Use the image compliance tool - Images| Alibaba Cloud Documentation Center

Background information

ECS allows you to create instances from imported custom images. You must import custom images to ECS before you can create instances from them. Custom images can be created based on on-premises servers, virtual machines (VMs), or cloud servers of other service providers. Custom images must meet certain requirements before they can be used in Alibaba Cloud. For more information, see Notes for importing images.

We recommend that you use the image compliance tool of ECS to reduce the time needed to create a custom image. The image compliance tool is designed to automatically validate configuration items in a Linux server environment to identify non-compliant items, generate detection reports in TXT and JSON formats, and provide troubleshooting actions if required.

This topic uses a server running the CentOS 7.4 64-bit OS as an example.

Application scope

The image compliance tool only supports Linux images, such as Ubuntu, CentOS, Debian, Red Hat, SUSE Linux Enterprise Server (SLES), openSUSE, FreeBSD, and CoreOS.

Procedure

Log on to your server, VM, or cloud server.
Run the following command to download the image compliance tool to the current directory of your server:
```
wget http://docs-aliyun.cn-hangzhou.oss.aliyun-inc.com/assets/attach/73848/cn_zh/1557459863884/image_check
```
You can also download the image compliance tool directly.
Run the image compliance tool with root privileges to ensure that it can read permission-restricted configuration files.
```
chmod +x image_check
sudo <Path of the image compliance tool>/image_check –p [Destination path] 
```
In the preceding code example, <Path of the image compliance tool> is also the path where to generate the detection report. Therefore, run the following command to start the image compliance tool:
```
sudo ./image_check
```
Note You can use -p [Destination path] to specify the path where to generate the detection report. If this parameter is not specified, the detection report will be generated in the same path as the image compliance tool.

Wait for the image compliance tool to check the system configurations.

Begin check your system......
The report is generating.
---------------------------------------
The infomation you need to input when you import your image to Alibaba Cloud website:
Current system: CentOS
Architecture: x86_64
System disk size: 42 GB
---------------------------------------
Check driver                                               [  OK  ]
Check shadow file authority                                [  OK  ]
Check security                                             [  OK  ]
Check qemu-ga                                              [  OK  ]
Check network                                              [  OK  ]
Check ssh                                                  [  OK  ]
Check firewall                                             [  OK  ]
Check filesystem                                           [  OK  ]
Check device id                                            [  OK  ]
Check root account                                         [  OK  ]
Check password                                             [  OK  ]
Check partition table                                      [  OK  ]
Check lib                                                  [  OK  ]
Check disk size                                            [  OK  ]
Check disk use rate                                        [  OK  ]
Check inode use rate                                       [  OK  ]
---------------------------------------
16 items are OK.
0 items are failed.
0 items are warning.
---------------------------------------
The report is generated: /root/image_check_report_2019-05-10_13-28-21.txt
Please read the report to check the details.

View the detection report.
The path of the detection report is displayed in the output of tool execution. In this example, the report is stored in the /root directory. The report is named in the format of image_check_report_date_time.txt or image_check_report.json.

Detection items

The compliance tool detects the following configuration items to ensure that ECS instances created from your custom image will be fully functional.


