Some updates in alpine-server-setup.
This commit is contained in:
parent
545d63dd15
commit
7f5bf88498
4 changed files with 36 additions and 25 deletions
|
|
@ -2,14 +2,14 @@
|
|||
|
||||
To install the Alpine Linux distribution on the system, the datasets of the system pool and the EFI partitions have to be mounted to the main system.
|
||||
|
||||
First import and decrypt the system pool
|
||||
First import and decrypt the system pool.
|
||||
|
||||
```
|
||||
# zpool import -N -R /mnt tank
|
||||
# zfs load-key -L file:///tmp/tank.key tank
|
||||
```
|
||||
|
||||
Mount the datasets in the system pool and decrypt the home dataset
|
||||
Mount the datasets in the system pool and decrypt the home dataset.
|
||||
|
||||
```
|
||||
# zfs mount tank/root/alpine
|
||||
|
|
@ -17,26 +17,27 @@ Mount the datasets in the system pool and decrypt the home dataset
|
|||
# zfs mount tank/var
|
||||
```
|
||||
|
||||
Mount the ESP
|
||||
Mount the ESP.
|
||||
|
||||
```
|
||||
# mkdir /mnt/esp
|
||||
# mount /dev/md/esp /mnt/esp -t vfat
|
||||
```
|
||||
|
||||
Then install Alpine Linux
|
||||
Then install Alpine Linux.
|
||||
|
||||
```
|
||||
# export BOOTLOADER=none
|
||||
# setup-disk -m sys /mnt
|
||||
```
|
||||
|
||||
> This will also add `grub` as bootloader which will be replaced but for now it will reside on the ESP.
|
||||
|
||||
To have a functional chroot into the system, bind the system process directories
|
||||
To have a functional chroot into the system, bind the system process directories.
|
||||
|
||||
```
|
||||
# for i in dev proc sys run; do
|
||||
> mount --rbind --make-rslave /$i /mnt/$i
|
||||
# for dir in dev proc sys run; do
|
||||
> mount --rbind --make-rslave /$dir /mnt/$dir
|
||||
> done
|
||||
# chroot /mnt
|
||||
```
|
||||
|
|
@ -66,7 +67,7 @@ clock_hctosys="NO"
|
|||
clock_systohc="NO"
|
||||
```
|
||||
|
||||
Configure the ESP raid array to mount
|
||||
Configure the ESP raid array to mount.
|
||||
|
||||
```
|
||||
# modprobe raid1
|
||||
|
|
@ -76,7 +77,7 @@ Configure the ESP raid array to mount
|
|||
# rc-update add mdadm-raid boot
|
||||
```
|
||||
|
||||
Configure ZFS to mount
|
||||
Configure ZFS to mount.
|
||||
|
||||
```
|
||||
rc-update add zfs-import sysinit
|
||||
|
|
@ -139,7 +140,7 @@ Use `sbctl` to create secureboot keys and sign them.
|
|||
|
||||
> Whilst enrolling the keys it might be necessary to add the `--microsoft` flag if you are unable to use custom keys.
|
||||
|
||||
Set the cache-file of the ZFS pool
|
||||
Set the cache-file of the ZFS pool.
|
||||
|
||||
```
|
||||
# zpool set cachefile=/etc/zfs/zpool.cache tank
|
||||
|
|
@ -162,13 +163,15 @@ As discussed earlier `grub` will be replaced, install `gummiboot` as a bootloade
|
|||
# cp /usr/lib/gummiboot/gummibootx64.efi /esp/efi/boot/bootx64.efi
|
||||
```
|
||||
|
||||
Sign the bootloader with `sbctl`
|
||||
Sign the bootloader with `sbctl`.
|
||||
|
||||
```
|
||||
# sbctl sign -s /esp/efi/boot/bootx64.efi
|
||||
```
|
||||
|
||||
and also remove some remnants of `grub`.
|
||||
> One may verify the signed files by running `sbctl verify`, in this case `ESP_PATH=/esp` should be defined to work properly.
