{"id":2144,"date":"2026-05-11T10:15:24","date_gmt":"2026-05-11T10:15:24","guid":{"rendered":"https:\/\/virtualall.sk\/?p=2144"},"modified":"2026-05-11T10:48:18","modified_gmt":"2026-05-11T10:48:18","slug":"vra-ubuntu-2604-desktop-template","status":"publish","type":"post","link":"https:\/\/virtualall.sk\/en\/2026\/05\/vra-ubuntu-2604-desktop-template\/","title":{"rendered":"VRA Ubuntu 26.04 Desktop Template: a complete template for vRealize Automation"},"content":{"rendered":"\n<p><strong>Ubuntu 26.04 LTS Desktop<\/strong> as a template for <strong>vRealize Automation<\/strong> (now VMware Aria Automation) is the basic building block for automated deployment of Linux desktops in an enterprise vSphere environment, typically for VDI, developer workstations or lab machines. This guide covers the complete preparation of an Ubuntu 26.04 Desktop template: from the VMware VM settings, through optimising the OS for cloning, configuring cloud-init and automatic updates with unattended-upgrades, to the sealing script and verification after deployment from a VRA blueprint.<\/p>\n\n\n\n<p>The goal is a template that, once cloned, reliably regenerates its machine-ID, SSH host keys and network parameters, automatically picks up its configuration from the VRA blueprint (via the VMwareGuestInfo datasource or manual customisation) and keeps its OS security patches current without manual intervention. 
For the server variant of the template (no GUI) see the separate guide <em><a href=\"https:\/\/virtualall.sk\/2026\/05\/vra-ubuntu-2604-server-template\/\">VRA Ubuntu 26.04 Server Template<\/a><\/em>.<\/p>\n\n\n\n\n<p><strong>Note:<\/strong> in this version of the article the content is identical to the Server variant; the Desktop-specific sections (GUI installation, autologin, screen saver, xRDP self-healing setup and watchdog timer) will be added to the guide in a later revision.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. VMware VM custom attributes<\/h2>\n\n\n\n<p>Before installing the OS, set the following <strong>Advanced Configuration parameters<\/strong> on the new VM in vSphere (Edit Settings \u2192 VM Options \u2192 Advanced \u2192 Edit Configuration). We do this before the first boot because some of them are harder to change once the VM has started.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sched.swap.vmxSwapEnabled    false\ndisk.EnableUUID              true\ntools.guest.desktop.autolock false<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>sched.swap.vmxSwapEnabled = false<\/strong>: disables the VMX swap file in the datastore (.vswp). For templates with enough RAM it only wastes datastore space and host IO.<\/li>\n<li><strong>disk.EnableUUID = true<\/strong>: exposes stable disk UUIDs to the guest OS. Without it, Ubuntu LVM\/initramfs may name disks inconsistently across clones.<\/li>\n<li><strong>tools.guest.desktop.autolock = false<\/strong>: disables the VMware Tools session auto-lock (relevant even for a headless server because of vmtoolsd timeouts).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Update + base packages<\/h2>\n\n\n\n<p>After installing Ubuntu 26.04 Desktop, first connect over SSH (or open a terminal in GNOME) as a sudo user and, as the very first step, run a full system update and install the basic tools.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update\nsudo apt upgrade -y\nsudo apt autoremove -y\nsudo apt install -y mc htop ssh ntpsec net-tools util-linux-extra curl wget gnupg\nsudo systemctl enable ssh ntpsec<\/code><\/pre>\n\n\n\n<p><strong>Note on dropped packages:<\/strong> unlike older versions of this guide we deliberately do <em>not<\/em> add <code>xinetd<\/code> or <code>ifupdown<\/code>; both are obsolete on Ubuntu 26.04. Networking is handled by Netplan + systemd-networkd, and hardly anyone still uses the inetd super-server. If an application needs them, install them later.<\/p>\n\n\n\n<p><strong>Note on the chrony \u2192 ntpsec swap:<\/strong> Ubuntu 26.04 Desktop ships <code>chrony<\/code> as the default time daemon. Installing <code>ntpsec<\/code> removes it automatically (they conflict, as both provide the virtual package <code>time-daemon<\/code>). Apt prints a warning such as <em>&#8220;ubuntu-desktop-minimal depends on chrony | time-daemon&#8221;<\/em>; this is a <strong>transient<\/strong> dpkg warning during the swap, and the meta-package dependency is satisfied correctly once ntpsec finishes its setup (it provides <code>time-daemon<\/code> itself). Just let it finish; the resulting state is fine.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Resetting the machine-ID<\/h2>\n\n\n\n<p>Clones of the template would share the same <code>\/etc\/machine-id<\/code>, which breaks DHCP DUID-LL (every VM would request the same IP), systemd journal targeting and possibly licence binding. Here we set up the symlink and empty the file; the final reset is done by the <em>sealing script<\/em> (section 14).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo rm \/var\/lib\/dbus\/machine-id\nsudo ln -s \/etc\/machine-id \/var\/lib\/dbus\/machine-id\necho \"\" | sudo tee \/etc\/machine-id<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">4. Cloud-init with the VMwareGuestInfo datasource<\/h2>\n\n\n\n<p>Cloud-init stays installed, but we switch it to the <strong>VMwareGuestInfo<\/strong> datasource. This lets the VRA blueprint inject the hostname, SSH keys, initial users or run-once user-data scripts through <code>vmx guestinfo<\/code> properties at first boot. Check the datasource name against the cloud-init version on the image: the guestinfo datasource built into current cloud-init releases is registered as <code>VMware<\/code>, while <code>VMwareGuestInfo<\/code> is the name used by the older out-of-tree plugin; a name that cloud-init does not know is simply not found in <code>datasource_list<\/code>, and the first-boot injection then falls through to the next datasource.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># restrict datasource_list to VMware only (order = priority)\nsudo tee \/etc\/cloud\/cloud.cfg.d\/99-vmware-guestinfo.cfg >\/dev\/null <<'EOF'\ndatasource_list: &#91; VMwareGuestInfo, NoCloud, ConfigDrive, OVF, None ]\nEOF\n\n# clear the state left over from the install image; mandatory before sealing\nsudo cloud-init clean --logs<\/code><\/pre>\n\n\n\n<p><strong>Growing the root partition at first boot<\/strong>: we do <em>not<\/em> add <code>cloud-initramfs-growroot<\/code>. Cloud-init has its own <code>growpart<\/code> + <code>resizefs<\/code> modules that do exactly the same thing natively during the init phase (not from an initramfs hook). They are enabled in the default cloud-init configuration, so no extra package is needed. 
It also avoids a problematic package swap on Ubuntu 26.04: <code>cloud-initramfs-growroot<\/code> hard-depends on <code>initramfs-tools<\/code>, but Ubuntu 26.04 uses <strong>dracut<\/strong> as its default initramfs generator, so apt would remove dracut during the install and replace it with <code>initramfs-tools<\/code>. That is a risky operation on an already-installed system with no real benefit.<\/p>\n\n\n\n<p>To verify that cloud-init's growpart module is active:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>grep -E \"growpart|resizefs\" \/etc\/cloud\/cloud.cfg\n# should list these modules in the cloud_init_modules: or cloud_config_modules: section<\/code><\/pre>\n\n\n\n<p>With this approach you define a <code>cloudConfig<\/code> section (YAML) in the VRA blueprint; it is written to <code>guestinfo.userdata<\/code> during cloning, and cloud-init reads and applies it at first boot.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. Network and DNS<\/h2>\n\n\n\n<p>The template should not carry any fixed network configuration; that is supplied by the VRA blueprint or cloud-init at first boot. 
