{"id":2129,"date":"2026-05-08T08:03:39","date_gmt":"2026-05-08T08:03:39","guid":{"rendered":"https:\/\/virtualall.sk\/?p=2129"},"modified":"2026-05-08T08:27:32","modified_gmt":"2026-05-08T08:27:32","slug":"vra-ubuntu-2604-server-template","status":"publish","type":"post","link":"https:\/\/virtualall.sk\/en\/2026\/05\/vra-ubuntu-2604-server-template\/","title":{"rendered":"VRA Ubuntu 26.04 Server Template \u2014 Kompletn\u00e1 \u0161abl\u00f3na pre vRealize Automation"},"content":{"rendered":"\n

Ubuntu 26.04 LTS<\/strong> ako \u0161abl\u00f3na pre vRealize Automation<\/strong> (resp. VMware Aria Automation) je z\u00e1kladn\u00fd stavebn\u00fd kame\u0148 pre automatizovan\u00e9 nasadzovanie linuxov\u00fdch serverov v podnikovom vSphere prostred\u00ed. Tento n\u00e1vod pokr\u00fdva kompletn\u00fa pr\u00edpravu Ubuntu 26.04 Server \u0161abl\u00f3ny \u2014 od nastavenia VMware VM, cez optimaliz\u00e1ciu OS pre klonovanie, konfigur\u00e1ciu cloud-init, automatick\u00e9 aktualiz\u00e1cie pomocou unattended-upgrades, a\u017e po sealing skript a verifik\u00e1ciu po deploye z VRA blueprintu.<\/p>\n\n\n\n

Cie\u013e je dosiahnu\u0165 \u0161abl\u00f3nu, ktor\u00e1 po klonovan\u00ed spo\u013eahlivo regeneruje machine-ID, SSH host k\u013e\u00fa\u010de a sie\u0165ov\u00e9 parametre, automaticky preber\u00e1 konfigur\u00e1ciu z VRA blueprintu (cez VMwareGuestInfo datasource alebo manu\u00e1lnu customiz\u00e1ciu) a sama si dr\u017e\u00ed OS bezpe\u010dnostn\u00e9 z\u00e1platy bez ru\u010dn\u00e9ho z\u00e1sahu. Pre desktop variantu \u0161abl\u00f3ny (s GUI a xRDP) pozri samostatn\u00fd n\u00e1vod VRA Ubuntu 26.04 Desktop Template<\/em>.<\/p>\n\n\n\n

1. VMware VM custom attributes<\/h2>\n\n\n\n

Pred in\u0161tal\u00e1ciou OS nastav vo vSphere na novej VM tieto Advanced Configuration parametre<\/strong> (Edit Settings \u2192 VM Options \u2192 Advanced \u2192 Edit Configuration). Rob\u00edme to pred bootom, niektor\u00e9 z nich sa po prvom \u0161tarte u\u017e \u0165a\u017e\u0161ie menia.<\/p>\n\n\n\n

sched.swap.vmxSwapEnabled    false\ndisk.EnableUUID              true\ntools.guest.desktop.autolock false<\/code><\/pre>\n\n\n\n
    \n
  • sched.swap.vmxSwapEnabled = false<\/strong> \u2014 vyp\u00edna vmx swap s\u00fabor v datastore (.vswp). Pri \u0161abl\u00f3nach kde je dostatok RAM sa zbyto\u010dne spotreb\u00fava diskov\u00fd priestor a IO na hostite\u013eovi.<\/li>\n
  • disk.EnableUUID = true<\/strong> \u2014 exponuje stabiln\u00e9 disk UUID do guest OS. Bez toho Ubuntu LVM\/initramfs m\u00f4\u017ee pri klonoch pomen\u00fava\u0165 disky nekonzistentne.<\/li>\n
  • tools.guest.desktop.autolock = false<\/strong> \u2014 vyp\u00edna auto-lock VMware Tools session (relevantn\u00e9 aj pre headless server kv\u00f4li vmtoolsd timeoutom).<\/li>\n<\/ul>\n\n\n\n
    2. Update + base bal\u00ed\u010dky<\/h2>\n\n\n\n
    Po in\u0161tal\u00e1cii Ubuntu 26.04 Server sa najprv pripoj cez SSH (alebo konzolu) ako sudo pou\u017e\u00edvate\u013e a ako prv\u00e9 urob pln\u00fd update syst\u00e9mu plus in\u0161tal\u00e1ciu z\u00e1kladn\u00fdch n\u00e1strojov.<\/p>\n\n\n\n
    sudo apt update\nsudo apt upgrade -y\nsudo apt autoremove -y\nsudo apt install -y mc htop ssh ntpsec net-tools util-linux-extra curl wget gnupg\nsudo systemctl enable ssh ntpsec<\/code><\/pre>\n\n\n\n
