User talk:Jch: Difference between revisions

From Alpine Linux
Revision as of 08:42, 28 May 2015

How to automate KVM creation

How to emulate USB stick with KVM.

Starting_AL_from_network

How to set up a PXE environment.

Building_a_complete_infrastucture_with_AL

From first repo (boot media):

AlpineLinux dhcpd tftp-hpa syslinux mkinitfs nfs-utils darkhttpd rsync openssh openvswitch screen qemu-system-X86_64 qemu-img gptfdisk parted mdadm lvm2 nbd xfsprogs e2fsprogs multipath consul dnsmasq vim collectd collectd-network git syslog-ng envconsul consul-template xnbd ceph lxc lxc-templates xfsprogs gptfdisk e2fsprogs multipath wipe tcpdump curl openvpn fsconsul

and all dependencies...

will build a custom ISO with that list...

About NFS

NFS is now working with AL, both as server and as client, with the nfs-utils package.
However, using NFS as a client inside some LXC containers does not seem to work yet, as shown below:

nfstest:~# mount -t nfs -o ro 192.168.1.149:/srv/boot/alpine /mnt
mount.nfs: Operation not permitted
mount: permission denied (are you root?)
nfstest:~# tail /var/log/messages 
Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC 
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root.  chown /var/lib/nfs to choose different user
nfstest:~# ls -l /var/lib/nfs
total 12
-rw-r--r--    1 root     root             0 Nov 10 15:43 etab
-rw-r--r--    1 root     root             0 Nov 10 15:43 rmtab
drwx------    2 nobody   root          4096 Apr  4 10:05 sm
drwx------    2 nobody   root          4096 Apr  4 10:05 sm.bak
-rw-r--r--    1 root     root             4 Apr  4 10:05 state
-rw-r--r--    1 root     root             0 Nov 10 15:43 xtab

msg from ncopa: """ dmesg should tell you that grsecurity tries to prevent you from doing this.

grsecurity does not permit the syscall mount from within a chroot since that is a way to break out of a chroot. This affects lxc containers too.

I would recommend that you do the mounting from the lxc host in the container config with lxc.mount.entry or similar.

https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

If you still want to disable mount protection in grsecurity then you can do that with: echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount """

This is not working with

lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0

on the host machine with all nfs modules and helper software installed and loaded.

backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for
'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'

Nor with

echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

on the host machine with all nfs modules and helper software installed and loaded; that doesn't work either.

Finding a proper way to use NFS shares from AL LXC containers is an important topic, in order to be able to, for instance, load-balance web servers sharing content uploaded by users.

The next step will be to have HA for the NFS server itself (with only AL machines).

About NBD

NBD is now in edge/testing thanks to clandmeter.

I cannot test it properly at the moment because all the machines are busy in prod, and this package allows new-style only. I'm waiting for my new lab machine...

We still miss xnbd for its proxy features allowing live migration. We are very excited by xnbd's capabilities!
Will be an avid tester!

Also we are still looking for the right solution to back up an NBD device as a whole (versus by its content) while in use. dd|nc is the way used nowadays.

New_lab_machine

My new lab machine ;)

still waiting :(

About consul

nothing yet but big hopes ^^
I'm lurking IRC about it ;)

We plan to use its dynamic DNS feature, its host listing, services inventory, events, k/v store...
and even semi high availability for our PXE infrastructure, the consul leader being the active PXE server and the other consul servers being dormant PXE servers.
All config scripts are adapted to pull values out of the consul k/v datastore based on profiles found in consul's various lists.
As the key for dhcpd and PXE boot is the hwaddr, it will become our uuid for the LAN and consul too.
We are very excited by consul's capabilities!
Will be an avid tester!

Open questions:

  1. What memory footprint is needed?
  2. What about dynamically adapting the quorum size?
  3. Are checks possible triggers?
    • consul watch -prefix type -name name /path/to/executable
    • consul event [options] -name name [payload]
  4. What is the best practice to store etc configurations?

log of experimentation at User_talk:Jch/consul

About CEPH

CEPH is supposed to solve the problem of high availability for the data stores, be it block devices (disks) or character devices (files).

The actual situation is not satisfactory.

We are very excited by CEPH's capabilities!
Will be an avid tester!

About Docker

not a lot of information on the Docker page yet ...

About E-MailRelay

E-MailRelay is a simple SMTP proxy and store-and-forward message transfer agent (MTA).
See http://emailrelay.sourceforge.net/

It compiles fine on AL.

apk update
apk add subversion alpine-sdk
svn checkout svn://svn.code.sf.net/p/emailrelay/code/trunk emailrelay-code
cd emailrelay-code
./configure --prefix=/usr
make
make install
apk del subversion alpine-sdk
apk add libgcc libstdc++
emailrelay --help

But I still have issues properly building a package because it wants to install some stuff in <PREFIX>/libexec...
(And I also need to separate -doc, -test, -extra and optionally -gui into subpackages I guess)

About X2Go

x2goserver

I did prepare x2goserver and nx-libs packages.

x2goclient

lrelease-qt4 x2goclient.pro
/bin/bash: lrelease-qt4: command not found
Makefile:39: recipe for target 'build_client' failed

Dunno where to find that...

My laptop setup

After having migrated nearly all my server boxes from Debian to Alpine, it's about time to migrate my laptop (the desktop will be last).

It is really cool to prepare the setup on a USB stick, preparing an apkovl. It keeps the environment with no pollution: no history, no temporary files.
At the end it could be pushed as a kind of sys install (more later on the topic).

I want it to run-from-ram as from a USB stick, but from the first partition.
It will need to run X (not wayland, as I plan to make heavy usage of remote X for both full desktops and applications).
It will need to have good sound support with network support (jack? pulse-audio?).

For now I'm struggling with the basic sound system :( This has always been my weakest point with Linux. :/
Unfortunately there is nothing about setting up sound in this wiki :(
Lucky me, my sound card is automatically installed at boot time ("lsmod|grep snd" shows several lines of info). I just apk add alsa-utils then ran alsamixer to un-mute the speaker and it just works! (tested with aplay /usr/share/sound/alsa/Noise.wav)

My laptop has an ethernet card and a wifi one. On normal use, I will not use both at the same time. But I want to have an automatic selection based on what network is available and only eth0 if both are. As I will make heavy use of VM and containers on that machine, I want some unified interface to expose to the VMs. Therefore I install openvswitch; define an OVS called wan; connect both eth0 and wlan0 to the switch wan. For now, I have in /etc/network/interfaces

auto lo wlan0 wan
allow-hotplug eth0

iface lo inet loopback

iface eth0 inet manual
    up ip link set eth0 up
    up ip link set wlan0 down
    down ip link set eth0 down
    down ip link set wlan0 up

iface wlan0 inet manual
    up ip link set wlan0 up
    down ip link set wlan0 down

iface wan inet dhcp
    pre-up ip link set eth0 up
    hostname jch-laptop

With it wlan0 is started before eth0. If eth0 is then fired, wlan0 is taken down. And wan just needs one of them to provide a link. Now I need to fire "ifup eth0" and "ifdown eth0" automatically when the ethernet link becomes active or inactive... normally the allow-hotplug stanza should do the trick, but it seems that the event is not fired by the kernel if the link is not set...
The pre-up stanza is there to be able to catch the kernel event. It works as expected at boot time. rc-service networking start sets lo, wlan0 and wan up. The kernel sets eth0 up when connected, down when disconnected.
But wan is not updated on an eth0 link change. ifdown wan should be issued if needed, and ifup wan every time eth0 changes state.
Also I need to restart the dhcp client on wan on a link change on eth0, and to restart the openvpn.* daemons...

We need to fire an event (script) on eth0 link state changes!
To (re)start the dhcp client on wan and to restart openvpn.*...
Other exposed services should listen on 0.0.0.0 on the wan interface and not be affected by the change.
I tried with a script called from an up stanza. To no avail.
Launching the script manually does the trick for now.
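One way to fire that event, as an added example that is not part of these notes: a small POSIX sh watcher that polls the eth0 carrier and, on each link change, runs ifup/ifdown eth0, renews wan's DHCP lease and restarts the openvpn.* services. It assumes the /etc/network/interfaces above, OpenRC openvpn.* services, and the script name wan-link-watch.sh (all assumptions of this example).

```shell
#!/bin/sh
# Added example, not from the original notes: poll the eth0 carrier and redo the
# wan setup whenever the link comes or goes. Assumes the /etc/network/interfaces
# above (OVS bridge "wan", members eth0 and wlan0) and OpenRC openvpn.* services.
IFACE=${IFACE:-eth0}
WAN=${WAN:-wan}
INTERVAL=${INTERVAL:-2}
# Carrier of an interface: "1" (link), "0" (no link) or "unknown" (interface
# absent or administratively down, where the carrier file is unreadable).
carrier_state() {
    cat "/sys/class/net/$1/carrier" 2>/dev/null || echo unknown
}

# Map a (previous, current) carrier pair to "up", "down" or "none".
# Pure function, so the transition logic can be tested without a NIC.
link_action() {
    if [ "$2" = "$1" ]; then echo none
    elif [ "$2" = "1" ]; then echo up
    elif [ "$1" = "1" ]; then echo down
    else echo none
    fi
}

# Carry out a transition: ifup/ifdown eth0 runs the up/down stanzas of the notes
# (which also toggle wlan0); wan then needs a fresh DHCP lease and the openvpn.*
# tunnels must reconnect over the new path.
apply_action() {
    case $1 in
        up)   ifup "$IFACE" ;;
        down) ifdown "$IFACE" ;;
        *)    return 0 ;;
    esac
    ifdown "$WAN"; ifup "$WAN"
    for svc in /etc/init.d/openvpn.*; do
        [ -e "$svc" ] && rc-service "${svc##*/}" restart
    done
}
watch_link() {
    prev=$(carrier_state "$IFACE")
    while :; do
        sleep "$INTERVAL"
        cur=$(carrier_state "$IFACE")
        apply_action "$(link_action "$prev" "$cur")"
        prev=$cur
    done
}

# Run the loop only when executed as a script, not when sourced for testing.
case ${0##*/} in wan-link-watch.sh) watch_link ;; esac
```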

setup-xorg-base and awesome minimal with (claws-mail, midori, lxterminal)

At this moment /etc/apk/world

alpine-base
wireless-tools
wpa_supplicant
openvswitch
openvpn
xorg-server
xf86-video-vesa
xf86-video-intel
xf86-video-modesetting
xf86-input-evdev
xf86-input-mouse
xf86-input-keyboard
xf86-input-synaptics
udev
alsa-utils
qemu-system-x86_64
screen

Later on, the DE and applications will be accessed remotely over the network from inside a bunch of KVM and LXC (services in KVM are exposed from LXC whenever possible (notable exception: nfs)).

  1. baremetal : openvswitch;irqbalance;screen;qemu;xorg;alsa;cryptsetup
  2. KVM-router : iptables/openvpn/dnsmasq/consul leader/ntpd/squid/emailrelay+postfix/proxy socks (TOR)/dhcpd
  3. KVM-SAN-NAS : lvm2+nbd-server;ssh;nfs;samba;darkhttpd;tftp;rsync (AL local repo)
  4. KVM-Desktop : xorg (X ; x2goclient; cups); DE
  5. KVM-proxy : squid+privoxy

/etc/local.d/40-KVM-SAN.start

# / comes from san.img; /dev/sda2 is passed through and becomes /dev/storage (lvm2+luks).
# "-net storage" is the notes' shorthand for a NIC on the OVS bridge "storage".
qemu-system-x86_64 -enable-kvm -m 384 \
  -cdrom /media/sda1/images/san.img \
  -drive file=/dev/sda2 \
  -net storage \
  -boot d

run-from-ram based on an apkovl

ovs-vsctl add-br wan
ovs-vsctl add-br storage
ovs-vsctl add-br lan
ovs-vsctl add-br consul
mount -o remount,rw /media/usb
mkdir /media/usb/images
cd /media/usb/images
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-3-2-0-x86_64.iso
wget http://wiki/alpinelinux.org/cgi-bin/dl.cgi/v3.2/releases/x86_64/alpine-mini-3-2-0-x86_64.iso
qemu-img create -f raw /media/usb/images/san.img SIZE   # SIZE is a placeholder (e.g. 2G): qemu-img create needs an explicit size
sync
cd
mkdir /media/usb/apkovl
apk -v sync
mount -o remount,ro /media/usb
lbu package   # or lbu ci

/etc/local.d/41-KVM-router.start

# / from the Alpine mini ISO, /var from the SAN's NBD export "router" (10809 is the default NBD port).
# Each "-net <bridge>" is the notes' shorthand for a NIC on that OVS bridge.
qemu-system-x86_64 -enable-kvm -m 128 \
  -cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \
  -drive file=nbd:kvm-san:10809:exportname=router \
  -net wan \
  -net lan \
  -net vpn \
  -net consul \
  -boot d

run-from-ram based on an apkovl. We have a clean install at each boot.

/etc/local.d/42-KVM-proxy.start

# /var from the SAN's NBD export "proxy" (10809 is the default NBD port);
# the "-net ..." bridge list is still unfinished in these notes.
qemu-system-x86_64 -enable-kvm -m 256 \
  -drive file=nbd:kvm-san:10809:exportname=proxy \
  -net ... \
  -boot n

run-from-ram based on an apkovl

/etc/local.d/43-KVM-desktop.start

# /usr and /home from the SAN's NBD exports "desktop" and "home" (10809 is the default NBD port);
# the "-net ..." bridge list is still unfinished in these notes.
qemu-system-x86_64 -enable-kvm -m 3000 \
  -drive file=nbd:kvm-san:10809:exportname=desktop \
  -drive file=nbd:kvm-san:10809:exportname=home \
  -net ... \
  -boot n
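As an added example (not code from these notes), here is what the "-net <bridge>" shorthand in the start scripts above has to become on a real command line: one tap device per NIC, plugged into the named openvswitch bridge, shown for the router VM and its wan/lan/vpn/consul bridges. The tap naming (tap-<vm><n>) and the use of the default NBD port are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: what the "-net <bridge>" shorthand
# of the start scripts above needs on a real qemu command line, i.e. a tap port
# on the named OVS bridge. Assumes the bridges exist (ovs-vsctl add-br, as in the
# notes); VM names and the tap-<vm><n> naming are this example's choice.

# Name of the tap device for NIC number <idx> of VM <vm>.
tap_name() { echo "tap-$1$2"; }

# QEMU arguments for NIC <idx> of VM <vm>. script=no/downscript=no: the tap is
# plugged into OVS by ovs_tap_create below, not by qemu's bridge helper.
ovs_tap_args() {
    echo "-netdev tap,id=net$2,ifname=$(tap_name "$1" "$2"),script=no,downscript=no -device virtio-net-pci,netdev=net$2"
}

# NIC arguments for VM <vm>, one NIC per listed bridge (pure, no side effects).
vm_net_args() {
    vm=$1; shift; i=0; args=""
    while [ $# -gt 0 ]; do
        args="$args $(ovs_tap_args "$vm" "$i")"
        i=$((i + 1)); shift
    done
    echo "${args# }"
}

# Create the tap for NIC <idx> of VM <vm> and plug it into <bridge>; safe to
# re-run, an existing tap or port is kept.
ovs_tap_create() {
    tap=$(tap_name "$1" "$3")
    ip link show "$tap" >/dev/null 2>&1 || ip tuntap add dev "$tap" mode tap
    ip link set "$tap" up
    ovs-vsctl --may-exist add-port "$2" "$tap"
}

# The router VM from the notes with its four bridges spelled out: taps first,
# then the same NIC list expanded on the qemu command line.
start_router() {
    i=0
    for br in wan lan vpn consul; do
        ovs_tap_create router "$br" "$i"; i=$((i + 1))
    done
    # shellcheck disable=SC2046  # the NIC argument list is meant to be word-split
    qemu-system-x86_64 -enable-kvm -m 128 \
        -cdrom /media/sda1/images/alpine-mini-3.2-x86_64.iso \
        -drive file=nbd:kvm-san:10809:exportname=router \
        $(vm_net_args router wan lan vpn consul) -boot d
}
```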

sys install on NBD and NFS takes on the sound system

/etc/local.d/40-KVM-desktop.stop

# stop only the desktop VM: match its NBD export on the qemu command line
pkill -f 'nbd:kvm-san.*desktop'

/etc/local.d/41-KVM-proxy.stop

# stop only the proxy VM: match its NBD export on the qemu command line
pkill -f 'nbd:kvm-san.*proxy'

/etc/local.d/42-KVM-router.stop

# stop only the router VM: match its NBD export on the qemu command line
pkill -f 'nbd:kvm-san.*router'

/etc/local.d/43-KVM-SAN.stop

# stop only the SAN VM (last, once its NBD clients are gone): match its boot image
pkill -f 'images/san.img'

Start X on bare-metal against KVM-desktop