We therefore remove the default netplan file and put hard-coded fallback nameservers in place.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Remove the default netplan config\nsudo rm -f \/etc\/netplan\/*.yaml\n\n# Hard-coded resolv.conf (fallback if systemd-resolved fails)\nsudo unlink \/etc\/resolv.conf 2>\/dev\/null || true\nprintf '%s\\n' 'nameserver 192.168.3.2' 'nameserver 192.168.16.16' 'nameserver 8.8.8.8' | sudo tee \/etc\/resolv.conf >\/dev\/null<\/code><\/pre>\n\n\n\n<p>Leave <code>systemd-resolved<\/code> enabled: cloud-init expects it by default and, combined with the VMwareGuestInfo datasource, correctly applies the DNS overrides delivered from the VRA blueprint.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">6. open-vm-tools optimisation<\/h2>\n\n\n\n<p>The default <code>open-vm-tools.service<\/code> starts before <code>cloud-init-local.service<\/code> and before <code>dbus.service<\/code>, which causes a race condition at boot: vmtoolsd occasionally hangs for 30\u201360 seconds. The patch moves its start after dbus and comments out the conflicting tmpfiles entry.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i 's|Before=cloud-init-local.service|After=dbus.service|g' \\\n    \/lib\/systemd\/system\/open-vm-tools.service\n\nsudo sed -i 's|^D \/tmp 1777 root root -|#D \/tmp 1777 root root -|g' \\\n    \/usr\/lib\/tmpfiles.d\/tmp.conf\n\nsudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">7. Time zone and NTP<\/h2>\n\n\n\n<p>The time zone is set to <code>Europe\/Bratislava<\/code>. The primary NTP server is <strong>ntp.tuke.sk<\/strong> (marked with the <code>prefer<\/code> modifier); the public pools <code>sk.pool.ntp.org<\/code> and <code>europe.pool.ntp.org<\/code> are added as backups. 
Three sources are enough to detect a falseticker (NTP majority voting).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo timedatectl set-timezone Europe\/Bratislava\n\nsudo tee \/etc\/ntpsec\/ntp.conf >\/dev\/null <<'EOL'\ndriftfile \/var\/lib\/ntpsec\/ntp.drift\nleapfile \/usr\/share\/zoneinfo\/leap-seconds.list\n\nstatistics loopstats peerstats clockstats\nfilegen loopstats file loopstats type day enable\nfilegen peerstats file peerstats type day enable\nfilegen clockstats file clockstats type day enable\n\n# Primary NTP server\npool ntp.tuke.sk prefer iburst\n\n# Backup public pools\npool 0.sk.pool.ntp.org iburst\npool 1.europe.pool.ntp.org iburst\n\nrestrict default kod nomodify notrap nopeer noquery limited\nrestrict 127.0.0.1\nrestrict ::1\nEOL\n\nsudo systemctl restart ntpsec\nntpq -p<\/code><\/pre>\n\n\n\n<p>After a few seconds <code>ntpq -p<\/code> should show the selected peers in a synchronised state: <code>ntp.tuke.sk<\/code> should carry the <code>*<\/code> mark (selected as the system peer) and the others <code>+<\/code> (candidates). If everything stays at <code>x<\/code> or blank, check the firewall for port 123\/UDP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">8. SSH server setup<\/h2>\n\n\n\n<p>SSH host keys must be regenerated at the first boot of every clone. 
This is handled by a combination of <code>rc.local<\/code> (regeneration if the keys are missing) and the final deletion of the keys in the sealing script (section 14).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tee \/etc\/rc.local >\/dev\/null <<'EOL'\n#!\/bin\/sh -e\ntest -f \/etc\/ssh\/ssh_host_rsa_key || dpkg-reconfigure openssh-server\nexit 0\nEOL\nsudo chmod +x \/etc\/rc.local\n\nsudo tee \/etc\/systemd\/system\/rc-local.service >\/dev\/null <<'EOL'\n&#91;Unit]\nDescription=\/etc\/rc.local Compatibility\nConditionPathExists=\/etc\/rc.local\n\n&#91;Service]\nType=forking\nExecStart=\/etc\/rc.local start\nTimeoutSec=0\nStandardOutput=tty\nRemainAfterExit=yes\nSysVStartPriority=99\n\n&#91;Install]\nWantedBy=multi-user.target\nEOL\n\nsudo systemctl daemon-reload\nsudo systemctl enable rc-local<\/code><\/pre>\n\n\n\n<p>SSH configuration: allow root login (internal admin access) and deny the default <code>vmware<\/code> account created by the subiquity installer:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i '\/^#PermitRootLogin\/c\\PermitRootLogin yes' \/etc\/ssh\/sshd_config\necho 'DenyUsers vmware' | sudo tee -a \/etc\/ssh\/sshd_config\nsudo systemctl restart ssh<\/code><\/pre>\n\n\n\n<p><strong>Security note:<\/strong> <code>PermitRootLogin yes<\/code> should be combined with <code>PasswordAuthentication no<\/code> and mandatory SSH keys. For a VRA-deployed VM where root access goes through a VPN\/jump host we accept this; for exposed hosts also consider restricting access with <code>AllowUsers<\/code>, or rework this section to key-only.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">9. 
Automatic updates with unattended-upgrades<\/h2>\n\n\n\n<p>Automatic security patches are a <em>must-have<\/em> for templates; without them a deployed VM sits for months with known vulnerabilities until someone logs in. Older versions of the template handled this with a custom <code>first-boot-update.sh<\/code> script and a reboot counter; for Ubuntu 26.04 I recommend <strong>unattended-upgrades<\/strong>, the standard Canonical route with better integration (ESM, kernel cleanup, proper reboot scheduling).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install -y unattended-upgrades apt-listchanges<\/code><\/pre>\n\n\n\n<p><strong>Main switch<\/strong>: <code>\/etc\/apt\/apt.conf.d\/20auto-upgrades<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>printf '%s\\n' \\\n  'APT::Periodic::Update-Package-Lists \"1\";' \\\n  'APT::Periodic::Unattended-Upgrade \"1\";' \\\n  'APT::Periodic::AutocleanInterval \"7\";' \\\n  'APT::Periodic::Verbose \"1\";' \\\n| sudo tee \/etc\/apt\/apt.conf.d\/20auto-upgrades >\/dev\/null<\/code><\/pre>\n\n\n\n<p><strong>Allowlist and reboot policy<\/strong>: <code>\/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code> (overrides the default, which allows only <code>-security<\/code>). 
