syselement's Blog
Ubuntu Server - VM

Last updated 1 month ago


🌐 Resources 🔗

  • Ubuntu Server

  • Ubuntu Server docs

First Install - Virtual Machine

  • Create a new Virtual Machine in VMware with preferred specs:

    • Processors: 1 CPU - 2 Cores

      • enable Virtualize Intel VT-x/EPT or AMD-V/RVI

    • RAM Memory: 2 GB

    • Hard Disk: 15 GB

    • CD: use the Ubuntu Server LTS .iso image file and check Connect at power on

    • Network: set it as NAT

    • Display: Deactivate Accelerate 3D graphics

    • Edit virtual machine and Remove: Printer

  • Boot the virtual machine and proceed with the Ubuntu Server Installation

Installation Process

  1. Boot to Try or Install Ubuntu Server

  2. Choose the language

  3. Update to the new installer (if offered)

  4. Select keyboard layout

  5. Select Ubuntu Server as base for the install

  6. Wait for Network connection to establish via DHCP (continue without networking if this fails)

    • Do not configure a proxy

  7. Leave Ubuntu archive mirror as it is (or change based on necessity)

  8. For storage, leave Use an entire disk checked, and choose a disk to install to

    • Edit the ubuntu-lv logical volume by assigning it the max size

  9. Select Done on the configuration screen and confirm the install

  10. Enter a username, hostname and password

  11. Skip the Ubuntu Pro upgrade for now

  12. On the SSH Setup screen, check Install OpenSSH server, then select Done on the next 2-3 screens

  13. Select Reboot


First Boot & Update

  • Disable CD Connect at power on

  • Boot Ubuntu Server

  • Connect through SSH and/or run the following commands

sudo apt -y update && sudo apt -y dist-upgrade && sudo apt -y autoremove
  • Reboot the system

reboot

Configurations

  • SSH into the VM

# TIMEZONE
sudo timedatectl set-timezone Europe/Rome

# DISABLE AUTOMATIC UPDATES
sudo sed -i 's/1";/0";/' /etc/apt/apt.conf.d/20auto-upgrades
sudo systemctl disable apt-daily{,-upgrade}.timer
sudo systemctl mask apt-daily{,-upgrade}.service

# If not using Ubuntu PRO:
# Disable Ubuntu Pro ESM Hook and MOTD Spam - thanks to UnspamifyUbuntu
sudo mv /etc/apt/apt.conf.d/20apt-esm-hook.conf /etc/apt/apt.conf.d/20apt-esm-hook.conf.disabled
sudo sed -Ezi.orig \
  -e 's/(def _output_esm_service_status.outstream, have_esm_service, service_type.:\n)/\1    return\n/' \
  -e 's/(def _output_esm_package_alert.*?\n.*?\n.:\n)/\1    return\n/' \
  /usr/lib/update-notifier/apt_check.py
sudo /usr/lib/update-notifier/update-motd-updates-available --force
sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news

# Change "root" user password
sudo passwd root

Expand Partition and Filesystem

  • Turn off the VM, increase disk space on the hypervisor, turn on the VM

  • Proceed with expanding the necessary partition on the server

sudo -i
apt -y install cloud-guest-utils gdisk
df -h
lsblk

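growpart /dev/sda 3 # 3 is the partition number
lsblk

# Plain ext4 partition: grow the filesystem
resize2fs /dev/sda3

# or this for LVM: grow the physical volume first, then the logical volume and its filesystem
pvresize /dev/sda3
lvextend -r -l +100%FREE /dev/mapper/ubuntu--vg-ubuntu--lv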

df -h

Network

Static IP

  • Set a static IP in the netplan .yaml if not configured during OS installation.

# Show listening sockets and running services
sudo ss -atpu

# List available network interfaces and use the interface ens32
ip -br -c a

# Disable cloud-init networking configuration - if necessary
sudo nano /etc/cloud/cloud.cfg.d/subiquity-disable-cloudinit-networking.cfg
# Make sure it is "disabled"
# network: {config: disabled}

# Open the netplan configuration file for editing
sudo nano /etc/netplan/00-installer-config.yaml
# or
sudo nano /etc/netplan/50-cloud-init.yaml

    # This is the network config written by 'subiquity'
    network:
      version: 2
      ethernets:
        ens32:
          addresses: [<IP>/24]
          gateway4: <GATEWAY_IP>  # deprecated in newer netplan releases in favour of a default route under "routes:"
          nameservers:
            addresses: [1.1.1.1, 9.9.9.9]
            
# Exit and save

# Apply the netplan configuration changes
sudo netplan apply

# Reboot the system
  • If necessary and the VM has 2 NICs, add the second one in the netplan .yaml

# List available network interfaces and check the second interface name
ip -br -c a

# Example of DHCP on both network interfaces
sudo nano /etc/netplan/50-cloud-init.yaml

    network:
        ethernets:
            enp0s3:
                dhcp4: true
            enp0s8:
                dhcp4: true
        version: 2

Tuning

Basic Tools

# Tools
sudo apt install -y apt-transport-https aptitude btop ca-certificates coreutils curl duf eza fastfetch gdu git-all gnupg iftop locate nano net-tools nload npm pipx software-properties-common speedtest-cli sshpass sysstat tree ugrep vim wget zsh

sudo apt-add-repository ppa:zanchey/asciinema
sudo apt update && sudo apt install asciinema

Docker - Ubuntu

sudo su
apt install curl

# Docker Engine - Convenience Script
sh <(curl -sSL https://get.docker.com)

# Docker Compose
LATEST=$(curl -sL https://api.github.com/repos/docker/compose/releases/latest | grep '"tag_name":' | cut -d'"' -f4)
DOCKER_CONFIG=${DOCKER_CONFIG:-$HOME/.docker}
mkdir -p "$DOCKER_CONFIG/cli-plugins"
# Download into the plugin directory created above; -f makes curl fail on an HTTP error instead of saving the error page
curl -fsSL "https://github.com/docker/compose/releases/download/$LATEST/docker-compose-linux-x86_64" -o "$DOCKER_CONFIG/cli-plugins/docker-compose"
chmod +x "$DOCKER_CONFIG/cli-plugins/docker-compose"
docker compose version

# Add a user to the "docker" group to let it run Docker
# Note: members of the "docker" group have root-equivalent access to the host
sudo groupadd docker
sudo gpasswd -a "${USER}" docker
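
A hardened variant of the Compose download above, as an added example that is not part of the original guide: the binary is installed only when its SHA-256 matches the checksum file fetched alongside it. The helper name install_verified, the pinned VERSION variable and the .sha256 asset name are assumptions.

```shell
#!/bin/sh
# Added example: install a downloaded binary only if it matches its published SHA-256.
# install_verified is a hypothetical helper name.
# Usage: install_verified <downloaded file> <.sha256 file> <destination>
install_verified() {
    bin=$1; sumfile=$2; dest=$3
    # First field of the first line is the digest ("<hex>  <filename>")
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    # Reject anything that is not exactly 64 hex characters (e.g. a saved error page)
    case "$expected" in
        ''|*[!0-9a-f]*) echo "malformed checksum file: $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed checksum file: $sumfile" >&2; return 2; }
    actual=$(sha256sum "$bin" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $bin, not installing" >&2
        return 1
    fi
    # Copy into place with mode 0755, creating the parent directory if needed
    install -D -m 0755 "$bin" "$dest"
}

# Intended use with the Compose download above (VERSION is a release tag you pin yourself;
# the ".sha256" asset name is an assumption about the release layout):
#   base="https://github.com/docker/compose/releases/download/$VERSION"
#   curl -fsSL "$base/docker-compose-linux-x86_64"        -o /tmp/docker-compose
#   curl -fsSL "$base/docker-compose-linux-x86_64.sha256" -o /tmp/docker-compose.sha256
#   install_verified /tmp/docker-compose /tmp/docker-compose.sha256 \
#       "${DOCKER_CONFIG:-$HOME/.docker}/cli-plugins/docker-compose"
```

A checksum served from the same release only catches a corrupted or truncated download, so pin a release tag you have reviewed rather than resolving the latest one at install time.
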
  • Alternative to install Docker Engine (via APT)

# Install Docker Engine via APT repository

for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done

sudo apt update -y && sudo apt install -y ca-certificates curl gnupg

sudo sh -c '
    curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg
    sudo chmod a+r /usr/share/keyrings/docker.gpg

    echo "deb [arch="$(dpkg --print-architecture)" signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | sudo tee /etc/apt/sources.list.d/docker.list

    sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
'

sudo systemctl enable docker --now
sudo gpasswd -a "${USER}" docker

# On Debian and Ubuntu, the Docker service starts on boot by default, if not run
sudo systemctl enable docker.service
sudo systemctl enable containerd.service

# OR Disable the services at boot
sudo systemctl disable docker.service containerd.service
# still has docker.socket active to start the Docker service only when necessary

# Reboot and Test
reboot
docker run hello-world

Hardening

SSH-key-based authentication

  • Generate an SSH Key Pair on the local HOST from which the connection is established

# Local HOST
cd
mkdir -p ~/.ssh
cd ~/.ssh
ssh-keygen -t ed25519
# Type a secure passphrase when asked

chmod 700 ~/.ssh
chmod 600 ~/.ssh/*

# Add the SSH private key to the ssh-agent
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519
  • Add the Public Key to a system/sudo user on the Ubuntu Server VM

To use the same key saved on your GitHub profile, with the private key already on the Ubuntu local HOST (commands above), SSH into the Ubuntu Server VM and run the following curl command:

# Ubuntu Server VM
# -f makes curl fail on an HTTP error instead of appending the error page to authorized_keys
curl -fsS https://github.com/<github-username>.keys >> "$HOME/.ssh/authorized_keys"

# e.g.
curl -fsS https://github.com/syselement.keys >> "$HOME/.ssh/authorized_keys"

# Automatic (if password SSH is allowed)
ssh-copy-id <sudo_user>@<remote_Server_IP>

# Manually

# Local HOST
cat ~/.ssh/id_ed25519.pub
# copy the string
# Should start with ssh-ed25519 AAAA... or ssh-rsa AAAA... (if rsa)

# Ubuntu Server VM
echo "pubkey_string" >> ~/.ssh/authorized_keys
# Set permissions
chmod -R go= ~/.ssh
  • Log out and log in using the Private Key

ssh <sudo_user>@<remote_Server_IP>

# ssh -i ~/.ssh/id_ed25519 <sudo_user>@<remote_host_IP>

# Enter the key Passphrase if necessary
  • Disable SSH password authentication

# Delete sshd_config.d/50-cloud-init.conf
sudo rm /etc/ssh/sshd_config.d/50-cloud-init.conf

# Inside /etc/ssh/sshd_config set PasswordAuthentication to "no"
sudo sed -i '/^[#]*[[:space:]]*PasswordAuthentication[[:space:]]*yes/c\PasswordAuthentication no' /etc/ssh/sshd_config

# Restart SSH service (the systemd unit is named "ssh" on Ubuntu)
sudo systemctl restart ssh
  • Log out and log in again. Only SSH-key-based authentication is permitted.
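
A check for the step above, as an added example that is not part of the original guide: sshd keeps the first value it reads for each keyword, and files pulled in by Include are read at the position of the Include line, so a leftover drop-in can keep password logins enabled after the sed edit. The function names effective_password_auth and _scan_sshd_file are hypothetical, and Match blocks are skipped as a simplification.

```shell
#!/bin/sh
# Added example: report the PasswordAuthentication value sshd will use globally.
# sshd keeps the FIRST value it reads for a keyword; Include globs are read in place.
# Simplification (assumption): everything after a "Match" line in a file is skipped.
# effective_password_auth and _scan_sshd_file are hypothetical helper names.

_scan_sshd_file() {                 # $1 = config file, $2 = base dir for relative Includes
    [ -r "$1" ] || return 0
    while read -r key rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$key" in
            ''|'#'*) continue ;;    # blank line or comment (commented-out settings too)
            match)   break ;;       # conditional block: not a global setting
            include)
                for pat in $rest; do
                    case "$pat" in /*) ;; *) pat="$2/$pat" ;; esac
                    # unquoted on purpose: the shell expands the glob in sorted order
                    for f in $pat; do ( _scan_sshd_file "$f" "$2" ); done
                done ;;
            passwordauthentication)
                printf '%s\n' "$rest" | tr '[:upper:]' '[:lower:]' | awk '{print $1}' ;;
        esac
    done < "$1"
}

effective_password_auth() {         # $1 = path to the main sshd_config
    val=$(_scan_sshd_file "$1" "$(dirname "$1")" | head -n 1)
    echo "${val:-yes}"              # nothing set anywhere: OpenSSH defaults to "yes"
}

# On the server:  effective_password_auth /etc/ssh/sshd_config
# Cross-check against sshd itself:  sudo sshd -T | grep -i '^passwordauthentication'
```
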


... more to come ...


Follow the guide here to set up Zsh with Oh-My-Zsh - Zsh & Oh-My-Zsh - syselement

Remove unwanted spam with UnspamifyUbuntu - Github Skyedra

Ubuntu Server with OpenSSH pre-installed comes with the PasswordAuthentication yes parameter already set inside /etc/ssh/sshd_config.d/50-cloud-init.conf (or /etc/ssh/sshd_config). If the parameter is commented out, the default is yes (password auth permitted) for sshd_config.