Installing Alpine Linux on a Raspberry Pi 3
Step by step
1. Download the image
Since we have a Raspberry Pi 3B we should be using the aarch64
version.
# Get the OpenPGP signing key and import it into our keyring
# It will be used to verify the integrity of the downloaded archive
wget -O- https://alpinelinux.org/keys/ncopa.asc | gpg --import -
# Download the archive, the SHA256 sum and GPG signature
wget https://dl-cdn.alpinelinux.org/alpine/v3.18/releases/aarch64/alpine-rpi-3.18.4-aarch64.tar.gz
wget https://dl-cdn.alpinelinux.org/alpine/v3.18/releases/aarch64/alpine-rpi-3.18.4-aarch64.tar.gz.sha256
wget https://dl-cdn.alpinelinux.org/alpine/v3.18/releases/aarch64/alpine-rpi-3.18.4-aarch64.tar.gz.asc
# Verify SHA256 sum (once the .iso is fully downloaded)
% sha256sum alpine-rpi-3.18.4-aarch64.tar.gz ec0c111a465b2fcf8190b45d5b8c41cf9c8b9160f9eb3153590076f8ca1a9942 alpine-rpi-3.18.4-aarch64.tar.gz
% cat alpine-rpi-3.18.4-aarch64.tar.gz.sha256 ec0c111a465b2fcf8190b45d5b8c41cf9c8b9160f9eb3153590076f8ca1a9942 alpine-rpi-3.18.4-aarch64.tar.gz
# Verify OpenPGP signature
% gpg --verify alpine-rpi-3.18.4-aarch64.tar.gz.asc
gpg: assuming signed data in 'alpine-rpi-3.18.4-aarch64.tar.gz'
gpg: Signature made Thu 28 Sep 2023 03:04:58 PM CEST
gpg: using RSA key 0482D84022F52DF1C4E7CD43293ACD0907D9495A
gpg: Good signature from "Natanael Copa <ncopa@alpinelinux.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0482 D840 22F5 2DF1 C4E7 CD43 293A CD09 07D9 495A
All good.
If something is wrong here, either your GNUPG setup is wrong or the files you downloaded are wrong. This should not happen. If it does, well, you’re on your own, but do not try to install something that does not match the cryptographic specifications: it must have been tampered with.
2. Format the SD card
- Make a DOS partition table
- Make a FAT32 (vfat) partition
- Format the partition
sudo fdisk -w always /dev/sdb1 <<EOF
o
n
p
1
2048
-0
t
0c
a
w
EOF
mkdosfs -F32 /dev/sdb1
3. Make it bootable
https://wiki.alpinelinux.org/wiki/Create_a_Bootable_Device#Manually_copying_Alpine_files
This requires the syslinux
package. The following command assumes you’re running Debian:
sudo apt install syslinux
sudo dd bs=440 count=1 conv=notrunc if=/usr/lib/syslinux/mbr/mbr.bin of=/dev/sdb
4. Extract Alpine archive to the device
mkdir -p /media/mmcblk0p1
sudo mount -t vfat /dev/sdb1 /media/mmcblk0p1
sudo tar -p -s --atime-preserve --same-owner --one-top-level=/media/mmcblk0p1 -zxvf alpine-rpi-3.18.4-aarch64.tar.gz
Now you may want to add the headless overlay and associated configuration:
wget https://is.gd/apkovl_master
sudo cp headless.apkovl.tar.gz /media/mmcblk0p1
# Add the authorized_file (with your own SSH public key)
cp ~/.ssh/id_ed25519.pub authorized_keys
chmod 0600 authorized_keys
sudo cp authorized_keys /media/mmcblk0p1
# Add the wireless configuration
cat > wpa_supplicant.conf <<EOF
country=NL
network={
key_mgmt=WPA-PSK
ssid="FIBER"
psk="this is not the actual password but should be"
}
EOF
sudo cp wpa_supplicant.conf /media/mmcblk0p1
5. Boot the Pi and setup Alpine Linux
Unmount the SD card safely:
sync
sudo umount /media/mmcblk0p1
Put the SD Card into the Pi and boot it. You should have a working SSH on the Pi’s IP address on port 22 where root
can login without a password. Run setup-alpine
.
You should use diskless mode. It did not work for me at first. I had to modify the /etc/fstab
file to add:
echo "/dev/mmcblk0p1 /media/mmcblk0p1 vfat auto,rw 0 2" >> /etc/fstab
mkdir /media/mmcblk0p1
setup-apkcache /media/mmcblk0p1
Change repositories:
cat > /etc/apk/repositories <<EOF
/media/mmcblk0p1/apks
http://dl-cdn.alpinelinux.org/alpine/v3.18/main
http://dl-cdn.alpinelinux.org/alpine/v3.18/community
#http://dl-cdn.alpinelinux.org/alpine/edge/main
#http://dl-cdn.alpinelinux.org/alpine/edge/community
EOF
Then I could fix the install:
apk update
apk upgrade
# This final step is REQUIRED to keep configurations over reboots!
lbu commit -d
6. Add some configurations before rebooting
Let’s add a firewall:
apk add ufw
ufw default deny incoming
ufw allow ssh
ufw enable
lbu commit -d
And configure SSH to only allow the ssh group with public key authentication:
addgroup ssh
adduser root ssh
adduser $USER ssh
sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sed -i -e 's/#PubkeyAuthentication no/PubkeyAuthentication yes/' /etc/ssh/sshd_config
echo "AllowGroupes ssh" >> /etc/ssh/sshd_config
/etc/init.d/sshd reload
lbu commit -d
7. reboot
Run the reboot
command and connect to your IP address. You’re in! Now you can add more packages…
ssh 192.168.0.144 -i ~/.ssh/id_ed25519