Databases Azure

Firebird SQL 5 on Ubuntu 22.04 on Azure User Guide

| Product: Firebird SQL 5 on Ubuntu 22.04 on Azure

Overview

This guide covers the deployment and configuration of Firebird SQL 5 on Ubuntu 22.04 on Azure using cloudimg Azure Marketplace images. Firebird is a lightweight, ACID compliant relational database that evolved from Borland InterBase. It is open source, written in C++, and has no Java or Python runtime dependency, which keeps the attack surface small and the image footprint tiny. Firebird 5 is the current major release, delivering improved multi threaded performance, a built in profiler, parallel backup and restore, and enhanced SQL standard compliance. It supports stored procedures, triggers, views, user defined functions, and transaction isolation up to snapshot level. Firebird is a natural fit for embedded workloads, departmental line of business systems, and any case where you want a production grade SQL database without the operational weight of a large multi tenant engine.

The image ships Firebird 5.0.4 in SuperServer mode, the multi threaded server profile that is the right default for a single virtual machine. Wire encryption is enabled by default through the WireCrypt = Enabled directive in firebird.conf, and remote access over TCP port 3050 is turned on so clients can connect from inside the virtual network. A randomly generated SYSDBA password is written to /stage/scripts/firebird-credentials.log on first boot and that file is the single source of truth for the administrator password on the running virtual machine. The installation lives at /opt/firebird as produced by the upstream Firebird tarball installer, so all binaries, configuration files, and the security database are discoverable in one place.

What is included:

  • Firebird SQL 5.0.4 in SuperServer mode, installed from the official upstream tarball at github.com/FirebirdSQL/firebird
  • Listener on TCP port 3050
  • isql command line client and the Firebird utilities (gbak, gfix, gsec, gstat, fbsvcmgr, qli) at /opt/firebird/bin/
  • Per VM SYSDBA password generated on first boot
  • Demo database at /opt/firebird/data/demo.fdb
  • Systemd service firebird.service for automatic startup on boot
  • OS package update script for keeping the system current
  • 24/7 cloudimg support with guaranteed 24 hour response SLA

Prerequisites

Before deploying this image, ensure you have:

  1. An active Azure subscription
  2. A subscription to the Firebird SQL 5 on Ubuntu listing on Azure Marketplace
  3. An SSH public key for virtual machine authentication
  4. Familiarity with Azure virtual machine management and SSH
  5. A virtual network and subnet in the target region (or be willing to create one in the deploy wizard)

Recommended virtual machine size: Standard_B2s (2 vCPU, 4 GB RAM). Firebird is extremely efficient. The burstable B series is the right default because most Firebird workloads are idle or near idle most of the time and burst briefly when a query lands, which is exactly the workload profile B series credits are designed for. Scale up to Standard_D2s_v3 for sustained concurrent write rates or if you are hosting more than a few tens of gigabytes of database per instance.

Step 1: Deploy the Virtual Machine from the Azure Portal

Navigate to Marketplace in the Azure Portal, search for Firebird SQL 5, and select the cloudimg publisher entry. Click Create to begin the wizard.

On the Basics tab choose your subscription, target resource group, and region. Set the virtual machine name. Choose SSH public key as the authentication type, set the username to a name of your choice (the examples below use azureuser), and paste your SSH public key. Standard_B2s is the recommended starting size.

On the Disks tab the recommended OS disk type is Standard SSD. The Firebird database directory lives at /opt/firebird/data. If your working set is larger than a few gigabytes, attach a separate data disk now and bind mount it over the data directory after the server is running.

On the Networking tab select your existing virtual network and subnet. Attach a network security group that allows inbound TCP 22 from your management IP range and inbound TCP 3050 only from the virtual network CIDR or the specific application server subnets that need to talk to the database. Do not expose 3050 to the public internet. Firebird authentication is strong, but an exposed relational database is always a bad idea and the SYSDBA password is written in plain text on the virtual machine by design so that you can read it without a second trip.

On the Management, Monitoring, and Advanced tabs the defaults are appropriate. Click Review + create, wait for validation to pass, then click Create. Deployment takes around two minutes.

Step 2: Deploy the Virtual Machine from the Azure CLI

If you prefer the command line, use the gallery image resource identifier as the source. The exact resource identifier is published on your Partner Center plan. A representative invocation:

RG="firebird-prod"
LOCATION="eastus"
VM_NAME="firebird-01"
ADMIN_USER="azureuser"
GALLERY_IMAGE_ID="/subscriptions/<sub-id>/resourceGroups/azure-cloudimg/providers/Microsoft.Compute/galleries/cloudimgGallery/images/firebird-5-ubuntu-22-04/versions/<version>"
SSH_KEY="$(cat ~/.ssh/id_rsa.pub)"

az group create --name "$RG" --location "$LOCATION"

az network vnet create \
  --resource-group "$RG" \
  --name firebird-vnet \
  --address-prefix 10.60.0.0/16 \
  --subnet-name firebird-subnet \
  --subnet-prefix 10.60.1.0/24

