Linux/Xen/DomU/Ubuntu/Ubuntu 18.04 LTS: Difference between revisions

From Guungle
Jump to navigation Jump to search
(Created page with "===Ubuntu 18.04 LTS=== Start this process on a existing Ubuntu system. Does not have to be a 18.04 system. You will need to have debootstrap installed and may need to update...")
 
 
(5 intermediate revisions by the same user not shown)
Line 13: Line 13:
  mount -oloop ubuntu_bionic.img /mnt/img
  mount -oloop ubuntu_bionic.img /mnt/img


Start the debootstrap process.
Start the debootstrap process.m


  debootstrap bionic /mnt/img/
  debootstrap --variant=minbase --include=iproute2,net-tools,isc-dhcp-client,isc-dhcp-common,rsyslog  bionic /mnt/img/


Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates.
Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates.
Line 34: Line 34:
  apt-get install language-pack-en-base
  apt-get install language-pack-en-base
  apt-get upgrade
  apt-get upgrade
Install a frontend for debconf
apt-get install whiptail
Install Timezone data
apt-get install tzdata


Configure the system timezone.
Configure the system timezone.
Line 41: Line 49:
Install the kernel image, SSH server and the full version of vim
Install the kernel image, SSH server and the full version of vim
   
   
  apt-get install linux-image-generic
  apt-get install linux-image-4.15.0-42-generic
  apt-get install openssh-server
  apt-get install openssh-server
  apt-get install vim
  apt-get install vim


To use the Xen console 'xm console (domU)' you need to setup a tty on /dev/hvc0. Create the file '/etc/init/hvc0.conf' with this content.
====Network====
 
Ubuntu 18.04 no longer used the traditional, '/etc/network/interfaces'. They have switched to netplan.io


<syntaxhighlight lang="bash">
apt-get install netplan.io
# This service maintains a getty on hvc0 from the point the system is
# started until it is shut down again.


start on stopped rc RUNLEVEL=[2345] and (
Configure /etc/netplan/01-netcfg.yaml for DHCP
            not-container or
            container CONTAINER=lxc or
            container CONTAINER=lxc-libvirt)
stop on runlevel [!2345]


respawn
<syntaxhighlight lang="bash">
exec /sbin/getty -8 38400 hvc0
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes
</syntaxhighlight>
</syntaxhighlight>


The default udev rules for 13.10 ignore Xen generated MAC addresses so you won't get a '/etc/udev/rules.d/70-persistent-net.rules' This causes your network interfaces not to come up.
We need to allow root logins over SSH.  
 
Edit '/lib/udev/rules.d/75-persistent-net-generator.rules' and comment these lines. Here's the changes in patch/diff format.
 
<syntaxhighlight lang="diff">
@@ -21,7 +21,7 @@ KERNEL!="eth*|ath*|wlan*[0-9]|msh*|ra*|s
                                        GOTO="persistent_net_generator_end"
 
# ignore Xen virtual interfaces
-SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"
+#SUBSYSTEMS=="xen",                    GOTO="persistent_net_generator_end"
 
# ignore UML virtual interfaces
DRIVERS=="uml-netdev",                GOTO="persistent_net_generator_end"
@@ -75,7 +75,7 @@ ENV{MATCHADDR}=="00:0c:29:*|00:50:56:*|0
ENV{MATCHADDR}=="00:15:5d:*",          ENV{MATCHADDR}=""
ENV{MATCHADDR}=="52:54:00:*|54:52:00:*", ENV{MATCHADDR}=""
ENV{MATCHADDR}=="08:00:27:*",          ENV{MATCHADDR}=""
-ENV{MATCHADDR}=="00:16:3e:*",          ENV{MATCHADDR}=""
+#ENV{MATCHADDR}=="00:16:3e:*",        ENV{MATCHADDR}=""


# ignore Windows Azure Hyper-V virtual interfaces
Edit /etc/ssh/sshd_config and change,
ENV{MATCHADDR}=="00:03:ff:*", ENV{MATCHADDR}=""
</syntaxhighlight>


Configure your '/etc/network/interfaces' for DHCP
#PermitRootLogin prohibit-password


<syntaxhighlight lang="bash">
to
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d


auto eth0
PermitRootLogin yes
iface eth0 inet dhcp
</syntaxhighlight>


====GRUB====
====GRUB====


Setup a basic grub config in "/boot/grub/menu.lst"
Setup a basic grub config in "/boot/grub/menu.lst"
In order for "xl console" to work we need to spawn a console on hvc0. So add "console=hvc0" to the kernel lines.


