Best practices for the images

Performance / optimization

  • No NTP synchronization in the VM: time is kept in sync by the host through a paravirtualized clock,

  • IO scheduler set to deadline,

  • no large (>5GB) empty /scratch-type space in the image; use volumes or the ephemeral disk for it,

  • do not include swap in the image (provide it through the flavors),

  • keep partitioning to a strict minimum (a single partition, or at most dedicated ones for /tmp and /var),

  • keep the image small, so that it does not exceed 20GB,

  • use RAW images.

Security

  • Update the packages and apply security patches,

  • configure access for a non-root user with sudo rather than direct root login,

  • images are meant to be public and must not contain confidential or sensitive data (keys, passwords, etc.),

  • do not hardcode the root password: replace the password hash in /etc/shadow with * before uploading the image to the catalog.

Contextualization

  • The image must support cloud-init (in particular for SSH key injection),

  • cloud-init must be configured to keep retrying to reach the metadata service for a long time:

    # example /etc/cloud/cloud.cfg.d/01_metadata.cfg
    datasource:
     OpenStack:
      max_wait: 600
      timeout: 30
      retries: 3


Integration, compatibility

  • Remove any instance-specific configuration (keys, hostnames …),

  • no trailing # at the end of lines in /etc/fstab,

  • install virtio drivers for storage,

  • support ACPI to manage hardware shutdown,

  • to adjust the VM clock, you need to:

    • use the KVM paravirtualized clock, verify:

      % dmesg | grep clocksource
      Switching to clocksource kvm-clock

      or:

      % cat /sys/devices/system/clocksource/clocksource0/current_clocksource
      kvm-clock

      otherwise, please refer to the setup section.

    • verify the timezone:

      % ls -l /etc/localtime

    • verify the zone defined in /etc/sysconfig/clock,

    • make sure the hardware clock is set to UTC in /etc/adjtime:

      % sed -i 's/LOCAL/UTC/' /etc/adjtime
      

Network configuration

  • DHCP network configuration for eth0: dhclient must be configured to keep retrying (rather than exit) when a lease cannot be renewed. Example for EL6:

    % cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    TYPE=Ethernet
    PERSISTENT_DHCLIENT=1
    
  • install virtio_net drivers,

  • delete udev and sysconfig entries for MAC addresses; example for EL6, which disables the persistent-net rule generator (the original command carried a stray /p flag that would duplicate every rewritten line in the file):

    % sed -i 's/^KERNEL!=/KERNEL==/' /lib/udev/rules.d/75-persistent-net-generator.rules
    
  • delete DNS, routing and NTP server configuration: all of these parameters are passed to the VM through DHCP,

  • the hostname is set by DHCP, so you must disable the cloud-init module that sets it to the VM name (in /etc/cloud/cloud.cfg):

    [...]
    preserve_hostname: 1
    [...]
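The following audit script is an added example, not part of this page or of any tool it describes. It checks a mounted image root against the Security items (locked root password, no instance-specific keys) and the Integration and Network items (fstab, MAC address remnants, PERSISTENT_DHCLIENT, preserve_hostname) listed above, and assumes an EL6-style layout (/etc/sysconfig/network-scripts/ifcfg-eth0, /etc/cloud/cloud.cfg); the sample tree it audits by default is constructed for demonstration.

```shell
#!/bin/sh
# Offline audit of a mounted image root (e.g. an image mounted at /mnt/img) against the
# security and integration items of this checklist. One finding per output line; empty
# output means the audited items pass. make_sample_root builds a constructed tree for demo.

audit_image_root() {
  root="$1"
  # Security: every password field in /etc/shadow must be locked ('*', '!' or '!!').
  [ -f "$root/etc/shadow" ] && awk -F: '$2 !~ /^(\*|!|!!)?$/ {print "hashed password for account " $1}' "$root/etc/shadow"
  # Integration: no instance-specific SSH host keys or injected authorized_keys.
  for f in "$root"/etc/ssh/ssh_host_*_key "$root"/root/.ssh/authorized_keys; do
    [ -e "$f" ] && echo "instance-specific file ${f#$root}"
  done
  # Integration: no line of /etc/fstab may end with '#'.
  [ -f "$root/etc/fstab" ] && grep -n '#[[:space:]]*$' "$root/etc/fstab" | sed 's|^|fstab line ending in #: |'
  # Network: no recorded MAC addresses (udev persistent-net rules, HWADDR= in ifcfg files).
  [ -e "$root/etc/udev/rules.d/70-persistent-net.rules" ] && echo "udev persistent-net rules present"
  grep -l '^HWADDR=' "$root"/etc/sysconfig/network-scripts/ifcfg-* 2>/dev/null | sed "s|^$root|HWADDR hardcoded in |"
  # Network: dhclient must keep retrying and the hostname must be left to DHCP.
  cfg="$root/etc/sysconfig/network-scripts/ifcfg-eth0"
  [ -f "$cfg" ] && ! grep -q '^PERSISTENT_DHCLIENT=1' "$cfg" && echo "PERSISTENT_DHCLIENT=1 missing in ifcfg-eth0"
  [ -f "$root/etc/cloud/cloud.cfg" ] && ! grep -Eq '^preserve_hostname: *(1|true)' "$root/etc/cloud/cloud.cfg" \
    && echo "preserve_hostname not enabled in /etc/cloud/cloud.cfg"
  return 0
}

# Constructed sample root tree that violates seven items on purpose (demo input only).
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/udev/rules.d" "$d/etc/cloud" "$d/etc/sysconfig/network-scripts" "$d/etc/ssh"
  printf 'root:$6$salt$hash:18000:0:99999:7:::\nbin:*:18000:0:99999:7:::\n' > "$d/etc/shadow"
  printf 'UUID=abcd / ext4 defaults 1 1 #\n' > "$d/etc/fstab"
  : > "$d/etc/ssh/ssh_host_rsa_key"
  printf 'SUBSYSTEM=="net", ATTR{address}=="52:54:00:12:34:56", NAME="eth0"\n' > "$d/etc/udev/rules.d/70-persistent-net.rules"
  printf 'DEVICE=eth0\nONBOOT=yes\nBOOTPROTO=dhcp\nHWADDR=52:54:00:12:34:56\n' > "$d/etc/sysconfig/network-scripts/ifcfg-eth0"
  printf 'preserve_hostname: 0\n' > "$d/etc/cloud/cloud.cfg"
  echo "$d"
}

# Usage: audit_image_root /mnt/img   (without an argument, audit the constructed sample)
if [ $# -gt 0 ]; then
  audit_image_root "$1"
else
  sample=$(make_sample_root); audit_image_root "$sample"; rm -rf "$sample"
fi
```

Run it against the mount point of the image before uploading; each printed line maps to one item of the checklist that still needs fixing.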