The heredoc uses a quoted terminator, <code><<'EOL'<\/code>; the quotes ensure that <code>${...}<\/code> is not expanded by the shell (the apt parser handles it itself) and that the block survives copy-paste from a browser without mangling.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tee \/etc\/apt\/apt.conf.d\/50unattended-upgrades >\/dev\/null <<'EOL'\nUnattended-Upgrade::Allowed-Origins {\n    \"${distro_id}:${distro_codename}-security\";\n    \"${distro_id}ESMApps:${distro_codename}-apps-security\";\n    \"${distro_id}ESM:${distro_codename}-infra-security\";\n    \"${distro_id}:${distro_codename}-updates\";\n};\n\nUnattended-Upgrade::Package-Blacklist {\n    \/\/ list packages here that must never be auto-updated\n    \/\/ e.g.: \"linux-image-generic\";\n};\n\nUnattended-Upgrade::DevRelease \"auto\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\nUnattended-Upgrade::Remove-New-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"false\";\n\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"04:00\";\n\nUnattended-Upgrade::SyslogEnable \"true\";\nUnattended-Upgrade::SyslogFacility \"daemon\";\nEOL<\/code><\/pre>\n\n\n\n<p><strong>Validation and monitoring<\/strong>: verify that the timers are active, dry-run what would be installed, and know where to read the logs:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># dry-run: prints what the upgrade would do\nsudo unattended-upgrade --dry-run -d\n\n# timer status\nsystemctl list-timers apt-daily apt-daily-upgrade\n\n# log from today's run\nsudo journalctl -u unattended-upgrades --since today\n\n# more detailed apt log\nsudo cat \/var\/log\/unattended-upgrades\/unattended-upgrades.log<\/code><\/pre>\n\n\n\n<p>Once applied, 
every VM deployed from the template will automatically:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>fetch package lists daily and apply the <code>-security<\/code> and <code>-updates<\/code> repositories<\/li>\n<li>autoremove old kernels and unused dependencies<\/li>\n<li>reboot at 04:00 when a reboot is required (typically a kernel update)<\/li>\n<li>log to journalctl + <code>\/var\/log\/unattended-upgrades\/<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10. Optimisations for vSphere and mass deployment<\/h2>\n\n\n\n<p>A template that may be cloned into 150 VMs deserves a few extra optimisations: disabling unneeded services, sensible log limits, virtual-guest tuning and randomised automatic updates so that 150 machines do not start downloading packages at the same moment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disabling multipathd (default choice for vSphere VMs)<\/h3>\n\n\n\n<p>For a plain <strong>vSphere VM without an in-guest iSCSI\/FC initiator<\/strong>, multipathd in the guest OS is redundant: vSphere handles storage paths at the ESXi host level (Round Robin, Fixed, MRU policy) and the guest sees a single virtual disk with no alternative paths. 
A running multipathd in the guest OS:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>needlessly consumes memory and CPU at every boot (mapping attempt)<\/li>\n<li>occasionally conflicts with LVM\/initramfs during <code>update-initramfs<\/code><\/li>\n<li>slows the boot by several seconds while it works out that there is nothing to map<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Stop, disable and remove (usually not installed; checked just to be sure)\nsudo systemctl disable --now multipathd multipathd.socket 2>\/dev\/null || true\nsudo apt purge -y multipath-tools 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n<p><strong>Exception, when you <em>do<\/em> need multipathd:<\/strong> if the guest VM runs <em>in-guest iSCSI<\/em> or <em>FC initiators<\/em> (typically a Veeam Hardened Repository, a database server with direct LUNs via <code>open-iscsi<\/code>, or SAP HANA with ASM disks), install multipathd with a <code>blacklist<\/code> regex for <code>sda<\/code>\/<code>nvme<\/code>\/<code>hd*<\/code>. That is a special case, though; for the default VRA template we disable it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Tuned profile virtual-guest<\/h3>\n\n\n\n<p>Tuned is a daemon that applies ready-made tuning profiles; for VMware\/KVM guests it has the <code>virtual-guest<\/code> profile, which sets the right I\/O scheduler (mq-deadline for virtio\/pvscsi), <code>vm.dirty_ratio<\/code>, transparent hugepages and the CPU governor. 
Without tuned the defaults designed for a desktop remain, and those are not optimal for server VMs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install -y tuned\nsudo systemctl enable --now tuned\nsudo tuned-adm profile virtual-guest\ntuned-adm active<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disabling motd-news (a pointless network call at every login)<\/h3>\n\n\n\n<p>By default Ubuntu sends an HTTP request to <code>motd.ubuntu.com<\/code> at every SSH login to display \"What's new\" adverts and the Ubuntu Pro upgrade lure. With 150 VMs that is 150 pointless HTTPS requests at every login.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sed -i 's\/^ENABLED=1\/ENABLED=0\/' \/etc\/default\/motd-news\nsudo systemctl disable --now motd-news.timer motd-news.service 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Limiting the journald size<\/h3>\n\n\n\n<p>For a template that spawns ephemeral VMs (average lifetime of days or weeks, not years) keep the journal small; the default 4 GB cap is a waste on such machines. 200 MB covers several weeks of history for debugging.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/systemd\/journald.conf.d\nprintf '%s\\n' \\\n  '&#91;Journal]' \\\n  'SystemMaxUse=200M' \\\n  'SystemMaxFileSize=20M' \\\n  'ForwardToSyslog=no' \\\n| sudo tee \/etc\/systemd\/journald.conf.d\/00-template.conf >\/dev\/null\n\nsudo systemctl restart systemd-journald\nsystemctl status systemd-journald<\/code><\/pre>\n\n\n\n<p><strong>Note.<\/strong> The time-based <code>MaxRetentionSec<\/code> was deliberately left out of the config; for a template the <em>storage cap<\/em> (<code>SystemMaxUse=200M<\/code>) is the only retention that makes sense. 
Storage rotation drops old entries once 200 MB is reached, which is more reliable than time-based retention on VMs with non-deterministic boot times.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Randomising the apt-daily timers for a 150-VM cluster<\/h3>\n\n\n\n<p>The default systemd <code>apt-daily.timer<\/code> and <code>apt-daily-upgrade.timer<\/code> already have a built-in random delay (<code>RandomizedDelaySec<\/code> of 12h for apt-daily and 60min for apt-daily-upgrade). For 150 VMs cloned from the same template this means the security updates are spread over time; without randomisation all machines would start pulling packages at the very same moment and your apt mirror, NTP server and uplink would feel it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># verify the randomisation (enabled by default)\nsystemctl cat apt-daily.timer | grep -i Randomized\nsystemctl cat apt-daily-upgrade.timer | grep -i Randomized\n\n# for an even wider spread on a large cluster (e.g. 4h for apt-daily-upgrade):\nsudo mkdir -p \/etc\/systemd\/system\/apt-daily-upgrade.timer.d\nprintf '%s\\n' '&#91;Timer]' 'RandomizedDelaySec=4h' \\\n| sudo tee \/etc\/systemd\/system\/apt-daily-upgrade.timer.d\/override.conf >\/dev\/null\nsudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<p>With the default 60-minute jitter, 150 VMs spread out to roughly ~2.5 machines per minute, acceptable for most environments. With the wider 4h window it is ~0.6 machines per minute, which an apt mirror will barely notice.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Disabling the screensaver and sleep<\/h2>\n\n\n\n<p>A VM cloned from the template <strong>must never suspend<\/strong> or lock the screen during its first boot: cloud-init is applying the guestinfo properties (hostname, user, SSH keys) and the administrator typically attaches an RDP\/console session to resolve issues. The default Ubuntu Desktop, however, blanks the screen after 5 minutes of inactivity, locks after 15 and may suspend after 20 minutes. For the VRA template we disable all of it; it is better for the VM to run deterministically, and the company can define the end-user VDI policy per user via GPO\/dconf later.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Mask systemd sleep targets<\/h3>\n\n\n\n<p>The most radical level: masking all systemd targets that implement suspend\/hibernate. After this, <code>systemctl suspend<\/code> has no effect (it ends with <em>\"Failed to start sleep.target: Unit sleep.target is masked\"<\/em>). Ideal for headless VDI; should you want to allow suspend in the future, <code>systemctl unmask<\/code> is enough.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">GNOME dconf system-wide override<\/h3>\n\n\n\n<p>Per-user <code>gsettings<\/code> is not enough: when the template is cloned there may not be any user yet (cloud-init creates one at first boot), so we apply the settings through the <strong>system-wide dconf database<\/strong>. The override takes effect for all future users (including the gdm session) as soon as they are created.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. 
