Ubuntu debloat - hpaluch/hpaluch.github.io GitHub Wiki

Ubuntu LTS debloat

Here is what I do with every Ubuntu 22.04 LTS VM after installation:

  • Most important: comment out all pam_motd lines in:

    • /etc/pam.d/login
    • /etc/pam.d/sshd
    • example from /etc/pam.d/login:
      # comment out garbage below: it runs bloat from /etc/update-motd.d/ on EVERY LOGIN!
      #session    optional   pam_motd.so motd=/run/motd.dynamic
      #session    optional   pam_motd.so noupdate
      
  • uninstall useless crap - WITHOUT ANY WARRANTY:

    # NOTE: apt forgets to stop unattended-upgrades, which makes its removal fail, so we must stop it ourselves
    sudo systemctl stop unattended-upgrades
    sudo apt-get purge snapd pollinate unattended-upgrades apport apport-symptoms bolt needrestart wireless-regdb
    sudo apt-get purge lxd-agent-loader modemmanager motd-news-config multipath-tools packagekit\* open-iscsi
    sudo apt-get purge update-notifier-common sosreport libx11-6 fwupd fwupd-signed irqbalance
    # if you are not using a public cloud:
    sudo apt-get purge cloud-\*
    # if you are not using encrypted partitions:
    sudo apt-get purge cryptsetup\*
    # when running Linux as a VM (no firmware needed):
    # NOTE: This also removes some metapackages (but they are not strictly needed)
    sudo apt-get purge linux-firmware \*-microcode firmware-sof-signed
    # when running under KVM:
    sudo apt-get purge open-vm-tools && sudo apt-get install qemu-guest-agent
    
  • ensure that the main bloat is not installed again (an apt pin file, e.g. under /etc/apt/preferences.d/):

    Package: snapd pollinate unattended-upgrades apport apport-symptoms bolt needrestart
    Pin: release *
    Pin-Priority: -1
    
    Package: cloud-guest-utils cloud-init cloud-initramfs-copymods cloud-initramfs-dyn-netconf
    Pin: release *
    Pin-Priority: -1
    
  • now remove the no longer needed dependencies:

    sudo apt-get autoremove --purge
    
  • disable resume on swap:

    echo "RESUME=none" | sudo tee /etc/initramfs-tools/conf.d/noresume.conf
    sudo update-initramfs -u
    
  • disable systemd timers:

    sudo systemctl list-timers
    sudo systemctl mask motd-news.timer apt-daily.timer fwupd-refresh.timer \
          dpkg-db-backup.timer apt-daily-upgrade.timer man-db.timer e2scrub_all.timer fstrim.timer
    
    • NOTE: You should always keep systemd-tmpfiles-clean.timer; it is an important job that manages directories under the ramdisk /run/ location (!)
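The steps above gathered into one re-runnable script, as an added example (this is not code from the wiki page). Package and timer names are the page's own; the pin file name /etc/apt/preferences.d/99-debloat and the DRY_RUN, PIN_FILE and PAM_FILES variables are my assumptions. With DRY_RUN=1 it only prints the privileged commands, so it can be previewed as an unprivileged user; run it as root with the argument apply to do the work.

```sh
#!/bin/sh
# Added example, not code from the wiki page: the debloat steps collected into
# one idempotent script. Package and timer names are the page's own; the pin
# file path and the DRY_RUN/PIN_FILE/PAM_FILES variables are my assumptions.
set -u

BLOAT="snapd pollinate unattended-upgrades apport apport-symptoms bolt needrestart"
CLOUD="cloud-guest-utils cloud-init cloud-initramfs-copymods cloud-initramfs-dyn-netconf"
TIMERS="motd-news.timer apt-daily.timer fwupd-refresh.timer dpkg-db-backup.timer"
TIMERS="$TIMERS apt-daily-upgrade.timer man-db.timer e2scrub_all.timer fstrim.timer"
PIN_FILE="${PIN_FILE:-/etc/apt/preferences.d/99-debloat}"
PAM_FILES="${PAM_FILES:-/etc/pam.d/login /etc/pam.d/sshd}"

# Run a privileged command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Print an apt preferences stanza pinning every package in $1 to priority -1,
# which makes apt refuse to (re)install them, even as a dependency.
pin_stanza() {
  printf 'Package: %s\nPin: release *\nPin-Priority: -1\n' "$1"
}

# Comment out the active pam_motd lines in the PAM file $1 (a .orig backup is
# kept). Lines that already start with '#' do not match, so re-running is safe.
disable_pam_motd() {
  sed -i.orig '/^[[:space:]]*session[[:space:]].*pam_motd\.so/s/^/#/' "$1"
}

# Number of still-active pam_motd lines in $1 (0 means the MOTD hook is off).
active_pam_motd_lines() {
  grep -c '^[[:space:]]*session[[:space:]].*pam_motd\.so' "$1" || true
}

debloat() {
  for f in $PAM_FILES; do
    [ -f "$f" ] && disable_pam_motd "$f"
  done
  # apt does not stop unattended-upgrades itself, so the purge would fail.
  run systemctl stop unattended-upgrades
  run apt-get -y purge $BLOAT
  # pin the purged packages so a later install cannot pull them back in
  { pin_stanza "$BLOAT"; echo; pin_stanza "$CLOUD"; } > "$PIN_FILE"
  run apt-get -y autoremove --purge
  run systemctl mask $TIMERS
}

# Entry point: `sh debloat.sh apply` does the work; without the argument the
# file only defines the functions above.
if [ "${1:-}" = "apply" ]; then debloat; fi
```

The pin file is written directly rather than through run() because it is the one step whose result can be inspected afterwards with apt-cache policy; everything that changes package or unit state goes through run() so the dry run lists exactly what would be executed.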

Optional: stop insane renaming of network interface(s):

  • append net.ifnames=0 to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub; full example (with other options):
    GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 mitigations=off video=Virtual-1:800x600"
    # Uncomment to disable graphical terminal (grub-pc only)
    GRUB_TERMINAL=console
    
  • update /boot/grub/grub.cfg with:
    sudo update-grub
    
  • rename interface from enXXX to eth0 in /etc/netplan/00-installer-config.yaml
  • here is example content:
    network:
      ethernets:
        eth0:
          dhcp4: true
      version: 2
    
  • run sudo netplan --debug generate
  • reboot with sudo reboot
  • as a bonus you can extend /etc/issue to show the assigned IP address on the local console:
    echo 'IP: eth0: \4{eth0}' | sudo tee -a /etc/issue
    

Optional: here is additional stuff I find useful:

# sysstat - provides useful programs: pidstat, iostat,...
# vim installs the "vim.basic" variant
sudo apt-get install curl wget mc lynx vim man sysstat
# set vim as default editor
sudo update-alternatives --list editor
sudo update-alternatives --set editor /usr/bin/vim.basic
  • note: sometimes you have to uncomment set background=dark in /etc/vim/vimrc to get bright foreground colors on dark background (but sometimes it works right away).

Optional: use readable fonts on local console:

  • here is the diff:
    diff -u /etc/default/console-setup{.orig,}
    --- /etc/default/console-setup.orig	2023-12-08 08:16:43.525637124 +0000
    +++ /etc/default/console-setup	2023-12-08 08:16:51.002016081 +0000
    @@ -7,7 +7,7 @@
     CHARMAP="UTF-8"
     
     CODESET="guess"
    -FONTFACE="Fixed"
    +FONTFACE="VGA"
     FONTSIZE="8x16"
     
     VIDEOMODE=
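Review bot: nothing in this hunk applies the new FONTFACE; after editing /etc/default/console-setup the change only takes effect on the next `sudo setupcon` (or reboot), so that step belongs next to the diff. Also, the VGA face is shipped under /usr/share/consolefonts only for some code sets, and CODESET="guess" is left unchanged here, so it is worth confirming that a VGA 8x16 font exists for the code set console-setup guesses before relying on this line.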
    

Privacy test

I have configured a NAT network in Proxmox VE and dnsmasq to log DNS queries (see Proxmox in Azure or PVE Proxmox Tips for configuration details).

I then saved the log with journalctl -u dnsmasq > ~/ubuntu23-some.log and scanned it for DNS queries using something like:

fgrep 'query[A]' ubuntu23-some.log | awk '{ print $7 }' | sort -u

NOTE: There are still at least 3 ways to evade this list:

  • using a direct connection to an IP address
  • using DNS over HTTPS (DoH)
  • using any kind of tunnel to connect to other servers

But let's see the results for a default Ubuntu 23.10 installation from ubuntu-23.10.1-desktop-amd64.iso:

api.snapcraft.io
connectivity-check.ubuntu.com
cz.archive.ubuntu.com
geoip.ubuntu.com
location.services.mozilla.com
motd.ubuntu.com
ntp.ubuntu.com
security.ubuntu.com

Additional notes:

  • the connectivity-check.ubuntu.com DNS request is sent every 90 seconds(!)
  • when the record is a CNAME, the real FQDN may differ each time (not shown here)
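The scan command above, plus per-name counts and the query spacing that exposes the 90-second connectivity check, as an added example (not code from the wiki page). The journal lines written by make_sample_log are constructed to mimic `journalctl -u dnsmasq` output with query logging enabled; the host name, PID, client address 10.10.0.5 and upstream 192.0.2.1 are invented, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the wiki page: the "sort -u" scan as reusable
# functions, plus per-name counts and inter-query intervals. The sample journal
# below is constructed; host, PID and addresses are invented.
LC_ALL=C; export LC_ALL

# Write the constructed sample journal to the file named in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
Dec 08 08:16:43 pve dnsmasq[812]: query[A] connectivity-check.ubuntu.com from 10.10.0.5
Dec 08 08:16:43 pve dnsmasq[812]: forwarded connectivity-check.ubuntu.com to 192.0.2.1
Dec 08 08:16:44 pve dnsmasq[812]: query[A] api.snapcraft.io from 10.10.0.5
Dec 08 08:16:44 pve dnsmasq[812]: query[AAAA] api.snapcraft.io from 10.10.0.5
Dec 08 08:18:13 pve dnsmasq[812]: query[A] connectivity-check.ubuntu.com from 10.10.0.5
Dec 08 08:19:43 pve dnsmasq[812]: query[A] connectivity-check.ubuntu.com from 10.10.0.5
Dec 08 08:19:50 pve dnsmasq[812]: query[A] motd.ubuntu.com from 10.10.0.5
EOF
}

# Sorted unique names queried with record type $2 (default A). Field 7 is the
# name because journalctl prefixes "Mon DD HH:MM:SS host dnsmasq[pid]:".
unique_queries() {
  grep -F "query[${2:-A}]" "$1" | awk '{ print $7 }' | sort -u
}

# "count name" per queried name, most frequent first: periodic callers such as
# connectivity-check.ubuntu.com float to the top.
query_counts() {
  grep -F 'query[' "$1" | awk '{ print $7 }' | sort | uniq -c | sort -rn
}

# Seconds between consecutive A queries for name $2, one value per line
# (same-day timestamps only; a midnight rollover is not handled).
query_intervals() {
  grep -F "query[A] $2 " "$1" | awk '{
    split($3, t, ":"); s = t[1] * 3600 + t[2] * 60 + t[3]
    if (NR > 1) print s - prev
    prev = s }'
}

# Demo: reproduce the page's listing and show the 90 s connectivity-check period.
log=$(mktemp)
make_sample_log "$log"
unique_queries "$log"
query_intervals "$log" connectivity-check.ubuntu.com
rm -f "$log"
```

On a real VM replace make_sample_log with `journalctl -u dnsmasq > file` and point the functions at that file; the LC_ALL=C export keeps the sort order byte-wise so the listing is stable across locales.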

Please also note that the installation screen says that Ubuntu is both "private" and "secure".

NOTE: After a reboot the GUI did not come up (frozen on the gdm startup service). The second boot worked without issues, and here is the list of DNS A queries:

api.snapcraft.io
changelogs.ubuntu.com
connectivity-check.ubuntu.com
dashboard.snapcraft.io
location.services.mozilla.com
metrics.ubuntu.com
ntp.ubuntu.com

Notice these new queries:

  • changelogs.ubuntu.com
  • dashboard.snapcraft.io
  • metrics.ubuntu.com

Summary

After so much suffering, why do I still use Ubuntu LTS?

  • Because it is the last freely available LTS Linux distribution (you know what happened to CentOS, and you likely know that, for example, Debian is actually a rolling distribution, comparable to CentOS in that regard). Note: openSUSE LEAP is NOT LTS; you have to upgrade every year. Additionally, SUSE wants to kill LEAP (at the end of 2025) and replace it with read-only container nonsense called ALP.
  • also OpenStack uses Ubuntu LTS as its reference platform.