Linux/Xen/DomU/Ubuntu/Ubuntu 18.04 LTS: Difference between revisions

From Guungle
Latest revision as of 11:50, 14 December 2018

Ubuntu 18.04 LTS

Start this process on an existing Ubuntu system; it does not have to be an 18.04 system. You will need debootstrap installed, and may need to update it so that it has the correct script for 18.04 (bionic).

Create an empty image file and format it with ext3.

dd if=/dev/zero of=ubuntu_bionic.img bs=1M count=1 seek=1024
mkfs.ext3 ubuntu_bionic.img

Create a directory to mount the image on; '/mnt/img' is used for this example.

mkdir /mnt/img
mount -oloop ubuntu_bionic.img /mnt/img

Start the debootstrap process.

debootstrap --variant=minbase --include=iproute2,net-tools,isc-dhcp-client,isc-dhcp-common,rsyslog  bionic /mnt/img/

Once that completes, copy your existing /etc/apt/sources.list into the new image so that we can run updates.

cp /etc/apt/sources.list /mnt/img/etc/apt/

Mount the necessary system files so that we can enter the new root filesystem with chroot.

mount --bind /dev /mnt/img/dev
mount --bind /dev/pts /mnt/img/dev/pts
mount -t proc proc /mnt/img/proc
mount -t sysfs sys /mnt/img/sys
chroot /mnt/img

Run updates and install a language pack.

apt-get update
apt-get install language-pack-en-base
apt-get upgrade

Install a frontend for debconf.

apt-get install whiptail

Install timezone data.

apt-get install tzdata

Configure the system timezone.

dpkg-reconfigure tzdata

Install the kernel image, the SSH server and the full version of vim.

apt-get install linux-image-4.15.0-42-generic
apt-get install openssh-server
apt-get install vim

Network

Ubuntu 18.04 no longer uses the traditional '/etc/network/interfaces'; it has switched to netplan.io.

apt-get install netplan.io

Configure /etc/netplan/01-netcfg.yaml for DHCP.

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes

We need to allow root logins over SSH.

Edit /etc/ssh/sshd_config and change,

#PermitRootLogin prohibit-password

to

PermitRootLogin yes

GRUB

Set up a basic GRUB config in "/boot/grub/menu.lst". In order for "xl console" to work we need to spawn a console on hvc0, so add "console=hvc0" to the kernel lines.

default         0
timeout         2

title           Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic
root            (hd0)
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.15.0-42-generic

title           Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic (recovery mode)
root            (hd0)
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro  single console=hvc0
initrd          /boot/initrd.img-4.15.0-42-generic

Configure a basic fstab

# Begin /etc/fstab
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
/dev/sda1          /             ext3      defaults,errors=remount-ro    0     0
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will be cloned to create new virtual machines, we don't want every virtual machine to re-use the same host keys. Ubuntu won't regenerate SSH host keys if you delete them from /etc/ssh, so we need a script that checks the host keys and regenerates them if needed. systemd will call the script whenever sshd starts or restarts.

Ubuntu 18.04 ships OpenSSH version 7, in which DSA keys are deprecated, so we don't need to generate a DSA host key.

Create /usr/sbin/rebuild-sshd-keys and paste this in,

#!/bin/sh
# Regenerate any SSH host key that is missing or empty. Called by systemd
# (rebuild-sshd-keys.service) before sshd starts.

KEYGEN=/usr/bin/ssh-keygen
RSA_KEY=/etc/ssh/ssh_host_rsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key

# do_keygen TYPE FILE: if FILE is missing or empty, generate a TYPE host key
# there with an empty passphrase and comment, then fix the permissions.
do_keygen() {
    type=$1
    key=$2
    if [ ! -s "$key" ]; then
        echo -n "Generating SSH2 $(echo "$type" | tr '[:lower:]' '[:upper:]') host key: "
        # Remove a zero-length leftover so ssh-keygen does not prompt to overwrite.
        rm -f "$key"
        if [ ! -f "$key" ] && $KEYGEN -q -t "$type" -f "$key" -C '' -N '' >/dev/null; then
            chmod 600 "$key"
            chmod 644 "$key.pub"
            echo "OK"
        else
            echo "FAIL"
            exit 1
        fi
    fi
}

do_keygen rsa "$RSA_KEY"
do_keygen ecdsa "$ECDSA_KEY"
do_keygen ed25519 "$ED25519_KEY"

Make the script executable.

chmod 755 /usr/sbin/rebuild-sshd-keys

Create a new systemd unit file, "/lib/systemd/system/rebuild-sshd-keys.service" and paste this in,

[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=ssh.service ssh.socket

[Service]
ExecStart=/usr/sbin/rebuild-sshd-keys
Type=oneshot
RemainAfterExit=yes

Edit "/lib/systemd/system/ssh.service" and make these changes so that it uses the new rebuild-sshd-keys.service unit.

--- ssh.service.old     2018-12-09 23:51:39.687140401 +0000
+++ ssh.service 2018-12-09 23:53:14.364249439 +0000
@@ -1,7 +1,8 @@
 [Unit]
 Description=OpenBSD Secure Shell server
-After=network.target auditd.service
+After=network.target auditd.service rebuild-sshd-keys.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+Wants=rebuild-sshd-keys.service

 [Service]
 EnvironmentFile=-/etc/default/ssh
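Review bot: both added lines land in the packaged unit under /lib/systemd/system, which is not a conffile, so the next openssh-server upgrade replaces ssh.service and drops the `After=` and `Wants=` additions without asking. Put the same two settings in a drop-in instead, e.g. /etc/systemd/system/ssh.service.d/rebuild-sshd-keys.conf containing `[Unit]`, `After=rebuild-sshd-keys.service`, `Wants=rebuild-sshd-keys.service` (After= is additive across drop-ins, so the existing network.target and auditd.service ordering is kept); that survives upgrades, leaves the distribution file untouched, and is picked up by `systemctl daemon-reload`.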

Enable the new systemd unit files.

systemctl enable rebuild-sshd-keys.service
systemctl enable ssh.service

Firewall

apt-get install iptables
apt-get install ufw

ufw allow OpenSSH
ufw enable

Final Cleanup

Set a hostname, remove the SSH host keys so that new ones get generated on first boot, and set a root password.

echo 'bionic' > /etc/hostname
rm /etc/ssh/ssh_host_*
passwd root
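As an added check that is not part of the original page, the script below audits a prepared image root (the /mnt/img chroot from above) for the things this page sets up before the image is cloned: no baked-in host keys, an executable /usr/sbin/rebuild-sshd-keys, the Wants=/After= hookup in ssh.service, and console=hvc0 on every menu.lst kernel line. Given several cloned roots it also counts public host keys that appear in more than one of them, which is exactly the reuse the rebuild-sshd-keys unit exists to prevent. The function names are mine; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a prepared DomU root
# filesystem (e.g. /mnt/img) for the host-key hygiene this page sets up.
# audit_image ROOT: run the checks against the root mounted at ROOT and
# return the number of failed checks (0 means the image is ready to clone).
audit_image() {
    root=$1
    fails=0
    # 1. No baked-in host keys: every clone must generate its own on first boot.
    for k in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$k" ] || continue
        echo "FAIL: host key left in image: ${k#$root}"
        fails=$((fails + 1))
    done
    # 2. The regeneration script is in place and executable.
    if [ ! -x "$root/usr/sbin/rebuild-sshd-keys" ]; then
        echo "FAIL: /usr/sbin/rebuild-sshd-keys missing or not executable"
        fails=$((fails + 1))
    fi
    # 3. ssh.service both pulls in and orders after rebuild-sshd-keys.service.
    unit="$root/lib/systemd/system/ssh.service"
    if ! grep -q '^Wants=.*rebuild-sshd-keys\.service' "$unit" 2>/dev/null ||
       ! grep -q '^After=.*rebuild-sshd-keys\.service' "$unit" 2>/dev/null; then
        echo "FAIL: ssh.service lacks Wants=/After= rebuild-sshd-keys.service"
        fails=$((fails + 1))
    fi
    # 4. Every kernel line in menu.lst needs console=hvc0 or "xl console" stays blank.
    if grep '^kernel' "$root/boot/grub/menu.lst" 2>/dev/null | grep -qv 'console=hvc0'; then
        echo "FAIL: menu.lst kernel line without console=hvc0"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# find_shared_host_keys ROOT...: count public host keys whose content appears
# in more than one root, i.e. clones that booted with identical keys.
find_shared_host_keys() {
    for r in "$@"; do
        for p in "$r"/etc/ssh/ssh_host_*_key.pub; do
            [ -f "$p" ] && sha256sum < "$p" | cut -d' ' -f1
        done
    done | sort | uniq -d | wc -l
}

# Usage: audit-image.sh ROOT [ROOT...]: audits the first root and compares them all.
if [ $# -gt 0 ]; then
    audit_image "$1" || exit 1
    echo "shared host keys across roots: $(find_shared_host_keys "$@")"
fi
```

Run it against the chroot before unmounting the image, and again against the mounted disks of several running clones to confirm none of them share a host key.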