Creating an Ubuntu operating system template for VMware automation has to meet certain requirements, whether security requirements, the organization's security policies, or specific settings. One of the main adjustments is to stop the operating system from performing periodic operations that consume system resources. Another is identity: cloned VMs would otherwise come up as identical servers with the same machine-id, which causes IP address allocation errors or network collisions.
VMware VM installation and setup
Ubuntu Server or Desktop is installed as a virtual machine with the Ubuntu guest operating system selected. To optimize the settings, it is recommended to deactivate the swap file that VMware creates automatically. Deactivate the swap file only when the system has sufficient RAM, or in environments where the number of created virtual machines fluctuates a lot.
Deactivating the VSWAP consists of adding a custom attribute (configuration parameter) in the virtual machine's advanced settings:
sched.swap.vmxSwapEnabled false
Adjust Ubuntu settings
The default installation of Ubuntu is then tuned for the needs of automated virtual machine creation.
A password for the root account is required for proper functionality:
passwd root
1. Installation of additional software
apt update
apt upgrade -y
apt autoremove -y
apt install mc htop xinetd ssh net-tools ifupdown ntp
systemctl enable ssh ntp
2. Modify the machine-ID parameter
rm /var/lib/dbus/machine-id
ln -s /etc/machine-id /var/lib/dbus/machine-id
echo "" > /etc/machine-id
3. Remove cloud-init and network-manager
sudo apt purge cloud-init network-manager -y
sudo apt autoremove -y
4. Remove Netplan; network and DNS settings
rm -rf /etc/netplan/*
unlink /etc/resolv.conf
tee /etc/resolv.conf >/dev/null <<EOL
nameserver 192.168.3.2
nameserver 192.168.16.16
nameserver 8.8.8.8
EOL
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
5. OpenVMtools optimization
sudo sed -i 's/Before=cloud-init-local.service/After=dbus.service/g' /lib/systemd/system/open-vm-tools.service
sudo sed -i 's/D /tmp 1777 root root -/#D /tmp 1777 root root -/g' /usr/lib/tmpfiles.d/tmp.conf
6. SSH settings, rc.local activation
sudo tee /etc/rc.local >/dev/null <<EOL
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# Regenerate the host keys on the first boot of a clone. Check for the ed25519 key:
# current Ubuntu releases no longer generate a DSA key, so testing for it would
# rerun dpkg-reconfigure on every boot.
test -f /etc/ssh/ssh_host_ed25519_key || dpkg-reconfigure openssh-server
exit 0
EOL
sudo chmod +x /etc/rc.local
tee /etc/systemd/system/rc-local.service >/dev/null <<EOL
[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target
EOL
systemctl enable rc-local
rm -rf /etc/ssh/ssh_host_*
For the server version, root login over SSH must be allowed and the pre-created vmware account must be denied SSH access. Note that PermitRootLogin yes also permits password authentication for root; where the automation connects with keys, prohibit-password is the tighter setting.
sed -i '/^#PermitRootLogin prohibit-password/a PermitRootLogin yes' /etc/ssh/sshd_config
sed -i '/^PermitRootLogin yes/a DenyUsers vmware' /etc/ssh/sshd_config
7. Set the time and NTP server
timedatectl set-timezone Europe/Bratislava
timedatectl set-ntp no
sed -i '/^[^#]/ s/\(^.*pool.*$\)/#\ \1/' /etc/ntp.conf
echo "pool ntp.local.sk iburst" >> /etc/ntp.conf
systemctl restart ntp
ntpq -p
8. RDP settings
cd /tmp
wget https://www.c-nergy.be/downloads/xRDP/xrdp-installer-1.2.3.zip
unzip xrdp-installer-1.2.3.zip
chmod +x xrdp-installer-1.2.3.sh
./xrdp-installer-1.2.3.sh -s -l
9. multipathd settings
nano /etc/multipath.conf
The following parameter must be added to the configuration file:
blacklist {
devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st|sda)[0-9]*"
}
10. Autoupdate
nano /bin/first-boot-update.sh
#!/bin/bash
# File that tracks the number of reboots
REBOOT_COUNTER_FILE="/etc/reboot-counter"
# Current number of reboots
if [ ! -f "$REBOOT_COUNTER_FILE" ]; then
    REBOOT_COUNTER=0
else
    REBOOT_COUNTER=$(cat "$REBOOT_COUNTER_FILE")
fi
# Increment and save the reboot count
REBOOT_COUNTER=$((REBOOT_COUNTER+1))
echo "$REBOOT_COUNTER" > "$REBOOT_COUNTER_FILE"
# Run the update only on the 4th reboot
if [ "$REBOOT_COUNTER" -eq 4 ]; then
    # Update the package list in silent mode
    apt-get update -qq
    # Safe package upgrade in silent mode; non-interactive so a dpkg prompt cannot hang the boot
    DEBIAN_FRONTEND=noninteractive apt-get upgrade -yqq
    # Clean the downloaded package archives in silent mode
    apt-get clean
    # Mark that the script has already run
    touch /etc/first-boot-done
fi
# Check whether the script has already run; if not, reboot
if [ ! -f "/etc/first-boot-done" ]; then
    # Reboot the system to raise the reboot count if this is not yet the 4th boot
    reboot
fi
nano /etc/systemd/system/first-boot-update.service
[Unit]
Description=Run apt update and upgrade at first boot
# network.target alone does not guarantee connectivity; apt-get needs the network to be online
Wants=network-online.target
After=network-online.target
[Service]
Type=oneshot
ExecStart=/bin/first-boot-update.sh
RemainAfterExit=true
ConditionPathExists=!/etc/first-boot-done
[Install]
WantedBy=multi-user.target
systemctl enable first-boot-update.service
chmod +x /bin/first-boot-update.sh
11. Deleting temporary files and disabling the SWAP partition
sudo swapoff --all
sudo sed -ri '/\sswap\s/s/^#?/#/' /etc/fstab
echo 'Acquire::ForceIPv4 "true";' > /etc/apt/apt.conf.d/99force-ipv4
if [ -f /var/log/audit/audit.log ]; then
cat /dev/null > /var/log/audit/audit.log
fi
if [ -f /var/log/wtmp ]; then
cat /dev/null > /var/log/wtmp
fi
if [ -f /var/log/lastlog ]; then
cat /dev/null > /var/log/lastlog
fi
if [ -f /etc/udev/rules.d/70-persistent-net.rules ]; then
rm /etc/udev/rules.d/70-persistent-net.rules
fi
rm -rf /tmp/*
rm -rf /var/tmp/*
rm -f /etc/ssh/ssh_host_*
echo "" > /etc/machine-id
apt clean
echo 0 > /etc/reboot-counter
# clear the in-memory history first, then write the (now empty) list so the history file is truncated too
history -c
history -w
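As an added check that is not part of the original post, the following script verifies before the template is shut down that steps 2, 6, 10 and 11 left it clone-safe. It assumes it is run as root with the root of the template filesystem as its argument (a staged directory tree can be passed instead for testing).

```shell
#!/bin/sh
# Template sanity check (added helper, not from the original procedure).
# ROOT is the filesystem root to inspect, so the same check can run
# against "/" on the template or against a staged tree.
check_template() {
    root="${1:-/}"
    fails=0

    # Step 2: machine-id must be empty (a lone newline counts as empty)
    # so systemd generates a fresh one on the clone's first boot.
    if [ -n "$(tr -d '[:space:]' < "$root/etc/machine-id" 2>/dev/null)" ]; then
        echo "FAIL: /etc/machine-id still holds an id"; fails=$((fails+1))
    fi
    if [ ! -L "$root/var/lib/dbus/machine-id" ]; then
        echo "FAIL: /var/lib/dbus/machine-id is not a symlink"; fails=$((fails+1))
    fi
    # Step 6: no host keys may remain; rc.local regenerates them per clone.
    for k in "$root"/etc/ssh/ssh_host_*; do
        if [ -e "$k" ]; then
            echo "FAIL: SSH host key left behind: $k"; fails=$((fails+1))
        fi
    done
    # Step 4: resolv.conf must be a regular file, not the resolved stub link.
    if [ -L "$root/etc/resolv.conf" ]; then
        echo "FAIL: /etc/resolv.conf is still a symlink"; fails=$((fails+1))
    fi
    # Step 10: the first-boot updater must be armed (counter 0, no done marker).
    if [ -e "$root/etc/first-boot-done" ]; then
        echo "FAIL: /etc/first-boot-done present, updater would never run"; fails=$((fails+1))
    fi
    if [ "$(cat "$root/etc/reboot-counter" 2>/dev/null)" != "0" ]; then
        echo "FAIL: /etc/reboot-counter is not 0"; fails=$((fails+1))
    fi
    # Step 11: no active swap entry and no persistent-net rules pinning the old NIC.
    if grep -Eq '^[^#].*[[:space:]]swap[[:space:]]' "$root/etc/fstab" 2>/dev/null; then
        echo "FAIL: uncommented swap entry in /etc/fstab"; fails=$((fails+1))
    fi
    if [ -e "$root/etc/udev/rules.d/70-persistent-net.rules" ]; then
        echo "FAIL: 70-persistent-net.rules present"; fails=$((fails+1))
    fi

    if [ "$fails" -eq 0 ]; then echo "OK: template is clone-safe"; fi
    return "$fails"   # number of failed checks, 0 when clean
}

# Run only when a root is given explicitly, e.g.: ./check-template.sh /
if [ -n "${1:-}" ]; then check_template "$1"; fi
```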
Specialist in cyber security, Azure Cloud administration and VMware on-prem. Uses technologies such as Checkmk and MRTG for network monitoring and for increasing the efficiency and security of IT infrastructure. Contact: hasin(at)mhite.sk