Setting up a new Linux VM

This is similar to Setup New Linux (Physical) Box

This page goes through the settings applied when setting up a new Ubuntu VM. In this case I was setting up Ubuntu 20.10 Groovy Gorilla.

Debian / Bookworm

Specific steps for Debian/Bookworm

Add non-free repositories

In the past (Debian Buster) you had to update /etc/apt/sources.list by adding contrib non-free to the end of the line. This time around, however, the file was empty. Below are the lines obtained from the Debian sources list, with non-free-firmware also added to the end.

deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware

deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware

deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware

Install packages

apt update
apt-get install aptitude
aptitude install vim sudo sysstat locate postfix ssl-cert bsd-mailx net-tools zip unzip rsync git screen
ln -s /usr/sbin/ifconfig /usr/local/bin/ifconfig
updatedb

Optional packages to install

aptitude install ncdu htop nload pydf iotop

Use tasksel to install GUI such as KDE Plasma.

Other changes

  • vim: Besides other .vimrc settings, also include set mouse=
echo "set mouse=" >> ~/.vimrc
echo "set mouse=" | sudo tee -a /root/.vimrc

Comments on Minimum Memory requirements

Update root password

When cloning, make sure to update the root password on the clone. Debian requires it when you need to rescue the system.

SSHD Config Changes

Update /etc/ssh/sshd_config to include

PermitRootLogin prohibit-password
PermitEmptyPasswords no
TCPKeepAlive yes

To temporarily enable Root Login

PermitRootLogin yes
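
The check below is an added example, not part of the original page: it reads an sshd_config file the way sshd does (the first value seen for a keyword wins, keywords are case-insensitive) and reports whether the two settings above are in effect, which catches a temporary `PermitRootLogin yes` that was never removed. The function names and the sample are constructed for illustration; it does not follow `Include` lines or `Match` blocks, so on a live host compare with the output of `sshd -T`.

```shell
#!/bin/sh
# Added example (not from the original page): check an sshd_config file for the
# settings listed above, reading it the way sshd does.

# effective_value KEYWORD   (config text on stdin)
# sshd keeps the FIRST value it reads for a keyword, and keywords are
# case-insensitive. Only the global section (before any Match) is examined.
effective_value() {
    awk -v want="$1" '
        /^[ \t]*(#|$)/                { next }   # comments and blank lines
        tolower($1) == "match"        { exit }   # end of the global section
        tolower($1) == tolower(want)  { print tolower($2); exit }
    '
}

# audit_sshd FILE   ("-" reads stdin). Prints one line per finding and
# returns 0 when clean, 1 when something is off, 2 if FILE is unreadable.
audit_sshd() {
    cfg=$(cat "$1") || return 2
    findings=0
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin)
    empty=$(printf '%s\n' "$cfg" | effective_value PermitEmptyPasswords)
    # Unset keywords fall back to the OpenSSH defaults (prohibit-password / no).
    case "${root:-prohibit-password}" in
        prohibit-password|without-password|forced-commands-only|no) ;;
        *) echo "FAIL PermitRootLogin is '$root'"; findings=$((findings + 1)) ;;
    esac
    case "${empty:-no}" in
        no) ;;
        *) echo "FAIL PermitEmptyPasswords is '$empty'"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: the temporary line was left in place and the hardened
# line was appended below it, so sshd still honours "yes".
sample_leftover() {
    cat <<'EOF'
PermitRootLogin yes
PermitRootLogin prohibit-password
PermitEmptyPasswords no
TCPKeepAlive yes
EOF
}

sample_leftover | audit_sshd - || echo "sample config needs attention"
```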

Network configuration

Specify the Static IP address and DNS address in /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp0s3
#iface enp0s3 inet dhcp
auto enp0s3
iface enp0s3 inet static
        address 192.168.1.47
        netmask 255.255.255.0
        network 192.168.1.0
        gateway 192.168.1.1
        broadcast 192.168.1.255
        dns-nameservers 192.168.1.48
        dns-nameservers 192.168.1.10
        dns-nameservers 192.168.1.1
        dns-nameservers 8.8.8.8

# This is an autoconfigured IPv6 interface
#iface enp0s3 inet6 auto

#
# The network interface for Host-Only Network
auto enp0s8
iface enp0s8 inet static
        address 192.168.56.47
        netmask 255.255.255.0
        network 192.168.56.0
        gateway 192.168.56.1
        broadcast 192.168.56.255

Update /etc/resolv.conf as well to indicate the DNS entries and DNS configuration

nameserver 192.168.1.48
nameserver 192.168.1.10
nameserver 192.168.1.1
nameserver 8.8.8.8
options timeout:1
options attempts:1

Include DNS entry in DNS Servers

Include the new server in the DNS entries on the DNS servers: ubv47 and ubv10.

Add the entry in /etc/hosts.dnsmasq as below:

192.168.1.50    server50  server50.example.org

Restart dnsmasq

systemctl restart dnsmasq
# OR
service dnsmasq restart

Backuppc configuration

Add the new server to /etc/hosts on the Backuppc server (ubv33). Then copy the backuppc user's SSH key so that it can log in as root on the new server.

ssh-copy-id root@<new server>

Nagios configuration

Below are the Nagios configuration steps

aptitude install nagios-nrpe-server
# In /etc/nagios/nrpe.cfg, update the line to allowed_hosts=127.0.0.1,::1,192.168.1.0/24
# Copy /etc/nagios/nrpe.d/cu_nrpe.cfg configuration from an existing server
# Copy the following files from another server to /usr/lib/nagios/plugins/
  # check_deleted_lsof
  # check_cpu.sh
  # check_uptime
  # check_template
  # check_mem.pl
  # check_lost_found
  # check_log1
  # check_file_per
  # check_mailq
# Make nagios user part of sudo group
systemctl restart nagios-nrpe-server

Update file /etc/nagios/nrpe.cfg and change line as below

allowed_hosts=127.0.0.1,::1,192.168.1.0/24

Create file /etc/nagios/nrpe.d/cu_nrpe.cfg with the below

command[check_cu_users]=/usr/lib/nagios/plugins/check_users -w 10 -c 15
command[check_cu_load]=/usr/lib/nagios/plugins/check_load -w 15,10,5 -c 20,15,10
command[check_cu_zombie_procs]=/usr/lib/nagios/plugins/check_procs -w 1 -c 2 -s Z
command[check_cu_total_procs]=/usr/lib/nagios/plugins/check_procs -w 150 -c 200
command[check_cu_swap]=/usr/lib/nagios/plugins/check_swap -w 20 -c 10
command[check_cu_mailq]=/usr/lib/nagios/plugins/check_mailq -w 1 -c 5 -M postfix
command[check_cu_ntp_time]=/usr/lib/nagios/plugins/check_ntp_time -H pool.ntp.org -w 30 -c 60
command[check_cu_memory]=/usr/lib/nagios/plugins/check_mem.pl -u -C -w 80 -c 90
command[check_cu_raid]=/usr/lib/nagios/plugins/check_raid
command[check_cu_cron]=/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1024 -C cron
command[check_cu_pcpu]=/usr/lib/nagios/plugins/check_procs -w 40 -c 45 --metric=CPU -v
command[check_cu_fp_tmp]=/usr/lib/nagios/plugins/check_file_per -f /tmp -p 1777
command[check_cu_disk]=/usr/lib/nagios/plugins/check_disk -w 15% -c 10% -N ext4 -f
command[check_cu_uptime]=/usr/lib/nagios/plugins/check_uptime --warning 60: --critical 60:
command[check_cu_cpu]=/usr/lib/nagios/plugins/check_cpu.sh -w 90 -c 95
command[check_cu_lostfound]=/usr/bin/sudo /usr/lib/nagios/plugins/check_lost_found -w 1 -c 2
command[check_cu_kernlog]=/usr/bin/sudo /usr/lib/nagios/plugins/check_log1 -F /var/log/kern.log -O /tmp/kern.log -q ^
command[check_cu_deleted_lsof]=/usr/bin/sudo /usr/lib/nagios/plugins/check_deleted_lsof -w 50000000 -c 60000000

Add nagios to sudo group to execute commands that need root access

usermod -a -G sudo nagios
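
With Debian's stock `%sudo ALL=(ALL:ALL) ALL` rule, membership of the sudo group lets the account run any command as root and asks for a password, which NRPE cannot type. As an added example (not from the original page), the script below derives one exact-match `NOPASSWD` rule per sudo-wrapped NRPE command instead; the function names, the sample lines and the `check_demo` entry are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): turn the sudo-wrapped NRPE
# commands into exact-match sudoers rules instead of sudo group membership.

# nrpe_sudoers FILE [USER]   ("-" reads stdin; USER defaults to nagios)
# Prints one rule per command[...] line that runs through /usr/bin/sudo.
# sudoers requires \ , : = to be escaped inside commands; sed does that last.
nrpe_sudoers() {
    awk '
        /^[ \t]*command\[/ {
            eq = index($0, "=")
            if (eq == 0) next
            cmd = substr($0, eq + 1)
            if (cmd !~ /^\/usr\/bin\/sudo[ \t]+\//) next   # not run via sudo
            sub(/^\/usr\/bin\/sudo[ \t]+/, "", cmd)        # plugin path + args
            sub(/[ \t]+$/, "", cmd)
            # sudoers would treat these as wildcards; leave such lines for review
            if (index(cmd, "*") || index(cmd, "?") || index(cmd, "[")) {
                print "skipped, review by hand: " cmd > "/dev/stderr"
                next
            }
            print cmd
        }
    ' "$1" | sed -e 's/[\\,:=]/\\&/g' -e "s|^|${2:-nagios} ALL=(root) NOPASSWD: |"
}

# Constructed sample based on the cu_nrpe.cfg entries above; the last line is
# made up to show the escaping.
sample_cfg() {
    cat <<'EOF'
command[check_cu_swap]=/usr/lib/nagios/plugins/check_swap -w 20 -c 10
command[check_cu_lostfound]=/usr/bin/sudo /usr/lib/nagios/plugins/check_lost_found -w 1 -c 2
command[check_cu_deleted_lsof]=/usr/bin/sudo /usr/lib/nagios/plugins/check_deleted_lsof -w 50000000 -c 60000000
command[check_demo]=/usr/bin/sudo /usr/lib/nagios/plugins/check_uptime --warning 60: --critical 60:
EOF
}

# Demo run on the sample. On a real host, write the rules to a scratch file,
# validate it with `visudo -cf`, then install it under /etc/sudoers.d/ (0440).
sample_cfg | nrpe_sudoers -
```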

Tools Directory

Copy /home/senthil/tools directory to the new server

Postfix

Validate Postfix configuration

MySQL

  • Choose a password: date|md5sum
  • Run mysql_secure_installation to make db secure.
    • Use the above password
  • Run Create root user and set password for remote user
  • Copy /etc/cron.daily/mysql_backup
  • Create MySQL User and Database ncheck and ucheck (not nagioscheck) for Monitoring.

Install Configuration / Steps

  • Postfix is no longer installed by default on Groovy, so install it

System Configuration

More items

  • Mail
    • Setup postfix
      • Configure /etc/aliases to include
root: system@example.org
user: system@example.org

Then run newaliases

  • SSH
    • Generate SSH private and public keys
  • Tuning
    • Change swappiness and other parameters based on server needs - sysctl.conf
  • Others
    • Optionally ask server to reboot automatically on kernel panic
    • Disable module i2c_piix4 on Virtual Machines
    • Install NRPE to be monitored
      • nagios-nrpe-server nagios-plugins
    • Install x11-utils x11-xserver-utils

Other Items configuration