dconf profile - tells dconf which system-db to load in addition to the user-db\nsudo mkdir -p \/etc\/dconf\/profile \/etc\/dconf\/db\/local.d \/etc\/dconf\/db\/local.d\/locks\nsudo tee \/etc\/dconf\/profile\/user >\/dev\/null <<'EOL'\nuser-db:user\nsystem-db:local\nEOL\n\n# 2. Default values for screensaver + power\nsudo tee \/etc\/dconf\/db\/local.d\/00-vra-template >\/dev\/null <<'EOL'\n&#91;org\/gnome\/desktop\/session]\nidle-delay=uint32 0\n\n&#91;org\/gnome\/desktop\/screensaver]\nlock-enabled=false\nidle-activation-enabled=false\n\n&#91;org\/gnome\/settings-daemon\/plugins\/power]\nsleep-inactive-ac-type='nothing'\nsleep-inactive-ac-timeout=0\nsleep-inactive-battery-type='nothing'\nsleep-inactive-battery-timeout=0\nidle-dim=false\npower-button-action='nothing'\nEOL\n\n# 3. Locks - prevent the user from toggling these keys in the Settings UI (the toggle is greyed out)\nsudo tee \/etc\/dconf\/db\/local.d\/locks\/00-vra-template >\/dev\/null <<'EOL'\n\/org\/gnome\/desktop\/session\/idle-delay\n\/org\/gnome\/desktop\/screensaver\/lock-enabled\n\/org\/gnome\/desktop\/screensaver\/idle-activation-enabled\n\/org\/gnome\/settings-daemon\/plugins\/power\/sleep-inactive-ac-type\n\/org\/gnome\/settings-daemon\/plugins\/power\/sleep-inactive-battery-type\n\/org\/gnome\/settings-daemon\/plugins\/power\/power-button-action\nEOL\n\n# 4. Apply\nsudo dconf update<\/code><\/pre>\n\n\n\n<p><strong>Note on locks:<\/strong> locks are stronger than default values; the user cannot toggle them through the GNOME Settings GUI. 
If, on the other hand, you want the user to be able to enable the screensaver at will, leave out <code>locks\/00-vra-template<\/code>; the default value is then applied only when a new user is created, and the user can change it afterwards.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">GDM login screen (before login)<\/h3>\n\n\n\n<p>GDM has its own dconf profile with its own login-time screen. So that it does not blank after a few minutes either, the <code>gdm<\/code> profile needs an override too:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/dconf\/db\/gdm.d\nsudo tee \/etc\/dconf\/db\/gdm.d\/00-vra-template >\/dev\/null <<'EOL'\n&#91;org\/gnome\/desktop\/session]\nidle-delay=uint32 0\n\n&#91;org\/gnome\/settings-daemon\/plugins\/power]\nsleep-inactive-ac-type='nothing'\nsleep-inactive-ac-timeout=0\nidle-dim=false\nEOL\n\nsudo dconf update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verification<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Systemd targets are masked\nsystemctl is-active sleep.target suspend.target hibernate.target\nsystemctl status sleep.target | grep -i masked\n\n# dconf default values applied (read as nobody to see the system default)\nsudo -u nobody dconf read \/org\/gnome\/desktop\/session\/idle-delay\nsudo -u nobody dconf read \/org\/gnome\/desktop\/screensaver\/lock-enabled\n# should return uint32 0 and false\n\n# In an active user session, verify that the settings are locked (read-only):\ngsettings get org.gnome.desktop.session idle-delay\ngsettings get org.gnome.desktop.screensaver lock-enabled\ngsettings get org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type<\/code><\/pre>\n\n\n\n<p>After deployment from the VRA blueprint the VM should run indefinitely without a black screen or an interrupted session. 
Power-management timers should not appear among the top entries of <code>systemd-analyze blame<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">12. Optimisations for a VMware Desktop VM<\/h2>\n\n\n\n<p>The previous sections were shared with the Server variant. Here we add tweaks specific to <strong>Ubuntu Desktop running as a VMware VM<\/strong>: from skipping the welcome wizard, through performance tweaks for VDI, to disabling hardware services that make no sense in a guest VM.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Skip the Welcome wizard and the Apport crash reporter<\/h3>\n\n\n\n<p>At the first login of a new user GNOME opens the <em>gnome-initial-setup<\/em> wizard (\"Welcome to Ubuntu\" + privacy options + Ubuntu Pro setup), which is irrelevant for a VDI deployment and only gets in the admin's way. We pre-mark it as \"done\" in the skeleton so every new user skips it. The <strong>Apport<\/strong> crash reporter on a shared VDI is just noise: on application crashes it floods the user with \"Send report\" dialogs that nobody reads.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Skip gnome-initial-setup for all future users (cloud-init users too)\nsudo mkdir -p \/etc\/skel\/.config\necho \"yes\" | sudo tee \/etc\/skel\/.config\/gnome-initial-setup-done >\/dev\/null\n\n# Apport off\nsudo sed -i 's\/^enabled=1\/enabled=0\/' \/etc\/default\/apport\nsudo systemctl disable --now apport.service 2>\/dev\/null || true<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Performance tweaks for VDI<\/h3>\n\n\n\n<p>With 150 GUI sessions running in parallel, GNOME animations, the Tracker search indexer and the default swappiness quickly show up in the CPU\/IO load of the ESXi host. 