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
Line 106: Line 91:
timeout        2
timeout        2


title          Ubuntu 14.04
title          Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic
root            (hd0,0)
root            (hd0)
kernel          /boot/vmlinuz-3.13.0-24-generic root=/dev/xvda1 ro console=hvc0
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-3.13.0-24-generic
initrd          /boot/initrd.img-4.15.0-42-generic


title          Ubuntu 14.04 (Single-User)
title          Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic (recovery mode)
root            (hd0,0)
root            (hd0)
kernel          /boot/vmlinuz-3.13.0-24-generic root=/dev/xvda1 ro single console=hvc0
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro single console=hvc0
initrd          /boot/initrd.img-3.13.0-24-generic
initrd          /boot/initrd.img-4.15.0-42-generic
</syntaxhighlight>
</syntaxhighlight>


Line 130: Line 115:
====SSH host keys fix====
====SSH host keys fix====


Since this image will get cloned and used to create new virtual machines we don't want to re-use the same keys for every virtual machine. Ubuntu won't regenerate SSH host keys if you delete them from /etc/ssh. So we need a script to check the host keys and regenerate them if needed.
Since this image will get cloned and used to create new virtual machines we don't want to re-use the same keys for every virtual machine. Ubuntu won't regenerate SSH host keys if you delete them from /etc/ssh. So we need a script to check the host keys and regenerate them if needed. The script will get called by systemd during sshd start/restart


Create /lib/init/ssh_gen_key and paste this in,
Ubuntu 18.04 is running OpenSSH version 7 and DSA keys are being deprecated so we don't need to generate a DSA host key.
 
Create /usr/sbin/rebuild-sshd-keys and paste this in,


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#!/bin/sh
#!/bin/sh


# Some variables to make things more readable  
# Some variables to make things more readable
KEYGEN=/usr/bin/ssh-keygen
KEYGEN=/usr/bin/ssh-keygen
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key
Line 153: Line 138:
                         chmod 600 $RSA_KEY
                         chmod 600 $RSA_KEY
                         chmod 644 $RSA_KEY.pub
                         chmod 644 $RSA_KEY.pub
echo "OK"
                else
echo "FAIL"
                        exit 1
                fi
        fi
}
do_dsa_keygen() {
        if [ ! -s $DSA_KEY ]; then
                echo -n "Generating SSH2 DSA host key: "
                rm -f $DSA_KEY
                if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >/dev/null; then
                        chmod 600 $DSA_KEY
                        chmod 644 $DSA_KEY.pub
echo "OK"
echo "OK"
                 else
                 else
Line 207: Line 177:


do_rsa_keygen
do_rsa_keygen
do_dsa_keygen
do_ecdsa_keygen
do_ecdsa_keygen
do_ed25519_keygen
do_ed25519_keygen
</syntaxhighlight>
</syntaxhighlight>


  chmod 755 /lib/init/ssh_gen_keys
  chmod 755 /usr/sbin/rebuild-sshd-keys


Edit /etc/init/ssh.conf
Create a new systemd unit file, "/lib/systemd/system/rebuild-sshd-keys.service" and paste this in,


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
@@ -20,6 +20,7 @@ pre-start script
[Unit]
    test -c /dev/null || { stop; exit 0; }
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=ssh.service ssh.socket


    mkdir -p -m0755 /var/run/sshd
[Service]
+   /lib/init/ssh_gen_keys
ExecStart=/usr/sbin/rebuild-sshd-keys
end script
Type=oneshot
RemainAfterExit=yes
</syntaxhighlight>
 
Edit "/lib/systemd/system/ssh.service" and make these changes to use the new rebuild-sshd-keys.service unit file.
 
