Alpine on Cloud


Overview

Alpine Linux is an independent, non-commercial, general purpose Linux distribution designed for power users who appreciate security, simplicity and resource efficiency.

SMALL

Alpine Linux is built around musl libc and busybox. This makes it smaller and more resource efficient than traditional GNU/Linux distributions. A container requires no more than 8 MB and a minimal installation to disk requires around 130 MB of storage. Not only do you get a fully-fledged Linux environment but a large selection of packages from the repository.

Binary packages are thinned out and split, giving you even more control over what you install, which in turn keeps your environment as small and efficient as possible.

SIMPLE

Alpine Linux is a very simple distribution that will try to stay out of your way. It uses its own package manager called apk, the OpenRC init system, script driven set-ups and that’s it! This provides you with a simple, crystal-clear Linux environment without all the noise. You can then add on top of that just the packages you need for your project, so whether it’s building a home PVR, or an iSCSI storage controller, a wafer-thin mail server container, or a rock-solid embedded switch, nothing else will get in the way.

SECURE

Alpine Linux was designed with security in mind. All userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.

Alpine Linux in its true sense was created by technical people for technical people. Its target has always been technical people who can fix things themselves and have the technical skills to contribute back.

Docker is the hottest buzzword in the tech industry, and this limelight changed things for Alpine Linux, as it is now attracting more beginners. There is a fairly wide range of users. Docker uses Alpine both for their production and in the products they ship. There are other non-profit organizations that use Alpine, including telephone companies and hosting companies.

Beyond Docker, Alpine is also used by many security related projects but these people don’t want to publicly talk about what they are using, so Alpine remains out of the press radar.

One of the advantages of being used by technically advanced projects is that in return, Alpine benefits from technically advanced people who develop and maintain Alpine. “Some of us are sponsored to work on Alpine and some spend our free time to work on it,” said Copa. “Most of us are more interested in coding than to tell the world how good Alpine is.”

These people work for companies and organizations that themselves use Alpine. So there is a very strong symbiotic relationship, which also creates stability and sustainability of the project. “There are various organizations and companies that are helping with funding. Some are sponsoring developers to work on Alpine, for example, Docker, and some are contributing with hardware and infrastructure. For example, Docker supports development, Scaleway provides hosting, Fastly provides the content delivery network, and many others are supporting in different ways,” he said.

Size Does Matter

What made Alpine unique was its size. The smaller size made it extremely secure and efficient. When I asked about the main difference in terms of efficiency between Alpine Linux and the big boys of the Linux world such as Red Hat Enterprise Linux and SUSE Enterprise Linux Server, Copa said, “They are probably more polished and somewhat easier to use (for many things) than Alpine, but I’d still say they are all big and slow compared to Alpine. ‘Apt-get update’ spends almost the same amount of time to update the package index cache as Alpine spends on performing the entire system install or upgrade.”

Alpine and Containers

Alpine, even though it pre-dates the popularity of Linux containers, complements the concept of containers very well. “The original goal was to run from RAM, which is kind of a disposable system that gets re-installed every reboot. This matches very well with the disposable container concept.”

Alpine supported vserver containers long before namespaces made it to mainline kernel. “We had an alpine-vserver flavor which we used for our own infrastructure. We later replaced this with LXC which does not require any special kernel patch. So we have supported and used containers for a long time.” When the Docker community was looking for a distro, they found that they could make their containers significantly smaller if they used Alpine and that building the Alpine containers takes a fraction of the time compared to other distros.

“This made the Alpine community grow very fast the last 2 years. Even Docker Inc. got the eyes up for Alpine so now Docker sponsors the development of Alpine,” Copa added. “So Alpine Linux is very suitable for containers and has been in the containers game since the very beginning.”

Guts of Alpine

Alpine was originally built with Gentoo, but it is now independent and self-hosting. It uses the Linux kernel (with an unofficial port of grsecurity patch), the musl C library, BusyBox, LibreSSL, and OpenRC.

Alpine originally used the Gentoo hardened toolchain in order to use the security features that were in Gentoo hardened. “We needed the extra hardening since the typical use case was for security devices like VPN and firewalls. Later we added support for install to disk, but we still support and use the run from RAM style of setup.”

Alpine uses its own package manager, called apk-tools. Don’t confuse it with Android’s .apk format. Here APK stands for Alpine Package Keeper. Alpine has been using “apk-tools” and “.apk” since before Google bought Android Inc.

Since Alpine Linux needed to be extremely small, its developers wanted everything to fit in memory, so they had to make things as small as possible. In addition, because the system was installed from scratch on every reboot, they needed a package manager that was fast too.

The Alpine community did extensive studies before writing their own package manager. “We evaluated pacman from Arch Linux, .deb, ipkg, .rpm and others,” said Copa. “The major reason that we ended up with our own is our ‘run-from-ram’ requirement. We needed a fast manager that can set up tmpfs rootfs from initfs.”

