Best practices for image generation

Performance / optimization

  • no NTP synchronization in the VM, time is synchronized by the host through a paravirtualized clock

  • IO scheduler set to deadline

  • no empty large (> 5GB) /scratch type space, go through the volumes or the ephemeral disk for it

  • do not integrate swap in the image (go through the flavors)

  • limit partitioning to a strict minimum (a partition, or even a dedicated one for /tmp and /var)

  • minimize the size of the image so that it will not exceed 20GB.

  • Use RAW images

Security

  • update the packages and apply security patches

  • configure accesses for a non-root user + sudo rather than using the direct root connection

  • images are supposed to be public and must not contain confidential or sensitive data (keys, passwords etc …)

  • do not hardcode the root password, replace in the /etc/shadow the fingerprint by ‘*’ before uploading it to the catalog

Contextualization

  • the image must support cloud-init (especially for the injection of SSH keys)

  • cloud-init must be configured with retries for a long time to reach the metadata service

    # exemple de /etc/cloud/cloud.cfg.d/01_metadata.cfg
datasource:
 OpenStack:
  max_wait: 600
  timeout: 30
  retries: 3

Compatibility

  • image must support cloud-init (particularly for the SSH keys injection)

  • remove any instance-specific configuration (keys, hostnames …)

  • no # at the fstab end of line

  • install virtio drivers for storage

  • support ACPI to manage hardware shutdown

  • to adjust the VMs clock, you need to:

    • use the KVM paravirtualized clock, verify:

      % dmesg |grep clocksource
Switching to clocksource kvm-clock

      otherwise, please refer to setup section.

    • verify the timezone:

      % ls -l /etc/localtime
/sys/devices/system/clocksource/clocksource0/current_clocksource

    • verify the zone defined in /etc/sysconfig/clock

    • check UTC parametrization:

      % sed -i 's/LOCAL/UTC/' /etc/adjtime

Network configuration

  • DHCP network configuration for eth0: dhclient must be configured to try again later (not to quit) if a lease cannot be renewed. Example for EL6:

    % cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
PERSISTENT_DHCLIENT=1

  • install virtio_net drivers

  • delete udev and sysconfig entries for MAC addresses, example for EL6:

    % sed -i 's/^KERNEL!=/KERNEL==/p' /lib/udev/rules.d/75-persistent-net-generator.rules

  • delete DNS configuration, routing, NTP servers. All of these parameters are passed through DHCP to the VM.

  • the hostname is set by DHCP, you must disable the cloud-init module that sets it to the VM name (file /etc/cloud/cloud.cfg):

    [...]
preserve_hostname: 1
[...]