documentation/docs/alpine-server-setup/post-install/users.md

Users

To run containers securely, in an environment with fewer privileges than root, an unprivileged user is necessary.

Wheel

Before creating the user, install doas, which is used whenever root privileges are required:

# apk add doas

Configure doas through /etc/doas.d/main.conf:

permit persist :wheel as root

Adding a user

Adding a user in Alpine Linux can be done using the setup-user script. Here we can specify the name, groups and more:

# setup-user -g wheel,_power <username>
# passwd <username>

Make sure that the home dataset is decrypted and mounted before creating a user; otherwise the home directory is created on the root filesystem and is hidden once the dataset is mounted over it.

You may have to change the user's shell in /etc/passwd from /sbin/nologin to a shell listed in /etc/shells. Alpine Linux ships /bin/ash by default:

<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>

Once you have verified that doas works for the new user, lock the root account, since leaving it open with a password is a security risk. This can be done with:

# passwd -l root

and by editing /etc/passwd to change root's login shell from /bin/ash to /sbin/nologin:

root:x:0:0:root:/root:/sbin/nologin
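As an added example (not part of the original page), the following POSIX shell script checks the two properties this section relies on: which accounts still have an interactive login shell, and whether root is locked. The file paths are parameters so the functions can be pointed at the live /etc/passwd, /etc/shadow and /etc/shells or at copies; the sample files written by write_samples are constructed inline, and the hash in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original page: audit which accounts can log in
# interactively and confirm that root is locked. File paths are parameters so
# the functions can be run against copies (e.g. a backup) as well as the live
# /etc/passwd, /etc/shadow and /etc/shells.

# interactive_accounts PASSWD SHELLS
# Print the name of every account whose login shell is listed in SHELLS.
# Accounts with /sbin/nologin (not listed there) are skipped.
interactive_accounts() {
    awk -F: -v shells_file="$2" '
        BEGIN {
            while ((getline line < shells_file) > 0)
                if (line != "" && line !~ /^#/) valid[line] = 1
        }
        ($7 in valid) { print $1 }
    ' "$1"
}

# account_locked SHADOW NAME
# Exit 0 if NAME is locked: its password field starts with "!" (what
# "passwd -l" writes) or is "*". Exit 1 if it has a usable hash, 2 if absent.
account_locked() {
    awk -F: -v name="$2" '
        $1 == name { found = 1; locked = ($2 ~ /^[!*]/) }
        END { if (!found) exit 2; exit !locked }
    ' "$1"
}

# write_samples DIR
# Write constructed sample files into DIR. The shadow hash is a placeholder,
# not a real password hash.
write_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/ash
EOF
    cat > "$1/shadow" <<'EOF'
root:!::0:::::
bin:!::0:::::
alice:$6$PLACEHOLDER$notarealhash:19000:0:99999:7:::
EOF
    cat > "$1/shells" <<'EOF'
# valid login shells
/bin/sh
/bin/ash
EOF
}

# Stand-alone run against the constructed samples.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
echo "accounts with an interactive shell:"
interactive_accounts "$sample_dir/passwd" "$sample_dir/shells"
if account_locked "$sample_dir/shadow" root; then
    echo "root is locked"
else
    echo "WARNING: root is not locked"
fi
rm -rf "$sample_dir"
```

On a real host the same two calls would be `interactive_accounts /etc/passwd /etc/shells` and `account_locked /etc/shadow root` (reading /etc/shadow needs root, so run them through doas). The expected picture after this section is that only the new user appears in the first list and the second call succeeds.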

User services

The user gets its own init system for managing user containers and other user services. The runsvdir command from the runit init system provides this per-user init:

# apk add runit

Create /etc/init.d/runsvdir-user, the OpenRC script that starts the user's local init system:

#!/sbin/openrc-run

user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
    after mount-home
}

Make /etc/init.d/runsvdir-user executable:

# chmod +x /etc/init.d/runsvdir-user

Create a per-user symlink to /etc/init.d/runsvdir-user (the script takes the user name from the part of its own service name after the dot):

# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>

Finally, add the service to the manual runlevel:

# rc-update add runsvdir-user.<username> manual

This process can of course be repeated for several users.
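The OpenRC script above only starts runsvdir over /home/<username>/.local/service; it does not say what goes inside that directory. As an added example (not part of the original page), the POSIX shell script below builds one runit service directory in the layout runsvdir expects: a subdirectory with an executable run script that keeps the supervised command in the foreground, plus a down file so the service stays stopped until it is started explicitly. The function and service names are assumptions; a temporary directory stands in for the user's service directory.

```shell
#!/bin/sh
# Added example, not from the original page: build a runit service directory
# for an unprivileged user. runsvdir, started per user by the
# runsvdir-user.<username> OpenRC service, scans $HOME/.local/service and
# supervises every subdirectory that has an executable "run" script.

# make_user_service SVDIR NAME COMMAND
# Create SVDIR/NAME/run, which execs COMMAND in the foreground (runit needs the
# supervised process to stay attached, not daemonize), and SVDIR/NAME/down so
# the service does not start until "sv up SVDIR/NAME" is run explicitly.
# COMMAND is written into the script verbatim; pass it as one quoted string.
make_user_service() {
    svdir="$1"; name="$2"; cmd="$3"
    mkdir -p "$svdir/$name"
    {
        echo '#!/bin/sh'
        echo 'exec 2>&1'   # stderr follows stdout (to the supervisor or a log service)
        echo "exec $cmd"
    } > "$svdir/$name/run"
    chmod 755 "$svdir/$name/run"
    touch "$svdir/$name/down"
}

# service_ready SVDIR NAME
# Exit 0 if the directory looks valid to runsvdir: an executable run script.
service_ready() {
    [ -x "$1/$2/run" ]
}

# Stand-alone run: the directory the runsvdir-user OpenRC script on this page
# watches is /home/<username>/.local/service; a temporary directory stands in
# for it here, and the command is a constructed placeholder.
svdir=$(mktemp -d)
make_user_service "$svdir" heartbeat '/bin/sh -c "while :; do date; sleep 60; done"'
echo "created:"; ls -l "$svdir/heartbeat"
cat "$svdir/heartbeat/run"
rm -rf "$svdir"
```

Run it as the user (not as root), with SVDIR set to ~/.local/service, so the files are owned by the user that runsvdir runs as. Once runsvdir-user.<username> is running, `sv up ~/.local/service/<name>` starts the service and `sv status ~/.local/service/<name>` shows its state; delete the down file if the service should come up automatically whenever the user's init system starts.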

Mounting home

Before the user init system can be started, the home dataset has to be decrypted and mounted. This is partly automated by adding the mount to the manual runlevel.

Create /etc/init.d/mount-home:

#!/sbin/openrc-run

depend()
{
    need localmount
}

start()
{
    zfs load-key -L prompt tank/home
    zfs mount tank/home
}

stop()
{
    zfs unmount tank/home
    zfs unload-key tank/home
}

Make /etc/init.d/mount-home executable:

# chmod +x /etc/init.d/mount-home

Add the service to the manual runlevel:

# rc-update add mount-home manual

Now the scripts in the manual runlevel can be started in dependency order with:

# openrc -n manual

Note that after every reboot this command has to be run again to decrypt the home dataset and start the user services.