    Pozn\u00e1mka k vyraden\u00fdm bal\u00ed\u010dkom:<\/strong> Oproti star\u0161\u00edm verzi\u00e1m tohto n\u00e1vodu z\u00e1merne neprid\u00e1vame<\/em> xinetd<\/code> ani ifupdown<\/code> \u2014 na Ubuntu 26.04 s\u00fa obe obsolete. Sie\u0165 rie\u0161i Netplan + systemd-networkd, super-server inetd takmer nikto re\u00e1lne nepou\u017e\u00edva. Ak ich aplika\u010dne potrebuje\u0161, doin\u0161taluje\u0161 ich nesk\u00f4r.<\/p>\n\n\n\n
    Pozn\u00e1mka k chrony \u2192 ntpsec swap-u:<\/strong> Ubuntu 26.04 server m\u00e1 ako default time daemon chrony<\/code>. In\u0161tal\u00e1cia ntpsec<\/code> ho automaticky odstr\u00e1ni (konflikt \u2014 oba poskytuj\u00fa virtual package time-daemon<\/code>). Apt pri tom zobraz\u00ed varovanie typu “ubuntu-server-minimal depends on chrony | time-daemon”<\/em> \u2014 je to transient<\/strong> dpkg warning po\u010das swap-u, z\u00e1vislos\u0165 meta-packagu sa korektne spln\u00ed ke\u010f ntpsec dokon\u010d\u00ed setup (s\u00e1m poskytuje time-daemon<\/code>). Sta\u010d\u00ed necha\u0165 dobehn\u00fa\u0165, v\u00fdsledn\u00fd stav je v poriadku.<\/p>\n\n\n\n
    3. Reset machine-ID parametra<\/h2>\n\n\n\n
    Klony \u0161abl\u00f3ny by zdie\u013eali rovnak\u00fd \/etc\/machine-id<\/code>, \u010do l\u00e1me DHCP DUID-LL (v\u0161etky VM by \u017eiadali rovnak\u00fa IP), systemd journal cie\u013eovanie a pr\u00edpadne licen\u010dn\u00fa v\u00e4zbu. Tu nastav\u00edme symlink a vynulujeme \u2014 fin\u00e1lny reset urob\u00ed sealing skript<\/em> (sekcia 11).<\/p>\n\n\n\n
    sudo rm \/var\/lib\/dbus\/machine-id\nsudo ln -s \/etc\/machine-id \/var\/lib\/dbus\/machine-id\necho \"\" | sudo tee \/etc\/machine-id<\/code><\/pre>\n\n\n\n
    4. Cloud-init \u2014 dve cesty<\/h2>\n\n\n\n
    Existuj\u00fa dva osved\u010den\u00e9 pr\u00edstupy ako sa popasova\u0165 s cloud-init v \u0161abl\u00f3ne pre VRA. Vyber si jeden pod\u013ea toho, ako je postaven\u00fd tvoj VRA blueprint.<\/p>\n\n\n\n
    Cesta A \u2014 \u00faplne odstr\u00e1ni\u0165 cloud-init<\/h3>\n\n\n\n
    Vhodn\u00e9 ke\u010f VRA blueprint nepou\u017e\u00edva cloud-init injection a v\u0161etky parametre (hostname, IP, DNS, users) si zad\u00e1va cez vCenter Guest OS Customization Spec<\/em> alebo manu\u00e1lne po deploye. Najmenej “magick\u00e9ho” spr\u00e1vania, predv\u00eddate\u013en\u00fd prv\u00fd boot.<\/p>\n\n\n\n
    sudo apt purge -y cloud-init network-manager\nsudo apt autoremove -y\nsudo rm -rf \/etc\/cloud \/var\/lib\/cloud<\/code><\/pre>\n\n\n\n
    Cesta B \u2014 ponecha\u0165 cloud-init s VMwareGuestInfo datasource (odpor\u00fa\u010dan\u00e9 pre VRA)<\/h3>\n\n\n\n
    Cloud-init zost\u00e1va nain\u0161talovan\u00fd, ale presunieme ho na VMwareGuestInfo<\/strong> datasource. V\u010faka tomu VRA blueprint dok\u00e1\u017ee pri prvom boote injektova\u0165 hostname, SSH k\u013e\u00fa\u010de, prvotn\u00e9 users, alebo run-once user-data skripty cez vmx guestinfo<\/code> properties.<\/p>\n\n\n\n
    # obmedzi\u0165 datasource_list iba na VMware (poradie = priorita)\nsudo tee \/etc\/cloud\/cloud.cfg.d\/99-vmware-guestinfo.cfg >\/dev\/null <<'EOF'\ndatasource_list: [ VMwareGuestInfo, NoCloud, ConfigDrive, OVF, None ]\nEOF\n\n# vy\u010disti\u0165 stav z install image \u2014 povinn\u00e9 pred sealingom\nsudo cloud-init clean --logs<\/code><\/pre>\n\n\n\n