We disable animations and Tracker system-wide and lower <code>vm.swappiness<\/code> from the Linux default of 60 (server profile) to a desktop-friendly 10; a desktop user hates swap-in latency when opening a window.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. Disable GNOME animations - appended to the existing dconf override (section 11)\nsudo tee -a \/etc\/dconf\/db\/local.d\/00-vra-template >\/dev\/null <<'EOL'\n\n&#91;org\/gnome\/desktop\/interface]\nenable-animations=false\nEOL\n\n# 2. Lock animations off (the user cannot enable them through the GUI)\necho '\/org\/gnome\/desktop\/interface\/enable-animations' | \\\n  sudo tee -a \/etc\/dconf\/db\/local.d\/locks\/00-vra-template >\/dev\/null\n\n# 3. vm.swappiness=10 - desktop responsiveness\necho 'vm.swappiness=10' | sudo tee \/etc\/sysctl.d\/99-desktop-swap.conf >\/dev\/null\nsudo sysctl --system >\/dev\/null\n\n# 4. Mask the Tracker3 indexer (per-user services) - saves disk IO\nsudo systemctl --global mask tracker-miner-fs-3.service \\\n    tracker-extract-3.service \\\n    tracker-miner-rss-3.service \\\n    tracker-writeback-3.service 2>\/dev\/null || true\n\n# 5. Apply dconf\nsudo dconf update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Wayland off, force an Xorg session<\/h3>\n\n\n\n<p>Ubuntu 26.04 GNOME runs a Wayland session by default, but several VDI\/remote-access tools require Xorg: <strong>VMware Horizon Blast Extreme<\/strong>, <strong>xRDP<\/strong>, <strong>x11vnc<\/strong>, and some screen-recording and screen-sharing utilities. We force Xorg in GDM. 
If you don't use Horizon\/xRDP, skip this section \u2014 Wayland by default handles HiDPI and fractional scaling better.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Uncomment the existing WaylandEnable=false line if it is commented out\nsudo sed -i 's\/^#WaylandEnable=false\/WaylandEnable=false\/' \/etc\/gdm3\/custom.conf\n\n# If the line is not there yet (custom.conf was edited before), add it to the [daemon] section\ngrep -q '^WaylandEnable=false' \/etc\/gdm3\/custom.conf || \\\n  sudo sed -i '\/^\\[daemon\\]\/a WaylandEnable=false' \/etc\/gdm3\/custom.conf\n\n# Verify\ngrep -E '^(Wayland|\\[daemon\\])' \/etc\/gdm3\/custom.conf\n\n# Restart GDM (note: this logs out the GUI session - better over SSH or after a reboot)\n# sudo systemctl restart gdm3<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Boot speed<\/h3>\n\n\n\n<p>Nobody watches the Plymouth splash screen or the GRUB countdown in a VM \u2014 disabling them saves ~3 seconds of boot time. The snap refresh timer (default 4\u00d7\/day) is throttled to a nightly window so that kernel-class snaps (Firefox, Chromium) don't interrupt the user's work during the day.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. Plymouth splash off + short GRUB timeout\nsudo sed -i 's\/quiet splash\/quiet nosplash\/g' \/etc\/default\/grub\nsudo sed -i 's\/^GRUB_TIMEOUT=.*\/GRUB_TIMEOUT=1\/' \/etc\/default\/grub\nsudo update-grub\n\n# 2. 
Snap refresh timer - only 02:00-04:00 at night (not during the working day)\nsudo snap set system refresh.timer=02:00-04:00\n\n# Verify\nsudo snap refresh --time\ngrep -E '^GRUB_(TIMEOUT|CMDLINE_LINUX_DEFAULT)=' \/etc\/default\/grub<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Disabling unneeded hardware services<\/h3>\n\n\n\n<p>A VMware VM has no physical Bluetooth, no modem and no thermal-throttling-capable CPU \u2014 the services that manage this hardware run idle and consume memory (typically 5\u201330 MB each). Across 150 desktop VMs \u00d7 4 daemons that adds up to ~10\u201318 GB of RAM wasted.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Bluetooth - a VMware VM has no BT hardware\nsudo systemctl disable --now bluetooth.service 2>\/dev\/null || true\nsudo apt purge -y bluez bluez-cups 2>\/dev\/null || true\n\n# ModemManager - 3G\/4G modem support, irrelevant in a VM\nsudo systemctl disable --now ModemManager.service 2>\/dev\/null || true\n\n# thermald - thermal throttling, a virtual CPU has no thermal sensor\nsudo systemctl disable --now thermald.service 2>\/dev\/null || true\n\n# fwupd - firmware updates, VMware hardware is handled via vCenter\nsudo systemctl disable --now fwupd.service fwupd-refresh.timer 2>\/dev\/null || true\n\n# Verify - after the cleanup none of these services should be listed\nsystemctl list-unit-files --state=enabled | grep -iE \"bluetooth|modem|thermal|fwupd\" || \\\n  echo \"OK: all hardware services disabled\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">fstab noatime, nodiratime<\/h3>\n\n\n\n<p>The default Linux ext4 mount updates <code>atime<\/code> (access time) on every file read \u2014 for a VMware VM on an iSCSI\/NFS datastore that means needless random write IO. <code>noatime<\/code> suppresses these writes (the kernel writes atime only when <code>mtime<\/code> changes at the same time). 
<code>nodiratime<\/code> is redundant with <code>noatime<\/code> (noatime implies it); we add it only for explicit documentation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Add noatime,nodiratime to the existing mount options for \/ and \/home\nsudo sed -i -E 's|(\\s+\/\\s+ext4\\s+)([^[:space:]]+)|\\1noatime,nodiratime,\\2|' \/etc\/fstab\nsudo sed -i -E 's|(\\s+\/home\\s+ext4\\s+)([^[:space:]]+)|\\1noatime,nodiratime,\\2|' \/etc\/fstab\n\n# Verify\ngrep -E '\\s+\/(home)?\\s+ext4' \/etc\/fstab\n\n# Remount immediately (without a reboot)\nsudo mount -o remount \/\nsudo mount -o remount \/home 2>\/dev\/null || true\n\n# Confirm\nmount | grep -E '\\son \/(home)?\\s' | grep -o 'noatime'<\/code><\/pre>\n\n\n\n<p><strong>Note.<\/strong> If the system has a separate <code>\/var<\/code> or <code>\/srv<\/code> mount, add <code>noatime<\/code> there too. If you use LVM with logical volumes for different mount points, go through all the relevant <code>fstab<\/code> lines. The sealing script in section 14 does not touch these fstab mount options (it only comments out the swap entry) \u2014 they survive the conversion to a template.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disabling unneeded daemons and autostarts<\/h3>\n\n\n\n<p>Ubuntu Desktop by default ships a bundle of services that make sense on a physical laptop\/desktop (printing, mDNS service discovery, telemetry, GNOME Online Accounts, an alternative update daemon), but on <strong>VDI via Horizon\/RDP<\/strong> they are redundant or against company policy. 
