Chapter 12. Create client images and templates
The exact nature of the Red Hat Enterprise Linux (RHEL) images to be created depends on the technology stack in your environment. In all cases, the goal is to create an artifact (image, template, and so on) that will meet certain criteria when instantiated.
12.1. Image requirements
The following requirements apply to certified cloud images, most of which are default behaviors or configurations:
- Red Hat packages may not be altered, rebuilt, or replaced.
- SELinux should be enabled and in enforcing mode.
- If used, iptables should block access to all ports other than SSH (and any other ports required for proper operation of the cloud infrastructure).
- Local passwords should use a hashing algorithm at least as strong as the default for that RHEL version (SHA-512 for Red Hat Enterprise Linux 7).
- Disk size should be at least 6 GB.
- File system type should be xfs (Red Hat Enterprise Linux 7).
- sshd should be enabled for remote access.
- Syslog configuration should be unchanged from the operating system default.
See the Cloud Image Certification Policy Guide for more details.
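The following check script is an added example, not part of the Red Hat documentation, that tests an image against the requirements above. It assumes the persistent SELinux mode is read from /etc/selinux/config, the password hashing method from ENCRYPT_METHOD in /etc/login.defs, the root file system type from /etc/fstab, and altered packages from saved rpm -Va output; the sample rpm -Va lines embedded in it are constructed, not real verification results.

```bash
#!/bin/bash
# Added example, not from the Red Hat documentation: pre-flight checks for
# the requirements in 12.1. Each check reads a file given as its first
# argument (default: the live system's file), so the same functions run
# against a mounted image tree or against constructed test files.

# Local passwords: ENCRYPT_METHOD in login.defs must be SHA512.
check_hash_algo() {
    local login_defs="${1:-/etc/login.defs}" method
    method=$(awk '$1 == "ENCRYPT_METHOD" { print toupper($2) }' "$login_defs" | tail -n 1)
    [ "$method" = "SHA512" ]
}

# SELinux: the persistent mode in /etc/selinux/config must be enforcing
# (on a running system, getenforce must agree).
check_selinux_config() {
    local cfg="${1:-/etc/selinux/config}" mode
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ "$mode" = "enforcing" ]
}

# Root file system must be xfs: third column of the "/" entry in fstab.
check_root_fs_xfs() {
    local fstab="${1:-/etc/fstab}" fstype
    fstype=$(awk '$1 !~ /^#/ && $2 == "/" { print $3 }' "$fstab" | tail -n 1)
    [ "$fstype" = "xfs" ]
}

# Disk size of at least 6 GB; takes the size in bytes so the caller chooses
# how to measure it (blockdev --getsize64 on the disk, or df on the root fs
# as a lower bound).
check_disk_size() {
    [ "$1" -ge $((6 * 1024 * 1024 * 1024)) ]
}

# Unaltered Red Hat packages: in `rpm -Va` output a '5' in the attribute
# column means the file's digest differs from the package. Modified config
# files (type flag 'c') are expected on any deployed system; a digest
# mismatch on any other file means a package was altered or replaced.
# Takes the path of a saved `rpm -Va` output.
check_rpm_verify() {
    ! awk '$1 ~ /5/ && $2 != "c" { found = 1 } END { exit !found }' "$1"
}

# sshd enabled at boot: systemctl on RHEL 7, chkconfig on RHEL 6.
check_sshd_enabled() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-enabled sshd >/dev/null 2>&1
    else
        chkconfig sshd >/dev/null 2>&1
    fi
}

# Constructed `rpm -Va` samples (not real verification output).
SAMPLE_RPM_VA_CLEAN='S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/lib64/libexample.so.1'
SAMPLE_RPM_VA_ALTERED='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/python'

# Run all checks against the live system; prints one PASS/FAIL line per
# check and returns non-zero if anything failed.
run_image_checks() {
    local rc=0 tmp
    tmp=$(mktemp)
    rpm -Va > "$tmp" 2>/dev/null || true    # exits non-zero whenever it lists anything
    report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; rc=1; fi; }
    report check_hash_algo
    report check_selinux_config
    report check_root_fs_xfs
    report check_disk_size "$(df -P -k / | awk 'NR == 2 { printf "%.0f\n", $2 * 1024 }')"
    report check_rpm_verify "$tmp"
    report check_sshd_enabled
    rm -f "$tmp"
    return "$rc"
}

# Only the live run needs root; sourcing the file just defines the checks.
if [ "${1:-}" = "--live" ]; then
    run_image_checks
fi
```

Run it as root on the candidate image with `bash image-checks.sh --live`; any FAIL line names the requirement that still needs attention. The rpm -Va check is deliberately tolerant of modified config files, because the RHUI and sanitization steps that follow legitimately edit configuration under /etc.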
12.2. Red Hat Update Infrastructure integration
Procedure
- Integrate the image with the Red Hat Update Infrastructure (RHUI) by transferring the RHUI entitlement RPM and its GPG key to the target RHEL client system, then install the appropriate client configuration RPM:
# yum install <rhui-client-rhel7>
- Import the Red Hat release GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) into the RPM database, along with any custom repository keys, and import the GPG key that signs the entitlement RPM:
# rpm --import <rhui-client-rhui>
- Updates will come from RHUI instead of Red Hat Subscription Manager (rhsm); turn off rhsm by editing ./rhsm.conf to reflect enabled=0.
- Optionally (but strongly recommended), run yum update to apply all available updates.
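As an added example, not from the Red Hat documentation, the following script audits what the steps above leave in yum's configuration: the transferred entitlement RPM should verify against the key shipped with it before it is installed, every enabled repository must have gpgcheck=1 and a gpgkey, and the rhsm yum plugin must be off. The default plugin config path /etc/yum/pluginconf.d/subscription-manager.conf is an assumption, as are the host names in the constructed sample repo files.

```bash
#!/bin/bash
# Added example, not from the Red Hat documentation: audit the yum
# configuration after RHUI integration. Assumes the RHUI client RPM drops
# its repo definitions under /etc/yum.repos.d/ and that the rhsm plugin
# switch lives in /etc/yum/pluginconf.d/subscription-manager.conf (assumed).

# Before installing a transferred entitlement RPM, import the key shipped
# with it and check the package signature against it (rpm -K fails on a
# bad or unverifiable signature). Usage: verify_client_rpm FILE.rpm KEY
verify_client_rpm() {
    rpm --import "$2" && rpm -K "$1"
}

# Print every enabled repo in a .repo file that is not protected by a
# signature check (gpgcheck != 1, or no gpgkey). Returns 1 if any is found.
audit_repo_file() {
    awk '
        function flush() {
            if (name != "" && enabled != "0" && (gpgcheck != "1" || gpgkey == "")) {
                print name; bad = 1
            }
        }
        function value() { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); return $0 }
        /^\[/ { flush(); name = substr($1, 2, length($1) - 2); enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
        /^[ \t]*#/ { next }
        /^[ \t]*enabled[ \t]*=/  { enabled = value() }
        /^[ \t]*gpgcheck[ \t]*=/ { gpgcheck = value() }
        /^[ \t]*gpgkey[ \t]*=/   { gpgkey = value() }
        END { flush(); exit bad }
    ' "$1"
}

# Audit every .repo file in a directory; returns 1 if any repo is unprotected.
audit_repo_dir() {
    local dir="${1:-/etc/yum.repos.d}" rc=0 f
    for f in "$dir"/*.repo; do
        [ -e "$f" ] || continue
        audit_repo_file "$f" || rc=1
    done
    return "$rc"
}

# The rhsm yum plugin must be off (enabled=0) so that updates come from RHUI.
check_rhsm_plugin_disabled() {
    local enabled
    enabled=$(awk -F '[ \t]*=[ \t]*' '$1 == "enabled" { print $2 }' "$1" | tail -n 1)
    [ "$enabled" = "0" ]
}

# Constructed sample .repo content (not a real RHUI repo file).
SAMPLE_REPO_GOOD='[rhui-rhel-7-server-rhui-rpms]
name = Example RHUI repo (constructed)
baseurl = https://rhui.example.com/pulp/repos/content/dist/rhel/rhui/server/7/os
enabled = 1
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release'
SAMPLE_REPO_BAD="$SAMPLE_REPO_GOOD

[local-extras]
name = Local extras (constructed, unsigned)
baseurl = http://mirror.example.com/extras
enabled = 1
gpgcheck = 0"

# Live audit: repos under /etc/yum.repos.d and the plugin switch.
if [ "${1:-}" = "--live" ]; then
    audit_repo_dir /etc/yum.repos.d \
        && check_rhsm_plugin_disabled "${2:-/etc/yum/pluginconf.d/subscription-manager.conf}" \
        && echo "yum configuration OK"
fi
```

Run `bash rhui-audit.sh --live` on the image after the procedure; each unprotected repo is printed by name, which is what a later `yum update` would happily pull unsigned packages from.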
12.3. Template preparation
The image must be sanitized to make it suitable for use as a template. This script can be used to sanitize a virtual machine image in preparation for use as a template. It is compatible with Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 images.
The script might require modification in some environments. Review this script carefully before use and make sure that the changes it makes to the image are compatible with your environment.
Procedure
Run the following script:
#!/bin/bash
# RHEL 7
if ! [[ `runlevel | cut -d " " -f 2` =~ ^[1S]$ ]]; then
    echo "Please *boot* to runlevel 1"
    exit 3
fi

# Kill udev
killall -9 udevd

# Clean out /root
rm -rf /root/*
rm -f /root/.bash_history
rm -rf /root/.ssh

# SSH host keys
rm -f /etc/ssh/ssh_host_*

# Remove all files in /var that are not owned by an RPM
# (null-delimited so that names containing whitespace are handled)
find /var -type f -print0 | while IFS= read -r -d '' FILE; do
    rpm -qf --quiet "$FILE" || rm -f "$FILE"
done

# Remove empty directories in /var that are not owned by an RPM; repeat
# until a pass removes nothing, since removing a directory can leave its
# parent empty
REMOVED_DIR=true
while [ "$REMOVED_DIR" = true ]; do
    REMOVED_DIR=false
    while IFS= read -r -d '' DIR; do
        if ! rpm -qf --quiet "$DIR"; then
            REMOVED_DIR=true
            rmdir "$DIR"
        fi
    done < <(find /var -type d -empty -print0)
done

# Truncate any remaining files in /var/log
find /var/log -type f -print0 | while IFS= read -r -d '' FILE; do
    : > "$FILE"
done

# Make sure the RPM GPG key has been imported
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 2> /dev/null

# Remove MAC addresses from /etc/sysconfig/network-scripts/ifcfg-*
for FILE in /etc/sysconfig/network-scripts/ifcfg-*; do
    sed -i '/^HWADDR/d' "$FILE"
done

# Remove auto-generated udev rules for CD-ROM and network devices
rm -f /etc/udev/rules.d/70-persistent-{cd,net}.rules

# Clean out /tmp
find /tmp -mindepth 1 -delete
Copy the script to /mktemplate.sh and reboot the system to runlevel 1.
Note
Do not change to runlevel 1 instead of rebooting (with init 1, for example). Changing to runlevel 1 leaves certain daemons running that are not running when the system is booted to single-user mode (notably rsyslog, which would keep writing to /var/log after the script has truncated it).
When the system has rebooted into single-user mode, run the following commands. Unsetting HISTFILE first stops the shell from writing these commands into /root/.bash_history on exit, which would undo part of the cleanup.
# unset HISTFILE
# chmod 0755 /mktemplate.sh
# /mktemplate.sh
# rm -f /mktemplate.sh
# poweroff
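The following audit is an added example, not from the Red Hat documentation, that checks an image tree for the per-instance state the template script is meant to remove: SSH host keys (cloned keys give every instance the same host identity, so a key extracted from one impersonates all of them), root's history and SSH material, HWADDR lines, persistent udev rules, non-empty logs and /tmp leftovers. It can be pointed at a mounted image tree; the sample tree it builds for testing is constructed and contains no real keys or logs.

```bash
#!/bin/bash
# Added example, not from the Red Hat documentation: verify that an image
# tree carries none of the per-instance state that /mktemplate.sh removes.
# ROOT defaults to the live system; point it at a mounted image, or at the
# constructed tree from make_sample_tree, to audit offline.
audit_template() {
    local root="${1:-}" findings=0 f n
    finding() { echo "LEFTOVER: $*"; findings=$((findings + 1)); }

    # SSH host keys: cloned keys mean one host identity shared by every instance
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && finding "SSH host key $f"
    done
    # root's shell history and SSH material
    [ -e "$root/root/.bash_history" ] && finding "/root/.bash_history"
    [ -e "$root/root/.ssh" ] && finding "/root/.ssh"
    # MAC addresses pinned in ifcfg files will not match the new instance's NIC
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -e "$f" ] && grep -q '^HWADDR' "$f" && finding "HWADDR in $f"
    done
    # persistent udev rules generated for the source machine's devices
    for f in "$root"/etc/udev/rules.d/70-persistent-cd.rules \
             "$root"/etc/udev/rules.d/70-persistent-net.rules; do
        [ -e "$f" ] && finding "udev rule $f"
    done
    # logs that still carry the source system's history
    n=$(find "$root/var/log" -type f -size +0 2>/dev/null | wc -l)
    [ "$n" -gt 0 ] && finding "$n non-empty file(s) under /var/log"
    # anything left in /tmp
    [ -n "$(find "$root/tmp" -mindepth 1 -print 2>/dev/null | head -n 1)" ] && finding "/tmp not empty"

    [ "$findings" -eq 0 ]
}

# Build a constructed image tree under DIR: "dirty" reproduces the state
# before sanitizing, "clean" the state the template script should leave.
make_sample_tree() {
    local dir="$1" state="${2:-dirty}" ifcfg="$1/etc/sysconfig/network-scripts/ifcfg-eth0"
    mkdir -p "$dir/etc/ssh" "$dir/etc/sysconfig/network-scripts" \
             "$dir/etc/udev/rules.d" "$dir/root" "$dir/var/log" "$dir/tmp"
    printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$ifcfg"
    : > "$dir/var/log/messages"
    if [ "$state" = "dirty" ]; then
        printf 'HWADDR=00:11:22:33:44:55\n' >> "$ifcfg"
        printf 'constructed placeholder, not a real key\n' > "$dir/etc/ssh/ssh_host_rsa_key"
        printf 'yum update -y\n' > "$dir/root/.bash_history"
        mkdir -p "$dir/root/.ssh"
        : > "$dir/etc/udev/rules.d/70-persistent-net.rules"
        printf 'Jan  1 00:00:00 builder sshd[1]: constructed log line\n' > "$dir/var/log/messages"
        : > "$dir/tmp/build.lock"
    fi
}

# Live use: audit the running system, or a mounted image root given as $2.
if [ "${1:-}" = "--live" ]; then
    audit_template "${2:-}" && echo "no per-instance state found"
fi
```

Running `bash template-audit.sh --live /mnt/image` against a mounted copy of the powered-off image, rather than inside the booted template, avoids the daemons that repopulate /var/log and is the check to perform before the artifact is registered.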