    Roz\u0161\u00edrenie root part\u00edcie pri prvom boote<\/strong> \u2014 neprid\u00e1vame<\/em> cloud-initramfs-growroot<\/code>. Cloud-init m\u00e1 vlastn\u00e9 moduly growpart<\/code> + resizefs<\/code> ktor\u00e9 robia presne to ist\u00e9 nat\u00edvne po\u010das init f\u00e1zy (nie z initramfs hooku). S\u00fa v default cloud-init konfigur\u00e1cii zapnut\u00e9, tak\u017ee \u017eiadny extra bal\u00ed\u010dek netreba. Naviac sa t\u00fdm vyhneme probl\u00e9mov\u00e9mu swap-u na Ubuntu 26.04: cloud-initramfs-growroot<\/code> m\u00e1 hard dependency na initramfs-tools<\/code>, ale Ubuntu 26.04 m\u00e1 ako default initramfs generator dracut<\/strong> \u2014 apt by ho preto pri in\u0161tal\u00e1cii odstr\u00e1nil a nahradil initramfs-tools<\/code>. Riskantn\u00e1 oper\u00e1cia na u\u017e-nain\u0161talovanom syst\u00e9me bez re\u00e1lneho benefitu.<\/p>\n\n\n\n
    Ak chce\u0161 overi\u0165 \u017ee growpart modul cloud-initu je akt\u00edvny:<\/p>\n\n\n\n
    grep -E \"growpart|resizefs\" \/etc\/cloud\/cloud.cfg\n# malo by uk\u00e1za\u0165 tieto moduly v cloud_init_modules: alebo cloud_config_modules: sekcii<\/code><\/pre>\n\n\n\n
    Pri tomto pr\u00edstupe vo VRA blueprinte definuje\u0161 cloudConfig<\/code> sekciu (YAML) ktor\u00e1 sa pri klonovan\u00ed zap\u00ed\u0161e do guestinfo.userdata<\/code> \u2014 cloud-init si ju pri prvom boote pre\u010d\u00edta a aplikuje.<\/p>\n\n\n\n
    5. Sie\u0165 a DNS<\/h2>\n\n\n\n
    \u0160abl\u00f3na by nemala nies\u0165 \u017eiadnu fixn\u00fa sie\u0165ov\u00fa konfigur\u00e1ciu \u2014 t\u00fa dod\u00e1 VRA blueprint alebo cloud-init pri prvom boote. Odstr\u00e1nime preto default netplan s\u00fabor a hardcoded fallback nameservery.<\/p>\n\n\n\n
    # Odstr\u00e1ni\u0165 default netplan config\nsudo rm -f \/etc\/netplan\/*.yaml\n\n# Hardcoded resolv.conf (fallback ak systemd-resolved zlyh\u00e1)\nsudo unlink \/etc\/resolv.conf 2>\/dev\/null || true\nprintf '%s\\n' 'nameserver 192.168.3.2' 'nameserver 192.168.16.16' 'nameserver 8.8.8.8' | sudo tee \/etc\/resolv.conf >\/dev\/null\n\n# ak nepotrebuje\u0161 systemd-resolved (pri Ceste A z predch\u00e1dzaj\u00facej sekcie)\nsudo systemctl disable --now systemd-resolved 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n
    Pri Ceste B (cloud-init zost\u00e1va) systemd-resolved<\/code> ponechaj zapnut\u00fd \u2014 cloud-init s n\u00edm \u0161tandardne po\u010d\u00edta.<\/p>\n\n\n\n
    6. Optimaliz\u00e1cia OpenVMtools<\/h2>\n\n\n\n
    Default open-vm-tools.service<\/code> sa \u0161tartuje pred cloud-init-local.service<\/code> a pred dbus.service<\/code>, \u010do na bootu sp\u00f4sobuje race condition \u2014 vmtoolsd ob\u010das zatuhne na 30\u201360 sekund\u00e1ch. Patch posunie \u0161tart za dbus a zakomentuje konfliktn\u00fd tmpfiles entry.<\/p>\n\n\n\n
    sudo sed -i 's|Before=cloud-init-local.service|After=dbus.service|g' \\\n    \/lib\/systemd\/system\/open-vm-tools.service\n\nsudo sed -i 's|^D \/tmp 1777 root root -|#D \/tmp 1777 root root -|g' \\\n    \/usr\/lib\/tmpfiles.d\/tmp.conf\n\nsudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n
    7. \u010casov\u00e1 z\u00f3na a NTP<\/h2>\n\n\n\n
    \u010casov\u00e1 z\u00f3na sa nastav\u00ed na Europe\/Bratislava<\/code>. Prim\u00e1rny NTP server je ntp.tuke.sk<\/strong> (ozna\u010den\u00fd modifik\u00e1torom prefer<\/code>), ako z\u00e1loha s\u00fa pridan\u00e9 verejn\u00e9 pooly sk.pool.ntp.org<\/code> a europe.pool.ntp.org<\/code>. Tri zdroje sta\u010dia na detekciu falseticker-a (NTP majority voting).<\/p>\n\n\n\n