<syntaxhighlight lang="bash">
--- ssh.service.old    2018-12-09 23:51:39.687140401 +0000
+++ ssh.service 2018-12-09 23:53:14.364249439 +0000
@@ -1,7 +1,8 @@
[Unit]
Description=OpenBSD Secure Shell server
-After=network.target auditd.service
+After=network.target auditd.service rebuild-sshd-keys.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+Wants=rebuild-sshd-keys.service


  # if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
  [Service]
EnvironmentFile=-/etc/default/ssh
</syntaxhighlight>
</syntaxhighlight>
Enable the new systemd unit files.
systemctl enable rebuild-sshd-keys.service
systemctl enable ssh.service


====Firewall====
====Firewall====
Line 240: Line 234:


Set a hostname.
Set a hostname.
Remove /etc/udev/rules.d/70-persistent-net.rules so that network comes up clean when the image is booted for the first time.


Remove SSH host keys so that new ones get generated on first boot.
Remove SSH host keys so that new ones get generated on first boot.
Line 248: Line 240:


<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
echo 'trusy' > /etc/hostname
echo 'bionic' > /etc/hostname
rm /etc/udev/rules.d/70-persistent-net.rules
rm /etc/ssh/ssh_host_*
rm /etc/ssh/ssh_host_*
passwd root
passwd root
</syntaxhighlight>
</syntaxhighlight>

Latest revision as of 11:50, 14 December 2018

Ubuntu 18.04 LTS

Start this process on a existing Ubuntu system. Does not have to be a 18.04 system. You will need to have debootstrap installed and may need to update debootstrap so it has the correct script for 18.04.

Create a empty image file and format it with ext3. 

dd if=/dev/zero of=ubuntu_bionic.img bs=1M count=1 seek=1024
mkfs.ext3 ubuntu_bionic.img

Create a directory to mount the image on. Using '/mnt/img' for this example. 

mkdir /mnt/img
mount -oloop ubuntu_bionic.img /mnt/img

Start the debootstrap process.m 

debootstrap --variant=minbase --include=iproute2,net-tools,isc-dhcp-client,isc-dhcp-common,rsyslog  bionic /mnt/img/

Once that completes, copy your existing /etc/apt/sources.list to the new image so we can run updates. 

cp /etc/apt/sources.list /mnt/img/etc/apt/

Mount the necessary system files so that we can enter the new root filesystem with chroot. 

mount --bind /dev /mnt/img/dev
mount --bind /dev/pts /mnt/img/dev/pts
mount -t proc proc /mnt/img/proc
mount -t sysfs sys /mnt/img/sys
chroot /mnt/img

Run updates and install a language pack. 

apt-get update
apt-get install language-pack-en-base
apt-get upgrade

Install a frontend for debconf 

apt-get install whiptail

Install Timezone data 

apt-get install tzdata

Configure the system timezone. 

dpkg-reconfigure tzdata

Install the kernel image, SSH server and the full version of vim 

apt-get install linux-image-4.15.0-42-generic
apt-get install openssh-server
apt-get install vim

Network

Ubuntu 18.04 no longer used the traditional, '/etc/network/interfaces'. They have switched to netplan.io 

apt-get install netplan.io

Configure /etc/netplan/01-netcfg.yaml for DHCP 

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: yes

We need to allow root logins over SSH.

Edit /etc/ssh/sshd_config and change, 

#PermitRootLogin prohibit-password

to 

PermitRootLogin yes

GRUB

Setup a basic grub config in "/boot/grub/menu.lst" In order for "xl console" to work we need to spawn a console on hvc0. So add "console=hvc0" to the kernel lines. 

default         0
timeout         2

title           Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic
root            (hd0)
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro console=hvc0
initrd          /boot/initrd.img-4.15.0-42-generic

title           Ubuntu 18.04.1 LTS, kernel 4.15.0-42-generic (recovery mode)
root            (hd0)
kernel          /boot/vmlinuz-4.15.0-42-generic root=/dev/xvda1 ro  single console=hvc0
initrd          /boot/initrd.img-4.15.0-42-generic

