_SystemPrep_ALPINE

Owned by Alex Perez Mendez
Last updated: Oct 04, 2019
1 min read

System Preparation

Install Alpine Linux

The first thing that is required is an Alpine Linux machine - this can be physical, virtual or a container.

Tip

We would recommend using LVM when disk partitioning to allow easier partition/disk expansion on a live system.

Warning

After install, you will want to secure/lockdown the server as best practice dictates - for both the server and any extra software installed. This is beyond the remit of this guide but there are many guides available that provide information on how to secure your Alpine servers and applications.

Configure Alpine

Next, there are a few Alpine configuration options that need to be set in advance:

Networking configuration

For production deployments, it is recommended that the machine be assigned a static IP address.

Firewall configuration

The following ports are required to be accessible from the outside world, both in the local firewall and in any external firewalls:

  • 2083/tcp (for RadSec connections to other Moonshot entities)
  • 12309/tcp (for Trust Router client connections - if using the Trust Router to broker trust relationships between entities)

Here are sample firewall rules that establish incoming and outgoing rules to both the Test and Live (Jisc Assent) Moonshot trust router infrastructures. If you connect to another Trust Router, adjust these rules to suit:

IP Tables sample firewall rules (Jisc Assent)

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s 0/0 --dst <IdP/RP Proxy IP address> --dport 2083 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s <IdP/RP Proxy IP address> --dst 0/0 --dport 2083 -j ACCEPT
 -A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s 212.219.179.130,212.219.179.131,212.219.179.138,212.219.179.146 --dst <IdP/RP Proxy IP address> --dport 12309 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s <IdP/RP Proxy IP address> --dst 212.219.179.130,212.219.179.131,212.219.179.138,212.219.179.146 --dport 12309 -j ACCEPT

IP Tables sample firewall rules (Test Network)

-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s 0/0 --dst <IdP/RP Proxy IP address> --dport 2083 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s <IdP/RP Proxy IP address> --dst 0/0 --dport 2083 -j ACCEPT
-A INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s 13.79.134.211,13.79.128.103,52.169.31.104 --dst <IdP/RP Proxy IP address> --dport 12309 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp -s <IdP/RP Proxy IP address> --dst 13.79.134.211,13.79.128.103,52.169.31.104 --dport 12309 -j ACCEPT

Add the Required Repositories

Supported versions

At the moment, Alpine 3.11 and Alpine 3.13 (x86_64 and armhf) are supported.

  1. Add the Moonshot Alpine repository to your system. To do this, run the following command (as root, or using sudo):

    Alpine 3.13 
    echo "https://repository.project-moonshot.org/alpine/v3.13" >> /etc/apk/repositories
echo "@moonshot https://repository.project-moonshot.org/alpine/v3.13" >> /etc/apk/repositories
    Alpine 3.15 
    echo "https://repository.project-moonshot.org/alpine/v3.15" >> /etc/apk/repositories
echo "@moonshot https://repository.project-moonshot.org/alpine/v3.15" >> /etc/apk/repositories

  2. Install the Moonshot repository RSA key.

    curl "https://repository.project-moonshot.org/alpine/moonshot@jisc.ac.uk-5be46530.rsa.pub" > /etc/apk/keys/moonshot@jisc.ac.uk-5be46530.rsa.pub