    sudo timedatectl set-timezone Europe\/Bratislava\n\nsudo tee \/etc\/ntpsec\/ntp.conf >\/dev\/null <<'EOL'\ndriftfile \/var\/lib\/ntpsec\/ntp.drift\nleapfile \/usr\/share\/zoneinfo\/leap-seconds.list\n\nstatistics loopstats peerstats clockstats\nfilegen loopstats file loopstats type day enable\nfilegen peerstats file peerstats type day enable\nfilegen clockstats file clockstats type day enable\n\n# Prim\u00e1rny NTP server\npool ntp.tuke.sk prefer iburst\n\n# Z\u00e1lo\u017en\u00e9 verejn\u00e9 pooly\npool 0.sk.pool.ntp.org iburst\npool 1.europe.pool.ntp.org iburst\n\nrestrict default kod nomodify notrap nopeer noquery limited\nrestrict 127.0.0.1\nrestrict ::1\nEOL\n\nsudo systemctl restart ntpsec\nntpq -p<\/code><\/pre>\n\n\n\n
    Pr\u00edkaz ntpq -p<\/code> by mal po p\u00e1r sekund\u00e1ch uk\u00e1za\u0165 vybran\u00e9 peer-y so synchronizovan\u00fdm stavom \u2014 pri ntp.tuke.sk<\/code> by mal by\u0165 znak *<\/code> (vybran\u00fd ako system peer), pri ostatn\u00fdch +<\/code> (kandid\u00e1t). Ak ostane v\u0161ade x<\/code> alebo pr\u00e1zdno, skontroluj firewall na port 123\/UDP.<\/p>\n\n\n\n
    8. SSH server setup<\/h2>\n\n\n\n
    SSH host k\u013e\u00fa\u010de sa musia regenerova\u0165 pri prvom boote ka\u017ed\u00e9ho klonu. Toto rie\u0161i kombin\u00e1cia rc.local<\/code> (regener\u00e1cia ak ch\u00fdbaj\u00fa) plus fin\u00e1lne zmazanie k\u013e\u00fa\u010dov v sealing skripte (sekcia 11).<\/p>\n\n\n\n
    sudo tee \/etc\/rc.local >\/dev\/null <<'EOL'\n#!\/bin\/sh -e\ntest -f \/etc\/ssh\/ssh_host_rsa_key || dpkg-reconfigure openssh-server\nexit 0\nEOL\nsudo chmod +x \/etc\/rc.local\n\nsudo tee \/etc\/systemd\/system\/rc-local.service >\/dev\/null <<'EOL'\n[Unit]\nDescription=\/etc\/rc.local Compatibility\nConditionPathExists=\/etc\/rc.local\n\n[Service]\nType=forking\nExecStart=\/etc\/rc.local start\nTimeoutSec=0\nStandardOutput=tty\nRemainAfterExit=yes\nSysVStartPriority=99\n\n[Install]\nWantedBy=multi-user.target\nEOL\n\nsudo systemctl daemon-reload\nsudo systemctl enable rc-local<\/code><\/pre>\n\n\n\n
    SSH konfigur\u00e1cia \u2014 povolenie root loginu (intern\u00fd admin pr\u00edstup) a z\u00e1kaz default vmware<\/code> \u00fa\u010dtu zo subiquity in\u0161tal\u00e1tora:<\/p>\n\n\n\n
    sudo sed -i '\/^#PermitRootLogin\/c\\PermitRootLogin yes' \/etc\/ssh\/sshd_config\necho 'DenyUsers vmware' | sudo tee -a \/etc\/ssh\/sshd_config\nsudo systemctl restart ssh<\/code><\/pre>\n\n\n\n
    Bezpe\u010dnostn\u00e1 pozn\u00e1mka:<\/strong> PermitRootLogin yes<\/code> je vhodn\u00e9 kombinova\u0165 s PasswordAuthentication no<\/code> + povinn\u00fdmi SSH k\u013e\u00fa\u010dmi. Pre VRA-deployovan\u00fa VM kde root pr\u00edstup te\u010die cez VPN\/jump host to akceptujeme; pre exposed hosty zv\u00e1\u017ei\u0165 aj limit cez AllowUsers<\/code> alebo presne t\u00fato sekciu prerobi\u0165 na key-only.<\/p>\n\n\n\n
    9. Automatick\u00e9 aktualiz\u00e1cie \u2014 unattended-upgrades<\/h2>\n\n\n\n
