Martin Carpentier's picture

While updating my installation of Virtualbox this weekend I stumbled on a post in their forums mentioning Turnkey and its appliances.

So I had a look and decided to try out the Wordpress appliance and I must say, I'm very impressed by how easy it is to have a running web server with Wordpress setup and ready. My prevous attempt, starting from a Ubuntu iso and installing everything manually, had me spend a whole weekend to have everything right. And that's without setting up the extra packages and custumisation you've included in the appliances!

So far,

what I really like:

  • inclusion of packages that help with system maintenance (backup, auto-update, webmin, etc)
  • the command line power tools (Although I'd like to know more about what has been customized and how it can be used)

what I like but I'd like to see improved:

  • Initialization hooks. I like being able to setup my own password and not be imposed one by default (a lot better security-wise). I would like to be able to also choose the username for the different accounts and also the hostname of the machine. Is it something possible with the hook system ?
  • The appliances' description and their package manifest. The packages addition and the customizations are well listed but again I'd like to see more documentation on the why and the how of some custumizations. 

what I don't like

  • using the root account and the removal of sudo. I really don't think it's a good idea to have the root account activated by default. It goes against the security recomendations found all over the web (and the many howtos using sudo). I know it's possible to install back sudo and deactivate the root account but I'd like to know the rationale behind this choice. If it's only a convenience issue then I think it should be back to having sudo by default. Priority should be given to security over convenience.

 

Now for my questions,

I've been looking into a solution for my web development and hosting needs for a long time now and it seems like the Turnkey + AWS combo is a very nice fit.

I saw on the AWS site that they currently offer a free one year plan to new suscribers. Does it mean the Turnkey Hub services will also be free for the same period ?

My last question is more about AWS but I couldn't find any info on the subject so maybe someone here can help me out. Right now I only need webhosting for 2 or 3 simple personal blogs. Is going with AWS overkill ? What are the basic AWS components that I need (the free offering includes components that seem superfluous) ?

Ok I'll stop here for now and will wait for an answer.

Meanwhile, thank you again for the great appliances. I'm sure I'll be using many of them in the future.

Forum: 
Jeremy Davis's picture

I can't speak on behalf of the core devs but I've been involved with TKL for a while so I think I can speak with at least a little authority. :)

Firstly a question for you. Not sure what you mean by "command line power tools"? Like TKLPatch? Or something else?

Some answers:

  • Passwords - You should be able to set passwords at first boot. I'm not sure why that didn't happen for you? Are you using the current release? (v11.x) Where/how are you running it? Live from an ISO/CD? Or is it installed to hardware or vm from ISO? Or imported vm image? Or are you using AWS? (If you launch AWS instance via TKL Hub you can set passwords prior ro launch).
  • Username(s) - I'll give you my 2c on usage of root below to keep my response somewhat corresponding to your post. So I'd say one of the reasons TKL uses default usernames is that TKL appliances are designed for a very wide audience. They are provided as a foundational product rather than a highly customised end product. On one hand they've got some nice customisations and additions, but in another sense they're quite minimalist. This means that as they currently sit, they should be fully functional and accessable OOTB for a 'newb' but also provide a great platform for customisation without requiring to much trimming for 'power users' and pros. Generally using default usernames shouldn't be an issue, and if you think it is, then they are generally pretty easy to change.
  • Hostname - Above also applies to hostname. The hostname is really easy to change if you wish. nano /etc/hostname and change it to whatever you want (<Ctrl><x> to save and close). If you are (or want to) using a FQDN then you will also want to edit /etc/hosts
  • Documentation - This is one area where TKL definately has some shortcomings. There has been some (slow) progress but it still far from ideal. By design most the the upstream docs (Ubuntu particularly) are relevant to TKL so that's at least of some help. I definately agree that it would be great to have clearer documentation on what the TKL tweaks and customisations are and their rationale. Some info iis buried here in the forums and the docs are absent without design or intention,it's just that the core devs are a 2 man team and their resources are limited. Everything they do, comes at the expense of something else cool they could be doing instead. I think that even if all upstream software development froze it'd still probably take them years to catchup with all the great ideas, suggestions and additions they have on their todo list. The devs are usually fairly responsive to questions. Although they can take a while to respond because of their ongoing commitments, they usually get there in the end.
  • root acount - I'm pretty sure that the devs have explained their rationale for using the root account but I can't find it ATM nor can I really recall fully. But I'll give you my 2c. Disabling root on a desktop system makes lots of sense. One important security concept is to only require as much admin power as required. On a desktop mostly you do not need root powers and when you do, sudo adds little work if you are only running a few commands, or there's always su if you want to run a few. It also reduces the chances of you destroying your workhourse with a casual command without due regard for the consequences! But on a server system it makes a lot less sense. All the software pre-installed and pre-configured on TKL appliances alreay runs under limited user accounts. So even if the services get hacked into, the damage will be limited. The apps pre-installed on TKL usually have their own user account systems, but these services all generally run under a specific limited webserver account.Often servers will be run as a single user environment (root the only useraccount that can login) so it makes little sense to have an extra user account, when they are run multiuser then generally you will not want those additional users having root access anyway (not even under sudo) so again it makes little sense to even have it installed (it actually increases security without sudo in that sense). The only extra security disabling root gives you is 'security by obscurity' and generally it's not that useful against any serious hacker. The core devs (Alon and Liraz) have history in the security field (both having experience in military IT security) so needless to say they take it very seriously. Still as I've already highlighted the system is highly configurable and if you wish to install sudo, create new (sudo) users and disable root, your able to do so pretty easily:
apt-get update && apt-get install sudo
adduser <newuser>

