https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Thinman&feedformat=atom
Alpine Linux - User contributions [en]
2024-03-29T11:14:05Z
User contributions
MediaWiki 1.40.0
https://wiki.alpinelinux.org/w/index.php?title=PipeWire&diff=21542
PipeWire
2022-01-30T02:38:39Z
<p>Thinman: </p>
<hr />
<div>{{Draft|The instructions below have not been thoroughly tested and may break things.}}<br />
<br />
[https://pipewire.org/ PipeWire] is a multimedia processing engine that aims to improve audio and video handling on Linux.<br />
<br />
== Prerequisites ==<br />
<br />
=== Audio Group ===<br />
<br />
When elogind is not available, the user has to be added to the <code>audio</code> group. The user must log in again for this to take effect.<br />
<br />
<pre><br />
# addgroup <user> audio<br />
</pre><br />
<br />
=== D-Bus ===<br />
<br />
PipeWire requires a running [https://www.freedesktop.org/wiki/Software/dbus/ D-Bus] session. If you use a full desktop environment this will probably be started automatically, but with minimal window managers it must be done manually.<br />
<br />
<pre><br />
# apk add dbus dbus-openrc dbus-x11<br />
# rc-service dbus start<br />
# rc-update add dbus default<br />
</pre><br />
<br />
Then use <code>dbus-launch</code> whenever you start an X or Wayland session. For example:<br />
<pre><br />
$ dbus-launch --exit-with-session sway<br />
</pre><br />
<br />
=== XDG_RUNTIME_DIR ===<br />
<br />
If you are not using a Desktop Manager, ensure that your <code>XDG_RUNTIME_DIR</code> is set to a user-writable location. By default for pulseaudio this is {{Path|/run/user/1000/}} or {{Path|/tmp}}. If this is not set, pipewire will create a directory in your home folder instead, called <code>~/pulse</code>, and on attempting to run Pavucontrol or pactl, you will get the following error:<br />
<br />
<pre><br />
$ pactl list<br />
Connection failure: Connection refused<br />
pa_context_connect() failed: Connection refused<br />
</pre><br />
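
One way to set up <code>XDG_RUNTIME_DIR</code> for a session started without a desktop manager, as an added example that is not part of the original wiki page. The function names and the <code>runtime-&lt;uid&gt;.XXXXXX</code> fallback name are assumptions; the owner-only 0700 mode follows the XDG Base Directory specification, which matters when the directory ends up under a shared location such as {{Path|/tmp}}.

```shell
#!/bin/sh
# Added example (not from the wiki page): pick and validate XDG_RUNTIME_DIR
# for a session started without a desktop manager.
# Function names and the fallback naming scheme are assumptions.

# check_runtime_dir DIR
# Succeeds only if DIR is a real directory (not a symlink), owned by the
# current user, with mode 0700.
check_runtime_dir() {
    dir=$1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ "$(stat -c %u "$dir")" = "$(id -u)" ] || return 1
    [ "$(stat -c %a "$dir")" = "700" ] || return 1
}

# ensure_runtime_dir [BASE]
# Prints a usable runtime directory. Prefers BASE/<uid> (BASE defaults to
# /run/user). If that path cannot be created or fails validation, a fresh
# private directory is created with mktemp -d instead of trusting a
# predictable name that another user could have created first.
ensure_runtime_dir() {
    base=${1:-/run/user}
    uid=$(id -u)
    candidate="$base/$uid"

    if [ ! -e "$candidate" ] && [ -w "$base" ]; then
        mkdir -m 0700 "$candidate" 2>/dev/null
    fi
    if check_runtime_dir "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi

    # mktemp -d creates the directory atomically with mode 0700.
    fallback=$(mktemp -d "${TMPDIR:-/tmp}/runtime-$uid.XXXXXX") || return 1
    check_runtime_dir "$fallback" || return 1
    printf '%s\n' "$fallback"
}

# Typical use in ~/.profile, before dbus-launch and pipewire are started:
#   XDG_RUNTIME_DIR=$(ensure_runtime_dir) && export XDG_RUNTIME_DIR
```

The fallback directory is not removed on logout, so clean it up from your session's exit hook if you rely on it.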
<br />
== Installation and configuration ==<br />
<br />
<pre><br />
# apk add pipewire wireplumber<br />
</pre><br />
<br />
{{Note|Using [https://gitlab.freedesktop.org/pipewire/wireplumber WirePlumber] rather than the pipewire-media-session (which comes with pipewire) is [https://gitlab.freedesktop.org/pipewire/media-session/-/blob/master/README.md recommended] but not required.}}<br />
<br />
Create a custom configuration file in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
# mkdir /etc/pipewire<br />
# cp /usr/share/pipewire/pipewire.conf /etc/pipewire/<br />
</pre><br />
<br />
Add the following line to the <code>context.exec</code> section at the bottom of {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "wireplumber" args = "" }<br />
</pre><br />
<br />
Enable the <code>snd_seq</code> kernel module for ALSA support.<br />
<br />
<pre><br />
# modprobe snd_seq<br />
# echo snd_seq >> /etc/modules<br />
</pre><br />
<br />
=== ALSA ===<br />
<br />
If you use neither JACK nor PulseAudio and don't intend to, create the following file:<br />
<br />
<pre><br />
# touch /etc/pipewire/media-session.d/with-alsa<br />
</pre><br />
<br />
=== PulseAudio ===<br />
<br />
PipeWire can run a [https://www.freedesktop.org/wiki/Software/PulseAudio/ PulseAudio] daemon which should allow all existing PulseAudio applications to be used with the PipeWire backend.<br />
<br />
<pre><br />
# apk add pipewire-pulse<br />
</pre><br />
<br />
Uncomment the following line in {{Path|/etc/pipewire/pipewire.conf}}:<br />
<br />
<pre><br />
{ path = "/usr/bin/pipewire" args = "-c pipewire-pulse.conf" }<br />
</pre><br />
<br />
It should be automatically enabled.<br />
<br />
=== JACK ===<br />
<br />
If you will be using PipeWire for [https://jackaudio.org/ JACK] applications, install the required package and make system-wide links to the PipeWire replacement JACK libraries (I have not had success using <code>pw-jack</code>). You will not need to start a JACK server.<br />
<br />
<pre><br />
# apk add pipewire-jack<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjackserver.so.0 /usr/lib/libjackserver.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjacknet.so.0 /usr/lib/libjacknet.so.0<br />
# ln -sf /usr/lib/pipewire-0.3/jack/libjack.so.0 /usr/lib/libjack.so.0<br />
</pre><br />
<br />
{{Note|These symlinks might be overwritten during updates.}}<br />
<br />
=== Video ===<br />
<br />
Video should work out-of-the-box with v4l2 devices (e.g. a lot of webcams) and [https://gstreamer.freedesktop.org/ GStreamer] applications.<br />
<br />
=== Bluetooth headset ===<br />
<br />
Requires the <code>pipewire-spa-bluez</code> package to be installed in addition to the <code>pipewire-pulse</code> daemon.<br />
<br />
=== Automatic bluetooth profile selection ===<br />
<br />
To automatically switch between HSP/HFP and A2DP profiles when an input stream is detected, set the bluez5.autoswitch-profile property to true:<br />
<pre><br />
/etc/pipewire/media-session.d/bluez-monitor.conf<br />
<br />
...<br />
rules = [<br />
{<br />
...<br />
actions = {<br />
update-props = {<br />
...<br />
bluez5.autoswitch-profile = true<br />
...<br />
</pre><br />
<br />
<br />
<br />
=== Screen sharing on Wayland ===<br />
<br />
You will need the right [https://github.com/flatpak/xdg-desktop-portal xdg-desktop-portal] backend for your desktop environment. Screen sharing is known to work on:<br />
* GNOME with <code>xdg-desktop-portal-gtk</code><br />
* KDE Plasma with <code>xdg-desktop-portal-kde</code> and Firefox<br />
* Sway with <code>xdg-desktop-portal-wlr</code> and Firefox<br />
<br />
== Usage ==<br />
<br />
Start the PipeWire media server. You'll probably get quite a few errors but just ignore them for now.<br />
<br />
<pre><br />
$ pipewire<br />
</pre><br />
<br />
{{Note| PipeWire doesn't auto-start a session manager anymore. <br />
In 3.14 and earlier, the PipeWire default config was edited in packaging to auto-start pipewire-media-session as the default session manager. Since we now have wireplumber available as an alternative session manager, this has been changed in favor of a launch wrapper for pipewire at /usr/libexec/pipewire-launcher. When executed, this will launch pipewire, pipewire-media-session or wireplumber, and pipewire-pulse, depending on what modules are available. If you were launching /usr/bin/pipewire and the session manager manually before, please use the new launcher wrapper instead. WirePlumber can now also be used as a proper alternative for pipewire-media-session.}}<br />
<br />
In a different terminal window check the default output device. I don't yet know how this default can be changed for all applications, so you'd better hope it's right!<br />
<br />
<pre><br />
# apk add pipewire-tools<br />
$ pw-cat -p --list-targets<br />
</pre><br />
<br />
Test sound is working using an audio file in a format supported by [http://www.mega-nerd.com/libsndfile/ libsndfile] (e.g. flac, opus, ogg, wav).<br />
<br />
<pre><br />
$ pw-cat -p test.flac<br />
</pre><br />
<br />
If you have a microphone, test that audio recording is working.<br />
<br />
<pre><br />
$ pw-cat -r --list-targets<br />
$ pw-cat -r recording.flac<br />
(Speak for a while then stop it with Ctrl+c)<br />
$ pw-cat -p recording.flac<br />
</pre><br />
<br />
Test PulseAudio clients using a media player (most use PulseAudio) and if you use JACK test that too:<br />
<br />
<pre><br />
# apk add jack-example-clients<br />
$ jack_simple_client<br />
</pre><br />
<br />
You should hear a sustained beep.<br />
<br />
If you are happy everything is working, make PipeWire start automatically when your X or Wayland session starts. For example, you could add the <code>pipewire</code> command to <code>~/.xinitrc</code> or your window manager's config file.<br />
<br />
== Troubleshooting ==<br />
<br />
=== <code>pw-cat -p --list-targets</code> shows no targets ===<br />
<br />
First, check whether ALSA knows about your sound card:<br />
<br />
<pre><br />
aplay -l<br />
</pre><br />
<br />
If sound devices are found, the issue is with your pipewire configuration. Consider double-checking the instructions above.<br />
<br />
Otherwise, your sound card may not be supported in the version of the Linux Kernel you're running. You should search online for fixes relating to your current kernel version and the codec of your sound card. You can find each of these with:<br />
<br />
<pre><br />
uname -r<br />
cat /proc/asound/card0/codec* | grep Codec<br />
</pre><br />
<br />
<br />
== See Also ==<br />
<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire PipeWire source repository]<br />
* [https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/home PipeWire Wiki]<br />
* [https://wiki.archlinux.org/index.php/PipeWire PipeWire on the ArchWiki]<br />
* [https://wiki.gentoo.org/wiki/Pipewire PipeWire on the Gentoo Wiki]<br />
<br />
[[Category:Multimedia]]</div>
Thinman
https://wiki.alpinelinux.org/w/index.php?title=How_to_get_regular_stuff_working&diff=21494
How to get regular stuff working
2022-01-17T19:12:45Z
<p>Thinman: added iproute2 to list of apps replaced by busybox</p>
<hr />
<div><br />
== Basic commands and shell hints ==<br />
<br />
Alpine comes with busybox by default. Busybox is set up as an endpoint for numerous symlinks that substitute various utilities. Though busybox is not that bad, the busybox replacement commands may still be missing some functionality.<br />
<br />
To replace the symlinks to busybox, install:<br />
<br />
* Shell utilities (things like grep, [[awk]], ls are all busybox symlinks)<br />
apk add util-linux pciutils usbutils coreutils binutils findutils grep iproute2<br />
<br />
* Bash<br />
It's also easy enough to install bash itself: <br />
apk add bash bash-doc bash-completion<br />
and optionally, change the login shell with '''chsh'''.<br />
<br />
== Disk Management ==<br />
<br />
Managing (removable) disks is much easier with udisks.<br />
<br />
Installation <br />
<br />
apk add udisks2 udisks2-doc<br />
<br />
To see the mounted disks<br />
<br />
udisksctl status<br />
<br />
== Compiling : a few notes and a reminder ==<br />
<br />
Compiling in Alpine may be more challenging because it uses [http://www.musl-libc.org/ musl-libc] instead of glibc. Please review [http://wiki.musl-libc.org/wiki/Functional_differences_from_glibc 'The functional differences with glibc' ] if you think of porting packages or just for the sake of knowing, of course.<br />
<br />
Alpine offers the regular compiler stuff like gcc and cmake, and possibly others.<br />
<br />
==== (unvalidated) apk packages to install so one can start building software ====<br />
apk add build-base gcc abuild binutils binutils-doc gcc-doc<br />
<br />
==== a complete install for cmake looks like ====<br />
<br />
apk add cmake cmake-doc extra-cmake-modules extra-cmake-modules-doc<br />
<br />
==== ccache is also available ====<br />
<br />
apk add ccache ccache-doc<br />
<br />
[[Category:Installation]]</div>
Thinman
https://wiki.alpinelinux.org/w/index.php?title=XFCE_Setup&diff=17088
XFCE Setup
2020-03-19T21:09:41Z
<p>Thinman: Thinman moved page XFCE Setup to Xfce Setup: Change Xfce case to match other Xfce pages to aid in search results</p>
<hr />
<div>#REDIRECT [[Xfce Setup]]</div>
Thinman
https://wiki.alpinelinux.org/w/index.php?title=Alpine_Linux:FAQ&diff=16785
Alpine Linux:FAQ
2020-01-18T02:29:35Z
<p>Thinman: /* What architectures supports Alpine? */ Minor grammar changes to improve readability</p>
<hr />
<div>[[Image:filetypes.svg|64px|left|link=]]<br />
This is a list of '''frequently asked questions''' about Alpine Linux.<br><br />
If your question is not answered on this page, use the search box above to find work in progress pages not linked here, or in case of no answer, edit this page and write down your question.<br />
{{Tip| Prepare your question. Think it through. Make it simple and understandable.}} <br />
<br />
=General=<br />
<br />
To get oriented and learn what makes our distribution distinctive, see the [http://alpinelinux.org/about About page] or [[Alpine Linux:Overview|our more detailed overview]].<br />
<br />
== I have found a bug, where can I report it? ==<br />
<br />
You can report it on the [https://gitlab.alpinelinux.org/groups/alpine/-/issues bugtracker]. But first search to see whether it was already reported.<br />
<br />
== Are there any details about the releases available? ==<br />
Yes, please check the [[Alpine Linux:Releases|Releases]] page.<br />
<br />
== How can I contribute? ==<br />
You can contribute by:<br />
* Using the software and giving feedback.<br />
* Documenting your [http://www.alpinelinux.org Alpine Linux] experiences on this [[Main_Page|wiki]].<br />
* In many other ways.<br />
Please visit [[Contribute|Contribute page]] to read more about this topic.<br />
<br />
== Why don't I have man pages or where is the 'man' command? ==<br />
The <code>man</code> command and man pages are not installed by default.<br />
<br />
* First, install the {{pkg|man}} package:<br />
<code>apk add man</code><br />
* Once that's done, install the documentation for the packages that you require man pages for:<br />
<code>apk add ''package''-doc</code><br />
<br />
For example, say you installed {{Pkg|iptables}} and you now require its man pages:<br />
<code>apk add iptables-doc</code> and then: <code>man iptables</code>. Keep in mind, not all packages will have a corresponding documentation package. In our example above, we installed the man pages (and other documentation) for <code>iptables</code>.<br />
<br />
== What is the difference between edge and stable releases? ==<br />
Stable releases are just what they sound like: initially a point-in-time snapshot of the package archives, but then maintained with bug-fixes only in order to keep a stable environment.<br />
<br />
[[Edge]] is more of a rolling-release, with the latest and greatest packages available in the online repositories.<br><br />
Occasionally, snapshot ISO images of the then-current state of [[edge]] are made and are available for download.<br><br />
Typically these are made when there are major kernel upgrades or package upgrades that require initramfs rebuilds.<br />
<br />
== What architectures does Alpine support? ==<br />
As Alpine uses the Linux kernel, it supports:<br />
* '''x86_64''': The popular AMD64 compatible 64-bit x86 based machines, i386 is not recommended for newer/latest hardware.<br />
* '''s390x''': For the Super powered IBM mainframes, especially IBM Z and IBM LinuxONE servers.<br />
* '''ppc64le''': For the PowerPC devices with pure little-endian mode, mostly for POWER8 and POWER9<br />
* '''x86''': (i386 pc 32bit) and x86_64 (i686 pc 64bit and amd64)<br />
* '''armhf''': The newer ARM hard-float for newer, more powerful 32-bit devices alongside 64-bit<br />
* '''armv7''': The 32-bit ARM only execution state of the ARMv7 devices machines.<br />
* '''aarch64''': The 64-bit ARM only execution state of the ARMv8 device machines.<br />
* '''ppc64le''': for 64-bit big-endian PowerPC and Power ISA processors like some MAC computers.<br />
* '''s390x''': for Server for IBM Z and LinuxONE mainframes.<br />
'''Please check [https://alpinelinux.org/downloads Download] page for media availability on each one''' and check [[Alpine_Linux:Releases|Releases]] pages for latest.<br />
<br />
== What kinds of releases of Alpine Linux are available? ==<br />
Please check the [[Alpine_Linux:Releases|Releases]] page for more information.<br />
<br />
=Setup=<br />
<br />
== What is the difference between 'sys', 'data', and 'diskless' when running 'setup-alpine' or 'setup-disk'? ==<br />
'''sys:''' This mode is a traditional disk install. The following partitions will be created on the disk: <nowiki>/boot</nowiki>, <nowiki>/</nowiki> (filesystem root) and <nowiki>swap</nowiki>.<br><br />
This mode may be used for development boxes, desktops, virtual servers, etc.<br />
<br />
'''data:''' This mode uses your disk(s) for data storage, not for the operating system. Runs from the media and only <nowiki>/var</nowiki> is created on disk. The system itself will run from tmpfs (RAM). Use this mode if you only want to use the disk(s) for a mailspool, databases, logs, etc.<br />
<br />
'''diskless:''' No disks are to be used. [[Alpine local backup]] may still be used in this mode.<br />
<br />
These modes are explained further [[Installation#Overview_of_run_modes_for_Alpine_system|on the '''Installation''' page]].<br />
<br />
== How do I upgrade Alpine? ==<br />
<br />
To upgrade to a new stable release or edge:<br />
<code>apk upgrade --available</code><br />
<br />
==My cron jobs don't run?==<br />
<br />
Start service ''crond'' and add it to runlevel:<br />
<br />
: {{cmd|rc-service crond start && rc-update add crond}}<br />
<br />
After that the cron daemon is started automatically on system boot and executes the scripts placed in the folders under {{path|/etc/periodic}} - there's a {{path|15min}} folder, plus ones for {{path|hourly}}, {{path|daily}}, {{path|weekly}} and {{path|monthly}} scripts.<br />
<br />
You can check whether your scripts are likely to run using the command:<br />
<br />
: {{cmd|run-parts --test /etc/periodic/[foldername]}} - for example: ''run-parts --test /etc/periodic/15min''<br />
<br />
This command will tell you what should run but will not actually execute the scripts.<br />
<br />
If the results of the test are not as expected, check the following:<br />
<br />
* Make sure the script is executable - if unsure, issue the command : {{cmd|chmod a+x [scriptname]}}<br />
* Make sure the first line of your script is :<pre>#!/bin/sh</pre><br />
* Do not put file extensions on your script names - this stops them from working; for example: {{path|myscript}} will run, but {{path|myscript.sh}} won't<br />
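
The checklist above as a script you can run over one of the {{path|/etc/periodic}} folders; this is an added example, not part of the original FAQ, and the function names are assumptions. It goes slightly beyond the list: it also verifies that the interpreter named on the first line exists, and it flags scripts that are writable by group or others, since these scripts are run by the cron daemon.

```shell
#!/bin/sh
# Added example (not from the FAQ): audit the scripts in an /etc/periodic
# folder against the checklist above. Function names are assumptions.

# check_periodic_script FILE
# Prints one line per problem found; returns non-zero if there was any.
check_periodic_script() {
    f=$1
    name=${f##*/}
    problems=0
    first=

    if [ ! -x "$f" ]; then
        echo "$f: not executable (chmod a+x)"
        problems=1
    fi

    # Read only the first line; an empty file leaves $first empty.
    IFS= read -r first < "$f" || true
    case $first in
        '#!'*)
            # Interpreter path is the first word after "#!".
            interp=$(printf '%s\n' "$first" | sed 's/^#! *//; s/ .*$//')
            if [ ! -x "$interp" ]; then
                echo "$f: interpreter '$interp' not found or not executable"
                problems=1
            fi
            ;;
        *)
            echo "$f: first line is not an interpreter line such as #!/bin/sh"
            problems=1
            ;;
    esac

    case $name in
        *.*)
            echo "$f: name has a file extension, so it will not be run"
            problems=1
            ;;
    esac

    # Beyond the FAQ's list: nobody but the owner should be able to edit a
    # script that the cron daemon executes. In the octal mode, the last
    # digit is "others" and the one before it is "group".
    mode=$(stat -c %a "$f")
    case $mode in
        *[2367]|*[2367]?)
            echo "$f: mode $mode is writable by group or others"
            problems=1
            ;;
    esac

    [ "$problems" -eq 0 ]
}

# audit_periodic_dir DIR
# Checks every regular file in DIR; returns non-zero if any has a problem.
audit_periodic_dir() {
    dir=$1
    bad=0
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        check_periodic_script "$script" || bad=$((bad + 1))
    done
    echo "$bad script(s) with problems in $dir"
    [ "$bad" -eq 0 ]
}

# Example: audit_periodic_dir /etc/periodic/15min
```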
<br />
= Time and timezones =<br />
<br />
== How do I set the local timezone? ==<br />
<br />
Starting in Alpine 2.2, setting the timezone can be done through the [[Setup-alpine|setup-alpine]] script, and no manual settings should be necessary.<br><br />
If you wish to edit the timezone after installation, run the [[Alpine_setup_scripts|setup-timezone]] script.<br />
<br />
= Packages =<br />
<br />
== Can you build an apk package for ...? ==<br />
Yes, we probably can.<br><br />
Please create an [https://gitlab.alpinelinux.org/alpine/aports/issues/new issue] in the [https://gitlab.alpinelinux.org bugtracker]. Prefix the title with "feat" and include a short (one-line) description, a URL for the home page, and a URL for the source package.<br />
<br />
== How can I build my own package? ==<br />
Please see the [[Creating an Alpine package]] page.<br />
<br />
== What does "required by: world[$pkgname]" mean? ==<br />
<br />
It means that the package you try to install does not exist in the repositories you have configured in <code>/etc/apk/repositories</code>. Maybe you forgot to add community, testing or unmaintained to /etc/apk/repositories?<br />
<br />
== How can I find out if a certain package exists in Alpine? ==<br />
<br />
If you only want to search the repositories you have configured in /etc/apk/repositories, then <code>apk search $pkgname</code> should get you sorted. If you want to search all repositories, have a look at the [https://pkgs.alpinelinux.org/ online pkg oracle].<br />
<br />
== WARNING: Ignoring APKINDEX.xxxx.tar.gz ==<br />
If you get <code>WARNING: Ignoring APKINDEX.xxxx.tar.gz: No such file or directory</code> while running package related tools, check your {{path|/etc/apk/repositories}} file if an entry points to {{path|.../v2.4/testing/}}. This directory is gone.<br />
<br />
To check the content of the repositories file<br />
{{Cmd|cat /etc/apk/repositories}}<br />
<br />
or <br />
{{Cmd|setup-apkrepos}}<br />
<br />
= Dynamic DNS =<br />
== How do I schedule a regular dynamic DNS update? ==<br />
You'll want to install the {{pkg|ez-ipupdate}} package:<br />
{{cmd|apk add ez-ipupdate}}<br />
<br />
After that, create a new file at {{path|/etc/ez-ipupdate.conf}} with contents similar to:<br />
service-type=dyndns<br />
user=myusername:mypassword<br />
interface=eth1<br />
host=myhostname.dyndns.org<br />
<br />
Make the new ip cache directory:<br />
{{cmd|mkdir /var/cache/ez-ipupdate<br />
lbu add /var/cache/ez-ipupdate}}<br />
<br />
Then schedule a new cron job with this command:<br />
{{cmd|echo >> /var/log/ez-ipupdate && \<br>/bin/date >> /var/log/ez-ipupdate && \<br>ez-ipupdate --config-file /etc/ez-ipupdate.conf -f -F /var/run/ez-ipupdate.pid \<br> --cache-file /var/cache/ez-ipupdate/ipcache --quiet >> /var/log/ez-ipupdate 2>&1}}<br />
<br />
Don't forget to backup your settings!<br />
{{cmd|lbu ci}}<br />
<br />
= Terminal =<br />
<br />
== How to enable/fix colors for git? ==<br />
<br />
The problem is not in git itself or terminal, but in the <tt>less</tt> command.<br />
Busybox’s <tt>less</tt> doesn’t support <tt>-r</tt> (<tt>--raw-control-chars</tt>) and <tt>-R</tt> (<tt>--RAW-CONTROL-CHARS</tt>) options.<br />
<br />
The simplest (yet not ideal) solution is to install GNU less:<br />
<br />
{{cmd|apk add less}}<br />
<br />
= Old questions, no longer frequently asked =<br />
<br />
== Alpine freezes during boot from Compact Flash, how can I fix it? ==<br />
Most Compact Flash card readers do not support proper DMA.<br><br />
You should append '''nodma''' to the ''append'' line in {{path|syslinux.cfg}}.<br />
<br />
== How do I remove the CDROM? ==<br />
Since the modloop loopback device is on CDROM you cannot just run <code>eject</code>. You need to unmount the modloop first.<br><br />
Unmounting both the modloop and the CDROM in one step can be done by executing:<br />
{{Cmd|/etc/init.d/modloop stop}}<br />
<br />
Then it's possible to eject the CDROM:<br />
{{Cmd|eject}}<br />
<br />
== How can I install a custom firmware in a diskless system? ==<br />
<br />
The modules and firmware are both special images which are mounted as read-only.<br><br />
To fix this issue you can copy the firmware directory to your writeable media (cf/usb) and copy your custom firmware to it.<br><br />
After reboot Alpine should automatically use the directory on your local storage instead of the loopback device.<br />
<br />
== How do I play my .ogg/.mp3 files? ==<br />
First, the sound card should be recognized (you must have {{path|/dev/snd/*****}} files)<br />
<br />
{{pkg|sox}}, {{pkg|mpg123}}, etc all use the oss sound driver, while Alpine uses ALSA drivers.<br><br />
So you need to load the snd-pcm-oss compatibility module.<br><br />
While you're at it, you might need {{pkg|aumix}} to turn up the sound volume<br />
{{cmd|echo snd-pcm-oss >> /etc/modules<br />
modprobe snd-pcm-oss <br />
apk_add aumix sox<br />
aumix (set volume settings)<br />
play really_cool_song.mp3}}<br />
<br />
== OpenNTPD reports an error with "adjtime" ==<br />
Your log contains something like:<br />
reply from 85.214.86.126: offset 865033148.784255 delay 0.055466, next query 32s<br />
reply from 202.150.212.24: offset 865033148.779314 delay 0.400771, next query 3s<br />
adjusting local clock by 865033148.779835s <br />
adjtime failed: Invalid argument <br />
<br />
{{pkg|openntpd}} is supposed to make small adjustments in the time without causing time jumps.<br><br />
If the adjustment is too big then something is clearly wrong and ntpd gives up. (It's actually adjtime(3) that limits how big an adjustment is allowed.)<br />
<br />
You can make ntpd set the time at startup by adding ''-s'' option to ntpd. This is done by setting '''NTPD_OPTS="-s"''' in {{path|/etc/conf.d/ntpd}}.<br />
<br />
== Using a cron job to keep the time in sync ==<br />
Add the following to {{path|/etc/periodic/daily}} (or use another folder under the {{path|/etc/periodic}} hierarchy if you want to run the script more or less frequently):<br />
<br />
Example: file called {{path|do-ntp}}<br />
<pre><br />
#!/bin/sh<br />
ntpd -d -q -n -p uk.pool.ntp.org</pre><br />
<br />
This queries the uk time server pool - you can modify this to suit your localisation, or just use ''pool.ntp.org''. More info here: [http://www.pool.ntp.org/zone/@ http://www.pool.ntp.org/zone/@]<br />
<br />
== Windows clients report an error when trying to sync ==<br />
{{pkg|openntpd}} needs to run for a while before it is satisfied it is in sync.<br />
Until then it will set a flag "clock not synchronized" and Windows will report an error while trying to sync with your {{pkg|openntpd}} server.<br />
<br />
The only thing to do is wait: do something else for 15-20 minutes and then check.<br />
<br />
<br />
[[Category:Newbie]]</div>
Thinman
https://wiki.alpinelinux.org/w/index.php?title=LVM_on_LUKS&diff=16762
LVM on LUKS
2019-12-30T00:22:16Z
<p>Thinman: /* Syslinux with BIOS */ changed 'vda' to 'sda' for dd command</p>
<hr />
<div>= Introduction =<br />
<br />
This documentation describes how to set up Alpine Linux on a fully encrypted disk (apart from the bootloader's partition). We will have an LVM container installed inside an encrypted partition. To encrypt the partition containing the LVM volume group, dm-crypt (which is managed by the <code>cryptsetup</code> command) and its LUKS subsystem is used.<br />
<br />
Note that your <code>/boot/</code> partition must be non-encrypted to work with Syslinux. When using GRUB2 it is possible to boot from an encrypted partition to provide a layer of protection from [https://en.wikipedia.org/wiki/Evil_maid_attack Evil Maid attacks], but Syslinux doesn't support this.<br />
<br />
== Storage Device Name ==<br />
<br />
To find your storage device's name, you could either install <code>util-linux</code> (<code>apk add util-linux</code>) and find your device using the <code>lsblk</code> command, or you could make an educated guess by using BusyBox's <code>blkid</code> and <code>df</code> commands, and running <code>ls /dev/sd*</code> if you are installing to a USB, SATA or SCSI device, <code>ls /dev/fd*</code> for floppy disks and <code>ls /dev/hd*</code> for IDE (PATA) devices.<br />
<br />
The following documentation uses the <code>/dev/sda</code> device as installation destination. If your environment uses a different device name for your storage device, use the corresponding device names in the examples.<br />
<br />
= Setting up Alpine Linux Using LVM on Top of a LUKS Partition =<br />
<br />
To install Alpine Linux in logical volumes running on top of a LUKS encrypted partition, you cannot use the [[Installation|official installation]] procedure. The installation requires several manual steps you must run in the Alpine Linux Live CD environment.<br />
<br />
== Preparing the Temporary Installation Environment ==<br />
<br />
Before you begin to install Alpine Linux, prepare the temporary environment:<br />
<br />
Boot the latest Alpine Linux Installation CD. At the login prompt, use the <code>root</code> user without a password to log in. Now we will follow the [[Setup-alpine]] script and make our changes along the way.<br />
<br />
Run the scripts in this order:<br />
<br />
<pre># setup-keymap<br />
# setup-hostname<br />
# setup-interfaces<br />
# rc-service networking start</pre><br />
<br />
If you are configuring static networking (you didn't configure any interfaces to use DHCP), run <code>setup-dns</code>.<br />
<br />
<pre># passwd<br />
# setup-timezone<br />
# rc-update add networking boot<br />
# rc-update add urandom boot<br />
# rc-update add acpid default<br />
# rc-service acpid start</pre><br />
<br />
Edit your {{Path|/etc/hosts}} to look like this, replacing <hostname> with your hostname and <domain> with your TLD (if you don't have a TLD, use 'localdomain'):<br />
{{Tip|The default text editor in BusyBox is <code>vi</code> (pronounced ''vee-eye'').}}<br />
{{Cat|/etc/hosts|127.0.0.1 <hostname> <hostname>.<domain> localhost localhost.localdomain<br />
::1 <hostname> <hostname>.<domain> localhost localhost.localdomain}}<br />
<br />
<br />
{{Note|In order to setup GRUB with UEFI, you are required to use the edge branch with the main and community repository. The reason for this is that <code>efibootmgr</code> is not available in the stable branch. If you do not want to switch completely over to edge you can do something called repository pinning. You will need to do this after the <code>setup-apkrepos</code> step.}}<br />
<br />
<pre># setup-apkrepos<br />
# apk update<br />
# setup-sshd<br />
# setup-ntp</pre><br />
<br />
Now we will deviate from the install script.<br />
<br />
Install the following packages required to set up LVM and LUKS:<br />
<br />
{{Note|The <code>parted</code> partition editor is needed for advanced partitioning and GPT disklabels. BusyBox <code>fdisk</code> is a very stripped-down version with minimal functionality}}<br />
<br />
<pre># apk add lvm2 cryptsetup e2fsprogs parted</pre><br />
<br />
Optionally, if you want to overwrite your storage with random data first, install <code>haveged</code>, which is a random number generator based on hardware events and has a higher throughput than <code>/dev/urandom</code>:<br />
<br />
<pre># apk add haveged<br />
# rc-service haveged start</pre><br />
<br />
== Creating the Partition Layout ==<br />
<br />
=== BIOS/MBR with DOS disklabel ===<br />
<br />
We will be partitioning the storage device with a non-encrypted <code>/boot</code> partition for use with the Syslinux bootloader. Syslinux is meant for use with legacy BIOS and the MSDOS MBR partition table. Syslinux does support GPT partition tables but GRUB2 is the better option for UEFI.<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name | Partition purpose | Filesystem type |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1 | Boot partition | ext4 |<br />
| /dev/sda2 | LUKS container | LUKS |<br />
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |<br />
| |-> /dev/vg01/root | Root partition | ext4 |<br />
| |-> /dev/vg01/swap | Swap partition | swap |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 100MB partition to boot off, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel msdos<br />
(parted) mkpart primary ext4 0% 100M<br />
(parted) name 1 boot<br />
(parted) set 1 boot on<br />
(parted) mkpart primary ext4 100M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
To view your partition table, type <code>print</code> while still in <code>parted</code>. Your results should look something like this:<br />
<pre>(parted) print<br />
Model: ATA TOSHIBA ******** (scsi)<br />
Disk /dev/sda: 1000GB<br />
Sector size (logical/physical): 512B/4096B<br />
Partition Table: msdos<br />
Disk Flags:<br />
<br />
Number Start End Size Type File system Flags<br />
1 1049kB 99.6MB 98.6MB primary ext4 boot<br />
2 99.6MB 1000GB 1000GB primary ext4</pre><br />
<br />
=== UEFI with GPT disklabel ===<br />
<br />
We will be encrypting the whole disk except for the EFI system partition mounted at <code>/boot/efi</code>. This means that GRUB2 will decrypt the LUKS volume and load the kernel from there, preventing someone with physical access to your computer from maliciously installing a rootkit (or bootkit) in your boot partition while your computer is not already unlocked. The partitioning scheme will look like this:<br />
<br />
<pre>+---------------------------+------------------------+-----------------------+<br />
| Partition name | Partition purpose | Filesystem type |<br />
+---------------------------+------------------------+-----------------------+<br />
| /dev/sda1 | EFI system partition | fat32 |<br />
| /dev/sda2 | LUKS container | LUKS |<br />
| |-> /dev/mapper/lvmcrypt | LVM container | LVM |<br />
| |-> /dev/vg01/root | Root partition | ext4 |<br />
| |-> /dev/vg01/boot | Boot partition | ext4 |<br />
| |-> /dev/vg01/swap | Swap partition | swap |<br />
+---------------------------+------------------------+-----------------------+</pre><br />
<br />
{{Warning|This will delete your previous partitioning table and make your data very hard to recover. If you want to dual boot, stop here and ask an expert.}}<br />
<br />
Create an approx. 200MB EFI system partition, then assign the rest of the space to your LUKS partition.<br />
<br />
<pre># parted -a optimal<br />
(parted) mklabel gpt<br />
(parted) mkpart primary fat32 0% 200M<br />
(parted) name 1 esp<br />
(parted) set 1 esp on<br />
(parted) mkpart primary ext4 200M 100%<br />
(parted) name 2 crypto-luks</pre><br />
<br />
== Optional: Overwrite LUKS Partition with Random Data ==<br />
<br />
This should be done if your hard drive wasn't encrypted previously. It helps purge old, non-encrypted data and makes it harder for an attacker to work out how much data you have on your drive if they have access to the encrypted contents.<br />
<br />
We will be using <code>haveged</code> because it generates pseudo-random numbers considerably faster than <code>/dev/urandom</code> (its throughput is almost as high as that of <code>/dev/zero</code>), and its output is (supposedly) very close to truly random.<br />
<br />
<pre># haveged -n 0 | dd of=/dev/sda2</pre><br />
<br />
== Encrypting the LVM Physical Volume Partition == <br />
<br />
To encrypt the partition which will later contain the LVM PV, you can either use the default settings (aes-xts-plain64 cipher with a 256-bit key and Argon2 hashing with an iter-time of 2000ms), or use the settings below, which add security at the cost of a performance decrease that is not noticeable on modern computers:<br />
<br />
Default settings:<br />
<br />
<pre># cryptsetup luksFormat /dev/sda2</pre><br />
<br />
Optimized for security:<br />
<br />
<pre># cryptsetup -v -c serpent-xts-plain64 -s 512 --hash whirlpool --iter-time 5000 --use-random luksFormat /dev/sda2</pre><br />
<br />
== Creating the Logical Volumes and File Systems ==<br />
<br />
Open the LUKS partition:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt</pre><br />
<br />
Create the PV on <code>lvmcrypt</code>:<br />
<br />
<pre># pvcreate /dev/mapper/lvmcrypt</pre><br />
<br />
Create the <code>vg0</code> LVM VG in the <code>/dev/mapper/lvmcrypt</code> PV:<br />
<br />
<pre># vgcreate vg0 /dev/mapper/lvmcrypt</pre><br />
<br />
=== LV Creation for BIOS/MBR ===<br />
<br />
This will create a 2GB swap partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
=== LV Creation for UEFI/GPT ===<br />
<br />
This will create a 2GB swap partition, a 2GB boot partition and a root partition which takes up the rest of the space. This setup is for those who do not need to use the hibernate/suspend to disk state. If you do need to suspend to disk, create a swap partition slightly larger than the size of your RAM (change the size after <code># lvcreate -L</code>).<br />
<br />
<pre># lvcreate -L 2G vg0 -n swap<br />
# lvcreate -L 2G vg0 -n boot<br />
# lvcreate -l 100%FREE vg0 -n root</pre><br />
<br />
The LVs created in the previous steps are automatically marked active. To verify, enter:<br />
<br />
<pre># lvscan</pre><br />
<br />
== Creating and Mounting the File Systems ==<br />
<br />
Format the <code>root</code> LV using the ext4 file system (the boot file system is formatted in a later step below):<br />
<br />
<pre># mkfs.ext4 /dev/vg0/root</pre><br />
<br />
Format the swap LV:<br />
<br />
<pre># mkswap /dev/vg0/swap</pre><br />
<br />
Before you can install Alpine Linux, you must mount the partitions and LVs. Mount the root LV to the <code>/mnt/</code> directory:<br />
<br />
<pre># mount -t ext4 /dev/vg0/root /mnt/</pre><br />
<br />
Next format your boot partition, create a mount point and mount it:<br />
<br />
* If you're using BIOS and MBR:<br />
<br />
<pre># mkfs.ext4 /dev/sda1<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/sda1 /mnt/boot</pre><br />
<br />
* If you're using UEFI and GPT:<br />
<br />
<pre># apk add dosfstools<br />
# mkfs.fat -F32 /dev/sda1<br />
# mkfs.ext4 /dev/vg0/boot<br />
# mkdir -v /mnt/boot<br />
# mount -t ext4 /dev/vg0/boot /mnt/boot<br />
# mkdir -v /mnt/boot/efi<br />
# mount -t vfat /dev/sda1 /mnt/boot/efi</pre><br />
<br />
Lastly, activate your swap partition:<br />
<br />
<pre># swapon /dev/vg0/swap</pre><br />
<br />
== Installing Alpine Linux ==<br />
<br />
In this step you will install Alpine Linux in the <code>/mnt/</code> directory, which contains the mounted file system structure:<br />
<br />
<pre># setup-disk -m sys /mnt/</pre><br />
<br />
The installer downloads the latest packages to install the base installation. Additionally, the installer automatically creates the entries for the mount points in the {{Path|/etc/fstab}} file, which is currently mounted in the <code>/mnt/</code> directory.<br />
<br />
{{Note|The automatic writing of the master boot record (MBR) fails in this step. You will write the MBR later manually to the disk.}}<br />
<br />
To get the UUID of your storage device into a file for later use, use this command:<br />
<br />
<pre># blkid -s UUID -o value /dev/sda2 > ~/uuid</pre><br />
<br />
To enable the operating system to decrypt the PV at boot time, create the {{Path|/mnt/etc/crypttab}} file. Enter the following line into the file to decrypt the <code>/dev/sda2</code> partition using the <code>luks</code> module and map it to the <code>lvmcrypt</code> name:<br />
<br />
<pre>lvmcrypt UUID=<UUID> none luks</pre><br />
<br />
{{Tip|To easily read the UUID into this file so you don't have to type it manually, open it in <code>vi</code>, then type <code>:r ~/uuid</code> to load the UUID onto a new line.}}<br />
<br />
{{Note|To enable TRIM, append <code>discard</code> after <code>luks</code> in <code>/mnt/etc/crypttab</code> (comma-separated). If LVM is being used, you'll also need to change <code>issue_discards</code> to equal 1 in <code>/mnt/etc/lvm.conf</code>. You will then want to add a cron job for <code>/sbin/fstrim</code> to run periodically. Be aware that there are security risks involved when enabling TRIM with LUKS.}}<br />
<br />
<br />
The swap LV is not automatically added to the <code>fstab</code> file. To add it manually, add the following line to the {{Path|/mnt/etc/fstab}} file:<br />
<br />
<pre>/dev/vg0/swap swap swap defaults 0 0</pre><br />
<br />
Edit the {{Path|/mnt/etc/mkinitfs/mkinitfs.conf}} file and append the <code>cryptsetup</code> module to the <code>features</code> parameter:<br />
<br />
<pre>features="... cryptsetup"</pre><br />
<br />
{{Note|Alpine Linux uses the <code>en-us</code> keyboard mapping by default when prompting for the password to decrypt the partition at boot time. If you changed the keyboard mapping in the temporary environment and want to use it at the boot password prompt, be sure to also add the <code>keymap</code> feature to the list above.}}<br />
<br />
{{Note|Check the output of <code>mkinitfs -L</code> and add the features necessary for your system to boot. You may need to add <code>kms</code> in order to see a password prompt at boot.}}<br />
<br />
<br />
Rebuild the initial RAM disk:<br />
<br />
<pre># mkinitfs -c /mnt/etc/mkinitfs/mkinitfs.conf -b /mnt/ $(ls /mnt/lib/modules/)</pre><br />
<br />
The command uses the settings from the <code>mkinitfs.conf</code> file set in the <code>-c</code> parameter to generate the RAM disk. The command is executed in the <code>/mnt/</code> directory and the RAM disk is generated using the modules for the installed kernel. Without setting the kernel version using the <code>$(ls /mnt/lib/modules/)</code> option, <code>mkinitfs</code> tries to generate the RAM disk using the kernel version installed in the temporary environment, which can differ from the latest one installed by the <code>setup-disk</code> utility.<br />
<br />
== Installing a bootloader ==<br />
=== Syslinux with BIOS ===<br />
<br />
Install the Syslinux package:<br />
<br />
<pre># apk add syslinux</pre><br />
<br />
Edit {{Path|/mnt/etc/update-extlinux.conf}} and append the following kernel options to the <code>default_kernel_opts</code> parameter, replacing <UUID> with the UUID of <code>/dev/sda2</code>:<br />
<br />
<pre>default_kernel_opts="... cryptroot=UUID=<UUID> cryptdm=lvmcrypt"</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system, and the <code>cryptdm</code> parameter sets the name of the mapping previously set in <code>crypttab</code>.<br />
<br />
Because the <code>update-extlinux</code> utility operates only on the <code>/boot/</code> directory, temporarily change the root to the <code>/mnt/</code> directory and update the boot loader configuration:<br />
<br />
<pre># chroot /mnt/<br />
# update-extlinux<br />
# exit</pre><br />
<br />
: If an error occurs in the <code>update-extlinux</code> command you can most likely ignore it.<br />
<br />
Write the MBR to the <code>/dev/sda</code> device:<br />
<br />
<pre># dd bs=440 count=1 conv=notrunc if=/mnt/usr/share/syslinux/mbr.bin of=/dev/sda</pre><br />
<br />
=== Grub with UEFI ===<br />
<br />
Mount the required filesystems for the Grub EFI installer to the installation:<br />
<br />
<pre># mount -t proc /proc /mnt/proc<br />
# mount --rbind /dev /mnt/dev<br />
# mount --make-rslave /mnt/dev<br />
# mount --rbind /sys /mnt/sys</pre><br />
<br />
Then chroot in and use <code>grub-install</code> to install Grub.<br />
<br />
<pre># chroot /mnt<br />
# source /etc/profile<br />
# export PS1="(chroot) $PS1"</pre><br />
<br />
Install <code>GRUB2</code> for EFI and (optionally) remove syslinux:<br />
<br />
<pre># apk add grub grub-efi efibootmgr<br />
# apk del syslinux</pre><br />
<br />
Edit {{Path|/etc/default/grub}} and add the following kernel options to the <code>GRUB_CMDLINE_LINUX_DEFAULT</code> parameter, replacing <UUID> with the UUID of the encrypted partition (in this case, <code>/dev/sda2</code>):<br />
<br />
<pre>cryptroot=UUID=<UUID> cryptdm=lvmcrypt</pre><br />
<br />
The <code>cryptroot</code> parameter sets the name of the device that contains the root file system. The <code>cryptdm</code> parameter sets the name of the mapping previously set in the <code>crypttab</code> file.<br />
<br />
<pre># (chroot) grub-install --target=x86_64-efi --efi-directory=/boot/efi<br />
# (chroot) grub-mkconfig -o /boot/grub/grub.cfg<br />
# (chroot) exit</pre><br />
<br />
== Unmounting the Volumes and Partitions ==<br />
<br />
Unmount the <code>/mnt/</code> partitions and reboot:<br />
<br />
<pre># cd<br />
# umount -ql /mnt/dev<br />
# umount -R /mnt<br />
# reboot</pre><br />
<br />
= Troubleshooting =<br />
<br />
== General Procedure ==<br />
<br />
In case your system fails to boot, you can verify the settings and fix incorrect configurations.<br />
<br />
Reboot and do the steps in [[#Preparing_the_Temporary_Installation_Environment|Prepare the temporary installation environment]] again.<br />
<br />
Set up the LUKS partition and activate the LVs:<br />
<br />
<pre># cryptsetup luksOpen /dev/sda2 lvmcrypt<br />
# vgchange -ay</pre><br />
<br />
[[#Creating_and_Mounting_the_File_Systems|Mount the file systems]].<br />
<br />
Verify that you ran the steps described in the [[#Installing_Alpine_Linux|Installing Alpine Linux]] section correctly. Update the configuration if necessary, unmount the partitions, then reboot.<br />
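<br />
The files edited during installation have to agree with each other, and that can be checked with a script. The following is an added example, not part of the original guide or of Alpine's tools: it confirms that the crypttab device and the <code>cryptroot</code> kernel option both carry the UUID of the LUKS partition, that <code>cryptdm</code> matches the crypttab mapping name, and that <code>mkinitfs.conf</code> lists the <code>cryptsetup</code> feature. The function names, the sample tree and its UUID are constructed for illustration.<br />
<br />
```sh
#!/bin/sh
# Added example, not part of the original guide.
# check_cryptboot <install-root> <luks-uuid> <bootloader-config>
# Returns 0 when crypttab, mkinitfs.conf and the kernel options agree.

SAMPLE_UUID=0a1b2c3d-1111-2222-3333-444455556666   # constructed, not a real device

# kopt <key> <file>: value of key=... found on the uncommented lines of <file>
kopt() {
    grep -v '^[[:space:]]*#' "$2" | tr ' "' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}

fail() { echo "MISMATCH: $*" >&2; rc=1; }

check_cryptboot() {
    root=$1 uuid=$2 bootcfg=$3 rc=0

    # crypttab fields: <mapping name> <device> <key file> <options>
    name=$(awk '$1 !~ /^#/ && NF >= 2 { print $1; exit }' "$root/etc/crypttab")
    dev=$(awk '$1 !~ /^#/ && NF >= 2 { print $2; exit }' "$root/etc/crypttab")
    [ "$dev" = "UUID=$uuid" ] || fail "crypttab device is '$dev', expected UUID=$uuid"

    # Without the cryptsetup feature the initramfs cannot unlock the volume.
    grep '^features=' "$root/etc/mkinitfs/mkinitfs.conf" | tr ' "' '\n\n' |
        grep -qx cryptsetup || fail "mkinitfs.conf: features lacks cryptsetup"

    # cryptroot must name the LUKS partition, cryptdm the crypttab mapping.
    cr=$(kopt cryptroot "$bootcfg")
    dm=$(kopt cryptdm "$bootcfg")
    [ "$cr" = "UUID=$uuid" ] || fail "$bootcfg: cryptroot is '$cr', expected UUID=$uuid"
    [ "$dm" = "$name" ] || fail "$bootcfg: cryptdm is '$dm', crypttab maps '$name'"
    return $rc
}

# Constructed sample tree so the check can be tried offline.
# make_sample <dir> <cryptdm value>
make_sample() {
    mkdir -p "$1/etc/mkinitfs" "$1/etc/default"
    echo "lvmcrypt UUID=$SAMPLE_UUID none luks" > "$1/etc/crypttab"
    echo 'features="ata base ext4 lvm cryptsetup"' > "$1/etc/mkinitfs/mkinitfs.conf"
    echo "GRUB_CMDLINE_LINUX_DEFAULT=\"quiet cryptroot=UUID=$SAMPLE_UUID cryptdm=$2\"" \
        > "$1/etc/default/grub"
}
```
<br />
With the file systems mounted in the temporary environment, call it as <code>check_cryptboot /mnt "$(cat ~/uuid)" /mnt/etc/default/grub</code>, or pass <code>/mnt/etc/update-extlinux.conf</code> as the last argument for a Syslinux install.<br />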
<br />
== System can't find boot device ==<br />
<br />
This can be because you are using a GPT partition table on a motherboard that runs BIOS instead of UEFI, or you are running an MSDOS/MBR/Syslinux install without enabling legacy boot mode in the UEFI settings.<br />
<br />
== Secure boot ==<br />
<br />
If secure boot complains of an unsigned bootloader, you can either disable it or adapt [https://wiki.archlinux.org/index.php/Secure_Boot this] guide to sign GRUB. If you're using Syslinux, then secure boot should be automatically disabled when you enable legacy boot mode.<br />
<br />
= Hardening =<br />
<br />
* To harden, you should disable DMA[https://old.iseclab.org/papers/acsac2012dma.pdf] and install a hardened version of AES (TRESOR[https://www1.informatik.uni-erlangen.de/tresor] or Loop-Amnesia[http://moongate.ydns.eu/amnesia.html]), since cryptsetup with LUKS uses AES by default.<br />
* Disable DMA in the BIOS and set the password for the BIOS according to Wikipedia.[https://en.wikipedia.org/wiki/DMA_attack]<br />
* Blacklist kernel modules that use DMA and any unused expansion modules (FireWire, CardBus, ExpressCard, Thunderbolt, USB 3.0, PCI Express and hotplug modules) that use DMA.<br />
<br />
= See also =<br />
*[[Bootloaders]]<br />
*[[Alpine setup scripts]]<br />
*[[Installing on GPT LVM]]<br />
*[[Setting up LVM on GPT-labeled disks]]<br />
*[[Setting up disks manually]]<br />
*https://wiki.gentoo.org/wiki/Syslinux<br />
*https://wiki.gentoo.org/wiki/GRUB2<br />
*https://wiki.archlinux.org/index.php/Syslinux<br />
*https://wiki.archlinux.org/index.php/GRUB<br />
*https://wiki.gentoo.org/wiki/Sakaki's_EFI_Install_Guide<br />
<br />
[[Category:Storage]]<br />
[[Category:Security]]</div>Thinman