{"id":1449,"date":"2020-01-26T16:56:41","date_gmt":"2020-01-26T21:56:41","guid":{"rendered":"https:\/\/enterpriseadmins.org\/blog\/?p=1449"},"modified":"2020-03-02T20:52:15","modified_gmt":"2020-03-03T01:52:15","slug":"lab-updates-ubuntu-18-04-template","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/virtualization\/lab-updates-ubuntu-18-04-template\/","title":{"rendered":"Lab Updates: Ubuntu Server 18.04 LTS Template"},"content":{"rendered":"\n<p>Over three years ago I created a post for creating an Ubuntu 16.04 template for use in a lab environment.  I&#8217;ve been using that template, with very minor updates, ever since.  Ubuntu 16.04 LTS (Long Term Support) will stop receiving maintenance updates in just over a year,  so I plan to start moving to 18.04 LTS.  More information on Ubuntu release cycles can be found here:  <a href=\"https:\/\/ubuntu.com\/about\/release-cycle\">https:\/\/ubuntu.com\/about\/release-cycle<\/a>.<\/p>\n\n\n\n<p>To begin, we will download the ubuntu-18.04.3-server-amd64.iso file from  <a href=\"http:\/\/cdimage.ubuntu.com\/releases\/18.04\/release\/\">http:\/\/cdimage.ubuntu.com\/releases\/18.04\/release\/<\/a> and upload it to a datastore.  
Next we will create a new virtual machine, entering names and selecting host\/datastore\/virtual hardware compatibility levels appropriate for our infrastructure.&nbsp; Select OS Linux&gt;Ubuntu Linux x64.&nbsp; The default network adapter should be vmxnet3, but I changed the SCSI controller from the default LSI Logic Parallel to PVSCSI.&nbsp; For the template, I stuck with 1vCPU, 1GB RAM, and 16GB disk (in a future post we will cover growing the filesystem if additional space is needed).&nbsp; We will select \u2018Datastore ISO File\u2019 and browse to the ubuntu-18.04.3-server-amd64.iso file we uploaded earlier, and then confirm that \u2018Connect At Power On\u2019 is selected for the CDROM.<\/p>\n\n\n\n<p>With the VM created, we will power it on and open the console; the installer should have begun automatically.&nbsp; For the install, I mostly selected defaults, except the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>User account to be created: template-admin<\/li><li>Partition disks: Guided \u2013 use entire disk (without LVM).&nbsp; When using guided with LVM the volumes embed the template hostname, which will change on deployment.&nbsp; We can still grow the filesystem without LVM, and other LVMs can be set up in the future, so we will continue without LVM for now.<\/li><li>Install security updates automatically.&nbsp; (Set up Landscape in the future?)<\/li><li>Select the box to add openssh server<\/li><\/ul>\n\n\n\n<p>When complete, the installer will disconnect (eject) the CDROM.&nbsp; This is a good time to edit the VM settings to\nswitch back to \u2018Client Device\u2019 so that no CD is attached to the resulting\ntemplates once deployed.<\/p>\n\n\n\n<p>Log in as the local user created during install, for example template-admin.&nbsp; The IP address for ens192 (the default network adapter) should appear.&nbsp; We can now SSH in so the following commands can be copied\/pasted.  
First we will set a password for root:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">template-admin@ubuntu:~$ sudo passwd root\n[sudo] password for template-admin:\nEnter new UNIX password: \nRetype new UNIX password: \npasswd: password updated successfully <\/pre>\n\n\n\n<p>Switch to the root user; this will save a bit of time as we can run as this user without specifying sudo for each command.  Once we are running as root, we will make sure the system is up to date.<\/p>\n\n\n\n<p>Note: if we use the command &#8216;su -&#8217; with a trailing hyphen, the system will put us in the \/root folder.  If we do not include the trailing hyphen then we will remain in the current directory of the session that issued the su command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">su -\napt update &amp;&amp; apt -y upgrade \napt clean &amp;&amp; apt -y autoremove --purge <\/pre>\n\n\n\n<p>Instead of using local accounts, we will join our Ubuntu systems to Active Directory using the BeyondTrust AD Bridge Open Edition.  The process is described here: <a href=\"https:\/\/repo.pbis.beyondtrust.com\/apt.html\">https:\/\/repo.pbis.beyondtrust.com\/apt.html<\/a>.&nbsp; Specifically we will run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wget -O - http:\/\/repo.pbis.beyondtrust.com\/apt\/RPM-GPG-KEY-pbis|sudo apt-key add -\nsudo wget -O \/etc\/apt\/sources.list.d\/pbiso.list http:\/\/repo.pbis.beyondtrust.com\/apt\/pbiso.list\nsudo apt-get update\nsudo apt-get install pbis-open <\/pre>\n\n\n\n<p>Joining the domain will take a small handful of commands, so we will create a shell script for the template to help with future domain joins.&nbsp; We will put this script in the root user&#8217;s profile directory, so we can launch it simply after customization with <strong>.\/joinad.sh<\/strong>. 
