Reduce heading depths
This commit is contained in:
parent
f3fca31dd9
commit
6969babfde
2 changed files with 19 additions and 19 deletions
36
AlmaLinux.md
|
@ -1,4 +1,4 @@
|
||||||
## Operating System
|
# AlmaLinux
|
||||||
|
|
||||||
My proof of concept server running this container stack is built on AlmaLinux
|
My proof of concept server running this container stack is built on AlmaLinux
|
||||||
9.4.
|
9.4.
|
||||||
|
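Review bot: this hunk does more than reduce depth: `## Operating System` becomes `# AlmaLinux`, which renames the section as well as promoting it to the page title. Either mention the rename in the commit message or keep the text and change only the level (`# Operating System`), since any link that targets the old heading anchor will stop resolving after the rename.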
@ -6,7 +6,7 @@ My proof of concept server running this container stack is built on AlmaLinux
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Perform `dnf update` immediately
|
> Perform `dnf update` immediately
|
||||||
|
|
||||||
### [Repositories](https://wiki.almalinux.org/repos/)
|
## [Repositories](https://wiki.almalinux.org/repos/)
|
||||||
|
|
||||||
These may not really be necessary to set up, but you should absolutely review
|
These may not really be necessary to set up, but you should absolutely review
|
||||||
them and decide for yourself.
|
them and decide for yourself.
|
||||||
|
@ -21,9 +21,9 @@ them and decide for yourself.
|
||||||
- `dnf install elrepo-release`
|
- `dnf install elrepo-release`
|
||||||
- [RPM Fusion](https://wiki.almalinux.org/documentation/epel-and-rpmfusion.html)
|
- [RPM Fusion](https://wiki.almalinux.org/documentation/epel-and-rpmfusion.html)
|
||||||
|
|
||||||
### Disks
|
## Disks
|
||||||
|
|
||||||
#### Partitions
|
## Partitions
|
||||||
|
|
||||||
Repeat the following steps for all disks that you want to join together into
|
Repeat the following steps for all disks that you want to join together into
|
||||||
one single logical volume.
|
one single logical volume.
|
||||||
|
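Review bot: `### Disks` and `#### Partitions` are both collapsed to `##`, so Partitions stops being a subsection of Disks and `## Disks` is left introducing nothing of its own. If the goal is a flatter page, `### Partitions` (one level below Disks) keeps the grouping; otherwise drop the `Disks` heading rather than leave an empty section. The same two-level jump from `####` to `##` applies to the LVM and mount-unit headings that follow in this file.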
@ -37,7 +37,7 @@ dd if=/dev/zero of=/dev/sdX bs=512 count=1 conv=notrunc
|
||||||
dd if=/dev/zero of=/dev/sdY bs=512 count=1 conv=notrunc
|
dd if=/dev/zero of=/dev/sdY bs=512 count=1 conv=notrunc
|
||||||
```
|
```
|
||||||
|
|
||||||
#### LVM
|
## LVM
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Create physical volume
|
# Create physical volume
|
||||||
|
@ -54,7 +54,7 @@ mke2fs -t ext4 /dev/library/books
|
||||||
e2fsck -f /dev/library/books
|
e2fsck -f /dev/library/books
|
||||||
```
|
```
|
||||||
|
|
||||||
#### /etc/systemd/system/volumes-books.mount
|
## /etc/systemd/system/volumes-books.mount
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
[Mount]
|
[Mount]
|
||||||
|
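Review bot: promoting `#### /etc/systemd/system/volumes-books.mount` to `##` turns a raw file path into a top-level heading alongside `Disks` and `LVM`, even though the unit file is the last step of the disk setup (the hunk's context closes the LVM block with `e2fsck -f /dev/library/books`). Suggest a `###` heading such as `Mount unit` with the path named in the body, so the step stays subordinate to the section it belongs to.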
@ -74,7 +74,7 @@ WantedBy=default.target
|
||||||
chown -R $ctuser:$ctuser /volumes
|
chown -R $ctuser:$ctuser /volumes
|
||||||
```
|
```
|
||||||
|
|
||||||
### SSH
|
## SSH
|
||||||
|
|
||||||
SSH is optional, but highly encouraged. Cockpit gives you a terminal too, but
|
SSH is optional, but highly encouraged. Cockpit gives you a terminal too, but
|
||||||
that's nowhere near as good as what you can do with a real terminal emulator
|
that's nowhere near as good as what you can do with a real terminal emulator
|
||||||
|
@ -90,7 +90,7 @@ ssh-keygen -t ed25519 -a 32 -f ~/.ssh/$localhost-to-$remotehost
|
||||||
ssh-copy-id -i ~/.ssh/$localhost-to-$remotehost $user@$remotehost
|
ssh-copy-id -i ~/.ssh/$localhost-to-$remotehost $user@$remotehost
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Override `sshd` config
|
## Override `sshd` config
|
||||||
|
|
||||||
We don't want to allow anyone to login as root remotely ever. You must be a
|
We don't want to allow anyone to login as root remotely ever. You must be a
|
||||||
`sudoer` with public key auth to elevate to root.
|
`sudoer` with public key auth to elevate to root.
|
||||||
|
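Review bot: `#### Override \`sshd\` config` to `##` puts the override at the same level as `## SSH` although it is a step of the SSH setup (the context lines are the `ssh-keygen`/`ssh-copy-id` steps that lead into it, and the text says root login must be disabled in favour of a sudoer with key auth). `### Override \`sshd\` config` keeps it under SSH and keeps the reading order of key creation, key copy, then daemon hardening visible in the outline.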
@ -125,14 +125,14 @@ firewall-cmd --permanent --zone=public --add-service=cockpit
|
||||||
firewall-cmd --reload
|
firewall-cmd --reload
|
||||||
```
|
```
|
||||||
|
|
||||||
### Add SSH keys
|
## Add SSH keys
|
||||||
|
|
||||||
> [!TIP]
|
> [!TIP]
|
||||||
> Skip if you copied your keys with `ssh-copy-id` above.
|
> Skip if you copied your keys with `ssh-copy-id` above.
|
||||||
|
|
||||||
`Accounts` -> `Your account` -> `Authorized public SSH keys` -> `Add Key`
|
`Accounts` -> `Your account` -> `Authorized public SSH keys` -> `Add Key`
|
||||||
|
|
||||||
### Install SELinux troubleshoot tool
|
## Install SELinux troubleshoot tool
|
||||||
|
|
||||||
This is a component for Cockpit.
|
This is a component for Cockpit.
|
||||||
|
|
||||||
|
@ -145,7 +145,7 @@ dnf install setroubleshoot-server
|
||||||
Podman is a daemonless container hypervisor. This document prepares a fully
|
Podman is a daemonless container hypervisor. This document prepares a fully
|
||||||
rootless environment for our containers to run in.
|
rootless environment for our containers to run in.
|
||||||
|
|
||||||
### Install
|
## Install
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
dnf install podman
|
dnf install podman
|
||||||
|
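Review bot: `### Install` becomes `## Install`, but the heading that introduces this Podman section (the one above "Podman is a daemonless container hypervisor") lies just outside the hunk and is not touched by the diff. If that heading is still `##`, Install is now its sibling rather than its first step; confirm it was promoted to `#` elsewhere or include it here. Separately, the context line calls Podman a "container hypervisor"; it is a container engine, not a hypervisor, and a follow-up wording fix would help.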
@ -156,9 +156,9 @@ systemctl enable --now podman
|
||||||
> Read the docs.
|
> Read the docs.
|
||||||
> `man podman-systemd.unit`
|
> `man podman-systemd.unit`
|
||||||
|
|
||||||
### Prepare host networking stack
|
## Prepare host networking stack
|
||||||
|
|
||||||
#### slirp4netns
|
## slirp4netns
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This may not be necessary but my system is currently using it.
|
> This may not be necessary but my system is currently using it.
|
||||||
|
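Review bot: `### Prepare host networking stack` and its child `#### slirp4netns` both become `##`, so slirp4netns reads as a separate top-level step rather than one item within the networking preparation; the NOTE in the hunk ("This may not be necessary but my system is currently using it") only makes sense as a subordinate item. Suggest `### slirp4netns`, and the same level for the following former-`####` headings in this section (the DNS server, the unprivileged-port sysctl and the rp_filter sysctl).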
@ -167,7 +167,7 @@ systemctl enable --now podman
|
||||||
dnf install slirp4netns
|
dnf install slirp4netns
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Install DNS server for `podman`
|
## Install DNS server for `podman`
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Not sure how to resolve these correctly yet but the journal logs it
|
> Not sure how to resolve these correctly yet but the journal logs it
|
||||||
|
@ -177,7 +177,7 @@ dnf install slirp4netns
|
||||||
dnf install aardvark-dns
|
dnf install aardvark-dns
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Allow rootless binding port 80+
|
## Allow rootless binding port 80+
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This is only necessary if you are setting up the reverse proxy.
|
> This is only necessary if you are setting up the reverse proxy.
|
||||||
|
@ -187,14 +187,14 @@ printf '%s\n' 'net.ipv4.ip_unprivileged_port_start=80' > /etc/sysctl.d/99-unpriv
|
||||||
sysctl 'net.ipv4.ip_unprivileged_port_start=80'
|
sysctl 'net.ipv4.ip_unprivileged_port_start=80'
|
||||||
```
|
```
|
||||||
|
|
||||||
#### Allow containers to route within multiple networks
|
## Allow containers to route within multiple networks
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
printf '%s\n' 'net.ipv4.conf.all.rp_filter=2' > /etc/sysctl.d/99-reverse-path-loose.conf
|
printf '%s\n' 'net.ipv4.conf.all.rp_filter=2' > /etc/sysctl.d/99-reverse-path-loose.conf
|
||||||
sysctl -w net.ipv4.conf.all.rp_filter=2
|
sysctl -w net.ipv4.conf.all.rp_filter=2
|
||||||
```
|
```
|
||||||
|
|
||||||
### Prepare container user
|
## Prepare container user
|
||||||
|
|
||||||
This user will be the owner of all containers with no login shell or root
|
This user will be the owner of all containers with no login shell or root
|
||||||
privileges.
|
privileges.
|
||||||
|
@ -227,7 +227,7 @@ loginctl enable-linger $ctuser
|
||||||
> The login shell doesn't exist. Launch `bash -l` manually to get a shell or
|
> The login shell doesn't exist. Launch `bash -l` manually to get a shell or
|
||||||
> else your `ssh` will exit with a status of 1.
|
> else your `ssh` will exit with a status of 1.
|
||||||
|
|
||||||
### Setup $ctuser env
|
## Setup $ctuser env
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Switch to user (`-i` doesn't work without a login shell)
|
# Switch to user (`-i` doesn't work without a login shell)
|
||||||
|
|
|
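Review bot: three headings in one hunk all land on `##`, so `Allow containers to route within multiple networks` (formerly `####`) now sits at the same level as `Prepare container user` and `Setup $ctuser env` (formerly `###`), erasing the distinction between the networking sub-steps and the next major step. Consider `###` for the former `####` heading. Minor: `Setup` as a verb should be `Set up`, and a literal `$ctuser` in a heading is a shell variable that never expands in Markdown; `Set up the container user's environment` would read better.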
@ -37,7 +37,7 @@ Create the following unit file at `~/.config/containers/systemd/helloworld.conta
|
||||||
|
|
||||||
```ini
|
```ini
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=hello world
|
Description=Hello, world
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
|
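Review bot: this hunk is unrelated to the commit message: it changes the unit's `Description=` from `hello world` to `Hello, world`, not a heading depth, and it is the only change in the second file. Either split it into its own commit or mention it in the message so that blame on this line leads to a commit that explains it.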