There are some miscellaneous OS tweaks which are required.

Disable Spectre/Meltdown mitigations

The platform will be running a large number of virtual machines, and unfortunately the Spectre/Meltdown mitigations have such a huge impact on performance that the CPU may be completely swamped.

To disable these mitigations, edit /etc/default/grub and set

GRUB_CMDLINE_LINUX="mitigations=off"

If you are having problems with the text console, adding nomodeset here may help.

You should also set:

GRUB_DISABLE_OS_PROBER=true

GRUB_RECORDFAIL_TIMEOUT=2

The first is because of this bug which can cause VM images to be corrupted, if the OS prober finds them. (This is unlikely to affect you unless you're using LVM volumes).

The second is helpful for a "headless" system. There is a feature in Ubuntu whereby if a boot doesn't complete fully for any reason, then the next boot hangs indefinitely at the grub menu waiting for a keypress. We don't want this to happen when we don't have a keyboard and screen connected.

Once the file is saved, run this command:

sudo update-grub

Configure sshd security

When your machine is connected on its WAN side, it may get a public IP address and be reachable from the Internet.

To prevent attackers making brute-force password attacks against your system, edit /etc/ssh/sshd_config and ensure both these settings are "no":

PasswordAuthentication no
...
ChallengeResponseAuthentication no

Then add this to the very end of the file:

# Allow PasswordAuthentication from trusted networks only
Match Address 100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2001:db8::/32,fc00::/7
PasswordAuthentication yes

This means you'll be able to use password authentication when connecting on the local LAN, but access from the Internet will be restricted to public/private key authentication.

After this change, restart the ssh service:

sudo systemctl restart ssh

Disable known hosts hashing (optional)

In its default configuration, the ssh client writes obscured information in ~/.ssh/known_hosts. The idea is to make it harder for an intruder to learn the names of other hosts you have connected to.

This is not a concern in a lab, so we suggest you edit /etc/ssh/ssh_config and set:

HashKnownHosts no

This is helpful when reinitializing the lab, as it makes it easier to find and delete entries from known_hosts selectively.

Disable sudo DNS lookups (optional)

sudo can give long timeouts when for some reason DNS is not available. To disable them, create a file /etc/sudoers.d/nofqdn with the following contents:

Defaults !fqdn

Time sync

Check time sync status with:

timedatectl status
...
       System clock synchronized: yes
systemd-timesyncd.service active: yes

If systemd-timesyncd.service is not active then run

sudo timedatectl set-ntp on

Note

You may not see System clock synchronized change to yes for a quite a while; this is normal.