&nbsp;Launch a text editor such as <strong>nano joinad.sh<\/strong> and paste in the following text:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># The following line has the OU, Domain Name, User Account, and Password of a user with permissions to create computer objects.\n\/opt\/pbis\/bin\/domainjoin-cli join --ou \"LAB Servers\/Services\" lab.enterpriseadmins.org svc-windowsjoin VMware1!\n\/opt\/pbis\/bin\/config AssumeDefaultDomain true\n\/opt\/pbis\/bin\/config LoginShellTemplate \/bin\/bash\n\/opt\/pbis\/bin\/config HomeDirTemplate %H\/%U\n\/opt\/pbis\/bin\/config RequireMembershipOf \"lab\\\\domain^users\"\n\/opt\/pbis\/bin\/update-dns<\/pre>\n\n\n\n<p>Save the file, then make it executable:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chmod +x joinad.sh<\/pre>\n\n\n\n<p>When executing the above script, a DNS record is created.  In the past I&#8217;ve had issues with that record eventually being scavenged\/deleted by the DNS server.  To ensure that the DNS record is occasionally updated, I like to add a task to crontab.  We can do this in the template by running <strong>crontab -e<\/strong>, which will allow us to select a default editor.  Once inside the editor we can add a single line like the following:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> 1 1 * * 0,3 \/opt\/pbis\/bin\/update-dns <\/pre>\n\n\n\n<p>This will schedule a task to run at 1:01 every Sunday and Wednesday.  For reference, I did stumble on a great site to validate your crontab syntax at  <a href=\"https:\/\/crontab.guru\/\">https:\/\/crontab.guru\/<\/a>.  <\/p>\n\n\n\n<p>The last AD-related configuration to make is to add a domain group to the <strong>\/etc\/sudoers<\/strong> file, so that certain users can use sudo to run commands as root.  
To do this, we edit the \/etc\/sudoers file and add a line similar to:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"> %lab^linux^sudoers&nbsp;&nbsp;&nbsp;ALL=(ALL) ALL,!ROOTONLY <\/pre>\n\n\n\n<p>This will allow members of the AD group LAB Linux Sudoers to execute commands such as <strong>sudo whoami<\/strong>.  After entering their password, they should see that they are running a command as <strong>root<\/strong>.<\/p>\n\n\n\n<p>By default, netplan uses a client ID for DHCP assignments.&nbsp; When using DHCP we want to use a MAC address as an identifier.&nbsp; I found two sources to describe this, first <a href=\"https:\/\/bugs.launchpad.net\/netplan\/+bug\/1759532\">https:\/\/bugs.launchpad.net\/netplan\/+bug\/1759532<\/a>, which links to this parent bug: <a href=\"https:\/\/bugs.launchpad.net\/netplan\/+bug\/1738998\">https:\/\/bugs.launchpad.net\/netplan\/+bug\/1738998<\/a>.  The recommendation is to change the netplan yaml config file to include <strong>dhcp-identifier: mac<\/strong>.  We will do this in a text editor by running <strong>nano \/etc\/netplan\/01-netcfg.yaml<\/strong>.  The resulting file should look similar to this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">network:<br>&nbsp; version: 2<br>&nbsp; renderer: networkd<br>&nbsp; ethernets:<br>&nbsp;&nbsp;&nbsp; ens192:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dhcp4: yes<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dhcp-identifier: mac<\/pre>\n\n\n\n<p>Note: this yaml file uses white space as a delimiter.  The dhcp4 and dhcp-identifier lines have 6 leading spaces (there are 2 for ethernets, 2 more for ens192, and 2 more for the property we added).<\/p>\n\n\n\n<p>We could apply this with <strong>netplan apply<\/strong>, but doing so will likely result in a new IP address assignment from DHCP and a disconnect from SSH.  
