\label{part_images}
\part{Images}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Basic Steps}
Starting points
\begin{itemize}
\item Existing images
\item Installation media
\item Special tools for image creation
\end{itemize}
Our recommendation
\begin{itemize}
\item Existing images
\begin{itemize}
\item Basic images of popular Linux distributions are available
\begin{itemize}
\item Ubuntu
\item Debian
\item ScientificLinux
\end{itemize}
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Starting from existing images}
\begin{itemize}
\item Download image from repository
\item Start image
\begin{itemize}
\item Start it as a VM
\begin{itemize}
\item Caveat: need local virtualization platform, e.\,g. KVM
\end{itemize}
\item Alternative: start as a cloud instance and create snapshot
\begin{itemize}
\item Caveat: creating snapshots not standardized among platforms
\end{itemize}
\end{itemize}
\item Make your updates and modifications
\item Clean up as you would do for a new image
\item Re-package the image
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Image Creation}
\framesubtitle{Starting from scratch}
An example
\begin{lstlisting}
$ truncate -s 1G debian-7.4.0.img
$ kvm -cdrom debian-7.4.0-amd64-netinst.iso debian-7.4.0.img
\end{lstlisting}
During installation
\begin{itemize}
\item Select ``Install''
\item Give a strong root password despite it being locked later on
\item Use manual partitioning
\begin{itemize}
\item Avoid creating a swap partition and put everything in one partition
\item Additional block devices can and should be added at runtime
\item \emph{Do not} use LVM based setups
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Starting from scratch (cont'd)}
During installation
\begin{itemize}
\item Software installation
\begin{itemize}
\item Install as few packages as possible
\item Default set of system utilities
\item SSH server
\end{itemize}
\item Boot loader on MBR
\end{itemize}
\end{frame}
%% Optionally go through an example installation process
%% We have screenshots for Debian
%% If adding it here, provide a fast forward link to skip this
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Final Cleanup}
\begin{itemize}
\item Users and passwords
\begin{itemize}
\item To disallow password-based logins, put \texttt{*} or \texttt{!} in the password field in \texttt{/etc/shadow}
\end{itemize}
\item Log files
\item Excessive data
\begin{itemize}
\item Find it using du or ncdu
\end{itemize}
\item ...?
\end{itemize}
\vfill\hfill\scriptsize{We posted the general procedure in the EGI Blog: \url{http://goo.gl/ju7vgP}}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Image Creation}
\framesubtitle{Log Files}
\begin{itemize}
\item Avoids leaking potentially personal or sensitive data, though this is
unlikely right after installation
\item Reduces image size if lots of logging data was created during a
longer installation process
\item We've used the option to truncate log files to size 0
\begin{itemize}
\item Keeps files and their permissions
\end{itemize}
\end{itemize}
\begin{lstlisting}
# find /var/log -type f -exec truncate -s 0 {} \;
\end{lstlisting}
\end{frame}
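The Final Cleanup and Log Files steps above, scripted against an image root filesystem that is mounted at a given path (for instance after \texttt{kpartx} and \texttt{mount}). This is an added example and not code from the slides or the EGI blog post: it locks every account whose password field is not already \texttt{*} or \texttt{!}-prefixed, rewrites \texttt{/etc/shadow} in place so its owner and mode survive, and uses \texttt{: >} as the portable equivalent of \texttt{truncate -s 0}. The mount path, account names and log files used in the check are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: final cleanup of an image whose root
# filesystem is mounted at $1 (an assumption; nothing here touches the host's
# own /etc/shadow or /var/log).
set -e

# Lock every account whose password field is not already "*" or "!"-prefixed,
# i.e. implement "put * or ! in the password field". The file is rewritten in
# place (cat >) rather than moved, so the owner and mode of /etc/shadow are kept.
lock_passwords() {
  shadow_file=$1/etc/shadow
  shadow_scratch=$(mktemp)
  awk -F: -v OFS=: '$2 != "*" && $2 !~ /^!/ { $2 = "!" } { print }' \
    "$shadow_file" > "$shadow_scratch"
  cat "$shadow_scratch" > "$shadow_file"
  rm -f "$shadow_scratch"
}

# Truncate every log file to size 0, keeping the files and their permissions.
# ": >" is the portable equivalent of the "truncate -s 0" used on the slide.
truncate_logs() {
  find "$1/var/log" -type f | while IFS= read -r logfile; do
    : > "$logfile"
  done
}

# Check that the cleanup took effect: no account has a usable password hash
# and no log file has content. Returns 0 when clean, 1 otherwise.
verify_cleanup() {
  awk -F: '$2 != "*" && $2 !~ /^!/ { n++ } END { exit (n > 0) }' \
    "$1/etc/shadow" || return 1
  if [ -n "$(find "$1/var/log" -type f -size +0c)" ]; then
    return 1
  fi
  return 0
}

# Usage: sh cleanup.sh /mnt/image   (without an argument only the functions are defined)
if [ $# -eq 1 ]; then
  lock_passwords "$1"
  truncate_logs "$1"
  verify_cleanup "$1"
  echo "image root at $1 is clean"
fi
```

Accounts that are already locked keep their existing \texttt{!}-prefixed hash, which is what \texttt{passwd -l} produces, so running the script twice is harmless.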
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Excessive Data}
\framesubtitle{}
Look for
\begin{itemize}
\item Old Linux kernels and their modules in \texttt{/boot} and
\texttt{/lib/modules}
\item Undesired services
\begin{itemize}
\item some distributions install a number of services by default
\item web, mail, etc.
\item remove them also for security reasons
\end{itemize}
\item Unused packages
\begin{itemize}
\item after removal of undesired services, some dependencies may not
be needed anymore
\end{itemize}
\item Clear the package cache
\begin{itemize}
\item apt-get clean
\item yum clean all
\item zypper clean --all
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Image Creation}
\framesubtitle{Finding Excessive Data}
You can go hunting for the biggest directory structures in your image. The following tools will help you:
\begin{itemize}
\item du
\begin{itemize}
\item \lstinline{du -a / | sort -n -r | head -10}
\item \lstinline{du -hsx * | sort -rh | head -10}
\end{itemize}
\item ncdu
\begin{itemize}
\item an interactive version of the above commands
\end{itemize}
\end{itemize}
\begin{tikzpicture}
\node at (9, -.7) [absolute,overlay] {\pgfimage[width=.4\textwidth]{images/screenshots/ncdu.png}};
\end{tikzpicture}
\end{frame}
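The old-kernel and largest-directory checks from the two Excessive Data slides, as a script that inspects an image root mounted at a given path. This is an added example, not code from the slides. The kernel version to keep is passed in explicitly because \texttt{uname -r} inside a chroot reports the host's kernel, not the image's; the mount path and the kernel versions in the check are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: list the kernels and module trees that
# can go from an image root mounted at a given path (an assumption), and run
# the non-interactive "du" hunt for the biggest entries.
set -e

# Kernel versions installed in the image, read from /boot/vmlinuz-<version>.
installed_kernels() {
  for vmlinuz in "$1"/boot/vmlinuz-*; do
    [ -e "$vmlinuz" ] || continue
    printf '%s\n' "${vmlinuz##*/vmlinuz-}"
  done
}

# Every installed kernel except the one to keep (the version the image boots,
# supplied by the caller); each is a removal candidate together with its
# /lib/modules/<version> tree.
stale_kernels() {
  keep_version=$1
  installed_kernels "$2" | grep -vxF -- "$keep_version" || true
}

# Size in kilobytes of the module tree for one kernel version, 0 if absent.
# The slides put this at roughly 100MB per kernel.
module_tree_kb() {
  if [ -d "$2/lib/modules/$1" ]; then
    du -sk "$2/lib/modules/$1" | awk '{ print $1 }'
  else
    echo 0
  fi
}

# Largest entries below the image root: the "du | sort | head" hunt from the
# slide, restricted to one filesystem so a bind-mounted host path is not counted.
largest_entries() {
  du -xk "$1" | sort -nr | head -n "${2:-10}"
}

# Usage: sh stale-kernels.sh <version-to-keep> /mnt/image
if [ $# -eq 2 ]; then
  stale_kernels "$1" "$2" | while IFS= read -r version; do
    echo "stale kernel $version, modules: $(module_tree_kb "$version" "$2") KB"
  done
  largest_entries "$2"
fi
```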
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Tools}
These tools can be used to deal with images after their creation. They
help to create small, clean images and to access the file systems within
for a final touch-up.
qemu-img
\begin{itemize}
\item mainly used for image conversion, e.g. from raw to (compressed) QCOW2
\end{itemize}
zerofree
\begin{itemize}
\item zero out unused blocks in a file system
\item improves compression ratio
\end{itemize}
kpartx
\begin{itemize}
\item make partitions within image files available as block devices in the current system
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}[fragile]
\frametitle{Image Creation}
\framesubtitle{Packaging}
\begin{itemize}
\item Use zerofree to set unused blocks in the file system to '0'
\begin{lstlisting}
# kpartx -av debian-7.4.0.img
add map loop0p1 (254:4): 0 4190208 linear /dev/loop0 2048
# zerofree /dev/mapper/loop0p1
# kpartx -d debian-7.4.0.img
\end{lstlisting}
\item Create compressed qcow2
\begin{lstlisting}
$ qemu-img convert -c -f raw -O qcow2 -p debian-7.4.0.img debian-7.4.0.qcow2
\end{lstlisting}
\item With zerofree, we've seen compressed images up to 50\% smaller
than without it
\end{itemize}
\hfill\scriptsize More details in the EGI Blog:
\url{http://goo.gl/UA6t1Y}
%% \begin{tikzpicture}
%% \node at (1,0) [absolute,overlay] {\pgfimage[width=1cm]{images/goo.gl_UA6t1Y.png}};
%% \end{tikzpicture}
\end{frame}
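The Packaging steps above as one script: expose the partitions with \texttt{kpartx}, run \texttt{zerofree} on each, release the mappings and convert to a compressed qcow2. This is an added example, not code from the slides or the EGI blog post. It assumes the raw image is not mounted anywhere, that \texttt{kpartx}, \texttt{zerofree} and \texttt{qemu-img} are installed and that the device-mapper steps run as root; the first \texttt{kpartx} output line in the check is the one shown on the slide, the second and the file names are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: the Packaging steps as a script. The raw
# image must not be mounted; kpartx, zerofree and qemu-img must be installed
# and the device-mapper steps need root. File names are assumptions.
set -e

# Turn "kpartx -av" output lines such as
#   add map loop0p1 (254:4): 0 4190208 linear /dev/loop0 2048
# into the /dev/mapper paths zerofree needs, one per line.
mapper_devices_from_kpartx() {
  printf '%s\n' "$1" | awk '$1 == "add" && $2 == "map" { print "/dev/mapper/" $3 }'
}

# Zero the unused blocks of every partition kpartx exposes, then release the
# mappings. zerofree only handles unmounted ext2/3/4 file systems, so a
# partition it rejects is reported and skipped rather than aborting the run.
zerofree_image() {
  raw_image=$1
  kpartx_output=$(kpartx -av "$raw_image")
  mapper_devices_from_kpartx "$kpartx_output" | while IFS= read -r device; do
    zerofree "$device" || echo "zerofree skipped $device" >&2
  done
  kpartx -d "$raw_image"
}

# Compressed qcow2 from the zeroed raw image, the command shown on the slide.
convert_to_qcow2() {
  qemu-img convert -c -f raw -O qcow2 -p "$1" "$2"
}

# Integer percentage saved by the packaged image relative to the raw one.
saving_percent() {
  echo $(( ($1 - $2) * 100 / $1 ))
}

# Usage: sh package-image.sh debian-7.4.0.img debian-7.4.0.qcow2
if [ $# -eq 2 ]; then
  zerofree_image "$1"
  convert_to_qcow2 "$1" "$2"
  raw_bytes=$(wc -c < "$1" | tr -d ' ')
  qcow2_bytes=$(wc -c < "$2" | tr -d ' ')
  echo "raw $raw_bytes bytes, qcow2 $qcow2_bytes bytes, saved $(saving_percent "$raw_bytes" "$qcow2_bytes")%"
fi
```

The order matters: zeroing has to happen before conversion, because \texttt{qemu-img -c} can only compress blocks that are actually zero, and the mappings have to be released before the raw file is read by \texttt{qemu-img} so that no pending writes are missed.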
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Hardening}
Try to make your images secure. Some simple measures:
\begin{itemize}
\item Disable or uninstall unneeded services and other software
\item Do not allow unauthenticated access
\item Use strong passwords or disallow password logins altogether
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Maintenance}
\framesubtitle{Things to avoid}
When creating or updating images, the following can occur:
\begin{itemize}
\item Unneeded software may remain installed
\begin{itemize}
\item Particularly true for older kernel versions and their modules
\item Modules for a single kernel are roughly 100MB
\item Desktop environment
\item Office suites
\item Games
\end{itemize}
\item Swap files
\begin{itemize}
\item Usually gigabytes in size
\item Do not make much sense in the cloud; use a larger instance instead
\end{itemize}
\end{itemize}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{frame}
\frametitle{Image Creation}
\framesubtitle{Updates}
\begin{itemize}
\item Steps to update contents of an image and create a new one
\item Is this really possible with \emph{only OCCI} commands?
\begin{itemize}
\item We'd certainly want to support this, i.\,e. take an instance,
create a snapshot of it and use that as a new image.
\end{itemize}
\item It should be just as easy as creating an image from an existing one.
\end{itemize}
\end{frame}
%%% Local Variables:
%%% TeX-master: "2014-05-23_Best_Practices"
%%% End: