Ubuntu debloat - hpaluch/hpaluch.github.io GitHub Wiki
Ubuntu LTS debloat
Here is what I do with every Ubuntu 22.04 LTS VM after installation:
- Most important: comment out all `pam_motd` lines in `/etc/pam.d/login` and `/etc/pam.d/sshd`. Example from `/etc/pam.d/login`:

  ```
  # comment out garbage below: it runs bloat from /etc/update-motd.d/ on EVERY LOGIN!
  #session optional pam_motd.so motd=/run/motd.dynamic
  #session optional pam_motd.so noupdate
  ```
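As an added example (not part of the original wiki page), here is a small POSIX shell script that does the manual edit above in a repeatable way: it comments out every still-active `pam_motd` line in a PAM service file and gives you a check to run afterwards. It works on a constructed copy of the stock Ubuntu 22.04 `/etc/pam.d/login` content in a temporary file, so it is safe to run as-is; the function names `pam_motd_active` and `pam_motd_disable` are my own.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Disables pam_motd in a PAM
# service file the same way the manual edit above does, but idempotently and
# with a check you can run afterwards. Works on a temporary, constructed copy
# of /etc/pam.d/login; run the functions against the real files as root once
# you trust them.
set -e
export LC_ALL=C

# Number of pam_motd entries PAM would still execute (i.e. not commented out).
# grep -c exits 1 when the count is 0, so swallow that status.
pam_motd_active() {
    grep -cE '^[[:space:]]*session[[:space:]].*pam_motd\.so' "$1" || true
}

# Prefix every active pam_motd line with '#'. The pattern is anchored at a
# leading 'session', so lines that already start with '#' are not touched and
# running this twice does not produce '##session'.
pam_motd_disable() {
    sed -i -E 's/^([[:space:]]*session[[:space:]].*pam_motd\.so.*)$/#\1/' "$1"
}

# Constructed excerpt mirroring the stock Ubuntu 22.04 /etc/pam.d/login.
PAMFILE="${TMPDIR:-/tmp}/pam-login.$$"
trap 'rm -f "$PAMFILE"' EXIT
cat >"$PAMFILE" <<'EOF'
# Standard Un*x account and session checks.
session    required   pam_env.so readenv=1
# Prints the message of the day upon successful login.
session    optional   pam_motd.so motd=/run/motd.dynamic
session    optional   pam_motd.so noupdate
# Prints the status of the user's mailbox upon successful login.
session    optional   pam_mail.so standard
EOF

echo "active pam_motd lines before: $(pam_motd_active "$PAMFILE")"
pam_motd_disable "$PAMFILE"
echo "active pam_motd lines after:  $(pam_motd_active "$PAMFILE")"
cat "$PAMFILE"
```

Run `pam_motd_disable /etc/pam.d/login` and `pam_motd_disable /etc/pam.d/sshd` as root, then confirm that `pam_motd_active` prints `0` for both files; the next console or SSH login should no longer execute the scripts in `/etc/update-motd.d/`.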
- uninstall packages I consider useless - WITHOUT ANY WARRANTY (review the list against your own needs first):

  ```sh
  # NOTE: apt forgets to stop unattended-upgrades, causing failure to remove it, so we must stop it ourselves
  sudo systemctl stop unattended-upgrades
  sudo apt-get purge snapd pollinate unattended-upgrades apport apport-symptoms bolt needrestart wireless-regdb
  sudo apt-get purge lxd-agent-loader modemmanager motd-news-config multipath-tools 'packagekit*' open-iscsi
  sudo apt-get purge update-notifier-common sosreport libx11-6 fwupd fwupd-signed irqbalance
  # if you are not using a public cloud:
  sudo apt-get purge 'cloud-*'
  # if you are not using encrypted partitions:
  sudo apt-get purge 'cryptsetup*'
  # when using Linux as a VM (no firmware needed):
  # NOTE: this also removes some metapackages (but they are not strictly needed)
  sudo apt-get purge linux-firmware '*-microcode' firmware-sof-signed
  # when running under KVM:
  sudo apt-get purge open-vm-tools && sudo apt-get install qemu-guest-agent
  ```
  (the wildcard arguments are quoted so the shell does not expand them against files in the current directory; apt-get then treats them as patterns)
- NOTE: `pollinate` is a lesser-known phone-home tool: on every boot it contacts Canonical's entropy server, sending OS and kernel version details (a privacy concern) and seeding the kernel's random pool with entropy fetched from that server (a security concern):
  - see https://chasersystems.com/blog/entropy.ubuntu.com-giveth-and-taketh-away/
  - and also (linked from the above site): https://www.metzdowd.com/pipermail/cryptography/2016-November/030869.html - it references an absurd patch "to detect 'abuse'" - abuse from Canonical(?)
- ensure that the main bloat is not installed again: create the file `/etc/apt/preferences.d/block_bloat.pref` with this content (see https://askubuntu.com/questions/75895/how-to-forbid-a-specific-package-to-be-installed):

  ```
  Package: snapd pollinate unattended-upgrades apport apport-symptoms bolt needrestart
  Pin: release *
  Pin-Priority: -1

  Package: cloud-guest-utils cloud-init cloud-initramfs-copymods cloud-initramfs-dyn-netconf
  Pin: release *
  Pin-Priority: -1
  ```
  A negative priority means apt will never install the package; `apt-cache policy snapd` should now show `Candidate: (none)`.
- now remove dependencies that are no longer needed:

  ```sh
  sudo apt-get autoremove --purge
  ```
- disable resume from swap (the initramfs otherwise looks for a hibernation image on every boot):

  ```sh
  echo "RESUME=none" | sudo tee /etc/initramfs-tools/conf.d/noresume.conf
  sudo update-initramfs -u
  ```
- disable systemd timers:

  ```sh
  sudo systemctl list-timers
  sudo systemctl mask motd-news.timer apt-daily.timer fwupd-refresh.timer \
      dpkg-db-backup.timer apt-daily-upgrade.timer man-db.timer e2scrub_all.timer fstrim.timer
  ```
  - NOTE: masking `apt-daily.timer` and `apt-daily-upgrade.timer` means package lists are no longer refreshed and security updates are no longer applied automatically; you have to run `apt-get update && apt-get upgrade` yourself on a schedule.
  - NOTE: You should always keep `systemd-tmpfiles-clean.timer` - it is an important job that manages directories under the `/run/` tmpfs (!)
Optional: stop the annoying "predictable" renaming of network interface(s), i.e. get `eth0` back instead of `enp0s3`-style names:

- append `net.ifnames=0` to `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, full example (with other options I use):

  ```
  GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 mitigations=off video=Virtual-1:800x600"
  # Uncomment to disable graphical terminal (grub-pc only)
  GRUB_TERMINAL=console
  ```
  - CAVEAT: `mitigations=off` disables the kernel's Spectre/Meltdown-class CPU vulnerability mitigations in exchange for some performance; leave it out on any VM that runs untrusted code or shares a host with other tenants.
- update `/boot/grub/grub.cfg` with: `sudo update-grub`
- rename the interface from `enXXX` to `eth0` in `/etc/netplan/00-installer-config.yaml`, here is example content:

  ```yaml
  network:
    ethernets:
      eth0:
        dhcp4: true
    version: 2
  ```
- run `sudo netplan --debug generate`
- reboot with `sudo reboot`
- as a bonus you can extend `/etc/issue` to show the assigned IP address on the local console:

  ```sh
  echo 'IP: eth0: \4{eth0}' | sudo tee -a /etc/issue
  ```
Optional: here is additional stuff I find useful:

```sh
# sysstat - provides useful programs: pidstat, iostat, ...
# vim - installs "vim.basic"
sudo apt-get install curl wget mc lynx vim man sysstat
# set vim as default editor
sudo update-alternatives --list editor
sudo update-alternatives --set editor /usr/bin/vim.basic
```
- note: sometimes you have to uncomment `set background=dark` in `/etc/vim/vimrc` to get bright foreground colors on a dark background (but sometimes it works right away).
Optional: use a readable font on the local console:
- here is the diff:
diff -u /etc/default/console-setup{.orig,} --- /etc/default/console-setup.orig 2023-12-08 08:16:43.525637124 +0000 +++ /etc/default/console-setup 2023-12-08 08:16:51.002016081 +0000 @@ -7,7 +7,7 @@ CHARMAP="UTF-8" CODESET="guess" -FONTFACE="Fixed" +FONTFACE="VGA" FONTSIZE="8x16" VIDEOMODE=
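Review bot: the hunk changes `FONTFACE` from `Fixed` to `VGA` but nothing shows the setting being applied; `/etc/default/console-setup` is only read when `setupcon` runs, so add `sudo setupcon` (or `sudo dpkg-reconfigure console-setup`) after the edit, otherwise the new font appears only after the next boot. Keeping `FONTSIZE="8x16"` is fine here, since the VGA face ships in that size; other faces do not offer every size, so check `/usr/share/consolefonts/` before combining a different `FONTFACE` with this `FONTSIZE`.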
Privacy test

I have configured a NAT network in Proxmox VE and dnsmasq to log DNS queries (see Proxmox in Azure or PVE Proxmox Tips for configuration details).

I then stored the log with `journalctl -u dnsmasq > ~/ubuntu23-some.log` and scanned it for DNS queries using something like:

```sh
fgrep 'query[A]' ubuntu23-some.log | awk '{ print $7 }' | sort -u
```
NOTE: There are still at least 3 ways to evade this list:
- using direct connection to IP address
- using DNS over https (DoH)
- using any kind of tunnel to connect to other servers
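The `fgrep 'query[A]'` one-liner above only sees A lookups, and, as noted further down, a CNAME answer means the FQDN actually contacted differs from the one queried. As an added example (not part of the original wiki page), here is a POSIX shell script that summarises a dnsmasq log as captured with `journalctl -u dnsmasq`: every record type is kept, each name is counted so periodic phone-home lookups stand out, and names answered with a CNAME are listed separately. The log lines are constructed in dnsmasq's real format; the hostnames besides the Ubuntu ones, the addresses and the function names (`dns_queries`, `dns_names`, `dns_counts`, `dns_cnames`) are my own.

```shell
#!/bin/sh
# Added example, not from the original wiki page. Summarises which names a VM
# looked up from a dnsmasq query log captured with `journalctl -u dnsmasq`.
# Unlike `fgrep 'query[A]' | awk '{print $7}'` it keeps every record type
# (AAAA, HTTPS, PTR, ...), counts how often each name was asked for so
# periodic phone-home traffic stands out, and lists names answered with a
# CNAME, whose real target hides behind a different FQDN.
set -e
export LC_ALL=C

# Constructed sample in dnsmasq's real log format (journalctl prefix, then
# "query[TYPE] name from client" / "reply name is answer"); the client and
# answer addresses and the CNAME target are made up.
LOG="${TMPDIR:-/tmp}/dnsmasq-sample.$$.log"
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
Dec 08 08:16:43 pve dnsmasq[912]: query[A] connectivity-check.ubuntu.com from 10.99.0.10
Dec 08 08:16:43 pve dnsmasq[912]: forwarded connectivity-check.ubuntu.com to 10.99.0.1
Dec 08 08:16:43 pve dnsmasq[912]: reply connectivity-check.ubuntu.com is <CNAME>
Dec 08 08:16:43 pve dnsmasq[912]: reply cdn-target.example.net is 192.0.2.10
Dec 08 08:16:44 pve dnsmasq[912]: query[AAAA] api.snapcraft.io from 10.99.0.10
Dec 08 08:16:44 pve dnsmasq[912]: query[A] api.snapcraft.io from 10.99.0.10
Dec 08 08:16:44 pve dnsmasq[912]: reply api.snapcraft.io is 192.0.2.20
Dec 08 08:18:13 pve dnsmasq[912]: query[A] connectivity-check.ubuntu.com from 10.99.0.10
Dec 08 08:19:43 pve dnsmasq[912]: query[A] connectivity-check.ubuntu.com from 10.99.0.10
Dec 08 08:20:01 pve dnsmasq[912]: query[PTR] 10.0.99.10.in-addr.arpa from 10.99.0.10
EOF

# "TYPE name client" for every query line, whatever the record type.
# Field 6 is "query[TYPE]", 7 the name, 9 the client address.
dns_queries() {
    awk '$6 ~ /^query\[[A-Z]+\]$/ {
            t = $6; sub(/^query\[/, "", t); sub(/\]$/, "", t)
            print t, $7, $9
         }' "$1"
}

# Unique forward names queried (reverse lookups under .arpa dropped), sorted.
dns_names() {
    dns_queries "$1" | awk '$2 !~ /\.arpa$/ { print $2 }' | sort -u
}

# Query count per forward name, most frequent first: a lookup repeated every
# 90 seconds is the top entry of any longer capture.
dns_counts() {
    dns_queries "$1" | awk '$2 !~ /\.arpa$/ { print $2 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Names dnsmasq answered with a CNAME: the host actually contacted is the
# CNAME target, which the query list alone never shows.
dns_cnames() {
    awk '$6 == "reply" && $9 == "<CNAME>" { print $7 }' "$1" | sort -u
}

echo "== queries per name =="; dns_counts "$LOG"
echo "== answered with CNAME =="; dns_cnames "$LOG"
```

Point `dns_counts` and `dns_cnames` at the real `~/ubuntu23-some.log` to reproduce the lists below; the CNAME list tells you which names to follow up with the `reply ... is` lines that immediately follow them.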
But let's see the results just for a default Ubuntu 23.10 installation (from ubuntu-23.10.1-desktop-amd64.iso):

```
api.snapcraft.io
connectivity-check.ubuntu.com
cz.archive.ubuntu.com
geoip.ubuntu.com
location.services.mozilla.com
motd.ubuntu.com
ntp.ubuntu.com
security.ubuntu.com
```
Additional notes:
- the `connectivity-check.ubuntu.com` DNS request is sent every 90 seconds (!) - when the record is a CNAME the real FQDN may be different each time (not shown here)
- please also note that the installation screen says that Ubuntu is both "private" and "secure"
NOTE: After a reboot the GUI did not come up (frozen on the gdm startup service). The second boot worked without issues, and here is the list of DNS A queries:

```
api.snapcraft.io
changelogs.ubuntu.com
connectivity-check.ubuntu.com
dashboard.snapcraft.io
location.services.mozilla.com
metrics.ubuntu.com
ntp.ubuntu.com
```

Notice these new queries:

```
changelogs.ubuntu.com
dashboard.snapcraft.io
metrics.ubuntu.com
```
Summary

After so much suffering, why do I still use Ubuntu LTS?
- Because it is the last freely available LTS Linux distribution (you know what happened to CentOS, and you likely know that, for example, Debian is actually a rolling distribution - comparable to CentOS in that regard). Note: openSUSE LEAP is NOT LTS - you have to upgrade every year. Additionally, SUSE wants to kill LEAP (at the end of 2025) and replace it with read-only container nonsense called ALP.
- also OpenStack uses Ubuntu LTS as its reference platform.