We disable them \u2014 typically 5\u201330 MB RAM each, across 150 VMs \u00d7 6 daemons that adds up to ~10\u201325 GB wasted on ESXi.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># CUPS print server - VDI via Horizon\/RDP has its own print redirection\nsudo systemctl disable --now cups cups-browsed 2>\/dev\/null || true\nsudo apt purge -y cups cups-browsed 2>\/dev\/null || true\n\n# Avahi mDNS - link-local discovery, not needed for VDI on a corporate network\nsudo systemctl disable --now avahi-daemon avahi-daemon.socket 2>\/dev\/null || true\n\n# whoopsie - Ubuntu error telemetry to Canonical\nsudo systemctl disable --now whoopsie.service 2>\/dev\/null || true\nsudo apt purge -y whoopsie 2>\/dev\/null || true\n\n# packagekit - alternative update daemon, duplicates apt + unattended-upgrades\nsudo systemctl disable --now packagekit.service 2>\/dev\/null || true\n\n# GNOME Online Accounts - Google\/Microsoft\/Nextcloud auth integration\nsudo systemctl --global mask goa-daemon.service 2>\/dev\/null || true\n\n# GNOME Software autostart - duplicates update prompts alongside unattended-upgrades\n# (guarded so a second run does not insert Hidden=true twice)\nif [ -f \/etc\/xdg\/autostart\/gnome-software-service.desktop ]; then\n  grep -q '^Hidden=true' \/etc\/xdg\/autostart\/gnome-software-service.desktop || \\\n    sudo sed -i 's\/^Exec=\/Hidden=true\\nExec=\/' \/etc\/xdg\/autostart\/gnome-software-service.desktop\nfi\n\n# rsyslog - we have centralized journald, rsyslog duplicates IO\nsudo systemctl disable --now rsyslog 2>\/dev\/null || true\nsudo apt purge -y rsyslog 2>\/dev\/null || true\n\n# Verify - after the cleanup none of these services should be listed\nsystemctl list-unit-files --state=enabled | \\\n  grep -iE \"cups|avahi|whoopsie|packagekit|rsyslog|goa-daemon\" || \\\n  echo \"OK: all VDI-redundant services disabled\"<\/code><\/pre>\n\n\n\n<p><strong>Note on GNOME Online Accounts:<\/strong> <code>--global mask<\/code> disables the service for all user sessions. 
If you want to go further, you can also remove the packages (<code>apt purge gnome-online-accounts gnome-online-accounts-common<\/code>), but then Evolution mail integration and the like stop working. For a clean VDI template where users don't run an e-mail client inside the guest VM, the purge is fine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">systemd-coredump and \/tmp as tmpfs<\/h3>\n\n\n\n<p><strong>systemd-coredump<\/strong> by default stores core dumps in <code>\/var\/lib\/systemd\/coredump\/<\/code> \u2014 when Chrome\/Firefox crashes, each dump can be 200 MB+. On an ephemeral VDI VM nobody reads core dumps, but they can fill the disk. We disable their storage. <strong><code>\/tmp<\/code> as tmpfs<\/strong> moves temp files into RAM \u2014 faster IO, no disk write amplification, and they are cleared automatically on reboot. A 512 MB limit is reasonable (the default would be 50% of RAM, which is a lot for VDI).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># systemd-coredump - Storage=none means \"only forward to journald, don't write to disk\"\nsudo mkdir -p \/etc\/systemd\/coredump.conf.d\nsudo tee \/etc\/systemd\/coredump.conf.d\/disable.conf >\/dev\/null <<'EOL'\n&#91;Coredump]\nStorage=none\nProcessSizeMax=0\nEOL\n\n# Reload systemd config\nsudo systemctl daemon-reexec\n\n# \/tmp as tmpfs - 512 MB limit, not persistent (clean after reboot)\n# Check that fstab does not already have an explicit \/tmp line\nif ! 
grep -qE '^[^#].*\\s\/tmp\\s' \/etc\/fstab; then\n  echo 'tmpfs \/tmp tmpfs defaults,noatime,nosuid,nodev,size=512M 0 0' | \\\n    sudo tee -a \/etc\/fstab >\/dev\/null\nfi\n\n# Apply (requires \/tmp to be empty - typically true right after installation)\nsudo systemctl daemon-reload\nsudo mount \/tmp 2>\/dev\/null || echo \"Note: the \/tmp mount is applied after reboot if it is busy\"\n\n# Verify\nmount | grep '\/tmp\\s' || echo \"After reboot check: mount | grep \/tmp\"\ngrep '\/tmp' \/etc\/fstab<\/code><\/pre>\n\n\n\n<p><strong>Caveats for <code>\/tmp<\/code> as tmpfs:<\/strong> Some apps (e.g. certain database migrations, large video editors, decompressing large archives) may need a <code>\/tmp<\/code> larger than 512 MB. If the typical workload on this VDI does, raise it to 1G or disable it entirely (keep the default disk-based \/tmp). When cloned from the template, Ubuntu mounts \/tmp as tmpfs again on first boot \u2014 it works for all future clones without extra setup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">13. Remote access via xRDP (with a self-healing watchdog)<\/h2>\n\n\n\n<p>For a VDI deployment where users connect from thin clients or Windows workstations via an RDP client (mstsc, Remmina, FreeRDP), we build a stable xRDP server directly into the template. 
The setup covers all the known gotchas of the Ubuntu 26.04 GNOME + xRDP combination: forcing a GNOME Xorg session (section 12.3 already turned Wayland off, here we add the session environment), polkit rules that eliminate the \"Authentication required to create managed color device\" popup loop on every login, and a self-healing watchdog that automatically restarts xrdp if the service dies or stops listening on its port.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Installation + GNOME session configuration<\/h3>\n\n\n\n<p>The xRDP package + adding the xrdp user to the <code>ssl-cert<\/code> group (it needs to read <code>\/etc\/ssl\/private\/ssl-cert-snakeoil.key<\/code> for a TLS-encrypted RDP session). The default <code>\/etc\/xrdp\/startwm.sh<\/code> runs <code>\/etc\/X11\/Xsession<\/code>, which without the session environment variables produces an empty\/broken GNOME session. We rewrite it explicitly for <strong>GNOME Xorg<\/strong> mode.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install -y xrdp\nsudo adduser xrdp ssl-cert\n\n# Back up the original startwm.sh\nsudo cp \/etc\/xrdp\/startwm.sh \/etc\/xrdp\/startwm.sh.orig\n\n# New startwm.sh with GNOME Xorg session env variables\nsudo tee \/etc\/xrdp\/startwm.sh >\/dev\/null <<'EOL'\n#!\/bin\/sh\n\n# Load shell profiles\nif test -r \/etc\/profile; then\n    . \/etc\/profile\nfi\nif test -r ~\/.profile; then\n    . 
~\/.profile\nfi\n\n# === xRDP: force GNOME Xorg session ===\nunset DBUS_SESSION_BUS_ADDRESS\nunset XDG_RUNTIME_DIR\nexport XDG_SESSION_TYPE=x11\nexport XDG_CURRENT_DESKTOP=ubuntu:GNOME\nexport GNOME_SHELL_SESSION_MODE=ubuntu\n\n# Start session\ntest -x \/etc\/X11\/Xsession &#038;&#038; exec \/etc\/X11\/Xsession\nexec \/bin\/sh \/etc\/X11\/Xsession\nEOL\nsudo chmod +x \/etc\/xrdp\/startwm.sh<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Polkit rules \u2014 fixing the \"Authentication required\" popup loop<\/h3>\n\n\n\n<p>A classic xRDP gotcha: after the first login the user is shown the dialog <em>\"Authentication is required to create managed color devices\"<\/em>, which immediately opens a second and a third one once closed. Cause: the GNOME colord service requires authentication for operations that fail in a non-console RDP session. The polkit rule explicitly allows these actions for all sessions (console and remote). It grants only the colord device\/profile actions listed below and nothing else; if you want to narrow it further, scope it with <code>subject.active<\/code> or a group check such as <code>subject.isInGroup(\"users\")<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tee \/etc\/polkit-1\/rules.d\/02-allow-colord.rules >\/dev\/null <<'EOL'\npolkit.addRule(function(action, subject) {\n    if (action.id == \"org.freedesktop.color-manager.create-device\" ||\n        action.id == \"org.freedesktop.color-manager.create-profile\" ||\n        action.id == \"org.freedesktop.color-manager.delete-device\" ||\n        action.id == \"org.freedesktop.color-manager.delete-profile\" ||\n        action.id == \"org.freedesktop.color-manager.modify-device\" ||\n        action.id == \"org.freedesktop.color-manager.modify-profile\") {\n        return polkit.Result.YES;\n    }\n});\nEOL\n\n# Polkit reload (or reboot)\nsudo systemctl restart polkit<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Firewall \u2014 allow 3389\/tcp<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># If ufw is active, open the port. 
