# Lessons learned & gotchas

The things that bite, collected so they bite you less:

- **Use the rescue system + `installimage`; don't fight a pre-installed OS.** Starting from a clean, known base is faster and far more supportable than trying to bend whatever image came on the disk.
- **Public networking is not your living-room switch.** The upstream drops frames from MAC addresses it doesn't recognise, so a naive "just bridge the VMs onto the public NIC" quietly fails. That single fact is the reason a whole separate book exists on VM connectivity — read it before you expect a VM to reach the internet.
- **Firewall + fail2ban on the first boot, not the second.** A fresh public SSH port collects brute-force attempts almost immediately. Set this up before you walk away from the install.
- **Check the CPU governor.** Dedicated boxes often boot in a power-saving mode; for a hypervisor you want `performance`, or you'll chase phantom latency.
- **IOMMU needs two things, not one.** A BIOS/firmware setting *and* a kernel command-line flag. Miss either and passthrough silently won't work.
- **Snapshot your working network config before you tune.** It is genuinely easy to sysctl or bridge yourself out of SSH on a remote box where you can't walk over and plug in a monitor. Know how to reach the rescue system before you need it.
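
A pre-flight script for the CPU-governor and IOMMU items above, added here as an example (not code from the original page). The paths default to the standard `/proc` and `/sys` locations but are parameters so you can run the same checks against copies pulled from a box; the assumption that the kernel flag is `intel_iommu=on` or `amd_iommu=on` is mine, adjust it if your distribution expects something else.

```bash
#!/usr/bin/env bash
# Hypervisor pre-flight: both IOMMU halves plus the CPU governor.
# Each check takes an optional path so it can be tested on captured files.

# Kernel half of IOMMU: the command line must carry the enable flag
# (assumed here to be intel_iommu=on or amd_iommu=on).
iommu_flag_present() {
  local cmdline_file="${1:-/proc/cmdline}"
  grep -Eq '(^|[[:space:]])(intel|amd)_iommu=on([[:space:],]|$)' "$cmdline_file"
}

# Firmware half of IOMMU: if BIOS/UEFI left VT-d / AMD-Vi off, the kernel
# exposes no groups at all, even with the flag set.
iommu_groups_present() {
  local groups_dir="${1:-/sys/kernel/iommu_groups}"
  [ -d "$groups_dir" ] && [ -n "$(ls -A "$groups_dir" 2>/dev/null)" ]
}

# Governor check: prints every CPU not in 'performance'; returns 0 only if
# all readable governors already say 'performance'.
governor_is_performance() {
  local cpu_root="${1:-/sys/devices/system/cpu}"
  local rc=0 f
  for f in "$cpu_root"/cpu[0-9]*/cpufreq/scaling_governor; do
    [ -r "$f" ] || continue
    if [ "$(cat "$f")" != "performance" ]; then
      echo "$f: $(cat "$f")"
      rc=1
    fi
  done
  return $rc
}

# Runs all three and returns the number of failed checks (0 = ready).
preflight() {
  local cmdline="${1:-/proc/cmdline}" groups="${2:-/sys/kernel/iommu_groups}"
  local cpus="${3:-/sys/devices/system/cpu}" failures=0
  iommu_flag_present "$cmdline" || { echo "FAIL: no (intel|amd)_iommu=on on kernel command line"; failures=$((failures+1)); }
  iommu_groups_present "$groups" || { echo "FAIL: no IOMMU groups exposed; check the BIOS/firmware setting"; failures=$((failures+1)); }
  governor_is_performance "$cpus" || { echo "FAIL: CPU governor is not 'performance' (offenders listed above)"; failures=$((failures+1)); }
  return $failures
}

# When executed directly (not sourced), check the live system.
if [ "${BASH_SOURCE[0]:-}" = "$0" ]; then
  preflight "$@" && echo "READY" || echo "NOT READY: $? check(s) failed"
fi
```

Run it on the host after the rescue-system install and again after any firmware or bootloader change; a non-zero exit code tells you how many of the three items still need attention.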

> **Lesson in one line:** on a remote bare-metal host, the dangerous mistakes are the ones that cut your own network access. Harden early, change networking carefully, and always know your way back in.