02 — Operating System
This page documents the operating system configuration and baseline policies of the production server.
Snapshot date: 2026-02
Environment: Ubuntu Server 24.04.4 LTS
Role: Single-node Docker Swarm production host
1. Host Identity
Verification Commands
hostnamectl
lsb_release -a
uname -a
Current Configuration
- Hostname: vps-0c6a392c
- Distribution: Ubuntu 24.04.4 LTS
- Codename: noble
- Kernel: 6.8.0-86-generic
- Architecture: x86_64
- Virtualization: KVM
2. Package Baseline
Docker host dependencies installed:
sudo apt update
sudo apt install ca-certificates curl gnupg
Docker is installed from the official Docker repository (not the Ubuntu default repository).
Verification
docker --version
Current version:
- Docker Engine: 29.2.1
3. System Updates Policy
Verification
sudo apt update
sudo apt list --upgradable
Policy
- Security updates must be applied regularly.
- Kernel upgrades require controlled reboot.
- Production upgrades should be performed during maintenance windows.
- Major Docker upgrades must be validated before deployment.
4. Time Synchronization
Verification
timedatectl
Current Configuration
- NTP service: active
- System clock synchronized: yes
- Time zone: Etc/UTC (UTC, +0000)
Ensure:
- NTP service: active
- System clock synchronized: yes
- Correct timezone configured
Timezone Verification
timedatectl | grep "Time zone"
5. Firewall (UFW)
Verification
sudo ufw status
Current Configuration
- UFW status: Active
Allowed ports:
- 22 (SSH)
- 80 (HTTP)
- 443 (HTTPS)
- 3478/udp (TURN)
- 49160–49200/udp (TURN relay range)
Policy
- Default incoming: deny
- Default outgoing: allow
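The allowlist and default policy above can be checked mechanically instead of by eye. The script below is an added example, not part of the original runbook: it compares `ufw status verbose` output with the baseline in this section. The function names and the sample output are constructed, and it assumes a bare port in the list (22, 80, 443) appears in UFW as either `N` or `N/tcp`.

```shell
# Added example, not part of the original runbook.
# Baseline copied from section 5; ufw prints port ranges with ":".
BASELINE="22 80 443 3478/udp 49160:49200/udp"

# ufw_drift: reads `ufw status verbose` text on stdin and prints one finding
# per line (sorted, de-duplicated). No output means the rules match section 5.
# Assumption: a bare port in BASELINE matches a "N" or "N/tcp" rule.
ufw_drift() {
    awk -v baseline="$BASELINE" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) want[b[i]] = 1 }
        /^Status:/ { status = $2 }
        /^Default:/ {
            defaults = 1
            if ($0 !~ /deny \(incoming\)/)  print "FAIL default incoming is not deny"
            if ($0 !~ /allow \(outgoing\)/) print "FAIL default outgoing is not allow"
        }
        # Inbound rule rows, e.g. "22/tcp (v6)   ALLOW IN   Anywhere (v6)"
        / (ALLOW|LIMIT)( IN)? / && !/ (OUT|FWD) / {
            rule = $1; key = rule
            if (!(key in want)) sub(/\/tcp$/, "", key)
            if (key in want) found[key] = 1
            else print "UNEXPECTED " rule
        }
        END {
            if (status != "active") print "FAIL ufw is not active"
            if (!defaults) print "FAIL default policy line missing (use: ufw status verbose)"
            for (p in want) if (!(p in found)) print "MISSING " p
        }' | sort -u
}

# Constructed, abbreviated sample: TURN relay range absent, stray 5432/tcp present.
sample_drifted() {
    cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
3478/udp                   ALLOW IN    Anywhere
5432/tcp                   ALLOW IN    Anywhere
5432/tcp (v6)              ALLOW IN    Anywhere (v6)
EOF
}

# On the host: sudo ufw status verbose | ufw_drift
sample_drifted | ufw_drift
```

Ports published by Docker are opened through Docker's own iptables rules and do not appear in `ufw status`, so this check covers UFW rules only.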
6. Docker Permissions
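Docker commands currently require sudo. Without it, the client cannot connect to the Docker API socket, as the output under Current Configuration shows.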
Verification
docker info
Current Configuration
docker info
Client: Docker Engine - Community
Version: 29.2.1
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.31.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v5.1.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
permission denied while trying to connect to the docker API at unix:///var/run/docker.sock
7. Swap Policy
Swap is intentionally disabled.
Verification
free -h
Current state:
- Swap: 0B
Rationale:
Swap is disabled to avoid performance degradation and unpredictable latency in containerized workloads.
8. Reboot Policy
Reboot required after:
- Kernel upgrades
- Critical security patches
- Major Docker upgrades
Verification of Last Reboot
who -b
9. Operational Quick Check
Useful commands for system health verification:
uptime
df -h
free -h
sudo docker service ls
These commands provide a quick operational snapshot of system load, disk usage, memory usage, and running services.