From e1d8ecf6252bc69b512a1ad0f1c57625ff04ccab Mon Sep 17 00:00:00 2001 From: Luc Date: Sun, 11 Aug 2024 17:22:35 +0200 Subject: [PATCH] Updated post install section of alpine-server setup. --- .../post-install/users.md | 4 +- .../post-install/{podman.md => containers.md} | 0 .../post-install/drivers.md | 4 +- .../post-install/logging.md | 16 +++++++ .../post-install/repositories.md | 18 ++++++++ .../post-install/security.md | 3 +- .../alpine-server-setup/post-install/users.md | 43 +++++++++++++++++++ mkdocs.yml | 4 +- 8 files changed, 85 insertions(+), 7 deletions(-) rename docs/alpine-server-setup/post-install/{podman.md => containers.md} (100%) diff --git a/docs/alpine-desktop-setup/post-install/users.md b/docs/alpine-desktop-setup/post-install/users.md index d81edc7..0488876 100644 --- a/docs/alpine-desktop-setup/post-install/users.md +++ b/docs/alpine-desktop-setup/post-install/users.md @@ -26,10 +26,10 @@ and create a `_power` group for users to be able to poweroff the system without ## Adding a user -Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, full name with `-f`, groups and more: +Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, groups and more: ``` -# setup-user -g wheel,_power -f "" +# setup-user -g wheel,_power # passwd ``` diff --git a/docs/alpine-server-setup/post-install/podman.md b/docs/alpine-server-setup/post-install/containers.md similarity index 100% rename from docs/alpine-server-setup/post-install/podman.md rename to docs/alpine-server-setup/post-install/containers.md diff --git a/docs/alpine-server-setup/post-install/drivers.md b/docs/alpine-server-setup/post-install/drivers.md index 88376ea..9378813 100644 --- a/docs/alpine-server-setup/post-install/drivers.md +++ b/docs/alpine-server-setup/post-install/drivers.md 
@@ -1,6 +1,6 @@ # Firmware and drivers -Device firmware and drivers are necessary for graphics and also security. Luckily the graphics drivers will be installed through `home-manager` which now only leaves the CPU firmware. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`: +Device firmware and drivers are necessary for better performance and security. For Intel systems install `intel-ucode` and for AMD systems install `amd-ucode`: ``` # apk add intel-ucode @@ -8,7 +8,7 @@ Device firmware and drivers are necessary for graphics and also security. Luckil # apk add amd-ucode ``` -To make sure it is included during boot, regenerate the initramfs with: +To make sure it is included during boot, regenerate the UKI with: ``` # apk fix kernel-hooks diff --git a/docs/alpine-server-setup/post-install/logging.md b/docs/alpine-server-setup/post-install/logging.md index e69de29..29e8b59 100644 --- a/docs/alpine-server-setup/post-install/logging.md +++ b/docs/alpine-server-setup/post-install/logging.md @@ -0,0 +1,16 @@ +# Logging + +Enable the logger to log the rc-processes by editing `/etc/rc.conf` + +``` +rc_logger="YES" +``` + +To also log the kernel add `klogd`. + +``` +# apk add sysklogd +# rc-update add klogd boot +``` + +You can view the logs in `/var/log/dmesg` and `/var/log/messages`. \ No newline at end of file diff --git a/docs/alpine-server-setup/post-install/repositories.md b/docs/alpine-server-setup/post-install/repositories.md index e69de29..89ddd77 100644 --- a/docs/alpine-server-setup/post-install/repositories.md +++ b/docs/alpine-server-setup/post-install/repositories.md 
@@ -0,0 +1,18 @@ +# Repositories + +It's important to set the correct repositories when using any Linux distro. For Alpine these can be configured in `/etc/apk/repositories`: + +``` +https://dl-cdn.alpinelinux.org/alpine/latest-stable/main +https://dl-cdn.alpinelinux.org/alpine/latest-stable/community +``` + +This will use the latest stable repository of Alpine (for example `v3.19`). To use a different version of Alpine simply change `latest-stable` to whatever version you want. Do note that you can not (easily) downgrade your system's version. There also is the `edge` repository which contains more packages but it is not recommended because it can result in faster breakage of your system. + +## apk-ample + +We also host our own repository which contains some packages not found in the stable repository but also our own packages like `linux-hardened`. If you want to add it to your system edit `/etc/apk/repositories` and add this line under the other repositories: + +``` +https://git.bijl.us/lnco/apk-ample/raw/branch/main/alpine/ +``` \ No newline at end of file diff --git a/docs/alpine-server-setup/post-install/security.md b/docs/alpine-server-setup/post-install/security.md index 6afd2c8..3d8c2f0 100644 --- a/docs/alpine-server-setup/post-install/security.md +++ b/docs/alpine-server-setup/post-install/security.md @@ -33,6 +33,7 @@ You can check the status of apparmor using `apparmor-utils`: # apk add apparmor-utils # aa-status ``` + ## Kernel settings ### Commandline 
@@ -43,7 +44,7 @@ There are a lot of kernel settings which can be passed to the command line to ma cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 intel_iommu=on amd_iommu=on iommu=force efi=disable_early_pci_dma spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1 rd.shell=0 rd.emergency=reboot" ``` -After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now. +After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time, so these settings should do for now. > Whilst booting up your system you may see sysctl complaining about ipv6 settings. [We are trying to resolve the problem](https://git.bijl.us/lnco/documentation/issues/30). diff --git a/docs/alpine-server-setup/post-install/users.md b/docs/alpine-server-setup/post-install/users.md index e69de29..c9de02b 100644 --- a/docs/alpine-server-setup/post-install/users.md +++ b/docs/alpine-server-setup/post-install/users.md 
@@ -0,0 +1,43 @@ +# Users + +To run containers securely; in an environment with fewer privileges, a user is necessary. + +## Wheel + +Before creating the user install `doas`, to use when root is required: + +``` +# apk add doas +``` + +Configure `doas` through `/etc/doas.d/main.conf`: + +``` +permit persist :wheel as root +permit nopasss :_power cmd /sbin/poweroff +permit nopasss :_power cmd /sbin/reboot +``` + +## Adding a user + +Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, groups and more: + +``` +# setup-user -g wheel,_power +# passwd +``` + +If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with: + +``` +# passwd -l root +``` + +and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`: + +``` +root:x:0:0:root:/root:/sbin/nologin +``` + +## User services + diff --git a/mkdocs.yml b/mkdocs.yml index 2daeda2..251e5cd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -14,7 +14,7 @@ theme: - media: "(prefers-color-scheme: light)" scheme: default primary: white - accent: teal + accent: blue toggle: icon: material/brightness-7 name: Switch to dark mode @@ -79,7 +79,7 @@ nav: - 'Logging': alpine-server-setup/post-install/logging.md - 'Swap': alpine-server-setup/post-install/swap.md - 'Users': alpine-server-setup/post-install/users.md - - 'Podman': alpine-server-setup/post-install/podman.md + - 'Containers': alpine-server-setup/post-install/containers.md - 'Void-desktop setup': - void-desktop-setup/index.md
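Review bot: the logging.md hunk tells the reader to look in `/var/log/messages`, but the only service it enables is `klogd` (`rc-update add klogd boot`); `/var/log/messages` is written by a syslog daemon, which this page never adds, and the `rc_logger="YES"` output lands in a separate file (by default `/var/log/rc.log`) that the page does not mention. Either add the syslogd service next to `klogd` or state that a syslog service is assumed to be running already, and list the rc log path with the other two.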
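Review bot: the `apk-ample` section of repositories.md adds a third-party repository line but no step for installing that repository's signing key under `/etc/apk/keys/`; without the key, apk rejects the packages as untrusted, and the only workaround a reader will find is `--allow-untrusted`, which turns off signature verification for the whole operation. Add the key installation step (with the key's fingerprint so it can be checked out of band) before the `/etc/apk/repositories` line. Minor wording in the same hunk: "can result in faster breakage of your system" reads better as "is more likely to break your system".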
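Review bot: the security.md hunk only adds a comma, but its context line (the `cmdline="..."` block) carries `l1ft=flush`, which the kernel does not recognise; the parameter is `l1tf=flush`, so the L1TF mitigation setting is silently ignored as written. Since this change already touches the paragraph, fix the spelling here.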
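Review bot: in the new `/etc/doas.d/main.conf` block of the server users.md, `nopasss` is misspelled in both `_power` rules; doas refuses to run on a config it cannot parse, so every `doas` call fails, and the page then tells the reader to lock root with `passwd -l root` and `/sbin/nologin`, which would leave no way back to root. Change both lines to `permit nopass :_power cmd /sbin/poweroff` and `permit nopass :_power cmd /sbin/reboot`, and have the reader check the file with `doas -C /etc/doas.d/main.conf` before locking root rather than relying on "if you have checked that `doas` works". Two smaller points in the same hunk: `setup-user -g wheel,_power` depends on a `_power` group that nothing on this page creates (the desktop page's context line mentions creating it), so add an `addgroup -S _power` step before `setup-user`; and the trailing `## User services` heading is empty, so either fill it in or leave it out of this commit. The opening sentence also misuses the semicolon: "To run containers securely, in an environment with fewer privileges, a user is necessary."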
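Review bot: the `accent: teal` to `accent: blue` change in the first mkdocs.yml hunk is a theme tweak unrelated to the post-install documentation update named in the subject; split it into its own commit so the history stays searchable. The nav rename in the second hunk matches the `podman.md` to `containers.md` rename and is fine.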