Oct 24 2012
 
The best practice for maintaining a Linux server is to run the smallest optimal set of software. That is, there should be nothing running that isn’t being used, and ideally nothing should be installed that isn’t necessary. But the default installation will give you more than you need. The fat needs to be trimmed.

There are several good reasons for doing this:

  • Minimize resource utilization – disk space, network bandwidth, CPU time and RAM are all finite; there is no reason to waste these quantities on processes which don’t have a purpose.
  • Greater security – the fewer open ports and running processes, the fewer vulnerabilities there are likely to be on the system.
  • Easier maintenance – with less software there are fewer dependencies to worry about, less to upgrade, and patching is less problematic.
  • Elegant simplicity – management of a host is easier and cleaner if every component has its utility and nothing is extraneous.

A server freshly built from a Linux DVD – whatever distribution it is – will be automatically installed with a set of software suitable to its function. During the installation process, one selects “Basic Server” or “Desktop”, and a predetermined selection of software packages is installed accordingly. The thing to remember is that this selection is for a general case, and is rarely exactly applicable to any one host in particular. For example, if one were to select the “Web server” option for some distributions, one might by default get both Apache HTTPD and NGINX, although only one of these would probably be used at a time. It would be necessary to uninstall the extra package.

It is good practice to extend this principle of least utility with all your servers, uninstalling unnecessary packages or disabling unneeded services to create a minimal installation. Once this ideal configuration is arrived at, it should be persisted to your Kickstart configuration and closely maintained. Provisioning and configuration management with Kickstart will be the topic of a subsequent post.

The frequent difficulty for the novice administrator is that without a good amount of experience and research, there is an awful lot of installed software which needs to be understood before one can decide what to cut and what needs to be kept. This research process is a useful learning experience for understanding what makes up a running Linux system, and is definitely advisable.

Linux packages under virtualization

Virtualization is now extremely widespread as a means of better utilizing and managing server resources. But in presenting emulated hardware to a Linux operating system, rather than physical devices, there is a set of software concerned with that hardware which is rendered superfluous on a virtual machine guest. This extra software should be removed. So a virtual machine installation provides a particular case study in which the list of running services will be examined and disabled where irrelevant.

For the purposes of this discussion, I’m using CentOS 6.2, running on VMware ESXi 4.1, although much of the advice would apply equally to Xen or KVM as well. Also, RedHat and Fedora wouldn’t differ significantly from CentOS. Feel free to weigh in with your opinions in the comments. I may have overlooked things, or may be doing something you disagree with, and I’d love to hear about it.

Example Configuration

I’ve done a fresh installation from the DVD and selected “Basic Server”. My host is up and running. If I then check and see what services are running by default (searching for ‘on’ for run level 3, since this is the default multi-user run level), here is what I get:

# chkconfig --list | grep 3:on
abrt-ccpp          0:off    1:off    2:off    3:on    4:off    5:on    6:off
abrt-oops          0:off    1:off    2:off    3:on    4:off    5:on    6:off
abrtd              0:off    1:off    2:off    3:on    4:off    5:on    6:off
acpid              0:off    1:off    2:on    3:on    4:on    5:on    6:off
atd                0:off    1:off    2:off    3:on    4:on    5:on    6:off
auditd             0:off    1:off    2:on    3:on    4:on    5:on    6:off
cpuspeed           0:off    1:on    2:on    3:on    4:on    5:on    6:off
crond              0:off    1:off    2:on    3:on    4:on    5:on    6:off
haldaemon          0:off    1:off    2:off    3:on    4:on    5:on    6:off
ip6tables          0:off    1:off    2:on    3:on    4:on    5:on    6:off
iptables           0:off    1:off    2:on    3:on    4:on    5:on    6:off
irqbalance         0:off    1:off    2:off    3:on    4:on    5:on    6:off
kdump              0:off    1:off    2:off    3:on    4:on    5:on    6:off
lvm2-monitor       0:off    1:on    2:on    3:on    4:on    5:on    6:off
mdmonitor          0:off    1:off    2:on    3:on    4:on    5:on    6:off
messagebus         0:off    1:off    2:on    3:on    4:on    5:on    6:off
netfs              0:off    1:off    2:off    3:on    4:on    5:on    6:off
network            0:off    1:off    2:on    3:on    4:on    5:on    6:off
postfix            0:off    1:off    2:on    3:on    4:on    5:on    6:off
qpidd              0:off    1:off    2:on    3:on    4:on    5:on    6:off
rsyslog            0:off    1:off    2:on    3:on    4:on    5:on    6:off
sshd               0:off    1:off    2:on    3:on    4:on    5:on    6:off
sysstat            0:off    1:on    2:on    3:on    4:on    5:on    6:off
udev-post          0:off    1:on    2:on    3:on    4:on    5:on    6:off

It’s worth checking the man page for every running service to ensure you at least know what they all are, but of the above list, here’s what I would disable on a virtual machine, and why:

acpid – Power configuration interface, useful for graceful shutdown when pressing the power button; not really needed on a VMware guest
cpuspeed – Manipulates the CPU clock speed according to idle time; the hypervisor manages CPU scheduling
haldaemon – Collects hardware info; the VMware console handles all this
ip6tables – Firewall for IPv6; disable if you’re not using IPv6
irqbalance – Balances load across CPUs; the hypervisor will handle this
postfix – Mail server; unless you’re actually relaying mail, disable this. It’s not required for sending mail
sendmail – Mail server; see above
qpidd – Message queuing; if not being used, disable
lvm2-monitor – Logical volume manager monitoring; disable if you’re using regular partitions or VxVM
mdmonitor – Software RAID monitoring; possibly not required with virtual disks
messagebus – Broadcasts system events; only use if needed
netfs – NFS-related service; possibly disable if not running an NFS server
nfslock – As above
rpcgssd – As above
rpcidmapd – As above
portmap – As above
rpcbind – As above
restorecond – Monitors files for correct SELinux context; disable if not using SELinux

There may be quite a few other services that appear in your installation, particularly if you’re using an older version of CentOS/Fedora, or if you installed different groups of packages. The gist of all this is that it’s important to be familiar with what you’re running, what it does, and why it’s there. And then disable the rest.

To stop and disable these services, one would execute:

  # service SERVICENAME stop
  # chkconfig SERVICENAME off

Or better, remove it from the service list with:

  # chkconfig --del SERVICENAME

You could also use “rpm” or “yum” (or “apt-get”) to uninstall the software completely, although I’m often loath to do so unless I’m certain there are no dependencies to worry about.

Other services to cut

Depending on your distribution or the package groups you’ve installed, you may have other services running that aren’t in this list. In the past, I’ve always tended to disable these as well, where I find them:

cups – Printer daemon; only use if managing printers *
bluetooth, hidd – Bluetooth; not needed on a server
avahi-daemon – Zeroconf networking; not really needed on a server
iscsi – iSCSI daemon; VMs would generally have disk devices presented natively
firstboot – Runs some initialization on the first boot, then never needed
pcscd – Smart card daemon
xfs – Font server; not really needed when not using X
smartd – Monitors disk devices; again, not usually needed on a VM guest
ntpd – NTP daemon; if the VM agent software is synchronising time, then disable it

* Seriously, write in the comments if you’ve ever used cups on a server (not a desktop). I don’t remember the last time I handled paper in this job.
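As an added example (my own script, not code from the original post), the following POSIX sh audits `chkconfig --list` output against the two lists of services above and prints the stop/disable commands from the post for review rather than running them. The function names `vm_disable_candidates` and `plan_disable_commands` are my own, and the sample chkconfig output is constructed.

```shell
#!/bin/sh
# Added example: audit `chkconfig --list` output against the services this post
# recommends disabling on a virtual machine guest, and print the stop/disable
# commands for review before any of them is executed.

# Services the post lists as candidates for disabling on a VMware guest.
VM_DISABLE="acpid cpuspeed haldaemon ip6tables irqbalance postfix sendmail qpidd
lvm2-monitor mdmonitor messagebus netfs nfslock rpcgssd rpcidmapd portmap rpcbind
restorecond cups bluetooth hidd avahi-daemon iscsi firstboot pcscd xfs smartd"

# Constructed sample in the CentOS 6 `chkconfig --list` format (not a live capture).
SAMPLE_CHKCONFIG='acpid     0:off 1:off 2:on  3:on  4:on  5:on  6:off
auditd    0:off 1:off 2:on  3:on  4:on  5:on  6:off
cpuspeed  0:off 1:on  2:on  3:on  4:on  5:on  6:off
haldaemon 0:off 1:off 2:off 3:on  4:on  5:on  6:off
sshd      0:off 1:off 2:on  3:on  4:on  5:on  6:off
xfs       0:off 1:off 2:off 3:off 4:off 5:off 6:off'

# Print, one per line, the services from $VM_DISABLE that are "on" at run level 3
# in the chkconfig output passed as $1. Anything not in the list (sshd, auditd,
# crond, ...) is never reported, so the output is a review list, not a kill list.
vm_disable_candidates() {
    printf '%s\n' "$1" | awk -v list="$VM_DISABLE" '
        BEGIN { n = split(list, a, "[ \n]+"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { for (i = 2; i <= NF; i++) if ($i == "3:on") { print $1; break } }'
}

# Emit the stop/disable commands used in the post for every candidate. Nothing is
# executed here; the output can be read, pruned, and only then piped to sh as root.
plan_disable_commands() {
    vm_disable_candidates "$1" | while read -r svc; do
        printf 'service %s stop\nchkconfig %s off\n' "$svc" "$svc"
    done
}

# Usage on a live CentOS 6 host: plan_disable_commands "$(chkconfig --list)"
```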

To further secure things, it’s a good idea to run netstat and take note of any listening ports and the services listening on them:

# netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7729/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1239/sshd

On this server there’s only SSH and HTTPD listening. Given that it’s a webserver, this is as expected. If, for example, port 25 were being listened on, this would indicate a mail server was present, and I’d probably want to disable this and segregate the mail function elsewhere to a dedicated server.
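To turn that check into something repeatable, here is an added example (my own, not from the original post) that parses `netstat -nlp` output and reports every listener whose port is not on the host’s expected list. The function names `listening_sockets` and `unexpected_listeners` are my own; the sample netstat output is constructed, with a port 25 line added to show what an unexpected listener looks like.

```shell
#!/bin/sh
# Added example: compare the listening sockets reported by `netstat -nlp` with the
# ports this webserver is supposed to expose, and report anything else.

# Ports the webserver in the post is expected to listen on: SSH and HTTP.
EXPECTED_PORTS="22 80"

# Constructed sample of `netstat -nlp` output (not a live capture). The port 25 and
# port 68 lines are added to show what unexpected listeners look like.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7729/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1239/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1402/master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1010/dhclient'

# Print "port program" for every tcp/udp socket in the netstat output passed as $1.
# UDP lines have no State column, so the program name is taken from the last field.
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4; sub(/.*:/, "", port)          # drop the address, keep the port
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the PID, keep the program
            print port, prog
        }'
}

# Print only listeners whose port is not in $EXPECTED_PORTS. Each one either needs a
# documented reason to exist or should be stopped, disabled, and moved elsewhere.
unexpected_listeners() {
    listening_sockets "$1" | awk -v ok="$EXPECTED_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        !($1 in allow) { print }'
}

# Usage on a live host (as root, so program names are shown): unexpected_listeners "$(netstat -nlp)"
```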

Again, all of these changes should be formalised into a stable Kickstart, Jumpstart or Cobbler configuration in order to be assured of consistent and secure builds.

Linux system administration is an active process which requires attention, research, documentation and discipline. It’s no longer adequate to choose defaults and hope for the best. The suggestions I’ve made here may be incorrect for your environment or your distribution, but it’s important to work out what software you need to have installed, document that, and rigorously adhere to your plan.



Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.

He lives and works in London.

  One Response to “Trimming the excess from a virtual machine”

  1. Just a small note: ntpd is most of the time needed on a virtual machine, VMware even recommends it over their method of syncing the time of a VM.
