Applications Azure

Dolibarr 23 ERP CRM on Ubuntu 24.04 on Azure User Guide

| Product: Dolibarr 23 ERP CRM on Ubuntu 24.04 LTS on Azure

Overview

Dolibarr is the open source ERP and CRM platform for small and medium businesses, freelancers and non profit organisations. It brings third party management, commercial proposals, sales and purchase orders, customer and supplier invoices, a product and service catalogue, stock and warehouse management, projects and time tracking, an agenda and a modular accounting suite together in one web interface, with a large module ecosystem for payments, email and external integrations. The cloudimg image ships Dolibarr 23 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The install wizard is pre completed and locked, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Dolibarr 23 served by nginx and PHP 8.3 FPM, managed by systemd
  • A bundled MariaDB server holding the Dolibarr database, already installed and ready
  • The install wizard pre completed and locked, so no setup wizard is ever exposed
  • A per VM administrator password generated on first boot and recorded in a root only file
  • No shipped default login: the administrator password ships rotated to a discarded random and the real per VM password is set on first boot
  • MariaDB bound to 127.0.0.1 only, never exposed to the network
  • A dedicated Azure data disk carrying both the MariaDB database and Dolibarr's uploaded and generated documents
  • A systemd timer running Dolibarr's scheduled jobs every five minutes
  • nginx.service, php8.3-fpm.service and mariadb.service as enabled systemd units
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_D2s_v3 (2 vCPU / 8 GiB RAM) is a sensible starting point for typical production use; a smaller size such as Standard_B2s works for a small team. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Dolibarr by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create then Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name dolibarr \
  --image <marketplace-image-urn> \
  --size Standard_D2s_v3 \
  --admin-username azureuser \
  --generate-ssh-keys \
  --public-ip-sku Standard

Then open ports 80 and 443:

az vm open-port --resource-group <your-rg> --name dolibarr --port 80,443

Step 3 - Confirm the services are running

SSH in as azureuser and confirm nginx, PHP FPM, MariaDB and the first boot service are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves Dolibarr on port 80.

systemctl is-active nginx php8.3-fpm mariadb dolibarr-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/  */ /g'

The nginx, php8.3-fpm, mariadb and dolibarr-firstboot services active, with nginx on port 80 and MariaDB bound to loopback 127.0.0.1:3306

Step 4 - Retrieve the per VM administrator password

Every VM generates its own Dolibarr administrator password on first boot and writes it, along with the login user and the application URL, to a root only credentials file. Read it with sudo:

sudo cat /root/dolibarr-credentials.txt

The per VM Dolibarr credentials file, showing the admin login user, the generated password masked, the application URL and the loopback MariaDB details

You sign in to Dolibarr as user admin with the DOLIBARR_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.

Step 5 - Sign in

Browse to http://<vm-public-ip>/. You land on the Dolibarr sign in page. Enter username admin and the password from Step 4.

The Dolibarr sign in page showing the username and password fields and the login button

After signing in you land on the Dolibarr home dashboard, which summarises your proposals, orders, invoices and agenda at a glance.

The Dolibarr home dashboard after signing in, with the top menu, the left setup sidebar and the global view tiles for proposals, orders, invoices and agenda

Step 6 - Set up your company and enable modules

Open Home then Setup then Company or Organization to set your company identity, currency and accounting preferences. Then open Home then Setup then Modules to enable the modules you need. The image already enables the core ERP and CRM modules (Third Parties, Products, Proposals, Orders, Invoices, Projects and Agenda); enable more as your business grows, such as stock, accounting, expense reports or the REST API.

Step 7 - Manage third parties

Open Third parties in the top menu to create your customers, prospects and suppliers. Each third party holds contacts, addresses, bank details and the full history of proposals, orders and invoices raised against it.

The Dolibarr third parties list showing the customer and supplier columns with the search and filter row

Step 8 - Raise proposals, orders and invoices

Dolibarr models the full sales cycle. Create a commercial proposal for a third party, convert an accepted proposal into a sales order, then generate a customer invoice from the order and record the payment against it. Open Billing | Payment then Customer invoices to see and manage every invoice.

