USB Linux Part 2

Introduction

This small series describes the process of creating a LiveCD Linux distribution. In Part 1, a custom Alpine Linux iso was created with the WireGuard and Broadcom Wi-Fi packages integrated. That iso can now be installed to a usb flash disk, and the required software added to it to give the LiveCD build.

As the Linux system is copied to, and runs from, ram, we need to be mindful of which packages are installed so that we do not exceed the computer's ram. This means installing the minimum needed to get a desktop environment and using lightweight terminal applications.

Installing the ISO to the USB

Requirements

  • Machine booting the custom iso created in Part 1; I use a virtual machine for this.
  • USB formatted with a bootable partition. I formatted the usb with one partition using a vfat file system.

Install

Plug the usb into the machine or, if using a VM, use usb pass-through. Boot the iso and log in to the root terminal by entering the username root. Once at the root terminal, install syslinux:

# apk add syslinux

Load the vfat kernel module:

# modprobe vfat

Determine the correct device and partition to install to:

# dmesg # lists the device name of the usb, for example, "sda"
# fdisk -l # lists the partition labels, for example, "sda1"

Install Alpine Linux using setup-bootable; below uses the example usb partition “sda1”:

# setup-bootable /media/cdrom /dev/sda1

The usb is now ready and will boot into Alpine Linux running in diskless mode (run from ram).

Setting up the USB

Boot up the newly created usb; this is best done on a machine with ethernet access.

Note: For ease of set up I boot the USB into a VM with usb pass through.

Setup Alpine

Log into the root terminal by entering the username ‘root’. Start the Alpine setup script with:

# setup-alpine

Follow the guided setup. Use these settings for the last questions:

  • Which disk(s) would you like to use? none
  • Enter where to store configs: usb
  • Enter apk cache directory: /media/usb/cache

Commit the changes to the usb using lbu (local backup):

# lbu commit -d

The changes made by the setup-alpine script are now stored on the usb and will be loaded when booting from the usb. Restart the system and boot back into Alpine Linux. We can now log into the root terminal using the password provided during the setup script and continue the setup.

Add the community repository

Add the community repository by uncommenting the url ending with v3.11/community in /etc/apk/repositories, for example:

/etc/apk/repositories

...
http://dl-cdn.alpinelinux.org/alpine/v3.11/community/
...

Reload the repositories and apply any upgrades with:

# apk update
# apk upgrade

User management

Create a user, for example, portable:

# adduser portable

Now grant the user sudo privileges:

# apk add sudo
# visudo

And enter:

# visudo

...
##
## User privilege specification
##
portable ALL=(ALL:ALL) ALL
...

Installing a desktop environment

There are several desktop environments that can be installed on Alpine Linux. I installed xfce as it is both lightweight and fast.

Install the required packages with:

# setup-xorg-base xfce4 xfce4-terminal lightdm-gtk-greeter xfce-polkit slock consolekit2 dbus-x11 ntfs-3g xf86-input-mouse xf86-input-keyboard kbd

Auto-login to the desktop environment

To automatically log in to xfce on system boot, first create a new system group called autologin and add the user to it:

# addgroup --system autologin
# addgroup portable autologin

Then create /etc/lightdm/lightdm.conf with the following:

/etc/lightdm/lightdm.conf

[Seat:*]
autologin-user=portable
autologin-user-timeout=0
autologin-session=xfce

Add lightdm to start at boot:

# rc-update add lightdm default

Set up Wireless and Broadcom support

These packages will allow the system to connect and manage WiFi connections:

# apk add dbus iwd wireless-tools networkmanager b43-fwcutter b43-firmware

Note: this setup uses iwd instead of wpa_supplicant for the backend of NetworkManager.

Add these services to start at boot:

# rc-update add hwdrivers sysinit
# rc-update add iwd default
# rc-update add networkmanager default
# rc-update add dbus default

Add the Broadcom b43 module to /etc/modules; this automatically loads the module at boot:

# echo b43 >> /etc/modules

Edit NetworkManager to use iwd (by default it uses wpa_supplicant) by adding the below to /etc/NetworkManager/NetworkManager.conf:

/etc/NetworkManager/NetworkManager.conf

...
[device]
wifi.backend=iwd
...

Add the user to plugdev group to allow control of NetworkManager:

# addgroup portable plugdev

The NetworkManager command line interface can now be started, whilst logged in as user portable, with:

$ nmcli

WireGuard

The custom iso we installed has the WireGuard kernel module installed. We now need to set up the tools to use it. The configuration below will use wg-quick to bring up the WireGuard interface:

# apk add wireguard-tools ip6tables

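Generate the private and public keys. The subshell sets umask 077 so that tee does not create the private key world-readable:

# mkdir /etc/wireguard/
# (umask 077; wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey)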

Create a WireGuard configuration file, for example:

/etc/wireguard/wg0.conf

[Interface]
Address = 10.0.1.2/32
PrivateKey = {copied from /etc/wireguard/privatekey}
DNS = 9.9.9.9

[Peer]
PublicKey = {public key of peer to connect to}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.domain.tld:{port the peer listens on}
PersistentKeepalive = 25

Bring up the interface with (requires sudo when logged in as user):

# wg-quick up wg0

Note: Detailed set up of WireGuard is beyond the scope of this write up. Resources to help with this can be found here.
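Both /etc/wireguard/privatekey and wg0.conf hold the interface's private key, so neither should be readable by group or other. The script below is an added example, not part of the original write-up, that reports and then tightens such files; the function names are hypothetical and the key material in the demo is constructed.

```sh
#!/bin/sh
# Added example: find WireGuard secrets that group/other can read.
# Paths follow the page; function names are hypothetical helpers.

# Succeed only if file $1 grants no access to group or other.
owner_only() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        0|*00) return 0 ;;   # e.g. 600, 400
        *)     return 1 ;;   # e.g. 644, as tee leaves it under umask 022
    esac
}

# List secret-bearing files in directory $1 that are not owner-only:
# the generated private key and any *.conf holding a PrivateKey line.
wg_exposed() {
    for f in "$1"/privatekey "$1"/*.conf; do
        [ -f "$f" ] || continue
        case $f in
            *.conf) grep -q '^[[:space:]]*PrivateKey[[:space:]]*=' "$f" || continue ;;
        esac
        owner_only "$f" || echo "$f"
    done
}

# Restrict the directory and every file reported by wg_exposed to the owner.
wg_harden() {
    chmod 700 "$1"
    wg_exposed "$1" | while IFS= read -r f; do chmod 600 "$f"; done
}

# Constructed demo: a stand-in key written by tee under umask 022.
demo=$(mktemp -d)
( umask 022; printf 'constructed-not-a-real-key\n' | tee "$demo/privatekey" >/dev/null )
wg_exposed "$demo"    # reports the key file
wg_harden "$demo"
wg_exposed "$demo"    # reports nothing once the key is mode 600
rm -rf "$demo"
```

On the system built here, run wg_exposed /etc/wireguard as root before committing with lbu.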

Adding Sound Support

Add sound support by installing:

# apk add alsa-utils alsa-utils-doc alsa-lib alsaconf

Add alsa to start at boot:

# rc-update add alsa default

Then add the user to the audio group:

# addgroup portable audio

Sound can now be controlled, whilst logged in as user portable, using:

$ alsamixer

Add applications

Now is the time to add any other needed programs, for example:

# apk add firefox-esr vlc-qt keepassxc ranger vim htop git

Commit the changes

lbu only commits changes from /etc/ by default. We can include the user’s home directory in commits with:

# lbu include /home/portable/

Then commit all the above changes with:

# lbu commit -d -e

Note: -e will password protect the changes. At system boot the user will be asked to supply this password to unlock the overlay file.

Any other changes made at a later time to the system or home directory (e.g. extra packages or files) can be committed using lbu commit -d -e whilst the usb flash drive is still plugged in.
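The usb is vfat, which carries no Unix permissions, so the -e encryption is the only thing protecting the committed /etc (including the WireGuard key) and home directory on the stick. The script below is an added example, not part of the original write-up, that flags any overlay on the usb that is not OpenSSL-encrypted by reading its header rather than trusting its name. It assumes lbu's default overlay naming (*.apkovl.tar.gz, with a cipher suffix when encrypted); the function names are hypothetical and the demo files are constructed.

```sh
#!/bin/sh
# Added example: verify that overlays on the usb are really encrypted.
# Function names are hypothetical; the overlay name pattern is an assumption.

# Classify file $1 by its first 8 bytes.
overlay_kind() {
    hex=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $hex in
        53616c7465645f5f) echo encrypted ;;  # ASCII "Salted__" (openssl enc)
        1f8b*)            echo plaintext ;;  # gzip magic: an unencrypted tar.gz
        *)                echo unknown ;;
    esac
}

# Print every overlay under mount point $1 that is not encrypted.
unencrypted_overlays() {
    for f in "$1"/*.apkovl.tar.gz*; do
        [ -f "$f" ] || continue
        [ "$(overlay_kind "$f")" = encrypted ] || echo "$f"
    done
}

# Constructed demo: one encrypted-looking and one plain gzip overlay.
demo=$(mktemp -d)
printf 'Salted__constructed' > "$demo/host.apkovl.tar.gz.aes-256-cbc"
printf '\037\213\010\000constructed' > "$demo/host.apkovl.tar.gz"
unencrypted_overlays "$demo"    # reports only host.apkovl.tar.gz
rm -rf "$demo"
```

On the system built here, run unencrypted_overlays /media/usb after each lbu commit -d -e; any path it prints is readable by whoever holds the usb.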

Summary

The usb is now set up with an xfce desktop, sound, networking including WireGuard, and common applications. All of these are password protected at boot. The system will also continue running when the usb is removed.

Using the setup above, the total ram use is around 2gb when browsing the internet on firefox with a WireGuard interface running. A lightweight customisable LiveCD Linux!


May 2020