Operating Systems Module at University of Roehampton

By Luke Pring (A00012218)
View on GitHub

System Planning and Distribution Selection

24/10/2025

System Architecture Diagram

System Architecture Diagram

Distribution Selection Justification

I chose to use the ARM64 version of Ubuntu Server. This is widely adopted in enterprise for good reason, as it offers a balance of stability and usability. This is important as it would be my first time configuring a Linux server. Ubuntu Server is easy to use, offering strong documentation and simple package management for additional software that may be needed for future tasks of the coursework.

This is in comparison to CentOS Stream, another server distribution which requires more manual configuration for installing software packages. Another distribution I considered was Debian, a popular and stable operating system. However, I decided against using Debian as it is less up-to-date, as it has a slower release cycle. In addition, Debian requires more configuration for security, while Ubuntu Server is more automated, speeding up the time it will take to set up my VM.

Ubuntu Server is also clearly the best option due to its simple and guided installation process, which is intuitive and requires less manual setup and knowledge to get started. It is designed to be accessible for new Linux users, with beginner-friendly documentation and simple package management. This is in contrast to CentOS Stream or Debian, which require more configuration knowledge with their more complex setup processes.

These distributions are more geared towards experienced server administrators, and require more learning than would be possible during the timescale of the coursework.

Workstation Configuration

My workstation is a MacBook Pro with the macOS Tahoe (version 26) operating system installed. This is my primary device, and is good for virtualisation due to the Apple Silicon ARM architect[...] and Apple’s virtualisation and hypervisor frameworks. Due to said CPU architecture, the version of Ubuntu Server I have to install will have to be the ARM64 build due to the performance is[...] another CPU architecture would introduce.

macOS is part of the UNIX family of operating systems, which has many similarities with Linux. This reduces compatibility issues as a lot of the kernel level features are the same, meaning the virtualised server will be more stable and performant. UNIX-based hosts such as macOS also come with Linux tools such as built-in SSH via the Terminal, which means connecting to the server will be easier, not requiring the installation of PuTTY like on Windows hosts.

Network Configuration

When configuring the network connection between my server VM and my workstation, I will use the "Bridged Adapter" option within VirtualBox to ensure the server VM is hosted on the same netw[...] connects the guest network interface to the host's, appearing as a seperate device on the local network. This allows connection to the guest machine via SSH without requiring port forwarding or NAT to be configured. This means that the server VM can be connected to from the local machine with a[...]

System Specifications

The specifications of my server VM are as follows:

  • uname: Linux
  • Total Memory: 1954MB
  • Free Memory (idle): 1579MB
  • Buff/Cache Memory: 216MB
  • df -h: 
    
            Filesystem      Size  Used Avail Use% Mounted on
tmpfs           196M 1004K  195M   1% /run
efivarfs        256K   16K  241K   6% /sys/firmware/efi/efivars
/dev/sda2        24G  2.8G   20G  13% /
tmpfs           978M     0  978M   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
/dev/sda1       1.1G  6.4M  1.1G   1% /boot/efi
tmpfs           196M   12K  196M   1% /run/user/1000
  • ip addr: 
    
            1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp0s8:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:a5:20:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.4.101/22 metric 100 brd 192.168.7.255 scope global dynamic enp0s8
       valid_lft 13853sec preferred_lft 13853sec
    inet6 fd94:238e:7224:284b:a00:27ff:fea5:201c/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 1743sec preferred_lft 1743sec
    inet6 fd79:f176:bc9f:1:a00:27ff:fea5:201c/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591731sec preferred_lft 604531sec
    inet6 fe80::a00:27ff:fea5:201c/64 scope link 
       valid_lft forever preferred_lft forever
  • lsb_release: No LSB modules are available.
I used the uname, free, df -h, ip addr, and lsb_release commands to provide the above system specifications.

Security Planning and Testing Methodology

31/10/2025 🎃

Performance Testing Plan

In my performance testing plan, I will monitor my server VM's metrics to ensure system stability, and collect data for capacity planning.

For remote monitoring, I will use the htop tool to view processes running, iostat to see CPU statistics, netstat to view current network connections and bandwidth usage, and vmstat to see how much virtual memory is being used, so I can increase the "physical" memory if[...] Key performance indicators (KPIs) I will track will include:

  • CPU Utilisation
  • Memory Usage
  • Disk I/O
  • Network Throughput
From these tests, I would like to determine how certain stresses affect response time through SSH. I could use stress testing tools such as stress-ng and sysbench.

Security Configuration Checklist

I will edit the SSH configuration file editing various settings to ensure the security of my VM instance. While the risk of attack is low as it is on my own local network, security measures [...]