    Automatick\u00e9 bezpe\u010dnostn\u00e9 z\u00e1platy s\u00fa pre \u0161abl\u00f3ny must-have<\/em> \u2014 bez nich VM po deploy-i nieko\u013eko mesiacov vis\u00ed so zranite\u013enos\u0165ami k\u00fdm sa k nej niekto neprihl\u00e1si. Predt\u00fdm sme to v star\u0161\u00edch verzi\u00e1ch \u0161abl\u00f3ny rie\u0161ili custom first-boot-update.sh<\/code> skriptom s reboot counterom; pre Ubuntu 26.04 odpor\u00fa\u010dam unattended-upgrades<\/strong> \u2014 je to \u0161tandardn\u00e1 Canonical cesta s lep\u0161ou integr\u00e1ciou (ESM, kernel cleanup, proper reboot scheduling).<\/p>\n\n\n\n
    sudo apt install -y unattended-upgrades apt-listchanges<\/code><\/pre>\n\n\n\n
    Hlavn\u00fd enable<\/strong> \u2014 \/etc\/apt\/apt.conf.d\/20auto-upgrades<\/code>:<\/p>\n\n\n\n
    printf '%s\\n' \\\n  'APT::Periodic::Update-Package-Lists \"1\";' \\\n  'APT::Periodic::Unattended-Upgrade \"1\";' \\\n  'APT::Periodic::AutocleanInterval \"7\";' \\\n  'APT::Periodic::Verbose \"1\";' \\\n| sudo tee \/etc\/apt\/apt.conf.d\/20auto-upgrades >\/dev\/null<\/code><\/pre>\n\n\n\n
    Allowlist a reboot policy<\/strong> \u2014 \/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code> (prep\u00ed\u0161e default, ktor\u00fd povo\u013euje iba -security<\/code>). Heredoc s uvozovkovan\u00fdm termin\u00e1torom <<'EOL'<\/code> \u2014 apostrofy zais\u0165uj\u00fa \u017ee znaky ${...}<\/code> sa neexpandn\u00fa v shelle (apt parser si ich rie\u0161i s\u00e1m) a z\u00e1rove\u0148 pre\u017eije copy-paste z prehliada\u010da bez mangling-u.<\/p>\n\n\n\n
    sudo tee \/etc\/apt\/apt.conf.d\/50unattended-upgrades >\/dev\/null <<'EOL'\nUnattended-Upgrade::Allowed-Origins {\n    \"${distro_id}:${distro_codename}-security\";\n    \"${distro_id}ESMApps:${distro_codename}-apps-security\";\n    \"${distro_id}ESM:${distro_codename}-infra-security\";\n    \"${distro_id}:${distro_codename}-updates\";\n};\n\nUnattended-Upgrade::Package-Blacklist {\n    \/\/ sem da\u0165 bal\u00ed\u010dky ktor\u00e9 nikdy nechce\u0161 auto-aktualizova\u0165\n    \/\/ napr.: \"linux-image-generic\";\n};\n\nUnattended-Upgrade::DevRelease \"auto\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\nUnattended-Upgrade::Remove-New-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"false\";\n\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"04:00\";\n\nUnattended-Upgrade::SyslogEnable \"true\";\nUnattended-Upgrade::SyslogFacility \"daemon\";\nEOL<\/code><\/pre>\n\n\n\n
    Valid\u00e1cia a sledovanie<\/strong> \u2014 overenie \u017ee timer-y s\u00fa akt\u00edvne, dry-run \u010do by sa nain\u0161talovalo, a kde \u010d\u00edta\u0165 logy:<\/p>\n\n\n\n
    # dry-run - vyp\u00ed\u0161e \u010do by upgrade urobil\nsudo unattended-upgrade --dry-run -d\n\n# stav timer-ov\nsystemctl list-timers apt-daily apt-daily-upgrade\n\n# log z dne\u0161n\u00e9ho behu\nsudo journalctl -u unattended-upgrades --since today\n\n# detailnej\u0161\u00ed apt log\nsudo cat \/var\/log\/unattended-upgrades\/unattended-upgrades.log<\/code><\/pre>\n\n\n\n
    Po aplik\u00e1cii bude \u0161abl\u00f3na pri ka\u017edom deploye automaticky:<\/p>\n\n\n\n
      \n
    • denne s\u0165ahova\u0165 bal\u00ed\u010dkov\u00e9 listy a aplikova\u0165 -security<\/code> aj -updates<\/code> rep\u00e1<\/li>\n
    • autoremove-ova\u0165 star\u00e9 kernely a nepou\u017e\u00edvan\u00e9 z\u00e1vislosti<\/li>\n
    • re\u0161tartova\u0165 sa o 04:00 r\u00e1no ke\u010f je potrebn\u00fd reboot (typicky kernel update)<\/li>\n