Detection item	Non-compliance issue	Suggestion
driver	The ECS instance cannot start correctly.	Install the virtualization driver. For more information, see Install cloud-init for Linux images.
/etc/shadow	The password file cannot be modified. As a result, you cannot create an ECS instance from the custom image.	Do not run the `chattr` command to lock the /etc/shadow file.
SElinux	The ECS instance cannot start correctly.	Do not start SELinux by modifying /etc/selinux/config.
qemu-ga	Some services required by ECS are unavailable, and the instance is not fully functional.	Uninstall qemu-ga.
network	Network functions of the ECS instance are unstable.	Disable or delete Network Manager and enable the network service.
ssh	You cannot connect to the ECS instance from the console.	Enable the SSH service and do not set PermitRootLogin.
firewall	The system does not automatically configure your ECS instance environment.	Disable firewalls such as iptables, firewalld, IPFilter (IPF), IPFireWall (IPFW), or PacketFilter (PF).
file system	You cannot resize the disk.	We recommend that you use the XFS, ext3, and ext4 file systems. The ext2, UFS, and UDF file systems are supported. Do not use the `64 bit` feature for the ext4 file system. Note The `64 bit` feature is one feature of the ext4 file system. You can run the man ext4 command to view detailed descriptions.
device id	The ECS instance cannot start correctly.	Clean up the fstab file and remove unneeded device IDs from the file to make sure that the device IDs in use appear in the output of the blkid command.
root	The username and password cannot be used to connect to the ECS instance.	Reserve the root account.
passwd	You cannot add users to the ECS instance.	Retain the passwd command or reinstall the password file.
Partition table	The ECS instance cannot start correctly.	Use MBR partitioning.
/lib	The ECS instance cannot be configured automatically.	The /lib and /lib64 files cannot be stored in absolute paths. Modify the storage paths of the /lib and /lib64 files to their relative paths.
system disk	N/A	Increase the system disk capacity. The optimal system disk capacity is 40 GiB to 500 GiB. When you import images, configure the system disk capacity based on the virtual file size of images, instead of the size of images.
disk usage	Required drivers or services cannot be installed for the ECS instance.	Make sure that sufficient disk space is available.
inode usage	Required drivers or services cannot be installed for the ECS instance.	Make sure that sufficient inode resources are available.

The image compliance tool provides OK, FAILED, or WARNING detection result based on detection items.

OK: The detection items all comply with requirements.
FAILED: The detection items do not comply with requirements, which means ECS instances created from the custom image will not be able to start correctly. We recommend that you rectify the non-compliant items and create a new image to improve instance startup efficiency.
WARNING: The detection items do not comply with requirements, which means ECS instances created from the custom image will be able to start correctly, but ECS cannot use valid methods to configure your instance. You can choose to immediately rectify the non-compliant items or temporarily retain the items and create an image.

Output items

The image compliance tool generates detection reports in both TXT and JSON formats in the destination path.

Note You can use -p [Destination path] to specify the path where to generate the detection report. If this parameter is not specified, the detection report will be generated in the same path as the compliance tool.

Reports in TXT format are named image_check_report_date_time.txt. The reports include server configuration information and detection results. The following example uses a server running the CentOS 7.4 64-bit OS.

The information you need to input when you import your image to Alibaba Cloud Website:
  Current system is: CentOS #Server operating system
  Architecture: x86_64 #System architecture
  System disk size: 42 GB #Server system disk capacity
  -----------------------------------------
   Check driver #Detection item name
   Pass: kvm drive is exist #Detection result
   Alibaba Cloud supports kvm virtualization technology
   We strongly recommend installing kvm driver.

Reports in JSON format are named image_check_report.json. The reports include server configuration information and detection results. The following example uses a server running the CentOS 7.4 64-bit OS.

"platform": "CentOS", \\Server operating system
  "os_big_version": "7", \\Operating system version number (major)
  "os_small_version": "4", \\Operating system version number (minor)
  "architecture": "x86_64", \\System architecture
  "system_disk_size": "42", \\Server system disk capacity
  "version": "1.0.2", \\Compliance tool version
  "time": "2018-05-14_19-18-10", \\Detection time
  "check_items": [{
      "name": "driver", \\Detection item name
      "result": "OK", \\Detection result
      "error_code": "0", \\Error code
      "description": "Pass: kvm driver exists.", \\Description
      "comment": "Alibaba Cloud supports kvm virtualization technology. We strongly recommend installing kvm driver."
  }]
}

What to do next

View Notes for importing images.
Install virtio driver.
Optional. Convert the image file format.
Import custom images.
Create an instance by using a custom image.