az network nsg create --resource-group "$RG" --name firebird-nsg

az network nsg rule create \
  --resource-group "$RG" --nsg-name firebird-nsg \
  --name allow-ssh-mgmt --priority 100 \
  --source-address-prefixes "<your-mgmt-cidr>" \
  --destination-port-ranges 22 --access Allow --protocol Tcp

az network nsg rule create \
  --resource-group "$RG" --nsg-name firebird-nsg \
  --name allow-firebird-vnet --priority 110 \
  --source-address-prefixes 10.60.0.0/16 \
  --destination-port-ranges 3050 --access Allow --protocol Tcp

az vm create \
  --resource-group "$RG" \
  --name "$VM_NAME" \
  --image "$GALLERY_IMAGE_ID" \
  --size Standard_B2s \
  --storage-sku StandardSSD_LRS \
  --admin-username "$ADMIN_USER" \
  --ssh-key-values "$SSH_KEY" \
  --vnet-name firebird-vnet --subnet firebird-subnet \
  --nsg firebird-nsg \
  --public-ip-address "" \
  --os-disk-size-gb 32

The --public-ip-address "" flag keeps the database off the public internet. Use a bastion host or your existing private connectivity to reach it.

Step 3: Connect via SSH

After deployment, find the private IP of the new virtual machine. From a host inside the same virtual network:

ssh azureuser@<private-ip>

The first login may take a few seconds while cloud init finalises. Once you have a shell, the server has already been started by systemd and the first boot oneshot has already generated the per VM SYSDBA password and created the default database.

Step 4: Retrieve the SYSDBA Password

The SYSDBA password has been randomly generated on this specific virtual machine and written to a root only file. Read it once with:

sudo cat /stage/scripts/firebird-credentials.log

You will see lines similar to:

port=3050
default_database=/opt/firebird/data/demo.fdb
sysdba_password=<random-password-unique-to-this-vm>
sample_connect_local=/opt/firebird/bin/isql -user SYSDBA -password '<random-password>' /opt/firebird/data/demo.fdb
sample_connect_remote=/opt/firebird/bin/isql -user SYSDBA -password '<random-password>' <vm-ip>:/opt/firebird/data/demo.fdb

Store the value of sysdba_password= in your secret store. You can delete /stage/scripts/firebird-credentials.log after you have copied the password, but keeping it read protected to root is a reasonable default.

Step 5: Connect Locally with isql

The Firebird command line client is installed at /opt/firebird/bin/isql. You can either source the cloudimg environment helper so /opt/firebird/bin is on your PATH:

source /usr/local/sbin/setEnv.sh

or invoke isql by its full path in every command. This guide uses the full path so every example is copy-paste ready without relying on shell state.

Export the password as a shell variable so you do not have to type it repeatedly:

export SYSDBA_PW="$(sudo awk -F= '/^sysdba_password=/ {print $2}' /stage/scripts/firebird-credentials.log)"
export FB_DB="$(sudo awk -F= '/^default_database=/ {print $2}' /stage/scripts/firebird-credentials.log)"

Connect to the demo database as SYSDBA:

/opt/firebird/bin/isql -user SYSDBA -password "$SYSDBA_PW" "$FB_DB"

You should see a prompt of the form:

Database: "/opt/firebird/data/demo.fdb", User: SYSDBA
SQL>

Type SHOW VERSION; to confirm the server version, then QUIT; to exit.

Step 6: Create a Table, Insert a Row, and Query

From a new shell, run the canonical SQL round-trip. This is the exact smoke test cloudimg runs in its build pipeline before shipping an image.

/opt/firebird/bin/isql -user SYSDBA -password "$SYSDBA_PW" "$FB_DB" <<'SQL'
CREATE TABLE customers (
  id INTEGER NOT NULL PRIMARY KEY,
  name VARCHAR(100),
  created TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
COMMIT;

INSERT INTO customers (id, name) VALUES (1, 'cloudimg');
COMMIT;

SELECT id, name, created FROM customers;
QUIT;
SQL

The SELECT will return one row with 1 cloudimg <timestamp>. Transactions in Firebird are explicit; the COMMIT after each statement makes the changes durable. Without it the rows remain in an uncommitted transaction and will be lost when the session ends.

Step 7: Connect from a Remote Client

Firebird's remote connection string uses the HOST:PATH form rather than the host:port/dbname style used by PostgreSQL, MySQL, or SQL Server. The path is the server side absolute path to the .fdb file:

/opt/firebird/bin/isql -user SYSDBA -password '<pw>' <vm-ip>:/opt/firebird/data/demo.fdb

The same pattern works from any Firebird client: the FlameRobin GUI, DBeaver with the community Jaybird driver, or any JDBC/ODBC application. A JDBC URL looks like:

jdbc:firebirdsql://<vm-ip>:3050//opt/firebird/data/demo.fdb

The double slash after the hostname is not a typo; it is the JDBC syntax for an absolute path on the server.