    • logova\u0165 do journalctl + \/var\/log\/unattended-upgrades\/<\/code><\/li>\n<\/ul>\n\n\n\n
      10. Optimaliz\u00e1cie pre vSphere a mass-deployment<\/h2>\n\n\n\n
      \u0160abl\u00f3na z ktorej sa m\u00f4\u017ee klonova\u0165 aj 150 VM zasl\u00fa\u017ei p\u00e1r optimaliz\u00e1ci\u00ed navy\u0161e \u2014 vypnutie nepotrebn\u00fdch slu\u017eieb, rozumn\u00e9 limity pre logy, virtual-guest tuning a randomiz\u00e1cia automatick\u00fdch aktualiz\u00e1ci\u00ed aby ti 150 strojov neza\u010dalo s\u00fa\u010dasne s\u0165ahova\u0165 bal\u00ed\u010dky.<\/p>\n\n\n\n
      Vypnutie multipathd (default vo\u013eba pre vSphere VM)<\/h3>\n\n\n\n
      Pre \u010dist\u00e9 vSphere VM bez in-guest iSCSI\/FC initi\u00e1tora<\/strong> je multipathd v hostite\u013eskom OS nadbyto\u010dn\u00fd \u2014 vSphere rie\u0161i cesty k storage na \u00farovni ESXi hosta (Round Robin, Fixed, MRU policy), guest vid\u00ed jeden virtu\u00e1lny disk a \u017eiadne alternat\u00edvne cesty. Spusten\u00fd multipathd v guest OS:<\/p>\n\n\n\n
        \n
      • Zbyto\u010dne spotreb\u00fava pam\u00e4\u0165 a CPU pri ka\u017edom boote (mapping pokus)<\/li>\n
      • Ob\u010das konfliktuje s LVM\/initramfs po\u010das update-initramfs<\/code><\/li>\n
      • Spoma\u013euje boot o nieko\u013eko sek\u00fand k\u00fdm detekuje \u017ee nem\u00e1 \u010do mapova\u0165<\/li>\n<\/ul>\n\n\n\n
        # Zastavi\u0165, vypn\u00fa\u0165 a odstr\u00e1ni\u0165 (typicky nie je nain\u0161talovan\u00fd, kontrola pre istotu)\nsudo systemctl disable --now multipathd multipathd.socket 2>\/dev\/null || true\nsudo apt purge -y multipath-tools 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n
        V\u00fdnimka \u2014 ke\u010f multipathd potrebuje\u0161<\/em>:<\/strong> ak v guest VM be\u017eia in-guest iSCSI<\/em> alebo FC initi\u00e1tory<\/em> (typicky Veeam Hardened Repository, datab\u00e1zov\u00fd server s direct LUN cez open-iscsi<\/code>, alebo SAP HANA s ASM diskmi), multipathd doin\u0161talova\u0165 s blacklist<\/code> regex pre sda<\/code>\/nvme<\/code>\/hd*<\/code>. To je ale \u0161peci\u00e1lny pr\u00edpad \u2014 pre default VRA \u0161abl\u00f3nu vypneme.<\/p>\n\n\n\n
        Tuned profile virtual-guest<\/h3>\n\n\n\n
        Tuned je daemon ktor\u00fd aplikuje pripraven\u00e9 ladiace profily \u2014 pre VMware\/KVM guest m\u00e1 virtual-guest<\/code> profil ktor\u00fd nastav\u00ed spr\u00e1vny I\/O scheduler (mq-deadline pre virtio\/pvscsi), vm.dirty_ratio<\/code>, transparent hugepages a CPU governor. Bez tuned-u zost\u00e1vaj\u00fa defaulty navrhnut\u00e9 pre desktop, ktor\u00e9 pre serverov\u00e9 VM nie s\u00fa optim\u00e1lne.<\/p>\n\n\n\n
        sudo apt install -y tuned\nsudo systemctl enable --now tuned\nsudo tuned-adm profile virtual-guest\ntuned-adm active<\/code><\/pre>\n\n\n\n
        Vypnutie motd-news (zbyto\u010dn\u00fd network call pri ka\u017edom logine)<\/h3>\n\n\n\n
        Default Ubuntu posiela pri ka\u017edom SSH logine HTTP request na motd.ubuntu.com<\/code> aby zobrazil \"What's new\" reklamy a Pro upgrade lure. Pri 150 VM je to 150 zbyto\u010dn\u00fdch HTTPS requestov pri ka\u017edom prihl\u00e1sen\u00ed.<\/p>\n\n\n\n
        sudo sed -i 's\/^ENABLED=1\/ENABLED=0\/' \/etc\/default\/motd-news\nsudo systemctl disable --now motd-news.timer motd-news.service 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n