Alpine developers also wanted low overhead for installed package database. “Our main requirement was that it should have only a few files as the full state — all others usually had one or more files per installed package,” Copa added.

To deliver packages to users, Alpine uses  “aports,” a tree of ported applications for the distro, which a handful of Alpine package maintainers keep up to date with upstream. They build a package repository from this tree and rsync this to the master mirror. Then there is a list of mirror sites that will mirror the repository and end users will use “apk add” to fetch the required packages over HTTP. To ensure security and integrity, the packages are signed and apk add verifies that they haven’t been accidentally or intentionally modified.

Security is Not a Point

We have heard a lot about security holes in Linux. It is not that Linux is becoming more insecure, just that it is now used so heavily in critical areas that it is getting the additional eyeballs it always wanted. “One misapprehension in the industry is that security is all about rolling out security fixes as fast as possible, and I think this is because keeping track of CVEs and times when detected and resolved is the easiest thing to measure.” While it’s true that keeping up with patches is important, that’s not the only way to secure software. “We manage to provide fixes relatively fast and I would not be surprised if we are faster than other distros on average. But fixing CVEs in time is far from the only thing we do to maintain security.”

Fixing bugs is a reactive approach. In addition to that, the Alpine team also takes proactive steps to keep things secure by design. The first step is to keep the core system as small as possible.

Alpine does not install by default a lot of things that might be handy but that users will never use. One example is the Bash shell. There is no Bash installed by default; Alpine uses BusyBox ash as the default shell. As a result, no Alpine systems were affected by the Shellshock Bash vulnerability of 2014.

In addition to keeping the number of pre-installed components low, Alpine adds another layer of security by not enabling things by default. All Alpine does is provide the building blocks, leaving it up to seasoned sysadmins to enable what they need. That’s contrary to what many distros do: they not only install a lot by default, they also enable a lot of things by default. In those cases, the sysadmin has to actually disable things to start with, in order to keep the systems secure.

Alpine is also very conservative when it comes to selecting secure libraries for the core system. As and when needed, they also replace libraries if they find something more secure. “We replaced OpenSSL with LibreSSL recently because we think that is a more secure library.”

Alpine also provides sysadmins with a hardened toolchain by default. “This means that stack smashing protection (-fstack-protector), position independent executables, and full RELRO [memory corruption mitigation technique] with bind-now linking are all enabled by default and you will have to explicitly disable them if you cannot use them.”

Another smart move that the Alpine team made from the very first release was to use the grsecurity patch for the kernel. These days they use a non-official fork of it, since the patches for stable kernels are not available to the public. This kernel, together with the hardened toolchain, makes it significantly harder to exploit security vulnerabilities.

All those things together make Alpine a good choice for those who care about real security and not just about nice graphs. Another thing that’s becoming a catchword these days is automatic updates, but Alpine doesn’t offer any. Security is ultimately the responsibility of sysadmins because much of it is in the configuration, but the Alpine community needs to deliver decent defaults and tools to accomplish this.

 


Features

NEW FEATURES AND NOTEWORTHY NEW PACKAGES

  • Support netboot on all architectures
  • Add arm64 (aarch64) Raspberry Pi image
  • Add support for Raspberry Pi 3 Model B+
  • Support ISO image on s390x (KVM installation)
  • End of support for hardened kernel (unofficial Grsecurity)
  • Support for Crystal language

SIGNIFICANT UPDATES

  • Linux 4.14
  • Go 1.10
  • Node.js 8.11 (LTS)
  • Rust 1.26
  • Ruby 2.5
  • PHP 7.2
  • ghc 8.4
  • OCaml 4.06
  • R 3.5
  • JRuby 9.2

The Alpine Linux distribution is described as ‘minimal’ and best suited to ‘power users’. Initially built with Gentoo, the project is now entirely independent and, as such, it is self-hosting. Gentoo Linux is another distribution, built with the Portage package management system. This project is fundamentally a security-oriented lightweight Linux distribution based on musl libc and Busybox.

Tough hardened kernel

This distribution uses a hardened kernel and compiles all user space binaries as position-independent executables with stack-smashing protection. Alpine has been compared to NanoBSD – a tool developed by Poul-Henning Kamp which creates a FreeBSD system image for embedded applications – in that it can be provisioned for the precise job in hand without additional difficulties, interruptions or indeed any superfluous functions.

Trumping Docker

The project has risen in awareness and status in recent times as a result of its selection by Docker as its new base ‘image’ – the previous image being Ubuntu. According to the development team, “Alpine Linux is a very simple distribution that will try to stay out of your way. It uses its own package manager called apk, the OpenRC init system, script driven set-ups and that’s it! This provides you with a simple, crystal-clear Linux environment without all the noise. You can then add on top of that just the packages you need for your project, so whether it’s building a home PVR, or an iSCSI storage controller, a wafer-thin mail server container, or a rock-solid embedded switch, nothing else will get in the way.”

