There are some miscellaneous OS tweaks which are required.
Disable Spectre/Meltdown mitigations
The platform will be running a large number of virtual machines, and unfortunately the Spectre/Meltdown mitigations have such a huge impact on performance that the CPU may be completely swamped.
To disable these mitigations, edit
/etc/default/grub and set
If you are having problems with the text console, adding
You should also set:
The first is because of this bug which can cause VM images to be corrupted, if the OS prober finds them. (This is unlikely to affect you unless you're using LVM volumes).
The second is helpful for a "headless" system. There is a feature in Ubuntu whereby if a boot doesn't complete fully for any reason, then the next boot hangs indefinitely at the grub menu waiting for a keypress. We don't want this to happen when we don't have a keyboard and screen connected.
Once the file is saved, run this command:
Configure sshd security
When your machine is connected on its WAN side, it may get a public IP address and be reachable from the Internet.
To prevent attackers making brute-force password attacks against your
/etc/ssh/sshd_config and ensure both these settings are "no":
PasswordAuthentication no ... ChallengeResponseAuthentication no
Then add this to the very end of the file:
# Allow PasswordAuthentication from trusted networks only Match Address 100.64.0.0/10,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2001:db8::/32,fc00::/7 PasswordAuthentication yes
This means you'll be able to use password authentication when connecting on the local LAN, but access from the Internet will be restricted to public/private key authentication.
After this change, restart the ssh service:
sudo systemctl restart ssh
Disable known hosts hashing (optional)
In its default configuration, the ssh client writes obscured information in
~/.ssh/known_hosts. The idea is to make it harder for an intruder to
learn the names of other hosts you have connected to.
This is not a concern in a lab, so we suggest you edit
This is helpful when reinitializing the lab, as it makes it easier to find
and delete entries from
Disable sudo DNS lookups (optional)
sudo can give long timeouts when for some reason DNS is not available.
To disable them, create a file
/etc/sudoers.d/nofqdn with the
Check time sync status with:
timedatectl status ... System clock synchronized: yes systemd-timesyncd.service active: yes
systemd-timesyncd.service is not active then run
sudo timedatectl set-ntp on
You may not see
System clock synchronized change to
yes for a quite
a while; this is normal.