install<br />
<br />
Please note that some Makefiles do not support this variable and will always install software in '/'. To make sure you do not mess up your build system, NEVER run your build as root; always use a custom user and sudo when needed. If the Makefile turns out not to support the DESTDIR variable, the install into the build system's own directories will then fail.<br />
<br />
==== Additional files ====<br />
<br />
If you want/need to install additional files not mentioned above you can use the following cmd (this is an example of a conf file): <br />
<br />
install -Dm644 doc/$pkgname.conf "$pkgdir"/etc/$pkgname.conf<br />
<br />
== Build the package ==<br />
<br />
If you did not already create the checksums as mentioned above you can do so now: <br />
<br />
cd $pkgname<br />
abuild checksum<br />
<br />
It's about time we build our package. Because a build system should never have all packages installed (to prevent linking to packages we don't want it to link to), we use abuild recursively with the -r switch. It will install all dependencies from your repository and build the package; afterwards it will uninstall all those dependency packages again. You could also use the -R switch, which would build your package including the dependency packages. <br />
<br />
abuild -r<br />
<br />
== Commit your work ==<br />
<br />
After you successfully build your package you can submit your APKBUILD to the Alpine git repository. <br />
<br />
Update your git repo before adding new files: <br />
<br />
cd $aportsdir<br />
git pull<br />
<br />
This should pull all the changes made by others into your local git repo. When you think you are ready you can add your files to git: <br />
<br />
cd $apkbuilddir<br />
git add APKBUILD<br />
git commit<br />
<br />
Now your changes are only available locally in your repo. Because you do not have push rights to the Alpine repo you need to create a diff (patch) of the changes you made: <br />
<br />
git format-patch -1<br />
<br />
Where -1 sets how many commits you want to go back (mostly this is 1). This should create a patch called 0001......patch. <br />
<br />
An easy way to send this patch to the list is with a program called 'email'. <br />
<br />
apk_add email<br />
<br />
To send to the mailing list you would do: <br />
<br />
email -a 0001...patch alpine-devel@lists.alpinelinux.org<br />
<br />
And provide a subject and body after you execute the above cmd. <br />
<br />
<br> If you are in doubt about which repo your package belongs to, you can safely use extra. If you are not sure your package works at all, you need to use testing.</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Setting_up_the_build_environment_in_a_chroot&diff=2664Setting up the build environment in a chroot2009-02-18T20:02:26Z<p>Ms13sp: Minor changes</p>
<hr />
<div>= Introduction =<br />
The Build Environment will be called [[#Create a build environment|BE]] from now on.<BR><br />
You will need a few gigabytes to have enough space for kernel compiling and storing all the binary packages and the ISO image.<br />
<br />
= Create a build environment =<br />
<br />
We are setting up our [[#Create_a_build_environment|BE]] in chroot.<br> <br />
<br />
'''Note:''' The variables below: <br />
<br />
*'''${build_dir}''' = You can name it whatever you like. <br />
*'''${mirror}''' = Should be replaced with one of the available alpine-mirrors:<br />
<br />
{{Mirrors}} <br />
<br />
<br> Let's start by getting the latest apk static binary: <br />
<br />
wget ${mirror}/apk.static<br />
chmod +x ./apk.static<br />
<br />
We are setting up a basic chroot: <br />
<br />
mkdir ${build_dir}<br />
./apk.static --repo ${mirror}/v1.9/packages/core --root $PWD/${build_dir} add --initdb build-base git abuild<br />
mkdir -p ./${build_dir}/proc<br />
mount --bind /proc ./${build_dir}/proc<br />
<br />
Let's set up our needed devices: <br />
<br />
mknod -m 666 ./${build_dir}/dev/full c 1 7<br />
 mknod -m 666 ./${build_dir}/dev/null c 1 3<br />
mknod -m 666 ./${build_dir}/dev/ptmx c 5 2<br />
mknod -m 644 ./${build_dir}/dev/random c 1 8<br />
mknod -m 644 ./${build_dir}/dev/urandom c 1 9<br />
mknod -m 666 ./${build_dir}/dev/zero c 1 5<br />
mknod -m 666 ./${build_dir}/dev/tty c 5 0<br />
<br />
We need our DNS servers and root dir: <br />
<br />
cp /etc/resolv.conf ./${build_dir}/etc/<br />
mkdir -p ./${build_dir}/root<br />
<br />
We are setting up apk mirrors: <br />
<br />
mkdir -p ./${build_dir}/etc/apk<br />
echo "${mirror}/v1.9/packages/core" > ./${build_dir}/etc/apk/repositories<br />
echo "${mirror}/v1.9/packages/extra" >> ./${build_dir}/etc/apk/repositories<br />
<br />
At this point you should be able to enter your chroot: <br />
<br />
chroot ./${build_dir} /bin/sh<br />
<br />
= Update an existing environment =</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Using_Alpine_on_Windows_domain_with_IPSEC_isolation&diff=2434Using Alpine on Windows domain with IPSEC isolation2008-10-16T14:43:03Z<p>Ms13sp: </p>
<hr />
<div>Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document].<br />
<br />
=== Things needed ===<br />
# IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.<br />
# Computer to run Alpine<br />
# a couple of nics - if you plan on making this the gateway to talk to the domain<br />
<br />
== Step by Step ==<br />
<br />
# Install alpine with the latest version. <br />
# Configure it: keep one interface for the masqueraded network and another on the domain network. Here 192.168.1.0/24 is the masqueraded network and 10.1.1.0/24 is the domain network.<br />
# #setup-alpine<br />
# Install the following packages: ipsec-tools-cvs, openssl, iptables<br />
# Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:<br />
Extract the CA<br />
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem <br />
Extract the Key part of your cert<br />
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem<br />
Extract the Pub cert file<br />
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem<br />
If your admin gives you a p7b file instead, it most likely contains the CA chain. Convert it to PEM format and use it as DOMAIN-ca.pem:<br />
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem<br />
# Put these certs in /etc/racoon/<br />
# This sets up Authentication Header (AH) policy for domain isolation. The policy file below covers only port 3389 on one machine. The format is:<br />
policy src_net/mask[port] dst_net/mask[port] protocol policy and implementation of policy<br />
<br />
The following applies AH only to rdesktop (terminal server) connections:<br />
<br />
* #vi /etc/ipsec.conf<br />
<br />
<pre><br />
<br />
spdflush;<br />
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;<br />
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;<br />
<br />
</pre><br />
<br />
* #vi /etc/racoon/racoon.conf<br />
<br />
<pre> <br />
path certificate "/etc/racoon/";<br />
<br />
remote anonymous {<br />
exchange_mode main;<br />
certificate_type x509 "MY-cert.pem" "MY-key.pem";<br />
ca_type x509 "DOMAIN-ca.pem";<br />
#nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.<br />
proposal {<br />
authentication_method rsasig;<br />
encryption_algorithm 3des;<br />
hash_algorithm sha1;<br />
dh_group 14 ; <br />
}<br />
<br />
}<br />
sainfo anonymous {<br />
encryption_algorithm 3des;<br />
authentication_algorithm hmac_sha1;<br />
compression_algorithm deflate;<br />
<br />
}<br />
<br />
</pre><br />
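
Two checks for the files built in the steps above, as an added example that is not part of the wiki page: it lists the level of each <code>spdadd</code> rule (per setkey(8), <code>use</code> lets matching traffic pass unprotected when no SA exists, while <code>require</code> does not) and reports certificate files named in racoon.conf that are missing from the certificate directory. The function names, the racoon.conf excerpt with underscore file names, and the empty placeholder files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint the two files this how-to creates.

# spd_levels FILE: print "direction src dst proto/mode level" for every spdadd rule.
spd_levels() {
    awk '$1 == "spdadd" {
        dir = ""; req = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-P") dir = $(i + 1)
            if ($i ~ "^(ah|esp|ipcomp)/") req = $i
        }
        sub(/;$/, "", req)
        split(req, part, "/")   # protocol/mode/src-dst/level; src-dst is empty in transport mode
        print dir, $2, $3, part[1] "/" part[2], part[4]
    }' "$1"
}

# count_fallback FILE: rules at level "use", where traffic still flows when no SA exists.
count_fallback() {
    spd_levels "$1" | awk '$5 == "use" { n++ } END { print n + 0 }'
}

# missing_cert_files CONF DIR: names given to certificate_type/ca_type that are not in DIR.
missing_cert_files() {
    awk '$1 == "certificate_type" || $1 == "ca_type" {
        for (i = 3; i <= NF; i++) { f = $i; gsub(/[";]/, "", f); if (f != "") print f }
    }' "$1" | while read -r f; do
        [ -e "$2/$f" ] || echo "$f"
    done
}

# Constructed sample: the page's policy rules, a racoon.conf excerpt using underscore
# names, and empty placeholder files named as the openssl extraction steps write them.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'spdflush;' \
        'spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;' \
        'spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;' > "$d/ipsec.conf"
    printf '%s\n' 'certificate_type x509 "MY_cert.pem" "MY_key.pem";' \
        'ca_type x509 "DOMAIN-ca.pem";' > "$d/racoon.conf"
    : > "$d/MY-cert.pem"; : > "$d/MY-key.pem"; : > "$d/DOMAIN-ca.pem"
    echo "$d"
}

sample=$(make_sample)
spd_levels "$sample/ipsec.conf"
echo "rules allowing cleartext fallback: $(count_fallback "$sample/ipsec.conf")"
echo "certificate files not found: $(missing_cert_files "$sample/racoon.conf" "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```

On a real system, point the functions at /etc/ipsec.conf and at /etc/racoon/racoon.conf with /etc/racoon as the directory.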
<br />
* /etc/init.d/racoon start<br />
* Get the masq working correctly<br />
* #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Using_Alpine_on_Windows_domain_with_IPSEC_isolation&diff=2432Using Alpine on Windows domain with IPSEC isolation2008-10-15T22:55:05Z<p>Ms13sp: </p>
<hr />
<div>Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document].<br />
<br />
=== Things needed ===<br />
# IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.<br />
# Computer to run Alpine<br />
# a couple of nics - if you plan on making this the gateway to talk to the domain<br />
<br />
== Step by Step ==<br />
<br />
# Install alpine with the latest version. <br />
# Configure it: keep one interface for the masqueraded network and another on the domain network. Here 192.168.1.0/24 is the masqueraded network and 10.1.1.0/24 is the domain network.<br />
# #setup-alpine<br />
# Install the following packages: ipsec-tools-cvs, openssl, iptables<br />
# Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:<br />
Extract the CA<br />
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem <br />
Extract the Key part of your cert<br />
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem<br />
Extract the Pub cert file<br />
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem<br />
If your admin gives you a p7b file instead, it most likely contains the CA chain. Convert it to PEM format and use it as DOMAIN-ca.pem:<br />
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem<br />
# Put these certs in /etc/racoon/<br />
# This sets up Authentication Header (AH) policy for domain isolation. The policy file below covers only port 3389 on one machine. The format is:<br />
policy src_net/mask[port] dst_net/mask[port] protocol policy and implementation of policy<br />
The following applies AH only to rdesktop (terminal server) connections:<br />
<br />
* #vi /etc/ipsec.conf<br />
<br />
<pre><br />
<br />
spdflush;<br />
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;<br />
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;<br />
<br />
</pre><br />
<br />
* #vi /etc/racoon/racoon.conf<br />
<br />
<pre> <br />
path certificate "/etc/racoon/";<br />
<br />
remote anonymous {<br />
exchange_mode main;<br />
certificate_type x509 "MY-cert.pem" "MY-key.pem";<br />
ca_type x509 "DOMAIN-ca.pem";<br />
#nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.<br />
proposal {<br />
authentication_method rsasig;<br />
encryption_algorithm 3des;<br />
hash_algorithm sha1;<br />
dh_group 14 ; <br />
}<br />
<br />
}<br />
sainfo anonymous {<br />
encryption_algorithm 3des;<br />
authentication_algorithm hmac_sha1;<br />
compression_algorithm deflate;<br />
<br />
}<br />
<br />
</pre><br />
<br />
* /etc/init.d/racoon start<br />
* Get the masq working correctly<br />
* #iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Using_Alpine_on_Windows_domain_with_IPSEC_isolation&diff=2431Using Alpine on Windows domain with IPSEC isolation2008-10-15T22:54:22Z<p>Ms13sp: </p>
<hr />
<div>Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document].<br />
<br />
=== Things needed ===<br />
# IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.<br />
# Computer to run Alpine<br />
# a couple of nics - if you plan on making this the gateway to talk to the domain<br />
<br />
== Step by Step ==<br />
<br />
# Install alpine with the latest version. <br />
# Configure it: keep one interface for the masqueraded network and another on the domain network. Here 192.168.1.0/24 is the masqueraded network and 10.1.1.0/24 is the domain network.<br />
# #setup-alpine<br />
# Install the following packages: ipsec-tools-cvs, openssl, iptables<br />
# Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:<br />
Extract the CA<br />
* #openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem <br />
Extract the Key part of your cert<br />
* #openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem<br />
Extract the Pub cert file<br />
* #openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem<br />
If your admin gives you a p7b file instead, it most likely contains the CA chain. Convert it to PEM format and use it as DOMAIN-ca.pem:<br />
* #openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem<br />
# Put these certs in /etc/racoon/<br />
# This sets up Authentication Header (AH) policy for domain isolation. The policy file below covers only port 3389 on one machine. The format is:<br />
policy src_net/mask[port] dst_net/mask[port] protocol policy and implementation of policy<br />
The following applies AH only to rdesktop (terminal server) connections:<br />
<br />
* #vi /etc/ipsec.conf<br />
<br />
<pre><br />
<br />
spdflush;<br />
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;<br />
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;<br />
<br />
</pre><br />
<br />
* #vi /etc/racoon/racoon.conf<br />
<br />
<pre> <br />
path certificate "/etc/racoon/";<br />
<br />
remote anonymous {<br />
exchange_mode main;<br />
certificate_type x509 "MY-cert.pem" "MY-key.pem";<br />
ca_type x509 "DOMAIN-ca.pem";<br />
#nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.<br />
proposal {<br />
authentication_method rsasig;<br />
encryption_algorithm 3des;<br />
hash_algorithm sha1;<br />
dh_group 14 ; <br />
}<br />
<br />
}<br />
sainfo anonymous {<br />
encryption_algorithm 3des;<br />
authentication_algorithm hmac_sha1;<br />
compression_algorithm deflate;<br />
<br />
}<br />
<br />
</pre><br />
<br />
* /etc/init.d/racoon start<br />
* Get the masq working correctly<br />
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE</div>Ms13sphttps://wiki.alpinelinux.org/w/index.php?title=Using_Alpine_on_Windows_domain_with_IPSEC_isolation&diff=2430Using Alpine on Windows domain with IPSEC isolation2008-10-15T22:42:14Z<p>Ms13sp: New page: Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document]. == Why Alpine? == You may have several computers; OSX, WIN98, Linux... that need to ...</p>
<hr />
<div>Based off [http://port25.technet.com/videos/research/IPsec%20Interop%20Final.pdf Micro$ofts document].<br />
<br />
== Why Alpine? ==<br />
You may have several computers (OS X, Win98, Linux, ...) that need to talk on a Windows domain that uses IPsec isolation. Maybe it is a mail server that needs to talk to Windows boxes only on port 25. Whatever the case, you don't want to configure each client for IPsec: it adds overhead on the clients, and some clients can't do it at all. This brief how-to uses Alpine as a router instead. It covers only an implementation that uses AH, but full-blown encryption on the network should also work with a few changes. OS X clients could also be configured similarly.<br />
<br />
<br />
=== Things needed ===<br />
IPSEC uses certificates to authenticate computers to each other. You will need to have a cert or PSK (pre-shared key) from the Domain Admin before proceeding. This will outline the way to do it with a certificate. PSK is just a few changes in the configuration.<br />
<br />
== Step by Step ==<br />
<br />
# Install alpine with the latest version. <br />
# Install the following packages: ipsec-tools-cvs, openssl<br />
# Extract the certificate in parts. The cert given to you by the domain admin most likely will be a pfx. The following commands will work:<br />
Extract the CA<br />
* openssl pkcs12 -in PFXFILE -cacerts -nokeys -out DOMAIN-ca.pem <br />
Extract the Key part of your cert<br />
* openssl pkcs12 -in PFXFILE -nocerts -nodes -out MY-key.pem<br />
Extract the Pub cert file<br />
* openssl pkcs12 -in PFXFILE -nokeys -clcerts -out MY-cert.pem<br />
If your admin gives you a p7b file instead, it most likely contains the CA chain. Convert it to PEM format and use it as DOMAIN-ca.pem:<br />
* openssl pkcs7 -inform DER -outform PEM -in CA_CHAIN -print_certs -text -out DOMAIN-ca.pem<br />
# Put these certs in /etc/racoon/<br />
# This sets up Authentication Header (AH) policy for domain isolation. The policy file below covers only port 3389 on one machine. The format is:<br />
policy src_net/mask[port] dst_net/mask[port] protocol policy and implementation of policy<br />
The following applies AH only to rdesktop (terminal server) connections:<br />
<br />
* vi /etc/ipsec.conf<br />
<br />
<pre><br />
<br />
spdflush;<br />
spdadd 0.0.0.0/0 10.1.1.2/32[3389] tcp -P out ipsec ah/transport//use;<br />
spdadd 10.1.1.2/32[3389] 0.0.0.0/0 tcp -P in ipsec ah/transport//use;<br />
<br />
</pre><br />
<br />
* vi /etc/racoon/racoon.conf<br />
<br />
<pre> <br />
path certificate "/etc/racoon/";<br />
<br />
remote anonymous {<br />
exchange_mode main;<br />
certificate_type x509 "MY-cert.pem" "MY-key.pem";<br />
ca_type x509 "DOMAIN-ca.pem";<br />
#nat_traversal on; #this may not need to be used even if you are doing a router :). Have to research this.<br />
proposal {<br />
authentication_method rsasig;<br />
encryption_algorithm 3des;<br />
hash_algorithm sha1;<br />
dh_group 14 ; <br />
}<br />
<br />
}<br />
sainfo anonymous {<br />
encryption_algorithm 3des;<br />
authentication_algorithm hmac_sha1;<br />
compression_algorithm deflate;<br />
<br />
}<br />
<br />
</pre><br />
<br />
* /etc/init.d/racoon start</div>Ms13sp