Elastic Compute Service: Check whether an image meets the import requirements

Last Updated: Jul 21, 2023

You can use the image compliance tool to check whether the operating system settings of an image meet the import requirements. For example, you can check whether the image can be used to create full-featured Elastic Compute Service (ECS) instances. This topic describes how to check whether an image meets the import requirements. In the examples, an image that contains a CentOS 7.9 64-bit operating system is used.

Background information

We recommend that you use the image compliance tool of ECS to improve the efficiency of image creation. The image compliance tool can check configuration items in a Linux server environment to identify non-compliant items and provide solutions if required.

Note

The image compliance tool supports Linux operating systems, except FreeBSD and Fedora CoreOS. The image compliance tool does not support Windows operating systems.

Procedure

  1. Log on to the server, virtual machine (VM), or cloud host based on which you want to create an image file.

  2. Run the following commands in sequence to download and decompress the image compliance tool:

    wget https://ecs-image-tools.oss-cn-hangzhou.aliyuncs.com/imagecheck/ecsgo-helper.tar.gz
    tar -xf ecsgo-helper.tar.gz

    You can also download the image compliance tool by using your browser.

  3. Run the following command to run the image compliance tool:

    ./ecsgo-helper.sh  image-online-diagnostic

    Wait for the image compliance tool to check the system configurations. The following code provides an example of the check result. For information about the check items, see the Check items section of this topic.

    ------------------------------------------------------------
    
                OS: CentOS 7.9.2009   Kernel: 3.10.0-1160.76.1.el7.x86_64
                Arch: x86_64       RTC-Mode: utc       Boot-Mode: Legacy
    
    ------------------------------------------------------------
    Image Check Result
    Virtio                                                                                 [OK]
    Nvme                                                                                   [OK]
    Fstab                                                                                  [OK]
    Grub                                                                                   [OK]
    Dhcp                                                                                   [OK]
    Selinux                                                                                [OK]
    OnlineResizeFS                                                                         [OK]
    CloudAssistant                                                                         [OK]
    CloudInit                                                                              [OK]
    SecurityCenterAgent                                                                    [OK]
    SupportMocInstanceTypes                                                                [OK]
    DiskUsage                                                                              [OK]
    InodeUsage                                                                             [OK]
    SystemFileAttribute                                                                    [OK]
    CriticalUser                                                                           [OK]
    QemuGuestAgent                                                                         [OK]
    SshConfig                                                                              [OK]
    Firewall                                                                               [OK]
    LibDirectory                                                                           [OK]
    
             Total case Count                19
                Successes:                   19
                Failures:                    0
                Warnings:                    0
    
    ------------------------------------------------------------

Check items

The image compliance tool provides a check result of OK, FAILED, or WARNING based on the levels of check items.

  • OK: All check items comply with the requirements.

  • FAILED: Check items do not comply with the requirements, and the ECS instances that are created from the image cannot start as expected or may encounter network exceptions. We recommend that you rectify the non-compliant items before you import the image.

  • WARNING: Check items do not comply with the requirements, and the ECS instances that are created from the image are not protected by Security Center and cannot be automatically operated or maintained by using Cloud Assistant. To improve cloud O&M efficiency, we recommend that you rectify the non-compliant items before you import the image.
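
Added example, not part of the image compliance tool or of the original topic: a POSIX shell gate for an image-build pipeline that parses a saved check result and refuses to pass when an item is FAILED or, in strict mode, WARNING. It assumes that non-compliant items are printed as [FAILED] or [WARNING] in the column where the sample shows [OK]; the sample report and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate an image build on a saved image-online-diagnostic result.
# Assumption: non-OK items print [FAILED] or [WARNING] where [OK] is shown.

# Constructed sample report (not real tool output), shortened to four items.
sample_report() {
cat <<'EOF'
Image Check Result
Virtio                                   [OK]
Grub                                     [FAILED]
SshConfig                                [OK]
SecurityCenterAgent                      [WARNING]

         Total case Count                4
            Successes:                   2
            Failures:                    1
            Warnings:                    1
EOF
}

# Read a report on stdin; print "ITEM STATUS" for each result line.
parse_report() {
    awk '/Image Check Result/ { seen = 1; next }
         seen && NF == 2 && $2 ~ /^\[(OK|FAILED|WARNING)\]$/ {
             print $1, substr($2, 2, length($2) - 2)
         }'
}

# Print the items that have status $1, space-separated (report on stdin).
items_with_status() {
    parse_report | awk -v s="$1" '$2 == s { printf "%s%s", sep, $1; sep = " " }'
}

# $1 = report text, $2 = optional "strict" (WARNING items also fail the gate).
# Returns 0 only for a complete report with no blocking item.
gate_report() {
    total=$(printf '%s\n' "$1" | awk '/Total case Count/ { print $NF }')
    parsed=$(printf '%s\n' "$1" | parse_report | awk 'END { print NR }')
    # A truncated or reformatted report must not pass as "no failures".
    [ -n "$total" ] && [ "$parsed" -eq "$total" ] || return 1
    failed=$(printf '%s\n' "$1" | items_with_status FAILED)
    warned=$(printf '%s\n' "$1" | items_with_status WARNING)
    [ -z "$failed" ] || { echo "FAILED: $failed" >&2; return 1; }
    [ "${2:-}" != strict ] || [ -z "$warned" ] || { echo "WARNING: $warned" >&2; return 1; }
    return 0
}

gate_report "$(sample_report)" || echo "image is not ready for import"
```

On a real host, save the tool's result to a file and pass its contents to gate_report, assuming the tool writes the plain-text result to standard output.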

The image compliance tool checks the configuration items of source servers. The following entries describe the check items of the image compliance tool. Each entry lists the check item, its level, a description, the non-compliance issue, and the suggested solution.

Virtio

  • Level: High

  • Description: Check whether the virtio driver is installed in the image. ECS instances are VMs that are built on top of the Kernel-based Virtual Machine (KVM) architecture, and require that the virtio driver be installed in images.

  • Non-compliance issue: The ECS instances that use the image cannot start as expected.

  • Suggested solution: Install the virtio driver. For more information, see Install the virtio driver.

Nvme

  • Level: High

  • Description: Check whether the Non-Volatile Memory Express (NVMe) driver is installed in the image. For instances of specific instance types that support NVMe-based disks, such as ecs.g7se, the NVMe driver must be installed in the image. NVMe delivers faster response times and higher bandwidth than traditional driver protocols, such as Small Computer System Interface (SCSI) and virtio-blk. We recommend that you install the NVMe driver in images to support specific instance types. For more information, see NVMe protocol.

  • Non-compliance issue: The image is not applicable to instance types that support NVMe-based disks, such as ecs.g7se.

  • Suggested solution: Adapt Linux custom images to NVMe-based system disks.

Fstab

  • Level: High

  • Description: Check the configurations in the /etc/fstab file. Incorrect configurations in the /etc/fstab file, such as configurations of nonexistent devices and incorrect universally unique identifiers (UUIDs), cause system startup exceptions.

  • Non-compliance issue: The operating system cannot start as expected.

  • Suggested solution: None.

Grub

  • Level: High

  • Description: Check the GRand Unified Bootloader (GRUB) configuration file. GRUB is a tool used to load and boot the kernel and is an important configuration item of operating systems. Incorrect configurations lead to system startup exceptions. We recommend that you check the GRUB configuration file in the operating system. For example, check the GRUB configuration file to ensure that device names are not used to specify the boot partition. Example: root=/dev/sda1. Device names may vary based on environments. We recommend that you use UUIDs instead to specify boot partitions.

  • Non-compliance issue: The operating system cannot start as expected.

  • Suggested solution: None.

Dhcp

  • Level: High

  • Description: Check whether Dynamic Host Configuration Protocol (DHCP) is configured in the network configuration file of the image. We recommend that you configure DHCP for network devices to assign dynamic IP addresses to instances. If a static IP address is configured in the image, network configuration exceptions may occur and the instances that use the image cannot start. We also recommend that you add the net.ifnames parameter to the kernel startup parameters in the GRUB configuration file and set the parameter to 0 to prevent network interfaces from being renamed in the kernel. This way, the network interface controller (NIC) remains named eth0.

  • Non-compliance issue: System network errors occur.

  • Suggested solution: None.

Selinux

  • Level: Medium

  • Description: Check whether Security-Enhanced Linux (SELinux) is disabled in the image. We recommend that you disable SELinux.

  • Non-compliance issue: The ECS instances that use the image cannot start as expected.

  • Suggested solution: Disable SELinux in the image. For more information, see Enable or disable SELinux.

OnlineResizeFS

  • Level: High

  • Description: Check whether file systems in the image can be extended online. For example, the size of the virtual disk in your image is 10 GB, and you create an instance that has a 100-GB system disk from the image and install components, such as cloud-init and growpart, on the instance. The root partition and file system are automatically extended to the size of the system disk (100 GB) when the instance is initialized. For more information, see Extend the partitions and file systems of disks on a Linux instance.

  • Non-compliance issue: The root partition of the instance cannot be extended.

CloudInit

  • Level: High

  • Description: Check whether cloud-init is installed in the image. cloud-init initializes system configurations on instance startup and executes user data scripts. The system configurations include the Network Time Protocol (NTP) settings, software repositories, hostnames, and SSH key pairs.

  • Non-compliance issue: The system initialization configuration is missing.

  • Suggested solution: Install cloud-init.

DiskUsage

  • Level: High

  • Description: Check the usage of disk space in the image. You can run the df -h command to check the usage of your disk space and ensure that sufficient disk space is available.

  • Non-compliance issue: The operating system cannot start as expected.

  • Suggested solution: Delete unnecessary files.

InodeUsage

  • Level: High

  • Description: Check the inode usage of disks in the image. You can run the df -i command to check the inode usage of disks.

  • Non-compliance issue: The operating system cannot start as expected.

  • Suggested solution: Delete unnecessary files.

SystemFileAttribute

  • Level: High

  • Description: Check whether the attributes of critical configuration files are normal.

  • Non-compliance issue: The ECS instances that use the image cannot start as expected and some features cannot be used.

  • Suggested solution: Do not run the chattr command to lock the /etc/shadow file.

CriticalUser

  • Level: High

  • Description: Check whether a critical user, such as root, exists in the operating system. The absence of critical users leads to system startup exceptions and instance feature exceptions. For example, you cannot use the username and password to connect to an instance.

  • Non-compliance issue: The ECS instances that use the image cannot start as expected and some features cannot be used.

  • Suggested solution: Retain the root account.

QemuGuestAgent

  • Level: Medium

  • Description: Check whether qemu-guest-agent is installed on the operating system. qemu-guest-agent runs on VMs to interact with hosts. If qemu-guest-agent is installed, some services that are required by ECS are unavailable, and the instance is not full-featured.

  • Non-compliance issue: Some features of the instance cannot be used.

  • Suggested solution: Uninstall qemu-guest-agent.

SshConfig

  • Level: High

  • Description: Check whether the configuration file of sshd is normal. In most cases, the configuration file of sshd is /etc/ssh/sshd_config. If incorrect configurations exist in the sshd configuration file, the sshd service fails to start. As a result, ECS instances cannot be connected over SSH. We recommend that you check the correctness and validity of the sshd configuration file. You can run the following commands:

      • Run the sshd -T command to display all sshd configuration options.

      • Run the sshd -t command to verify the validity of the sshd configuration file.

  • Non-compliance issue: The ECS instances that use the image cannot be connected over SSH.

  • Suggested solution: Check the sshd configuration file.

Firewall

  • Level: Medium

  • Description: Check whether the firewall service is enabled. We recommend that you disable the firewall service in the operating system and use ECS security groups to manage inbound and outbound traffic of instances. For more information, see Overview.

  • Non-compliance issue: System firewall applications may cause instance access failures.

  • Suggested solution: Disable the system firewall service.

LibDirectory

  • Level: High

  • Description: In Red Hat operating systems, /lib and /lib64 are symbolic links that point to /usr/lib and /usr/lib64. Do not modify these links. Otherwise, system exceptions may occur.

  • Non-compliance issue: Features of the operating system cannot work as expected.

  • Suggested solution: The /lib and /lib64 symbolic links cannot point to absolute paths. Change the paths to which /lib and /lib64 point to relative paths.

SupportMocInstanceTypes

  • Level: High

  • Description: Check whether the image supports instance types that are based on the SHENLONG architecture. In most cases, the latest ECS instance types, such as ecs.g6 and ecs.g7 instance types, are based on the SHENLONG architecture. If the operating system and kernel versions of the image are earlier than expected, exceptions may occur on the instances that use the image. For information about instance types, see Overview of instance families.

  • Non-compliance issue: Instance types that are based on the SHENLONG architecture, such as ecs.g6 and ecs.g7 instance types, cannot be used.

  • Suggested solution: In most cases, operating systems that do not support SHENLONG-based instance types are early versions that reached their end of life (EOL) and end of maintenance (EOM). We recommend that you upgrade the operating systems at your earliest opportunity and use operating systems that are maintained and updated by distributors.

CloudAssistant

  • Level: Medium

  • Description: Check whether Cloud Assistant Agent is installed in the image. Cloud Assistant is a native automated O&M tool that is developed for ECS. We recommend that you install Cloud Assistant Agent in the image for efficient O&M of ECS. For more information, see Overview.

  • Non-compliance issue: O&M management on the cloud is inefficient.

  • Suggested solution: Install Cloud Assistant Agent.

SecurityCenterAgent

  • Level: Medium

  • Description: Check whether the Security Center agent is installed in the image. A server can be protected by Security Center only after the Security Center agent is installed on the server.

  • Non-compliance issue: Vulnerabilities on the instances that are created from the image cannot be identified, and the instances are not protected by Security Center.

  • Suggested solution: Install the Security Center agent.
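
Added example, not the image compliance tool's own logic: manual spot checks for the Grub, Fstab and LibDirectory items described above, useful when one of them fails and you need to see which line or link is responsible. The function names, the set of device-name prefixes treated as unstable, and the fixture tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: spot checks for the Grub, Fstab and LibDirectory items.
# Independent re-implementations, not the tool's own logic.

# Grub: print kernel lines whose root= is a disk device name, not a UUID.
# Assumption: only sd/vd/hd/xvd/nvme names count as unstable device names.
grub_device_roots() {     # $1 = GRUB configuration file
    grep -nE '(^|[[:space:]])root=/dev/(sd|vd|hd|xvd|nvme)' "$1"
}

# Fstab: print UUIDs that fstab references but the host does not have.
fstab_unknown_uuids() {   # $1 = fstab file, $2 = UUIDs present, one per line
    awk '$1 ~ /^UUID=/ { sub(/^UUID=/, "", $1); print $1 }' "$1" |
    while read -r uuid; do
        printf '%s\n' "$2" | grep -qxF "$uuid" || echo "$uuid"
    done
}

# LibDirectory: print lib symlinks whose target is an absolute path.
absolute_lib_links() {    # $1 = file system root to inspect
    for link in "$1/lib" "$1/lib64"; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in /*) echo "$link -> $target" ;; esac
    done
}

# Constructed fixture tree (not a real system); prints its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib" "$d/usr/lib64"
    ln -s usr/lib "$d/lib"          # relative target: compliant
    ln -s /usr/lib64 "$d/lib64"     # absolute target: flagged
    echo 'linux16 /vmlinuz root=/dev/sda1 ro net.ifnames=0' > "$d/grub.cfg"
    printf '%s\n' 'UUID=1111-aaaa / ext4 defaults 1 1' \
        'UUID=2222-bbbb /data ext4 defaults 0 0' > "$d/fstab"
    echo "$d"
}

fx=$(make_fixture)
grub_device_roots "$fx/grub.cfg"              # flags the root=/dev/sda1 line
fstab_unknown_uuids "$fx/fstab" "1111-aaaa"   # flags 2222-bbbb
absolute_lib_links "$fx"                      # flags lib64
rm -rf "$fx"
```

On a real host, pass the actual GRUB configuration file, /etc/fstab with the output of blkid -s UUID -o value, and an empty root argument so that /lib and /lib64 are inspected.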

What to do next

Use the image compliance tool to check the image before you obtain the image file. For more information, see Obtain a Linux image file.