usermod


Rough notes on setting up an Ubuntu server with docker

Static IP

First, we set up a static IP to our Ubuntu server using netplan. To do so, we created the following file:

/etc/netplan/01-netcfg.yaml

using the following command

sudo nano /etc/netplan/01-netcfg.yaml;

and added the following content to it:

# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp3s0f0:
      dhcp4: no
      addresses: [192.168.45.13/24]
      gateway4: 192.168.45.1
      nameservers:
          addresses: [1.1.1.1,8.8.8.8]

To apply the changes, we executed the following:

sudo netplan apply;

Update everything (the operating system and all packages)

Usually, it is a good idea to update your system before making significant changes to it:

sudo apt update -y; sudo apt upgrade -y; sudo apt autoremove -y;

Install docker

In this setup we did not use the docker version that is available on the Ubuntu repositories, we went for the official ones from docker.com. To install it, we used the following commands:

sudo apt-get install ca-certificates curl gnupg lsb-release;
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg;
echo   "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null;
sudo apt-get update;
sudo apt-get install docker-ce docker-ce-cli containerd.io;

Install docker-compose

Again, we installed the official docker-compose from github.com instead of the one available in the Ubuntu repositories. At the time that this post was created, version 1.29.2 was the recommended one:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose;
sudo chmod +x /usr/local/bin/docker-compose;

Increase network pool for docker daemon

To handle the following problem:

ERROR: could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network

We created the following file,

/etc/docker/daemon.json

using the command:

sudo nano /etc/docker/daemon.json;

and added the following content to it:

{
  "default-address-pools": [
    {
      "base": "172.80.0.0/16",
      "size": 24
    },
    {
      "base": "172.90.0.0/16",
      "size": 24
    }
  ]
}

We executed the following command to restart the docker daemon and get the network changes applied:

sudo systemctl restart docker;

Gave access to our user to manage docker

We added our user to the docker group so that we could manage the docker daemon without sudo rights.

sudo usermod -aG docker $USER;

Deploying

After we copied everything in place, we executed the following command to create our containers and start them with the appropriate networks and volumes:

export COMPOSE_HTTP_TIMEOUT=120;
docker-compose up -d --remove-orphans;

We had to increase the timeout as we were getting the following error:

ERROR: for container_a  UnixHTTPConnectionPool(host='localhost', port=None): Read timed out. (read timeout=60)
ERROR: An HTTP request took too long to complete. Retry with --verbose to obtain debug information.
If you encounter this issue regularly because of slow network conditions, consider setting COMPOSE_HTTP_TIMEOUT to a higher value (current value: 60).

Stopping all containers using a filter on the name

docker container stop $(docker container ls -q --filter name=_web);

The above command will find all containers whose names contain _web and stop them. That command is actually two commands where one is nested inside the other.

#This command finds all containers that their name contains _web, using the -q parameter, we only get back the container ID and not all information about them.
docker container ls -q --filter name=_web;
#The second command takes as input the output of the nested command and stops all containers that are returned.
docker container stop $(docker container ls -q --filter name=_web);

Install Gnome Boxes on Kali Linux

Our solution in getting Gnome Boxes to work on Kali Linux (which is a Debian-derived Linux distribution just like Ubuntu) is the following:

First install Gnome Boxes along with all needed virtualization software:


sudo apt-get install -y gnome-boxes qemu-kvm libvirt0 virt-manager bridge-utils;

Then, edit the file /etc/libvirt/qemu.conf to uncomment the following line:

#user = "root"

Finally, restart the host machine and your Gnome Boxes will be ready to use.

Long story

Recently, we were setting up a Kali Linux machine and one of the requirements was to add virtualization support so that the user could execute virtual machines doing.. other stuff. We started by installing gnome-boxes only (hoping that would be enough)


sudo apt-get install -y gnome-boxes;

.. but we got an error:

Boxes cannot access the virtualization backend

Apparently, installing gnome-boxes only, the dependency system did not automatically assume we would need to install an engine to handle the virtual machines, so we had to install the following as well:


sudo apt-get install -y qemu-kvm libvirt0 virt-manager bridge-utils;

After the installation, we tried  to create a new virtual machine but it would fail when we tried to start it. After looking into the logs we found the following useful information:

State: GVIR_DOMAIN_STATE_SHUTOFF

It seems that our user (even if it was root) could not start the QEMU process. To fix this issue we had to modify the file /etc/libvirt/qemu.conf and uncomment the following line:

#user = "root"

from this section

# The user for QEMU processes run by the system instance. It can be
# specified as a user name or as a user id. The qemu driver will try to
# parse this value first as a name and then, if the name doesn't exist,
# as a user id.
#
# Since a sequence of digits is a valid user name, a leading plus sign
# can be used to ensure that a user id will not be interpreted as a user
# name.
#
# Some examples of valid values are:
#
# user = "qemu" # A user named "qemu"
# user = "+0" # Super user (uid=0)
# user = "100" # A user named "100" or a user with uid=100
#
#user = "root"

# The group for QEMU processes run by the system instance. It can be
# specified in a similar way to user.
#group = "root"

After doing this change and restarting the host machine we were able to start and use any virtual machine in Gnome Boxes.

Extra information

In this case, we were using Kali Linux, where people usually operate it using the root account only.
On other installations, like on an Ubuntu installation you would need to handle differently the last step that requires you to edit the /etc/libvirt/qemu.conf file.

Specifically, the best way to handle this issue on a multi-user environment (like Ubuntu) would be to replace the following line:

#group = "root"

with this

group = "kvm"

and then add yourself to the kvm group before restarting the host machine


sudo usermod -a -G kvm $USER;

Doing so, it allows you to enable access to the virtualization services to multiple users of you choice instead of limiting it to one account.


Add an existing user to an existing group

Add an existing user to secondary/supplementary user group using the -a option

usermod -a -G groupname useraccount;

The usermod command is a Linux utility used to modify the user account information stored in the /etc/passwd and /etc/group files. The -a option is used to append the specified user account to the specified group. The -G option is used to specify the group name that the user account will be added to. The groupname argument is the name of the group that the user account will be added to, and the useraccount argument is the name of the user account that will be added to the group.

In this command, the user account specified by “useraccount” will be added to the group specified by “groupname”. The -a option ensures that the user account will be added to the specified group without removing it from any other groups it may belong to. The -G option specifies that the user account will be added to the specified group as a secondary group.

Once the user account has been added to the specified group, it will have the permissions and access rights associated with that group. For example, if the group has permissions to read and write to certain files or directories, then the user account will also have these permissions once it has been added to the group.

It’s important to note that changes made with the “usermod” command are not applied immediately. The changes will take effect after the next time the user logs in or after a system reboot. Additionally, it’s important to use this command with caution as adding a user to the wrong group could grant unintended access rights to sensitive information.

In conclusion, the usermod -a -G groupname useraccount command is a useful tool for managing user accounts and group memberships in Linux systems. By adding a user account to a specific group, administrators can grant the user access to specific resources and permissions, making it easier to manage and control access to resources on a system.