Ubuntu Server: Good Concept, Flawed Execution

We didn’t quite finish up our server kernel vs. desktop kernel comparison, so today we’ll wrap
that up. We’ll also dig into the included services in Ubuntu Server, marvel at a couple of
interesting blunders, and decide what this thing is good for, anyway: fueling the tireless
Canonical hype machine, or something actually useful?

CPU Families

The server kernel uses CONFIG_M686=y, and the desktop kernel gets
CONFIG_M586=y. This means that the server kernel is optimized for Pentium Pro instruction sets,
and the desktop kernel for the entire 586 and 686 CPU families. This isn’t hugely significant,
as even a generic 486 kernel will run on modern computers. If you’re into compiling your own
kernels, the one change you can make that might actually improve performance is to choose the
CPU option that matches your own CPU. That way you’ll get full support for the instruction set
for your CPU.

Leaky IPC Namespaces

Before virtualization became all the rage, there was a single
set of Inter-Process Communications (IPC) objects (shared memory segments, message queues, and
semaphores) that the kernel used for everything. But virtual environments need to keep their own
IPCs confined inside their own containers; can’t have them leaking out all over the place. So
IPC namespaces, or virtualized IPC, were invented. This is enabled in the server kernel
(CONFIG_IPC_NS=y, CONFIG_UTS_NS=y) and not in the desktop kernel. Does this mean virtual
environments are leaky and insecure on the desktop kernel? It seems so; perhaps some smart
person will tell us for certain.

The final difference of note is the server kernel supports multiple IPv6 routing tables,
which the desktop kernel does not.
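
To repeat the comparison from the CPU Families and IPC namespace sections on your own kernels, the following added example (not part of the original article) diffs two kernel config files option by option. The function name kconfig_diff and the sample contents are constructed for illustration; an option missing from a file is treated the same as "is not set".

```shell
#!/bin/sh
# Constructed excerpts standing in for the server and desktop kernel configs
# (on a real system: /boot/config-<version>). CONFIG_SMP is filler.
sample_server() {
    printf '%s\n' 'CONFIG_M686=y' '# CONFIG_M586 is not set' \
        'CONFIG_IPC_NS=y' 'CONFIG_UTS_NS=y' 'CONFIG_SMP=y'
}
sample_desktop() {
    printf '%s\n' '# CONFIG_M686 is not set' 'CONFIG_M586=y' \
        '# CONFIG_IPC_NS is not set' 'CONFIG_SMP=y'
}

# Print "OPTION value-in-first value-in-second" for every option that differs.
kconfig_diff() {
    # Tag each line with its side so both files go through one awk pass.
    { sed 's/^/A /' "$1"; sed 's/^/B /' "$2"; } | awk '
    {
        side = substr($0, 1, 1); line = substr($0, 3); opt = ""
        if (line ~ /^CONFIG_[A-Za-z0-9_]+=/) {
            eq = index(line, "=")
            opt = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        } else if (line ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
            split(line, f, " "); opt = f[2]; val = "n"   # disabled option
        }
        if (opt == "") next                              # comment or blank line
        seen[opt] = 1
        if (side == "A") { a[opt] = val } else { b[opt] = val }
    }
    END {
        for (o in seen) {
            av = (o in a) ? a[o] : "n"                   # absent counts as off
            bv = (o in b) ? b[o] : "n"
            if (av != bv) print o, av, bv
        }
    }' | LC_ALL=C sort
}

tmp=$(mktemp -d)
sample_server > "$tmp/server"; sample_desktop > "$tmp/desktop"
kconfig_diff "$tmp/server" "$tmp/desktop"
rm -rf "$tmp"
```
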

Included Packages, Sort Of

The Ubuntu Server Edition page says:

“In around 15 minutes…you can have a LAMP (Linux, Apache, MySQL and PHP)
server up and ready to go. This feature, exclusive to Ubuntu Server Edition, is available at the
time of installation.”

Well no, it’s not exclusive. There are many prefab Linux LAMP stacks, with XAMPP for Linux being one of the most
comprehensive and versatile. That same page also emphasizes the excellence of the Linux Terminal
Server, which is a wonderful thin and diskless-client server. But it’s not included with Ubuntu
Server, so I’m wondering why it gets so much attention.

I like to see in the release notes, or somewhere close by, a complete package list. I
couldn’t find one anywhere, nor even a detailed description of what comes in Ubuntu Server. So I
installed it on a test system and installed every package group. Then I created a complete
package list by running dpkg -l. Ubuntu Server weighs in at a nice lean 355 packages, and takes
up 899 MB when you select everything.

And thus we learn that Ubuntu Server includes a LAMP stack made from a 2.6.22-14 kernel,
Apache 2.2.4, MySQL 5.0, PostgreSQL 8.2, PHP 5.2, Perl 5.8, and Python 2.5. So you get a couple
of options for your LAMP: MySQL or PostgreSQL for your database, and PHP, Perl, or Python for
scripting.

Inexplicable hype aside, you also get Samba for cross-platform network authentication, and
file and printer sharing. You even get ntfs-3g for read/write access to Windows NTFS
filesystems. There are Postfix and Dovecot for a nice SMTP/POP3/IMAP mail server, CUPS for
printing, BIND for name services, and AppArmor for enhanced security. There is a reasonable set
of networking packages that support Ethernet, dialup and wireless, and a basic set of common
networking utilities. It also supports a serial console, but since Ubuntu uses the Upstart init
system rather than the old-fashioned Sys-V init, it’s configured in /etc/event.d/ttyS* instead
of /etc/inittab.

Installation

The installer itself requires that you stick around to answer
questions; it’s not like Ubuntu Desktop, which asks everything at the beginning and then you can
go away. But it’s not too bad, as it installs fairly quickly.

If you install MySQL it will ask if you want to change the default MySQL password. It
doesn’t tell you what the default password is, and you only get one chance to enter a new
password, so you better get it right the first time.

The installer looks for a DHCP server and does not give you the chance to set a static IP
address. It would be nice to have the option to set a static address during installation instead
of having to remember to do it later.

Missing Sudo and Root Users

The installer prompted me to create only an unprivileged
user, which is standard for Ubuntu. Ordinarily this would be a sudo user with full
administrative privileges. But that didn’t happen — my user was an ordinary unprivileged
user who did not exist in /etc/sudoers. So there I was with a server that I couldn’t do
anything with. Until I booted with a rescue CD and fixed it by resetting the root password, that
is.

You always need a “real” root user anyway; some commands don’t work with sudo, and
the ext3 file system reserves 5% exclusively for the root user, so if a user process goes nuts
and fills up the filesystem, the root user can still save the day.

Security

Just like Debian, Ubuntu starts services immediately after installation.
(Run netstat -untap as root to see what ports are open.) So out of the box your server is
open for business. I would rather that none of them start until I’ve had a chance to configure
some access controls, and am darned good and ready to start them. So be extra careful until you
have things configured the way you want.
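
As an added example (not from the original article), this filter reduces netstat -untap output to the listeners that are reachable from the network, skipping anything bound only to loopback. The sample output and the function name exposed_listeners are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -untap` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4012/mysqld
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4150/smbd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4388/master
tcp        0      0 10.0.0.5:445            10.0.0.9:51522          ESTABLISHED 4150/smbd
tcp6       0      0 :::80                   :::*                    LISTEN      4433/apache2
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3990/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3990/named
EOF
}

# Print "proto address port program" for every listening socket that is
# not bound to a loopback address.
exposed_listeners() {
    awk '
    $1 !~ /^(tcp|udp)6?$/ { next }            # skip the two header lines
    {
        is_tcp = ($1 ~ /^tcp/)
        # TCP rows carry a State column; UDP rows leave it blank, so the
        # PID/Program field shifts left by one.
        if (is_tcp && $6 != "LISTEN") next
        if (!is_tcp && $5 !~ /:\*$/) next     # connected UDP socket
        prog = is_tcp ? $7 : $6
        sub(/^[0-9]+\//, "", prog)            # "4150/smbd" -> "smbd"
        match($4, /:[0-9]+$/)                 # port follows the last colon
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        if (addr ~ /^127\./ || addr == "::1") next
        print $1, addr, port, prog
    }'
}

sample_netstat | exposed_listeners
```

On a live system, pipe the real command into the function as root: netstat -untap | exposed_listeners.
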

AppArmor is supposed to be the “real world” alternative to SELinux. Unfortunately there is
nothing included that explains the default AppArmor configuration, or how to modify it.

Of course you get iptables for packet filtering, just like in any Linux.

Ubuntu pulls packages from Debian Testing, Unstable, and even Experimental. These are not
supported by the Debian security team. In addition, the default repositories
(/etc/apt/sources.list) include Universe and Multiverse, which include these scary
messages:

“## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team..software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team…..”
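
To see which active entries in a sources.list pull from those unsupported components, here is an added example (not from the original article) that parses the file and reports every enabled universe or multiverse source. The sample file, the SUITE placeholder and the function name unsupported_components are constructed; the parser also goes slightly beyond the article by accepting the optional bracketed options field and trailing comments.

```shell
#!/bin/sh
# Constructed sample of /etc/apt/sources.list; SUITE stands in for the release name.
sample_sources() {
cat <<'EOF'
## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu team
deb http://archive.ubuntu.com/ubuntu SUITE main restricted
deb http://archive.ubuntu.com/ubuntu SUITE universe
deb-src http://archive.ubuntu.com/ubuntu SUITE universe multiverse
# deb http://archive.ubuntu.com/ubuntu SUITE-backports main universe
deb http://security.ubuntu.com/ubuntu SUITE-security main restricted
deb [arch=i386] http://archive.ubuntu.com/ubuntu SUITE-updates main multiverse # local note
EOF
}

# Print "type uri suite component" for each enabled universe/multiverse entry.
unsupported_components() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # comments, blanks, disabled lines
    {
        i = 2
        if ($i ~ /^\[/) {                      # optional [option=value ...] field
            while (i <= NF && $i !~ /\]$/) i++
            i++
        }
        uri = $i; suite = $(i + 1)
        for (c = i + 2; c <= NF; c++) {
            if ($c ~ /^#/) break               # trailing comment ends the entry
            if ($c == "universe" || $c == "multiverse")
                print $1, uri, suite, $c
        }
    }'
}

sample_sources | unsupported_components
```
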

Summary

This turned into a long ole review, so let’s sum up.
First the good stuff: It’s an easy, one-CD installation. It’s a lean, barebones package
selection with no lard, which I like because it’s easier to add things than to wade through and
figure out what needs to be deleted.

Some users might have an expectation that Ubuntu Server will be all shiny and easy like
Ubuntu Desktop. It’s not—you need to know what you’re doing, because it doesn’t do any
hand-holding. It’s an honest-to-gosh proper server with no X windows or GUI tools cluttering it
up. You can have a GUI via remote administration; for example, Webmin is a high-quality and
popular remote GUI administration tool for servers.

The bad stuff: Poor documentation on the Ubuntu-specific customizations; it’s too hard to
find out what’s in it before downloading it. Bleeding-edge package versions are scary for
servers, and I question the effectiveness of putting something like AppArmor on a system that is
already security-questionable. LAMP security is famously difficult even with conservative
package choices and careful attention to security patching. Quality control seems in need of
some quality control.

Regarding expectations, I expect that with the funding, resources, and commercial aspirations
behind Ubuntu, it should be a marvel of quality, security, and stability, and with the awesomest
documentation of all. Debian succeeds at all of these with hardly any funding. Debian and Fedora
both show how release notes should be done.

The concept behind Ubuntu Server is wonderful—a lean, carefully-selected batch of
packages that gets you up and running quickly, and that you can easily add to as you need. I can
see using Ubuntu Server as a LAN server, and as a training server, but I think opening it up to
the Internet is asking for trouble.