I really only need the setting for the future, so I&#8217;ll leave this for the next reboot.<\/p>\n\n\n\n<p>While working on this template, the VM console was at the login screen, and I accidentally hit the CTRL+ALT+DELETE button in the vSphere HTML5 client\u2026 and the VM immediately rebooted.&nbsp; I tried this a couple of times, and a bit of research confirms it is a default behavior.&nbsp; I want to disable that in my template, so I used the instructions here: <a href=\"https:\/\/www.linuxbuzz.com\/disable-reboot-ctrl-alt-del-ubuntu-debian\/\">https:\/\/www.linuxbuzz.com\/disable-reboot-ctrl-alt-del-ubuntu-debian\/<\/a>.&nbsp; Since we are already switched to the root user, we don\u2019t need to specify sudo for each line and can run these two commands:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl mask ctrl-alt-del.target<br>systemctl daemon-reload<\/pre>\n\n\n\n<p>For time keeping we\u2019ll use timesyncd, so we\u2019ll edit the config file and add our NTP servers.  We&#8217;ll remove the comment from the NTP line and add our servers, separated by spaces.  We can edit the file with any text editor, such as <strong>nano \/etc\/systemd\/timesyncd.conf<\/strong>.  
After changing the file, we&#8217;ll want to make these servers active, which we can do with the following restart command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart systemd-timesyncd.service<\/pre>\n\n\n\n<p>Install the Log Insight agent.&nbsp; I have previously downloaded the Log Insight agent installers and placed them on an internal web server.&nbsp; The web server does not support .deb files, so I simply added a .zip to the end of the file name.&nbsp; After downloading, we will need to rename the file back to the original name:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/tmp<br>wget <a href=\"http:\/\/www.example.com\/vmware-log-insight-agent_8.0.0-14743436_all_192.168.45.80.deb.zip\">http:\/\/www.example.com\/vmware-log-insight-agent_8.0.0-14743436_all_192.168.45.80.deb.zip<\/a><br>mv vmware-log-insight-agent_8.0.0-14743436_all_192.168.45.80.deb.zip vmware-log-insight-agent_8.0.0-14743436_all_192.168.45.80.deb<br>dpkg -i vmware-log-insight-agent_8.0.0-14743436_all_192.168.45.80.deb<\/pre>\n\n\n\n<p>Check the configuration file to ensure it has the settings you want, for example with <strong>nano \/var\/lib\/loginsight-agent\/liagent.ini<\/strong>.  In my case I decided to enable central_config and auto_update properties.<\/p>\n\n\n\n<p>I used part of a script here: <a href=\"https:\/\/jimangel.io\/post\/create-a-vm-template-ubuntu-18.04\/\">https:\/\/jimangel.io\/post\/create-a-vm-template-ubuntu-18.04\/<\/a> to make sure new openssh-server keys are generated after template deployment.  You should check out the original post for additional optional settings you may want to change at first boot, like a randomly generated hostname.  
The below text can be run from the shell:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#add check for ssh host keys on boot...regenerate if necessary<br>#(a default Ubuntu 18.04 install creates no DSA host key, so the RSA key is tested instead)<br>cat &lt;&lt; 'EOL' | sudo tee \/etc\/rc.local<br>#!\/bin\/sh -e<br>#<br># rc.local<br>#<br>test -f \/etc\/ssh\/ssh_host_rsa_key || dpkg-reconfigure openssh-server<br>exit 0<br>EOL<br><br># make sure the script is executable<br>chmod +x \/etc\/rc.local<\/pre>\n\n\n\n<p>There are a handful of cleanup items we will want to run anytime we crack open the template for updates.  Those commands are listed below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rm -rf \/tmp\/*<br>rm -rf \/var\/tmp\/*<br>rm -f \/etc\/ssh\/ssh_host_*<br>history -c<br>shutdown -h now<\/pre>\n\n\n\n<p>Add a description to the VM note\/annotation field.&nbsp; This will be cloned when the VM is updated,\nso it will give you an idea of the starting point for all subsequent VMs.&nbsp; For example, I added the following text:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">2020-01-19: Ubuntu 18.04 Template, Open-VM-Tools 11.0.1,\npbis-open, Log Insight Agent<\/pre>\n\n\n\n<p>Convert template-Ubuntu1804 to a template.  We now have an Ubuntu 18.04 template that is ready for use.  <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over three years ago I created a post for creating an Ubuntu 16.04 template for use in a lab environment. I&#8217;ve been using that template, with very minor updates, ever since. 
Ubuntu 16.04 LTS (Long Term Support) will stop receiving &hellip; <a href=\"https:\/\/enterpriseadmins.org\/blog\/virtualization\/lab-updates-ubuntu-18-04-template\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1449","post","type-post","status-publish","format-standard","hentry","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=1449"}],"version-history":[{"count":7,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1449\/revisions"}],"predecessor-version":[{"id":1515,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/1449\/revisions\/1515"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=1449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=1449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=1449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}