        Limit ve\u013ekosti journald<\/h3>\n\n\n\n
        Pre \u0161abl\u00f3nu z ktorej sa generuj\u00fa efem\u00e9rne VM (priemern\u00e1 \u017eivotnos\u0165 dn\u00ed\/t\u00fd\u017ed\u0148ov, nie roky) dr\u017e \u017eurn\u00e1l mal\u00fd \u2014 default 4 GB cap je pre tak\u00e9to stroje plytvanie. 200 MB pokr\u00fdva nieko\u013eko t\u00fd\u017ed\u0148ov hist\u00f3rie pre debug.<\/p>\n\n\n\n
        sudo mkdir -p \/etc\/systemd\/journald.conf.d\nprintf '%s\\n' \\\n  '[Journal]' \\\n  'SystemMaxUse=200M' \\\n  'SystemMaxFileSize=20M' \\\n  'ForwardToSyslog=no' \\\n| sudo tee \/etc\/systemd\/journald.conf.d\/00-template.conf >\/dev\/null\n\nsudo systemctl restart systemd-journald\nsystemctl status systemd-journald<\/code><\/pre>\n\n\n\n
        Pozn.<\/strong> Time-based MaxRetentionSec<\/code> sme zo configu vynechali z\u00e1merne \u2014 pri \u0161abl\u00f3ne je storage cap<\/em> (SystemMaxUse=200M<\/code>) jedin\u00e1 zmyslupln\u00e1 retencia. Storage rotuje star\u00e9 z\u00e1znamy ke\u010f sa napln\u00ed 200 MB, \u010do je spo\u013eahlivej\u0161ie ako \u010das-based retention pri VM s nedeterministick\u00fdmi boot \u010dasmi.<\/p>\n\n\n\n
        Randomiz\u00e1cia apt-daily timer-ov pre 150 VM cluster<\/h3>\n\n\n\n
        Default systemd apt-daily.timer<\/code> a apt-daily-upgrade.timer<\/code> maj\u00fa u\u017e zabudovan\u00fa n\u00e1hodn\u00fa odch\u00fdlku (RandomizedDelaySec<\/code> 12h pre apt-daily, 60min pre apt-daily-upgrade). Pre 150 VM klonovan\u00fdch z rovnak\u00e9ho template to znamen\u00e1, \u017ee bezpe\u010dnostn\u00e9 aktualiz\u00e1cie sa rozlo\u017eia v \u010dase \u2014 bez randomiz\u00e1cie by v\u0161etky stroje za\u010dali \u0165aha\u0165 bal\u00ed\u010dky s\u00fa\u010dasne v ten ist\u00fd moment a tvoj apt mirror, NTP server a uplink by to nepekne poc\u00edtili.<\/p>\n\n\n\n
        # overenie randomiz\u00e1cie (default je u\u017e zapnut\u00e1)\nsystemctl cat apt-daily.timer | grep -i Randomized\nsystemctl cat apt-daily-upgrade.timer | grep -i Randomized\n\n# ak chce\u0161 e\u0161te v\u00e4\u010d\u0161\u00ed rozptyl pre ve\u013ek\u00fd cluster (napr. 4h pre apt-daily-upgrade):\nsudo mkdir -p \/etc\/systemd\/system\/apt-daily-upgrade.timer.d\nprintf '%s\\n' '[Timer]' 'RandomizedDelaySec=4h' \\\n| sudo tee \/etc\/systemd\/system\/apt-daily-upgrade.timer.d\/override.conf >\/dev\/null\nsudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n
        Pri default 60-min jitteri sa 150 VM rozlo\u017e\u00ed pribli\u017ene na ~2.5 stroja za min\u00fatu \u2014 pre v\u00e4\u010d\u0161inu prostred\u00ed akceptovate\u013en\u00e9. Pri \u0161ir\u0161om 4h okne je to ~0.6 stroja za min\u00fatu, \u010do apt mirror prakticky nezac\u00edti.<\/p>\n\n\n\n
        11. Sealing skript seal-template.sh<\/h2>\n\n\n\n
        Konsolidovan\u00fd skript ktor\u00fd spust\u00ed\u0161 tesne pred<\/strong> konverziou VM na \u0161abl\u00f3nu. Nahr\u00e1dza desiatky ru\u010dn\u00fdch pr\u00edkazov z p\u00f4vodnej verzie n\u00e1vodu jedin\u00fdm sudo \/usr\/local\/sbin\/seal-template.sh<\/code>.<\/p>\n\n\n\n
