Arch Linux Live-USB for B3 updated (archlinuxarm.org kernel, shorewall migration)

sakaki
Posts: 172
Joined: 15 Aug 2014, 11:20

Post by sakaki » 14 Sep 2018, 14:49

Hello,

I've just released version 1.6.0 of the live-USB image of Arch Linux for the B3 on GitHub (here). All included packages are up-to-date against the archlinuxarm.org tree, as of 14 September 2018. The kernel supplied on the image is 4.18.7-1-ARCH, and as before, will be updated (along with the rest of your packages) to the most recent version available on archlinuxarm.org, each time you run pacman -Syu.

Other changes in this release include:
  • Adopted Gordon's workaround to keep the Ethernet MAC addresses during kexec; this replaces the previous setethermac userland-service-based approach (which has now been retired).
  • Replaced the shorewall forwarding firewall setup with a simpler script (/usr/local/sbin/fw-setup), the shipped version of which may be viewed here. The firewall startup is managed by /etc/systemd/system/setup-b3-firewall.service (which can be viewed here).
  • The file /etc/hostapd/hostapd.conf was modified following this suggestion by thumb (thanks!).

You can burn the supplied image to a USB key (>=4GB, Lexar and SanDisk keys seem the most reliable), then boot your B3 from it, without affecting any installed (Excito) system on your B3's hard drive. (The compressed image is 237MiB; writing takes between 5 and 15 minutes, depending on your system.) You can even boot a diskless B3! No soldering, compilation or U-Boot flashing is required.

The live-USB may then be used as a rescue disk, to play with Arch Linux, or as the starting point to install Arch Linux on your B3's main hard drive. Any packages you install, or other changes you make, while running the live-USB are saved on the USB key, but do not affect your existing Excito system, so you can run Arch for a while, then reboot back into your Excito system and continue to use it as normal, then boot back into the USB at a later date - any changes you made will still be there when you do.

Arch Linux, like Debian, is a binary distribution, so you can install new packages and update your B3 very quickly (using the command "pacman -Syu", see below).

The initial networking setup of the B3 when started from the live-USB is shown below:

[Image: initial networking setup of the B3 when started from the live-USB]

Connected clients can browse the web etc. since there is a forwarding firewall setup (although login via eth1/WiFi is still possible, even if the eth0 (wan) interface is disconnected, or the wan network does not support DHCP).

Full instructions are provided on the project's GitHub page (including how to install Arch on your B3's internal hard drive too, in case you want to do that).

Once logged in, you can then play around with Arch. For example, install the apache web server:

```
[root@archb3 ~]# pacman -Sy
   (confirm if prompted, this is equivalent to apt-get update on Debian)
[root@archb3 ~]# pacman -S apache
   (confirm if prompted, this is equivalent to apt-get install ... on Debian)
```

You can search a list of prebuilt archlinuxarm packages here (filter by "arm" architecture).

Bring all packages (userspace and kernel) bang up to date:

```
[root@archb3 ~]# pacman -Syu
   (confirm if prompted; like apt-get update && apt-get upgrade on Debian)
```

Have fun ^-^

best,
sakaki

Edited to fix typo, add link to versioned package list
Last edited by sakaki on 14 Sep 2018, 16:56, edited 1 time in total.

MouettE
Site admin
Posts: 263
Joined: 06 Oct 2011, 19:45

Re: Arch Linux Live-USB for B3 updated (archlinuxarm.org kernel, shorewall migration)

Post by MouettE » 14 Sep 2018, 15:16

That's great, thanks!

I'm curious, why did you drop shorewall? And why did you write a custom script instead of using another wrapper like firehol?

sakaki
Posts: 172
Joined: 15 Aug 2014, 11:20

Re: Arch Linux Live-USB for B3 updated (archlinuxarm.org kernel, shorewall migration)

Post by sakaki » 15 Sep 2018, 10:19

Hi MouettE,

there were two reasons for dropping shorewall really:
  1. With the version currently in the archlinuxarm.org tree (v5.2.0.4-1), I was getting a number of perl errors (as well as warnings) compiling my existing rule set (perl on the image is v5.28.0-1). Initially I thought this was just due to deprecated or dropped directives, but I got the same problems when trying some of their bundled rulesets too.
  2. I've had more support requests by email from Arch users regarding shorewall than anything else - it seems to be in the postfix category of 'fabulous but a bit overwhelming' for users coming to it fresh and just wanting to get something done quickly.

Issue (1) is probably just one of those things that happens from time to time in rolling distros like Arch - and will likely iron itself out via update in the next few weeks. However, I only had a limited amount of time to put the image together, since I don't use Arch day-to-day on the B3 myself. I tried reverting shorewall and shorewall-core to the previously shipped version (using this handy package archive), but no luck. Reverting the perlset as well did fix things but, since that's a dep for a lot of packages, I was very reluctant to pin it. In the end, I decided to just write a simple script to get the job done (the script may be viewed here, its systemd unit file here).

This isn't perfect (it doesn't add the logging rules, early startup blocks etc. that shorewall gives you by default), but it does have everything in one place and most people should be able to get their head around what is going on. Sophisticated users can of course disable the service and install their own firewall approach if they choose.

Incidentally, shorewall is still in use on the gentoo-on-b3 image, for now anyhow (although Gentoo is a rolling distro like Arch, it has the concept of 'stable' versions of packages, and I have used these for most things on the image; accordingly, it is running dev-lang/perl-5.24.3-r1 and net-firewall/shorewall-5.2.0.5 [1], which work fine together).

Best, sakaki

[1] Of course, net-firewall/shorewall isn't keyworded for arm, so this is "* ~*" variant ^-^

Gordon
Posts: 1339
Joined: 10 Aug 2011, 03:18

Re: Arch Linux Live-USB for B3 updated (archlinuxarm.org kernel, shorewall migration)

Post by Gordon » 15 Sep 2018, 14:22

Yeah, Shorewall, strong as it is, can definitely be overwhelming. First time I came into contact with it was with the LEAF project - a single floppy based OS and firewall. That is 1.44Mb in total, those were the days... I think it must have taken me over a year to fully comprehend what I was supposed to put where, and as Shorewall has only gotten bigger with more config files that can't possibly have improved.

In truth I think Shorewall is way over the top for simple applications like connecting a single LAN segment with the internet. I also found it to be hopelessly complex to implement targets like `recent` and `geoip`, which I found to be extremely useful in countering unwanted access and doing fail2ban-like stuff. As a result I stopped using it - and I have 5 (V)LAN segments.
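
Added example, not part of any post in this thread and not the image's /usr/local/sbin/fw-setup script: a single-file forwarding firewall of the kind discussed above, including the logging rules sakaki says the shipped script leaves out and the `recent` match Gordon mentions, emitted as an iptables-restore ruleset. The interface names passed in (eth0 as WAN follows the thread; wlan0 is assumed), SSH on tcp/22 being reachable from the WAN, and the rate and log limits are assumptions.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a small NAT gateway.
# Assumptions (not from the thread): SSH on tcp/22 reachable from the WAN,
# limited to 4 new connections per source address per 60 s.
gen_ruleset() {
    [ "$#" -ge 2 ] || { echo "usage: gen_ruleset WAN LAN..." >&2; return 1; }
    for ifc in "$@"; do   # refuse anything that is not a plain interface name
        case $ifc in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    wan=$1; shift         # remaining arguments are the LAN-side interfaces
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_WAN - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for lan in "$@"; do   # LAN clients may reach the box and the WAN
        printf '%s\n' "-A INPUT -i $lan -j ACCEPT" \
                      "-A FORWARD -i $lan -o $wan -j ACCEPT"
    done
    cat <<EOF
-A INPUT -i $wan -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_WAN
-A SSH_WAN -m recent --name ssh_wan --update --seconds 60 --hitcount 4 -j DROP
-A SSH_WAN -m recent --name ssh_wan --set -j ACCEPT
-A INPUT -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "fw-in-drop: "
-A FORWARD -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "fw-fwd-drop: "
COMMIT
EOF
}
# Check the syntax without loading it, then load it (both need root):
#   gen_ruleset eth0 eth1 wlan0 | iptables-restore --test
#   gen_ruleset eth0 eth1 wlan0 | iptables-restore
```

The ruleset covers IPv4 only, and forwarding also needs net.ipv4.ip_forward=1 set on the gateway.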