Alpine is technically competent

Partly due to the way it has been built… almost all of the binaries in the core system are links to Busybox, a collection of commonly used user and system utilities all presented in one single binary. The use of links to Busybox allows Alpine Linux to achieve a speedier startup time and smaller storage space requirements overall.

It can be installed to a hard disk/SSD/other storage medium like any other distro; this is called the sys mode. The storage medium in question can be removable, if you like, so long as you can configure your machine to boot from it. “The kernel is patched with an unofficial port of grsecurity/PaX, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.” Binary packages are thinned out and split, giving users more control over what they install, which in turn keeps the computing environment as small and efficient as possible… and, in theory, more secure.

Some awesome features of Alpine:

  1. Light-weight. It was primarily targeted towards embedded and server applications and doesn’t have a lot of extra cruft by default. The base is busybox and the system uses musl as the libc, which makes things pretty small (albeit at the cost of compatibility and fewer features). You can install GNU utilities if you wish, but for the most part you don’t need to (on my machines, I only use one or two versions of GNU applications).
  2. Stable and Rolling. Alpine has two release models: the first is edge which is basically rolling and is relatively stable (but will have hiccups every once in a while). The second is stable which means that a release is cut about every 6 months and frozen. Security updates are applied to both the stable and edge branches, and stable versions are supported for about two years.
  3. Packaging. Alpine’s package manager, APK, is pretty straightforward to use, is really fast (faster than pacman!), and supports some advanced features like pinning (which apt/dpkg has but I don’t believe pacman does). More importantly, creating a package for Alpine is really easy as the package script is very similar to ArchLinux’s PKGBUILD (it’s called APKBUILD in Alpine). Because of this, I have been able to contribute a few packages and even fixed a few others.
  4. Community. The Alpine community is indeed small, but the folks on IRC are pretty friendly and responsive. Most of the core developers hang out in #alpine-linux and #alpine-devel and you communicate directly with them to get bugs resolved or to provide other feedback.
  5. Direction. As noted above, Alpine was primarily geared towards embedded and server applications, but this focus is changing or at least broadening. There is now increased desktop application support (e.g. there is now Mate and Chromium in the package repositories) and more and more testing and development is happening on these types of software. Additionally, I like that Alpine is open to be an alternative to the mainstream Linux distributions. It uses busybox instead of GNU, OpenRC instead of Systemd (init), musl instead of GNU libc, etc. This is not for everyone, but I like that it is different and simple.
  6. Security. One of the key marketing points of Alpine is the added security such as PaX and grsec.

  • Features of Alpine Linux

    • Tiny base system size — less than 5 MB, excluding the kernel.
    • Has its own package management system, called apk-tools.
    • To conserve disk space, it uses the uClibc C standard library rather than glibc.
    • It can be run exclusively from RAM.

AWS


Installation Instructions For Ubuntu


Note: How to find PublicDNS in AWS

Step 1) SSH Connection: To connect to the deployed instance, please follow the instructions to connect to an Ubuntu instance on AWS Cloud.

1) Download Putty.

2) Connect to the virtual machine using an SSH key. Refer to this link:

  • Hostname: PublicDNS  / IP of machine
  • Port : 22

Step 2) Other Information:

1.Default ports:

  • Linux Machines:  SSH Port – 22

2. To access Webmin interface for management please follow this link

Configure custom inbound and outbound rules using this link

Azure


Installation Instructions For Ubuntu


Note: How to find PublicDNS in Azure

Step 1) SSH Connection: To connect to the deployed instance, please follow the instructions to connect to an Ubuntu instance on Azure Cloud.

1) Download Putty.

2) Connect to the virtual machine using the following SSH credentials:

  • Hostname: PublicDNS  / IP of machine
  • Port : 22

Username: Your chosen username when you created the machine (for example: Azureuser)

Password: Your chosen password when you created the machine (How to reset the password if you do not remember)

Step 2) Other Information:

1.Default ports:

  • Linux Machines:  SSH Port – 22

2. To access Webmin interface for management please follow this link

Configure custom inbound and outbound rules using this link

Google

Installation Instructions For Ubuntu


Step 1) SSH Connection: To connect to the deployed instance, please follow the instructions to connect to an Ubuntu instance on Google Cloud.

1) Download Putty.

2) Connect to the virtual machine using an SSH key:

  • Hostname: PublicDNS  / IP of machine
  • Port : 22

Step 2) Other Information:

1.Default ports:

  • Linux Machines:  SSH Port – 22

2. To access Webmin interface for management please follow this link

 