The Dolibarr customer invoices module showing the reference, invoice date, due date, third party, amount and status columns

Step 9 - No known or default credentials

The cloudimg image ships with the Dolibarr administrator password rotated to a discarded random value, and the real per VM administrator password is generated with a unique random secret on the first boot of every VM. No known or blank credential authenticates. You can prove this with the built in round trip check, which confirms the per VM administrator signs in through Dolibarr's own login form while a blank password and common weak guesses are all rejected. The admin account is the only Dolibarr super admin:

mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(login,'  (Dolibarr super admin)') FROM dolibarr.llx_user WHERE admin=1"
sudo bash /usr/local/sbin/dolibarr-cred-roundtrip.sh

The admin account as the only Dolibarr super admin, and the round trip check confirming the per VM admin authenticates via the Dolibarr login form while blank and weak guesses are rejected

Step 10 - Verify the stack and where your data lives

Confirm the installed Dolibarr release, the health endpoint and the dedicated data disk. The MariaDB database lives on the data disk mounted at /data (bind mounted onto /var/lib/mysql), and Dolibarr's uploaded and generated documents live on the same disk at /data/dolibarr/documents, so all of your business data is kept separate from the operating system disk and rides with the VM:

mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('Dolibarr ',value) FROM dolibarr.llx_const WHERE name='MAIN_VERSION_LAST_INSTALL'"
curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql

The installed Dolibarr version, the healthz endpoint returning 200, and the ext4 data disk mounted at /data and bind mounted onto /var/lib/mysql

Adding your own domain and TLS

The appliance serves plain HTTP on port 80. For production, point a DNS record at your VM and obtain a certificate with Let's Encrypt:

sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>

Dolibarr derives its base URL from the request Host header, so once you reach the VM on your domain over HTTPS the links render correctly with no further change. To force HTTPS, set $dolibarr_main_force_https='1'; in /var/www/dolibarr/htdocs/conf/conf.php.

Scheduled jobs

Dolibarr's scheduled jobs (recurring invoices, email reminders and more) run automatically every five minutes through a systemd timer. Check the timer and its schedule:

systemctl status dolibarr-cron.timer --no-pager | head -5

Backing up

Your business data is the Dolibarr database plus the uploaded and generated documents. Dump the database and archive the documents directory:

sudo mysqldump --protocol=socket -uroot dolibarr > /tmp/dolibarr-backup.sql
sudo tar czf /tmp/dolibarr-documents-backup.tar.gz -C /data/dolibarr documents

Copy both files off the VM on your usual schedule. To restore, load the SQL dump into the dolibarr database and unpack the archive back to /data/dolibarr/documents.

Security notes

  • Dolibarr serves plain HTTP on port 80 out of the box. For anything beyond a trusted network, add your own domain and TLS as above, or front the VM with Azure Application Gateway.
  • The bundled MariaDB listens on 127.0.0.1 only and is never reachable from the network. Administer it through Dolibarr or over SSH with sudo mariadb.
  • The administrator password is unique per VM and no known or blank credential authenticates. Keep /root/dolibarr-credentials.txt protected. To rotate the password, sign in and change it under Users and Groups, or from the box set a new one directly:
sudo mariadb dolibarr -e "UPDATE llx_user SET pass_crypted=MD5('<new-password>'), pass=NULL WHERE login='admin'"
  • The /conf and /documents trees and dotfiles are denied by nginx, so configuration and uploaded files are never web reachable.
  • Apply operating system updates regularly with sudo apt update && sudo apt upgrade; unattended security updates are enabled by default.
  • Restrict inbound 80/tcp and 443/tcp in your NSG to the networks that need access.

Trademark

Dolibarr is an open source project distributed under the GNU General Public License version 3. This image is an independent packaging of the open source Dolibarr software by cloudimg and is not affiliated with, sponsored by, or endorsed by the Dolibarr project or the Dolibarr Foundation.

Support

This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating Dolibarr on Azure, contact us at cloudimg.co.uk.