Step 8: Server Components

Component Install path
Firebird server daemon /opt/firebird/bin/fbguard, /opt/firebird/bin/firebird
Firebird CLI (isql) /opt/firebird/bin/isql
Firebird utilities (gbak, gfix, gsec, gstat, fbsvcmgr, qli) /opt/firebird/bin/
Primary configuration file /opt/firebird/firebird.conf
Database aliases /opt/firebird/databases.conf
Database directory /opt/firebird/data/
Security database /opt/firebird/security5.fdb
Firebird log /opt/firebird/firebird.log
Systemd unit /etc/systemd/system/firebird.service
Environment helper /usr/local/sbin/setEnv.sh

The image ships Firebird 5.0.4 from the official upstream tarball at github.com/FirebirdSQL/firebird. The exact installed version is recorded in /stage/scripts/BUILD_VERSIONS which you can inspect with cat /stage/scripts/BUILD_VERSIONS.

Step 9: Filesystem Layout

Mount point Size Description
/ 30 GB Root filesystem (includes /opt/firebird)
/boot 1 GB Operating system kernel files
/opt/firebird (on root) Firebird installation root
/opt/firebird/data (on root) Database files (.fdb)

For production you should attach a separate Premium SSD data disk, format it, and bind mount it over /opt/firebird/data. This keeps database I/O off the root disk, which improves IOPS and makes it easy to resize, snapshot, or move the data volume independently of the operating system.

Step 10: Managing the Firebird Service

Firebird is started and stopped by systemd via the firebird.service unit.

Check service status:

systemctl status firebird.service

Stop Firebird:

sudo /usr/local/sbin/firebird-stop.sh
# equivalent to: sudo systemctl stop firebird.service

Start Firebird:

sudo /usr/local/sbin/firebird-start.sh
# equivalent to: sudo systemctl start firebird.service

Restart Firebird:

sudo systemctl restart firebird.service

Step 11: Troubleshooting

Cannot connect to Firebird on port 3050

  1. Verify the service is running: systemctl status firebird.service
  2. Verify the listener is bound: ss -tln | grep 3050
  3. Check that RemoteAccess = true is set in /opt/firebird/firebird.conf
  4. Confirm the network security group allows TCP 3050 from your client source IP
  5. Confirm the virtual machine's NIC is in the expected subnet and has the NSG attached

isql returns "Your user name and password are not defined"

  1. Re read the password from the credentials file — the in memory shell variable may have been truncated
  2. Confirm the SYSDBA user still exists: ls -l /opt/firebird/security5.fdb
  3. If you have rotated the SYSDBA password since deploy, use the rotated value rather than the one in /stage/scripts/firebird-credentials.log which reflects only the initial first boot value

Database file permission denied

  1. Check ownership: ls -l /opt/firebird/data/
  2. Files should be owned by firebird:firebird with mode 0640
  3. If you copied a .fdb from elsewhere, run sudo chown firebird:firebird <path>.fdb

Service fails to start

  1. Check systemd journal: journalctl -u firebird.service --no-pager -n 50
  2. Check Firebird's own log: sudo tail -n 50 /opt/firebird/firebird.log
  3. Check filesystem space: df -h /opt/firebird
  4. Check for port conflicts: ss -tln | grep 3050

Step 12: Security Recommendations

  • Rotate the SYSDBA password after first read using ALTER USER SYSDBA PASSWORD '<new>' from an isql session connected to any database (the command operates on the security database, not the one you connect to):
/opt/firebird/bin/isql -user SYSDBA -password "$SYSDBA_PW" "$FB_DB" <<'SQL'
ALTER USER SYSDBA PASSWORD 'NewStr0ng!Pass';
COMMIT;
QUIT;
SQL
  • Create application specific users with CREATE USER and GRANT statements, never let application code connect as SYSDBA
  • Restrict port 3050 to trusted application server subnets only in your NSG
  • Enforce wire encryption by setting WireCrypt = Required in /opt/firebird/firebird.conf and restarting. Clients that do not support wire encryption will then be refused
  • Back up regularly with gbak: gbak -backup -user SYSDBA -password '<pw>' <db> <backup.fbk>
  • Keep Firebird updated by monitoring github.com/FirebirdSQL/firebird/releases. Point releases can be applied in place by extracting the tarball over /opt/firebird after stopping the service
  • Delete the credentials file once the SYSDBA password is stored in your secret store: sudo shred -u /stage/scripts/firebird-credentials.log

Step 13: Support and Licensing

Firebird SQL is released under the Initial Developer's Public License (IDPL) and the Interbase Public License (IPL). There is no per core, per seat, or per server runtime licence fee; you can run Firebird on as many cores, sockets, and virtual machines as you like without any contact with the Firebird project for licensing purposes.

cloudimg provides commercial support for this image separately from the upstream project. Contact us at any time for support questions, architectural advice, or migration help.

  • Email: support@cloudimg.co.uk
  • Website: www.cloudimg.co.uk
  • Support hours: 24/7 with guaranteed 24 hour response SLA

Deploy on Azure

Launch Firebird SQL 5 on Ubuntu 22.04 with 24/7 support from cloudimg.

View on Marketplace

Need Help?

Our support team is available 24/7.

support@cloudimg.co.uk