This is one of a series of posts on “Demystifying the Magical World of DevOps”
Alright, so, we have our Hyper-V server up and running, but as you may have noticed, it’s not very useful at the moment; it needs an actual VM with an OS on it.
There are a couple things to consider before we get started:
- What OS do you want to use?
- Does the VM disk image need to be encrypted?
For this post we’ll be creating an encrypted Ubuntu Server.
Before we begin
Before we can do much of anything, we'll need an ISO for the Linux distribution we wish to install. I'll be using Ubuntu Server 18.04. The standard (live) image for it can be found here, but in our case, since we're encrypting the disk image, we need the text-based "alternate" installer: the 18.04 live installer did not yet offer encrypted LVM as a partitioning option. The alternate image can be found here: http://cdimage.ubuntu.com/releases/18.04/release/ubuntu-18.04.3-server-amd64.iso
In the last post, we walked through the basics of creating a VM, so I won't dwell on that. One thing I think I neglected to note, however, is VM processor count. On the "settings" window, there's an option to set the number of virtual processors the VM can use. I typically choose something reasonable, but less than or equal to the total number of threads available on the host. We have four hyper-threaded cores on the current 'server' (which is really a spare laptop sitting on my desk), and since this is going to be the only VM running on it, I went ahead and allocated eight processors. If I were running multiple VMs or it was a Windows host instead of a straight Hyper-V server, I would probably have gone down to four, given that our application isn't particularly processor intensive. Also worth noting, you don't need TPM enabled on the security tab for what we're doing here: the encrypted volume is unlocked with a passphrase you type (at the console or over SSH), not with a key sealed to a TPM. If it is enabled, you won't be able to change the number of processors.
Installing the OS
So, now we boot. Because we're using the "alternate" installer, we're greeted by a bright purple screen with a text-based menu. I didn't take a screenshot of every option as we went along, but you can generally use defaults until you get to the partitioning screen. Here, we needed to choose "Guided – use entire disk and set up encrypted LVM" as pictured below. This puts root and swap inside a LUKS container with LVM on top; /boot stays unencrypted, since the kernel and initramfs have to be readable before anything can be unlocked. Note: Your dialog will likely look slightly different given that you'll be installing on a blank disk. In our case, I had previously installed a non-encrypted OS, so there are some existing partitions showing up here:
Make any changes needed on the next screens, probably going through a few scary menus warning you about losing everything on the drive and asking if you’re really sure you want to do this. Eventually, you’ll get to the following:
You'll need to choose a strong passphrase at this point, but it also needs to be memorable; you'll be entering it every time you boot the machine. (More on that shortly.) Keep in mind that this passphrase is all that protects the data at rest: anyone who copies the VHDX gets as far as this passphrase lets them.
Following this, you'll get another screen asking you to confirm the passphrase, and then probably a few more warnings about the fact you're changing the partition table, and then finally an option to install additional packages. (The only one you should need for our purposes is the OpenSSH server.) Finally, it will start installing, and at this point you can grab a cup of coffee, or surf YouTube.
And now, a word from our sponsors…
If you’re going the YouTube route, take a second to check out the Hiller Measurements channel. We have a new series called “Artists, Engineers, & Entrepreneurs,” where our president, Jeff Olsen sits down with different industry leaders to discuss the exciting things they’re doing, and how they got to where they are.
All facetiousness aside, they’ve been pretty interesting to me thus far. If you ever have recommendations for someone you’d like to see (or if you’d like to be interviewed), let us know!
Remote Unlocking
And… we're back. Now that we have a functioning install, you've probably made it to the boot screen where you have to enter the passphrase to boot the machine. You'll have to enter it every time the machine boots, and at this point the only place to do so is the VM console in the Hyper-V interface. If that's fine with you, continue on. Otherwise, we need to enable remote unlocking via SSH. I used this tutorial to install and configure dropbear, the condensed version of which is as follows:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install dropbear-initramfs
- Ignore any warnings you may get. (The install typically warns that /etc/dropbear-initramfs/authorized_keys is missing, so remote unlocking won't work yet; that is expected at this stage.)
Now, this is the basic implementation you'll need; if you reboot the machine, you can connect via SSH (e.g. using PuTTY) on port 22. That said, there's a catch because of the key situation. The dropbear instance in the initramfs has its own host key, different from the one the installed OpenSSH server uses once the system is up. With both answering on port 22 at the same address, your SSH client will complain about a changed host key on every other connection, and getting used to clicking through that warning is exactly what lets a real man-in-the-middle through later. See the tutorial linked above for the complete explanation, but in short, you'll want to run the initramfs SSH server on a different port so each service gets its own known_hosts entry.
To change the port, you'll need to edit /etc/dropbear-initramfs/config. Specifically, do the following:
sudo nano /etc/dropbear-initramfs/config
- Add the following line to the file, where 8668 is replaced by the port you wish to use:
DROPBEAR_OPTIONS="-p 8668"
- If you're super paranoid you can also add
-s -j -k -I 60
inside the quotes; these flags are explained below.
- Save and exit (ctrl+x), then rebuild the initramfs so the new config actually lands in it:
sudo update-initramfs -u
If you’re paranoid…
Regarding the additional flags, those mentioned above (-s -j -k -I 60) are specifically called out in the referenced tutorial. They are, in order: disable password logins, disable local port forwarding, disable remote port forwarding, and disconnect the session if it is idle for 60 seconds. If you disable password logins, you'll need to set up key-based authentication: your public key goes in /etc/dropbear-initramfs/authorized_keys, followed by another sudo update-initramfs -u. I'm not going to discuss it at length, but the tutorial does so.
Other OS level configuration considerations
If you don't have a DHCP server on your network, you'll need to set a static IP for the initramfs as well. That too is outlined in the referenced tutorial; it is done with the IP= setting in /etc/initramfs-tools/initramfs.conf (followed by another update-initramfs -u), and is separate from the network configuration of the installed OS, which only applies after the root volume is unlocked. Finally, there are a few minor bugs in this dropbear implementation, such as occasionally getting a segfault warning on login, but they are typically just little annoyances. That said, if you're easily annoyed, see the tutorial for a workaround.
Rebooting the machine
Now, after confirming you have an SSH client on your local machine, reboot the VM (sudo shutdown -r now). On the Hyper-V console you'll be greeted with a message indicating that dropbear has been started.
Fire up your SSH client and connect to your new Ubuntu Server VM on the port you configured above (8668, in our case) as root, using the root password or, if you disabled password logins with -s, the key you placed in authorized_keys. Finally, run cryptroot-unlock in the resulting shell and enter the LUKS passphrase. The root volume is unlocked, the boot continues, and the initramfs SSH session ends; from then on the regular OpenSSH server on port 22 is the one answering.
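Added example for the client side of the unlock just described (not from the post or the tutorial): it pins the initramfs host key in a known_hosts file of its own, so the host-key warnings discussed under Remote Unlocking disappear without training you to ignore them, and then runs cryptroot-unlock over the connection. It assumes you took the -s route with a key in authorized_keys; the alias vm-unlock, the address 192.0.2.10, port 8668 and the file names are placeholders, and the dropbearkey command in the comment is how the initramfs host key can be read off the VM console on Ubuntu 18.04.

```shell
#!/bin/sh
# Added example: client-side unlock over the dropbear port. The initramfs
# dropbear and the installed OpenSSH server present different host keys on the
# same address, so the unlock endpoint gets a dedicated known_hosts file that is
# seeded from the key read off the VM console rather than trusted on first use.
# Alias, address, port and file names are this example's own assumptions.
set -eu

# ssh_config stanza for the early-boot endpoint. Strict checking against a
# dedicated known_hosts file means a mismatch here is a real warning, not noise.
unlock_ssh_config() {
    name="$1"; host="$2"; port="$3"; known_hosts="$4"; identity="$5"
    cat <<EOF
Host $name
    HostName $host
    Port $port
    User root
    IdentityFile $identity
    IdentitiesOnly yes
    UserKnownHostsFile $known_hosts
    StrictHostKeyChecking yes
    PasswordAuthentication no
EOF
}

# known_hosts entry for the initramfs host key; OpenSSH records non-22 ports as
# [host]:port. $3 is "type base64", as printed on the VM (Ubuntu 18.04) by:
#   sudo dropbearkey -y -f /etc/dropbear-initramfs/dropbear_rsa_host_key \
#       | grep '^ssh-' | cut -d' ' -f1,2
known_hosts_line() {
    host="$1"; port="$2"; pubkey="$3"
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "unexpected key format: $pubkey" >&2; return 1 ;;
    esac
    if [ "$port" -eq 22 ]; then
        printf '%s %s\n' "$host" "$pubkey"
    else
        printf '[%s]:%s %s\n' "$host" "$port" "$pubkey"
    fi
}

# Wait for dropbear to answer after the reboot, then run cryptroot-unlock on a
# tty (-t) so it can prompt for the LUKS passphrase. -F keeps ~/.ssh/config out
# of the picture so only the pinned settings apply.
remote_unlock() {
    config="$1"; name="$2"; tries="${3:-30}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        if ssh -F "$config" -o ConnectTimeout=3 -o BatchMode=yes "$name" true 2>/dev/null; then
            break
        fi
        i=$((i + 1)); sleep 2
    done
    [ "$i" -lt "$tries" ] || { echo "dropbear on $name not reachable" >&2; return 1; }
    ssh -F "$config" -t "$name" cryptroot-unlock
}

# Usage, once the key has been read off the console:
#   known_hosts_line 192.0.2.10 8668 "ssh-rsa AAAA..." > ~/.ssh/known_hosts_vm_unlock
#   unlock_ssh_config vm-unlock 192.0.2.10 8668 ~/.ssh/known_hosts_vm_unlock \
#       ~/.ssh/id_ed25519 > ~/.ssh/config_vm_unlock
#   remote_unlock ~/.ssh/config_vm_unlock vm-unlock
```

Because the config is passed with -F and uses its own known_hosts file, the normal port-22 connection to the booted system keeps its own entry in ~/.ssh/known_hosts, and neither login ever sees the other's host key.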