Dolibarr 23 ERP CRM on Ubuntu 24.04 on Azure User Guide
Overview
Dolibarr is the open source ERP and CRM platform for small and medium businesses, freelancers and non profit organisations. It brings third party management, commercial proposals, sales and purchase orders, customer and supplier invoices, a product and service catalogue, stock and warehouse management, projects and time tracking, an agenda and a modular accounting suite together in one web interface, with a large module ecosystem for payments, email and external integrations. The cloudimg image ships Dolibarr 23 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The install wizard is pre completed and locked, so the platform is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- Dolibarr 23 served by nginx and PHP 8.3 FPM, managed by systemd
- A bundled MariaDB server holding the Dolibarr database, already installed and ready
- The install wizard pre completed and locked, so no setup wizard is ever exposed
- A per VM administrator password generated on first boot and recorded in a root only file
- No shipped default login: the administrator password ships rotated to a discarded random and the real per VM password is set on first boot
- MariaDB bound to
127.0.0.1only, never exposed to the network - A dedicated Azure data disk carrying both the MariaDB database and Dolibarr's uploaded and generated documents
- A systemd timer running Dolibarr's scheduled jobs every five minutes
nginx.service,php8.3-fpm.serviceandmariadb.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_D2s_v3 (2 vCPU / 8 GiB RAM) is a sensible starting point for typical production use; a smaller size such as Standard_B2s works for a small team. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Dolibarr by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80) and HTTPS (443). Review the dedicated data disk on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name dolibarr \
--image <marketplace-image-urn> \
--size Standard_D2s_v3 \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open ports 80 and 443:
az vm open-port --resource-group <your-rg> --name dolibarr --port 80,443
Step 3 - Confirm the services are running
SSH in as azureuser and confirm nginx, PHP FPM, MariaDB and the first boot service are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves Dolibarr on port 80.
systemctl is-active nginx php8.3-fpm mariadb dolibarr-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
Every VM generates its own Dolibarr administrator password on first boot and writes it, along with the login user and the application URL, to a root only credentials file. Read it with sudo:
sudo cat /root/dolibarr-credentials.txt

You sign in to Dolibarr as user admin with the DOLIBARR_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.
Step 5 - Sign in
Browse to http://<vm-public-ip>/. You land on the Dolibarr sign in page. Enter username admin and the password from Step 4.

After signing in you land on the Dolibarr home dashboard, which summarises your proposals, orders, invoices and agenda at a glance.

Step 6 - Set up your company and enable modules
Open Home then Setup then Company or Organization to set your company identity, currency and accounting preferences. Then open Home then Setup then Modules to enable the modules you need. The image already enables the core ERP and CRM modules (Third Parties, Products, Proposals, Orders, Invoices, Projects and Agenda); enable more as your business grows, such as stock, accounting, expense reports or the REST API.
Step 7 - Manage third parties
Open Third parties in the top menu to create your customers, prospects and suppliers. Each third party holds contacts, addresses, bank details and the full history of proposals, orders and invoices raised against it.

Step 8 - Raise proposals, orders and invoices
Dolibarr models the full sales cycle. Create a commercial proposal for a third party, convert an accepted proposal into a sales order, then generate a customer invoice from the order and record the payment against it. Open Billing | Payment then Customer invoices to see and manage every invoice.

Step 9 - No known or default credentials
The cloudimg image ships with the Dolibarr administrator password rotated to a discarded random value, and the real per VM administrator password is generated with a unique random secret on the first boot of every VM. No known or blank credential authenticates. You can prove this with the built in round trip check, which confirms the per VM administrator signs in through Dolibarr's own login form while a blank password and common weak guesses are all rejected. The admin account is the only Dolibarr super admin:
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(login,' (Dolibarr super admin)') FROM dolibarr.llx_user WHERE admin=1"
sudo bash /usr/local/sbin/dolibarr-cred-roundtrip.sh

Step 10 - Verify the stack and where your data lives
Confirm the installed Dolibarr release, the health endpoint and the dedicated data disk. The MariaDB database lives on the data disk mounted at /data (bind mounted onto /var/lib/mysql), and Dolibarr's uploaded and generated documents live on the same disk at /data/dolibarr/documents, so all of your business data is kept separate from the operating system disk and rides with the VM:
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT('Dolibarr ',value) FROM dolibarr.llx_const WHERE name='MAIN_VERSION_LAST_INSTALL'"
curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql

Adding your own domain and TLS
The appliance serves plain HTTP on port 80. For production, point a DNS record at your VM and obtain a certificate with Let's Encrypt:
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d <your-domain>
Dolibarr derives its base URL from the request Host header, so once you reach the VM on your domain over HTTPS the links render correctly with no further change. To force HTTPS, set $dolibarr_main_force_https='1'; in /var/www/dolibarr/htdocs/conf/conf.php.
Scheduled jobs
Dolibarr's scheduled jobs (recurring invoices, email reminders and more) run automatically every five minutes through a systemd timer. Check the timer and its schedule:
systemctl status dolibarr-cron.timer --no-pager | head -5
Backing up
Your business data is the Dolibarr database plus the uploaded and generated documents. Dump the database and archive the documents directory:
sudo mysqldump --protocol=socket -uroot dolibarr > /tmp/dolibarr-backup.sql
sudo tar czf /tmp/dolibarr-documents-backup.tar.gz -C /data/dolibarr documents
Copy both files off the VM on your usual schedule. To restore, load the SQL dump into the dolibarr database and unpack the archive back to /data/dolibarr/documents.
Security notes
- Dolibarr serves plain HTTP on port 80 out of the box. For anything beyond a trusted network, add your own domain and TLS as above, or front the VM with Azure Application Gateway.
- The bundled MariaDB listens on
127.0.0.1only and is never reachable from the network. Administer it through Dolibarr or over SSH withsudo mariadb. - The administrator password is unique per VM and no known or blank credential authenticates. Keep
/root/dolibarr-credentials.txtprotected. To rotate the password, sign in and change it under Users and Groups, or from the box set a new one directly:
sudo mariadb dolibarr -e "UPDATE llx_user SET pass_crypted=MD5('<new-password>'), pass=NULL WHERE login='admin'"
- The
/confand/documentstrees and dotfiles are denied by nginx, so configuration and uploaded files are never web reachable. - Apply operating system updates regularly with
sudo apt update && sudo apt upgrade; unattended security updates are enabled by default. - Restrict inbound
80/tcpand443/tcpin your NSG to the networks that need access.
Trademark
Dolibarr is an open source project distributed under the GNU General Public License version 3. This image is an independent packaging of the open source Dolibarr software by cloudimg and is not affiliated with, sponsored by, or endorsed by the Dolibarr project or the Dolibarr Foundation.
Support
This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating Dolibarr on Azure, contact us at cloudimg.co.uk.