Chapter 12. Create client images and templates


The exact nature of the Red Hat Enterprise Linux (RHEL) images to be created depends on the technology stack in your environment. In all cases, the goal is to create an artifact (image, template, and so on) that will meet certain criteria when instantiated.

12.1. Image requirements

The following requirements apply to certified cloud images, most of which are default behaviors or configurations:

  • Red Hat packages may not be altered, rebuilt, or replaced.
  • SELinux should be enabled and in enforcing mode.
  • If used, iptables should block access to all ports other than SSH (and any other ports required for proper operation of the cloud infrastructure).
  • Local passwords should use a hashing algorithm at least as strong as the default for that RHEL version (SHA-512 for Red Hat Enterprise Linux 7).
  • Disk size should be at least 6 GB.
  • File system type should be xfs (Red Hat Enterprise Linux 7).
  • sshd should be enabled for remote access.
  • Syslog configuration should be unchanged from the operating system default.

See the Cloud Image Certification Policy Guide for more details.

12.2. Red Hat Update Infrastructure integration

Procedure

  1. Integrate the image with the Red Hat Update Infrastructure (RHUI) by transferring the RHUI entitlement RPM and GPG key to the target RHEL client system.
  2. Install the appropriate client configuration RPM:

    # yum install <rhui-client-rhel7>
  3. Import the Red Hat release GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) into the entitlement RPM, along with any custom repository keys.
  4. Import the entitlement RPM GPG key:

    #rpm --import <rhui-client-rhui>
  5. Updates will come from RHUI instead of the Red Hat Subscription Manager (rhsm); turn off rhsm by editing ./rhsm.conf to reflect enabled=0.
  6. Optionally (but strongly recommended), run the yum update command to apply all available updates.

12.3. Template preparation

The image must be sanitized to make it suitable for use as a template. This script can be used to sanitize a virtual machine image in preparation for use as a template. It is compatible with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 images.

Note

The script might require modification in some environments. Review this script carefully before use and make sure that the changes it makes to the image are compatible with your environment.

Procedure

  1. Run the following script:

    #!/bin/bash
    
    # RHEL 7
    if ! [[ `runlevel | cut -d " " -f 2` =~ ^[1S]$ ]]; then
    echo "Please *boot* to runlevel 1"
    exit 3
    fi
    
    # Kill udev
    killall -9 udevd
    
    # Clean out /root
    rm -rf /root/*
    rm -f /root/.bash_history
    rm -rf /root/.ssh
    
    # SSH host keys
    rm -f /etc/ssh/ssh_host_*
    # Remove all files in /var that are not owned by an RPM
    
    for FILE in `find /var -type f`; do
    rpm -qf --quiet "$FILE" || rm -f "$FILE"
    
    done
    
    # Remove empty directories in /var that are not owned by an RPM
    
    until [ "$REMOVED_DIR" = false ]; do
         REMOVED_DIR=false
         for DIR in `find /var -type d -empty`; do
        if ! rpm -qf --quiet "$DIR"; then
             REMOVED_DIR=true
             rmdir "$DIR"
        fi
     done
    
    done
    
    # Truncate any remaining files in /var/log
    for FILE in `find /var/log -type f`; do
       echo -n > "$FILE"
    
    done
    
    # Make sure the RPM GPG key has been imported
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 2> /dev/null
    
    # Remove MAC addresses from /etc/sysconfig/network-scripts/ifcfg-*
    for FILE in /etc/sysconfig/network-scripts/ifcfg-*; do
    
       sed -i /^HWADDR/d "$FILE"
    
    done
    
    # Remove auto-generated udev rules for CD-ROM and network devices
    rm -f /etc/udev/rules.d/70-persistent-{cd,net}.rules
    
    # Clean out /tmp
    find /tmp -mindepth 1 -delete
  2. Copy the script to /mktemplate.sh and reboot the system to runlevel 1.

    Note

    Do not change to runlevel 1 instead of rebooting (with init 1, for example). Changing to runlevel 1 leaves certain daemons running that are not running when the system is booted to single-user mode (notably rsyslog).

  3. When the system has rebooted into single-user mode, run the following commands:

    # unset HISTFILE
    # chmod 0755  /mktemplate.sh
    # /mktemplate.sh
    # rm -f /mktemplate.sh
    # poweroff

Report a bug

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.