Lessons learned & gotchas

The things that bite, collected so they bite you less:

  • Use the rescue system + installimage; don't fight a pre-installed OS. Starting from a clean, known base is faster and far more supportable than trying to bend whatever image came on the disk.
  • Public networking is not your living-room switch. The upstream drops frames from MAC addresses it doesn't recognise, so a naive "just bridge the VMs onto the public NIC" quietly fails. That single fact is the reason a whole separate book exists on VM connectivity — read it before you expect a VM to reach the internet.
  • Firewall + fail2ban on the first boot, not the second. A fresh public SSH port collects brute-force attempts almost immediately. Set this up before you walk away from the install.
  • Check the CPU governor. Dedicated boxes often boot in a power-saving mode; for a hypervisor you want performance, or you'll chase phantom latency.
  • IOMMU needs two things, not one. A BIOS/firmware setting and a kernel command-line flag. Miss either and passthrough silently won't work.
  • Snapshot your working network config before you tune. It is genuinely easy to sysctl or bridge yourself out of SSH on a remote box where you can't walk over and plug in a monitor. Know how to reach the rescue system before you need it.
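The checklist above, turned into something you can run on the box. This is an added example, not code from the original page or from the project it documents. It assumes a Linux host with sysfs and procfs at their usual paths, Debian-style network config files (/etc/network/interfaces, /etc/netplan), fail2ban's jail.d layout, and systemd's shutdown command for the timed reboot; the --live flag, the BACKUP_ROOT variable and every function name are my own. The check functions take their input as arguments, so they also work on values captured from another host.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight checks and a
# safety net for the gotchas above, for a Linux bare-metal hypervisor.
# Assumptions: sysfs/procfs at the usual paths, Debian-style network
# config files, systemd's `shutdown` for the timed rollback.
set -u

# --- CPU governor: print "ok" if every governor given is "performance",
# otherwise list the offending values (one governor per argument).
check_governors() {
  local g bad=""
  for g in "$@"; do
    [ "$g" = "performance" ] || bad="$bad $g"
  done
  if [ -z "$bad" ]; then echo ok; else echo "not-performance:${bad# }"; fi
}

# Live variant: feeds every CPU's current governor into check_governors.
check_governors_live() {
  local govs
  govs=$(cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor 2>/dev/null)
  [ -n "$govs" ] || { echo unknown; return; }
  # shellcheck disable=SC2086
  check_governors $govs
}

# --- IOMMU: classify from the kernel command line and the number of
# /sys/kernel/iommu_groups entries. Groups only appear when the firmware
# (VT-d / AMD-Vi) AND the kernel both have the IOMMU on, so the pair of
# observations tells you which of the two settings is missing:
#   enabled          groups exist; passthrough can work
#   firmware-off     intel_iommu=on / amd_iommu=on is set but no groups exist
#   cmdline-missing  neither the flag nor any groups
iommu_status() {
  local cmdline="$1" groups="$2" flag=0
  case " $cmdline " in
    *" intel_iommu=on "*|*" amd_iommu=on "*) flag=1 ;;
  esac
  if [ "$groups" -gt 0 ]; then echo enabled
  elif [ "$flag" -eq 1 ]; then echo firmware-off
  else echo cmdline-missing
  fi
}

iommu_status_live() {
  local n
  n=$(find /sys/kernel/iommu_groups -mindepth 1 -maxdepth 1 -type d 2>/dev/null | wc -l | tr -d ' ')
  iommu_status "$(cat /proc/cmdline)" "$n"
}

# --- Network safety net. Snapshot the files (and live state) that decide
# whether you can still SSH in, into a timestamped directory; print its path.
# Extra paths can be passed as arguments. BACKUP_ROOT overrides the location.
snapshot_network_config() {
  local dest="${BACKUP_ROOT:-/root/netbackup}/$(date +%Y%m%d-%H%M%S)"
  local p
  mkdir -p "$dest"
  for p in /etc/network/interfaces /etc/netplan /etc/sysctl.conf /etc/sysctl.d "$@"; do
    if [ -e "$p" ]; then cp -a "$p" "$dest"/ || echo "warn: could not copy $p" >&2; fi
  done
  # Live state is worth more than the files when you have to rebuild a bridge.
  { ip -o addr show; ip route show; } > "$dest/live-state.txt" 2>/dev/null || true
  echo "$dest"
}

# Dead-man's switch around a risky change: apply the change live (ip / sysctl -w,
# not yet persisted to disk); unless you disarm within N minutes (default 5)
# the box reboots into the unchanged on-disk config and you are back in.
arm_rollback()    { shutdown -r "+${1:-5}" "network change rollback"; }
disarm_rollback() { shutdown -c; }

# --- fail2ban on first boot: write a minimal sshd jail into the given
# directory (default /etc/fail2ban/jail.d) and print the file path.
write_sshd_jail() {
  local dir="${1:-/etc/fail2ban/jail.d}" f
  f="$dir/sshd.local"
  mkdir -p "$dir"
  cat > "$f" <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
  echo "$f"
}

# Run the live checks when invoked with --live; otherwise the functions
# above can be sourced into another script.
if [ "${1:-}" = "--live" ]; then
  echo "governor: $(check_governors_live)"
  echo "iommu:    $(iommu_status_live)"
fi
```

The rollback pattern is the one worth internalising: snapshot, arm_rollback, make the change live only, open a second SSH session to prove you can still get in, disarm_rollback, and only then write the change to disk. If the second session never connects, the reboot brings back the config you snapshotted. The IOMMU classifier reads "firmware-off" when the kernel flag is set but no groups appear, which is the case the list warns about: the flag alone looks like it worked until the first passthrough attempt.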

Lesson in one line: on a remote bare-metal host, the dangerous mistakes are the ones that cut your own network access. Harden early, change networking carefully, and always know your way back in.