CloudStack CentOS Template – Cloud Configuration

(NOTE: This post is a WIP)

This is Part 2/3 of the CloudStack CentOS Template creation process. Please do read Part 1: Install From ISO post if you haven’t already.

Once your CentOS instance is reachable from an external network, let’s begin with the customization tasks…

Install XenServer Tools

Only required on XenServer OS templates. For VMware OS templates, attach the VMware tools ISO instead.

  1. Attach the ‘xen-pv-drv’ ISO to the running instance
  2. Mount /cdrom from the guest OS
    [root@centos65-xen64 ~]# mount /dev/cdrom /mnt
    
  3. Run the Installation script “/mnt/Linux/install.sh”
    [root@centos65-xen64 ~]# cd /mnt/Linux
    [root@centos65-xen64 ~]# ./install.sh
    
  4. Unmount and detach the ISO from the running instance
    [root@centos65-xen64 ~]# cd /
    [root@centos65-xen64 ~]# umount /mnt
    

OS Configuration

  1. Perform a full “yum update” run to pick up security and OS updates. This takes a few minutes, depending on your Internet speed.
    [root@centos65-xen64 ~]# yum update -y
    ...
    Installed:
      kernel.x86_64 0:2.6.32-431.3.1.el6
    
    Updated:
      ca-certificates.noarch 0:2013.1.95-65.1.el6_5
      centos-release.x86_64 0:6-5.el6.centos.11.2
      dracut.noarch 0:004-336.el6_5.2
      dracut-kernel.noarch 0:004-336.el6_5.2
      ethtool.x86_64 2:3.5-1.2.el6_5
      kernel-firmware.noarch 0:2.6.32-431.3.1.el6
      nspr.x86_64 0:4.10.2-1.el6_5
      nss.x86_64 0:3.15.3-3.el6_5
      nss-sysinit.x86_64 0:3.15.3-3.el6_5
      nss-tools.x86_64 0:3.15.3-3.el6_5
      nss-util.x86_64 0:3.15.3-1.el6_5
      openssl.x86_64 0:1.0.1e-16.el6_5.1
      tzdata.noarch 0:2013i-1.el6
      yum.noarch 0:3.2.29-43.el6.centos
    
    Complete!
    
  2. Remove CentOS graphical boot options. I like to see kernel messages
    [root@centos65-xen64 ~]# grubby --update-kernel=ALL --remove-args="rhgb quiet"
    
  3. Remove udev network rules file (if it exists)
    [root@centos65-xen64 ~]# rm -vf /etc/udev/rules.d/70-persistent-net.rules
    
  4. Install some useful packages
    [root@centos65-xen64 ~]# yum install -y \
     openssh-clients \
     screen \
     man
    
  5. Remove some packages that are not so useful in a cloud environment
    [root@centos65-xen64 ~]# yum remove -y \
      NetworkManager \
      fcoe-utils \
      lldpad
    
  6. I like SELinux=permissive in /etc/sysconfig/selinux instead of the default CentOS “enforcing” setting
    [root@centos65-xen64 ~]# grep ^SELINUX= /etc/sysconfig/selinux
    SELINUX=permissive
    
  7. Have a clean /etc/hosts with only localhost entries
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    
  8. Remove existing SSH host keys under /etc/ssh/
    [root@centos65-xen64 ~]# rm -vf \
      /etc/ssh/{ssh_host_dsa_key.pub,ssh_host_dsa_key} \
      /etc/ssh/{ssh_host_rsa_key.pub,ssh_host_rsa_key} \
      /etc/ssh/{ssh_host_key.pub,ssh_host_key} \
      /etc/ssh/{ssh_host_ecdsa_key.pub,ssh_host_ecdsa_key}
    
  9. Also remove SSH known hosts file /root/.ssh/known_hosts
    [root@centos65-xen64 ~]# rm -vf /root/.ssh/known_hosts
    
  10. Clean up the root user’s history file.
    [root@centos65-xen64 ~]# truncate -s 0 /root/.bash_history 
    
  11. Clean up all the log files
    [root@centos65-xen64 ~]# truncate -s 0 \
      /var/log/maillog \
      /var/log/messages \
      /var/log/secure \
      /var/log/spooler \
      /var/log/dracut.log \
      /var/log/lastlog \
      /var/log/wtmp \
      /var/log/cron
    
  12. Disable services which are not useful in a cloud environment
    [root@centos65-xen64 ~]# chkconfig blk-availability off
    [root@centos65-xen64 ~]# chkconfig iscsi off
    [root@centos65-xen64 ~]# chkconfig iscsid off
    
  13. Create the file /etc/sudoers.d/cloud-user, with permissions 0440, granting sudo permissions to the user cloud-user
    [root@centos65-xen64 ~]# cat /etc/sudoers.d/cloud-user
    # cloud-user
    cloud-user	ALL=(ALL)	NOPASSWD: ALL
    [root@centos65-xen64 ~]# chmod -v 0440 /etc/sudoers.d/cloud-user
    
  14. Perform a “yum clean all” action
    [root@centos65-xen64 ~]# yum clean all
    Loaded plugins: fastestmirror
    Cleaning repos: base
    Cleaning up Everything
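
As a check on steps 3, 8 to 11 and 13 above, the following script audits a template root for leftovers from the build VM. It is an added example, not part of the original post; the function name audit_template and the FAIL output format are assumptions, and the sample root it builds is constructed.

```bash
#!/bin/bash
# Added example: audit a template root for leftovers from the build VM.
# Prints one FAIL line per finding; returns 0 only when nothing is found.
audit_template() {
    local root="${1%/}" fails=0 f

    # Step 3: a stale rule pins eth0 to the build VM's MAC address.
    f=/etc/udev/rules.d/70-persistent-net.rules
    if [ -e "$root$f" ]; then
        echo "FAIL: $f still present"; fails=$((fails + 1))
    fi

    # Step 8: host keys baked into the template are shared by every clone.
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] || continue
        echo "FAIL: host key left behind: ${f#"$root"}"; fails=$((fails + 1))
    done

    # Steps 9-11: history, known_hosts and logs must be absent or empty.
    for f in /root/.ssh/known_hosts /root/.bash_history \
             /var/log/maillog /var/log/messages /var/log/secure \
             /var/log/spooler /var/log/dracut.log /var/log/lastlog \
             /var/log/wtmp /var/log/cron; do
        if [ -s "$root$f" ]; then
            echo "FAIL: $f is not empty"; fails=$((fails + 1))
        fi
    done

    # Step 13: the sudoers drop-in must exist with mode 0440 exactly.
    f=/etc/sudoers.d/cloud-user
    if [ -z "$(find "$root$f" -type f -perm 0440 2>/dev/null)" ]; then
        echo "FAIL: $f missing or not mode 0440"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ]
}

# Constructed sample: a fake root that skipped steps 8 and 13.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/ssh" "$demo_root/etc/sudoers.d"
echo "constructed key" > "$demo_root/etc/ssh/ssh_host_rsa_key"
audit_template "$demo_root" || echo "template is not ready to seal"
rm -rf "$demo_root"
```

On the build VM, call `audit_template /` as root after step 14. Logs can refill while the VM keeps running, so a FAIL on a /var/log entry means repeating step 11.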
    

Install cloud-init

The installation and configuration of cloud-init for CentOS is in this blog post.

The most important entries in /etc/cloud/cloud.cfg are

datasource_list: ['CloudStack']
disable_root: 1
ssh_pwauth:   0

The “root” account will be disabled, along with the PasswordAuthentication option for the ssh service. Instead, you are expected to use the account cloud-user, which will be created by cloud-init. We have already enabled sudo access for this user earlier.

Once configured, you could remove the EPEL and cloud-init repo if you prefer to have templates without any pre-configured Yum repositories.

CAVEAT: At this time (Apache CloudStack 4.2.0) the UI does not have a way for the user to create an instance with the SSH key specified – it can only be done via the API. So unless you have a custom UI which allows end users to select a key, you might want to leave ssh_pwauth enabled for now.

CloudStack “guest-set-password” Script Installation

The installation and configuration of cloudstack-guest-set-password script is covered in an earlier blog post here

Shanker Balan

Shanker Balan is a devops and infrastructure freelancer with over 14 years of industry experience in large scale Internet systems. He is available for both short term and long term projects on contract. Please use the Contact Form for any enquiry.