        sudo tee \/usr\/local\/sbin\/seal-template.sh >\/dev\/null <<'EOL'\n#!\/bin\/bash\n# Spus\u0165 pred konverziou VM na \u0161abl\u00f3nu, potom poweroff.\nset -e\n\necho \"=== Sealing template ===\"\n\n# Cloud-init reset (ak je nain\u0161talovan\u00fd)\nif command -v cloud-init >\/dev\/null; then\n    cloud-init clean --logs --machine-id\nfi\n\n# SWAP off + zakomentova\u0165 v fstab\nswapoff --all || true\nsed -ri '\/\\sswap\\s\/s\/^#?\/#\/' \/etc\/fstab\n\n# Force IPv4 pre apt (ipv6 ob\u010das zlyh\u00e1va v exotickej sieti)\necho 'Acquire::ForceIPv4 \"true\";' > \/etc\/apt\/apt.conf.d\/99force-ipv4\n\n# Truncate logy\nfor f in \/var\/log\/audit\/audit.log \/var\/log\/wtmp \/var\/log\/lastlog \/var\/log\/btmp \\\n         \/var\/log\/syslog \/var\/log\/auth.log \/var\/log\/kern.log; do\n    [ -f \"$f\" ] && truncate -s 0 \"$f\"\ndone\n\n# Vy\u010distenie persistent rules a tmp\nrm -f \/etc\/udev\/rules.d\/70-persistent-net.rules\nrm -rf \/tmp\/* \/var\/tmp\/*\n\n# SSH host k\u013e\u00fa\u010de - regeneruj\u00fa sa pri prvom boote (sekcia 8)\nrm -f \/etc\/ssh\/ssh_host_*\n\n# Machine-ID wipe (regeneruje sa pri prvom boote)\necho \"\" > \/etc\/machine-id\n[ -L \/var\/lib\/dbus\/machine-id ] || echo \"\" > \/var\/lib\/dbus\/machine-id\n\n# APT cache cleanup\napt clean\n\n# History\nhistory -c\n> ~\/.bash_history\n[ -f \/root\/.bash_history ] && > \/root\/.bash_history\n\n# fstrim - vynuluje vo\u013en\u00e9 bloky vo file syst\u00e9me, dramaticky zmen\u0161\u00ed v\u00fdsledn\u00fa VMDK\n# (pri thin-provisioned diskoch m\u00f4\u017ee u\u0161etri\u0165 desiatky GB pri 150 klonoch)\nfstrim -av || true\n\necho \"=== Done. Now: sudo poweroff ; convert to template in vCenter. ===\"\nEOL\n\nsudo chmod +x \/usr\/local\/sbin\/seal-template.sh<\/code><\/pre>\n\n\n\n
        12. Konverzia na \u0161abl\u00f3nu a verifik\u00e1cia<\/h2>\n\n\n\n
        Z\u00e1vere\u010dn\u00e9 kroky na zdrojovej VM:<\/p>\n\n\n\n
        sudo \/usr\/local\/sbin\/seal-template.sh\nsudo poweroff<\/code><\/pre>\n\n\n\n
        Vo vCenter:<\/p>\n\n\n\n
          \n
        1. Right-click na VM \u2192 Template<\/strong> \u2192 Convert to Template<\/strong><\/li>\n
        2. Premenuj template (napr. tpl-ubuntu-2604-server<\/code>) a presu\u0148 do template foldera<\/li>\n
        3. V Aria Automation Cloud Assembly<\/strong> pridaj template ako Cloud Template Image Mapping<\/em><\/li>\n<\/ol>\n\n\n\n
          Po prvom deploye z VRA blueprintu na novej VM overi\u0165:<\/p>\n\n\n\n
          # Cloud-init stav (iba ak ide o Cestu B)\ncloud-init status\ncloud-init analyze show\n\n# Logy z prv\u00e9ho bootu\nsudo tail -200 \/var\/log\/cloud-init.log\nsudo tail -200 \/var\/log\/cloud-init-output.log\n\n# Boot performance\nsystemd-analyze\nsystemd-analyze blame | head -10\n\n# Tuned profil je akt\u00edvny\ntuned-adm active        # malo by uk\u00e1za\u0165 \"Current active profile: virtual-guest\"\n\n# Multipathd vypnut\u00fd\nsystemctl is-enabled multipathd 2>&1 | grep -E \"disabled|not-found\"\n\n# Unattended-upgrades je akt\u00edvny + randomiz\u00e1cia funguje\nsystemctl status apt-daily.timer apt-daily-upgrade.timer\nsystemctl list-timers apt-daily*\nsudo unattended-upgrade --dry-run -d\n\n# Journald limit funguje\njournalctl --disk-usage     # <= ~200 MB\n\n# Uniqueness \u2014 nesmie by\u0165 identick\u00e9 s template\ncat \/etc\/machine-id\nhostname\nip a\nssh-keygen -lf \/etc\/ssh\/ssh_host_ed25519_key.pub<\/code><\/pre>\n\n\n\n
          \u010cast\u00e9 probl\u00e9my a kde h\u013eada\u0165:<\/strong><\/p>\n\n\n\n