❗ N.B. Copy to 📂 /etc; do not symlink...
- Sets up WSL2 to use systemd
- WSL2 is instructed to not create 📄 resolv.conf – not anymore, see below
- Interop is enabled, but no Windows directories are added to the PATH automatically
  - Instead this is done via 📄 ~/.profile.d/03-path-wsl
- Automatic mounting of Windows filesystems is disabled – instead, the C- and D-drive are manually mounted via 📄 /etc/fstab
  - This is done so the D-drive (/mnt/d) can be mounted with fmask 111 (disabling the execute-bit for all files by default) – execute can then be enabled on a per-file basis with chmod; the metadata option ensures these Linux permission bits persist in NTFS (without it, a chmod does not survive)
  - This cannot be done via a regular [automount]-section as it's impossible to differentiate between drives there – mounting the C-drive with fmask 111 (for all intents and purposes) breaks interop, as Windows executables under /mnt/c can no longer be launched from Linux.
- A mount-point for AppArmor (/sys/kernel/security) is created – see 📂 windows for more details
- A default username (thijs) is set
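As an added example (not the 📄 /etc/fstab from this repository), the manual mounts described above: C: with default permissions so interop keeps working, D: with fmask=111 and metadata so nothing on the data drive executes unless explicitly allowed per file. The uid/gid of 1000 and the securityfs line for the AppArmor mount-point are assumptions.

```fstab
# Added example, not the repository's own /etc/fstab.
# Used with [automount] enabled=false in /etc/wsl.conf; mountFsTab stays at its default (true),
# so WSL2 still processes this file at boot.
#
# C: keeps drvfs' normal permissions, so Windows executables under /mnt/c remain runnable from
# Linux and interop keeps working. uid/gid 1000 are assumed to be the default user.
C:      /mnt/c  drvfs   defaults,metadata,uid=1000,gid=1000            0 0

# D: is mounted with fmask=111: every file loses the execute bit by default (mode 666), so a
# stray binary or script on the data drive does not run. 'metadata' stores chmod changes as NTFS
# metadata, so a deliberate per-file 'chmod +x' persists across remounts; without it the bits are
# not stored and fmask alone decides.
D:      /mnt/d  drvfs   defaults,metadata,uid=1000,gid=1000,fmask=111  0 0

# securityfs mount-point for AppArmor (assumed to be what the list item above refers to)
none    /sys/kernel/security    securityfs  defaults    0 0
```

After editing, `sudo mount -a` (or `wsl --shutdown` from Windows) applies the entries; `mount | grep drvfs` shows the effective options, and a freshly created file on /mnt/d should list as `-rw-rw-rw-` while `chmod +x` on it sticks.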
When running WSL2 with Microsoft's own /init instead of systemd, a handful of
services need to be started at boot. Update the [boot]-section to match
the below:
📄 /etc/wsl.conf
```ini
[boot]
systemd=false
command=service rsyslog start && service dbus start && service cron start && service anacron start
```
I've recently tweaked my firewall settings so that Windows' DNS works properly
in WSL2 (I needed mDNS inside WSL2). This allows for a much more robust DNS
setup, so there is no longer any need for a custom 📄 /etc/resolv.conf.
Additionally, as of WSL 2.0.0 with dnsTunneling enabled, it doesn't make sense
to touch the DNS settings at all anymore: with this option enabled, DNS requests
are no longer sent over the (virtual) network, so firewall settings don't affect
DNS anymore.
The below is kept for reference:
📄 /etc/resolv.conf
```
search sgraastra
nameserver 192.168.x.x
```
As of the initial Windows 11 release (21H2; build 22000.194) there appears to
be an issue which causes WSL2 to delete 📄 /etc/resolv.conf at boot – see
microsoft/WSL#5420 for details.
To work around this issue, make the modified 📄 resolv.conf immutable:
`sudo chattr +i /etc/resolv.conf`. You might need to remove and recreate
📄 /etc/resolv.conf first (as the file created by WSL2 doesn't allow chattr
to be run against it). `lsattr /etc/resolv.conf` should then show the `i` flag.
With mirrored-mode networking enabled, WSL2 seems to fully bypass the Windows Filtering Platform (i.e. simplewall), effectively connecting itself to the network without any filtering...
A firewall thus needs to be enabled inside WSL2.
The 📄 nftables.conf provides a sane default for a workstation; it's based on
a combination of Gentoo's and Arch's typical workstation configurations, with
some (trial-and-error) modifications of my own.
❗ N.B. After copying (relevant parts of) the file to
📄 /etc/nftables.conf, run `sudo systemctl enable --now nftables` to ensure
nftables is enabled at boot; `sudo nft list ruleset` shows the rules actually loaded.
The only (substantial) addition to the typical configuration is to allow incoming (IPv4) DNS-traffic. This is somehow required for containers running via the (Ubuntu-native) Docker-daemon to be able to resolve names. As yet it's unclear exactly why, but probably related to WSL2's DNS-tunneling feature... Keep the rule restricted to the Docker bridge interface rather than accepting DNS on every interface, so the exception only covers container traffic.
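The relevant part of an input chain, as an added example (not this repository's 📄 nftables.conf): the over-broad rule beside a version scoped to the Docker bridge. The interface name docker0 and the 172.17.0.0/16 range are Docker's defaults and are assumed here. The likely mechanism, consistent with the observation above, is that with dnsTunneling the nameserver in /etc/resolv.conf is an address local to the WSL2 VM, so the containers' forwarded queries arrive over the bridge on the input chain rather than being forwarded outwards.

```nft
#!/usr/sbin/nft -f
# Added example, not the repository's nftables.conf. Only the DNS-related part of the
# input chain is shown; the rest of a workstation ruleset is omitted.
# docker0 and 172.17.0.0/16 are Docker's default bridge and address range (assumed).
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop
        iif "lo" accept

        # Too broad: any host that can reach the WSL2 VM may now send it port-53 traffic.
        # udp dport 53 accept

        # Scoped variant: only accept DNS that arrives from the Docker bridge, from
        # Docker's own range. Containers forward their lookups to the nameserver from
        # /etc/resolv.conf; with dnsTunneling that address is local to the VM, so the
        # packets land on this input chain via docker0.
        iifname "docker0" ip saddr 172.17.0.0/16 udp dport 53 accept
        iifname "docker0" ip saddr 172.17.0.0/16 tcp dport 53 accept

        # Everything not explicitly accepted is dropped by the chain policy.
    }
}
```

User-defined Docker networks use `br-<id>` bridges instead of docker0; `iifname "br-*"` (with the matching subnet) covers those. `sudo nft -c -f /etc/nftables.conf` checks the file before loading it, and a `docker run --rm alpine nslookup example.com` from inside WSL2 confirms resolution still works once the rule is in place.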