💾 Archived View for tilde.town › ~mio › log › 2021-11-27-kvm.gmi captured on 2023-07-22 at 16:18:06. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

---

date: 2021-11-27T16:09:00Z

---

Alpine crash course on KVM

Here's a quick and messy checklist for running Alpine Linux on a KVM VPS.

• SSH into the pre-installed OS and copy the network settings. They will be needed during network connection setup.

* Get an example IPv4 address, netmask and gateway: `ifconfig` or `ip link` * Get the default nameservers (or set your own): `cat /etc/resolv.conf`

• Get the link to a suitable ISO image for your server architecture from the Alpine Linux website, e.g. `alpine-virt-3.15.0-x86_64.iso`

• Log into the VPS control panel. The exact wording may differ, but most control panels for KVM/Xen will have these features.

* *ISO* > *Add ISO* and paste the ISO link to the Virtual image

* *List VPS* > *Manage* (next to the vps name) > *Settings* > *VPS Configuration*

* Temporarily change the boot order: *1) CD Drive 2) Hard Disk*

* Select ISO: (select the custom user ISO)

* Save and reboot the VPS

• Log into the VPS via VNC. Most control panels have a VNC address for external clients and/or a built-in web VNC client for system recovery.

• Get the CD drive and disk device names: `df -h`

* The CD drive usually has a name like `/dev/sr0` * Example of disk device name: `/dev/vda`

• Unmount the vda device: `umount /media/vda`

* This should be done before proceeding with the setup script, or it will fail during the disk partitioning with warnings about partitions not being found.

• Run the setup script: `setup-alpine`

* Example configuration for network setup:

* Available interface: eth0

* Ip address for eth0: (IPv4 address from ifconfig/ip link output)

* Netmask: (from ifconfig/ip link, e.g. 255.255.255.0)

* Gateway: (often .0 or .1 in the IPv4 address subnet, e.g. xxx.xxx.xxx.1)

* DNS nameserver(s): (enter IPs separated by commas)

* Make sure to get the network connection working or the disk setup will fail to download the utilities needed to partition the disk. If it is unable to update the repo list, it's very likely there is something wrong with the network setup — ctrl+c to exit the script and re-run the script while checking the connection details carefully.

* The `setup-disk` part of the script will create 3 partitions: boot (~105 MB), swap (~4173 MB) and root (fills the remaining space).

• Before rebooting the VPS, go back to the VPS control panel, revert the boot order back to: *1) Hard Disk 2) CD Drive*, set the ISO to *none* if you don't plan to reinstall again soon and save. Reboot from the control panel, as the VM may still be running on the previous boot order.

Additional setup

• Edit the list of repos:

* `vi /etc/apk/repositories`

* Remove the CD drive entry `/media/cdrom/apks`

* Optionally uncomment the community repo and/or the edge repo URLs if you want to pull from the testing repos

* Refresh the repo index: `apk update`

• Install some essential packages, e.g. a different shell or editor:

* `apk add bash doas vim`

• Add a new standard user and include a SSH public key for login.

* `adduser $user`

* From the ssh client: `ssh-copy-id -i ~/path/to/ssh/key.pub $user@$ip`

• **Important:** disable SSH root login and password authentication.

* `vi /etc/ssh/sshd_config`

* `PermitRootLogin no`

* `PasswordAuthentication no`

* Restart sshd: `rc-service sshd restart`

Firewall setup

If your VPS doesn't have IPv6, you can skip the `ip6` parts.

• Load the iptables modules:

* `modprobe ip_tables`

* `modprobe ip6_tables`

• Install the packages: `apk add iptables ip6tables`

• Set services to start automatically at default runlevel:

* `rc-update add iptables`

* `rc-update add ip6tables`

• Add a few simple firewall rules for IPv4, using the example to add more ports as needed: `nano /etc/iptables/ipv4.rules`

	
filter


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow existing connections and pings
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow ssh port
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

• Repeat for IPv6: `nano /etc/iptables/ipv6.rules`

	
filter


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

• Apply the rules:

* `iptables-restore < /etc/iptables/ipv4.rules` * `ip6tables-restore < /etc/iptables/ipv6.rules` * `/etc/iptables/rules-save` * `/etc/ip6tables/rules-save`

• To see currently active rules, use `iptables -L` and `ip6tables -L`.

• Start the firewall:

* `rc-service iptables start` * `rc-service ip6tables start`

Troubleshooting

Changing the network connection details

• eth0 configuration: `vi /etc/network/interfaces`

iface eth0
inet static
address $address
netmask 255.255.255.0
gateway $gateway

• Edit nameservers: `vi /etc/resolv.conf`

nameserver $dns1
nameserver $dns2

• Restart the network interface:

* `ifdown eth0` * `ifup eth0`

Documentation

Alpine Linux website

Installation overview

Install from an ISO to a Virtualbox machine

setup-alpine documentation

setup-alpine source

Further reading

Alpine Wall — firewall frontend

nixCraft article on Awall

fail2ban — ban unauthorised SSH login attempts

crazy-max/docker-fail2ban