@dudeisbrendan03
Last active March 12, 2021 12:19
Linode Guide Examples

Please note, some of the markdown in this file does not follow the style guidelines provided by Linode; this is to improve the readability of the document on GitHub Gist.

I will happily modify these to meet the style specification from Linode.

---
author:
  name: Brendan Jennings
  email: jbrendan70@outlook.com
description: 'How to configure swap space in Ubuntu 20.04'
keywords: ["swap", "memory", "virtual memory", "low memory"]
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
published: 2021-03-11
modified_by:
  name: Brendan Jennings
title: 'How to configure swap space in Ubuntu 20.04'
contributor:
  name: Brendan Jennings
  link: https://www.linkedin.com/in/brendan-jennings-3a2a7a199/
---

The steps in this guide require root privileges. Be sure to run the steps below as root or with the sudo prefix. For more information on privileges, see our Users and Groups guide.

Before You Begin

  1. Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode's hostname and timezone.

  2. This guide will use sudo wherever possible. Complete the sections of our Securing Your Server guide to create a standard user account, harden SSH access and remove unnecessary network services.

What is swap space

Swap is space on a disk used as virtual memory. When the Linux host is low on or out of memory, having swap allows the system to move inactive pages from RAM to the swap space on disk.

Swap space can be backed by either a file or a partition.

The main reason people tend to use swap is to increase the amount of memory beyond what is physically installed (RAM) and to enable suspend-to-disk or 'Hibernate' support in Linux.

Issues that may occur with swap

Well, if swap just allows people to add more 'memory' to the machine, why don't we use this instead of paying for more memory?

People commonly try to use swap as an active extension of memory. This is an issue for multiple reasons; here are two you should keep in mind:

  1. Thrashing

    When swap and memory are both near full, the system spends so much time paging blocks of memory between your RAM and swap space that it struggles to get any actual work done!

  2. Speed

    Physical memory is designed to store temporary data which can be transferred at high speed. Swap, however, lives on your local disk, which aims for persistence and reliability over speed.

    Relying on swap space can cause performance issues which could prove detrimental in production environments.

I wouldn't recommend against swap; it's an extremely useful tool, but make sure to use it properly.

How much swap should I look at allocating

This varies from system to system: hosts with less physical memory should usually have more swap allocated than hosts with more memory.

Below is a table giving an idea of how much swap you should allocate to your Linode.

| Physical memory | Recommended allocation |
|-----------------|------------------------|
| 1-4GiB          | 2 x physical memory    |
| 4-8GiB          | 1.5 x physical memory  |
| 16-32GiB        | 1 x physical memory    |
| 32-64GiB        | 0.5 x physical memory  |

Over 64GiB, you shouldn't really need swap space that much, although it's great to have to move items cached in memory for extended periods of time to disk.

How to enable swap

In this example, we'll allocate file-based swap space for a Linode with 8GiB of memory!

  1. Pre-allocate the space you want for your swap file to your disk with the fallocate utility

     sudo fallocate -l 12G /var/swapfile
    
  2. Set the permissions of our swap file to owner (root) write/read only using chmod

    Since our virtual memory is as important as physical memory (in terms of data integrity), let's make sure no unauthorised users can tamper with it.

     sudo chmod 600 /var/swapfile    
    
  3. Set up the file as a swap area on the device using mkswap

     sudo mkswap /var/swapfile
    
  4. Enable the swap file on your system

    We have our swap file ready, but we need to tell our system where it is and to use it!

     sudo swapon /var/swapfile
    
  5. (Optional) Make your swap allocation persist

    On reboot we want to ensure that our swap file is mounted for use again. fstab (the file systems table) stores information about internal devices for mounting and unmounting.

    Let's append an entry for our new swap file to fstab.

     sudo cp /etc/fstab /etc/fstab.bkp #Backup fstab
     echo '/var/swapfile swap swap defaults 0 0' | sudo tee -a /etc/fstab #Append to fstab (no -n: the entry must end with a newline)
    
  6. (Optional) Check if your swap allocation is functioning

     sudo swapon --show
    
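As an added example (not part of the original guide), here is a POSIX sh script that performs steps 1 to 6 above in one go and sizes the swap file from the recommendation table in the previous section. The script name swap-setup.sh, the `apply` argument and the fallback behaviour for memory sizes the table does not cover are this example's own conventions; the commands and the fstab entry are the ones the guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: runs the swap-file steps
# idempotently and sizes the file from the guide's recommendation table.
# Usage (as root): sudo sh swap-setup.sh apply [/path/to/swapfile] [size]
set -eu

# Recommended swap in GiB for a given amount of physical memory in GiB,
# following the guide's table. The table has no row for 8-16 GiB, so that
# range returns a non-zero status instead of guessing.
recommended_swap_gib() {
    mem=$1
    if   [ "$mem" -le 4 ];  then echo $((mem * 2))        # 2 x memory
    elif [ "$mem" -le 8 ];  then echo $((mem * 3 / 2))    # 1.5 x memory
    elif [ "$mem" -lt 16 ]; then return 1                 # not covered by the table
    elif [ "$mem" -le 32 ]; then echo "$mem"              # 1 x memory
    elif [ "$mem" -le 64 ]; then echo $((mem / 2))        # 0.5 x memory
    else                         echo 0                   # over 64 GiB: none needed
    fi
}

# Physical memory in GiB, rounded up, from /proc/meminfo (which reports kB).
physical_mem_gib() {
    awk '/^MemTotal:/ { printf "%d\n", ($2 + 1048575) / 1048576 }' /proc/meminfo
}

# The fstab entry exactly as the guide writes it.
fstab_line() {
    printf '%s swap swap defaults 0 0\n' "$1"
}

# Append the entry only if this swap file is not listed yet, always ending
# with a newline so that a later append cannot be glued onto it.
ensure_fstab_entry() {
    fstab=$1; swapfile=$2
    if grep -qs -- "^$swapfile[[:space:]]" "$fstab"; then
        return 0
    fi
    fstab_line "$swapfile" >> "$fstab"
}

# Create, protect, format and enable the swap file, then persist it in fstab.
setup_swap() {
    swapfile=$1; size=$2
    if swapon --show=NAME --noheadings | grep -qx -- "$swapfile"; then
        echo "$swapfile is already active swap" >&2
        return 0
    fi
    if [ ! -e "$swapfile" ]; then
        # umask 077 creates the file root-only, so there is no moment between
        # fallocate and chmod in which other users could read swapped-out memory.
        ( umask 077 && fallocate -l "$size" "$swapfile" )
    fi
    chmod 600 "$swapfile"
    mkswap "$swapfile"
    swapon "$swapfile"
    cp /etc/fstab /etc/fstab.bkp
    ensure_fstab_entry /etc/fstab "$swapfile"
    swapon --show
}

# Only act when asked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = apply ]; then
    if [ -n "${3:-}" ]; then
        size=$3
    else
        mem=$(physical_mem_gib)
        rec=$(recommended_swap_gib "$mem") || rec=0
        [ "$rec" -gt 0 ] || { echo "no table entry for ${mem} GiB; pass a size" >&2; exit 1; }
        size="${rec}G"
    fi
    setup_swap "${2:-/var/swapfile}" "$size"
fi
```

Running `sudo sh swap-setup.sh apply` on the 8GiB Linode from the example creates a 12G file, the same size the guide picks by hand. If `swapon` rejects the file because it reports holes (this happens on some filesystems and older kernels with files created by fallocate), create it with `dd if=/dev/zero` instead and rerun the script, which will skip creation and continue from chmod.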

Advanced swap settings

Swappiness (vm.swappiness)

Configure swappiness

  1. Configure the swappiness value for the current state of the system

    Below is an example of the swappiness value at 30

     sudo sysctl vm.swappiness=30
    
  2. Ensure the swappiness value persists by setting it in /etc/sysctl.conf

    Add the line vm.swappiness=30 to your configuration to set it to 30 on boot.

     sudo nano /etc/sysctl.conf
    

What is swappiness

It's a common misconception that the swappiness value of a Linux system is a memory threshold at which swapping starts.

Linux splits your memory up into zones depending on your system architecture. The zones available are: DMA, DMA32, Normal memory and HighMem (896MiB+ on 32-bit systems).

A zone is attached to a node (a group of CPU cores); the kernel then allocates memory for new and existing processes from the nodes associated with a CPU.

Most modern devices only have one node.

Before I explain swappiness itself, I'll go over file pages and anonymous pages.

File pages are mappings of data read from disk. They are smart: if the data in memory no longer matches the data on disk, the kernel writes it back before freeing the page. When the data is needed again, it is simply read from disk and paged in again.

Anonymous pages are memory mappings which are not associated with files or devices. They can be requested on the fly, for software or for things like the call stack or heap/free store; practical examples are running applications that require more memory, or hypervisors.

As we increase our swappiness, the priority given to swapping out anonymous pages increases while that of file pages decreases. With swappiness at 100, anonymous and file pages have the same priority.

Think of the file priority of swappiness as how willing the kernel is to free up file pages (pages holding data that can easily be retrieved, since it can be read from disk again, but which must be written back if altered), and the anonymous priority as how willing it is to give up anonymous pages (usually memory allocated to our applications).

The swappiness value therefore represents how willing the kernel is to move pages out to our swap space rather than reclaim file pages.

Using sysctl we can experiment with our swappiness value, and see what performs better for our environment.

Cache Pressure (vm.vfs_cache_pressure)

Configure cache pressure

  1. Configure the cache pressure value for the current state of the system

    Below is an example of the cache pressure value at 100

     sudo sysctl vm.vfs_cache_pressure=100
    
  2. Ensure the cache pressure value persists by setting it in /etc/sysctl.conf

    Add the line vm.vfs_cache_pressure=100 to your configuration to set it to 100 on boot.

     sudo nano /etc/sysctl.conf
    
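Both the swappiness and the cache pressure procedures above end with editing /etc/sysctl.conf by hand. As an added example (not part of the original guide), here is a POSIX sh script that does that edit idempotently, replacing an existing line for the key rather than appending a duplicate, and then applies the value live with sysctl. The script name vm-tuning.sh and the `apply` argument are this example's own conventions; the two values are the ones the guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: persists a sysctl setting by
# rewriting (or appending) its line in a sysctl file, then applies it live.
# Usage (as root): sudo sh vm-tuning.sh apply [/etc/sysctl.conf]
set -eu

# Value of a key as the kernel currently sees it (what `sysctl -n` reads).
current_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
}

# Value of a key in a sysctl file (last occurrence wins, as sysctl does), or
# empty if the key is not set there. Comments and "key = value" spacing are
# handled; keys are compared exactly rather than as regexes.
persisted_sysctl() {
    [ -r "$2" ] || return 0
    awk -v key="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) next
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr(line, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                last = v
            }
        }
        END { if (last != "") print last }
    ' "$2"
}

# Replace the existing line for the key in place, or append one, leaving
# every other line (including comments) exactly as it was.
set_sysctl_persist() {
    key=$1; value=$2; file=$3
    [ -e "$file" ] || : > "$file"
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "=")
            if (line !~ /^#/ && n > 0) {
                k = substr(line, 1, n - 1); sub(/[ \t]+$/, "", k)
                if (k == key) { print key " = " value; seen = 1; next }
            }
            print
        }
        END { if (!seen) print key " = " value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through, so the file keeps its owner and mode
    rm -f "$tmp"
}

# The two values used in this guide: persisted for the next boot and applied now.
apply_vm_tuning() {
    file=$1
    for setting in vm.swappiness=30 vm.vfs_cache_pressure=100; do
        set_sysctl_persist "${setting%%=*}" "${setting#*=}" "$file"
        sysctl -w "$setting"
    done
    echo "swappiness=$(current_sysctl vm.swappiness) vfs_cache_pressure=$(current_sysctl vm.vfs_cache_pressure)"
}

if [ "${1:-}" = apply ]; then
    apply_vm_tuning "${2:-/etc/sysctl.conf}"
fi
```

The file argument also accepts a drop-in such as /etc/sysctl.d/60-vm-tuning.conf, which `sysctl --system` reads at boot the same way as /etc/sysctl.conf; keeping your tuning in its own file makes it easier to see what was changed from the distribution defaults.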

What is cache pressure

The vfs_cache_pressure value controls how often the kernel reclaims memory it is using for dentries (a data structure representing a directory) and inodes (a data structure representing a file); we'll just call these 'file pages'.

Decreasing the value makes the kernel prefer to keep file pages, lowering the amount reclaimed; increasing it makes the kernel reclaim file pages more often.


---
author:
  name: Brendan Jennings
  email: jbrendan70@outlook.com
description: 'How to configure Gravitational Teleport, an SSH-over-HTTPS solution offering a more secure method of managing your SSH hosts.'
keywords: ["teleport", "gravitational teleport", "ssh", "ssh over https","management","bastion","bastion","ssh proxy"]
license: '[CC BY-ND 4.0](https://creativecommons.org/licenses/by-nd/4.0)'
published: 2021-03-11
modified_by:
  name: Brendan Jennings
title: 'How to configure Teleport in Ubuntu 20.04'
contributor:
  name: Brendan Jennings
  link: https://www.linkedin.com/in/brendan-jennings-3a2a7a199/
external_resources:
  - '[Gravitational Teleport Documentation](https://gravitational.com/teleport/docs/admin-guide/)'
---

The steps in this guide require root privileges. Be sure to run the steps below as root or with the sudo prefix. For more information on privileges, see our Users and Groups guide.

Before You Begin

  1. Familiarize yourself with our Getting Started guide and complete the steps for setting your Linode's hostname and timezone.

  2. This guide will use sudo wherever possible. Complete the sections of our Securing Your Server guide to create a standard user account, harden SSH access and remove unnecessary network services.

  3. Update your system:

    sudo apt-get update && sudo apt-get upgrade
    

What is Teleport

"Teleport is an identity-aware, multi-protocol access proxy which understands SSH, HTTPS, Kubernetes API, MySQL and PostgreSQL wire protocols."

Teleport is an open-source SSH-over-HTTPS solution which allows for a more secure and convenient approach to SSH proxy security.

Teleport provides a lovely web interface to easily access your infrastructure through web browsers as well!

How to install Teleport

  1. Install the public key from Gravitational Teleport

     curl https://deb.releases.teleport.dev/teleport-pubkey.asc | sudo apt-key add -
    
  2. Add the remote repository to your system

     sudo add-apt-repository 'deb https://deb.releases.teleport.dev/ stable main'
    
  3. Update the APT cache and install Teleport

     sudo apt update && sudo apt install teleport
    

...and like magic, we're done! Moving on from here is very simple: we can now create a configuration to customise our instance.

Configuring your Teleport cluster

  1. Create the local configuration

     sudo teleport configure | sudo tee /etc/teleport.yaml
    
  2. Modify your local configuration

    Check the documentation for more information on configuring Teleport, there's also a list and short description of some things you can configure at the end of this article!

     sudo nano /etc/teleport.yaml
    
  3. Start teleport

    Now Teleport is configured, let's go ahead and fire up the service. From there we can interact with our Teleport cluster using the tctl (Teleport Control) CLI utility.

     sudo service teleport start
    
  4. Create a new user with the teleport control tctl command

    Once that's all done, we can go ahead and use tctl to create a new user for us to interact with Teleport with. Newer Teleport versions also expect a --roles flag; check tctl users add --help for your version.

     sudo tctl users add myTeleportName --logins=myUnixUsers
    

All done! You should be able to access the web interface via https://IP:3080, after completing the registration of your account with the link provided by tctl.

You can also interact with Teleport in more detail using the CLI tools. To authenticate your client, run tsh login --proxy=IP:3080.

  1. (Optional) Join a server to the cluster

    To join a new server to the cluster we can use the tctl nodes command. This will generate an invite token and command for the new server to automatically join the cluster.

     sudo tctl nodes add --ttl=5m --roles=node,proxy
    

    We can then run the output command on the new server to join it

     sudo teleport start --roles=node,proxy --ca-pin=sha256:cluster-ca-hash --token=secret-token-value --auth-server=teleport-proxy.example.com:3080
    

Configuration

More configuration options are available for Teleport. After we've generated and opened the config, let's customise our instance!

| Category | Configuration key | Description | Type | Example | Default |
|----------|-------------------|-------------|------|---------|---------|
| teleport | nodename | An alternative name the host can be reached by; it doesn't have to be a hostname, just an identifier you want to set | String | MyServer1 | |
| teleport | data_dir | Location where Teleport stores the instance information for that instance | String | /home/teleport/data | /var/lib/teleport |
| teleport | auth_token | Token used to join a remote cluster on start | String | | |
| teleport | ca_pin | Pin used by the remote server to verify the cluster's authenticity | String | | |
| teleport | auth_servers | A list of authentication servers in the cluster | List | | |
| teleport | log | A list of logging configuration values | List | `log: {output: stderr, severity: INFO}` | |
| auth_service | enabled | Run an auth service on this server | String / Boolean | no | yes |
| auth_service | cluster_name | The name of the cluster; this is also used when signing and generating certificates, so changing it invalidates all previous certificates and keys | String | myServersInLondon | |
| auth_service | listen_addr | The IP:PORT the auth service listens on, if running | IP | 172.24.0.1:3025 | 0.0.0.0:3025 |
| auth_service | authentication.type | The default authentication method for the authentication service | String | github | local |
| auth_service | authentication.second_factor | Whether, and with which method, the server uses two-factor authentication | String | otp | |
| ssh_service | enabled | Is the SSH service enabled on this host | String / Boolean | no | yes |
| ssh_service | labels | Labels that appear on the web interface and CLI and are accessible via the API | List | `environment: production` | |
| ssh_service | commands | Labels that are set from the output of a command | List | `- name: hostname`, `command: [/usr/bin/hostname]`, `period: 1m0s`; `- name: arch`, `command: [/usr/bin/uname, -p]`, `period: 1h0m0s` | |
| proxy_service | enabled | Is the proxy service enabled on this host | String / Boolean | no | yes |
| proxy_service | listen_addr | The address the proxy service listens on | IP | 172.24.0.1:3023 | 0.0.0.0:3023 |
| proxy_service | web_listen_addr | The address the web proxy service listens on | IP | 172.24.0.1:3080 | 0.0.0.0:3080 |
| proxy_service | tunnel_listen_addr | The address the SSH tunnel proxy service listens on | IP | 172.24.0.1:3024 | 0.0.0.0:3024 |
| proxy_service | kube_listen_addr | The address the Kubernetes proxy service listens on | IP | 172.24.0.1:3026 | 0.0.0.0:3026 |
| proxy_service | public_addr | A DNS name the proxy HTTPS endpoint is accessible through | IP | teleport.example.org:3080 | |
| proxy_service | https_keypairs | Key/cert pairs used by the proxy service; they must be valid for the DNS name the server is accessed through, or the public_addr | List | `- key_file: /var/lib/teleport/webproxy_key.pem`, `cert_file: /var/lib/teleport/webproxy_cert.pem` | |
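Several of the keys in this table (ca_pin, authentication, public_addr, https_keypairs) decide whether the cluster and its clients can verify whom they are talking to. As an added example (not part of the original guide or of Teleport itself), here is a POSIX sh pre-flight check that reads a teleport.yaml and warns about the combinations that weaken that verification. The script name teleport-check.sh, the warning texts and the assumption that the relevant keys appear as single-line `key: value` entries (as `teleport configure` emits them) are this example's own; `second_factor` is the key Teleport uses under `authentication` for the two-factor setting shown in the table.

```shell
#!/bin/sh
# Added example, not part of the original guide or of Teleport itself: a
# pre-flight check of /etc/teleport.yaml for the settings from the table that
# matter most before the proxy is exposed. It is a line-oriented check of flat
# "key: value" entries, not a YAML parser, so nested or multi-line values are
# out of scope. Usage: sh teleport-check.sh /etc/teleport.yaml
set -eu

# First "key: value" line for a key anywhere in the file, with quotes and a
# trailing comment removed; empty if absent or if the value is on later lines.
yaml_scalar() {
    awk -v key="$1" -v sq="'" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) next
            if (substr(line, 1, length(key) + 1) == (key ":")) {
                v = substr(line, length(key) + 2)
                sub(/[ \t]+#.*$/, "", v); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                gsub(/"/, "", v); gsub(sq, "", v)
                print v; exit
            }
        }
    ' "$2"
}

findings=0
note() {
    echo "WARN: $*" >&2
    findings=$((findings + 1))
}

# Prints the number of findings; the exit status is non-zero when there are any.
check_teleport_config() {
    file=$1; findings=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # The file holds join tokens and may name key files: keep it root-only.
    [ -z "$(find "$file" -perm -o+r)" ] || note "$file is world-readable; chmod 600 it"

    # second_factor: off means a password alone logs a user in.
    [ "$(yaml_scalar second_factor "$file")" != off ] || note "second_factor is off: enable otp or another second factor"

    # A node joining with a token but no ca_pin cannot verify which cluster it joins.
    if [ -n "$(yaml_scalar auth_token "$file")" ] && [ -z "$(yaml_scalar ca_pin "$file")" ]; then
        note "auth_token is set without ca_pin: the joining node cannot verify the cluster's CA"
    fi

    # A public_addr without https_keypairs leaves the web proxy on a self-signed certificate.
    if [ -n "$(yaml_scalar public_addr "$file")" ] && ! grep -qs '^[[:space:]]*https_keypairs:' "$file"; then
        note "public_addr is set but https_keypairs is not: clients will see an untrusted self-signed certificate"
    fi

    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Run the check on the file named on the command line (nothing runs when sourced).
if [ -n "${1:-}" ]; then
    check_teleport_config "$1"
fi
```

Run it as `sudo sh teleport-check.sh /etc/teleport.yaml` after step 2 of the configuration section and before starting the service; each warning maps directly to one row of the table above, so the fix is a one-line edit of the key it names.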