OS Settings to remember

This page is a collection of settings and adjustments made to various aspects of the operating systems installed at ElectricBrain. They mostly apply to the host nodes.

Ubuntu

Now used on all RPi4 nodes. Fedora has been replaced.

Ubuntu 20.04 LTS

Remove snapd

Fixed address networking. Systemd-networkd is the default for Ubuntu, so there is very little to do.

  • edit and setup /etc/systemd/network/20-wired.network
    • Fix network address
      [Match]
      Name=eth0

      [Network]
      LinkLocalAddressing=no
      Address=192.168.0.19/24
      Gateway=192.168.0.254
      DNS=192.168.0.254
  • edit /etc/networks
    • comment out #link-local 169.254.0.0
  • Remove netplan
    • > apt remove cloud-init libnetplan0 netplan.io
    • > systemctl reboot
  • disable IPv6 on RPi4b
    • vi /boot/firmware/cmdline.txt
    • Append "ipv6.disable=1" to the end of the line (no quotes)
    • Append (docker swarm hosts) "cgroup_memory=1 audit=1 cgroup_enable=memory swapaccount=1"
    • save and reboot
  • set the host name permanently
    • > hostnamectl set-hostname myhostname.localdomain
  • These settings are not used by the OS. They are passed through to the firmware prior to booting. Essentially they work for all operating systems on the Pi 4 (although the file is in different places). It means runtime resolution adjustments are not possible on Pi's video - boot time only :-(
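
For the cmdline.txt edits in the "disable IPv6 on RPi4b" step above: the file has to stay a single line, so appending with "echo >>" leaves the parameter on a second line. The function below is an added example, not part of the original notes. It folds the file back to one line and adds the listed parameters only if they are missing. The function name, the ".bak" backup name and the sample file contents are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the original page.
# ensure_cmdline_params FILE PARAM...
#   Make FILE one line holding its existing parameters plus every PARAM.
#   A PARAM already present is left in place; a token with the same key but
#   another value (ipv6.disable=0) is dropped in favour of the requested one,
#   so do not pass keys that legitimately repeat (console=).
#   FILE.bak (a name chosen for this example) is written only on change.
ensure_cmdline_params() (
    file=$1; shift
    [ -f "$file" ] || { echo "missing: $file" >&2; exit 1; }

    set -f                      # no globbing while word-splitting tokens
    line=
    # Default IFS splits on blanks, tabs and newlines, so parameters that an
    # earlier edit left on a second line are folded back onto the first.
    for tok in $(cat "$file"); do line="${line:+$line }$tok"; done

    for want in "$@"; do
        key=${want%%=*}
        out=; found=no
        for tok in $line; do
            if [ "$tok" = "$want" ]; then
                found=yes
            elif [ "${tok%%=*}" = "$key" ]; then
                continue        # stale value for the same key
            fi
            out="${out:+$out }$tok"
        done
        [ "$found" = yes ] || out="${out:+$out }$want"
        line=$out
    done

    [ "$line" = "$(cat "$file")" ] && exit 0    # already correct, no rewrite
    cp -p "$file" "$file.bak"
    printf '%s\n' "$line" > "$file"
)

# Constructed sample: an earlier append left ipv6.disable=1 on a second line.
demo=$(mktemp)
printf 'console=tty1 root=LABEL=writable rootwait\nipv6.disable=1\n' > "$demo"
ensure_cmdline_params "$demo" ipv6.disable=1 cgroup_memory=1 audit=1 \
    cgroup_enable=memory swapaccount=1
cat "$demo"
rm -f "$demo" "$demo.bak"
```

On a node, run it against a copy of /boot/firmware/cmdline.txt first and compare the result with the original before rebooting.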

Disable unattended upgrades

  • vi /etc/apt/apt.conf.d/20auto-upgrades
  • APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "0";

Fix audit messages in journal. ElasticSIEM is operating here and no audit messages are wanted in the journal:

  • The socket is stopped:
    systemctl stop systemd-journald-audit.socket
  • The socket is masked:
    systemctl mask systemd-journald-audit.socket
  • The systemd-journald service is restarted:
    systemctl restart systemd-journald
  • Reference https://github.com/systemd/systemd/issues/959

Stop kernel logging messages being blurted across the console:

Force screen output on HDMI0 even when no monitor is connected

  • Edit /boot/firmware/usercfg.txt and add the following lines (4k@24hz)
    • hdmi_force_hotplug=1
      hdmi_group:0=1
      hdmi_mode:0=93

    • for Pi3 and earlier hdmi_mode=16 for 1920x1080 (no :0 )

Firewalld

  • apt-get install firewalld
  • systemctl enable firewalld
  • systemctl start firewalld
  • Setup your rules.

Make "docker" group local

  • A network group for docker causes docker.socket to be delayed. This causes docker.service to fail with dependency issues.
  • Create a local group with the same gid as the network group
  • Reference: https://github.com/moby/moby/issues/29179

Fedora

  • Remove ModemManager (I don't have a modem):
    rpm -e ModemManager
  • Remove kdeconnect (phones are iOS here); security risk (Fedora 31):
    rpm -e kdeconnectd kde-connect kde-connect-libs
  • Turn off that !@#$% dnf makecache timer!
    http://swapoff.blogspot.com.au/2015/09/disable-automatic-package-metadata.html
    This jolly timer and makecache cause all sorts of AVCs from inside containers.
  • Enable selinux 'container_manage_cgroup' which allows systemd to run inside containers
    • setsebool container_manage_cgroup 1
      • Using this less now with F29.
      • No longer used with Fedora 31
  • disable and remove NetworkManager on servers - replace with systemd-networkd
    • dnf remove NetworkManager
      Note: this removes heaps of stuff. It worked for me. Be brave!
    • edit and setup /etc/systemd/network/20-wired.network
      [Match]
      Name=eth0

      [Network]
      Address=192.168.0.19/24
      Gateway=192.168.0.254
      DNS=192.168.0.254
    • systemctl enable systemd-networkd

    • systemctl start systemd-networkd

  • Soundblaster Katana no mic

    • amixer -c2 set 'PCM Capture Source',0  'External Mic'

  • Nvidia Graphics

    • Downgraded hardware in latest desktop build from GT 1060 6GB -> GT 1030 2GB

    • GT 1030 2GB uses a maximum of 30 watts (no more PSU power cables)

    • Performance dictates using Nvidia proprietary drivers. Massive speed difference.

  • Akonadi

    • dnf remove kf5-akonadi-server

MacOS

StackOverFlow - How to install Guest addition in Mac OS as guest and Windows machine as host

The answer about using csrutil to turn off MacOS driver signing just blows my mind. There are some super geniuses out there :-) This also works on a Linux host.