Do you prefer install from an ISO or use Templates?

nfn

As the title says, do you prefer install from an ISO or use the provider template images for your OS?

I prefer install from the oficial ISO when possible.

comXyz

Hetzner always attach an USB for me when I need to install something they don't have

Daniel15

I always install via ISO. Templates sometimes have a lot of junk in them (eg Apache installed and running out-of-the-box), or questionable default settings. I've even seen some images where the SSH server keys were the same for each VPS created from the image! The ISO is guaranteed to be clean and minimal.

If your provider doesn't support ISOs, you can boot into netboot.xyz either via GRUB (I recently wrote this doc page about it: https://netboot.xyz/docs/booting/grub/) or iPXE (https://netboot.xyz/docs/booting/ipxe). As long as they have VNC, this should always work.

asd

A provider that puts junk in the template doesn't sound like a very trustworthy provider

AXYZE

@Daniel15 said:
I always install via ISO. Templates sometimes have a lot of junk in them (eg Apache installed and running out-of-the-box), or questionable default settings. I've even seen some images where the SSH server keys were the same for each VPS created from the image! The ISO is guaranteed to be clean and minimal.

If your provider doesn't support ISOs, you can boot into netboot.xyz either via GRUB (I recently wrote this doc page about it: https://netboot.xyz/docs/booting/grub/) or iPXE (https://netboot.xyz/docs/booting/ipxe). As long as they have VNC, this should always work.

If provider has "he SSH server keys were the same for each VPS" then do you really trust them with your data and money? This is such a big red flag, it doesn't matter at all if they have ISO option if they cant figure out basic security stuff.

Daniel15

@asd said:
A provider that puts junk in the template doesn't sound like a very trustworthy provider

Not sketchy junk, just some have full installations of Apache, BIND, PHP, etc. Useful for some people, but I use Nginx and almost never use PHP.

@AXYZE said:

@Daniel15 said:
I always install via ISO. Templates sometimes have a lot of junk in them (eg Apache installed and running out-of-the-box), or questionable default settings. I've even seen some images where the SSH server keys were the same for each VPS created from the image! The ISO is guaranteed to be clean and minimal.

If your provider doesn't support ISOs, you can boot into netboot.xyz either via GRUB (I recently wrote this doc page about it: https://netboot.xyz/docs/booting/grub/) or iPXE (https://netboot.xyz/docs/booting/ipxe). As long as they have VNC, this should always work.

If provider has "he SSH server keys were the same for each VPS" then do you really trust them with your data and money? This is such a big red flag, it doesn't matter at all if they have ISO option if they cant figure out basic security stuff.

Yeah I agree, and I've generally moved away from providers like this once my contract expires. They do exist though. Some providers use third-party images and don't properly vet them. Even official templates have had issues in the past (eg https://www.lowendtalk.com/discussion/169685/vulnerability-in-solusvm-debian-10-template-debianuser-backdoor-default-user/p1).

eris

I have created my own template(s)

asd

@Daniel15 said: Not sketchy junk, just some have full installations of Apache, BIND, PHP, etc. Useful for some people, but I use Nginx and almost never use PHP.

I see. I haven't encountered a provider like that yet. But imo, it still seems a bit sketchy to mess with the iso unless it's clearly stated.

ailice

I always use ISO custom, cause most provider doesnt provide Alpine Linux template (Im aware only @MannDude provided it, and love it so far).

MannDude

@ailice said:
I always use ISO custom, cause most provider doesnt provide Alpine Linux template (Im aware only @MannDude provided it, and love it so far).

Glad you're happy with the options. You're also free to bring your own ISO and upload it if there is one you'd like to try that we don't officially offer.

yoursunny

All my KVM servers, except Oracle Cloud, are installed from ISO or netboot.xyz.
OpenVZ and LXC have to use templates, but I have script to delete all the junk via apt-mark auto.

@AXYZE said:

@Daniel15 said:
I've even seen some images where the SSH server keys were the same for each VPS created from the image!

If provider has "he SSH server keys were the same for each VPS" then do you really trust them with your data and money? This is such a big red flag, it doesn't matter at all if they have ISO option if they cant figure out basic security stuff.

NATVPS.net Debian 11 template for OpenVZ was caught to have the same SSH host keys on every container, because the person who created the template wasn't aware of this.
I only discovered because I bought a bundle and saw the same key digest showing up 5 times.
The provider corrected the problem swiftly.

My future setup after a template install shall include a step to regenerate SSH host keys.

nobizzle

i prefer netboot.xyz

Daniel15

@yoursunny said: My future setup after a template install shall include a step to regenerate SSH host keys.

For cases where I must use an image (like OpenVZ), I explicitly uninstall and reinstall openssh-server. If you do apt remove --purge, it'll remove a package and all its config, which for OpenSSH server includes the host keys. They'll be freshly generated on reinstall.

dfroe

You don't necessarily need to remove and re-install the whole openssh-server package.
It's enough to simply delete the host keys and regenerate them:

rm -f /etc/ssh/ssh_host* ; dpkg-reconfigure openssh-server

Jackma1

always install via Templates

MannDude

I usually install via ISO so I can setup LUKS encryption for storage and have the peace of mind knowing the OS template is straight from the source (Debian, Alma, Ubuntu, etc)

Kousaka

I prefer ISO in most cases, but if the server is just for idling or very simple task, I won’t bother to install ISO

aj_potc

I've wasted so much time troubleshooting the oddest issues, only to find out it's because a provider's template was missing packages that would normally be included in a default installation.

After many such experiences, I've come to hate templates and use an ISO installation whenever possible, followed by an Ansible playlist to get everything set up to my default preferences.

I think the weirdest was when I couldn't find any log files being created on a system, only to find out that it didn't have rsyslog installed. Crazy.

dominos

@Daniel15 said:
I always install via ISO. Templates sometimes have a lot of junk in them (eg Apache installed and running out-of-the-box), or questionable default settings. I've even seen some images where the SSH server keys were the same for each VPS created from the image! The ISO is guaranteed to be clean and minimal.

If your provider doesn't support ISOs, you can boot into netboot.xyz either via GRUB (I recently wrote this doc page about it: https://netboot.xyz/docs/booting/grub/) or iPXE (https://netboot.xyz/docs/booting/ipxe). As long as they have VNC, this should always work.

Very helpful links!Thank you!

KermEd

Template - but I trust my providers. If I need to install a custom ISO because their templates are messed up and it becomes a problem I'll migrate hosts when it's convenient

Nothing against custom ISOs mind you. Just not worth the work for me with a LET provider for how little I use my servers