💾 Archived View for tilde.town › ~mio › log › 2021-11-27-kvm.gmi captured on 2024-12-17 at 09:46:34. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-07-22)

-=-=-=-=-=-=-

---

date: 2021-11-27T16:09:00Z

---

Alpine crash course on KVM

Here's a quick and messy checklist for running Alpine Linux on a KVM VPS.

* Get an example IPv4 address, netmask and gateway: `ifconfig` or `ip link` * Get the default nameservers (or set your own): `cat /etc/resolv.conf`

* *ISO* > *Add ISO* and paste the ISO link to the Virtual image

* *List VPS* > *Manage* (next to the vps name) > *Settings* > *VPS Configuration*

* Temporarily change the boot order: *1) CD Drive 2) Hard Disk*

* Select ISO: (select the custom user ISO)

* Save and reboot the VPS

* The CD drive usually has a name like `/dev/sr0` * Example of disk device name: `/dev/vda`

* This should be done before proceeding with the setup script, or it will fail during the disk partitioning with warnings about partitions not being found.

* Example configuration for network setup:

* Available interface: eth0

* Ip address for eth0: (IPv4 address from ifconfig/ip link output)

* Netmask: (from ifconfig/ip link, e.g. 255.255.255.0)

* Gateway: (often .0 or .1 in the IPv4 address subnet, e.g. xxx.xxx.xxx.1)

* DNS nameserver(s): (enter IPs separated by commas)

* Make sure to get the network connection working or the disk setup will fail to download the utilities needed to partition the disk. If it is unable to update the repo list, it's very likely there is something wrong with the network setup — ctrl+c to exit the script and re-run the script while checking the connection details carefully.

* The `setup-disk` part of the script will create 3 partitions: boot (~105 MB), swap (~4173 MB) and root (fills the remaining space).

Additional setup

* `vi /etc/apk/repositories`

* Remove the CD drive entry `/media/cdrom/apks`

* Optionally uncomment the community repo and/or the edge repo URLs if you want to pull from the testing repos

* Refresh the repo index: `apk update`

* `apk add bash doas vim`

* `adduser $user`

* From the ssh client: `ssh-copy-id -i ~/path/to/ssh/key.pub $user@$ip`

* `vi /etc/ssh/sshd_config`

* `PermitRootLogin no`

* `PasswordAuthentication no`

* Restart sshd: `rc-service sshd restart`

Firewall setup

If your VPS doesn't have IPv6, you can skip the `ip6` parts.

* `modprobe ip_tables`

* `modprobe ip6_tables`

* `rc-update add iptables`

* `rc-update add ip6tables`


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow existing connections and pings
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow ssh port
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT

* `iptables-restore < /etc/iptables/ipv4.rules` * `ip6tables-restore < /etc/iptables/ipv6.rules` * `/etc/iptables/rules-save` * `/etc/ip6tables/rules-save`

* `rc-service iptables start` * `rc-service ip6tables start`

Troubleshooting

Changing the network connection details

iface eth0
inet static
address $address
netmask 255.255.255.0
gateway $gateway

nameserver $dns1
nameserver $dns2

* `ifdown eth0` * `ifup eth0`

Documentation

Alpine Linux website

Installation overview

Install from an ISO to a Virtualbox machine

setup-alpine documentation

setup-alpine source

Further reading

Alpine Wall — firewall frontend

nixCraft article on Awall

fail2ban — ban unauthorised SSH login attempts

crazy-max/docker-fail2ban