  • Using key based authentication instead of passwords, as these cannot be as easily stolen/brute forced.
  • Installing "Fail2ban", this is a tool that bans IP addresses that show malicious behaviours like too many password attempts.
  • Configuring a firewall using the ufw command, only allowing necessary ports for SSH and HTTP(S).
  • Enable unattended-upgrades to automatically install security updates.
  • I could scan for open ports that don't need to be open, to tighten security.

Security Threat Model

My threat model will identify three security threats and propose mitigation strategies for them.

  1. Unauthorised Access: The mitigation for this would be to use strong passwords, or to use the key-based authentication that I mentioned above. This would prevent access to the server VM from bad actors.
  2. Malware/Ransomware: If malware is unknowingly installed on the system, data could be stolen or the system could cease functioning, meaning that my coursework would be disrupted. Mitigation for this includes enabling unattended-upgrades (as mentioned above), and potentially installing an[...] backups of the virtual machine, saving its state at each stage so that I can rollback at any time.
  3. Denial of Service (DoS) Attacks: Fail2ban and firewall configuration can be used to prevent an attacker flooding my system with malicious traffic which would prevent me from working. In addition, I could configure rate limiting preventing an influx of requests fron a single IP address.

Application Selection for Performance Testing

14/11/2025

Application Selection Matrix & Installation Commands/Documentation

Workload Type Application Install Command Description Justification
CPU Workload sudo apt install -y stress-ng Produces synthetic CPU stress tests using multiple threads to test whole processor performance. Good for controlled benchmarking of CPU performance. Gives consistent results and is very customisable.
RAM Workload sudo apt install -y stress-ng Allocates and stressed RAM through consistent methods. The tool will already be installed for the CPU benchmark, so it is efficient to use the same tool. Simple to script for repeatable, consistent tests.
I/O Benchmark sudo apt install -y fio fio is a professional grade storage benchmarking tool that simulates reads and writes. Highly configurable and industry standard for storage testing, meaning any results I get from this benchmark will be of good quality.
Networking Benchmark sudo apt install -y iperf3 A widely used network performance tester. Important for a server. Provides clean measureable data. Perfect for bandwidth and latency tests.

Expected Resource Profiles

Based on the selected applications, I anticipate the following resource behaviors:

  • CPU Tests: The stress-ng CPU stressors should drive user-space CPU utilization to near 100%. I expect to see the system load average rise significantly above the number of available cores (which is 2 in this VM). This will verify if the virtual CPU allocation is sufficient for high-demand tasks.
  • Memory Tests: RAM stressors will rapidly consume available memory. I anticipate seeing the "free" memory drop close to zero. If the stressor exceeds physical RAM (approx 2GB), I expect to see swap usage ("si" and "so" columns in vmstat) increase, resulting in degraded system responsiveness.
  • I/O Tests: The fio benchmarks will saturate the virtual disk controller. I expect high read/write throughput and a notable spike in "iowait" percentages during heavy random access tests, which will help benchmark the underlying storage performance.
  • Network Tests: iperf3 should saturate the virtual network adapter. I expect to see consistent throughput matching the provisioned bandwidth of the bridged adapter, potentially reaching gigabit speeds on the local network.

Monitoring Strategy

To effectively capture performance data during these tests, I will employ a "split-terminal" strategy using two simultaneous SSH connections:

  1. Terminal A (Load Generator): This session will execute the benchmark commands (e.g., stress-ng or fio).
  2. Terminal B (Monitor): This session will run real-time monitoring tools. I will use htop for a visual overview of processes and vmstat 1 to capture second-by-second granular data on memory, swap, and CPU activity.

For the final report, I will pipe the output of the monitoring tools to log files (e.g., vmstat 1 > cpu_test_log.txt) to generate graphs. I will also verify system stability by checking dmesg or /var/log/syslog for any kernel errors or OOM (Out of Memory) killer events that may occur during the stress tests.

Initial System Configuration & Security Implementation

21/11/2025

Configuring SSH with key-based authentication

I started by generating an ed25519 key pair with my student email on my workstation.

Configuring a firewall permitting SSH from one specific workstation only

Managing users and implement privilege management, creating a non-root administrative user

Configuration Files with before and after comparisons

Advanced Security and Monitoring Infrastructure

28/11/2025

Implementing Access Control using SELinux or AppArmor

Configuring automatic security updates

Configuring fail2ban for enhanced intrusion detection

Creating a security baseline verification script that verifies security configurations

Creating a remote monitoring script to collect performance metrics