Technical Information: Ubuntu Topics
If you're setting up DNS services on Ubuntu server ...
lvs, extend if not already larger than 28G (assuming the default root VG/LV naming):
lvextend -L +28G /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/ubuntu-vg/ubuntu-lv
pvcreate -M2 /dev/yourdiskdevice
vgcreate -s 64 yourvgname /dev/yourdiskdevice
lvcreate -L 64G -n home yourvgname ; mkfs -t ext4 /dev/yourvgname/home
/etc/fstab and add entry to mount the new home LV on /home
cd /
mkdir home_
mv ./home/* ./home_/
mount /home
mv ./home_/* ./home/
rmdir home_
/etc/netplan/whateveryourfilenameis.yaml (wifis section optional):
network:
  version: 2
  renderer: networkd
  ethernets:
    enp0s31f6:
      dhcp4: true
      dhcp6: false
  wifis:
    wlp4s0:
      dhcp4: true
      dhcp6: false
      access-points:
        "YourESSID":
          password: "YourWifiPassword"

addresses: [192.168.0.105/24]
gateway4: 192.168.0.9
nameservers:
  addresses: [192.168.0.9]
bridge-utils
/etc/sysctl.d/20-bridge.conf with:
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0
/etc/udev/rules.d/99-bridge.rules with:
ACTION=="add",SUBSYSTEM=="module",KERNEL=="br_netfilter",RUN+="/sbin/sysctl -p /etc/sysctl.d/20-bridge.conf"
/etc/netplan/whateveryourfilenameis.yaml:
network:
  version: 2
  renderer: networkd
  ethernets:
    enp4s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      macaddress: DE:AD:BE:EF:10:01
      interfaces: [enp4s0]
      dhcp4: true
      parameters:
        stp: false
        forward-delay: 0
Official documentation: https://github.com/lxc/lxd/blob/master/doc/production-setup.md
In /etc/security/limits.conf:
* soft nofile 1048576
* hard nofile 1048576
root - nofile 8192000
* soft memlock unlimited
* hard memlock unlimited
root soft memlock unlimited
root hard memlock unlimited
In /etc/sysctl.conf:
fs.aio-max-nr = 524288
fs.inotify.max_queued_events = 8192000
fs.inotify.max_user_instances = 8192000
fs.inotify.max_user_watches = 8192000
kernel.dmesg_restrict = 1
kernel.keys.maxbytes = 2000000
kernel.keys.maxkeys = 2048
net.core.bpf_jit_limit = 3000000000
net.ipv4.neigh.default.gc_thresh3 = 81920
net.ipv6.neigh.default.gc_thresh3 = 81920
vm.max_map_count = 262144
#net.ipv4.tcp_mem = 182757 243679 365514
net.core.netdev_max_backlog = 182757
In /etc/udev/rules.d/90-net.rules:
SUBSYSTEM=="net", ACTION=="add|change", KERNEL=="eth?", ATTR{tx_queue_len}="10000"
SUBSYSTEM=="net", ACTION=="add|change", KERNEL=="br?", ATTR{tx_queue_len}="10000"
bridge-utils, qemu-kvm
/etc/qemu/bridge.conf:
allow br0
/var/lib/kvm
root:disk, with permissions 2775 (drwxrwsr-x)
qemu-img create -f qcow2 baseline-vda 18G
(18G is decent for this purpose)
root:disk and permissions 444
qemu-img create -f qcow2 -b /path/to/baseline/image vmname-vda 18G
lvcreate -L 32G -n vmnamehome yourvgname
vdb or vdc, etc (depending on how many)
/etc/fstab to mount the filesystem at desired location
zfsutils, libvirt-clients, libvirt-daemon-system, virt-manager
/tmp/br0.xml:
<network>
  <name>br0</name>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>
virsh net-define /tmp/br0.xml
virsh net-start br0
virsh net-autostart br0
virsh list --all
virsh start vmname
virsh shutdown vmname
apt-transport-https, ca-certificates, software-properties-common
/etc/apt/sources.list.d/docker.list:
deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
apt update
apt install docker-ce
/etc/cloud/cloud.cfg, change the preserve_hostname setting to true
hostnamectl set-hostname <newhostname>
hostnamectl set-hostname --static <newhostname>
hostnamectl set-hostname --pretty <newhostname>
hostnamectl set-hostname --transient <newhostname>
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get install libc6:i386 libstdc++6:i386
apt -o Dpkg::Options::="--force-overwrite" install openjdk-9-jdk
This should be in /etc/security/limits.d/audio.conf or /etc/security/limits.conf:
@audio - rtprio 95
@audio - memlock unlimited
Replace 1 with ALSA card number
/etc/asound.conf:
defaults.pcm.card 1
defaults.ctl.card 1
If you want to run Jack for low-latency high-performance audio, you'll need to make sure that Jack can grab your audio interface directly, which means you won't want PulseAudio to grab it on startup. Disabling PulseAudio auto-spawn is most likely necessary, so you can start it manually after Jack is running:
systemctl --user stop pulseaudio.socket
systemctl --user stop pulseaudio.service
sudo systemctl stop pulseaudio
sudo systemctl disable pulseaudio
/etc/pulse/client.conf:
autospawn = no
daemon-binary = /bin/true
/etc/pulse/daemon.conf:
daemonize = no
mv /etc/rc2.d/S50pulseaudio /etc/rc2.d/K50pulseaudio
sudo systemctl mask pulseaudio
On Debian-like systems, be sure to install pulseaudio-module-jack. Load with:
pacmd load-module module-native-protocol-unix
pacmd load-module module-jack-source channels=2
pacmd load-module module-jack-sink channels=2
pacmd set-default-sink jack_out
pacmd set-default-source jack_in
(TODO: Add information about Fedora, OpenSuSE and the lot)
Then, if you intend to run jackd all the time, in /etc/pulse/default.pa or ~/.pulse/default.pa:
load-module module-native-protocol-unix
load-module module-jack-sink channels=2
load-module module-jack-source channels=2
load-module module-null-sink
load-module module-stream-restore
load-module module-rescue-streams
load-module module-always-sink
load-module module-suspend-on-idle
set-default-sink jack_out
set-default-source jack_in
The following isn't strictly necessary but might be useful, in ~/.pulse/daemon.conf:
default-sample-format = float32le
default-sample-rate = 48000
realtime-scheduling = yes
exit-idle-time = -1
As root:
add-apt-repository ppa:mkusb/ppa # and press Enter
apt update
apt install mkusb
dpkg --add-architecture i386
apt-get update
apt-get install libc6:i386 libstdc++6:i386
libx11-6:i386 libxext6:i386 libasound2:i386 libc6:i386 libfreetype6:i386 libc6:i386 libstdc++6:i386 libgcc1:i386 libxcb1:i386 zlib1g:i386 libpng12-0:i386 libxau6:i386 libxdmcp6:i386
add-apt-repository "deb http://archive.canonical.com/ $(lsb_release -sc) partner"
apt-get update
apt-get install skype
/var/lib/docker
snap install microk8s --classic
snap alias microk8s.kubectl kubectl
microk8s.enable dns storage ingress registry
Optional: dashboard
microk8s.stop
… to start again: microk8s.start
/var/snap/microk8s/common/var
/var/snap/microk8s/common/default-storage
kubectl -n kube-system get secret
kubectl -n kube-system describe secret yoursecretname
kubectl get all --all-namespaces | grep kubernetes-dashboard | grep ClusterIP
443 at that address, then point web browser at tunnelled port
kubectl proxy --accept-hosts=.* --address=0.0.0.0 &
config for container:
lxc.apparmor.profile = lxc-container-default-with-mounting
/etc/apparmor.d/lxc/lxc-default-with-mounting:
mount options=(rw, bind, ro),
/etc/init.d/apparmor reload
lxc-create -t download -n name -- -d ubuntu -r zesty -a amd64
lxcbr0 to br0)
lxc.mount.entry = /dev/yourvg/yourlv dev/yourvg/yourlv none bind,create=file 0 0
lxc.cgroup.devices.allow = b 253:13 rwm
net-tools and openssh-server
rmmod floppy
echo "blacklist floppy" > /etc/modprobe.d/blacklist-floppy.conf
dpkg-reconfigure initramfs-tools
dpkg --add-architecture i386
apt-get update
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
systemd-resolve --flush-caches
/etc/default/grub:
GRUB_CMDLINE_LINUX_DEFAULT="text"
GRUB_TERMINAL=console
update-grub
systemctl set-default multi-user.target
systemctl set-default graphical.target
~/.local/share/applications named yourapp.desktop with:
#!/usr/bin/env xdg-open
[Desktop Entry]
Encoding=UTF-8
Version=1.0
Type=Application
Terminal=false
Exec=/home/you/bin/yourpgm
Name=YourProgramName
Icon=your-icon-name
/usr/share/icons and can be either .png or .svg files
The /boot partition can fill up with old kernels unless periodically purged.
To see how many old kernels are present:
apt list --installed | grep 'linux-image'
There's little/no reason to keep more than one old kernel, so removing all but the most recent is advised.
After upgrading, if a new kernel is installed, keeping the most recent two is fine.
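The pruning rule above as a shell function. This is an added example, not from the original page: kernels_to_purge and the sample package list are assumptions constructed for illustration. It keeps the newest N kernels and never lists the running one.

```shell
#!/bin/sh
# kernels_to_purge PKG_LIST RUNNING_RELEASE [KEEP]
#   PKG_LIST         package names, one per line, for example from
#                    apt list --installed | cut -d/ -f1
#   RUNNING_RELEASE  output of `uname -r`
#   KEEP             how many of the newest kernels to keep (default 2)
# Prints the versioned linux-image packages that can go, oldest first.
kernels_to_purge() {
    pkgs=$1
    running=$2
    keep=${3:-2}
    printf '%s\n' "$pkgs" |
        grep -E '^linux-image-[0-9]' |   # skip metapackages such as linux-image-generic
        sort -V -r |                     # version sort, newest first
        awk -v keep="$keep" -v run="linux-image-$running" \
            'NR > keep && $0 != run' |   # drop the newest N and the running kernel
        sort -V
}

# Constructed sample input; the versions are illustrative only.
sample='linux-image-4.15.0-96-generic
linux-image-4.15.0-99-generic
linux-image-4.15.0-101-generic
linux-image-4.18.20-041820-generic
linux-image-generic'

# Dry run: what could be purged while 4.15.0-99 is the running kernel.
kernels_to_purge "$sample" 4.15.0-99-generic 2
```

Review the printed names before passing them to apt-get purge.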
Put into /etc/sysctl.conf:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Run to re-load: sysctl -p
In /etc/gdm3/custom.conf:
[security]
DisallowTCP=false
[xdmcp]
ServerArguments=-listen tcp
Populate /etc/lightdm/lightdm.conf with:
[SeatDefaults]
greeter-session=unity-greeter
user-session=ubuntu
xserver-allow-tcp=true
[XDMCPServer]
enabled=true
apt-get install lighttpd
apt-get install php-cgi
lighty-enable-mod fastcgi
lighty-enable-mod fastcgi-php
apt-get install php-mysql
apt-get install php-gd
systemctl disable systemd-networkd-wait-online.service
systemctl mask systemd-networkd-wait-online.service
(second line prevents the wait-online service from starting if requested by another service)
apt-get install duplicity
apt-get install --reinstall python-gi
wins to end of hosts line in /etc/nsswitch.conf
cifs mounts for locations desired
When installing a .deb package using apt, and the package file is placed under the root user's home directory (typically /root), permissions will usually not allow the _apt user to read the .deb file. The error looks something like this:
Download is performed unsandboxed as root as file <somepathtofile> couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
In this case, the /root directory is probably set to drwx------ for permissions, so changing it to 775 (drwxrwxr-x), which opens it to the root group and gives every other local user, _apt included, read and search access, fixes the problem:
chmod 775 /root
In /boot/firmware/cmdline.txt, add to end of line:
usbhid.mousepoll=8
cd /lib/firmware/brcm ; cp brcmfmac43455-sdio.raspberrypi,4-model-b.txt brcmfmac43455-sdio.txt
cpufreq-set -g performance
(use unmask to re-enable)
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
… or, reactivate a deactivated display (happens with some HDMI)
xset -dpms s off s noblank s 0 0 s noexpose
apt install exfat-utils exfat-fuse
This should resolve the issue:
modprobe -rv rt2800pci
modprobe -v rt2800pci nohwcrypt=Y
Put this in /etc/modprobe.d/rt2800pci.conf to make it permanent:
options rt2800pci nohwcrypt=Y
https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot
openssl req -config ./openssl.conf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
mokutil --import MOK.der
mv vmlinuz-4.18.20-041820-generic vmlinuz-4.18.20-041820-generic-unsigned
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-4.18.20-041820-generic-unsigned --output /boot/vmlinuz-4.18.20-041820-generic
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = kernel_signing
x509_extensions = v3
string_mask = utf8only
prompt = no
[ kernel_signing ]
countryName = US
stateOrProvinceName = Minnesota
localityName = Albert Lea
0.organizationName = Albert Lea Data
commonName = Secure Boot Signing
emailAddress = kernelsigning@albertleadata.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
# Only include the second for module-signing
#extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"