container-server/setup/README.md

# Alpine Host Setup
Setup steps for an Alpine Linux container host running Docker Compose.
Download the standard ISO from https://alpinelinux.org/downloads/ and compare it against the SHA256 published on that page before booting it.
## live system
Boot from the downloaded ISO.
### setup-alpine
```sh
setup-alpine
```
- Keyboard: `us-us` (adjust if needed)
- Hostname: set it
- Network: `eth0`, `dhcp`, manual `n`
- Root password: set it
- Timezone: `Europe/Berlin` (adjust if preferred)
- Proxy: `none`
- apk mirror: `f` (detect the fastest automatically)
- User: add a non-root user; root login over SSH is disabled below, so this is the account you will log in with
- SSH server: `openssh`
- Select disk: `sda` (depends on your system)
- Disk setup: `lvm`, then `sys`
- Erase disk: `y`

**Set up LVM (see next step) before rebooting!**
### LVM
https://wiki.archlinux.org/title/LVM
```sh
# the live system lacks the tools for resizing LVs and ext4; install them (not persisted)
apk add lvm2-extra e2fsprogs-extra device-mapper
# list existing LVs
lvs
# resize existing LVs; -r resizes the ext4 filesystem together with the LV
# (a shrink needs the filesystem unmounted, which it is in the live system)
lvresize -L <SIZE>G [-r] /dev/vg0/<LV>
# create missing LVs; the last one takes whatever is left in vg0
lvcreate -L <SIZE>G -n <LV NAME> vg0
lvcreate -l 100%FREE -n <LV NAME> vg0
# create a filesystem on each newly created LV
mkfs.ext4 /dev/vg0/<LV>
```
```
LV             LSize   Mount
lv_root        8.00g   /
lv_logs        4.00g   /var/log
lv_containers  20.00g  /var/lib/containers
lv_swap        =RAM    swap
lv_srv         =REST   /srv
```
`=RAM`: same size as the machine's memory. `=REST`: whatever is left in vg0, so create this one last.
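As an added example (not part of this repository), a small script that turns the table above into the `lvresize`/`lvcreate`/`mkfs` commands, prints them for review and only runs them when you pipe the output into `sh`. It assumes the volume group is called `vg0` and that setup-alpine already created `lv_root` and `lv_swap`, which is why those two are resized rather than created; `lvresize` refuses to resize an LV that already has the requested size, so drop such a line while reviewing.

```sh
#!/bin/sh
# Added example, not part of this repository: generate the LVM commands for the
# layout table. Assumes vg0 and that lv_root and lv_swap exist from setup-alpine.

# name, size, mount point; "RAM" = same size as memory, "REST" = whatever is
# left, which is why lv_srv must come last.
LAYOUT='
lv_root        8G    /
lv_logs        4G    /var/log
lv_containers  20G   /var/lib/containers
lv_swap        RAM   swap
lv_srv         REST  /srv
'

# ram_gib MEMINFO: MemTotal from a /proc/meminfo-style file, rounded up to GiB
ram_gib() {
  awk '/^MemTotal:/ { printf "%d\n", ($2 + 1048575) / 1048576 }' "$1"
}

# plan VG "EXISTING LVS" MEMINFO: print the commands needed to reach LAYOUT.
# EXISTING LVS is a space-separated list of LV names that are already present.
plan() {
  vg=$1 existing=" $2 " meminfo=$3
  printf '%s\n' "$LAYOUT" | while read -r lv size mount; do
    [ -n "$lv" ] || continue
    case $size in
      RAM)  size="$(ram_gib "$meminfo")G" ;;
      REST) size=100%FREE ;;
    esac
    case $existing in
      *" $lv "*)
        if [ "$mount" = swap ]; then
          # swap has no filesystem to grow: recreate the signature after resizing
          echo "swapoff /dev/$vg/$lv"
          echo "lvresize -L $size /dev/$vg/$lv"
          echo "mkswap /dev/$vg/$lv"
        elif [ "$size" = 100%FREE ]; then
          echo "lvextend -l +100%FREE -r /dev/$vg/$lv"
        else
          # -r resizes the ext4 filesystem with the LV (a shrink needs it unmounted)
          echo "lvresize -L $size -r /dev/$vg/$lv"
        fi ;;
      *)
        if [ "$size" = 100%FREE ]; then
          echo "lvcreate -l 100%FREE -n $lv $vg"
        else
          echo "lvcreate -L $size -n $lv $vg"
        fi
        if [ "$mount" = swap ]; then
          echo "mkswap /dev/$vg/$lv"
        else
          echo "mkfs.ext4 /dev/$vg/$lv"
        fi ;;
    esac
  done
}

# Usage on the live system (review the output before running the second line):
#   plan vg0 "$(lvs --noheadings -o lv_name vg0 | tr -s ' \n' ' ')" /proc/meminfo
#   plan vg0 "$(lvs --noheadings -o lv_name vg0 | tr -s ' \n' ' ')" /proc/meminfo | sh -e
```

The plan is deliberately printed rather than executed: on the live system there is no undo for a wrong `lvresize`, and reviewing ten lines is cheap.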
## Reboot into installed system
Remove the boot ISO or reorder the boot devices. Reboot via hard reset: the qemu-guest-agent is not installed yet, so a graceful reboot from the hypervisor does not work at this point.
### SSHD
```sh
vi /etc/ssh/sshd_config
```
- `Port 222` (the awall `ssh` policy below must allow this port, not 22)
- `PermitRootLogin no` (log in as the user created in setup-alpine; keep the current session open and test a fresh login on the new port before closing it)
- `AllowTcpForwarding yes`
Run `sshd -t` to check the syntax before restarting:
```sh
service sshd restart
```
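An added example (not from this repository) that checks a `sshd_config` for the three settings above before the restart. The point it demonstrates: sshd uses the first value it meets for a keyword, so a `PermitRootLogin no` appended below an existing `PermitRootLogin yes` changes nothing, and a keyword that is absent falls back to the sshd default (`prohibit-password` for `PermitRootLogin`). On the host itself `sshd -T` prints the effective values and is authoritative; the script is for checking the file offline.

```sh
#!/bin/sh
# Added example, not part of this repository: offline check of an sshd_config.
# Keywords are case-insensitive, "Key value" and "Key=value" are both valid, the
# first occurrence wins, and everything after a "Match" line is conditional and
# therefore skipped here.

# effective KEY FILE: print the value sshd would use for KEY (empty = not set)
effective() {
  awk -v key="$1" '
    BEGIN { key = tolower(key) }
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }                # blank or comment
    { k = line; sub(/[ \t=].*$/, "", k); k = tolower(k) }
    k == "match" { exit }                             # conditional section begins
    k == key { sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line); print line; exit }
  ' "$2"
}

# check FILE: print each setting whose effective value differs from the target,
# using the sshd_config(5) defaults for absent keywords; exit 1 on any problem
check() {
  rc=0
  for want in "port 222" "permitrootlogin no" "allowtcpforwarding yes"; do
    key=${want%% *} expect=${want#* }
    got=$(effective "$key" "$1")
    if [ -z "$got" ]; then
      case $key in
        port) got=22 ;;
        permitrootlogin) got=prohibit-password ;;
        allowtcpforwarding) got=yes ;;
      esac
    fi
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$expect" ]; then
      echo "$key: effective value '$got', want '$expect'"
      rc=1
    fi
  done
  return $rc
}

# Usage: check /etc/ssh/sshd_config && sshd -t && service sshd restart
```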
### sudo
```sh
apk update && apk add sudo
visudo
```
Uncomment `%wheel ALL=(ALL:ALL) ALL` to allow members of the `wheel` group to use sudo. The user has to be in that group (check with `id <username>`), otherwise sudo refuses.
## From here on you can use ssh and sudo
```sh
ssh -p 222 <username>@<hostname>
sudo -i # use only for setup, it's not good practice to use a root shell!
```
### Installed Packages
Enable the community repository (uncomment its line):
```sh
vi /etc/apk/repositories
```
Install the needed packages. Check and adjust to your needs. If `apk upgrade` pulls in a new kernel, reboot before continuing with the awall step.
```sh
apk update && apk upgrade && apk add \
gettext \
awall \
curl \
docker \
docker-zsh-completion \
git \
htop \
nano \
qemu-guest-agent \
sudo \
tree \
wireguard-tools \
zsh
```
### zsh
```sh
nano /etc/passwd
```
- Change the login shell of the desired user to `/bin/zsh`.
#### ohmyzsh
https://ohmyz.sh/#install
```sh
sh -c "$(wget https://raw.github.com/ohmyzsh/ohmyzsh/master/tools/install.sh -O -)"
```
This runs a script fetched over the network straight away; if you do not want to execute unreviewed remote code, save it to a file, read it, then run it.
- Theme: amuse (in `~/.zshrc`)
- `export EDITOR=nano` (in `~/.zshrc`)
### fstab
```sh
nano /etc/fstab
```
fstab content:
```
/dev/vg0/lv_root /ext4 rw,relatime 0 1
/dev/vg0/lv_logs /var/log ext4 rw,relatime 0 2
/dev/vg0/lv_containers /var/lib/containers ext4 rw,relatime 0 2
/dev/vg0/lv_srv /srv ext4 rw,relatime 0 2
```
`/var/log` can safely carry `nodev,nosuid,noexec`; leave `/var/lib/containers` without `noexec`, Docker has to execute binaries from image layers there.
To mount all:
```sh
mount -a
```
Then compare the `mount` output with the table; LVM volumes show up there as `/dev/mapper/vg0-<LV>`.
### ntp
```sh
rc-update add ntpd
service ntpd start
```
### checkout repo
```sh
cd /opt
git clone <this repo's url>
```
### awall
https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-awall-on-alpine-linux/
https://github.com/alpinelinux/awall/blob/master/README.md
https://ipset.netfilter.org/iptables-extensions.man.html#lbAO
If `awall activate` fails with `modprobe: FATAL: Module ip_tables not found...`, the kernel you are running was replaced on disk by `apk upgrade` and its module directory is gone: reboot into the new kernel and retry.
```sh
cd /etc/awall/optional
ln -vs /opt/container-server/setup/awall/* .
awall enable {default,ssh,http}
awall activate
```
`awall enable` only marks policies; `awall activate` renders and loads the rules, asks for confirmation and rolls them back if none arrives in time, which is what saves the session if the `ssh` policy does not open TCP 222 (the port set above). `awall list` shows which policies are enabled.
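The policy files in `setup/awall/` are not shown on this page. As an added illustration (not the repository's own policies), one self-contained policy that does what the three enabled ones are expected to do together: drop inbound traffic by default, allow outbound, open TCP 222 for SSH with a connection-rate limit, and open HTTP/HTTPS. The interface name `eth0`, the rate limit and the file layout (one file instead of `default`, `ssh`, `http`) are assumptions.

```json
{
  "description": "Constructed example: default drop, SSH on 222, HTTP/HTTPS",
  "zone": {
    "internet": { "iface": "eth0" }
  },
  "policy": [
    { "in": "internet", "action": "drop" },
    { "out": "internet", "action": "accept" }
  ],
  "filter": [
    {
      "in": "internet",
      "out": "_fw",
      "service": { "proto": "tcp", "port": 222 },
      "action": "accept",
      "conn-limit": { "count": 5, "interval": 60 }
    },
    {
      "in": "internet",
      "out": "_fw",
      "service": ["http", "https"],
      "action": "accept"
    }
  ]
}
```

`_fw` is awall's name for the host itself; the `service` for SSH is spelled out as `tcp/222` because the predefined `ssh` service means port 22. Saved as `/etc/awall/optional/<name>.json` it is enabled with `awall enable <name>` and loaded with `awall activate` like the policies above.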
### docker
https://wiki.alpinelinux.org/wiki/Docker
https://docs.docker.com/engine/logging/drivers/local/
```sh
mkdir -p /etc/docker
cd /etc/docker
ln -vs /opt/container-server/setup/docker/daemon.json .
rc-update add docker
service docker start
```
Docker's default data directory is `/var/lib/docker`; for the `lv_containers` volume to be used, the linked daemon.json has to set `data-root` to `/var/lib/containers`. Verify with `docker info --format '{{.DockerRootDir}} {{.LoggingDriver}}'` once the service is up. Only add users to the `docker` group if you would also give them root: access to the socket is root-equivalent.
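The repository's daemon.json is not reproduced on this page. As an added illustration (not the project's file), a daemon.json that matches the volume layout above and the linked `local` logging driver page; the size limits, `live-restore` and `no-new-privileges` are my choices, not the repository's.

```json
{
  "data-root": "/var/lib/containers",
  "log-driver": "local",
  "log-opts": {
    "max-size": "20m",
    "max-file": "5"
  },
  "live-restore": true,
  "no-new-privileges": true
}
```

`local` keeps size-capped, rotated logs per container, so a chatty container cannot fill `lv_containers`; `live-restore` keeps containers running across daemon restarts; `no-new-privileges` stops processes in containers from gaining privileges through setuid binaries, which breaks images that rely on `sudo` or a setuid `ping`, so drop it if such an image is needed. JSON has no comments, so `docker info` is the place to confirm that the values took effect.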
### docker-compose
https://docs.docker.com/compose/install/standalone/
The `docker-compose` in the system packages or from pip is outdated, so the release binary is installed by hand. If the community package `docker-cli-compose` (the `docker compose` v2 plugin) is recent enough for you, prefer it: apk keeps it updated and checks its signature. When downloading, pin a version instead of `latest` and verify the checksum published with the release; `-f` makes curl fail on an HTTP error instead of saving the error page as the binary.
```sh
curl -fSL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
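An added example (not from this repository) of the pinned, checksum-verified install. It assumes the release publishes a sha256sum-style `checksums.txt` next to the binary and that the pinned version `v2.24.5` exists; check the release page for the current names and versions.

```sh
#!/bin/sh
# Added example, not part of this repository: install a pinned Compose release
# only after its SHA-256 matches the published checksum file.
set -eu

COMPOSE_VERSION="${COMPOSE_VERSION:-v2.24.5}"   # assumed version; "latest" is a moving target
BASE="https://github.com/docker/compose/releases/download/$COMPOSE_VERSION"
ASSET="docker-compose-linux-x86_64"

# verify_sha256 FILE SUMS: succeed only if FILE's SHA-256 equals the entry for
# its base name in SUMS ("<hex>  <name>" lines, a leading "*" marks binary mode)
verify_sha256() {
  file=$1 sums=$2
  expected=$(awk -v name="$(basename "$file")" \
    '{ sub(/^\*/, "", $2) } $2 == name { print $1 }' "$sums")
  [ -n "$expected" ] || { echo "no checksum entry for $(basename "$file")" >&2; return 1; }
  actual=$(sha256sum "$file" | awk '{ print $1 }')
  [ "$actual" = "$expected" ] || { echo "checksum mismatch for $file" >&2; return 1; }
}

# install_compose: download binary and checksum file, verify, then install
install_compose() {
  tmp=$(mktemp -d)
  # -f: fail on HTTP errors instead of writing an error page into the "binary"
  curl -fsSL "$BASE/$ASSET" -o "$tmp/$ASSET"
  curl -fsSL "$BASE/checksums.txt" -o "$tmp/checksums.txt"
  verify_sha256 "$tmp/$ASSET" "$tmp/checksums.txt"
  install -m 0755 "$tmp/$ASSET" /usr/local/bin/docker-compose
  rm -rf "$tmp"
}

# Usage: install_compose
```

The checksum only proves the binary is the one GitHub serves for that release, not that the release itself is trustworthy; the gain over the one-liner above is that a truncated download, a proxy error page or a swapped asset no longer ends up executable in `PATH`.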
### mta
Allow the system to send mail (cron output and alerts):
```sh
setup-mta
```
Set the outgoing mail server to `localhost`.
### cron
Link the cron scripts:
```sh
mkdir -p /etc/periodic/always/
for part in /opt/container-server/setup/cron/*; do
ln -vs "$part"/* "/etc/periodic/${part##*/}/"
done
```
Update the root crontab:
```sh
crontab -e
```
Add as the first line: `MAILTO=cron@<your domain>`
Add the cron entry: `* * * * * run-parts /etc/periodic/always`
The other `/etc/periodic/*` directories are already in Alpine's default root crontab. `run-parts` silently skips entries that are not executable.
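An added check (not from this repository) for the linked scripts: symlinks point back into `/opt/container-server`, so a moved or renamed repository leaves dangling links, and `run-parts` skips files without the execute bit without saying so. The function lists both kinds of problem under a `/etc/periodic`-style tree.

```sh
#!/bin/sh
# Added example, not part of this repository: report entries under
# DIR/<interval>/ that run-parts would skip (not executable) or that would
# fail (dangling symlink). Assumes busybox run-parts, which ignores
# non-executable entries.

# periodic_lint DIR: one problem per line, exit status 1 if any were found
periodic_lint() {
  rc=0
  for f in "$1"/*/*; do
    [ -e "$f" ] || [ -L "$f" ] || continue      # unmatched glob on an empty directory
    if [ -L "$f" ] && [ ! -e "$f" ]; then
      echo "dangling: $f"; rc=1
    elif [ ! -x "$f" ]; then
      echo "not executable: $f"; rc=1
    fi
  done
  return $rc
}

# Usage: periodic_lint /etc/periodic
```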
### cgroup mode
To let Woodpecker CI build Dockerfiles, switch OpenRC to the unified cgroup hierarchy (cgroup v2): set `rc_cgroup_mode="unified"` in `/etc/rc.conf` and reboot.
```sh
nano /etc/rc.conf
reboot
```
Afterwards `grep cgroup2 /proc/mounts` should show `cgroup2` mounted on `/sys/fs/cgroup`.
### memory overcommit
https://redis.io/docs/latest/develop/get-started/faq/#background-saving-fails-with-a-fork-error-on-linux
https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
Redis wants `vm.overcommit_memory = 1`; otherwise its background save can fail with a fork error when memory is tight (the second link explains the modes).
```sh
cd /etc/sysctl.d
ln -vs /opt/container-server/setup/sysctl.d/* .
```
The `sysctl` service applies these at boot; apply them now with `rc-service sysctl restart` and confirm with `sysctl vm.overcommit_memory`.