Ubuntu Server Setup

Assuming you already have it up and running, possibly installed through PXE

Quick post-install

Check exactly which version got installed

lsb_release -a

Get a lease to proceed remotely

ip addr
dhclient -v NETIF
apt update
apt install openssh-server

and optionally continue through ssh

Better networking

systemctl status network-manager
systemctl stop network-manager
systemctl disable network-manager

and see Better Networking for Ubuntu

GRUB

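Make the menu appear and tune the kernel arguments. Note that mitigations=0 switches off the kernel's CPU vulnerability mitigations (Spectre, Meltdown and similar) in exchange for performance, so keep it only on hosts that run no untrusted code.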

cp -pi /etc/default/grub /etc/default/grub.dist
vi /etc/default/grub

#GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=3
#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="netcfg/do_not_use_netplan=true net.ifnames=0 biosdevname=0 mitigations=0"
#ipv6.disable=1
#i915.enable_psr=0
#amdgpu.exp_hw_support=1

Re-generate the configuration

update-grub
ls -lhF /boot/grub/grub.cfg

Optionally set up Debian-style networking and validate that it works at boot time

reboot

Editor

apt install vim-nox xxd
#nvi elvis-tiny

update-alternatives --config vi
update-alternatives --config editor

Packages

Clean up the configuration file

    mv -i /etc/apt/sources.list /etc/apt/sources.list.dist
    grep -vE '^#|^$' /etc/apt/sources.list.dist > /etc/apt/sources.list

Find out about your nearest mirror

wget -qO - mirrors.ubuntu.com/mirrors.txt

and point the repositories at it, e.g.

vi /etc/apt/sources.list

deb http://mirrors.online.net/ubuntu focal main restricted universe multiverse
deb http://mirrors.online.net/ubuntu focal-updates main restricted universe multiverse
deb http://mirrors.online.net/ubuntu focal-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu focal-security main restricted universe multiverse

#http://fr.archive.ubuntu.com/ubuntu/
#http://ru.archive.ubuntu.com/ubuntu/

Alternatively, you can build your own configuration with some helper

And in case you have an HTTP PROXY on your network for that purpose

nmap -p 3142 x.x.x.x
vi /etc/apt/apt.conf.d/02proxy

Acquire::http { Proxy "http://x.x.x.x:3142"; };

apt update

Update

Check for a major release upgrade

do-release-upgrade

Proceed with patches

cat /etc/apt/apt.conf.d/02proxy
apt update
apt full-upgrade

and see Ubuntu Server Operations for further maintenance

Additional packages

Install a few more packages.

export DEBIAN_FRONTEND=noninteractive

Bare-metal

apt install \
    ethtool \
    hwinfo \
    screen \
    sudo

    #ifupdown \
    #ifupdown2 \
    #xfsprogs \
    #xfsdump \

Server system

apt install \
    openssh-server \
    openssh-client

and even more for any kind of system incl. containers that you need to troubleshoot

apt install \
    apt-utils \
    apt-transport-https \
    bzip2 \
    curl \
    dnsutils \
    dos2unix \
    git \
    htop \
    iputils-ping \
    iotop \
    ksh \
    less \
    lftp \
    lsb-release \
    lynx \
    man-db \
    manpages \
    mc \
    mlocate \
    net-tools \
    netcat \
    nmap \
    pwgen \
    software-properties-common \
    sysstat \
    telnet \
    unzip \
    vim-nox \
    wget \
    whois \
    xxd

    #elvis-tiny \
    #nvi \
    #inetutils-ping

    update-alternatives --config vi
    update-alternatives --config editor

Tweak your environment

Make it a true server

systemctl get-default
systemctl set-default multi-user.target

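On Ubuntu, add $HOME/bin to your PATH. pam_env reads /etc/environment as plain KEY=VALUE lines without shell expansion, so login sessions get the literal string $HOME/bin (a relative path entry); it only expands when the file is sourced from a shell as below.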

cat /etc/environment
mv -i /etc/environment /etc/environment.dist
vi /etc/environment

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin"

source /etc/environment
echo $PATH

On Debian, replace the whole root condition

cp -pi /etc/profile /etc/profile.dist
vi /etc/profile

PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$HOME/bin"

source /etc/profile
echo $PATH

Use all cores while building software

cp -pi /etc/bash.bashrc /etc/bash.bashrc.dist
vi /etc/bash.bashrc

# exported so that make actually sees it; highest processor index + 1 = number of cores
export MAKEFLAGS=-j$(( $(grep ^processor /proc/cpuinfo | tail -1 | awk '{print $3}') + 1 ))

and optionally consider these additions

export DEBIAN_FRONTEND=noninteractive

export LANGUAGE="en_US:en"
export LC_ALL="en_US.UTF-8"
#export LC_COLLATE="C.UTF-8"
export LANG=en_US.UTF-8

apply at once

source /etc/bash.bashrc

and check if Perl is happy with the locales

perl -e exit

And optionally set up GNU/Screen

NTP

Set up time and date

Outbound email & daily cron job

Either set up outbound email

apt install \
postfix bsd-mailx rsyslog
#pmailq mailutils

or just disable the shit (that’s a friendly word, don’t take it badly)

systemctl status postfix
systemctl stop postfix
systemctl disable postfix

TODO daily cron.

Additional notes

fixing locales

warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)

==> the easy way

dpkg-reconfigure locales

==> the quick & dirty way, re-generate the locales you need

#apt install language-pack-en-base
locale-gen en_US.UTF-8
update-locale LANG=en_US.UTF-8

then check the current setting and try again

cat /etc/default/locale
locale
perl -e exit

in case some variables such as LANGUAGE and LC_ALL are still missing, add those the brutal way

cat >> /etc/bash.bashrc <<EOF
export LANGUAGE="en_US.UTF-8"
export LC_ALL="en_US.UTF-8"
EOF
source /etc/bash.bashrc

old-school init scripts

at startup

systemctl status rc-local
vi /etc/rc.local

#!/bin/bash
#nothing here yet

chmod +x /etc/rc.local

at shutdown

cat > /lib/systemd/system/rc-local-shutdown.service <<-EOF
[Unit]
Description=/etc/rc.local_shutdown Compatibility
ConditionFileIsExecutable=/etc/rc.local_shutdown
DefaultDependencies=no
After=rc-local.service basic.target
Before=shutdown.target

[Service]
ExecStop=/etc/rc.local_shutdown
StandardInput=tty
RemainAfterExit=yes

[Install]
WantedBy=shutdown.target
EOF

vi /etc/rc.local_shutdown

#!/bin/bash
#nothing here yet

chmod +x /etc/rc.local_shutdown
systemctl daemon-reload 
systemctl enable rc-local-shutdown.service

do not clear the screen

tested on Bionic

On a bare-metal system, prevent the system from clearing the screen after boot (equivalent of getty --noclear)

#systemctl edit getty@tty1
ls -lF /etc/systemd/system/getty.target.wants/
vi /lib/systemd/system/getty@.service

[Service]
...
TTYVTDisallocate=no
...

systemctl daemon-reload

revert to the default set of packages

draft/untested

Revert to the default installed packages

dpkg --get-selections >output
dpkg --set-selections <output
apt-get dselect-upgrade

super-duper sysprep

We do not need the hostname to change dynamically

#systemctl stop systemd-hostnamed.service
#systemctl disable systemd-hostnamed.service

…and countless daemons to disable

Troubleshooting

What has failed at system startup?

systemctl list-units --failed
systemctl list-units --state failed

Additional notes

One should get the time with it (does not work on Slackware Linux)

dmesg -wHt

Harden your SSL trust store

#dpkg-reconfigure ca-certificates
#update-ca-certificates

#apt purge ca-certificates
cd /etc/ssl/
mv certs/ certs.trash/
mv private/ private.trash/
diff -bu /usr/lib/ssl/openssl.cnf /etc/ssl/openssl.cnf

wget --no-check-certificate https://curl.se/ca/cacert.pem
wget --no-check-certificate https://curl.se/ca/cacert.pem.sha256
cat cacert.pem.sha256
sha256sum cacert.pem
# e010c0c071a2c79a76aa3c289dc7e4ac4ed38492bfda06d766a80b707ebd2f29  cacert.pem

mkdir certs/
cd certs/
ln -s ../cacert.pem ca-certificates.crt
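
Because both files above are fetched with --no-check-certificate, a matching digest only rules out a corrupted download, not a substituted one, so the expected value has to come from a channel you trust. An added sketch (not part of the original page) that gates the install on the digest and on a basic PEM sanity check; the function names check_bundle and install_bundle and the destination argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate a downloaded CA bundle before it becomes the trust store.
# The file and directory arguments are assumptions, not paths fixed by the page.

# check_bundle BUNDLE SUMFILE
# Returns 0 if the digest matches and the PEM looks sane, 1 on a failed
# check, 2 on unusable input.
check_bundle() {
    bundle=$1
    sumfile=$2
    if [ ! -s "$bundle" ] || [ ! -s "$sumfile" ]; then
        echo "missing or empty input" >&2; return 2
    fi

    # Expected digest: first field of the .sha256 file, exactly 64 hex chars.
    want=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    case $want in
        ''|*[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "malformed digest in $sumfile" >&2; return 2; }

    got=$(sha256sum "$bundle" | awk '{print $1}')
    [ "$got" = "$want" ] || { echo "digest mismatch: got $got" >&2; return 1; }

    # Structural check: at least one certificate, BEGIN/END markers balanced.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "bundle has $begins BEGIN / $ends END markers" >&2; return 1
    fi
    return 0
}

# install_bundle BUNDLE SUMFILE DESTDIR
# Copies the bundle to DESTDIR/cacert.pem and links certs/ca-certificates.crt
# to it (the layout used above), but only after check_bundle succeeds.
install_bundle() {
    check_bundle "$1" "$2" || return $?
    mkdir -p "$3/certs" &&
        cp "$1" "$3/cacert.pem" &&
        ln -sf ../cacert.pem "$3/certs/ca-certificates.crt"
}

# Stand-alone use: sh script.sh cacert.pem cacert.pem.sha256 /etc/ssl
if [ "$#" -eq 3 ]; then
    install_bundle "$@"
fi
```

Run it against a scratch directory first and point it at /etc/ssl only once the digest has been compared with a value obtained independently.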

get rid of some unused repos here e.g. jami

rm -f /usr/share/keyrings/jami-archive-keyring.gpg
rm -f /etc/apt/sources.list.d/jami.list

grep ^Package /var/lib/apt/lists/dl.jami.net_nightly_ubuntu*_Packages
apt purge ...

tune some clients accordingly

cp -pi /etc/wgetrc /etc/wgetrc.dist
vi /etc/wgetrc

ca_certificate = /etc/ssl/cacert.pem

and finally upgrade your system

apt update
apt full-upgrade
updatedb

Resources

how can I remove the clear screen before login https://askubuntu.com/questions/58097/how-can-i-remove-the-clear-screen-before-login

Prevent the console from clearing the screen? https://serverfault.com/questions/255969/prevent-the-console-from-clearing-the-screen

Configure Locales in Ubuntu https://www.thomas-krenn.com/en/wiki/Configure_Locales_in_Ubuntu

old-school init scripts

How can I execute command on startup (rc.local alternative) on Ubuntu 16.10 https://askubuntu.com/questions/886620/how-can-i-execute-command-on-startup-rc-local-alternative-on-ubuntu-16-10

(dead link) https://askubuntu.com/questions/952300/how-can-i-execute-command-on-shutdown-rc-local-alternative-on-ubuntu

fastest mirror

How to select the fastest apt mirror on Ubuntu Linux https://linuxconfig.org/how-to-select-the-fastest-apt-mirror-on-ubuntu-linux

misc

How to fix a locale setting warning from Perl https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl

trust store harden

CA certificates extracted from Mozilla https://curl.se/docs/caextract.html

6.3 Wgetrc Commands https://www.gnu.org/software/wget/manual/html_node/Wgetrc-Commands.html

GNU Wget 1.21.1-dirty Manual https://www.gnu.org/software/wget/manual/wget.html