Chapter 12. Create Client Images and Templates

The exact nature of the Red Hat Enterprise Linux (RHEL) images to be created depends on the technology stack in your environment. In all cases, the goal is to create an artifact (image, template, and so on) that will meet certain criteria when instantiated.

12.1. Image Requirements

The following requirements apply to certified cloud images, most of which are default behaviors or configurations.

  • Red Hat packages may not be altered, rebuilt, or replaced.
  • SELinux should be enabled and in enforcing mode.
  • If used, iptables should be blocking access to all ports other than SSH (and any other ports required for proper operation of the cloud infrastructure).
  • Local passwords should use a hashing algorithm at least as strong as the default for that RHEL version (SHA-512 for Red Hat Enterprise Linux 7).
  • Disk size should be at least 6 GB.
  • File system type should be ext4 (Red Hat Enterprise Linux 6) or xfs (Red Hat Enterprise Linux 7).
  • sshd should be enabled for remote access.
  • Syslog configuration should be unchanged from the operating system default.

See the Cloud Image Certification Policy Guide for more details.
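As an added example that is not part of the Red Hat guide, the following bash script checks a booted image against the checklist above. Each check takes its input as an argument so it can be exercised on constructed data; audit_live assumes the RHEL 7 commands getenforce, findmnt, df and systemctl are available and reads "6 GB" as 6*10^9 bytes (an assumption).

```shell
#!/bin/bash
# check_* functions take their input as an argument so they run on constructed data;
# audit_live gathers the live values (assumes getenforce, findmnt, df, systemctl) with --live.

# SELinux enabled and enforcing (input: output of getenforce).
check_selinux() { [ "$1" = "Enforcing" ]; }
# File system ext4 (RHEL 6) or xfs (RHEL 7) (input: fs type of /).
check_fstype() { case "$1" in ext4|xfs) return 0 ;; *) return 1 ;; esac; }
# Disk at least 6 GB (input: size in bytes; 6 GB taken as 6*10^9, an assumption).
check_disk_size() { [ "$(( $1 / 1000000 ))" -ge 6000 ]; }
# sshd enabled (input: "systemctl is-enabled sshd" output, or "on" from chkconfig).
check_sshd() { case "$1" in enabled|on) return 0 ;; *) return 1 ;; esac; }

# Every local password hash read from stdin (shadow format) must use SHA-512 ("$6$").
# Entries with no hash (empty, *, !, !!) and locked hashes (leading !) are skipped;
# anything else (e.g. "$1$" MD5, "$5$" SHA-256) is reported and fails the check.
check_shadow_hashes() {
    local bad=0 user hash
    while IFS=: read -r user hash _; do
        case "$hash" in
            ''|'*'|'!'*) ;;
            '$6$'*) ;;
            *) printf 'weak hash for %s (%.3s)\n' "$user" "$hash" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed shadow-style lines (not from any real system) for a dry run:
# root uses SHA-512, legacy uses MD5, bin and svc carry no hash.
sample_shadow() {
    printf '%s\n' 'root:$6$saltsalt$hashhash:17000:0:99999:7:::' \
        'legacy:$1$abc$xyz:17000:0:99999:7:::' \
        'bin:*:17000:0:99999:7:::' 'svc:!!:17000:0:99999:7:::'
}

# Run every check against the running system; prints each failure, returns 1 if any failed.
audit_live() {
    local rc=0
    check_selinux "$(getenforce)" || { echo "FAIL: SELinux not enforcing"; rc=1; }
    check_fstype "$(findmnt -n -o FSTYPE /)" || { echo "FAIL: root fs not ext4/xfs"; rc=1; }
    check_disk_size "$(df -P -B1 / | awk 'NR==2 {print $2}')" || { echo "FAIL: root fs under 6 GB"; rc=1; }
    check_sshd "$(systemctl is-enabled sshd 2>/dev/null)" || { echo "FAIL: sshd not enabled"; rc=1; }
    check_shadow_hashes < /etc/shadow || { echo "FAIL: weak local password hash"; rc=1; }
    return "$rc"
}

if [ "${1-}" = "--live" ]; then audit_live; fi
```

Run it with --live on the booted image; without arguments it only defines the checks, so `sample_shadow | check_shadow_hashes` exercises the hash check on the constructed lines.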

12.2. Red Hat Update Infrastructure Integration

  1. Integrate the image with the Red Hat Update Infrastructure (RHUI) by transferring the RHUI entitlement RPM and GPG key to the target RHEL client system.
  2. Install the appropriate client configuration RPM.

    # yum install <rhui-client-rhel7>
  3. Import the Red Hat release GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) into the entitlement RPM, along with any custom repository keys.
  4. Import the entitlement RPM GPG key.

    # rpm --import <rhui-client-rhui>
  5. Updates will now come from RHUI instead of the Red Hat Subscription Manager (rhsm); turn off rhsm by setting enabled=0 in ./rhsm.conf.
  6. Optionally (but strongly recommended), run the yum update command to apply all available updates.

12.3. Template Preparation

The image must be sanitized before it can be used as a template. The following script sanitizes a virtual machine image for that purpose; it is compatible with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 images.

Note

The script might require modification in some environments. Review this script carefully before use and make sure that the changes it makes to the image are compatible with your environment.

#!/bin/bash
# Sanitize a RHEL 6/7 virtual machine image before capturing it as a template.
# The system must be *booted* to runlevel 1 / single-user mode (see the steps below).

# Refuse to run unless booted to runlevel 1 (RHEL 6) or single-user "S"/"1" (RHEL 7)
if ! [[ $(runlevel | cut -d " " -f 2) =~ ^[1S]$ ]]; then
    echo "Please *boot* to runlevel 1"
    exit 3
fi

# Kill udev so it cannot regenerate persistent device rules during cleanup
# (udevd is the RHEL 6 daemon name; on RHEL 7 the daemon is systemd-udevd)
killall -9 udevd 2> /dev/null

# Clean out /root: history and SSH keys must not be cloned into every instance
rm -rf /root/*
rm -f /root/.bash_history
rm -rf /root/.ssh

# Remove SSH host keys so each instance generates its own at first boot
rm -f /etc/ssh/ssh_host_*

# Remove all files in /var that are not owned by an RPM
# (-print0 with read -d '' keeps paths containing whitespace intact)
while IFS= read -r -d '' FILE; do
    rpm -qf --quiet "$FILE" || rm -f "$FILE"
done < <(find /var -type f -print0)

# Remove empty directories in /var that are not owned by an RPM; repeat until a
# pass removes nothing, since removing a directory can leave its parent empty
REMOVED_DIR=true
while [ "$REMOVED_DIR" = true ]; do
    REMOVED_DIR=false
    while IFS= read -r -d '' DIR; do
        if ! rpm -qf --quiet "$DIR"; then
            REMOVED_DIR=true
            rmdir "$DIR"
        fi
    done < <(find /var -type d -empty -print0)
done

# Truncate any remaining files in /var/log
while IFS= read -r -d '' FILE; do
    : > "$FILE"
done < <(find /var/log -type f -print0)

# Make sure the RPM GPG key has been imported
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 2> /dev/null

# Remove MAC addresses from /etc/sysconfig/network-scripts/ifcfg-*
for FILE in /etc/sysconfig/network-scripts/ifcfg-*; do
    sed -i '/^HWADDR/d' "$FILE"
done

# Remove auto-generated udev rules for CD-ROM and network devices
rm -f /etc/udev/rules.d/70-persistent-{cd,net}.rules

# Clean out /tmp
find /tmp -mindepth 1 -delete
  1. Copy the script to /mktemplate.sh and reboot the system to runlevel 1.

    Note

    Do not change to runlevel 1 instead of rebooting (with init 1, for example). Changing to runlevel 1 leaves certain daemons running that are not running when the system is booted to single-user mode (notably rsyslog).

  2. When the system has rebooted into single-user mode, execute the following commands.

    # unset HISTFILE
    # chmod 0755 /mktemplate.sh
    # /mktemplate.sh
    # rm -f /mktemplate.sh
    # poweroff
