CloudStack CentOS Template – Cloud Configuration

(NOTE: This post is a WIP)

This is Part 2/3 of the CloudStack CentOS Template creation process. Please do read Part 1: Install From ISO post if you haven’t already.

Once your CentOS instance is reachable from an external network, let's begin with the customization tasks…

Install XenServer Tools

Only required on XenServer OS templates. For VMware OS templates, attach the VMware tools ISO instead.

  1. Attach the ‘xen-pv-drv’ ISO to the running instance
  2. Mount /cdrom from the guest OS
    [root@centos65-xen64 ~]# mount /dev/cdrom /mnt
  3. Run the Installation script “/mnt/Linux/”
    [root@centos65-xen64 ~]# cd /mnt/Linux
    [root@centos65-xen64 ~]# ./
  4. Unmount and detach the ISO from the running instance
    [root@centos65-xen64 ~]# cd /
    [root@centos65-xen64 ~]# umount /mnt

OS Configuration

  1. Perform a full “yum update” run to pick up security and OS updates. This takes a few minutes, depending on your Internet speed.
    [root@centos65-xen64 ~]# yum update -y

    kernel.x86_64 0:2.6.32-431.3.1.el6

    ca-certificates.noarch 0:2013.1.95-65.1.el6_5
    centos-release.x86_64 0:6-5.el6.centos.11.2
    dracut.noarch 0:004-336.el6_5.2
    dracut-kernel.noarch 0:004-336.el6_5.2
    ethtool.x86_64 2:3.5-1.2.el6_5
    kernel-firmware.noarch 0:2.6.32-431.3.1.el6
    nspr.x86_64 0:4.10.2-1.el6_5
    nss.x86_64 0:3.15.3-3.el6_5
    nss-sysinit.x86_64 0:3.15.3-3.el6_5
    nss-tools.x86_64 0:3.15.3-3.el6_5
    nss-util.x86_64 0:3.15.3-1.el6_5
    openssl.x86_64 0:1.0.1e-16.el6_5.1
    tzdata.noarch 0:2013i-1.el6
    yum.noarch 0:3.2.29-43.el6.centos


  2. Remove CentOS graphical boot options. I like to see kernel messages
    [root@centos65-xen64 ~]# grubby --update-kernel=ALL --remove-args="rhgb quiet"
  3. Remove udev network rules file (if it exists)
    [root@centos65-xen64 ~]# rm -vf /etc/udev/rules.d/70-persistent-net.rules
  4. Install some useful packages

    [root@centos65-xen64 ~]# yum install -y \
    openssh-clients \
    screen

  5. And remove some not so useful packages in a cloud environment

    [root@centos65-xen64 ~]# yum remove -y \
    NetworkManager \
    fcoe-utils

  6. I like SELinux=permissive in /etc/sysconfig/selinux instead of the default CentOS “enforcing” setting
    [root@centos65-xen64 ~]# grep ^SELINUX= /etc/sysconfig/selinux
  7. Have a clean /etc/hosts with only localhost entries
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
  8. Remove existing SSH host keys under /etc/ssh/
    [root@centos65-xen64 ~]# rm -vf \
    /etc/ssh/ssh_host_dsa_key{,.pub} \
    /etc/ssh/ssh_host_rsa_key{,.pub} \
    /etc/ssh/ssh_host_key{,.pub}
  9. Also remove SSH known hosts file /root/.ssh/known_hosts
    [root@centos65-xen64 ~]# rm -vf /root/.ssh/known_hosts
  10. Cleanup root user’s history file.
    [root@centos65-xen64 ~]# truncate -s 0 /root/.bash_history
  11. Cleanup all the log files
    [root@centos65-xen64 ~]# truncate -s 0 \
    /var/log/maillog \
    /var/log/messages \
    /var/log/secure \
    /var/log/spooler \
    /var/log/dracut.log \
    /var/log/lastlog \
    /var/log/wtmp \
    /var/log/cron
  12. Disable services which are not useful in a cloud environment
    [root@centos65-xen64 ~]# chkconfig blk-availability off
    [root@centos65-xen64 ~]# chkconfig iscsi off
    [root@centos65-xen64 ~]# chkconfig iscsid off
  13. Create the file /etc/sudoers.d/cloud-user, granting sudo permissions to the user cloud-user, and set its permissions to 0440
    [root@centos65-xen64 ~]# cat /etc/sudoers.d/cloud-user
    # cloud-user
    cloud-user ALL=(ALL) NOPASSWD: ALL
    [root@centos65-xen64 ~]# chmod -v 0440 /etc/sudoers.d/cloud-user
  14. Perform a “yum clean all” action
    [root@centos65-xen64 ~]# yum clean all
    Loaded plugins: fastestmirror
    Cleaning repos: base
    Cleaning up Everything
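
A pre-seal check for the cleanup steps above, as an added example that is not part of the original post: `audit_template` (a hypothetical helper name) takes the root of a template filesystem and reports host keys, known_hosts, udev rules, history or log content that would otherwise be cloned into every instance. It assumes GNU `stat`, as shipped with CentOS.

```shell
#!/bin/sh
# Added example: audit a template root for residue the cleanup steps remove.
# Prints one "FAIL:" line per finding; returns 0 when clean, 1 otherwise.

_flag() { echo "FAIL: $1"; audit_failed=1; }

audit_template() {
    root="${1:-}"          # "" or "/" audits the live system; a path audits a mounted image
    root="${root%/}"
    audit_failed=0

    # Steps 3, 8, 9: files that must not exist in a template.
    for f in /etc/udev/rules.d/70-persistent-net.rules \
             /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub \
             /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub \
             /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub \
             /root/.ssh/known_hosts; do
        if [ -e "$root$f" ]; then _flag "$f still present"; fi
    done

    # Steps 10, 11: history and logs may exist but must be empty.
    for f in /root/.bash_history /var/log/maillog /var/log/messages \
             /var/log/secure /var/log/spooler /var/log/dracut.log \
             /var/log/lastlog /var/log/wtmp /var/log/cron; do
        if [ -s "$root$f" ]; then _flag "$f is not empty"; fi
    done

    # Step 7: /etc/hosts should carry only the two localhost entries.
    if [ -f "$root/etc/hosts" ] &&
       grep -Ev '^[[:space:]]*(#|$)' "$root/etc/hosts" |
       grep -Evq '^(127\.0\.0\.1|::1)[[:space:]]'; then
        _flag "/etc/hosts has non-localhost entries"
    fi

    # Step 13: the sudoers drop-in should carry the 0440 mode set above.
    s="$root/etc/sudoers.d/cloud-user"
    if [ -f "$s" ] && [ "$(stat -c %a "$s")" != "440" ]; then
        _flag "/etc/sudoers.d/cloud-user mode is not 0440"
    fi

    return "$audit_failed"
}
```

Source the file and run `audit_template /` as root just before shutting the instance down to create the template.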

Install cloud-init

The installation and configuration of cloud-init for CentOS is in this blog post.

The most important entries in /etc/cloud/cloud.cfg are

datasource_list: ['CloudStack']
disable_root: 1
ssh_pwauth: 0

The “root” account will be disabled, along with the PasswordAuthentication option of the SSH service. Instead, you are expected to use the account cloud-user, which will be created by cloud-init. We already enabled sudo access for this user earlier.

Once configured, you could remove the EPEL and cloud-init repo if you prefer to have templates without any pre-configured Yum repositories.

CAVEAT: At this time (Apache CloudStack 4.2.0) the UI does not have a way for the user to create an instance with the SSH key specified; it can only be done via the API. So unless you have a custom UI which allows end users to select a key, you might want to leave ssh_pwauth enabled for now.

CloudStack “guest-set-password” Script Installation

The installation and configuration of cloudstack-guest-set-password script is covered in an earlier blog post here

By Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.