Configure a basic fstab 

# Begin /etc/fstab
# <file system> <mount-point>   <type>   <options>                      <dump> <pass>
/dev/sda1          /             ext3      defaults,errors=remount-ro    0     0
proc               /proc         proc      defaults                      0     0

# End /etc/fstab

SSH host keys fix

Since this image will get cloned and used to create new virtual machines we don't want to re-use the same keys for every virtual machine. Ubuntu won't regenerate SSH host keys if you delete them from /etc/ssh. So we need a script to check the host keys and regenerate them if needed. The script will get called by systemd during sshd start/restart

Ubuntu 18.04 is running OpenSSH version 7 and DSA keys are being deprecated so we don't need to generate a DSA host key.

Create /usr/sbin/rebuild-sshd-keys and paste this in, 

#!/bin/sh

# Some variables to make things more readable
KEYGEN=/usr/bin/ssh-keygen
RSA_KEY=/etc/ssh/ssh_host_rsa_key
ECDSA_KEY=/etc/ssh/ssh_host_ecdsa_key
ED25519_KEY=/etc/ssh/ssh_host_ed25519_key


do_rsa_keygen() {
        if [ ! -s $RSA_KEY ]; then
                echo -n "Generating SSH2 RSA host key: "
                rm -f $RSA_KEY
                if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >/dev/null; then
                        chmod 600 $RSA_KEY
                        chmod 644 $RSA_KEY.pub
			echo "OK"
                else
			echo "FAIL"
                        exit 1
                fi
        fi
}

do_ecdsa_keygen() {
        if [ ! -s $ECDSA_KEY ]; then
                echo -n "Generating SSH2 ECDSA host key: "
                rm -f $ECDSA_KEY
                if test ! -f $ECDSA_KEY && $KEYGEN -q -t ecdsa -f $ECDSA_KEY -C '' -N '' >/dev/null; then
                        chmod 600 $ECDSA_KEY
                        chmod 644 $ECDSA_KEY.pub
			echo "OK"
                else
			echo "FAIL"
                        exit 1
                fi
        fi
}

do_ed25519_keygen() {
        if [ ! -s $ED25519_KEY ]; then
                echo -n "Generating SSH2 ED25519 host key: "
                rm -f $ED25519_KEY
                if test ! -f $ED25519_KEY && $KEYGEN -q -t ed25519 -f $ED25519_KEY -C '' -N '' >/dev/null; then
                        chmod 600 $ED25519_KEY
                        chmod 644 $ED25519_KEY.pub
			echo "OK"
                else
			echo "FAIL"
                        exit 1
                fi
        fi
}

do_rsa_keygen
do_ecdsa_keygen
do_ed25519_keygen

chmod 755 /usr/sbin/rebuild-sshd-keys

Create a new systemd unit file, "/lib/systemd/system/rebuild-sshd-keys.service" and paste this in, 

[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=ssh.service ssh.socket

[Service]
ExecStart=/usr/sbin/rebuild-sshd-keys
Type=oneshot
RemainAfterExit=yes

Edit "/lib/systemd/system/ssh.service" and make these changes to use the new rebuild-sshd-keys.service unit file. 

--- ssh.service.old     2018-12-09 23:51:39.687140401 +0000
+++ ssh.service 2018-12-09 23:53:14.364249439 +0000
@@ -1,7 +1,8 @@
 [Unit]
 Description=OpenBSD Secure Shell server
-After=network.target auditd.service
+After=network.target auditd.service rebuild-sshd-keys.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+Wants=rebuild-sshd-keys.service

 [Service]
 EnvironmentFile=-/etc/default/ssh

Enable the new systemd unit files. 

systemctl enable rebuild-sshd-keys.service
systemctl enable ssh.service

Firewall

apt-get install iptables
apt-get install ufw

ufw allow OpenSSH
ufw enable

Final Cleanup

Set a hostname.

Remove SSH host keys so that new ones get generated on first boot.

Set a root password 

echo 'bionic' > /etc/hostname
rm /etc/ssh/ssh_host_*
passwd root
Retrieved from "https://wiki.guungle.com/index.php?title=Linux/Xen/DomU/Ubuntu/Ubuntu_18.04_LTS&oldid=52"