This should ask you a number of questions including the desired password. Password can be changed with the passwd command.

adduser <newuser> admin

Now you can logout and logback in as your new (sudo)user.

logout

Once logged back in you can disable root

sudo usermod -p '!' root
  • AWS - AWS is great and via the TKL Hub its really easy to use. I'm not 100% sure whether the free accounts are possible for use with TKL, you'll have to do a bit of reading of the Amazon fineprint. I thought that this question had been answered recently but I couldn't find it. Anyway assuming that the free accounts include use of small (&/or medium) instances (TKL AMIs are not available for micro or large instances) then I reckon you should be right. Probably easiest way to find out for sure, is sign up for one then try linking it to a Hub account and launching an instance and see if you get charged for it (don't forget to run a TKLBAM backup if you want to keep any data and shut it down when you've finished). It's pretty cheap by the hour but can clock up if you are running it 'always on'. There are significantly cheaper (although not as convienient) options if you're only hosting a few low traffic blogs (even the small instance is high spec for a basic TKL server IMO).

Hope my extended rant answered some of your questions. :)

Martin Carpentier's picture

Hi Jeremy,

thank you very much for your fantastic reply. I wasn't expecting to get so many answers and information in 1 post! 

Also I'd like to appologies if I came across a bit harsh or negative in my previous post. I really didn't mean to, far from it. Like I said, I'm very glad I found out about TKL and very impressed by the quality of the appliances, the Hub services and the TKL web site in general. Now enven more so that I know there's only 2 core developpers on the project!

As for my questions and your answers...

  • cli power tools - I was reffering to what's documented in the TLK-Core decription. I'd like to know more about what's been improved and what extra stuff can be accomplished with the additions. So far I can see the improvement to the shell colors and the auto-completion feature which are great but I'm not sure what the other features provides.
  • username/password setup through inithooks - I think I wasn't very clear and somewhat mislead you. I did get the prompts to setup the passwords to the accounts during the first boot of the appliance and everything went fine. I was just expressing my wish to also have the option to choose a username for the various accounts. Now, I undersand the design choice for the appliance and the minimalistic approach to the install and setup experience. I just think that adding the options to also choose the usernames and the machine hostname would still fit the bill. But like you said it's pretty easy to change those after the initial setup. I certainly can live with that. Maybe some howtos on those specific tasks should be added to the How To section or maybe having a specific TKL patch for those who'd like to have this extra flexibility available. I'm still not sure how patches work or how to create one but once I do I'd gladly help with that (same goes for the documentation).
  • Documentation - Being a developper myself, I perfectly understand how often documentation can be left behind as an afterthought or how easy it can be pushed aside to give more priority to extra features or fixes. So I'm not judging at all. I was merelly trying to suggest where the focus should be put IF/WHEN documentation efforts were to  be contributed. I'm perfectly aware though that the needs of the TKL community might be different then mine.
  • root account - I'm not a security expert and was basing my assesment only on what I've been using so far (Ubuntu) and my limited understanding of the benefits of using sudo. Seeing the choice made by TKL I was curious to see why the choice had been made. After searching arround on the forums and the documentation the only explanation I could find was a post by one of the dev making it sound like it was mostly a convenience thing. That is what motivated my questionning. Thanks to your inputs and explanations the decision makes a lot more sense and I realise that my worries about security were misplaced. As for the convenience benefits, I'm not sure I can agree yet... I'm just so used to type sudo <some command> that I keep typing it even though I don't need to! Also thanks for the instructions on how to install sudo back. :)
  • AWS - You inderectly provided the answer: AWS free tier is for a micro instance so it's not compatible with TKL Hub as it needs a small instance. It's now also confirmed since yesterday's announcement of the release of version 1.0 of the Hub. I'm still tempted to try it out but I don't want to overspend too much. I'll try to find more info on what's the minimal AWS component that I need to run a simple wordpress appliance and see if it's worth it.

Once again thank you for your reply it's very much appreciated.

Add new comment