Alpine Linux: installing SSH

Setting up an SSH server


Overview

This article provides a short overview of SSH on Alpine Linux.

OpenSSH

OpenSSH is a popular SSH implementation for encrypted remote login to a machine. OpenSSH provides sshd as the server daemon and ssh as the client program.

The openssh package provides OpenSSH on Alpine Linux.

Installation

Install the openssh package:

apk add openssh

Service commands

Enable the sshd service so that it starts at boot:

rc-update add sshd

List services to verify sshd is enabled:

Start the sshd service immediately and create configuration files:

Fine tuning

You may wish to change the default configuration. This section describes some of the configuration options as examples, however it is by no means an exhaustive list. See the manual for full details.

The fine-tuning is done by editing /etc/ssh/sshd_config. Any line starting with "#" is ignored by sshd.

Other configuration options are shown in /etc/ssh/sshd_config. The file includes comments that explain many of the options.

Firewalling and Port Changes

By default, sshd will communicate on TCP port 22.

Sometimes 22/tcp is blocked by a firewall over which you have no control. Changing the Port option to an unused port number in /etc/ssh/sshd_config may be useful in this situation.

Restart sshd after making modifications to the configuration file:
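The edit-then-restart step above is where a typo in sshd_config can lock you out of a remote box. The following is an added example (not from the wiki page) that sets options in a copy of the file without duplicating directives, reads back the effective value, and only restarts sshd after "sshd -t" has accepted the file; the sample config is constructed and lives in a scratch file, not in /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the wiki: change sshd_config options in place without
# duplicating directives, then validate the result before the daemon is restarted.
# The demo writes to a constructed scratch copy, never to /etc/ssh/sshd_config.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY, whether active or commented out ("#Port 22"),
# and appends the directive when the file has none. Other lines are left alone.
set_sshd_option() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            !done && $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)") {
                print k " " v; done = 1; next
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: prints the active value (first match wins, as in sshd)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# restart_if_valid FILE: "sshd -t" parses the config; a broken file is never
# pushed to a running daemon, which would lock you out of a remote box.
restart_if_valid() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1" || return 1
        if command -v rc-service >/dev/null 2>&1; then rc-service sshd restart; fi
    fi
}

# demo: constructed sample resembling the commented defaults shipped by OpenSSH
demo() {
    tmp=$(mktemp)
    printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$tmp"
    set_sshd_option "$tmp" Port 2222                  # moved port, as in the Firewalling section
    set_sshd_option "$tmp" PasswordAuthentication no  # key-based logins only
    set_sshd_option "$tmp" MaxAuthTries 3             # appended: not present in the sample
    cat "$tmp"
    rm -f "$tmp"
}
demo
```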

Dropbear

Dropbear is another open source SSH implementation. Install dropbear through the Alpine setup scripts, or manually with:

apk add dropbear

rc-service dropbear start

Add it to the default runlevel:

rc-update add dropbear

Use the following command to check all available server options:

The config file is located at /etc/conf.d/dropbear.

Dropbear also includes an SSH client, dbclient, which in its simplest form can be used like this:

(where x.x.x.x is the IP address of the remote machine).

Use dbclient -h to see all available options.


Replacing non-Alpine Linux with Alpine remotely


With VNC access

Download an Alpine ISO that boots from RAM, e.g. alpine-virt.

Flash the image to the drive of your server, e.g. /dev/sda.

Reboot and log in again over VNC as root. Alpine is now running from RAM and should have mounted /dev/sda on /media/sda; copy its contents into RAM.

Also copy the kernel modules, which are located in /.modloop.

Unmount modloop and the media folder.

Move the files back into place.

Finally, you can format the disk to install Alpine.

Or just run the whole setup.

Without VNC access

  • SSH access to the remote box (needs to have SSH server running)
  • Alpine Linux supported hardware
  • Adventurous mind
  • Nerves of steel

These instructions are based on a Debian (physical) server, and all steps are performed while logged into the machine. So you should start with a machine that has SSH running.

Create apk overlay suitable for hard disk based tmpfs boot

The first step is to create an Alpine configuration overlay with the basic configuration of the host. The new box must bring up networking and sshd early so that we can reconnect to it after the reboot.

Create basic layout for the overlay:

You can also use the default Alpine configuration files. In this case you must authenticate with an SSH key, since the root password is empty and sshd does not accept empty passwords.

If you want to keep the existing host identity (e.g. the SSH host keys), you can copy them over:

Copy over your SSH authorized_keys and make sure it is included in future overlays:

Find out which shell is used for root:

If it is /bin/ash, you are good. If not, edit etc/passwd and change it to /bin/ash.

Create etc/network/interfaces with network configuration (unless it was previously copied over). It should look something like:

Since Alpine 3.13 it must be:

Make sure there is no trailing whitespace at the ends of lines in the interfaces file; BusyBox ifup is very picky.

Make sure etc/resolv.conf exists; if not, create it with a nameserver configuration like:

Create the apk world (etc/apk/world) with essential packages:

Double check the IP configuration and ssh keys.

Finally, make the essential services start up automatically and create the overlay file:

Verify the overlay with "tar tzf" to see that it contains everything in the proper places, and ensure the overlay file is in the / directory.
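The overlay steps above (runlevel symlinks, world file, authorized_keys, host keys, tarball, "tar tzf" check) as one script. This is an added example, not the wiki's own code: it assembles the overlay in a scratch directory, refuses to pack it while the network config, resolv.conf or authorized_keys are missing, and verifies the tarball listing; the package list and the lbu include-list path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the wiki: assemble the overlay described above in a
# scratch directory, pack it as HOSTNAME.apkovl.tar.gz and verify it with
# "tar tzf". It refuses to pack while the network config or authorized_keys are
# missing, because those are what let you back in after the reboot. The package
# list and the lbu include-list path are assumptions of this example.
set -eu

# enable_service OVL RUNLEVEL NAME: the same symlink rc-update would create
enable_service() {
    mkdir -p "$1/etc/runlevels/$2"
    ln -sf "/etc/init.d/$3" "$1/etc/runlevels/$2/$3"
}

# copy_host_identity SRC OVL: reuse the existing host keys (SRC is usually
# /etc/ssh) so clients do not see a changed fingerprint after the reboot
copy_host_identity() {
    mkdir -p "$2/etc/ssh"
    for k in "$1"/ssh_host_*_key "$1"/ssh_host_*_key.pub; do
        if [ -f "$k" ]; then cp -p "$k" "$2/etc/ssh/"; fi
    done
}

# build_overlay OVL HOSTNAME OUTDIR: prints the path of the created tarball
build_overlay() {
    ovl=$1 host=$2 out=$3
    [ -s "$ovl/etc/network/interfaces" ] || { echo "missing etc/network/interfaces" >&2; return 1; }
    [ -s "$ovl/etc/resolv.conf" ] || { echo "missing etc/resolv.conf" >&2; return 1; }
    [ -s "$ovl/root/.ssh/authorized_keys" ] || { echo "missing root/.ssh/authorized_keys" >&2; return 1; }
    mkdir -p "$ovl/etc/apk/protected_paths.d"
    printf '%s\n' "$host" > "$ovl/etc/hostname"
    printf '%s\n' alpine-base openssh > "$ovl/etc/apk/world"   # essential packages (assumed list)
    # keep root's ssh dir in future lbu commits; lbu.list is the assumed include file
    printf '+root/.ssh\n' > "$ovl/etc/apk/protected_paths.d/lbu.list"
    chmod 700 "$ovl/root/.ssh"
    chmod 600 "$ovl/root/.ssh/authorized_keys"
    enable_service "$ovl" boot networking
    enable_service "$ovl" boot hostname
    enable_service "$ovl" default sshd
    tarball="$out/$host.apkovl.tar.gz"
    tar -czf "$tarball" -C "$ovl" etc root
    echo "$tarball"
}

# verify_overlay TARBALL: the "tar tzf" check from the text, made explicit
verify_overlay() {
    listing=$(tar tzf "$1")
    for p in etc/hostname etc/network/interfaces etc/resolv.conf etc/apk/world \
             etc/runlevels/boot/networking etc/runlevels/default/sshd \
             root/.ssh/authorized_keys; do
        echo "$listing" | grep -qx "$p" || { echo "overlay lacks $p" >&2; return 1; }
    done
}
```

Run copy_host_identity /etc/ssh OVL before build_overlay on the real box; in the test below the overlay input is constructed.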

Install Alpine cd-rom image on hard disk

We need to copy over two sets of information: the boot data (kernel, initramdisk and boot configuration) and the operating system data (overlay, apk packages and kernel modules). These can reside on the same partition if they fit. However, /boot is usually small, so you might want to put the apks on a separate partition. This guide assumes they are on sda1 (/boot) and sda2 (/), both with ext3 filesystems. If you don't have ext3 on / or /boot, you might be able to disable swap, reformat the swap partition as ext3 and use that.

Download an Alpine ISO and mount it, for example:

Copy the apkovl and the contents of the CD-ROM image to the root of the current installation:

Next we make the Alpine Linux kernel bootable (requires syslinux) and use fdisk to mark the /boot partition as bootable (if not done already):

Make sure that the /boot directory has a symlink pointing to itself. This handles the case where /boot is on a separate partition.

Create /boot/extlinux.conf with contents like (check the filesystem type for alpine_dev; kernel and initrd are relative to partition root):

From Alpine Linux 2.1 you can use the UUID of the partition that holds the apkovl and the apks directory (the current root). Use blkid to get the proper UUID. Using the UUID solves the problem of multiple disks, where we do not know how the kernel will enumerate them after boot. Example extlinux.conf:


[Comment added by IceCodeNew]

I tried this instruction on Ubuntu 20.04, and I’m installing Alpine-virt 3.13.2.

I found there is no such file named `*/syslinux/mbr.bin`, but even if I skip the step that issues `dd if=/usr/share/syslinux/mbr.bin of=/dev/sda`, the machine was able to boot Alpine without problems.

Here is the extlinux.conf I use (since there are lots of files that had been renamed):

Finally make the /boot partition bootable by extlinux.

(Tested on 2.1.2 and higher) Make sure:

  • grsec.cmg is on /
  • [something].apkovl.tar.gz is on /
  • grsec.gz is on /boot
  • The alpine_dev UUID value points to whatever is currently /
  • the partition for /boot is flagged as bootable
  • the output of extlinux was for the partition currently mounted at /boot

Install Alpine on hard-disk

Reboot the box and wait for it to come alive again. If it does not, tough luck; so practice first on a local box with hardware as identical as possible.

Once back in the box, we are running Alpine Linux from tmpfs. Now just do a regular installation of Alpine from the network over the SSH connection.

Edit /etc/apk/repositories to contain your favorite Alpine mirror or just:

After the hard disk setup is complete, copy the SSH authorized_keys to the hard disk.

Reboot once more, and you have the server with native Alpine hard disk installation.


Semi-Automatic Installation

If you're here, it's because you want to install Alpine semi-automatically, or because you ran into issues (whether in scope or otherwise) with setup-alpine. Either way, this section of the handbook describes, step by step, how to get a system up and running. In this section you will find the usage of the various setup-* utilities, as well as explanations of what they do.

Keyboard Layout

Keyboard layout is controlled by the loadkmap service. In /etc/conf.d/loadkmap a variable (KEYMAP) is defined. The file named in this variable is the keymap that will be loaded.

The various keymaps are available in the package kbd-bkeymaps and are located in /usr/share/bkeymaps. Inside that directory are multiple directories with the global categories for keymaps (e.g. us and ca for United States and Canada respectively). Within those directories are the local variants of each keymap category. For example, to have the common keyboard type, you would use /usr/share/bkeymaps/us/us.bmap.gz.

One easy way to select the keymap is by using setup-keymap. Simply running it will make it go over the various available keymaps, prompt you for which one you want to use, and then configure loadkmap for you. It will also remove the kbd-bkeymaps package after choosing the keymap and copying it into a different directory. Alternatively, if you already know what keymap you want (for example, the us/us.bmap.gz from before), you can pass that information to setup-keymap.

This copies and uses /usr/share/bkeymaps/us/us.bmap.gz.

Hostname

Your hostname is the name of your computer. It is important that hostnames on your local area network be unique. If you need recommendations as to what to make your hostname, you can refer to RFC 1178.

The primary hostname setting is whatever the contents of /etc/hostname are. However, there are some common restrictions as to what it should or shouldn’t be (also listed in the RFC mentioned above). As such, you can use setup-hostname to make the process safer. You can either invoke it with no arguments to be prompted, or you can run it with an argument to set your hostname.

For example, if you want your hostname to be "alpine", you might run it like so:

This sets the machine's hostname to "alpine".

Note, however, that this will not populate /etc/hosts, your local hardcoded DNS cache. If you want to accelerate some loopback operations, you can modify that file too. For example, if you were to set your hostname to "alpine", with no particular domain for your network (if you have one of those, you likely do not need these instructions), your /etc/hosts file could look like so:

With that done, you should apply the hostname using either rc-service hostname restart or /etc/init.d/hostname restart.

Networking

Before you configure the rest of the system, you should set up networking. This will allow you, for instance, to fetch bootloaders, configure sshd (to continue this setup from the comfort of a different, graphically-enabled machine), and other such desirable features.

Configure Wireless Networking

If your system does not have an ethernet port (or connection) available, you will need to set up wireless connectivity. It is strongly recommended that you try to avoid this.

However, in the scenario that you have no choice, before you can configure the network, you must establish a connection to it.

To do so, it is recommended that you use the setup-interfaces utility. In it, you should select your wireless interface when prompted (it will usually be called something like wlan0) and answer the questions (for more details on that, see the next section).

This will not persist across a reboot. However, if you wish to continue using a similar method, you may use rc-update add wpa_supplicant boot. It is still recommended to get a more complete solution, such as wpa_cli. You can find guides around various wireless networking management solutions (including wpa_cli and NetworkManager) over on the wiki.

In most cases, you will want to use DHCP. If you are on a professional network, or have a common home router, you very likely have it available. It is also very common on networks in general. DHCP will allocate an IP address to your system, give it a nameserver for DNS queries, and will generally greatly decrease the amount of work required. For a typical DHCP setup, you can set it up quickly by running setup-interfaces -a (the "a" stands for "auto").

Do not do this if you are using a wireless network.

In case this doesn't work (or you're on a wireless network), you may need to run it without the "a" flag. In such a scenario, the script will ask you questions about your network topology, which you can answer.

Static IP

In some cases, your network will not have DHCP available. In that scenario, you will need to edit /etc/network/interfaces and /etc/resolv.conf on your own. If you ran setup-interfaces, it will have asked you if you want to do any manual editing of the network configuration. You may answer yes there, or simply edit both files manually.


The default (DHCP-style) /etc/network/interfaces file will look something like this:

To specify your own network details, you will need to find the following:

  • The address your system should have (it must not be taken yet)
  • The gateway address
  • The network subnet mask (in most networks, this is 255.255.255.0)

You should be able to ask your network administrator for most of these. In this example, we have determined that your system should have the IP 192.168.0.147, the gateway is at 192.168.0.1 and the subnet mask is 255.255.255.0. In that scenario, the /etc/network/interfaces file should look like so:

If you did not end up using DHCP, you will also need to set up DNS. This is done by editing the /etc/resolv.conf file. In most cases, you can use 1.1.1.1, 8.8.8.8 or 9.9.9.9 as your DNS server. Often, your router will also provide one for use. In case of confusion, you can also ask your network administrator.

Here is an example /etc/resolv.conf file, that uses both the 1.1.1.1 and 8.8.8.8 nameservers.

Alternatively, you can use the setup-dns script.

Currently, setup-dns asks for a domain name. Feel free to leave the answer blank, as it is optional.
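The static configuration described above, as an added example rather than the handbook's own files: it writes /etc/network/interfaces and /etc/resolv.conf from the values given in the text (192.168.0.147, 255.255.255.0, 192.168.0.1, nameservers 1.1.1.1 and 8.8.8.8), but first checks that the address and gateway actually share the subnet, and afterwards that no line carries trailing whitespace. The interface name eth0 and the scratch target directory are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the handbook's own file: write the static
# /etc/network/interfaces and /etc/resolv.conf from the values in the text,
# after checking that the address and gateway really share the subnet and that
# no line ends in whitespace (busybox ifup rejects that). The demo writes into
# a scratch directory instead of the real /etc.
set -eu

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet ADDR GATEWAY MASK: true when both land in the same network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# write_static_network DIR IFACE ADDR MASK GATEWAY DNS...
# A gateway outside the subnet is the classic typo that leaves the box
# unreachable after reboot, so it is refused before anything is written.
write_static_network() {
    dir=$1 iface=$2 addr=$3 mask=$4 gw=$5
    shift 5
    same_subnet "$addr" "$gw" "$mask" || {
        echo "gateway $gw is not in the subnet of $addr/$mask" >&2; return 1; }
    mkdir -p "$dir/etc/network"
    {
        printf 'auto lo\niface lo inet loopback\n\n'
        printf 'auto %s\niface %s inet static\n' "$iface" "$iface"
        printf '\taddress %s\n\tnetmask %s\n\tgateway %s\n' "$addr" "$mask" "$gw"
    } > "$dir/etc/network/interfaces"
    : > "$dir/etc/resolv.conf"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns" >> "$dir/etc/resolv.conf"
    done
}

# check_no_trailing_ws FILE: fails if any line ends in a space, tab or CR
check_no_trailing_ws() { ! grep -q '[[:space:]]$' "$1"; }

# demo with the handbook's example values, written to a scratch directory
demo_dir=$(mktemp -d)
write_static_network "$demo_dir" eth0 192.168.0.147 255.255.255.0 192.168.0.1 1.1.1.1 8.8.8.8
check_no_trailing_ws "$demo_dir/etc/network/interfaces"
cat "$demo_dir/etc/network/interfaces" "$demo_dir/etc/resolv.conf"
```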

Applying Configuration

Once all of the above is accounted for, you can now start the networking configuration. This is done by running rc-service networking start. If desired, you can also set it to load during boot, using rc-update add networking boot.

Timezone

Unless you live in the GMT timezone, you may be interested in having your device know where you (or it) is located, time-wise. On musl, the timezone is defined by the TZ environment variable, which should either contain a POSIX-style timezone, directly point at a file, or name a standard Area/SubArea definition, which must be found under /usr/share/zoneinfo, /share/zoneinfo or /etc/zoneinfo.

You can get /usr/share/zoneinfo by installing the tzdata package. You can see the available Areas by looking in that directory, and the available SubAreas by looking into your chosen Area's directory. Once chosen, you may either keep the package installed, or you may copy your chosen file into /etc/zoneinfo.

It is recommended that you keep the package installed.

For example, if your chosen area is America/New_York, you would run this:

Finally, you will need to add the TZ environment variable to your system. You can do this by running the following, with the same timezone example:

This step is primarily here to propagate the new setting to your current session.

Alternatively, you may use setup-timezone, which will copy the file over for you.

setup-timezone, as it is now, will not set up the TZ environment variable. It will instead pretend the timezone data is a localtime-style file. This is a technical difference that you likely do not need to worry about, but due to this difference it is recommended that you perform this step entirely by hand.

Repositories

If you want to be able to install packages, you're going to want to have some repositories. By default, your boot medium will come with a built-in repository that is on the boot medium itself. However, now that you have networking, you may wish to install packages outside the relatively small pool available on the boot medium. Repositories for the package manager (apk) are configured in a file named /etc/apk/repositories, and valid signing keys are located under /etc/apk/keys/. Your boot medium should come with valid pre-configured keys, but no external repositories. Currently, you can see the list of available mirrors and their status over at mirrors.alpinelinux.org.

Do not worry about the lack of "https" in the mirrors: all packages are signed, so as long as you do not add any untrustworthy keys, your package manager will refuse to install any illegitimate packages.

Here is an example /etc/apk/repositories file, that uses all stable repositories from the primary mirror of the latest release version:

Assuming your network configuration is done, you may also use the setup-apkrepos utility, which will fetch a list of valid repositories, and give you a choice between them (and options such as «random»).

Root Password

At this point, you should set up a root password. This is easy to do — simply run passwd and follow the prompts.

You will not see your own typing — this is normal, it is obscured to stop people from being able to peek at your screen, even if just to see the number of characters in your passwords.

SSH is very convenient to have — it means you can be in the comfort of your terminal emulator, rather than a raw getty (the full-screen emulator that shows up when booting up an alpine install medium). Now that we have networking, we can set up an ssh daemon.

There are currently two primary secure shell daemons available: openssh and dropbear. The latter is simpler, but has its own (incompatible) key format and can only be configured through command line arguments; as such, it is not recommended for beginners. You can install either one using apk add name, where name is either "dropbear" or "openssh". After that, you may want to start it, and possibly enable it, using rc-service sshd start and rc-update add sshd respectively (the OpenSSH service is named sshd; for Dropbear the service is named dropbear).

By default, you cannot use SSH to log in as root using a password.

Note that this can also be done for you by the setup-sshd utility — it will ask you which one you would like, install, start and enable it for you.

It may be useful to make sure that your clock is correct. This can be achieved by using an NTP daemon. Some of the common ones are chronyd and openntpd. You can install them by using apk add name, where name is the desired daemon. After that, you may want to start it, and possibly enable it, using rc-service name start and rc-update add name respectively.


Currently, chronyd is bugged. The bug in question is mostly cosmetic, but it may be alarming to a new user. As such, temporarily, it is recommended that you use the setup-ntp script and pick busybox.

Note that this can also be done for you by the setup-ntp utility — it will ask you which one you would like, install, start and enable it for you.

Partitioning Your Disk

setup-disk

The setup-disk utility can do the rest of this work for you. It will make a partition table on your hard drive, partition it as per a specification, format the partitions with filesystems, set up the base system, and install the bootloader. This section describes how to use it, as well as the various tweakables.

As it is currently, setup-disk should work for typical single-disk non-UEFI setups. If the defaults seem acceptable to you, feel free to use it. However, in other cases, it is recommended that you at least consider doing this (admittedly difficult) section of the installation by hand.

setup-disk also supports non-disk installations. These are not covered in this handbook.

Options and Settings

setup-disk is configured through command line arguments, as well as environment variables. In most cases, if you want setup-disk to do all the work for you, you should not need to specify anything beyond -m sys, as in setup-disk -m sys. This is an incomplete listing: it lacks anything mentioning non-disk installations, as well as anything overly complex (such as automatic lvm/raid). If you need those, head over to the manual or developer pages.

  • The filesystem to use on /boot. Defaults to ext4; also allows ext2, ext3, (flat) btrfs, xfs and vfat (required on UEFI).
  • The bootloader to use. Defaults to syslinux, but also allows grub, unless UEFI is used, in which case grub is required.
  • The size of /boot.
  • The type of partition table to use. Defaults to dos, but also allows gpt, unless UEFI is used, in which case gpt is required.
  • The filesystem to use on /. Defaults to ext4; also allows ext2, ext3, (flat) btrfs and xfs.
  • Enable this to force using UEFI.
  • The disk mode to use: you want -m sys.
  • Operate more quietly.
  • Specify the size of the swap partition.
  • Operate more verbosely.
  • The mounted root to install to.

Any missing information will be queried from you by setup-disk, so only change the above beyond -m if you explicitly want to override the defaults/questions.

In the scenario where the bootloader installation causes problems, see the sections that follow.

Parted

Parted is GNU’s PARTition EDitor. It is a very useful tool that’s capable of performing partition editing of various sorts — including the ones we’re interested in, both programmatically and interactively. Because of this, that is the utility we will be using in this section. Begin by installing it, using apk add parted .

This is also the part of the handbook in which you must determine whether you need (or want) to use UEFI. This decision will be left up to you, but you can determine whether or not you are currently booted using UEFI by checking if the /sys/firmware/efi folder exists. In case this is difficult, you may use the following snippet to get a direct answer:

Once you have decided, you must also choose the non-booting-related partitions you want to have (as the boot method will determine how the prior go). For beginners, making a big root partition is recommended, and that is what will be used in the examples that follow. If you know that you want something different, you should also know how to modify the examples.

We thus end up with 3 common options:

  • BIOS installation on an MS-DOS partition table
  • BIOS installation on a GPT partition table
  • UEFI installation on a GPT partition table

Other options exist, but they are for more advanced users. Using MS-DOS for the BIOS installation is more trivial, but comes with some limitations (only 4 partitions, maximum disk size of 2 TB), so both options are covered. It is also assumed that your disk is sufficiently large that small losses (e.g. making the ESP 1 GB) are not relevant for ease of installation. "Sufficiently large", in this case, is anywhere at or above 32 GB in total. If your disk is smaller, you are likely on a specialized device, and should either follow the automatic installation method mentioned previously, or perform a tmpfs-based install (which is not covered in this handbook). The following sections cover each of those options, so feel free to skip to the one chosen.

Also note that you may notice "swap" partitions mentioned as a flag. "swap" is not actually a flag, but a filesystem type. It is a pagefile, meant to supplement your system memory. It is recommended to make it up to 2x the size of your physical RAM, but it can be considered optional.

One of swap's common uses is the suspend-to-disk feature, often called "hibernation", which requires enough swap space to function.

In the following sections, you will see code such as this:

This is a shortcut/alias. The primary thing to worry about is /dev/sda: this must be the device you want to use for the installation.

Parted supports both interactive and non-interactive commands. This is the equivalent of running parted -a optimal /dev/sda, then entering mklabel msdos at the prompt, or entering mklabel at the prompt and answering msdos to the question that follows. How you perform the steps below is up to you.

BIOS + MS-DOS

Under a BIOS setup with an MS-DOS partition table, we can only have 4 primary partitions, and are limited to 2TB disks. Extended partitions are outside of the scope of this handbook. Under BIOS+MS-DOS, we can use the MBR for installing the bootloader, so we only need to worry about the actual data partitions. Here is an example partitioning scheme:
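An added example of such a scheme, not the handbook's own: it plans a boot, swap and root layout from the disk and RAM sizes, enforces the MS-DOS limits named above (four primary partitions, 2 TB), applies the "up to 2x RAM" swap guidance, and emits the equivalent non-interactive parted command; a wrapper runs it only against an unmounted block device. The disk /dev/sda, the 64 GiB disk size, 2 GiB RAM and 512 MiB boot partition in the demo are constructed values.

```shell
#!/bin/sh
# Added example, not the handbook's own scheme: plan a BIOS + MS-DOS layout
# (boot, swap, root) from the disk and RAM sizes, enforce the MS-DOS limits the
# text mentions, and only then hand the plan to parted in non-interactive mode.
# Sizes are MiB; /dev/sda and the sizes in the demo are constructed values.
set -eu

MSDOS_MAX_MIB=2097152      # 2 TiB, the MS-DOS partition table ceiling

# swap_mib RAM_MIB: the handbook's "up to 2x physical RAM" recommendation
swap_mib() { echo $(( $1 * 2 )); }

# plan_layout DISK_MIB RAM_MIB BOOT_MIB
# Prints one "name fstype start end" line per partition. Three primary
# partitions stay under the four the MS-DOS table allows; the bootloader
# itself goes in the MBR, so no partition is needed for it.
plan_layout() {
    disk=$1 ram=$2 boot=$3
    [ "$disk" -le "$MSDOS_MAX_MIB" ] || { echo "disk exceeds the MS-DOS 2 TB limit" >&2; return 1; }
    boot_end=$(( 1 + boot ))
    swap_end=$(( boot_end + $(swap_mib "$ram") ))
    [ "$swap_end" -lt "$disk" ] || { echo "disk too small for boot and swap" >&2; return 1; }
    printf 'boot ext4 1MiB %sMiB\n' "$boot_end"
    printf 'swap linux-swap %sMiB %sMiB\n' "$boot_end" "$swap_end"
    printf 'root ext4 %sMiB 100%%\n' "$swap_end"
}

# parted_script DEV DISK_MIB RAM_MIB BOOT_MIB: the parted command for the plan,
# equivalent to typing each sub-command at the interactive prompt
parted_script() {
    dev=$1; shift
    plan=$(plan_layout "$@") || return 1
    cmd="parted -s -a optimal $dev mklabel msdos"
    while read -r name fs start end; do
        cmd="$cmd mkpart primary $fs $start $end"
    done <<EOF
$plan
EOF
    echo "$cmd set 1 boot on"     # partition 1 carries the boot flag for the MBR loader
}

# apply_layout DEV DISK_MIB RAM_MIB BOOT_MIB: runs the script, but only against
# an unmounted block device, since this destroys whatever the disk holds
apply_layout() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    ! grep -q "^$1" /proc/mounts 2>/dev/null || { echo "$1 has mounted partitions" >&2; return 1; }
    sh -c "$(parted_script "$@")"
}

parted_script /dev/sda 65536 2048 512   # 64 GiB disk, 2 GiB RAM: only prints the plan
```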