If it is not active, the allow is a no-op (the command does not fail).\nsudo ufw allow 3389\/tcp comment 'xRDP'\nsudo ufw status verbose | head -10<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">systemd Restart=always for xrdp<\/h3>\n\n\n\n<p>The default <code>xrdp.service<\/code> has no <code>Restart=<\/code> \u2014 when the process dies (segfault, OOM kill, a rare race condition in the sesman communication), the service stays dead until reboot. A drop-in override gives it automatic restart-on-failure. <code>StartLimitIntervalSec=<\/code> is documented as a <code>[Unit]<\/code> setting, so it goes into its own section of the drop-in rather than into <code>[Service]<\/code>; without it the default start-rate limit would stop the restarts after a few quick crashes.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo mkdir -p \/etc\/systemd\/system\/xrdp.service.d\nsudo tee \/etc\/systemd\/system\/xrdp.service.d\/restart.conf >\/dev\/null <<'EOL'\n&#91;Unit]\nStartLimitIntervalSec=0\n\n&#91;Service]\nRestart=always\nRestartSec=5s\nEOL\nsudo systemctl daemon-reload<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Self-healing watchdog (check_xrdp.timer)<\/h3>\n\n\n\n<p>A second layer of insurance \u2014 a systemd timer that every 2 minutes runs the script <code>check_xrdp.sh<\/code>. The script verifies that (a) the xrdp service is <em>active<\/em> and (b) it is really listening on port 3389. If not, it restarts it. This catches scenarios where the service looks up but the TCP listener is dead (typically after a long-running session leak), which <code>Restart=always<\/code> alone would not detect.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Watchdog script\nsudo tee \/usr\/local\/sbin\/check_xrdp.sh >\/dev\/null <<'EOL'\n#!\/bin\/bash\nset -u\nSERVICE=\"xrdp\"\nPORT=3389\n\n# 1. Service must be active\nif ! systemctl is-active --quiet \"$SERVICE\"; then\n    logger -t check_xrdp \"service $SERVICE not active \u2014 restarting\"\n    systemctl restart \"$SERVICE\"\n    exit 0\nfi\n\n# 2. TCP listener must be present on the expected port\nif ! 
ss -tln 2>\/dev\/null | awk '{print $4}' | grep -qE \":${PORT}\\$\"; then\n    logger -t check_xrdp \"port ${PORT} not listening \u2014 restarting $SERVICE\"\n    systemctl restart \"$SERVICE\"\nfi\nEOL\nsudo chmod +x \/usr\/local\/sbin\/check_xrdp.sh\n\n# systemd service (oneshot - starts, performs the check, exits)\nsudo tee \/etc\/systemd\/system\/check_xrdp.service >\/dev\/null <<'EOL'\n&#91;Unit]\nDescription=xRDP health check (one-shot)\nAfter=xrdp.service\n\n&#91;Service]\nType=oneshot\nExecStart=\/usr\/local\/sbin\/check_xrdp.sh\nEOL\n\n# systemd timer (every 2 min)\nsudo tee \/etc\/systemd\/system\/check_xrdp.timer >\/dev\/null <<'EOL'\n&#91;Unit]\nDescription=Periodic xRDP health check\n\n&#91;Timer]\nOnBootSec=2min\nOnUnitActiveSec=2min\nAccuracySec=10s\n\n&#91;Install]\nWantedBy=timers.target\nEOL\n\n# Enable + start\nsudo systemctl daemon-reload\nsudo systemctl enable --now xrdp.service check_xrdp.timer<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verification<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Service is up\nsudo systemctl status xrdp --no-pager | head -10\n\n# TCP listener on 3389 (xrdp + xrdp-sesman on 3350 internally)\nsudo ss -tlnp | grep -E \":(3389|3350)\"\n\n# Self-healing timer is active\nsudo systemctl list-timers | grep xrdp\nsudo systemctl status check_xrdp.timer --no-pager | head -5\n\n# Last watchdog run (should be within ~2 min)\nsudo journalctl -u check_xrdp.service --since \"5 min ago\"\n\n# IP address to connect to\nip -4 -brief addr show | grep -v '^lo '<\/code><\/pre>\n\n\n\n<p>From a Windows client, connect with <strong>mstsc<\/strong> (Remote Desktop Connection) to the displayed IP, port 3389. Use the Linux login as the username (the cloud-init user from the VRA blueprint), with the same password as for local login. 
On the first connection the client shows a warning about the self-signed TLS certificate (xRDP uses <code>ssl-cert-snakeoil<\/code>) \u2014 for a production deployment, replace it with a certificate from the company PKI in <code>\/etc\/xrdp\/cert.pem<\/code> + <code>\/etc\/xrdp\/key.pem<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common problems<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Black screen after login<\/strong> \u2192 <code>XDG_SESSION_TYPE=x11<\/code> is missing from <code>startwm.sh<\/code>, or a Wayland session is still active in GDM (section 12.3 should have turned it off \u2014 verify with <code>grep WaylandEnable \/etc\/gdm3\/custom.conf<\/code>).<\/li>\n<li><strong>\"Authentication required\" popup loop<\/strong> \u2192 the polkit rule is missing or was not reloaded. <code>sudo systemctl restart polkit<\/code>.<\/li>\n<li><strong>\"Already logged in\"<\/strong> \u2192 the user has an open GDM session on the local console. xRDP cannot start a second instance for the same user. Log out of GDM (or use different users).<\/li>\n<li><strong>No sound<\/strong> \u2192 the basic setup deliberately does not enable audio (stability). Install <code>pipewire-module-xrdp<\/code> if the distribution has it, or leave audio for later.<\/li>\n<li><strong>Clipboard does not work<\/strong> \u2192 verify that an <code>xrdp-chansrv<\/code> process is running per session: <code>pgrep -af chansrv<\/code>. If it is missing, check the [Globals] section of <code>\/etc\/xrdp\/sesman.ini<\/code>.<\/li>\n<li><strong>RDP client reports a TLS cert warning<\/strong> \u2192 expected with the default snakeoil certificate. For production, replace it with a company certificate.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. 
