Best practices for image generation

Performance / optimization

  • no NTP synchronization in the VM, time is synchronized by the host through a paravirtualized clock
  • IO scheduler set to deadline
  • do not include a large (> 5GB) empty /scratch-type area; use volumes or the ephemeral disk for that
  • do not include swap in the image (use the flavors for that)
  • limit partitioning to the strict minimum (a single partition, or at most dedicated ones for /tmp and /var)
  • minimize the size of the image so that it will not exceed 20GB.
  • Use RAW images

Security

  • update the packages and apply security patches
  • configure access for a non-root user with sudo rather than allowing direct root login
  • images are supposed to be public and must not contain confidential or sensitive data (keys, passwords etc …)
  • do not hardcode the root password: replace the root password hash in /etc/shadow with ‘*’ before uploading the image to the catalog

Contextualization

  • the image must support cloud-init (especially for the injection of SSH keys)

  • cloud-init must be configured to keep retrying for a long time when the metadata service cannot be reached

    # example /etc/cloud/cloud.cfg.d/01_metadata.cfg
    datasource:
      OpenStack:
        max_wait: 600
        timeout: 30
        retries: 3
    

Compatibility

  • image must support cloud-init (particularly for the SSH keys injection)

  • remove any instance-specific configuration (keys, hostnames …)

  • no trailing # comments at the end of /etc/fstab lines

  • install virtio drivers for storage

  • support ACPI to manage hardware shutdown

  • to keep the VM clock correct, you need to:

    • use the KVM paravirtualized clock; verify it with dmesg (or read /sys/devices/system/clocksource/clocksource0/current_clocksource):

      % dmesg | grep clocksource
      Switching to clocksource kvm-clock
      
    • verify the timezone:

      % ls -l /etc/localtime
      
    • verify the zone defined in /etc/sysconfig/clock

    • check that the hardware clock is set to UTC in /etc/adjtime (this command switches it from LOCAL to UTC):

      % sed -i 's/LOCAL/UTC/' /etc/adjtime
      

Network configuration

  • DHCP network configuration for eth0: dhclient must be configured to try again later (not to quit) if a lease cannot be renewed. Example for EL6:

    % cat /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp
    TYPE=Ethernet
    PERSISTENT_DHCLIENT=1
    
  • install virtio_net drivers

  • delete udev and sysconfig entries for MAC addresses, example for EL6:

    % sed -i 's/^KERNEL!=/KERNEL==/' /lib/udev/rules.d/75-persistent-net-generator.rules
    
  • delete DNS configuration, routing, NTP servers. All of these parameters are passed through DHCP to the VM.

  • the hostname is set by DHCP, so you must disable the cloud-init module that sets it to the VM name (in /etc/cloud/cloud.cfg):

    [...]
    preserve_hostname: 1
    [...]
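The following audit helper is an added example, not part of the original page: it walks a mounted image tree and reports deviations from the Security, Compatibility and Network configuration items above. It assumes the image is mounted read-only at the directory given as its argument (for example with guestmount) and uses the EL6 file layout from the examples.

```shell
#!/bin/sh
# Added audit helper (not from the original page). Assumes the image filesystem is
# mounted read-only at $1 (e.g. via guestmount) and follows the EL6 layout above.

# Prints one FAIL line per finding; the return value is the number of failed checks.
audit_image_root() {
    root="${1:?usage: audit_image_root /path/to/mounted/image}"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # root password hash must be replaced by '*' (a '!'-locked entry is also unusable)
    if [ ! -f "$root/etc/shadow" ]; then
        fail "no /etc/shadow in image"
    else
        hash=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow")
        case "$hash" in
            '*'|'!'|'!!') ;;
            '') fail "root has an empty password field in /etc/shadow" ;;
            *)  fail "root still has a password hash in /etc/shadow" ;;
        esac
    fi

    # instance-specific key material: SSH host keys, root and user SSH files
    for f in "$root"/etc/ssh/ssh_host_*_key "$root"/root/.ssh/* "$root"/home/*/.ssh/*; do
        if [ -e "$f" ]; then fail "instance-specific key material: ${f#"$root"}"; fi
    done

    # leftover MAC address bindings (udev rules and sysconfig HWADDR=)
    [ -s "$root/etc/udev/rules.d/70-persistent-net.rules" ] && \
        fail "udev persistent net rules still present"
    grep -qs '^HWADDR=' "$root"/etc/sysconfig/network-scripts/ifcfg-eth* && \
        fail "HWADDR= bound to a MAC address in ifcfg-eth*"

    # dhclient must keep retrying instead of quitting when a lease cannot be renewed
    grep -qs '^PERSISTENT_DHCLIENT=1' "$root/etc/sysconfig/network-scripts/ifcfg-eth0" || \
        fail "PERSISTENT_DHCLIENT=1 missing from ifcfg-eth0"

    # no trailing '#' comments on /etc/fstab entries
    grep -qs '^[^#].*#' "$root/etc/fstab" && fail "trailing '#' comment in /etc/fstab"

    # hostname must come from DHCP, not from cloud-init
    grep -qsE '^preserve_hostname: *(1|true)' "$root/etc/cloud/cloud.cfg" || \
        fail "preserve_hostname not set in /etc/cloud/cloud.cfg"

    # hardware clock must be UTC
    grep -qs '^UTC$' "$root/etc/adjtime" || fail "/etc/adjtime is not set to UTC"

    return "$fails"
}
```

Run it as `audit_image_root /mnt/image` before uploading; a non-zero exit status is the number of checklist items still failing.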