This is a guide for a secure installation of 64-bit Ubuntu Server 21.10 on Raspberry Pi 4.
1. Upgrade Raspberry Pi4 Bootloader Firmware
If you are using an older Pi4 then it might have an old bootloader. There were some nice firmware updates since the fall of 2020 to support USB SSD boot. When I start a new project I like to make sure the Pi has the latest stable version of the firmware.
See this guide for upgrading bootloader.
2a. Ubuntu Installation on SD card
- Download & Extract Ubuntu Server 21.10 64-bit Version
- https://ubuntu.com/download/raspberry-pi
- Download & Install Raspberry Pi Imager v1.6 Software
- https://www.raspberrypi.org/downloads/
- Write Ubuntu Image to SD card
- Insert SD card into Raspberry Pi
2b. Ubuntu Installation on USB SSD
Instead of running from SD card you can use an external USB SSD. See this guide for Booting from USB SSD.
3. Ubuntu Setup with Headless Operation + Ethernet Connection
- Power up Raspberry Pi
- Wait a couple of minutes for initial bootup
- Determine local IP address of Raspberry Pi using your favorite method
- login into your router and check the DHCP client list. Default hostname of the Pi is ubuntu
- Fing is nice application on Android for scanning devices on your network
- Open SSH connection using your favorite application(example: putty)
- Default login
- user: ubuntu
- password: ubuntu
- On first login you will be asked to change default password
- SSH session will be automatically closed as soon as password is changed
- Default login
- Login with new password
- Switch to root environment
sudo -i
- Update Time Zone. Configure according to this guide
- To get list of available timeszones:
timedatectl list-timezones - Example Configure Timezone
timedatectl set-timezone America/Edmonton
- To get list of available timeszones:
- At this point Ubuntu will immediately start auto updating which can interfere with other other packages that you may be installing next. I have found that the best thing is to just let the updates complete in the background before moving to the next steps. This could maybe take 30 minutes or more. I will just use
topcommand to see when the CPU activity is back down to idle level. - Obtain latest versions of installed packages(autoupdates in the background should have everything updated but you can check to make sure)
apt update
- update all installed packages
apt upgrade
- Disable auto updates(Optional). Open 20auto-upgrades file.
nano /etc/apt/apt.conf.d/20auto-upgrades
- Replace values in file with the following:
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Periodic::Unattended-Upgrade "0";- Configure basic firewall to close all ports except for SSH
- Use this if you want SSH access from outside your local network:
ufw allow 22
- Use this if you want to limit SSH access to your local network:
ufw allow from 192.168.1.0/16 to any port 22
- Enable Firewall
ufw enable
- Note: use
ufw show addedto see rules when ufw is not enabled - Note: use
ufw statusto see active rules when ufw is enabled
- Use this if you want SSH access from outside your local network:
- Create new user and add to sudo group. Replace friends with your own username.
adduser friends && usermod -aG sudo friendsexitexit
- Close SSH connection and login using new user
- Switch to root environment
sudo -i
- Install userland vcgencmd tools(optional)
apt install libraspberrypi-bin
- Add user to video group. Replace friends with your own username.
usermod -aG video friends
- Delete ubuntu user info
deluser ubunturm -rf /home/ubuntu- `exit
- Find MAC address(optional) . This can be useful if you need to configure port forwarding in your router.
cat /sys/class/net/eth0/address
- Clear terminal history
history -c && history -w
- Reboot with new settings
sudo reboot