|
||||
|
||||
Remove some remnants of `grub`.
|
||||
|
||||
```
|
||||
# rm -rf /boot/grub
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ Set up the network namespace configuration for the user
|
|||
|
||||
```
|
||||
# modprobe tun
|
||||
# echo tun >> /etc/modules
|
||||
# echo tun >> /etc/modules-load.d/tun.conf
|
||||
# for i in subuid subgid; do
|
||||
> echo <username>:100000:65536 >> /etc/$i
|
||||
> done
|
||||
|
|
|
|||
|
|
@ -50,12 +50,11 @@ After reconfiguring `kernel-hooks` try to reboot and it should boot. Although th
|
|||
|
||||
### Sysctl
|
||||
|
||||
More kernel settings can be configured through sysctl. Edit `/etc/sysctl.d/main.conf`:
|
||||
More kernel settings can be configured through sysctl.
|
||||
|
||||
Create `/etc/sysctl.d/kernel.conf`:
|
||||
|
||||
```
|
||||
# Main security configuration.
|
||||
|
||||
## Kernel
|
||||
kernel.kptr_restrict=2
|
||||
kernel.dmesg_restrict=1
|
||||
kernel.printk=3 3 3 3
|
||||
|
|
@ -65,10 +64,17 @@ dev.tty.ldisc_autoload=0
|
|||
kernel.kexec_load_disabled=1
|
||||
kernel.sysrq=0
|
||||
kernel.perf_event_paranoid=3
|
||||
```
|
||||
|
||||
## Network
|
||||
Create `/etc/sysctl.d/network.conf`:
|
||||
|
||||
```
|
||||
net.ipv4.icmp_echo_ignore_all=1
|
||||
net.ipv4.tcp_syncookies=1
|
||||
net.ipv4.tcp_rfc1337=1
|
||||
net.ipv4.tcp_sack=0
|
||||
net.ipv4.tcp_dsack=0
|
||||
net.ipv4.tcp_fack=0
|
||||
net.ipv4.conf.all.rp_filter=1
|
||||
net.ipv4.conf.default.rp_filter=1
|
||||
net.ipv4.conf.all.accept_redirects=0
|
||||
|
|
@ -77,14 +83,13 @@ net.ipv4.conf.all.secure_redirects=0
|
|||
net.ipv4.conf.default.secure_redirects=0
|
||||
net.ipv4.conf.all.send_redirects=0
|
||||
net.ipv4.conf.default.send_redirects=0
|
||||
net.ipv4.icmp_echo_ignore_all=1
|
||||
net.ipv4.conf.all.accept_source_route=0
|
||||
net.ipv4.conf.default.accept_source_route=0
|
||||
net.ipv4.tcp_sack=0
|
||||
net.ipv4.tcp_dsack=0
|
||||
net.ipv4.tcp_fack=0
|
||||
```
|
||||
|
||||
## User space
|
||||
Create `/etc/sysctl.d/user.conf`:
|
||||
|
||||
```
|
||||
kernel.yama.ptrace_scope=2
|
||||
vm.mmap_rnd_bits=32
|
||||
vm.mmap_rnd_compat_bits=16
|
||||
|
|
@ -92,8 +97,11 @@ fs.protected_symlinks=1
|
|||
fs.protected_hardlinks=1
|
||||
fs.protected_fifos=2
|
||||
fs.protected_regular=2
|
||||
```
|
||||
|
||||
## For hardened_malloc
|
||||
Create `/etc/sysctl.d/malloc.conf`:
|
||||
|
||||
```
|
||||
vm.max_map_count=1048576
|
||||
```
|
||||
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ Before creating the user, install `doas`. To be able to "do as" root when it is
|
|||
# apk add doas
|
||||
```
|
||||
|
||||
Configure `doas` through `/etc/doas.d/main.conf`:
|
||||
Configure `doas` through `/etc/doas.d/wheel.conf`:
|
||||
|
||||
```
|
||||
permit persist :wheel as root
|
||||
|
|
|
|||
Loading…
Reference in a new issue