it-artikel:linux:how-to-install-ubuntu-server-2004-lts-with-bridged-interfaces

it-artikel:linux:how-to-install-ubuntu-server-2004-lts-with-bridged-interfaces [2022-09-01 11:24] – [sshguard - Installation and configuration:] axel.werner.1973@gmail.comit-artikel:linux:how-to-install-ubuntu-server-2004-lts-with-bridged-interfaces [2022-11-02 15:47] (current) axel.werner.1973@gmail.com
Line 43: Line 43:
   - Use manual (fixed ip) network configuration for servers right from the beginning   - Use manual (fixed ip) network configuration for servers right from the beginning
   - install updates as soon as possible <code>sudo apt update && sudo apt upgrade -y && sudo reboot</code>   - install updates as soon as possible <code>sudo apt update && sudo apt upgrade -y && sudo reboot</code>
 +  - **FOR VMs ONLY:** If this installation is a virtual machine on some hypervisor don't forget to install the "guest drivers" or "guest tools" matching your virtualisation host. So a VM on a VMWARE host needs **open-vm-tools** to be installed. On a ProxMox/QEMU/KVM host you usually install **qemu-guest-agent**. On Virtualbox it's called **virtualbox-guest-utils**: <code>
 +
 +# Pick one, only one!
 +
 +apt install -y qemu-guest-agent # for proxmox qemu kvm VMs
 +
 +# or
 +apt install -y virtualbox-guest-utils # for VMs on Virtualbox
 +
 +# or
 +apt install -y open-vm-tools # i wouldn't use VMWARE. no, really!
 +
 +</code>
   - Install generic useful tools early:<code>apt install -y ethtool bridge-utils net-tools vim nmap atop htop iftop iotop lvm2 tmux screenfetch firefox</code>   - Install generic useful tools early:<code>apt install -y ethtool bridge-utils net-tools vim nmap atop htop iftop iotop lvm2 tmux screenfetch firefox</code>
   - Edit bootloader "grub", disable graphical bootloader modes, make it human readable:<code>cat << EOF >> /etc/default/grub   - Edit bootloader "grub", disable graphical bootloader modes, make it human readable:<code>cat << EOF >> /etc/default/grub
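Review bot: the three `apt install` lines added in the new "FOR VMs ONLY" item omit `sudo`, while the neighbouring "install updates" item in the same list uses `sudo apt update && sudo apt upgrade -y`; either prefix them with `sudo` or state once that the rest of the list assumes a root shell. The blank lines inside the `<code>` block and the personal aside on open-vm-tools could also be trimmed, since the block is meant to be copied as a single command choice.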
Line 874: Line 887:
   - On ubuntu Server out of the box Apache has been enabled to look and serve pages and files from within the **/var/www/html/** directory. This is defined through the configuration file at **/etc/apache2/sites-enabled/000-default.conf**. Ubuntu put a demo page there, named **index.html**. To test if Apache is working so far, you can aim your webbrowser at it, like... <code>firefox http://freiburg.lan/ &</code> A **"Apache2 Ubuntu Default Page"** should come up. So your Apache webserver works so far. Still not able to process PHP files nor supporting TLS/SSL (https) just yet.    - On ubuntu Server out of the box Apache has been enabled to look and serve pages and files from within the **/var/www/html/** directory. This is defined through the configuration file at **/etc/apache2/sites-enabled/000-default.conf**. Ubuntu put a demo page there, named **index.html**. To test if Apache is working so far, you can aim your webbrowser at it, like... <code>firefox http://freiburg.lan/ &</code> A **"Apache2 Ubuntu Default Page"** should come up. So your Apache webserver works so far. Still not able to process PHP files nor supporting TLS/SSL (https) just yet. 
     - :!: **IMPORTANT: Since Firefox and similar professional web browsers these days decided to prefer the TLS secured https over http by default, its important to tell it explicitly when NOT to use https by prefixing the hostname with '%%http://%%' ! Else the browser may try to connect using https only, which will fail at this point in time, since we did not configure TLS/SSL with our webserver just yet!**     - :!: **IMPORTANT: Since Firefox and similar professional web browsers these days decided to prefer the TLS secured https over http by default, its important to tell it explicitly when NOT to use https by prefixing the hostname with '%%http://%%' ! Else the browser may try to connect using https only, which will fail at this point in time, since we did not configure TLS/SSL with our webserver just yet!**
-  - Now for PHP cont/etc/apache2/sites-available/default-ssl.confent we prepare a small php test page for Apache, like this: <code>+  - Now for PHP content we prepare a small php test page for Apache, like this: <code>
 cat << "EOF" > /var/www/html/test.php cat << "EOF" > /var/www/html/test.php
 <?php phpinfo(); ?> <?php phpinfo(); ?>
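Review bot: the `test.php` written by the heredoc exposes `phpinfo()`, which discloses the PHP version, loaded modules, file paths and environment variables to anyone who can reach the host; add a step that deletes it once the test has passed (`rm /var/www/html/test.php`) unless a later part of the page already does so. The fix to the first line of the hunk, dropping the `/etc/apache2/sites-available/default-ssl.conf` fragment that had been pasted into the word "content", is correct.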
Line 1323: Line 1336:
  
  
-===== FIXME: =====+===== Setting up 'unattended-upgrades' : =====
  
-FIXME+UBUNTU comes with some 'unattended-upgrades' partly enabled. But on some UBUNTU LXC containers there might it be disabled by default. So this is how i like my (non enterprise) UBUNTU to be handling automatic upgrades:
  
 +  - Install 'unattended-upgrades' it not already installed: <code>
 +apt install -y unattended-upgrades
 +</code>
 +  - Replace the default configuration file that comes with 'unattended-upgrades': <code>
 +cat << 'EOF' > /etc/apt/apt.conf.d/50unattended-upgrades
 +// Automatically upgrade packages from these (origin:archive) pairs
 +//
 +// Note that in Ubuntu security updates may pull in new dependencies
 +// from non-security sources (e.g. chromium). By allowing the release
 +// pocket these get automatically pulled in.
 +Unattended-Upgrade::Allowed-Origins {
 + "${distro_id}:${distro_codename}";
 + "${distro_id}:${distro_codename}-security";
 + // Extended Security Maintenance; doesn't necessarily exist for
 + // every release and this system may not have it installed, but if
 + // available, the policy for updates is such that unattended-upgrades
 + // should also install from here by default.
 + "${distro_id}ESMApps:${distro_codename}-apps-security";
 + "${distro_id}ESM:${distro_codename}-infra-security";
 + "${distro_id}:${distro_codename}-updates";
 +// "${distro_id}:${distro_codename}-proposed";
 +// "${distro_id}:${distro_codename}-backports";
 +};
 +
 +// Python regular expressions, matching packages to exclude from upgrading
 +Unattended-Upgrade::Package-Blacklist {
 +    // The following matches all packages starting with linux-
 +//  "linux-";
 +
 +    // Use $ to explicitely define the end of a package name. Without
 +    // the $, "libc6" would match all of them.
 +//  "libc6$";
 +//  "libc6-dev$";
 +//  "libc6-i686$";
 +
 +    // Special characters need escaping
 +//  "libstdc\+\+6$";
 +
 +    // The following matches packages like xen-system-amd64, xen-utils-4.1,
 +    // xenstore-utils and libxenstore3.0
 +//  "(lib)?xen(store)?";
 +
 +    // For more information about Python regular expressions, see
 +    // https://docs.python.org/3/howto/regex.html
 +};
 +
 +// This option controls whether the development release of Ubuntu will be
 +// upgraded automatically. Valid values are "true", "false", and "auto".
 +Unattended-Upgrade::DevRelease "auto";
 +
 +// This option allows you to control if on a unclean dpkg exit
 +// unattended-upgrades will automatically run 
 +//   dpkg --force-confold --configure -a
 +// The default is true, to ensure updates keep getting installed
 +Unattended-Upgrade::AutoFixInterruptedDpkg "true";
 +
 +// Split the upgrade into the smallest possible chunks so that
 +// they can be interrupted with SIGTERM. This makes the upgrade
 +// a bit slower but it has the benefit that shutdown while a upgrade
 +// is running is possible (with a small delay)
 +Unattended-Upgrade::MinimalSteps "true";
 +
 +// Install all updates when the machine is shutting down
 +// instead of doing it in the background while the machine is running.
 +// This will (obviously) make shutdown slower.
 +// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
 +// This allows more time for unattended-upgrades to shut down gracefully
 +// or even install a few packages in InstallOnShutdown mode, but is still a
 +// big step back from the 30 minutes allowed for InstallOnShutdown previously.
 +// Users enabling InstallOnShutdown mode are advised to increase
 +// InhibitDelayMaxSec even further, possibly to 30 minutes.
 +//Unattended-Upgrade::InstallOnShutdown "false";
 +
 +// Send email to this address for problems or packages upgrades
 +// If empty or unset then no email is sent, make sure that you
 +// have a working mail setup on your system. A package that provides
 +// 'mailx' must be installed. E.g. "user@example.com"
 +Unattended-Upgrade::Mail "root";
 +
 +// Set this value to one of:
 +//    "always", "only-on-error" or "on-change"
 +// If this is not set, then any legacy MailOnlyOnError (boolean) value
 +// is used to chose between "only-on-error" and "on-change"
 +Unattended-Upgrade::MailReport "only-on-error";
 +
 +// Remove unused automatically installed kernel-related packages
 +// (kernel images, kernel headers and kernel version locked tools).
 +//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
 +
 +// Do automatic removal of newly unused dependencies after the upgrade
 +Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
 +
 +// Do automatic removal of unused packages after the upgrade
 +// (equivalent to apt-get autoremove)
 +Unattended-Upgrade::Remove-Unused-Dependencies "true";
 +
 +// Automatically reboot *WITHOUT CONFIRMATION* if
 +//  the file /var/run/reboot-required is found after the upgrade
 +Unattended-Upgrade::Automatic-Reboot "true";
 +
 +// Automatically reboot even if there are users currently logged in
 +// when Unattended-Upgrade::Automatic-Reboot is set to true
 +Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
 +
 +// If automatic reboot is enabled and needed, reboot at the specific
 +// time instead of immediately
 +//  Default: "now"
 +//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
 +
 +// Use apt bandwidth limit feature, this example limits the download
 +// speed to 70kb/sec
 +//Acquire::http::Dl-Limit "70";
 +
 +// Enable logging to syslog. Default is False
 +Unattended-Upgrade::SyslogEnable "true";
 +
 +// Specify syslog facility. Default is daemon
 +// Unattended-Upgrade::SyslogFacility "daemon";
 +
 +// Download and install upgrades only on AC power
 +// (i.e. skip or gracefully stop updates on battery)
 +// Unattended-Upgrade::OnlyOnACPower "true";
 +
 +// Download and install upgrades only on non-metered connection
 +// (i.e. skip or gracefully stop updates on a metered connection)
 +// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
 +
 +// Verbose logging
 +// Unattended-Upgrade::Verbose "false";
 +
 +// Print debugging information both in unattended-upgrades and
 +// in unattended-upgrade-shutdown
 +// Unattended-Upgrade::Debug "false";
 +
 +// Allow package downgrade if Pin-Priority exceeds 1000
 +// Unattended-Upgrade::Allow-downgrade "false";
 +
 +// When APT fails to mark a package to be upgraded or installed try adjusting
 +// candidates of related packages to help APT's resolver in finding a solution
 +// where the package can be upgraded or installed.
 +// This is a workaround until APT's resolver is fixed to always find a
 +// solution if it exists. (See Debian bug #711128.)
 +// The fallback is enabled by default, except on Debian's sid release because
 +// uninstallable packages are frequent there.
 +// Disabling the fallback speeds up unattended-upgrades when there are
 +// uninstallable packages at the expense of rarely keeping back packages which
 +// could be upgraded or installed.
 +// Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
 +
 +EOF
 +</code>
 +  - Check and enable Service if nessesary: <code>
 +
 +systemctl status unattended-upgrades
 +
 +systemctl enable --now unattended-upgrades
 +
 +</code>
 +  - This should automatically update/upgrade the OS once a day including automatic reboot (instantly) if necessary. Since this is part of the **cron.daily** it's usually started between 0600-0700 UTC.
 +  - To test run it manually in verbose mode:<code>
 +unattended-upgrades --verbose
 +</code>
  
 ===== Mailserver MTA installation and configuration for status mails: ===== ===== Mailserver MTA installation and configuration for status mails: =====
  
 +Without any installed MTA local status mails or error messages stay within the local server and cannot be externaly retreived. 
 +
 +Because i like my Linux Servers to be able to send and receive Emails via SMTP i usually install the Postfix MTA and some additional IMAP/IMAPS/POP3/POP3S daemons, so a server can send and receive emails (for a local user or the ROOT user) and/or received mails can be retrieved via a standard mailclient like Thunderbird, Gmail or similar.
 +
 +This is how i usually do it:
 +
 +
 +  - Since Google Mail / GMAIL let us down on **SMTP AUTH** and in 2022 **oauth2** is not yet supported with postfix out of the box, we need to use a more classic free email provider service, that still supports plain simple **SMTP AUTH** to send at least "some" mails per month. Im my case i use the free service of [[https://www.sendinblue.com/]]. So get your own free account there. Good for up to 300 mail per month. Should be plenty for status mails. 
 +  - Install Postfix MTA and Mailutils: <code>
 +apt install -y postfix mailutils libsasl2-modules sasl2-bin swaks vim
 +</code> Configure it using the text UI with the default values, even they are wrong for now. We will reconfigure it shortly with even more parameters.
 +  - Reconfigure Postfix using the **postconf** command like this: <code>
 +
 +postconf "mynetworks=127.0.0.0/8 [::1]/128"
 +postconf "mydestination = $(hostname -s),$(hostname -f),$(hostname -s).local,$(hostname -s).localdomain,127.0.0.1,[::1]"
 +postconf "relayhost=[smtp-relay.sendinblue.com]:587"
 +postconf "recipient_delimiter=+"
 +postconf "mailbox_size_limit = 51000000"
 +postconf "inet_protocols = all"
 +postconf "inet_interfaces = all"
 +
 +postconf 'smtp_use_tls = yes'
 +postconf 'smtp_tls_security_level = encrypt'
 +postconf 'smtp_tls_CApath = /etc/ssl/certs/'
 +
 +postconf 'smtp_sasl_auth_enable = yes'
 +postconf 'smtp_sasl_security_options ='
 +postconf 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
 +postconf 'smtp_sasl_mechanism_filter ='
 +
 +systemctl restart postfix
 +systemctl status postfix
 +
 +
 +</code>
 +  - Store your SMTP AUTH login credentials for the mail relay: <code>
 +
 +# NOTE THE LEADING SPACE in the next line!
 +# Prevents it from being saved in bash history
 + echo '[smtp-relay.sendinblue.com]:587 axel.werner.1973@gmail.com:seecreetPazzword' > /etc/postfix/sasl_passwd
 +chmod 600 /etc/postfix/sasl_passwd
 +
 +postmap hash:/etc/postfix/sasl_passwd
 +
 +</code>
 +  - Set the destination email address for the **root** account: <code>
 +
 +echo "root: axel.werner.1973@gmail.com" >> /etc/aliases
 +
 +newaliases
 +
 +</code>
 +    *  You can check the outbound mailqueue with mailq to see if the mail is still pending. Or you can watch the logs “live” like this: <code>
 +
 +tail -n0 -f /var/log/messages /var/log/syslog /var/log/mail.* &
 +
 +</code>
 +  - Test sending Email to local recipient:<code>
 +echo "local testmail to ROOT" | mail -s "test email from $HOSTNAME to root user" root
 +
 +</code> **Test Email should be found in your mailbox.**
 +  - Test sending Email to external recipient:<code>
 +echo "external testmail to gmail user" | mail -s "test email from $HOSTNAME to gmail user" axel.werner.1973@gmail.com
 +
 +</code> **Another Email should be found in your mailbox.**
 +  - FIXME:<code>
 FIXME FIXME
 +</code>
 +  - FIXME:<code>
 +FIXME
 +</code>
 +  - FIXME:<code>
 +FIXME
 +</code>
 +  - FIXME:<code>
 +FIXME
 +</code>
 +  - FIXME:<code>
 +FIXME
 +</code>
 +
  
 ===== FIXME: ===== ===== FIXME: =====
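Review bot: the "Check and enable Service if nessesary" step does not switch on the daily run. `unattended-upgrades.service` only provides the shutdown hook; the once-a-day run comes from `apt-daily-upgrade.timer` calling `/usr/lib/apt/apt.systemd.daily`, which invokes unattended-upgrade only when `APT::Periodic::Unattended-Upgrade "1"` is set (normally in `/etc/apt/apt.conf.d/20auto-upgrades`, written by `dpkg-reconfigure -plow unattended-upgrades`). Add a check such as `apt-config dump | grep Periodic` and `systemctl status apt-daily-upgrade.timer`, and correct the "part of the cron.daily" sentence, since the 06:00 start plus a random delay is that timer's schedule, not cron's. In the sasl_passwd step, the leading space only keeps the password out of history when `HISTCONTROL` contains `ignorespace` or `ignoreboth`; root's default `.bashrc` on Ubuntu does not set it and the commands are run as root here, so either verify with `echo $HISTCONTROL` first or write the file with an editor. `postconf 'smtp_sasl_security_options ='` permits plaintext SASL mechanisms and is only acceptable because `smtp_tls_security_level = encrypt` three lines earlier makes TLS mandatory; a comment tying the two together would stop someone relaxing the TLS level later. Finally, the five empty `FIXME` list items at the end of the mailserver section are placeholders that should be filled or removed, and the spellings "nessesary", "externaly retreived" and "Im my case" should be corrected.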
it-artikel/linux/how-to-install-ubuntu-server-2004-lts-with-bridged-interfaces.1662031445.txt.gz · Last modified: 2022-09-01 11:24 by axel.werner.1973@gmail.com