
How to install minimal Ubuntu Server 18.04

Posted: Fri Feb 28, 2020 11:52 am
by LHammonds
------------- WORK-IN-PROGRESS -------------

Greetings and salutations,

I hope this thread will be helpful to those who follow in my footsteps as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: >> INSERT LINK HERE <<

High-level overview

This document will cover installation of a dedicated minimal Ubuntu server. This will be the "base" installation of the server as a prerequisite for other documents that will build upon it (e.g. KVM, NFS Storage). The server will be installed on bare-metal.

Tools utilized in this process

Assumptions

This documentation makes use of some very specific information that will most likely be different for each person / location. This variable data is noted in this section and highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to replace it with what your company uses.

  • Ubuntu Server name: srv-minimal
  • Ubuntu Server IP address: 192.168.107.61
  • Ubuntu Server IP subnet mask: 255.255.255.0
  • Ubuntu Server IP gateway: 192.168.107.1
  • Internal DNS Server 1: 192.168.107.212
  • Internal DNS Server 2: 192.168.107.213
  • External DNS Server 1: 1.1.1.1 (Cloudflare)
  • External DNS Server 2: 8.8.8.8 (Google)
  • Ubuntu Admin ID: administrator
  • Ubuntu Admin Password: myadminpass
It is also assumed that the reader knows how to use the VI editor. If not, you will need to beef up your skill set or use a different editor in place of it. The vim-nox package that is installed later includes "vimtutor" which is also a good place to learn how to use the vi editor.

Analysis and Design

Posted: Wed Mar 04, 2020 3:47 pm
by LHammonds

The Ubuntu Server Long-Term Support (LTS) release is a great choice for companies because it is a solid operating system that happens to be free. If professional support is needed, there is an option to buy support for the LTS versions of the operating system.

The biggest decision in configuring Ubuntu is how the hard drive space is sliced up (partitioned). In order to keep this install as short as possible, I will forgo my usual partition design and just use the entire disk for LVM (but keep the initial size small so we can expand later as needed).

Install PuTTY

We will use SSH to access the server remotely and as such, PuTTY is a good choice no matter what client you are using (Windows, Mac, Linux).
  1. Start PuTTY
  2. Under Window - Translation - Remote character set, select UTF-8
  3. Type the following and click the Save button:
    Host Name: SRV-Minimal (or the IP such as 192.168.107.61)
    Port: 22
    Connection type: SSH
    Saved Sessions: SRV-Minimal
  4. Now all you have to do is double-click on the session and it will connect to your server (when online).

Install Ubuntu Server

Posted: Wed Mar 04, 2020 4:37 pm
by LHammonds
  1. Power on the machine and insert the Ubuntu Server Network Installer CD (or USB)
  2. Installer boot menu - Select "Install" and press {ENTER}
  3. Press {ENTER} to accept English
  4. Press {ENTER} to accept United States
  5. Press {ENTER} to accept do not detect keyboard layout
  6. Press {ENTER} to accept English (US)
  7. Press {ENTER} to accept English (US)
  8. Type srv-minimal {ENTER} (this is your hostname)
  9. Press {ENTER} to accept United States for a mirror site
  10. Press {ENTER} to accept us.archive.ubuntu.com
  11. Press {ENTER} to accept a blank line for the HTTP proxy
  12. Type Administrator, {ENTER} for the full name
  13. Press {ENTER} to accept the default of the lowercase name of administrator
  14. Type myadminpass, {ENTER}, myadminpass, {ENTER}
  15. Press {ENTER} to accept detected time zone (America/Chicago)
  16. Select Guided - use entire disk and set up LVM {ENTER}
  17. Select SCSI1 (0,0,0) (sda) - 500.1 GB ATA ST500DM002-1BD14 {ENTER}
  18. Select Yes to write changes to disks and configure LVM, {ENTER}
  19. Type 30GB and press {ENTER}
  20. Select Yes to write changes to disks and press {ENTER}
  21. Select No automatic updates, {ENTER} (* We will schedule a script for this later *)
  22. Set the following and press {ENTER} to continue:
    Uncheck - Ubuntu Cloud Image (instance)
    Uncheck - DNS server
    Uncheck - Kubuntu desktop
    Uncheck - Kubuntu full
    Uncheck - LAMP server
    Uncheck - Lubuntu minimal installation
    Uncheck - Lubuntu Desktop
    Uncheck - Lubuntu minimal installation (GTK part)
    Uncheck - Lubuntu Desktop (GTK part)
    Uncheck - Lubuntu minimal installation (Qt part)
    Uncheck - Lubuntu Desktop (Qt part)
    Uncheck - Mail server
    Uncheck - PostgreSQL database
    Uncheck - Print server
    Uncheck - Samba file server
    Uncheck - Ubuntu Budgie desktop
    Uncheck - Ubuntu desktop
    Uncheck - Ubuntu MATE minimal
    Uncheck - Ubuntu MATE desktop
    Uncheck - Audio recording and editing suite
    Uncheck - Ubuntu Studio desktop
    Uncheck - Ubuntu Studio minimal DE installation
    Uncheck - Large selection of font packages
    Uncheck - 2D/3D creation and editing suite
    Uncheck - Photograph touchup and editing suite
    Uncheck - Publishing applications
    Uncheck - Video creating and editing suite
    Uncheck - Vanilla GNOME desktop
    Uncheck - Xubuntu minimal installation
    Uncheck - Xubuntu desktop
    Check - OpenSSH server (allows us to use PuTTY after installation to connect to the server)
    Uncheck - Basic Ubuntu Server
  23. Select Yes, {ENTER} to install GRUB boot loader to the master boot record
  24. Installation Complete - Eject the install media. Now press {ENTER} to reboot.

Initial Configurations

Posted: Wed Mar 04, 2020 4:55 pm
by LHammonds

  1. Edit the network configuration file:

    Code:

    sudo vi /etc/netplan/01-netcfg.yaml
  2. Change the Ethernet interface: (We need to change it from using DHCP to a static IP)
    From:

    Code:

    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s3:
          dhcp4: yes
    
    To:

    Code:

    network:
      version: 2
      renderer: networkd
      ethernets:
        enp0s3:
          dhcp4: false
          dhcp6: false
          addresses: [192.168.107.61/24]
          gateway4: 192.168.107.1
          nameservers:
            addresses: [192.168.107.212,192.168.107.213,1.1.1.1,8.8.8.8]

    NOTE #1: The above YAML format is extremely sensitive to spaces. Each indentation needs to be exactly 2 spaces. Visit NetPlan.io for more information.

    NOTE #2: The network card name (enp0s3) might be something different on your machine; be sure to use yours instead of what I have.

    NOTE #3: You may need to manually remove the DHCP record (lease) associated to this Ubuntu server from your DHCP server so the correct IP can be found by other machines on the network.

    NOTE #4: You might also need to manually add a HOST(A) record to your local DNS server (for srv-minimal.mydomain.com and srv-minimal.work.mydomain.com)
  3. Verify that the configuration file syntax is good:

    Code:

    sudo netplan --debug generate
  4. If there were no errors, restart the network by typing the following:

    Code:

    sudo netplan --debug apply
  5. Sanity check! Type "ip address" and make sure the settings are correct. Then type ping www.google.com or similar and see if ping works.
  6. Make sure any file created by the root account is set to only be accessible to root by default:

    Code:

    sudo su
    echo 'umask 0077' >> ~/.bashrc
    exit
  7. Disable command history for your account and the root account on production systems to prevent hackers from seeing the commands you have typed in the past, which might expose passwords:

    Code:

    echo 'set +o history' >> ~/.bashrc
    sudo su
    echo 'set +o history' >> ~/.bashrc
    exit
  8. Make sure menus will correctly draw lines instead of displaying ASCII codes for you and root:

    Code:

    echo 'export NCURSES_NO_UTF8_ACS=1' >> ~/.bashrc
    sudo su
    echo 'export NCURSES_NO_UTF8_ACS=1' >> ~/.bashrc
    exit
  9. From this point forward, you can use PuTTY to access the server instead of the physical console.

Add more SUDO users and lockdown SSH

The root user is locked by default, which is good. When you installed the server, you created the administrator account which can run sudo commands as root. Let's add one more user that can use SUDO and ensure only these user accounts can log in via SSH to the server.

Create a new user called "newadmin"

Code:

sudo adduser newadmin
Now add them to the SUDO group which will allow them to use the SUDO command.

Code:

sudo usermod -aG sudo newadmin
Now modify the SSH service to allow only these 2 users to log in via SSH.

Code:

sudo vi /etc/ssh/sshd_config
Add the following line anywhere in the file:

Code:

AllowUsers administrator newadmin
Reload the SSH config for the change to take effect:

Code:

sudo systemctl reload sshd
Now only administrator and newadmin can log in to the server via SSH. If you create another user, that user will not be able to log in even with the correct password. It will just say "Access denied."

The firewall and fail2ban sections later on will further increase SSH security.

You can also use SSH key-based authentication and disable user/password authentication.

Operating System Patches

  1. Connect to the Ubuntu server using PuTTY.
  2. Install the patches by typing the following commands:

    Code:

    sudo apt update
    sudo apt upgrade
    sudo apt dist-upgrade
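
For the AllowUsers step in the SSH lockdown section above: sshd treats every line after a "Match" line as part of that conditional block, so in a file that already contains a Match block the position of the line matters. The following is an added example, not part of the original post; the function names are hypothetical and the sample config is constructed. It writes AllowUsers into the global section and reloads sshd only after "sshd -t" accepts the file.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# config are constructed for illustration. Run as root against the real file.

# set_allow_users FILE USER...
# Replace the global AllowUsers setting with one line listing USER..., written
# before the first "Match" block (or at end of file when there is none).
# AllowUsers lines inside Match blocks are left untouched.
set_allow_users() {
    cfg=$1; shift
    tmp=$(mktemp) || return 1
    awk -v users="$*" '
        tolower($1) == "match" && !in_match {
            print "AllowUsers " users; in_match = 1
        }
        !in_match && tolower($1) == "allowusers" { next }
        { print }
        END { if (!in_match) print "AllowUsers " users }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# global_allow_users FILE: print the user list from the global section only.
global_allow_users() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowusers" { $1 = ""; sub(/^ /, ""); print }' "$1"
}

# reload_sshd_checked [FILE]: reload only if sshd accepts the file (-t = test).
reload_sshd_checked() {
    sudo sshd -t -f "${1:-/etc/ssh/sshd_config}" && sudo systemctl reload sshd
}

# Demo on a constructed file whose last section is a Match block.
demo_cfg=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'AllowUsers olduser' \
    'Match Address 192.168.107.0/24' '    PasswordAuthentication no' > "$demo_cfg"
set_allow_users "$demo_cfg" administrator newadmin
echo "global AllowUsers: $(global_allow_users "$demo_cfg")"
rm -f "$demo_cfg"
```

Keep the existing SSH session open while testing a login from a second session, so a mistake in the user list does not lock you out.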

Volume / Disk Management

Posted: Wed Mar 04, 2020 6:01 pm
by LHammonds

During installation, we specified a 30GB LVM which was just big enough to fit the base installation with a little bit of breathing room. When the volumes were created during setup, the file systems were automatically expanded to fill the entire volume. We will now increase the allocated size of the LVM and then extend the logical volume to gain even more breathing space. This can be repeated as often as needed as long as there is free space in the LVM. The steps below will cover the commands to do all of this.

Volume and File System Status

Let's look at what the system should look like if we have a 500 GB disk and only gave 30 GB to the LVM during the initial install:

Code:

$ sudo vgdisplay
  --- Volume group ---
  VG Name               srv-minimal-vg
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  3
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                2
  Open LV               2
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               <465.76 GiB
  PE Size               4.00 MiB
  Total PE              119234
  Alloc PE / Size       7152 / <27.94 GiB
  Free  PE / Size       112082 / 437.82 GiB
  VG UUID               AZfVJy-1Z3K-gbgf-4Z0L-zpAg-bEca-pj4FgP

Code:

$ sudo lvscan
  ACTIVE            '/dev/srv-minimal-vg/root' [26.98 GiB] inherit
  ACTIVE            '/dev/srv-minimal-vg/swap_1' [976.00 MiB] inherit

Code:

$ df -h
Filesystem                       Size  Used Avail Use% Mounted on
udev                             3.9G     0  3.9G   0% /dev
tmpfs                            790M  828K  789M   1% /run
/dev/mapper/srv--minimal--vg-root   27G  1.6G   24G   6% /
tmpfs                            3.9G     0  3.9G   0% /dev/shm
tmpfs                            5.0M     0  5.0M   0% /run/lock
tmpfs                            3.9G     0  3.9G   0% /sys/fs/cgroup
tmpfs                            790M     0  790M   0% /run/user/1000

Grow the volume

The vgdisplay command says we have 437 GB free. Let's add 10 GB of that free space to the root volume which is named "/dev/srv-minimal-vg/root" according to the lvscan command above:

Code:

sudo lvextend -L+10G /dev/srv-minimal-vg/root
  Size of logical volume srv-minimal-vg/root changed from 26.98 GiB (6908 extents) to 36.98 GiB (9468 extents).
  Logical volume srv-minimal-vg/root successfully resized.

Grow the file system

Now that we have added 10 GB to the volume, let's increase the size of the file system:

Code:

$ sudo resize2fs /dev/srv-minimal-vg/root
resize2fs 1.44.1 (24-Mar-2018)
Filesystem at /dev/srv-minimal-vg/root is mounted on /; on-line resizing required
old_desc_blocks = 4, new_desc_blocks = 5
The filesystem on /dev/srv-minimal-vg/root is now 9695232 (4k) blocks long.

Remember, df -h will tell you the size of the file system and lvscan will tell you the size of the volumes on which the file systems live.

TIP: If you want to see everything in a specific block size, such as everything showing up in megabytes, you can use df --block-size m

>> TO BE CONTINUED <<