Sealing script seal-template.sh<\/h2>\n\n\n\n<p>A consolidated script that you run <strong>right before<\/strong> converting the VM to a template. It replaces dozens of manual commands from the original version of the guide with a single <code>sudo \/usr\/local\/sbin\/seal-template.sh<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tee \/usr\/local\/sbin\/seal-template.sh >\/dev\/null <<'EOL'\n#!\/bin\/bash\n# Run before converting the VM to a template, then poweroff.\nset -e\n\necho \"=== Sealing template ===\"\n\n# Cloud-init reset (if installed)\nif command -v cloud-init >\/dev\/null; then\n    cloud-init clean --logs --machine-id\nfi\n\n# Swap off + comment it out in fstab\nswapoff --all || true\nsed -ri '\/\\sswap\\s\/s\/^#?\/#\/' \/etc\/fstab\n\n# Force IPv4 for apt (IPv6 occasionally fails on exotic networks)\necho 'Acquire::ForceIPv4 \"true\";' > \/etc\/apt\/apt.conf.d\/99force-ipv4\n\n# Truncate logs\nfor f in \/var\/log\/audit\/audit.log \/var\/log\/wtmp \/var\/log\/lastlog \/var\/log\/btmp \\\n         \/var\/log\/syslog \/var\/log\/auth.log \/var\/log\/kern.log; do\n    &#91; -f \"$f\" ] && truncate -s 0 \"$f\"\ndone\n\n# Clean up persistent rules and tmp\nrm -f \/etc\/udev\/rules.d\/70-persistent-net.rules\nrm -rf \/tmp\/* \/var\/tmp\/*\n\n# SSH host keys - regenerated on first boot (section 8)\nrm -f \/etc\/ssh\/ssh_host_*\n\n# Machine-ID wipe (regenerated on first boot)\necho \"\" > \/etc\/machine-id\n&#91; -L \/var\/lib\/dbus\/machine-id ] || echo \"\" > \/var\/lib\/dbus\/machine-id\n\n# APT cache cleanup\napt clean\n\n# Shell history - root and every user in \/home (it must not end up in the clones)\nhistory -c\nfor h in ~\/.bash_history \/root\/.bash_history \/home\/*\/.bash_history; do\n    &#91; -f \"$h\" ] && truncate -s 0 \"$h\"\ndone\n\n# fstrim - zeroes free blocks in the file system, dramatically shrinks the resulting VMDK\n# (on thin-provisioned disks it can save tens of GB across 150 clones)\nfstrim 
-av || true\n\necho \"=== Done. Now: sudo poweroff ; convert to template in vCenter. ===\"\nEOL\n\nsudo chmod +x \/usr\/local\/sbin\/seal-template.sh<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">15. Conversion to a template and verification<\/h2>\n\n\n\n<p>Final steps on the source VM:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo \/usr\/local\/sbin\/seal-template.sh\nsudo poweroff<\/code><\/pre>\n\n\n\n<p>In vCenter:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Right-click the VM \u2192 <strong>Template<\/strong> \u2192 <strong>Convert to Template<\/strong><\/li>\n<li>Rename the template (e.g. <code>tpl-ubuntu-2604-desktop<\/code>) and move it to the template folder<\/li>\n<li>In <strong>Aria Automation Cloud Assembly<\/strong> add the template as a <em>Cloud Template Image Mapping<\/em><\/li>\n<\/ol>\n\n\n\n<p>After the first deployment from the VRA blueprint, verify on the new VM:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Cloud-init state\ncloud-init status\ncloud-init analyze show\n\n# Logs from the first boot\nsudo tail -200 \/var\/log\/cloud-init.log\nsudo tail -200 \/var\/log\/cloud-init-output.log\n\n# Boot performance\nsystemd-analyze\nsystemd-analyze blame | head -10\n\n# Tuned profile is active\ntuned-adm active        # should show \"Current active profile: virtual-guest\"\n\n# Multipathd disabled\nsystemctl is-enabled multipathd 2>&1 | grep -E \"disabled|not-found\"\n\n# Unattended-upgrades is active + randomization works\nsystemctl status apt-daily.timer apt-daily-upgrade.timer\nsystemctl list-timers 'apt-daily*'\nsudo unattended-upgrade --dry-run -d\n\n# Journald limit works\njournalctl --disk-usage     # <= ~200 MB\n\n# Uniqueness \u2014 must not be identical to the template\ncat \/etc\/machine-id\nhostname\nip a\nssh-keygen -lf \/etc\/ssh\/ssh_host_ed25519_key.pub<\/code><\/pre>\n\n\n\n<p><strong>Common problems and where to look:<\/strong><\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><code>cloud-init status<\/code> ukazuje <code>error<\/code> \u2192 <code>\/var\/log\/cloud-init.log<\/code> ; naj\u010dastej\u0161ie nedostal \u017eiadne <code>guestinfo<\/code> properties z VRA blueprintu (chyba v cloud-config YAML \u0161abl\u00f3ny)<\/li>\n<li>St\u00e1le sa prip\u00e1ja\u0161 ako root cez password ale nem\u00e1\u0161 \u2192 skontroluj <code>\/etc\/ssh\/sshd_config<\/code> a <code>journalctl -u ssh<\/code><\/li>\n<li>Machine-ID identick\u00fd s template \u2192 sealing skript zlyhal alebo sa nespustil; ru\u010dne <code>echo \"\" > \/etc\/machine-id && reboot<\/code><\/li>\n<li>Unattended-upgrades sa nesp\u00fa\u0161\u0165a \u2192 <code>systemctl list-timers apt-daily*<\/code>, pr\u00edpadne <code>systemctl unmask apt-daily.service<\/code><\/li>\n<li><code>systemd-journald.service<\/code> zlyh\u00e1 s <code>Error: code: 117 (Structure needs cleaning)<\/code> \u2014 po\u0161koden\u00e9 \u017eurn\u00e1lov\u00e9 s\u00fabory (typicky po VM snapshot\/pause incident, alebo preru\u0161enom IO na datastore). 
The journal cannot be repaired; it has to be deleted and journald left to create a new one: <code>sudo rm -rf \/var\/log\/journal\/* \/run\/log\/journal\/* && sudo systemctl restart systemd-journald<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Related guides<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/virtualall.sk\/2026\/05\/vra-ubuntu-2604-server-template\/\">VRA Ubuntu 26.04 Server Template<\/a> \u2014 the server variant of this guide (no GUI)<\/li>\n<li><a href=\"https:\/\/virtualall.sk\/2024\/07\/vra-ubuntu-template\/\">VRA Ubuntu 24.04 Template<\/a> \u2014 the previous version of the guide for Ubuntu 24.04 LTS<\/li>\n<li><a href=\"https:\/\/virtualall.sk\/2021\/11\/instalacia-ubuntu-sablony-pre-vrealize-automation\/\">Installing an Ubuntu template for vRealize Automation<\/a> \u2014 the original guide for older Ubuntu releases<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A complete guide to preparing an Ubuntu 26.04 Desktop template for VMware vRealize Automation: cloud-init, unattended-upgrades, hardening and a sealing script. 
Desktop-specific sections (GUI, autologin, xRDP) will be added in a future revision.<\/p>\n","protected":false},"author":1,"featured_media":2143,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[9,6],"class_list":["post-2144","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-automation","tag-esxi","tag-vcenter"],"_links":{"self":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/2144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/comments?post=2144"}],"version-history":[{"count":5,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/2144\/revisions"}],"predecessor-version":[{"id":2149,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/posts\/2144\/revisions\/2149"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/media\/2143"}],"wp:attachment":[{"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/media?parent=2144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/categories?post=2144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/virtualall.sk\/en\/wp-json\/wp\/v2\/tags?post=2144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}